From 92575b1451b54de69bf8db306b71dcbfed322ede Mon Sep 17 00:00:00 2001 From: Anusha Rao Date: Tue, 4 Jan 2022 16:26:33 +0530 Subject: [PATCH] ipq: Clear kernel & rootfs headers after authentication After secure sysupgrade, uboot/TZ successfully authenticates rootfs even if the signature & certificates are not appended to kernel image. This is because the header and certificates copied to DDR memory before sysupgrade is retained. Updated the code to clear this DDR memory after authentication. Change-Id: Ic2331326baefc945c217a507d4379951dba821ab Signed-off-by: Anusha Rao Signed-off-by: Timple Raj M --- board/qca/arm/common/cmd_bootqca.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/board/qca/arm/common/cmd_bootqca.c b/board/qca/arm/common/cmd_bootqca.c index 74a5295df5..48ca377278 100644 --- a/board/qca/arm/common/cmd_bootqca.c +++ b/board/qca/arm/common/cmd_bootqca.c @@ -307,9 +307,9 @@ static int parse_elf_image_phdr(image_info *img_info, unsigned int addr) #ifdef CONFIG_IPQ_ROOTFS_AUTH static int copy_rootfs(unsigned int request, uint32_t size) { - int ret; char runcmd[256]; #ifdef CONFIG_QCA_MMC + int ret; block_dev_desc_t *blk_dev; disk_partition_t disk_info; unsigned int active_part = 0; @@ -401,6 +401,11 @@ static int authenticate_rootfs(unsigned int kernel_addr) rootfs_img_info.size = sizeof(mbn_header_t) + mbn_ptr->image_size; ret = qca_scm_secure_authenticate(&rootfs_img_info, sizeof(rootfs_img_info)); + + memset((void *)kernel_img_info.kernel_load_addr, 0, sizeof(mbn_header_t)); + memset(mbn_ptr, 0, + (sizeof(mbn_header_t) + mbn_ptr->signature_size + mbn_ptr->cert_chain_size)); + if (ret) return CMD_RET_FAILURE; @@ -435,6 +440,7 @@ static int authenticate_rootfs_elf(unsigned int rootfs_hdr) rootfs_img_info.size = img_info.img_offset + img_info.img_size; ret = qca_scm_secure_authenticate(&rootfs_img_info, sizeof(rootfs_img_info)); + memset((void *)rootfs_hdr, 0, img_info.img_offset); if (ret) return CMD_RET_FAILURE; @@ -635,6 +641,7 @@ static int do_boot_signedimg(cmd_tbl_t *cmdtp, int flag, int argc, char *const a setenv("mtdids", mtdids); #ifndef CONFIG_IPQ_ELF_AUTH + mbn_header_t * mbn_ptr = (mbn_header_t *) request; request += sizeof(mbn_header_t); #else kernel_img_info.kernel_load_addr = request; @@ -649,6 +656,11 @@ static int do_boot_signedimg(cmd_tbl_t *cmdtp, int flag, int argc, char *const a ret = qca_scm_auth_kernel(&kernel_img_info, sizeof(kernel_img_info)); +#ifndef CONFIG_IPQ_ELF_AUTH + memset((void *)mbn_ptr->signature_ptr, 0,(mbn_ptr->signature_size + mbn_ptr->cert_chain_size)); +#else + memset((void *)kernel_img_info.kernel_load_addr, 0, img_info.img_offset); +#endif if (ret) { printf("Kernel image authentication failed \n"); BUG();