Fork: 0
LuminaSensum / arm-trusted-firmware
Transfer to URL with SHA Find file
Newer
Older
arm-trusted-firmware / plat / st / common / stm32mp_auth.c
@Lionel Debieve Lionel Debieve on 23 Sep 2019 2 KB stm32mp1: add authentication support for stm32image
Raw Blame History 
/*
 * Copyright (c) 2019, STMicroelectronics - All Rights Reserved
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <errno.h>

#include <platform_def.h>

#include <common/debug.h>
#include <drivers/io/io_storage.h>
#include <drivers/st/bsec.h>
#include <drivers/st/stm32_hash.h>
#include <lib/xlat_tables/xlat_tables_v2.h>
#include <plat/common/platform.h>

static const struct stm32mp_auth_ops *auth_ops;

void stm32mp_init_auth(struct stm32mp_auth_ops *init_ptr)
{
	if ((init_ptr == NULL) ||
	    (init_ptr->check_key == NULL) ||
	    (init_ptr->verify_signature == NULL) ||
	    (stm32_hash_register() != 0)) {
		panic();
	}

	auth_ops = init_ptr;
}

int stm32mp_auth_image(boot_api_image_header_t *header, uintptr_t buffer)
{
	int ret;
	uint8_t image_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES];
	uint32_t header_skip_cksum = sizeof(header->magic) +
				     sizeof(header->image_signature) +
				     sizeof(header->payload_checksum);

	/* Check Security Status */
	if (!stm32mp_is_closed_device()) {
		if (header->option_flags != 0U) {
			WARN("Skip signature check (header option)\n");
			return 0;
		}
		INFO("Check signature on Open device\n");
	}

	ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE,
				      STM32MP_ROM_SIZE, MT_CODE | MT_SECURE);
	if (ret != 0) {
		return ret;
	}

	/* Check Public Key */
	if (auth_ops->check_key(header->ecc_pubk, NULL) != BOOT_API_RETURN_OK) {
		ret = -EINVAL;
		goto err;
	}

	/* Compute end of header hash and payload hash */
	stm32_hash_init(HASH_SHA256);

	ret = stm32_hash_update((uint8_t *)&header->header_version,
				sizeof(boot_api_image_header_t) -
				header_skip_cksum);
	if (ret != 0) {
		ERROR("Hash of header failed, %i\n", ret);
		goto err;
	}

	ret = stm32_hash_final_update((uint8_t *)buffer,
			       header->image_length, image_hash);
	if (ret != 0) {
		ERROR("Hash of payload failed\n");
		goto err;
	}

	/* Verify signature */
	if (auth_ops->verify_signature(image_hash, header->ecc_pubk,
				       header->image_signature,
				       header->ecc_algo_type) !=
	    BOOT_API_RETURN_OK) {
		ret = -EINVAL;
	}

err:
	mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE);
	return ret;
}