Dynamic cfg: Enable support on CoT for other configs

This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
necessary cert tool support and changes to default chain of trust are made
for these configs.

Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

drivers/auth/tbbr/tbbr_cot.c

@@ -38,6 +38,9 @@ static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
 static unsigned char trusted_world_pk_buf[PK_DER_LEN];
 static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
 static unsigned char content_pk_buf[PK_DER_LEN];
+static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
 
 /*
  * Parameter type descriptors
@@ -80,14 +83,20 @@ static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, SCP_FW_HASH_OID);
 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
+static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
+static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
+static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
 static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
@@ -379,6 +388,13 @@ static const auth_img_desc_t cot_desc[] = {
 					.ptr = (void *)soc_fw_hash_buf,
 					.len = (unsigned int)HASH_DER_LEN
 				}
+			},
+			[1] = {
+				.type_desc = &soc_fw_config_hash,
+				.data = {
+					.ptr = (void *)soc_fw_config_hash_buf,
+					.len = (unsigned int)HASH_DER_LEN
+				}
 			}
 		}
 	},
@@ -396,6 +412,21 @@ static const auth_img_desc_t cot_desc[] = {
 			}
 		}
 	},
+	/* SOC FW Config */
+	[SOC_FW_CONFIG_ID] = {
+		.img_id = SOC_FW_CONFIG_ID,
+		.img_type = IMG_RAW,
+		.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
+		.img_auth_methods = {
+			[0] = {
+				.type = AUTH_METHOD_HASH,
+				.param.hash = {
+					.data = &raw_data,
+					.hash = &soc_fw_config_hash,
+				}
+			}
+		}
+	},
 	/*
 	 * Trusted OS Firmware
 	 */
@@ -474,6 +505,13 @@ static const auth_img_desc_t cot_desc[] = {
 					.ptr = (void *)tos_fw_extra2_hash_buf,
 					.len = (unsigned int)HASH_DER_LEN
 				}
+			},
+			[3] = {
+				.type_desc = &tos_fw_config_hash,
+				.data = {
+					.ptr = (void *)tos_fw_config_hash_buf,
+					.len = (unsigned int)HASH_DER_LEN
+				}
 			}
 		}
 	},
@@ -519,6 +557,21 @@ static const auth_img_desc_t cot_desc[] = {
 			}
 		}
 	},
+	/* TOS FW Config */
+	[TOS_FW_CONFIG_ID] = {
+		.img_id = TOS_FW_CONFIG_ID,
+		.img_type = IMG_RAW,
+		.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
+		.img_auth_methods = {
+			[0] = {
+				.type = AUTH_METHOD_HASH,
+				.param.hash = {
+					.data = &raw_data,
+					.hash = &tos_fw_config_hash,
+				}
+			}
+		}
+	},
 	/*
 	 * Non-Trusted Firmware
 	 */
@@ -583,6 +636,13 @@ static const auth_img_desc_t cot_desc[] = {
 					.ptr = (void *)nt_world_bl_hash_buf,
 					.len = (unsigned int)HASH_DER_LEN
 				}
+			},
+			[1] = {
+				.type_desc = &nt_fw_config_hash,
+				.data = {
+					.ptr = (void *)nt_fw_config_hash_buf,
+					.len = (unsigned int)HASH_DER_LEN
+				}
 			}
 		}
 	},
@@ -600,6 +660,21 @@ static const auth_img_desc_t cot_desc[] = {
 			}
 		}
 	},
+	/* NT FW Config */
+	[NT_FW_CONFIG_ID] = {
+		.img_id = NT_FW_CONFIG_ID,
+		.img_type = IMG_RAW,
+		.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
+		.img_auth_methods = {
+			[0] = {
+				.type = AUTH_METHOD_HASH,
+				.param.hash = {
+					.data = &raw_data,
+					.hash = &nt_fw_config_hash,
+				}
+			}
+		}
+	},
 	/*
 	 * FWU auth descriptor.
 	 */

