OpenBIOS October 2007

openbios@openbios.org

11 participants
63 discussions

by svn＠openbios.org

Author: wmb Date: 2007-10-05 20:36:19 +0200 (Fri, 05 Oct 2007) New Revision: 667 Modified: dev/olpc/cafenand/ecc.fth Log: OLPC NAND driver - fixed ECC correction bug. Modified: dev/olpc/cafenand/ecc.fth =================================================================== --- dev/olpc/cafenand/ecc.fth 2007-10-04 08:19:30 UTC (rev 666) +++ dev/olpc/cafenand/ecc.fth 2007-10-05 18:36:19 UTC (rev 667) @@ -95,7 +95,7 @@ \ Find the degree of a polynomial. The degree of the 0 polynomial is 0. : poly-deg ( poly -- ) 0 9 1 do ( 'poly degree ) - over i wa+ @ if drop i then ( 'poly degree' ) + over i wa+ w@ if drop i then ( 'poly degree' ) loop ( 'poly degree ) nip ( degree ) ;

12 years, 10 months

r666 - cpu/x86/pc/olpc

by svn＠openbios.org

Author: wmb Date: 2007-10-04 10:19:30 +0200 (Thu, 04 Oct 2007) New Revision: 666 Added: cpu/x86/pc/olpc/fsupdate.fth Modified: cpu/x86/pc/olpc/copynand.fth cpu/x86/pc/olpc/crypto.bth cpu/x86/pc/olpc/crypto.fth cpu/x86/pc/olpc/fw.bth cpu/x86/pc/olpc/loaddropins.fth cpu/x86/pc/olpc/security.fth cpu/x86/pc/olpc/versions.fth Log: OLPC - Secure NAND file system update. Modified: cpu/x86/pc/olpc/copynand.fth =================================================================== --- cpu/x86/pc/olpc/copynand.fth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/copynand.fth 2007-10-04 08:19:30 UTC (rev 666) @@ -198,6 +198,8 @@ defer show-done ' cr to show-done +: >eblock# ( page# -- eblock# ) nand-pages/block / ; + : copy-nand ( "devspec" -- ) open-nand get-img-filename @@ -206,7 +208,7 @@ ['] noop to show-progress - #nand-pages nand-pages/block / dup show-init ( #eblocks ) + #nand-pages >eblock# dup show-init ( #eblocks ) show-erasing ( ) ['] show-bad ['] show-erased ['] show-bbt-block " (wipe)" $call-nand @@ -219,7 +221,7 @@ load-base " copy-block" $call-nand ( page# error? ) " Error writing to NAND FLASH" ?nand-abort ( page# ) ?skip-oob - nand-pages/block / show-written ( ) + >eblock# show-written ( ) loop show-cleaning @@ -319,7 +321,7 @@ ; : alloc-crc-buf ( -- ) - #nand-pages nand-pages/block / to #crc-records + #nand-pages >eblock# to #crc-records #crc-records /l* alloc-mem to crc-buf ; @@ -370,7 +372,7 @@ \ The stack is empty at the end of each line unless otherwise noted dump-oob? if #nand-pages else " usable-page-limit" $call-nand then 0 do - (cr i nand-pages/block / . + (cr i >eblock# . load-base i nand-pages/block " read-blocks" $call-nand nand-pages/block = if load-base /nand-block written? if Modified: cpu/x86/pc/olpc/crypto.bth =================================================================== --- cpu/x86/pc/olpc/crypto.bth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/crypto.bth 2007-10-04 08:19:30 UTC (rev 666) @@ -6,9 +6,9 @@ fload ${BP}/cpu/x86/pc/olpc/versions.fth " wget http://dev.laptop.org/pub/firmware/crypto/bios_verify-${CRYPTO_VERSION}.img -O verify.img" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/bios_hash-${CRYPTO_VERSION}.img -O hasher.img" expand$ $sh " wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O os.public" expand$ $sh " wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O fw.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fs.public -O fs.public" expand$ $sh " wget http://dev.laptop.org/pub/firmware/crypto/testkeys/lease.public -O lease.public" expand$ $sh " wget http://dev.laptop.org/pub/firmware/crypto/testkeys/developer.public -O developer.public" expand$ $sh Modified: cpu/x86/pc/olpc/crypto.fth =================================================================== --- cpu/x86/pc/olpc/crypto.fth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/crypto.fth 2007-10-04 08:19:30 UTC (rev 666) @@ -5,29 +5,6 @@ h# d0000 constant verify-bss \ The address the code is linked to run at h# 10000 constant /verify-bss -1 [if] -h# 70000 constant hasher-base \ The address the code is linked to run at -h# 80000 constant hasher-bss -h# 18000 constant /hasher-bss -variable hashlen -d# 128 buffer: hashbuf - -: get-hasher ( -- ) - " hasher" find-drop-in 0= if 4drop true exit then ( prog$ ) - 2dup hasher-base swap move free-mem ( hashname$ ) -; - -: hash ( data$ hashname$ -- result$ ) - d# 128 hashlen ! - $cstr hashbuf hashlen ( databuf datalen hashname-cstr resbuf &reslen ) - - hasher-bss /hasher-bss erase - - hasher-base dup h# 10 - sp-call abort" Hash failed" drop 4drop ( ) - hashbuf hashlen @ -; -[then] - 0 value crypto-loaded? : load-crypto ( -- error? ) crypto-loaded? if false exit then @@ -43,14 +20,23 @@ $cstr verify-bss /verify-bss erase ( data$ sig$ key$ 'hashname ) verify-base dup h# 10 - sp-call >r 3drop 4drop r> ( result ) - -\ XXX free-mem in suspend.fth and fw.bth after find-drop-in -\ XXX