1 /* 2 * Copyright (c) 2020, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <stddef.h> 8 9 #include <platform_def.h> 10 11 #include <drivers/auth/mbedtls/mbedtls_config.h> 12 #include <drivers/auth/auth_mod.h> 13 #include <tools_share/dualroot_oid.h> 14 15 /* 16 * Allocate static buffers to store the authentication parameters extracted from 17 * the certificates. 18 */ 19 static unsigned char fw_config_hash_buf[HASH_DER_LEN]; 20 static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; 21 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; 22 static unsigned char hw_config_hash_buf[HASH_DER_LEN]; 23 static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; 24 static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 25 26 #ifdef IMAGE_BL2 27 static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 28 static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 29 static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 30 static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 31 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; 32 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; 33 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; 34 #if defined(SPD_spmd) 35 static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN]; 36 #endif /* SPD_spmd */ 37 38 static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 39 static unsigned char content_pk_buf[PK_DER_LEN]; 40 #endif 41 42 /* 43 * Parameter type descriptors. 44 */ 45 static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 46 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 47 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 48 AUTH_PARAM_PUB_KEY, 0); 49 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 50 AUTH_PARAM_SIG, 0); 51 static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 52 AUTH_PARAM_SIG_ALG, 0); 53 static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 54 AUTH_PARAM_RAW_DATA, 0); 55 56 static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( 57 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); 58 static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( 59 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); 60 static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( 61 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); 62 static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC( 63 AUTH_PARAM_HASH, FW_CONFIG_HASH_OID); 64 #ifdef IMAGE_BL1 65 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( 66 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); 67 static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( 68 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); 69 static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( 70 AUTH_PARAM_HASH, FWU_HASH_OID); 71 #endif /* IMAGE_BL1 */ 72 73 #ifdef IMAGE_BL2 74 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 75 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 76 77 static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 78 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 79 static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( 80 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); 81 static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 82 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 83 static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 84 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 85 static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC( 86 AUTH_PARAM_PUB_KEY, PROT_PK_OID); 87 88 static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( 