1 /*
2  * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <stddef.h>
8 
9 #include <mbedtls/version.h>
10 
11 #include <drivers/auth/auth_mod.h>
12 #include <drivers/auth/tbbr_cot_common.h>
13 
14 #if USE_TBBR_DEFS
15 #include <tools_share/tbbr_oid.h>
16 #else
17 #include <platform_oid.h>
18 #endif
19 
20 #include <platform_def.h>
21 
/*
 * Parameter type descriptors for the three image hashes carried by the FWU
 * certificate. Each one is a hash parameter identified by the OID of the
 * certificate extension it lives in (OIDs come from tbbr_oid.h or
 * platform_oid.h, selected by USE_TBBR_DEFS above). fwu_cert below lists
 * them as its authenticated data, and the FWU image descriptors point back
 * at them as the reference hash to verify against.
 *
 * NOTE(review): these are not const-qualified even though the descriptors
 * below only take their address; if the auth_mod.h fields that hold those
 * pointers are pointer-to-const, `static const` would keep the reference
 * hashes out of writable memory - confirm against auth_mod.h.
 */
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FWU_HASH_OID);
28 
/*
 * BL2
 *
 * Normal-boot BL2 image. It is a child of trusted_boot_fw_cert and is
 * authenticated by a single hash method: the raw image data is hashed and
 * compared with tb_fw_hash, the reference hash expected to have been
 * extracted from that parent certificate. trusted_boot_fw_cert, raw_data
 * and tb_fw_hash are presumably the shared descriptors declared in
 * tbbr_cot_common.h (included above).
 */
static const auth_img_desc_t bl2_image = {
	.img_id = BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_hash
			}
		}
	}
};
43 
/*
 * FWU auth descriptor.
 *
 * Root of the firmware-update chain of trust: .parent is NULL, so no other
 * entry in this table vouches for it. Its only authentication method is a
 * signature check over the raw certificate data using the subject_pk, sig
 * and sig_alg parameter descriptors (presumably shared via
 * tbbr_cot_common.h). NOTE(review): because there is no parent, the key
 * that ends up verifying this certificate is resolved entirely by the auth
 * module for a parentless image (expected to be the ROTPK) - confirm in
 * auth_mod, since that resolution anchors all three FWU images below.
 *
 * After verification the auth module is expected to extract the three
 * hash extensions listed in authenticated_data into the buffers named
 * there, HASH_DER_LEN bytes each; scp_bl2u_image, bl2u_image and
 * ns_bl2u_image then hash-check their payloads against them. Entries of
 * the compound literal beyond [2] are zero-filled.
 *
 * NOTE(review): tb_fw_hash_buf, scp_fw_hash_buf and nt_world_bl_hash_buf
 * look like the same storage the normal-boot descriptors fill; that is
 * only safe because FWU and normal boot never run at the same time -
 * confirm against tbbr_cot_common.c before reusing this descriptor
 * elsewhere.
 */
static const auth_img_desc_t fwu_cert = {
	.img_id = FWU_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* SCP_BL2U hash, from the SCP_FWU_CFG_HASH_OID extension */
		[0] = {
			.type_desc = &scp_bl2u_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		/* BL2U hash, from the AP_FWU_CFG_HASH_OID extension */
		[1] = {
			.type_desc = &bl2u_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		/* NS_BL2U hash, from the FWU_HASH_OID extension */
		[2] = {
			.type_desc = &ns_bl2u_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};
/*
 * SCP_BL2U
 *
 * SCP firmware-update image. Child of fwu_cert: the raw image data is
 * hashed and compared with scp_bl2u_hash, which fwu_cert lists as
 * authenticated_data[0] and so is only populated once that certificate's
 * signature has been verified.
 */
static const auth_img_desc_t scp_bl2u_image = {
	.img_id = SCP_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_bl2u_hash
			}
		}
	}
};
/*
 * BL2U
 *
 * AP firmware-update image. Child of fwu_cert: the raw image data is
 * hashed and compared with bl2u_hash, which fwu_cert lists as
 * authenticated_data[1] and so is only populated once that certificate's
 * signature has been verified.
 */
static const auth_img_desc_t bl2u_image = {
	.img_id = BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &bl2u_hash
			}
		}
	}
};
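/*
 * NS_BL2U
 *
 * Non-secure-world firmware-update image. Child of fwu_cert: the raw image
 * data is hashed and compared with ns_bl2u_hash, which fwu_cert lists as
 * authenticated_data[2] and so is only populated once that certificate's
 * signature has been verified. Although the image runs in the normal
 * world, it is still anchored to the same FWU root certificate as the
 * secure-side FWU images.
 */
static const auth_img_desc_t ns_bl2u_image = {
	.img_id = NS_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &ns_bl2u_hash
			}
		}
	}
};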
/*
 * TB_FW_CONFIG
 *
 * Trusted-boot firmware configuration blob. Authenticated like bl2_image:
 * it is a child of trusted_boot_fw_cert and its raw data is hashed and
 * compared with tb_fw_config_hash, the reference hash expected to have
 * been extracted from that parent certificate.
 */
static const auth_img_desc_t tb_fw_config = {
	.img_id = TB_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_config_hash
			}
		}
	}
};
154 
/*
 * FW_CONFIG
 *
 * Firmware configuration blob. Same scheme as tb_fw_config: child of
 * trusted_boot_fw_cert, raw data hashed and compared with fw_config_hash,
 * the reference hash expected to have been extracted from that parent
 * certificate.
 */
static const auth_img_desc_t fw_config = {
	.img_id = FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &fw_config_hash
			}
		}
	}
};
169 
/*
 * TBBR Chain of trust definition
 *
 * Lookup table from image ID to its authentication descriptor, handed to
 * the auth module by REGISTER_COT below. The array is sized by the largest
 * designated index, and any image ID without an explicit entry is a NULL
 * pointer (unlisted elements are zero-initialised); the auth module is
 * expected to reject such an image rather than authenticate it. This
 * table covers the normal-boot BL2 stage (its certificate, image and
 * config blobs) plus the FWU path rooted at fwu_cert. hw_config and
 * trusted_boot_fw_cert are presumably the shared descriptors from
 * tbbr_cot_common.h.
 */
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
	[BL2_IMAGE_ID]				=	&bl2_image,
	[HW_CONFIG_ID]				=	&hw_config,
	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
	[FW_CONFIG_ID]				=	&fw_config,
	[FWU_CERT_ID]				=	&fwu_cert,
	[SCP_BL2U_IMAGE_ID]			=	&scp_bl2u_image,
	[BL2U_IMAGE_ID]				=	&bl2u_image,
	[NS_BL2U_IMAGE_ID]			=	&ns_bl2u_image
};

/* Register the CoT in the authentication module */
REGISTER_COT(cot_desc);
187