Commit 007be5ec authored by Sandrine Bailleux's avatar Sandrine Bailleux Committed by TrustedFirmware Code Review
Browse files

Merge changes from topic "sp_dual_signing" into integration

* changes:
  dualroot: add chain of trust for Platform owned SPs
  cert_create: add Platform owned secure partitions support
parents 26630942 2947412d
...@@ -743,29 +743,60 @@ static const auth_img_desc_t sip_sp_content_cert = { ...@@ -743,29 +743,60 @@ static const auth_img_desc_t sip_sp_content_cert = {
.ptr = (void *)sp_pkg_hash_buf[3], .ptr = (void *)sp_pkg_hash_buf[3],
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
}
}
};
DEFINE_SIP_SP_PKG(1);
DEFINE_SIP_SP_PKG(2);
DEFINE_SIP_SP_PKG(3);
DEFINE_SIP_SP_PKG(4);
static const auth_img_desc_t plat_sp_content_cert = {
.img_id = PLAT_SP_CONTENT_CERT_ID,
.img_type = IMG_CERT,
.parent = NULL,
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &prot_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data
}
},
[1] = {
.type = AUTH_METHOD_NV_CTR,
.param.nv_ctr = {
.cert_nv_ctr = &non_trusted_nv_ctr,
.plat_nv_ctr = &non_trusted_nv_ctr
}
}
}, },
[4] = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = {
.type_desc = &sp_pkg5_hash, .type_desc = &sp_pkg5_hash,
.data = { .data = {
.ptr = (void *)sp_pkg_hash_buf[4], .ptr = (void *)sp_pkg_hash_buf[4],
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
}, },
[5] = { [1] = {
.type_desc = &sp_pkg6_hash, .type_desc = &sp_pkg6_hash,
.data = { .data = {
.ptr = (void *)sp_pkg_hash_buf[5], .ptr = (void *)sp_pkg_hash_buf[5],
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
}, },
[6] = { [2] = {
.type_desc = &sp_pkg7_hash, .type_desc = &sp_pkg7_hash,
.data = { .data = {
.ptr = (void *)sp_pkg_hash_buf[6], .ptr = (void *)sp_pkg_hash_buf[6],
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
}, },
[7] = { [3] = {
.type_desc = &sp_pkg8_hash, .type_desc = &sp_pkg8_hash,
.data = { .data = {
.ptr = (void *)sp_pkg_hash_buf[7], .ptr = (void *)sp_pkg_hash_buf[7],
...@@ -775,14 +806,10 @@ static const auth_img_desc_t sip_sp_content_cert = { ...@@ -775,14 +806,10 @@ static const auth_img_desc_t sip_sp_content_cert = {
} }
}; };
DEFINE_SIP_SP_PKG(1); DEFINE_PLAT_SP_PKG(5);
DEFINE_SIP_SP_PKG(2); DEFINE_PLAT_SP_PKG(6);
DEFINE_SIP_SP_PKG(3); DEFINE_PLAT_SP_PKG(7);
DEFINE_SIP_SP_PKG(4); DEFINE_PLAT_SP_PKG(8);
DEFINE_SIP_SP_PKG(5);
DEFINE_SIP_SP_PKG(6);
DEFINE_SIP_SP_PKG(7);
DEFINE_SIP_SP_PKG(8);
#endif /* SPD_spmd */ #endif /* SPD_spmd */
#else /* IMAGE_BL2 */ #else /* IMAGE_BL2 */
...@@ -915,6 +942,7 @@ static const auth_img_desc_t * const cot_desc[] = { ...@@ -915,6 +942,7 @@ static const auth_img_desc_t * const cot_desc[] = {
[NT_FW_CONFIG_ID] = &nt_fw_config, [NT_FW_CONFIG_ID] = &nt_fw_config,
#if defined(SPD_spmd) #if defined(SPD_spmd)
[SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert, [SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert,
[PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert,
[SP_PKG1_ID] = &sp_pkg1, [SP_PKG1_ID] = &sp_pkg1,
[SP_PKG2_ID] = &sp_pkg2, [SP_PKG2_ID] = &sp_pkg2,
[SP_PKG3_ID] = &sp_pkg3, [SP_PKG3_ID] = &sp_pkg3,
......
...@@ -11,16 +11,17 @@ ...@@ -11,16 +11,17 @@
#if defined(SPD_spmd) #if defined(SPD_spmd)
#define SIP_SP_CONTENT_CERT_ID MAX_IMAGE_IDS #define SIP_SP_CONTENT_CERT_ID MAX_IMAGE_IDS
#define SP_PKG1_ID (MAX_IMAGE_IDS + 1) #define PLAT_SP_CONTENT_CERT_ID (MAX_IMAGE_IDS + 1)
#define SP_PKG2_ID (MAX_IMAGE_IDS + 2) #define SP_PKG1_ID (MAX_IMAGE_IDS + 2)
#define SP_PKG3_ID (MAX_IMAGE_IDS + 3) #define SP_PKG2_ID (MAX_IMAGE_IDS + 3)
#define SP_PKG4_ID (MAX_IMAGE_IDS + 4) #define SP_PKG3_ID (MAX_IMAGE_IDS + 4)
#define SP_PKG5_ID (MAX_IMAGE_IDS + 5) #define SP_PKG4_ID (MAX_IMAGE_IDS + 5)
#define SP_PKG6_ID (MAX_IMAGE_IDS + 6) #define SP_PKG5_ID (MAX_IMAGE_IDS + 6)
#define SP_PKG7_ID (MAX_IMAGE_IDS + 7) #define SP_PKG6_ID (MAX_IMAGE_IDS + 7)
#define SP_PKG8_ID (MAX_IMAGE_IDS + 8) #define SP_PKG7_ID (MAX_IMAGE_IDS + 8)
#define SP_PKG8_ID (MAX_IMAGE_IDS + 9)
#define MAX_SP_IDS U(8) #define MAX_SP_IDS U(8)
#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(1)) #define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(2))
#else #else
#define MAX_NUMBER_IDS MAX_IMAGE_IDS #define MAX_NUMBER_IDS MAX_IMAGE_IDS
#endif #endif
......
...@@ -51,11 +51,15 @@ extern const size_t cot_desc_size; ...@@ -51,11 +51,15 @@ extern const size_t cot_desc_size;
extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
#if defined(SPD_spmd) #if defined(SPD_spmd)
#define DEFINE_SIP_SP_PKG(n) \
#define DEFINE_SIP_SP_PKG(n) DEFINE_SP_PKG(n, sip_sp_content_cert)
#define DEFINE_PLAT_SP_PKG(n) DEFINE_SP_PKG(n, plat_sp_content_cert)
#define DEFINE_SP_PKG(n, cert) \
static const auth_img_desc_t sp_pkg##n = { \ static const auth_img_desc_t sp_pkg##n = { \
.img_id = SP_PKG##n##_ID, \ .img_id = SP_PKG##n##_ID, \
.img_type = IMG_RAW, \ .img_type = IMG_RAW, \
.parent = &sip_sp_content_cert, \ .parent = &cert, \
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
[0] = { \ [0] = { \
.type = AUTH_METHOD_HASH, \ .type = AUTH_METHOD_HASH, \
...@@ -66,6 +70,7 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; ...@@ -66,6 +70,7 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
} \ } \
} \ } \
} }
#endif #endif
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */
......
...@@ -66,6 +66,8 @@ ...@@ -66,6 +66,8 @@
{{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } {{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
#define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \ #define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \
{{0x77, 0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} } {{0x77, 0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} }
#define UUID_PLAT_SECURE_PARTITION_CONTENT_CERT \
{{0xdd, 0xcb, 0xbf, 0x4a}, {0xca, 0xd6}, {0x11, 0xea}, 0x87, 0xd0, {0x02, 0x42, 0xac, 0x13, 0x00, 0x03} }
/* Dynamic configs */ /* Dynamic configs */
#define UUID_HW_CONFIG \ #define UUID_HW_CONFIG \
{{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} } {{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
......
...@@ -76,7 +76,8 @@ static const struct uuidnames uuidnames[] = { ...@@ -76,7 +76,8 @@ static const struct uuidnames uuidnames[] = {
{"fw.cfg", UUID_FW_CONFIG}, {"fw.cfg", UUID_FW_CONFIG},
{"rot-k.crt", UUID_ROT_KEY_CERT}, {"rot-k.crt", UUID_ROT_KEY_CERT},
{"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT}, {"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT},
{"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT} {"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT},
{"plat-sp.crt", UUID_PLAT_SECURE_PARTITION_CONTENT_CERT}
}; };
/******************************************************************************* /*******************************************************************************
......
...@@ -103,4 +103,7 @@ endif ...@@ -103,4 +103,7 @@ endif
# Add SiP owned Secure Partitions CoT (image cert) # Add SiP owned Secure Partitions CoT (image cert)
ifneq (${SP_LAYOUT_FILE},) ifneq (${SP_LAYOUT_FILE},)
$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert)) $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert))
ifeq (${COT},dualroot)
$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/plat_sp_content.crt,--plat-sp-cert))
endif
endif endif
...@@ -23,6 +23,7 @@ enum { ...@@ -23,6 +23,7 @@ enum {
/* Certificates owned by the platform owner. */ /* Certificates owned by the platform owner. */
NON_TRUSTED_FW_CONTENT_CERT, NON_TRUSTED_FW_CONTENT_CERT,
PLAT_SECURE_PARTITION_CONTENT_CERT,
}; };
/* Certificate extensions. */ /* Certificate extensions. */
......
...@@ -152,12 +152,27 @@ static cert_t cot_certs[] = { ...@@ -152,12 +152,27 @@ static cert_t cot_certs[] = {
SP_PKG2_HASH_EXT, SP_PKG2_HASH_EXT,
SP_PKG3_HASH_EXT, SP_PKG3_HASH_EXT,
SP_PKG4_HASH_EXT, SP_PKG4_HASH_EXT,
},
.num_ext = 5
},
[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
.opt = "plat-sp-cert",
.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
.fn = NULL,
.cn = "Platform owned Secure Partition Content Certificate",
.key = PROT_KEY,
.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
.ext = {
NON_TRUSTED_FW_NVCOUNTER_EXT,
SP_PKG5_HASH_EXT, SP_PKG5_HASH_EXT,
SP_PKG6_HASH_EXT, SP_PKG6_HASH_EXT,
SP_PKG7_HASH_EXT, SP_PKG7_HASH_EXT,
SP_PKG8_HASH_EXT, SP_PKG8_HASH_EXT,
PROT_PK_EXT,
}, },
.num_ext = 9 .num_ext = 6
}, },
[FWU_CERT] = { [FWU_CERT] = {
......
...@@ -161,6 +161,11 @@ toc_entry_t toc_entries[] = { ...@@ -161,6 +161,11 @@ toc_entry_t toc_entries[] = {
.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT, .uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
.cmdline_name = "sip-sp-cert" .cmdline_name = "sip-sp-cert"
}, },
{
.name = "Platform owned Secure Partition content certificate",
.uuid = UUID_PLAT_SECURE_PARTITION_CONTENT_CERT,
.cmdline_name = "plat-sp-cert"
},
{ {
.name = NULL, .name = NULL,
.uuid = { {0} }, .uuid = { {0} },
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment