BL2: Provision RoTPK sign policies

maulik-arm · adeaarm · commit db0b457aa63f · 2025-06-19T12:09:53.000Z
For multisignature, if policy support is enabled, provision the
corresponding key policy to the OTP.

For built in keys, also check the signature verification result
against the policy.

Signed-off-by: Maulik Patel &lt;maulik.patel@arm.com&gt;
Change-Id: If91a5967f3cea59cb12546c25f53280a2c7d4cb2
diff --git a/bl2/CMakeLists.txt b/bl2/CMakeLists.txt
@@ -94,6 +94,11 @@ list(APPEND BL2_CRYPTO_SRC
 
 add_library(bl2_crypto STATIC ${BL2_CRYPTO_SRC})
 
+target_compile_definitions(bl2_crypto
+    PRIVATE
+        $<$<BOOL:${MCUBOOT_ROTPK_SIGN_POLICY}>:MCUBOOT_ROTPK_SIGN_POLICY>
+)
+
 target_include_directories(bl2_crypto
     PUBLIC
         ${MBEDCRYPTO_PATH}/library
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
@@ -81,6 +81,7 @@ target_compile_definitions(bl2
         $<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:TFM_NS_KEY_ID=${TFM_NS_KEY_ID}>
         MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE=${MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE}
         $<$<BOOL:${MCUBOOT_IMAGE_MULTI_SIG_SUPPORT}>:MCUBOOT_IMAGE_MULTI_SIG_SUPPORT>
+        $<$<BOOL:${MCUBOOT_ROTPK_SIGN_POLICY}>:MCUBOOT_ROTPK_SIGN_POLICY>
 )
 
 target_link_libraries(bl2
diff --git a/bl2/ext/mcuboot/keys.c b/bl2/ext/mcuboot/keys.c
@@ -534,6 +534,14 @@ int boot_retrieve_public_key_hash(uint8_t image_index,
                                    (uint32_t *)key_hash_size);
 }
 #elif defined(MCUBOOT_BUILTIN_KEY)
+
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+enum tfm_plat_err_t tfm_plat_get_bl2_rotpk_policies(uint8_t *buf, size_t buf_len)
+{
+    return tfm_plat_otp_read(PLAT_OTP_ID_BL2_ROTPK_POLICIES, buf_len, buf);
+}
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
 /* Maximum number of keys per image */
 #define MAX_KEYS_PER_IMAGE MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE
 
diff --git a/bl2/ext/mcuboot/mcuboot_default_config.cmake b/bl2/ext/mcuboot/mcuboot_default_config.cmake
@@ -60,6 +60,7 @@ set(TFM_NS_KEY_ID                       1                CACHE STRING    "Key ID
 set(MCUBOOT_IMAGE_MULTI_SIG_SUPPORT     OFF              CACHE BOOL      "Enable multiple signature support for images")
 if(MCUBOOT_IMAGE_MULTI_SIG_SUPPORT)
     set(MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE     2           CACHE STRING    "Maximum number of RoTPK keys per image to be used in BL2")
+    set(MCUBOOT_ROTPK_SIGN_POLICY            ON          CACHE BOOL      "Enable ROTPK signing policy")
 else()
     set(MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE     1           CACHE STRING    "Maximum number of RoTPK keys per image to be used in BL2")
 endif()
diff --git a/bl2/src/provisioning.c b/bl2/src/provisioning.c
@@ -17,6 +17,16 @@
 
 #define ASSEMBLY_AND_TEST_PROV_DATA_MAGIC 0xC0DEFEED
 
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+/* Key policy for each ROTPK
+ * bit 0 corresponds to bl2_rotpk_0,
+ * bit 1 coresponds to bl2_rotpk_1,
+ * ...
+ * If bit set, key is compulsory else optional
+ */
+#define BL2_ROTPK_POLICIES 0b00000111
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
 #ifdef MCUBOOT_SIGN_EC384
 #define PUB_KEY_HASH_SIZE (48)
 #define PUB_KEY_SIZE      (100) /* Size must be aligned to 4 Bytes */
@@ -33,6 +43,9 @@
 
 __PACKED_STRUCT bl2_assembly_and_test_provisioning_data_t {
     uint32_t magic;
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    uint32_t bl2_rotpk_policies;
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
     uint8_t bl2_rotpk_0[PROV_ROTPK_DATA_SIZE];
     uint8_t bl2_rotpk_1[PROV_ROTPK_DATA_SIZE];
 #if (MCUBOOT_IMAGE_NUMBER > 2)
@@ -198,6 +211,10 @@ __PACKED_STRUCT bl2_assembly_and_test_provisioning_data_t {
 
 static const struct bl2_assembly_and_test_provisioning_data_t bl2_assembly_and_test_prov_data = {
     ASSEMBLY_AND_TEST_PROV_DATA_MAGIC,
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    BL2_ROTPK_POLICIES,
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
 #if defined(MCUBOOT_SIGN_RSA)
 #if (MCUBOOT_SIGN_RSA_LEN == 2048)
     ASSEMBLY_AND_TEST_PROV_DATA_KIND_0, /* bl2 rotpk 0 */
@@ -326,6 +343,16 @@ enum tfm_plat_err_t provision_assembly_and_test(void)
     }
 #endif /* MCUBOOT_IMAGE_NUMBER > 3 */
 
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    /* Write the ROTPK policies */
+    err = tfm_plat_otp_write(PLAT_OTP_ID_BL2_ROTPK_POLICIES,
+                             sizeof(bl2_assembly_and_test_prov_data.bl2_rotpk_policies),
+                             (uint8_t *)&bl2_assembly_and_test_prov_data.bl2_rotpk_policies);
+    if ((err != TFM_PLAT_ERR_SUCCESS) && (err != TFM_PLAT_ERR_UNSUPPORTED)) {
+        return err;
+    }
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
 #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
     err = tfm_plat_otp_write(PLAT_OTP_ID_SECURE_DEBUG_PK,
                              sizeof(bl2_assembly_and_test_prov_data.secure_debug_pk),
diff --git a/bl2/src/thin_psa_crypto_core.c b/bl2/src/thin_psa_crypto_core.c
@@ -21,7 +21,6 @@
 #include "psa_crypto_driver_wrappers_no_static.h"
 #if defined(MCUBOOT_BUILTIN_KEY)
 #include "tfm_plat_crypto_keys.h"
-#include "tfm_plat_otp.h"
 #endif /* MCUBOOT_BUILTIN_KEY */
 #ifdef PSA_WANT_ALG_LMS
 #include "mbedtls/lms.h"
@@ -169,6 +168,77 @@ static bool is_key_builtin(psa_key_id_t key_id)
     return true;
 }
 
