1 /* 2 * (C) Copyright 2015 Google, Inc 3 * Written by Simon Glass <sjg@chromium.org> 4 * 5 * (C) 2017 Theobroma Systems Design und Consulting GmbH 6 * 7 * SPDX-License-Identifier: GPL-2.0+ 8 * 9 * Helper functions for Rockchip images 10 */ 11 12 #include "imagetool.h" 13 #include <image.h> 14 #include <u-boot/sha256.h> 15 #include <rc4.h> 16 #include "mkimage.h" 17 #include "rkcommon.h" 18 19 enum { 20 RK_MAGIC = 0x0ff0aa55, 21 RK_MAGIC_V2 = 0x534E4B52, 22 }; 23 24 enum { 25 RK_HEADER_V1 = 1, 26 RK_HEADER_V2 = 2, 27 }; 28 29 enum hash_type { 30 HASH_NONE = 0, 31 HASH_SHA256 = 1, 32 HASH_SHA512 = 2, 33 }; 34 35 /** 36 * struct image_entry 37 * 38 * @size_and_off: [31:16]image size;[15:0]image offset 39 * @address: default as 0xFFFFFFFF 40 * @flag: no use 41 * @counter: no use 42 * @hash: hash of image 43 * 44 */ 45 struct image_entry { 46 uint32_t size_and_off; 47 uint32_t address; 48 uint32_t flag; 49 uint32_t counter; 50 uint8_t reserved[8]; 51 uint8_t hash[64]; 52 }; 53 54 /** 55 * struct header0_info_v2 - from rk35 on boot rom using the new header block 56 * 57 * This is stored at SD card block 64 (where each block is 512 bytes) 58 * 59 * @magic: Magic (must be RK_MAGIC_V2) 60 * @size_and_nimage: [31:16]number of images;[15:0] 61 * offset to hash field of header(unit as 4Byte) 62 * @boot_flag: [3:0]hash type(0:none,1:sha256,2:sha512) 63 * @signature: hash or signature for header info 64 * 65 */ 66 struct header0_info_v2 { 67 uint32_t magic; 68 uint8_t reserved[4]; 69 uint32_t size_and_nimage; 70 uint32_t boot_flag; 71 uint8_t reserved1[104]; 72 struct image_entry images[4]; 73 uint8_t reserved2[1064]; 74 uint8_t hash[512]; 75 }; 76 77 /** 78 * struct header0_info - header block for boot ROM 79 * 80 * This is stored at SD card block 64 (where each block is 512 bytes, or at 81 * the start of SPI flash. It is encoded with RC4. 82 * 83 * @magic: Magic (must be RK_MAGIC) 84 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 85 * @init_offset: Offset in blocks of the SPL code from this header 86 * block. E.g. 4 means 2KB after the start of this header. 87 * Other fields are not used by U-Boot 88 */ 89 struct header0_info { 90 uint32_t magic; 91 uint8_t reserved[4]; 92 uint32_t disable_rc4; 93 uint16_t init_offset; 94 uint8_t reserved1[492]; 95 uint16_t init_size; 96 uint16_t init_boot_size; 97 uint8_t reserved2[2]; 98 }; 99 100 /** 101 * struct header1 info 102 */ 103 struct header1_info { 104 uint32_t magic; 105 }; 106 107 /** 108 * struct spl_info - spl info for each chip 109 * 110 * @imagename: Image name(passed by "mkimage -n") 111 * @spl_hdr: Boot ROM requires a 4-bytes spl header 112 * @spl_size: Spl size(include extra 4-bytes spl header) 113 * @spl_rc4: RC4 encode the SPL binary (same key as header) 114 * @header_ver: header block version 115 */ 116 struct spl_info { 117 const char *imagename; 118 const char *spl_hdr; 119 const uint32_t spl_size; 120 const bool spl_rc4; 121 const uint32_t header_ver; 122 }; 123 124 static struct spl_info spl_infos[] = { 125 { "rk3036", "RK30", 0x1000, false, RK_HEADER_V1 }, 126 { "rk3066", "RK30", 0x8000, true, RK_HEADER_V1 }, 127 { "rk3128", "RK31", 0x1800, false, RK_HEADER_V1 }, 128 { "rk3188", "RK31", 0x8000 - 0x800, true, RK_HEADER_V1 }, 129 { "rk322x", "RK32", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 130 { "rk3288", "RK32", 0x8000, false, RK_HEADER_V1 }, 131 { "rk3308", "RK33", 0x40000 - 0x1000, false, RK_HEADER_V1 }, 132 { "rk3328", "RK32", 0x8000 - 0x800, false, RK_HEADER_V1 }, 133 { "rk3368", "RK33", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 134 { "rk3399", "RK33", 0x30000 - 0x2000, false, RK_HEADER_V1 }, 135 { "px30", "RK33", 0x2800, false, RK_HEADER_V1 }, 136 { "rv1108", "RK11", 0x1800, false, RK_HEADER_V1 }, 137 { "rv1126", "110B", 0x10000 - 0x1000, false, RK_HEADER_V1 }, 138 { "rk1808", "RK18", 0x200000 - 