Trusted Board Boot supports multiple hash algorithms, including SHA-256,
SHA-384, and SHA-512. These algorithms produce hashes of different
lengths, so the resulting DER-encoded hash objects are also of different
lengths. However, the common Trusted Board Boot code only stores the
contents of the object, not its length. Before commit
f47547b354, this was harmless: ASN.1
objects are self-delimiting, and any excess padding was ignored.
f47547b354 changed the code to reject
excess padding. However, this breaks using a shorter hash in a build
that supports longer hashes: the shorter hash will have padding after
it, and verify_hash() will reject it. This was found by an Arm
customer: TF-A v2.9 refused to boot, even though TF-A v2.6 (which did
not have f47547b354) worked just fine.
Storing the length of the hash turns out to be quite difficult.
However, it turns out that hashes verified by verify_hash() always come
from the ROTPK or an X.509 certificate extension. Furthermore, _all_
X.509 certificate extensions used by Trusted Board Boot are ASN.1
DER encoded, so it is possible to reject padding in get_ext(). Padding
after the ROTPK is harmless, and it is better to ignore that padding
than to refuse to boot the system.
Change-Id: I28a19d7783e6036b65e86426d78c8e5b2ed6f542
Fixes: f47547b354 ("fix(auth): reject invalid padding in digests")
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Modifying the CCA CoT description to put the CCA content certificate
under the new CCA NV counter.
Change-Id: Ib962cef5eaa15bb9ccce86012f21327d29d4adad
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Have only one definition for REGISTER_CRYPTO_LIB macro, with all the
possible fields. Worst case adds 4 u64 to crypto_lib_desc.
While at it, correct some MISRA violations:
MC3R1.R12.1: (advisory) The precedence of operators within expressions
should be made explicit.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I1342a20e6eef2354753182c2a81ff959e03e5c81
Following discussions in the reviews of the patch that introduced
plat_convert_pk() function [1], it was decided to deprecate it to
avoid weak function declaration.
A new optional function pointer convert_pk is added to crypto_lib_desc_t.
A new function crypto_mod_convert_pk() will either call
crypto_lib_desc.convert_pk() if it is defined, or do the same
as what was done by the weak function otherwise.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/17174
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I9358867f8bfd5e96b5ee238c066877da368e43c6
Compared the full ROTPK with the ROTPK obtained from the certificate
when the platform supports full ROTPK instead of hash of ROTPK.
Additionally, changed the code to verify the ROTPK before relying on
it for signature verification.
Change-Id: I52bb9deb1a1dd5b184d3156bddad14c238692de7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Previously, extensions were parsed twice: once with error checking for
validation, and a second time without error checking to extract the
extension data. This is error prone and caused TFV-10 (CVE-2022-47630).
A simpler approach is to have get_ext() be responsible for all extension
parsing, and to treat a NULL OID as an indicator that get_ext() is only
being called for validation. cert_parse() checks that get_ext() returns
IMG_PARSER_OK and fails otherwise.
Change-Id: I65a2ff053a188351ba54799827a2b7bd833bb037
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The previous code was correct but unnecessarily verbose.
Change-Id: Ia19c667811a7c3b6957a0274d36076b0b16e36b7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The unique IDs are handled identically, so just use a for loop to get
both of them.
Change-Id: I44baaa4747ca7f314d364a79dfcbce97315f5a92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
TF-A support for mbedtls3.x has been overdue by number of releases.
As per mbedtls support it was advised to use latest and greatest
mbedtls-3.3. But mbedtls-3.x breaks API compatibility with
mbedtls-2.x
To maintain comptability for mbedtls-2.x and enable mbedtls-3.x
support add a functionality into makefile to determine the major version
of mbedtls and use that to selective include or compile files
that are present.
With mbedtls-3.x numerous other config changes have been done.
Some of the config options deprecated or enabled by default.
Thus we decided to introduce a new 3.x config file part of this
change for building TF-A with mbedtls-3.3.
