diff --git a/docs/design/auth-framework.rst b/docs/design/auth-framework.rst index 1a53e22..6913e66 100644 --- a/docs/design/auth-framework.rst +++ b/docs/design/auth-framework.rst @@ -619,11 +619,13 @@ The TBBR CoT ~~~~~~~~~~~~ -The CoT can be found in ``drivers/auth/tbbr/tbbr_cot.c``. This CoT consists of -an array of pointers to image descriptors and it is registered in the framework -using the macro ``REGISTER_COT(cot_desc)``, where ``cot_desc`` must be the name -of the array (passing a pointer or any other type of indirection will cause the -registration process to fail). +CoT specific to BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_bl1.c`` +and ``drivers/auth/tbbr/tbbr_cot_bl2.c`` respectively. The common CoT used across +BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_common.c``. +This CoT consists of an array of pointers to image descriptors and it is +registered in the framework using the macro ``REGISTER_COT(cot_desc)``, where +``cot_desc`` must be the name of the array (passing a pointer or any other +type of indirection will cause the registration process to fail). The number of images participating in the boot process depends on the CoT. There is, however, a minimum set of images that are mandatory in TF-A and thus @@ -702,7 +704,7 @@ address/size to store the parameter. The CoT is responsible for allocating the required memory to store the parameters. This pointer may be NULL. -In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters +In the ``tbbr_cot*.c`` file, a set of buffers are allocated to store the parameters extracted from the certificates. In the case of the TBBR CoT, these parameters are hashes and public keys. In DER format, an RSA-4096 public key requires 550 bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c index eb0b020..8aca2be 100644 --- a/drivers/auth/dualroot/cot.c +++ b/drivers/auth/dualroot/cot.c @@ -13,44 +13,6 @@ #include /* - * TODO: Remove dependency on mbedTLS. The chain of trust should be agnostic of - * the specific cryptographic library in use. -*/ -/* - * Maximum key and hash sizes (in DER format). - * - * Both RSA and ECDSA keys may be used at the same time. In this case, the key - * buffers must be big enough to hold either. As RSA keys are bigger than ECDSA - * ones for all key sizes we support, they impose the minimum size of these - * buffers. - */ -#if TF_MBEDTLS_USE_RSA -#if TF_MBEDTLS_KEY_SIZE == 1024 -#define PK_DER_LEN 162 -#elif TF_MBEDTLS_KEY_SIZE == 2048 -#define PK_DER_LEN 294 -#elif TF_MBEDTLS_KEY_SIZE == 3072 -#define PK_DER_LEN 422 -#elif TF_MBEDTLS_KEY_SIZE == 4096 -#define PK_DER_LEN 550 -#else -#error "Invalid value for TF_MBEDTLS_KEY_SIZE" -#endif -#else /* Only using ECDSA keys. */ -#define PK_DER_LEN 91 -#endif - -#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256 -#define HASH_DER_LEN 51 -#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384 -#define HASH_DER_LEN 67 -#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512 -#define HASH_DER_LEN 83 -#else -#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID" -#endif - -/* * Allocate static buffers to store the authentication parameters extracted from * the certificates. */ diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c deleted file mode 100644 index 6f00b18..0000000 --- a/drivers/auth/tbbr/tbbr_cot.c +++ /dev/null @@ -1,855 +0,0 @@ -/* - * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#include - -#include -#include - -#include -#if USE_TBBR_DEFS -#include -#else -#include -#endif - - -/* - * Maximum key and hash sizes (in DER format). - * - * Both RSA and ECDSA keys may be used at the same time. In this case, the key - * buffers must be big enough to hold either. As RSA keys are bigger than ECDSA - * ones for all key sizes we support, they impose the minimum size of these - * buffers. - */ -#if TF_MBEDTLS_USE_RSA -#if TF_MBEDTLS_KEY_SIZE == 1024 -#define PK_DER_LEN 162 -#elif TF_MBEDTLS_KEY_SIZE == 2048 -#define PK_DER_LEN 294 -#elif TF_MBEDTLS_KEY_SIZE == 3072 -#define PK_DER_LEN 422 -#elif TF_MBEDTLS_KEY_SIZE == 4096 -#define PK_DER_LEN 550 -#else -#error "Invalid value for TF_MBEDTLS_KEY_SIZE" -#endif -#else /* Only using ECDSA keys. */ -#define PK_DER_LEN 91 -#endif - -#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256 -#define HASH_DER_LEN 51 -#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384 -#define HASH_DER_LEN 67 -#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512 -#define HASH_DER_LEN 83 -#else -#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID" -#endif - -/* - * The platform must allocate buffers to store the authentication parameters - * extracted from the certificates. In this case, because of the way the CoT is - * established, we can reuse some of the buffers on different stages - */ - -static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; -static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; -static unsigned char hw_config_hash_buf[HASH_DER_LEN]; -static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; -static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; - -#ifdef IMAGE_BL2 -static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; -static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; -static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; -static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; -static unsigned char trusted_world_pk_buf[PK_DER_LEN]; -static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; -static unsigned char content_pk_buf[PK_DER_LEN]; -static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; -static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; -static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; -#endif - -/* - * Parameter type descriptors - */ -static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); - -static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, 0); -static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_SIG, 0); -static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_SIG_ALG, 0); -static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_RAW_DATA, 0); - - -static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); -static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); -static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); -#ifdef IMAGE_BL1 -static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); -static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); -static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, FWU_HASH_OID); -#endif /* IMAGE_BL1 */ - -#ifdef IMAGE_BL2 -static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); -static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); -static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); -static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, SCP_FW_HASH_OID); -static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); -static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); -static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); -static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); -static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); -static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); -static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); -static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); - -#endif /* IMAGE_BL2 */ - - - /* - * BL2 - */ -static const auth_img_desc_t trusted_boot_fw_cert = { - .img_id = TRUSTED_BOOT_FW_CERT_ID, - .img_type = IMG_CERT, - .parent = NULL, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &subject_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &tb_fw_hash, - .data = { - .ptr = (void *)tb_fw_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [1] = { - .type_desc = &tb_fw_config_hash, - .data = { - .ptr = (void *)tb_fw_config_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [2] = { - .type_desc = &hw_config_hash, - .data = { - .ptr = (void *)hw_config_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - } - } - }; -#ifdef IMAGE_BL1 -static const auth_img_desc_t bl2_image = { - .img_id = BL2_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &trusted_boot_fw_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &tb_fw_hash - } - } - } -}; -#endif /* IMAGE_BL1 */ -/* HW Config */ -static const auth_img_desc_t hw_config = { - .img_id = HW_CONFIG_ID, - .img_type = IMG_RAW, - .parent = &trusted_boot_fw_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &hw_config_hash - } - } - } -}; -/* TB FW Config */ -#ifdef IMAGE_BL1 -static const auth_img_desc_t tb_fw_config = { - .img_id = TB_FW_CONFIG_ID, - .img_type = IMG_RAW, - .parent = &trusted_boot_fw_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &tb_fw_config_hash - } - } - } -}; -#endif /* IMAGE_BL1 */ -#ifdef IMAGE_BL2 -/* - * Trusted key certificate - */ -static const auth_img_desc_t trusted_key_cert = { - .img_id = TRUSTED_KEY_CERT_ID, - .img_type = IMG_CERT, - .parent = NULL, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &subject_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &trusted_world_pk, - .data = { - .ptr = (void *)trusted_world_pk_buf, - .len = (unsigned int)PK_DER_LEN - } - }, - [1] = { - .type_desc = &non_trusted_world_pk, - .data = { - .ptr = (void *)non_trusted_world_pk_buf, - .len = (unsigned int)PK_DER_LEN - } - } - } -}; -/* - * SCP Firmware - */ -static const auth_img_desc_t scp_fw_key_cert = { - .img_id = SCP_FW_KEY_CERT_ID, - .img_type = IMG_CERT, - .parent = &trusted_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &trusted_world_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &scp_fw_content_pk, - .data = { - .ptr = (void *)content_pk_buf, - .len = (unsigned int)PK_DER_LEN - } - } - } -}; -static const auth_img_desc_t scp_fw_content_cert = { - .img_id = SCP_FW_CONTENT_CERT_ID, - .img_type = IMG_CERT, - .parent = &scp_fw_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &scp_fw_content_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &scp_fw_hash, - .data = { - .ptr = (void *)scp_fw_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - } - } -}; -static const auth_img_desc_t scp_bl2_image = { - .img_id = SCP_BL2_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &scp_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &scp_fw_hash - } - } - } -}; -/* - * SoC Firmware - */ -static const auth_img_desc_t soc_fw_key_cert = { - .img_id = SOC_FW_KEY_CERT_ID, - .img_type = IMG_CERT, - .parent = &trusted_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &trusted_world_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &soc_fw_content_pk, - .data = { - .ptr = (void *)content_pk_buf, - .len = (unsigned int)PK_DER_LEN - } - } - } -}; -static const auth_img_desc_t soc_fw_content_cert = { - .img_id = SOC_FW_CONTENT_CERT_ID, - .img_type = IMG_CERT, - .parent = &soc_fw_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &soc_fw_content_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &soc_fw_hash, - .data = { - .ptr = (void *)soc_fw_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [1] = { - .type_desc = &soc_fw_config_hash, - .data = { - .ptr = (void *)soc_fw_config_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - } - } -}; -static const auth_img_desc_t bl31_image = { - .img_id = BL31_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &soc_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &soc_fw_hash - } - } - } -}; -/* SOC FW Config */ -static const auth_img_desc_t soc_fw_config = { - .img_id = SOC_FW_CONFIG_ID, - .img_type = IMG_RAW, - .parent = &soc_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &soc_fw_config_hash - } - } - } -}; -/* - * Trusted OS Firmware - */ -static const auth_img_desc_t trusted_os_fw_key_cert = { - .img_id = TRUSTED_OS_FW_KEY_CERT_ID, - .img_type = IMG_CERT, - .parent = &trusted_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &trusted_world_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &tos_fw_content_pk, - .data = { - .ptr = (void *)content_pk_buf, - .len = (unsigned int)PK_DER_LEN - } - } - } -}; -static const auth_img_desc_t trusted_os_fw_content_cert = { - .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, - .img_type = IMG_CERT, - .parent = &trusted_os_fw_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &tos_fw_content_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &trusted_nv_ctr, - .plat_nv_ctr = &trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &tos_fw_hash, - .data = { - .ptr = (void *)tos_fw_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [1] = { - .type_desc = &tos_fw_extra1_hash, - .data = { - .ptr = (void *)tos_fw_extra1_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [2] = { - .type_desc = &tos_fw_extra2_hash, - .data = { - .ptr = (void *)tos_fw_extra2_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [3] = { - .type_desc = &tos_fw_config_hash, - .data = { - .ptr = (void *)tos_fw_config_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - } - } -}; -static const auth_img_desc_t bl32_image = { - .img_id = BL32_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &trusted_os_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &tos_fw_hash - } - } - } -}; -static const auth_img_desc_t bl32_extra1_image = { - .img_id = BL32_EXTRA1_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &trusted_os_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &tos_fw_extra1_hash - } - } - } -}; -static const auth_img_desc_t bl32_extra2_image = { - .img_id = BL32_EXTRA2_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &trusted_os_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &tos_fw_extra2_hash - } - } - } -}; -/* TOS FW Config */ -static const auth_img_desc_t tos_fw_config = { - .img_id = TOS_FW_CONFIG_ID, - .img_type = IMG_RAW, - .parent = &trusted_os_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &tos_fw_config_hash - } - } - } -}; -/* - * Non-Trusted Firmware - */ -static const auth_img_desc_t non_trusted_fw_key_cert = { - .img_id = NON_TRUSTED_FW_KEY_CERT_ID, - .img_type = IMG_CERT, - .parent = &trusted_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &non_trusted_world_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &non_trusted_nv_ctr, - .plat_nv_ctr = &non_trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &nt_fw_content_pk, - .data = { - .ptr = (void *)content_pk_buf, - .len = (unsigned int)PK_DER_LEN - } - } - } -}; -static const auth_img_desc_t non_trusted_fw_content_cert = { - .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, - .img_type = IMG_CERT, - .parent = &non_trusted_fw_key_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &nt_fw_content_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - }, - [1] = { - .type = AUTH_METHOD_NV_CTR, - .param.nv_ctr = { - .cert_nv_ctr = &non_trusted_nv_ctr, - .plat_nv_ctr = &non_trusted_nv_ctr - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &nt_world_bl_hash, - .data = { - .ptr = (void *)nt_world_bl_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [1] = { - .type_desc = &nt_fw_config_hash, - .data = { - .ptr = (void *)nt_fw_config_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - } - } -}; -static const auth_img_desc_t bl33_image = { - .img_id = BL33_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &non_trusted_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &nt_world_bl_hash - } - } - } -}; -/* NT FW Config */ -static const auth_img_desc_t nt_fw_config = { - .img_id = NT_FW_CONFIG_ID, - .img_type = IMG_RAW, - .parent = &non_trusted_fw_content_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &nt_fw_config_hash - } - } - } -}; -#else /* IMAGE_BL2 */ -/* - * FWU auth descriptor. - */ -static const auth_img_desc_t fwu_cert = { - .img_id = FWU_CERT_ID, - .img_type = IMG_CERT, - .parent = NULL, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_SIG, - .param.sig = { - .pk = &subject_pk, - .sig = &sig, - .alg = &sig_alg, - .data = &raw_data - } - } - }, - .