1// SPDX-License-Identifier: GPL-2.0+ 2/* 3 * (C) Copyright 2015 Google, Inc 4 * Written by Simon Glass <sjg@chromium.org> 5 * 6 * (C) 2017 Theobroma Systems Design und Consulting GmbH 7 * 8 * Helper functions for Rockchip images 9 */ 10 11#include "imagetool.h" 12#include <image.h> 13#include <u-boot/sha256.h> 14#include <rc4.h> 15#include "mkimage.h" 16#include "rkcommon.h" 17 18enum { 19 RK_MAGIC = 0x0ff0aa55, 20 RK_MAGIC_V2 = 0x534E4B52, 21}; 22 23enum { 24 RK_HEADER_V1 = 1, 25 RK_HEADER_V2 = 2, 26}; 27 28enum hash_type { 29 HASH_NONE = 0, 30 HASH_SHA256 = 1, 31 HASH_SHA512 = 2, 32}; 33 34/** 35 * struct image_entry 36 * 37 * @size_and_off: [31:16]image size;[15:0]image offset 38 * @address: default as 0xFFFFFFFF 39 * @flag: no use 40 * @counter: no use 41 * @hash: hash of image 42 * 43 */ 44struct image_entry { 45 uint32_t size_and_off; 46 uint32_t address; 47 uint32_t flag; 48 uint32_t counter; 49 uint8_t reserved[8]; 50 uint8_t hash[64]; 51}; 52 53/** 54 * struct header0_info_v2 - v2 header block for rockchip BootRom 55 * 56 * This is stored at SD card block 64 (where each block is 512 bytes) 57 * 58 * @magic: Magic (must be RK_MAGIC_V2) 59 * @size_and_nimage: [31:16]number of images;[15:0] 60 * offset to hash field of header(unit as 4Byte) 61 * @boot_flag: [3:0]hash type(0:none,1:sha256,2:sha512) 62 * @signature: hash or signature for header info 63 * 64 */ 65struct header0_info_v2 { 66 uint32_t magic; 67 uint8_t reserved[4]; 68 uint32_t size_and_nimage; 69 uint32_t boot_flag; 70 uint8_t reserved1[104]; 71 struct image_entry images[4]; 72 uint8_t reserved2[1064]; 73 uint8_t hash[512]; 74}; 75 76/** 77 * struct header0_info - header block for boot ROM 78 * 79 * This is stored at SD card block 64 (where each block is 512 bytes, or at 80 * the start of SPI flash. It is encoded with RC4. 81 * 82 * @magic: Magic (must be RK_MAGIC) 83 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 84 * @init_offset: Offset in blocks of the SPL code from this header 85 * block. E.g. 4 means 2KB after the start of this header. 86 * Other fields are not used by U-Boot 87 */ 88struct header0_info { 89 uint32_t magic; 90 uint8_t reserved[4]; 91 uint32_t disable_rc4; 92 uint16_t init_offset; 93 uint8_t reserved1[492]; 94 uint16_t init_size; 95 uint16_t init_boot_size; 96 uint8_t reserved2[2]; 97}; 98 99/** 100 * struct header1_info 101 */ 102struct header1_info { 103 uint32_t magic; 104}; 105 106/** 107 * struct spl_info - spl info for each chip 108 * 109 * @imagename: Image name(passed by "mkimage -n") 110 * @spl_hdr: Boot ROM requires a 4-bytes spl header 111 * @spl_size: Spl size(include extra 4-bytes spl header) 112 * @spl_rc4: RC4 encode the SPL binary (same key as header) 113 * @header_ver: header block version 114 */ 115struct spl_info { 116 const char *imagename; 117 const char *spl_hdr; 118 const uint32_t spl_size; 119 const bool spl_rc4; 120 const uint32_t header_ver; 121}; 122 123static struct spl_info spl_infos[] = { 124 { "px30", "RK33", 0x2800, false, RK_HEADER_V1 }, 125 { "rk3036", "RK30", 0x1000, false, RK_HEADER_V1 }, 126 { "rk3066", "RK30", 0x8000 - 0x800, true, RK_HEADER_V1 }, 127 { "rk3128", "RK31", 0x1800, false, RK_HEADER_V1 }, 128 { "rk3188", "RK31", 0x8000 - 0x800, true, RK_HEADER_V1 }, 129 { "rk322x", "RK32", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 130 { "rk3288", "RK32", 0x8000, false, RK_HEADER_V1 }, 131 { "rk3308", "RK33", 0x40000 - 0x1000, false, RK_HEADER_V1 }, 132 { "rk3328", "RK32", 0x8000 - 0x800, false, RK_HEADER_V1 }, 133 { "rk3368", "RK33", 0x8000 - 0x1000, false, RK_HEADER_V1 }, 134 { "rk3399", "RK33", 0x30000 - 0x2000, false, RK_HEADER_V1 }, 135 { "rv1108", "RK11", 0x1800, false, RK_HEADER_V1 }, 136 { "rv1126", "110B", 0x10000 - 0x1000, false, RK_HEADER_V1 }, 137 { "rk3568", "RK35", 0x10000 - 0x1000, false, RK_HEADER_V2 }, 138 { "rk3588", "RK35", 0x100000 - 0x1000, false, RK_HEADER_V2 }, 139}; 140 141/** 142 * struct spl_params - spl params parsed in check_params() 143 * 144 * @init_file: Init data file path 145 * @init_size: Aligned size of init data in bytes 146 * @boot_file: Boot data file path 147 * @boot_size: Aligned size of boot data in bytes 148 */ 149 150struct spl_params { 151 char *init_file; 152 uint32_t init_size; 153 char *boot_file; 154 uint32_t boot_size; 155}; 156 157static struct spl_params spl_params = { 0 }; 158 159static const unsigned char rc4_key[16] = { 160 124, 78, 3, 4, 85, 5, 9, 7, 161 45, 44, 123, 56, 23, 13, 23, 17 162}; 163 164static struct spl_info *rkcommon_get_spl_info(char *imagename) 165{ 166 int i; 167 168 if (!imagename) 169 return NULL; 170 171 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 172 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 173 return spl_infos + i; 174 175 return NULL; 176} 177 178static int rkcommon_get_aligned_size(struct image_tool_params *params, 179 const char *fname) 180{ 181 int size; 182 183 size = imagetool_get_filesize(params, fname); 184 if (size < 0) 185 return -1; 186 187 /* 188 * Pad to a 2KB alignment, as required for init/boot size by the ROM 189 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html) 190 */ 191 return ROUND(size, RK_SIZE_ALIGN); 192} 193 194int rkcommon_check_params(struct image_tool_params *params) 195{ 196 int i, size; 197 198 /* 199 * If this is a operation (list or extract), the don't require 200 * imagename to be set. 201 */ 202 if (params->lflag || params->iflag) 203 return EXIT_SUCCESS; 204 205 if (!rkcommon_get_spl_info(params->imagename)) 206 goto err_spl_info; 207 208 spl_params.init_file = params->datafile; 209 210 spl_params.boot_file = strchr(spl_params.init_file, ':'); 211 if (spl_params.boot_file) { 212 *spl_params.boot_file = '\0'; 213 spl_params.boot_file += 1; 214 } 215 216 size = rkcommon_get_aligned_size(params, spl_params.init_file); 217 if (size < 0) 218 return EXIT_FAILURE; 219 spl_params.init_size = size; 220 221 /* Boot file is optional, and only for back-to-bootrom functionality. */ 222 if (spl_params.boot_file) { 223 size = rkcommon_get_aligned_size(params, spl_params.boot_file); 224 if (size < 0) 225 return EXIT_FAILURE; 226 spl_params.boot_size = size; 227 } 228 229 if (spl_params.init_size > rkcommon_get_spl_size(params)) { 230 fprintf(stderr, 231 "Error: SPL image is too large (size %#x than %#x)\n", 232 spl_params.init_size, rkcommon_get_spl_size(params)); 233 return EXIT_FAILURE; 234 } 235 236 return EXIT_SUCCESS; 237 238err_spl_info: 239 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 240 params->imagename ? params->imagename : "NULL"); 241 242 fprintf(stderr, "Available imagename:"); 243 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 244 fprintf(stderr, "\t%s", spl_infos[i].imagename); 245 fprintf(stderr, "\n"); 246 247 return EXIT_FAILURE; 248} 249 250const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 251{ 252 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 253 254 /* 255 * info would not be NULL, because of we checked params before. 256 */ 257 return info->spl_hdr; 258} 259 260int rkcommon_get_spl_size(struct image_tool_params *params) 261{ 262 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 263 264 /* 265 * info would not be NULL, because of we checked params before. 266 */ 267 return info->spl_size; 268} 269 270bool rkcommon_need_rc4_spl(struct image_tool_params *params) 271{ 272 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 273 274 /* 275 * info would not be NULL, because of we checked params before. 