TBB: add tool to generate certificates
This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.
The tool reads the binary images and signing keys and outputs the
corresponding certificates that will be used by the target at run
time to verify the authenticity of the images.
Note: the platform port must provide the file platform_oid.h. This
file will define the OIDs of the x509 extensions that will be added
to the certificates in order to establish the CoT.
Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
new file mode 100644
index 0000000..9705643
--- /dev/null
+++ b/tools/cert_create/src/cert.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/sha.h>
+#include <openssl/x509v3.h>
+
+#include "cert.h"
+#include "debug.h"
+#include "key.h"
+#include "platform_oid.h"
+#include "sha.h"
+
+#define SERIAL_RAND_BITS 64
+
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
+{
+ BIGNUM *btmp;
+ int ret = 0;
+ if (b)
+ btmp = b;
+ else
+ btmp = BN_new();
+
+ if (!btmp)
+ return 0;
+
+ if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+ goto error;
+ if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
+ goto error;
+
+ ret = 1;
+
+error:
+
+ if (!b)
+ BN_free(btmp);
+
+ return ret;
+}
+
+int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
+{
+ X509_EXTENSION *ex;
+ X509V3_CTX ctx;
+
+ /* No configuration database */
+ X509V3_set_ctx_nodb(&ctx);
+
+ /* Set issuer and subject certificates in the context */
+ X509V3_set_ctx(&ctx, issuer, subject, NULL, NULL, 0);
+ ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
+ if (!ex) {
+ ERR_print_errors_fp(stdout);
+ return 0;
+ }
+
+ X509_add_ext(subject, ex, -1);
+ X509_EXTENSION_free(ex);
+
+ return 1;
+}
+
+
+int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
+{
+ EVP_PKEY *pkey = cert->key->key;
+ EVP_PKEY *ikey = cert->issuer->key->key;
+ X509 *issuer = cert->issuer->x;
+ X509 *x = NULL;
+ X509_EXTENSION *ex = NULL;
+ X509_NAME *name = NULL;
+ ASN1_INTEGER *sno = NULL;
+ int i, num;
+
+ /* Create the certificate structure */
+ x = X509_new();
+ if (!x) {
+ return 0;
+ }
+
+ /* If we do not have a key, use the issuer key (the certificate will
+ * become self signed). This happens in content certificates. */
+ if (!pkey) {
+ pkey = ikey;
+ }
+
+ /* If we do not have an issuer certificate, use our own (the certificate
+ * will become self signed) */
+ if (!issuer) {
+ issuer = x;
+ }
+
+ /* x509.v3 */
+ X509_set_version(x, 2);
+
+ /* Random serial number */
+ sno = ASN1_INTEGER_new();
+ rand_serial(NULL, sno);
+ X509_set_serialNumber(x, sno);
+ ASN1_INTEGER_free(sno);
+
+ X509_gmtime_adj(X509_get_notBefore(x), 0);
+ X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*days);
+ X509_set_pubkey(x, pkey);
+
+ /* Subject name */
+ name = X509_get_subject_name(x);
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+ (const unsigned char *)cert->cn, -1, -1, 0);
+ X509_set_subject_name(x, name);
+
+ /* Issuer name */
+ name = X509_get_issuer_name(x);
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+ (const unsigned char *)cert->issuer->cn, -1, -1, 0);
+ X509_set_issuer_name(x, name);
+
+ /* Add various extensions: standard extensions */
+ cert_add_ext(issuer, x, NID_subject_key_identifier, "hash");
+ cert_add_ext(issuer, x, NID_authority_key_identifier, "keyid:always");
+ if (ca) {
+ cert_add_ext(issuer, x, NID_basic_constraints, "CA:TRUE");
+ cert_add_ext(issuer, x, NID_key_usage, "keyCertSign");
+ } else {
+ cert_add_ext(issuer, x, NID_basic_constraints, "CA:FALSE");
+ }
+
+ /* Add custom extensions */
+ if (sk != NULL) {
+ num = sk_X509_EXTENSION_num(sk);
+ for (i = 0; i < num; i++) {
+ ex = sk_X509_EXTENSION_value(sk, i);
+ X509_add_ext(x, ex, -1);
+ }
+ }
+
+ /* Sign the certificate with the issuer key */
+ if (!X509_sign(x, ikey, EVP_sha1())) {
+ ERR_print_errors_fp(stdout);
+ return 0;
+ }
+
+ cert->x = x;
+ return 1;
+}
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
new file mode 100644
index 0000000..31f84a8
--- /dev/null
+++ b/tools/cert_create/src/ext.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+#include "ext.h"
+
+DECLARE_ASN1_ITEM(ASN1_INTEGER)
+DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
+
+/*
+ * This function adds the TBB extensions to the internal extension list
+ * maintained by OpenSSL so they can be used later.
+ *
+ * It also initializes the methods to print the contents of the extension. If an
+ * alias is specified in the TBB extension, we reuse the methods of the alias.
+ * Otherwise, only methods for V_ASN1_INTEGER and V_ASN1_OCTET_STRING are
+ * provided. Any other type will be printed as a raw ascii string.
