feat(arm): add ARM_ROTPK_LOCATION variant full key

Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to the hash of it. This returns a 2kB development RSA key
embedded into the firmware.

The motivation for this patch is to extend our test coverage in the CI.
Right now, the authentication framework allows platforms to return
either the full ROTPK or a hash of it (*). However, the FVP platform
only supports returning a hash currently so we cannot easily exercise
the full key scenario. This patch adds that capability.

(*) Or even no key at all if it's not deployed on the platform yet, as
is typically the case on pre-production/developement platforms.

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ie869cca1082410e63894e2b7dea2d31155684105

diff --git a/include/plat/arm/common/arm_def.h b/include/plat/arm/common/arm_def.h
index ab0e4ff2cc3202e12ea11ea8e6fc762bc65ae52e..36b1bdb6d1b93e861508aad2bc9f1511227ea393 100644 (file)
--- a/include/plat/arm/common/arm_def.h
+++ b/include/plat/arm/common/arm_def.h
@@ -20,10 +20,12 @@
  *****************************************************************************/
 
 /*
- * Root of trust key hash lengths
+ * Root of trust key lengths
  */
 #define ARM_ROTPK_HEADER_LEN           19
 #define ARM_ROTPK_HASH_LEN             32
+/* ARM_ROTPK_KEY_LEN includes DER header + raw key material */
+#define ARM_ROTPK_KEY_LEN              294
 
 /* Special value used to verify platform parameters from BL2 to BL31 */
 #define ARM_BL31_PLAT_PARAM_VAL                ULL(0x0f1e2d3c4b5a6978)

diff --git a/include/plat/arm/common/plat_arm.h b/include/plat/arm/common/plat_arm.h
index 6c0d91d1feb958b1f1b6d6103cb64d5b70671c23..494e4705f8461755b14ae40733cf9ee48e6b90f0 100644 (file)
--- a/include/plat/arm/common/plat_arm.h
+++ b/include/plat/arm/common/plat_arm.h
@@ -159,7 +159,7 @@ void arm_setup_romlib(void);
 #define ARM_ROTPK_REGS_ID              1
 #define ARM_ROTPK_DEVEL_RSA_ID         2
 #define ARM_ROTPK_DEVEL_ECDSA_ID       3
-
+#define ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID    4
 
 /* IO storage utility functions */
 int arm_io_setup(void);

diff --git a/plat/arm/board/common/board_arm_trusted_boot.c b/plat/arm/board/common/board_arm_trusted_boot.c
index 714c444e7c962bc031844a5c00ec4da5155384b8..24d88eec2fe791a7e126f1ae5b35a607214b5bbd 100644 (file)
--- a/plat/arm/board/common/board_arm_trusted_boot.c
+++ b/plat/arm/board/common/board_arm_trusted_boot.c
@@ -47,7 +47,8 @@ uintptr_t nv_cntr_base_addr[MAX_NV_CTR_IDS] = {
 #pragma weak plat_get_nv_ctr
 #pragma weak plat_set_nv_ctr
 
-extern unsigned char arm_rotpk_header[], arm_rotpk_hash_end[];
+extern unsigned char arm_rotpk_header[], arm_rotpk_key[], arm_rotpk_hash_end[],
+       arm_rotpk_key_end[];
 
 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID) || ARM_CRYPTOCELL_INTEG
 static unsigned char rotpk_hash_der[ARM_ROTPK_HEADER_LEN + ARM_ROTPK_HASH_LEN];
@@ -93,16 +94,20 @@ int arm_get_rotpk_info_regs(void **key_ptr, unsigned int *key_len,
 #endif
 
