/*
 * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <stddef.h>

#include <mbedtls/version.h>

#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
#include <platform_def.h>
#include <tools_share/dualroot_oid.h>

/*
 * Backing storage for the hash values that the certificate descriptors below
 * list under .authenticated_data. Every slot is HASH_DER_LEN bytes and each
 * descriptor passes that same length alongside the pointer.
 *
 * NOTE(review): tb_fw_hash_buf is referenced twice, by trusted_boot_fw_cert
 * (for tb_fw_hash) and by fwu_cert (for bl2u_hash). Presumably the two chains
 * are never in use at the same time; confirm, because a value stored for one
 * would replace the value stored for the other.
 */
static unsigned char fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];

/*
 * Parameter type descriptors.
 *
 * The first group names the NV counter by OID and the generic pieces of a
 * certificate (public key, signature, signature algorithm, raw data), which
 * are declared with 0 as the second argument.
 */
static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, 0);
static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG, 0);
static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_SIG_ALG, 0);
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_RAW_DATA, 0);

/* Hash parameters, one per image, each identified by its own OID. */
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, FWU_HASH_OID);

/*
 * Trusted boot firmware certificate: head of the boot chain (.parent is NULL).
 *
 * Two authentication methods are listed: a signature check built from
 * subject_pk, sig and sig_alg over raw_data, and an NV counter check in which
 * both cert_nv_ctr and plat_nv_ctr refer to trusted_nv_ctr.
 *
 * The certificate supplies three hashes (tb_fw_hash, tb_fw_config_hash and
 * fw_config_hash), which the raw-image descriptors below use as references.
 *
 * NOTE(review): with no parent descriptor, the key this signature is checked
 * against is not defined in this file; presumably it is the platform's root
 * of trust key. Confirm in the authentication module.
 */
static const auth_img_desc_t trusted_boot_fw_cert = {
	.img_id = TRUSTED_BOOT_FW_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tb_fw_hash,
			.data = {
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &tb_fw_config_hash,
			.data = {
				.ptr = (void *)tb_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &fw_config_hash,
			.data = {
				.ptr = (void *)fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* BL2: raw image, hash-checked against tb_fw_hash from its parent cert. */
static const auth_img_desc_t bl2_image = {
	.img_id = BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_hash
			}
		}
	}
};

/* TB FW Config: raw image, hash-checked against tb_fw_config_hash. */
static const auth_img_desc_t tb_fw_config = {
	.img_id = TB_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tb_fw_config_hash
			}
		}
	}
};

/* FW Config: raw image, hash-checked against fw_config_hash. */
static const auth_img_desc_t fw_config = {
	.img_id = FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_boot_fw_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &fw_config_hash
			}
		}
	}
};

/*
 * FWU certificate: head of the firmware update chain (.parent is NULL).
 *
 * It supplies the hashes for SCP_BL2U, BL2U and NS_BL2U.
 *
 * NOTE(review): the signature check is the only method listed. Unlike
 * trusted_boot_fw_cert there is no AUTH_METHOD_NV_CTR entry, so this
 * descriptor requests no counter comparison for the FWU certificate. Confirm
 * that an older, validly signed update certificate being accepted is an
 * intended property of this chain or is covered elsewhere.
 */
static const auth_img_desc_t fwu_cert = {
	.img_id = FWU_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &scp_bl2u_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &bl2u_hash,
			.data = {
				/* Same storage as tb_fw_hash in trusted_boot_fw_cert. */
				.ptr = (void *)tb_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &ns_bl2u_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};

/* SCP_BL2U: raw image, hash-checked against scp_bl2u_hash from fwu_cert. */
static const auth_img_desc_t scp_bl2u_image = {
	.img_id = SCP_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_bl2u_hash
			}
		}
	}
};

/* BL2U: raw image, hash-checked against bl2u_hash from fwu_cert. */
static const auth_img_desc_t bl2u_image = {
	.img_id = BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &bl2u_hash
			}
		}
	}
};

/* NS_BL2U: raw image, hash-checked against ns_bl2u_hash from fwu_cert. */
static const auth_img_desc_t ns_bl2u_image = {
	.img_id = NS_BL2U_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &fwu_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &ns_bl2u_hash
			}
		}
	}
};

/*
 * Chain of trust table, indexed by image ID. An ID with no entry here is left
 * as a null pointer by the designated initialiser, so only the eight images
 * listed have an authentication descriptor in this table.
 */
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID] = &trusted_boot_fw_cert,
	[BL2_IMAGE_ID] = &bl2_image,
	[TB_FW_CONFIG_ID] = &tb_fw_config,
	[FW_CONFIG_ID] = &fw_config,
	[FWU_CERT_ID] = &fwu_cert,
	[SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
	[BL2U_IMAGE_ID] = &bl2u_image,
	[NS_BL2U_IMAGE_ID] = &ns_bl2u_image
};

/* Hand the table to the authentication framework. */
REGISTER_COT(cot_desc);