Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 7ec175e2e7453c34d0bd5d66d63f6e008fd3435d / . / tools / cert_create / src / dualroot / cot.c
blob: 8117ffc1694ef371322a1887b6c2fe8a3a48457d [file] [log] [blame]
Sandrine Bailleux5d505082020-01-10 14:32:30 +0100[diff] [blame]1/*
2 * Copyright (c) 2020, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <dualroot_oid.h>
8
9#include "cert.h"
10#include "ext.h"
11#include "key.h"
12
13#include "dualroot/cot.h"
14
15/*
16 * Certificates used in the chain of trust.
17 *
18 * All certificates are self-signed so the issuer certificate field points to
19 * itself.
20 */
21static cert_t cot_certs[] = {
22 [TRUSTED_BOOT_FW_CERT] = {
23 .id = TRUSTED_BOOT_FW_CERT,
24 .opt = "tb-fw-cert",
25 .help_msg = "Trusted Boot FW Certificate (output file)",
26 .cn = "Trusted Boot FW Certificate",
27 .key = ROT_KEY,
28 .issuer = TRUSTED_BOOT_FW_CERT,
29 .ext = {
30 TRUSTED_FW_NVCOUNTER_EXT,
31 TRUSTED_BOOT_FW_HASH_EXT,
32 TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
33 HW_CONFIG_HASH_EXT
34 },
35 .num_ext = 4
36 },
37
38 [TRUSTED_KEY_CERT] = {
39 .id = TRUSTED_KEY_CERT,
40 .opt = "trusted-key-cert",
41 .help_msg = "Trusted Key Certificate (output file)",
42 .cn = "Trusted Key Certificate",
43 .key = ROT_KEY,
44 .issuer = TRUSTED_KEY_CERT,
45 .ext = {
46 TRUSTED_FW_NVCOUNTER_EXT,
47 TRUSTED_WORLD_PK_EXT,
48 },
49 .num_ext = 2
50 },
51
52 [SCP_FW_KEY_CERT] = {
53 .id = SCP_FW_KEY_CERT,
54 .opt = "scp-fw-key-cert",
55 .help_msg = "SCP Firmware Key Certificate (output file)",
56 .cn = "SCP Firmware Key Certificate",
57 .key = TRUSTED_WORLD_KEY,
58 .issuer = SCP_FW_KEY_CERT,
59 .ext = {
60 TRUSTED_FW_NVCOUNTER_EXT,
61 SCP_FW_CONTENT_CERT_PK_EXT
62 },
63 .num_ext = 2
64 },
65
66 [SCP_FW_CONTENT_CERT] = {
67 .id = SCP_FW_CONTENT_CERT,
68 .opt = "scp-fw-cert",
69 .help_msg = "SCP Firmware Content Certificate (output file)",
70 .cn = "SCP Firmware Content Certificate",
71 .key = SCP_FW_CONTENT_CERT_KEY,
72 .issuer = SCP_FW_CONTENT_CERT,
73 .ext = {
74 TRUSTED_FW_NVCOUNTER_EXT,
75 SCP_FW_HASH_EXT
76 },
77 .num_ext = 2
78 },
79
80 [SOC_FW_KEY_CERT] = {
81 .id = SOC_FW_KEY_CERT,
82 .opt = "soc-fw-key-cert",
83 .help_msg = "SoC Firmware Key Certificate (output file)",
84 .cn = "SoC Firmware Key Certificate",
85 .key = TRUSTED_WORLD_KEY,
86 .issuer = SOC_FW_KEY_CERT,
87 .ext = {
88 TRUSTED_FW_NVCOUNTER_EXT,
89 SOC_FW_CONTENT_CERT_PK_EXT
90 },
91 .num_ext = 2
92 },
93
94 [SOC_FW_CONTENT_CERT] = {
95 .id = SOC_FW_CONTENT_CERT,
96 .opt = "soc-fw-cert",
97 .help_msg = "SoC Firmware Content Certificate (output file)",
98 .cn = "SoC Firmware Content Certificate",
99 .key = SOC_FW_CONTENT_CERT_KEY,
100 .issuer = SOC_FW_CONTENT_CERT,
101 .ext = {
102 TRUSTED_FW_NVCOUNTER_EXT,
103 SOC_AP_FW_HASH_EXT,
104 SOC_FW_CONFIG_HASH_EXT,
105 },
106 .num_ext = 3
107 },
108
109 [TRUSTED_OS_FW_KEY_CERT] = {
110 .id = TRUSTED_OS_FW_KEY_CERT,
111 .opt = "tos-fw-key-cert",
112 .help_msg = "Trusted OS Firmware Key Certificate (output file)",
113 .cn = "Trusted OS Firmware Key Certificate",
114 .key = TRUSTED_WORLD_KEY,
115 .issuer = TRUSTED_OS_FW_KEY_CERT,
116 .ext = {
117 TRUSTED_FW_NVCOUNTER_EXT,
118 TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
119 },
120 .num_ext = 2
121 },
122
123 [TRUSTED_OS_FW_CONTENT_CERT] = {
