* [PATCH v2 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835
@ 2024-05-18 20:01 Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Rayhan Faizel @ 2024-05-18 20:01 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
All BCM2835 boards have on-board OTP memory with 66 32-bit rows. Usually,
its contents are accessible via mailbox commands.
[Changes in v2]
- Replace read/write with get/set in bcm2835_otp.c.
- Use impl instead of valid in bcm2835_otp.c.
- Replace all constant values with macros defined in bcm2835_otp.h.
- Change memory region size of OTP device to 0x80.
- After further testing on a real Raspberry Pi 3, I noticed a few things
contrary to my initial assumptions:
-- The customer OTP lock bit is bit 6 of row 32, NOT bit 30 of row 30. This is
currently undocumented to my knowledge.
-- The above lock indeed applies to the private key as well.
Rayhan Faizel (3):
hw/nvram: Add BCM2835 OTP device
hw/arm: Connect OTP device to BCM2835
hw/misc: Implement mailbox properties for customer OTP and device
specific private keys
hw/arm/bcm2835_peripherals.c | 15 ++-
hw/misc/bcm2835_property.c | 87 +++++++++++++
hw/nvram/bcm2835_otp.c | 187 +++++++++++++++++++++++++++
hw/nvram/meson.build | 1 +
include/hw/arm/bcm2835_peripherals.h | 3 +-
include/hw/arm/raspberrypi-fw-defs.h | 2 +
include/hw/misc/bcm2835_property.h | 2 +
include/hw/nvram/bcm2835_otp.h | 67 ++++++++++
8 files changed, 362 insertions(+), 2 deletions(-)
create mode 100644 hw/nvram/bcm2835_otp.c
create mode 100644 include/hw/nvram/bcm2835_otp.h
--
2.34.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 1/3] hw/nvram: Add BCM2835 OTP device
2024-05-18 20:01 [PATCH v2 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
@ 2024-05-18 20:01 ` Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
2 siblings, 0 replies; 4+ messages in thread
From: Rayhan Faizel @ 2024-05-18 20:01 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
The OTP device registers are currently stubbed. For now, the device
houses the OTP rows which will be accessed directly by other peripherals.
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
hw/nvram/bcm2835_otp.c | 187 +++++++++++++++++++++++++++++++++
hw/nvram/meson.build | 1 +
include/hw/nvram/bcm2835_otp.h | 67 ++++++++++++
3 files changed, 255 insertions(+)
create mode 100644 hw/nvram/bcm2835_otp.c
create mode 100644 include/hw/nvram/bcm2835_otp.h
diff --git a/hw/nvram/bcm2835_otp.c b/hw/nvram/bcm2835_otp.c
new file mode 100644
index 0000000000..c4aed28472
--- /dev/null
+++ b/hw/nvram/bcm2835_otp.c
@@ -0,0 +1,187 @@
+/*
+ * BCM2835 One-Time Programmable (OTP) Memory
+ *
+ * The OTP implementation is mostly a stub except for the OTP rows
+ * which are accessed directly by other peripherals such as the mailbox.
+ *
+ * The OTP registers are unimplemented due to lack of documentation.
+ *
+ * Copyright (c) 2024 Rayhan Faizel <rayhan.faizel@gmail.com>
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "hw/nvram/bcm2835_otp.h"
+#include "migration/vmstate.h"
+
+/* OTP rows are 1-indexed */
+uint32_t bcm2835_otp_get_row(BCM2835OTPState *s, unsigned int row)
+{
+ assert(row <= BCM2835_OTP_ROW_COUNT && row >= 1);
+
+ return s->otp_rows[row - 1];
+}
+
+void bcm2835_otp_set_row(BCM2835OTPState *s, unsigned int row,
+ uint32_t value)
+{
+ assert(row <= BCM2835_OTP_ROW_COUNT && row >= 1);
+
+ /* Real OTP rows work as e-fuses */
+ s->otp_rows[row - 1] |= value;
+}
+
+static uint64_t bcm2835_otp_read(void *opaque, hwaddr addr, unsigned size)
+{
+ switch (addr) {
+ case BCM2835_OTP_BOOTMODE_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BOOTMODE_REG\n");
+ break;
