cert_create: updated tool for platform defined certs, keys & extensions

Changes to 'tools/cert_create' folder, to include platform defined
certificates, keys, and extensions.

NXP SoC lx2160a-based platforms require an additional
FIP DDR image to be loaded before initializing the DDR.

To enable chain of trust on these platforms, FIP DDR
image needs to be authenticated, additionally.

Platform specific folder 'tools/nxp/cert_create_helper'
is added to support platform specific macros and definitions.

Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
diff --git a/tools/nxp/cert_create_helper/cert_create_tbbr.mk b/tools/nxp/cert_create_helper/cert_create_tbbr.mk
new file mode 100644
index 0000000..e3b2e91
--- /dev/null
+++ b/tools/nxp/cert_create_helper/cert_create_tbbr.mk
@@ -0,0 +1,31 @@
+#
+# Copyright 2021 NXP
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+# Compile time defines used by NXP platforms
+
+PLAT_DEF_OID := yes
+
+ifeq (${PLAT_DEF_OID},yes)
+
+$(eval $(call add_define, PLAT_DEF_OID))
+$(eval $(call add_define, PDEF_KEYS))
+$(eval $(call add_define, PDEF_CERTS))
+$(eval $(call add_define, PDEF_EXTS))
+
+
+INC_DIR += -I../../plat/nxp/common/fip_handler/common/
+
+PDEF_CERT_TOOL_PATH		:=	../nxp/cert_create_helper
+PLAT_INCLUDE			+=	-I${PDEF_CERT_TOOL_PATH}/include
+
+PLAT_OBJECTS			+=	${PDEF_CERT_TOOL_PATH}/src/pdef_tbb_cert.o \
+					${PDEF_CERT_TOOL_PATH}/src/pdef_tbb_ext.o \
+					${PDEF_CERT_TOOL_PATH}/src/pdef_tbb_key.o
+
+$(shell rm ${PLAT_OBJECTS})
+
+OBJECTS				+= ${PLAT_OBJECTS}
+endif
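Review bot: `$(shell rm ${PLAT_OBJECTS})` runs while the makefile is being parsed, so the three helper objects are deleted on every make invocation that includes this file, whatever the target, and without `-f` rm prints an error for each object that does not exist yet on a clean tree. If the intent is to force a rebuild when the platform defines change, a dependency or the clean rule expresses that better; at minimum use `$(shell rm -f ${PLAT_OBJECTS})`. Separately, `PLAT_DEF_OID := yes` directly before `ifeq (${PLAT_DEF_OID},yes)` makes the conditional always true and replaces any value set earlier in the build; `PLAT_DEF_OID ?= yes` would keep it overridable, if that is what is wanted.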
diff --git a/tools/nxp/cert_create_helper/include/pdef_tbb_cert.h b/tools/nxp/cert_create_helper/include/pdef_tbb_cert.h
new file mode 100644
index 0000000..f185619
--- /dev/null
+++ b/tools/nxp/cert_create_helper/include/pdef_tbb_cert.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PDEF_TBB_CERT_H
+#define PDEF_TBB_CERT_H
+
+#include <tbbr/tbb_cert.h>
+
+/*
+ * Enumerate the certificates that are used to establish the chain of trust
+ */
+enum {
+	DDR_FW_KEY_CERT = FWU_CERT + 1,
+	DDR_UDIMM_FW_CONTENT_CERT,
+	DDR_RDIMM_FW_CONTENT_CERT
+};
+
+#endif /* PDEF_TBB_CERT_H */
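Review bot: `DDR_FW_KEY_CERT = FWU_CERT + 1` assumes FWU_CERT is the last enumerator in tbbr/tbb_cert.h, which this diff does not show; if a certificate is later appended to the generic list, the platform IDs would collide with it without any build error. The same assumption is made in pdef_tbb_ext.h (`FWU_HASH_EXT + 1`) and pdef_tbb_key.h (`NON_TRUSTED_FW_CONTENT_CERT_KEY + 1`). Because these IDs decide which key signs which certificate and which extensions it carries, the dependency deserves a comment, e.g. `/* Must start after the last generic TBBR certificate ID (currently FWU_CERT). */`, or a terminal enumerator in the generic header that the platform enums start from.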
diff --git a/tools/nxp/cert_create_helper/include/pdef_tbb_ext.h b/tools/nxp/cert_create_helper/include/pdef_tbb_ext.h
new file mode 100644
index 0000000..5fb349c
--- /dev/null
+++ b/tools/nxp/cert_create_helper/include/pdef_tbb_ext.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PDEF_TBB_EXT_H
+#define PDEF_TBB_EXT_H
+
+#include <tbbr/tbb_ext.h>
+
+/* Plat Defined TBBR extensions */
+enum {
+	DDR_FW_CONTENT_CERT_PK_EXT = FWU_HASH_EXT + 1,
+	DDR_IMEM_UDIMM_1D_HASH_EXT,
+	DDR_IMEM_UDIMM_2D_HASH_EXT,
+	DDR_DMEM_UDIMM_1D_HASH_EXT,
+	DDR_DMEM_UDIMM_2D_HASH_EXT,
+	DDR_IMEM_RDIMM_1D_HASH_EXT,
+	DDR_IMEM_RDIMM_2D_HASH_EXT,
+	DDR_DMEM_RDIMM_1D_HASH_EXT,
+	DDR_DMEM_RDIMM_2D_HASH_EXT
+};
+
+#endif /* PDEF_TBB_EXT_H */
diff --git a/tools/nxp/cert_create_helper/include/pdef_tbb_key.h b/tools/nxp/cert_create_helper/include/pdef_tbb_key.h
new file mode 100644
index 0000000..b26b651
--- /dev/null
+++ b/tools/nxp/cert_create_helper/include/pdef_tbb_key.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PDEF_TBB_KEY_H
+#define PDEF_TBB_KEY_H
+
+#include <tbbr/tbb_key.h>
+
+/*
+ * Enumerate the pltform defined keys that are used to establish the chain of trust
+ */
+enum {
+	DDR_FW_CONTENT_KEY = NON_TRUSTED_FW_CONTENT_CERT_KEY + 1,
+};
+#endif /* PDEF_TBB_KEY_H */
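Review bot: The comment above the enum misspells "platform" as `pltform`, and the lone enumerator ends with a trailing comma while the enums in pdef_tbb_cert.h and pdef_tbb_ext.h do not. Suggested comment text: `Enumerate the platform defined keys that are used to establish the chain of trust`. A blank line before the closing `#endif` would also match the other two headers.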
diff --git a/tools/nxp/cert_create_helper/src/pdef_tbb_cert.c b/tools/nxp/cert_create_helper/src/pdef_tbb_cert.c
new file mode 100644
index 0000000..40bd928
--- /dev/null
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_cert.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <pdef_tbb_cert.h>
+#include <pdef_tbb_ext.h>
+#include <pdef_tbb_key.h>
+
+static cert_t pdef_tbb_certs[] = {
+	[DDR_FW_KEY_CERT - DDR_FW_KEY_CERT] = {
+		.id = DDR_FW_KEY_CERT,
+		.opt = "ddr-fw-key-cert",
+		.help_msg = "DDR Firmware Key Certificate (output file)",
+		.fn = NULL,
+		.cn = "DDR Firmware Key Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = DDR_FW_KEY_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			DDR_FW_CONTENT_CERT_PK_EXT,
+		},
+		.num_ext = 2
+	},
+	[DDR_UDIMM_FW_CONTENT_CERT - DDR_FW_KEY_CERT] = {
+		.id = DDR_UDIMM_FW_CONTENT_CERT,
+		.opt = "ddr-udimm-fw-cert",
+		.help_msg = "DDR UDIMM Firmware Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "DDR UDIMM Firmware Content Certificate",
+		.key = DDR_FW_CONTENT_KEY,
+		.issuer = DDR_UDIMM_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			DDR_IMEM_UDIMM_1D_HASH_EXT,
+			DDR_IMEM_UDIMM_2D_HASH_EXT,
+			DDR_DMEM_UDIMM_1D_HASH_EXT,
+			DDR_DMEM_UDIMM_2D_HASH_EXT,
+		},
+		.num_ext = 5
+	},
+	[DDR_RDIMM_FW_CONTENT_CERT - DDR_FW_KEY_CERT] = {
+		.id = DDR_RDIMM_FW_CONTENT_CERT,
+		.opt = "ddr-rdimm-fw-cert",
+		.help_msg = "DDR RDIMM Firmware Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "DDR RDIMM Firmware Content Certificate",
+		.key = DDR_FW_CONTENT_KEY,
+		.issuer = DDR_RDIMM_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			DDR_IMEM_RDIMM_1D_HASH_EXT,
+			DDR_IMEM_RDIMM_2D_HASH_EXT,
+			DDR_DMEM_RDIMM_1D_HASH_EXT,
+			DDR_DMEM_RDIMM_2D_HASH_EXT,
+		},
+		.num_ext = 5
+	}
+};
+
+PLAT_REGISTER_COT(pdef_tbb_certs);
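Review bot: Each entry's `.num_ext` is a hand-maintained count of its `.ext` list (2, 5, 5); if a hash extension is added to a list without raising the count, the tool would presumably leave it out of the certificate, and that DDR image would then not be covered by the chain of trust. cert_t is declared outside this diff, so I cannot tell whether the count could be derived; at least add a comment on each count such as `/* keep in sync with .ext above */`. The table would also benefit from a header comment describing the chain it encodes: the key certificate is signed with TRUSTED_WORLD_KEY and carries DDR_FW_CONTENT_CERT_PK_EXT, and both content certificates are signed with DDR_FW_CONTENT_KEY.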
diff --git a/tools/nxp/cert_create_helper/src/pdef_tbb_ext.c b/tools/nxp/cert_create_helper/src/pdef_tbb_ext.c
new file mode 100644
index 0000000..f6da6dd
--- /dev/null
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_ext.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+#if USE_TBBR_DEFS
+#include <tbbr_oid.h>
+#else
+#include <platform_oid.h>
+#endif
+
+#include "ext.h"
+#include "tbbr/tbb_ext.h"
+#include "tbbr/tbb_key.h"
+
+#include <pdef_tbb_ext.h>
+#include <pdef_tbb_key.h>
+
+static ext_t pdef_tbb_ext[] = {
+	[DDR_FW_CONTENT_CERT_PK_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_FW_CONTENT_CERT_PK_OID,
+		.sn = "DDR FirmwareContentCertPK",
+		.ln = "DDR Firmware content certificate public key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = DDR_FW_CONTENT_KEY
+	},
+	[DDR_IMEM_UDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_UDIMM_1D_HASH_OID,
+		.opt = "ddr-immem-udimm-1d",
+		.help_msg = "DDR Firmware IMEM UDIMM 1D image file",
+		.sn = "DDR UDIMM IMEM 1D FirmwareHash",
+		.ln = "DDR UDIMM IMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_IMEM_UDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_UDIMM_2D_HASH_OID,
+		.opt = "ddr-immem-udimm-2d",
+		.help_msg = "DDR Firmware IMEM UDIMM 2D image file",
+		.sn = "DDR UDIMM IMEM 2D FirmwareHash",
+		.ln = "DDR UDIMM IMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_UDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_UDIMM_1D_HASH_OID,
+		.opt = "ddr-dmmem-udimm-1d",
+		.help_msg = "DDR Firmware DMEM UDIMM 1D image file",
+		.sn = "DDR UDIMM DMEM 1D FirmwareHash",
+		.ln = "DDR UDIMM DMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_UDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_UDIMM_2D_HASH_OID,
+		.opt = "ddr-dmmem-udimm-2d",
+		.help_msg = "DDR Firmware DMEM UDIMM 2D image file",
+		.sn = "DDR UDIMM DMEM 2D FirmwareHash",
+		.ln = "DDR UDIMM DMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_IMEM_RDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_RDIMM_1D_HASH_OID,
+		.opt = "ddr-immem-rdimm-1d",
+		.help_msg = "DDR Firmware IMEM RDIMM 1D image file",
+		.sn = "DDR RDIMM IMEM 1D FirmwareHash",
+		.ln = "DDR RDIMM IMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_IMEM_RDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_RDIMM_2D_HASH_OID,
+		.opt = "ddr-immem-rdimm-2d",
+		.help_msg = "DDR Firmware IMEM RDIMM 2D image file",
+		.sn = "DDR RDIMM IMEM 2D FirmwareHash",
+		.ln = "DDR RDIMM IMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_RDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_RDIMM_1D_HASH_OID,
+		.opt = "ddr-dmmem-rdimm-1d",
+		.help_msg = "DDR Firmware DMEM RDIMM 1D image file",
+		.sn = "DDR RDIMM DMEM 1D FirmwareHash",
+		.ln = "DDR RDIMM DMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_RDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_RDIMM_2D_HASH_OID,
+		.opt = "ddr-dmmem-rdimm-2d",
+		.help_msg = "DDR Firmware DMEM RDIMM 2D image file",
+		.sn = "DDR RDIMM DMEM 2D FirmwareHash",
+		.ln = "DDR RDIMM DMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	}
+};
+
+PLAT_REGISTER_EXTENSIONS(pdef_tbb_ext);
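Review bot: The command-line option names are spelled `ddr-immem-*` and `ddr-dmmem-*`, while every help message, short name and enumerator uses IMEM and DMEM; if this is a typo it becomes part of the tool's interface as soon as build scripts pass it, so it is worth settling now, e.g. `.opt = "ddr-imem-udimm-1d"` and `.opt = "ddr-dmem-udimm-1d"` (likewise for the other six). Any makefile that already passes these options lies outside this diff and would need the same rename. The long names also hard-code `(SHA256)`; if the tool's hash algorithm is selectable, that label can be wrong for the digest actually stored. `<stdio.h>`, `<string.h>` and `<openssl/err.h>` do not appear to be used by anything in this file.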
diff --git a/tools/nxp/cert_create_helper/src/pdef_tbb_key.c b/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
new file mode 100644
index 0000000..cf2ebda
--- /dev/null
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <pdef_tbb_key.h>
+
+static key_t pdef_tbb_keys[] = {
+	[DDR_FW_CONTENT_KEY - DDR_FW_CONTENT_KEY] = {
+		.id = DDR_FW_CONTENT_KEY,
+		.opt = "ddr-fw-key",
+		.help_msg = "DDR Firmware Content Certificate key (input/output file)",
+		.desc = "DDR Firmware Content Certificate key"
+	}
+};
+
+PLAT_REGISTER_KEYS(pdef_tbb_keys);