dualroot: add chain of trust for secure partitions

Fork: 0

LuminaSensum / arm-trusted-firmware

Browse code dualroot: add chain of trust for secure partitions A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP) owned Secure Partitions(SP). A similar support for Platform owned SP can be added in future. The certificate is also protected against anti- rollback using the trusted Non-Volatile counter. To avoid deviating from TBBR spec, support for SP CoT is only provided in dualroot. Secure Partition content certificate is assigned image ID 31 and SP images follows after it. The CoT for secure partition look like below. +------------------+ +-------------------+ \| ROTPK/ROTPK Hash \|------>\| Trusted Key \| +------------------+ \| Certificate \| \| (Auth Image) \| /+-------------------+ / \| / \| / \| / \| L v +------------------+ +-------------------+ \| Trusted World \|------>\| SiP owned SPs \| \| Public Key \| \| Content Cert \| +------------------+ \| (Auth Image) \| / +-------------------+ / \| / v\| +------------------+ L +-------------------+ \| SP_PKG1 Hash \|------>\| SP_PKG1 \| \| \| \| (Data Image) \| +------------------+ +-------------------+ . . . . . . +------------------+ +-------------------+ \| SP_PKG8 Hash \|------>\| SP_PKG8 \| \| \| \| (Data Image) \| +------------------+ +-------------------+ Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f master v2.4-LS
1 parent 07c4447 commit 44f1aa8efe627e578c38fbc0623b083223109342 Manish Pandey authored on 27 May 2020

Browse code

A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
be added in future. The certificate is also protected against anti-
rollback using the trusted Non-Volatile counter.

To avoid deviating from TBBR spec, support for SP CoT is only provided
in dualroot.
Secure Partition content certificate is assigned image ID 31 and SP
images follows after it.

The CoT for secure partition look like below.
+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Key       |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /                   |
                        /                    |
                       /                     |
                      /                      |
                     L                       v
+------------------+       +-------------------+
| Trusted World    |------>| SiP owned SPs     |
| Public Key       |       | Content Cert      |
+------------------+       | (Auth Image)      |
                        /   +-------------------+
                       /                      |
                      /                      v|
+------------------+ L     +-------------------+
| SP_PKG1 Hash     |------>| SP_PKG1           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
        .                           .
        .                           .
        .                           .
+------------------+       +-------------------+
| SP_PKG8 Hash     |------>| SP_PKG8           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f

master v2.4-LS

1 parent 07c4447 commit 44f1aa8efe627e578c38fbc0623b083223109342

Manish Pandey authored on 27 May 2020

Patch

Unified Split

Showing 8 changed files

Ignore Space Show notes View drivers/auth/dualroot/cot.c

Ignore Space Show notes View include/common/tbbr/cot_def.h

Ignore Space Show notes View include/common/tbbr/tbbr_img_def.h

Ignore Space Show notes View include/drivers/auth/auth_mod.h

Ignore Space Show notes View include/export/common/tbbr/tbbr_img_def_exp.h

Ignore Space Show notes View plat/arm/board/fvp/fdts/fvp_fw_config.dts

Ignore Space Show notes View plat/arm/common/fconf/arm_fconf_io.c

Ignore Space Show notes View plat/arm/common/fconf/arm_fconf_sp.c

Show line notes below