1a9d5c273SSandrine Bailleux /* 2a9d5c273SSandrine Bailleux * Copyright (c) 2020, Arm Limited. All rights reserved. 3a9d5c273SSandrine Bailleux * 4a9d5c273SSandrine Bailleux * SPDX-License-Identifier: BSD-3-Clause 5a9d5c273SSandrine Bailleux */ 6a9d5c273SSandrine Bailleux 7a9d5c273SSandrine Bailleux #include <dualroot_oid.h> 8a9d5c273SSandrine Bailleux 9a9d5c273SSandrine Bailleux #include "cert.h" 10a9d5c273SSandrine Bailleux #include "ext.h" 11a9d5c273SSandrine Bailleux #include "key.h" 12a9d5c273SSandrine Bailleux 13a9d5c273SSandrine Bailleux #include "dualroot/cot.h" 14a9d5c273SSandrine Bailleux 15a9d5c273SSandrine Bailleux /* 16a9d5c273SSandrine Bailleux * Certificates used in the chain of trust. 17a9d5c273SSandrine Bailleux * 18a9d5c273SSandrine Bailleux * All certificates are self-signed so the issuer certificate field points to 19a9d5c273SSandrine Bailleux * itself. 20a9d5c273SSandrine Bailleux */ 21a9d5c273SSandrine Bailleux static cert_t cot_certs[] = { 22a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_CERT] = { 23a9d5c273SSandrine Bailleux .id = TRUSTED_BOOT_FW_CERT, 24a9d5c273SSandrine Bailleux .opt = "tb-fw-cert", 25a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot FW Certificate (output file)", 26a9d5c273SSandrine Bailleux .cn = "Trusted Boot FW Certificate", 27a9d5c273SSandrine Bailleux .key = ROT_KEY, 28a9d5c273SSandrine Bailleux .issuer = TRUSTED_BOOT_FW_CERT, 29a9d5c273SSandrine Bailleux .ext = { 30a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 31a9d5c273SSandrine Bailleux TRUSTED_BOOT_FW_HASH_EXT, 32a9d5c273SSandrine Bailleux TRUSTED_BOOT_FW_CONFIG_HASH_EXT, 33a9d5c273SSandrine Bailleux HW_CONFIG_HASH_EXT 34a9d5c273SSandrine Bailleux }, 35a9d5c273SSandrine Bailleux .num_ext = 4 36a9d5c273SSandrine Bailleux }, 37a9d5c273SSandrine Bailleux 38a9d5c273SSandrine Bailleux [TRUSTED_KEY_CERT] = { 39a9d5c273SSandrine Bailleux .id = TRUSTED_KEY_CERT, 40a9d5c273SSandrine Bailleux .opt = "trusted-key-cert", 41a9d5c273SSandrine Bailleux .help_msg = "Trusted Key Certificate (output file)", 42a9d5c273SSandrine Bailleux .cn = "Trusted Key Certificate", 43a9d5c273SSandrine Bailleux .key = ROT_KEY, 44a9d5c273SSandrine Bailleux .issuer = TRUSTED_KEY_CERT, 45a9d5c273SSandrine Bailleux .ext = { 46a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 47a9d5c273SSandrine Bailleux TRUSTED_WORLD_PK_EXT, 48a9d5c273SSandrine Bailleux }, 49a9d5c273SSandrine Bailleux .num_ext = 2 50a9d5c273SSandrine Bailleux }, 51a9d5c273SSandrine Bailleux 52a9d5c273SSandrine Bailleux [SCP_FW_KEY_CERT] = { 53a9d5c273SSandrine Bailleux .id = SCP_FW_KEY_CERT, 54a9d5c273SSandrine Bailleux .opt = "scp-fw-key-cert", 55a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Key Certificate (output file)", 56a9d5c273SSandrine Bailleux .cn = "SCP Firmware Key Certificate", 57a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 58a9d5c273SSandrine Bailleux .issuer = SCP_FW_KEY_CERT, 59a9d5c273SSandrine Bailleux .ext = { 60a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 61a9d5c273SSandrine Bailleux SCP_FW_CONTENT_CERT_PK_EXT 62a9d5c273SSandrine Bailleux }, 63a9d5c273SSandrine Bailleux .num_ext = 2 64a9d5c273SSandrine Bailleux }, 65a9d5c273SSandrine Bailleux 66a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT] = { 