| #
9be048a9 |
| 17-Jun-2024 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge "fix(tc): add SCP_BL2 to RSE measured boot" into integration
|
| #
79841546 |
| 30-Apr-2024 |
Tamas Ban <tamas.ban@arm.com> |
fix(tc): add SCP_BL2 to RSE measured boot
SCP_BL2 is part of CCA's TCB. The SCP_BL1 is loaded by RSE. It has already been added to the platform attestation token. SCP_BL2 was missed, so it is fixed now.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ic87743564136f03a901c90ff1ec614f5965b9a47
|
| #
29ae73e3 |
| 07-Aug-2023 |
Lauren Wehrmeister <lauren.wehrmeister@arm.com> |
Merge changes from topic "mb/mb-signer-id" into integration
* changes:
  feat(qemu): add dummy plat_mboot_measure_key() function
  docs(rss): update RSS doc for signer-ID
  feat(imx): add dummy 'plat_mboot_measure_key' function
  feat(tc): implement platform function to measure and publish Public Key
  feat(auth): measure and publicise the Public Key
  feat(fvp): implement platform function to measure and publish Public Key
  feat(fvp): add public key-OID information in RSS metadata structure
  feat(auth): add explicit entries for key OIDs
  feat(rss): set the signer-ID in the RSS metadata
  feat(auth): create a zero-OID for Subject Public Key
  docs: add details about plat_mboot_measure_key function
  feat(measured-boot): introduce platform function to measure and publish Public Key
|
| #
0cffcdd6 |
| 19-Jul-2023 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
feat(auth): add explicit entries for key OIDs
Key-OIDs that authenticate BL31, BL31(SOC)-FW config, and HW config images have been explicitly entered. Implementations of signer-ID consume these entries.
Change-Id: I24c9085ed5f266af06d40fb73302e35d857a9d5b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
|
| #
9505d03e |
| 11-Apr-2023 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
feat(auth): create a zero-OID for Subject Public Key
Created an explicit zero-OID which can be used for Subject Public Keys that do not have their own key identifier.
With this, all keys (including the subject public key) have a proper key OID string so we don't need to make a special case of null pointers when it comes to handling key OIDs.
Change-Id: Ice6923951699b6e253d7fd87e4c1b912470e0391
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
|
| #
7f126ccf |
| 05-Jun-2023 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Merge changes from topic "cot_cca_nvctr" into integration
* changes:
  feat(fvp): mock support for CCA NV ctr
  feat(auth): add CCA NV ctr to CCA CoT
  feat(build): pass CCA NV ctr option to cert_create
  feat(cert-create): add new option for CCA NV ctr
|
| #
60753a63 |
| 02-May-2023 |
laurenw-arm <lauren.wehrmeister@arm.com> |
feat(cert-create): add new option for CCA NV ctr
Extends cert_create tool with a new option for CCA NV counter: ccafw_nvctr.
And changes the non-volatile counter used to protect the CCA Content Certificate from the Trusted FW NV counter to the CCA FW NV counter in the CCA CoT description.
Change-Id: I27f3ab2e25809f0dcc56fa05e5c3a25a2e861ef6
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
|
| #
f3249498 |
| 24-Jun-2022 |
Manish Pandey <manish.pandey2@arm.com> |
Merge changes from topic "lw/cca_cot" into integration
* changes:
  feat(arm): retrieve the right ROTPK for cca
  feat(arm): add support for cca CoT
  feat(arm): provide some swd rotpk files
  build(tbbr): drive cert_create changes for cca CoT
  refactor(arm): add cca CoT certificates to fconf
  feat(fiptool): add cca, core_swd, plat cert in FIP
  feat(cert_create): define the cca chain of trust
  feat(cca): introduce new "cca" chain of trust
  build(changelog): add new scope for CCA
  refactor(fvp): increase bl2 size when bl31 in DRAM
|
| #
56b741d3 |
| 21-Apr-2022 |
laurenw-arm <lauren.wehrmeister@arm.com> |
feat(cca): introduce new "cca" chain of trust
This chain of trust is targeted at Arm CCA solutions and defines 3 independent signing domains:
1) CCA signing domain. The Arm CCA Security Model (Arm DEN-0096.A.a) [1] refers to the CCA signing domain as the provider of CCA components running on the CCA platform. The CCA signing domain might be independent from other signing domains providing other firmware blobs.
The CCA platform is a collective term used to identify all hardware and firmware components involved in delivering the CCA security guarantee. Hence, all hardware and firmware components on a CCA enabled system that a Realm is required to trust.
In the context of TF-A, this corresponds to BL1, BL2, BL31, RMM and associated configuration files.
The CCA signing domain is rooted in the Silicon ROTPK, just as in the TBBR CoT.
2) Non-CCA Secure World signing domain. This includes SPMC (and associated configuration file) as the expected BL32 image as well as SiP-owned secure partitions. It is rooted in a new SiP-owned key called Secure World ROTPK, or SWD_ROTPK for short.
3) Platform owner signing domain. This includes BL33 (and associated configuration file) and the platform owner's secure partitions. It is rooted in the Platform ROTPK, or PROTPK.
[1] https://developer.arm.com/documentation/DEN0096/A_a
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I6ffef3f53d710e6a2072fb4374401249122a2805
|