/*
 * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <stddef.h>

#include <platform_def.h>
#include <drivers/auth/mbedtls/mbedtls_config.h>

#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif

/*
 * Storage for the DER-encoded hashes and public keys that the certificate
 * descriptors below export through their .authenticated_data entries. Every
 * buffer is sized by the DER length of the parameter it holds (HASH_DER_LEN
 * or PK_DER_LEN), and the matching .len field in each descriptor is set from
 * the same constant so the two cannot drift apart.
 *
 * Names used below but not defined in this translation unit (scp_fw_hash_buf,
 * nt_world_bl_hash_buf, trusted_nv_ctr, subject_pk, sig, sig_alg, raw_data,
 * trusted_boot_fw_cert, hw_config) are expected to come from
 * drivers/auth/tbbr_cot_common.h, included above.
 */
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
/*
 * Shared by all four key certificates (SCP, SoC, Trusted OS, Non-Trusted):
 * each one writes its content-certificate public key here.
 * NOTE(review): this relies on each content certificate being verified before
 * the next key certificate overwrites the buffer — confirm against the image
 * load/authentication order in the BL2 platform code.
 */
static unsigned char content_pk_buf[PK_DER_LEN];
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];

/*
 * Parameter type descriptors. Each one pairs an authentication parameter
 * type (NV counter, public key or hash) with the certificate extension OID
 * under which the auth module looks the parameter up.
 */
/* Anti-rollback counter for the non-trusted world certificates. */
static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
/* World keys carried by the trusted key certificate. */
static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
/* Per-firmware content keys carried by the respective key certificates. */
static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
/* Image hashes carried by the respective content certificates. */
static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);

/*
 * Trusted key certificate
 *
 * Root of this chain (.parent = NULL). Its signature is checked with the key
 * the certificate itself carries (subject_pk); NOTE(review): the binding of
 * that key to the platform root of trust is done by the auth module and is
 * not visible in this file — confirm. The certificate exports the trusted and
 * non-trusted world public keys, which anchor every key certificate below.
 */
static const auth_img_desc_t trusted_key_cert = {
	.img_id = TRUSTED_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = NULL,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &subject_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		/*
		 * Anti-rollback: the trusted NV counter read from the
		 * certificate is checked against the platform-held counter of
		 * the same type.
		 */
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &trusted_world_pk,
			.data = {
				.ptr = (void *)trusted_world_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		},
		[1] = {
			.type_desc = &non_trusted_world_pk,
			.data = {
				.ptr = (void *)non_trusted_world_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};
/*
 * SCP Firmware
 *
 * Key certificate (signed with the trusted world key, exports the SCP
 * content key) -> content certificate (signed with that content key,
 * exports the SCP_BL2 hash) -> SCP_BL2 raw image (hash-checked).
 */
static const auth_img_desc_t scp_fw_key_cert = {
	.img_id = SCP_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* Written into the shared content_pk_buf. */
		[0] = {
			.type_desc = &scp_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};
static const auth_img_desc_t scp_fw_content_cert = {
	.img_id = SCP_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &scp_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &scp_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* scp_fw_hash_buf is not defined in this file (see header). */
		[0] = {
			.type_desc = &scp_fw_hash,
			.data = {
				.ptr = (void *)scp_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};
/* Raw image: only its hash is checked, against the parent content cert. */
static const auth_img_desc_t scp_bl2_image = {
	.img_id = SCP_BL2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &scp_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &scp_fw_hash
			}
		}
	}
};
/*
 * SoC Firmware
 *
 * Same shape as the SCP chain; the content certificate additionally carries
 * the SOC_FW_CONFIG hash, so it covers two raw images (BL31 and its config).
 */
static const auth_img_desc_t soc_fw_key_cert = {
	.img_id = SOC_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* Written into the shared content_pk_buf. */
		[0] = {
			.type_desc = &soc_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};
static const auth_img_desc_t soc_fw_content_cert = {
	.img_id = SOC_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &soc_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &soc_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &soc_fw_hash,
			.data = {
				.ptr = (void *)soc_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &soc_fw_config_hash,
			.data = {
				.ptr = (void *)soc_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};
static const auth_img_desc_t bl31_image = {
	.img_id = BL31_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &soc_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &soc_fw_hash
			}
		}
	}
};
/* SOC FW Config: hash-checked against the SoC content certificate. */
static const auth_img_desc_t soc_fw_config = {
	.img_id = SOC_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &soc_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &soc_fw_config_hash
			}
		}
	}
};
/*
 * Trusted OS Firmware
 *
 * Key certificate signed with the trusted world key; exports the Trusted OS
 * content key (into the shared content_pk_buf) for the content certificate
 * that follows.
 */
static const auth_img_desc_t trusted_os_fw_key_cert = {
	.img_id = TRUSTED_OS_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tos_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};
/*
 * Trusted OS content certificate: signed with the Trusted OS content key and
 * carries four hashes (BL32, its two extra images and TOS_FW_CONFIG). This is
 * the descriptor with the most .authenticated_data entries in this file, so
 * it is the one that bounds COT_MAX_VERIFIED_PARAMS.
 */
static const auth_img_desc_t trusted_os_fw_content_cert = {
	.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_os_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &tos_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &trusted_nv_ctr,
				.plat_nv_ctr = &trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		[0] = {
			.type_desc = &tos_fw_hash,
			.data = {
				.ptr = (void *)tos_fw_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &tos_fw_extra1_hash,
			.data = {
				.ptr = (void *)tos_fw_extra1_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[2] = {
			.type_desc = &tos_fw_extra2_hash,
			.data = {
				.ptr = (void *)tos_fw_extra2_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[3] = {
			.type_desc = &tos_fw_config_hash,
			.data = {
				.ptr = (void *)tos_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};
/* Raw Trusted OS images: each is hash-checked against the content cert. */
static const auth_img_desc_t bl32_image = {
	.img_id = BL32_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_hash
			}
		}
	}
};
static const auth_img_desc_t bl32_extra1_image = {
	.img_id = BL32_EXTRA1_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_extra1_hash
			}
		}
	}
};
static const auth_img_desc_t bl32_extra2_image = {
	.img_id = BL32_EXTRA2_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_extra2_hash
			}
		}
	}
};
/* TOS FW Config: hash-checked against the Trusted OS content certificate. */
static const auth_img_desc_t tos_fw_config = {
	.img_id = TOS_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &trusted_os_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &tos_fw_config_hash
			}
		}
	}
};
/*
 * Non-Trusted Firmware
 *
 * This branch hangs off the non-trusted world key exported by the trusted
 * key certificate and uses its own anti-rollback counter
 * (non_trusted_nv_ctr), so the normal-world firmware can be updated and
 * counted independently of the trusted world images.
 */
static const auth_img_desc_t non_trusted_fw_key_cert = {
	.img_id = NON_TRUSTED_FW_KEY_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &trusted_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &non_trusted_world_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &non_trusted_nv_ctr,
				.plat_nv_ctr = &non_trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* Written into the shared content_pk_buf. */
		[0] = {
			.type_desc = &nt_fw_content_pk,
			.data = {
				.ptr = (void *)content_pk_buf,
				.len = (unsigned int)PK_DER_LEN
			}
		}
	}
};
static const auth_img_desc_t non_trusted_fw_content_cert = {
	.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
	.img_type = IMG_CERT,
	.parent = &non_trusted_fw_key_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_SIG,
			.param.sig = {
				.pk = &nt_fw_content_pk,
				.sig = &sig,
				.alg = &sig_alg,
				.data = &raw_data
			}
		},
		[1] = {
			.type = AUTH_METHOD_NV_CTR,
			.param.nv_ctr = {
				.cert_nv_ctr = &non_trusted_nv_ctr,
				.plat_nv_ctr = &non_trusted_nv_ctr
			}
		}
	},
	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
		/* nt_world_bl_hash_buf is not defined in this file (see header). */
		[0] = {
			.type_desc = &nt_world_bl_hash,
			.data = {
				.ptr = (void *)nt_world_bl_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		},
		[1] = {
			.type_desc = &nt_fw_config_hash,
			.data = {
				.ptr = (void *)nt_fw_config_hash_buf,
				.len = (unsigned int)HASH_DER_LEN
			}
		}
	}
};
static const auth_img_desc_t bl33_image = {
	.img_id = BL33_IMAGE_ID,
	.img_type = IMG_RAW,
	.parent = &non_trusted_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &nt_world_bl_hash
			}
		}
	}
};
/* NT FW Config: hash-checked against the non-trusted content certificate. */
static const auth_img_desc_t nt_fw_config = {
	.img_id = NT_FW_CONFIG_ID,
	.img_type = IMG_RAW,
	.parent = &non_trusted_fw_content_cert,
	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
		[0] = {
			.type = AUTH_METHOD_HASH,
			.param.hash = {
				.data = &raw_data,
				.hash = &nt_fw_config_hash
			}
		}
	}
};

/*
 * Chain-of-trust table, indexed by image ID. Every image BL2 loads must have
 * an entry here; an image without one cannot be authenticated. The first two
 * entries (trusted_boot_fw_cert, hw_config) are not defined in this file and
 * are expected from tbbr_cot_common.h.
 */
static const auth_img_desc_t * const cot_desc[] = {
	[TRUSTED_BOOT_FW_CERT_ID]		=	&trusted_boot_fw_cert,
	[HW_CONFIG_ID]				=	&hw_config,
	[TRUSTED_KEY_CERT_ID]			=	&trusted_key_cert,
	[SCP_FW_KEY_CERT_ID]			=	&scp_fw_key_cert,
	[SCP_FW_CONTENT_CERT_ID]		=	&scp_fw_content_cert,
	[SCP_BL2_IMAGE_ID]			=	&scp_bl2_image,
	[SOC_FW_KEY_CERT_ID]			=	&soc_fw_key_cert,
	[SOC_FW_CONTENT_CERT_ID]		=	&soc_fw_content_cert,
	[BL31_IMAGE_ID]				=	&bl31_image,
	[SOC_FW_CONFIG_ID]			=	&soc_fw_config,
	[TRUSTED_OS_FW_KEY_CERT_ID]		=	&trusted_os_fw_key_cert,
	[TRUSTED_OS_FW_CONTENT_CERT_ID]		=	&trusted_os_fw_content_cert,
	[BL32_IMAGE_ID]				=	&bl32_image,
	[BL32_EXTRA1_IMAGE_ID]			=	&bl32_extra1_image,
	[BL32_EXTRA2_IMAGE_ID]			=	&bl32_extra2_image,
	[TOS_FW_CONFIG_ID]			=	&tos_fw_config,
	[NON_TRUSTED_FW_KEY_CERT_ID]		=	&non_trusted_fw_key_cert,
	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
	[BL33_IMAGE_ID]				=	&bl33_image,
	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
};

/* Register the CoT in the authentication module */
REGISTER_COT(cot_desc);