commit 713b6a59230de73a53859e5f5a745f112d4e09aa
author Pankaj Gupta <pankaj.gupta@nxp.com> Wed Dec 09 14:02:40 2020 +0530
committer Pankaj Gupta <pankaj.gupta@nxp.com> Wed Mar 24 09:49:32 2021 +0530
tree d694c53b8947e9672f91567e8cdbe29f087151dc
parent 9f29965b55fc24f3ff5f6a09a6e14e6104d68826

nxp: supports two mode of trusted board boot

NXP SoC supports two TBB mode:
- MBED_TLS based
  -- ROTK key hash is placed as part of the BL2 binary at section:
     --- .rodata.nxp_rotpk_hash
  -- Supporting non-volatile counter via SFP.
     -- platform function used by TFA common authentication code.

- NXP CSF based
  -- ROTK key deployment vary from MBEDTLS

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: Ib0f0bf024fd93de906c5d4f609383ae9e02b2fbc

plat/nxp/common/tbbr/csf_tbbr.c

diff --git a/plat/nxp/common/tbbr/csf_tbbr.c b/plat/nxp/common/tbbr/csf_tbbr.c
new file mode 100644
index 0000000..8f38f3e
--- /dev/null
+++ b/plat/nxp/common/tbbr/csf_tbbr.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright 2018-2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ *
+ */
+
+#include <errno.h>
+
+#include <common/debug.h>
+#include <csf_hdr.h>
+#include <dcfg.h>
+#include <drivers/auth/crypto_mod.h>
+#include <snvs.h>
+
+#include <plat/common/platform.h>
+#include "plat_common.h"
+
+extern bool rotpk_not_dpld;
+extern uint8_t rotpk_hash_table[MAX_KEY_ENTRIES][SHA256_BYTES];
+extern uint32_t num_rotpk_hash_entries;
+
+/*
+ * In case of secure boot, return ptr of rotpk_hash table in key_ptr and
+ * number of hashes in key_len
+ */
+int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
+			unsigned int *flags)
+{
+	uint32_t mode = 0U;
+	*flags = ROTPK_NOT_DEPLOYED;
+
+	/* ROTPK hash table must be available for secure boot */
+	if (rotpk_not_dpld == true) {
+		if (check_boot_mode_secure(&mode) == true) {
+			/* Production mode, don;t continue further */
+			if (mode == 1U) {
+				return -EAUTH;
+			}
+
+			/* For development mode, rotpk flag false
+			 * indicates that SRK hash comparison might
+			 * have failed. This is not fatal error.
+			 * Continue in this case but transition SNVS
+			 * to non-secure state
+			 */
+			transition_snvs_non_secure();
+			return 0;
+		} else {
+			return 0;
+		}
+	}
+
+	/*
+	 * We return the complete hash table and number of entries in
+	 * table for NXP platform specific implementation.
+	 * Here hash is always assume as SHA-256
+	 */
+	*key_ptr = rotpk_hash_table;
+	*key_len = num_rotpk_hash_entries;
+	*flags = ROTPK_IS_HASH;
+
+	return 0;
+}
+
+int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr)
+{
+	/*
+	 * No support for non-volatile counter. Update the ROT key to protect
+	 * the system against rollback.
+	 */
+	*nv_ctr = 0U;
+
+	return 0;
+}
+
+int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
+{
+	return 0;
+}