/*
 * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <stddef.h>

#include <mbedtls/version.h>

#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
#include <platform_def.h>
#include <tools_share/cca_oid.h>

/*
 * Chain of Trust (CoT) for the CCA boot flow as seen from this boot stage.
 *
 * The chain is deliberately short: one signed content certificate and three
 * raw images whose only authentication method is a hash comparison against
 * the digests that certificate carries.  Trust in every image below therefore
 * rests entirely on two checks performed on the certificate itself: its
 * signature and its anti-rollback counter.
 */

/*
 * Storage for the image digests extracted from the content certificate once
 * it has been authenticated.  Each buffer holds one DER-encoded digest and is
 * the reference value for exactly one AUTH_METHOD_HASH check further down.
 */
static unsigned char tb_fw_hash_store[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_store[HASH_DER_LEN];
static unsigned char fw_config_hash_store[HASH_DER_LEN];

/*
 * Certificate-level parameter descriptors.
 *
 * Subject public key, signature, signature algorithm and the signed body are
 * structural fields of the certificate rather than extensions, hence the
 * zero OID.  The non-volatile counter is an extension identified by
 * CCA_FW_NVCOUNTER_OID.
 */
static auth_param_type_desc_t cert_subject_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, 0);
static auth_param_type_desc_t cert_signature = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG, 0);
static auth_param_type_desc_t cert_signature_alg = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG_ALG, 0);
static auth_param_type_desc_t img_raw_data = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_RAW_DATA, 0);
static auth_param_type_desc_t cca_fw_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, CCA_FW_NVCOUNTER_OID);

/*
 * Per-image digest extensions carried by the content certificate, one for
 * each raw image in this chain.
 */
static auth_param_type_desc_t tb_fw_hash_desc = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash_desc = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t fw_config_hash_desc = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);

/*
 * CCA content certificate: the root of this chain.
 *
 * .parent is NULL, so no higher certificate supplies a verification key; the
 * authentication module is expected to resolve the signature against the
 * platform root-of-trust public key instead (auth_mod.c, not shown here).
 *
 * Both methods must pass before any digest taken from it is trusted:
 *   [0] signature over the certificate body, and
 *   [1] anti-rollback: the counter value found in the certificate is compared
 *       with the platform's counter of the same kind.  The same descriptor is
 *       used on both sides, so the platform port must map
 *       CCA_FW_NVCOUNTER_OID to a real monotonic counter; a port that returns
 *       a constant would silently turn this check into a no-op (verify in the
 *       platform's NV counter hook).
 *
 * On success the three image digests listed in .authenticated_data are
 * expected to land in the *_hash_store buffers consumed by the image
 * descriptors below.
 */
static const auth_img_desc_t cca_root_content_cert = {
	.img_type = IMG_CERT,
	.img_id = CCA_CONTENT_CERT_ID,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.data = &img_raw_data,
				.sig = &cert_signature,
				.alg = &cert_signature_alg,
				.pk = &cert_subject_pk
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.plat_nv_ctr = &cca_fw_nv_ctr,
				.cert_nv_ctr = &cca_fw_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tb_fw_hash_desc,
			.data = {
				.ptr = (void *)tb_fw_hash_store,
				.len = (unsigned int)sizeof(tb_fw_hash_store)
			}
		},
		[1] = {
			.type_desc = &tb_fw_config_hash_desc,
			.data = {
				.ptr = (void *)tb_fw_config_hash_store,
				.len = (unsigned int)sizeof(tb_fw_config_hash_store)
			}
		},
		[2] = {
			.type_desc = &fw_config_hash_desc,
			.data = {
				.ptr = (void *)fw_config_hash_store,
				.len = (unsigned int)sizeof(fw_config_hash_store)
			}
		}
	}
};

/*
 * FW_CONFIG: raw image, authenticated solely by hashing its bytes and
 * comparing with the FW_CONFIG digest taken from the content certificate.
 * The image carries no signature of its own; its integrity derives from the
 * parent certificate having been verified first.
 */
static const auth_img_desc_t fw_config_blob = {
	.img_type = IMG_RAW,
	.img_id = FW_CONFIG_ID,
	.parent = &cca_root_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.hash = &fw_config_hash_desc,
				.data = &img_raw_data
			}
		}
	}
};

/*
 * TB_FW_CONFIG: raw image, hash-matched against the TRUSTED_BOOT_FW_CONFIG
 * digest from the content certificate.  Same trust model as FW_CONFIG.
 */
static const auth_img_desc_t tb_fw_config_blob = {
	.img_type = IMG_RAW,
	.img_id = TB_FW_CONFIG_ID,
	.parent = &cca_root_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.hash = &tb_fw_config_hash_desc,
				.data = &img_raw_data
			}
		}
	}
};

/*
 * BL2: raw image, hash-matched against the TRUSTED_BOOT_FW digest from the
 * content certificate.  Same trust model as the configuration blobs above.
 */
static const auth_img_desc_t bl2_raw_image = {
	.img_type = IMG_RAW,
	.img_id = BL2_IMAGE_ID,
	.parent = &cca_root_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.hash = &tb_fw_hash_desc,
				.data = &img_raw_data
			}
		}
	}
};

/*
 * Image ID -> descriptor table handed to the authentication module.  Any
 * index not named here is left NULL by the designated initialiser, so an
 * image ID without an entry cannot be authenticated through this chain.
 */
static const auth_img_desc_t * const cot_desc[] = {
	[CCA_CONTENT_CERT_ID] = &cca_root_content_cert,
	[BL2_IMAGE_ID] = &bl2_raw_image,
	[TB_FW_CONFIG_ID] = &tb_fw_config_blob,
	[FW_CONFIG_ID] = &fw_config_blob,
};

REGISTER_COT(cot_desc);