Rockchip OTP Ff Ri SCR: RK-KE-YP-147 BHI: VLAO HM), 2022-03-08 SEA: ofits Of ON META ATT Si AAT, ESCUELA A] CAATIN, FD ARRPARSCMIUEE PTR. (2 SLA ‘SefREWaE. OPM. SERRE. SALE. AE HAHEI REESE OME OT WL aR APRESS SCAR Aa eA SA. BPP RATHER IWR, ASCSM REAR FE REN LF. AR AT BER. Ca) “Rockchip”, “bie. SABES A A a] ARERR, ARS AS ATTA SIP ARTR, SR ETAT. FUSLITAT © nozn AAS fet F RL AT LAS ARAM, PEKATTET AT, EMA ATSM ERD. BHAA SERS Bb, HORRRLLEIONTE Heth. iTS HE FROM RLZ Rockchip Electronics Co., Ld Sieh: is AHL LR PRIA AME: wonv.rock-chips.com PIRI Gs ¥86-4007-700-590 SPAN: +86-591-83951833 EP BIWE: fae@rock-chips.comwe RO ASLHEBESHH Rockchip OTP OEM DiI. i ih AR Be Ai Ben RK RBIS Linux 4.19 RK RBI Linux 5.10 ieeah ae ALE ORD SOTTO ELEM SARL TERT ARI wiTIGR mA fe EL , 3 a sei a 20206 Loo ig Maks r a e200 7 VO. oe festisiT ci 2022- 7 V1.0 Siig BiSecure OTP OEMEC HE 2022 ae Vi20 fe Oiag_ BARPURIOEM Cipher KeyfB 7h) A091 AK 2022. ENIHELHLOTP Life cycles], dH Protected OEM Zone Write lock v1.30 ; ols RAE viao 2022 f#kNon-Protected OEM ZonesEHF HT. #8: UserSpacel/" 18H SO 5% 03:08 OEM Cipher Key.AR Rockehip OTP FF S81 11 Ri 2. 2. Non-Secure OTP 2. OTP Layout 2d RVIIQ6/RV L109 2.2 OEM Zone 22.1 OEM Read 22.2 OEM Write 223 Demo 3. 3. Secure OTP 3.1. Protected OEM Zone 3.1 ERE 312 SAE 3.2. Non-Protected OFM Zone 321 RA 3.22 GRA 33 OEM Cipher Key 33.1 APRA 33.2 RAIA 34 OTPLife Cycle 341 EAE 342 RERE 3.43 GRAD1.1. BEA OTP NVM (One Time Programmable Non-Volatile Memory), ll Ua #ifE 2k RUE CHET. (EINRIHC. FLASH 474870 2S. OTPLAGA HALRB A ARAM (Secure OTP) ALEK (NonSecure OTP) , FUL CHlINU- Boot, UserSpace) 5] DERE 2 2 DCHUR, LL IEEL RE 22D, — ARAB BAR Eft PRAM, RAK AHH COUMIMiniloader/SPL, OP-TEE) W] LARS 2S KMOTP. RP RAE ee ML Be TrustZone TERME, ASA ‘Rockchip_Developer_Guide TEE_SDK_CNand? 3 ARM Ts¥EH. 2. 2. Non-Secure OTP 2.1 OTP Layout RK “¥ € Non-Secure OTP Layout #/#JSEAHIEL, A-BAT. 2.1.1 RV1126/RV1109 RVII26/RV1109 Non-Secure OTP 4 iil 1-1 HFA: ‘Type Range [bytes] Description. SYSTEM (0x00 ~ Ox0FF system info, read only OEM 0x10 ~ Ox1EF ‘oem zone for customized RESERVED Ox1FO~ Ox1F7 reserved wP OxIF8 ~ OxIFF ‘waite protection for oem zone -# 1-1 RVI126/RV1109 Non-Secure OTP Layout 2.2 OEM Zone RK *¥ 7 OTP fH OEM KA, FM Fe Ae AR. bea: ARPS, MAC hbk, Pant. ih LARMESCEESS API XY OFM DORR ATIESS. 247 OTP Layout AMA ASHF és OFM SEK. Hee: RVI126(f) OTP_OEM_OFFSET 9 0x100, RANGE Jy 0x100~ OxIEF, TOTAL SIZE % 240 bytes.2.2.1 OEM Read pe + Qoffset: offset from cen base * @buf: buf to store data uhich read from oem * @len: data len in bytes ” int rockchip_otp_cem_read(int offset, char *buf, int len) ‘ int fd = 0, ret = 0; £0 = open("/sys/bus/nvmen/devices/rockchip-otp0/nvmen", 0_RDONLY); it (td < 0) return -1; ret = lacek(£4, O1P_OEM OFESEY + offset, SEEK SEY); AE (ret < 0) gore outs ret ~ read(td, but, len); close (fa); 2.2.2 OEM