Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 6c0566cc8d5ae75cc0188970d79f452333ced19d / . / drivers / auth / tbbr / tbbr_cot.c
blob: 79a89651424f39d391c5d7e3f21aa0b3e981c95b [file] [log] [blame]
Juan Castillo9b265a82015-05-07 14:52:44 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <auth_mod.h>
32#include <platform_def.h>
33#include <platform_oid.h>
34#include <stddef.h>
35
36/*
37 * Maximum key and hash sizes (in DER format)
38 */
39#define PK_DER_LEN 294
40#define HASH_DER_LEN 51
41
42/*
43 * The platform must allocate buffers to store the authentication parameters
44 * extracted from the certificates. In this case, because of the way the CoT is
45 * established, we can reuse some of the buffers on different stages
46 */
47static unsigned char plat_bl2_hash_buf[HASH_DER_LEN];
48static unsigned char plat_bl30_hash_buf[HASH_DER_LEN];
49static unsigned char plat_bl31_hash_buf[HASH_DER_LEN];
50static unsigned char plat_bl32_hash_buf[HASH_DER_LEN];
51static unsigned char plat_bl33_hash_buf[HASH_DER_LEN];
52static unsigned char plat_tz_world_pk_buf[PK_DER_LEN];
53static unsigned char plat_ntz_world_pk_buf[PK_DER_LEN];
54static unsigned char plat_content_pk[PK_DER_LEN];
55
56/*
57 * Parameter type descriptors
58 */
59static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
60 AUTH_PARAM_PUB_KEY, 0);
61static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
62 AUTH_PARAM_SIG, 0);
63static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
64 AUTH_PARAM_SIG_ALG, 0);
65static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
66 AUTH_PARAM_RAW_DATA, 0);
67
68static auth_param_type_desc_t tz_world_pk = AUTH_PARAM_TYPE_DESC(
69 AUTH_PARAM_PUB_KEY, TZ_WORLD_PK_OID);
70static auth_param_type_desc_t ntz_world_pk = AUTH_PARAM_TYPE_DESC(
71 AUTH_PARAM_PUB_KEY, NTZ_WORLD_PK_OID);
72
73static auth_param_type_desc_t bl30_content_pk = AUTH_PARAM_TYPE_DESC(
74 AUTH_PARAM_PUB_KEY, BL30_CONTENT_CERT_PK_OID);
75static auth_param_type_desc_t bl31_content_pk = AUTH_PARAM_TYPE_DESC(
76 AUTH_PARAM_PUB_KEY, BL31_CONTENT_CERT_PK_OID);
77static auth_param_type_desc_t bl32_content_pk = AUTH_PARAM_TYPE_DESC(
78 AUTH_PARAM_PUB_KEY, BL32_CONTENT_CERT_PK_OID);
79static auth_param_type_desc_t bl33_content_pk = AUTH_PARAM_TYPE_DESC(
80 AUTH_PARAM_PUB_KEY, BL33_CONTENT_CERT_PK_OID);
81
82static auth_param_type_desc_t bl2_hash = AUTH_PARAM_TYPE_DESC(
83 AUTH_PARAM_HASH, BL2_HASH_OID);
84static auth_param_type_desc_t bl30_hash = AUTH_PARAM_TYPE_DESC(
85 AUTH_PARAM_HASH, BL30_HASH_OID);
86static auth_param_type_desc_t bl31_hash = AUTH_PARAM_TYPE_DESC(
87 AUTH_PARAM_HASH, BL31_HASH_OID);
88static auth_param_type_desc_t bl32_hash = AUTH_PARAM_TYPE_DESC(
89 AUTH_PARAM_HASH, BL32_HASH_OID);
90static auth_param_type_desc_t bl33_hash = AUTH_PARAM_TYPE_DESC(
91 AUTH_PARAM_HASH, BL33_HASH_OID);
92
93/*
94 * TBBR Chain of trust definition
95 */
96static const auth_img_desc_t cot_desc[] = {
97 /*
98 * BL2
99 */
100 [BL2_CERT_ID] = {
101 .img_id = BL2_CERT_ID,
102 .img_type = IMG_CERT,
103 .parent = NULL,
104 .img_auth_methods = {
105 [0] = {
106 .type = AUTH_METHOD_SIG,
107 .param.sig = {
108 .pk = &subject_pk,
109 .sig = &sig,
110 .alg = &sig_alg,
111 .data = &raw_data,
112 }
113 }
114 },
115 .authenticated_data = {
116 [0] = {
117 .type_desc = &bl2_hash,
118 .data = {
119 .ptr = (void *)plat_bl2_hash_buf,
120 .len = (unsigned int)HASH_DER_LEN
121 }
122 }
123 }
124 },
125 [BL2_IMAGE_ID] = {
126 .img_id = BL2_IMAGE_ID,
127 .img_type = IMG_RAW,
128 .parent = &cot_desc[BL2_CERT_ID],
129 .img_auth_methods = {
130 [0] = {
131 .type = AUTH_METHOD_HASH,
132 .param.hash = {
133 .data = &raw_data,
134 .hash = &bl2_hash,
135 }
136 }
137 }
138 },
139 /*
140 * Trusted key certificate
141 */
142 [TRUSTED_KEY_CERT_ID] = {
143 .img_id = TRUSTED_KEY_CERT_ID,
144 .img_type = IMG_CERT,
145 .parent = NULL,
146 .img_auth_methods = {
147 [0] = {
148 .type = AUTH_METHOD_SIG,
149 .param.sig = {
150 .pk = &subject_pk,
151 .sig = &sig,
152 .alg = &sig_alg,
153 .data = &raw_data,
154 }
155 }
156 },
157 .authenticated_data = {
158 [0] = {
159 .type_desc = &tz_world_pk,
160 .data = {
161 .ptr = (void *)plat_tz_world_pk_buf,
162 .len = (unsigned int)PK_DER_LEN
163 }
164 },
165 [1] = {
166 .type_desc = &ntz_world_pk,
167 .data = {
168 .ptr = (void *)plat_ntz_world_pk_buf,
169 .len = (unsigned int)PK_DER_LEN
170 }
171 }
172 }
173 },
174 /*
175 * BL3-0
176 */
177 [BL30_KEY_CERT_ID] = {
178 .img_id = BL30_KEY_CERT_ID,
179 .img_type = IMG_CERT,
180 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
181 .img_auth_methods = {
182 [0] = {
183 .type = AUTH_METHOD_SIG,
184 .param.sig = {
185 .pk = &tz_world_pk,
186 .sig = &sig,
187 .alg = &sig_alg,
188 .data = &raw_data,
189 }
190 }
191 },
192 .authenticated_data = {
193 [0] = {
194 .type_desc = &bl30_content_pk,
195 .data = {
196 .ptr = (void *)plat_content_pk,
197 .len = (unsigned int)PK_DER_LEN
198 }
199 }
200 }
201 },
202 [BL30_CERT_ID] = {
203 .img_id = BL30_CERT_ID,
204 .img_type = IMG_CERT,
205 .parent = &cot_desc[BL30_KEY_CERT_ID],
206 .img_auth_methods = {
207 [0] = {
208 .type = AUTH_METHOD_SIG,
209 .param.sig = {
210 .pk = &bl30_content_pk,
211 .sig = &sig,
212 .alg = &sig_alg,
213 .data = &raw_data,
214 }
215 }
216 },
217 .authenticated_data = {
218 [0] = {
219 .type_desc = &bl30_hash,
220 .data = {
221 .ptr = (void *)plat_bl30_hash_buf,
222 .len = (unsigned int)HASH_DER_LEN
223 }
224 }
225 }
226 },
227 [BL30_IMAGE_ID] = {
228 .img_id = BL30_IMAGE_ID,
229 .img_type = IMG_RAW,
230 .parent = &cot_desc[BL30_CERT_ID],
231 .img_auth_methods = {
232 [0] = {
233 .type = AUTH_METHOD_HASH,
234 .param.hash = {
235 .data = &raw_data,
236 .hash = &bl30_hash,
237 }
238 }
239 }
240 },
241 /*
242 * BL3-1
243 */
244 [BL31_KEY_CERT_ID] = {
245 .img_id = BL31_KEY_CERT_ID,
246 .img_type = IMG_CERT,
247 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
248 .img_auth_methods = {
249 [0] = {
250 .type = AUTH_METHOD_SIG,
251 .param.sig = {
252 .pk = &tz_world_pk,
253 .sig = &sig,
254 .alg = &sig_alg,
255 .data = &raw_data,
256 }
257 }
258 },
259 .authenticated_data = {
260 [0] = {
261 .type_desc = &bl31_content_pk,
262 .data = {
263 .ptr = (void *)plat_content_pk,
264 .len = (unsigned int)PK_DER_LEN
265 }
266 }
267 }
268 },
269 [BL31_CERT_ID] = {
270 .img_id = BL31_CERT_ID,
271 .img_type = IMG_CERT,
272 .parent = &cot_desc[BL31_KEY_CERT_ID],
273 .img_auth_methods = {
274 [0] = {
275 .type = AUTH_METHOD_SIG,
276 .param.sig = {
277 .pk = &bl31_content_pk,
278 .sig = &sig,
279 .alg = &sig_alg,
