1 /* 2 * Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved. 3 * 4 * Copyright 2020 NXP 5 * 6 * SPDX-License-Identifier: BSD-3-Clause 7 */ 8 9 #include <stddef.h> 10 11 #include <common/tbbr/cot_def.h> 12 #include <drivers/auth/auth_mod.h> 13 14 #if USE_TBBR_DEFS 15 #include <tools_share/tbbr_oid.h> 16 #else 17 #include <platform_oid.h> 18 #endif 19 20 21 #if TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256 22 #define HASH_DER_LEN 51 23 #elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384 24 #define HASH_DER_LEN 67 25 #elif TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512 26 #define HASH_DER_LEN 83 27 #else 28 #error "Invalid value for TF_MBEDTLS_HASH_ALG_ID" 29 #endif 30 31 /* 32 * The platform must allocate buffers to store the authentication parameters 33 * extracted from the certificates. In this case, because of the way the CoT is 34 * established, we can reuse some of the buffers on different stages 35 */ 36 37 static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; 38 39 static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; 40 static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; 41 static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; 42 static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; 43 static unsigned char trusted_world_pk_buf[PK_DER_LEN]; 44 static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; 45 static unsigned char content_pk_buf[PK_DER_LEN]; 46 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; 47 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; 48 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; 49 50 #ifdef CONFIG_DDR_FIP_IMAGE 51 static unsigned char ddr_fw_content_pk_buf[PK_DER_LEN]; 52 static unsigned char ddr_imem_udimm_1d_hash_buf[HASH_DER_LEN]; 53 static unsigned char ddr_imem_udimm_2d_hash_buf[HASH_DER_LEN]; 54 static unsigned char ddr_dmem_udimm_1d_hash_buf[HASH_DER_LEN]; 55 static unsigned char ddr_dmem_udimm_2d_hash_buf[HASH_DER_LEN]; 56 57 static unsigned char ddr_imem_rdimm_1d_hash_buf[HASH_DER_LEN]; 58 static unsigned char ddr_imem_rdimm_2d_hash_buf[HASH_DER_LEN]; 59 static unsigned char ddr_dmem_rdimm_1d_hash_buf[HASH_DER_LEN]; 60 static unsigned char ddr_dmem_rdimm_2d_hash_buf[HASH_DER_LEN]; 61 #endif 62 63 /* 64 * Parameter type descriptors 65 */ 66 static auth_param_type_desc_t trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 67 AUTH_PARAM_NV_CTR, TRUSTED_FW_NVCOUNTER_OID); 68 69 static auth_param_type_desc_t subject_pk = AUTH_PARAM_TYPE_DESC( 70 AUTH_PARAM_PUB_KEY, 0); 71 static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( 72 AUTH_PARAM_SIG, 0); 73 static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( 74 AUTH_PARAM_SIG_ALG, 0); 75 static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( 76 AUTH_PARAM_RAW_DATA, 0); 77 78 79 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC( 80 AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID); 81 static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( 82 AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); 83 static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( 84 AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); 85 static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( 86 AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); 87 