fix(tc): add SCP_BL2 to RSE measured boot

SCP_BL2 is part of CCA's TCB. The SCP_BL1 is loaded by RSE. It has already added to the platform attestation token. SCP_BL2 was missed, so it is fixed now. Signed-off-by: Tamas Ban <tamas.ban@arm.com> Change-Id: Ic87743564136f03a901c90ff1ec614f5965b9a47
2025-04-07 21:33:54 +00:00 · 2024-04-30 16:02:14 +02:00 · 2024-04-30 16:02:14 +02:00 · 79841546a2
commit 79841546a2
parent 517b7f96c9
2 changed files with 11 additions and 2 deletions
--- a/include/tools_share/cca_oid.h
+++ b/include/tools_share/cca_oid.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -30,15 +30,17 @@

 /*
 * First undef previous definitions from tbbr_oid.h.
- * CCA ROTPK authenticates BL31 and its configuration image in
+ * CCA ROTPK authenticates BL31, SCP_BL2 and its configuration image in
 * CCA CoT.
 **/
 #undef BL31_IMAGE_KEY_OID
 #undef SOC_FW_CONFIG_KEY_OID
 #undef HW_CONFIG_KEY_OID
+#undef SCP_BL2_IMAGE_KEY_OID
 #define BL31_IMAGE_KEY_OID			ZERO_OID
 #define SOC_FW_CONFIG_KEY_OID			ZERO_OID
 #define HW_CONFIG_KEY_OID			ZERO_OID
+#define SCP_BL2_IMAGE_KEY_OID			ZERO_OID
 #define RMM_IMAGE_KEY_OID			ZERO_OID

 #endif /* CCA_OID_H */
--- a/plat/arm/board/tc/tc_bl2_measured_boot.c
+++ b/plat/arm/board/tc/tc_bl2_measured_boot.c
@ -39,6 +39,13 @@ struct rse_mboot_metadata tc_rse_mboot_metadata[] = {
 		.sw_type = MBOOT_SOC_FW_CONFIG_STRING,
 		.pk_oid = SOC_FW_CONFIG_KEY_OID,
 		.lock_measurement = true },
+	{
+		.id = SCP_BL2_IMAGE_ID,
+		.slot = U(12),
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SCP_BL2_IMAGE_STRING,
+		.pk_oid = SCP_BL2_IMAGE_KEY_OID,
+		.lock_measurement = true },
 	{
 		.id = RSE_MBOOT_INVALID_ID }
 };