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { - [0] = { - .type_desc = &scp_bl2u_hash, - .data = { - .ptr = (void *)scp_fw_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [1] = { - .type_desc = &bl2u_hash, - .data = { - .ptr = (void *)tb_fw_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - }, - [2] = { - .type_desc = &ns_bl2u_hash, - .data = { - .ptr = (void *)nt_world_bl_hash_buf, - .len = (unsigned int)HASH_DER_LEN - } - } - } -}; -/* - * SCP_BL2U - */ -static const auth_img_desc_t scp_bl2u_image = { - .img_id = SCP_BL2U_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &fwu_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &scp_bl2u_hash - } - } - } -}; -/* - * BL2U - */ -static const auth_img_desc_t bl2u_image = { - .img_id = BL2U_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &fwu_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &bl2u_hash - } - } - } -}; -/* - * NS_BL2U - */ -static const auth_img_desc_t ns_bl2u_image = { - .img_id = NS_BL2U_IMAGE_ID, - .img_type = IMG_RAW, - .parent = &fwu_cert, - .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { - [0] = { - .type = AUTH_METHOD_HASH, - .param.hash = { - .data = &raw_data, - .hash = &ns_bl2u_hash - } - } - } - }; -#endif /* IMAGE_BL2 */ -/* - * TBBR Chain of trust definition - */ - -#ifdef IMAGE_BL1 -static const auth_img_desc_t * const cot_desc[] = { - [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, - [BL2_IMAGE_ID] = &bl2_image, - [HW_CONFIG_ID] = &hw_config, - [TB_FW_CONFIG_ID] = &tb_fw_config, - [FWU_CERT_ID] = &fwu_cert, - [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, - [BL2U_IMAGE_ID] = &bl2u_image, - [NS_BL2U_IMAGE_ID] = &ns_bl2u_image -}; -#else /* IMAGE_BL2 */ -static const auth_img_desc_t * const cot_desc[] = { - [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, - [HW_CONFIG_ID] = &hw_config, - [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, - [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert, - [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert, - [SCP_BL2_IMAGE_ID] = &scp_bl2_image, - [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, - [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, - [BL31_IMAGE_ID] = &bl31_image, - [SOC_FW_CONFIG_ID] = &soc_fw_config, - [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, - [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, - [BL32_IMAGE_ID] = &bl32_image, - [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, - [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, - [TOS_FW_CONFIG_ID] = &tos_fw_config, - [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, - [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, - [BL33_IMAGE_ID] = &bl33_image, - [NT_FW_CONFIG_ID] = &nt_fw_config, -}; -#endif - -/* Register the CoT in the authentication module */ -REGISTER_COT(cot_desc); diff --git a/drivers/auth/tbbr/tbbr_cot_bl1.c b/drivers/auth/tbbr/tbbr_cot_bl1.c new file mode 100644 index 0000000..f3bb376 --- /dev/null +++ b/drivers/auth/tbbr/tbbr_cot_bl1.c @@ -0,0 +1,168 @@ +/* + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include + +#include +#include + +#include +#include +#if USE_TBBR_DEFS +#include +#else +#include +#endif + +static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); +static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); +static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, FWU_HASH_OID); + +static const auth_img_desc_t bl2_image = { + .img_id = BL2_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &trusted_boot_fw_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tb_fw_hash + } + } + } +}; + +/* + * FWU auth descriptor. + */ +static const auth_img_desc_t fwu_cert = { + .img_id = FWU_CERT_ID, + .img_type = IMG_CERT, + .parent = NULL, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &subject_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &scp_bl2u_hash, + .data = { + .ptr = (void *)scp_fw_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &bl2u_hash, + .data = { + .ptr = (void *)tb_fw_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [2] = { + .type_desc = &ns_bl2u_hash, + .data = { + .ptr = (void *)nt_world_bl_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; +/* + * SCP_BL2U + */ +static const auth_img_desc_t scp_bl2u_image = { + .img_id = SCP_BL2U_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &fwu_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &scp_bl2u_hash + } + } + } +}; +/* + * BL2U + */ +static const auth_img_desc_t bl2u_image = { + .img_id = BL2U_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &fwu_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &bl2u_hash + } + } + } +}; +/* + * NS_BL2U + */ +static const auth_img_desc_t ns_bl2u_image = { + .img_id = NS_BL2U_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &fwu_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &ns_bl2u_hash + } + } + } +}; +/* + * TB_FW_CONFIG + */ +static const auth_img_desc_t tb_fw_config = { + .img_id = TB_FW_CONFIG_ID, + .img_type = IMG_RAW, + .parent = &trusted_boot_fw_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tb_fw_config_hash + } + } + } +}; + +/* + * TBBR Chain of trust definition + */ +static const auth_img_desc_t * const cot_desc[] = { + [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, + [BL2_IMAGE_ID] = &bl2_image, + [HW_CONFIG_ID] = &hw_config, + [TB_FW_CONFIG_ID] = &tb_fw_config, + [FWU_CERT_ID] = &fwu_cert, + [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, + [BL2U_IMAGE_ID] = &bl2u_image, + [NS_BL2U_IMAGE_ID] = &ns_bl2u_image +}; + +/* Register the CoT in the authentication module */ +REGISTER_COT(cot_desc); diff --git a/drivers/auth/tbbr/tbbr_cot_bl2.c b/drivers/auth/tbbr/tbbr_cot_bl2.c new file mode 100644 index 0000000..c47bf1a --- /dev/null +++ b/drivers/auth/tbbr/tbbr_cot_bl2.c @@ -0,0 +1,563 @@ +/* + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include + +#include +#include + +#include +#include +#if USE_TBBR_DEFS +#include +#else +#include +#endif + +static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; +static unsigned char trusted_world_pk_buf[PK_DER_LEN]; +static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; +static unsigned char content_pk_buf[PK_DER_LEN]; +static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; +static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; + +static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); +static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); +static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); +static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SCP_FW_HASH_OID); +static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); +static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); +static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); +static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); +static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); +static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); +static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); +static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); + +/* + * Trusted key certificate + */ +static const auth_img_desc_t trusted_key_cert = { + .img_id = TRUSTED_KEY_CERT_ID, + .img_type = IMG_CERT, + .parent = NULL, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &subject_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &trusted_world_pk, + .data = { + .ptr = (void *)trusted_world_pk_buf, + .len = (unsigned int)PK_DER_LEN + } + }, + [1] = { + .type_desc = &non_trusted_world_pk, + .data = { + .ptr = (void *)non_trusted_world_pk_buf, + .len = (unsigned int)PK_DER_LEN + } + } + } +}; +/* + * SCP Firmware + */ +static const auth_img_desc_t scp_fw_key_cert = { + .img_id = SCP_FW_KEY_CERT_ID, + .img_type = IMG_CERT, + .parent = &trusted_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &scp_fw_content_pk, + .data = { + .ptr = (void *)content_pk_buf, + .len = (unsigned int)PK_DER_LEN + } + } + } +}; +static const auth_img_desc_t scp_fw_content_cert = { + .img_id = SCP_FW_CONTENT_CERT_ID, + .img_type = IMG_CERT, + .parent = &scp_fw_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &scp_fw_content_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &scp_fw_hash, + .data = { + .ptr = (void *)scp_fw_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; +static const auth_img_desc_t scp_bl2_image = { + .img_id = SCP_BL2_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &scp_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &scp_fw_hash + } + } + } +}; +/* + * SoC Firmware + */ +static const auth_img_desc_t soc_fw_key_cert = { + .img_id = SOC_FW_KEY_CERT_ID, + .img_type = IMG_CERT, + .parent = &trusted_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &soc_fw_content_pk, + .data = { + .ptr = (void *)content_pk_buf, + .len = (unsigned int)PK_DER_LEN + } + } + } +}; +static const auth_img_desc_t soc_fw_content_cert = { + .img_id = SOC_FW_CONTENT_CERT_ID, + .img_type = IMG_CERT, + .parent = &soc_fw_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &soc_fw_content_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &soc_fw_hash, + .data = { + .ptr = (void *)soc_fw_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &soc_fw_config_hash, + .data = { + .ptr = (void *)soc_fw_config_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; +static const auth_img_desc_t bl31_image = { + .img_id = BL31_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &soc_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &soc_fw_hash + } + } + } +}; +/* SOC FW Config */ +static const auth_img_desc_t soc_fw_config = { + .img_id = SOC_FW_CONFIG_ID, + .img_type = IMG_RAW, + .parent = &soc_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &soc_fw_config_hash + } + } + } +}; +/* + * Trusted OS Firmware + */ +static const auth_img_desc_t trusted_os_fw_key_cert = { + .img_id = TRUSTED_OS_FW_KEY_CERT_ID, + .img_type = IMG_CERT, + .parent = &trusted_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &tos_fw_content_pk, + .data = { + .ptr = (void *)content_pk_buf, + .len = (unsigned int)PK_DER_LEN + } + } + } +}; +static const auth_img_desc_t trusted_os_fw_content_cert = { + .