+ case BCM2835_OTP_CONFIG_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CONFIG_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_LO_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_LO_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_HI_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_HI_REG\n");
+ break;
+ case BCM2835_OTP_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_STATUS_REG\n");
+ break;
+ case BCM2835_OTP_BITSEL_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BITSEL_REG\n");
+ break;
+ case BCM2835_OTP_DATA_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_DATA_REG\n");
+ break;
+ case BCM2835_OTP_ADDR_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_ADDR_REG\n");
+ break;
+ case BCM2835_OTP_WRITE_DATA_READ_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_WRITE_DATA_READ_REG\n");
+ break;
+ case BCM2835_OTP_INIT_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_INIT_STATUS_REG\n");
+ break;
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, addr);
+ }
+
+ return 0;
+}
+
+static void bcm2835_otp_write(void *opaque, hwaddr addr,
+ uint64_t value, unsigned int size)
+{
+ switch (addr) {
+ case BCM2835_OTP_BOOTMODE_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BOOTMODE_REG\n");
+ break;
+ case BCM2835_OTP_CONFIG_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CONFIG_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_LO_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_LO_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_HI_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_HI_REG\n");
+ break;
+ case BCM2835_OTP_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_STATUS_REG\n");
+ break;
+ case BCM2835_OTP_BITSEL_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BITSEL_REG\n");
+ break;
+ case BCM2835_OTP_DATA_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_DATA_REG\n");
+ break;
+ case BCM2835_OTP_ADDR_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_ADDR_REG\n");
+ break;
+ case BCM2835_OTP_WRITE_DATA_READ_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_WRITE_DATA_READ_REG\n");
+ break;
+ case BCM2835_OTP_INIT_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_INIT_STATUS_REG\n");
+ break;
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, addr);
+ }
+}
+
+static const MemoryRegionOps bcm2835_otp_ops = {
+ .read = bcm2835_otp_read,
+ .write = bcm2835_otp_write,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .impl = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+ },
+};
+
+static void bcm2835_otp_realize(DeviceState *dev, Error **errp)
+{
+ BCM2835OTPState *s = BCM2835_OTP(dev);
+ memory_region_init_io(&s->iomem, OBJECT(dev), &bcm2835_otp_ops, s,
+ TYPE_BCM2835_OTP, 0x80);
+ sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
+
+ memset(s->otp_rows, 0x00, sizeof(s->otp_rows));
+}
+
+static const VMStateDescription vmstate_bcm2835_otp = {
+ .name = TYPE_BCM2835_OTP,
+ .version_id = 1,
+ .minimum_version_id = 1,
+ .fields = (const VMStateField[]) {
+ VMSTATE_UINT32_ARRAY(otp_rows, BCM2835OTPState, BCM2835_OTP_ROW_COUNT),
+ VMSTATE_END_OF_LIST()
+ }
+};
+
+static void bcm2835_otp_class_init(ObjectClass *klass, void *data)
+{
+ DeviceClass *dc = DEVICE_CLASS(klass);
+
+ dc->realize = bcm2835_otp_realize;
+ dc->vmsd = &vmstate_bcm2835_otp;
+}
+
+static const TypeInfo bcm2835_otp_info = {
+ .name = TYPE_BCM2835_OTP,
+ .parent = TYPE_SYS_BUS_DEVICE,
+ .instance_size = sizeof(BCM2835OTPState),
+ .class_init = bcm2835_otp_class_init,
+};
+
+static void bcm2835_otp_register_types(void)
+{
+ type_register_static(&bcm2835_otp_info);
+}
+
+type_init(bcm2835_otp_register_types)
diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build
index 4996c72456..10f3639db6 100644
--- a/hw/nvram/meson.build
+++ b/hw/nvram/meson.build
@@ -1,5 +1,6 @@
system_ss.add(files('fw_cfg-interface.c'))
system_ss.add(files('fw_cfg.c'))
