Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
Arm Trusted Firmware
Commits
1c301e77
Commit
1c301e77
authored
May 26, 2020
by
Mark Dykes
Committed by
TrustedFirmware Code Review
May 26, 2020
Browse files
Merge "Cleanup the code for TBBR CoT descriptors" into integration
parents
a92d02d6
ad43c49e
Changes
15
Show whitespace changes
Inline
Side-by-side
docs/design/auth-framework.rst
View file @
1c301e77
...
...
@@ -619,11 +619,13 @@ recommended to read this guide along with the source code.
The TBBR CoT
~~~~~~~~~~~~
The CoT can be found in ``drivers/auth/tbbr/tbbr_cot.c``. This CoT consists of
an array of pointers to image descriptors and it is registered in the framework
using the macro ``REGISTER_COT(cot_desc)``, where ``cot_desc`` must be the name
of the array (passing a pointer or any other type of indirection will cause the
registration process to fail).
CoT specific to BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_bl1.c``
and ``drivers/auth/tbbr/tbbr_cot_bl2.c`` respectively. The common CoT used across
BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_common.c``.
This CoT consists of an array of pointers to image descriptors and it is
registered in the framework using the macro ``REGISTER_COT(cot_desc)``, where
``cot_desc`` must be the name of the array (passing a pointer or any other
type of indirection will cause the registration process to fail).
The number of images participating in the boot process depends on the CoT.
There is, however, a minimum set of images that are mandatory in TF-A and thus
...
...
@@ -702,7 +704,7 @@ Each image descriptor must specify:
address/size to store the parameter. The CoT is responsible for allocating
the required memory to store the parameters. This pointer may be NULL.
In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters
In the ``tbbr_cot
*
.c`` file, a set of buffers are allocated to store the parameters
extracted from the certificates. In the case of the TBBR CoT, these parameters
are hashes and public keys. In DER format, an RSA-4096 public key requires 550
bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication
...
...
drivers/auth/dualroot/cot.c
View file @
1c301e77
...
...
@@ -12,44 +12,6 @@
#include <drivers/auth/auth_mod.h>
#include <tools_share/dualroot_oid.h>
/*
* TODO: Remove dependency on mbedTLS. The chain of trust should be agnostic of
* the specific cryptographic library in use.
*/
/*
* Maximum key and hash sizes (in DER format).
*
* Both RSA and ECDSA keys may be used at the same time. In this case, the key
* buffers must be big enough to hold either. As RSA keys are bigger than ECDSA
* ones for all key sizes we support, they impose the minimum size of these
* buffers.
*/
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE == 1024
#define PK_DER_LEN 162
#elif TF_MBEDTLS_KEY_SIZE == 2048
#define PK_DER_LEN 294
#elif TF_MBEDTLS_KEY_SIZE == 3072
#define PK_DER_LEN 422
#elif TF_MBEDTLS_KEY_SIZE == 4096
#define PK_DER_LEN 550
#else
#error "Invalid value for TF_MBEDTLS_KEY_SIZE"
#endif
#else
/* Only using ECDSA keys. */
#define PK_DER_LEN 91
#endif
#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256
#define HASH_DER_LEN 51
#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384
#define HASH_DER_LEN 67
#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512
#define HASH_DER_LEN 83
#else
#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID"
#endif
/*
* Allocate static buffers to store the authentication parameters extracted from
* the certificates.
...
...
drivers/auth/tbbr/tbbr_cot_bl1.c
0 → 100644
View file @
1c301e77
/*
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <platform_def.h>
#include <drivers/auth/mbedtls/mbedtls_config.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
static
auth_param_type_desc_t
scp_bl2u_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
SCP_FWU_CFG_HASH_OID
);
static
auth_param_type_desc_t
bl2u_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
AP_FWU_CFG_HASH_OID
);
static
auth_param_type_desc_t
ns_bl2u_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
FWU_HASH_OID
);
static
const
auth_img_desc_t
bl2_image
=
{
.
img_id
=
BL2_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
trusted_boot_fw_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
tb_fw_hash
}
}
}
};
/*
* FWU auth descriptor.