+#if defined(MCUBOOT_BUILTIN_KEY)
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+/**
+ * @brief Retrieve the signing policy for a given key ID.
+ *
+ * @details This function fetches the signing policy associated with the
+ *          specified key ID and populates the provided policy structure.
+ *
+ * @param[in]  key_id The identifier of the key whose signing policy is to
+ *                     be retrieved.
+ * @param[out] policy  Pointer to a structure where the signing policy
+ *                     information will be stored.
+ *
+ * @return PSA_SUCCESS             If the policy was successfully retrieved.
+ * @return PSA_ERROR_DOES_NOT_EXIST If the key ID does not exist.
+ * @return PSA_ERROR_INVALID_ARGUMENT If the input arguments are invalid.
+ */
+static psa_status_t get_key_sign_policy(psa_key_id_t key_id,
+                                        enum tfm_bl2_key_policy_t *policy)
+{
+    uint32_t policies;
+    enum tfm_plat_err_t err;
+
+    err = tfm_plat_get_bl2_rotpk_policies((uint8_t *)&policies, sizeof(policies));
+    if (err != TFM_PLAT_ERR_SUCCESS) {
+        return PSA_ERROR_GENERIC_ERROR;
+    }
+
+    /* Check if the key id bit from the policies is set */
+    if (policies & (1 << key_id)) {
+        *policy = TFM_BL2_KEY_MUST_SIGN;
+    } else {
+        *policy = TFM_BL2_KEY_MIGHT_SIGN;
+    }
+
+    return PSA_SUCCESS;
+}
+#else
+static inline psa_status_t get_key_sign_policy(psa_key_id_t key,
+                                               enum tfm_bl2_key_policy_t *policy)
+{
+    (void)key; /* Unused parameter */
+    /* By default key policy is a MUST SIGN */
+    *policy = TFM_BL2_KEY_MUST_SIGN;
+
+    return PSA_SUCCESS;
+}
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
+int boot_plat_check_key_policy(bool valid_sig, psa_key_id_t key,
+                               bool *key_might_sign, bool *key_must_sign,
+                               uint8_t *key_must_sign_count)
+{
+    enum tfm_bl2_key_policy_t policy;
+
+    if (get_key_sign_policy(key, &policy) != PSA_SUCCESS) {
+        return -1;
+    }
+
+    if (policy == TFM_BL2_KEY_MIGHT_SIGN) {
+        *key_might_sign |= valid_sig;
+    } else {
+        *key_must_sign_count += 1;
+        *key_might_sign |= valid_sig;
+        *key_must_sign  &= valid_sig;
+    }
+
+    return 0;
+}
+#endif /* MCUBOOT_BUILTIN_KEY */
+
 /**
  * @brief Check in constant time if the \a a buffer matches the \a b
  *        buffer
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
@@ -230,6 +230,7 @@ if(BL2)
             BL2
             MCUBOOT_${MCUBOOT_UPGRADE_STRATEGY}
             $<$<BOOL:${MCUBOOT_DIRECT_XIP_REVERT}>:MCUBOOT_DIRECT_XIP_REVERT>
+            $<$<BOOL:${MCUBOOT_ROTPK_SIGN_POLICY}>:MCUBOOT_ROTPK_SIGN_POLICY>
             $<$<BOOL:${SYMMETRIC_INITIAL_ATTESTATION}>:SYMMETRIC_INITIAL_ATTESTATION>
             MCUBOOT_FIH_PROFILE_${MCUBOOT_FIH_PROFILE}
             $<$<BOOL:${PLATFORM_DEFAULT_OTP}>:PLATFORM_DEFAULT_OTP>
diff --git a/platform/ext/common/provisioning_bundle/provisioning_bundle.h b/platform/ext/common/provisioning_bundle/provisioning_bundle.h
@@ -54,6 +54,9 @@ __PACKED_STRUCT tfm_psa_rot_provisioning_data_t {
 };
 
 __PACKED_STRUCT bl2_assembly_and_test_provisioning_data_t {
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    uint32_t bl2_rotpk_policies;
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
     uint8_t bl2_rotpk_0[PROV_ROTPK_DATA_SIZE];
     uint8_t bl2_rotpk_1[PROV_ROTPK_DATA_SIZE];
 #if (MCUBOOT_IMAGE_NUMBER > 2)
diff --git a/platform/ext/common/provisioning_bundle/provisioning_code.c b/platform/ext/common/provisioning_bundle/provisioning_code.c
@@ -53,6 +53,15 @@ enum tfm_plat_err_t __attribute__((section("DO_PROVISION"))) do_provision(void)
     }
 #endif /* MCUBOOT_IMAGE_NUMBER > 3 */
 
