Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / b3e8580a25cd6fd54c26b4b711c38a9de5deb16f^! / . / drivers / auth / auth_mod.c
commitb3e8580a25cd6fd54c26b4b711c38a9de5deb16f[log] [tgz]
authordp-arm <dimitris.papastamos@arm.com>Mon Dec 12 14:48:13 2016 +0000
committerdp-arm <dimitris.papastamos@arm.com>Thu Dec 15 14:12:35 2016 +0000
treefcd8e5144a9646fe439cc7a69b3a241b2fb1776f
parentef40c28683657b63a82f3fe31412769f74d1b42c [diff] [blame]
tbbr: Fix updating of Non-Trusted NV counter

The previous code required that a certificate be signed with the ROT
key before the platform's NV counter could be updated with the value
in the certificate.  This implies that the Non-Trusted NV counter was
not being updated for Non-Trusted content certificates, as they cannot
be signed with the ROT key in the TBBR CoT scheme.

The code is reworked to only allow updating the platform's Trusted NV
counter when a certificate protected by the Trusted NV counter is
signed with the ROT key.

Content certificates protected by the Non-Trusted NV counter are
allowed to update the platform's Non-Trusted NV counter, assuming
that the certificate value is higher than the platform's value.

A new optional platform API has been introduced, named
plat_set_nv_ctr2().  Platforms may choose to implement it and perform
additional checks based on the authentication image descriptor before
modifying the NV counters.  A default weak implementation is available
that just calls into plat_set_nv_ctr().

Fixes ARM-software/tf-issues#426

Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c
index 88ef0b0..2c8643f 100644
--- a/drivers/auth/auth_mod.c
+++ b/drivers/auth/auth_mod.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -50,6 +50,8 @@
 		} \
 	} while (0)
 
+#pragma weak plat_set_nv_ctr2
+
 /* Pointer to CoT */
 extern const auth_img_desc_t *const cot_desc_ptr;
 extern unsigned int auth_img_flags[];
@@ -297,21 +299,20 @@
 		/* Invalid NV-counter */
 		return 1;
 	} else if (cert_nv_ctr > plat_nv_ctr) {
-		if (img_desc->parent == NULL) {
-			/* This certificate has been signed with the ROT key.
-			 * Update the platform counter value */
-			rc = plat_set_nv_ctr(param->plat_nv_ctr->cookie,
-					     cert_nv_ctr);
-			return_if_error(rc);
-		} else {
-			/* Secondary certificates cannot modify the counter */
-			return 1;
-		}
+		rc = plat_set_nv_ctr2(param->plat_nv_ctr->cookie,
+			img_desc, cert_nv_ctr);
+		return_if_error(rc);
 	}
 
 	return 0;
 }
 
+int plat_set_nv_ctr2(void *cookie, const auth_img_desc_t *img_desc __unused,
+		unsigned int nv_ctr)
+{
+	return plat_set_nv_ctr(cookie, nv_ctr);
+}
+
 /*
  * Return the parent id in the output parameter '*parent_id'
  *