xref: /rk3399_ARM-atf/plat/arm/board/tc/tc_bl2_dpe.c (revision e0be63c88050a0436e19e52edd4e1cc28336f8e8) 
1e7f1181fSTamas Ban /*
2*5b46aaccSYann Gautier  * Copyright (c) 2024-2025, Arm Limited and Contributors. All rights reserved.
3e7f1181fSTamas Ban  *
4e7f1181fSTamas Ban  * SPDX-License-Identifier: BSD-3-Clause
5e7f1181fSTamas Ban  */
6e7f1181fSTamas Ban 
7e7f1181fSTamas Ban #include <stdint.h>
8e7f1181fSTamas Ban 
903d388d8STamas Ban #include <common/debug.h>
10e7f1181fSTamas Ban #include <drivers/measured_boot/metadata.h>
117f8589cdSTamas Ban #include <drivers/measured_boot/rse/dice_prot_env.h>
12e7f1181fSTamas Ban #include <plat/arm/common/plat_arm.h>
13e7f1181fSTamas Ban #include <plat/common/platform.h>
14e7f1181fSTamas Ban #include <platform_def.h>
1503d388d8STamas Ban #include <tools_share/tbbr_oid.h>
16e7f1181fSTamas Ban 
174f5beb56STamas Ban #include "tc_dpe.h"
18*5b46aaccSYann Gautier #include <tc_rse_comms.h>
196df8d764STamas Ban 
20e7f1181fSTamas Ban /*
21e7f1181fSTamas Ban  * The content and the values of this array depends on:
22e7f1181fSTamas Ban  * - build config: Which components are loaded: SPMD, TOS, SPx, etc ?
23e7f1181fSTamas Ban  * - boot order: the last element in a layer should be treated differently.
24e7f1181fSTamas Ban  */
25e7f1181fSTamas Ban 
26e7f1181fSTamas Ban /*
27e7f1181fSTamas Ban  * TODO:
28e7f1181fSTamas Ban  *     - The content of the array must be tailored according to the build
29e7f1181fSTamas Ban  *       config (TOS, SPMD, etc). All loaded components (executables and
30e7f1181fSTamas Ban  *       config blobs) must be present in this array.
31e7f1181fSTamas Ban  *     - Current content is according to the Trusty build config.
32e7f1181fSTamas Ban  */
33e7f1181fSTamas Ban struct dpe_metadata tc_dpe_metadata[] = {
34e7f1181fSTamas Ban 	{
35e7f1181fSTamas Ban 		.id = BL31_IMAGE_ID,
366df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
37e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
38e7f1181fSTamas Ban 		.sw_type = MBOOT_BL31_IMAGE_STRING,
39e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
40e7f1181fSTamas Ban 		.retain_parent_context = true,
41e7f1181fSTamas Ban 		.create_certificate = false,
423201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
43e7f1181fSTamas Ban 		.pk_oid = BL31_IMAGE_KEY_OID },
44e7f1181fSTamas Ban 	{
45e7f1181fSTamas Ban 		.id = BL32_IMAGE_ID,
466df8d764STamas Ban 		.cert_id =  DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
47e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
48e7f1181fSTamas Ban 		.sw_type = MBOOT_BL32_IMAGE_STRING,
49e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
50e7f1181fSTamas Ban 		.retain_parent_context = true,
51e7f1181fSTamas Ban 		.create_certificate = false,
523201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
53e7f1181fSTamas Ban 		.pk_oid = BL32_IMAGE_KEY_OID },
54e7f1181fSTamas Ban 	{
55e7f1181fSTamas Ban 		.id = BL33_IMAGE_ID,
566df8d764STamas Ban 		.cert_id = DPE_HYPERVISOR_CERT_ID,
57e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
58e7f1181fSTamas Ban 		.sw_type = MBOOT_BL33_IMAGE_STRING,
59e7f1181fSTamas Ban 		.allow_new_context_to_derive = true,
60e7f1181fSTamas Ban 		.retain_parent_context = true,
61e7f1181fSTamas Ban 		.create_certificate = false,
623201faf3STamas Ban 		.target_locality = LOCALITY_AP_NS,
63e7f1181fSTamas Ban 		.pk_oid = BL33_IMAGE_KEY_OID },
64e7f1181fSTamas Ban 
65e7f1181fSTamas Ban 	{
66e7f1181fSTamas Ban 		.id = HW_CONFIG_ID,
676df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
68e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
69e7f1181fSTamas Ban 		.sw_type = MBOOT_HW_CONFIG_STRING,
70e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
71e7f1181fSTamas Ban 		.retain_parent_context = true,
72e7f1181fSTamas Ban 		.create_certificate = false,
733201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
74e7f1181fSTamas Ban 		.pk_oid = HW_CONFIG_KEY_OID },
75e7f1181fSTamas Ban 	{
76e7f1181fSTamas Ban 		.id = NT_FW_CONFIG_ID,
776df8d764STamas Ban 		.cert_id = DPE_HYPERVISOR_CERT_ID,
78e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
79e7f1181fSTamas Ban 		.sw_type = MBOOT_NT_FW_CONFIG_STRING,
80e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
81e7f1181fSTamas Ban 		.retain_parent_context = true,
82e7f1181fSTamas Ban 		.create_certificate = false,
833201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
84e7f1181fSTamas Ban 		.pk_oid = NT_FW_CONFIG_KEY_OID },
85e7f1181fSTamas Ban 	{
86e7f1181fSTamas Ban 		.id = SCP_BL2_IMAGE_ID,
876df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
88e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
89e7f1181fSTamas Ban 		.sw_type = MBOOT_SCP_BL2_IMAGE_STRING,
90e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
91e7f1181fSTamas Ban 		.retain_parent_context = true,
92e7f1181fSTamas Ban 		.create_certificate = false,
933201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
94e7f1181fSTamas Ban 		.pk_oid = SCP_BL2_IMAGE_KEY_OID },
95e7f1181fSTamas Ban 	{
96e7f1181fSTamas Ban 		.id = SOC_FW_CONFIG_ID,
976df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
98e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
99e7f1181fSTamas Ban 		.sw_type = MBOOT_SOC_FW_CONFIG_STRING,
100e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
101e7f1181fSTamas Ban 		.retain_parent_context = true,
102e7f1181fSTamas Ban 		.create_certificate = false,
1033201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
104e7f1181fSTamas Ban 		.pk_oid = SOC_FW_CONFIG_KEY_OID },
105e7f1181fSTamas Ban 	{
106e7f1181fSTamas Ban 		.id = TOS_FW_CONFIG_ID,
1076df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
108e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
109e7f1181fSTamas Ban 		.sw_type = MBOOT_TOS_FW_CONFIG_STRING,
110e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
111e7f1181fSTamas Ban 		.retain_parent_context = true,
112e7f1181fSTamas Ban 		.create_certificate = false,
1133201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
114e7f1181fSTamas Ban 		.pk_oid = TOS_FW_CONFIG_KEY_OID },
115e7f1181fSTamas Ban #if defined(SPD_spmd)
116e7f1181fSTamas Ban 	{
117e7f1181fSTamas Ban 		.id = SP_PKG1_ID,
1186df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
119e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
120e7f1181fSTamas Ban 		.sw_type = MBOOT_SP1_STRING,
121e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
122e7f1181fSTamas Ban 		.retain_parent_context = true,
1232e361319SBen Horgan 		.create_certificate = false,
1243201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
125e7f1181fSTamas Ban 		.pk_oid = NULL },
126e7f1181fSTamas Ban 	{
127e7f1181fSTamas Ban 		.id = SP_PKG2_ID,
1286df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
129e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
130e7f1181fSTamas Ban 		.sw_type = MBOOT_SP2_STRING,
131e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
132e7f1181fSTamas Ban 		.retain_parent_context = true,
133e7f1181fSTamas Ban 		.create_certificate = false,
1343201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
135e7f1181fSTamas Ban 		.pk_oid = NULL },
136e7f1181fSTamas Ban 	{
137e7f1181fSTamas Ban 		.id = SP_PKG3_ID,
1386df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
139e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
140e7f1181fSTamas Ban 		.sw_type = MBOOT_SP3_STRING,
141e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
142e7f1181fSTamas Ban 		.retain_parent_context = true,
143e7f1181fSTamas Ban 		.create_certificate = false,
1443201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
145e7f1181fSTamas Ban 		.pk_oid = NULL },
146e7f1181fSTamas Ban 	{
147e7f1181fSTamas Ban 		.id = SP_PKG4_ID,
1486df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
149e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
150e7f1181fSTamas Ban 		.sw_type = MBOOT_SP4_STRING,
151e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
152e7f1181fSTamas Ban 		.retain_parent_context = true,
153e7f1181fSTamas Ban 		.create_certificate = false,
1543201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
155e7f1181fSTamas Ban 		.pk_oid = NULL },
156e7f1181fSTamas Ban 	{
157e7f1181fSTamas Ban 		.id = SP_PKG5_ID,
1586df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
159e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
160e7f1181fSTamas Ban 		.sw_type = MBOOT_SP5_STRING,
161e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
162e7f1181fSTamas Ban 		.retain_parent_context = true,
163e7f1181fSTamas Ban 		.create_certificate = false,
1643201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
165e7f1181fSTamas Ban 		.pk_oid = NULL },
166e7f1181fSTamas Ban 	{
167e7f1181fSTamas Ban 		.id = SP_PKG6_ID,
1686df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
169e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
170e7f1181fSTamas Ban 		.sw_type = MBOOT_SP6_STRING,
171e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
172e7f1181fSTamas Ban 		.retain_parent_context = true,
173e7f1181fSTamas Ban 		.create_certificate = false,
1743201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
175e7f1181fSTamas Ban 		.pk_oid = NULL },
176e7f1181fSTamas Ban 	{
177e7f1181fSTamas Ban 		.id = SP_PKG7_ID,
1786df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
179e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
180e7f1181fSTamas Ban 		.sw_type = MBOOT_SP7_STRING,
181e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
182e7f1181fSTamas Ban 		.retain_parent_context = true,
183e7f1181fSTamas Ban 		.create_certificate = false,
1843201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
185e7f1181fSTamas Ban 		.pk_oid = NULL },
186e7f1181fSTamas Ban 	{
187e7f1181fSTamas Ban 		.id = SP_PKG8_ID,
1886df8d764STamas Ban 		.cert_id = DPE_CERT_ID_SAME_AS_PARENT, /* AP_BL2: DPE_AP_FW_CERT_ID */
189e7f1181fSTamas Ban 		.signer_id_size = SIGNER_ID_MIN_SIZE,
190e7f1181fSTamas Ban 		.sw_type = MBOOT_SP8_STRING,
191e7f1181fSTamas Ban 		.allow_new_context_to_derive = false,
192e7f1181fSTamas Ban 		.retain_parent_context = true,
193e7f1181fSTamas Ban 		.create_certificate = false,
1943201faf3STamas Ban 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
195e7f1181fSTamas Ban 		.pk_oid = NULL },
196e7f1181fSTamas Ban 
197e7f1181fSTamas Ban #endif
198e7f1181fSTamas Ban 	{
199e7f1181fSTamas Ban 		.id = DPE_INVALID_ID }
200e7f1181fSTamas Ban };
201e7f1181fSTamas Ban 
20203d388d8STamas Ban /* Context handle is meant to be used by BL33. Sharing it via NT_FW_CONFIG */
20303d388d8STamas Ban static int new_ctx_handle;
20403d388d8STamas Ban 
plat_dpe_share_context_handle(int * ctx_handle,int * parent_ctx_handle)2058e0fd0bfSTamas Ban void plat_dpe_share_context_handle(int *ctx_handle, int *parent_ctx_handle)
20603d388d8STamas Ban {
20703d388d8STamas Ban 	new_ctx_handle = *ctx_handle;
2088e0fd0bfSTamas Ban 
2098e0fd0bfSTamas Ban 	/* Irrelevant in BL2 because cold restart resumes CPU in BL1 */
2108e0fd0bfSTamas Ban 	(void)parent_ctx_handle;
21103d388d8STamas Ban }
21203d388d8STamas Ban 
plat_dpe_get_context_handle(int * ctx_handle)213467bdf26STamas Ban void plat_dpe_get_context_handle(int *ctx_handle)
214467bdf26STamas Ban {
215467bdf26STamas Ban 	int rc;
216467bdf26STamas Ban 
217467bdf26STamas Ban 	rc = arm_get_tb_fw_info(ctx_handle);
218467bdf26STamas Ban 	if (rc != 0) {
219467bdf26STamas Ban 		ERROR("Unable to get DPE context handle from TB_FW_CONFIG\n");
220467bdf26STamas Ban 		/*
221467bdf26STamas Ban 		 * It is a fatal error because on FVP platform, BL2 software
222467bdf26STamas Ban 		 * assumes that a valid DPE context_handle is passed through
223467bdf26STamas Ban 		 * the DTB object by BL1.
224467bdf26STamas Ban 		 */
225467bdf26STamas Ban 		plat_panic_handler();
226467bdf26STamas Ban 	}
227467bdf26STamas Ban 
228467bdf26STamas Ban 	VERBOSE("Received DPE context handle: 0x%x\n", *ctx_handle);
229467bdf26STamas Ban }
230467bdf26STamas Ban 
bl2_plat_mboot_init(void)231e7f1181fSTamas Ban void bl2_plat_mboot_init(void)
232e7f1181fSTamas Ban {
23326a520b2SLeo Yan #if defined(SPD_spmd)
2342e361319SBen Horgan 	size_t i;
2352e361319SBen Horgan 	const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
2362e361319SBen Horgan 
2372e361319SBen Horgan 	for (i = 0U; i < array_size; i++) {
2382e361319SBen Horgan 		if (tc_dpe_metadata[i].id != SP_PKG1_ID) {
2392e361319SBen Horgan 			continue;
2402e361319SBen Horgan 		}
2412e361319SBen Horgan 
2422e361319SBen Horgan 		if ((i + NUM_SP > array_size) || (i - 1 + NUM_SP < 0)) {
2432e361319SBen Horgan 			ERROR("Secure partition number is out-of-range\n");
2442e361319SBen Horgan 			ERROR("  Non-Secure partition number: %ld\n", i);
2452e361319SBen Horgan 			ERROR("  Secure partition number: %d\n", NUM_SP);
2462e361319SBen Horgan 			ERROR("  Metadata array size: %ld\n", array_size);
2472e361319SBen Horgan 			panic();
2482e361319SBen Horgan 		}
2492e361319SBen Horgan 
2502e361319SBen Horgan 		/* Finalize the certificate on the last secure partition */
2512e361319SBen Horgan 		tc_dpe_metadata[i - 1 + NUM_SP].create_certificate = true;
2522e361319SBen Horgan 		break;
2532e361319SBen Horgan 	}
2542e361319SBen Horgan #endif
2552e361319SBen Horgan 
25626a520b2SLeo Yan 	/* Initialize the communication channel between AP and RSE */
257*5b46aaccSYann Gautier 	(void)plat_rse_comms_init();
25826a520b2SLeo Yan 
259e7f1181fSTamas Ban 	dpe_init(tc_dpe_metadata);
260e7f1181fSTamas Ban }
261e7f1181fSTamas Ban 
bl2_plat_mboot_finish(void)262e7f1181fSTamas Ban void bl2_plat_mboot_finish(void)
263e7f1181fSTamas Ban {
26403d388d8STamas Ban 	int rc;
26503d388d8STamas Ban 
26603d388d8STamas Ban 	VERBOSE("Share DPE context handle with BL33: 0x%x\n", new_ctx_handle);
26703d388d8STamas Ban 	rc = arm_set_nt_fw_info(&new_ctx_handle);
26803d388d8STamas Ban 	if (rc != 0) {
26903d388d8STamas Ban 		ERROR("Unable to set DPE context handle in NT_FW_CONFIG\n");
27003d388d8STamas Ban 		/*
27103d388d8STamas Ban 		 * It is a fatal error because on TC platform, BL33 software
27203d388d8STamas Ban 		 * assumes that a valid DPE context_handle is passed through
27303d388d8STamas Ban 		 * the DTB object by BL2.
27403d388d8STamas Ban 		 */
27503d388d8STamas Ban 		plat_panic_handler();
27603d388d8STamas Ban 	}
277e7f1181fSTamas Ban }
278