1*91f16700Schasinglulu /* 2*91f16700Schasinglulu * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. 3*91f16700Schasinglulu * 4*91f16700Schasinglulu * SPDX-License-Identifier: BSD-3-Clause 5*91f16700Schasinglulu */ 6*91f16700Schasinglulu 7*91f16700Schasinglulu #include <stddef.h> 8*91f16700Schasinglulu 9*91f16700Schasinglulu #include <mbedtls/version.h> 10*91f16700Schasinglulu 11*91f16700Schasinglulu #include <drivers/auth/auth_mod.h> 12*91f16700Schasinglulu #include <drivers/auth/tbbr_cot_common.h> 13*91f16700Schasinglulu 14*91f16700Schasinglulu #if USE_TBBR_DEFS 15*91f16700Schasinglulu #include <tools_share/tbbr_oid.h> 16*91f16700Schasinglulu #else 17*91f16700Schasinglulu #include <platform_oid.h> 18*91f16700Schasinglulu #endif 19*91f16700Schasinglulu 20*91f16700Schasinglulu #include <platform_def.h> 21*91f16700Schasinglulu 22*91f16700Schasinglulu static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 23*91f16700Schasinglulu static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 24*91f16700Schasinglulu static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 25*91f16700Schasinglulu static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 26*91f16700Schasinglulu static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 27*91f16700Schasinglulu static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; 28*91f16700Schasinglulu static unsigned char content_pk_buf[PK_DER_LEN]; 29*91f16700Schasinglulu static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; 30*91f16700Schasinglulu static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; 31*91f16700Schasinglulu static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; 32*91f16700Schasinglulu #if defined(SPD_spmd) 33*91f16700Schasinglulu static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN]; 34*91f16700Schasinglulu #endif /* SPD_spmd */ 35*91f16700Schasinglulu 36*91f16700Schasinglulu static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 37*91f16700Schasinglulu AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 38*91f16700Schasinglulu static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 39*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 40*91f16700Schasinglulu static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( 41*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); 42*91f16700Schasinglulu static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( 43*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); 44*91f16700Schasinglulu static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 45*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 46*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 47*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 48*91f16700Schasinglulu static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( 49*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); 50*91f16700Schasinglulu static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( 51*91f16700Schasinglulu AUTH_PARAM_HASH, SCP_FW_HASH_OID); 52*91f16700Schasinglulu static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 53*91f16700Schasinglulu AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 54*91f16700Schasinglulu static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( 55*91f16700Schasinglulu AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); 56*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 57*91f16700Schasinglulu AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 58*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( 59*91f16700Schasinglulu AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); 60*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 61*91f16700Schasinglulu AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 62*91f16700Schasinglulu static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 63*91f16700Schasinglulu AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 64*91f16700Schasinglulu static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 65*91f16700Schasinglulu AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 66*91f16700Schasinglulu static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( 67*91f16700Schasinglulu AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); 68*91f16700Schasinglulu #if defined(SPD_spmd) 69*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC( 70*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG1_HASH_OID); 71*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC( 72*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG2_HASH_OID); 73*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC( 74*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG3_HASH_OID); 75*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC( 76*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG4_HASH_OID); 77*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC( 78*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG5_HASH_OID); 79*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC( 80*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG6_HASH_OID); 81*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC( 82*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG7_HASH_OID); 83*91f16700Schasinglulu static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC( 84*91f16700Schasinglulu AUTH_PARAM_HASH, SP_PKG8_HASH_OID); 85*91f16700Schasinglulu #endif /* SPD_spmd */ 86*91f16700Schasinglulu 87*91f16700Schasinglulu /* 88*91f16700Schasinglulu * Trusted key certificate 89*91f16700Schasinglulu */ 90*91f16700Schasinglulu static const auth_img_desc_t trusted_key_cert = { 91*91f16700Schasinglulu .img_id = TRUSTED_KEY_CERT_ID, 92*91f16700Schasinglulu .img_type = IMG_CERT, 93*91f16700Schasinglulu .parent = NULL, 94*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 95*91f16700Schasinglulu [0] = { 96*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 97*91f16700Schasinglulu .param.sig = { 98*91f16700Schasinglulu .pk = &subject_pk, 99*91f16700Schasinglulu .sig = &sig, 100*91f16700Schasinglulu .alg = &sig_alg, 101*91f16700Schasinglulu .data = &raw_data 102*91f16700Schasinglulu } 103*91f16700Schasinglulu }, 104*91f16700Schasinglulu [1] = { 105*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 106*91f16700Schasinglulu .param.nv_ctr = { 107*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 108*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 109*91f16700Schasinglulu } 110*91f16700Schasinglulu } 111*91f16700Schasinglulu }, 112*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 113*91f16700Schasinglulu [0] = { 114*91f16700Schasinglulu .type_desc = &trusted_world_pk, 115*91f16700Schasinglulu .data = { 116*91f16700Schasinglulu .ptr = (void *)trusted_world_pk_buf, 117*91f16700Schasinglulu .len = (unsigned int)PK_DER_LEN 118*91f16700Schasinglulu } 119*91f16700Schasinglulu }, 120*91f16700Schasinglulu [1] = { 121*91f16700Schasinglulu .type_desc = &non_trusted_world_pk, 122*91f16700Schasinglulu .data = { 123*91f16700Schasinglulu .ptr = (void *)non_trusted_world_pk_buf, 124*91f16700Schasinglulu .len = (unsigned int)PK_DER_LEN 125*91f16700Schasinglulu } 126*91f16700Schasinglulu } 127*91f16700Schasinglulu } 128*91f16700Schasinglulu }; 129*91f16700Schasinglulu /* 130*91f16700Schasinglulu * SCP Firmware 131*91f16700Schasinglulu */ 132*91f16700Schasinglulu static const auth_img_desc_t scp_fw_key_cert = { 133*91f16700Schasinglulu .img_id = SCP_FW_KEY_CERT_ID, 134*91f16700Schasinglulu .img_type = IMG_CERT, 135*91f16700Schasinglulu .parent = &trusted_key_cert, 136*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 137*91f16700Schasinglulu [0] = { 138*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 139*91f16700Schasinglulu .param.sig = { 140*91f16700Schasinglulu .pk = &trusted_world_pk, 141*91f16700Schasinglulu .sig = &sig, 142*91f16700Schasinglulu .alg = &sig_alg, 143*91f16700Schasinglulu .data = &raw_data 144*91f16700Schasinglulu } 145*91f16700Schasinglulu }, 146*91f16700Schasinglulu [1] = { 147*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 148*91f16700Schasinglulu .param.nv_ctr = { 149*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 