*/
static
const
auth_img_desc_t
fwu_cert
=
{
.
img_id
=
FWU_CERT_ID
,
.
img_type
=
IMG_CERT
,
.
parent
=
NULL
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_SIG
,
.
param
.
sig
=
{
.
pk
=
&
subject_pk
,
.
sig
=
&
sig
,
.
alg
=
&
sig_alg
,
.
data
=
&
raw_data
}
}
},
.
authenticated_data
=
(
const
auth_param_desc_t
[
COT_MAX_VERIFIED_PARAMS
])
{
[
0
]
=
{
.
type_desc
=
&
scp_bl2u_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
scp_fw_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
1
]
=
{
.
type_desc
=
&
bl2u_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
tb_fw_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
2
]
=
{
.
type_desc
=
&
ns_bl2u_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
nt_world_bl_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
}
}
};
/*
* SCP_BL2U
*/
static
const
auth_img_desc_t
scp_bl2u_image
=
{
.
img_id
=
SCP_BL2U_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
fwu_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
scp_bl2u_hash
}
}
}
};
/*
* BL2U
*/
static
const
auth_img_desc_t
bl2u_image
=
{
.
img_id
=
BL2U_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
fwu_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
bl2u_hash
}
}
}
};
/*
* NS_BL2U
*/
static
const
auth_img_desc_t
ns_bl2u_image
=
{
.
img_id
=
NS_BL2U_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
fwu_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
ns_bl2u_hash
}
}
}
};
/*
* TB_FW_CONFIG
*/
static
const
auth_img_desc_t
tb_fw_config
=
{
.
img_id
=
TB_FW_CONFIG_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
trusted_boot_fw_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
tb_fw_config_hash
}
}
}
};
/*
* TBBR Chain of trust definition
*/
static
const
auth_img_desc_t
*
const
cot_desc
[]
=
{
[
TRUSTED_BOOT_FW_CERT_ID
]
=
&
trusted_boot_fw_cert
,
[
BL2_IMAGE_ID
]
=
&
bl2_image
,
[
HW_CONFIG_ID
]
=
&
hw_config
,
[
TB_FW_CONFIG_ID
]
=
&
tb_fw_config
,
[
FWU_CERT_ID
]
=
&
fwu_cert
,
[
SCP_BL2U_IMAGE_ID
]
=
&
scp_bl2u_image
,
[
BL2U_IMAGE_ID
]
=
&
bl2u_image
,
[
NS_BL2U_IMAGE_ID
]
=
&
ns_bl2u_image
};
/* Register the CoT in the authentication module */
REGISTER_COT
(
cot_desc
);
drivers/auth/tbbr/tbbr_cot.c
→
drivers/auth/tbbr/tbbr_cot
_bl2
.c
View file @
1c301e77
...
...
@@ -10,60 +10,13 @@
#include <drivers/auth/mbedtls/mbedtls_config.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
/*
* Maximum key and hash sizes (in DER format).
*
* Both RSA and ECDSA keys may be used at the same time. In this case, the key
* buffers must be big enough to hold either. As RSA keys are bigger than ECDSA
* ones for all key sizes we support, they impose the minimum size of these
* buffers.
*/
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE == 1024
#define PK_DER_LEN 162
#elif TF_MBEDTLS_KEY_SIZE == 2048
#define PK_DER_LEN 294
#elif TF_MBEDTLS_KEY_SIZE == 3072
#define PK_DER_LEN 422
#elif TF_MBEDTLS_KEY_SIZE == 4096
#define PK_DER_LEN 550
#else
#error "Invalid value for TF_MBEDTLS_KEY_SIZE"
#endif
#else
/* Only using ECDSA keys. */
#define PK_DER_LEN 91
#endif
#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256
#define HASH_DER_LEN 51
#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384
#define HASH_DER_LEN 67
#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512
#define HASH_DER_LEN 83
#else
#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID"
#endif
/*
* The platform must allocate buffers to store the authentication parameters
* extracted from the certificates. In this case, because of the way the CoT is
* established, we can reuse some of the buffers on different stages
*/
static
unsigned
char
tb_fw_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
tb_fw_config_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
hw_config_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
scp_fw_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
nt_world_bl_hash_buf
[
HASH_DER_LEN
];
#ifdef IMAGE_BL2
static
unsigned
char
soc_fw_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
tos_fw_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
tos_fw_extra1_hash_buf
[
HASH_DER_LEN
];
...
...
