From c44e50b72567205650c6455f3a258f36af0c84dd Mon Sep 17 00:00:00 2001 From: Tamas Ban Date: Fri, 11 Feb 2022 09:49:36 +0100 Subject: [PATCH] feat(plat/arm/fvp): enable RSS backend based measured boot Enable the RSS backend based measured boot feature. In the absence of RSS the mocked version of PSA APIs are used. They always return with success and hard-code data. Signed-off-by: Tamas Ban Change-Id: I7543e9033a7a21f1b836d911d8d9498c6e09b956 --- .../measured_boot/rss/rss_measured_boot.h | 2 ++ plat/arm/board/fvp/fvp_bl1_measured_boot.c | 32 ++++++++++++++++- plat/arm/board/fvp/fvp_bl2_measured_boot.c | 35 +++++++++++++++++++ plat/arm/board/fvp/fvp_common_measured_boot.c | 34 ++++++++++++++---- plat/arm/board/fvp/platform.mk | 26 ++++++++++++-- 5 files changed, 119 insertions(+), 10 deletions(-) diff --git a/include/drivers/measured_boot/rss/rss_measured_boot.h b/include/drivers/measured_boot/rss/rss_measured_boot.h index b8cf8dae9..fe885765c 100644 --- a/include/drivers/measured_boot/rss/rss_measured_boot.h +++ b/include/drivers/measured_boot/rss/rss_measured_boot.h @@ -24,8 +24,10 @@ */ #define RSS_MBOOT_BL2_STRING "BL_2" #define RSS_MBOOT_BL31_STRING "SECURE_RT_EL3" +#define RSS_MBOOT_HW_CONFIG_STRING "HW_CONFIG" #define RSS_MBOOT_FW_CONFIG_STRING "FW_CONFIG" #define RSS_MBOOT_TB_FW_CONFIG_STRING "TB_FW_CONFIG" +#define RSS_MBOOT_SOC_FW_CONFIG_STRING "SOC_FW_CONFIG" #define RSS_MBOOT_RMM_STRING "RMM" diff --git a/plat/arm/board/fvp/fvp_bl1_measured_boot.c b/plat/arm/board/fvp/fvp_bl1_measured_boot.c index 546855527..76cd91824 100644 --- a/plat/arm/board/fvp/fvp_bl1_measured_boot.c +++ b/plat/arm/board/fvp/fvp_bl1_measured_boot.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -7,6 +7,7 @@ #include #include +#include #include /* Event Log data */ @@ -21,10 +22,39 @@ const event_log_metadata_t fvp_event_log_metadata[] = { { EVLOG_INVALID_ID, NULL, (unsigned int)(-1) } /* Terminator */ }; +/* FVP table with platform specific image IDs and metadata. Intentionally not a + * const struct, some members might set by bootloaders during trusted boot. + */ +struct rss_mboot_metadata fvp_rss_mboot_metadata[] = { + { + .id = FW_CONFIG_ID, + .slot = U(6), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_FW_CONFIG_STRING, + .lock_measurement = true }, + { + .id = TB_FW_CONFIG_ID, + .slot = U(7), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_TB_FW_CONFIG_STRING, + .lock_measurement = true }, + { + .id = BL2_IMAGE_ID, + .slot = U(8), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_BL2_STRING, + .lock_measurement = true }, + + { + .id = RSS_MBOOT_INVALID_ID } +}; + void bl1_plat_mboot_init(void) { event_log_init(event_log, event_log + sizeof(event_log)); event_log_write_header(); + + rss_measured_boot_init(); } void bl1_plat_mboot_finish(void) diff --git a/plat/arm/board/fvp/fvp_bl2_measured_boot.c b/plat/arm/board/fvp/fvp_bl2_measured_boot.c index 1f3827831..fd15b70d3 100644 --- a/plat/arm/board/fvp/fvp_bl2_measured_boot.c +++ b/plat/arm/board/fvp/fvp_bl2_measured_boot.c @@ -7,6 +7,7 @@ #include #include +#include #include #include @@ -35,6 +36,38 @@ const event_log_metadata_t fvp_event_log_metadata[] = { { EVLOG_INVALID_ID, NULL, (unsigned int)(-1) } /* Terminator */ }; +/* FVP table with platform specific image IDs and metadata. Intentionally not a + * const struct, some members might set by bootloaders during trusted boot. + */ +struct rss_mboot_metadata fvp_rss_mboot_metadata[] = { + { + .id = BL31_IMAGE_ID, + .slot = U(9), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_BL31_STRING, + .lock_measurement = true }, + { + .id = HW_CONFIG_ID, + .slot = U(10), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_HW_CONFIG_STRING, + .lock_measurement = true }, + { + .id = SOC_FW_CONFIG_ID, + .slot = U(11), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_SOC_FW_CONFIG_STRING, + .lock_measurement = true }, + { + .id = RMM_IMAGE_ID, + .slot = U(12), + .signer_id_size = SIGNER_ID_MIN_SIZE, + .sw_type = RSS_MBOOT_RMM_STRING, + .lock_measurement = true }, + { + .id = RSS_MBOOT_INVALID_ID } +}; + void bl2_plat_mboot_init(void) { uint8_t *event_log_start; @@ -64,6 +97,8 @@ void bl2_plat_mboot_init(void) PLAT_ARM_EVENT_LOG_MAX_SIZE); event_log_init((uint8_t *)event_log_start, event_log_finish); + + rss_measured_boot_init(); } int plat_mboot_measure_critical_data(unsigned int critical_data_id, diff --git a/plat/arm/board/fvp/fvp_common_measured_boot.c b/plat/arm/board/fvp/fvp_common_measured_boot.c index 6a403d945..93aa0558c 100644 --- a/plat/arm/board/fvp/fvp_common_measured_boot.c +++ b/plat/arm/board/fvp/fvp_common_measured_boot.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -9,27 +9,47 @@ #include #include +#include #include #include extern event_log_metadata_t fvp_event_log_metadata[]; +extern struct rss_mboot_metadata fvp_rss_mboot_metadata[]; const event_log_metadata_t *plat_event_log_get_metadata(void) { return fvp_event_log_metadata; } +struct rss_mboot_metadata *plat_rss_mboot_get_metadata(void) +{ + return fvp_rss_mboot_metadata; +} + int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data) { + int err; + int rc = 0; + /* Calculate image hash and record data in Event Log */ - int err = event_log_measure_and_record(image_data->image_base, - image_data->image_size, - image_id); + err = event_log_measure_and_record(image_data->image_base, + image_data->image_size, + image_id); if (err != 0) { ERROR("%s%s image id %u (%i)\n", - "Failed to ", "record", image_id, err); - return err; + "Failed to ", "record in event log", image_id, err); + rc = err; } - return 0; + /* Calculate image hash and record data in RSS */ + err = rss_mboot_measure_and_record(image_data->image_base, + image_data->image_size, + image_id); + if (err != 0) { + ERROR("%s%s image id %u (%i)\n", + "Failed to ", "record in RSS", image_id, err); + rc = (rc == 0) ? err : -1; + } + + return rc; } diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk index d89e91f71..89ca18540 100644 --- a/plat/arm/board/fvp/platform.mk +++ b/plat/arm/board/fvp/platform.mk @@ -367,14 +367,36 @@ ifneq (${BL2_AT_EL3}, 0) override BL1_SOURCES = endif +# Include Measured Boot makefile before any Crypto library makefile. +# Crypto library makefile may need default definitions of Measured Boot build +# flags present in Measured Boot makefile. +ifeq (${MEASURED_BOOT},1) + RSS_MEASURED_BOOT_MK := drivers/measured_boot/rss/rss_measured_boot.mk + $(info Including ${RSS_MEASURED_BOOT_MK}) + include ${RSS_MEASURED_BOOT_MK} + + BL1_SOURCES += ${MEASURED_BOOT_SOURCES} + BL2_SOURCES += ${MEASURED_BOOT_SOURCES} +endif + include plat/arm/board/common/board_common.mk include plat/arm/common/arm_common.mk ifeq (${MEASURED_BOOT},1) BL1_SOURCES += plat/arm/board/fvp/fvp_common_measured_boot.c \ - plat/arm/board/fvp/fvp_bl1_measured_boot.c + plat/arm/board/fvp/fvp_bl1_measured_boot.c \ + lib/psa/measured_boot.c + BL2_SOURCES += plat/arm/board/fvp/fvp_common_measured_boot.c \ - plat/arm/board/fvp/fvp_bl2_measured_boot.c + plat/arm/board/fvp/fvp_bl2_measured_boot.c \ + lib/psa/measured_boot.c + +PLAT_INCLUDES += -Iinclude/lib/psa + +# RSS is not supported on FVP right now. Thus, we use the mocked version +# of PSA Measured Boot APIs. They return with success and hard-coded data. +PLAT_RSS_NOT_SUPPORTED := 1 + endif ifeq (${TRUSTED_BOARD_BOOT}, 1)