feat(arm): use the provided hash alg to hash rotpk

No longer hard code SHA-256 hashed dev rotpks, instead
use the algorithm given by HASH_ALG. This means that
we no longer need the plat_arm_configs (once the protpk and
swd_rotpk are also updated to use HASH_ALG).

The rot public key is now generated at build time, as is
the header for the key.

Also support some default 3k and 4k RSA keys.

Change-Id: I33538124aeb4fa7d67918d878d17f2a84d3a6756
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Ryan Everett 2024-11-11 18:02:10 +00:00
parent 999503d285
commit d51981e15d
16 changed files with 177 additions and 189 deletions


@ -18,7 +18,4 @@
#ifndef ARM_ROTPK_HEADER_LEN
#define ARM_ROTPK_HEADER_LEN 19
#endif
#ifndef ARM_ROTPK_HASH_LEN
#define ARM_ROTPK_HASH_LEN 32
#endif
#endif /* ROTPK_DEF_H */


@ -1,5 +1,5 @@
/*
* Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2024, ARM Limited and Contributors. All rights reserved.
*
* Copyright (C) 2017-2023 Nuvoton Ltd.
*
@ -33,7 +33,6 @@
* Root of trust key hash lengths
*/
#define ARM_ROTPK_HEADER_LEN 19
#define ARM_ROTPK_HASH_LEN 32
/* Special value used to verify platform parameters from BL2 to BL31 */
#define ARM_BL31_PLAT_PARAM_VAL ULL(0x0f1e2d3c4b5a6978)
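Review bot: The comment `* Root of trust key hash lengths` above `#define ARM_ROTPK_HEADER_LEN 19` now heads a single define, and a reader of this platform header gets no hint where ARM_ROTPK_HASH_LEN went; suggest `/* Root of trust key hash header length; ARM_ROTPK_HASH_LEN is now supplied by the build system from HASH_ALG */`. This header belongs to a Nuvoton board rather than an Arm development platform, so it is worth confirming that every configuration of it which references ARM_ROTPK_HASH_LEN goes through the plat/arm/common makefile where this commit adds the define (under the TRUSTED_BOARD_BOOT/MEASURED_BOOT/DRTM guard); one that does not would now fail to compile rather than misbehave silently, which is the safe direction but still a breakage.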


@ -1,5 +1,5 @@
#
# Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
# Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@ -13,63 +13,70 @@ BL2_SOURCES += drivers/cfi/v2m/v2m_flash.c
ifneq (${TRUSTED_BOARD_BOOT},0)
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_dev_rotpk.S
ARM_ROTPK = $(BUILD_PLAT)/arm_rotpk.bin
ARM_ROTPK_IS_HASH := 1
$(eval $(call add_define_val,ARM_ROTPK,'"$(ARM_ROTPK)"'))
# ROTPK hash location
ifeq (${ARM_ROTPK_LOCATION}, regs)
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_REGS_ID
else ifeq (${ARM_ROTPK_LOCATION}, devel_rsa)
else
# The ROTPK is a development key
ifeq (${ARM_ROTPK_LOCATION}, devel_rsa)
CRYPTO_ALG=rsa
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_RSA_ID
ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
$(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"'))
$(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH)
ROT_KEY ?= plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
$(warning Development keys support for FVP is deprecated. Use `regs` \
option instead)
else ifeq (${ARM_ROTPK_LOCATION}, devel_ecdsa)
CRYPTO_ALG=ec
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_ECDSA_ID
ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin
$(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"'))
$(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH)
ROT_KEY ?= plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem
$(warning Development keys support for FVP is deprecated. Use `regs` \
option instead)
else ifeq (${ARM_ROTPK_LOCATION}, devel_full_dev_rsa_key)
CRYPTO_ALG=rsa
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S
ROT_KEY ?= plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
ARM_ROTPK_IS_HASH = 0
$(warning Development keys support for FVP is deprecated. Use `regs` \
option instead)
else ifeq (${ARM_ROTPK_LOCATION}, devel_full_dev_ecdsa_key)
CRYPTO_ALG=ec
ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_FULL_DEV_ECDSA_KEY_ID
ifeq (${KEY_SIZE},384)
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_full_dev_ecdsa_p384_rotpk.S
else
ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_full_dev_ecdsa_p256_rotpk.S
endif
ROT_KEY ?= plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem
ARM_ROTPK_IS_HASH = 0
$(warning Development keys support for FVP is deprecated. Use `regs` \
option instead)
else
$(error "Unsupported ARM_ROTPK_LOCATION value")
endif
$(BUILD_PLAT)/bl1/arm_dev_rotpk.o : $(ARM_ROTPK)
$(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK)
endif
$(eval $(call add_define,ARM_ROTPK_LOCATION_ID))
$(eval $(call add_define,ARM_ROTPK_IS_HASH))
ifeq (${ENABLE_RME}, 1)
COT := cca
endif
# Force generation of the new hash if ROT_KEY is specified
# Force generation of the ROT public key if ROT_KEY is specified
ifdef ROT_KEY
HASH_PREREQUISITES = $(ROT_KEY) FORCE
PK_PREREQUISITES = $(ROT_KEY) FORCE
endif
$(ARM_ROTPK_HASH) : $(HASH_PREREQUISITES)
$(ARM_ROTPK) : $(PK_PREREQUISITES)
ifndef ROT_KEY
$(error Cannot generate hash: no ROT_KEY defined)
$(error Cannot generate public key: no ROT_KEY defined)
endif
ifeq ($(ARM_ROTPK_IS_HASH), 1)
${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER | \
${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@
${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@
else
${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER -out $@
endif
# Certificate NV-Counters. Use values corresponding to tied off values in
# ARM development platforms
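Review bot: The hash recipe `${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER | ${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@` only reports the exit status of the `dgst` stage, so if the key export fails (wrong ROT_KEY path, CRYPTO_ALG not matching the PEM, unreadable file) make still sees success and $(ARM_ROTPK) becomes the digest of empty input, which the `arm_dev_rotpk.o` rules above then bake into BL1 and BL2 as the trust anchor; the result fails closed at boot, but only after a confusing run of certificate-authentication failures instead of a build error. Splitting the pipeline into two commands joined with `&&` makes the export failure fatal: `${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER -out $@.der && ${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@ $@.der`. The sha256 line this hunk replaces had the same weakness, so it is worth fixing while the recipe is being touched. Separately, the 3k/4k RSA dev keys this commit adds are not selected anywhere in this hunk (`ROT_KEY ?=` still points at arm_rotprivk_rsa.pem in both RSA branches); presumably the KEY_SIZE-based selection lives in a platform makefile outside this view, which is worth confirming.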


@ -6,20 +6,64 @@
#include <plat/arm/board/common/rotpk/rotpk_def.h>
#if ARM_ROTPK_IS_HASH == 1
.global arm_rotpk_header
.global arm_rotpk_hash_end
.section .rodata.arm_rotpk_hash, "a"
#ifndef ARM_ROTPK_HASH_LEN
.error "ROTPK hash not defined."
#endif
/*
* The rotpk header is dependent only on the algorithm used to
* generate the hash.
* ASN1_HASH_ALG is the last byte used to encode the OID for
* the hash algorithm into the header,
* this byte distinguishes between SHA256, SHA384 and SHA512.
*/
.equ HASH_ASN1_LEN, ARM_ROTPK_HASH_LEN
#if ARM_ROTPK_HASH_LEN == 48
.equ ASN1_HASH_ALG, 0x02
.equ TOTAL_ASN1_LEN, 0x41
#elif ARM_ROTPK_HASH_LEN == 64
.equ ASN1_HASH_ALG, 0x03
.equ TOTAL_ASN1_LEN, 0x51
#elif ARM_ROTPK_HASH_LEN == 32
.equ ASN1_HASH_ALG, 0x01
.equ TOTAL_ASN1_LEN, 0x31
#else
.error "Invalid ROTPK hash length."
#endif
arm_rotpk_header:
.byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
.byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
.byte 0x30, TOTAL_ASN1_LEN, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
.byte 0x01, 0x65, 0x03, 0x04, 0x02, ASN1_HASH_ALG, 0x05, 0x00, 0x04, HASH_ASN1_LEN
arm_rotpk_header_len:
#ifdef ARM_ROTPK_HASH
.global arm_rotpk_hash_end
.incbin ARM_ROTPK_HASH
#ifdef ARM_ROTPK
.incbin ARM_ROTPK
arm_rotpk_hash_end:
#endif
.if ARM_ROTPK_HEADER_LEN != arm_rotpk_header_len - arm_rotpk_header
.error "Invalid ROTPK header length."
.endif
.if ARM_ROTPK_HEADER_LEN != arm_rotpk_header_len - arm_rotpk_header
.error "Invalid ROTPK header length."
.endif
#else
/*
* The rotpk is an unhashed public key in DER format.
* We do not need a header in this case.
*/
.global arm_rotpk_key
.section .rodata.arm_rotpk_key, "a"
arm_rotpk_key:
#ifdef ARM_ROTPK
.global arm_rotpk_key_end
.incbin ARM_ROTPK
arm_rotpk_key_end:
#else
.error "ROTPK not found."
#endif
#endif
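Review bot: The OCTET STRING length byte `HASH_ASN1_LEN` in the DigestInfo header is fixed from ARM_ROTPK_HASH_LEN, but nothing checks that the `.incbin ARM_ROTPK` payload is actually that long, so a build where HASH_ALG and ARM_ROTPK_HASH_LEN disagree (or where an externally supplied ARM_ROTPK was hashed with a different algorithm) assembles a DER structure whose declared length does not match its contents and is only noticed when every certificate fails to authenticate. The assembler can catch this at build time: after `arm_rotpk_hash_end:` add `.if ARM_ROTPK_HASH_LEN != arm_rotpk_hash_end - arm_rotpk_header_len` / `.error "ROTPK hash length does not match ARM_ROTPK_HASH_LEN."` / `.endif`. The `ARM_ROTPK_HEADER_LEN` check appears twice in this section; if both copies survive on the new side rather than being an old/new rendering of one, the duplicate can be dropped. The OID tails and TOTAL_ASN1_LEN values for 32/48/64-byte digests (0x31/0x41/0x51) are consistent with the 15-byte AlgorithmIdentifier plus a 2-byte OCTET STRING header.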


@ -1,23 +0,0 @@
/*
* Copyright (c) 2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
.global arm_rotpk_key
.global arm_rotpk_key_end
.section .rodata.arm_rotpk_key, "a"
/* Derived from arm_rotprivk_ecdsa.pem private key file. */
arm_rotpk_key:
.byte 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D
.byte 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01
.byte 0x07, 0x03, 0x42, 0x00, 0x04, 0x9B, 0xE6, 0x48, 0xBD, 0x34, 0x38
.byte 0xE1, 0xA2, 0xA4, 0xF3, 0x70, 0xE1, 0x54, 0xBB, 0x2F, 0xB0, 0x5A
.byte 0x4A, 0x0C, 0xFF, 0xC2, 0x87, 0xDB, 0xC0, 0xFB, 0x81, 0xE9, 0xF9
.byte 0xF9, 0x95, 0x7D, 0x7E, 0xA0, 0x0C, 0x7F, 0x0A, 0xD4, 0xE0, 0x62
.byte 0x4A, 0x94, 0x5F, 0xEC, 0x52, 0x7D, 0x44, 0x63, 0xC8, 0x9F, 0x61
.byte 0xFA, 0xC6, 0xCB, 0x7E, 0x6B, 0x53, 0xAD, 0x2C, 0xC5, 0x94, 0x0D
.byte 0x1A, 0x86, 0x91
arm_rotpk_key_end:


@ -1,25 +0,0 @@
/*
* Copyright (c) 2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
.global arm_rotpk_key
.global arm_rotpk_key_end
.section .rodata.arm_rotpk_key, "a"
/* Derived from arm_rotprivk_ecdsa_secp384r1.pem private key file. */
arm_rotpk_key:
.byte 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D
.byte 0x02, 0x01, 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62
.byte 0x00, 0x04, 0xB8, 0xB0, 0xC7, 0xC4, 0x57, 0x19, 0xB7, 0x5A, 0x06
.byte 0x36, 0xC5, 0xD8, 0x3C, 0x4E, 0xC3, 0xB5, 0xE1, 0x15, 0x60, 0x0E
.byte 0x63, 0xD8, 0xAF, 0x22, 0x2C, 0x6D, 0x79, 0x29, 0xDF, 0x46, 0xA9
.byte 0x30, 0x12, 0x16, 0x2D, 0x4F, 0x0F, 0x96, 0x6B, 0x1F, 0x87, 0x06
.byte 0xDB, 0x8F, 0xD7, 0x08, 0x46, 0xE4, 0x4C, 0x22, 0xF3, 0xDE, 0xCE
.byte 0x0F, 0x72, 0x27, 0x00, 0xAA, 0xD8, 0xC3, 0x79, 0x80, 0x5E, 0xF1
.byte 0x35, 0x1B, 0x33, 0xB6, 0x31, 0xC4, 0x59, 0xD4, 0xE9, 0x65, 0x91
.byte 0x22, 0x58, 0x2F, 0x87, 0xF1, 0x6C, 0x27, 0xBE, 0x99, 0x6F, 0x5F
.byte 0x6C, 0x14, 0xC5, 0x37, 0x0C, 0x73, 0xB4, 0xE4, 0x8A, 0x63
arm_rotpk_key_end:


@ -1,40 +0,0 @@
/*
* Copyright (c) 2022-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
.global arm_rotpk_key
.global arm_rotpk_key_end
.section .rodata.arm_rotpk_key, "a"
arm_rotpk_key:
.byte 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48
.byte 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01
.byte 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00
.byte 0xCB, 0x2C, 0x60, 0xD5, 0x8D, 0x63, 0xD4, 0x07, 0x79, 0x7E, 0xC7
.byte 0x16, 0x96, 0xBD, 0x4D, 0x24, 0x4E, 0xAC, 0x86, 0xE6, 0xB7, 0x71
.byte 0xE3, 0xC5, 0x54, 0x0B, 0xE7, 0x14, 0x1C, 0xBD, 0x29, 0x1A, 0xC1
.byte 0x3F, 0x7A, 0xB6, 0x02, 0xAA, 0xAB, 0x36, 0xC4, 0xD9, 0x36, 0x69
.byte 0x6C, 0xE2, 0x65, 0xC3, 0x9B, 0xB1, 0xBF, 0x3D, 0xA8, 0x56, 0x26
.byte 0xCB, 0xFD, 0x04, 0x01, 0xBA, 0xAC, 0x3E, 0x54, 0x32, 0xCA, 0x79
.byte 0x5E, 0xBB, 0xB2, 0x05, 0xEA, 0x06, 0x58, 0xF2, 0x74, 0xBA, 0xE1
.byte 0xF4, 0x87, 0xC0, 0x19, 0x0A, 0x1F, 0x66, 0x07, 0x77, 0x84, 0x83
.byte 0xA1, 0x1C, 0xEF, 0xFF, 0x28, 0x59, 0xE7, 0xC3, 0x68, 0x7D, 0x26
.byte 0x20, 0x43, 0xEB, 0x56, 0x63, 0xF3, 0x39, 0x31, 0xD8, 0x2B, 0x51
.byte 0xA9, 0xBC, 0x4F, 0xD0, 0xF6, 0xDE, 0x95, 0xDC, 0x5F, 0x5B, 0xC1
.byte 0xED, 0x90, 0x6F, 0xEC, 0x28, 0x91, 0x7E, 0x17, 0xED, 0x78, 0x90
.byte 0xF4, 0x60, 0xA7, 0xC4, 0xC7, 0x4F, 0x50, 0xED, 0x5D, 0x13, 0x3A
.byte 0x21, 0x2B, 0x70, 0xC5, 0x61, 0x7B, 0x08, 0x21, 0x65, 0x3A, 0xCD
.byte 0x82, 0x56, 0x8C, 0x7A, 0x47, 0xAC, 0x89, 0xE8, 0xA5, 0x48, 0x48
.byte 0x31, 0xD9, 0x1D, 0x46, 0xE5, 0x85, 0x86, 0x98, 0xA0, 0xE5, 0xC0
.byte 0xA6, 0x6A, 0xBD, 0x07, 0xE4, 0x92, 0x57, 0x61, 0x07, 0x8F, 0x7D
.byte 0x5A, 0x4D, 0xCA, 0xAE, 0x36, 0xB9, 0x56, 0x04, 0x10, 0xF2, 0x6C
.byte 0xBE, 0xF6, 0x3B, 0x6C, 0x80, 0x3E, 0xBE, 0x0E, 0xA3, 0x4D, 0xC7
.byte 0xD4, 0x7E, 0xA7, 0x49, 0xD4, 0xF2, 0xD2, 0xBC, 0xCF, 0x30, 0xA8
.byte 0xE7, 0x74, 0x8F, 0x64, 0xDF, 0xBC, 0x5C, 0x47, 0x68, 0xCC, 0x40
.byte 0x4C, 0xF8, 0x83, 0xCC, 0xCB, 0x40, 0x35, 0x04, 0x60, 0xCA, 0xB3
.byte 0xA4, 0x17, 0x9F, 0x03, 0xCA, 0x1D, 0x5A, 0xFA, 0xD1, 0xAF, 0x21
.byte 0x57, 0x10, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01
arm_rotpk_key_end:


@ -1 +0,0 @@
.@<40>n<EFBFBD><12><>1q = <0B><><EFBFBD>iJ<69><EFBFBD> <20>Nl


@ -1 +0,0 @@
Аѓ<EFBFBD> <12>и:7zrGь2sщ<73>2тIYі^<5E>JJFи"<22>к


@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -382,12 +382,14 @@ endif
ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),)
PLAT_INCLUDES += -Iplat/arm/common \
-Iinclude/drivers/auth/mbedtls
# Specify mbed TLS configuration file
ifeq (${PSA_CRYPTO},1)
MBEDTLS_CONFIG_FILE ?= "<plat_arm_psa_mbedtls_config.h>"
ifeq (${HASH_ALG}, sha512)
ARM_ROTPK_HASH_LEN := 64
else ifeq (${HASH_ALG}, sha384)
ARM_ROTPK_HASH_LEN := 48
else
MBEDTLS_CONFIG_FILE ?= "<plat_arm_mbedtls_config.h>"
ARM_ROTPK_HASH_LEN := 32
endif
$(eval $(call add_define,ARM_ROTPK_HASH_LEN))
endif
ifneq (${TRUSTED_BOARD_BOOT},0)
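Review bot: The final `else` branch maps every HASH_ALG value other than sha512/sha384 to `ARM_ROTPK_HASH_LEN := 32`, while board_common.mk passes the same string straight to `openssl dgst -${HASH_ALG}`; an unexpected or misspelt value therefore yields a digest of one length and a header declaring another, rather than a build error. Unless HASH_ALG is already validated earlier in the common build (plausible, but not visible here), make the sha256 case explicit and fail on anything else, as below. This hunk also drops the `MBEDTLS_CONFIG_FILE` defaults, and the deleted plat_arm_psa_mbedtls_config.h carried `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` and the 12 KiB heap override for RSA keys larger than 2048 bits; since this commit adds 3k/4k RSA dev keys, it is worth confirming the generic mbedTLS configuration now provides both for the PSA_CRYPTO=1 build.
```make
# … unchanged: sha512 / sha384 cases …
else ifeq (${HASH_ALG}, sha256)
    ARM_ROTPK_HASH_LEN := 32
else
    $(error Unsupported HASH_ALG value "${HASH_ALG}")
endif
```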


@ -1,26 +0,0 @@
/*
* Copyright (c) 2024, Arm Ltd. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef PLAT_ARM_MBEDTLS_CONFIG_H
#define PLAT_ARM_MBEDTLS_CONFIG_H
#include <default_mbedtls_config.h>
/**
* On Arm platforms, the ROTPK is always hashed using the SHA-256
* algorithm.
* TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid
* the need for explicitly enabling the SHA-256 configuration in mbedTLS.
*/
#define MBEDTLS_SHA256_C
/*
* Use an implementation of SHA-256 with a smaller memory footprint
* but reduced speed.
*/
#define MBEDTLS_SHA256_SMALLER
#endif /* PLAT_ARM_MBEDTLS_CONFIG_H */


@ -1,37 +0,0 @@
/*
* Copyright (c) 2024, Arm Ltd. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef PLAT_ARM_PSA_MBEDTLS_CONFIG_H
#define PLAT_ARM_PSA_MBEDTLS_CONFIG_H
#include "plat_arm_mbedtls_config.h"
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
/*
* Using PSA crypto API requires an RNG right now. If we don't define the macro
* below then we get build errors.
*
* This is a functionality gap in mbedTLS. The technical limitation is that
* psa_crypto_init() is all-or-nothing, and fixing that would require separate
* initialization of the keystore, the RNG, etc.
*
* By defining MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG, we pretend using an external
* RNG. As a result, the PSA crypto init code does nothing when it comes to
* initializing the RNG, as we are supposed to take care of that ourselves.
*/
#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
/*
* Override heap size for PSA Crypto when RSA key size > 2048.
*/
#if TF_MBEDTLS_USE_RSA && TF_MBEDTLS_KEY_SIZE > 2048
#undef TF_MBEDTLS_HEAP_SIZE
#define TF_MBEDTLS_HEAP_SIZE U(12 * 1024)
#endif
#endif /* PLAT_ARM_PSA_MBEDTLS_CONFIG_H */