@@ -74,40 +27,7 @@ static unsigned char content_pk_buf[PK_DER_LEN];
static
unsigned
char
soc_fw_config_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
tos_fw_config_hash_buf
[
HASH_DER_LEN
];
static
unsigned
char
nt_fw_config_hash_buf
[
HASH_DER_LEN
];
#endif
/*
* Parameter type descriptors
*/
static
auth_param_type_desc_t
trusted_nv_ctr
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_NV_CTR
,
TRUSTED_FW_NVCOUNTER_OID
);
static
auth_param_type_desc_t
subject_pk
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_PUB_KEY
,
0
);
static
auth_param_type_desc_t
sig
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_SIG
,
0
);
static
auth_param_type_desc_t
sig_alg
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_SIG_ALG
,
0
);
static
auth_param_type_desc_t
raw_data
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_RAW_DATA
,
0
);
static
auth_param_type_desc_t
tb_fw_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
TRUSTED_BOOT_FW_HASH_OID
);
static
auth_param_type_desc_t
tb_fw_config_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
TRUSTED_BOOT_FW_CONFIG_HASH_OID
);
static
auth_param_type_desc_t
hw_config_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
HW_CONFIG_HASH_OID
);
#ifdef IMAGE_BL1
static
auth_param_type_desc_t
scp_bl2u_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
SCP_FWU_CFG_HASH_OID
);
static
auth_param_type_desc_t
bl2u_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
AP_FWU_CFG_HASH_OID
);
static
auth_param_type_desc_t
ns_bl2u_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
FWU_HASH_OID
);
#endif
/* IMAGE_BL1 */
#ifdef IMAGE_BL2
static
auth_param_type_desc_t
non_trusted_nv_ctr
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_NV_CTR
,
NON_TRUSTED_FW_NVCOUNTER_OID
);
static
auth_param_type_desc_t
trusted_world_pk
=
AUTH_PARAM_TYPE_DESC
(
...
...
@@ -141,107 +61,6 @@ static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
static
auth_param_type_desc_t
nt_fw_config_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
NON_TRUSTED_FW_CONFIG_HASH_OID
);
#endif
/* IMAGE_BL2 */
/*
* BL2
*/
static
const
auth_img_desc_t
trusted_boot_fw_cert
=
{
.
img_id
=
TRUSTED_BOOT_FW_CERT_ID
,
.
img_type
=
IMG_CERT
,
.
parent
=
NULL
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_SIG
,
.
param
.
sig
=
{
.
pk
=
&
subject_pk
,
.
sig
=
&
sig
,
.
alg
=
&
sig_alg
,
.
data
=
&
raw_data
}
},
[
1
]
=
{
.
type
=
AUTH_METHOD_NV_CTR
,
.
param
.
nv_ctr
=
{
.
cert_nv_ctr
=
&
trusted_nv_ctr
,
.
plat_nv_ctr
=
&
trusted_nv_ctr
}
}
},
.
authenticated_data
=
(
const
auth_param_desc_t
[
COT_MAX_VERIFIED_PARAMS
])
{
[
0
]
=
{
.
type_desc
=
&
tb_fw_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
tb_fw_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
1
]
=
{
.
type_desc
=
&
tb_fw_config_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
tb_fw_config_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
2
]
=
{
.
type_desc
=
&
hw_config_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
hw_config_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
}
}
};
#ifdef IMAGE_BL1
static
const
auth_img_desc_t
bl2_image
=
{
.
img_id
=
BL2_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
trusted_boot_fw_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
tb_fw_hash
}
}
}
};
#endif
/* IMAGE_BL1 */
/* HW Config */
static
const
auth_img_desc_t
hw_config
=
{
.
img_id
=
HW_CONFIG_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
trusted_boot_fw_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
hw_config_hash
}
}
}
};
/* TB FW Config */
#ifdef IMAGE_BL1
static
const
auth_img_desc_t
tb_fw_config
=
{
.
img_id
=
TB_FW_CONFIG_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
trusted_boot_fw_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
tb_fw_config_hash
}
}
}
};
#endif
/* IMAGE_BL1 */
#ifdef IMAGE_BL2
/*
* Trusted key certificate
*/
...
...
@@ -716,117 +535,7 @@ static const auth_img_desc_t nt_fw_config = {
}
}
};
#else
/* IMAGE_BL2 */
/*
* FWU auth descriptor.
*/
static
const
auth_img_desc_t
fwu_cert
=
{
.
img_id
=
FWU_CERT_ID
,
.
img_type
=
IMG_CERT
,
.
parent
=
NULL
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_SIG
,
.
param
.
sig
=
{
.
pk
=
&
subject_pk
,
.
sig
=
&
sig
,
.
alg
=
&
sig_alg
,
.
data
=
&
raw_data
}
}
},
.
authenticated_data
=
(
const
auth_param_desc_t
[
COT_MAX_VERIFIED_PARAMS
])
{
[
0
]
=
{
.
type_desc
=
&
scp_bl2u_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
scp_fw_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
1
]
=
{
.
type_desc
=
&
bl2u_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
tb_fw_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
2
]
=
{
.
type_desc
=
&
ns_bl2u_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
nt_world_bl_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
}
}
};
/*
* SCP_BL2U
*/
static
const
auth_img_desc_t
scp_bl2u_image
=
{
.
img_id
=
SCP_BL2U_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
fwu_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
scp_bl2u_hash
}
}
}
};
/*
* BL2U
*/
static
const
auth_img_desc_t
bl2u_image
=
{
.
img_id
=
BL2U_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
fwu_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
bl2u_hash
}
}
}
};
/*
* NS_BL2U
*/
static
const
auth_img_desc_t
ns_bl2u_image
=
{
.
img_id
=
NS_BL2U_IMAGE_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
fwu_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
ns_bl2u_hash
}
}
}
};
#endif
/* IMAGE_BL2 */
/*
* TBBR Chain of trust definition
*/
#ifdef IMAGE_BL1
static
const
auth_img_desc_t
*
const
cot_desc
[]
=
{
[
TRUSTED_BOOT_FW_CERT_ID
]
=
&
trusted_boot_fw_cert
,
[
BL2_IMAGE_ID
]
=
&
bl2_image
,
[
HW_CONFIG_ID
]
=
&
hw_config
,
[
TB_FW_CONFIG_ID
]
=
&
tb_fw_config
,
[
FWU_CERT_ID
]
=
&
fwu_cert
,
[
SCP_BL2U_IMAGE_ID
]
=
&
scp_bl2u_image
,
[
BL2U_IMAGE_ID
]
=
&
bl2u_image
,
[
NS_BL2U_IMAGE_ID
]
=
&
ns_bl2u_image
};
#else
/* IMAGE_BL2 */
static
const
auth_img_desc_t
*
const
cot_desc
[]
=
{
[
TRUSTED_BOOT_FW_CERT_ID
]
=
&
trusted_boot_fw_cert
,
[
HW_CONFIG_ID
]
=
&
hw_config
,
...
...
@@ -849,7 +558,6 @@ static const auth_img_desc_t * const cot_desc[] = {
[
BL33_IMAGE_ID
]
=
&
bl33_image
,
[
NT_FW_CONFIG_ID
]
=
&
nt_fw_config
,
};
#endif
/* Register the CoT in the authentication module */
REGISTER_COT
(
cot_desc
);
drivers/auth/tbbr/tbbr_cot_common.c
0 → 100644
View file @
1c301e77
/*
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <platform_def.h>
#include <drivers/auth/mbedtls/mbedtls_config.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
/*
* The platform must allocate buffers to store the authentication parameters
* extracted from the certificates. In this case, because of the way the CoT is
* established, we can reuse some of the buffers on different stages
*/
unsigned
char
tb_fw_hash_buf
[
HASH_DER_LEN
];
unsigned
char
tb_fw_config_hash_buf
[
HASH_DER_LEN
];
unsigned
char
hw_config_hash_buf
[
HASH_DER_LEN
];
unsigned
char
scp_fw_hash_buf
[
HASH_DER_LEN
];
unsigned
char
nt_world_bl_hash_buf
[
HASH_DER_LEN
];
/*
* common Parameter type descriptors across BL1 and BL2
*/
auth_param_type_desc_t
trusted_nv_ctr
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_NV_CTR
,
TRUSTED_FW_NVCOUNTER_OID
);
auth_param_type_desc_t
subject_pk
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_PUB_KEY
,
0
);
auth_param_type_desc_t
sig
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_SIG
,
0
);
auth_param_type_desc_t
sig_alg
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_SIG_ALG
,
0
);
auth_param_type_desc_t
raw_data
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_RAW_DATA
,
0
);
/* common hash used across BL1 and BL2 */
auth_param_type_desc_t
tb_fw_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
TRUSTED_BOOT_FW_HASH_OID
);
auth_param_type_desc_t
tb_fw_config_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
TRUSTED_BOOT_FW_CONFIG_HASH_OID
);
auth_param_type_desc_t
hw_config_hash
=
AUTH_PARAM_TYPE_DESC
(
AUTH_PARAM_HASH
,
HW_CONFIG_HASH_OID
);
/* trusted_boot_fw_cert */
const
auth_img_desc_t
trusted_boot_fw_cert
=
{
.
img_id
=
TRUSTED_BOOT_FW_CERT_ID
,
.
img_type
=
IMG_CERT
,
.
parent
=
NULL
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_SIG
,
.
param
.
sig
=
{
.
pk
=
&
subject_pk
,
.
sig
=
&
sig
,
.
alg
=
&
sig_alg
,
.
data
=
&
raw_data
}
},
[
1
]
=
{
.
type
=
AUTH_METHOD_NV_CTR
,
.
param
.
nv_ctr
=
{
.
cert_nv_ctr
=
&
trusted_nv_ctr
,
.
plat_nv_ctr
=
&
trusted_nv_ctr
}
}
},
.
authenticated_data
=
(
const
auth_param_desc_t
[
COT_MAX_VERIFIED_PARAMS
])
{
[
0
]
=
{
.
type_desc
=
&
tb_fw_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
tb_fw_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
1
]
=
{
.
type_desc
=
&
tb_fw_config_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
tb_fw_config_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
},
[
2
]
=
{
.
type_desc
=
&
hw_config_hash
,
.
data
=
{
.
ptr
=
(
void
*
)
hw_config_hash_buf
,
.
len
=
(
unsigned
int
)
HASH_DER_LEN
}
}
}
};
/* HW Config */
const
auth_img_desc_t
hw_config
=
{
.
img_id
=
HW_CONFIG_ID
,
.
img_type
=
IMG_RAW
,
.
parent
=
&
trusted_boot_fw_cert
,
.
img_auth_methods
=
(
const
auth_method_desc_t
[
AUTH_METHOD_NUM
])
{
[
0
]
=
{
.
type
=
AUTH_METHOD_HASH
,
.
param
.
hash
=
{
.
data
=
&
raw_data
,
.
hash
=
&
hw_config_hash
}
}
}
};
include/common/tbbr/cot_def.h
View file @
1c301e77
/*
* Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2015
-2020
, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
...
...
@@ -11,4 +11,38 @@
#define COT_MAX_VERIFIED_PARAMS 4
/*
* Maximum key and hash sizes (in DER format).
*
* Both RSA and ECDSA keys may be used at the same time. In this case, the key
* buffers must be big enough to hold either. As RSA keys are bigger than ECDSA
* ones for all key sizes we support, they impose the minimum size of these
* buffers.
*/
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE == 1024
#define PK_DER_LEN 162
#elif TF_MBEDTLS_KEY_SIZE == 2048
#define PK_DER_LEN 294
#elif TF_MBEDTLS_KEY_SIZE == 3072
#define PK_DER_LEN 422
#elif TF_MBEDTLS_KEY_SIZE == 4096
#define PK_DER_LEN 550
#else
#error "Invalid value for TF_MBEDTLS_KEY_SIZE"
#endif
#else
/* Only using ECDSA keys. */
#define PK_DER_LEN 91
#endif
#if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256
#define HASH_DER_LEN 51
#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384
#define HASH_DER_LEN 67
#elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512
#define HASH_DER_LEN 83
#else
#error "Invalid value for TF_MBEDTLS_HASH_ALG_ID"
#endif
#endif
/* COT_DEF_H */
include/drivers/auth/tbbr_cot_common.h
0 → 100644
View file @
1c301e77
/*
* Copyright (c) 2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef TBBR_COT_COMMON_H
#define TBBR_COT_COMMON_H
#include <drivers/auth/auth_mod.h>
extern
unsigned
char
tb_fw_hash_buf
[
HASH_DER_LEN
];
extern
unsigned
char
tb_fw_config_hash_buf
[
HASH_DER_LEN
];
extern
unsigned
char
hw_config_hash_buf
[
HASH_DER_LEN
];
extern
unsigned
char
scp_fw_hash_buf
[
HASH_DER_LEN
];
extern
unsigned
char
nt_world_bl_hash_buf
[
HASH_DER_LEN
];
extern
auth_param_type_desc_t
trusted_nv_ctr
;
extern
auth_param_type_desc_t
subject_pk
;
extern
auth_param_type_desc_t
sig
;
extern
auth_param_type_desc_t
sig_alg
;
extern
auth_param_type_desc_t
raw_data
;
extern
auth_param_type_desc_t
tb_fw_hash
;
extern
auth_param_type_desc_t
tb_fw_config_hash
;
extern
auth_param_type_desc_t
hw_config_hash
;
extern
const
auth_img_desc_t
trusted_boot_fw_cert
;
extern
const
auth_img_desc_t
hw_config
;
#endif
/* TBBR_COT_COMMON_H */
plat/arm/common/arm_common.mk
View file @
1c301e77
...
...
@@ -297,7 +297,7 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
# Include the selected chain of trust sources.
ifeq
(${COT},tbbr)
AUTH_SOURCES
+=
drivers/auth/tbbr/tbbr_cot.c
AUTH_SOURCES
+=
drivers/auth/tbbr/tbbr_cot
_common
.c
else
ifeq
(${COT},dualroot)
AUTH_SOURCES
+=
drivers/auth/dualroot/cot.c
else
...
...
@@ -307,10 +307,12 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
BL1_SOURCES
+=
${AUTH_SOURCES}
\
bl1/tbbr/tbbr_img_desc.c
\
plat/arm/common/arm_bl1_fwu.c
\
drivers/auth/tbbr/tbbr_cot_bl1.c
\
plat/common/tbbr/plat_tbbr.c
BL2_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
plat/common/tbbr/plat_tbbr.c
\
drivers/auth/tbbr/tbbr_cot_bl2.c
$(eval
$(call
TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_))
...
...
plat/brcm/board/common/board_common.mk
View file @
1c301e77
...
...
@@ -213,7 +213,8 @@ KEY_ALG := rsa_1_5
AUTH_SOURCES
+=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
drivers/auth/tbbr/tbbr_cot_common.c
\
drivers/auth/tbbr/tbbr_cot_bl2.c
BL2_SOURCES
+=
${AUTH_SOURCES}
...
...
plat/hisilicon/hikey/platform.mk
View file @
1c301e77
#
# Copyright (c) 2017-20
18
, ARM Limited and Contributors. All rights reserved.
# Copyright (c) 2017-20
20
, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
...
...
@@ -126,17 +126,19 @@ include drivers/auth/mbedtls/mbedtls_x509.mk
AUTH_SOURCES
:=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
drivers/auth/tbbr/tbbr_cot
_common
.c
BL1_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
plat/hisilicon/hikey/hikey_tbbr.c
\
plat/hisilicon/hikey/hikey_rotpk.S
plat/hisilicon/hikey/hikey_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl1.c
BL2_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
plat/hisilicon/hikey/hikey_tbbr.c
\
plat/hisilicon/hikey/hikey_rotpk.S
plat/hisilicon/hikey/hikey_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl2.c
ROT_KEY
=
$(BUILD_PLAT)
/rot_key.pem
ROTPK_HASH
=
$(BUILD_PLAT)
/rotpk_sha256.bin
...
...
plat/hisilicon/hikey960/platform.mk
View file @
1c301e77
#
# Copyright (c) 2017-20
18
, ARM Limited and Contributors. All rights reserved.
# Copyright (c) 2017-20
20
, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
...
...
@@ -118,17 +118,19 @@ include drivers/auth/mbedtls/mbedtls_x509.mk
AUTH_SOURCES
:=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
drivers/auth/tbbr/tbbr_cot
_common
.c
BL1_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
plat/hisilicon/hikey960/hikey960_tbbr.c
\
plat/hisilicon/hikey960/hikey960_rotpk.S
plat/hisilicon/hikey960/hikey960_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl1.c
BL2_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
plat/hisilicon/hikey960/hikey960_tbbr.c
\
plat/hisilicon/hikey960/hikey960_rotpk.S
plat/hisilicon/hikey960/hikey960_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl2.c
ROT_KEY
=
$(BUILD_PLAT)
/rot_key.pem
ROTPK_HASH
=
$(BUILD_PLAT)
/rotpk_sha256.bin
...
...
plat/imx/imx7/common/imx7.mk
View file @
1c301e77
#
# Copyright (c) 2018-20
19
, ARM Limited and Contributors. All rights reserved.
# Copyright (c) 2018-20
20
, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
...
...
@@ -58,12 +58,13 @@ include drivers/auth/mbedtls/mbedtls_x509.mk
AUTH_SOURCES
:=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
drivers/auth/tbbr/tbbr_cot
_common
.c
BL2_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
plat/imx/imx7/common/imx7_trusted_boot.c
\
plat/imx/imx7/common/imx7_rotpk.S
plat/imx/imx7/common/imx7_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl2.c
ROT_KEY
=
$(BUILD_PLAT)
/rot_key.pem
ROTPK_HASH
=
$(BUILD_PLAT)
/rotpk_sha256.bin
...
...
plat/qemu/qemu/platform.mk
View file @
1c301e77
...
...
@@ -59,18 +59,20 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
AUTH_SOURCES
:=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
drivers/auth/tbbr/tbbr_cot
_common
.c
BL1_SOURCES
+=
${AUTH_SOURCES}
\
bl1/tbbr/tbbr_img_desc.c
\
plat/common/tbbr/plat_tbbr.c
\
${PLAT_QEMU_COMMON_PATH}
/qemu_trusted_boot.c
\
$(PLAT_QEMU_COMMON_PATH)
/qemu_rotpk.S
$(PLAT_QEMU_COMMON_PATH)
/qemu_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl1.c
BL2_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
${PLAT_QEMU_COMMON_PATH}
/qemu_trusted_boot.c
\
$(PLAT_QEMU_COMMON_PATH)
/qemu_rotpk.S
$(PLAT_QEMU_COMMON_PATH)
/qemu_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl2.c
ROT_KEY
=
$(BUILD_PLAT)
/rot_key.pem
ROTPK_HASH
=
$(BUILD_PLAT)
/rotpk_sha256.bin
...
...
plat/rpi/rpi3/platform.mk
View file @
1c301e77
#
# Copyright (c) 2013-20
19
, ARM Limited and Contributors. All rights reserved.
# Copyright (c) 2013-20
20
, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
...
...
@@ -185,18 +185,20 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
AUTH_SOURCES
:=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
drivers/auth/tbbr/tbbr_cot
_common
.c
BL1_SOURCES
+=
${AUTH_SOURCES}
\
bl1/tbbr/tbbr_img_desc.c
\
plat/common/tbbr/plat_tbbr.c
\
plat/rpi/common/rpi3_trusted_boot.c
\
plat/rpi/common/rpi3_rotpk.S
plat/rpi/common/rpi3_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl1.c
BL2_SOURCES
+=
${AUTH_SOURCES}
\
plat/common/tbbr/plat_tbbr.c
\
plat/rpi/common/rpi3_trusted_boot.c
\
plat/rpi/common/rpi3_rotpk.S
plat/rpi/common/rpi3_rotpk.S
\
drivers/auth/tbbr/tbbr_cot_bl2.c
ROT_KEY
=
$(BUILD_PLAT)
/rot_key.pem
ROTPK_HASH
=
$(BUILD_PLAT)
/rotpk_sha256.bin
...
...
plat/socionext/uniphier/platform.mk
View file @
1c301e77
...
...
@@ -92,7 +92,8 @@ include drivers/auth/mbedtls/mbedtls_x509.mk
BL2_SOURCES
+=
drivers/auth/auth_mod.c
\
drivers/auth/crypto_mod.c
\
drivers/auth/img_parser_mod.c
\
drivers/auth/tbbr/tbbr_cot.c
\
drivers/auth/tbbr/tbbr_cot_common.c
\
drivers/auth/tbbr/tbbr_cot_bl2.c
\
plat/common/tbbr/plat_tbbr.c
\
$(PLAT_PATH)
/uniphier_rotpk.S
\
$(PLAT_PATH)
/uniphier_tbbr.c
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment