Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / c1be66fb65faa86d97d8cfc2283aafe5f785da4a / . / drivers / auth / dualroot / cot.c
blob: c89930c1ef4202331b2ae8979bd0c98048137e6b [file] [log] [blame]
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]1/*
Govindraj Raja9c7dfb02023-01-11 18:34:58 +0000[diff] [blame]2 * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <stddef.h>
8
Govindraj Raja9c7dfb02023-01-11 18:34:58 +0000[diff] [blame]9#include <mbedtls/version.h>
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]10
Govindraj Raja9c7dfb02023-01-11 18:34:58 +0000[diff] [blame]11#include <common/tbbr/cot_def.h>
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]12#include <drivers/auth/auth_mod.h>
Govindraj Raja9c7dfb02023-01-11 18:34:58 +0000[diff] [blame]13
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]14#include <tools_share/dualroot_oid.h>
15
Govindraj Raja9c7dfb02023-01-11 18:34:58 +0000[diff] [blame]16#include <platform_def.h>
17
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]18/*
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]19 * Allocate static buffers to store the authentication parameters extracted from
20 * the certificates.
21 */
Louis Mayencourt244027d2020-06-11 21:15:15 +0100[diff] [blame]22static unsigned char fw_config_hash_buf[HASH_DER_LEN];
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]23static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
24static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
25static unsigned char hw_config_hash_buf[HASH_DER_LEN];
26static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
27static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
28
29#ifdef IMAGE_BL2
30static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
31static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
32static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
33static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
34static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
35static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
36static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]37#if defined(SPD_spmd)
38static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
39#endif /* SPD_spmd */
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]40
41static unsigned char trusted_world_pk_buf[PK_DER_LEN];
42static unsigned char content_pk_buf[PK_DER_LEN];
43#endif
44
45/*
46 * Parameter type descriptors.
47 */
48static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
49 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
50static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
51 AUTH_PARAM_PUB_KEY, 0);
52static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
53 AUTH_PARAM_SIG, 0);
54static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
55 AUTH_PARAM_SIG_ALG, 0);
56static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
57 AUTH_PARAM_RAW_DATA, 0);
58
59static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
60 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
61static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
62 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
63static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
64 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
Louis Mayencourt244027d2020-06-11 21:15:15 +0100[diff] [blame]65static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
66 AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]67#ifdef IMAGE_BL1
68static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
69 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
70static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
71 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
72static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
73 AUTH_PARAM_HASH, FWU_HASH_OID);
74#endif /* IMAGE_BL1 */
75
76#ifdef IMAGE_BL2
77static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
78 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