67a9d5c273SSandrine Bailleux .id = SCP_FW_CONTENT_CERT, 68a9d5c273SSandrine Bailleux .opt = "scp-fw-cert", 69a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Content Certificate (output file)", 70a9d5c273SSandrine Bailleux .cn = "SCP Firmware Content Certificate", 71a9d5c273SSandrine Bailleux .key = SCP_FW_CONTENT_CERT_KEY, 72a9d5c273SSandrine Bailleux .issuer = SCP_FW_CONTENT_CERT, 73a9d5c273SSandrine Bailleux .ext = { 74a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 75a9d5c273SSandrine Bailleux SCP_FW_HASH_EXT 76a9d5c273SSandrine Bailleux }, 77a9d5c273SSandrine Bailleux .num_ext = 2 78a9d5c273SSandrine Bailleux }, 79a9d5c273SSandrine Bailleux 80a9d5c273SSandrine Bailleux [SOC_FW_KEY_CERT] = { 81a9d5c273SSandrine Bailleux .id = SOC_FW_KEY_CERT, 82a9d5c273SSandrine Bailleux .opt = "soc-fw-key-cert", 83a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Key Certificate (output file)", 84a9d5c273SSandrine Bailleux .cn = "SoC Firmware Key Certificate", 85a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 86a9d5c273SSandrine Bailleux .issuer = SOC_FW_KEY_CERT, 87a9d5c273SSandrine Bailleux .ext = { 88a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 89a9d5c273SSandrine Bailleux SOC_FW_CONTENT_CERT_PK_EXT 90a9d5c273SSandrine Bailleux }, 91a9d5c273SSandrine Bailleux .num_ext = 2 92a9d5c273SSandrine Bailleux }, 93a9d5c273SSandrine Bailleux 94a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT] = { 95a9d5c273SSandrine Bailleux .id = SOC_FW_CONTENT_CERT, 96a9d5c273SSandrine Bailleux .opt = "soc-fw-cert", 97a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Content Certificate (output file)", 98a9d5c273SSandrine Bailleux .cn = "SoC Firmware Content Certificate", 99a9d5c273SSandrine Bailleux .key = SOC_FW_CONTENT_CERT_KEY, 100a9d5c273SSandrine Bailleux .issuer = SOC_FW_CONTENT_CERT, 101a9d5c273SSandrine Bailleux .ext = { 102a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 103a9d5c273SSandrine Bailleux SOC_AP_FW_HASH_EXT, 104a9d5c273SSandrine Bailleux SOC_FW_CONFIG_HASH_EXT, 105a9d5c273SSandrine Bailleux }, 106a9d5c273SSandrine Bailleux .num_ext = 3 107a9d5c273SSandrine Bailleux }, 108a9d5c273SSandrine Bailleux 109a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_KEY_CERT] = { 110a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_KEY_CERT, 111a9d5c273SSandrine Bailleux .opt = "tos-fw-key-cert", 112a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Key Certificate (output file)", 113a9d5c273SSandrine Bailleux .cn = "Trusted OS Firmware Key Certificate", 114a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 115a9d5c273SSandrine Bailleux .issuer = TRUSTED_OS_FW_KEY_CERT, 116a9d5c273SSandrine Bailleux .ext = { 117a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 118a9d5c273SSandrine Bailleux TRUSTED_OS_FW_CONTENT_CERT_PK_EXT 119a9d5c273SSandrine Bailleux }, 120a9d5c273SSandrine Bailleux .num_ext = 2 121a9d5c273SSandrine Bailleux }, 122a9d5c273SSandrine Bailleux 123a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT] = { 124a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_CONTENT_CERT, 125a9d5c273SSandrine Bailleux .opt = "tos-fw-cert", 126a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Content Certificate (output file)", 127a9d5c273SSandrine Bailleux .cn = "Trusted OS Firmware Content Certificate", 128a9d5c273SSandrine Bailleux .