Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-27 23:35:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge changes from topic "full_dev_rsa_key" into integration

Browse source 
* changes:
  docs(arm): add ARM_ROTPK_LOCATION variant full key
  feat(arm): add ARM_ROTPK_LOCATION variant full key
This commit is contained in:
Lauren Wehrmeister 2022-12-12 22:18:26 +01:00 committed by TrustedFirmware Code Review
commit abd6d7ea60
7 changed files with 76 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
docs/design/trusted-board-boot-build.rst
View file

@ -42,7 +42,7 @@ images with support for these features:
are loaded from that path instead of the default OS path. Export this are loaded from that path instead of the default OS path. Export this
variable if necessary. variable if necessary.
In the case of Arm platforms, the location of the ROTPK hash must also be In the case of Arm platforms, the location of the ROTPK must also be
specified at build time. The following locations are currently supported (see specified at build time. The following locations are currently supported (see
``ARM_ROTPK_LOCATION`` build option): ``ARM_ROTPK_LOCATION`` build option):
@ -62,6 +62,9 @@ images with support for these features:
``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce
generation of the new hash if ``ROT_KEY`` is specified. generation of the new hash if ``ROT_KEY`` is specified.
- ``ARM_ROTPK_LOCATION=devel_full_dev_rsa_key``: use the key located in
``plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S``.
Example of command line using RSA development keys: Example of command line using RSA development keys:
.. code:: shell .. code:: shell

16
docs/plat/arm/arm-build-options.rst
View file

@ -49,7 +49,7 @@ Arm Platform Build Options
field of power-state parameter. field of power-state parameter.
- ``ARM_ROTPK_LOCATION``: used when ``TRUSTED_BOARD_BOOT=1``. It specifies the - ``ARM_ROTPK_LOCATION``: used when ``TRUSTED_BOARD_BOOT=1``. It specifies the
location of the ROTPK hash returned by the function ``plat_get_rotpk_info()`` location of the ROTPK returned by the function ``plat_get_rotpk_info()``
for Arm platforms. Depending on the selected option, the proper private key for Arm platforms. Depending on the selected option, the proper private key
must be specified using the ``ROT_KEY`` option when building the Trusted must be specified using the ``ROT_KEY`` option when building the Trusted
Firmware. This private key will be used by the certificate generation tool Firmware. This private key will be used by the certificate generation tool
@ -68,12 +68,16 @@ Arm Platform Build Options
``arm_rotpk_ecdsa.der``, located in ``plat/arm/board/common/rotpk``. To ``arm_rotpk_ecdsa.der``, located in ``plat/arm/board/common/rotpk``. To
use this option, ``arm_rotprivk_ecdsa.pem`` must be specified as use this option, ``arm_rotprivk_ecdsa.pem`` must be specified as
``ROT_KEY`` when creating the certificates. ``ROT_KEY`` when creating the certificates.
- ``devel_full_dev_rsa_key`` : returns a development public key embedded in
the BL1 and BL2 binaries. This key has been obtained from the RSA public
key ``arm_rotpk_rsa.der``, located in ``plat/arm/board/common/rotpk``.
- ``ARM_ROTPK_HASH``: used when ``ARM_ROTPK_LOCATION=devel_*``. Specifies the - ``ARM_ROTPK_HASH``: used when ``ARM_ROTPK_LOCATION=devel_*``, excluding
location of the ROTPK hash. Not expected to be a build option. This defaults to ``devel_full_dev_rsa_key``. Specifies the location of the ROTPK hash. Not
``plat/arm/board/common/rotpk/*_sha256.bin`` depending on the specified algorithm. expected to be a build option. This defaults to
Providing ``ROT_KEY`` enforces generation of the hash from the ``ROT_KEY`` and ``plat/arm/board/common/rotpk/*_sha256.bin`` depending on the specified
overwrites the default hash file. algorithm. Providing ``ROT_KEY`` enforces generation of the hash from the
``ROT_KEY`` and overwrites the default hash file.
- ``ARM_TSP_RAM_LOCATION``: location of the TSP binary. Options: - ``ARM_TSP_RAM_LOCATION``: location of the TSP binary. Options:

4
include/plat/arm/common/arm_def.h
View file

@ -20,10 +20,12 @@
*****************************************************************************/ *****************************************************************************/
/* /*
* Root of trust key hash lengths * Root of trust key lengths
*/ */
#define ARM_ROTPK_HEADER_LEN 19 #define ARM_ROTPK_HEADER_LEN 19
#define ARM_ROTPK_HASH_LEN 32 #define ARM_ROTPK_HASH_LEN 32
/* ARM_ROTPK_KEY_LEN includes DER header + raw key material */
#define ARM_ROTPK_KEY_LEN 294
/* Special value used to verify platform parameters from BL2 to BL31 */ /* Special value used to verify platform parameters from BL2 to BL31 */
#define ARM_BL31_PLAT_PARAM_VAL ULL(0x0f1e2d3c4b5a6978) #define ARM_BL31_PLAT_PARAM_VAL ULL(0x0f1e2d3c4b5a6978)

