From 23d5f03ad00a7a815555d52a15f34fdcc958cccd Mon Sep 17 00:00:00 2001 From: Manish Pandey Date: Fri, 24 Jul 2020 16:43:54 +0100 Subject: [PATCH 1/2] cert_create: add Platform owned secure partitions support Add support to generate a certificate named "plat-sp-cert" for Secure Partitions(SP) owned by Platform. Earlier a single certificate file "sip-sp-cert" was generated which contained hash of all 8 SPs, with this change SPs are divided into two categories viz "SiP owned" and "Plat owned" containing 4 SPs each. Platform RoT key pair is used for signing. Signed-off-by: Manish Pandey Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6 --- include/tools_share/firmware_image_package.h | 2 ++ lib/debugfs/devfip.c | 3 ++- make_helpers/tbbr/tbbr_tools.mk | 3 +++ tools/cert_create/include/dualroot/cot.h | 1 + tools/cert_create/src/dualroot/cot.c | 17 ++++++++++++++++- tools/fiptool/tbbr_config.c | 5 +++++ 6 files changed, 29 insertions(+), 2 deletions(-) diff --git a/include/tools_share/firmware_image_package.h b/include/tools_share/firmware_image_package.h index 7342c0ced..bcde04fd1 100644 --- a/include/tools_share/firmware_image_package.h +++ b/include/tools_share/firmware_image_package.h @@ -66,6 +66,8 @@ {{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } #define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \ {{0x77, 0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} } +#define UUID_PLAT_SECURE_PARTITION_CONTENT_CERT \ + {{0xdd, 0xcb, 0xbf, 0x4a}, {0xca, 0xd6}, {0x11, 0xea}, 0x87, 0xd0, {0x02, 0x42, 0xac, 0x13, 0x00, 0x03} } /* Dynamic configs */ #define UUID_HW_CONFIG \ {{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} } diff --git a/lib/debugfs/devfip.c b/lib/debugfs/devfip.c index b0ee39a11..d8b83b7a4 100644 --- a/lib/debugfs/devfip.c +++ b/lib/debugfs/devfip.c @@ -76,7 +76,8 @@ static const struct uuidnames uuidnames[] = { {"fw.cfg", UUID_FW_CONFIG}, {"rot-k.crt", UUID_ROT_KEY_CERT}, {"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT}, - {"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT} + {"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT}, + {"plat-sp.crt", UUID_PLAT_SECURE_PARTITION_CONTENT_CERT} }; /******************************************************************************* diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk index 952093443..9c92d3ffb 100644 --- a/make_helpers/tbbr/tbbr_tools.mk +++ b/make_helpers/tbbr/tbbr_tools.mk @@ -103,4 +103,7 @@ endif # Add SiP owned Secure Partitions CoT (image cert) ifneq (${SP_LAYOUT_FILE},) $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert)) +ifeq (${COT},dualroot) + $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/plat_sp_content.crt,--plat-sp-cert)) +endif endif diff --git a/tools/cert_create/include/dualroot/cot.h b/tools/cert_create/include/dualroot/cot.h index 1d959d465..3e50c8986 100644 --- a/tools/cert_create/include/dualroot/cot.h +++ b/tools/cert_create/include/dualroot/cot.h @@ -23,6 +23,7 @@ enum { /* Certificates owned by the platform owner. */ NON_TRUSTED_FW_CONTENT_CERT, + PLAT_SECURE_PARTITION_CONTENT_CERT, }; /* Certificate extensions. */ diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c index a12ea21ff..4dd4cf033 100644 --- a/tools/cert_create/src/dualroot/cot.c +++ b/tools/cert_create/src/dualroot/cot.c @@ -152,12 +152,27 @@ static cert_t cot_certs[] = { SP_PKG2_HASH_EXT, SP_PKG3_HASH_EXT, SP_PKG4_HASH_EXT, + }, + .num_ext = 5 + }, + + [PLAT_SECURE_PARTITION_CONTENT_CERT] = { + .id = PLAT_SECURE_PARTITION_CONTENT_CERT, + .opt = "plat-sp-cert", + .help_msg = "Platform owned Secure Partition Content Certificate (output file)", + .fn = NULL, + .cn = "Platform owned Secure Partition Content Certificate", + .key = PROT_KEY, + .issuer = PLAT_SECURE_PARTITION_CONTENT_CERT, + .ext = { + NON_TRUSTED_FW_NVCOUNTER_EXT, SP_PKG5_HASH_EXT, SP_PKG6_HASH_EXT, SP_PKG7_HASH_EXT, SP_PKG8_HASH_EXT, + PROT_PK_EXT, }, - .num_ext = 9 + .num_ext = 6 }, [FWU_CERT] = { diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c index bf721c1fa..c1e5217f0 100644 --- a/tools/fiptool/tbbr_config.c +++ b/tools/fiptool/tbbr_config.c @@ -161,6 +161,11 @@ toc_entry_t toc_entries[] = { .uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT, .cmdline_name = "sip-sp-cert" }, + { + .name = "Platform owned Secure Partition content certificate", + .uuid = UUID_PLAT_SECURE_PARTITION_CONTENT_CERT, + .cmdline_name = "plat-sp-cert" + }, { .name = NULL, .uuid = { {0} }, From 2947412d547307019c919e8131353538511f83d9 Mon Sep 17 00:00:00 2001 From: Manish Pandey Date: Fri, 31 Jul 2020 16:25:17 +0100 Subject: [PATCH 2/2] dualroot: add chain of trust for Platform owned SPs For dualroot CoT there are two sets of SP certificates, one owned by Silicon Provider(SiP) and other owned by Platform. Each certificate can have a maximum of 4 SPs. This patch reduces the number of SiP owned SPs from 8 to 4 and adds the remaining 4 to Plat owned SP. Plat owned SP certificate is signed using Platform RoT key and protected against anti-rollback using the Non-trusted Non-volatile counter. Change-Id: Idc3ddd87d6d85a5506a7435f45a6ec17c4c50425 Signed-off-by: Manish Pandey --- drivers/auth/dualroot/cot.c | 52 +++++++++++++++++++++++------- include/common/tbbr/tbbr_img_def.h | 19 +++++------ include/drivers/auth/auth_mod.h | 9 ++++-- 3 files changed, 57 insertions(+), 23 deletions(-) diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c index 68f3d467f..e1e47bca0 100644 --- a/drivers/auth/dualroot/cot.c +++ b/drivers/auth/dualroot/cot.c @@ -743,29 +743,60 @@ static const auth_img_desc_t sip_sp_content_cert = { .ptr = (void *)sp_pkg_hash_buf[3], .len = (unsigned int)HASH_DER_LEN } + } + } +}; + +DEFINE_SIP_SP_PKG(1); +DEFINE_SIP_SP_PKG(2); +DEFINE_SIP_SP_PKG(3); +DEFINE_SIP_SP_PKG(4); + +static const auth_img_desc_t plat_sp_content_cert = { + .img_id = PLAT_SP_CONTENT_CERT_ID, + .img_type = IMG_CERT, + .parent = NULL, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &prot_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } }, - [4] = { + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &non_trusted_nv_ctr, + .plat_nv_ctr = &non_trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { .type_desc = &sp_pkg5_hash, .data = { .ptr = (void *)sp_pkg_hash_buf[4], .len = (unsigned int)HASH_DER_LEN } }, - [5] = { + [1] = { .type_desc = &sp_pkg6_hash, .data = { .ptr = (void *)sp_pkg_hash_buf[5], .len = (unsigned int)HASH_DER_LEN } }, - [6] = { + [2] = { .type_desc = &sp_pkg7_hash, .data = { .ptr = (void *)sp_pkg_hash_buf[6], .len = (unsigned int)HASH_DER_LEN } }, - [7] = { + [3] = { .type_desc = &sp_pkg8_hash, .data = { .ptr = (void *)sp_pkg_hash_buf[7], @@ -775,14 +806,10 @@ static const auth_img_desc_t sip_sp_content_cert = { } }; -DEFINE_SIP_SP_PKG(1); -DEFINE_SIP_SP_PKG(2); -DEFINE_SIP_SP_PKG(3); -DEFINE_SIP_SP_PKG(4); -DEFINE_SIP_SP_PKG(5); -DEFINE_SIP_SP_PKG(6); -DEFINE_SIP_SP_PKG(7); -DEFINE_SIP_SP_PKG(8); +DEFINE_PLAT_SP_PKG(5); +DEFINE_PLAT_SP_PKG(6); +DEFINE_PLAT_SP_PKG(7); +DEFINE_PLAT_SP_PKG(8); #endif /* SPD_spmd */ #else /* IMAGE_BL2 */ @@ -915,6 +942,7 @@ static const auth_img_desc_t * const cot_desc[] = { [NT_FW_CONFIG_ID] = &nt_fw_config, #if defined(SPD_spmd) [SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert, + [PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert, [SP_PKG1_ID] = &sp_pkg1, [SP_PKG2_ID] = &sp_pkg2, [SP_PKG3_ID] = &sp_pkg3, diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h index b29b1354c..bd125e672 100644 --- a/include/common/tbbr/tbbr_img_def.h +++ b/include/common/tbbr/tbbr_img_def.h @@ -11,16 +11,17 @@ #if defined(SPD_spmd) #define SIP_SP_CONTENT_CERT_ID MAX_IMAGE_IDS -#define SP_PKG1_ID (MAX_IMAGE_IDS + 1) -#define SP_PKG2_ID (MAX_IMAGE_IDS + 2) -#define SP_PKG3_ID (MAX_IMAGE_IDS + 3) -#define SP_PKG4_ID (MAX_IMAGE_IDS + 4) -#define SP_PKG5_ID (MAX_IMAGE_IDS + 5) -#define SP_PKG6_ID (MAX_IMAGE_IDS + 6) -#define SP_PKG7_ID (MAX_IMAGE_IDS + 7) -#define SP_PKG8_ID (MAX_IMAGE_IDS + 8) +#define PLAT_SP_CONTENT_CERT_ID (MAX_IMAGE_IDS + 1) +#define SP_PKG1_ID (MAX_IMAGE_IDS + 2) +#define SP_PKG2_ID (MAX_IMAGE_IDS + 3) +#define SP_PKG3_ID (MAX_IMAGE_IDS + 4) +#define SP_PKG4_ID (MAX_IMAGE_IDS + 5) +#define SP_PKG5_ID (MAX_IMAGE_IDS + 6) +#define SP_PKG6_ID (MAX_IMAGE_IDS + 7) +#define SP_PKG7_ID (MAX_IMAGE_IDS + 8) +#define SP_PKG8_ID (MAX_IMAGE_IDS + 9) #define MAX_SP_IDS U(8) -#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(1)) +#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(2)) #else #define MAX_NUMBER_IDS MAX_IMAGE_IDS #endif diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h index 504e53939..3965b58e7 100644 --- a/include/drivers/auth/auth_mod.h +++ b/include/drivers/auth/auth_mod.h @@ -51,11 +51,15 @@ extern const size_t cot_desc_size; extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; #if defined(SPD_spmd) -#define DEFINE_SIP_SP_PKG(n) \ + +#define DEFINE_SIP_SP_PKG(n) DEFINE_SP_PKG(n, sip_sp_content_cert) +#define DEFINE_PLAT_SP_PKG(n) DEFINE_SP_PKG(n, plat_sp_content_cert) + +#define DEFINE_SP_PKG(n, cert) \ static const auth_img_desc_t sp_pkg##n = { \ .img_id = SP_PKG##n##_ID, \ .img_type = IMG_RAW, \ - .parent = &sip_sp_content_cert, \ + .parent = &cert, \ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \ [0] = { \ .type = AUTH_METHOD_HASH, \ @@ -66,6 +70,7 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; } \ } \ } + #endif #endif /* TRUSTED_BOARD_BOOT */