Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / c56203c7aa4e7faf59ba0f27ab82ec0938db5c72 / . / drivers / nxp / auth / tbbr / tbbr_cot.c
blob: ac4595f024acbca007e35d1c8a69d65ec206922a [file] [log] [blame]
Pankaj Gupta9247b402020-12-09 14:02:39 +0530[diff] [blame]1/*
Govindraj Rajae045e122023-02-28 11:37:02 +0000[diff] [blame]2 * Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
Pankaj Gupta9247b402020-12-09 14:02:39 +0530[diff] [blame]3 *
4 * Copyright 2020 NXP
5 *
6 * SPDX-License-Identifier: BSD-3-Clause
7 */
8
9#include <stddef.h>
10
Govindraj Rajae045e122023-02-28 11:37:02 +0000[diff] [blame]11#include <common/tbbr/cot_def.h>
Pankaj Gupta9247b402020-12-09 14:02:39 +0530[diff] [blame]12#include <drivers/auth/auth_mod.h>
13
14#if USE_TBBR_DEFS
15#include <tools_share/tbbr_oid.h>
16#else
17#include <platform_oid.h>
18#endif
19
20
21#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256
22#define HASH_DER_LEN 51
23#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384
24#define HASH_DER_LEN 67
25#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512
26#define HASH_DER_LEN 83
27#else
28#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID"
29#endif
30
31/*
32 * The platform must allocate buffers to store the authentication parameters
33 * extracted from the certificates. In this case, because of the way the CoT is
34 * established, we can reuse some of the buffers on different stages
35 */
36
37static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
38
39static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
40static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
41static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
42static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
43static unsigned char trusted_world_pk_buf[PK_DER_LEN];
44static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
45static unsigned char content_pk_buf[PK_DER_LEN];
46static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
47static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
48static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
49
50#ifdef CONFIG_DDR_FIP_IMAGE
51static unsigned char ddr_fw_content_pk_buf[PK_DER_LEN];
52static unsigned char ddr_imem_udimm_1d_hash_buf[HASH_DER_LEN];
53static unsigned char ddr_imem_udimm_2d_hash_buf[HASH_DER_LEN];
54static unsigned char ddr_dmem_udimm_1d_hash_buf[HASH_DER_LEN];
55static unsigned char ddr_dmem_udimm_2d_hash_buf[HASH_DER_LEN];
56
57static unsigned char ddr_imem_rdimm_1d_hash_buf[HASH_DER_LEN];
58static unsigned char ddr_imem_rdimm_2d_hash_buf[HASH_DER_LEN];
59static unsigned char ddr_dmem_rdimm_1d_hash_buf[HASH_DER_LEN];
60static unsigned char ddr_dmem_rdimm_2d_hash_buf[HASH_DER_LEN];
61#endif
62
63/*
64 * Parameter type descriptors
65 */
66static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
67 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
68
69static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
70 AUTH_PARAM_PUB_KEY, 0);
71static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
72 AUTH_PARAM_SIG, 0);
73static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
74 AUTH_PARAM_SIG_ALG, 0);
75static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
76 AUTH_PARAM_RAW_DATA, 0);
77
78
79static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
80 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
