nxp: cot using nxp internal and mbedtls
Chain of trust(CoT) is enabled on NXP SoC in two ways:
- Using MbedTLS, parsing X509 Certificates.
- Using NXP internal method parsing CSF header
Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I78fb28516dfcfa667bebf8a1951ffb24bcab8de4
diff --git a/drivers/nxp/auth/csf_hdr_parser/plat_img_parser.c b/drivers/nxp/auth/csf_hdr_parser/plat_img_parser.c
new file mode 100644
index 0000000..43b78e5
--- /dev/null
+++ b/drivers/nxp/auth/csf_hdr_parser/plat_img_parser.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 2014-2016, Freescale Semiconductor, Inc.
+ * Copyright 2017-2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <arch_helpers.h>
+#include <common/debug.h>
+#include <csf_hdr.h>
+#include <drivers/auth/crypto_mod.h>
+#include <drivers/auth/img_parser_mod.h>
+#include <lib/utils.h>
+#include <sfp.h>
+
+/* Temporary variables to speed up the authentication parameters search. These
+ * variables are assigned once during the integrity check and used any time an
+ * authentication parameter is requested, so we do not have to parse the image
+ * again.
+ */
+
+/* Hash of Image + CSF Header + SRK table */
+uint8_t img_hash[SHA256_BYTES] __aligned(CACHE_WRITEBACK_GRANULE);
+uint32_t hash_len;
+
+/* Key being used for authentication
+ * Points to the key in CSF header copied in DDR
+ * ESBC client key
+ */
+void *img_key;
+uint32_t key_len;
+
+/* ESBC client signature */
+void *img_sign;
+uint32_t sign_len;
+enum sig_alg alg;
+
+/* Maximum OID string length ("a.b.c.d.e.f ...") */
+#define MAX_OID_STR_LEN 64
+
+#define LIB_NAME "NXP CSFv2"
+
+/*
+ * Clear all static temporary variables.
+ */
+static void clear_temp_vars(void)
+{
+#define ZERO_AND_CLEAN(x) \
+ do { \
+ zeromem(&x, sizeof(x)); \
+ clean_dcache_range((uintptr_t)&x, sizeof(x)); \
+ } while (0)
+
+ ZERO_AND_CLEAN(img_key);
+ ZERO_AND_CLEAN(img_sign);
+ ZERO_AND_CLEAN(img_hash);
+ ZERO_AND_CLEAN(key_len);
+ ZERO_AND_CLEAN(hash_len);
+ ZERO_AND_CLEAN(sign_len);
+
+#undef ZERO_AND_CLEAN
+}
+
+/* Exported functions */
+
+static void init(void)
+{
+ clear_temp_vars();
+}
+
+/*
+ * This function would check the integrity of the CSF header
+ */
+static int check_integrity(void *img, unsigned int img_len)
+{
+ int ret;
+
+ /*
+ * The image file has been successfully loaded till here.
+ *
+ * Flush the image to main memory so that it can be authenticated
+ * by CAAM, a HW accelerator regardless of cache and MMU state.
+ */
+ flush_dcache_range((uintptr_t) img, img_len);
+
+ /*
+ * Image is appended at an offset of 16K (IMG_OFFSET) to the header.
+ * So the size in header should be equal to img_len - IMG_OFFSET
+ */
+ VERBOSE("Barker code is %x\n", *(unsigned int *)img);
+ ret = validate_esbc_header(img, &img_key, &key_len, &img_sign,
+ &sign_len, &alg);
+ if (ret < 0) {
+ ERROR("Header authentication failed\n");
+ clear_temp_vars();
+ return IMG_PARSER_ERR;
+ }
+ /* Calculate the hash of various components from the image */
+ ret = calc_img_hash(img, (uint8_t *)img + CSF_HDR_SZ,
+ img_len - CSF_HDR_SZ, img_hash, &hash_len);
+ if (ret != 0) {
+ ERROR("Issue in hash calculation %d\n", ret);
+ clear_temp_vars();
+ return IMG_PARSER_ERR;
+ }
+
+ return IMG_PARSER_OK;
+}
+
+/*
+ * Extract an authentication parameter from CSF header
+ *
+ * CSF header has already been parsed and the required information like
+ * hash of data, signature, length stored in global variables has been
+ * extracted in chek_integrity function. This data
+ * is returned back to the caller.
+ */
+static int get_auth_param(const auth_param_type_desc_t *type_desc,
+ void *img, unsigned int img_len,
+ void **param, unsigned int *param_len)
+{
+ int rc = IMG_PARSER_OK;
+
+ /* We do not use img because the check_integrity function has already
+ * extracted the relevant data ( pk, sig_alg, etc)
+ */
+
+ switch (type_desc->type) {
+
+ /* Hash will be returned for comparison with signature */
+ case AUTH_PARAM_HASH:
+ *param = (void *)img_hash;
+ *param_len = (unsigned int)SHA256_BYTES;
+ break;
+
+ /* Return the public key used for signature extracted from the SRK table
+ * after checks with key revocation
+ */
+ case AUTH_PARAM_PUB_KEY:
+ /* Get the subject public key */
+ /* For a 1K key - the length would be 2k/8 = 0x100 bytes
+ * 2K RSA key - 0x200 , 4K RSA - 0x400
+ */
+ *param = img_key;
+ *param_len = (unsigned int)key_len;
+ break;
+
+ /* Call a function to tell if signature is RSA or ECDSA. ECDSA to be
+ * supported in later platforms like LX2 etc
+ */
+ case AUTH_PARAM_SIG_ALG:
+ /* Algo will be signature - RSA or ECDSA on hash */
+ *param = (void *)&alg;
+ *param_len = 4U;
+ break;
+
+ /* Return the signature */
+ case AUTH_PARAM_SIG:
+ *param = img_sign;
+ *param_len = (unsigned int)sign_len;
+ break;
+
+ case AUTH_PARAM_NV_CTR:
+
+ default:
+ rc = IMG_PARSER_ERR_NOT_FOUND;
+ break;
+ }
+
+ return rc;
+}
+
+REGISTER_IMG_PARSER_LIB(IMG_PLAT, LIB_NAME, init,
+ check_integrity, get_auth_param);