+ *
+ * Return: 0 = success, Otherwise: error
+ */
+int ext_init(ext_t *tbb_ext)
+{
+ ext_t *ext;
+ X509V3_EXT_METHOD *m;
+ int i = 0, nid, ret;
+
+ while ((ext = &tbb_ext[i++]) && ext->oid) {
+ nid = OBJ_create(ext->oid, ext->sn, ext->ln);
+ if (ext->alias) {
+ X509V3_EXT_add_alias(nid, ext->alias);
+ } else {
+ m = &ext->method;
+ memset(m, 0x0, sizeof(X509V3_EXT_METHOD));
+ switch (ext->type) {
+ case V_ASN1_INTEGER:
+ m->it = ASN1_ITEM_ref(ASN1_INTEGER);
+ m->i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER;
+ m->s2i = (X509V3_EXT_S2I)s2i_ASN1_INTEGER;
+ break;
+ case V_ASN1_OCTET_STRING:
+ m->it = ASN1_ITEM_ref(ASN1_OCTET_STRING);
+ m->i2s = (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING;
+ m->s2i = (X509V3_EXT_S2I)s2i_ASN1_OCTET_STRING;
+ break;
+ default:
+ continue;
+ }
+ m->ext_nid = nid;
+ ret = X509V3_EXT_add(m);
+ if (!ret) {
+ ERR_print_errors_fp(stdout);
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
+/*
+ * Create a new extension
+ *
+ * Extension ::= SEQUENCE {
+ * id OBJECT IDENTIFIER,
+ * critical BOOLEAN DEFAULT FALSE,
+ * value OCTET STRING }
+ *
+ * Parameters:
+ * pex: OpenSSL extension pointer (output parameter)
+ * nid: extension identifier
+ * crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
+ * data: extension data. This data will be encapsulated in an Octet String
+ *
+ * Return: Extension address, NULL if error
+ */
+static
+X509_EXTENSION *ext_new(int nid, int crit, unsigned char *data, int len)
+{
+ X509_EXTENSION *ex;
+ ASN1_OCTET_STRING *ext_data;
+
+ /* Octet string containing the extension data */
+ ext_data = ASN1_OCTET_STRING_new();
+ ASN1_OCTET_STRING_set(ext_data, data, len);
+
+ /* Create the extension */
+ ex = X509_EXTENSION_create_by_NID(NULL, nid, crit, ext_data);
+
+ /* The extension makes a copy of the data, so we can free this object */
+ ASN1_OCTET_STRING_free(ext_data);
+
+ return ex;
+}
+
+/*
+ * Creates a x509v3 extension containing a hash encapsulated in an ASN1 Octet
+ * String
+ *
+ * Parameters:
+ * pex: OpenSSL extension pointer (output parameter)
+ * nid: extension identifier
+ * crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
+ * buf: pointer to the buffer that contains the hash
+ * len: size of the hash in bytes
+ *
+ * Return: Extension address, NULL if error
+ */
+X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len)
+{
+ X509_EXTENSION *ex = NULL;
+ ASN1_OCTET_STRING *hash = NULL;
+ unsigned char *p = NULL;
+ int sz = -1;
+
+ /* Encode Hash */
+ hash = ASN1_OCTET_STRING_new();
+ ASN1_OCTET_STRING_set(hash, buf, len);
+ sz = i2d_ASN1_OCTET_STRING(hash, NULL);
+ i2d_ASN1_OCTET_STRING(hash, &p);
+
+ /* Create the extension */
+ ex = ext_new(nid, crit, p, sz);
+
+ /* Clean up */
+ OPENSSL_free(p);
+ ASN1_OCTET_STRING_free(hash);
+
+ return ex;
+}
+
+/*
+ * Creates a x509v3 extension containing a nvcounter encapsulated in an ASN1
+ * Integer
+ *
+ * Parameters:
+ * pex: OpenSSL extension pointer (output parameter)
+ * nid: extension identifier
+ * crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
+ * value: nvcounter value
+ *
+ * Return: Extension address, NULL if error
+ */
+X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value)
+{
+ X509_EXTENSION *ex = NULL;
+ ASN1_INTEGER *counter = NULL;
+ unsigned char *p = NULL;
+ int sz = -1;
+
+ /* Encode counter */
+ counter = ASN1_INTEGER_new();
+ ASN1_INTEGER_set(counter, value);
+ sz = i2d_ASN1_INTEGER(counter, NULL);
+ i2d_ASN1_INTEGER(counter, &p);
+
+ /* Create the extension */
+ ex = ext_new(nid, crit, p, sz);
+
+ /* Free objects */
+ OPENSSL_free(p);
+ ASN1_INTEGER_free(counter);
+
+ return ex;
+}
+
+/*
+ * Creates a x509v3 extension containing a public key in DER format:
+ *
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ *
+ * Parameters:
+ * pex: OpenSSL extension pointer (output parameter)
+ * nid: extension identifier
+ * crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
+ * k: key
+ *
+ * Return: Extension address, NULL if error
+ */
+X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k)
+{
+ X509_EXTENSION *ex = NULL;
+ unsigned char *p = NULL;
+ int sz = -1;
+
+ /* Encode key */
+ BIO *mem = BIO_new(BIO_s_mem());
+ if (i2d_PUBKEY_bio(mem, k) <= 0) {
+ ERR_print_errors_fp(stderr);
+ return NULL;
+ }
+ p = (unsigned char *)OPENSSL_malloc(4096);
+ sz = BIO_read(mem, p, 4096);
+
+ /* Create the extension */
+ ex = ext_new(nid, crit, p, sz);
+
+ /* Clean up */
+ OPENSSL_free(p);
+
+ return ex;
+}
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
new file mode 100644
index 0000000..b5737d9
--- /dev/null
+++ b/tools/cert_create/src/key.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#include "cert.h"
+#include "debug.h"
+#include "key.h"
+#include "platform_oid.h"
+#include "sha.h"
+
+#define MAX_FILENAME_LEN 1024
+
+/*
+ * Create a new key
+ */
+int key_new(key_t *key)
+{
+ RSA *rsa = NULL;
+ EVP_PKEY *k = NULL;
+
+ /* Create key pair container */
+ k = EVP_PKEY_new();
+ if (k == NULL) {
+ return 0;
+ }
+
+ /* Generate a new RSA key */
+ rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL);
+ if (EVP_PKEY_assign_RSA(k, rsa)) {
+ key->key = k;
+ return 1;
+ } else {
+ printf("Cannot assign RSA key\n");
+ }
+
+ if (k)
+ EVP_PKEY_free(k);
+ return 0;
+}
+
+int key_load(key_t *key)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *k = NULL;
+
+ /* Create key pair container */
+ k = EVP_PKEY_new();
+ if (k == NULL) {
+ return 0;
+ }
+
+ if (key->fn) {
+ /* Load key from file */
+ fp = fopen(key->fn, "r");
+ if (fp) {
+ k = PEM_read_PrivateKey(fp, &k, NULL, NULL);
+ fclose(fp);
+ if (k) {
+ key->key = k;
+ return 1;
+ } else {
+ ERROR("Cannot read key from %s\n", key->fn);
+ }
+ } else {
+ ERROR("Cannot open file %s\n", key->fn);
+ }
+ } else {
+ ERROR("Key filename not specified\n");
+ }
+
+ if (k)
+ EVP_PKEY_free(k);
+
+ return 0;
+}
+
+int key_store(key_t *key)
+{
+ FILE *fp = NULL;
+
+ if (key->fn) {
+ fp = fopen(key->fn, "w");
+ if (fp) {
+ PEM_write_PrivateKey(fp, key->key,
+ NULL, NULL, 0, NULL, NULL);
+ fclose(fp);
+ return 1;
+ } else {
+ ERROR("Cannot create file %s\n", key->fn);
+ }
+ } else {
+ ERROR("Key filename not specified\n");
+ }
+
+ return 0;
+}
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
new file mode 100644
index 0000000..6df367a
--- /dev/null
+++ b/tools/cert_create/src/main.c
@@ -0,0 +1,719 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/sha.h>
+#include <openssl/x509v3.h>
+
+#include "cert.h"
+#include "debug.h"
+#include "ext.h"
+#include "key.h"
+#include "platform_oid.h"
+#include "sha.h"
+#include "tbb_ext.h"
+#include "tbb_cert.h"
+#include "tbb_key.h"
+
+/*
+ * Helper macros to simplify the code. This macro assigns the return value of
+ * the 'fn' function to 'v' and exits if the value is NULL.
+ */
+#define CHECK_NULL(v, fn) \
+ do { \
+ v = fn; \
+ if (v == NULL) { \
+ ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \
+ exit(1); \
+ } \
+ } while (0)
+
+/*
+ * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the
+ * NID is undefined.