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, + .img_type = IMG_CERT, + .parent = &trusted_os_fw_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &tos_fw_content_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &tos_fw_hash, + .data = { + .ptr = (void *)tos_fw_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &tos_fw_extra1_hash, + .data = { + .ptr = (void *)tos_fw_extra1_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [2] = { + .type_desc = &tos_fw_extra2_hash, + .data = { + .ptr = (void *)tos_fw_extra2_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [3] = { + .type_desc = &tos_fw_config_hash, + .data = { + .ptr = (void *)tos_fw_config_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; +static const auth_img_desc_t bl32_image = { + .img_id = BL32_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &trusted_os_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tos_fw_hash + } + } + } +}; +static const auth_img_desc_t bl32_extra1_image = { + .img_id = BL32_EXTRA1_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &trusted_os_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tos_fw_extra1_hash + } + } + } +}; +static const auth_img_desc_t bl32_extra2_image = { + .img_id = BL32_EXTRA2_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &trusted_os_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tos_fw_extra2_hash + } + } + } +}; +/* TOS FW Config */ +static const auth_img_desc_t tos_fw_config = { + .img_id = TOS_FW_CONFIG_ID, + .img_type = IMG_RAW, + .parent = &trusted_os_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tos_fw_config_hash + } + } + } +}; +/* + * Non-Trusted Firmware + */ +static const auth_img_desc_t non_trusted_fw_key_cert = { + .img_id = NON_TRUSTED_FW_KEY_CERT_ID, + .img_type = IMG_CERT, + .parent = &trusted_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &non_trusted_nv_ctr, + .plat_nv_ctr = &non_trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &nt_fw_content_pk, + .data = { + .ptr = (void *)content_pk_buf, + .len = (unsigned int)PK_DER_LEN + } + } + } +}; +static const auth_img_desc_t non_trusted_fw_content_cert = { + .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, + .img_type = IMG_CERT, + .parent = &non_trusted_fw_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &nt_fw_content_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &non_trusted_nv_ctr, + .plat_nv_ctr = &non_trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &nt_world_bl_hash, + .data = { + .ptr = (void *)nt_world_bl_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &nt_fw_config_hash, + .data = { + .ptr = (void *)nt_fw_config_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; +static const auth_img_desc_t bl33_image = { + .img_id = BL33_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &non_trusted_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &nt_world_bl_hash + } + } + } +}; +/* NT FW Config */ +static const auth_img_desc_t nt_fw_config = { + .img_id = NT_FW_CONFIG_ID, + .img_type = IMG_RAW, + .parent = &non_trusted_fw_content_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &nt_fw_config_hash + } + } + } +}; + +static const auth_img_desc_t * const cot_desc[] = { + [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, + [HW_CONFIG_ID] = &hw_config, + [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, + [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert, + [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert, + [SCP_BL2_IMAGE_ID] = &scp_bl2_image, + [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, + [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, + [BL31_IMAGE_ID] = &bl31_image, + [SOC_FW_CONFIG_ID] = &soc_fw_config, + [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, + [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, + [BL32_IMAGE_ID] = &bl32_image, + [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, + [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, + [TOS_FW_CONFIG_ID] = &tos_fw_config, + [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, + [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, + [BL33_IMAGE_ID] = &bl33_image, + [NT_FW_CONFIG_ID] = &nt_fw_config, +}; + +/* Register the CoT in the authentication module */ +REGISTER_COT(cot_desc); diff --git a/drivers/auth/tbbr/tbbr_cot_common.c b/drivers/auth/tbbr/tbbr_cot_common.c new file mode 100644 index 0000000..0a4b75e --- /dev/null +++ b/drivers/auth/tbbr/tbbr_cot_common.c @@ -0,0 +1,116 @@ +/* + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include + +#include +#include + +#include +#include +#if USE_TBBR_DEFS +#include +#else +#include +#endif + +/* + * The platform must allocate buffers to store the authentication parameters + * extracted from the certificates. In