1 /* 2 * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. 3 * 4 * Copyright 2020 NXP 5 * 6 * SPDX-License-Identifier: BSD-3-Clause 7 */ 8 9 #include <stddef.h> 10 11 #include <drivers/auth/auth_mod.h> 12 13 #if USE_TBBR_DEFS 14 #include <tools_share/tbbr_oid.h> 15 #else 16 #include <platform_oid.h> 17 #endif 18 19 20 #if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256 21 #define HASH_DER_LEN 51 22 #elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384 23 #define HASH_DER_LEN 67 24 #elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512 25 #define HASH_DER_LEN 83 26 #else 27 #error "Invalid value for TF_MBEDTLS_HASH_ALG_ID" 28 #endif 29 30 /* 31 * The platform must allocate buffers to store the authentication parameters 32 * extracted from the certificates. In this case, because of the way the CoT is 33 * established, we can reuse some of the buffers on different stages 34 */ 35 36 static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 37 38 static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 39 static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 40 static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 41 static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 42 static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 43 static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; 44 static unsigned char content_pk_buf[PK_DER_LEN]; 45 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; 46 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; 47 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; 48 49 #ifdef CONFIG_DDR_FIP_IMAGE 50 static unsigned char ddr_fw_content_pk_buf[PK_DER_LEN]; 51 static unsigned char ddr_imem_udimm_1d_hash_buf[HASH_DER_LEN]; 52 static unsigned char ddr_imem_udimm_2d_hash_buf[HASH_DER_LEN]; 53 static unsigned char ddr_dmem_udimm_1d_hash_buf[HASH_DER_LEN]; 54 static unsigned char ddr_dmem_udimm_2d_hash_buf[HASH_DER_LEN]; 55 56 static unsigned char ddr_imem_rdimm_1d_hash_buf[HASH_DER_LEN]; 57 static unsigned char ddr_imem_rdimm_2d_hash_buf[HASH_DER_LEN]; 58 static unsigned char ddr_dmem_rdimm_1d_hash_buf[HASH_DER_LEN]; 59 static unsigned char ddr_dmem_rdimm_2d_hash_buf[HASH_DER_LEN]; 60 #endif 61 62 /* 63 * Parameter type descriptors 64 */ 65 static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 66 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 67 68 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 69 AUTH_PARAM_PUB_KEY, 0); 70 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 71 AUTH_PARAM_SIG, 0); 72 static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 73 AUTH_PARAM_SIG_ALG, 0); 74 static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 75 AUTH_PARAM_RAW_DATA, 0); 76 77 78 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 79 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 80 static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 81 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 82 static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( 83 AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); 84 static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 85 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 86 static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 87 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 88 static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( 89 AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); 90 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 91 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 92 static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( 93 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); 94 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 95 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 96 static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( 97 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); 98 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 99 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 100 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 101 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 102 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 103 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 104 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( 105 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); 106 107 #ifdef CONFIG_DDR_FIP_IMAGE 108 static auth_param_type_desc_t ddr_fw_content_pk = AUTH_PARAM_TYPE_DESC( 109 AUTH_PARAM_PUB_KEY, DDR_FW_CONTENT_CERT_PK_OID); 110 111 static auth_param_type_desc_t ddr_imem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 112 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_1D_HASH_OID); 113 static auth_param_type_desc_t ddr_imem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 114 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_2D_HASH_OID); 115 static auth_param_type_desc_t ddr_dmem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 116 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_1D_HASH_OID); 117 static auth_param_type_desc_t ddr_dmem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 118 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_2D_HASH_OID); 119 120 static auth_param_type_desc_t ddr_imem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 121 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_1D_HASH_OID); 122 static auth_param_type_desc_t ddr_imem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 123 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_2D_HASH_OID); 124 static auth_param_type_desc_t ddr_dmem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 125 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_1D_HASH_OID); 126 static auth_param_type_desc_t ddr_dmem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 127 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_2D_HASH_OID); 128 #endif 129 130 131 /* 132 * Trusted key certificate 133 */ 134 static const auth_img_desc_t trusted_key_cert = { 135 .img_id = TRUSTED_KEY_CERT_ID, 136 .img_type = IMG_CERT, 137 .parent = NULL, 138 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 139 [0] = { 140 .type = AUTH_METHOD_SIG, 141 .param.sig = { 142 .pk = &subject_pk, 143 .sig = &sig, 144 .alg = &sig_alg, 145 .data = &raw_data 146 } 147 }, 148 [1] = { 149 .type = AUTH_METHOD_NV_CTR, 150 .param.nv_ctr = { 151 .cert_nv_ctr = &trusted_nv_ctr, 152 .plat_nv_ctr = &trusted_nv_ctr 153 } 154 } 155 }, 156 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 157 [0] = { 158 .type_desc = &trusted_world_pk, 159 .data = { 160 .ptr = (void *)trusted_world_pk_buf, 161 .len = (unsigned int)PK_DER_LEN 162 } 163 }, 164 [1] = { 165 .type_desc = &non_trusted_world_pk, 166 .data = { 167 .ptr = (void *)non_trusted_world_pk_buf, 168 .len = (unsigned int)PK_DER_LEN 169 } 170 } 171 } 172 }; 173 174 /* 175 * SoC Firmware 176 */ 177 static const auth_img_desc_t soc_fw_key_cert = { 178 .img_id = SOC_FW_KEY_CERT_ID, 179 .img_type = IMG_CERT, 180 .parent = &trusted_key_cert, 181 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 182 [0] = { 183 .type = AUTH_METHOD_SIG, 184 .param.sig = { 185 .pk = &trusted_world_pk, 186 .sig = &sig, 187 .alg = &sig_alg, 188 .data = &raw_data 189 } 190 }, 191 [1] = { 192 .type = AUTH_METHOD_NV_CTR, 193 .param.nv_ctr = { 194 .cert_nv_ctr = &trusted_nv_ctr, 195 .plat_nv_ctr = &trusted_nv_ctr 196 } 197 } 198 }, 199 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 200 [0] = { 201 .type_desc = &soc_fw_content_pk, 202 .data = { 203 .ptr = (void *)content_pk_buf, 204 .len = (unsigned int)PK_DER_LEN 205 } 206 } 207 } 208 }; 209 static const auth_img_desc_t soc_fw_content_cert = { 210 .img_id = SOC_FW_CONTENT_CERT_ID, 211 .img_type = IMG_CERT, 212 .parent = &soc_fw_key_cert, 213 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 214 [0] = { 215 .type = AUTH_METHOD_SIG, 216 .param.sig = { 217 .pk = &soc_fw_content_pk, 218 .sig = &sig, 219 .alg = &sig_alg, 220 .data = &raw_data 221 } 222 }, 223 [1] = { 224 .type = AUTH_METHOD_NV_CTR, 225 .param.nv_ctr = { 226 .cert_nv_ctr = &trusted_nv_ctr, 227 .plat_nv_ctr = &trusted_nv_ctr 228 } 229 } 230 }, 231 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 232 [0] = { 233 .type_desc = &soc_fw_hash, 234 .data = { 235 .ptr = (void *)soc_fw_hash_buf, 236 .len = (unsigned int)HASH_DER_LEN 237 } 238 }, 239 [1] = { 240 .type_desc = &soc_fw_config_hash, 241 .data = { 242 .ptr = (void *)soc_fw_config_hash_buf, 243 .len = (unsigned int)HASH_DER_LEN 244 } 245 } 246 } 247 }; 248 static const auth_img_desc_t bl31_image = { 249 .img_id = BL31_IMAGE_ID, 250 .img_type = IMG_RAW, 251 .parent = &soc_fw_content_cert, 252 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 253 [0] = { 254 .type = AUTH_METHOD_HASH, 255 .param.hash = { 256 .data = &raw_data, 257 .hash = &soc_fw_hash 258 } 259 } 260 } 261 }; 262 /* SOC FW Config */ 263 static const auth_img_desc_t soc_fw_config = { 264 .img_id = SOC_FW_CONFIG_ID, 265 .img_type = IMG_RAW, 266 .parent = &soc_fw_content_cert, 267 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 268 [0] = { 269 .type = AUTH_METHOD_HASH, 270 .param.hash = { 271 .data = &raw_data, 272 .hash = &soc_fw_config_hash 273 } 274 } 275 } 276 }; 277 /* 278 * Trusted OS Firmware 279 */ 280 static const auth_img_desc_t trusted_os_fw_key_cert = { 281 .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 282 .img_type = IMG_CERT, 283 .parent = &trusted_key_cert, 284 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 285 [0] = { 286 .type = AUTH_METHOD_SIG, 287 .param.sig = { 288 .pk = &trusted_world_pk, 289 .sig = &sig, 290 .alg = &sig_alg, 291 .data = &raw_data 292 } 293 }, 294 [1] = { 295 .type = AUTH_METHOD_NV_CTR, 296 .param.nv_ctr = { 297 .cert_nv_ctr = &trusted_nv_ctr, 298 .plat_nv_ctr = &trusted_nv_ctr 299 } 300 } 301 }, 302 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 303 [0] = { 304 .type_desc = &tos_fw_content_pk, 305 .data = { 306 .ptr = (void *)content_pk_buf, 307 .len = (unsigned int)PK_DER_LEN 308 } 309 } 310 } 311 }; 312 static const auth_img_desc_t trusted_os_fw_content_cert = { 313 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 314 .img_type = IMG_CERT, 315 .parent = &trusted_os_fw_key_cert, 316 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 317 [0] = { 318 .type = AUTH_METHOD_SIG, 319 .param.sig = { 320 .pk = &tos_fw_content_pk, 321 .sig = &sig, 322 .alg = &sig_alg, 323 .data = &raw_data 324 } 325 }, 326 [1] = { 327 .type = AUTH_METHOD_NV_CTR, 328 .param.nv_ctr = { 329 .cert_nv_ctr = &trusted_nv_ctr, 330 .plat_nv_ctr = &trusted_nv_ctr 331 } 332 } 333 }, 334 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 335 [0] = { 336 .type_desc = &tos_fw_hash, 337 .data = { 338 .ptr = (void *)tos_fw_hash_buf, 339 .len = (unsigned int)HASH_DER_LEN 340 } 341 }, 342 [1] = { 343 .type_desc = &tos_fw_extra1_hash, 344 .data = { 345 .ptr = (void *)tos_fw_extra1_hash_buf, 346 .len = (unsigned int)HASH_DER_LEN 347 } 348 }, 349 [2] = { 350 .type_desc = &tos_fw_extra2_hash, 351 .data = { 352 .ptr = (void *)tos_fw_extra2_hash_buf, 353 .len = (unsigned int)HASH_DER_LEN 354 } 355 }, 356 [3] = { 357 .type_desc = &tos_fw_config_hash, 358 .data = { 359 .ptr = (void *)tos_fw_config_hash_buf, 360 .len = (unsigned int)HASH_DER_LEN 361 } 362 } 363 } 364 }; 365 static const auth_img_desc_t bl32_image = { 366 .img_id = BL32_IMAGE_ID, 367 .img_type = IMG_RAW, 368 .parent = &trusted_os_fw_content_cert, 369 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 370 [0] = { 371 .type = AUTH_METHOD_HASH, 372 .param.hash = { 373 .data = &raw_data, 374 .hash = &tos_fw_hash 375 } 376 } 377 } 378 }; 379 static const auth_img_desc_t bl32_extra1_image = { 380 .img_id = BL32_EXTRA1_IMAGE_ID, 381 .img_type = IMG_RAW, 382 .parent = &trusted_os_fw_content_cert, 383 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 384 [0] = { 385 .type = AUTH_METHOD_HASH, 386 .param.hash = { 387 .data = &raw_data, 388 .hash = &tos_fw_extra1_hash 389 } 390 } 391 } 392 }; 393 static const auth_img_desc_t bl32_extra2_image = { 394 .img_id = BL32_EXTRA2_IMAGE_ID, 395 .img_type = IMG_RAW, 396 .parent = &trusted_os_fw_content_cert, 397 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 398 [0] = { 399 .type = AUTH_METHOD_HASH, 400 .param.hash = { 401 .data = &raw_data, 402 .hash = &tos_fw_extra2_hash 403 } 404 } 405 } 406 }; 407 /* TOS FW Config */ 408 static const auth_img_desc_t tos_fw_config = { 409 .img_id = TOS_FW_CONFIG_ID, 410 .img_type = IMG_RAW, 411 .parent = &trusted_os_fw_content_cert, 412 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 413 [0] = { 414 .type = AUTH_METHOD_HASH, 415 .param.hash = { 416 .data = &raw_data, 417 .hash = &tos_fw_config_hash 418 } 419 } 420 } 421 }; 422 /* 423 * Non-Trusted Firmware 424 */ 425 static const auth_img_desc_t non_trusted_fw_key_cert = { 426 .img_id = NON_TRUSTED_FW_KEY_CERT_ID, 427 .img_type = IMG_CERT, 428 .parent = &trusted_key_cert, 429 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 430 [0] = { 431 .type = AUTH_METHOD_SIG, 432 .param.sig = { 433 .pk = &non_trusted_world_pk, 434 .sig = &sig, 435 .alg = &sig_alg, 436 .data = &raw_data 437 } 438 }, 439 [1] = { 440 .type = AUTH_METHOD_NV_CTR, 441 .param.nv_ctr = { 442 .cert_nv_ctr = &non_trusted_nv_ctr, 443 .plat_nv_ctr = &non_trusted_nv_ctr 444 } 445 } 446 }, 447 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 448 [0] = { 449 .type_desc = &nt_fw_content_pk, 450 .data = { 451 .ptr = (void *)content_pk_buf, 452 .len = (unsigned int)PK_DER_LEN 453 } 454 } 455 } 456 }; 457 static const auth_img_desc_t non_trusted_fw_content_cert = { 458 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 459 .img_type = IMG_CERT, 460 .parent = &non_trusted_fw_key_cert, 461 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 462 [0] = { 463 .type = AUTH_METHOD_SIG, 464 .param.sig = { 465 .pk = &nt_fw_content_pk, 466 .sig = &sig, 467 .alg = &sig_alg, 468 .data = &raw_data 469 } 470 }, 471 [1] = { 472 .type = AUTH_METHOD_NV_CTR, 473 .param.nv_ctr = { 474 .cert_nv_ctr = &non_trusted_nv_ctr, 475 .plat_nv_ctr = &non_trusted_nv_ctr 476 } 477 } 478 }, 479 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 480 [0] = { 481 .type_desc = &nt_world_bl_hash, 482 .data = { 483 .ptr = (void *)nt_world_bl_hash_buf, 484 .len = (unsigned int)HASH_DER_LEN 485 } 486 }, 487 [1] = { 488 .type_desc = &nt_fw_config_hash, 489 .data = { 490 .ptr = (void *)nt_fw_config_hash_buf, 491 .len = (unsigned int)HASH_DER_LEN 492 } 493 } 494 } 495 }; 496 static const auth_img_desc_t bl33_image = { 497 .img_id = BL33_IMAGE_ID, 498 .img_type = IMG_RAW, 499 .parent = &non_trusted_fw_content_cert, 500 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 501 [0] = { 502 .type = AUTH_METHOD_HASH, 503 .param.hash = { 504 .data = &raw_data, 505 .hash = &nt_world_bl_hash 506 } 507 } 508 } 509 }; 510 /* NT FW Config */ 511 static const auth_img_desc_t nt_fw_config = { 512 .img_id = NT_FW_CONFIG_ID, 513 .img_type = IMG_RAW, 514 .parent = &non_trusted_fw_content_cert, 515 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 516 [0] = { 517 .type = AUTH_METHOD_HASH, 518 .param.hash = { 519 .data = &raw_data, 520 .hash = &nt_fw_config_hash 521 } 522 } 523 } 524 }; 525 #ifdef CONFIG_DDR_FIP_IMAGE 526 /* 527 * DDR Firmware 528 */ 529 static const auth_img_desc_t ddr_fw_key_cert = { 530 .img_id = DDR_FW_KEY_CERT_ID, 531 .img_type = IMG_CERT, 532 .parent = &trusted_key_cert, 533 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 534 [0] = { 535 .type = AUTH_METHOD_SIG, 536 .param.sig = { 537 .pk = &trusted_world_pk, 538 .sig = &sig, 539 .alg = &sig_alg, 540 .data = &raw_data 541 } 542 }, 543 [1] = { 544 .type = AUTH_METHOD_NV_CTR, 545 .param.nv_ctr = { 546 .cert_nv_ctr = &trusted_nv_ctr, 547 .plat_nv_ctr = &trusted_nv_ctr 548 } 549 } 550 }, 551 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 552 [0] = { 553 .type_desc = &ddr_fw_content_pk, 554 .data = { 555 .ptr = (void *)ddr_fw_content_pk_buf, 556 .len = (unsigned int)PK_DER_LEN 557 } 558 } 559 } 560 }; 561 static const auth_img_desc_t ddr_udimm_fw_content_cert = { 562 .img_id = DDR_UDIMM_FW_CONTENT_CERT_ID, 563 .img_type = IMG_CERT, 564 .parent = &ddr_fw_key_cert, 565 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 566 [0] = { 567 .type = AUTH_METHOD_SIG, 568 .param.sig = { 569 .pk = &ddr_fw_content_pk, 570 .sig = &sig, 571 .alg = &sig_alg, 572 .data = &raw_data 573 } 574 }, 575 [1] = { 576 .type = AUTH_METHOD_NV_CTR, 577 .param.nv_ctr = { 578 .cert_nv_ctr = &trusted_nv_ctr, 579 .plat_nv_ctr = &trusted_nv_ctr 580 } 581 } 582 }, 583 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 584 [0] = { 585 .type_desc = &ddr_imem_udimm_1d_fw_hash, 586 .data = { 587 .ptr = (void *)ddr_imem_udimm_1d_hash_buf, 588 .len = (unsigned int)HASH_DER_LEN 589 } 590 }, 591 [1] = { 592 .type_desc = &ddr_imem_udimm_2d_fw_hash, 593 .data = { 594 .ptr = (void *)ddr_imem_udimm_2d_hash_buf, 595 .len = (unsigned int)HASH_DER_LEN 596 } 597 }, 598 [2] = { 599 .type_desc = &ddr_dmem_udimm_1d_fw_hash, 600 .data = { 601 .ptr = (void *)ddr_dmem_udimm_1d_hash_buf, 602 .len = (unsigned int)HASH_DER_LEN 603 } 604 }, 605 [3] = { 606 .type_desc = &ddr_dmem_udimm_2d_fw_hash, 607 .data = { 608 .ptr = (void *)ddr_dmem_udimm_2d_hash_buf, 609 .len = (unsigned int)HASH_DER_LEN 610 } 611 }, 612 } 613 }; 614 615 static const auth_img_desc_t ddr_imem_udimm_1d_img = { 616 .img_id = DDR_IMEM_UDIMM_1D_IMAGE_ID, 617 .img_type = IMG_RAW, 618 .parent = &ddr_udimm_fw_content_cert, 619 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 620 [0] = { 621 .type = AUTH_METHOD_HASH, 622 .param.hash = { 623 .data = &raw_data, 624 .hash = &ddr_imem_udimm_1d_fw_hash 625 } 626 } 627 } 628 }; 629 static const auth_img_desc_t ddr_imem_udimm_2d_img = { 630 .img_id = DDR_IMEM_UDIMM_2D_IMAGE_ID, 631 .img_type = IMG_RAW, 632 .parent = &ddr_udimm_fw_content_cert, 633 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 634 [0] = { 635 .type = AUTH_METHOD_HASH, 636 .param.hash = { 637 .data = &raw_data, 638 .hash = &ddr_imem_udimm_2d_fw_hash 639 } 640 } 641 } 642 }; 643 static const auth_img_desc_t ddr_dmem_udimm_1d_img = { 644 .img_id = DDR_DMEM_UDIMM_1D_IMAGE_ID, 645 .img_type = IMG_RAW, 646 .parent = &ddr_udimm_fw_content_cert, 647 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 648 [0] = { 649 .type = AUTH_METHOD_HASH, 650 .param.hash = { 651 .data = &raw_data, 652 .hash = &ddr_dmem_udimm_1d_fw_hash 653 } 654 } 655 } 656 }; 657 static const auth_img_desc_t ddr_dmem_udimm_2d_img = { 658 .img_id = DDR_DMEM_UDIMM_2D_IMAGE_ID, 659 .img_type = IMG_RAW, 660 .parent = &ddr_udimm_fw_content_cert, 661 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 662 [0] = { 663 .type = AUTH_METHOD_HASH, 664 .param.hash = { 665 .data = &raw_data, 666 .hash = &ddr_dmem_udimm_2d_fw_hash 667 } 668 } 669 } 670 }; 671 672 static const auth_img_desc_t ddr_rdimm_fw_content_cert = { 673 .img_id = DDR_RDIMM_FW_CONTENT_CERT_ID, 674 .img_type = IMG_CERT, 675 .parent = &ddr_fw_key_cert, 676 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 677 [0] = { 678 .type = AUTH_METHOD_SIG, 679 .param.sig = { 680 .pk = &ddr_fw_content_pk, 681 .sig = &sig, 682 .alg = &sig_alg, 683 .data = &raw_data 684 } 685 }, 686 [1] = { 687 .type = AUTH_METHOD_NV_CTR, 688 .param.nv_ctr = { 689 .cert_nv_ctr = &trusted_nv_ctr, 690 .plat_nv_ctr = &trusted_nv_ctr 691 } 692 } 693 }, 694 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 695 [0] = { 696 .type_desc = &ddr_imem_rdimm_1d_fw_hash, 697 .data = { 698 .ptr = (void *)ddr_imem_rdimm_1d_hash_buf, 699 .len = (unsigned int)HASH_DER_LEN 700 } 701 }, 702 [1] = { 703 .type_desc = &ddr_imem_rdimm_2d_fw_hash, 704 .data = { 705 .ptr = (void *)ddr_imem_rdimm_2d_hash_buf, 706 .len = (unsigned int)HASH_DER_LEN 707 } 708 }, 709 [2] = { 710 .type_desc = &ddr_dmem_rdimm_1d_fw_hash, 711 .data = { 712 .ptr = (void *)ddr_dmem_rdimm_1d_hash_buf, 713 .len = (unsigned int)HASH_DER_LEN 714 } 715 }, 716 [3] = { 717 .type_desc = &ddr_dmem_rdimm_2d_fw_hash, 718 .data = { 719 .ptr = (void *)ddr_dmem_rdimm_2d_hash_buf, 720 .len = (unsigned int)HASH_DER_LEN 721 } 722 }, 723 } 724 }; 725 726 static const auth_img_desc_t ddr_imem_rdimm_1d_img = { 727 .img_id = DDR_IMEM_RDIMM_1D_IMAGE_ID, 728 .img_type = IMG_RAW, 729 .parent = &ddr_rdimm_fw_content_cert, 730 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 731 [0] = { 732 .type = AUTH_METHOD_HASH, 733 .param.hash = { 734 .data = &raw_data, 735 .hash = &ddr_imem_rdimm_1d_fw_hash 736 } 737 } 738 } 739 }; 740 static const auth_img_desc_t ddr_imem_rdimm_2d_img = { 741 .img_id = DDR_IMEM_RDIMM_2D_IMAGE_ID, 742 .img_type = IMG_RAW, 743 .parent = &ddr_rdimm_fw_content_cert, 744 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 745 [0] = { 746 .type = AUTH_METHOD_HASH, 747 .param.hash = { 748 .data = &raw_data, 749 .hash = &ddr_imem_rdimm_2d_fw_hash 750 } 751 } 752 } 753 }; 754 static const auth_img_desc_t ddr_dmem_rdimm_1d_img = { 755 .img_id = DDR_DMEM_RDIMM_1D_IMAGE_ID, 756 .img_type = IMG_RAW, 757 .parent = &ddr_rdimm_fw_content_cert, 758 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 759 [0] = { 760 .type = AUTH_METHOD_HASH, 761 .param.hash = { 762 .data = &raw_data, 763 .hash = &ddr_dmem_rdimm_1d_fw_hash 764 } 765 } 766 } 767 }; 768 static const auth_img_desc_t ddr_dmem_rdimm_2d_img = { 769 .img_id = DDR_DMEM_RDIMM_2D_IMAGE_ID, 770 .img_type = IMG_RAW, 771 .parent = &ddr_rdimm_fw_content_cert, 772 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 773 [0] = { 774 .type = AUTH_METHOD_HASH, 775 .param.hash = { 776 .data = &raw_data, 777 .hash = &ddr_dmem_rdimm_2d_fw_hash 778 } 779 } 780 } 781 }; 782 #endif 783 784 /* 785 * TBBR Chain of trust definition 786 */ 787 788 static const auth_img_desc_t * const cot_desc[] = { 789 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, 790 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, 791 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, 792 [BL31_IMAGE_ID] = &bl31_image, 793 [SOC_FW_CONFIG_ID] = &soc_fw_config, 794 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, 795 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, 796 [BL32_IMAGE_ID] = &bl32_image, 797 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, 798 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, 799 [TOS_FW_CONFIG_ID] = &tos_fw_config, 800 [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, 801 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, 802 [BL33_IMAGE_ID] = &bl33_image, 803 [NT_FW_CONFIG_ID] = &nt_fw_config, 804 #ifdef CONFIG_DDR_FIP_IMAGE 805 [DDR_FW_KEY_CERT_ID] = &ddr_fw_key_cert, 806 [DDR_UDIMM_FW_CONTENT_CERT_ID] = &ddr_udimm_fw_content_cert, 807 [DDR_RDIMM_FW_CONTENT_CERT_ID] = &ddr_rdimm_fw_content_cert, 808 [DDR_IMEM_UDIMM_1D_IMAGE_ID] = &ddr_imem_udimm_1d_img, 809 [DDR_IMEM_UDIMM_2D_IMAGE_ID] = &ddr_imem_udimm_2d_img, 810 [DDR_DMEM_UDIMM_1D_IMAGE_ID] = &ddr_dmem_udimm_1d_img, 811 [DDR_DMEM_UDIMM_2D_IMAGE_ID] = &ddr_dmem_udimm_2d_img, 812 [DDR_IMEM_RDIMM_1D_IMAGE_ID] = &ddr_imem_rdimm_1d_img, 813 [DDR_IMEM_RDIMM_2D_IMAGE_ID] = &ddr_imem_rdimm_2d_img, 814 [DDR_DMEM_RDIMM_1D_IMAGE_ID] = &ddr_dmem_rdimm_1d_img, 815 [DDR_DMEM_RDIMM_2D_IMAGE_ID] = &ddr_dmem_rdimm_2d_img, 816 #endif 817 }; 818 819 /* Register the CoT in the authentication module */ 820 REGISTER_COT(cot_desc); 821