xref: /rk3399_ARM-atf/services/std_svc/drtm/drtm_measurements.c (revision 94aa3d276cbb891ecdcb8b17163cda4063794c00)
140814266SManish V Badarkhe /*
22ec44880SManish V Badarkhe  * Copyright (c) 2022-2025 Arm Limited. All rights reserved.
340814266SManish V Badarkhe  *
440814266SManish V Badarkhe  * SPDX-License-Identifier:    BSD-3-Clause
540814266SManish V Badarkhe  *
640814266SManish V Badarkhe  * DRTM measurements into TPM PCRs.
740814266SManish V Badarkhe  *
840814266SManish V Badarkhe  * Authors:
940814266SManish V Badarkhe  *      Lucian Paul-Trifu <lucian.paultrifu@gmail.com>
1040814266SManish V Badarkhe  *
1140814266SManish V Badarkhe  */
1240814266SManish V Badarkhe #include <assert.h>
1340814266SManish V Badarkhe 
1440814266SManish V Badarkhe #include <common/debug.h>
1540814266SManish V Badarkhe #include <drivers/auth/crypto_mod.h>
1640814266SManish V Badarkhe #include <drivers/measured_boot/event_log/event_log.h>
1740814266SManish V Badarkhe #include "drtm_main.h"
1840814266SManish V Badarkhe #include "drtm_measurements.h"
1940814266SManish V Badarkhe #include <lib/xlat_tables/xlat_tables_v2.h>
2040814266SManish V Badarkhe 
/*
 * Backing storage for the DRTM Event Log, sized at build time by
 * PLAT_DRTM_EVENT_LOG_MAX_SIZE. The buffer is file-local: it is
 * re-initialised by drtm_take_measurements() and copied out by
 * drtm_serialise_event_log().
 */
static uint8_t drtm_event_log[PLAT_DRTM_EVENT_LOG_MAX_SIZE];
2340814266SManish V Badarkhe 
2440814266SManish V Badarkhe /*
2540814266SManish V Badarkhe  * Calculate and write hash of various payloads as per DRTM specification
2640814266SManish V Badarkhe  * to Event Log.
2740814266SManish V Badarkhe  *
2840814266SManish V Badarkhe  * @param[in] data_base         Address of data
2940814266SManish V Badarkhe  * @param[in] data_size         Size of data
3040814266SManish V Badarkhe  * @param[in] event_type        Type of Event
 * @param[in] event_name        Name of the Event
 * @param[in] pcr               Index of the PCR recorded with the event
3240814266SManish V Badarkhe  * @return:
3340814266SManish V Badarkhe  *      0 = success
3440814266SManish V Badarkhe  *    < 0 = error
3540814266SManish V Badarkhe  */
static int drtm_event_log_measure_and_record(uintptr_t data_base,
					     uint32_t data_size,
					     uint32_t event_type,
					     const char *event_name,
					     unsigned int pcr)
{
	/* Digest buffer large enough for the biggest supported hash. */
	unsigned char digest[CRYPTO_MD_MAX_SIZE];
	/* Fields other than name and pcr stay zero-initialised. */
	event_log_metadata_t metadata = {
		.name = event_name,
		.pcr = pcr,
	};
	int rc;

	/*
	 * Measure the payloads requested by D-CRTM and DCE components.
	 * Hash algorithm decided by the Event Log driver at build-time.
	 */
	rc = event_log_measure(data_base, data_size, digest);
	if (rc == 0) {
		/*
		 * Record the measurement in the Event Log buffer. A failed
		 * measurement is never recorded; its error code is returned
		 * unchanged instead.
		 */
		rc = event_log_record(digest, event_type, &metadata);
	}

	return rc;
}
6640814266SManish V Badarkhe 
6740814266SManish V Badarkhe /*
6840814266SManish V Badarkhe  * Initialise Event Log global variables, used during the recording
6940814266SManish V Badarkhe  * of various payload measurements into the Event Log buffer
7040814266SManish V Badarkhe  *
7140814266SManish V Badarkhe  * @param[in] event_log_start           Base address of Event Log buffer
7240814266SManish V Badarkhe  * @param[in] event_log_finish          End address of Event Log buffer,
7340814266SManish V Badarkhe  *                                      it is a first byte past end of the
7440814266SManish V Badarkhe  *                                      buffer
7540814266SManish V Badarkhe  */
static void drtm_event_log_init(uint8_t *event_log_start,
				uint8_t *event_log_finish)
{
	/* Hand the half-open range [event_log_start, event_log_finish) to the driver. */
	event_log_buf_init(event_log_start, event_log_finish);

	/*
	 * Write the Spec ID event through the driver before any measurement
	 * is recorded.
	 * NOTE(review): neither call's result is checked here; confirm whether
	 * the Event Log driver reports failures from them.
	 */
	event_log_write_specid_event();
}
8240814266SManish V Badarkhe 
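/*
 * Build the DRTM Event Log for one dynamic launch.
 *
 * Re-initialises the file-local Event Log buffer, then measures and records,
 * in order: for PCR-17 a null DCE placeholder, the PCR schema and a
 * separator; for PCR-18 the PCR schema, a null DCE public-key placeholder,
 * the DLME image, the DLME entry point and a separator.
 *
 * @param[in] a		DRTM dynamic launch arguments
 * @return SUCCESS when every measurement was recorded, INTERNAL_ERROR when
 *	   the DLME image could not be mapped. Failures reported through
 *	   CHECK_RC are handled by that macro, which is defined outside this
 *	   file.
 */
enum drtm_retc drtm_take_measurements(const struct_drtm_dl_args *a)
{
	int rc;
	uintptr_t dlme_img_mapping;
	uint64_t dlme_img_ep;
	size_t dlme_img_mapping_bytes;
	uint8_t drtm_null_data = 0U;
	uint8_t pcr_schema = DL_ARGS_GET_PCR_SCHEMA(a);
	const char *drtm_event_arm_sep_data = "ARM_DRTM";

	/* Initialise the EventLog driver */
	drtm_event_log_init(drtm_event_log, drtm_event_log +
			    sizeof(drtm_event_log));

	/**
	 * Measurements extended into PCR-17.
	 *
	 * PCR-17: Measure the DCE image.  Extend digest of (char)0 into PCR-17
	 * since the D-CRTM and the DCE are not separate.
	 */
	rc = drtm_event_log_measure_and_record((uintptr_t)&drtm_null_data,
					       sizeof(drtm_null_data),
					       DRTM_EVENT_ARM_DCE, NULL,
					       PCR_17);
	CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DCE));

	/* PCR-17: Measure the PCR schema DRTM launch argument. */
	rc = drtm_event_log_measure_and_record((uintptr_t)&pcr_schema,
					       sizeof(pcr_schema),
					       DRTM_EVENT_ARM_PCR_SCHEMA,
					       NULL, PCR_17);
	CHECK_RC(rc,
		 drtm_event_log_measure_and_record(DRTM_EVENT_ARM_PCR_SCHEMA));

	/* PCR-17: Measure the enable state of external-debug, and trace. */
	/*
	 * TODO: Measure the enable state of external-debug and trace.  This should
	 * be returned through a platform-specific hook.
	 */

	/* PCR-17: Measure the security lifecycle state. */
	/*
	 * TODO: Measure the security lifecycle state.  This is an implementation-
	 * defined value, retrieved through an implementation-defined mechanism.
	 */

	/*
	 * PCR-17: Optionally measure the NWd DCE.
	 * It is expected that such subsequent DCE stages are signed and verified.
	 * Whether they are measured in addition to signing is implementation
	 * -defined.
	 * Here the choice is to not measure any NWd DCE, in favour of PCR value
	 * resilience to any NWd DCE updates.
	 */

	/* PCR-17: End of DCE measurements. */
	rc = drtm_event_log_measure_and_record((uintptr_t)drtm_event_arm_sep_data,
					       strlen(drtm_event_arm_sep_data),
					       DRTM_EVENT_ARM_SEPARATOR,
					       drtm_event_arm_sep_data,
					       PCR_17);
	CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_SEPARATOR));

	/**
	 * Measurements extended into PCR-18.
	 *
	 * PCR-18: Measure the PCR schema DRTM launch argument.
	 */
	rc = drtm_event_log_measure_and_record((uintptr_t)&pcr_schema,
					       sizeof(pcr_schema),
					       DRTM_EVENT_ARM_PCR_SCHEMA,
					       NULL, PCR_18);
	CHECK_RC(rc,
		 drtm_event_log_measure_and_record(DRTM_EVENT_ARM_PCR_SCHEMA));

	/*
	 * PCR-18: Measure the public key used to verify DCE image(s) signatures.
	 * Extend digest of (char)0, since we do not expect the NWd DCE to be
	 * present.
	 *
	 * NOTE(review): the only guard in this function is an assert(), which
	 * may be compiled out in builds without assertions; the null
	 * measurement then relies on dce_nwd_size having been validated before
	 * this call - confirm against the caller.
	 */
	assert(a->dce_nwd_size == 0);
	rc = drtm_event_log_measure_and_record((uintptr_t)&drtm_null_data,
					       sizeof(drtm_null_data),
					       DRTM_EVENT_ARM_DCE_PUBKEY,
					       NULL, PCR_18);
	CHECK_RC(rc,
		 drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DCE_PUBKEY));

	/*
	 * PCR-18: Measure the DLME image.
	 *
	 * The image is mapped read-only, non-secure for the duration of the
	 * measurement.
	 * NOTE(review): dlme_paddr, dlme_img_off and dlme_img_size come from
	 * the launch arguments and are not range-checked here; presumably they
	 * are validated before this call - confirm.
	 */
	dlme_img_mapping_bytes = page_align(a->dlme_img_size, UP);
	rc = mmap_add_dynamic_region_alloc_va(a->dlme_paddr + a->dlme_img_off,
					      &dlme_img_mapping,
					      dlme_img_mapping_bytes, MT_RO_DATA | MT_NS);
	if (rc) {
		WARN("DRTM: %s: mmap_add_dynamic_region() failed rc=%d\n",
		     __func__, rc);
		return INTERNAL_ERROR;
	}

	/*
	 * NOTE(review): the helper takes the size as uint32_t; confirm that
	 * dlme_img_size cannot exceed that range, otherwise only a truncated
	 * prefix of the image would be measured.
	 */
	rc = drtm_event_log_measure_and_record(dlme_img_mapping, a->dlme_img_size,
					       DRTM_EVENT_ARM_DLME, NULL,
					       PCR_18);
	/*
	 * NOTE(review): CHECK_RC is defined outside this file; if it returns
	 * rather than halting, the dynamic mapping is left in place on this
	 * path - confirm.
	 */
	CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DLME));

	rc = mmap_remove_dynamic_region(dlme_img_mapping, dlme_img_mapping_bytes);
	CHECK_RC(rc, mmap_remove_dynamic_region);

	/*
	 * PCR-18: Measure the DLME image entry point.
	 * The result must be captured in rc: without the assignment the check
	 * below would test the stale result of mmap_remove_dynamic_region()
	 * and a failed entry-point measurement would go unnoticed.
	 */
	dlme_img_ep = DL_ARGS_GET_DLME_ENTRY_POINT(a);
	rc = drtm_event_log_measure_and_record((uintptr_t)&dlme_img_ep,
					       sizeof(dlme_img_ep),
					       DRTM_EVENT_ARM_DLME_EP, NULL,
					       PCR_18);
	CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DLME_EP));

	/* PCR-18: End of DCE measurements. */
	rc = drtm_event_log_measure_and_record((uintptr_t)drtm_event_arm_sep_data,
					       strlen(drtm_event_arm_sep_data),
					       DRTM_EVENT_ARM_SEPARATOR,
					       drtm_event_arm_sep_data,
					       PCR_18);
	CHECK_RC(rc,
		 drtm_event_log_measure_and_record(DRTM_EVENT_ARM_SEPARATOR));

	/*
	 * Measure the No-Action event without extending it into a PCR.
	 * NOTE(review): no measure/record call precedes this check in this
	 * function, so rc still holds the separator result from above and no
	 * DRTM_EVENT_ARM_NO_ACTION entry is written here - confirm whether a
	 * call is missing.
	 */
	CHECK_RC(rc,
		 drtm_event_log_measure_and_record(DRTM_EVENT_ARM_NO_ACTION));
	/*
	 * If the DCE is unable to log a measurement because there is no available
	 * space in the event log region, the DCE must extend a hash of the value
	 * 0xFF (1 byte in size) into PCR[17] and PCR[18] and enter remediation.
	 */

	return SUCCESS;
}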
21840814266SManish V Badarkhe 
/*
 * Copy the current contents of the DRTM Event Log into a caller buffer.
 *
 * @param[out] dst			Destination buffer
 * @param[out] event_log_size_out	Receives the number of bytes copied
 *
 * No destination size is passed in, so the caller must provide a buffer that
 * can hold the whole log.
 * NOTE(review): presumably the current size never exceeds
 * PLAT_DRTM_EVENT_LOG_MAX_SIZE, the size of the source buffer - confirm
 * against the Event Log driver and size dst accordingly.
 */
void drtm_serialise_event_log(uint8_t *dst, size_t *event_log_size_out)
{
	size_t used_bytes = event_log_get_cur_size(drtm_event_log);

	*event_log_size_out = used_bytes;
	memcpy(dst, drtm_event_log, used_bytes);
}