| laurenw-arm | 56f1e3e | 2021-03-03 14:19:38 -0600 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved. |
| 3 | * |
| 4 | * SPDX-License-Identifier: BSD-3-Clause |
| 5 | */ |
| 6 | |
| 7 | #include <stddef.h> |
| 8 | |
| 9 | #include <drivers/auth/auth_mod.h> |
| 10 | #include <drivers/auth/mbedtls/mbedtls_config.h> |
| 11 | #include <drivers/auth/tbbr_cot_common.h> |
| 12 | |
| 13 | #if USE_TBBR_DEFS |
| 14 | #include <tools_share/tbbr_oid.h> |
| 15 | #else |
| 16 | #include <platform_oid.h> |
| 17 | #endif |
| 18 | #include <platform_def.h> |
| 19 | |
| 20 | |
| 21 | static unsigned char trusted_world_pk_buf[PK_DER_LEN]; |
| 22 | static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; |
| 23 | static unsigned char content_pk_buf[PK_DER_LEN]; |
| 24 | static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; |
| 25 | |
| 26 | static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( |
| 27 | AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); |
| 28 | static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( |
| 29 | AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); |
| 30 | static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( |
| 31 | AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); |
| 32 | static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( |
| 33 | AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); |
| 34 | static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( |
| 35 | AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); |
| 36 | static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( |
| 37 | AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); |
| 38 | /* |
| 39 | * Trusted key certificate |
| 40 | */ |
| 41 | static const auth_img_desc_t trusted_key_cert = { |
| 42 | .img_id = TRUSTED_KEY_CERT_ID, |
| 43 | .img_type = IMG_CERT, |
| 44 | .parent = NULL, |
| 45 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 46 | [0] = { |
| 47 | .type = AUTH_METHOD_SIG, |
| 48 | .param.sig = { |
| 49 | .pk = &subject_pk, |
| 50 | .sig = &sig, |
| 51 | .alg = &sig_alg, |
| 52 | .data = &raw_data |
| 53 | } |
| 54 | }, |
| 55 | [1] = { |
| 56 | .type = AUTH_METHOD_NV_CTR, |
| 57 | .param.nv_ctr = { |
| 58 | .cert_nv_ctr = &trusted_nv_ctr, |
| 59 | .plat_nv_ctr = &trusted_nv_ctr |
| 60 | } |
| 61 | } |
| 62 | }, |
| 63 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 64 | [0] = { |
| 65 | .type_desc = &trusted_world_pk, |
| 66 | .data = { |
| 67 | .ptr = (void *)trusted_world_pk_buf, |
| 68 | .len = (unsigned int)PK_DER_LEN |
| 69 | } |
| 70 | }, |
| 71 | [1] = { |
| 72 | .type_desc = &non_trusted_world_pk, |
| 73 | .data = { |
| 74 | .ptr = (void *)non_trusted_world_pk_buf, |
| 75 | .len = (unsigned int)PK_DER_LEN |
| 76 | } |
| 77 | } |
| 78 | } |
| 79 | }; |
| 80 | /* |
| 81 | * Non-Trusted Firmware |
| 82 | */ |
| 83 | static const auth_img_desc_t non_trusted_fw_key_cert = { |
| 84 | .img_id = NON_TRUSTED_FW_KEY_CERT_ID, |
| 85 | .img_type = IMG_CERT, |
| 86 | .parent = &trusted_key_cert, |
| 87 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 88 | [0] = { |
| 89 | .type = AUTH_METHOD_SIG, |
| 90 | .param.sig = { |
| 91 | .pk = &non_trusted_world_pk, |
| 92 | .sig = &sig, |
| 93 | .alg = &sig_alg, |
| 94 | .data = &raw_data |
| 95 | } |
| 96 | }, |
| 97 | [1] = { |
| 98 | .type = AUTH_METHOD_NV_CTR, |
| 99 | .param.nv_ctr = { |
| 100 | .cert_nv_ctr = &non_trusted_nv_ctr, |
| 101 | .plat_nv_ctr = &non_trusted_nv_ctr |
| 102 | } |
| 103 | } |
| 104 | }, |
| 105 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 106 | [0] = { |
| 107 | .type_desc = &nt_fw_content_pk, |
| 108 | .data = { |
| 109 | .ptr = (void *)content_pk_buf, |
| 110 | .len = (unsigned int)PK_DER_LEN |
| 111 | } |
| 112 | } |
| 113 | } |
| 114 | }; |
| 115 | static const auth_img_desc_t non_trusted_fw_content_cert = { |
| 116 | .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, |
| 117 | .img_type = IMG_CERT, |
| 118 | .parent = &non_trusted_fw_key_cert, |
| 119 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 120 | [0] = { |
| 121 | .type = AUTH_METHOD_SIG, |
| 122 | .param.sig = { |
| 123 | .pk = &nt_fw_content_pk, |
| 124 | .sig = &sig, |
| 125 | .alg = &sig_alg, |
| 126 | .data = &raw_data |
| 127 | } |
| 128 | }, |
| 129 | [1] = { |
| 130 | .type = AUTH_METHOD_NV_CTR, |
| 131 | .param.nv_ctr = { |
| 132 | .cert_nv_ctr = &non_trusted_nv_ctr, |
| 133 | .plat_nv_ctr = &non_trusted_nv_ctr |
| 134 | } |
| 135 | } |
| 136 | }, |
| 137 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 138 | [0] = { |
| 139 | .type_desc = &nt_world_bl_hash, |
| 140 | .data = { |
| 141 | .ptr = (void *)nt_world_bl_hash_buf, |
| 142 | .len = (unsigned int)HASH_DER_LEN |
| 143 | } |
| 144 | }, |
| 145 | [1] = { |
| 146 | .type_desc = &nt_fw_config_hash, |
| 147 | .data = { |
| 148 | .ptr = (void *)nt_fw_config_hash_buf, |
| 149 | .len = (unsigned int)HASH_DER_LEN |
| 150 | } |
| 151 | } |
| 152 | } |
| 153 | }; |
| 154 | static const auth_img_desc_t bl33_image = { |
| 155 | .img_id = BL33_IMAGE_ID, |
| 156 | .img_type = IMG_RAW, |
| 157 | .parent = &non_trusted_fw_content_cert, |
| 158 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 159 | [0] = { |
| 160 | .type = AUTH_METHOD_HASH, |
| 161 | .param.hash = { |
| 162 | .data = &raw_data, |
| 163 | .hash = &nt_world_bl_hash |
| 164 | } |
| 165 | } |
| 166 | } |
| 167 | }; |
| 168 | |
| 169 | static const auth_img_desc_t * const cot_desc[] = { |
| 170 | [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, |
| 171 | [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, |
| 172 | [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, |
| 173 | [BL33_IMAGE_ID] = &bl33_image, |
| 174 | }; |
| 175 | |
| 176 | /* Register the CoT in the authentication module */ |
| 177 | REGISTER_COT(cot_desc); |