/*
 * Copyright (c) 2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
6
7#include "cca/cca_cot.h"
8
9#include <cca_oid.h>
10
11#include "cert.h"
12#include "ext.h"
13#include "key.h"
14
/*
 * Certificates that make up the CCA chain of trust.
 *
 * Every entry sets .issuer to its own index, so each certificate is described
 * as self-signed. .key names the key tied to the certificate (with a
 * self-signed certificate this is presumably also the signing key - confirm
 * against cert.h).
 *
 * .num_ext is written by hand and equals the number of entries in .ext for
 * every certificate below; keep the two in sync when an extension is added or
 * removed, otherwise the listed extensions and the declared count disagree.
 *
 * Certificates keyed by ROT_KEY, SWD_ROT_KEY or CORE_SWD_KEY carry
 * TRUSTED_FW_NVCOUNTER_EXT; those keyed by PROT_KEY or PLAT_KEY carry
 * NON_TRUSTED_FW_NVCOUNTER_EXT (presumably the rollback-protection counters -
 * confirm against the platform's chain of trust).
 */
static cert_t cot_certs[] = {
	/* Keyed by ROT_KEY: carries the firmware and config image hashes. */
	[CCA_CONTENT_CERT] = {
		.id = CCA_CONTENT_CERT,
		.opt = "cca-cert",
		.help_msg = "CCA Content Certificate (output file)",
		.cn = "CCA Content Certificate",
		.key = ROT_KEY,
		.issuer = CCA_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
			RMM_HASH_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
			FW_CONFIG_HASH_EXT,
		},
		.num_ext = 8,
	},

	/* Keyed by SWD_ROT_KEY: carries the SWD_ROT and CORE_SWD public keys. */
	[CORE_SWD_KEY_CERT] = {
		.id = CORE_SWD_KEY_CERT,
		.opt = "core-swd-cert",
		.help_msg = "Core Secure World Key Certificate (output file)",
		.cn = "Core Secure World Key Certificate",
		.key = SWD_ROT_KEY,
		.issuer = CORE_SWD_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SWD_ROT_PK_EXT,
			CORE_SWD_PK_EXT,
		},
		.num_ext = 3,
	},

	/*
	 * Keyed by CORE_SWD_KEY. The command-line option is "tos-fw-cert" even
	 * though the certificate is named after the SPMC.
	 */
	[SPMC_CONTENT_CERT] = {
		.id = SPMC_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "SPMC Content Certificate (output file)",
		.cn = "SPMC Content Certificate",
		.key = CORE_SWD_KEY,
		.issuer = SPMC_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3,
	},

	/* Keyed by CORE_SWD_KEY: hashes of Secure Partition packages 1-4. */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = CORE_SWD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
		},
		.num_ext = 5,
	},

	/* Keyed by PROT_KEY: carries the PROT and PLAT public keys. */
	[PLAT_KEY_CERT] = {
		.id = PLAT_KEY_CERT,
		.opt = "plat-key-cert",
		.help_msg = "Platform Key Certificate (output file)",
		.cn = "Platform Key Certificate",
		.key = PROT_KEY,
		.issuer = PLAT_KEY_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			PROT_PK_EXT,
			PLAT_PK_EXT,
		},
		.num_ext = 3,
	},

	/* Keyed by PLAT_KEY: hashes of Secure Partition packages 5-8. */
	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.opt = "plat-sp-cert",
		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
		.cn = "Platform owned Secure Partition Content Certificate",
		.key = PLAT_KEY,
		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
		},
		.num_ext = 5,
	},

	/* Keyed by PLAT_KEY: non-trusted bootloader and config hashes. */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = PLAT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3,
	},
};

REGISTER_COT(cot_certs);
138
139
/*
 * Certificate extensions referenced from the .ext lists in cot_certs.
 *
 * Three kinds appear, selected by .type:
 *   EXT_TYPE_NVCOUNTER - ASN.1 INTEGER, counter chosen by .attr.nvctr_type.
 *   EXT_TYPE_HASH      - ASN.1 OCTET STRING; .opt names the image or config
 *                        file on the command line.
 *   EXT_TYPE_PKEY      - ASN.1 OCTET STRING; no .opt or .help_msg is given,
 *                        the value presumably comes from the key named in
 *                        .attr.key (confirm against ext.h).
 *
 * Entries with .optional = 1 are the config-file hashes and the Secure
 * Partition package hashes; the five firmware image hashes (tb-fw, soc-fw,
 * rmm-fw, tos-fw, nt-fw) are not marked optional.
 * NOTE(review): what is emitted for an optional extension whose file is not
 * supplied is decided outside this file - confirm that an omitted hash cannot
 * be read by the verifier as "nothing to check".
 *
 * NOTE(review): several long names hard-code "(SHA256)". If the tool can be
 * run with a different digest the name would no longer describe the value -
 * confirm.
 */
static ext_t cot_ext[] = {
	/* Counter carried by the ROT/SWD-keyed certificates. */
	[TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = TRUSTED_FW_NVCOUNTER_OID,
		.opt = "tfw-nvctr",
		.help_msg = "Trusted Firmware Non-Volatile counter value",
		.sn = "TrustedWorldNVCounter",
		.ln = "Trusted World Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_TFW,
	},

	/* Hashes listed by CCA_CONTENT_CERT (boot firmware and configs). */
	[TRUSTED_BOOT_FW_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_HASH_OID,
		.opt = "tb-fw",
		.help_msg = "Trusted Boot Firmware image file",
		.sn = "TrustedBootFirmwareHash",
		.ln = "Trusted Boot Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
		.opt = "tb-fw-config",
		.help_msg = "Trusted Boot Firmware Config file",
		.sn = "TrustedBootFirmwareConfigHash",
		.ln = "Trusted Boot Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[HW_CONFIG_HASH_EXT] = {
		.oid = HW_CONFIG_HASH_OID,
		.opt = "hw-config",
		.help_msg = "HW Config file",
		.sn = "HWConfigHash",
		.ln = "HW Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[FW_CONFIG_HASH_EXT] = {
		.oid = FW_CONFIG_HASH_OID,
		.opt = "fw-config",
		.help_msg = "Firmware Config file",
		.sn = "FirmwareConfigHash",
		.ln = "Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Public keys listed by CORE_SWD_KEY_CERT. */
	[SWD_ROT_PK_EXT] = {
		.oid = SWD_ROT_PK_OID,
		.sn = "SWDRoTKey",
		.ln = "Secure World Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SWD_ROT_KEY,
	},

	[CORE_SWD_PK_EXT] = {
		.oid = CORE_SWD_PK_OID,
		.sn = "CORESWDKey",
		.ln = "Core Secure World Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = CORE_SWD_KEY,
	},

	/* Remaining hashes listed by CCA_CONTENT_CERT (SoC firmware, RMM). */
	[SOC_AP_FW_HASH_EXT] = {
		.oid = SOC_AP_FW_HASH_OID,
		.opt = "soc-fw",
		.help_msg = "SoC AP Firmware image file",
		.sn = "SoCAPFirmwareHash",
		.ln = "SoC AP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[SOC_FW_CONFIG_HASH_EXT] = {
		.oid = SOC_FW_CONFIG_HASH_OID,
		.opt = "soc-fw-config",
		.help_msg = "SoC Firmware Config file",
		.sn = "SocFirmwareConfigHash",
		.ln = "SoC Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[RMM_HASH_EXT] = {
		.oid = RMM_HASH_OID,
		.opt = "rmm-fw",
		.help_msg = "RMM Firmware image file",
		.sn = "RMMFirmwareHash",
		.ln = "RMM Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	/* Hashes listed by SPMC_CONTENT_CERT. */
	[TRUSTED_OS_FW_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_HASH_OID,
		.opt = "tos-fw",
		.help_msg = "Trusted OS image file",
		.sn = "TrustedOSHash",
		.ln = "Trusted OS hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
		.opt = "tos-fw-config",
		.help_msg = "Trusted OS Firmware Config file",
		.sn = "TrustedOSFirmwareConfigHash",
		.ln = "Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Hashes listed by SIP_SECURE_PARTITION_CONTENT_CERT (packages 1-4). */
	[SP_PKG1_HASH_EXT] = {
		.oid = SP_PKG1_HASH_OID,
		.opt = "sp-pkg1",
		.help_msg = "Secure Partition Package1 file",
		.sn = "SPPkg1Hash",
		.ln = "SP Pkg1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG2_HASH_EXT] = {
		.oid = SP_PKG2_HASH_OID,
		.opt = "sp-pkg2",
		.help_msg = "Secure Partition Package2 file",
		.sn = "SPPkg2Hash",
		.ln = "SP Pkg2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG3_HASH_EXT] = {
		.oid = SP_PKG3_HASH_OID,
		.opt = "sp-pkg3",
		.help_msg = "Secure Partition Package3 file",
		.sn = "SPPkg3Hash",
		.ln = "SP Pkg3 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG4_HASH_EXT] = {
		.oid = SP_PKG4_HASH_OID,
		.opt = "sp-pkg4",
		.help_msg = "Secure Partition Package4 file",
		.sn = "SPPkg4Hash",
		.ln = "SP Pkg4 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Public keys listed by PLAT_KEY_CERT. */
	[PROT_PK_EXT] = {
		.oid = PROT_PK_OID,
		.sn = "PlatformRoTKey",
		.ln = "Platform Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PROT_KEY,
	},

	[PLAT_PK_EXT] = {
		.oid = PLAT_PK_OID,
		.sn = "PLATKey",
		.ln = "Platform Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PLAT_KEY,
	},

	/* Hashes listed by PLAT_SECURE_PARTITION_CONTENT_CERT (packages 5-8). */
	[SP_PKG5_HASH_EXT] = {
		.oid = SP_PKG5_HASH_OID,
		.opt = "sp-pkg5",
		.help_msg = "Secure Partition Package5 file",
		.sn = "SPPkg5Hash",
		.ln = "SP Pkg5 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG6_HASH_EXT] = {
		.oid = SP_PKG6_HASH_OID,
		.opt = "sp-pkg6",
		.help_msg = "Secure Partition Package6 file",
		.sn = "SPPkg6Hash",
		.ln = "SP Pkg6 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG7_HASH_EXT] = {
		.oid = SP_PKG7_HASH_OID,
		.opt = "sp-pkg7",
		.help_msg = "Secure Partition Package7 file",
		.sn = "SPPkg7Hash",
		.ln = "SP Pkg7 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG8_HASH_EXT] = {
		.oid = SP_PKG8_HASH_OID,
		.opt = "sp-pkg8",
		.help_msg = "Secure Partition Package8 file",
		.sn = "SPPkg8Hash",
		.ln = "SP Pkg8 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Counter carried by the PROT/PLAT-keyed certificates. */
	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
		.opt = "ntfw-nvctr",
		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
		.sn = "NormalWorldNVCounter",
		.ln = "Non-Trusted Firmware Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_NTFW,
	},

	/* Hashes listed by NON_TRUSTED_FW_CONTENT_CERT. */
	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
		.opt = "nt-fw",
		.help_msg = "Non-Trusted World Bootloader image file",
		.sn = "NonTrustedWorldBootloaderHash",
		.ln = "Non-Trusted World hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
		.opt = "nt-fw-config",
		.help_msg = "Non Trusted OS Firmware Config file",
		.sn = "NonTrustedOSFirmwareConfigHash",
		.ln = "Non-Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
};

REGISTER_EXTENSIONS(cot_ext);
400
/*
 * Keys that anchor and extend the chain of trust.
 *
 * cot_certs and cot_ext refer to these by index: ROT_KEY, SWD_ROT_KEY and
 * PROT_KEY are the three keys described as roots of trust, while CORE_SWD_KEY
 * and PLAT_KEY are the keys whose public halves are published through
 * CORE_SWD_PK_EXT and PLAT_PK_EXT.
 *
 * Only the ROT_KEY help text says "(input/output file)".
 * NOTE(review): confirm whether the other key files can also be written by
 * the tool; any private key material it produces needs the same access
 * restrictions as the root key file.
 */
static key_t cot_keys[] = {
	[ROT_KEY] = {
		.id = ROT_KEY,
		.opt = "rot-key",
		.help_msg = "Root Of Trust key (input/output file)",
		.desc = "Root Of Trust key",
	},

	[SWD_ROT_KEY] = {
		.id = SWD_ROT_KEY,
		.opt = "swd-rot-key",
		.help_msg = "Secure World Root of Trust key",
		.desc = "Secure World Root of Trust key",
	},

	[CORE_SWD_KEY] = {
		.id = CORE_SWD_KEY,
		.opt = "core-swd-key",
		.help_msg = "Core Secure World key",
		.desc = "Core Secure World key",
	},

	[PROT_KEY] = {
		.id = PROT_KEY,
		.opt = "prot-key",
		.help_msg = "Platform Root of Trust key",
		.desc = "Platform Root of Trust key",
	},

	[PLAT_KEY] = {
		.id = PLAT_KEY,
		.opt = "plat-key",
		.help_msg = "Platform key",
		.desc = "Platform key",
	},
};

REGISTER_KEYS(cot_keys);