From 8c105290f3733eafb789e17da4a0649e85c7b360 Mon Sep 17 00:00:00 2001 From: Alexei Fedorov Date: Thu, 23 Jan 2020 14:27:38 +0000 Subject: [PATCH] Measured Boot: add function for hash calculation This patch adds 'calc_hash' function using Mbed TLS library required for Measured Boot support. Change-Id: Ifc5aee0162d04db58ec6391e0726a526f29a52bb Signed-off-by: Alexei Fedorov --- Makefile | 10 ++++++++++ docs/getting_started/build-options.rst | 5 +++++ drivers/auth/crypto_mod.c | 23 +++++++++++++++++++++- drivers/auth/mbedtls/mbedtls_crypto.c | 27 +++++++++++++++++++++++++- include/drivers/auth/crypto_mod.h | 24 ++++++++++++++++++++++- make_helpers/defaults.mk | 5 ++++- 6 files changed, 90 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index bd52c0bd7..72db2a74a 100644 --- a/Makefile +++ b/Makefile @@ -604,6 +604,14 @@ ifeq ($(CTX_INCLUDE_MTE_REGS),1) endif endif +ifeq ($(MEASURED_BOOT),1) + ifneq (${TRUSTED_BOARD_BOOT},1) + $(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1") + else + $(info MEASURED_BOOT is an experimental feature) + endif +endif + ################################################################################ # Process platform overrideable behaviour ################################################################################ @@ -751,6 +759,7 @@ $(eval $(call assert_boolean,GENERATE_COT)) $(eval $(call assert_boolean,GICV2_G0_FOR_EL3)) $(eval $(call assert_boolean,HANDLE_EA_EL3_FIRST)) $(eval $(call assert_boolean,HW_ASSISTED_COHERENCY)) +$(eval $(call assert_boolean,MEASURED_BOOT)) $(eval $(call assert_boolean,NS_TIMER_SWITCH)) $(eval $(call assert_boolean,OVERRIDE_LIBC)) $(eval $(call assert_boolean,PL011_GENERIC_UART)) 
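Review bot: The `$(error ...)` message in the new MEASURED_BOOT guard carries a stray closing quote with no opening one, so a misconfigured build aborts with the text `MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1"`; change the line to `$(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1)`. The guard is the right place for this dependency check, since the hash implementation added in this patch lives in the Mbed TLS crypto module that is presumably only linked when TRUSTED_BOARD_BOOT=1 (that wiring is outside the hunk). Consider pairing the `$(info MEASURED_BOOT is an experimental feature)` notice with a comment above the block, e.g. `# Measured Boot needs the TBB crypto module for its hash primitive`, so the reason for the coupling survives once the feature is no longer experimental.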
@@ -817,6 +826,7 @@ $(eval $(call add_define,GICV2_G0_FOR_EL3)) $(eval $(call add_define,HANDLE_EA_EL3_FIRST)) $(eval $(call add_define,HW_ASSISTED_COHERENCY)) $(eval $(call add_define,LOG_LEVEL)) +$(eval $(call add_define,MEASURED_BOOT)) $(eval $(call add_define,NS_TIMER_SWITCH)) $(eval $(call add_define,PL011_GENERIC_UART)) $(eval $(call add_define,PLAT_${PLAT})) diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index fc4545571..b702c34de 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst @@ -387,6 +387,11 @@ Common build options All log output up to and including the selected log level is compiled into the build. The default value is 40 in debug builds and 20 in release builds. +- ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot + feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set. + This option defaults to 0 and is an experimental feature in the stage of + development. + - ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the file that contains the Non-Trusted World private key in PEM format. If ``SAVE_KEYS=1``, this file name will be used to save the key. diff --git a/drivers/auth/crypto_mod.c b/drivers/auth/crypto_mod.c index 5e5ac2b03..110c5045f 100644 --- a/drivers/auth/crypto_mod.c +++ b/drivers/auth/crypto_mod.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ 
@@ -103,3 +103,24 @@ int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len, return crypto_lib_desc.verify_hash(data_ptr, data_len, digest_info_ptr, digest_info_len); } + +#if MEASURED_BOOT +/* + * Calculate a hash + * + * Parameters: + * + * alg: message digest algorithm + * data_ptr, data_len: data to be hashed + * output: resulting hash + */ +int crypto_mod_calc_hash(unsigned int alg, void *data_ptr, + unsigned int data_len, unsigned char *output) +{ + assert(data_ptr != NULL); + assert(data_len != 0); + assert(output != NULL); + + return crypto_lib_desc.calc_hash(alg, data_ptr, data_len, output); +} +#endif /* MEASURED_BOOT */ diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c index 33420fbbd..04fbc648b 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.c +++ b/drivers/auth/mbedtls/mbedtls_crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -205,7 +205,32 @@ static int verify_hash(void *data_ptr, unsigned int data_len, return CRYPTO_SUCCESS; } +#if MEASURED_BOOT +/* + * Calculate a hash + * + * output points to the computed hash + */ +int calc_hash(unsigned int alg, void *data_ptr, + unsigned int data_len, unsigned char *output) +{ + const mbedtls_md_info_t *md_info; + + md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)alg); + if (md_info == NULL) { + return CRYPTO_ERR_HASH; + } + + /* Calculate the hash of the data */ + return mbedtls_md(md_info, data_ptr, data_len, output); +} +#endif /* MEASURED_BOOT */ + /* * Register crypto library descriptor */ +#if MEASURED_BOOT +REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash); +#else REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash); +#endif /* MEASURED_BOOT */ 
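Review bot: `crypto_mod_calc_hash` asserts `data_ptr`, `data_len` and `output` but then calls `crypto_lib_desc.calc_hash` without checking that the callback was registered, so a descriptor with a NULL `calc_hash` would branch to address zero in EL3. Add `assert(crypto_lib_desc.calc_hash != NULL);` alongside the existing asserts, or validate it once in `crypto_mod_init` where the other descriptor callbacks are presumably checked (outside this hunk); as with the sibling functions these asserts are likely compiled out in release builds, so this is a debug-time guard only. The comment block should also state the buffer contract the signature leaves implicit: `output: buffer receiving the digest; no length is passed, so it must be at least the digest size of 'alg'`.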
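Review bot: `calc_hash` returns the raw `mbedtls_md()` result, so on failure callers get an Mbed TLS `MBEDTLS_ERR_MD_*` code rather than one of the `crypto_ret_value` codes that `verify_hash` and `verify_signature` in this file return; map it with `if (mbedtls_md(md_info, data_ptr, data_len, output) != 0) { return CRYPTO_ERR_HASH; }` followed by `return CRYPTO_SUCCESS;`. The function is also not `static`, unlike its siblings (`static int verify_hash` is visible in the hunk header), which exports a very generic symbol name from the driver. Note that `alg` is cast straight to `mbedtls_md_type_t`, so the supposedly library-neutral `crypto_mod` API is in practice taking Mbed TLS enum values, and because no output length is passed a caller that pairs a large-digest `alg` with a small `output` buffer overflows it; `mbedtls_md_get_size(md_info)` is available here to bound the write if a length parameter is added.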
diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h index 3a4210569..f211035d7 100644 --- a/include/drivers/auth/crypto_mod.h +++ b/include/drivers/auth/crypto_mod.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -37,6 +37,13 @@ typedef struct crypto_lib_desc_s { /* Verify a hash. Return one of the 'enum crypto_ret_value' options */ int (*verify_hash)(void *data_ptr, unsigned int data_len, void *digest_info_ptr, unsigned int digest_info_len); + +#if MEASURED_BOOT + /* Calculate a hash. Return hash value */ + int (*calc_hash)(unsigned int alg, void *data_ptr, + unsigned int data_len, unsigned char *output); +#endif /* MEASURED_BOOT */ + } crypto_lib_desc_t; /* Public functions */ @@ -48,7 +55,21 @@ int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len, int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len, void *digest_info_ptr, unsigned int digest_info_len); +#if MEASURED_BOOT +int crypto_mod_calc_hash(unsigned int alg, void *data_ptr, + unsigned int data_len, unsigned char *output); + /* Macro to register a cryptographic library */ +#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \ + _calc_hash) \ + const crypto_lib_desc_t crypto_lib_desc = { \ + .name = _name, \ + .init = _init, \ + .verify_signature = _verify_signature, \ + .verify_hash = _verify_hash, \ + .calc_hash = _calc_hash \ + } +#else #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash) \ const crypto_lib_desc_t crypto_lib_desc = { \ .name = _name, \ @@ -56,6 +77,7 @@ int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len, .verify_signature = _verify_signature, \ .verify_hash = _verify_hash \ } +#endif /* MEASURED_BOOT */ extern const crypto_lib_desc_t crypto_lib_desc; 
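Review bot: The new descriptor comment `/* Calculate a hash. Return hash value */` is inaccurate: `calc_hash` returns an `int` status and writes the digest through `output`; change it to `/* Calculate a hash into 'output'. Return one of the 'enum crypto_ret_value' options */` to match the wording used for `verify_hash` just above it. The prototype carries no size for `output`, so, unlike `verify_hash` which receives `digest_info_len`, an implementation has no way to bound the write; either add an `unsigned int output_len` parameter or document in both declarations that `output` must hold the full digest for `alg`. Duplicating `REGISTER_CRYPTO_LIB` under `#if MEASURED_BOOT` also repeats the four shared initializer lines in both variants, which is easy to let drift; a short comment above the pair noting that the two must stay in step would help until the macro is unified.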
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 53832c561..4af1da6b2 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2016-2019, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -139,6 +139,9 @@ HW_ASSISTED_COHERENCY := 0 # Set the default algorithm for the generation of Trusted Board Boot keys KEY_ALG := rsa +# Option to build TF with Measured Boot support +MEASURED_BOOT := 0 + # NS timer register save and restore NS_TIMER_SWITCH := 0