Merge pull request #484 from jcastillo-arm/jc/tf-issues/337

cert_create: update help message

cert_create: update help message

The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.

This p

cert_create: update help message

The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.

This patch reworks the print_help() function to print the help
messages in a data driven approach. For each command line option
registered, an optional help message can be specified, which will
be printed by print_help().

Help messages for the TBBR options (certificates, keys and images)
are also provided.

Fix a small bug in the short options string passed to getopt_long:
the ':' was missing in the '-a' option (this option must take an
argument).

Fixes ARM-software/tf-issues#337

Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452

show more ...

Merge pull request #467 from jcastillo-arm/jc/tbb_oid

Apply new image terminology

Replace all SCP FW (BL0, BL3-0) references

This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-

Replace all SCP FW (BL0, BL3-0) references

This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):

BL0 --> SCP_BL1
BL30, BL3-0 --> SCP_BL2
bl30 --> scp_bl2

This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.

IMPORTANT: build option to specify the SCP FW image has changed:

BL30 --> SCP_BL2

IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:

BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
BL30_BASE --> SCP_BL2_BASE
bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()

Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58

show more ...

TBB: apply TBBR naming convention to certificates and extensions

This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

* Certifi

TBB: apply TBBR naming convention to certificates and extensions

This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

* Certificate UUID names
* Certificate identifier names
* OID names

Changes apply to:

* Generic code (variables and defines)
* The default certificate identifiers provided in the generic
code
* Build system
* ARM platforms port
* cert_create tool internal definitions
* fip_create and cert_create tools command line options
* Documentation

IMPORTANT: this change breaks the compatibility with platforms
that use TBBR. The platform will need to adapt the identifiers
and OIDs to the TBBR naming convention introduced by this patch:

Certificate UUIDs:

UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT

Certificate identifiers:

BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID

OIDs:

TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
BL30_HASH_OID --> SCP_FW_HASH_OID
BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
BL31_HASH_OID --> SOC_AP_FW_HASH_OID
BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
NS_BL2U_HASH_OID --> FWU_HASH_OID

Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079

show more ...

Merge pull request #453 from yatharth-arm/yk/fwu-6

Firmware Update patch stack

FWU: Add FWU support to `cert_create` tool

Firmware Update requires an X509v3 certificate which contains
hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.

This patch extends the Chain of

FWU: Add FWU support to `cert_create` tool

Firmware Update requires an X509v3 certificate which contains
hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.

This patch extends the Chain of Trust definition in the
'cert_create' tool to include the Firmware Update certificate
and the required extensions (including command line options).
A new field in the extension structure will be used to indicate
that the extension is optional. In the case of an image hash
extension, this field will tell the tool that the hash should
be included in the certificate, but filled with zeros.

Change-Id: I1f77a66b018826b71745910771f38d9cf6050388

show more ...

Merge pull request #413 from jcastillo-arm/jc/tbb_cert_opt

Certificate create tool flexibility improvements

cert_create: specify command line options in the CoT

This patch introduces a new API that allows to specify command
line options in the Chain of Trust description. These command line
options may be

cert_create: specify command line options in the CoT

This patch introduces a new API that allows to specify command
line options in the Chain of Trust description. These command line
options may be used to specify parameters related to the CoT (i.e.
keys or certificates), instead of keeping a hardcoded list of
options in main.c.

Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44

show more ...

cert_create: improve command line argument check

The certificate generation tool currently checks if all command
line options required to create all certificates in the CoT have
been specified. This

cert_create: improve command line argument check

The certificate generation tool currently checks if all command
line options required to create all certificates in the CoT have
been specified. This prevents using the tool to create individual
certificates when the whole CoT is not required.

This patch improves the checking function so only those options
required by the certificates specified in the command line are
verified.

Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385

show more ...

