Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 9656a30bd4908c4b610e79295b4734180b46ab85 / . / drivers / auth / dualroot / cot.c
blob: f28ddaa9197cc72197c41138345d5a56a94cf003 [file] [log] [blame]
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]1/*
2 * Copyright (c) 2020, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <stddef.h>
8
9#include <platform_def.h>
10
11#include <drivers/auth/mbedtls/mbedtls_config.h>
12#include <drivers/auth/auth_mod.h>
13#include <tools_share/dualroot_oid.h>
14
15/*
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]16 * Allocate static buffers to store the authentication parameters extracted from
17 * the certificates.
18 */
19static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
20static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
21static unsigned char hw_config_hash_buf[HASH_DER_LEN];
22static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
23static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
24
25#ifdef IMAGE_BL2
26static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
27static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
28static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
29static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
30static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
31static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
32static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]33#if defined(SPD_spmd)
34static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
35#endif /* SPD_spmd */
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]36
37static unsigned char trusted_world_pk_buf[PK_DER_LEN];
38static unsigned char content_pk_buf[PK_DER_LEN];
39#endif
40
41/*
42 * Parameter type descriptors.
43 */
44static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
45 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
46static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
47 AUTH_PARAM_PUB_KEY, 0);
48static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
49 AUTH_PARAM_SIG, 0);
50static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
51 AUTH_PARAM_SIG_ALG, 0);
52static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
53 AUTH_PARAM_RAW_DATA, 0);
54
55static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
56 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
57static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
58 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
59static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
60 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
61#ifdef IMAGE_BL1
62static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
63 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
64static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
65 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
66static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
67 AUTH_PARAM_HASH, FWU_HASH_OID);
68#endif /* IMAGE_BL1 */
69
70#ifdef IMAGE_BL2
71static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
72 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
73
74static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
75 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
76static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
77 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
78static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
79 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
80static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
81 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
82static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
83 AUTH_PARAM_PUB_KEY, PROT_PK_OID);
84
85static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
86 AUTH_PARAM_HASH, SCP_FW_HASH_OID);
87static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
88 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
89static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
90 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
91static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