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, 129a9d5c273SSandrine Bailleux .issuer = TRUSTED_OS_FW_CONTENT_CERT, 130a9d5c273SSandrine Bailleux .ext = { 131a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 132a9d5c273SSandrine Bailleux TRUSTED_OS_FW_HASH_EXT, 133a9d5c273SSandrine Bailleux TRUSTED_OS_FW_EXTRA1_HASH_EXT, 134a9d5c273SSandrine Bailleux TRUSTED_OS_FW_EXTRA2_HASH_EXT, 135a9d5c273SSandrine Bailleux TRUSTED_OS_FW_CONFIG_HASH_EXT, 136a9d5c273SSandrine Bailleux }, 137a9d5c273SSandrine Bailleux .num_ext = 5 138a9d5c273SSandrine Bailleux }, 139a9d5c273SSandrine Bailleux 140*0792dd7dSManish Pandey [SIP_SECURE_PARTITION_CONTENT_CERT] = { 141*0792dd7dSManish Pandey .id = SIP_SECURE_PARTITION_CONTENT_CERT, 142*0792dd7dSManish Pandey .opt = "sip-sp-cert", 143*0792dd7dSManish Pandey .help_msg = "SiP owned Secure Partition Content Certificate (output file)", 144*0792dd7dSManish Pandey .fn = NULL, 145*0792dd7dSManish Pandey .cn = "SiP owned Secure Partition Content Certificate", 146*0792dd7dSManish Pandey .key = TRUSTED_WORLD_KEY, 147*0792dd7dSManish Pandey .issuer = SIP_SECURE_PARTITION_CONTENT_CERT, 148*0792dd7dSManish Pandey .ext = { 149*0792dd7dSManish Pandey TRUSTED_FW_NVCOUNTER_EXT, 150*0792dd7dSManish Pandey SP_PKG1_HASH_EXT, 151*0792dd7dSManish Pandey SP_PKG2_HASH_EXT, 152*0792dd7dSManish Pandey SP_PKG3_HASH_EXT, 153*0792dd7dSManish Pandey SP_PKG4_HASH_EXT, 154*0792dd7dSManish Pandey SP_PKG5_HASH_EXT, 155*0792dd7dSManish Pandey SP_PKG6_HASH_EXT, 156*0792dd7dSManish Pandey SP_PKG7_HASH_EXT, 157*0792dd7dSManish Pandey SP_PKG8_HASH_EXT, 158*0792dd7dSManish Pandey }, 159*0792dd7dSManish Pandey .num_ext = 9 160*0792dd7dSManish Pandey }, 161*0792dd7dSManish Pandey 162a9d5c273SSandrine Bailleux [FWU_CERT] = { 163a9d5c273SSandrine Bailleux .id = FWU_CERT, 164a9d5c273SSandrine Bailleux .opt = "fwu-cert", 165a9d5c273SSandrine Bailleux .help_msg = "Firmware Update Certificate (output file)", 166a9d5c273SSandrine Bailleux .cn = "Firmware Update Certificate", 167a9d5c273SSandrine Bailleux .key = ROT_KEY, 168a9d5c273SSandrine Bailleux .issuer = FWU_CERT, 169a9d5c273SSandrine Bailleux .ext = { 170a9d5c273SSandrine Bailleux SCP_FWU_CFG_HASH_EXT, 171a9d5c273SSandrine Bailleux AP_FWU_CFG_HASH_EXT, 172a9d5c273SSandrine Bailleux FWU_HASH_EXT 173a9d5c273SSandrine Bailleux }, 174a9d5c273SSandrine Bailleux .num_ext = 3 175a9d5c273SSandrine Bailleux }, 176a9d5c273SSandrine Bailleux 177a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_CONTENT_CERT] = { 178a9d5c273SSandrine Bailleux .id = NON_TRUSTED_FW_CONTENT_CERT, 179a9d5c273SSandrine Bailleux .opt = "nt-fw-cert", 180a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted Firmware Content Certificate (output file)", 181a9d5c273SSandrine Bailleux .cn = "Non-Trusted Firmware Content Certificate", 182a9d5c273SSandrine Bailleux .key = PROT_KEY, 183a9d5c273SSandrine Bailleux .issuer = NON_TRUSTED_FW_CONTENT_CERT, 184a9d5c273SSandrine Bailleux .ext = { 185a9d5c273SSandrine Bailleux NON_TRUSTED_FW_NVCOUNTER_EXT, 186a9d5c273SSandrine Bailleux NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, 187a9d5c273SSandrine Bailleux NON_TRUSTED_FW_CONFIG_HASH_EXT, 188a9d5c273SSandrine Bailleux PROT_PK_EXT, 