/*
 * Copyright (c) 2020, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
6
7#include <dualroot_oid.h>
8
9#include "cert.h"
10#include "ext.h"
11#include "key.h"
12
13#include "dualroot/cot.h"
14
/*
 * Certificates of the dual-root chain of trust.
 *
 * Every entry sets .issuer to its own index: all certificates are
 * self-signed, so the issuer certificate field points to itself.
 *
 * .key selects the cot_keys[] entry tied to the certificate (presumably its
 * signing key; confirm in cert.h). Two root keys appear: ROT_KEY on the
 * trusted boot firmware, trusted key and firmware update certificates, and
 * PROT_KEY on the non-trusted firmware content certificate.
 *
 * NOTE(review): .num_ext is a hand-maintained count of the entries listed
 * in .ext. Re-check it whenever an extension is added or removed; a count
 * that lags the list would presumably leave the trailing extensions (and
 * the hashes or keys they carry) out of the certificate.
 */
static cert_t cot_certs[] = {
	/* ROT_KEY: boot firmware hash plus two optional config hashes. */
	[TRUSTED_BOOT_FW_CERT] = {
		.id = TRUSTED_BOOT_FW_CERT,
		.opt = "tb-fw-cert",
		.help_msg = "Trusted Boot FW Certificate (output file)",
		.cn = "Trusted Boot FW Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_BOOT_FW_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
		},
		.num_ext = 4,
	},

	/* ROT_KEY: carries the trusted world public key. */
	[TRUSTED_KEY_CERT] = {
		.id = TRUSTED_KEY_CERT,
		.opt = "trusted-key-cert",
		.help_msg = "Trusted Key Certificate (output file)",
		.cn = "Trusted Key Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_WORLD_PK_EXT,
		},
		.num_ext = 2,
	},

	/*
	 * Key certificates use TRUSTED_WORLD_KEY and carry the public key of
	 * the matching content certificate; each content certificate then
	 * uses that per-image key and carries the image hashes.
	 */
	[SCP_FW_KEY_CERT] = {
		.id = SCP_FW_KEY_CERT,
		.opt = "scp-fw-key-cert",
		.help_msg = "SCP Firmware Key Certificate (output file)",
		.cn = "SCP Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SCP_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_CONTENT_CERT_PK_EXT,
		},
		.num_ext = 2,
	},

	[SCP_FW_CONTENT_CERT] = {
		.id = SCP_FW_CONTENT_CERT,
		.opt = "scp-fw-cert",
		.help_msg = "SCP Firmware Content Certificate (output file)",
		.cn = "SCP Firmware Content Certificate",
		.key = SCP_FW_CONTENT_CERT_KEY,
		.issuer = SCP_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_HASH_EXT,
		},
		.num_ext = 2,
	},

	[SOC_FW_KEY_CERT] = {
		.id = SOC_FW_KEY_CERT,
		.opt = "soc-fw-key-cert",
		.help_msg = "SoC Firmware Key Certificate (output file)",
		.cn = "SoC Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SOC_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_FW_CONTENT_CERT_PK_EXT,
		},
		.num_ext = 2,
	},

	[SOC_FW_CONTENT_CERT] = {
		.id = SOC_FW_CONTENT_CERT,
		.opt = "soc-fw-cert",
		.help_msg = "SoC Firmware Content Certificate (output file)",
		.cn = "SoC Firmware Content Certificate",
		.key = SOC_FW_CONTENT_CERT_KEY,
		.issuer = SOC_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3,
	},

	[TRUSTED_OS_FW_KEY_CERT] = {
		.id = TRUSTED_OS_FW_KEY_CERT,
		.opt = "tos-fw-key-cert",
		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
		.cn = "Trusted OS Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = TRUSTED_OS_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
		},
		.num_ext = 2,
	},

	[TRUSTED_OS_FW_CONTENT_CERT] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
		.cn = "Trusted OS Firmware Content Certificate",
		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 5,
	},

	/*
	 * Content certificate that uses TRUSTED_WORLD_KEY directly, with no
	 * key certificate of its own in this table. It holds up to eight
	 * secure partition package hashes.
	 *
	 * .fn is spelled out as NULL here; the other entries leave it unset,
	 * which for a static object is the same null pointer.
	 */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.fn = NULL,
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
		},
		.num_ext = 9,
	},

	/*
	 * NOTE(review): the only certificate in this table that lists no
	 * NV-counter extension. Confirm that rollback protection for the
	 * firmware update path is provided elsewhere.
	 */
	[FWU_CERT] = {
		.id = FWU_CERT,
		.opt = "fwu-cert",
		.help_msg = "Firmware Update Certificate (output file)",
		.cn = "Firmware Update Certificate",
		.key = ROT_KEY,
		.issuer = FWU_CERT,
		.ext = {
			SCP_FWU_CFG_HASH_EXT,
			AP_FWU_CFG_HASH_EXT,
			FWU_HASH_EXT,
		},
		.num_ext = 3,
	},

	/*
	 * Second root: uses PROT_KEY, the non-trusted NV counter, and embeds
	 * the platform root-of-trust public key (PROT_PK_EXT) in itself.
	 */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = PROT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
			PROT_PK_EXT,
		},
		.num_ext = 4,
	},
};

REGISTER_COT(cot_certs);
195
196
/*
 * Certificate extensions.
 *
 * .type selects one of three kinds:
 *   EXT_TYPE_NVCOUNTER  ASN.1 INTEGER; .attr.nvctr_type names the counter.
 *   EXT_TYPE_HASH       ASN.1 OCTET STRING; .opt names the command-line
 *                       option that supplies the file (per .help_msg).
 *   EXT_TYPE_PKEY       ASN.1 OCTET STRING; .attr.key names the cot_keys[]
 *                       entry. These entries define no .opt or .help_msg.
 *
 * Hash entries marked .optional = 1 can presumably be left out on the
 * command line; the unmarked ones (boot firmware, SCP, SoC AP, Trusted OS
 * and non-trusted bootloader images) cannot. Confirm in ext.h.
 *
 * NOTE(review): many .ln strings hard-code "(SHA256)". If the tool can be
 * run with a different digest, the label would no longer describe the
 * stored value; confirm before relying on it when auditing a certificate.
 */
static ext_t cot_ext[] = {
	/* Trusted-world counter, listed by every certificate except FWU and
	 * the non-trusted content certificate. */
	[TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = TRUSTED_FW_NVCOUNTER_OID,
		.opt = "tfw-nvctr",
		.help_msg = "Trusted Firmware Non-Volatile counter value",
		.sn = "TrustedWorldNVCounter",
		.ln = "Trusted World Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_TFW,
	},

	[TRUSTED_BOOT_FW_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_HASH_OID,
		.opt = "tb-fw",
		.help_msg = "Trusted Boot Firmware image file",
		.sn = "TrustedBootFirmwareHash",
		.ln = "Trusted Boot Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
		.opt = "tb-fw-config",
		.help_msg = "Trusted Boot Firmware Config file",
		.sn = "TrustedBootFirmwareConfigHash",
		.ln = "Trusted Boot Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[HW_CONFIG_HASH_EXT] = {
		.oid = HW_CONFIG_HASH_OID,
		.opt = "hw-config",
		.help_msg = "HW Config file",
		.sn = "HWConfigHash",
		.ln = "HW Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Public key placed in the trusted key certificate. */
	[TRUSTED_WORLD_PK_EXT] = {
		.oid = TRUSTED_WORLD_PK_OID,
		.sn = "TrustedWorldPublicKey",
		.ln = "Trusted World Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = TRUSTED_WORLD_KEY,
	},

	[SCP_FW_CONTENT_CERT_PK_EXT] = {
		.oid = SCP_FW_CONTENT_CERT_PK_OID,
		.sn = "SCPFirmwareContentCertPK",
		.ln = "SCP Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SCP_FW_CONTENT_CERT_KEY,
	},

	[SCP_FW_HASH_EXT] = {
		.oid = SCP_FW_HASH_OID,
		.opt = "scp-fw",
		.help_msg = "SCP Firmware image file",
		.sn = "SCPFirmwareHash",
		.ln = "SCP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[SOC_FW_CONTENT_CERT_PK_EXT] = {
		.oid = SOC_FW_CONTENT_CERT_PK_OID,
		.sn = "SoCFirmwareContentCertPK",
		.ln = "SoC Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SOC_FW_CONTENT_CERT_KEY,
	},

	[SOC_AP_FW_HASH_EXT] = {
		.oid = SOC_AP_FW_HASH_OID,
		.opt = "soc-fw",
		.help_msg = "SoC AP Firmware image file",
		.sn = "SoCAPFirmwareHash",
		.ln = "SoC AP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[SOC_FW_CONFIG_HASH_EXT] = {
		.oid = SOC_FW_CONFIG_HASH_OID,
		.opt = "soc-fw-config",
		.help_msg = "SoC Firmware Config file",
		.sn = "SocFirmwareConfigHash",
		.ln = "SoC Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
		.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
		.sn = "TrustedOSFirmwareContentCertPK",
		.ln = "Trusted OS Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
	},

	[TRUSTED_OS_FW_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_HASH_OID,
		.opt = "tos-fw",
		.help_msg = "Trusted OS image file",
		.sn = "TrustedOSHash",
		.ln = "Trusted OS hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
		.opt = "tos-fw-extra1",
		.help_msg = "Trusted OS Extra1 image file",
		.sn = "TrustedOSExtra1Hash",
		.ln = "Trusted OS Extra1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
		.opt = "tos-fw-extra2",
		.help_msg = "Trusted OS Extra2 image file",
		.sn = "TrustedOSExtra2Hash",
		.ln = "Trusted OS Extra2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
		.opt = "tos-fw-config",
		.help_msg = "Trusted OS Firmware Config file",
		.sn = "TrustedOSFirmwareConfigHash",
		.ln = "Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Secure partition package hashes 1..8, every one optional. */
	[SP_PKG1_HASH_EXT] = {
		.oid = SP_PKG1_HASH_OID,
		.opt = "sp-pkg1",
		.help_msg = "Secure Partition Package1 file",
		.sn = "SPPkg1Hash",
		.ln = "SP Pkg1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG2_HASH_EXT] = {
		.oid = SP_PKG2_HASH_OID,
		.opt = "sp-pkg2",
		.help_msg = "Secure Partition Package2 file",
		.sn = "SPPkg2Hash",
		.ln = "SP Pkg2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG3_HASH_EXT] = {
		.oid = SP_PKG3_HASH_OID,
		.opt = "sp-pkg3",
		.help_msg = "Secure Partition Package3 file",
		.sn = "SPPkg3Hash",
		.ln = "SP Pkg3 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG4_HASH_EXT] = {
		.oid = SP_PKG4_HASH_OID,
		.opt = "sp-pkg4",
		.help_msg = "Secure Partition Package4 file",
		.sn = "SPPkg4Hash",
		.ln = "SP Pkg4 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG5_HASH_EXT] = {
		.oid = SP_PKG5_HASH_OID,
		.opt = "sp-pkg5",
		.help_msg = "Secure Partition Package5 file",
		.sn = "SPPkg5Hash",
		.ln = "SP Pkg5 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG6_HASH_EXT] = {
		.oid = SP_PKG6_HASH_OID,
		.opt = "sp-pkg6",
		.help_msg = "Secure Partition Package6 file",
		.sn = "SPPkg6Hash",
		.ln = "SP Pkg6 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG7_HASH_EXT] = {
		.oid = SP_PKG7_HASH_OID,
		.opt = "sp-pkg7",
		.help_msg = "Secure Partition Package7 file",
		.sn = "SPPkg7Hash",
		.ln = "SP Pkg7 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG8_HASH_EXT] = {
		.oid = SP_PKG8_HASH_OID,
		.opt = "sp-pkg8",
		.help_msg = "Secure Partition Package8 file",
		.sn = "SPPkg8Hash",
		.ln = "SP Pkg8 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* The three firmware update hashes below are all optional. */
	[SCP_FWU_CFG_HASH_EXT] = {
		.oid = SCP_FWU_CFG_HASH_OID,
		.opt = "scp-fwu-cfg",
		.help_msg = "SCP Firmware Update Config image file",
		.sn = "SCPFWUpdateConfig",
		.ln = "SCP Firmware Update Config hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[AP_FWU_CFG_HASH_EXT] = {
		.oid = AP_FWU_CFG_HASH_OID,
		.opt = "ap-fwu-cfg",
		.help_msg = "AP Firmware Update Config image file",
		.sn = "APFWUpdateConfig",
		.ln = "AP Firmware Update Config hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[FWU_HASH_EXT] = {
		.oid = FWU_HASH_OID,
		.opt = "fwu",
		.help_msg = "Firmware Updater image file",
		.sn = "FWUpdaterHash",
		.ln = "Firmware Updater hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Platform root-of-trust public key, listed by the non-trusted
	 * firmware content certificate. */
	[PROT_PK_EXT] = {
		.oid = PROT_PK_OID,
		.sn = "PlatformRoTKey",
		.ln = "Platform Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PROT_KEY,
	},

	/* Separate counter type (NVCTR_TYPE_NTFW) for the non-trusted side. */
	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
		.opt = "ntfw-nvctr",
		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
		.sn = "NormalWorldNVCounter",
		.ln = "Non-Trusted Firmware Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_NTFW,
	},

	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
		.opt = "nt-fw",
		.help_msg = "Non-Trusted World Bootloader image file",
		.sn = "NonTrustedWorldBootloaderHash",
		.ln = "Non-Trusted World hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
		.opt = "nt-fw-config",
		.help_msg = "Non Trusted OS Firmware Config file",
		.sn = "NonTrustedOSFirmwareConfigHash",
		.ln = "Non-Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
};

REGISTER_EXTENSIONS(cot_ext);
509
510
/*
 * Keys used to establish the chain of trust.
 *
 * Two root keys are declared, ROT_KEY and PROT_KEY (the platform root of
 * trust), alongside the trusted world key and one key per content
 * certificate. Each entry is indexed by, and repeats, its own key id.
 *
 * The help text describes the options as input/output files, so the tool
 * may write key material to these paths as well as read it. Protect the
 * files accordingly.
 */
static key_t cot_keys[] = {
	[ROT_KEY] = {
		.id = ROT_KEY,
		.opt = "rot-key",
		.help_msg = "Root Of Trust key (input/output file)",
		.desc = "Root Of Trust key",
	},

	[TRUSTED_WORLD_KEY] = {
		.id = TRUSTED_WORLD_KEY,
		.opt = "trusted-world-key",
		.help_msg = "Trusted World key (input/output file)",
		.desc = "Trusted World key",
	},

	[SCP_FW_CONTENT_CERT_KEY] = {
		.id = SCP_FW_CONTENT_CERT_KEY,
		.opt = "scp-fw-key",
		.help_msg = "SCP Firmware Content Certificate key (input/output file)",
		.desc = "SCP Firmware Content Certificate key",
	},

	[SOC_FW_CONTENT_CERT_KEY] = {
		.id = SOC_FW_CONTENT_CERT_KEY,
		.opt = "soc-fw-key",
		.help_msg = "SoC Firmware Content Certificate key (input/output file)",
		.desc = "SoC Firmware Content Certificate key",
	},

	[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.opt = "tos-fw-key",
		.help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
		.desc = "Trusted OS Firmware Content Certificate key",
	},

	/*
	 * NOTE(review): unlike the other keys, the help text here has no
	 * "(input/output file)" suffix. Confirm whether this key is handled
	 * differently or the suffix was simply left off.
	 */
	[PROT_KEY] = {
		.id = PROT_KEY,
		.opt = "prot-key",
		.help_msg = "Platform Root of Trust key",
		.desc = "Platform Root of Trust key",
	},
};

REGISTER_KEYS(cot_keys);