Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / e5dcf98ebd1f6c41ebccefc202adbab970009f92 / . / drivers / nxp / auth / tbbr / tbbr_cot.c
blob: bb21fa04cbcf5874aa24b98628cdb191ff24c1fb [file] [log] [blame]
Pankaj Gupta9247b402020-12-09 14:02:39 +0530[diff] [blame]1/*
2 * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
3 *
4 * Copyright 2020 NXP
5 *
6 * SPDX-License-Identifier: BSD-3-Clause
7 */
8
9#include <stddef.h>
10
11#include <drivers/auth/auth_mod.h>
12
13#if USE_TBBR_DEFS
14#include <tools_share/tbbr_oid.h>
15#else
16#include <platform_oid.h>
17#endif
18
19
20#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256
21#define HASH_DER_LEN 51
22#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384
23#define HASH_DER_LEN 67
24#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512
25#define HASH_DER_LEN 83
26#else
27#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID"
28#endif
29
30/*
31 * The platform must allocate buffers to store the authentication parameters
32 * extracted from the certificates. In this case, because of the way the CoT is
33 * established, we can reuse some of the buffers on different stages
34 */
35
36static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
37
38static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
39static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
40static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
41static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
42static unsigned char trusted_world_pk_buf[PK_DER_LEN];
43static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
44static unsigned char content_pk_buf[PK_DER_LEN];
45static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
46static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
47static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
48
49#ifdef CONFIG_DDR_FIP_IMAGE
50static unsigned char ddr_fw_content_pk_buf[PK_DER_LEN];
51static unsigned char ddr_imem_udimm_1d_hash_buf[HASH_DER_LEN];
52static unsigned char ddr_imem_udimm_2d_hash_buf[HASH_DER_LEN];
53static unsigned char ddr_dmem_udimm_1d_hash_buf[HASH_DER_LEN];
54static unsigned char ddr_dmem_udimm_2d_hash_buf[HASH_DER_LEN];
55
56static unsigned char ddr_imem_rdimm_1d_hash_buf[HASH_DER_LEN];
57static unsigned char ddr_imem_rdimm_2d_hash_buf[HASH_DER_LEN];
58static unsigned char ddr_dmem_rdimm_1d_hash_buf[HASH_DER_LEN];
59static unsigned char ddr_dmem_rdimm_2d_hash_buf[HASH_DER_LEN];
60#endif
61
62/*
63 * Parameter type descriptors
64 */
65static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
66 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
67
68static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
69 AUTH_PARAM_PUB_KEY, 0);
70static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
71 AUTH_PARAM_SIG, 0);
72static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
73 AUTH_PARAM_SIG_ALG, 0);
74static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
75 AUTH_PARAM_RAW_DATA, 0);
76
77
78static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
79 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
80static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
81 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
82static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
83 AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
84static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
85 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
86static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
87 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
88static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
89 AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
90static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
91 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
92static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
93 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
94static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
95 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
96static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
97 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
98static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
99 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
100static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
101 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
102static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
103 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
104static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
105 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
106
107#ifdef CONFIG_DDR_FIP_IMAGE
108static auth_param_type_desc_t ddr_fw_content_pk = AUTH_PARAM_TYPE_DESC(
109 AUTH_PARAM_PUB_KEY, DDR_FW_CONTENT_CERT_PK_OID);
110
111static auth_param_type_desc_t ddr_imem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
112 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_1D_HASH_OID);
113static auth_param_type_desc_t ddr_imem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
114 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_2D_HASH_OID);
115static auth_param_type_desc_t ddr_dmem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
116 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_1D_HASH_OID);
117static auth_param_type_desc_t ddr_dmem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
118 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_2D_HASH_OID);
119
120static auth_param_type_desc_t ddr_imem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
121 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_1D_HASH_OID);
122static auth_param_type_desc_t ddr_imem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
123 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_2D_HASH_OID);
124static auth_param_type_desc_t ddr_dmem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC(
125 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_1D_HASH_OID);
126static auth_param_type_desc_t ddr_dmem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC(
127 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_2D_HASH_OID);
128#endif
129
130
131/*
132 * Trusted key certificate
133 */
134static const auth_img_desc_t trusted_key_cert = {
135 .img_id = TRUSTED_KEY_CERT_ID,
136 .img_type = IMG_CERT,
137 .parent = NULL,
138 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
139 [0] = {
140 .type = AUTH_METHOD_SIG,
141 .param.sig = {
142 .pk = &subject_pk,
143 .sig = &sig,
144 .alg = &sig_alg,
145 .data = &raw_data
146 }
147 },
148 [1] = {
149 .type = AUTH_METHOD_NV_CTR,
150 .param.nv_ctr = {
151 .cert_nv_ctr = &trusted_nv_ctr,
152 .plat_nv_ctr = &trusted_nv_ctr
153 }
154 }
155 },
156 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
157 [0] = {
158 .type_desc = &trusted_world_pk,
159 .data = {
160 .ptr = (void *)trusted_world_pk_buf,
161 .len = (unsigned int)PK_DER_LEN
162 }
163 },
164 [1] = {
165 .type_desc = &non_trusted_world_pk,
166 .data = {
167 .ptr = (void *)non_trusted_world_pk_buf,
168 .len = (unsigned int)PK_DER_LEN
169 }
170 }
171 }
172};
173
174/*
175 * SoC Firmware
176 */
177static const auth_img_desc_t soc_fw_key_cert = {
178 .img_id = SOC_FW_KEY_CERT_ID,
179 .img_type = IMG_CERT,
180 .parent = &trusted_key_cert,
181 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
182 [0] = {
183 .type = AUTH_METHOD_SIG,
184 .param.sig = {
185 .pk = &trusted_world_pk,
186 .sig = &sig,
187 .alg = &sig_alg,
188 .data = &raw_data
189 }
190 },
191 [1] = {
192 .type = AUTH_METHOD_NV_CTR,
193 .param.nv_ctr = {
194 .cert_nv_ctr = &trusted_nv_ctr,
195 .plat_nv_ctr = &trusted_nv_ctr
196 }
197 }
198 },
199 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
200 [0] = {
201 .type_desc = &soc_fw_content_pk,
202 .data = {
203 .ptr = (void *)content_pk_buf,
204 .len = (unsigned int)PK_DER_LEN
205 }
206 }
207 }
208};
209static const auth_img_desc_t soc_fw_content_cert = {
210 .img_id = SOC_FW_CONTENT_CERT_ID,
211 .img_type = IMG_CERT,
212 .parent = &soc_fw_key_cert,
213 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
214 [0] = {
215 .type = AUTH_METHOD_SIG,
216 .param.sig = {
217 .pk = &soc_fw_content_pk,
218 .sig = &sig,
219 .alg = &sig_alg,
220 .data = &raw_data
221 }
222 },
223 [1] = {
224 .type = AUTH_METHOD_NV_CTR,
225 .param.nv_ctr = {
226 .cert_nv_ctr = &trusted_nv_ctr,
227 .plat_nv_ctr = &trusted_nv_ctr
228 }
229 }
230 },
231 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
232 [0] = {
233 .type_desc = &soc_fw_hash,
234 .data = {
235 .ptr = (void *)soc_fw_hash_buf,
236 .len = (unsigned int)HASH_DER_LEN
237 }
238 },
239 [1] = {
240 .type_desc = &soc_fw_config_hash,
241 .data = {
242 .ptr = (void *)soc_fw_config_hash_buf,
243 .len = (unsigned int)HASH_DER_LEN
244 }
245 }
246 }
247};
248static const auth_img_desc_t bl31_image = {
249 .img_id = BL31_IMAGE_ID,
250 .img_type = IMG_RAW,
251 .parent = &soc_fw_content_cert,
252 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
253 [0] = {
254 .type = AUTH_METHOD_HASH,
255 .param.hash = {
256 .data = &raw_data,
257 .hash = &soc_fw_hash
258 }
259 }
260 }
261};
262/* SOC FW Config */
263static const auth_img_desc_t soc_fw_config = {
264 .img_id = SOC_FW_CONFIG_ID,
265 .img_type = IMG_RAW,
266 .parent = &soc_fw_content_cert,
267 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
268 [0] = {
269 .type = AUTH_METHOD_HASH,
270 .param.hash = {
271 .data = &raw_data,
272 .hash = &soc_fw_config_hash
273 }
274 }
275 }
276};
277/*
278 * Trusted OS Firmware
279 */
280static const auth_img_desc_t trusted_os_fw_key_cert = {
281 .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
282 .img_type = IMG_CERT,
283 .parent = &trusted_key_cert,
284 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
285 [0] = {
286 .type = AUTH_METHOD_SIG,
287 .param.sig = {
288 .pk = &trusted_world_pk,
289 .sig = &sig,
290 .alg = &sig_alg,
291 .data = &raw_data
292 }
293 },
294 [1] = {
295 .type = AUTH_METHOD_NV_CTR,
296 .param.nv_ctr = {
297 .cert_nv_ctr = &trusted_nv_ctr,
298 .plat_nv_ctr = &trusted_nv_ctr
299 }
300 }
301 },
302 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
303 [0] = {
304 .type_desc = &tos_fw_content_pk,
305 .data = {
306 .ptr = (void *)content_pk_buf,
307 .len = (unsigned int)PK_DER_LEN
308 }
309 }
310 }
311};
312static const auth_img_desc_t trusted_os_fw_content_cert = {
313 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
314 .img_type = IMG_CERT,
315 .parent = &trusted_os_fw_key_cert,
316 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
317 [0] = {
318 .type = AUTH_METHOD_SIG,
319 .param.sig = {
320 .pk = &tos_fw_content_pk,
321 .sig = &sig,
322 .alg = &sig_alg,
323 .data = &raw_data
324 }
325 },
326 [1] = {
327 .type = AUTH_METHOD_NV_CTR,
328 .param.nv_ctr = {
329 .cert_nv_ctr = &trusted_nv_ctr,
330 .plat_nv_ctr = &trusted_nv_ctr
331 }
332 }
333 },
334 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
335 [0] = {
336 .type_desc = &tos_fw_hash,
337 .data = {
338 .ptr = (void *)tos_fw_hash_buf,
339 .len = (unsigned int)HASH_DER_LEN
340 }
341 },
342 [1] = {
343 .type_desc = &tos_fw_extra1_hash,
344 .data = {
345 .ptr = (void *)tos_fw_extra1_hash_buf,
346 .len = (unsigned int)HASH_DER_LEN
347 }
348 },
349 [2] = {
350 .type_desc = &tos_fw_extra2_hash,
351 .data = {
352 .ptr = (void *)tos_fw_extra2_hash_buf,
353 .len = (unsigned int)HASH_DER_LEN
354 }
355 },
356 [3] = {
357 .type_desc = &tos_fw_config_hash,
358 .data = {
359 .ptr = (void *)tos_fw_config_hash_buf,
360 .len = (unsigned int)HASH_DER_LEN
361 }
362 }
363 }
364};
365static const auth_img_desc_t bl32_image = {
366 .img_id = BL32_IMAGE_ID,
367 .img_type = IMG_RAW,
368 .parent = &trusted_os_fw_content_cert,
369 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
370 [0] = {
371 .type = AUTH_METHOD_HASH,
372 .param.hash = {
373 .data = &raw_data,
374 .hash = &tos_fw_hash
375 }
376 }
377 }
378};
379static const auth_img_desc_t bl32_extra1_image = {
380 .img_id = BL32_EXTRA1_IMAGE_ID,
381 .img_type = IMG_RAW,
382 .parent = &trusted_os_fw_content_cert,
383 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
384 [0] = {
385 .type = AUTH_METHOD_HASH,
386 .param.hash = {
387 .data = &raw_data,
388 .hash = &tos_fw_extra1_hash
389 }
390 }
391 }
392};
393static const auth_img_desc_t bl32_extra2_image = {
394 .img_id = BL32_EXTRA2_IMAGE_ID,
395 .img_type = IMG_RAW,
396 .parent = &trusted_os_fw_content_cert,
397 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
398 [0] = {
399 .type = AUTH_METHOD_HASH,
400 .param.hash = {
401 .data = &raw_data,
402 .hash = &tos_fw_extra2_hash
403 }
404 }
405 }
406};
407/* TOS FW Config */
408static const auth_img_desc_t tos_fw_config = {
409 .img_id = TOS_FW_CONFIG_ID,
410 .img_type = IMG_RAW,
411 .parent = &trusted_os_fw_content_cert,
412 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
413 [0] = {
414 .type = AUTH_METHOD_HASH,
415 .param.hash = {
416 .data = &raw_data,
417 .hash = &tos_fw_config_hash
418 }
419 }
420 }
421};
422/*
423 * Non-Trusted Firmware
424 */
425static const auth_img_desc_t non_trusted_fw_key_cert = {
426 .img_id = NON_TRUSTED_FW_KEY_CERT_ID,
427 .img_type = IMG_CERT,
428 .parent = &trusted_key_cert,
429 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
430 [0] = {
431 .type = AUTH_METHOD_SIG,
432 .param.sig = {
433 .pk = &non_trusted_world_pk,
434 .sig = &sig,
435 .alg = &sig_alg,
436 .data = &raw_data
437 }
438 },
439 [1] = {
440 .type = AUTH_METHOD_NV_CTR,
441 .param.nv_ctr = {
442 .cert_nv_ctr = &non_trusted_nv_ctr,
443 .plat_nv_ctr = &non_trusted_nv_ctr
444 }
445 }
446 },
447 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
448 [0] = {
449 .type_desc = &nt_fw_content_pk,
450 .data = {
451 .ptr = (void *)content_pk_buf,
452 .len = (unsigned int)PK_DER_LEN
453 }
454 }
455 }
456};
457static const auth_img_desc_t non_trusted_fw_content_cert = {
458 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
459 .img_type = IMG_CERT,
460 .parent = &non_trusted_fw_key_cert,
461 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
462 [0] = {
463 .type = AUTH_METHOD_SIG,
464 .param.sig = {
465 .pk = &nt_fw_content_pk,
466 .sig = &sig,
467 .alg = &sig_alg,
468 .data = &raw_data
469 }
470 },
471 [1] = {
472 .type = AUTH_METHOD_NV_CTR,
473 .param.nv_ctr = {
474 .cert_nv_ctr = &non_trusted_nv_ctr,
475 .plat_nv_ctr = &non_trusted_nv_ctr
476 }
477 }
478 },
479 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
480 [0] = {
481 .type_desc = &nt_world_bl_hash,
482 .data = {
483 .ptr = (void *)nt_world_bl_hash_buf,
484 .len = (unsigned int)HASH_DER_LEN
485 }
486 },
487 [1] = {
488 .type_desc = &nt_fw_config_hash,
489 .data = {
490 .ptr = (void *)nt_fw_config_hash_buf,
491 .len = (unsigned int)HASH_DER_LEN
492 }
493 }
494 }
495};
496static const auth_img_desc_t bl33_image = {
497 .img_id = BL33_IMAGE_ID,
498 .img_type = IMG_RAW,
499 .parent = &non_trusted_fw_content_cert,
500 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
501 [0] = {
502 .type = AUTH_METHOD_HASH,
503 .param.hash = {
504 .data = &raw_data,
505 .hash = &nt_world_bl_hash
506 }
507 }
508 }
509};
510/* NT FW Config */
511static const auth_img_desc_t nt_fw_config = {
512 .img_id = NT_FW_CONFIG_ID,
513 .img_type = IMG_RAW,
514 .parent = &non_trusted_fw_content_cert,
515 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
516 [0] = {
517 .type = AUTH_METHOD_HASH,
518 .param.hash = {
519 .data = &raw_data,
520 .hash = &nt_fw_config_hash
521 }
522 }
523 }
524};
525#ifdef CONFIG_DDR_FIP_IMAGE
526/*
527 * DDR Firmware
528 */
529static const auth_img_desc_t ddr_fw_key_cert = {
530 .img_id = DDR_FW_KEY_CERT_ID,
531 .img_type = IMG_CERT,
532 .parent = &trusted_key_cert,
533 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
534 [0] = {
535 .type = AUTH_METHOD_SIG,
536 .param.sig = {
537 .pk = &trusted_world_pk,
538 .sig = &sig,
539 .alg = &sig_alg,
540 .data = &raw_data
541 }
542 },
543 [1] = {
544 .type = AUTH_METHOD_NV_CTR,
545 .param.nv_ctr = {
546 .cert_nv_ctr = &trusted_nv_ctr,
547 .plat_nv_ctr = &trusted_nv_ctr
548 }
549 }
550 },
551 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
552 [0] = {
553 .type_desc = &ddr_fw_content_pk,
554 .data = {
555 .ptr = (void *)ddr_fw_content_pk_buf,
556 .len = (unsigned int)PK_DER_LEN
557 }
558 }
559 }
560};
561static const auth_img_desc_t ddr_udimm_fw_content_cert = {
562 .img_id = DDR_UDIMM_FW_CONTENT_CERT_ID,
563 .img_type = IMG_CERT,
564 .parent = &ddr_fw_key_cert,
565 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
566 [0] = {
567 .type = AUTH_METHOD_SIG,
568 .param.sig = {
569 .pk = &ddr_fw_content_pk,
570 .sig = &sig,
571 .alg = &sig_alg,
572 .data = &raw_data
573 }
574 },
575 [1] = {
576 .type = AUTH_METHOD_NV_CTR,
577 .param.nv_ctr = {
578 .cert_nv_ctr = &trusted_nv_ctr,
579 .plat_nv_ctr = &trusted_nv_ctr
580 }
581 }
582 },
583 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
584 [0] = {
585 .type_desc = &ddr_imem_udimm_1d_fw_hash,
586 .data = {
587 .ptr = (void *)ddr_imem_udimm_1d_hash_buf,
588 .len = (unsigned int)HASH_DER_LEN
589 }
590 },
591 [1] = {
592 .type_desc = &ddr_imem_udimm_2d_fw_hash,
593 .data = {
594 .ptr = (void *)ddr_imem_udimm_2d_hash_buf,
595 .len = (unsigned int)HASH_DER_LEN
596 }
597 },
598 [2] = {
599 .type_desc = &ddr_dmem_udimm_1d_fw_hash,
600 .data = {
601 .ptr = (void *)ddr_dmem_udimm_1d_hash_buf,
602 .len = (unsigned int)HASH_DER_LEN
603 }
604 },
605 [3] = {
606 .type_desc = &ddr_dmem_udimm_2d_fw_hash,
607 .data = {
608 .ptr = (void *)ddr_dmem_udimm_2d_hash_buf,
609 .len = (unsigned int)HASH_DER_LEN
610 }
611 },
612 }
613};
614
615static const auth_img_desc_t ddr_imem_udimm_1d_img = {
616 .img_id = DDR_IMEM_UDIMM_1D_IMAGE_ID,
617 .img_type = IMG_RAW,
618 .parent = &ddr_udimm_fw_content_cert,
619 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
620 [0] = {
621 .type = AUTH_METHOD_HASH,
622 .param.hash = {
623 .data = &raw_data,
624 .hash = &ddr_imem_udimm_1d_fw_hash
625 }
626 }
627 }
628};
629static const auth_img_desc_t ddr_imem_udimm_2d_img = {
630 .img_id = DDR_IMEM_UDIMM_2D_IMAGE_ID,
631 .img_type = IMG_RAW,
632 .parent = &ddr_udimm_fw_content_cert,
633 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
634 [0] = {
635 .type = AUTH_METHOD_HASH,
636 .param.hash = {
637 .data = &raw_data,
638 .hash = &ddr_imem_udimm_2d_fw_hash
639 }
640 }
641 }
642};
643static const auth_img_desc_t ddr_dmem_udimm_1d_img = {
644 .img_id = DDR_DMEM_UDIMM_1D_IMAGE_ID,
645 .img_type = IMG_RAW,
646 .parent = &ddr_udimm_fw_content_cert,
647 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
648 [0] = {
649 .type = AUTH_METHOD_HASH,
650 .param.hash = {
651 .data = &raw_data,
652 .hash = &ddr_dmem_udimm_1d_fw_hash
653 }
654 }
655 }
656};
657static const auth_img_desc_t ddr_dmem_udimm_2d_img = {
658 .img_id = DDR_DMEM_UDIMM_2D_IMAGE_ID,
659 .img_type = IMG_RAW,
660 .parent = &ddr_udimm_fw_content_cert,
661 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
662 [0] = {
663 .type = AUTH_METHOD_HASH,
664 .param.hash = {
665 .data = &raw_data,
666 .hash = &ddr_dmem_udimm_2d_fw_hash
667 }
668 }
669 }
670};
671
672static const auth_img_desc_t ddr_rdimm_fw_content_cert = {
673 .img_id = DDR_RDIMM_FW_CONTENT_CERT_ID,
674 .img_type = IMG_CERT,
675 .parent = &ddr_fw_key_cert,
676 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
677 [0] = {
678 .type = AUTH_METHOD_SIG,
679 .param.sig = {
680 .pk = &ddr_fw_content_pk,
681 .sig = &sig,
682 .alg = &sig_alg,
683 .data = &raw_data
684 }
685 },
686 [1] = {
687 .type = AUTH_METHOD_NV_CTR,
688 .param.nv_ctr = {
689 .cert_nv_ctr = &trusted_nv_ctr,
690 .plat_nv_ctr = &trusted_nv_ctr
691 }
692 }
693 },
694 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
695 [0] = {
696 .type_desc = &ddr_imem_rdimm_1d_fw_hash,
697 .data = {
698 .ptr = (void *)ddr_imem_rdimm_1d_hash_buf,
699 .len = (unsigned int)HASH_DER_LEN
700 }
701 },
702 [1] = {
703 .type_desc = &ddr_imem_rdimm_2d_fw_hash,
704 .data = {
705 .ptr = (void *)ddr_imem_rdimm_2d_hash_buf,
706 .len = (unsigned int)HASH_DER_LEN
707 }
708 },
709 [2] = {
710 .type_desc = &ddr_dmem_rdimm_1d_fw_hash,
711 .data = {
712 .ptr = (void *)ddr_dmem_rdimm_1d_hash_buf,
713 .len = (unsigned int)HASH_DER_LEN
714 }
715 },
716 [3] = {
717 .type_desc = &ddr_dmem_rdimm_2d_fw_hash,
718 .data = {
719 .ptr = (void *)ddr_dmem_rdimm_2d_hash_buf,
720 .len = (unsigned int)HASH_DER_LEN
721 }
722 },
723 }
724};
725
726static const auth_img_desc_t ddr_imem_rdimm_1d_img = {
727 .img_id = DDR_IMEM_RDIMM_1D_IMAGE_ID,
728 .img_type = IMG_RAW,
729 .parent = &ddr_rdimm_fw_content_cert,
730 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
731 [0] = {
732 .type = AUTH_METHOD_HASH,
733 .param.hash = {
734 .data = &raw_data,
735 .hash = &ddr_imem_rdimm_1d_fw_hash
736 }
737 }
738 }
739};
740static const auth_img_desc_t ddr_imem_rdimm_2d_img = {
741 .img_id = DDR_IMEM_RDIMM_2D_IMAGE_ID,
742 .img_type = IMG_RAW,
743 .parent = &ddr_rdimm_fw_content_cert,
744 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
745 [0] = {
746 .type = AUTH_METHOD_HASH,
747 .param.hash = {
748 .data = &raw_data,
749 .hash = &ddr_imem_rdimm_2d_fw_hash
750 }
751 }
752 }
753};
754static const auth_img_desc_t ddr_dmem_rdimm_1d_img = {
755 .img_id = DDR_DMEM_RDIMM_1D_IMAGE_ID,
756 .img_type = IMG_RAW,
757 .parent = &ddr_rdimm_fw_content_cert,
758 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
759 [0] = {
760 .type = AUTH_METHOD_HASH,
761 .param.hash = {
762 .data = &raw_data,
763 .hash = &ddr_dmem_rdimm_1d_fw_hash
764 }
765 }
766 }
767};
768static const auth_img_desc_t ddr_dmem_rdimm_2d_img = {
769 .img_id = DDR_DMEM_RDIMM_2D_IMAGE_ID,
770 .img_type = IMG_RAW,
771 .parent = &ddr_rdimm_fw_content_cert,
772 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
773 [0] = {
774 .type = AUTH_METHOD_HASH,
775 .param.hash = {
776 .data = &raw_data,
777 .hash = &ddr_dmem_rdimm_2d_fw_hash
778 }
779 }
780 }
781};
782#endif
783
784/*
785 * TBBR Chain of trust definition
786 */
787
788static const auth_img_desc_t * const cot_desc[] = {
789 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
790 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
791 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
792 [BL31_IMAGE_ID] = &bl31_image,
793 [SOC_FW_CONFIG_ID] = &soc_fw_config,
794 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
795 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
796 [BL32_IMAGE_ID] = &bl32_image,
797 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
798 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
799 [TOS_FW_CONFIG_ID] = &tos_fw_config,
800 [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert,
801 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
802 [BL33_IMAGE_ID] = &bl33_image,
803 [NT_FW_CONFIG_ID] = &nt_fw_config,
804#ifdef CONFIG_DDR_FIP_IMAGE
805 [DDR_FW_KEY_CERT_ID] = &ddr_fw_key_cert,
806 [DDR_UDIMM_FW_CONTENT_CERT_ID] = &ddr_udimm_fw_content_cert,
807 [DDR_RDIMM_FW_CONTENT_CERT_ID] = &ddr_rdimm_fw_content_cert,
808 [DDR_IMEM_UDIMM_1D_IMAGE_ID] = &ddr_imem_udimm_1d_img,
809 [DDR_IMEM_UDIMM_2D_IMAGE_ID] = &ddr_imem_udimm_2d_img,
810 [DDR_DMEM_UDIMM_1D_IMAGE_ID] = &ddr_dmem_udimm_1d_img,
811 [DDR_DMEM_UDIMM_2D_IMAGE_ID] = &ddr_dmem_udimm_2d_img,
812 [DDR_IMEM_RDIMM_1D_IMAGE_ID] = &ddr_imem_rdimm_1d_img,
813 [DDR_IMEM_RDIMM_2D_IMAGE_ID] = &ddr_imem_rdimm_2d_img,
814 [DDR_DMEM_RDIMM_1D_IMAGE_ID] = &ddr_dmem_rdimm_1d_img,
815 [DDR_DMEM_RDIMM_2D_IMAGE_ID] = &ddr_dmem_rdimm_2d_img,
816#endif
817};
818
819/* Register the CoT in the authentication module */
820REGISTER_COT(cot_desc);