diff options
| -rw-r--r-- | docs/user-guide.rst | 6 | ||||
| -rw-r--r-- | drivers/auth/tbbr/tbbr_cot.c | 48 | ||||
| -rw-r--r-- | include/common/tbbr/tbbr_img_def.h | 8 | ||||
| -rw-r--r-- | include/tools_share/firmware_image_package.h | 6 | ||||
| -rw-r--r-- | include/tools_share/tbbr_oid.h | 4 | ||||
| -rw-r--r-- | make_helpers/tbbr/tbbr_tools.mk | 8 | ||||
| -rw-r--r-- | plat/arm/common/arm_common.mk | 9 | ||||
| -rw-r--r-- | plat/arm/common/arm_io_storage.c | 20 | ||||
| -rw-r--r-- | tools/cert_create/include/tbbr/tbb_ext.h | 4 | ||||
| -rw-r--r-- | tools/cert_create/src/tbbr/tbb_cert.c | 8 | ||||
| -rw-r--r-- | tools/cert_create/src/tbbr/tbb_ext.c | 20 | ||||
| -rw-r--r-- | tools/fiptool/fip_create.sh | 4 | ||||
| -rw-r--r-- | tools/fiptool/tbbr_config.c | 10 |
13 files changed, 147 insertions, 8 deletions
diff --git a/docs/user-guide.rst b/docs/user-guide.rst index ec8c2333..7f949d49 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst @@ -256,6 +256,12 @@ Common build options BL32 image for the ``fip`` target. In this case, the BL32 in the ARM Trusted Firmware will not be built. +- ``BL32_EXTRA1``: This is an optional build option which specifies the path to + Trusted OS Extra1 image for the ``fip`` target. + +- ``BL32_EXTRA2``: This is an optional build option which specifies the path to + Trusted OS Extra2 image for the ``fip`` target. + - ``BL32_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the file that contains the BL32 private key in PEM format. If ``SAVE_KEYS=1``, this file name will be used to save the key. diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c index a9a4b37f..4aaab390 100644 --- a/drivers/auth/tbbr/tbbr_cot.c +++ b/drivers/auth/tbbr/tbbr_cot.c @@ -30,6 +30,8 @@ static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN]; static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; static unsigned char trusted_world_pk_buf[PK_DER_LEN]; static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; @@ -74,6 +76,10 @@ static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); +static auth_param_type_desc_t tos_fw_extra1_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA1_HASH_OID); +static auth_param_type_desc_t tos_fw_extra2_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_EXTRA2_HASH_OID); static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( @@ -404,6 +410,20 @@ static const auth_img_desc_t cot_desc[] = { .ptr = (void *)tos_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } + }, + [1] = { + .type_desc = &tos_fw_extra1_hash, + .data = { + .ptr = (void *)tos_fw_extra1_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [2] = { + .type_desc = &tos_fw_extra2_hash, + .data = { + .ptr = (void *)tos_fw_extra2_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } } } }, @@ -421,6 +441,34 @@ static const auth_img_desc_t cot_desc[] = { } } }, + [BL32_EXTRA1_IMAGE_ID] = { + .img_id = BL32_EXTRA1_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tos_fw_extra1_hash, + } + } + } + }, + [BL32_EXTRA2_IMAGE_ID] = { + .img_id = BL32_EXTRA2_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &tos_fw_extra2_hash, + } + } + } + }, /* * Non-Trusted Firmware */ diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h index bf03c1c7..3e68b648 100644 --- a/include/common/tbbr/tbbr_img_def.h +++ b/include/common/tbbr/tbbr_img_def.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -54,4 +54,10 @@ /* Non-Trusted FWU Firmware NS_BL2U */ #define NS_BL2U_IMAGE_ID 20 +/* Secure Payload BL32_EXTRA1 (Trusted OS Extra1) */ +#define BL32_EXTRA1_IMAGE_ID 21 + +/* Secure Payload BL32_EXTRA2 (Trusted OS Extra2) */ +#define BL32_EXTRA2_IMAGE_ID 22 + #endif /* __TBBR_IMG_DEF_H__ */ diff --git a/include/tools_share/firmware_image_package.h b/include/tools_share/firmware_image_package.h index dcf16b48..c39e6f02 100644 --- a/include/tools_share/firmware_image_package.h +++ b/include/tools_share/firmware_image_package.