xref: /arm-trusted-firmware/drivers/auth/cca/cot.c (revision 91f16700b400a8c0651d24a598fc48ee2997a0d7) 
1*91f16700Schasinglulu /*
2*91f16700Schasinglulu  * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
3*91f16700Schasinglulu  *
4*91f16700Schasinglulu  * SPDX-License-Identifier: BSD-3-Clause
5*91f16700Schasinglulu  */
6*91f16700Schasinglulu 
7*91f16700Schasinglulu #include <stddef.h>
8*91f16700Schasinglulu 
9*91f16700Schasinglulu #include <mbedtls/version.h>
10*91f16700Schasinglulu 
11*91f16700Schasinglulu #include <common/tbbr/cot_def.h>
12*91f16700Schasinglulu #include <drivers/auth/auth_mod.h>
13*91f16700Schasinglulu #include <tools_share/cca_oid.h>
14*91f16700Schasinglulu 
15*91f16700Schasinglulu #include <platform_def.h>
16*91f16700Schasinglulu 
17*91f16700Schasinglulu /*
18*91f16700Schasinglulu  * Allocate static buffers to store the authentication parameters extracted from
19*91f16700Schasinglulu  * the certificates.
20*91f16700Schasinglulu  */
21*91f16700Schasinglulu static unsigned char fw_config_hash_buf[HASH_DER_LEN];
22*91f16700Schasinglulu static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
23*91f16700Schasinglulu static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
24*91f16700Schasinglulu static unsigned char hw_config_hash_buf[HASH_DER_LEN];
25*91f16700Schasinglulu static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
26*91f16700Schasinglulu static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
27*91f16700Schasinglulu static unsigned char rmm_hash_buf[HASH_DER_LEN];
28*91f16700Schasinglulu 
29*91f16700Schasinglulu #ifdef IMAGE_BL2
30*91f16700Schasinglulu static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
31*91f16700Schasinglulu static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
32*91f16700Schasinglulu static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
33*91f16700Schasinglulu static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
34*91f16700Schasinglulu #if defined(SPD_spmd)
35*91f16700Schasinglulu static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
36*91f16700Schasinglulu #endif /* SPD_spmd */
37*91f16700Schasinglulu 
38*91f16700Schasinglulu static unsigned char core_swd_pk_buf[PK_DER_LEN];
39*91f16700Schasinglulu static unsigned char plat_pk_buf[PK_DER_LEN];
40*91f16700Schasinglulu #endif /* IMAGE_BL2 */
41*91f16700Schasinglulu 
42*91f16700Schasinglulu /*
43*91f16700Schasinglulu  * Parameter type descriptors.
44*91f16700Schasinglulu  */
45*91f16700Schasinglulu static auth_param_type_desc_t cca_nv_ctr = AUTH_PARAM_TYPE_DESC(
46*91f16700Schasinglulu 		AUTH_PARAM_NV_CTR, CCA_FW_NVCOUNTER_OID);
47*91f16700Schasinglulu static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
48*91f16700Schasinglulu 		AUTH_PARAM_PUB_KEY, 0);
49*91f16700Schasinglulu static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
50*91f16700Schasinglulu 		AUTH_PARAM_SIG, 0);
51*91f16700Schasinglulu static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
52*91f16700Schasinglulu 		AUTH_PARAM_SIG_ALG, 0);
53*91f16700Schasinglulu static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
54*91f16700Schasinglulu 		AUTH_PARAM_RAW_DATA, 0);
55*91f16700Schasinglulu 
56*91f16700Schasinglulu static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
57*91f16700Schasinglulu 		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
58*91f16700Schasinglulu static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
59*91f16700Schasinglulu 		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
60*91f16700Schasinglulu static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
61*91f16700Schasinglulu 		AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
62*91f16700Schasinglulu static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
63*91f16700Schasinglulu 		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
64*91f16700Schasinglulu static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
65*91f16700Schasinglulu 		AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
66*91f16700Schasinglulu static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
67*91f16700Schasinglulu 		AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
68*91f16700Schasinglulu static auth_param_type_desc_t rmm_hash = AUTH_PARAM_TYPE_DESC(
69*91f16700Schasinglulu 		AUTH_PARAM_HASH, RMM_HASH_OID);
70*91f16700Schasinglulu 
71*91f16700Schasinglulu #ifdef IMAGE_BL2
72*91f16700Schasinglulu static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
73*91f16700Schasinglulu 		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
74*91f16700Schasinglulu static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
75*91f16700Schasinglulu 		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
76*91f16700Schasinglulu 
77*91f16700Schasinglulu static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
78*91f16700Schasinglulu 		AUTH_PARAM_PUB_KEY, PROT_PK_OID);
79*91f16700Schasinglulu static auth_param_type_desc_t swd_rot_pk = AUTH_PARAM_TYPE_DESC(
80*91f16700Schasinglulu 		AUTH_PARAM_PUB_KEY, SWD_ROT_PK_OID);
81*91f16700Schasinglulu static auth_param_type_desc_t core_swd_pk = AUTH_PARAM_TYPE_DESC(
82*91f16700Schasinglulu 		AUTH_PARAM_PUB_KEY, CORE_SWD_PK_OID);
83*91f16700Schasinglulu static auth_param_type_desc_t plat_pk = AUTH_PARAM_TYPE_DESC(
84*91f16700Schasinglulu 		AUTH_PARAM_PUB_KEY, PLAT_PK_OID);
85*91f16700Schasinglulu 
86*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
87*91f16700Schasinglulu 		AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
88*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
89*91f16700Schasinglulu 		AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
90*91f16700Schasinglulu static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
91*91f16700Schasinglulu 		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
92*91f16700Schasinglulu static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
93*91f16700Schasinglulu 		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
94*91f16700Schasinglulu #if defined(SPD_spmd)
95*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
96*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
97*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
98*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
99*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
100*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
101*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
102*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
103*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
104*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
105*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
106*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
107*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
108*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
109*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
110*91f16700Schasinglulu 		AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
111*91f16700Schasinglulu #endif /* SPD_spmd */
112*91f16700Schasinglulu #endif /* IMAGE_BL2 */
113*91f16700Schasinglulu 
114*91f16700Schasinglulu /* CCA Content Certificate */
115*91f16700Schasinglulu static const auth_img_desc_t cca_content_cert = {
116*91f16700Schasinglulu 	.img_id = CCA_CONTENT_CERT_ID,
117*91f16700Schasinglulu 	.img_type = IMG_CERT,
118*91f16700Schasinglulu 	.parent = NULL,
119*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
120*91f16700Schasinglulu 		[0] = {
121*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
122*91f16700Schasinglulu 			.param.sig = {
123*91f16700Schasinglulu 				.pk = &subject_pk,
124*91f16700Schasinglulu 				.sig = &sig,
125*91f16700Schasinglulu 				.alg = &sig_alg,
126*91f16700Schasinglulu 				.data = &raw_data
127*91f16700Schasinglulu 			}
128*91f16700Schasinglulu 		},
129*91f16700Schasinglulu 		[1] = {
130*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
131*91f16700Schasinglulu 			.param.nv_ctr = {
132*91f16700Schasinglulu 				.cert_nv_ctr = &cca_nv_ctr,
133*91f16700Schasinglulu 				.plat_nv_ctr = &cca_nv_ctr
134*91f16700Schasinglulu 			}
135*91f16700Schasinglulu 		}
136*91f16700Schasinglulu 	},
137*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
138*91f16700Schasinglulu 		[0] = {
139*91f16700Schasinglulu 			.type_desc = &tb_fw_hash,
140*91f16700Schasinglulu 			.data = {
141*91f16700Schasinglulu 				.ptr = (void *)tb_fw_hash_buf,
142*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
143*91f16700Schasinglulu 			}
144*91f16700Schasinglulu 		},
145*91f16700Schasinglulu 		[1] = {
146*91f16700Schasinglulu 			.type_desc = &tb_fw_config_hash,
147*91f16700Schasinglulu 			.data = {
148*91f16700Schasinglulu 				.ptr = (void *)tb_fw_config_hash_buf,
149*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
150*91f16700Schasinglulu 			}
151*91f16700Schasinglulu 		},
152*91f16700Schasinglulu 		[2] = {
153*91f16700Schasinglulu 			.type_desc = &fw_config_hash,
154*91f16700Schasinglulu 			.data = {
155*91f16700Schasinglulu 				.ptr = (void *)fw_config_hash_buf,
156*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
157*91f16700Schasinglulu 			}
158*91f16700Schasinglulu 		},
159*91f16700Schasinglulu 		[3] = {
160*91f16700Schasinglulu 			.type_desc = &hw_config_hash,
161*91f16700Schasinglulu 			.data = {
162*91f16700Schasinglulu 				.ptr = (void *)hw_config_hash_buf,
163*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
164*91f16700Schasinglulu 			}
165*91f16700Schasinglulu 		},
166*91f16700Schasinglulu 		[4] = {
167*91f16700Schasinglulu 			.type_desc = &soc_fw_hash,
168*91f16700Schasinglulu 			.data = {
169*91f16700Schasinglulu 				.ptr = (void *)soc_fw_hash_buf,
170*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
171*91f16700Schasinglulu 			}
172*91f16700Schasinglulu 		},
173*91f16700Schasinglulu 		[5] = {
174*91f16700Schasinglulu 			.type_desc = &soc_fw_config_hash,
175*91f16700Schasinglulu 			.data = {
176*91f16700Schasinglulu 				.ptr = (void *)soc_fw_config_hash_buf,
177*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
178*91f16700Schasinglulu 			}
179*91f16700Schasinglulu 		},
180*91f16700Schasinglulu 		[6] = {
181*91f16700Schasinglulu 			.type_desc = &rmm_hash,
182*91f16700Schasinglulu 			.data = {
183*91f16700Schasinglulu 				.ptr = (void *)rmm_hash_buf,
184*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
185*91f16700Schasinglulu 			}
186*91f16700Schasinglulu 		}
187*91f16700Schasinglulu 	}
188*91f16700Schasinglulu };
189*91f16700Schasinglulu 
190*91f16700Schasinglulu #ifdef IMAGE_BL1
191*91f16700Schasinglulu static const auth_img_desc_t bl2_image = {
192*91f16700Schasinglulu 	.img_id = BL2_IMAGE_ID,
193*91f16700Schasinglulu 	.img_type = IMG_RAW,
194*91f16700Schasinglulu 	.parent = &cca_content_cert,
195*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
196*91f16700Schasinglulu 		[0] = {
197*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
198*91f16700Schasinglulu 			.param.hash = {
199*91f16700Schasinglulu 				.data = &raw_data,
200*91f16700Schasinglulu 				.hash = &tb_fw_hash
201*91f16700Schasinglulu 			}
202*91f16700Schasinglulu 		}
203*91f16700Schasinglulu 	}
204*91f16700Schasinglulu };
205*91f16700Schasinglulu 
206*91f16700Schasinglulu static const auth_img_desc_t tb_fw_config = {
207*91f16700Schasinglulu 	.img_id = TB_FW_CONFIG_ID,
208*91f16700Schasinglulu 	.img_type = IMG_RAW,
209*91f16700Schasinglulu 	.parent = &cca_content_cert,
210*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
211*91f16700Schasinglulu 		[0] = {
212*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
213*91f16700Schasinglulu 			.param.hash = {
214*91f16700Schasinglulu 				.data = &raw_data,
215*91f16700Schasinglulu 				.hash = &tb_fw_config_hash
216*91f16700Schasinglulu 			}
217*91f16700Schasinglulu 		}
218*91f16700Schasinglulu 	}
219*91f16700Schasinglulu };
220*91f16700Schasinglulu 
221*91f16700Schasinglulu static const auth_img_desc_t fw_config = {
222*91f16700Schasinglulu 	.img_id = FW_CONFIG_ID,
223*91f16700Schasinglulu 	.img_type = IMG_RAW,
224*91f16700Schasinglulu 	.parent = &cca_content_cert,
225*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
226*91f16700Schasinglulu 		[0] = {
227*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
228*91f16700Schasinglulu 			.param.hash = {
229*91f16700Schasinglulu 				.data = &raw_data,
230*91f16700Schasinglulu 				.hash = &fw_config_hash
231*91f16700Schasinglulu 			}
232*91f16700Schasinglulu 		}
233*91f16700Schasinglulu 	}
234*91f16700Schasinglulu };
235*91f16700Schasinglulu #endif /* IMAGE_BL1 */
236*91f16700Schasinglulu 
237*91f16700Schasinglulu #ifdef IMAGE_BL2
238*91f16700Schasinglulu /* HW Config */
239*91f16700Schasinglulu static const auth_img_desc_t hw_config = {
240*91f16700Schasinglulu 	.img_id = HW_CONFIG_ID,
241*91f16700Schasinglulu 	.img_type = IMG_RAW,
242*91f16700Schasinglulu 	.parent = &cca_content_cert,
243*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
244*91f16700Schasinglulu 		[0] = {
245*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
246*91f16700Schasinglulu 			.param.hash = {
247*91f16700Schasinglulu 				.data = &raw_data,
248*91f16700Schasinglulu 				.hash = &hw_config_hash
249*91f16700Schasinglulu 			}
250*91f16700Schasinglulu 		}
251*91f16700Schasinglulu 	}
252*91f16700Schasinglulu };
253*91f16700Schasinglulu 
254*91f16700Schasinglulu /* BL31 */
255*91f16700Schasinglulu static const auth_img_desc_t bl31_image = {
256*91f16700Schasinglulu 	.img_id = BL31_IMAGE_ID,
257*91f16700Schasinglulu 	.img_type = IMG_RAW,
258*91f16700Schasinglulu 	.parent = &cca_content_cert,
259*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
260*91f16700Schasinglulu 		[0] = {
261*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
262*91f16700Schasinglulu 			.param.hash = {
263*91f16700Schasinglulu 				.data = &raw_data,
264*91f16700Schasinglulu 				.hash = &soc_fw_hash
265*91f16700Schasinglulu 			}
266*91f16700Schasinglulu 		}
267*91f16700Schasinglulu 	}
268*91f16700Schasinglulu };
269*91f16700Schasinglulu 
270*91f16700Schasinglulu /* BL31 Config */
271*91f16700Schasinglulu static const auth_img_desc_t soc_fw_config = {
272*91f16700Schasinglulu 	.img_id = SOC_FW_CONFIG_ID,
273*91f16700Schasinglulu 	.img_type = IMG_RAW,
274*91f16700Schasinglulu 	.parent = &cca_content_cert,
275*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
276*91f16700Schasinglulu 		[0] = {
277*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
278*91f16700Schasinglulu 			.param.hash = {
279*91f16700Schasinglulu 				.data = &raw_data,
280*91f16700Schasinglulu 				.hash = &soc_fw_config_hash
281*91f16700Schasinglulu 			}
282*91f16700Schasinglulu 		}
283*91f16700Schasinglulu 	}
284*91f16700Schasinglulu };
285*91f16700Schasinglulu 
286*91f16700Schasinglulu /* RMM */
287*91f16700Schasinglulu static const auth_img_desc_t rmm_image = {
288*91f16700Schasinglulu 	.img_id = RMM_IMAGE_ID,
289*91f16700Schasinglulu 	.img_type = IMG_RAW,
290*91f16700Schasinglulu 	.parent = &cca_content_cert,
291*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
292*91f16700Schasinglulu 		[0] = {
293*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
294*91f16700Schasinglulu 			.param.hash = {
295*91f16700Schasinglulu 				.data = &raw_data,
296*91f16700Schasinglulu 				.hash = &rmm_hash
297*91f16700Schasinglulu 			}
298*91f16700Schasinglulu 		}
299*91f16700Schasinglulu 	}
300*91f16700Schasinglulu };
301*91f16700Schasinglulu 
302*91f16700Schasinglulu /* Core SWD Key Certificate */
303*91f16700Schasinglulu static const auth_img_desc_t core_swd_key_cert = {
304*91f16700Schasinglulu 	.img_id = CORE_SWD_KEY_CERT_ID,
305*91f16700Schasinglulu 	.img_type = IMG_CERT,
306*91f16700Schasinglulu 	.parent = NULL, /* SWD ROOT CERT */
307*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
308*91f16700Schasinglulu 		[0] = {
309*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
310*91f16700Schasinglulu 			.param.sig = {
311*91f16700Schasinglulu 				.pk = &swd_rot_pk,
312*91f16700Schasinglulu 				.sig = &sig,
313*91f16700Schasinglulu 				.alg = &sig_alg,
314*91f16700Schasinglulu 				.data = &raw_data
315*91f16700Schasinglulu 			}
316*91f16700Schasinglulu 		},
317*91f16700Schasinglulu 		[1] = {
318*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
319*91f16700Schasinglulu 			.param.nv_ctr = {
320*91f16700Schasinglulu 				.cert_nv_ctr = &trusted_nv_ctr,
321*91f16700Schasinglulu 				.plat_nv_ctr = &trusted_nv_ctr
322*91f16700Schasinglulu 			}
323*91f16700Schasinglulu 		}
324*91f16700Schasinglulu 	},
325*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
326*91f16700Schasinglulu 		[0] = {
327*91f16700Schasinglulu 			.type_desc = &core_swd_pk,
328*91f16700Schasinglulu 			.data = {
329*91f16700Schasinglulu 				.ptr = (void *)core_swd_pk_buf,
330*91f16700Schasinglulu 				.len = (unsigned int)PK_DER_LEN
331*91f16700Schasinglulu 			}
332*91f16700Schasinglulu 		}
333*91f16700Schasinglulu 	}
334*91f16700Schasinglulu };
335*91f16700Schasinglulu 
336*91f16700Schasinglulu /* SPMC Content Certificate */
337*91f16700Schasinglulu static const auth_img_desc_t trusted_os_fw_content_cert = {
338*91f16700Schasinglulu 	.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
339*91f16700Schasinglulu 	.img_type = IMG_CERT,
340*91f16700Schasinglulu 	.parent = &core_swd_key_cert,
341*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
342*91f16700Schasinglulu 		[0] = {
343*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
344*91f16700Schasinglulu 			.param.sig = {
345*91f16700Schasinglulu 				.pk = &core_swd_pk,
346*91f16700Schasinglulu 				.sig = &sig,
347*91f16700Schasinglulu 				.alg = &sig_alg,
348*91f16700Schasinglulu 				.data = &raw_data
349*91f16700Schasinglulu 			}
350*91f16700Schasinglulu 		},
351*91f16700Schasinglulu 		[1] = {
352*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
353*91f16700Schasinglulu 			.param.nv_ctr = {
354*91f16700Schasinglulu 				.cert_nv_ctr = &trusted_nv_ctr,
355*91f16700Schasinglulu 				.plat_nv_ctr = &trusted_nv_ctr
356*91f16700Schasinglulu 			}
357*91f16700Schasinglulu 		}
358*91f16700Schasinglulu 	},
359*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
360*91f16700Schasinglulu 		[0] = {
361*91f16700Schasinglulu 			.type_desc = &tos_fw_hash,
362*91f16700Schasinglulu 			.data = {
363*91f16700Schasinglulu 				.ptr = (void *)tos_fw_hash_buf,
364*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
365*91f16700Schasinglulu 			}
366*91f16700Schasinglulu 		},
367*91f16700Schasinglulu 		[1] = {
368*91f16700Schasinglulu 			.type_desc = &tos_fw_config_hash,
369*91f16700Schasinglulu 			.data = {
370*91f16700Schasinglulu 				.ptr = (void *)tos_fw_config_hash_buf,
371*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
372*91f16700Schasinglulu 			}
373*91f16700Schasinglulu 		}
374*91f16700Schasinglulu 	}
375*91f16700Schasinglulu };
376*91f16700Schasinglulu 
377*91f16700Schasinglulu /* SPMC */
378*91f16700Schasinglulu static const auth_img_desc_t bl32_image = {
379*91f16700Schasinglulu 	.img_id = BL32_IMAGE_ID,
380*91f16700Schasinglulu 	.img_type = IMG_RAW,
381*91f16700Schasinglulu 	.parent = &trusted_os_fw_content_cert,
382*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
383*91f16700Schasinglulu 		[0] = {
384*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
385*91f16700Schasinglulu 			.param.hash = {
386*91f16700Schasinglulu 				.data = &raw_data,
387*91f16700Schasinglulu 				.hash = &tos_fw_hash
388*91f16700Schasinglulu 			}
389*91f16700Schasinglulu 		}
390*91f16700Schasinglulu 	}
391*91f16700Schasinglulu };
392*91f16700Schasinglulu 
393*91f16700Schasinglulu /* SPM Config */
394*91f16700Schasinglulu static const auth_img_desc_t tos_fw_config = {
395*91f16700Schasinglulu 	.img_id = TOS_FW_CONFIG_ID,
396*91f16700Schasinglulu 	.img_type = IMG_RAW,
397*91f16700Schasinglulu 	.parent = &trusted_os_fw_content_cert,
398*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
399*91f16700Schasinglulu 		[0] = {
400*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
401*91f16700Schasinglulu 			.param.hash = {
402*91f16700Schasinglulu 				.data = &raw_data,
403*91f16700Schasinglulu 				.hash = &tos_fw_config_hash
404*91f16700Schasinglulu 			}
405*91f16700Schasinglulu 		}
406*91f16700Schasinglulu 	}
407*91f16700Schasinglulu };
408*91f16700Schasinglulu 
409*91f16700Schasinglulu /* Platform Key Certificate */
410*91f16700Schasinglulu static const auth_img_desc_t plat_key_cert = {
411*91f16700Schasinglulu 	.img_id = PLAT_KEY_CERT_ID,
412*91f16700Schasinglulu 	.img_type = IMG_CERT,
413*91f16700Schasinglulu 	.parent = NULL, /* PLATFORM ROOT CERT */
414*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
415*91f16700Schasinglulu 		[0] = {
