From 2971bad8d48c6f0ddb7436efd16375bd72ade6bd Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 11 Apr 2023 16:12:33 +0100 Subject: [PATCH 01/12] feat(measured-boot): introduce platform function to measure and publish Public Key Added a platform function to measure and publish Public Key information. Subsequent patches define this function for the FVP and TC platforms to measure Public Key and publishes it to RSS if MEASURED_BOOT is enabled. Change-Id: I1f61f44c7a83bb4cbafbd1af97b5adeb8398e8e8 Signed-off-by: Manish V Badarkhe --- include/plat/common/platform.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h index d146a2945..e024d916d 100644 --- a/include/plat/common/platform.h +++ b/include/plat/common/platform.h @@ -146,6 +146,8 @@ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data); int plat_mboot_measure_critical_data(unsigned int critical_data_id, const void *base, size_t size); +int plat_mboot_measure_key(const void *pk_oid, const void *pk_ptr, + size_t pk_len); #else static inline int plat_mboot_measure_image(unsigned int image_id __unused, image_info_t *image_data __unused) @@ -159,6 +161,12 @@ static inline int plat_mboot_measure_critical_data( { return 0; } +static inline int plat_mboot_measure_key(const void *pk_oid __unused, + const void *pk_ptr __unused, + size_t pk_len __unused) +{ + return 0; +} #endif /* MEASURED_BOOT */ /******************************************************************************* From 97653189bccb71d6890a8c665013eb7384ae93af Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 11 Apr 2023 21:34:52 +0100 Subject: [PATCH 02/12] docs: add details about plat_mboot_measure_key function Added details of 'plat_mboot_measure_key' function in the porting-guide. Change-Id: Id62211abc0ba13a0f581dc8e24c7b367afe2dcf5 
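Review bot: The `plat_mboot_measure_key()` prototype added under MEASURED_BOOT has no comment giving its contract, and the porting-guide text in patch 02 calls `pk_oid` a cookie without saying how implementations are expected to match it. I would add above the prototype `/* Measure the public key at pk_ptr (pk_len bytes), identified by the key-OID string pk_oid, and publish it through the platform backend. Returns 0 on success. */` and state whether the OID is matched by content or by address. The `#else` stub in the next hunk also returns 0, so a caller cannot tell a recorded measurement from measured boot being compiled out; that deserves a word in the same comment.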
Signed-off-by: Manish V Badarkhe --- docs/design_documents/measured_boot.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/design_documents/measured_boot.rst b/docs/design_documents/measured_boot.rst index 8130d7d7b..c4e521355 100644 --- a/docs/design_documents/measured_boot.rst +++ b/docs/design_documents/measured_boot.rst @@ -204,6 +204,28 @@ Responsibilities of these platform interfaces are - In FVP, Non volatile counters get measured and recorded as Critical data using the backend via this interface. +#. **Function : plat_mboot_measure_key()** + + .. code-block:: c + + int plat_mboot_measure_key(const void *pk_oid, const void *pk_ptr, + size_t pk_len); + + - This function is used by the platform to measure the passed key and + publicise it using any of the supported backends. + - The authentication module within the trusted boot framework calls this + function for every ROTPK involved in verifying the signature of a root + certificate and for every subsidiary key that gets extracted from a key + certificate for later authentication of a content certificate. + - A cookie, passed as the first argument, serves as a key-OID pointer + associated with the public key data, passed as the second argument. + - Public key data size is passed as the third argument to this function. + - This function must return 0 on success, a signed integer error code + otherwise. + - In FVP platform, this function is used to calculate the hash of the given + key and forward this hash to RSS alongside the measurement of the image + which the key signs. + -------------- *Copyright (c) 2023, Arm Limited. All rights reserved.* From 9505d03e368d8e620c4defeb53dad846d5bc7e62 Mon Sep 17 00:00:00 2001 
From: Manish V Badarkhe Date: Tue, 11 Apr 2023 12:57:12 +0100 Subject: [PATCH 03/12] feat(auth): create a zero-OID for Subject Public Key Created an explicit zero-OID which can be used for Subject Public Key that do not have their own key identifier. With this, all keys (including the subject public key) have a proper key OID string so we don't need to make a special case of null pointers when it comes to handling key OIDs. Change-Id: Ice6923951699b6e253d7fd87e4c1b912470e0391 Signed-off-by: Manish V Badarkhe --- include/tools_share/cca_oid.h | 1 + include/tools_share/dualroot_oid.h | 3 ++- include/tools_share/zero_oid.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 include/tools_share/zero_oid.h diff --git a/include/tools_share/cca_oid.h b/include/tools_share/cca_oid.h index 2ca12c9cf..d964aa743 100644 --- a/include/tools_share/cca_oid.h +++ b/include/tools_share/cca_oid.h @@ -9,6 +9,7 @@ /* Reuse the Object IDs defined by TBBR for certificate extensions. */ #include "tbbr_oid.h" +#include "zero_oid.h" /* * Assign arbitrary Object ID values that do not conflict with any of the diff --git a/include/tools_share/dualroot_oid.h b/include/tools_share/dualroot_oid.h index 3e88a6d22..76fffbaf9 100644 --- a/include/tools_share/dualroot_oid.h +++ b/include/tools_share/dualroot_oid.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, Arm Limited. All rights reserved. + * Copyright (c) 2020-2023, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -9,6 +9,7 @@ /* Reuse the Object IDs defined by TBBR for certificate extensions. */ #include "tbbr_oid.h" +#include "zero_oid.h" /* * Platform root-of-trust public key. diff --git a/include/tools_share/zero_oid.h b/include/tools_share/zero_oid.h new file mode 100644 index 000000000..9b8309428 --- /dev/null +++ b/include/tools_share/zero_oid.h 
@@ -0,0 +1,12 @@ +/* + * Copyright (c) 2023, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef ZERO_OID_H +#define ZERO_OID_H + +#define ZERO_OID "0.0.0.0.0.0.0.0.0" + +#endif /* ZERO_OID_H */ From 60861a04e06d98ba6a9ae984cc5565f064fac9d1 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 11 Apr 2023 12:57:58 +0100 Subject: [PATCH 04/12] feat(rss): set the signer-ID in the RSS metadata Calculate a hash of the public key and put that into the signer-ID field of the relevant RSS metadata. The signer-ID metadata is mandatory in the Arm CCA attestation scheme. Change-Id: Ic846d8bf882cfea8581d3523a3461c919462df30 Signed-off-by: Manish V Badarkhe --- drivers/measured_boot/rss/rss_measured_boot.c | 71 +++++++++++++------ .../measured_boot/rss/rss_measured_boot.h | 4 +- 2 files changed, 53 insertions(+), 22 deletions(-) diff --git a/drivers/measured_boot/rss/rss_measured_boot.c b/drivers/measured_boot/rss/rss_measured_boot.c index 1b2f17720..258aa8d4c 100644 --- a/drivers/measured_boot/rss/rss_measured_boot.c +++ b/drivers/measured_boot/rss/rss_measured_boot.c @@ -32,6 +32,19 @@ # error Invalid Measured Boot algorithm. #endif /* MBOOT_ALG_ID */ +#if ENABLE_ASSERTIONS +static bool null_arr(const uint8_t *signer_id, size_t signer_id_size) +{ + for (size_t i = 0U; i < signer_id_size; i++) { + if (signer_id[i] != 0U) { + return false; + } + } + + return true; +} +#endif /* ENABLE_ASSERTIONS */ + /* Functions' declarations */ void rss_measured_boot_init(struct rss_mboot_metadata *metadata_ptr) { @@ -39,6 +52,7 @@ void rss_measured_boot_init(struct rss_mboot_metadata *metadata_ptr) /* Init the non-const members of the metadata structure */ while (metadata_ptr->id != RSS_MBOOT_INVALID_ID) { + assert(null_arr(metadata_ptr->signer_id, MBOOT_DIGEST_SIZE)); metadata_ptr->sw_type_size = strlen((const char *)&metadata_ptr->sw_type) + 1; metadata_ptr++; 
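Review bot: `ZERO_OID` in the new zero_oid.h is a sentinel shared by every key that has no OID of its own, but the header does not say so. Later patches in this series tag several images with it (for example all three BL1 entries on FVP), so one key hash ends up in every such entry. A comment above the define, such as `/* Placeholder key OID for public keys that carry no OID of their own, e.g. the ROTPK. */`, would record that intent for anyone adding a new metadata entry.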
@@ -93,36 +107,53 @@ int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr, } int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr, - unsigned int img_id, + const void *pk_oid, const void *pk_ptr, size_t pk_len) { unsigned char hash_data[CRYPTO_MD_MAX_SIZE]; int rc; + bool hash_calc_done = false; assert(metadata_ptr != NULL); - /* Get the metadata associated with this image. */ - while ((metadata_ptr->id != RSS_MBOOT_INVALID_ID) && - (metadata_ptr->id != img_id)) { + /* + * Do an exhaustive search over the platform metadata to find + * all images whose key OID matches the one passed in argument. + * + * Note that it is not an error if do not get any matches. + * The platform may decide not to measure all of the images + * in the system. + */ + while (metadata_ptr->id != RSS_MBOOT_INVALID_ID) { + /* Get the metadata associated with this key-oid */ + if (metadata_ptr->pk_oid == pk_oid) { + if (!hash_calc_done) { + /* Calculate public key hash */ + rc = crypto_mod_calc_hash(CRYPTO_MD_ID, + (void *)pk_ptr, + pk_len, hash_data); + if (rc != 0) { + return rc; + } + + hash_calc_done = true; + } + + /* + * Fill the signer-ID field with the newly/already + * computed hash of the public key and update its + * signer ID size field with compile-time decided + * digest size. + */ + (void)memcpy(metadata_ptr->signer_id, + hash_data, + MBOOT_DIGEST_SIZE); + metadata_ptr->signer_id_size = MBOOT_DIGEST_SIZE; + } + metadata_ptr++; } - /* If image is not present in metadata array then skip */ - if (metadata_ptr->id == RSS_MBOOT_INVALID_ID) { - return 0; - } - - /* Calculate public key hash */ - rc = crypto_mod_calc_hash(CRYPTO_MD_ID, (void *)pk_ptr, - pk_len, hash_data); - if (rc != 0) { - return rc; - } - - /* Update metadata struct with the received signer_id */ - (void)memcpy(metadata_ptr->signer_id, hash_data, MBOOT_DIGEST_SIZE); - metadata_ptr->signer_id_size = MBOOT_DIGEST_SIZE; - return 0; } 
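Review bot: The match `if (metadata_ptr->pk_oid == pk_oid)` in the search loop of rss_mboot_set_signer_id() compares addresses rather than OID strings, so it succeeds only when the caller's literal and the one stored in the platform metadata are the same object. Identical string literals in different translation units are not guaranteed to share an address, and because a miss is deliberately not an error, a mismatch would leave signer_id zero-filled with no diagnostic. I would compare by content, `if ((metadata_ptr->pk_oid != NULL) && (strcmp(metadata_ptr->pk_oid, pk_oid) == 0)) {`, with both sides typed `const char *`; the `void *pk_oid` field added to struct rss_mboot_metadata in the header hunk of this patch would change accordingly. The `(void *)pk_ptr` cast also drops the const qualifier the new signature introduces; if crypto_mod_calc_hash() cannot take a const pointer, a short comment should say so.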
diff --git a/include/drivers/measured_boot/rss/rss_measured_boot.h b/include/drivers/measured_boot/rss/rss_measured_boot.h index 76affd81d..7ab517c18 100644 --- a/include/drivers/measured_boot/rss/rss_measured_boot.h +++ b/include/drivers/measured_boot/rss/rss_measured_boot.h @@ -40,6 +40,7 @@ struct rss_mboot_metadata { size_t version_size; uint8_t sw_type[SW_TYPE_MAX_SIZE]; size_t sw_type_size; + void *pk_oid; bool lock_measurement; }; @@ -49,9 +50,8 @@ int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr, uintptr_t data_base, uint32_t data_size, uint32_t data_id); -/* TODO: These metadata are currently not available during TF-A boot */ int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr, - unsigned int img_id, const void *pk_ptr, + const void *pk_oid, const void *pk_ptr, size_t pk_len); #endif /* RSS_MEASURED_BOOT_H */ From 0cffcdd617986f0750b384620f5b960059d91fc9 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Wed, 19 Jul 2023 10:39:08 +0100 Subject: [PATCH 05/12] feat(auth): add explicit entries for key OIDs Key-OIDs that authenticate BL31, BL31(SOC)-FW config, and HW config images have been explicitly entered. Implementations of signer-ID consume these entries. Change-Id: I24c9085ed5f266af06d40fb73302e35d857a9d5b Signed-off-by: Manish V Badarkhe --- include/tools_share/cca_oid.h | 14 +++++++++++++- include/tools_share/dualroot_oid.h | 1 - include/tools_share/tbbr_oid.h | 12 +++++++++++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/include/tools_share/cca_oid.h b/include/tools_share/cca_oid.h index d964aa743..8c53ef955 100644 --- a/include/tools_share/cca_oid.h +++ b/include/tools_share/cca_oid.h @@ -9,7 +9,6 @@ /* Reuse the Object IDs defined by TBBR for certificate extensions. */ #include "tbbr_oid.h" -#include "zero_oid.h" /* * Assign arbitrary Object ID values that do not conflict with any of the 
@@ -29,4 +28,17 @@ /* CCAFirmwareNVCounter - Non-volatile counter extension */ #define CCA_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.3" +/* + * First undef previous definitions from tbbr_oid.h. + * CCA ROTPK authenticates BL31 and its configuration image in + * CCA CoT. + **/ +#undef BL31_IMAGE_KEY_OID +#undef SOC_FW_CONFIG_KEY_OID +#undef HW_CONFIG_KEY_OID +#define BL31_IMAGE_KEY_OID ZERO_OID +#define SOC_FW_CONFIG_KEY_OID ZERO_OID +#define HW_CONFIG_KEY_OID ZERO_OID +#define RMM_IMAGE_KEY_OID ZERO_OID + #endif /* CCA_OID_H */ diff --git a/include/tools_share/dualroot_oid.h b/include/tools_share/dualroot_oid.h index 76fffbaf9..3762c7937 100644 --- a/include/tools_share/dualroot_oid.h +++ b/include/tools_share/dualroot_oid.h @@ -9,7 +9,6 @@ /* Reuse the Object IDs defined by TBBR for certificate extensions. */ #include "tbbr_oid.h" -#include "zero_oid.h" /* * Platform root-of-trust public key. diff --git a/include/tools_share/tbbr_oid.h b/include/tools_share/tbbr_oid.h index 52b43ab3e..9881d1a18 100644 --- a/include/tools_share/tbbr_oid.h +++ b/include/tools_share/tbbr_oid.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -7,6 +7,8 @@ #ifndef TBBR_OID_H #define TBBR_OID_H +#include "zero_oid.h" + #define MAX_OID_NAME_LEN 30 /* @@ -160,6 +162,14 @@ #define SP_PKG7_HASH_OID "1.3.6.1.4.1.4128.2100.1307" #define SP_PKG8_HASH_OID "1.3.6.1.4.1.4128.2100.1308" +/* + * Public Keys present in SOC FW content certificates authenticate BL31 and + * its configuration. + */ +#define BL31_IMAGE_KEY_OID SOC_FW_CONTENT_CERT_PK_OID +#define SOC_FW_CONFIG_KEY_OID SOC_FW_CONTENT_CERT_PK_OID +#define HW_CONFIG_KEY_OID ZERO_OID + #ifdef PLAT_DEF_OID #include #endif From bfbb1cbaac3e74da37d906c9ce1d39993dce8b66 Mon Sep 17 00:00:00 2001 
From: Manish V Badarkhe Date: Tue, 11 Apr 2023 14:46:10 +0100 Subject: [PATCH 06/12] feat(fvp): add public key-OID information in RSS metadata structure Added public key-OID information in the RSS metadata structure. Change-Id: I5ee5d41519980091296deaa1882fdfe9ae6766c0 Signed-off-by: Manish V Badarkhe --- plat/arm/board/fvp/fvp_bl1_measured_boot.c | 4 ++++ plat/arm/board/fvp/fvp_bl2_measured_boot.c | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/plat/arm/board/fvp/fvp_bl1_measured_boot.c b/plat/arm/board/fvp/fvp_bl1_measured_boot.c index b8431c5cf..dc95ba1c0 100644 --- a/plat/arm/board/fvp/fvp_bl1_measured_boot.c +++ b/plat/arm/board/fvp/fvp_bl1_measured_boot.c @@ -9,6 +9,7 @@ #include #include #include +#include /* Event Log data */ static uint8_t event_log[PLAT_ARM_EVENT_LOG_MAX_SIZE]; @@ -31,18 +32,21 @@ struct rss_mboot_metadata fvp_rss_mboot_metadata[] = { .slot = U(6), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_FW_CONFIG_STRING, + .pk_oid = ZERO_OID, .lock_measurement = true }, { .id = TB_FW_CONFIG_ID, .slot = U(7), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_TB_FW_CONFIG_STRING, + .pk_oid = ZERO_OID, .lock_measurement = true }, { .id = BL2_IMAGE_ID, .slot = U(8), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_BL2_STRING, + .pk_oid = ZERO_OID, .lock_measurement = true }, { diff --git a/plat/arm/board/fvp/fvp_bl2_measured_boot.c b/plat/arm/board/fvp/fvp_bl2_measured_boot.c index 564118ef2..349e064d8 100644 --- a/plat/arm/board/fvp/fvp_bl2_measured_boot.c +++ b/plat/arm/board/fvp/fvp_bl2_measured_boot.c @@ -9,7 +9,11 @@ #include #include #include +#if defined(ARM_COT_cca) +#include +#else #include +#endif /* ARM_COT_cca */ #include #include 
@@ -62,25 +66,31 @@ struct rss_mboot_metadata fvp_rss_mboot_metadata[] = { .slot = U(9), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_BL31_STRING, + .pk_oid = BL31_IMAGE_KEY_OID, .lock_measurement = true }, { .id = HW_CONFIG_ID, .slot = U(10), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_HW_CONFIG_STRING, + .pk_oid = HW_CONFIG_KEY_OID, .lock_measurement = true }, { .id = SOC_FW_CONFIG_ID, .slot = U(11), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_SOC_FW_CONFIG_STRING, + .pk_oid = SOC_FW_CONFIG_KEY_OID, .lock_measurement = true }, +#if ENABLE_RME { .id = RMM_IMAGE_ID, .slot = U(12), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_RMM_STRING, + .pk_oid = RMM_IMAGE_KEY_OID, .lock_measurement = true }, +#endif /* ENABLE_RME */ { .id = RSS_MBOOT_INVALID_ID } }; From db55d23d34b687cf6ce79c0723fedf10ef7227be Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 11 Apr 2023 16:13:09 +0100 Subject: [PATCH 07/12] feat(fvp): implement platform function to measure and publish Public Key Implemented 'plat_mboot_measure_key' platform function for FVP platform to measure and publish the public key information via RSS. Change-Id: I0c9d6d6ac3650a939437e9331ed3c9246f242830 Signed-off-by: Manish V Badarkhe --- plat/arm/board/fvp/fvp_common_measured_boot.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/plat/arm/board/fvp/fvp_common_measured_boot.c b/plat/arm/board/fvp/fvp_common_measured_boot.c index 7419e5e96..0c1d5e706 100644 --- a/plat/arm/board/fvp/fvp_common_measured_boot.c +++ b/plat/arm/board/fvp/fvp_common_measured_boot.c @@ -45,3 +45,10 @@ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data) return rc; } + +int plat_mboot_measure_key(const void *pk_oid, const void *pk_ptr, + size_t pk_len) +{ + return rss_mboot_set_signer_id(fvp_rss_mboot_metadata, pk_oid, pk_ptr, + pk_len); +} From 9eaa5a09ed5805ec6423bc751b4254fba19090c1 Mon Sep 17 00:00:00 2001 
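Review bot: The RMM entry uses `RMM_IMAGE_KEY_OID` under `#if ENABLE_RME`, but within this series that macro is defined only in cca_oid.h (patch 05), while the previous hunk of this file selects its OID header on `ARM_COT_cca`. The header names are not visible in this rendering, so this is inferred: if the `ARM_COT_cca` branch is the one that includes cca_oid.h, a build with ENABLE_RME and a different chain of trust would stop on an undeclared identifier. Giving the macro a default next to the other image key OIDs in tbbr_oid.h, for example `#define RMM_IMAGE_KEY_OID ZERO_OID` (value to be confirmed against the chain of trust), keeps the RMM measurement entry buildable in every configuration.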
From: Manish V Badarkhe Date: Tue, 11 Apr 2023 12:55:07 +0100 Subject: [PATCH 08/12] feat(auth): measure and publicise the Public Key Once the Public Key has been verified, call 'plat_mboot_measure_key' to measure and publicise it. Change-Id: I46ea71dcbba96db3706602ccd89f22596ae68416 Signed-off-by: Manish V Badarkhe --- drivers/auth/auth_mod.c | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c index 7a9cca8e3..105dc054f 100644 --- a/drivers/auth/auth_mod.c +++ b/drivers/auth/auth_mod.c @@ -20,6 +20,8 @@ #include #include +#include + /* ASN.1 tags */ #define ASN1_INTEGER 0x02 @@ -148,7 +150,7 @@ static int auth_signature(const auth_method_param_sig_t *param, const auth_img_desc_t *img_desc, void *img, unsigned int img_len) { - void *data_ptr, *pk_ptr, *pk_plat_ptr, *sig_ptr, *sig_alg_ptr; + void *data_ptr, *pk_ptr, *pk_plat_ptr, *sig_ptr, *sig_alg_ptr, *pk_oid; unsigned int data_len, pk_len, pk_plat_len, sig_len, sig_alg_len; unsigned int flags = 0; int rc = 0; @@ -226,6 +228,25 @@ static int auth_signature(const auth_method_param_sig_t *param, return -1; } } + + /* + * Set Zero-OID for ROTPK(subject key) as a the certificate + * does not hold Key-OID information for ROTPK. + */ + if (param->pk->cookie != NULL) { + pk_oid = param->pk->cookie; + } else { + pk_oid = ZERO_OID; + } + + /* + * Public key is verified at this stage, notify platform + * to measure and publish it. + */ + rc = plat_mboot_measure_key(pk_oid, pk_ptr, pk_len); + if (rc != 0) { + WARN("Public Key measurement failure = %d\n", rc); + } } /* Ask the crypto module to verify the signature */ @@ -381,6 +402,7 @@ int auth_mod_verify_img(unsigned int img_id, unsigned int img_len) { const auth_img_desc_t *img_desc = NULL; + const auth_param_type_desc_t *type_desc = NULL; const auth_method_desc_t *auth_method = NULL; void *param_ptr; unsigned int param_len; 
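Review bot: In the `@@ -226,6 +228,25 @@` hunk of auth_signature(), a failing `plat_mboot_measure_key()` is reduced to a `WARN` and authentication carries on, so an image can boot with its signer-ID never recorded. Patch 04 of this series describes the signer-ID as mandatory for Arm CCA attestation, so either the error should be propagated, `if (rc != 0) { return rc; }`, or a comment should state why continuing is acceptable. `pk_oid` is also declared as plain `void *` in the second hunk and then assigned the `ZERO_OID` literal; `const void *pk_oid` would match the `plat_mboot_measure_key()` prototype. The comment typo "as a the certificate" can be fixed in the same pass; auth_signature() starts and ends outside these hunks.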
@@ -462,6 +484,21 @@ int auth_mod_verify_img(unsigned int img_id, /* Copy the parameter for later use */ memcpy((void *)img_desc->authenticated_data[i].data.ptr, (void *)param_ptr, param_len); + + /* + * If this is a public key then measure and publicise + * it. + */ + type_desc = img_desc->authenticated_data[i].type_desc; + if (type_desc->type == AUTH_PARAM_PUB_KEY) { + rc = plat_mboot_measure_key(type_desc->cookie, + param_ptr, + param_len); + if (rc != 0) { + WARN("Public Key measurement " + "failure = %d\n", rc); + } + } } } From eee9fb02f7b2c29befa27a0f2f0b6cb966f6d7c5 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Wed, 12 Jul 2023 10:21:38 +0100 Subject: [PATCH 09/12] feat(tc): implement platform function to measure and publish Public Key Implemented 'plat_mboot_measure_key' platform function for TC platform to measure and publicise the public key information via RSS. Change-Id: I10d90e921b135e729d5450d5a7468d0598072e60 Signed-off-by: Manish V Badarkhe --- plat/arm/board/tc/tc_bl1_measured_boot.c | 4 ++++ plat/arm/board/tc/tc_bl2_measured_boot.c | 4 ++++ plat/arm/board/tc/tc_common_measured_boot.c | 6 ++++++ 3 files changed, 14 insertions(+) diff --git a/plat/arm/board/tc/tc_bl1_measured_boot.c b/plat/arm/board/tc/tc_bl1_measured_boot.c index 6d4bb07c6..6821a6ab5 100644 --- a/plat/arm/board/tc/tc_bl1_measured_boot.c +++ b/plat/arm/board/tc/tc_bl1_measured_boot.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include 
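Review bot: The call added in auth_mod_verify_img() passes `type_desc->cookie` straight to `plat_mboot_measure_key()`, while the call added to auth_signature() in this same patch first replaces a NULL cookie with `ZERO_OID`. rss_mboot_set_signer_id() (patch 04) matches on pointer equality, so a public-key parameter with a NULL cookie would match every metadata entry whose `pk_oid` was left unset; whether any chain of trust has such a descriptor is not visible here. Guarding the call, `if ((type_desc->type == AUTH_PARAM_PUB_KEY) && (type_desc->cookie != NULL)) {`, keeps an unnamed key from being attributed to an image. `rc` also keeps the measurement error after the `WARN`; the function continues outside the hunk, so it is worth confirming that value is never returned as the verification result.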
@@ -22,18 +23,21 @@ struct rss_mboot_metadata tc_rss_mboot_metadata[] = { .slot = U(6), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_FW_CONFIG_STRING, + .pk_oid = ZERO_OID, .lock_measurement = true }, { .id = TB_FW_CONFIG_ID, .slot = U(7), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_TB_FW_CONFIG_STRING, + .pk_oid = ZERO_OID, .lock_measurement = true }, { .id = BL2_IMAGE_ID, .slot = U(8), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_BL2_STRING, + .pk_oid = ZERO_OID, .lock_measurement = true }, { diff --git a/plat/arm/board/tc/tc_bl2_measured_boot.c b/plat/arm/board/tc/tc_bl2_measured_boot.c index 903985364..4b7917084 100644 --- a/plat/arm/board/tc/tc_bl2_measured_boot.c +++ b/plat/arm/board/tc/tc_bl2_measured_boot.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include @@ -22,18 +23,21 @@ struct rss_mboot_metadata tc_rss_mboot_metadata[] = { .slot = U(9), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_BL31_STRING, + .pk_oid = BL31_IMAGE_KEY_OID, .lock_measurement = true }, { .id = HW_CONFIG_ID, .slot = U(10), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_HW_CONFIG_STRING, + .pk_oid = HW_CONFIG_KEY_OID, .lock_measurement = true }, { .id = SOC_FW_CONFIG_ID, .slot = U(11), .signer_id_size = SIGNER_ID_MIN_SIZE, .sw_type = RSS_MBOOT_SOC_FW_CONFIG_STRING, + .pk_oid = SOC_FW_CONFIG_KEY_OID, .lock_measurement = true }, { .id = RSS_MBOOT_INVALID_ID } diff --git a/plat/arm/board/tc/tc_common_measured_boot.c b/plat/arm/board/tc/tc_common_measured_boot.c index eddcc8150..925a41142 100644 --- a/plat/arm/board/tc/tc_common_measured_boot.c +++ b/plat/arm/board/tc/tc_common_measured_boot.c @@ -28,3 +28,9 @@ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data) return err; } + +int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len) +{ + return rss_mboot_set_signer_id(tc_rss_mboot_metadata, pk_oid, pk_ptr, + pk_len); +} 
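Review bot: The definition `int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len)` added to tc_common_measured_boot.c does not match the prototype patch 01 adds to platform.h, which takes `const void *pk_oid, const void *pk_ptr, size_t pk_len`. If this file sees that header with MEASURED_BOOT enabled the compiler should reject the conflicting types, and if it does not, the mismatch goes unchecked at the call sites in auth_mod.c. The FVP, i.MX and QEMU versions in this series all use the const/size_t form, so the first line here should read `int plat_mboot_measure_key(const void *pk_oid, const void *pk_ptr, size_t pk_len)`.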
From b9bceef8eebf5c0f7f213921cca885a3f3c64ec1 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Wed, 12 Jul 2023 10:22:39 +0100 Subject: [PATCH 10/12] feat(imx): add dummy 'plat_mboot_measure_key' function Added dummy implementation of 'plat_mboot_measure_key' function for IMX platform. Change-Id: Ib41fd86a9da330f62561707bda7d16f2825c0a7f Signed-off-by: Manish V Badarkhe --- plat/imx/imx8m/imx8m_measured_boot.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/plat/imx/imx8m/imx8m_measured_boot.c b/plat/imx/imx8m/imx8m_measured_boot.c index e9ea2d873..bfcd6ceb2 100644 --- a/plat/imx/imx8m/imx8m_measured_boot.c +++ b/plat/imx/imx8m/imx8m_measured_boot.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2022, Arm Limited. All rights reserved. + * Copyright (c) 2022-2023, Arm Limited. All rights reserved. * Copyright (c) 2022, Linaro. * * SPDX-License-Identifier: BSD-3-Clause @@ -79,3 +79,9 @@ void bl2_plat_mboot_finish(void) dump_event_log((uint8_t *)event_log, event_log_cur_size); } + +int plat_mboot_measure_key(const void *pk_oid, const void *pk_ptr, + size_t pk_len) +{ + return 0; +} From 137d934dd9e4f32a7b5233931aa049f84cdf8a29 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Mon, 17 Jul 2023 09:56:13 +0100 Subject: [PATCH 11/12] docs(rss): update RSS doc for signer-ID Added details about the API that calculates the signer-ID and updated console log details to provide signer-ID information for each image. Change-Id: If637b3719418e9c0b8d2844c92bddbdfe454bfb8 Signed-off-by: Manish V Badarkhe --- docs/design_documents/rss.rst | 80 ++++++++++++++++++++++++----------- 1 file changed, 55 insertions(+), 25 deletions(-) diff --git a/docs/design_documents/rss.rst b/docs/design_documents/rss.rst index 2be806795..2ad2ee72f 100644 --- a/docs/design_documents/rss.rst +++ b/docs/design_documents/rss.rst 
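Review bot: The `plat_mboot_measure_key()` stub added to imx8m_measured_boot.c returns 0 without saying why, so with measured boot enabled on this platform every verified key is reported as measured although nothing is recorded. A comment such as `/* Public keys are not measured on this platform; return success so authentication is not affected. */` would make that explicit for anyone auditing measurement coverage. The parameters are unused and could carry `__unused`, as the inline stub in platform.h does. The same applies to the QEMU stub in patch 12.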
@@ -262,7 +262,8 @@ The following metadata can be stored alongside the measurement: - ``SW type``: Optional. Short text description (e.g.: BL1, BL2, BL31, etc.) .. Note:: - Signer-id and version info is not implemented in TF-A yet. + Version info is not implemented in TF-A yet. + The caller must specify in which measurement slot to extend a certain measurement and metadata. A measurement slot can be extended by multiple @@ -321,9 +322,38 @@ structure is defined in size_t version_size; uint8_t sw_type[SW_TYPE_MAX_SIZE]; size_t sw_type_size; + void *pk_oid; bool lock_measurement; }; +Signer-ID API +^^^^^^^^^^^^^ + +This function calculates the hash of a public key (signer-ID) using the +``Measurement algorithm`` and stores it in the ``rss_mboot_metadata`` field +named ``signer_id``. +Prior to calling this function, the caller must ensure that the ``signer_id`` +field points to the zero-filled buffer. + +Defined here: + +- ``include/drivers/measured_boot/rss/rss_measured_boot.h`` + +.. code-block:: c + + int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr, + const void *pk_oid, + const void *pk_ptr, + size_t pk_len) + + +- First parameter is the pointer to the ``rss_mboot_metadata`` structure. +- Second parameter is the pointer to the key-OID of the public key. +- Third parameter is the pointer to the public key buffer. +- Fourth parameter is the size of public key buffer. +- This function returns 0 on success, a signed integer error code + otherwise. + Build time config options ^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -361,8 +391,8 @@ Sample console log INFO: Image id=24 loaded: 0x4001300 - 0x400153a INFO: Measured boot extend measurement: INFO: - slot : 7 - INFO: - signer_id : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + INFO: - signer_id : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73 + INFO: : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da INFO: - version : INFO: - version_size: 0 INFO: - sw_type : TB_FW_CONFIG @@ -377,8 +407,8 @@ Sample console log INFO: Image id=1 loaded: 0x404d000 - 0x406412a INFO: Measured boot extend measurement: INFO: - slot : 8 - INFO: - signer_id : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + INFO: - signer_id : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73 + INFO: : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da INFO: - version : INFO: - version_size: 0 INFO: - sw_type : BL_2 
@@ -483,31 +513,31 @@ Binary format: INFO: a2 6a df 34 c3 29 48 9a dc 38 04 67 31 2e 35 2e INFO: 30 2b 30 01 60 02 58 20 b8 01 65 a7 78 8b c6 59 INFO: 42 8d 33 10 85 d1 49 0a dc 9e c3 ee df 85 1b d2 - INFO: f0 73 73 6a 0c 07 11 b8 a4 05 58 20 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 00 00 00 04 60 01 6a + INFO: f0 73 73 6a 0c 07 11 b8 a4 05 58 20 b0 f3 82 09 + INFO: 12 97 d8 3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 + INFO: 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6a INFO: 46 57 5f 43 4f 4e 46 49 47 00 02 58 20 21 9e a0 INFO: 13 82 e6 d7 97 5a 11 13 a3 5f 45 39 68 b1 d9 a3 INFO: ea 6a ab 84 23 3b 8c 06 16 98 20 ba b9 a4 05 58 - INFO: 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 04 60 01 6d 54 42 5f 46 57 5f 43 4f 4e 46 49 + INFO: 20 b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 + INFO: 73 e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a + INFO: da 04 60 01 6d 54 42 5f 46 57 5f 43 4f 4e 46 49 INFO: 47 00 02 58 20 41 39 f6 c2 10 84 53 c5 17 ae 9a INFO: e5 be c1 20 7b cc 24 24 f3 9d 20 a8 fb c7 b3 10 - INFO: e3 ee af 1b 05 a4 05 58 20 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 04 60 01 65 42 4c 5f + INFO: e3 ee af 1b 05 a4 05 58 20 b0 f3 82 09 12 97 d8 + INFO: 3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 49 59 f6 + INFO: 5e 8b 4a 4a 46 d8 22 9a da 04 60 01 65 42 4c 5f INFO: 32 00 02 58 20 5c 96 20 e1 e3 3b 0f 2c eb c1 8e INFO: 1a 02 a6 65 86 dd 34 97 a7 4c 98 13 bf 74 14 45 - INFO: 2d 30 28 05 c3 a4 05 58 20 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 04 60 01 6e 53 45 43 + INFO: 2d 30 28 05 c3 a4 05 58 20 b0 f3 82 09 12 97 d8 + INFO: 3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 49 59 f6 + INFO: 5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6e 53 45 43 INFO: 55 52 45 5f 52 54 5f 45 4c 33 00 02 58 20 f6 fb INFO: 62 99 a5 0c df db 
02 0b 72 5b 1c 0b 63 6e 94 ee INFO: 66 50 56 3a 29 9c cb 38 f0 ec 59 99 d4 2e a4 05 - INFO: 58 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - INFO: 00 00 04 60 01 6a 48 57 5f 43 4f 4e 46 49 47 00 + INFO: 58 20 b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec + INFO: 32 73 e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 + INFO: 9a da 04 60 01 6a 48 57 5f 43 4f 4e 46 49 47 00 INFO: 02 58 20 98 5d 87 21 84 06 33 9d c3 1f 91 f5 68 INFO: 8d a0 5a f0 d7 7e 20 51 ce 3b f2 a5 c3 05 2e 3c INFO: 8b 52 31 19 01 09 78 1c 68 74 74 70 3a 2f 2f 61 
@@ -559,31 +589,31 @@ JSON format: "MEASUREMENT_VALUE": "b'B80165A7788BC659428D331085D1490ADC9EC3EEDF851BD2F073736A0C0711B8'" }, { - "SIGNER_ID": "b'0000000000000000000000000000000000000000000000000000000000000000'", + "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'", "SW_COMPONENT_VERSION": "", "SW_COMPONENT_TYPE": "FW_CONFIG\u0000", "MEASUREMENT_VALUE": "b'219EA01382E6D7975A1113A35F453968B1D9A3EA6AAB84233B8C06169820BAB9'" }, { - "SIGNER_ID": "b'0000000000000000000000000000000000000000000000000000000000000000'", + "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'", "SW_COMPONENT_VERSION": "", "SW_COMPONENT_TYPE": "TB_FW_CONFIG\u0000", "MEASUREMENT_VALUE": "b'4139F6C2108453C517AE9AE5BEC1207BCC2424F39D20A8FBC7B310E3EEAF1B05'" }, { - "SIGNER_ID": "b'0000000000000000000000000000000000000000000000000000000000000000'", + "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'", "SW_COMPONENT_VERSION": "", "SW_COMPONENT_TYPE": "BL_2\u0000", "MEASUREMENT_VALUE": "b'5C9620E1E33B0F2CEBC18E1A02A66586DD3497A74C9813BF7414452D302805C3'" }, { - "SIGNER_ID": "b'0000000000000000000000000000000000000000000000000000000000000000'", + "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'", "SW_COMPONENT_VERSION": "", "SW_COMPONENT_TYPE": "SECURE_RT_EL3\u0000", "MEASUREMENT_VALUE": "b'F6FB6299A50CDFDB020B725B1C0B636E94EE6650563A299CCB38F0EC5999D42E'" }, { - "SIGNER_ID": "b'0000000000000000000000000000000000000000000000000000000000000000'", + "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'", "SW_COMPONENT_VERSION": "", "SW_COMPONENT_TYPE": "HW_CONFIG\u0000", "MEASUREMENT_VALUE": "b'985D87218406339DC31F91F5688DA05AF0D77E2051CE3BF2A5C3052E3C8B5231'" From f0f11acd86650da04a41298acbf4ae38b7e25894 Mon Sep 17 00:00:00 2001 
From: Jens Wiklander Date: Wed, 19 Jul 2023 10:37:39 +0200 Subject: [PATCH 12/12] feat(qemu): add dummy plat_mboot_measure_key() function Adds a dummy implementation of the plat_mboot_measure_key() function for QEMU platform. Signed-off-by: Jens Wiklander Change-Id: I64c1c751348c04cd359c075fc15a0d180ff55918 --- plat/qemu/qemu/qemu_measured_boot.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c index 122bb23b1..077f7a486 100644 --- a/plat/qemu/qemu/qemu_measured_boot.c +++ b/plat/qemu/qemu/qemu_measured_boot.c @@ -1,6 +1,6 @@ /* * Copyright (c) 2022, Arm Limited. All rights reserved. - * Copyright (c) 2022, Linaro. + * Copyright (c) 2022-2023, Linaro. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -118,3 +118,9 @@ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data) return 0; } + +int plat_mboot_measure_key(const void *pk_oid, const void *pk_ptr, + size_t pk_len) +{ + return 0; +}