feat(tc): group components into certificates
Set the cert_id argument to group the components
into certificates. The grouping reflects the likely units
of updateability.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ie7a1f10c84af727d0cd39e3a78b0cb59cbc2e457
diff --git a/plat/arm/board/tc/tc_bl1_dpe.c b/plat/arm/board/tc/tc_bl1_dpe.c
index c206b55..dc60fb6 100644
--- a/plat/arm/board/tc/tc_bl1_dpe.c
+++ b/plat/arm/board/tc/tc_bl1_dpe.c
@@ -18,9 +18,12 @@
#include <platform_def.h>
#include <tools_share/zero_oid.h>
+#include "tc_dpe_cert.h"
+
struct dpe_metadata tc_dpe_metadata[] = {
{
.id = FW_CONFIG_ID,
+ .cert_id = DPE_AP_FW_CERT_ID,
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_FW_CONFIG_STRING,
.allow_new_context_to_derive = false,
@@ -29,6 +32,7 @@
.pk_oid = ZERO_OID },
{
.id = TB_FW_CONFIG_ID,
+ .cert_id = DPE_AP_FW_CERT_ID,
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_TB_FW_CONFIG_STRING,
.allow_new_context_to_derive = false,
@@ -37,6 +41,7 @@
.pk_oid = ZERO_OID },
{
.id = BL2_IMAGE_ID,
+ .cert_id = DPE_AP_FW_CERT_ID,
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_BL2_IMAGE_STRING,
.allow_new_context_to_derive = true,
diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c
index 3742f26..e50508f 100644
--- a/plat/arm/board/tc/tc_bl2_dpe.c
+++ b/plat/arm/board/tc/tc_bl2_dpe.c
@@ -15,6 +15,8 @@
#include <platform_def.h>
#include <tools_share/tbbr_oid.h>
+#include "tc_dpe_cert.h"
+
/*
* The content and the values of this array depends on:
* - build config: Which components are loaded: SPMD, TOS, SPx, etc ?
@@ -31,6 +33,7 @@
struct dpe_metadata tc_dpe_metadata[] = {
{
.id = BL31_IMAGE_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_BL31_IMAGE_STRING,
.allow_new_context_to_derive = false,
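Review bot: The trailing comment `/* AP_BL2: DPE_AP_FW_CERT_ID */` on the BL31 entry hard-codes a value that is actually assigned to `BL2_IMAGE_ID` in tc_bl1_dpe.c. The same comment is repeated on every other `DPE_CERT_ID_SAME_AS_PARENT` entry in this file (BL32, HW_CONFIG, SCP_BL2, SOC_FW_CONFIG, TOS_FW_CONFIG and SP_PKG1 to SP_PKG8). If the BL1 assignment ever changes, these comments go stale and the table will claim a certificate grouping that the attestation chain no longer has. I would state the dependency once above `tc_dpe_metadata[]`, e.g. `/* SAME_AS_PARENT resolves to the cert_id BL1 gives BL2_IMAGE_ID (see tc_bl1_dpe.c) */`, and drop the per-entry copies. The array's header comment and the rest of each initialiser lie outside this hunk.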
@@ -39,6 +42,7 @@
.pk_oid = BL31_IMAGE_KEY_OID },
{
.id = BL32_IMAGE_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_BL32_IMAGE_STRING,
.allow_new_context_to_derive = false,
@@ -47,6 +51,7 @@
.pk_oid = BL32_IMAGE_KEY_OID },
{
.id = BL33_IMAGE_ID,
+ .cert_id = DPE_HYPERVISOR_CERT_ID,
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_BL33_IMAGE_STRING,
.allow_new_context_to_derive = true,
@@ -56,6 +61,7 @@
{
.id = HW_CONFIG_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_HW_CONFIG_STRING,
.allow_new_context_to_derive = false,
@@ -64,6 +70,7 @@
.pk_oid = HW_CONFIG_KEY_OID },
{
.id = NT_FW_CONFIG_ID,
+ .cert_id = DPE_HYPERVISOR_CERT_ID,
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_NT_FW_CONFIG_STRING,
.allow_new_context_to_derive = false,
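Review bot: `NT_FW_CONFIG_ID` is the only entry in this table with `allow_new_context_to_derive = false` that gets an explicit certificate id, and nothing at the entry explains why. It joins BL33 (hunk at -47,6) in `DPE_HYPERVISOR_CERT_ID` while its neighbours inherit the parent's id. The diagram in tc_dpe_cert.h agrees with this, but a later clean-up could change it to `DPE_CERT_ID_SAME_AS_PARENT` and move its measurement into the AP firmware certificate. A short comment would protect it, for example `/* Grouped with BL33: expected to be updated together with it */`, with the wording to be confirmed by the author. The initialiser continues outside the hunk.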
@@ -72,6 +79,7 @@
.pk_oid = NT_FW_CONFIG_KEY_OID },
{
.id = SCP_BL2_IMAGE_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SCP_BL2_IMAGE_STRING,
.allow_new_context_to_derive = false,
@@ -80,6 +88,7 @@
.pk_oid = SCP_BL2_IMAGE_KEY_OID },
{
.id = SOC_FW_CONFIG_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SOC_FW_CONFIG_STRING,
.allow_new_context_to_derive = false,
@@ -88,6 +97,7 @@
.pk_oid = SOC_FW_CONFIG_KEY_OID },
{
.id = TOS_FW_CONFIG_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_TOS_FW_CONFIG_STRING,
.allow_new_context_to_derive = false,
@@ -97,6 +107,7 @@
#if defined(SPD_spmd)
{
.id = SP_PKG1_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP1_STRING,
.allow_new_context_to_derive = false,
@@ -105,6 +116,7 @@
.pk_oid = NULL },
{
.id = SP_PKG2_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP2_STRING,
.allow_new_context_to_derive = false,
@@ -113,6 +125,7 @@
.pk_oid = NULL },
{
.id = SP_PKG3_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP3_STRING,
.allow_new_context_to_derive = false,
@@ -121,6 +134,7 @@
.pk_oid = NULL },
{
.id = SP_PKG4_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP4_STRING,
.allow_new_context_to_derive = false,
@@ -129,6 +143,7 @@
.pk_oid = NULL },
{
.id = SP_PKG5_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP5_STRING,
.allow_new_context_to_derive = false,
@@ -137,6 +152,7 @@
.pk_oid = NULL },
{
.id = SP_PKG6_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP6_STRING,
.allow_new_context_to_derive = false,
@@ -145,6 +161,7 @@
.pk_oid = NULL },
{
.id = SP_PKG7_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP7_STRING,
.allow_new_context_to_derive = false,
@@ -153,6 +170,7 @@
.pk_oid = NULL },
{
.id = SP_PKG8_ID,
+ .cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
.signer_id_size = SIGNER_ID_MIN_SIZE,
.sw_type = MBOOT_SP8_STRING,
.allow_new_context_to_derive = false,
diff --git a/plat/arm/board/tc/tc_dpe_cert.h b/plat/arm/board/tc/tc_dpe_cert.h
new file mode 100644
index 0000000..25855ec
--- /dev/null
+++ b/plat/arm/board/tc/tc_dpe_cert.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TC_DPE_CERT_H
+#define TC_DPE_CERT_H
+
+/*
+ * The certificate structure on the TC platform:
+ * - The arrows indicate the parent/child relationships (who loads who).
+ * - The boxes indicate the certificates.
+ *
+ * AP FW Cert.
+ * +--------------------------------+
+ * | |
+ * Plat Cert. | +->SPx | Hyper Cert.
+ * +--------------------------+ | +->SP1 | +--------------------+
+ * RoT Cert. | | | +->TOS_FW_CONF | | |
+ * +------------+ | +->SCP_BL1 +-----+-----+-->FW_CONF +->AP_BL32 | | +->PVMFW |
+ * | | | | | | | | | | | |
+ * | RSS_BL1_2--+-----+-->RSS_BL2------->AP_BL1--+-----+------------->AP_BL2------------+-----+-->AP_BL33 |
+ * | | | | | | | | | | | |
+ * +------------+ | +->RSS_S +-----+-----+-->TB_FW_CONF +->AP_BL31 | | +->HYPERVISOR |
+ * | +->RSS_NS | | +->SCP_BL2 | | |
+ * | | | +->HW_CONF | | |
+ * +--------------------------+ | +---------------+-----+-->NT_FW_CONF |
+ * | | | |
+ * +--------------------------------+ +--------------------+
+ */
+
+#define DPE_AP_FW_CERT_ID 0x300 /* Includes: FW_CONF - SP1 */
+#define DPE_HYPERVISOR_CERT_ID 0x400 /* Includes: AP_BL33 - PVMFW */
+
+/* Common definition */
+#define DPE_CERT_ID_SAME_AS_PARENT 0xFFFFFFFF
+
+#endif /* TC_DPE_CERT_H */
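Review bot: `DPE_CERT_ID_SAME_AS_PARENT` is a sentinel in the same value space as the real ids, yet it is defined under `/* Common definition */` in a TC platform header. If the DPE service side defines the same sentinel, the two copies can drift, and the patch does not show the width of the `cert_id` field the value has to fit. I would take it from a shared DPE header if one exists, or at least mark it reserved and unsigned: `#define DPE_CERT_ID_SAME_AS_PARENT 0xFFFFFFFFU /* reserved, never a real certificate id */`. The range comments `FW_CONF - SP1` and `AP_BL33 - PVMFW` are also hard to map onto the tables, which assign SP_PKG1 to SP_PKG8 and NT_FW_CONFIG; listing the members or pointing at the diagram would be clearer.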