refactor(measured-boot): avoid Measured-Boot dependency on Trusted-Boot

Measured-Boot and Trusted-Boot are orthogonal to each other and hence removed dependency of Trusted-Boot on Measured-Boot by making below changes - 1. BL1 and BL2 main functions are used for initializing Crypto module instead of the authentication module 2. Updated Crypto module registration macro for MEASURED_BOOT with only necessary callbacks for calculating image hashes 3. The 'load_auth_image' function is now used for the image measurement during Trusted or Non-Trusted Boot flow Change-Id: I3570e80bae8ce8f5b58d84bd955aa43e925d9fff Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2021-12-16 10:41:47 +00:00 · 2021-12-16 10:41:47 +00:00 · 0aa0b3afd6
parent c9c56f6e2b
commit 0aa0b3afd6
10 changed files with 72 additions and 79 deletions
--- a/9
+++ b/9
@ -768,15 +768,6 @@ ifeq ($(CTX_INCLUDE_MTE_REGS),1)
    endif
 endif

-# Trusted Boot is a prerequisite for Measured Boot. It provides trust that the
-# code taking the measurements and recording them has not been tampered
-# with. This is referred to as the Root of Trust for Measurement.
-ifeq ($(MEASURED_BOOT),1)
-    ifneq (${TRUSTED_BOARD_BOOT},1)
-        $(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1)
-    endif
-endif
-
 ifeq ($(PSA_FWU_SUPPORT),1)
    $(info PSA_FWU_SUPPORT is an experimental feature)
 endif
--- a/bl1/bl1_main.c
+++ b/bl1/bl1_main.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -15,6 +15,7 @@
 #include <common/bl_common.h>
 #include <common/debug.h>
 #include <drivers/auth/auth_mod.h>
+#include <drivers/auth/crypto_mod.h>
 #include <drivers/console.h>
 #include <lib/cpus/errata_report.h>
 #include <lib/utils.h>
@ -121,10 +122,10 @@ void bl1_main(void)
 	/* Perform remaining generic architectural setup from EL3 */
 	bl1_arch_setup();

-#if TRUSTED_BOARD_BOOT
+	crypto_mod_init();
+
 	/* Initialize authentication module */
 	auth_mod_init();
-#endif /* TRUSTED_BOARD_BOOT */

 	/* Initialize the measured boot */
 	bl1_plat_mboot_init();
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -13,6 +13,7 @@
 #include <common/bl_common.h>
 #include <common/debug.h>
 #include <drivers/auth/auth_mod.h>
+#include <drivers/auth/crypto_mod.h>
 #include <drivers/console.h>
 #include <drivers/fwu/fwu.h>
 #include <lib/extensions/pauth.h>
@ -89,10 +90,10 @@ void bl2_main(void)
 	fwu_init();
 #endif /* PSA_FWU_SUPPORT */

-#if TRUSTED_BOARD_BOOT
+	crypto_mod_init();
+
 	/* Initialize authentication module */
 	auth_mod_init();
-#endif /* TRUSTED_BOARD_BOOT */

 	/* Initialize the Measured Boot backend */
 	bl2_plat_mboot_init();
--- a/common/bl_common.c
+++ b/common/bl_common.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -143,25 +143,6 @@ exit:
 	return io_result;
 }

-/*
- * Load an image and flush it out to main memory so that it can be executed
- * later by any CPU, regardless of cache and MMU state.
- */
-static int load_image_flush(unsigned int image_id,
-			    image_info_t *image_data)
-{
-	int rc;
-
-	rc = load_image(image_id, image_data);
-	if (rc == 0) {
-		flush_dcache_range(image_data->image_base,
-				   image_data->image_size);
-	}
-
-	return rc;
-}
-
-
 #if TRUSTED_BOARD_BOOT
 /*
 * This function uses recursion to authenticate the parent images up to the root
@ -202,30 +183,6 @@ static int load_auth_image_recursive(unsigned int image_id,
 		return -EAUTH;
 	}

-	if (is_parent_image == 0) {
-		/*
-		 * Measure the image.
-		 * We do not measure its parents because these only play a role
-		 * in authentication, which is orthogonal to measured boot.
-		 *
-		 * TODO: Change this code if we change our minds about measuring
-		 * certificates.
-		 */
-		rc = plat_mboot_measure_image(image_id, image_data);
-		if (rc != 0) {
-			return rc;
-		}
-
-		/*
-		 * Flush the image to main memory so that it can be executed
-		 * later by any CPU, regardless of cache and MMU state. This
-		 * is only needed for child images, not for the parents
-		 * (certificates).
-		 */
-		flush_dcache_range(image_data->image_base,
-				   image_data->image_size);
-	}
-
 	return 0;
 }
 #endif /* TRUSTED_BOARD_BOOT */
@ -239,7 +196,7 @@ static int load_auth_image_internal(unsigned int image_id,
 	}
 #endif

-	return load_image_flush(image_id, image_data);
+	return load_image(image_id, image_data);
 }

 /*******************************************************************************
@ -266,6 +223,25 @@ int load_auth_image(unsigned int image_id, image_info_t *image_data)
 	} while ((err != 0) && (plat_try_next_boot_source() != 0));
 #endif /* PSA_FWU_SUPPORT */

+	if (err == 0) {
+		/*
+		 * If loading of the image gets passed (along with its
+		 * authentication in case of Trusted-Boot flow) then measure
+		 * it (if MEASURED_BOOT flag is enabled).
+		 */
+		err = plat_mboot_measure_image(image_id, image_data);
+		if (err != 0) {
+			return err;
+		}
+
+		/*
+		 * Flush the image to main memory so that it can be executed
+		 * later by any CPU, regardless of cache and MMU state.
+		 */
+		flush_dcache_range(image_data->image_base,
+				   image_data->image_size);
+	}
+
 	return err;
 }

--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@ -529,9 +529,9 @@ Common build options
   the build. The default value is 40 in debug builds and 20 in release builds.

 -  ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot
-   feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set as well
-   in order to provide trust that the code taking the measurements and recording
-   them has not been tampered with.
+   feature. This flag can be enabled with ``TRUSTED_BOARD_BOOT`` in order to
+   provide trust that the code taking the measurements and recording them has
+   not been tampered with.

   This option defaults to 0.

--- a/drivers/auth/auth_mod.c
+++ b/drivers/auth/auth_mod.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -339,9 +339,6 @@ void auth_mod_init(void)
 	/* Check we have a valid CoT registered */
 	assert(cot_desc_ptr != NULL);

-	/* Crypto module */
-	crypto_mod_init();
-
 	/* Image parser module */
 	img_parser_init();
 }
--- a/drivers/auth/crypto_mod.c
+++ b/drivers/auth/crypto_mod.c
@ -46,8 +46,13 @@ void crypto_mod_init(void)
 {
 	assert(crypto_lib_desc.name != NULL);
 	assert(crypto_lib_desc.init != NULL);
+#if TRUSTED_BOARD_BOOT
 	assert(crypto_lib_desc.verify_signature != NULL);
 	assert(crypto_lib_desc.verify_hash != NULL);
+#endif /* TRUSTED_BOARD_BOOT */
+#if MEASURED_BOOT
+	assert(crypto_lib_desc.calc_hash != NULL);
+#endif /* MEASURED_BOOT */

 	/* Initialize the cryptographic library */
 	crypto_lib_desc.init();
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -60,6 +60,7 @@ static void init(void)
 	mbedtls_init();
 }

+#if TRUSTED_BOARD_BOOT
 /*
 * Verify a signature.
 *
@ -218,6 +219,7 @@ static int verify_hash(void *data_ptr, unsigned int data_len,

 	return CRYPTO_SUCCESS;
 }
+#endif /* TRUSTED_BOARD_BOOT */

 #if MEASURED_BOOT
 /*
@ -366,7 +368,7 @@ static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
 /*
 * Register crypto library descriptor
 */
-#if MEASURED_BOOT
+#if MEASURED_BOOT && TRUSTED_BOARD_BOOT
 #if TF_MBEDTLS_USE_AES_GCM
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
 		    auth_decrypt);
@ -374,11 +376,13 @@ REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
 		    NULL);
 #endif
-#else /* MEASURED_BOOT */
+#elif TRUSTED_BOARD_BOOT
 #if TF_MBEDTLS_USE_AES_GCM
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash,
 		    auth_decrypt);
 #else
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL);
 #endif
-#endif /* MEASURED_BOOT */
+#elif MEASURED_BOOT
+REGISTER_CRYPTO_LIB(LIB_NAME, init, calc_hash);
+#endif /* MEASURED_BOOT && TRUSTED_BOARD_BOOT */
--- a/include/drivers/auth/auth_mod.h
+++ b/include/drivers/auth/auth_mod.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -7,8 +7,6 @@
 #ifndef AUTH_MOD_H
 #define AUTH_MOD_H

-#if TRUSTED_BOARD_BOOT
-
 #include <common/tbbr/cot_def.h>
 #include <common/tbbr/tbbr_img_def.h>
 #include <drivers/auth/auth_common.h>
@ -46,7 +44,13 @@ typedef struct auth_img_desc_s {
 #endif /* COT_DESC_IN_DTB && !IMAGE_BL1 */

 /* Public functions */
+#if TRUSTED_BOARD_BOOT
 void auth_mod_init(void);
+#else
+static inline void auth_mod_init(void)
+{
+}
+#endif /* TRUSTED_BOARD_BOOT */
 int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id);
 int auth_mod_verify_img(unsigned int img_id,
 			void *img_ptr,
@ -85,6 +89,4 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS];

 #endif

-#endif /* TRUSTED_BOARD_BOOT */
-
 #endif /* AUTH_MOD_H */
--- a/include/drivers/auth/crypto_mod.h
+++ b/include/drivers/auth/crypto_mod.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -76,7 +76,14 @@ typedef struct crypto_lib_desc_s {
 } crypto_lib_desc_t;

 /* Public functions */
+#if CRYPTO_SUPPORT
 void crypto_mod_init(void);
+#else
+static inline void crypto_mod_init(void)
+{
+}
+#endif /* CRYPTO_SUPPORT */
+
 int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len,
 				void *sig_ptr, unsigned int sig_len,
 				void *sig_alg_ptr, unsigned int sig_alg_len,
@ -93,7 +100,9 @@ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
 int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
 			 unsigned int data_len,
 			 unsigned char output[CRYPTO_MD_MAX_SIZE]);
+#endif /* MEASURED_BOOT */

+#if MEASURED_BOOT && TRUSTED_BOARD_BOOT
 /* Macro to register a cryptographic library */
 #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
 			    _calc_hash, _auth_decrypt) \
@ -105,7 +114,7 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
 		.calc_hash = _calc_hash, \
 		.auth_decrypt = _auth_decrypt \
 	}
-#else
+#elif TRUSTED_BOARD_BOOT
 #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
 			    _auth_decrypt) \
 	const crypto_lib_desc_t crypto_lib_desc = { \
@ -115,7 +124,14 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
 		.verify_hash = _verify_hash, \
 		.auth_decrypt = _auth_decrypt \
 	}
-#endif	/* MEASURED_BOOT */
+#elif MEASURED_BOOT
+#define REGISTER_CRYPTO_LIB(_name, _init, _calc_hash) \
+	const crypto_lib_desc_t crypto_lib_desc = { \
+		.name = _name, \
+		.init = _init, \
+		.calc_hash = _calc_hash, \
+	}
+#endif	/* MEASURED_BOOT && TRUSTED_BOARD_BOOT */

 extern const crypto_lib_desc_t crypto_lib_desc;