1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * (C) Copyright 2015 Google, Inc 4 * Written by Simon Glass <sjg@chromium.org> 5 * 6 * (C) 2017 Theobroma Systems Design und Consulting GmbH 7 * 8 * Helper functions for Rockchip images 9 */ 10 11 #include "imagetool.h" 12 #include <image.h> 13 #include <rc4.h> 14 #include "mkimage.h" 15 #include "rkcommon.h" 16 17 enum { 18 RK_SIGNATURE = 0x0ff0aa55, 19 }; 20 21 /** 22 * struct header0_info - header block for boot ROM 23 * 24 * This is stored at SD card block 64 (where each block is 512 bytes, or at 25 * the start of SPI flash. It is encoded with RC4. 26 * 27 * @signature: Signature (must be RKSD_SIGNATURE) 28 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 29 * @init_offset: Offset in blocks of the SPL code from this header 30 * block. E.g. 4 means 2KB after the start of this header. 31 * Other fields are not used by U-Boot 32 */ 33 struct header0_info { 34 uint32_t signature; 35 uint8_t reserved[4]; 36 uint32_t disable_rc4; 37 uint16_t init_offset; 38 uint8_t reserved1[492]; 39 uint16_t init_size; 40 uint16_t init_boot_size; 41 uint8_t reserved2[2]; 42 }; 43 44 /** 45 * struct header1_info 46 */ 47 struct header1_info { 48 uint32_t magic; 49 }; 50 51 /** 52 * struct spl_info - spl info for each chip 53 * 54 * @imagename: Image name(passed by "mkimage -n") 55 * @spl_hdr: Boot ROM requires a 4-bytes spl header 56 * @spl_size: Spl size(include extra 4-bytes spl header) 57 * @spl_rc4: RC4 encode the SPL binary (same key as header) 58 */ 59 60 struct spl_info { 61 const char *imagename; 62 const char *spl_hdr; 63 const uint32_t spl_size; 64 const bool spl_rc4; 65 }; 66 67 static struct spl_info spl_infos[] = { 68 { "px30", "RK33", 0x2800, false }, 69 { "rk3036", "RK30", 0x1000, false }, 70 { "rk3128", "RK31", 0x1800, false }, 71 { "rk3188", "RK31", 0x8000 - 0x800, true }, 72 { "rk322x", "RK32", 0x8000 - 0x1000, false }, 73 { "rk3288", "RK32", 0x8000, false }, 74 { "rk3308", "RK33", 0x40000 - 0x1000, false}, 75 { "rk3328", "RK32", 0x8000 - 0x1000, false }, 76 { "rk3368", "RK33", 0x8000 - 0x1000, false }, 77 { "rk3399", "RK33", 0x30000 - 0x2000, false }, 78 { "rv1108", "RK11", 0x1800, false }, 79 }; 80 81 /** 82 * struct spl_params - spl params parsed in check_params() 83 * 84 * @init_file: Init data file path 85 * @init_size: Aligned size of init data in bytes 86 * @boot_file: Boot data file path 87 * @boot_size: Aligned size of boot data in bytes 88 */ 89 90 struct spl_params { 91 char *init_file; 92 uint32_t init_size; 93 char *boot_file; 94 uint32_t boot_size; 95 }; 96 97 static struct spl_params spl_params = { 0 }; 98 99 static unsigned char rc4_key[16] = { 100 124, 78, 3, 4, 85, 5, 9, 7, 101 45, 44, 123, 56, 23, 13, 23, 17 102 }; 103 rkcommon_get_spl_info(char * imagename)104 static struct spl_info *rkcommon_get_spl_info(char *imagename) 105 { 106 int i; 107 108 if (!imagename) 109 return NULL; 110 111 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 112 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 113 return spl_infos + i; 114 115 return NULL; 116 } 117 rkcommon_get_aligned_size(struct image_tool_params * params,const char * fname)118 static int rkcommon_get_aligned_size(struct image_tool_params *params, 119 const char *fname) 120 { 121 int size; 122 123 size = imagetool_get_filesize(params, fname); 124 if (size < 0) 125 return -1; 126 127 /* 128 * Pad to a 2KB alignment, as required for init/boot size by the ROM 129 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html) 130 */ 131 return ROUND(size, RK_SIZE_ALIGN); 132 } 133 rkcommon_check_params(struct image_tool_params * params)134 int rkcommon_check_params(struct image_tool_params *params) 135 { 136 int i, size; 137 138 /* 139 * If this is a operation (list or extract), the don't require 140 * imagename to be set. 141 */ 142 if (params->lflag || params->iflag) 143 return EXIT_SUCCESS; 144 145 if (!rkcommon_get_spl_info(params->imagename)) 146 goto err_spl_info; 147 148 spl_params.init_file = params->datafile; 149 150 spl_params.boot_file = strchr(spl_params.init_file, ':'); 151 