authorManish Pandey <manish.pandey2@arm.com>2020-07-31 16:25:17 +0100
committerManish Pandey <manish.pandey2@arm.com>2020-08-12 14:30:31 +0100
commit2947412d547307019c919e8131353538511f83d9 (patch)
treefbe092970dbdc94dd4be01c4e1aeec9478e15249 /drivers
parent23d5f03ad00a7a815555d52a15f34fdcc958cccd (diff)
dualroot: add chain of trust for Platform owned SPs
For dualroot CoT there are two sets of SP certificates, one owned by the Silicon Provider (SiP) and the other owned by the Platform. Each certificate can have a maximum of 4 SPs. This patch reduces the number of SiP owned SPs from 8 to 4 and adds the remaining 4 to Plat owned SP. Plat owned SP certificate is signed using Platform RoT key and protected against rollback using the Non-trusted Non-volatile counter. Change-Id: Idc3ddd87d6d85a5506a7435f45a6ec17c4c50425 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/auth/dualroot/cot.c52
1 files changed, 40 insertions, 12 deletions
diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index 68f3d467f..e1e47bca0 100644
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c
@@ -743,29 +743,60 @@ static const auth_img_desc_t sip_sp_content_cert = {
.ptr = (void *)sp_pkg_hash_buf[3],
.len = (unsigned int)HASH_DER_LEN
}
+ }
+ }
+};
+
+DEFINE_SIP_SP_PKG(1);
+DEFINE_SIP_SP_PKG(2);
+DEFINE_SIP_SP_PKG(3);
+DEFINE_SIP_SP_PKG(4);
+
+static const auth_img_desc_t plat_sp_content_cert = {
+ .img_id = PLAT_SP_CONTENT_CERT_ID,
+ .img_type = IMG_CERT,
+ .parent = NULL,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_SIG,
+ .param.sig = {
+ .pk = &prot_pk,
+ .sig = &sig,
+ .alg = &sig_alg,
+ .data = &raw_data
+ }
},
- [4] = {
+ [1] = {
+ .type = AUTH_METHOD_NV_CTR,
+ .param.nv_ctr = {
+ .cert_nv_ctr = &non_trusted_nv_ctr,
+ .plat_nv_ctr = &non_trusted_nv_ctr
+ }
+ }
+ },
+ .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+ [0] = {
.type_desc = &sp_pkg5_hash,
.data = {
.ptr = (void *)sp_pkg_hash_buf[4],
.len = (unsigned int)HASH_DER_LEN
}
},
- [5] = {
+ [1] = {
.type_desc = &sp_pkg6_hash,
.data = {
.ptr = (void *)sp_pkg_hash_buf[5],
.len = (unsigned int)HASH_DER_LEN
}
},
- [6] = {
+ [2] = {
.type_desc = &sp_pkg7_hash,
.data = {
.ptr = (void *)sp_pkg_hash_buf[6],
.len = (unsigned int)HASH_DER_LEN
}
},
- [7] = {
+ [3] = {
.type_desc = &sp_pkg8_hash,
.data = {
.ptr = (void *)sp_pkg_hash_buf[7],
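Review bot: `plat_sp_content_cert` carries no comment recording its trust anchor, although it moves the authority over SP packages 5–8 from the SiP certificate to a root certificate (`.parent = NULL`) verified with `prot_pk` and rollback-protected by `non_trusted_nv_ctr`. A short block comment above the descriptor naming those three facts (Platform RoT key, non-trusted NV counter, no parent) would let an auditor see the ownership boundary without going back to the commit message. The `authenticated_data` slots `[0]`–`[3]` also fill `sp_pkg_hash_buf[4]`–`[7]`, so the offset of 4 is an unexplained magic number; a line such as `/* slots 0-3 carry the hashes of SP packages 5-8 */` would make the mapping explicit. The descriptor's closing lines fall between this hunk and the next one.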
@@ -775,14 +806,10 @@ static const auth_img_desc_t sip_sp_content_cert = {
}
};
-DEFINE_SIP_SP_PKG(1);
-DEFINE_SIP_SP_PKG(2);
-DEFINE_SIP_SP_PKG(3);
-DEFINE_SIP_SP_PKG(4);
-DEFINE_SIP_SP_PKG(5);
-DEFINE_SIP_SP_PKG(6);
-DEFINE_SIP_SP_PKG(7);
-DEFINE_SIP_SP_PKG(8);
+DEFINE_PLAT_SP_PKG(5);
+DEFINE_PLAT_SP_PKG(6);
+DEFINE_PLAT_SP_PKG(7);
+DEFINE_PLAT_SP_PKG(8);
#endif /* SPD_spmd */
#else /* IMAGE_BL2 */
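Review bot: `DEFINE_PLAT_SP_PKG` is not defined anywhere in this diff, which is limited to `drivers/`, so the binding of packages 5–8 to `plat_sp_content_cert` and to `sp_pkg5_hash`…`sp_pkg8_hash` cannot be checked from these lines; presumably the macro sits in a header next to `DEFINE_SIP_SP_PKG`. Because the 1–4 / 5–8 split is now written out by hand both here and in the two certificate descriptors, I would add a comment above each group, for example `/* SP packages 5-8: parent is plat_sp_content_cert (Platform RoT) */`, and confirm that the parent and hash descriptor the macro expands to match the slots listed in the certificate.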
@@ -915,6 +942,7 @@ static const auth_img_desc_t * const cot_desc[] = {
[NT_FW_CONFIG_ID] = &nt_fw_config,
#if defined(SPD_spmd)
[SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert,
+ [PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert,
[SP_PKG1_ID] = &sp_pkg1,
[SP_PKG2_ID] = &sp_pkg2,
[SP_PKG3_ID] = &sp_pkg3,