feat(arm): use provided algs for (swd/p)rotpk
No longer hard code SHA-256 hashed rsa dev keys,
now the keys can use pair of key alg: rsa, p256, p384
and hash alg: sha256, sha384, sha512.
All public keys are now generated at build-time from the dev
keys.
Change-Id: I669438b7d1cd319962c4a135bb0e204e44d7447e
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
diff --git a/plat/arm/board/common/board_common.mk b/plat/arm/board/common/board_common.mk
index 567fe2a..124a44b 100644
--- a/plat/arm/board/common/board_common.mk
+++ b/plat/arm/board/common/board_common.mk
@@ -92,50 +92,73 @@
BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c \
${ARM_ROTPK_S}
+ifeq ($(CRYPTO_ALG), ec)
+ifeq ($(KEY_SIZE), 384)
+ARM_PROT_KEY := plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem
+ARM_SWD_ROT_KEY := plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem
+else
+ARM_PROT_KEY := plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem
+ARM_SWD_ROT_KEY := plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem
+endif
+else
+ARM_PROT_KEY := plat/arm/board/common/protpk/arm_protprivk_rsa.pem
+ARM_SWD_ROT_KEY := plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_rsa.pem
+endif
+
# Allows platform code to provide implementation variants depending on the
# selected chain of trust.
$(eval $(call add_define,ARM_COT_${COT}))
ifeq (${COT},dualroot)
# Platform Root of Trust key files.
-ARM_PROT_KEY := plat/arm/board/common/protpk/arm_protprivk_rsa.pem
-ARM_PROTPK_HASH := plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
+ARM_PROTPK := $(BUILD_PLAT)/arm_protpk.bin
# Provide the private key to cert_create tool. It needs it to sign the images.
PROT_KEY := ${ARM_PROT_KEY}
-$(eval $(call add_define_val,ARM_PROTPK_HASH,'"$(ARM_PROTPK_HASH)"'))
+$(eval $(call add_define_val,ARM_PROTPK,'"$(ARM_PROTPK)"'))
BL1_SOURCES += plat/arm/board/common/protpk/arm_dev_protpk.S
BL2_SOURCES += plat/arm/board/common/protpk/arm_dev_protpk.S
-$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
-$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
+$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK)
+$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK)
endif
ifeq (${COT},cca)
# Platform and Secure World Root of Trust key files.
-ARM_PROT_KEY := plat/arm/board/common/protpk/arm_protprivk_rsa.pem
-ARM_PROTPK_HASH := plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
-ARM_SWD_ROT_KEY := plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_rsa.pem
-ARM_SWD_ROTPK_HASH := plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
+ARM_PROTPK := $(BUILD_PLAT)/arm_protpk.bin
+ARM_SWD_ROTPK := $(BUILD_PLAT)/arm_swd_rotpk.bin
# Provide the private keys to cert_create tool. It needs them to sign the images.
PROT_KEY := ${ARM_PROT_KEY}
SWD_ROT_KEY := ${ARM_SWD_ROT_KEY}
-$(eval $(call add_define_val,ARM_PROTPK_HASH,'"$(ARM_PROTPK_HASH)"'))
-$(eval $(call add_define_val,ARM_SWD_ROTPK_HASH,'"$(ARM_SWD_ROTPK_HASH)"'))
+$(eval $(call add_define_val,ARM_PROTPK,'"$(ARM_PROTPK)"'))
+$(eval $(call add_define_val,ARM_SWD_ROTPK,'"$(ARM_SWD_ROTPK)"'))
BL1_SOURCES += plat/arm/board/common/protpk/arm_dev_protpk.S \
plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
BL2_SOURCES += plat/arm/board/common/protpk/arm_dev_protpk.S \
plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
-$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
-$(BUILD_PLAT)/bl1/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK_HASH)
-$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
-$(BUILD_PLAT)/bl2/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK_HASH)
+$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK)
+$(BUILD_PLAT)/bl1/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK)
+$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK)
+$(BUILD_PLAT)/bl2/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK)
endif
+$(ARM_PROTPK): $(ARM_PROT_KEY)
+ifndef ARM_PROT_KEY
+ $(error Cannot generate hash: no PROT_KEY defined)
+endif
+ ${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in ${ARM_PROT_KEY} -pubout -outform DER | \
+ ${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@
+
+$(ARM_SWD_ROTPK): $(ARM_SWD_ROT_KEY)
+ifndef ARM_SWD_ROT_KEY
+ $(error Cannot generate hash: no SWD_KEY defined)
+endif
+ ${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in ${ARM_SWD_ROT_KEY} -pubout -outform DER | \
+ ${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@
endif
diff --git a/plat/arm/board/common/protpk/README b/plat/arm/board/common/protpk/README
index 3aca180..15a0a9a 100644
--- a/plat/arm/board/common/protpk/README
+++ b/plat/arm/board/common/protpk/README
@@ -6,9 +6,12 @@
openssl genrsa 2048 > arm_protprivk_rsa.pem
-* arm_protpk_rsa_sha256.bin is the SHA-256 hash of the DER-encoded public key
- associated with the above private key. It has been generated using the openssl
- command line tool:
+* arm_protprivk_ecdsa.pem is a P-256 ECSA private key in PEM format. It has been
+ generated using the openssl command line tool:
+
+ openssl ecparam -name prime256v1 -genkey -outform PEM -noout -out arm_protprivk_ecdsa.pem
+
+* arm_protprivk_ecdsa_secp384r1.pem is a P-384 ECSA private key in PEM format. It has been
+ generated using the openssl command line tool:
- openssl rsa -in arm_protprivk_rsa.pem -pubout -outform DER | \
- openssl dgst -sha256 -binary > arm_protpk_rsa_sha256.bin
+ openssl ecparam -name secp384r1 -genkey -outform PEM -noout -out arm_protprivk_ecdsa_secp384r1.pem
\ No newline at end of file
diff --git a/plat/arm/board/common/protpk/arm_dev_protpk.S b/plat/arm/board/common/protpk/arm_dev_protpk.S
index 2688cbb..79b8c36 100644
--- a/plat/arm/board/common/protpk/arm_dev_protpk.S
+++ b/plat/arm/board/common/protpk/arm_dev_protpk.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -9,10 +9,31 @@
.section .rodata.arm_protpk_hash, "a"
+/*
+* The protpk header is dependent only on the algorithm used to
+* generate the hash.
+* ASN1_HASH_ALG is the last byte used to encode the OID for
+* the hash algorithm into the header,
+* this byte distinguishes between SHA256, SHA384 and SHA512.
+*/
+.equ HASH_ASN1_LEN, ARM_ROTPK_HASH_LEN
+#if ARM_ROTPK_HASH_LEN == 48
+ .equ ASN1_HASH_ALG, 0x02
+ .equ TOTAL_ASN1_LEN, 0x41
+#elif ARM_ROTPK_HASH_LEN == 64
+ .equ ASN1_HASH_ALG, 0x03
+ .equ TOTAL_ASN1_LEN, 0x51
+#elif ARM_ROTPK_HASH_LEN == 32
+ .equ ASN1_HASH_ALG, 0x01
+ .equ TOTAL_ASN1_LEN, 0x31
+#else
+ .error "Invalid PROTPK hash length."
+#endif
+
arm_protpk_hash:
/* DER header. */
- .byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
- .byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+ .byte 0x30, TOTAL_ASN1_LEN, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
+ .byte 0x01, 0x65, 0x03, 0x04, 0x02, ASN1_HASH_ALG, 0x05, 0x00, 0x04, HASH_ASN1_LEN
/* Key hash. */
- .incbin ARM_PROTPK_HASH
+ .incbin ARM_PROTPK
arm_protpk_hash_end:
diff --git a/plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin b/plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
deleted file mode 100644
index 587da66..0000000
--- a/plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
+++ /dev/null
@@ -1 +0,0 @@
-�ó6��{W*
`�tíve×·§è£� ¾PÆK{9
\ No newline at end of file
diff --git a/plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem b/plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem
new file mode 100644
index 0000000..5888e10
--- /dev/null
+++ b/plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILviumKhnibRT6+73/WOURk8lCxu/AHRQVcbCn/nGAr8oAoGCCqGSM49
+AwEHoUQDQgAE2HPZeAd+P8kZKHcCMfNUE+MlZSKJV360gYYC1JEdogyYztJ/QbKj
+26CZijUU/He2b9kkCOpZoJp3UuMRlsQE4Q==
+-----END EC PRIVATE KEY-----
diff --git a/plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem b/plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem
new file mode 100644
index 0000000..d9db645
--- /dev/null
+++ b/plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCn+L3kRlvrZKnemt8aDOH+ujwuhpdwAM2ZxacxudJPy5qrWCjXGIh1
+gOAMHlGESySgBwYFK4EEACKhZANiAASM5exqdUZi0msFLGi42bIMW7FPqWsJ8YmL
+scDkI6BUYRoP0V4XZWB7NOjP6y/tm5Uwid9q25QTlhNKUo5qki1YH3T6unHuylWN
+63KRHQLOaXCXZqhMhT0wccg0gG3hs+0=
+-----END EC PRIVATE KEY-----
diff --git a/plat/arm/board/common/swd_rotpk/README b/plat/arm/board/common/swd_rotpk/README
index b628a5f..18fea4c 100644
--- a/plat/arm/board/common/swd_rotpk/README
+++ b/plat/arm/board/common/swd_rotpk/README
@@ -6,9 +6,12 @@
openssl genrsa 2048 > arm_swd_rotprivk_rsa.pem
-* swd_rotpk_rsa_sha256.bin is the SHA-256 hash of the DER-encoded public key
- associated with the above private key. It has been generated using the openssl
- command line tool:
+* arm_swd_rotprivk_ecdsa.pem is a P-256 ECSA private key in PEM format. It has been
+ generated using the openssl command line tool:
+
+ openssl ecparam -name prime256v1 -genkey -outform PEM -noout -out arm_swd_rotprivk_ecdsa.pem
+
+* arm_swd_rotprivk_ecdsa_secp384r1.pem is a P-384 ECSA private key in PEM format. It has been
+ generated using the openssl command line tool:
- openssl rsa -in arm_swd_rotprivk_rsa.pem -pubout -outform DER | \
- openssl dgst -sha256 -binary > arm_swd_rotpk_rsa_sha256.bin
+ openssl ecparam -name secp384r1 -genkey -outform PEM -noout -out arm_swd_rotprivk_ecdsa_secp384r1.pem
diff --git a/plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S b/plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
index ae4f9d2..2056bbe 100644
--- a/plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
+++ b/plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -9,10 +9,31 @@
.section .rodata.arm_swd_rotpk_hash, "a"
+/*
+* The swd_roptpk header is dependent only on the algorithm used to
+* generate the hash.
+* ASN1_HASH_ALG is the last byte used to encode the OID for
+* the hash algorithm into the header,
+* this byte distinguishes between SHA256, SHA384 and SHA512.
+*/
+.equ HASH_ASN1_LEN, ARM_ROTPK_HASH_LEN
+#if ARM_ROTPK_HASH_LEN == 48
+ .equ ASN1_HASH_ALG, 0x02
+ .equ TOTAL_ASN1_LEN, 0x41
+#elif ARM_ROTPK_HASH_LEN == 64
+ .equ ASN1_HASH_ALG, 0x03
+ .equ TOTAL_ASN1_LEN, 0x51
+#elif ARM_ROTPK_HASH_LEN == 32
+ .equ ASN1_HASH_ALG, 0x01
+ .equ TOTAL_ASN1_LEN, 0x31
+#else
+ .error "Invalid SWD_ROTPK hash length."
+#endif
+
arm_swd_rotpk_hash:
/* DER header. */
- .byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
- .byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+ .byte 0x30, TOTAL_ASN1_LEN, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
+ .byte 0x01, 0x65, 0x03, 0x04, 0x02, ASN1_HASH_ALG, 0x05, 0x00, 0x04, HASH_ASN1_LEN
/* Key hash. */
- .incbin ARM_SWD_ROTPK_HASH
+ .incbin ARM_SWD_ROTPK
arm_swd_rotpk_hash_end:
diff --git a/plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin b/plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
deleted file mode 100644
index b2f3e60..0000000
--- a/plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
+++ /dev/null
@@ -1 +0,0 @@
-�0¾âÃ�æ�ÈË��(ì¨0wIÓÕ�éã¡g�k
\ No newline at end of file
diff --git a/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem b/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem
new file mode 100644
index 0000000..be40565
--- /dev/null
+++ b/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFmIjAPUmyqDfKXT+kKRMvyFzQfaZekczIzSPfLeQUGyoAoGCCqGSM49
+AwEHoUQDQgAEtZB8OrBV7hPl+lBrc5ypKetwGsUi+SpTK8OoMw0GwA17rGDYdBTV
+JK2ttZNtCsGzlDrXeHu6bcTmrleMdW9NdQ==
+-----END EC PRIVATE KEY-----
diff --git a/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem b/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem
new file mode 100644
index 0000000..14ad7f7
--- /dev/null
+++ b/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDC348NhWsLI30vzJnWofKae6t3S6YIb5rdLEJSUyI9XwKj8FyJO8N3G
+DNgvVBwk4NigBwYFK4EEACKhZANiAARodLWP/EGH7/SrImvwDJr1zACOrh8acVH/
+eymfvZW2af4DPRMPyUC5Ftzv6NwGz6yPzBbAg9+qDgLgO7cqwXOwVON+hAU+ECEZ
+3AIQ7zLDfnXcfNz8dv1kwkwhfDJeQCs=
+-----END EC PRIVATE KEY-----