fix(intel): update certificate mask for FPGA Attestation
Update the certificate mask to 0xff to cover all certificate
in Agilex family.
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Id40bc3aa4b3e4f7568a58581bbb03a75b0f20a0b
diff --git a/plat/intel/soc/common/include/socfpga_fcs.h b/plat/intel/soc/common/include/socfpga_fcs.h
index 6b1f160..3a71b4f 100644
--- a/plat/intel/soc/common/include/socfpga_fcs.h
+++ b/plat/intel/soc/common/include/socfpga_fcs.h
@@ -48,11 +48,12 @@
/* FCS Attestation Cert Request Parameter */
-#define FCS_ALIAS_CERT 0x01
-#define FCS_DEV_ID_SELF_SIGN_CERT 0x02
-#define FCS_DEV_ID_ENROLL_CERT 0x04
-#define FCS_ENROLL_SELF_SIGN_CERT 0x08
-#define FCS_PLAT_KEY_CERT 0x10
+#define FCS_ATTEST_FIRMWARE_CERT 0x01
+#define FCS_ATTEST_DEV_ID_SELF_SIGN_CERT 0x02
+#define FCS_ATTEST_DEV_ID_ENROLL_CERT 0x04
+#define FCS_ATTEST_ENROLL_SELF_SIGN_CERT 0x08
+#define FCS_ATTEST_ALIAS_CERT 0x10
+#define FCS_ATTEST_CERT_MAX_REQ_PARAM 0xFF
/* FCS Crypto Service */
diff --git a/plat/intel/soc/common/sip/socfpga_sip_fcs.c b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
index 35dd2c5..2342e45 100644
--- a/plat/intel/soc/common/sip/socfpga_sip_fcs.c
+++ b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
@@ -569,13 +569,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
- if (cert_request < FCS_ALIAS_CERT ||
- cert_request >
- (FCS_ALIAS_CERT |
- FCS_DEV_ID_SELF_SIGN_CERT |
- FCS_DEV_ID_ENROLL_CERT |
- FCS_ENROLL_SELF_SIGN_CERT |
- FCS_PLAT_KEY_CERT)) {
+ if (cert_request < FCS_ATTEST_FIRMWARE_CERT ||
+ cert_request > FCS_ATTEST_CERT_MAX_REQ_PARAM) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
@@ -607,13 +602,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
- if (cert_request < FCS_ALIAS_CERT ||
- cert_request >
- (FCS_ALIAS_CERT |
- FCS_DEV_ID_SELF_SIGN_CERT |
- FCS_DEV_ID_ENROLL_CERT |
- FCS_ENROLL_SELF_SIGN_CERT |
- FCS_PLAT_KEY_CERT)) {
+ if (cert_request < FCS_ATTEST_FIRMWARE_CERT ||
+ cert_request > FCS_ATTEST_CERT_MAX_REQ_PARAM) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
@@ -859,7 +849,7 @@
{
int status;
uint32_t i;
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
uint32_t payload[FCS_GET_DIGEST_CMD_MAX_WORD_SIZE] = {0U};
if (dst_size == NULL || mbox_error == NULL) {
@@ -881,6 +871,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
i = 0;
/* Crypto header */
@@ -944,7 +936,7 @@
{
int status;
uint32_t i;
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uintptr_t mac_offset;
@@ -971,6 +963,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
i = 0;
/* Crypto header */
@@ -1040,7 +1034,7 @@
int status;
uint32_t i;
uint32_t payload[FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE] = {0U};
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
uintptr_t hash_data_addr;
if ((dst_size == NULL) || (mbox_error == NULL)) {
@@ -1057,6 +1051,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
/* Crypto header */
i = 0;
@@ -1122,7 +1118,7 @@
int status;
uint32_t i = 0;
uint32_t payload[FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
uintptr_t hash_sig_pubkey_addr;
if ((dst_size == NULL) || (mbox_error == NULL)) {
@@ -1139,6 +1135,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
/* Crypto header */
i = 0;
@@ -1207,7 +1205,7 @@
int status;
int i;
uint32_t payload[FCS_ECDSA_SHA2_DATA_SIGN_CMD_MAX_WORD_SIZE] = {0U};
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1228,6 +1226,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
/* Crypto header */
i = 0;
@@ -1291,7 +1291,7 @@
int status;
uint32_t i;
uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
uintptr_t sig_pubkey_offset;
if ((dst_size == NULL) || (mbox_error == NULL)) {
@@ -1317,6 +1317,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
/* Crypto header */
i = 0;
@@ -1384,7 +1386,7 @@
int status;
int i;
uint32_t crypto_header;
- uint32_t ret_size = *dst_size / MBOX_WORD_BYTE;
+ uint32_t ret_size;
uint32_t payload[FCS_ECDSA_GET_PUBKEY_MAX_WORD_SIZE] = {0U};
if ((dst_size == NULL) || (mbox_error == NULL)) {
@@ -1396,6 +1398,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ ret_size = *dst_size / MBOX_WORD_BYTE;
+
crypto_header = ((FCS_CS_FIELD_FLAG_INIT |
FCS_CS_FIELD_FLAG_UPDATE |
FCS_CS_FIELD_FLAG_FINALIZE) <<
@@ -1451,7 +1455,7 @@
int status;
uint32_t i;
uint32_t payload[FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE] = {0U};
- uint32_t resp_len = *dst_size / MBOX_WORD_BYTE;
+ uint32_t resp_len;
uintptr_t pubkey;
if ((dst_size == NULL) || (mbox_error == NULL)) {
@@ -1468,6 +1472,8 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ resp_len = *dst_size / MBOX_WORD_BYTE;
+
/* Prepare command payload */
i = 0;
/* Crypto header */