mirror of
https://github.com/smaeul/u-boot.git
synced 2025-10-24 17:48:14 +01:00
Vendor Authorized Boot is a security feature for authenticating the images such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and etc loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to Secure Device Manager (SDM) for authentication. U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication. Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
64 lines
1.7 KiB
C
64 lines
1.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0
|
|
*
|
|
* Copyright (C) 2020 Intel Corporation <www.intel.com>
|
|
*
|
|
*/
|
|
|
|
#ifndef _SECURE_VAB_H_
|
|
#define _SECURE_VAB_H_
|
|
|
|
#include <linux/sizes.h>
|
|
#include <linux/stddef.h>
|
|
#include <u-boot/sha512.h>
|
|
|
|
#define VAB_DATA_SZ 64
|
|
|
|
#define SDM_CERT_MAGIC_NUM 0x25D04E7F
|
|
#define FCS_HPS_VAB_MAGIC_NUM 0xD0564142
|
|
|
|
#define MAX_CERT_SIZE (SZ_4K)
|
|
|
|
/*
|
|
* struct fcs_hps_vab_certificate_data
|
|
* @vab_cert_magic_num: VAB Certificate Magic Word (0xD0564142)
|
|
* @flags: TBD
|
|
* @fcs_data: Data words being certificate signed.
|
|
* @cert_sign_keychain: Certificate Signing Keychain
|
|
*/
|
|
struct fcs_hps_vab_certificate_data {
|
|
u32 vab_cert_magic_num; /* offset 0x10 */
|
|
u32 flags;
|
|
u8 rsvd0_1[8];
|
|
u8 fcs_sha384[SHA384_SUM_LEN]; /* offset 0x20 */
|
|
};
|
|
|
|
/*
|
|
* struct fcs_hps_vab_certificate_header
|
|
* @cert_magic_num: Certificate Magic Word (0x25D04E7F)
|
|
* @cert_data_sz: size of this certificate header (0x80)
|
|
* Includes magic number all the way to the certificate
|
|
* signing keychain (excludes cert. signing keychain)
|
|
* @cert_ver: Certificate Version
|
|
* @cert_type: Certificate Type
|
|
* @data: VAB HPS Image Certificate data
|
|
*/
|
|
struct fcs_hps_vab_certificate_header {
|
|
u32 cert_magic_num; /* offset 0 */
|
|
u32 cert_data_sz;
|
|
u32 cert_ver;
|
|
u32 cert_type;
|
|
struct fcs_hps_vab_certificate_data d; /* offset 0x10 */
|
|
/* keychain starts at offset 0x50 */
|
|
};
|
|
|
|
#define VAB_CERT_HEADER_SIZE sizeof(struct fcs_hps_vab_certificate_header)
|
|
#define VAB_CERT_MAGIC_OFFSET offsetof \
|
|
(struct fcs_hps_vab_certificate_header, d)
|
|
#define VAB_CERT_FIT_SHA384_OFFSET offsetof \
|
|
(struct fcs_hps_vab_certificate_data, \
|
|
fcs_sha384[0])
|
|
|
|
int socfpga_vendor_authentication(void **p_image, size_t *p_size);
|
|
|
|
#endif /* _SECURE_VAB_H_ */
|