common/zircon_abr.c - u-boot - Git at Google

 /*
  * Copyright (c) 2019 The Fuchsia Authors
  *
  * SPDX-License-Identifier:	BSD-3-Clause
  */

 #include <common.h>
 #include <abr/abr.h>
 #include <abr/ops.h>
 #include <amlogic/aml_image.h>
 #include <zircon/boot/image.h>
 #include <zircon_uboot/partition.h>
 #include <zircon_uboot/vboot.h>
 #include <zircon_uboot/zircon.h>

 #define ABR_OFFSET 0
 static bool read_abr_metadata(void *context, size_t size, uint8_t *buffer)
 {
 	assert(buffer != NULL);

 	zircon_partition *part =
 		zircon_get_partition(zircon_abr_partition_name);
 	if (!part) {
 		fprintf(stderr, "%s partition not found.\n",
 			zircon_abr_partition_name);
 		return false;
 	}

 	if (part->read(part, ABR_OFFSET, buffer, size)) {
 		fprintf(stderr, "failed to read A/B/R metadata.\n");
 		zircon_free_partition(part);
 		return false;
 	}

 	zircon_free_partition(part);
 	return true;
 }

 static bool write_abr_metadata(void *context, const uint8_t *buffer,
 			       size_t size)
 {
 	assert(buffer != NULL);

 	zircon_partition *part =
 		zircon_get_partition(zircon_abr_partition_name);
 	if (!part) {
 		fprintf(stderr, "%s partition not found.\n",
 			zircon_abr_partition_name);
 		return false;
 	}

 	if (part->write(part, ABR_OFFSET, buffer, size)) {
 		fprintf(stderr, "failed to read A/B/R metadata.\n");
 		zircon_free_partition(part);
 		return false;
 	}

 	zircon_free_partition(part);
 	return true;
 }

 static const AbrOps abr_ops = {
 	.read_abr_metadata = read_abr_metadata,
 	.write_abr_metadata = write_abr_metadata,
 };

 const AbrOps *zircon_abr_ops(void)
 {
 	return &abr_ops;
 }

 const char *zircon_slot_idx_to_part_name(AbrSlotIndex slot_index)
 {
 	switch (slot_index) {
 	case kAbrSlotIndexA:
 		return "zircon_a";
 	case kAbrSlotIndexB:
 		return "zircon_b";
 	case kAbrSlotIndexR:
 		return "zircon_r";
 	}

 	printf("Error: invalid slot index %d\n", slot_index);
 	return "";
 }

 // Minimum read size needed to verify existence of a ZBI and get length is the
 // optional AMLogic signing header (not used by recent builds) plus the first
 // ZBI header.
 #define ZIRCON_IMAGE_HEADER_BUF_SIZE                                           \
 	(sizeof(aml_boot_header_t) + sizeof(zbi_header_t))

 static int zircon_find_headers(const zircon_partition *part,
 			       bool *out_aml_hdr_found,
 			       aml_boot_header_t *out_aml_hdr,
 			       bool *out_zbi_hdr_found,
 			       zbi_header_t *out_zbi_hdr)
 {
 	unsigned char buf[ZIRCON_IMAGE_HEADER_BUF_SIZE]
 		__attribute__((aligned(ZBI_ALIGNMENT)));
 	if (part->read(part, 0, buf, sizeof(buf))) {
 		return -1;
 	}

 	uint64_t zbi_offset = 0;

 	aml_boot_header_t *aml_hdr = (aml_boot_header_t *)buf;

 	bool aml_hdr_found = aml_hdr->magic == AML_BOOT_HEADER_MAGIC;

 	if (out_aml_hdr_found)
 		*out_aml_hdr_found = aml_hdr_found;

 	if (aml_hdr_found) {
 		zbi_offset = sizeof(aml_boot_header_t);
 		if (out_aml_hdr)
 			*out_aml_hdr = *aml_hdr;
 	}

 	zbi_header_t *zbi_hdr = (zbi_header_t *)(buf + zbi_offset);

