TBB: rework cert_create tool to follow a data driven approach
This patch reworks the certificate generation tool to follow a data
driven approach. The user may specify at build time the certificates,
keys and extensions defined in the CoT, register them using the
appropriate macros and the tool will take care of creating the
certificates corresponding to the CoT specified.
Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 48a4146..18129a7 100644
--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@@ -33,8 +33,11 @@
#include <openssl/ossl_typ.h>
#include <openssl/x509.h>
+#include "ext.h"
#include "key.h"
+#define CERT_MAX_EXT 4
+
/*
* This structure contains information related to the generation of the
* certificates. All these fields must be known and specified at build time
@@ -52,18 +55,28 @@
int id; /* Unique identifier */
const char *fn; /* Filename to save the certificate */
- const char *bin; /* Image associated to this certificate */
-
const char *cn; /* Subject CN (Company Name) */
- X509 *x; /* X509 certificate container */
- key_t *key; /* Key to be signed */
+ /* These fields must be defined statically */
+ int key; /* Key to be signed */
+ int issuer; /* Issuer certificate */
+ int ext[CERT_MAX_EXT]; /* Certificate extensions */
+ int num_ext; /* Number of extensions in the certificate */
- cert_t *issuer; /* Issuer certificate */
+ X509 *x; /* X509 certificate container */
};
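Review bot: The new `ext[CERT_MAX_EXT]`/`num_ext` pair has no stated invariant, and nothing in the header enforces one: a CoT entry whose initializer lists more than CERT_MAX_EXT extensions is typically only a compiler warning about excess initializer elements, and a `num_ext` larger than the number of entries actually written makes the tool read zero-filled slots, which are indistinguishable from a valid extension index 0. I would document the contract on the field, `int num_ext; /* Valid entries in ext[]; must be <= CERT_MAX_EXT and equal the number of initialized entries */`, and give CERT_MAX_EXT a one-line comment saying it bounds the extensions per certificate. Whether the generation code range-checks `num_ext` at runtime is not visible from this header.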
+/* Exported API */
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
-
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
+/* Macro to register the certificates used in the CoT */
+#define REGISTER_COT(_certs) \
+ cert_t *certs = &_certs[0]; \
+ const unsigned int num_certs = sizeof(_certs)/sizeof(_certs[0]);
+
+/* Exported variables */
+extern cert_t *certs;
+extern const unsigned int num_certs;
+
#endif /* CERT_H_ */
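Review bot: `REGISTER_COT` computes `num_certs` with `sizeof(_certs)/sizeof(_certs[0])`, so it is only correct when the argument is an actual array in the invoking translation unit; passing a pointer compiles and silently yields a wrong count, and because the expansion defines non-static globals it must also be invoked in exactly one .c file. The same applies to `REGISTER_EXTENSIONS` in ext.h and `REGISTER_KEYS` in key.h. I would state this on each macro, e.g. `/* Invoke exactly once, in a .c file, with an array object (not a pointer): the element count is derived with sizeof */`, so the constraint is visible to anyone defining a new CoT.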
diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
index 57bb65f..60455e6 100644
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@@ -31,8 +31,16 @@
#ifndef EXT_H_
#define EXT_H_
+#include "key.h"
#include <openssl/x509v3.h>
+/* Extension types supported */
+enum {
+ EXT_TYPE_NVCOUNTER,
+ EXT_TYPE_PKEY,
+ EXT_TYPE_HASH
+};
+
/*
* This structure contains the relevant information to create the extensions
* to be included in the certificates. This extensions will be used to
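Review bot: The added `#include "key.h"` does not appear to be needed by anything visible in this header: the new `data.key` member is an `int` index rather than a `key_t`, and `ext_new_key` takes an `EVP_PKEY *` from OpenSSL. If nothing else in ext.h uses `key_t`, the include only adds coupling between the two headers and should be dropped or, if it is kept for the benefit of includers, placed after the system include with a comment saying why. The rest of the header is outside this hunk, so I may be missing a use.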
@@ -42,11 +50,19 @@
const char *oid; /* OID of the extension */
const char *sn; /* Short name */
const char *ln; /* Long description */
- int type; /* OpenSSL ASN1 type of the extension data.
+ int asn1_type; /* OpenSSL ASN1 type of the extension data.
* Supported types are:
* - V_ASN1_INTEGER
* - V_ASN1_OCTET_STRING
*/
+ int type;
+ /* Extension data (depends on extension type) */
+ union {
+ const char *fn; /* File with extension data */
+ int nvcounter; /* Non volatile counter */
+ int key; /* Public key */
+ } data;
+
int alias; /* In case OpenSSL provides an standard
* extension of the same type, add the new
* extension as an alias of this one
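Review bot: The new `int type;` field is the discriminator for the `data` union but carries no comment, unlike every neighbouring field, so a reader has to guess that it holds one of the EXT_TYPE_* values and which union member each value makes valid. I would document it as `int type; /* Extension type (EXT_TYPE_*); selects which member of data is valid */` and, on the union, note the member each type uses — presumably `fn` for EXT_TYPE_HASH, `nvcounter` for EXT_TYPE_NVCOUNTER and `key` for EXT_TYPE_PKEY, though that mapping is inferred from the names and should be confirmed against ext.c. It is also worth saying that `key` is an index into the registered keys array rather than a key object, given that the field is an `int`.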
@@ -62,10 +78,20 @@
EXT_CRIT = !EXT_NON_CRIT,
};
-int ext_init(ext_t *tbb_ext);
+/* Exported API */
+int ext_register(ext_t *tbb_ext);
X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len);
X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
+/* Macro to register the extensions used in the CoT */
+#define REGISTER_EXTENSIONS(_ext) \
+ ext_t *extensions = &_ext[0]; \
+ const unsigned int num_extensions = sizeof(_ext)/sizeof(_ext[0]);
+
+/* Exported variables */
+extern ext_t *extensions;
+extern const unsigned int num_extensions;
+
#endif /* EXT_H_ */
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 165ffa1..da9f119 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -68,8 +68,18 @@
EVP_PKEY *key; /* Key container */
} key_t;
+/* Exported API */
int key_create(key_t *key, int type);
int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key);
+/* Macro to register the keys used in the CoT */
+#define REGISTER_KEYS(_keys) \
+ key_t *keys = &_keys[0]; \
+ const unsigned int num_keys = sizeof(_keys)/sizeof(_keys[0]);
+
+/* Exported variables */
+extern key_t *keys;
+extern const unsigned int num_keys;
+
#endif /* KEY_H_ */
diff --git a/tools/cert_create/include/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
similarity index 93%
rename from tools/cert_create/include/tbb_cert.h
rename to tools/cert_create/include/tbbr/tbb_cert.h
index 4e48125..21626c7 100644
--- a/tools/cert_create/include/tbb_cert.h
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -46,13 +46,7 @@
BL32_KEY_CERT,
BL32_CERT,
BL33_KEY_CERT,
- BL33_CERT,
- NUM_CERTIFICATES,
+ BL33_CERT
};
-/*
- * Array containing the certificate instances
- */
-extern cert_t certs[NUM_CERTIFICATES];
-
#endif /* TBB_CERT_H_ */
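Review bot: With `NUM_CERTIFICATES` gone, the enum no longer carries a count that could be checked against the registered array, and the enum values are presumably used as the `key`, `issuer` and `ext[]` indices in cert_t, so the order of the enumerators must match the order of the entries in the array handed to `REGISTER_COT`; nothing in the header states that. The same coupling exists for the key enum in tbb_key.h (after `NUM_KEYS` is removed) and the new extension enum in tbb_ext.h. I would add a comment above each enum, `/* Values are indices into the registered array; keep this order in sync with the array definition */`, and, if the generation code does not already do so, compare each index against num_certs/num_keys/num_extensions at runtime — that code is not visible here.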
diff --git a/tools/cert_create/include/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
similarity index 84%
rename from tools/cert_create/include/tbb_ext.h
rename to tools/cert_create/include/tbbr/tbb_ext.h
index 155d3cb..03b12d7 100644
--- a/tools/cert_create/include/tbb_ext.h
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -32,7 +32,21 @@
#include "ext.h"
-/* Array containing the extensions used in the chain of trust */
-extern ext_t tbb_ext[];
+/* TBBR extensions */
+enum {
+ TZ_FW_NVCOUNTER_EXT,
+ NTZ_FW_NVCOUNTER_EXT,
+ BL2_HASH_EXT,
+ TZ_WORLD_PK_EXT,
+ NTZ_WORLD_PK_EXT,
+ BL31_CONTENT_CERT_PK_EXT,
+ BL31_HASH_EXT,
+ BL30_CONTENT_CERT_PK_EXT,
+ BL30_HASH_EXT,
+ BL32_CONTENT_CERT_PK_EXT,
+ BL32_HASH_EXT,
+ BL33_CONTENT_CERT_PK_EXT,
+ BL33_HASH_EXT
+};
#endif /* TBB_EXT_H_ */
diff --git a/tools/cert_create/include/tbb_key.h b/tools/cert_create/include/tbbr/tbb_key.h
similarity index 95%
rename from tools/cert_create/include/tbb_key.h
rename to tools/cert_create/include/tbbr/tbb_key.h
index cc927d1..1590309 100644
--- a/tools/cert_create/include/tbb_key.h
+++ b/tools/cert_create/include/tbbr/tbb_key.h
@@ -43,13 +43,7 @@
BL30_KEY,
BL31_KEY,
BL32_KEY,
- BL33_KEY,
- NUM_KEYS
+ BL33_KEY
};
-/*
- * Array containing the key instances
- */
-extern key_t keys[];
-
#endif /* TBB_KEY_H_ */