+system_ss.add(when: 'CONFIG_RASPI', if_true: files('bcm2835_otp.c'))
system_ss.add(when: 'CONFIG_CHRP_NVRAM', if_true: files('chrp_nvram.c'))
system_ss.add(when: 'CONFIG_DS1225Y', if_true: files('ds1225y.c'))
system_ss.add(when: 'CONFIG_NMC93XX_EEPROM', if_true: files('eeprom93xx.c'))
diff --git a/include/hw/nvram/bcm2835_otp.h b/include/hw/nvram/bcm2835_otp.h
new file mode 100644
index 0000000000..6d4f2937e2
--- /dev/null
+++ b/include/hw/nvram/bcm2835_otp.h
@@ -0,0 +1,67 @@
+/*
+ * BCM2835 One-Time Programmable (OTP) Memory
+ *
+ * Copyright (c) 2024 Rayhan Faizel <rayhan.faizel@gmail.com>
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef BCM2835_OTP_H
+#define BCM2835_OTP_H
+
+#include "hw/sysbus.h"
+#include "qom/object.h"
+
+#define TYPE_BCM2835_OTP "bcm2835-otp"
+OBJECT_DECLARE_SIMPLE_TYPE(BCM2835OTPState, BCM2835_OTP)
+
+#define BCM2835_OTP_ROW_COUNT 66
+
+/* https://elinux.org/BCM2835_registers#OTP */
+#define BCM2835_OTP_BOOTMODE_REG 0x00
+#define BCM2835_OTP_CONFIG_REG 0x04
+#define BCM2835_OTP_CTRL_LO_REG 0x08
+#define BCM2835_OTP_CTRL_HI_REG 0x0c
+#define BCM2835_OTP_STATUS_REG 0x10
+#define BCM2835_OTP_BITSEL_REG 0x14
+#define BCM2835_OTP_DATA_REG 0x18
+#define BCM2835_OTP_ADDR_REG 0x1c
+#define BCM2835_OTP_WRITE_DATA_READ_REG 0x20
+#define BCM2835_OTP_INIT_STATUS_REG 0x24
+
+
+/* -- Row 32: Undocumented -- */
+
+#define BCM2835_OTP_ROW_32 32
+
+/* Lock OTP Programming (Customer OTP and private key) */
+#define BCM2835_OTP_ROW_32_LOCK BIT(6)
+
+/* -- Row 36-43: Customer OTP -- */
+
+#define BCM2835_OTP_CUSTOMER_OTP 36
+#define BCM2835_OTP_CUSTOMER_OTP_LEN 8
+
+/* Magic numbers to lock programming of customer OTP and private key */
+#define BCM2835_OTP_LOCK_NUM1 0xffffffff
+#define BCM2835_OTP_LOCK_NUM2 0xaffe0000
+
+/* -- Row 56-63: Device-specific private key -- */
+
+#define BCM2835_OTP_PRIVATE_KEY 56
+#define BCM2835_OTP_PRIVATE_KEY_LEN 8
+
+struct BCM2835OTPState {
+ /* <private> */
+ SysBusDevice parent_obj;
+
+ /* <public> */
+ MemoryRegion iomem;
+ uint32_t otp_rows[66];
+};
+
+
+uint32_t bcm2835_otp_get_row(BCM2835OTPState *s, unsigned int row);
+void bcm2835_otp_set_row(BCM2835OTPState *s, unsigned int row, uint32_t value);
+
+#endif
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/3] hw/arm: Connect OTP device to BCM2835
2024-05-18 20:01 [PATCH v2 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
@ 2024-05-18 20:01 ` Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
2 siblings, 0 replies; 4+ messages in thread
From: Rayhan Faizel @ 2024-05-18 20:01 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
Replace stubbed OTP memory region with the new OTP device.
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
hw/arm/bcm2835_peripherals.c | 13 ++++++++++++-
include/hw/arm/bcm2835_peripherals.h | 3 ++-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 1695d8b453..7d735bb56c 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -116,6 +116,10 @@ static void raspi_peripherals_base_init(Object *obj)
object_property_add_const_link(OBJECT(&s->fb), "dma-mr",
OBJECT(&s->gpu_bus_mr));
+ /* OTP */
+ object_initialize_child(obj, "bcm2835-otp", &s->otp,
+ TYPE_BCM2835_OTP);
+
/* Property channel */
object_initialize_child(obj, "property", &s->property,
TYPE_BCM2835_PROPERTY);
@@ -374,6 +378,14 @@ void bcm_soc_peripherals_common_realize(DeviceState *dev, Error **errp)
sysbus_connect_irq(SYS_BUS_DEVICE(&s->fb), 0,
qdev_get_gpio_in(DEVICE(&s->mboxes), MBOX_CHAN_FB));
+ /* OTP */
+ if (!sysbus_realize(SYS_BUS_DEVICE(&s->otp), errp)) {
+ return;
+ }
+
+ memory_region_add_subregion(&s->peri_mr, OTP_OFFSET,
+ sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->otp), 0));
+
/* Property channel */
if (!sysbus_realize(SYS_BUS_DEVICE(&s->property), errp)) {
return;
@@ -500,7 +512,6 @@ void bcm_soc_peripherals_common_realize(DeviceState *dev, Error **errp)