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2014-2017, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -31,6 +31,10 @@ {0x6d08d447, 0xfe4c, 0x4698, 0x9b, 0x95, {0x29, 0x50, 0xcb, 0xbd, 0x5a, 0x00} } #define UUID_SECURE_PAYLOAD_BL32 \ {0x89e1d005, 0xdc53, 0x4713, 0x8d, 0x2b, {0x50, 0x0a, 0x4b, 0x7a, 0x3e, 0x38} } +#define UUID_SECURE_PAYLOAD_BL32_EXTRA1 \ + {0x9bc2700b, 0x5a2a, 0x4078, 0x9f, 0x65, {0x0a, 0x56, 0x82, 0x73, 0x82, 0x88} } +#define UUID_SECURE_PAYLOAD_BL32_EXTRA2 \ + {0xb17ba88e, 0xa2cf, 0x4d3f, 0x85, 0xfd, {0xe7, 0xbb, 0xa5, 0x02, 0x20, 0xd9} } #define UUID_NON_TRUSTED_FIRMWARE_BL33 \ {0xa7eed0d6, 0xeafc, 0x4bd5, 0x97, 0x82, {0x99, 0x34, 0xf2, 0x34, 0xb6, 0xe4} } /* Key certificates */ diff --git a/include/tools_share/tbbr_oid.h b/include/tools_share/tbbr_oid.h index 7a340878..e57790c6 100644 --- a/include/tools_share/tbbr_oid.h +++ b/include/tools_share/tbbr_oid.h @@ -119,6 +119,10 @@ /* TrustedOSFirmwareHash - BL32 */ #define TRUSTED_OS_FW_HASH_OID "1.3.6.1.4.1.4128.2100.1001" +/* TrustedOSExtra1FirmwareHash - BL32 Extra1 */ +#define TRUSTED_OS_FW_EXTRA1_HASH_OID "1.3.6.1.4.1.4128.2100.1002" +/* TrustedOSExtra2FirmwareHash - BL32 Extra2 */ +#define TRUSTED_OS_FW_EXTRA2_HASH_OID "1.3.6.1.4.1.4128.2100.1003" /* diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk index 610ccb88..712fa6f6 100644 --- a/make_helpers/tbbr/tbbr_tools.mk +++ b/make_helpers/tbbr/tbbr_tools.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -95,6 +95,12 @@ ifeq (${NEED_BL32},yes) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert)) +ifneq (${BL32_EXTRA1},) + $(eval $(call CERT_ADD_CMD_OPT,${BL32_EXTRA1},--tos-fw-extra1,true)) +endif +ifneq (${BL32_EXTRA2},) + $(eval $(call CERT_ADD_CMD_OPT,${BL32_EXTRA2},--tos-fw-extra2,true)) +endif endif # Add the BL33 CoT (key cert + img cert + image) diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk index e0b7af40..807a1f83 100644 --- a/plat/arm/common/arm_common.mk +++ b/plat/arm/common/arm_common.mk @@ -80,6 +80,15 @@ $(eval $(call add_define,ARM_XLAT_TABLES_LIB_V1)) # speed. $(eval $(call add_define,MBEDTLS_SHA256_SMALLER)) +# Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images +# in the FIP if the platform requires. +ifneq ($(BL32_EXTRA1),) +$(eval $(call FIP_ADD_IMG,BL32_EXTRA1,--tos-fw-extra1)) +endif +ifneq ($(BL32_EXTRA2),) +$(eval $(call FIP_ADD_IMG,BL32_EXTRA2,--tos-fw-extra2)) +endif + # Enable PSCI_STAT_COUNT/RESIDENCY APIs on ARM platforms ENABLE_PSCI_STAT := 1 ENABLE_PMF := 1 diff --git a/plat/arm/common/arm_io_storage.c b/plat/arm/common/arm_io_storage.c index 74e68245..794ef619 100644 --- a/plat/arm/common/arm_io_storage.c +++ b/plat/arm/common/arm_io_storage.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -41,6 +41,14 @@ static const io_uuid_spec_t bl32_uuid_spec = { .uuid = UUID_SECURE_PAYLOAD_BL32, }; +static const io_uuid_spec_t bl32_extra1_uuid_spec = { + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA1, +}; + +static const io_uuid_spec_t bl32_extra2_uuid_spec = { + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA2, +}; + static const io_uuid_spec_t bl33_uuid_spec = { .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33, }; @@ -124,6 +132,16 @@ static const struct plat_io_policy policies[] = { (uintptr_t)&bl32_uuid_spec, open_fip }, + [BL32_EXTRA1_IMAGE_ID] = { + &fip_dev_handle, + (uintptr_t)&bl32_extra1_uuid_spec, + open_fip + }, + [BL32_EXTRA2_IMAGE_ID] = { + &fip_dev_handle, + (uintptr_t)&bl32_extra2_uuid_spec, + open_fip + }, [BL33_IMAGE_ID] = { &fip_dev_handle, (uintptr_t)&bl33_uuid_spec, diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h index 72d33854..85ad3595 100644 --- a/tools/cert_create/include/tbbr/tbb_ext.h +++ b/tools/cert_create/include/tbbr/tbb_ext.