imx: hab: Check if CSF contains deprecated commands
authorUtkarsh Gupta <utkarsh.gupta@nxp.com>
Tue, 20 Feb 2018 01:19:25 +0000 (01:19 +0000)
committerStefano Babic <sbabic@denx.de>
Thu, 22 Feb 2018 13:35:57 +0000 (14:35 +0100)
Write, Check and Set MID commands have been deprecated from the Code
Signing Tool (CST) v2.3.3 and will not be implemented in newer versions
of HAB, hence the following features are no longer available:

- Write Data
- Clear Mask
- Set Mask
- Check All Clear
- Check All Set
- Check Any Clear
- Check Any Set
- Set MID

The inappropriate use of Write Data command may lead to an incorrect
authentication boot flow. Since no specific application has been identified
that requires the use of any of these features, it is highly recommended to
add this check.

Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
arch/arm/include/asm/mach-imx/hab.h
arch/arm/mach-imx/hab.c

index bb732030e97e931440d168d6e32f0badd8e1133c..93475a61da9cdcf59b514ce23ba703df5ae70e07 100644 (file)
@@ -189,6 +189,10 @@ typedef void hapi_clock_init_t(void);
 #define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
 
 #define HAB_CMD_HDR          0xD4  /* CSF Header */
+#define HAB_CMD_WRT_DAT      0xCC  /* Write Data command tag */
+#define HAB_CMD_CHK_DAT      0xCF  /* Check Data command tag */
+#define HAB_CMD_SET          0xB1  /* Set command tag */
+#define HAB_PAR_MID          0x01  /* MID parameter value */
 
 #define IVT_SIZE                       0x20
 #define CSF_PAD_SIZE                   0x2000
index 7f66965af56275c8923a1b60b3656d0b82ceb9db..79e8bf697973b78d0c9a2e7d18cbc97c4834f075 100644 (file)
@@ -518,6 +518,26 @@ static bool csf_is_valid(struct ivt *ivt, ulong start_addr, size_t bytes)
        }
 
        do {
+               struct hab_hdr *cmd;
+
+               cmd = (struct hab_hdr *)&csf_hdr[offset];
+
+               switch (cmd->tag) {
+               case (HAB_CMD_WRT_DAT):
+                       puts("Error: Deprecated write command found\n");
+                       return false;
+               case (HAB_CMD_CHK_DAT):
+                       puts("Error: Deprecated check command found\n");
+                       return false;
+               case (HAB_CMD_SET):
+                       if (cmd->par == HAB_PAR_MID) {
+                               puts("Error: Deprecated Set MID command found\n");
+                               return false;
+                       }
+               default:
+                       break;
+               }
+
                cmd_hdr_len = get_csf_cmd_hdr_len(&csf_hdr[offset]);
                if (!cmd_hdr_len) {
                        puts("Error: Invalid command length\n");