1 /* 2 * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <stdint.h> 9 #include <string.h> 10 11 #include <common/debug.h> 12 #include <drivers/arm/cryptocell/cc_rotpk.h> 13 #include <drivers/delay_timer.h> 14 #include <lib/cassert.h> 15 #include <lib/fconf/fconf.h> 16 #include <plat/arm/common/plat_arm.h> 17 #include <plat/arm/common/fconf_nv_cntr_getter.h> 18 #include <plat/common/common_def.h> 19 #include <plat/common/platform.h> 20 #include <platform_def.h> 21 22 #if defined(ARM_COT_tbbr) 23 #include <tools_share/tbbr_oid.h> 24 #elif defined(ARM_COT_dualroot) 25 #include <tools_share/dualroot_oid.h> 26 #endif 27 28 #if !ARM_CRYPTOCELL_INTEG 29 #if !ARM_ROTPK_LOCATION_ID 30 #error "ARM_ROTPK_LOCATION_ID not defined" 31 #endif 32 #endif 33 34 #if COT_DESC_IN_DTB && defined(IMAGE_BL2) 35 uintptr_t nv_cntr_base_addr[MAX_NV_CTR_IDS]; 36 #else 37 uintptr_t nv_cntr_base_addr[MAX_NV_CTR_IDS] = { 38 TFW_NVCTR_BASE, 39 NTFW_CTR_BASE 40 }; 41 #endif 42 43 44 /* Weak definition may be overridden in specific platform */ 45 #pragma weak plat_get_nv_ctr 46 #pragma weak plat_set_nv_ctr 47 48 extern unsigned char arm_rotpk_header[], arm_rotpk_hash_end[]; 49 50 static unsigned char rotpk_hash_der[ARM_ROTPK_HEADER_LEN + ARM_ROTPK_HASH_LEN]; 51 52 /* 53 * Return the ROTPK hash stored in dedicated registers. 54 */ 55 int arm_get_rotpk_info_regs(void **key_ptr, unsigned int *key_len, 56 unsigned int *flags) 57 { 58 uint8_t *dst; 59 uint32_t *src, tmp; 60 unsigned int words, i; 61 62 assert(key_ptr != NULL); 63 assert(key_len != NULL); 64 assert(flags != NULL); 65 66 /* Copy the DER header */ 67 68 memcpy(rotpk_hash_der, arm_rotpk_header, ARM_ROTPK_HEADER_LEN); 69 dst = (uint8_t *)&rotpk_hash_der[ARM_ROTPK_HEADER_LEN]; 70 71 words = ARM_ROTPK_HASH_LEN >> 2; 72 73 src = (uint32_t *)TZ_PUB_KEY_HASH_BASE; 74 for (i = 0 ; i < words ; i++) { 75 tmp = src[words - 1 - i]; 76 /* Words are read in little endian */ 77 *dst++ = (uint8_t)(tmp & 0xFF); 78 *dst++ = (uint8_t)((tmp >> 8) & 0xFF); 79 *dst++ = (uint8_t)((tmp >> 16) & 0xFF); 80 *dst++ = (uint8_t)((tmp >> 24) & 0xFF); 81 } 82 83 *key_ptr = (void *)rotpk_hash_der; 84 *key_len = (unsigned int)sizeof(rotpk_hash_der); 85 *flags = ROTPK_IS_HASH; 86 return 0; 87 } 88 89 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \ 90 (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) 91 /* 92 * Return development ROTPK hash generated from ROT_KEY. 93 */ 94 int arm_get_rotpk_info_dev(void **key_ptr, unsigned int *key_len, 95 unsigned int *flags) 96 { 97 *key_ptr = arm_rotpk_header; 98 *key_len = arm_rotpk_hash_end - arm_rotpk_header; 99 *flags = ROTPK_IS_HASH; 100 return 0; 101 } 102 #endif 103 104 #if ARM_CRYPTOCELL_INTEG 105 /* 106 * Return ROTPK hash from CryptoCell. 107 */ 108 int arm_get_rotpk_info_cc(void **key_ptr, unsigned int *key_len, 109 unsigned int *flags) 110 { 111 unsigned char *dst; 112 113 assert(key_ptr != NULL); 114 assert(key_len != NULL); 115 assert(flags != NULL); 116 117 /* Copy the DER header */ 118 memcpy(rotpk_hash_der, arm_rotpk_header, ARM_ROTPK_HEADER_LEN); 119 dst = &rotpk_hash_der[ARM_ROTPK_HEADER_LEN]; 120 *key_ptr = rotpk_hash_der; 121 *key_len = sizeof(rotpk_hash_der); 122 return cc_get_rotpk_hash(dst, ARM_ROTPK_HASH_LEN, flags); 123 } 124 #endif 125 126 /* 127 * Wrapper function for most Arm platforms to get ROTPK hash. 128 */ 129 static int get_rotpk_info(void **key_ptr, unsigned int *key_len, 130 unsigned int *flags) 131 { 132 #if ARM_CRYPTOCELL_INTEG 133 return arm_get_rotpk_info_cc(key_ptr, key_len, flags); 134 #else 135 136 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \ 137 (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) 138 return arm_get_rotpk_info_dev(key_ptr, key_len, flags); 139 #elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID) 140 return arm_get_rotpk_info_regs(key_ptr, key_len, flags); 141 #else 142 return 1; 143 #endif 144 #endif /* ARM_CRYPTOCELL_INTEG */ 145 } 146 147 #if defined(ARM_COT_tbbr) 148 149 int arm_get_rotpk_info(void *cookie __unused, void **key_ptr, 150 unsigned int *key_len, unsigned int *flags) 151 { 152 return get_rotpk_info(key_ptr, key_len, flags); 153 } 154 155 #elif defined(ARM_COT_dualroot) 156 157 int arm_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len, 158 unsigned int *flags) 159 { 160 /* 161 * Return the right root of trust key hash based on the cookie value: 162 * - NULL means the primary ROTPK. 163 * - Otherwise, interpret cookie as the OID of the certificate 164 * extension containing the key. 165 */ 166 if (cookie == NULL) { 167 return get_rotpk_info(key_ptr, key_len, flags); 168 } else if (strcmp(cookie, PROT_PK_OID) == 0) { 169 extern unsigned char arm_protpk_hash[]; 170 extern unsigned char arm_protpk_hash_end[]; 171 *key_ptr = arm_protpk_hash; 172 *key_len = arm_protpk_hash_end - arm_protpk_hash; 173 *flags = ROTPK_IS_HASH; 174 return 0; 175 } else { 176 /* Invalid key ID. */ 177 return 1; 178 } 179 } 180 #endif 181 182 /* 183 * Return the non-volatile counter value stored in the platform. The cookie 184 * will contain the OID of the counter in the certificate. 185 * 186 * Return: 0 = success, Otherwise = error 187 */ 188 int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) 189 { 190 const char *oid; 191 uint32_t *nv_ctr_addr; 192 193 assert(cookie != NULL); 194 assert(nv_ctr != NULL); 195 196 oid = (const char *)cookie; 197 if (strcmp(oid, TRUSTED_FW_NVCOUNTER_OID) == 0) { 198 nv_ctr_addr = (uint32_t *)FCONF_GET_PROPERTY(cot, nv_cntr_addr, 199 TRUSTED_NV_CTR_ID); 200 } else if (strcmp(oid, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { 201 nv_ctr_addr = (uint32_t *)FCONF_GET_PROPERTY(cot, nv_cntr_addr, 202 NON_TRUSTED_NV_CTR_ID); 203 } else { 204 return 1; 205 } 206 207 *nv_ctr = (unsigned int)(*nv_ctr_addr); 208 209 return 0; 210 } 211 212 /* 213 * Store a new non-volatile counter value. By default on ARM development 214 * platforms, the non-volatile counters are RO and cannot be modified. We expect 215 * the values in the certificates to always match the RO values so that this 216 * function is never called. 217 * 218 * Return: 0 = success, Otherwise = error 219 */ 220 int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) 221 { 222 return 1; 223 } 224