1 files changed, 3 insertions, 235 deletions

diff --git a/src/vendorcode/cavium/bdk/libbdk-trust/bdk-trust.c b/src/vendorcode/cavium/bdk/libbdk-trust/bdk-trust.c
index 27c3294479..52dd702e3b 100644
--- a/src/vendorcode/cavium/bdk/libbdk-trust/bdk-trust.c
+++ b/src/vendorcode/cavium/bdk/libbdk-trust/bdk-trust.c
@@ -37,225 +37,8 @@
 * ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE LIES WITH YOU.
 ***********************license end**************************************/
 #include <bdk.h>
-#include "libbdk-arch/bdk-csrs-fusf.h"
-#include "libbdk-arch/bdk-csrs-rom.h"
 
-/* The define BDK_TRUST_HARD_BLOW_NV controls whether the BDK will
-   hard blow the secure NV counter on boot. This is needed for a
-   production system, but can be dangerous in a development
-   environment. The default value of 0 is to prevent bricking of
-   chips due to CSIB[NVCOUNT] mistakes. BDK_TRUST_HARD_BLOW_NV must
-   be changed to a 1 for production. The code below will display a
-   warning if BDK_TRUST_HARD_BLOW_NV=0 in a trusted boot to remind
-   you */
-#define BDK_TRUST_HARD_BLOW_NV 0
-
-/* The CSIB used to boot will be stored here by bsk-start.S */
-union bdk_rom_csib_s __bdk_trust_csib __attribute__((section("init")));
-static bdk_trust_level_t __bdk_trust_level = BDK_TRUST_LEVEL_BROKEN;
-
-/**
- * Update the fused secure NV counter to reflect the CSIB[NVCOUNT] value. In
- * production systems, be sure to set BDK_TRUST_HARD_BLOW_NV=1.
- */
-static void __bdk_program_nv_counter(void)
-{
-    int hw_nv = bdk_trust_get_nv_counter();
-    int csib_nv = __bdk_trust_csib.s.nvcnt;
-
-    if (!BDK_TRUST_HARD_BLOW_NV)
-    {
-        printf("\33[1m"); /* Bold */
-        bdk_warn("\n");
-        bdk_warn("********************************************************\n");
-        bdk_warn("* Configured for soft blow of secure NV counter. This\n");
-        bdk_warn("* build is not suitable for production trusted boot.\n");
-        bdk_warn("********************************************************\n");
-        bdk_warn("\n");
-        printf("\33[0m"); /* Normal */
-    }
-
-    /* Check if the CSIB NV counter is less than the HW fused values.
-       This means the image is an old rollback. Refuse to run */
-    if (csib_nv < hw_nv)
-        bdk_fatal("CSIB[NVCOUNT] is less than FUSF_CTL[ROM_T_CNT]. Image rollback not allowed\n");
-    /* If the CSIB NV counter matches the HW fuses, everything is
-       good */
-    if (csib_nv == hw_nv)
-        return;
-    /* CSIB NV counter is larger than the HW fuses. We must blow
-       fuses to move the hardware counter forward, protecting from
-       image rollback */
-    if (BDK_TRUST_HARD_BLOW_NV)
-    {
-        BDK_TRACE(INIT, "Trust: Hard blow secure NV counter to %d\n", csib_nv);
-        uint64_t v = 1ull << BDK_FUSF_FUSE_NUM_E_ROM_T_CNTX(csib_nv - 1);
-        bdk_fuse_field_hard_blow(bdk_numa_master(), BDK_FUSF_FUSE_NUM_E_FUSF_LCK, v, 0);
-    }
-    else
-    {
-        BDK_TRACE(INIT, "Trust: Soft blow secure NV counter to %d\n", csib_nv);
-        bdk_fuse_field_soft_blow(bdk_numa_master(), BDK_FUSF_FUSE_NUM_E_ROM_T_CNTX(csib_nv - 1));
-    }
-}
-
-/**
- * Called by boot stub (TBL1FW) to initialize the state of trust
- */
-void __bdk_trust_init(void)
-{
-    extern uint64_t __bdk_init_reg_pc; /* The contents of PC when this image started */
-    const bdk_node_t node = bdk_numa_local();
