| Xialin Liu | e34a77b | 2024-06-27 12:07:10 -0500 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (c) 2020-2024, Arm Limited. All rights reserved. |
| 3 | * |
| 4 | * SPDX-License-Identifier: BSD-3-Clause |
| 5 | */ |
| 6 | |
| 7 | #include <stddef.h> |
| 8 | |
| 9 | #include <mbedtls/version.h> |
| 10 | |
| 11 | #include <common/tbbr/cot_def.h> |
| 12 | #include <drivers/auth/auth_mod.h> |
| 13 | #include <platform_def.h> |
| 14 | #include <tools_share/dualroot_oid.h> |
| 15 | |
| 16 | /* |
| 17 | * Allocate static buffers to store the authentication parameters extracted from |
| 18 | * the certificates. |
| 19 | */ |
| 20 | static unsigned char fw_config_hash_buf[HASH_DER_LEN]; |
| 21 | static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; |
| 22 | static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; |
| 23 | static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; |
| 24 | static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; |
| 25 | |
| 26 | /* |
| 27 | * Parameter type descriptors. |
| 28 | */ |
| 29 | static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( |
| 30 | AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); |
| 31 | static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( |
| 32 | AUTH_PARAM_PUB_KEY, 0); |
| 33 | static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( |
| 34 | AUTH_PARAM_SIG, 0); |
| 35 | static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( |
| 36 | AUTH_PARAM_SIG_ALG, 0); |
| 37 | static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( |
| 38 | AUTH_PARAM_RAW_DATA, 0); |
| 39 | |
| 40 | static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( |
| 41 | AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); |
| 42 | static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( |
| 43 | AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); |
| 44 | static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC( |
| 45 | AUTH_PARAM_HASH, FW_CONFIG_HASH_OID); |
| 46 | static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( |
| 47 | AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); |
| 48 | static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( |
| 49 | AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); |
| 50 | static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( |
| 51 | AUTH_PARAM_HASH, FWU_HASH_OID); |
| 52 | |
| 53 | static const auth_img_desc_t trusted_boot_fw_cert = { |
| 54 | .img_id = TRUSTED_BOOT_FW_CERT_ID, |
| 55 | .img_type = IMG_CERT, |
| 56 | .parent = NULL, |
| 57 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 58 | [0] = { |
| 59 | .type = AUTH_METHOD_SIG, |
| 60 | .param.sig = { |
| 61 | .pk = &subject_pk, |
| 62 | .sig = &sig, |
| 63 | .alg = &sig_alg, |
| 64 | .data = &raw_data |
| 65 | } |
| 66 | }, |
| 67 | [1] = { |
| 68 | .type = AUTH_METHOD_NV_CTR, |
| 69 | .param.nv_ctr = { |
| 70 | .cert_nv_ctr = &trusted_nv_ctr, |
| 71 | .plat_nv_ctr = &trusted_nv_ctr |
| 72 | } |
| 73 | } |
| 74 | }, |
| 75 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 76 | [0] = { |
| 77 | .type_desc = &tb_fw_hash, |
| 78 | .data = { |
| 79 | .ptr = (void *)tb_fw_hash_buf, |
| 80 | .len = (unsigned int)HASH_DER_LEN |
| 81 | } |
| 82 | }, |
| 83 | [1] = { |
| 84 | .type_desc = &tb_fw_config_hash, |
| 85 | .data = { |
| 86 | .ptr = (void *)tb_fw_config_hash_buf, |
| 87 | .len = (unsigned int)HASH_DER_LEN |
| 88 | } |
| 89 | }, |
| 90 | [2] = { |
| 91 | .type_desc = &fw_config_hash, |
| 92 | .data = { |
| 93 | .ptr = (void *)fw_config_hash_buf, |
| 94 | .len = (unsigned int)HASH_DER_LEN |
| 95 | } |
| 96 | } |
| 97 | } |
| 98 | }; |
| 99 | |
| 100 | static const auth_img_desc_t bl2_image = { |
| 101 | .img_id = BL2_IMAGE_ID, |
| 102 | .img_type = IMG_RAW, |
| 103 | .parent = &trusted_boot_fw_cert, |
| 104 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 105 | [0] = { |
| 106 | .type = AUTH_METHOD_HASH, |
| 107 | .param.hash = { |