276 */ 277 return info->spl_rc4; 278} 279 280bool rkcommon_is_header_v2(struct image_tool_params *params) 281{ 282 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 283 284 return (info->header_ver == RK_HEADER_V2); 285} 286 287static void do_sha256_hash(uint8_t *buf, uint32_t size, uint8_t *out) 288{ 289 sha256_context ctx; 290 291 sha256_starts(&ctx); 292 sha256_update(&ctx, buf, size); 293 sha256_finish(&ctx, out); 294} 295 296static void rkcommon_set_header0(void *buf, struct image_tool_params *params) 297{ 298 struct header0_info *hdr = buf; 299 uint32_t init_boot_size; 300 301 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 302 hdr->magic = cpu_to_le32(RK_MAGIC); 303 hdr->disable_rc4 = cpu_to_le32(!rkcommon_need_rc4_spl(params)); 304 hdr->init_offset = cpu_to_le16(RK_INIT_OFFSET); 305 hdr->init_size = cpu_to_le16(spl_params.init_size / RK_BLK_SIZE); 306 307 /* 308 * init_boot_size needs to be set, as it is read by the BootROM 309 * to determine the size of the next-stage bootloader (e.g. U-Boot 310 * proper), when used with the back-to-bootrom functionality. 311 * 312 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 313 * for a more detailed explanation by Andy Yan 314 */ 315 if (spl_params.boot_file) 316 init_boot_size = spl_params.init_size + spl_params.boot_size; 317 else 318 init_boot_size = spl_params.init_size + RK_MAX_BOOT_SIZE; 319 hdr->init_boot_size = cpu_to_le16(init_boot_size / RK_BLK_SIZE); 320 321 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 322} 323 324static void rkcommon_set_header0_v2(void *buf, struct image_tool_params *params) 325{ 326 struct header0_info_v2 *hdr = buf; 327 uint32_t sector_offset, image_sector_count; 328 uint32_t image_size_array[2]; 329 uint8_t *image_ptr = NULL; 330 int i; 331 332 printf("Image Type: Rockchip %s boot image\n", 333 rkcommon_get_spl_hdr(params)); 334 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 335 hdr->magic = cpu_to_le32(RK_MAGIC_V2); 336 hdr->size_and_nimage = cpu_to_le32((2 << 16) + 384); 337 hdr->boot_flag = cpu_to_le32(HASH_SHA256); 338 sector_offset = 4; 339 image_size_array[0] = spl_params.init_size; 340 image_size_array[1] = spl_params.boot_size; 341 342 for (i = 0; i < 2; i++) { 343 image_sector_count = image_size_array[i] / RK_BLK_SIZE; 344 hdr->images[i].size_and_off = cpu_to_le32((image_sector_count 345 << 16) + sector_offset); 346 hdr->images[i].address = 0xFFFFFFFF; 347 hdr->images[i].counter = cpu_to_le32(i + 1); 348 image_ptr = buf + sector_offset * RK_BLK_SIZE; 349 do_sha256_hash(image_ptr, image_size_array[i], 350 hdr->images[i].hash); 351 sector_offset = sector_offset + image_sector_count; 352 } 353 354 do_sha256_hash(buf, (void *)hdr->hash - buf, hdr->hash); 355} 356 357void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd, 358 struct image_tool_params *params) 359{ 360 struct header1_info *hdr = buf + RK_SPL_HDR_START; 361 362 if (rkcommon_is_header_v2(params)) { 363 rkcommon_set_header0_v2(buf, params); 364 } else { 365 rkcommon_set_header0(buf, params); 366 367 /* Set up the SPL name (i.e. copy spl_hdr over) */ 368 if (memcmp(&hdr->magic, "RSAK", 4)) 369 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 370 371 if (rkcommon_need_rc4_spl(params)) 372 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 373 spl_params.init_size); 374 375 if (spl_params.boot_file) { 376 if (rkcommon_need_rc4_spl(params)) 377 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START, 378 spl_params.init_size, 379 spl_params.boot_size); 380 } 381 } 382} 383 384static inline unsigned int rkcommon_offset_to_spi(unsigned int offset) 385{ 386 /* 387 * While SD/MMC images use a flat addressing, SPI images are padded 388 * to use the first 2K of every 4K sector only. 389 */ 390 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 391} 392 393static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 394 struct spl_info **spl_info) 395{ 396 unsigned int hdr1_offset; 397 struct header1_info *hdr1_sdmmc, *hdr1_spi; 398 int i; 399 400 if (spl_info) 401 *spl_info = NULL; 402 403 /* 404 * The first header (hdr0) is always RC4 encoded, so try to decrypt 405 * with the well-known key. 406 */ 407 memcpy((void *)header0, buf, sizeof(struct header0_info)); 