81static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
82 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
83static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
84 AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
85static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
86 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
87static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
88 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
89static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
90 AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
91static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
92 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
93static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
94 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
95static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
96 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
97static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
98 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
99static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
100 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
101static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
102 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
103static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
104 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
105static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
106 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
107
108#ifdef CONFIG_DDR_FIP_IMAGE
109static auth_param_type_desc_t ddr_fw_content_pk = AUTH_PARAM_TYPE_DESC(
110 AUTH_PARAM_PUB_KEY, DDR_FW_CONTENT_CERT_PK_OID);
111
112static auth_param_type_desc_t ddr_imem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
113 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_1D_HASH_OID);
114static auth_param_type_desc_t ddr_imem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
115 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_2D_HASH_OID);
116static auth_param_type_desc_t ddr_dmem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
117 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_1D_HASH_OID);
118static auth_param_type_desc_t ddr_dmem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
119 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_2D_HASH_OID);
120
121static auth_param_type_desc_t ddr_imem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
122 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_1D_HASH_OID);
123static auth_param_type_desc_t ddr_imem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
124 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_2D_HASH_OID);
125static auth_param_type_desc_t ddr_dmem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
126 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_1D_HASH_OID);
127static auth_param_type_desc_t ddr_dmem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
128 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_2D_HASH_OID);
129#endif
130
131
132/*
133 * Trusted key certificate
134 */
135static const auth_img_desc_t trusted_key_cert = {
136 .img_id = TRUSTED_KEY_CERT_ID,
137 .img_type = IMG_CERT,
138 .parent = NULL,
139 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
140 [0] = {
141 .type = AUTH_METHOD_SIG,
142 .param.sig = {
143 .pk = &subject_pk,
