ap/0001-ZX297520V3-511624.patch

From 7d1985ec82ab00b5a9c88d13f0d2ef9482ede535 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=AB=98=E5=8D=8E=E5=B3=B00318000169?=
 <gao.huafeng@sanechips.com.cn>
Date: Tue, 27 Feb 2024 15:18:54 +0800
Subject: [PATCH] =?UTF-8?q?=E7=94=A8=E6=88=B7=E6=95=85=E4=BA=8B=EF=BC=9A?=
 =?UTF-8?q?=E6=97=A0=20=E6=95=85=E9=9A=9C=E5=8D=95=E5=8F=B7=EF=BC=9AZX2975?=
 =?UTF-8?q?20V3-511624=20=20=E5=90=88=E5=85=A5=E5=86=85=E5=AE=B9:=20?=
 =?UTF-8?q?=E5=B9=BF=E5=B7=9E=E9=80=9A=E5=88=99=E5=BA=B7=E5=A8=81=EF=BC=9A?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6=E7=B3=BB=E7=BB=9F=E7=AD=BE=E5=90=8D=E5=8A=A0?=
 =?UTF-8?q?=E5=AF=86=E9=9C=80=E6=B1=82=E8=AF=84=E4=BC=B0=E3=80=82=E6=B3=A2?=
 =?UTF-8?q?=E5=8F=8A=E5=88=86=E6=9E=90=EF=BC=9A=E5=90=AF=E5=8A=A8=20=20?=
 =?UTF-8?q?=E6=B5=8B=E8=AF=95=E5=BB=BA=E8=AE=AE=EF=BC=9A=E5=90=AF=E5=8A=A8?=
 =?UTF-8?q?=E5=92=8C=E5=BA=94=E7=94=A8=E9=AA=8C=E7=AD=BE=E5=8A=9F=E8=83=BD?=
 =?UTF-8?q?=E6=98=AF=E5=90=A6=E6=AD=A3=E5=B8=B8=20=20=E7=BB=84=E4=BB=B6?=
 =?UTF-8?q?=E6=A0=87=E7=AD=BE=EF=BC=9A=E6=97=A0=20=E5=BC=95=E5=85=A5?=
 =?UTF-8?q?=E6=9D=A5=E6=BA=90=EF=BC=9A=E5=85=B6=E5=AE=83?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I9bd1fea056f4a34c7b21421703de5b14523262a7
---
 Makefile                                      |  18 +++
 build/gen_app_hash.sh                         |  65 +++++++++
 .../linux-3.4.x/include/linux/verify_app.h    |  16 +++
 os/linux/linux-3.4.x/init/Kconfig             |   8 ++
 os/linux/linux-3.4.x/init/Makefile            |   2 +-
 os/linux/linux-3.4.x/init/verify_app.c        | 130 ++++++++++++++++++
 project/pubconf.mk                            |   1 +
 project/zx297520v3/prj_cpe/build/config.mk    |   5 +-
 .../prj_cpe/config/normal/config.linux        |   2 +-
 .../prj_cpe/config/normal/verify_app_list.txt |   3 +
 10 files changed, 247 insertions(+), 3 deletions(-)
 create mode 100755 build/gen_app_hash.sh
 create mode 100755 os/linux/linux-3.4.x/include/linux/verify_app.h
 create mode 100755 os/linux/linux-3.4.x/init/verify_app.c
 create mode 100755 project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt

diff --git a/Makefile b/Makefile
index 97cd38f03..3b5cf553c 100644
--- a/Makefile
+++ b/Makefile
@@ -380,11 +380,29 @@ endif
 	make normal_conf
 	make AP_BUILD_TYPE=normal sys
 	make AP_BUILD_TYPE=normal rootfs
+ifeq ($(VERIFY_APP_IN_KERNEL),yes)
+	bash $(BUILD_DIR)/gen_app_hash.sh  $(PRJ_CONF_DIR)/normal/verify_app_list.txt $(ROOTFS_DIR)  $(LINUX_DIR)
+	make kernel
+ifeq ($(CONFIG_SINGLECORE),yes)
+ifeq ($(USE_CPPS_KO),yes)
+	make cpko
+endif
+endif
+endif
 	make AP_BUILD_TYPE=normal copybin
 
