Merge pull request #1386 from soby-mathew/sm/dyn_bl31
Extend dynamic configuration
commit
0d018306d4
16
Makefile
16
Makefile
|
@ -401,6 +401,16 @@ ifeq ($(FAULT_INJECTION_SUPPORT),1)
|
|||
endif
|
||||
endif
|
||||
|
||||
# DYN_DISABLE_AUTH can be set only when TRUSTED_BOARD_BOOT=1 and LOAD_IMAGE_V2=1
|
||||
ifeq ($(DYN_DISABLE_AUTH), 1)
|
||||
ifeq (${TRUSTED_BOARD_BOOT}, 0)
|
||||
$(error "TRUSTED_BOARD_BOOT must be enabled for DYN_DISABLE_AUTH to be set.")
|
||||
endif
|
||||
ifeq (${LOAD_IMAGE_V2}, 0)
|
||||
$(error "DYN_DISABLE_AUTH is only supported for LOAD_IMAGE_V2.")
|
||||
endif
|
||||
endif
|
||||
|
||||
################################################################################
|
||||
# Process platform overrideable behaviour
|
||||
################################################################################
|
||||
|
@ -517,6 +527,7 @@ $(eval $(call assert_boolean,CTX_INCLUDE_AARCH32_REGS))
|
|||
$(eval $(call assert_boolean,CTX_INCLUDE_FPREGS))
|
||||
$(eval $(call assert_boolean,DEBUG))
|
||||
$(eval $(call assert_boolean,DISABLE_PEDANTIC))
|
||||
$(eval $(call assert_boolean,DYN_DISABLE_AUTH))
|
||||
$(eval $(call assert_boolean,EL3_EXCEPTION_HANDLING))
|
||||
$(eval $(call assert_boolean,ENABLE_AMU))
|
||||
$(eval $(call assert_boolean,ENABLE_ASSERTIONS))
|
||||
|
@ -620,6 +631,11 @@ else
|
|||
$(eval $(call add_define,AARCH64))
|
||||
endif
|
||||
|
||||
# Define the DYN_DISABLE_AUTH flag only if set.
|
||||
ifeq (${DYN_DISABLE_AUTH},1)
|
||||
$(eval $(call add_define,DYN_DISABLE_AUTH))
|
||||
endif
|
||||
|
||||
################################################################################
|
||||
# Build targets
|
||||
################################################################################
|
||||
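Review bot: The new `DYN_DISABLE_AUTH` guard only checks that `TRUSTED_BOARD_BOOT` and `LOAD_IMAGE_V2` are set, so a release (`DEBUG=0`) build can carry the authentication bypass with no build-time signal. The option is described as development-only, so consider adding `$(warning "DYN_DISABLE_AUTH is enabled: image authentication can be switched off at boot")` inside the `ifeq ($(DYN_DISABLE_AUTH), 1)` block. If the project wants the restriction enforced rather than advertised, an `$(error ...)` when `DEBUG` is 0 would do that.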
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2013-2018, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -17,6 +17,35 @@
|
|||
#include <utils.h>
|
||||
#include <xlat_tables_defs.h>
|
||||
|
||||
#if TRUSTED_BOARD_BOOT
|
||||
# ifdef DYN_DISABLE_AUTH
|
||||
static int disable_auth;
|
||||
|
||||
/******************************************************************************
|
||||
* API to dynamically disable authentication. Only meant for development
|
||||
* systems. This is only invoked if DYN_DISABLE_AUTH is defined. This
|
||||
* capability is restricted to LOAD_IMAGE_V2.
|
||||
*****************************************************************************/
|
||||
void dyn_disable_auth(void)
|
||||
{
|
||||
INFO("Disabling authentication of images dynamically\n");
|
||||
disable_auth = 1;
|
||||
}
|
||||
# endif /* DYN_DISABLE_AUTH */
|
||||
|
||||
/******************************************************************************
|
||||
* Function to determine whether the authentication is disabled dynamically.
|
||||
*****************************************************************************/
|
||||
static int dyn_is_auth_disabled(void)
|
||||
{
|
||||
# ifdef DYN_DISABLE_AUTH
|
||||
return disable_auth;
|
||||
# else
|
||||
return 0;
|
||||
# endif
|
||||
}
|
||||
#endif /* TRUSTED_BOARD_BOOT */
|
||||
|
||||
uintptr_t page_align(uintptr_t value, unsigned dir)
|
||||
{
|
||||
/* Round up the limit to the next page boundary */
|
||||
|
@ -287,14 +316,16 @@ static int load_auth_image_internal(unsigned int image_id,
|
|||
int rc;
|
||||
|
||||
#if TRUSTED_BOARD_BOOT
|
||||
unsigned int parent_id;
|
||||
if (dyn_is_auth_disabled() == 0) {
|
||||
unsigned int parent_id;
|
||||
|
||||
/* Use recursion to authenticate parent images */
|
||||
rc = auth_mod_get_parent_id(image_id, &parent_id);
|
||||
if (rc == 0) {
|
||||
rc = load_auth_image_internal(parent_id, image_data, 1);
|
||||
if (rc != 0) {
|
||||
return rc;
|
||||
/* Use recursion to authenticate parent images */
|
||||
rc = auth_mod_get_parent_id(image_id, &parent_id);
|
||||
if (rc == 0) {
|
||||
rc = load_auth_image_internal(parent_id, image_data, 1);
|
||||
if (rc != 0) {
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* TRUSTED_BOARD_BOOT */
|
||||
|
@ -306,17 +337,19 @@ static int load_auth_image_internal(unsigned int image_id,
|
|||
}
|
||||
|
||||
#if TRUSTED_BOARD_BOOT
|
||||
/* Authenticate it */
|
||||
rc = auth_mod_verify_img(image_id,
|
||||
(void *)image_data->image_base,
|
||||
image_data->image_size);
|
||||
if (rc != 0) {
|
||||
/* Authentication error, zero memory and flush it right away. */
|
||||
zero_normalmem((void *)image_data->image_base,
|
||||
image_data->image_size);
|
||||
flush_dcache_range(image_data->image_base,
|
||||
image_data->image_size);
|
||||
return -EAUTH;
|
||||
if (dyn_is_auth_disabled() == 0) {
|
||||
/* Authenticate it */
|
||||
rc = auth_mod_verify_img(image_id,
|
||||
(void *)image_data->image_base,
|
||||
image_data->image_size);
|
||||
if (rc != 0) {
|
||||
/* Authentication error, zero memory and flush it right away. */
|
||||
zero_normalmem((void *)image_data->image_base,
|
||||
image_data->image_size);
|
||||
flush_dcache_range(image_data->image_base,
|
||||
image_data->image_size);
|
||||
return -EAUTH;
|
||||
}
|
||||
}
|
||||
#endif /* TRUSTED_BOARD_BOOT */
|
||||
|
||||
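Review bot: `dyn_disable_auth()` reports the bypass with `INFO`, which is presumably compiled out at the lower log level release builds use, so a boot that skips authentication may leave no trace on the console. A level that survives would be safer, e.g. `NOTICE("Disabling authentication of images dynamically\n");`. Consider also a one-line `WARN` naming `image_id` on the path in `load_auth_image_internal` where `dyn_is_auth_disabled()` is non-zero, so each image loaded unverified is recorded. The header comment should state that the flag is a one-way latch, since nothing in the visible hunks clears `disable_auth` once it is set. `load_auth_image_internal` starts and ends outside these hunks.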
|
|
|
@ -323,6 +323,11 @@ Common build options
|
|||
- ``DEBUG``: Chooses between a debug and release build. It can take either 0
|
||||
(release) or 1 (debug) as values. 0 is the default.
|
||||
|
||||
- ``DYN_DISABLE_AUTH``: Enables the capability to disable Trusted Board Boot
|
||||
authentication. This option is only meant to be enabled for development
|
||||
platforms. Both TRUSTED_BOARD_BOOT and the LOAD_IMAGE_V2 flags need to be
|
||||
set if this flag has to be enabled. 0 is the default.
|
||||
|
||||
- ``EL3_PAYLOAD_BASE``: This option enables booting an EL3 payload instead of
|
||||
the normal boot flow. It must specify the entry point address of the EL3
|
||||
payload. Please refer to the "Booting an EL3 payload" section for more
|
||||
|
|
|
@ -38,6 +38,9 @@ static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
|
|||
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
|
||||
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
|
||||
static unsigned char content_pk_buf[PK_DER_LEN];
|
||||
static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
|
||||
static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
|
||||
|
||||
/*
|
||||
* Parameter type descriptors
|
||||
|
@ -80,14 +83,20 @@ static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
|
|||
AUTH_PARAM_HASH, SCP_FW_HASH_OID);
|
||||
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
|
||||
static auth_param_type_desc_t soc_fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, SOC_FW_CONFIG_HASH_OID);
|
||||
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
|
||||
static auth_param_type_desc_t tos_fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, TRUSTED_OS_FW_CONFIG_HASH_OID);
|
||||
static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID);
|
||||
static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID);
|
||||
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
|
||||
static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
|
||||
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
|
||||
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
|
||||
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
|
||||
|
@ -379,6 +388,13 @@ static const auth_img_desc_t cot_desc[] = {
|
|||
.ptr = (void *)soc_fw_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[1] = {
|
||||
.type_desc = &soc_fw_config_hash,
|
||||
.data = {
|
||||
.ptr = (void *)soc_fw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -396,6 +412,21 @@ static const auth_img_desc_t cot_desc[] = {
|
|||
}
|
||||
}
|
||||
},
|
||||
/* SOC FW Config */
|
||||
[SOC_FW_CONFIG_ID] = {
|
||||
.img_id = SOC_FW_CONFIG_ID,
|
||||
.img_type = IMG_RAW,
|
||||
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
|
||||
.img_auth_methods = {
|
||||
[0] = {
|
||||
.type = AUTH_METHOD_HASH,
|
||||
.param.hash = {
|
||||
.data = &raw_data,
|
||||
.hash = &soc_fw_config_hash,
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
/*
|
||||
* Trusted OS Firmware
|
||||
*/
|
||||
|
@ -474,6 +505,13 @@ static const auth_img_desc_t cot_desc[] = {
|
|||
.ptr = (void *)tos_fw_extra2_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[3] = {
|
||||
.type_desc = &tos_fw_config_hash,
|
||||
.data = {
|
||||
.ptr = (void *)tos_fw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -519,6 +557,21 @@ static const auth_img_desc_t cot_desc[] = {
|
|||
}
|
||||
}
|
||||
},
|
||||
/* TOS FW Config */
|
||||
[TOS_FW_CONFIG_ID] = {
|
||||
.img_id = TOS_FW_CONFIG_ID,
|
||||
.img_type = IMG_RAW,
|
||||
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
|
||||
.img_auth_methods = {
|
||||
[0] = {
|
||||
.type = AUTH_METHOD_HASH,
|
||||
.param.hash = {
|
||||
.data = &raw_data,
|
||||
.hash = &tos_fw_config_hash,
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
/*
|
||||
* Non-Trusted Firmware
|
||||
*/
|
||||
|
@ -583,6 +636,13 @@ static const auth_img_desc_t cot_desc[] = {
|
|||
.ptr = (void *)nt_world_bl_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[1] = {
|
||||
.type_desc = &nt_fw_config_hash,
|
||||
.data = {
|
||||
.ptr = (void *)nt_fw_config_hash_buf,
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -600,6 +660,21 @@ static const auth_img_desc_t cot_desc[] = {
|
|||
}
|
||||
}
|
||||
},
|
||||
/* NT FW Config */
|
||||
[NT_FW_CONFIG_ID] = {
|
||||
.img_id = NT_FW_CONFIG_ID,
|
||||
.img_type = IMG_RAW,
|
||||
.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
|
||||
.img_auth_methods = {
|
||||
[0] = {
|
||||
.type = AUTH_METHOD_HASH,
|
||||
.param.hash = {
|
||||
.data = &raw_data,
|
||||
.hash = &nt_fw_config_hash,
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
/*
|
||||
* FWU auth descriptor.
|
||||
*/
|
||||
|
|
|
@ -233,6 +233,14 @@ void reserve_mem(uintptr_t *free_base, size_t *free_size,
|
|||
|
||||
#endif /* LOAD_IMAGE_V2 */
|
||||
|
||||
#if TRUSTED_BOARD_BOOT && defined(DYN_DISABLE_AUTH)
|
||||
/*
|
||||
* API to dynamically disable authentication. Only meant for development
|
||||
* systems.
|
||||
*/
|
||||
void dyn_disable_auth(void);
|
||||
#endif
|
||||
|
||||
extern const char build_message[];
|
||||
extern const char version_string[];
|
||||
|
||||
|
|
|
@ -87,7 +87,7 @@
|
|||
#if TRUSTED_BOARD_BOOT
|
||||
# define PLAT_ARM_MAX_BL2_SIZE 0x1E000
|
||||
#else
|
||||
# define PLAT_ARM_MAX_BL2_SIZE 0xF000
|
||||
# define PLAT_ARM_MAX_BL2_SIZE 0x10000
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
|
|
@ -317,7 +317,7 @@
|
|||
* and limit. Leave enough space of BL2 meminfo.
|
||||
*/
|
||||
#define ARM_TB_FW_CONFIG_BASE ARM_BL_RAM_BASE + sizeof(meminfo_t)
|
||||
#define ARM_TB_FW_CONFIG_LIMIT BL2_LIMIT
|
||||
#define ARM_TB_FW_CONFIG_LIMIT BL2_BASE
|
||||
|
||||
/*******************************************************************************
|
||||
* BL1 specific defines.
|
||||
|
|
|
@ -9,8 +9,9 @@
|
|||
#include <stdint.h>
|
||||
|
||||
/* Function declaration */
|
||||
int arm_dyn_get_hwconfig_info(void *dtb, int node,
|
||||
uint64_t *hw_config_addr, uint32_t *hw_config_size);
|
||||
int arm_dyn_get_config_load_info(void *dtb, int node, unsigned int config_id,
|
||||
uint64_t *config_addr, uint32_t *config_size);
|
||||
int arm_dyn_tb_fw_cfg_init(void *dtb, int *node);
|
||||
int arm_dyn_get_disable_auth(void *dtb, int node, uint32_t *disable_auth);
|
||||
|
||||
#endif /* __ARM_DYN_CFG_HELPERS_H__ */
|
||||
|
|
|
@ -68,6 +68,12 @@
|
|||
{0xd9f1b808, 0xcfc9, 0x4993, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
|
||||
#define UUID_TB_FW_CONFIG \
|
||||
{0xff58046c, 0x6baf, 0x4f7d, 0x82, 0xed, {0xaa, 0x27, 0xbc, 0x69, 0xbf, 0xd2} }
|
||||
#define UUID_SOC_FW_CONFIG \
|
||||
{0x4b817999, 0x7603, 0x46fb, 0x8c, 0x8e, {0x8d, 0x26, 0x7f, 0x78, 0x59, 0xe0} }
|
||||
#define UUID_TOS_FW_CONFIG \
|
||||
{0x1a7c2526, 0xc6bd, 0x477f, 0x8d, 0x96, {0xc4, 0xc4, 0xb0, 0x24, 0x80, 0x21} }
|
||||
#define UUID_NT_FW_CONFIG \
|
||||
{0x1598da28, 0xe893, 0x447e, 0xac, 0x66, {0x1a, 0xaf, 0x80, 0x15, 0x50, 0xf9} }
|
||||
|
||||
typedef struct fip_toc_header {
|
||||
uint32_t name;
|
||||
|
|
|
@ -75,7 +75,6 @@
|
|||
/* SoCFirmwareContentCertPK */
|
||||
#define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501"
|
||||
|
||||
|
||||
/*
|
||||
* SoC Firmware Content Certificate
|
||||
*/
|
||||
|
@ -86,7 +85,8 @@
|
|||
#define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602"
|
||||
/* SoCAPFirmwareHash - BL31 */
|
||||
#define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603"
|
||||
|
||||
/* SoCFirmwareConfigHash = SOC_FW_CONFIG */
|
||||
#define SOC_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.604"
|
||||
|
||||
/*
|
||||
* SCP Firmware Key Certificate
|
||||
|
@ -124,6 +124,8 @@
|
|||
#define TRUSTED_OS_FW_EXTRA1_HASH_OID "1.3.6.1.4.1.4128.2100.1002"
|
||||
/* TrustedOSExtra2FirmwareHash - BL32 Extra2 */
|
||||
#define TRUSTED_OS_FW_EXTRA2_HASH_OID "1.3.6.1.4.1.4128.2100.1003"
|
||||
/* TrustedOSFirmwareConfigHash - TOS_FW_CONFIG */
|
||||
#define TRUSTED_OS_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.1004"
|
||||
|
||||
|
||||
/*
|
||||
|
@ -140,5 +142,7 @@
|
|||
|
||||
/* NonTrustedWorldBootloaderHash - BL33 */
|
||||
#define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201"
|
||||
/* NonTrustedFirmwareConfigHash - NT_FW_CONFIG */
|
||||
#define NON_TRUSTED_FW_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.1202"
|
||||
|
||||
#endif /* __TBBR_OID_H__ */
|
||||
|
|
|
@ -58,6 +58,10 @@ DEBUG := 0
|
|||
# Build platform
|
||||
DEFAULT_PLAT := fvp
|
||||
|
||||
# Enable capability to disable authentication dynamically. Only meant for
|
||||
# development platforms.
|
||||
DYN_DISABLE_AUTH := 0
|
||||
|
||||
# Flag to enable Performance Measurement Framework
|
||||
ENABLE_PMF := 0
|
||||
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
/*
|
||||
* Copyright (c) 2018, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/dts-v1/;
|
||||
|
||||
/ {
|
||||
|
||||
};
|
|
@ -0,0 +1,11 @@
|
|||
/*
|
||||
* Copyright (c) 2018, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/dts-v1/;
|
||||
|
||||
/ {
|
||||
|
||||
};
|
|
@ -12,5 +12,19 @@
|
|||
compatible = "arm,tb_fw";
|
||||
hw_config_addr = <0x0 0x82000000>;
|
||||
hw_config_max_size = <0x01000000>;
|
||||
/* Disable authentication for development */
|
||||
disable_auth = <0x1>;
|
||||
/*
|
||||
* Load SoC and TOS firmware configs at the base of
|
||||
* non shared SRAM. The runtime checks ensure we don't
|
||||
* overlap BL2, BL31 or BL32. The NT firmware config
|
||||
* is loaded at base of DRAM.
|
||||
*/
|
||||
soc_fw_config_addr = <0x0 0x04001000>;
|
||||
soc_fw_config_max_size = <0x200>;
|
||||
tos_fw_config_addr = <0x0 0x04001200>;
|
||||
tos_fw_config_max_size = <0x200>;
|
||||
nt_fw_config_addr = <0x0 0x80000000>;
|
||||
nt_fw_config_max_size = <0x200>;
|
||||
};
|
||||
};
|
||||
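Review bot: `disable_auth = <0x1>;` makes the in-tree TB_FW_CONFIG switch authentication off by default. The platform makefile section of this commit also sets `DYN_DISABLE_AUTH := 1` whenever `TRUSTED_BOARD_BOOT` and `LOAD_IMAGE_V2` are 1, so a stock Trusted Board Boot build for this platform would load later images unverified. Defaulting to `disable_auth = <0x0>;` keeps the chain of trust exercised out of the box and leaves the bypass as an explicit developer opt-in. If the default stays, the comment should say so plainly, e.g. `/* Images loaded after this config are NOT authenticated; set to 0 to exercise Trusted Board Boot */`. The enclosing node opens outside the hunk.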
|
|
|
@ -0,0 +1,11 @@
|
|||
/*
|
||||
* Copyright (c) 2018, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/dts-v1/;
|
||||
|
||||
/ {
|
||||
|
||||
};
|
|
@ -166,11 +166,30 @@ BL31_SOURCES += drivers/arm/smmu/smmu_v3.c \
|
|||
# Add the FDT_SOURCES and options for Dynamic Config (only for Unix env)
|
||||
ifdef UNIX_MK
|
||||
FVP_HW_CONFIG_DTS := fdts/${FVP_DT_PREFIX}.dts
|
||||
FDT_SOURCES += plat/arm/board/fvp/fdts/${PLAT}_tb_fw_config.dts
|
||||
FDT_SOURCES += $(addprefix plat/arm/board/fvp/fdts/, \
|
||||
${PLAT}_tb_fw_config.dts \
|
||||
${PLAT}_soc_fw_config.dts \
|
||||
${PLAT}_nt_fw_config.dts \
|
||||
)
|
||||
|
||||
FVP_TB_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_tb_fw_config.dtb
|
||||
FVP_SOC_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_soc_fw_config.dtb
|
||||
FVP_NT_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_nt_fw_config.dtb
|
||||
|
||||
ifeq (${SPD},tspd)
|
||||
FDT_SOURCES += plat/arm/board/fvp/fdts/${PLAT}_tsp_fw_config.dts
|
||||
FVP_TOS_FW_CONFIG := ${BUILD_PLAT}/fdts/${PLAT}_tsp_fw_config.dtb
|
||||
|
||||
# Add the TOS_FW_CONFIG to FIP and specify the same to certtool
|
||||
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_TOS_FW_CONFIG},--tos-fw-config))
|
||||
endif
|
||||
|
||||
# Add the TB_FW_CONFIG to FIP and specify the same to certtool
|
||||
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_TB_FW_CONFIG},--tb-fw-config))
|
||||
# Add the SOC_FW_CONFIG to FIP and specify the same to certtool
|
||||
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_SOC_FW_CONFIG},--soc-fw-config))
|
||||
# Add the NT_FW_CONFIG to FIP and specify the same to certtool
|
||||
$(eval $(call TOOL_ADD_PAYLOAD,${FVP_NT_FW_CONFIG},--nt-fw-config))
|
||||
|
||||
FDT_SOURCES += ${FVP_HW_CONFIG_DTS}
|
||||
$(eval FVP_HW_CONFIG := ${BUILD_PLAT}/$(patsubst %.dts,%.dtb,$(FVP_HW_CONFIG_DTS)))
|
||||
|
@ -208,3 +227,11 @@ endif
|
|||
|
||||
include plat/arm/board/common/board_common.mk
|
||||
include plat/arm/common/arm_common.mk
|
||||
|
||||
# FVP being a development platform, enable capability to disable Authentication
|
||||
# dynamically if TRUSTED_BOARD_BOOT and LOAD_IMAGE_V2 is set.
|
||||
ifeq (${TRUSTED_BOARD_BOOT}, 1)
|
||||
ifeq (${LOAD_IMAGE_V2}, 1)
|
||||
DYN_DISABLE_AUTH := 1
|
||||
endif
|
||||
endif
|
||||
|
|
|
@ -91,6 +91,15 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
|
|||
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
|
||||
.next_handoff_image_id = INVALID_IMAGE_ID,
|
||||
},
|
||||
/* Fill SOC_FW_CONFIG related information */
|
||||
{
|
||||
.image_id = SOC_FW_CONFIG_ID,
|
||||
SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY,
|
||||
VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE),
|
||||
SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY,
|
||||
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
|
||||
.next_handoff_image_id = INVALID_IMAGE_ID,
|
||||
},
|
||||
# ifdef BL32_BASE
|
||||
/* Fill BL32 related information */
|
||||
{
|
||||
|
@ -144,6 +153,16 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
|
|||
#endif
|
||||
.next_handoff_image_id = INVALID_IMAGE_ID,
|
||||
},
|
||||
|
||||
/* Fill TOS_FW_CONFIG related information */
|
||||
{
|
||||
.image_id = TOS_FW_CONFIG_ID,
|
||||
SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY,
|
||||
VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE),
|
||||
SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY,
|
||||
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
|
||||
.next_handoff_image_id = INVALID_IMAGE_ID,
|
||||
},
|
||||
# endif /* BL32_BASE */
|
||||
|
||||
/* Fill BL33 related information */
|
||||
|
@ -166,6 +185,15 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
|
|||
# endif /* PRELOADED_BL33_BASE */
|
||||
|
||||
.next_handoff_image_id = INVALID_IMAGE_ID,
|
||||
},
|
||||
/* Fill NT_FW_CONFIG related information */
|
||||
{
|
||||
.image_id = NT_FW_CONFIG_ID,
|
||||
SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY,
|
||||
VERSION_2, entry_point_info_t, NON_SECURE | NON_EXECUTABLE),
|
||||
SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY,
|
||||
VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
|
||||
.next_handoff_image_id = INVALID_IMAGE_ID,
|
||||
}
|
||||
#endif /* EL3_PAYLOAD_BASE */
|
||||
};
|
||||
|
|
|
@ -207,14 +207,21 @@ void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1, u_register_
|
|||
}
|
||||
|
||||
/*
|
||||
* Perform ARM standard platform setup.
|
||||
* Perform BL2 preload setup. Currently we initialise the dynamic
|
||||
* configuration here.
|
||||
*/
|
||||
void arm_bl2_platform_setup(void)
|
||||
void bl2_plat_preload_setup(void)
|
||||
{
|
||||
#if LOAD_IMAGE_V2
|
||||
arm_bl2_dyn_cfg_init();
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* Perform ARM standard platform setup.
|
||||
*/
|
||||
void arm_bl2_platform_setup(void)
|
||||
{
|
||||
/* Initialize the secure environment */
|
||||
plat_arm_security_setup();
|
||||
|
||||
|
|
|
@ -157,7 +157,6 @@ BL1_SOURCES += drivers/arm/sp805/sp805.c \
|
|||
drivers/io/io_memmap.c \
|
||||
drivers/io/io_storage.c \
|
||||
plat/arm/common/arm_bl1_setup.c \
|
||||
plat/arm/common/arm_dyn_cfg.c \
|
||||
plat/arm/common/arm_err.c \
|
||||
plat/arm/common/arm_io_storage.c
|
||||
ifdef EL3_PAYLOAD_BASE
|
||||
|
@ -177,11 +176,15 @@ BL2_SOURCES += drivers/delay_timer/delay_timer.c \
|
|||
|
||||
# Add `libfdt` and Arm common helpers required for Dynamic Config
|
||||
include lib/libfdt/libfdt.mk
|
||||
BL2_SOURCES += plat/arm/common/arm_dyn_cfg.c \
|
||||
|
||||
DYN_CFG_SOURCES += plat/arm/common/arm_dyn_cfg.c \
|
||||
plat/arm/common/arm_dyn_cfg_helpers.c \
|
||||
common/fdt_wrappers.c \
|
||||
${LIBFDT_SRCS}
|
||||
|
||||
BL1_SOURCES += ${DYN_CFG_SOURCES}
|
||||
BL2_SOURCES += ${DYN_CFG_SOURCES}
|
||||
|
||||
ifeq (${BL2_AT_EL3},1)
|
||||
BL2_SOURCES += plat/arm/common/arm_bl2_el3_setup.c
|
||||
endif
|
||||
|
|
|
@ -54,6 +54,24 @@ void arm_load_tb_fw_config(void)
|
|||
|
||||
INFO("BL1: TB_FW_CONFIG loaded at address = %p\n",
|
||||
(void *) config_base);
|
||||
|
||||
#if TRUSTED_BOARD_BOOT && defined(DYN_DISABLE_AUTH)
|
||||
int tb_fw_node;
|
||||
uint32_t disable_auth = 0;
|
||||
|
||||
err = arm_dyn_tb_fw_cfg_init((void *)config_base, &tb_fw_node);
|
||||
if (err < 0) {
|
||||
WARN("Invalid TB_FW_CONFIG loaded\n");
|
||||
return;
|
||||
}
|
||||
|
||||
err = arm_dyn_get_disable_auth((void *)config_base, tb_fw_node, &disable_auth);
|
||||
if (err < 0)
|
||||
return;
|
||||
|
||||
if (disable_auth == 1)
|
||||
dyn_disable_auth();
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -67,14 +85,25 @@ void arm_bl2_set_tb_cfg_addr(void *dtb)
|
|||
|
||||
/*
|
||||
* BL2 utility function to initialize dynamic configuration specified by
|
||||
* TB_FW_CONFIG. Return early if TB_FW_CONFIG is not found or HW_CONFIG is
|
||||
* not specified in TB_FW_CONFIG.
|
||||
* TB_FW_CONFIG. Populate the bl_mem_params_node_t of other FW_CONFIGs if
|
||||
* specified in TB_FW_CONFIG.
|
||||
*/
|
||||
void arm_bl2_dyn_cfg_init(void)
|
||||
{
|
||||
int err = 0;
|
||||
int tb_fw_node;
|
||||
bl_mem_params_node_t *hw_cfg_mem_params = NULL;
|
||||
int err = 0, tb_fw_node;
|
||||
unsigned int i;
|
||||
bl_mem_params_node_t *cfg_mem_params = NULL;
|
||||
uint64_t image_base;
|
||||
uint32_t image_size;
|
||||
const unsigned int config_ids[] = {
|
||||
HW_CONFIG_ID,
|
||||
SOC_FW_CONFIG_ID,
|
||||
NT_FW_CONFIG_ID,
|
||||
#ifdef SPD_tspd
|
||||
/* Currently tos_fw_config is only present for TSP */
|
||||
TOS_FW_CONFIG_ID
|
||||
#endif
|
||||
};
|
||||
|
||||
if (tb_fw_cfg_dtb == NULL) {
|
||||
VERBOSE("No TB_FW_CONFIG specified\n");
|
||||
|
@ -87,23 +116,69 @@ void arm_bl2_dyn_cfg_init(void)
|
|||
panic();
|
||||
}
|
||||
|
||||
/* Get the hw_config load address and size from TB_FW_CONFIG */
|
||||
hw_cfg_mem_params = get_bl_mem_params_node(HW_CONFIG_ID);
|
||||
if (hw_cfg_mem_params == NULL) {
|
||||
VERBOSE("Couldn't find HW_CONFIG in bl_mem_params_node\n");
|
||||
return;
|
||||
/* Iterate through all the fw config IDs */
|
||||
for (i = 0; i < ARRAY_SIZE(config_ids); i++) {
|
||||
/* Get the config load address and size from TB_FW_CONFIG */
|
||||
cfg_mem_params = get_bl_mem_params_node(config_ids[i]);
|
||||
if (cfg_mem_params == NULL) {
|
||||
VERBOSE("Couldn't find HW_CONFIG in bl_mem_params_node\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
err = arm_dyn_get_config_load_info((void *)tb_fw_cfg_dtb, tb_fw_node,
|
||||
config_ids[i], &image_base, &image_size);
|
||||
if (err < 0) {
|
||||
VERBOSE("Couldn't find config_id %d load info in TB_FW_CONFIG\n",
|
||||
config_ids[i]);
|
||||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* Do some runtime checks on the load addresses of soc_fw_config,
|
||||
* tos_fw_config, nt_fw_config. This is not a comprehensive check
|
||||
* of all invalid addresses but to prevent trivial porting errors.
|
||||
*/
|
||||
if (config_ids[i] != HW_CONFIG_ID) {
|
||||
|
||||
if (check_uptr_overflow(image_base, image_size) != 0)
|
||||
continue;
|
||||
|
||||
/* Ensure the configs don't overlap with BL2 */
|
||||
if ((image_base > BL2_BASE) || ((image_base + image_size) > BL2_BASE))
|
||||
continue;
|
||||
|
||||
/* Ensure the configs are loaded in a valid address */
|
||||
if (image_base < ARM_BL_RAM_BASE)
|
||||
continue;
|
||||
#ifdef BL32_BASE
|
||||
/*
|
||||
* If BL32 is present, ensure that the configs don't
|
||||
* overlap with it.
|
||||
*/
|
||||
if (image_base >= BL32_BASE && image_base <= BL32_LIMIT)
|
||||
continue;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
cfg_mem_params->image_info.image_base = (uintptr_t)image_base;
|
||||
cfg_mem_params->image_info.image_max_size = image_size;
|
||||
|
||||
/* Remove the IMAGE_ATTRIB_SKIP_LOADING attribute from HW_CONFIG node */
|
||||
cfg_mem_params->image_info.h.attr &= ~IMAGE_ATTRIB_SKIP_LOADING;
|
||||
}
|
||||
|
||||
err = arm_dyn_get_hwconfig_info((void *)tb_fw_cfg_dtb, tb_fw_node,
|
||||
(uint64_t *) &hw_cfg_mem_params->image_info.image_base,
|
||||
&hw_cfg_mem_params->image_info.image_max_size);
|
||||
if (err < 0) {
|
||||
VERBOSE("Couldn't find HW_CONFIG load info in TB_FW_CONFIG\n");
|
||||
return;
|
||||
}
|
||||
#if TRUSTED_BOARD_BOOT && defined(DYN_DISABLE_AUTH)
|
||||
uint32_t disable_auth = 0;
|
||||
|
||||
/* Remove the IMAGE_ATTRIB_SKIP_LOADING attribute from HW_CONFIG node */
|
||||
hw_cfg_mem_params->image_info.h.attr &= ~IMAGE_ATTRIB_SKIP_LOADING;
|
||||
err = arm_dyn_get_disable_auth((void *)tb_fw_cfg_dtb, tb_fw_node,
|
||||
&disable_auth);
|
||||
if (err < 0)
|
||||
return;
|
||||
|
||||
if (disable_auth == 1)
|
||||
dyn_disable_auth();
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* LOAD_IMAGE_V2 */
|
||||
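Review bot: The BL32 overlap test in the new loop, `if (image_base >= BL32_BASE && image_base <= BL32_LIMIT)`, looks only at the start address, so a config that begins below `BL32_BASE` and runs into it is accepted. Comparing the whole range closes that gap, assuming `BL32_LIMIT` is the exclusive end: `if ((image_base < BL32_LIMIT) && ((image_base + image_size) > BL32_BASE)) continue;`. Every rejected address also takes a bare `continue`, leaving the image marked skip-loading with no message; a `WARN` naming `config_ids[i]` would make a bad TB_FW_CONFIG visible in the boot log. The text `VERBOSE("Couldn't find HW_CONFIG in bl_mem_params_node\n")` and the comment "from HW_CONFIG node" are stale now that the loop covers every config id. `arm_bl2_dyn_cfg_init` opens in the preceding hunk.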
|
|
|
@ -11,31 +11,57 @@
|
|||
#include <libfdt.h>
|
||||
#include <plat_arm.h>
|
||||
|
||||
|
||||
typedef struct config_load_info_prop {
|
||||
unsigned int config_id;
|
||||
const char *config_addr;
|
||||
const char *config_max_size;
|
||||
} config_load_info_prop_t;
|
||||
|
||||
static const config_load_info_prop_t prop_names[] = {
|
||||
{HW_CONFIG_ID, "hw_config_addr", "hw_config_max_size"},
|
||||
{SOC_FW_CONFIG_ID, "soc_fw_config_addr", "soc_fw_config_max_size"},
|
||||
{TOS_FW_CONFIG_ID, "tos_fw_config_addr", "tos_fw_config_max_size"},
|
||||
{NT_FW_CONFIG_ID, "nt_fw_config_addr", "nt_fw_config_max_size"}
|
||||
};
|
||||
|
||||
/*******************************************************************************
|
||||
* Helper to read the `hw_config` property in config DTB. This function
|
||||
* expects the following properties to be present in the config DTB.
|
||||
* name : hw_config_addr size : 2 cells
|
||||
* name : hw_config_max_size size : 1 cell
|
||||
* Helper to read the load information corresponding to the `config_id` in
|
||||
* TB_FW_CONFIG. This function expects the following properties to be defined :
|
||||
* <config>_addr size : 2 cells
|
||||
* <config>_max_size size : 1 cell
|
||||
*
|
||||
* Arguments:
|
||||
* void *dtb - pointer to the TB_FW_CONFIG in memory
|
||||
* int node - The node offset to appropriate node in the
|
||||
* DTB.
|
||||
* uint64_t *hw_config_addr - Returns the `hw_config` load address if read
|
||||
* unsigned int config_id - The configuration id
|
||||
* uint64_t *config_addr - Returns the `config` load address if read
|
||||
* is successful.
|
||||
* uint32_t *hw_config_size - Returns the `hw_config` size if read is
|
||||
* uint32_t *config_size - Returns the `config` size if read is
|
||||
* successful.
|
||||
*
|
||||
* Returns 0 on success and -1 on error.
|
||||
******************************************************************************/
|
||||
int arm_dyn_get_hwconfig_info(void *dtb, int node,
|
||||
uint64_t *hw_config_addr, uint32_t *hw_config_size)
|
||||
int arm_dyn_get_config_load_info(void *dtb, int node, unsigned int config_id,
|
||||
uint64_t *config_addr, uint32_t *config_size)
|
||||
{
|
||||
int err;
|
||||
unsigned int i;
|
||||
|
||||
assert(dtb != NULL);
|
||||
assert(hw_config_addr != NULL);
|
||||
assert(hw_config_size != NULL);
|
||||
assert(config_addr != NULL);
|
||||
assert(config_size != NULL);
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(prop_names); i++) {
|
||||
if (prop_names[i].config_id == config_id)
|
||||
break;
|
||||
}
|
||||
|
||||
if (i == ARRAY_SIZE(prop_names)) {
|
||||
WARN("Invalid config id %d\n", config_id);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Check if the pointer to DT is correct */
|
||||
assert(fdt_check_header(dtb) == 0);
|
||||
|
@ -43,26 +69,71 @@ int arm_dyn_get_hwconfig_info(void *dtb, int node,
|
|||
/* Assert the node offset point to "arm,tb_fw" compatible property */
|
||||
assert(node == fdt_node_offset_by_compatible(dtb, -1, "arm,tb_fw"));
|
||||
|
||||
err = fdtw_read_cells(dtb, node, "hw_config_addr", 2,
|
||||
(void *) hw_config_addr);
|
||||
err = fdtw_read_cells(dtb, node, prop_names[i].config_addr, 2,
|
||||
(void *) config_addr);
|
||||
if (err < 0) {
|
||||
WARN("Read cell failed for hw_config_addr\n");
|
||||
WARN("Read cell failed for %s\n", prop_names[i].config_addr);
|
||||
return -1;
|
||||
}
|
||||
|
||||
err = fdtw_read_cells(dtb, node, "hw_config_max_size", 1,
|
||||
(void *) hw_config_size);
|
||||
err = fdtw_read_cells(dtb, node, prop_names[i].config_max_size, 1,
|
||||
(void *) config_size);
|
||||
if (err < 0) {
|
||||
WARN("Read cell failed for hw_config_max_size\n");
|
||||
WARN("Read cell failed for %s\n", prop_names[i].config_max_size);
|
||||
return -1;
|
||||
}
|
||||
|
||||
VERBOSE("Dyn cfg: Read hw_config address from TB_FW_CONFIG 0x%p %p\n",
|
||||
hw_config_addr, hw_config_size);
|
||||
VERBOSE("Dyn cfg: Read config_id %d load info from TB_FW_CONFIG 0x%llx 0x%x\n",
|
||||
config_id, (unsigned long long)*config_addr, *config_size);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
||||
* Helper to read the `disable_auth` property in config DTB. This function
|
||||
* expects the following properties to be present in the config DTB.
|
||||
* name : disable_auth size : 1 cell
|
||||
*
|
||||
* Arguments:
|
||||
* void *dtb - pointer to the TB_FW_CONFIG in memory
|
||||
* int node - The node offset to appropriate node in the
|
||||
* DTB.
|
||||
* uint64_t *disable_auth - The value of `disable_auth` property on
|
||||
* successful read. Must be 0 or 1.
|
||||
*
|
||||
* Returns 0 on success and -1 on error.
|
||||
******************************************************************************/
|
||||
int arm_dyn_get_disable_auth(void *dtb, int node, uint32_t *disable_auth)
|
||||
{
|
||||
int err;
|
||||
|
||||
assert(dtb != NULL);
|
||||
assert(disable_auth != NULL);
|
||||
|
||||
/* Check if the pointer to DT is correct */
|
||||
assert(fdt_check_header(dtb) == 0);
|
||||
|
||||
/* Assert the node offset point to "arm,tb_fw" compatible property */
|
||||
assert(node == fdt_node_offset_by_compatible(dtb, -1, "arm,tb_fw"));
|
||||
|
||||
/* Locate the disable_auth cell and read the value */
|
||||
err = fdtw_read_cells(dtb, node, "disable_auth", 1, disable_auth);
|
||||
if (err < 0) {
|
||||
WARN("Read cell failed for `disable_auth`\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Check if the value is boolean */
|
||||
if ((*disable_auth != 0U) && (*disable_auth != 1U)) {
|
||||
WARN("Invalid value for `disable_auth` cell %d\n", *disable_auth);
|
||||
return -1;
|
||||
}
|
||||
|
||||
VERBOSE("Dyn cfg: `disable_auth` cell found with value = %d\n",
|
||||
*disable_auth);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
||||
* Validate the tb_fw_config is a valid DTB file and returns the node offset
|
||||
* to "arm,tb_fw" property.
|
||||
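Review bot: The header comment of `arm_dyn_get_disable_auth` documents the out-parameter as `uint64_t *disable_auth`, but the signature takes `uint32_t *disable_auth`; the comment line should use `uint32_t`. The function also writes the raw cell into `*disable_auth` before range-checking it, so on the `-1` path the caller's variable can hold a value other than 0 or 1. Reading into a local and assigning only after the boolean check would keep the out-parameter clean. `config_id` and `*disable_auth` are unsigned but printed with `%d`; `WARN("Invalid config id %u\n", config_id);` and the matching `%u` in the `disable_auth` messages would be correct. The DTB header and node-offset checks in both helpers are `assert`s, so the comments should say that callers must have validated the blob first (presumably via `arm_dyn_tb_fw_cfg_init`) for builds where assertions are disabled.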
|
|
|
@ -63,6 +63,18 @@ static const io_uuid_spec_t hw_config_uuid_spec = {
|
|||
.uuid = UUID_HW_CONFIG,
|
||||
};
|
||||
|
||||
static const io_uuid_spec_t soc_fw_config_uuid_spec = {
|
||||
.uuid = UUID_SOC_FW_CONFIG,
|
||||
};
|
||||
|
||||
static const io_uuid_spec_t tos_fw_config_uuid_spec = {
|
||||
.uuid = UUID_TOS_FW_CONFIG,
|
||||
};
|
||||
|
||||
static const io_uuid_spec_t nt_fw_config_uuid_spec = {
|
||||
.uuid = UUID_NT_FW_CONFIG,
|
||||
};
|
||||
|
||||
#if TRUSTED_BOARD_BOOT
|
||||
static const io_uuid_spec_t tb_fw_cert_uuid_spec = {
|
||||
.uuid = UUID_TRUSTED_BOOT_FW_CERT,
|
||||
|
@ -167,6 +179,21 @@ static const struct plat_io_policy policies[] = {
|
|||
(uintptr_t)&hw_config_uuid_spec,
|
||||
open_fip
|
||||
},
|
||||
[SOC_FW_CONFIG_ID] = {
|
||||
&fip_dev_handle,
|
||||
(uintptr_t)&soc_fw_config_uuid_spec,
|
||||
open_fip
|
||||
},
|
||||
[TOS_FW_CONFIG_ID] = {
|
||||
&fip_dev_handle,
|
||||
(uintptr_t)&tos_fw_config_uuid_spec,
|
||||
open_fip
|
||||
},
|
||||
[NT_FW_CONFIG_ID] = {
|
||||
&fip_dev_handle,
|
||||
(uintptr_t)&nt_fw_config_uuid_spec,
|
||||
open_fip
|
||||
},
|
||||
#if TRUSTED_BOARD_BOOT
|
||||
[TRUSTED_BOOT_FW_CERT_ID] = {
|
||||
&fip_dev_handle,
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
#include "ext.h"
|
||||
#include "key.h"
|
||||
|
||||
#define CERT_MAX_EXT 4
|
||||
#define CERT_MAX_EXT 5
|
||||
|
||||
/*
|
||||
* This structure contains information related to the generation of the
|
||||
|
|
|
@ -21,12 +21,15 @@ enum {
|
|||
SCP_FW_HASH_EXT,
|
||||
SOC_FW_CONTENT_CERT_PK_EXT,
|
||||
SOC_AP_FW_HASH_EXT,
|
||||
SOC_FW_CONFIG_HASH_EXT,
|
||||
TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
|
||||
TRUSTED_OS_FW_HASH_EXT,
|
||||
TRUSTED_OS_FW_EXTRA1_HASH_EXT,
|
||||
TRUSTED_OS_FW_EXTRA2_HASH_EXT,
|
||||
TRUSTED_OS_FW_CONFIG_HASH_EXT,
|
||||
NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
|
||||
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
|
||||
NON_TRUSTED_FW_CONFIG_HASH_EXT,
|
||||
SCP_FWU_CFG_HASH_EXT,
|
||||
AP_FWU_CFG_HASH_EXT,
|
||||
FWU_HASH_EXT
|
||||
|
|
|
@ -99,9 +99,10 @@ static cert_t tbb_certs[] = {
|
|||
.issuer = SOC_FW_CONTENT_CERT,
|
||||
.ext = {
|
||||
TRUSTED_FW_NVCOUNTER_EXT,
|
||||
SOC_AP_FW_HASH_EXT
|
||||
SOC_AP_FW_HASH_EXT,
|
||||
SOC_FW_CONFIG_HASH_EXT,
|
||||
},
|
||||
.num_ext = 2
|
||||
.num_ext = 3
|
||||
},
|
||||
[TRUSTED_OS_FW_KEY_CERT] = {
|
||||
.id = TRUSTED_OS_FW_KEY_CERT,
|
||||
|
@ -129,9 +130,10 @@ static cert_t tbb_certs[] = {
|
|||
TRUSTED_FW_NVCOUNTER_EXT,
|
||||
TRUSTED_OS_FW_HASH_EXT,
|
||||
TRUSTED_OS_FW_EXTRA1_HASH_EXT,
|
||||
TRUSTED_OS_FW_EXTRA2_HASH_EXT
|
||||
TRUSTED_OS_FW_EXTRA2_HASH_EXT,
|
||||
TRUSTED_OS_FW_CONFIG_HASH_EXT,
|
||||
},
|
||||
.num_ext = 4
|
||||
.num_ext = 5
|
||||
},
|
||||
[NON_TRUSTED_FW_KEY_CERT] = {
|
||||
.id = NON_TRUSTED_FW_KEY_CERT,
|
||||
|
@ -157,9 +159,10 @@ static cert_t tbb_certs[] = {
|
|||
.issuer = NON_TRUSTED_FW_CONTENT_CERT,
|
||||
.ext = {
|
||||
NON_TRUSTED_FW_NVCOUNTER_EXT,
|
||||
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
|
||||
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
|
||||
NON_TRUSTED_FW_CONFIG_HASH_EXT,
|
||||
},
|
||||
.num_ext = 2
|
||||
.num_ext = 3
|
||||
},
|
||||
[FWU_CERT] = {
|
||||
.id = FWU_CERT,
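Review bot: `.num_ext` in the three content-certificate entries touched here is a literal that has to be bumped by hand each time `.ext` grows (2 to 3, 4 to 5, 2 to 3), and the Trusted OS entry now sits exactly at the new `CERT_MAX_EXT` of 5. If a later change appends a hash extension and misses the count, the certificate would presumably be generated without that hash, so the image it describes drops out of what the chain of trust covers, and nothing visible in these hunks would flag it. I would at least put a comment beside each count, e.g. `/* must equal the number of entries in .ext, at most CERT_MAX_EXT */`, or have the code that walks the table derive the count. `tbb_certs[]` starts and ends outside these hunks, so the consumer loop is not visible from here.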
|
||||
|
|
|
@ -123,6 +123,16 @@ static ext_t tbb_ext[] = {
|
|||
.asn1_type = V_ASN1_OCTET_STRING,
|
||||
.type = EXT_TYPE_HASH
|
||||
},
|
||||
[SOC_FW_CONFIG_HASH_EXT] = {
|
||||
.oid = SOC_FW_CONFIG_HASH_OID,
|
||||
.opt = "soc-fw-config",
|
||||
.help_msg = "SoC Firmware Config file",
|
||||
.sn = "SocFirmwareConfigHash",
|
||||
.ln = "SoC Firmware Config hash",
|
||||
.asn1_type = V_ASN1_OCTET_STRING,
|
||||
.type = EXT_TYPE_HASH,
|
||||
.optional = 1
|
||||
},
|
||||
[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
|
||||
.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
|
||||
.sn = "TrustedOSFirmwareContentCertPK",
|
||||
|
@ -160,6 +170,16 @@ static ext_t tbb_ext[] = {
|
|||
.type = EXT_TYPE_HASH,
|
||||
.optional = 1
|
||||
},
|
||||
[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
|
||||
.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
|
||||
.opt = "tos-fw-config",
|
||||
.help_msg = "Trusted OS Firmware Config file",
|
||||
.sn = "TrustedOSFirmwareConfigHash",
|
||||
.ln = "Trusted OS Firmware Config hash",
|
||||
.asn1_type = V_ASN1_OCTET_STRING,
|
||||
.type = EXT_TYPE_HASH,
|
||||
.optional = 1
|
||||
},
|
||||
[NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = {
|
||||
.oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID,
|
||||
.sn = "NonTrustedFirmwareContentCertPK",
|
||||
|
@ -177,6 +197,16 @@ static ext_t tbb_ext[] = {
|
|||
.asn1_type = V_ASN1_OCTET_STRING,
|
||||
.type = EXT_TYPE_HASH
|
||||
},
|
||||
[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
|
||||
.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
|
||||
.opt = "nt-fw-config",
|
||||
.help_msg = "Non Trusted OS Firmware Config file",
|
||||
.sn = "NonTrustedOSFirmwareConfigHash",
|
||||
.ln = "Non-Trusted OS Firmware Config hash",
|
||||
.asn1_type = V_ASN1_OCTET_STRING,
|
||||
.type = EXT_TYPE_HASH,
|
||||
.optional = 1
|
||||
},
|
||||
[SCP_FWU_CFG_HASH_EXT] = {
|
||||
.oid = SCP_FWU_CFG_HASH_OID,
|
||||
.opt = "scp-fwu-cfg",
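Review bot: The new `NON_TRUSTED_FW_CONFIG_HASH_EXT` entry calls itself "Non Trusted OS" in `help_msg`, `sn` and `ln`, although its option is `nt-fw-config` and its identifier has no "OS" in it, and `help_msg` and `ln` also disagree on the hyphen. The two sibling entries added in this section ("SoC Firmware Config", "Trusted OS Firmware Config") follow their identifiers exactly. Since `sn` and `ln` look like the names attached to the extension OID in the generated certificate, a misleading label makes it harder to tell which image a hash covers when auditing a certificate. I would use `.help_msg = "Non-Trusted Firmware Config file",`, `.sn = "NonTrustedFirmwareConfigHash",` and `.ln = "Non-Trusted Firmware Config hash",`. `tbb_ext[]` starts and ends outside these hunks.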
|
||||
|
|
|
@ -78,6 +78,21 @@ toc_entry_t toc_entries[] = {
|
|||
.uuid = UUID_TB_FW_CONFIG,
|
||||
.cmdline_name = "tb-fw-config"
|
||||
},
|
||||
{
|
||||
.name = "SOC_FW_CONFIG",
|
||||
.uuid = UUID_SOC_FW_CONFIG,
|
||||
.cmdline_name = "soc-fw-config"
|
||||
},
|
||||
{
|
||||
.name = "TOS_FW_CONFIG",
|
||||
.uuid = UUID_TOS_FW_CONFIG,
|
||||
.cmdline_name = "tos-fw-config"
|
||||
},
|
||||
{
|
||||
.name = "NT_FW_CONFIG",
|
||||
.uuid = UUID_NT_FW_CONFIG,
|
||||
.cmdline_name = "nt-fw-config"
|
||||
},
|
||||
/* Key Certificates */
|
||||
{
|
||||
.name = "Root Of Trust key certificate",
|
||||
|
|