/*
 * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <stddef.h>

#include <mbedtls/version.h>

#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>

#include <tools_share/dualroot_oid.h>

#include <platform_def.h>

/*
 * Allocate static buffers to store the authentication parameters extracted from
 * the certificates.
 *
 * The certificate descriptors later in this file point their
 * authenticated_data entries at these buffers and declare the full buffer
 * size (HASH_DER_LEN here) as the entry length.
 * NOTE(review): the code that fills the buffers is outside this file;
 * presumably it bounds each copy by that declared length - confirm.
 */
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char hw_config_hash_buf[HASH_DER_LEN];
static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];

/* The remaining hash buffers are only built into the BL2 image. */
#ifdef IMAGE_BL2
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
#if defined(SPD_spmd)
/* One HASH_DER_LEN slot per secure partition package, MAX_SP_IDS slots. */
static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
#endif /* SPD_spmd */

/*
 * Public-key buffers.
 *
 * content_pk_buf is named as the key storage by three key-certificate
 * descriptors in this file (scp_fw_key_cert, soc_fw_key_cert and
 * trusted_os_fw_key_cert).
 * NOTE(review): with one shared buffer, a stored content key is presumably
 * valid only until the next key certificate is processed - confirm that
 * each content certificate is verified before another key certificate is
 * loaded.
 */
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN];
#endif /* IMAGE_BL2 */

/*
 * Parameter type descriptors.
 *
 * Each descriptor pairs a parameter kind (AUTH_PARAM_*) with a second macro
 * argument that is either an *_OID identifier or 0.
 * NOTE(review): presumably the OID selects the certificate extension the
 * value is read from, and 0 means the value comes from the certificate
 * structure itself - confirm against AUTH_PARAM_TYPE_DESC.
 */
static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, 0);
static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG, 0);
static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG_ALG, 0);
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_RAW_DATA, 0);

/* Hashes listed by trusted_boot_fw_cert. */
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
/* BL1-only hash descriptors; their users are not in this part of the file. */
#ifdef IMAGE_BL1
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FWU_HASH_OID);
#endif /* IMAGE_BL1 */

#ifdef IMAGE_BL2
/* Counter checked by the certificates signed with prot_pk. */
static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);

/*
 * Public keys. trusted_world_pk is listed by trusted_key_cert, the
 * *_content_pk keys by the key certificates below it, and prot_pk is the
 * signing key named by the parentless non-trusted and platform SP
 * certificates.
 */
static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t prot_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, PROT_PK_OID);

/* Hashes listed by the SCP and SoC firmware content certificates. */
static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
/* Hashes listed by trusted_os_fw_content_cert. */
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
/* Hashes listed by non_trusted_fw_content_cert. */
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
#if defined(SPD_spmd)
/*
 * One hash descriptor per secure partition package. The SP content
 * certificates further down store sp_pkgN_hash in sp_pkg_hash_buf[N - 1]
 * (visible there for packages 1 to 5).
 */
static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
#endif /* SPD_spmd */
#endif /* IMAGE_BL2 */


/*
 * Image descriptors.
 *
 * Each descriptor names its parent certificate (.parent), the checks applied
 * to the image itself (.img_auth_methods) and, for certificates, the values
 * stored for authenticating its children (.authenticated_data).
 *
 * Descriptors with .parent = NULL start a chain. Down to nt_fw_config these
 * are trusted_boot_fw_cert and trusted_key_cert, whose signature key
 * descriptor is subject_pk, and non_trusted_fw_content_cert, whose signature
 * key descriptor is prot_pk.
 * NOTE(review): nothing in this file ties subject_pk or prot_pk to a key
 * held by the platform; presumably the auth module anchors parentless
 * certificates to the platform root keys - confirm.
 */

/* BL2 */
/*
 * Trusted boot firmware certificate: parentless, checked by signature
 * (subject_pk) and by NV counter (trusted_nv_ctr). It lists the hashes used
 * by bl2_image, tb_fw_config, hw_config and fw_config.
 */
static const auth_img_desc_t trusted_boot_fw_cert = {
	.img_id = TRUSTED_BOOT_FW_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			/*
			 * Both fields name the same descriptor.
			 * NOTE(review): presumably the counter in the
			 * certificate is compared with the platform counter
			 * of the same kind - confirm in the auth module.
			 */
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tb_fw_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &tb_fw_config_hash,
			.data = {
				.ptr = (void *)tb_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &hw_config_hash,
			.data = {
				.ptr = (void *)hw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &fw_config_hash,
			.data = {
				.ptr = (void *)fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

#ifdef IMAGE_BL1
/* BL2 image: raw image hashed against tb_fw_hash from trusted_boot_fw_cert. */
static const auth_img_desc_t bl2_image = {
	.img_id = BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_hash
			}
		}
	}
};
#endif /* IMAGE_BL1 */

/* HW Config */
/* Raw image hashed against hw_config_hash from trusted_boot_fw_cert. */
static const auth_img_desc_t hw_config = {
	.img_id = HW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &hw_config_hash
			}
		}
	}
};

/* TB FW Config */
#ifdef IMAGE_BL1
/* Raw image hashed against tb_fw_config_hash from trusted_boot_fw_cert. */
static const auth_img_desc_t tb_fw_config = {
	.img_id = TB_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_config_hash
			}
		}
	}
};

/* FW Config: raw image hashed against fw_config_hash from trusted_boot_fw_cert. */
static const auth_img_desc_t fw_config = {
	.img_id = FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &fw_config_hash
			}
		}
	}
};

#endif /* IMAGE_BL1 */

#ifdef IMAGE_BL2
/* Trusted key certificate */
/*
 * Parentless; checked by signature (subject_pk) and NV counter
 * (trusted_nv_ctr). It lists trusted_world_pk, the signing key named by the
 * SCP, SoC and Trusted OS key certificates and by sip_sp_content_cert.
 */
static const auth_img_desc_t trusted_key_cert = {
	.img_id = TRUSTED_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &trusted_world_pk,
			.data = {
				.ptr = (void *)trusted_world_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		},
	}
};

/* SCP Firmware */
/*
 * SCP key certificate: child of trusted_key_cert, signed with
 * trusted_world_pk. It lists scp_fw_content_pk, stored in the shared
 * content_pk_buf (also used by soc_fw_key_cert and trusted_os_fw_key_cert).
 */
static const auth_img_desc_t scp_fw_key_cert = {
	.img_id = SCP_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};

/* SCP content certificate: signed with scp_fw_content_pk; lists scp_fw_hash. */
static const auth_img_desc_t scp_fw_content_cert = {
	.img_id = SCP_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &scp_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &scp_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_fw_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* SCP_BL2 image: raw image hashed against scp_fw_hash. */
static const auth_img_desc_t scp_bl2_image = {
	.img_id = SCP_BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &scp_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_fw_hash
			}
		}
	}
};

/* SoC Firmware */
/*
 * SoC key certificate: child of trusted_key_cert, signed with
 * trusted_world_pk. It lists soc_fw_content_pk, stored in the shared
 * content_pk_buf.
 */
static const auth_img_desc_t soc_fw_key_cert = {
	.img_id = SOC_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &soc_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};

/*
 * SoC content certificate: signed with soc_fw_content_pk; lists soc_fw_hash
 * (used by bl31_image) and soc_fw_config_hash (used by soc_fw_config).
 */
static const auth_img_desc_t soc_fw_content_cert = {
	.img_id = SOC_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &soc_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &soc_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &soc_fw_hash,
			.data = {
				.ptr = (void *)soc_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &soc_fw_config_hash,
			.data = {
				.ptr = (void *)soc_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* BL31 image: raw image hashed against soc_fw_hash. */
static const auth_img_desc_t bl31_image = {
	.img_id = BL31_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &soc_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &soc_fw_hash
			}
		}
	}
};

/* SOC FW Config */
/* Raw image hashed against soc_fw_config_hash. */
static const auth_img_desc_t soc_fw_config = {
	.img_id = SOC_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &soc_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &soc_fw_config_hash
			}
		}
	}
};

/* Trusted OS Firmware */
/*
 * Trusted OS key certificate: child of trusted_key_cert, signed with
 * trusted_world_pk. It lists tos_fw_content_pk, stored in the shared
 * content_pk_buf.
 */
static const auth_img_desc_t trusted_os_fw_key_cert = {
	.img_id = TRUSTED_OS_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tos_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};

/*
 * Trusted OS content certificate: signed with tos_fw_content_pk; lists the
 * hashes used by bl32_image, bl32_extra1_image, bl32_extra2_image and
 * tos_fw_config.
 */
static const auth_img_desc_t trusted_os_fw_content_cert = {
	.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_os_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &tos_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tos_fw_hash,
			.data = {
				.ptr = (void *)tos_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &tos_fw_extra1_hash,
			.data = {
				.ptr = (void *)tos_fw_extra1_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &tos_fw_extra2_hash,
			.data = {
				.ptr = (void *)tos_fw_extra2_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &tos_fw_config_hash,
			.data = {
				.ptr = (void *)tos_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* BL32 image: raw image hashed against tos_fw_hash. */
static const auth_img_desc_t bl32_image = {
	.img_id = BL32_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_hash
			}
		}
	}
};

/* BL32 extra1 image: raw image hashed against tos_fw_extra1_hash. */
static const auth_img_desc_t bl32_extra1_image = {
	.img_id = BL32_EXTRA1_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_extra1_hash
			}
		}
	}
};

/* BL32 extra2 image: raw image hashed against tos_fw_extra2_hash. */
static const auth_img_desc_t bl32_extra2_image = {
	.img_id = BL32_EXTRA2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_extra2_hash
			}
		}
	}
};

/* TOS FW Config */
/* Raw image hashed against tos_fw_config_hash. */
static const auth_img_desc_t tos_fw_config = {
	.img_id = TOS_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_config_hash
			}
		}
	}
};

/* Non-Trusted Firmware */
/*
 * Parentless certificate for the non-trusted world. Unlike the trusted
 * chain it is signed with prot_pk and checked against non_trusted_nv_ctr.
 * It lists the hashes used by bl33_image and nt_fw_config.
 */
static const auth_img_desc_t non_trusted_fw_content_cert = {
	.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL, /* Root certificate. */
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &prot_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &non_trusted_nv_ctr,
				.plat_nv_ctr = &non_trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &nt_world_bl_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &nt_fw_config_hash,
			.data = {
				.ptr = (void *)nt_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* BL33 image: raw image hashed against nt_world_bl_hash. */
static const auth_img_desc_t bl33_image = {
	.img_id = BL33_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &non_trusted_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &nt_world_bl_hash
			}
		}
	}
};

/* NT FW Config */
/* Raw image hashed against nt_fw_config_hash. */
static const auth_img_desc_t nt_fw_config = {
	.img_id = NT_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &non_trusted_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &nt_fw_config_hash
			}
		}
	}
};

/*
 * Secure Partitions
 */
#if defined(SPD_spmd)
/*
 * Silicon-provider Secure Partition content certificate.
 *
 * Chained under trusted_key_cert and verified with trusted_world_pk and the
 * trusted NV counter. It carries the hashes of SP packages 1-4, stored in
 * sp_pkg_hash_buf[0..3].
 * NOTE(review): trusted_key_cert and trusted_world_pk are defined outside
 * this view; presumably the key is one of the parent's authenticated
 * parameters - confirm.
 */
static const auth_img_desc_t sip_sp_content_cert = {
	.img_id = SIP_SP_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &sp_pkg1_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[0],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &sp_pkg2_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[1],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &sp_pkg3_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[2],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &sp_pkg4_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[3],
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/*
 * DEFINE_SIP_SP_PKG is defined outside this view; presumably each use emits
 * the sp_pkgN descriptor that cot_desc references, parented to
 * sip_sp_content_cert - confirm against the macro definition.
 */
DEFINE_SIP_SP_PKG(1);
DEFINE_SIP_SP_PKG(2);
DEFINE_SIP_SP_PKG(3);
DEFINE_SIP_SP_PKG(4);

/*
 * Platform-owner Secure Partition content certificate.
 *
 * Unlike sip_sp_content_cert this descriptor has no parent: it is verified
 * with prot_pk and the non-trusted NV counter, the same pair used by
 * non_trusted_fw_content_cert. It carries the hashes of SP packages 5-8.
 *
 * NOTE(review): the entries below index sp_pkg_hash_buf[4..7], so the buffer
 * declaration sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN] needs
 * MAX_SP_IDS >= 8. MAX_SP_IDS is defined outside this view - confirm, or
 * enforce it with a compile-time assertion next to the buffer.
 */
static const auth_img_desc_t plat_sp_content_cert = {
	.img_id = PLAT_SP_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &prot_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &non_trusted_nv_ctr,
				.plat_nv_ctr = &non_trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &sp_pkg5_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[4],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &sp_pkg6_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[5],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &sp_pkg7_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[6],
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &sp_pkg8_hash,
			.data = {
				.ptr = (void *)sp_pkg_hash_buf[7],
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/*
 * DEFINE_PLAT_SP_PKG is defined outside this view; presumably each use emits
 * an sp_pkgN descriptor parented to plat_sp_content_cert - confirm against
 * the macro definition.
 */
DEFINE_PLAT_SP_PKG(5);
DEFINE_PLAT_SP_PKG(6);
DEFINE_PLAT_SP_PKG(7);
DEFINE_PLAT_SP_PKG(8);
#endif /* SPD_spmd */

#else /* IMAGE_BL2 */

/*
 * FWU auth descriptor.
 *
 * The firmware-update certificate has no parent and is verified with
 * subject_pk. It carries the hashes of the three update images below, stored
 * in scp_fw_hash_buf, tb_fw_hash_buf and nt_world_bl_hash_buf.
 *
 * NOTE(review): this is the only certificate in this part of the file whose
 * img_auth_methods lists no AUTH_METHOD_NV_CTR entry, so the descriptor
 * itself requests no counter check. Confirm that rollback protection for
 * firmware-update images is intentionally absent or is provided elsewhere.
 */
static const auth_img_desc_t fwu_cert = {
	.img_id = FWU_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_bl2u_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &bl2u_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &ns_bl2u_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* SCP_BL2U: raw image authenticated by hash (scp_bl2u_hash) under fwu_cert. */
static const auth_img_desc_t scp_bl2u_image = {
	.img_id = SCP_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_bl2u_hash
			}
		}
	}
};

/* BL2U: raw image authenticated by hash (bl2u_hash) under fwu_cert. */
static const auth_img_desc_t bl2u_image = {
	.img_id = BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &bl2u_hash
			}
		}
	}
};

/* NS_BL2U: raw image authenticated by hash (ns_bl2u_hash) under fwu_cert. */
static const auth_img_desc_t ns_bl2u_image = {
	.img_id = NS_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &ns_bl2u_hash
			}
		}
	}
};
#endif /* IMAGE_BL2 */

/*
 * Chain of trust definition
 *
 * cot_desc is indexed by image ID through designated initializers. Any ID
 * below the largest index used that has no entry here is left as a NULL
 * pointer, because C zero-initialises elements that are not named.
 * NOTE(review): confirm that the code consuming this table bounds-checks the
 * image ID and treats a NULL entry as an authentication failure.
 */
#ifdef IMAGE_BL1
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]	=	&trusted_boot_fw_cert,
	[BL2_IMAGE_ID]	=	&bl2_image,
	[HW_CONFIG_ID]	=	&hw_config,
	[TB_FW_CONFIG_ID]	=	&tb_fw_config,
	[FW_CONFIG_ID]	=	&fw_config,
	[FWU_CERT_ID]	=	&fwu_cert,
	[SCP_BL2U_IMAGE_ID]	=	&scp_bl2u_image,
	[BL2U_IMAGE_ID]	=	&bl2u_image,
	[NS_BL2U_IMAGE_ID]	=	&ns_bl2u_image
};
#else /* IMAGE_BL2 */
/*
 * Chain-of-trust table for the build in which IMAGE_BL1 is not defined.
 * Entries are placed by image ID with designated initializers, so any ID
 * below the largest index used that is not named here is a NULL pointer.
 * NOTE(review): confirm that the code consuming this table bounds-checks the
 * image ID and treats a NULL entry as an authentication failure.
 */
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]	=	&trusted_boot_fw_cert,
	[HW_CONFIG_ID]	=	&hw_config,
	[TRUSTED_KEY_CERT_ID]	=	&trusted_key_cert,
	[SCP_FW_KEY_CERT_ID]	=	&scp_fw_key_cert,
	[SCP_FW_CONTENT_CERT_ID]	=	&scp_fw_content_cert,
	[SCP_BL2_IMAGE_ID]	=	&scp_bl2_image,
	[SOC_FW_KEY_CERT_ID]	=	&soc_fw_key_cert,
	[SOC_FW_CONTENT_CERT_ID]	=	&soc_fw_content_cert,
	[BL31_IMAGE_ID]	=	&bl31_image,
	[SOC_FW_CONFIG_ID]	=	&soc_fw_config,
	[TRUSTED_OS_FW_KEY_CERT_ID]	=	&trusted_os_fw_key_cert,
	[TRUSTED_OS_FW_CONTENT_CERT_ID]	=	&trusted_os_fw_content_cert,
	[BL32_IMAGE_ID]	=	&bl32_image,
	[BL32_EXTRA1_IMAGE_ID]	=	&bl32_extra1_image,
	[BL32_EXTRA2_IMAGE_ID]	=	&bl32_extra2_image,
	[TOS_FW_CONFIG_ID]	=	&tos_fw_config,
	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
	[BL33_IMAGE_ID]	=	&bl33_image,
	[NT_FW_CONFIG_ID]	=	&nt_fw_config,
#if defined(SPD_spmd)
	/* Secure Partition certificates and the eight SP package descriptors. */
	[SIP_SP_CONTENT_CERT_ID]	=	&sip_sp_content_cert,
	[PLAT_SP_CONTENT_CERT_ID]	=	&plat_sp_content_cert,
	[SP_PKG1_ID]	=	&sp_pkg1,
	[SP_PKG2_ID]	=	&sp_pkg2,
	[SP_PKG3_ID]	=	&sp_pkg3,
	[SP_PKG4_ID]	=	&sp_pkg4,
	[SP_PKG5_ID]	=	&sp_pkg5,
	[SP_PKG6_ID]	=	&sp_pkg6,
	[SP_PKG7_ID]	=	&sp_pkg7,
	[SP_PKG8_ID]	=	&sp_pkg8,
#endif /* SPD_spmd */
};
#endif /* IMAGE_BL1 */

/* Register the CoT in the authentication module */
REGISTER_COT(cot_desc);