Write 1, 4¢48 OEM Write i787 SEE AES ITS, FRYER int rockchip_otp_enable_write (void) 4 char magic{] ~ "1380926283"; int fd, ret: £0 = open("/sys/module/numen_rockchip_otp/parameters/rockchip_otp_r_magic™, (©_WRONLY) 5 if (fa <0) return “1; ret = write(fd, magic, 10); close (fd); return rety 2 MIRAE RRP AT, BURN RIO OR, UMS Ce PU Witt. pe * Qoffset: offset from oom base, MUST be 4 bytes aligned * @buf: data buf for write * @len: data len in bytes, MUST be 4 bytes aligned” Ant rockchip otp_cem write(int offset, char *buf, int len) 4 int fa = 0, ret = /* wusT be 4 bytes aligned */ if (en @ 4) fa = open("/sys/bus/nvmen/devices/rockchip-otpO/nvmen", 0_WRONLY); if (fd < 0) return “1; zet = lseek(Ed, OTP_OEM OFFSET + offset, SEEK SET); Af (ret < 0) gore outy ret = write(fd, buf, len); out: close (td); return rety 2.2.3 Demo 1, OEM Dit (iABORIEILHL SA 0 ~ 15 void demo (void) 4 char bufl16] = { 0, 1, 2, 3, 4) Sy Ge 7, 8 9 10, 11, 12, 13, 14, int ret = 0; ret = rockchip otp_enable rite (); Af (ret < 0) rockchip otp_cem_write(0, buf, 16); 2, hE OFM Read S8% hexdump dr OPER, ta NL dr ot OEM Kae 4 hexdump -C /sys/bus /nvmen/devices/rockchip-otp0/nvmen 0000000 52 56 11 26 91 fe 21 4h S0 41 30 31 37 00 00 00 0000010 00 00 00 00 10 25 16 12 2£ de OF 00 08 00 00 OD 00000020 00 00 00 e0 0a e0 0a 1e 00 00 00 00 00 00 00 00 0000030 00 00 G0 00 00 00 00 G0 a0 00 G0 00 00 00 00 00 00000100 00 01 02 03 04 05 06 07 08 09 Ga Ob Oc Od Ue OF 00000110 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00000120 00 09 00 00 00 00 00 0 00 00 00 00 00 00 00 00 900001r0 00 00 00 0 00 00 00 00 Of 00 00 00 00 00 00 003.3. Secure OTP Secure OTP iB & #75 FOVOEM Zone iF] ULiH 2 EAS AER. 3.1 Protected OEM Zone OEM ZonelX #8 (i Siz fF 4EOP-TEE OS It Trust Application( TAI) UH. Thue tH SIGN AE E'S AOEM Zonel< ik, AL SRTRH A 2e4 tHFF ECIR LA AR ULEEFOEM ZonelX Ak. RK3SB8%F FEL #892! Protected OEM Zone KE hfe, — ELSEMAIRES hfe. ¥¢AERLIHES Protected OEM Zone. 3.11 KEE Platform Protected OEM Zone Size Support Write Lock RVII26/RV1109 2088 Bytes Not Support RK3308/RK3326/RK3358 64 Bytes Not Support RK3566/RK3568 224 Bytes [Not Support RK3S88 1536 Bytes Support 3.1.2 (EADIE FAP‘ RABAY (Rockchip Developer Guide TEE SDK_CN.nd} CH, HEAT rk tee_user! HAE FANCA TAGUH), Demoifi irk tee _user/v2vtaltk testirktest_otp.c, Frktest_owpeX PAE CEIN A RLETAN EL Fase ‘ER Protected OEM Zone Size static TRE Result get_oem otp_size(uint32 t *size) ‘ TEE_UUID sta_uuid = { 0x527£12de, 0x3£8e, 0x4 { 0x8, 0x40, 0x03, 0x07, Oxac, 0x86, Oxdb, Oxaf } 1 TEE_TASessionHandle sta_session = TEE_HANDLE NULL wint32_t origins TEE Result ress TEE Param taParans(4]; uints2_t nBarantypes? pParanTypes = TEE_PARAM TYPES (TEE PARAM TYPE NONE, 'TEE_PARAM_TYPE_NONE, ‘TEE_PARAM TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) ; res ~ TEE_openTAsession(ssta_uuid, 0, nParamTypes, taParans, ista_session, sorigin) : if (res | ‘ SUCCESS) ENSG("TEE_OpenTASession failed\n");pParanTypes = TEE_PARAM TYPES (TEE PARAM TYPE_VALUE_OUTPUT, ‘TEE_PARAM TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) ; res - TEE_InvokeTAConmand(sta_session, 0, 160, nParanTypes, taParans, sorigin); A= (ree != TEE success) ‘ EMSG("TEE_InvokeTAConmand returned Oxtx\n", res}; , taParams[0].value.as ‘TEE_CloseTASession(sta_session) ; sta_session = TEE HANDLE NULL; return TBE_SUCCESS; ‘WEIR Protected OEM Zone ” + read offset: {BEI Ko - (size - 1) % read data: SMW Mirae LONE + read data_size: GMRKIE, DPA ” static TRE Result read_cem_otp(uint32_t read offset, uint8 t ‘read data, read data_size) ‘ TEE_UUID sta_uuid = { 0x527£12de, Ox3¢8e, Ox434¢, { 0X8, 0x40, 0X03, 0x07, Oxae, 0x86, Ox4d, Oxat + 17 TEE_TASession#andle sta_session = TEB_HANDLE_NULL; wint32_¢ origin; TEE Result res; TEE Param taParans (4); uints2_t nBarantypes? nParantypes ~ TES_PARAN_TYPES (TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) ; winta2e res ~ TEE_openTAsession(ssta_uuid, 0, nParamTypes, taParans, ista_session, sorigin) + it (res ! ‘ ‘TEE_succESS) ENSG ("> | OpenTASession failed\n") nParanTypes = TEE_PARAN TYPES (TEE PARAM TYPE_VALUE_INEUT, ‘TEE_PARAM_TYPE_MEMREF_INOUT, ‘TEE_PARAM_TYPE_NONE,‘TEE_PARAM_TYPE_NONE) ; ‘taParams[0].value.a = read offset; teParams[1].menref.buffer - read data; ‘teParams[1].menref.size = read data_size; res = TEE_InvokeTAComand(sta_session, 0, 130, nParanTypes, taParans, sorigin); A= (ee != TEE success) ‘ ENSG("PEE_InvokeTACommand returned Oxtx\n", res}; TEE_CloseTASession (sta_session ‘TEE_HANDLE NULL; sta_seesion return TSE_SUCCESS; ‘ES Protected OEM Zone i” + write offset: iM KIMAO - (size - 1) Yowrite date: SMG WAIA HE XE + write data_size: SESKIE, DFTA ” static THE Result write_oem_otp(uint32_t write offset, uint®_t ‘write data, uint32_t write data_size) 1 TEE_UUID sta_wuid — { 0x527f12de, Ox3#8e, Ox4348, { 0x82, 0x60, 0x03, 0x07, Oxae, 0x86, Oxtb, Oxaf +} TEE_TASessionHandle sta_session ~ TEE_HANDLE_NULI wint32_t origin: Tes_Result ress TeE_Paran taParans [4]: vint32_¢ nParanTypes? nParantypes - TEE PARAM TYPES (TEE PARAM TYPE_NONE, TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) + res = TEE OpentASession(ssta_wuid, 0, nParanTypes, taParans, csta_session, sorigin) + if (res !~ TSE success) ‘ Msc ("r OpentASession failed\n’ pParanTypes = TEE_PARAM TYPES (TEE PARAM TYPE_VALUE_INPUT, ‘TEE_PARAM_TYPE_MEMREF_INOUT, TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) ; ‘aParans(0].value.a = write_offset;‘taParams[1].emref.buffer = write data; taParams[1].menref.size ~ te_data_size; zee = TEE_InvoketAConmand(sta_session, 0, 110, nParantypes, taParans, sorigin); if (res !