1 /* 2 * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <endian.h> 8 #include <errno.h> 9 #include <limits.h> 10 11 #include <common/debug.h> 12 #include <common/tbbr/cot_def.h> 13 #include <drivers/clk.h> 14 #include <drivers/st/stm32_hash.h> 15 #include <lib/fconf/fconf.h> 16 #include <lib/fconf/fconf_dyn_cfg_getter.h> 17 #include <lib/fconf/fconf_tbbr_getter.h> 18 #include <lib/mmio.h> 19 #include <lib/xlat_tables/xlat_tables_v2.h> 20 #include <plat/common/platform.h> 21 22 #include <boot_api.h> 23 #include <platform_def.h> 24 25 #define HEADER_AND_EXT_TOTAL_SIZE 512 26 27 static uint8_t der_sha256_header[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 28 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 29 static uint8_t root_pk_hash[HASH_DER_LEN]; 30 31 static int copy_hash_from_otp(const char *otp_name, uint8_t *hash, size_t len) 32 { 33 uint32_t otp_idx; 34 uint32_t otp_len; 35 size_t i; 36 bool valid = false; 37 38 assert(len % sizeof(uint32_t) == 0); 39 40 if (stm32_get_otp_index(otp_name, &otp_idx, &otp_len) != 0) { 41 VERBOSE("%s: get %s index error\n", __func__, otp_name); 42 return -EINVAL; 43 } 44 if (otp_len != (len * CHAR_BIT)) { 45 VERBOSE("%s: length Error\n", __func__); 46 return -EINVAL; 47 } 48 49 for (i = 0U; i < len / sizeof(uint32_t); i++) { 50 uint32_t tmp; 51 uint32_t otp_val; 52 uint32_t first; 53 54 if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) { 55 VERBOSE("%s: unable to read from otp\n", __func__); 56 return -EINVAL; 57 } 58 59 tmp = bswap32(otp_val); 60 memcpy(hash + i * sizeof(uint32_t), &tmp, sizeof(tmp)); 61 62 if (i == 0U) { 63 first = tmp; 64 } 65 66 /* 67 * Check if key hash values in OTP are 0 or 0xFFFFFFFFF 68 * programmed : Invalid Key 69 */ 70 if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_OPEN) && !valid) { 71 if ((tmp != 0U) && (tmp != 0xFFFFFFFFU) && (tmp != first)) { 72 valid = true; 73 } 74 } 75 } 76 77 if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_OPEN) && !valid) { 78 return 0; 79 } 80 81 return len; 82 } 83 84 #if STM32_HEADER_VERSION_MAJOR == 1 85 static int get_rotpk_hash(void *cookie, uint8_t *hash, size_t len) 86 { 87 if (cookie != NULL) { 88 return -EINVAL; 89 } 90 91 return copy_hash_from_otp(PKH_OTP, hash, len); 92 } 93 #else 94 static int get_rotpk_hash(void *cookie, uint8_t *hash, size_t len) 95 { 96 int ret; 97 uint32_t pk_idx = 0U; 98 uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES]; 99 uint8_t otp_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES]; 100 boot_api_image_header_t *hdr = (boot_api_image_header_t *)(SRAM3_BASE + SRAM3_SIZE - 101 HEADER_AND_EXT_TOTAL_SIZE); 102 boot_extension_header_t *ext_header = (boot_extension_header_t *)hdr->ext_header; 103 boot_ext_header_params_authentication_t *param; 104 105 if (cookie != NULL) { 106 return -EINVAL; 107 } 108 109 if (hdr->header_version != BOOT_API_HEADER_VERSION) { 110 VERBOSE("%s: unexpected header_version\n", __func__); 111 return -EINVAL; 112 } 113 114 param = (boot_ext_header_params_authentication_t *)ext_header->params; 115 116 pk_idx = param->pk_idx; 117 118 stm32_hash_init(HASH_SHA256); 119 ret = stm32_hash_final_update((uint8_t *)param->pk_hashes, 120 param->nb_pk * sizeof(boot_api_sha256_t), calc_hash); 121 if (ret != 0) { 122 VERBOSE("%s: hash failed\n", __func__); 123 return -EINVAL; 124 } 125 126 ret = copy_hash_from_otp(PKH_OTP, otp_hash, len); 127 if (ret < 0) { 128 return -EINVAL; 129 } 130 131 if (ret != 0) { 132 ret = memcmp(calc_hash, otp_hash, sizeof(calc_hash)); 133 if (ret != 0) { 134 VERBOSE("%s: not expected digest\n", __func__); 135 return -EINVAL; 136 } 137 138 ret = sizeof(otp_hash); 139 } 140 141 memcpy(hash, param->pk_hashes[pk_idx], sizeof(otp_hash)); 142 143 return ret; 144 } 145 #endif 146 147 int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len, 148 unsigned int *flags) 149 { 150 size_t start_copy_idx = 0U; 151 int res; 152 153 memcpy(root_pk_hash, der_sha256_header, sizeof(der_sha256_header)); 154 start_copy_idx = sizeof(der_sha256_header); 155 156 res = get_rotpk_hash(cookie, root_pk_hash + start_copy_idx, 157 BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES); 158 if (res < 0) { 159 return -EINVAL; 160 } 161 162 *key_len = HASH_DER_LEN; 163 *key_ptr = &root_pk_hash; 164 *flags = ROTPK_IS_HASH; 165 166 if ((res == 0) && (stm32mp_check_closed_device() == STM32MP_CHIP_SEC_OPEN)) { 167 *flags |= ROTPK_NOT_DEPLOYED; 168 } 169 170 return 0; 171 } 172 173 int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) 174 { 175 clk_enable(TAMP_BKP_REG_CLK); 176 *nv_ctr = mmio_read_32(TAMP_BASE + TAMP_COUNTR); 177 clk_disable(TAMP_BKP_REG_CLK); 178 179 return 0; 180 } 181 182 int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) 183 { 184 clk_enable(TAMP_BKP_REG_CLK); 185 while (mmio_read_32(TAMP_BASE + TAMP_COUNTR) != nv_ctr) { 186 mmio_write_32(TAMP_BASE + TAMP_COUNTR, 1U); 187 } 188 clk_disable(TAMP_BKP_REG_CLK); 189 190 return 0; 191 } 192 193 int plat_get_mbedtls_heap(void **heap_addr, size_t *heap_size) 194 { 195 assert(heap_addr != NULL); 196 assert(heap_size != NULL); 197 198 #if STM32MP_USE_EXTERNAL_HEAP 199 /* Retrieve the already allocated heap's info from DTB */ 200 *heap_addr = FCONF_GET_PROPERTY(tbbr, dyn_config, mbedtls_heap_addr); 201 *heap_size = FCONF_GET_PROPERTY(tbbr, dyn_config, mbedtls_heap_size); 202 203 /* We expect heap already statically mapped */ 204 205 return 0; 206 #else 207 return get_mbedtls_heap_helper(heap_addr, heap_size); 208 #endif 209 } 210