1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright (C) 2018 Xilinx, Inc.
4 */
5
6 #include <common.h>
7 #include <asm/io.h>
8 #include <asm/arch/hardware.h>
9 #include <asm/arch/sys_proto.h>
10 #include <malloc.h>
11 #include <u-boot/md5.h>
12 #include <u-boot/rsa.h>
13 #include <u-boot/rsa-mod-exp.h>
14 #include <u-boot/sha256.h>
15 #include <zynqpl.h>
16 #include <fpga.h>
17 #include <zynq_bootimg.h>
18
19 DECLARE_GLOBAL_DATA_PTR;
20
21 #ifdef CONFIG_CMD_ZYNQ_RSA
22
23 #define ZYNQ_EFUSE_RSA_ENABLE_MASK 0x400
24 #define ZYNQ_ATTRIBUTE_PL_IMAGE_MASK 0x20
25 #define ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK 0x7000
26 #define ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK 0x8000
27 #define ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK 0x30000
28
29 #define ZYNQ_RSA_MODULAR_SIZE 256
30 #define ZYNQ_RSA_MODULAR_EXT_SIZE 256
31 #define ZYNQ_RSA_EXPO_SIZE 64
32 #define ZYNQ_RSA_SPK_SIGNATURE_SIZE 256
33 #define ZYNQ_RSA_PARTITION_SIGNATURE_SIZE 256
34 #define ZYNQ_RSA_SIGNATURE_SIZE 0x6C0
35 #define ZYNQ_RSA_HEADER_SIZE 4
36 #define ZYNQ_RSA_MAGIC_WORD_SIZE 60
37 #define ZYNQ_RSA_PART_OWNER_UBOOT 1
38 #define ZYNQ_RSA_ALIGN_PPK_START 64
39
40 #define WORD_LENGTH_SHIFT 2
41
42 static u8 *ppkmodular;
43 static u8 *ppkmodularex;
44
45 struct zynq_rsa_public_key {
46 uint len; /* Length of modulus[] in number of u32 */
47 u32 n0inv; /* -1 / modulus[0] mod 2^32 */
48 u32 *modulus; /* modulus as little endian array */
49 u32 *rr; /* R^2 as little endian array */
50 };
51
52 static struct zynq_rsa_public_key public_key;
53
54 static struct partition_hdr part_hdr[ZYNQ_MAX_PARTITION_NUMBER];
55
56 /*
57 * Extract the primary public key components from already autheticated FSBL
58 */
zynq_extract_ppk(u32 fsbl_len)59 static void zynq_extract_ppk(u32 fsbl_len)
60 {
61 u32 padsize;
62 u8 *ppkptr;
63
64 debug("%s\n", __func__);
65
66 /*
67 * Extract the authenticated PPK from OCM i.e at end of the FSBL
68 */
69 ppkptr = (u8 *)(fsbl_len + ZYNQ_OCM_BASEADDR);
70 padsize = ((u32)ppkptr % ZYNQ_RSA_ALIGN_PPK_START);
71 if (padsize)
72 ppkptr += (ZYNQ_RSA_ALIGN_PPK_START - padsize);
73
74 ppkptr += ZYNQ_RSA_HEADER_SIZE;
75
76 ppkptr += ZYNQ_RSA_MAGIC_WORD_SIZE;
77
78 ppkmodular = (u8 *)ppkptr;
79 ppkptr += ZYNQ_RSA_MODULAR_SIZE;
80 ppkmodularex = (u8 *)ppkptr;
81 ppkptr += ZYNQ_RSA_MODULAR_EXT_SIZE;
82 }
83
84 /*
85 * Calculate the inverse(-1 / modulus[0] mod 2^32 ) for the PPK
86 */
zynq_calc_inv(void)87 static u32 zynq_calc_inv(void)
88 {
89 u32 modulus = public_key.modulus[0];
90 u32 tmp = BIT(1);
91 u32 inverse;
92
93 inverse = modulus & BIT(0);
94
95 while (tmp) {
96 inverse *= 2 - modulus * inverse;
97 tmp *= tmp;
98 }
99
100 return ~(inverse - 1);
101 }
102
103 /*
104 * Recreate the signature by padding the bytes and verify with hash value
105 */
zynq_pad_and_check(u8 * signature,u8 * hash)106 static int zynq_pad_and_check(u8 *signature, u8 *hash)
