Boot: Save boot status to shared data area
Details:
- PSA requirement: Attestation service must include
the measured boot status in the attestation token. The secure
bootloader measures the runtime SW (calculating its hash)
and shares the measurements with the runtime SW through a shared
memory area.
- add new functions to save the boot status in TLV
encoded format to the shared data area
- save combined (S+NS) image hash to boot status
Change-Id: I4f7b4f134294aea75fe5bce10cd98c74614c32e8
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 1713580..d488825 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -58,7 +58,8 @@
endif()
#Append all our source files to global lists.
-list(APPEND ALL_SRC_C "${MCUBOOT_DIR}/bl2_main.c"
+list(APPEND ALL_SRC_C
+ "${MCUBOOT_DIR}/bl2_main.c"
"${MCUBOOT_DIR}/flash_map.c"
"${MCUBOOT_DIR}/keys.c"
"${MCUBOOT_DIR}/bootutil/src/loader.c"
@@ -66,6 +67,7 @@
"${MCUBOOT_DIR}/bootutil/src/image_validate.c"
"${MCUBOOT_DIR}/bootutil/src/image_rsa.c"
"${MCUBOOT_DIR}/bootutil/src/caps.c"
+ "${TFM_ROOT_DIR}/bl2/src/boot_record.c"
)
#Define location of mbedtls source, build, and installation directory.
@@ -92,6 +94,7 @@
#Setting include directories
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR} ABSOLUTE APPEND)
+embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/bl2/include ABSOLUTE APPEND)
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/bl2/ext/mcuboot/include ABSOLUTE APPEND)
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/bl2/ext/mcuboot/bootutil/include/ ABSOLUTE APPEND)
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${MBEDTLS_INSTALL_DIR}/include ABSOLUTE APPEND)
diff --git a/bl2/ext/mcuboot/bl2_main.c b/bl2/ext/mcuboot/bl2_main.c
index 42db36f..79e5eec 100644
--- a/bl2/ext/mcuboot/bl2_main.c
+++ b/bl2/ext/mcuboot/bl2_main.c
@@ -27,6 +27,7 @@
#include "bootutil/image.h"
#include "bootutil/bootutil.h"
#include "flash_map/flash_map.h"
+#include "bl2/include/boot_record.h"
/* Avoids the semihosting issue */
#if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050)
diff --git a/bl2/ext/mcuboot/bootutil/src/loader.c b/bl2/ext/mcuboot/bootutil/src/loader.c
index c268d93..888118e 100644
--- a/bl2/ext/mcuboot/bootutil/src/loader.c
+++ b/bl2/ext/mcuboot/bootutil/src/loader.c
@@ -38,6 +38,8 @@
#include "bootutil/bootutil.h"
#include "bootutil/image.h"
#include "bootutil_priv.h"
+#include "bl2/include/tfm_boot_status.h"
+#include "bl2/include/boot_record.h"
#define BOOT_LOG_LEVEL BOOT_LOG_LEVEL_INFO
#include "bootutil/bootutil_log.h"
@@ -249,12 +251,12 @@
* Validate image hash/signature in a slot.
*/
static int
-boot_image_check(struct image_header *hdr, const struct flash_area *fap)
+boot_image_check(struct image_header *hdr, const struct flash_area *fap, uint8_t *out_hash)
{
static uint8_t tmpbuf[BOOT_TMPBUF_SZ];
if (bootutil_img_validate(hdr, fap, tmpbuf, BOOT_TMPBUF_SZ,
- NULL, 0, NULL)) {
+ NULL, 0, out_hash)) {
return BOOT_EBADIMAGE;
}
return 0;
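Review bot: The new `out_hash` parameter of boot_image_check() carries no length, and the comment above the function still says only "Validate image hash/signature in a slot.", so nothing tells a caller how large the buffer must be. The one caller visible in this patch passes `uint8_t hash[32]` (hunk at -265), while the number of bytes bootutil_img_validate() writes is not visible here; presumably it is a SHA-256 digest, which should be confirmed. I would extend the comment with `@param out_hash Buffer that receives the image hash; must hold at least 32 bytes (SHA-256). NULL is accepted when the hash is not needed.` — the removed line passed NULL, so that case was already supported. The literal 32 would be better as a named digest-size constant shared by this contract and the caller's declaration. The function's closing brace lies outside the hunk.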
@@ -265,6 +267,7 @@
{
const struct flash_area *fap;
struct image_header *hdr;
+ uint8_t hash[32];
int rc;
hdr = boot_img_hdr(&boot_data, slot);
@@ -278,7 +281,8 @@
return BOOT_EFLASH;
}
- if ((hdr->ih_magic != IMAGE_MAGIC || boot_image_check(hdr, fap) != 0)) {
+ if ((hdr->ih_magic != IMAGE_MAGIC ||
+ boot_image_check(hdr, fap, hash) != 0)) {
if (slot != 0) {
rc = flash_area_erase(fap, 0, fap->fa_size);
if(rc != 0) {
@@ -292,6 +296,13 @@
BOOT_LOG_ERR("Authentication failed! Image in slot %d is not valid.",
slot);
return -1;
+ } else {
+ if (0 != boot_add_data_to_shared_area(TLV_MAJOR_IAS,
+ TLV_MINOR_IAS_S_NS_SHA256,
+ sizeof(hash),
+ hash)) {
+ BOOT_LOG_ERR("Failed to add data to shared area");
+ }
}
flash_area_close(fap);
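Review bot: A failure of boot_add_data_to_shared_area() in the new `else` branch is only logged, so validation still reports success and boot continues with no measurement in the shared area. The attestation service would then build a token without the boot status the commit message calls a PSA requirement, and the runtime has no signal that the record is missing. I would keep the result, `rc = boot_add_data_to_shared_area(TLV_MAJOR_IAS, TLV_MINOR_IAS_S_NS_SHA256, sizeof(hash), hash);`, and return it as an error once `flash_area_close(fap)` has run; if continuing is intentional, a comment should say why. The function continues past this hunk, so whether `rc` is reassigned later cannot be seen here. If this validation runs for more than one slot per boot, the hash of an image that is not the one finally executed may also be appended, which is worth confirming against the callers.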