 normal2:
 	make AP_BUILD_TYPE=normal sys
 	make AP_BUILD_TYPE=normal rootfs
+ifeq ($(VERIFY_APP_IN_KERNEL),yes)
+	bash $(BUILD_DIR)/gen_app_hash.sh  $(PRJ_CONF_DIR)/normal/verify_app_list.txt $(ROOTFS_DIR)  $(LINUX_DIR)
+	make kernel
+ifeq ($(CONFIG_SINGLECORE),yes)
+ifeq ($(USE_CPPS_KO),yes)
+	make cpko
+endif
+endif
+endif
 	make AP_BUILD_TYPE=normal copybin
 
 normalclean:
diff --git a/build/gen_app_hash.sh b/build/gen_app_hash.sh
new file mode 100755
index 000000000..479403809
--- /dev/null
+++ b/build/gen_app_hash.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+echo $#
+
+if [ $# -lt 3 ]; then
+    echo "$0  app_list_file  rootfs_dir kernel_dir"
+    exit 1
+fi
+APP_LIST_FILE=$1
+ROOTFS_DIR=$2
+KERNEL_DIR=$3
+
+if [ ! -f $APP_LIST_FILE ]; then
+    echo "$APP_LIST_FILE NOT exist"
+    exit 2
+fi
+
+if [ ! -d $KERNEL_DIR ]; then
+    echo "$KERNEL_DIR NOT exist"
+    exit 3
+fi
+
+if [ ! -d $ROOTFS_DIR ]; then
+    echo "$ROOTFS_DIR NOT exist"
+    exit 4
+fi
+VERIFY_APP_HEADER=$KERNEL_DIR/include/linux/verify_app.h
+
+file_array=()
+hash_array=()
+file_cnt=0
+while read file_item; do
+    if [ -f ${ROOTFS_DIR}${file_item} ]; then
+        hash_val=`sha256sum ${ROOTFS_DIR}${file_item} | awk '{ print $1 }'`
+        echo "${file_item} $hash_val ok"
+        file_array+=("$file_item")
+        hash_array+=("$hash_val")
+        let "file_cnt=file_cnt+1"
+    else
+        echo "regular file ${ROOTFS_DIR}${file_item} NOT exist"
+        exit 9
+    fi
+done < "${APP_LIST_FILE}"
+
+# 打印数组中的数据
+
+echo "#ifndef __VERIFY_APP_H" > $VERIFY_APP_HEADER
+echo "#define __VERIFY_APP_H" >> $VERIFY_APP_HEADER
+echo ""                       >> $VERIFY_APP_HEADER
+
+echo "const int g_verify_app_cnt = $file_cnt;" >> $VERIFY_APP_HEADER
+echo "const char *g_verify_file_array[] = {" >> $VERIFY_APP_HEADER
+for element in "${file_array[@]}"; do
+    echo "    \"$element\"," >> $VERIFY_APP_HEADER
+done
+echo "};" >> $VERIFY_APP_HEADER
+
+echo "const char *g_verify_hash_array[] = {" >> $VERIFY_APP_HEADER
+for element in "${hash_array[@]}"; do
+    echo "    \"$element\"," >> $VERIFY_APP_HEADER
+done
+echo "};" >> $VERIFY_APP_HEADER
+
+echo ""                       >> $VERIFY_APP_HEADER
+echo "#endif" >> $VERIFY_APP_HEADER
diff --git a/os/linux/linux-3.4.x/include/linux/verify_app.h b/os/linux/linux-3.4.x/include/linux/verify_app.h
new file mode 100755
index 000000000..90ed58b87
--- /dev/null
+++ b/os/linux/linux-3.4.x/include/linux/verify_app.h
@@ -0,0 +1,16 @@
+#ifndef __VERIFY_APP_H
+#define __VERIFY_APP_H
+
+const int g_verify_app_cnt = 3;
+const char *g_verify_file_array[] = {
+    "/bin/busybox",
+    "/etc/rc",
+    "/sbin/zte_mdl",
+};
+const char *g_verify_hash_array[] = {
+    "a071cc29b7bbd47e45a6698e5dde5564995172e7b530314dd375040e0b1d9a41",
+    "1296e7b4fe520bbc0cdd0b76289afd86318674a99ea2d5faff52baf39854b5d6",
+    "8a3815c1394f3b343ffc598c245fb356c80071ac3755927f0e7c6b7e8955c070",
+};
+
+#endif
diff --git a/os/linux/linux-3.4.x/init/Kconfig b/os/linux/linux-3.4.x/init/Kconfig
index 3db3a515a..8742bb316 100644
--- a/os/linux/linux-3.4.x/init/Kconfig
+++ b/os/linux/linux-3.4.x/init/Kconfig
@@ -1452,3 +1452,11 @@ config PADATA
 	bool
 
