[PATCH 4/4] commands: hab: extend by field_return fuse burn
Fabian Pflug
f.pflug at pengutronix.de
Thu Dec 18 09:36:31 PST 2025
Extend hab command with an additional parameter to burn the field return
fuse, but only if it is unlocked via the kconfig option.
Without the kconfig option, the extra argument makes no sense, as it
would not be possible to access the FIELD_RETURN fuse.
Signed-off-by: Fabian Pflug <f.pflug at pengutronix.de>
---
arch/arm/mach-imx/Kconfig | 6 +++++-
commands/hab.c | 20 +++++++++++++++++---
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 5f50d1a823..5fea0bbbca 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -926,13 +926,17 @@ config HABV4_CSF_UNLOCK_UID
feature. This value must match the per device UNIQUE_ID fuses.
The below example shows the expected format. The UNIQUE_ID is
- queried by Linux via:
+ printed during boot by barebox:
+ i.MX___ unique ID: 7766554433221100
+ or it can be queried by Linux via:
- cat /sys/devices/soc0/serial_number
7766554433221100
So this value have to be set:
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
+ Afterwards, the `hab -p -r` command can be used to burn the fuse.
+
config HABV4_IMG_CRT_PEM
string "Path to IMG certificate"
default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
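Review bot: The added sentence "Afterwards, the `hab -p -r` command can be used to burn the fuse" gives the operator the command but not its consequence. The help line for `-r` in commands/hab.c marks it as dangerous, and this text should carry the same warning, for example `Burning the FIELD_RETURN fuse is permanent and cannot be undone.` The sentence also sits under HABV4_CSF_UNLOCK_UID while the command is gated on CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN, so it is worth stating that `-r` only exists with that option enabled. The dependency between the two symbols is not visible in this hunk.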
diff --git a/commands/hab.c b/commands/hab.c
index 8ae943a4c8..435c20f4d3 100644
--- a/commands/hab.c
+++ b/commands/hab.c
@@ -16,9 +16,9 @@ static int do_hab(int argc, char *argv[])
char *srkhashfile = NULL, *srkhash = NULL;
unsigned flags = 0;
u8 srk[SRK_HASH_SIZE];
- int lockdown = 0, info = 0;
+ int lockdown = 0, info = 0, field_return = 0;
- while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
+ while ((opt = getopt(argc, argv, "s:fpx:lir")) > 0) {
switch (opt) {
case 's':
srkhashfile = optarg;
@@ -38,12 +38,16 @@ static int do_hab(int argc, char *argv[])
case 'i':
info = 1;
break;
+ case 'r':
+ field_return = 1;
+ break;
default:
return COMMAND_ERROR_USAGE;
}
}
- if (!info && !lockdown && !srkhashfile && !srkhash) {
+ if (!info && !lockdown && !srkhashfile && !srkhash &&
+ !(IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN) && field_return)) {
printf("Nothing to do\n");
return COMMAND_ERROR_USAGE;
}
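Review bot: `-r` is parsed and sets `field_return` even when CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN is disabled, so an invocation such as `hab -i -r` passes the "Nothing to do" check through `info` and the field-return request appears to be dropped without any message. For a fuse operation the operator should get an explicit refusal rather than a silent no-op. In `case 'r':` add `if (!IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN)) return COMMAND_ERROR_USAGE;` before setting the flag, which also lets the condition below shrink to `&& !field_return`. The optstring change in the previous hunk is part of the same point, and the switch starts outside this hunk.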
@@ -94,6 +98,13 @@ static int do_hab(int argc, char *argv[])
printf("Device successfully locked down\n");
}
+ if (IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN) && field_return) {
+ ret = imx_hab_field_return(flags & IMX_SRK_HASH_WRITE_PERMANENT);
+ if (ret)
+ return ret;
+ printf("Field return fuse successfully burnt\n");
+ }
+
return 0;
}
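Review bot: The field-return step runs after the lockdown step (and apparently after the SRK hash write) of the same invocation, so `hab -p -l -r` or `hab -p -x <sha256> -r` would perform several one-way fuse operations back to back, and nothing visible here rejects that combination. Consider refusing it right after option parsing, before any fuse is touched: `if (field_return && (lockdown || srkhashfile || srkhash)) return COMMAND_ERROR_USAGE;`. Separately, "Field return fuse successfully burnt" is printed whenever `imx_hab_field_return()` returns 0, including when `-p` was not given. If the non-permanent path does not actually blow the fuse (the function body is not visible here), the message should distinguish the two cases so the operator is not told a fuse was burnt when it was not. The body of do_hab starts outside this hunk.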
@@ -105,6 +116,9 @@ BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string"
BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info")
BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written")
BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted")
+#ifdef CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN
+BAREBOX_CMD_HELP_OPT ("-r", "Field Return. Dangerous! After executing signed images are disabled forever.")
+#endif // CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN
BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!")
BAREBOX_CMD_HELP_END
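Review bot: The `-r` help text "After executing signed images are disabled forever" is ambiguous: it can be read as signed images no longer booting, or as signature enforcement being switched off. This single line is what an operator sees before burning an irreversible fuse, so it should name the resulting device state exactly. It should also say that the fuse is only written together with `-p`, as the Kconfig help's `hab -p -r` implies. Note that the `#ifdef` hides the option from the help output while the parser in the earlier hunks still accepts `-r`, so help and parser disagree when the option is disabled.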
--
2.47.3