if (spl_params.boot_file) { 152 *spl_params.boot_file = '\0'; 153 spl_params.boot_file += 1; 154 } 155 156 size = rkcommon_get_aligned_size(params, spl_params.init_file); 157 if (size < 0) 158 return EXIT_FAILURE; 159 spl_params.init_size = size; 160 161 /* Boot file is optional, and only for back-to-bootrom functionality. */ 162 if (spl_params.boot_file) { 163 size = rkcommon_get_aligned_size(params, spl_params.boot_file); 164 if (size < 0) 165 return EXIT_FAILURE; 166 spl_params.boot_size = size; 167 } 168 169 if (spl_params.init_size > rkcommon_get_spl_size(params)) { 170 fprintf(stderr, 171 "Error: SPL image is too large (size %#x than %#x)\n", 172 spl_params.init_size, rkcommon_get_spl_size(params)); 173 return EXIT_FAILURE; 174 } 175 176 return EXIT_SUCCESS; 177 178 err_spl_info: 179 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 180 params->imagename ? params->imagename : "NULL"); 181 182 fprintf(stderr, "Available imagename:"); 183 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 184 fprintf(stderr, "\t%s", spl_infos[i].imagename); 185 fprintf(stderr, "\n"); 186 187 return EXIT_FAILURE; 188 } 189 rkcommon_get_spl_hdr(struct image_tool_params * params)190 const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 191 { 192 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 193 194 /* 195 * info would not be NULL, because of we checked params before. 196 */ 197 return info->spl_hdr; 198 } 199 200 rkcommon_get_spl_size(struct image_tool_params * params)201 int rkcommon_get_spl_size(struct image_tool_params *params) 202 { 203 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 204 205 /* 206 * info would not be NULL, because of we checked params before. 207 */ 208 return info->spl_size; 209 } 210 rkcommon_need_rc4_spl(struct image_tool_params * params)211 bool rkcommon_need_rc4_spl(struct image_tool_params *params) 212 { 213 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 214 215 /* 216 * info would not be NULL, because of we checked params before. 217 */ 218 return info->spl_rc4; 219 } 220 rkcommon_set_header0(void * buf,struct image_tool_params * params)221 static void rkcommon_set_header0(void *buf, struct image_tool_params *params) 222 { 223 struct header0_info *hdr = buf; 224 uint32_t init_boot_size; 225 226 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 227 hdr->signature = cpu_to_le32(RK_SIGNATURE); 228 hdr->disable_rc4 = cpu_to_le32(!rkcommon_need_rc4_spl(params)); 229 hdr->init_offset = cpu_to_le16(RK_INIT_OFFSET); 230 hdr->init_size = cpu_to_le16(spl_params.init_size / RK_BLK_SIZE); 231 232 /* 233 * init_boot_size needs to be set, as it is read by the BootROM 234 * to determine the size of the next-stage bootloader (e.g. U-Boot 235 * proper), when used with the back-to-bootrom functionality. 236 * 237 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 238 * for a more detailed explanation by Andy Yan 239 */ 240 if (spl_params.boot_file) 241 init_boot_size = spl_params.init_size + spl_params.boot_size; 242 else 243 init_boot_size = spl_params.init_size + RK_MAX_BOOT_SIZE; 244 hdr->init_boot_size = cpu_to_le16(init_boot_size / RK_BLK_SIZE); 245 246 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 247 } 248 rkcommon_set_header(void * buf,struct stat * sbuf,int ifd,struct image_tool_params * params)249 void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd, 250 struct image_tool_params *params) 251 { 252 struct header1_info *hdr = buf + RK_SPL_HDR_START; 253 254 rkcommon_set_header0(buf, params); 255 256 /* Set up the SPL name (i.e. copy spl_hdr over) */ 257 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 258 259 if (rkcommon_need_rc4_spl(params)) 260 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 261 spl_params.init_size); 262 263 if (spl_params.boot_file) { 264 if (rkcommon_need_rc4_spl(params)) 265 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START, 266 spl_params.init_size, 267 spl_params.boot_size); 268 } 269 } 270 rkcommon_offset_to_spi(unsigned offset)271 static inline unsigned rkcommon_offset_to_spi(unsigned offset) 272 { 273 /* 274 * While SD/MMC images use a flat addressing, SPI images are padded 275 * to use the first 2K of every 4K sector only. 276 */ 277 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 278 } 279 rkcommon_parse_header(const void * buf,struct header0_info * header0,struct spl_info ** spl_info)280 static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 281 struct spl_info **spl_info) 282 { 283 unsigned hdr1_offset; 284 struct header1_info *hdr1_sdmmc, *hdr1_spi; 285 int i; 286 287 if (spl_info) 288 *spl_info = NULL; 289 290 /* 291 * The first header (hdr0) is always RC4 encoded, so try to decrypt 292 * with the well-known key. 293 */ 294 memcpy((void *)header0, buf, sizeof(struct header0_info)); 295 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 296 297 if (le32_to_cpu(header0->signature) != RK_SIGNATURE) 298 return -EPROTO; 299 300 /* We don't support RC4 encoded image payloads here, yet... */ 301 if (le32_to_cpu(header0->disable_rc4) == 0) 302 return -ENOSYS; 303 304 hdr1_offset = le16_to_cpu(header0->init_offset) * RK_BLK_SIZE; 305 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 306 hdr1_spi = (struct header1_info *)(buf + 307 rkcommon_offset_to_spi(hdr1_offset)); 308 309 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 310 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 311 RK_SPL_HDR_SIZE)) { 312 if (spl_info) 313 *spl_info = &spl_infos[i]; 314 return IH_TYPE_RKSD; 315 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 316 RK_SPL_HDR_SIZE)) { 317 if (spl_info) 318 *spl_info = &spl_infos[i]; 319 return IH_TYPE_RKSPI; 320 } 321 } 322 323 return -1; 324 } 325 rkcommon_verify_header(unsigned char * buf,int size,struct image_tool_params * params)326 int rkcommon_verify_header(unsigned char *buf, int size, 327 struct image_tool_params *params) 328 { 329 struct header0_info header0; 330 struct spl_info *img_spl_info, *spl_info; 331 int ret; 332 333 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 334 335 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 336 if (ret == -ENOSYS) 337 return 0; 338 339 if (ret < 0) 340 return ret; 341 342 /* 343 * If no 'imagename' is specified via the commandline (e.g. if this is 344 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 345 */ 346 if (params->imagename == NULL) 347 return 0; 348 349 /* Match the 'imagename' against the 'spl_hdr' found */ 350 spl_info = rkcommon_get_spl_info(params->imagename); 351 if (spl_info && img_spl_info) 352 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 353 354 return -ENOENT; 355 } 356 rkcommon_print_header(const void * buf)357 void rkcommon_print_header(const void *buf) 358 { 359 struct header0_info header0; 360 struct spl_info *spl_info; 361 uint8_t image_type; 362 int ret, boot_size, init_size; 363 364 ret = rkcommon_parse_header(buf, &header0, &spl_info); 365 366 /* If this is the (unimplemented) RC4 case, then fail silently */ 367 if (ret == -ENOSYS) 368 return; 369 370 if (ret < 0) { 371 fprintf(stderr, "Error: image verification failed\n"); 372 return; 373 } 374 375 image_type = ret; 376 377 printf("Image Type: Rockchip %s (%s) boot image\n", 378 spl_info->spl_hdr, 379 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 380 init_size = le16_to_cpu(header0.init_size) * RK_BLK_SIZE; 381 printf("Init Data Size: %d bytes\n", init_size); 382 383 boot_size = le16_to_cpu(header0.init_boot_size) * RK_BLK_SIZE - init_size; 384 if (boot_size != RK_MAX_BOOT_SIZE) 385 printf("Boot Data Size: %d bytes\n", boot_size); 386 } 387 rkcommon_rc4_encode_spl(void * buf,unsigned int offset,unsigned int size)388 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 389 { 390 unsigned int remaining = size; 391 392 while (remaining > 0) { 393 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 394 395 rc4_encode(buf + offset, step, rc4_key); 396 offset += RK_BLK_SIZE; 397 remaining -= step; 398 } 399 } 400 rkcommon_vrec_header(struct image_tool_params * params,struct image_type_params * tparams)401 int rkcommon_vrec_header(struct image_tool_params *params, 402 struct image_type_params *tparams) 403 { 404 /* 405 * The SPL image looks as follows: 406 * 407 * 0x0 header0 (see rkcommon.c) 408 * 0x800 spl_name ('RK30', ..., 'RK33') 409 * (start of the payload for AArch64 payloads: we expect the 410 * first 4 bytes to be available for overwriting with our 411 * spl_name) 412 * 0x804 first instruction to be executed 413 * (start of the image/payload for 32bit payloads) 414 * 415 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 416 * required for its sections (so the image we receive needs to 417 * have the first 4 bytes reserved for the spl_name). Reserving 418 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 419 * 420 * The header is always at 0x800 (as we now use a payload 421 * prepadded using the boot0 hook for all targets): the first 422 * 4 bytes of these images can safely be overwritten using the 423 * boot magic. 424 */ 425 tparams->header_size = RK_SPL_HDR_START; 426 427 /* Allocate, clear and install the header */ 428 tparams->hdr = malloc(tparams->header_size); 429 if (!tparams->hdr) { 430 fprintf(stderr, "%s: Can't alloc header: %s\n", 431 params->cmdname, strerror(errno)); 432 exit(EXIT_FAILURE); 433 } 434 memset(tparams->hdr, 0, tparams->header_size); 435 436 /* 437 * We need to store the original file-size (i.e. before padding), as 438 * imagetool does not set this during its adjustment of file_size. 439 */ 440 params->orig_file_size = tparams->header_size + 441 spl_params.init_size + spl_params.boot_size; 442 443 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN); 444 445 /* Ignoring pad len, since we are using our own copy_image() */ 446 return 0; 447 } 448 pad_file(struct image_tool_params * params,int ifd,int pad)449 static int pad_file(struct image_tool_params *params, int ifd, int pad) 450 { 451 uint8_t zeros[4096]; 452 453 memset(zeros, 0, sizeof(zeros)); 454 455 while (pad > 0) { 456 int todo = sizeof(zeros); 457 458 if (todo > pad) 459 todo = pad; 460 if (write(ifd, (char *)&zeros, todo) != todo) { 461 fprintf(stderr, "%s: Write error on %s: %s\n", 462 params->cmdname, params->imagefile, 463 strerror(errno)); 464 return -1; 465 } 466 pad -= todo; 467 } 468 469 return 0; 470 } 471 copy_file(struct image_tool_params * params,int ifd,const char * file,int padded_size)472 static int copy_file(struct image_tool_params *params, int ifd, 473 const char *file, int padded_size) 474 { 475 int dfd; 476 struct stat sbuf; 477 unsigned char *ptr; 478 int size; 479 480 if (params->vflag) 481 fprintf(stderr, "Adding Image %s\n", file); 482 483 dfd = open(file, O_RDONLY | O_BINARY); 484 if (dfd < 0) { 485 fprintf(stderr, "%s: Can't open %s: %s\n", 486 params->cmdname, file, strerror(errno)); 487 return -1; 488 } 489 490 if (fstat(dfd, &sbuf) < 0) { 491 fprintf(stderr, "%s: Can't stat %s: %s\n", 492 params->cmdname, file, strerror(errno)); 493 goto err_close; 494 } 495 496 if (params->vflag) 497 fprintf(stderr, "Size %u(pad to %u)\n", 498 (int)sbuf.st_size, padded_size); 499 500 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0); 501 if (ptr == MAP_FAILED) { 502 fprintf(stderr, "%s: Can't read %s: %s\n", 503 params->cmdname, file, strerror(errno)); 504 goto err_munmap; 505 } 506 507 size = sbuf.st_size; 508 if (write(ifd, ptr, size) != size) { 509 fprintf(stderr, "%s: Write error on %s: %s\n", 510 params->cmdname, params->imagefile, strerror(errno)); 511 goto err_munmap; 512 } 513 514 munmap((void *)ptr, sbuf.st_size); 515 close(dfd); 516 return pad_file(params, ifd, padded_size - size); 517 518 err_munmap: 519 munmap((void *)ptr, sbuf.st_size); 520 err_close: 521 close(dfd); 522 return -1; 523 } 524 rockchip_copy_image(int ifd,struct image_tool_params * params)525 int rockchip_copy_image(int ifd, struct image_tool_params *params) 526 { 527 int ret; 528 529 ret = copy_file(params, ifd, spl_params.init_file, 530 spl_params.init_size); 531 if (ret) 532 return ret; 533 534 if (spl_params.boot_file) { 535 ret = copy_file(params, ifd, spl_params.boot_file, 536 spl_params.boot_size); 537 if (ret) 538 return ret; 539 } 540 541 return pad_file(params, ifd, 542 params->file_size - params->orig_file_size); 543 } 544