Merge changes from topic "cca_dtb" into integration
* changes:
docs(fconf): update bindings for multi-RoT CoTs
feat(fconf): support signing-key in root cert node
diff --git a/docs/components/cot-binding.rst b/docs/components/cot-binding.rst
index 4f8c8b7..702bb56 100644
--- a/docs/components/cot-binding.rst
+++ b/docs/components/cot-binding.rst
@@ -67,14 +67,16 @@
- signing-key
Usage:
- This property is used to refer public key node present in
- parent certificate node and it is required property for all
- non-root certificates which are authenticated using public-key
- present in parent certificate.
+ For non-root certificates, this property is used to refer
+ public key node present in parent certificate node and it is
+ required property for all non-root certificates which are
+ authenticated using public-key present in parent certificate.
- This property is not required for root-certificates
- as root-certificates are validated using root of trust
- public key provided by platform.
+ This property is not required for all root-certificates. If
+ omitted, the root certificate will be validated using the
+ default platform ROTPK. If instead the root certificate needs
+ validating using a different ROTPK, the signing-key property
+ should provide a reference to the ROTPK node to use.
Value type: <phandle>
@@ -323,10 +325,50 @@
};
};
+rot_keys node binding definition
+---------------------------------
+
+- rot_keys node
+ Description: Contains root-of-trust keys for the root certificates.
+
+ SUBNODES
+ - Description:
+
+ Root of trust key information present in the root certificates
+ are shown by these nodes.
+
+ - rot key node
+ Description: Provide ROT key information in the certificate.
+
+ PROPERTIES
+
+ - oid
+ Usage:
+
+ This property provides the Object ID of ROT key provided
+ in the certificate.
+
+ Value type: <string>
+
+Example:
+Below is rot_keys example for CCA platform
+
+.. code:: c
+
+ rot_keys {
+ swd_rot_pk: swd_rot_pk {
+ oid = SWD_ROT_PK_OID;
+ };
+
+ prot_pk: prot_pk {
+ oid = PROT_PK_OID;
+ };
+ };
+
Future update to chain of trust binding
---------------------------------------
This binding document needs to be revisited to generalise some terminologies
which are currently specific to X.509 certificates for e.g. Object IDs.
-*Copyright (c) 2020, Arm Limited. All rights reserved.*
+*Copyright (c) 2020-2024, Arm Limited. All rights reserved.*
diff --git a/lib/fconf/fconf_cot_getter.c b/lib/fconf/fconf_cot_getter.c
index 1033018..b9bc9de 100644
--- a/lib/fconf/fconf_cot_getter.c
+++ b/lib/fconf/fconf_cot_getter.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -237,13 +237,17 @@
* verified by signature and images are verified by hash.
*/
if (type == IMG_CERT) {
- if (root_certificate) {
- oid = NULL;
- } else {
- rc = get_oid(dtb, node, "signing-key", &oid);
- if (rc < 0) {
+ rc = get_oid(dtb, node, "signing-key", &oid);
+ if (rc < 0) {
+ /*
+ * The signing-key property is optional in root
+ * certificates, mandatory otherwise.
+ */
+ if (root_certificate) {
+ oid = NULL;
+ } else {
ERROR("FCONF: Can't read %s property\n",
- "signing-key");
+ "signing-key");
return rc;
}
}