+ */
+#define CHECK_OID(v, oid) \
+ do { \
+ v = OBJ_txt2nid(oid); \
+ if (v == NID_undef) { \
+ ERROR("Cannot find TBB extension %s\n", oid); \
+ exit(1); \
+ } \
+ } while (0)
+
+#define MAX_FILENAME_LEN 1024
+#define VAL_DAYS 7300
+#define ID_TO_BIT_MASK(id) (1 << id)
+#define NVCOUNTER_VALUE 0
+
+/* Files */
+enum {
+ /* Image file names (inputs) */
+ BL2_ID = 0,
+ BL30_ID,
+ BL31_ID,
+ BL32_ID,
+ BL33_ID,
+ /* Certificate file names (outputs) */
+ BL2_CERT_ID,
+ TRUSTED_KEY_CERT_ID,
+ BL30_KEY_CERT_ID,
+ BL30_CERT_ID,
+ BL31_KEY_CERT_ID,
+ BL31_CERT_ID,
+ BL32_KEY_CERT_ID,
+ BL32_CERT_ID,
+ BL33_KEY_CERT_ID,
+ BL33_CERT_ID,
+ /* Key file names (input/output) */
+ ROT_KEY_ID,
+ TRUSTED_WORLD_KEY_ID,
+ NON_TRUSTED_WORLD_KEY_ID,
+ BL30_KEY_ID,
+ BL31_KEY_ID,
+ BL32_KEY_ID,
+ BL33_KEY_ID,
+ NUM_OPTS
+};
+
+/* Global options */
+static int new_keys;
+static int save_keys;
+static int print_cert;
+static int bl30_present;
+static int bl32_present;
+
+/* We are not checking nvcounters in TF. Include them in the certificates but
+ * the value will be set to 0 */
+static int tf_nvcounter;
+static int non_tf_nvcounter;
+
+/* Info messages created in the Makefile */
+extern const char build_msg[];
+extern const char platform_msg[];
+
+
+static char *strdup(const char *str)
+{
+ int n = strlen(str) + 1;
+ char *dup = malloc(n);
+ if (dup) {
+ strcpy(dup, str);
+ }
+ return dup;
+}
+
+/* Command line options */
+static const struct option long_opt[] = {
+ /* Binary images */
+ {"bl2", required_argument, 0, BL2_ID},
+ {"bl30", required_argument, 0, BL30_ID},
+ {"bl31", required_argument, 0, BL31_ID},
+ {"bl32", required_argument, 0, BL32_ID},
+ {"bl33", required_argument, 0, BL33_ID},
+ /* Certificate files */
+ {"bl2-cert", required_argument, 0, BL2_CERT_ID},
+ {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID},
+ {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID},
+ {"bl30-cert", required_argument, 0, BL30_CERT_ID},
+ {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID},
+ {"bl31-cert", required_argument, 0, BL31_CERT_ID},
+ {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID},
+ {"bl32-cert", required_argument, 0, BL32_CERT_ID},
+ {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID},
+ {"bl33-cert", required_argument, 0, BL33_CERT_ID},
+ /* Private key files */
+ {"rot-key", required_argument, 0, ROT_KEY_ID},
+ {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID},
+ {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID},
+ {"bl30-key", required_argument, 0, BL30_KEY_ID},
+ {"bl31-key", required_argument, 0, BL31_KEY_ID},
+ {"bl32-key", required_argument, 0, BL32_KEY_ID},
+ {"bl33-key", required_argument, 0, BL33_KEY_ID},
+ /* Common options */
+ {"help", no_argument, 0, 'h'},
+ {"save-keys", no_argument, 0, 'k'},
+ {"new-chain", no_argument, 0, 'n'},
+ {"print-cert", no_argument, 0, 'p'},
+ {0, 0, 0, 0}
+};
+
+static void print_help(const char *cmd)
+{
+ int i = 0;
+ printf("\n\n");
+ printf("The certificate generation tool loads the binary images and\n"
+ "optionally the RSA keys, and outputs the key and content\n"
+ "certificates properly signed to implement the chain of trust.\n"
+ "If keys are provided, they must be in PEM format.\n"
+ "Certificates are generated in DER format.\n");
+ printf("\n");
+ printf("Usage:\n\n");
+ printf(" %s [-hknp] \\\n", cmd);
+ for (i = 0; i < NUM_OPTS; i++) {
+ printf(" --%s <file> \\\n", long_opt[i].name);
+ }
+ printf("\n");
+ printf("-h Print help and exit\n");
+ printf("-k Save key pairs into files. Filenames must be provided\n");
+ printf("-n Generate new key pairs if no key files are provided\n");
+ printf("-p Print the certificates in the standard output\n");
+ printf("\n");
+
+ exit(0);
+}
+
+static void check_cmd_params(void)
+{
+ /* BL2, BL31 and BL33 are mandatory */
+ if (certs[BL2_CERT].bin == NULL) {
+ ERROR("BL2 image not specified\n");
+ exit(1);
+ }
+
+ if (certs[BL31_CERT].bin == NULL) {
+ ERROR("BL31 image not specified\n");
+ exit(1);
+ }
+
+ if (certs[BL33_CERT].bin == NULL) {
+ ERROR("BL33 image not specified\n");
+ exit(1);
+ }
+
+ /* BL30 and BL32 are optional */
+ if (certs[BL30_CERT].bin != NULL) {
+ bl30_present = 1;
+ }
+
+ if (certs[BL32_CERT].bin != NULL) {
+ bl32_present = 1;
+ }
+
+ /* TODO: Certificate filenames */
+
+ /* Filenames to store keys must be specified */
+ if (save_keys || !new_keys) {
+ if (keys[ROT_KEY].fn == NULL) {
+ ERROR("ROT key not specified\n");
+ exit(1);
+ }
+
+ if (keys[TRUSTED_WORLD_KEY].fn == NULL) {
+ ERROR("Trusted World key not specified\n");
+ exit(1);
+ }
+
+ if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) {
