Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 3e2b154674e684892f0b5765c951802f8808e3a4 / . / drivers / auth / dualroot / cot.c
blob: eb0b020d794e68d7c58f8060fdb0da7d7bf38a8c [file] [log] [blame]
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]1/*
2 * Copyright (c) 2020, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <stddef.h>
8
9#include <platform_def.h>
10
11#include <drivers/auth/mbedtls/mbedtls_config.h>
12#include <drivers/auth/auth_mod.h>
13#include <tools_share/dualroot_oid.h>
14
15/*
16 * TODO: Remove dependency on mbedTLS. The chain of trust should be agnostic of
17 * the specific cryptographic library in use.
18*/
19/*
20 * Maximum key and hash sizes (in DER format).
21 *
22 * Both RSA and ECDSA keys may be used at the same time. In this case, the key
23 * buffers must be big enough to hold either. As RSA keys are bigger than ECDSA
24 * ones for all key sizes we support, they impose the minimum size of these
25 * buffers.
26 */
27#if TF_MBEDTLS_USE_RSA
28#if TF_MBEDTLS_KEY_SIZE == 1024
29#define PK_DER_LEN 162
30#elif TF_MBEDTLS_KEY_SIZE == 2048
31#define PK_DER_LEN 294
32#elif TF_MBEDTLS_KEY_SIZE == 3072
33#define PK_DER_LEN 422
34#elif TF_MBEDTLS_KEY_SIZE == 4096
35#define PK_DER_LEN 550
36#else
37#error "Invalid value for TF_MBEDTLS_KEY_SIZE"
38#endif
39#else /* Only using ECDSA keys. */
40#define PK_DER_LEN 91
41#endif
42
43#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256
44#define HASH_DER_LEN 51
45#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384
46#define HASH_DER_LEN 67
47#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512
48#define HASH_DER_LEN 83
49#else
50#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID"
51#endif
52
53/*
54 * Allocate static buffers to store the authentication parameters extracted from
55 * the certificates.
56 */
57static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
58static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
59static unsigned char hw_config_hash_buf[HASH_DER_LEN];
60static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
61static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
62
63#ifdef IMAGE_BL2
64static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
65static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
66static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
67static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
68static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
69static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
70static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
71
72static unsigned char trusted_world_pk_buf[PK_DER_LEN];
73static unsigned char content_pk_buf[PK_DER_LEN];
74#endif
75
76/*
77 * Parameter type descriptors.
78 */
79static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
80 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
81static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
82 AUTH_PARAM_PUB_KEY, 0);
83static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
84 AUTH_PARAM_SIG, 0);
85static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
86 AUTH_PARAM_SIG_ALG, 0);
87static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
88 AUTH_PARAM_RAW_DATA, 0);
89
90static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
91 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
92static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
93 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
94static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
95 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
96#ifdef IMAGE_BL1
97static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
98 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
99static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
100 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
101static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
102 AUTH_PARAM_HASH, FWU_HASH_OID);
103#endif /* IMAGE_BL1 */
104
105#ifdef IMAGE_BL2
106static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
107 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
108
109static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
110 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
111static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
112 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
113static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
114 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
115static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
116 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
117static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
118 AUTH_PARAM_PUB_KEY, PROT_PK_OID);
119
120static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
121 AUTH_PARAM_HASH, SCP_FW_HASH_OID);
122static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
123 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
124static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
125 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
126static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
127 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
128static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
129 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
130static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
131 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
132static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
133 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
134static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
135 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
136static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
137 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
138#endif /* IMAGE_BL2 */
139
140
141/* BL2 */
142static const auth_img_desc_t trusted_boot_fw_cert = {
143 .img_id = TRUSTED_BOOT_FW_CERT_ID,
144 .img_type = IMG_CERT,
145 .parent = NULL,
146 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
147 [0] = {
148 .type = AUTH_METHOD_SIG,
149 .param.sig = {
150 .pk = &subject_pk,
151 .sig = &sig,
152 .alg = &sig_alg,
153 .data = &raw_data
154 }
155 },
156 [1] = {
157 .type = AUTH_METHOD_NV_CTR,
158 .param.nv_ctr = {
159 .cert_nv_ctr = &trusted_nv_ctr,
160 .plat_nv_ctr = &trusted_nv_ctr
161 }
162 }
163 },
164 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
165 [0] = {
166 .type_desc = &tb_fw_hash,
167 .data = {
168 .ptr = (void *)tb_fw_hash_buf,
169 .len = (unsigned int)HASH_DER_LEN
170 }
171 },
172 [1] = {
173 .type_desc = &tb_fw_config_hash,
174 .data = {
175 .ptr = (void *)tb_fw_config_hash_buf,
176 .len = (unsigned int)HASH_DER_LEN
177 }
178 },
179 [2] = {
180 .type_desc = &hw_config_hash,
181 .data = {
182 .ptr = (void *)hw_config_hash_buf,
183 .len = (unsigned int)HASH_DER_LEN
184 }
185 }
186 }
187};
188
189#ifdef IMAGE_BL1
190static const auth_img_desc_t bl2_image = {
191 .img_id = BL2_IMAGE_ID,
192 .img_type = IMG_RAW,
193 .parent = &trusted_boot_fw_cert,
194 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
195 [0] = {
196 .type = AUTH_METHOD_HASH,
197 .param.hash = {
198 .data = &raw_data,
199 .hash = &tb_fw_hash
200 }
201 }
202 }
203};
204#endif /* IMAGE_BL1 */
205
206/* HW Config */
