Platform: Get the hash of ROTPK from CC312 OTP
Modify Musca-B1 platform code to be able to read the hash of ROTPK
from CC312 OTP memory to validate image authentication public key.
Change-Id: Ica84e65bfbf1b1a0c8d557013265d60d1a6ff48c
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/platform/ext/common/cc312/cc312.c b/platform/ext/common/cc312/cc312.c
index c4f9065..f1a65e3 100644
--- a/platform/ext/common/cc312/cc312.c
+++ b/platform/ext/common/cc312/cc312.c
@@ -129,3 +129,40 @@
key, key_size);
}
+
+int crypto_hw_accelerator_get_rotpk_hash(uint8_t image_id,
+ uint8_t *rotpk_hash,
+ uint32_t *rotpk_hash_size)
+{
+ int32_t ret;
+ mbedtls_mng_pubKeyType_t key_index;
+ uint32_t rotpk_hash_size_in_words;
+
+ if (image_id == 0) {
+#if (MCUBOOT_IMAGE_NUMBER == 1)
+ key_index = CC_MNG_HASH_BOOT_KEY_256B;
+ rotpk_hash_size_in_words = 8;
+#elif (MCUBOOT_IMAGE_NUMBER == 2)
+ key_index = CC_MNG_HASH_BOOT_KEY_0_128B;
+ rotpk_hash_size_in_words = 4;
+ } else if (image_id == 1) {
+ key_index = CC_MNG_HASH_BOOT_KEY_1_128B;
+ rotpk_hash_size_in_words = 4;
+#endif /* MCUBOOT_IMAGE_NUMBER == 1 */
+ } else {
+ return -1;
+ }
+
+ if (*rotpk_hash_size < rotpk_hash_size_in_words * sizeof(uint32_t)) {
+ return -1;
+ }
+ *rotpk_hash_size = rotpk_hash_size_in_words * sizeof(uint32_t);
+
+ ret = mbedtls_mng_pubKeyHashGet(key_index, (uint32_t *)rotpk_hash,
+ rotpk_hash_size_in_words);
+ if (ret) {
+ return ret;
+ }
+
+ return 0;
+}
diff --git a/platform/ext/common/cc312/crypto_hw.h b/platform/ext/common/cc312/crypto_hw.h
index 5951e29..aaa0aa8 100644
--- a/platform/ext/common/cc312/crypto_hw.h
+++ b/platform/ext/common/cc312/crypto_hw.h
@@ -67,7 +67,22 @@
*/
int crypto_hw_accelerator_otp_provisioning(void);
-/** \brief Retrieve the device lifecycle
+/**
+ * \brief Retrieve the hash of ROTPK from OTP
+ *
+ * \param[in] image_id The identifier of firmware image
+ * \param[out] rotpk_hash Buffer to store the key-hash in
+ * \param[in,out] rotpk_hash_size As input the size of the buffer. As output
+ * the actual key-hash length.
+ *
+ * \return 0 on success, non-zero otherwise
+ */
+int crypto_hw_accelerator_get_rotpk_hash(uint8_t image_id,
+ uint8_t *rotpk_hash,
+ uint32_t *rotpk_hash_size);
+
+/**
+ * \brief Retrieve the device lifecycle
*
* \param[out] lcs Pointer to store lifecycle state
*
diff --git a/platform/ext/target/musca_b1/dummy_crypto_keys.c b/platform/ext/target/musca_b1/dummy_crypto_keys.c
index 0cc431f..4af3404 100644
--- a/platform/ext/target/musca_b1/dummy_crypto_keys.c
+++ b/platform/ext/target/musca_b1/dummy_crypto_keys.c
@@ -144,7 +144,13 @@
uint8_t *rotpk_hash,
uint32_t *rotpk_hash_size)
{
- if(*rotpk_hash_size < ROTPK_HASH_LEN) {
+ int rc = 0;
+
+#ifdef CRYPTO_HW_ACCELERATOR_OTP_ENABLED
+ rc = crypto_hw_accelerator_get_rotpk_hash(image_id, rotpk_hash,
+ rotpk_hash_size);
+#else
+ if (*rotpk_hash_size < ROTPK_HASH_LEN) {
return TFM_PLAT_ERR_SYSTEM_ERR;
}
@@ -153,8 +159,14 @@
}
*rotpk_hash_size = ROTPK_HASH_LEN;
+
copy_key(rotpk_hash, device_rotpk[image_id].key_hash, *rotpk_hash_size);
+#endif /* CRYPTO_HW_ACCELERATOR_OTP_ENABLED */
+
+ if (rc) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
return TFM_PLAT_ERR_SUCCESS;
}
-#endif
+#endif /* BL2 */