feat(rpi3): implement mboot for rpi3

Add Measured Boot support using the Event Log backend for the rpi3
platform.
-Implement measured boot infrastructure in BL1 & BL2, including
 the init, measure image, and finish phases.
-Pass the eventlog addr and size from BL1 to BL2 using the
 image entry point args.
-dump the eventlog after measuring BL2, and after all images are
 measured in BL2.

Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
Change-Id: I7c040c4a2d001a933fefb0b16f0fdf2a43a11be9

plat/rpi/rpi3/include/platform_def.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2025, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -261,4 +261,9 @@
  */
 #define SYS_COUNTER_FREQ_IN_TICKS	ULL(19200000)
 
+/*
+ * TCG Event Log
+ */
+#define PLAT_ARM_EVENT_LOG_MAX_SIZE UL(0x400)
+
 #endif /* PLATFORM_DEF_H */

plat/rpi/rpi3/include/rpi3_measured_boot.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef RPI3_MEASURED_BOOT_H
+#define RPI3_MEASURED_BOOT_H
+
+#include <stdint.h>
+
+#include <arch_helpers.h>
+
+void rpi3_mboot_fetch_eventlog_info(uint8_t **eventlog_addr, size_t *eventlog_size);
+
+#endif /* RPI3_MEASURED_BOOT_H */

plat/rpi/rpi3/platform.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2024, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2025, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -20,6 +20,25 @@ PLAT_BL_COMMON_SOURCES	:=	drivers/ti/uart/aarch64/16550_console.S	\
 				plat/rpi/common/rpi3_console_dual.c	\
 				${XLAT_TABLES_LIB_SRCS}
 
+ifeq (${MEASURED_BOOT},1)
+MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
+$(info Including ${MEASURED_BOOT_MK})
+include ${MEASURED_BOOT_MK}
+
+PLAT_BL_COMMON_SOURCES	+=	${EVENT_LOG_SOURCES}
+
+BL1_SOURCES		+= 	plat/rpi/rpi3/rpi3_bl1_mboot.c
+BL2_SOURCES		+= 	plat/rpi/rpi3/rpi3_bl2_mboot.c
+
+CRYPTO_SOURCES		:=	drivers/auth/crypto_mod.c
+
+BL1_SOURCES		+=	${CRYPTO_SOURCES}
+BL2_SOURCES		+=	${CRYPTO_SOURCES}
+
+include drivers/auth/mbedtls/mbedtls_crypto.mk
+
+endif
+
 BL1_SOURCES		+=	drivers/io/io_fip.c			\
 				drivers/io/io_memmap.c			\
 				drivers/io/io_storage.c			\

plat/rpi/rpi3/rpi3_bl1_mboot.c

@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdint.h>
+
+#include <common/desc_image_load.h>
+#include <common/ep_info.h>
+#include <drivers/auth/crypto_mod.h>
+#include <drivers/measured_boot/event_log/event_log.h>
+#include <drivers/measured_boot/metadata.h>
+#include <plat/arm/common/plat_arm.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+
+/* Event Log data */
+uint8_t event_log[PLAT_ARM_EVENT_LOG_MAX_SIZE];
+
+/* RPI3 table with platform specific image IDs, names and PCRs */
+const event_log_metadata_t rpi3_event_log_metadata[] = {
+	{ FW_CONFIG_ID, MBOOT_FW_CONFIG_STRING, PCR_0 },
+	{ TB_FW_CONFIG_ID, MBOOT_TB_FW_CONFIG_STRING, PCR_0 },
+	{ BL2_IMAGE_ID, MBOOT_BL2_IMAGE_STRING, PCR_0 },
+
+	{ EVLOG_INVALID_ID, NULL, (unsigned int)(-1) }	/* Terminator */
+};
+
+void bl1_plat_mboot_init(void)
+{
+	event_log_init(event_log, event_log + sizeof(event_log));
+	event_log_write_header();
+}
+
+void bl1_plat_mboot_finish(void)
+{
+	size_t event_log_cur_size;
+	image_desc_t *image_desc;
+	entry_point_info_t *ep_info;
+
+	event_log_cur_size = event_log_get_cur_size(event_log);
+	image_desc = bl1_plat_get_image_desc(BL2_IMAGE_ID);
+	assert(image_desc != NULL);
+
+	/* Get the entry point info */
+	ep_info = &image_desc->ep_info;
+	ep_info->args.arg2 = (uint64_t) event_log;
+	ep_info->args.arg3 = (uint32_t) event_log_cur_size;
+}
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+	int rc = 0;
+	unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
+	const event_log_metadata_t *metadata_ptr = rpi3_event_log_metadata;
+
+	rc = event_log_measure(image_data->image_base, image_data->image_size, hash_data);
+	if (rc != 0) {
+		return rc;
+	}
+
+	while ((metadata_ptr->id != EVLOG_INVALID_ID) &&
+		(metadata_ptr->id != image_id)) {
+		metadata_ptr++;
+	}
+	assert(metadata_ptr->id != EVLOG_INVALID_ID);
+
+	event_log_record(hash_data, EV_POST_CODE, metadata_ptr);
+
+	/* Dump Event Log for user view */
+	dump_event_log((uint8_t *)event_log, event_log_get_cur_size(event_log));
+
+	return rc;
+}

plat/rpi/rpi3/rpi3_bl2_mboot.c

@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdint.h>
+
+#include "./include/rpi3_measured_boot.h"
+
+#include <drivers/auth/crypto_mod.h>
+#include <drivers/measured_boot/event_log/event_log.h>
+#include <drivers/measured_boot/metadata.h>
+#include <plat/common/common_def.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+#include <tools_share/tbbr_oid.h>
+
+/* RPI3 table with platform specific image IDs, names and PCRs */
+const event_log_metadata_t rpi3_event_log_metadata[] = {
+	{ BL31_IMAGE_ID, MBOOT_BL31_IMAGE_STRING, PCR_0 },
+	{ BL33_IMAGE_ID, MBOOT_BL33_IMAGE_STRING, PCR_0 },
+	{ NT_FW_CONFIG_ID, MBOOT_NT_FW_CONFIG_STRING, PCR_0 },
+
+	{ EVLOG_INVALID_ID, NULL, (unsigned int)(-1) }	/* Terminator */
+};
+
+static uint8_t *event_log_start;
+static size_t event_log_size;
+
+void bl2_plat_mboot_init(void)
+{
+	uint8_t *bl2_event_log_start;
+	uint8_t *bl2_event_log_finish;
+
+	rpi3_mboot_fetch_eventlog_info(&event_log_start, &event_log_size);
+	bl2_event_log_start = event_log_start + event_log_size;
+	bl2_event_log_finish = event_log_start + PLAT_ARM_EVENT_LOG_MAX_SIZE;
+	event_log_init(bl2_event_log_start, bl2_event_log_finish);
+}
+
+void bl2_plat_mboot_finish(void)
+{
+	/* Event Log filled size */
+	size_t event_log_cur_size;
+
+	event_log_cur_size = event_log_get_cur_size((uint8_t *)event_log_start);
+
+	/* Dump Event Log for user view */
+	dump_event_log((uint8_t *)event_log_start, event_log_cur_size);
+}
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+	int rc = 0;
+
+	unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
+	const event_log_metadata_t *metadata_ptr = rpi3_event_log_metadata;
+
+	/* Measure the payload with algorithm selected by EventLog driver */
+	rc = event_log_measure(image_data->image_base, image_data->image_size, hash_data);
+	if (rc != 0) {
+		return rc;
+	}
+
+	while ((metadata_ptr->id != EVLOG_INVALID_ID) &&
+		(metadata_ptr->id != image_id)) {
+		metadata_ptr++;
+	}
+	assert(metadata_ptr->id != EVLOG_INVALID_ID);
+
+	event_log_record(hash_data, EV_POST_CODE, metadata_ptr);
+
+	return rc;
+}

plat/rpi/rpi3/rpi3_bl2_setup.c

@@ -1,12 +1,12 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2025, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
 #include <assert.h>
 
-#include <platform_def.h>
+#include "./include/rpi3_measured_boot.h"
 
 #include <arch_helpers.h>
 #include <common/bl_common.h>
@@ -18,6 +18,7 @@
 #include <drivers/generic_delay_timer.h>
 #include <drivers/rpi3/gpio/rpi3_gpio.h>
 #include <drivers/rpi3/sdhost/rpi3_sdhost.h>
+#include <platform_def.h>
 
 #include <rpi_shared.h>
 
@@ -27,6 +28,10 @@ static meminfo_t bl2_tzram_layout __aligned(CACHE_WRITEBACK_GRANULE);
 /* Data structure which holds the MMC info */
 static struct mmc_device_info mmc_info;
 
+/* Variables that hold the eventlog addr and size for use in BL2 Measured Boot */
+static uint8_t *event_log_start;
+static size_t event_log_size;
+
 static void rpi3_sdhost_setup(void)
 {
 	struct rpi3_sdhost_params params;
@@ -41,6 +46,12 @@ static void rpi3_sdhost_setup(void)
 	rpi3_sdhost_init(&params, &mmc_info);
 }
 
+void rpi3_mboot_fetch_eventlog_info(uint8_t **eventlog_addr, size_t *eventlog_size)
+{
+	*eventlog_addr = event_log_start;
+	*eventlog_size = event_log_size;
+}
+
 /*******************************************************************************
  * BL1 has passed the extents of the trusted SRAM that should be visible to BL2
  * in x0. This memory layout is sitting at the base of the free trusted SRAM.
@@ -67,6 +78,10 @@ void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1,
 	/* Setup SDHost driver */
 	rpi3_sdhost_setup();
 
+	/* populate eventlog addr and size for use in bl2 mboot */
+	event_log_start = (uint8_t *)(uintptr_t)arg2;
+	event_log_size = arg3;
+
 	plat_rpi3_io_setup();
 }