Commit 84f95bed authored by danh-arm's avatar danh-arm
Browse files

Merge pull request #315 from jcastillo-arm/jc/tbb_tmp9

Authentication Framework
parents dba12894 d337aaaf
......@@ -28,20 +28,6 @@
# POSSIBILITY OF SUCH DAMAGE.
#
PLAT_INCLUDES += -Iinclude/plat/arm/board/common/
PLAT_BL_COMMON_SOURCES += plat/arm/board/common/board_css_common.c
PLAT_BL_COMMON_SOURCES += drivers/arm/pl011/pl011_console.S \
plat/arm/board/common/aarch64/board_arm_helpers.S \
plat/arm/board/common/board_css_common.c
#BL1_SOURCES +=
#BL2_SOURCES +=
#BL31_SOURCES +=
ifneq (${TRUSTED_BOARD_BOOT},0)
BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
endif
include plat/arm/board/common/board_common.mk
:7zrG2s2IY^JJF"
\ No newline at end of file
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDLLGDVjWPUB3l+
xxaWvU0kTqyG5rdx48VUC+cUHL0pGsE/erYCqqs2xNk2aWziZcObsb89qFYmy/0E
AbqsPlQyynleu7IF6gZY8nS64fSHwBkKH2YHd4SDoRzv/yhZ58NofSYgQ+tWY/M5
MdgrUam8T9D23pXcX1vB7ZBv7CiRfhfteJD0YKfEx09Q7V0TOiErcMVhewghZTrN
glaMekesieilSEgx2R1G5YWGmKDlwKZqvQfkkldhB499Wk3Krja5VgQQ8my+9jts
gD6+DqNNx9R+p0nU8tK8zzCo53SPZN+8XEdozEBM+IPMy0A1BGDKs6QXnwPKHVr6
0a8hVxDTAgMBAAECggEAfwsc8ewbhDW4TwIGqfNtDUr0rtYN13VpqohW0ki2L8G/
HQaKUViO/wxQFqoNn/OqQO0AfHmKhXAAokTCiXngBHJ/OjF7vB7+IRhazZEE6u2/
uoivr/OYNQbFpXyTqsQ1eFzpPju6KKcPK7BzT4Mc89ek/vloFAi8w6LdMl8lbvOg
LBWqX+5A+UQoenPUTvYM4U22YNcEAWubkpsYAmViiWiac+a+uPRk39aKyfOedDNu
+ty9MtCwekivoUTfP/1+O+jFlDnPMJUOEkBmcBqxseYYAHu7blBpdHxYpAItC2pv
YwJJSvsE+HLBLPk177Jahg7sOUqcP0F/X+T65yuvIQKBgQDxdjXdJT5K8j7rG2fv
2bvF2H1GPaHaTYRk0EGI2Ql6Nn+ddfeCE6gaT7aPPgg87wAhNu93coFuYHw0p/sc
ZkXMJ+BmlstPV555cWXmwcxZLsni0fOXrt4YxwWkZwmh74m0NVM/cSFw56PU0oj1
yDNeq3fgmsJocmuNTe1eG9qA7QKBgQDXaAGrNA5Xel5mqqMYTHHQWI6l2uzdNtt7
eDn3K9+Eh3ywTqrwP845MAjKDU2Lq61I6t2H89dEifHq823VIcLCHd9BF04MrAH7
qDPzrmPP2iB9g+YFmGBKe+K0HFE1t1KrTlo9VV6ZAC6RJNLAgwD4kvfIVYNkCGwe
+hoZBdhgvwKBgBrOsPQ4ak4PzwRzKnrqhXpVqrLdrNZ7vLMkm+IBlpfG7SwiKLR8
UjF5oB8PGAML1cvaOYPdZplGhQOjkrF4eU9NLhC1tSS96Y46FMIlyfYsx6UzAgRZ
GbdOgUXbWqpr2bH0KaXlfXz3eqzqIuKGs41TJB//jo3iBibN/AhytzORAoGAeGov
5KDpE4XYl9Pz8HVremjG9Xh4yQENmOwQm1fvT4rd7UFM1ZkVk2qCv1DIdLe32vdQ
d9ucDzh+ADWsxGRnF1TTpPN+Mh9FzISu5h4qtdreJsxBHgecbIbsqHrb+wdMM29N
itPaWfV8Eq9fETcqp8qgsWD8XkNHDdoKFMrrtskCgYAoSt/Je1D3ZE/3HEjez7bq
fenS3J6KG2SEn2PNFn+R0R5vBo4DaV/cQysKh44GD2+sh0QDyh6nuWJufyhPzROP
DU6DCLbwNePj/yaGuzi36oLt6bBgfPWCiJY7jIdK8DmTLW25m7fRtCC5pxZlSzgl
KBf7R6cbaTvaFe05Y2FJXA==
-----END PRIVATE KEY-----
......@@ -55,6 +55,11 @@ arm_config_t arm_config;
DEVICE1_SIZE, \
MT_DEVICE | MT_RW | MT_SECURE)
#define MAP_DEVICE2 MAP_REGION_FLAT(DEVICE2_BASE, \
DEVICE2_SIZE, \
MT_DEVICE | MT_RO | MT_SECURE)
/*
* Table of regions for various BL stages to map using the MMU.
