Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 7ec175e2e7453c34d0bd5d66d63f6e008fd3435d / . / drivers / auth / dualroot / cot.c
blob: 8aca2be6d7a8827b0c3ea9d614beefba08702010 [file] [log] [blame]
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]1/*
2 * Copyright (c) 2020, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <stddef.h>
8
9#include <platform_def.h>
10
11#include <drivers/auth/mbedtls/mbedtls_config.h>
12#include <drivers/auth/auth_mod.h>
13#include <tools_share/dualroot_oid.h>
14
15/*
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]16 * Allocate static buffers to store the authentication parameters extracted from
17 * the certificates.
18 */
19static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
20static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
21static unsigned char hw_config_hash_buf[HASH_DER_LEN];
22static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
23static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
24
25#ifdef IMAGE_BL2
26static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
27static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
28static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
29static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
30static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
31static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
32static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
33
34static unsigned char trusted_world_pk_buf[PK_DER_LEN];
35static unsigned char content_pk_buf[PK_DER_LEN];
36#endif
37
38/*
39 * Parameter type descriptors.
40 */
41static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
42 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
43static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
44 AUTH_PARAM_PUB_KEY, 0);
45static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
46 AUTH_PARAM_SIG, 0);
47static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
48 AUTH_PARAM_SIG_ALG, 0);
49static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
50 AUTH_PARAM_RAW_DATA, 0);
51
52static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
53 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
54static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
55 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
56static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
57 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
58#ifdef IMAGE_BL1
59static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
60 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
61static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
62 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
63static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
64 AUTH_PARAM_HASH, FWU_HASH_OID);
65#endif /* IMAGE_BL1 */
66
67#ifdef IMAGE_BL2
68static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
69 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
70
71static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
72 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
73static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
74 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
75static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
76 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
77static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
78 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
79static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
80 AUTH_PARAM_PUB_KEY, PROT_PK_OID);
81
82static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
83 AUTH_PARAM_HASH, SCP_FW_HASH_OID);
84static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
85 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
86static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
87 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
88static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
89 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
90static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
91 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
