Changes between Version 33 and Version 34 of venice/secure_boot


Ignore:
Timestamp:
05/16/2024 08:53:31 PM (6 months ago)
Author:
Tim Harvey
Comment:

added linux methods for reading/blowing OTP fuses

Legend:

Unmodified
Added
Removed
Modified

  • venice/secure_boot

    v33 v34  
    201201   * **OTP fuses can only be programmed once - be careful to use the correct values**
    202202   * **IF YOU WISH TO IMPLEMENT DISK ENCRYPTION AS WELL: FINISH FDE SETUP AND COME BACK TO THIS**
     203   * via U-Boot:
    203204{{{#!bash
    204205fuse prog -y 6 0 0xDCE644DB
     
    211212fuse prog -y 7 3 0xDB9B5895
    212213}}}
     214   * via Linux:
     215{{{#!bash
     216# read OTP fuse
     217# $1 bank
     218# $2 word
     219# OTP is arranged as banks of 32bit words so we access with bs=4 and skip to the word we want
     220OCOTP_DEV=/sys/devices/platform/soc@0/30000000.bus/30350000.efuse/imx-ocotp0/nvmem
     221fuse_read()
     222{
     223        local bank=$1
     224        local word=$2
     225        local offset=$(($((bank*4))+((word%4))))
     226        # and can use hexdump to display as a 32bit int
     227        dd if=$OCOTP_DEV bs=4 count=1 skip=$offset 2>/dev/null | hexdump -v -e '1/4 "0x%08x"'
     228}
     229
     230# blow OTP fuse
     231#  $1 bank
     232#  $2 word
     233#  $3 value
     234fuse_blow() {
     235        local bank=$1
     236        local word=$2
     237        local val=$3
     238        local offset=$(($((bank*4))+((word%4))))
     239
     240        echo "fuse_blow: bank$bank word$word offset=$offset val=$val"
     241        # output binary 32bit int
     242        local b0=$(( $((val>>24)) & 0xff))
     243        local b1=$(( $((val>>16)) & 0xff))
     244        local b2=$(( $((val>>8)) & 0xff))
     245        local b3=$(( $((val>>0)) & 0xff))
     246        printf "\\x$(printf "%x" $b3)\\x$(printf "%x" $b2)\\x$(printf "%x" $b1)\\x$(printf "%x" $b0)" |
     247                dd of=$OCOTP_DEV bs=4 seek=$offset 2>/dev/null
     248}
     249
     250echo "Current SRK_FUSES:"
     251echo $(fuse_read 6 0)
     252echo $(fuse_read 6 1)
     253echo $(fuse_read 6 2)
     254echo $(fuse_read 6 3)
     255echo $(fuse_read 7 0)
     256echo $(fuse_read 7 1)
     257echo $(fuse_read 7 2)
     258echo $(fuse_read 7 3)
     259echo $(fuse_read 1 3)
     260
     261echo "Blowing fuses from $SRK_HASH..."
     262bank=6
     263word=0
     264for i in $(hexdump -e '/4 "0x"' -e '/4 "%X""\n"' $SRK_HASH); do
     265     fuse_blow $bank $word $i
     266     word=$((word+1))
     267     [ $word -eq 4 ] && {
     268          word=0
     269          bank=$((bank+1))
     270     }
     271done
     272}}}
    213273 6. Boot it again and verify no HAB events:
    214274{{{#!bash
     
    220280}}}
    221281 7. Close the device (lock it down!) - this step is irreversible, make sure there are no HAB events from the prior step
     282  * via U-Boot:
    222283{{{#!bash
    223284u-boot=> fuse prog -y 1 3 0x2000000
     285}}}
     286  * via Linux (see above):
     287{{{#!bash
     288fuse blow 1 3 0x2000000
    224289}}}
    225290  * This sets the SEC_CONFIG[1] fuse on the i.MX8M and once done the processor will not load an image that has not been signed using the correct PKI tree