Platform: Add provisioning api and implementation
Provision data and secrets to OTP memory, where they can later be
retrieved. Used for all data that should be changed on a per-device /
per-implementation basis. Add a CMake option to replace it with a
platform-specific implementation. Update provisioning documentation.
Change-Id: I0f2e85e93c12bd47b9f68490672d0fc0695e1612
Signed-off-by: Raef Coles <raef.coles@arm.com>
diff --git a/bl2/ext/mcuboot/bl2_main.c b/bl2/ext/mcuboot/bl2_main.c
index 9876239..1674e13 100644
--- a/bl2/ext/mcuboot/bl2_main.c
+++ b/bl2/ext/mcuboot/bl2_main.c
@@ -29,6 +29,8 @@
#include "flash_map_backend/flash_map_backend.h"
#include "boot_hal.h"
#include "uart_stdout.h"
+#include "tfm_plat_otp.h"
+#include "tfm_plat_provisioning.h"
/* Avoids the semihosting issue */
#if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050)
@@ -85,6 +87,7 @@
{
struct boot_rsp rsp;
fih_int fih_rc = FIH_FAILURE;
+ enum tfm_plat_err_t plat_err;
/* Initialise the mbedtls static memory allocator so that mbedtls allocates
* memory from the provided static buffer instead of from the heap.
@@ -103,6 +106,22 @@
BOOT_LOG_INF("Starting bootloader");
+ plat_err = tfm_plat_otp_init();
+ if (plat_err != TFM_PLAT_ERR_SUCCESS) {
+ BOOT_LOG_ERR("OTP system initialization failed");
+ FIH_PANIC;
+ }
+
+ if (tfm_plat_provisioning_is_required()) {
+ plat_err = tfm_plat_provisioning_perform();
+ if (plat_err != TFM_PLAT_ERR_SUCCESS) {
+ BOOT_LOG_ERR("Provisioning failed");
+ FIH_PANIC;
+ }
+ } else {
+ tfm_plat_provisioning_check_for_dummy_keys();
+ }
+
FIH_CALL(boot_nv_security_counter_init, fih_rc);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
BOOT_LOG_ERR("Error while initializing the security counter");
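Review bot: The three new decisions in this hunk (`plat_err != TFM_PLAT_ERR_SUCCESS` after `tfm_plat_otp_init()`, the `tfm_plat_provisioning_is_required()` test, and the check after `tfm_plat_provisioning_perform()`) are plain C comparisons, while the code right after them goes through `FIH_CALL` and `fih_not_eq`. A single skipped branch here would let boot continue without OTP initialisation or provisioning. If the platform API cannot return `fih_int`, record that as a deliberate gap with a comment such as `/* NOTE: plat_err checks below are plain compares, not FIH-hardened */`. The outcome of `tfm_plat_provisioning_check_for_dummy_keys()` is also unused, so nothing visible in this hunk stops a device with dummy keys from booting; presumably the call only logs, which is worth stating in a comment on the `else` branch. The enclosing function starts and ends outside the hunk.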