Merge changes from topic "cot_cca_nvctr" into integration

* changes:
  feat(fvp): mock support for CCA NV ctr
  feat(auth): add CCA NV ctr to CCA CoT
  feat(build): pass CCA NV ctr option to cert_create
  feat(cert-create): add new option for CCA NV ctr

drivers/auth/cca/cot.c

@@ -42,8 +42,8 @@ static unsigned char plat_pk_buf[PK_DER_LEN];
 /*
  * Parameter type descriptors.
  */
-static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
+static auth_param_type_desc_t cca_nv_ctr = AUTH_PARAM_TYPE_DESC(
-		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
+		AUTH_PARAM_NV_CTR, CCA_FW_NVCOUNTER_OID);
 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_PUB_KEY, 0);
 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
@@ -69,6 +69,8 @@ static auth_param_type_desc_t rmm_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, RMM_HASH_OID);
 
 #ifdef IMAGE_BL2
+static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
 
@@ -127,8 +129,8 @@ static const auth_img_desc_t cca_content_cert = {
 		[1] = {
 			.type = AUTH_METHOD_NV_CTR,
 			.param.nv_ctr = {
-				.cert_nv_ctr = &trusted_nv_ctr,
+				.cert_nv_ctr = &cca_nv_ctr,
-				.plat_nv_ctr = &trusted_nv_ctr
+				.plat_nv_ctr = &cca_nv_ctr
 			}
 		}
 	},

include/tools_share/cca_oid.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -25,4 +25,7 @@
 /* Realm Monitor Manager (RMM) Hash */
 #define RMM_HASH_OID				"1.3.6.1.4.1.4128.2100.1106"
 
+/* CCAFirmwareNVCounter - Non-volatile counter extension */
+#define CCA_FW_NVCOUNTER_OID			"1.3.6.1.4.1.4128.2100.3"
+
 #endif /* CCA_OID_H */

make_helpers/tbbr/tbbr_tools.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -43,10 +43,14 @@ FWU_CERT		:=	${BUILD_PLAT}/fwu_cert.crt
 # Default non-volatile counter values (overridable by the platform)
 TFW_NVCTR_VAL		?=	0
 NTFW_NVCTR_VAL		?=	0
+CCAFW_NVCTR_VAL		?=	0
 
 # Pass the non-volatile counters to the cert_create tool
 $(eval $(call CERT_ADD_CMD_OPT,${TFW_NVCTR_VAL},--tfw-nvctr))
 $(eval $(call CERT_ADD_CMD_OPT,${NTFW_NVCTR_VAL},--ntfw-nvctr))
+ifeq (${COT},cca)
+$(eval $(call CERT_ADD_CMD_OPT,${CCAFW_NVCTR_VAL},--ccafw-nvctr))
+endif
 
 # Add Trusted Key certificate to the fiptool and cert_create command line options
 ifneq (${COT},cca)

plat/arm/board/common/board_common.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -67,11 +67,16 @@ endif
 # ARM development platforms
 TFW_NVCTR_VAL	?=	31
 NTFW_NVCTR_VAL	?=	223
+# The CCA Non-Volatile Counter only exists on some Arm development platforms.
+# On others, we mock it by aliasing it to the Trusted Firmware Non-Volatile counter,
+# hence we set both counters to the same default value.
+CCAFW_NVCTR_VAL	?=	31
 else
 # Certificate NV-Counters when CryptoCell is integrated. For development
 # platforms we set the counter to first valid value.
 TFW_NVCTR_VAL	?=	0
 NTFW_NVCTR_VAL	?=	0
+CCAFW_NVCTR_VAL	?=	0
 endif
 BL1_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c \
 				${ARM_ROTPK_S}

plat/arm/board/fvp/fvp_trusted_boot.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2023, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -14,7 +14,7 @@
 #include <plat/arm/common/fconf_nv_cntr_getter.h>
 #include <plat/common/platform.h>
 #include <platform_def.h>
-#include <tools_share/tbbr_oid.h>
+#include <tools_share/cca_oid.h>
 
 /*
  * Return the ROTPK hash in the following ASN.1 structure in DER format:
@@ -57,6 +57,10 @@ int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
 	} else if (strcmp(oid, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
 		nv_ctr_addr = FCONF_GET_PROPERTY(cot, nv_cntr_addr,
 						NON_TRUSTED_NV_CTR_ID);
+	} else if (strcmp(oid, CCA_FW_NVCOUNTER_OID) == 0) {
+		/* FVP does not support the CCA NV Counter so use the Trusted NV */
+		nv_ctr_addr = FCONF_GET_PROPERTY(cot, nv_cntr_addr,
+						TRUSTED_NV_CTR_ID);
 	} else {
 		return 1;
 	}
@@ -69,3 +73,37 @@ int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
 	 */
 	return (mmio_read_32(nv_ctr_addr) == nv_ctr) ? 0 : 1;
 }
+
+/*
+ * Return the non-volatile counter value stored in the platform. The cookie
+ * will contain the OID of the counter in the certificate.
+ *
+ * Return: 0 = success, Otherwise = error
+ */
+int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr)
+{
+	const char *oid;
+	uint32_t *nv_ctr_addr;
+
+	assert(cookie != NULL);
+	assert(nv_ctr != NULL);
+
+	oid = (const char *)cookie;
+	if (strcmp(oid, TRUSTED_FW_NVCOUNTER_OID) == 0) {
+		nv_ctr_addr = (uint32_t *)FCONF_GET_PROPERTY(cot, nv_cntr_addr,
+							TRUSTED_NV_CTR_ID);
+	} else if (strcmp(oid, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
+		nv_ctr_addr = (uint32_t *)FCONF_GET_PROPERTY(cot, nv_cntr_addr,
+							NON_TRUSTED_NV_CTR_ID);
+	} else if (strcmp(oid, CCA_FW_NVCOUNTER_OID) == 0) {
+		/* FVP does not support the CCA NV Counter so use the Trusted NV */
+		nv_ctr_addr = (uint32_t *)FCONF_GET_PROPERTY(cot, nv_cntr_addr,
+							TRUSTED_NV_CTR_ID);
+	} else {
+		return 1;
+	}
+
+	*nv_ctr = (unsigned int)(*nv_ctr_addr);
+
+	return 0;
+}

tools/cert_create/include/cca/cca_cot.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -24,6 +24,7 @@ enum {
 /* Certificate extensions. */
 enum {
 	/* Extensions used in certificates owned by the silicon provider. */
+	CCA_FW_NVCOUNTER_EXT,
 	TRUSTED_FW_NVCOUNTER_EXT,
 	TRUSTED_BOOT_FW_HASH_EXT,
 	TRUSTED_BOOT_FW_CONFIG_HASH_EXT,

tools/cert_create/include/ext.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -20,7 +20,8 @@ enum ext_type_e {
 /* NV-Counter types */
 enum nvctr_type_e {
 	NVCTR_TYPE_TFW,
-	NVCTR_TYPE_NTFW
+	NVCTR_TYPE_NTFW,
+	NVCTR_TYPE_CCAFW
 };
 
 /*

tools/cert_create/src/cca/cot.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -27,7 +27,7 @@ static cert_t cot_certs[] = {
 		.key = ROT_KEY,
 		.issuer = CCA_CONTENT_CERT,
 		.ext = {
-			TRUSTED_FW_NVCOUNTER_EXT,
+			CCA_FW_NVCOUNTER_EXT,
 			SOC_AP_FW_HASH_EXT,
 			SOC_FW_CONFIG_HASH_EXT,
 			RMM_HASH_EXT,
@@ -139,6 +139,17 @@ REGISTER_COT(cot_certs);
 
 /* Certificate extensions. */
 static ext_t cot_ext[] = {
+	[CCA_FW_NVCOUNTER_EXT] = {
+		.oid = CCA_FW_NVCOUNTER_OID,
+		.opt = "ccafw-nvctr",
+		.help_msg = "CCA Firmware Non-Volatile counter value",
+		.sn = "CCANVCounter",
+		.ln = "CCA Non-Volatile counter",
+		.asn1_type = V_ASN1_INTEGER,
+		.type = EXT_TYPE_NVCOUNTER,
+		.attr.nvctr_type = NVCTR_TYPE_CCAFW
+	},
+
 	[TRUSTED_FW_NVCOUNTER_EXT] = {
 		.oid = TRUSTED_FW_NVCOUNTER_OID,
 		.opt = "tfw-nvctr",