0x2000, false, RK_HEADER_V1 }, 139 { "rk3568", "RK35", 0x10000 - 0x1000, false, RK_HEADER_V2 }, 140 }; 141 142 /** 143 * struct spl_params - spl params parsed in check_params() 144 * 145 * @init_file: Init data file path 146 * @init_size: Aligned size of init data in bytes 147 * @boot_file: Boot data file path 148 * @boot_size: Aligned size of boot data in bytes 149 */ 150 151 struct spl_params { 152 char *init_file; 153 uint32_t init_size; 154 char *boot_file; 155 uint32_t boot_size; 156 }; 157 158 static struct spl_params spl_params = { 0 }; 159 160 static unsigned char rc4_key[16] = { 161 124, 78, 3, 4, 85, 5, 9, 7, 162 45, 44, 123, 56, 23, 13, 23, 17 163 }; 164 165 static struct spl_info *rkcommon_get_spl_info(char *imagename) 166 { 167 int i; 168 169 if (!imagename) 170 return NULL; 171 172 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 173 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 174 return spl_infos + i; 175 176 return NULL; 177 } 178 179 static int rkcommon_get_aligned_size(struct image_tool_params *params, 180 const char *fname) 181 { 182 int size; 183 184 size = imagetool_get_filesize(params, fname); 185 if (size < 0) 186 return -1; 187 188 /* 189 * Pad to a 2KB alignment, as required for init/boot size by the ROM 190 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html) 191 */ 192 return ROUND(size, RK_SIZE_ALIGN); 193 } 194 195 int rkcommon_check_params(struct image_tool_params *params) 196 { 197 int i; 198 199 /* 200 * If this is a operation (list or extract), the don't require 201 * imagename to be set. 202 */ 203 if (params->lflag || params->iflag) 204 return EXIT_SUCCESS; 205 206 if (!rkcommon_get_spl_info(params->imagename)) 207 goto err_spl_info; 208 209 spl_params.init_file = params->datafile; 210 211 spl_params.boot_file = strchr(spl_params.init_file, ':'); 212 if (spl_params.boot_file) { 213 *spl_params.boot_file = '\0'; 214 spl_params.boot_file += 1; 215 } 216 217 spl_params.init_size = 218 rkcommon_get_aligned_size(params, spl_params.init_file); 219 if (spl_params.init_size < 0) 220 return EXIT_FAILURE; 221 222 /* Boot file is optional, and only for back-to-bootrom functionality. */ 223 if (spl_params.boot_file) { 224 spl_params.boot_size = 225 rkcommon_get_aligned_size(params, spl_params.boot_file); 226 if (spl_params.boot_size < 0) 227 return EXIT_FAILURE; 228 } 229 230 if (spl_params.init_size > rkcommon_get_spl_size(params)) { 231 fprintf(stderr, 232 "Error: SPL image is too large (size %#x than %#x)\n", 233 spl_params.init_size, rkcommon_get_spl_size(params)); 234 return EXIT_FAILURE; 235 } 236 237 return EXIT_SUCCESS; 238 239 err_spl_info: 240 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 241 params->imagename ? params->imagename : "NULL"); 242 243 fprintf(stderr, "Available imagename:"); 244 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 245 fprintf(stderr, "\t%s", spl_infos[i].imagename); 246 fprintf(stderr, "\n"); 247 248 return EXIT_FAILURE; 249 } 250 251 const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 252 { 253 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 254 255 /* 256 * info would not be NULL, because of we checked params before. 257 */ 258 return info->spl_hdr; 259 } 260 261 int rkcommon_get_spl_size(struct image_tool_params *params) 262 { 263 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 264 265 /* 266 * info would not be NULL, because of we checked params before. 267 */ 268 return info->spl_size; 269 } 270 271 bool rkcommon_need_rc4_spl(struct image_tool_params *params) 272 { 273 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 274 275 /* 276 * info would not be NULL, because of we checked params before. 277 */ 278 return info->spl_rc4; 279 } 280 281 bool rkcommon_is_header_v2(struct image_tool_params *params) 282 { 283 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 284 285 /* 286 * info would not be NULL, because of we checked params before. 