Merge pull request #349 from jcastillo-arm/jc/tbb_cert_opt

TBB: rework cert_create tool to follow a data driven approach

TBB: rework cert_create tool to follow a data driven approach

This patch reworks the certificate generation tool to follow a data
driven approach. The user may specify at build time the certificates

TBB: rework cert_create tool to follow a data driven approach

This patch reworks the certificate generation tool to follow a data
driven approach. The user may specify at build time the certificates,
keys and extensions defined in the CoT, register them using the
appropiate macros and the tool will take care of creating the
certificates corresponding to the CoT specified.

Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f

show more ...

Merge pull request #326 from jcastillo-arm/jc/tbb_ecdsa

TBB: build 'cert_create' with ECDSA only if OpenSSL supports it

TBB: build 'cert_create' with ECDSA only if OpenSSL supports it

Some Linux distributions include an OpenSSL library which has been
built without ECDSA support. Trying to build the certificate
genera

TBB: build 'cert_create' with ECDSA only if OpenSSL supports it

Some Linux distributions include an OpenSSL library which has been
built without ECDSA support. Trying to build the certificate
generation tool on those distributions will result in a build error.

This patch fixes that issue by including ECDSA support only if
OpenSSL has been built with ECDSA. In that case, the OpenSSL
configuration file does not define the OPENSSL_NO_EC macro. The tool
will build successfully, although the resulting binary will not
support ECDSA keys.

Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902

show more ...

Merge pull request #315 from jcastillo-arm/jc/tbb_tmp9

Authentication Framework

TBB: add ECDSA support to the certificate generation tool

This patch extends the 'cert_create' tool to support ECDSA keys
to sign the certificates. The '--key-alg' command line option
can be used to

TBB: add ECDSA support to the certificate generation tool

This patch extends the 'cert_create' tool to support ECDSA keys
to sign the certificates. The '--key-alg' command line option
can be used to specify the key algorithm when invoking the tool.
Available options are:

* 'rsa': create RSA-2048 keys (default option)
* 'ecdsa': create ECDSA-SECP256R1 keys

The TF Makefile has been updated to allow the platform to specify
the key algorithm by declaring the 'KEY_ALG' variable in the
platform makefile.

The behaviour regarding key management has changed. After applying
this patch, the tool will try first to open the keys from disk. If
one key does not exist or no key is specified, and the command line
option to create keys has been specified, new keys will be created.
Otherwise an error will be generated and the tool will exit. This
way, the user may specify certain keys while the tool will create
the remaining ones. This feature is useful for testing purposes
and CI infrastructures.

The OpenSSL directory may be specified using the build option
'OPENSSL_DIR' when building the certificate generation tool.
Default is '/usr'.

Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7

show more ...

TBB: use ASN.1 type DigestInfo to represent hashes

The cert_create tool calculates the hash of each BL image and includes
it as an ASN.1 OCTET STRING in the corresponding certificate extension.
With

TBB: use ASN.1 type DigestInfo to represent hashes

The cert_create tool calculates the hash of each BL image and includes
it as an ASN.1 OCTET STRING in the corresponding certificate extension.
Without additional information, the firmware running on the platform
has to know in advance the algorithm used to generate the hash.

This patch modifies the cert_create tool so the certificate extensions
that include an image hash are generated according to the following
ASN.1 structure:

DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}

AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}

The PolarSSL module has been updated to extract the image hash
from the certificate extension according to this structure.

Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85

show more ...

Merge pull request #249 from danh-arm/jc/tbb_prototype

Trusted Board Boot Prototype

TBB: add tool to generate certificates

This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.

The tool reads the binary images an

TBB: add tool to generate certificates

This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.

The tool reads the binary images and signing keys and outputs the
corresponding certificates that will be used by the target at run
time to verify the authenticity of the images.

Note: the platform port must provide the file platform_oid.h. This
file will define the OIDs of the x509 extensions that will be added
to the certificates in order to establish the CoT.

Change-Id: I2734d6808b964a2107ab3a4805110698066a04be

show more ...