128e9a55fSManish V Badarkhe /* 2*a8eadc51SGovindraj Raja * Copyright (c) 2020-2023, Arm Limited. All rights reserved. 328e9a55fSManish V Badarkhe * 428e9a55fSManish V Badarkhe * SPDX-License-Identifier: BSD-3-Clause 528e9a55fSManish V Badarkhe */ 628e9a55fSManish V Badarkhe 728e9a55fSManish V Badarkhe #include <assert.h> 828e9a55fSManish V Badarkhe #include <stddef.h> 928e9a55fSManish V Badarkhe 10*a8eadc51SGovindraj Raja #include <mbedtls/version.h> 11*a8eadc51SGovindraj Raja 1228e9a55fSManish V Badarkhe #include <common/fdt_wrappers.h> 13*a8eadc51SGovindraj Raja #include <common/tbbr/cot_def.h> 1428e9a55fSManish V Badarkhe #include <drivers/auth/auth_mod.h> 1528e9a55fSManish V Badarkhe #include <lib/fconf/fconf.h> 1628e9a55fSManish V Badarkhe #include <lib/object_pool.h> 1728e9a55fSManish V Badarkhe #include <libfdt.h> 1828e9a55fSManish V Badarkhe 1928e9a55fSManish V Badarkhe #include <tools_share/tbbr_oid.h> 2028e9a55fSManish V Badarkhe 2128e9a55fSManish V Badarkhe /* static structures used during authentication process */ 2228e9a55fSManish V Badarkhe static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 2328e9a55fSManish V Badarkhe AUTH_PARAM_SIG, 0); 2428e9a55fSManish V Badarkhe static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 2528e9a55fSManish V Badarkhe AUTH_PARAM_SIG_ALG, 0); 2628e9a55fSManish V Badarkhe static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 2728e9a55fSManish V Badarkhe AUTH_PARAM_RAW_DATA, 0); 2828e9a55fSManish V Badarkhe 2928e9a55fSManish V Badarkhe /* pointers to an array of CoT descriptors */ 3028e9a55fSManish V Badarkhe static const auth_img_desc_t *cot_desc[MAX_NUMBER_IDS]; 3128e9a55fSManish V Badarkhe /* array of CoT descriptors */ 3228e9a55fSManish V Badarkhe static auth_img_desc_t auth_img_descs[MAX_NUMBER_IDS]; 3328e9a55fSManish V Badarkhe 3428e9a55fSManish V Badarkhe /* array of authentication methods structures */ 3528e9a55fSManish V Badarkhe static auth_method_desc_t auth_methods[MAX_NUMBER_IDS * AUTH_METHOD_NUM]; 3628e9a55fSManish V Badarkhe static OBJECT_POOL_ARRAY(auth_methods_pool, auth_methods); 3728e9a55fSManish V Badarkhe 3828e9a55fSManish V Badarkhe /* array of authentication params structures */ 3928e9a55fSManish V Badarkhe static auth_param_desc_t auth_params[MAX_NUMBER_IDS * COT_MAX_VERIFIED_PARAMS]; 4028e9a55fSManish V Badarkhe static OBJECT_POOL_ARRAY(auth_params_pool, auth_params); 4128e9a55fSManish V Badarkhe 4228e9a55fSManish V Badarkhe /* array of authentication param type structures */ 4328e9a55fSManish V Badarkhe static auth_param_type_desc_t auth_param_type_descs[MAX_NUMBER_IDS]; 4428e9a55fSManish V Badarkhe static OBJECT_POOL_ARRAY(auth_param_type_descs_pool, auth_param_type_descs); 4528e9a55fSManish V Badarkhe 4628e9a55fSManish V Badarkhe /* 4728e9a55fSManish V Badarkhe * array of OIDs 4828e9a55fSManish V Badarkhe * Object IDs are used to search hash, pk, counter values in certificate. 4928e9a55fSManish V Badarkhe * As per binding we have below 2 combinations: 5028e9a55fSManish V Badarkhe * 1. Certificates are validated using nv-cntr and pk 5128e9a55fSManish V Badarkhe * 2. Raw images are authenticated using hash 5228e9a55fSManish V Badarkhe * Hence in worst case, there are maximum 2 OIDs per image/certificate 5328e9a55fSManish V Badarkhe */ 5428e9a55fSManish V Badarkhe static unsigned char oids[(MAX_NUMBER_IDS * 2)][MAX_OID_NAME_LEN]; 5528e9a55fSManish V Badarkhe static OBJECT_POOL_ARRAY(oid_pool, oids); 5628e9a55fSManish V Badarkhe 5728e9a55fSManish V Badarkhe /* An array of auth buffer which holds hashes and pk 5828e9a55fSManish V Badarkhe * ToDo: Size decided with the current number of images and 5928e9a55fSManish V Badarkhe * certificates which are available in CoT. Size of these buffers bound to 6028e9a55fSManish V Badarkhe * increase in the future on the addition of images/certificates. 6128e9a55fSManish V Badarkhe */ 6228e9a55fSManish V Badarkhe static unsigned char hash_auth_bufs[20][HASH_DER_LEN]; 6328e9a55fSManish V Badarkhe static OBJECT_POOL_ARRAY(hash_auth_buf_pool, hash_auth_bufs); 6428e9a55fSManish V Badarkhe static unsigned char pk_auth_bufs[12][PK_DER_LEN]; 6528e9a55fSManish V Badarkhe static OBJECT_POOL_ARRAY(pk_auth_buf_pool, pk_auth_bufs); 6628e9a55fSManish V Badarkhe 6728e9a55fSManish V Badarkhe /******************************************************************************* 6828e9a55fSManish V Badarkhe * update_parent_auth_data() - Update authentication data structure 6928e9a55fSManish V Badarkhe * @auth_desc[in]: Pointer to the auth image descriptor 7028e9a55fSManish V Badarkhe * @type_desc[in]: Pointer to authentication parameter 7128e9a55fSManish V Badarkhe * @auth_buf_size[in]: Buffer size to hold pk or hash 7228e9a55fSManish V Badarkhe * 7328e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 7428e9a55fSManish V Badarkhe ******************************************************************************/ 7528e9a55fSManish V Badarkhe static int update_parent_auth_data(const auth_img_desc_t *auth_desc, 7628e9a55fSManish V Badarkhe auth_param_type_desc_t *type_desc, 7728e9a55fSManish V Badarkhe unsigned int auth_buf_size) 7828e9a55fSManish V Badarkhe { 7928e9a55fSManish V Badarkhe unsigned int i; 8028e9a55fSManish V Badarkhe auth_param_desc_t *auth_data = &auth_desc->authenticated_data[0]; 8128e9a55fSManish V Badarkhe unsigned char *auth_buf; 8228e9a55fSManish V Badarkhe 8328e9a55fSManish V Badarkhe for (i = 0U; i < COT_MAX_VERIFIED_PARAMS; i++) { 8428e9a55fSManish V Badarkhe if (auth_data[i].type_desc == type_desc) { 8528e9a55fSManish V Badarkhe return 0; 8628e9a55fSManish V Badarkhe } 8728e9a55fSManish V Badarkhe if (auth_data[i].type_desc == NULL) { 8828e9a55fSManish V Badarkhe break; 8928e9a55fSManish V Badarkhe } 9028e9a55fSManish V Badarkhe } 9128e9a55fSManish V Badarkhe 9228e9a55fSManish V Badarkhe if (auth_buf_size == HASH_DER_LEN) { 9328e9a55fSManish V Badarkhe auth_buf = pool_alloc(&hash_auth_buf_pool); 9428e9a55fSManish V Badarkhe } else if (auth_buf_size == PK_DER_LEN) { 9528e9a55fSManish V Badarkhe auth_buf = pool_alloc(&pk_auth_buf_pool); 9628e9a55fSManish V Badarkhe } else { 9728e9a55fSManish V Badarkhe return -1; 9828e9a55fSManish V Badarkhe } 9928e9a55fSManish V Badarkhe 10028e9a55fSManish V Badarkhe if (i < COT_MAX_VERIFIED_PARAMS) { 10128e9a55fSManish V Badarkhe auth_data[i].type_desc = type_desc; 10228e9a55fSManish V Badarkhe auth_data[i].data.ptr = auth_buf; 10328e9a55fSManish V Badarkhe auth_data[i].data.len = auth_buf_size; 10428e9a55fSManish V Badarkhe } else { 10528e9a55fSManish V Badarkhe ERROR("Out of authentication data array\n"); 10628e9a55fSManish V Badarkhe return -1; 10728e9a55fSManish V Badarkhe } 10828e9a55fSManish V Badarkhe 10928e9a55fSManish V Badarkhe return 0; 11028e9a55fSManish V Badarkhe } 11128e9a55fSManish V Badarkhe 11228e9a55fSManish V Badarkhe /******************************************************************************* 11328e9a55fSManish V Badarkhe * get_auth_param_type_desc() - Get pointer of authentication parameter 11428e9a55fSManish V Badarkhe * @img_id[in]: Image Id 11528e9a55fSManish V Badarkhe * @type_desc[out]: Pointer to authentication parameter 11628e9a55fSManish V Badarkhe * @buf_size[out]: Buffer size which hold hash/pk 11728e9a55fSManish V Badarkhe * 11828e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 11928e9a55fSManish V Badarkhe ******************************************************************************/ 12028e9a55fSManish V Badarkhe static int get_auth_param_type_desc(unsigned int img_id, 12128e9a55fSManish V Badarkhe auth_param_type_desc_t **type_desc, 12228e9a55fSManish V Badarkhe unsigned int *buf_size) 12328e9a55fSManish V Badarkhe { 12428e9a55fSManish V Badarkhe auth_method_desc_t *img_auth_method = NULL; 12528e9a55fSManish V Badarkhe img_type_t type = auth_img_descs[img_id].img_type; 12628e9a55fSManish V Badarkhe 12728e9a55fSManish V Badarkhe if (type == IMG_CERT) { 12828e9a55fSManish V Badarkhe img_auth_method = 12928e9a55fSManish V Badarkhe &auth_img_descs[img_id].img_auth_methods[AUTH_METHOD_SIG]; 13028e9a55fSManish V Badarkhe *type_desc = img_auth_method->param.sig.pk; 13128e9a55fSManish V Badarkhe *buf_size = PK_DER_LEN; 13228e9a55fSManish V Badarkhe } else if (type == IMG_RAW) { 13328e9a55fSManish V Badarkhe img_auth_method = 13428e9a55fSManish V Badarkhe &auth_img_descs[img_id].img_auth_methods[AUTH_METHOD_HASH]; 13528e9a55fSManish V Badarkhe *type_desc = img_auth_method->param.hash.hash; 13628e9a55fSManish V Badarkhe *buf_size = HASH_DER_LEN; 13728e9a55fSManish V Badarkhe } else { 13828e9a55fSManish V Badarkhe return -1; 13928e9a55fSManish V Badarkhe } 14028e9a55fSManish V Badarkhe 14128e9a55fSManish V Badarkhe return 0; 14228e9a55fSManish V Badarkhe } 14328e9a55fSManish V Badarkhe 14428e9a55fSManish V Badarkhe /******************************************************************************* 14528e9a55fSManish V Badarkhe * set_auth_method() - Update global auth image descriptors with authentication 14628e9a55fSManish V Badarkhe * method data 14728e9a55fSManish V Badarkhe * @auth_method_type[in]: Type of authentication method 14828e9a55fSManish V Badarkhe * @oid[in]: Object Idetifier for pk/hash search 14928e9a55fSManish V Badarkhe * @auth_method[in]: Pointer to authentication method to set 15028e9a55fSManish V Badarkhe ******************************************************************************/ 15128e9a55fSManish V Badarkhe static void set_auth_method(auth_method_type_t auth_method_type, char *oid, 15228e9a55fSManish V Badarkhe auth_method_desc_t *auth_method) 15328e9a55fSManish V Badarkhe { 15428e9a55fSManish V Badarkhe auth_param_type_t auth_param_type = AUTH_PARAM_NONE; 15528e9a55fSManish V Badarkhe auth_param_type_desc_t *auth_param_type_desc; 15628e9a55fSManish V Badarkhe 15728e9a55fSManish V Badarkhe assert(auth_method != NULL); 15828e9a55fSManish V Badarkhe 15928e9a55fSManish V Badarkhe auth_param_type_desc = pool_alloc(&auth_param_type_descs_pool); 16028e9a55fSManish V Badarkhe auth_method->type = auth_method_type; 16128e9a55fSManish V Badarkhe 16228e9a55fSManish V Badarkhe if (auth_method_type == AUTH_METHOD_SIG) { 16328e9a55fSManish V Badarkhe auth_param_type = AUTH_PARAM_PUB_KEY; 16428e9a55fSManish V Badarkhe auth_method->param.sig.sig = &sig; 16528e9a55fSManish V Badarkhe auth_method->param.sig.alg = &sig_alg; 16628e9a55fSManish V Badarkhe auth_method->param.sig.data = &raw_data; 16728e9a55fSManish V Badarkhe auth_method->param.sig.pk = auth_param_type_desc; 16828e9a55fSManish V Badarkhe } else if (auth_method_type == AUTH_METHOD_HASH) { 16928e9a55fSManish V Badarkhe auth_param_type = AUTH_PARAM_HASH; 17028e9a55fSManish V Badarkhe auth_method->param.hash.data = &raw_data; 17128e9a55fSManish V Badarkhe auth_method->param.hash.hash = auth_param_type_desc; 17228e9a55fSManish V Badarkhe } else if (auth_method_type == AUTH_METHOD_NV_CTR) { 17328e9a55fSManish V Badarkhe auth_param_type = AUTH_PARAM_NV_CTR; 17428e9a55fSManish V Badarkhe auth_method->param.nv_ctr.cert_nv_ctr = auth_param_type_desc; 17528e9a55fSManish V Badarkhe auth_method->param.nv_ctr.plat_nv_ctr = auth_param_type_desc; 17628e9a55fSManish V Badarkhe } 17728e9a55fSManish V Badarkhe 17828e9a55fSManish V Badarkhe auth_param_type_desc->type = auth_param_type; 17928e9a55fSManish V Badarkhe auth_param_type_desc->cookie = (void *)oid; 18028e9a55fSManish V Badarkhe } 18128e9a55fSManish V Badarkhe 18228e9a55fSManish V Badarkhe /******************************************************************************* 18328e9a55fSManish V Badarkhe * get_oid() - get object identifier from device tree 18428e9a55fSManish V Badarkhe * @dtb[in]: Pointer to the device tree blob in memory 18528e9a55fSManish V Badarkhe * @node[in]: Offset of the node 18628e9a55fSManish V Badarkhe * @prop[in]: Property to read from the given node 18728e9a55fSManish V Badarkhe * @oid[out]: Object Indentifier of key/hash/nv-counter in certificate 18828e9a55fSManish V Badarkhe * 18928e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 19028e9a55fSManish V Badarkhe ******************************************************************************/ 19128e9a55fSManish V Badarkhe static int get_oid(const void *dtb, int node, const char *prop, char **oid) 19228e9a55fSManish V Badarkhe { 19328e9a55fSManish V Badarkhe uint32_t phandle; 19428e9a55fSManish V Badarkhe int rc; 19528e9a55fSManish V Badarkhe 19628e9a55fSManish V Badarkhe rc = fdt_read_uint32(dtb, node, prop, &phandle); 19728e9a55fSManish V Badarkhe if (rc < 0) { 19828e9a55fSManish V Badarkhe return rc; 19928e9a55fSManish V Badarkhe } 20028e9a55fSManish V Badarkhe 20128e9a55fSManish V Badarkhe node = fdt_node_offset_by_phandle(dtb, phandle); 20228e9a55fSManish V Badarkhe if (node < 0) { 20328e9a55fSManish V Badarkhe return node; 20428e9a55fSManish V Badarkhe } 20528e9a55fSManish V Badarkhe 20628e9a55fSManish V Badarkhe *oid = pool_alloc(&oid_pool); 20728e9a55fSManish V Badarkhe rc = fdtw_read_string(dtb, node, "oid", *oid, MAX_OID_NAME_LEN); 20828e9a55fSManish V Badarkhe 20928e9a55fSManish V Badarkhe return rc; 21028e9a55fSManish V Badarkhe } 21128e9a55fSManish V Badarkhe 21228e9a55fSManish V Badarkhe /******************************************************************************* 21328e9a55fSManish V Badarkhe * populate_and_set_auth_methods() - Populate auth method parameters from 21428e9a55fSManish V Badarkhe * device tree and set authentication method 21528e9a55fSManish V Badarkhe * structure. 21628e9a55fSManish V Badarkhe * @dtb[in]: Pointer to the device tree blob in memory 21728e9a55fSManish V Badarkhe * @node[in]: Offset of the node 21828e9a55fSManish V Badarkhe * @img_id[in]: Image identifier 21928e9a55fSManish V Badarkhe * @type[in]: Type of image 22028e9a55fSManish V Badarkhe * @root_certificate[in]:Root certificate (authenticated by ROTPK) 22128e9a55fSManish V Badarkhe * 22228e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 22328e9a55fSManish V Badarkhe ******************************************************************************/ 22428e9a55fSManish V Badarkhe static int populate_and_set_auth_methods(const void *dtb, int node, 22528e9a55fSManish V Badarkhe unsigned int img_id, img_type_t type, 22628e9a55fSManish V Badarkhe bool root_certificate) 22728e9a55fSManish V Badarkhe { 22828e9a55fSManish V Badarkhe auth_method_type_t auth_method_type = AUTH_METHOD_NONE; 22928e9a55fSManish V Badarkhe int rc; 23028e9a55fSManish V Badarkhe char *oid = NULL; 23128e9a55fSManish V Badarkhe 23228e9a55fSManish V Badarkhe auth_method_desc_t *auth_method = pool_alloc_n(&auth_methods_pool, 23328e9a55fSManish V Badarkhe AUTH_METHOD_NUM); 23428e9a55fSManish V Badarkhe 23528e9a55fSManish V Badarkhe /* 23628e9a55fSManish V Badarkhe * This is as per binding document where certificates are 23728e9a55fSManish V Badarkhe * verified by signature and images are verified by hash. 23828e9a55fSManish V Badarkhe */ 23928e9a55fSManish V Badarkhe if (type == IMG_CERT) { 24028e9a55fSManish V Badarkhe if (root_certificate) { 24128e9a55fSManish V Badarkhe oid = NULL; 24228e9a55fSManish V Badarkhe } else { 24328e9a55fSManish V Badarkhe rc = get_oid(dtb, node, "signing-key", &oid); 24428e9a55fSManish V Badarkhe if (rc < 0) { 24528e9a55fSManish V Badarkhe ERROR("FCONF: Can't read %s property\n", 24628e9a55fSManish V Badarkhe "signing-key"); 24728e9a55fSManish V Badarkhe return rc; 24828e9a55fSManish V Badarkhe } 24928e9a55fSManish V Badarkhe } 25028e9a55fSManish V Badarkhe auth_method_type = AUTH_METHOD_SIG; 25128e9a55fSManish V Badarkhe } else if (type == IMG_RAW) { 25228e9a55fSManish V Badarkhe rc = get_oid(dtb, node, "hash", &oid); 25328e9a55fSManish V Badarkhe if (rc < 0) { 25428e9a55fSManish V Badarkhe ERROR("FCONF: Can't read %s property\n", 25528e9a55fSManish V Badarkhe "hash"); 25628e9a55fSManish V Badarkhe return rc; 25728e9a55fSManish V Badarkhe } 25828e9a55fSManish V Badarkhe auth_method_type = AUTH_METHOD_HASH; 25928e9a55fSManish V Badarkhe } else { 26028e9a55fSManish V Badarkhe return -1; 26128e9a55fSManish V Badarkhe } 26228e9a55fSManish V Badarkhe 26328e9a55fSManish V Badarkhe set_auth_method(auth_method_type, oid, 26428e9a55fSManish V Badarkhe &auth_method[auth_method_type]); 26528e9a55fSManish V Badarkhe 26628e9a55fSManish V Badarkhe /* Retrieve the optional property */ 26728e9a55fSManish V Badarkhe rc = get_oid(dtb, node, "antirollback-counter", &oid); 26828e9a55fSManish V Badarkhe if (rc == 0) { 26928e9a55fSManish V Badarkhe auth_method_type = AUTH_METHOD_NV_CTR; 27028e9a55fSManish V Badarkhe set_auth_method(auth_method_type, oid, 27128e9a55fSManish V Badarkhe &auth_method[auth_method_type]); 27228e9a55fSManish V Badarkhe } 27328e9a55fSManish V Badarkhe 27428e9a55fSManish V Badarkhe auth_img_descs[img_id].img_auth_methods = &auth_method[0]; 27528e9a55fSManish V Badarkhe 27628e9a55fSManish V Badarkhe return 0; 27728e9a55fSManish V Badarkhe } 27828e9a55fSManish V Badarkhe 27928e9a55fSManish V Badarkhe /******************************************************************************* 28028e9a55fSManish V Badarkhe * get_parent_img_id() - Get parent image id for given child node 28128e9a55fSManish V Badarkhe * @dtb[in]: Pointer to the device tree blob in memory 28228e9a55fSManish V Badarkhe * @node[in]: Offset of the child node 28328e9a55fSManish V Badarkhe * @parent_img_id[out]: Image id of parent 28428e9a55fSManish V Badarkhe * 28528e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 28628e9a55fSManish V Badarkhe ******************************************************************************/ 28728e9a55fSManish V Badarkhe static int get_parent_img_id(const void *dtb, int node, 28828e9a55fSManish V Badarkhe unsigned int *parent_img_id) 28928e9a55fSManish V Badarkhe { 29028e9a55fSManish V Badarkhe uint32_t phandle; 29128e9a55fSManish V Badarkhe int err; 29228e9a55fSManish V Badarkhe 29328e9a55fSManish V Badarkhe err = fdt_read_uint32(dtb, node, "parent", &phandle); 29428e9a55fSManish V Badarkhe if (err < 0) { 29528e9a55fSManish V Badarkhe ERROR("FCONF: Could not read %s property in node\n", 29628e9a55fSManish V Badarkhe "parent"); 29728e9a55fSManish V Badarkhe return err; 29828e9a55fSManish V Badarkhe } 29928e9a55fSManish V Badarkhe 30028e9a55fSManish V Badarkhe node = fdt_node_offset_by_phandle(dtb, phandle); 30128e9a55fSManish V Badarkhe if (node < 0) { 30228e9a55fSManish V Badarkhe ERROR("FCONF: Failed to locate node using its phandle\n"); 30328e9a55fSManish V Badarkhe return node; 30428e9a55fSManish V Badarkhe } 30528e9a55fSManish V Badarkhe 30628e9a55fSManish V Badarkhe err = fdt_read_uint32(dtb, node, "image-id", parent_img_id); 30728e9a55fSManish V Badarkhe if (err < 0) { 30828e9a55fSManish V Badarkhe ERROR("FCONF: Could not read %s property in node\n", 30928e9a55fSManish V Badarkhe "image-id"); 31028e9a55fSManish V Badarkhe } 31128e9a55fSManish V Badarkhe 31228e9a55fSManish V Badarkhe return err; 31328e9a55fSManish V Badarkhe } 31428e9a55fSManish V Badarkhe 31528e9a55fSManish V Badarkhe /******************************************************************************* 31628e9a55fSManish V Badarkhe * set_desc_data() - Update data in descriptor's structure 31728e9a55fSManish V Badarkhe * @dtb[in]: Pointer to the device tree blob in memory 31828e9a55fSManish V Badarkhe * @node[in]: Offset of the node 31928e9a55fSManish V Badarkhe * @type[in]: Type of image (RAW/CERT) 32028e9a55fSManish V Badarkhe * 32128e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 32228e9a55fSManish V Badarkhe ******************************************************************************/ 32328e9a55fSManish V Badarkhe static int set_desc_data(const void *dtb, int node, img_type_t type) 32428e9a55fSManish V Badarkhe { 32528e9a55fSManish V Badarkhe int rc; 32628e9a55fSManish V Badarkhe bool root_certificate = false; 32728e9a55fSManish V Badarkhe unsigned int img_id, parent_img_id; 32828e9a55fSManish V Badarkhe 32928e9a55fSManish V Badarkhe rc = fdt_read_uint32(dtb, node, "image-id", &img_id); 33028e9a55fSManish V Badarkhe if (rc < 0) { 33128e9a55fSManish V Badarkhe ERROR("FCONF: Can't find property %s in node\n", 33228e9a55fSManish V Badarkhe "image-id"); 33328e9a55fSManish V Badarkhe return rc; 33428e9a55fSManish V Badarkhe } 33528e9a55fSManish V Badarkhe 33628e9a55fSManish V Badarkhe if (fdt_getprop(dtb, node, "root-certificate", 33728e9a55fSManish V Badarkhe NULL) != NULL) { 33828e9a55fSManish V Badarkhe root_certificate = true; 33928e9a55fSManish V Badarkhe } 34028e9a55fSManish V Badarkhe 34128e9a55fSManish V Badarkhe if (!root_certificate) { 34228e9a55fSManish V Badarkhe rc = get_parent_img_id(dtb, node, &parent_img_id); 34328e9a55fSManish V Badarkhe if (rc < 0) { 34428e9a55fSManish V Badarkhe return rc; 34528e9a55fSManish V Badarkhe } 34628e9a55fSManish V Badarkhe auth_img_descs[img_id].parent = &auth_img_descs[parent_img_id]; 34728e9a55fSManish V Badarkhe } 34828e9a55fSManish V Badarkhe 34928e9a55fSManish V Badarkhe auth_img_descs[img_id].img_id = img_id; 35028e9a55fSManish V Badarkhe auth_img_descs[img_id].img_type = type; 35128e9a55fSManish V Badarkhe 35228e9a55fSManish V Badarkhe rc = populate_and_set_auth_methods(dtb, node, img_id, type, 35328e9a55fSManish V Badarkhe root_certificate); 35428e9a55fSManish V Badarkhe if (rc < 0) { 35528e9a55fSManish V Badarkhe return rc; 35628e9a55fSManish V Badarkhe } 35728e9a55fSManish V Badarkhe 35828e9a55fSManish V Badarkhe if (type == IMG_CERT) { 35928e9a55fSManish V Badarkhe auth_param_desc_t *auth_param = 36028e9a55fSManish V Badarkhe pool_alloc_n(&auth_params_pool, 36128e9a55fSManish V Badarkhe COT_MAX_VERIFIED_PARAMS); 36228e9a55fSManish V Badarkhe auth_img_descs[img_id].authenticated_data = &auth_param[0]; 36328e9a55fSManish V Badarkhe } 36428e9a55fSManish V Badarkhe 36528e9a55fSManish V Badarkhe cot_desc[img_id] = &auth_img_descs[img_id]; 36628e9a55fSManish V Badarkhe 36728e9a55fSManish V Badarkhe return rc; 36828e9a55fSManish V Badarkhe } 36928e9a55fSManish V Badarkhe 37028e9a55fSManish V Badarkhe /******************************************************************************* 37128e9a55fSManish V Badarkhe * populate_manifest_descs() - Populate CoT descriptors and update global 37228e9a55fSManish V Badarkhe * certificate structures 37328e9a55fSManish V Badarkhe * @dtb[in]: Pointer to the device tree blob in memory 37428e9a55fSManish V Badarkhe * 37528e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 37628e9a55fSManish V Badarkhe ******************************************************************************/ 37728e9a55fSManish V Badarkhe static int populate_manifest_descs(const void *dtb) 37828e9a55fSManish V Badarkhe { 37928e9a55fSManish V Badarkhe int node, child; 38028e9a55fSManish V Badarkhe int rc; 38128e9a55fSManish V Badarkhe 38228e9a55fSManish V Badarkhe /* 38328e9a55fSManish V Badarkhe * Assert the node offset points to "arm, cert-descs" 38428e9a55fSManish V Badarkhe * compatible property 38528e9a55fSManish V Badarkhe */ 38628e9a55fSManish V Badarkhe const char *compatible_str = "arm, cert-descs"; 38728e9a55fSManish V Badarkhe 38828e9a55fSManish V Badarkhe node = fdt_node_offset_by_compatible(dtb, -1, compatible_str); 38928e9a55fSManish V Badarkhe if (node < 0) { 39028e9a55fSManish V Badarkhe ERROR("FCONF: Can't find %s compatible in node\n", 39128e9a55fSManish V Badarkhe compatible_str); 39228e9a55fSManish V Badarkhe return node; 39328e9a55fSManish V Badarkhe } 39428e9a55fSManish V Badarkhe 39528e9a55fSManish V Badarkhe fdt_for_each_subnode(child, dtb, node) { 39628e9a55fSManish V Badarkhe rc = set_desc_data(dtb, child, IMG_CERT); 39728e9a55fSManish V Badarkhe if (rc < 0) { 39828e9a55fSManish V Badarkhe return rc; 39928e9a55fSManish V Badarkhe } 40028e9a55fSManish V Badarkhe } 40128e9a55fSManish V Badarkhe 40228e9a55fSManish V Badarkhe return 0; 40328e9a55fSManish V Badarkhe } 40428e9a55fSManish V Badarkhe 40528e9a55fSManish V Badarkhe /******************************************************************************* 40628e9a55fSManish V Badarkhe * populate_image_descs() - Populate CoT descriptors and update global 40728e9a55fSManish V Badarkhe * image descriptor structures. 40828e9a55fSManish V Badarkhe * @dtb[in]: Pointer to the device tree blob in memory 40928e9a55fSManish V Badarkhe * 41028e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 41128e9a55fSManish V Badarkhe ******************************************************************************/ 41228e9a55fSManish V Badarkhe static int populate_image_descs(const void *dtb) 41328e9a55fSManish V Badarkhe { 41428e9a55fSManish V Badarkhe int node, child; 41528e9a55fSManish V Badarkhe int rc; 41628e9a55fSManish V Badarkhe 41728e9a55fSManish V Badarkhe /* 41828e9a55fSManish V Badarkhe * Assert the node offset points to "arm, img-descs" 41928e9a55fSManish V Badarkhe * compatible property 42028e9a55fSManish V Badarkhe */ 42128e9a55fSManish V Badarkhe const char *compatible_str = "arm, img-descs"; 42228e9a55fSManish V Badarkhe 42328e9a55fSManish V Badarkhe node = fdt_node_offset_by_compatible(dtb, -1, compatible_str); 42428e9a55fSManish V Badarkhe if (node < 0) { 42528e9a55fSManish V Badarkhe ERROR("FCONF: Can't find %s compatible in node\n", 42628e9a55fSManish V Badarkhe compatible_str); 42728e9a55fSManish V Badarkhe return node; 42828e9a55fSManish V Badarkhe } 42928e9a55fSManish V Badarkhe 43028e9a55fSManish V Badarkhe fdt_for_each_subnode(child, dtb, node) { 43128e9a55fSManish V Badarkhe rc = set_desc_data(dtb, child, IMG_RAW); 43228e9a55fSManish V Badarkhe if (rc < 0) { 43328e9a55fSManish V Badarkhe return rc; 43428e9a55fSManish V Badarkhe } 43528e9a55fSManish V Badarkhe } 43628e9a55fSManish V Badarkhe 43728e9a55fSManish V Badarkhe return 0; 43828e9a55fSManish V Badarkhe } 43928e9a55fSManish V Badarkhe 44028e9a55fSManish V Badarkhe /******************************************************************************* 44128e9a55fSManish V Badarkhe * fconf_populate_cot_descs() - Populate CoT descriptors and update global 44228e9a55fSManish V Badarkhe * structures 44328e9a55fSManish V Badarkhe * @config[in]: Pointer to the device tree blob in memory 44428e9a55fSManish V Badarkhe * 44528e9a55fSManish V Badarkhe * Return 0 on success or an error value otherwise. 44628e9a55fSManish V Badarkhe ******************************************************************************/ 44728e9a55fSManish V Badarkhe static int fconf_populate_cot_descs(uintptr_t config) 44828e9a55fSManish V Badarkhe { 44928e9a55fSManish V Badarkhe auth_param_type_desc_t *type_desc = NULL; 45028e9a55fSManish V Badarkhe unsigned int auth_buf_size = 0U; 45128e9a55fSManish V Badarkhe int rc; 45228e9a55fSManish V Badarkhe 45328e9a55fSManish V Badarkhe /* As libfdt uses void *, we can't avoid this cast */ 45428e9a55fSManish V Badarkhe const void *dtb = (void *)config; 45528e9a55fSManish V Badarkhe 45628e9a55fSManish V Badarkhe /* populate manifest descs information */ 45728e9a55fSManish V Badarkhe rc = populate_manifest_descs(dtb); 45828e9a55fSManish V Badarkhe if (rc < 0) { 45928e9a55fSManish V Badarkhe ERROR("FCONF: population of %s descs failed %d\n", 46028e9a55fSManish V Badarkhe "manifest", rc); 46128e9a55fSManish V Badarkhe return rc; 46228e9a55fSManish V Badarkhe } 46328e9a55fSManish V Badarkhe 46428e9a55fSManish V Badarkhe /* populate image descs information */ 46528e9a55fSManish V Badarkhe rc = populate_image_descs(dtb); 46628e9a55fSManish V Badarkhe if (rc < 0) { 46728e9a55fSManish V Badarkhe ERROR("FCONF: population of %s descs failed %d\n", 46828e9a55fSManish V Badarkhe "images", rc); 46928e9a55fSManish V Badarkhe return rc; 47028e9a55fSManish V Badarkhe } 47128e9a55fSManish V Badarkhe 47228e9a55fSManish V Badarkhe /* update parent's authentication data */ 47328e9a55fSManish V Badarkhe for (unsigned int i = 0U; i < MAX_NUMBER_IDS; i++) { 47428e9a55fSManish V Badarkhe if (auth_img_descs[i].parent != NULL) { 47528e9a55fSManish V Badarkhe rc = get_auth_param_type_desc(i, 47628e9a55fSManish V Badarkhe &type_desc, 47728e9a55fSManish V Badarkhe &auth_buf_size); 47828e9a55fSManish V Badarkhe if (rc < 0) { 47928e9a55fSManish V Badarkhe ERROR("FCONF: failed to get auth data %d\n", 48028e9a55fSManish V Badarkhe rc); 48128e9a55fSManish V Badarkhe return rc; 48228e9a55fSManish V Badarkhe } 48328e9a55fSManish V Badarkhe 48428e9a55fSManish V Badarkhe rc = update_parent_auth_data(auth_img_descs[i].parent, 48528e9a55fSManish V Badarkhe type_desc, 48628e9a55fSManish V Badarkhe auth_buf_size); 48728e9a55fSManish V Badarkhe if (rc < 0) { 48828e9a55fSManish V Badarkhe ERROR("FCONF: auth data update failed %d\n", 48928e9a55fSManish V Badarkhe rc); 49028e9a55fSManish V Badarkhe return rc; 49128e9a55fSManish V Badarkhe } 49228e9a55fSManish V Badarkhe } 49328e9a55fSManish V Badarkhe } 49428e9a55fSManish V Badarkhe 49528e9a55fSManish V Badarkhe return rc; 49628e9a55fSManish V Badarkhe } 49728e9a55fSManish V Badarkhe 49828e9a55fSManish V Badarkhe FCONF_REGISTER_POPULATOR(TB_FW, cot_desc, fconf_populate_cot_descs); 49928e9a55fSManish V Badarkhe REGISTER_COT(cot_desc); 500