create_unimp(s, &s->i2s, "bcm2835-i2s", I2S_OFFSET, 0x100);
create_unimp(s, &s->smi, "bcm2835-smi", SMI_OFFSET, 0x100);
create_unimp(s, &s->bscsl, "bcm2835-spis", BSC_SL_OFFSET, 0x100);
- create_unimp(s, &s->otp, "bcm2835-otp", OTP_OFFSET, 0x80);
create_unimp(s, &s->dbus, "bcm2835-dbus", DBUS_OFFSET, 0x8000);
create_unimp(s, &s->ave0, "bcm2835-ave0", AVE0_OFFSET, 0x8000);
create_unimp(s, &s->v3d, "bcm2835-v3d", V3D_OFFSET, 0x1000);
diff --git a/include/hw/arm/bcm2835_peripherals.h b/include/hw/arm/bcm2835_peripherals.h
index 636203baa5..1eeaeec9e0 100644
--- a/include/hw/arm/bcm2835_peripherals.h
+++ b/include/hw/arm/bcm2835_peripherals.h
@@ -33,6 +33,7 @@
#include "hw/usb/hcd-dwc2.h"
#include "hw/ssi/bcm2835_spi.h"
#include "hw/i2c/bcm2835_i2c.h"
+#include "hw/nvram/bcm2835_otp.h"
#include "hw/misc/unimp.h"
#include "qom/object.h"
@@ -71,7 +72,7 @@ struct BCMSocPeripheralBaseState {
BCM2835SPIState spi[1];
BCM2835I2CState i2c[3];
OrIRQState orgated_i2c_irq;
- UnimplementedDeviceState otp;
+ BCM2835OTPState otp;
UnimplementedDeviceState dbus;
UnimplementedDeviceState ave0;
UnimplementedDeviceState v3d;
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys
2024-05-18 20:01 [PATCH v2 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
@ 2024-05-18 20:01 ` Rayhan Faizel
2 siblings, 0 replies; 4+ messages in thread
From: Rayhan Faizel @ 2024-05-18 20:01 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
Four mailbox properties are implemented as follows:
1. Customer OTP: GET_CUSTOMER_OTP and SET_CUSTOMER_OTP
2. Device-specific private key: GET_PRIVATE_KEY and
SET_PRIVATE_KEY.
The customer OTP is located in the rows 36-43. The device-specific private key
is located in the rows 56-63.
The customer OTP can be locked with the magic numbers 0xffffffff 0xaffe0000
when running the SET_CUSTOMER_OTP mailbox command. Bit 6 of row 32 indicates
this lock, which is undocumented. The lock also applies to the device-specific
private key.
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
hw/arm/bcm2835_peripherals.c | 2 +
hw/misc/bcm2835_property.c | 87 ++++++++++++++++++++++++++++
include/hw/arm/raspberrypi-fw-defs.h | 2 +
include/hw/misc/bcm2835_property.h | 2 +
4 files changed, 93 insertions(+)
diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 7d735bb56c..ac153a96b9 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -132,6 +132,8 @@ static void raspi_peripherals_base_init(Object *obj)
OBJECT(&s->fb));
object_property_add_const_link(OBJECT(&s->property), "dma-mr",
OBJECT(&s->gpu_bus_mr));
+ object_property_add_const_link(OBJECT(&s->property), "otp",
+ OBJECT(&s->otp));
/* Extended Mass Media Controller */
object_initialize_child(obj, "sdhci", &s->sdhci, TYPE_SYSBUS_SDHCI);
diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
index bdd9a6bbce..63de3db621 100644
--- a/hw/misc/bcm2835_property.c
+++ b/hw/misc/bcm2835_property.c
@@ -32,6 +32,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
uint32_t tmp;
int n;
uint32_t offset, length, color;
+ uint32_t start_num, number, otp_row;
/*
* Copy the current state of the framebuffer config; we will update
@@ -322,6 +323,89 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
0);
resplen = VCHI_BUSADDR_SIZE;
break;
+
+ /* Customer OTP */
+
+ case RPI_FWREQ_GET_CUSTOMER_OTP:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 8 + 4 * number;
+
+ for (n = start_num; n < start_num + number &&
+ n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) {
+ otp_row = bcm2835_otp_get_row(s->otp,
+ BCM2835_OTP_CUSTOMER_OTP + n);
+ stl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2), otp_row);
+ }
+ break;
+ case RPI_FWREQ_SET_CUSTOMER_OTP:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 4;
+
+ /* Magic numbers to permanently lock customer OTP */
