1 /* 2 * (C) Copyright 2015 Google, Inc 3 * Written by Simon Glass <sjg@chromium.org> 4 * 5 * (C) 2017 Theobroma Systems Design und Consulting GmbH 6 * 7 * SPDX-License-Identifier: GPL-2.0+ 8 * 9 * Helper functions for Rockchip images 10 */ 11 12 #include "imagetool.h" 13 #include <image.h> 14 #include <u-boot/sha256.h> 15 #include <rc4.h> 16 #include "mkimage.h" 17 #include "rkcommon.h" 18 19 enum { 20 RK_MAGIC = 0x0ff0aa55, 21 RK_MAGIC_V2 = 0x534E4B52, 22 }; 23 24 enum { 25 RK_HEADER_V1 = 1, 26 RK_HEADER_V2 = 2, 27 }; 28 29 enum hash_type { 30 HASH_NONE = 0, 31 HASH_SHA256 = 1, 32 HASH_SHA512 = 2, 33 }; 34 35 /** 36 * struct image_entry 37 * 38 * @size_and_off: [31:16]image size;[15:0]image offset 39 * @address: default as 0xFFFFFFFF 40 * @flag: no use 41 * @counter: no use 42 * @hash: hash of image 43 * 44 */ 45 struct image_entry { 46 uint32_t size_and_off; 47 uint32_t address; 48 uint32_t flag; 49 uint32_t counter; 50 uint8_t reserved[8]; 51 uint8_t hash[64]; 52 }; 53 54 /** 55 * struct header0_info_v2 - from rk35 on boot rom using the new header block 56 * 57 * This is stored at SD card block 64 (where each block is 512 bytes) 58 * 59 * @magic: Magic (must be RK_MAGIC_V2) 60 * @size_and_nimage: [31:16]number of images;[15:0] 61 * offset to hash field of header(unit as 4Byte) 62 * @boot_flag: [3:0]hash type(0:none,1:sha256,2:sha512) 63 * @signature: hash or signature for header info 64 * 65 */ 66 struct header0_info_v2 { 67 uint32_t magic; 68 uint8_t reserved[4]; 69 uint32_t size_and_nimage; 70 uint32_t boot_flag; 71 uint8_t reserved1[104]; 72 struct image_entry images[4]; 73 uint8_t reserved2[1064]; 74 uint8_t hash[512]; 75 }; 76 77 /** 78 * struct header0_info - header block for boot ROM 79 * 80 * This is stored at SD card block 64 (where each block is 512 bytes, or at 81 * the start of SPI flash. It is encoded with RC4. 82 * 83 * @magic: Magic (must be RK_MAGIC) 84 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 85 * @init_offset: Offset in blocks of the SPL code from this header 86 * block. E.g. 4 means 2KB after the start of this header. 87 * Other fields are not used by U-Boot 88 */ 89 struct header0_info { 90 uint32_t magic; 91 uint8_t reserved[4]; 92 uint32_t disable_rc4; 93 uint16_t init_offset; 94 uint8_t reserved1[492]; 95 uint16_t init_size; 96 uint16_t init_boot_size; 97 uint8_t reserved2[2]; 98 }; 99 100 /** 101 * struct header1 info 102 */ 103 struct header1_info { 104 uint32_t magic; 105 }; 106 107 /** 108 * struct spl_info - spl info for each chip 109 * 110 * @imagename: Image name(passed by "mkimage -n") 111 * @spl_hdr: Boot ROM requires a 4-bytes spl header 112 * @spl_size: Spl size(include extra 4-bytes spl header) 113 * @spl_rc4: RC4 encode the SPL binary (same key as header) 114 * @header_ver: header block version 115 */ 116 struct spl_info { 117 const char *imagename; 118 const char *spl_hdr; 119 const uint32_t spl_size; 120 const bool spl_rc4; 121 const uint32_t header_ver; 122 }; 123 124 static struct spl_info spl_infos[] = { 125 { "rk3036", "RK30", 0x1000, false, RK_HEADER_V1 }, 126 { "rk3066", "RK30", 0x8000, true, RK_HEADER_V1 }, 127 { "rk3128", "RK31", 0x1800, false, RK_HEADER_V1 }, 128 { "rk3188", "RK31", 0x8000 - 0x800, true, RK_HEADER_V1 }, 129 { "rk322x", "RK32", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 130 { "rk3288", "RK32", 0x8000, false, RK_HEADER_V1 }, 131 { "rk3308", "RK33", 0x40000 - 0x1000, false, RK_HEADER_V1 }, 132 { "rk3328", "RK32", 0x8000 - 0x800, false, RK_HEADER_V1 }, 133 { "rk3368", "RK33", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 134 { "rk3399", "RK33", 0x30000 - 0x2000, false, RK_HEADER_V1 }, 135 { "rk3326", "RK33", 0x4000 - 0x1000, false, RK_HEADER_V1 }, 136 { "px30", "RK33", 0x4000 - 0x1000, false, RK_HEADER_V1 }, 137 { "rv1108", "RK11", 0x1800, false, RK_HEADER_V1 }, 138 { "rv1126", "110B", 0x10000 - 0x1000, false, RK_HEADER_V1 }, 139 { "rk1808", "RK18", 0x200000 - 0x2000, false, RK_HEADER_V1 }, 140 { "rk3568", "RK35", 0x10000 - 0x1000, false, RK_HEADER_V2 }, 141 { "rk3588", "RK35", 0x100000 - 0x1000, false, RK_HEADER_V2 }, 142 }; 143 144 /** 145 * struct spl_params - spl params parsed in check_params() 146 * 147 * @init_file: Init data file path 148 * @init_size: Aligned size of init data in bytes 149 * @boot_file: Boot data file path 150 * @boot_size: Aligned size of boot data in bytes 151 */ 152 153 struct spl_params { 154 char *init_file; 155 uint32_t init_size; 156 char *boot_file; 157 uint32_t boot_size; 158 }; 159 160 static struct spl_params spl_params = { 0 }; 161 162 static unsigned char rc4_key[16] = { 163 124, 78, 3, 4, 85, 5, 9, 7, 164 45, 44, 123, 56, 23, 13, 23, 17 165 }; 166 167 static struct spl_info *rkcommon_get_spl_info(char *imagename) 168 { 169 int i; 170 171 if (!imagename) 172 return NULL; 173 174 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 175 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 176 return spl_infos + i; 177 178 return NULL; 179 } 180 181 static int rkcommon_get_aligned_size(struct image_tool_params *params, 182 const char *fname) 183 { 184 int size; 185 186 size = imagetool_get_filesize(params, fname); 187 if (size < 0) 188 return -1; 189 190 /* 191 * Pad to a 2KB alignment, as required for init/boot size by the ROM 192 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html) 193 */ 194 return ROUND(size, RK_SIZE_ALIGN); 195 } 196 197 int rkcommon_check_params(struct image_tool_params *params) 198 { 199 int i; 200 201 /* 202 * If this is a operation (list or extract), the don't require 203 * imagename to be set. 204 */ 205 if (params->lflag || params->iflag) 206 return EXIT_SUCCESS; 207 208 if (!rkcommon_get_spl_info(params->imagename)) 209 goto err_spl_info; 210 211 spl_params.init_file = params->datafile; 212 213 spl_params.boot_file = strchr(spl_params.init_file, ':'); 214 if (spl_params.boot_file) { 215 *spl_params.boot_file = '\0'; 216 spl_params.boot_file += 1; 217 } 218 219 spl_params.init_size = 220 rkcommon_get_aligned_size(params, spl_params.init_file); 221 if (spl_params.init_size < 0) 222 return EXIT_FAILURE; 223 224 /* Boot file is optional, and only for back-to-bootrom functionality. */ 225 if (spl_params.boot_file) { 226 spl_params.boot_size = 227 rkcommon_get_aligned_size(params, spl_params.boot_file); 228 if (spl_params.boot_size < 0) 229 return EXIT_FAILURE; 230 } 231 232 if (spl_params.init_size > rkcommon_get_spl_size(params)) { 233 fprintf(stderr, 234 "Error: SPL image is too large (size %#x than %#x)\n", 235 spl_params.init_size, rkcommon_get_spl_size(params)); 236 return EXIT_FAILURE; 237 } 238 239 return EXIT_SUCCESS; 240 241 err_spl_info: 242 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 243 params->imagename ? params->imagename : "NULL"); 244 245 fprintf(stderr, "Available imagename:"); 246 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 247 fprintf(stderr, "\t%s", spl_infos[i].imagename); 248 fprintf(stderr, "\n"); 249 250 return EXIT_FAILURE; 251 } 252 253 const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 254 { 255 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 256 257 /* 258 * info would not be NULL, because of we checked params before. 259 */ 260 return info->spl_hdr; 261 } 262 263 int rkcommon_get_spl_size(struct image_tool_params *params) 264 { 265 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 266 267 /* 268 * info would not be NULL, because of we checked params before. 269 */ 270 return info->spl_size; 271 } 272 273 bool rkcommon_need_rc4_spl(struct image_tool_params *params) 274 { 275 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 276 277 /* 278 * info would not be NULL, because of we checked params before. 