/*
 * Copyright (c) 2020-2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
6
7#include <stddef.h>
8
9#include <platform_def.h>
10
Manish V Badarkheabf1b8d2022-01-27 13:50:23 +000011#include MBEDTLS_CONFIG_FILE
Sandrine Bailleux6ae00742020-02-06 14:59:14 +010012#include <drivers/auth/auth_mod.h>
13#include <tools_share/dualroot_oid.h>
14
/*
 * Allocate static buffers to store the authentication parameters extracted from
 * the certificates.
 *
 * Each buffer holds one DER-encoded hash (HASH_DER_LEN bytes) or public key
 * (PK_DER_LEN bytes). A certificate descriptor below names the buffer in its
 * authenticated_data so the auth module can write the parsed value into it;
 * the image (or child certificate) that the value covers then refers to the
 * same parameter through its type descriptor. The buffers are deliberately
 * non-const (they are filled at runtime), hence the (void *) casts below.
 */
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
/* tb_fw_hash_buf, scp_fw_hash_buf and nt_world_bl_hash_buf are also reused by
 * the BL1-only FWU certificate (fwu_cert), which is a separate flow. */
static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char hw_config_hash_buf[HASH_DER_LEN];
static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];

#ifdef IMAGE_BL2
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
#if defined(SPD_spmd)
/*
 * One hash slot per secure partition package. The SP content certificates
 * below use indices 0..7, so MAX_SP_IDS must be at least 8 -- confirm in
 * platform_def.h.
 */
static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
#endif /* SPD_spmd */

/*
 * trusted_world_pk_buf receives the key extracted from trusted_key_cert.
 * content_pk_buf is shared by the SCP, SoC and Trusted OS key certificates:
 * each one overwrites it with its own content-certificate key. This relies on
 * every content certificate being verified before the next key certificate is
 * processed -- NOTE(review): confirm against the BL2 image load order.
 */
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN];
#endif /* IMAGE_BL2 */

/*
 * Parameter type descriptors.
 *
 * Each descriptor pairs a parameter kind (AUTH_PARAM_*) with the certificate
 * extension OID it is located by. A cookie of 0 means there is no extension
 * OID: for sig, sig_alg and raw_data the value presumably comes from the
 * certificate body itself, and for subject_pk from the platform when the
 * certificate has no parent -- confirm against auth_mod.c.
 */
/* Rollback counter for the trusted chain: every trusted certificate below
 * uses it for both .cert_nv_ctr and .plat_nv_ctr. */
static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, 0);
static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG, 0);
static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG_ALG, 0);
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_RAW_DATA, 0);

/* Hashes carried by the trusted boot firmware certificate (both BL1 and BL2). */
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
#ifdef IMAGE_BL1
/* Hashes carried by the FWU certificate (firmware update flow, BL1 only). */
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FWU_HASH_OID);
#endif /* IMAGE_BL1 */

#ifdef IMAGE_BL2
/* Separate rollback counter for the non-trusted chain (non_trusted_fw_content_cert,
 * plat_sp_content_cert). */
static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);

/* Public keys: trusted_world_pk is extracted from trusted_key_cert and signs
 * the SCP/SoC/TOS key certificates and the SiP SP content certificate; the
 * *_content_pk keys are extracted from those key certificates. */
static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
/* prot_pk is never extracted from a certificate here: it is used only by root
 * certificates (parent == NULL) of the non-trusted side, so it is presumably
 * the platform root-of-trust key of the dual-root scheme, supplied by the
 * platform -- confirm against the platform's key lookup. */
static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, PROT_PK_OID);

static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
#if defined(SPD_spmd)
/* Secure partition package hashes: 1-4 come from the SiP SP content
 * certificate, 5-8 from the platform SP content certificate. */
static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
#endif /* SPD_spmd */
#endif /* IMAGE_BL2 */


/* BL2 */
/*
 * Trusted boot firmware certificate. It is a root certificate (no parent), so
 * its signature is checked with subject_pk (cookie 0) rather than a key
 * extracted from a parent; the NV counter check against trusted_nv_ctr is the
 * rollback-protection step for the trusted chain. The four hashes it carries
 * cover BL2 (verified in BL1 only), HW_CONFIG, TB_FW_CONFIG and FW_CONFIG.
 */
static const auth_img_desc_t trusted_boot_fw_cert = {
	.img_id = TRUSTED_BOOT_FW_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tb_fw_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &tb_fw_config_hash,
			.data = {
				.ptr = (void *)tb_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &hw_config_hash,
			.data = {
				.ptr = (void *)hw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &fw_config_hash,
			.data = {
				.ptr = (void *)fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

