diff options
| author | Juan Castillo <juan.castillo@arm.com> | 2015-01-07 13:49:59 +0000 |
|---|---|---|
| committer | Dan Handley <dan.handley@arm.com> | 2015-01-28 18:27:54 +0000 |
| commit | 01df3c14677db0eab68f088f2721542f88ea4004 (patch) | |
| tree | 0969d3733cd4269c516bfab5a6f0399074086cfe /bl1/bl1_main.c | |
| parent | 40febc3ac81c9255bd64848cef0a37c0376740fa (diff) | |
TBB: authenticate BL2 image and certificate
This patch adds support to authenticate the BL2 content certificate
and image using the authentication module in BL1.
The FIP driver has been extended to include the BL2 certificate
UUID.
FVP and Juno ports include the BL2 certificate FIP file
definition.
Change-Id: I32680e9bd123c8db4a4193c14448c9b32b0e9325
Diffstat (limited to 'bl1/bl1_main.c')
| -rw-r--r-- | bl1/bl1_main.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c index a5bd648c..491fd5cf 100644 --- a/bl1/bl1_main.c +++ b/bl1/bl1_main.c @@ -31,6 +31,7 @@ #include <arch.h> #include <arch_helpers.h> #include <assert.h> +#include <auth.h> #include <bl_common.h> #include <debug.h> #include <platform.h> @@ -141,6 +142,34 @@ void bl1_main(void) /* Find out how much free trusted ram remains after BL1 load */ bl1_tzram_layout = bl1_plat_sec_mem_layout(); +#if TRUSTED_BOARD_BOOT + /* Initialize authentication module */ + auth_init(); + + /* + * Load the BL2 certificate into the BL2 region. This region will be + * overwritten by the image, so the authentication module is responsible + * for storing the relevant data from the certificate (keys, hashes, + * etc.) so it can be used later. + */ + err = load_image(bl1_tzram_layout, + BL2_CERT_NAME, + BL2_BASE, + &bl2_image_info, + NULL); + if (err) { + ERROR("Failed to load BL2 certificate.\n"); + panic(); + } + + err = auth_verify_obj(AUTH_BL2_IMG_CERT, bl2_image_info.image_base, + bl2_image_info.image_size); + if (err) { + ERROR("Failed to validate BL2 certificate.\n"); + panic(); + } +#endif /* TRUSTED_BOARD_BOOT */ + /* Load the BL2 image */ err = load_image(bl1_tzram_layout, BL2_IMAGE_NAME, @@ -155,6 +184,20 @@ void bl1_main(void) ERROR("Failed to load BL2 firmware.\n"); panic(); } + +#if TRUSTED_BOARD_BOOT + err = auth_verify_obj(AUTH_BL2_IMG, bl2_image_info.image_base, + bl2_image_info.image_size); + if (err) { + ERROR("Failed to validate BL2 image.\n"); + panic(); + } + + /* After working with data, invalidate the data cache */ + inv_dcache_range(bl2_image_info.image_base, + (size_t)bl2_image_info.image_size); +#endif /* TRUSTED_BOARD_BOOT */ + /* * Create a new layout of memory for BL2 as seen by BL1 i.e. * tell it the amount of total and free memory available. |