* This doesn't include TZRAM as the 'mem_layout' argument passed to
......@@ -67,6 +72,7 @@ const mmap_region_t plat_arm_mmap[] = {
V2M_MAP_IOFPGA,
MAP_DEVICE0,
MAP_DEVICE1,
MAP_DEVICE2,
{0}
};
#endif
......@@ -77,6 +83,7 @@ const mmap_region_t plat_arm_mmap[] = {
V2M_MAP_IOFPGA,
MAP_DEVICE0,
MAP_DEVICE1,
MAP_DEVICE2,
ARM_MAP_NS_DRAM1,
ARM_MAP_TSP_SEC_MEM,
{0}
......
......@@ -58,13 +58,25 @@
#define DEVICE1_BASE 0x2f000000
#define DEVICE1_SIZE 0x200000
/* Devices in the second GB */
#define DEVICE2_BASE 0x7fe00000
#define DEVICE2_SIZE 0x00200000
#define NSRAM_BASE 0x2e000000
#define NSRAM_SIZE 0x10000
#define PCIE_EXP_BASE 0x40000000
#define TZRNG_BASE 0x7fe60000
#define TZNVCTR_BASE 0x7fe70000
#define TZROOTKEY_BASE 0x7fe80000
/* Keys */
#define SOC_KEYS_BASE 0x7fe80000
#define TZ_PUB_KEY_HASH_BASE (SOC_KEYS_BASE + 0x0000)
#define TZ_PUB_KEY_HASH_SIZE 32
#define HU_KEY_BASE (SOC_KEYS_BASE + 0x0020)
#define HU_KEY_SIZE 16
#define END_KEY_BASE (SOC_KEYS_BASE + 0x0044)
#define END_KEY_SIZE 32
/* Constants to distinguish FVP type */
#define HBI_BASE_FVP 0x020
......
......@@ -29,16 +29,88 @@
*/
#include <assert.h>
#include <common_def.h>
#include <debug.h>
#include <io_driver.h>
#include <io_storage.h>
#include <io_semihosting.h>
#include <plat_arm.h>
#include <semihosting.h> /* For FOPEN_MODE_... */
/* Semihosting filenames */
#define BL2_IMAGE_NAME "bl2.bin"
#define BL31_IMAGE_NAME "bl31.bin"
#define BL32_IMAGE_NAME "bl32.bin"
#define BL33_IMAGE_NAME "bl33.bin"
#if TRUSTED_BOARD_BOOT
#define BL2_CERT_NAME "bl2.crt"
#define TRUSTED_KEY_CERT_NAME "trusted_key.crt"
#define BL31_KEY_CERT_NAME "bl31_key.crt"
#define BL32_KEY_CERT_NAME "bl32_key.crt"
#define BL33_KEY_CERT_NAME "bl33_key.crt"
#define BL31_CERT_NAME "bl31.crt"
#define BL32_CERT_NAME "bl32.crt"
#define BL33_CERT_NAME "bl33.crt"
#endif /* TRUSTED_BOARD_BOOT */
/* IO devices */
static const io_dev_connector_t *sh_dev_con;
static uintptr_t sh_dev_handle;
static const io_file_spec_t sh_file_spec[] = {
[BL2_IMAGE_ID] = {
.path = BL2_IMAGE_NAME,
.mode = FOPEN_MODE_RB
},
[BL31_IMAGE_ID] = {
.path = BL31_IMAGE_NAME,
.mode = FOPEN_MODE_RB
},
[BL32_IMAGE_ID] = {
.path = BL32_IMAGE_NAME,
.mode = FOPEN_MODE_RB
},
[BL33_IMAGE_ID] = {
.path = BL33_IMAGE_NAME,
.mode = FOPEN_MODE_RB
},
#if TRUSTED_BOARD_BOOT
[BL2_CERT_ID] = {
.path = BL2_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[TRUSTED_KEY_CERT_ID] = {
.path = TRUSTED_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL31_KEY_CERT_ID] = {
.path = BL31_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL32_KEY_CERT_ID] = {
.path = BL32_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL33_KEY_CERT_ID] = {
.path = BL33_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL31_CERT_ID] = {
.path = BL31_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL32_CERT_ID] = {
.path = BL32_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL33_CERT_ID] = {
.path = BL33_CERT_NAME,
.mode = FOPEN_MODE_RB
},
#endif /* TRUSTED_BOARD_BOOT */
};
static int open_semihosting(const uintptr_t spec)
{
......@@ -75,13 +147,17 @@ void plat_arm_io_setup(void)
(void)io_result;
}
int plat_arm_get_alt_image_source(
const uintptr_t image_spec,
uintptr_t *dev_handle)
/*
* FVP provides semihosting as an alternative to load images
*/
int plat_arm_get_alt_image_source(unsigned int image_id, uintptr_t *dev_handle,
uintptr_t *image_spec)
{
int result = open_semihosting(image_spec);
if (result == IO_SUCCESS)
int result = open_semihosting((const uintptr_t)&sh_file_spec[image_id]);
if (result == IO_SUCCESS) {
*dev_handle = sh_dev_handle;
*image_spec = (uintptr_t)&sh_file_spec[image_id];
}
return result;
}
......@@ -29,12 +29,10 @@
#
PLAT_INCLUDES := -Iinclude/plat/arm/board/common \
-Iplat/arm/board/fvp/include
PLAT_INCLUDES := -Iplat/arm/board/fvp/include
PLAT_BL_COMMON_SOURCES := drivers/arm/pl011/pl011_console.S \
plat/arm/board/fvp/aarch64/fvp_common.c
PLAT_BL_COMMON_SOURCES := plat/arm/board/fvp/aarch64/fvp_common.c
BL1_SOURCES += drivers/io/io_semihosting.c \
lib/cpus/aarch64/aem_generic.S \
......@@ -65,10 +63,5 @@ BL31_SOURCES += lib/cpus/aarch64/aem_generic.S \
plat/arm/board/fvp/aarch64/fvp_helpers.S \
plat/arm/board/fvp/drivers/pwrc/fvp_pwrc.c
ifneq (${TRUSTED_BOARD_BOOT},0)
BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
endif
include plat/arm/board/common/board_common.mk
include plat/arm/common/arm_common.mk
......@@ -40,7 +40,6 @@ BL2_SOURCES += plat/arm/board/juno/juno_security.c \
BL31_SOURCES += lib/cpus/aarch64/cortex_a53.S \
lib/cpus/aarch64/cortex_a57.S
# Enable workarounds for selected Cortex-A57 erratas.
ERRATA_A57_806969 := 0
ERRATA_A57_813420 := 1
......@@ -53,3 +52,7 @@ include plat/arm/board/common/board_css.mk
include plat/arm/common/arm_common.mk
include plat/arm/soc/common/soc_css.mk
include plat/arm/css/common/css_common.mk
ifeq (${KEY_ALG},ecdsa)
$(error "ECDSA key algorithm is not fully supported on Juno.")
endif
......@@ -46,7 +46,8 @@ endif
# Process flags
$(eval $(call add_define,ARM_TSP_RAM_LOCATION_ID))
PLAT_INCLUDES += -Iinclude/plat/arm/common \
PLAT_INCLUDES += -Iinclude/common/tbbr \
-Iinclude/plat/arm/common \
-Iinclude/plat/arm/common/aarch64
......@@ -83,3 +84,31 @@ BL31_SOURCES += drivers/arm/cci/cci.c \
plat/arm/common/arm_topology.c \
plat/common/plat_gic.c \
plat/common/aarch64/platform_mp_stack.S
ifneq (${TRUSTED_BOARD_BOOT},0)
# By default, ARM platforms use RSA keys
KEY_ALG := rsa
# Include common TBB sources
AUTH_SOURCES := drivers/auth/auth_mod.c \
drivers/auth/crypto_mod.c \
drivers/auth/img_parser_mod.c \
drivers/auth/tbbr/tbbr_cot.c \
BL1_SOURCES += ${AUTH_SOURCES}
BL2_SOURCES += ${AUTH_SOURCES}
MBEDTLS_KEY_ALG := ${KEY_ALG}
# We expect to locate the *.mk files under the directories specified below
CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
IMG_PARSER_LIB_MK := drivers/auth/mbedtls/mbedtls_x509.mk
$(info Including ${CRYPTO_LIB_MK})
include ${CRYPTO_LIB_MK}
$(info Including ${IMG_PARSER_LIB_MK})
include ${IMG_PARSER_LIB_MK}
endif
......@@ -28,13 +28,14 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <assert.h>
#include <bl_common.h> /* For ARRAY_SIZE */
#include <debug.h>
#include <firmware_image_package.h>
#include <io_driver.h>
#include <io_fip.h>
#include <io_memmap.h>
#include <io_storage.h>
#include <platform_def.h>
#include <semihosting.h> /* For FOPEN_MODE_... */
#include <string.h>
/* IO devices */
......@@ -48,179 +49,162 @@ static const io_block_spec_t fip_block_spec = {
.length = PLAT_ARM_FIP_MAX_SIZE
};
static const io_file_spec_t bl2_file_spec = {
.path = BL2_IMAGE_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl2_uuid_spec = {
.uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2,
};
static const io_file_spec_t bl30_file_spec = {
.path = BL30_IMAGE_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl30_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30,
};
static const io_file_spec_t bl31_file_spec = {
.path = BL31_IMAGE_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl31_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31,
};
static const io_file_spec_t bl32_file_spec = {
.path = BL32_IMAGE_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl32_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32,
};
static const io_file_spec_t bl33_file_spec = {
.path = BL33_IMAGE_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl33_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33,
};
#if TRUSTED_BOARD_BOOT
static const io_file_spec_t bl2_cert_file_spec = {
.path = BL2_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl2_cert_uuid_spec = {
.uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT,
};
static const io_file_spec_t trusted_key_cert_file_spec = {
.path = TRUSTED_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t trusted_key_cert_uuid_spec = {
.uuid = UUID_TRUSTED_KEY_CERT,
};
static const io_file_spec_t bl30_key_cert_file_spec = {
.path = BL30_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl30_key_cert_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30_KEY_CERT,
};
static const io_file_spec_t bl31_key_cert_file_spec = {
.path = BL31_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl31_key_cert_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT,
};
static const io_file_spec_t bl32_key_cert_file_spec = {
.path = BL32_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl32_key_cert_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32_KEY_CERT,
};
static const io_file_spec_t bl33_key_cert_file_spec = {
.path = BL33_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl33_key_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT,
};
static const io_file_spec_t bl30_cert_file_spec = {
.path = BL30_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl30_cert_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30_CERT,
};
static const io_file_spec_t bl31_cert_file_spec = {
.path = BL31_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl31_cert_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT,
};
static const io_file_spec_t bl32_cert_file_spec = {
.path = BL32_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl32_cert_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32_CERT,
};
static const io_file_spec_t bl33_cert_file_spec = {
.path = BL33_CERT_NAME,
.mode = FOPEN_MODE_RB
static const io_uuid_spec_t bl33_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_CERT,
};
#endif /* TRUSTED_BOARD_BOOT */
static int open_fip(const uintptr_t spec);
static int open_memmap(const uintptr_t spec);
struct plat_io_policy {
const char *image_name;
uintptr_t *dev_handle;
uintptr_t image_spec;
int (*check)(const uintptr_t spec);
};
/* By default, ARM platforms load images from the FIP */
