From c4b35cebffb0d034aa7bdba7cfdb65ba93939e35 Mon Sep 17 00:00:00 2001 From: laurenw-arm Date: Tue, 9 Jan 2024 20:47:08 -0600 Subject: [PATCH 1/4] feat(dt-bindings): introduce CCA CoT, rename TBBR Add CCA CoT DTB and rename generic CoT DTB to TBBR CoT DTB This allows CCA platforms to get their chain of trust description from a configuration file, rather than hard-coding it into the firmware itself. Change-Id: I114788a5d21b9a8d625239cfb71b442d204e3654 Signed-off-by: Lauren Wehrmeister --- fdts/cca_cot_descriptors.dtsi | 287 ++++++++++++++++++ ...riptors.dtsi => tbbr_cot_descriptors.dtsi} | 2 +- 2 files changed, 288 insertions(+), 1 deletion(-) create mode 100644 fdts/cca_cot_descriptors.dtsi rename fdts/{cot_descriptors.dtsi => tbbr_cot_descriptors.dtsi} (99%) diff --git a/fdts/cca_cot_descriptors.dtsi b/fdts/cca_cot_descriptors.dtsi new file mode 100644 index 000000000..d52431b02 --- /dev/null +++ b/fdts/cca_cot_descriptors.dtsi @@ -0,0 +1,287 @@ +/* + * Copyright (c) 2023-2024, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include +#include + +cot { + manifests { + compatible = "arm, cert-descs"; + + cca_content_cert: cca_content_cert { + root-certificate; + image-id =; + antirollback-counter = <&cca_nv_counter>; + + tb_fw_hash: tb_fw_hash { + oid = TRUSTED_BOOT_FW_HASH_OID; + }; + tb_fw_config_hash: tb_fw_config_hash { + oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID; + }; + hw_config_hash: hw_config_hash { + oid = HW_CONFIG_HASH_OID; + }; + fw_config_hash: fw_config_hash { + oid = FW_CONFIG_HASH_OID; + }; + soc_fw_hash: soc_fw_hash { + oid = SOC_AP_FW_HASH_OID; + }; + soc_fw_config_hash: soc_fw_config_hash { + oid = SOC_FW_CONFIG_HASH_OID; + }; + rmm_hash: rmm_hash { + oid = RMM_HASH_OID; + }; + }; + + core_swd_key_cert: core_swd_key_cert { + root-certificate; + image-id = ; + signing-key = <&swd_rot_pk>; + antirollback-counter = <&trusted_nv_counter>; + + core_swd_pk: core_swd_pk { + oid = CORE_SWD_PK_OID; + }; + }; + + trusted_os_fw_content_cert: trusted_os_fw_content_cert { + image-id = ; + parent = <&core_swd_key_cert>; + signing-key = <&core_swd_pk>; + antirollback-counter = <&trusted_nv_counter>; + + tos_fw_hash: tos_fw_hash { + oid = TRUSTED_OS_FW_HASH_OID; + }; + tos_fw_config_hash: tos_fw_config_hash { + oid = TRUSTED_OS_FW_CONFIG_HASH_OID; + }; + }; + + plat_key_cert: plat_key_cert { + root-certificate; + image-id = ; + signing-key = <&prot_pk>; + antirollback-counter = <&non_trusted_nv_counter>; + + plat_pk: plat_pk { + oid = PLAT_PK_OID; + }; + }; + + non_trusted_fw_content_cert: non_trusted_fw_content_cert { + image-id = ; + parent = <&plat_key_cert>; + signing-key = <&plat_pk>; + antirollback-counter = <&non_trusted_nv_counter>; + + nt_world_bl_hash: nt_world_bl_hash { + oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID; + }; + nt_fw_config_hash: nt_fw_config_hash { + oid = NON_TRUSTED_FW_CONFIG_HASH_OID; + }; + }; + +#if defined(SPD_spmd) + sip_sp_content_cert: sip_sp_content_cert { + image-id = ; + parent = <&core_swd_key_cert>; + signing-key = <&core_swd_pk>; + antirollback-counter = <&trusted_nv_counter>; + + sp_pkg1_hash: sp_pkg1_hash { + oid = SP_PKG1_HASH_OID; + }; + sp_pkg2_hash: sp_pkg2_hash { + oid = SP_PKG2_HASH_OID; + }; + sp_pkg3_hash: sp_pkg3_hash { + oid = SP_PKG3_HASH_OID; + }; + sp_pkg4_hash: sp_pkg4_hash { + oid = SP_PKG4_HASH_OID; + }; + }; + + plat_sp_content_cert: plat_sp_content_cert { + image-id = ; + parent = <&plat_key_cert>; + signing-key = <&plat_pk>; + antirollback-counter = <&non_trusted_nv_counter>; + + sp_pkg5_hash: sp_pkg5_hash { + oid = SP_PKG5_HASH_OID; + }; + sp_pkg6_hash: sp_pkg6_hash { + oid = SP_PKG6_HASH_OID; + }; + sp_pkg7_hash: sp_pkg7_hash { + oid = SP_PKG7_HASH_OID; + }; + sp_pkg8_hash: sp_pkg8_hash { + oid = SP_PKG8_HASH_OID; + }; + }; +#endif + }; + + images { + compatible = "arm, img-descs"; + + fw_config { + image-id = ; + parent = <&cca_content_cert>; + hash = <&fw_config_hash>; + }; + + hw_config { + image-id = ; + parent = <&cca_content_cert>; + hash = <&hw_config_hash>; + }; + + tb_fw_hash { + image-id = ; + parent = <&cca_content_cert>; + hash = <&tb_fw_hash>; + }; + + tb_fw_config { + image-id = ; + parent = <&cca_content_cert>; + hash = <&tb_fw_config_hash>; + }; + + bl31_image { + image-id = ; + parent = <&cca_content_cert>; + hash = <&soc_fw_hash>; + }; + + soc_fw_config { + image-id = ; + parent = <&cca_content_cert>; + hash = <&soc_fw_config_hash>; + }; + + rmm_image { + image-id = ; + parent = <&cca_content_cert>; + hash = <&rmm_hash>; + }; + + bl32_image { + image-id = ; + parent = <&trusted_os_fw_content_cert>; + hash = <&tos_fw_hash>; + }; + + tos_fw_config { + image-id = ; + parent = <&trusted_os_fw_content_cert>; + hash = <&tos_fw_config_hash>; + }; + + bl33_image { + image-id = ; + parent = <&non_trusted_fw_content_cert>; + hash = <&nt_world_bl_hash>; + }; + + nt_fw_config { + image-id = ; + parent = <&non_trusted_fw_content_cert>; + hash = <&nt_fw_config_hash>; + }; + +#if defined(SPD_spmd) + sp_pkg1 { + image-id = ; + parent = <&sip_sp_content_cert>; + hash = <&sp_pkg1_hash>; + }; + + sp_pkg2 { + image-id = ; + parent = <&sip_sp_content_cert>; + hash = <&sp_pkg2_hash>; + }; + + sp_pkg3 { + image-id = ; + parent = <&sip_sp_content_cert>; + hash = <&sp_pkg3_hash>; + }; + + sp_pkg4 { + image-id = ; + parent = <&sip_sp_content_cert>; + hash = <&sp_pkg4_hash>; + }; + + sp_pkg5 { + image-id = ; + parent = <&plat_sp_content_cert>; + hash = <&sp_pkg5_hash>; + }; + + sp_pkg6 { + image-id = ; + parent = <&plat_sp_content_cert>; + hash = <&sp_pkg6_hash>; + }; + + sp_pkg7 { + image-id = ; + parent = <&plat_sp_content_cert>; + hash = <&sp_pkg7_hash>; + }; + + sp_pkg8 { + image-id = ; + parent = <&plat_sp_content_cert>; + hash = <&sp_pkg8_hash>; + }; +#endif + }; +}; + +non_volatile_counters: non_volatile_counters { + compatible = "arm, non-volatile-counter"; + + #address-cells = <1>; + #size-cells = <0>; + + cca_nv_counter: cca_nv_counter { + id = ; + oid = CCA_FW_NVCOUNTER_OID; + }; + + trusted_nv_counter: trusted_nv_counter { + id = ; + oid = TRUSTED_FW_NVCOUNTER_OID; + }; + + non_trusted_nv_counter: non_trusted_nv_counter { + id = ; + oid = NON_TRUSTED_FW_NVCOUNTER_OID; + }; +}; + +rot_keys { + swd_rot_pk: swd_rot_pk { + oid = SWD_ROT_PK_OID; + }; + + prot_pk: prot_pk { + oid = PROT_PK_OID; + }; +}; diff --git a/fdts/cot_descriptors.dtsi b/fdts/tbbr_cot_descriptors.dtsi similarity index 99% rename from fdts/cot_descriptors.dtsi rename to fdts/tbbr_cot_descriptors.dtsi index 411bae6c1..ac39e4eb1 100644 --- a/fdts/cot_descriptors.dtsi +++ b/fdts/tbbr_cot_descriptors.dtsi @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, ARM Limited. All rights reserved. + * Copyright (c) 2020-2024, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ From dc35bd320c3f1c7c4a8b9b74e2b2682fe2a54418 Mon Sep 17 00:00:00 2001 From: laurenw-arm Date: Tue, 28 Nov 2023 13:44:46 -0600 Subject: [PATCH 2/4] docs(arm): update TBBR CoT dtsi file name in doc Change-Id: I31ebee7574f5133aadbf2767377fd74a21775ce5 Signed-off-by: Lauren Wehrmeister --- docs/security_advisories/security-advisory-tfv-10.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security_advisories/security-advisory-tfv-10.rst b/docs/security_advisories/security-advisory-tfv-10.rst index 91dba074a..f53bae13a 100644 --- a/docs/security_advisories/security-advisory-tfv-10.rst +++ b/docs/security_advisories/security-advisory-tfv-10.rst @@ -98,7 +98,7 @@ All standard chains of trust provided in TF-A source tree (that is, under ``drivers/auth/``) require that the certificate's signature has already been validated prior to calling ``get_ext()``, or any function that calls ``get_ext()``. Platforms taking their chain of trust from a dynamic configuration file (such as -``fdts/cot_descriptors.dtsi``) are also safe, as signature verification will +``fdts/tbbr_cot_descriptors.dtsi``) are also safe, as signature verification will always be done prior to any calls to ``get_ext()`` or ``auth_nvctr()`` in this case, no matter the order of the properties in the file. Therefore, it is not possible to exploit this vulnerability pre-authentication in upstream TF-A. From 4c79b86ed6a36b572cf9e96f0269eb5dd0b46d5f Mon Sep 17 00:00:00 2001 From: laurenw-arm Date: Tue, 9 Jan 2024 20:51:30 -0600 Subject: [PATCH 3/4] feat(fvp): add CCA CoT in DTB support Adding support for CCA CoT in DTB. This makes it possible for BL2 to retrieve its chain of trust description from a configuration file in DTB format. With this, the CoT description may be updated without rebuilding BL2 image. This feature can be enabled by building BL2 with COT_DESC_IN_DTB=1 and COT=cca. The default behaviour remains to embed the CoT description into BL2 image. Change-Id: I5912aad5ae529281a93a76e6b8f4b89d867445fe Signed-off-by: Lauren Wehrmeister --- plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts b/plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts index 6ba76db60..9eb2177c7 100644 --- a/plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts +++ b/plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020-2023, ARM Limited. All rights reserved. + * Copyright (c) 2020-2024, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -104,7 +104,11 @@ }; #if COT_DESC_IN_DTB - #include "cot_descriptors.dtsi" + #if defined(ARM_COT_cca) + #include "cca_cot_descriptors.dtsi" + #elif defined(ARM_COT_tbbr) + #include "tbbr_cot_descriptors.dtsi" + #endif #endif #if MEASURED_BOOT @@ -117,6 +121,13 @@ #include "../fvp_def.h" +#if defined(ARM_COT_cca) +/* FVP does not support the CCA NV Counter so use the Trusted one. */ +&cca_nv_counter { + reg = ; +}; +#endif + &trusted_nv_counter { reg = ; }; From b76a43c9382e85969cac896cd4d5d6774d0d1553 Mon Sep 17 00:00:00 2001 From: laurenw-arm Date: Tue, 28 Nov 2023 13:42:36 -0600 Subject: [PATCH 4/4] feat(arm): add COT_DESC_IN_DTB option for CCA CoT Add support for BL2 to get the CCA chain of trust description through the Firmware Configuration Framework (FCONF). This makes it possible to export the part of the CCA chain of trust enforced by BL2 in BL2's configuration file (TB_FW_CONFIG DTB file). BL2 will parse it when setting up the platform. This feature can be enabled through the COT_DESC_IN_DTB=1 option. The default behaviour (COT_DESC_IN_DTB=0) remains to hard-code the CCA CoT into BL2 image. Change-Id: Iec4f623d5e42b7c166beeb3ad6b35d918969f7e2 Signed-off-by: Lauren Wehrmeister --- plat/arm/common/arm_common.mk | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk index ae0d85daf..5084ea95e 100644 --- a/plat/arm/common/arm_common.mk +++ b/plat/arm/common/arm_common.mk @@ -383,7 +383,12 @@ ifneq (${TRUSTED_BOARD_BOOT},0) else ifeq (${COT},dualroot) AUTH_SOURCES += drivers/auth/dualroot/cot.c else ifeq (${COT},cca) - AUTH_SOURCES += drivers/auth/cca/cot.c + BL1_SOURCES += drivers/auth/cca/cot.c + ifneq (${COT_DESC_IN_DTB},0) + BL2_SOURCES += lib/fconf/fconf_cot_getter.c + else + BL2_SOURCES += drivers/auth/cca/cot.c + endif else $(error Unknown chain of trust ${COT}) endif