279 */ 280 return info->spl_rc4; 281 } 282 283 bool rkcommon_is_header_v2(struct image_tool_params *params) 284 { 285 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 286 287 /* 288 * info would not be NULL, because of we checked params before. 289 */ 290 return (info->header_ver == RK_HEADER_V2); 291 } 292 293 static void do_sha256_hash(uint8_t *buf, uint32_t size, uint8_t *out) 294 { 295 sha256_context ctx; 296 297 sha256_starts(&ctx); 298 sha256_update(&ctx, buf, size); 299 sha256_finish(&ctx, out); 300 } 301 302 static void rkcommon_set_header0(void *buf, struct image_tool_params *params) 303 { 304 struct header0_info *hdr = buf; 305 306 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 307 hdr->magic = RK_MAGIC; 308 hdr->disable_rc4 = !rkcommon_need_rc4_spl(params); 309 hdr->init_offset = RK_INIT_OFFSET; 310 hdr->init_size = spl_params.init_size / RK_BLK_SIZE; 311 312 /* 313 * init_boot_size needs to be set, as it is read by the BootROM 314 * to determine the size of the next-stage bootloader (e.g. U-Boot 315 * proper), when used with the back-to-bootrom functionality. 316 * 317 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 318 * for a more detailed explanation by Andy Yan 319 */ 320 if (spl_params.boot_file) 321 hdr->init_boot_size = 322 hdr->init_size + spl_params.boot_size / RK_BLK_SIZE; 323 else 324 hdr->init_boot_size = 325 hdr->init_size + RK_MAX_BOOT_SIZE / RK_BLK_SIZE; 326 327 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 328 } 329 330 static void rkcommon_set_header0_v2(void *buf, struct image_tool_params *params) 331 { 332 struct header0_info_v2 *hdr = buf; 333 uint32_t sector_offset, image_sector_count; 334 uint32_t image_size_array[2]; 335 uint8_t *image_ptr = NULL; 336 int i; 337 338 printf("Image Type: Rockchip %s boot image\n", rkcommon_get_spl_hdr(params)); 339 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 340 hdr->magic = cpu_to_le32(RK_MAGIC_V2); 341 hdr->size_and_nimage = cpu_to_le32((2 << 16) + 384); 342 hdr->boot_flag = cpu_to_le32(HASH_SHA256); 343 sector_offset = 4; 344 image_size_array[0] = spl_params.init_size; 345 image_size_array[1] = spl_params.boot_size; 346 347 for (i = 0; i < 2; i++) { 348 image_sector_count = image_size_array[i] / RK_BLK_SIZE; 349 hdr->images[i].size_and_off = cpu_to_le32((image_sector_count << 16) + sector_offset); 350 hdr->images[i].address = 0xFFFFFFFF; 351 hdr->images[i].counter = cpu_to_le32(i + 1); 352 image_ptr = buf + sector_offset * RK_BLK_SIZE; 353 do_sha256_hash(image_ptr, image_size_array[i], hdr->images[i].hash); 354 sector_offset = sector_offset + image_sector_count; 355 } 356 357 do_sha256_hash(buf, (void *)hdr->hash - buf, hdr->hash); 358 } 359 360 void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd, 361 struct image_tool_params *params) 362 { 363 struct header1_info *hdr = buf + RK_SPL_HDR_START; 364 365 if (rkcommon_is_header_v2(params)) { 366 rkcommon_set_header0_v2(buf, params); 367 } else { 368 rkcommon_set_header0(buf, params); 369 370 /* Set up the SPL name (i.e. copy spl_hdr over) */ 371 if (memcmp(&hdr->magic, "RSAK", 4)) 372 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 373 374 if (rkcommon_need_rc4_spl(params)) 375 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 376 spl_params.init_size); 377 378 if (spl_params.boot_file) { 379 if (rkcommon_need_rc4_spl(params)) 380 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START, 381 spl_params.init_size, 382 spl_params.boot_size); 383 } 384 } 385 } 386 387 static inline unsigned int rkcommon_offset_to_spi(unsigned int offset) 388 { 389 /* 390 * While SD/MMC images use a flat addressing, SPI images are padded 391 * to use the first 2K of every 4K sector only. 392 */ 393 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 394 } 395 396 static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 397 struct spl_info **spl_info) 398 { 399 unsigned int hdr1_offset; 400 struct header1_info *hdr1_sdmmc, *hdr1_spi; 401 int i; 402 403 if (spl_info) 404 *spl_info = NULL; 405 406 /* 407 * The first header (hdr0) is always RC4 encoded, so try to decrypt 408 * with the well-known key. 409 */ 410 memcpy((void *)header0, buf, sizeof(struct header0_info)); 411 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 412 413 if (header0->magic != RK_MAGIC) 414 return -EPROTO; 415 416 /* We don't support RC4 encoded image payloads here, yet... */ 417 if (header0->disable_rc4 == 0) 418 return -ENOSYS; 419 420 hdr1_offset = header0->init_offset * RK_BLK_SIZE; 421 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 422 hdr1_spi = (struct header1_info *)(buf + 423 rkcommon_offset_to_spi(hdr1_offset)); 424 425 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 426 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 4)) { 427 if (spl_info) 428 *spl_info = &spl_infos[i]; 429 return IH_TYPE_RKSD; 430 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 4)) { 431 if (spl_info) 432 *spl_info = &spl_infos[i]; 433 return IH_TYPE_RKSPI; 434 } 435 } 436 437 return -1; 438 } 439 440 static int rkcommon_parse_header_v2(const void *buf, struct header0_info_v2 *header) 441 { 442 memcpy((void *)header, buf, sizeof(struct header0_info_v2)); 443 444 if (le32_to_cpu(header->magic) != RK_MAGIC_V2) 445 return -EPROTO; 446 447 return 0; 448 } 449 450 int rkcommon_verify_header(unsigned char *buf, int size, 451 struct image_tool_params *params) 452 { 453 struct header0_info header0; 454 struct spl_info *img_spl_info, *spl_info; 455 int ret; 456 457 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 458 459 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 460 if (ret == -ENOSYS) 461 return 0; 462 463 if (ret < 0) 464 return ret; 465 466 /* 467 * If no 'imagename' is specified via the commandline (e.g. if this is 468 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 469 */ 470 if (params->imagename == NULL) 471 return 0; 472 473 /* Match the 'imagename' against the 'spl_hdr' found */ 474 spl_info = rkcommon_get_spl_info(params->imagename); 475 if (spl_info && img_spl_info) 476 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 477 478 return -ENOENT; 479 } 480 481 void rkcommon_print_header(const void *buf) 482 { 483 struct header0_info header0; 484 struct header0_info_v2 header0_v2; 485 struct spl_info *spl_info; 486 uint8_t image_type; 487 int ret, boot_size, init_size; 488 489 if ((*(uint32_t *)buf) == RK_MAGIC_V2) { 490 ret = rkcommon_parse_header_v2(buf, &header0_v2); 491 492 if (ret < 0) { 493 fprintf(stderr, "Error: image verification failed\n"); 494 return; 495 } 496 497 init_size = header0_v2.images[0].size_and_off >> 16; 498 init_size = init_size * RK_BLK_SIZE; 499 boot_size = header0_v2.images[1].size_and_off >> 16; 500 boot_size = boot_size * RK_BLK_SIZE; 501 } else { 502 ret = rkcommon_parse_header(buf, &header0, &spl_info); 503 504 /* If this is the (unimplemented) RC4 case, then fail silently */ 505 if (ret == -ENOSYS) 506 return; 507 508 if (ret < 0) { 509 fprintf(stderr, "Error: image verification failed\n"); 510 return; 511 } 512 513 image_type = ret; 514 init_size = header0.init_size * RK_BLK_SIZE; 515 boot_size = header0.init_boot_size * RK_BLK_SIZE - init_size; 516 printf("Image Type: Rockchip %s (%s) boot image\n", 517 spl_info->spl_hdr, 518 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 519 } 520 521 printf("Init Data Size: %d bytes\n", init_size); 522 523 if (boot_size != RK_MAX_BOOT_SIZE) 524 printf("Boot Data Size: %d bytes\n", boot_size); 525 } 526 527 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 528 { 529 unsigned int remaining = size; 530 531 while (remaining > 0) { 532 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 533 534 rc4_encode(buf + offset, step, rc4_key); 535 offset += RK_BLK_SIZE; 536 remaining -= step; 537 } 538 } 539 540 int rkcommon_vrec_header(struct image_tool_params *params, 541 struct image_type_params *tparams) 542 { 543 /* 544 * The SPL image looks as follows: 545 * 546 * 0x0 header0 (see rkcommon.c) 547 * 0x800 spl_name ('RK30', ..., 'RK33') 548 * (start of the payload for AArch64 payloads: we expect the 549 * first 4 bytes to be available for overwriting with our 550 * spl_name) 551 * 0x804 first instruction to be executed 552 * (start of the image/payload for 32bit payloads) 553 * 554 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 555 * required for its sections (so the image we receive needs to 556 * have the first 4 bytes reserved for the spl_name). Reserving 557 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 558 * 559 * The header is always at 0x800 (as we now use a payload 560 * prepadded using the boot0 hook for all targets): the first 561 * 4 bytes of these images can safely be overwritten using the 562 * boot magic. 563 */ 564 tparams->header_size = RK_SPL_HDR_START; 565 566 /* Allocate, clear and install the header */ 567 tparams->hdr = malloc(tparams->header_size); 568 if (!tparams->hdr) { 569 fprintf(stderr, "%s: Can't alloc header: %s\n", 570 params->cmdname, strerror(errno)); 571 exit(EXIT_FAILURE); 572 } 573 memset(tparams->hdr, 0, tparams->header_size); 574 575 /* 576 * We need to store the original file-size (i.e. before padding), as 577 * imagetool does not set this during its adjustment of file_size. 578 */ 579 params->orig_file_size = tparams->header_size + 580 spl_params.init_size + spl_params.boot_size; 581 582 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN); 583 584 /* Ignoring pad len, since we are using our own copy_image() */ 585 return 0; 586 } 587 588 static int pad_file(struct image_tool_params *params, int ifd, int pad) 589 { 590 uint8_t zeros[4096]; 591 592 memset(zeros, 0, sizeof(zeros)); 593 594 while (pad > 0) { 595 int todo = sizeof(zeros); 596 597 if (todo > pad) 598 todo = pad; 599 if (write(ifd, (char *)&zeros, todo) != todo) { 600 fprintf(stderr, "%s: Write error on %s: %s\n", 601 params->cmdname, params->imagefile, 602 strerror(errno)); 603 return -1; 604 } 605 pad -= todo; 606 } 607 608 return 0; 609 } 610 611 static int copy_file(struct image_tool_params *params, int ifd, 612 const char *file, int padded_size) 613 { 614 int dfd; 615 struct stat sbuf; 616 unsigned char *ptr; 617 int size; 618 619 if (params->vflag) 620 fprintf(stderr, "Adding Image %s\n", file); 621 622 dfd = open(file, O_RDONLY | O_BINARY); 623 if (dfd < 0) { 624 fprintf(stderr, "%s: Can't open %s: %s\n", 625 params->cmdname, file, strerror(errno)); 626 return -1; 627 } 628 629 if (fstat(dfd, &sbuf) < 0) { 630 fprintf(stderr, "%s: Can't stat %s: %s\n", 631 params->cmdname, file, strerror(errno)); 632 goto err_close; 633 } 634 635 if (params->vflag) 636 fprintf(stderr, "Size %u(pad to %u)\n", 637 (int)sbuf.st_size, padded_size); 638 639 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0); 640 if (ptr == MAP_FAILED) { 641 fprintf(stderr, "%s: Can't read %s: %s\n", 642 params->cmdname, file, strerror(errno)); 643 goto err_munmap; 644 } 645 646 size = sbuf.st_size; 647 if (write(ifd, ptr, size) != size) { 648 fprintf(stderr, "%s: Write error on %s: %s\n", 649 params->cmdname, params->imagefile, strerror(errno)); 650 goto err_munmap; 651 } 652 653 munmap((void *)ptr, sbuf.st_size); 654 close(dfd); 655 return pad_file(params, ifd, padded_size - size); 656 657 err_munmap: 658 munmap((void *)ptr, sbuf.st_size); 659 err_close: 660 close(dfd); 661 return -1; 662 } 663 664 int rockchip_copy_image(int ifd, struct image_tool_params *params) 665 { 666 int ret; 667 668 ret = copy_file(params, ifd, spl_params.init_file, 669 spl_params.init_size); 670 if (ret) 671 return ret; 672 673 if (spl_params.boot_file) { 674 ret = copy_file(params, ifd, spl_params.boot_file, 675 spl_params.boot_size); 676 if (ret) 677 return ret; 678 } 679 680 return pad_file(params, ifd, 681 params->file_size - params->orig_file_size); 682 } 683