150*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 151*91f16700Schasinglulu } 152*91f16700Schasinglulu } 153*91f16700Schasinglulu }, 154*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 155*91f16700Schasinglulu [0] = { 156*91f16700Schasinglulu .type_desc = &scp_fw_content_pk, 157*91f16700Schasinglulu .data = { 158*91f16700Schasinglulu .ptr = (void *)content_pk_buf, 159*91f16700Schasinglulu .len = (unsigned int)PK_DER_LEN 160*91f16700Schasinglulu } 161*91f16700Schasinglulu } 162*91f16700Schasinglulu } 163*91f16700Schasinglulu }; 164*91f16700Schasinglulu static const auth_img_desc_t scp_fw_content_cert = { 165*91f16700Schasinglulu .img_id = SCP_FW_CONTENT_CERT_ID, 166*91f16700Schasinglulu .img_type = IMG_CERT, 167*91f16700Schasinglulu .parent = &scp_fw_key_cert, 168*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 169*91f16700Schasinglulu [0] = { 170*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 171*91f16700Schasinglulu .param.sig = { 172*91f16700Schasinglulu .pk = &scp_fw_content_pk, 173*91f16700Schasinglulu .sig = &sig, 174*91f16700Schasinglulu .alg = &sig_alg, 175*91f16700Schasinglulu .data = &raw_data 176*91f16700Schasinglulu } 177*91f16700Schasinglulu }, 178*91f16700Schasinglulu [1] = { 179*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 180*91f16700Schasinglulu .param.nv_ctr = { 181*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 182*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 183*91f16700Schasinglulu } 184*91f16700Schasinglulu } 185*91f16700Schasinglulu }, 186*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 187*91f16700Schasinglulu [0] = { 188*91f16700Schasinglulu .type_desc = &scp_fw_hash, 189*91f16700Schasinglulu .data = { 190*91f16700Schasinglulu .ptr = (void *)scp_fw_hash_buf, 191*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 192*91f16700Schasinglulu } 193*91f16700Schasinglulu } 194*91f16700Schasinglulu } 195*91f16700Schasinglulu }; 196*91f16700Schasinglulu static const auth_img_desc_t scp_bl2_image = { 197*91f16700Schasinglulu .img_id = SCP_BL2_IMAGE_ID, 198*91f16700Schasinglulu .img_type = IMG_RAW, 199*91f16700Schasinglulu .parent = &scp_fw_content_cert, 200*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 201*91f16700Schasinglulu [0] = { 202*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 203*91f16700Schasinglulu .param.hash = { 204*91f16700Schasinglulu .data = &raw_data, 205*91f16700Schasinglulu .hash = &scp_fw_hash 206*91f16700Schasinglulu } 207*91f16700Schasinglulu } 208*91f16700Schasinglulu } 209*91f16700Schasinglulu }; 210*91f16700Schasinglulu /* 211*91f16700Schasinglulu * SoC Firmware 212*91f16700Schasinglulu */ 213*91f16700Schasinglulu static const auth_img_desc_t soc_fw_key_cert = { 214*91f16700Schasinglulu .img_id = SOC_FW_KEY_CERT_ID, 215*91f16700Schasinglulu .img_type = IMG_CERT, 216*91f16700Schasinglulu .parent = &trusted_key_cert, 217*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 218*91f16700Schasinglulu [0] = { 219*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 220*91f16700Schasinglulu .param.sig = { 221*91f16700Schasinglulu .pk = &trusted_world_pk, 222*91f16700Schasinglulu .sig = &sig, 223*91f16700Schasinglulu .alg = &sig_alg, 224*91f16700Schasinglulu .data = &raw_data 225*91f16700Schasinglulu } 226*91f16700Schasinglulu }, 227*91f16700Schasinglulu [1] = { 228*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 229*91f16700Schasinglulu .param.nv_ctr = { 230*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 231*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 232*91f16700Schasinglulu } 233*91f16700Schasinglulu } 234*91f16700Schasinglulu }, 235*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 236*91f16700Schasinglulu [0] = { 237*91f16700Schasinglulu .type_desc = &soc_fw_content_pk, 238*91f16700Schasinglulu .data = { 239*91f16700Schasinglulu .ptr = (void *)content_pk_buf, 240*91f16700Schasinglulu .len = (unsigned int)PK_DER_LEN 241*91f16700Schasinglulu } 242*91f16700Schasinglulu } 243*91f16700Schasinglulu } 244*91f16700Schasinglulu }; 245*91f16700Schasinglulu static const auth_img_desc_t soc_fw_content_cert = { 246*91f16700Schasinglulu .img_id = SOC_FW_CONTENT_CERT_ID, 247*91f16700Schasinglulu .img_type = IMG_CERT, 248*91f16700Schasinglulu .parent = &soc_fw_key_cert, 249*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 250*91f16700Schasinglulu [0] = { 251*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 252*91f16700Schasinglulu .param.sig = { 253*91f16700Schasinglulu .pk = &soc_fw_content_pk, 254*91f16700Schasinglulu .sig = &sig, 255*91f16700Schasinglulu .alg = &sig_alg, 256*91f16700Schasinglulu .data = &raw_data 257*91f16700Schasinglulu } 258*91f16700Schasinglulu }, 259*91f16700Schasinglulu [1] = { 260*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 261*91f16700Schasinglulu .param.nv_ctr = { 262*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 263*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 264*91f16700Schasinglulu } 265*91f16700Schasinglulu } 266*91f16700Schasinglulu }, 267*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 268*91f16700Schasinglulu [0] = { 269*91f16700Schasinglulu .type_desc = &soc_fw_hash, 270*91f16700Schasinglulu .data = { 271*91f16700Schasinglulu .ptr = (void *)soc_fw_hash_buf, 272*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 273*91f16700Schasinglulu } 274*91f16700Schasinglulu }, 275*91f16700Schasinglulu [1] = { 276*91f16700Schasinglulu .type_desc = &soc_fw_config_hash, 277*91f16700Schasinglulu .data = { 278*91f16700Schasinglulu .ptr = (void *)soc_fw_config_hash_buf, 279*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 280*91f16700Schasinglulu } 281*91f16700Schasinglulu } 282*91f16700Schasinglulu } 283*91f16700Schasinglulu }; 284*91f16700Schasinglulu static const auth_img_desc_t bl31_image = { 285*91f16700Schasinglulu .img_id = BL31_IMAGE_ID, 286*91f16700Schasinglulu .img_type = IMG_RAW, 287*91f16700Schasinglulu .parent = &soc_fw_content_cert, 288*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 289*91f16700Schasinglulu [0] = { 290*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 291*91f16700Schasinglulu .param.hash = { 292*91f16700Schasinglulu .data = &raw_data, 293*91f16700Schasinglulu .hash = &soc_fw_hash 294*91f16700Schasinglulu } 295*91f16700Schasinglulu } 296*91f16700Schasinglulu } 297*91f16700Schasinglulu }; 298*91f16700Schasinglulu /* SOC FW Config */ 299*91f16700Schasinglulu static const auth_img_desc_t soc_fw_config = { 300*91f16700Schasinglulu .img_id = SOC_FW_CONFIG_ID, 301*91f16700Schasinglulu .img_type = IMG_RAW, 302*91f16700Schasinglulu .parent = &soc_fw_content_cert, 303*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 304*91f16700Schasinglulu [0] = { 305*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 306*91f16700Schasinglulu .param.hash = { 307*91f16700Schasinglulu .data = &raw_data, 308*91f16700Schasinglulu .hash = &soc_fw_config_hash 309*91f16700Schasinglulu } 310*91f16700Schasinglulu } 311*91f16700Schasinglulu } 312*91f16700Schasinglulu }; 313*91f16700Schasinglulu /* 314*91f16700Schasinglulu * Trusted OS Firmware 315*91f16700Schasinglulu */ 316*91f16700Schasinglulu static const auth_img_desc_t trusted_os_fw_key_cert = { 317*91f16700Schasinglulu .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 318*91f16700Schasinglulu .img_type = IMG_CERT, 319*91f16700Schasinglulu .parent = &trusted_key_cert, 320*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 321*91f16700Schasinglulu [0] = { 322*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 323*91f16700Schasinglulu .param.sig = { 324*91f16700Schasinglulu .pk = &trusted_world_pk, 325*91f16700Schasinglulu .sig = &sig, 326*91f16700Schasinglulu .alg = &sig_alg, 327*91f16700Schasinglulu .data = &raw_data 328*91f16700Schasinglulu } 329*91f16700Schasinglulu }, 330*91f16700Schasinglulu [1] = { 331*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 332*91f16700Schasinglulu .param.nv_ctr = { 333*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 334*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 335*91f16700Schasinglulu } 336*91f16700Schasinglulu } 337*91f16700Schasinglulu }, 338*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 339*91f16700Schasinglulu [0] = { 340*91f16700Schasinglulu .type_desc = &tos_fw_content_pk, 341*91f16700Schasinglulu .data = { 342*91f16700Schasinglulu .ptr = (void *)content_pk_buf, 343*91f16700Schasinglulu .len = (unsigned int)PK_DER_LEN 344*91f16700Schasinglulu } 345*91f16700Schasinglulu } 346*91f16700Schasinglulu } 347*91f16700Schasinglulu }; 348*91f16700Schasinglulu static const auth_img_desc_t trusted_os_fw_content_cert = { 349*91f16700Schasinglulu .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 350*91f16700Schasinglulu .img_type = IMG_CERT, 351*91f16700Schasinglulu .parent = &trusted_os_fw_key_cert, 352*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 353*91f16700Schasinglulu [0] = { 354*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 355*91f16700Schasinglulu .param.sig = { 356*91f16700Schasinglulu .pk = &tos_fw_content_pk, 357*91f16700Schasinglulu .sig = &sig, 358*91f16700Schasinglulu .alg = &sig_alg, 359*91f16700Schasinglulu .data = &raw_data 360*91f16700Schasinglulu } 361*91f16700Schasinglulu }, 362*91f16700Schasinglulu [1] = { 363*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 364*91f16700Schasinglulu .param.nv_ctr = { 365*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 366*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 367*91f16700Schasinglulu } 368*91f16700Schasinglulu } 369*91f16700Schasinglulu }, 370*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 371*91f16700Schasinglulu [0] = { 372*91f16700Schasinglulu .type_desc = &tos_fw_hash, 373*91f16700Schasinglulu .data = { 374*91f16700Schasinglulu .ptr = (void *)tos_fw_hash_buf, 375*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 376*91f16700Schasinglulu } 377*91f16700Schasinglulu }, 378*91f16700Schasinglulu [1] = { 379*91f16700Schasinglulu .type_desc = &tos_fw_extra1_hash, 380*91f16700Schasinglulu .data = { 381*91f16700Schasinglulu .ptr = (void *)tos_fw_extra1_hash_buf, 382*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 383*91f16700Schasinglulu } 384*91f16700Schasinglulu }, 385*91f16700Schasinglulu [2] = { 386*91f16700Schasinglulu .type_desc = &tos_fw_extra2_hash, 387*91f16700Schasinglulu .data = { 388*91f16700Schasinglulu .ptr = (void *)tos_fw_extra2_hash_buf, 389*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 390*91f16700Schasinglulu } 391*91f16700Schasinglulu }, 392*91f16700Schasinglulu [3] = { 393*91f16700Schasinglulu .type_desc = &tos_fw_config_hash, 394*91f16700Schasinglulu .data = { 395*91f16700Schasinglulu .ptr = (void *)tos_fw_config_hash_buf, 396*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 397*91f16700Schasinglulu } 398*91f16700Schasinglulu } 399*91f16700Schasinglulu } 400*91f16700Schasinglulu }; 401*91f16700Schasinglulu static const auth_img_desc_t bl32_image = { 402*91f16700Schasinglulu .img_id = BL32_IMAGE_ID, 403*91f16700Schasinglulu .img_type = IMG_RAW, 404*91f16700Schasinglulu .parent = &trusted_os_fw_content_cert, 405*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 406*91f16700Schasinglulu [0] = { 407*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 408*91f16700Schasinglulu .param.hash = { 409*91f16700Schasinglulu .data = &raw_data, 410*91f16700Schasinglulu .hash = &tos_fw_hash 411*91f16700Schasinglulu } 412*91f16700Schasinglulu } 413*91f16700Schasinglulu } 414*91f16700Schasinglulu }; 415*91f16700Schasinglulu static const auth_img_desc_t bl32_extra1_image = { 416*91f16700Schasinglulu .img_id = BL32_EXTRA1_IMAGE_ID, 417*91f16700Schasinglulu .img_type = IMG_RAW, 418*91f16700Schasinglulu .parent = &trusted_os_fw_content_cert, 419*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 420*91f16700Schasinglulu [0] = { 421*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 422*91f16700Schasinglulu .param.hash = { 423*91f16700Schasinglulu .data = &raw_data, 424*91f16700Schasinglulu .hash = &tos_fw_extra1_hash 425*91f16700Schasinglulu } 426*91f16700Schasinglulu } 427*91f16700Schasinglulu } 428*91f16700Schasinglulu }; 429*91f16700Schasinglulu static const auth_img_desc_t bl32_extra2_image = { 430*91f16700Schasinglulu .img_id = BL32_EXTRA2_IMAGE_ID, 431*91f16700Schasinglulu .img_type = IMG_RAW, 432*91f16700Schasinglulu .parent = &trusted_os_fw_content_cert, 433*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 434*91f16700Schasinglulu [0] = { 435*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 436*91f16700Schasinglulu .param.hash = { 437*91f16700Schasinglulu .data = &raw_data, 438*91f16700Schasinglulu .hash = &tos_fw_extra2_hash 439*91f16700Schasinglulu } 440*91f16700Schasinglulu } 441*91f16700Schasinglulu } 442*91f16700Schasinglulu }; 443*91f16700Schasinglulu /* TOS FW Config */ 444*91f16700Schasinglulu static const auth_img_desc_t tos_fw_config = { 445*91f16700Schasinglulu .img_id = TOS_FW_CONFIG_ID, 446*91f16700Schasinglulu .img_type = IMG_RAW, 447*91f16700Schasinglulu .parent = &trusted_os_fw_content_cert, 448*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 449*91f16700Schasinglulu [0] = { 450*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 451*91f16700Schasinglulu .param.hash = { 452*91f16700Schasinglulu .data = &raw_data, 453*91f16700Schasinglulu .hash = &tos_fw_config_hash 454*91f16700Schasinglulu } 455*91f16700Schasinglulu } 456*91f16700Schasinglulu } 457*91f16700Schasinglulu }; 458*91f16700Schasinglulu /* 459*91f16700Schasinglulu * Non-Trusted Firmware 460*91f16700Schasinglulu */ 461*91f16700Schasinglulu static const auth_img_desc_t non_trusted_fw_key_cert = { 462*91f16700Schasinglulu .img_id = NON_TRUSTED_FW_KEY_CERT_ID, 463*91f16700Schasinglulu .img_type = IMG_CERT, 464*91f16700Schasinglulu .parent = &trusted_key_cert, 465*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 466*91f16700Schasinglulu [0] = { 467*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 468*91f16700Schasinglulu .param.sig = { 469*91f16700Schasinglulu .pk = &non_trusted_world_pk, 470*91f16700Schasinglulu .sig = &sig, 471*91f16700Schasinglulu .alg = &sig_alg, 472*91f16700Schasinglulu .data = &raw_data 473*91f16700Schasinglulu } 474*91f16700Schasinglulu }, 475*91f16700Schasinglulu [1] = { 476*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 477*91f16700Schasinglulu .param.nv_ctr = { 478*91f16700Schasinglulu .cert_nv_ctr = &non_trusted_nv_ctr, 479*91f16700Schasinglulu .plat_nv_ctr = &non_trusted_nv_ctr 480*91f16700Schasinglulu } 481*91f16700Schasinglulu } 482*91f16700Schasinglulu }, 483*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 484*91f16700Schasinglulu [0] = { 485*91f16700Schasinglulu .type_desc = &nt_fw_content_pk, 486*91f16700Schasinglulu .data = { 487*91f16700Schasinglulu .ptr = (void *)content_pk_buf, 488*91f16700Schasinglulu .len = (unsigned int)PK_DER_LEN 489*91f16700Schasinglulu } 490*91f16700Schasinglulu } 491*91f16700Schasinglulu } 492*91f16700Schasinglulu }; 493*91f16700Schasinglulu static const auth_img_desc_t non_trusted_fw_content_cert = { 494*91f16700Schasinglulu .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 495*91f16700Schasinglulu .img_type = IMG_CERT, 496*91f16700Schasinglulu .parent = &non_trusted_fw_key_cert, 497*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 498*91f16700Schasinglulu [0] = { 499*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 500*91f16700Schasinglulu .param.sig = { 501*91f16700Schasinglulu .pk = &nt_fw_content_pk, 502*91f16700Schasinglulu .sig = &sig, 503*91f16700Schasinglulu .alg = &sig_alg, 504*91f16700Schasinglulu .data = &raw_data 505*91f16700Schasinglulu } 506*91f16700Schasinglulu }, 507*91f16700Schasinglulu [1] = { 508*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 509*91f16700Schasinglulu .param.nv_ctr = { 510*91f16700Schasinglulu .cert_nv_ctr = &non_trusted_nv_ctr, 511*91f16700Schasinglulu .plat_nv_ctr = &non_trusted_nv_ctr 512*91f16700Schasinglulu } 513*91f16700Schasinglulu } 514*91f16700Schasinglulu }, 515*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 516*91f16700Schasinglulu [0] = { 517*91f16700Schasinglulu .type_desc = &nt_world_bl_hash, 518*91f16700Schasinglulu .data = { 519*91f16700Schasinglulu .ptr = (void *)nt_world_bl_hash_buf, 520*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 521*91f16700Schasinglulu } 522*91f16700Schasinglulu }, 523*91f16700Schasinglulu [1] = { 524*91f16700Schasinglulu .type_desc = &nt_fw_config_hash, 525*91f16700Schasinglulu .data = { 526*91f16700Schasinglulu .ptr = (void *)nt_fw_config_hash_buf, 527*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 528*91f16700Schasinglulu } 529*91f16700Schasinglulu } 530*91f16700Schasinglulu } 531*91f16700Schasinglulu }; 532*91f16700Schasinglulu static const auth_img_desc_t bl33_image = { 533*91f16700Schasinglulu .img_id = BL33_IMAGE_ID, 534*91f16700Schasinglulu .img_type = IMG_RAW, 535*91f16700Schasinglulu .parent = &non_trusted_fw_content_cert, 536*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 537*91f16700Schasinglulu [0] = { 538*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 539*91f16700Schasinglulu .param.hash = { 540*91f16700Schasinglulu .data = &raw_data, 541*91f16700Schasinglulu .hash = &nt_world_bl_hash 542*91f16700Schasinglulu } 543*91f16700Schasinglulu } 544*91f16700Schasinglulu } 545*91f16700Schasinglulu }; 546*91f16700Schasinglulu /* NT FW Config */ 547*91f16700Schasinglulu static const auth_img_desc_t nt_fw_config = { 548*91f16700Schasinglulu .img_id = NT_FW_CONFIG_ID, 549*91f16700Schasinglulu .img_type = IMG_RAW, 550*91f16700Schasinglulu .parent = &non_trusted_fw_content_cert, 551*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 552*91f16700Schasinglulu [0] = { 553*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 554*91f16700Schasinglulu .param.hash = { 555*91f16700Schasinglulu .data = &raw_data, 556*91f16700Schasinglulu .hash = &nt_fw_config_hash 557*91f16700Schasinglulu } 558*91f16700Schasinglulu } 559*91f16700Schasinglulu } 560*91f16700Schasinglulu }; 561*91f16700Schasinglulu /* Secure Partitions */ 562*91f16700Schasinglulu #if defined(SPD_spmd) 563*91f16700Schasinglulu static const auth_img_desc_t sip_sp_content_cert = { 564*91f16700Schasinglulu .img_id = SIP_SP_CONTENT_CERT_ID, 565*91f16700Schasinglulu .img_type = IMG_CERT, 566*91f16700Schasinglulu .parent = &trusted_key_cert, 567*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 568*91f16700Schasinglulu [0] = { 569*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 570*91f16700Schasinglulu .param.sig = { 571*91f16700Schasinglulu .pk = &trusted_world_pk, 572*91f16700Schasinglulu .sig = &sig, 573*91f16700Schasinglulu .alg = &sig_alg, 574*91f16700Schasinglulu .data = &raw_data 575*91f16700Schasinglulu } 576*91f16700Schasinglulu }, 577*91f16700Schasinglulu [1] = { 578*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 579*91f16700Schasinglulu .param.nv_ctr = { 580*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 581*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 582*91f16700Schasinglulu } 583*91f16700Schasinglulu } 584*91f16700Schasinglulu }, 585*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 586*91f16700Schasinglulu [0] = { 587*91f16700Schasinglulu .type_desc = &sp_pkg1_hash, 588*91f16700Schasinglulu .data = { 589*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[0], 590*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 591*91f16700Schasinglulu } 592*91f16700Schasinglulu }, 593*91f16700Schasinglulu [1] = { 594*91f16700Schasinglulu .type_desc = &sp_pkg2_hash, 595*91f16700Schasinglulu .data = { 596*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[1], 597*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 598*91f16700Schasinglulu } 599*91f16700Schasinglulu }, 600*91f16700Schasinglulu [2] = { 601*91f16700Schasinglulu .type_desc = &sp_pkg3_hash, 602*91f16700Schasinglulu .data = { 603*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[2], 604*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 605*91f16700Schasinglulu } 606*91f16700Schasinglulu }, 607*91f16700Schasinglulu [3] = { 608*91f16700Schasinglulu .type_desc = &sp_pkg4_hash, 609*91f16700Schasinglulu .data = { 610*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[3], 611*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 612*91f16700Schasinglulu } 613*91f16700Schasinglulu }, 614*91f16700Schasinglulu [4] = { 615*91f16700Schasinglulu .type_desc = &sp_pkg5_hash, 616*91f16700Schasinglulu .data = { 617*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[4], 618*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 619*91f16700Schasinglulu } 620*91f16700Schasinglulu }, 621*91f16700Schasinglulu [5] = { 622*91f16700Schasinglulu .type_desc = &sp_pkg6_hash, 623*91f16700Schasinglulu .data = { 624*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[5], 625*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 626*91f16700Schasinglulu } 627*91f16700Schasinglulu }, 628*91f16700Schasinglulu [6] = { 629*91f16700Schasinglulu .type_desc = &sp_pkg7_hash, 630*91f16700Schasinglulu .data = { 631*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[6], 632*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 633*91f16700Schasinglulu } 634*91f16700Schasinglulu }, 635*91f16700Schasinglulu [7] = { 636*91f16700Schasinglulu .type_desc = &sp_pkg8_hash, 637*91f16700Schasinglulu .data = { 638*91f16700Schasinglulu .ptr = (void *)sp_pkg_hash_buf[7], 639*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 640*91f16700Schasinglulu } 641*91f16700Schasinglulu } 642*91f16700Schasinglulu } 643*91f16700Schasinglulu }; 644*91f16700Schasinglulu 645*91f16700Schasinglulu DEFINE_SIP_SP_PKG(1); 646*91f16700Schasinglulu DEFINE_SIP_SP_PKG(2); 647*91f16700Schasinglulu DEFINE_SIP_SP_PKG(3); 648*91f16700Schasinglulu DEFINE_SIP_SP_PKG(4); 649*91f16700Schasinglulu DEFINE_SIP_SP_PKG(5); 650*91f16700Schasinglulu DEFINE_SIP_SP_PKG(6); 651*91f16700Schasinglulu DEFINE_SIP_SP_PKG(7); 652*91f16700Schasinglulu DEFINE_SIP_SP_PKG(8); 653*91f16700Schasinglulu #endif /* SPD_spmd */ 654*91f16700Schasinglulu 655*91f16700Schasinglulu static const auth_img_desc_t * const cot_desc[] = { 656*91f16700Schasinglulu [TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert, 657*91f16700Schasinglulu [HW_CONFIG_ID] = &hw_config, 658*91f16700Schasinglulu [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, 659*91f16700Schasinglulu [SCP_FW_KEY_CERT_ID] = &scp_fw_key_cert, 660*91f16700Schasinglulu [SCP_FW_CONTENT_CERT_ID] = &scp_fw_content_cert, 661*91f16700Schasinglulu [SCP_BL2_IMAGE_ID] = &scp_bl2_image, 662*91f16700Schasinglulu [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, 663*91f16700Schasinglulu [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, 664*91f16700Schasinglulu [BL31_IMAGE_ID] = &bl31_image, 665*91f16700Schasinglulu [SOC_FW_CONFIG_ID] = &soc_fw_config, 666*91f16700Schasinglulu [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, 667*91f16700Schasinglulu [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, 668*91f16700Schasinglulu [BL32_IMAGE_ID] = &bl32_image, 669*91f16700Schasinglulu [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, 670*91f16700Schasinglulu [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, 671*91f16700Schasinglulu [TOS_FW_CONFIG_ID] = &tos_fw_config, 672*91f16700Schasinglulu [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, 673*91f16700Schasinglulu [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, 674*91f16700Schasinglulu [BL33_IMAGE_ID] = &bl33_image, 675*91f16700Schasinglulu [NT_FW_CONFIG_ID] = &nt_fw_config, 676*91f16700Schasinglulu #if defined(SPD_spmd) 677*91f16700Schasinglulu [SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert, 678*91f16700Schasinglulu [SP_PKG1_ID] = &sp_pkg1, 679*91f16700Schasinglulu [SP_PKG2_ID] = &sp_pkg2, 680*91f16700Schasinglulu [SP_PKG3_ID] = &sp_pkg3, 681*91f16700Schasinglulu [SP_PKG4_ID] = &sp_pkg4, 682*91f16700Schasinglulu [SP_PKG5_ID] = &sp_pkg5, 683*91f16700Schasinglulu [SP_PKG6_ID] = &sp_pkg6, 684*91f16700Schasinglulu [SP_PKG7_ID] = &sp_pkg7, 685*91f16700Schasinglulu [SP_PKG8_ID] = &sp_pkg8, 686*91f16700Schasinglulu #endif 687*91f16700Schasinglulu }; 688*91f16700Schasinglulu 689*91f16700Schasinglulu /* Register the CoT in the authentication module */ 690*91f16700Schasinglulu REGISTER_COT(cot_desc); 691