[U-Boot] [PATCH 4/5] imx: hab: Check if CSF contains deprecated commands

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Breno Lima <brenomatheus@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 4/5] imx: hab: Check if CSF contains deprecated commands
Date: Tue, 20 Feb 2018 01:19:25 +0000	[thread overview]
Message-ID: <1519089566-17147-4-git-send-email-brenomatheus@gmail.com> (raw)
In-Reply-To: <1519089566-17147-1-git-send-email-brenomatheus@gmail.com>

From: Utkarsh Gupta <utkarsh.gupta@nxp.com>

Write, Check and Set MID commands have been deprecated from the Code
Signing Tool (CST) v2.3.3 and will not be implemented in newer versions
of HAB, hence the following features are no longer available:

- Write Data
- Clear Mask
- Set Mask
- Check All Clear
- Check All Set
- Check Any Clear
- Check Any Set
- Set MID

The inappropriate use of Write Data command may lead to an incorrect
authentication boot flow. Since no specific application has been identified
that requires the use of any of these features, it is highly recommended to
add this check.

Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
---
 arch/arm/include/asm/mach-imx/hab.h |  4 ++++
 arch/arm/mach-imx/hab.c             | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h
index bb73203..93475a6 100644
--- a/arch/arm/include/asm/mach-imx/hab.h
+++ b/arch/arm/include/asm/mach-imx/hab.h
@@ -189,6 +189,10 @@ typedef void hapi_clock_init_t(void);
 #define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
 
 #define HAB_CMD_HDR          0xD4  /* CSF Header */
+#define HAB_CMD_WRT_DAT      0xCC  /* Write Data command tag */
+#define HAB_CMD_CHK_DAT      0xCF  /* Check Data command tag */
+#define HAB_CMD_SET          0xB1  /* Set command tag */
+#define HAB_PAR_MID          0x01  /* MID parameter value */
 
 #define IVT_SIZE			0x20
 #define CSF_PAD_SIZE			0x2000
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
index 7f66965..79e8bf6 100644
--- a/arch/arm/mach-imx/hab.c
+++ b/arch/arm/mach-imx/hab.c
@@ -518,6 +518,26 @@ static bool csf_is_valid(struct ivt *ivt, ulong start_addr, size_t bytes)
 	}
 
 	do {
+		struct hab_hdr *cmd;
+
+		cmd = (struct hab_hdr *)&csf_hdr[offset];
+
+		switch (cmd->tag) {
+		case (HAB_CMD_WRT_DAT):
+			puts("Error: Deprecated write command found\n");
+			return false;
+		case (HAB_CMD_CHK_DAT):
+			puts("Error: Deprecated check command found\n");
+			return false;
+		case (HAB_CMD_SET):
+			if (cmd->par == HAB_PAR_MID) {
+				puts("Error: Deprecated Set MID command found\n");
+				return false;
+			}
+		default:
+			break;
+		}
+
 		cmd_hdr_len = get_csf_cmd_hdr_len(&csf_hdr[offset]);
 		if (!cmd_hdr_len) {
 			puts("Error: Invalid command length\n");
-- 
2.7.4

next prev parent reply	other threads:[~2018-02-20  1:19 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-20  1:19 [U-Boot] [PATCH 1/5] imx: hab: Keep CAAM clock enabled after authenticating additional images Breno Lima
2018-02-20  1:19 ` [U-Boot] [PATCH 2/5] imx: hab: Ensure the IVT DCD pointer is Null prior to calling HAB authenticate function Breno Lima
2018-02-20 10:44   ` Fabio Estevam
2018-02-20  1:19 ` [U-Boot] [PATCH 3/5] imx: hab: Check if CSF is valid before authenticating image Breno Lima
2018-02-20 10:45   ` Fabio Estevam
2018-02-20  1:19 ` Breno Lima [this message]
2018-02-20 10:45   ` [U-Boot] [PATCH 4/5] imx: hab: Check if CSF contains deprecated commands Fabio Estevam
2018-02-20  1:19 ` [U-Boot] [PATCH 5/5] arm: imx: hab: Define HAB_RVT_BASE according to the processor version Breno Lima
2018-02-20 10:45   ` Fabio Estevam
2018-02-20 10:44 ` [U-Boot] [PATCH 1/5] imx: hab: Keep CAAM clock enabled after authenticating additional images Fabio Estevam
2018-02-22 13:36   ` Stefano Babic

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:bb73203 dfblob:93475a6 dfblob:7f66965 dfblob:79e8bf6 )
 OR (
bs:"[U-Boot] [PATCH 4/5] imx: hab: Check if CSF contains deprecated commands" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1519089566-17147-4-git-send-email-brenomatheus@gmail.com \
    --to=brenomatheus@gmail.com \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox