ARM: tegra20: implement BCT patching

This function allows updating bootloader from u-boot
on production devices without need in host PC.

Be aware! It works only with re-crypt BCT.

Tested-by: Robert Eckelmann <longnoserob@gmail.com> # ASUS TF101 T20
Signed-off-by: Ramin Khonsari <raminterex@yahoo.com>
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
Signed-off-by: Tom <twarren@nvidia.com>

arch/arm/mach-tegra/Kconfig

@@ -231,7 +231,7 @@ config CMD_ENTERRCM
 
 config CMD_EBTUPDATE
 	bool "Enable 'ebtupdate' command"
-	depends on TEGRA30
+	depends on TEGRA20 || TEGRA30
 	select TEGRA_CRYPTO
 	help
 	  Updating u-boot from within u-boot in rather complex or even

arch/arm/mach-tegra/tegra20/Makefile

@@ -2,9 +2,8 @@
 #
 # (C) Copyright 2010,2011 Nvidia Corporation.
 
-ifdef CONFIG_SPL_BUILD
-obj-y	+= cpu.o
-endif
+obj-$(CONFIG_SPL_BUILD) += cpu.o
+obj-$(CONFIG_$(SPL_)CMD_EBTUPDATE) += bct.o
 
 # The AVP is ARMv4T architecture so we must use special compiler
 # flags for any startup files it might use.

arch/arm/mach-tegra/tegra20/bct.c

@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2022, Ramin <raminterex@yahoo.com>
+ * Copyright (c) 2022, Svyatoslav Ryhel <clamor95@gmail.com>
+ */
+
+#include <common.h>
+#include <command.h>
+#include <log.h>
+#include <asm/arch-tegra/crypto.h>
+#include "bct.h"
+#include "uboot_aes.h"
+
+/*
+ * @param  bct		boot config table start in RAM
+ * @param  ect		bootloader start in RAM
+ * @param  ebt_size	bootloader file size in bytes
+ * Return: 0, or 1 if failed
+ */
+static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
+{
+	struct nvboot_config_table *bct_tbl = NULL;
+	u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
+	u8 sbk[AES128_KEY_LENGTH] = { 0 };
+	u8 *bct_hash = bct;
+	int ret;
+
+	bct += BCT_HASH;
+
+	memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
+	       NVBOOT_CMAC_AES_HASH_LENGTH * 4);
+
+	ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+	if (ret)
+		return 1;
+
+	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
+	ret = encrypt_data_block(ebt, ebt_size, sbk);
+	if (ret)
+		return 1;
+
+	ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
+	if (ret)
+		return 1;
+
+	bct_tbl = (struct nvboot_config_table *)bct;
+
+	memcpy((u8 *)&bct_tbl->bootloader[0].crypto_hash,
+	       ebt_hash, NVBOOT_CMAC_AES_HASH_LENGTH * 4);
+	bct_tbl->bootloader[0].entry_point = CONFIG_SPL_TEXT_BASE;
+	bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
+	bct_tbl->bootloader[0].length = ebt_size;
+
+	ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+	if (ret)
+		return 1;
+
+	ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
+	if (ret)
+		return 1;
+
+	return 0;
+}
+
+static int do_ebtupdate(struct cmd_tbl *cmdtp, int flag, int argc,
+			char *const argv[])
+{
+	u32 bct_addr = hextoul(argv[1], NULL);
+	u32 ebt_addr = hextoul(argv[2], NULL);
+	u32 ebt_size = hextoul(argv[3], NULL);
+
+	return bct_patch((u8 *)bct_addr, (u8 *)ebt_addr, ebt_size);
+}
+
+U_BOOT_CMD(ebtupdate,	4,	0,	do_ebtupdate,
+	   "update bootloader on re-crypted Tegra20 devices",
+	   ""
+);

arch/arm/mach-tegra/tegra20/bct.h

@@ -0,0 +1,42 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+
+#ifndef _BCT_H_
+#define _BCT_H_
+
+/*
+ * Defines the BCT parametres for T20
+ */
+#define BCT_LENGTH		0xFE0
+#define BCT_HASH		0x10
+#define EBT_ALIGNMENT		0x10
+
+/*
+ * Defines the CMAC-AES-128 hash length in 32 bit words. (128 bits = 4 words)
+ */
+#define NVBOOT_CMAC_AES_HASH_LENGTH		4
+
+/*
+ * Defines the maximum number of bootloader descriptions in the BCT.
+ */
+#define NVBOOT_MAX_BOOTLOADERS			4
+
+struct nv_bootloader_info {
+	u32 version;
+	u32 start_blk;
+	u32 start_page;
+	u32 length;
+	u32 load_addr;
+	u32 entry_point;
+	u32 attribute;
+	u32 crypto_hash[NVBOOT_CMAC_AES_HASH_LENGTH];
+};
+
+struct nvboot_config_table {
+	u32 unused0[4];
+	u32 boot_data_version;
+	u32 unused1[668];
+	struct nv_bootloader_info bootloader[NVBOOT_MAX_BOOTLOADERS];
+	u32 unused2[508];
+};
+
+#endif /* _BCT_H_ */

doc/usage/cmd/ebtupdate.rst

@@ -0,0 +1,69 @@
+.. SPDX-License-Identifier: GPL-2.0+:
+
+ebtupdate command
+=============
+
+Synopsis
+--------
+
+::
+
+    ebtupdate [<bct> [<ebt>] [<size>]]
+
+Description
+-----------
+
+The "ebtupdate" command is used to self-update bootloader on Tegra 2 and Tegra 3
+production devices which were processed using re-cryption.
+
+The "ebtupdate" performs encryption of new bootloader and decryption, patching
+and re-encryption of BCT "in situ". After BCT and bootloader can be written in
+their respective places.
+
+bct
+    address of BCT block pre-loaded into RAM.
+
+ebt
+    address of the bootloader pre-loaded into RAM.
+
+size
+    size of the pre-loaded bootloader.
+
+Example
+-------
+
+This is the boot log of a LG Optimus Vu:
+
+::
+
+    => mmc dev 0 1
+    switch to partitions #1, OK
+    mmc0(part 1) is current device
+    => mmc read $kernel_addr_r 0 $boot_block_size
+    MMC read: dev # 0, block # 0, count 4096 ... 4096 blocks read: OK
+    => load mmc 0:1 $ramdisk_addr_r $bootloader_file
+    684783 bytes read in 44 ms (14.8 MiB/s)
+    => size mmc 0:1 $bootloader_file
+    => ebtupdate $kernel_addr_r $ramdisk_addr_r $filesize
+    => mmc dev 0 1
+    switch to partitions #1, OK
+    mmc0(part 1) is current device
+    => mmc write $kernel_addr_r 0 $boot_block_size
+    MMC write: dev # 0, block # 0, count 4096 ... 4096 blocks written: OK
+    => mmc dev 0 2
+    switch to partitions #2, OK
+    mmc0(part 2) is current device
+    => mmc write $ramdisk_addr_r 0 $boot_block_size
+    MMC write: dev # 0, block # 0, count 4096 ... 4096 blocks written: OK
+
+Configuration
+-------------
+
+The ebtupdate command is only available if CONFIG_CMD_EBTUPDATE=y and
+only on Tegra 2 and Tegra 3 configurations.
+
+Return value
+------------
+
+The return value $? is set to 0 (true) if everything went successfully. If an
+error occurs, the return value $? is set to 1 (false).