189a9d5c273SSandrine Bailleux }, 190a9d5c273SSandrine Bailleux .num_ext = 4 191a9d5c273SSandrine Bailleux }, 192a9d5c273SSandrine Bailleux }; 193a9d5c273SSandrine Bailleux 194a9d5c273SSandrine Bailleux REGISTER_COT(cot_certs); 195a9d5c273SSandrine Bailleux 196a9d5c273SSandrine Bailleux 197a9d5c273SSandrine Bailleux /* Certificate extensions. */ 198a9d5c273SSandrine Bailleux static ext_t cot_ext[] = { 199a9d5c273SSandrine Bailleux [TRUSTED_FW_NVCOUNTER_EXT] = { 200a9d5c273SSandrine Bailleux .oid = TRUSTED_FW_NVCOUNTER_OID, 201a9d5c273SSandrine Bailleux .opt = "tfw-nvctr", 202a9d5c273SSandrine Bailleux .help_msg = "Trusted Firmware Non-Volatile counter value", 203a9d5c273SSandrine Bailleux .sn = "TrustedWorldNVCounter", 204a9d5c273SSandrine Bailleux .ln = "Trusted World Non-Volatile counter", 205a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_INTEGER, 206a9d5c273SSandrine Bailleux .type = EXT_TYPE_NVCOUNTER, 207a9d5c273SSandrine Bailleux .attr.nvctr_type = NVCTR_TYPE_TFW 208a9d5c273SSandrine Bailleux }, 209a9d5c273SSandrine Bailleux 210a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_HASH_EXT] = { 211a9d5c273SSandrine Bailleux .oid = TRUSTED_BOOT_FW_HASH_OID, 212a9d5c273SSandrine Bailleux .opt = "tb-fw", 213a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot Firmware image file", 214a9d5c273SSandrine Bailleux .sn = "TrustedBootFirmwareHash", 215a9d5c273SSandrine Bailleux .ln = "Trusted Boot Firmware hash (SHA256)", 216a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 217a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 218a9d5c273SSandrine Bailleux }, 219a9d5c273SSandrine Bailleux 220a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = { 221a9d5c273SSandrine Bailleux .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID, 222a9d5c273SSandrine Bailleux .opt = "tb-fw-config", 223a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot Firmware Config file", 224a9d5c273SSandrine Bailleux .sn = "TrustedBootFirmwareConfigHash", 225a9d5c273SSandrine Bailleux .ln = "Trusted Boot Firmware Config hash", 226a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 227a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 228a9d5c273SSandrine Bailleux .optional = 1 229a9d5c273SSandrine Bailleux }, 230a9d5c273SSandrine Bailleux 231a9d5c273SSandrine Bailleux [HW_CONFIG_HASH_EXT] = { 232a9d5c273SSandrine Bailleux .oid = HW_CONFIG_HASH_OID, 233a9d5c273SSandrine Bailleux .opt = "hw-config", 234a9d5c273SSandrine Bailleux .help_msg = "HW Config file", 235a9d5c273SSandrine Bailleux .sn = "HWConfigHash", 236a9d5c273SSandrine Bailleux .ln = "HW Config hash", 237a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 238a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 239a9d5c273SSandrine Bailleux .optional = 1 240a9d5c273SSandrine Bailleux }, 241a9d5c273SSandrine Bailleux 242a9d5c273SSandrine Bailleux [TRUSTED_WORLD_PK_EXT] = { 243a9d5c273SSandrine Bailleux .oid = TRUSTED_WORLD_PK_OID, 244a9d5c273SSandrine Bailleux .sn = "TrustedWorldPublicKey", 245a9d5c273SSandrine Bailleux .ln = "Trusted World Public Key", 246a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 247a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 248a9d5c273SSandrine Bailleux .attr.key = TRUSTED_WORLD_KEY 249a9d5c273SSandrine