blob: b222d6949124e24db376df36c0cc87d323a34d3b [file] [log] [blame]
Tamas Ban5db57532019-07-17 10:59:02 +01001/*
Mingyang Sunc9bdcd72020-06-04 11:44:49 +08002 * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
Tamas Ban5db57532019-07-17 10:59:02 +01003 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 *
6 */
7
8#include <stdint.h>
Mingyang Sunc9bdcd72020-06-04 11:44:49 +08009#include "tfm_plat_crypto_keys.h"
Tamas Ban5db57532019-07-17 10:59:02 +010010/**
11 * \file tfm_rotpk.c
12 *
13 * This file contains the hash value (SHA256) of the public parts of the
14 * firmware signing keys in bl2/ext/mcuboot folder (*.pem files).
15 * This simulates when the hash of the Root of Trust Public Key is programmed
16 * to an immutable device memory to be able to validate the image verification
17 * key.
18 *
19 * \note These key-hash values must be provisioned to the SoC during the
20 * production, independently from firmware binaries. This solution
21 * (hard-coded key-hash values in firmware) is not suited for use in
22 * production!
23 */
24
25#if defined(BL2)
26#if (MCUBOOT_SIGN_RSA_LEN == 2048)
27/* Hash of public key: bl2/ext/mcuboot/root-rsa-2048.pem */
28uint8_t rotpk_hash_0[ROTPK_HASH_LEN] = {
29 0xfc, 0x57, 0x01, 0xdc, 0x61, 0x35, 0xe1, 0x32,
30 0x38, 0x47, 0xbd, 0xc4, 0x0f, 0x04, 0xd2, 0xe5,
31 0xbe, 0xe5, 0x83, 0x3b, 0x23, 0xc2, 0x9f, 0x93,
32 0x59, 0x3d, 0x00, 0x01, 0x8c, 0xfa, 0x99, 0x94,
33};
Tamas Ban78676ac2019-07-11 09:05:54 +010034/* Hash of public key: bl2/ext/mcuboot/root-rsa-2048_1.pem */
35#if (MCUBOOT_IMAGE_NUMBER == 2)
36uint8_t rotpk_hash_1[ROTPK_HASH_LEN] = {
37 0xe1, 0x80, 0x15, 0x99, 0x3d, 0x6d, 0x27, 0x60,
38 0xb4, 0x99, 0x27, 0x4b, 0xae, 0xf2, 0x64, 0xb8,
39 0x3a, 0xf2, 0x29, 0xe9, 0xa7, 0x85, 0xf3, 0xd5,
40 0xbf, 0x00, 0xb9, 0xd3, 0x2c, 0x1f, 0x03, 0x96,
41};
42#endif /* MCUBOOT_IMAGE_NUMBER */
Tamas Ban5db57532019-07-17 10:59:02 +010043
44#elif (MCUBOOT_SIGN_RSA_LEN == 3072)
45/* Hash of public key: bl2/ext/mcuboot/root-rsa-3072.pem */
46uint8_t rotpk_hash_0[ROTPK_HASH_LEN] = {
47 0xbf, 0xe6, 0xd8, 0x6f, 0x88, 0x26, 0xf4, 0xff,
48 0x97, 0xfb, 0x96, 0xc4, 0xe6, 0xfb, 0xc4, 0x99,
49 0x3e, 0x46, 0x19, 0xfc, 0x56, 0x5d, 0xa2, 0x6a,
50 0xdf, 0x34, 0xc3, 0x29, 0x48, 0x9a, 0xdc, 0x38,
51};
Tamas Ban78676ac2019-07-11 09:05:54 +010052/* Hash of public key: bl2/ext/mcuboot/root-rsa-3072_1.pem */
53#if (MCUBOOT_IMAGE_NUMBER == 2)
54uint8_t rotpk_hash_1[ROTPK_HASH_LEN] = {
55 0xb3, 0x60, 0xca, 0xf5, 0xc9, 0x8c, 0x6b, 0x94,
56 0x2a, 0x48, 0x82, 0xfa, 0x9d, 0x48, 0x23, 0xef,
57 0xb1, 0x66, 0xa9, 0xef, 0x6a, 0x6e, 0x4a, 0xa3,
58 0x7c, 0x19, 0x19, 0xed, 0x1f, 0xcc, 0xc0, 0x49,
59};
60#endif /* MCUBOOT_IMAGE_NUMBER */
Tamas Ban5db57532019-07-17 10:59:02 +010061#else
62#error "No public key available for given signing algorithm."
63#endif
64
65const struct tfm_plat_rotpk_t device_rotpk[] = {
66 {
67 .key_hash = rotpk_hash_0,
68 .hash_len = ROTPK_HASH_LEN,
69 },
Tamas Ban78676ac2019-07-11 09:05:54 +010070#if (MCUBOOT_IMAGE_NUMBER == 2)
71 {
72 .key_hash = rotpk_hash_1,
73 .hash_len = ROTPK_HASH_LEN,
74 },
75#endif
Tamas Ban5db57532019-07-17 10:59:02 +010076};
Tamas Ban78676ac2019-07-11 09:05:54 +010077const uint32_t rotpk_key_cnt = MCUBOOT_IMAGE_NUMBER;
Michel Jaouenca57edf2020-09-25 16:59:04 +020078
79/**
80 * \brief Copy the key to the destination buffer
81 *
82 * \param[out] p_dst Pointer to buffer where to store the key
83 * \param[in] p_src Pointer to the key
84 * \param[in] size Length of the key
85 */
86static inline void copy_key(uint8_t *p_dst, const uint8_t *p_src, size_t size)
87{
88 uint32_t i;
89
90 for (i = size; i > 0; i--) {
91 *p_dst = *p_src;
92 p_src++;
93 p_dst++;
94 }
95}
96
97enum tfm_plat_err_t
98tfm_plat_get_rotpk_hash(uint8_t image_id,
99 uint8_t *rotpk_hash,
100 uint32_t *rotpk_hash_size)
101{
102 if(*rotpk_hash_size < ROTPK_HASH_LEN) {
103 return TFM_PLAT_ERR_SYSTEM_ERR;
104 }
105
106 if (image_id >= rotpk_key_cnt) {
107 return TFM_PLAT_ERR_SYSTEM_ERR;
108 }
109
110 *rotpk_hash_size = ROTPK_HASH_LEN;
111 copy_key(rotpk_hash, device_rotpk[image_id].key_hash, *rotpk_hash_size);
112
113 return TFM_PLAT_ERR_SUCCESS;
114}
115
Tamas Ban5db57532019-07-17 10:59:02 +0100116#endif /* BL2 */