feat(measured_boot): image hash measurement and recording in BL1

It looks safer and cleaner approach to record the measurement taken by BL1 straightaway in TCG Event Log instead of deferring these recordings to BL2. Hence pull in the full-fledged measured boot driver into BL1 that replaces the former ad-hoc platform interfaces i.e. bl1_plat_set_bl2_hash, bl2_plat_get_hash. As a result of this change the BL1 of Arm FVP platform now do the measurements and recordings of below images: 1. FW_CONFIG 2. TB_FW_CONFIG 3. BL2 Change-Id: I798c20336308b5e91b547da4f8ed57c24d490731 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
3 years ago · 48ba0345f7
9 changed files with 106 additions and 39 deletions
--- a/bl1/bl1_main.c
+++ b/bl1/bl1_main.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -126,6 +126,9 @@ void bl1_main(void)
 	auth_mod_init();
 #endif /* TRUSTED_BOARD_BOOT */

+	/* Initialize the measured boot */
+	bl1_plat_mboot_init();
+
 	/* Perform platform setup in BL1. */
 	bl1_platform_setup();

@ -147,6 +150,9 @@ void bl1_main(void)
 	else
 		NOTICE("BL1-FWU: *******FWU Process Started*******\n");

+	/* Teardown the measured boot driver */
+	bl1_plat_mboot_finish();
+
 	bl1_prepare_next_image(image_id);

 	console_flush();
--- a/common/bl_common.c
+++ b/common/bl_common.c
@ -203,7 +203,6 @@ static int load_auth_image_recursive(unsigned int image_id,
 	}

 	if (is_parent_image == 0) {
-#if IMAGE_BL2
 		/*
 		 * Measure the image.
 		 * We do not measure its parents because these only play a role
@ -212,11 +211,11 @@ static int load_auth_image_recursive(unsigned int image_id,
 		 * TODO: Change this code if we change our minds about measuring
 		 * certificates.
 		 */
-		rc = plat_mboot_measure_image(image_id);
+		rc = plat_mboot_measure_image(image_id, image_data);
 		if (rc != 0) {
 			return rc;
 		}
-#endif
+
 		/*
 		 * Flush the image to main memory so that it can be executed
 		 * later by any CPU, regardless of cache and MMU state. This
--- a/drivers/measured_boot/event_log/event_log.mk
+++ b/drivers/measured_boot/event_log/event_log.mk
@ -47,3 +47,4 @@ MEASURED_BOOT_SOURCES	:= ${MEASURED_BOOT_SRC_DIR}event_log.c		\
 			   ${MEASURED_BOOT_SRC_DIR}event_print.c

 BL2_SOURCES		+= ${MEASURED_BOOT_SOURCES}
+BL1_SOURCES             += ${MEASURED_BOOT_SOURCES}
--- a/include/drivers/measured_boot/event_log/event_log.h
+++ b/include/drivers/measured_boot/event_log/event_log.h
@ -48,12 +48,14 @@
 #define	BL32_EXTRA1_IMAGE_STRING	"BL32_EXTRA1_IMAGE"
 #define	BL32_EXTRA2_IMAGE_STRING	"BL32_EXTRA2_IMAGE"
 #define BL33_STRING			"BL_33"
+#define FW_CONFIG_STRING                "FW_CONFIG"
 #define GPT_IMAGE_STRING		"GPT"
 #define HW_CONFIG_STRING		"HW_CONFIG"
 #define NT_FW_CONFIG_STRING		"NT_FW_CONFIG"
 #define SCP_BL2_IMAGE_STRING		"SCP_BL2_IMAGE"
 #define SOC_FW_CONFIG_STRING		"SOC_FW_CONFIG"
 #define STM32_IMAGE_STRING		"STM32"
+#define TB_FW_CONFIG_STRING             "TB_FW_CONFIG"
 #define	TOS_FW_CONFIG_STRING		"TOS_FW_CONFIG"

 typedef struct {
--- a/include/plat/common/platform.h
+++ b/include/plat/common/platform.h
@ -122,6 +122,16 @@ const char *plat_log_get_prefix(unsigned int log_level);
 void bl2_plat_preload_setup(void);
 int plat_try_next_boot_source(void);

+#if MEASURED_BOOT
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data);
+#else
+static inline int plat_mboot_measure_image(unsigned int image_id __unused,
+					   image_info_t *image_data __unused)
+{
+	return 0;
+}
+#endif /* MEASURED_BOOT */
+
 /*******************************************************************************
 * Mandatory BL1 functions
 ******************************************************************************/
@ -181,6 +191,18 @@ __dead2 void bl1_plat_fwu_done(void *client_cookie, void *reserved);
 int bl1_plat_handle_pre_image_load(unsigned int image_id);
 int bl1_plat_handle_post_image_load(unsigned int image_id);

