Boot: Add OTP provisioning functionality to MCUBoot
Add functionality to program hash of ROT public key and HUK to OTP. The
implementation is based on the CryptoCell CMPU and DMPU production
libraries.
If MCUBOOT_IMAGE_NUMBER=1, store the whole 32-byte hash of:
bl2/ext/mcuboot/root-rsa-<2048|3072>.pem key.
If MCUBOOT_IMAGE_NUMBER=2, separately store
the first 16 bytes of the hash of:
bl2/ext/mcuboot/root-rsa-<2048|3072>.pem key
and the first 16 bytes of the hash of:
bl2/ext/mcuboot/root-rsa-<2048|3072>_1.pem key.
OTP provisioning is disabled by default. In order to enable,
add this to CMake command line:
-DCRYPTO_HW_ACCELERATOR_OTP_STATE=PROVISIONING
Change-Id: Ica589319001f5ed77d853ba45ad8e6d3c266d172
Signed-off-by: Xu Yong <yong.xu@arm.com>
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index efa64eb..3464c52 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -92,7 +92,7 @@
set (MBEDCRYPTO_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/mbed-crypto/build")
set (MBEDCRYPTO_INSTALL_DIR ${MBEDCRYPTO_BINARY_DIR}/../install)
-if (CRYPTO_HW_ACCELERATOR)
+if (CRYPTO_HW_ACCELERATOR OR CRYPTO_HW_ACCELERATOR_OTP_STATE STREQUAL "PROVISIONING")
if(NOT DEFINED CRYPTO_HW_ACCELERATOR_CMAKE_BUILD)
message(FATAL_ERROR "CRYPTO_HW_ACCELERATOR_CMAKE_BUILD not defined.")
endif()
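Review bot: `CRYPTO_HW_ACCELERATOR_OTP_STATE` is expanded unquoted in the widened `if()` on the `+` line, so when the variable is unset CMake compares the literal variable name instead of an empty string; that happens to evaluate false, but it depends on CMP0054 semantics and is the classic quoting footgun. Quote it: `if (CRYPTO_HW_ACCELERATOR OR "${CRYPTO_HW_ACCELERATOR_OTP_STATE}" STREQUAL "PROVISIONING")`. The identical condition is repeated in the second hunk of this file (around line 151, "Link crypto accelerator libraries"); evaluating it once into a project-prefixed variable above the first use and testing that variable in both places keeps the two from drifting apart. Nothing visible here rejects an unexpected value of the variable, so a misspelled state would silently produce a non-provisioning build — if the variable is declared as a cache entry elsewhere, a `STRINGS` property plus a `message(FATAL_ERROR ...)` on unknown values is worth adding. The `endif()` that closes this block lies outside the hunk.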
@@ -151,7 +151,7 @@
add_dependencies(${PROJECT_NAME} ${MBEDCRYPTO_TARGET_NAME}_install)
#Link crypto accelerator libraries if applicable
-if (CRYPTO_HW_ACCELERATOR)
+if (CRYPTO_HW_ACCELERATOR OR CRYPTO_HW_ACCELERATOR_OTP_STATE STREQUAL "PROVISIONING")
if(NOT DEFINED CRYPTO_HW_ACCELERATOR_CMAKE_LINK)
message(FATAL_ERROR "CRYPTO_HW_ACCELERATOR_CMAKE_LINK not defined.")
endif()
diff --git a/bl2/ext/mcuboot/bl2_main.c b/bl2/ext/mcuboot/bl2_main.c
index 26461c1..f1e289d 100644
--- a/bl2/ext/mcuboot/bl2_main.c
+++ b/bl2/ext/mcuboot/bl2_main.c
@@ -31,9 +31,10 @@
#if BOOT_LOG_LEVEL > BOOT_LOG_LEVEL_OFF
#include "uart_stdout.h"
#endif
-#ifdef CRYPTO_HW_ACCELERATOR
+#if defined(CRYPTO_HW_ACCELERATOR) || \
+ defined(CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING)
#include "crypto_hw.h"
-#endif /* CRYPTO_HW_ACCELERATOR */
+#endif
/* Avoids the semihosting issue */
#if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050)
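Review bot: The `#endif` that closes the widened include guard lost its trailing condition comment (`/* CRYPTO_HW_ACCELERATOR */`) and is now bare, while the rest of the file keeps that convention, as the `#endif /* CRYPTO_HW_ACCELERATOR */` and `#endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */` lines in the next hunk show. Restore it with the new condition: `#endif /* CRYPTO_HW_ACCELERATOR || CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */`.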
@@ -213,6 +214,24 @@
}
#endif /* CRYPTO_HW_ACCELERATOR */
+/* This is a workaround to program the TF-M related cryptographic keys
+ * to CC312 OTP memory. This functionality is independent from secure boot,
+ * this is usually done in the factory floor during chip manufacturing.
+ */
+#ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
+ BOOT_LOG_INF("OTP provisioning started.");
+ rc = crypto_hw_accelerator_otp_provisioning();
+ if (rc) {
+ BOOT_LOG_ERR("OTP provisioning FAILED: 0x%X", rc);
+ while (1);
+ } else {
+ BOOT_LOG_INF("OTP provisioning succeeded. TF-M won't be loaded.");
+
+ /* We don't need to boot - the only aim is provisioning. */
+ while (1);
+ }
+#endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */
+
BOOT_LOG_INF("Bootloader chainload address offset: 0x%x",
rsp.br_image_off);
flash_area_warn_on_open();
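Review bot: Both branches of the new `if (rc)` end in `while (1);`, so success and failure differ only in the log line and the halt is duplicated; a single log-then-halt shape is clearer and leaves one place to document why the device must never chainload after touching OTP. The block also appears to sit after the boot response has been produced (`rsp.br_image_off` is used right below it), which would mean a provisioning build still needs a valid image in flash before the OTP is written — if that is intended, the header comment should say so, and if not, the provisioning call belongs before image validation. `rc` is printed with `%X`; if it is a signed `int` a negative error code will print as an unsigned value, so a cast or `%d` is worth considering. The enclosing function starts and ends outside the hunk.
```c
#ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
    BOOT_LOG_INF("OTP provisioning started.");
    rc = crypto_hw_accelerator_otp_provisioning();
    if (rc) {
        BOOT_LOG_ERR("OTP provisioning FAILED: 0x%X", rc);
    } else {
        BOOT_LOG_INF("OTP provisioning succeeded. TF-M won't be loaded.");
    }
    /* OTP writes are one-time; this build exists only to provision, so
     * never chainload regardless of the outcome. */
    while (1);
#endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */
```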
diff --git a/bl2/ext/mcuboot/include/config-boot.h b/bl2/ext/mcuboot/include/config-boot.h
index 6b0c040..71667eb 100644
--- a/bl2/ext/mcuboot/include/config-boot.h
+++ b/bl2/ext/mcuboot/include/config-boot.h
@@ -64,6 +64,12 @@
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+#ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_CCM_C
+#endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */
+
#ifdef CRYPTO_HW_ACCELERATOR
#include "mbedtls_accelerator_config.h"
#endif
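Review bot: The three mbed TLS modules enabled under `CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING` carry no explanation of why provisioning needs them, and `MBEDTLS_CCM_C` in particular is not something a reader would connect to writing an OTP. The commit message attributes the implementation to the CryptoCell CMPU/DMPU libraries, so a one-line comment above the block such as `/* The CryptoCell CMPU/DMPU provisioning code needs the AES-CCM cipher from mbed TLS. */` (adjust if the actual consumer differs) would pin that down. The block is placed ahead of the `#ifdef CRYPTO_HW_ACCELERATOR` include of `mbedtls_accelerator_config.h`; if that header redefines or undefines any of these three symbols when both macros are set, the interaction should be confirmed and noted.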