diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c
index 6ad0059..a950a7a 100644
--- a/drivers/auth/tbbr/tbbr_cot.c
+++ b/drivers/auth/tbbr/tbbr_cot.c
@@ -38,6 +38,9 @@
 static unsigned char trusted_world_pk_buf[PK_DER_LEN];
 static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
 static unsigned char content_pk_buf[PK_DER_LEN];
+static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
 
 /*
 * Parameter type descriptors
@@ -80,14 +83,20 @@
 AUTH_PARAM_HASH, SCP_FW_HASH_OID);
 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
+static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
+static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
+static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
 static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
@@ -379,6 +388,13 @@
 .ptr = (void *)soc_fw_hash_buf,
 .len = (unsigned int)HASH_DER_LEN
 }
+ },
+ [1] = {
+ .type_desc = &soc_fw_config_hash,
+ .data = {
+ .ptr = (void *)soc_fw_config_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
 }
 }
 },
@@ -396,6 +412,21 @@
 }
 }
 },
+ /* SOC FW Config */
+ [SOC_FW_CONFIG_ID] = {
+ .img_id = SOC_FW_CONFIG_ID,
+ .img_type = IMG_RAW,
+ .parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
+ .img_auth_methods = {
+ [0] = {
+ .type = AUTH_METHOD_HASH,
+ .param.hash = {
+ .data = &raw_data,
+ .hash = &soc_fw_config_hash,
+ }
+ }
+ }
+ },
 /*
 * Trusted OS Firmware
 */
@@ -474,6 +505,13 @@
 .ptr = (void *)tos_fw_extra2_hash_buf,
 .len = (unsigned int)HASH_DER_LEN
 }
+ },
+ [3] = {
+ .type_desc = &tos_fw_config_hash,
+ .data = {
+ .ptr = (void *)tos_fw_config_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
 }
 }
 },
@@ -519,6 +557,21 @@
 }
 }
 },
+ /* TOS FW Config */
+ [TOS_FW_CONFIG_ID] = {
+ .img_id = TOS_FW_CONFIG_ID,
+ .img_type = IMG_RAW,
+ .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
+ .img_auth_methods = {
+ [0] = {
+ .type = AUTH_METHOD_HASH,
+ .param.hash = {
+ .data = &raw_data,
+ .hash = &tos_fw_config_hash,
+ }
+ }
+ }
+ },
 /*
 * Non-Trusted Firmware
 */
@@ -583,6 +636,13 @@
 .ptr = (void *)nt_world_bl_hash_buf,
 .len = (unsigned int)HASH_DER_LEN
 }
+ },
+ [1] = {
+ .type_desc = &nt_fw_config_hash,
+ .data = {
+ .ptr = (void *)nt_fw_config_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
 }
 }
 },
@@ -600,6 +660,21 @@
 }
 }
 },
+ /* NT FW Config */
+ [NT_FW_CONFIG_ID] = {
+ .img_id = NT_FW_CONFIG_ID,
+ .img_type = IMG_RAW,
+ .parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
+ .img_auth_methods = {
+ [0] = {
+ .type = AUTH_METHOD_HASH,
+ .param.hash = {
+ .data = &raw_data,
+ .hash = &nt_fw_config_hash,
+ }
+ }
+ }
+ },
 /*
 * FWU auth descriptor.
 */
diff --git a/include/tools_share/firmware_image_package.h b/include/tools_share/firmware_image_package.h
index b7fac07..f258555 100644
--- a/include/tools_share/firmware_image_package.h
+++ b/include/tools_share/firmware_image_package.h
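Review bot: The `[3]` slot added to the Trusted OS content certificate's `authenticated_data` (hunk `@@ -474,6 +505,13 @@`) is the fourth verified parameter on that certificate, and `authenticated_data` is sized by a constant that is not part of this diff, so please confirm that bound is at least 4; if it is exactly 4 this certificate is now at the limit and the next TOS extension will need that constant raised, the same way `CERT_MAX_EXT` is raised in cert.h in this commit. A designated index past the array end is a compile error rather than a silent truncation, but a one-line marker on the new entry, `/* fourth verified param on this cert: check the authenticated_data bound before adding more */`, would make the coupling visible to the next person. The three new leaf descriptors authenticate purely by hash against their content certificate, which binds each config file to the same signing key and NV counter as its firmware; what happens on a platform that ships no config file (whether the parent certificate still carries an entry for it and how the parser treats that) is decided in code outside this hunk and deserves a sentence in the descriptor comments, e.g. `/* Optional: authenticated only if loaded; hash comes from the parent content cert */`.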
@@ -68,6 +68,12 @@
 {0xd9f1b808, 0xcfc9, 0x4993, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
 #define UUID_TB_FW_CONFIG \
 {0xff58046c, 0x6baf, 0x4f7d, 0x82, 0xed, {0xaa, 0x27, 0xbc, 0x69, 0xbf, 0xd2} }
+#define UUID_SOC_FW_CONFIG \
+ {0x4b817999, 0x7603, 0x46fb, 0x8c, 0x8e, {0x8d, 0x26, 0x7f, 0x78, 0x59, 0xe0} }
+#define UUID_TOS_FW_CONFIG \
+ {0x1a7c2526, 0xc6bd, 0x477f, 0x8d, 0x96, {0xc4, 0xc4, 0xb0, 0x24, 0x80, 0x21} }
+#define UUID_NT_FW_CONFIG \
+ {0x1598da28, 0xe893, 0x447e, 0xac, 0x66, {0x1a, 0xaf, 0x80, 0x15, 0x50, 0xf9} }
 
 typedef struct fip_toc_header {
 uint32_t name;
diff --git a/include/tools_share/tbbr_oid.h b/include/tools_share/tbbr_oid.h
index 18ddbdc..b0b95e4 100644
--- a/include/tools_share/tbbr_oid.h
+++ b/include/tools_share/tbbr_oid.h
@@ -75,7 +75,6 @@
 /* SoCFirmwareContentCertPK */
 #define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501"
 
-
 /*
 * SoC Firmware Content Certificate
 */
@@ -86,7 +85,8 @@
 #define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602"
 /* SoCAPFirmwareHash - BL31 */
 #define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603"
-
+/* SoCFirmwareConfigHash = SOC_FW_CONFIG */
+#define SOC_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.604"
 
 /*
 * SCP Firmware Key Certificate
@@ -124,6 +124,8 @@
 #define TRUSTED_OS_FW_EXTRA1_HASH_OID "1.3.6.1.4.1.4128.2100.1002"
 /* TrustedOSExtra2FirmwareHash - BL32 Extra2 */
 #define TRUSTED_OS_FW_EXTRA2_HASH_OID "1.3.6.1.4.1.4128.2100.1003"
+/* TrustedOSFirmwareConfigHash - TOS_FW_CONFIG */
+#define TRUSTED_OS_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.1004"
 
 
 /*
@@ -140,5 +142,7 @@
 
 /* NonTrustedWorldBootloaderHash - BL33 */
 #define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201"
+/* NonTrustedFirmwareConfigHash - NT_FW_CONFIG */
+#define NON_TRUSTED_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.1202"
 
 #endif /* __TBBR_OID_H__ */
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 9b4ef5a..07bb337 100644
--- a/tools/cert_create/include/cert.h
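Review bot: The new comment `/* SoCFirmwareConfigHash = SOC_FW_CONFIG */` (hunk `@@ -86,7 +85,8 @@`) uses `=` where every neighbouring entry and the two other additions in this file use ` - ` (`/* SoCAPFirmwareHash - BL31 */`, `/* TrustedOSFirmwareConfigHash - TOS_FW_CONFIG */`, `/* NonTrustedFirmwareConfigHash - NT_FW_CONFIG */`); suggest `/* SoCFirmwareConfigHash - SOC_FW_CONFIG */`. The `@@ -75,7 +75,6 @@` hunk and the blank-line removal in the `@@ -86` hunk are whitespace-only churn in a header that is the on-the-wire contract between cert_create and the BL2 certificate parser; keeping such hunks out of a change like this makes it easier to audit that the only new values are `.604`, `.1004` and `.1202`, each one past the last existing OID in its section.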
+++ b/tools/cert_create/include/cert.h
@@ -12,7 +12,7 @@
 #include "ext.h"
 #include "key.h"
 
-#define CERT_MAX_EXT 4
+#define CERT_MAX_EXT 5
 
 /*
 * This structure contains information related to the generation of the
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
index 5b427d3..075d5f3 100644
--- a/tools/cert_create/include/tbbr/tbb_ext.h
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -21,12 +21,15 @@
 SCP_FW_HASH_EXT,
 SOC_FW_CONTENT_CERT_PK_EXT,
 SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
 TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
 TRUSTED_OS_FW_HASH_EXT,
 TRUSTED_OS_FW_EXTRA1_HASH_EXT,
 TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
 NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
 NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
 SCP_FWU_CFG_HASH_EXT,
 AP_FWU_CFG_HASH_EXT,
 FWU_HASH_EXT
diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c
index 325b462..7fb32d8 100644
--- a/tools/cert_create/src/tbbr/tbb_cert.c
+++ b/tools/cert_create/src/tbbr/tbb_cert.c
@@ -99,9 +99,10 @@
 .issuer = SOC_FW_CONTENT_CERT,
 .ext = {
 TRUSTED_FW_NVCOUNTER_EXT,
- SOC_AP_FW_HASH_EXT
+ SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
 },
- .num_ext = 2
+ .num_ext = 3
 },
 [TRUSTED_OS_FW_KEY_CERT] = {
 .id = TRUSTED_OS_FW_KEY_CERT,
@@ -129,9 +130,10 @@
 TRUSTED_FW_NVCOUNTER_EXT,
 TRUSTED_OS_FW_HASH_EXT,
 TRUSTED_OS_FW_EXTRA1_HASH_EXT,
- TRUSTED_OS_FW_EXTRA2_HASH_EXT
+ TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
 },
- .num_ext = 4
+ .num_ext = 5
 },
 [NON_TRUSTED_FW_KEY_CERT] = {
 .id = NON_TRUSTED_FW_KEY_CERT,
@@ -157,9 +159,10 @@
 .issuer = NON_TRUSTED_FW_CONTENT_CERT,
 .ext = {
 NON_TRUSTED_FW_NVCOUNTER_EXT,
- NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
+ NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
 },
- .num_ext = 2
+ .num_ext = 3
 },
 [FWU_CERT] = {
 .id = FWU_CERT,
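Review bot: `CERT_MAX_EXT` is raised to 5 in cert.h precisely because the Trusted OS content certificate's `.ext` initializer now has five entries (hunk `@@ -129,9 +130,10 @@`), yet `.num_ext` is still counted by hand in each entry and nothing in the diff ties it to the array size. A future sixth extension that misses cert.h would only draw a GCC excess-initializer warning, and a `.num_ext` larger than `ext[]` would read past the array wherever the extension loop in cert_create walks it (that loop is outside this diff). A cheap guard is `assert(cert->num_ext <= CERT_MAX_EXT);` at the top of that loop, and a comment on the constant so the coupling is visible, e.g. `/* Largest .num_ext in tbb_cert.c (TRUSTED_OS_FW_CONTENT_CERT has 5); raise when adding extensions */`.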
diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c
index 5f2cec1..d0038a2 100644
--- a/tools/cert_create/src/tbbr/tbb_ext.c
+++ b/tools/cert_create/src/tbbr/tbb_ext.c
@@ -123,6 +123,16 @@
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_HASH
 },
+ [SOC_FW_CONFIG_HASH_EXT] = {
+ .oid = SOC_FW_CONFIG_HASH_OID,
+ .opt = "soc-fw-config",
+ .help_msg = "SoC Firmware Config file",
+ .sn = "SocFirmwareConfigHash",
+ .ln = "SoC Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
 [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
 .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
 .sn = "TrustedOSFirmwareContentCertPK",
@@ -160,6 +170,16 @@
 .type = EXT_TYPE_HASH,
 .optional = 1
 },
+ [TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
+ .opt = "tos-fw-config",
+ .help_msg = "Trusted OS Firmware Config file",
+ .sn = "TrustedOSFirmwareConfigHash",
+ .ln = "Trusted OS Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
 [NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = {
 .oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID,
 .sn = "NonTrustedFirmwareContentCertPK",
@@ -177,6 +197,16 @@
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_HASH
 },
+ [NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
+ .oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
+ .opt = "nt-fw-config",
+ .help_msg = "Non Trusted OS Firmware Config file",
+ .sn = "NonTrustedOSFirmwareConfigHash",
+ .ln = "Non-Trusted OS Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
 [SCP_FWU_CFG_HASH_EXT] = {
 .oid = SCP_FWU_CFG_HASH_OID,
 .opt = "scp-fwu-cfg",
diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c
index 2c0adcd..c7df243 100644
--- a/tools/fiptool/tbbr_config.c
+++ b/tools/fiptool/tbbr_config.c
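Review bot: The non-trusted entry (hunk `@@ -177,6 +197,16 @@`) names the extension `NonTrustedOSFirmwareConfigHash` / `Non-Trusted OS Firmware Config hash` / `Non Trusted OS Firmware Config file`, while the enum (`NON_TRUSTED_FW_CONFIG_HASH_EXT`), the OID comment in tbbr_oid.h (`NonTrustedFirmwareConfigHash`) and the `nt-fw-config` option in both tools describe a non-trusted *firmware* config — BL33 is not a trusted OS. If `.sn`/`.ln` are what get registered against the OID, the stray "OS" will surface in certificate dumps and any tooling that keys on the short name; suggest `.help_msg = "Non Trusted Firmware Config file",`, `.sn = "NonTrustedFirmwareConfigHash",`, `.ln = "Non-Trusted Firmware Config hash",`. All three entries also set `.optional = 1`, so cert_create will not refuse to sign when the config file is omitted; how an omitted hash is then encoded in the certificate is decided by the extension builder outside this diff, and a short comment on these entries saying so would spare the next reader the lookup.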
@@ -78,6 +78,21 @@
 .uuid = UUID_TB_FW_CONFIG,
 .cmdline_name = "tb-fw-config"
 },
+ {
+ .name = "SOC_FW_CONFIG",
+ .uuid = UUID_SOC_FW_CONFIG,
+ .cmdline_name = "soc-fw-config"
+ },
+ {
+ .name = "TOS_FW_CONFIG",
+ .uuid = UUID_TOS_FW_CONFIG,
+ .cmdline_name = "tos-fw-config"
+ },
+ {
+ .name = "NT_FW_CONFIG",
+ .uuid = UUID_NT_FW_CONFIG,
+ .cmdline_name = "nt-fw-config"
+ },
 /* Key Certificates */
 {
 .name = "Root Of Trust key certificate",