#ifdef IMAGE_BL1
/*
 * BL2 image (BL1 only): a raw image whose hash is compared with the
 * tb_fw_hash value extracted from trusted_boot_fw_cert.
 */
static const auth_img_desc_t bl2_image = {
	.img_id = BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_hash
			}
		}
	}
};
#endif /* IMAGE_BL1 */

/* HW Config */
/*
 * Hardware configuration blob, hash-checked against hw_config_hash from
 * trusted_boot_fw_cert. Present in both the BL1 and BL2 chains.
 */
static const auth_img_desc_t hw_config = {
	.img_id = HW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &hw_config_hash
			}
		}
	}
};

/* TB FW Config */
#ifdef IMAGE_BL1
/*
 * Trusted boot firmware configuration and firmware configuration blobs
 * (BL1 only). Both are hash-checked against the values extracted from
 * trusted_boot_fw_cert.
 */
static const auth_img_desc_t tb_fw_config = {
	.img_id = TB_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_config_hash
			}
		}
	}
};

static const auth_img_desc_t fw_config = {
	.img_id = FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &fw_config_hash
			}
		}
	}
};

#endif /* IMAGE_BL1 */

#ifdef IMAGE_BL2
/* Trusted key certificate */
/*
 * Root certificate of the trusted world (no parent; signature checked with
 * subject_pk, counter checked against trusted_nv_ctr). It only yields
 * trusted_world_pk: in this dual-root layout the non-trusted chain is rooted
 * in prot_pk instead, so no non-trusted-world key is extracted here.
 */
static const auth_img_desc_t trusted_key_cert = {
	.img_id = TRUSTED_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &trusted_world_pk,
			.data = {
				.ptr = (void *)trusted_world_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		},
	}
};

/* SCP Firmware */
/*
 * SCP chain: key certificate (signed by trusted_world_pk, yields
 * scp_fw_content_pk into the shared content_pk_buf) -> content certificate
 * (signed by scp_fw_content_pk, yields scp_fw_hash) -> SCP_BL2 image
 * (hash-checked). Every certificate in the chain also checks trusted_nv_ctr.
 */
static const auth_img_desc_t scp_fw_key_cert = {
	.img_id = SCP_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_fw_content_pk,
			.data = {
				/* Shared buffer; overwritten again by the SoC and TOS key certs. */
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t scp_fw_content_cert = {
	.img_id = SCP_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &scp_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &scp_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_fw_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t scp_bl2_image = {
	.img_id = SCP_BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &scp_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_fw_hash
			}
		}
	}
};

/* SoC Firmware */
/*
 * SoC chain: key certificate (signed by trusted_world_pk, yields
 * soc_fw_content_pk into content_pk_buf) -> content certificate (signed by
 * soc_fw_content_pk, yields soc_fw_hash and soc_fw_config_hash) -> BL31 image
 * and SOC_FW_CONFIG blob (hash-checked). All certificates check trusted_nv_ctr.
 */
static const auth_img_desc_t soc_fw_key_cert = {
	.img_id = SOC_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &soc_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t soc_fw_content_cert = {
	.img_id = SOC_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &soc_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &soc_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &soc_fw_hash,
			.data = {
				.ptr = (void *)soc_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &soc_fw_config_hash,
			.data = {
				.ptr = (void *)soc_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t bl31_image = {
	.img_id = BL31_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &soc_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &soc_fw_hash
			}
		}
	}
};

/* SOC FW Config */
static const auth_img_desc_t soc_fw_config = {
	.img_id = SOC_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &soc_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &soc_fw_config_hash
			}
		}
	}
};