Bailleux }, 250a9d5c273SSandrine Bailleux 251a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT_PK_EXT] = { 252a9d5c273SSandrine Bailleux .oid = SCP_FW_CONTENT_CERT_PK_OID, 253a9d5c273SSandrine Bailleux .sn = "SCPFirmwareContentCertPK", 254a9d5c273SSandrine Bailleux .ln = "SCP Firmware content certificate public key", 255a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 256a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 257a9d5c273SSandrine Bailleux .attr.key = SCP_FW_CONTENT_CERT_KEY 258a9d5c273SSandrine Bailleux }, 259a9d5c273SSandrine Bailleux 260a9d5c273SSandrine Bailleux [SCP_FW_HASH_EXT] = { 261a9d5c273SSandrine Bailleux .oid = SCP_FW_HASH_OID, 262a9d5c273SSandrine Bailleux .opt = "scp-fw", 263a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware image file", 264a9d5c273SSandrine Bailleux .sn = "SCPFirmwareHash", 265a9d5c273SSandrine Bailleux .ln = "SCP Firmware hash (SHA256)", 266a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 267a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 268a9d5c273SSandrine Bailleux }, 269a9d5c273SSandrine Bailleux 270a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT_PK_EXT] = { 271a9d5c273SSandrine Bailleux .oid = SOC_FW_CONTENT_CERT_PK_OID, 272a9d5c273SSandrine Bailleux .sn = "SoCFirmwareContentCertPK", 273a9d5c273SSandrine Bailleux .ln = "SoC Firmware content certificate public key", 274a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 275a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 276a9d5c273SSandrine Bailleux .attr.key = SOC_FW_CONTENT_CERT_KEY 277a9d5c273SSandrine Bailleux }, 278a9d5c273SSandrine Bailleux 279a9d5c273SSandrine Bailleux [SOC_AP_FW_HASH_EXT] = { 280a9d5c273SSandrine Bailleux .oid = SOC_AP_FW_HASH_OID, 281a9d5c273SSandrine Bailleux .opt = "soc-fw", 282a9d5c273SSandrine Bailleux .help_msg = "SoC AP Firmware image file", 283a9d5c273SSandrine Bailleux .sn = "SoCAPFirmwareHash", 284a9d5c273SSandrine Bailleux .ln = "SoC AP Firmware hash (SHA256)", 285a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 286a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 287a9d5c273SSandrine Bailleux }, 288a9d5c273SSandrine Bailleux 289a9d5c273SSandrine Bailleux [SOC_FW_CONFIG_HASH_EXT] = { 290a9d5c273SSandrine Bailleux .oid = SOC_FW_CONFIG_HASH_OID, 291a9d5c273SSandrine Bailleux .opt = "soc-fw-config", 292a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Config file", 293a9d5c273SSandrine Bailleux .sn = "SocFirmwareConfigHash", 294a9d5c273SSandrine Bailleux .ln = "SoC Firmware Config hash", 295a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 296a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 297a9d5c273SSandrine Bailleux .optional = 1 298a9d5c273SSandrine Bailleux }, 299a9d5c273SSandrine Bailleux 300a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = { 301a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID, 302a9d5c273SSandrine Bailleux .sn = "TrustedOSFirmwareContentCertPK", 303a9d5c273SSandrine Bailleux .ln = "Trusted OS Firmware content certificate public key", 304a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 305a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 306a9d5c273SSandrine Bailleux .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY 307a9d5c273SSandrine Bailleux }, 308a9d5c273SSandrine Bailleux 309a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_HASH_EXT] = { 310a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_HASH_OID, 311a9d5c273SSandrine Bailleux .opt = "tos-fw", 312a9d5c273SSandrine Bailleux .help_msg = "Trusted OS image file", 313a9d5c273SSandrine Bailleux .sn = "TrustedOSHash", 314a9d5c273SSandrine Bailleux .ln = "Trusted OS hash (SHA256)", 315a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 316a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 317a9d5c273SSandrine Bailleux }, 318a9d5c273SSandrine Bailleux 319a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = { 320a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID, 321a9d5c273SSandrine Bailleux .opt = "tos-fw-extra1", 322a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Extra1 image file", 323a9d5c273SSandrine Bailleux .sn = "TrustedOSExtra1Hash", 324a9d5c273SSandrine Bailleux .ln = "Trusted OS Extra1 hash (SHA256)", 325a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 326a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 327a9d5c273SSandrine Bailleux .optional = 1 328a9d5c273SSandrine Bailleux }, 329a9d5c273SSandrine Bailleux 330a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = { 331a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID, 332a9d5c273SSandrine Bailleux .opt = "tos-fw-extra2", 333a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Extra2 image file", 334a9d5c273SSandrine Bailleux .sn = "TrustedOSExtra2Hash", 335a9d5c273SSandrine Bailleux .ln = "Trusted OS Extra2 hash (SHA256)", 336a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 337a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 338a9d5c273SSandrine Bailleux .optional = 1 339a9d5c273SSandrine Bailleux }, 340a9d5c273SSandrine Bailleux 341a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONFIG_HASH_EXT] = { 342a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_CONFIG_HASH_OID, 343a9d5c273SSandrine Bailleux .opt = "tos-fw-config", 344a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Config file", 345a9d5c273SSandrine Bailleux .sn = "TrustedOSFirmwareConfigHash", 346a9d5c273SSandrine Bailleux .ln = "Trusted OS Firmware Config hash", 347a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 348a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 349a9d5c273SSandrine Bailleux .optional = 1 350a9d5c273SSandrine Bailleux }, 351a9d5c273SSandrine Bailleux 352*0792dd7dSManish Pandey [SP_PKG1_HASH_EXT] = { 353*0792dd7dSManish Pandey .oid = SP_PKG1_HASH_OID, 354*0792dd7dSManish Pandey .opt = "sp-pkg1", 355*0792dd7dSManish Pandey .help_msg = "Secure Partition Package1 file", 356*0792dd7dSManish Pandey .sn = "SPPkg1Hash", 357*0792dd7dSManish Pandey .ln = "SP Pkg1 hash (SHA256)", 358*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 359*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 360*0792dd7dSManish Pandey .optional = 1 361*0792dd7dSManish Pandey }, 362*0792dd7dSManish Pandey [SP_PKG2_HASH_EXT] = { 363*0792dd7dSManish Pandey .oid = SP_PKG2_HASH_OID, 364*0792dd7dSManish Pandey .opt = "sp-pkg2", 365*0792dd7dSManish Pandey .help_msg = "Secure Partition Package2 file", 366*0792dd7dSManish Pandey .sn = "SPPkg2Hash", 367*0792dd7dSManish Pandey .ln = "SP Pkg2 hash (SHA256)", 