408 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 409 410 if (le32_to_cpu(header0->magic) != RK_MAGIC) 411 return -EPROTO; 412 413 /* We don't support RC4 encoded image payloads here, yet... */ 414 if (le32_to_cpu(header0->disable_rc4) == 0) 415 return -ENOSYS; 416 417 hdr1_offset = le16_to_cpu(header0->init_offset) * RK_BLK_SIZE; 418 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 419 hdr1_spi = (struct header1_info *)(buf + 420 rkcommon_offset_to_spi(hdr1_offset)); 421 422 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 423 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 424 RK_SPL_HDR_SIZE)) { 425 if (spl_info) 426 *spl_info = &spl_infos[i]; 427 return IH_TYPE_RKSD; 428 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 429 RK_SPL_HDR_SIZE)) { 430 if (spl_info) 431 *spl_info = &spl_infos[i]; 432 return IH_TYPE_RKSPI; 433 } 434 } 435 436 return -1; 437} 438 439static int rkcommon_parse_header_v2(const void *buf, struct header0_info_v2 *header) 440{ 441 memcpy((void *)header, buf, sizeof(struct header0_info_v2)); 442 443 if (le32_to_cpu(header->magic) != RK_MAGIC_V2) 444 return -EPROTO; 445 446 return 0; 447} 448 449int rkcommon_verify_header(unsigned char *buf, int size, 450 struct image_tool_params *params) 451{ 452 struct header0_info header0; 453 struct spl_info *img_spl_info, *spl_info; 454 int ret; 455 456 /* spl_hdr is abandon on header_v2 */ 457 if ((*(uint32_t *)buf) == RK_MAGIC_V2) 458 return 0; 459 460 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 461 462 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 463 if (ret == -ENOSYS) 464 return 0; 465 466 if (ret < 0) 467 return ret; 468 469 /* 470 * If no 'imagename' is specified via the commandline (e.g. if this is 471 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 472 */ 473 if (params->imagename == NULL) 474 return 0; 475 476 /* Match the 'imagename' against the 'spl_hdr' found */ 477 spl_info = rkcommon_get_spl_info(params->imagename); 478 if (spl_info && img_spl_info) 479 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 480 481 return -ENOENT; 482} 483 484void rkcommon_print_header(const void *buf, struct image_tool_params *params) 485{ 486 struct header0_info header0; 487 struct header0_info_v2 header0_v2; 488 struct spl_info *spl_info; 489 uint8_t image_type; 490 int ret, boot_size, init_size; 491 492 if ((*(uint32_t *)buf) == RK_MAGIC_V2) { 493 ret = rkcommon_parse_header_v2(buf, &header0_v2); 494 495 if (ret < 0) { 496 fprintf(stderr, "Error: image verification failed\n"); 497 return; 498 } 499 500 init_size = header0_v2.images[0].size_and_off >> 16; 501 init_size = init_size * RK_BLK_SIZE; 502 boot_size = header0_v2.images[1].size_and_off >> 16; 503 boot_size = boot_size * RK_BLK_SIZE; 504 } else { 505 ret = rkcommon_parse_header(buf, &header0, &spl_info); 506 507 /* If this is the (unimplemented) RC4 case, then fail silently */ 508 if (ret == -ENOSYS) 509 return; 510 511 if (ret < 0) { 512 fprintf(stderr, "Error: image verification failed\n"); 513 return; 514 } 515 516 image_type = ret; 517 init_size = header0.init_size * RK_BLK_SIZE; 518 boot_size = header0.init_boot_size * RK_BLK_SIZE - init_size; 519 520 printf("Image Type: Rockchip %s (%s) boot image\n", 521 spl_info->spl_hdr, 522 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 523 } 524 525 printf("Init Data Size: %d bytes\n", init_size); 526 527 if (boot_size != RK_MAX_BOOT_SIZE) 528 printf("Boot Data Size: %d bytes\n", boot_size); 529} 530 531void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 532{ 533 unsigned int remaining = size; 534 535 while (remaining > 0) { 536 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 537 538 rc4_encode(buf + offset, step, rc4_key); 539 offset += RK_BLK_SIZE; 540 remaining -= step; 541 } 542} 543 544int rkcommon_vrec_header(struct image_tool_params *params, 545 struct image_type_params *tparams) 