92static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
93 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
94static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
95 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
96static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
97 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
98static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
99 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
100#endif /* IMAGE_BL2 */
101
102
103/* BL2 */
104static const auth_img_desc_t trusted_boot_fw_cert = {
105 .img_id = TRUSTED_BOOT_FW_CERT_ID,
106 .img_type = IMG_CERT,
107 .parent = NULL,
108 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
109 [0] = {
110 .type = AUTH_METHOD_SIG,
111 .param.sig = {
112 .pk = &subject_pk,
113 .sig = &sig,
114 .alg = &sig_alg,
115 .data = &raw_data
116 }
117 },
118 [1] = {
119 .type = AUTH_METHOD_NV_CTR,
120 .param.nv_ctr = {
121 .cert_nv_ctr = &trusted_nv_ctr,
122 .plat_nv_ctr = &trusted_nv_ctr
123 }
124 }
125 },
126 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
127 [0] = {
128 .type_desc = &tb_fw_hash,
129 .data = {
130 .ptr = (void *)tb_fw_hash_buf,
131 .len = (unsigned int)HASH_DER_LEN
132 }
133 },
134 [1] = {
135 .type_desc = &tb_fw_config_hash,
136 .data = {
137 .ptr = (void *)tb_fw_config_hash_buf,
138 .len = (unsigned int)HASH_DER_LEN
139 }
140 },
141 [2] = {
142 .type_desc = &hw_config_hash,
143 .data = {
144 .ptr = (void *)hw_config_hash_buf,
145 .len = (unsigned int)HASH_DER_LEN
146 }
147 }
148 }
149};
150
151#ifdef IMAGE_BL1
152static const auth_img_desc_t bl2_image = {
153 .img_id = BL2_IMAGE_ID,
154 .img_type = IMG_RAW,
155 .parent = &trusted_boot_fw_cert,
156 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
157 [0] = {
158 .type = AUTH_METHOD_HASH,
159 .param.hash = {
160 .data = &raw_data,
161 .hash = &tb_fw_hash
162 }
163 }
164 }
165};
166#endif /* IMAGE_BL1 */
167
168/* HW Config */
169static const auth_img_desc_t hw_config = {
170 .img_id = HW_CONFIG_ID,
171 .img_type = IMG_RAW,
172 .parent = &trusted_boot_fw_cert,
173 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
174 [0] = {
175 .type = AUTH_METHOD_HASH,
176 .param.hash = {
177 .data = &raw_data,
178 .hash = &hw_config_hash
179 }
180 }
181 }
182};
183
184/* TB FW Config */
185#ifdef IMAGE_BL1
186static const auth_img_desc_t tb_fw_config = {
187 .img_id = TB_FW_CONFIG_ID,
188 .img_type = IMG_RAW,
189 .parent = &trusted_boot_fw_cert,
190 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
191 [0] = {
192 .type = AUTH_METHOD_HASH,
193 .param.hash = {
194 .data = &raw_data,
195 .hash = &tb_fw_config_hash
196 }
197 }
198 }
199};
200#endif /* IMAGE_BL1 */
201
202#ifdef IMAGE_BL2
203/* Trusted key certificate */
204static const auth_img_desc_t trusted_key_cert = {
205 .img_id = TRUSTED_KEY_CERT_ID,
206 .img_type = IMG_CERT,
207 .parent = NULL,
208 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
209 [0] = {
210 .type = AUTH_METHOD_SIG,
211 .param.sig = {
212 .pk = &subject_pk,
213 .sig = &sig,
214 .alg = &sig_alg,
215 .data = &raw_data
216 }
217 },
218 [1] = {
219 .type = AUTH_METHOD_NV_CTR,
220 .param.nv_ctr = {
221 .cert_nv_ctr = &trusted_nv_ctr,
222 .plat_nv_ctr = &trusted_nv_ctr
223 }
224 }
225 },
226 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
227 [0] = {
228 .type_desc = &trusted_world_pk,
229 .data = {
230 .ptr = (void *)trusted_world_pk_buf,
231 .len = (unsigned int)PK_DER_LEN
232 }
233 },
234 }
235};
236
237/* SCP Firmware */
238static const auth_img_desc_t scp_fw_key_cert = {
239 .img_id = SCP_FW_KEY_CERT_ID,
240 .img_type = IMG_CERT,
241 .parent = &trusted_key_cert,
242 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
243 [0] = {
244 .type = AUTH_METHOD_SIG,
245 .param.sig = {
246 .pk = &trusted_world_pk,
247 .sig = &sig,
248 .alg = &sig_alg,
249 .data = &raw_data
250 }
251 },
252 [1] = {
253 .type = AUTH_METHOD_NV_CTR,
254 .param.nv_ctr = {
255 .cert_nv_ctr = &trusted_nv_ctr,
256 .plat_nv_ctr = &trusted_nv_ctr
257 }
258 }
259 },
260 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
261 [0] = {
262 .type_desc = &scp_fw_content_pk,
263 .data = {
264 .ptr = (void *)content_pk_buf,
265 .len = (unsigned int)PK_DER_LEN
266 }
267 }
268 }
269};
270
271static const auth_img_desc_t scp_fw_content_cert = {
272 .img_id = SCP_FW_CONTENT_CERT_ID,
273 .img_type = IMG_CERT,
274 .parent = &scp_fw_key_cert,
275 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
276 [0] = {
277 .type = AUTH_METHOD_SIG,
278 .param.sig = {
279 .pk = &scp_fw_content_pk,
280 .sig = &sig,
281 .alg = &sig_alg,
282 .data = &raw_data
283 }
284 },
285 [1] = {
286 .type = AUTH_METHOD_NV_CTR,
287 .param.nv_ctr = {
288 .cert_nv_ctr = &trusted_nv_ctr,
289 .plat_nv_ctr = &trusted_nv_ctr
290 }
291 }
292 },
293 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
294 [0] = {
295 .type_desc = &scp_fw_hash,
296 .data = {
297 .ptr = (void *)scp_fw_hash_buf,
298 .len = (unsigned int)HASH_DER_LEN
299 }
300 }
301 }
302};
303
304static const auth_img_desc_t scp_bl2_image = {
305 .img_id = SCP_BL2_IMAGE_ID,
306 .img_type = IMG_RAW,
307 .parent = &scp_fw_content_cert,
308 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
309 [0] = {
310 .type = AUTH_METHOD_HASH,
311 .param.hash = {
312 .data = &raw_data,
313 .hash = &scp_fw_hash
314 }
315 }
316 }
317};
318
319/* SoC Firmware */
320static const auth_img_desc_t soc_fw_key_cert = {
321 .img_id = SOC_FW_KEY_CERT_ID,
322 .img_type = IMG_CERT,
323 .parent = &trusted_key_cert,
324 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
325 [0] = {
326 .type = AUTH_METHOD_SIG,
327 .param.sig = {
328 .pk = &trusted_world_pk,
329 .sig = &sig,
330 .alg = &sig_alg,
331 .data = &raw_data
332 }
333 },
334 [1] = {
335 .type = AUTH_METHOD_NV_CTR,
336 .param.nv_ctr = {
337 .cert_nv_ctr = &trusted_nv_ctr,
338 .plat_nv_ctr = &trusted_nv_ctr
339 }
340 }
341 },
342 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
343 [0] = {
344 .type_desc = &soc_fw_content_pk,
345 .data = {
346 .ptr = (void *)content_pk_buf,
347 .len = (unsigned int)PK_DER_LEN
348 }
349 }
350 }
351};
352
353static const auth_img_desc_t soc_fw_content_cert = {
354 .img_id = SOC_FW_CONTENT_CERT_ID,
355 .img_type = IMG_CERT,
356 .parent = &soc_fw_key_cert,
357 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
358 [0] = {
359 .type = AUTH_METHOD_SIG,
360 .param.sig = {
361 .pk = &soc_fw_content_pk,
362 .sig = &sig,
363 .alg = &sig_alg,
364 .data = &raw_data
365 }
366 },
367 [1] = {
368 .type = AUTH_METHOD_NV_CTR,
369 .param.nv_ctr = {
370 .cert_nv_ctr = &trusted_nv_ctr,
371 .plat_nv_ctr = &trusted_nv_ctr
372 }
373 }
374 },
375 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
376 [0] = {
377 .type_desc = &soc_fw_hash,
378 .data = {
379 .ptr = (void *)soc_fw_hash_buf,
380 .len = (unsigned int)HASH_DER_LEN
381 }
382 },
383 [1] = {
384 .type_desc = &soc_fw_config_hash,
385 .data = {
386 .ptr = (void *)soc_fw_config_hash_buf,
387 .len = (unsigned int)HASH_DER_LEN
388 }
389 }
390 }
391};
392
393static const auth_img_desc_t bl31_image = {
394 .img_id = BL31_IMAGE_ID,
395 .img_type = IMG_RAW,
396 .parent = &soc_fw_content_cert,
397 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
398 [0] = {
399 .type = AUTH_METHOD_HASH,
400 .param.hash = {
401 .data = &raw_data,
402 .hash = &soc_fw_hash
403 }
404 }
405 }
406};
407
408/* SOC FW Config */
409static const auth_img_desc_t soc_fw_config = {
410 .img_id = SOC_FW_CONFIG_ID,
411 .img_type = IMG_RAW,
412 .parent = &soc_fw_content_cert,
413 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
414 [0] = {
415 .type = AUTH_METHOD_HASH,
416 .param.hash = {
417 .data = &raw_data,
418 .hash = &soc_fw_config_hash
419 }
420 }
421 }
422};
423
424/* Trusted OS Firmware */
425static const auth_img_desc_t trusted_os_fw_key_cert = {
426 .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
427 .img_type = IMG_CERT,
428 .parent = &trusted_key_cert,
429 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
430 [0] = {
431 .type = AUTH_METHOD_SIG,
432 .param.sig = {
433 .pk = &trusted_world_pk,
434 .sig = &sig,
435 .alg = &sig_alg,
436 .data = &raw_data
437 }
438 },
439 [1] = {
440 .type = AUTH_METHOD_NV_CTR,
441 .param.nv_ctr = {
442 .cert_nv_ctr = &trusted_nv_ctr,
443 .plat_nv_ctr = &trusted_nv_ctr
444 }
445 }
446 },
447 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
448 [0] = {
449 .type_desc = &tos_fw_content_pk,
450 .data = {
451 .ptr = (void *)content_pk_buf,
452 .len = (unsigned int)PK_DER_LEN
453 }
454 }
455 }
456};
457
458static const auth_img_desc_t trusted_os_fw_content_cert = {
459 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
460 .img_type = IMG_CERT,
461 .parent = &trusted_os_fw_key_cert,
462 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
463 [0] = {
464 .type = AUTH_METHOD_SIG,
465 .param.sig = {
466 .pk = &tos_fw_content_pk,
467 .sig = &sig,
468 .alg = &sig_alg,
469 .data = &raw_data
470 }
471 },
472 [1] = {
473 .type = AUTH_METHOD_NV_CTR,
474 .param.nv_ctr = {
475 .cert_nv_ctr = &trusted_nv_ctr,
476 .plat_nv_ctr = &trusted_nv_ctr
477 }
478 }
479 },
480 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
481 [0] = {
482 .type_desc = &tos_fw_hash,
483 .data = {
484 .ptr = (void *)tos_fw_hash_buf,
485 .len = (unsigned int)HASH_DER_LEN
486 }
487 },
488 [1] = {
489 .type_desc = &tos_fw_extra1_hash,
490 .data = {
491 .ptr = (void *)tos_fw_extra1_hash_buf,
492 .len = (unsigned int)HASH_DER_LEN
493 }
494 },
495 [2] = {
496 .type_desc = &tos_fw_extra2_hash,
497 .data = {
498 .ptr = (void *)tos_fw_extra2_hash_buf,
499 .len = (unsigned int)HASH_DER_LEN
500 }
501 },
502 [3] = {
503 .type_desc = &tos_fw_config_hash,
504 .data = {
505 .ptr = (void *)tos_fw_config_hash_buf,
506 .len = (unsigned int)HASH_DER_LEN
507 }
508 }
509 }
510};
511
512static const auth_img_desc_t bl32_image = {
513 .img_id = BL32_IMAGE_ID,
514 .img_type = IMG_RAW,
515 .parent = &trusted_os_fw_content_cert,
516 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
517 [0] = {
518 .type = AUTH_METHOD_HASH,
519 .param.hash = {
520 .data = &raw_data,
521 .hash = &tos_fw_hash
522 }
523 }
524 }
525};
526
527static const auth_img_desc_t bl32_extra1_image = {
528 .img_id = BL32_EXTRA1_IMAGE_ID,
529 .img_type = IMG_RAW,
530 .parent = &trusted_os_fw_content_cert,
531 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
532 [0] = {
533 .type = AUTH_METHOD_HASH,
534 .param.hash = {
535 .data = &raw_data,
536 .hash = &tos_fw_extra1_hash
537 }
538 }
539 }
540};
541
542static const auth_img_desc_t bl32_extra2_image = {
543 .img_id = BL32_EXTRA2_IMAGE_ID,
544 .img_type = IMG_RAW,
545 .parent = &trusted_os_fw_content_cert,
546 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
547 [0] = {
548 .type = AUTH_METHOD_HASH,
549 .param.hash = {
550 .data = &raw_data,
551 .hash = &tos_fw_extra2_hash
552 }
553 }
554 }
555};
556
557/* TOS FW Config */
558static const auth_img_desc_t tos_fw_config = {
559 .img_id = TOS_FW_CONFIG_ID,
560 .img_type = IMG_RAW,
561 .parent = &trusted_os_fw_content_cert,
562 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
563 [0] = {
564 .type = AUTH_METHOD_HASH,
565 .param.hash = {
566 .data = &raw_data,
567 .hash = &tos_fw_config_hash
568 }
569 }
570 }
571};
572
573/* Non-Trusted Firmware */
574static const auth_img_desc_t non_trusted_fw_content_cert = {
575 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
576 .img_type = IMG_CERT,
577 .parent = NULL, /* Root certificate. */
578 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
579 [0] = {
580 .type = AUTH_METHOD_SIG,
581 .param.sig = {
582 .pk = &prot_pk,
583 .sig = &sig,
584 .alg = &sig_alg,
585 .data = &raw_data
586 }
587 },
588 [1] = {
589 .type = AUTH_METHOD_NV_CTR,
590 .param.nv_ctr = {
591 .cert_nv_ctr = &non_trusted_nv_ctr,
592 .plat_nv_ctr = &non_trusted_nv_ctr
593 }
594 }
595 },
596 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
597 [0] = {
598 .type_desc = &nt_world_bl_hash,
599 .data = {
600 .ptr = (void *)nt_world_bl_hash_buf,
601 .len = (unsigned int)HASH_DER_LEN
602 }
603 },
604 [1] = {
605 .type_desc = &nt_fw_config_hash,
606 .data = {
607 .ptr = (void *)nt_fw_config_hash_buf,
608 .len = (unsigned int)HASH_DER_LEN
609 }
610 }
611 }
612};
613
614static const auth_img_desc_t bl33_image = {
615 .img_id = BL33_IMAGE_ID,
616 .img_type = IMG_RAW,
617 .parent = &non_trusted_fw_content_cert,
618 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
619 [0] = {
620 .type = AUTH_METHOD_HASH,
621 .param.hash = {
622 .data = &raw_data,
623 .hash = &nt_world_bl_hash
624 }
625 }
626 }
627};
628
629/* NT FW Config */
630static const auth_img_desc_t nt_fw_config = {
631 .img_id = NT_FW_CONFIG_ID,
632 .img_type = IMG_RAW,
633 .parent = &non_trusted_fw_content_cert,
634 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
635 [0] = {
636 .type = AUTH_METHOD_HASH,
637 .param.hash = {
638 .data = &raw_data,
639 .hash = &nt_fw_config_hash
640 }
641 }
642 }
643};
644
645#else /* IMAGE_BL2 */
646
647/* FWU auth descriptor */
648static const auth_img_desc_t fwu_cert = {
649 .img_id = FWU_CERT_ID,
650 .img_type = IMG_CERT,
651 .parent = NULL,
652 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
653 [0] = {
654 .type = AUTH_METHOD_SIG,
655 .param.sig = {
656 .pk = &subject_pk,
657 .sig = &sig,
658 .alg = &sig_alg,
659 .data = &raw_data
660 }
661 }
662 },
663 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
664 [0] = {
665 .type_desc = &scp_bl2u_hash,
666 .data = {
667 .ptr = (void *)scp_fw_hash_buf,
668 .len = (unsigned int)HASH_DER_LEN
669 }
670 },
671 [1] = {
672 .type_desc = &bl2u_hash,
673 .data = {
674 .ptr = (void *)tb_fw_hash_buf,
675 .len = (unsigned int)HASH_DER_LEN
676 }
677 },
678 [2] = {
679 .type_desc = &ns_bl2u_hash,
680 .data = {
681 .ptr = (void *)nt_world_bl_hash_buf,
682 .len = (unsigned int)HASH_DER_LEN
683 }
684 }
685 }
686};
687
688/* SCP_BL2U */
689static const auth_img_desc_t scp_bl2u_image = {
690 .img_id = SCP_BL2U_IMAGE_ID,
691 .img_type = IMG_RAW,
692 .parent = &fwu_cert,
693 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
694 [0] = {
695 .type = AUTH_METHOD_HASH,
696 .param.hash = {
697 .data = &raw_data,
698 .hash = &scp_bl2u_hash
699 }
700 }
701 }
702};
703
704/* BL2U */
705static const auth_img_desc_t bl2u_image = {
706 .img_id = BL2U_IMAGE_ID,
707 .img_type = IMG_RAW,
708 .parent = &fwu_cert,
709 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
710 [0] = {
711 .type = AUTH_METHOD_HASH,
712 .param.hash = {
713 .data = &raw_data,
714 .hash = &bl2u_hash
715 }
716 }
717 }
718};
719
720/* NS_BL2U */
721static const auth_img_desc_t ns_bl2u_image = {
722 .img_id = NS_BL2U_IMAGE_ID,
723 .img_type = IMG_RAW,
724 .parent = &fwu_cert,
725 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
726 [0] = {
727 .type = AUTH_METHOD_HASH,
728 .param.hash = {
729 .data = &raw_data,
730 .hash = &ns_bl2u_hash
731 }
732 }
733 }
734};
735#endif /* IMAGE_BL2 */
736
737/*
738 * Chain of trust definition
739 */
740#ifdef IMAGE_BL1
741static const auth_img_desc_t * const cot_desc[] = {
742 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
743 [BL2_IMAGE_ID] = &bl2_image,
744 [HW_CONFIG_ID] = &hw_config,
745 [TB_FW_CONFIG_ID] = &tb_fw_config,
746 [FWU_CERT_ID] = &fwu_cert,
747 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
748 [BL2U_IMAGE_ID] = &bl2u_image,
749 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image
750};
751#else /* IMAGE_BL2 */
752static const auth_img_desc_t * const cot_desc[] = {
753 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
754 [HW_CONFIG_ID] = &hw_config,
755 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
756 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert,
757 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert,
758 [SCP_BL2_IMAGE_ID] = &scp_bl2_image,
759 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
760 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
761 [BL31_IMAGE_ID] = &bl31_image,
762 [SOC_FW_CONFIG_ID] = &soc_fw_config,
763 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
764 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
765 [BL32_IMAGE_ID] = &bl32_image,
766 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
767 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
768 [TOS_FW_CONFIG_ID] = &tos_fw_config,
769 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
770 [BL33_IMAGE_ID] = &bl33_image,
771 [NT_FW_CONFIG_ID] = &nt_fw_config,
772};
773#endif
774
775/* Register the CoT in the authentication module */
776REGISTER_COT(cot_desc);