Diffstat (limited to 'bl2/bl2_main.c')
-rw-r--r-- | bl2/bl2_main.c | 296 |
1 files changed, 42 insertions, 254 deletions
diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
index aba0afcf..4c190025 100644
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@@ -31,7 +31,7 @@
 #include <arch.h>
 #include <arch_helpers.h>
 #include <assert.h>
-#include <auth.h>
+#include <auth_mod.h>
 #include <bl_common.h>
 #include <debug.h>
 #include <platform.h>
@@ -39,147 +39,6 @@ #include <stdint.h> #include "bl2_private.h" -#if TRUSTED_BOARD_BOOT - -#ifdef BL32_BASE -static int bl32_cert_error; -#endif - -/* - * Load and authenticate the key and content certificates for a BL3-x image. - * The _blob values identify the authentication objects (an object may be seen - * as a single stage in the authentication process). See auth.h for the complete - * list of objects. The _id values are passed to the IO framework to identify - * the images to load. - * - * Parameters: - * key_cert_blob: key certificate blob id (see auth.h) - * key_cert_id: key certificate image identifier (for IO framework) - * cont_cert_blob: content certificate blob id (see auth.h) - * cont_cert_id: content certificate image identifier (for IO framework) - * mem_layout: Trusted SRAM memory layout - * load_addr: load the certificates at this address - * - * Return: 0 = success, Otherwise = error - */ -static int load_cert_bl3x(unsigned int key_cert_blob, unsigned int key_cert_id, - unsigned int cont_cert_blob, unsigned int cont_cert_id, - meminfo_t *mem_layout, uint64_t load_addr) -{ - image_info_t image_info; - int err; - - /* Load Key certificate */ - image_info.h.version = VERSION_1; - err = load_image(mem_layout, key_cert_id, load_addr, &image_info, NULL); - if (err) { - ERROR("Cannot load key certificate id=%u\n", key_cert_id); - return err; - } - - err = auth_verify_obj(key_cert_blob, image_info.image_base, - image_info.image_size); - if (err) { - ERROR("Invalid key certificate id=%u\n", key_cert_id); - return err; - } - - /* Load Content certificate */ - image_info.h.version = VERSION_1; - err = load_image(mem_layout, cont_cert_id, load_addr, &image_info, NULL); - if (err) { - ERROR("Cannot load content certificate id=%u\n", - cont_cert_id); - return err; - } - - err = auth_verify_obj(cont_cert_blob, image_info.image_base, - image_info.image_size); - if (err) { - ERROR("Invalid content certificate id=%u\n", cont_cert_id); - return err; - } - - 
return 0; -} - -/* - * Load and authenticate the Trusted Key certificate the key and content - * certificates for each of the BL3-x images. - * - * Return: 0 = success, Otherwise = error - */ -static int load_certs(void) -{ - const uint64_t load_addr = BL31_BASE; - image_info_t image_info; - meminfo_t *mem_layout; - int err; - - /* Find out how much free trusted ram remains after BL2 load */ - mem_layout = bl2_plat_sec_mem_layout(); - - /* Load the Trusted Key certificate in the BL31 region */ - image_info.h.version = VERSION_1; - err = load_image(mem_layout, TRUSTED_KEY_CERT_ID, load_addr, - &image_info, NULL); - if (err) { - ERROR("Failed to load Trusted Key certificate.\n"); - return err; - } - - /* Validate the certificate */ - err = auth_verify_obj(AUTH_TRUSTED_KEY_CERT, image_info.image_base, - image_info.image_size); - if (err) { - ERROR("Invalid Trusted Key certificate.\n"); - return err; - } - - /* Load and validate Key and Content certificates for BL3-x images */ -#ifdef BL30_BASE - err = load_cert_bl3x(AUTH_BL30_KEY_CERT, BL30_KEY_CERT_ID, - AUTH_BL30_IMG_CERT, BL30_CERT_ID, - mem_layout, load_addr); - if (err) { - ERROR("Failed to verify BL3-0 authenticity\n"); - return err; - } -#endif /* BL30_BASE */ - - err = load_cert_bl3x(AUTH_BL31_KEY_CERT, BL31_KEY_CERT_ID, - AUTH_BL31_IMG_CERT, BL31_CERT_ID, - mem_layout, load_addr); - if (err) { - ERROR("Failed to verify BL3-1 authenticity\n"); - return err; - } - -#ifdef BL32_BASE - /* BL3-2 image is optional, but keep the return value in case the - * image is present but the certificate is missing */ - err = load_cert_bl3x(AUTH_BL32_KEY_CERT, BL32_KEY_CERT_ID, - AUTH_BL32_IMG_CERT, BL32_CERT_ID, - mem_layout, load_addr); - if (err) { - WARN("Failed to verify BL3-2 authenticity\n"); - } - bl32_cert_error = err; -#endif /* BL32_BASE */ - - err = load_cert_bl3x(AUTH_BL33_KEY_CERT, BL33_KEY_CERT_ID, - AUTH_BL33_IMG_CERT, BL33_CERT_ID, - mem_layout, load_addr); - if (err) { - ERROR("Failed to verify BL3-3 
authenticity\n"); - return err; - } - - return 0; -} - -#endif /* TRUSTED_BOARD_BOOT */ - /******************************************************************************* * Load the BL3-0 image if there's one. * If a platform does not want to attempt to load BL3-0 image it must leave @@ -205,34 +64,18 @@ static int load_bl30(void) INFO("BL2: Loading BL3-0\n"); bl2_plat_get_bl30_meminfo(&bl30_mem_info); bl30_image_info.h.version = VERSION_1; - e = load_image(&bl30_mem_info, - BL30_IMAGE_ID, - BL30_BASE, - &bl30_image_info, - NULL); - - if (e) - return e; - -#if TRUSTED_BOARD_BOOT - e = auth_verify_obj(AUTH_BL30_IMG, - bl30_image_info.image_base, - bl30_image_info.image_size); - if (e) { - ERROR("Failed to authenticate BL3-0 image.\n"); - return e; - } - - /* After working with data, invalidate the data cache */ - inv_dcache_range(bl30_image_info.image_base, - (size_t)bl30_image_info.image_size); -#endif /* TRUSTED_BOARD_BOOT */ - - /* The subsequent handling of BL3-0 is platform specific */ - e = bl2_plat_handle_bl30(&bl30_image_info); - if (e) { - ERROR("Failure in platform-specific handling of BL3-0 image.\n"); - return e; + e = load_auth_image(&bl30_mem_info, + BL30_IMAGE_ID, + BL30_BASE, + &bl30_image_info, + NULL); + + if (e == 0) { + /* The subsequent handling of BL3-0 is platform specific */ + e = bl2_plat_handle_bl30(&bl30_image_info); + if (e) { + ERROR("Failure in platform-specific handling of BL3-0 image.\n"); + } } #endif /* BL30_BASE */ 
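Review bot: The `inv_dcache_range()` call and the per-image "Failed to authenticate" message that used to sit in `load_bl30()` under `TRUSTED_BOARD_BOOT` are gone from this file, and nothing visible here shows that `load_auth_image()` takes them over. If it does not, later code could act on stale cache contents of the region that was just verified, and an authentication failure would look the same as a load failure in the log. Please confirm both in the helper and say so at the call site, e.g. `/* load_auth_image() verifies the image against the Chain of Trust and does the cache maintenance when TRUSTED_BOARD_BOOT=1 */`. The same applies to the `load_bl31()`, `load_bl32()` and `load_bl33()` hunks. `load_bl30()` starts and ends outside this hunk.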
@@ -262,31 +105,17 @@ static int load_bl31(bl31_params_t *bl2_to_bl31_params, bl31_ep_info->args.arg0 = (unsigned long)bl2_to_bl31_params; /* Load the BL3-1 image */ - e = load_image(bl2_tzram_layout, - BL31_IMAGE_ID, - BL31_BASE, - bl2_to_bl31_params->bl31_image_info, - bl31_ep_info); - if (e) - return e; - -#if TRUSTED_BOARD_BOOT - e = auth_verify_obj(AUTH_BL31_IMG, - bl2_to_bl31_params->bl31_image_info->image_base, - bl2_to_bl31_params->bl31_image_info->image_size); - if (e) { - ERROR("Failed to authenticate BL3-1 image.\n"); - return e; + e = load_auth_image(bl2_tzram_layout, + BL31_IMAGE_ID, + BL31_BASE, + bl2_to_bl31_params->bl31_image_info, + bl31_ep_info); + + if (e == 0) { + bl2_plat_set_bl31_ep_info(bl2_to_bl31_params->bl31_image_info, + bl31_ep_info); } - /* After working with data, invalidate the data cache */ - inv_dcache_range(bl2_to_bl31_params->bl31_image_info->image_base, - (size_t)bl2_to_bl31_params->bl31_image_info->image_size); -#endif /* TRUSTED_BOARD_BOOT */ - - bl2_plat_set_bl31_ep_info(bl2_to_bl31_params->bl31_image_info, - bl31_ep_info); - return e; } 
@@ -314,37 +143,17 @@ static int load_bl32(bl31_params_t *bl2_to_bl31_params) * completely different memory. */ bl2_plat_get_bl32_meminfo(&bl32_mem_info); - e = load_image(&bl32_mem_info, - BL32_IMAGE_ID, - BL32_BASE, - bl2_to_bl31_params->bl32_image_info, - bl2_to_bl31_params->bl32_ep_info); - - if (e) - return e; - -#if TRUSTED_BOARD_BOOT - /* Image is present. Check if there is a valid certificate */ - if (bl32_cert_error) { - ERROR("Failed to authenticate BL3-2 certificates.\n"); - return bl32_cert_error; - } - - e = auth_verify_obj(AUTH_BL32_IMG, - bl2_to_bl31_params->bl32_image_info->image_base, - bl2_to_bl31_params->bl32_image_info->image_size); - if (e) { - ERROR("Failed to authenticate BL3-2 image.\n"); - return e; + e = load_auth_image(&bl32_mem_info, + BL32_IMAGE_ID, + BL32_BASE, + bl2_to_bl31_params->bl32_image_info, + bl2_to_bl31_params->bl32_ep_info); + + if (e == 0) { + bl2_plat_set_bl32_ep_info( + bl2_to_bl31_params->bl32_image_info, + bl2_to_bl31_params->bl32_ep_info); } - /* After working with data, invalidate the data cache */ - inv_dcache_range(bl2_to_bl31_params->bl32_image_info->image_base, - (size_t)bl2_to_bl31_params->bl32_image_info->image_size); -#endif /* TRUSTED_BOARD_BOOT */ - - bl2_plat_set_bl32_ep_info( - bl2_to_bl31_params->bl32_image_info, - bl2_to_bl31_params->bl32_ep_info); #endif /* BL32_BASE */ return e; 
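Review bot: `load_bl32()` now returns a single `e` from `load_auth_image()` for both "optional BL3-2 image not present" and "BL3-2 present but failed authentication"; the removed code kept these apart with `bl32_cert_error`. The caller is outside this diff, so I cannot tell how it reacts, but if it only warns on a non-zero return because BL3-2 is optional, a tampered image would be handled like an absent one. The new code still skips `bl2_plat_set_bl32_ep_info()` on failure, which helps only if the BL3-2 entry point info handed to BL3-1 is otherwise left unusable, so that is worth confirming. I would have `load_auth_image()` return a distinct error for authentication failure and treat that one as fatal in the caller. The function body starts and ends outside this hunk.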
@@ -367,30 +176,16 @@ static int load_bl33(bl31_params_t *bl2_to_bl31_params) bl2_plat_get_bl33_meminfo(&bl33_mem_info); /* Load the BL3-3 image in non-secure memory provided by the platform */ - e = load_image(&bl33_mem_info, - BL33_IMAGE_ID, - plat_get_ns_image_entrypoint(), - bl2_to_bl31_params->bl33_image_info, - bl2_to_bl31_params->bl33_ep_info); - - if (e) - return e; - -#if TRUSTED_BOARD_BOOT - e = auth_verify_obj(AUTH_BL33_IMG, - bl2_to_bl31_params->bl33_image_info->image_base, - bl2_to_bl31_params->bl33_image_info->image_size); - if (e) { - ERROR("Failed to authenticate BL3-3 image.\n"); - return e; + e = load_auth_image(&bl33_mem_info, + BL33_IMAGE_ID, + plat_get_ns_image_entrypoint(), + bl2_to_bl31_params->bl33_image_info, + bl2_to_bl31_params->bl33_ep_info); + + if (e == 0) { + bl2_plat_set_bl33_ep_info(bl2_to_bl31_params->bl33_image_info, + bl2_to_bl31_params->bl33_ep_info); } - /* After working with data, invalidate the data cache */ - inv_dcache_range(bl2_to_bl31_params->bl33_image_info->image_base, - (size_t)bl2_to_bl31_params->bl33_image_info->image_size); -#endif /* TRUSTED_BOARD_BOOT */ - - bl2_plat_set_bl33_ep_info(bl2_to_bl31_params->bl33_image_info, - bl2_to_bl31_params->bl33_ep_info); return e; } @@ -414,14 +209,7 @@ void bl2_main(void) #if TRUSTED_BOARD_BOOT /* Initialize authentication module */ - auth_init(); - - /* Validate the certificates involved in the Chain of Trust */ - e = load_certs(); - if (e) { - ERROR("Chain of Trust invalid. Aborting...\n"); - panic(); - } + auth_mod_init(); #endif /* TRUSTED_BOARD_BOOT */ /* |
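Review bot: In the `bl2_main()` hunk the up-front `load_certs()` check with its `panic()` is dropped, so after `auth_mod_init()` nothing has been authenticated yet and fail-closed behaviour rests entirely on how the later `load_bl30()`/`load_bl31()`/`load_bl33()` return values are handled, which is outside this hunk. I would document that next to the call, e.g. `/* No certificate is verified here; each image is authenticated on load, so a non-zero load result must stop the boot */`. If `auth_mod_init()` can fail, that failure should also stop the boot here rather than surface later as a load error.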