FVP: Add BL2 hash calculation in BL1
This patch provides support for measured boot by adding calculation
of BL2 image hash in BL1 and writing these data in TB_FW_CONFIG DTB.
Change-Id: Ic074a7ed19b14956719c271c805b35d147b7cec1
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
diff --git a/plat/arm/common/arm_dyn_cfg.c b/plat/arm/common/arm_dyn_cfg.c
index df75307..ffa2a64 100644
--- a/plat/arm/common/arm_dyn_cfg.c
+++ b/plat/arm/common/arm_dyn_cfg.c
@@ -15,6 +15,10 @@
#include <common/tbbr/tbbr_img_def.h>
#if TRUSTED_BOARD_BOOT
#include <drivers/auth/mbedtls/mbedtls_config.h>
+#if MEASURED_BOOT
+#include <drivers/auth/crypto_mod.h>
+#include <mbedtls/md.h>
+#endif
#endif
#include <lib/fconf/fconf.h>
#include <lib/fconf/fconf_dyn_cfg_getter.h>
@@ -87,7 +91,7 @@
* the default heap's address and size.
*/
- /* fconf FW_CONFIG and TB_FW_CONFIG are currently the same DTB*/
+ /* fconf FW_CONFIG and TB_FW_CONFIG are currently the same DTB */
tb_fw_cfg_dtb = FCONF_GET_PROPERTY(fconf, dtb, base_addr);
if ((tb_fw_cfg_dtb != 0UL) && (mbedtls_heap_addr != NULL)) {
@@ -100,15 +104,68 @@
ERROR("BL1: unable to write shared Mbed TLS heap information to DTB\n");
panic();
}
+#if !MEASURED_BOOT
/*
* Ensure that the info written to the DTB is visible to other
* images. It's critical because BL2 won't be able to proceed
* without the heap info.
+ *
+ * In MEASURED_BOOT case flushing is done in
+ * arm_bl1_set_bl2_hash() function which is called after heap
+ * information is written in the DTB.
*/
flush_dcache_range(tb_fw_cfg_dtb, fdt_totalsize(dtb));
+#endif /* !MEASURED_BOOT */
}
}
+#if MEASURED_BOOT
+/*
+ * Puts the BL2 hash data to TB_FW_CONFIG DTB.
+ * Executed only from BL1.
+ */
+void arm_bl1_set_bl2_hash(image_desc_t *image_desc)
+{
+ unsigned char hash_data[MBEDTLS_MD_MAX_SIZE];
+ image_info_t image_info = image_desc->image_info;
+ uintptr_t tb_fw_cfg_dtb;
+ int err;
+
+ /* fconf FW_CONFIG and TB_FW_CONFIG are currently the same DTB */
+ tb_fw_cfg_dtb = FCONF_GET_PROPERTY(fconf, dtb, base_addr);
+
+ /*
+ * If tb_fw_cfg_dtb==NULL then DTB is not present for the current
+ * platform. As such, we cannot write to the DTB at all and pass
+ * measured data.
+ */
+ if (tb_fw_cfg_dtb == 0UL) {
+ panic();
+ }
+
+ /* Calculate hash */
+ err = crypto_mod_calc_hash(MBEDTLS_MD_ID,
+ (void *)image_info.image_base,
+ image_info.image_size, hash_data);
+ if (err != 0) {
+ ERROR("BL1: unable to calculate BL2 hash\n");
+ panic();
+ }
+
+ err = arm_set_bl2_hash_info((void *)tb_fw_cfg_dtb, hash_data);
+ if (err < 0) {
+ ERROR("BL1: unable to write BL2 hash data to DTB\n");
+ panic();
+ }
+
+ /*
+ * Ensure that the info written to the DTB is visible to other
+ * images. It's critical because BL2 won't be able to proceed
+ * without the heap info and its hash data.
+ */
+ flush_dcache_range(tb_fw_cfg_dtb, fdt_totalsize((void *)tb_fw_cfg_dtb));
+}
+#endif /* MEASURED_BOOT */
#endif /* TRUSTED_BOARD_BOOT */
/*