144 .sig = &sig,
145 .alg = &sig_alg,
146 .data = &raw_data
147 }
148 },
149 [1] = {
150 .type = AUTH_METHOD_NV_CTR,
151 .param.nv_ctr = {
152 .cert_nv_ctr = &trusted_nv_ctr,
153 .plat_nv_ctr = &trusted_nv_ctr
154 }
155 }
156 },
157 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
158 [0] = {
159 .type_desc = &trusted_world_pk,
160 .data = {
161 .ptr = (void *)trusted_world_pk_buf,
162 .len = (unsigned int)PK_DER_LEN
163 }
164 },
165 [1] = {
166 .type_desc = &non_trusted_world_pk,
167 .data = {
168 .ptr = (void *)non_trusted_world_pk_buf,
169 .len = (unsigned int)PK_DER_LEN
170 }
171 }
172 }
173};
174
175/*
176 * SoC Firmware
177 */
178static const auth_img_desc_t soc_fw_key_cert = {
179 .img_id = SOC_FW_KEY_CERT_ID,
180 .img_type = IMG_CERT,
181 .parent = &trusted_key_cert,
182 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
183 [0] = {
184 .type = AUTH_METHOD_SIG,
185 .param.sig = {
186 .pk = &trusted_world_pk,
187 .sig = &sig,
188 .alg = &sig_alg,
189 .data = &raw_data
190 }
191 },
192 [1] = {
193 .type = AUTH_METHOD_NV_CTR,
194 .param.nv_ctr = {
195 .cert_nv_ctr = &trusted_nv_ctr,
196 .plat_nv_ctr = &trusted_nv_ctr
197 }
198 }
199 },
200 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
201 [0] = {
202 .type_desc = &soc_fw_content_pk,
203 .data = {
204 .ptr = (void *)content_pk_buf,
205 .len = (unsigned int)PK_DER_LEN
206 }
207 }
208 }
209};
210static const auth_img_desc_t soc_fw_content_cert = {
211 .img_id = SOC_FW_CONTENT_CERT_ID,
212 .img_type = IMG_CERT,
213 .parent = &soc_fw_key_cert,
214 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
215 [0] = {
216 .type = AUTH_METHOD_SIG,
217 .param.sig = {
218 .pk = &soc_fw_content_pk,
219 .sig = &sig,
220 .alg = &sig_alg,
221 .data = &raw_data
222 }
223 },
224 [1] = {
225 .type = AUTH_METHOD_NV_CTR,
226 .param.nv_ctr = {
227 .cert_nv_ctr = &trusted_nv_ctr,
228 .plat_nv_ctr = &trusted_nv_ctr
229 }
230 }
231 },
232 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
233 [0] = {
234 .type_desc = &soc_fw_hash,
235 .data = {
236 .ptr = (void *)soc_fw_hash_buf,
237 .len = (unsigned int)HASH_DER_LEN
238 }
239 },
240 [1] = {
241 .type_desc = &soc_fw_config_hash,
242 .data = {
243 .ptr = (void *)soc_fw_config_hash_buf,
244 .len = (unsigned int)HASH_DER_LEN
245 }
246 }
247 }
248};
249static const auth_img_desc_t bl31_image = {
250 .img_id = BL31_IMAGE_ID,
251 .img_type = IMG_RAW,
252 .parent = &soc_fw_content_cert,
253 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
254 [0] = {
255 .type = AUTH_METHOD_HASH,
256 .param.hash = {
257 .data = &raw_data,
258 .hash = &soc_fw_hash
259 }
260 }
261 }
262};
263/* SOC FW Config */
264static const auth_img_desc_t soc_fw_config = {
265 .img_id = SOC_FW_CONFIG_ID,
266 .img_type = IMG_RAW,
267 .parent = &soc_fw_content_cert,
268 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
269 [0] = {
270 .type = AUTH_METHOD_HASH,
271 .param.hash = {
272 .data = &raw_data,
273 .hash = &soc_fw_config_hash
274 }
275 }
276 }
277};
278/*
279 * Trusted OS Firmware
280 */
281static const auth_img_desc_t trusted_os_fw_key_cert = {
282 .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
283 .img_type = IMG_CERT,
284 .parent = &trusted_key_cert,
285 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
286 [0] = {
287 .type = AUTH_METHOD_SIG,
288 .param.sig = {
289 .pk = &trusted_world_pk,
290 .sig = &sig,
291 .alg = &sig_alg,
292 .data = &raw_data