280 .data = &raw_data,
281 }
282 }
283 },
284 .authenticated_data = {
285 [0] = {
286 .type_desc = &bl31_hash,
287 .data = {
288 .ptr = (void *)plat_bl31_hash_buf,
289 .len = (unsigned int)HASH_DER_LEN
290 }
291 }
292 }
293 },
294 [BL31_IMAGE_ID] = {
295 .img_id = BL31_IMAGE_ID,
296 .img_type = IMG_RAW,
297 .parent = &cot_desc[BL31_CERT_ID],
298 .img_auth_methods = {
299 [0] = {
300 .type = AUTH_METHOD_HASH,
301 .param.hash = {
302 .data = &raw_data,
303 .hash = &bl31_hash,
304 }
305 }
306 }
307 },
308 /*
309 * BL3-2
310 */
311 [BL32_KEY_CERT_ID] = {
312 .img_id = BL32_KEY_CERT_ID,
313 .img_type = IMG_CERT,
314 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
315 .img_auth_methods = {
316 [0] = {
317 .type = AUTH_METHOD_SIG,
318 .param.sig = {
319 .pk = &tz_world_pk,
320 .sig = &sig,
321 .alg = &sig_alg,
322 .data = &raw_data,
323 }
324 }
325 },
326 .authenticated_data = {
327 [0] = {
328 .type_desc = &bl32_content_pk,
329 .data = {
330 .ptr = (void *)plat_content_pk,
331 .len = (unsigned int)PK_DER_LEN
332 }
333 }
334 }
335 },
336 [BL32_CERT_ID] = {
337 .img_id = BL32_CERT_ID,
338 .img_type = IMG_CERT,
339 .parent = &cot_desc[BL32_KEY_CERT_ID],
340 .img_auth_methods = {
341 [0] = {
342 .type = AUTH_METHOD_SIG,
343 .param.sig = {
344 .pk = &bl32_content_pk,
345 .sig = &sig,
346 .alg = &sig_alg,
347 .data = &raw_data,
348 }
349 }
350 },
351 .authenticated_data = {
352 [0] = {
353 .type_desc = &bl32_hash,
354 .data = {
355 .ptr = (void *)plat_bl32_hash_buf,
356 .len = (unsigned int)HASH_DER_LEN
357 }
358 }
359 }
360 },
361 [BL32_IMAGE_ID] = {
362 .img_id = BL32_IMAGE_ID,
363 .img_type = IMG_RAW,
364 .parent = &cot_desc[BL32_CERT_ID],
365 .img_auth_methods = {
366 [0] = {
367 .type = AUTH_METHOD_HASH,
368 .param.hash = {
369 .data = &raw_data,
370 .hash = &bl32_hash,
371 }
372 }
373 }
374 },
375 /*
376 * BL3-3
377 */
378 [BL33_KEY_CERT_ID] = {
379 .img_id = BL33_KEY_CERT_ID,
380 .img_type = IMG_CERT,
381 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
382 .img_auth_methods = {
383 [0] = {
384 .type = AUTH_METHOD_SIG,
385 .param.sig = {
386 .pk = &ntz_world_pk,
387 .sig = &sig,
388 .alg = &sig_alg,
389 .data = &raw_data,
390 }
391 }
392 },
393 .authenticated_data = {
394 [0] = {
395 .type_desc = &bl33_content_pk,
396 .data = {
397 .ptr = (void *)plat_content_pk,
398 .len = (unsigned int)PK_DER_LEN
399 }
400 }
401 }
402 },
403 [BL33_CERT_ID] = {
404 .img_id = BL33_CERT_ID,
405 .img_type = IMG_CERT,
406 .parent = &cot_desc[BL33_KEY_CERT_ID],
407 .img_auth_methods = {
408 [0] = {
409 .type = AUTH_METHOD_SIG,
410 .param.sig = {
411 .pk = &bl33_content_pk,
412 .sig = &sig,
413 .alg = &sig_alg,
414 .data = &raw_data,
415 }
416 }
417 },
418 .authenticated_data = {
419 [0] = {
420 .type_desc = &bl33_hash,
421 .data = {
422 .ptr = (void *)plat_bl33_hash_buf,
423 .len = (unsigned int)HASH_DER_LEN
424 }
425 }
426 }
427 },
428 [BL33_IMAGE_ID] = {
429 .img_id = BL33_IMAGE_ID,
430 .img_type = IMG_RAW,
431 .parent = &cot_desc[BL33_CERT_ID],
432 .img_auth_methods = {
433 [0] = {
434 .type = AUTH_METHOD_HASH,
435 .param.hash = {
436 .data = &raw_data,
437 .hash = &bl33_hash,
438 }
439 }
440 }
441 }
442};
443
444/* Register the CoT in the authentication module */
445REGISTER_COT(cot_desc);