1 /* 2 * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <stddef.h> 8 9 #include <platform_def.h> 10 #include <drivers/auth/mbedtls/mbedtls_config.h> 11 12 #include <drivers/auth/auth_mod.h> 13 #if USE_TBBR_DEFS 14 #include <tools_share/tbbr_oid.h> 15 #else 16 #include <platform_oid.h> 17 #endif 18 19 20 /* 21 * Maximum key and hash sizes (in DER format) 22 */ 23 #if TF_MBEDTLS_USE_RSA 24 #if TF_MBEDTLS_KEY_SIZE == 1024 25 #define PK_DER_LEN 162 26 #elif TF_MBEDTLS_KEY_SIZE == 2048 27 #define PK_DER_LEN 294 28 #elif TF_MBEDTLS_KEY_SIZE == 3072 29 #define PK_DER_LEN 422 30 #elif TF_MBEDTLS_KEY_SIZE == 4096 31 #define PK_DER_LEN 550 32 #else 33 #error "Invalid value for TF_MBEDTLS_KEY_SIZE" 34 #endif 35 #else 36 #define PK_DER_LEN 294 37 #endif 38 39 #define HASH_DER_LEN 83 40 41 /* 42 * The platform must allocate buffers to store the authentication parameters 43 * extracted from the certificates. In this case, because of the way the CoT is 44 * established, we can reuse some of the buffers on different stages 45 */ 46 47 static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; 48 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; 49 static unsigned char hw_config_hash_buf[HASH_DER_LEN]; 50 static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; 51 static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 52 53 #ifdef IMAGE_BL2 54 static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 55 static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 56 static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 57 static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 58 static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 59 static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; 60 static unsigned char content_pk_buf[PK_DER_LEN]; 61 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; 62 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; 63 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; 64 #endif 65 66 /* 67 * Parameter type descriptors 68 */ 69 static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 70 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 71 72 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 73 AUTH_PARAM_PUB_KEY, 0); 74 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 75 AUTH_PARAM_SIG, 0); 76 static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 77 AUTH_PARAM_SIG_ALG, 0); 78 static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 79 AUTH_PARAM_RAW_DATA, 0); 80 81 82 static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( 83 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); 84 static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( 85 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); 86 static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( 87 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); 88 #ifdef IMAGE_BL1 89 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( 90 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); 91 static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( 92 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); 93 static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( 94 AUTH_PARAM_HASH, FWU_HASH_OID); 95 #endif /* IMAGE_BL1 */ 96 97 #ifdef IMAGE_BL2 98 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 99 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 100 static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 101 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 102 static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( 103 AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); 104 static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( 105 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); 106 static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 107 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 108 static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 109 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 110 static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( 111 AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); 112 static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( 113 AUTH_PARAM_HASH, SCP_FW_HASH_OID); 114 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 115 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 116 static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( 117 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); 118 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 119 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 120 static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( 121 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); 122 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 123 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 124 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 125 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 126 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 127 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 128 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( 129 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); 130 131 #endif /* IMAGE_BL2 */ 132 133 134 /* 135 * BL2 136 */ 137 static const auth_img_desc_t trusted_boot_fw_cert = { 138 .img_id = TRUSTED_BOOT_FW_CERT_ID, 139 .img_type = IMG_CERT, 140 .parent = NULL, 141 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 142 [0] = { 143 .type = AUTH_METHOD_SIG, 144 .param.sig = { 145 .pk = &subject_pk, 146 .sig = &sig, 147 .alg = &sig_alg, 148 .data = &raw_data 149 } 150 }, 151 [1] = { 152 .type = AUTH_METHOD_NV_CTR, 153 .param.nv_ctr = { 154 .cert_nv_ctr = &trusted_nv_ctr, 155 .plat_nv_ctr = &trusted_nv_ctr 156 } 157 } 158 }, 159 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 160 [0] = { 161 .type_desc = &tb_fw_hash, 162 .data = { 163 .ptr = (void *)tb_fw_hash_buf, 164 .len = (unsigned int)HASH_DER_LEN 165 } 166 }, 167 [1] = { 168 .type_desc = &tb_fw_config_hash, 169 .data = { 170 .ptr = (void *)tb_fw_config_hash_buf, 171 .len = (unsigned int)HASH_DER_LEN 172 } 173 }, 174 [2] = { 175 .type_desc = &hw_config_hash, 176 .data = { 177 .ptr = (void *)hw_config_hash_buf, 178 .len = (unsigned int)HASH_DER_LEN 179 } 180 } 181 } 182 }; 183 #ifdef IMAGE_BL1 184 static const auth_img_desc_t bl2_image = { 185 .img_id = BL2_IMAGE_ID, 186 .img_type = IMG_RAW, 187 .parent = &trusted_boot_fw_cert, 188 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 189 [0] = { 190 .type = AUTH_METHOD_HASH, 191 .param.hash = { 192 .data = &raw_data, 193 .hash = &tb_fw_hash 194 } 195 } 196 } 197 }; 198 #endif /* IMAGE_BL1 */ 199 /* HW Config */ 200 static const auth_img_desc_t hw_config = { 201 .img_id = HW_CONFIG_ID, 202 .img_type = IMG_RAW, 203 .parent = &trusted_boot_fw_cert, 204 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 205 [0] = { 206 .type = AUTH_METHOD_HASH, 207 .param.hash = { 208 .data = &raw_data, 209 .hash = &hw_config_hash 210 } 211 } 212 } 213 }; 214 /* TB FW Config */ 215 #ifdef IMAGE_BL1 216 static const auth_img_desc_t tb_fw_config = { 217 .img_id = TB_FW_CONFIG_ID, 218 .img_type = IMG_RAW, 219 .parent = &trusted_boot_fw_cert, 220 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 221 [0] = { 222 .type = AUTH_METHOD_HASH, 223 .param.hash = { 224 .data = &raw_data, 225 .hash = &tb_fw_config_hash 226 } 227 } 228 } 229 }; 230 #endif /* IMAGE_BL1 */ 231 #ifdef IMAGE_BL2 232 /* 233 * Trusted key certificate 234 */ 235 static const auth_img_desc_t trusted_key_cert = { 236 .img_id = TRUSTED_KEY_CERT_ID, 237 .img_type = IMG_CERT, 238 .parent = NULL, 239 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 240 [0] = { 241 .type = AUTH_METHOD_SIG, 242 .param.sig = { 243 .pk = &subject_pk, 244 .sig = &sig, 245 .alg = &sig_alg, 246 .data = &raw_data 247 } 248 }, 249 [1] = { 250 .type = AUTH_METHOD_NV_CTR, 251 .param.nv_ctr = { 252 .cert_nv_ctr = &trusted_nv_ctr, 253 .plat_nv_ctr = &trusted_nv_ctr 254 } 255 } 256 }, 257 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 258 [0] = { 259 .type_desc = &trusted_world_pk, 260 .data = { 261 .ptr = (void *)trusted_world_pk_buf, 262 .len = (unsigned int)PK_DER_LEN 263 } 264 }, 265 [1] = { 266 .type_desc = &non_trusted_world_pk, 267 .data = { 268 .ptr = (void *)non_trusted_world_pk_buf, 269 .len = (unsigned int)PK_DER_LEN 270 } 271 } 272 } 273 }; 274 /* 275 * SCP Firmware 276 */ 277 static const auth_img_desc_t scp_fw_key_cert = { 278 .img_id = SCP_FW_KEY_CERT_ID, 279 .img_type = IMG_CERT, 280 .parent = &trusted_key_cert, 281 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 282 [0] = { 283 .type = AUTH_METHOD_SIG, 284 .param.sig = { 285 .pk = &trusted_world_pk, 286 .sig = &sig, 287 .alg = &sig_alg, 288 .data = &raw_data 289 } 290 }, 291 [1] = { 292 .type = AUTH_METHOD_NV_CTR, 293 .param.nv_ctr = { 294 .cert_nv_ctr = &trusted_nv_ctr, 295 .plat_nv_ctr = &trusted_nv_ctr 296 } 297 } 298 }, 299 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 300 [0] = { 301 .type_desc = &scp_fw_content_pk, 302 .data = { 303 .ptr = (void *)content_pk_buf, 304 .len = (unsigned int)PK_DER_LEN 305 } 306 } 307 } 308 }; 309 static const auth_img_desc_t scp_fw_content_cert = { 310 .img_id = SCP_FW_CONTENT_CERT_ID, 311 .img_type = IMG_CERT, 312 .parent = &scp_fw_key_cert, 313 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 314 [0] = { 315 .type = AUTH_METHOD_SIG, 316 .param.sig = { 317 .pk = &scp_fw_content_pk, 318 .sig = &sig, 319 .alg = &sig_alg, 320 .data = &raw_data 321 } 322 }, 323 [1] = { 324 .type = AUTH_METHOD_NV_CTR, 325 .param.nv_ctr = { 326 .cert_nv_ctr = &trusted_nv_ctr, 327 .plat_nv_ctr = &trusted_nv_ctr 328 } 329 } 330 }, 331 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 332 [0] = { 333 .type_desc = &scp_fw_hash, 334 .data = { 335 .ptr = (void *)scp_fw_hash_buf, 336 .len = (unsigned int)HASH_DER_LEN 337 } 338 } 339 } 340 }; 341 static const auth_img_desc_t scp_bl2_image = { 342 .img_id = SCP_BL2_IMAGE_ID, 343 .img_type = IMG_RAW, 344 .parent = &scp_fw_content_cert, 345 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 346 [0] = { 347 .type = AUTH_METHOD_HASH, 348 .param.hash = { 349 .data = &raw_data, 350 .hash = &scp_fw_hash 351 } 352 } 353 } 354 }; 355 /* 356 * SoC Firmware 357 */ 358 static const auth_img_desc_t soc_fw_key_cert = { 359 .img_id = SOC_FW_KEY_CERT_ID, 360 .img_type = IMG_CERT, 361 .parent = &trusted_key_cert, 362 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 363 [0] = { 364 .type = AUTH_METHOD_SIG, 365 .param.sig = { 366 .pk = &trusted_world_pk, 367 .sig = &sig, 368 .alg = &sig_alg, 369 .data = &raw_data 370 } 371 }, 372 [1] = { 373 .type = AUTH_METHOD_NV_CTR, 374 .param.nv_ctr = { 375 .cert_nv_ctr = &trusted_nv_ctr, 376 .plat_nv_ctr = &trusted_nv_ctr 377 } 378 } 379 }, 380 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 381 [0] = { 382 .type_desc = &soc_fw_content_pk, 383 .data = { 384 .ptr = (void *)content_pk_buf, 385 .len = (unsigned int)PK_DER_LEN 386 } 387 } 388 } 389 }; 390 static const auth_img_desc_t soc_fw_content_cert = { 391 .img_id = SOC_FW_CONTENT_CERT_ID, 392 .img_type = IMG_CERT, 393 .parent = &soc_fw_key_cert, 394 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 395 [0] = { 396 .type = AUTH_METHOD_SIG, 397 .param.sig = { 398 .pk = &soc_fw_content_pk, 399 .sig = &sig, 400 .alg = &sig_alg, 401 .data = &raw_data 402 } 403 }, 404 [1] = { 405 .type = AUTH_METHOD_NV_CTR, 406 .param.nv_ctr = { 407 .cert_nv_ctr = &trusted_nv_ctr, 408 .plat_nv_ctr = &trusted_nv_ctr 409 } 410 } 411 }, 412 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 413 [0] = { 414 .type_desc = &soc_fw_hash, 415 .data = { 416 .ptr = (void *)soc_fw_hash_buf, 417 .len = (unsigned int)HASH_DER_LEN 418 } 419 }, 420 [1] = { 421 .type_desc = &soc_fw_config_hash, 422 .data = { 423 .ptr = (void *)soc_fw_config_hash_buf, 424 .len = (unsigned int)HASH_DER_LEN 425 } 426 } 427 } 428 }; 429 static const auth_img_desc_t bl31_image = { 430 .img_id = BL31_IMAGE_ID, 431 .img_type = IMG_RAW, 432 .parent = &soc_fw_content_cert, 433 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 434 [0] = { 435 .type = AUTH_METHOD_HASH, 436 .param.hash = { 437 .data = &raw_data, 438 .hash = &soc_fw_hash 439 } 440 } 441 } 442 }; 443 /* SOC FW Config */ 444 static const auth_img_desc_t soc_fw_config = { 445 .img_id = SOC_FW_CONFIG_ID, 446 .img_type = IMG_RAW, 447 .parent = &soc_fw_content_cert, 448 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 449 [0] = { 450 .type = AUTH_METHOD_HASH, 451 .param.hash = { 452 .data = &raw_data, 453 .hash = &soc_fw_config_hash 454 } 455 } 456 } 457 }; 458 /* 459 * Trusted OS Firmware 460 */ 461 static const auth_img_desc_t trusted_os_fw_key_cert = { 462 .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 463 .img_type = IMG_CERT, 464 .parent = &trusted_key_cert, 465 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 466 [0] = { 467 .type = AUTH_METHOD_SIG, 468 .param.sig = { 469 .pk = &trusted_world_pk, 470 .sig = &sig, 471 .alg = &sig_alg, 472 .data = &raw_data 473 } 474 }, 475 [1] = { 476 .type = AUTH_METHOD_NV_CTR, 477 .param.nv_ctr = { 478 .cert_nv_ctr = &trusted_nv_ctr, 479 .plat_nv_ctr = &trusted_nv_ctr 480 } 481 } 482 }, 483 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 484 [0] = { 485 .type_desc = &tos_fw_content_pk, 486 .data = { 487 .ptr = (void *)content_pk_buf, 488 .len = (unsigned int)PK_DER_LEN 489 } 490 } 491 } 492 }; 493 static const auth_img_desc_t trusted_os_fw_content_cert = { 494 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 495 .img_type = IMG_CERT, 496 .parent = &trusted_os_fw_key_cert, 497 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 498 [0] = { 499 .type = AUTH_METHOD_SIG, 500 .param.sig = { 501 .pk = &tos_fw_content_pk, 502 .sig = &sig, 503 .alg = &sig_alg, 504 .data = &raw_data 505 } 506 }, 507 [1] = { 508 .type = AUTH_METHOD_NV_CTR, 509 .param.nv_ctr = { 510 .cert_nv_ctr = &trusted_nv_ctr, 511 .plat_nv_ctr = &trusted_nv_ctr 512 } 513 } 514 }, 515 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 516 [0] = { 517 .type_desc = &tos_fw_hash, 518 .data = { 519 .ptr = (void *)tos_fw_hash_buf, 520 .len = (unsigned int)HASH_DER_LEN 521 } 522 }, 523 [1] = { 524 .type_desc = &tos_fw_extra1_hash, 525 .data = { 526 .ptr = (void *)tos_fw_extra1_hash_buf, 527 .len = (unsigned int)HASH_DER_LEN 528 } 529 }, 530 [2] = { 531 .type_desc = &tos_fw_extra2_hash, 532 .data = { 533 .ptr = (void *)tos_fw_extra2_hash_buf, 534 .len = (unsigned int)HASH_DER_LEN 535 } 536 }, 537 [3] = { 538 .type_desc = &tos_fw_config_hash, 539 .data = { 540 .ptr = (void *)tos_fw_config_hash_buf, 541 .len = (unsigned int)HASH_DER_LEN 542 } 543 } 544 } 545 }; 546 static const auth_img_desc_t bl32_image = { 547 .img_id = BL32_IMAGE_ID, 548 .img_type = IMG_RAW, 549 .parent = &trusted_os_fw_content_cert, 550 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 551 [0] = { 552 .type = AUTH_METHOD_HASH, 553 .param.hash = { 554 .data = &raw_data, 555 .hash = &tos_fw_hash 556 } 557 } 558 } 559 }; 560 static const auth_img_desc_t bl32_extra1_image = { 561 .img_id = BL32_EXTRA1_IMAGE_ID, 562 .img_type = IMG_RAW, 563 .parent = &trusted_os_fw_content_cert, 564 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 565 [0] = { 566 .type = AUTH_METHOD_HASH, 567 .param.hash = { 568 .data = &raw_data, 569 .hash = &tos_fw_extra1_hash 570 } 571 } 572 } 573 }; 574 static const auth_img_desc_t bl32_extra2_image = { 575 .img_id = BL32_EXTRA2_IMAGE_ID, 576 .img_type = IMG_RAW, 577 .parent = &trusted_os_fw_content_cert, 578 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 579 [0] = { 580 .type = AUTH_METHOD_HASH, 581 .param.hash = { 582 .data = &raw_data, 583 .hash = &tos_fw_extra2_hash 584 } 585 } 586 } 587 }; 588 /* TOS FW Config */ 589 static const auth_img_desc_t tos_fw_config = { 590 .img_id = TOS_FW_CONFIG_ID, 591 .img_type = IMG_RAW, 592 .parent = &trusted_os_fw_content_cert, 593 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 594 [0] = { 595 .type = AUTH_METHOD_HASH, 596 .param.hash = { 597 .data = &raw_data, 598 .hash = &tos_fw_config_hash 599 } 600 } 601 } 602 }; 603 /* 604 * Non-Trusted Firmware 605 */ 606 static const auth_img_desc_t non_trusted_fw_key_cert = { 607 .img_id = NON_TRUSTED_FW_KEY_CERT_ID, 608 .img_type = IMG_CERT, 609 .parent = &trusted_key_cert, 610 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 611 [0] = { 612 .type = AUTH_METHOD_SIG, 613 .param.sig = { 614 .pk = &non_trusted_world_pk, 615 .sig = &sig, 616 .alg = &sig_alg, 617 .data = &raw_data 618 } 619 }, 620 [1] = { 621 .type = AUTH_METHOD_NV_CTR, 622 .param.nv_ctr = { 623 .cert_nv_ctr = &non_trusted_nv_ctr, 624 .plat_nv_ctr = &non_trusted_nv_ctr 625 } 626 } 627 }, 628 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 629 [0] = { 630 .type_desc = &nt_fw_content_pk, 631 .data = { 632 .ptr = (void *)content_pk_buf, 633 .len = (unsigned int)PK_DER_LEN 634 } 635 } 636 } 637 }; 638 static const auth_img_desc_t non_trusted_fw_content_cert = { 639 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 640 .img_type = IMG_CERT, 641 .parent = &non_trusted_fw_key_cert, 642 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 643 [0] = { 644 .type = AUTH_METHOD_SIG, 645 .param.sig = { 646 .pk = &nt_fw_content_pk, 647 .sig = &sig, 648 .alg = &sig_alg, 649 .data = &raw_data 650 } 651 }, 652 [1] = { 653 .type = AUTH_METHOD_NV_CTR, 654 .param.nv_ctr = { 655 .cert_nv_ctr = &non_trusted_nv_ctr, 656 .plat_nv_ctr = &non_trusted_nv_ctr 657 } 658 } 659 }, 660 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 661 [0] = { 662 .type_desc = &nt_world_bl_hash, 663 .data = { 664 .ptr = (void *)nt_world_bl_hash_buf, 665 .len = (unsigned int)HASH_DER_LEN 666 } 667 }, 668 [1] = { 669 .type_desc = &nt_fw_config_hash, 670 .data = { 671 .ptr = (void *)nt_fw_config_hash_buf, 672 .len = (unsigned int)HASH_DER_LEN 673 } 674 } 675 } 676 }; 677 static const auth_img_desc_t bl33_image = { 678 .img_id = BL33_IMAGE_ID, 679 .img_type = IMG_RAW, 680 .parent = &non_trusted_fw_content_cert, 681 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 682 [0] = { 683 .type = AUTH_METHOD_HASH, 684 .param.hash = { 685 .data = &raw_data, 686 .hash = &nt_world_bl_hash 687 } 688 } 689 } 690 }; 691 /* NT FW Config */ 692 static const auth_img_desc_t nt_fw_config = { 693 .img_id = NT_FW_CONFIG_ID, 694 .img_type = IMG_RAW, 695 .parent = &non_trusted_fw_content_cert, 696 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 697 [0] = { 698 .type = AUTH_METHOD_HASH, 699 .param.hash = { 700 .data = &raw_data, 701 .hash = &nt_fw_config_hash 702 } 703 } 704 } 705 }; 706 #else /* IMAGE_BL2 */ 707 /* 708 * FWU auth descriptor. 709 */ 710 static const auth_img_desc_t fwu_cert = { 711 .img_id = FWU_CERT_ID, 712 .img_type = IMG_CERT, 713 .parent = NULL, 714 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 715 [0] = { 716 .type = AUTH_METHOD_SIG, 717 .param.sig = { 718 .pk = &subject_pk, 719 .sig = &sig, 720 .alg = &sig_alg, 721 .data = &raw_data 722 } 723 } 724 }, 725 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 726 [0] = { 727 .type_desc = &scp_bl2u_hash, 728 .data = { 729 .ptr = (void *)scp_fw_hash_buf, 730 .len = (unsigned int)HASH_DER_LEN 731 } 732 }, 733 [1] = { 734 .type_desc = &bl2u_hash, 735 .data = { 736 .ptr = (void *)tb_fw_hash_buf, 737 .len = (unsigned int)HASH_DER_LEN 738 } 739 }, 740 [2] = { 741 .type_desc = &ns_bl2u_hash, 742 .data = { 743 .ptr = (void *)nt_world_bl_hash_buf, 744 .len = (unsigned int)HASH_DER_LEN 745 } 746 } 747 } 748 }; 749 /* 750 * SCP_BL2U 751 */ 752 static const auth_img_desc_t scp_bl2u_image = { 753 .img_id = SCP_BL2U_IMAGE_ID, 754 .img_type = IMG_RAW, 755 .parent = &fwu_cert, 756 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 757 [0] = { 758 .type = AUTH_METHOD_HASH, 759 .param.hash = { 760 .data = &raw_data, 761 .hash = &scp_bl2u_hash 762 } 763 } 764 } 765 }; 766 /* 767 * BL2U 768 */ 769 static const auth_img_desc_t bl2u_image = { 770 .img_id = BL2U_IMAGE_ID, 771 .img_type = IMG_RAW, 772 .parent = &fwu_cert, 773 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 774 [0] = { 775 .type = AUTH_METHOD_HASH, 776 .param.hash = { 777 .data = &raw_data, 778 .hash = &bl2u_hash 779 } 780 } 781 } 782 }; 783 /* 784 * NS_BL2U 785 */ 786 static const auth_img_desc_t ns_bl2u_image = { 787 .img_id = NS_BL2U_IMAGE_ID, 788 .img_type = IMG_RAW, 789 .parent = &fwu_cert, 790 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 791 [0] = { 792 .type = AUTH_METHOD_HASH, 793 .param.hash = { 794 .data = &raw_data, 795 .hash = &ns_bl2u_hash 796 } 797 } 798 } 799 }; 800 #endif /* IMAGE_BL2 */ 801 /* 802 * TBBR Chain of trust definition 803 */ 804 805 #ifdef IMAGE_BL1 806 static const auth_img_desc_t * const cot_desc[] = { 807 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 808 [BL2_IMAGE_ID] = &bl2_image, 809 [HW_CONFIG_ID] = &hw_config, 810 [TB_FW_CONFIG_ID] = &tb_fw_config, 811 [FWU_CERT_ID] = &fwu_cert, 812 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, 813 [BL2U_IMAGE_ID] = &bl2u_image, 814 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image 815 }; 816 #else /* IMAGE_BL2 */ 817 static const auth_img_desc_t * const cot_desc[] = { 818 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 819 [HW_CONFIG_ID] = &hw_config, 820 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, 821 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert, 822 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert, 823 [SCP_BL2_IMAGE_ID] = &scp_bl2_image, 824 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, 825 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, 826 [BL31_IMAGE_ID] = &bl31_image, 827 [SOC_FW_CONFIG_ID] = &soc_fw_config, 828 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, 829 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, 830 [BL32_IMAGE_ID] = &bl32_image, 831 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, 832 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, 833 [TOS_FW_CONFIG_ID] = &tos_fw_config, 834 [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, 835 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, 836 [BL33_IMAGE_ID] = &bl33_image, 837 [NT_FW_CONFIG_ID] = &nt_fw_config, 838 }; 839 #endif 840 841 /* Register the CoT in the authentication module */ 842 REGISTER_COT(cot_desc); 843