 source "kernel/Kconfig.locks"
+
+config VERIFY_APP_IN_KERNEL
+	bool "Enable verify app in kernel"
+	default n
+	help
+	  This option enables support for verify app in kernel. You almost
+	  certainly want to say n here.
+	  
\ No newline at end of file
diff --git a/os/linux/linux-3.4.x/init/Makefile b/os/linux/linux-3.4.x/init/Makefile
index 6b473cd16..ab6b944cf 100644
--- a/os/linux/linux-3.4.x/init/Makefile
+++ b/os/linux/linux-3.4.x/init/Makefile
@@ -9,7 +9,7 @@ else
 obj-$(CONFIG_BLK_DEV_INITRD)   += initramfs.o
 endif
 obj-$(CONFIG_GENERIC_CALIBRATE_DELAY) += calibrate.o
-
+obj-$(CONFIG_VERIFY_APP_IN_KERNEL) += verify_app.o
 mounts-y			:= do_mounts.o
 mounts-$(CONFIG_BLK_DEV_RAM)	+= do_mounts_rd.o
 mounts-$(CONFIG_BLK_DEV_INITRD)	+= do_mounts_initrd.o
diff --git a/os/linux/linux-3.4.x/init/verify_app.c b/os/linux/linux-3.4.x/init/verify_app.c
new file mode 100755
index 000000000..5eccd9c8c
--- /dev/null
+++ b/os/linux/linux-3.4.x/init/verify_app.c
@@ -0,0 +1,130 @@
+/*
+ *  linux/init/verify_app.c
+ *
+ */
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/syscalls.h>
+#include <linux/string.h>
+#include <linux/ctype.h>
+#include <linux/delay.h>
+#include <linux/init.h>
+#include <linux/security.h>
+#include <linux/kthread.h>
+#include <linux/crypto.h>
+#include <crypto/hash.h>
+#include <crypto/sha.h>
+#include <linux/verify_app.h>
+#include <linux/soc/zte/efuse/efuse_zx.h>
+
+#define VERIFY_TIMEOUT   30000      //ÑÓ³ÙÑéǩʱ¼ä,½¨Òé´óÓÚ2s£»
+
+extern void zDrvEfuse_GetSecureMsg(T_ZDrvEfuse_Secure *secure);
+
+u8 *bin2hex(const u8 *old, const size_t oldlen)
+{
+    u8 *result = (u8 *)kmalloc((oldlen * 2 + 1), GFP_KERNEL);
+    size_t i, j;
+    int b = 0;
+
+    for (i = j = 0; i < oldlen; i++)
+    {
+        b = old[i] >> 4;
+        result[j++] = (char)(87 + b + (((b - 10) >> 31) & -39));
+        b = old[i] & 0xf;
+        result[j++] = (char)(87 + b + (((b - 10) >> 31) & -39));
+    }
+    result[j] = '\0';
+    return result;
+}
+
+static int verify_app_entry(void *p)
+{
+    int    i = 0;
+    int    rdlen;
+    char  *buff = NULL;
+    size_t size;
+    struct file *fp;
+    int bufflen = 4096;
+    u8 *hashstring;
+    u8 hash[SHA256_DIGEST_SIZE];
+    struct shash_desc *desc;
+    struct crypto_shash *sha256;
+    T_ZDrvEfuse_Secure secure;
+
+    msleep(VERIFY_TIMEOUT);
+
+    zDrvEfuse_GetSecureMsg(&secure);
+    if((secure.secureFlag & 0xFF) != 0xFF)
+    {
+        printk("verify secure boot don't open \n");
+        return 0;
+    }
+
+    sha256 = crypto_alloc_shash("sha256", 0, 0);
+    if (IS_ERR(sha256)) {
+        panic("verify sha256 error ! \n");
+    }
+    size = crypto_shash_descsize(sha256) + sizeof(*desc);
+    desc = kzalloc(size, GFP_KERNEL);
+    BUG_ON(desc == NULL);
+    desc->tfm = sha256;
+    buff = kmalloc(bufflen, GFP_KERNEL);
+    BUG_ON(buff == NULL);
+    for (i = 0; i < g_verify_app_cnt; i++)
+    {
+        fp = filp_open(g_verify_file_array[i], O_RDONLY, 0644);
+        if (IS_ERR(fp))
+        {
+            printk("app=%s open fail \n",g_verify_file_array[i]);
+            panic("verify open fail");
+        }
+        else
+            fp->f_pos = 0;
+        crypto_shash_init(desc);
+        while(1)
+        {
+            rdlen = kernel_read(fp, fp->f_pos, buff, bufflen);
+            if (rdlen > 0)
+            {
+                fp->f_pos += rdlen;
+                crypto_shash_update(desc, buff, rdlen);
+            }
+            else if (rdlen == 0)
+            {
+                filp_close((struct file *)fp, NULL);
+                crypto_shash_final(desc, hash);
+                hashstring = bin2hex(hash, SHA256_DIGEST_SIZE);
+                if (memcmp(hashstring, g_verify_hash_array[i], SHA256_DIGEST_SIZE))
+                {
+                    printk("verify app=%s hash=%s \n", g_verify_file_array[i], hashstring);
+                    panic("verify hash fail");
+                }
+               // printk("verify app=%s success \n", g_verify_file_array[i]);
+                kfree(hashstring);
+                break;
+            }
+            else
+            {
+                printk("verify app=%s rdlen=%d \n", g_verify_file_array[i], rdlen);
+                panic("verify read fail");
+                break;
+            }
+        }
+    }
+
+    crypto_free_shash(sha256);
+    kfree(desc);
+    kfree(buff);
+    printk("verify app init success \n");
+    return 0;
+}
+
+static int __init verify_app_init(void)
+{
+    kthread_run(verify_app_entry, NULL, "verify_app");
+    return 0;
+}
+
+late_initcall(verify_app_init);
+
diff --git a/project/pubconf.mk b/project/pubconf.mk
index 43d289bd2..b35f3f3b7 100755
--- a/project/pubconf.mk
+++ b/project/pubconf.mk
@@ -62,4 +62,5 @@ export CONFIG_MIN_8M_VERSION ?= n
 export USE_ZCAT_MBIM ?= no
 export USE_RECOVERYFS ?= no
 export USE_OEM_FS ?= no
+export VERIFY_APP_IN_KERNEL ?= no
 
