1a9d5c273SSandrine Bailleux /* 2*ccbfd01dSManish V Badarkhe * Copyright (c) 2020-2024, Arm Limited. All rights reserved. 3a9d5c273SSandrine Bailleux * 4a9d5c273SSandrine Bailleux * SPDX-License-Identifier: BSD-3-Clause 5a9d5c273SSandrine Bailleux */ 6a9d5c273SSandrine Bailleux 7a9d5c273SSandrine Bailleux #include <dualroot_oid.h> 8a9d5c273SSandrine Bailleux 9a9d5c273SSandrine Bailleux #include "cert.h" 10a9d5c273SSandrine Bailleux #include "ext.h" 11a9d5c273SSandrine Bailleux #include "key.h" 12a9d5c273SSandrine Bailleux 13a9d5c273SSandrine Bailleux #include "dualroot/cot.h" 14a9d5c273SSandrine Bailleux 15a9d5c273SSandrine Bailleux /* 16a9d5c273SSandrine Bailleux * Certificates used in the chain of trust. 17a9d5c273SSandrine Bailleux * 18a9d5c273SSandrine Bailleux * All certificates are self-signed so the issuer certificate field points to 19a9d5c273SSandrine Bailleux * itself. 20a9d5c273SSandrine Bailleux */ 21a9d5c273SSandrine Bailleux static cert_t cot_certs[] = { 22a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_CERT] = { 23a9d5c273SSandrine Bailleux .id = TRUSTED_BOOT_FW_CERT, 24a9d5c273SSandrine Bailleux .opt = "tb-fw-cert", 25a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot FW Certificate (output file)", 26a9d5c273SSandrine Bailleux .cn = "Trusted Boot FW Certificate", 27a9d5c273SSandrine Bailleux .key = ROT_KEY, 28a9d5c273SSandrine Bailleux .issuer = TRUSTED_BOOT_FW_CERT, 29a9d5c273SSandrine Bailleux .ext = { 30a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 31a9d5c273SSandrine Bailleux TRUSTED_BOOT_FW_HASH_EXT, 32a9d5c273SSandrine Bailleux TRUSTED_BOOT_FW_CONFIG_HASH_EXT, 339b3ca9b1SManish V Badarkhe HW_CONFIG_HASH_EXT, 349b3ca9b1SManish V Badarkhe FW_CONFIG_HASH_EXT 35a9d5c273SSandrine Bailleux }, 369b3ca9b1SManish V Badarkhe .num_ext = 5 37a9d5c273SSandrine Bailleux }, 38a9d5c273SSandrine Bailleux 39a9d5c273SSandrine Bailleux [TRUSTED_KEY_CERT] = { 40a9d5c273SSandrine Bailleux .id = TRUSTED_KEY_CERT, 41a9d5c273SSandrine Bailleux .opt = "trusted-key-cert", 42a9d5c273SSandrine Bailleux .help_msg = "Trusted Key Certificate (output file)", 43a9d5c273SSandrine Bailleux .cn = "Trusted Key Certificate", 44a9d5c273SSandrine Bailleux .key = ROT_KEY, 45a9d5c273SSandrine Bailleux .issuer = TRUSTED_KEY_CERT, 46a9d5c273SSandrine Bailleux .ext = { 47a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 48a9d5c273SSandrine Bailleux TRUSTED_WORLD_PK_EXT, 49a9d5c273SSandrine Bailleux }, 50a9d5c273SSandrine Bailleux .num_ext = 2 51a9d5c273SSandrine Bailleux }, 52a9d5c273SSandrine Bailleux 53a9d5c273SSandrine Bailleux [SCP_FW_KEY_CERT] = { 54a9d5c273SSandrine Bailleux .id = SCP_FW_KEY_CERT, 55a9d5c273SSandrine Bailleux .opt = "scp-fw-key-cert", 56a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Key Certificate (output file)", 57a9d5c273SSandrine Bailleux .cn = "SCP Firmware Key Certificate", 58a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 59a9d5c273SSandrine Bailleux .issuer = SCP_FW_KEY_CERT, 60a9d5c273SSandrine Bailleux .ext = { 61a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 62a9d5c273SSandrine Bailleux SCP_FW_CONTENT_CERT_PK_EXT 63a9d5c273SSandrine Bailleux }, 64a9d5c273SSandrine Bailleux .num_ext = 2 65a9d5c273SSandrine Bailleux }, 66a9d5c273SSandrine Bailleux 67a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT] = { 68a9d5c273SSandrine Bailleux .id = SCP_FW_CONTENT_CERT, 69a9d5c273SSandrine Bailleux .opt = "scp-fw-cert", 70a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Content Certificate (output file)", 71a9d5c273SSandrine Bailleux .cn = "SCP Firmware Content Certificate", 72a9d5c273SSandrine Bailleux .key = SCP_FW_CONTENT_CERT_KEY, 73a9d5c273SSandrine Bailleux .issuer = SCP_FW_CONTENT_CERT, 74a9d5c273SSandrine Bailleux .ext = { 75a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 76a9d5c273SSandrine Bailleux SCP_FW_HASH_EXT 77a9d5c273SSandrine Bailleux }, 78a9d5c273SSandrine Bailleux .num_ext = 2 79a9d5c273SSandrine Bailleux }, 80a9d5c273SSandrine Bailleux 81a9d5c273SSandrine Bailleux [SOC_FW_KEY_CERT] = { 82a9d5c273SSandrine Bailleux .id = SOC_FW_KEY_CERT, 83a9d5c273SSandrine Bailleux .opt = "soc-fw-key-cert", 84a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Key Certificate (output file)", 85a9d5c273SSandrine Bailleux .cn = "SoC Firmware Key Certificate", 86a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 87a9d5c273SSandrine Bailleux .issuer = SOC_FW_KEY_CERT, 88a9d5c273SSandrine Bailleux .ext = { 89a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 90a9d5c273SSandrine Bailleux SOC_FW_CONTENT_CERT_PK_EXT 91a9d5c273SSandrine Bailleux }, 92a9d5c273SSandrine Bailleux .num_ext = 2 93a9d5c273SSandrine Bailleux }, 94a9d5c273SSandrine Bailleux 95a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT] = { 96a9d5c273SSandrine Bailleux .id = SOC_FW_CONTENT_CERT, 97a9d5c273SSandrine Bailleux .opt = "soc-fw-cert", 98a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Content Certificate (output file)", 99a9d5c273SSandrine Bailleux .cn = "SoC Firmware Content Certificate", 100a9d5c273SSandrine Bailleux .key = SOC_FW_CONTENT_CERT_KEY, 101a9d5c273SSandrine Bailleux .issuer = SOC_FW_CONTENT_CERT, 102a9d5c273SSandrine Bailleux .ext = { 103a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 104a9d5c273SSandrine Bailleux SOC_AP_FW_HASH_EXT, 105a9d5c273SSandrine Bailleux SOC_FW_CONFIG_HASH_EXT, 106a9d5c273SSandrine Bailleux }, 107a9d5c273SSandrine Bailleux .num_ext = 3 108a9d5c273SSandrine Bailleux }, 109a9d5c273SSandrine Bailleux 110a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_KEY_CERT] = { 111a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_KEY_CERT, 112a9d5c273SSandrine Bailleux .opt = "tos-fw-key-cert", 113a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Key Certificate (output file)", 114a9d5c273SSandrine Bailleux .cn = "Trusted OS Firmware Key Certificate", 115a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 116a9d5c273SSandrine Bailleux .issuer = TRUSTED_OS_FW_KEY_CERT, 117a9d5c273SSandrine Bailleux .ext = { 118a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 119a9d5c273SSandrine Bailleux TRUSTED_OS_FW_CONTENT_CERT_PK_EXT 120a9d5c273SSandrine Bailleux }, 121a9d5c273SSandrine Bailleux .num_ext = 2 122a9d5c273SSandrine Bailleux }, 123a9d5c273SSandrine Bailleux 124a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT] = { 125a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_CONTENT_CERT, 126a9d5c273SSandrine Bailleux .opt = "tos-fw-cert", 127a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Content Certificate (output file)", 128a9d5c273SSandrine Bailleux .cn = "Trusted OS Firmware Content Certificate", 129a9d5c273SSandrine Bailleux .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, 130a9d5c273SSandrine Bailleux .issuer = TRUSTED_OS_FW_CONTENT_CERT, 131a9d5c273SSandrine Bailleux .ext = { 132a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 133a9d5c273SSandrine Bailleux TRUSTED_OS_FW_HASH_EXT, 134a9d5c273SSandrine Bailleux TRUSTED_OS_FW_EXTRA1_HASH_EXT, 135a9d5c273SSandrine Bailleux TRUSTED_OS_FW_EXTRA2_HASH_EXT, 136a9d5c273SSandrine Bailleux TRUSTED_OS_FW_CONFIG_HASH_EXT, 137a9d5c273SSandrine Bailleux }, 138a9d5c273SSandrine Bailleux .num_ext = 5 139a9d5c273SSandrine Bailleux }, 140a9d5c273SSandrine Bailleux 1410792dd7dSManish Pandey [SIP_SECURE_PARTITION_CONTENT_CERT] = { 1420792dd7dSManish Pandey .id = SIP_SECURE_PARTITION_CONTENT_CERT, 1430792dd7dSManish Pandey .opt = "sip-sp-cert", 1440792dd7dSManish Pandey .help_msg = "SiP owned Secure Partition Content Certificate (output file)", 1450792dd7dSManish Pandey .fn = NULL, 1460792dd7dSManish Pandey .cn = "SiP owned Secure Partition Content Certificate", 1470792dd7dSManish Pandey .key = TRUSTED_WORLD_KEY, 1480792dd7dSManish Pandey .issuer = SIP_SECURE_PARTITION_CONTENT_CERT, 1490792dd7dSManish Pandey .ext = { 1500792dd7dSManish Pandey TRUSTED_FW_NVCOUNTER_EXT, 1510792dd7dSManish Pandey SP_PKG1_HASH_EXT, 1520792dd7dSManish Pandey SP_PKG2_HASH_EXT, 1530792dd7dSManish Pandey SP_PKG3_HASH_EXT, 1540792dd7dSManish Pandey SP_PKG4_HASH_EXT, 15523d5f03aSManish Pandey }, 15623d5f03aSManish Pandey .num_ext = 5 15723d5f03aSManish Pandey }, 15823d5f03aSManish Pandey 15923d5f03aSManish Pandey [PLAT_SECURE_PARTITION_CONTENT_CERT] = { 16023d5f03aSManish Pandey .id = PLAT_SECURE_PARTITION_CONTENT_CERT, 16123d5f03aSManish Pandey .opt = "plat-sp-cert", 16223d5f03aSManish Pandey .help_msg = "Platform owned Secure Partition Content Certificate (output file)", 16323d5f03aSManish Pandey .fn = NULL, 16423d5f03aSManish Pandey .cn = "Platform owned Secure Partition Content Certificate", 16523d5f03aSManish Pandey .key = PROT_KEY, 16623d5f03aSManish Pandey .issuer = PLAT_SECURE_PARTITION_CONTENT_CERT, 16723d5f03aSManish Pandey .ext = { 16823d5f03aSManish Pandey NON_TRUSTED_FW_NVCOUNTER_EXT, 1690792dd7dSManish Pandey SP_PKG5_HASH_EXT, 1700792dd7dSManish Pandey SP_PKG6_HASH_EXT, 1710792dd7dSManish Pandey SP_PKG7_HASH_EXT, 1720792dd7dSManish Pandey SP_PKG8_HASH_EXT, 17323d5f03aSManish Pandey PROT_PK_EXT, 1740792dd7dSManish Pandey }, 17523d5f03aSManish Pandey .num_ext = 6 1760792dd7dSManish Pandey }, 1770792dd7dSManish Pandey 178a9d5c273SSandrine Bailleux [FWU_CERT] = { 179a9d5c273SSandrine Bailleux .id = FWU_CERT, 180a9d5c273SSandrine Bailleux .opt = "fwu-cert", 181a9d5c273SSandrine Bailleux .help_msg = "Firmware Update Certificate (output file)", 182a9d5c273SSandrine Bailleux .cn = "Firmware Update Certificate", 183a9d5c273SSandrine Bailleux .key = ROT_KEY, 184a9d5c273SSandrine Bailleux .issuer = FWU_CERT, 185a9d5c273SSandrine Bailleux .ext = { 186a9d5c273SSandrine Bailleux SCP_FWU_CFG_HASH_EXT, 187a9d5c273SSandrine Bailleux AP_FWU_CFG_HASH_EXT, 188a9d5c273SSandrine Bailleux FWU_HASH_EXT 189a9d5c273SSandrine Bailleux }, 190a9d5c273SSandrine Bailleux .num_ext = 3 191a9d5c273SSandrine Bailleux }, 192a9d5c273SSandrine Bailleux 193a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_CONTENT_CERT] = { 194a9d5c273SSandrine Bailleux .id = NON_TRUSTED_FW_CONTENT_CERT, 195a9d5c273SSandrine Bailleux .opt = "nt-fw-cert", 196a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted Firmware Content Certificate (output file)", 197a9d5c273SSandrine Bailleux .cn = "Non-Trusted Firmware Content Certificate", 198a9d5c273SSandrine Bailleux .key = PROT_KEY, 199a9d5c273SSandrine Bailleux .issuer = NON_TRUSTED_FW_CONTENT_CERT, 200a9d5c273SSandrine Bailleux .ext = { 201a9d5c273SSandrine Bailleux NON_TRUSTED_FW_NVCOUNTER_EXT, 202a9d5c273SSandrine Bailleux NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, 203a9d5c273SSandrine Bailleux NON_TRUSTED_FW_CONFIG_HASH_EXT, 204a9d5c273SSandrine Bailleux PROT_PK_EXT, 205a9d5c273SSandrine Bailleux }, 206a9d5c273SSandrine Bailleux .num_ext = 4 207a9d5c273SSandrine Bailleux }, 208a9d5c273SSandrine Bailleux }; 209a9d5c273SSandrine Bailleux 210a9d5c273SSandrine Bailleux REGISTER_COT(cot_certs); 211a9d5c273SSandrine Bailleux 212a9d5c273SSandrine Bailleux 213a9d5c273SSandrine Bailleux /* Certificate extensions. */ 214a9d5c273SSandrine Bailleux static ext_t cot_ext[] = { 215a9d5c273SSandrine Bailleux [TRUSTED_FW_NVCOUNTER_EXT] = { 216a9d5c273SSandrine Bailleux .oid = TRUSTED_FW_NVCOUNTER_OID, 217a9d5c273SSandrine Bailleux .opt = "tfw-nvctr", 218a9d5c273SSandrine Bailleux .help_msg = "Trusted Firmware Non-Volatile counter value", 219a9d5c273SSandrine Bailleux .sn = "TrustedWorldNVCounter", 220a9d5c273SSandrine Bailleux .ln = "Trusted World Non-Volatile counter", 221a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_INTEGER, 222a9d5c273SSandrine Bailleux .type = EXT_TYPE_NVCOUNTER, 223a9d5c273SSandrine Bailleux .attr.nvctr_type = NVCTR_TYPE_TFW 224a9d5c273SSandrine Bailleux }, 225a9d5c273SSandrine Bailleux 226a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_HASH_EXT] = { 227a9d5c273SSandrine Bailleux .oid = TRUSTED_BOOT_FW_HASH_OID, 228a9d5c273SSandrine Bailleux .opt = "tb-fw", 229a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot Firmware image file", 230a9d5c273SSandrine Bailleux .sn = "TrustedBootFirmwareHash", 231a9d5c273SSandrine Bailleux .ln = "Trusted Boot Firmware hash (SHA256)", 232a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 233a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 234a9d5c273SSandrine Bailleux }, 235a9d5c273SSandrine Bailleux 236a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = { 237a9d5c273SSandrine Bailleux .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID, 238a9d5c273SSandrine Bailleux .opt = "tb-fw-config", 239a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot Firmware Config file", 240a9d5c273SSandrine Bailleux .sn = "TrustedBootFirmwareConfigHash", 241a9d5c273SSandrine Bailleux .ln = "Trusted Boot Firmware Config hash", 242a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 243a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 244a9d5c273SSandrine Bailleux .optional = 1 245a9d5c273SSandrine Bailleux }, 246a9d5c273SSandrine Bailleux 247a9d5c273SSandrine Bailleux [HW_CONFIG_HASH_EXT] = { 248a9d5c273SSandrine Bailleux .oid = HW_CONFIG_HASH_OID, 249a9d5c273SSandrine Bailleux .opt = "hw-config", 250a9d5c273SSandrine Bailleux .help_msg = "HW Config file", 251a9d5c273SSandrine Bailleux .sn = "HWConfigHash", 252a9d5c273SSandrine Bailleux .ln = "HW Config hash", 253a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 254a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 255a9d5c273SSandrine Bailleux .optional = 1 256a9d5c273SSandrine Bailleux }, 257a9d5c273SSandrine Bailleux 2589b3ca9b1SManish V Badarkhe [FW_CONFIG_HASH_EXT] = { 2599b3ca9b1SManish V Badarkhe .oid = FW_CONFIG_HASH_OID, 2609b3ca9b1SManish V Badarkhe .opt = "fw-config", 2619b3ca9b1SManish V Badarkhe .help_msg = "Firmware Config file", 2629b3ca9b1SManish V Badarkhe .sn = "FirmwareConfigHash", 2639b3ca9b1SManish V Badarkhe .ln = "Firmware Config hash", 2649b3ca9b1SManish V Badarkhe .asn1_type = V_ASN1_OCTET_STRING, 2659b3ca9b1SManish V Badarkhe .type = EXT_TYPE_HASH, 2669b3ca9b1SManish V Badarkhe .optional = 1 2679b3ca9b1SManish V Badarkhe }, 2689b3ca9b1SManish V Badarkhe 269a9d5c273SSandrine Bailleux [TRUSTED_WORLD_PK_EXT] = { 270a9d5c273SSandrine Bailleux .oid = TRUSTED_WORLD_PK_OID, 271a9d5c273SSandrine Bailleux .sn = "TrustedWorldPublicKey", 272a9d5c273SSandrine Bailleux .ln = "Trusted World Public Key", 273a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 274a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 275a9d5c273SSandrine Bailleux .attr.key = TRUSTED_WORLD_KEY 276a9d5c273SSandrine Bailleux }, 277a9d5c273SSandrine Bailleux 278a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT_PK_EXT] = { 279a9d5c273SSandrine Bailleux .oid = SCP_FW_CONTENT_CERT_PK_OID, 280a9d5c273SSandrine Bailleux .sn = "SCPFirmwareContentCertPK", 281a9d5c273SSandrine Bailleux .ln = "SCP Firmware content certificate public key", 282a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 283a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 284a9d5c273SSandrine Bailleux .attr.key = SCP_FW_CONTENT_CERT_KEY 285a9d5c273SSandrine Bailleux }, 286a9d5c273SSandrine Bailleux 287a9d5c273SSandrine Bailleux [SCP_FW_HASH_EXT] = { 288a9d5c273SSandrine Bailleux .oid = SCP_FW_HASH_OID, 289a9d5c273SSandrine Bailleux .opt = "scp-fw", 290a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware image file", 291a9d5c273SSandrine Bailleux .sn = "SCPFirmwareHash", 292a9d5c273SSandrine Bailleux .ln = "SCP Firmware hash (SHA256)", 293a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 294a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 295a9d5c273SSandrine Bailleux }, 296a9d5c273SSandrine Bailleux 297a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT_PK_EXT] = { 298a9d5c273SSandrine Bailleux .oid = SOC_FW_CONTENT_CERT_PK_OID, 299a9d5c273SSandrine Bailleux .sn = "SoCFirmwareContentCertPK", 300a9d5c273SSandrine Bailleux .ln = "SoC Firmware content certificate public key", 301a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 302a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 303a9d5c273SSandrine Bailleux .attr.key = SOC_FW_CONTENT_CERT_KEY 304a9d5c273SSandrine Bailleux }, 305a9d5c273SSandrine Bailleux 306a9d5c273SSandrine Bailleux [SOC_AP_FW_HASH_EXT] = { 307a9d5c273SSandrine Bailleux .oid = SOC_AP_FW_HASH_OID, 308a9d5c273SSandrine Bailleux .opt = "soc-fw", 309a9d5c273SSandrine Bailleux .help_msg = "SoC AP Firmware image file", 310a9d5c273SSandrine Bailleux .sn = "SoCAPFirmwareHash", 311a9d5c273SSandrine Bailleux .ln = "SoC AP Firmware hash (SHA256)", 312a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 313a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 314a9d5c273SSandrine Bailleux }, 315a9d5c273SSandrine Bailleux 316a9d5c273SSandrine Bailleux [SOC_FW_CONFIG_HASH_EXT] = { 317a9d5c273SSandrine Bailleux .oid = SOC_FW_CONFIG_HASH_OID, 318a9d5c273SSandrine Bailleux .opt = "soc-fw-config", 319a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Config file", 320a9d5c273SSandrine Bailleux .sn = "SocFirmwareConfigHash", 321a9d5c273SSandrine Bailleux .ln = "SoC Firmware Config hash", 322a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 323a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 324a9d5c273SSandrine Bailleux .optional = 1 325a9d5c273SSandrine Bailleux }, 326a9d5c273SSandrine Bailleux 327a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = { 328a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID, 329a9d5c273SSandrine Bailleux .sn = "TrustedOSFirmwareContentCertPK", 330a9d5c273SSandrine Bailleux .ln = "Trusted OS Firmware content certificate public key", 331a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 332a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 333a9d5c273SSandrine Bailleux .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY 334a9d5c273SSandrine Bailleux }, 335a9d5c273SSandrine Bailleux 336a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_HASH_EXT] = { 337a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_HASH_OID, 338a9d5c273SSandrine Bailleux .opt = "tos-fw", 339a9d5c273SSandrine Bailleux .help_msg = "Trusted OS image file", 340a9d5c273SSandrine Bailleux .sn = "TrustedOSHash", 341a9d5c273SSandrine Bailleux .ln = "Trusted OS hash (SHA256)", 342a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 343a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 344a9d5c273SSandrine Bailleux }, 345a9d5c273SSandrine Bailleux 346a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = { 347a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID, 348a9d5c273SSandrine Bailleux .opt = "tos-fw-extra1", 349a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Extra1 image file", 350a9d5c273SSandrine Bailleux .sn = "TrustedOSExtra1Hash", 351a9d5c273SSandrine Bailleux .ln = "Trusted OS Extra1 hash (SHA256)", 352a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 353a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 354a9d5c273SSandrine Bailleux .optional = 1 355a9d5c273SSandrine Bailleux }, 356a9d5c273SSandrine Bailleux 357a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = { 358a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID, 359a9d5c273SSandrine Bailleux .opt = "tos-fw-extra2", 360a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Extra2 image file", 361a9d5c273SSandrine Bailleux .sn = "TrustedOSExtra2Hash", 362a9d5c273SSandrine Bailleux .ln = "Trusted OS Extra2 hash (SHA256)", 363a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 364a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 365a9d5c273SSandrine Bailleux .optional = 1 366a9d5c273SSandrine Bailleux }, 367a9d5c273SSandrine Bailleux 368a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONFIG_HASH_EXT] = { 369a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_CONFIG_HASH_OID, 370a9d5c273SSandrine Bailleux .opt = "tos-fw-config", 371a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Config file", 372a9d5c273SSandrine Bailleux .sn = "TrustedOSFirmwareConfigHash", 373a9d5c273SSandrine Bailleux .ln = "Trusted OS Firmware Config hash", 374a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 375a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 376a9d5c273SSandrine Bailleux .optional = 1 377a9d5c273SSandrine Bailleux }, 378a9d5c273SSandrine Bailleux 3790792dd7dSManish Pandey [SP_PKG1_HASH_EXT] = { 3800792dd7dSManish Pandey .oid = SP_PKG1_HASH_OID, 3810792dd7dSManish Pandey .opt = "sp-pkg1", 3820792dd7dSManish Pandey .help_msg = "Secure Partition Package1 file", 3830792dd7dSManish Pandey .sn = "SPPkg1Hash", 3840792dd7dSManish Pandey .ln = "SP Pkg1 hash (SHA256)", 3850792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 3860792dd7dSManish Pandey .type = EXT_TYPE_HASH, 3870792dd7dSManish Pandey .optional = 1 3880792dd7dSManish Pandey }, 3890792dd7dSManish Pandey [SP_PKG2_HASH_EXT] = { 3900792dd7dSManish Pandey .oid = SP_PKG2_HASH_OID, 3910792dd7dSManish Pandey .opt = "sp-pkg2", 3920792dd7dSManish Pandey .help_msg = "Secure Partition Package2 file", 3930792dd7dSManish Pandey .sn = "SPPkg2Hash", 3940792dd7dSManish Pandey .ln = "SP Pkg2 hash (SHA256)", 3950792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 3960792dd7dSManish Pandey .type = EXT_TYPE_HASH, 3970792dd7dSManish Pandey .optional = 1 3980792dd7dSManish Pandey }, 3990792dd7dSManish Pandey [SP_PKG3_HASH_EXT] = { 4000792dd7dSManish Pandey .oid = SP_PKG3_HASH_OID, 4010792dd7dSManish Pandey .opt = "sp-pkg3", 4020792dd7dSManish Pandey .help_msg = "Secure Partition Package3 file", 4030792dd7dSManish Pandey .sn = "SPPkg3Hash", 4040792dd7dSManish Pandey .ln = "SP Pkg3 hash (SHA256)", 4050792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 4060792dd7dSManish Pandey .type = EXT_TYPE_HASH, 4070792dd7dSManish Pandey .optional = 1 4080792dd7dSManish Pandey }, 4090792dd7dSManish Pandey [SP_PKG4_HASH_EXT] = { 4100792dd7dSManish Pandey .oid = SP_PKG4_HASH_OID, 4110792dd7dSManish Pandey .opt = "sp-pkg4", 4120792dd7dSManish Pandey .help_msg = "Secure Partition Package4 file", 4130792dd7dSManish Pandey .sn = "SPPkg4Hash", 4140792dd7dSManish Pandey .ln = "SP Pkg4 hash (SHA256)", 4150792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 4160792dd7dSManish Pandey .type = EXT_TYPE_HASH, 4170792dd7dSManish Pandey .optional = 1 4180792dd7dSManish Pandey }, 4190792dd7dSManish Pandey [SP_PKG5_HASH_EXT] = { 4200792dd7dSManish Pandey .oid = SP_PKG5_HASH_OID, 4210792dd7dSManish Pandey .opt = "sp-pkg5", 4220792dd7dSManish Pandey .help_msg = "Secure Partition Package5 file", 4230792dd7dSManish Pandey .sn = "SPPkg5Hash", 4240792dd7dSManish Pandey .ln = "SP Pkg5 hash (SHA256)", 4250792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 4260792dd7dSManish Pandey .type = EXT_TYPE_HASH, 4270792dd7dSManish Pandey .optional = 1 4280792dd7dSManish Pandey }, 4290792dd7dSManish Pandey [SP_PKG6_HASH_EXT] = { 4300792dd7dSManish Pandey .oid = SP_PKG6_HASH_OID, 4310792dd7dSManish Pandey .opt = "sp-pkg6", 4320792dd7dSManish Pandey .help_msg = "Secure Partition Package6 file", 4330792dd7dSManish Pandey .sn = "SPPkg6Hash", 4340792dd7dSManish Pandey .ln = "SP Pkg6 hash (SHA256)", 4350792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 4360792dd7dSManish Pandey .type = EXT_TYPE_HASH, 4370792dd7dSManish Pandey .optional = 1 4380792dd7dSManish Pandey }, 4390792dd7dSManish Pandey [SP_PKG7_HASH_EXT] = { 4400792dd7dSManish Pandey .oid = SP_PKG7_HASH_OID, 4410792dd7dSManish Pandey .opt = "sp-pkg7", 4420792dd7dSManish Pandey .help_msg = "Secure Partition Package7 file", 4430792dd7dSManish Pandey .sn = "SPPkg7Hash", 4440792dd7dSManish Pandey .ln = "SP Pkg7 hash (SHA256)", 4450792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 4460792dd7dSManish Pandey .type = EXT_TYPE_HASH, 4470792dd7dSManish Pandey .optional = 1 4480792dd7dSManish Pandey }, 4490792dd7dSManish Pandey [SP_PKG8_HASH_EXT] = { 4500792dd7dSManish Pandey .oid = SP_PKG8_HASH_OID, 4510792dd7dSManish Pandey .opt = "sp-pkg8", 4520792dd7dSManish Pandey .help_msg = "Secure Partition Package8 file", 4530792dd7dSManish Pandey .sn = "SPPkg8Hash", 4540792dd7dSManish Pandey .ln = "SP Pkg8 hash (SHA256)", 4550792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 4560792dd7dSManish Pandey .type = EXT_TYPE_HASH, 4570792dd7dSManish Pandey .optional = 1 4580792dd7dSManish Pandey }, 4590792dd7dSManish Pandey 460a9d5c273SSandrine Bailleux [SCP_FWU_CFG_HASH_EXT] = { 461a9d5c273SSandrine Bailleux .oid = SCP_FWU_CFG_HASH_OID, 462a9d5c273SSandrine Bailleux .opt = "scp-fwu-cfg", 463a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Update Config image file", 464a9d5c273SSandrine Bailleux .sn = "SCPFWUpdateConfig", 465a9d5c273SSandrine Bailleux .ln = "SCP Firmware Update Config hash (SHA256)", 466a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 467a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 468a9d5c273SSandrine Bailleux .optional = 1 469a9d5c273SSandrine Bailleux }, 470a9d5c273SSandrine Bailleux 471a9d5c273SSandrine Bailleux [AP_FWU_CFG_HASH_EXT] = { 472a9d5c273SSandrine Bailleux .oid = AP_FWU_CFG_HASH_OID, 473a9d5c273SSandrine Bailleux .opt = "ap-fwu-cfg", 474a9d5c273SSandrine Bailleux .help_msg = "AP Firmware Update Config image file", 475a9d5c273SSandrine Bailleux .sn = "APFWUpdateConfig", 476a9d5c273SSandrine Bailleux .ln = "AP Firmware Update Config hash (SHA256)", 477a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 478a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 479a9d5c273SSandrine Bailleux .optional = 1 480a9d5c273SSandrine Bailleux }, 481a9d5c273SSandrine Bailleux 482a9d5c273SSandrine Bailleux [FWU_HASH_EXT] = { 483a9d5c273SSandrine Bailleux .oid = FWU_HASH_OID, 484a9d5c273SSandrine Bailleux .opt = "fwu", 485a9d5c273SSandrine Bailleux .help_msg = "Firmware Updater image file", 486a9d5c273SSandrine Bailleux .sn = "FWUpdaterHash", 487a9d5c273SSandrine Bailleux .ln = "Firmware Updater hash (SHA256)", 488a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 489a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 490a9d5c273SSandrine Bailleux .optional = 1 491a9d5c273SSandrine Bailleux }, 492a9d5c273SSandrine Bailleux 493a9d5c273SSandrine Bailleux [PROT_PK_EXT] = { 494a9d5c273SSandrine Bailleux .oid = PROT_PK_OID, 495a9d5c273SSandrine Bailleux .sn = "PlatformRoTKey", 496a9d5c273SSandrine Bailleux .ln = "Platform Root of Trust Public Key", 497a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 498a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 499a9d5c273SSandrine Bailleux .attr.key = PROT_KEY 500a9d5c273SSandrine Bailleux }, 501a9d5c273SSandrine Bailleux 502a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_NVCOUNTER_EXT] = { 503a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_FW_NVCOUNTER_OID, 504a9d5c273SSandrine Bailleux .opt = "ntfw-nvctr", 505a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted Firmware Non-Volatile counter value", 506a9d5c273SSandrine Bailleux .sn = "NormalWorldNVCounter", 507a9d5c273SSandrine Bailleux .ln = "Non-Trusted Firmware Non-Volatile counter", 508a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_INTEGER, 509a9d5c273SSandrine Bailleux .type = EXT_TYPE_NVCOUNTER, 510a9d5c273SSandrine Bailleux .attr.nvctr_type = NVCTR_TYPE_NTFW 511a9d5c273SSandrine Bailleux }, 512a9d5c273SSandrine Bailleux 513a9d5c273SSandrine Bailleux [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = { 514a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID, 515a9d5c273SSandrine Bailleux .opt = "nt-fw", 516a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted World Bootloader image file", 517a9d5c273SSandrine Bailleux .sn = "NonTrustedWorldBootloaderHash", 518a9d5c273SSandrine Bailleux .ln = "Non-Trusted World hash (SHA256)", 519a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 520a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 521a9d5c273SSandrine Bailleux }, 522a9d5c273SSandrine Bailleux 523a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_CONFIG_HASH_EXT] = { 524a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_FW_CONFIG_HASH_OID, 525a9d5c273SSandrine Bailleux .opt = "nt-fw-config", 526a9d5c273SSandrine Bailleux .help_msg = "Non Trusted OS Firmware Config file", 527a9d5c273SSandrine Bailleux .sn = "NonTrustedOSFirmwareConfigHash", 528a9d5c273SSandrine Bailleux .ln = "Non-Trusted OS Firmware Config hash", 529a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 530a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 531a9d5c273SSandrine Bailleux .optional = 1 532a9d5c273SSandrine Bailleux }, 533a9d5c273SSandrine Bailleux }; 534a9d5c273SSandrine Bailleux 535a9d5c273SSandrine Bailleux REGISTER_EXTENSIONS(cot_ext); 536a9d5c273SSandrine Bailleux 537a9d5c273SSandrine Bailleux 538a9d5c273SSandrine Bailleux /* Keys used to establish the chain of trust. */ 539*ccbfd01dSManish V Badarkhe static cert_key_t cot_keys[] = { 540a9d5c273SSandrine Bailleux [ROT_KEY] = { 541a9d5c273SSandrine Bailleux .id = ROT_KEY, 542a9d5c273SSandrine Bailleux .opt = "rot-key", 543616b3ce2SRobin van der Gracht .help_msg = "Root Of Trust key file or PKCS11 URI", 544a9d5c273SSandrine Bailleux .desc = "Root Of Trust key" 545a9d5c273SSandrine Bailleux }, 546a9d5c273SSandrine Bailleux 547a9d5c273SSandrine Bailleux [TRUSTED_WORLD_KEY] = { 548a9d5c273SSandrine Bailleux .id = TRUSTED_WORLD_KEY, 549a9d5c273SSandrine Bailleux .opt = "trusted-world-key", 550616b3ce2SRobin van der Gracht .help_msg = "Trusted World key file or PKCS11 URI", 551a9d5c273SSandrine Bailleux .desc = "Trusted World key" 552a9d5c273SSandrine Bailleux }, 553a9d5c273SSandrine Bailleux 554a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT_KEY] = { 555a9d5c273SSandrine Bailleux .id = SCP_FW_CONTENT_CERT_KEY, 556a9d5c273SSandrine Bailleux .opt = "scp-fw-key", 557616b3ce2SRobin van der Gracht .help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI", 558a9d5c273SSandrine Bailleux .desc = "SCP Firmware Content Certificate key" 559a9d5c273SSandrine Bailleux }, 560a9d5c273SSandrine Bailleux 561a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT_KEY] = { 562a9d5c273SSandrine Bailleux .id = SOC_FW_CONTENT_CERT_KEY, 563a9d5c273SSandrine Bailleux .opt = "soc-fw-key", 564616b3ce2SRobin van der Gracht .help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI", 565a9d5c273SSandrine Bailleux .desc = "SoC Firmware Content Certificate key" 566a9d5c273SSandrine Bailleux }, 567a9d5c273SSandrine Bailleux 568a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT_KEY] = { 569a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_CONTENT_CERT_KEY, 570a9d5c273SSandrine Bailleux .opt = "tos-fw-key", 571616b3ce2SRobin van der Gracht .help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI", 572a9d5c273SSandrine Bailleux .desc = "Trusted OS Firmware Content Certificate key" 573a9d5c273SSandrine Bailleux }, 574a9d5c273SSandrine Bailleux 575a9d5c273SSandrine Bailleux [PROT_KEY] = { 576a9d5c273SSandrine Bailleux .id = PROT_KEY, 577a9d5c273SSandrine Bailleux .opt = "prot-key", 578616b3ce2SRobin van der Gracht .help_msg = "Platform Root of Trust key file or PKCS11 URI", 579a9d5c273SSandrine Bailleux .desc = "Platform Root of Trust key" 580a9d5c273SSandrine Bailleux }, 581a9d5c273SSandrine Bailleux }; 582a9d5c273SSandrine Bailleux 583a9d5c273SSandrine Bailleux REGISTER_KEYS(cot_keys); 584