include/tools_share/firmware_image_package.h

@@ -68,6 +68,12 @@
 	{0xd9f1b808, 0xcfc9, 0x4993, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
 #define UUID_TB_FW_CONFIG \
 	{0xff58046c, 0x6baf, 0x4f7d, 0x82, 0xed, {0xaa, 0x27, 0xbc, 0x69, 0xbf, 0xd2} }
+#define UUID_SOC_FW_CONFIG \
+	{0x4b817999, 0x7603, 0x46fb, 0x8c, 0x8e, {0x8d, 0x26, 0x7f, 0x78, 0x59, 0xe0} }
+#define UUID_TOS_FW_CONFIG \
+	{0x1a7c2526, 0xc6bd, 0x477f, 0x8d, 0x96, {0xc4, 0xc4, 0xb0, 0x24, 0x80, 0x21} }
+#define UUID_NT_FW_CONFIG \
+	{0x1598da28, 0xe893, 0x447e, 0xac, 0x66, {0x1a, 0xaf, 0x80, 0x15, 0x50, 0xf9} }
 
 typedef struct fip_toc_header {
 	uint32_t	name;

include/tools_share/tbbr_oid.h

@@ -75,7 +75,6 @@
 /* SoCFirmwareContentCertPK */
 #define SOC_FW_CONTENT_CERT_PK_OID		"1.3.6.1.4.1.4128.2100.501"
 
-
 /*
  * SoC Firmware Content Certificate
  */
@@ -86,7 +85,8 @@
 #define SOC_CONFIG_HASH_OID			"1.3.6.1.4.1.4128.2100.602"
 /* SoCAPFirmwareHash - BL31 */
 #define SOC_AP_FW_HASH_OID			"1.3.6.1.4.1.4128.2100.603"
-
+/* SoCFirmwareConfigHash = SOC_FW_CONFIG */
+#define SOC_FW_CONFIG_HASH_OID			"1.3.6.1.4.1.4128.2100.604"
 
 /*
  * SCP Firmware Key Certificate
@@ -124,6 +124,8 @@
 #define TRUSTED_OS_FW_EXTRA1_HASH_OID		"1.3.6.1.4.1.4128.2100.1002"
 /* TrustedOSExtra2FirmwareHash - BL32 Extra2 */
 #define TRUSTED_OS_FW_EXTRA2_HASH_OID		"1.3.6.1.4.1.4128.2100.1003"
+/* TrustedOSFirmwareConfigHash - TOS_FW_CONFIG */
+#define TRUSTED_OS_FW_CONFIG_HASH_OID		"1.3.6.1.4.1.4128.2100.1004"
 
 
 /*
@@ -140,5 +142,7 @@
 
 /* NonTrustedWorldBootloaderHash - BL33 */
 #define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID	"1.3.6.1.4.1.4128.2100.1201"
+/* NonTrustedFirmwareConfigHash - NT_FW_CONFIG */
+#define NON_TRUSTED_FW_CONFIG_HASH_OID		"1.3.6.1.4.1.4128.2100.1202"
 
 #endif /* __TBBR_OID_H__ */

tools/cert_create/include/cert.h

@@ -12,7 +12,7 @@
 #include "ext.h"
 #include "key.h"
 
-#define CERT_MAX_EXT			4
+#define CERT_MAX_EXT			5
 
 /*
  * This structure contains information related to the generation of the

tools/cert_create/include/tbbr/tbb_ext.h

@@ -21,12 +21,15 @@ enum {
 	SCP_FW_HASH_EXT,
 	SOC_FW_CONTENT_CERT_PK_EXT,
 	SOC_AP_FW_HASH_EXT,
+	SOC_FW_CONFIG_HASH_EXT,
 	TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
 	TRUSTED_OS_FW_HASH_EXT,
 	TRUSTED_OS_FW_EXTRA1_HASH_EXT,
 	TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+	TRUSTED_OS_FW_CONFIG_HASH_EXT,
 	NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
 	NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+	NON_TRUSTED_FW_CONFIG_HASH_EXT,
 	SCP_FWU_CFG_HASH_EXT,
 	AP_FWU_CFG_HASH_EXT,
 	FWU_HASH_EXT

tools/cert_create/src/tbbr/tbb_cert.c

@@ -99,9 +99,10 @@ static cert_t tbb_certs[] = {
 		.issuer = SOC_FW_CONTENT_CERT,
 		.ext = {
 			TRUSTED_FW_NVCOUNTER_EXT,
-			SOC_AP_FW_HASH_EXT
+			SOC_AP_FW_HASH_EXT,
+			SOC_FW_CONFIG_HASH_EXT,
 		},
-		.num_ext = 2
+		.num_ext = 3
 	},
 	[TRUSTED_OS_FW_KEY_CERT] = {
 		.id = TRUSTED_OS_FW_KEY_CERT,
@@ -129,9 +130,10 @@ static cert_t tbb_certs[] = {
 			TRUSTED_FW_NVCOUNTER_EXT,
 			TRUSTED_OS_FW_HASH_EXT,
 			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
-			TRUSTED_OS_FW_EXTRA2_HASH_EXT
+			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+			TRUSTED_OS_FW_CONFIG_HASH_EXT,
 		},
-		.num_ext = 4
+		.num_ext = 5
 	},
 	[NON_TRUSTED_FW_KEY_CERT] = {
 		.id = NON_TRUSTED_FW_KEY_CERT,
@@ -157,9 +159,10 @@ static cert_t tbb_certs[] = {
 		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
 		.ext = {
 			NON_TRUSTED_FW_NVCOUNTER_EXT,
-			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
+			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+			NON_TRUSTED_FW_CONFIG_HASH_EXT,
 		},
-		.num_ext = 2
+		.num_ext = 3
 	},
 	[FWU_CERT] = {
 		.id = FWU_CERT,

tools/cert_create/src/tbbr/tbb_ext.c

@@ -123,6 +123,16 @@ static ext_t tbb_ext[] = {
 		.asn1_type = V_ASN1_OCTET_STRING,
 		.type = EXT_TYPE_HASH
 	},
+	[SOC_FW_CONFIG_HASH_EXT] = {
+		.oid = SOC_FW_CONFIG_HASH_OID,
+		.opt = "soc-fw-config",
+		.help_msg = "SoC Firmware Config file",
+		.sn = "SocFirmwareConfigHash",
+		.ln = "SoC Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
 	[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
 		.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
 		.sn = "TrustedOSFirmwareContentCertPK",
@@ -160,6 +170,16 @@ static ext_t tbb_ext[] = {
 		.type = EXT_TYPE_HASH,
 		.optional = 1
 	},
+	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
+		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
+		.opt = "tos-fw-config",
+		.help_msg = "Trusted OS Firmware Config file",
+		.sn = "TrustedOSFirmwareConfigHash",
+		.ln = "Trusted OS Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
 	[NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = {
 		.oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID,
 		.sn = "NonTrustedFirmwareContentCertPK",
@@ -177,6 +197,16 @@ static ext_t tbb_ext[] = {
 		.asn1_type = V_ASN1_OCTET_STRING,
 		.type = EXT_TYPE_HASH
 	},
+	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
+		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
+		.opt = "nt-fw-config",
+		.help_msg = "Non Trusted OS Firmware Config file",
+		.sn = "NonTrustedOSFirmwareConfigHash",
+		.ln = "Non-Trusted OS Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
 	[SCP_FWU_CFG_HASH_EXT] = {
 		.oid = SCP_FWU_CFG_HASH_OID,
 		.opt = "scp-fwu-cfg",

tools/fiptool/tbbr_config.c

@@ -78,6 +78,21 @@ toc_entry_t toc_entries[] = {
 		.uuid = UUID_TB_FW_CONFIG,
 		.cmdline_name = "tb-fw-config"
 	},
+	{
+		.name = "SOC_FW_CONFIG",
+		.uuid = UUID_SOC_FW_CONFIG,
+		.cmdline_name = "soc-fw-config"
+	},
+	{
+		.name = "TOS_FW_CONFIG",
+		.uuid = UUID_TOS_FW_CONFIG,
+		.cmdline_name = "tos-fw-config"
+	},
+	{
+		.name = "NT_FW_CONFIG",
+		.uuid = UUID_NT_FW_CONFIG,
+		.cmdline_name = "nt-fw-config"
+	},
 	/* Key Certificates */
 	{
 		.name = "Root Of Trust key certificate",