clean out dead code in usb.fth ; -: getbin " usb8388.bin" find-drop-in 0= abort" No usb8388.bin" ; -: getsig " usb8388.sig" find-drop-in 0= abort" No usb8388.sig" ; +\ This is a hack that saves a lot of memory. The crypto verifier +\ code has a mode where it will just compute and return the hash value, +\ instead of going on to verify the hash's signature. In that mode, +\ we use sig$ for the address and length of the result buffer, key-adr +\ to return the actual return length, and pass in key-len = 0 to denote +\ that we want only hashing. +variable hashlen +d# 128 buffer: hashbuf +: hash ( data$ hashname$ -- result$ ) + 2>r hashbuf d# 128 hashlen 0 2r> ( data$ sig$ key$ hashname$ ) + signature-bad? abort" Hash failed" ( ) + hashbuf hashlen @ +; + \ LICENSE_BEGIN \ Copyright (c) 2007 FirmWorks \ Added: cpu/x86/pc/olpc/fsupdate.fth =================================================================== --- cpu/x86/pc/olpc/fsupdate.fth (rev 0) +++ cpu/x86/pc/olpc/fsupdate.fth 2007-10-04 08:19:30 UTC (rev 666) @@ -0,0 +1,125 @@ +purpose: Secure NAND updater + +\ Depends on words from security.fth and copynand.fth + +: get-hex# ( -- n ) + safe-parse-word + push-hex + $number " Bad number" ?nand-abort + pop-base +; + +\ XXX implement this +: map-eblock# ( block# -- block#' ) ; + + +vocabulary nand-commands +also nand-commands definitions + +: data: ( "filename" -- ) + safe-parse-word fn-buf place + bundle-name$ image-name-buf place + open-img +; + +: erase-all ( -- ) + #nand-pages >eblock# show-erasing + ['] show-bad ['] show-erased ['] show-bbt-block " (wipe)" $call-nand + #image-eblocks show-writing +; + +: eblock: ( "eblock#" "hashname" "hash-of-128KiB" -- ) + get-hex# ( eblock# ) + read-image-block + load-base /nand-block safe-parse-word ( eblock# data$ hashname$ ) + hash ( eblock# result$ ) + safe-parse-word hex-decode " Malformed hash string" ?nand-abort + $= if ( eblock# ) + drop + else ( eblock# ) + ." Bad hash for eblock# " .x cr + abort + then ( ) + + load-base " copy-block" $call-nand ( page# error? ) + " Error writing to NAND FLASH" ?nand-abort ( page# ) + >eblock# show-written ( ) +; + +: bytes: ( "eblock#" "page#" "offset" "length" "data" -- ) + get-hex# get-hex# 2>r ( r: eblock# page# ) + get-hex# get-hex# ( offset length r: eblock# page# ) + 2dup + h# 840 >= abort" Offset + length exceeds page + OOB size" + safe-parse-word hex-decode ( offset length data$ ) + rot over <> abort" Length mismatch" ( offset data$ ) + r> r> map-eblock# nand-pages/block * + ( offset data$ page#') + -rot 2swap swap ( data$ page# offset ) + " pio-write-raw" $call-nand abort" NAND write error" +; + +: cleanmarkers ( -- ) + show-cleaning + ['] show-clean " put-cleanmarkers" $call-nand +; + +: mark-pending: ( "eblock#" -- ) + get-hex# map-eblock# nand-pages/block * ( page# ) + " COMP" rot h# 838 + " pio-write-raw" $call-nand abort" NAND write error" +; + +: mark-complete: ( "eblock#" -- ) + get-hex# map-eblock# nand-pages/block * + " LETE" rot h# 83c + " pio-write-raw" $call-nand abort" NAND write error" +; + +previous definitions + +: do-fs-update ( img$ -- ) + tuck load-base h# 100000 + swap move ( len ) + load-base h# 100000 + swap + open-nand + ['] noop to show-progress + #nand-pages >eblock# show-init + +\ clear-context nand-commands +also nand-commands + + ['] include-buffer catch if nip nip .error security-failure then + +previous +\ only forth also definitions + + show-done + close-nand-ihs +; + +: fs-update-from-list ( devlist$ -- ) + load-crypto if visible ." Crytpo load failed" cr show-sad security-failure then + + visible ( devlist$ ) + begin dup while ( rem$ ) + bl left-parse-string ( rem$ dev$ ) + dn-buf place ( rem$ ) + + null$ pn-buf place ( rem$ ) + null$ cn-buf place ( rem$ ) + " fs" bundle-present? if ( rem$ ) + " Filesystem image found - " ?lease-debug + fskey$ to pubkey$ ( rem$ ) + img$ sig$ sha-valid? if ( rem$ ) + 2drop ( ) + show-unlock ( ) + img$ do-fs-update ( ) + exit + then ( rem$ ) + show-lock ( rem$ ) + then ( rem$ ) + repeat ( rem$ ) + 2drop +; +: try-fs-update ( -- ) + ." Searching for a NAND file system update image." cr + all-devices$ fs-update-from-list +; Modified: cpu/x86/pc/olpc/fw.bth =================================================================== --- cpu/x86/pc/olpc/fw.bth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/fw.bth 2007-10-04 08:19:30 UTC (rev 666) @@ -334,6 +334,7 @@ fload ${BP}/cpu/x86/pc/olpc/gamekeys.fth fload ${BP}/cpu/x86/pc/olpc/linux.fth fload ${BP}/cpu/x86/pc/olpc/security.fth +fload ${BP}/cpu/x86/pc/olpc/fsupdate.fth fload ${BP}/cpu/x86/pc/olpc/setwp.fth fload ${BP}/ofw/gui/ofpong.fth fload ${BP}/cpu/x86/pc/olpc/life.fth @@ -496,6 +497,12 @@ time&date 5drop 1 and if pong else life-demo then then ; +: ?fs-update ( -- ) + button-check button-x or button-o or button-square or ( mask ) + game-key-mask over and = if + try-fs-update + then +; : open-keyboard ( -- ) " keyboard" open-dev ?dup if set-stdin then ; @@ -521,6 +528,7 @@ ['] false to interrupt-auto-boot? probe-usb interpreter-init + ?fs-update secure-startup ['] (interrupt-auto-boot?) to interrupt-auto-boot? screen-ih stdout ! Modified: cpu/x86/pc/olpc/loaddropins.fth =================================================================== --- cpu/x86/pc/olpc/loaddropins.fth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/loaddropins.fth 2007-10-04 08:19:30 UTC (rev 666) @@ -55,6 +55,7 @@ " verify.img" " verify" $add-deflated-dropin " os.public" " ospubkey" $add-dropin \ Incompressible " fw.public" " fwpubkey" $add-dropin \ Incompressible + " fs.public" " fspubkey" $add-dropin \ Incompressible " lease.public" " leasepubkey" $add-dropin \ Incompressible " developer.public" " develpubkey" $add-dropin \ Incompressible Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/security.fth 2007-10-04 08:19:30 UTC (rev 666) @@ -3,8 +3,6 @@ \ Specs at http://wiki.laptop.org/go/Firmware_Security -: boot-device-list " disk sd nand" ; - true value debug-security? : ?lease-debug ( msg$ -- ) debug-security? if type else 2drop then @@ -53,6 +51,7 @@ then rot >r 2dup r> 2! ( key$ ) ; +" fspubkey" key: fskey$ " ospubkey" key: oskey$ " fwpubkey" key: fwkey$ " develpubkey" key: develkey$ @@ -73,10 +72,6 @@ \ binary form at sig-buf. It returns the adr,len of the binary string. : hex-decode ( hex$ -- true | sig$ false ) - dup /sig 2* <> if - ( ." Bad signature length" cr ) - 2drop true exit - then ( hex$ ) sig-buf -rot ( adr hex$ ) bounds ?do ( adr ) i 2 push-hex $number pop-base if ( adr ) @@ -97,6 +92,8 @@ bl left-parse-string dup d# 6 <> if 4drop true exit then 2swap ( hash$ rem$ ) bl left-parse-string nip d# 64 <> if 4drop true exit then ( hash$ rem$ ) newline left-parse-string 2swap nip 0<> if 4drop true exit then ( hash$ data$ ) + dup /sig 2* <> if ( ." Bad signature length" cr ) 2drop true exit then ( hash$ data$ ) + hex-decode if 2drop true else false then ; @@ -141,8 +138,6 @@ \ hashname remembers the most recently used hashname to guard against \ attacks based on reuse of the same (presumably compromized) hash. -d# 32 buffer: hashname - \ invalid? checks the validity of data$ against the ASCII signature \ record sig01$, using the public key that pubkey$ points to. \ It also verifies that the hashname contained in sig01$ is the @@ -344,7 +339,6 @@ \ a tree-state flag; see check-lease.) : check-machine-signature ( sig$ expiration$ -- -1|1 ) - 0 hashname c! machine-id-buf d# 51 + swap move ( sig$ ) machine-id-buf d# 67 2swap sha-valid? if 1 else -1 then ; @@ -510,7 +504,6 @@ r> to load-path " RD found - " ?lease-debug - 0 hashname c! img$ sig$ sha-valid? if show-unlock load-base to ramdisk-adr @@ -606,7 +599,6 @@ else " minus" show-icon " new - " ?lease-debug - 0 hashname c! fwkey$ to pubkey$ img$ sig$ fw-valid? if visible @@ -617,6 +609,12 @@ true to file-loaded? " Updating firmware" ?lease-debug-cr + ['] ?enough-power catch ?dup if + visible + .error + security-failure + then + \ Latch alternate? flag for next startup alternate? if [char] A h# 82 cmos! then @@ -636,7 +634,6 @@ d# 16 0 +icon-xy show-dot " os" bundle-present? if " OS found - " ?lease-debug - 0 hashname c! oskey$ to pubkey$ img$ sig$ sha-valid? if img$ tuck load-base swap move !load-size @@ -667,17 +664,18 @@ icon-xy to base-xy icon-xy image-width 0 d+ to next-xy ( list$ ) - filesystem-present? if + filesystem-present? if ( list$ ) - d# 5 d# 77 +icon-xy show-dot - has-developer-key? if + d# 5 d# 77 +icon-xy show-dot ( list$ ) + has-developer-key? if ( list$ ) + 2drop ( ) visible show-unlock true exit - then + then ( list$ ) - load-from-device if - 2drop + load-from-device if ( list$ ) + 2drop ( ) ['] secure-load-ramdisk to load-ramdisk " init-program" $find if execute show-going go @@ -685,12 +683,12 @@ show-x security-failure then - then + then ( list$ ) - next-xy to icon-xy + next-xy to icon-xy ( list$ ) repeat ( list$ ) - " sad" show-icon - 2drop false + " sad" show-icon ( list$ ) + 2drop false ( ) ; : persistent-devkey? ( -- flag ) " dk" find-tag dup if nip nip then ; Modified: cpu/x86/pc/olpc/versions.fth =================================================================== --- cpu/x86/pc/olpc/versions.fth 2007-10-02 07:52:21 UTC (rev 665) +++ cpu/x86/pc/olpc/versions.fth 2007-10-04 08:19:30 UTC (rev 666) @@ -2,7 +2,7 @@ \ The overall firmware revision macro: FW_MAJOR C -macro: FW_MINOR 28 +macro: FW_MINOR 28b \ The EC microcode macro: EC_VERSION c24 @@ -16,4 +16,4 @@ macro: WLAN_VERSION 5.110.16.p1 \ The bios_verify image -macro: CRYPTO_VERSION 0.1 +macro: CRYPTO_VERSION 0.2

