1 /* 2 * Copyright (c) 2001-2019, Arm Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /*! 8 @addtogroup cc_sbrt 9 @{ 10 */ 11 12 /*! 13 @file 14 @brief This file contains CryptoCell Secure Boot certificate-chain processing APIs. 15 */ 16 17 #ifndef _MBEDTLS_CC_SBRT_H 18 #define _MBEDTLS_CC_SBRT_H 19 20 #ifdef __cplusplus 21 extern "C" 22 { 23 #endif 24 25 #include "secureboot_defs.h" 26 #include "secureboot_gen_defs.h" 27 /*! 28 @brief This function initializes the Secure Boot certificate-chain 29 processing. 30 31 It initializes the internal data fields of the certificate package. 32 33 @note This function must be the first API called when processing a Secure 34 Boot certificate chain. 35 36 @return \c CC_OK on success. 37 @return A non-zero value from bsv_error.h on failure. 38 */ 39 40 CCError_t mbedtls_sb_cert_chain_cerification_init( 41 /*! [in/out] A pointer to the information about the certificate package. */ 42 CCSbCertInfo_t *certPkgInfo 43 ); 44 45 /*! 46 @brief This function verifies a single certificate package containing 47 either a key or content certificate. 48 49 It verifies the following: 50 <ul><li>The public key as saved in the certificate, against its hash. 51 Its hash is found in either the OTP memory (HBK) or in \p certPkgInfo.</li> 52 <li>The RSA signature of the certificate.</li> 53 <li>The SW version in the certificate is higher than or equal to the minimal 54 SW version, as recorded on the device and passed in \p certPkgInfo.</li> 55 <li>For content certificates: Each SW module against its hash in the 56 certificate.</li></ul> 57 58 @note The certificates may reside in the memory or in the flash. The 59 flashReadFunc() must be implemented accordingly. \par 60 @note The certificates and images must both be placed either in the 61 memory or in the flash. \par 62 63 @return \c CC_OK on success. 64 @return A non-zero value from bsv_error.h on failure. 65 */ 66 CCError_t mbedtls_sb_cert_verify_single( 67 /*! [in] A pointer to the flash-read function. */ 68 CCSbFlashReadFunc flashReadFunc, 69 /*! [in] An additional pointer for flashRead() usage. May be NULL. */ 70 void *userContext, 71 /*! [in] The address where the certificate is located. This address is 72 provided to \p flashReadFunc. */ 73 CCAddr_t certStoreAddress, 74 /*! [in/out] A pointer to the certificate-package information. */ 75 CCSbCertInfo_t *pCertPkgInfo, 76 /*! [in/out] A pointer to a buffer used for extracting the X.509 TBS 77 Headers. Note: Must be NULL for proprietary certificates. */ 78 uint32_t *pHeader, 79 /*! [in] The size of \p pHeader in Bytes. Note: Must be 0 for 80 proprietary certificates. */ 81 uint32_t headerSize, 82 /*! [in] A buffer for the internal use of the function. */ 83 uint32_t *pWorkspace, 84 /*! [in] The size of the workspace in bytes. Note: Must be at least 85 #CC_SB_MIN_WORKSPACE_SIZE_IN_BYTES. */ 86 uint32_t workspaceSize 87 ); 88 89 /*! 90 @brief This function changes the storage address of a specific SW image in 91 the content certificate. 92 93 @note The certificate must be loaded to the RAM before calling this 94 function. \par 95 @note The function does not verify the certificate before the address change. \par 96 97 @return \c CC_OK on success. 98 @return A non-zero value from bsv_error.h on failure. 99 */ 100 CCError_t mbedtls_sb_sw_image_store_address_change( 101 /*! [in] The certificate address after it has been loaded to memory. */ 102 uint32_t *pCert, 103 /*! [in] The maximal memory size allocated for the certificate in words 104 (certificate boundaries). */ 105 uint32_t maxCertSizeWords, 106 /*! [in] The new storage address to change to. */ 107 CCAddr_t address, 108 /*! [in] The index of the SW image in the content certificate, starting 109 from 0. */ 110 uint32_t indexOfAddress 111 ); 112 113 #ifdef __cplusplus 114 } 115 116 #endif /*_MBEDTLS_SBRT_H*/ 117 118 /*! 119 @} 120 */ 121 #endif 122 123