79
80static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
81 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
82static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
83 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
84static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
85 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
86static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
87 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
88static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
89 AUTH_PARAM_PUB_KEY, PROT_PK_OID);
90
91static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
92 AUTH_PARAM_HASH, SCP_FW_HASH_OID);
93static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
94 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
95static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
96 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
97static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
98 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
99static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
100 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
101static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
102 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
103static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
104 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
105static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
106 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
107static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
108 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]109#if defined(SPD_spmd)
110static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
111 AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
112static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
113 AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
114static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
115 AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
116static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
117 AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
118static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
119 AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
120static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
121 AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
122static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
123 AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
124static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
125 AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
126#endif /* SPD_spmd */
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]127#endif /* IMAGE_BL2 */
128
129
130/* BL2 */
131static const auth_img_desc_t trusted_boot_fw_cert = {
132 .img_id = TRUSTED_BOOT_FW_CERT_ID,
133 .img_type = IMG_CERT,
134 .parent = NULL,
135 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
136 [0] = {
137 .type = AUTH_METHOD_SIG,
138 .param.sig = {
139 .pk = &subject_pk,
140 .sig = &sig,
141 .alg = &sig_alg,
142 .data = &raw_data
143 }
144 },
145 [1] = {
146 .type = AUTH_METHOD_NV_CTR,
147 .param.nv_ctr = {
148 .cert_nv_ctr = &trusted_nv_ctr,
149 .plat_nv_ctr = &trusted_nv_ctr
150 }
151 }
152 },
153 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
154 [0] = {
155 .type_desc = &tb_fw_hash,
156 .data = {
157 .ptr = (void *)tb_fw_hash_buf,
158 .len = (unsigned int)HASH_DER_LEN
159 }
160 },
161 [1] = {
162 .type_desc = &tb_fw_config_hash,
163 .data = {
164 .ptr = (void *)tb_fw_config_hash_buf,
165 .len = (unsigned int)HASH_DER_LEN
166 }
167 },
168 [2] = {
169 .type_desc = &hw_config_hash,
170 .data = {
171 .ptr = (void *)hw_config_hash_buf,
172 .len = (unsigned int)HASH_DER_LEN
173 }
Louis Mayencourt244027d2020-06-11 21:15:15 +0100[diff] [blame]174 },
175 [3] = {
176 .type_desc = &fw_config_hash,
177 .data = {
178 .ptr = (void *)fw_config_hash_buf,
