feat(tc): add DPE backend to the measured boot framework

The client platform relies on the DICE attestation
scheme. RSS provides the DICE Protection Environment
(DPE) service. TF-A measured boot framework supports
multiple backends. A given platform always enables
the corresponding backend which is required by the
attestation scheme.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Idc3360d0d7216e4859e99b5db3d377407e0aeee5

Makefile

@@ -1145,6 +1145,7 @@ $(eval $(call assert_booleans,\
 	HARDEN_SLS \
 	HW_ASSISTED_COHERENCY \
 	MEASURED_BOOT \
+	DICE_PROTECTION_ENVIRONMENT \
 	DRTM_SUPPORT \
 	NS_TIMER_SWITCH \
 	OVERRIDE_LIBC \
@@ -1312,6 +1313,7 @@ $(eval $(call add_defines,\
 	HW_ASSISTED_COHERENCY \
 	LOG_LEVEL \
 	MEASURED_BOOT \
+	DICE_PROTECTION_ENVIRONMENT \
 	DRTM_SUPPORT \
 	NS_TIMER_SWITCH \
 	PL011_GENERIC_UART \

docs/getting_started/build-options.rst

@@ -706,6 +706,13 @@ Common build options
 
    This option defaults to 0.
 
+-  ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot
+   backend when ``MEASURED_BOOT`` is enabled. The default value is ``0``. When
+   set to ``1`` then measurements and additional metadata collected during the
+   measured boot process are sent to the DICE Protection Environment for storage
+   and processing. A certificate chain, which represents the boot state of the
+   device, can be queried from the DPE.
+
 -  ``MARCH_DIRECTIVE``: used to pass a -march option from the platform build
    options to the compiler. An example usage:
 

include/plat/common/platform.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2023, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -242,7 +242,7 @@ __dead2 void bl1_plat_fwu_done(void *client_cookie, void *reserved);
 int bl1_plat_handle_pre_image_load(unsigned int image_id);
 int bl1_plat_handle_post_image_load(unsigned int image_id);
 
-#if MEASURED_BOOT
+#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT)
 void bl1_plat_mboot_init(void);
 void bl1_plat_mboot_finish(void);
 #else
@@ -252,7 +252,7 @@ static inline void bl1_plat_mboot_init(void)
 static inline void bl1_plat_mboot_finish(void)
 {
 }
-#endif /* MEASURED_BOOT */
+#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT */
 
 /*******************************************************************************
  * Mandatory BL2 functions
@@ -272,7 +272,7 @@ int bl2_plat_handle_post_image_load(unsigned int image_id);
 /*******************************************************************************
  * Optional BL2 functions (may be overridden)
  ******************************************************************************/
-#if MEASURED_BOOT
+#if (MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENT)
 void bl2_plat_mboot_init(void);
 void bl2_plat_mboot_finish(void);
 #else
@@ -282,7 +282,7 @@ static inline void bl2_plat_mboot_init(void)
 static inline void bl2_plat_mboot_finish(void)
 {
 }
-#endif /* MEASURED_BOOT */
+#endif /* MEASURED_BOOT || DICE_PROTECTION_ENVIRONMENTs */
 
 /*******************************************************************************
  * Mandatory BL2 at EL3 functions: Must be implemented

make_helpers/defaults.mk

@@ -176,6 +176,9 @@ endif
 # Option to build TF with Measured Boot support
 MEASURED_BOOT			:= 0
 
+# Option to enable the DICE Protection Environmnet as a Measured Boot backend
+DICE_PROTECTION_ENVIRONMENT	:=0
+
 # NS timer register save and restore
 NS_TIMER_SWITCH			:= 0
 

plat/arm/board/tc/platform.mk

@@ -170,27 +170,49 @@ $(eval $(call TOOL_ADD_PAYLOAD,${TC_HW_CONFIG},--hw-config,${TC_HW_CONFIG}))
 # Include Measured Boot makefile before any Crypto library makefile.
 # Crypto library makefile may need default definitions of Measured Boot build
 # flags present in Measured Boot makefile.
+$(info Including rss_comms.mk)
 ifeq (${MEASURED_BOOT},1)
-    MEASURED_BOOT_MK := drivers/measured_boot/rss/rss_measured_boot.mk
-    $(info Including ${MEASURED_BOOT_MK})
-    include ${MEASURED_BOOT_MK}
         $(info Including rss_comms.mk)
         include drivers/arm/rss/rss_comms.mk
 
+	BL1_SOURCES	+=	${RSS_COMMS_SOURCES}
+	BL2_SOURCES	+=	${RSS_COMMS_SOURCES}
+	PLAT_INCLUDES	+=	-Iinclude/lib/psa
+
+    ifeq (${DICE_PROTECTION_ENVIRONMENT},1)
+        $(info Including qcbor.mk)
+        include drivers/measured_boot/rss/qcbor.mk
+        $(info Including dice_prot_env.mk)
+        include drivers/measured_boot/rss/dice_prot_env.mk
+
+	BL1_SOURCES	+=	${QCBOR_SOURCES} \
+				${DPE_SOURCES} \
+				plat/arm/board/tc/tc_common_dpe.c \
+				plat/arm/board/tc/tc_bl1_dpe.c \
+				lib/psa/dice_protection_environment.c
+
+	BL2_SOURCES	+=	${QCBOR_SOURCES} \
+				${DPE_SOURCES} \
+				plat/arm/board/tc/tc_common_dpe.c \
+				plat/arm/board/tc/tc_bl2_dpe.c \
+				lib/psa/dice_protection_environment.c
+
+	PLAT_INCLUDES	+=	-I${QCBOR_INCLUDES} \
+				-Iinclude/lib/dice
+    else
+        $(info Including rss_measured_boot.mk)
+        include drivers/measured_boot/rss/rss_measured_boot.mk
+
 	BL1_SOURCES	+=	${MEASURED_BOOT_SOURCES} \
 				plat/arm/board/tc/tc_common_measured_boot.c \
 				plat/arm/board/tc/tc_bl1_measured_boot.c \
-				lib/psa/measured_boot.c			 \
+				lib/psa/measured_boot.c
-				${RSS_COMMS_SOURCES}
 
 	BL2_SOURCES		+=	${MEASURED_BOOT_SOURCES} \
 				plat/arm/board/tc/tc_common_measured_boot.c \
 				plat/arm/board/tc/tc_bl2_measured_boot.c \
-				lib/psa/measured_boot.c			 \
+				lib/psa/measured_boot.c
-				${RSS_COMMS_SOURCES}
+    endif
-
-PLAT_INCLUDES		+=	-Iinclude/lib/psa
-
 endif
 
 ifneq (${PLATFORM_TEST},)

plat/arm/board/tc/tc_bl1_dpe.c

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/arm/rss_comms.h>
+#include <drivers/measured_boot/metadata.h>
+#include <drivers/measured_boot/rss/dice_prot_env.h>
+#include <plat/arm/common/plat_arm.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+#include <tools_share/zero_oid.h>
+
+struct dpe_metadata tc_dpe_metadata[] = {
+	{
+		.id = FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = ZERO_OID },
+	{
+		.id = TB_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_TB_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = ZERO_OID },
+	{
+		.id = BL2_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL2_IMAGE_STRING,
+		.allow_new_context_to_derive = true,
+		.retain_parent_context = false,
+		.create_certificate = false,
+		.pk_oid = ZERO_OID },
+	{
+		.id = DPE_INVALID_ID }
+};
+
+
+void bl1_plat_mboot_init(void)
+{
+	/* Initialize the communication channel between AP and RSS */
+	(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
+			     PLAT_RSS_AP_RCV_MHU_BASE);
+
+	dpe_init(tc_dpe_metadata);
+}
+
+void bl1_plat_mboot_finish(void)
+{
+	/* Nothing to do. */
+}

