TBB: add platform API to read the ROTPK information
authorJuan Castillo <[email protected]>
Tue, 14 Apr 2015 11:49:03 +0000 (12:49 +0100)
committerJuan Castillo <[email protected]>
Thu, 25 Jun 2015 07:53:26 +0000 (08:53 +0100)
This patch extends the platform port by adding an API that returns
either the Root of Trust public key (ROTPK) or its hash. This is
usually stored in ROM or eFUSE memory. The ROTPK returned must be
encoded in DER format according to the following ASN.1 structure:

    SubjectPublicKeyInfo  ::=  SEQUENCE  {
        algorithm           AlgorithmIdentifier,
        subjectPublicKey    BIT STRING
    }

In case the platform returns a hash of the key:

    DigestInfo  ::= SEQUENCE {
        digestAlgorithm     AlgorithmIdentifier,
        keyDigest           OCTET STRING
    }

An implementation for ARM development platforms is provided in this
patch. When TBB is enabled, the ROTPK hash location must be specified
using the build option 'ARM_ROTPK_LOCATION'. Available options are:

    - 'regs' : return the ROTPK hash stored in the Trusted
      root-key storage registers.

    - 'devel_rsa' : return a ROTPK hash embedded in the BL1 and
      BL2 binaries. This hash has been obtained from the development
      RSA public key located in 'plat/arm/board/common/rotpk'.

On FVP, the number of MMU tables has been increased to map and
access the ROTPK registers.

A new file 'board_common.mk' has been added to improve code sharing
in the ARM development platforms.

Change-Id: Ib25862e5507d1438da10773e62bd338da8f360bf

14 files changed:
docs/porting-guide.md
docs/user-guide.md
include/plat/arm/board/common/board_arm_def.h
include/plat/arm/soc/common/soc_css_def.h
include/plat/common/platform.h
plat/arm/board/common/board_arm_trusted_boot.c
plat/arm/board/common/board_common.mk [new file with mode: 0644]
plat/arm/board/common/board_css.mk
plat/arm/board/common/rotpk/arm_rotpk_rsa.der [new file with mode: 0644]
plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin [new file with mode: 0644]
plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem [new file with mode: 0644]
plat/arm/board/fvp/aarch64/fvp_common.c
plat/arm/board/fvp/fvp_def.h
plat/arm/board/fvp/platform.mk

index 4f842c48d886d5324d96e2ee0042832b0b287172..d0096054b0d8935923e8e5ae94f4d6fd2c22f1e6 100644 (file)
@@ -483,6 +483,38 @@ returns 0 (success) if that key matches the ROT (Root Of Trust) key stored in
 the platform. Any other return value means a mismatch.
 
 
+### Function: plat_get_rotpk_info()
+
+    Argument : void *, void **, unsigned int *, unsigned int *
+    Return   : int
+
+This function is mandatory when Trusted Board Boot is enabled. It returns a
+pointer to the ROTPK stored in the platform (or a hash of it) and its length.
+The ROTPK must be encoded in DER format according to the following ASN.1
+structure:
+
+    AlgorithmIdentifier  ::=  SEQUENCE  {
+        algorithm         OBJECT IDENTIFIER,
+        parameters        ANY DEFINED BY algorithm OPTIONAL
+    }
+
+    SubjectPublicKeyInfo  ::=  SEQUENCE  {
+        algorithm         AlgorithmIdentifier,
+        subjectPublicKey  BIT STRING
+    }
+
+In case the function returns a hash of the key:
+
+    DigestInfo ::= SEQUENCE {
+        digestAlgorithm   AlgorithmIdentifier,
+        digest            OCTET STRING
+    }
+
+The function returns 0 on success. Any other value means the ROTPK could not be
+retrieved from the platform. The function also reports extra information related
+to the ROTPK in the flags parameter.
+
+
 
 2.3 Common optional modifications
 ---------------------------------
index 184e46ab78119cc68799179e0e986a465eb66910..742f6165081e087b9c2ec4ae31d6b9e3097084af 100644 (file)
@@ -346,6 +346,23 @@ performed.
 For a better understanding of these options, the ARM development platform memory
 map is explained in the [Firmware Design].
 
+*   `ARM_ROTPK_LOCATION`: used when `TRUSTED_BOARD_BOOT=1`. It specifies the
+    location of the ROTPK hash returned by the function `plat_get_rotpk_info()`
+    for ARM platforms. Depending on the selected option, the proper private key
+    must be specified using the `ROT_KEY` option when building the Trusted
+    Firmware. This private key will be used by the certificate generation tool
+    to sign the BL2 and Trusted Key certificates. Available options for
+    `ARM_ROTPK_LOCATION` are:
+
+    -   `regs` : return the ROTPK hash stored in the Trusted root-key storage
+        registers. The private key corresponding to this ROTPK hash is not
+        currently available.
+    -   `devel_rsa` : return a development public key hash embedded in the BL1
+        and BL2 binaries. This hash has been obtained from the RSA public key
+        `arm_rotpk_rsa.der`, located in `plat/arm/board/common/rotpk`. To use
+        this option, `arm_rotprivk_rsa.pem` must be specified as `ROT_KEY` when
+        creating the certificates.
+
 #### ARM CSS platform specific build options
 
 *   `CSS_DETECT_PRE_1_7_0_SCP`: Boolean flag to detect SCP version
index 21dee7e478620d2f974e8ea795a4288431e349e7..3abf235eb0dd004571f918cfc5174dfacf87549e 100644 (file)
  * plat_arm_mmap array defined for each BL stage.
  */
 #if IMAGE_BL1
-# define PLAT_ARM_MMAP_ENTRIES         6
+# if PLAT_fvp
+#  define PLAT_ARM_MMAP_ENTRIES                7
+# else
+#  define PLAT_ARM_MMAP_ENTRIES                6
+# endif
 #endif
 #if IMAGE_BL2
-# define PLAT_ARM_MMAP_ENTRIES         8
+# if PLAT_fvp
+#  define PLAT_ARM_MMAP_ENTRIES                9
+# else
+#  define PLAT_ARM_MMAP_ENTRIES                8
+# endif
 #endif
 #if IMAGE_BL31
-# define PLAT_ARM_MMAP_ENTRIES         5
+#define PLAT_ARM_MMAP_ENTRIES          5
 #endif
 #if IMAGE_BL32
-# define PLAT_ARM_MMAP_ENTRIES         4
+#define PLAT_ARM_MMAP_ENTRIES          4
 #endif
 
 /*
  * Platform specific page table and MMU setup constants
  */
 #if IMAGE_BL1
-# if PLAT_fvp || PLAT_juno
+# if PLAT_juno
 #  define MAX_XLAT_TABLES              2
 # else
 #  define MAX_XLAT_TABLES              3
 # endif /* PLAT_ */
 #elif IMAGE_BL2
-# define MAX_XLAT_TABLES               3
+# if PLAT_juno
+#  define MAX_XLAT_TABLES              3
+# else
+#  define MAX_XLAT_TABLES              4
+# endif /* PLAT_ */
 #elif IMAGE_BL31
 # define MAX_XLAT_TABLES               2
 #elif IMAGE_BL32
index 8b43e4cef8276a3c33c0e4bb4ebcb7a6ade31301..428df4d20e46651e00a8483a1cddfab2a297c3b9 100644 (file)
  */
 #define SOC_CSS_NIC400_APB4_BRIDGE     4
 
+/* Keys */
+#define SOC_KEYS_BASE                  0x7fe80000
+#define TZ_PUB_KEY_HASH_BASE           (SOC_KEYS_BASE + 0x0000)
+#define TZ_PUB_KEY_HASH_SIZE           32
+#define HU_KEY_BASE                    (SOC_KEYS_BASE + 0x0020)
+#define HU_KEY_SIZE                    16
+#define END_KEY_BASE                   (SOC_KEYS_BASE + 0x0044)
+#define END_KEY_SIZE                   32
 
 #define SOC_CSS_MAP_DEVICE             MAP_REGION_FLAT(                \
                                                SOC_CSS_DEVICE_BASE,    \
index 73c2fdd4a03f8f7a3377c5605accf3422cc0107e..d8fa8916797f4776cf1b3e2041fcf267979bf21f 100644 (file)
@@ -43,6 +43,11 @@ struct image_info;
 struct entry_point_info;
 struct bl31_params;
 
+/*******************************************************************************
+ * plat_get_rotpk_info() flags
+ ******************************************************************************/
+#define ROTPK_IS_HASH                  (1 << 0)
+
 /*******************************************************************************
  * Function declarations
  ******************************************************************************/
@@ -191,8 +196,10 @@ void bl31_plat_enable_mmu(uint32_t flags);
 void bl32_plat_enable_mmu(uint32_t flags);
 
 /*******************************************************************************
- * Trusted Boot functions
+ * Trusted Board Boot functions
  ******************************************************************************/
 int plat_match_rotpk(const unsigned char *, unsigned int);
+int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
+                       unsigned int *flags);
 
 #endif /* __PLATFORM_H__ */
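Review bot: The new prototype `plat_get_rotpk_info()` carries no comment saying what `cookie` is for or who owns the buffer returned through `key_ptr`. The ARM implementation in this commit ignores `cookie` and hands back a pointer to a file-scope static array. I would add a short comment above the declaration stating that `*key_ptr` points to platform-owned storage the caller must treat as read-only, that `*key_len` is the length of the DER encoding in bytes, and that `cookie` is platform-defined (unused by the ARM port). Separately, `ROTPK_IS_HASH` in the earlier hunk of this file is stored in an `unsigned int`, so `(1U << 0)` would match the type.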
index c6ad68abef7f7718da722568c66b2bd30e28128e..50379be4778083a689d57c6da4c346e967f52faa 100644 (file)
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <arm_def.h>
+#include <assert.h>
+#include <platform.h>
+#include <stdint.h>
+#include <string.h>
+
 /* Weak definition may be overridden in specific platform */
 #pragma weak plat_match_rotpk
+
+/* SHA256 algorithm */
+#define SHA256_BYTES                   32
+
+/* ROTPK locations */
+#define ARM_ROTPK_REGS_ID              1
+#define ARM_ROTPK_DEVEL_RSA_ID         2
+
+#if !ARM_ROTPK_LOCATION_ID
+  #error "ARM_ROTPK_LOCATION_ID not defined"
+#endif
+
+static const unsigned char rotpk_hash_hdr[] =          \
+               "\x30\x31\x30\x0D\x06\x09\x60\x86\x48"  \
+               "\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20";
+static const unsigned int rotpk_hash_hdr_len = sizeof(rotpk_hash_hdr) - 1;
+static unsigned char rotpk_hash_der[sizeof(rotpk_hash_hdr) - 1 + SHA256_BYTES];
+
+#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID)
+static const unsigned char arm_devel_rotpk_hash[] =    \
+               "\xB0\xF3\x82\x09\x12\x97\xD8\x3A"      \
+               "\x37\x7A\x72\x47\x1B\xEC\x32\x73"      \
+               "\xE9\x92\x32\xE2\x49\x59\xF6\x5E"      \
+               "\x8B\x4A\x4A\x46\xD8\x22\x9A\xDA";
+#endif
+
 /*
  * Check the validity of the key
  *
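Review bot: The `#if !ARM_ROTPK_LOCATION_ID` guard only rejects an undefined or zero ID, so any other value that matches neither `ARM_ROTPK_REGS_ID` nor `ARM_ROTPK_DEVEL_RSA_ID` compiles cleanly. In that case neither copy branch of `plat_get_rotpk_info()` (added in the next hunk) is built, and the zero-initialised `rotpk_hash_der` payload would be returned as the ROTPK hash with a success code. The makefile added in this commit restricts the accepted values, but the C file should not rely on that alone: `#if (ARM_ROTPK_LOCATION_ID != ARM_ROTPK_REGS_ID) && (ARM_ROTPK_LOCATION_ID != ARM_ROTPK_DEVEL_RSA_ID)` followed by `#error "Unsupported ARM_ROTPK_LOCATION_ID"`. A one-line comment on `rotpk_hash_hdr` naming it as the DER prefix of a SHA-256 DigestInfo ending in the 32-byte OCTET STRING tag would also help readers check `sizeof(...) - 1`.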
@@ -40,3 +72,90 @@ int plat_match_rotpk(const unsigned char *key_buf, unsigned int key_len)
        /* TODO: check against the ROT key stored in the platform */
        return 0;
 }
+
+/*
+ * Return the ROTPK hash in the following ASN.1 structure in DER format:
+ *
+ * AlgorithmIdentifier  ::=  SEQUENCE  {
+ *     algorithm         OBJECT IDENTIFIER,
+ *     parameters        ANY DEFINED BY algorithm OPTIONAL
+ * }
+ *
+ * DigestInfo ::= SEQUENCE {
+ *     digestAlgorithm   AlgorithmIdentifier,
+ *     digest            OCTET STRING
+ * }
+ */
+int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
+                       unsigned int *flags)
+{
+       uint8_t *dst;
+
+       assert(key_ptr != NULL);
+       assert(key_len != NULL);
+       assert(flags != NULL);
+
+       /* Copy the DER header */
+       memcpy(rotpk_hash_der, rotpk_hash_hdr, rotpk_hash_hdr_len);
+       dst = (uint8_t *)&rotpk_hash_der[rotpk_hash_hdr_len];
+
+#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID)
+       memcpy(dst, arm_devel_rotpk_hash, SHA256_BYTES);
+#elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID)
+       uint32_t *src, tmp;
+       unsigned int words, i;
+
+       /*
+        * Append the hash from Trusted Root-Key Storage registers. The hash has
+        * not been written linearly into the registers, so we have to do a bit
+        * of byte swapping:
+        *
+        *     0x00    0x04    0x08    0x0C    0x10    0x14    0x18    0x1C
+        * +---------------------------------------------------------------+
+        * | Reg0  | Reg1  | Reg2  | Reg3  | Reg4  | Reg5  | Reg6  | Reg7  |
+        * +---------------------------------------------------------------+
+        *  | ...                    ... |   | ...                   ...  |
+        *  |       +--------------------+   |                    +-------+
+        *  |       |                        |                    |
+        *  +----------------------------+   +----------------------------+
+        *          |                    |                        |       |
+        *  +-------+                    |   +--------------------+       |
+        *  |                            |   |                            |
+        *  v                            v   v                            v
+        * +---------------------------------------------------------------+
+        * |                               |                               |
+        * +---------------------------------------------------------------+
+        *  0                           15  16                           31
+        *
+        * Additionally, we have to access the registers in 32-bit words
+        */
+       words = SHA256_BYTES >> 3;
+
+       /* Swap bytes 0-15 (first four registers) */
+       src = (uint32_t *)TZ_PUB_KEY_HASH_BASE;
+       for (i = 0 ; i < words ; i++) {
+               tmp = src[words - 1 - i];
+               /* Words are read in little endian */
+               *dst++ = (uint8_t)((tmp >> 24) & 0xFF);
+               *dst++ = (uint8_t)((tmp >> 16) & 0xFF);
+               *dst++ = (uint8_t)((tmp >> 8) & 0xFF);
+               *dst++ = (uint8_t)(tmp & 0xFF);
+       }
+
+       /* Swap bytes 16-31 (last four registers) */
+       src = (uint32_t *)(TZ_PUB_KEY_HASH_BASE + SHA256_BYTES / 2);
+       for (i = 0 ; i < words ; i++) {
+               tmp = src[words - 1 - i];
+               *dst++ = (uint8_t)((tmp >> 24) & 0xFF);
+               *dst++ = (uint8_t)((tmp >> 16) & 0xFF);
+               *dst++ = (uint8_t)((tmp >> 8) & 0xFF);
+               *dst++ = (uint8_t)(tmp & 0xFF);
+       }
+#endif /* (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) */
+
+       *key_ptr = (void *)rotpk_hash_der;
+       *key_len = (unsigned int)sizeof(rotpk_hash_der);
+       *flags = ROTPK_IS_HASH;
+       return 0;
+}
+
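Review bot: In the `regs` branch the Trusted root-key storage registers are read through a plain `uint32_t *` (`tmp = src[words - 1 - i];`). Nothing tells the compiler these are device accesses that must be performed as individual 32-bit loads, even though the comment above the loops says they have to be. Reading them with the project's MMIO accessor makes that explicit: `tmp = mmio_read_32(TZ_PUB_KEY_HASH_BASE + (words - 1 - i) * sizeof(uint32_t));` in the first loop, and the same with `SHA256_BYTES / 2` added to the base in the second (this needs `<mmio.h>` among the includes). `words = SHA256_BYTES >> 3` would also read more clearly as `(SHA256_BYTES / 2) / sizeof(uint32_t)`, since it is the word count of one 16-byte half.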
diff --git a/plat/arm/board/common/board_common.mk b/plat/arm/board/common/board_common.mk
new file mode 100644 (file)
index 0000000..bec49ed
--- /dev/null
@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# Neither the name of ARM nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+PLAT_INCLUDES          +=      -Iinclude/plat/arm/board/common/
+
+PLAT_BL_COMMON_SOURCES +=      drivers/arm/pl011/pl011_console.S                       \
+                               plat/arm/board/common/aarch64/board_arm_helpers.S
+
+#BL1_SOURCES           +=
+
+#BL2_SOURCES           +=
+
+#BL31_SOURCES          +=
+
+ifneq (${TRUSTED_BOARD_BOOT},0)
+    # ROTPK hash location
+    ifeq (${ARM_ROTPK_LOCATION}, regs)
+        ARM_ROTPK_LOCATION_ID = ARM_ROTPK_REGS_ID
+    else ifeq (${ARM_ROTPK_LOCATION}, devel_rsa)
+        ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_RSA_ID
+    else
+        $(error "Unsupported ARM_ROTPK_LOCATION value")
+    endif
+    $(eval $(call add_define,ARM_ROTPK_LOCATION_ID))
+
+    BL1_SOURCES                +=      plat/arm/board/common/board_arm_trusted_boot.c
+    BL2_SOURCES                +=      plat/arm/board/common/board_arm_trusted_boot.c
+endif
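Review bot: Selecting `devel_rsa` is silent at build time, yet the matching private key (`arm_rotprivk_rsa.pem`) is published in this same commit, so a firmware image built with that option will accept certificates anyone can sign. The user guide calls it a development key, but nothing in the build output records that choice. I would emit a warning in the `devel_rsa` branch, e.g. `$(warning "ARM_ROTPK_LOCATION=devel_rsa embeds a published development ROTPK hash; do not use in production")`, so it shows up in build logs and CI.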
index 691999b5152d686ea2838dd2e8a0815483a826a6..67e794e353ff0f0c63eede28550647bb23521533 100644 (file)
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
-PLAT_INCLUDES          +=      -Iinclude/plat/arm/board/common/
+PLAT_BL_COMMON_SOURCES +=      plat/arm/board/common/board_css_common.c
 
-PLAT_BL_COMMON_SOURCES +=      drivers/arm/pl011/pl011_console.S                       \
-                               plat/arm/board/common/aarch64/board_arm_helpers.S       \
-                               plat/arm/board/common/board_css_common.c
-
-
-#BL1_SOURCES           +=
-
-#BL2_SOURCES           +=
-
-#BL31_SOURCES          +=
-
-ifneq (${TRUSTED_BOARD_BOOT},0)
-  BL1_SOURCES          +=      plat/arm/board/common/board_arm_trusted_boot.c
-  BL2_SOURCES          +=      plat/arm/board/common/board_arm_trusted_boot.c
-endif
+include plat/arm/board/common/board_common.mk
diff --git a/plat/arm/board/common/rotpk/arm_rotpk_rsa.der b/plat/arm/board/common/rotpk/arm_rotpk_rsa.der
new file mode 100644 (file)
index 0000000..661f899
Binary files /dev/null and b/plat/arm/board/common/rotpk/arm_rotpk_rsa.der differ
diff --git a/plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin b/plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
new file mode 100644 (file)
index 0000000..7653f7e
--- /dev/null
@@ -0,0 +1 @@
+°ó\82    \12\97Ø:7zrG\eì2sé\922âIYö^\8bJJFØ"\9aÚ
\ No newline at end of file
diff --git a/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem b/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
new file mode 100644 (file)
index 0000000..71410ec
--- /dev/null
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDLLGDVjWPUB3l+
+xxaWvU0kTqyG5rdx48VUC+cUHL0pGsE/erYCqqs2xNk2aWziZcObsb89qFYmy/0E
+AbqsPlQyynleu7IF6gZY8nS64fSHwBkKH2YHd4SDoRzv/yhZ58NofSYgQ+tWY/M5
+MdgrUam8T9D23pXcX1vB7ZBv7CiRfhfteJD0YKfEx09Q7V0TOiErcMVhewghZTrN
+glaMekesieilSEgx2R1G5YWGmKDlwKZqvQfkkldhB499Wk3Krja5VgQQ8my+9jts
+gD6+DqNNx9R+p0nU8tK8zzCo53SPZN+8XEdozEBM+IPMy0A1BGDKs6QXnwPKHVr6
+0a8hVxDTAgMBAAECggEAfwsc8ewbhDW4TwIGqfNtDUr0rtYN13VpqohW0ki2L8G/
+HQaKUViO/wxQFqoNn/OqQO0AfHmKhXAAokTCiXngBHJ/OjF7vB7+IRhazZEE6u2/
+uoivr/OYNQbFpXyTqsQ1eFzpPju6KKcPK7BzT4Mc89ek/vloFAi8w6LdMl8lbvOg
+LBWqX+5A+UQoenPUTvYM4U22YNcEAWubkpsYAmViiWiac+a+uPRk39aKyfOedDNu
++ty9MtCwekivoUTfP/1+O+jFlDnPMJUOEkBmcBqxseYYAHu7blBpdHxYpAItC2pv
+YwJJSvsE+HLBLPk177Jahg7sOUqcP0F/X+T65yuvIQKBgQDxdjXdJT5K8j7rG2fv
+2bvF2H1GPaHaTYRk0EGI2Ql6Nn+ddfeCE6gaT7aPPgg87wAhNu93coFuYHw0p/sc
+ZkXMJ+BmlstPV555cWXmwcxZLsni0fOXrt4YxwWkZwmh74m0NVM/cSFw56PU0oj1
+yDNeq3fgmsJocmuNTe1eG9qA7QKBgQDXaAGrNA5Xel5mqqMYTHHQWI6l2uzdNtt7
+eDn3K9+Eh3ywTqrwP845MAjKDU2Lq61I6t2H89dEifHq823VIcLCHd9BF04MrAH7
+qDPzrmPP2iB9g+YFmGBKe+K0HFE1t1KrTlo9VV6ZAC6RJNLAgwD4kvfIVYNkCGwe
++hoZBdhgvwKBgBrOsPQ4ak4PzwRzKnrqhXpVqrLdrNZ7vLMkm+IBlpfG7SwiKLR8
+UjF5oB8PGAML1cvaOYPdZplGhQOjkrF4eU9NLhC1tSS96Y46FMIlyfYsx6UzAgRZ
+GbdOgUXbWqpr2bH0KaXlfXz3eqzqIuKGs41TJB//jo3iBibN/AhytzORAoGAeGov
+5KDpE4XYl9Pz8HVremjG9Xh4yQENmOwQm1fvT4rd7UFM1ZkVk2qCv1DIdLe32vdQ
+d9ucDzh+ADWsxGRnF1TTpPN+Mh9FzISu5h4qtdreJsxBHgecbIbsqHrb+wdMM29N
+itPaWfV8Eq9fETcqp8qgsWD8XkNHDdoKFMrrtskCgYAoSt/Je1D3ZE/3HEjez7bq
+fenS3J6KG2SEn2PNFn+R0R5vBo4DaV/cQysKh44GD2+sh0QDyh6nuWJufyhPzROP
+DU6DCLbwNePj/yaGuzi36oLt6bBgfPWCiJY7jIdK8DmTLW25m7fRtCC5pxZlSzgl
+KBf7R6cbaTvaFe05Y2FJXA==
+-----END PRIVATE KEY-----
index a8763136e2dda3fe9106b4d681aec62740a67f8f..c46bdb6b74e95966b07a023914c1a4ef7f3eed33 100644 (file)
@@ -55,6 +55,11 @@ arm_config_t arm_config;
                                        DEVICE1_SIZE,                   \
                                        MT_DEVICE | MT_RW | MT_SECURE)
 
+#define MAP_DEVICE2    MAP_REGION_FLAT(DEVICE2_BASE,                   \
+                                       DEVICE2_SIZE,                   \
+                                       MT_DEVICE | MT_RO | MT_SECURE)
+
+
 /*
  * Table of regions for various BL stages to map using the MMU.
  * This doesn't include TZRAM as the 'mem_layout' argument passed to
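Review bot: `MAP_DEVICE2` maps the whole 2MB window at `DEVICE2_BASE` (0x7fe00000, size 0x00200000 in fvp_def.h in this commit) to reach a 32-byte hash. That window also contains `HU_KEY_BASE`, `END_KEY_BASE`, `TZRNG_BASE` and `TZNVCTR_BASE`, so BL1 and BL2 gain read access to more key material than the ROTPK lookup needs. The entries added to `plat_arm_mmap` in the two hunks below do not appear to be conditional on Trusted Board Boot, so the mapping seems to be present even in builds that never read the ROTPK registers. If the translation-table budget allows, map only the page holding `TZ_PUB_KEY_HASH_BASE`, or guard the entry on the TBB build option. At minimum, document the intent on the macro, e.g. `/* Trusted root-key storage registers (ROTPK hash), mapped read-only */`.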
@@ -67,6 +72,7 @@ const mmap_region_t plat_arm_mmap[] = {
        V2M_MAP_IOFPGA,
        MAP_DEVICE0,
        MAP_DEVICE1,
+       MAP_DEVICE2,
        {0}
 };
 #endif
@@ -77,6 +83,7 @@ const mmap_region_t plat_arm_mmap[] = {
        V2M_MAP_IOFPGA,
        MAP_DEVICE0,
        MAP_DEVICE1,
+       MAP_DEVICE2,
        ARM_MAP_NS_DRAM1,
        ARM_MAP_TSP_SEC_MEM,
        {0}
index 68ef297ce52ddf13d4eb8dd14041ad035234a0b7..842a287b5ea20d67b27e73256aba11691c79bb4e 100644 (file)
 #define DEVICE1_BASE                   0x2f000000
 #define DEVICE1_SIZE                   0x200000
 
+/* Devices in the second GB */
+#define DEVICE2_BASE                   0x7fe00000
+#define DEVICE2_SIZE                   0x00200000
+
 #define NSRAM_BASE                     0x2e000000
 #define NSRAM_SIZE                     0x10000
 
 #define PCIE_EXP_BASE                  0x40000000
 #define TZRNG_BASE                     0x7fe60000
 #define TZNVCTR_BASE                   0x7fe70000
-#define TZROOTKEY_BASE                 0x7fe80000
+
+/* Keys */
+#define SOC_KEYS_BASE                  0x7fe80000
+#define TZ_PUB_KEY_HASH_BASE           (SOC_KEYS_BASE + 0x0000)
+#define TZ_PUB_KEY_HASH_SIZE           32
+#define HU_KEY_BASE                    (SOC_KEYS_BASE + 0x0020)
+#define HU_KEY_SIZE                    16
+#define END_KEY_BASE                   (SOC_KEYS_BASE + 0x0044)
+#define END_KEY_SIZE                   32
 
 /* Constants to distinguish FVP type */
 #define HBI_BASE_FVP                   0x020
index 949e6addf152534509f7a89eca19a6c69ffb8120..a1a09714654cf072e03f55de479e94f730e2f799 100644 (file)
 #
 
 
-PLAT_INCLUDES          :=      -Iinclude/plat/arm/board/common                 \
-                               -Iplat/arm/board/fvp/include
+PLAT_INCLUDES          :=      -Iplat/arm/board/fvp/include
 
 
-PLAT_BL_COMMON_SOURCES :=      drivers/arm/pl011/pl011_console.S               \
-                               plat/arm/board/fvp/aarch64/fvp_common.c
+PLAT_BL_COMMON_SOURCES :=      plat/arm/board/fvp/aarch64/fvp_common.c
 
 BL1_SOURCES            +=      drivers/io/io_semihosting.c                     \
                                lib/cpus/aarch64/aem_generic.S                  \
@@ -65,10 +63,5 @@ BL31_SOURCES         +=      lib/cpus/aarch64/aem_generic.S                  \
                                plat/arm/board/fvp/aarch64/fvp_helpers.S        \
                                plat/arm/board/fvp/drivers/pwrc/fvp_pwrc.c
 
-ifneq (${TRUSTED_BOARD_BOOT},0)
-  BL1_SOURCES          +=      plat/arm/board/common/board_arm_trusted_boot.c
-  BL2_SOURCES          +=      plat/arm/board/common/board_arm_trusted_boot.c
-endif
-
-
+include plat/arm/board/common/board_common.mk
 include plat/arm/common/arm_common.mk