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    err = tfm_plat_otp_write(PLAT_OTP_ID_BL2_ROTPK_POLICIES,
+                             sizeof(data.psa_rot_prov_data.bl2_rotpk_policies),
+                             (uint8_t*)&data.psa_rot_prov_data.bl2_rotpk_policies);
+    if (err != TFM_PLAT_ERR_SUCCESS && err != TFM_PLAT_ERR_UNSUPPORTED) {
+        return err;
+    }
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
 #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
     err = tfm_plat_otp_write(PLAT_OTP_ID_SECURE_DEBUG_PK,
                              sizeof(data.bl2_assembly_and_test_prov_data.secure_debug_pk),
diff --git a/platform/ext/common/template/flash_otp_nv_counters_backend.h b/platform/ext/common/template/flash_otp_nv_counters_backend.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2024, Arm Limited. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -71,6 +71,7 @@ __PACKED_STRUCT flash_otp_nv_counters_region_t {
 
         uint8_t bl2_rotpk_2[BL2_ROTPK_SIZE];
         uint8_t bl2_rotpk_3[BL2_ROTPK_SIZE];
+        uint32_t bl2_rotpk_policies;
 #endif /* BL2 */
 
 #ifdef BL1
diff --git a/platform/ext/common/template/otp_flash.c b/platform/ext/common/template/otp_flash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2024, Arm Limited. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -84,6 +84,11 @@ enum tfm_plat_err_t tfm_plat_otp_read(enum tfm_otp_element_id_t id,
     case PLAT_OTP_ID_BL2_ROTPK_3:
        return write_to_output(id, offsetof(struct flash_otp_nv_counters_region_t, bl2_rotpk_3), out_len, out);
 
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    case PLAT_OTP_ID_BL2_ROTPK_POLICIES:
+        return write_to_output(id, offsetof(struct flash_otp_nv_counters_region_t, bl2_rotpk_policies), out_len, out);
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
     case PLAT_OTP_ID_NV_COUNTER_BL2_0:
         return write_to_output(id, offsetof(struct flash_otp_nv_counters_region_t, bl2_nv_counter_0), out_len, out);
     case PLAT_OTP_ID_NV_COUNTER_BL2_1:
@@ -207,6 +212,11 @@ enum tfm_plat_err_t tfm_plat_otp_write(enum tfm_otp_element_id_t id,
     case PLAT_OTP_ID_BL2_ROTPK_3:
         return read_from_input(id, offsetof(struct flash_otp_nv_counters_region_t, bl2_rotpk_3), in_len, in);
 
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    case PLAT_OTP_ID_BL2_ROTPK_POLICIES:
+        return read_from_input(id, offsetof(struct flash_otp_nv_counters_region_t, bl2_rotpk_policies), in_len, in);
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
     case PLAT_OTP_ID_NV_COUNTER_BL2_0:
         return read_from_input(id, offsetof(struct flash_otp_nv_counters_region_t, bl2_nv_counter_0), in_len, in);
     case PLAT_OTP_ID_NV_COUNTER_BL2_1:
@@ -312,6 +322,12 @@ enum tfm_plat_err_t tfm_plat_otp_get_size(enum tfm_otp_element_id_t id,
         *size = sizeof(((struct flash_otp_nv_counters_region_t*)0)->bl2_rotpk_3);
         break;
 
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    case PLAT_OTP_ID_BL2_ROTPK_POLICIES:
+        *size = sizeof(((struct flash_otp_nv_counters_region_t*)0)->bl2_rotpk_policies);
+        break;
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
+
     case PLAT_OTP_ID_NV_COUNTER_BL2_0:
         *size = sizeof(((struct flash_otp_nv_counters_region_t*)0)->bl2_nv_counter_0);
         break;
diff --git a/platform/include/tfm_plat_crypto_keys.h b/platform/include/tfm_plat_crypto_keys.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2024, Arm Limited. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -8,6 +8,7 @@
 #ifndef __TFM_PLAT_CRYPTO_KEYS_H__
 #define __TFM_PLAT_CRYPTO_KEYS_H__
 
+#include <stdbool.h>
 #include <stdint.h>
 #include "psa/crypto.h"
 #include "tfm_plat_defs.h"
@@ -95,6 +96,50 @@ typedef struct {
  */
 size_t tfm_plat_builtin_key_get_policy_table_ptr(const tfm_plat_builtin_key_policy_t *desc_ptr[]);
 
+/**
+ * @brief Policy associated to the given key
+ *
+ * @enum tfm_bl2_key_policy_t
+ */
+enum tfm_bl2_key_policy_t {
+    TFM_BL2_KEY_MIGHT_SIGN = 0b00,
+    TFM_BL2_KEY_MUST_SIGN  = 0b01,
+};
+
+/**
+ * \brief Reads the BL2 Root-of-Trust Public Key (ROTPK) policies from OTP.
+ *
+ * \param[out] buf      Pointer to the buffer where the policy blob will be stored.
+ * \param[in]  buf_len  Size of the \p buf buffer in bytes.
+ *
+ * \retval TFM_PLAT_ERR_SUCCESS       The policies were read successfully.
+ * \retval tfm_plat_err_t (other)     An error code indicating why the read failed.
+ */
+enum tfm_plat_err_t tfm_plat_get_bl2_rotpk_policies(uint8_t *buf, size_t buf_len);
+
+/**
+ * @brief Check the key policy for a given key ID based on signature validity.
+ *
+ * @details This function evaluates the policy associated with the specified
+ *          key ID and determines whether the key might or must be used for
+ *          signing operations. It also tracks the count of keys that must
+ *          sign if applicable.
+ *
+ * @param[in]  valid_sig           Boolean indicating if the signature is valid.
+ * @param[in]  key                 The identifier of the key to check the policy for.
+ * @param[out] key_might_sign      Pointer to a boolean that will be set to true
+ *                                 if the key might be used for signing.
+ * @param[out] key_must_sign       Pointer to a boolean that will be set to true
+ *                                 if the key must be used for signing.
+ * @param[out] key_must_sign_count Pointer to a counter that will be incremented
+ *                                 if the key must sign.
+ *
+ * @return 0 on success, or an error code indicating the failure reason.
+ */
+int boot_plat_check_key_policy(bool valid_sig, psa_key_id_t key,
+                               bool *key_might_sign, bool *key_must_sign,
+                               uint8_t *key_must_sign_count);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/platform/include/tfm_plat_otp.h b/platform/include/tfm_plat_otp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -59,6 +59,9 @@ enum tfm_otp_element_id_t {
     PLAT_OTP_ID_ENTROPY_SEED,
 
     PLAT_OTP_ID_SECURE_DEBUG_PK,
+#ifdef MCUBOOT_ROTPK_SIGN_POLICY
+    PLAT_OTP_ID_BL2_ROTPK_POLICIES,
+#endif /* MCUBOOT_ROTPK_SIGN_POLICY */
 
     PLAT_OTP_ID_MAX = UINT32_MAX,
 };

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ target_compile_definitions(bl2`
`81`	`81`	`$<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:TFM_NS_KEY_ID=${TFM_NS_KEY_ID}>`
`82`	`82`	`MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE=${MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE}`
`83`	`83`	`$<$<BOOL:${MCUBOOT_IMAGE_MULTI_SIG_SUPPORT}>:MCUBOOT_IMAGE_MULTI_SIG_SUPPORT>`
	`84`	`+ $<$<BOOL:${MCUBOOT_ROTPK_SIGN_POLICY}>:MCUBOOT_ROTPK_SIGN_POLICY>`
`84`	`85`	`)`
`85`	`86`
`86`	`87`	`target_link_libraries(bl2`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (c) 2021-2024, Arm Limited. All rights reserved.`
	`2`	`+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors`
`3`	`3`	`*`
`4`	`4`	`* SPDX-License-Identifier: BSD-3-Clause`
`5`	`5`	`*`
`@@ -71,6 +71,7 @@ __PACKED_STRUCT flash_otp_nv_counters_region_t {`
`71`	`71`
`72`	`72`	`uint8_t bl2_rotpk_2[BL2_ROTPK_SIZE];`
`73`	`73`	`uint8_t bl2_rotpk_3[BL2_ROTPK_SIZE];`
	`74`	`+ uint32_t bl2_rotpk_policies;`
`74`	`75`	`#endif /* BL2 */`
`75`	`76`
`76`	`77`	`#ifdef BL1`