/* Trusted OS Firmware */
/*
 * Trusted OS chain: key certificate (signed by trusted_world_pk, yields
 * tos_fw_content_pk into content_pk_buf) -> content certificate (signed by
 * tos_fw_content_pk, yields the BL32, EXTRA1, EXTRA2 and TOS_FW_CONFIG
 * hashes) -> the four corresponding raw images. All certificates check
 * trusted_nv_ctr.
 */
static const auth_img_desc_t trusted_os_fw_key_cert = {
	.img_id = TRUSTED_OS_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tos_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t trusted_os_fw_content_cert = {
	.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_os_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &tos_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tos_fw_hash,
			.data = {
				.ptr = (void *)tos_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &tos_fw_extra1_hash,
			.data = {
				.ptr = (void *)tos_fw_extra1_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &tos_fw_extra2_hash,
			.data = {
				.ptr = (void *)tos_fw_extra2_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &tos_fw_config_hash,
			.data = {
				.ptr = (void *)tos_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t bl32_image = {
	.img_id = BL32_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_hash
			}
		}
	}
};

static const auth_img_desc_t bl32_extra1_image = {
	.img_id = BL32_EXTRA1_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_extra1_hash
			}
		}
	}
};

static const auth_img_desc_t bl32_extra2_image = {
	.img_id = BL32_EXTRA2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_extra2_hash
			}
		}
	}
};

/* TOS FW Config */
static const auth_img_desc_t tos_fw_config = {
	.img_id = TOS_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_config_hash
			}
		}
	}
};

/* Non-Trusted Firmware */
/*
 * Second root of the dual-root scheme. The non-trusted content certificate has
 * no parent and is verified directly with prot_pk, and it uses its own
 * rollback counter (non_trusted_nv_ctr) rather than the trusted one, so the
 * non-trusted world can be updated independently of the trusted chain. It
 * yields the BL33 and NT_FW_CONFIG hashes.
 */
static const auth_img_desc_t non_trusted_fw_content_cert = {
	.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL, /* Root certificate. */
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &prot_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &non_trusted_nv_ctr,
				.plat_nv_ctr = &non_trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &nt_world_bl_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &nt_fw_config_hash,
			.data = {
				.ptr = (void *)nt_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

static const auth_img_desc_t bl33_image = {
	.img_id = BL33_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &non_trusted_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &nt_world_bl_hash
			}
		}
	}
};

/* NT FW Config */
static const auth_img_desc_t nt_fw_config = {
	.img_id = NT_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &non_trusted_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &nt_fw_config_hash
			}
		}
	}
};

/*
 * Secure Partitions
 *
 * Two SP content certificates, one per root: the SiP certificate hangs off
 * trusted_key_cert (signed by trusted_world_pk, trusted_nv_ctr) and covers
 * packages 1-4; the platform certificate is a root (signed by prot_pk,
 * non_trusted_nv_ctr) and covers packages 5-8. The package image descriptors
 * themselves are generated by DEFINE_SIP_SP_PKG / DEFINE_PLAT_SP_PKG, which
 * are defined outside this file (presumably in the auth module headers --
 * confirm); the names they produce (sp_pkg1 .. sp_pkg8) are what cot_desc
 * references below.
 */
#if defined(SPD_spmd)
static const auth_img_desc_t sip_sp_content_cert = {
	.img_id = SIP_SP_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* Slots 0..3 of sp_pkg_hash_buf belong to the SiP packages. */
		[0] = {
			.type_desc = &sp_pkg1_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[0],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &sp_pkg2_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[1],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &sp_pkg3_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[2],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &sp_pkg4_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[3],
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

DEFINE_SIP_SP_PKG(1);
DEFINE_SIP_SP_PKG(2);
DEFINE_SIP_SP_PKG(3);
DEFINE_SIP_SP_PKG(4);

/*
 * Platform-owned SP packages: a root certificate on the prot_pk side, with
 * the non-trusted rollback counter.
 */
static const auth_img_desc_t plat_sp_content_cert = {
	.img_id = PLAT_SP_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &prot_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &non_trusted_nv_ctr,
				.plat_nv_ctr = &non_trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* Slots 4..7 of sp_pkg_hash_buf belong to the platform packages. */
		[0] = {
			.type_desc = &sp_pkg5_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[4],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &sp_pkg6_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[5],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &sp_pkg7_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[6],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &sp_pkg8_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[7],
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

DEFINE_PLAT_SP_PKG(5);
DEFINE_PLAT_SP_PKG(6);
DEFINE_PLAT_SP_PKG(7);
DEFINE_PLAT_SP_PKG(8);
#endif /* SPD_spmd */

#else /* !IMAGE_BL2, i.e. the BL1 build: firmware update chain */

/* FWU auth descriptor */
/*
 * Firmware update certificate. A root certificate (no parent) verified with
 * subject_pk; it yields the SCP_BL2U, BL2U and NS_BL2U hashes, reusing the
 * scp_fw_hash_buf, tb_fw_hash_buf and nt_world_bl_hash_buf buffers that the
 * normal boot chain would otherwise use in this image.
 * NOTE(review): unlike every other certificate in this file it has no
 * AUTH_METHOD_NV_CTR entry, so the FWU images are not rollback-protected by
 * this descriptor -- confirm this is intended for the FWU flow.
 */
static const auth_img_desc_t fwu_cert = {
	.img_id = FWU_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_bl2u_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &bl2u_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &ns_bl2u_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* SCP_BL2U */
static const auth_img_desc_t scp_bl2u_image = {
	.img_id = SCP_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_bl2u_hash
			}
		}
	}
};

/* BL2U */
static const auth_img_desc_t bl2u_image = {
	.img_id = BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &bl2u_hash
			}
		}
	}
};

/* NS_BL2U */
static const auth_img_desc_t ns_bl2u_image = {
	.img_id = NS_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &ns_bl2u_hash
			}
		}
	}
};
#endif /* IMAGE_BL2 */

/*
 * Chain of trust definition
 *
 * cot_desc is indexed by image ID. Only the IDs listed get a descriptor; any
 * other slot up to the highest listed ID is left NULL by the designated
 * initializer, and an image with no descriptor presumably cannot be
 * authenticated -- confirm how the auth module treats NULL entries. BL1 sees
 * the trusted boot certificate, its config blobs and the FWU chain; BL2 sees
 * the full dual-root chain.
 */
#ifdef IMAGE_BL1
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
	[BL2_IMAGE_ID]				=	&bl2_image,
	[HW_CONFIG_ID]				=	&hw_config,
	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
	[FW_CONFIG_ID]				=	&fw_config,
	[FWU_CERT_ID]				=	&fwu_cert,
	[SCP_BL2U_IMAGE_ID]			=	&scp_bl2u_image,
	[BL2U_IMAGE_ID]				=	&bl2u_image,
	[NS_BL2U_IMAGE_ID]			=	&ns_bl2u_image
};
#else /* IMAGE_BL2 */
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
	[HW_CONFIG_ID]				=	&hw_config,
	[TRUSTED_KEY_CERT_ID]			=	&trusted_key_cert,
	[SCP_FW_KEY_CERT_ID]			=	&scp_fw_key_cert,
	[SCP_FW_CONTENT_CERT_ID]		=	&scp_fw_content_cert,
	[SCP_BL2_IMAGE_ID]			=	&scp_bl2_image,
	[SOC_FW_KEY_CERT_ID]			=	&soc_fw_key_cert,
	[SOC_FW_CONTENT_CERT_ID]		=	&soc_fw_content_cert,
	[BL31_IMAGE_ID]				=	&bl31_image,
	[SOC_FW_CONFIG_ID]			=	&soc_fw_config,
	[TRUSTED_OS_FW_KEY_CERT_ID]		=	&trusted_os_fw_key_cert,
	[TRUSTED_OS_FW_CONTENT_CERT_ID]		=	&trusted_os_fw_content_cert,
	[BL32_IMAGE_ID]				=	&bl32_image,
	[BL32_EXTRA1_IMAGE_ID]			=	&bl32_extra1_image,
	[BL32_EXTRA2_IMAGE_ID]			=	&bl32_extra2_image,
	[TOS_FW_CONFIG_ID]			=	&tos_fw_config,
	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
	[BL33_IMAGE_ID]				=	&bl33_image,
	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
#if defined(SPD_spmd)
	/* sp_pkg1 .. sp_pkg8 are produced by the DEFINE_*_SP_PKG macros above. */
	[SIP_SP_CONTENT_CERT_ID]		=	&sip_sp_content_cert,
	[PLAT_SP_CONTENT_CERT_ID]		=	&plat_sp_content_cert,
	[SP_PKG1_ID]				=	&sp_pkg1,
	[SP_PKG2_ID]				=	&sp_pkg2,
	[SP_PKG3_ID]				=	&sp_pkg3,
	[SP_PKG4_ID]				=	&sp_pkg4,
	[SP_PKG5_ID]				=	&sp_pkg5,
	[SP_PKG6_ID]				=	&sp_pkg6,
	[SP_PKG7_ID]				=	&sp_pkg7,
	[SP_PKG8_ID]				=	&sp_pkg8,
#endif /* SPD_spmd */
};
#endif /* IMAGE_BL1 */

/* Register the CoT in the authentication module */
REGISTER_COT(cot_desc);