diff options
| author | Masahiro Yamada <yamada.masahiro@socionext.com> | 2017-06-14 20:38:12 +0900 |
|---|---|---|
| committer | Masahiro Yamada <yamada.masahiro@socionext.com> | 2017-06-20 23:54:28 +0900 |
| commit | 63634800fcd82c3395959bcc88328427f6c06308 (patch) | |
| tree | e334cb88c8b3a1292d712ad38b774701f5cf29bd /plat/socionext | |
| parent | 0dc3c353054896722b7cbfbd04a4d845619485e7 (diff) | |
uniphier: embed ROTPK hash into BL1/BL2
Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info().
It is up to users how to retrieve ROTPK if the ROT verification is
desired. This is not nice.
This commit improves plat_get_rotpk_info() implementation and automates
the ROTPK deployment. UniPhier platform has no ROTPK storage, so it
should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case.
This makes sense because UniPhier platform implements its internal ROM
i.e. BL1 is used as updatable pseudo ROM.
Things work like this:
- ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing.
Users can override ROT_KEY from the command line if they want to
use a specific ROT key.
- ROTPK_HASH is generated based on ROT_KEY.
- ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2.
- ROT_KEY is input to cert_create tool.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Diffstat (limited to 'plat/socionext')
| -rw-r--r-- | plat/socionext/uniphier/platform.mk | 18 | ||||
| -rw-r--r-- | plat/socionext/uniphier/uniphier_rotpk.S | 15 | ||||
| -rw-r--r-- | plat/socionext/uniphier/uniphier_tbbr.c | 6 |
3 files changed, 38 insertions, 1 deletions
diff --git a/plat/socionext/uniphier/platform.mk b/plat/socionext/uniphier/platform.mk index af8e3ace..7ea0f108 100644 --- a/plat/socionext/uniphier/platform.mk +++ b/plat/socionext/uniphier/platform.mk @@ -86,11 +86,29 @@ TBB_SOURCES := drivers/auth/auth_mod.c \ drivers/auth/img_parser_mod.c \ drivers/auth/tbbr/tbbr_cot.c \ plat/common/tbbr/plat_tbbr.c \ + $(PLAT_PATH)/uniphier_rotpk.S \ $(PLAT_PATH)/uniphier_tbbr.c BL1_SOURCES += $(TBB_SOURCES) BL2_SOURCES += $(TBB_SOURCES) +ROT_KEY = $(BUILD_PLAT)/rot_key.pem +ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin + +$(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"')) +$(BUILD_PLAT)/bl1/uniphier_rotpk.o: $(ROTPK_HASH) +$(BUILD_PLAT)/bl2/uniphier_rotpk.o: $(ROTPK_HASH) + +certificates: $(ROT_KEY) +$(ROT_KEY): + @echo " OPENSSL $@" + $(Q)openssl genrsa 2048 > $@ 2>/dev/null + +$(ROTPK_HASH): $(ROT_KEY) + @echo " OPENSSL $@" + $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ + openssl dgst -sha256 -binary > $@ 2>/dev/null + endif .PHONY: bl1_gzip diff --git a/plat/socionext/uniphier/uniphier_rotpk.S b/plat/socionext/uniphier/uniphier_rotpk.S new file mode 100644 index 00000000..0045a349 --- /dev/null +++ b/plat/socionext/uniphier/uniphier_rotpk.S @@ -0,0 +1,15 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + + .global uniphier_rotpk_hash + .global uniphier_rotpk_hash_end +uniphier_rotpk_hash: + /* DER header */ + .byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48 + .byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 + /* SHA256 */ + .incbin ROTPK_HASH +uniphier_rotpk_hash_end: diff --git a/plat/socionext/uniphier/uniphier_tbbr.c b/plat/socionext/uniphier/uniphier_tbbr.c index cafe1a37..1c834111 100644 --- a/plat/socionext/uniphier/uniphier_tbbr.c +++ b/plat/socionext/uniphier/uniphier_tbbr.c @@ -6,10 +6,14 @@ #include <platform.h> +extern char uniphier_rotpk_hash[], uniphier_rotpk_hash_end[]; + int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len, unsigned int *flags) { - *flags = ROTPK_NOT_DEPLOYED; + *key_ptr = uniphier_rotpk_hash; + *key_len = uniphier_rotpk_hash_end - uniphier_rotpk_hash; + *flags = ROTPK_IS_HASH; return 0; } |