~ TsE_success) ‘ EMSG("TEE_InvokeTACormand returned Oxtx\n", res)s ‘TEE_CloseTASession(sta_session) ; sta_session = TEE HANDLE NULL; return TEE SUCCESS; LA Protected OEM Zone #85 hie enum rk_otp_flag_type { LIFE_CYCLE_T0_MISSIONED, ‘O=M_OTP_WRITE_LOCK, Ms #define CMD _sET_OTP_FLAGS a0 static TEE Result set_oemotp+ ‘ te_lock (void) TEE_UUID sta_uuid = { 0x527F12de, Ox3¢8e, Ox4342, { 0X8E, 0x40, 0X03, 0x07, Oxae, 0x86, Oxdb, Oxaf + 12 TEE_TASession#andle sta_session = TEB_HANDLE_NULL; wint32_t origins TEE Result res: TEE Param taParans(4]; uints2_t nBarantypes? nParantypes ~ TES_PARAN_TYPES (TEE_PARAM_TYPE_NONE, 'TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) ; res ~ TEE_openTAsession(ssta_uuid, 0, nParamTypes, taParans, forigin) + it (res ‘ /~ TEE_sUCCESS) sc ("0 | OpenTASession failed\n") nParanTypes = TEE_PARAN TYPES (TEE PARAM TYPE_VALUE_INEUT, TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) ; ‘taParams[0].value.a = O8M_OTP_WRITE_LOCK: //disable Protected OFM Zone write from 0 to S11 taParams(0).value.b = 0; res = TEE_InvokeTACommand(sta_session, 0, CMD_SET_OTP_FLAGS, taParans, sorigin); ista_session, nParantypes,4f (ros i = TeE_success) ENSG("TEE_InvokeTACommand returned Oxtx\n", res}; /{disable Protected OFM Zone write from 512 to 1023 taParans(0).value.b = 1 res = TEE InvokeTAComand(sta_session, 0, CMD SET OTP FLAGS, nParanTypes, taParans, sorigin) AE (es t= TEE success) ‘ ENSG("TEE_InvokeTAConmand returned Oxtx\n", res); //disable Protected OEM Zone write from 1024 to 1535 ‘taParams[0].value.b = 2; res = TEE_InvokeTAConmand(sta_session, 0, CMD SET_O1P FLAGS, nParamtypes, taParane, sorigin); if (res !~ TSE success) ‘ Msc ("r | InvokeTACormand returned Oxtx\n", res); ‘TEE_CloseTASession(sta_session sta_session = TEE_HANDLE_NULL; return TEE_SUCCESS; DUFIE TA 48) Protected OEM Zone 8% Demo: TEE Result demo_for_oem_otp (void) ‘ TEE Result res ~ TEE_sUCCESS; uint32_t otp_size = 0; res = get_cem_otp_size(sotp_size); AE (es t= TEE SUCCESS) { EMSG("get_oen_otp_size failed with code Oxex", res)? ) INSG("The OEM Zone size is td byte.", otp_sizel: inta2_t write len = uint®_t write data[2] = {Oxaa, Oxaabs uint32_t write offset ~ 0; write_oemotp(write offset, write data, write_len); if (ces != TEE success) { EMSG("write_cem otp failed with code Oxtx", rea); > IMsG("write_oem_otp succes with data: Oxtx, Oxtx", write data(ol, write data(i}); vint32_t read_len = 2;uint®_t read datal21; uint32_t read_offeet = 0; res - read_com otp(read_offset, read data, read_len); AE (nes 1 TEE success) { ENSG("read_cem_otp tailed with code Oxtx", res); ) IMSG("read_cem otp succes with data: Oxix, Gxt", read data(D], ead data[1]); > 3.2 Non-Protected OEM Zone iBROEM ZonelX * FI LLYEU-BootlUserSpaceiilfi}, SUR AMAEAR Cente H1-FNon-Secure OTP HLA AE 5 BAG RAL, HL (LAGAN £Non-Secure OTP#THHOEM ZoneX Bf, 81 F'Non-Secure OTPHLA HIBIOEM ZoneDC MKT £, JH) CH {EU-BoothlUserSpaceite JOTPAN Rs FILGLFTHOEM Zonet. 