107 {
108 u8 padding[] = {0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48,
109 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04,
110 0x20};
111 u8 *pad_ptr = signature + 256;
112 u32 pad = 202;
113 u32 ii;
114
115 /*
116 * Re-Create PKCS#1v1.5 Padding
117 * MSB ----------------------------------------------------LSB
118 * 0x0 || 0x1 || 0xFF(for 202 bytes) || 0x0 || T_padding || SHA256 Hash
119 */
120 if (*--pad_ptr != 0 || *--pad_ptr != 1)
121 return -1;
122
123 for (ii = 0; ii < pad; ii++) {
124 if (*--pad_ptr != 0xFF)
125 return -1;
126 }
127
128 if (*--pad_ptr != 0)
129 return -1;
130
131 for (ii = 0; ii < sizeof(padding); ii++) {
132 if (*--pad_ptr != padding[ii])
133 return -1;
134 }
135
136 for (ii = 0; ii < 32; ii++) {
137 if (*--pad_ptr != hash[ii])
138 return -1;
139 }
140 return 0;
141 }
142
143 /*
144 * Verify and extract the hash value from signature using the public key
145 * and compare it with calculated hash value.
146 */
zynq_rsa_verify_key(const struct zynq_rsa_public_key * key,const u8 * sig,const u32 sig_len,const u8 * hash)147 static int zynq_rsa_verify_key(const struct zynq_rsa_public_key *key,
148 const u8 *sig, const u32 sig_len, const u8 *hash)
149 {
150 int status;
151 void *buf;
152
153 if (!key || !sig || !hash)
154 return -1;
155
156 if (sig_len != (key->len * sizeof(u32))) {
157 printf("Signature is of incorrect length %d\n", sig_len);
158 return -1;
159 }
160
161 /* Sanity check for stack size */
162 if (sig_len > ZYNQ_RSA_SPK_SIGNATURE_SIZE) {
163 printf("Signature length %u exceeds maximum %d\n", sig_len,
164 ZYNQ_RSA_SPK_SIGNATURE_SIZE);
165 return -1;
166 }
167
168 buf = malloc(sig_len);
169 if (!buf)
170 return -1;
171
172 memcpy(buf, sig, sig_len);
173
174 status = zynq_pow_mod((u32 *)key, (u32 *)buf);
175 if (status == -1) {
176 free(buf);
177 return status;
178 }
179
180 status = zynq_pad_and_check((u8 *)buf, (u8 *)hash);
181
182 free(buf);
183 return status;
184 }
185
186 /*
187 * Authenticate the partition
188 */
zynq_authenticate_part(u8 * buffer,u32 size)189 static int zynq_authenticate_part(u8 *buffer, u32 size)
190 {
191 u8 hash_signature[32];
192 u8 *spk_modular;
193 u8 *spk_modular_ex;
194 u8 *signature_ptr;
195 u32 status;
196
197 debug("%s\n", __func__);
198
199 signature_ptr = (u8 *)(buffer + size - ZYNQ_RSA_SIGNATURE_SIZE);
200
201 signature_ptr += ZYNQ_RSA_HEADER_SIZE;
202
203 signature_ptr += ZYNQ_RSA_MAGIC_WORD_SIZE;
204
205 ppkmodular = (u8 *)signature_ptr;
206 signature_ptr += ZYNQ_RSA_MODULAR_SIZE;
207 ppkmodularex = signature_ptr;
208 signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE;
209 signature_ptr += ZYNQ_RSA_EXPO_SIZE;
210
211 sha256_csum_wd((const unsigned char *)signature_ptr,
212 (ZYNQ_RSA_MODULAR_EXT_SIZE + ZYNQ_RSA_EXPO_SIZE +
213 ZYNQ_RSA_MODULAR_SIZE),
214 (unsigned char *)hash_signature, 0x1000);
215
216 spk_modular = (u8 *)signature_ptr;
217 signature_ptr += ZYNQ_RSA_MODULAR_SIZE;
218 spk_modular_ex = (u8 *)signature_ptr;
219 signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE;
220 signature_ptr += ZYNQ_RSA_EXPO_SIZE;
221
222 public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32);
223 public_key.modulus = (u32 *)ppkmodular;
224 public_key.rr = (u32 *)ppkmodularex;
225 public_key.n0inv = zynq_calc_inv();
226
227 status = zynq_rsa_verify_key(&public_key, signature_ptr,
228 ZYNQ_RSA_SPK_SIGNATURE_SIZE,
229 hash_signature);
230 if (status)
231 return status;
232
233 signature_ptr += ZYNQ_RSA_SPK_SIGNATURE_SIZE;
234
235 sha256_csum_wd((const unsigned char *)buffer,
236 (size - ZYNQ_RSA_PARTITION_SIGNATURE_SIZE),
237 (unsigned char *)hash_signature, 0x1000);
238
239 public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32);
240 public_key.modulus = (u32 *)spk_modular;
241 public_key.rr = (u32 *)spk_modular_ex;
242 public_key.n0inv = zynq_calc_inv();
243
244 return zynq_rsa_verify_key(&public_key, (u8 *)signature_ptr,
245 ZYNQ_RSA_PARTITION_SIGNATURE_SIZE,
246 (u8 *)hash_signature);
247 }
248
249 /*
250 * Parses the partition header and verfies the authenticated and
251 * encrypted image.
252 */
zynq_verify_image(u32 src_ptr)253 static int zynq_verify_image(u32 src_ptr)
254 {
255 u32 silicon_ver, image_base_addr, status;
256 u32 partition_num = 0;
257 u32 efuseval, srcaddr, size, fsbl_len;
258 struct partition_hdr *hdr_ptr;
259 u32 part_data_len, part_img_len, part_attr;
260 u32 part_load_addr, part_dst_addr, part_chksum_offset;
261 u32 part_start_addr, part_total_size, partitioncount;
262 bool encrypt_part_flag = false;
263 bool part_chksum_flag = false;
264 bool signed_part_flag = false;
265
266 image_base_addr = src_ptr;
267
268 silicon_ver = zynq_get_silicon_version();
269
270 /* RSA not supported in silicon versions 1.0 and 2.0 */
271 if (silicon_ver == 0 || silicon_ver == 1)
272 return -1;
273
274 zynq_get_partition_info(image_base_addr, &fsbl_len,
275 &part_hdr[0]);
276
277 /* Extract ppk if efuse was blown Otherwise return error */
278 efuseval = readl(&efuse_base->status);
279 if (!(efuseval & ZYNQ_EFUSE_RSA_ENABLE_MASK))
280 return -1;
281
282 zynq_extract_ppk(fsbl_len);
283
284 partitioncount = zynq_get_part_count(&part_hdr[0]);
285
286 /*
287 * As the first two partitions are related to fsbl,
288 * we can ignore those two in bootimage and the below
289 * code doesn't need to validate it as fsbl is already
290 * done by now
291 */
292 if (partitioncount <= 2 ||
293 partitioncount > ZYNQ_MAX_PARTITION_NUMBER)
294 return -1;
295
296 while (partition_num < partitioncount) {
297 if (((part_hdr[partition_num].partitionattr &
298 ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK) >> 16) !=
299 ZYNQ_RSA_PART_OWNER_UBOOT) {
300 printf("UBOOT is not Owner for partition %d\n",
301 partition_num);
302 partition_num++;
303 continue;
304 }
305 hdr_ptr = &part_hdr[partition_num];
306 status = zynq_validate_hdr(hdr_ptr);
307 if (status)
308 return status;
309
310 part_data_len = hdr_ptr->datawordlen;
311 part_img_len = hdr_ptr->imagewordlen;
312 part_attr = hdr_ptr->partitionattr;
313 part_load_addr = hdr_ptr->loadaddr;
314 part_chksum_offset = hdr_ptr->checksumoffset;
315 part_start_addr = hdr_ptr->partitionstart;
316 part_total_size = hdr_ptr->partitionwordlen;
317
318 if (part_data_len != part_img_len) {
319 debug("Encrypted\n");
320 encrypt_part_flag = true;
321 }
322
323 if (part_attr & ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK)
324 part_chksum_flag = true;
325
326 if (part_attr & ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK) {
327 debug("RSA Signed\n");
328 signed_part_flag = true;
329 size = part_total_size << WORD_LENGTH_SHIFT;
330 } else {
331 size = part_img_len;
332 }
333
334 if (!signed_part_flag && !part_chksum_flag) {
335 printf("Partition not signed & no chksum\n");
336 partition_num++;
337 continue;
338 }
339
340 srcaddr = image_base_addr +
341 (part_start_addr << WORD_LENGTH_SHIFT);
342
343 /*
344 * This validation is just for PS DDR.
345 * TODO: Update this for PL DDR check as well.
346 */
347 if (part_load_addr < gd->bd->bi_dram[0].start &&
348 ((part_load_addr + part_data_len) >
349 (gd->bd->bi_dram[0].start +
350 gd->bd->bi_dram[0].size))) {
351 printf("INVALID_LOAD_ADDRESS_FAIL\n");
352 return -1;
353 }
354
355 if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK)
356 part_load_addr = srcaddr;
357 else
358 memcpy((u32 *)part_load_addr, (u32 *)srcaddr,
359 size);
360
361 if (part_chksum_flag) {
362 part_chksum_offset = image_base_addr +
363 (part_chksum_offset <<
364 WORD_LENGTH_SHIFT);
365 status = zynq_validate_partition(part_load_addr,
366 (part_total_size <<
367 WORD_LENGTH_SHIFT),
368 part_chksum_offset);
369 if (status != 0) {
370 printf("PART_CHKSUM_FAIL\n");
371 return -1;
372 }
373 debug("Partition Validation Done\n");
374 }
375
376 if (signed_part_flag) {
377 status = zynq_authenticate_part((u8 *)part_load_addr,
378 size);
379 if (status != 0) {
380 printf("AUTHENTICATION_FAIL\n");
381 return -1;
382 }
383 debug("Authentication Done\n");
384 }
385
386 if (encrypt_part_flag) {
387 debug("DECRYPTION\n");
388
389 part_dst_addr = part_load_addr;
390
391 if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) {
392 partition_num++;
393 continue;
394 }
395
396 status = zynq_decrypt_load(part_load_addr,
397 part_img_len,
398 part_dst_addr,
399 part_data_len);
400 if (status != 0) {
401 printf("DECRYPTION_FAIL\n");
402 return -1;
403 }
404 }
405 partition_num++;
406 }
407
408 return 0;
409 }
410
do_zynq_rsa(cmd_tbl_t * cmdtp,int flag,int argc,char * const argv[])411 static int do_zynq_rsa(cmd_tbl_t *cmdtp, int flag, int argc,
412 char * const argv[])
413 {
414 u32 src_ptr;
415 char *endp;
416
417 if (argc != cmdtp->maxargs)
418 return CMD_RET_FAILURE;
419
420 src_ptr = simple_strtoul(argv[2], &endp, 16);
421 if (*argv[2] == 0 || *endp != 0)
422 return CMD_RET_USAGE;
423
424 if (zynq_verify_image(src_ptr))
425 return CMD_RET_FAILURE;
426
427 return CMD_RET_SUCCESS;
428 }
429 #endif
430
431 #ifdef CONFIG_CMD_ZYNQ_AES
zynq_decrypt_image(cmd_tbl_t * cmdtp,int flag,int argc,char * const argv[])432 static int zynq_decrypt_image(cmd_tbl_t *cmdtp, int flag, int argc,
433 char * const argv[])
434 {
435 char *endp;
436 u32 srcaddr, srclen, dstaddr, dstlen;
437 int status;
438
439 if (argc < 5 && argc > cmdtp->maxargs)
440 return CMD_RET_USAGE;
441
442 srcaddr = simple_strtoul(argv[2], &endp, 16);
443 if (*argv[2] == 0 || *endp != 0)
444 return CMD_RET_USAGE;
445 srclen = simple_strtoul(argv[3], &endp, 16);
446 if (*argv[3] == 0 || *endp != 0)
447 return CMD_RET_USAGE;
448 dstaddr = simple_strtoul(argv[4], &endp, 16);
449 if (*argv[4] == 0 || *endp != 0)
450 return CMD_RET_USAGE;
451 dstlen = simple_strtoul(argv[5], &endp, 16);
452 if (*argv[5] == 0 || *endp != 0)
453 return CMD_RET_USAGE;
454
455 /*
456 * Roundup source and destination lengths to
457 * word size
458 */
459 if (srclen % 4)
460 srclen = roundup(srclen, 4);
461 if (dstlen % 4)
462 dstlen = roundup(dstlen, 4);
463
464 status = zynq_decrypt_load(srcaddr, srclen >> 2, dstaddr, dstlen >> 2);
465 if (status != 0)
466 return CMD_RET_FAILURE;
467
468 return CMD_RET_SUCCESS;
469 }
470 #endif
471
472 static cmd_tbl_t zynq_commands[] = {
473 #ifdef CONFIG_CMD_ZYNQ_RSA
474 U_BOOT_CMD_MKENT(rsa, 3, 1, do_zynq_rsa, "", ""),
475 #endif
476 #ifdef CONFIG_CMD_ZYNQ_AES
477 U_BOOT_CMD_MKENT(aes, 6, 1, zynq_decrypt_image, "", ""),
478 #endif
479 };
480
do_zynq(cmd_tbl_t * cmdtp,int flag,int argc,char * const argv[])481 static int do_zynq(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
482 {
483 cmd_tbl_t *zynq_cmd;
484 int ret;
485
486 if (!ARRAY_SIZE(zynq_commands)) {
487 puts("No zynq specific command enabled\n");
488 return CMD_RET_USAGE;
489 }
490
491 if (argc < 2)
492 return CMD_RET_USAGE;
493 zynq_cmd = find_cmd_tbl(argv[1], zynq_commands,
494 ARRAY_SIZE(zynq_commands));
495 if (!zynq_cmd)
496 return CMD_RET_USAGE;
497
498 ret = zynq_cmd->cmd(zynq_cmd, flag, argc, argv);
499
500 return cmd_process_error(zynq_cmd, ret);
501 }
502
503 #ifdef CONFIG_SYS_LONGHELP
504 static char zynq_help_text[] =
505 ""
506 #ifdef CONFIG_CMD_ZYNQ_RSA
507 "rsa <baseaddr> - Verifies the authenticated and encrypted\n"
508 " zynq images and loads them back to load\n"
509 " addresses as specified in BOOT image(BOOT.BIN)\n"
510 #endif
511 #ifdef CONFIG_CMD_ZYNQ_AES
512 "aes <srcaddr> <srclen> <dstaddr> <dstlen>\n"
513 " - Decrypts the encrypted image present in source\n"
514 " address and places the decrypted image at\n"
515 " destination address\n"
516 #endif
517 ;
518 #endif
519
520 U_BOOT_CMD(zynq, 6, 0, do_zynq,
521 "Zynq specific commands", zynq_help_text
522 );
523