1/* 2 * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7#include <auth_mod.h> 8#include <platform_def.h> 9#include <stddef.h> 10 11#if USE_TBBR_DEFS 12#include <tbbr_oid.h> 13#else 14#include <platform_oid.h> 15#endif 16 17 18/* 19 * Maximum key and hash sizes (in DER format) 20 */ 21#define PK_DER_LEN 294 22#define HASH_DER_LEN 51 23 24/* 25 * The platform must allocate buffers to store the authentication parameters 26 * extracted from the certificates. In this case, because of the way the CoT is 27 * established, we can reuse some of the buffers on different stages 28 */ 29static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; 30static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; 31static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 32static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 33static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 34static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 35static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 36static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 37static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; 38static unsigned char content_pk_buf[PK_DER_LEN]; 39 40/* 41 * Parameter type descriptors 42 */ 43static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 44 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 45static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 46 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 47 48static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 49 AUTH_PARAM_PUB_KEY, 0); 50static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 51 AUTH_PARAM_SIG, 0); 52static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 53 AUTH_PARAM_SIG_ALG, 0); 54static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 55 AUTH_PARAM_RAW_DATA, 0); 56 57static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 58 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 59static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( 60 AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); 61 62static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( 63 AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); 64static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 65 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 66static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 67 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 68static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( 69 AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); 70 71static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( 72 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); 73static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( 74 AUTH_PARAM_HASH, SCP_FW_HASH_OID); 75static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 76 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 77static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 78 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 79static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 80 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 81static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 82 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 83static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 84 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 85static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( 86 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); 87static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( 88 AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); 89static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( 90 AUTH_PARAM_HASH, FWU_HASH_OID); 91 92/* 93 * TBBR Chain of trust definition 94 */ 95static const auth_img_desc_t cot_desc[] = { 96 /* 97 * BL2 98 */ 99 [TRUSTED_BOOT_FW_CERT_ID] = { 100 .img_id = TRUSTED_BOOT_FW_CERT_ID, 101 .img_type = IMG_CERT, 102 .parent = NULL, 103 .img_auth_methods = { 104 [0] = { 105 .type = AUTH_METHOD_SIG, 106 .param.sig = { 107 .pk = &subject_pk, 108 .sig = &sig, 109 .alg = &sig_alg, 110 .data = &raw_data, 111 } 112 }, 113 [1] = { 114 .type = AUTH_METHOD_NV_CTR, 115 .param.nv_ctr = { 116 .cert_nv_ctr = &trusted_nv_ctr, 117 .plat_nv_ctr = &trusted_nv_ctr 118 } 119 } 120 }, 121 .authenticated_data = { 122 [0] = { 123 .type_desc = &tb_fw_hash, 124 .data = { 125 .ptr = (void *)tb_fw_hash_buf, 126 .len = (unsigned int)HASH_DER_LEN 127 } 128 } 129 } 130 }, 131 [BL2_IMAGE_ID] = { 132 .img_id = BL2_IMAGE_ID, 133 .img_type = IMG_RAW, 134 .parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID], 135 .img_auth_methods = { 136 [0] = { 137 .type = AUTH_METHOD_HASH, 138 .param.hash = { 139 .data = &raw_data, 140 .hash = &tb_fw_hash, 141 } 142 } 143 } 144 }, 145 /* 146 * Trusted key certificate 147 */ 148 [TRUSTED_KEY_CERT_ID] = { 149 .img_id = TRUSTED_KEY_CERT_ID, 150 .img_type = IMG_CERT, 151 .parent = NULL, 152 .img_auth_methods = { 153 [0] = { 154 .type = AUTH_METHOD_SIG, 155 .param.sig = { 156 .pk = &subject_pk, 157 .sig = &sig, 158 .alg = &sig_alg, 159 .data = &raw_data, 160 } 161 }, 162 [1] = { 163 .type = AUTH_METHOD_NV_CTR, 164 .param.nv_ctr = { 165 .cert_nv_ctr = &trusted_nv_ctr, 166 .plat_nv_ctr = &trusted_nv_ctr 167 } 168 } 169 }, 170 .authenticated_data = { 171 [0] = { 172 .type_desc = &trusted_world_pk, 173 .data = { 174 .ptr = (void *)trusted_world_pk_buf, 175 .len = (unsigned int)PK_DER_LEN 176 } 177 }, 178 [1] = { 179 .type_desc = &non_trusted_world_pk, 180 .data = { 181 .ptr = (void *)non_trusted_world_pk_buf, 182 .len = (unsigned int)PK_DER_LEN 183 } 184 } 185 } 186 }, 187 /* 188 * SCP Firmware 189 */ 190 [SCP_FW_KEY_CERT_ID] = { 191 .img_id = SCP_FW_KEY_CERT_ID, 192 .img_type = IMG_CERT, 193 .parent = &cot_desc[TRUSTED_KEY_CERT_ID], 194 .img_auth_methods = { 195 [0] = { 196 .type = AUTH_METHOD_SIG, 197 .param.sig = { 198 .pk = &trusted_world_pk, 199 .sig = &sig, 200 .alg = &sig_alg, 201 .data = &raw_data, 202 } 203 }, 204 [1] = { 205 .type = AUTH_METHOD_NV_CTR, 206 .param.nv_ctr = { 207 .cert_nv_ctr = &trusted_nv_ctr, 208 .plat_nv_ctr = &trusted_nv_ctr 209 } 210 } 211 }, 212 .authenticated_data = { 213 [0] = { 214 .type_desc = &scp_fw_content_pk, 215 .data = { 216 .ptr = (void *)content_pk_buf, 217 .len = (unsigned int)PK_DER_LEN 218 } 219 } 220 } 221 }, 222 [SCP_FW_CONTENT_CERT_ID] = { 223 .img_id = SCP_FW_CONTENT_CERT_ID, 224 .img_type = IMG_CERT, 225 .parent = &cot_desc[SCP_FW_KEY_CERT_ID], 226 .img_auth_methods = { 227 [0] = { 228 .type = AUTH_METHOD_SIG, 229 .param.sig = { 230 .pk = &scp_fw_content_pk, 231 .sig = &sig, 232 .alg = &sig_alg, 233 .data = &raw_data, 234 } 235 }, 236 [1] = { 237 .type = AUTH_METHOD_NV_CTR, 238 .param.nv_ctr = { 239 .cert_nv_ctr = &trusted_nv_ctr, 240 .plat_nv_ctr = &trusted_nv_ctr 241 } 242 } 243 }, 244 .authenticated_data = { 245 [0] = { 246 .type_desc = &scp_fw_hash, 247 .data = { 248 .ptr = (void *)scp_fw_hash_buf, 249 .len = (unsigned int)HASH_DER_LEN 250 } 251 } 252 } 253 }, 254 [SCP_BL2_IMAGE_ID] = { 255 .img_id = SCP_BL2_IMAGE_ID, 256 .img_type = IMG_RAW, 257 .parent = &cot_desc[SCP_FW_CONTENT_CERT_ID], 258 .img_auth_methods = { 259 [0] = { 260 .type = AUTH_METHOD_HASH, 261 .param.hash = { 262 .data = &raw_data, 263 .hash = &scp_fw_hash, 264 } 265 } 266 } 267 }, 268 /* 269 * SoC Firmware 270 */ 271 [SOC_FW_KEY_CERT_ID] = { 272 .img_id = SOC_FW_KEY_CERT_ID, 273 .img_type = IMG_CERT, 274 .parent = &cot_desc[TRUSTED_KEY_CERT_ID], 275 .img_auth_methods = { 276 [0] = { 277 .type = AUTH_METHOD_SIG, 278 .param.sig = { 279 .pk = &trusted_world_pk, 280 .sig = &sig, 281 .alg = &sig_alg, 282 .data = &raw_data, 283 } 284 }, 285 [1] = { 286 .type = AUTH_METHOD_NV_CTR, 287 .param.nv_ctr = { 288 .cert_nv_ctr = &trusted_nv_ctr, 289 .plat_nv_ctr = &trusted_nv_ctr 290 } 291 } 292 }, 293 .authenticated_data = { 294 [0] = { 295 .type_desc = &soc_fw_content_pk, 296 .data = { 297 .ptr = (void *)content_pk_buf, 298 .len = (unsigned int)PK_DER_LEN 299 } 300 } 301 } 302 }, 303 [SOC_FW_CONTENT_CERT_ID] = { 304 .img_id = SOC_FW_CONTENT_CERT_ID, 305 .img_type = IMG_CERT, 306 .parent = &cot_desc[SOC_FW_KEY_CERT_ID], 307 .img_auth_methods = { 308 [0] = { 309 .type = AUTH_METHOD_SIG, 310 .param.sig = { 311 .pk = &soc_fw_content_pk, 312 .sig = &sig, 313 .alg = &sig_alg, 314 .data = &raw_data, 315 } 316 }, 317 [1] = { 318 .type = AUTH_METHOD_NV_CTR, 319 .param.nv_ctr = { 320 .cert_nv_ctr = &trusted_nv_ctr, 321 .plat_nv_ctr = &trusted_nv_ctr 322 } 323 } 324 }, 325 .authenticated_data = { 326 [0] = { 327 .type_desc = &soc_fw_hash, 328 .data = { 329 .ptr = (void *)soc_fw_hash_buf, 330 .len = (unsigned int)HASH_DER_LEN 331 } 332 } 333 } 334 }, 335 [BL31_IMAGE_ID] = { 336 .img_id = BL31_IMAGE_ID, 337 .img_type = IMG_RAW, 338 .parent = &cot_desc[SOC_FW_CONTENT_CERT_ID], 339 .img_auth_methods = { 340 [0] = { 341 .type = AUTH_METHOD_HASH, 342 .param.hash = { 343 .data = &raw_data, 344 .hash = &soc_fw_hash, 345 } 346 } 347 } 348 }, 349 /* 350 * Trusted OS Firmware 351 */ 352 [TRUSTED_OS_FW_KEY_CERT_ID] = { 353 .