tbbr/dualroot: Add fw_config image in chain of trust

fw_config image is authenticated using secure boot framework by
adding it into the single root and dual root chain of trust.

The COT for fw_config image looks as below:

+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Boot fw   |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /                   |
                        /                    |
                       /                     |
                      /                      |
                     L                       v
+------------------+       +-------------------+
| fw_config hash   |------>| fw_config         |
|                  |       | (Data Image)      |
+------------------+       +-------------------+

Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I08fc8ee95c29a95bb140c807dd06e772474c7367

diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index f28ddaa9197cc72197c41138345d5a56a94cf003..31e5d65f4dd37476627c651a079001259326db48 100644 (file)
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c
@@ -16,6 +16,7 @@
  * Allocate static buffers to store the authentication parameters extracted from
  * the certificates.
  */
+static unsigned char fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char hw_config_hash_buf[HASH_DER_LEN];
@@ -58,6 +59,8 @@ static auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
                AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
                AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
+static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
+               AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
 #ifdef IMAGE_BL1
 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
                AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
@@ -165,6 +168,13 @@ static const auth_img_desc_t trusted_boot_fw_cert = {
                                .ptr = (void *)hw_config_hash_buf,
                                .len = (unsigned int)HASH_DER_LEN
                        }
+               },
+               [3] = {
+                       .type_desc = &fw_config_hash,
+                       .data = {
+                               .ptr = (void *)fw_config_hash_buf,
+                               .len = (unsigned int)HASH_DER_LEN
+                       }
                }
        }
 };
@@ -218,6 +228,22 @@ static const auth_img_desc_t tb_fw_config = {
                }
        }
 };
+
+static const auth_img_desc_t fw_config = {
+       .img_id = FW_CONFIG_ID,
+       .img_type = IMG_RAW,
+       .parent = &trusted_boot_fw_cert,
+       .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+               [0] = {
+                       .type = AUTH_METHOD_HASH,
+                       .param.hash = {
+                               .data = &raw_data,
+                               .hash = &fw_config_hash
+                       }
+               }
+       }
+};
+
 #endif /* IMAGE_BL1 */
 
 #ifdef IMAGE_BL2
@@ -860,6 +886,7 @@ static const auth_img_desc_t * const cot_desc[] = {
        [BL2_IMAGE_ID]                          =       &bl2_image,
        [HW_CONFIG_ID]                          =       &hw_config,
        [TB_FW_CONFIG_ID]                       =       &tb_fw_config,
+       [FW_CONFIG_ID]                          =       &fw_config,
        [FWU_CERT_ID]                           =       &fwu_cert,
        [SCP_BL2U_IMAGE_ID]                     =       &scp_bl2u_image,
        [BL2U_IMAGE_ID]                         =       &bl2u_image,

diff --git a/drivers/auth/tbbr/tbbr_cot_bl1.c b/drivers/auth/tbbr/tbbr_cot_bl1.c
index f3bb376743498ca3e960aa700be37ccc26b232ca..e4c92213ae9bdda40d9c629d5c73b10baaa484e3 100644 (file)
--- a/drivers/auth/tbbr/tbbr_cot_bl1.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl1.c
@@ -150,6 +150,21 @@ static const auth_img_desc_t tb_fw_config = {
        }
 };
 
+static const auth_img_desc_t fw_config = {
+       .img_id = FW_CONFIG_ID,
+       .img_type = IMG_RAW,
+       .parent = &trusted_boot_fw_cert,
+       .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+               [0] = {
+                       .type = AUTH_METHOD_HASH,
+                       .param.hash = {
+                               .data = &raw_data,
+                               .hash = &fw_config_hash
+                       }
+               }
+       }
+};
+
 /*
  * TBBR Chain of trust definition
  */
@@ -158,6 +173,7 @@ static const auth_img_desc_t * const cot_desc[] = {
        [BL2_IMAGE_ID]                          =       &bl2_image,
        [HW_CONFIG_ID]                          =       &hw_config,
        [TB_FW_CONFIG_ID]                       =       &tb_fw_config,
+       [FW_CONFIG_ID]                          =       &fw_config,
        [FWU_CERT_ID]                           =       &fwu_cert,
        [SCP_BL2U_IMAGE_ID]                     =       &scp_bl2u_image,
        [BL2U_IMAGE_ID]                         =       &bl2u_image,

diff --git a/drivers/auth/tbbr/tbbr_cot_common.c b/drivers/auth/tbbr/tbbr_cot_common.c
index 0a4b75e00c81255294c718adda003fa02dbf364e..ff3f22de15099097af396399c223d60c117f1b09 100644 (file)
--- a/drivers/auth/tbbr/tbbr_cot_common.c
+++ b/drivers/auth/tbbr/tbbr_cot_common.c
@@ -23,9 +23,10 @@
  * established, we can reuse some of the buffers on different stages
  */
 
+static unsigned char fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char hw_config_hash_buf[HASH_DER_LEN];
 unsigned char tb_fw_hash_buf[HASH_DER_LEN];
-unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
-unsigned char hw_config_hash_buf[HASH_DER_LEN];
 unsigned char scp_fw_hash_buf[HASH_DER_LEN];
 unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
 
@@ -48,7 +49,9 @@ auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
        AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
 auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
        AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
-auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
+auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
+       AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
+static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
        AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
 
 /* trusted_boot_fw_cert */
@@ -95,6 +98,13 @@ const auth_img_desc_t trusted_boot_fw_cert = {
                                .ptr = (void *)hw_config_hash_buf,
                                .len = (unsigned int)HASH_DER_LEN
                        }
+               },
+               [3] = {
+                       .type_desc = &fw_config_hash,
+                       .data = {
+                               .ptr = (void *)fw_config_hash_buf,
+                               .len = (unsigned int)HASH_DER_LEN
+                       }
                }
        }
 };

diff --git a/include/drivers/auth/tbbr_cot_common.h b/include/drivers/auth/tbbr_cot_common.h
index 0ea5f6575b4754b893cbb56719ae64d15de607d2..a51faee1aa8fb7c7958d0ba861637cfe9ea7c4db 100644 (file)
--- a/include/drivers/auth/tbbr_cot_common.h
+++ b/include/drivers/auth/tbbr_cot_common.h
@@ -10,8 +10,6 @@
 #include <drivers/auth/auth_mod.h>
 
 extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];
-extern unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
-extern unsigned char hw_config_hash_buf[HASH_DER_LEN];
 extern unsigned char scp_fw_hash_buf[HASH_DER_LEN];
 extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
 
@@ -23,7 +21,7 @@ extern auth_param_type_desc_t raw_data;
 
 extern auth_param_type_desc_t tb_fw_hash;
 extern auth_param_type_desc_t tb_fw_config_hash;
-extern auth_param_type_desc_t hw_config_hash;
+extern auth_param_type_desc_t fw_config_hash;
 
 extern const auth_img_desc_t trusted_boot_fw_cert;
 extern const auth_img_desc_t hw_config;

diff --git a/include/export/common/tbbr/tbbr_img_def_exp.h b/include/export/common/tbbr/tbbr_img_def_exp.h
index a98c1b4f6de30266bee9c1898988a2a93d145dd2..18f012513765bbbf83b421f1010ce3fd4b0be21f 100644 (file)
--- a/include/export/common/tbbr/tbbr_img_def_exp.h
+++ b/include/export/common/tbbr/tbbr_img_def_exp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2019-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -88,7 +88,10 @@
 /* Encrypted image identifier */
 #define ENC_IMAGE_ID                   U(30)
 
+/* FW_CONFIG */
+#define FW_CONFIG_ID                   U(31)
+
 /* Max Images */
-#define MAX_IMAGE_IDS                  U(31)
+#define MAX_IMAGE_IDS                  U(32)
 
 #endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */

diff --git a/plat/arm/common/fconf/arm_fconf_io.c b/plat/arm/common/fconf/arm_fconf_io.c
index 68cd9fb37fa4475a10478db86c5c4e7dc8802c20..48cc4fee3a187696ad9c30d00677c6f1e7d75131 100644 (file)
--- a/plat/arm/common/fconf/arm_fconf_io.c
+++ b/plat/arm/common/fconf/arm_fconf_io.c
@@ -25,6 +25,7 @@ const io_block_spec_t fip_block_spec = {
 const io_uuid_spec_t arm_uuid_spec[MAX_NUMBER_IDS] = {
        [BL2_IMAGE_ID] = {UUID_TRUSTED_BOOT_FIRMWARE_BL2},
        [TB_FW_CONFIG_ID] = {UUID_TB_FW_CONFIG},
+       [FW_CONFIG_ID] = {UUID_FW_CONFIG},
 #if !ARM_IO_IN_DTB
        [SCP_BL2_IMAGE_ID] = {UUID_SCP_FIRMWARE_SCP_BL2},
        [BL31_IMAGE_ID] = {UUID_EL3_RUNTIME_FIRMWARE_BL31},
@@ -73,6 +74,11 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
                (uintptr_t)&arm_uuid_spec[TB_FW_CONFIG_ID],
                open_fip
        },
+       [FW_CONFIG_ID] = {
+               &fip_dev_handle,
+               (uintptr_t)&arm_uuid_spec[FW_CONFIG_ID],
+               open_fip
+       },
 #if !ARM_IO_IN_DTB
        [SCP_BL2_IMAGE_ID] = {
                &fip_dev_handle,