179 .len = (unsigned int)HASH_DER_LEN
180 }
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]181 }
182 }
183};
184
185#ifdef IMAGE_BL1
186static const auth_img_desc_t bl2_image = {
187 .img_id = BL2_IMAGE_ID,
188 .img_type = IMG_RAW,
189 .parent = &trusted_boot_fw_cert,
190 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
191 [0] = {
192 .type = AUTH_METHOD_HASH,
193 .param.hash = {
194 .data = &raw_data,
195 .hash = &tb_fw_hash
196 }
197 }
198 }
199};
200#endif /* IMAGE_BL1 */
201
202/* HW Config */
203static const auth_img_desc_t hw_config = {
204 .img_id = HW_CONFIG_ID,
205 .img_type = IMG_RAW,
206 .parent = &trusted_boot_fw_cert,
207 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
208 [0] = {
209 .type = AUTH_METHOD_HASH,
210 .param.hash = {
211 .data = &raw_data,
212 .hash = &hw_config_hash
213 }
214 }
215 }
216};
217
218/* TB FW Config */
219#ifdef IMAGE_BL1
220static const auth_img_desc_t tb_fw_config = {
221 .img_id = TB_FW_CONFIG_ID,
222 .img_type = IMG_RAW,
223 .parent = &trusted_boot_fw_cert,
224 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
225 [0] = {
226 .type = AUTH_METHOD_HASH,
227 .param.hash = {
228 .data = &raw_data,
229 .hash = &tb_fw_config_hash
230 }
231 }
232 }
233};
Louis Mayencourt244027d2020-06-11 21:15:15 +0100[diff] [blame]234
235static const auth_img_desc_t fw_config = {
236 .img_id = FW_CONFIG_ID,
237 .img_type = IMG_RAW,
238 .parent = &trusted_boot_fw_cert,
239 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
240 [0] = {
241 .type = AUTH_METHOD_HASH,
242 .param.hash = {
243 .data = &raw_data,
244 .hash = &fw_config_hash
245 }
246 }
247 }
248};
249
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]250#endif /* IMAGE_BL1 */
251
252#ifdef IMAGE_BL2
253/* Trusted key certificate */
254static const auth_img_desc_t trusted_key_cert = {
255 .img_id = TRUSTED_KEY_CERT_ID,
256 .img_type = IMG_CERT,
257 .parent = NULL,
258 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
259 [0] = {
260 .type = AUTH_METHOD_SIG,
261 .param.sig = {
262 .pk = &subject_pk,
263 .sig = &sig,
264 .alg = &sig_alg,
265 .data = &raw_data
266 }
267 },
268 [1] = {
269 .type = AUTH_METHOD_NV_CTR,
270 .param.nv_ctr = {
271 .cert_nv_ctr = &trusted_nv_ctr,
272 .plat_nv_ctr = &trusted_nv_ctr
273 }
274 }
275 },
276 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
277 [0] = {
278 .type_desc = &trusted_world_pk,
279 .data = {
280 .ptr = (void *)trusted_world_pk_buf,
281 .len = (unsigned int)PK_DER_LEN
282 }
283 },
284 }
285};
286
287/* SCP Firmware */
288static const auth_img_desc_t scp_fw_key_cert = {
289 .img_id = SCP_FW_KEY_CERT_ID,
290 .img_type = IMG_CERT,
291 .parent = &trusted_key_cert,
292 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
293 [0] = {
294 .type = AUTH_METHOD_SIG,
295 .param.sig = {
296 .pk = &trusted_world_pk,
297 .sig = &sig,
298 .alg = &sig_alg,
299 .data = &raw_data
300 }
301 },
302 [1] = {
303 .type = AUTH_METHOD_NV_CTR,
304 .param.nv_ctr = {
305 .cert_nv_ctr = &trusted_nv_ctr,
306 .plat_nv_ctr = &trusted_nv_ctr
307 }
308 }
309 },
310 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
311 [0] = {
312 .type_desc = &scp_fw_content_pk,
313 .data = {
314 .ptr = (void *)content_pk_buf,
315 .len = (unsigned int)PK_DER_LEN
316 }
317 }
318 }
319};
320
321static const auth_img_desc_t scp_fw_content_cert = {
322 .img_id = SCP_FW_CONTENT_CERT_ID,
323 .img_type = IMG_CERT,
324 .parent = &scp_fw_key_cert,
325 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
326 [0] = {
327 .type = AUTH_METHOD_SIG,
328 .param.sig = {
329 .pk = &scp_fw_content_pk,
330 .sig = &sig,
331 .alg = &sig_alg,
332 .data = &raw_data
333 }
334 },
335 [1] = {
336 .type = AUTH_METHOD_NV_CTR,
337 .param.nv_ctr = {
338 .cert_nv_ctr = &trusted_nv_ctr,
339 .plat_nv_ctr = &trusted_nv_ctr
340 }
341 }
342 },
343 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
344 [0] = {
345 .type_desc = &scp_fw_hash,
346 .data = {
347 .ptr = (void *)scp_fw_hash_buf,
348 .len = (unsigned int)HASH_DER_LEN
349 }
350 }
