1 /* 2 * (C) Copyright 2015 Google, Inc 3 * Written by Simon Glass <sjg@chromium.org> 4 * 5 * (C) 2017 Theobroma Systems Design und Consulting GmbH 6 * 7 * SPDX-License-Identifier: GPL-2.0+ 8 * 9 * Helper functions for Rockchip images 10 */ 11 12 #include "imagetool.h" 13 #include <image.h> 14 #include <u-boot/sha256.h> 15 #include <rc4.h> 16 #include "mkimage.h" 17 #include "rkcommon.h" 18 19 enum { 20 RK_MAGIC = 0x0ff0aa55, 21 RK_MAGIC_V2 = 0x534E4B52, 22 }; 23 24 enum { 25 RK_HEADER_V1 = 1, 26 RK_HEADER_V2 = 2, 27 }; 28 29 enum hash_type { 30 HASH_NONE = 0, 31 HASH_SHA256 = 1, 32 HASH_SHA512 = 2, 33 }; 34 35 /** 36 * struct image_entry 37 * 38 * @size_and_off: [31:16]image size;[15:0]image offset 39 * @address: default as 0xFFFFFFFF 40 * @flag: no use 41 * @counter: no use 42 * @hash: hash of image 43 * 44 */ 45 struct image_entry { 46 uint32_t size_and_off; 47 uint32_t address; 48 uint32_t flag; 49 uint32_t counter; 50 uint8_t reserved[8]; 51 uint8_t hash[64]; 52 }; 53 54 /** 55 * struct header0_info_v2 - from rk35 on boot rom using the new header block 56 * 57 * This is stored at SD card block 64 (where each block is 512 bytes) 58 * 59 * @magic: Magic (must be RK_MAGIC_V2) 60 * @size_and_nimage: [31:16]number of images;[15:0] 61 * offset to hash field of header(unit as 4Byte) 62 * @boot_flag: [3:0]hash type(0:none,1:sha256,2:sha512) 63 * @signature: hash or signature for header info 64 * 65 */ 66 struct header0_info_v2 { 67 uint32_t magic; 68 uint8_t reserved[4]; 69 uint32_t size_and_nimage; 70 uint32_t boot_flag; 71 uint8_t reserved1[104]; 72 struct image_entry images[4]; 73 uint8_t reserved2[1064]; 74 uint8_t hash[512]; 75 }; 76 77 /** 78 * struct header0_info - header block for boot ROM 79 * 80 * This is stored at SD card block 64 (where each block is 512 bytes, or at 81 * the start of SPI flash. It is encoded with RC4. 82 * 83 * @magic: Magic (must be RK_MAGIC) 84 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 85 * @init_offset: Offset in blocks of the SPL code from this header 86 * block. E.g. 4 means 2KB after the start of this header. 87 * Other fields are not used by U-Boot 88 */ 89 struct header0_info { 90 uint32_t magic; 91 uint8_t reserved[4]; 92 uint32_t disable_rc4; 93 uint16_t init_offset; 94 uint8_t reserved1[492]; 95 uint16_t init_size; 96 uint16_t init_boot_size; 97 uint8_t reserved2[2]; 98 }; 99 100 /** 101 * struct header1 info 102 */ 103 struct header1_info { 104 uint32_t magic; 105 }; 106 107 /** 108 * struct spl_info - spl info for each chip 109 * 110 * @imagename: Image name(passed by "mkimage -n") 111 * @spl_hdr: Boot ROM requires a 4-bytes spl header 112 * @spl_size: Spl size(include extra 4-bytes spl header) 113 * @spl_rc4: RC4 encode the SPL binary (same key as header) 114 * @header_ver: header block version 115 */ 116 struct spl_info { 117 const char *imagename; 118 const char *spl_hdr; 119 const uint32_t spl_size; 120 const bool spl_rc4; 121 const uint32_t header_ver; 122 }; 123 124 static struct spl_info spl_infos[] = { 125 { "rk3036", "RK30", 0x1000, false, RK_HEADER_V1 }, 126 { "rk3066", "RK30", 0x8000, true, RK_HEADER_V1 }, 127 { "rk3128", "RK31", 0x2000 - 0x800, false, RK_HEADER_V1 }, 128 { "px3se", "RK31", 0x2000 - 0x800, false, RK_HEADER_V1 }, 129 { "rk3188", "RK31", 0x8000 - 0x800, true, RK_HEADER_V1 }, 130 { "rk322x", "RK32", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 131 { "rk3288", "RK32", 0x8000, false, RK_HEADER_V1 }, 132 { "rk3308", "RK33", 0x40000 - 0x1000, false, RK_HEADER_V1 }, 133 { "rk3328", "RK32", 0x8000 - 0x800, false, RK_HEADER_V1 }, 134 { "rk3368", "RK33", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 135 { "rk3399", "RK33", 0x30000 - 0x2000, false, RK_HEADER_V1 }, 136 { "rk3326", "RK33", 0x4000 - 0x1000, false, RK_HEADER_V1 }, 137 { "px30", "RK33", 0x4000 - 0x1000, false, RK_HEADER_V1 }, 138 { "rv1108", "RK11", 0x1800, false, RK_HEADER_V1 }, 139 { "rv1126", "110B", 0x10000 - 0x1000, false, RK_HEADER_V1 }, 140 { "rk1808", "RK18", 0x200000 - 0x2000, false, RK_HEADER_V1 }, 141 { "rk3568", "RK35", 0x10000 - 0x1000, false, RK_HEADER_V2 }, 142 { "rk3588", "RK35", 0x100000 - 0x1000, false, RK_HEADER_V2 }, 143 }; 144 145 /** 146 * struct spl_params - spl params parsed in check_params() 147 * 148 * @init_file: Init data file path 149 * @init_size: Aligned size of init data in bytes 150 * @boot_file: Boot data file path 151 * @boot_size: Aligned size of boot data in bytes 152 */ 153 154 struct spl_params { 155 char *init_file; 156 uint32_t init_size; 157 char *boot_file; 158 uint32_t boot_size; 159 }; 160 161 static struct spl_params spl_params = { 0 }; 162 163 static unsigned char rc4_key[16] = { 164 124, 78, 3, 4, 85, 5, 9, 7, 165 45, 44, 123, 56, 23, 13, 23, 17 166 }; 167 168 static struct spl_info *rkcommon_get_spl_info(char *imagename) 169 { 170 int i; 171 172 if (!imagename) 173 return NULL; 174 175 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 176 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 177 return spl_infos + i; 178 179 return NULL; 180 } 181 182 static int rkcommon_get_aligned_size(struct image_tool_params *params, 183 const char *fname) 184 { 185 int size; 186 187 size = imagetool_get_filesize(params, fname); 188 if (size < 0) 189 return -1; 190 191 /* 192 * Pad to a 2KB alignment, as required for init/boot size by the ROM 193 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html) 194 */ 195 return ROUND(size, RK_SIZE_ALIGN); 196 } 197 198 int rkcommon_check_params(struct image_tool_params *params) 199 { 200 int i; 201 202 /* 203 * If this is a operation (list or extract), the don't require 204 * imagename to be set. 205 */ 206 if (params->lflag || params->iflag) 207 return EXIT_SUCCESS; 208 209 if (!rkcommon_get_spl_info(params->imagename)) 210 goto err_spl_info; 211 212 spl_params.init_file = params->datafile; 213 214 spl_params.boot_file = strchr(spl_params.init_file, ':'); 215 if (spl_params.boot_file) { 216 *spl_params.boot_file = '\0'; 217 spl_params.boot_file += 1; 218 } 219 220 spl_params.init_size = 221 rkcommon_get_aligned_size(params, spl_params.init_file); 222 if (spl_params.init_size < 0) 223 return EXIT_FAILURE; 224 225 /* Boot file is optional, and only for back-to-bootrom functionality. */ 226 if (spl_params.boot_file) { 227 spl_params.boot_size = 228 rkcommon_get_aligned_size(params, spl_params.boot_file); 229 if (spl_params.boot_size < 0) 230 return EXIT_FAILURE; 231 } 232 233 if (spl_params.init_size > rkcommon_get_spl_size(params)) { 234 fprintf(stderr, 235 "Error: SPL image is too large (size %#x than %#x)\n", 236 spl_params.init_size, rkcommon_get_spl_size(params)); 237 return EXIT_FAILURE; 238 } 239 240 return EXIT_SUCCESS; 241 242 err_spl_info: 243 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 244 params->imagename ? params->imagename : "NULL"); 245 246 fprintf(stderr, "Available imagename:"); 247 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 248 fprintf(stderr, "\t%s", spl_infos[i].imagename); 249 fprintf(stderr, "\n"); 250 251 return EXIT_FAILURE; 252 } 253 254 const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 255 { 256 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 257 258 /* 259 * info would not be NULL, because of we checked params before. 260 */ 261 return info->spl_hdr; 262 } 263 264 int rkcommon_get_spl_size(struct image_tool_params *params) 265 { 266 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 267 268 /* 269 * info would not be NULL, because of we checked params before. 270 */ 271 return info->spl_size; 272 } 273 274 bool rkcommon_need_rc4_spl(struct image_tool_params *params) 275 { 276 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 277 278 /* 279 * info would not be NULL, because of we checked params before. 