| 108 | .data = &raw_data, |
| 109 | .hash = &tb_fw_hash |
| 110 | } |
| 111 | } |
| 112 | } |
| 113 | }; |
| 114 | |
| 115 | /* TB FW Config */ |
| 116 | static const auth_img_desc_t tb_fw_config = { |
| 117 | .img_id = TB_FW_CONFIG_ID, |
| 118 | .img_type = IMG_RAW, |
| 119 | .parent = &trusted_boot_fw_cert, |
| 120 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 121 | [0] = { |
| 122 | .type = AUTH_METHOD_HASH, |
| 123 | .param.hash = { |
| 124 | .data = &raw_data, |
| 125 | .hash = &tb_fw_config_hash |
| 126 | } |
| 127 | } |
| 128 | } |
| 129 | }; |
| 130 | |
| 131 | static const auth_img_desc_t fw_config = { |
| 132 | .img_id = FW_CONFIG_ID, |
| 133 | .img_type = IMG_RAW, |
| 134 | .parent = &trusted_boot_fw_cert, |
| 135 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 136 | [0] = { |
| 137 | .type = AUTH_METHOD_HASH, |
| 138 | .param.hash = { |
| 139 | .data = &raw_data, |
| 140 | .hash = &fw_config_hash |
| 141 | } |
| 142 | } |
| 143 | } |
| 144 | }; |
| 145 | |
| 146 | /* FWU auth descriptor */ |
| 147 | static const auth_img_desc_t fwu_cert = { |
| 148 | .img_id = FWU_CERT_ID, |
| 149 | .img_type = IMG_CERT, |
| 150 | .parent = NULL, |
| 151 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 152 | [0] = { |
| 153 | .type = AUTH_METHOD_SIG, |
| 154 | .param.sig = { |
| 155 | .pk = &subject_pk, |
| 156 | .sig = &sig, |
| 157 | .alg = &sig_alg, |
| 158 | .data = &raw_data |
| 159 | } |
| 160 | } |
| 161 | }, |
| 162 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 163 | [0] = { |
| 164 | .type_desc = &scp_bl2u_hash, |
| 165 | .data = { |
| 166 | .ptr = (void *)scp_fw_hash_buf, |
| 167 | .len = (unsigned int)HASH_DER_LEN |
| 168 | } |
| 169 | }, |
| 170 | [1] = { |
| 171 | .type_desc = &bl2u_hash, |
| 172 | .data = { |
| 173 | .ptr = (void *)tb_fw_hash_buf, |
| 174 | .len = (unsigned int)HASH_DER_LEN |
| 175 | } |
| 176 | }, |
| 177 | [2] = { |
| 178 | .type_desc = &ns_bl2u_hash, |
| 179 | .data = { |
| 180 | .ptr = (void *)nt_world_bl_hash_buf, |
| 181 | .len = (unsigned int)HASH_DER_LEN |
| 182 | } |
| 183 | } |
| 184 | } |
| 185 | }; |
| 186 | |
| 187 | /* SCP_BL2U */ |
| 188 | static const auth_img_desc_t scp_bl2u_image = { |
| 189 | .img_id = SCP_BL2U_IMAGE_ID, |
| 190 | .img_type = IMG_RAW, |
| 191 | .parent = &fwu_cert, |
| 192 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 193 | [0] = { |
| 194 | .type = AUTH_METHOD_HASH, |
| 195 | .param.hash = { |
| 196 | .data = &raw_data, |
| 197 | .hash = &scp_bl2u_hash |
| 198 | } |
| 199 | } |
| 200 | } |
| 201 | }; |
| 202 | |
| 203 | /* BL2U */ |
| 204 | static const auth_img_desc_t bl2u_image = { |
| 205 | .img_id = BL2U_IMAGE_ID, |
| 206 | .img_type = IMG_RAW, |
| 207 | .parent = &fwu_cert, |
| 208 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 209 | [0] = { |
| 210 | .type = AUTH_METHOD_HASH, |
| 211 | .param.hash = { |
| 212 | .data = &raw_data, |
| 213 | .hash = &bl2u_hash |
| 214 | } |
| 215 | } |
| 216 | } |
| 217 | }; |
| 218 | |
| 219 | /* NS_BL2U */ |
| 220 | static const auth_img_desc_t ns_bl2u_image = { |
| 221 | .img_id = NS_BL2U_IMAGE_ID, |
| 222 | .img_type = IMG_RAW, |
| 223 | .parent = &fwu_cert, |
| 224 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 225 | [0] = { |
| 226 | .type = AUTH_METHOD_HASH, |
| 227 | .param.hash = { |
| 228 | .data = &raw_data, |
| 229 | .hash = &ns_bl2u_hash |
| 230 | } |
| 231 | } |
| 232 | } |
| 233 | }; |
| 234 | |
| 235 | static const auth_img_desc_t * const cot_desc[] = { |
| 236 | [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, |
| 237 | [BL2_IMAGE_ID] = &bl2_image, |
| 238 | [TB_FW_CONFIG_ID] = &tb_fw_config, |
| 239 | [FW_CONFIG_ID] = &fw_config, |
| 240 | [FWU_CERT_ID] = &fwu_cert, |
| 241 | [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, |
| 242 | [BL2U_IMAGE_ID] = &bl2u_image, |
| 243 | [NS_BL2U_IMAGE_ID] = &ns_bl2u_image |
| 244 | }; |
| 245 | |
| 246 | REGISTER_COT(cot_desc); |