10ec3ac60SManish V Badarkhe /*
2aae7c96dSSebastien Pasdeloup * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
30ec3ac60SManish V Badarkhe *
40ec3ac60SManish V Badarkhe * SPDX-License-Identifier: BSD-3-Clause
50ec3ac60SManish V Badarkhe */
60ec3ac60SManish V Badarkhe
70ec3ac60SManish V Badarkhe #include <assert.h>
80ec3ac60SManish V Badarkhe
90ec3ac60SManish V Badarkhe #include <common/debug.h>
10c885d5c8SManish V Badarkhe #include <common/tf_crc32.h>
110ec3ac60SManish V Badarkhe #include <common/tbbr/tbbr_img_def.h>
120ec3ac60SManish V Badarkhe #include <drivers/fwu/fwu.h>
130ec3ac60SManish V Badarkhe #include <drivers/fwu/fwu_metadata.h>
140ec3ac60SManish V Badarkhe #include <drivers/io/io_storage.h>
150ec3ac60SManish V Badarkhe
160ec3ac60SManish V Badarkhe #include <plat/common/platform.h>
170ec3ac60SManish V Badarkhe
/*
 * Assert that crc_32 is the first member of fwu_metadata structure.
 * It avoids accessing data outside of the metadata structure during
 * CRC32 computation if the crc_32 field gets moved due to the addition
 * of structure member(s) in the future.
 */
CASSERT((offsetof(struct fwu_metadata, crc_32) == 0),
	crc_32_must_be_first_member_of_structure);

/*
 * Ensure that the NR_OF_FW_BANKS selected by the platform is not
 * zero and not greater than the maximum number of banks allowed
 * by the specification.
 */
CASSERT((NR_OF_FW_BANKS > 0) && (NR_OF_FW_BANKS <= NR_OF_MAX_FW_BANKS),
	assert_fwu_num_banks_invalid_value);

/* Only metadata carrying this version passes fwu_metadata_sanity_check(). */
#define FWU_METADATA_VERSION 2U
/* desc_offset value required when PSA_FWU_METADATA_FW_STORE_DESC is set. */
#define FWU_FW_STORE_DESC_OFFSET 0x20U

/*
 * Local copy of the FWU metadata. fwu_metadata_load() reads the image from
 * storage straight into this object before any check has run.
 */
static struct fwu_metadata metadata;
/*
 * Set to true at the end of fwu_init(). In this file it is only read inside
 * assert(), which is presumably why it is marked __unused.
 */
static bool is_metadata_initialized __unused;
400ec3ac60SManish V Badarkhe
/*******************************************************************************
 * Recompute the CRC32 of the local FWU metadata copy and compare it with the
 * crc_32 value stored in that copy.
 *
 * The checksum is taken over every byte that follows the crc_32 field; the
 * CASSERT near the top of this file pins that field to offset 0.
 *
 * NOTE(review): a matching CRC32 shows the data was not accidentally
 * corrupted. It is not an authentication check, and no other authentication
 * of the metadata is visible in this file.
 *
 * return -1 on mismatch, otherwise 0
 ******************************************************************************/
static int fwu_metadata_crc_check(void)
{
	const size_t crc_len = sizeof(metadata.crc_32);
	unsigned char *payload = (unsigned char *)&metadata + crc_len;
	uint32_t computed = tf_crc32(0U, payload, sizeof(metadata) - crc_len);

	return (computed == metadata.crc_32) ? 0 : -1;
}
610ec3ac60SManish V Badarkhe
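/*******************************************************************************
 * Check the sanity of FWU metadata.
 *
 * Compares the fields of the local metadata copy with the build-time
 * configuration: the metadata version, the active and previous-active bank
 * indices and the descriptor offset, plus the bank and image counts when
 * PSA_FWU_METADATA_FW_STORE_DESC is enabled.
 *
 * The two index checks are what keep the later metadata.bank_state[] lookups
 * by active_index and previous_active_index below NR_OF_FW_BANKS.
 *
 * Every warning ends with a newline so that a rejected metadata image leaves
 * one complete line in the log.
 *
 * return -EINVAL on error, otherwise 0
 ******************************************************************************/
static int fwu_metadata_sanity_check(void)
{
	if (metadata.version != FWU_METADATA_VERSION) {
		WARN("Incorrect FWU Metadata version of %u\n",
		     metadata.version);
		return -EINVAL;
	}

	/* Valid bank indices are 0 .. NR_OF_FW_BANKS - 1. */
	if (metadata.active_index >= NR_OF_FW_BANKS) {
		WARN("Active Index value(%u) greater than the configured value(%d)\n",
		     metadata.active_index, NR_OF_FW_BANKS);
		return -EINVAL;
	}

	if (metadata.previous_active_index >= NR_OF_FW_BANKS) {
		WARN("Previous Active Index value(%u) greater than the configured value(%d)\n",
		     metadata.previous_active_index, NR_OF_FW_BANKS);
		return -EINVAL;
	}

#if PSA_FWU_METADATA_FW_STORE_DESC
	/* The firmware store descriptor must match the build configuration. */
	if (metadata.fw_desc.num_banks != NR_OF_FW_BANKS) {
		WARN("Number of Banks(%u) in FWU Metadata different from the configured value(%d)\n",
		     metadata.fw_desc.num_banks, NR_OF_FW_BANKS);
		return -EINVAL;
	}

	if (metadata.fw_desc.num_images != NR_OF_IMAGES_IN_FW_BANK) {
		WARN("Number of Images(%u) in FWU Metadata different from the configured value(%d)\n",
		     metadata.fw_desc.num_images, NR_OF_IMAGES_IN_FW_BANK);
		return -EINVAL;
	}

	if (metadata.desc_offset != FWU_FW_STORE_DESC_OFFSET) {
		WARN("Descriptor Offset(0x%x) in the FWU Metadata not equal to 0x20\n",
		     metadata.desc_offset);
		return -EINVAL;
	}
#else
	/* Without a firmware store descriptor the offset has to be zero. */
	if (metadata.desc_offset != 0U) {
		WARN("Descriptor offset has non zero value of 0x%x\n",
		     metadata.desc_offset);
		return -EINVAL;
	}
#endif

	return 0;
}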
1150ec3ac60SManish V Badarkhe
/*******************************************************************************
 * Read the given FWU metadata image into the local metadata structure and
 * check it.
 *
 * @image_id: FWU metadata image id (either FWU_METADATA_IMAGE_ID or
 *            BKUP_FWU_METADATA_IMAGE_ID)
 *
 * The image is read directly into the file-scope metadata object, so that
 * object holds unchecked (possibly partial) data whenever this function
 * returns non-zero. Callers must use it only after a return value of 0.
 *
 * The field sanity checks run before the CRC32 comparison, i.e. on data whose
 * checksum has not been compared yet.
 *
 * return a negative value on error, otherwise 0
 ******************************************************************************/
static int fwu_metadata_load(unsigned int image_id)
{
	const size_t expected_len = sizeof(struct fwu_metadata);
	uintptr_t dev, spec, handle;
	size_t nread;
	int rc;

	assert((image_id == FWU_METADATA_IMAGE_ID) ||
	       (image_id == BKUP_FWU_METADATA_IMAGE_ID));

	rc = plat_fwu_set_metadata_image_source(image_id, &dev, &spec);
	if (rc != 0) {
		WARN("Failed to set reference to image id=%u (%i)\n",
		     image_id, rc);
		return rc;
	}

	rc = io_open(dev, spec, &handle);
	if (rc != 0) {
		WARN("Failed to load image id id=%u (%i)\n",
		     image_id, rc);
		return rc;
	}

	/* From here on the image handle is closed on every path. */
	rc = io_read(handle, (uintptr_t)&metadata, expected_len, &nread);
	if (rc != 0) {
		WARN("Failed to read image id=%u (%i)\n", image_id, rc);
	} else if (nread != expected_len) {
		/* A partial or empty read is reported as -1. */
		rc = -1;
		WARN("Read bytes (%zu) instead of expected (%zu) bytes\n",
		     nread, expected_len);
	} else {
		/* Field checks first, then the CRC32 comparison. */
		rc = fwu_metadata_sanity_check();
		if (rc != 0) {
			WARN("Sanity %s\n", "check failed on FWU metadata");
		} else {
			rc = fwu_metadata_crc_check();
			if (rc != 0) {
				WARN("CRC %s\n", "check failed on FWU metadata");
			}
		}
	}

	(void)io_close(handle);

	return rc;
}
1830ec3ac60SManish V Badarkhe
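/*******************************************************************************
 * Check for an alternate bank for the platform to boot from. This function will
 * mostly be called whenever the count of the number of times a platform boots
 * in the Trial State exceeds a pre-set limit.
 * The function first checks if the platform can boot from the previously active
 * bank. If not, it tries to find another bank in the accepted state.
 * And finally, if both the checks fail, as a last resort, it tries to find
 * a valid bank.
 *
 * Like the other accessors in this file, it asserts that fwu_init() has
 * loaded the metadata. The bank_state[] lookups below rely on the index range
 * checks done by fwu_metadata_sanity_check() at load time.
 *
 * NOTE(review): the previous-active checks do not compare
 * previous_active_index with active_index, so if the metadata has both set to
 * the same bank, that bank can be returned as the "alternate" - confirm
 * whether this case needs handling.
 *
 * Returns the index of a bank to boot, else returns invalid index
 * INVALID_BOOT_IDX. Callers must test for INVALID_BOOT_IDX before using the
 * result as a bank index.
 ******************************************************************************/
uint32_t fwu_get_alternate_boot_bank(void)
{
	uint32_t i;

	/* Refuse to pick a bank from metadata that was never loaded. */
	assert(is_metadata_initialized);

	/* First check if the previously active bank can be used */
	if (metadata.bank_state[metadata.previous_active_index] ==
	    FWU_BANK_STATE_ACCEPTED) {
		return metadata.previous_active_index;
	}

	/* Now check for any other bank in the accepted state */
	for (i = 0U; i < NR_OF_FW_BANKS; i++) {
		if (i == metadata.active_index ||
		    i == metadata.previous_active_index) {
			continue;
		}

		if (metadata.bank_state[i] == FWU_BANK_STATE_ACCEPTED) {
			return i;
		}
	}

	/*
	 * No accepted bank found. Now try booting from a valid bank.
	 * Give priority to the previous active bank.
	 */
	if (metadata.bank_state[metadata.previous_active_index] ==
	    FWU_BANK_STATE_VALID) {
		return metadata.previous_active_index;
	}

	for (i = 0U; i < NR_OF_FW_BANKS; i++) {
		if (i == metadata.active_index ||
		    i == metadata.previous_active_index) {
			continue;
		}

		if (metadata.bank_state[i] == FWU_BANK_STATE_VALID) {
			return i;
		}
	}

	return INVALID_BOOT_IDX;
}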
240*26aab795SSughosh Ganu
241*26aab795SSughosh Ganu /*******************************************************************************
24256724d09SSughosh Ganu * The platform can be in one of Valid, Invalid or Accepted states.
2430ec3ac60SManish V Badarkhe *
24456724d09SSughosh Ganu * Invalid - One or more images in the bank are corrupted, or partially
24556724d09SSughosh Ganu * overwritten. The bank is not to be used for booting.
24656724d09SSughosh Ganu *
24756724d09SSughosh Ganu * Valid - All images of the bank are valid but at least one image has not
24856724d09SSughosh Ganu * been accepted. This implies that the platform is in Trial State.
24956724d09SSughosh Ganu *
25056724d09SSughosh Ganu * Accepted - All images of the bank are valid and accepted.
25156724d09SSughosh Ganu *
25256724d09SSughosh Ganu * Returns the state of the current active bank
2530ec3ac60SManish V Badarkhe ******************************************************************************/
fwu_get_active_bank_state(void)25456724d09SSughosh Ganu uint32_t fwu_get_active_bank_state(void)
2550ec3ac60SManish V Badarkhe {
256aae7c96dSSebastien Pasdeloup assert(is_metadata_initialized);
2570ec3ac60SManish V Badarkhe
25856724d09SSughosh Ganu return metadata.bank_state[metadata.active_index];
2590ec3ac60SManish V Badarkhe }
2600ec3ac60SManish V Badarkhe
/*******************************************************************************
 * Give callers read-only access to the local FWU metadata copy.
 *
 * The "metadata loaded" precondition is enforced with assert() only.
 *
 * Returns a const pointer to the file-scope metadata structure
 ******************************************************************************/
const struct fwu_metadata *fwu_get_metadata(void)
{
	const struct fwu_metadata *md = &metadata;

	assert(is_metadata_initialized);

	return md;
}
2679adce87eSSughosh Ganu
/*******************************************************************************
 * Load a checked copy of the FWU metadata image kept in the platform NV
 * storage into the local FWU metadata structure, then hand that structure to
 * the platform so it can update its I/O policies for the firmware-updated
 * images.
 *
 * The primary image is tried first; if it cannot be loaded or fails its
 * checks, the backup image goes through the same fwu_metadata_load() path.
 * If the backup fails as well the function calls panic().
 ******************************************************************************/
void fwu_init(void)
{
	/*
	 * The FWU metadata is used to load the images in the active bank
	 * as per PSA FWU specification.
	 */
	if (fwu_metadata_load(FWU_METADATA_IMAGE_ID) != 0) {
		WARN("loading of FWU-Metadata failed, "
		     "using Bkup-FWU-Metadata\n");

		if (fwu_metadata_load(BKUP_FWU_METADATA_IMAGE_ID) != 0) {
			ERROR("loading of Bkup-FWU-Metadata failed\n");
			panic();
		}
	}

	/* Only reached once one of the two copies passed its checks. */
	is_metadata_initialized = true;

	plat_fwu_set_images_source(&metadata);
}