static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( 88 AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); 89 static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( 90 AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); 91 static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( 92 AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); 93 static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC( 94 AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID); 95 static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( 96 AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); 97 static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC( 98 AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID); 99 static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( 100 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); 101 static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( 102 AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); 103 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( 104 AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); 105 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( 106 AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); 107 108 #ifdef CONFIG_DDR_FIP_IMAGE 109 static auth_param_type_desc_t ddr_fw_content_pk = AUTH_PARAM_TYPE_DESC( 110 AUTH_PARAM_PUB_KEY, DDR_FW_CONTENT_CERT_PK_OID); 111 112 static auth_param_type_desc_t ddr_imem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 113 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_1D_HASH_OID); 114 static auth_param_type_desc_t ddr_imem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 115 AUTH_PARAM_HASH, DDR_IMEM_UDIMM_2D_HASH_OID); 116 static auth_param_type_desc_t ddr_dmem_udimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 117 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_1D_HASH_OID); 118 static auth_param_type_desc_t ddr_dmem_udimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 119 AUTH_PARAM_HASH, DDR_DMEM_UDIMM_2D_HASH_OID); 120 121 static auth_param_type_desc_t ddr_imem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 122 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_1D_HASH_OID); 123 static auth_param_type_desc_t ddr_imem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 124 AUTH_PARAM_HASH, DDR_IMEM_RDIMM_2D_HASH_OID); 125 static auth_param_type_desc_t ddr_dmem_rdimm_1d_fw_hash = AUTH_PARAM_TYPE_DESC( 126 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_1D_HASH_OID); 127 static auth_param_type_desc_t ddr_dmem_rdimm_2d_fw_hash = AUTH_PARAM_TYPE_DESC( 128 AUTH_PARAM_HASH, DDR_DMEM_RDIMM_2D_HASH_OID); 129 #endif 130 131 132 /* 133 * Trusted key certificate 134 */ 135 static const auth_img_desc_t trusted_key_cert = { 136 .img_id = TRUSTED_KEY_CERT_ID, 137 .img_type = IMG_CERT, 138 .parent = NULL, 139 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 140 [0] = { 141 .type = AUTH_METHOD_SIG, 142 .param.sig = { 143 .pk = &subject_pk, 144 .sig = &sig, 145 .alg = &sig_alg, 146 .data = &raw_data 147 } 148 }, 149 [1] = { 150 .type = AUTH_METHOD_NV_CTR, 151 .param.nv_ctr = { 152 .cert_nv_ctr = &trusted_nv_ctr, 153 .plat_nv_ctr = &trusted_nv_ctr 154 } 155 } 156 }, 157 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 158 [0] = { 159 .type_desc = &trusted_world_pk, 160 .data = { 161 .ptr = (void *)trusted_world_pk_buf, 162 .len = (unsigned int)PK_DER_LEN 163 } 164 }, 165 [1] = { 166 .type_desc = &non_trusted_world_pk, 167 .data = { 168 .ptr = (void *)non_trusted_world_pk_buf, 169 .len = (unsigned int)PK_DER_LEN 170 } 171 } 172 } 173 }; 174 175 /* 176 * SoC Firmware 177 */ 178 static const auth_img_desc_t soc_fw_key_cert = { 179 .img_id = SOC_FW_KEY_CERT_ID, 180 .img_type = IMG_CERT, 181 .parent = &trusted_key_cert, 182 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 183 [0] = { 184 .type = AUTH_METHOD_SIG, 185 .param.sig = { 186 .pk = &trusted_world_pk, 187 .sig = &sig, 188 .alg = &sig_alg, 189 .data = &raw_data 190 } 191 }, 192 [1] = { 193 .type = AUTH_METHOD_NV_CTR, 194 .param.nv_ctr = { 195 .cert_nv_ctr = &trusted_nv_ctr, 196 .plat_nv_ctr = &trusted_nv_ctr 197 } 198 } 199 }, 200 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 201 [0] = { 202 .type_desc = &soc_fw_content_pk, 203 .data = { 204 .ptr = (void *)content_pk_buf, 205 .len = (unsigned int)PK_DER_LEN 206 } 207 } 208 } 209 }; 210 static const auth_img_desc_t soc_fw_content_cert = { 211 .img_id = SOC_FW_CONTENT_CERT_ID, 212 .img_type = IMG_CERT, 213 .parent = &soc_fw_key_cert, 214 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 215 [0] = { 216 .type = AUTH_METHOD_SIG, 217 .param.sig = { 218 .pk = &soc_fw_content_pk, 219 .sig = &sig, 220 .alg = &sig_alg, 221 .data = &raw_data 222 } 223 }, 224 [1] = { 225 .type = AUTH_METHOD_NV_CTR, 226 .param.nv_ctr = { 227 .cert_nv_ctr = &trusted_nv_ctr, 228 .plat_nv_ctr = &trusted_nv_ctr 229 } 230 } 231 }, 232 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 233 [0] = { 234 .type_desc = &soc_fw_hash, 235 .data = { 236 .ptr = (void *)soc_fw_hash_buf, 237 .len = (unsigned int)HASH_DER_LEN 238 } 239 }, 240 [1] = { 241 .type_desc = &soc_fw_config_hash, 242 .data = { 243 .ptr = (void *)soc_fw_config_hash_buf, 244 .len = (unsigned int)HASH_DER_LEN 245 } 246 } 247 } 248 }; 249 static const auth_img_desc_t bl31_image = { 250 .img_id = BL31_IMAGE_ID, 251 .img_type = IMG_RAW, 252 .parent = &soc_fw_content_cert, 253 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 254 [0] = { 255 .type = AUTH_METHOD_HASH, 256 .param.hash = { 257 .data = &raw_data, 258 .hash = &soc_fw_hash 259 } 260 } 261 } 262 }; 263 /* SOC FW Config */ 264 static const auth_img_desc_t soc_fw_config = { 265 .img_id = SOC_FW_CONFIG_ID, 266 .img_type = IMG_RAW, 267 .parent = &soc_fw_content_cert, 268 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 269 [0] = { 270 .type = AUTH_METHOD_HASH, 271 .param.hash = { 272 .data = &raw_data, 273 .hash = &soc_fw_config_hash 274 } 275 } 276 } 277 }; 278 /* 279 * Trusted OS Firmware 280 */ 281 static const auth_img_desc_t trusted_os_fw_key_cert = { 282 .img_id = TRUSTED_OS_FW_KEY_CERT_ID, 283 .img_type = IMG_CERT, 284 .parent = &trusted_key_cert, 285 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 286 [0] = { 287 .type = AUTH_METHOD_SIG, 288 .param.sig = { 289 .pk = &trusted_world_pk, 290 .sig = &sig, 291 .alg = &sig_alg, 292 .data = &raw_data 293 } 294 }, 295 [1] = { 296 .type = AUTH_METHOD_NV_CTR, 297 .param.nv_ctr = { 298 .cert_nv_ctr = &trusted_nv_ctr, 299 .plat_nv_ctr = &trusted_nv_ctr 300 } 301 } 302 }, 303 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 304 [0] = { 305 .type_desc = &tos_fw_content_pk, 306 .data = { 307 .ptr = (void *)content_pk_buf, 308 .len = (unsigned int)PK_DER_LEN 309 } 310 } 311 } 312 }; 313 static const auth_img_desc_t trusted_os_fw_content_cert = { 314 .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, 315 .img_type = IMG_CERT, 316 .parent = &trusted_os_fw_key_cert, 317 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 318 [0] = { 319 .type = AUTH_METHOD_SIG, 320 .param.sig = { 321 .pk = &tos_fw_content_pk, 322 .sig = &sig, 323 .alg = &sig_alg, 324 .data = &raw_data 325 } 326 }, 327 [1] = { 328 .type = AUTH_METHOD_NV_CTR, 329 .param.nv_ctr = { 330 .cert_nv_ctr = &trusted_nv_ctr, 331 .plat_nv_ctr = &trusted_nv_ctr 332 } 333 } 334 }, 335 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 336 [0] = { 337 .type_desc = &tos_fw_hash, 338 .data = { 339 .ptr = (void *)tos_fw_hash_buf, 340 .len = (unsigned int)HASH_DER_LEN 341 } 342 }, 343 [1] = { 344 .type_desc = &tos_fw_extra1_hash, 345 .data = { 346 .ptr = (void *)tos_fw_extra1_hash_buf, 347 .len = (unsigned int)HASH_DER_LEN 348 } 349 }, 350 [2] = { 351 .type_desc = &tos_fw_extra2_hash, 352 .data = { 353 .ptr = (void *)tos_fw_extra2_hash_buf, 354 .len = (unsigned int)HASH_DER_LEN 355 } 356 }, 357 [3] = { 358 .type_desc = &tos_fw_config_hash, 359 .data = { 360 .ptr = (void *)tos_fw_config_hash_buf, 361 .len = (unsigned int)HASH_DER_LEN 362 } 363 } 364 } 365 }; 366 static const auth_img_desc_t bl32_image = { 367 .img_id = BL32_IMAGE_ID, 368 .img_type = IMG_RAW, 369 .parent = &trusted_os_fw_content_cert, 370 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 371 [0] = { 372 .type = AUTH_METHOD_HASH, 373 .param.hash = { 374 .data = &raw_data, 375 .hash = &tos_fw_hash 376 } 377 } 378 } 379 }; 380 static const auth_img_desc_t bl32_extra1_image = { 381 .img_id = BL32_EXTRA1_IMAGE_ID, 382 .img_type = IMG_RAW, 383 .parent = &trusted_os_fw_content_cert, 384 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 385 [0] = { 386 .type = AUTH_METHOD_HASH, 387 .param.hash = { 388 .data = &raw_data, 389 .hash = &tos_fw_extra1_hash 390 } 391 } 392 } 393 }; 394 static const auth_img_desc_t bl32_extra2_image = { 395 .img_id = BL32_EXTRA2_IMAGE_ID, 396 .img_type = IMG_RAW, 397 .parent = &trusted_os_fw_content_cert, 398 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 399 [0] = { 400 .type = AUTH_METHOD_HASH, 401 .param.hash = { 402 .data = &raw_data, 403 .hash = &tos_fw_extra2_hash 404 } 405 } 406 } 407 }; 408 /* TOS FW Config */ 409 static const auth_img_desc_t tos_fw_config = { 410 .img_id = TOS_FW_CONFIG_ID, 411 .img_type = IMG_RAW, 412 .parent = &trusted_os_fw_content_cert, 413 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 414 [0] = { 415 .type = AUTH_METHOD_HASH, 416 .param.hash = { 417 .data = &raw_data, 418 .hash = &tos_fw_config_hash 419 } 420 } 421 } 422 }; 423 /* 424 * Non-Trusted Firmware 425 */ 426 static const auth_img_desc_t non_trusted_fw_key_cert = { 427 .img_id = NON_TRUSTED_FW_KEY_CERT_ID, 428 .img_type = IMG_CERT, 429 .parent = &trusted_key_cert, 430 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 431 [0] = { 432 .type = AUTH_METHOD_SIG, 433 .param.sig = { 434 .pk = &non_trusted_world_pk, 435 .sig = &sig, 436 .alg = &sig_alg, 437 .data = &raw_data 438 } 439 }, 440 [1] = { 441 .type = AUTH_METHOD_NV_CTR, 442 .param.nv_ctr = { 443 .cert_nv_ctr = &non_trusted_nv_ctr, 444 .plat_nv_ctr = &non_trusted_nv_ctr 445 } 446 } 447 }, 448 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 449 [0] = { 450 .type_desc = &nt_fw_content_pk, 451 .data = { 452 .ptr = (void *)content_pk_buf, 453 .len = (unsigned int)PK_DER_LEN 454 } 455 } 456 } 457 }; 458 static const auth_img_desc_t non_trusted_fw_content_cert = { 459 .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, 460 .img_type = IMG_CERT, 461 .parent = &non_trusted_fw_key_cert, 462 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 463 [0] = { 464 .type = AUTH_METHOD_SIG, 465 .param.sig = { 466 .pk = &nt_fw_content_pk, 467 .sig = &sig, 468 .alg = &sig_alg, 469 .data = &raw_data 470 } 471 }, 472 [1] = { 473 .type = AUTH_METHOD_NV_CTR, 474 .param.nv_ctr = { 475 .cert_nv_ctr = &non_trusted_nv_ctr, 476 .plat_nv_ctr = &non_trusted_nv_ctr 477 } 478 } 479 }, 480 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 481 [0] = { 482 .type_desc = &nt_world_bl_hash, 483 .data = { 484 .ptr = (void *)nt_world_bl_hash_buf, 485 .len = (unsigned int)HASH_DER_LEN 486 } 487 }, 488 [1] = { 489 .type_desc = &nt_fw_config_hash, 490 .data = { 491 .ptr = (void *)nt_fw_config_hash_buf, 492 .len = (unsigned int)HASH_DER_LEN 493 } 494 } 495 } 496 }; 497 static const auth_img_desc_t bl33_image = { 498 .img_id = BL33_IMAGE_ID, 499 .img_type = IMG_RAW, 500 .parent = &non_trusted_fw_content_cert, 501 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 502 [0] = { 503 .type = AUTH_METHOD_HASH, 504 .param.hash = { 505 .data = &raw_data, 506 .hash = &nt_world_bl_hash 507 } 508 } 509 } 510 }; 511 /* NT FW Config */ 512 static const auth_img_desc_t nt_fw_config = { 513 .img_id = NT_FW_CONFIG_ID, 514 .img_type = IMG_RAW, 515 .parent = &non_trusted_fw_content_cert, 516 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 517 [0] = { 518 .type = AUTH_METHOD_HASH, 519 .param.hash = { 520 .data = &raw_data, 521 .hash = &nt_fw_config_hash 522 } 523 } 524 } 525 }; 526 #ifdef CONFIG_DDR_FIP_IMAGE 527 /* 528 * DDR Firmware 529 */ 530 static const auth_img_desc_t ddr_fw_key_cert = { 531 .img_id = DDR_FW_KEY_CERT_ID, 532 .img_type = IMG_CERT, 533 .parent = &trusted_key_cert, 534 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 535 [0] = { 536 .type = AUTH_METHOD_SIG, 537 .param.sig = { 538 .pk = &trusted_world_pk, 539 .sig = &sig, 540 .alg = &sig_alg, 541 .data = &raw_data 542 } 543 }, 544 [1] = { 545 .type = AUTH_METHOD_NV_CTR, 546 .param.nv_ctr = { 547 .cert_nv_ctr = &trusted_nv_ctr, 548 .plat_nv_ctr = &trusted_nv_ctr 549 } 550 } 551 }, 552 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 553 [0] = { 554 .type_desc = &ddr_fw_content_pk, 555 .data = { 556 .ptr = (void *)ddr_fw_content_pk_buf, 557 .len = (unsigned int)PK_DER_LEN 558 } 559 } 560 } 561 }; 562 static const auth_img_desc_t ddr_udimm_fw_content_cert = { 563 .img_id = DDR_UDIMM_FW_CONTENT_CERT_ID, 564 .img_type = IMG_CERT, 565 .parent = &ddr_fw_key_cert, 566 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 567 [0] = { 568 .type = AUTH_METHOD_SIG, 569 .param.sig = { 570 .pk = &ddr_fw_content_pk, 571 .sig = &sig, 572 .alg = &sig_alg, 573 .data = &raw_data 574 } 575 }, 576 [1] = { 577 .type = AUTH_METHOD_NV_CTR, 578 .param.nv_ctr = { 579 .cert_nv_ctr = &trusted_nv_ctr, 580 .plat_nv_ctr = &trusted_nv_ctr 581 } 582 } 583 }, 584 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 585 [0] = { 586 .type_desc = &ddr_imem_udimm_1d_fw_hash, 587 .data = { 588 .ptr = (void *)ddr_imem_udimm_1d_hash_buf, 589 .len = (unsigned int)HASH_DER_LEN 590 } 591 }, 592 [1] = { 593 .type_desc = &ddr_imem_udimm_2d_fw_hash, 594 .data = { 595 .ptr = (void *)ddr_imem_udimm_2d_hash_buf, 596 .len = (unsigned int)HASH_DER_LEN 597 } 598 }, 599 [2] = { 600 .type_desc = &ddr_dmem_udimm_1d_fw_hash, 601 .data = { 602 .ptr = (void *)ddr_dmem_udimm_1d_hash_buf, 603 .len = (unsigned int)HASH_DER_LEN 604 } 605 }, 606 [3] = { 607 .type_desc = &ddr_dmem_udimm_2d_fw_hash, 608 .data = { 609 .ptr = (void *)ddr_dmem_udimm_2d_hash_buf, 610 .len = (unsigned int)HASH_DER_LEN 611 } 612 }, 613 } 614 }; 615 616 static const auth_img_desc_t ddr_imem_udimm_1d_img = { 617 .img_id = DDR_IMEM_UDIMM_1D_IMAGE_ID, 618 .img_type = IMG_RAW, 619 .parent = &ddr_udimm_fw_content_cert, 620 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 621 [0] = { 622 .type = AUTH_METHOD_HASH, 623 .param.hash = { 624 .data = &raw_data, 625 .hash = &ddr_imem_udimm_1d_fw_hash 626 } 627 } 628 } 629 }; 630 static const auth_img_desc_t ddr_imem_udimm_2d_img = { 631 .img_id = DDR_IMEM_UDIMM_2D_IMAGE_ID, 632 .img_type = IMG_RAW, 633 .parent = &ddr_udimm_fw_content_cert, 634 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 635 [0] = { 636 .type = AUTH_METHOD_HASH, 637 .param.hash = { 638 .data = &raw_data, 639 .hash = &ddr_imem_udimm_2d_fw_hash 640 } 641 } 642 } 643 }; 644 static const auth_img_desc_t ddr_dmem_udimm_1d_img = { 645 .img_id = DDR_DMEM_UDIMM_1D_IMAGE_ID, 646 .img_type = IMG_RAW, 647 .parent = &ddr_udimm_fw_content_cert, 648 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 649 [0] = { 650 .type = AUTH_METHOD_HASH, 651 .param.hash = { 652 .data = &raw_data, 653 .hash = &ddr_dmem_udimm_1d_fw_hash 654 } 655 } 656 } 657 }; 658 static const auth_img_desc_t ddr_dmem_udimm_2d_img = { 659 .img_id = DDR_DMEM_UDIMM_2D_IMAGE_ID, 660 .img_type = IMG_RAW, 661 .parent = &ddr_udimm_fw_content_cert, 662 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 663 [0] = { 664 .type = AUTH_METHOD_HASH, 665 .param.hash = { 666 .data = &raw_data, 667 .hash = &ddr_dmem_udimm_2d_fw_hash 668 } 669 } 670 } 671 }; 672 673 static const auth_img_desc_t ddr_rdimm_fw_content_cert = { 674 .img_id = DDR_RDIMM_FW_CONTENT_CERT_ID, 675 .img_type = IMG_CERT, 676 .parent = &ddr_fw_key_cert, 677 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 678 [0] = { 679 .type = AUTH_METHOD_SIG, 680 .param.sig = { 681 .pk = &ddr_fw_content_pk, 682 .sig = &sig, 683 .alg = &sig_alg, 684 .data = &raw_data 685 } 686 }, 687 [1] = { 688 .type = AUTH_METHOD_NV_CTR, 689 .param.nv_ctr = { 690 .cert_nv_ctr = &trusted_nv_ctr, 691 .plat_nv_ctr = &trusted_nv_ctr 692 } 693 } 694 }, 695 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 696 [0] = { 697 .type_desc = &ddr_imem_rdimm_1d_fw_hash, 698 .data = { 699 .ptr = (void *)ddr_imem_rdimm_1d_hash_buf, 700 .len = (unsigned int)HASH_DER_LEN 701 } 702 }, 703 [1] = { 704 .type_desc = &ddr_imem_rdimm_2d_fw_hash, 705 .data = { 706 .ptr = (void *)ddr_imem_rdimm_2d_hash_buf, 707 .len = (unsigned int)HASH_DER_LEN 708 } 709 }, 710 [2] = { 711 .type_desc = &ddr_dmem_rdimm_1d_fw_hash, 712 .data = { 713 .ptr = (void *)ddr_dmem_rdimm_1d_hash_buf, 714 .len = (unsigned int)HASH_DER_LEN 715 } 716 }, 717 [3] = { 718 .type_desc = &ddr_dmem_rdimm_2d_fw_hash, 719 .data = { 720 .ptr = (void *)ddr_dmem_rdimm_2d_hash_buf, 721 .len = (unsigned int)HASH_DER_LEN 722 } 723 }, 724 } 725 }; 726 727 static const auth_img_desc_t ddr_imem_rdimm_1d_img = { 728 .img_id = DDR_IMEM_RDIMM_1D_IMAGE_ID, 729 .img_type = IMG_RAW, 730 .parent = &ddr_rdimm_fw_content_cert, 731 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 732 [0] = { 733 .type = AUTH_METHOD_HASH, 734 .param.hash = { 735 .data = &raw_data, 736 .hash = &ddr_imem_rdimm_1d_fw_hash 737 } 738 } 739 } 740 }; 741 static const auth_img_desc_t ddr_imem_rdimm_2d_img = { 742 .img_id = DDR_IMEM_RDIMM_2D_IMAGE_ID, 743 .img_type = IMG_RAW, 744 .parent = &ddr_rdimm_fw_content_cert, 745 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 746 [0] = { 747 .type = AUTH_METHOD_HASH, 748 .param.hash = { 749 .data = &raw_data, 750 .hash = &ddr_imem_rdimm_2d_fw_hash 751 } 752 } 753 } 754 }; 755 static const auth_img_desc_t ddr_dmem_rdimm_1d_img = { 756 .img_id = DDR_DMEM_RDIMM_1D_IMAGE_ID, 757 .img_type = IMG_RAW, 758 .parent = &ddr_rdimm_fw_content_cert, 759 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 760 [0] = { 761 .type = AUTH_METHOD_HASH, 762 .param.hash = { 763 .data = &raw_data, 764 .hash = &ddr_dmem_rdimm_1d_fw_hash 765 } 766 } 767 } 768 }; 769 static const auth_img_desc_t ddr_dmem_rdimm_2d_img = { 770 .img_id = DDR_DMEM_RDIMM_2D_IMAGE_ID, 771 .img_type = IMG_RAW, 772 .parent = &ddr_rdimm_fw_content_cert, 773 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 774 [0] = { 775 .type = AUTH_METHOD_HASH, 776 .param.hash = { 777 .data = &raw_data, 778 .hash = &ddr_dmem_rdimm_2d_fw_hash 779 } 780 } 781 } 782 }; 783 #endif 784 785 /* 786 * TBBR Chain of trust definition 787 */ 788 789 static const auth_img_desc_t * const cot_desc[] = { 790 [TRUSTED_KEY_CERT_ID] = &trusted_key_cert, 791 [SOC_FW_KEY_CERT_ID] = &soc_fw_key_cert, 792 [SOC_FW_CONTENT_CERT_ID] = &soc_fw_content_cert, 793 [BL31_IMAGE_ID] = &bl31_image, 794 [SOC_FW_CONFIG_ID] = &soc_fw_config, 795 [TRUSTED_OS_FW_KEY_CERT_ID] = &trusted_os_fw_key_cert, 796 [TRUSTED_OS_FW_CONTENT_CERT_ID] = &trusted_os_fw_content_cert, 797 [BL32_IMAGE_ID] = &bl32_image, 798 [BL32_EXTRA1_IMAGE_ID] = &bl32_extra1_image, 799 [BL32_EXTRA2_IMAGE_ID] = &bl32_extra2_image, 800 [TOS_FW_CONFIG_ID] = &tos_fw_config, 801 [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert, 802 [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, 803 [BL33_IMAGE_ID] = &bl33_image, 804 [NT_FW_CONFIG_ID] = &nt_fw_config, 805 #ifdef CONFIG_DDR_FIP_IMAGE 806 [DDR_FW_KEY_CERT_ID] = &ddr_fw_key_cert, 807 [DDR_UDIMM_FW_CONTENT_CERT_ID] = &ddr_udimm_fw_content_cert, 808 [DDR_RDIMM_FW_CONTENT_CERT_ID] = &ddr_rdimm_fw_content_cert, 809 [DDR_IMEM_UDIMM_1D_IMAGE_ID] = &ddr_imem_udimm_1d_img, 810 [DDR_IMEM_UDIMM_2D_IMAGE_ID] = &ddr_imem_udimm_2d_img, 811 [DDR_DMEM_UDIMM_1D_IMAGE_ID] = &ddr_dmem_udimm_1d_img, 812 [DDR_DMEM_UDIMM_2D_IMAGE_ID] = &ddr_dmem_udimm_2d_img, 813 [DDR_IMEM_RDIMM_1D_IMAGE_ID] = &ddr_imem_rdimm_1d_img, 814 [DDR_IMEM_RDIMM_2D_IMAGE_ID] = &ddr_imem_rdimm_2d_img, 815 [DDR_DMEM_RDIMM_1D_IMAGE_ID] = &ddr_dmem_rdimm_1d_img, 816 [DDR_DMEM_RDIMM_2D_IMAGE_ID] = &ddr_dmem_rdimm_2d_img, 817 #endif 818 }; 819 820 /* Register the CoT in the authentication module */ 821 REGISTER_COT(cot_desc); 822