+ ERROR("Non-trusted World key not specified\n");
+ exit(1);
+ }
+
+ if (keys[BL31_KEY].fn == NULL) {
+ ERROR("BL31 key not specified\n");
+ exit(1);
+ }
+
+ if (keys[BL33_KEY].fn == NULL) {
+ ERROR("BL33 key not specified\n");
+ exit(1);
+ }
+
+ if (bl30_present && (keys[BL30_KEY].fn == NULL)) {
+ ERROR("BL30 key not specified\n");
+ exit(1);
+ }
+
+ if (bl32_present && (keys[BL32_KEY].fn == NULL)) {
+ ERROR("BL32 key not specified\n");
+ exit(1);
+ }
+ }
+}
+
+int main(int argc, char *argv[])
+{
+ STACK_OF(X509_EXTENSION) * sk = NULL;
+ X509_EXTENSION *hash_ext = NULL;
+ X509_EXTENSION *nvctr_ext = NULL;
+ X509_EXTENSION *trusted_key_ext = NULL;
+ X509_EXTENSION *non_trusted_key_ext = NULL;
+ FILE *file = NULL;
+ int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
+ int c, opt_idx = 0;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+
+ NOTICE("CoT Generation Tool: %s\n", build_msg);
+ NOTICE("Target platform: %s\n", platform_msg);
+
+ while (1) {
+ /* getopt_long stores the option index here. */
+ c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx);
+
+ /* Detect the end of the options. */
+ if (c == -1) {
+ break;
+ }
+
+ switch (c) {
+ case 'h':
+ print_help(argv[0]);
+ break;
+ case 'k':
+ save_keys = 1;
+ break;
+ case 'n':
+ new_keys = 1;
+ break;
+ case 'p':
+ print_cert = 1;
+ break;
+ case BL2_ID:
+ certs[BL2_CERT].bin = strdup(optarg);
+ break;
+ case BL30_ID:
+ certs[BL30_CERT].bin = strdup(optarg);
+ break;
+ case BL31_ID:
+ certs[BL31_CERT].bin = strdup(optarg);
+ break;
+ case BL32_ID:
+ certs[BL32_CERT].bin = strdup(optarg);
+ break;
+ case BL33_ID:
+ certs[BL33_CERT].bin = strdup(optarg);
+ break;
+ case BL2_CERT_ID:
+ certs[BL2_CERT].fn = strdup(optarg);
+ break;
+ case TRUSTED_KEY_CERT_ID:
+ certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
+ break;
+ case BL30_KEY_CERT_ID:
+ certs[BL30_KEY_CERT].fn = strdup(optarg);
+ break;
+ case BL30_CERT_ID:
+ certs[BL30_CERT].fn = strdup(optarg);
+ break;
+ case BL31_KEY_CERT_ID:
+ certs[BL31_KEY_CERT].fn = strdup(optarg);
+ break;
+ case BL31_CERT_ID:
+ certs[BL31_CERT].fn = strdup(optarg);
+ break;
+ case BL32_KEY_CERT_ID:
+ certs[BL32_KEY_CERT].fn = strdup(optarg);
+ break;
+ case BL32_CERT_ID:
+ certs[BL32_CERT].fn = strdup(optarg);
+ break;
+ case BL33_KEY_CERT_ID:
+ certs[BL33_KEY_CERT].fn = strdup(optarg);
+ break;
+ case BL33_CERT_ID:
+ certs[BL33_CERT].fn = strdup(optarg);
+ break;
+ case ROT_KEY_ID:
+ keys[ROT_KEY].fn = strdup(optarg);
+ break;
+ case TRUSTED_WORLD_KEY_ID:
+ keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
+ break;
+ case NON_TRUSTED_WORLD_KEY_ID:
+ keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
+ break;
+ case BL30_KEY_ID:
+ keys[BL30_KEY].fn = strdup(optarg);
+ break;
+ case BL31_KEY_ID:
+ keys[BL31_KEY].fn = strdup(optarg);
+ break;
+ case BL32_KEY_ID:
+ keys[BL32_KEY].fn = strdup(optarg);
+ break;
+ case BL33_KEY_ID:
+ keys[BL33_KEY].fn = strdup(optarg);
+ break;
+ case '?':
+ default:
+ printf("%s\n", optarg);
+ exit(1);
+ }
+ }
+
+ /* Set the value of the NVCounters */
+ tf_nvcounter = NVCOUNTER_VALUE;
+ non_tf_nvcounter = NVCOUNTER_VALUE;
+
+ /* Check command line arguments */
+ check_cmd_params();
+
+ /* Register the new types and OIDs for the extensions */
+ if (ext_init(tbb_ext) != 0) {
+ ERROR("Cannot initialize TBB extensions\n");
+ exit(1);
+ }
+
+ /* Get non-volatile counters NIDs */
+ CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
+ CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
+
+ /* Load private keys from files (or generate new ones) */
+ if (new_keys) {
+ for (i = 0 ; i < NUM_KEYS ; i++) {
+ if (!key_new(&keys[i])) {
+ ERROR("Error creating %s\n", keys[i].desc);
+ exit(1);
+ }
+ }
+ } else {
+ for (i = 0 ; i < NUM_KEYS ; i++) {
+ if (!key_load(&keys[i])) {
+ ERROR("Error loading %s\n", keys[i].desc);
+ exit(1);
+ }
+ }
+ }
+
+ /* *********************************************************************
+ * BL2 certificate (Trusted Boot Firmware certificate):
+ * - Self-signed with OEM ROT private key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - BL2 hash
+ **********************************************************************/
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+
+ /* Add the NVCounter as a critical extension */
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+
+ /* Add hash of BL2 as an extension */
+ if (!sha_file(certs[BL2_CERT].bin, md)) {
+ ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
+ exit(1);
+ }
+ CHECK_OID(hash_nid, BL2_HASH_OID);
+ CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+ SHA256_DIGEST_LENGTH));
