1*91f16700Schasinglulu /* 2*91f16700Schasinglulu * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. 3*91f16700Schasinglulu * 4*91f16700Schasinglulu * SPDX-License-Identifier: BSD-3-Clause 5*91f16700Schasinglulu */ 6*91f16700Schasinglulu 7*91f16700Schasinglulu #include <stddef.h> 8*91f16700Schasinglulu 9*91f16700Schasinglulu #include <mbedtls/version.h> 10*91f16700Schasinglulu 11*91f16700Schasinglulu #include <drivers/auth/auth_mod.h> 12*91f16700Schasinglulu #include <drivers/auth/tbbr_cot_common.h> 13*91f16700Schasinglulu 14*91f16700Schasinglulu #if USE_TBBR_DEFS 15*91f16700Schasinglulu #include <tools_share/tbbr_oid.h> 16*91f16700Schasinglulu #else 17*91f16700Schasinglulu #include <platform_oid.h> 18*91f16700Schasinglulu #endif 19*91f16700Schasinglulu 20*91f16700Schasinglulu #include <platform_def.h> 21*91f16700Schasinglulu /* 22*91f16700Schasinglulu * The platform must allocate buffers to store the authentication parameters 23*91f16700Schasinglulu * extracted from the certificates. In this case, because of the way the CoT is 24*91f16700Schasinglulu * established, we can reuse some of the buffers on different stages 25*91f16700Schasinglulu */ 26*91f16700Schasinglulu 27*91f16700Schasinglulu static unsigned char fw_config_hash_buf[HASH_DER_LEN]; 28*91f16700Schasinglulu static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN]; 29*91f16700Schasinglulu static unsigned char hw_config_hash_buf[HASH_DER_LEN]; 30*91f16700Schasinglulu unsigned char tb_fw_hash_buf[HASH_DER_LEN]; 31*91f16700Schasinglulu unsigned char scp_fw_hash_buf[HASH_DER_LEN]; 32*91f16700Schasinglulu unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 33*91f16700Schasinglulu 34*91f16700Schasinglulu /* 35*91f16700Schasinglulu * common Parameter type descriptors across BL1 and BL2 36*91f16700Schasinglulu */ 37*91f16700Schasinglulu auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 38*91f16700Schasinglulu AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 39*91f16700Schasinglulu auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 40*91f16700Schasinglulu AUTH_PARAM_PUB_KEY, 0); 41*91f16700Schasinglulu auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 42*91f16700Schasinglulu AUTH_PARAM_SIG, 0); 43*91f16700Schasinglulu auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 44*91f16700Schasinglulu AUTH_PARAM_SIG_ALG, 0); 45*91f16700Schasinglulu auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 46*91f16700Schasinglulu AUTH_PARAM_RAW_DATA, 0); 47*91f16700Schasinglulu 48*91f16700Schasinglulu /* common hash used across BL1 and BL2 */ 49*91f16700Schasinglulu auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( 50*91f16700Schasinglulu AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); 51*91f16700Schasinglulu auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC( 52*91f16700Schasinglulu AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID); 53*91f16700Schasinglulu auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC( 54*91f16700Schasinglulu AUTH_PARAM_HASH, FW_CONFIG_HASH_OID); 55*91f16700Schasinglulu static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC( 56*91f16700Schasinglulu AUTH_PARAM_HASH, HW_CONFIG_HASH_OID); 57*91f16700Schasinglulu 58*91f16700Schasinglulu /* trusted_boot_fw_cert */ 59*91f16700Schasinglulu const auth_img_desc_t trusted_boot_fw_cert = { 60*91f16700Schasinglulu .img_id = TRUSTED_BOOT_FW_CERT_ID, 61*91f16700Schasinglulu .img_type = IMG_CERT, 62*91f16700Schasinglulu .parent = NULL, 63*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 64*91f16700Schasinglulu [0] = { 65*91f16700Schasinglulu .type = AUTH_METHOD_SIG, 66*91f16700Schasinglulu .param.sig = { 67*91f16700Schasinglulu .pk = &subject_pk, 68*91f16700Schasinglulu .sig = &sig, 69*91f16700Schasinglulu .alg = &sig_alg, 70*91f16700Schasinglulu .data = &raw_data 71*91f16700Schasinglulu } 72*91f16700Schasinglulu }, 73*91f16700Schasinglulu [1] = { 74*91f16700Schasinglulu .type = AUTH_METHOD_NV_CTR, 75*91f16700Schasinglulu .param.nv_ctr = { 76*91f16700Schasinglulu .cert_nv_ctr = &trusted_nv_ctr, 77*91f16700Schasinglulu .plat_nv_ctr = &trusted_nv_ctr 78*91f16700Schasinglulu } 79*91f16700Schasinglulu } 80*91f16700Schasinglulu }, 81*91f16700Schasinglulu .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 82*91f16700Schasinglulu [0] = { 83*91f16700Schasinglulu .type_desc = &tb_fw_hash, 84*91f16700Schasinglulu .data = { 85*91f16700Schasinglulu .ptr = (void *)tb_fw_hash_buf, 86*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 87*91f16700Schasinglulu } 88*91f16700Schasinglulu }, 89*91f16700Schasinglulu [1] = { 90*91f16700Schasinglulu .type_desc = &tb_fw_config_hash, 91*91f16700Schasinglulu .data = { 92*91f16700Schasinglulu .ptr = (void *)tb_fw_config_hash_buf, 93*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 94*91f16700Schasinglulu } 95*91f16700Schasinglulu }, 96*91f16700Schasinglulu [2] = { 97*91f16700Schasinglulu .type_desc = &hw_config_hash, 98*91f16700Schasinglulu .data = { 99*91f16700Schasinglulu .ptr = (void *)hw_config_hash_buf, 100*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 101*91f16700Schasinglulu } 102*91f16700Schasinglulu }, 103*91f16700Schasinglulu [3] = { 104*91f16700Schasinglulu .type_desc = &fw_config_hash, 105*91f16700Schasinglulu .data = { 106*91f16700Schasinglulu .ptr = (void *)fw_config_hash_buf, 107*91f16700Schasinglulu .len = (unsigned int)HASH_DER_LEN 108*91f16700Schasinglulu } 109*91f16700Schasinglulu } 110*91f16700Schasinglulu } 111*91f16700Schasinglulu }; 112*91f16700Schasinglulu 113*91f16700Schasinglulu /* HW Config */ 114*91f16700Schasinglulu const auth_img_desc_t hw_config = { 115*91f16700Schasinglulu .img_id = HW_CONFIG_ID, 116*91f16700Schasinglulu .img_type = IMG_RAW, 117*91f16700Schasinglulu .parent = &trusted_boot_fw_cert, 118*91f16700Schasinglulu .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 119*91f16700Schasinglulu [0] = { 120*91f16700Schasinglulu .type = AUTH_METHOD_HASH, 121*91f16700Schasinglulu .param.hash = { 122*91f16700Schasinglulu .data = &raw_data, 123*91f16700Schasinglulu .hash = &hw_config_hash 124*91f16700Schasinglulu } 125*91f16700Schasinglulu } 126*91f16700Schasinglulu } 127*91f16700Schasinglulu }; 128