Commit 999adb94 authored by Antonio Niño Díaz's avatar Antonio Niño Díaz Committed by TrustedFirmware Code Review
Browse files

Merge changes from topic "jh/cotdesc" into integration

* changes:
  Document changes to auth-framework
  cot-desc: optimise memory further
  Reduce memory needed for CoT description
parents 05c6693e 699475ac
...@@ -606,13 +606,13 @@ The following data structure describes an image in a CoT. ...@@ -606,13 +606,13 @@ The following data structure describes an image in a CoT.
unsigned int img_id; unsigned int img_id;
const struct auth_img_desc_s *parent; const struct auth_img_desc_s *parent;
img_type_t img_type; img_type_t img_type;
auth_method_desc_t img_auth_methods[AUTH_METHOD_NUM]; const auth_method_desc_t *const img_auth_methods;
auth_param_desc_t authenticated_data[COT_MAX_VERIFIED_PARAMS]; const auth_param_desc_t *const authenticated_data;
} auth_img_desc_t; } auth_img_desc_t;
A CoT is defined as an array of ``auth_image_desc_t`` structures linked together A CoT is defined as an array of pointers to ``auth_image_desc_t`` structures
by the ``parent`` field. Those nodes with no parent must be authenticated using linked together by the ``parent`` field. Those nodes with no parent must be
the ROTPK stored in the platform. authenticated using the ROTPK stored in the platform.
Implementation example Implementation example
---------------------- ----------------------
...@@ -625,15 +625,15 @@ recommended to read this guide along with the source code. ...@@ -625,15 +625,15 @@ recommended to read this guide along with the source code.
The TBBR CoT The TBBR CoT
~~~~~~~~~~~~ ~~~~~~~~~~~~
The CoT can be found in ``drivers/auth/tbbr/tbbr_cot.c``. This CoT consists of an The CoT can be found in ``drivers/auth/tbbr/tbbr_cot.c``. This CoT consists of
array of image descriptors and it is registered in the framework using the macro an array of pointers to image descriptors and it is registered in the framework
``REGISTER_COT(cot_desc)``, where 'cot_desc' must be the name of the array using the macro ``REGISTER_COT(cot_desc)``, where 'cot_desc' must be the name
(passing a pointer or any other type of indirection will cause the registration of the array (passing a pointer or any other type of indirection will cause the
process to fail). registration process to fail).
The number of images participating in the boot process depends on the CoT. There The number of images participating in the boot process depends on the CoT.
is, however, a minimum set of images that are mandatory in TF-A and thus all There is, however, a minimum set of images that are mandatory in TF-A and thus
CoTs must present: all CoTs must present:
- ``BL2`` - ``BL2``
- ``SCP_BL2`` (platform specific) - ``SCP_BL2`` (platform specific)
...@@ -674,13 +674,15 @@ Each image descriptor must specify: ...@@ -674,13 +674,15 @@ Each image descriptor must specify:
is NULL, the authentication parameters will be obtained from the platform is NULL, the authentication parameters will be obtained from the platform
(i.e. the BL2 and Trusted Key certificates are signed with the ROT private (i.e. the BL2 and Trusted Key certificates are signed with the ROT private
key, whose public part is stored in the platform). key, whose public part is stored in the platform).
- ``img_auth_methods``: this array defines the authentication methods that must - ``img_auth_methods``: this points to an array which defines the
be checked to consider an image authenticated. Each method consists of a authentication methods that must be checked to consider an image
type and a list of parameter descriptors. A parameter descriptor consists of authenticated. Each method consists of a type and a list of parameter
a type and a cookie which will point to specific information required to descriptors. A parameter descriptor consists of a type and a cookie which
extract that parameter from the image (i.e. if the parameter is stored in an will point to specific information required to extract that parameter from
x509v3 extension, the cookie will point to the extension OID). Depending on the image (i.e. if the parameter is stored in an x509v3 extension, the
the method type, a different number of parameters must be specified. cookie will point to the extension OID). Depending on the method type, a
different number of parameters must be specified. This pointer should not be
NULL.
