tbbr/dualroot: Add fw_config image in chain of trust fw_config image is authenticated using secure boot framework by adding it into the single root and dual root chain of trust. The COT for fw_config image looks as below: +------------------+ +-------------------+ | ROTPK/ROTPK Hash |------>| Trusted Boot fw | +------------------+ | Certificate | | (Auth Image) | /+-------------------+ / | / | / | / | L v +------------------+ +-------------------+ | fw_config hash |------>| fw_config | | | | (Data Image) | +------------------+ +-------------------+ Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: I08fc8ee95c29a95bb140c807dd06e772474c7367

commit: 244027d375f30351da1747da9afa0b0a435d3c5a [log] [tgz]
author: Louis Mayencourt <louis.mayencourt@arm.com> Thu Jun 11 21:15:15 2020 +0100
committer: Manish V Badarkhe <Manish.Badarkhe@arm.com> Wed Jun 24 08:44:26 2020 +0100
tree: 27078b2290a74d0bf1dc91eede38bd5d8f56592e
parent: a1ffcf756c84fa197e1c8d3930629137a92db395 [diff]
diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index f28ddaa..31e5d65 100644
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c

@@ -16,6 +16,7 @@
  * Allocate static buffers to store the authentication parameters extracted from
  * the certificates.
  */
+static unsigned char fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char hw_config_hash_buf[HASH_DER_LEN];
@@ -58,6 +59,8 @@
 		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
+static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
 #ifdef IMAGE_BL1
 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
@@ -165,6 +168,13 @@
 				.ptr = (void *)hw_config_hash_buf,
 				.len = (unsigned int)HASH_DER_LEN
 			}
+		},
+		[3] = {
+			.type_desc = &fw_config_hash,
+			.data = {
+				.ptr = (void *)fw_config_hash_buf,
+				.len = (unsigned int)HASH_DER_LEN
+			}
 		}
 	}
 };
@@ -218,6 +228,22 @@
 		}
 	}
 };
+
+static const auth_img_desc_t fw_config = {
+	.img_id = FW_CONFIG_ID,
+	.img_type = IMG_RAW,
+	.parent = &trusted_boot_fw_cert,
+	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+		[0] = {
+			.type = AUTH_METHOD_HASH,
+			.param.hash = {
+				.data = &raw_data,
+				.hash = &fw_config_hash
+			}
+		}
+	}
+};
+
 #endif /* IMAGE_BL1 */
 
 #ifdef IMAGE_BL2
@@ -860,6 +886,7 @@
 	[BL2_IMAGE_ID]				=	&bl2_image,
 	[HW_CONFIG_ID]				=	&hw_config,
 	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
+	[FW_CONFIG_ID]				=	&fw_config,
 	[FWU_CERT_ID]				=	&fwu_cert,
 	[SCP_BL2U_IMAGE_ID]			=	&scp_bl2u_image,
 	[BL2U_IMAGE_ID]				=	&bl2u_image,

diff --git a/drivers/auth/tbbr/tbbr_cot_bl1.c b/drivers/auth/tbbr/tbbr_cot_bl1.c
index f3bb376..e4c9221 100644
--- a/drivers/auth/tbbr/tbbr_cot_bl1.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl1.c

@@ -150,6 +150,21 @@
 	}
 };
 
+static const auth_img_desc_t fw_config = {
+	.img_id = FW_CONFIG_ID,
+	.img_type = IMG_RAW,
+	.parent = &trusted_boot_fw_cert,
+	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+		[0] = {
+			.type = AUTH_METHOD_HASH,
+			.param.hash = {
+				.data = &raw_data,
+				.hash = &fw_config_hash
+			}
+		}
+	}
+};
+
 /*
  * TBBR Chain of trust definition
  */
@@ -158,6 +173,7 @@
 	[BL2_IMAGE_ID]				=	&bl2_image,
 	[HW_CONFIG_ID]				=	&hw_config,
 	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
+	[FW_CONFIG_ID]				=	&fw_config,
 	[FWU_CERT_ID]				=	&fwu_cert,
 	[SCP_BL2U_IMAGE_ID]			=	&scp_bl2u_image,
 	[BL2U_IMAGE_ID]				=	&bl2u_image,

diff --git a/drivers/auth/tbbr/tbbr_cot_common.c b/drivers/auth/tbbr/tbbr_cot_common.c
index 0a4b75e..ff3f22d 100644
--- a/drivers/auth/tbbr/tbbr_cot_common.c
+++ b/drivers/auth/tbbr/tbbr_cot_common.c

@@ -23,9 +23,10 @@
  * established, we can reuse some of the buffers on different stages
  */
 
+static unsigned char fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char hw_config_hash_buf[HASH_DER_LEN];
 unsigned char tb_fw_hash_buf[HASH_DER_LEN];
-unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
-unsigned char hw_config_hash_buf[HASH_DER_LEN];
 unsigned char scp_fw_hash_buf[HASH_DER_LEN];
 unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
 
@@ -48,7 +49,9 @@
 	AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
 auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
 	AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
-auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
+auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
+	AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
+static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
 	AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
 
 /* trusted_boot_fw_cert */
@@ -95,6 +98,13 @@
 				.ptr = (void *)hw_config_hash_buf,
 				.len = (unsigned int)HASH_DER_LEN
 			}
+		},
+		[3] = {
+			.type_desc = &fw_config_hash,
+			.data = {
+				.ptr = (void *)fw_config_hash_buf,
+				.len = (unsigned int)HASH_DER_LEN
+			}
 		}
 	}
 };
commit	244027d375f30351da1747da9afa0b0a435d3c5a	[log] [tgz]
author	Louis Mayencourt <louis.mayencourt@arm.com>	Thu Jun 11 21:15:15 2020 +0100
committer	Manish V Badarkhe <Manish.Badarkhe@arm.com>	Wed Jun 24 08:44:26 2020 +0100
tree	27078b2290a74d0bf1dc91eede38bd5d8f56592e
parent	a1ffcf756c84fa197e1c8d3930629137a92db395 [diff]