fix(tc): enable certificate on the last secure partition
Distros (e.g. Buildroot and Android) can have different secure partition
layout.
This commit iterates the DPE metadata table and finds index (i) for the
first entry of the secure partition, connecting with the defined secure
partition number NUM_SP, so the last secure partition index is:
i + NUM_SP - 1
Instead of setting the certificate in hard code, dynamically enables the
certificate for the last secure partition base on calculated index.
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9
diff --git a/plat/arm/board/tc/tc_bl2_dpe.c b/plat/arm/board/tc/tc_bl2_dpe.c
index c56612b..144e898 100644
--- a/plat/arm/board/tc/tc_bl2_dpe.c
+++ b/plat/arm/board/tc/tc_bl2_dpe.c
@@ -120,7 +120,7 @@
.sw_type = MBOOT_SP1_STRING,
.allow_new_context_to_derive = false,
.retain_parent_context = true,
- .create_certificate = true, /* With Trusty only one SP is loaded */
+ .create_certificate = false,
.target_locality = LOCALITY_NONE, /* won't derive don't care */
.pk_oid = NULL },
{
@@ -230,10 +230,33 @@
void bl2_plat_mboot_init(void)
{
+ size_t i;
+ const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
+
/* Initialize the communication channel between AP and RSE */
(void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE,
PLAT_RSE_AP_RCV_MHU_BASE);
+#if defined(SPD_spmd)
+ for (i = 0U; i < array_size; i++) {
+ if (tc_dpe_metadata[i].id != SP_PKG1_ID) {
+ continue;
+ }
+
+ if ((i + NUM_SP > array_size) || (i - 1 + NUM_SP < 0)) {
+ ERROR("Secure partition number is out-of-range\n");
+ ERROR(" Non-Secure partition number: %ld\n", i);
+ ERROR(" Secure partition number: %d\n", NUM_SP);
+ ERROR(" Metadata array size: %ld\n", array_size);
+ panic();
+ }
+
+ /* Finalize the certificate on the last secure partition */
+ tc_dpe_metadata[i - 1 + NUM_SP].create_certificate = true;
+ break;
+ }
+#endif
+
dpe_init(tc_dpe_metadata);
}