1 /* 2 * Copyright (c) 2020-2023, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <stddef.h> 8 9 #include <mbedtls/version.h> 10 11 #include <common/tbbr/cot_def.h> 12 #include <drivers/auth/auth_mod.h> 13 14 #include <tools_share/dualroot_oid.h> 15 16 #include <platform_def.h> 17 18 /* 19 * Allocate static buffers to store the authentication parameters extracted from 20 * the certificates. 21 */ 22 static unsigned char fw_config_hash_buf[HASH_DER_LEN]; 23 static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; 24 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; 25 static unsigned char hw_config_hash_buf[HASH_DER_LEN]; 26 static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; 27 static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 28 29 #ifdef IMAGE_BL2 30 static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 31 static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 32 static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 33 static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 34 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; 35 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; 36 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; 37 #if defined(SPD_spmd) 38 static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN]; 39 #endif /* SPD_spmd */ 40 41 static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 42 static unsigned char content_pk_buf[PK_DER_LEN]; 43 #endif 44 45 /* 46 * Parameter type descriptors. 47 */ 48 static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 49 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 50 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 51 AUTH_PARAM_PUB_KEY, 0); 52 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 53 AUTH_PARAM_SIG, 0); 54 static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 55 AUTH_PARAM_SIG_ALG, 0); 56 static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 57 AUTH_PARAM_RAW_DATA, 0); 58 59 static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( 60 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); 61 static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( 62 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); 63 static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( 64 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); 65 static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC( 66 AUTH_PARAM_HASH, FW_CONFIG_HASH_OID); 67 #ifdef IMAGE_BL1 68 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( 69 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); 70 static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( 71 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); 72 static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( 73 AUTH_PARAM_HASH, FWU_HASH_OID); 74 #endif /* IMAGE_BL1 */ 75 76 #ifdef IMAGE_BL2 77 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 78 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 79 80 static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 81 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 82 static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( 83 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); 84 static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 85 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 86 static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 87 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 88 static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC( 89 AUTH_PARAM_PUB_KEY, PROT_PK_OID); 90 91 