From 3201faf3563930d90a0eb2fa6fad92f65b01101e Mon Sep 17 00:00:00 2001
From: Tamas Ban <tamas.ban@arm.com>
Date: Fri, 14 Jun 2024 14:55:31 +0200
Subject: [PATCH] feat(tc): provide target_locality info of AP FW components

The target_locality attribute is meant to specify that
a certain SW component is expected to run and thereby
send DPE commands from a given security domain. The DPE
service must be capable of determining the locality of
a client on his own. RSE determines the client's locality
based on the MHU channel used for communication.

If the expected locality (specified by the parent component)
is not matching with the determined locality by DPE
service then command fails.

The goal is to protect against spoofing when a
context_handle is stolen and used by a component
that should not have access.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I96d255de231611cfed10eef4335a47b91c2c94de
---
 drivers/measured_boot/rse/dice_prot_env.c        |  2 +-
 .../drivers/measured_boot/rse/dice_prot_env.h    |  1 +
 plat/arm/board/tc/tc_bl1_dpe.c                   |  3 +++
 plat/arm/board/tc/tc_bl2_dpe.c                   | 16 ++++++++++++++++
 plat/arm/board/tc/tc_dpe.h                       | 14 ++++++++++++++
 5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/drivers/measured_boot/rse/dice_prot_env.c b/drivers/measured_boot/rse/dice_prot_env.c
index da98afe18..dad30b2c7 100644
--- a/drivers/measured_boot/rse/dice_prot_env.c
+++ b/drivers/measured_boot/rse/dice_prot_env.c
@@ -115,7 +115,7 @@ int dpe_measure_and_record(struct dpe_metadata *metadata,
 				 metadata->allow_new_context_to_derive,
 				 metadata->create_certificate,
 				 &dice_inputs,
-				 0, /* target_locality */
+				 metadata->target_locality,
 				 false, /* return_certificate */
 				 true, /* allow_new_context_to_export */
 				 false, /* export_cdi */
diff --git a/include/drivers/measured_boot/rse/dice_prot_env.h b/include/drivers/measured_boot/rse/dice_prot_env.h
index e4531987a..e5aef516c 100644
--- a/include/drivers/measured_boot/rse/dice_prot_env.h
+++ b/include/drivers/measured_boot/rse/dice_prot_env.h
@@ -27,6 +27,7 @@ struct dpe_metadata {
 	bool allow_new_context_to_derive;
 	bool retain_parent_context;
 	bool create_certificate;
+	int target_locality;
 	void *pk_oid;
 };
 
diff --git a/plat/arm/board/tc/tc_bl1_dpe.c b/plat/arm/board/tc/tc_bl1_dpe.c
index 3a39c66e3..de5702a71 100644
--- a/plat/arm/board/tc/tc_bl1_dpe.c
+++ b/plat/arm/board/tc/tc_bl1_dpe.c
@@ -29,6 +29,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = ZERO_OID },
 	{
 		.id = TB_FW_CONFIG_ID,
@@ -38,6 +39,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = ZERO_OID },
 	{
 		.id = BL2_IMAGE_ID,
@@ -46,6 +48,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.sw_type = MBOOT_BL2_IMAGE_STRING,
 		.allow_new_context_to_derive = true,
 		.retain_parent_context = true, /* To handle restart */
+		.target_locality = LOCALITY_AP_S,
 		.create_certificate = false,
 		.pk_oid = ZERO_OID },
 	{
diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c
index 02aca43d9..c56612b42 100644
--- a/plat/arm/board/tc/tc_bl2_dpe.c
+++ b/plat/arm/board/tc/tc_bl2_dpe.c
@@ -39,6 +39,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = BL31_IMAGE_KEY_OID },
 	{
 		.id = BL32_IMAGE_ID,
@@ -48,6 +49,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = BL32_IMAGE_KEY_OID },
 	{
 		.id = BL33_IMAGE_ID,
@@ -57,6 +59,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = true,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_AP_NS,
 		.pk_oid = BL33_IMAGE_KEY_OID },
 
 	{
@@ -67,6 +70,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = HW_CONFIG_KEY_OID },
 	{
 		.id = NT_FW_CONFIG_ID,
@@ -76,6 +80,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NT_FW_CONFIG_KEY_OID },
 	{
 		.id = SCP_BL2_IMAGE_ID,
@@ -85,6 +90,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = SCP_BL2_IMAGE_KEY_OID },
 	{
 		.id = SOC_FW_CONFIG_ID,
@@ -94,6 +100,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = SOC_FW_CONFIG_KEY_OID },
 	{
 		.id = TOS_FW_CONFIG_ID,
@@ -103,6 +110,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = TOS_FW_CONFIG_KEY_OID },
 #if defined(SPD_spmd)
 	{
@@ -113,6 +121,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = true, /* With Trusty only one SP is loaded */
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG2_ID,
@@ -122,6 +131,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG3_ID,
@@ -131,6 +141,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG4_ID,
@@ -140,6 +151,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG5_ID,
@@ -149,6 +161,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG6_ID,
@@ -158,6 +171,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG7_ID,
@@ -167,6 +181,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
 		.id = SP_PKG8_ID,
@@ -176,6 +191,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
 		.create_certificate = false,
+		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 
 #endif
diff --git a/plat/arm/board/tc/tc_dpe.h b/plat/arm/board/tc/tc_dpe.h
index d5f4f6be7..3e1af5a81 100644
--- a/plat/arm/board/tc/tc_dpe.h
+++ b/plat/arm/board/tc/tc_dpe.h
@@ -36,4 +36,18 @@
 /* Common definition */
 #define DPE_CERT_ID_SAME_AS_PARENT	0xFFFFFFFF
 
+/*
+ * Target Locality:
+ *    The goal is to specify that a certain component is expected to run and
+ *    thereby send DPE commands from a given security domain. RSE is capable of
+ *    of distinguishing the client's locality based on the MHU channel used for
+ *    communication.
+ *    Defines here must match with RSE side:
+ */
+#define LOCALITY_NONE		-1
+/* #define LOCALITY_RSE_S	0 */  /* Not applicable on AP side */
+/* #define LOCALITY_RSE_NS	1 */  /* Not applicable on AP side */
+#define LOCALITY_AP_S		 2
+#define LOCALITY_AP_NS		 3
+
 #endif /* TC_DPE_H */