blob: 658b81c29bdc114778ae013e1a659e567c985c0b [file] [log] [blame]
/*
* Copyright (c) 2022-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include "cca/cca_cot.h"
#include <cca_oid.h>
#include "cert.h"
#include "ext.h"
#include "key.h"
/*
* Certificates used in the chain of trust.
*
* All certificates are self-signed so the issuer certificate field points to
* itself.
*/
static cert_t cot_certs[] = {
[CCA_CONTENT_CERT] = {
.id = CCA_CONTENT_CERT,
.opt = "cca-cert",
.help_msg = "CCA Content Certificate (output file)",
.cn = "CCA Content Certificate",
.key = ROT_KEY,
.issuer = CCA_CONTENT_CERT,
.ext = {
CCA_FW_NVCOUNTER_EXT,
SOC_AP_FW_HASH_EXT,
SOC_FW_CONFIG_HASH_EXT,
RMM_HASH_EXT,
TRUSTED_BOOT_FW_HASH_EXT,
TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
HW_CONFIG_HASH_EXT,
FW_CONFIG_HASH_EXT,
},
.num_ext = 8
},
[CORE_SWD_KEY_CERT] = {
.id = CORE_SWD_KEY_CERT,
.opt = "core-swd-cert",
.help_msg = "Core Secure World Key Certificate (output file)",
.cn = "Core Secure World Key Certificate",
.key = SWD_ROT_KEY,
.issuer = CORE_SWD_KEY_CERT,
.ext = {
TRUSTED_FW_NVCOUNTER_EXT,
SWD_ROT_PK_EXT,
CORE_SWD_PK_EXT,
},
.num_ext = 3
},
[SPMC_CONTENT_CERT] = {
.id = SPMC_CONTENT_CERT,
.opt = "tos-fw-cert",
.help_msg = "SPMC Content Certificate (output file)",
.cn = "SPMC Content Certificate",
.key = CORE_SWD_KEY,
.issuer = SPMC_CONTENT_CERT,
.ext = {
TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_OS_FW_HASH_EXT,
TRUSTED_OS_FW_CONFIG_HASH_EXT,
},
.num_ext = 3
},
[SIP_SECURE_PARTITION_CONTENT_CERT] = {
.id = SIP_SECURE_PARTITION_CONTENT_CERT,
.opt = "sip-sp-cert",
.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
.cn = "SiP owned Secure Partition Content Certificate",
.key = CORE_SWD_KEY,
.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
.ext = {
TRUSTED_FW_NVCOUNTER_EXT,
SP_PKG1_HASH_EXT,
SP_PKG2_HASH_EXT,
SP_PKG3_HASH_EXT,
SP_PKG4_HASH_EXT,
},
.num_ext = 5
},
[PLAT_KEY_CERT] = {
.id = PLAT_KEY_CERT,
.opt = "plat-key-cert",
.help_msg = "Platform Key Certificate (output file)",
.cn = "Platform Key Certificate",
.key = PROT_KEY,
.issuer = PLAT_KEY_CERT,
.ext = {
NON_TRUSTED_FW_NVCOUNTER_EXT,
PROT_PK_EXT,
PLAT_PK_EXT,
},
.num_ext = 3
},
[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
.opt = "plat-sp-cert",
.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
.cn = "Platform owned Secure Partition Content Certificate",
.key = PLAT_KEY,
.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
.ext = {
NON_TRUSTED_FW_NVCOUNTER_EXT,
SP_PKG5_HASH_EXT,
SP_PKG6_HASH_EXT,
SP_PKG7_HASH_EXT,
SP_PKG8_HASH_EXT,
},
.num_ext = 5
},
[NON_TRUSTED_FW_CONTENT_CERT] = {
.id = NON_TRUSTED_FW_CONTENT_CERT,
.opt = "nt-fw-cert",
.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
.cn = "Non-Trusted Firmware Content Certificate",
.key = PLAT_KEY,
.issuer = NON_TRUSTED_FW_CONTENT_CERT,
.ext = {
NON_TRUSTED_FW_NVCOUNTER_EXT,
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
NON_TRUSTED_FW_CONFIG_HASH_EXT,
},
.num_ext = 3
},
};
REGISTER_COT(cot_certs);
/* Certificate extensions. */
static ext_t cot_ext[] = {
[CCA_FW_NVCOUNTER_EXT] = {
.oid = CCA_FW_NVCOUNTER_OID,
.opt = "ccafw-nvctr",
.help_msg = "CCA Firmware Non-Volatile counter value",
.sn = "CCANVCounter",
.ln = "CCA Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
.attr.nvctr_type = NVCTR_TYPE_CCAFW
},
[TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = TRUSTED_FW_NVCOUNTER_OID,
.opt = "tfw-nvctr",
.help_msg = "Trusted Firmware Non-Volatile counter value",
.sn = "TrustedWorldNVCounter",
.ln = "Trusted World Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
.attr.nvctr_type = NVCTR_TYPE_TFW
},
[TRUSTED_BOOT_FW_HASH_EXT] = {
.oid = TRUSTED_BOOT_FW_HASH_OID,
.opt = "tb-fw",
.help_msg = "Trusted Boot Firmware image file",
.sn = "TrustedBootFirmwareHash",
.ln = "Trusted Boot Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
.opt = "tb-fw-config",
.help_msg = "Trusted Boot Firmware Config file",
.sn = "TrustedBootFirmwareConfigHash",
.ln = "Trusted Boot Firmware Config hash",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[HW_CONFIG_HASH_EXT] = {
.oid = HW_CONFIG_HASH_OID,
.opt = "hw-config",
.help_msg = "HW Config file",
.sn = "HWConfigHash",
.ln = "HW Config hash",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[FW_CONFIG_HASH_EXT] = {
.oid = FW_CONFIG_HASH_OID,
.opt = "fw-config",
.help_msg = "Firmware Config file",
.sn = "FirmwareConfigHash",
.ln = "Firmware Config hash",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SWD_ROT_PK_EXT] = {
.oid = SWD_ROT_PK_OID,
.sn = "SWDRoTKey",
.ln = "Secure World Root of Trust Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.attr.key = SWD_ROT_KEY
},
[CORE_SWD_PK_EXT] = {
.oid = CORE_SWD_PK_OID,
.sn = "CORESWDKey",
.ln = "Core Secure World Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.attr.key = CORE_SWD_KEY
},
[SOC_AP_FW_HASH_EXT] = {
.oid = SOC_AP_FW_HASH_OID,
.opt = "soc-fw",
.help_msg = "SoC AP Firmware image file",
.sn = "SoCAPFirmwareHash",
.ln = "SoC AP Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[SOC_FW_CONFIG_HASH_EXT] = {
.oid = SOC_FW_CONFIG_HASH_OID,
.opt = "soc-fw-config",
.help_msg = "SoC Firmware Config file",
.sn = "SocFirmwareConfigHash",
.ln = "SoC Firmware Config hash",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[RMM_HASH_EXT] = {
.oid = RMM_HASH_OID,
.opt = "rmm-fw",
.help_msg = "RMM Firmware image file",
.sn = "RMMFirmwareHash",
.ln = "RMM Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[TRUSTED_OS_FW_HASH_EXT] = {
.oid = TRUSTED_OS_FW_HASH_OID,
.opt = "tos-fw",
.help_msg = "Trusted OS image file",
.sn = "TrustedOSHash",
.ln = "Trusted OS hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
.opt = "tos-fw-config",
.help_msg = "Trusted OS Firmware Config file",
.sn = "TrustedOSFirmwareConfigHash",
.ln = "Trusted OS Firmware Config hash",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG1_HASH_EXT] = {
.oid = SP_PKG1_HASH_OID,
.opt = "sp-pkg1",
.help_msg = "Secure Partition Package1 file",
.sn = "SPPkg1Hash",
.ln = "SP Pkg1 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG2_HASH_EXT] = {
.oid = SP_PKG2_HASH_OID,
.opt = "sp-pkg2",
.help_msg = "Secure Partition Package2 file",
.sn = "SPPkg2Hash",
.ln = "SP Pkg2 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG3_HASH_EXT] = {
.oid = SP_PKG3_HASH_OID,
.opt = "sp-pkg3",
.help_msg = "Secure Partition Package3 file",
.sn = "SPPkg3Hash",
.ln = "SP Pkg3 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG4_HASH_EXT] = {
.oid = SP_PKG4_HASH_OID,
.opt = "sp-pkg4",
.help_msg = "Secure Partition Package4 file",
.sn = "SPPkg4Hash",
.ln = "SP Pkg4 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[PROT_PK_EXT] = {
.oid = PROT_PK_OID,
.sn = "PlatformRoTKey",
.ln = "Platform Root of Trust Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.attr.key = PROT_KEY
},
[PLAT_PK_EXT] = {
.oid = PLAT_PK_OID,
.sn = "PLATKey",
.ln = "Platform Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.attr.key = PLAT_KEY
},
[SP_PKG5_HASH_EXT] = {
.oid = SP_PKG5_HASH_OID,
.opt = "sp-pkg5",
.help_msg = "Secure Partition Package5 file",
.sn = "SPPkg5Hash",
.ln = "SP Pkg5 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG6_HASH_EXT] = {
.oid = SP_PKG6_HASH_OID,
.opt = "sp-pkg6",
.help_msg = "Secure Partition Package6 file",
.sn = "SPPkg6Hash",
.ln = "SP Pkg6 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG7_HASH_EXT] = {
.oid = SP_PKG7_HASH_OID,
.opt = "sp-pkg7",
.help_msg = "Secure Partition Package7 file",
.sn = "SPPkg7Hash",
.ln = "SP Pkg7 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG8_HASH_EXT] = {
.oid = SP_PKG8_HASH_OID,
.opt = "sp-pkg8",
.help_msg = "Secure Partition Package8 file",
.sn = "SPPkg8Hash",
.ln = "SP Pkg8 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
.opt = "ntfw-nvctr",
.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
.sn = "NormalWorldNVCounter",
.ln = "Non-Trusted Firmware Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
.attr.nvctr_type = NVCTR_TYPE_NTFW
},
[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
.opt = "nt-fw",
.help_msg = "Non-Trusted World Bootloader image file",
.sn = "NonTrustedWorldBootloaderHash",
.ln = "Non-Trusted World hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
.opt = "nt-fw-config",
.help_msg = "Non Trusted OS Firmware Config file",
.sn = "NonTrustedOSFirmwareConfigHash",
.ln = "Non-Trusted OS Firmware Config hash",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
};
REGISTER_EXTENSIONS(cot_ext);
/* Keys used to establish the chain of trust. */
static cert_key_t cot_keys[] = {
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
.help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[SWD_ROT_KEY] = {
.id = SWD_ROT_KEY,
.opt = "swd-rot-key",
.help_msg = "Secure World Root of Trust key file or PKCS11 URI",
.desc = "Secure World Root of Trust key"
},
[CORE_SWD_KEY] = {
.id = CORE_SWD_KEY,
.opt = "core-swd-key",
.help_msg = "Core Secure World key file or PKCS11 URI",
.desc = "Core Secure World key"
},
[PROT_KEY] = {
.id = PROT_KEY,
.opt = "prot-key",
.help_msg = "Platform Root of Trust key file or PKCS11 URI",
.desc = "Platform Root of Trust key"
},
[PLAT_KEY] = {
.id = PLAT_KEY,
.opt = "plat-key",
.help_msg = "Platform key file or PKCS11 URI",
.desc = "Platform key"
},
};
REGISTER_KEYS(cot_keys);