Supported methods are: Supported methods are:
- ``AUTH_METHOD_HASH``: the hash of the image must match the hash extracted - ``AUTH_METHOD_HASH``: the hash of the image must match the hash extracted
...@@ -700,11 +702,11 @@ Each image descriptor must specify: ...@@ -700,11 +702,11 @@ Each image descriptor must specify:
- ``alg``: the signature algorithm used (obtained from current image) - ``alg``: the signature algorithm used (obtained from current image)
- ``data``: the data to be signed (obtained from current image) - ``data``: the data to be signed (obtained from current image)
- ``authenticated_data``: this array indicates what authentication parameters - ``authenticated_data``: this array pointer indicates what authentication
must be extracted from an image once it has been authenticated. Each parameters must be extracted from an image once it has been authenticated.
parameter consists of a parameter descriptor and the buffer address/size Each parameter consists of a parameter descriptor and the buffer
to store the parameter. The CoT is responsible for allocating the required address/size to store the parameter. The CoT is responsible for allocating
memory to store the parameters. the required memory to store the parameters. This pointer may be NULL.
In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters
extracted from the certificates. In the case of the TBBR CoT, these parameters extracted from the certificates. In the case of the TBBR CoT, these parameters
...@@ -722,22 +724,29 @@ Four image descriptors form the BL31 Chain of Trust: ...@@ -722,22 +724,29 @@ Four image descriptors form the BL31 Chain of Trust:
.. code:: c .. code:: c
[TRUSTED_KEY_CERT_ID] = { static const auth_img_desc_t trusted_key_cert = {
.img_id = TRUSTED_KEY_CERT_ID, .img_id = TRUSTED_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = NULL, .parent = NULL,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &subject_pk, .pk = &subject_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
}
},
[1] = {
.type = AUTH_METHOD_NV_CTR,
.param.nv_ctr = {
.cert_nv_ctr = &trusted_nv_ctr,
.plat_nv_ctr = &trusted_nv_ctr
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &trusted_world_pk, .type_desc = &trusted_world_pk,
.data = { .data = {
...@@ -753,23 +762,30 @@ Four image descriptors form the BL31 Chain of Trust: ...@@ -753,23 +762,30 @@ Four image descriptors form the BL31 Chain of Trust:
} }
} }
} }
}, };
[SOC_FW_KEY_CERT_ID] = { static const auth_img_desc_t soc_fw_key_cert = {
.img_id = SOC_FW_KEY_CERT_ID, .img_id = SOC_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &trusted_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &trusted_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
}
},
[1] = {
.type = AUTH_METHOD_NV_CTR,
.param.nv_ctr = {
.cert_nv_ctr = &trusted_nv_ctr,
.plat_nv_ctr = &trusted_nv_ctr
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &soc_fw_content_pk, .type_desc = &soc_fw_content_pk,
.data = { .data = {
...@@ -778,46 +794,60 @@ Four image descriptors form the BL31 Chain of Trust: ...@@ -778,46 +794,60 @@ Four image descriptors form the BL31 Chain of Trust:
} }
} }
} }
}, };
[SOC_FW_CONTENT_CERT_ID] = { static const auth_img_desc_t soc_fw_content_cert = {
.img_id = SOC_FW_CONTENT_CERT_ID, .img_id = SOC_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[SOC_FW_KEY_CERT_ID], .parent = &soc_fw_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &soc_fw_content_pk, .pk = &soc_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
}
},
[1] = {
.type = AUTH_METHOD_NV_CTR,
.param.nv_ctr = {
.cert_nv_ctr = &trusted_nv_ctr,
.plat_nv_ctr = &trusted_nv_ctr
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &soc_fw_hash, .type_desc = &soc_fw_hash,
.data = { .data = {
.ptr = (void *)soc_fw_hash_buf, .ptr = (void *)soc_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
},
[1] = {
.type_desc = &soc_fw_config_hash,
.data = {
.ptr = (void *)soc_fw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
} }
} }
}, };
[BL31_IMAGE_ID] = { static const auth_img_desc_t bl31_image = {
.img_id = BL31_IMAGE_ID, .img_id = BL31_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID], .parent = &soc_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &soc_fw_hash, .hash = &soc_fw_hash
}
} }
} }
} }
};
The **Trusted Key certificate** is signed with the ROT private key and contains The **Trusted Key certificate** is signed with the ROT private key and contains
the Trusted World public key and the Non-Trusted World public key as x509v3 the Trusted World public key and the Non-Trusted World public key as x509v3
...@@ -935,7 +965,7 @@ of SHA-256 with smaller memory footprint (~1.5 KB less) but slower (~30%). ...@@ -935,7 +965,7 @@ of SHA-256 with smaller memory footprint (~1.5 KB less) but slower (~30%).
