feat(tc): add DPE backend to the measured boot framework

The client platform relies on the DICE attestation
scheme. RSS provides the DICE Protection Environment
(DPE) service. TF-A measured boot framework supports
multiple backends. A given platform always enables the
backend that its attestation scheme requires.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Idc3360d0d7216e4859e99b5db3d377407e0aeee5
diff --git a/Makefile b/Makefile
index ef570b2..800346a 100644
--- a/Makefile
+++ b/Makefile
@@ -1145,6 +1145,7 @@
 	HARDEN_SLS \
 	HW_ASSISTED_COHERENCY \
 	MEASURED_BOOT \
+	DICE_PROTECTION_ENVIRONMENT \
 	DRTM_SUPPORT \
 	NS_TIMER_SWITCH \
 	OVERRIDE_LIBC \
@@ -1312,6 +1313,7 @@
 	HW_ASSISTED_COHERENCY \
 	LOG_LEVEL \
 	MEASURED_BOOT \
+	DICE_PROTECTION_ENVIRONMENT \
 	DRTM_SUPPORT \
 	NS_TIMER_SWITCH \
 	PL011_GENERIC_UART \
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index a8b40ad..f817da0 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -706,6 +706,13 @@
 
    This option defaults to 0.
 
+-  ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot
+   backend when ``MEASURED_BOOT`` is enabled. The default value is ``0``. When
+   set to ``1`` then measurements and additional metadata collected during the
+   measured boot process are sent to the DICE Protection Environment for storage
+   and processing. A certificate chain, which represents the boot state of the
+   device, can be queried from the DPE.
+
 -  ``MARCH_DIRECTIVE``: used to pass a -march option from the platform build
    options to the compiler. An example usage:
 
diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h
index 4d1b1c1..714d9a9 100644
--- a/include/plat/common/platform.h
+++ b/include/plat/common/platform.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2023, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -242,7 +242,7 @@
 int bl1_plat_handle_pre_image_load(unsigned int image_id);
 int bl1_plat_handle_post_image_load(unsigned int image_id);
 
-#if MEASURED_BOOT
+#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT)
 void bl1_plat_mboot_init(void);
 void bl1_plat_mboot_finish(void);
 #else
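Review bot: The new guard `#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT)` lets DICE_PROTECTION_ENVIRONMENT=1 on its own declare bl1_plat_mboot_init()/bl1_plat_mboot_finish() as real functions, while the build-options text and plat/arm/board/tc/platform.mk in this same commit only honour the flag inside `ifeq (${MEASURED_BOOT},1)`, so no source would define them and the inline stubs are lost for that flag combination. Either keep the header condition as `#if MEASURED_BOOT` and treat DPE strictly as a backend selector, or reject MEASURED_BOOT=0 with DICE_PROTECTION_ENVIRONMENT=1 explicitly in the makefiles. The same guard is repeated for the BL2 prototypes in the hunk at line 84. The #else branch with the inline stubs continues past this hunk.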
@@ -252,7 +252,7 @@
 static inline void bl1_plat_mboot_finish(void)
 {
 }
-#endif /* MEASURED_BOOT */
+#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT */
 
 /*******************************************************************************
  * Mandatory BL2 functions
@@ -272,7 +272,7 @@
 /*******************************************************************************
  * Optional BL2 functions (may be overridden)
  ******************************************************************************/
-#if MEASURED_BOOT
+#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT)
 void bl2_plat_mboot_init(void);
 void bl2_plat_mboot_finish(void);
 #else
@@ -282,7 +282,7 @@
 static inline void bl2_plat_mboot_finish(void)
 {
 }
-#endif /* MEASURED_BOOT */
+#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENTs */
 
 /*******************************************************************************
  * Mandatory BL2 at EL3 functions: Must be implemented
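Review bot: The closing comment `#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENTs */` has a stray trailing `s`; it should read `#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT */` so it matches the `#if` it closes and the BL1 variant earlier in this file.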
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index 7fe8bf8..26d2a00 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -176,6 +176,9 @@
 # Option to build TF with Measured Boot support
 MEASURED_BOOT			:= 0
 
+# Option to enable the DICE Protection Environmnet as a Measured Boot backend
+DICE_PROTECTION_ENVIRONMENT	:=0
+
 # NS timer register save and restore
 NS_TIMER_SWITCH			:= 0
 
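Review bot: The new comment misspells the service name (`Environmnet`), and `DICE_PROTECTION_ENVIRONMENT	:=0` lacks the space after `:=` that every neighbouring default uses; suggested `# Option to enable the DICE Protection Environment as a Measured Boot backend` and `DICE_PROTECTION_ENVIRONMENT	:= 0`. Since the build-options text in this commit describes the flag as only meaningful when MEASURED_BOOT is enabled, the comment could state that dependency as well.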
diff --git a/plat/arm/board/tc/platform.mk b/plat/arm/board/tc/platform.mk
index 652a17e..36b89ac 100644
--- a/plat/arm/board/tc/platform.mk
+++ b/plat/arm/board/tc/platform.mk
@@ -170,27 +170,49 @@
 # Include Measured Boot makefile before any Crypto library makefile.
 # Crypto library makefile may need default definitions of Measured Boot build
 # flags present in Measured Boot makefile.
+$(info Including rss_comms.mk)
 ifeq (${MEASURED_BOOT},1)
-    MEASURED_BOOT_MK := drivers/measured_boot/rss/rss_measured_boot.mk
-    $(info Including ${MEASURED_BOOT_MK})
-    include ${MEASURED_BOOT_MK}
-    $(info Including rss_comms.mk)
-    include drivers/arm/rss/rss_comms.mk
+        $(info Including rss_comms.mk)
+        include drivers/arm/rss/rss_comms.mk
 
-    BL1_SOURCES		+=	${MEASURED_BOOT_SOURCES} \
+	BL1_SOURCES	+=	${RSS_COMMS_SOURCES}
+	BL2_SOURCES	+=	${RSS_COMMS_SOURCES}
+	PLAT_INCLUDES	+=	-Iinclude/lib/psa
+
+    ifeq (${DICE_PROTECTION_ENVIRONMENT},1)
+        $(info Including qcbor.mk)
+        include drivers/measured_boot/rss/qcbor.mk
+        $(info Including dice_prot_env.mk)
+        include drivers/measured_boot/rss/dice_prot_env.mk
+
+	BL1_SOURCES	+=	${QCBOR_SOURCES} \
+				${DPE_SOURCES} \
+				plat/arm/board/tc/tc_common_dpe.c \
+				plat/arm/board/tc/tc_bl1_dpe.c \
+				lib/psa/dice_protection_environment.c
+
+	BL2_SOURCES	+=	${QCBOR_SOURCES} \
+				${DPE_SOURCES} \
+				plat/arm/board/tc/tc_common_dpe.c \
+				plat/arm/board/tc/tc_bl2_dpe.c \
+				lib/psa/dice_protection_environment.c
+
+	PLAT_INCLUDES	+=	-I${QCBOR_INCLUDES} \
+				-Iinclude/lib/dice
+    else
+        $(info Including rss_measured_boot.mk)
+        include drivers/measured_boot/rss/rss_measured_boot.mk
+
+	BL1_SOURCES	+=	${MEASURED_BOOT_SOURCES} \
 				plat/arm/board/tc/tc_common_measured_boot.c \
 				plat/arm/board/tc/tc_bl1_measured_boot.c \
-				lib/psa/measured_boot.c			 \
-				${RSS_COMMS_SOURCES}
+				lib/psa/measured_boot.c
 
-    BL2_SOURCES		+=	${MEASURED_BOOT_SOURCES} \
+	BL2_SOURCES		+=	${MEASURED_BOOT_SOURCES} \
 				plat/arm/board/tc/tc_common_measured_boot.c \
 				plat/arm/board/tc/tc_bl2_measured_boot.c \
-				lib/psa/measured_boot.c			 \
-				${RSS_COMMS_SOURCES}
-
-PLAT_INCLUDES		+=	-Iinclude/lib/psa
-
+				lib/psa/measured_boot.c
+    endif
 endif
 
 ifneq (${PLATFORM_TEST},)
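Review bot: The added `$(info Including rss_comms.mk)` at the top of the hunk sits outside the `ifeq (${MEASURED_BOOT},1)` block and is repeated inside it, so the message prints twice when measured boot is on and once, misleadingly, when it is off and nothing is included; drop the outer line. The hunk also mixes four-space indentation for the `$(info ...)`/`include` lines with tab indentation for the `BL1_SOURCES`/`BL2_SOURCES`/`PLAT_INCLUDES` assignments, and `BL2_SOURCES		+=` in the non-DPE branch keeps two tabs where the others use one; pick one scheme within the block. Note that DICE_PROTECTION_ENVIRONMENT=1 with MEASURED_BOOT=0 is silently ignored here, while include/plat/common/platform.h in the same commit treats the flag as sufficient to declare the mboot hooks.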
diff --git a/plat/arm/board/tc/tc_bl1_dpe.c b/plat/arm/board/tc/tc_bl1_dpe.c
new file mode 100644
index 0000000..67b1d02
--- /dev/null
+++ b/plat/arm/board/tc/tc_bl1_dpe.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/arm/rss_comms.h>
+#include <drivers/measured_boot/metadata.h>
+#include <drivers/measured_boot/rss/dice_prot_env.h>
+#include <plat/arm/common/plat_arm.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+#include <tools_share/zero_oid.h>
+
+struct dpe_metadata tc_dpe_metadata[] = {
+	{
+		.id = FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = ZERO_OID },
+	{
+		.id = TB_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_TB_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = ZERO_OID },
+	{
+		.id = BL2_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL2_IMAGE_STRING,
+		.allow_new_context_to_derive = true,
+		.retain_parent_context = false,
+		.create_certificate = false,
+		.pk_oid = ZERO_OID },
+	{
+		.id = DPE_INVALID_ID }
+};
+
+
+void bl1_plat_mboot_init(void)
+{
+	/* Initialize the communication channel between AP and RSS */
+	(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
+			     PLAT_RSS_AP_RCV_MHU_BASE);
+
+	dpe_init(tc_dpe_metadata);
+}
+
+void bl1_plat_mboot_finish(void)
+{
+	/* Nothing to do. */
+}
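Review bot: `(void)rss_comms_init(...)` in bl1_plat_mboot_init() discards the result of bringing up the MHU channel to RSS, and the result of `dpe_init(tc_dpe_metadata)` is not examined either, so a failed link is only discovered later, if at all, when dpe_measure_and_record() fails and the boot state never reaches the DPE. Suggest at least `int rc = rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);` followed by `if (rc != 0) ERROR("rss_comms_init failed (%d)\n", rc);` (with `<common/debug.h>` included if it is not already reachable), or a comment stating why the failure is deliberately ignored. The table would also benefit from a short header comment on the per-entry policy, e.g. why BL2 is the only entry with `.allow_new_context_to_derive = true` and `.retain_parent_context = false`, and what `ZERO_OID` stands for on the config entries (presumably no signing key, to be confirmed against dice_prot_env.h). `true`/`false` are used with only `<stdint.h>` included directly, which works only if dice_prot_env.h pulls in `<stdbool.h>`; the double blank line before bl1_plat_mboot_init() is stray.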
diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c
new file mode 100644
index 0000000..2d6b54d
--- /dev/null
+++ b/plat/arm/board/tc/tc_bl2_dpe.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/arm/rss_comms.h>
+#include <drivers/measured_boot/metadata.h>
+#include <drivers/measured_boot/rss/dice_prot_env.h>
+#include <plat/arm/common/plat_arm.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+#include <tools_share/zero_oid.h>
+
+/*
+ * The content and the values of this array depends on:
+ * - build config: Which components are loaded: SPMD, TOS, SPx, etc ?
+ * - boot order: the last element in a layer should be treated differently.
+ */
+
+/*
+ * TODO:
+ *     - The content of the array must be tailored according to the build
+ *       config (TOS, SPMD, etc). All loaded components (executables and
+ *       config blobs) must be present in this array.
+ *     - Current content is according to the Trusty build config.
+ */
+struct dpe_metadata tc_dpe_metadata[] = {
+	{
+		.id = BL31_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL31_IMAGE_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = BL31_IMAGE_KEY_OID },
+	{
+		.id = BL32_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL32_IMAGE_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = BL32_IMAGE_KEY_OID },
+	{
+		.id = BL33_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL33_IMAGE_STRING,
+		.allow_new_context_to_derive = true,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = BL33_IMAGE_KEY_OID },
+
+	{
+		.id = HW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_HW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = HW_CONFIG_KEY_OID },
+	{
+		.id = NT_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_NT_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NT_FW_CONFIG_KEY_OID },
+	{
+		.id = SCP_BL2_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SCP_BL2_IMAGE_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = SCP_BL2_IMAGE_KEY_OID },
+	{
+		.id = SOC_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SOC_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = SOC_FW_CONFIG_KEY_OID },
+	{
+		.id = TOS_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_TOS_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = TOS_FW_CONFIG_KEY_OID },
+#if defined(SPD_spmd)
+	{
+		.id = SP_PKG1_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP1_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = true, /* With Trusty only one SP is loaded */
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG2_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP2_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG3_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP3_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG4_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP4_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG5_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP5_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG6_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP6_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG7_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP7_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG8_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP8_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+
+#endif
+	{
+		.id = DPE_INVALID_ID }
+};
+
+void bl2_plat_mboot_init(void)
+{
+	/* Initialize the communication channel between AP and RSS */
+	(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
+			     PLAT_RSS_AP_RCV_MHU_BASE);
+
+	dpe_init(tc_dpe_metadata);
+}
+
+void bl2_plat_mboot_finish(void)
+{
+	/* Nothing to do. */
+}
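Review bot: The SP_PKG entries set `.pk_oid = NULL` while the BL1 table in this commit (plat/arm/board/tc/tc_bl1_dpe.c) uses `ZERO_OID` for images without a key OID, and `<tools_share/zero_oid.h>` is included here but never used; unless dpe_set_signer_id()/dpe_init() are documented to accept a NULL pk_oid, a string comparison against it would dereference NULL, so use `.pk_oid = ZERO_OID` for consistency (or drop the unused include if NULL is the intended sentinel). The header comment says the last element in a layer must be treated differently, yet the only entry with `.create_certificate = true` is SP_PKG1 inside `#if defined(SPD_spmd)`, so a build without SPD_spmd has no entry that closes the layer; the TODO should say so explicitly or the table should handle it. `NULL` is used with only `<stdint.h>` included directly, which relies on a transitively included header defining it. The blank lines inside the initializer (after the BL33 entry and before `#endif`) are stray.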
diff --git a/plat/arm/board/tc/tc_common_dpe.c b/plat/arm/board/tc/tc_common_dpe.c
new file mode 100644
index 0000000..42b5468
--- /dev/null
+++ b/plat/arm/board/tc/tc_common_dpe.c
@@ -0,0 +1,36 @@
+
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stdint.h>
+
+#include <common/desc_image_load.h>
+#include <drivers/measured_boot/rss/dice_prot_env.h>
+
+extern struct dpe_metadata tc_dpe_metadata[];
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+	int err;
+
+	/* Calculate image hash and record it in the DPE service in RSS. */
+	err = dpe_measure_and_record(tc_dpe_metadata,
+				     image_data->image_base,
+				     image_data->image_size,
+				     image_id);
+	if (err != 0) {
+		ERROR("%s%s image id %u (%i)\n",
+		      "Failed to ", "record in DPE", image_id, err);
+	}
+
+	return err;
+}
+
+int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len)
+{
+	return dpe_set_signer_id(tc_dpe_metadata, pk_oid, pk_ptr, pk_len);
+}
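Review bot: plat_mboot_measure_image() dereferences `image_data` without a check even though `<assert.h>` is included and otherwise unused; add `assert(image_data != NULL);` before the dpe_measure_and_record() call. The `ERROR()` macro is used but `<common/debug.h>` is not among the includes, so the file compiles only through a transitive include; add it explicitly. The split format `ERROR("%s%s image id %u (%i)\n", "Failed to ", "record in DPE", image_id, err);` reads oddly and would be clearer as `ERROR("Failed to record image id %u in DPE (%i)\n", image_id, err);`. The file also opens with a blank line ahead of the licence header, and plat_mboot_measure_key() deserves a one-line comment noting that it forwards the (pk_oid, pk_ptr, pk_len) triple to dpe_set_signer_id() and returns its result unchanged.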