Browse Source

tbbr/dualroot: Add fw_config image in chain of trust

fw_config image is authenticated using secure boot framework by
adding it into the single root and dual root chain of trust.

The COT for fw_config image looks as below:

+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Boot fw   |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /                   |
                        /                    |
                       /                     |
                      /                      |
                     L                       v
+------------------+       +-------------------+
| fw_config hash   |------>| fw_config         |
|                  |       | (Data Image)      |
+------------------+       +-------------------+

Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I08fc8ee95c29a95bb140c807dd06e772474c7367
pull/1979/head
Louis Mayencourt 4 years ago
committed by Manish V Badarkhe
parent
commit
243875eaf9
  1. 27
      drivers/auth/dualroot/cot.c
  2. 16
      drivers/auth/tbbr/tbbr_cot_bl1.c
  3. 16
      drivers/auth/tbbr/tbbr_cot_common.c
  4. 4
      include/drivers/auth/tbbr_cot_common.h
  5. 7
      include/export/common/tbbr/tbbr_img_def_exp.h
  6. 6
      plat/arm/common/fconf/arm_fconf_io.c

27
drivers/auth/dualroot/cot.c

@ -16,6 +16,7 @@
* Allocate static buffers to store the authentication parameters extracted from * Allocate static buffers to store the authentication parameters extracted from
* the certificates. * the certificates.
*/ */
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char hw_config_hash_buf[HASH_DER_LEN]; static unsigned char hw_config_hash_buf[HASH_DER_LEN];
@ -58,6 +59,8 @@ static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
#ifdef IMAGE_BL1 #ifdef IMAGE_BL1
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
@ -165,6 +168,13 @@ static const auth_img_desc_t trusted_boot_fw_cert = {
.ptr = (void *)hw_config_hash_buf, .ptr = (void *)hw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
},
[3] = {
.type_desc = &fw_config_hash,
.data = {
.ptr = (void *)fw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
} }
} }
}; };
@ -218,6 +228,22 @@ static const auth_img_desc_t tb_fw_config = {
} }
} }
}; };
static const auth_img_desc_t fw_config = {
.img_id = FW_CONFIG_ID,
.img_type = IMG_RAW,
.parent = &trusted_boot_fw_cert,
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &fw_config_hash
}
}
}
};
#endif /* IMAGE_BL1 */ #endif /* IMAGE_BL1 */
#ifdef IMAGE_BL2 #ifdef IMAGE_BL2
@ -860,6 +886,7 @@ static const auth_img_desc_t * const cot_desc[] = {
[BL2_IMAGE_ID] = &bl2_image, [BL2_IMAGE_ID] = &bl2_image,
[HW_CONFIG_ID] = &hw_config, [HW_CONFIG_ID] = &hw_config,
[TB_FW_CONFIG_ID] = &tb_fw_config, [TB_FW_CONFIG_ID] = &tb_fw_config,
[FW_CONFIG_ID] = &fw_config,
[FWU_CERT_ID] = &fwu_cert, [FWU_CERT_ID] = &fwu_cert,
[SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
[BL2U_IMAGE_ID] = &bl2u_image, [BL2U_IMAGE_ID] = &bl2u_image,

16
drivers/auth/tbbr/tbbr_cot_bl1.c

@ -150,6 +150,21 @@ static const auth_img_desc_t tb_fw_config = {
} }
}; };
static const auth_img_desc_t fw_config = {
.img_id = FW_CONFIG_ID,
.img_type = IMG_RAW,
.parent = &trusted_boot_fw_cert,
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &fw_config_hash
}
}
}
};
/* /*
* TBBR Chain of trust definition * TBBR Chain of trust definition
*/ */
@ -158,6 +173,7 @@ static const auth_img_desc_t * const cot_desc[] = {
[BL2_IMAGE_ID] = &bl2_image, [BL2_IMAGE_ID] = &bl2_image,
[HW_CONFIG_ID] = &hw_config, [HW_CONFIG_ID] = &hw_config,
[TB_FW_CONFIG_ID] = &tb_fw_config, [TB_FW_CONFIG_ID] = &tb_fw_config,
[FW_CONFIG_ID] = &fw_config,
[FWU_CERT_ID] = &fwu_cert, [FWU_CERT_ID] = &fwu_cert,
[SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
[BL2U_IMAGE_ID] = &bl2u_image, [BL2U_IMAGE_ID] = &bl2u_image,

16
drivers/auth/tbbr/tbbr_cot_common.c

@ -23,9 +23,10 @@
* established, we can reuse some of the buffers on different stages * established, we can reuse some of the buffers on different stages
*/ */
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char hw_config_hash_buf[HASH_DER_LEN];
unsigned char tb_fw_hash_buf[HASH_DER_LEN]; unsigned char tb_fw_hash_buf[HASH_DER_LEN];
unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
unsigned char hw_config_hash_buf[HASH_DER_LEN];
unsigned char scp_fw_hash_buf[HASH_DER_LEN]; unsigned char scp_fw_hash_buf[HASH_DER_LEN];
unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
@ -48,7 +49,9 @@ auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
/* trusted_boot_fw_cert */ /* trusted_boot_fw_cert */
@ -95,6 +98,13 @@ const auth_img_desc_t trusted_boot_fw_cert = {
.ptr = (void *)hw_config_hash_buf, .ptr = (void *)hw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
},
[3] = {
.type_desc = &fw_config_hash,
.data = {
.ptr = (void *)fw_config_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
} }
} }
}; };

4
include/drivers/auth/tbbr_cot_common.h

@ -10,8 +10,6 @@
#include <drivers/auth/auth_mod.h> #include <drivers/auth/auth_mod.h>
extern unsigned char tb_fw_hash_buf[HASH_DER_LEN]; extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];
extern unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
extern unsigned char hw_config_hash_buf[HASH_DER_LEN];
extern unsigned char scp_fw_hash_buf[HASH_DER_LEN]; extern unsigned char scp_fw_hash_buf[HASH_DER_LEN];
extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
@ -23,7 +21,7 @@ extern auth_param_type_desc_t raw_data;
extern auth_param_type_desc_t tb_fw_hash; extern auth_param_type_desc_t tb_fw_hash;
extern auth_param_type_desc_t tb_fw_config_hash; extern auth_param_type_desc_t tb_fw_config_hash;
extern auth_param_type_desc_t hw_config_hash; extern auth_param_type_desc_t fw_config_hash;
extern const auth_img_desc_t trusted_boot_fw_cert; extern const auth_img_desc_t trusted_boot_fw_cert;
extern const auth_img_desc_t hw_config; extern const auth_img_desc_t hw_config;

7
include/export/common/tbbr/tbbr_img_def_exp.h

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2019, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2019-2020, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -88,7 +88,10 @@
/* Encrypted image identifier */ /* Encrypted image identifier */
#define ENC_IMAGE_ID U(30) #define ENC_IMAGE_ID U(30)
/* FW_CONFIG */
#define FW_CONFIG_ID U(31)
/* Max Images */ /* Max Images */
#define MAX_IMAGE_IDS U(31) #define MAX_IMAGE_IDS U(32)
#endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */ #endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */

6
plat/arm/common/fconf/arm_fconf_io.c

@ -25,6 +25,7 @@ const io_block_spec_t fip_block_spec = {
const io_uuid_spec_t arm_uuid_spec[MAX_NUMBER_IDS] = { const io_uuid_spec_t arm_uuid_spec[MAX_NUMBER_IDS] = {
[BL2_IMAGE_ID] = {UUID_TRUSTED_BOOT_FIRMWARE_BL2}, [BL2_IMAGE_ID] = {UUID_TRUSTED_BOOT_FIRMWARE_BL2},
[TB_FW_CONFIG_ID] = {UUID_TB_FW_CONFIG}, [TB_FW_CONFIG_ID] = {UUID_TB_FW_CONFIG},
[FW_CONFIG_ID] = {UUID_FW_CONFIG},
#if !ARM_IO_IN_DTB #if !ARM_IO_IN_DTB
[SCP_BL2_IMAGE_ID] = {UUID_SCP_FIRMWARE_SCP_BL2}, [SCP_BL2_IMAGE_ID] = {UUID_SCP_FIRMWARE_SCP_BL2},
[BL31_IMAGE_ID] = {UUID_EL3_RUNTIME_FIRMWARE_BL31}, [BL31_IMAGE_ID] = {UUID_EL3_RUNTIME_FIRMWARE_BL31},
@ -73,6 +74,11 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
(uintptr_t)&arm_uuid_spec[TB_FW_CONFIG_ID], (uintptr_t)&arm_uuid_spec[TB_FW_CONFIG_ID],
open_fip open_fip
}, },
[FW_CONFIG_ID] = {
&fip_dev_handle,
(uintptr_t)&arm_uuid_spec[FW_CONFIG_ID],
open_fip
},
#if !ARM_IO_IN_DTB #if !ARM_IO_IN_DTB
[SCP_BL2_IMAGE_ID] = { [SCP_BL2_IMAGE_ID] = {
&fip_dev_handle, &fip_dev_handle,

Loading…
Cancel
Save