92 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
93static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
94 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
95static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
96 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
97static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
98 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
99static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
100 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
101static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
102 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]103#if defined(SPD_spmd)
104static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
105 AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
106static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
107 AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
108static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
109 AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
110static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
111 AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
112static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
113 AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
114static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
115 AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
116static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
117 AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
118static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
119 AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
120#endif /* SPD_spmd */
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]121#endif /* IMAGE_BL2 */
122
123
124/* BL2 */
125static const auth_img_desc_t trusted_boot_fw_cert = {
126 .img_id = TRUSTED_BOOT_FW_CERT_ID,
127 .img_type = IMG_CERT,
128 .parent = NULL,
129 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
130 [0] = {
131 .type = AUTH_METHOD_SIG,
132 .param.sig = {
133 .pk = &subject_pk,
134 .sig = &sig,
135 .alg = &sig_alg,
136 .data = &raw_data
137 }
138 },
139 [1] = {
140 .type = AUTH_METHOD_NV_CTR,
141 .param.nv_ctr = {
142 .cert_nv_ctr = &trusted_nv_ctr,
143 .plat_nv_ctr = &trusted_nv_ctr
144 }
145 }
146 },
147 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
148 [0] = {
149 .type_desc = &tb_fw_hash,
150 .data = {
151 .ptr = (void *)tb_fw_hash_buf,
152 .len = (unsigned int)HASH_DER_LEN
153 }
154 },
155 [1] = {
156 .type_desc = &tb_fw_config_hash,
157 .data = {
158 .ptr = (void *)tb_fw_config_hash_buf,
159 .len = (unsigned int)HASH_DER_LEN
160 }
161 },
162 [2] = {
163 .type_desc = &hw_config_hash,
164 .data = {
165 .ptr = (void *)hw_config_hash_buf,
166 .len = (unsigned int)HASH_DER_LEN
167 }
168 }
169 }
170};
171
172#ifdef IMAGE_BL1
173static const auth_img_desc_t bl2_image = {
174 .img_id = BL2_IMAGE_ID,
175 .img_type = IMG_RAW,
176 .parent = &trusted_boot_fw_cert,
177 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
178 [0] = {
179 .type = AUTH_METHOD_HASH,
180 .param.hash = {
181 .data = &raw_data,
182 .hash = &tb_fw_hash
183 }
184 }
185 }
186};
187#endif /* IMAGE_BL1 */
188
189/* HW Config */
190static const auth_img_desc_t hw_config = {
191 .img_id = HW_CONFIG_ID,
192 .img_type = IMG_RAW,
193 .parent = &trusted_boot_fw_cert,
194 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
195 [0] = {
196 .type = AUTH_METHOD_HASH,
197 .param.hash = {
198 .data = &raw_data,
199 .hash = &hw_config_hash
200 }
201 }
202 }
203};
204
205/* TB FW Config */
206#ifdef IMAGE_BL1
207static const auth_img_desc_t tb_fw_config = {
208 .img_id = TB_FW_CONFIG_ID,
209 .img_type = IMG_RAW,
210 .parent = &trusted_boot_fw_cert,
211 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
212 [0] = {
213 .type = AUTH_METHOD_HASH,
214 .param.hash = {
215 .data = &raw_data,
216 .hash = &tb_fw_config_hash
217 }
218 }
219 }
220};
221#endif /* IMAGE_BL1 */
222
223#ifdef IMAGE_BL2
224/* Trusted key certificate */
225static const auth_img_desc_t trusted_key_cert = {
