TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-A / trusted-firmware-a.git / d35dee23b68366af90502c04da4f3eb29d5fe92a^! / . / docs / porting-guide.md
commitd35dee23b68366af90502c04da4f3eb29d5fe92a[log] [tgz]
authordp-arm <dimitris.papastamos@arm.com>Mon Dec 12 14:48:13 2016 +0000
committerdp-arm <dimitris.papastamos@arm.com>Thu Dec 15 14:12:35 2016 +0000
treefcd8e5144a9646fe439cc7a69b3a241b2fb1776f
parenta4af0c2e8409696667695f3781a22cba2eafbd2c [diff] [blame]
tbbr: Fix updating of Non-Trusted NV counter

The previous code required that a certificate be signed with the ROT
key before the platform's NV counter could be updated with the value
in the certificate.  This implies that the Non-Trusted NV counter was
not being updated for Non-Trusted content certificates, as they cannot
be signed with the ROT key in the TBBR CoT scheme.

The code is reworked to only allow updating the platform's Trusted NV
counter when a certificate protected by the Trusted NV counter is
signed with the ROT key.

Content certificates protected by the Non-Trusted NV counter are
allowed to update the platform's Non-Trusted NV counter, assuming
that the certificate value is higher than the platform's value.

A new optional platform API has been introduced, named
plat_set_nv_ctr2().  Platforms may choose to implement it and perform
additional checks based on the authentication image descriptor before
modifying the NV counters.  A default weak implementation is available
that just calls into plat_set_nv_ctr().

Fixes ARM-software/tf-issues#426

Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

diff --git a/docs/porting-guide.md b/docs/porting-guide.md
index 74a0a85..57f2c40 100644
--- a/docs/porting-guide.md
+++ b/docs/porting-guide.md

@@ -690,12 +690,32 @@
 
 This function is mandatory when Trusted Board Boot is enabled. It sets a new
 counter value in the platform. The cookie in the first argument may be used to
-select the counter (as explained in plat_get_nv_ctr()).
+select the counter (as explained in plat_get_nv_ctr()). The second argument is
+the updated counter value to be written to the NV counter.
 
 The function returns 0 on success. Any other value means the counter value could
 not be updated.
 
 
+### Function: plat_set_nv_ctr2()
+
+    Argument : void *, const auth_img_desc_t *, unsigned int
+    Return   : int
+
+This function is optional when Trusted Board Boot is enabled. If this
+interface is defined, then `plat_set_nv_ctr()` need not be defined. The
+first argument passed is a cookie and is typically used to
+differentiate between a Non Trusted NV Counter and a Trusted NV
+Counter. The second argument is a pointer to an authentication image
+descriptor and may be used to decide if the counter is allowed to be
+updated or not. The third argument is the updated counter value to
+be written to the NV counter.
+
+The function returns 0 on success. Any other value means the counter value
+either could not be updated or the authentication image descriptor indicates
+that it is not allowed to be updated.
+
+
 2.3 Common mandatory function modifications
 ---------------------------------