ARM: tegra20: tegra30: support EBTUPDATE on non-encrypted devices
Re-crypt support was extended to devices without burnt SBK. In case
SBK is not set, place from where it is read is filled with zeroes.
This patch adds support for ebtupdate function to detect nosbk device
and avoid crypto operations for it.
Tested-by: Maksim Kurnosenko <asusx2@mail.ru>
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
diff --git a/arch/arm/mach-tegra/tegra20/bct.c b/arch/arm/mach-tegra/tegra20/bct.c
index 5eb4899..b2c44f3 100644
--- a/arch/arm/mach-tegra/tegra20/bct.c
+++ b/arch/arm/mach-tegra/tegra20/bct.c
@@ -11,6 +11,9 @@
#include "bct.h"
#include "uboot_aes.h"
+/* Device with "sbk burned: false" will expose zero key */
+const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
+
/*
* @param bct boot config table start in RAM
* @param ect bootloader start in RAM
@@ -23,22 +26,27 @@
u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
u8 sbk[AES128_KEY_LENGTH] = { 0 };
u8 *bct_hash = bct;
+ bool encrypted;
int ret;
bct += BCT_HASH;
+ ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
NVBOOT_CMAC_AES_HASH_LENGTH * 4);
- ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
- ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+ if (encrypted) {
+ ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
- ret = encrypt_data_block(ebt, ebt_size, sbk);
- if (ret)
- return 1;
+ ret = encrypt_data_block(ebt, ebt_size, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
if (ret)
@@ -52,9 +60,11 @@
bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
bct_tbl->bootloader[0].length = ebt_size;
- ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ if (encrypted) {
+ ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
if (ret)
diff --git a/arch/arm/mach-tegra/tegra30/bct.c b/arch/arm/mach-tegra/tegra30/bct.c
index c56958d..cff1a3e 100644
--- a/arch/arm/mach-tegra/tegra30/bct.c
+++ b/arch/arm/mach-tegra/tegra30/bct.c
@@ -11,6 +11,9 @@
#include "bct.h"
#include "uboot_aes.h"
+/* Device with "sbk burned: false" will expose zero key */
+const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
+
/*
* @param bct boot config table start in RAM
* @param ect bootloader start in RAM
@@ -23,22 +26,27 @@
u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
u8 sbk[AES128_KEY_LENGTH] = { 0 };
u8 *bct_hash = bct;
+ bool encrypted;
int ret;
bct += BCT_HASH;
+ ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
NVBOOT_CMAC_AES_HASH_LENGTH * 4);
- ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
- ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+ if (encrypted) {
+ ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
- ret = encrypt_data_block(ebt, ebt_size, sbk);
- if (ret)
- return 1;
+ ret = encrypt_data_block(ebt, ebt_size, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
if (ret)
@@ -52,9 +60,11 @@
bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
bct_tbl->bootloader[0].length = ebt_size;
- ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ if (encrypted) {
+ ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
if (ret)