3.21 KEE Platform ‘Non-Protected OEM Zone Size RK3308/RK3326/RK3358/RK3S66/RK3568/RK3S88 64 Bytes 3.2.2 (TIE U-Boot YH Non-Protected OEM Zone, if! u-bootlibfoptee_clientApi/OpteeClientInterface.¢ trusty read_oem_ns_otp HBB. U-Boot #85 Non-Protected OEM Zone,_ till] u-bootlibfoptee_clientApi/OpteeClientinterface c trusty_vrite_oem as otp Bit. UL FALU-Boot (Rj Non-Protected OEM Zone $44 Demo: winta2_t demo_for_oem_ns_otp (void) 4 TEEC Result res ~ TEEC_sUCCESS; uint32_t writelen = 25 uint®_t write datal2] = {Oxbb, Oxbb}; uint®2 ¢ write offeet = 0; ssty_write_cem ns otp(write offset, write data, write len); if (res ! TaEc_success) { printf ("trusty write oem ns_otp failed with code Oxtx", res):print£ ("trusty write cem_ns_otp succes with data: Oxtx, Oxtx", write datal0l, weite_data(t])7 wint32_¢ read_len = 2) uint®_¢ read data[2]; uint32_t read_offset ~ 0; res = trusty read com ns otp(read_offset, read data, read len); AE (ree != TEEC SUCCESS) { print£ ("trusty read_cem_ns_otp failed with code Ox%x", res)? > printf (*trusty_read_oem_ns_otp succes with data: Oxtx, Oxtx™, read_data[0), read_data[i]); UserSpace H)*#%3t4% (Rockchip Developer_Guide_TEE_SDK_CN.md} 544, $447 rk_tee_user! FL “FINCABLAL, #USTECA tk_tee_user/v2/hostrk_test/rktest.c *# invoke_otp_ns_read il invoke_otp_ns_write HSAVSCHL, BARE ADL F oat FT fdefine STORAGE_CMD_READ_OEM_N5_O7e /+ byte_off KMIM 0 - (size - 1) */ static uint32_t read_oem_ns_otp(uint32_t byte off, uinté_t *byte but, uint32_t byte_len) ‘ TEEC_Result res = TEEC_SUCCESS: intl2_t error_origin = 0; TERC_Context contex; ‘TEEC_Session sessions TEEC_Operation operation: const TEEC_UUID storage_uuid = { Ox2d26d8a8, 0x5134, Oxtdds, { Oxb3, Ox2£, Oxb3, Oxéb, Oxce, Oxeb, Oxcd, Ox71 } I: const TEEC_QUID *uuid = ésterage_uui: //{2] Connect to THE res ~ TEEC_InitializeContext (NULL, scontex); if (res != TEEC_suCcESs) { print£(*TEEC_InitializeContext failed with code Oxtx\n", res); //{2) Open session with TEE application res ~ TEEC_openSession(scontex, ssession, uuid, TEEC_LOGIN PUBLIC, NULL, NULL, Serror_origin); Af (res I> TeEC success) { prints ("TEEC Opensession failed with code Oxtx origin Oxtx\n", zee, exror_origin); gore out; J/(3) Stazt invoke command to the TEE application. momset (operation, 0, sizeof (TEEC Operation) ); operation.paramTypes = TSEC_PARAM TYPES (TEEC_VALUE_INPUT, ‘TREC_MEMREF_TEMP_OUTPUT,‘TEEC_NONE, TEEC_NONE) ; operation.parama[0].value.a = byte off; operation. params[1].tmpref.size - byte len; operation.parama[1).tmpref.buffer - (void *)byte buf; res ~ TEEC_InvokeCommand(isession, STORAGE_CMD_READ_OBM_NS_OTP, soperation, éerror_origin); Af (res I> TEC success) | Print#("InvokeCommand ERR! =: gote out; 2 Oxtx\n", zes)7 printf ("Read OK.