• Manish Pandey's avatar
    dualroot: add chain of trust for secure partitions · 44f1aa8e
    Manish Pandey authored
    
    
    A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
    owned Secure Partitions(SP). A similar support for Platform owned SP can
    be added in future. The certificate is also protected against anti-
    rollback using the trusted Non-Volatile counter.
    
    To avoid deviating from TBBR spec, support for SP CoT is only provided
    in dualroot.
    Secure Partition content certificate is assigned image ID 31 and SP
    images follows after it.
    
    The CoT for secure partition look like below.
    +------------------+       +-------------------+
    | ROTPK/ROTPK Hash |------>| Trusted Key       |
    +------------------+       | Certificate       |
                               | (Auth Image)      |
                              /+-------------------+
                             /                   |
                            /                    |
                           /                     |
                          /                      |
                         L                       v
    +------------------+       +-------------------+
    | Trusted World    |------>| SiP owned SPs     |
    | Public Key       |       | Content Cert      |
    +------------------+       | (Auth Image)      |
                            /   +-------------------+
                           /                      |
                          /                      v|
    +------------------+ L     +-------------------+
    | SP_PKG1 Hash     |------>| SP_PKG1           |
    |                  |       | (Data Image)      |
    +------------------+       +-------------------+
            .                           .
            .                           .
            .                           .
    +------------------+       +-------------------+
    | SP_PKG8 Hash     |------>| SP_PKG8           |
    |                  |       | (Data Image)      |
    +------------------+       +-------------------+
    Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
    Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f
    44f1aa8e
auth_mod.h 1.78 KB