dualroot: add chain of trust for secure partitions
A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
be added in future. The certificate is also protected against anti-
rollback using the trusted Non-Volatile counter.
To avoid deviating from TBBR spec, support for SP CoT is only provided
in dualroot.
Secure Partition content certificate is assigned image ID 31 and SP
images follows after it.
The CoT for secure partition look like below.
+------------------+ +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Key |
+------------------+ | Certificate |
| (Auth Image) |
/+-------------------+
/ |
/ |
/ |
/ |
L v
+------------------+ +-------------------+
| Trusted World |------>| SiP owned SPs |
| Public Key | | Content Cert |
+------------------+ | (Auth Image) |
/ +-------------------+
/ |
/ v|
+------------------+ L +-------------------+
| SP_PKG1 Hash |------>| SP_PKG1 |
| | | (Data Image) |
+------------------+ +-------------------+
. .
. .
. .
+------------------+ +-------------------+
| SP_PKG8 Hash |------>| SP_PKG8 |
| | | (Data Image) |
+------------------+ +-------------------+
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f
diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index 8aca2be..f28ddaa 100644
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c
@@ -30,6 +30,9 @@
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
+#if defined(SPD_spmd)
+static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
+#endif /* SPD_spmd */
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN];
@@ -97,6 +100,24 @@
AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
+#if defined(SPD_spmd)
+static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
+static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
+static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
+static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
+static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
+static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
+static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
+static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
+#endif /* SPD_spmd */
#endif /* IMAGE_BL2 */
@@ -642,6 +663,102 @@
}
};
+/*
+ * Secure Partitions
+ */
+#if defined(SPD_spmd)
+static const auth_img_desc_t sp_content_cert = {
+ .img_id = SP_CONTENT_CERT_ID,
+ .img_type = IMG_CERT,
+ .parent = &trusted_key_cert,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_SIG,
+ .param.sig = {
+ .pk = &trusted_world_pk,
+ .sig = &sig,
+ .alg = &sig_alg,
+ .data = &raw_data
+ }
+ },
+ [1] = {
+ .type = AUTH_METHOD_NV_CTR,
+ .param.nv_ctr = {
+ .cert_nv_ctr = &trusted_nv_ctr,
+ .plat_nv_ctr = &trusted_nv_ctr
+ }
+ }
+ },
+ .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+ [0] = {
+ .type_desc = &sp_pkg1_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[0],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [1] = {
+ .type_desc = &sp_pkg2_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[1],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [2] = {
+ .type_desc = &sp_pkg3_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[2],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [3] = {
+ .type_desc = &sp_pkg4_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[3],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [4] = {
+ .type_desc = &sp_pkg5_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[4],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [5] = {
+ .type_desc = &sp_pkg6_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[5],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [6] = {
+ .type_desc = &sp_pkg7_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[6],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [7] = {
+ .type_desc = &sp_pkg8_hash,
+ .data = {
+ .ptr = (void *)sp_pkg_hash_buf[7],
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ }
+ }
+};
+
+DEFINE_SP_PKG(1);
+DEFINE_SP_PKG(2);
+DEFINE_SP_PKG(3);
+DEFINE_SP_PKG(4);
+DEFINE_SP_PKG(5);
+DEFINE_SP_PKG(6);
+DEFINE_SP_PKG(7);
+DEFINE_SP_PKG(8);
+#endif /* SPD_spmd */
+
#else /* IMAGE_BL2 */
/* FWU auth descriptor */
@@ -769,6 +886,17 @@
[NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
[BL33_IMAGE_ID] = &bl33_image,
[NT_FW_CONFIG_ID] = &nt_fw_config,
+#if defined(SPD_spmd)
+ [SP_CONTENT_CERT_ID] = &sp_content_cert,
+ [SP_CONTENT_CERT_ID + 1] = &sp_pkg1,
+ [SP_CONTENT_CERT_ID + 2] = &sp_pkg2,
+ [SP_CONTENT_CERT_ID + 3] = &sp_pkg3,
+ [SP_CONTENT_CERT_ID + 4] = &sp_pkg4,
+ [SP_CONTENT_CERT_ID + 5] = &sp_pkg5,
+ [SP_CONTENT_CERT_ID + 6] = &sp_pkg6,
+ [SP_CONTENT_CERT_ID + 7] = &sp_pkg7,
+ [SP_CONTENT_CERT_ID + 8] = &sp_pkg8,
+#endif
};
#endif
diff --git a/include/common/tbbr/cot_def.h b/include/common/tbbr/cot_def.h
index c411146..6ce7f80 100644
--- a/include/common/tbbr/cot_def.h
+++ b/include/common/tbbr/cot_def.h
@@ -8,8 +8,11 @@
#define COT_DEF_H
/* TBBR CoT definitions */
-
+#if defined(SPD_spmd)
+#define COT_MAX_VERIFIED_PARAMS 8
+#else
#define COT_MAX_VERIFIED_PARAMS 4
+#endif
/*
* Maximum key and hash sizes (in DER format).
diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h
index 1701995..1f9aab1 100644
--- a/include/common/tbbr/tbbr_img_def.h
+++ b/include/common/tbbr/tbbr_img_def.h
@@ -9,4 +9,12 @@
#include <export/common/tbbr/tbbr_img_def_exp.h>
+#if defined(SPD_spmd)
+#define SP_CONTENT_CERT_ID MAX_IMAGE_IDS
+#define MAX_SP_IDS U(8)
+#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(1))
+#else
+#define MAX_NUMBER_IDS MAX_IMAGE_IDS
+#endif
+
#endif /* TBBR_IMG_DEF_H */
diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h
index 1dc9ff4..01d144d 100644
--- a/include/drivers/auth/auth_mod.h
+++ b/include/drivers/auth/auth_mod.h
@@ -50,6 +50,24 @@
extern const size_t cot_desc_size;
extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
+#if defined(SPD_spmd)
+#define DEFINE_SP_PKG(n) \
+ static const auth_img_desc_t sp_pkg##n = { \
+ .img_id = SP_CONTENT_CERT_ID + (n), \
+ .img_type = IMG_RAW, \
+ .parent = &sp_content_cert, \
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
+ [0] = { \
+ .type = AUTH_METHOD_HASH, \
+ .param.hash = { \
+ .data = &raw_data, \
+ .hash = &sp_pkg##n##_hash \
+ } \
+ } \
+ } \
+ }
+#endif
+
#endif /* TRUSTED_BOARD_BOOT */
#endif /* AUTH_MOD_H */
diff --git a/include/export/common/tbbr/tbbr_img_def_exp.h b/include/export/common/tbbr/tbbr_img_def_exp.h
index 89dbc58..a98c1b4 100644
--- a/include/export/common/tbbr/tbbr_img_def_exp.h
+++ b/include/export/common/tbbr/tbbr_img_def_exp.h
@@ -88,12 +88,7 @@
/* Encrypted image identifier */
#define ENC_IMAGE_ID U(30)
-/* Define size of the array */
-#if defined(SPD_spmd)
-#define MAX_SP_IDS U(8)
-#define MAX_NUMBER_IDS MAX_SP_IDS + U(31)
-#else
-#define MAX_NUMBER_IDS U(31)
-#endif
+/* Max Images */
+#define MAX_IMAGE_IDS U(31)
#endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */
diff --git a/plat/arm/board/fvp/fdts/fvp_fw_config.dts b/plat/arm/board/fvp/fdts/fvp_fw_config.dts
index 7c11108..5bd0edb 100644
--- a/plat/arm/board/fvp/fdts/fvp_fw_config.dts
+++ b/plat/arm/board/fvp/fdts/fvp_fw_config.dts
@@ -111,6 +111,7 @@
soc_fw_content_cert_uuid = <0x200cb2e2 0x11e4635e 0xccabe89c 0x66b62bf9>;