\n") 7 TEEC_CloseSession (tsession); ‘TEEC_FinalizeContext (écontex) ; #define STORAGE_CMD_WRITE_O=M_Ns_oTP 2 /* byte off EMM 0 - (size - 1) */ static uint2? + write_oomne_otp(uint22_t byte off, uintl_t “byte buf, vint32 © byte len) ‘ TEEC_Result res = TEEC_SUCCESS; uintS2_¢ erzor_origin TEEC_Context contex: TEEC_Session session; EEC operation operations const TEEC_UUID storage_uvid = { 0x2d26d8a8, 0x5134, Oxdcds, { Oxb3, 0x2f, Oxb3, Oxéb, Oxce, Oxeb, Oxcd, Ox71 } 1 const TEEC_UUID *wuid = sstorage_wui //(2] Connect to THE kes ~ TEEC InitializeContext (NULL, ccontex); if (res ! TaEc_success) { printé(*TEEC_InitializeContext failed with code Ox$x\n", res); return res; //{2) Open session with TEE application res = TEEC_OpenSession(scontex, ssession, uuid, TEEC_LOGIN PUBLIC, NULL, NULL, serror_origin); if (res != TREC SUCCESS) { printf (*TEEC_Opensession failed with code Ox%x origin Ox%x\n", xes, error_origin); goto outs //{3) Start Invoke conmand to the TEE application. memset (4operation, 0, sizeof (TBEC_Operation) ); operation. paramtypes = TSEC_PARAM TYPES (TEEC_VALUS_INEUT, ‘TEEC_MEMRER_TEMP_INPUT, ‘TEEC_NONE, TEEC_NONE) ; operation.params[0].value.a = byte oft; operation.params[1].tmpref.size ~ byte_len;operation. params[1).tmpref.buffer void *)byte_bufs es = TEEC_InvokeCommand(ésession, STORAGE_CMD WRITE_OEM NS OTP, koperation, sev! AE (res 1 TEEC success) { printf (*Invokeconmand ERR! res~ Oxéx\n", res); outl; origin): got peinté ("Write OK.\n"); TEEC_CloseSession(tsession) ; TEEC_FinalizeContext (écontex) ; EL Fs2UserSpace $28] Non-Protected OEM Zone 4 Demo: winta2_t demo_fox_oem_ns_otp (void) ‘ TEEC Result res = TEEC_SUCCESS; int32_¢ write len = wints_t write_data[2] = {0xbb, Oxbb}; uint32_t write offset ~ 0; res ~ write_oem ns otp(write offset, write data, write len); if (res != TaEC_suCcESs) { print£(*write_cen_ns_otp failed with code Oxtx", res); > printf (*write_oem_na_otp succes with data: Oxtx, OxtK", write data(0}, write_data(i}); wint32_t read_len uint® = read data(2]7 wint32_t read_offset = 07 res ~ read_cemns otp(read offset, read data, read_len); if (res != TeEC_succESs) { printf (*read_cem_ns_otp failed with code Oxtx", res}; ) Print£("read_cem_ns_otp succes with data: Oxtx, Ox8x", read_data[d], read data[1]); ) 3.3 OEM Cipher Key ROEM Zone RRIF EMAL RR, RAFU AST ME, FPS eT DLO SI AT ARE, ACRES, RARE SE BA BE, RESORT AY LLRU-Boot ‘AlUserSpace iH.3.3.1 KE A Is Support Platform OEM Cipher Key Length 2 ne Hardware Read RK_OEM_OTP_KEY0-3 (16 or 32 Bytes), RVII26/RVI109 [Not Support RK OEM OTP KEY FW(16 Bytes) RK3S66/RK3568 —_RK_OEM_OTP_KEYO-3 (16 or24 or 32 Bytes) ‘Not Support RKIS8S RK_OEM_OTP_KEY0-3 (16 oF 24 or 32 Bytes) Support 3.3.2 (EHF IK U-Boot #8 OEM Cipher Key, ii8/H u-boot/lib/optee_clientApi/OpteeClientInterface.c " trusty_vrite_oom_otp_key Hit. ‘i 8 wint32_t trusty_write_oem_otp_key(enum RK_OEM_OTP_KEYID key_id, uint8_t *byte_buf, uint32_¢ bbyte_len)!