mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-16 09:34:18 +00:00
tbbr/dualroot: Add fw_config image in chain of trust
fw_config image is authenticated using secure boot framework by
adding it into the single root and dual root chain of trust.
The COT for fw_config image looks as below:
+------------------+ +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Boot fw |
+------------------+ | Certificate |
| (Auth Image) |
/+-------------------+
/ |
/ |
/ |
/ |
L v
+------------------+ +-------------------+
| fw_config hash |------>| fw_config |
| | | (Data Image) |
+------------------+ +-------------------+
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I08fc8ee95c29a95bb140c807dd06e772474c7367
This commit is contained in:
Louis Mayencourt
Manish V Badarkhe
parent
9b3ca9b120
commit
243875eaf9
6 changed files with 68 additions and 8 deletions
|
|
@ -16,6 +16,7 @@
|
|||
* Allocate static buffers to store the authentication parameters extracted from
|
||||
* the certificates.
|
||||
*/
|
||||
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char hw_config_hash_buf[HASH_DER_LEN];
|
||||
|
|
@ -58,6 +59,8 @@ static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
|||
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
|
||||
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
|
||||
static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
|
||||
#ifdef IMAGE_BL1
|
||||
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
|
||||
|
|
@ -165,6 +168,13 @@ static const auth_img_desc_t trusted_boot_fw_cert = {
|
|||
.ptr = (void *)hw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[3] = {
|
||||
.type_desc = &fw_config_hash,
|
||||
.data = {
|
||||
.ptr = (void *)fw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
|
@ -218,6 +228,22 @@ static const auth_img_desc_t tb_fw_config = {
|
|||
}
|
||||
}
|
||||
};
|
||||
|
||||
static const auth_img_desc_t fw_config = {
|
||||
.img_id = FW_CONFIG_ID,
|
||||
.img_type = IMG_RAW,
|
||||
.parent = &trusted_boot_fw_cert,
|
||||
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
|
||||
[0] = {
|
||||
.type = AUTH_METHOD_HASH,
|
||||
.param.hash = {
|
||||
.data = &raw_data,
|
||||
.hash = &fw_config_hash
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
#endif /* IMAGE_BL1 */
|
||||
|
||||
#ifdef IMAGE_BL2
|
||||
|
|
@ -860,6 +886,7 @@ static const auth_img_desc_t * const cot_desc[] = {
|
|||
[BL2_IMAGE_ID] = &bl2_image,
|
||||
[HW_CONFIG_ID] = &hw_config,
|
||||
[TB_FW_CONFIG_ID] = &tb_fw_config,
|
||||
[FW_CONFIG_ID] = &fw_config,
|
||||
[FWU_CERT_ID] = &fwu_cert,
|
||||
[SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
|
||||
[BL2U_IMAGE_ID] = &bl2u_image,
|
||||
|
|
|
|||
|
|
@ -150,6 +150,21 @@ static const auth_img_desc_t tb_fw_config = {
|
|||
}
|
||||
};
|
||||
|
||||
static const auth_img_desc_t fw_config = {
|
||||
.img_id = FW_CONFIG_ID,
|
||||
.img_type = IMG_RAW,
|
||||
.parent = &trusted_boot_fw_cert,
|
||||
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
|
||||
[0] = {
|
||||
.type = AUTH_METHOD_HASH,
|
||||
.param.hash = {
|
||||
.data = &raw_data,
|
||||
.hash = &fw_config_hash
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
/*
|
||||
* TBBR Chain of trust definition
|
||||
*/
|
||||
|
|
@ -158,6 +173,7 @@ static const auth_img_desc_t * const cot_desc[] = {
|
|||
[BL2_IMAGE_ID] = &bl2_image,
|
||||
[HW_CONFIG_ID] = &hw_config,
|
||||
[TB_FW_CONFIG_ID] = &tb_fw_config,
|
||||
[FW_CONFIG_ID] = &fw_config,
|
||||
[FWU_CERT_ID] = &fwu_cert,
|
||||
[SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
|
||||
[BL2U_IMAGE_ID] = &bl2u_image,
|
||||
|
|
|
|||
|
|
@ -23,9 +23,10 @@
|
|||
* established, we can reuse some of the buffers on different stages
|
||||
*/
|
||||
|
||||
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char hw_config_hash_buf[HASH_DER_LEN];
|
||||
unsigned char tb_fw_hash_buf[HASH_DER_LEN];
|
||||
unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
|
||||
unsigned char hw_config_hash_buf[HASH_DER_LEN];
|
||||
unsigned char scp_fw_hash_buf[HASH_DER_LEN];
|
||||
unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
|
||||
|
||||
|
|
@ -48,7 +49,9 @@ auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
|
|||
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
|
||||
auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
|
||||
auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
|
||||
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
|
||||
|
||||
/* trusted_boot_fw_cert */
|
||||
|
|
@ -95,6 +98,13 @@ const auth_img_desc_t trusted_boot_fw_cert = {
|
|||
.ptr = (void *)hw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[3] = {
|
||||
.type_desc = &fw_config_hash,
|
||||
.data = {
|
||||
.ptr = (void *)fw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
|
|
|||
|
|
@ -10,8 +10,6 @@
|
|||
#include <drivers/auth/auth_mod.h>
|
||||
|
||||
extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];
|
||||
extern unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
|
||||
extern unsigned char hw_config_hash_buf[HASH_DER_LEN];
|
||||
extern unsigned char scp_fw_hash_buf[HASH_DER_LEN];
|
||||
extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
|
||||
|
||||
|
|
@ -23,7 +21,7 @@ extern auth_param_type_desc_t raw_data;
|
|||
|
||||
extern auth_param_type_desc_t tb_fw_hash;
|
||||
extern auth_param_type_desc_t tb_fw_config_hash;
|
||||
extern auth_param_type_desc_t hw_config_hash;
|
||||
extern auth_param_type_desc_t fw_config_hash;
|
||||
|
||||
extern const auth_img_desc_t trusted_boot_fw_cert;
|
||||
extern const auth_img_desc_t hw_config;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2019, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2019-2020, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
|
@ -88,7 +88,10 @@
|
|||
/* Encrypted image identifier */
|
||||
#define ENC_IMAGE_ID U(30)
|
||||
|
||||
/* FW_CONFIG */
|
||||
#define FW_CONFIG_ID U(31)
|
||||
|
||||
/* Max Images */
|
||||
#define MAX_IMAGE_IDS U(31)
|
||||
#define MAX_IMAGE_IDS U(32)
|
||||
|
||||
#endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */
|
||||
|
|
|
|||
|
|
@ -25,6 +25,7 @@ const io_block_spec_t fip_block_spec = {
|
|||
const io_uuid_spec_t arm_uuid_spec[MAX_NUMBER_IDS] = {
|
||||
[BL2_IMAGE_ID] = {UUID_TRUSTED_BOOT_FIRMWARE_BL2},
|
||||
[TB_FW_CONFIG_ID] = {UUID_TB_FW_CONFIG},
|
||||
[FW_CONFIG_ID] = {UUID_FW_CONFIG},
|
||||
#if !ARM_IO_IN_DTB
|
||||
[SCP_BL2_IMAGE_ID] = {UUID_SCP_FIRMWARE_SCP_BL2},
|
||||
[BL31_IMAGE_ID] = {UUID_EL3_RUNTIME_FIRMWARE_BL31},
|
||||
|
|
@ -73,6 +74,11 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
|
|||
(uintptr_t)&arm_uuid_spec[TB_FW_CONFIG_ID],
|
||||
open_fip
|
||||
},
|
||||
[FW_CONFIG_ID] = {
|
||||
&fip_dev_handle,
|
||||
(uintptr_t)&arm_uuid_spec[FW_CONFIG_ID],
|
||||
open_fip
|
||||
},
|
||||
#if !ARM_IO_IN_DTB
|
||||
[SCP_BL2_IMAGE_ID] = {
|
||||
&fip_dev_handle,
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue