1 /*
2  * Copyright 2021 NXP
3  * All rights reserved.
4  *
5  * SPDX-License-Identifier: BSD-3-Clause
6  */
7 
8 #ifndef _FSL_NBOOT_HAL_H_
9 #define _FSL_NBOOT_HAL_H_
10 
11 #include "fsl_nboot.h"
12 
13 /*! @addtogroup nbot_hal */
14 /*! @{ */
15 
16 /*! @file */
17 
18 /*******************************************************************************
19  * Definitions
20  ******************************************************************************/
21 /*! @brief The size of the UUID, in 32-bit words and in bytes. */
22 #define NBOOT_UUID_SIZE_IN_WORD (4)
23 #define NBOOT_UUID_SIZE_IN_BYTE (NBOOT_UUID_SIZE_IN_WORD * 4)
24 
25 /*! @brief The size of the PUF activation code, in bytes. */
26 #define NBOOT_PUF_AC_SIZE_IN_BYTE (996)
27 /*! @brief The size of the PUF key code, in bytes. */
28 #define NBOOT_PUF_KC_SIZE_IN_BYTE (84)
29 
30 /*! @brief The size of the key store, in bytes: the PUF activation code plus 8 further bytes. */
31 #define NBOOT_KEY_STORE_SIZE_IN_BYTE (NBOOT_PUF_AC_SIZE_IN_BYTE + 8)
32 
33 /*! @brief The size of the root of trust key table hash, in 32-bit words and in bytes. */
34 #define NBOOT_ROOT_ROTKH_SIZE_IN_WORD (12)
35 #define NBOOT_ROOT_ROTKH_SIZE_IN_BYTE (NBOOT_ROOT_ROTKH_SIZE_IN_WORD * 4)
36 
37 /*! @brief The size of a key blob, in bytes, for the 256 and 384 variants; MAX equals the 384 variant. */
38 #define NBOOT_KEY_BLOB_SIZE_IN_BYTE_256 (32)
39 #define NBOOT_KEY_BLOB_SIZE_IN_BYTE_384 (48)
40 #define NBOOT_KEY_BLOB_SIZE_IN_BYTE_MAX (NBOOT_KEY_BLOB_SIZE_IN_BYTE_384)
41 
42 /*! @brief The mask of the debug state value (the low 16 bits of the word). */
43 #define NBOOT_DBG_AUTH_DBG_STATE_MASK (0x0000FFFFu)
44 /*! @brief The shift of the inverted copy of the debug state (the high 16 bits of the word). */
45 #define NBOOT_DBG_AUTH_DBG_STATE_SHIFT (16)
46 /*! @brief The value with all debug features disabled: state 0x0000 with its complement 0xFFFF in the high half. NOTE(review): a reader of this word presumably has to reject it when the halves are not complements; confirm in the consumer. */
47 #define NBOOT_DBG_AUTH_DBG_STATE_ALL_DISABLED (0xFFFF0000u)
48 
49 #define NBOOT_ROOT_OF_TRUST_HASH_SIZE_IN_BYTES (48u) /*!< Size of one root of trust hash entry; dimension of nboot_ctrk_hash_t. */
50 
51 #define NBOOT_EC_COORDINATE_384_SIZE_IN_BYTES (48u) /*!< Size of one 384-bit EC coordinate. */
52 #define NBOOT_EC_COORDINATE_MAX_SIZE          NBOOT_EC_COORDINATE_384_SIZE_IN_BYTES /*!< Largest coordinate size; dimension of nboot_ecc_coordinate_t. */
53 
54 /* SB3.1 */
55 #define NBOOT_SB3_CHUNK_SIZE_IN_BYTES         (256u) /*!< Chunk size counted in NBOOT_SB3_BLOCK_MAX_SIZE_IN_BYTES. */
56 #define NBOOT_SB3_BLOCK_HASH256_SIZE_IN_BYTES (32u) /*!< Size of a 256-bit block hash. */
57 #define NBOOT_SB3_BLOCK_HASH384_SIZE_IN_BYTES (48u) /*!< Size of a 384-bit block hash. */
58 
59 /*!
60  * @brief NBOOT type for a timestamp
61  *
62  * Two 32-bit words, 64 bits in total; this header does not say which word holds the low half. As an array typedef it
63  * decays to uint32_t * when used as a function parameter, so sizeof on such a parameter gives the pointer size, not 8.
64  */
65 typedef uint32_t nboot_timestamp_t[2];
66 
67 /*!
68  * @brief NBOOT SB3.1 header type
69  *
70  * This type defines the header used in the SB3.1 manifest. NOTE(review): the count, size and offset fields come from
71  * the file, presumably before its signature is checked; range-check them (arithmetic overflow included) before use.
72  */
73 typedef struct _nboot_sb3_header
74 {
75     uint32_t magic;         /*!< offset 0x00: Fixed 4-byte string of 'sbv3' without the trailing NUL */
76     uint32_t formatVersion; /*!< offset 0x04: (major = 3, minor = 1); The format version determines the manifest
77                                (block0) size. */
78     uint32_t flags;         /*!< offset 0x08: not defined yet, keep zero for future compatibility */
79     uint32_t blockCount;    /*!< offset 0x0C: Number of blocks not including the manifest (block0). */
80     uint32_t
81         blockSize; /*!< offset 0x10: Size in bytes of data block (repeated blockCount times for SB3 data stream). */
82     nboot_timestamp_t timeStamp;     /*!< offset 0x14: 64-bit value used as key derivation data. */
83     uint32_t firmwareVersion;        /*!< offset 0x1c: Version number of the included firmware */
84     uint32_t imageTotalLength;       /*!< offset 0x20: Total manifest length in bytes, including signatures etc. */
85     uint32_t imageType;              /*!< offset 0x24: image type and flags */
86     uint32_t certificateBlockOffset; /*!< offset 0x28: Offset from start of header block to the certificate block. */
87     uint8_t description[16];         /*!< offset 0x2C: This field provides a description of the file. It is an arbitrary
88                                                       string injected by the signing tool, which helps to identify the file. No NUL terminator is promised here; bound reads to 16 bytes. */
89 } nboot_sb3_header_t;
90 
91 /*!
92  * @brief NBOOT type for the header of the certificate block
93  *
94  * This type defines the NBOOT header of the certificate block; it is part of nboot_certificate_block_t.
95  * NOTE(review): certBlockSize is read from the block itself; presumably it must be bounded before it sizes a read.
96  */
97 typedef struct _nboot_certificate_header_block
98 {
99     uint32_t magic;                   /*!< magic number. */
100     uint32_t formatMajorMinorVersion; /*!< format major minor version */
101     uint32_t certBlockSize;           /*!< Size of the full certificate block */
102 } nboot_certificate_header_block_t;
103 
104 typedef uint8_t nboot_ctrk_hash_t[NBOOT_ROOT_OF_TRUST_HASH_SIZE_IN_BYTES]; /*!< One root of trust hash entry (48 bytes). */
105 
106 /*!
107  * @brief NBOOT type for the hash table
108  *
109  * This type defines the NBOOT hash table: NBOOT_ROOT_CERT_COUNT entries of type nboot_ctrk_hash_t.
110  * NBOOT_ROOT_CERT_COUNT is not defined in this header; presumably it comes from fsl_nboot.h.
111  */
112 typedef struct _nboot_ctrk_hash_table
113 {
114     nboot_ctrk_hash_t ctrkHashTable[NBOOT_ROOT_CERT_COUNT];
115 } nboot_ctrk_hash_table_t;
116 
117 /*!
118  * @brief NBOOT type for an ECC coordinate
119  *
120  * This type defines the NBOOT ECC coordinate type: a byte buffer sized for the largest supported coordinate.
121  * Where a shorter coordinate sits inside the buffer is not stated in this header.
122  */
123 typedef uint8_t
124     nboot_ecc_coordinate_t[NBOOT_EC_COORDINATE_MAX_SIZE]; /*!< ECC point coordinate, up to 384-bits. big endian. */
125 
126 /*!
127  * @brief NBOOT type for an ECC point
128  *
129  * This type defines the NBOOT ECC point type. NOTE(review): the type itself cannot show that (x, y) lies on the curve; presumably the verifier checks that before using a key taken from a file.
130  */
131 typedef struct
132 {
133     nboot_ecc_coordinate_t x; /*!< x portion of the ECDSA public key, up to 384-bits. big endian. */
134     nboot_ecc_coordinate_t y; /*!< y portion of the ECDSA public key, up to 384-bits. big endian. */
135 } nboot_ecdsa_public_key_t;
136 
137 /*!
138  * @brief NBOOT type for the root certificate block
139  *
140  * This type defines the NBOOT root certificate block; it is part of nboot_certificate_block_t.
141  */
142 typedef struct _nboot_root_certificate_block
143 {
144     uint32_t flags;                         /*!< root certificate flags */
145     nboot_ctrk_hash_table_t ctrkHashTable;  /*!< table of root of trust hashes (NBOOT_ROOT_CERT_COUNT entries) */
146     nboot_ecdsa_public_key_t rootPublicKey; /*!< root public key */
147 } nboot_root_certificate_block_t;
148 
149 /*!
150  * @brief NBOOT type for an ECC signature
151  *
152  * This type defines the NBOOT ECC signature type: the r and s values, each in a maximum-size coordinate buffer.
153  */
154 typedef struct
155 {
156     nboot_ecc_coordinate_t r; /*!< r portion of the ECDSA signature, up to 384-bits. big endian. */
157     nboot_ecc_coordinate_t s; /*!< s portion of the ECDSA signature, up to 384-bits. big endian. */
158 } nboot_ecdsa_signature_t;
159 
160 /*!
161  * @brief NBOOT type for the isk block
162  *
163  * This type defines the constant length part of an NBOOT isk block; with a variable-length iskPubKey (see below) the later members are presumably not at these struct offsets in a real block.
164  */
165 typedef struct
166 {
167     uint32_t signatureOffset; /*!< Offset of signature in ISK block. Read from the block: bounds-check it before use. */
168     uint32_t constraints;     /*!< Version number of signing certificate. */
169     uint32_t iskFlags;        /*!< Reserved for definition of ISK certificate flags. */
170     nboot_ecdsa_public_key_t
171         iskPubKey; /*!< Public key of signing certificate. Variable length; only used to determine start address */
172     nboot_ecdsa_public_key_t userData; /*!< Space for at least one additional public key */
173     nboot_ecdsa_signature_t iskSign;   /*!< ISK signature */
174 } nboot_isk_block_t;
175 
176 /*!
177  * @brief NBOOT type for the certificate block
178  *
179  * This type defines the constant length part of an NBOOT certificate block: header, root certificate block, ISK block.
180  */
181 typedef struct _nboot_certificate_block
182 {
183     nboot_certificate_header_block_t header; /*!< Certificate block header (magic, format version, certBlockSize) */
184     nboot_root_certificate_block_t rootCertBlock; /*!< Details of selected root certificate (root certificate which will
185                                                      be used for ISK signing/SB3 header signing) */
186     nboot_isk_block_t iskBlock; /*!< Constant length part of the ISK block */
187 } nboot_certificate_block_t;
188 
189 #define NBOOT_SB3_MANIFEST_MAX_SIZE_IN_BYTES                                                                  \
190     (sizeof(nboot_sb3_header_t) + NBOOT_SB3_BLOCK_HASH384_SIZE_IN_BYTES + sizeof(nboot_certificate_block_t) + \
191      NBOOT_EC_COORDINATE_MAX_SIZE * 2) /*!< Largest manifest: header, one 384-bit hash, a full certificate block and two maximum-size coordinates (presumably the signature r and s). Uses sizeof, so it cannot be tested in #if. */
192 #define NBOOT_SB3_BLOCK_MAX_SIZE_IN_BYTES \
193     (4 /* blockNumber */ + NBOOT_SB3_BLOCK_HASH384_SIZE_IN_BYTES + NBOOT_SB3_CHUNK_SIZE_IN_BYTES) /*!< Largest data block: 4-byte block number, one 384-bit hash and one chunk. */
194 
195 /*! @brief The size of the DICE certificate (the CSR of the macro names), in 32-bit words and in bytes. */
196 #define NBOOT_DICE_CSR_SIZE_IN_WORD  (36)
197 #define NBOOT_DICE_CSR_SIZE_IN_BYTES (NBOOT_DICE_CSR_SIZE_IN_WORD * 4)
198 
199 /*! @brief The physical address to put the DICE certificate. NOTE(review): fixed address; confirm the memory map reserves NBOOT_DICE_CSR_SIZE_IN_BYTES bytes there. */
200 #define NBOOT_DICE_CSR_ADDRESS (0x30000000u)
201 
202 /*! @brief The offset for the PRINCE/IPED erase region returned by nboot mem checker. */
203 #define NBOOT_IPED_IV_OFFSET (3U)
204 
205 #define NBOOT_IMAGE_CMAC_UPDATE_NONE   (0u) /*!< Image CMAC update selector: none. */
206 #define NBOOT_IMAGE_CMAC_UPDATE_INDEX0 (1u) /*!< Image CMAC update selector: index 0. */
207 #define NBOOT_IMAGE_CMAC_UPDATE_INDEX1 (2u) /*!< Image CMAC update selector: index 1. */
208 #define NBOOT_IMAGE_CMAC_UPDATE_BOTH   (3u) /*!< Image CMAC update selector: both (INDEX0 | INDEX1). */
209 #define NBOOT_IMAGE_CMAC_UPDATE_MASK   (3u) /*!< Mask of the image CMAC update selector (bits 1:0). */
210 
211 #define NBOOT_CMPA_CMAC_UPDATE_MASK  (0x1Cu) /*!< Mask of the CMPA CMAC update field (bits 4:2). */
212 #define NBOOT_CMPA_CMAC_UPDATE_SHIFT (0x2u) /*!< Shift of the CMPA CMAC update field. */
213 
214 #define NBOOT_CMPA_UPDATE_CMAC_PFR                (0x2u) /*!< CMPA CMAC update value; presumably compared after masking and shifting. */
215 #define NBOOT_CMPA_UPDATE_CMAC_PFR_OTP_OEM_SECURE (0x3u) /*!< CMPA CMAC update value, as above. */
216 #define NBOOT_CMPA_UPDATE_CMAC_PFR_OTP_OEM_CLOSE  (0x5u) /*!< CMPA CMAC update value, as above. */
217 #define NBOOT_CMPA_UPDATE_CMAC_PFR_OTP_OEM_LOCKED (0x6u) /*!< CMPA CMAC update value, as above. */
218 
219 /*! @brief Algorithm used for nboot HASH operation. Values start at 1, so 0 names no algorithm. NOTE(review): there is no SHA-384 value although this header defines 48-byte (HASH384) sizes; confirm how that case is selected. */
220 typedef enum _nboot_hash_algo_t
221 {
222     kHASH_Sha1   = 1, /*!< SHA_1; not collision resistant, so not a fit for signature or image digests */
223     kHASH_Sha256 = 2, /*!< SHA_256 */
224     kHASH_Sha512 = 3, /*!< SHA_512 */
225     kHASH_Aes    = 4, /*!< AES */
226     kHASH_AesIcb = 5, /*!< AES_ICB */
227 } nboot_hash_algo_t;
228 
229 /*! @} */
230 
231 #endif /*_FSL_NBOOT_HAL_H_ */
232