tbbr: add chain of trust for Secure Partitions with sha 44f1aa8, support for Silicon Provider(SiP) owned Secure Partition(SP) was added for dualroot CoT. This patch extends this support for tbbr CoT. Earlier tbbr CoT for SPs was left to avoid adding new image types in TBBR which could possibly be seen as deviation from specification. But with further discussions it is understood that TBBR being a *minimal* set of requirements that can be extended as long as we don't violate any of the musts, which is the case with adding SP support. Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: I1b9e3ebdd7d653f1fd4cc3bd910a69871b55ecbb

commit: ceea9992a8a9d424c1f117bdd5400848ef7365ba [log] [tgz]
author: Manish Pandey <manish.pandey2@arm.com> Wed Jun 10 16:19:53 2020 +0100
committer: Manish Pandey <manish.pandey2@arm.com> Mon Jun 15 14:49:26 2020 +0100
tree: 6cf43d20dc004683201abe384df1cc2b124a6823
parent: c70b4b4dcaedb5ae88bf3bc65f11c1504d78f5bf [diff]
diff --git a/drivers/auth/tbbr/tbbr_cot_bl2.c b/drivers/auth/tbbr/tbbr_cot_bl2.c
index c47bf1a..63c18fa 100644
--- a/drivers/auth/tbbr/tbbr_cot_bl2.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl2.c

@@ -27,6 +27,9 @@
 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
+#if defined(SPD_spmd)
+static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
+#endif /* SPD_spmd */
 
 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
@@ -60,6 +63,24 @@
 		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
+#if defined(SPD_spmd)
+static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
+static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
+static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
+static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
+static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
+static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
+static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
+static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
+#endif /* SPD_spmd */
 
 /*
  * Trusted key certificate
@@ -535,6 +556,99 @@
 		}
 	}
 };
+/* Secure Partitions */
+#if defined(SPD_spmd)
+static const auth_img_desc_t sp_content_cert = {
+	.img_id = SP_CONTENT_CERT_ID,
+	.img_type = IMG_CERT,
+	.parent = &trusted_key_cert,
+	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+		[0] = {
+			.type = AUTH_METHOD_SIG,
+			.param.sig = {
+				.pk = &trusted_world_pk,
+				.sig = &sig,
+				.alg = &sig_alg,
+				.data = &raw_data
+			}
+		},
+		[1] = {
+			.type = AUTH_METHOD_NV_CTR,
+			.param.nv_ctr = {
+				.cert_nv_ctr = &trusted_nv_ctr,
+				.plat_nv_ctr = &trusted_nv_ctr
+			}
+		}
+	},
+	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+		[0] = {
+			.type_desc = &sp_pkg1_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[0],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[1] = {
+			.type_desc = &sp_pkg2_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[1],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[2] = {
+			.type_desc = &sp_pkg3_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[2],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[3] = {
+			.type_desc = &sp_pkg4_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[3],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[4] = {
+			.type_desc = &sp_pkg5_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[4],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[5] = {
+			.type_desc = &sp_pkg6_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[5],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[6] = {
+			.type_desc = &sp_pkg7_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[6],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[7] = {
+			.type_desc = &sp_pkg8_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[7],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		}
+	}
+};
+
+DEFINE_SP_PKG(1);
+DEFINE_SP_PKG(2);
+DEFINE_SP_PKG(3);
+DEFINE_SP_PKG(4);
+DEFINE_SP_PKG(5);
+DEFINE_SP_PKG(6);
+DEFINE_SP_PKG(7);
+DEFINE_SP_PKG(8);
+#endif /* SPD_spmd */
 
 static const auth_img_desc_t * const cot_desc[] = {
 	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
@@ -557,6 +671,17 @@
 	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
 	[BL33_IMAGE_ID]				=	&bl33_image,
 	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID]			=	&sp_content_cert,
+	[SP_CONTENT_CERT_ID + 1]		=	&sp_pkg1,
+	[SP_CONTENT_CERT_ID + 2]		=	&sp_pkg2,
+	[SP_CONTENT_CERT_ID + 3]		=	&sp_pkg3,
+	[SP_CONTENT_CERT_ID + 4]		=	&sp_pkg4,
+	[SP_CONTENT_CERT_ID + 5]		=	&sp_pkg5,
+	[SP_CONTENT_CERT_ID + 6]		=	&sp_pkg6,
+	[SP_CONTENT_CERT_ID + 7]		=	&sp_pkg7,
+	[SP_CONTENT_CERT_ID + 8]		=       &sp_pkg8,
+#endif
 };
 
 /* Register the CoT in the authentication module */
commit	ceea9992a8a9d424c1f117bdd5400848ef7365ba	[log] [tgz]
author	Manish Pandey <manish.pandey2@arm.com>	Wed Jun 10 16:19:53 2020 +0100
committer	Manish Pandey <manish.pandey2@arm.com>	Mon Jun 15 14:49:26 2020 +0100
tree	6cf43d20dc004683201abe384df1cc2b124a6823
parent	c70b4b4dcaedb5ae88bf3bc65f11c1504d78f5bf [diff]