static const struct plat_io_policy policies[] = {
{
FIP_IMAGE_NAME,
[FIP_IMAGE_ID] = {
&memmap_dev_handle,
(uintptr_t)&fip_block_spec,
open_memmap
}, {
BL2_IMAGE_NAME,
},
[BL2_IMAGE_ID] = {
&fip_dev_handle,
(uintptr_t)&bl2_file_spec,
(uintptr_t)&bl2_uuid_spec,
open_fip
}, {
BL30_IMAGE_NAME,
},
[BL30_IMAGE_ID] = {
&fip_dev_handle,
(uintptr_t)&bl30_file_spec,
(uintptr_t)&bl30_uuid_spec,
open_fip
}, {
BL31_IMAGE_NAME,
},
[BL31_IMAGE_ID] = {
&fip_dev_handle,
(uintptr_t)&bl31_file_spec,
(uintptr_t)&bl31_uuid_spec,
open_fip
}, {
BL32_IMAGE_NAME,
},
[BL32_IMAGE_ID] = {
&fip_dev_handle,
(uintptr_t)&bl32_file_spec,
(uintptr_t)&bl32_uuid_spec,
open_fip
}, {
BL33_IMAGE_NAME,
},
[BL33_IMAGE_ID] = {
&fip_dev_handle,
(uintptr_t)&bl33_file_spec,
(uintptr_t)&bl33_uuid_spec,
open_fip
}, {
},
#if TRUSTED_BOARD_BOOT
BL2_CERT_NAME,
[BL2_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl2_cert_file_spec,
(uintptr_t)&bl2_cert_uuid_spec,
open_fip
}, {
TRUSTED_KEY_CERT_NAME,
},
[TRUSTED_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&trusted_key_cert_file_spec,
(uintptr_t)&trusted_key_cert_uuid_spec,
open_fip
}, {
BL30_KEY_CERT_NAME,
},
[BL30_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl30_key_cert_file_spec,
(uintptr_t)&bl30_key_cert_uuid_spec,
open_fip
}, {
BL31_KEY_CERT_NAME,
},
[BL31_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl31_key_cert_file_spec,
(uintptr_t)&bl31_key_cert_uuid_spec,
open_fip
}, {
BL32_KEY_CERT_NAME,
},
[BL32_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl32_key_cert_file_spec,
(uintptr_t)&bl32_key_cert_uuid_spec,
open_fip
}, {
BL33_KEY_CERT_NAME,
},
[BL33_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl33_key_cert_file_spec,
(uintptr_t)&bl33_key_cert_uuid_spec,
open_fip
}, {
BL30_CERT_NAME,
},
[BL30_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl30_cert_file_spec,
(uintptr_t)&bl30_cert_uuid_spec,
open_fip
}, {
BL31_CERT_NAME,
},
[BL31_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl31_cert_file_spec,
(uintptr_t)&bl31_cert_uuid_spec,
open_fip
}, {
BL32_CERT_NAME,
},
[BL32_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl32_cert_file_spec,
(uintptr_t)&bl32_cert_uuid_spec,
open_fip
}, {
BL33_CERT_NAME,
},
[BL33_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl33_cert_file_spec,
(uintptr_t)&bl33_cert_uuid_spec,
open_fip
}, {
},
#endif /* TRUSTED_BOARD_BOOT */
0, 0, 0
}
};
......@@ -235,7 +219,7 @@ static int open_fip(const uintptr_t spec)
uintptr_t local_image_handle;
/* See if a Firmware Image Package is available */
result = io_dev_init(fip_dev_handle, (uintptr_t)FIP_IMAGE_NAME);
result = io_dev_init(fip_dev_handle, (uintptr_t)FIP_IMAGE_ID);
if (result == IO_SUCCESS) {
result = io_open(fip_dev_handle, spec, &local_image_handle);
if (result == IO_SUCCESS) {
......@@ -293,8 +277,9 @@ void plat_arm_io_setup(void)
}
int plat_arm_get_alt_image_source(
const uintptr_t image_spec __attribute__((unused)),
uintptr_t *dev_handle __attribute__((unused)))
unsigned int image_id __attribute__((unused)),
uintptr_t *dev_handle __attribute__((unused)),
uintptr_t *image_spec __attribute__((unused)))
{
/* By default do not try an alternative */
return IO_FAIL;
......@@ -302,36 +287,24 @@ int plat_arm_get_alt_image_source(
/* Return an IO device handle and specification which can be used to access
* an image. Use this to enforce platform load policy */
int plat_get_image_source(const char *image_name, uintptr_t *dev_handle,
int plat_get_image_source(unsigned int image_id, uintptr_t *dev_handle,
uintptr_t *image_spec)
{
int result = IO_FAIL;
const struct plat_io_policy *policy;
if ((image_name != NULL) && (dev_handle != NULL) &&
(image_spec != NULL)) {
policy = policies;
while (policy->image_name != NULL) {
if (strcmp(policy->image_name, image_name) == 0) {
assert(image_id < ARRAY_SIZE(policies));
policy = &policies[image_id];
result = policy->check(policy->image_spec);
if (result == IO_SUCCESS) {
*image_spec = policy->image_spec;
*dev_handle = *(policy->dev_handle);
break;
}
VERBOSE("Trying alternative IO\n");
result = plat_arm_get_alt_image_source(
policy->image_spec,
dev_handle);
if (result == IO_SUCCESS) {
*image_spec = policy->image_spec;
break;
}
}
policy++;
}
} else {
result = IO_FAIL;
VERBOSE("Trying alternative IO\n");
result = plat_arm_get_alt_image_source(image_id, dev_handle,
image_spec);
}
return result;
}
......@@ -33,6 +33,7 @@ PLAT := none
V := 0
DEBUG := 0
BINARY := ${PROJECT}
OPENSSL_DIR := /usr
OBJECTS := src/cert.o \
src/ext.o \
......@@ -69,8 +70,8 @@ endif
# Make soft links and include from local directory otherwise wrong headers
# could get pulled in from firmware tree.
INC_DIR := -I ./include -I ${PLAT_INCLUDE}
LIB_DIR :=
INC_DIR := -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include
LIB_DIR := -L ${OPENSSL_DIR}/lib
LIB := -lssl -lcrypto
CC := gcc
......
......@@ -63,7 +63,8 @@ enum {
};
int ext_init(ext_t *tbb_ext);
X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len);
X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len);
X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
......
......@@ -35,6 +35,21 @@
#define RSA_KEY_BITS 2048
/* Error codes */
enum {
KEY_ERR_NONE,
KEY_ERR_MALLOC,
KEY_ERR_FILENAME,
KEY_ERR_OPEN,
KEY_ERR_LOAD
};
/* Supported key algorithms */
enum {
KEY_ALG_RSA,
KEY_ALG_ECDSA
};
/*
* This structure contains the relevant information to create the keys
* required to sign the certificates.
......@@ -50,8 +65,8 @@ typedef struct key_s {
EVP_PKEY *key; /* Key container */
} key_t;
int key_new(key_t *key);
int key_load(key_t *key);
int key_create(key_t *key, int type);
int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key);
#endif /* KEY_H_ */
......@@ -31,13 +31,29 @@
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
#include "ext.h"
DECLARE_ASN1_ITEM(ASN1_INTEGER)
DECLARE_ASN1_ITEM(X509_ALGOR)
DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
typedef struct {
X509_ALGOR *hashAlgorithm;
ASN1_OCTET_STRING *dataHash;
} HASH;
ASN1_SEQUENCE(HASH) = {
ASN1_SIMPLE(HASH, hashAlgorithm, X509_ALGOR),
ASN1_SIMPLE(HASH, dataHash, ASN1_OCTET_STRING),
} ASN1_SEQUENCE_END(HASH)
DECLARE_ASN1_FUNCTIONS(HASH)
IMPLEMENT_ASN1_FUNCTIONS(HASH)
/*
* This function adds the TBB extensions to the internal extension list
* maintained by OpenSSL so they can be used later.
......@@ -123,37 +139,85 @@ X509_EXTENSION *ext_new(int nid, int crit, unsigned char *data, int len)
}
/*
* Creates a x509v3 extension containing a hash encapsulated in an ASN1 Octet
* String
* Creates a x509v3 extension containing a hash
*
* DigestInfo ::= SEQUENCE {
* digestAlgorithm AlgorithmIdentifier,
* digest OCTET STRING
* }
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL
* }
*
* Parameters:
* pex: OpenSSL extension pointer (output parameter)
* nid: extension identifier
* crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
* md: hash algorithm
* buf: pointer to the buffer that contains the hash
* len: size of the hash in bytes
*
* Return: Extension address, NULL if error
*/
X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len)
X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len)
{
X509_EXTENSION *ex = NULL;
ASN1_OCTET_STRING *hash = NULL;
ASN1_OCTET_STRING *octet = NULL;
HASH *hash = NULL;
ASN1_OBJECT *algorithm = NULL;
X509_ALGOR *x509_algor = NULL;
unsigned char *p = NULL;
int sz = -1;
/* Encode Hash */
hash = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(hash, buf, len);
sz = i2d_ASN1_OCTET_STRING(hash, NULL);
i2d_ASN1_OCTET_STRING(hash, &p);
/* OBJECT_IDENTIFIER with hash algorithm */
algorithm = OBJ_nid2obj(md->type);
if (algorithm == NULL) {
return NULL;
}
/* Create X509_ALGOR */
x509_algor = X509_ALGOR_new();
if (x509_algor == NULL) {
return NULL;
}
x509_algor->algorithm = algorithm;
x509_algor->parameter = ASN1_TYPE_new();
ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL);
/* OCTET_STRING with the actual hash */
octet = ASN1_OCTET_STRING_new();
if (octet == NULL) {
X509_ALGOR_free(x509_algor);
return NULL;
}
ASN1_OCTET_STRING_set(octet, buf, len);
/* HASH structure containing algorithm + hash */
hash = HASH_new();
if (hash == NULL) {
ASN1_OCTET_STRING_free(octet);
X509_ALGOR_free(x509_algor);
return NULL;
}
hash->hashAlgorithm = x509_algor;
hash->dataHash = octet;
/* DER encoded HASH */
sz = i2d_HASH(hash, &p);
if ((sz <= 0) || (p == NULL)) {
HASH_free(hash);
X509_ALGOR_free(x509_algor);
return NULL;
}
/* Create the extension */
ex = ext_new(nid, crit, p, sz);
/* Clean up */
OPENSSL_free(p);
ASN1_OCTET_STRING_free(hash);
HASH_free(hash);
return ex;
}
......
......@@ -46,41 +46,81 @@
#define MAX_FILENAME_LEN 1024
/*
* Create a new key
* Create a new key container
*/
int key_new(key_t *key)
static int key_new(key_t *key)
{
RSA *rsa = NULL;
EVP_PKEY *k = NULL;
/* Create key pair container */
k = EVP_PKEY_new();
if (k == NULL) {
key->key = EVP_PKEY_new();
if (key->key == NULL) {
return 0;
}
return 1;
}
int key_create(key_t *key, int type)
{
RSA *rsa = NULL;
EC_KEY *ec = NULL;
/* Create OpenSSL key container */
if (!key_new(key)) {
goto err;
}
switch (type) {
case KEY_ALG_RSA:
/* Generate a new RSA key */
rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL);
if (EVP_PKEY_assign_RSA(k, rsa)) {
key->key = k;
return 1;
} else {
if (rsa == NULL) {
printf("Cannot create RSA key\n");
goto err;
}
if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
printf("Cannot assign RSA key\n");
goto err;
}
break;
case KEY_ALG_ECDSA:
/* Generate a new ECDSA key */
ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ec == NULL) {
printf("Cannot create EC key\n");
goto err;
}
if (!EC_KEY_generate_key(ec)) {
printf("Cannot generate EC key\n");
goto err;
}
EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
printf("Cannot assign EC key\n");
goto err;
}
break;
default:
goto err;
}
if (k)
EVP_PKEY_free(k);
return 1;
err:
RSA_free(rsa);
EC_KEY_free(ec);
return 0;
}
int key_load(key_t *key)
int key_load(key_t *key, unsigned int *err_code)
{
FILE *fp = NULL;
EVP_PKEY *k = NULL;
/* Create key pair container */
k = EVP_PKEY_new();
if (k == NULL) {
/* Create OpenSSL key container */
if (!key_new(key)) {
*err_code = KEY_ERR_MALLOC;
return 0;
}
......@@ -88,24 +128,24 @@ int key_load(key_t *key)
/* Load key from file */
fp = fopen(key->fn, "r");
if (fp) {
k = PEM_read_PrivateKey(fp, &k, NULL, NULL);
k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
fclose(fp);
if (k) {
key->key = k;
*err_code = KEY_ERR_NONE;
return 1;
} else {
ERROR("Cannot read key from %s\n", key->fn);
ERROR("Cannot load key from %s\n", key->fn);
*err_code = KEY_ERR_LOAD;
}
} else {
ERROR("Cannot open file %s\n", key->fn);
WARN("Cannot open file %s\n", key->fn);
*err_code = KEY_ERR_OPEN;
}
} else {
ERROR("Key filename not specified\n");
WARN("Key filename not specified\n");
*err_code = KEY_ERR_FILENAME;
}
if (k)
EVP_PKEY_free(k);
return 0;
}
......
......@@ -80,6 +80,7 @@
#define VAL_DAYS 7300
#define ID_TO_BIT_MASK(id) (1 << id)
#define NVCOUNTER_VALUE 0
#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
/* Files */
enum {
......@@ -112,6 +113,7 @@ enum {
};
/* Global options */
static int key_alg;
static int new_keys;
static int save_keys;
static int print_cert;
......@@ -138,6 +140,11 @@ static char *strdup(const char *str)
return dup;
}
static const char *key_algs_str[] = {
[KEY_ALG_RSA] = "rsa",
[KEY_ALG_ECDSA] = "ecdsa"
};
/* Command line options */
static const struct option long_opt[] = {
/* Binary images */
......@@ -166,6 +173,7 @@ static const struct option long_opt[] = {
{"bl32-key", required_argument, 0, BL32_KEY_ID},
{"bl33-key", required_argument, 0, BL33_KEY_ID},
/* Common options */
{"key-alg", required_argument, 0, 'a'},
{"help", no_argument, 0, 'h'},
{"save-keys", no_argument, 0, 'k'},
{"new-chain", no_argument, 0, 'n'},
......@@ -189,6 +197,7 @@ static void print_help(const char *cmd)
printf(" --%s <file> \\\n", long_opt[i].name);
}
printf("\n");
printf("-a Key algorithm: rsa (default), ecdsa\n");
printf("-h Print help and exit\n");
printf("-k Save key pairs into files. Filenames must be provided\n");
printf("-n Generate new key pairs if no key files are provided\n");
......@@ -198,8 +207,27 @@ static void print_help(const char *cmd)
exit(0);
}
static int get_key_alg(const char *key_alg_str)
{
int i;
for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) {
if (0 == strcmp(key_alg_str, key_algs_str[i])) {
return i;
}
}
return -1;
}
static void check_cmd_params(void)
{
/* Only save new keys */
if (save_keys && !new_keys) {
ERROR("Only new keys can be saved to disk\n");
exit(1);
}
/* BL2, BL31 and BL33 are mandatory */
if (certs[BL2_CERT].bin == NULL) {
ERROR("BL2 image not specified\n");
......@@ -276,14 +304,19 @@ int main(int argc, char *argv[])
FILE *file = NULL;
int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
int c, opt_idx = 0;
unsigned int err_code;
unsigned char md[SHA256_DIGEST_LENGTH];
const EVP_MD *md_info;
NOTICE("CoT Generation Tool: %s\n", build_msg);
NOTICE("Target platform: %s\n", platform_msg);
/* Set default options */
key_alg = KEY_ALG_RSA;
while (1) {
/* getopt_long stores the option index here. */
c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx);
c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
......@@ -291,6 +324,13 @@ int main(int argc, char *argv[])
}
switch (c) {
case 'a':
key_alg = get_key_alg(optarg);
if (key_alg < 0) {
ERROR("Invalid key algorithm '%s'\n", optarg);
exit(1);
}
break;
case 'h':
print_help(argv[0]);
break;
......@@ -389,24 +429,50 @@ int main(int argc, char *argv[])
exit(1);
}
/* Indicate SHA256 as image hash algorithm in the certificate
* extension */
md_info = EVP_sha256();
/* Get non-volatile counters NIDs */
CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
/* Load private keys from files (or generate new ones) */
if (new_keys) {
for (i = 0 ; i < NUM_KEYS ; i++) {
if (!key_new(&keys[i])) {
ERROR("Error creating %s\n", keys[i].desc);
/* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) {
/* Key loaded successfully */
continue;
}
/* Key not loaded. Check the error code */
if (err_code == KEY_ERR_MALLOC) {
/* Cannot allocate memory. Abort. */
ERROR("Malloc error while loading '%s'\n", keys[i].fn);
exit(1);
} else if (err_code == KEY_ERR_LOAD) {
/* File exists, but it does not contain a valid private
* key. Abort. */
ERROR("Error loading '%s'\n", keys[i].fn);
exit(1);
}
/* File does not exist, could not be opened or no filename was
* given */
if (new_keys) {
/* Try to create a new key */
NOTICE("Creating new key for '%s'\n", keys[i].desc);
if (!key_create(&keys[i], key_alg)) {
ERROR("Error creating key '%s'\n", keys[i].desc);
exit(1);
}
} else {
for (i = 0 ; i < NUM_KEYS ; i++) {
if (!key_load(&keys[i])) {
ERROR("Error loading %s\n", keys[i].desc);
exit(1);
if (err_code == KEY_ERR_OPEN) {
ERROR("Error opening '%s'\n", keys[i].fn);
} else {
ERROR("Key '%s' not specified\n", keys[i].desc);
}
exit(1);
}
}
......@@ -430,7 +496,7 @@ int main(int argc, char *argv[])
exit(1);
}
CHECK_OID(hash_nid, BL2_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
......@@ -509,8 +575,8 @@ int main(int argc, char *argv[])
exit(1);
}
CHECK_OID(hash_nid, BL30_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
SHA256_DIGEST_LENGTH));
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
......@@ -559,7 +625,7 @@ int main(int argc, char *argv[])
exit(1);
}
CHECK_OID(hash_nid, BL31_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
......@@ -612,8 +678,8 @@ int main(int argc, char *argv[])
exit(1);
}
CHECK_OID(hash_nid, BL32_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
SHA256_DIGEST_LENGTH));
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
......@@ -662,7 +728,7 @@ int main(int argc, char *argv[])
exit(1);
}
CHECK_OID(hash_nid, BL33_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment