xref: /rk3399_ARM-atf/tools/cert_create/src/cca/cot.c (revision ccbfd01d95b9b35acb3e2ca5f25379ce8fa0ed1c) 
10a6bf811Slaurenw-arm /*
2*ccbfd01dSManish V Badarkhe  * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
30a6bf811Slaurenw-arm  *
40a6bf811Slaurenw-arm  * SPDX-License-Identifier: BSD-3-Clause
50a6bf811Slaurenw-arm  */
60a6bf811Slaurenw-arm 
70a6bf811Slaurenw-arm #include "cca/cca_cot.h"
80a6bf811Slaurenw-arm 
90a6bf811Slaurenw-arm #include <cca_oid.h>
100a6bf811Slaurenw-arm 
110a6bf811Slaurenw-arm #include "cert.h"
120a6bf811Slaurenw-arm #include "ext.h"
130a6bf811Slaurenw-arm #include "key.h"
140a6bf811Slaurenw-arm 
150a6bf811Slaurenw-arm /*
160a6bf811Slaurenw-arm  * Certificates used in the chain of trust.
170a6bf811Slaurenw-arm  *
180a6bf811Slaurenw-arm  * All certificates are self-signed so the issuer certificate field points to
190a6bf811Slaurenw-arm  * itself.
200a6bf811Slaurenw-arm  */
210a6bf811Slaurenw-arm static cert_t cot_certs[] = {
220a6bf811Slaurenw-arm 	[CCA_CONTENT_CERT] = {
230a6bf811Slaurenw-arm 		.id = CCA_CONTENT_CERT,
240a6bf811Slaurenw-arm 		.opt = "cca-cert",
250a6bf811Slaurenw-arm 		.help_msg = "CCA Content Certificate (output file)",
260a6bf811Slaurenw-arm 		.cn = "CCA Content Certificate",
270a6bf811Slaurenw-arm 		.key = ROT_KEY,
280a6bf811Slaurenw-arm 		.issuer = CCA_CONTENT_CERT,
290a6bf811Slaurenw-arm 		.ext = {
3060753a63Slaurenw-arm 			CCA_FW_NVCOUNTER_EXT,
310a6bf811Slaurenw-arm 			SOC_AP_FW_HASH_EXT,
320a6bf811Slaurenw-arm 			SOC_FW_CONFIG_HASH_EXT,
330a6bf811Slaurenw-arm 			RMM_HASH_EXT,
340a6bf811Slaurenw-arm 			TRUSTED_BOOT_FW_HASH_EXT,
350a6bf811Slaurenw-arm 			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
360a6bf811Slaurenw-arm 			HW_CONFIG_HASH_EXT,
370a6bf811Slaurenw-arm 			FW_CONFIG_HASH_EXT,
380a6bf811Slaurenw-arm 		},
390a6bf811Slaurenw-arm 		.num_ext = 8
400a6bf811Slaurenw-arm 	},
410a6bf811Slaurenw-arm 
420a6bf811Slaurenw-arm 	[CORE_SWD_KEY_CERT] = {
430a6bf811Slaurenw-arm 		.id = CORE_SWD_KEY_CERT,
440a6bf811Slaurenw-arm 		.opt = "core-swd-cert",
450a6bf811Slaurenw-arm 		.help_msg = "Core Secure World Key Certificate (output file)",
460a6bf811Slaurenw-arm 		.cn = "Core Secure World Key Certificate",
470a6bf811Slaurenw-arm 		.key = SWD_ROT_KEY,
480a6bf811Slaurenw-arm 		.issuer = CORE_SWD_KEY_CERT,
490a6bf811Slaurenw-arm 		.ext = {
500a6bf811Slaurenw-arm 			TRUSTED_FW_NVCOUNTER_EXT,
510a6bf811Slaurenw-arm 			SWD_ROT_PK_EXT,
520a6bf811Slaurenw-arm 			CORE_SWD_PK_EXT,
530a6bf811Slaurenw-arm 		},
540a6bf811Slaurenw-arm 		.num_ext = 3
550a6bf811Slaurenw-arm 	},
560a6bf811Slaurenw-arm 
570a6bf811Slaurenw-arm 	[SPMC_CONTENT_CERT] = {
580a6bf811Slaurenw-arm 		.id = SPMC_CONTENT_CERT,
590a6bf811Slaurenw-arm 		.opt = "tos-fw-cert",
600a6bf811Slaurenw-arm 		.help_msg = "SPMC Content Certificate (output file)",
610a6bf811Slaurenw-arm 		.cn = "SPMC Content Certificate",
620a6bf811Slaurenw-arm 		.key = CORE_SWD_KEY,
630a6bf811Slaurenw-arm 		.issuer = SPMC_CONTENT_CERT,
640a6bf811Slaurenw-arm 		.ext = {
650a6bf811Slaurenw-arm 			TRUSTED_FW_NVCOUNTER_EXT,
660a6bf811Slaurenw-arm 			TRUSTED_OS_FW_HASH_EXT,
670a6bf811Slaurenw-arm 			TRUSTED_OS_FW_CONFIG_HASH_EXT,
680a6bf811Slaurenw-arm 		},
690a6bf811Slaurenw-arm 		.num_ext = 3
700a6bf811Slaurenw-arm 	},
710a6bf811Slaurenw-arm 
720a6bf811Slaurenw-arm 	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
730a6bf811Slaurenw-arm 		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
740a6bf811Slaurenw-arm 		.opt = "sip-sp-cert",
750a6bf811Slaurenw-arm 		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
760a6bf811Slaurenw-arm 		.cn = "SiP owned Secure Partition Content Certificate",
770a6bf811Slaurenw-arm 		.key = CORE_SWD_KEY,
780a6bf811Slaurenw-arm 		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
790a6bf811Slaurenw-arm 		.ext = {
800a6bf811Slaurenw-arm 			TRUSTED_FW_NVCOUNTER_EXT,
810a6bf811Slaurenw-arm 			SP_PKG1_HASH_EXT,
820a6bf811Slaurenw-arm 			SP_PKG2_HASH_EXT,
830a6bf811Slaurenw-arm 			SP_PKG3_HASH_EXT,
840a6bf811Slaurenw-arm 			SP_PKG4_HASH_EXT,
850a6bf811Slaurenw-arm 		},
860a6bf811Slaurenw-arm 		.num_ext = 5
870a6bf811Slaurenw-arm 	},
880a6bf811Slaurenw-arm 
890a6bf811Slaurenw-arm 	[PLAT_KEY_CERT] = {
900a6bf811Slaurenw-arm 		.id = PLAT_KEY_CERT,
910a6bf811Slaurenw-arm 		.opt = "plat-key-cert",
920a6bf811Slaurenw-arm 		.help_msg = "Platform Key Certificate (output file)",
930a6bf811Slaurenw-arm 		.cn = "Platform Key Certificate",
940a6bf811Slaurenw-arm 		.key = PROT_KEY,
950a6bf811Slaurenw-arm 		.issuer = PLAT_KEY_CERT,
960a6bf811Slaurenw-arm 		.ext = {
970a6bf811Slaurenw-arm 			NON_TRUSTED_FW_NVCOUNTER_EXT,
980a6bf811Slaurenw-arm 			PROT_PK_EXT,
990a6bf811Slaurenw-arm 			PLAT_PK_EXT,
1000a6bf811Slaurenw-arm 		},
1010a6bf811Slaurenw-arm 		.num_ext = 3
1020a6bf811Slaurenw-arm 	},
1030a6bf811Slaurenw-arm 
1040a6bf811Slaurenw-arm 	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
1050a6bf811Slaurenw-arm 		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
1060a6bf811Slaurenw-arm 		.opt = "plat-sp-cert",
1070a6bf811Slaurenw-arm 		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
1080a6bf811Slaurenw-arm 		.cn = "Platform owned Secure Partition Content Certificate",
1090a6bf811Slaurenw-arm 		.key = PLAT_KEY,
1100a6bf811Slaurenw-arm 		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
1110a6bf811Slaurenw-arm 		.ext = {
1120a6bf811Slaurenw-arm 			NON_TRUSTED_FW_NVCOUNTER_EXT,
1130a6bf811Slaurenw-arm 			SP_PKG5_HASH_EXT,
1140a6bf811Slaurenw-arm 			SP_PKG6_HASH_EXT,
1150a6bf811Slaurenw-arm 			SP_PKG7_HASH_EXT,
1160a6bf811Slaurenw-arm 			SP_PKG8_HASH_EXT,
1170a6bf811Slaurenw-arm 		},
1180a6bf811Slaurenw-arm 		.num_ext = 5
1190a6bf811Slaurenw-arm 	},
1200a6bf811Slaurenw-arm 
1210a6bf811Slaurenw-arm 	[NON_TRUSTED_FW_CONTENT_CERT] = {
1220a6bf811Slaurenw-arm 		.id = NON_TRUSTED_FW_CONTENT_CERT,
1230a6bf811Slaurenw-arm 		.opt = "nt-fw-cert",
1240a6bf811Slaurenw-arm 		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
1250a6bf811Slaurenw-arm 		.cn = "Non-Trusted Firmware Content Certificate",
1260a6bf811Slaurenw-arm 		.key = PLAT_KEY,
1270a6bf811Slaurenw-arm 		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
1280a6bf811Slaurenw-arm 		.ext = {
1290a6bf811Slaurenw-arm 			NON_TRUSTED_FW_NVCOUNTER_EXT,
1300a6bf811Slaurenw-arm 			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
1310a6bf811Slaurenw-arm 			NON_TRUSTED_FW_CONFIG_HASH_EXT,
1320a6bf811Slaurenw-arm 		},
1330a6bf811Slaurenw-arm 		.num_ext = 3
1340a6bf811Slaurenw-arm 	},
1350a6bf811Slaurenw-arm };
1360a6bf811Slaurenw-arm 
1370a6bf811Slaurenw-arm REGISTER_COT(cot_certs);
1380a6bf811Slaurenw-arm 
1390a6bf811Slaurenw-arm 
1400a6bf811Slaurenw-arm /* Certificate extensions. */
1410a6bf811Slaurenw-arm static ext_t cot_ext[] = {
14260753a63Slaurenw-arm 	[CCA_FW_NVCOUNTER_EXT] = {
14360753a63Slaurenw-arm 		.oid = CCA_FW_NVCOUNTER_OID,
14460753a63Slaurenw-arm 		.opt = "ccafw-nvctr",
14560753a63Slaurenw-arm 		.help_msg = "CCA Firmware Non-Volatile counter value",
14660753a63Slaurenw-arm 		.sn = "CCANVCounter",
14760753a63Slaurenw-arm 		.ln = "CCA Non-Volatile counter",
14860753a63Slaurenw-arm 		.asn1_type = V_ASN1_INTEGER,
14960753a63Slaurenw-arm 		.type = EXT_TYPE_NVCOUNTER,
15060753a63Slaurenw-arm 		.attr.nvctr_type = NVCTR_TYPE_CCAFW
15160753a63Slaurenw-arm 	},
15260753a63Slaurenw-arm 
1530a6bf811Slaurenw-arm 	[TRUSTED_FW_NVCOUNTER_EXT] = {
1540a6bf811Slaurenw-arm 		.oid = TRUSTED_FW_NVCOUNTER_OID,
1550a6bf811Slaurenw-arm 		.opt = "tfw-nvctr",
1560a6bf811Slaurenw-arm 		.help_msg = "Trusted Firmware Non-Volatile counter value",
1570a6bf811Slaurenw-arm 		.sn = "TrustedWorldNVCounter",
1580a6bf811Slaurenw-arm 		.ln = "Trusted World Non-Volatile counter",
1590a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_INTEGER,
1600a6bf811Slaurenw-arm 		.type = EXT_TYPE_NVCOUNTER,
1610a6bf811Slaurenw-arm 		.attr.nvctr_type = NVCTR_TYPE_TFW
1620a6bf811Slaurenw-arm 	},
1630a6bf811Slaurenw-arm 
1640a6bf811Slaurenw-arm 	[TRUSTED_BOOT_FW_HASH_EXT] = {
1650a6bf811Slaurenw-arm 		.oid = TRUSTED_BOOT_FW_HASH_OID,
1660a6bf811Slaurenw-arm 		.opt = "tb-fw",
1670a6bf811Slaurenw-arm 		.help_msg = "Trusted Boot Firmware image file",
1680a6bf811Slaurenw-arm 		.sn = "TrustedBootFirmwareHash",
1690a6bf811Slaurenw-arm 		.ln = "Trusted Boot Firmware hash (SHA256)",
1700a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
1710a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH
1720a6bf811Slaurenw-arm 	},
1730a6bf811Slaurenw-arm 
1740a6bf811Slaurenw-arm 	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
1750a6bf811Slaurenw-arm 		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
1760a6bf811Slaurenw-arm 		.opt = "tb-fw-config",
1770a6bf811Slaurenw-arm 		.help_msg = "Trusted Boot Firmware Config file",
1780a6bf811Slaurenw-arm 		.sn = "TrustedBootFirmwareConfigHash",
1790a6bf811Slaurenw-arm 		.ln = "Trusted Boot Firmware Config hash",
1800a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
1810a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
1820a6bf811Slaurenw-arm 		.optional = 1
1830a6bf811Slaurenw-arm 	},
1840a6bf811Slaurenw-arm 
1850a6bf811Slaurenw-arm 	[HW_CONFIG_HASH_EXT] = {
1860a6bf811Slaurenw-arm 		.oid = HW_CONFIG_HASH_OID,
1870a6bf811Slaurenw-arm 		.opt = "hw-config",
1880a6bf811Slaurenw-arm 		.help_msg = "HW Config file",
1890a6bf811Slaurenw-arm 		.sn = "HWConfigHash",
1900a6bf811Slaurenw-arm 		.ln = "HW Config hash",
1910a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
1920a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
1930a6bf811Slaurenw-arm 		.optional = 1
1940a6bf811Slaurenw-arm 	},
1950a6bf811Slaurenw-arm 
1960a6bf811Slaurenw-arm 	[FW_CONFIG_HASH_EXT] = {
1970a6bf811Slaurenw-arm 		.oid = FW_CONFIG_HASH_OID,
1980a6bf811Slaurenw-arm 		.opt = "fw-config",
1990a6bf811Slaurenw-arm 		.help_msg = "Firmware Config file",
2000a6bf811Slaurenw-arm 		.sn = "FirmwareConfigHash",
2010a6bf811Slaurenw-arm 		.ln = "Firmware Config hash",
2020a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2030a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
2040a6bf811Slaurenw-arm 		.optional = 1
2050a6bf811Slaurenw-arm 	},
2060a6bf811Slaurenw-arm 
2070a6bf811Slaurenw-arm 	[SWD_ROT_PK_EXT] = {
2080a6bf811Slaurenw-arm 		.oid = SWD_ROT_PK_OID,
2090a6bf811Slaurenw-arm 		.sn = "SWDRoTKey",
2100a6bf811Slaurenw-arm 		.ln = "Secure World Root of Trust Public Key",
2110a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2120a6bf811Slaurenw-arm 		.type = EXT_TYPE_PKEY,
2130a6bf811Slaurenw-arm 		.attr.key = SWD_ROT_KEY
2140a6bf811Slaurenw-arm 	},
2150a6bf811Slaurenw-arm 
2160a6bf811Slaurenw-arm 	[CORE_SWD_PK_EXT] = {
2170a6bf811Slaurenw-arm 		.oid = CORE_SWD_PK_OID,
2180a6bf811Slaurenw-arm 		.sn = "CORESWDKey",
2190a6bf811Slaurenw-arm 		.ln = "Core Secure World Public Key",
2200a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2210a6bf811Slaurenw-arm 		.type = EXT_TYPE_PKEY,
2220a6bf811Slaurenw-arm 		.attr.key = CORE_SWD_KEY
2230a6bf811Slaurenw-arm 	},
2240a6bf811Slaurenw-arm 
2250a6bf811Slaurenw-arm 	[SOC_AP_FW_HASH_EXT] = {
2260a6bf811Slaurenw-arm 		.oid = SOC_AP_FW_HASH_OID,
2270a6bf811Slaurenw-arm 		.opt = "soc-fw",
2280a6bf811Slaurenw-arm 		.help_msg = "SoC AP Firmware image file",
2290a6bf811Slaurenw-arm 		.sn = "SoCAPFirmwareHash",
2300a6bf811Slaurenw-arm 		.ln = "SoC AP Firmware hash (SHA256)",
2310a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2320a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH
2330a6bf811Slaurenw-arm 	},
2340a6bf811Slaurenw-arm 
2350a6bf811Slaurenw-arm 	[SOC_FW_CONFIG_HASH_EXT] = {
2360a6bf811Slaurenw-arm 		.oid = SOC_FW_CONFIG_HASH_OID,
2370a6bf811Slaurenw-arm 		.opt = "soc-fw-config",
2380a6bf811Slaurenw-arm 		.help_msg = "SoC Firmware Config file",
2390a6bf811Slaurenw-arm 		.sn = "SocFirmwareConfigHash",
2400a6bf811Slaurenw-arm 		.ln = "SoC Firmware Config hash",
2410a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2420a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
2430a6bf811Slaurenw-arm 		.optional = 1
2440a6bf811Slaurenw-arm 	},
2450a6bf811Slaurenw-arm 
2460a6bf811Slaurenw-arm 	[RMM_HASH_EXT] = {
2470a6bf811Slaurenw-arm 		.oid = RMM_HASH_OID,
2480a6bf811Slaurenw-arm 		.opt = "rmm-fw",
2490a6bf811Slaurenw-arm 		.help_msg = "RMM Firmware image file",
2500a6bf811Slaurenw-arm 		.sn = "RMMFirmwareHash",
2510a6bf811Slaurenw-arm 		.ln = "RMM Firmware hash (SHA256)",
2520a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2530a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH
2540a6bf811Slaurenw-arm 	},
2550a6bf811Slaurenw-arm 
2560a6bf811Slaurenw-arm 	[TRUSTED_OS_FW_HASH_EXT] = {
2570a6bf811Slaurenw-arm 		.oid = TRUSTED_OS_FW_HASH_OID,
2580a6bf811Slaurenw-arm 		.opt = "tos-fw",
2590a6bf811Slaurenw-arm 		.help_msg = "Trusted OS image file",
2600a6bf811Slaurenw-arm 		.sn = "TrustedOSHash",
2610a6bf811Slaurenw-arm 		.ln = "Trusted OS hash (SHA256)",
2620a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2630a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH
2640a6bf811Slaurenw-arm 	},
2650a6bf811Slaurenw-arm 
2660a6bf811Slaurenw-arm 	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
2670a6bf811Slaurenw-arm 		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
2680a6bf811Slaurenw-arm 		.opt = "tos-fw-config",
2690a6bf811Slaurenw-arm 		.help_msg = "Trusted OS Firmware Config file",
2700a6bf811Slaurenw-arm 		.sn = "TrustedOSFirmwareConfigHash",
2710a6bf811Slaurenw-arm 		.ln = "Trusted OS Firmware Config hash",
2720a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2730a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
2740a6bf811Slaurenw-arm 		.optional = 1
2750a6bf811Slaurenw-arm 	},
2760a6bf811Slaurenw-arm 
2770a6bf811Slaurenw-arm 	[SP_PKG1_HASH_EXT] = {
2780a6bf811Slaurenw-arm 		.oid = SP_PKG1_HASH_OID,
2790a6bf811Slaurenw-arm 		.opt = "sp-pkg1",
2800a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package1 file",
2810a6bf811Slaurenw-arm 		.sn = "SPPkg1Hash",
2820a6bf811Slaurenw-arm 		.ln = "SP Pkg1 hash (SHA256)",
2830a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2840a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
2850a6bf811Slaurenw-arm 		.optional = 1
2860a6bf811Slaurenw-arm 	},
2870a6bf811Slaurenw-arm 	[SP_PKG2_HASH_EXT] = {
2880a6bf811Slaurenw-arm 		.oid = SP_PKG2_HASH_OID,
2890a6bf811Slaurenw-arm 		.opt = "sp-pkg2",
2900a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package2 file",
2910a6bf811Slaurenw-arm 		.sn = "SPPkg2Hash",
2920a6bf811Slaurenw-arm 		.ln = "SP Pkg2 hash (SHA256)",
2930a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
2940a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
2950a6bf811Slaurenw-arm 		.optional = 1
2960a6bf811Slaurenw-arm 	},
2970a6bf811Slaurenw-arm 	[SP_PKG3_HASH_EXT] = {
2980a6bf811Slaurenw-arm 		.oid = SP_PKG3_HASH_OID,
2990a6bf811Slaurenw-arm 		.opt = "sp-pkg3",
3000a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package3 file",
3010a6bf811Slaurenw-arm 		.sn = "SPPkg3Hash",
3020a6bf811Slaurenw-arm 		.ln = "SP Pkg3 hash (SHA256)",
3030a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3040a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
3050a6bf811Slaurenw-arm 		.optional = 1
3060a6bf811Slaurenw-arm 	},
3070a6bf811Slaurenw-arm 	[SP_PKG4_HASH_EXT] = {
3080a6bf811Slaurenw-arm 		.oid = SP_PKG4_HASH_OID,
3090a6bf811Slaurenw-arm 		.opt = "sp-pkg4",
3100a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package4 file",
3110a6bf811Slaurenw-arm 		.sn = "SPPkg4Hash",
3120a6bf811Slaurenw-arm 		.ln = "SP Pkg4 hash (SHA256)",
3130a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3140a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
3150a6bf811Slaurenw-arm 		.optional = 1
3160a6bf811Slaurenw-arm 	},
3170a6bf811Slaurenw-arm 
3180a6bf811Slaurenw-arm 	[PROT_PK_EXT] = {
3190a6bf811Slaurenw-arm 		.oid = PROT_PK_OID,
3200a6bf811Slaurenw-arm 		.sn = "PlatformRoTKey",
3210a6bf811Slaurenw-arm 		.ln = "Platform Root of Trust Public Key",
3220a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3230a6bf811Slaurenw-arm 		.type = EXT_TYPE_PKEY,
3240a6bf811Slaurenw-arm 		.attr.key = PROT_KEY
3250a6bf811Slaurenw-arm 	},
3260a6bf811Slaurenw-arm 
3270a6bf811Slaurenw-arm 	[PLAT_PK_EXT] = {
3280a6bf811Slaurenw-arm 		.oid = PLAT_PK_OID,
3290a6bf811Slaurenw-arm 		.sn = "PLATKey",
3300a6bf811Slaurenw-arm 		.ln = "Platform Public Key",
3310a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3320a6bf811Slaurenw-arm 		.type = EXT_TYPE_PKEY,
3330a6bf811Slaurenw-arm 		.attr.key = PLAT_KEY
3340a6bf811Slaurenw-arm 	},
3350a6bf811Slaurenw-arm 
3360a6bf811Slaurenw-arm 	[SP_PKG5_HASH_EXT] = {
3370a6bf811Slaurenw-arm 		.oid = SP_PKG5_HASH_OID,
3380a6bf811Slaurenw-arm 		.opt = "sp-pkg5",
3390a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package5 file",
3400a6bf811Slaurenw-arm 		.sn = "SPPkg5Hash",
3410a6bf811Slaurenw-arm 		.ln = "SP Pkg5 hash (SHA256)",
3420a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3430a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
3440a6bf811Slaurenw-arm 		.optional = 1
3450a6bf811Slaurenw-arm 	},
3460a6bf811Slaurenw-arm 	[SP_PKG6_HASH_EXT] = {
3470a6bf811Slaurenw-arm 		.oid = SP_PKG6_HASH_OID,
3480a6bf811Slaurenw-arm 		.opt = "sp-pkg6",
3490a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package6 file",
3500a6bf811Slaurenw-arm 		.sn = "SPPkg6Hash",
3510a6bf811Slaurenw-arm 		.ln = "SP Pkg6 hash (SHA256)",
3520a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3530a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
3540a6bf811Slaurenw-arm 		.optional = 1
3550a6bf811Slaurenw-arm 	},
3560a6bf811Slaurenw-arm 	[SP_PKG7_HASH_EXT] = {
3570a6bf811Slaurenw-arm 		.oid = SP_PKG7_HASH_OID,
3580a6bf811Slaurenw-arm 		.opt = "sp-pkg7",
3590a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package7 file",
3600a6bf811Slaurenw-arm 		.sn = "SPPkg7Hash",
3610a6bf811Slaurenw-arm 		.ln = "SP Pkg7 hash (SHA256)",
3620a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3630a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
3640a6bf811Slaurenw-arm 		.optional = 1
3650a6bf811Slaurenw-arm 	},
3660a6bf811Slaurenw-arm 	[SP_PKG8_HASH_EXT] = {
3670a6bf811Slaurenw-arm 		.oid = SP_PKG8_HASH_OID,
3680a6bf811Slaurenw-arm 		.opt = "sp-pkg8",
3690a6bf811Slaurenw-arm 		.help_msg = "Secure Partition Package8 file",
3700a6bf811Slaurenw-arm 		.sn = "SPPkg8Hash",
3710a6bf811Slaurenw-arm 		.ln = "SP Pkg8 hash (SHA256)",
3720a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3730a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
3740a6bf811Slaurenw-arm 		.optional = 1
3750a6bf811Slaurenw-arm 	},
3760a6bf811Slaurenw-arm 
3770a6bf811Slaurenw-arm 	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
3780a6bf811Slaurenw-arm 		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
3790a6bf811Slaurenw-arm 		.opt = "ntfw-nvctr",
3800a6bf811Slaurenw-arm 		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
3810a6bf811Slaurenw-arm 		.sn = "NormalWorldNVCounter",
3820a6bf811Slaurenw-arm 		.ln = "Non-Trusted Firmware Non-Volatile counter",
3830a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_INTEGER,
3840a6bf811Slaurenw-arm 		.type = EXT_TYPE_NVCOUNTER,
3850a6bf811Slaurenw-arm 		.attr.nvctr_type = NVCTR_TYPE_NTFW
3860a6bf811Slaurenw-arm 	},
3870a6bf811Slaurenw-arm 
3880a6bf811Slaurenw-arm 	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
3890a6bf811Slaurenw-arm 		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
3900a6bf811Slaurenw-arm 		.opt = "nt-fw",
3910a6bf811Slaurenw-arm 		.help_msg = "Non-Trusted World Bootloader image file",
3920a6bf811Slaurenw-arm 		.sn = "NonTrustedWorldBootloaderHash",
3930a6bf811Slaurenw-arm 		.ln = "Non-Trusted World hash (SHA256)",
3940a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
3950a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH
3960a6bf811Slaurenw-arm 	},
3970a6bf811Slaurenw-arm 
3980a6bf811Slaurenw-arm 	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
3990a6bf811Slaurenw-arm 		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
4000a6bf811Slaurenw-arm 		.opt = "nt-fw-config",
4010a6bf811Slaurenw-arm 		.help_msg = "Non Trusted OS Firmware Config file",
4020a6bf811Slaurenw-arm 		.sn = "NonTrustedOSFirmwareConfigHash",
4030a6bf811Slaurenw-arm 		.ln = "Non-Trusted OS Firmware Config hash",
4040a6bf811Slaurenw-arm 		.asn1_type = V_ASN1_OCTET_STRING,
4050a6bf811Slaurenw-arm 		.type = EXT_TYPE_HASH,
4060a6bf811Slaurenw-arm 		.optional = 1
4070a6bf811Slaurenw-arm 	},
4080a6bf811Slaurenw-arm };
4090a6bf811Slaurenw-arm 
4100a6bf811Slaurenw-arm REGISTER_EXTENSIONS(cot_ext);
4110a6bf811Slaurenw-arm 
4120a6bf811Slaurenw-arm /* Keys used to establish the chain of trust. */
413*ccbfd01dSManish V Badarkhe static cert_key_t cot_keys[] = {
4140a6bf811Slaurenw-arm 	[ROT_KEY] = {
4150a6bf811Slaurenw-arm 		.id = ROT_KEY,
4160a6bf811Slaurenw-arm 		.opt = "rot-key",
417616b3ce2SRobin van der Gracht 		.help_msg = "Root Of Trust key file or PKCS11 URI",
4180a6bf811Slaurenw-arm 		.desc = "Root Of Trust key"
4190a6bf811Slaurenw-arm 	},
4200a6bf811Slaurenw-arm 
4210a6bf811Slaurenw-arm 	[SWD_ROT_KEY] = {
4220a6bf811Slaurenw-arm 		.id = SWD_ROT_KEY,
4230a6bf811Slaurenw-arm 		.opt = "swd-rot-key",
424616b3ce2SRobin van der Gracht 		.help_msg = "Secure World Root of Trust key file or PKCS11 URI",
4250a6bf811Slaurenw-arm 		.desc = "Secure World Root of Trust key"
4260a6bf811Slaurenw-arm 	},
4270a6bf811Slaurenw-arm 
4280a6bf811Slaurenw-arm 	[CORE_SWD_KEY] = {
4290a6bf811Slaurenw-arm 		.id = CORE_SWD_KEY,
4300a6bf811Slaurenw-arm 		.opt = "core-swd-key",
431616b3ce2SRobin van der Gracht 		.help_msg = "Core Secure World key file or PKCS11 URI",
4320a6bf811Slaurenw-arm 		.desc = "Core Secure World key"
4330a6bf811Slaurenw-arm 	},
4340a6bf811Slaurenw-arm 
4350a6bf811Slaurenw-arm 	[PROT_KEY] = {
4360a6bf811Slaurenw-arm 		.id = PROT_KEY,
4370a6bf811Slaurenw-arm 		.opt = "prot-key",
438616b3ce2SRobin van der Gracht 		.help_msg = "Platform Root of Trust key file or PKCS11 URI",
4390a6bf811Slaurenw-arm 		.desc = "Platform Root of Trust key"
4400a6bf811Slaurenw-arm 	},
4410a6bf811Slaurenw-arm 
4420a6bf811Slaurenw-arm 	[PLAT_KEY] = {
4430a6bf811Slaurenw-arm 		.id = PLAT_KEY,
4440a6bf811Slaurenw-arm 		.opt = "plat-key",
445616b3ce2SRobin van der Gracht 		.help_msg = "Platform key file or PKCS11 URI",
4460a6bf811Slaurenw-arm 		.desc = "Platform key"
4470a6bf811Slaurenw-arm 	},
4480a6bf811Slaurenw-arm };
4490a6bf811Slaurenw-arm 
4500a6bf811Slaurenw-arm REGISTER_KEYS(cot_keys);
451