dualroot: add chain of trust for Platform owned SPs
For dualroot CoT there are two sets of SP certificates, one owned by Silicon Provider(SiP) and other owned by Platform. Each certificate can have a maximum of 4 SPs. This patch reduces the number of SiP owned SPs from 8 to 4 and adds the remaining 4 to Plat owned SP. Plat owned SP certificate is signed using Platform RoT key and protected against anti-rollback using the Non-trusted Non-volatile counter. Change-Id: Idc3ddd87d6d85a5506a7435f45a6ec17c4c50425 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
This commit is contained in:
Manish Pandey
parent
23d5f03ad0
commit
2947412d54
|
|
@ -743,29 +743,60 @@ static const auth_img_desc_t sip_sp_content_cert = {
|
|||
.ptr = (void *)sp_pkg_hash_buf[3],
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
DEFINE_SIP_SP_PKG(1);
|
||||
DEFINE_SIP_SP_PKG(2);
|
||||
DEFINE_SIP_SP_PKG(3);
|
||||
DEFINE_SIP_SP_PKG(4);
|
||||
|
||||
static const auth_img_desc_t plat_sp_content_cert = {
|
||||
.img_id = PLAT_SP_CONTENT_CERT_ID,
|
||||
.img_type = IMG_CERT,
|
||||
.parent = NULL,
|
||||
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
|
||||
[0] = {
|
||||
.type = AUTH_METHOD_SIG,
|
||||
.param.sig = {
|
||||
.pk = &prot_pk,
|
||||
.sig = &sig,
|
||||
.alg = &sig_alg,
|
||||
.data = &raw_data
|
||||
}
|
||||
},
|
||||
[4] = {
|
||||
[1] = {
|
||||
.type = AUTH_METHOD_NV_CTR,
|
||||
.param.nv_ctr = {
|
||||
.cert_nv_ctr = &non_trusted_nv_ctr,
|
||||
.plat_nv_ctr = &non_trusted_nv_ctr
|
||||
}
|
||||
}
|
||||
},
|
||||
.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
|
||||
[0] = {
|
||||
.type_desc = &sp_pkg5_hash,
|
||||
.data = {
|
||||
.ptr = (void *)sp_pkg_hash_buf[4],
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[5] = {
|
||||
[1] = {
|
||||
.type_desc = &sp_pkg6_hash,
|
||||
.data = {
|
||||
.ptr = (void *)sp_pkg_hash_buf[5],
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[6] = {
|
||||
[2] = {
|
||||
.type_desc = &sp_pkg7_hash,
|
||||
.data = {
|
||||
.ptr = (void *)sp_pkg_hash_buf[6],
|
||||
.len = (unsigned int)HASH_DER_LEN
|
||||
}
|
||||
},
|
||||
[7] = {
|
||||
[3] = {
|
||||
.type_desc = &sp_pkg8_hash,
|
||||
.data = {
|
||||
.ptr = (void *)sp_pkg_hash_buf[7],
|
||||
|
|
@ -775,14 +806,10 @@ static const auth_img_desc_t sip_sp_content_cert = {
|
|||
}
|
||||
};
|
||||
|
||||
DEFINE_SIP_SP_PKG(1);
|
||||
DEFINE_SIP_SP_PKG(2);
|
||||
DEFINE_SIP_SP_PKG(3);
|
||||
DEFINE_SIP_SP_PKG(4);
|
||||
DEFINE_SIP_SP_PKG(5);
|
||||
DEFINE_SIP_SP_PKG(6);
|
||||
DEFINE_SIP_SP_PKG(7);
|
||||
DEFINE_SIP_SP_PKG(8);
|
||||
DEFINE_PLAT_SP_PKG(5);
|
||||
DEFINE_PLAT_SP_PKG(6);
|
||||
DEFINE_PLAT_SP_PKG(7);
|
||||
DEFINE_PLAT_SP_PKG(8);
|
||||
#endif /* SPD_spmd */
|
||||
|
||||
#else /* IMAGE_BL2 */
|
||||
|
|
@ -915,6 +942,7 @@ static const auth_img_desc_t * const cot_desc[] = {
|
|||
[NT_FW_CONFIG_ID] = &nt_fw_config,
|
||||
#if defined(SPD_spmd)
|
||||
[SIP_SP_CONTENT_CERT_ID] = &sip_sp_content_cert,
|
||||
[PLAT_SP_CONTENT_CERT_ID] = &plat_sp_content_cert,
|
||||
[SP_PKG1_ID] = &sp_pkg1,
|
||||
[SP_PKG2_ID] = &sp_pkg2,
|
||||
[SP_PKG3_ID] = &sp_pkg3,
|
||||
|
|
|
|||
|
|
@ -11,16 +11,17 @@
|
|||
|
||||
#if defined(SPD_spmd)
|
||||
#define SIP_SP_CONTENT_CERT_ID MAX_IMAGE_IDS
|
||||
#define SP_PKG1_ID (MAX_IMAGE_IDS + 1)
|
||||
#define SP_PKG2_ID (MAX_IMAGE_IDS + 2)
|
||||
#define SP_PKG3_ID (MAX_IMAGE_IDS + 3)
|
||||
#define SP_PKG4_ID (MAX_IMAGE_IDS + 4)
|
||||
#define SP_PKG5_ID (MAX_IMAGE_IDS + 5)
|
||||
#define SP_PKG6_ID (MAX_IMAGE_IDS + 6)
|
||||
#define SP_PKG7_ID (MAX_IMAGE_IDS + 7)
|
||||
#define SP_PKG8_ID (MAX_IMAGE_IDS + 8)
|
||||
#define PLAT_SP_CONTENT_CERT_ID (MAX_IMAGE_IDS + 1)
|
||||
#define SP_PKG1_ID (MAX_IMAGE_IDS + 2)
|
||||
#define SP_PKG2_ID (MAX_IMAGE_IDS + 3)
|
||||
#define SP_PKG3_ID (MAX_IMAGE_IDS + 4)
|
||||
#define SP_PKG4_ID (MAX_IMAGE_IDS + 5)
|
||||
#define SP_PKG5_ID (MAX_IMAGE_IDS + 6)
|
||||
#define SP_PKG6_ID (MAX_IMAGE_IDS + 7)
|
||||
#define SP_PKG7_ID (MAX_IMAGE_IDS + 8)
|
||||
#define SP_PKG8_ID (MAX_IMAGE_IDS + 9)
|
||||
#define MAX_SP_IDS U(8)
|
||||
#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(1))
|
||||
#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(2))
|
||||
#else
|
||||
#define MAX_NUMBER_IDS MAX_IMAGE_IDS
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -51,11 +51,15 @@ extern const size_t cot_desc_size;
|
|||
extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
|
||||
|
||||
#if defined(SPD_spmd)
|
||||
#define DEFINE_SIP_SP_PKG(n) \
|
||||
|
||||
#define DEFINE_SIP_SP_PKG(n) DEFINE_SP_PKG(n, sip_sp_content_cert)
|
||||
#define DEFINE_PLAT_SP_PKG(n) DEFINE_SP_PKG(n, plat_sp_content_cert)
|
||||
|
||||
#define DEFINE_SP_PKG(n, cert) \
|
||||
static const auth_img_desc_t sp_pkg##n = { \
|
||||
.img_id = SP_PKG##n##_ID, \
|
||||
.img_type = IMG_RAW, \
|
||||
.parent = &sip_sp_content_cert, \
|
||||
.parent = &cert, \
|
||||
.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
|
||||
[0] = { \
|
||||
.type = AUTH_METHOD_HASH, \
|
||||
|
|
@ -66,6 +70,7 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
|
|||
} \
|
||||
} \
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#endif /* TRUSTED_BOARD_BOOT */
|
||||
|
|
|
|||
Loading…
Reference in New Issue