89 AUTH_PARAM_HASH, SCP_FW_HASH_OID); 90 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 91 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 92 static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( 93 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); 94 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 95 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 96 static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( 97 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); 98 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 99 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 100 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 101 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 102 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 103 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 104 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( 105 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); 106 #if defined(SPD_spmd) 107 static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC( 108 AUTH_PARAM_HASH, SP_PKG1_HASH_OID); 109 static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC( 110 AUTH_PARAM_HASH, SP_PKG2_HASH_OID); 111 static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC( 112 AUTH_PARAM_HASH, SP_PKG3_HASH_OID); 113 static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC( 114 AUTH_PARAM_HASH, SP_PKG4_HASH_OID); 115 static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC( 116 AUTH_PARAM_HASH, SP_PKG5_HASH_OID); 117 static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC( 118 AUTH_PARAM_HASH, SP_PKG6_HASH_OID); 119 static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC( 120 AUTH_PARAM_HASH, SP_PKG7_HASH_OID); 121 static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC( 122 AUTH_PARAM_HASH, SP_PKG8_HASH_OID); 123 #endif /* SPD_spmd */ 124 #endif /* IMAGE_BL2 */ 125 126 127 /* BL2 */ 128 static const auth_img_desc_t trusted_boot_fw_cert = { 129 .img_id = TRUSTED_BOOT_FW_CERT_ID, 130 .img_type = IMG_CERT, 131 .parent = NULL, 132 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 133 [0] = { 134 .type = AUTH_METHOD_SIG, 135 .param.sig = { 136 .pk = &subject_pk, 137 .sig = &sig, 138 .alg = &sig_alg, 139 .data = &raw_data 140 } 141 }, 142 [1] = { 143 .type = AUTH_METHOD_NV_CTR, 144 .param.nv_ctr = { 145 .cert_nv_ctr = &trusted_nv_ctr, 146 .plat_nv_ctr = &trusted_nv_ctr 147 } 148 } 149 }, 150 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 151 [0] = { 152 .type_desc = &tb_fw_hash, 153 .data = { 154 .ptr = (void *)tb_fw_hash_buf, 155 .len = (unsigned int)HASH_DER_LEN 156 } 157 }, 158 [1] = { 159 .type_desc = &tb_fw_config_hash, 160 .data = { 161 .ptr = (void *)tb_fw_config_hash_buf, 162 .len = (unsigned int)HASH_DER_LEN 163 } 164 }, 165 [2] = { 166 .type_desc = &hw_config_hash, 167 .data = { 168 .ptr = (void *)hw_config_hash_buf, 169 .len = (unsigned int)HASH_DER_LEN 170 } 171 }, 172 [3] = { 173 .type_desc = &fw_config_hash, 174 .data = { 175 .ptr = (void *)fw_config_hash_buf, 176 .len = (unsigned int)HASH_DER_LEN 177 } 178 } 179 } 180 }; 181 182 #ifdef IMAGE_BL1 183 static const auth_img_desc_t bl2_image = { 184 .img_id = BL2_IMAGE_ID, 185 .img_type = IMG_RAW, 186 .parent = &trusted_boot_fw_cert, 187 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 188 [0] = { 189 .type = AUTH_METHOD_HASH, 190 .param.hash = { 191 .data = &raw_data, 192 .hash = &tb_fw_hash 193 } 194 } 195 } 196 }; 197 #endif /* IMAGE_BL1 */ 198 199 /* HW Config */ 200 static const auth_img_desc_t hw_config = { 201 .img_id = HW_CONFIG_ID, 