293 }
294 },
295 [1] = {
296 .type = AUTH_METHOD_NV_CTR,
297 .param.nv_ctr = {
298 .cert_nv_ctr = &trusted_nv_ctr,
299 .plat_nv_ctr = &trusted_nv_ctr
300 }
301 }
302 },
303 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
304 [0] = {
305 .type_desc = &tos_fw_content_pk,
306 .data = {
307 .ptr = (void *)content_pk_buf,
308 .len = (unsigned int)PK_DER_LEN
309 }
310 }
311 }
312};
313static const auth_img_desc_t trusted_os_fw_content_cert = {
314 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
315 .img_type = IMG_CERT,
316 .parent = &trusted_os_fw_key_cert,
317 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
318 [0] = {
319 .type = AUTH_METHOD_SIG,
320 .param.sig = {
321 .pk = &tos_fw_content_pk,
322 .sig = &sig,
323 .alg = &sig_alg,
324 .data = &raw_data
325 }
326 },
327 [1] = {
328 .type = AUTH_METHOD_NV_CTR,
329 .param.nv_ctr = {
330 .cert_nv_ctr = &trusted_nv_ctr,
331 .plat_nv_ctr = &trusted_nv_ctr
332 }
333 }
334 },
335 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
336 [0] = {
337 .type_desc = &tos_fw_hash,
338 .data = {
339 .ptr = (void *)tos_fw_hash_buf,
340 .len = (unsigned int)HASH_DER_LEN
341 }
342 },
343 [1] = {
344 .type_desc = &tos_fw_extra1_hash,
345 .data = {
346 .ptr = (void *)tos_fw_extra1_hash_buf,
347 .len = (unsigned int)HASH_DER_LEN
348 }
349 },
350 [2] = {
351 .type_desc = &tos_fw_extra2_hash,
352 .data = {
353 .ptr = (void *)tos_fw_extra2_hash_buf,
354 .len = (unsigned int)HASH_DER_LEN
355 }
356 },
357 [3] = {
358 .type_desc = &tos_fw_config_hash,
359 .data = {
360 .ptr = (void *)tos_fw_config_hash_buf,
361 .len = (unsigned int)HASH_DER_LEN
362 }
363 }
364 }
365};
366static const auth_img_desc_t bl32_image = {
367 .img_id = BL32_IMAGE_ID,
368 .img_type = IMG_RAW,
369 .parent = &trusted_os_fw_content_cert,
370 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
371 [0] = {
372 .type = AUTH_METHOD_HASH,
373 .param.hash = {
374 .data = &raw_data,
375 .hash = &tos_fw_hash
376 }
377 }
378 }
379};
380static const auth_img_desc_t bl32_extra1_image = {
381 .img_id = BL32_EXTRA1_IMAGE_ID,
382 .img_type = IMG_RAW,
383 .parent = &trusted_os_fw_content_cert,
384 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
385 [0] = {
386 .type = AUTH_METHOD_HASH,
387 .param.hash = {
388 .data = &raw_data,
389 .hash = &tos_fw_extra1_hash
390 }
391 }
392 }
393};
394static const auth_img_desc_t bl32_extra2_image = {
395 .img_id = BL32_EXTRA2_IMAGE_ID,
396 .img_type = IMG_RAW,
397 .parent = &trusted_os_fw_content_cert,
398 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
399 [0] = {
400 .type = AUTH_METHOD_HASH,
401 .param.hash = {
402 .data = &raw_data,
403 .hash = &tos_fw_extra2_hash
404 }
405 }
406 }
407};
408/* TOS FW Config */
409static const auth_img_desc_t tos_fw_config = {
410 .img_id = TOS_FW_CONFIG_ID,
411 .img_type = IMG_RAW,
412 .parent = &trusted_os_fw_content_cert,
413 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
414 [0] = {
415 .type = AUTH_METHOD_HASH,
416 .param.hash = {
417 .data = &raw_data,
418 .hash = &tos_fw_config_hash
419 }
420 }
421 }
422};
423/*
424 * Non-Trusted Firmware
425 */
426static const auth_img_desc_t non_trusted_fw_key_cert = {
427 .img_id = NON_TRUSTED_FW_KEY_CERT_ID,
428 .img_type = IMG_CERT,
429 .parent = &trusted_key_cert,
430 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
431 [0] = {
432 .type = AUTH_METHOD_SIG,
433 .param.sig = {