2
include/plat/arm/common/plat_arm.h
View file

@ -159,7 +159,7 @@ void arm_setup_romlib(void);
#define ARM_ROTPK_REGS_ID 1 #define ARM_ROTPK_REGS_ID 1
#define ARM_ROTPK_DEVEL_RSA_ID 2 #define ARM_ROTPK_DEVEL_RSA_ID 2
#define ARM_ROTPK_DEVEL_ECDSA_ID 3 #define ARM_ROTPK_DEVEL_ECDSA_ID 3
#define ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID 4
/* IO storage utility functions */ /* IO storage utility functions */
int arm_io_setup(void); int arm_io_setup(void);

20
plat/arm/board/common/board_arm_trusted_boot.c
View file

@ -47,7 +47,8 @@ uintptr_t nv_cntr_base_addr[MAX_NV_CTR_IDS] = {
#pragma weak plat_get_nv_ctr #pragma weak plat_get_nv_ctr
#pragma weak plat_set_nv_ctr #pragma weak plat_set_nv_ctr
extern unsigned char arm_rotpk_header[], arm_rotpk_hash_end[]; extern unsigned char arm_rotpk_header[], arm_rotpk_key[], arm_rotpk_hash_end[],
arm_rotpk_key_end[];
#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID) || ARM_CRYPTOCELL_INTEG #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID) || ARM_CRYPTOCELL_INTEG
static unsigned char rotpk_hash_der[ARM_ROTPK_HEADER_LEN + ARM_ROTPK_HASH_LEN]; static unsigned char rotpk_hash_der[ARM_ROTPK_HEADER_LEN + ARM_ROTPK_HASH_LEN];
@ -93,16 +94,20 @@ int arm_get_rotpk_info_regs(void **key_ptr, unsigned int *key_len,
#endif #endif
#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \ #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \
(ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) || \
/* (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID)
* Return development ROTPK hash generated from ROT_KEY.
*/
int arm_get_rotpk_info_dev(void **key_ptr, unsigned int *key_len, int arm_get_rotpk_info_dev(void **key_ptr, unsigned int *key_len,
unsigned int *flags) unsigned int *flags)
{ {
if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID) {
*key_ptr = arm_rotpk_key;
*key_len = arm_rotpk_key_end - arm_rotpk_key;
*flags = 0;
} else {
*key_ptr = arm_rotpk_header; *key_ptr = arm_rotpk_header;
*key_len = arm_rotpk_hash_end - arm_rotpk_header; *key_len = arm_rotpk_hash_end - arm_rotpk_header;
*flags = ROTPK_IS_HASH; *flags = ROTPK_IS_HASH;
}
return 0; return 0;
} }
#endif #endif
@ -130,7 +135,7 @@ int arm_get_rotpk_info_cc(void **key_ptr, unsigned int *key_len,
#endif #endif
/* /*
* Wrapper function for most Arm platforms to get ROTPK hash. * Wrapper function for most Arm platforms to get ROTPK info.
*/ */
static int get_rotpk_info(void **key_ptr, unsigned int *key_len, static int get_rotpk_info(void **key_ptr, unsigned int *key_len,
unsigned int *flags) unsigned int *flags)
@ -140,7 +145,8 @@ static int get_rotpk_info(void **key_ptr, unsigned int *key_len,
#else #else
#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \ #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \
(ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) || \
(ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID)
return arm_get_rotpk_info_dev(key_ptr, key_len, flags); return arm_get_rotpk_info_dev(key_ptr, key_len, flags);
#elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID) #elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID)
return arm_get_rotpk_info_regs(key_ptr, key_len, flags); return arm_get_rotpk_info_regs(key_ptr, key_len, flags);

12
plat/arm/board/common/board_common.mk
View file

@ -20,6 +20,7 @@ else ifeq (${ARM_ROTPK_LOCATION}, devel_rsa)
CRYPTO_ALG=rsa CRYPTO_ALG=rsa
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_RSA_ID ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_RSA_ID
ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_dev_rotpk.S
$(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"')) $(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"'))
$(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH) $(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH)
$(warning Development keys support for FVP is deprecated. Use `regs` \ $(warning Development keys support for FVP is deprecated. Use `regs` \
@ -28,10 +29,17 @@ else ifeq (${ARM_ROTPK_LOCATION}, devel_ecdsa)
CRYPTO_ALG=ec CRYPTO_ALG=ec
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_ECDSA_ID ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_ECDSA_ID
ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_dev_rotpk.S
$(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"')) $(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"'))
$(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH) $(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH)
$(warning Development keys support for FVP is deprecated. Use `regs` \ $(warning Development keys support for FVP is deprecated. Use `regs` \
option instead) option instead)
else ifeq (${ARM_ROTPK_LOCATION}, devel_full_dev_rsa_key)
CRYPTO_ALG=rsa
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S
$(warning Development keys support for FVP is deprecated. Use `regs` \
option instead)
else else
$(error "Unsupported ARM_ROTPK_LOCATION value") $(error "Unsupported ARM_ROTPK_LOCATION value")
endif endif
@ -67,9 +75,9 @@ TFW_NVCTR_VAL ?= 0
NTFW_NVCTR_VAL ?= 0 NTFW_NVCTR_VAL ?= 0
endif endif
BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c \ BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c \
plat/arm/board/common/rotpk/arm_dev_rotpk.S ${ARM_ROTPK_S}
BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c \ BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c \
plat/arm/board/common/rotpk/arm_dev_rotpk.S ${ARM_ROTPK_S}
# Allows platform code to provide implementation variants depending on the # Allows platform code to provide implementation variants depending on the
# selected chain of trust. # selected chain of trust.

32
plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S Normal file
View file

@ -0,0 +1,32 @@
/*
* Copyright (c) 2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/* corstone1000 platform provides custom values for the macros defined in
* arm_def.h , so only platform_def.h needs to be included
*/
#if !defined(TARGET_PLATFORM_FVP) && !defined(TARGET_PLATFORM_FPGA)
#include "plat/arm/common/arm_def.h"
#else
#include <platform_def.h>
#endif
.global arm_rotpk_key
.global arm_rotpk_key_end
.section .rodata.arm_rotpk_key, "a"
arm_rotpk_key:
.byte 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01
.byte 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01
.byte 0x00, 0xCB, 0x2C, 0x60, 0xD5, 0x8D, 0x63, 0xD4, 0x07, 0x79, 0x7E, 0xC7, 0x16, 0x96, 0xBD, 0x4D, 0x24, 0x4E, 0xAC, 0x86, 0xE6, 0xB7, 0x71, 0xE3, 0xC5, 0x54, 0x0B, 0xE7, 0x14, 0x1C, 0xBD, 0x29, 0x1A, 0xC1, 0x3F, 0x7A, 0xB6, 0x02, 0xAA, 0xAB, 0x36, 0xC4, 0xD9, 0x36, 0x69, 0x6C, 0xE2, 0x65, 0xC3, 0x9B, 0xB1, 0xBF, 0x3D, 0xA8, 0x56, 0x26, 0xCB, 0xFD, 0x04, 0x01, 0xBA, 0xAC, 0x3E, 0x54, 0x32, 0xCA, 0x79, 0x5E, 0xBB, 0xB2, 0x05, 0xEA, 0x06, 0x58, 0xF2, 0x74, 0xBA, 0xE1, 0xF4, 0x87, 0xC0, 0x19, 0x0A, 0x1F, 0x66, 0x07, 0x77, 0x84, 0x83, 0xA1, 0x1C, 0xEF, 0xFF, 0x28, 0x59, 0xE7, 0xC3, 0x68, 0x7D, 0x26, 0x20, 0x43, 0xEB, 0x56, 0x63, 0xF3, 0x39, 0x31, 0xD8, 0x2B, 0x51, 0xA9, 0xBC, 0x4F, 0xD0, 0xF6, 0xDE, 0x95, 0xDC, 0x5F, 0x5B, 0xC1, 0xED, 0x90, 0x6F, 0xEC, 0x28, 0x91, 0x7E, 0x17, 0xED, 0x78, 0x90, 0xF4, 0x60, 0xA7, 0xC4, 0xC7, 0x4F, 0x50, 0xED, 0x5D, 0x13, 0x3A, 0x21, 0x2B, 0x70, 0xC5, 0x61, 0x7B, 0x08, 0x21, 0x65, 0x3A, 0xCD, 0x82, 0x56, 0x8C, 0x7A, 0x47, 0xAC, 0x89, 0xE8, 0xA5, 0x48, 0x48
.byte 0x31, 0xD9, 0x1D, 0x46, 0xE5, 0x85, 0x86, 0x98, 0xA0, 0xE5, 0xC0, 0xA6, 0x6A, 0xBD, 0x07, 0xE4, 0x92, 0x57, 0x61, 0x07, 0x8F, 0x7D, 0x5A, 0x4D, 0xCA, 0xAE, 0x36, 0xB9, 0x56, 0x04, 0x10, 0xF2, 0x6C, 0xBE, 0xF6, 0x3B, 0x6C, 0x80, 0x3E, 0xBE , 0x0E, 0xA3, 0x4D , 0xC7 , 0xD4, 0x7E , 0xA7 , 0x49, 0xD4, 0xF2, 0xD2, 0xBC, 0xCF, 0x30, 0xA8, 0xE7, 0x74, 0x8F, 0x64, 0xDF, 0xBC, 0x5C, 0x47, 0x68, 0xCC, 0x40, 0x4C, 0xF8, 0x83, 0xCC, 0xCB, 0x40, 0x35, 0x04, 0x60, 0xCA, 0xB3, 0xA4, 0x17, 0x9F, 0x03, 0xCA, 0x1D, 0x5A, 0xFA, 0xD1, 0xAF, 0x21, 0x57, 0x10, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01
arm_rotpk_key_end:
.if ARM_ROTPK_KEY_LEN != arm_rotpk_key_end - arm_rotpk_key
.error "Invalid ROTPK length."
.endif