Measured Boot: add function for hash calculation This patch adds 'calc_hash' function using Mbed TLS library required for Measured Boot support. Change-Id: Ifc5aee0162d04db58ec6391e0726a526f29a52bb Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

commit: 913cb7ef51afc0c0cf56949bbc2702b2eab5d440 [log] [tgz]
author: Alexei Fedorov <Alexei.Fedorov@arm.com> Thu Jan 23 14:27:38 2020 +0000
committer: Alexei Fedorov <Alexei.Fedorov@arm.com> Tue Jan 28 16:51:40 2020 +0000
tree: 204f88f59c8d18a4af387d7185fe5c5f51a04fa4
parent: 5f98390e6ba024d0cd2da08046e8390f101346a3 [diff]
diff --git a/Makefile b/Makefile
index bd52c0b..72db2a7 100644
--- a/Makefile
+++ b/Makefile

@@ -604,6 +604,14 @@
     endif
 endif
 
+ifeq ($(MEASURED_BOOT),1)
+    ifneq (${TRUSTED_BOARD_BOOT},1)
+        $(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1")
+    else
+        $(info MEASURED_BOOT is an experimental feature)
+    endif
+endif
+
 ################################################################################
 # Process platform overrideable behaviour
 ################################################################################
@@ -751,6 +759,7 @@
 $(eval $(call assert_boolean,GICV2_G0_FOR_EL3))
 $(eval $(call assert_boolean,HANDLE_EA_EL3_FIRST))
 $(eval $(call assert_boolean,HW_ASSISTED_COHERENCY))
+$(eval $(call assert_boolean,MEASURED_BOOT))
 $(eval $(call assert_boolean,NS_TIMER_SWITCH))
 $(eval $(call assert_boolean,OVERRIDE_LIBC))
 $(eval $(call assert_boolean,PL011_GENERIC_UART))
@@ -817,6 +826,7 @@
 $(eval $(call add_define,HANDLE_EA_EL3_FIRST))
 $(eval $(call add_define,HW_ASSISTED_COHERENCY))
 $(eval $(call add_define,LOG_LEVEL))
+$(eval $(call add_define,MEASURED_BOOT))
 $(eval $(call add_define,NS_TIMER_SWITCH))
 $(eval $(call add_define,PL011_GENERIC_UART))
 $(eval $(call add_define,PLAT_${PLAT}))

diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index fc45455..b702c34 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst

@@ -387,6 +387,11 @@
    All log output up to and including the selected log level is compiled into
    the build. The default value is 40 in debug builds and 20 in release builds.
 
+-  ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot
+   feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set.
+   This option defaults to 0 and is an experimental feature in the stage of
+   development.
+
 -  ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
    specifies the file that contains the Non-Trusted World private key in PEM
    format. If ``SAVE_KEYS=1``, this file name will be used to save the key.

diff --git a/drivers/auth/crypto_mod.c b/drivers/auth/crypto_mod.c
index 5e5ac2b..110c504 100644
--- a/drivers/auth/crypto_mod.c
+++ b/drivers/auth/crypto_mod.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -103,3 +103,24 @@
 	return crypto_lib_desc.verify_hash(data_ptr, data_len,
 					   digest_info_ptr, digest_info_len);
 }
+
+#if MEASURED_BOOT
+/*
+ * Calculate a hash
+ *
+ * Parameters:
+ *
+ *   alg: message digest algorithm
+ *   data_ptr, data_len: data to be hashed
+ *   output: resulting hash
+ */
+int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
+			 unsigned int data_len, unsigned char *output)
+{
+	assert(data_ptr != NULL);
+	assert(data_len != 0);
+	assert(output != NULL);
+
+	return crypto_lib_desc.calc_hash(alg, data_ptr, data_len, output);
+}
+#endif	/* MEASURED_BOOT */

diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index 33420fb..04fbc64 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -205,7 +205,32 @@
 	return CRYPTO_SUCCESS;
 }
 
+#if MEASURED_BOOT
+/*
+ * Calculate a hash
+ *
+ * output points to the computed hash
+ */
+int calc_hash(unsigned int alg, void *data_ptr,
+	      unsigned int data_len, unsigned char *output)
+{
+	const mbedtls_md_info_t *md_info;
+
+	md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)alg);
+	if (md_info == NULL) {
+		return CRYPTO_ERR_HASH;
+	}
+
+	/* Calculate the hash of the data */
+	return mbedtls_md(md_info, data_ptr, data_len, output);
+}
+#endif /* MEASURED_BOOT */
+
 /*
  * Register crypto library descriptor
  */
+#if MEASURED_BOOT
+REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash);
+#else
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash);
+#endif /* MEASURED_BOOT */

diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h
index 3a42105..f211035 100644
--- a/include/drivers/auth/crypto_mod.h
+++ b/include/drivers/auth/crypto_mod.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -37,6 +37,13 @@
 	/* Verify a hash. Return one of the 'enum crypto_ret_value' options */
 	int (*verify_hash)(void *data_ptr, unsigned int data_len,
 			   void *digest_info_ptr, unsigned int digest_info_len);
+
+#if MEASURED_BOOT
+	/* Calculate a hash. Return hash value */
+	int (*calc_hash)(unsigned int alg, void *data_ptr,
+			 unsigned int data_len, unsigned char *output);
+#endif /* MEASURED_BOOT */
+
 } crypto_lib_desc_t;
 
 /* Public functions */
@@ -48,7 +55,21 @@
 int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len,
 			   void *digest_info_ptr, unsigned int digest_info_len);
 
+#if MEASURED_BOOT
+int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
+			 unsigned int data_len, unsigned char *output);
+
 /* Macro to register a cryptographic library */
+#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
+							     _calc_hash) \
+	const crypto_lib_desc_t crypto_lib_desc = { \
+		.name = _name, \
+		.init = _init, \
+		.verify_signature = _verify_signature, \
+		.verify_hash = _verify_hash, \
+		.calc_hash = _calc_hash \
+	}
+#else
 #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash) \
 	const crypto_lib_desc_t crypto_lib_desc = { \
 		.name = _name, \
@@ -56,6 +77,7 @@
 		.verify_signature = _verify_signature, \
 		.verify_hash = _verify_hash \
 	}
+#endif	/* MEASURED_BOOT */
 
 extern const crypto_lib_desc_t crypto_lib_desc;
 

diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index 53832c5..4af1da6 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2016-2019, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -139,6 +139,9 @@
 # Set the default algorithm for the generation of Trusted Board Boot keys
 KEY_ALG				:= rsa
 
+# Option to build TF with Measured Boot support
+MEASURED_BOOT			:= 0
+
 # NS timer register save and restore
 NS_TIMER_SWITCH			:= 0
commit	913cb7ef51afc0c0cf56949bbc2702b2eab5d440	[log] [tgz]
author	Alexei Fedorov <Alexei.Fedorov@arm.com>	Thu Jan 23 14:27:38 2020 +0000
committer	Alexei Fedorov <Alexei.Fedorov@arm.com>	Tue Jan 28 16:51:40 2020 +0000
tree	204f88f59c8d18a4af387d7185fe5c5f51a04fa4
parent	5f98390e6ba024d0cd2da08046e8390f101346a3 [diff]