Show advanced fusing status #307

Open
fxsheep opened this issue Oct 2, 2023 · 2 comments

fxsheep commented Oct 2, 2023

A wide range of QFPROM ranges can be accessed directly from EL1 on stock TZ firmware. They contain more than just whether secure boot is enabled or not. By adding a QFPROM parsing feature, additional information can be displayed on the fastboot screen and users could potentially benefit from:

  • Accurate secure boot status (incl. hash of public key): useful for finding the right firmware/EDL loader, and report secure boot status as "unknown" when scm call is_secure_boot_enable failed #273
  • Anti-rollback status and version: useful when flashing firmware on some devices that do enable it
  • Read/write protection status of individual regions: allows the user to know if the device is susceptible to unintentional fuse blow, e.g. flashing a production firmware on an unfused device
  • PBL boot order: advanced users can know about this and fuse the device to force booting from sdcard first, making it unbrickable without opening the case
  • SoC binning info: allows the user to know how much it could benefit from overclocking
  • SoC serial number: might be useful for identifying the device, even after eMMC replacement
  • JTAG disable status: some OEMs (such as early Samsung) enabled secure boot without disabling JTAG (as a feature/bug, both possible but the latter is unlikely), users could check if they're the lucky ones

I don't yet have an idea regarding how it should be displayed. Showing it directly on the fastboot menu may eventually make it bloated. A secondary menu could be better (also for other possible features such as multi-boot selection, etc). Some manufacturers such as Motorola and Huawei have secondary menus in fastboot to display more info, with even barcodes and QR codes.

@stephan-gh (Member) commented

How much do we know (or do we need to know) about the layout of the fuse addresses/bits? Is this platform-specific? Will it need adjustment for every SoC supported in lk2nd?

Regarding the UI screen, I think it would be easier to start with a fastboot command that parses or possibly just dumps this (with parsing in a separate tool?). I think we don't have any consistent way at the moment to display additional screens. If wanted, this could be added later as a second step.


fxsheep commented Oct 3, 2023

> How much do we know (or do we need to know) about the layout of the fuse addresses/bits? Is this platform-specific? Will it need adjustment for every SoC supported in lk2nd?

Yes, this is platform specific. For msm8916, all listed above are documented publicly in the TRM (lm80-p0436-100_d_snapdragon_410e_apq8016e_tech_reference_manual_revd.pdf, page 3323), except binning, which is mostly documented in different pieces of CAF kernel sources.

For other platforms, AFAIK, Qualcomm tends to keep backward compatibility, which means the addresses can be cross-referenced from msm8916. This leaves verification a bigger problem though, since QFPROM should be considered static, and it's hard to 'test' the actual meaning.

However, this is actually more a legal problem than a technical one. Years have passed and these offsets are no longer a top secret, and people have been using addresses that come out of nowhere, e.g. here.

> possibly just dumps this

TrustZone address protection on QFPROM is not contiguous and LK has to know where to dump from, so I think it's more reasonable to implement parsing on LK and print human-readable results.
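A sketch of the table-driven approach fxsheep describes (parse in LK, print human-readable results), added here as an example and not code from lk2nd. Everything in it is constructed for illustration: the field table, the word/bit positions and the sample dump do not reflect msm8916 or any other SoC's real QFPROM map; a real per-SoC table would be filled in from the TRM. The part worth noting is the per-word validity bitmap: a fuse word whose read failed (TZ-protected range, failed scm call) is reported as "unknown" rather than decoded as zero, which is the false "secure boot disabled" problem from #273.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FUSE_WORDS 8

enum fuse_kind { FUSE_BOOL, FUSE_NUM, FUSE_HEX };

/* One decoded fuse field: which 32-bit word of the EL1-readable QFPROM
 * window it sits in and which bits of that word. The table is per-SoC;
 * the entries below are CONSTRUCTED for this example and are not any
 * real SoC's layout. */
struct fuse_field {
    const char *name;
    unsigned word;        /* index into fuse_dump.words */
    unsigned shift;
    uint32_t mask;        /* applied after the shift */
    enum fuse_kind kind;
};

static const struct fuse_field example_soc_fields[] = {
    { "secure_boot",      0, 0, 0x1,        FUSE_BOOL },
    { "jtag_disable",     0, 1, 0x1,        FUSE_BOOL },
    { "anti_rollback",    0, 2, 0x1,        FUSE_BOOL },
    { "pbl_boot_order",   0, 4, 0x7,        FUSE_NUM  },
    { "rollback_version", 1, 0, 0xffff,     FUSE_NUM  },
    { "serial_number",    2, 0, 0xffffffff, FUSE_HEX  },
};
#define N_FIELDS (sizeof(example_soc_fields) / sizeof(example_soc_fields[0]))

/* A dump records, per word, whether the read actually succeeded. A word
 * that could not be read must surface as "unknown", never as zero. */
struct fuse_dump {
    uint32_t words[FUSE_WORDS];
    uint32_t valid;       /* bit i set => words[i] is trustworthy */
};

/* Decode one field. Returns false when its word was never read. */
bool fuse_get(const struct fuse_dump *d, const struct fuse_field *f, uint32_t *out)
{
    if (f->word >= FUSE_WORDS || !(d->valid & (1u << f->word)))
        return false;
    *out = (d->words[f->word] >> f->shift) & f->mask;
    return true;
}

/* Lookup by name: the value, -1 if its word is unknown, -2 if no such field. */
int64_t fuse_lookup(const struct fuse_dump *d, const char *name)
{
    for (size_t i = 0; i < N_FIELDS; i++) {
        uint32_t v;
        if (strcmp(example_soc_fields[i].name, name) != 0)
            continue;
        return fuse_get(d, &example_soc_fields[i], &v) ? (int64_t)v : -1;
    }
    return -2;
}

/* Render every field as one "name: value" line, as a fastboot oem command
 * could return it. Returns the number of bytes written (excluding NUL). */
size_t fuse_format(const struct fuse_dump *d, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0)
        return 0;
    for (size_t i = 0; i < N_FIELDS && used < len; i++) {
        const struct fuse_field *f = &example_soc_fields[i];
        uint32_t v;
        int n;
        if (!fuse_get(d, f, &v))
            n = snprintf(buf + used, len - used, "%s: unknown\n", f->name);
        else if (f->kind == FUSE_BOOL)
            n = snprintf(buf + used, len - used, "%s: %s\n", f->name, v ? "yes" : "no");
        else if (f->kind == FUSE_HEX)
            n = snprintf(buf + used, len - used, "%s: 0x%08x\n", f->name, v);
        else
            n = snprintf(buf + used, len - used, "%s: %u\n", f->name, v);
        if (n < 0)
            break;
        used += (size_t)n;
    }
    return used < len ? used : len - 1;
}

/* Constructed sample dump: words 0 and 1 were read, word 2 (serial) was not,
 * so serial_number must come out as "unknown" despite the stale value. */
static const struct fuse_dump sample_dump = {
    .words = { 0x35, 0x0007, 0xdeadbeef },
    .valid = 0x3,
};

int main(void)
{
    char buf[256];
    fuse_format(&sample_dump, buf, sizeof(buf));
    fputs(buf, stdout);
    return 0;
}
```

Keeping the layout in a per-SoC table rather than in code is what makes stephan-gh's "adjustment for every SoC" tractable: adding a platform means adding a table, and a field the platform does not expose is simply absent, so nothing is ever reported that the fuse map does not back.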
