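/*
 * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <assert.h>

#include <common/debug.h>
#include <common/tf_crc32.h>
#include <common/tbbr/tbbr_img_def.h>
#include <drivers/fwu/fwu.h>
#include <drivers/fwu/fwu_metadata.h>
#include <drivers/io/io_storage.h>

#include <plat/common/platform.h>

/*
 * Assert that crc_32 is the first member of fwu_metadata structure.
 * It avoids accessing data outside of the metadata structure during
 * CRC32 computation if the crc_32 field gets moved due to the addition
 * of structure member(s) in the future.
 */
CASSERT((offsetof(struct fwu_metadata, crc_32) == 0),
	crc_32_must_be_first_member_of_structure);

/*
 * Ensure that the NR_OF_FW_BANKS selected by the platform is not
 * zero and not greater than the maximum number of banks allowed
 * by the specification.
 */
CASSERT((NR_OF_FW_BANKS > 0) && (NR_OF_FW_BANKS <= NR_OF_MAX_FW_BANKS),
	assert_fwu_num_banks_invalid_value);

#define FWU_METADATA_VERSION		2U
#define FWU_FW_STORE_DESC_OFFSET	0x20U

/*
 * Local copy of the FWU metadata. It is filled straight from NV storage by
 * fwu_metadata_load() and is only meaningful once that function has returned
 * 0 (see is_metadata_initialized).
 */
static struct fwu_metadata metadata;

/*
 * Set by fwu_init() after a metadata copy passed the sanity and CRC checks.
 * Only read from assert(), hence __unused for builds without assertions.
 */
static bool is_metadata_initialized __unused;

/*******************************************************************************
 * Compute CRC32 of the FWU metadata, and check it against the CRC32 value
 * present in the FWU metadata.
 *
 * The CRC covers every byte of the structure after the leading crc_32 field.
 *
 * NOTE: CRC32 is an unkeyed checksum. It detects accidental corruption of the
 * stored metadata, but anything able to write the NV storage can recompute a
 * matching value. This file performs no cryptographic authentication of the
 * metadata, so bank selection derived from it must not be treated as a
 * substitute for authenticating the images that are subsequently loaded.
 *
 * return -1 on error, otherwise 0
 ******************************************************************************/
static int fwu_metadata_crc_check(void)
{
	unsigned char *data = (unsigned char *)&metadata;

	/* Skip the stored CRC itself; it is the first member (see CASSERT). */
	uint32_t calc_crc = tf_crc32(0U, data + sizeof(metadata.crc_32),
				     (sizeof(metadata) -
				      sizeof(metadata.crc_32)));

	if (metadata.crc_32 != calc_crc) {
		return -1;
	}

	return 0;
}

/*******************************************************************************
 * Check the sanity of FWU metadata.
 *
 * Validates the version, bounds both bank indices by NR_OF_FW_BANKS and checks
 * the descriptor offset (plus the bank/image counts when
 * PSA_FWU_METADATA_FW_STORE_DESC is enabled) against the build-time
 * configuration. The index bounds established here are what the accessors
 * below rely on when they index metadata.bank_state[].
 *
 * return -EINVAL on error, otherwise 0
 ******************************************************************************/
static int fwu_metadata_sanity_check(void)
{
	if (metadata.version != FWU_METADATA_VERSION) {
		WARN("Incorrect FWU Metadata version of %u\n",
		     metadata.version);
		return -EINVAL;
	}

	if (metadata.active_index >= NR_OF_FW_BANKS) {
		WARN("Active Index value(%u) greater than the configured value(%d)\n",
		     metadata.active_index, NR_OF_FW_BANKS);
		return -EINVAL;
	}

	if (metadata.previous_active_index >= NR_OF_FW_BANKS) {
		WARN("Previous Active Index value(%u) greater than the configured value(%d)\n",
		     metadata.previous_active_index, NR_OF_FW_BANKS);
		return -EINVAL;
	}

#if PSA_FWU_METADATA_FW_STORE_DESC
	if (metadata.fw_desc.num_banks != NR_OF_FW_BANKS) {
		WARN("Number of Banks(%u) in FWU Metadata different from the configured value(%d)\n",
		     metadata.fw_desc.num_banks, NR_OF_FW_BANKS);
		return -EINVAL;
	}

	if (metadata.fw_desc.num_images != NR_OF_IMAGES_IN_FW_BANK) {
		WARN("Number of Images(%u) in FWU Metadata different from the configured value(%d)\n",
		     metadata.fw_desc.num_images, NR_OF_IMAGES_IN_FW_BANK);
		return -EINVAL;
	}

	if (metadata.desc_offset != FWU_FW_STORE_DESC_OFFSET) {
		WARN("Descriptor Offset(0x%x) in the FWU Metadata not equal to 0x20\n",
		     metadata.desc_offset);
		return -EINVAL;
	}
#else
	if (metadata.desc_offset != 0U) {
		WARN("Descriptor offset has non zero value of 0x%x\n",
		     metadata.desc_offset);
		return -EINVAL;
	}
#endif

	return 0;
}

/*******************************************************************************
 * Verify and load specified FWU metadata image to local FWU metadata structure.
 *
 * @image_id: FWU metadata image id (either FWU_METADATA_IMAGE_ID or
 *            BKUP_FWU_METADATA_IMAGE_ID)
 *
 * The image is read directly into the file-static metadata structure and only
 * then checked, so on a non-zero return that structure may hold partial or
 * unvalidated content and must not be consumed.
 *
 * return a negative value on error, otherwise 0
 ******************************************************************************/
static int fwu_metadata_load(unsigned int image_id)
{
	int result;
	uintptr_t dev_handle, image_handle, image_spec;
	size_t bytes_read;

	assert((image_id == FWU_METADATA_IMAGE_ID) ||
	       (image_id == BKUP_FWU_METADATA_IMAGE_ID));

	result = plat_fwu_set_metadata_image_source(image_id,
						    &dev_handle,
						    &image_spec);
	if (result != 0) {
		WARN("Failed to set reference to image id=%u (%i)\n",
		     image_id, result);
		return result;
	}

	result = io_open(dev_handle, image_spec, &image_handle);
	if (result != 0) {
		/* Nothing was opened, so return without going through exit. */
		WARN("Failed to open image id=%u (%i)\n",
		     image_id, result);
		return result;
	}

	result = io_read(image_handle, (uintptr_t)&metadata,
			 sizeof(struct fwu_metadata), &bytes_read);

	if (result != 0) {
		WARN("Failed to read image id=%u (%i)\n", image_id, result);
		goto exit;
	}

	if (sizeof(struct fwu_metadata) != bytes_read) {
		/* return -1 in case of partial/no read */
		result = -1;
		WARN("Read bytes (%zu) instead of expected (%zu) bytes\n",
		     bytes_read, sizeof(struct fwu_metadata));
		goto exit;
	}

	/* sanity check on loaded parameters */
	result = fwu_metadata_sanity_check();
	if (result != 0) {
		WARN("Sanity %s\n", "check failed on FWU metadata");
		goto exit;
	}

	/* CRC check on loaded parameters */
	result = fwu_metadata_crc_check();
	if (result != 0) {
		WARN("CRC %s\n", "check failed on FWU metadata");
	}

exit:
	(void)io_close(image_handle);

	return result;
}

/*******************************************************************************
 * Check for an alternate bank for the platform to boot from. This function will
 * mostly be called whenever the count of the number of times a platform boots
 * in the Trial State exceeds a pre-set limit.
 * The function first checks if the platform can boot from the previously active
 * bank. If not, it tries to find another bank in the accepted state.
 * And finally, if both the checks fail, as a last resort, it tries to find
 * a valid bank.
 *
 * Must be called after fwu_init(): previous_active_index is used as an array
 * index and is only bounded by the sanity check run while loading the
 * metadata.
 *
 * Returns the index of a bank to boot, else returns invalid index
 * INVALID_BOOT_IDX.
 ******************************************************************************/
uint32_t fwu_get_alternate_boot_bank(void)
{
	uint32_t i;

	/* Same precondition as the other metadata accessors in this file. */
	assert(is_metadata_initialized);

	/* First check if the previously active bank can be used */
	if (metadata.bank_state[metadata.previous_active_index] ==
	    FWU_BANK_STATE_ACCEPTED) {
		return metadata.previous_active_index;
	}

	/* Now check for any other bank in the accepted state */
	for (i = 0U; i < NR_OF_FW_BANKS; i++) {
		if (i == metadata.active_index ||
		    i == metadata.previous_active_index) {
			continue;
		}

		if (metadata.bank_state[i] == FWU_BANK_STATE_ACCEPTED) {
			return i;
		}
	}

	/*
	 * No accepted bank found. Now try booting from a valid bank.
	 * Give priority to the previous active bank.
	 */
	if (metadata.bank_state[metadata.previous_active_index] ==
	    FWU_BANK_STATE_VALID) {
		return metadata.previous_active_index;
	}

	for (i = 0U; i < NR_OF_FW_BANKS; i++) {
		if (i == metadata.active_index ||
		    i == metadata.previous_active_index) {
			continue;
		}

		if (metadata.bank_state[i] == FWU_BANK_STATE_VALID) {
			return i;
		}
	}

	return INVALID_BOOT_IDX;
}

/*******************************************************************************
 * The platform can be in one of Valid, Invalid or Accepted states.
 *
 * Invalid - One or more images in the bank are corrupted, or partially
 *           overwritten. The bank is not to be used for booting.
 *
 * Valid - All images of the bank are valid but at least one image has not
 *         been accepted. This implies that the platform is in Trial State.
 *
 * Accepted - All images of the bank are valid and accepted.
 *
 * Returns the state of the current active bank
 ******************************************************************************/
uint32_t fwu_get_active_bank_state(void)
{
	assert(is_metadata_initialized);

	/* active_index was bounded by NR_OF_FW_BANKS in the sanity check. */
	return metadata.bank_state[metadata.active_index];
}

/*******************************************************************************
 * Return a read-only pointer to the local FWU metadata structure.
 *
 * The pointer refers to the file-static copy filled by fwu_init(), which must
 * have been called first.
 ******************************************************************************/
const struct fwu_metadata *fwu_get_metadata(void)
{
	assert(is_metadata_initialized);

	return &metadata;
}

/*******************************************************************************
 * Load verified copy of FWU metadata image kept in the platform NV storage
 * into local FWU metadata structure. "Verified" here means that the copy
 * passed the sanity and CRC32 checks in fwu_metadata_load().
 * Also, update platform I/O policies with the offset address and length of
 * firmware-updated images kept in the platform NV storage.
 *
 * The primary copy is tried first and the backup copy second; if neither
 * loads cleanly the function does not return (panic).
 ******************************************************************************/
void fwu_init(void)
{
	/* Load FWU metadata which will be used to load the images in the
	 * active bank as per PSA FWU specification
	 */
	int result = fwu_metadata_load(FWU_METADATA_IMAGE_ID);

	if (result != 0) {
		WARN("loading of FWU-Metadata failed, "
		     "using Bkup-FWU-Metadata\n");

		result = fwu_metadata_load(BKUP_FWU_METADATA_IMAGE_ID);
		if (result != 0) {
			ERROR("loading of Bkup-FWU-Metadata failed\n");
			panic();
		}
	}

	/* Only reached with a copy that passed both checks. */
	is_metadata_initialized = true;

	plat_fwu_set_images_source(&metadata);
}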