280 */ 281 return info->spl_rc4; 282 } 283 284 bool rkcommon_is_header_v2(struct image_tool_params *params) 285 { 286 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 287 288 /* 289 * info would not be NULL, because of we checked params before. 290 */ 291 return (info->header_ver == RK_HEADER_V2); 292 } 293 294 static void do_sha256_hash(uint8_t *buf, uint32_t size, uint8_t *out) 295 { 296 sha256_context ctx; 297 298 sha256_starts(&ctx); 299 sha256_update(&ctx, buf, size); 300 sha256_finish(&ctx, out); 301 } 302 303 static void rkcommon_set_header0(void *buf, struct image_tool_params *params) 304 { 305 struct header0_info *hdr = buf; 306 307 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 308 hdr->magic = RK_MAGIC; 309 hdr->disable_rc4 = !rkcommon_need_rc4_spl(params); 310 hdr->init_offset = RK_INIT_OFFSET; 311 hdr->init_size = spl_params.init_size / RK_BLK_SIZE; 312 313 /* 314 * init_boot_size needs to be set, as it is read by the BootROM 315 * to determine the size of the next-stage bootloader (e.g. U-Boot 316 * proper), when used with the back-to-bootrom functionality. 317 * 318 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 319 * for a more detailed explanation by Andy Yan 320 */ 321 if (spl_params.boot_file) 322 hdr->init_boot_size = 323 hdr->init_size + spl_params.boot_size / RK_BLK_SIZE; 324 else 325 hdr->init_boot_size = 326 hdr->init_size + RK_MAX_BOOT_SIZE / RK_BLK_SIZE; 327 328 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 329 } 330 331 static void rkcommon_set_header0_v2(void *buf, struct image_tool_params *params) 332 { 333 struct header0_info_v2 *hdr = buf; 334 uint32_t sector_offset, image_sector_count; 335 uint32_t image_size_array[2]; 336 uint8_t *image_ptr = NULL; 337 int i; 338 339 printf("Image Type: Rockchip %s boot image\n", rkcommon_get_spl_hdr(params)); 340 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 341 hdr->magic = cpu_to_le32(RK_MAGIC_V2); 342 hdr->size_and_nimage = cpu_to_le32((2 << 16) + 384); 343 hdr->boot_flag = cpu_to_le32(HASH_SHA256); 344 sector_offset = 4; 345 image_size_array[0] = spl_params.init_size; 346 image_size_array[1] = spl_params.boot_size; 347 348 for (i = 0; i < 2; i++) { 349 image_sector_count = image_size_array[i] / RK_BLK_SIZE; 350 hdr->images[i].size_and_off = cpu_to_le32((image_sector_count << 16) + sector_offset); 351 hdr->images[i].address = 0xFFFFFFFF; 352 hdr->images[i].counter = cpu_to_le32(i + 1); 353 image_ptr = buf + sector_offset * RK_BLK_SIZE; 354 do_sha256_hash(image_ptr, image_size_array[i], hdr->images[i].hash); 355 sector_offset = sector_offset + image_sector_count; 356 } 357 358 do_sha256_hash(buf, (void *)hdr->hash - buf, hdr->hash); 359 } 360 361 void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd, 362 struct image_tool_params *params) 363 { 364 struct header1_info *hdr = buf + RK_SPL_HDR_START; 365 366 if (rkcommon_is_header_v2(params)) { 367 rkcommon_set_header0_v2(buf, params); 368 } else { 369 rkcommon_set_header0(buf, params); 370 371 /* Set up the SPL name (i.e. copy spl_hdr over) */ 372 if (memcmp(&hdr->magic, "RSAK", 4)) 373 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 374 375 if (rkcommon_need_rc4_spl(params)) 376 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 377 spl_params.init_size); 378 379 if (spl_params.boot_file) { 380 if (rkcommon_need_rc4_spl(params)) 381 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START, 382 spl_params.init_size, 383 spl_params.boot_size); 384 } 385 } 386 } 387 388 static inline unsigned int rkcommon_offset_to_spi(unsigned int offset) 389 { 390 /* 391 * While SD/MMC images use a flat addressing, SPI images are padded 392 * to use the first 2K of every 4K sector only. 393 */ 394 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 395 } 396 397 static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 398 struct spl_info **spl_info) 399 { 400 unsigned int hdr1_offset; 401 struct header1_info *hdr1_sdmmc, *hdr1_spi; 402 int i; 403 404 if (spl_info) 405 *spl_info = NULL; 406 407 /* 408 * The