-------------- --------------
*Copyright (c) 2017-2018, Arm Limited and Contributors. All rights reserved.* *Copyright (c) 2017-2019, Arm Limited and Contributors. All rights reserved.*
.. _Trusted Board Boot: ./trusted-board-boot.rst .. _Trusted Board Boot: ./trusted-board-boot.rst
.. _Platform Porting Guide: ./porting-guide.rst .. _Platform Porting Guide: ./porting-guide.rst
...@@ -30,6 +30,10 @@ ...@@ -30,6 +30,10 @@
#pragma weak plat_set_nv_ctr2 #pragma weak plat_set_nv_ctr2
/* Pointer to CoT */
extern const auth_img_desc_t **const cot_desc_ptr;
extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
static int cmp_auth_param_type_desc(const auth_param_type_desc_t *a, static int cmp_auth_param_type_desc(const auth_param_type_desc_t *a,
const auth_param_type_desc_t *b) const auth_param_type_desc_t *b)
{ {
...@@ -49,6 +53,9 @@ static int auth_get_param(const auth_param_type_desc_t *param_type_desc, ...@@ -49,6 +53,9 @@ static int auth_get_param(const auth_param_type_desc_t *param_type_desc,
{ {
int i; int i;
if (img_desc->authenticated_data == NULL)
return 1;
for (i = 0 ; i < COT_MAX_VERIFIED_PARAMS ; i++) { for (i = 0 ; i < COT_MAX_VERIFIED_PARAMS ; i++) {
if (0 == cmp_auth_param_type_desc(param_type_desc, if (0 == cmp_auth_param_type_desc(param_type_desc,
img_desc->authenticated_data[i].type_desc)) { img_desc->authenticated_data[i].type_desc)) {
...@@ -300,7 +307,7 @@ int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id) ...@@ -300,7 +307,7 @@ int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id)
assert(parent_id != NULL); assert(parent_id != NULL);
/* Get the image descriptor */ /* Get the image descriptor */
img_desc = &cot_desc_ptr[img_id]; img_desc = cot_desc_ptr[img_id];
/* Check if the image has no parent (ROT) */ /* Check if the image has no parent (ROT) */
if (img_desc->parent == NULL) { if (img_desc->parent == NULL) {
...@@ -349,7 +356,7 @@ int auth_mod_verify_img(unsigned int img_id, ...@@ -349,7 +356,7 @@ int auth_mod_verify_img(unsigned int img_id,
int rc, i; int rc, i;
/* Get the image descriptor from the chain of trust */ /* Get the image descriptor from the chain of trust */
img_desc = &cot_desc_ptr[img_id]; img_desc = cot_desc_ptr[img_id];
/* Ask the parser to check the image integrity */ /* Ask the parser to check the image integrity */
rc = img_parser_check_integrity(img_desc->img_type, img_ptr, img_len); rc = img_parser_check_integrity(img_desc->img_type, img_ptr, img_len);
...@@ -357,6 +364,8 @@ int auth_mod_verify_img(unsigned int img_id, ...@@ -357,6 +364,8 @@ int auth_mod_verify_img(unsigned int img_id,
/* Authenticate the image using the methods indicated in the image /* Authenticate the image using the methods indicated in the image
* descriptor. */ * descriptor. */
if(img_desc->img_auth_methods == NULL)
return 1;
for (i = 0 ; i < AUTH_METHOD_NUM ; i++) { for (i = 0 ; i < AUTH_METHOD_NUM ; i++) {
auth_method = &img_desc->img_auth_methods[i]; auth_method = &img_desc->img_auth_methods[i];
switch (auth_method->type) { switch (auth_method->type) {
...@@ -385,6 +394,7 @@ int auth_mod_verify_img(unsigned int img_id, ...@@ -385,6 +394,7 @@ int auth_mod_verify_img(unsigned int img_id,
/* Extract the parameters indicated in the image descriptor to /* Extract the parameters indicated in the image descriptor to
* authenticate the children images. */ * authenticate the children images. */
if (img_desc->authenticated_data != NULL) {
for (i = 0 ; i < COT_MAX_VERIFIED_PARAMS ; i++) { for (i = 0 ; i < COT_MAX_VERIFIED_PARAMS ; i++) {
if (img_desc->authenticated_data[i].type_desc == NULL) { if (img_desc->authenticated_data[i].type_desc == NULL) {
continue; continue;
...@@ -405,6 +415,7 @@ int auth_mod_verify_img(unsigned int img_id, ...@@ -405,6 +415,7 @@ int auth_mod_verify_img(unsigned int img_id,
memcpy((void *)img_desc->authenticated_data[i].data.ptr, memcpy((void *)img_desc->authenticated_data[i].data.ptr,
(void *)param_ptr, param_len); (void *)param_ptr, param_len);
} }
}
/* Mark image as authenticated */ /* Mark image as authenticated */
auth_img_flags[img_desc->img_id] |= IMG_FLAG_AUTHENTICATED; auth_img_flags[img_desc->img_id] |= IMG_FLAG_AUTHENTICATED;
......
/* /*
* Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
...@@ -27,29 +27,31 @@ ...@@ -27,29 +27,31 @@
* extracted from the certificates. In this case, because of the way the CoT is * extracted from the certificates. In this case, because of the way the CoT is
* established, we can reuse some of the buffers on different stages * established, we can reuse some of the buffers on different stages
*/ */
static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char hw_config_hash_buf[HASH_DER_LEN]; static unsigned char hw_config_hash_buf[HASH_DER_LEN];
static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
#ifdef IMAGE_BL2
static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
static unsigned char trusted_world_pk_buf[PK_DER_LEN]; static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN]; static unsigned char content_pk_buf[PK_DER_LEN];
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
#endif
/* /*
* Parameter type descriptors * Parameter type descriptors
*/ */
static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, 0); AUTH_PARAM_PUB_KEY, 0);
...@@ -60,11 +62,29 @@ static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( ...@@ -60,11 +62,29 @@ static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_RAW_DATA, 0); AUTH_PARAM_RAW_DATA, 0);
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
#ifdef IMAGE_BL1
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, FWU_HASH_OID);
#endif /* IMAGE_BL1 */
#ifdef IMAGE_BL2
static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
...@@ -73,13 +93,6 @@ static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( ...@@ -73,13 +93,6 @@ static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FW_HASH_OID); AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
...@@ -98,32 +111,25 @@ static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( ...@@ -98,32 +111,25 @@ static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, FWU_HASH_OID);
/* #endif /* IMAGE_BL2 */
* TBBR Chain of trust definition
*/
static const auth_img_desc_t cot_desc[] = {
/* /*
* BL2 * BL2
*/ */
[TRUSTED_BOOT_FW_CERT_ID] = { static const auth_img_desc_t trusted_boot_fw_cert = {
.img_id = TRUSTED_BOOT_FW_CERT_ID, .img_id = TRUSTED_BOOT_FW_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = NULL, .parent = NULL,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &subject_pk, .pk = &subject_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -134,7 +140,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -134,7 +140,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &tb_fw_hash, .type_desc = &tb_fw_hash,
.data = { .data = {
...@@ -157,66 +163,71 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -157,66 +163,71 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[BL2_IMAGE_ID] = { #ifdef IMAGE_BL1
static const auth_img_desc_t bl2_image = {
.img_id = BL2_IMAGE_ID, .img_id = BL2_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID], .parent = &trusted_boot_fw_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &tb_fw_hash, .hash = &tb_fw_hash
} }
} }
} }
}, };
/* HW Config */ #endif /* IMAGE_BL1 */
[HW_CONFIG_ID] = { /* HW Config */
static const auth_img_desc_t hw_config = {
.img_id = HW_CONFIG_ID, .img_id = HW_CONFIG_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID], .parent = &trusted_boot_fw_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &hw_config_hash, .hash = &hw_config_hash
} }
} }
} }
}, };
/* TB FW Config */ /* TB FW Config */
[TB_FW_CONFIG_ID] = { #ifdef IMAGE_BL1
static const auth_img_desc_t tb_fw_config = {
.img_id = TB_FW_CONFIG_ID, .img_id = TB_FW_CONFIG_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID], .parent = &trusted_boot_fw_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &tb_fw_config_hash, .hash = &tb_fw_config_hash
} }
} }
} }
}, };
/* #endif /* IMAGE_BL1 */
#ifdef IMAGE_BL2
/*
* Trusted key certificate * Trusted key certificate
*/ */
[TRUSTED_KEY_CERT_ID] = { static const auth_img_desc_t trusted_key_cert = {
.img_id = TRUSTED_KEY_CERT_ID, .img_id = TRUSTED_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = NULL, .parent = NULL,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &subject_pk, .pk = &subject_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -227,7 +238,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -227,7 +238,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &trusted_world_pk, .type_desc = &trusted_world_pk,
.data = { .data = {
...@@ -243,22 +254,22 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -243,22 +254,22 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
/* /*
* SCP Firmware * SCP Firmware
*/ */
[SCP_FW_KEY_CERT_ID] = { static const auth_img_desc_t scp_fw_key_cert = {
.img_id = SCP_FW_KEY_CERT_ID, .img_id = SCP_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &trusted_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &trusted_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -269,7 +280,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -269,7 +280,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &scp_fw_content_pk, .type_desc = &scp_fw_content_pk,
.data = { .data = {
...@@ -278,19 +289,19 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -278,19 +289,19 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[SCP_FW_CONTENT_CERT_ID] = { static const auth_img_desc_t scp_fw_content_cert = {
.img_id = SCP_FW_CONTENT_CERT_ID, .img_id = SCP_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[SCP_FW_KEY_CERT_ID], .parent = &scp_fw_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &scp_fw_content_pk, .pk = &scp_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -301,7 +312,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -301,7 +312,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &scp_fw_hash, .type_desc = &scp_fw_hash,
.data = { .data = {
...@@ -310,36 +321,36 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -310,36 +321,36 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[SCP_BL2_IMAGE_ID] = { static const auth_img_desc_t scp_bl2_image = {
.img_id = SCP_BL2_IMAGE_ID, .img_id = SCP_BL2_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[SCP_FW_CONTENT_CERT_ID], .parent = &scp_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &scp_fw_hash, .hash = &scp_fw_hash
} }
} }
} }
}, };
/* /*
* SoC Firmware * SoC Firmware
*/ */
[SOC_FW_KEY_CERT_ID] = { static const auth_img_desc_t soc_fw_key_cert = {
.img_id = SOC_FW_KEY_CERT_ID, .img_id = SOC_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &trusted_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &trusted_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -350,7 +361,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -350,7 +361,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &soc_fw_content_pk, .type_desc = &soc_fw_content_pk,
.data = { .data = {
...@@ -359,19 +370,19 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -359,19 +370,19 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[SOC_FW_CONTENT_CERT_ID] = { static const auth_img_desc_t soc_fw_content_cert = {
.img_id = SOC_FW_CONTENT_CERT_ID, .img_id = SOC_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[SOC_FW_KEY_CERT_ID], .parent = &soc_fw_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &soc_fw_content_pk, .pk = &soc_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -382,7 +393,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -382,7 +393,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &soc_fw_hash, .type_desc = &soc_fw_hash,
.data = { .data = {
...@@ -398,51 +409,51 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -398,51 +409,51 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[BL31_IMAGE_ID] = { static const auth_img_desc_t bl31_image = {
.img_id = BL31_IMAGE_ID, .img_id = BL31_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID], .parent = &soc_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &soc_fw_hash, .hash = &soc_fw_hash
} }
} }
} }
}, };
/* SOC FW Config */ /* SOC FW Config */
[SOC_FW_CONFIG_ID] = { static const auth_img_desc_t soc_fw_config = {
.img_id = SOC_FW_CONFIG_ID, .img_id = SOC_FW_CONFIG_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID], .parent = &soc_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &soc_fw_config_hash, .hash = &soc_fw_config_hash
} }
} }
} }
}, };
/* /*
* Trusted OS Firmware * Trusted OS Firmware
*/ */
[TRUSTED_OS_FW_KEY_CERT_ID] = { static const auth_img_desc_t trusted_os_fw_key_cert = {
.img_id = TRUSTED_OS_FW_KEY_CERT_ID, .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &trusted_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &trusted_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -453,7 +464,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -453,7 +464,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &tos_fw_content_pk, .type_desc = &tos_fw_content_pk,
.data = { .data = {
...@@ -462,19 +473,19 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -462,19 +473,19 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[TRUSTED_OS_FW_CONTENT_CERT_ID] = { static const auth_img_desc_t trusted_os_fw_content_cert = {
.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_OS_FW_KEY_CERT_ID], .parent = &trusted_os_fw_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &tos_fw_content_pk, .pk = &tos_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -485,7 +496,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -485,7 +496,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &tos_fw_hash, .type_desc = &tos_fw_hash,
.data = { .data = {
...@@ -515,79 +526,79 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -515,79 +526,79 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[BL32_IMAGE_ID] = { static const auth_img_desc_t bl32_image = {
.img_id = BL32_IMAGE_ID, .img_id = BL32_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], .parent = &trusted_os_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &tos_fw_hash, .hash = &tos_fw_hash
} }
} }
} }
}, };
[BL32_EXTRA1_IMAGE_ID] = { static const auth_img_desc_t bl32_extra1_image = {
.img_id = BL32_EXTRA1_IMAGE_ID, .img_id = BL32_EXTRA1_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], .parent = &trusted_os_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &tos_fw_extra1_hash, .hash = &tos_fw_extra1_hash
} }
} }
} }
}, };
[BL32_EXTRA2_IMAGE_ID] = { static const auth_img_desc_t bl32_extra2_image = {
.img_id = BL32_EXTRA2_IMAGE_ID, .img_id = BL32_EXTRA2_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], .parent = &trusted_os_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &tos_fw_extra2_hash, .hash = &tos_fw_extra2_hash
} }
} }
} }
}, };
/* TOS FW Config */ /* TOS FW Config */
[TOS_FW_CONFIG_ID] = { static const auth_img_desc_t tos_fw_config = {
.img_id = TOS_FW_CONFIG_ID, .img_id = TOS_FW_CONFIG_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], .parent = &trusted_os_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &tos_fw_config_hash, .hash = &tos_fw_config_hash
} }
} }
} }
}, };
/* /*
* Non-Trusted Firmware * Non-Trusted Firmware
*/ */
[NON_TRUSTED_FW_KEY_CERT_ID] = { static const auth_img_desc_t non_trusted_fw_key_cert = {
.img_id = NON_TRUSTED_FW_KEY_CERT_ID, .img_id = NON_TRUSTED_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &trusted_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &non_trusted_world_pk, .pk = &non_trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -598,7 +609,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -598,7 +609,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &nt_fw_content_pk, .type_desc = &nt_fw_content_pk,
.data = { .data = {
...@@ -607,19 +618,19 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -607,19 +618,19 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[NON_TRUSTED_FW_CONTENT_CERT_ID] = { static const auth_img_desc_t non_trusted_fw_content_cert = {
.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[NON_TRUSTED_FW_KEY_CERT_ID], .parent = &non_trusted_fw_key_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &nt_fw_content_pk, .pk = &nt_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
}, },
[1] = { [1] = {
...@@ -630,7 +641,7 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -630,7 +641,7 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &nt_world_bl_hash, .type_desc = &nt_world_bl_hash,
.data = { .data = {
...@@ -646,55 +657,56 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -646,55 +657,56 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
[BL33_IMAGE_ID] = { static const auth_img_desc_t bl33_image = {
.img_id = BL33_IMAGE_ID, .img_id = BL33_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID], .parent = &non_trusted_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &nt_world_bl_hash, .hash = &nt_world_bl_hash
} }
} }
} }
}, };
/* NT FW Config */ /* NT FW Config */
[NT_FW_CONFIG_ID] = { static const auth_img_desc_t nt_fw_config = {
.img_id = NT_FW_CONFIG_ID, .img_id = NT_FW_CONFIG_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID], .parent = &non_trusted_fw_content_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &nt_fw_config_hash, .hash = &nt_fw_config_hash
} }
} }
} }
}, };
/* #else /* IMAGE_BL2 */
/*
* FWU auth descriptor. * FWU auth descriptor.