434 .pk = &non_trusted_world_pk,
435 .sig = &sig,
436 .alg = &sig_alg,
437 .data = &raw_data
438 }
439 },
440 [1] = {
441 .type = AUTH_METHOD_NV_CTR,
442 .param.nv_ctr = {
443 .cert_nv_ctr = &non_trusted_nv_ctr,
444 .plat_nv_ctr = &non_trusted_nv_ctr
445 }
446 }
447 },
448 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
449 [0] = {
450 .type_desc = &nt_fw_content_pk,
451 .data = {
452 .ptr = (void *)content_pk_buf,
453 .len = (unsigned int)PK_DER_LEN
454 }
455 }
456 }
457};
458static const auth_img_desc_t non_trusted_fw_content_cert = {
459 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
460 .img_type = IMG_CERT,
461 .parent = &non_trusted_fw_key_cert,
462 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
463 [0] = {
464 .type = AUTH_METHOD_SIG,
465 .param.sig = {
466 .pk = &nt_fw_content_pk,
467 .sig = &sig,
468 .alg = &sig_alg,
469 .data = &raw_data
470 }
471 },
472 [1] = {
473 .type = AUTH_METHOD_NV_CTR,
474 .param.nv_ctr = {
475 .cert_nv_ctr = &non_trusted_nv_ctr,
476 .plat_nv_ctr = &non_trusted_nv_ctr
477 }
478 }
479 },
480 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
481 [0] = {
482 .type_desc = &nt_world_bl_hash,
483 .data = {
484 .ptr = (void *)nt_world_bl_hash_buf,
485 .len = (unsigned int)HASH_DER_LEN
486 }
487 },
488 [1] = {
489 .type_desc = &nt_fw_config_hash,
490 .data = {
491 .ptr = (void *)nt_fw_config_hash_buf,
492 .len = (unsigned int)HASH_DER_LEN
493 }
494 }
495 }
496};
497static const auth_img_desc_t bl33_image = {
498 .img_id = BL33_IMAGE_ID,
499 .img_type = IMG_RAW,
500 .parent = &non_trusted_fw_content_cert,
501 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
502 [0] = {
503 .type = AUTH_METHOD_HASH,
504 .param.hash = {
505 .data = &raw_data,
506 .hash = &nt_world_bl_hash
507 }
508 }
509 }
510};
511/* NT FW Config */
512static const auth_img_desc_t nt_fw_config = {
513 .img_id = NT_FW_CONFIG_ID,
514 .img_type = IMG_RAW,
515 .parent = &non_trusted_fw_content_cert,
516 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
517 [0] = {
518 .type = AUTH_METHOD_HASH,
519 .param.hash = {
520 .data = &raw_data,
521 .hash = &nt_fw_config_hash
522 }
523 }
524 }
525};
526#ifdef CONFIG_DDR_FIP_IMAGE
527/*
528 * DDR Firmware
529 */
530static const auth_img_desc_t ddr_fw_key_cert = {
531 .img_id = DDR_FW_KEY_CERT_ID,
532 .img_type = IMG_CERT,
533 .parent = &trusted_key_cert,
534 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
535 [0] = {
536 .type = AUTH_METHOD_SIG,
537 .param.sig = {
538 .pk = &trusted_world_pk,
539 .sig = &sig,
540 .alg = &sig_alg,
541 .data = &raw_data
542 }
543 },
544 [1] = {
545 .type = AUTH_METHOD_NV_CTR,
546 .param.nv_ctr = {
547 .cert_nv_ctr = &trusted_nv_ctr,
548 .plat_nv_ctr = &trusted_nv_ctr
549 }
550 }
551 },
552 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
553 [0] = {
554 .type_desc = &ddr_fw_content_pk,
555 .data = {
556 .ptr = (void *)ddr_fw_content_pk_buf,
557 .len = (unsigned int)PK_DER_LEN
558 }
559 }
560 }
561};
562static const auth_img_desc_t ddr_udimm_fw_content_cert = {
563 .img_id = DDR_UDIMM_FW_CONTENT_CERT_ID,
564 .img_type = IMG_CERT,
565 .parent = &ddr_fw_key_cert,
566 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
567 [0] = {
568 .type = AUTH_METHOD_SIG,
569 .param.sig = {
570 .pk = &ddr_fw_content_pk,
571 .sig = &sig,
572 .alg = &sig_alg,
573 .data = &raw_data
574 }
575 },
576 [1] = {
577 .type = AUTH_METHOD_NV_CTR,
578 .param.nv_ctr = {
579 .cert_nv_ctr = &trusted_nv_ctr,
580 .plat_nv_ctr = &trusted_nv_ctr
581 }
582 }
583 },
584 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
585 [0] = {
586 .type_desc = &ddr_imem_udimm_1d_fw_hash,
587 .data = {
588 .ptr = (void *)ddr_imem_udimm_1d_hash_buf,
589 .len = (unsigned int)HASH_DER_LEN
590 }
591 },
592 [1] = {
593 .type_desc = &ddr_imem_udimm_2d_fw_hash,
594 .data = {
595 .ptr = (void *)ddr_imem_udimm_2d_hash_buf,
596 .len = (unsigned int)HASH_DER_LEN
597 }
598 },
599 [2] = {
600 .type_desc = &ddr_dmem_udimm_1d_fw_hash,
601 .data = {
602 .ptr = (void *)ddr_dmem_udimm_1d_hash_buf,
603 .len = (unsigned int)HASH_DER_LEN
604 }
605 },
606 [3] = {
607 .type_desc = &ddr_dmem_udimm_2d_fw_hash,
608 .data = {
609 .ptr = (void *)ddr_dmem_udimm_2d_hash_buf,
610 .len = (unsigned int)HASH_DER_LEN
611 }
612 },
613 }
614};
615
616static const auth_img_desc_t ddr_imem_udimm_1d_img = {
617 .img_id = DDR_IMEM_UDIMM_1D_IMAGE_ID,
618 .img_type = IMG_RAW,
619 .parent = &ddr_udimm_fw_content_cert,
620 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
621 [0] = {
622 .type = AUTH_METHOD_HASH,
623 .param.hash = {
624 .data = &raw_data,
625 .hash = &ddr_imem_udimm_1d_fw_hash
626 }
627 }
628 }
629};
630static const auth_img_desc_t ddr_imem_udimm_2d_img = {
631 .img_id = DDR_IMEM_UDIMM_2D_IMAGE_ID,
632 .img_type = IMG_RAW,
633 .parent = &ddr_udimm_fw_content_cert,
634 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
635 [0] = {
636 .type = AUTH_METHOD_HASH,
637 .param.hash = {
638 .data = &raw_data,
639 .hash = &ddr_imem_udimm_2d_fw_hash
640 }
641 }
642 }
643};
644static const auth_img_desc_t ddr_dmem_udimm_1d_img = {
645 .img_id = DDR_DMEM_UDIMM_1D_IMAGE_ID,
646 .img_type = IMG_RAW,
647 .parent = &ddr_udimm_fw_content_cert,
648 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
649 [0] = {
650 .type = AUTH_METHOD_HASH,
651 .param.hash = {
652 .data = &raw_data,
653 .hash = &ddr_dmem_udimm_1d_fw_hash
654 }
655 }
656 }
657};
658static const auth_img_desc_t ddr_dmem_udimm_2d_img = {
659 .img_id = DDR_DMEM_UDIMM_2D_IMAGE_ID,
660 .img_type = IMG_RAW,
661 .parent = &ddr_udimm_fw_content_cert,
662 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
663 [0] = {
664 .type = AUTH_METHOD_HASH,
665 .param.hash = {
666 .data = &raw_data,
667 .hash = &ddr_dmem_udimm_2d_fw_hash
668 }
669 }
670 }
671};
672
673static const auth_img_desc_t ddr_rdimm_fw_content_cert = {
674 .img_id = DDR_RDIMM_FW_CONTENT_CERT_ID,
675 .img_type = IMG_CERT,
676 .parent = &ddr_fw_key_cert,
677 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
678 [0] = {
679 .type = AUTH_METHOD_SIG,
680 .param.sig = {
681 .pk = &ddr_fw_content_pk,
682 .sig = &sig,
683 .alg = &sig_alg,
684 .data = &raw_data
685 }
686 },
687 [1] = {
688 .type = AUTH_METHOD_NV_CTR,
689 .param.nv_ctr = {
690 .cert_nv_ctr = &trusted_nv_ctr,
691 .plat_nv_ctr = &trusted_nv_ctr
692 }
693 }
694 },
695 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
696 [0] = {
697 .type_desc = &ddr_imem_rdimm_1d_fw_hash,
698 .data = {
699 .ptr = (void *)ddr_imem_rdimm_1d_hash_buf,
700 .len = (unsigned int)HASH_DER_LEN
701 }
702 },
703 [1] = {
704 .type_desc = &ddr_imem_rdimm_2d_fw_hash,
705 .data = {
706 .ptr = (void *)ddr_imem_rdimm_2d_hash_buf,
707 .len = (unsigned int)HASH_DER_LEN
708 }
709 },
710 [2] = {
711 .type_desc = &ddr_dmem_rdimm_1d_fw_hash,
712 .data = {
713 .ptr = (void *)ddr_dmem_rdimm_1d_hash_buf,
714 .len = (unsigned int)HASH_DER_LEN
715 }
716 },
717 [3] = {
718 .type_desc = &ddr_dmem_rdimm_2d_fw_hash,
719 .data = {
720 .ptr = (void *)ddr_dmem_rdimm_2d_hash_buf,
721 .len = (unsigned int)HASH_DER_LEN
722 }
723 },
724 }
725};
726
727static const auth_img_desc_t ddr_imem_rdimm_1d_img = {
728 .img_id = DDR_IMEM_RDIMM_1D_IMAGE_ID,
729 .img_type = IMG_RAW,
730 .parent = &ddr_rdimm_fw_content_cert,
731 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
732 [0] = {
733 .type = AUTH_METHOD_HASH,
734 .param.hash = {
735 .data = &raw_data,
736 .hash = &ddr_imem_rdimm_1d_fw_hash
737 }
738 }
739 }
740};
741static const auth_img_desc_t ddr_imem_rdimm_2d_img = {
742 .img_id = DDR_IMEM_RDIMM_2D_IMAGE_ID,
743 .img_type = IMG_RAW,
744 .parent = &ddr_rdimm_fw_content_cert,
745 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
746 [0] = {
747 .type = AUTH_METHOD_HASH,
748 .param.hash = {
749 .data = &raw_data,
750 .hash = &ddr_imem_rdimm_2d_fw_hash
751 }
752 }
753 }
754};
755static const auth_img_desc_t ddr_dmem_rdimm_1d_img = {
756 .img_id = DDR_DMEM_RDIMM_1D_IMAGE_ID,
757 .img_type = IMG_RAW,
758 .parent = &ddr_rdimm_fw_content_cert,
759 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
760 [0] = {
761 .type = AUTH_METHOD_HASH,
762 .param.hash = {
763 .data = &raw_data,
764 .hash = &ddr_dmem_rdimm_1d_fw_hash
765 }
766 }
767 }
768};
769static const auth_img_desc_t ddr_dmem_rdimm_2d_img = {
770 .img_id = DDR_DMEM_RDIMM_2D_IMAGE_ID,
771 .img_type = IMG_RAW,
772 .parent = &ddr_rdimm_fw_content_cert,
773 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
774 [0] = {
775 .type = AUTH_METHOD_HASH,
776 .param.hash = {
777 .data = &raw_data,
778 .hash = &ddr_dmem_rdimm_2d_fw_hash
779 }
780 }
781 }
782};
783#endif
784
785/*
786 * TBBR Chain of trust definition
787 */
788
789static const auth_img_desc_t * const cot_desc[] = {
790 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
791 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
792 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
793 [BL31_IMAGE_ID] = &bl31_image,
794 [SOC_FW_CONFIG_ID] = &soc_fw_config,
795 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
796 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
797 [BL32_IMAGE_ID] = &bl32_image,
798 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
799 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
800 [TOS_FW_CONFIG_ID] = &tos_fw_config,
801 [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert,
802 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
803 [BL33_IMAGE_ID] = &bl33_image,
804 [NT_FW_CONFIG_ID] = &nt_fw_config,
805#ifdef CONFIG_DDR_FIP_IMAGE
806 [DDR_FW_KEY_CERT_ID] = &ddr_fw_key_cert,
807 [DDR_UDIMM_FW_CONTENT_CERT_ID] = &ddr_udimm_fw_content_cert,
808 [DDR_RDIMM_FW_CONTENT_CERT_ID] = &ddr_rdimm_fw_content_cert,
809 [DDR_IMEM_UDIMM_1D_IMAGE_ID] = &ddr_imem_udimm_1d_img,
810 [DDR_IMEM_UDIMM_2D_IMAGE_ID] = &ddr_imem_udimm_2d_img,
811 [DDR_DMEM_UDIMM_1D_IMAGE_ID] = &ddr_dmem_udimm_1d_img,
812 [DDR_DMEM_UDIMM_2D_IMAGE_ID] = &ddr_dmem_udimm_2d_img,
813 [DDR_IMEM_RDIMM_1D_IMAGE_ID] = &ddr_imem_rdimm_1d_img,
814 [DDR_IMEM_RDIMM_2D_IMAGE_ID] = &ddr_imem_rdimm_2d_img,
815 [DDR_DMEM_RDIMM_1D_IMAGE_ID] = &ddr_dmem_rdimm_1d_img,
816 [DDR_DMEM_RDIMM_2D_IMAGE_ID] = &ddr_dmem_rdimm_2d_img,
817#endif
818};
819
820/* Register the CoT in the authentication module */
821REGISTER_COT(cot_desc);