351 }
352};
353
354static const auth_img_desc_t scp_bl2_image = {
355 .img_id = SCP_BL2_IMAGE_ID,
356 .img_type = IMG_RAW,
357 .parent = &scp_fw_content_cert,
358 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
359 [0] = {
360 .type = AUTH_METHOD_HASH,
361 .param.hash = {
362 .data = &raw_data,
363 .hash = &scp_fw_hash
364 }
365 }
366 }
367};
368
369/* SoC Firmware */
370static const auth_img_desc_t soc_fw_key_cert = {
371 .img_id = SOC_FW_KEY_CERT_ID,
372 .img_type = IMG_CERT,
373 .parent = &trusted_key_cert,
374 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
375 [0] = {
376 .type = AUTH_METHOD_SIG,
377 .param.sig = {
378 .pk = &trusted_world_pk,
379 .sig = &sig,
380 .alg = &sig_alg,
381 .data = &raw_data
382 }
383 },
384 [1] = {
385 .type = AUTH_METHOD_NV_CTR,
386 .param.nv_ctr = {
387 .cert_nv_ctr = &trusted_nv_ctr,
388 .plat_nv_ctr = &trusted_nv_ctr
389 }
390 }
391 },
392 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
393 [0] = {
394 .type_desc = &soc_fw_content_pk,
395 .data = {
396 .ptr = (void *)content_pk_buf,
397 .len = (unsigned int)PK_DER_LEN
398 }
399 }
400 }
401};
402
403static const auth_img_desc_t soc_fw_content_cert = {
404 .img_id = SOC_FW_CONTENT_CERT_ID,
405 .img_type = IMG_CERT,
406 .parent = &soc_fw_key_cert,
407 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
408 [0] = {
409 .type = AUTH_METHOD_SIG,
410 .param.sig = {
411 .pk = &soc_fw_content_pk,
412 .sig = &sig,
413 .alg = &sig_alg,
414 .data = &raw_data
415 }
416 },
417 [1] = {
418 .type = AUTH_METHOD_NV_CTR,
419 .param.nv_ctr = {
420 .cert_nv_ctr = &trusted_nv_ctr,
421 .plat_nv_ctr = &trusted_nv_ctr
422 }
423 }
424 },
425 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
426 [0] = {
427 .type_desc = &soc_fw_hash,
428 .data = {
429 .ptr = (void *)soc_fw_hash_buf,
430 .len = (unsigned int)HASH_DER_LEN
431 }
432 },
433 [1] = {
434 .type_desc = &soc_fw_config_hash,
435 .data = {
436 .ptr = (void *)soc_fw_config_hash_buf,
437 .len = (unsigned int)HASH_DER_LEN
438 }
439 }
440 }
441};
442
443static const auth_img_desc_t bl31_image = {
444 .img_id = BL31_IMAGE_ID,
445 .img_type = IMG_RAW,
446 .parent = &soc_fw_content_cert,
447 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
448 [0] = {
449 .type = AUTH_METHOD_HASH,
450 .param.hash = {
451 .data = &raw_data,
452 .hash = &soc_fw_hash
453 }
454 }
455 }
456};
457
458/* SOC FW Config */
459static const auth_img_desc_t soc_fw_config = {
460 .img_id = SOC_FW_CONFIG_ID,
461 .img_type = IMG_RAW,
462 .parent = &soc_fw_content_cert,
463 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
464 [0] = {
465 .type = AUTH_METHOD_HASH,
466 .param.hash = {
467 .data = &raw_data,
468 .hash = &soc_fw_config_hash
469 }
470 }
471 }
472};
473
474/* Trusted OS Firmware */
475static const auth_img_desc_t trusted_os_fw_key_cert = {
476 .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
477 .img_type = IMG_CERT,
478 .parent = &trusted_key_cert,
479 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
480 [0] = {
481 .type = AUTH_METHOD_SIG,
482 .param.sig = {
483 .pk = &trusted_world_pk,
484 .sig = &sig,
485 .alg = &sig_alg,
486 .data = &raw_data
487 }
488 },
489 [1] = {
490 .type = AUTH_METHOD_NV_CTR,
491 .param.nv_ctr = {
492 .cert_nv_ctr = &trusted_nv_ctr,
493 .plat_nv_ctr = &trusted_nv_ctr
494 }
495 }
496 },
497 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
498 [0] = {
499 .type_desc = &tos_fw_content_pk,
500 .data = {
501 .ptr = (void *)content_pk_buf,
502 .len = (unsigned int)PK_DER_LEN
503 }
504 }
505 }
506};
507
508static const auth_img_desc_t trusted_os_fw_content_cert = {
509 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
510 .img_type = IMG_CERT,
511 .parent = &trusted_os_fw_key_cert,
512 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
513 [0] = {
514 .type = AUTH_METHOD_SIG,
515 .param.sig = {
516 .pk = &tos_fw_content_pk,
517 .sig = &sig,
518 .alg = &sig_alg,
519 .data = &raw_data
520 }
521 },
522 [1] = {
523 .type = AUTH_METHOD_NV_CTR,
