Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 71c9a5e70d3ce826bc6820f60477e418fb4a4da7 / . / drivers / auth / tbbr / tbbr_cot.c
blob: 71634a19d1232ad75f91176ce110df949cc6e01e [file] [log] [blame]
Juan Castillo9b265a82015-05-07 14:52:44 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <auth_mod.h>
32#include <platform_def.h>
33#include <platform_oid.h>
34#include <stddef.h>
35
36/*
37 * Maximum key and hash sizes (in DER format)
38 */
39#define PK_DER_LEN 294
40#define HASH_DER_LEN 51
41
42/*
43 * The platform must allocate buffers to store the authentication parameters
44 * extracted from the certificates. In this case, because of the way the CoT is
45 * established, we can reuse some of the buffers on different stages
46 */
47static unsigned char plat_bl2_hash_buf[HASH_DER_LEN];
48static unsigned char plat_bl30_hash_buf[HASH_DER_LEN];
49static unsigned char plat_bl31_hash_buf[HASH_DER_LEN];
50static unsigned char plat_bl32_hash_buf[HASH_DER_LEN];
51static unsigned char plat_bl33_hash_buf[HASH_DER_LEN];
52static unsigned char plat_tz_world_pk_buf[PK_DER_LEN];
53static unsigned char plat_ntz_world_pk_buf[PK_DER_LEN];
54static unsigned char plat_content_pk[PK_DER_LEN];
55
56/*
57 * Parameter type descriptors
58 */
59static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
60 AUTH_PARAM_PUB_KEY, 0);
61static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
62 AUTH_PARAM_SIG, 0);
63static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
64 AUTH_PARAM_SIG_ALG, 0);
65static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
66 AUTH_PARAM_RAW_DATA, 0);
67
68static auth_param_type_desc_t tz_world_pk = AUTH_PARAM_TYPE_DESC(
69 AUTH_PARAM_PUB_KEY, TZ_WORLD_PK_OID);
70static auth_param_type_desc_t ntz_world_pk = AUTH_PARAM_TYPE_DESC(
71 AUTH_PARAM_PUB_KEY, NTZ_WORLD_PK_OID);
72
73static auth_param_type_desc_t bl30_content_pk = AUTH_PARAM_TYPE_DESC(
74 AUTH_PARAM_PUB_KEY, BL30_CONTENT_CERT_PK_OID);
75static auth_param_type_desc_t bl31_content_pk = AUTH_PARAM_TYPE_DESC(
76 AUTH_PARAM_PUB_KEY, BL31_CONTENT_CERT_PK_OID);
77static auth_param_type_desc_t bl32_content_pk = AUTH_PARAM_TYPE_DESC(
78 AUTH_PARAM_PUB_KEY, BL32_CONTENT_CERT_PK_OID);
79static auth_param_type_desc_t bl33_content_pk = AUTH_PARAM_TYPE_DESC(
80 AUTH_PARAM_PUB_KEY, BL33_CONTENT_CERT_PK_OID);
81
82static auth_param_type_desc_t bl2_hash = AUTH_PARAM_TYPE_DESC(
83 AUTH_PARAM_HASH, BL2_HASH_OID);
84static auth_param_type_desc_t bl30_hash = AUTH_PARAM_TYPE_DESC(
85 AUTH_PARAM_HASH, BL30_HASH_OID);
86static auth_param_type_desc_t bl31_hash = AUTH_PARAM_TYPE_DESC(
87 AUTH_PARAM_HASH, BL31_HASH_OID);
88static auth_param_type_desc_t bl32_hash = AUTH_PARAM_TYPE_DESC(
89 AUTH_PARAM_HASH, BL32_HASH_OID);
90static auth_param_type_desc_t bl33_hash = AUTH_PARAM_TYPE_DESC(
91 AUTH_PARAM_HASH, BL33_HASH_OID);
Yatharth Kochar71c9a5e2015-10-10 19:06:53 +0100[diff] [blame^]92static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
93 AUTH_PARAM_HASH, SCP_BL2U_HASH_OID);