124 .id = TRUSTED_OS_FW_CONTENT_CERT,
125 .opt = "tos-fw-cert",
126 .help_msg = "Trusted OS Firmware Content Certificate (output file)",
127 .cn = "Trusted OS Firmware Content Certificate",
128 .key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
129 .issuer = TRUSTED_OS_FW_CONTENT_CERT,
130 .ext = {
131 TRUSTED_FW_NVCOUNTER_EXT,
132 TRUSTED_OS_FW_HASH_EXT,
133 TRUSTED_OS_FW_EXTRA1_HASH_EXT,
134 TRUSTED_OS_FW_EXTRA2_HASH_EXT,
135 TRUSTED_OS_FW_CONFIG_HASH_EXT,
136 },
137 .num_ext = 5
138 },
139
140 [FWU_CERT] = {
141 .id = FWU_CERT,
142 .opt = "fwu-cert",
143 .help_msg = "Firmware Update Certificate (output file)",
144 .cn = "Firmware Update Certificate",
145 .key = ROT_KEY,
146 .issuer = FWU_CERT,
147 .ext = {
148 SCP_FWU_CFG_HASH_EXT,
149 AP_FWU_CFG_HASH_EXT,
150 FWU_HASH_EXT
151 },
152 .num_ext = 3
153 },
154
155 [NON_TRUSTED_FW_CONTENT_CERT] = {
156 .id = NON_TRUSTED_FW_CONTENT_CERT,
157 .opt = "nt-fw-cert",
158 .help_msg = "Non-Trusted Firmware Content Certificate (output file)",
159 .cn = "Non-Trusted Firmware Content Certificate",
160 .key = PROT_KEY,
161 .issuer = NON_TRUSTED_FW_CONTENT_CERT,
162 .ext = {
163 NON_TRUSTED_FW_NVCOUNTER_EXT,
164 NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
165 NON_TRUSTED_FW_CONFIG_HASH_EXT,
166 PROT_PK_EXT,
167 },
168 .num_ext = 4
169 },
170};
171
172REGISTER_COT(cot_certs);
173
174
175/* Certificate extensions. */
176static ext_t cot_ext[] = {
177 [TRUSTED_FW_NVCOUNTER_EXT] = {
178 .oid = TRUSTED_FW_NVCOUNTER_OID,
179 .opt = "tfw-nvctr",
180 .help_msg = "Trusted Firmware Non-Volatile counter value",
181 .sn = "TrustedWorldNVCounter",
182 .ln = "Trusted World Non-Volatile counter",
183 .asn1_type = V_ASN1_INTEGER,
184 .type = EXT_TYPE_NVCOUNTER,
185 .attr.nvctr_type = NVCTR_TYPE_TFW
186 },
187
188 [TRUSTED_BOOT_FW_HASH_EXT] = {
189 .oid = TRUSTED_BOOT_FW_HASH_OID,
190 .opt = "tb-fw",
191 .help_msg = "Trusted Boot Firmware image file",
192 .sn = "TrustedBootFirmwareHash",
193 .ln = "Trusted Boot Firmware hash (SHA256)",
194 .asn1_type = V_ASN1_OCTET_STRING,
195 .type = EXT_TYPE_HASH
196 },
197
198 [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
199 .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
200 .opt = "tb-fw-config",
201 .help_msg = "Trusted Boot Firmware Config file",
202 .sn = "TrustedBootFirmwareConfigHash",
203 .ln = "Trusted Boot Firmware Config hash",
204 .asn1_type = V_ASN1_OCTET_STRING,
205 .type = EXT_TYPE_HASH,
206 .optional = 1
207 },
208
209 [HW_CONFIG_HASH_EXT] = {
210 .oid = HW_CONFIG_HASH_OID,
211 .opt = "hw-config",
212 .help_msg = "HW Config file",
213 .sn = "HWConfigHash",
214 .ln = "HW Config hash",
215 .asn1_type = V_ASN1_OCTET_STRING,
216 .type = EXT_TYPE_HASH,
217 .optional = 1
218 },
219
220 [TRUSTED_WORLD_PK_EXT] = {
221 .oid = TRUSTED_WORLD_PK_OID,
222 .sn = "TrustedWorldPublicKey",
223 .ln = "Trusted World Public Key",
224 .asn1_type = V_ASN1_OCTET_STRING,
225 .type = EXT_TYPE_PKEY,
226 .attr.key = TRUSTED_WORLD_KEY
227 },
228
229 [SCP_FW_CONTENT_CERT_PK_EXT] = {
230 .oid = SCP_FW_CONTENT_CERT_PK_OID,
231 .sn = "SCPFirmwareContentCertPK",
232 .ln = "SCP Firmware content certificate public key",
233 .asn1_type = V_ASN1_OCTET_STRING,
234 .type = EXT_TYPE_PKEY,
235 .attr.key = SCP_FW_CONTENT_CERT_KEY
236 },
237
238 [SCP_FW_HASH_EXT] = {
239 .oid = SCP_FW_HASH_OID,
240 .opt = "scp-fw",
241 .help_msg = "SCP Firmware image file",
242 .sn = "SCPFirmwareHash",
243 .ln = "SCP Firmware hash (SHA256)",
244 .asn1_type = V_ASN1_OCTET_STRING,
245 .type = EXT_TYPE_HASH
246 },
247
248 [SOC_FW_CONTENT_CERT_PK_EXT] = {
249 .oid = SOC_FW_CONTENT_CERT_PK_OID,
250 .sn = "SoCFirmwareContentCertPK",
251 .ln = "SoC Firmware content certificate public key",
252 .asn1_type = V_ASN1_OCTET_STRING,
253 .type = EXT_TYPE_PKEY,
254 .attr.key = SOC_FW_CONTENT_CERT_KEY
255 },
256
257 [SOC_AP_FW_HASH_EXT] = {
258 .oid = SOC_AP_FW_HASH_OID,
259 .opt = "soc-fw",
260 .help_msg = "SoC AP Firmware image file",
261 .sn = "SoCAPFirmwareHash",
262 .ln = "SoC AP Firmware hash (SHA256)",
263 .asn1_type = V_ASN1_OCTET_STRING,
264 .type = EXT_TYPE_HASH
265 },
266
267 [SOC_FW_CONFIG_HASH_EXT] = {
268 .oid = SOC_FW_CONFIG_HASH_OID,
269 .opt = "soc-fw-config",
270 .help_msg = "SoC Firmware Config file",
271 .sn = "SocFirmwareConfigHash",
272 .ln = "SoC Firmware Config hash",
273 .asn1_type = V_ASN1_OCTET_STRING,
274 .type = EXT_TYPE_HASH,
275 .optional = 1
276 },
277
278 [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
279 .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
280 .sn = "TrustedOSFirmwareContentCertPK",
281 .ln = "Trusted OS Firmware content certificate public key",
282 .asn1_type = V_ASN1_OCTET_STRING,
283 .type = EXT_TYPE_PKEY,
284 .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
285 },
286
287 [TRUSTED_OS_FW_HASH_EXT] = {
288 .oid = TRUSTED_OS_FW_HASH_OID,
289 .opt = "tos-fw",
290 .help_msg = "Trusted OS image file",
291 .sn = "TrustedOSHash",
292 .ln = "Trusted OS hash (SHA256)",
293 .asn1_type = V_ASN1_OCTET_STRING,
294 .type = EXT_TYPE_HASH
295 },
296
297 [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
298 .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
299 .opt = "tos-fw-extra1",
300 .help_msg = "Trusted OS Extra1 image file",
301 .sn = "TrustedOSExtra1Hash",
302 .ln = "Trusted OS Extra1 hash (SHA256)",
303 .asn1_type = V_ASN1_OCTET_STRING,
304 .type = EXT_TYPE_HASH,
305 .optional = 1
306 },
307
308 [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
309 .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
310 .opt = "tos-fw-extra2",
311 .help_msg = "Trusted OS Extra2 image file",
312 .sn = "TrustedOSExtra2Hash",
313 .ln = "Trusted OS Extra2 hash (SHA256)",
314 .asn1_type = V_ASN1_OCTET_STRING,
315 .type = EXT_TYPE_HASH,
316 .optional = 1
317 },
318
319 [TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
320 .oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
321 .opt = "tos-fw-config",
322 .help_msg = "Trusted OS Firmware Config file",
323 .sn = "TrustedOSFirmwareConfigHash",
324 .ln = "Trusted OS Firmware Config hash",
325 .asn1_type = V_ASN1_OCTET_STRING,
326 .type = EXT_TYPE_HASH,
327 .optional = 1
328 },
329
330 [SCP_FWU_CFG_HASH_EXT] = {
331 .oid = SCP_FWU_CFG_HASH_OID,
332 .opt = "scp-fwu-cfg",
333 .help_msg = "SCP Firmware Update Config image file",
334 .sn = "SCPFWUpdateConfig",
335 .ln = "SCP Firmware Update Config hash (SHA256)",
336 .asn1_type = V_ASN1_OCTET_STRING,
337 .type = EXT_TYPE_HASH,
338 .optional = 1
339 },
340
341 [AP_FWU_CFG_HASH_EXT] = {
342 .oid = AP_FWU_CFG_HASH_OID,
343 .opt = "ap-fwu-cfg",