524 .param.nv_ctr = {
525 .cert_nv_ctr = &trusted_nv_ctr,
526 .plat_nv_ctr = &trusted_nv_ctr
527 }
528 }
529 },
530 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
531 [0] = {
532 .type_desc = &tos_fw_hash,
533 .data = {
534 .ptr = (void *)tos_fw_hash_buf,
535 .len = (unsigned int)HASH_DER_LEN
536 }
537 },
538 [1] = {
539 .type_desc = &tos_fw_extra1_hash,
540 .data = {
541 .ptr = (void *)tos_fw_extra1_hash_buf,
542 .len = (unsigned int)HASH_DER_LEN
543 }
544 },
545 [2] = {
546 .type_desc = &tos_fw_extra2_hash,
547 .data = {
548 .ptr = (void *)tos_fw_extra2_hash_buf,
549 .len = (unsigned int)HASH_DER_LEN
550 }
551 },
552 [3] = {
553 .type_desc = &tos_fw_config_hash,
554 .data = {
555 .ptr = (void *)tos_fw_config_hash_buf,
556 .len = (unsigned int)HASH_DER_LEN
557 }
558 }
559 }
560};
561
562static const auth_img_desc_t bl32_image = {
563 .img_id = BL32_IMAGE_ID,
564 .img_type = IMG_RAW,
565 .parent = &trusted_os_fw_content_cert,
566 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
567 [0] = {
568 .type = AUTH_METHOD_HASH,
569 .param.hash = {
570 .data = &raw_data,
571 .hash = &tos_fw_hash
572 }
573 }
574 }
575};
576
577static const auth_img_desc_t bl32_extra1_image = {
578 .img_id = BL32_EXTRA1_IMAGE_ID,
579 .img_type = IMG_RAW,
580 .parent = &trusted_os_fw_content_cert,
581 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
582 [0] = {
583 .type = AUTH_METHOD_HASH,
584 .param.hash = {
585 .data = &raw_data,
586 .hash = &tos_fw_extra1_hash
587 }
588 }
589 }
590};
591
592static const auth_img_desc_t bl32_extra2_image = {
593 .img_id = BL32_EXTRA2_IMAGE_ID,
594 .img_type = IMG_RAW,
595 .parent = &trusted_os_fw_content_cert,
596 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
597 [0] = {
598 .type = AUTH_METHOD_HASH,
599 .param.hash = {
600 .data = &raw_data,
601 .hash = &tos_fw_extra2_hash
602 }
603 }
604 }
605};
606
607/* TOS FW Config */
608static const auth_img_desc_t tos_fw_config = {
609 .img_id = TOS_FW_CONFIG_ID,
610 .img_type = IMG_RAW,
611 .parent = &trusted_os_fw_content_cert,
612 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
613 [0] = {
614 .type = AUTH_METHOD_HASH,
615 .param.hash = {
616 .data = &raw_data,
617 .hash = &tos_fw_config_hash
618 }
619 }
620 }
621};
622
623/* Non-Trusted Firmware */
624static const auth_img_desc_t non_trusted_fw_content_cert = {
625 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
626 .img_type = IMG_CERT,
627 .parent = NULL, /* Root certificate. */
628 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
629 [0] = {
630 .type = AUTH_METHOD_SIG,
631 .param.sig = {
632 .pk = &prot_pk,
633 .sig = &sig,
634 .alg = &sig_alg,
635 .data = &raw_data
636 }
637 },
638 [1] = {
639 .type = AUTH_METHOD_NV_CTR,
640 .param.nv_ctr = {
641 .cert_nv_ctr = &non_trusted_nv_ctr,
642 .plat_nv_ctr = &non_trusted_nv_ctr
643 }
644 }
645 },
646 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
647 [0] = {
648 .type_desc = &nt_world_bl_hash,
649 .data = {
650 .ptr = (void *)nt_world_bl_hash_buf,
651 .len = (unsigned int)HASH_DER_LEN
652 }
653 },
654 [1] = {
655 .type_desc = &nt_fw_config_hash,
656 .data = {
657 .ptr = (void *)nt_fw_config_hash_buf,
658 .len = (unsigned int)HASH_DER_LEN
659 }
660 }
661 }
662};
663
664static const auth_img_desc_t bl33_image = {
665 .img_id = BL33_IMAGE_ID,
666 .img_type = IMG_RAW,
667 .parent = &non_trusted_fw_content_cert,
668 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
669 [0] = {
670 .type = AUTH_METHOD_HASH,
671 .param.hash = {
672 .data = &raw_data,
673 .hash = &nt_world_bl_hash
674 }
675 }
676 }
677};
678
679/* NT FW Config */
680static const auth_img_desc_t nt_fw_config = {
681 .img_id = NT_FW_CONFIG_ID,
682 .img_type = IMG_RAW,
683 .parent = &non_trusted_fw_content_cert,
684 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
685 [0] = {
686 .type = AUTH_METHOD_HASH,
687 .param.hash = {
688 .data = &raw_data,
689 .hash = &nt_fw_config_hash
690 }
691 }
692 }
693};
694
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]695/*
696 * Secure Partitions
697 */
698#if defined(SPD_spmd)
Manish Pandeyd07d0172020-07-23 16:54:30 +0100[diff] [blame]699static const auth_img_desc_t sip_sp_content_cert = {
700 .img_id = SIP_SP_CONTENT_CERT_ID,
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]701 .img_type = IMG_CERT,
702 .parent = &trusted_key_cert,
703 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
704 [0] = {
705 .type = AUTH_METHOD_SIG,
706 .param.sig = {
707 .pk = &trusted_world_pk,
708 .sig = &sig,
709 .alg = &sig_alg,
710 .data = &raw_data
711 }
712 },
713 [1] = {
714 .type = AUTH_METHOD_NV_CTR,
715 .param.nv_ctr = {
716 .cert_nv_ctr = &trusted_nv_ctr,
717 .plat_nv_ctr = &trusted_nv_ctr
718 }
719 }
720 },
721 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
722 [0] = {
723 .type_desc = &sp_pkg1_hash,
724 .data = {
725 .ptr = (void *)sp_pkg_hash_buf[0],
726 .len = (unsigned int)HASH_DER_LEN
727 }
728 },
729 [1] = {
730 .type_desc = &sp_pkg2_hash,
731 .data = {
732 .ptr = (void *)sp_pkg_hash_buf[1],
733 .len = (unsigned int)HASH_DER_LEN
734 }
735 },
736 [2] = {
737 .type_desc = &sp_pkg3_hash,
738 .data = {
739 .ptr = (void *)sp_pkg_hash_buf[2],
740 .len = (unsigned int)HASH_DER_LEN
741 }
742 },
743 [3] = {
744 .type_desc = &sp_pkg4_hash,
745 .data = {
746 .ptr = (void *)sp_pkg_hash_buf[3],
747 .len = (unsigned int)HASH_DER_LEN
748 }
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]749 }
750 }
751};
752
753DEFINE_SIP_SP_PKG(1);
754DEFINE_SIP_SP_PKG(2);
755DEFINE_SIP_SP_PKG(3);
756DEFINE_SIP_SP_PKG(4);
757
758static const auth_img_desc_t plat_sp_content_cert = {
759 .img_id = PLAT_SP_CONTENT_CERT_ID,
760 .img_type = IMG_CERT,
761 .parent = NULL,
762 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
763 [0] = {
764 .type = AUTH_METHOD_SIG,
765 .param.sig = {
766 .pk = &prot_pk,
767 .sig = &sig,
768 .alg = &sig_alg,
769 .data = &raw_data
770 }
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]771 },
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]772 [1] = {
773 .type = AUTH_METHOD_NV_CTR,
774 .param.nv_ctr = {
775 .cert_nv_ctr = &non_trusted_nv_ctr,
776 .plat_nv_ctr = &non_trusted_nv_ctr
777 }
778 }
779 },
780 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
781 [0] = {
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]782 .type_desc = &sp_pkg5_hash,
783 .data = {
784 .ptr = (void *)sp_pkg_hash_buf[4],
785 .len = (unsigned int)HASH_DER_LEN
786 }
787 },
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]788 [1] = {
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]789 .type_desc = &sp_pkg6_hash,
790 .data = {
791 .ptr = (void *)sp_pkg_hash_buf[5],
792 .len = (unsigned int)HASH_DER_LEN
793 }
794 },
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]795 [2] = {
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]796 .type_desc = &sp_pkg7_hash,
797 .data = {
798 .ptr = (void *)sp_pkg_hash_buf[6],
799 .len = (unsigned int)HASH_DER_LEN
800 }
801 },
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]802 [3] = {
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]803 .type_desc = &sp_pkg8_hash,
804 .data = {
805 .ptr = (void *)sp_pkg_hash_buf[7],
806 .len = (unsigned int)HASH_DER_LEN
807 }
808 }
809 }
810};
811
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]812DEFINE_PLAT_SP_PKG(5);
813DEFINE_PLAT_SP_PKG(6);
814DEFINE_PLAT_SP_PKG(7);
815DEFINE_PLAT_SP_PKG(8);
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]816#endif /* SPD_spmd */
817
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]818#else /* IMAGE_BL2 */
819
820/* FWU auth descriptor */
821static const auth_img_desc_t fwu_cert = {
822 .img_id = FWU_CERT_ID,
823 .img_type = IMG_CERT,
824 .parent = NULL,
825 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
826 [0] = {
827 .type = AUTH_METHOD_SIG,
828 .param.sig = {
829 .pk = &subject_pk,
830 .sig = &sig,
831 .alg = &sig_alg,
832 .data = &raw_data
833 }
834 }
835 },
836 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
837 [0] = {
