1 /*
2  * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <stddef.h>
8 
9 #include <drivers/auth/auth_mod.h>
10 #include MBEDTLS_CONFIG_FILE
11 #include <drivers/auth/tbbr_cot_common.h>
12 
13 #if USE_TBBR_DEFS
14 #include <tools_share/tbbr_oid.h>
15 #else
16 #include <platform_oid.h>
17 #endif
18 #include <platform_def.h>
19 
20 
21 static unsigned char trusted_world_pk_buf[PK_DER_LEN];
22 static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
23 static unsigned char content_pk_buf[PK_DER_LEN];
24 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
25 
26 static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
27 		AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
28 static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
29 		AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
30 static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
31 		AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
32 static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
33 		AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
34 static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
35 		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
36 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
37 		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
38 /*
39  * Trusted key certificate
40  */
41 static const auth_img_desc_t trusted_key_cert = {
42 	.img_id = TRUSTED_KEY_CERT_ID,
43 	.img_type = IMG_CERT,
44 	.parent = NULL,
45 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
46 		[0] = {
47 			.type = AUTH_METHOD_SIG,
48 			.param.sig = {
49 				.pk = &subject_pk,
50 				.sig = &sig,
51 				.alg = &sig_alg,
52 				.data = &raw_data
53 			}
54 		},
55 		[1] = {
56 			.type = AUTH_METHOD_NV_CTR,
57 			.param.nv_ctr = {
58 				.cert_nv_ctr = &trusted_nv_ctr,
59 				.plat_nv_ctr = &trusted_nv_ctr
60 			}
61 		}
62 	},
63 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
64 		[0] = {
65 			.type_desc = &trusted_world_pk,
66 			.data = {
67 				.ptr = (void *)trusted_world_pk_buf,
68 				.len = (unsigned int)PK_DER_LEN
69 			}
70 		},
71 		[1] = {
72 			.type_desc = &non_trusted_world_pk,
73 			.data = {
74 				.ptr = (void *)non_trusted_world_pk_buf,
75 				.len = (unsigned int)PK_DER_LEN
76 			}
77 		}
78 	}
79 };
80 /*
81  * Non-Trusted Firmware
82  */
83 static const auth_img_desc_t non_trusted_fw_key_cert = {
84 	.img_id = NON_TRUSTED_FW_KEY_CERT_ID,
85 	.img_type = IMG_CERT,
86 	.parent = &trusted_key_cert,
87 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
88 		[0] = {
89 			.type = AUTH_METHOD_SIG,
90 			.param.sig = {
91 				.pk = &non_trusted_world_pk,
92 				.sig = &sig,
93 				.alg = &sig_alg,
94 				.data = &raw_data
95 			}
96 		},
97 		[1] = {
98 			.type = AUTH_METHOD_NV_CTR,
99 			.param.nv_ctr = {
100 				.cert_nv_ctr = &non_trusted_nv_ctr,
101 				.plat_nv_ctr = &non_trusted_nv_ctr
102 			}
103 		}
104 	},
105 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
106 		[0] = {
107 			.type_desc = &nt_fw_content_pk,
108 			.data = {
109 				.ptr = (void *)content_pk_buf,
110 				.len = (unsigned int)PK_DER_LEN
111 			}
112 		}
113 	}
114 };
115 static const auth_img_desc_t non_trusted_fw_content_cert = {
116 	.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
117 	.img_type = IMG_CERT,
118 	.parent = &non_trusted_fw_key_cert,
119 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
120 		[0] = {
121 			.type = AUTH_METHOD_SIG,
122 			.param.sig = {
123 				.pk = &nt_fw_content_pk,
124 				.sig = &sig,
125 				.alg = &sig_alg,
126 				.data = &raw_data
127 			}
128 		},
129 		[1] = {
130 			.type = AUTH_METHOD_NV_CTR,
131 			.param.nv_ctr = {
132 				.cert_nv_ctr = &non_trusted_nv_ctr,
133 				.plat_nv_ctr = &non_trusted_nv_ctr
134 			}
135 		}
136 	},
137 	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
138 		[0] = {
139 			.type_desc = &nt_world_bl_hash,
140 			.data = {
141 				.ptr = (void *)nt_world_bl_hash_buf,
142 				.len = (unsigned int)HASH_DER_LEN
143 			}
144 		},
145 		[1] = {
146 			.type_desc = &nt_fw_config_hash,
147 			.data = {
148 				.ptr = (void *)nt_fw_config_hash_buf,
149 				.len = (unsigned int)HASH_DER_LEN
150 			}
151 		}
152 	}
153 };
154 static const auth_img_desc_t bl33_image = {
155 	.img_id = BL33_IMAGE_ID,
156 	.img_type = IMG_RAW,
157 	.parent = &non_trusted_fw_content_cert,
158 	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
159 		[0] = {
160 			.type = AUTH_METHOD_HASH,
161 			.param.hash = {
162 				.data = &raw_data,
163 				.hash = &nt_world_bl_hash
164 			}
165 		}
166 	}
167 };
168 
169 static const auth_img_desc_t * const cot_desc[] = {
170 	[TRUSTED_KEY_CERT_ID]			=	&trusted_key_cert,
171 	[NON_TRUSTED_FW_KEY_CERT_ID]		=	&non_trusted_fw_key_cert,
172 	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
173 	[BL33_IMAGE_ID]				=	&bl33_image,
174 };
175 
176 /* Register the CoT in the authentication module */
177 REGISTER_COT(cot_desc);
178