 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \
-    (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID)
-/*
- * Return development ROTPK hash generated from ROT_KEY.
- */
+    (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) || \
+    (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID)
 int arm_get_rotpk_info_dev(void **key_ptr, unsigned int *key_len,
                        unsigned int *flags)
 {
-       *key_ptr = arm_rotpk_header;
-       *key_len = arm_rotpk_hash_end - arm_rotpk_header;
-       *flags = ROTPK_IS_HASH;
+       if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID) {
+               *key_ptr = arm_rotpk_key;
+               *key_len = arm_rotpk_key_end - arm_rotpk_key;
+               *flags = 0;
+       } else {
+               *key_ptr = arm_rotpk_header;
+               *key_len = arm_rotpk_hash_end - arm_rotpk_header;
+               *flags = ROTPK_IS_HASH;
+       }
        return 0;
 }
 #endif
@@ -130,7 +135,7 @@ int arm_get_rotpk_info_cc(void **key_ptr, unsigned int *key_len,
 #endif
 
 /*
- * Wrapper function for most Arm platforms to get ROTPK hash.
+ * Wrapper function for most Arm platforms to get ROTPK info.
  */
 static int get_rotpk_info(void **key_ptr, unsigned int *key_len,
                                unsigned int *flags)
@@ -140,7 +145,8 @@ static int get_rotpk_info(void **key_ptr, unsigned int *key_len,
 #else
 
 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) || \
-    (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID)
+    (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) || \
+    (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID)
        return arm_get_rotpk_info_dev(key_ptr, key_len, flags);
 #elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID)
        return arm_get_rotpk_info_regs(key_ptr, key_len, flags);

diff --git a/plat/arm/board/common/board_common.mk b/plat/arm/board/common/board_common.mk
index 1d0eb136ea5d9587d57e26c3bf8be0ee25b6b241..1f59a4ffcb32b00c29fcd103a6ffeb1beac5db05 100644 (file)
--- a/plat/arm/board/common/board_common.mk
+++ b/plat/arm/board/common/board_common.mk
@@ -20,6 +20,7 @@ else ifeq (${ARM_ROTPK_LOCATION}, devel_rsa)
        CRYPTO_ALG=rsa
        ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_RSA_ID
        ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
+       ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_dev_rotpk.S
 $(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"'))
 $(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH)
 $(warning Development keys support for FVP is deprecated. Use `regs` \
@@ -28,10 +29,17 @@ else ifeq (${ARM_ROTPK_LOCATION}, devel_ecdsa)
        CRYPTO_ALG=ec
        ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_ECDSA_ID
        ARM_ROTPK_HASH = plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin
+       ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_dev_rotpk.S
 $(eval $(call add_define_val,ARM_ROTPK_HASH,'"$(ARM_ROTPK_HASH)"'))
 $(BUILD_PLAT)/bl2/arm_dev_rotpk.o : $(ARM_ROTPK_HASH)
 $(warning Development keys support for FVP is deprecated. Use `regs` \
 option instead)
+else ifeq (${ARM_ROTPK_LOCATION}, devel_full_dev_rsa_key)
+       CRYPTO_ALG=rsa
+       ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_FULL_DEV_RSA_KEY_ID
+       ARM_ROTPK_S = plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S
+$(warning Development keys support for FVP is deprecated. Use `regs` \
+option instead)
 else
 $(error "Unsupported ARM_ROTPK_LOCATION value")
 endif
@@ -67,9 +75,9 @@ TFW_NVCTR_VAL ?=      0
 NTFW_NVCTR_VAL ?=      0
 endif
 BL1_SOURCES            +=      plat/arm/board/common/board_arm_trusted_boot.c \
-                               plat/arm/board/common/rotpk/arm_dev_rotpk.S
+                               ${ARM_ROTPK_S}
 BL2_SOURCES            +=      plat/arm/board/common/board_arm_trusted_boot.c \
-                               plat/arm/board/common/rotpk/arm_dev_rotpk.S
+                               ${ARM_ROTPK_S}
 
 # Allows platform code to provide implementation variants depending on the
 # selected chain of trust.

diff --git a/plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S b/plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S
new file mode 100644 (file)
index 0000000..4bb04dc
--- /dev/null
+++ b/plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/* corstone1000 platform provides custom values for the macros defined in
+ * arm_def.h , so only platform_def.h needs to be included
+ */
+#if !defined(TARGET_PLATFORM_FVP) && !defined(TARGET_PLATFORM_FPGA)
+#include "plat/arm/common/arm_def.h"
+#else
+#include <platform_def.h>
+#endif
+
+       .global arm_rotpk_key
+       .global arm_rotpk_key_end
+
+       .section .rodata.arm_rotpk_key, "a"
+
+arm_rotpk_key:
+       .byte 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01
+       .byte 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01
+       .byte 0x00, 0xCB, 0x2C, 0x60, 0xD5, 0x8D, 0x63, 0xD4, 0x07, 0x79, 0x7E, 0xC7, 0x16, 0x96, 0xBD, 0x4D, 0x24, 0x4E, 0xAC, 0x86, 0xE6, 0xB7, 0x71, 0xE3, 0xC5, 0x54, 0x0B, 0xE7, 0x14, 0x1C, 0xBD, 0x29, 0x1A, 0xC1, 0x3F, 0x7A, 0xB6, 0x02, 0xAA, 0xAB, 0x36, 0xC4, 0xD9, 0x36, 0x69, 0x6C, 0xE2, 0x65, 0xC3, 0x9B, 0xB1, 0xBF, 0x3D, 0xA8, 0x56, 0x26, 0xCB, 0xFD, 0x04, 0x01, 0xBA, 0xAC, 0x3E, 0x54, 0x32, 0xCA, 0x79, 0x5E, 0xBB, 0xB2, 0x05, 0xEA, 0x06, 0x58, 0xF2, 0x74, 0xBA, 0xE1, 0xF4, 0x87, 0xC0, 0x19, 0x0A, 0x1F, 0x66, 0x07, 0x77, 0x84, 0x83, 0xA1, 0x1C, 0xEF, 0xFF, 0x28, 0x59, 0xE7, 0xC3, 0x68, 0x7D, 0x26, 0x20, 0x43, 0xEB, 0x56, 0x63, 0xF3, 0x39, 0x31, 0xD8, 0x2B, 0x51, 0xA9, 0xBC, 0x4F, 0xD0, 0xF6, 0xDE, 0x95, 0xDC, 0x5F, 0x5B, 0xC1, 0xED, 0x90, 0x6F, 0xEC, 0x28, 0x91, 0x7E, 0x17, 0xED, 0x78, 0x90, 0xF4, 0x60, 0xA7, 0xC4, 0xC7, 0x4F, 0x50, 0xED, 0x5D, 0x13, 0x3A, 0x21, 0x2B, 0x70, 0xC5, 0x61, 0x7B, 0x08, 0x21, 0x65, 0x3A, 0xCD, 0x82, 0x56, 0x8C, 0x7A, 0x47, 0xAC, 0x89, 0xE8, 0xA5, 0x48, 0x48
+       .byte 0x31, 0xD9, 0x1D, 0x46, 0xE5, 0x85, 0x86, 0x98, 0xA0, 0xE5, 0xC0, 0xA6, 0x6A, 0xBD, 0x07, 0xE4, 0x92, 0x57, 0x61, 0x07, 0x8F, 0x7D, 0x5A, 0x4D, 0xCA, 0xAE, 0x36, 0xB9, 0x56, 0x04, 0x10, 0xF2, 0x6C, 0xBE, 0xF6, 0x3B, 0x6C, 0x80, 0x3E, 0xBE , 0x0E, 0xA3, 0x4D , 0xC7 , 0xD4, 0x7E , 0xA7  , 0x49, 0xD4, 0xF2, 0xD2, 0xBC, 0xCF, 0x30, 0xA8, 0xE7, 0x74, 0x8F, 0x64, 0xDF, 0xBC, 0x5C, 0x47, 0x68, 0xCC, 0x40, 0x4C, 0xF8, 0x83, 0xCC, 0xCB, 0x40, 0x35, 0x04, 0x60, 0xCA, 0xB3, 0xA4, 0x17, 0x9F, 0x03, 0xCA, 0x1D, 0x5A, 0xFA, 0xD1, 0xAF, 0x21, 0x57, 0x10, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01
+
+arm_rotpk_key_end:
+
+.if ARM_ROTPK_KEY_LEN != arm_rotpk_key_end - arm_rotpk_key
+.error "Invalid ROTPK length."
+.endif
+