static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( 92 AUTH_PARAM_HASH, SCP_FW_HASH_OID); 93 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 94 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 95 static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( 96 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); 97 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 98 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 99 static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( 100 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); 101 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 102 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 103 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 104 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 105 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 106 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 107 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( 108 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); 109 #if defined(SPD_spmd) 110 static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC( 111 AUTH_PARAM_HASH, SP_PKG1_HASH_OID); 112 static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC( 113 AUTH_PARAM_HASH, SP_PKG2_HASH_OID); 114 static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC( 115 AUTH_PARAM_HASH, SP_PKG3_HASH_OID); 116 static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC( 117 AUTH_PARAM_HASH, SP_PKG4_HASH_OID); 118 static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC( 119 AUTH_PARAM_HASH, SP_PKG5_HASH_OID); 120 static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC( 121 AUTH_PARAM_HASH, SP_PKG6_HASH_OID); 122 static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC( 123 AUTH_PARAM_HASH, SP_PKG7_HASH_OID); 124 static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC( 125 AUTH_PARAM_HASH, SP_PKG8_HASH_OID); 126 #endif /* SPD_spmd */ 127 #endif /* IMAGE_BL2 */ 128 129 130 /* BL2 */ 131 static const auth_img_desc_t trusted_boot_fw_cert = { 132 .img_id = TRUSTED_BOOT_FW_CERT_ID, 133 .img_type = IMG_CERT, 134 .parent = NULL, 135 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 136 [0] = { 137 .type = AUTH_METHOD_SIG, 138 .param.sig = { 139 .pk = &subject_pk, 140 .sig = &sig, 141 .alg = &sig_alg, 142 .data = &raw_data 143 } 144 }, 145 [1] = { 146 .type = AUTH_METHOD_NV_CTR, 147 .param.nv_ctr = { 148 .cert_nv_ctr = &trusted_nv_ctr, 149 .plat_nv_ctr = &trusted_nv_ctr 150 } 151 } 152 }, 153 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 154 [0] = { 155 .type_desc = &tb_fw_hash, 156 .data = { 157 .ptr = (void *)tb_fw_hash_buf, 158 .len = (unsigned int)HASH_DER_LEN 159 } 160 }, 161 [1] = { 162 .type_desc = &tb_fw_config_hash, 163 .data = { 164 .ptr = (void *)tb_fw_config_hash_buf, 165 .len = (unsigned int)HASH_DER_LEN 166 } 167 }, 168 [2] = { 169 .type_desc = &hw_config_hash, 170 .data = { 171 .ptr = (void *)hw_config_hash_buf, 172 .len = (unsigned int)HASH_DER_LEN 173 } 174 }, 175 [3] = { 176 .type_desc = &fw_config_hash, 177 .data = { 178 .ptr = (void *)fw_config_hash_buf, 179 .len = (unsigned int)HASH_DER_LEN 180 } 181 } 182 } 183 }; 184 185 #ifdef IMAGE_BL1 186 static const auth_img_desc_t bl2_image = { 187 .img_id = BL2_IMAGE_ID, 188 .img_type = IMG_RAW, 189 .parent = &trusted_boot_fw_cert, 190 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 191 [0] = { 192 .type = AUTH_METHOD_HASH, 193 .param.hash = { 194 .data = &raw_data, 195 .hash = &tb_fw_hash 196 } 197 } 198 } 199 }; 200 #endif /* IMAGE_BL1 */ 201 202 /* HW Config */ 203 static const auth_img_desc_t hw_config = { 204 .img_id = HW_CONFIG_ID, 205 .img_type = IMG_RAW, 206 .parent = &trusted_boot_fw_cert, 207 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 208 [0] = { 209 .type = AUTH_METHOD_HASH, 210 .param.hash = { 211 .data = &raw_data, 212 .hash = &hw_config_hash 213 } 214 } 215 } 216 }; 217 218 /* TB FW Config */ 219 #ifdef IMAGE_BL1 220 static const auth_img_desc_t tb_fw_config = { 221 .img_id = TB_FW_CONFIG_ID, 222 .img_type = IMG_RAW, 223 .parent = &trusted_boot_fw_cert, 224 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 225 [0] = { 226 .type = AUTH_METHOD_HASH, 227 .param.hash = { 228 .data = &raw_data, 229 .hash = &tb_fw_config_hash 230 } 231 } 232 } 233 }; 234 235 static const auth_img_desc_t fw_config = { 236 .img_id = FW_CONFIG_ID, 237 .img_type = IMG_RAW, 238 .parent = &trusted_boot_fw_cert, 239 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 240 [0] = { 241 .type = AUTH_METHOD_HASH, 242 .param.hash = { 243 .data = &raw_data, 244 .hash = &fw_config_hash 245 } 246 } 247 } 248 }; 249 250 #endif /* IMAGE_BL1 */ 251 252 #ifdef IMAGE_BL2 253 /* Trusted key certificate */ 254 static const auth_img_desc_t trusted_key_cert = { 255 .img_id = TRUSTED_KEY_CERT_ID, 256 .img_type = IMG_CERT, 257 .parent = NULL, 258 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 259 [0] = { 260 .type = AUTH_METHOD_SIG, 261 .param.sig = { 262 .pk = &subject_pk, 263 .sig = &sig, 264 .alg = &sig_alg, 265 .data = &raw_data 266 } 267 }, 268 [1] = { 269 .type = AUTH_METHOD_NV_CTR, 270 .param.nv_ctr = { 271 .cert_nv_ctr = &trusted_nv_ctr, 272 .plat_nv_ctr = &trusted_nv_ctr 273 } 274 } 275 }, 276 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 277 [0] = { 278 .type_desc = &trusted_world_pk, 279 .data = { 280 .ptr = (void *)trusted_world_pk_buf, 281 .len = (unsigned int)PK_DER_LEN 282 } 283 }, 284 } 285 }; 286 287 /* SCP Firmware */ 288 static const auth_img_desc_t scp_fw_key_cert = { 289 .img_id = SCP_FW_KEY_CERT_ID, 290 .img_type = IMG_CERT, 291 .parent = &trusted_key_cert, 292 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 293 [0] = { 294 .type = AUTH_METHOD_SIG, 295 .param.sig = { 296 .pk = &trusted_world_pk, 297 .sig = &sig, 298 .alg = &sig_alg, 299 .data = &raw_data 300 } 301 }, 302 [1] = { 303 .type = AUTH_METHOD_NV_CTR, 304 .param.nv_ctr = { 305 .cert_nv_ctr = &trusted_nv_ctr, 306 .plat_nv_ctr = &trusted_nv_ctr 307 } 308 } 309 }, 310 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 311 [0] = { 312 .type_desc = &scp_fw_content_pk, 313 .data = { 314 .ptr = (void *)content_pk_buf, 315 .len = (unsigned int)PK_DER_LEN 316 } 317 } 318 } 319 }; 320 321 static const auth_img_desc_t scp_fw_content_cert = { 322 .img_id = SCP_FW_CONTENT_CERT_ID, 323 .img_type = IMG_CERT, 324 .parent = &scp_fw_key_cert, 325 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 326 [0] = { 327 .type = AUTH_METHOD_SIG, 328 .param.sig = { 329 .pk = &scp_fw_content_pk, 330 .sig = &sig, 331 .alg = &sig_alg, 332 .data = &raw_data 333 } 334 }, 335 [1] = { 336 .type = AUTH_METHOD_NV_CTR, 337 .param.nv_ctr = { 338 .cert_nv_ctr = &trusted_nv_ctr, 339 .plat_nv_ctr = &trusted_nv_ctr 340 } 341 } 342 }, 343 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 344 [0] = { 345 .type_desc = &scp_fw_hash, 346 .data = { 347 .ptr = (void *)scp_fw_hash_buf, 348 .len = (unsigned int)HASH_DER_LEN 349 } 350 } 351 } 352 }; 353 354 static const auth_img_desc_t scp_bl2_image = { 355 .img_id = SCP_BL2_IMAGE_ID, 356 .img_type = IMG_RAW, 357 .parent = &scp_fw_content_cert, 358 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 359 [0] = { 360 .type = AUTH_METHOD_HASH, 361 .param.hash = { 362 .data = &raw_data, 363 .hash = &scp_fw_hash 364 } 365 } 366 } 367 }; 368 369 /* SoC Firmware */ 370 static const auth_img_desc_t soc_fw_key_cert = { 371 .img_id = SOC_FW_KEY_CERT_ID, 372 .img_type = IMG_CERT, 373 .parent = &trusted_key_cert, 374 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 375 [0] = { 376 .type = AUTH_METHOD_SIG, 377 .param.sig = { 378 .pk = &trusted_world_pk, 379 .sig = &sig, 380 .alg = &sig_alg, 381 .data = &raw_data 382 } 383 }, 384 [1] = { 385 .type = AUTH_METHOD_NV_CTR, 386 .param.nv_ctr = { 387 .cert_nv_ctr = &trusted_nv_ctr, 388 .plat_nv_ctr = &trusted_nv_ctr 389 } 390 } 391 }, 392 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 393 [0] = { 394 .type_desc = &soc_fw_content_pk, 395 .data = { 396 .ptr = (void *)content_pk_buf, 397 .len = (unsigned int)PK_DER_LEN 398 } 399 } 400 } 401 }; 402 403 static const auth_img_desc_t soc_fw_content_cert = { 404 .img_id = SOC_FW_CONTENT_CERT_ID, 405 .img_type = IMG_CERT, 406 .parent = &soc_fw_key_cert, 407 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 408 [0] = { 409 .type = AUTH_METHOD_SIG, 410 .param.sig = { 411 .pk = &soc_fw_content_pk, 412 .sig = &sig, 413 .alg = &sig_alg, 414 .data = &raw_data 415 } 416 }, 417 [1] = { 418 .type = AUTH_METHOD_NV_CTR, 419 .param.nv_ctr = { 420 .cert_nv_ctr = &trusted_nv_ctr, 421 .plat_nv_ctr = &trusted_nv_ctr 422 } 423 } 424 }, 425 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 426 [0] = { 427 .type_desc = &soc_fw_hash, 428 .data = { 429 .ptr = (void *)soc_fw_hash_buf, 430 .len = (unsigned int)HASH_DER_LEN 431 } 432 }, 433 [1] = { 434 .type_desc = &soc_fw_config_hash, 435 .data = { 436 .ptr = (void *)soc_fw_config_hash_buf, 437 .len = (unsigned int)HASH_DER_LEN 438 } 439 } 440 } 441 }; 442 443 static const auth_img_desc_t bl31_image = { 444 .img_id = BL31_IMAGE_ID, 445 .img_type = IMG_RAW, 446 .parent = &soc_fw_content_cert, 447 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 448 [0] = { 449 .type = AUTH_METHOD_HASH, 450 .param.hash = { 451 .data = &raw_data, 452 .hash = &soc_fw_hash 453 } 454 } 455 } 456 }; 457 458 /* SOC FW Config */ 459 static const auth_img_desc_t soc_fw_config = { 460 .img_id = SOC_FW_CONFIG_ID, 461 .img_type = IMG_RAW, 462 .parent = &soc_fw_content_cert, 463 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 464 [0] = { 465 .type = AUTH_METHOD_HASH, 466 .param.hash = { 467 .data = &raw_data, 468 .hash = &soc_fw_config_hash 469 } 470 } 471 } 472 }; 473 474 /* Trusted OS Firmware */ 475 static const auth_img_desc_t trusted_os_fw_key_cert = { 476 .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 477 .img_type = IMG_CERT, 478 .parent = &trusted_key_cert, 479 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 480 [0] = { 481 .type = AUTH_METHOD_SIG, 482 .param.sig = { 483 .pk = &trusted_world_pk, 484 .sig = &sig, 485 .alg = &sig_alg, 486 .data = &raw_data 487 } 488 }, 489 [1] = { 490 .type = AUTH_METHOD_NV_CTR, 491 .param.nv_ctr = { 492 .cert_nv_ctr = &trusted_nv_ctr, 493 .plat_nv_ctr = &trusted_nv_ctr 494 } 495 } 496 }, 497 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 498 [0] = { 499 .type_desc = &tos_fw_content_pk, 500 .data = { 501 .ptr = (void *)content_pk_buf, 502 .len = (unsigned int)PK_DER_LEN 503 } 504 } 505 } 506 }; 507 508 static const auth_img_desc_t trusted_os_fw_content_cert = { 509 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 510 .img_type = IMG_CERT, 511 .parent = &trusted_os_fw_key_cert, 512 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 513 [0] = { 514 .type = AUTH_METHOD_SIG, 515 .param.sig = { 516 .pk = &tos_fw_content_pk, 