#include <arch.h>
#include <arch_helpers.h>
#include <assert.h>
+#include <auth.h>
#include <bl_common.h>
#include <debug.h>
#include <platform.h>
/* Find out how much free trusted ram remains after BL1 load */
bl1_tzram_layout = bl1_plat_sec_mem_layout();
+#if TRUSTED_BOARD_BOOT
+ /* Initialize authentication module */
+ auth_init();
+
+ /*
+ * Load the BL2 certificate into the BL2 region. This region will be
+ * overwritten by the image, so the authentication module is responsible
+ * for storing the relevant data from the certificate (keys, hashes,
+ * etc.) so it can be used later.
+ */
+ err = load_image(bl1_tzram_layout,
+ BL2_CERT_NAME,
+ BL2_BASE,
+ &bl2_image_info,
+ NULL);
+ if (err) {
+ ERROR("Failed to load BL2 certificate.\n");
+ panic();
+ }
+
+ err = auth_verify_obj(AUTH_BL2_IMG_CERT, bl2_image_info.image_base,
+ bl2_image_info.image_size);
+ if (err) {
+ ERROR("Failed to validate BL2 certificate.\n");
+ panic();
+ }
+#endif /* TRUSTED_BOARD_BOOT */
+
/* Load the BL2 image */
err = load_image(bl1_tzram_layout,
BL2_IMAGE_NAME,
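Review bot: Both new failure messages in the TRUSTED_BOARD_BOOT block drop `err`, so the boot log cannot tell a certificate that failed to parse from one whose signature or key did not match. Assuming ERROR takes printf-style arguments, consider `ERROR("Failed to validate BL2 certificate (%d).\n", err);` and the same for the load message. The image check added in the next hunk (`Failed to validate BL2 image.`) has the same gap. Both paths end in panic(), so the boot still fails closed. The enclosing function starts and ends outside this hunk.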
ERROR("Failed to load BL2 firmware.\n");
panic();
}
+
+#if TRUSTED_BOARD_BOOT
+ err = auth_verify_obj(AUTH_BL2_IMG, bl2_image_info.image_base,
+ bl2_image_info.image_size);
+ if (err) {
+ ERROR("Failed to validate BL2 image.\n");
+ panic();
+ }
+
+ /* After working with data, invalidate the data cache */
+ inv_dcache_range(bl2_image_info.image_base,
+ (size_t)bl2_image_info.image_size);
+#endif /* TRUSTED_BOARD_BOOT */
+
/*
* Create a new layout of memory for BL2 as seen by BL1 i.e.
* tell it the amount of total and free memory available.
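Review bot: The comment on the added `inv_dcache_range()` call says what is done but not why, and the certificate verified at the same base address in the previous hunk gets no matching invalidation. Please name the later access that depends on it, for example `/* Invalidate the range read during authentication; TODO: state which later access requires this */`. Also, `image_size` is unlikely to be a multiple of the cache line size, so the last line touched may extend past the image. Whether `inv_dcache_range()` copes with a partial line at the end of the range is not visible here and is worth confirming, since invalidating a whole line could discard adjacent dirty data. The enclosing function continues outside this hunk.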
{BL32_IMAGE_NAME, UUID_SECURE_PAYLOAD_BL32},
#endif /* BL32_IMAGE_NAME */
{BL33_IMAGE_NAME, UUID_NON_TRUSTED_FIRMWARE_BL33},
+#if TRUSTED_BOARD_BOOT
+ /* Certificates */
+ {BL2_CERT_NAME, UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT},
+#endif /* TRUSTED_BOARD_BOOT */
};
static const uuid_t uuid_null = {0};
.mode = FOPEN_MODE_RB
};
+#if TRUSTED_BOARD_BOOT
+static const io_file_spec_t bl2_cert_file_spec = {
+ .path = BL2_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+#endif /* TRUSTED_BOARD_BOOT */
+
static int open_fip(const uintptr_t spec);
static int open_memmap(const uintptr_t spec);
(uintptr_t)&bl33_file_spec,
open_fip
}, {
+#if TRUSTED_BOARD_BOOT
+ BL2_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl2_cert_file_spec,
+ open_fip
+ }, {
+#endif /* TRUSTED_BOARD_BOOT */
0, 0, 0
}
};
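Review bot: The `#if TRUSTED_BOARD_BOOT` guard in this table covers the certificate entry's fields plus the `}, {` that opens the terminator entry, so the braces only balance when the two sides of the guard are read together. That is correct as written but easy to break on the next edit, and an error here would change which images the policy table resolves. A one-line comment would help, such as `/* guarded region ends with "}, {" so the 0,0,0 terminator keeps its own braces */`. The identical construct appears in the second platform's table later in the diff. The array definition starts outside this hunk.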
/* Non-Trusted Firmware BL33 */
#define BL33_IMAGE_NAME "bl33.bin" /* e.g. UEFI */
+#if TRUSTED_BOARD_BOOT
+/* Certificates */
+# define BL2_CERT_NAME "bl2.crt"
+#endif /* TRUSTED_BOARD_BOOT */
+
#define PLATFORM_CACHE_LINE_SIZE 64
#define PLATFORM_CLUSTER_COUNT 2ull
#define PLATFORM_CLUSTER0_CORE_COUNT 4
/* Firmware Image Package */
#define FIP_IMAGE_NAME "fip.bin"
+#if TRUSTED_BOARD_BOOT
+/* Certificates */
+# define BL2_CERT_NAME "bl2.crt"
+#endif /* TRUSTED_BOARD_BOOT */
+
#define PLATFORM_CACHE_LINE_SIZE 64
#define PLATFORM_CLUSTER_COUNT 2
#define PLATFORM_CORE_COUNT 6
.mode = FOPEN_MODE_RB
};
+#if TRUSTED_BOARD_BOOT
+static const io_file_spec_t bl2_cert_file_spec = {
+ .path = BL2_CERT_NAME,
+ .mode = FOPEN_MODE_RB
+};
+#endif /* TRUSTED_BOARD_BOOT */
+
static int open_fip(const uintptr_t spec);
static int open_memmap(const uintptr_t spec);
(uintptr_t)&bl33_file_spec,
open_fip
}, {
+#if TRUSTED_BOARD_BOOT
+ BL2_CERT_NAME,
+ &fip_dev_handle,
+ (uintptr_t)&bl2_cert_file_spec,
+ open_fip
+ }, {
+#endif /* TRUSTED_BOARD_BOOT */
0, 0, 0
}
};