this case, because of the way the CoT is + * established, we can reuse some of the buffers on different stages + */ + +unsigned char tb_fw_hash_buf[HASH_DER_LEN]; +unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; +unsigned char hw_config_hash_buf[HASH_DER_LEN]; +unsigned char scp_fw_hash_buf[HASH_DER_LEN]; +unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; + +/* + * common Parameter type descriptors across BL1 and BL2 + */ +auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); +auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, 0); +auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_SIG, 0); +auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_SIG_ALG, 0); +auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_RAW_DATA, 0); + +/* common hash used across BL1 and BL2 */ +auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); +auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); +auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); + +/* trusted_boot_fw_cert */ +const auth_img_desc_t trusted_boot_fw_cert = { + .img_id = TRUSTED_BOOT_FW_CERT_ID, + .img_type = IMG_CERT, + .parent = NULL, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &subject_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &tb_fw_hash, + .data = { + .ptr = (void *)tb_fw_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &tb_fw_config_hash, + .data = { + .ptr = (void *)tb_fw_config_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [2] = { + .type_desc = &hw_config_hash, + .data = { + .ptr = (void *)hw_config_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; + +/* HW Config */ +const auth_img_desc_t hw_config = { + .img_id = HW_CONFIG_ID, + .img_type = IMG_RAW, + .parent = &trusted_boot_fw_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &hw_config_hash + } + } + } +}; diff --git a/include/common/tbbr/cot_def.h b/include/common/tbbr/cot_def.h index 33350a0..c411146 100644 --- a/include/common/tbbr/cot_def.h +++ b/include/common/tbbr/cot_def.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -11,4 +11,38 @@ #define COT_MAX_VERIFIED_PARAMS 4 +/* + * Maximum key and hash sizes (in DER format). + * + * Both RSA and ECDSA keys may be used at the same time. In this case, the key + * buffers must be big enough to hold either. As RSA keys are bigger than ECDSA + * ones for all key sizes we support, they impose the minimum size of these + * buffers. + */ +#if TF_MBEDTLS_USE_RSA +#if TF_MBEDTLS_KEY_SIZE == 1024 +#define PK_DER_LEN 162 +#elif TF_MBEDTLS_KEY_SIZE == 2048 +#define PK_DER_LEN 294 +#elif TF_MBEDTLS_KEY_SIZE == 3072 +#define PK_DER_LEN 422 +#elif TF_MBEDTLS_KEY_SIZE == 4096 +#define PK_DER_LEN 550 +#else +#error "Invalid value for TF_MBEDTLS_KEY_SIZE" +#endif +#else /* Only using ECDSA keys. */ +#define PK_DER_LEN 91 +#endif + +#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256 +#define HASH_DER_LEN 51 +#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384 +#define HASH_DER_LEN 67 +#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512 +#define HASH_DER_LEN 83 +#else +#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID" +#endif + #endif /* COT_DEF_H */ diff --git a/include/drivers/auth/tbbr_cot_common.h b/include/drivers/auth/tbbr_cot_common.h new file mode 100644 index 0000000..0ea5f65 --- /dev/null +++ b/include/drivers/auth/tbbr_cot_common.h @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2020, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef TBBR_COT_COMMON_H +#define TBBR_COT_COMMON_H + +#include + +extern unsigned char tb_fw_hash_buf[HASH_DER_LEN]; +extern unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; +extern unsigned char hw_config_hash_buf[HASH_DER_LEN]; +extern unsigned char scp_fw_hash_buf[HASH_DER_LEN]; +extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; + +extern auth_param_type_desc_t trusted_nv_ctr; +extern auth_param_type_desc_t subject_pk; +extern auth_param_type_desc_t sig; +extern auth_param_type_desc_t sig_alg; +extern auth_param_type_desc_t raw_data; + +extern auth_param_type_desc_t tb_fw_hash; +extern auth_param_type_desc_t tb_fw_config_hash; +extern auth_param_type_desc_t hw_config_hash; + +extern const auth_img_desc_t trusted_boot_fw_cert; +extern const auth_img_desc_t hw_config; + +#endif /* TBBR_COT_COMMON_H */ diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk index 387c131..a287368 100644 --- a/plat/arm/common/arm_common.mk +++ b/plat/arm/common/arm_common.mk @@ -297,7 +297,7 @@ # Include the selected chain of trust sources. ifeq (${COT},tbbr) - AUTH_SOURCES += drivers/auth/tbbr/tbbr_cot.c + AUTH_SOURCES += drivers/auth/tbbr/tbbr_cot_common.c else ifeq (${COT},dualroot) AUTH_SOURCES += drivers/auth/dualroot/cot.c else @@ -307,10 +307,12 @@ BL1_SOURCES += ${AUTH_SOURCES} \ bl1/tbbr/tbbr_img_desc.c \ plat/arm/common/arm_bl1_fwu.c \ + drivers/auth/tbbr/tbbr_cot_bl1.c \ plat/common/tbbr/plat_tbbr.c BL2_SOURCES += ${AUTH_SOURCES} \ - plat/common/tbbr/plat_tbbr.c + plat/common/tbbr/plat_tbbr.c \ + drivers/auth/tbbr/tbbr_cot_bl2.c $(eval $(call TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_)) diff --git a/plat/brcm/board/common/board_common.mk b/plat/brcm/board/common/board_common.mk index 1795ce7..808a107 100644 --- a/plat/brcm/board/common/board_common.mk +++ b/plat/brcm/board/common/board_common.mk @@ -213,7 +213,8 @@ AUTH_SOURCES += drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c + drivers/auth/tbbr/tbbr_cot_common.c \ + drivers/auth/tbbr/tbbr_cot_bl2.c BL2_SOURCES += ${AUTH_SOURCES} diff --git a/plat/hisilicon/hikey/platform.mk b/plat/hisilicon/hikey/platform.mk index fbf7432..18197cf 100644 --- a/plat/hisilicon/hikey/platform.mk +++ b/plat/hisilicon/hikey/platform.