287 */ 288 return (info->header_ver == RK_HEADER_V2); 289 } 290 291 static void do_sha256_hash(uint8_t *buf, uint32_t size, uint8_t *out) 292 { 293 sha256_context ctx; 294 295 sha256_starts(&ctx); 296 sha256_update(&ctx, buf, size); 297 sha256_finish(&ctx, out); 298 } 299 300 static void rkcommon_set_header0(void *buf, struct image_tool_params *params) 301 { 302 struct header0_info *hdr = buf; 303 304 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 305 hdr->magic = RK_MAGIC; 306 hdr->disable_rc4 = !rkcommon_need_rc4_spl(params); 307 hdr->init_offset = RK_INIT_OFFSET; 308 hdr->init_size = spl_params.init_size / RK_BLK_SIZE; 309 310 /* 311 * init_boot_size needs to be set, as it is read by the BootROM 312 * to determine the size of the next-stage bootloader (e.g. U-Boot 313 * proper), when used with the back-to-bootrom functionality. 314 * 315 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 316 * for a more detailed explanation by Andy Yan 317 */ 318 if (spl_params.boot_file) 319 hdr->init_boot_size = 320 hdr->init_size + spl_params.boot_size / RK_BLK_SIZE; 321 else 322 hdr->init_boot_size = 323 hdr->init_size + RK_MAX_BOOT_SIZE / RK_BLK_SIZE; 324 325 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 326 } 327 328 static void rkcommon_set_header0_v2(void *buf, struct image_tool_params *params) 329 { 330 struct header0_info_v2 *hdr = buf; 331 uint32_t sector_offset, image_sector_count; 332 uint32_t image_size_array[2]; 333 uint8_t *image_ptr = NULL; 334 int i; 335 336 printf("Image Type: Rockchip %s boot image\n", rkcommon_get_spl_hdr(params)); 337 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 338 hdr->magic = cpu_to_le32(RK_MAGIC_V2); 339 hdr->size_and_nimage = cpu_to_le32((2 << 16) + 384); 340 hdr->boot_flag = cpu_to_le32(HASH_SHA256); 341 sector_offset = 4; 342 image_size_array[0] = spl_params.init_size; 343 image_size_array[1] = spl_params.boot_size; 344 345 for (i = 0; i < 2; i++) { 346 image_sector_count = image_size_array[i] / RK_BLK_SIZE; 347 hdr->images[i].size_and_off = cpu_to_le32((image_sector_count << 16) + sector_offset); 348 hdr->images[i].address = 0xFFFFFFFF; 349 hdr->images[i].counter = cpu_to_le32(i + 1); 350 image_ptr = buf + sector_offset * RK_BLK_SIZE; 351 do_sha256_hash(image_ptr, image_size_array[i], hdr->images[i].hash); 352 sector_offset = sector_offset + image_sector_count; 353 } 354 355 do_sha256_hash(buf, (void *)hdr->hash - buf, hdr->hash); 356 } 357 358 void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd, 359 struct image_tool_params *params) 360 { 361 struct header1_info *hdr = buf + RK_SPL_HDR_START; 362 363 if (rkcommon_is_header_v2(params)) { 364 rkcommon_set_header0_v2(buf, params); 365 } else { 366 rkcommon_set_header0(buf, params); 367 368 /* Set up the SPL name (i.e. copy spl_hdr over) */ 369 if (memcmp(&hdr->magic, "RSAK", 4)) 370 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 371 372 if (rkcommon_need_rc4_spl(params)) 373 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 374 spl_params.init_size); 375 376 if (spl_params.boot_file) { 377 if (rkcommon_need_rc4_spl(params)) 378 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START, 379 spl_params.init_size, 380 spl_params.boot_size); 381 } 382 } 383 } 384 385 static inline unsigned int rkcommon_offset_to_spi(unsigned int offset) 386 { 387 /* 388 * While SD/MMC images use a flat addressing, SPI images are padded 389 * to use the first 2K of every 4K sector only. 390 */ 391 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 392 } 393 394 static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 395 struct spl_info **spl_info) 396 { 397 unsigned int hdr1_offset; 398 struct header1_info *hdr1_sdmmc, *hdr1_spi; 399 int i; 400 401 if (spl_info) 402 *spl_info = NULL; 403 404 /* 405 * The first header (hdr0) is always RC4 encoded, so try to decrypt 406 * with the well-known key. 407 */ 408 memcpy((void *)header0, buf, sizeof(struct header0_info)); 409 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 410 411 if (header0->magic != RK_MAGIC) 412 return -EPROTO; 413 414 /* We don't support RC4 encoded image payloads here, yet... */ 415 if (header0->disable_rc4 == 0) 416 return -ENOSYS; 417 418 hdr1_offset = header0->init_offset * RK_BLK_SIZE; 419 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 420 hdr1_spi = (struct header1_info *)(buf + 421 rkcommon_offset_to_spi(hdr1_offset)); 422 423 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 424 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 4)) { 425 if (spl_info) 426 *spl_info = &spl_infos[i]; 427 return IH_TYPE_RKSD; 428 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 4)) { 429 if (spl_info) 430 *spl_info = &spl_infos[i]; 431 return IH_TYPE_RKSPI; 432 } 433 } 434 435 return -1; 436 } 437 438 static int rkcommon_parse_header_v2(const void *buf, struct header0_info_v2 *header) 439 { 440 memcpy((void *)header, buf, sizeof(struct header0_info_v2)); 441 442 if (le32_to_cpu(header->magic) != RK_MAGIC_V2) 443 return -EPROTO; 444 445 return 0; 446 } 447 448 int rkcommon_verify_header(unsigned char *buf, int size, 449 struct image_tool_params *params) 450 { 451 struct header0_info header0; 452 struct spl_info *img_spl_info, *spl_info; 453 int ret; 454 455 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 456 457 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 458 if (ret == -ENOSYS) 459 return 0; 460 461 if (ret < 0) 462 return ret; 463 464 /* 465 * If no 'imagename' is specified via the commandline (e.g. if this is 466 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 467 */ 468 if (params->imagename == NULL) 469 return 0; 470 471 /* Match the 'imagename' against the 'spl_hdr' found */ 472 spl_info = rkcommon_get_spl_info(params->imagename); 473 if (spl_info && img_spl_info) 474 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 475 476 return -ENOENT; 477 } 478 479 void rkcommon_print_header(const void *buf) 480 { 481 struct header0_info header0; 482 struct header0_info_v2 header0_v2; 483 struct spl_info *spl_info; 484 uint8_t image_type; 485 int ret, boot_size, init_size; 486 487 if ((*(uint32_t *)buf) == RK_MAGIC_V2) { 488 ret = rkcommon_parse_header_v2(buf, &header0_v2); 489 490 if (ret < 0) { 491 fprintf(stderr, "Error: image verification failed\n"); 492 return; 493 } 494 495 init_size = header0_v2.images[0].size_and_off >> 16; 496 init_size = init_size * RK_BLK_SIZE; 497 boot_size = header0_v2.images[1].size_and_off >> 16; 498 boot_size = boot_size * RK_BLK_SIZE; 499 } else { 500 ret = rkcommon_parse_header(buf, &header0, &spl_info); 501 502 /* If this is the (unimplemented) RC4 case, then fail silently */ 503 if (ret == -ENOSYS) 504 return; 505 506 if (ret < 0) { 507 fprintf(stderr, "Error: image verification failed\n"); 508 return; 509 } 510 511 image_type = ret; 512 init_size = header0.init_size * RK_BLK_SIZE; 513 boot_size = header0.init_boot_size * RK_BLK_SIZE - init_size; 514 printf("Image Type: Rockchip %s (%s) boot image\n", 515 spl_info->spl_hdr, 516 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 517 } 518 519 printf("Init Data Size: %d bytes\n", init_size); 520 521 if (boot_size != RK_MAX_BOOT_SIZE) 522 printf("Boot Data Size: %d bytes\n", boot_size); 523 } 524 525 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 526 { 527 unsigned int remaining = size; 528 529 while (remaining > 0) { 530 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 531 532 rc4_encode(buf + offset, step, rc4_key); 533 offset += RK_BLK_SIZE; 534 remaining -= step; 535 } 536 } 537 538 int rkcommon_vrec_header(struct image_tool_params *params, 539 struct image_type_params *tparams) 540 { 541 /* 542 * The SPL image looks