1 /*
2 * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7 #include <arm_def.h>
8 #include <assert.h>
9 #include <cassert.h>
10 #include <platform.h>
11 #include <stdint.h>
12 #include <string.h>
13 #include <tbbr_oid.h>
14
15 /* SHA256 algorithm */
16 #define SHA256_BYTES 32
17
18 /* ROTPK locations */
19 #define ARM_ROTPK_REGS_ID 1
20 #define ARM_ROTPK_DEVEL_RSA_ID 2
21 #define ARM_ROTPK_DEVEL_ECDSA_ID 3
22
23 static const unsigned char rotpk_hash_hdr[] = \
24 "\x30\x31\x30\x0D\x06\x09\x60\x86\x48" \
25 "\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20";
26 static const unsigned int rotpk_hash_hdr_len = sizeof(rotpk_hash_hdr) - 1;
27 static unsigned char rotpk_hash_der[sizeof(rotpk_hash_hdr) - 1 + SHA256_BYTES];
28
29 /* Use the cryptocell variants if Cryptocell is present */
30 #if !ARM_CRYPTOCELL_INTEG
31 #if !ARM_ROTPK_LOCATION_ID
32 #error "ARM_ROTPK_LOCATION_ID not defined"
33 #endif
34
35 /* Weak definition may be overridden in specific platform */
36 #pragma weak plat_get_nv_ctr
37 #pragma weak plat_set_nv_ctr
38
39 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID)
40 static const unsigned char arm_devel_rotpk_hash[] = \
41 "\xB0\xF3\x82\x09\x12\x97\xD8\x3A" \
42 "\x37\x7A\x72\x47\x1B\xEC\x32\x73" \
43 "\xE9\x92\x32\xE2\x49\x59\xF6\x5E" \
44 "\x8B\x4A\x4A\x46\xD8\x22\x9A\xDA";
45 #elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID)
46 static const unsigned char arm_devel_rotpk_hash[] = \
47 "\x2E\x40\xBF\x6E\xF9\x12\xBB\x98" \
48 "\x31\x71\x09\x0E\x1E\x15\x3D\x0B" \
49 "\xFD\xD1\xCC\x69\x4A\x98\xEB\x8B" \
50 "\xA0\xB0\x20\x86\x4E\x6C\x07\x17";
51 #endif
52
53 /*
54 * Return the ROTPK hash in the following ASN.1 structure in DER format:
55 *
56 * AlgorithmIdentifier ::= SEQUENCE {
57 * algorithm OBJECT IDENTIFIER,
58 * parameters ANY DEFINED BY algorithm OPTIONAL
59 * }
60 *
61 * DigestInfo ::= SEQUENCE {
62 * digestAlgorithm AlgorithmIdentifier,
63 * digest OCTET STRING
64 * }
65 */
plat_get_rotpk_info(void * cookie,void ** key_ptr,unsigned int * key_len,unsigned int * flags)66 int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
67 unsigned int *flags)
68 {
69 uint8_t *dst;
70
71 assert(key_ptr != NULL);
72 assert(key_len != NULL);
73 assert(flags != NULL);
74
75 /* Copy the DER header */
76 memcpy(rotpk_hash_der, rotpk_hash_hdr, rotpk_hash_hdr_len);
77 dst = (uint8_t *)&rotpk_hash_der[rotpk_hash_hdr_len];
78
79 #if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) \
80 || (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID)
81 memcpy(dst, arm_devel_rotpk_hash, SHA256_BYTES);
82 #elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID)
83 uint32_t *src, tmp;
84 unsigned int words, i;
85
86 /*
87 * Append the hash from Trusted Root-Key Storage registers. The hash has
88 * not been written linearly into the registers, so we have to do a bit
89 * of byte swapping:
90 *
91 * 0x00 0x04 0x08 0x0C 0x10 0x14 0x18 0x1C
92 * +---------------------------------------------------------------+
93 * | Reg0 | Reg1 | Reg2 | Reg3 | Reg4 | Reg5 | Reg6 | Reg7 |
94 * +---------------------------------------------------------------+
95 * | ... ... | | ... ... |
96 * | +--------------------+ | +-------+
97 * | | | |
98 * +----------------------------+ +----------------------------+
99 * | | | |
100 * +-------+ | +--------------------+ |
101 * | | | |
102 * v v v v
103 * +---------------------------------------------------------------+
104 * | | |
105 * +---------------------------------------------------------------+
106 * 0 15 16 31
107 *
108 * Additionally, we have to access the registers in 32-bit words
109 */
110 words = SHA256_BYTES >> 3;
111
112 /* Swap bytes 0-15 (first four registers) */
113 src = (uint32_t *)TZ_PUB_KEY_HASH_BASE;
114 for (i = 0 ; i < words ; i++) {
115 tmp = src[words - 1 - i];
116 /* Words are read in little endian */
117 *dst++ = (uint8_t)((tmp >> 24) & 0xFF);
118 *dst++ = (uint8_t)((tmp >> 16) & 0xFF);
119 *dst++ = (uint8_t)((tmp >> 8) & 0xFF);
120 *dst++ = (uint8_t)(tmp & 0xFF);
121 }
122
123 /* Swap bytes 16-31 (last four registers) */
124 src = (uint32_t *)(TZ_PUB_KEY_HASH_BASE + SHA256_BYTES / 2);
125 for (i = 0 ; i < words ; i++) {
126 tmp = src[words - 1 - i];
127 *dst++ = (uint8_t)((tmp >> 24) & 0xFF);
128 *dst++ = (uint8_t)((tmp >> 16) & 0xFF);
129 *dst++ = (uint8_t)((tmp >> 8) & 0xFF);
130 *dst++ = (uint8_t)(tmp & 0xFF);
131 }
132 #endif /* (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) \
133 || (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_ECDSA_ID) */
134
135 *key_ptr = (void *)rotpk_hash_der;
136 *key_len = (unsigned int)sizeof(rotpk_hash_der);
137 *flags = ROTPK_IS_HASH;
138 return 0;
139 }
140
141 /*
142 * Return the non-volatile counter value stored in the platform. The cookie
143 * will contain the OID of the counter in the certificate.
144 *
145 * Return: 0 = success, Otherwise = error
146 */
plat_get_nv_ctr(void * cookie,unsigned int * nv_ctr)147 int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr)
148 {
149 const char *oid;
150 uint32_t *nv_ctr_addr;
151
152 assert(cookie != NULL);
153 assert(nv_ctr != NULL);
154
155 oid = (const char *)cookie;
156 if (strcmp(oid, TRUSTED_FW_NVCOUNTER_OID) == 0) {
157 nv_ctr_addr = (uint32_t *)TFW_NVCTR_BASE;
158 } else if (strcmp(oid, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
159 nv_ctr_addr = (uint32_t *)NTFW_CTR_BASE;
160 } else {
161 return 1;
162 }
163
164 *nv_ctr = (unsigned int)(*nv_ctr_addr);
165
166 return 0;
167 }
168
169 /*
170 * Store a new non-volatile counter value. By default on ARM development
171 * platforms, the non-volatile counters are RO and cannot be modified. We expect
172 * the values in the certificates to always match the RO values so that this
173 * function is never called.
174 *
175 * Return: 0 = success, Otherwise = error
176 */
plat_set_nv_ctr(void * cookie,unsigned int nv_ctr)177 int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
178 {
179 return 1;
180 }
181 #else /* ARM_CRYPTOCELL_INTEG */
182
183 #include <nvm.h>
184 #include <nvm_otp.h>
185 #include <sbrom_bsv_api.h>
186
187 CASSERT(HASH_RESULT_SIZE_IN_BYTES == SHA256_BYTES,
188 assert_mismatch_in_hash_result_size);
189
190 /*
191 * Return the ROTPK hash in the following ASN.1 structure in DER format:
192 *
193 * AlgorithmIdentifier ::= SEQUENCE {
194 * algorithm OBJECT IDENTIFIER,
195 * parameters ANY DEFINED BY algorithm OPTIONAL
196 * }
197 *
198 * DigestInfo ::= SEQUENCE {
199 * digestAlgorithm AlgorithmIdentifier,
200 * digest OCTET STRING
201 * }
202 */
plat_get_rotpk_info(void * cookie,void ** key_ptr,unsigned int * key_len,unsigned int * flags)203 int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
204 unsigned int *flags)
205 {
206 unsigned char *dst;
207 CCError_t error;
208 uint32_t lcs;
209
210 assert(key_ptr != NULL);
211 assert(key_len != NULL);
212 assert(flags != NULL);
213
214 error = NVM_GetLCS(PLAT_CRYPTOCELL_BASE, &lcs);
215 if (error != CC_OK)
216 return 1;
217
218 /* If the lifecycle state is `SD`, return failure */
219 if (lcs == CC_BSV_SECURITY_DISABLED_LCS)
220 return 1;
221
222 /*
223 * If the lifecycle state is `CM` or `DM`, ROTPK shouldn't be verified.
224 * Return success after setting ROTPK_NOT_DEPLOYED flag
225 */
226 if ((lcs == CC_BSV_CHIP_MANUFACTURE_LCS) ||
227 (lcs == CC_BSV_DEVICE_MANUFACTURE_LCS)) {
228 *key_len = 0;
229 *flags = ROTPK_NOT_DEPLOYED;
230 return 0;
231 }
232
233 /* Copy the DER header */
234 memcpy(rotpk_hash_der, rotpk_hash_hdr, rotpk_hash_hdr_len);
235 dst = &rotpk_hash_der[rotpk_hash_hdr_len];
236 error = NVM_ReadHASHPubKey(PLAT_CRYPTOCELL_BASE,
237 CC_SB_HASH_BOOT_KEY_256B,
238 (uint32_t *)dst, HASH_RESULT_SIZE_IN_WORDS);
239 if (error != CC_OK)
240 return 1;
241
242 *key_ptr = rotpk_hash_der;
243 *key_len = sizeof(rotpk_hash_der);
244 *flags = ROTPK_IS_HASH;
245 return 0;
246 }
247
248 /*
249 * Return the non-volatile counter value stored in the platform. The cookie
250 * specifies the OID of the counter in the certificate.
251 *
252 * Return: 0 = success, Otherwise = error
253 */
plat_get_nv_ctr(void * cookie,unsigned int * nv_ctr)254 int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr)
255 {
256 CCError_t error = CC_FAIL;
257
258 if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) {
259 error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE,
260 CC_SW_VERSION_COUNTER1, nv_ctr);
261 } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
262 error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE,
263 CC_SW_VERSION_COUNTER2, nv_ctr);
264 }
265
266 return (error != CC_OK);
267 }
268
269 /*
270 * Store a new non-volatile counter value in the counter specified by the OID
271 * in the cookie. This function is not expected to be called if the Lifecycle
272 * state is RMA as the values in the certificate are expected to always match
273 * the nvcounter values. But if called when the LCS is RMA, the underlying
274 * helper functions will return success but without updating the counter.
275 *
276 * Return: 0 = success, Otherwise = error
277 */
plat_set_nv_ctr(void * cookie,unsigned int nv_ctr)278 int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr)
279 {
280 CCError_t error = CC_FAIL;
281
282 if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) {
283 error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE,
284 CC_SW_VERSION_COUNTER1, nv_ctr);
285 } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) {
286 error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE,
287 CC_SW_VERSION_COUNTER2, nv_ctr);
288 }
289
290 return (error != CC_OK);
291 }
292
293 #endif /* ARM_CRYPTOCELL_INTEG */
294