-    volatile uint64_t *huk = bdk_phys_to_ptr(bdk_numa_get_address(node, BDK_FUSF_HUKX(0)));
-
-    /* Non-trusted boot address */
-    if (__bdk_init_reg_pc == 0x120000)
-    {
-        __bdk_trust_level = BDK_TRUST_LEVEL_NONE;
-        if (huk[0] | huk[1])
-        {
-            BDK_TRACE(INIT, "Trust: Initial image, Non-trusted boot with HUK\n");
-            goto fail_trust;
-        }
-        else
-        {
-            BDK_TRACE(INIT, "Trust: Initial image, Non-trusted boot without HUK\n");
-            goto skip_trust;
-        }
-    }
-
-    if (__bdk_init_reg_pc != 0x150000)
-    {
-        /* Not the first image */
-        BDK_CSR_INIT(rst_boot, node, BDK_RST_BOOT);
-        if (!rst_boot.s.trusted_mode)
-        {
-            __bdk_trust_level = BDK_TRUST_LEVEL_NONE;
-            BDK_TRACE(INIT, "Trust: Secondary image, non-trusted boot\n");
-            goto skip_trust;
-        }
-        int csibsize = 0;
-        const union bdk_rom_csib_s *csib = bdk_config_get_blob(&csibsize, BDK_CONFIG_TRUST_CSIB);
-        if (!csib)
-        {
-            __bdk_trust_level = BDK_TRUST_LEVEL_NONE;
-            BDK_TRACE(INIT, "Trust: Secondary image, non-trusted boot\n");
-            goto skip_trust;
-        }
-        if (csibsize != sizeof(__bdk_trust_csib))
-        {
-            BDK_TRACE(INIT, "Trust: Secondary image, Trusted boot with corrupt CSIB, trust broken\n");
-            goto fail_trust;
-        }
-        /* Record our trust level */
-        switch (csib->s.crypt)
-        {
-            case 0:
-                __bdk_trust_level = BDK_TRUST_LEVEL_SIGNED;
-                BDK_TRACE(INIT, "Trust: Secondary image, Trused boot, no encryption\n");
-                goto success_trust;
-            case 1:
-                __bdk_trust_level = BDK_TRUST_LEVEL_SIGNED_SSK;
-                BDK_TRACE(INIT, "Trust: Secondary image, Trused boot, SSK encryption\n");
-                goto success_trust;
-            case 2:
-                __bdk_trust_level = BDK_TRUST_LEVEL_SIGNED_BSSK;
-                BDK_TRACE(INIT, "Trust: Secondary image, Trused boot, BSSK encryption\n");
-                goto success_trust;
-            default:
-                __bdk_trust_level = BDK_TRUST_LEVEL_BROKEN;
-                BDK_TRACE(INIT, "Trust: Secondary image, Trusted boot, Corrupt CSIB[crypt], trust broken\n");
-                goto fail_trust;
-        }
-    }
-
-    /* Copy the Root of Trust public key out of the CSIB */
-    volatile uint64_t *rot_pub_key = bdk_key_alloc(node, 64);
-    if (!rot_pub_key)
-    {
-        __bdk_trust_level = BDK_TRUST_LEVEL_BROKEN;
-        BDK_TRACE(INIT, "Trust: Failed to allocate ROT memory, trust broken\n");
-        goto fail_trust;
-    }
-    rot_pub_key[0] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk0);
-    rot_pub_key[1] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk1);
-    rot_pub_key[2] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk2);
-    rot_pub_key[3] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk3);
-    rot_pub_key[4] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk4);
-    rot_pub_key[5] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk5);
-    rot_pub_key[6] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk6);
-    rot_pub_key[7] = bdk_le64_to_cpu(__bdk_trust_csib.s.rotpk7);
-    bdk_config_set_int(bdk_ptr_to_phys((void*)rot_pub_key), BDK_CONFIG_TRUST_ROT_ADDR);
-    BDK_TRACE(INIT, "Trust: ROT %016lx %016lx %016lx %016lx %016lx %016lx %016lx %016lx\n",
-        bdk_cpu_to_be64(rot_pub_key[0]), bdk_cpu_to_be64(rot_pub_key[1]),
-        bdk_cpu_to_be64(rot_pub_key[2]), bdk_cpu_to_be64(rot_pub_key[3]),
-        bdk_cpu_to_be64(rot_pub_key[4]), bdk_cpu_to_be64(rot_pub_key[5]),
-        bdk_cpu_to_be64(rot_pub_key[6]), bdk_cpu_to_be64(rot_pub_key[7]));
-
-    /* Update the secure NV counter with the value in the CSIB */
-    __bdk_program_nv_counter();
-
-    /* Create the BSSK */
-    if (huk[0] | huk[1])
-    {
-        uint64_t iv[2] = {0, 0};
-        volatile uint64_t *bssk = bdk_key_alloc(node, 16);
-        if (!bssk)
-        {
-            __bdk_trust_level = BDK_TRUST_LEVEL_BROKEN;
-            BDK_TRACE(INIT, "Trust: Failed to allocate BSSK memory, trust broken\n");
-            goto fail_trust;
-        }
-        BDK_TRACE(INIT, "Trust: Calculating BSSK\n");
-        uint64_t tmp_bssk[2];
-        tmp_bssk[0] = __bdk_trust_csib.s.fs0;
-        tmp_bssk[1] = __bdk_trust_csib.s.fs1;
-        bdk_aes128cbc_decrypt((void*)huk, (void*)tmp_bssk, 16, iv);
-        bssk[0] = tmp_bssk[0];
-        bssk[1] = tmp_bssk[1];
-        tmp_bssk[0] = 0;
-        tmp_bssk[1] = 0;
-        bdk_config_set_int(bdk_ptr_to_phys((void*)bssk), BDK_CONFIG_TRUST_BSSK_ADDR);
-        //BDK_TRACE(INIT, "Trust: BSSK %016lx %016lx\n", bdk_cpu_to_be64(bssk[0]), bdk_cpu_to_be64(bssk[1]));
-    }
-
-    /* Record our trust level */
-    switch (__bdk_trust_csib.s.crypt)
-    {
-        case 0:
-            __bdk_trust_level = BDK_TRUST_LEVEL_SIGNED;
-            BDK_TRACE(INIT, "Trust: Trused boot, no encryption\n");
-            break;
-        case 1:
-            __bdk_trust_level = BDK_TRUST_LEVEL_SIGNED_SSK;
-            BDK_TRACE(INIT, "Trust: Trused boot, SSK encryption\n");
-            break;
-        case 2:
-            __bdk_trust_level = BDK_TRUST_LEVEL_SIGNED_BSSK;
-            BDK_TRACE(INIT, "Trust: Trused boot, BSSK encryption\n");
-            break;
-        default:
-            __bdk_trust_level = BDK_TRUST_LEVEL_BROKEN;
-            goto fail_trust;
-    }
-
-    /* We started at the trusted boot address, CSIB should be
-       valid */
-    bdk_config_set_blob(sizeof(__bdk_trust_csib), &__bdk_trust_csib, BDK_CONFIG_TRUST_CSIB);
-success_trust:
-    bdk_signed_load_public();
-    return;
-
-fail_trust:
-    /* Hide secrets  */
-    BDK_CSR_MODIFY(c, node, BDK_RST_BOOT,
-        c.s.dis_huk = 1);
-    BDK_TRACE(INIT, "Trust: Secrets Hidden\n");
-skip_trust:
-    /* Erase CSIB as it is invalid */
-    memset(&__bdk_trust_csib, 0, sizeof(__bdk_trust_csib));
-    bdk_config_set_blob(0, NULL, BDK_CONFIG_TRUST_CSIB);
-}
+#include <libbdk-trust/bdk-trust.h>
 
 /**
  * Returns the current level of trust. Must be called after
@@ -265,22 +48,7 @@ skip_trust:
  */
 bdk_trust_level_t bdk_trust_get_level(void)
 {
-    return __bdk_trust_level;
-}
-
-/**
- * Return the current secure NV counter stored in the fuses
- *
- * @return NV counter (0-31)
- */
-int bdk_trust_get_nv_counter(void)
-{
-    /* Count leading zeros in FUSF_CTL[ROM_T_CNT] to dermine the
-       hardware NV value */
-    BDK_CSR_INIT(fusf_ctl, bdk_numa_master(), BDK_FUSF_CTL);
-    int hw_nv = 0;
-    if (fusf_ctl.s.rom_t_cnt)
-        hw_nv = 32 - __builtin_clz(fusf_ctl.s.rom_t_cnt);
-    return hw_nv;
+    // FIXME
+    return BDK_TRUST_LEVEL_NONE;
 }