first header (hdr0) is always RC4 encoded, so try to decrypt 409 * with the well-known key. 410 */ 411 memcpy((void *)header0, buf, sizeof(struct header0_info)); 412 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 413 414 if (header0->magic != RK_MAGIC) 415 return -EPROTO; 416 417 /* We don't support RC4 encoded image payloads here, yet... */ 418 if (header0->disable_rc4 == 0) 419 return -ENOSYS; 420 421 hdr1_offset = header0->init_offset * RK_BLK_SIZE; 422 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 423 hdr1_spi = (struct header1_info *)(buf + 424 rkcommon_offset_to_spi(hdr1_offset)); 425 426 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 427 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 4)) { 428 if (spl_info) 429 *spl_info = &spl_infos[i]; 430 return IH_TYPE_RKSD; 431 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 4)) { 432 if (spl_info) 433 *spl_info = &spl_infos[i]; 434 return IH_TYPE_RKSPI; 435 } 436 } 437 438 return -1; 439 } 440 441 static int rkcommon_parse_header_v2(const void *buf, struct header0_info_v2 *header) 442 { 443 memcpy((void *)header, buf, sizeof(struct header0_info_v2)); 444 445 if (le32_to_cpu(header->magic) != RK_MAGIC_V2) 446 return -EPROTO; 447 448 return 0; 449 } 450 451 int rkcommon_verify_header(unsigned char *buf, int size, 452 struct image_tool_params *params) 453 { 454 struct header0_info header0; 455 struct spl_info *img_spl_info, *spl_info; 456 int ret; 457 458 /* spl_hdr is abandon on header_v2 */ 459 if ((*(uint32_t *)buf) == RK_MAGIC_V2) 460 return 0; 461 462 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 463 464 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 465 if (ret == -ENOSYS) 466 return 0; 467 468 if (ret < 0) 469 return ret; 470 471 /* 472 * If no 'imagename' is specified via the commandline (e.g. if this is 473 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 474 */ 475 if (params->imagename == NULL) 476 return 0; 477 478 /* Match the 'imagename' against the 'spl_hdr' found */ 479 spl_info = rkcommon_get_spl_info(params->imagename); 480 if (spl_info && img_spl_info) 481 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 482 483 return -ENOENT; 484 } 485 486 void rkcommon_print_header(const void *buf) 487 { 488 struct header0_info header0; 489 struct header0_info_v2 header0_v2; 490 struct spl_info *spl_info; 491 uint8_t image_type; 492 int ret, boot_size, init_size; 493 494 if ((*(uint32_t *)buf) == RK_MAGIC_V2) { 495 ret = rkcommon_parse_header_v2(buf, &header0_v2); 496 497 if (ret < 0) { 498 fprintf(stderr, "Error: image verification failed\n"); 499 return; 500 } 501 502 init_size = header0_v2.images[0].size_and_off >> 16; 503 init_size = init_size * RK_BLK_SIZE; 504 boot_size = header0_v2.images[1].size_and_off >> 16; 505 boot_size = boot_size * RK_BLK_SIZE; 506 } else { 507 ret = rkcommon_parse_header(buf, &header0, &spl_info); 508 509 /* If this is the (unimplemented) RC4 case, then fail silently */ 510 if (ret == -ENOSYS) 511 return; 512 513 if (ret < 0) { 514 fprintf(stderr, "Error: image verification failed\n"); 515 return; 516 } 517 518 image_type = ret; 519 init_size = header0.init_size * RK_BLK_SIZE; 520 boot_size = header0.init_boot_size * RK_BLK_SIZE - init_size; 521 printf("Image Type: Rockchip %s (%s) boot image\n", 522 spl_info->spl_hdr, 523 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 524 } 525 526 printf("Init Data Size: %d bytes\n", init_size); 527 528 if (boot_size != RK_MAX_BOOT_SIZE) 529 printf("Boot Data Size: %d bytes\n", boot_size); 530 } 531 532 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 533 { 534 unsigned int remaining = size; 535 536 while (remaining > 0) { 537 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 538 539 rc4_encode(buf + offset, step, rc4_key); 540 offset += RK_BLK_SIZE; 541 remaining -= step; 542 } 543 } 544 545 int rkcommon_vrec_header(struct image_tool_params *params, 546 struct