From 2e361319ac1907009b42da657f7c55a50a9ccca0 Mon Sep 17 00:00:00 2001
From: Ben Horgan
Date: Tue, 29 Oct 2024 17:59:59 +0000
Subject: [PATCH] fix(tc): enable certificate on the last secure partition
Distros (e.g. Buildroot and Android) can have different secure partition layout. This commit iterates the DPE metadata table and finds index (i) for the first entry of the secure partition, connecting with the defined secure partition number NUM_SP, so the last secure partition index is: i + NUM_SP - 1 Instead of setting the certificate in hard code, dynamically enables the certificate for the last secure partition base on calculated index.
Signed-off-by: Ben Horgan
Signed-off-by: Leo Yan
Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9
---
 plat/arm/board/tc/tc_bl2_dpe.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c
index c56612b42..144e898ea 100644
--- a/plat/arm/board/tc/tc_bl2_dpe.c
+++ b/plat/arm/board/tc/tc_bl2_dpe.c
@@ -120,7 +120,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 .sw_type = MBOOT_SP1_STRING,
 .allow_new_context_to_derive = false,
 .retain_parent_context = true,
- .create_certificate = true, /* With Trusty only one SP is loaded */
+ .create_certificate = false,
 .target_locality = LOCALITY_NONE, /* won't derive don't care */
 .pk_oid = NULL }, {
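Review bot: The static `.create_certificate = false` on the SP1 entry no longer tells a reader which component finalizes the certificate, because the flag is now set at run time in `bl2_plat_mboot_init()`. A short comment on the line would keep the table self-explanatory, for example `/* set for the last SP in bl2_plat_mboot_init() */`. The removed comment recorded that a Trusty build loads only one SP; whether that configuration still ends up with a certificate depends on the `SPD_spmd` block and on `NUM_SP`, neither of which this hunk shows. The enclosing array initializer starts and ends outside the hunk.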
@@ -230,10 +230,33 @@ void plat_dpe_get_context_handle(int *ctx_handle)
 void bl2_plat_mboot_init(void)
 {
+ size_t i;
+ const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
+
 /* Initialize the communication channel between AP and RSE */
 (void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE, PLAT_RSE_AP_RCV_MHU_BASE);
+#if defined(SPD_spmd)
+ for (i = 0U; i < array_size; i++) {
+ if (tc_dpe_metadata[i].id != SP_PKG1_ID) {
+ continue;
+ }
+
+ if ((i + NUM_SP > array_size) || (i - 1 + NUM_SP < 0)) {
+ ERROR("Secure partition number is out-of-range\n");
+ ERROR(" Non-Secure partition number: %ld\n", i);
+ ERROR(" Secure partition number: %d\n", NUM_SP);
+ ERROR(" Metadata array size: %ld\n", array_size);
+ panic();
+ }
+
+ /* Finalize the certificate on the last secure partition */
+ tc_dpe_metadata[i - 1 + NUM_SP].create_certificate = true;
+ break;
+ }
+#endif
+
 dpe_init(tc_dpe_metadata);
 }
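Review bot: The second half of the range check, `(i - 1 + NUM_SP < 0)`, can never be true because `i` is a `size_t` and the arithmetic is unsigned, so a `NUM_SP` of zero or less is not rejected before `tc_dpe_metadata[i - 1 + NUM_SP]` is written. Testing the count directly avoids the wrap: `if ((NUM_SP < 1) || ((size_t)NUM_SP > array_size - i)) {` (the `%d` in the message suggests `NUM_SP` is an int, but its definition is outside the hunk). The loop also falls through silently when no entry has `SP_PKG1_ID`; since the SP1 entry now starts with `create_certificate = false`, that case would leave no secure-partition entry finalizing the certificate, and a found flag checked after the loop with `ERROR()` and `panic()` would make it visible. The two `size_t` values are printed with `%ld`, and the label "Non-Secure partition number" is attached to the index of the first secure partition; `%zu` (if the platform printf accepts it) and a label such as "First SP index" would match what is printed.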