202 .img_type = IMG_RAW, 203 .parent = &trusted_boot_fw_cert, 204 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 205 [0] = { 206 .type = AUTH_METHOD_HASH, 207 .param.hash = { 208 .data = &raw_data, 209 .hash = &hw_config_hash 210 } 211 } 212 } 213 }; 214 215 /* TB FW Config */ 216 #ifdef IMAGE_BL1 217 static const auth_img_desc_t tb_fw_config = { 218 .img_id = TB_FW_CONFIG_ID, 219 .img_type = IMG_RAW, 220 .parent = &trusted_boot_fw_cert, 221 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 222 [0] = { 223 .type = AUTH_METHOD_HASH, 224 .param.hash = { 225 .data = &raw_data, 226 .hash = &tb_fw_config_hash 227 } 228 } 229 } 230 }; 231 232 static const auth_img_desc_t fw_config = { 233 .img_id = FW_CONFIG_ID, 234 .img_type = IMG_RAW, 235 .parent = &trusted_boot_fw_cert, 236 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 237 [0] = { 238 .type = AUTH_METHOD_HASH, 239 .param.hash = { 240 .data = &raw_data, 241 .hash = &fw_config_hash 242 } 243 } 244 } 245 }; 246 247 #endif /* IMAGE_BL1 */ 248 249 #ifdef IMAGE_BL2 250 /* Trusted key certificate */ 251 static const auth_img_desc_t trusted_key_cert = { 252 .img_id = TRUSTED_KEY_CERT_ID, 253 .img_type = IMG_CERT, 254 .parent = NULL, 255 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 256 [0] = { 257 .type = AUTH_METHOD_SIG, 258 .param.sig = { 259 .pk = &subject_pk, 260 .sig = &sig, 261 .alg = &sig_alg, 262 .data = &raw_data 263 } 264 }, 265 [1] = { 266 .type = AUTH_METHOD_NV_CTR, 267 .param.nv_ctr = { 268 .cert_nv_ctr = &trusted_nv_ctr, 269 .plat_nv_ctr = &trusted_nv_ctr 270 } 271 } 272 }, 273 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 274 [0] = { 275 .type_desc = &trusted_world_pk, 276 .data = { 277 .ptr = (void *)trusted_world_pk_buf, 278 .len = (unsigned int)PK_DER_LEN 279 } 280 }, 281 } 282 }; 283 284 /* SCP Firmware */ 285 static const auth_img_desc_t scp_fw_key_cert = { 286 .img_id = SCP_FW_KEY_CERT_ID, 287 .img_type = IMG_CERT, 288 .parent = &trusted_key_cert, 289 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 290 [0] = { 291 .type = AUTH_METHOD_SIG, 292 .param.sig = { 293 .pk = &trusted_world_pk, 294 .sig = &sig, 295 .alg = &sig_alg, 296 .data = &raw_data 297 } 298 }, 299 [1] = { 300 .type = AUTH_METHOD_NV_CTR, 301 .param.nv_ctr = { 302 .cert_nv_ctr = &trusted_nv_ctr, 303 .plat_nv_ctr = &trusted_nv_ctr 304 } 305 } 306 }, 307 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 308 [0] = { 309 .type_desc = &scp_fw_content_pk, 310 .data = { 311 .ptr = (void *)content_pk_buf, 312 .len = (unsigned int)PK_DER_LEN 313 } 314 } 315 } 316 }; 317 318 static const auth_img_desc_t scp_fw_content_cert = { 319 .img_id = SCP_FW_CONTENT_CERT_ID, 320 .img_type = IMG_CERT, 321 .parent = &scp_fw_key_cert, 322 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 323 [0] = { 324 .type = AUTH_METHOD_SIG, 325 .param.sig = { 326 .pk = &scp_fw_content_pk, 327 .sig = &sig, 328 .alg = &sig_alg, 329 .data = &raw_data 330 } 331 }, 332 [1] = { 333 .type = AUTH_METHOD_NV_CTR, 334 .param.nv_ctr = { 335 .cert_nv_ctr = &trusted_nv_ctr, 336 .plat_nv_ctr = &trusted_nv_ctr 337 } 338 } 339 }, 340 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 341 [0] = { 342 .type_desc = &scp_fw_hash, 343 .data = { 344 .ptr = (void *)scp_fw_hash_buf, 345 .len = (unsigned int)HASH_DER_LEN 346 } 347 } 348 } 349 }; 350 351 static const auth_img_desc_t scp_bl2_image = { 352 .img_id = SCP_BL2_IMAGE_ID, 353 .img_type = IMG_RAW, 354 .parent = &scp_fw_content_cert, 355 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 356 [0] = { 357 .type = AUTH_METHOD_HASH, 358 .param.hash = { 359 .data = &raw_data, 360 .hash = &scp_fw_hash 361 } 362 } 363 } 364 }; 365 366 /* SoC Firmware */ 367 static const auth_img_desc_t soc_fw_key_cert = { 368 .img_id = SOC_FW_KEY_CERT_ID, 369 .img_type = IMG_CERT, 370 .parent = &trusted_key_cert, 371 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 372 [0] = { 373 .type = AUTH_METHOD_SIG, 374 .param.sig = { 375 .pk = &trusted_world_pk, 376 .sig = &sig, 377 .alg = &sig_alg, 378 .data = &raw_data 379 } 380 }, 381 [1] = { 382 .type = AUTH_METHOD_NV_CTR, 383 .param.nv_ctr = { 384 .cert_nv_ctr = &trusted_nv_ctr, 385 .plat_nv_ctr = &trusted_nv_ctr 386 } 387 } 388 }, 389 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 390 [0] = { 391 .type_desc = &soc_fw_content_pk, 392 .data = { 393 .ptr = (void *)content_pk_buf, 394 .len = (unsigned int)PK_DER_LEN 395 } 396 } 397 } 398 }; 399 400 static const auth_img_desc_t soc_fw_content_cert = { 401 .img_id = SOC_FW_CONTENT_CERT_ID, 402 .img_type = IMG_CERT, 403 .parent = &soc_fw_key_cert, 404 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 405 [0] = { 406 .type = AUTH_METHOD_SIG, 407 .param.sig = { 408 .pk = &soc_fw_content_pk, 409 .sig = &sig, 410 .alg = &sig_alg, 411 .data = &raw_data 412 } 413 }, 414 [1] = { 415 .type = AUTH_METHOD_NV_CTR, 416 .param.nv_ctr = { 417 .cert_nv_ctr = &trusted_nv_ctr, 418 .plat_nv_ctr = &trusted_nv_ctr 419 } 420 } 421 }, 422 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 423 [0] = { 424 .type_desc = &soc_fw_hash, 425 .data = { 426 .ptr = (void *)soc_fw_hash_buf, 427 .len = (unsigned int)HASH_DER_LEN 428 } 429 }, 430 [1] = { 431 .type_desc = &soc_fw_config_hash, 432 .data = { 433 .ptr = (void *)soc_fw_config_hash_buf, 434 .len = (unsigned int)HASH_DER_LEN 435 } 436 } 437 } 438 }; 439 440 static const auth_img_desc_t bl31_image = { 441 .img_id = BL31_IMAGE_ID, 442 .img_type = IMG_RAW, 443 .parent = &soc_fw_content_cert, 444 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 445 [0] = { 446 .type = AUTH_METHOD_HASH, 447 .param.hash = { 448 .data = &raw_data, 449 .hash = &soc_fw_hash 450 } 451 } 452 } 453 }; 454 455 /* SOC FW Config */ 456 static const auth_img_desc_t soc_fw_config = { 457 .img_id = SOC_FW_CONFIG_ID, 458 .img_type = IMG_RAW, 459 .parent = &soc_fw_content_cert, 460 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 461 [0] = { 462 .type = AUTH_METHOD_HASH, 463 .param.hash = { 464 .data = &raw_data, 465 .hash = &soc_fw_config_hash 466 } 467 } 468 } 469 }; 470 471 /* Trusted OS Firmware */ 472 static const auth_img_desc_t trusted_os_fw_key_cert = { 473 .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 474 .img_type = IMG_CERT, 475 .parent = &trusted_key_cert, 476 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 477 [0] = { 478 .type = AUTH_METHOD_SIG, 479 .param.sig = { 480 .pk = &trusted_world_pk, 481 .sig = &sig, 482 .alg = &sig_alg, 483 .data = &raw_data 484 } 485 }, 486 [1] = { 487 .type = AUTH_METHOD_NV_CTR, 488 .param.nv_ctr = { 489 .cert_nv_ctr = &trusted_nv_ctr, 490 .plat_nv_ctr = &trusted_nv_ctr 491 } 492 } 493 }, 494 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 495 [0] = { 496 .type_desc = &tos_fw_content_pk, 497 .data = { 498 .ptr = (void *)content_pk_buf, 499 .len = (unsigned int)PK_DER_LEN 500 } 501 } 502 } 503 }; 504 505 static const auth_img_desc_t trusted_os_fw_content_cert = { 506 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 507 .img_type = IMG_CERT, 508 .parent = &trusted_os_fw_key_cert, 509 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 510 [0] = { 511 .type = AUTH_METHOD_SIG, 512 .param.sig = { 513 .pk = &tos_fw_content_pk, 514 .sig = &sig, 515 .alg = &sig_alg, 516 .data = &raw_data 517 } 518 }, 519 [1] = { 520 .type = AUTH_METHOD_NV_CTR, 521 .param.nv_ctr = { 522 .cert_nv_ctr = &trusted_nv_ctr, 523 .plat_nv_ctr = &trusted_nv_ctr 524 } 525 } 526 }, 527 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 528 [0] = { 529 .type_desc = &tos_fw_hash, 530 .data = { 531 .ptr = (void *)tos_fw_hash_buf, 532 .len = (unsigned int)HASH_DER_LEN 533 } 534 }, 535 [1] = { 536 .type_desc = &tos_fw_extra1_hash, 537 .data = { 538 .ptr = (void *)tos_fw_extra1_hash_buf, 539 .len = (unsigned int)HASH_DER_LEN 540 } 541 }, 542 [2] = { 543 .type_desc = &tos_fw_extra2_hash, 544 .data = { 545 .ptr = (void *)tos_fw_extra2_hash_buf, 546 .len = (unsigned int)HASH_DER_LEN 547 } 548 }, 549 [3] = { 550 .type_desc = &tos_fw_config_hash, 551 .data = { 552 .ptr = (void *)tos_fw_config_hash_buf, 553 .len = (unsigned int)HASH_DER_LEN 554 } 555 } 556 } 557 }; 558 559 static const auth_img_desc_t bl32_image = { 560 .img_id = BL32_IMAGE_ID, 561 .img_type = IMG_RAW, 562 .parent = &trusted_os_fw_content_cert, 563 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 564 [0] = { 565 .type = AUTH_METHOD_HASH, 566 .param.hash = { 567 .data = &raw_data, 568 .hash = &tos_fw_hash 569 } 570 } 571 } 572 }; 573 574 static const auth_img_desc_t bl32_extra1_image = { 575 .img_id = BL32_EXTRA1_IMAGE_ID, 576 .img_type = IMG_RAW, 577 .parent = &trusted_os_fw_content_cert, 578 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 579 [0] = { 580 .type = AUTH_METHOD_HASH, 581 .param.hash = { 582 .data = &raw_data, 583 .hash = &tos_fw_extra1_hash 584 } 585 } 586 } 587 }; 588 589 static const auth_img_desc_t bl32_extra2_image = { 590 .img_id = BL32_EXTRA2_IMAGE_ID, 591 .img_type = IMG_RAW, 592 .parent = &trusted_os_fw_content_cert, 593 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 594 [0] = { 595 .type = AUTH_METHOD_HASH, 596 .param.hash = { 597 .data = &raw_data, 598 .hash = &tos_fw_extra2_hash 599 } 600 } 601 } 602 }; 603 604 /* TOS FW Config */ 605 static const auth_img_desc_t tos_fw_config = { 606 .img_id = TOS_FW_CONFIG_ID, 607 .img_type = IMG_RAW, 608 .parent = &trusted_os_fw_content_cert, 609 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 610 [0] = { 611 .type = AUTH_METHOD_HASH, 612 .param.hash = { 613 .data = &raw_data, 614 .hash = &tos_fw_config_hash 615 } 616 } 617 } 618 }; 619 620 /* Non-Trusted Firmware */ 621 static const auth_img_desc_t non_trusted_fw_content_cert = { 622 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 623 .img_type = IMG_CERT, 624 .parent = NULL, /* Root certificate. */ 625 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 626 [0] = { 627 .type = AUTH_METHOD_SIG, 628 .param.sig = { 629 .pk = &prot_pk, 630 .sig = &sig, 631 .alg = &sig_alg, 632 .data = &raw_data 633 } 634 }, 635 [1] = { 636 .type = AUTH_METHOD_NV_CTR, 637 .param.nv_ctr = { 638 .cert_nv_ctr = &non_trusted_nv_ctr, 639 .plat_nv_ctr = &non_trusted_nv_ctr 640 } 641 } 642 }, 643 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 644 [0] = { 645 .type_desc = &nt_world_bl_hash, 646 .data = { 647 .ptr = (void *)nt_world_bl_hash_buf, 648 .len = (unsigned int)HASH_DER_LEN 649 } 650 }, 651 [1] = { 652 .type_desc = &nt_fw_config_hash, 653 .data = { 654 .ptr = (void *)nt_fw_config_hash_buf, 655 .len = (unsigned int)HASH_DER_LEN 656 } 657 } 658 } 659 }; 660 661 static const auth_img_desc_t bl33_image = { 662 .img_id = BL33_IMAGE_ID, 663 .img_type = IMG_RAW, 664 .parent = &non_trusted_fw_content_cert, 665 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 666 [0] = { 667 .type = AUTH_METHOD_HASH, 668 .param.hash = { 669 .data = &raw_data, 670 .hash = &nt_world_bl_hash 671 } 672 } 673 } 674 }; 675 676 /* NT FW Config */ 677 static const auth_img_desc_t nt_fw_config = { 678 .img_id = NT_FW_CONFIG_ID, 679 .img_type = IMG_RAW, 680 .parent = &non_trusted_fw_content_cert, 681 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 682 [0] = { 683 .type = AUTH_METHOD_HASH, 684 .param.hash = { 685 .data = &raw_data, 686 .hash = &nt_fw_config_hash 687 } 688 } 689 } 690 }; 691 692 /* 693 * Secure Partitions 694 */ 695 #if defined(SPD_spmd) 696 static const auth_img_desc_t sip_sp_content_cert = { 697 .img_id = SIP_SP_CONTENT_CERT_ID, 698 .img_type = IMG_CERT, 699 .parent = &trusted_key_cert, 700 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 701 [0] = { 702 .type = AUTH_METHOD_SIG, 703 .param.sig = { 704 .pk = &trusted_world_pk, 705 .sig = &sig, 706 .alg = &sig_alg, 707 .data = &raw_data 708 } 709 }, 710 [1] = { 711 .type = AUTH_METHOD_NV_CTR, 712 .param.nv_ctr = { 713 .cert_nv_ctr = &trusted_nv_ctr, 714 .plat_nv_ctr = &trusted_nv_ctr 715 } 716 } 717 }, 718 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 719 [0] = { 720 .type_desc = &sp_pkg1_hash, 721 .data = { 722 .ptr = (void *)sp_pkg_hash_buf[0], 723 .len = (unsigned int)HASH_DER_LEN 724 } 725 }, 726 [1] = { 727 .type_desc = &sp_pkg2_hash, 728 .data = { 729 .ptr = (void *)sp_pkg_hash_buf[1], 730 .len = (unsigned int)HASH_DER_LEN 731 } 732 }, 733 [2] = { 734 .type_desc = &sp_pkg3_hash, 735 .data = { 736 .ptr = (void *)sp_pkg_hash_buf[2], 737 .len = (unsigned int)HASH_DER_LEN 738 } 739 }, 740 [3] = { 741 .type_desc = &sp_pkg4_hash, 742 .data = { 743 .ptr = (void *)sp_pkg_hash_buf[3], 744 .len = (unsigned int)HASH_DER_LEN 745 } 746 } 747 } 748 }; 749 750 DEFINE_SIP_SP_PKG(1); 751 DEFINE_SIP_SP_PKG(2); 752 DEFINE_SIP_SP_PKG(3); 753 DEFINE_SIP_SP_PKG(4); 754 755 static const auth_img_desc_t plat_sp_content_cert = { 756 .img_id = PLAT_SP_CONTENT_CERT_ID, 757 .img_type = IMG_CERT, 758 .parent = NULL, 759 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 760 [0] = { 761 .type = AUTH_METHOD_SIG, 762 .param.sig = { 763 .pk = &prot_pk, 764 .sig = &sig, 765 .alg = &sig_alg, 766 .data = &raw_data 767 } 768 }, 769 [1] = { 770 .type = AUTH_METHOD_NV_CTR, 771 .param.nv_ctr = { 772 .cert_nv_ctr = &non_trusted_nv_ctr, 773 .plat_nv_ctr = &non_trusted_nv_ctr 774 } 775 } 776 }, 777 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 778 [0] = { 779 .type_desc = &sp_pkg5_hash, 780 .data = { 781 .ptr = (void *)sp_pkg_hash_buf[4], 782 .len = (unsigned int)HASH_DER_LEN 783 } 784 }, 785 [1] = { 786 .type_desc = &sp_pkg6_hash, 787 .data = { 788 .ptr = (void *)sp_pkg_hash_buf[5], 789 .len = (unsigned int)HASH_DER_LEN 790 } 791 }, 792 [2] = { 793 .type_desc = &sp_pkg7_hash, 794 .data = { 795 .ptr = (void *)sp_pkg_hash_buf[6], 796 .len = (unsigned int)HASH_DER_LEN 797 } 798 }, 799 [3] = { 800 .type_desc = &sp_pkg8_hash, 801 .data = { 802 .ptr = (void *)sp_pkg_hash_buf[7], 803 .len = (unsigned int)HASH_DER_LEN 804 } 805 } 806 } 807 }; 808 809 DEFINE_PLAT_SP_PKG(5); 810 DEFINE_PLAT_SP_PKG(6); 811 DEFINE_PLAT_SP_PKG(7); 812 DEFINE_PLAT_SP_PKG(8); 813 #endif /* SPD_spmd */ 814 815 #else /* IMAGE_BL2 */ 816 817 /* FWU auth descriptor */ 818 static const auth_img_desc_t fwu_cert = { 819 .img_id = FWU_CERT_ID, 820 .img_type = IMG_CERT, 821 .parent = NULL, 822 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 823 [0] = { 824 .type = AUTH_METHOD_SIG, 825 .param.sig = { 826 .pk = &subject_pk, 827 .sig = &sig, 828 .alg = &sig_alg, 829 .data = &raw_data 830 } 831 } 832 }, 833 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 834 [0] = { 835 .type_desc = &scp_bl2u_hash, 836 .data = { 837 .ptr = (void *)scp_fw_hash_buf, 838 .len = (unsigned int)HASH_DER_LEN 839 } 840 }, 841 [1] = { 842 .type_desc = &bl2u_hash, 843 .data = { 844 .ptr = (void *)tb_fw_hash_buf, 845 .len = (unsigned int)HASH_DER_LEN 846 } 847 }, 848 [2] = { 849 .type_desc = &ns_bl2u_hash, 850 .data = { 851 .ptr = (void *)nt_world_bl_hash_buf, 852 .len = (unsigned int)HASH_DER_LEN 853 } 854 } 855 } 856 }; 857 858 /* SCP_BL2U */ 859 static const auth_img_desc_t scp_bl2u_image = { 860 .img_id = SCP_BL2U_IMAGE_ID, 861 .img_type = IMG_RAW, 862 .parent = &fwu_cert, 863 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 864 [0] = { 865 .type = AUTH_METHOD_HASH, 866 .param.hash = { 867 .data = &raw_data, 868 .hash = &scp_bl2u_hash 869 } 870 } 871 } 872 }; 873 874 /* BL2U */ 875 static const auth_img_desc_t bl2u_image = { 876 .img_id = BL2U_IMAGE_ID, 877 .img_type = IMG_RAW, 878 .parent = &fwu_cert, 879 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 880 [0] = { 881 .type = AUTH_METHOD_HASH, 882 .param.hash = { 883 .data = &raw_data, 884 .hash = &bl2u_hash 885 } 886 } 887 } 888 }; 889 890 /* NS_BL2U */ 891 static const auth_img_desc_t ns_bl2u_image = { 892 .img_id = NS_BL2U_IMAGE_ID, 893 .img_type = IMG_RAW, 894 .parent = &fwu_cert, 895 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 896 [0] = { 897 .type = AUTH_METHOD_HASH, 898 .param.hash = { 899 .data = &raw_data, 900 .hash = &ns_bl2u_hash 901 } 902 } 903 } 904 }; 905 #endif /* IMAGE_BL2 */ 906 907 /* 908 * Chain of trust definition 909 */ 910 #ifdef IMAGE_BL1 911 static const auth_img_desc_t * const cot_desc[] = { 912 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 913 [BL2_IMAGE_ID] = &bl2_image, 914 [HW_CONFIG_ID] = &hw_config, 915 [TB_FW_CONFIG_ID] = &tb_fw_config, 916 [FW_CONFIG_ID] = &fw_config, 917 [FWU_CERT_ID] = &fwu_cert, 918 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, 919 [BL2U_IMAGE_ID] = &bl2u_image, 920 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image 921 }; 922 #else /* IMAGE_BL2 */ 923 static const auth_img_desc_t * const cot_desc[] = { 924 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 925 [HW_CONFIG_ID] = &hw_config, 926 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, 927 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert, 928 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert, 929 [SCP_BL2_IMAGE_ID] = &scp_bl2_image, 930 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, 931 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, 932 [BL31_IMAGE_ID] = &bl31_image, 933 [SOC_FW_CONFIG_ID] = &soc_fw_config, 934 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, 935 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, 936 [BL32_IMAGE_ID] = &bl32_image, 937 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, 938 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, 939 [TOS_FW_CONFIG_ID] = &tos_fw_config, 940 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, 941 [BL33_IMAGE_ID] = &bl33_image, 942 [NT_FW_CONFIG_ID] = &nt_fw_config, 943 #if defined(SPD_spmd) 944 [SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert, 945 [PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert, 946 [SP_PKG1_ID] = &sp_pkg1, 947 [SP_PKG2_ID] = &sp_pkg2, 948 [SP_PKG3_ID] = &sp_pkg3, 949 [SP_PKG4_ID] = &sp_pkg4, 950 [SP_PKG5_ID] = &sp_pkg5, 951 [SP_PKG6_ID] = &sp_pkg6, 952 [SP_PKG7_ID] = &sp_pkg7, 953 [SP_PKG8_ID] = &sp_pkg8, 954 #endif 955 }; 956 #endif 957 958 /* Register the CoT in the authentication module */ 959 REGISTER_COT(cot_desc); 960