1 /* 2 * (C) Copyright 2015 Google, Inc 3 * Written by Simon Glass <sjg@chromium.org> 4 * 5 * (C) 2017 Theobroma Systems Design und Consulting GmbH 6 * 7 * SPDX-License-Identifier: GPL-2.0+ 8 * 9 * Helper functions for Rockchip images 10 */ 11 12 #include "imagetool.h" 13 #include <image.h> 14 #include <u-boot/sha256.h> 15 #include <rc4.h> 16 #include "mkimage.h" 17 #include "rkcommon.h" 18 19 enum { 20 RK_MAGIC = 0x0ff0aa55, 21 RK_MAGIC_V2 = 0x534E4B52, 22 }; 23 24 enum { 25 RK_HEADER_V1 = 1, 26 RK_HEADER_V2 = 2, 27 }; 28 29 enum hash_type { 30 HASH_NONE = 0, 31 HASH_SHA256 = 1, 32 HASH_SHA512 = 2, 33 }; 34 35 /** 36 * struct image_entry 37 * 38 * @size_and_off: [31:16]image size;[15:0]image offset 39 * @address: default as 0xFFFFFFFF 40 * @flag: no use 41 * @counter: no use 42 * @hash: hash of image 43 * 44 */ 45 struct image_entry { 46 uint32_t size_and_off; 47 uint32_t address; 48 uint32_t flag; 49 uint32_t counter; 50 uint8_t reserved[8]; 51 uint8_t hash[64]; 52 }; 53 54 /** 55 * struct header0_info_v2 - from rk35 on boot rom using the new header block 56 * 57 * This is stored at SD card block 64 (where each block is 512 bytes) 58 * 59 * @magic: Magic (must be RK_MAGIC_V2) 60 * @size_and_nimage: [31:16]number of images;[15:0] 61 * offset to hash field of header(unit as 4Byte) 62 * @boot_flag: [3:0]hash type(0:none,1:sha256,2:sha512) 63 * @signature: hash or signature for header info 64 * 65 */ 66 struct header0_info_v2 { 67 uint32_t magic; 68 uint8_t reserved[4]; 69 uint32_t size_and_nimage; 70 uint32_t boot_flag; 71 uint8_t reserved1[104]; 72 struct image_entry images[4]; 73 uint8_t reserved2[1064]; 74 uint8_t hash[512]; 75 }; 76 77 /** 78 * struct header0_info - header block for boot ROM 79 * 80 * This is stored at SD card block 64 (where each block is 512 bytes, or at 81 * the start of SPI flash. It is encoded with RC4. 82 * 83 * @magic: Magic (must be RK_MAGIC) 84 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 85 * @init_offset: Offset in blocks of the SPL code from this header 86 * block. E.g. 4 means 2KB after the start of this header. 87 * Other fields are not used by U-Boot 88 */ 89 struct header0_info { 90 uint32_t magic; 91 uint8_t reserved[4]; 92 uint32_t disable_rc4; 93 uint16_t init_offset; 94 uint8_t reserved1[492]; 95 uint16_t init_size; 96 uint16_t init_boot_size; 97 uint8_t reserved2[2]; 98 }; 99 100 /** 101 * struct header1 info 102 */ 103 struct header1_info { 104 uint32_t magic; 105 }; 106 107 /** 108 * struct spl_info - spl info for each chip 109 * 110 * @imagename: Image name(passed by "mkimage -n") 111 * @spl_hdr: Boot ROM requires a 4-bytes spl header 112 * @spl_size: Spl size(include extra 4-bytes spl header) 113 * @spl_rc4: RC4 encode the SPL binary (same key as header) 114 * @header_ver: header block version 115 */ 116 struct spl_info { 117 const char *imagename; 118 const char *spl_hdr; 119 const uint32_t spl_size; 120 const bool spl_rc4; 121 const uint32_t header_ver; 122 }; 123 124 static struct spl_info spl_infos[] = { 125 { "rk3036", "RK30", 0x1000, false, RK_HEADER_V1 }, 126 { "rk3066", "RK30", 0x8000, true, RK_HEADER_V1 }, 127 { "rk3128", "RK31", 0x1800, false, RK_HEADER_V1 }, 128 { "rk3188", "RK31", 0x8000 - 0x800, true, RK_HEADER_V1 }, 129 { "rk322x", "RK32", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 130 { "rk3288", "RK32", 0x8000, false, RK_HEADER_V1 }, 131 { "rk3308", "RK33", 0x40000 - 0x1000, false, RK_HEADER_V1 }, 132 { "rk3328", "RK32", 0x8000 - 0x800, false, RK_HEADER_V1 }, 133 { "rk3368", "RK33", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 134 { "rk3399", "RK33", 0x30000 - 0x2000, false, RK_HEADER_V1 }, 135 { "px30", "RK33", 0x2800, false, RK_HEADER_V1 }, 136 { "rv1108", "RK11", 0x1800, false, RK_HEADER_V1 }, 137 { "rv1126", "110B", 0x10000 - 0x1000, false, RK_HEADER_V1 }, 138 { "rk1808", "RK18", 0x200000 - 0x2000, false, RK_HEADER_V1 }, 139 { "rk3568", "RK35", 0x10000 - 0x1000, false, RK_HEADER_V2 }, 140 { "rk3588", "RK35", 0x100000 - 0x1000, false, RK_HEADER_V2 }, 141 }; 142 143 /** 144 * struct spl_params - spl params parsed in check_params() 145 * 146 * @init_file: Init data file path 147 * @init_size: Aligned size of init data in bytes 148 * @boot_file: Boot data file path 149 * @boot_size: Aligned size of boot data in bytes 150 */ 151 152 struct spl_params { 153 char *init_file; 154 uint32_t init_size; 155 char *boot_file; 156 uint32_t boot_size; 157 }; 158 159 static struct spl_params spl_params = { 0 }; 160 161 static unsigned char rc4_key[16] = { 162 124, 78, 3, 4, 85, 5, 9, 7, 163 45, 44, 123, 56, 23, 13, 23, 17 164 }; 165 166 static struct spl_info *rkcommon_get_spl_info(char *imagename) 167 { 168 int i; 169 170 if (!imagename) 171 return NULL; 172 173 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 174 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 175 return spl_infos + i; 176 177 return NULL; 178 } 179 180 static int rkcommon_get_aligned_size(struct image_tool_params *params, 181 const char *fname) 182 { 183 int size; 184 185 size = imagetool_get_filesize(params, fname); 186 if (size < 0) 187 return -1; 188 189 /* 190 * Pad to a 2KB alignment, as required for init/boot size by the ROM 191 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html) 192 */ 193 return ROUND(size, RK_SIZE_ALIGN); 194 } 195 196 int rkcommon_check_params(struct image_tool_params *params) 197 { 198 int i; 199 200 /* 201 * If this is a operation (list or extract), the don't require 202 * imagename to be set. 203 */ 204 if (params->lflag || params->iflag) 205 return EXIT_SUCCESS; 206 207 if (!rkcommon_get_spl_info(params->imagename)) 208 goto err_spl_info; 209 210 spl_params.init_file = params->datafile; 211 212 spl_params.boot_file = strchr(spl_params.init_file, ':'); 213 if (spl_params.boot_file) { 214 *spl_params.boot_file = '\0'; 215 spl_params.boot_file += 1; 216 } 217 218 spl_params.init_size = 219 rkcommon_get_aligned_size(params, spl_params.init_file); 220 if (spl_params.init_size < 0) 221 return EXIT_FAILURE; 222 223 /* Boot file is optional, and only for back-to-bootrom functionality. */ 224 if (spl_params.boot_file) { 225 spl_params.boot_size = 226 rkcommon_get_aligned_size(params, spl_params.boot_file); 227 if (spl_params.boot_size < 0) 228 return EXIT_FAILURE; 229 } 230 231 if (spl_params.init_size > rkcommon_get_spl_size(params)) { 232 fprintf(stderr, 233 "Error: SPL image is too large (size %#x than %#x)\n", 234 spl_params.init_size, rkcommon_get_spl_size(params)); 235 return EXIT_FAILURE; 236 } 237 238 return EXIT_SUCCESS; 239 240 err_spl_info: 241 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 242 params->imagename ? params->imagename : "NULL"); 243 244 fprintf(stderr, "Available imagename:"); 245 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 246 fprintf(stderr, "\t%s", spl_infos[i].imagename); 247 fprintf(stderr, "\n"); 248 249 return EXIT_FAILURE; 250 } 251 252 const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 253 { 254 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 255 256 /* 257 * info would not be NULL, because of we checked params before. 258 */ 259 return info->spl_hdr; 260 } 261 262 int rkcommon_get_spl_size(struct image_tool_params *params) 263 { 264 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 265 266 /* 267 * info would not be NULL, because of we checked params before. 268 */ 269 return info->spl_size; 270 } 271 272 bool rkcommon_need_rc4_spl(struct image_tool_params *params) 273 { 274 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 275 276 /* 277 * info would not be NULL, because of we checked params before. 278 */ 279 return info->spl_rc4; 280 } 281 282 bool rkcommon_is_header_v2(struct image_tool_params *params) 283 { 284 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 285 286 /* 287 * info would not be NULL, because of we checked params before. 288 */ 289 return (info->header_ver == RK_HEADER_V2); 290 } 291 292 static void do_sha256_hash(uint8_t *buf, uint32_t size, uint8_t *out) 293 { 294 sha256_context ctx; 295 296 sha256_starts(&ctx); 297 sha256_update(&ctx, buf, size); 298 sha256_finish(&ctx, out); 299 } 300 301 static void rkcommon_set_header0(void *buf, struct image_tool_params *params) 302 { 303 struct header0_info *hdr = buf; 304 305 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 306 hdr->magic = RK_MAGIC; 307 hdr->disable_rc4 = !rkcommon_need_rc4_spl(params); 308 hdr->init_offset = RK_INIT_OFFSET; 309 hdr->init_size = spl_params.init_size / RK_BLK_SIZE; 310 311 /* 312 * init_boot_size needs to be set, as it is read by the BootROM 313 * to determine the size of the next-stage bootloader (e.g. U-Boot 314 * proper), when used with the back-to-bootrom functionality. 315 * 316 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 317 * for a more detailed explanation by Andy Yan 318 */ 319 if (spl_params.boot_file) 320 hdr->init_boot_size = 321 hdr->init_size + spl_params.boot_size / RK_BLK_SIZE; 322 else 323 hdr->init_boot_size = 324 hdr->init_size + RK_MAX_BOOT_SIZE / RK_BLK_SIZE; 325 326 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 327 } 328 329 static void rkcommon_set_header0_v2(void *buf, struct image_tool_params *params) 330 { 331 struct header0_info_v2 *hdr = buf; 332 uint32_t sector_offset, image_sector_count; 333 uint32_t image_size_array[2]; 334 uint8_t *image_ptr = NULL; 335 int i; 336 337 printf("Image Type: Rockchip %s boot image\n", rkcommon_get_spl_hdr(params)); 338 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 339 hdr->magic = cpu_to_le32(RK_MAGIC_V2); 340 hdr->size_and_nimage = cpu_to_le32((2 << 16) + 384); 341 hdr->boot_flag = cpu_to_le32(HASH_SHA256); 342 sector_offset = 4; 343 image_size_array[0] = spl_params.init_size; 344 image_size_array[1] = spl_params.boot_size; 345 346 for (i = 0; i < 2; i++) { 347 image_sector_count = image_size_array[i] / RK_BLK_SIZE; 348 hdr->images[i].size_and_off = cpu_to_le32((image_sector_count << 16) + sector_offset); 349 hdr->images[i].address = 0xFFFFFFFF; 350 hdr->images[i].counter = cpu_to_le32(i + 1); 351 image_ptr = buf + sector_offset * RK_BLK_SIZE; 352 do_sha256_hash(image_ptr, image_size_array[i], hdr->images[i].hash); 353 sector_offset = sector_offset + image_sector_count; 354 } 355 356 do_sha256_hash(buf, (void *)hdr->hash - buf, hdr->hash); 357 } 358 359 void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd, 360 struct image_tool_params *params) 361 { 362 struct header1_info *hdr = buf + RK_SPL_HDR_START; 363 364 if (rkcommon_is_header_v2(params)) { 365 rkcommon_set_header0_v2(buf, params); 366 } else { 367 rkcommon_set_header0(buf, params); 368 369 /* Set up the SPL name (i.e. copy spl_hdr over) */ 370 if (memcmp(&hdr->magic, "RSAK", 4)) 371 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 372 373 if (rkcommon_need_rc4_spl(params)) 374 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 375 spl_params.init_size); 376 377 if (spl_params.boot_file) { 378 if (rkcommon_need_rc4_spl(params)) 379 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START, 380 spl_params.init_size, 381 spl_params.boot_size); 382 } 383 } 384 } 385 386 static inline unsigned int rkcommon_offset_to_spi(unsigned int offset) 387 { 388 /* 389 * While SD/MMC images use a flat addressing, SPI images are padded 390 * to use the first 2K of every 4K sector only. 391 */ 392 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 393 } 394 395 static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 396 struct spl_info **spl_info) 397 { 398 unsigned int hdr1_offset; 399 struct header1_info *hdr1_sdmmc, *hdr1_spi; 400 int i; 401 402 if (spl_info) 403 *spl_info = NULL; 404 405 /* 406 * The first header (hdr0) is always RC4 encoded, so try to decrypt 407 * with the well-known key. 408 */ 409 memcpy((void *)header0, buf, sizeof(struct header0_info)); 410 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 411 412 if (header0->magic != RK_MAGIC) 413 return -EPROTO; 414 415 /* We don't support RC4 encoded image payloads here, yet... */ 416 if (header0->disable_rc4 == 0) 417 return -ENOSYS; 418 419 hdr1_offset = header0->init_offset * RK_BLK_SIZE; 420 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 421 hdr1_spi = (struct header1_info *)(buf + 422 rkcommon_offset_to_spi(hdr1_offset)); 423 424 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 425 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 4)) { 426 if (spl_info) 427 *spl_info = &spl_infos[i]; 428 return IH_TYPE_RKSD; 429 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 4)) { 430 if (spl_info) 431 *spl_info = &spl_infos[i]; 432 return IH_TYPE_RKSPI; 433 } 434 } 435 436 return -1; 437 } 438 439 static int rkcommon_parse_header_v2(const void *buf, struct header0_info_v2 *header) 440 { 441 memcpy((void *)header, buf, sizeof(struct header0_info_v2)); 442 443 if (le32_to_cpu(header->magic) != RK_MAGIC_V2) 444 return -EPROTO; 445 446 return 0; 447 } 448 449 int rkcommon_verify_header(unsigned char *buf, int size, 450 struct image_tool_params *params) 451 { 452 struct header0_info header0; 453 struct spl_info *img_spl_info, *spl_info; 454 int ret; 455 456 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 457 458 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 459 if (ret == -ENOSYS) 460 return 0; 461 462 if (ret < 0) 463 return ret; 464 465 /* 466 * If no 'imagename' is specified via the commandline (e.g. if this is 467 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 468 */ 469 if (params->imagename == NULL) 470 return 0; 471 472 /* Match the 'imagename' against the 'spl_hdr' found */ 473 spl_info = rkcommon_get_spl_info(params->imagename); 474 if (spl_info && img_spl_info) 475 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 476 477 return -ENOENT; 478 } 479 480 void rkcommon_print_header(const void *buf) 481 { 482 struct header0_info header0; 483 struct header0_info_v2 header0_v2; 484 struct spl_info *spl_info; 485 uint8_t image_type; 486 int ret, boot_size, init_size; 487 488 if ((*(uint32_t *)buf) == RK_MAGIC_V2) { 489 ret = rkcommon_parse_header_v2(buf, &header0_v2); 490 491 if (ret < 0) { 492 fprintf(stderr, "Error: image verification failed\n"); 493 return; 494 } 495 496 init_size = header0_v2.images[0].size_and_off >> 16; 497 init_size = init_size * RK_BLK_SIZE; 498 boot_size = header0_v2.images[1].size_and_off >> 16; 499 boot_size = boot_size * RK_BLK_SIZE; 500 } else { 501 ret = rkcommon_parse_header(buf, &header0, &spl_info); 502 503 /* If this is the (unimplemented) RC4 case, then fail silently */ 504 if (ret == -ENOSYS) 505 return; 506 507 if (ret < 0) { 508 fprintf(stderr, "Error: image verification failed\n"); 509 return; 510 } 511 512 image_type = ret; 513 init_size = header0.init_size * RK_BLK_SIZE; 514 boot_size = header0.init_boot_size * RK_BLK_SIZE - init_size; 515 printf("Image Type: Rockchip %s (%s) boot image\n", 516 spl_info->spl_hdr, 517 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 518 } 519 520 printf("Init Data Size: %d bytes\n", init_size); 521 522 if (boot_size != RK_MAX_BOOT_SIZE) 523 printf("Boot Data Size: %d bytes\n", boot_size); 524 } 525 526 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 527 { 528 unsigned int remaining = size; 529 530 while (remaining > 0) { 531 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 532 533 rc4_encode(buf + offset, step, rc4_key); 534 offset += RK_BLK_SIZE; 535 remaining -= step; 536 } 537 } 538 539 int rkcommon_vrec_header(struct image_tool_params *params, 540 struct image_type_params *tparams) 541 { 542 /* 543 * The SPL image looks as follows: 544 * 545 * 0x0 header0 (see rkcommon.c) 546 * 0x800 spl_name ('RK30', ..., 'RK33') 547 * (start of the payload for AArch64 payloads: we expect the 548 * first 4 bytes to be available for overwriting with our 549 * spl_name) 550 * 0x804 first instruction to be executed 551 * (start of the image/payload for 32bit payloads) 552 * 553 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 554 * required for its sections (so the image we receive needs to 555 * have the first 4 bytes reserved for the spl_name). Reserving 556 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 557 * 558 * The header is always at 0x800 (as we now use a payload 559 * prepadded using the boot0 hook for all targets): the first 560 * 4 bytes of these images can safely be overwritten using the 561 * boot magic. 562 */ 563 tparams->header_size = RK_SPL_HDR_START; 564 565 /* Allocate, clear and install the header */ 566 tparams->hdr = malloc(tparams->header_size); 567 if (!tparams->hdr) { 568 fprintf(stderr, "%s: Can't alloc header: %s\n", 569 params->cmdname, strerror(errno)); 570 exit(EXIT_FAILURE); 571 } 572 memset(tparams->hdr, 0, tparams->header_size); 573 574 /* 575 * We need to store the original file-size (i.e. before padding), as 576 * imagetool does not set this during its adjustment of file_size. 577 */ 578 params->orig_file_size = tparams->header_size + 579 spl_params.init_size + spl_params.boot_size; 580 581 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN); 582 583 /* Ignoring pad len, since we are using our own copy_image() */ 584 return 0; 585 } 586 587 static int pad_file(struct image_tool_params *params, int ifd, int pad) 588 { 589 uint8_t zeros[4096]; 590 591 memset(zeros, 0, sizeof(zeros)); 592 593 while (pad > 0) { 594 int todo = sizeof(zeros); 595 596 if (todo > pad) 597 todo = pad; 598 if (write(ifd, (char *)&zeros, todo) != todo) { 599 fprintf(stderr, "%s: Write error on %s: %s\n", 600 params->cmdname, params->imagefile, 601 strerror(errno)); 602 return -1; 603 } 604 pad -= todo; 605 } 606 607 return 0; 608 } 609 610 static int copy_file(struct image_tool_params *params, int ifd, 611 const char *file, int padded_size) 612 { 613 int dfd; 614 struct stat sbuf; 615 unsigned char *ptr; 616 int size; 617 618 if (params->vflag) 619 fprintf(stderr, "Adding Image %s\n", file); 620 621 dfd = open(file, O_RDONLY | O_BINARY); 622 if (dfd < 0) { 623 fprintf(stderr, "%s: Can't open %s: %s\n", 624 params->cmdname, file, strerror(errno)); 625 return -1; 626 } 627 628 if (fstat(dfd, &sbuf) < 0) { 629 fprintf(stderr, "%s: Can't stat %s: %s\n", 630 params->cmdname, file, strerror(errno)); 631 goto err_close; 632 } 633 634 if (params->vflag) 635 fprintf(stderr, "Size %u(pad to %u)\n", 636 (int)sbuf.st_size, padded_size); 637 638 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0); 639 if (ptr == MAP_FAILED) { 640 fprintf(stderr, "%s: Can't read %s: %s\n", 641 params->cmdname, file, strerror(errno)); 642 goto err_munmap; 643 } 644 645 size = sbuf.st_size; 646 if (write(ifd, ptr, size) != size) { 647 fprintf(stderr, "%s: Write error on %s: %s\n", 648 params->cmdname, params->imagefile, strerror(errno)); 649 goto err_munmap; 650 } 651 652 munmap((void *)ptr, sbuf.st_size); 653 close(dfd); 654 return pad_file(params, ifd, padded_size - size); 655 656 err_munmap: 657 munmap((void *)ptr, sbuf.st_size); 658 err_close: 659 close(dfd); 660 return -1; 661 } 662 663 int rockchip_copy_image(int ifd, struct image_tool_params *params) 664 { 665 int ret; 666 667 ret = copy_file(params, ifd, spl_params.init_file, 668 spl_params.init_size); 669 if (ret) 670 return ret; 671 672 if (spl_params.boot_file) { 673 ret = copy_file(params, ifd, spl_params.boot_file, 674 spl_params.boot_size); 675 if (ret) 676 return ret; 677 } 678 679 return pad_file(params, ifd, 680 params->file_size - params->orig_file_size); 681 } 682