From e7f1181f8a7729acb07ebac86944e36932bcd09e Mon Sep 17 00:00:00 2001 From: Tamas Ban Date: Wed, 7 Jun 2023 13:35:04 +0200 Subject: [PATCH] feat(tc): add DPE backend to the measured boot framework The client platform relies on the DICE attestation scheme. RSS provides the DICE Protection Environment (DPE) service. TF-A measured boot framework supports multiple backends. A given platform always enables the corresponding backend which is required by the attestation scheme. Signed-off-by: Tamas Ban Change-Id: Idc3360d0d7216e4859e99b5db3d377407e0aeee5 --- Makefile | 2 + docs/getting_started/build-options.rst | 7 + include/plat/common/platform.h | 10 +- make_helpers/defaults.mk | 3 + plat/arm/board/tc/platform.mk | 50 +++++-- plat/arm/board/tc/tc_bl1_dpe.c | 59 ++++++++ plat/arm/board/tc/tc_bl2_dpe.c | 179 +++++++++++++++++++++++++ plat/arm/board/tc/tc_common_dpe.c | 36 +++++ 8 files changed, 327 insertions(+), 19 deletions(-) create mode 100644 plat/arm/board/tc/tc_bl1_dpe.c create mode 100644 plat/arm/board/tc/tc_bl2_dpe.c create mode 100644 plat/arm/board/tc/tc_common_dpe.c diff --git a/Makefile b/Makefile index ef570b2f6..800346ad4 100644 --- a/Makefile +++ b/Makefile @@ -1145,6 +1145,7 @@ $(eval $(call assert_booleans,\ HARDEN_SLS \ HW_ASSISTED_COHERENCY \ MEASURED_BOOT \ + DICE_PROTECTION_ENVIRONMENT \ DRTM_SUPPORT \ NS_TIMER_SWITCH \ OVERRIDE_LIBC \ @@ -1312,6 +1313,7 @@ $(eval $(call add_defines,\ HW_ASSISTED_COHERENCY \ LOG_LEVEL \ MEASURED_BOOT \ + DICE_PROTECTION_ENVIRONMENT \ DRTM_SUPPORT \ NS_TIMER_SWITCH \ PL011_GENERIC_UART \ diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index a8b40ad8e..f817da0f8 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst 
@@ -706,6 +706,13 @@ Common build options This option defaults to 0. +- ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot + backend when ``MEASURED_BOOT`` is enabled. The default value is ``0``. When + set to ``1`` then measurements and additional metadata collected during the + measured boot process are sent to the DICE Protection Environment for storage + and processing. A certificate chain, which represents the boot state of the + device, can be queried from the DPE. + - ``MARCH_DIRECTIVE``: used to pass a -march option from the platform build options to the compiler. An example usage: diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h index 4d1b1c17c..714d9a9de 100644 --- a/include/plat/common/platform.h +++ b/include/plat/common/platform.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2023, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2024, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -242,7 +242,7 @@ __dead2 void bl1_plat_fwu_done(void *client_cookie, void *reserved); int bl1_plat_handle_pre_image_load(unsigned int image_id); int bl1_plat_handle_post_image_load(unsigned int image_id); -#if MEASURED_BOOT +#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT) void bl1_plat_mboot_init(void); void bl1_plat_mboot_finish(void); #else @@ -252,7 +252,7 @@ static inline void bl1_plat_mboot_init(void) static inline void bl1_plat_mboot_finish(void) { } -#endif /* MEASURED_BOOT */ +#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT */ /******************************************************************************* * Mandatory BL2 functions 
@@ -272,7 +272,7 @@ int bl2_plat_handle_post_image_load(unsigned int image_id); /******************************************************************************* * Optional BL2 functions (may be overridden) ******************************************************************************/ -#if MEASURED_BOOT +#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT) void bl2_plat_mboot_init(void); void bl2_plat_mboot_finish(void); #else @@ -282,7 +282,7 @@ static inline void bl2_plat_mboot_init(void) static inline void bl2_plat_mboot_finish(void) { } -#endif /* MEASURED_BOOT */ +#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENTs */ /******************************************************************************* * Mandatory BL2 at EL3 functions: Must be implemented diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 7fe8bf81d..26d2a00cd 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -176,6 +176,9 @@ endif # Option to build TF with Measured Boot support MEASURED_BOOT := 0 +# Option to enable the DICE Protection Environmnet as a Measured Boot backend +DICE_PROTECTION_ENVIRONMENT :=0 + # NS timer register save and restore NS_TIMER_SWITCH := 0 diff --git a/plat/arm/board/tc/platform.mk b/plat/arm/board/tc/platform.mk index 652a17e33..36b89ac11 100644 --- a/plat/arm/board/tc/platform.mk +++ b/plat/arm/board/tc/platform.mk 
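Review bot: The closing comment on the new `#endif` line of the `@@ -282,7` hunk reads `DICE_PROTECTION_ENVIRONMENTs`, which no longer matches the `#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT)` guard it closes, while the `#endif` in the `@@ -252,7` hunk spells it correctly; change it to `#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT */`. Separately, the `||` used in all four guard hunks lets DICE_PROTECTION_ENVIRONMENT=1 on its own select the non-inline prototypes, yet platform.mk in this patch only adds the DPE sources inside `ifeq (${MEASURED_BOOT},1)`, so that combination would appear to leave `bl1_plat_mboot_init`/`bl2_plat_mboot_init` declared but never defined if BL1/BL2 call them unconditionally. Either documenting that the option requires MEASURED_BOOT=1 or rejecting the combination in the build would close that gap.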
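Review bot: The comment above the new option misspells "Environment" as `Environmnet`, and `DICE_PROTECTION_ENVIRONMENT :=0` departs from the `NAME := 0` spacing that `MEASURED_BOOT := 0` uses two lines above. Suggest `# Option to enable the DICE Protection Environment as a Measured Boot backend` and `DICE_PROTECTION_ENVIRONMENT := 0`.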
@@ -170,27 +170,49 @@ $(eval $(call TOOL_ADD_PAYLOAD,${TC_HW_CONFIG},--hw-config,${TC_HW_CONFIG})) # Include Measured Boot makefile before any Crypto library makefile. # Crypto library makefile may need default definitions of Measured Boot build # flags present in Measured Boot makefile. +$(info Including rss_comms.mk) ifeq (${MEASURED_BOOT},1) - MEASURED_BOOT_MK := drivers/measured_boot/rss/rss_measured_boot.mk - $(info Including ${MEASURED_BOOT_MK}) - include ${MEASURED_BOOT_MK} - $(info Including rss_comms.mk) - include drivers/arm/rss/rss_comms.mk + $(info Including rss_comms.mk) + include drivers/arm/rss/rss_comms.mk - BL1_SOURCES += ${MEASURED_BOOT_SOURCES} \ + BL1_SOURCES += ${RSS_COMMS_SOURCES} + BL2_SOURCES += ${RSS_COMMS_SOURCES} + PLAT_INCLUDES += -Iinclude/lib/psa + + ifeq (${DICE_PROTECTION_ENVIRONMENT},1) + $(info Including qcbor.mk) + include drivers/measured_boot/rss/qcbor.mk + $(info Including dice_prot_env.mk) + include drivers/measured_boot/rss/dice_prot_env.mk + + BL1_SOURCES += ${QCBOR_SOURCES} \ + ${DPE_SOURCES} \ + plat/arm/board/tc/tc_common_dpe.c \ + plat/arm/board/tc/tc_bl1_dpe.c \ + lib/psa/dice_protection_environment.c + + BL2_SOURCES += ${QCBOR_SOURCES} \ + ${DPE_SOURCES} \ + plat/arm/board/tc/tc_common_dpe.c \ + plat/arm/board/tc/tc_bl2_dpe.c \ + lib/psa/dice_protection_environment.c + + PLAT_INCLUDES += -I${QCBOR_INCLUDES} \ + -Iinclude/lib/dice + else + $(info Including rss_measured_boot.mk) + include drivers/measured_boot/rss/rss_measured_boot.mk + + BL1_SOURCES += ${MEASURED_BOOT_SOURCES} \ plat/arm/board/tc/tc_common_measured_boot.c \ plat/arm/board/tc/tc_bl1_measured_boot.c \ - lib/psa/measured_boot.c \ - ${RSS_COMMS_SOURCES} + lib/psa/measured_boot.c - BL2_SOURCES += ${MEASURED_BOOT_SOURCES} \ + BL2_SOURCES += ${MEASURED_BOOT_SOURCES} \ plat/arm/board/tc/tc_common_measured_boot.c \ plat/arm/board/tc/tc_bl2_measured_boot.c \ - lib/psa/measured_boot.c \ - ${RSS_COMMS_SOURCES} - -PLAT_INCLUDES += -Iinclude/lib/psa - + 
lib/psa/measured_boot.c + endif endif ifneq (${PLATFORM_TEST},)
diff --git a/plat/arm/board/tc/tc_bl1_dpe.c b/plat/arm/board/tc/tc_bl1_dpe.c
new file mode 100644
index 000000000..67b1d0228
--- /dev/null
+++ b/plat/arm/board/tc/tc_bl1_dpe.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct dpe_metadata tc_dpe_metadata[] = {
+ {
+ .id = FW_CONFIG_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_FW_CONFIG_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = ZERO_OID },
+ {
+ .id = TB_FW_CONFIG_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_TB_FW_CONFIG_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = ZERO_OID },
+ {
+ .id = BL2_IMAGE_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_BL2_IMAGE_STRING,
+ .allow_new_context_to_derive = true,
+ .retain_parent_context = false,
+ .create_certificate = false,
+ .pk_oid = ZERO_OID },
+ {
+ .id = DPE_INVALID_ID }
+};
+
+
+void bl1_plat_mboot_init(void)
+{
+ /* Initialize the communication channel between AP and RSS */
+ (void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
+ PLAT_RSS_AP_RCV_MHU_BASE);
+
+ dpe_init(tc_dpe_metadata);
+}
+
+void bl1_plat_mboot_finish(void)
+{
+ /* Nothing to do. */
+}
diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c
new file mode 100644
index 000000000..2d6b54d96
--- /dev/null
+++ b/plat/arm/board/tc/tc_bl2_dpe.c
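Review bot: The `$(info Including rss_comms.mk)` added just above `ifeq (${MEASURED_BOOT},1)` runs unconditionally, so builds with MEASURED_BOOT=0 report including a makefile that is never included, and builds with MEASURED_BOOT=1 print the message twice because the same line is repeated inside the branch; drop the outer one. It also looks like DICE_PROTECTION_ENVIRONMENT=1 is silently ignored when MEASURED_BOOT=0, since the inner `ifeq (${DICE_PROTECTION_ENVIRONMENT},1)` is never evaluated — an `$(error DICE_PROTECTION_ENVIRONMENT requires MEASURED_BOOT=1)` check would make the misconfiguration visible instead of producing an image with no measured-boot backend at all. The comment block that opens the hunk still speaks only of the "Measured Boot makefile"; a sentence noting that qcbor.mk and dice_prot_env.mk are pulled in from the same place would keep it accurate.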
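Review bot: `bl1_plat_mboot_init()` discards the result of `rss_comms_init()` and calls `dpe_init(tc_dpe_metadata)` regardless, so a failure to bring up the AP-RSS channel is never reported here; the same pattern is in `bl2_plat_mboot_init()` in tc_bl2_dpe.c. If `rss_comms_init()` returns non-zero on failure (confirm against drivers/arm/rss/rss_comms.c), `if (rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE) != 0) { ERROR("RSS comms init failed\n"); }` at least leaves a trace in the boot log, and the platform can then decide whether measured boot without a reachable backend should be fatal. `tc_dpe_metadata` is also a non-static global with no header declaration, consumed through an `extern` in tc_common_dpe.c; a comment such as `/* Shared with tc_common_dpe.c; the DPE_INVALID_ID entry terminates the list. */` above the array would document the cross-file coupling and the trailing entry, which looks like a sentinel the DPE driver scans for (confirm against the sources listed in dice_prot_env.mk).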
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/*
+ * The content and the values of this array depends on:
+ * - build config: Which components are loaded: SPMD, TOS, SPx, etc ?
+ * - boot order: the last element in a layer should be treated differently.
+ */
+
+/*
+ * TODO:
+ * - The content of the array must be tailored according to the build
+ * config (TOS, SPMD, etc). All loaded components (executables and
+ * config blobs) must be present in this array.
+ * - Current content is according to the Trusty build config.
+ */
+struct dpe_metadata tc_dpe_metadata[] = {
+ {
+ .id = BL31_IMAGE_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_BL31_IMAGE_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = BL31_IMAGE_KEY_OID },
+ {
+ .id = BL32_IMAGE_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_BL32_IMAGE_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = BL32_IMAGE_KEY_OID },
+ {
+ .id = BL33_IMAGE_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_BL33_IMAGE_STRING,
+ .allow_new_context_to_derive = true,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = BL33_IMAGE_KEY_OID },
+
+ {
+ .id = HW_CONFIG_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_HW_CONFIG_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = HW_CONFIG_KEY_OID },
+ {
+ .id = NT_FW_CONFIG_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_NT_FW_CONFIG_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NT_FW_CONFIG_KEY_OID },
+ {
+ .id = SCP_BL2_IMAGE_ID,
+ 
.signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SCP_BL2_IMAGE_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = SCP_BL2_IMAGE_KEY_OID },
+ {
+ .id = SOC_FW_CONFIG_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SOC_FW_CONFIG_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = SOC_FW_CONFIG_KEY_OID },
+ {
+ .id = TOS_FW_CONFIG_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_TOS_FW_CONFIG_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = TOS_FW_CONFIG_KEY_OID },
+#if defined(SPD_spmd)
+ {
+ .id = SP_PKG1_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP1_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = true, /* With Trusty only one SP is loaded */
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG2_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP2_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG3_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP3_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG4_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP4_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG5_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP5_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG6_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP6_STRING,
+ 
.allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG7_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP7_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+ {
+ .id = SP_PKG8_ID,
+ .signer_id_size = SIGNER_ID_MIN_SIZE,
+ .sw_type = MBOOT_SP8_STRING,
+ .allow_new_context_to_derive = false,
+ .retain_parent_context = true,
+ .create_certificate = false,
+ .pk_oid = NULL },
+
+#endif
+ {
+ .id = DPE_INVALID_ID }
+};
+
+void bl2_plat_mboot_init(void)
+{
+ /* Initialize the communication channel between AP and RSS */
+ (void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
+ PLAT_RSS_AP_RCV_MHU_BASE);
+
+ dpe_init(tc_dpe_metadata);
+}
+
+void bl2_plat_mboot_finish(void)
+{
+ /* Nothing to do. */
+}
diff --git a/plat/arm/board/tc/tc_common_dpe.c b/plat/arm/board/tc/tc_common_dpe.c
new file mode 100644
index 000000000..42b546864
--- /dev/null
+++ b/plat/arm/board/tc/tc_common_dpe.c
@@ -0,0 +1,36 @@
+
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+extern struct dpe_metadata tc_dpe_metadata[];
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+ int err;
+
+ /* Calculate image hash and record it in the DPE service in RSS. */
+ err = dpe_measure_and_record(tc_dpe_metadata,
+ image_data->image_base,
+ image_data->image_size,
+ image_id);
+ if (err != 0) {
+ ERROR("%s%s image id %u (%i)\n",
+ "Failed to ", "record in DPE", image_id, err);
+ }
+
+ return err;
+}
+
+int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len)
+{
+ return dpe_set_signer_id(tc_dpe_metadata, pk_oid, pk_ptr, pk_len);
+}
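Review bot: Under `#if defined(SPD_spmd)` the SP_PKG1_ID entry sets `.create_certificate = true` with the comment "With Trusty only one SP is loaded", while SP_PKG2_ID through SP_PKG8_ID follow with `.create_certificate = false`; given the file-level comment that the last element in a layer is treated differently, a build that loads more than one SP would apparently have the certificate issued after the first SP, before the remaining SP measurements are recorded. The TODO above the array already says the content must be tailored to the build config, but the consequence is easier to see next to the SP block, e.g. `/* TODO: create_certificate must move to the last SP actually loaded. */`. All SP entries also carry `.pk_oid = NULL`, unlike every other entry; if `dpe_set_signer_id()` (reached from `plat_mboot_measure_key()` in tc_common_dpe.c) matches entries by OID, the SP signer ids can never be recorded and stay at whatever the driver's default is, which deserves a comment stating whether that is intended.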
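Review bot: tc_common_dpe.c begins with an empty line before the `/* Copyright ... */` header (the hunk's first added line is blank), which none of the other new files in this patch do; drop it. In `plat_mboot_measure_image()` the message is assembled as `ERROR("%s%s image id %u (%i)\n", "Failed to ", "record in DPE", image_id, err);`, which prints exactly the same text as the single literal `ERROR("Failed to record in DPE image id %u (%i)\n", image_id, err);` and is easier to grep for. `plat_mboot_measure_key()` returns the `dpe_set_signer_id()` result without logging, unlike its sibling; if callers only propagate the code, a matching `ERROR()` on failure would keep a lost signer-id update visible in the boot log, where a silently missing signer id would otherwise be hard to diagnose from the resulting certificate chain.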