diff --git a/project/zx297520v3/prj_cpe/build/config.mk b/project/zx297520v3/prj_cpe/build/config.mk
index b7bbac7a0..cbe5621f5 100755
--- a/project/zx297520v3/prj_cpe/build/config.mk
+++ b/project/zx297520v3/prj_cpe/build/config.mk
@@ -77,4 +77,7 @@ endif
 export ENABLE_PHONECODE_IN_ATCTL=yes
 
 #¿ØÖÆÊÇ·ñʹÓûìÒô
-export USE_MIXDATA_SUPPORT=no
\ No newline at end of file
+export USE_MIXDATA_SUPPORT=no
+
+#ÎļþÑéÇ©¿ª¹Ø
+#VERIFY_APP_IN_KERNEL := yes
diff --git a/project/zx297520v3/prj_cpe/config/normal/config.linux b/project/zx297520v3/prj_cpe/config/normal/config.linux
index d6d117611..bd1d78ba8 100755
--- a/project/zx297520v3/prj_cpe/config/normal/config.linux
+++ b/project/zx297520v3/prj_cpe/config/normal/config.linux
@@ -1916,7 +1916,7 @@ CONFIG_ACCURATE_CPU_PERCENT=y
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_CRYPTO=y
-
+# CONFIG_VERIFY_APP_IN_KERNEL is not set
 #
 # Crypto core or helper
 #
diff --git a/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt b/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt
new file mode 100755
index 000000000..f375abf3f
--- /dev/null
+++ b/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt
@@ -0,0 +1,3 @@
+/bin/busybox
+/etc/rc
+/sbin/zte_cpe
-- 
2.25.1