plat/arm/board/tc/tc_bl2_dpe.c

@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#include <drivers/arm/rss_comms.h>
+#include <drivers/measured_boot/metadata.h>
+#include <drivers/measured_boot/rss/dice_prot_env.h>
+#include <plat/arm/common/plat_arm.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+#include <tools_share/zero_oid.h>
+
+/*
+ * The content and the values of this array depends on:
+ * - build config: Which components are loaded: SPMD, TOS, SPx, etc ?
+ * - boot order: the last element in a layer should be treated differently.
+ */
+
+/*
+ * TODO:
+ *     - The content of the array must be tailored according to the build
+ *       config (TOS, SPMD, etc). All loaded components (executables and
+ *       config blobs) must be present in this array.
+ *     - Current content is according to the Trusty build config.
+ */
+struct dpe_metadata tc_dpe_metadata[] = {
+	{
+		.id = BL31_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL31_IMAGE_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = BL31_IMAGE_KEY_OID },
+	{
+		.id = BL32_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL32_IMAGE_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = BL32_IMAGE_KEY_OID },
+	{
+		.id = BL33_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_BL33_IMAGE_STRING,
+		.allow_new_context_to_derive = true,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = BL33_IMAGE_KEY_OID },
+
+	{
+		.id = HW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_HW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = HW_CONFIG_KEY_OID },
+	{
+		.id = NT_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_NT_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NT_FW_CONFIG_KEY_OID },
+	{
+		.id = SCP_BL2_IMAGE_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SCP_BL2_IMAGE_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = SCP_BL2_IMAGE_KEY_OID },
+	{
+		.id = SOC_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SOC_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = SOC_FW_CONFIG_KEY_OID },
+	{
+		.id = TOS_FW_CONFIG_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_TOS_FW_CONFIG_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = TOS_FW_CONFIG_KEY_OID },
+#if defined(SPD_spmd)
+	{
+		.id = SP_PKG1_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP1_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = true, /* With Trusty only one SP is loaded */
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG2_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP2_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG3_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP3_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG4_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP4_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG5_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP5_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG6_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP6_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG7_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP7_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+	{
+		.id = SP_PKG8_ID,
+		.signer_id_size = SIGNER_ID_MIN_SIZE,
+		.sw_type = MBOOT_SP8_STRING,
+		.allow_new_context_to_derive = false,
+		.retain_parent_context = true,
+		.create_certificate = false,
+		.pk_oid = NULL },
+
+#endif
+	{
+		.id = DPE_INVALID_ID }
+};
+
+void bl2_plat_mboot_init(void)
+{
+	/* Initialize the communication channel between AP and RSS */
+	(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
+			     PLAT_RSS_AP_RCV_MHU_BASE);
+
+	dpe_init(tc_dpe_metadata);
+}
+
+void bl2_plat_mboot_finish(void)
+{
+	/* Nothing to do. */
+}

plat/arm/board/tc/tc_common_dpe.c

@@ -0,0 +1,36 @@
+
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stdint.h>
+
+#include <common/desc_image_load.h>
+#include <drivers/measured_boot/rss/dice_prot_env.h>
+
+extern struct dpe_metadata tc_dpe_metadata[];
+
+int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
+{
+	int err;
+
+	/* Calculate image hash and record it in the DPE service in RSS. */
+	err = dpe_measure_and_record(tc_dpe_metadata,
+				     image_data->image_base,
+				     image_data->image_size,
+				     image_id);
+	if (err != 0) {
+		ERROR("%s%s image id %u (%i)\n",
+		      "Failed to ", "record in DPE", image_id, err);
+	}
+
+	return err;
+}
+
+int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len)
+{
+	return dpe_set_signer_id(tc_dpe_metadata, pk_oid, pk_ptr, pk_len);
+}