core: pta: add Rockchip secure boot PTA

The S_OTP area for the Rockchip secure boot RSA hash and status register
is accessible only from the secure world. Thus, secure boot must be
enabled from the secure world on these board.

The PTA implements 3 functions:

1. Ask the TA from the non-secure world about the current status and hash
   of the hardware. This allows to inspect the current status of secure
   boot on a specific device.

2. Write an RSA hash into the OTP fuses. It's the responsibility of the
   user to calculate the hash and ensure that it matches the key, which
   will be used to sign the images.

3. Actually lockdown the device by enabling secure boot. This is a
   separate step to allow the user to verify the setup before
   potentially bricking a device.

With these functions, a user may use a client running in the normal
world (for example in a boot loader or operating system) to enable
secure boot on a Rockchip device.

Implementing secure boot setup as an OP-TEE PTA has the advantage that
secure boot can be enabled at any time during the device setup instead
of during early boot. This allows a developer/user or additional scripts
to interact with the secure boot setup process.

The hash of the root key is accepted and reported as calculated by
sha256sum and internally converted to the correct byte order that needs
to be burned into the fuses.

Signed-off-by: Michael Tretter <[email protected]>

Author: tretter

core/pta/rockchip/rk_secure_boot.c

@@ -0,0 +1,289 @@
+// SPDX-License-Identifier: BSD-2-Clause
+/*
+ * Copyright (C) 2025, Pengutronix, Michael Tretter <[email protected]>
+ */
+
+#include <config.h>
+#include <kernel/pseudo_ta.h>
+#include <kernel/tee_misc.h>
+#include <tee/uuid.h>
+#include <utee_defines.h>
+#include <string.h>
+
+#include <pta_rk_secure_boot.h>
+
+#include <drivers/rockchip_otp.h>
+
+#define PTA_NAME "rk_secure_boot.pta"
+
+static void u32_to_bytes(uint32_t u32, uint8_t *bytes)
+{
+	size_t i;
+
+	for (i = 0; i < sizeof(u32); i++)
+		*(bytes + i) = (uint8_t) (u32 >> (i * 8));
+}
+
+static void bytes_to_u32(uint8_t *bytes, uint32_t *u32)
+{
+	size_t i;
+
+	*u32 = 0;
+	for (i = 0; i < sizeof(u32); i++)
+		*u32 += (uint32_t)*(bytes + i) << (i * 8);
+}
+
+static void print_hash(const char *name, uint32_t *hash)
+{
+	EMSG("%s0x%08x, 0x%08x, 0x%08x, 0x%08x, 0x%08x, 0x%08x, 0x%08x, 0x%08x\n",
+	     name, hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7]);
+}
+
+static bool secure_boot_status_enabled(uint32_t status)
+{
+	return (status & SECURE_BOOT_STATUS_ENABLE) == SECURE_BOOT_STATUS_ENABLE;
+}
+
+static TEE_Result get_info(uint32_t param_types,
+			   TEE_Param params[TEE_NUM_PARAMS])
+{
+	TEE_Result res = TEE_ERROR_GENERIC;
+	struct pta_rk_secure_boot_info *info = NULL;
+	uint32_t status = 0;
+	uint32_t hash[RSA_HASH_LENGTH];
+	size_t i;
+
+	if (param_types != TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_OUTPUT,
+					   TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	if (!IS_ALIGNED_WITH_TYPE(params[0].memref.buffer, typeof(*info)))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	info = params[0].memref.buffer;
+	if (!info || params[0].memref.size != sizeof(*info))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	memset(info, 0, sizeof(*info));
+
+	res = tee_otp_read_secure(&status,
+				  SECURE_BOOT_STATUS_INDEX,
+				  SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+
+	res = tee_otp_read_secure(hash, RSA_HASH_INDEX, RSA_HASH_LENGTH);
+	if (res)
+		return res;
+
+	info->enabled = secure_boot_status_enabled(status);
+	for (i = 0; i < ARRAY_SIZE(hash); i++)
+		u32_to_bytes(hash[i], &info->hash.value[i * sizeof(uint32_t)]);
+#if !defined(SECURE_BOOT_ENABLE_DANGEROUS)
+	info->simulation = 1;
+#else
+	info->simulation = 0;
+#endif
+
+	return TEE_SUCCESS;
+}
+
+/* Compare the hashes and return the number of identical bytes */
+static size_t hash_cmp(uint32_t *a, uint32_t *b, size_t s)
+{
+	size_t i;
+
+	for (i = 0; i < s; i++) {
+		if (b && a[i] == b[i]) {
+			continue;
+		} else if (a[i] == 0x0) {
+			break;
+		} else if (!b) {
+			continue;
+		} else {
+			EMSG("Burned hash differs from new hash");
+			return TEE_ERROR_GENERIC;
+		}
+	}
+
+	return i;
+}
+
+static TEE_Result burn_hash(uint32_t param_types,
+			    TEE_Param params[TEE_NUM_PARAMS])
+{
+	TEE_Result res = TEE_SUCCESS;
+	struct pta_rk_secure_boot_hash *hash;
+	size_t hash_sz;
+	uint32_t status;
+	uint32_t new_hash[RSA_HASH_LENGTH];
+	uint32_t old_hash[RSA_HASH_LENGTH];
+	size_t i;
+
+	if (param_types != TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
+					   TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	hash = params[0].memref.buffer;
+	hash_sz = params[0].memref.size;
+	if (!hash || hash_sz != sizeof(*hash))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	res = tee_otp_read_secure(&status,
+				  SECURE_BOOT_STATUS_INDEX,
+				  SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+	if (secure_boot_status_enabled(status))
+		return TEE_SUCCESS;
+
+	for (i = 0; i < ARRAY_SIZE(new_hash); i++)
+		bytes_to_u32(&hash->value[i * sizeof(uint32_t)], &new_hash[i]);
+
+	print_hash("Burning new hash ", new_hash);
+	res = tee_otp_read_secure(old_hash, RSA_HASH_INDEX, RSA_HASH_LENGTH);
+	if (res)
+		return res;
+	i = hash_cmp(old_hash, new_hash, ARRAY_SIZE(new_hash));
+	if (i == TEE_ERROR_GENERIC) {
+		print_hash("Refuse to write new hash. Burned hash is ", old_hash);
+		return TEE_ERROR_GENERIC;
+	}
+
+#if !defined(SECURE_BOOT_ENABLE_DANGEROUS)
+	print_hash("Skip burning new hash ", new_hash);
+#else
+	print_hash("Burning new hash ", new_hash);
+	res = tee_otp_write_secure(new_hash,
+				   RSA_HASH_INDEX + i,
+				   RSA_HASH_LENGTH - i);
+	if (res)
+		return res;
+
+	res = tee_otp_read_secure(old_hash, RSA_HASH_INDEX, RSA_HASH_LENGTH);
+	if (res)
+		return res;
+	if (hash_cmp(old_hash, new_hash, ARRAY_SIZE(new_hash)) != ARRAY_SIZE(new_hash)) {
+		print_hash("Failed to burn hash. Burned hash is ", old_hash);
+		return TEE_ERROR_GENERIC;
+	}
+#endif
+
+	/* TODO Pass RSA key length as an argument */
+	status = SECURE_BOOT_STATUS_RSA4096;
+#if !defined(SECURE_BOOT_ENABLE_DANGEROUS)
+	IMSG("Skip writing RSA4096 enable bit: %x", status);
+#else
+	IMSG("Writing RSA4096 enable bit: %x", status);
+	res = tee_otp_write_secure(&status,
+				   SECURE_BOOT_STATUS_INDEX,
+				   SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+
+	res = tee_otp_read_secure(&status,
+				  SECURE_BOOT_STATUS_INDEX,
+				  SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+#endif
+
+	return TEE_SUCCESS;
+}
+
+static TEE_Result lockdown_device(uint32_t param_types,
+				  TEE_Param params[TEE_NUM_PARAMS] __unused)
+{
+	TEE_Result res = TEE_ERROR_GENERIC;
+	uint32_t status;
+	uint32_t hash[RSA_HASH_LENGTH];
+
+	if (param_types != TEE_PARAM_TYPES(TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE,
+					   TEE_PARAM_TYPE_NONE))
+		return TEE_ERROR_BAD_PARAMETERS;
+
+	res = tee_otp_read_secure(&status,
+				  SECURE_BOOT_STATUS_INDEX,
+				  SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+	if (secure_boot_status_enabled(status))
+		return TEE_SUCCESS;
+
+	res = tee_otp_read_secure(hash, RSA_HASH_INDEX, RSA_HASH_LENGTH);
+	if (res)
+		return res;
+	if (hash_cmp(hash, NULL, ARRAY_SIZE(hash) < ARRAY_SIZE(hash))) {
+		print_hash("Hash not burned yet. Burned hash is ", hash);
+		return TEE_ERROR_GENERIC;
+	}
+
+	status = SECURE_BOOT_STATUS_ENABLE;
+#if !defined(SECURE_BOOT_ENABLE_DANGEROUS)
+	IMSG("Skip writing secure boot enable bit: %x", status);
+#else
+	IMSG("Writing secure boot enable bit: %x", status);
+	res = tee_otp_write_secure(&status,
+				   SECURE_BOOT_STATUS_INDEX,
+				   SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+
+	res = tee_otp_read_secure(&status,
+				  SECURE_BOOT_STATUS_INDEX,
+				  SECURE_BOOT_STATUS_LENGTH);
+	if (res)
+		return res;
+	if (secure_boot_status_enabled(status)) {
+		EMSG("Failed to enable secure boot");
+		return TEE_ERROR_GENERIC;
+	}
+#endif
+
+	return TEE_SUCCESS;
+}
+
+static TEE_Result invoke_command(void *sess_ctx __unused, uint32_t cmd_id,
+				 uint32_t param_types,
+				 TEE_Param params[TEE_NUM_PARAMS])
+{
+	TEE_Result res = TEE_ERROR_BAD_PARAMETERS;
+	TEE_Result res2 = TEE_ERROR_GENERIC;
+	TEE_Param bparams[TEE_NUM_PARAMS] = { };
+	TEE_Param *eparams = NULL;
+
+	res = to_bounce_params(param_types, params, bparams, &eparams);
+	if (res)
+		return res;
+
+	switch (cmd_id) {
+	case PTA_RK_SECURE_BOOT_GET_INFO:
+		res = get_info(param_types, eparams);
+		break;
+	case PTA_RK_SECURE_BOOT_BURN_HASH:
+		res = burn_hash(param_types, eparams);
+		break;
+	case PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE:
+		res = lockdown_device(param_types, eparams);
+		break;
+	default:
+		break;
+	}
+
+	res2 = from_bounce_params(param_types, params, bparams, eparams);
+	if (!res && res2)
+		res = res2;
+
+	return res;
+}
+
+pseudo_ta_register(.uuid = PTA_RK_SECURE_BOOT_UUID,
+		   .name = PTA_NAME,
+		   .flags = PTA_DEFAULT_FLAGS,
+		   .invoke_command_entry_point = invoke_command);

core/pta/rockchip/sub.mk

@@ -0,0 +1,2 @@
+# TODO Add actual config item
+srcs-y += rk_secure_boot.c

core/pta/sub.mk

@@ -19,6 +19,7 @@ subdirs-y += bcm
 subdirs-y += stm32mp
 subdirs-y += imx
 subdirs-y += k3
+subdirs-y += rockchip
 subdirs-y += veraison_attestation
 
 ifeq ($(CFG_REMOTEPROC_PTA),y)
@@ -28,4 +29,4 @@ depends-rproc_pub_key = $(RPROC_SIGN_KEY) scripts/pem_to_pub_c.py
 recipe-rproc_pub_key = $(PYTHON3) scripts/pem_to_pub_c.py \
 	--prefix rproc_pub_key --key $(RPROC_SIGN_KEY)    \
 	--out $(sub-dir-out)/rproc_pub_key.c
-endif
+endif

lib/libutee/include/pta_rk_secure_boot.h

@@ -0,0 +1,45 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*
+ * Copyright (C) 2025, Pengutronix, Michael Tretter <[email protected]>
+ */
+
+#ifndef __PTA_RK_SECURE_BOOT_H
+#define __PTA_RK_SECURE_BOOT_H
+
+#include <tee_api_types.h>
+
+#define PTA_RK_SECURE_BOOT_UUID { 0x5cfa57f6, 0x1a4c, 0x407f, \
+	{ 0x94, 0xa7, 0xa5, 0x6c, 0x8c, 0x47, 0x01, 0x9d } }
+
+struct pta_rk_secure_boot_hash {
+	/* sha256 has 256 bit */
+	uint8_t value[32];
+};
+
+/* TODO Add a version field for this struct? */
+struct pta_rk_secure_boot_info {
+	uint8_t enabled;
+	uint8_t simulation;
+	struct pta_rk_secure_boot_hash hash;
+};
+
+/*
+ * PTA_RK_SECURE_BOOT_GET_INFO - Get secure boot status info
+ *
+ * [out]    memref[0]   buffer memory reference containing a struct pta_rk_secure_boot_info
+ */
+#define PTA_RK_SECURE_BOOT_GET_INFO		0x0
+
+/*
+ * PTA_RK_SECURE_BOOT_BURN_HASH - Burn the RSA key hash to fuses
+ *
+ * [in]    memref[0]   buffer memory reference containing a struct pta_rk_secure_boot_hash
+ */
+#define PTA_RK_SECURE_BOOT_BURN_HASH		0x1
+
+/*
+ * PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE - Lockdown the device with secure boot
+ */
+#define PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE	0x2
+
+#endif /* __PTA_ROCKCHIP_OTP_H */