xref: /rk3399_ARM-atf/drivers/auth/dualroot/bl1_cot.c (revision 522c175d2d03470de4073a4e5716851073d2bf22) 
1 /*
2  * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <stddef.h>
8 
9 #include <mbedtls/version.h>
10 
11 #include <common/tbbr/cot_def.h>
12 #include <drivers/auth/auth_mod.h>
13 #include <platform_def.h>
14 #include <tools_share/dualroot_oid.h>
15 
16 /*
17  * Allocate static buffers to store the authentication parameters extracted from
18  * the certificates.
19  */
20 static unsigned char fw_config_hash_buf[HASH_DER_LEN];
21 static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
22 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
23 static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
24 static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
25 
26 /*
27  * Parameter type descriptors.
28  */
29 static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
30 		AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID);
31 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC(
32 		AUTH_PARAM_PUB_KEY, 0);
33 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC(
34 		AUTH_PARAM_SIG, 0);
35 static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
36 		AUTH_PARAM_SIG_ALG, 0);
37 static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
38 		AUTH_PARAM_RAW_DATA, 0);
39 
40 static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
41 		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
42 static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
43 		AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
44 static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
45 		AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
46 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
47 		AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
48 static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
49 		AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
50 static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
51 		AUTH_PARAM_HASH, FWU_HASH_OID);
52 
53 static const auth_img_desc_t trusted_boot_fw_cert = {
54 	.img_id = TRUSTED_BOOT_FW_CERT_ID,
55 	.img_type = IMG_CERT,
56 	.parent = NULL,
57 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
58 		[0] = {
59 			.type = AUTH_METHOD_SIG,
60 			.param.sig = {
61 				.pk = &subject_pk,
62 				.sig = &sig,
63 				.alg = &sig_alg,
64 				.data = &raw_data
65 			}
66 		},
67 		[1] = {
68 			.type = AUTH_METHOD_NV_CTR,
69 			.param.nv_ctr = {
70 				.cert_nv_ctr = &trusted_nv_ctr,
71 				.plat_nv_ctr = &trusted_nv_ctr
72 			}
73 		}
74 	},
75 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
76 		[0] = {
77 			.type_desc = &tb_fw_hash,
78 			.data = {
79 				.ptr = (void *)tb_fw_hash_buf,
80 				.len = (unsigned int)HASH_DER_LEN
81 			}
82 		},
83 		[1] = {
84 			.type_desc = &tb_fw_config_hash,
85 			.data = {
86 				.ptr = (void *)tb_fw_config_hash_buf,
87 				.len = (unsigned int)HASH_DER_LEN
88 			}
89 		},
90 		[2] = {
91 			.type_desc = &fw_config_hash,
92 			.data = {
93 				.ptr = (void *)fw_config_hash_buf,
94 				.len = (unsigned int)HASH_DER_LEN
95 			}
96 		}
97 	}
98 };
99 
100 static const auth_img_desc_t bl2_image = {
101 	.img_id = BL2_IMAGE_ID,
102 	.img_type = IMG_RAW,
103 	.parent = &trusted_boot_fw_cert,
104 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
105 		[0] = {
106 			.type = AUTH_METHOD_HASH,
107 			.param.hash = {
108 				.data = &raw_data,
109 				.hash = &tb_fw_hash
110 			}
111 		}
112 	}
113 };
114 
115 /* TB FW Config */
116 static const auth_img_desc_t tb_fw_config = {
117 	.img_id = TB_FW_CONFIG_ID,
118 	.img_type = IMG_RAW,
119 	.parent = &trusted_boot_fw_cert,
120 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
121 		[0] = {
122 			.type = AUTH_METHOD_HASH,
123 			.param.hash = {
124 				.data = &raw_data,
125 				.hash = &tb_fw_config_hash
126 			}
127 		}
128 	}
129 };
130 
131 static const auth_img_desc_t fw_config = {
132 	.img_id = FW_CONFIG_ID,
133 	.img_type = IMG_RAW,
134 	.parent = &trusted_boot_fw_cert,
135 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
136 		[0] = {
137 			.type = AUTH_METHOD_HASH,
138 			.param.hash = {
139 				.data = &raw_data,
140 				.hash = &fw_config_hash
141 			}
142 		}
143 	}
144 };
145 
146 /* FWU auth descriptor */
147 static const auth_img_desc_t fwu_cert = {
148 	.img_id = FWU_CERT_ID,
149 	.img_type = IMG_CERT,
150 	.parent = NULL,
151 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
152 		[0] = {
153 			.type = AUTH_METHOD_SIG,
154 			.param.sig = {
155 				.pk = &subject_pk,
156 				.sig = &sig,
157 				.alg = &sig_alg,
158 				.data = &raw_data
159 			}
160 		}
161 	},
162 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
163 		[0] = {
164 			.type_desc = &scp_bl2u_hash,
165 			.data = {
166 				.ptr = (void *)scp_fw_hash_buf,
167 				.len = (unsigned int)HASH_DER_LEN
168 			}
169 		},
170 		[1] = {
171 			.type_desc = &bl2u_hash,
172 			.data = {
173 				.ptr = (void *)tb_fw_hash_buf,
174 				.len = (unsigned int)HASH_DER_LEN
175 			}
176 		},
177 		[2] = {
178 			.type_desc = &ns_bl2u_hash,
179 			.data = {
180 				.ptr = (void *)nt_world_bl_hash_buf,
181 				.len = (unsigned int)HASH_DER_LEN
182 			}
183 		}
184 	}
185 };
186 
187 /* SCP_BL2U */
188 static const auth_img_desc_t scp_bl2u_image = {
189 	.img_id = SCP_BL2U_IMAGE_ID,
190 	.img_type = IMG_RAW,
191 	.parent = &fwu_cert,
192 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
193 		[0] = {
194 			.type = AUTH_METHOD_HASH,
195 			.param.hash = {
196 				.data = &raw_data,
197 				.hash = &scp_bl2u_hash
198 			}
199 		}
200 	}
201 };
202 
203 /* BL2U */
204 static const auth_img_desc_t bl2u_image = {
205 	.img_id = BL2U_IMAGE_ID,
206 	.img_type = IMG_RAW,
207 	.parent = &fwu_cert,
208 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
209 		[0] = {
210 			.type = AUTH_METHOD_HASH,
211 			.param.hash = {
212 				.data = &raw_data,
213 				.hash = &bl2u_hash
214 			}
215 		}
216 	}
217 };
218 
219 /* NS_BL2U */
220 static const auth_img_desc_t ns_bl2u_image = {
221 	.img_id = NS_BL2U_IMAGE_ID,
222 	.img_type = IMG_RAW,
223 	.parent = &fwu_cert,
224 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
225 		[0] = {
226 			.type = AUTH_METHOD_HASH,
227 			.param.hash = {
228 				.data = &raw_data,
229 				.hash = &ns_bl2u_hash
230 			}
231 		}
232 	}
233 };
234 
235 static const auth_img_desc_t * const cot_desc[] = {
236 	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
237 	[BL2_IMAGE_ID]				=	&bl2_image,
238 	[TB_FW_CONFIG_ID]			=	&tb_fw_config,
239 	[FW_CONFIG_ID]				=	&fw_config,
240 	[FWU_CERT_ID]				=	&fwu_cert,
241 	[SCP_BL2U_IMAGE_ID]			=	&scp_bl2u_image,
242 	[BL2U_IMAGE_ID]				=	&bl2u_image,
243 	[NS_BL2U_IMAGE_ID]			=	&ns_bl2u_image
244 };
245 
246 REGISTER_COT(cot_desc);
247