From 93273613b48048a4a884770e292e765fa85e3ad7 Mon Sep 17 00:00:00 2001 From: Ben Horgan Date: Tue, 29 Oct 2024 17:54:24 +0000 Subject: [PATCH 1/2] feat(sptool): populate secure partition number in makefile Calculate the secure partition number and saves it into the defined macro NUM_SP. Signed-off-by: Ben Horgan Signed-off-by: Leo Yan Change-Id: I4175a10d315482b65fd0f3eed4c6fd1e1e2b5e4d --- tools/sptool/sp_mk_generator.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/sptool/sp_mk_generator.py b/tools/sptool/sp_mk_generator.py index 1edb77d00..9bf5cd0bf 100644 --- a/tools/sptool/sp_mk_generator.py +++ b/tools/sptool/sp_mk_generator.py @@ -30,6 +30,9 @@ Secure Partition entry FIP_ARGS += --blob uuid=XXXXX-XXX...,file=sp1.pkg CRT_ARGS += --sp-pkg1 sp1.pkg +It populates the number of SP in the defined macro 'NUM_SP' + $(eval $(call add_define_val,NUM_SP,{len(sp_layout.keys())})) + A typical SP_LAYOUT_FILE file will look like { "SP1" : { @@ -151,6 +154,12 @@ def check_max_sps(sp_layout, _, args :dict): raise Exception(f"Too many SPs in SP layout file. Max: {MAX_SP}") return args +@SpSetupActions.sp_action(global_action=True) +def count_sps(sp_layout, _, args :dict): + ''' Count number of SP and put in NUM_SP ''' + write_to_sp_mk_gen(f"$(eval $(call add_define_val,NUM_SP,{len(sp_layout.keys())}))", args) + return args + @SpSetupActions.sp_action def gen_fdt_sources(sp_layout, sp, args :dict): ''' Generate FDT_SOURCES values for a given SP. ''' From 2e361319ac1907009b42da657f7c55a50a9ccca0 Mon Sep 17 00:00:00 2001 From: Ben Horgan Date: Tue, 29 Oct 2024 17:59:59 +0000 Subject: [PATCH 2/2] fix(tc): enable certificate on the last secure partition Distros (e.g. Buildroot and Android) can have different secure partition layout. This commit iterates the DPE metadata table and finds index (i) for the first entry of the secure partition, connecting with the defined secure partition number NUM_SP, so the last secure partition index is: i + NUM_SP - 1 Instead of setting the certificate in hard code, dynamically enables the certificate for the last secure partition base on calculated index. Signed-off-by: Ben Horgan Signed-off-by: Leo Yan Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9 --- plat/arm/board/tc/tc_bl2_dpe.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c index c56612b42..144e898ea 100644 --- a/plat/arm/board/tc/tc_bl2_dpe.c +++ b/plat/arm/board/tc/tc_bl2_dpe.c @@ -120,7 +120,7 @@ struct dpe_metadata tc_dpe_metadata[] = { .sw_type = MBOOT_SP1_STRING, .allow_new_context_to_derive = false, .retain_parent_context = true, - .create_certificate = true, /* With Trusty only one SP is loaded */ + .create_certificate = false, .target_locality = LOCALITY_NONE, /* won't derive don't care */ .pk_oid = NULL }, { @@ -230,10 +230,33 @@ void plat_dpe_get_context_handle(int *ctx_handle) void bl2_plat_mboot_init(void) { + size_t i; + const size_t array_size = ARRAY_SIZE(tc_dpe_metadata); + /* Initialize the communication channel between AP and RSE */ (void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE, PLAT_RSE_AP_RCV_MHU_BASE); +#if defined(SPD_spmd) + for (i = 0U; i < array_size; i++) { + if (tc_dpe_metadata[i].id != SP_PKG1_ID) { + continue; + } + + if ((i + NUM_SP > array_size) || (i - 1 + NUM_SP < 0)) { + ERROR("Secure partition number is out-of-range\n"); + ERROR(" Non-Secure partition number: %ld\n", i); + ERROR(" Secure partition number: %d\n", NUM_SP); + ERROR(" Metadata array size: %ld\n", array_size); + panic(); + } + + /* Finalize the certificate on the last secure partition */ + tc_dpe_metadata[i - 1 + NUM_SP].create_certificate = true; + break; + } +#endif + dpe_init(tc_dpe_metadata); }