ARM: tegra20: tegra30: support EBTUPDATE on non-encrypted devices

Re-crypt support was extended to devices without burnt SBK. In case
SBK is not set, place from where it is read is filled with zeroes.
This patch adds support for ebtupdate function to detect nosbk device
and avoid crypto operations for it.

Tested-by: Maksim Kurnosenko <[email protected]>
Signed-off-by: Svyatoslav Ryhel <[email protected]>

2 files changed, 40 insertions, 20 deletions

diff --git a/arch/arm/mach-tegra/tegra20/bct.c b/arch/arm/mach-tegra/tegra20/bct.c
index 5eb48990b6c..b2c44f3d237 100644
--- a/arch/arm/mach-tegra/tegra20/bct.c
+++ b/arch/arm/mach-tegra/tegra20/bct.c
@@ -11,6 +11,9 @@
 #include "bct.h"
 #include "uboot_aes.h"
 
+/* Device with "sbk burned: false" will expose zero key */
+const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
+
 /*
  * @param  bct		boot config table start in RAM
  * @param  ect		bootloader start in RAM
@@ -23,22 +26,27 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
 	u8 sbk[AES128_KEY_LENGTH] = { 0 };
 	u8 *bct_hash = bct;
+	bool encrypted;
 	int ret;
 
 	bct += BCT_HASH;
 
+	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
 	memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
 	       NVBOOT_CMAC_AES_HASH_LENGTH * 4);
 
-	ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
-	if (ret)
-		return 1;
+	encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
 
-	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+	if (encrypted) {
+		ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+		if (ret)
+			return 1;
 
-	ret = encrypt_data_block(ebt, ebt_size, sbk);
-	if (ret)
-		return 1;
+		ret = encrypt_data_block(ebt, ebt_size, sbk);
+		if (ret)
+			return 1;
+	}
 
 	ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
 	if (ret)
@@ -52,9 +60,11 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
 	bct_tbl->bootloader[0].length = ebt_size;
 
-	ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
-	if (ret)
-		return 1;
+	if (encrypted) {
+		ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+		if (ret)
+			return 1;
+	}
 
 	ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
 	if (ret)
diff --git a/arch/arm/mach-tegra/tegra30/bct.c b/arch/arm/mach-tegra/tegra30/bct.c
index c56958da691..cff1a3e98d2 100644
--- a/arch/arm/mach-tegra/tegra30/bct.c
+++ b/arch/arm/mach-tegra/tegra30/bct.c
@@ -11,6 +11,9 @@
 #include "bct.h"
 #include "uboot_aes.h"
 
+/* Device with "sbk burned: false" will expose zero key */
+const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
+
 /*
  * @param  bct		boot config table start in RAM
  * @param  ect		bootloader start in RAM
@@ -23,22 +26,27 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
 	u8 sbk[AES128_KEY_LENGTH] = { 0 };
 	u8 *bct_hash = bct;
+	bool encrypted;
 	int ret;
 
 	bct += BCT_HASH;
 
+	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
 	memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
 	       NVBOOT_CMAC_AES_HASH_LENGTH * 4);
 
-	ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
-	if (ret)
-		return 1;
+	encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
 
-	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+	if (encrypted) {
+		ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+		if (ret)
+			return 1;
 
-	ret = encrypt_data_block(ebt, ebt_size, sbk);
-	if (ret)
-		return 1;
+		ret = encrypt_data_block(ebt, ebt_size, sbk);
+		if (ret)
+			return 1;
+	}
 
 	ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
 	if (ret)
@@ -52,9 +60,11 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
 	bct_tbl->bootloader[0].length = ebt_size;
 
-	ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
-	if (ret)
-		return 1;
+	if (encrypted) {
+		ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+		if (ret)
+			return 1;
+	}
 
 	ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
 	if (ret)