*/ */
[FWU_CERT_ID] = { static const auth_img_desc_t fwu_cert = {
.img_id = FWU_CERT_ID, .img_id = FWU_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = NULL, .parent = NULL,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &subject_pk, .pk = &subject_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data
} }
} }
}, },
.authenticated_data = { .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
[0] = { [0] = {
.type_desc = &scp_bl2u_hash, .type_desc = &scp_bl2u_hash,
.data = { .data = {
...@@ -717,59 +729,98 @@ static const auth_img_desc_t cot_desc[] = { ...@@ -717,59 +729,98 @@ static const auth_img_desc_t cot_desc[] = {
} }
} }
} }
}, };
/* /*
* SCP_BL2U * SCP_BL2U
*/ */
[SCP_BL2U_IMAGE_ID] = { static const auth_img_desc_t scp_bl2u_image = {
.img_id = SCP_BL2U_IMAGE_ID, .img_id = SCP_BL2U_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[FWU_CERT_ID], .parent = &fwu_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &scp_bl2u_hash, .hash = &scp_bl2u_hash
} }
} }
} }
}, };
/* /*
* BL2U * BL2U
*/ */
[BL2U_IMAGE_ID] = { static const auth_img_desc_t bl2u_image = {
.img_id = BL2U_IMAGE_ID, .img_id = BL2U_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[FWU_CERT_ID], .parent = &fwu_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl2u_hash, .hash = &bl2u_hash
} }
} }
} }
}, };
/* /*
* NS_BL2U * NS_BL2U
*/ */
[NS_BL2U_IMAGE_ID] = { static const auth_img_desc_t ns_bl2u_image = {
.img_id = NS_BL2U_IMAGE_ID, .img_id = NS_BL2U_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[FWU_CERT_ID], .parent = &fwu_cert,
.img_auth_methods = { .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &ns_bl2u_hash, .hash = &ns_bl2u_hash
}
} }
} }
} }
};
#endif /* IMAGE_BL2 */
/*
* TBBR Chain of trust definition
*/
#ifdef IMAGE_BL1
static const auth_img_desc_t * const cot_desc[] = {
[TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
[BL2_IMAGE_ID] = &bl2_image,
[HW_CONFIG_ID] = &hw_config,
[TB_FW_CONFIG_ID] = &tb_fw_config,
[FWU_CERT_ID] = &fwu_cert,
[SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
[BL2U_IMAGE_ID] = &bl2u_image,
[NS_BL2U_IMAGE_ID] = &ns_bl2u_image
};
#else /* IMAGE_BL2 */
static const auth_img_desc_t * const cot_desc[] = {
[TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
[HW_CONFIG_ID] = &hw_config,
[TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
[SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert,
[SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert,
[SCP_BL2_IMAGE_ID] = &scp_bl2_image,
[SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert,
[SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert,
[BL31_IMAGE_ID] = &bl31_image,
[SOC_FW_CONFIG_ID] = &soc_fw_config,
[TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert,
[TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert,
[BL32_IMAGE_ID] = &bl32_image,
[BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image,
[BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image,
[TOS_FW_CONFIG_ID] = &tos_fw_config,
[NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert,
[NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
[BL33_IMAGE_ID] = &bl33_image,
[NT_FW_CONFIG_ID] = &nt_fw_config,
}; };
#endif
/* Register the CoT in the authentication module */ /* Register the CoT in the authentication module */
REGISTER_COT(cot_desc); REGISTER_COT(cot_desc);
/* /*
* Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
...@@ -27,8 +27,8 @@ typedef struct auth_img_desc_s { ...@@ -27,8 +27,8 @@ typedef struct auth_img_desc_s {
unsigned int img_id; unsigned int img_id;
img_type_t img_type; img_type_t img_type;
const struct auth_img_desc_s *parent; const struct auth_img_desc_s *parent;
auth_method_desc_t img_auth_methods[AUTH_METHOD_NUM]; const auth_method_desc_t *const img_auth_methods;
auth_param_desc_t authenticated_data[COT_MAX_VERIFIED_PARAMS]; const auth_param_desc_t *const authenticated_data;
} auth_img_desc_t; } auth_img_desc_t;
/* Public functions */ /* Public functions */
...@@ -38,13 +38,13 @@ int auth_mod_verify_img(unsigned int img_id, ...@@ -38,13 +38,13 @@ int auth_mod_verify_img(unsigned int img_id,
void *img_ptr, void *img_ptr,
unsigned int img_len); unsigned int img_len);
/* Macro to register a CoT defined as an array of auth_img_desc_t */ /* Macro to register a CoT defined as an array of auth_img_desc_t pointers */
#define REGISTER_COT(_cot) \ #define REGISTER_COT(_cot) \
const auth_img_desc_t *const cot_desc_ptr = \ const auth_img_desc_t **const cot_desc_ptr = \
(const auth_img_desc_t *const)&_cot[0]; \ (const auth_img_desc_t **const)_cot; \
unsigned int auth_img_flags[MAX_NUMBER_IDS] unsigned int auth_img_flags[MAX_NUMBER_IDS]
extern const auth_img_desc_t *const cot_desc_ptr; extern const auth_img_desc_t **const cot_desc_ptr;
extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment