From 63634800fcd82c3395959bcc88328427f6c06308 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Wed, 14 Jun 2017 20:38:12 +0900 Subject: [PATCH] uniphier: embed ROTPK hash into BL1/BL2 Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info(). It is up to users how to retrieve ROTPK if the ROT verification is desired. This is not nice. This commit improves plat_get_rotpk_info() implementation and automates the ROTPK deployment. UniPhier platform has no ROTPK storage, so it should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case. This makes sense because UniPhier platform implements its internal ROM i.e. BL1 is used as updatable pseudo ROM. Things work like this: - ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing. Users can override ROT_KEY from the command line if they want to use a specific ROT key. - ROTPK_HASH is generated based on ROT_KEY. - ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2. - ROT_KEY is input to cert_create tool. Signed-off-by: Masahiro Yamada --- plat/socionext/uniphier/platform.mk | 18 ++++++++++++++++++ plat/socionext/uniphier/uniphier_rotpk.S | 15 +++++++++++++++ plat/socionext/uniphier/uniphier_tbbr.c | 6 +++++- 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 plat/socionext/uniphier/uniphier_rotpk.S diff --git a/plat/socionext/uniphier/platform.mk b/plat/socionext/uniphier/platform.mk index af8e3acea..7ea0f1080 100644 --- a/plat/socionext/uniphier/platform.mk +++ b/plat/socionext/uniphier/platform.mk @@ -86,11 +86,29 @@ TBB_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/img_parser_mod.c \ drivers/auth/tbbr/tbbr_cot.c \ plat/common/tbbr/plat_tbbr.c \ + $(PLAT_PATH)/uniphier_rotpk.S \ $(PLAT_PATH)/uniphier_tbbr.c BL1_SOURCES += $(TBB_SOURCES) BL2_SOURCES += $(TBB_SOURCES) +ROT_KEY = $(BUILD_PLAT)/rot_key.pem +ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin + +$(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"')) +$(BUILD_PLAT)/bl1/uniphier_rotpk.o: $(ROTPK_HASH) +$(BUILD_PLAT)/bl2/uniphier_rotpk.o: $(ROTPK_HASH) + +certificates: $(ROT_KEY) +$(ROT_KEY): + @echo " OPENSSL $@" + $(Q)openssl genrsa 2048 > $@ 2>/dev/null + +$(ROTPK_HASH): $(ROT_KEY) + @echo " OPENSSL $@" + $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ + openssl dgst -sha256 -binary > $@ 2>/dev/null + endif .PHONY: bl1_gzip diff --git a/plat/socionext/uniphier/uniphier_rotpk.S b/plat/socionext/uniphier/uniphier_rotpk.S new file mode 100644 index 000000000..0045a3495 --- /dev/null +++ b/plat/socionext/uniphier/uniphier_rotpk.S @@ -0,0 +1,15 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + + .global uniphier_rotpk_hash + .global uniphier_rotpk_hash_end +uniphier_rotpk_hash: + /* DER header */ + .byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48 + .byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 + /* SHA256 */ + .incbin ROTPK_HASH +uniphier_rotpk_hash_end: diff --git a/plat/socionext/uniphier/uniphier_tbbr.c b/plat/socionext/uniphier/uniphier_tbbr.c index cafe1a378..1c8341119 100644 --- a/plat/socionext/uniphier/uniphier_tbbr.c +++ b/plat/socionext/uniphier/uniphier_tbbr.c @@ -6,10 +6,14 @@ #include +extern char uniphier_rotpk_hash[], uniphier_rotpk_hash_end[]; + int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len, unsigned int *flags) { - *flags = ROTPK_NOT_DEPLOYED; + *key_ptr = uniphier_rotpk_hash; + *key_len = uniphier_rotpk_hash_end - uniphier_rotpk_hash; + *flags = ROTPK_IS_HASH; return 0; }