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -21,6 +21,8 @@ enum { SOC_AP_FW_HASH_EXT, TRUSTED_OS_FW_CONTENT_CERT_PK_EXT, TRUSTED_OS_FW_HASH_EXT, + TRUSTED_OS_FW_EXTRA1_HASH_EXT, + TRUSTED_OS_FW_EXTRA2_HASH_EXT, NON_TRUSTED_FW_CONTENT_CERT_PK_EXT, NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, SCP_FWU_CFG_HASH_EXT, diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c index 376096b6..c815178c 100644 --- a/tools/cert_create/src/tbbr/tbb_cert.c +++ b/tools/cert_create/src/tbbr/tbb_cert.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -125,9 +125,11 @@ static cert_t tbb_certs[] = { .issuer = TRUSTED_OS_FW_CONTENT_CERT, .ext = { TRUSTED_FW_NVCOUNTER_EXT, - TRUSTED_OS_FW_HASH_EXT + TRUSTED_OS_FW_HASH_EXT, + TRUSTED_OS_FW_EXTRA1_HASH_EXT, + TRUSTED_OS_FW_EXTRA2_HASH_EXT }, - .num_ext = 2 + .num_ext = 4 }, [NON_TRUSTED_FW_KEY_CERT] = { .id = NON_TRUSTED_FW_KEY_CERT, diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c index d9a8ea26..504b0fc0 100644 --- a/tools/cert_create/src/tbbr/tbb_ext.c +++ b/tools/cert_create/src/tbbr/tbb_ext.c @@ -120,6 +120,26 @@ static ext_t tbb_ext[] = { .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH }, + [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = { + .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID, + .opt = "tos-fw-extra1", + .help_msg = "Trusted OS Extra1 image file", + .sn = "TrustedOSExtra1Hash", + .ln = "Trusted OS Extra1 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = { + .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID, + .opt = "tos-fw-extra2", + .help_msg = "Trusted OS Extra2 image file", + .sn = "TrustedOSExtra2Hash", + .ln = "Trusted OS Extra2 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, [NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = { .oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID, .sn = "NonTrustedFirmwareContentCertPK", diff --git a/tools/fiptool/fip_create.sh b/tools/fiptool/fip_create.sh index f1e1f451..0e80199f 100644 --- a/tools/fiptool/fip_create.sh +++ b/tools/fiptool/fip_create.sh @@ -28,6 +28,8 @@ Components that can be added/updated: --scp-fw FILENAME SCP Firmware SCP_BL2 --soc-fw FILENAME EL3 Runtime Firmware BL31 --tos-fw FILENAME Secure Payload BL32 (Trusted OS) + --tos-fw-extra1 FILENAME Secure Payload BL32 Extra1 (Trusted OS Extra1) + --tos-fw-extra2 FILENAME Secure Payload BL32 Extra2 (Trusted OS Extra2) --nt-fw FILENAME Non-Trusted Firmware BL33 --rot-cert FILENAME Root Of Trust key certificate --trusted-key-cert FILENAME Trusted key certificate @@ -69,6 +71,8 @@ while :; do --scp-fw | \ --soc-fw | \ --tos-fw | \ + --tos-fw-extra1 | \ + --tos-fw-extra2 | \ --nt-fw | \ --rot-cert | \ --trusted-key-cert | \ diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c index 7c6c24be..827cab28 100644 --- a/tools/fiptool/tbbr_config.c +++ b/tools/fiptool/tbbr_config.c @@ -53,6 +53,16 @@ toc_entry_t toc_entries[] = { .cmdline_name = "tos-fw" }, { + .name = "Secure Payload BL32 Extra1 (Trusted OS Extra1)", + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA1, + .cmdline_name = "tos-fw-extra1" + }, + { + .name = "Secure Payload BL32 Extra2 (Trusted OS Extra2)", + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA2, + .cmdline_name = "tos-fw-extra2" + }, + { .name = "Non-Trusted Firmware BL33", .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33, .cmdline_name = "nt-fw" |