12 years, 10 months

r665 - cpu/x86/pc/olpc

by svn＠openbios.org

Author: wmb Date: 2007-10-02 09:52:21 +0200 (Tue, 02 Oct 2007) New Revision: 665 Modified: cpu/x86/pc/olpc/security.fth Log: q2c28 late addition 4 - This is getting tedious. Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-10-02 07:26:52 UTC (rev 664) +++ cpu/x86/pc/olpc/security.fth 2007-10-02 07:52:21 UTC (rev 665) @@ -442,19 +442,17 @@ : text-on screen-ih stdout ! ; +: visible dcon-unfreeze text-on ; + : ?unfreeze ( -- ) - game-key@ button-check and if - dcon-unfreeze text-on - unfreeze - then + game-key@ button-check and if visible unfreeze then ; : security-failure ( -- ) + visible ." Security failure" cr - get-msecs d# 10000 + begin ( limit ) - ?unfreeze - dup get-msecs - - 0< until drop + + d# 10000 ms power-off ; @@ -583,13 +581,13 @@ base @ >r d# 36 base ! fw#buf 5 $number if show-x - ." Invalid firmware version number" security-failure + visible ." Invalid firmware version number" security-failure then pop-base ; : firmware-up-to-date? ( img$ -- ) - /flash <> if show-x ." Invalid Firmware image" security-failure then ( adr ) + /flash <> if show-x visible ." Invalid Firmware image" security-failure then ( adr ) (fw-version) ( file-version# ) rom-pa (fw-version) ( file-version# rom-version# ) u<= @@ -611,7 +609,7 @@ 0 hashname c! fwkey$ to pubkey$ img$ sig$ fw-valid? if - dcon-unfreeze text-on + visible img$ tuck flash-buf swap move ( len ) @@ -624,6 +622,7 @@ reflash \ Should power-off and reboot show-x + visible ." Reflash returned, unexpectedly" cr security-failure then @@ -672,7 +671,7 @@ d# 5 d# 77 +icon-xy show-dot has-developer-key? if - dcon-unfreeze text-on + visible show-unlock true exit then @@ -712,24 +711,24 @@ ?toggle-secure - secure? 0= if dcon-unfreeze unfreeze text-on exit then + secure? 0= if unfreeze visible exit then button-check game-key? if - dcon-unfreeze unfreeze text-on + unfreeze visible else freeze dcon-freeze then persistent-devkey? if exit then - get-my-sn if ." No serial number" cr show-sad security-failure then - get-date if ." Invalid system date" cr show-sad security-failure then + get-my-sn if visible ." No serial number" cr show-sad security-failure then + get-date if visible ." Invalid system date" cr show-sad security-failure then - load-crypto if show-sad security-failure then ( ) + load-crypto if visible ." Crytpo load failed" cr show-sad security-failure then ( ) alternate? if " \boot-alt" else " \boot" then pn-buf place all-devices$ load-from-list if exit then \ Returns only if no images found - ." Boot failed" cr show-sad security-failure + visible ." Boot failed" cr show-sad security-failure ;

12 years, 10 months

r664 - cpu/x86/pc/olpc

by svn＠openbios.org

Author: wmb Date: 2007-10-02 09:26:52 +0200 (Tue, 02 Oct 2007) New Revision: 664 Modified: cpu/x86/pc/olpc/security.fth Log: q2c28 late addition 3 - This time for sure! Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-10-02 07:20:53 UTC (rev 663) +++ cpu/x86/pc/olpc/security.fth 2007-10-02 07:26:52 UTC (rev 664) @@ -712,10 +712,10 @@ ?toggle-secure - secure? 0= if unfreeze text-on exit then + secure? 0= if dcon-unfreeze unfreeze text-on exit then button-check game-key? if - unfreeze text-on + dcon-unfreeze unfreeze text-on else freeze dcon-freeze then

