libubootenv: generate key modifier from fuses

Until now the key modifier was being read from 'hwid_n' device tree
entries, but now those entries reflect the environment HWID, which
could be temporarily overriding the fuse HWID.

Ensure the key modifier is generated from the new 'hwid_fuse_n'
device tree entries created by U-Boot with the contents of the
fuse HWID, just as U-Boot does to encrypt/decrypt the environment.

https://onedigi.atlassian.net/browse/DEL-9123

Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Gonzalo Ruiz 2026-03-17 13:57:08 +01:00
parent 191f891f6c
commit 5d54f13c2d
1 changed files with 40 additions and 5 deletions

@ -49,15 +49,35 @@ Generalize the code to make room for Optee-based encryption.
Optee) implementation.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
# This is the commit message #4:
crypt: read HWID from 'digi,hwid_fuse_n' dt properties
Now that U-Boot supports overriding the HWID, it inserts the local,
variable HWID into the 'digi,hwid_n' properties and the fused,
stable HWID into the 'digi,hwid_fuse_n' properties.
Read the HWID to compute the key modifier from 'digi,hwid_fuse_n'
as a preferred method. If those properties do not exist, fall back
to the previous method, 'digi,hwid_n'.
An outdated U-Boot that does not create the 'digi,hwid_fuse_n'
properties does not support HWID overriding either, so we can trust
'digi,hwid_n' to have the contents from the fuses.
https://onedigi.atlassian.net/browse/DEL-9123
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
---
src/CMakeLists.txt | 4 +
src/caam_keyblob.h | 42 +++++++
src/crypt.c | 179 +++++++++++++++++++++++++++++
src/crypt.c | 194 ++++++++++++++++++++++++++++++++
src/crypt.h | 10 ++
src/md5.c | 275 +++++++++++++++++++++++++++++++++++++++++++++
src/md5.h | 24 ++++
src/uboot_env.c | 18 +++
7 files changed, 552 insertions(+)
7 files changed, 567 insertions(+)
create mode 100644 src/caam_keyblob.h
create mode 100644 src/crypt.c
create mode 100644 src/crypt.h
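Review bot: The embedded patch description carries the line "# This is the commit message #4:", which is the template marker git writes when squashing commits, not part of any message. Remove it (and any sibling "#N" markers in the same header) so the patch header reads as a sequence of clean commit messages. The new message would also benefit from stating whether the fallback to 'digi,hwid_n' is meant to apply to the whole HWID or to each word separately, since the code change decides it word by word.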
@ -129,10 +149,10 @@ index 0000000..e313e87
+#endif /* CAAM_KEYBLOB_H */
diff --git a/src/crypt.c b/src/crypt.c
new file mode 100644
index 0000000..213cffd
index 0000000..565d13d
--- /dev/null
+++ b/src/crypt.c
@@ -0,0 +1,179 @@
@@ -0,0 +1,194 @@
+/*
+ * Copyright 2024 Digi International Inc
+ *
@ -192,10 +212,25 @@ index 0000000..213cffd
+ int len;
+ int fd;
+ uint32_t ocotp_hwid[MAX_HWID_WORDS];
+ char dt_prop[32];
+ char dt_prop[40];
+ char buf[sizeof(uint32_t)];
+
+ for (i = 0; i < MAX_HWID_WORDS; i++) {
+ sprintf(dt_prop, "/proc/device-tree/digi,hwid_fuse_%d", i);
+ if (access(dt_prop, F_OK) != -1) {
+ fd = open(dt_prop, O_RDONLY);
+ if (fd < 0)
+ return fd;
+ len = read(fd, buf, sizeof(uint32_t));
+ if (len < 0) {
+ close(fd);
+ return -1;
+ }
+ ocotp_hwid[i] = ntohl(*(uint32_t *) buf);
+ close(fd);
+ continue;
+ }
+
+ sprintf(dt_prop, "/proc/device-tree/digi,hwid_%d", i);
+ if (access(dt_prop, F_OK) != -1) {
+ fd = open(dt_prop, O_RDONLY);
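Review bot: The choice between 'digi,hwid_fuse_%d' and 'digi,hwid_%d' is made per word inside the for loop, so if one 'digi,hwid_fuse_n' entry exists and another does not, ocotp_hwid[] mixes fused words with 'digi,hwid_n' words that, per the commit message, may hold the overridden HWID; the key modifier would then no longer be derived purely from the fuse HWID. Select the property family once before the loop (for example by probing 'digi,hwid_fuse_0') and return an error if any word of the selected family is missing. In the same block, `if (len < 0)` accepts a short read, which leaves part of buf uninitialized before `ntohl(*(uint32_t *) buf)`; compare len against sizeof(uint32_t) instead. The access() call before open() is redundant, since open() already reports a missing file, and snprintf(dt_prop, sizeof(dt_prop), ...) would keep the path bounded by the buffer that this change had to enlarge from 32 to 40 bytes.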