517 .sig = &sig, 518 .alg = &sig_alg, 519 .data = &raw_data 520 } 521 }, 522 [1] = { 523 .type = AUTH_METHOD_NV_CTR, 524 .param.nv_ctr = { 525 .cert_nv_ctr = &trusted_nv_ctr, 526 .plat_nv_ctr = &trusted_nv_ctr 527 } 528 } 529 }, 530 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 531 [0] = { 532 .type_desc = &tos_fw_hash, 533 .data = { 534 .ptr = (void *)tos_fw_hash_buf, 535 .len = (unsigned int)HASH_DER_LEN 536 } 537 }, 538 [1] = { 539 .type_desc = &tos_fw_extra1_hash, 540 .data = { 541 .ptr = (void *)tos_fw_extra1_hash_buf, 542 .len = (unsigned int)HASH_DER_LEN 543 } 544 }, 545 [2] = { 546 .type_desc = &tos_fw_extra2_hash, 547 .data = { 548 .ptr = (void *)tos_fw_extra2_hash_buf, 549 .len = (unsigned int)HASH_DER_LEN 550 } 551 }, 552 [3] = { 553 .type_desc = &tos_fw_config_hash, 554 .data = { 555 .ptr = (void *)tos_fw_config_hash_buf, 556 .len = (unsigned int)HASH_DER_LEN 557 } 558 } 559 } 560 }; 561 562 static const auth_img_desc_t bl32_image = { 563 .img_id = BL32_IMAGE_ID, 564 .img_type = IMG_RAW, 565 .parent = &trusted_os_fw_content_cert, 566 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 567 [0] = { 568 .type = AUTH_METHOD_HASH, 569 .param.hash = { 570 .data = &raw_data, 571 .hash = &tos_fw_hash 572 } 573 } 574 } 575 }; 576 577 static const auth_img_desc_t bl32_extra1_image = { 578 .img_id = BL32_EXTRA1_IMAGE_ID, 579 .img_type = IMG_RAW, 580 .parent = &trusted_os_fw_content_cert, 581 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 582 [0] = { 583 .type = AUTH_METHOD_HASH, 584 .param.hash = { 585 .data = &raw_data, 586 .hash = &tos_fw_extra1_hash 587 } 588 } 589 } 590 }; 591 592 static const auth_img_desc_t bl32_extra2_image = { 593 .img_id = BL32_EXTRA2_IMAGE_ID, 594 .img_type = IMG_RAW, 595 .parent = &trusted_os_fw_content_cert, 596 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 597 [0] = { 598 .type = AUTH_METHOD_HASH, 599 .param.hash = { 600 .data = &raw_data, 601 .hash = &tos_fw_extra2_hash 602 } 603 } 604 } 605 }; 606 607 /* TOS FW Config */ 608 static const auth_img_desc_t tos_fw_config = { 609 .img_id = TOS_FW_CONFIG_ID, 610 .img_type = IMG_RAW, 611 .parent = &trusted_os_fw_content_cert, 612 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 613 [0] = { 614 .type = AUTH_METHOD_HASH, 615 .param.hash = { 616 .data = &raw_data, 617 .hash = &tos_fw_config_hash 618 } 619 } 620 } 621 }; 622 623 /* Non-Trusted Firmware */ 624 static const auth_img_desc_t non_trusted_fw_content_cert = { 625 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 626 .img_type = IMG_CERT, 627 .parent = NULL, /* Root certificate. */ 628 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 629 [0] = { 630 .type = AUTH_METHOD_SIG, 631 .param.sig = { 632 .pk = &prot_pk, 633 .sig = &sig, 634 .alg = &sig_alg, 635 .data = &raw_data 636 } 637 }, 638 [1] = { 639 .type = AUTH_METHOD_NV_CTR, 640 .param.nv_ctr = { 641 .cert_nv_ctr = &non_trusted_nv_ctr, 642 .plat_nv_ctr = &non_trusted_nv_ctr 643 } 644 } 645 }, 646 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 647 [0] = { 648 .type_desc = &nt_world_bl_hash, 649 .data = { 650 .ptr = (void *)nt_world_bl_hash_buf, 651 .len = (unsigned int)HASH_DER_LEN 652 } 653 }, 654 [1] = { 655 .type_desc = &nt_fw_config_hash, 656 .data = { 657 .ptr = (void *)nt_fw_config_hash_buf, 658 .len = (unsigned int)HASH_DER_LEN 659 } 660 } 661 } 662 }; 663 664 static const auth_img_desc_t bl33_image = { 665 .img_id = BL33_IMAGE_ID, 666 .img_type = IMG_RAW, 667 .parent = &non_trusted_fw_content_cert, 668 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 669 [0] = { 670 .type = AUTH_METHOD_HASH, 671 .param.hash = { 672 .data = &raw_data, 673 .hash = &nt_world_bl_hash 674 } 675 } 676 } 677 }; 678 679 /* NT FW Config */ 680 static const auth_img_desc_t nt_fw_config = { 681 .img_id = NT_FW_CONFIG_ID, 682 .img_type = IMG_RAW, 683 .parent = &non_trusted_fw_content_cert, 684 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 685 [0] = { 686 .type = AUTH_METHOD_HASH, 687 .param.hash = { 688 .data = &raw_data, 689 .hash = &nt_fw_config_hash 690 } 691 } 692 } 693 }; 694 695 /* 696 * Secure Partitions 697 */ 698 #if defined(SPD_spmd) 699 static const auth_img_desc_t sip_sp_content_cert = { 700 .img_id = SIP_SP_CONTENT_CERT_ID, 701 .img_type = IMG_CERT, 702 .parent = &trusted_key_cert, 703 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 704 [0] = { 705 .type = AUTH_METHOD_SIG, 706 .param.sig = { 707 .pk = &trusted_world_pk, 708 .sig = &sig, 709 .alg = &sig_alg, 710 .data = &raw_data 711 } 712 }, 713 [1] = { 714 .type = AUTH_METHOD_NV_CTR, 715 .param.nv_ctr = { 716 .cert_nv_ctr = &trusted_nv_ctr, 717 .plat_nv_ctr = &trusted_nv_ctr 718 } 719 } 720 }, 721 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 722 [0] = { 723 .type_desc = &sp_pkg1_hash, 724 .data = { 725 .ptr = (void *)sp_pkg_hash_buf[0], 726 .len = (unsigned int)HASH_DER_LEN 727 } 728 }, 729 [1] = { 730 .type_desc = &sp_pkg2_hash, 731 .data = { 732 .ptr = (void *)sp_pkg_hash_buf[1], 733 .len = (unsigned int)HASH_DER_LEN 734 } 735 }, 736 [2] = { 737 .type_desc = &sp_pkg3_hash, 738 .data = { 739 .ptr = (void *)sp_pkg_hash_buf[2], 740 .len = (unsigned int)HASH_DER_LEN 741 } 742 }, 743 [3] = { 744 .type_desc = &sp_pkg4_hash, 745 .data = { 746 .ptr = (void *)sp_pkg_hash_buf[3], 747 .len = (unsigned int)HASH_DER_LEN 748 } 749 } 750 } 751 }; 752 753 DEFINE_SIP_SP_PKG(1); 754 DEFINE_SIP_SP_PKG(2); 755 DEFINE_SIP_SP_PKG(3); 756 DEFINE_SIP_SP_PKG(4); 757 758 static const auth_img_desc_t plat_sp_content_cert = { 759 .img_id = PLAT_SP_CONTENT_CERT_ID, 760 .img_type = IMG_CERT, 761 .parent = NULL, 762 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 763 [0] = { 764 .type = AUTH_METHOD_SIG, 765 .param.sig = { 766 .pk = &prot_pk, 767 .sig = &sig, 768 .alg = &sig_alg, 769 .data = &raw_data 770 } 771 }, 772 [1] = { 773 .type = AUTH_METHOD_NV_CTR, 774 .param.nv_ctr = { 775 .cert_nv_ctr = &non_trusted_nv_ctr, 776 .plat_nv_ctr = &non_trusted_nv_ctr 777 } 778 } 779 }, 780 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 781 [0] = { 782 .type_desc = &sp_pkg5_hash, 783 .data = { 784 .ptr = (void *)sp_pkg_hash_buf[4], 785 .len = (unsigned int)HASH_DER_LEN 786 } 787 }, 788 [1] = { 789 .type_desc = &sp_pkg6_hash, 790 .data = { 791 .ptr = (void *)sp_pkg_hash_buf[5], 792 .len = (unsigned int)HASH_DER_LEN 793 } 794 }, 795 [2] = { 796 .type_desc = &sp_pkg7_hash, 797 .data = { 798 .ptr = (void *)sp_pkg_hash_buf[6], 799 .len = (unsigned int)HASH_DER_LEN 800 } 801 }, 802 [3] = { 803 .type_desc = &sp_pkg8_hash, 804 .data = { 805 .ptr = (void *)sp_pkg_hash_buf[7], 806 .len = (unsigned int)HASH_DER_LEN 807 } 808 } 809 } 810 }; 811 812 DEFINE_PLAT_SP_PKG(5); 813 DEFINE_PLAT_SP_PKG(6); 814 DEFINE_PLAT_SP_PKG(7); 815 DEFINE_PLAT_SP_PKG(8); 816 #endif /* SPD_spmd */ 817 818 #else /* IMAGE_BL2 */ 819 820 /* FWU auth descriptor */ 821 static const auth_img_desc_t fwu_cert = { 822 .img_id = FWU_CERT_ID, 823 .img_type = IMG_CERT, 824 .parent = NULL, 825 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 826 [0] = { 827 .type = AUTH_METHOD_SIG, 828 .param.sig = { 829 .pk = &subject_pk, 830 .sig = &sig, 831 .alg = &sig_alg, 832 .data = &raw_data 833 } 834 } 835 }, 836 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 837 [0] = { 838 .type_desc = &scp_bl2u_hash, 839 .data = { 840 .ptr = (void *)scp_fw_hash_buf, 841 .len = (unsigned int)HASH_DER_LEN 842 } 843 }, 844 [1] = { 845 .type_desc = &bl2u_hash, 846 .data = { 847 .ptr = (void *)tb_fw_hash_buf, 848 .len = (unsigned int)HASH_DER_LEN 849 } 850 }, 851 [2] = { 852 .type_desc = &ns_bl2u_hash, 853 .data = { 854 .ptr = (void *)nt_world_bl_hash_buf, 855 .len = (unsigned int)HASH_DER_LEN 856 } 857 } 858 } 859 }; 860 861 /* SCP_BL2U */ 862 static const auth_img_desc_t scp_bl2u_image = { 863 .img_id = SCP_BL2U_IMAGE_ID, 864 .img_type = IMG_RAW, 865 .parent = &fwu_cert, 866 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 867 [0] = { 868 .type = AUTH_METHOD_HASH, 869 .param.hash = { 870 .data = &raw_data, 871 .hash = &scp_bl2u_hash 872 } 873 } 874 } 875 }; 876 877 /* BL2U */ 878 static const auth_img_desc_t bl2u_image = { 879 .img_id = BL2U_IMAGE_ID, 880 .img_type = IMG_RAW, 881 .parent = &fwu_cert, 882 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 883 [0] = { 884 .type = AUTH_METHOD_HASH, 885 .param.hash = { 886 .data = &raw_data, 887 .hash = &bl2u_hash 888 } 889 } 890 } 891 }; 892 893 /* NS_BL2U */ 894 static const auth_img_desc_t ns_bl2u_image = { 895 .img_id = NS_BL2U_IMAGE_ID, 896 .img_type = IMG_RAW, 897 .parent = &fwu_cert, 898 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 899 [0] = { 900 .type = AUTH_METHOD_HASH, 901 .param.hash = { 902 .data = &raw_data, 903 .hash = &ns_bl2u_hash 904 } 905 } 906 } 907 }; 908 #endif /* IMAGE_BL2 */ 909 910 /* 911 * Chain of trust definition 912 */ 913 #ifdef IMAGE_BL1 914 static const auth_img_desc_t * const cot_desc[] = { 915 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 916 [BL2_IMAGE_ID] = &bl2_image, 917 [HW_CONFIG_ID] = &hw_config, 918 [TB_FW_CONFIG_ID] = &tb_fw_config, 919 [FW_CONFIG_ID] = &fw_config, 920 [FWU_CERT_ID] = &fwu_cert, 921 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image, 922 [BL2U_IMAGE_ID] = &bl2u_image, 923 [NS_BL2U_IMAGE_ID] = &ns_bl2u_image 924 }; 925 #else /* IMAGE_BL2 */ 926 static const auth_img_desc_t * const cot_desc[] = { 927 [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 928 [HW_CONFIG_ID] = &hw_config, 929 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, 930 [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert, 931 [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert, 932 [SCP_BL2_IMAGE_ID] = &scp_bl2_image, 933 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, 934 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, 935 [BL31_IMAGE_ID] = &bl31_image, 936 [SOC_FW_CONFIG_ID] = &soc_fw_config, 937 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, 938 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, 939 [BL32_IMAGE_ID] = &bl32_image, 940 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, 941 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, 942 [TOS_FW_CONFIG_ID] = &tos_fw_config, 943 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, 944 [BL33_IMAGE_ID] = &bl33_image, 945 [NT_FW_CONFIG_ID] = &nt_fw_config, 946 #if defined(SPD_spmd) 947 [SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert, 948 [PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert, 949 [SP_PKG1_ID] = &sp_pkg1, 950 [SP_PKG2_ID] = &sp_pkg2, 951 [SP_PKG3_ID] = &sp_pkg3, 952 [SP_PKG4_ID] = &sp_pkg4, 953 [SP_PKG5_ID] = &sp_pkg5, 954 [SP_PKG6_ID] = &sp_pkg6, 955 [SP_PKG7_ID] = &sp_pkg7, 956 [SP_PKG8_ID] = &sp_pkg8, 957 #endif 958 }; 959 #endif 960 961 /* Register the CoT in the authentication module */ 962 REGISTER_COT(cot_desc); 963