image_type_params *tparams) 547 { 548 /* 549 * The SPL image looks as follows: 550 * 551 * 0x0 header0 (see rkcommon.c) 552 * 0x800 spl_name ('RK30', ..., 'RK33') 553 * (start of the payload for AArch64 payloads: we expect the 554 * first 4 bytes to be available for overwriting with our 555 * spl_name) 556 * 0x804 first instruction to be executed 557 * (start of the image/payload for 32bit payloads) 558 * 559 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 560 * required for its sections (so the image we receive needs to 561 * have the first 4 bytes reserved for the spl_name). Reserving 562 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 563 * 564 * The header is always at 0x800 (as we now use a payload 565 * prepadded using the boot0 hook for all targets): the first 566 * 4 bytes of these images can safely be overwritten using the 567 * boot magic. 568 */ 569 tparams->header_size = RK_SPL_HDR_START; 570 571 /* Allocate, clear and install the header */ 572 tparams->hdr = malloc(tparams->header_size); 573 if (!tparams->hdr) { 574 fprintf(stderr, "%s: Can't alloc header: %s\n", 575 params->cmdname, strerror(errno)); 576 exit(EXIT_FAILURE); 577 } 578 memset(tparams->hdr, 0, tparams->header_size); 579 580 /* 581 * We need to store the original file-size (i.e. before padding), as 582 * imagetool does not set this during its adjustment of file_size. 583 */ 584 params->orig_file_size = tparams->header_size + 585 spl_params.init_size + spl_params.boot_size; 586 587 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN); 588 589 /* Ignoring pad len, since we are using our own copy_image() */ 590 return 0; 591 } 592 593 static int pad_file(struct image_tool_params *params, int ifd, int pad) 594 { 595 uint8_t zeros[4096]; 596 597 memset(zeros, 0, sizeof(zeros)); 598 599 while (pad > 0) { 600 int todo = sizeof(zeros); 601 602 if (todo > pad) 603 todo = pad; 604 if (write(ifd, (char *)&zeros, todo) != todo) { 605 fprintf(stderr, "%s: Write error on %s: %s\n", 606 params->cmdname, params->imagefile, 607 strerror(errno)); 608 return -1; 609 } 610 pad -= todo; 611 } 612 613 return 0; 614 } 615 616 static int copy_file(struct image_tool_params *params, int ifd, 617 const char *file, int padded_size) 618 { 619 int dfd; 620 struct stat sbuf; 621 unsigned char *ptr; 622 int size; 623 624 if (params->vflag) 625 fprintf(stderr, "Adding Image %s\n", file); 626 627 dfd = open(file, O_RDONLY | O_BINARY); 628 if (dfd < 0) { 629 fprintf(stderr, "%s: Can't open %s: %s\n", 630 params->cmdname, file, strerror(errno)); 631 return -1; 632 } 633 634 if (fstat(dfd, &sbuf) < 0) { 635 fprintf(stderr, "%s: Can't stat %s: %s\n", 636 params->cmdname, file, strerror(errno)); 637 goto err_close; 638 } 639 640 if (params->vflag) 641 fprintf(stderr, "Size %u(pad to %u)\n", 642 (int)sbuf.st_size, padded_size); 643 644 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0); 645 if (ptr == MAP_FAILED) { 646 fprintf(stderr, "%s: Can't read %s: %s\n", 647 params->cmdname, file, strerror(errno)); 648 goto err_munmap; 649 } 650 651 size = sbuf.st_size; 652 if (write(ifd, ptr, size) != size) { 653 fprintf(stderr, "%s: Write error on %s: %s\n", 654 params->cmdname, params->imagefile, strerror(errno)); 655 goto err_munmap; 656 } 657 658 munmap((void *)ptr, sbuf.st_size); 659 close(dfd); 660 return pad_file(params, ifd, padded_size - size); 661 662 err_munmap: 663 munmap((void *)ptr, sbuf.st_size); 664 err_close: 665 close(dfd); 666 return -1; 667 } 668 669 int rockchip_copy_image(int ifd, struct image_tool_params *params) 670 { 671 int ret; 672 673 ret = copy_file(params, ifd, spl_params.init_file, 674 spl_params.init_size); 675 if (ret) 676 return ret; 677 678 if (spl_params.boot_file) { 679 ret = copy_file(params, ifd, spl_params.boot_file, 680 spl_params.boot_size); 681 if (ret) 682 return ret; 683 } 684 685 return pad_file(params, ifd, 686 params->file_size - params->orig_file_size); 687 } 688