838 .type_desc = &scp_bl2u_hash,
839 .data = {
840 .ptr = (void *)scp_fw_hash_buf,
841 .len = (unsigned int)HASH_DER_LEN
842 }
843 },
844 [1] = {
845 .type_desc = &bl2u_hash,
846 .data = {
847 .ptr = (void *)tb_fw_hash_buf,
848 .len = (unsigned int)HASH_DER_LEN
849 }
850 },
851 [2] = {
852 .type_desc = &ns_bl2u_hash,
853 .data = {
854 .ptr = (void *)nt_world_bl_hash_buf,
855 .len = (unsigned int)HASH_DER_LEN
856 }
857 }
858 }
859};
860
861/* SCP_BL2U */
862static const auth_img_desc_t scp_bl2u_image = {
863 .img_id = SCP_BL2U_IMAGE_ID,
864 .img_type = IMG_RAW,
865 .parent = &fwu_cert,
866 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
867 [0] = {
868 .type = AUTH_METHOD_HASH,
869 .param.hash = {
870 .data = &raw_data,
871 .hash = &scp_bl2u_hash
872 }
873 }
874 }
875};
876
877/* BL2U */
878static const auth_img_desc_t bl2u_image = {
879 .img_id = BL2U_IMAGE_ID,
880 .img_type = IMG_RAW,
881 .parent = &fwu_cert,
882 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
883 [0] = {
884 .type = AUTH_METHOD_HASH,
885 .param.hash = {
886 .data = &raw_data,
887 .hash = &bl2u_hash
888 }
889 }
890 }
891};
892
893/* NS_BL2U */
894static const auth_img_desc_t ns_bl2u_image = {
895 .img_id = NS_BL2U_IMAGE_ID,
896 .img_type = IMG_RAW,
897 .parent = &fwu_cert,
898 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
899 [0] = {
900 .type = AUTH_METHOD_HASH,
901 .param.hash = {
902 .data = &raw_data,
903 .hash = &ns_bl2u_hash
904 }
905 }
906 }
907};
908#endif /* IMAGE_BL2 */
909
910/*
911 * Chain of trust definition
912 */
913#ifdef IMAGE_BL1
914static const auth_img_desc_t * const cot_desc[] = {
915 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
916 [BL2_IMAGE_ID] = &bl2_image,
917 [HW_CONFIG_ID] = &hw_config,
918 [TB_FW_CONFIG_ID] = &tb_fw_config,
Louis Mayencourt244027d2020-06-11 21:15:15 +0100[diff] [blame]919 [FW_CONFIG_ID] = &fw_config,
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]920 [FWU_CERT_ID] = &fwu_cert,
921 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
922 [BL2U_IMAGE_ID] = &bl2u_image,
923 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image
924};
925#else /* IMAGE_BL2 */
926static const auth_img_desc_t * const cot_desc[] = {
927 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
928 [HW_CONFIG_ID] = &hw_config,
929 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
930 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert,
931 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert,
932 [SCP_BL2_IMAGE_ID] = &scp_bl2_image,
933 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
934 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
935 [BL31_IMAGE_ID] = &bl31_image,
936 [SOC_FW_CONFIG_ID] = &soc_fw_config,
937 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
938 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
939 [BL32_IMAGE_ID] = &bl32_image,
940 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
941 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
942 [TOS_FW_CONFIG_ID] = &tos_fw_config,
943 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
944 [BL33_IMAGE_ID] = &bl33_image,
945 [NT_FW_CONFIG_ID] = &nt_fw_config,
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]946#if defined(SPD_spmd)
Manish Pandeyd07d0172020-07-23 16:54:30 +0100[diff] [blame]947 [SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert,
Manish Pandey6aef2cc2020-07-31 16:25:17 +0100[diff] [blame]948 [PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert,
Manish Pandeyd07d0172020-07-23 16:54:30 +0100[diff] [blame]949 [SP_PKG1_ID] = &sp_pkg1,
950 [SP_PKG2_ID] = &sp_pkg2,
951 [SP_PKG3_ID] = &sp_pkg3,
952 [SP_PKG4_ID] = &sp_pkg4,
953 [SP_PKG5_ID] = &sp_pkg5,
954 [SP_PKG6_ID] = &sp_pkg6,
955 [SP_PKG7_ID] = &sp_pkg7,
956 [SP_PKG8_ID] = &sp_pkg8,
Manish Pandey5f8e1a02020-05-27 22:40:10 +0100[diff] [blame]957#endif
Sandrine Bailleux6ae00742020-02-06 14:59:14 +0100[diff] [blame]958};
959#endif
960
961/* Register the CoT in the authentication module */
962REGISTER_COT(cot_desc);