 	// Just check if the header looks like a ZBI container. We'll do a full
 	// ZBI validity check later once we've loaded the whole image into memory.
 	bool zbi_hdr_found = (zbi_hdr->type == ZBI_TYPE_CONTAINER &&
 			      zbi_hdr->extra == ZBI_CONTAINER_MAGIC &&
 			      zbi_hdr->magic == ZBI_ITEM_MAGIC);

 	if (out_zbi_hdr_found)
 		*out_zbi_hdr_found = zbi_hdr_found;

 	if (zbi_hdr_found) {
 		if (out_zbi_hdr)
 			*out_zbi_hdr = *zbi_hdr;
 	}

 	return 0;
 }

 /**
  * zircon_get_img_size() - Gets upper bound size for image in partition
  *
  * The size is derived from the Amlogic boot header if it exists.
  * If not, the first ZBI header is used. If neither header is found,
  * the entire partition size is used.
  *
  * @partition: The zircon partition in which the image resides.
  * @size: Set to an upper bound of the full image size, including amlogic
  * 	  secure boot headers and ZBI headers.
  * @img_offset: Set to image offset.
  *
  * Return: 0 on success, negative value on failure
  */
 int zircon_get_img_size(const zircon_partition *part, uint64_t *size,
 			size_t *img_offset)
 {
 	bool aml_hdr_found;
 	aml_boot_header_t aml_hdr;
 	bool zbi_hdr_found;
 	zbi_header_t zbi_hdr;

 	if (zircon_find_headers(part, &aml_hdr_found, &aml_hdr, &zbi_hdr_found,
 				&zbi_hdr)) {
 		fprintf(stderr, "Failed to find headers\n");
 		return -1;
 	}

 	// Always set to 0 unless Amlogic boot header found
 	*img_offset = 0;

 	// Get an upper bound on image size by using the outermost header of
 	// the image and falling back on the partition size.
 	// The Amlogic header is always found first if it exists.
 	if (aml_hdr_found) {
 		*size = aml_hdr.img_size + sizeof(aml_boot_header_t);
 		*img_offset = sizeof(aml_boot_header_t);
 		printf("AML header found: img_size: %llu\n", *size);
 	} else if (zbi_hdr_found) {
 		*size = zbi_hdr.length + sizeof(zbi_header_t);
 		printf("ZBI header found: img_size: %llu\n", *size);
 	} else {
 		*size = part->size;
 		printf("Headers not found. Using partition size: %llu\n",
 		       *size);
 	}

 	return 0;
 }

 /** zircon_load_kernel() - Loads zircon kernel into specified address.
  *
  * @loadaddr: The address at which to load the kernel.
  * @loadsize: The size of the load buffer.
  * @slot_idx: The slot index from which to read the kernel.
  * @has_successfully_booted: True if this slot has previously booted successfully.
  * @img_offset: Set to the image offset, if known, otherwise, set to 0.
  *
  * Return: 0 if successful, negative value on failure.
  */
 static int zircon_load_kernel(unsigned char *loadaddr, size_t loadsize,
 			      AbrSlotIndex slot_idx,
 			      bool has_successfully_booted, size_t *img_offset)
 {
 	const char *ab_suffix = AbrGetSlotSuffix(slot_idx);

 	if (ab_suffix == NULL) {
 		fprintf(stderr, "Invalid slot_idx %d\n", slot_idx);
 		return -1;
 	}

 	const char *part_name = zircon_slot_idx_to_part_name(slot_idx);

 	printf("ABR: loading kernel from %s...\n", part_name);

 	zircon_partition *part = zircon_get_partition(part_name);
 	if (!part) {
 		fprintf(stderr, "partition not found: %s\n", part_name);
 		return -1;
 	}

 	uint64_t img_size;

 	if (zircon_get_img_size(part, &img_size, img_offset)) {
 		fprintf(stderr, "unable to get zircon image size\n");
 		zircon_free_partition(part);
 		return -1;
 	}

 	if (img_size > loadsize) {
 		fprintf(stderr, "Image is too large to load (%llu > %zu)\n",
 			img_size, loadsize);
 		return -1;
 	}

 	if (part->read(part, 0, loadaddr, img_size)) {
 		fprintf(stderr, "Failed to to read partition\n");
 		zircon_free_partition(part);
 		return -1;
 	}

 	zbi_header_t *zbi = (zbi_header_t *)(loadaddr + *img_offset);
 	size_t capacity = loadsize - *img_offset;
 	if (zircon_vboot_slot_verify(loadaddr, img_size, ab_suffix,
 				     has_successfully_booted, zbi, capacity)) {
 		fprintf(stderr, "Failed to verify slot: %s\n", ab_suffix);
 		zircon_free_partition(part);
 		return -1;
 	}

 	printf("Successfully loaded slot: %s\n", ab_suffix);

 	zircon_free_partition(part);
 	return 0;
 }

 int zircon_abr_img_load(unsigned char *loadaddr, size_t loadsize,
 			bool force_recovery, size_t *img_offset,
 			AbrSlotIndex *slot)
 {
 	int ret = 0;
 	AbrSlotIndex cur_slot;

 	do {
 		bool has_successfully_booted;
 		/* check recovery mode */
 		if (force_recovery) {
 			cur_slot = kAbrSlotIndexR;
 			has_successfully_booted = true;
 		} else {
 			cur_slot = AbrGetBootSlot(zircon_abr_ops(), true,
 						  &has_successfully_booted);
 		}

 		ret = zircon_load_kernel(loadaddr, loadsize, cur_slot,
 					 has_successfully_booted, img_offset);

 		if (ret) {
 			fprintf(stderr, "ABR: failed to load slot %d: %s\n",
 				cur_slot,
 				zircon_slot_idx_to_part_name(cur_slot));
 			if (AbrMarkSlotUnbootable(zircon_abr_ops(), cur_slot) !=
 			    kAbrResultOk) {
 				return -1;
 			}
 			continue;
 		}

 	} while ((ret != 0) && (cur_slot != kAbrSlotIndexR));

 	if (ret != 0) {
 		fprintf(stderr, "Fail to boot: no valid slots\n");
 		return -1;
 	}

 	*slot = cur_slot;
 	return 0;
 }
	/*
	* Copyright (c) 2019 The Fuchsia Authors
	*
	* SPDX-License-Identifier: BSD-3-Clause
	*/

	#include <common.h>
	#include <abr/abr.h>
	#include <abr/ops.h>
	#include <amlogic/aml_image.h>
	#include <zircon/boot/image.h>
	#include <zircon_uboot/partition.h>
	#include <zircon_uboot/vboot.h>
	#include <zircon_uboot/zircon.h>

	#define ABR_OFFSET 0
	static bool read_abr_metadata(void context, size_t size, uint8_t buffer)
	{
	assert(buffer != NULL);

	zircon_partition *part =
	zircon_get_partition(zircon_abr_partition_name);
	if (!part) {
	fprintf(stderr, "%s partition not found.\n",
	zircon_abr_partition_name);
	return false;
	}

	if (part->read(part, ABR_OFFSET, buffer, size)) {
	fprintf(stderr, "failed to read A/B/R metadata.\n");
	zircon_free_partition(part);
	return false;
	}

	zircon_free_partition(part);
	return true;
	}

	static bool write_abr_metadata(void context, const uint8_t buffer,
	size_t size)
	{
	assert(buffer != NULL);

	zircon_partition *part =
	zircon_get_partition(zircon_abr_partition_name);
	if (!part) {
	fprintf(stderr, "%s partition not found.\n",
	zircon_abr_partition_name);
	return false;
	}

	if (part->write(part, ABR_OFFSET, buffer, size)) {
	fprintf(stderr, "failed to read A/B/R metadata.\n");
	zircon_free_partition(part);
	return false;
	}

	zircon_free_partition(part);
	return true;
	}

	static const AbrOps abr_ops = {
	.read_abr_metadata = read_abr_metadata,
	.write_abr_metadata = write_abr_metadata,
	};

	const AbrOps *zircon_abr_ops(void)
	{
	return &abr_ops;
	}

	const char *zircon_slot_idx_to_part_name(AbrSlotIndex slot_index)
	{
	switch (slot_index) {
	case kAbrSlotIndexA:
	return "zircon_a";
	case kAbrSlotIndexB:
	return "zircon_b";
	case kAbrSlotIndexR:
	return "zircon_r";
	}

	printf("Error: invalid slot index %d\n", slot_index);
	return "";
	}

	// Minimum read size needed to verify existence of a ZBI and get length is the
	// optional AMLogic signing header (not used by recent builds) plus the first
	// ZBI header.
	#define ZIRCON_IMAGE_HEADER_BUF_SIZE \
	(sizeof(aml_boot_header_t) + sizeof(zbi_header_t))

	static int zircon_find_headers(const zircon_partition *part,
	bool *out_aml_hdr_found,
	aml_boot_header_t *out_aml_hdr,
	bool *out_zbi_hdr_found,
	zbi_header_t *out_zbi_hdr)
	{
	unsigned char buf[ZIRCON_IMAGE_HEADER_BUF_SIZE]
	__attribute__((aligned(ZBI_ALIGNMENT)));
	if (part->read(part, 0, buf, sizeof(buf))) {
	return -1;
	}

	uint64_t zbi_offset = 0;

	aml_boot_header_t aml_hdr = (aml_boot_header_t )buf;

	bool aml_hdr_found = aml_hdr->magic == AML_BOOT_HEADER_MAGIC;

	if (out_aml_hdr_found)
	*out_aml_hdr_found = aml_hdr_found;

	if (aml_hdr_found) {
	zbi_offset = sizeof(aml_boot_header_t);
	if (out_aml_hdr)
	out_aml_hdr = aml_hdr;
	}

	zbi_header_t zbi_hdr = (zbi_header_t )(buf + zbi_offset);

	// Just check if the header looks like a ZBI container. We'll do a full
	// ZBI validity check later once we've loaded the whole image into memory.
	bool zbi_hdr_found = (zbi_hdr->type == ZBI_TYPE_CONTAINER &&
	zbi_hdr->extra == ZBI_CONTAINER_MAGIC &&
	zbi_hdr->magic == ZBI_ITEM_MAGIC);

	if (out_zbi_hdr_found)
	*out_zbi_hdr_found = zbi_hdr_found;

	if (zbi_hdr_found) {
	if (out_zbi_hdr)
	out_zbi_hdr = zbi_hdr;
	}

	return 0;
	}

	/**
	* zircon_get_img_size() - Gets upper bound size for image in partition
	*
	* The size is derived from the Amlogic boot header if it exists.
	* If not, the first ZBI header is used. If neither header is found,
	* the entire partition size is used.
	*
	* @partition: The zircon partition in which the image resides.
	* @size: Set to an upper bound of the full image size, including amlogic
	* secure boot headers and ZBI headers.
	* @img_offset: Set to image offset.
	*
	* Return: 0 on success, negative value on failure
	*/
	int zircon_get_img_size(const zircon_partition part, uint64_t size,
	size_t *img_offset)
	{
	bool aml_hdr_found;
	aml_boot_header_t aml_hdr;
	bool zbi_hdr_found;
	zbi_header_t zbi_hdr;

	if (zircon_find_headers(part, &aml_hdr_found, &aml_hdr, &zbi_hdr_found,
	&zbi_hdr)) {
	fprintf(stderr, "Failed to find headers\n");
	return -1;
	}

	// Always set to 0 unless Amlogic boot header found
	*img_offset = 0;

	// Get an upper bound on image size by using the outermost header of
	// the image and falling back on the partition size.
	// The Amlogic header is always found first if it exists.
	if (aml_hdr_found) {
	*size = aml_hdr.img_size + sizeof(aml_boot_header_t);
	*img_offset = sizeof(aml_boot_header_t);
	printf("AML header found: img_size: %llu\n", *size);
	} else if (zbi_hdr_found) {
	*size = zbi_hdr.length + sizeof(zbi_header_t);
	printf("ZBI header found: img_size: %llu\n", *size);
	} else {
	*size = part->size;
	printf("Headers not found. Using partition size: %llu\n",
	*size);
	}

	return 0;
	}

	/** zircon_load_kernel() - Loads zircon kernel into specified address.
	*
	* @loadaddr: The address at which to load the kernel.
	* @loadsize: The size of the load buffer.
	* @slot_idx: The slot index from which to read the kernel.
	* @has_successfully_booted: True if this slot has previously booted successfully.
	* @img_offset: Set to the image offset, if known, otherwise, set to 0.
	*
	* Return: 0 if successful, negative value on failure.
	*/
	static int zircon_load_kernel(unsigned char *loadaddr, size_t loadsize,
	AbrSlotIndex slot_idx,
	bool has_successfully_booted, size_t *img_offset)
	{
	const char *ab_suffix = AbrGetSlotSuffix(slot_idx);

	if (ab_suffix == NULL) {
	fprintf(stderr, "Invalid slot_idx %d\n", slot_idx);
	return -1;
	}

	const char *part_name = zircon_slot_idx_to_part_name(slot_idx);

	printf("ABR: loading kernel from %s...\n", part_name);

	zircon_partition *part = zircon_get_partition(part_name);
	if (!part) {
	fprintf(stderr, "partition not found: %s\n", part_name);
	return -1;
	}

	uint64_t img_size;

	if (zircon_get_img_size(part, &img_size, img_offset)) {
	fprintf(stderr, "unable to get zircon image size\n");
	zircon_free_partition(part);
	return -1;
	}

	if (img_size > loadsize) {
	fprintf(stderr, "Image is too large to load (%llu > %zu)\n",
	img_size, loadsize);
	return -1;
	}

	if (part->read(part, 0, loadaddr, img_size)) {
	fprintf(stderr, "Failed to to read partition\n");
	zircon_free_partition(part);
	return -1;
	}

	zbi_header_t zbi = (zbi_header_t )(loadaddr + *img_offset);
	size_t capacity = loadsize - *img_offset;
	if (zircon_vboot_slot_verify(loadaddr, img_size, ab_suffix,
	has_successfully_booted, zbi, capacity)) {
	fprintf(stderr, "Failed to verify slot: %s\n", ab_suffix);
	zircon_free_partition(part);
	return -1;
	}

	printf("Successfully loaded slot: %s\n", ab_suffix);

	zircon_free_partition(part);
	return 0;
	}

	int zircon_abr_img_load(unsigned char *loadaddr, size_t loadsize,
	bool force_recovery, size_t *img_offset,
	AbrSlotIndex *slot)
	{
	int ret = 0;
	AbrSlotIndex cur_slot;

	do {
	bool has_successfully_booted;
	/* check recovery mode */
	if (force_recovery) {
	cur_slot = kAbrSlotIndexR;
	has_successfully_booted = true;
	} else {
	cur_slot = AbrGetBootSlot(zircon_abr_ops(), true,
	&has_successfully_booted);
	}

	ret = zircon_load_kernel(loadaddr, loadsize, cur_slot,
	has_successfully_booted, img_offset);

	if (ret) {
	fprintf(stderr, "ABR: failed to load slot %d: %s\n",
	cur_slot,
	zircon_slot_idx_to_part_name(cur_slot));
	if (AbrMarkSlotUnbootable(zircon_abr_ops(), cur_slot) !=
	kAbrResultOk) {
	return -1;
	}
	continue;
	}

	} while ((ret != 0) && (cur_slot != kAbrSlotIndexR));

	if (ret != 0) {
	fprintf(stderr, "Fail to boot: no valid slots\n");
	return -1;
	}

	*slot = cur_slot;
	return 0;
	}