+ sk_X509_EXTENSION_push(sk, hash_ext);
+
+ /* Create certificate. Signed with ROT key */
+ if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+
+ /* *********************************************************************
+ * Trusted Key certificate:
+ * - Self-signed with OEM ROT private key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - TrustedWorldPK
+ * - NonTrustedWorldPK
+ **********************************************************************/
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+ CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
+ CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
+ keys[TRUSTED_WORLD_KEY].key));
+ sk_X509_EXTENSION_push(sk, trusted_key_ext);
+ CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
+ CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
+ keys[NON_TRUSTED_WORLD_KEY].key));
+ sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
+ if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+
+ /* *********************************************************************
+ * BL30 Key certificate (Trusted SCP Firmware Key certificate):
+ * - Self-signed with Trusted World key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - SCPFirmwareContentCertPK
+ **********************************************************************/
+ if (bl30_present) {
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+ CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
+ CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
+ keys[BL30_KEY].key));
+ sk_X509_EXTENSION_push(sk, trusted_key_ext);
+ if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+ }
+
+ /* *********************************************************************
+ * BL30 certificate (SCP Firmware Content certificate):
+ * - Signed with Trusted World Key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - SCPFirmwareHash
+ **********************************************************************/
+ if (bl30_present) {
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+
+ if (!sha_file(certs[BL30_CERT].bin, md)) {
+ ERROR("Cannot calculate the hash of %s\n",
+ certs[BL30_CERT].bin);
+ exit(1);
+ }
+ CHECK_OID(hash_nid, BL30_HASH_OID);
+ CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+ SHA256_DIGEST_LENGTH));
+ sk_X509_EXTENSION_push(sk, hash_ext);
+
+ if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
+ exit(1);
+ }
+
+ sk_X509_EXTENSION_free(sk);
+ }
+
+ /* *********************************************************************
+ * BL31 Key certificate (Trusted SoC Firmware Key certificate):
+ * - Self-signed with Trusted World key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - SoCFirmwareContentCertPK
+ **********************************************************************/
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+ CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
+ CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
+ keys[BL31_KEY].key));
+ sk_X509_EXTENSION_push(sk, trusted_key_ext);
+ if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+
+ /* *********************************************************************
+ * BL31 certificate (SOC Firmware Content certificate):
+ * - Signed with Trusted World Key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - BL31 hash
+ **********************************************************************/
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+
+ if (!sha_file(certs[BL31_CERT].bin, md)) {
+ ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
+ exit(1);
+ }
+ CHECK_OID(hash_nid, BL31_HASH_OID);
+ CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+ SHA256_DIGEST_LENGTH));
+ sk_X509_EXTENSION_push(sk, hash_ext);
+
+ if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
+ exit(1);
+ }
+
+ sk_X509_EXTENSION_free(sk);
+
+ /* *********************************************************************
+ * BL32 Key certificate (Trusted OS Firmware Key certificate):
+ * - Self-signed with Trusted World key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - TrustedOSFirmwareContentCertPK
+ **********************************************************************/
+ if (bl32_present) {
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+ CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
+ CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
+ keys[BL32_KEY].key));
+ sk_X509_EXTENSION_push(sk, trusted_key_ext);
+ if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+ }
+
+ /* *********************************************************************
+ * BL32 certificate (TrustedOS Firmware Content certificate):
+ * - Signed with Trusted World Key
+ * - Extensions:
+ * - TrustedFirmwareNVCounter (TODO)
+ * - BL32 hash
+ **********************************************************************/
+ if (bl32_present) {
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
+ tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+
+ if (!sha_file(certs[BL32_CERT].bin, md)) {
+ ERROR("Cannot calculate the hash of %s\n",
+ certs[BL32_CERT].bin);
+ exit(1);
+ }
+ CHECK_OID(hash_nid, BL32_HASH_OID);
+ CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+ SHA256_DIGEST_LENGTH));
+ sk_X509_EXTENSION_push(sk, hash_ext);
+
+ if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
+ exit(1);
+ }
+
+ sk_X509_EXTENSION_free(sk);
+ }
+
+ /* *********************************************************************
+ * BL33 Key certificate (Non Trusted Firmware Key certificate):
+ * - Self-signed with Non Trusted World key
+ * - Extensions:
+ * - NonTrustedFirmwareNVCounter (TODO)
+ * - NonTrustedFirmwareContentCertPK
+ **********************************************************************/
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
+ non_tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+ CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
+ CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
+ keys[BL33_KEY].key));
+ sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
+ if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+
+ /* *********************************************************************
+ * BL33 certificate (Non-Trusted World Content certificate):
+ * - Signed with Non-Trusted World Key
+ * - Extensions:
+ * - NonTrustedFirmwareNVCounter (TODO)
+ * - BL33 hash
+ **********************************************************************/
+ CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
+ CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
+ non_tf_nvcounter));
+ sk_X509_EXTENSION_push(sk, nvctr_ext);
+
+ if (!sha_file(certs[BL33_CERT].bin, md)) {
+ ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
+ exit(1);
+ }
+ CHECK_OID(hash_nid, BL33_HASH_OID);
+ CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+ SHA256_DIGEST_LENGTH));
+ sk_X509_EXTENSION_push(sk, hash_ext);
+
+ if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
+ exit(1);
+ }
+ sk_X509_EXTENSION_free(sk);
+
+ /* Print the certificates */
+ if (print_cert) {
+ for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
+ if (!certs[i].x) {
+ continue;
+ }
+ printf("\n\n=====================================\n\n");
+ X509_print_fp(stdout, certs[i].x);
+ }
+ }
+
+ /* Save created certificates to files */
+ for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
+ if (certs[i].x && certs[i].fn) {
+ file = fopen(certs[i].fn, "w");
+ if (file != NULL) {
+ i2d_X509_fp(file, certs[i].x);
+ fclose(file);
+ } else {
+ ERROR("Cannot create file %s\n", certs[i].fn);
+ }
+ }
+ }
+
+ /* Save keys */
+ if (save_keys) {
+ for (i = 0 ; i < NUM_KEYS ; i++) {
+ if (!key_store(&keys[i])) {
+ ERROR("Cannot save %s\n", keys[i].desc);
+ }
+ }
+ }
+
+ X509_EXTENSION_free(hash_ext);
+ X509_EXTENSION_free(nvctr_ext);
+ X509_EXTENSION_free(trusted_key_ext);
+ X509_EXTENSION_free(non_trusted_key_ext);
+
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+#endif
+ CRYPTO_cleanup_all_ex_data();
+
+ return 0;
+}
diff --git a/tools/cert_create/src/sha.c b/tools/cert_create/src/sha.c
new file mode 100644
index 0000000..57026b5
--- /dev/null
+++ b/tools/cert_create/src/sha.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <openssl/sha.h>
+
+#include "debug.h"
+
+#define BUFFER_SIZE 256
+
+int sha_file(const char *filename, unsigned char *md)
+{
+ FILE *inFile;
+ SHA256_CTX shaContext;
+ int bytes;
+ unsigned char data[BUFFER_SIZE];
+
+ if ((filename == NULL) || (md == NULL)) {
+ ERROR("%s(): NULL argument\n", __FUNCTION__);
+ return 0;
+ }
+
+ inFile = fopen(filename, "rb");
+ if (inFile == NULL) {
+ ERROR("Cannot read %s\n", filename);
+ return 0;
+ }
+
+ SHA256_Init(&shaContext);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA256_Update(&shaContext, data, bytes);
+ }
+ SHA256_Final(md, &shaContext);
+
+ fclose(inFile);
+ return 1;
+}
diff --git a/tools/cert_create/src/tbb_cert.c b/tools/cert_create/src/tbb_cert.c
new file mode 100644
index 0000000..8dfda60
--- /dev/null
+++ b/tools/cert_create/src/tbb_cert.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "tbb_cert.h"
+#include "tbb_key.h"
+
+/*
+ * Certificates used in the chain of trust
+ *
+ * The order of the certificates must follow the enumeration specified in
+ * tbb_cert.h. All certificates are self-signed.