344 .help_msg = "AP Firmware Update Config image file",
345 .sn = "APFWUpdateConfig",
346 .ln = "AP Firmware Update Config hash (SHA256)",
347 .asn1_type = V_ASN1_OCTET_STRING,
348 .type = EXT_TYPE_HASH,
349 .optional = 1
350 },
351
352 [FWU_HASH_EXT] = {
353 .oid = FWU_HASH_OID,
354 .opt = "fwu",
355 .help_msg = "Firmware Updater image file",
356 .sn = "FWUpdaterHash",
357 .ln = "Firmware Updater hash (SHA256)",
358 .asn1_type = V_ASN1_OCTET_STRING,
359 .type = EXT_TYPE_HASH,
360 .optional = 1
361 },
362
363 [PROT_PK_EXT] = {
364 .oid = PROT_PK_OID,
365 .sn = "PlatformRoTKey",
366 .ln = "Platform Root of Trust Public Key",
367 .asn1_type = V_ASN1_OCTET_STRING,
368 .type = EXT_TYPE_PKEY,
369 .attr.key = PROT_KEY
370 },
371
372 [NON_TRUSTED_FW_NVCOUNTER_EXT] = {
373 .oid = NON_TRUSTED_FW_NVCOUNTER_OID,
374 .opt = "ntfw-nvctr",
375 .help_msg = "Non-Trusted Firmware Non-Volatile counter value",
376 .sn = "NormalWorldNVCounter",
377 .ln = "Non-Trusted Firmware Non-Volatile counter",
378 .asn1_type = V_ASN1_INTEGER,
379 .type = EXT_TYPE_NVCOUNTER,
380 .attr.nvctr_type = NVCTR_TYPE_NTFW
381 },
382
383 [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
384 .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
385 .opt = "nt-fw",
386 .help_msg = "Non-Trusted World Bootloader image file",
387 .sn = "NonTrustedWorldBootloaderHash",
388 .ln = "Non-Trusted World hash (SHA256)",
389 .asn1_type = V_ASN1_OCTET_STRING,
390 .type = EXT_TYPE_HASH
391 },
392
393 [NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
394 .oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
395 .opt = "nt-fw-config",
396 .help_msg = "Non Trusted OS Firmware Config file",
397 .sn = "NonTrustedOSFirmwareConfigHash",
398 .ln = "Non-Trusted OS Firmware Config hash",
399 .asn1_type = V_ASN1_OCTET_STRING,
400 .type = EXT_TYPE_HASH,
401 .optional = 1
402 },
403};
404
405REGISTER_EXTENSIONS(cot_ext);
406
407
408/* Keys used to establish the chain of trust. */
409static key_t cot_keys[] = {
410 [ROT_KEY] = {
411 .id = ROT_KEY,
412 .opt = "rot-key",
413 .help_msg = "Root Of Trust key (input/output file)",
414 .desc = "Root Of Trust key"
415 },
416
417 [TRUSTED_WORLD_KEY] = {
418 .id = TRUSTED_WORLD_KEY,
419 .opt = "trusted-world-key",
420 .help_msg = "Trusted World key (input/output file)",
421 .desc = "Trusted World key"
422 },
423
424 [SCP_FW_CONTENT_CERT_KEY] = {
425 .id = SCP_FW_CONTENT_CERT_KEY,
426 .opt = "scp-fw-key",
427 .help_msg = "SCP Firmware Content Certificate key (input/output file)",
428 .desc = "SCP Firmware Content Certificate key"
429 },
430
431 [SOC_FW_CONTENT_CERT_KEY] = {
432 .id = SOC_FW_CONTENT_CERT_KEY,
433 .opt = "soc-fw-key",
434 .help_msg = "SoC Firmware Content Certificate key (input/output file)",
435 .desc = "SoC Firmware Content Certificate key"
436 },
437
438 [TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
439 .id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
440 .opt = "tos-fw-key",
441 .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
442 .desc = "Trusted OS Firmware Content Certificate key"
443 },
444
445 [PROT_KEY] = {
446 .id = PROT_KEY,
447 .opt = "prot-key",
448 .help_msg = "Platform Root of Trust key",
449 .desc = "Platform Root of Trust key"
450 },
451};
452
453REGISTER_KEYS(cot_keys);