TBB: switch to the new authentication framework
This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the crypto module and the image parser module to
authenticate the images in the Chain of Trust.
A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.
The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.
The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.
On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.
REMOVED BUILD OPTIONS:
* 'AUTH_MOD'
Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
index aba0afc..4c19002 100644
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@@ -31,7 +31,7 @@
#include <arch.h>
#include <arch_helpers.h>
#include <assert.h>
-#include <auth.h>
+#include <auth_mod.h>
#include <bl_common.h>
#include <debug.h>
#include <platform.h>
@@ -39,147 +39,6 @@
#include <stdint.h>
#include "bl2_private.h"
-#if TRUSTED_BOARD_BOOT
-
-#ifdef BL32_BASE
-static int bl32_cert_error;
-#endif
-
-/*
- * Load and authenticate the key and content certificates for a BL3-x image.
- * The _blob values identify the authentication objects (an object may be seen
- * as a single stage in the authentication process). See auth.h for the complete
- * list of objects. The _id values are passed to the IO framework to identify
- * the images to load.
- *
- * Parameters:
- * key_cert_blob: key certificate blob id (see auth.h)
- * key_cert_id: key certificate image identifier (for IO framework)
- * cont_cert_blob: content certificate blob id (see auth.h)
- * cont_cert_id: content certificate image identifier (for IO framework)
- * mem_layout: Trusted SRAM memory layout
- * load_addr: load the certificates at this address
- *
- * Return: 0 = success, Otherwise = error
- */
-static int load_cert_bl3x(unsigned int key_cert_blob, unsigned int key_cert_id,
- unsigned int cont_cert_blob, unsigned int cont_cert_id,
- meminfo_t *mem_layout, uint64_t load_addr)
-{
- image_info_t image_info;
- int err;
-
- /* Load Key certificate */
- image_info.h.version = VERSION_1;
- err = load_image(mem_layout, key_cert_id, load_addr, &image_info, NULL);
- if (err) {
- ERROR("Cannot load key certificate id=%u\n", key_cert_id);
- return err;
- }
-
- err = auth_verify_obj(key_cert_blob, image_info.image_base,
- image_info.image_size);
- if (err) {
- ERROR("Invalid key certificate id=%u\n", key_cert_id);
- return err;
- }
-
- /* Load Content certificate */
- image_info.h.version = VERSION_1;
- err = load_image(mem_layout, cont_cert_id, load_addr, &image_info, NULL);
- if (err) {
- ERROR("Cannot load content certificate id=%u\n",
- cont_cert_id);
- return err;
- }
-
- err = auth_verify_obj(cont_cert_blob, image_info.image_base,
- image_info.image_size);
- if (err) {
- ERROR("Invalid content certificate id=%u\n", cont_cert_id);
- return err;
- }
-
- return 0;
-}
-
-/*
- * Load and authenticate the Trusted Key certificate the key and content
- * certificates for each of the BL3-x images.
- *
- * Return: 0 = success, Otherwise = error
- */
-static int load_certs(void)
-{
- const uint64_t load_addr = BL31_BASE;
- image_info_t image_info;
- meminfo_t *mem_layout;
- int err;
-
- /* Find out how much free trusted ram remains after BL2 load */
- mem_layout = bl2_plat_sec_mem_layout();
-
- /* Load the Trusted Key certificate in the BL31 region */
- image_info.h.version = VERSION_1;
- err = load_image(mem_layout, TRUSTED_KEY_CERT_ID, load_addr,
- &image_info, NULL);
- if (err) {
- ERROR("Failed to load Trusted Key certificate.\n");
- return err;
- }
-
- /* Validate the certificate */
- err = auth_verify_obj(AUTH_TRUSTED_KEY_CERT, image_info.image_base,
- image_info.image_size);
- if (err) {
- ERROR("Invalid Trusted Key certificate.\n");
- return err;
- }
-
- /* Load and validate Key and Content certificates for BL3-x images */
-#ifdef BL30_BASE
- err = load_cert_bl3x(AUTH_BL30_KEY_CERT, BL30_KEY_CERT_ID,
- AUTH_BL30_IMG_CERT, BL30_CERT_ID,
- mem_layout, load_addr);
- if (err) {
- ERROR("Failed to verify BL3-0 authenticity\n");
- return err;
- }
-#endif /* BL30_BASE */
-
- err = load_cert_bl3x(AUTH_BL31_KEY_CERT, BL31_KEY_CERT_ID,
- AUTH_BL31_IMG_CERT, BL31_CERT_ID,
- mem_layout, load_addr);
- if (err) {
- ERROR("Failed to verify BL3-1 authenticity\n");
- return err;
- }
-
-#ifdef BL32_BASE
- /* BL3-2 image is optional, but keep the return value in case the
- * image is present but the certificate is missing */
- err = load_cert_bl3x(AUTH_BL32_KEY_CERT, BL32_KEY_CERT_ID,
- AUTH_BL32_IMG_CERT, BL32_CERT_ID,
- mem_layout, load_addr);
- if (err) {
- WARN("Failed to verify BL3-2 authenticity\n");
- }
- bl32_cert_error = err;
-#endif /* BL32_BASE */
-
- err = load_cert_bl3x(AUTH_BL33_KEY_CERT, BL33_KEY_CERT_ID,
- AUTH_BL33_IMG_CERT, BL33_CERT_ID,
- mem_layout, load_addr);
- if (err) {
- ERROR("Failed to verify BL3-3 authenticity\n");
- return err;
- }
-
- return 0;
-}
-
-#endif /* TRUSTED_BOARD_BOOT */
-
/*******************************************************************************
* Load the BL3-0 image if there's one.
* If a platform does not want to attempt to load BL3-0 image it must leave
@@ -205,34 +64,18 @@
INFO("BL2: Loading BL3-0\n");
bl2_plat_get_bl30_meminfo(&bl30_mem_info);
bl30_image_info.h.version = VERSION_1;
- e = load_image(&bl30_mem_info,
- BL30_IMAGE_ID,
- BL30_BASE,
- &bl30_image_info,
- NULL);
-
- if (e)
- return e;
-
-#if TRUSTED_BOARD_BOOT
- e = auth_verify_obj(AUTH_BL30_IMG,
- bl30_image_info.image_base,
- bl30_image_info.image_size);
- if (e) {
- ERROR("Failed to authenticate BL3-0 image.\n");
- return e;
- }
+ e = load_auth_image(&bl30_mem_info,
+ BL30_IMAGE_ID,
+ BL30_BASE,
+ &bl30_image_info,
+ NULL);
- /* After working with data, invalidate the data cache */
- inv_dcache_range(bl30_image_info.image_base,
- (size_t)bl30_image_info.image_size);
-#endif /* TRUSTED_BOARD_BOOT */
-
- /* The subsequent handling of BL3-0 is platform specific */
- e = bl2_plat_handle_bl30(&bl30_image_info);
- if (e) {
- ERROR("Failure in platform-specific handling of BL3-0 image.\n");
- return e;
+ if (e == 0) {
+ /* The subsequent handling of BL3-0 is platform specific */
+ e = bl2_plat_handle_bl30(&bl30_image_info);
+ if (e) {
+ ERROR("Failure in platform-specific handling of BL3-0 image.\n");
+ }
}
#endif /* BL30_BASE */
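Review bot: The explicit `inv_dcache_range()` over the freshly loaded BL3-0 image, previously issued right after authentication, is dropped here with nothing visible at the call site taking its place, and the same happens in the load_bl31, load_bl32 and load_bl33 hunks below. If `load_auth_image()` does not itself invalidate the data cache over the image range after verifying it (its implementation is not in this diff), the next stage could observe stale lines over a region that was just checked, so this is worth confirming and recording at the call, e.g. `/* load_auth_image() authenticates the image and invalidates its cache range */`. These call sites also no longer emit any diagnostic when `load_auth_image()` fails, so unless the helper logs internally, the removed `Failed to authenticate BL3-0 image.` message and its siblings leave no trace of which image or CoT stage rejected the boot. load_bl30 begins before this hunk and its final `return e` lies outside it.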
@@ -262,31 +105,17 @@
bl31_ep_info->args.arg0 = (unsigned long)bl2_to_bl31_params;
/* Load the BL3-1 image */
- e = load_image(bl2_tzram_layout,
- BL31_IMAGE_ID,
- BL31_BASE,
- bl2_to_bl31_params->bl31_image_info,
- bl31_ep_info);
- if (e)
- return e;
+ e = load_auth_image(bl2_tzram_layout,
+ BL31_IMAGE_ID,
+ BL31_BASE,
+ bl2_to_bl31_params->bl31_image_info,
+ bl31_ep_info);
-#if TRUSTED_BOARD_BOOT
- e = auth_verify_obj(AUTH_BL31_IMG,
- bl2_to_bl31_params->bl31_image_info->image_base,
- bl2_to_bl31_params->bl31_image_info->image_size);
- if (e) {
- ERROR("Failed to authenticate BL3-1 image.\n");
- return e;
+ if (e == 0) {
+ bl2_plat_set_bl31_ep_info(bl2_to_bl31_params->bl31_image_info,
+ bl31_ep_info);
}
- /* After working with data, invalidate the data cache */
- inv_dcache_range(bl2_to_bl31_params->bl31_image_info->image_base,
- (size_t)bl2_to_bl31_params->bl31_image_info->image_size);
-#endif /* TRUSTED_BOARD_BOOT */
-
- bl2_plat_set_bl31_ep_info(bl2_to_bl31_params->bl31_image_info,
- bl31_ep_info);
-
return e;
}
@@ -314,37 +143,17 @@
* completely different memory.
*/
bl2_plat_get_bl32_meminfo(&bl32_mem_info);
- e = load_image(&bl32_mem_info,
- BL32_IMAGE_ID,
- BL32_BASE,
- bl2_to_bl31_params->bl32_image_info,
- bl2_to_bl31_params->bl32_ep_info);
-
- if (e)
- return e;
-
-#if TRUSTED_BOARD_BOOT
- /* Image is present. Check if there is a valid certificate */
- if (bl32_cert_error) {
- ERROR("Failed to authenticate BL3-2 certificates.\n");
- return bl32_cert_error;
- }
+ e = load_auth_image(&bl32_mem_info,
+ BL32_IMAGE_ID,
+ BL32_BASE,
+ bl2_to_bl31_params->bl32_image_info,
+ bl2_to_bl31_params->bl32_ep_info);
- e = auth_verify_obj(AUTH_BL32_IMG,
- bl2_to_bl31_params->bl32_image_info->image_base,
- bl2_to_bl31_params->bl32_image_info->image_size);
- if (e) {
- ERROR("Failed to authenticate BL3-2 image.\n");
- return e;
+ if (e == 0) {
+ bl2_plat_set_bl32_ep_info(
+ bl2_to_bl31_params->bl32_image_info,
+ bl2_to_bl31_params->bl32_ep_info);
}
- /* After working with data, invalidate the data cache */
- inv_dcache_range(bl2_to_bl31_params->bl32_image_info->image_base,
- (size_t)bl2_to_bl31_params->bl32_image_info->image_size);
-#endif /* TRUSTED_BOARD_BOOT */
-
- bl2_plat_set_bl32_ep_info(
- bl2_to_bl31_params->bl32_image_info,
- bl2_to_bl31_params->bl32_ep_info);
#endif /* BL32_BASE */
return e;
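Review bot: With BL3-2 being optional, the new `if (e == 0)` path folds "image not present" and "image present but rejected by authentication" into the same non-zero `e`, whereas the removed code at least logged `Failed to authenticate BL3-2 certificates.` or `Failed to authenticate BL3-2 image.` before returning. If the caller of load_bl32 (outside this hunk) treats any non-zero result as "no BL3-2, continue boot", a tampered BL3-2 would be skipped silently instead of refused; whether `load_auth_image()` returns distinguishable codes for the two cases is not visible here. Consider at least logging at this site, e.g. `if (e != 0) WARN("BL3-2 not loaded (e=%d)\n", e);`, or stating in the function comment that absence and rejection are deliberately treated alike. load_bl32 starts above this hunk.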
@@ -367,30 +176,16 @@
bl2_plat_get_bl33_meminfo(&bl33_mem_info);
/* Load the BL3-3 image in non-secure memory provided by the platform */
- e = load_image(&bl33_mem_info,
- BL33_IMAGE_ID,
- plat_get_ns_image_entrypoint(),
- bl2_to_bl31_params->bl33_image_info,
- bl2_to_bl31_params->bl33_ep_info);
+ e = load_auth_image(&bl33_mem_info,
+ BL33_IMAGE_ID,
+ plat_get_ns_image_entrypoint(),
+ bl2_to_bl31_params->bl33_image_info,
+ bl2_to_bl31_params->bl33_ep_info);
- if (e)
- return e;
-
-#if TRUSTED_BOARD_BOOT
- e = auth_verify_obj(AUTH_BL33_IMG,
- bl2_to_bl31_params->bl33_image_info->image_base,
- bl2_to_bl31_params->bl33_image_info->image_size);
- if (e) {
- ERROR("Failed to authenticate BL3-3 image.\n");
- return e;
+ if (e == 0) {
+ bl2_plat_set_bl33_ep_info(bl2_to_bl31_params->bl33_image_info,
+ bl2_to_bl31_params->bl33_ep_info);
}
- /* After working with data, invalidate the data cache */
- inv_dcache_range(bl2_to_bl31_params->bl33_image_info->image_base,
- (size_t)bl2_to_bl31_params->bl33_image_info->image_size);
-#endif /* TRUSTED_BOARD_BOOT */
-
- bl2_plat_set_bl33_ep_info(bl2_to_bl31_params->bl33_image_info,
- bl2_to_bl31_params->bl33_ep_info);
return e;
}
@@ -414,14 +209,7 @@
#if TRUSTED_BOARD_BOOT
/* Initialize authentication module */
- auth_init();
-
- /* Validate the certificates involved in the Chain of Trust */
- e = load_certs();
- if (e) {
- ERROR("Chain of Trust invalid. Aborting...\n");
- panic();
- }
+ auth_mod_init();
#endif /* TRUSTED_BOARD_BOOT */
/*
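Review bot: The replacement `auth_mod_init();` removes the `load_certs()` pre-validation that ended in `panic()` when the Chain of Trust was invalid, so bl2_main no longer aborts the boot itself on a broken CoT and instead depends on each `load_auth_image()` call and its callers to refuse the image, all of which sit outside this hunk. If `auth_mod_init()` can report failure (for example when the root-of-trust public key cannot be obtained), its result is discarded on that line; if it has no error return and checks internally, a one-line comment would spare the next reader the question, e.g. `/* auth_mod_init() has no error return; the CoT is checked per image in load_auth_image() */` once that is confirmed. bl2_main continues outside this hunk on both sides.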