tos_fw_content_cert_uuid = <0x11449fa4 0x11e4635e 0x53f2887 0x3df32a72>;
nt_fw_content_cert_uuid = <0xf3c1c48e 0x11e4635d 0xee87a9a7 0xa73fb240>;
+ sp_content_cert_uuid = <0x44fd6d77 0x3b4c9786 0x3ec1eb91 0x6f2a5a02>;
};
};
#endif /* ARM_IO_IN_DTB */
diff --git a/plat/arm/common/fconf/arm_fconf_io.c b/plat/arm/common/fconf/arm_fconf_io.c
index 26e51b2..68cd9fb 100644
--- a/plat/arm/common/fconf/arm_fconf_io.c
+++ b/plat/arm/common/fconf/arm_fconf_io.c
@@ -49,6 +49,9 @@
[SOC_FW_CONTENT_CERT_ID] = {UUID_SOC_FW_CONTENT_CERT},
[TRUSTED_OS_FW_CONTENT_CERT_ID] = {UUID_TRUSTED_OS_FW_CONTENT_CERT},
[NON_TRUSTED_FW_CONTENT_CERT_ID] = {UUID_NON_TRUSTED_FW_CONTENT_CERT},
+#if defined(SPD_spmd)
+ [SP_CONTENT_CERT_ID] = {UUID_SIP_SECURE_PARTITION_CONTENT_CERT},
+#endif
#endif /* ARM_IO_IN_DTB */
#endif /* TRUSTED_BOARD_BOOT */
};
@@ -174,6 +177,13 @@
(uintptr_t)&arm_uuid_spec[NON_TRUSTED_FW_CONTENT_CERT_ID],
open_fip
},
+#if defined(SPD_spmd)
+ [SP_CONTENT_CERT_ID] = {
+ &fip_dev_handle,
+ (uintptr_t)&arm_uuid_spec[SP_CONTENT_CERT_ID],
+ open_fip
+ },
+#endif
#endif /* ARM_IO_IN_DTB */
#endif /* TRUSTED_BOARD_BOOT */
};
@@ -181,7 +191,7 @@
#ifdef IMAGE_BL2
#if TRUSTED_BOARD_BOOT
-#define FCONF_ARM_IO_UUID_NUMBER U(19)
+#define FCONF_ARM_IO_UUID_NUMBER U(20)
#else
#define FCONF_ARM_IO_UUID_NUMBER U(10)
#endif
@@ -216,6 +226,9 @@
{SOC_FW_CONTENT_CERT_ID, "soc_fw_content_cert_uuid"},
{TRUSTED_OS_FW_CONTENT_CERT_ID, "tos_fw_content_cert_uuid"},
{NON_TRUSTED_FW_CONTENT_CERT_ID, "nt_fw_content_cert_uuid"},
+#if defined(SPD_spmd)
+ {SP_CONTENT_CERT_ID, "sp_content_cert_uuid"},
+#endif
#endif /* TRUSTED_BOARD_BOOT */
};
diff --git a/plat/arm/common/fconf/arm_fconf_sp.c b/plat/arm/common/fconf/arm_fconf_sp.c
index 1b09bc8..64e873e 100644
--- a/plat/arm/common/fconf/arm_fconf_sp.c
+++ b/plat/arm/common/fconf/arm_fconf_sp.c
@@ -30,7 +30,7 @@
union uuid_helper_t uuid_helper;
unsigned int index = 0;
uint32_t val32;
- const unsigned int sp_start_index = MAX_NUMBER_IDS - MAX_SP_IDS;
+ const unsigned int sp_start_index = SP_CONTENT_CERT_ID + 1;
/* As libfdt use void *, we can't avoid this cast */
const void *dtb = (void *)config;