as follows: 543 * 544 * 0x0 header0 (see rkcommon.c) 545 * 0x800 spl_name ('RK30', ..., 'RK33') 546 * (start of the payload for AArch64 payloads: we expect the 547 * first 4 bytes to be available for overwriting with our 548 * spl_name) 549 * 0x804 first instruction to be executed 550 * (start of the image/payload for 32bit payloads) 551 * 552 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 553 * required for its sections (so the image we receive needs to 554 * have the first 4 bytes reserved for the spl_name). Reserving 555 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 556 * 557 * The header is always at 0x800 (as we now use a payload 558 * prepadded using the boot0 hook for all targets): the first 559 * 4 bytes of these images can safely be overwritten using the 560 * boot magic. 561 */ 562 tparams->header_size = RK_SPL_HDR_START; 563 564 /* Allocate, clear and install the header */ 565 tparams->hdr = malloc(tparams->header_size); 566 if (!tparams->hdr) { 567 fprintf(stderr, "%s: Can't alloc header: %s\n", 568 params->cmdname, strerror(errno)); 569 exit(EXIT_FAILURE); 570 } 571 memset(tparams->hdr, 0, tparams->header_size); 572 573 /* 574 * We need to store the original file-size (i.e. before padding), as 575 * imagetool does not set this during its adjustment of file_size. 576 */ 577 params->orig_file_size = tparams->header_size + 578 spl_params.init_size + spl_params.boot_size; 579 580 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN); 581 582 /* Ignoring pad len, since we are using our own copy_image() */ 583 return 0; 584 } 585 586 static int pad_file(struct image_tool_params *params, int ifd, int pad) 587 { 588 uint8_t zeros[4096]; 589 590 memset(zeros, 0, sizeof(zeros)); 591 592 while (pad > 0) { 593 int todo = sizeof(zeros); 594 595 if (todo > pad) 596 todo = pad; 597 if (write(ifd, (char *)&zeros, todo) != todo) { 598 fprintf(stderr, "%s: Write error on %s: %s\n", 599 params->cmdname, params->imagefile, 600 strerror(errno)); 601 return -1; 602 } 603 pad -= todo; 604 } 605 606 return 0; 607 } 608 609 static int copy_file(struct image_tool_params *params, int ifd, 610 const char *file, int padded_size) 611 { 612 int dfd; 613 struct stat sbuf; 614 unsigned char *ptr; 615 int size; 616 617 if (params->vflag) 618 fprintf(stderr, "Adding Image %s\n", file); 619 620 dfd = open(file, O_RDONLY | O_BINARY); 621 if (dfd < 0) { 622 fprintf(stderr, "%s: Can't open %s: %s\n", 623 params->cmdname, file, strerror(errno)); 624 return -1; 625 } 626 627 if (fstat(dfd, &sbuf) < 0) { 628 fprintf(stderr, "%s: Can't stat %s: %s\n", 629 params->cmdname, file, strerror(errno)); 630 goto err_close; 631 } 632 633 if (params->vflag) 634 fprintf(stderr, "Size %u(pad to %u)\n", 635 (int)sbuf.st_size, padded_size); 636 637 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0); 638 if (ptr == MAP_FAILED) { 639 fprintf(stderr, "%s: Can't read %s: %s\n", 640 params->cmdname, file, strerror(errno)); 641 goto err_munmap; 642 } 643 644 size = sbuf.st_size; 645 if (write(ifd, ptr, size) != size) { 646 fprintf(stderr, "%s: Write error on %s: %s\n", 647 params->cmdname, params->imagefile, strerror(errno)); 648 goto err_munmap; 649 } 650 651 munmap((void *)ptr, sbuf.st_size); 652 close(dfd); 653 return pad_file(params, ifd, padded_size - size); 654 655 err_munmap: 656 munmap((void *)ptr, sbuf.st_size); 657 err_close: 658 close(dfd); 659 return -1; 660 } 661 662 int rockchip_copy_image(int ifd, struct image_tool_params *params) 663 { 664 int ret; 665 666 ret = copy_file(params, ifd, spl_params.init_file, 667 spl_params.init_size); 668 if (ret) 669 return ret; 670 671 if (spl_params.boot_file) { 672 ret = copy_file(params, ifd, spl_params.boot_file, 673 spl_params.boot_size); 674 if (ret) 675 return ret; 676 } 677 678 return pad_file(params, ifd, 679 params->file_size - params->orig_file_size); 680 } 681