+ */
+cert_t certs[NUM_CERTIFICATES] = {
+ {
+ .id = BL2_CERT,
+ .fn = NULL,
+ .cn = "BL2 Certificate",
+ .key = &keys[ROT_KEY],
+ .issuer = &certs[BL2_CERT],
+ },
+ {
+ .id = TRUSTED_KEY_CERT,
+ .fn = NULL,
+ .cn = "Trusted Key Certificate",
+ .key = &keys[ROT_KEY],
+ .issuer = &certs[TRUSTED_KEY_CERT],
+ },
+ {
+ .id = BL30_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-0 Key Certificate",
+ .key = &keys[TRUSTED_WORLD_KEY],
+ .issuer = &certs[BL30_KEY_CERT],
+ },
+ {
+ .id = BL30_CERT,
+ .fn = NULL,
+ .cn = "BL3-0 Content Certificate",
+ .key = &keys[BL30_KEY],
+ .issuer = &certs[BL30_CERT],
+ },
+ {
+ .id = BL31_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-1 Key Certificate",
+ .key = &keys[TRUSTED_WORLD_KEY],
+ .issuer = &certs[BL31_KEY_CERT],
+ },
+ {
+ .id = BL31_CERT,
+ .fn = NULL,
+ .cn = "BL3-1 Content Certificate",
+ .key = &keys[BL31_KEY],
+ .issuer = &certs[BL31_CERT],
+ },
+ {
+ .id = BL32_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-2 Key Certificate",
+ .key = &keys[TRUSTED_WORLD_KEY],
+ .issuer = &certs[BL32_KEY_CERT],
+ },
+ {
+ .id = BL32_CERT,
+ .fn = NULL,
+ .cn = "BL3-2 Content Certificate",
+ .key = &keys[BL32_KEY],
+ .issuer = &certs[BL32_CERT],
+ },
+ {
+ .id = BL33_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-3 Key Certificate",
+ .key = &keys[NON_TRUSTED_WORLD_KEY],
+ .issuer = &certs[BL33_KEY_CERT],
+ },
+ {
+ .id = BL33_CERT,
+ .fn = NULL,
+ .cn = "BL3-3 Content Certificate",
+ .key = &keys[BL33_KEY],
+ .issuer = &certs[BL33_CERT],
+ }
+};
diff --git a/tools/cert_create/src/tbb_ext.c b/tools/cert_create/src/tbb_ext.c
new file mode 100644
index 0000000..0022611
--- /dev/null
+++ b/tools/cert_create/src/tbb_ext.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+#include "ext.h"
+#include "platform_oid.h"
+
+ext_t tbb_ext[] = {
+ {
+ .oid = TZ_FW_NVCOUNTER_OID,
+ .sn = "TrustedNvCounter",
+ .ln = "Non-volatile trusted counter",
+ .type = V_ASN1_INTEGER
+ },
+ {
+ .oid = NTZ_FW_NVCOUNTER_OID,
+ .sn = "NonTrustedNvCounter",
+ .ln = "Non-volatile non-trusted counter",
+ .type = V_ASN1_INTEGER
+ },
+ {
+ .oid = BL2_HASH_OID,
+ .sn = "TrustedBootFirmwareHash",
+ .ln = "Trusted Boot Firmware (BL2) hash (SHA256)",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = TZ_WORLD_PK_OID,
+ .sn = "TrustedWorldPublicKey",
+ .ln = "Trusted World Public Key",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = NTZ_WORLD_PK_OID,
+ .sn = "NonTrustedWorldPublicKey",
+ .ln = "Non-Trusted World Public Key",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL31_CONTENT_CERT_PK_OID,
+ .sn = "SoCFirmwareContentCertPK",
+ .ln = "SoC Firmware content certificate public key",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL31_HASH_OID,
+ .sn = "APROMPatchHash",
+ .ln = "AP ROM patch hash",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL30_CONTENT_CERT_PK_OID,
+ .sn = "SCPFirmwareContentCertPK",
+ .ln = "SCP Firmware content certificate public key",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL30_HASH_OID,
+ .sn = "SCPFirmwareHash",
+ .ln = "SCP Firmware (BL30) hash (SHA256)",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL32_CONTENT_CERT_PK_OID,
+ .sn = "TrustedOSFirmwareContentCertPK",
+ .ln = "Trusted OS Firmware content certificate public key",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL32_HASH_OID,
+ .sn = "TrustedOSHash",
+ .ln = "Trusted OS (BL32) hash (SHA256)",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL33_CONTENT_CERT_PK_OID,
+ .sn = "NonTrustedFirmwareContentCertPK",
+ .ln = "Non-Trusted Firmware content certificate public key",
+ .type = V_ASN1_OCTET_STRING
+ },
+ {
+ .oid = BL33_HASH_OID,
+ .sn = "NonTrustedWorldBootloaderHash",
+ .ln = "Non-Trusted World (BL33) hash (SHA256)",
+ .type = V_ASN1_OCTET_STRING
+ },
+ { 0, 0, 0, 0 }
+};
diff --git a/tools/cert_create/src/tbb_key.c b/tools/cert_create/src/tbb_key.c
new file mode 100644
index 0000000..140aeda
--- /dev/null
+++ b/tools/cert_create/src/tbb_key.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "tbb_key.h"
+
+/*
+ * Keys used to establish the chain of trust
+ *
+ * The order of the keys must follow the enumeration specified in tbb_key.h
+ */
+key_t keys[NUM_KEYS] = {
+ {
+ .id = ROT_KEY,
+ .desc = "Root Of Trust key"
+ },
+ {
+ .id = TRUSTED_WORLD_KEY,
+ .desc = "Trusted World key"
+ },
+ {
+ .id = NON_TRUSTED_WORLD_KEY,
+ .desc = "Non Trusted World key"
+ },
+ {
+ .id = BL30_KEY,
+ .desc = "BL30 key"
+ },
+ {
+ .id = BL31_KEY,
+ .desc = "BL31 key"
+ },
+ {
+ .id = BL32_KEY,
+ .desc = "BL32 key"
+ },
+ {
+ .id = BL33_KEY,
+ .desc = "BL33 key"
+ }
+};