For futher information on migrating to mbedtls 3.x refer to:
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/3.0-migration-guide.md
Change-Id: Ia8106d6f526809df927d608db27fe149623258ed
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
In preparation for supporting mbedtls 3.3, usage of
mbedtls_pk_rsassa_pss_options[1] is made private and is broken on 3.3
However looking closely into the usage in 'verify_signature' function
is no hard reason behind usage of this struct and they could be easily
replaced with independent variables.
This Minor refactor to avoid using the struct mbedtls_pk_rsassa_pss_options
and use independent variable will provide compatibility with both 2.x
and 3.x
[1]: https://github.com/Mbed-TLS/mbedtls/issues/7040
Change-Id: If0107d860d11d13cba7fd5d7941e7142e70c7b11
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Currently we include MBEDTLS_CONFIG_FILE directly and if a custom
config file is used it will included.
However from mbedtls-3.x onwards it discourages usage of
MBEDTLS_CONFIG_FILE include directly, so to resolve this and keep 2.28
compatibility include version.h which would include the custom config
file if present and also would expose us with mbedtls-major-version
number which could be used for selecting features and functions for
mbedtls 2.28 or 3.3
Change-Id: I029992311be2a38b588ebbb350875b03ea29acdb
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
This was triggered by sparse tool:
drivers/auth/mbedtls/mbedtls_x509_parser.c:481:42: warning:
Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I392316c2a81ef8da7597e35f136e038f152d19d1
get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.
Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificate’s signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This makes the code a little bit smaller. No functional change
intended.
Change-Id: I794d2927fcd034a79e29c9bba1f8e4410203f547
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Certificates must not allow trailing junk after them.
Change-Id: Ie33205fb051fc63af5b72c326822da7f62eec1d1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This is already checked by the crypto module or by mbedTLS, but checking
it in the X.509 parser is harmless.
Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Since the two instances of the signature algorithm in a certificate must
be bitwise identical, it is not necessary to parse both of them.
Instead, it suffices to parse one of them, and then check that the other
fits in the remaining buffer space and is equal to the first.
Change-Id: Id0a0663165f147879ac83b6a540378fd4873b0dd
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This reduces the likelihood of future problems later.
Change-Id: Ia748b6ae31a7a48f17ec7f0fc08310a50cd1b135
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Digests must not have padding after the SEQUENCE or OCTET STRING.
Change-Id: Id25ab23111781f8c8a97c2c3c8edf1cc4a4384c0
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The extensions must use all remaining bytes in the TBSCertificate.
Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The platform.mk can add extra MbedTLS source files to LIBMBEDTLS_SRC.
Change-Id: Ida9abfd59d8b02eae23ec0a7f326db060b42bf49
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Correct the warning due to comparison between signed and
unsigned variable.
drivers/auth/mbedtls/mbedtls_x509_parser.c: In function 'get_ext':
drivers/auth/mbedtls/mbedtls_x509_parser.c:120:30:
error: comparison of integer expressions of different
signedness: 'int' and 'size_t' {aka 'unsigned int'}
[-Werror=sign-compare]
120 | if ((oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) {
| ^~
Change-Id: Ic12527f5f92a34e925bee3047c168eacf5e99d8a
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
In some platform the digest of the public key saved in the OTP is not
the digest of the exact same public key buffer needed to check the
signature. Typically, platform checks signature using the DER ROTPK
whereas some others add some related information. Add a new platform
weak function to transform the public key buffer used by
verify_signature to a platform specific public key.
Mark this new weak function as deprecated as it will be replaced
by another framework implementation.
Change-Id: I71017b41e3eca9398cededf317ad97e9b511be5f
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Updated mbedTLS driver to include mbedTLS functions necessary for a
DRTM supported build.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: If0120374a971519cf84f93e0c59e1a320a72cd97
Updated crypto module to include crypto calls necessary for a
DRTM supported build.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: I4f945997824393f46864b7fb7fd380308a025452
- Removing platform dependencies from libc modules.
- Replacing panicking with actual error handling.
- Debug macros are included indirectly from assert.h. Removing
"platform_def.h" from assert.h and adding "common/debug.h"
where the macros are used.
- Removing hack for fixing PLAT_LOG_LEVEL_ASSERT to 40.
Instead removing assert with expression, as this
does not provide additional information.
Signed-off-by: Claus Pedersen <claustbp@google.com>
Change-Id: Icc201ea7b63c1277e423c1cfd13fd6816c2bc568
With RSS now introduced, we have 2 Measured Boot backends. Both backends
can be used in the same firmware build with potentially different hash
algorithms, so now there can be more than one hash algorithm in a build.
Therefore the logic for selecting the measured boot hash algorithm needs
to be updated and the coordination of algorithm selection added. This is
done by:
- Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm
to replace TPM_HASH_ALG, removing reference to TPM.
- Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to
replace TPM_HASH_ALG.
- Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the
Measured Boot configuration macros through defining
TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either
backend requires a stronger algorithm than SHA-256.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
This chain of trust is targeted at Arm CCA solutions and defines 3
independent signing domains:
1) CCA signing domain. The Arm CCA Security Model (Arm DEN-0096.A.a) [1]
refers to the CCA signing domain as the provider of CCA components
running on the CCA platform. The CCA signing domain might be independent
from other signing domains providing other firmware blobs.
The CCA platform is a collective term used to identify all hardware and
firmware components involved in delivering the CCA security guarantee.
Hence, all hardware and firmware components on a CCA enabled system that
a Realm is required to trust.
In the context of TF-A, this corresponds to BL1, BL2, BL31, RMM and
associated configuration files.
The CCA signing domain is rooted in the Silicon ROTPK, just as in the
TBBR CoT.
2) Non-CCA Secure World signing domain. This includes SPMC (and
associated configuration file) as the expected BL32 image as well as
SiP-owned secure partitions. It is rooted in a new SiP-owned key called
Secure World ROTPK, or SWD_ROTPK for short.
3) Platform owner signing domain. This includes BL33 (and associated
configuration file) and the platform owner's secure partitions. It is
rooted in the Platform ROTPK, or PROTPK.
[1] https://developer.arm.com/documentation/DEN0096/A_a
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I6ffef3f53d710e6a2072fb4374401249122a2805
Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Actually, the upgrade this time simply boils down to including the new
source code module 'constant_time.c' into the firmware.
To quote mbed TLS v2.28.0 release notes [1]:
The mbedcrypto library includes a new source code module
constant_time.c, containing various functions meant to resist timing
side channel attacks. This module does not have a separate
configuration option, and functions from this module will be
included in the build as required.
As a matter of fact, if one is attempting to link TF-A against mbed
TLS v2.28.0 without the present patch, one gets some linker errors
due to missing symbols from this new module.
Apart from this, none of the items listed in mbed TLS release
notes [1] directly affect TF-A. Special note on the following one:
Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32.
In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
feature is enabled with AES-GCM as the authenticated decryption
algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
32-bit value which by definition is always less than 2**32. Therefore,
we are immune to this bug.
With this upgrade, the size of BL1 and BL2 binaries does not appear to
change on a standard sample test build (with trusted boot and measured
boot enabled).
[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Common mbedTLS implementation include the fixed configuration
file of mbedTLS and that does not gives flexilibility to the
platform to include their own mbedTLS configuration.
Hence changes are done so that platform can include their own
mbedTLS configuration file.
Signed-off-by: Lucian Paul-Trifu <lucian.paul-trifu@arm.com>
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: I04546589f67299e26b0a6a6e151cdf1fdb302607
Measured-Boot and Trusted-Boot are orthogonal to each other and hence
removed dependency of Trusted-Boot on Measured-Boot by making below
changes -
1. BL1 and BL2 main functions are used for initializing Crypto module
instead of the authentication module
2. Updated Crypto module registration macro for MEASURED_BOOT with only
necessary callbacks for calculating image hashes
3. The 'load_auth_image' function is now used for the image measurement
during Trusted or Non-Trusted Boot flow
Change-Id: I3570e80bae8ce8f5b58d84bd955aa43e925d9fff
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
It doesn't look correct to use mbed TLS defines directly in the Event
Log driver as this driver may use another Crypto library in future.
Hence mbed TLS Crypto dependency on Event Log driver is removed by
introducing generic Crypto defines and uses those in the Event Log
driver to call Crypto functions.
Also, updated mbed TLS glue layer to map these generic Crypto defines
to mbed TLS library defines.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ibc9c751f60cbce4d3f3cf049b7c53b3d05cc6735
Fixed a below build failure with CC-713 library
error:
implicit declaration of function ‘mbedtls_x509_get_rsassa_pss_params’
[-Werror=implicit-function-declaration]
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: If298ec16d133cf54413c299327b2c007ec4117b2
Adding load, authentication, and transfer functionality from FVP R BL1 to
BL33, which will be the partner runtime code.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I293cad09739dacac0d20dd57c1d98178dbe84d40
Avoided NV counter update when the system is running in
trial run state.
Change-Id: I5da6a6760f8a9faff777f2ff879156e9c3c76726
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Platform NV counter get updated (if cert NV counter > plat NV counter)
before authenticating the certificate if the platform specifies NV
counter method before signature authentication in its CoT, and this
provides an opportunity for a tempered certificate to upgrade the
platform NV counter. This is theoretical issue, as in practice none
of the standard CoT (TBBR, dualroot) or upstream platforms ones (NXP)
exercised this issue.
To fix this issue, modified the auth_nvctr method to do only NV
counter check, and flags if the NV counter upgrade is needed or not.
Then ensured that the platform NV counter gets upgraded with the NV
counter value from the certificate only after that certificate gets
authenticated.
This change is verified manually by modifying the CoT that specifies
certificate with:
1. NV counter authentication before signature authentication
method
2. NV counter authentication method only
Change-Id: I1ad17f1a911fb1035a1a60976cc26b2965b05166
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This patch migrates the mbedcrypto dependency for TF-A
to mbedTLS repo v2.24.0 which is the latest release tag.
The relevant documentation is updated to reflect the
use of new version.
Change-Id: I116f44242e8c98e856416ea871d11abd3234dac1
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Loop macros make it easier for developers to include new variables to
assert or define and also help code code readability on makefiles.
Change-Id: I0d21d6e67b3eca8976c4d856ac8ccc02c8bb5ffa
Signed-off-by: Leonardo Sandoval <leonardo.sandoval@linaro.org>
For dualroot CoT there are two sets of SP certificates, one owned by
Silicon Provider(SiP) and other owned by Platform. Each certificate can
have a maximum of 4 SPs.
This patch reduces the number of SiP owned SPs from 8 to 4 and adds
the remaining 4 to Plat owned SP.
Plat owned SP certificate is signed using Platform RoT key and
protected against anti-rollback using the Non-trusted Non-volatile
counter.
Change-Id: Idc3ddd87d6d85a5506a7435f45a6ec17c4c50425
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Currently only single signing domain is supported for SP packages but
there is plan to support dual signing domains if CoT is dualroot.
SP_CONTENT_CERT_ID is the certificate file which is currently generated
and signed with trusted world key which in-turn is derived from Silicon
provider RoT key.
To allow dual signing domain for SP packages, other certificate file
will be derived from Platform owned RoT key.
This patch renames "SP_CONTENT_CERT_ID" to "SIP_SP_CONTENT_CERT_ID" and
does other related changes.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I0bc445a3ab257e2dac03faa64f46e36a9fed5e93
This patch adds support for Event Log generation required
for Measured Boot functionality.
Change-Id: I34f05a33565e6659e78499d62cc6fb00b7d6c2dc
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
with sha 44f1aa8, support for Silicon Provider(SiP) owned Secure
Partition(SP) was added for dualroot CoT. This patch extends this
support for tbbr CoT.
Earlier tbbr CoT for SPs was left to avoid adding new image types in
TBBR which could possibly be seen as deviation from specification.
But with further discussions it is understood that TBBR being a
*minimal* set of requirements that can be extended as long as we don't
violate any of the musts, which is the case with adding SP support.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I1b9e3ebdd7d653f1fd4cc3bd910a69871b55ecbb
Demi Marie Obenour
laurenw-arm
Yann Gautier
Yann Gautier
Manish V Badarkhe
Elyes Haouas
Govindraj Raja
Mate Toth-Pal
Nicolas Toromanoff
Claus Pedersen
Sandrine Bailleux
Alexei Fedorov
Leonardo Sandoval
Manish Pandey
Louis Mayencourt