feat(rdfremont): add support for measured boot at BL1 and BL2
RD-Fremont platforms include Runtime Security Engine (RSE) as the
hardware crypto module. Add platform hooks, based on the rse_measured_boot
driver, to measure firmware images and record the measurements.
Additionally, add support for measured boot at BL1 and BL2 boot stages
on RD-Fremont platforms. The patch adds the RSE measured boot metadata
that includes firmware image IDs, measurement slot number and other
information. It also initializes the AP communication with RSE over
AP-RSE root MHUv3 channel to pass firmware image measurements to RSE to
support extended measurements.
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: Ia1b0bf673e865b31862cb8af79c4c71a5ba4dbea
diff --git a/plat/arm/board/neoverse_rd/platform/rdfremont/platform.mk b/plat/arm/board/neoverse_rd/platform/rdfremont/platform.mk
index 9a4ca1c..bca6172 100644
--- a/plat/arm/board/neoverse_rd/platform/rdfremont/platform.mk
+++ b/plat/arm/board/neoverse_rd/platform/rdfremont/platform.mk
@@ -44,6 +44,9 @@
include plat/arm/board/neoverse_rd/common/nrd-common.mk
include drivers/arm/rse/rse_comms.mk
include drivers/auth/mbedtls/mbedtls_common.mk
+ifeq (${MEASURED_BOOT},1)
+include drivers/measured_boot/rse/rse_measured_boot.mk
+endif
RDFREMONT_BASE = plat/arm/board/neoverse_rd/platform/rdfremont
@@ -58,20 +61,36 @@
+= ${NRD_COMMON_BASE}/nrd_plat3.c \
${RDFREMONT_BASE}/rdfremont_common.c
+PLAT_MEASURED_BOOT_SOURCES \
+ := ${MEASURED_BOOT_SOURCES} \
+ ${RSE_COMMS_SOURCES} \
+ ${RDFREMONT_BASE}/rdfremont_common_measured_boot.c \
+ lib/psa/measured_boot.c
+
BL1_SOURCES += ${NRD_CPU_SOURCES} \
- ${RDFREMONT_BASE}/rdfremont_err.c
+ ${RDFREMONT_BASE}/rdfremont_err.c \
+ ${RDFREMONT_BASE}/rdfremont_mhuv3.c
ifeq (${TRUSTED_BOARD_BOOT}, 1)
BL1_SOURCES += ${RDFREMONT_BASE}/rdfremont_trusted_boot.c
endif
+ifeq (${MEASURED_BOOT},1)
+BL1_SOURCES += ${PLAT_MEASURED_BOOT_SOURCES} \
+ ${RDFREMONT_BASE}/rdfremont_bl1_measured_boot.c
+endif
-BL2_SOURCES += ${RDFREMONT_BASE}/rdfremont_security.c \
+BL2_SOURCES += ${RDFREMONT_BASE}/rdfremont_bl2_setup.c \
${RDFREMONT_BASE}/rdfremont_err.c \
- ${RDFREMONT_BASE}/rdfremont_bl2_setup.c \
+ ${RDFREMONT_BASE}/rdfremont_mhuv3.c \
+ ${RDFREMONT_BASE}/rdfremont_security.c \
lib/utils/mem_region.c \
plat/arm/common/arm_nor_psci_mem_protect.c
ifeq (${TRUSTED_BOARD_BOOT}, 1)
BL2_SOURCES += ${RDFREMONT_BASE}/rdfremont_trusted_boot.c
endif
+ifeq (${MEASURED_BOOT},1)
+BL2_SOURCES += ${PLAT_MEASURED_BOOT_SOURCES} \
+ ${RDFREMONT_BASE}/rdfremont_bl2_measured_boot.c
+endif
BL31_SOURCES += ${NRD_CPU_SOURCES} \
${MBEDTLS_SOURCES} \
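Review bot: `${RDFREMONT_BASE}/rdfremont_mhuv3.c` is added to `BL1_SOURCES` and `BL2_SOURCES` unconditionally, while the only BL1/BL2 use of the AP-RSE channel visible in this commit is the measured-boot hooks, which are built only when `MEASURED_BOOT` is 1. If nothing else in BL1 or BL2 needs the MHUv3 setup, move both entries into the existing `ifeq (${MEASURED_BOOT},1)` blocks so that images built without measured boot do not carry unused channel-setup code. If that file depends on symbols from `${RSE_COMMS_SOURCES}`, which is pulled in here only through `PLAT_MEASURED_BOOT_SOURCES`, a `MEASURED_BOOT=0` build may also fail to link; that is worth a test build. The BL31 source list continues past the end of this hunk.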
@@ -86,6 +105,7 @@
lib/psa/cca_attestation.c \
lib/psa/delegated_attestation.c \
lib/utils/mem_region.c \
+ plat/arm/common/arm_dyn_cfg.c \
plat/arm/common/arm_nor_psci_mem_protect.c
ifeq (${NRD_PLATFORM_VARIANT}, 2)
BL31_SOURCES += drivers/arm/gic/v3/gic600_multichip.c
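Review bot: `plat/arm/common/arm_dyn_cfg.c` is added to `BL31_SOURCES` unconditionally, but the commit description only covers measured boot at BL1 and BL2 and does not say why BL31 needs it. If BL31 needs it only for the measured-boot configuration, guard it with `ifeq (${MEASURED_BOOT},1)` like the BL1 and BL2 additions; otherwise a sentence in the commit message explaining the dependency would help reviewers. The surrounding `BL31_SOURCES` assignment starts before this hunk.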
diff --git a/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_bl1_measured_boot.c b/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_bl1_measured_boot.c
new file mode 100644
index 0000000..92e96c2
--- /dev/null
+++ b/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_bl1_measured_boot.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/arm/rse_comms.h>
+#include <drivers/measured_boot/rse/rse_measured_boot.h>
+#include <lib/psa/measured_boot.h>
+#include <plat/arm/common/plat_arm.h>
+#include <platform_def.h>
+
+#include <nrd_plat.h>
+#include <rdfremont_rse_comms.h>
+
+/*
+ * Platform specific table with image IDs and metadata. Intentionally not a
+ * const struct, some members might set by bootloaders during trusted boot.
+ */
+struct rse_mboot_metadata rdfremont_rse_mboot_metadata[] = {
+ {
+ .id = FW_CONFIG_ID,
+ .slot = U(8),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_FW_CONFIG_STRING,
+ .lock_measurement = false
+ },
+ {
+ .id = TB_FW_CONFIG_ID,
+ .slot = U(9),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_TB_FW_CONFIG_STRING,
+ .lock_measurement = false
+ },
+ {
+ .id = BL2_IMAGE_ID,
+ .slot = U(10),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_BL2_IMAGE_STRING,
+ .lock_measurement = false
+ },
+ {
+ .id = RSE_MBOOT_INVALID_ID
+ }
+};
+
+void bl1_plat_mboot_init(void)
+{
+ /* Initialize the communication channel between AP and RSE */
+ (void)plat_rse_comms_init();
+
+ rse_measured_boot_init(rdfremont_rse_mboot_metadata);
+}
+
+void bl1_plat_mboot_finish(void)
+{
+ /* Nothing to do. */
+}
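Review bot: The result of `plat_rse_comms_init()` is cast to `void` in `bl1_plat_mboot_init()`, so a failed AP-RSE channel setup goes unnoticed and `rse_measured_boot_init()` runs regardless. Any failure would then surface only later, when an image measurement cannot be recorded, far from its cause. Assuming the function returns an int status, check it and at least log the failure, e.g. `if (plat_rse_comms_init() != 0) { ERROR("RSE comms init failed\n"); }`, or call `panic()` if booting without recorded measurements is not acceptable on this platform. `bl2_plat_mboot_init()` in rdfremont_bl2_measured_boot.c has the same pattern.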
diff --git a/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_bl2_measured_boot.c b/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_bl2_measured_boot.c
new file mode 100644
index 0000000..570c33a
--- /dev/null
+++ b/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_bl2_measured_boot.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/arm/rse_comms.h>
+#include <drivers/measured_boot/rse/rse_measured_boot.h>
+#include <lib/psa/measured_boot.h>
+#include <plat/common/common_def.h>
+#include <platform_def.h>
+
+#include <nrd_plat.h>
+#include <rdfremont_rse_comms.h>
+
+/*
+ * Platform specific table with image IDs and metadata. Intentionally not a
+ * const struct, some members might set by bootloaders during trusted boot.
+ */
+struct rse_mboot_metadata rdfremont_rse_mboot_metadata[] = {
+ {
+ .id = BL31_IMAGE_ID,
+ .slot = U(11),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_BL31_IMAGE_STRING,
+ .lock_measurement = false
+ },
+ {
+ .id = HW_CONFIG_ID,
+ .slot = U(12),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_HW_CONFIG_STRING,
+ .lock_measurement = false
+ },
+ {
+ .id = SOC_FW_CONFIG_ID,
+ .slot = U(13),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SOC_FW_CONFIG_STRING,
+ .lock_measurement = false
+ },
+#if ENABLE_RME
+ {
+ .id = RMM_IMAGE_ID,
+ .slot = U(14),
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_RMM_IMAGE_STRING,
+ .lock_measurement = false
+ },
+#endif /* ENABLE_RME */
+ {
+ .id = RSE_MBOOT_INVALID_ID
+ }
+};
+
+void bl2_plat_mboot_init(void)
+{
+ /* Initialize the communication channel between AP and RSE */
+ (void)plat_rse_comms_init();
+
+ rse_measured_boot_init(rdfremont_rse_mboot_metadata);
+}
+
+void bl2_plat_mboot_finish(void)
+{
+ /* Nothing to do. */
+}
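Review bot: The slot numbers `U(11)` to `U(14)` in this table are bare literals that continue the `U(8)` to `U(10)` sequence in rdfremont_bl1_measured_boot.c, and nothing visible keeps the two tables from colliding when an entry is added to either file. Two images sharing a slot would be extended into the same measurement, which makes the attested value hard to interpret. Define the slot assignments once as named constants in a platform header included by both files, with a comment on why the range starts at 8 (presumably the lower slots are reserved; please confirm). A short comment on why every entry sets `.lock_measurement = false` would also help, since that choice decides whether a slot can still be extended after it is recorded.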
diff --git a/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_common_measured_boot.c b/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_common_measured_boot.c
new file mode 100644
index 0000000..e95c544
--- /dev/null
+++ b/plat/arm/board/neoverse_rd/platform/rdfremont/rdfremont_common_measured_boot.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stdint.h>
+
+#include <common/desc_image_load.h>
+#include <drivers/measured_boot/rse/rse_measured_boot.h>
+
+extern struct rse_mboot_metadata rdfremont_rse_mboot_metadata[];
+
+struct rse_mboot_metadata *plat_rse_mboot_get_metadata(void)
+{
+ return rdfremont_rse_mboot_metadata;
+}
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+ int err;
+
+ /* Calculate image hash and record data in RSE */
+ err = rse_mboot_measure_and_record(rdfremont_rse_mboot_metadata,
+ image_data->image_base,
+ image_data->image_size,
+ image_id);
+ if (err != 0) {
+ ERROR("Measure and record failed for image id %u, err (%i)\n",
+ image_id, err);
+ }
+
+ return err;
+}
+
+int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len)
+{
+ return rse_mboot_set_signer_id(rdfremont_rse_mboot_metadata, pk_oid,
+ pk_ptr, pk_len);
+}
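Review bot: `plat_mboot_measure_image()` dereferences `image_data` for `image_base` and `image_size` without checking it, and `<assert.h>` is included but no `assert()` appears anywhere in the file. Add `assert(image_data != NULL);` at the top of the function so a bad caller is caught in debug builds instead of faulting inside the measurement path. The file uses `ERROR()` without a visible `#include <common/debug.h>`; it probably arrives through another header, but including it directly would be more robust. The functions also lack header comments; a brief one stating that `plat_mboot_measure_image()` returns the error from `rse_mboot_measure_and_record()` unchanged would tell callers what to expect.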