207static const auth_img_desc_t hw_config = {
208 .img_id = HW_CONFIG_ID,
209 .img_type = IMG_RAW,
210 .parent = &trusted_boot_fw_cert,
211 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
212 [0] = {
213 .type = AUTH_METHOD_HASH,
214 .param.hash = {
215 .data = &raw_data,
216 .hash = &hw_config_hash
217 }
218 }
219 }
220};
221
222/* TB FW Config */
223#ifdef IMAGE_BL1
224static const auth_img_desc_t tb_fw_config = {
225 .img_id = TB_FW_CONFIG_ID,
226 .img_type = IMG_RAW,
227 .parent = &trusted_boot_fw_cert,
228 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
229 [0] = {
230 .type = AUTH_METHOD_HASH,
231 .param.hash = {
232 .data = &raw_data,
233 .hash = &tb_fw_config_hash
234 }
235 }
236 }
237};
238#endif /* IMAGE_BL1 */
239
240#ifdef IMAGE_BL2
241/* Trusted key certificate */
242static const auth_img_desc_t trusted_key_cert = {
243 .img_id = TRUSTED_KEY_CERT_ID,
244 .img_type = IMG_CERT,
245 .parent = NULL,
246 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
247 [0] = {
248 .type = AUTH_METHOD_SIG,
249 .param.sig = {
250 .pk = &subject_pk,
251 .sig = &sig,
252 .alg = &sig_alg,
253 .data = &raw_data
254 }
255 },
256 [1] = {
257 .type = AUTH_METHOD_NV_CTR,
258 .param.nv_ctr = {
259 .cert_nv_ctr = &trusted_nv_ctr,
260 .plat_nv_ctr = &trusted_nv_ctr
261 }
262 }
263 },
264 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
265 [0] = {
266 .type_desc = &trusted_world_pk,
267 .data = {
268 .ptr = (void *)trusted_world_pk_buf,
269 .len = (unsigned int)PK_DER_LEN
270 }
271 },
272 }
273};
274
275/* SCP Firmware */
276static const auth_img_desc_t scp_fw_key_cert = {
277 .img_id = SCP_FW_KEY_CERT_ID,
278 .img_type = IMG_CERT,
279 .parent = &trusted_key_cert,
280 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
281 [0] = {
282 .type = AUTH_METHOD_SIG,
283 .param.sig = {
284 .pk = &trusted_world_pk,
285 .sig = &sig,
286 .alg = &sig_alg,
287 .data = &raw_data
288 }
289 },
290 [1] = {
291 .type = AUTH_METHOD_NV_CTR,
292 .param.nv_ctr = {
293 .cert_nv_ctr = &trusted_nv_ctr,
294 .plat_nv_ctr = &trusted_nv_ctr
295 }
296 }
297 },
298 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
299 [0] = {
300 .type_desc = &scp_fw_content_pk,
301 .data = {
302 .ptr = (void *)content_pk_buf,
303 .len = (unsigned int)PK_DER_LEN
304 }
305 }
306 }
307};
308
309static const auth_img_desc_t scp_fw_content_cert = {
310 .img_id = SCP_FW_CONTENT_CERT_ID,
311 .img_type = IMG_CERT,
312 .parent = &scp_fw_key_cert,
313 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
314 [0] = {
315 .type = AUTH_METHOD_SIG,
316 .param.sig = {
317 .pk = &scp_fw_content_pk,
318 .sig = &sig,
319 .alg = &sig_alg,
320 .data = &raw_data
321 }
322 },
323 [1] = {
324 .type = AUTH_METHOD_NV_CTR,
325 .param.nv_ctr = {
326 .cert_nv_ctr = &trusted_nv_ctr,
327 .plat_nv_ctr = &trusted_nv_ctr
328 }
329 }
330 },
331 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
332 [0] = {
333 .type_desc = &scp_fw_hash,
334 .data = {
335 .ptr = (void *)scp_fw_hash_buf,
336 .len = (unsigned int)HASH_DER_LEN
337 }
338 }
339 }
340};
341
342static const auth_img_desc_t scp_bl2_image = {
343 .img_id = SCP_BL2_IMAGE_ID,
344 .img_type = IMG_RAW,
345 .parent = &scp_fw_content_cert,
346 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
347 [0] = {
348 .type = AUTH_METHOD_HASH,
349 .param.hash = {
350 .data = &raw_data,
351 .hash = &scp_fw_hash
352 }
353 }
354 }
355};
356
357/* SoC Firmware */
358static const auth_img_desc_t soc_fw_key_cert = {
359 .img_id = SOC_FW_KEY_CERT_ID,
360 .img_type = IMG_CERT,
361 .parent = &trusted_key_cert,
362 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
363 [0] = {
