Merge "sysupgrade: Add support to authenticate image using TZ"

2026-03-09 02:37:31 +01:00 · 2018-02-08 23:34:03 -08:00 · 2018-02-08 23:34:03 -08:00 · 4dcba1bb54
commit 4dcba1bb54
parent 68f0e9fb64 bcfcba7eb2
2 changed files with 96 additions and 1 deletions
--- a/tools/sysupgrade.c
+++ b/tools/sysupgrade.c
@ -21,6 +21,7 @@
 #define DEVCFG_VERSION_FILE	"devcfg_version"
 #define VERSION_FILE_BASENAME  "/sys/devices/system/qfprom/qfprom0/"
 #define AUTHENTICATE_FILE	"/sys/devices/system/qfprom/qfprom0/authenticate"
+#define SEC_AUTHENTICATE_FILE  "/sys/sec_upgrade/sec_auth"
 #define TEMP_KERNEL_PATH	"/tmp/tmp_kernel.bin"
 #define MAX_SBL_VERSION	11
 #define MAX_HLOS_VERSION	32
@ -52,6 +53,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= APPSBL_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x9"
 	},
 	{
 		.section_type		= HLOS_TYPE,
@ -60,6 +62,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= HLOS_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x17"
 	},
 	{
 		.section_type		= HLOS_TYPE,
@ -70,6 +73,7 @@ struct image_section sections[] = {
 		.file			= TEMP_KERNEL_PATH,
 		.version_file		= HLOS_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x17"
 	},
 	{
 		.section_type		= TZ_TYPE,
@ -78,6 +82,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= TZ_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x7"
 	},
 	{
 		.section_type		= SBL_TYPE,
@ -86,6 +91,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= SBL_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x0"
 	},
 	{
 		.section_type		= SBL_TYPE,
@ -94,6 +100,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= SBL_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x5"
 	},
 	{
 		.section_type		= SBL_TYPE,
@ -102,6 +109,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= SBL_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x6"
 	},
 	{
 		.section_type		= RPM_TYPE,
@ -110,6 +118,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= RPM_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0xA"
 	},
 	{
 		.section_type		= DEVCFG_TYPE,
@ -118,6 +127,7 @@ struct image_section sections[] = {
 		.file			= TMP_FILE_DIR,
 		.version_file		= DEVCFG_VERSION_FILE,
 		.is_present		= NOT_PRESENT,
+		.img_code		= "0x5"
 	},
 };

@ -220,6 +230,44 @@ int get_sections(void)
 	return 1;
 }

+int load_sections(void)
+{
+	DIR *dir;
+	int i;
+	struct dirent *file;
+	struct image_section *sec;
+
+	dir = opendir(TMP_FILE_DIR);
+	if (dir == NULL) {
+		printf("Error accessing the %s image directory\n", TMP_FILE_DIR);
+		return 0;
+	}
+
+	while ((file = readdir(dir)) != NULL) {
+		for (i = 0, sec = &sections[0]; i < NO_OF_SECTIONS; i++, sec++) {
+			if (strstr(file->d_name, sec->type)) {
+				if (sec->pre_op) {
+					strncat(sec->tmp_file, file->d_name,
+							sizeof(sec->tmp_file));
+					if (!sec->pre_op(sec)) {
+						printf("Error extracting %s from ubi\n",
+									   sec->tmp_file);
+						closedir(dir);
+						return 0;
+					}
+				} else {
+					strncat(sec->file, file->d_name,
+							sizeof(sec->file));
+				}
+				sec->is_present = PRESENT;
+				break;
+			}
+		}
+	}
+	closedir(dir);
+	return 1;
+}
+
 /**
 * is_authentication_check_enabled() - checks whether installed image is
 * secure(1) or not(0)
@ -246,6 +294,17 @@ int is_authentication_check_enabled(void)
 	return 1;
 }

+int is_tz_authentication_enabled(void)
+{
+	struct stat sb;
+
+	if (stat(SEC_AUTHENTICATE_FILE, &sb) == -1) {
+		perror("stat");
+		return 0;
+	}
+	return 1;
+}
+
 /**
 * get_local_image_version() check the version file & if it exists, read the
 * value & save it into global variable local_version
@ -1341,9 +1400,44 @@ int is_image_authenticated(void)
 	return 1;
 }

+int sec_image_auth()
+{
+	int fd, i, len;
+	char buf[256];
+
+	fd = open(SEC_AUTHENTICATE_FILE, O_RDWR);
+	if (-1 == fd) {
+		perror(SEC_AUTHENTICATE_FILE);
+		return 1;
+	}
+
+	for (i = 0; i < NO_OF_SECTIONS; i++) {
+		if (!sections[i].is_present) {
+			continue;
+		}
+
+		len = snprintf(buf, sizeof(buf), "%s %s", sections[i].img_code, sections[i].file);
+		if (write(fd, buf, len) != len) {
+			perror("write");
+			close(fd);
+			printf("%s Image authentication failed\n", buf);
+			return 1;
+		}
+	}
+	close(fd);
+	return 0;
+}
+
 int do_board_upgrade_check(char *img)
 {
-	if (is_authentication_check_enabled()) {
+	if (is_tz_authentication_enabled()) {
+		printf("TZ authentication enabled ...\n");
+		if (!load_sections()) {
+			printf("Error: Failed to load sections from image: %s\n", img);
+			return 1;
+		}
+		return sec_image_auth();
+	} else if (is_authentication_check_enabled()) {
 		if (!get_sections()) {
 			printf("Error: %s is not a signed image\n", img);
 			return 1;
--- a/tools/sysupgrade.h
+++ b/tools/sysupgrade.h
@ -32,6 +32,7 @@ struct image_section {
 	int local_version;
 	char *version_file;
 	int is_present;
+	char *img_code;
 	int (*pre_op)(struct image_section *);
 	int (*get_sw_id)(struct image_section *);
 	int (*split_components)(struct image_section *, char **, char**, char**);