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -126,17 +126,19 @@ AUTH_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c + drivers/auth/tbbr/tbbr_cot_common.c BL1_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ plat/hisilicon/hikey/hikey_tbbr.c \ - plat/hisilicon/hikey/hikey_rotpk.S + plat/hisilicon/hikey/hikey_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl1.c BL2_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ plat/hisilicon/hikey/hikey_tbbr.c \ - plat/hisilicon/hikey/hikey_rotpk.S + plat/hisilicon/hikey/hikey_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl2.c ROT_KEY = $(BUILD_PLAT)/rot_key.pem ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin diff --git a/plat/hisilicon/hikey960/platform.mk b/plat/hisilicon/hikey960/platform.mk index 8ebabeb..fc2c209 100644 --- a/plat/hisilicon/hikey960/platform.mk +++ b/plat/hisilicon/hikey960/platform.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -118,17 +118,19 @@ AUTH_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c + drivers/auth/tbbr/tbbr_cot_common.c BL1_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ plat/hisilicon/hikey960/hikey960_tbbr.c \ - plat/hisilicon/hikey960/hikey960_rotpk.S + plat/hisilicon/hikey960/hikey960_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl1.c BL2_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ plat/hisilicon/hikey960/hikey960_tbbr.c \ - plat/hisilicon/hikey960/hikey960_rotpk.S + plat/hisilicon/hikey960/hikey960_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl2.c ROT_KEY = $(BUILD_PLAT)/rot_key.pem ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin diff --git a/plat/imx/imx7/common/imx7.mk b/plat/imx/imx7/common/imx7.mk index 849ddcd..3a95772 100644 --- a/plat/imx/imx7/common/imx7.mk +++ b/plat/imx/imx7/common/imx7.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2018-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -58,12 +58,13 @@ AUTH_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c + drivers/auth/tbbr/tbbr_cot_common.c BL2_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ plat/imx/imx7/common/imx7_trusted_boot.c \ - plat/imx/imx7/common/imx7_rotpk.S + plat/imx/imx7/common/imx7_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl2.c ROT_KEY = $(BUILD_PLAT)/rot_key.pem ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk index 1bf4e08..9441437 100644 --- a/plat/qemu/qemu/platform.mk +++ b/plat/qemu/qemu/platform.mk @@ -59,18 +59,20 @@ AUTH_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c + drivers/auth/tbbr/tbbr_cot_common.c BL1_SOURCES += ${AUTH_SOURCES} \ bl1/tbbr/tbbr_img_desc.c \ plat/common/tbbr/plat_tbbr.c \ ${PLAT_QEMU_COMMON_PATH}/qemu_trusted_boot.c \ - $(PLAT_QEMU_COMMON_PATH)/qemu_rotpk.S + $(PLAT_QEMU_COMMON_PATH)/qemu_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl1.c BL2_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ ${PLAT_QEMU_COMMON_PATH}/qemu_trusted_boot.c \ - $(PLAT_QEMU_COMMON_PATH)/qemu_rotpk.S + $(PLAT_QEMU_COMMON_PATH)/qemu_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl2.c ROT_KEY = $(BUILD_PLAT)/rot_key.pem ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin diff --git a/plat/rpi/rpi3/platform.mk b/plat/rpi/rpi3/platform.mk index bcfc34e..4d627b8 100644 --- a/plat/rpi/rpi3/platform.mk +++ b/plat/rpi/rpi3/platform.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2013-2019, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -185,18 +185,20 @@ AUTH_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c + drivers/auth/tbbr/tbbr_cot_common.c BL1_SOURCES += ${AUTH_SOURCES} \ bl1/tbbr/tbbr_img_desc.c \ plat/common/tbbr/plat_tbbr.c \ plat/rpi/common/rpi3_trusted_boot.c \ - plat/rpi/common/rpi3_rotpk.S + plat/rpi/common/rpi3_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl1.c BL2_SOURCES += ${AUTH_SOURCES} \ plat/common/tbbr/plat_tbbr.c \ plat/rpi/common/rpi3_trusted_boot.c \ - plat/rpi/common/rpi3_rotpk.S + plat/rpi/common/rpi3_rotpk.S \ + drivers/auth/tbbr/tbbr_cot_bl2.c ROT_KEY = $(BUILD_PLAT)/rot_key.pem ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin diff --git a/plat/socionext/uniphier/platform.mk b/plat/socionext/uniphier/platform.mk index 2c0ed92..6edd181 100644 --- a/plat/socionext/uniphier/platform.mk +++ b/plat/socionext/uniphier/platform.mk @@ -92,7 +92,8 @@ BL2_SOURCES += drivers/auth/auth_mod.c \ drivers/auth/crypto_mod.c \ drivers/auth/img_parser_mod.c \ - drivers/auth/tbbr/tbbr_cot.c \ + drivers/auth/tbbr/tbbr_cot_common.c \ + drivers/auth/tbbr/tbbr_cot_bl2.c \ plat/common/tbbr/plat_tbbr.c \ $(PLAT_PATH)/uniphier_rotpk.S \ $(PLAT_PATH)/uniphier_tbbr.c