} key id 24H F enum RK_OEM_OTP_KEYID { RK_OEM OTP _KEYO ~ 0, RK_OEM_OTP_K: RK_OBM_OTP_KEY2 = 2, RK_OBM_OTP_KaY3 = 3, = 10, //keyid of £¥_encryption_key 1a, 1: #1C KET RK_OEM_OTP_KEY0, RK_OEM_OTP_KEY1, RK_OEM_OTP_KEY2. RK_OEM OTP _KEY3; RV1126/RV1109 "F f2iE8108 XIGKE'S RK_OEM_OTP_KEY FW #48, RK_OEM_OTP_KEY_FW #7(H3:38)1-F BootROM fH Loader Il #257 LG ae tA Be SHAH Kemel it. ULF 2U-Bootht"S OEM Cipher Key #4 Demo: uint32_t demo_for_trusty_write_oem_otp_key (void) ‘ uint32_t resi uints_t key[16] = 0x53, 0x46, Ox1£, 0x93, Oxéb, 0x16, 0x00, 0x28, Oxce, 0x34, OxD1, 0x37, 0x30, Oxad, 0x72, 0x65, usty_write_cem_ctp_key(RK_OEM OTP _KEYO, key, sizeof (key)); if (res) Print# ("test trusty _write_cem otp_key fail! oxs0sx\n", res); else printf("test trusty write_oem otp_key success.\U-Boot JME 77E22HES OFM Cipher Key, if UHH w-bootib/optee_clientApi/OpteeClientinterface.c trusty_oem_otp_key_is_written Bit. ELF 2U-Boot Hi ft #5 2.22485 OEM Cipher Key 847 Demo: void demo_for_trusty oem otp_key_is written (void) 4 uints_t value; uint32_t res = trusty oem otp_key_is_written(RK OEM OTP KEYO, évalue); Af (res == TeEc_success) { print£("oen otp key is ts", value ? “written” empty") + } else ( prints ("access com otp key #2411"); , Fd RK3S88 4 F2165EIF Hardware Read Dhflé> LP AL DAIL u boot/lib/optee_clientApi/OpteeClientinterface.c trusty_set_oem_hr_otp_read lock iit, WALA ARCPURAKMU RAE, BORAR RUDE RO Albee LAE, GAEL CPU RATA, RPT DL a ba I Blerypeol BAR FF MMAR BE. AY RAI SORA FTO FE RK_OEM_OTP_KEY0. RK_OEM_OTP_KEYI, RK_OEM_OTP_KEY2, %.18)/0 1) 4UR 28% CPU RY OTP KAHL IO de ALEL, Het Secure Boot. Security Level RAR He RENE ALL. ARULAL RAW A She OTPRUR fs PEIN Yea Re. PF RARSR8( FT NM ERK OEM_OTP_KEY3IY, if FRM OTP HOB SR PLFA RK3S88 °F #7 U-Boot (4F} Hardware Read 2144 Demo: uint32_t demo_for_trusty_set_oem_hr_otp_read_lock (void) ‘ vint32_t res? res = trusty_set_oem _hr_otp_read_lock(RK_OBM_OTP_KEYO); it (res) print£("test trusty_set_oem_hr_otp_read_lock fail! Oxt08x\n", res); else printé("test trusty_set_oem_hr_otp_sead_lock success. \a"); U-Boot (i HIOEM Cipher Keyl F RPRFYEtE, 17H u-bootlib/optee_clientAp/OpteeClientinerface.c "T trusty_oem_otp_Key_cipher Pt. BL FJU-BootftH] OEM Cipher Key #4 Demo: uint32_t deno_for_trusty_oem_otp_key_cipher (void) ‘ vint32_t res? zk_cipher_config config? uintptr_t src_phys addr, dest_phys addr; uint32_t key_id ~ RK_OBM_O7P_KEYO; uint32_t key_len = 16; uint32_t algo = RK _ALGO_AES; wint32_t mode = RK CIPHER MODE_CBC uint32_t operation = RK MODE_ENCRYPT; uints_t iv{i6] = {0x10, Oxt4, 0280, Oxb3, 0x88, Ox5£, 0x02, 0x03, 0x05, 0x21, 0x07, Oxe9, Oxé4, 0x00, Oxtb, Ox80, vs winta_s inowt [16] = ( Oxc9, 0x07, 0x21, 0x05, 0x80, Ox1b, 0x00, 0x44, Oxac, 0x13, Oxf, 0x23, 0x93, Ox4a, 0x66, Oxed, uw uint32_t data_len = sizeof (inout); config.algo = algo; config.mode = mode; config.operation = operation; contig-key_len ~ key_len config.reserved = NULL; mamcpy(config.iv, iv, sizeof(iv)); src_phys_addr = (vintptx_t)inout: dest_phys_addr = ere_phys_addry res ~ trusty_cen_otp_key cipher (key id, sconfig, szc_phys_addr, dest_phys_addr, gata_len); if (res) printf("test trusty oem otp_key phys cipher fail! Oxt08x\n", res); else printf ("test trusty oem otp_key phys_cipher success.\n"); ‘UserSpace Sit #69 AMR] OEM Cipher Key 49 U-Boot 812610, (8 Hii & 470 8% 118 U-Boor WES FLEE Fi OEM Cipher Key ( UserSpace Hl *865 RIF] OEM Cipher Key itt 35% librkeryptoléemoldemo_otpkey.c, librkcryptoi#e iA 181 (Rockchip_Developer_Guide_Crypto_HWRNG_CN pdf? BRA ELAS REISDK tH. Android’? #2: librkeryptoiSf¢Ehardware/rockchip/ Hak F Limox'? #3; librkeryptoiRiiéextemal/ 13K. 3.4 OTP Life Cycle SPE LAOTP Life Cycle, HEPA LREROTPH} RE Ze ASAI Oo ML ACA Us LOR 3.4.1 KEEPlatform OTP Life Cycle Type BB BlankS EQN # Bits MLW, MissionedBit SHUI, SALI AR, REL FRPTUAE RE MBI ETEL, AURORA HE RK3588 ——_Blank/Tested/Provisioned/Missioned —i@k AHRLHAUPER. RHF) IN} AEProvisionedist BL, OEMAyLLR#FIEAMissionedift 8, ORM ProvisionediftUJEAMissioned TEU HS} OTPR TS BMI RE. 3.4.2 ALOE ULF %RK3S88 OTP LEProvisionedBrELFIMissioned FTL SATA, FH RW LRTI. RE it. or revised Minioaed 388 Secure HAP B MH Secure Bootsh(, AFF Secure Bootshhbi 4 WM ALOTP Life Boot RW Rg Cycle, Secure Boot} 2, Fable ‘Rockchip Developer Guide Secure Boot_ Application Note_EN.md} Pag RA Pubie RW R AL Hash Security gy k AP REARS RATA, EEN Socwiy Level RHEEOTP Lie Level Cycle, Secwiy Level (Rockchip Developer Guide TEE, SDK_CN} #5 on os Cipher RW a ‘WEIL OEM Cipher Key if Keyo2 we = copie aw SYM sired, tatoo a key 3.4.3 (EHTS HUEELOTP Life Cycle FLARE: PHLIE (Ket, AFBAKFOTP Life Cycleb\ProvisionedSit Pt JyMissioned St BL, UP 'FIBAF (Rockehip_Developer Guide TEE_SDK_CNimd) XCM, WiRiE4T rk toe_user/ HEF NCA TARE, #A/G2ETAST MILLE ea FD. enum rk_otp flag type 4 LIFE_CYCLE_T0_MISSIONED, ‘O=M_OTP_WRITE_LOCK, dM fdefine CHD _seT_oTP_FLAGS 170 static TEE Result set_otp life cycle to missioned{(void) ‘ TEE_UUID sta_uuid = { 0x527F12de, Ox3¢8e, Ox4342, { 0X8, 0x40, 0X03, 0x07, Oxae, 0x86, Ox4b, TEE_TASession#andle sta_session = TEH_HANDLE NULL; wint32_¢ origins TEE Result res; TEE_Paran taParans(4]; oxat bevint32_¢ mParantypes? nParantypes - TEE PARAM TYPES (TEE PARAM TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) + zes = TEE OpenTASession(ssta_uuid, 0, nParanTypes, taPazams, ista session, sorigin) + AE (res t= TEE success) ‘ ENSG("TEE_Open‘TASession failed\n"); return res; pParanTypes = TEE_PARAM TYPES (TEE PARAM TYPE_VALUE_INPUT, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE, ‘TEE_PARAM_TYPE_NONE) + taParams[0).value.a = LIFE_CYCLE_70_MISSIONED; res = TEE_InvokeTAComand(sta_session, 0, CMD SET OTP FLAGS, nParanTypes, taParane, sorigin); if (res !~ TSE success) ‘ BNSG("TES_InvokeTAConmand returned Ox4x\n", res}; TEE_CloseTASession(sta_session) ; sta_session = TEE HANDLE NULL; return TEE_SUCCESS;