+ if (start_num == BCM2835_OTP_LOCK_NUM1 &&
+ number == BCM2835_OTP_LOCK_NUM2) {
+ bcm2835_otp_set_row(s->otp,
+ BCM2835_OTP_ROW_32,
+ BCM2835_OTP_ROW_32_LOCK);
+ break;
+ }
+
+ /* If row 32 has the lock bit, don't allow further writes */
+ if (bcm2835_otp_get_row(s->otp, BCM2835_OTP_ROW_32) &
+ BCM2835_OTP_ROW_32_LOCK) {
+ break;
+ }
+
+ for (n = start_num; n < start_num + number &&
+ n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) {
+ otp_row = ldl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2));
+ bcm2835_otp_set_row(s->otp,
+ BCM2835_OTP_CUSTOMER_OTP + n, otp_row);
+ }
+ break;
+
+ /* Device-specific private key */
+
+ case RPI_FWREQ_GET_PRIVATE_KEY:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 8 + 4 * number;
+
+ for (n = start_num; n < start_num + number &&
+ n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) {
+ otp_row = bcm2835_otp_get_row(s->otp,
+ BCM2835_OTP_PRIVATE_KEY + n);
+ stl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2), otp_row);
+ }
+ break;
+ case RPI_FWREQ_SET_PRIVATE_KEY:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 4;
+
+ /* If row 32 has the lock bit, don't allow further writes */
+ if (bcm2835_otp_get_row(s->otp, BCM2835_OTP_ROW_32) &
+ BCM2835_OTP_ROW_32_LOCK) {
+ break;
+ }
+
+ for (n = start_num; n < start_num + number &&
+ n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) {
+ otp_row = ldl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2));
+ bcm2835_otp_set_row(s->otp,
+ BCM2835_OTP_PRIVATE_KEY + n, otp_row);
+ }
+ break;
default:
qemu_log_mask(LOG_UNIMP,
"bcm2835_property: unhandled tag 0x%08x\n", tag);
@@ -449,6 +533,9 @@ static void bcm2835_property_realize(DeviceState *dev, Error **errp)
s->dma_mr = MEMORY_REGION(obj);
address_space_init(&s->dma_as, s->dma_mr, TYPE_BCM2835_PROPERTY "-memory");
+ obj = object_property_get_link(OBJECT(dev), "otp", &error_abort);
+ s->otp = BCM2835_OTP(obj);
+
/* TODO: connect to MAC address of USB NIC device, once we emulate it */
qemu_macaddr_default_if_unset(&s->macaddr);
diff --git a/include/hw/arm/raspberrypi-fw-defs.h b/include/hw/arm/raspberrypi-fw-defs.h
index 8b404e0533..60b8e5b451 100644
--- a/include/hw/arm/raspberrypi-fw-defs.h
+++ b/include/hw/arm/raspberrypi-fw-defs.h
@@ -56,6 +56,7 @@ enum rpi_firmware_property_tag {
RPI_FWREQ_GET_THROTTLED = 0x00030046,
RPI_FWREQ_GET_CLOCK_MEASURED = 0x00030047,
RPI_FWREQ_NOTIFY_REBOOT = 0x00030048,
+ RPI_FWREQ_GET_PRIVATE_KEY = 0x00030081,
RPI_FWREQ_SET_CLOCK_STATE = 0x00038001,
RPI_FWREQ_SET_CLOCK_RATE = 0x00038002,
RPI_FWREQ_SET_VOLTAGE = 0x00038003,
@@ -73,6 +74,7 @@ enum rpi_firmware_property_tag {
RPI_FWREQ_SET_PERIPH_REG = 0x00038045,
RPI_FWREQ_GET_POE_HAT_VAL = 0x00030049,
RPI_FWREQ_SET_POE_HAT_VAL = 0x00038049,
+ RPI_FWREQ_SET_PRIVATE_KEY = 0x00038081,
RPI_FWREQ_SET_POE_HAT_VAL_OLD = 0x00030050,
RPI_FWREQ_NOTIFY_XHCI_RESET = 0x00030058,
RPI_FWREQ_GET_REBOOT_FLAGS = 0x00030064,
diff --git a/include/hw/misc/bcm2835_property.h b/include/hw/misc/bcm2835_property.h
index ba8896610c..2f93fd0c75 100644
--- a/include/hw/misc/bcm2835_property.h
+++ b/include/hw/misc/bcm2835_property.h
@@ -11,6 +11,7 @@
#include "hw/sysbus.h"
#include "net/net.h"
#include "hw/display/bcm2835_fb.h"
+#include "hw/nvram/bcm2835_otp.h"
#include "qom/object.h"
#define TYPE_BCM2835_PROPERTY "bcm2835-property"
@@ -26,6 +27,7 @@ struct BCM2835PropertyState {
MemoryRegion iomem;
qemu_irq mbox_irq;
BCM2835FBState *fbdev;
+ BCM2835OTPState *otp;
MACAddr macaddr;
uint32_t board_rev;
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-05-18 20:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-18 20:01 [PATCH v2 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
2024-05-18 20:01 ` [PATCH v2 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).