546{ 547 /* 548 * The SPL image looks as follows: 549 * 550 * 0x0 header0 (see rkcommon.c) 551 * 0x800 spl_name ('RK30', ..., 'RK33') 552 * (start of the payload for AArch64 payloads: we expect the 553 * first 4 bytes to be available for overwriting with our 554 * spl_name) 555 * 0x804 first instruction to be executed 556 * (start of the image/payload for 32bit payloads) 557 * 558 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 559 * required for its sections (so the image we receive needs to 560 * have the first 4 bytes reserved for the spl_name). Reserving 561 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 562 * 563 * The header is always at 0x800 (as we now use a payload 564 * prepadded using the boot0 hook for all targets): the first 565 * 4 bytes of these images can safely be overwritten using the 566 * boot magic. 567 */ 568 tparams->header_size = RK_SPL_HDR_START; 569 570 /* Allocate, clear and install the header */ 571 tparams->hdr = malloc(tparams->header_size); 572 if (!tparams->hdr) { 573 fprintf(stderr, "%s: Can't alloc header: %s\n", 574 params->cmdname, strerror(errno)); 575 exit(EXIT_FAILURE); 576 } 577 memset(tparams->hdr, 0, tparams->header_size); 578 579 /* 580 * We need to store the original file-size (i.e. before padding), as 581 * imagetool does not set this during its adjustment of file_size. 582 */ 583 params->orig_file_size = tparams->header_size + 584 spl_params.init_size + spl_params.boot_size; 585 586 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN); 587 588 /* Ignoring pad len, since we are using our own copy_image() */ 589 return 0; 590} 591 592static int pad_file(struct image_tool_params *params, int ifd, int pad) 593{ 594 uint8_t zeros[4096]; 595 596 memset(zeros, 0, sizeof(zeros)); 597 598 while (pad > 0) { 599 int todo = sizeof(zeros); 600 601 if (todo > pad) 602 todo = pad; 603 if (write(ifd, (char *)&zeros, todo) != todo) { 604 fprintf(stderr, "%s: Write error on %s: %s\n", 605 params->cmdname, params->imagefile, 606 strerror(errno)); 607 return -1; 608 } 609 pad -= todo; 610 } 611 612 return 0; 613} 614 615static int copy_file(struct image_tool_params *params, int ifd, 616 const char *file, int padded_size) 617{ 618 int dfd; 619 struct stat sbuf; 620 unsigned char *ptr; 621 int size; 622 623 if (params->vflag) 624 fprintf(stderr, "Adding Image %s\n", file); 625 626 dfd = open(file, O_RDONLY | O_BINARY); 627 if (dfd < 0) { 628 fprintf(stderr, "%s: Can't open %s: %s\n", 629 params->cmdname, file, strerror(errno)); 630 return -1; 631 } 632 633 if (fstat(dfd, &sbuf) < 0) { 634 fprintf(stderr, "%s: Can't stat %s: %s\n", 635 params->cmdname, file, strerror(errno)); 636 goto err_close; 637 } 638 639 if (params->vflag) 640 fprintf(stderr, "Size %u(pad to %u)\n", 641 (int)sbuf.st_size, padded_size); 642 643 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0); 644 if (ptr == MAP_FAILED) { 645 fprintf(stderr, "%s: Can't read %s: %s\n", 646 params->cmdname, file, strerror(errno)); 647 goto err_munmap; 648 } 649 650 size = sbuf.st_size; 651 if (write(ifd, ptr, size) != size) { 652 fprintf(stderr, "%s: Write error on %s: %s\n", 653 params->cmdname, params->imagefile, strerror(errno)); 654 goto err_munmap; 655 } 656 657 munmap((void *)ptr, sbuf.st_size); 658 close(dfd); 659 return pad_file(params, ifd, padded_size - size); 660 661err_munmap: 662 munmap((void *)ptr, sbuf.st_size); 663err_close: 664 close(dfd); 665 return -1; 666} 667 668int rockchip_copy_image(int ifd, struct image_tool_params *params) 669{ 670 int ret; 671 672 ret = copy_file(params, ifd, spl_params.init_file, 673 spl_params.init_size); 674 if (ret) 675 return ret; 676 677 if (spl_params.boot_file) { 678 ret = copy_file(params, ifd, spl_params.boot_file, 679 spl_params.boot_size); 680 if (ret) 681 return ret; 682 } 683 684 return pad_file(params, ifd, 685 params->file_size - params->orig_file_size); 686} 687