uniphier: embed ROTPK hash into BL1/BL2

Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info(). It is up to users how to retrieve ROTPK if the ROT verification is desired. This is not nice. This commit improves plat_get_rotpk_info() implementation and automates the ROTPK deployment. UniPhier platform has no ROTPK storage, so it should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case. This makes sense because UniPhier platform implements its internal ROM i.e. BL1 is used as updatable pseudo ROM. Things work like this: - ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing. Users can override ROT_KEY from the command line if they want to use a specific ROT key. - ROTPK_HASH is generated based on ROT_KEY. - ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2. - ROT_KEY is input to cert_create tool. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
8 years ago · 63634800fc
3 changed files with 38 additions and 1 deletions
--- a/plat/socionext/uniphier/platform.mk
+++ b/plat/socionext/uniphier/platform.mk
@ -86,11 +86,29 @@ TBB_SOURCES		:=	drivers/auth/auth_mod.c			\
 				drivers/auth/img_parser_mod.c		\
 				drivers/auth/tbbr/tbbr_cot.c		\
 				plat/common/tbbr/plat_tbbr.c		\
+				$(PLAT_PATH)/uniphier_rotpk.S		\
 				$(PLAT_PATH)/uniphier_tbbr.c

 BL1_SOURCES		+=	$(TBB_SOURCES)
 BL2_SOURCES		+=	$(TBB_SOURCES)

+ROT_KEY			= $(BUILD_PLAT)/rot_key.pem
+ROTPK_HASH		= $(BUILD_PLAT)/rotpk_sha256.bin
+
+$(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))
+$(BUILD_PLAT)/bl1/uniphier_rotpk.o: $(ROTPK_HASH)
+$(BUILD_PLAT)/bl2/uniphier_rotpk.o: $(ROTPK_HASH)
+
+certificates: $(ROT_KEY)
+$(ROT_KEY):
+	@echo "  OPENSSL $@"
+	$(Q)openssl genrsa 2048 > $@ 2>/dev/null
+
+$(ROTPK_HASH): $(ROT_KEY)
+	@echo "  OPENSSL $@"
+	$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+	openssl dgst -sha256 -binary > $@ 2>/dev/null
+
 endif

 .PHONY: bl1_gzip
--- a/plat/socionext/uniphier/uniphier_rotpk.S
+++ b/plat/socionext/uniphier/uniphier_rotpk.S
@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+	.global uniphier_rotpk_hash
+	.global uniphier_rotpk_hash_end
+uniphier_rotpk_hash:
+	/* DER header */
+	.byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
+	.byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+	/* SHA256 */
+	.incbin ROTPK_HASH
+uniphier_rotpk_hash_end:
--- a/plat/socionext/uniphier/uniphier_tbbr.c
+++ b/plat/socionext/uniphier/uniphier_tbbr.c
@ -6,10 +6,14 @@

 #include <platform.h>

+extern char uniphier_rotpk_hash[], uniphier_rotpk_hash_end[];
+
 int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
 			unsigned int *flags)
 {
-	*flags = ROTPK_NOT_DEPLOYED;
+	*key_ptr = uniphier_rotpk_hash;
+	*key_len = uniphier_rotpk_hash_end - uniphier_rotpk_hash;
+	*flags = ROTPK_IS_HASH;

 	return 0;
 }