+#if MEASURED_BOOT
+void bl1_plat_mboot_init(void);
+void bl1_plat_mboot_finish(void);
+#else
+static inline void bl1_plat_mboot_init(void)
+{
+}
+static inline void bl1_plat_mboot_finish(void)
+{
+}
+#endif /* MEASURED_BOOT */
+
 /*******************************************************************************
 * Mandatory BL2 functions
 ******************************************************************************/
@ -202,7 +224,6 @@ int bl2_plat_handle_post_image_load(unsigned int image_id);
 #if MEASURED_BOOT
 void bl2_plat_mboot_init(void);
 void bl2_plat_mboot_finish(void);
-int plat_mboot_measure_image(unsigned int image_id);
 #else
 static inline void bl2_plat_mboot_init(void)
 {
@ -210,10 +231,6 @@ static inline void bl2_plat_mboot_init(void)
 static inline void bl2_plat_mboot_finish(void)
 {
 }
-static inline int plat_mboot_measure_image(unsigned int image_id __unused)
-{
-	return 0;
-}
 #endif /* MEASURED_BOOT */

 /*******************************************************************************
--- a/plat/arm/board/fvp/fvp_bl1_measured_boot.c
+++ b/plat/arm/board/fvp/fvp_bl1_measured_boot.c
@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/measured_boot/event_log/event_log.h>
+
+/* Event Log data */
+static uint8_t event_log[PLAT_ARM_EVENT_LOG_MAX_SIZE];
+
+/* FVP table with platform specific image IDs, names and PCRs */
+const event_log_metadata_t fvp_event_log_metadata[] = {
+	{ FW_CONFIG_ID, FW_CONFIG_STRING, PCR_0 },
+	{ TB_FW_CONFIG_ID, TB_FW_CONFIG_STRING, PCR_0 },
+	{ BL2_IMAGE_ID, BL2_STRING, PCR_0 },
+	{ INVALID_ID, NULL, (unsigned int)(-1) }	/* Terminator */
+};
+
+void bl1_plat_mboot_init(void)
+{
+	event_log_init(event_log, PLAT_ARM_EVENT_LOG_MAX_SIZE, 0U);
+}
+
+void bl1_plat_mboot_finish(void)
+{
+	/*
+	 * ToDo: populate tb_fw_config with Event Log address, its maximum size
+	 * and filled size
+	 */
+}
--- a/plat/arm/board/fvp/fvp_bl2_measured_boot.c
+++ b/plat/arm/board/fvp/fvp_bl2_measured_boot.c
@ -27,11 +27,6 @@ const event_log_metadata_t fvp_event_log_metadata[] = {
 	{ INVALID_ID, NULL, (unsigned int)(-1) }	/* Terminator */
 };

-const event_log_metadata_t *plat_event_log_get_metadata(void)
-{
-	return fvp_event_log_metadata;
-}
-
 void bl2_plat_mboot_init(void)
 {
 	event_log_init(event_log, event_log + sizeof(event_log));
@ -88,27 +83,3 @@ void bl2_plat_mboot_finish(void)

 	dump_event_log(event_log, event_log_cur_size);
 }
-
-int plat_mboot_measure_image(unsigned int image_id)
-{
-	const bl_mem_params_node_t *bl_mem_params =
-		get_bl_mem_params_node(image_id);
-
-	assert(bl_mem_params != NULL);
-
-	image_info_t info = bl_mem_params->image_info;
-	int err;
-
-	if ((info.h.attr & IMAGE_ATTRIB_SKIP_LOADING) == 0U) {
-		/* Calculate image hash and record data in Event Log */
-		err = event_log_measure_record(info.image_base,
-					       info.image_size, image_id);
-		if (err != 0) {
-			ERROR("%s%s image id %u (%i)\n",
-			      "BL2: Failed to ", "record", image_id, err);
-			return err;
-		}
-	}
-
-	return 0;
-}
--- a/plat/arm/board/fvp/fvp_common_measured_boot.c
+++ b/plat/arm/board/fvp/fvp_common_measured_boot.c
@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stdint.h>
+
+#include <common/desc_image_load.h>
+#include <drivers/measured_boot/event_log/event_log.h>
+#include <plat/arm/common/plat_arm.h>
+#include <plat/common/platform.h>
+
+extern event_log_metadata_t fvp_event_log_metadata[];
+
+const event_log_metadata_t *plat_event_log_get_metadata(void)
+{
+	return fvp_event_log_metadata;
+}
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+	/* Calculate image hash and record data in Event Log */
+	int err = event_log_measure_and_record(image_data->image_base,
+					       image_data->image_size,
+					       image_id);
+	if (err != 0) {
+		ERROR("%s%s image id %u (%i)\n",
+		      "Failed to ", "record", image_id, err);
+		return err;
+	}
+
+	return 0;
+}
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@ -376,7 +376,10 @@ BL1_SOURCES		+=	plat/arm/board/fvp/fvp_trusted_boot.c
 BL2_SOURCES		+=	plat/arm/board/fvp/fvp_trusted_boot.c

 ifeq (${MEASURED_BOOT},1)
-BL2_SOURCES		+=	plat/arm/board/fvp/fvp_measured_boot.c
+BL1_SOURCES		+=	plat/arm/board/fvp/fvp_common_measured_boot.c	\
+				plat/arm/board/fvp/fvp_bl1_measured_boot.c
+BL2_SOURCES		+=	plat/arm/board/fvp/fvp_common_measured_boot.c	\
+				plat/arm/board/fvp/fvp_bl2_measured_boot.c
 endif

 # FVP being a development platform, enable capability to disable Authentication