364 .type = AUTH_METHOD_SIG,
365 .param.sig = {
366 .pk = &trusted_world_pk,
367 .sig = &sig,
368 .alg = &sig_alg,
369 .data = &raw_data
370 }
371 },
372 [1] = {
373 .type = AUTH_METHOD_NV_CTR,
374 .param.nv_ctr = {
375 .cert_nv_ctr = &trusted_nv_ctr,
376 .plat_nv_ctr = &trusted_nv_ctr
377 }
378 }
379 },
380 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
381 [0] = {
382 .type_desc = &soc_fw_content_pk,
383 .data = {
384 .ptr = (void *)content_pk_buf,
385 .len = (unsigned int)PK_DER_LEN
386 }
387 }
388 }
389};
390
391static const auth_img_desc_t soc_fw_content_cert = {
392 .img_id = SOC_FW_CONTENT_CERT_ID,
393 .img_type = IMG_CERT,
394 .parent = &soc_fw_key_cert,
395 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
396 [0] = {
397 .type = AUTH_METHOD_SIG,
398 .param.sig = {
399 .pk = &soc_fw_content_pk,
400 .sig = &sig,
401 .alg = &sig_alg,
402 .data = &raw_data
403 }
404 },
405 [1] = {
406 .type = AUTH_METHOD_NV_CTR,
407 .param.nv_ctr = {
408 .cert_nv_ctr = &trusted_nv_ctr,
409 .plat_nv_ctr = &trusted_nv_ctr
410 }
411 }
412 },
413 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
414 [0] = {
415 .type_desc = &soc_fw_hash,
416 .data = {
417 .ptr = (void *)soc_fw_hash_buf,
418 .len = (unsigned int)HASH_DER_LEN
419 }
420 },
421 [1] = {
422 .type_desc = &soc_fw_config_hash,
423 .data = {
424 .ptr = (void *)soc_fw_config_hash_buf,
425 .len = (unsigned int)HASH_DER_LEN
426 }
427 }
428 }
429};
430
431static const auth_img_desc_t bl31_image = {
432 .img_id = BL31_IMAGE_ID,
433 .img_type = IMG_RAW,
434 .parent = &soc_fw_content_cert,
435 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
436 [0] = {
437 .type = AUTH_METHOD_HASH,
438 .param.hash = {
439 .data = &raw_data,
440 .hash = &soc_fw_hash
441 }
442 }
443 }
444};
445
446/* SOC FW Config */
447static const auth_img_desc_t soc_fw_config = {
448 .img_id = SOC_FW_CONFIG_ID,
449 .img_type = IMG_RAW,
450 .parent = &soc_fw_content_cert,
451 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
452 [0] = {
453 .type = AUTH_METHOD_HASH,
454 .param.hash = {
455 .data = &raw_data,
456 .hash = &soc_fw_config_hash
457 }
458 }
459 }
460};
461
462/* Trusted OS Firmware */
463static const auth_img_desc_t trusted_os_fw_key_cert = {
464 .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
465 .img_type = IMG_CERT,
466 .parent = &trusted_key_cert,
467 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
468 [0] = {
469 .type = AUTH_METHOD_SIG,
470 .param.sig = {
471 .pk = &trusted_world_pk,
472 .sig = &sig,
473 .alg = &sig_alg,
474 .data = &raw_data
475 }
476 },
477 [1] = {
478 .type = AUTH_METHOD_NV_CTR,
479 .param.nv_ctr = {
480 .cert_nv_ctr = &trusted_nv_ctr,
481 .plat_nv_ctr = &trusted_nv_ctr
482 }
483 }
484 },
485 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
486 [0] = {
487 .type_desc = &tos_fw_content_pk,
488 .data = {
489 .ptr = (void *)content_pk_buf,
490 .len = (unsigned int)PK_DER_LEN
491 }
492 }
493 }
494};
495
496static const auth_img_desc_t trusted_os_fw_content_cert = {
497 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
498 .img_type = IMG_CERT,
499 .parent = &trusted_os_fw_key_cert,
500 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
501 [0] = {
502 .type = AUTH_METHOD_SIG,
503 .param.sig = {
504 .pk = &tos_fw_content_pk,
505 .sig = &sig,
506 .alg = &sig_alg,
507 .data = &raw_data
508 }
509 },
510 [1] = {
511 .type = AUTH_METHOD_NV_CTR,
512 .param.nv_ctr = {
513 .cert_nv_ctr = &trusted_nv_ctr,
514 .plat_nv_ctr = &trusted_nv_ctr
515 }
516 }
517 },
518 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
519 [0] = {
520 .type_desc = &tos_fw_hash,
521 .data = {
522 .ptr = (void *)tos_fw_hash_buf,
523 .len = (unsigned int)HASH_DER_LEN
524 }
525 },
526 [1] = {
527 .type_desc = &tos_fw_extra1_hash,
528 .data = {
529 .ptr = (void *)tos_fw_extra1_hash_buf,
530 .len = (unsigned int)HASH_DER_LEN
531 }
532 },
533 [2] = {
534 .type_desc = &tos_fw_extra2_hash,
535 .data = {
536 .ptr = (void *)tos_fw_extra2_hash_buf,
537 .len = (unsigned int)HASH_DER_LEN
538 }
539 },
540 [3] = {
541 .type_desc = &tos_fw_config_hash,
542 .data = {
543 .ptr = (void *)tos_fw_config_hash_buf,
544 .len = (unsigned int)HASH_DER_LEN
545 }
546 }
547 }
548};
549
550static const auth_img_desc_t bl32_image = {
551 .img_id = BL32_IMAGE_ID,
552 .img_type = IMG_RAW,
553 .parent = &trusted_os_fw_content_cert,
554 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
555 [0] = {
556 .type = AUTH_METHOD_HASH,
557 .param.hash = {
558 .data = &raw_data,
559 .hash = &tos_fw_hash
560 }
561 }
562 }
563};
564
565static const auth_img_desc_t bl32_extra1_image = {
566 .img_id = BL32_EXTRA1_IMAGE_ID,
567 .img_type = IMG_RAW,
568 .parent = &trusted_os_fw_content_cert,
569 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
570 [0] = {
571 .type = AUTH_METHOD_HASH,
572 .param.hash = {
573 .data = &raw_data,
574 .hash = &tos_fw_extra1_hash
575 }
576 }
577 }
578};
579
580static const auth_img_desc_t bl32_extra2_image = {
581 .img_id = BL32_EXTRA2_IMAGE_ID,
582 .img_type = IMG_RAW,
583 .parent = &trusted_os_fw_content_cert,
584 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
585 [0] = {
586 .type = AUTH_METHOD_HASH,
587 .param.hash = {
588 .data = &raw_data,
589 .hash = &tos_fw_extra2_hash
590 }
591 }
592 }
593};
594
595/* TOS FW Config */
596static const auth_img_desc_t tos_fw_config = {
597 .img_id = TOS_FW_CONFIG_ID,
598 .img_type = IMG_RAW,
599 .parent = &trusted_os_fw_content_cert,
600 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
601 [0] = {
602 .type = AUTH_METHOD_HASH,
603 .param.hash = {
604 .data = &raw_data,
605 .hash = &tos_fw_config_hash
606 }
607 }
608 }
609};
610
611/* Non-Trusted Firmware */
612static const auth_img_desc_t non_trusted_fw_content_cert = {
613 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
614 .img_type = IMG_CERT,
615 .parent = NULL, /* Root certificate. */
616 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
617 [0] = {
618 .type = AUTH_METHOD_SIG,
619 .param.sig = {
620 .pk = &prot_pk,
621 .sig = &sig,
622 .alg = &sig_alg,
623 .data = &raw_data
624 }
625 },
626 [1] = {
627 .type = AUTH_METHOD_NV_CTR,
628 .param.nv_ctr = {
629 .cert_nv_ctr = &non_trusted_nv_ctr,
630 .plat_nv_ctr = &non_trusted_nv_ctr
631 }
632 }
633 },
634 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
635 [0] = {
636 .type_desc = &nt_world_bl_hash,
637 .data = {
638 .ptr = (void *)nt_world_bl_hash_buf,
639 .len = (unsigned int)HASH_DER_LEN
640 }
641 },
642 [1] = {
643 .type_desc = &nt_fw_config_hash,
644 .data = {
645 .ptr = (void *)nt_fw_config_hash_buf,
646 .len = (unsigned int)HASH_DER_LEN
647 }
648 }
649 }
650};
651
652static const auth_img_desc_t bl33_image = {
653 .img_id = BL33_IMAGE_ID,
654 .img_type = IMG_RAW,
655 .parent = &non_trusted_fw_content_cert,
656 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
657 [0] = {
658 .type = AUTH_METHOD_HASH,
659 .param.hash = {
660 .data = &raw_data,
661 .hash = &nt_world_bl_hash
662 }
663 }
664 }
665};
666
667/* NT FW Config */
668static const auth_img_desc_t nt_fw_config = {
669 .img_id = NT_FW_CONFIG_ID,
670 .img_type = IMG_RAW,
671 .parent = &non_trusted_fw_content_cert,
672 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
673 [0] = {
674 .type = AUTH_METHOD_HASH,
675 .param.hash = {
676 .data = &raw_data,
677 .hash = &nt_fw_config_hash
678 }
679 }
680 }
681};
682
683#else /* IMAGE_BL2 */
684
685/* FWU auth descriptor */
686static const auth_img_desc_t fwu_cert = {
687 .img_id = FWU_CERT_ID,
688 .img_type = IMG_CERT,
689 .parent = NULL,
690 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
691 [0] = {
692 .type = AUTH_METHOD_SIG,
693 .param.sig = {
694 .pk = &subject_pk,
695 .sig = &sig,
696 .alg = &sig_alg,
697 .data = &raw_data
698 }
699 }
700 },
701 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
702 [0] = {
703 .type_desc = &scp_bl2u_hash,
704 .data = {
705 .ptr = (void *)scp_fw_hash_buf,
706 .len = (unsigned int)HASH_DER_LEN
707 }
708 },
709 [1] = {
710 .type_desc = &bl2u_hash,
711 .data = {
712 .ptr = (void *)tb_fw_hash_buf,
713 .len = (unsigned int)HASH_DER_LEN
714 }
715 },
716 [2] = {
717 .type_desc = &ns_bl2u_hash,
718 .data = {
719 .ptr = (void *)nt_world_bl_hash_buf,
720 .len = (unsigned int)HASH_DER_LEN
721 }
722 }
723 }
724};
725
726/* SCP_BL2U */
727static const auth_img_desc_t scp_bl2u_image = {
728 .img_id = SCP_BL2U_IMAGE_ID,
729 .img_type = IMG_RAW,
730 .parent = &fwu_cert,
731 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
732 [0] = {
733 .type = AUTH_METHOD_HASH,
734 .param.hash = {
735 .data = &raw_data,
736 .hash = &scp_bl2u_hash
737 }
738 }
739 }
740};
741
742/* BL2U */
743static const auth_img_desc_t bl2u_image = {
744 .img_id = BL2U_IMAGE_ID,
745 .img_type = IMG_RAW,
746 .parent = &fwu_cert,
747 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
748 [0] = {
749 .type = AUTH_METHOD_HASH,
750 .param.hash = {
751 .data = &raw_data,
752 .hash = &bl2u_hash
753 }
754 }
755 }
756};
757
758/* NS_BL2U */
759static const auth_img_desc_t ns_bl2u_image = {
760 .img_id = NS_BL2U_IMAGE_ID,
761 .img_type = IMG_RAW,
762 .parent = &fwu_cert,
763 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
764 [0] = {
765 .type = AUTH_METHOD_HASH,
766 .param.hash = {
767 .data = &raw_data,
768 .hash = &ns_bl2u_hash
769 }
770 }
771 }
772};
773#endif /* IMAGE_BL2 */
774
775/*
776 * Chain of trust definition
777 */
778#ifdef IMAGE_BL1
779static const auth_img_desc_t * const cot_desc[] = {
780 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
781 [BL2_IMAGE_ID] = &bl2_image,
782 [HW_CONFIG_ID] = &hw_config,
783 [TB_FW_CONFIG_ID] = &tb_fw_config,
784 [FWU_CERT_ID] = &fwu_cert,
785 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
786 [BL2U_IMAGE_ID] = &bl2u_image,
787 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image
788};
789#else /* IMAGE_BL2 */
790static const auth_img_desc_t * const cot_desc[] = {
791 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
792 [HW_CONFIG_ID] = &hw_config,
793 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
794 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert,
795 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert,
796 [SCP_BL2_IMAGE_ID] = &scp_bl2_image,
797 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
798 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
799 [BL31_IMAGE_ID] = &bl31_image,
800 [SOC_FW_CONFIG_ID] = &soc_fw_config,
801 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
802 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
803 [BL32_IMAGE_ID] = &bl32_image,
804 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
805 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
806 [TOS_FW_CONFIG_ID] = &tos_fw_config,
807 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
808 [BL33_IMAGE_ID] = &bl33_image,
809 [NT_FW_CONFIG_ID] = &nt_fw_config,
810};
811#endif
812
813/* Register the CoT in the authentication module */
814REGISTER_COT(cot_desc);