Merge changes from topic "gby/cryptocell-multi-vers" into integration

* changes:
  cryptocell: add product version awareness support
  cryptocell: move Cryptocell specific API into driver

drivers/auth/cryptocell/712/cryptocell_crypto.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -11,19 +11,19 @@
 
 #include <arch_helpers.h>
 #include <common/debug.h>
-#include <drivers/arm/cryptocell/crypto_driver.h>
-#include <drivers/arm/cryptocell/rsa.h>
-#include <drivers/arm/cryptocell/sbrom_bsv_api.h>
-#include <drivers/arm/cryptocell/secureboot_base_func.h>
-#include <drivers/arm/cryptocell/secureboot_gen_defs.h>
-#include <drivers/arm/cryptocell/util.h>
+#include <drivers/arm/cryptocell/712/crypto_driver.h>
+#include <drivers/arm/cryptocell/712/rsa.h>
+#include <drivers/arm/cryptocell/712/sbrom_bsv_api.h>
+#include <drivers/arm/cryptocell/712/secureboot_base_func.h>
+#include <drivers/arm/cryptocell/712/secureboot_gen_defs.h>
+#include <drivers/arm/cryptocell/712/util.h>
 #include <drivers/auth/crypto_mod.h>
 #include <drivers/auth/mbedtls/mbedtls_common.h>
 #include <lib/utils.h>
 
 #include <mbedtls/oid.h>
 
-#define LIB_NAME		"CryptoCell SBROM"
+#define LIB_NAME		"CryptoCell 712 SBROM"
 #define RSA_SALT_LEN		32
 #define RSA_EXPONENT		65537
 
@@ -303,4 +303,3 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
  */
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash);
 
-

drivers/auth/cryptocell/712/cryptocell_plat_helpers.c

@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <stddef.h>
+#include <string.h>
+
+#include <platform_def.h>
+
+#include <plat/common/platform.h>
+#include <tools_share/tbbr_oid.h>
+
+#include <common/debug.h>
+#include <drivers/arm/cryptocell/712/sbrom_bsv_api.h>
+#include <drivers/arm/cryptocell/712/nvm.h>
+#include <drivers/arm/cryptocell/712/nvm_otp.h>
+
+/*
+ * Return the ROTPK hash
+ *
+ * dst:   buffer into which the ROTPK hash will be copied into
+ * len:   length of the provided buffer, which must be at least enough for a
+ *        SHA256 hash
+ * flags: a pointer to integer that will be set to indicate the ROTPK status
+ *
+ * Return: 0 = success, Otherwise = error
+ */
+int cc_get_rotpk_hash(unsigned char *dst, unsigned int len, unsigned int *flags)
+{
+	CCError_t error;
+	uint32_t lcs;
+
+	assert(dst != NULL);
+	assert(len >= HASH_RESULT_SIZE_IN_WORDS);
+	assert(flags != NULL);
+
+	error = NVM_GetLCS(PLAT_CRYPTOCELL_BASE, &lcs);
+	if (error != CC_OK)
+		return 1;
+
+	/* If the lifecycle state is `SD`, return failure */
+	if (lcs == CC_BSV_SECURITY_DISABLED_LCS)
+		return 1;
+
+	/*
+	 * If the lifecycle state is `CM` or `DM`, ROTPK shouldn't be verified.
+	 * Return success after setting ROTPK_NOT_DEPLOYED flag
+	 */
+	if ((lcs == CC_BSV_CHIP_MANUFACTURE_LCS) ||
+			(lcs == CC_BSV_DEVICE_MANUFACTURE_LCS)) {
+		*flags = ROTPK_NOT_DEPLOYED;
+		return 0;
+	}
+
+	/* Copy the DER header */
+	error = NVM_ReadHASHPubKey(PLAT_CRYPTOCELL_BASE,
+			CC_SB_HASH_BOOT_KEY_256B,
+			(uint32_t *)dst, HASH_RESULT_SIZE_IN_WORDS);
+	if (error != CC_OK)
+		return 1;
+
+	*flags = ROTPK_IS_HASH;
+	return 0;
+}
+
+/*
+ * Return the non-volatile counter value stored in the platform. The cookie
+ * specifies the OID of the counter in the certificate.
+ *
+ * Return: 0 = success, Otherwise = error
+ */
+int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr)
+{
+	CCError_t error = CC_FAIL;
+
+	if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) {
+		error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE,
+				CC_SW_VERSION_COUNTER1, nv_ctr);
+	} else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
+		error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE,
+				CC_SW_VERSION_COUNTER2, nv_ctr);
+	}
+
+	return (error != CC_OK);
+}
+
+/*
+ * Store a new non-volatile counter value in the counter specified by the OID
+ * in the cookie. This function is not expected to be called if the Lifecycle
+ * state is RMA as the values in the certificate are expected to always match
+ * the nvcounter values. But if called when the LCS is RMA, the underlying
+ * helper functions will return success but without updating the counter.
+ *
+ * Return: 0 = success, Otherwise = error
+ */
+int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
+{
+	CCError_t error = CC_FAIL;
+
+	if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) {
+		error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE,
+				CC_SW_VERSION_COUNTER1, nv_ctr);
+	} else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
+		error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE,
+				CC_SW_VERSION_COUNTER2, nv_ctr);
+	}
+
+	return (error != CC_OK);
+}
+

drivers/auth/cryptocell/cryptocell_crypto.mk

@@ -17,10 +17,20 @@ ifeq (${CCSBROM_LIB_PATH},)
   $(error Error: CCSBROM_LIB_PATH not set)
 endif
 
+CRYPTOCELL_VERSION ?= 712
+ifeq (${CRYPTOCELL_VERSION},712)
+  CCSBROM_LIB_FILENAME := cc_712sbromx509
+else
+  $(error Error: CRYPTOCELL_VERSION set to invalid version)
+endif
+
+CRYPTOCELL_SRC_DIR	:= drivers/auth/cryptocell/${CRYPTOCELL_VERSION}/
+
+CRYPTOCELL_SOURCES	:= ${CRYPTOCELL_SRC_DIR}/cryptocell_crypto.c \
+			   ${CRYPTOCELL_SRC_DIR}/cryptocell_plat_helpers.c
+
 TF_LDFLAGS		+= -L$(CCSBROM_LIB_PATH)
-LDLIBS			+= -lcc_712sbromx509
+LDLIBS			+= -l$(CCSBROM_LIB_FILENAME)
 
-CRYPTOCELL_SOURCES	:=	drivers/auth/cryptocell/cryptocell_crypto.c
-
-BL1_SOURCES		+=	${CRYPTOCELL_SOURCES}
-BL2_SOURCES		+=	${CRYPTOCELL_SOURCES}
+BL1_SOURCES		+= ${CRYPTOCELL_SOURCES}
+BL2_SOURCES		+= ${CRYPTOCELL_SOURCES}

include/drivers/arm/cryptocell/cc_rotpk.h

@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2019, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef _CC_ROTPK_H
+#define _CC_ROTPK_H
+
+int cc_get_rotpk_hash(unsigned char *dst, unsigned int len,
+		      unsigned int *flags);
+
+#endif

plat/arm/board/common/board_arm_trusted_boot.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -181,12 +181,7 @@ int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
 }
 #else /* ARM_CRYPTOCELL_INTEG */
 
-#include <drivers/arm/cryptocell/nvm.h>
-#include <drivers/arm/cryptocell/nvm_otp.h>
-#include <drivers/arm/cryptocell/sbrom_bsv_api.h>
-
-CASSERT(HASH_RESULT_SIZE_IN_BYTES == SHA256_BYTES,
-		assert_mismatch_in_hash_result_size);
+#include <drivers/arm/cryptocell/cc_rotpk.h>
 
 /*
  * Return the ROTPK hash in the following ASN.1 structure in DER format:
@@ -205,90 +200,16 @@ int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
 			unsigned int *flags)
 {
 	unsigned char *dst;
-	CCError_t error;
-	uint32_t lcs;
 
 	assert(key_ptr != NULL);
 	assert(key_len != NULL);
 	assert(flags != NULL);
 
-	error = NVM_GetLCS(PLAT_CRYPTOCELL_BASE, &lcs);
-	if (error != CC_OK)
-		return 1;
-
-	/* If the lifecycle state is `SD`, return failure */
-	if (lcs == CC_BSV_SECURITY_DISABLED_LCS)
-		return 1;
-
-	/*
-	 * If the lifecycle state is `CM` or `DM`, ROTPK shouldn't be verified.
-	 * Return success after setting ROTPK_NOT_DEPLOYED flag
-	 */
-	if ((lcs == CC_BSV_CHIP_MANUFACTURE_LCS) ||
-			(lcs == CC_BSV_DEVICE_MANUFACTURE_LCS)) {
-		*key_len = 0;
-		*flags = ROTPK_NOT_DEPLOYED;
-		return 0;
-	}
-
 	/* Copy the DER header */
 	memcpy(rotpk_hash_der, rotpk_hash_hdr, rotpk_hash_hdr_len);
 	dst = &rotpk_hash_der[rotpk_hash_hdr_len];
-	error = NVM_ReadHASHPubKey(PLAT_CRYPTOCELL_BASE,
-			CC_SB_HASH_BOOT_KEY_256B,
-			(uint32_t *)dst, HASH_RESULT_SIZE_IN_WORDS);
-	if (error != CC_OK)
-		return 1;
-
 	*key_ptr = rotpk_hash_der;
 	*key_len = sizeof(rotpk_hash_der);
-	*flags = ROTPK_IS_HASH;
-	return 0;
+	return cc_get_rotpk_hash(dst, SHA256_BYTES, flags);
 }
-
-/*
- * Return the non-volatile counter value stored in the platform. The cookie
- * specifies the OID of the counter in the certificate.
- *
- * Return: 0 = success, Otherwise = error
- */
-int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr)
-{
-	CCError_t error = CC_FAIL;
-
-	if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) {
-		error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE,
-				CC_SW_VERSION_COUNTER1, nv_ctr);
-	} else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
-		error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE,
-				CC_SW_VERSION_COUNTER2, nv_ctr);
-	}
-
-	return (error != CC_OK);
-}
-
-/*
- * Store a new non-volatile counter value in the counter specified by the OID
- * in the cookie. This function is not expected to be called if the Lifecycle
- * state is RMA as the values in the certificate are expected to always match
- * the nvcounter values. But if called when the LCS is RMA, the underlying
- * helper functions will return success but without updating the counter.
- *
- * Return: 0 = success, Otherwise = error
- */
-int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
-{
-	CCError_t error = CC_FAIL;
-
-	if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) {
-		error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE,
-				CC_SW_VERSION_COUNTER1, nv_ctr);
-	} else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
-		error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE,
-				CC_SW_VERSION_COUNTER2, nv_ctr);
-	}
-
-	return (error != CC_OK);
-}
-
 #endif /* ARM_CRYPTOCELL_INTEG */