Unverified Commit 0d018306 authored by Dimitris Papastamos's avatar Dimitris Papastamos Committed by GitHub

Merge pull request #1386 from soby-mathew/sm/dyn_bl31

Extend dynamic configuration
parents 41e48fed 1d71ba14
...@@ -401,6 +401,16 @@ ifeq ($(FAULT_INJECTION_SUPPORT),1) ...@@ -401,6 +401,16 @@ ifeq ($(FAULT_INJECTION_SUPPORT),1)
endif endif
endif endif
# DYN_DISABLE_AUTH can be set only when TRUSTED_BOARD_BOOT=1 and LOAD_IMAGE_V2=1
ifeq ($(DYN_DISABLE_AUTH), 1)
ifeq (${TRUSTED_BOARD_BOOT}, 0)
$(error "TRUSTED_BOARD_BOOT must be enabled for DYN_DISABLE_AUTH to be set.")
endif
ifeq (${LOAD_IMAGE_V2}, 0)
$(error "DYN_DISABLE_AUTH is only supported for LOAD_IMAGE_V2.")
endif
endif
################################################################################ ################################################################################
# Process platform overrideable behaviour # Process platform overrideable behaviour
################################################################################ ################################################################################
...@@ -517,6 +527,7 @@ $(eval $(call assert_boolean,CTX_INCLUDE_AARCH32_REGS)) ...@@ -517,6 +527,7 @@ $(eval $(call assert_boolean,CTX_INCLUDE_AARCH32_REGS))
$(eval $(call assert_boolean,CTX_INCLUDE_FPREGS)) $(eval $(call assert_boolean,CTX_INCLUDE_FPREGS))
$(eval $(call assert_boolean,DEBUG)) $(eval $(call assert_boolean,DEBUG))
$(eval $(call assert_boolean,DISABLE_PEDANTIC)) $(eval $(call assert_boolean,DISABLE_PEDANTIC))
$(eval $(call assert_boolean,DYN_DISABLE_AUTH))
$(eval $(call assert_boolean,EL3_EXCEPTION_HANDLING)) $(eval $(call assert_boolean,EL3_EXCEPTION_HANDLING))
$(eval $(call assert_boolean,ENABLE_AMU)) $(eval $(call assert_boolean,ENABLE_AMU))
$(eval $(call assert_boolean,ENABLE_ASSERTIONS)) $(eval $(call assert_boolean,ENABLE_ASSERTIONS))
...@@ -620,6 +631,11 @@ else ...@@ -620,6 +631,11 @@ else
$(eval $(call add_define,AARCH64)) $(eval $(call add_define,AARCH64))
endif endif
# Define the DYN_DISABLE_AUTH flag only if set.
ifeq (${DYN_DISABLE_AUTH},1)
$(eval $(call add_define,DYN_DISABLE_AUTH))
endif
################################################################################ ################################################################################
# Build targets # Build targets
################################################################################ ################################################################################
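Review bot: Nothing in the new `ifeq ($(DYN_DISABLE_AUTH), 1)` block ties the option to a development build. It only rejects the combinations with `TRUSTED_BOARD_BOOT=0` and `LOAD_IMAGE_V2=0`, so a release image (`DEBUG=0`) can carry the run-time authentication bypass without any build-time signal. Since the documentation added in this commit says the option is for development platforms only, I would add a visible marker inside the block, for example `$(warning "DYN_DISABLE_AUTH is enabled: image authentication can be switched off at run time.")`. Whether this should instead be an `$(error ...)` for `DEBUG=0` is a policy decision for the maintainers.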
......
/* /*
* Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2013-2018, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
...@@ -17,6 +17,35 @@ ...@@ -17,6 +17,35 @@
#include <utils.h> #include <utils.h>
#include <xlat_tables_defs.h> #include <xlat_tables_defs.h>
#if TRUSTED_BOARD_BOOT
# ifdef DYN_DISABLE_AUTH
static int disable_auth;
/******************************************************************************
* API to dynamically disable authentication. Only meant for development
* systems. This is only invoked if DYN_DISABLE_AUTH is defined. This
* capability is restricted to LOAD_IMAGE_V2.
*****************************************************************************/
void dyn_disable_auth(void)
{
INFO("Disabling authentication of images dynamically\n");
disable_auth = 1;
}
# endif /* DYN_DISABLE_AUTH */
/******************************************************************************
* Function to determine whether the authentication is disabled dynamically.
*****************************************************************************/
static int dyn_is_auth_disabled(void)
{
# ifdef DYN_DISABLE_AUTH
return disable_auth;
# else
return 0;
# endif
}
#endif /* TRUSTED_BOARD_BOOT */
uintptr_t page_align(uintptr_t value, unsigned dir) uintptr_t page_align(uintptr_t value, unsigned dir)
{ {
/* Round up the limit to the next page boundary */ /* Round up the limit to the next page boundary */
...@@ -287,14 +316,16 @@ static int load_auth_image_internal(unsigned int image_id, ...@@ -287,14 +316,16 @@ static int load_auth_image_internal(unsigned int image_id,
int rc; int rc;
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
unsigned int parent_id; if (dyn_is_auth_disabled() == 0) {
unsigned int parent_id;
/* Use recursion to authenticate parent images */
rc = auth_mod_get_parent_id(image_id, &parent_id); /* Use recursion to authenticate parent images */
if (rc == 0) { rc = auth_mod_get_parent_id(image_id, &parent_id);
rc = load_auth_image_internal(parent_id, image_data, 1); if (rc == 0) {
if (rc != 0) { rc = load_auth_image_internal(parent_id, image_data, 1);
return rc; if (rc != 0) {
return rc;
}
} }
} }
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */
...@@ -306,17 +337,19 @@ static int load_auth_image_internal(unsigned int image_id, ...@@ -306,17 +337,19 @@ static int load_auth_image_internal(unsigned int image_id,
} }
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
/* Authenticate it */ if (dyn_is_auth_disabled() == 0) {
rc = auth_mod_verify_img(image_id, /* Authenticate it */
(void *)image_data->image_base, rc = auth_mod_verify_img(image_id,
image_data->image_size); (void *)image_data->image_base,
if (rc != 0) { image_data->image_size);
/* Authentication error, zero memory and flush it right away. */ if (rc != 0) {
zero_normalmem((void *)image_data->image_base, /* Authentication error, zero memory and flush it right away. */
image_data->image_size); zero_normalmem((void *)image_data->image_base,
flush_dcache_range(image_data->image_base, image_data->image_size);
image_data->image_size); flush_dcache_range(image_data->image_base,
return -EAUTH; image_data->image_size);
return -EAUTH;
}
} }
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */
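Review bot: The only trace that Trusted Board Boot checks were switched off is the `INFO(...)` call in `dyn_disable_auth()`, and INFO-level output is presumably compiled out at lower log levels. In such a build both the parent-chain walk and `auth_mod_verify_img()` in `load_auth_image_internal` would be skipped with nothing in the boot log. I would raise it to `WARN("Disabling authentication of images dynamically\n");` so the state is visible at the log levels a deployed build is likely to use. The header comment should also state that `disable_auth` is only ever set and never cleared, so one call affects every later image load in that boot stage. The body of `load_auth_image_internal` continues outside these hunks.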
......
...@@ -323,6 +323,11 @@ Common build options ...@@ -323,6 +323,11 @@ Common build options
- ``DEBUG``: Chooses between a debug and release build. It can take either 0 - ``DEBUG``: Chooses between a debug and release build. It can take either 0
(release) or 1 (debug) as values. 0 is the default. (release) or 1 (debug) as values. 0 is the default.
- ``DYN_DISABLE_AUTH``: Enables the capability to disable Trusted Board Boot
authentication. This option is only meant to be enabled for development
platforms. Both TRUSTED_BOARD_BOOT and the LOAD_IMAGE_V2 flags need to be
set if this flag has to be enabled. 0 is the default.
- ``EL3_PAYLOAD_BASE``: This option enables booting an EL3 payload instead of - ``EL3_PAYLOAD_BASE``: This option enables booting an EL3 payload instead of
the normal boot flow. It must specify the entry point address of the EL3 the normal boot flow. It must specify the entry point address of the EL3
payload. Please refer to the "Booting an EL3 payload" section for more payload. Please refer to the "Booting an EL3 payload" section for more
......
...@@ -38,6 +38,9 @@ static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; ...@@ -38,6 +38,9 @@ static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
static unsigned char trusted_world_pk_buf[PK_DER_LEN]; static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN]; static unsigned char content_pk_buf[PK_DER_LEN];
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
/* /*
* Parameter type descriptors * Parameter type descriptors
...@@ -80,14 +83,20 @@ static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( ...@@ -80,14 +83,20 @@ static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FW_HASH_OID); AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
...@@ -379,6 +388,13 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -379,6 +388,13 @@ static const auth_img_desc_t cot_desc[] = {
.ptr = (void *)soc_fw_hash_buf, .ptr = (void *)soc_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
},
[1] = {
.type_desc = &soc_fw_config_hash,
.data = {
.ptr = (void *)soc_fw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
} }
} }
}, },
...@@ -396,6 +412,21 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -396,6 +412,21 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
/* SOC FW Config */
[SOC_FW_CONFIG_ID] = {
.img_id = SOC_FW_CONFIG_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &soc_fw_config_hash,
}
}
}
},
/* /*
* Trusted OS Firmware * Trusted OS Firmware
*/ */
...@@ -474,6 +505,13 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -474,6 +505,13 @@ static const auth_img_desc_t cot_desc[] = {
.ptr = (void *)tos_fw_extra2_hash_buf, .ptr = (void *)tos_fw_extra2_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
},
[3] = {
.type_desc = &tos_fw_config_hash,
.data = {
.ptr = (void *)tos_fw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
} }
} }
}, },
...@@ -519,6 +557,21 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -519,6 +557,21 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
/* TOS FW Config */
[TOS_FW_CONFIG_ID] = {
.img_id = TOS_FW_CONFIG_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &tos_fw_config_hash,
}
}
}
},
/* /*
* Non-Trusted Firmware * Non-Trusted Firmware
*/ */
...@@ -583,6 +636,13 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -583,6 +636,13 @@ static const auth_img_desc_t cot_desc[] = {
.ptr = (void *)nt_world_bl_hash_buf, .ptr = (void *)nt_world_bl_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
},
[1] = {
.type_desc = &nt_fw_config_hash,
.data = {
.ptr = (void *)nt_fw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
} }
} }
}, },
...@@ -600,6 +660,21 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -600,6 +660,21 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
/* NT FW Config */
[NT_FW_CONFIG_ID] = {
.img_id = NT_FW_CONFIG_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &nt_fw_config_hash,
}
}
}
},
/* /*
* FWU auth descriptor. * FWU auth descriptor.
*/ */
......
...@@ -233,6 +233,14 @@ void reserve_mem(uintptr_t *free_base, size_t *free_size, ...@@ -233,6 +233,14 @@ void reserve_mem(uintptr_t *free_base, size_t *free_size,
#endif /* LOAD_IMAGE_V2 */ #endif /* LOAD_IMAGE_V2 */
#if TRUSTED_BOARD_BOOT && defined(DYN_DISABLE_AUTH)
/*
* API to dynamically disable authentication. Only meant for development
* systems.
*/
void dyn_disable_auth(void);
#endif
extern const char build_message[]; extern const char build_message[];
extern const char version_string[]; extern const char version_string[];
......
...@@ -87,7 +87,7 @@ ...@@ -87,7 +87,7 @@
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
# define PLAT_ARM_MAX_BL2_SIZE 0x1E000 # define PLAT_ARM_MAX_BL2_SIZE 0x1E000
#else #else
# define PLAT_ARM_MAX_BL2_SIZE 0xF000 # define PLAT_ARM_MAX_BL2_SIZE 0x10000
#endif #endif
/* /*
......
...@@ -317,7 +317,7 @@ ...@@ -317,7 +317,7 @@
* and limit. Leave enough space of BL2 meminfo. * and limit. Leave enough space of BL2 meminfo.
*/ */
#define ARM_TB_FW_CONFIG_BASE ARM_BL_RAM_BASE + sizeof(meminfo_t) #define ARM_TB_FW_CONFIG_BASE ARM_BL_RAM_BASE + sizeof(meminfo_t)
#define ARM_TB_FW_CONFIG_LIMIT BL2_LIMIT #define ARM_TB_FW_CONFIG_LIMIT BL2_BASE
/******************************************************************************* /*******************************************************************************
* BL1 specific defines. * BL1 specific defines.
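Review bot: `ARM_TB_FW_CONFIG_BASE` expands to `ARM_BL_RAM_BASE + sizeof(meminfo_t)` without parentheses, so any expression combining it with the changed `ARM_TB_FW_CONFIG_LIMIT` (for example `LIMIT - BASE` to get the region size) would evaluate incorrectly. Because this hunk redefines the region's upper bound, it is a good place to harden the pair: `#define ARM_TB_FW_CONFIG_BASE (ARM_BL_RAM_BASE + sizeof(meminfo_t))`. A one-line comment noting that the limit is now `BL2_BASE`, because the config must sit below BL2 rather than inside it, would also help later porters.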
......
...@@ -9,8 +9,9 @@ ...@@ -9,8 +9,9 @@
#include <stdint.h> #include <stdint.h>
/* Function declaration */ /* Function declaration */
int arm_dyn_get_hwconfig_info(void *dtb, int node, int arm_dyn_get_config_load_info(void *dtb, int node, unsigned int config_id,
uint64_t *hw_config_addr, uint32_t *hw_config_size); uint64_t *config_addr, uint32_t *config_size);
int arm_dyn_tb_fw_cfg_init(void *dtb, int *node); int arm_dyn_tb_fw_cfg_init(void *dtb, int *node);
int arm_dyn_get_disable_auth(void *dtb, int node, uint32_t *disable_auth);
#endif /* __ARM_DYN_CFG_HELPERS_H__ */ #endif /* __ARM_DYN_CFG_HELPERS_H__ */
...@@ -68,6 +68,12 @@ ...@@ -68,6 +68,12 @@
{0xd9f1b808, 0xcfc9, 0x4993, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} } {0xd9f1b808, 0xcfc9, 0x4993, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
#define UUID_TB_FW_CONFIG \ #define UUID_TB_FW_CONFIG \
{0xff58046c, 0x6baf, 0x4f7d, 0x82, 0xed, {0xaa, 0x27, 0xbc, 0x69, 0xbf, 0xd2} } {0xff58046c, 0x6baf, 0x4f7d, 0x82, 0xed, {0xaa, 0x27, 0xbc, 0x69, 0xbf, 0xd2} }
#define UUID_SOC_FW_CONFIG \
{0x4b817999, 0x7603, 0x46fb, 0x8c, 0x8e, {0x8d, 0x26, 0x7f, 0x78, 0x59, 0xe0} }
#define UUID_TOS_FW_CONFIG \
{0x1a7c2526, 0xc6bd, 0x477f, 0x8d, 0x96, {0xc4, 0xc4, 0xb0, 0x24, 0x80, 0x21} }
#define UUID_NT_FW_CONFIG \
{0x1598da28, 0xe893, 0x447e, 0xac, 0x66, {0x1a, 0xaf, 0x80, 0x15, 0x50, 0xf9} }
typedef struct fip_toc_header { typedef struct fip_toc_header {
uint32_t name; uint32_t name;
......
...@@ -75,7 +75,6 @@ ...@@ -75,7 +75,6 @@
/* SoCFirmwareContentCertPK */ /* SoCFirmwareContentCertPK */
#define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501" #define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501"
/* /*
* SoC Firmware Content Certificate * SoC Firmware Content Certificate
*/ */
...@@ -86,7 +85,8 @@ ...@@ -86,7 +85,8 @@
#define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602" #define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602"
/* SoCAPFirmwareHash - BL31 */ /* SoCAPFirmwareHash - BL31 */
#define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603" #define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603"
/* SoCFirmwareConfigHash = SOC_FW_CONFIG */
#define SOC_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.604"
/* /*
* SCP Firmware Key Certificate * SCP Firmware Key Certificate
...@@ -124,6 +124,8 @@ ...@@ -124,6 +124,8 @@
#define TRUSTED_OS_FW_EXTRA1_HASH_OID "1.3.6.1.4.1.4128.2100.1002" #define TRUSTED_OS_FW_EXTRA1_HASH_OID "1.3.6.1.4.1.4128.2100.1002"
/* TrustedOSExtra2FirmwareHash - BL32 Extra2 */ /* TrustedOSExtra2FirmwareHash - BL32 Extra2 */
#define TRUSTED_OS_FW_EXTRA2_HASH_OID "1.3.6.1.4.1.4128.2100.1003" #define TRUSTED_OS_FW_EXTRA2_HASH_OID "1.3.6.1.4.1.4128.2100.1003"
/* TrustedOSFirmwareConfigHash - TOS_FW_CONFIG */
#define TRUSTED_OS_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.1004"
/* /*
...@@ -140,5 +142,7 @@ ...@@ -140,5 +142,7 @@
/* NonTrustedWorldBootloaderHash - BL33 */ /* NonTrustedWorldBootloaderHash - BL33 */
#define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201" #define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201"
/* NonTrustedFirmwareConfigHash - NT_FW_CONFIG */
#define NON_TRUSTED_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.1202"
#endif /* __TBBR_OID_H__ */ #endif /* __TBBR_OID_H__ */
...@@ -58,6 +58,10 @@ DEBUG := 0 ...@@ -58,6 +58,10 @@ DEBUG := 0
# Build platform # Build platform
DEFAULT_PLAT := fvp DEFAULT_PLAT := fvp
# Enable capability to disable authentication dynamically. Only meant for
# development platforms.
DYN_DISABLE_AUTH := 0
# Flag to enable Performance Measurement Framework # Flag to enable Performance Measurement Framework
ENABLE_PMF := 0 ENABLE_PMF := 0
......
/*
* Copyright (c) 2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/dts-v1/;
/ {
};
/*
* Copyright (c) 2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/dts-v1/;
/ {
};
...@@ -12,5 +12,19 @@ ...@@ -12,5 +12,19 @@
compatible = "arm,tb_fw"; compatible = "arm,tb_fw";
hw_config_addr = <0x0 0x82000000>; hw_config_addr = <0x0 0x82000000>;
hw_config_max_size = <0x01000000>; hw_config_max_size = <0x01000000>;
/* Disable authentication for development */
disable_auth = <0x1>;
/*
* Load SoC and TOS firmware configs at the base of
* non shared SRAM. The runtime checks ensure we don't
* overlap BL2, BL31 or BL32. The NT firmware config
* is loaded at base of DRAM.
*/
soc_fw_config_addr = <0x0 0x04001000>;
soc_fw_config_max_size = <0x200>;
tos_fw_config_addr = <0x0 0x04001200>;
tos_fw_config_max_size = <0x200>;
nt_fw_config_addr = <0x0 0x80000000>;
nt_fw_config_max_size = <0x200>;
}; };
}; };
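Review bot: The checked-in FVP TB_FW_CONFIG sets `disable_auth = <0x1>;`, and the FVP platform makefile in this commit forces `DYN_DISABLE_AUTH := 1` whenever `TRUSTED_BOARD_BOOT` and `LOAD_IMAGE_V2` are set. Together these mean a default FVP Trusted Board Boot build appears to skip image authentication out of the box. Anyone using FVP to validate a chain of trust would get a passing boot even with wrong hashes or certificates. I would ship `disable_auth = <0x0>;` and leave the comment explaining that developers can flip it locally, so that bypassing authentication is opt-in.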
/*
* Copyright (c) 2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/dts-v1/;
/ {
};
...@@ -166,11 +166,30 @@ BL31_SOURCES += drivers/arm/smmu/smmu_v3.c \ ...@@ -166,11 +166,30 @@ BL31_SOURCES += drivers/arm/smmu/smmu_v3.c \
# Add the FDT_SOURCES and options for Dynamic Config (only for Unix env) # Add the FDT_SOURCES and options for Dynamic Config (only for Unix env)
ifdef UNIX_MK ifdef UNIX_MK
FVP_HW_CONFIG_DTS := fdts/${FVP_DT_PREFIX}.dts FVP_HW_CONFIG_DTS := fdts/${FVP_DT_PREFIX}.dts
FDT_SOURCES += plat/arm/board/fvp/fdts/${PLAT}_tb_fw_config.dts FDT_SOURCES += $(addprefix plat/arm/board/fvp/fdts/, \
${PLAT}_tb_fw_config.dts \
${PLAT}_soc_fw_config.dts \
${PLAT}_nt_fw_config.dts \
)
FVP_TB_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_tb_fw_config.dtb FVP_TB_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_tb_fw_config.dtb
FVP_SOC_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_soc_fw_config.dtb
FVP_NT_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_nt_fw_config.dtb
ifeq (${SPD},tspd)
FDT_SOURCES += plat/arm/board/fvp/fdts/${PLAT}_tsp_fw_config.dts
FVP_TOS_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_tsp_fw_config.dtb
# Add the TOS_FW_CONFIG to FIP and specify the same to certtool
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_TOS_FW_CONFIG},--tos-fw-config))
endif
# Add the TB_FW_CONFIG to FIP and specify the same to certtool # Add the TB_FW_CONFIG to FIP and specify the same to certtool
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_TB_FW_CONFIG},--tb-fw-config)) $(eval $(call TOOL_ADD_PAYLOAD,${FVP_TB_FW_CONFIG},--tb-fw-config))
# Add the SOC_FW_CONFIG to FIP and specify the same to certtool
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_SOC_FW_CONFIG},--soc-fw-config))
# Add the NT_FW_CONFIG to FIP and specify the same to certtool
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_NT_FW_CONFIG},--nt-fw-config))
FDT_SOURCES += ${FVP_HW_CONFIG_DTS} FDT_SOURCES += ${FVP_HW_CONFIG_DTS}
$(eval FVP_HW_CONFIG := ${BUILD_PLAT}/$(patsubst %.dts,%.dtb,$(FVP_HW_CONFIG_DTS))) $(eval FVP_HW_CONFIG := ${BUILD_PLAT}/$(patsubst %.dts,%.dtb,$(FVP_HW_CONFIG_DTS)))
...@@ -208,3 +227,11 @@ endif ...@@ -208,3 +227,11 @@ endif
include plat/arm/board/common/board_common.mk include plat/arm/board/common/board_common.mk
include plat/arm/common/arm_common.mk include plat/arm/common/arm_common.mk
# FVP being a development platform, enable capability to disable Authentication
# dynamically if TRUSTED_BOARD_BOOT and LOAD_IMAGE_V2 is set.
ifeq (${TRUSTED_BOARD_BOOT}, 1)
ifeq (${LOAD_IMAGE_V2}, 1)
DYN_DISABLE_AUTH := 1
endif
endif
...@@ -91,6 +91,15 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { ...@@ -91,6 +91,15 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING), VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
.next_handoff_image_id = INVALID_IMAGE_ID, .next_handoff_image_id = INVALID_IMAGE_ID,
}, },
/* Fill SOC_FW_CONFIG related information */
{
.image_id = SOC_FW_CONFIG_ID,
SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY,
VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE),
SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY,
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
.next_handoff_image_id = INVALID_IMAGE_ID,
},
# ifdef BL32_BASE # ifdef BL32_BASE
/* Fill BL32 related information */ /* Fill BL32 related information */
{ {
...@@ -144,6 +153,16 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { ...@@ -144,6 +153,16 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
#endif #endif
.next_handoff_image_id = INVALID_IMAGE_ID, .next_handoff_image_id = INVALID_IMAGE_ID,
}, },
/* Fill TOS_FW_CONFIG related information */
{
.image_id = TOS_FW_CONFIG_ID,
SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY,
VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE),
SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY,
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
.next_handoff_image_id = INVALID_IMAGE_ID,
},
# endif /* BL32_BASE */ # endif /* BL32_BASE */
/* Fill BL33 related information */ /* Fill BL33 related information */
...@@ -166,6 +185,15 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { ...@@ -166,6 +185,15 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
# endif /* PRELOADED_BL33_BASE */ # endif /* PRELOADED_BL33_BASE */
.next_handoff_image_id = INVALID_IMAGE_ID, .next_handoff_image_id = INVALID_IMAGE_ID,
},
/* Fill NT_FW_CONFIG related information */
{
.image_id = NT_FW_CONFIG_ID,
SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY,
VERSION_2, entry_point_info_t, NON_SECURE | NON_EXECUTABLE),
SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY,
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
.next_handoff_image_id = INVALID_IMAGE_ID,
} }
#endif /* EL3_PAYLOAD_BASE */ #endif /* EL3_PAYLOAD_BASE */
}; };
......
...@@ -207,14 +207,21 @@ void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1, u_register_ ...@@ -207,14 +207,21 @@ void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1, u_register_
} }
/* /*
* Perform ARM standard platform setup. * Perform BL2 preload setup. Currently we initialise the dynamic
* configuration here.
*/ */
void arm_bl2_platform_setup(void) void bl2_plat_preload_setup(void)
{ {
#if LOAD_IMAGE_V2 #if LOAD_IMAGE_V2
arm_bl2_dyn_cfg_init(); arm_bl2_dyn_cfg_init();
#endif #endif
}
/*
* Perform ARM standard platform setup.
*/
void arm_bl2_platform_setup(void)
{
/* Initialize the secure environment */ /* Initialize the secure environment */
plat_arm_security_setup(); plat_arm_security_setup();
......
...@@ -157,7 +157,6 @@ BL1_SOURCES += drivers/arm/sp805/sp805.c \ ...@@ -157,7 +157,6 @@ BL1_SOURCES += drivers/arm/sp805/sp805.c \
drivers/io/io_memmap.c \ drivers/io/io_memmap.c \
drivers/io/io_storage.c \ drivers/io/io_storage.c \
plat/arm/common/arm_bl1_setup.c \ plat/arm/common/arm_bl1_setup.c \
plat/arm/common/arm_dyn_cfg.c \
plat/arm/common/arm_err.c \ plat/arm/common/arm_err.c \
plat/arm/common/arm_io_storage.c plat/arm/common/arm_io_storage.c
ifdef EL3_PAYLOAD_BASE ifdef EL3_PAYLOAD_BASE
...@@ -177,11 +176,15 @@ BL2_SOURCES += drivers/delay_timer/delay_timer.c \ ...@@ -177,11 +176,15 @@ BL2_SOURCES += drivers/delay_timer/delay_timer.c \
# Add `libfdt` and Arm common helpers required for Dynamic Config # Add `libfdt` and Arm common helpers required for Dynamic Config
include lib/libfdt/libfdt.mk include lib/libfdt/libfdt.mk
BL2_SOURCES += plat/arm/common/arm_dyn_cfg.c \
DYN_CFG_SOURCES += plat/arm/common/arm_dyn_cfg.c \
plat/arm/common/arm_dyn_cfg_helpers.c \ plat/arm/common/arm_dyn_cfg_helpers.c \
common/fdt_wrappers.c \ common/fdt_wrappers.c \
${LIBFDT_SRCS} ${LIBFDT_SRCS}
BL1_SOURCES += ${DYN_CFG_SOURCES}
BL2_SOURCES += ${DYN_CFG_SOURCES}
ifeq (${BL2_AT_EL3},1) ifeq (${BL2_AT_EL3},1)
BL2_SOURCES += plat/arm/common/arm_bl2_el3_setup.c BL2_SOURCES += plat/arm/common/arm_bl2_el3_setup.c
endif endif
......
...@@ -54,6 +54,24 @@ void arm_load_tb_fw_config(void) ...@@ -54,6 +54,24 @@ void arm_load_tb_fw_config(void)
INFO("BL1: TB_FW_CONFIG loaded at address = %p\n", INFO("BL1: TB_FW_CONFIG loaded at address = %p\n",
(void *) config_base); (void *) config_base);
#if TRUSTED_BOARD_BOOT && defined(DYN_DISABLE_AUTH)
int tb_fw_node;
uint32_t disable_auth = 0;
err = arm_dyn_tb_fw_cfg_init((void *)config_base, &tb_fw_node);
if (err < 0) {
WARN("Invalid TB_FW_CONFIG loaded\n");
return;
}
err = arm_dyn_get_disable_auth((void *)config_base, tb_fw_node, &disable_auth);
if (err < 0)
return;
if (disable_auth == 1)
dyn_disable_auth();
#endif
} }
/* /*
...@@ -67,14 +85,25 @@ void arm_bl2_set_tb_cfg_addr(void *dtb) ...@@ -67,14 +85,25 @@ void arm_bl2_set_tb_cfg_addr(void *dtb)
/* /*
* BL2 utility function to initialize dynamic configuration specified by * BL2 utility function to initialize dynamic configuration specified by
* TB_FW_CONFIG. Return early if TB_FW_CONFIG is not found or HW_CONFIG is * TB_FW_CONFIG. Populate the bl_mem_params_node_t of other FW_CONFIGs if
* not specified in TB_FW_CONFIG. * specified in TB_FW_CONFIG.
*/ */
void arm_bl2_dyn_cfg_init(void) void arm_bl2_dyn_cfg_init(void)
{ {
int err = 0; int err = 0, tb_fw_node;
int tb_fw_node; unsigned int i;
bl_mem_params_node_t *hw_cfg_mem_params = NULL; bl_mem_params_node_t *cfg_mem_params = NULL;
uint64_t image_base;
uint32_t image_size;
const unsigned int config_ids[] = {
HW_CONFIG_ID,
SOC_FW_CONFIG_ID,
NT_FW_CONFIG_ID,
#ifdef SPD_tspd
/* Currently tos_fw_config is only present for TSP */
TOS_FW_CONFIG_ID
#endif
};
if (tb_fw_cfg_dtb == NULL) { if (tb_fw_cfg_dtb == NULL) {
VERBOSE("No TB_FW_CONFIG specified\n"); VERBOSE("No TB_FW_CONFIG specified\n");
...@@ -87,23 +116,69 @@ void arm_bl2_dyn_cfg_init(void) ...@@ -87,23 +116,69 @@ void arm_bl2_dyn_cfg_init(void)
panic(); panic();
} }
/* Get the hw_config load address and size from TB_FW_CONFIG */ /* Iterate through all the fw config IDs */
hw_cfg_mem_params = get_bl_mem_params_node(HW_CONFIG_ID); for (i = 0; i < ARRAY_SIZE(config_ids); i++) {
if (hw_cfg_mem_params == NULL) { /* Get the config load address and size from TB_FW_CONFIG */
VERBOSE("Couldn't find HW_CONFIG in bl_mem_params_node\n"); cfg_mem_params = get_bl_mem_params_node(config_ids[i]);
return; if (cfg_mem_params == NULL) {
VERBOSE("Couldn't find HW_CONFIG in bl_mem_params_node\n");
continue;
}
err = arm_dyn_get_config_load_info((void *)tb_fw_cfg_dtb, tb_fw_node,
config_ids[i], &image_base, &image_size);
if (err < 0) {
VERBOSE("Couldn't find config_id %d load info in TB_FW_CONFIG\n",
config_ids[i]);
continue;
}
/*
* Do some runtime checks on the load addresses of soc_fw_config,
* tos_fw_config, nt_fw_config. This is not a comprehensive check
* of all invalid addresses but to prevent trivial porting errors.
*/
if (config_ids[i] != HW_CONFIG_ID) {
if (check_uptr_overflow(image_base, image_size) != 0)
continue;
/* Ensure the configs don't overlap with BL2 */
if ((image_base > BL2_BASE) || ((image_base + image_size) > BL2_BASE))
continue;
/* Ensure the configs are loaded in a valid address */
if (image_base < ARM_BL_RAM_BASE)
continue;
#ifdef BL32_BASE
/*
* If BL32 is present, ensure that the configs don't
* overlap with it.
*/
if (image_base >= BL32_BASE && image_base <= BL32_LIMIT)
continue;
#endif
}
cfg_mem_params->image_info.image_base = (uintptr_t)image_base;
cfg_mem_params->image_info.image_max_size = image_size;
/* Remove the IMAGE_ATTRIB_SKIP_LOADING attribute from HW_CONFIG node */
cfg_mem_params->image_info.h.attr &= ~IMAGE_ATTRIB_SKIP_LOADING;
} }
err = arm_dyn_get_hwconfig_info((void *)tb_fw_cfg_dtb, tb_fw_node, #if TRUSTED_BOARD_BOOT && defined(DYN_DISABLE_AUTH)
(uint64_t *) &hw_cfg_mem_params->image_info.image_base, uint32_t disable_auth = 0;
&hw_cfg_mem_params->image_info.image_max_size);
if (err < 0) { err = arm_dyn_get_disable_auth((void *)tb_fw_cfg_dtb, tb_fw_node,
VERBOSE("Couldn't find HW_CONFIG load info in TB_FW_CONFIG\n"); &disable_auth);
if (err < 0)
return; return;
}
/* Remove the IMAGE_ATTRIB_SKIP_LOADING attribute from HW_CONFIG node */ if (disable_auth == 1)
hw_cfg_mem_params->image_info.h.attr &= ~IMAGE_ATTRIB_SKIP_LOADING; dyn_disable_auth();
#endif
} }
#endif /* LOAD_IMAGE_V2 */ #endif /* LOAD_IMAGE_V2 */
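Review bot: The BL32 overlap test in `arm_bl2_dyn_cfg_init` checks only the start address (`image_base >= BL32_BASE && image_base <= BL32_LIMIT`), so a config that begins below `BL32_BASE` and extends into it is accepted. Comparing the whole range closes this: `if (image_base <= BL32_LIMIT && (image_base + image_size) > BL32_BASE) continue;`. Every rejected address is dropped with a bare `continue`, which leaves `IMAGE_ATTRIB_SKIP_LOADING` set and logs nothing. The `image_base > BL2_BASE` test also appears to reject the DRAM `nt_fw_config_addr` from the FVP device tree in this commit, so a `WARN` naming `config_ids[i]` on each rejection path would make these cases visible. Separately, the not-found `VERBOSE` still says "HW_CONFIG" although it now fires for every id, and `config_ids[i]` is `unsigned int` but is printed with `%d`.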