226 .img_id = TRUSTED_KEY_CERT_ID,
227 .img_type = IMG_CERT,
228 .parent = NULL,
229 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
230 [0] = {
231 .type = AUTH_METHOD_SIG,
232 .param.sig = {
233 .pk = &subject_pk,
234 .sig = &sig,
235 .alg = &sig_alg,
236 .data = &raw_data
237 }
238 },
239 [1] = {
240 .type = AUTH_METHOD_NV_CTR,
241 .param.nv_ctr = {
242 .cert_nv_ctr = &trusted_nv_ctr,
243 .plat_nv_ctr = &trusted_nv_ctr
244 }
245 }
246 },
247 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
248 [0] = {
249 .type_desc = &trusted_world_pk,
250 .data = {
251 .ptr = (void *)trusted_world_pk_buf,
252 .len = (unsigned int)PK_DER_LEN
253 }
254 },
255 }
256};
257
258/* SCP Firmware */
259static const auth_img_desc_t scp_fw_key_cert = {
260 .img_id = SCP_FW_KEY_CERT_ID,
261 .img_type = IMG_CERT,
262 .parent = &trusted_key_cert,
263 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
264 [0] = {
265 .type = AUTH_METHOD_SIG,
266 .param.sig = {
267 .pk = &trusted_world_pk,
268 .sig = &sig,
269 .alg = &sig_alg,
270 .data = &raw_data
271 }
272 },
273 [1] = {
274 .type = AUTH_METHOD_NV_CTR,
275 .param.nv_ctr = {
276 .cert_nv_ctr = &trusted_nv_ctr,
277 .plat_nv_ctr = &trusted_nv_ctr
278 }
279 }
280 },
281 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
282 [0] = {
283 .type_desc = &scp_fw_content_pk,
284 .data = {
285 .ptr = (void *)content_pk_buf,
286 .len = (unsigned int)PK_DER_LEN
287 }
288 }
289 }
290};
291
292static const auth_img_desc_t scp_fw_content_cert = {
293 .img_id = SCP_FW_CONTENT_CERT_ID,
294 .img_type = IMG_CERT,
295 .parent = &scp_fw_key_cert,
296 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
297 [0] = {
298 .type = AUTH_METHOD_SIG,
299 .param.sig = {
300 .pk = &scp_fw_content_pk,
301 .sig = &sig,
302 .alg = &sig_alg,
303 .data = &raw_data
304 }
305 },
306 [1] = {
307 .type = AUTH_METHOD_NV_CTR,
308 .param.nv_ctr = {
309 .cert_nv_ctr = &trusted_nv_ctr,
310 .plat_nv_ctr = &trusted_nv_ctr
311 }
312 }
313 },
314 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
315 [0] = {
316 .type_desc = &scp_fw_hash,
317 .data = {
318 .ptr = (void *)scp_fw_hash_buf,
319 .len = (unsigned int)HASH_DER_LEN
320 }
321 }
322 }
323};
324
325static const auth_img_desc_t scp_bl2_image = {
326 .img_id = SCP_BL2_IMAGE_ID,
327 .img_type = IMG_RAW,
328 .parent = &scp_fw_content_cert,
329 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
330 [0] = {
331 .type = AUTH_METHOD_HASH,
332 .param.hash = {
333 .data = &raw_data,
334 .hash = &scp_fw_hash
335 }
336 }
337 }
338};
339
340/* SoC Firmware */
341static const auth_img_desc_t soc_fw_key_cert = {
342 .img_id = SOC_FW_KEY_CERT_ID,
343 .img_type = IMG_CERT,
344 .parent = &trusted_key_cert,
345 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
346 [0] = {
347 .type = AUTH_METHOD_SIG,
348 .param.sig = {
349 .pk = &trusted_world_pk,
350 .sig = &sig,
351 .alg = &sig_alg,
352 .data = &raw_data
353 }
354 },
355 [1] = {
356 .type = AUTH_METHOD_NV_CTR,
357 .param.nv_ctr = {
358 .cert_nv_ctr = &trusted_nv_ctr,
359 .plat_nv_ctr = &trusted_nv_ctr
360 }
361 }
362 },
363 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
364 [0] = {
365 .type_desc = &soc_fw_content_pk,
366 .data = {
367 .ptr = (void *)content_pk_buf,
368 .len = (unsigned int)PK_DER_LEN
369 }
370 }
371 }
372};
373
374static const auth_img_desc_t soc_fw_content_cert = {
375 .img_id = SOC_FW_CONTENT_CERT_ID,
376 .img_type = IMG_CERT,
377 .parent = &soc_fw_key_cert,
378 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
379 [0] = {
380 .type = AUTH_METHOD_SIG,
381 .param.sig = {
382 .pk = &soc_fw_content_pk,
383 .sig = &sig,
384 .alg = &sig_alg,
385 .data = &raw_data
386 }
387 },
388 [1] = {
389 .type = AUTH_METHOD_NV_CTR,
390 .param.nv_ctr = {
391 .cert_nv_ctr = &trusted_nv_ctr,
392 .plat_nv_ctr = &trusted_nv_ctr
393 }
394 }
395 },
396 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
397 [0] = {
398 .type_desc = &soc_fw_hash,
399 .data = {
400 .ptr = (void *)soc_fw_hash_buf,
401 .len = (unsigned int)HASH_DER_LEN
402 }
403 },
404 [1] = {
405 .type_desc = &soc_fw_config_hash,
406 .data = {
407 .ptr = (void *)soc_fw_config_hash_buf,
408 .len = (unsigned int)HASH_DER_LEN
409 }
410 }
411 }
412};
413
414static const auth_img_desc_t bl31_image = {
415 .img_id = BL31_IMAGE_ID,
416 .img_type = IMG_RAW,
417 .parent = &soc_fw_content_cert,
418 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
419 [0] = {
420 .type = AUTH_METHOD_HASH,
421 .param.hash = {
422 .data = &raw_data,
423 .hash = &soc_fw_hash
424 }
425 }
426 }
427};
428
429/* SOC FW Config */
430static const auth_img_desc_t soc_fw_config = {
431 .img_id = SOC_FW_CONFIG_ID,
432 .img_type = IMG_RAW,
433 .parent = &soc_fw_content_cert,
434 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
435 [0] = {
436 .type = AUTH_METHOD_HASH,
437 .param.hash = {
438 .data = &raw_data,
439 .hash = &soc_fw_config_hash
440 }
441 }
442 }
443};
444
445/* Trusted OS Firmware */
446static const auth_img_desc_t trusted_os_fw_key_cert = {
447 .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
448 .img_type = IMG_CERT,
449 .parent = &trusted_key_cert,
450 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
451 [0] = {
452 .type = AUTH_METHOD_SIG,
453 .param.sig = {
454 .pk = &trusted_world_pk,
455 .sig = &sig,
456 .alg = &sig_alg,
457 .data = &raw_data
458 }
459 },
460 [1] = {
461 .type = AUTH_METHOD_NV_CTR,
462 .param.nv_ctr = {
463 .cert_nv_ctr = &trusted_nv_ctr,
464 .plat_nv_ctr = &trusted_nv_ctr
465 }
466 }
467 },
468 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
469 [0] = {
470 .type_desc = &tos_fw_content_pk,
471 .data = {
472 .ptr = (void *)content_pk_buf,
473 .len = (unsigned int)PK_DER_LEN
474 }
475 }
476 }
477};
478
479static const auth_img_desc_t trusted_os_fw_content_cert = {
480 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
481 .img_type = IMG_CERT,
482 .parent = &trusted_os_fw_key_cert,
483 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
484 [0] = {
485 .type = AUTH_METHOD_SIG,
486 .param.sig = {
487 .pk = &tos_fw_content_pk,
488 .sig = &sig,
489 .alg = &sig_alg,
490 .data = &raw_data
491 }
492 },
493 [1] = {
494 .type = AUTH_METHOD_NV_CTR,
495 .param.nv_ctr = {
496 .cert_nv_ctr = &trusted_nv_ctr,
497 .plat_nv_ctr = &trusted_nv_ctr
498 }
499 }
500 },
501 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
502 [0] = {
503 .type_desc = &tos_fw_hash,
504 .data = {
505 .ptr = (void *)tos_fw_hash_buf,
506 .len = (unsigned int)HASH_DER_LEN
507 }
508 },
509 [1] = {
510 .type_desc = &tos_fw_extra1_hash,
511 .data = {
512 .ptr = (void *)tos_fw_extra1_hash_buf,
513 .len = (unsigned int)HASH_DER_LEN
514 }
515 },
516 [2] = {
517 .type_desc = &tos_fw_extra2_hash,
518 .data = {
519 .ptr = (void *)tos_fw_extra2_hash_buf,
520 .len = (unsigned int)HASH_DER_LEN
521 }
522 },
523 [3] = {
524 .type_desc = &tos_fw_config_hash,
525 .data = {
526 .ptr = (void *)tos_fw_config_hash_buf,
527 .len = (unsigned int)HASH_DER_LEN
528 }
529 }
530 }
531};
532
533static const auth_img_desc_t bl32_image = {
534 .img_id = BL32_IMAGE_ID,
535 .img_type = IMG_RAW,
536 .parent = &trusted_os_fw_content_cert,
537 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
538 [0] = {
539 .type = AUTH_METHOD_HASH,
540 .param.hash = {
541 .data = &raw_data,
542 .hash = &tos_fw_hash
543 }
544 }
545 }
546};
547
548static const auth_img_desc_t bl32_extra1_image = {
549 .img_id = BL32_EXTRA1_IMAGE_ID,
550 .img_type = IMG_RAW,
551 .parent = &trusted_os_fw_content_cert,
552 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
553 [0] = {
554 .type = AUTH_METHOD_HASH,
555 .param.hash = {
556 .data = &raw_data,
557 .hash = &tos_fw_extra1_hash
558 }
559 }
560 }
561};
562
563static const auth_img_desc_t bl32_extra2_image = {
564 .img_id = BL32_EXTRA2_IMAGE_ID,
565 .img_type = IMG_RAW,
566 .parent = &trusted_os_fw_content_cert,
567 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
568 [0] = {
569 .type = AUTH_METHOD_HASH,
570 .param.hash = {
571 .data = &raw_data,
572 .hash = &tos_fw_extra2_hash
573 }
574 }
575 }
576};
577
578/* TOS FW Config */
579static const auth_img_desc_t tos_fw_config = {
580 .img_id = TOS_FW_CONFIG_ID,
581 .img_type = IMG_RAW,
582 .parent = &trusted_os_fw_content_cert,
583 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
584 [0] = {
585 .type = AUTH_METHOD_HASH,
586 .param.hash = {
587 .data = &raw_data,
588 .hash = &tos_fw_config_hash
589 }
590 }
591 }
592};
593
594/* Non-Trusted Firmware */
595static const auth_img_desc_t non_trusted_fw_content_cert = {
596 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
597 .img_type = IMG_CERT,
598 .parent = NULL, /* Root certificate. */
599 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
600 [0] = {
601 .type = AUTH_METHOD_SIG,
602 .param.sig = {
603 .pk = &prot_pk,
604 .sig = &sig,
605 .alg = &sig_alg,
606 .data = &raw_data
607 }
608 },
609 [1] = {
610 .type = AUTH_METHOD_NV_CTR,
611 .param.nv_ctr = {
612 .cert_nv_ctr = &non_trusted_nv_ctr,
613 .plat_nv_ctr = &non_trusted_nv_ctr
614 }
615 }
616 },
617 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
618 [0] = {
619 .type_desc = &nt_world_bl_hash,
620 .data = {
621 .ptr = (void *)nt_world_bl_hash_buf,
622 .len = (unsigned int)HASH_DER_LEN
623 }
624 },
625 [1] = {
626 .type_desc = &nt_fw_config_hash,
627 .data = {
628 .ptr = (void *)nt_fw_config_hash_buf,
629 .len = (unsigned int)HASH_DER_LEN
630 }
631 }
632 }
633};
634
635static const auth_img_desc_t bl33_image = {
636 .img_id = BL33_IMAGE_ID,
637 .img_type = IMG_RAW,
638 .parent = &non_trusted_fw_content_cert,
639 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
640 [0] = {
641 .type = AUTH_METHOD_HASH,
642 .param.hash = {
643 .data = &raw_data,
644 .hash = &nt_world_bl_hash
645 }
646 }
647 }
648};
649
650/* NT FW Config */
651static const auth_img_desc_t nt_fw_config = {
652 .img_id = NT_FW_CONFIG_ID,
653 .img_type = IMG_RAW,
654 .parent = &non_trusted_fw_content_cert,
655 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
656 [0] = {
657 .type = AUTH_METHOD_HASH,
658 .param.hash = {
659 .data = &raw_data,
660 .hash = &nt_fw_config_hash
661 }
662 }
663 }
664};
665
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]666/*
667 * Secure Partitions
668 */
669#if defined(SPD_spmd)
670static const auth_img_desc_t sp_content_cert = {
671 .img_id = SP_CONTENT_CERT_ID,
672 .img_type = IMG_CERT,
673 .parent = &trusted_key_cert,
674 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
675 [0] = {
676 .type = AUTH_METHOD_SIG,
677 .param.sig = {
678 .pk = &trusted_world_pk,
679 .sig = &sig,
680 .alg = &sig_alg,
681 .data = &raw_data
682 }
683 },
684 [1] = {
685 .type = AUTH_METHOD_NV_CTR,
686 .param.nv_ctr = {
687 .cert_nv_ctr = &trusted_nv_ctr,
688 .plat_nv_ctr = &trusted_nv_ctr
689 }
690 }
691 },
692 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
693 [0] = {
694 .type_desc = &sp_pkg1_hash,
695 .data = {
696 .ptr = (void *)sp_pkg_hash_buf[0],
697 .len = (unsigned int)HASH_DER_LEN
698 }
699 },
700 [1] = {
701 .type_desc = &sp_pkg2_hash,
702 .data = {
703 .ptr = (void *)sp_pkg_hash_buf[1],
704 .len = (unsigned int)HASH_DER_LEN
705 }
706 },
707 [2] = {
708 .type_desc = &sp_pkg3_hash,
709 .data = {
710 .ptr = (void *)sp_pkg_hash_buf[2],
711 .len = (unsigned int)HASH_DER_LEN
712 }
713 },
714 [3] = {
715 .type_desc = &sp_pkg4_hash,
716 .data = {
717 .ptr = (void *)sp_pkg_hash_buf[3],
718 .len = (unsigned int)HASH_DER_LEN
719 }
720 },
721 [4] = {
722 .type_desc = &sp_pkg5_hash,
723 .data = {
724 .ptr = (void *)sp_pkg_hash_buf[4],
725 .len = (unsigned int)HASH_DER_LEN
726 }
727 },
728 [5] = {
729 .type_desc = &sp_pkg6_hash,
730 .data = {
731 .ptr = (void *)sp_pkg_hash_buf[5],
732 .len = (unsigned int)HASH_DER_LEN
733 }
734 },
735 [6] = {
736 .type_desc = &sp_pkg7_hash,
737 .data = {
738 .ptr = (void *)sp_pkg_hash_buf[6],
739 .len = (unsigned int)HASH_DER_LEN
740 }
741 },
742 [7] = {
743 .type_desc = &sp_pkg8_hash,
744 .data = {
745 .ptr = (void *)sp_pkg_hash_buf[7],
746 .len = (unsigned int)HASH_DER_LEN
747 }
748 }
749 }
750};
751
752DEFINE_SP_PKG(1);
753DEFINE_SP_PKG(2);
754DEFINE_SP_PKG(3);
755DEFINE_SP_PKG(4);
756DEFINE_SP_PKG(5);
757DEFINE_SP_PKG(6);
758DEFINE_SP_PKG(7);
759DEFINE_SP_PKG(8);
760#endif /* SPD_spmd */
761
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]762#else /* IMAGE_BL2 */
763
764/* FWU auth descriptor */
765static const auth_img_desc_t fwu_cert = {
766 .img_id = FWU_CERT_ID,
767 .img_type = IMG_CERT,
768 .parent = NULL,
769 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
770 [0] = {
771 .type = AUTH_METHOD_SIG,
772 .param.sig = {
773 .pk = &subject_pk,
774 .sig = &sig,
775 .alg = &sig_alg,
776 .data = &raw_data
777 }
778 }
779 },
780 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
781 [0] = {
782 .type_desc = &scp_bl2u_hash,
783 .data = {
784 .ptr = (void *)scp_fw_hash_buf,
785 .len = (unsigned int)HASH_DER_LEN
786 }
787 },
788 [1] = {
789 .type_desc = &bl2u_hash,
790 .data = {
791 .ptr = (void *)tb_fw_hash_buf,
792 .len = (unsigned int)HASH_DER_LEN
793 }
794 },
795 [2] = {
796 .type_desc = &ns_bl2u_hash,
797 .data = {
798 .ptr = (void *)nt_world_bl_hash_buf,
799 .len = (unsigned int)HASH_DER_LEN
800 }
801 }
802 }
803};
804
805/* SCP_BL2U */
806static const auth_img_desc_t scp_bl2u_image = {
807 .img_id = SCP_BL2U_IMAGE_ID,
808 .img_type = IMG_RAW,
809 .parent = &fwu_cert,
810 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
811 [0] = {
812 .type = AUTH_METHOD_HASH,
813 .param.hash = {
814 .data = &raw_data,
815 .hash = &scp_bl2u_hash
816 }
817 }
818 }
819};
820
821/* BL2U */
822static const auth_img_desc_t bl2u_image = {
823 .img_id = BL2U_IMAGE_ID,
824 .img_type = IMG_RAW,
825 .parent = &fwu_cert,
826 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
827 [0] = {
828 .type = AUTH_METHOD_HASH,
829 .param.hash = {
830 .data = &raw_data,
831 .hash = &bl2u_hash
832 }
833 }
834 }
835};
836
837/* NS_BL2U */
838static const auth_img_desc_t ns_bl2u_image = {
839 .img_id = NS_BL2U_IMAGE_ID,
840 .img_type = IMG_RAW,
841 .parent = &fwu_cert,
842 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
843 [0] = {
844 .type = AUTH_METHOD_HASH,
845 .param.hash = {
846 .data = &raw_data,
847 .hash = &ns_bl2u_hash
848 }
849 }
850 }
851};
852#endif /* IMAGE_BL2 */
853
854/*
855 * Chain of trust definition
856 */
857#ifdef IMAGE_BL1
858static const auth_img_desc_t * const cot_desc[] = {
859 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
860 [BL2_IMAGE_ID] = &bl2_image,
861 [HW_CONFIG_ID] = &hw_config,
862 [TB_FW_CONFIG_ID] = &tb_fw_config,
863 [FWU_CERT_ID] = &fwu_cert,
864 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
865 [BL2U_IMAGE_ID] = &bl2u_image,
866 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image
867};
868#else /* IMAGE_BL2 */
869static const auth_img_desc_t * const cot_desc[] = {
870 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
871 [HW_CONFIG_ID] = &hw_config,
872 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
873 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert,
874 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert,
875 [SCP_BL2_IMAGE_ID] = &scp_bl2_image,
876 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
877 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
878 [BL31_IMAGE_ID] = &bl31_image,
879 [SOC_FW_CONFIG_ID] = &soc_fw_config,
880 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
881 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
882 [BL32_IMAGE_ID] = &bl32_image,
883 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
884 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
885 [TOS_FW_CONFIG_ID] = &tos_fw_config,
886 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
887 [BL33_IMAGE_ID] = &bl33_image,
888 [NT_FW_CONFIG_ID] = &nt_fw_config,
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]889#if defined(SPD_spmd)
890 [SP_CONTENT_CERT_ID] = &sp_content_cert,
891 [SP_CONTENT_CERT_ID + 1] = &sp_pkg1,
892 [SP_CONTENT_CERT_ID + 2] = &sp_pkg2,
893 [SP_CONTENT_CERT_ID + 3] = &sp_pkg3,
894 [SP_CONTENT_CERT_ID + 4] = &sp_pkg4,
895 [SP_CONTENT_CERT_ID + 5] = &sp_pkg5,
896 [SP_CONTENT_CERT_ID + 6] = &sp_pkg6,
897 [SP_CONTENT_CERT_ID + 7] = &sp_pkg7,
898 [SP_CONTENT_CERT_ID + 8] = &sp_pkg8,
899#endif
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]900};
901#endif
902
903/* Register the CoT in the authentication module */
904REGISTER_COT(cot_desc);