TBB: authenticate BL3-x images and certificates
This patch adds support to authenticate the Trusted Key certificate
and the BL3-x certificates and images at BL2.
Change-Id: I69a8c13a14c8da8b75f93097d3a4576aed71c5dd
diff --git a/plat/juno/include/platform_def.h b/plat/juno/include/platform_def.h
index 748b32d..1071d12 100644
--- a/plat/juno/include/platform_def.h
+++ b/plat/juno/include/platform_def.h
@@ -74,6 +74,17 @@
#if TRUSTED_BOARD_BOOT
/* Certificates */
# define BL2_CERT_NAME "bl2.crt"
+# define TRUSTED_KEY_CERT_NAME "trusted_key.crt"
+
+# define BL30_KEY_CERT_NAME "bl30_key.crt"
+# define BL31_KEY_CERT_NAME "bl31_key.crt"
+# define BL32_KEY_CERT_NAME "bl32_key.crt"
+# define BL33_KEY_CERT_NAME "bl33_key.crt"
+
+# define BL30_CERT_NAME "bl30.crt"
+# define BL31_CERT_NAME "bl31.crt"
+# define BL32_CERT_NAME "bl32.crt"
+# define BL33_CERT_NAME "bl33.crt"
#endif /* TRUSTED_BOARD_BOOT */
#define PLATFORM_CACHE_LINE_SIZE 64
diff --git a/plat/juno/plat_io_storage.c b/plat/juno/plat_io_storage.c
index dd9f048..b31865e 100644
--- a/plat/juno/plat_io_storage.c
+++ b/plat/juno/plat_io_storage.c
@@ -82,6 +82,51 @@
.path = BL2_CERT_NAME,
.mode = FOPEN_MODE_RB
};
+
+static const io_file_spec_t trusted_key_cert_file_spec = {
+ .path = TRUSTED_KEY_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl30_key_cert_file_spec = {
+ .path = BL30_KEY_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl31_key_cert_file_spec = {
+ .path = BL31_KEY_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl32_key_cert_file_spec = {
+ .path = BL32_KEY_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl33_key_cert_file_spec = {
+ .path = BL33_KEY_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl30_cert_file_spec = {
+ .path = BL30_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl31_cert_file_spec = {
+ .path = BL31_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl32_cert_file_spec = {
+ .path = BL32_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+
+static const io_file_spec_t bl33_cert_file_spec = {
+ .path = BL33_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
#endif /* TRUSTED_BOARD_BOOT */
static int open_fip(const uintptr_t spec);
@@ -132,6 +177,51 @@
(uintptr_t)&bl2_cert_file_spec,
open_fip
}, {
+ TRUSTED_KEY_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&trusted_key_cert_file_spec,
+ open_fip
+ }, {
+ BL30_KEY_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl30_key_cert_file_spec,
+ open_fip
+ }, {
+ BL31_KEY_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl31_key_cert_file_spec,
+ open_fip
+ }, {
+ BL32_KEY_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl32_key_cert_file_spec,
+ open_fip
+ }, {
+ BL33_KEY_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl33_key_cert_file_spec,
+ open_fip
+ }, {
+ BL30_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl30_cert_file_spec,
+ open_fip
+ }, {
+ BL31_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl31_cert_file_spec,
+ open_fip
+ }, {
+ BL32_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl32_cert_file_spec,
+ open_fip
+ }, {
+ BL33_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl33_cert_file_spec,
+ open_fip
+ }, {
#endif /* TRUSTED_BOARD_BOOT */
0, 0, 0
}