/*
 * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
#include <stddef.h>

#include <platform_def.h>
#include <platform_oid.h>
/*
 * Upper bounds, in bytes, for a DER-encoded public key and a DER-encoded hash.
 *
 * Every buffer below is declared with one of these two lengths, and cot_desc
 * publishes the same constants as the .len of each authenticated_data slot,
 * so they are the capacity available for a value taken from a certificate.
 *
 * NOTE(review): 294 matches the DER SubjectPublicKeyInfo of an RSA-2048 key
 * and 83 matches a DigestInfo carrying a 64-byte digest; presumably these are
 * the largest key and hash this build expects. Confirm before enabling a
 * larger key or hash algorithm.
 */
#define HASH_DER_LEN 83
#define PK_DER_LEN 294

/*
 * Storage for the authentication parameters extracted from the certificates.
 * The platform has to provide it; because of the way the chain of trust is
 * walked, some buffers are reused by different stages.
 *
 * Review points that follow from the reuse visible in cot_desc:
 *  - content_pk_buf is the destination for the content key of all four key
 *    certificates (SCP, SoC, Trusted OS, Non-Trusted), so it only holds the
 *    key of the most recently parsed key certificate.
 *  - scp_fw_hash_buf, tb_fw_hash_buf and nt_world_bl_hash_buf are also the
 *    destinations for the three hashes carried by the FWU certificate.
 *  - The code that fills these buffers is not in this file; it must reject
 *    any parameter longer than the slot's declared .len rather than truncate
 *    or overrun it.
 */

/* Public keys: one buffer per world key, one shared buffer for content keys. */
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN];

/* Hashes of the boot firmware and of its configuration images. */
static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char hw_config_hash_buf[HASH_DER_LEN];

/* Hashes of the SCP and SoC firmware. */
static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];

/* Hashes of the Trusted OS firmware images. */
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];

/* Hashes of the non-trusted world bootloader and its configuration. */
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
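/*
 * Parameter type descriptors
 *
 * Each descriptor pairs a parameter kind (AUTH_PARAM_*) with a second
 * argument that is either one of the platform's *_OID identifiers or 0.
 * cot_desc refers to these descriptors by address, both to say which
 * parameter an authentication method consumes and to say which parameter a
 * certificate hands on to its children.
 *
 * NOTE(review): AUTH_PARAM_TYPE_DESC is defined outside this file; the second
 * argument is presumably the identifier used to locate the value inside a
 * certificate, with 0 meaning "not located by identifier" - confirm.
 */

/* Non-volatile counters carried by the certificates. */
static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);

/* Generic parameters: subject key, signature, signature algorithm, raw data. */
static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, 0);
/*
 * NOTE(review): the listing omits the argument line of this descriptor;
 * AUTH_PARAM_SIG with 0 is restored to match the three sibling generic
 * descriptors. Verify against the upstream file.
 */
static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG, 0);
static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG_ALG, 0);
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_RAW_DATA, 0);

/* World keys, delivered by the trusted key certificate. */
static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);

/* Content keys, delivered by the per-firmware key certificates. */
static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);

/* Image hashes, delivered by the content certificates. */
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);

/* Hashes of the firmware-update images, delivered by the FWU certificate. */
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FWU_HASH_OID);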
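/*
 * TBBR Chain of trust definition
 *
 * One entry per certificate or image, indexed by image ID. Reading an entry:
 *  - .parent names the entry that must supply this entry's key or hash.
 *  - .img_auth_methods lists the checks applied to the entry: a signature
 *    check (AUTH_METHOD_SIG), a non-volatile counter check
 *    (AUTH_METHOD_NV_CTR) or a hash comparison (AUTH_METHOD_HASH).
 *  - .authenticated_data lists the values a certificate hands on to its
 *    children, each with the static buffer and capacity that receive it.
 *
 * Security review notes:
 *  - Entries with no parent take the signing key from the certificate itself
 *    (subject_pk). Trust in such a certificate therefore depends on the
 *    authentication module validating that key against a platform root of
 *    trust; that code is not in this file - confirm.
 *  - FWU_CERT_ID has a signature method only. No AUTH_METHOD_NV_CTR entry is
 *    present for it, so this table requests no counter check for the
 *    firmware-update certificate. NOTE(review): confirm that is intended.
 *  - Only the two non-trusted firmware certificates use non_trusted_nv_ctr;
 *    every other counter check uses trusted_nv_ctr.
 *  - content_pk_buf receives the content key of four different key
 *    certificates, and the FWU certificate writes into scp_fw_hash_buf,
 *    tb_fw_hash_buf and nt_world_bl_hash_buf. A buffer is only meaningful
 *    until the next certificate that targets it is parsed; the load order
 *    that makes this safe is decided outside this file.
 *
 * NOTE(review): the listing this table was recovered from had dropped lines.
 * The following were restored from the sibling entries and from the original
 * line numbering, and should be verified against the upstream file: the
 * [n] list indices; the .param.sig / .param.nv_ctr / .param.hash and .data
 * wrappers; the .sig, .alg and .data members of every signature method and
 * the .pk = &subject_pk member of the three parentless certificates; the
 * .data member of every hash method; .parent = NULL on the parentless
 * certificates; .img_type = IMG_RAW on the image entries; the designators of
 * BL2_IMAGE_ID, HW_CONFIG_ID, BL31_IMAGE_ID, BL32_IMAGE_ID, BL33_IMAGE_ID,
 * FWU_CERT_ID and BL2U_IMAGE_ID; and the .hash member of BL2_IMAGE_ID and
 * BL2U_IMAGE_ID.
 */
static const auth_img_desc_t cot_desc[] = {
	/*
	 * Trusted boot firmware certificate: carries the hashes of BL2 and of
	 * the TB_FW and HW configuration images.
	 */
	[TRUSTED_BOOT_FW_CERT_ID] = {
		.img_id = TRUSTED_BOOT_FW_CERT_ID,
		.img_type = IMG_CERT,
		.parent = NULL,
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &subject_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &tb_fw_hash,
				.data = {
					.ptr = (void *)tb_fw_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[1] = {
				.type_desc = &tb_fw_config_hash,
				.data = {
					.ptr = (void *)tb_fw_config_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[2] = {
				.type_desc = &hw_config_hash,
				.data = {
					.ptr = (void *)hw_config_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			}
		}
	},
	/* BL2 image, checked against the hash from the certificate above. */
	[BL2_IMAGE_ID] = {
		.img_id = BL2_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &tb_fw_hash,
				}
			}
		}
	},
	/* Hardware configuration image. */
	[HW_CONFIG_ID] = {
		.img_id = HW_CONFIG_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &hw_config_hash,
				}
			}
		}
	},
	/* Trusted boot firmware configuration image. */
	[TB_FW_CONFIG_ID] = {
		.img_id = TB_FW_CONFIG_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &tb_fw_config_hash,
				}
			}
		}
	},
	/*
	 * Trusted key certificate: carries the trusted and non-trusted world
	 * keys that sign the key certificates below.
	 */
	[TRUSTED_KEY_CERT_ID] = {
		.img_id = TRUSTED_KEY_CERT_ID,
		.img_type = IMG_CERT,
		.parent = NULL,
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &subject_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &trusted_world_pk,
				.data = {
					.ptr = (void *)trusted_world_pk_buf,
					.len = (unsigned int)PK_DER_LEN
				}
			},
			[1] = {
				.type_desc = &non_trusted_world_pk,
				.data = {
					.ptr = (void *)non_trusted_world_pk_buf,
					.len = (unsigned int)PK_DER_LEN
				}
			}
		}
	},
	/*
	 * SCP firmware: key certificate (signed with the trusted world key),
	 * content certificate (signed with the SCP content key), image.
	 */
	[SCP_FW_KEY_CERT_ID] = {
		.img_id = SCP_FW_KEY_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &trusted_world_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &scp_fw_content_pk,
				.data = {
					/* shared with the other key certificates */
					.ptr = (void *)content_pk_buf,
					.len = (unsigned int)PK_DER_LEN
				}
			}
		}
	},
	[SCP_FW_CONTENT_CERT_ID] = {
		.img_id = SCP_FW_CONTENT_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[SCP_FW_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &scp_fw_content_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &scp_fw_hash,
				.data = {
					.ptr = (void *)scp_fw_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			}
		}
	},
	[SCP_BL2_IMAGE_ID] = {
		.img_id = SCP_BL2_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[SCP_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &scp_fw_hash,
				}
			}
		}
	},
	/*
	 * SoC firmware: key certificate, content certificate, BL31 image and
	 * SoC firmware configuration image.
	 */
	[SOC_FW_KEY_CERT_ID] = {
		.img_id = SOC_FW_KEY_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &trusted_world_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &soc_fw_content_pk,
				.data = {
					/* shared with the other key certificates */
					.ptr = (void *)content_pk_buf,
					.len = (unsigned int)PK_DER_LEN
				}
			}
		}
	},
	[SOC_FW_CONTENT_CERT_ID] = {
		.img_id = SOC_FW_CONTENT_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[SOC_FW_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &soc_fw_content_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &soc_fw_hash,
				.data = {
					.ptr = (void *)soc_fw_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[1] = {
				.type_desc = &soc_fw_config_hash,
				.data = {
					.ptr = (void *)soc_fw_config_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			}
		}
	},
	[BL31_IMAGE_ID] = {
		.img_id = BL31_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &soc_fw_hash,
				}
			}
		}
	},
	/* SoC firmware configuration image. */
	[SOC_FW_CONFIG_ID] = {
		.img_id = SOC_FW_CONFIG_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &soc_fw_config_hash,
				}
			}
		}
	},
	/*
	 * Trusted OS Firmware
	 */
	[TRUSTED_OS_FW_KEY_CERT_ID] = {
		.img_id = TRUSTED_OS_FW_KEY_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &trusted_world_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &tos_fw_content_pk,
				.data = {
					/* shared with the other key certificates */
					.ptr = (void *)content_pk_buf,
					.len = (unsigned int)PK_DER_LEN
				}
			}
		}
	},
	[TRUSTED_OS_FW_CONTENT_CERT_ID] = {
		.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[TRUSTED_OS_FW_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &tos_fw_content_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &trusted_nv_ctr,
					.plat_nv_ctr = &trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &tos_fw_hash,
				.data = {
					.ptr = (void *)tos_fw_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[1] = {
				.type_desc = &tos_fw_extra1_hash,
				.data = {
					.ptr = (void *)tos_fw_extra1_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[2] = {
				.type_desc = &tos_fw_extra2_hash,
				.data = {
					.ptr = (void *)tos_fw_extra2_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[3] = {
				.type_desc = &tos_fw_config_hash,
				.data = {
					.ptr = (void *)tos_fw_config_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			}
		}
	},
	[BL32_IMAGE_ID] = {
		.img_id = BL32_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &tos_fw_hash,
				}
			}
		}
	},
	[BL32_EXTRA1_IMAGE_ID] = {
		.img_id = BL32_EXTRA1_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &tos_fw_extra1_hash,
				}
			}
		}
	},
	[BL32_EXTRA2_IMAGE_ID] = {
		.img_id = BL32_EXTRA2_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &tos_fw_extra2_hash,
				}
			}
		}
	},
	/* Trusted OS firmware configuration image. */
	[TOS_FW_CONFIG_ID] = {
		.img_id = TOS_FW_CONFIG_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &tos_fw_config_hash,
				}
			}
		}
	},
	/*
	 * Non-Trusted Firmware
	 *
	 * Signed under the non-trusted world key and checked against
	 * non_trusted_nv_ctr rather than trusted_nv_ctr.
	 */
	[NON_TRUSTED_FW_KEY_CERT_ID] = {
		.img_id = NON_TRUSTED_FW_KEY_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &non_trusted_world_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &non_trusted_nv_ctr,
					.plat_nv_ctr = &non_trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &nt_fw_content_pk,
				.data = {
					/* shared with the other key certificates */
					.ptr = (void *)content_pk_buf,
					.len = (unsigned int)PK_DER_LEN
				}
			}
		}
	},
	[NON_TRUSTED_FW_CONTENT_CERT_ID] = {
		.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
		.img_type = IMG_CERT,
		.parent = &cot_desc[NON_TRUSTED_FW_KEY_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &nt_fw_content_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			},
			[1] = {
				.type = AUTH_METHOD_NV_CTR,
				.param.nv_ctr = {
					.cert_nv_ctr = &non_trusted_nv_ctr,
					.plat_nv_ctr = &non_trusted_nv_ctr
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &nt_world_bl_hash,
				.data = {
					.ptr = (void *)nt_world_bl_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[1] = {
				.type_desc = &nt_fw_config_hash,
				.data = {
					.ptr = (void *)nt_fw_config_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			}
		}
	},
	[BL33_IMAGE_ID] = {
		.img_id = BL33_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &nt_world_bl_hash,
				}
			}
		}
	},
	/* Non-trusted firmware configuration image. */
	[NT_FW_CONFIG_ID] = {
		.img_id = NT_FW_CONFIG_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &nt_fw_config_hash,
				}
			}
		}
	},
	/*
	 * FWU auth descriptor.
	 *
	 * Signature check only: no AUTH_METHOD_NV_CTR entry is listed for this
	 * certificate. Its three hashes are stored in buffers that the normal
	 * boot certificates also use.
	 */
	[FWU_CERT_ID] = {
		.img_id = FWU_CERT_ID,
		.img_type = IMG_CERT,
		.parent = NULL,
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_SIG,
				.param.sig = {
					.pk = &subject_pk,
					.sig = &sig,
					.alg = &sig_alg,
					.data = &raw_data,
				}
			}
		},
		.authenticated_data = {
			[0] = {
				.type_desc = &scp_bl2u_hash,
				.data = {
					.ptr = (void *)scp_fw_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[1] = {
				.type_desc = &bl2u_hash,
				.data = {
					.ptr = (void *)tb_fw_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			},
			[2] = {
				.type_desc = &ns_bl2u_hash,
				.data = {
					.ptr = (void *)nt_world_bl_hash_buf,
					.len = (unsigned int)HASH_DER_LEN
				}
			}
		}
	},
	/* SCP_BL2U image. */
	[SCP_BL2U_IMAGE_ID] = {
		.img_id = SCP_BL2U_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[FWU_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &scp_bl2u_hash,
				}
			}
		}
	},
	/* BL2U image. */
	[BL2U_IMAGE_ID] = {
		.img_id = BL2U_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[FWU_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &bl2u_hash,
				}
			}
		}
	},
	/* NS_BL2U image. */
	[NS_BL2U_IMAGE_ID] = {
		.img_id = NS_BL2U_IMAGE_ID,
		.img_type = IMG_RAW,
		.parent = &cot_desc[FWU_CERT_ID],
		.img_auth_methods = {
			[0] = {
				.type = AUTH_METHOD_HASH,
				.param.hash = {
					.data = &raw_data,
					.hash = &ns_bl2u_hash,
				}
			}
		}
	}
};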
/*
 * Register the CoT in the authentication module.
 *
 * REGISTER_COT is defined outside this file. cot_desc and everything it
 * points to are file-local (static), so this macro is presumably the only way
 * the table becomes visible to the code that walks it - confirm.
 */
REGISTER_COT(cot_desc);