12 years, 10 months

r663 - cpu/x86/pc/olpc

by svn＠openbios.org

Author: wmb Date: 2007-10-02 09:20:53 +0200 (Tue, 02 Oct 2007) New Revision: 663 Modified: cpu/x86/pc/olpc/security.fth Log: q2c28 late addition 2 - fixed a problem with the sense of the x button when security isn't enabled via wp. Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-10-02 06:40:25 UTC (rev 662) +++ cpu/x86/pc/olpc/security.fth 2007-10-02 07:20:53 UTC (rev 663) @@ -710,16 +710,16 @@ button-rotate game-key? if show-warnings then show-child - button-check button-x or game-key? if + ?toggle-secure + + secure? 0= if unfreeze text-on exit then + + button-check game-key? if unfreeze text-on else freeze dcon-freeze then - ?toggle-secure - - secure? 0= if exit then - persistent-devkey? if exit then get-my-sn if ." No serial number" cr show-sad security-failure then

12 years, 10 months

r662 - cpu/x86/pc/olpc dev/olpc/kb3700

by svn＠openbios.org

Author: wmb Date: 2007-10-02 08:40:25 +0200 (Tue, 02 Oct 2007) New Revision: 662 Modified: cpu/x86/pc/olpc/boardrev.fth cpu/x86/pc/olpc/devices.fth cpu/x86/pc/olpc/fw.bth cpu/x86/pc/olpc/security.fth dev/olpc/kb3700/ecio.fth Log: q2c28 late additions - made fw autoupdate work, and various other usability improvements. Modified: cpu/x86/pc/olpc/boardrev.fth =================================================================== --- cpu/x86/pc/olpc/boardrev.fth 2007-10-02 04:56:15 UTC (rev 661) +++ cpu/x86/pc/olpc/boardrev.fth 2007-10-02 06:40:25 UTC (rev 662) @@ -24,7 +24,8 @@ h# a18 else lx? if - board-id@ case + ['] board-id@ catch if 0 then case + 0 of 0 endof \ EC broken h# b2 of h# b30 endof \ preB3 ( board-id ) dup h# 10 * 8 + swap \ E.g. b3 -> b38 endcase Modified: cpu/x86/pc/olpc/devices.fth =================================================================== --- cpu/x86/pc/olpc/devices.fth 2007-10-02 04:56:15 UTC (rev 661) +++ cpu/x86/pc/olpc/devices.fth 2007-10-02 06:40:25 UTC (rev 662) @@ -247,7 +247,8 @@ fload ${BP}/cpu/x86/pc/olpc/boardrev.fth \ Board revision decoding stand-init: Date to EC - time&date d# 2000 - ec-date! 3drop + time&date d# 2000 - ['] ec-date! catch if 3drop then + 3drop ; stand-init: Wireless reset Modified: cpu/x86/pc/olpc/fw.bth =================================================================== --- cpu/x86/pc/olpc/fw.bth 2007-10-02 04:56:15 UTC (rev 661) +++ cpu/x86/pc/olpc/fw.bth 2007-10-02 06:40:25 UTC (rev 662) @@ -506,6 +506,12 @@ no-page console-start + + board-revision 0= if + ." EC problem - remove all power and restart" cr + begin again + then + read-game-keys stdout off \ probe-pci Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-10-02 04:56:15 UTC (rev 661) +++ cpu/x86/pc/olpc/security.fth 2007-10-02 06:40:25 UTC (rev 662) @@ -143,35 +143,40 @@ d# 32 buffer: hashname -\ valid? checks the validity of data$ against the ASCII signature +\ invalid? checks the validity of data$ against the ASCII signature \ record sig01$, using the public key that pubkey$ points to. -\ It also verifies that the hashname contained in sig01$ is not -\ the same one that was last used (for verification of firmware -\ images against two different hashes). +\ It also verifies that the hashname contained in sig01$ is the +\ expected one. -: valid? ( data$ sig01$ -- okay? ) +: invalid? ( data$ sig01$ exp-hashname$ -- error? ) + 2>r parse-sig if ." Bad signature format in " bundle-name$ type cr - false exit - then ( data$ hashname$ sig$ ) + 2r> 2drop true exit + then ( data$ hashname$ sig$ r: exp$ ) - 2swap d# 31 min ( data$ sig$ hashname$' ) - \ Check for duplicate hashname attacks - 2dup hashname count $= if ( data$ sig$ hashname$ ) - ." Duplicate hash name in " bundle-name$ type cr - 4drop false exit + 2swap 2dup 2r> $= 0= if ( data$ sig$ hashname$ ) + ." Wrong hash name in " bundle-name$ type cr + 4drop 2drop true exit then ( data$ sig$ hashname$ ) - hashname place ( data$ sig$ ) - - pubkey$ hashname count signature-bad? 0= ( okay? ) + pubkey$ 2swap signature-bad? ( error? ) dup if - " Signature valid" ?lease-debug-cr + " Signature invalid" ?lease-debug-cr else - " Signature invalid" ?lease-debug-cr + " Signature valid" ?lease-debug-cr then ; +: sha-valid? ( data$ sig01$ -- okay? ) " sha256" invalid? 0= ; +: fw-valid? ( data$ 2*sig$ -- okay? ) + 2swap 2>r ( 2*sig$ r: data$ ) + newline left-parse-string ( rmd-sig$ sha-sig$ r: data$ ) + 2r@ 2swap sha-valid? 0= if ( rmd-sig$ r: data$ ) + 2r> 4drop false exit + then ( rmd-sig$ r: data$ ) + 2r> 2swap " rmd160" invalid? 0= +; \ earliest is the earliest acceptable date value (in seconds). \ It is the date that the first test version of this code was @@ -341,7 +346,7 @@ : check-machine-signature ( sig$ expiration$ -- -1|1 ) 0 hashname c! machine-id-buf d# 51 + swap move ( sig$ ) - machine-id-buf d# 67 2swap valid? if 1 else -1 then + machine-id-buf d# 67 2swap sha-valid? if 1 else -1 then ; : set-disposition ( adr -- ) c@ machine-id-buf d# 49 + c! ; @@ -422,48 +427,6 @@ cn-buf place ; -\ olpc-load-image is factor that is close the top level of the -\ secure boot process. Given a directory prefix (e.g. "\boot") -\ and a space-delimited list of device names, it searches -\ each device in that list for an OS bundle in that directory. -\ The name of the OS bundle file is either "actos.zip" or -\ "runos.zip" according to whether or not a valid lease for -\ this machine is present on the same device. - -: olpc-load-image ( list$ -- okay? ) - begin dup while ( list$ ) - bl left-parse-string ( list$ devname$ ) - dn-buf place ( list$' ) - ?leased ( list$ ) - " os" bundle-present? if ( list$ ) - " OS found - " ?lease-debug - 0 hashname c! - oskey$ to pubkey$ - img$ sig$ valid? if - img$ tuck load-base swap move !load-size - 2drop true exit - then - then ( list$ ) - repeat ( list$ ) - 2drop false -; - -\ secure-load is the top level of the secure OS loading process. -\ It searches for lease files and signed OS image bundles on several -\ different devices. If an OS bundle is not found, it then searches -\ the NAND FLASH for an alternate OS image. - -: secure-load ( -- okay? ) - load-crypto if false exit then - - get-my-sn if false exit then - get-date if false exit then - - " \boot" pn-buf place boot-device-list olpc-load-image if true exit then - " \boot-alt" pn-buf place " nand" olpc-load-image if true exit then - false -; - 0 value alternate? : set-alternate ( -- ) button-o game-key? if true to alternate? exit then @@ -481,9 +444,8 @@ : ?unfreeze ( -- ) game-key@ button-check and if - dcon-unfreeze + dcon-unfreeze text-on unfreeze - text-on then ; @@ -496,17 +458,13 @@ power-off ; +: +icon-xy ( delta-x,y -- ) icon-xy d+ to icon-xy ; + : show-going ( -- ) h# c0 h# c0 h# c0 rgb>565 progress-xy d# 500 d# 100 " fill-rectangle" $call-screen d# 585 d# 613 to icon-xy " bigdot" show-icon dcon-unfreeze ; - -: show-check ( -- ) - icon-xy base-xy to icon-xy " check" show-icon to icon-xy -; -: +icon-xy ( delta-x,y -- ) icon-xy d+ to icon-xy ; - : show-dot ( -- ) alternate? if " yellowdot" else " lightdot" then show-icon ; @@ -555,7 +513,7 @@ " RD found - " ?lease-debug 0 hashname c! - img$ sig$ valid? if + img$ sig$ sha-valid? if show-unlock load-base to ramdisk-adr img$ dup to /ramdisk ( adr len ) @@ -569,30 +527,12 @@ r> to load-path ; -\ secure-boot performs the secure boot process - -: secure-boot ( -- ) - debug-security? if screen-ih stdout ! then - ['] secure-load-ramdisk to load-ramdisk - secure-load 0= if fail-load then - loaded sync-cache " init-program" $find if execute else 2drop then - go -; - false value secure? stand-init: wp " wp" find-tag if 2drop true to secure? then ; -\ do-secure-boot performs either the secure boot algorithm or the -\ historical boot algorithm depending on the presence of a "wp" -\ manufacturing data tag. - -: do-secure-boot ( -- ) secure? if secure-boot else boot then ; -\ " do-secure-boot" ' boot-command set-config-string-default - - \ check-devel-key tests the developer signature string "dev01$". \ -1 means the signature is for this machine and is invalid @@ -634,16 +574,6 @@ r> close-file drop false ; -\ developer? searches a list of devices (given by "developer-device-list") -\ for a valid developer key - -: checked-load-started ( -- ) - not-screen? if exit then - show-check -; -\ ' checked-load-started to load-started -\ noop to load-started - : ?toggle-secure ( -- ) button-x game-key? if secure? 0= to secure? then ; 6 buffer: fw#buf @@ -680,11 +610,14 @@ " new - " ?lease-debug 0 hashname c! fwkey$ to pubkey$ - img$ sig$ valid? if + img$ sig$ fw-valid? if + dcon-unfreeze text-on + img$ tuck flash-buf swap move ( len ) + ?image-valid ( ) true to file-loaded? - " Updating firmware" ?lease-debug + " Updating firmware" ?lease-debug-cr \ Latch alternate? flag for next startup alternate? if [char] A h# 82 cmos! then @@ -706,7 +639,7 @@ " OS found - " ?lease-debug 0 hashname c! oskey$ to pubkey$ - img$ sig$ valid? if + img$ sig$ sha-valid? if img$ tuck load-base swap move !load-size show-unlock true exit @@ -739,6 +672,7 @@ d# 5 d# 77 +icon-xy show-dot has-developer-key? if + dcon-unfreeze text-on show-unlock true exit then Modified: dev/olpc/kb3700/ecio.fth =================================================================== --- dev/olpc/kb3700/ecio.fth 2007-10-02 04:56:15 UTC (rev 661) +++ dev/olpc/kb3700/ecio.fth 2007-10-02 06:40:25 UTC (rev 662) @@ -253,6 +253,7 @@ : io-spi-reprogrammed ( -- ) ." Restarting..." d# 2000 ms cr kbc-on + begin again \ ." Keyboard back on" cr ; @@ -266,6 +267,7 @@ 7 to spi-us \ Measured time for "1 fea9 ec!" is 7.9 uS ignore-power-button \ Guard against the user panicing + disable-interrupts \ Don't poll the EC kbc-off ; : use-local-ec ( -- ) ['] io-spi-start to spi-start ;