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 354 .img_type = IMG_CERT, 355 .parent = &cot_desc[TRUSTED_KEY_CERT_ID], 356 .img_auth_methods = { 357 [0] = { 358 .type = AUTH_METHOD_SIG, 359 .param.sig = { 360 .pk = &trusted_world_pk, 361 .sig = &sig, 362 .alg = &sig_alg, 363 .data = &raw_data, 364 } 365 }, 366 [1] = { 367 .type = AUTH_METHOD_NV_CTR, 368 .param.nv_ctr = { 369 .cert_nv_ctr = &trusted_nv_ctr, 370 .plat_nv_ctr = &trusted_nv_ctr 371 } 372 } 373 }, 374 .authenticated_data = { 375 [0] = { 376 .type_desc = &tos_fw_content_pk, 377 .data = { 378 .ptr = (void *)content_pk_buf, 379 .len = (unsigned int)PK_DER_LEN 380 } 381 } 382 } 383 }, 384 [TRUSTED_OS_FW_CONTENT_CERT_ID] = { 385 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 386 .img_type = IMG_CERT, 387 .parent = &cot_desc[TRUSTED_OS_FW_KEY_CERT_ID], 388 .img_auth_methods = { 389 [0] = { 390 .type = AUTH_METHOD_SIG, 391 .param.sig = { 392 .pk = &tos_fw_content_pk, 393 .sig = &sig, 394 .alg = &sig_alg, 395 .data = &raw_data, 396 } 397 }, 398 [1] = { 399 .type = AUTH_METHOD_NV_CTR, 400 .param.nv_ctr = { 401 .cert_nv_ctr = &trusted_nv_ctr, 402 .plat_nv_ctr = &trusted_nv_ctr 403 } 404 } 405 }, 406 .authenticated_data = { 407 [0] = { 408 .type_desc = &tos_fw_hash, 409 .data = { 410 .ptr = (void *)tos_fw_hash_buf, 411 .len = (unsigned int)HASH_DER_LEN 412 } 413 }, 414 [1] = { 415 .type_desc = &tos_fw_extra1_hash, 416 .data = { 417 .ptr = (void *)tos_fw_extra1_hash_buf, 418 .len = (unsigned int)HASH_DER_LEN 419 } 420 }, 421 [2] = { 422 .type_desc = &tos_fw_extra2_hash, 423 .data = { 424 .ptr = (void *)tos_fw_extra2_hash_buf, 425 .len = (unsigned int)HASH_DER_LEN 426 } 427 } 428 } 429 }, 430 [BL32_IMAGE_ID] = { 431 .img_id = BL32_IMAGE_ID, 432 .img_type = IMG_RAW, 433 .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], 434 .img_auth_methods = { 435 [0] = { 436 .type = AUTH_METHOD_HASH, 437 .param.hash = { 438 .data = &raw_data, 439 .hash = &tos_fw_hash, 440 } 441 } 442 } 443 }, 444 [BL32_EXTRA1_IMAGE_ID] = { 445 .img_id = BL32_EXTRA1_IMAGE_ID, 446 .img_type = IMG_RAW, 447 .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], 448 .img_auth_methods = { 449 [0] = { 450 .type = AUTH_METHOD_HASH, 451 .param.hash = { 452 .data = &raw_data, 453 .hash = &tos_fw_extra1_hash, 454 } 455 } 456 } 457 }, 458 [BL32_EXTRA2_IMAGE_ID] = { 459 .img_id = BL32_EXTRA2_IMAGE_ID, 460 .img_type = IMG_RAW, 461 .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], 462 .img_auth_methods = { 463 [0] = { 464 .type = AUTH_METHOD_HASH, 465 .param.hash = { 466 .data = &raw_data, 467 .hash = &tos_fw_extra2_hash, 468 } 469 } 470 } 471 }, 472 /* 473 * Non-Trusted Firmware 474 */ 475 [NON_TRUSTED_FW_KEY_CERT_ID] = { 476 .img_id = NON_TRUSTED_FW_KEY_CERT_ID, 477 .img_type = IMG_CERT, 478 .parent = &cot_desc[TRUSTED_KEY_CERT_ID], 479 .img_auth_methods = { 480 [0] = { 481 .type = AUTH_METHOD_SIG, 482 .param.sig = { 483 .pk = &non_trusted_world_pk, 484 .sig = &sig, 485 .alg = &sig_alg, 486 .data = &raw_data, 487 } 488 }, 489 [1] = { 490 .type = AUTH_METHOD_NV_CTR, 491 .param.nv_ctr = { 492 .cert_nv_ctr = &non_trusted_nv_ctr, 493 .plat_nv_ctr = &non_trusted_nv_ctr 494 } 495 } 496 }, 497 .authenticated_data = { 498 [0] = { 499 .type_desc = &nt_fw_content_pk, 500 .data = { 501 .ptr = (void *)content_pk_buf, 502 .len = (unsigned int)PK_DER_LEN 503 } 504 } 505 } 506 }, 507 [NON_TRUSTED_FW_CONTENT_CERT_ID] = { 508 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 509 .img_type = IMG_CERT, 510 .parent = &cot_desc[NON_TRUSTED_FW_KEY_CERT_ID], 511 .img_auth_methods = { 512 [0] = { 513 .type = AUTH_METHOD_SIG, 514 .param.sig = { 515 .pk = &nt_fw_content_pk, 516 .sig = &sig, 517 .alg = &sig_alg, 518 .data = &raw_data, 519 } 520 }, 521 [1] = { 522 .type = AUTH_METHOD_NV_CTR, 523 .param.nv_ctr = { 524 .cert_nv_ctr = &non_trusted_nv_ctr, 525 .plat_nv_ctr = &non_trusted_nv_ctr 526 } 527 } 528 }, 529 .authenticated_data = { 530 [0] = { 531 .type_desc = &nt_world_bl_hash, 532 .data = { 533 .ptr = (void *)nt_world_bl_hash_buf, 534 .len = (unsigned int)HASH_DER_LEN 535 } 536 } 537 } 538 }, 539 [BL33_IMAGE_ID] = { 540 .img_id = BL33_IMAGE_ID, 541 .img_type = IMG_RAW, 542 .parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID], 543 .img_auth_methods = { 544 [0] = { 545 .type = AUTH_METHOD_HASH, 546 .param.hash = { 547 .data = &raw_data, 548 .hash = &nt_world_bl_hash, 549 } 550 } 551 } 552 }, 553 /* 554 * FWU auth descriptor. 555 */ 556 [FWU_CERT_ID] = { 557 .img_id = FWU_CERT_ID, 558 .img_type = IMG_CERT, 559 .parent = NULL, 560 .img_auth_methods = { 561 [0] = { 562 .type = AUTH_METHOD_SIG, 563 .param.sig = { 564 .pk = &subject_pk, 565 .sig = &sig, 566 .alg = &sig_alg, 567 .data = &raw_data, 568 } 569 } 570 }, 571 .authenticated_data = { 572 [0] = { 573 .type_desc = &scp_bl2u_hash, 574 .data = { 575 .ptr = (void *)scp_fw_hash_buf, 576 .len = (unsigned int)HASH_DER_LEN 577 } 578 }, 579 [1] = { 580 .type_desc = &bl2u_hash, 581 .data = { 582 .ptr = (void *)tb_fw_hash_buf, 583 .len = (unsigned int)HASH_DER_LEN 584 } 585 }, 586 [2] = { 587 .type_desc = &ns_bl2u_hash, 588 .data = { 589 .ptr = (void *)nt_world_bl_hash_buf, 590 .len = (unsigned int)HASH_DER_LEN 591 } 592 } 593 } 594 }, 595 /* 596 * SCP_BL2U 597 */ 598 [SCP_BL2U_IMAGE_ID] = { 599 .img_id = SCP_BL2U_IMAGE_ID, 600 .img_type = IMG_RAW, 601 .parent = &cot_desc[FWU_CERT_ID], 602 .img_auth_methods = { 603 [0] = { 604 .type = AUTH_METHOD_HASH, 605 .param.hash = { 606 .data = &raw_data, 607 .hash = &scp_bl2u_hash, 608 } 609 } 610 } 611 }, 612 /* 613 * BL2U 614 */ 615 [BL2U_IMAGE_ID] = { 616 .img_id = BL2U_IMAGE_ID, 617 .img_type = IMG_RAW, 618 .parent = &cot_desc[FWU_CERT_ID], 619 .img_auth_methods = { 620 [0] = { 621 .type = AUTH_METHOD_HASH, 622 .param.hash = { 623 .data = &raw_data, 624 .hash = &bl2u_hash, 625 } 626 } 627 } 628 }, 629 /* 630 * NS_BL2U 631 */ 632 [NS_BL2U_IMAGE_ID] = { 633 .img_id = NS_BL2U_IMAGE_ID, 634 .img_type = IMG_RAW, 635 .parent = &cot_desc[FWU_CERT_ID], 636 .img_auth_methods = { 637 [0] = { 638 .type = AUTH_METHOD_HASH, 639 .param.hash = { 640 .data = &raw_data, 641 .hash = &ns_bl2u_hash, 642 } 643 } 644 } 645 } 646}; 647 648/* Register the CoT in the authentication module */ 649REGISTER_COT(cot_desc); 650