94static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
95 AUTH_PARAM_HASH, BL2U_HASH_OID);
96static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
97 AUTH_PARAM_HASH, NS_BL2U_HASH_OID);
Juan Castillo9b265a82015-05-07 14:52:44 +0100[diff] [blame]98
99/*
100 * TBBR Chain of trust definition
101 */
102static const auth_img_desc_t cot_desc[] = {
103 /*
104 * BL2
105 */
106 [BL2_CERT_ID] = {
107 .img_id = BL2_CERT_ID,
108 .img_type = IMG_CERT,
109 .parent = NULL,
110 .img_auth_methods = {
111 [0] = {
112 .type = AUTH_METHOD_SIG,
113 .param.sig = {
114 .pk = &subject_pk,
115 .sig = &sig,
116 .alg = &sig_alg,
117 .data = &raw_data,
118 }
119 }
120 },
121 .authenticated_data = {
122 [0] = {
123 .type_desc = &bl2_hash,
124 .data = {
125 .ptr = (void *)plat_bl2_hash_buf,
126 .len = (unsigned int)HASH_DER_LEN
127 }
128 }
129 }
130 },
131 [BL2_IMAGE_ID] = {
132 .img_id = BL2_IMAGE_ID,
133 .img_type = IMG_RAW,
134 .parent = &cot_desc[BL2_CERT_ID],
135 .img_auth_methods = {
136 [0] = {
137 .type = AUTH_METHOD_HASH,
138 .param.hash = {
139 .data = &raw_data,
140 .hash = &bl2_hash,
141 }
142 }
143 }
144 },
145 /*
146 * Trusted key certificate
147 */
148 [TRUSTED_KEY_CERT_ID] = {
149 .img_id = TRUSTED_KEY_CERT_ID,
150 .img_type = IMG_CERT,
151 .parent = NULL,
152 .img_auth_methods = {
153 [0] = {
154 .type = AUTH_METHOD_SIG,
155 .param.sig = {
156 .pk = &subject_pk,
157 .sig = &sig,
158 .alg = &sig_alg,
159 .data = &raw_data,
160 }
161 }
162 },
163 .authenticated_data = {
164 [0] = {
165 .type_desc = &tz_world_pk,
166 .data = {
167 .ptr = (void *)plat_tz_world_pk_buf,
168 .len = (unsigned int)PK_DER_LEN
169 }
170 },
171 [1] = {
172 .type_desc = &ntz_world_pk,
173 .data = {
174 .ptr = (void *)plat_ntz_world_pk_buf,
175 .len = (unsigned int)PK_DER_LEN
176 }
177 }
178 }
179 },
180 /*
181 * BL3-0
182 */
183 [BL30_KEY_CERT_ID] = {
184 .img_id = BL30_KEY_CERT_ID,
185 .img_type = IMG_CERT,
186 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
187 .img_auth_methods = {
188 [0] = {
189 .type = AUTH_METHOD_SIG,
190 .param.sig = {
191 .pk = &tz_world_pk,
192 .sig = &sig,
193 .alg = &sig_alg,
194 .data = &raw_data,
195 }
196 }
197 },
198 .authenticated_data = {
199 [0] = {
200 .type_desc = &bl30_content_pk,
201 .data = {
202 .ptr = (void *)plat_content_pk,
203 .len = (unsigned int)PK_DER_LEN
204 }
205 }
206 }
207 },
208 [BL30_CERT_ID] = {
209 .img_id = BL30_CERT_ID,
210 .img_type = IMG_CERT,
211 .parent = &cot_desc[BL30_KEY_CERT_ID],
212 .img_auth_methods = {
213 [0] = {
214 .type = AUTH_METHOD_SIG,
215 .param.sig = {
216 .pk = &bl30_content_pk,
217 .sig = &sig,
218 .alg = &sig_alg,
219 .data = &raw_data,
220 }
221 }
222 },
223 .authenticated_data = {
224 [0] = {
225 .type_desc = &bl30_hash,
226 .data = {
227 .ptr = (void *)plat_bl30_hash_buf,
228 .len = (unsigned int)HASH_DER_LEN
229 }
230 }
231 }
232 },
233 [BL30_IMAGE_ID] = {
234 .img_id = BL30_IMAGE_ID,
235 .img_type = IMG_RAW,
236 .parent = &cot_desc[BL30_CERT_ID],
237 .img_auth_methods = {
238 [0] = {
239 .type = AUTH_METHOD_HASH,
240 .param.hash = {
241 .data = &raw_data,
242 .hash = &bl30_hash,
243 }
244 }
245 }
246 },
247 /*
248 * BL3-1
249 */
250 [BL31_KEY_CERT_ID] = {
251 .img_id = BL31_KEY_CERT_ID,
252 .img_type = IMG_CERT,
253 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
254 .img_auth_methods = {
255 [0] = {
256 .type = AUTH_METHOD_SIG,
257 .param.sig = {
258 .pk = &tz_world_pk,
259 .sig = &sig,
260 .alg = &sig_alg,
261 .data = &raw_data,
262 }
263 }
264 },
265 .authenticated_data = {
266 [0] = {
267 .type_desc = &bl31_content_pk,
268 .data = {
269 .ptr = (void *)plat_content_pk,
270 .len = (unsigned int)PK_DER_LEN
271 }
272 }
273 }
274 },
275 [BL31_CERT_ID] = {
276 .img_id = BL31_CERT_ID,
277 .img_type = IMG_CERT,
278 .parent = &cot_desc[BL31_KEY_CERT_ID],
279 .img_auth_methods = {
280 [0] = {
281 .type = AUTH_METHOD_SIG,
282 .param.sig = {
283 .pk = &bl31_content_pk,
284 .sig = &sig,
285 .alg = &sig_alg,
286 .data = &raw_data,
287 }
288 }
289 },
290 .authenticated_data = {
291 [0] = {
292 .type_desc = &bl31_hash,
293 .data = {
294 .ptr = (void *)plat_bl31_hash_buf,
295 .len = (unsigned int)HASH_DER_LEN
296 }
297 }
298 }
299 },
300 [BL31_IMAGE_ID] = {
301 .img_id = BL31_IMAGE_ID,
302 .img_type = IMG_RAW,
303 .parent = &cot_desc[BL31_CERT_ID],
304 .img_auth_methods = {
305 [0] = {
306 .type = AUTH_METHOD_HASH,
307 .param.hash = {
308 .data = &raw_data,
309 .hash = &bl31_hash,
310 }
311 }
312 }
313 },
314 /*
315 * BL3-2
316 */
317 [BL32_KEY_CERT_ID] = {
318 .img_id = BL32_KEY_CERT_ID,
319 .img_type = IMG_CERT,
320 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
321 .img_auth_methods = {
322 [0] = {
323 .type = AUTH_METHOD_SIG,
324 .param.sig = {
325 .pk = &tz_world_pk,
326 .sig = &sig,
327 .alg = &sig_alg,
328 .data = &raw_data,
329 }
330 }
331 },
332 .authenticated_data = {
333 [0] = {
334 .type_desc = &bl32_content_pk,
335 .data = {
336 .ptr = (void *)plat_content_pk,
337 .len = (unsigned int)PK_DER_LEN
338 }
339 }
340 }
341 },
342 [BL32_CERT_ID] = {
343 .img_id = BL32_CERT_ID,
344 .img_type = IMG_CERT,
345 .parent = &cot_desc[BL32_KEY_CERT_ID],
346 .img_auth_methods = {
347 [0] = {
348 .type = AUTH_METHOD_SIG,
349 .param.sig = {
350 .pk = &bl32_content_pk,
351 .sig = &sig,
352 .alg = &sig_alg,
353 .data = &raw_data,
354 }
355 }
356 },
357 .authenticated_data = {
358 [0] = {
359 .type_desc = &bl32_hash,
360 .data = {
361 .ptr = (void *)plat_bl32_hash_buf,
362 .len = (unsigned int)HASH_DER_LEN
363 }
364 }
365 }
366 },
367 [BL32_IMAGE_ID] = {
368 .img_id = BL32_IMAGE_ID,
369 .img_type = IMG_RAW,
370 .parent = &cot_desc[BL32_CERT_ID],
371 .img_auth_methods = {
372 [0] = {
373 .type = AUTH_METHOD_HASH,
374 .param.hash = {
375 .data = &raw_data,
376 .hash = &bl32_hash,
377 }
378 }
379 }
380 },
381 /*
382 * BL3-3
383 */
384 [BL33_KEY_CERT_ID] = {
385 .img_id = BL33_KEY_CERT_ID,
386 .img_type = IMG_CERT,
387 .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
388 .img_auth_methods = {
389 [0] = {
390 .type = AUTH_METHOD_SIG,
391 .param.sig = {
392 .pk = &ntz_world_pk,
393 .sig = &sig,
394 .alg = &sig_alg,
395 .data = &raw_data,
396 }
397 }
398 },
399 .authenticated_data = {
400 [0] = {
401 .type_desc = &bl33_content_pk,
402 .data = {
403 .ptr = (void *)plat_content_pk,
404 .len = (unsigned int)PK_DER_LEN
405 }
406 }
407 }
408 },
409 [BL33_CERT_ID] = {
410 .img_id = BL33_CERT_ID,
411 .img_type = IMG_CERT,
412 .parent = &cot_desc[BL33_KEY_CERT_ID],
413 .img_auth_methods = {
414 [0] = {
415 .type = AUTH_METHOD_SIG,
416 .param.sig = {
417 .pk = &bl33_content_pk,
418 .sig = &sig,
419 .alg = &sig_alg,
420 .data = &raw_data,
421 }
422 }
423 },
424 .authenticated_data = {
425 [0] = {
426 .type_desc = &bl33_hash,
427 .data = {
428 .ptr = (void *)plat_bl33_hash_buf,
429 .len = (unsigned int)HASH_DER_LEN
430 }
431 }
432 }
433 },
434 [BL33_IMAGE_ID] = {
435 .img_id = BL33_IMAGE_ID,
436 .img_type = IMG_RAW,
437 .parent = &cot_desc[BL33_CERT_ID],
438 .img_auth_methods = {
439 [0] = {
440 .type = AUTH_METHOD_HASH,
441 .param.hash = {
442 .data = &raw_data,
443 .hash = &bl33_hash,
444 }
445 }
446 }
Yatharth Kochar71c9a5e2015-10-10 19:06:53 +0100[diff] [blame^]447 },
448 /*
449 * FWU auth descriptor.
450 */
451 [FWU_CERT_ID] = {
452 .img_id = FWU_CERT_ID,
453 .img_type = IMG_CERT,
454 .parent = NULL,
455 .img_auth_methods = {
456 [0] = {
457 .type = AUTH_METHOD_SIG,
458 .param.sig = {
459 .pk = &subject_pk,
460 .sig = &sig,
461 .alg = &sig_alg,
462 .data = &raw_data,
463 }
464 }
465 },
466 .authenticated_data = {
467 [0] = {
468 .type_desc = &scp_bl2u_hash,
469 .data = {
470 .ptr = (void *)plat_bl30_hash_buf,
471 .len = (unsigned int)HASH_DER_LEN
472 }
473 },
474 [1] = {
475 .type_desc = &bl2u_hash,
476 .data = {
477 .ptr = (void *)plat_bl2_hash_buf,
478 .len = (unsigned int)HASH_DER_LEN
479 }
480 },
481 [2] = {
482 .type_desc = &ns_bl2u_hash,
483 .data = {
484 .ptr = (void *)plat_bl33_hash_buf,
485 .len = (unsigned int)HASH_DER_LEN
486 }
487 }
488 }
489 },
490 /*
491 * SCP_BL2U
492 */
493 [SCP_BL2U_IMAGE_ID] = {
494 .img_id = SCP_BL2U_IMAGE_ID,
495 .img_type = IMG_RAW,
496 .parent = &cot_desc[FWU_CERT_ID],
497 .img_auth_methods = {
498 [0] = {
499 .type = AUTH_METHOD_HASH,
500 .param.hash = {
501 .data = &raw_data,
502 .hash = &scp_bl2u_hash,
503 }
504 }
505 }
506 },
507 /*
508 * BL2U
509 */
510 [BL2U_IMAGE_ID] = {
511 .img_id = BL2U_IMAGE_ID,
512 .img_type = IMG_RAW,
513 .parent = &cot_desc[FWU_CERT_ID],
514 .img_auth_methods = {
515 [0] = {
516 .type = AUTH_METHOD_HASH,
517 .param.hash = {
518 .data = &raw_data,
519 .hash = &bl2u_hash,
520 }
521 }
522 }
523 },
524 /*
525 * NS_BL2U
526 */
527 [NS_BL2U_IMAGE_ID] = {
528 .img_id = NS_BL2U_IMAGE_ID,
529 .img_type = IMG_RAW,
530 .parent = &cot_desc[FWU_CERT_ID],
531 .img_auth_methods = {
532 [0] = {
533 .type = AUTH_METHOD_HASH,
534 .param.hash = {
535 .data = &raw_data,
536 .hash = &ns_bl2u_hash,
537 }
538 }
539 }
Juan Castillo9b265a82015-05-07 14:52:44 +0100[diff] [blame]540 }
541};
542
543/* Register the CoT in the authentication module */
544REGISTER_COT(cot_desc);