12 years, 10 months

r661 - cpu/x86/pc/olpc

by svn＠openbios.org

Author: wmb Date: 2007-10-02 06:56:15 +0200 (Tue, 02 Oct 2007) New Revision: 661 Modified: cpu/x86/pc/olpc/versions.fth Log: q2c28 Modified: cpu/x86/pc/olpc/versions.fth =================================================================== --- cpu/x86/pc/olpc/versions.fth 2007-10-02 04:56:02 UTC (rev 660) +++ cpu/x86/pc/olpc/versions.fth 2007-10-02 04:56:15 UTC (rev 661) @@ -2,14 +2,14 @@ \ The overall firmware revision macro: FW_MAJOR C -macro: FW_MINOR 27 +macro: FW_MINOR 28 \ The EC microcode macro: EC_VERSION c24 \ Alternate command for getting EC microcode, for testing new versions. \ Temporarily uncomment the line and modify the path as necessary -\ macro: GET_EC cp ./ec_wlan_debug.bin ec.img +macro: GET_EC cp ./shiny5.bin ec.img \ The wireless LAN module firmware macro: WLAN_RPM ${WLAN_VERSION}-1.olpc1

12 years, 10 months

r660 - cpu/x86/pc/olpc

by svn＠openbios.org

Author: wmb Date: 2007-10-02 06:56:02 +0200 (Tue, 02 Oct 2007) New Revision: 660 Modified: cpu/x86/pc/olpc/security.fth Log: OLPC pretty boot - enable text for x button and after-the-fact check button. Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-10-02 04:39:49 UTC (rev 659) +++ cpu/x86/pc/olpc/security.fth 2007-10-02 04:56:02 UTC (rev 660) @@ -477,10 +477,13 @@ 0 0 2value base-xy d# 410 d# 540 2constant progress-xy +: text-on screen-ih stdout ! ; + : ?unfreeze ( -- ) game-key@ button-check and if dcon-unfreeze unfreeze + text-on then ; @@ -757,7 +760,6 @@ 2drop false ; -: text-on screen-ih stdout ! ; : persistent-devkey? ( -- flag ) " dk" find-tag dup if nip nip then ; : all-devices$ ( -- list$ ) " disk sd fastnand nand" ; @@ -774,7 +776,7 @@ button-rotate game-key? if show-warnings then show-child - button-check game-key? if + button-check button-x or game-key? if unfreeze text-on else freeze dcon-freeze

12 years, 10 months

Successor to IEEE 1275 (Was:FCode Limit (Was:Dictionary size limit per device instance))

by Loye Young

Why doesn't this group specify on its own a new standard to replace IEEE 1275? It should, IMHO. What's wrong with attempting an IEEE standard? IEEE is chock full of people from the "big guys" (Intel, the proprietary BIOS/EFI/UEFI vendors, etc.), each of whom have a different dog in the race, so it would essentially go nowhere. Phoenix wants its own proprietary BIOS thing as long as possible. Intel wants EFI or UEFI, but doesn't want it to be an open standard. (I know they have the tiano.org project and trumpted loudly the coming open EFI standard, but I've actually talked to the engineers and executives over at Intel; they have contractually committed NOT to open the bootloader in order to protect the proprietary vendors. EFI is in fact simply an obfuscation layer to protect the code. The UEFI group is dead in the water. No movement for a long time. None expected. AMD has opened its hardware and plans to do more within the next few months. Chinese ODMs would be happy to apply the standards if one could be developed. OEMs like me need some better guidance on engineering the machine. This group is a relatively vendor-neutral forum. Should we just go it alone? No. We invite developers who actually will work on the code, (from this list, LinuxBIOS, Codegen, playground.sun.com/1275, etc.), component manufacturers who actually open their hardware (not just give press releases and make speeches), and ODMs/OEMs who will actually ship OpenBIOS. Examples of manufacturers who are actually opening their hardware are AMD, Solaris, and to some extent Apple. Who else would be interested? The open source community has been increasingly vocal about its desire for more open boot loaders. See, e.g., http://www.fsf.org/campaigns/free-bios.html What good would a standard to if no recognized standard organization adopted it? Standards organizations are only as good as the standards they promulgate. Given the current mess in the bool loader world, a detailed published standard would carry its own weight because engineers like having specifications already written down. Essentially, the manufacturers are likely to say "Some published reference is better than none." Happy Trails, Loye Young Isaac & Young Computer Company Laredo, Texas http://www.iycc.biz

12 years, 10 months

r659 - cpu/x86/pc/olpc dev/geode/display

by svn＠openbios.org

Author: wmb Date: 2007-10-02 06:39:49 +0200 (Tue, 02 Oct 2007) New Revision: 659 Modified: cpu/x86/pc/olpc/crypto.fth cpu/x86/pc/olpc/gui.fth dev/geode/display/gxfb.fth Log: OLPC pretty boot - Fixed memory allocation problem with large image. Modified: cpu/x86/pc/olpc/crypto.fth =================================================================== --- cpu/x86/pc/olpc/crypto.fth 2007-10-02 04:35:36 UTC (rev 658) +++ cpu/x86/pc/olpc/crypto.fth 2007-10-02 04:39:49 UTC (rev 659) @@ -48,71 +48,9 @@ \ XXX clean out dead code in usb.fth ; -1 [if] - -\ Check that the version is an upgrade? - -: >rom-name$ ( device$ -- path$ ) - image-name-buf place ( ) - " :\boot\olpcfw.rom" image-name-buf $cat ( ) - image-name$ -; -: sig-name$ ( -- path$ ) - image-name$ + 4 - " .rom" caps-comp 0= if - " sig" image-name$ + 3 - swap move - image-name$ - else - 2drop " " - then -; -: $dev-update-flash ( device$ -- ) - >rom-name$ $get-image if exit then ( data$ ) - - sig-name$ $get-image if - ." Missing firmware update signature file: " sig-name$ type cr - free-mem exit - then ( data$ sig$ ) - - 2over 2over signature-bad? if ( data$ sig$ ) - ." Firmware update image signature mismatch: " sig-name$ type cr - free-mem free-mem exit - then ( data$ sig$ ) - - free-mem ( data$ ) - - 2dup flash-buf swap move ( data$ ) - tuck free-mem ( data-len ) - ['] ?image-valid catch if ( x ) - drop ." Firmware image failed sanity checks" cr ( ) - exit - then ( x ) - - true to file-loaded? - reflash -; -[then] - : getbin " usb8388.bin" find-drop-in 0= abort" No usb8388.bin" ; : getsig " usb8388.sig" find-drop-in 0= abort" No usb8388.sig" ; -: tc ( -- ) - getbin getsig - signature-bad? if - ." Signature was bad, expected good" cr - then - getbin over 1 swap +! - getsig - signature-bad? 0= if - ." Signature was good, expected bad (corrupt image)" cr - then - - getbin - getsig over 40 + 1 swap +! - signature-bad? 0= if - ." Signature was good, expected bad (corrupt signature)" cr - then -; - \ LICENSE_BEGIN \ Copyright (c) 2007 FirmWorks \ Modified: cpu/x86/pc/olpc/gui.fth =================================================================== --- cpu/x86/pc/olpc/gui.fth 2007-10-02 04:35:36 UTC (rev 658) +++ cpu/x86/pc/olpc/gui.fth 2007-10-02 04:39:49 UTC (rev 659) @@ -26,25 +26,26 @@ icon-xy image-width image-height ; +: image-base ( -- adr ) " graphmem" $call-screen ; + : $get-image ( filename$ -- true | adr,len false ) r/o open-file if drop true exit then >r ( r: fd ) - r@ fsize dup alloc-mem swap ( bmp-adr,len r: fd ) + + image-base r@ fsize ( bmp-adr,len r: fd ) 2dup r@ fgets over <> ( bmp-adr,len error? r: fd ) r> fclose ( bmp-adr,len ) - if free-mem true else false then ( true | bmp-adr,len false ) + if 2drop true else false then ( true | bmp-adr,len false ) ; : $show ( filename$ -- ) not-screen? if 2drop exit then 0 to image-width \ In case $show fails $get-image if exit then - 2dup prep-565 " draw-transparent-rectangle" $call-screen - free-mem + prep-565 " draw-transparent-rectangle" $call-screen ; : $show-opaque ( filename$ -- ) not-screen? if 2drop exit then $get-image if exit then - 2dup prep-565 " draw-rectangle" $call-screen - free-mem + prep-565 " draw-rectangle" $call-screen ; : advance ( -- ) icon-xy image-width 0 d+ to icon-xy Modified: dev/geode/display/gxfb.fth =================================================================== --- dev/geode/display/gxfb.fth 2007-10-02 04:35:36 UTC (rev 658) +++ dev/geode/display/gxfb.fth 2007-10-02 04:39:49 UTC (rev 659) @@ -544,6 +544,8 @@ h# 0f color@ h# ff color! \ Set color ff to white (same as 15) ; +0 instance value graphmem + : init-all ( -- ) \ Initializes the controller smb-init map-io-regs \ Enable IO registers @@ -559,6 +561,8 @@ 4 of frame-buffer-adr /fb h# ffff.ffff lfill endof endcase 7 to background-color + + frame-buffer-adr /fb + to graphmem ; : display-remove ( -- )

12 years, 10 months