416*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
417*91f16700Schasinglulu 			.param.sig = {
418*91f16700Schasinglulu 				.pk = &prot_pk,
419*91f16700Schasinglulu 				.sig = &sig,
420*91f16700Schasinglulu 				.alg = &sig_alg,
421*91f16700Schasinglulu 				.data = &raw_data
422*91f16700Schasinglulu 			}
423*91f16700Schasinglulu 		},
424*91f16700Schasinglulu 		[1] = {
425*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
426*91f16700Schasinglulu 			.param.nv_ctr = {
427*91f16700Schasinglulu 				.cert_nv_ctr = &non_trusted_nv_ctr,
428*91f16700Schasinglulu 				.plat_nv_ctr = &non_trusted_nv_ctr
429*91f16700Schasinglulu 			}
430*91f16700Schasinglulu 		}
431*91f16700Schasinglulu 	},
432*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
433*91f16700Schasinglulu 		[0] = {
434*91f16700Schasinglulu 			.type_desc = &plat_pk,
435*91f16700Schasinglulu 			.data = {
436*91f16700Schasinglulu 				.ptr = (void *)plat_pk_buf,
437*91f16700Schasinglulu 				.len = (unsigned int)PK_DER_LEN
438*91f16700Schasinglulu 			}
439*91f16700Schasinglulu 		}
440*91f16700Schasinglulu 	}
441*91f16700Schasinglulu };
442*91f16700Schasinglulu 
443*91f16700Schasinglulu /* Non-Trusted Firmware */
444*91f16700Schasinglulu static const auth_img_desc_t non_trusted_fw_content_cert = {
445*91f16700Schasinglulu 	.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
446*91f16700Schasinglulu 	.img_type = IMG_CERT,
447*91f16700Schasinglulu 	.parent = &plat_key_cert,
448*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
449*91f16700Schasinglulu 		[0] = {
450*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
451*91f16700Schasinglulu 			.param.sig = {
452*91f16700Schasinglulu 				.pk = &plat_pk,
453*91f16700Schasinglulu 				.sig = &sig,
454*91f16700Schasinglulu 				.alg = &sig_alg,
455*91f16700Schasinglulu 				.data = &raw_data
456*91f16700Schasinglulu 			}
457*91f16700Schasinglulu 		},
458*91f16700Schasinglulu 		[1] = {
459*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
460*91f16700Schasinglulu 			.param.nv_ctr = {
461*91f16700Schasinglulu 				.cert_nv_ctr = &non_trusted_nv_ctr,
462*91f16700Schasinglulu 				.plat_nv_ctr = &non_trusted_nv_ctr
463*91f16700Schasinglulu 			}
464*91f16700Schasinglulu 		}
465*91f16700Schasinglulu 	},
466*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
467*91f16700Schasinglulu 		[0] = {
468*91f16700Schasinglulu 			.type_desc = &nt_world_bl_hash,
469*91f16700Schasinglulu 			.data = {
470*91f16700Schasinglulu 				.ptr = (void *)nt_world_bl_hash_buf,
471*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
472*91f16700Schasinglulu 			}
473*91f16700Schasinglulu 		},
474*91f16700Schasinglulu 		[1] = {
475*91f16700Schasinglulu 			.type_desc = &nt_fw_config_hash,
476*91f16700Schasinglulu 			.data = {
477*91f16700Schasinglulu 				.ptr = (void *)nt_fw_config_hash_buf,
478*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
479*91f16700Schasinglulu 			}
480*91f16700Schasinglulu 		}
481*91f16700Schasinglulu 	}
482*91f16700Schasinglulu };
483*91f16700Schasinglulu 
484*91f16700Schasinglulu static const auth_img_desc_t bl33_image = {
485*91f16700Schasinglulu 	.img_id = BL33_IMAGE_ID,
486*91f16700Schasinglulu 	.img_type = IMG_RAW,
487*91f16700Schasinglulu 	.parent = &non_trusted_fw_content_cert,
488*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
489*91f16700Schasinglulu 		[0] = {
490*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
491*91f16700Schasinglulu 			.param.hash = {
492*91f16700Schasinglulu 				.data = &raw_data,
493*91f16700Schasinglulu 				.hash = &nt_world_bl_hash
494*91f16700Schasinglulu 			}
495*91f16700Schasinglulu 		}
496*91f16700Schasinglulu 	}
497*91f16700Schasinglulu };
498*91f16700Schasinglulu 
499*91f16700Schasinglulu /* NT FW Config */
500*91f16700Schasinglulu static const auth_img_desc_t nt_fw_config = {
501*91f16700Schasinglulu 	.img_id = NT_FW_CONFIG_ID,
502*91f16700Schasinglulu 	.img_type = IMG_RAW,
503*91f16700Schasinglulu 	.parent = &non_trusted_fw_content_cert,
504*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
505*91f16700Schasinglulu 		[0] = {
506*91f16700Schasinglulu 			.type = AUTH_METHOD_HASH,
507*91f16700Schasinglulu 			.param.hash = {
508*91f16700Schasinglulu 				.data = &raw_data,
509*91f16700Schasinglulu 				.hash = &nt_fw_config_hash
510*91f16700Schasinglulu 			}
511*91f16700Schasinglulu 		}
512*91f16700Schasinglulu 	}
513*91f16700Schasinglulu };
514*91f16700Schasinglulu 
515*91f16700Schasinglulu /*
516*91f16700Schasinglulu  * Secure Partitions
517*91f16700Schasinglulu  */
518*91f16700Schasinglulu #if defined(SPD_spmd)
519*91f16700Schasinglulu static const auth_img_desc_t sip_sp_content_cert = {
520*91f16700Schasinglulu 	.img_id = SIP_SP_CONTENT_CERT_ID,
521*91f16700Schasinglulu 	.img_type = IMG_CERT,
522*91f16700Schasinglulu 	.parent = &core_swd_key_cert,
523*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
524*91f16700Schasinglulu 		[0] = {
525*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
526*91f16700Schasinglulu 			.param.sig = {
527*91f16700Schasinglulu 				.pk = &core_swd_pk,
528*91f16700Schasinglulu 				.sig = &sig,
529*91f16700Schasinglulu 				.alg = &sig_alg,
530*91f16700Schasinglulu 				.data = &raw_data
531*91f16700Schasinglulu 			}
532*91f16700Schasinglulu 		},
533*91f16700Schasinglulu 		[1] = {
534*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
535*91f16700Schasinglulu 			.param.nv_ctr = {
536*91f16700Schasinglulu 				.cert_nv_ctr = &trusted_nv_ctr,
537*91f16700Schasinglulu 				.plat_nv_ctr = &trusted_nv_ctr
538*91f16700Schasinglulu 			}
539*91f16700Schasinglulu 		}
540*91f16700Schasinglulu 	},
541*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
542*91f16700Schasinglulu 		[0] = {
543*91f16700Schasinglulu 			.type_desc = &sp_pkg1_hash,
544*91f16700Schasinglulu 			.data = {
545*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[0],
546*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
547*91f16700Schasinglulu 			}
548*91f16700Schasinglulu 		},
549*91f16700Schasinglulu 		[1] = {
550*91f16700Schasinglulu 			.type_desc = &sp_pkg2_hash,
551*91f16700Schasinglulu 			.data = {
552*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[1],
553*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
554*91f16700Schasinglulu 			}
555*91f16700Schasinglulu 		},
556*91f16700Schasinglulu 		[2] = {
557*91f16700Schasinglulu 			.type_desc = &sp_pkg3_hash,
558*91f16700Schasinglulu 			.data = {
559*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[2],
560*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
561*91f16700Schasinglulu 			}
562*91f16700Schasinglulu 		},
563*91f16700Schasinglulu 		[3] = {
564*91f16700Schasinglulu 			.type_desc = &sp_pkg4_hash,
565*91f16700Schasinglulu 			.data = {
566*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[3],
567*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
568*91f16700Schasinglulu 			}
569*91f16700Schasinglulu 		}
570*91f16700Schasinglulu 	}
571*91f16700Schasinglulu };
572*91f16700Schasinglulu 
573*91f16700Schasinglulu DEFINE_SIP_SP_PKG(1);
574*91f16700Schasinglulu DEFINE_SIP_SP_PKG(2);
575*91f16700Schasinglulu DEFINE_SIP_SP_PKG(3);
576*91f16700Schasinglulu DEFINE_SIP_SP_PKG(4);
577*91f16700Schasinglulu 
578*91f16700Schasinglulu static const auth_img_desc_t plat_sp_content_cert = {
579*91f16700Schasinglulu 	.img_id = PLAT_SP_CONTENT_CERT_ID,
580*91f16700Schasinglulu 	.img_type = IMG_CERT,
581*91f16700Schasinglulu 	.parent = &plat_key_cert,
582*91f16700Schasinglulu 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
583*91f16700Schasinglulu 		[0] = {
584*91f16700Schasinglulu 			.type = AUTH_METHOD_SIG,
585*91f16700Schasinglulu 			.param.sig = {
586*91f16700Schasinglulu 				.pk = &plat_pk,
587*91f16700Schasinglulu 				.sig = &sig,
588*91f16700Schasinglulu 				.alg = &sig_alg,
589*91f16700Schasinglulu 				.data = &raw_data
590*91f16700Schasinglulu 			}
591*91f16700Schasinglulu 		},
592*91f16700Schasinglulu 		[1] = {
593*91f16700Schasinglulu 			.type = AUTH_METHOD_NV_CTR,
594*91f16700Schasinglulu 			.param.nv_ctr = {
595*91f16700Schasinglulu 				.cert_nv_ctr = &non_trusted_nv_ctr,
596*91f16700Schasinglulu 				.plat_nv_ctr = &non_trusted_nv_ctr
597*91f16700Schasinglulu 			}
598*91f16700Schasinglulu 		}
599*91f16700Schasinglulu 	},
600*91f16700Schasinglulu 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
601*91f16700Schasinglulu 		[0] = {
602*91f16700Schasinglulu 			.type_desc = &sp_pkg5_hash,
603*91f16700Schasinglulu 			.data = {
604*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[4],
605*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
606*91f16700Schasinglulu 			}
607*91f16700Schasinglulu 		},
608*91f16700Schasinglulu 		[1] = {
609*91f16700Schasinglulu 			.type_desc = &sp_pkg6_hash,
610*91f16700Schasinglulu 			.data = {
611*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[5],
612*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
613*91f16700Schasinglulu 			}
614*91f16700Schasinglulu 		},
615*91f16700Schasinglulu 		[2] = {
616*91f16700Schasinglulu 			.type_desc = &sp_pkg7_hash,
617*91f16700Schasinglulu 			.data = {
618*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[6],
619*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
620*91f16700Schasinglulu 			}
621*91f16700Schasinglulu 		},
622*91f16700Schasinglulu 		[3] = {
623*91f16700Schasinglulu 			.type_desc = &sp_pkg8_hash,
624*91f16700Schasinglulu 			.data = {
625*91f16700Schasinglulu 				.ptr = (void *)sp_pkg_hash_buf[7],
626*91f16700Schasinglulu 				.len = (unsigned int)HASH_DER_LEN
627*91f16700Schasinglulu 			}
628*91f16700Schasinglulu 		}
629*91f16700Schasinglulu 	}
630*91f16700Schasinglulu };
631*91f16700Schasinglulu 
632*91f16700Schasinglulu DEFINE_PLAT_SP_PKG(5);
633*91f16700Schasinglulu DEFINE_PLAT_SP_PKG(6);
634*91f16700Schasinglulu DEFINE_PLAT_SP_PKG(7);
635*91f16700Schasinglulu DEFINE_PLAT_SP_PKG(8);
636*91f16700Schasinglulu #endif /* SPD_spmd */
637*91f16700Schasinglulu #endif /* IMAGE_BL2 */
638*91f16700Schasinglulu /*
639*91f16700Schasinglulu  * Chain of trust definition
640*91f16700Schasinglulu  */
641*91f16700Schasinglulu #ifdef IMAGE_BL1
642*91f16700Schasinglulu static const auth_img_desc_t * const cot_desc[] = {
643*91f16700Schasinglulu 	[CCA_CONTENT_CERT_ID]			=	&cca_content_cert,
644*91f16700Schasinglulu 	[BL2_IMAGE_ID]				=	&bl2_image,
645*91f16700Schasinglulu 	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
646*91f16700Schasinglulu 	[FW_CONFIG_ID]				=	&fw_config,
647*91f16700Schasinglulu };
648*91f16700Schasinglulu #else /* IMAGE_BL2 */
649*91f16700Schasinglulu static const auth_img_desc_t * const cot_desc[] = {
650*91f16700Schasinglulu 	[CCA_CONTENT_CERT_ID]			=	&cca_content_cert,
651*91f16700Schasinglulu 	[HW_CONFIG_ID]				=	&hw_config,
652*91f16700Schasinglulu 	[BL31_IMAGE_ID]				=	&bl31_image,
653*91f16700Schasinglulu 	[SOC_FW_CONFIG_ID]			=	&soc_fw_config,
654*91f16700Schasinglulu 	[RMM_IMAGE_ID]				=	&rmm_image,
655*91f16700Schasinglulu 	[CORE_SWD_KEY_CERT_ID]			=	&core_swd_key_cert,
656*91f16700Schasinglulu 	[TRUSTED_OS_FW_CONTENT_CERT_ID]		=	&trusted_os_fw_content_cert,
657*91f16700Schasinglulu 	[BL32_IMAGE_ID]				=	&bl32_image,
658*91f16700Schasinglulu 	[TOS_FW_CONFIG_ID]			=	&tos_fw_config,
659*91f16700Schasinglulu 	[PLAT_KEY_CERT_ID]			=	&plat_key_cert,
660*91f16700Schasinglulu 	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
661*91f16700Schasinglulu 	[BL33_IMAGE_ID]				=	&bl33_image,
662*91f16700Schasinglulu 	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
663*91f16700Schasinglulu #if defined(SPD_spmd)
664*91f16700Schasinglulu 	[SIP_SP_CONTENT_CERT_ID]		=	&sip_sp_content_cert,
665*91f16700Schasinglulu 	[PLAT_SP_CONTENT_CERT_ID]		=	&plat_sp_content_cert,
666*91f16700Schasinglulu 	[SP_PKG1_ID]				=	&sp_pkg1,
667*91f16700Schasinglulu 	[SP_PKG2_ID]				=	&sp_pkg2,
668*91f16700Schasinglulu 	[SP_PKG3_ID]				=	&sp_pkg3,
669*91f16700Schasinglulu 	[SP_PKG4_ID]				=	&sp_pkg4,
670*91f16700Schasinglulu 	[SP_PKG5_ID]				=	&sp_pkg5,
671*91f16700Schasinglulu 	[SP_PKG6_ID]				=	&sp_pkg6,
672*91f16700Schasinglulu 	[SP_PKG7_ID]				=	&sp_pkg7,
673*91f16700Schasinglulu 	[SP_PKG8_ID]				=       &sp_pkg8,
674*91f16700Schasinglulu #endif
675*91f16700Schasinglulu };
676*91f16700Schasinglulu #endif /* IMAGE_BL1 */
677*91f16700Schasinglulu 
678*91f16700Schasinglulu /* Register the CoT in the authentication module */
679*91f16700Schasinglulu REGISTER_COT(cot_desc);
680