1*91f16700Schasinglulu /*
2*91f16700Schasinglulu  * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
3*91f16700Schasinglulu  *
4*91f16700Schasinglulu  * SPDX-License-Identifier: BSD-3-Clause
5*91f16700Schasinglulu  */
6*91f16700Schasinglulu 
7*91f16700Schasinglulu #include <stddef.h>
8*91f16700Schasinglulu 
9*91f16700Schasinglulu #include <mbedtls/version.h>
10*91f16700Schasinglulu 
11*91f16700Schasinglulu #include <drivers/auth/auth_mod.h>
12*91f16700Schasinglulu #include <drivers/auth/tbbr_cot_common.h>
13*91f16700Schasinglulu 
14*91f16700Schasinglulu #if USE_TBBR_DEFS
15*91f16700Schasinglulu #include <tools_share/tbbr_oid.h>
16*91f16700Schasinglulu #else
17*91f16700Schasinglulu #include <platform_oid.h>
18*91f16700Schasinglulu #endif
19*91f16700Schasinglulu 
20*91f16700Schasinglulu #include <platform_def.h>
21*91f16700Schasinglulu 
/*
 * Type descriptors for the three hash parameters that fwu_cert lists as
 * authenticated_data (see below). Each descriptor is referenced twice in
 * this file: by fwu_cert, where the value is obtained from the certificate,
 * and by the matching *_image descriptor, where it names the reference hash
 * the raw image is compared against. Which header supplies the *_OID
 * constants depends on USE_TBBR_DEFS (see the includes above); with a
 * platform_oid.h the platform must define all three.
 *
 * NOTE(review): unlike every other descriptor in this file these are not
 * const. Nothing here writes to them, so they look like candidates for
 * .rodata — confirm the auth_mod field types accept a const pointer first.
 */
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FWU_HASH_OID);
28*91f16700Schasinglulu 
/*
 * BL2
 *
 * Raw image, authenticated by hashing its contents (raw_data) and comparing
 * against tb_fw_hash. Its parent is trusted_boot_fw_cert, so that
 * certificate has to pass authentication before this image is accepted.
 * tb_fw_hash, raw_data and trusted_boot_fw_cert are not defined in this
 * file (expected from tbbr_cot_common.h).
 */
static const auth_img_desc_t bl2_image = {
	.img_id = BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_hash
			}
		}
	}
};
43*91f16700Schasinglulu 
/*
 * FWU auth descriptor.
 *
 * Certificate covering the firmware-update images. It has no parent
 * (.parent = NULL), so no parent certificate supplies the verification key:
 * the signature over raw_data is checked with subject_pk. Presumably the
 * auth module validates that key against the ROTPK for a parent-less
 * certificate — confirm in auth_mod before relying on it.
 *
 * The three authenticated_data entries are the reference hashes that
 * scp_bl2u_image, bl2u_image and ns_bl2u_image are verified against. Each
 * is stored into a buffer declared elsewhere (expected from
 * tbbr_cot_common.h) with .len = HASH_DER_LEN, so those buffers must be at
 * least HASH_DER_LEN bytes — verify their definitions.
 */
static const auth_img_desc_t fwu_cert = {
	.img_id = FWU_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* Consumed by scp_bl2u_image. */
		[0] = {
			.type_desc = &scp_bl2u_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		/* Consumed by bl2u_image. */
		[1] = {
			.type_desc = &bl2u_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		/* Consumed by ns_bl2u_image. */
		[2] = {
			.type_desc = &ns_bl2u_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};
/*
 * SCP_BL2U
 *
 * Raw firmware-update image for the SCP. Hashed and compared against
 * scp_bl2u_hash, the value fwu_cert (its parent) provides as
 * authenticated_data[0]; fwu_cert must therefore be authenticated first.
 */
static const auth_img_desc_t scp_bl2u_image = {
	.img_id = SCP_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_bl2u_hash
			}
		}
	}
};
/*
 * BL2U
 *
 * Raw firmware-update image for the AP. Hashed and compared against
 * bl2u_hash, the value fwu_cert (its parent) provides as
 * authenticated_data[1]; fwu_cert must therefore be authenticated first.
 */
static const auth_img_desc_t bl2u_image = {
	.img_id = BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &bl2u_hash
			}
		}
	}
};
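/*
 * NS_BL2U
 *
 * Raw non-secure firmware-update image. Hashed and compared against
 * ns_bl2u_hash, the value fwu_cert (its parent) provides as
 * authenticated_data[2]; fwu_cert must therefore be authenticated first.
 * Layout follows scp_bl2u_image/bl2u_image exactly so the three FWU
 * descriptors can be diffed against each other.
 */
static const auth_img_desc_t ns_bl2u_image = {
	.img_id = NS_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &ns_bl2u_hash
			}
		}
	}
};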
/*
 * TB_FW_CONFIG
 *
 * Raw configuration blob, hashed and compared against tb_fw_config_hash.
 * Its parent is trusted_boot_fw_cert, so that certificate has to pass
 * authentication first. tb_fw_config_hash and trusted_boot_fw_cert are not
 * defined in this file (expected from tbbr_cot_common.h).
 */
static const auth_img_desc_t tb_fw_config = {
	.img_id = TB_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_config_hash
			}
		}
	}
};
154*91f16700Schasinglulu 
/*
 * FW_CONFIG
 *
 * Raw configuration blob, hashed and compared against fw_config_hash.
 * Its parent is trusted_boot_fw_cert, so that certificate has to pass
 * authentication first. fw_config_hash and trusted_boot_fw_cert are not
 * defined in this file (expected from tbbr_cot_common.h).
 */
static const auth_img_desc_t fw_config = {
	.img_id = FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &fw_config_hash
			}
		}
	}
};
169*91f16700Schasinglulu 
/*
 * TBBR Chain of trust definition
 *
 * Indexed by image id. With designated initializers the array length is
 * (highest listed id + 1) and any id in that range that is not listed here
 * is a NULL entry, so the auth module must treat a NULL slot as "no
 * descriptor" rather than dereference it — confirm that check in auth_mod.
 * trusted_boot_fw_cert and hw_config are not defined in this file (expected
 * from tbbr_cot_common.h). Two roots are present: trusted_boot_fw_cert
 * (for BL2 and the config blobs) and fwu_cert (for the FWU images).
 */
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
	[BL2_IMAGE_ID]				=	&bl2_image,
	[HW_CONFIG_ID]				=	&hw_config,
	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
	[FW_CONFIG_ID]				=	&fw_config,
	[FWU_CERT_ID]				=	&fwu_cert,
	[SCP_BL2U_IMAGE_ID]			=	&scp_bl2u_image,
	[BL2U_IMAGE_ID]				=	&bl2u_image,
	[NS_BL2U_IMAGE_ID]			=	&ns_bl2u_image
};

/*
 * Register the CoT in the authentication module.
 * NOTE(review): presumably the macro also records the array length so that
 * lookups by image id can be bounds-checked — verify in auth_mod.h.
 */
REGISTER_COT(cot_desc);