368*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 369*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 370*0792dd7dSManish Pandey .optional = 1 371*0792dd7dSManish Pandey }, 372*0792dd7dSManish Pandey [SP_PKG3_HASH_EXT] = { 373*0792dd7dSManish Pandey .oid = SP_PKG3_HASH_OID, 374*0792dd7dSManish Pandey .opt = "sp-pkg3", 375*0792dd7dSManish Pandey .help_msg = "Secure Partition Package3 file", 376*0792dd7dSManish Pandey .sn = "SPPkg3Hash", 377*0792dd7dSManish Pandey .ln = "SP Pkg3 hash (SHA256)", 378*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 379*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 380*0792dd7dSManish Pandey .optional = 1 381*0792dd7dSManish Pandey }, 382*0792dd7dSManish Pandey [SP_PKG4_HASH_EXT] = { 383*0792dd7dSManish Pandey .oid = SP_PKG4_HASH_OID, 384*0792dd7dSManish Pandey .opt = "sp-pkg4", 385*0792dd7dSManish Pandey .help_msg = "Secure Partition Package4 file", 386*0792dd7dSManish Pandey .sn = "SPPkg4Hash", 387*0792dd7dSManish Pandey .ln = "SP Pkg4 hash (SHA256)", 388*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 389*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 390*0792dd7dSManish Pandey .optional = 1 391*0792dd7dSManish Pandey }, 392*0792dd7dSManish Pandey [SP_PKG5_HASH_EXT] = { 393*0792dd7dSManish Pandey .oid = SP_PKG5_HASH_OID, 394*0792dd7dSManish Pandey .opt = "sp-pkg5", 395*0792dd7dSManish Pandey .help_msg = "Secure Partition Package5 file", 396*0792dd7dSManish Pandey .sn = "SPPkg5Hash", 397*0792dd7dSManish Pandey .ln = "SP Pkg5 hash (SHA256)", 398*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 399*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 400*0792dd7dSManish Pandey .optional = 1 401*0792dd7dSManish Pandey }, 402*0792dd7dSManish Pandey [SP_PKG6_HASH_EXT] = { 403*0792dd7dSManish Pandey .oid = SP_PKG6_HASH_OID, 404*0792dd7dSManish Pandey .opt = "sp-pkg6", 405*0792dd7dSManish Pandey .help_msg = "Secure Partition Package6 file", 406*0792dd7dSManish Pandey .sn = "SPPkg6Hash", 407*0792dd7dSManish Pandey .ln = "SP Pkg6 hash (SHA256)", 408*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 409*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 410*0792dd7dSManish Pandey .optional = 1 411*0792dd7dSManish Pandey }, 412*0792dd7dSManish Pandey [SP_PKG7_HASH_EXT] = { 413*0792dd7dSManish Pandey .oid = SP_PKG7_HASH_OID, 414*0792dd7dSManish Pandey .opt = "sp-pkg7", 415*0792dd7dSManish Pandey .help_msg = "Secure Partition Package7 file", 416*0792dd7dSManish Pandey .sn = "SPPkg7Hash", 417*0792dd7dSManish Pandey .ln = "SP Pkg7 hash (SHA256)", 418*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 419*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 420*0792dd7dSManish Pandey .optional = 1 421*0792dd7dSManish Pandey }, 422*0792dd7dSManish Pandey [SP_PKG8_HASH_EXT] = { 423*0792dd7dSManish Pandey .oid = SP_PKG8_HASH_OID, 424*0792dd7dSManish Pandey .opt = "sp-pkg8", 425*0792dd7dSManish Pandey .help_msg = "Secure Partition Package8 file", 426*0792dd7dSManish Pandey .sn = "SPPkg8Hash", 427*0792dd7dSManish Pandey .ln = "SP Pkg8 hash (SHA256)", 428*0792dd7dSManish Pandey .asn1_type = V_ASN1_OCTET_STRING, 429*0792dd7dSManish Pandey .type = EXT_TYPE_HASH, 430*0792dd7dSManish Pandey .optional = 1 431*0792dd7dSManish Pandey }, 432*0792dd7dSManish Pandey 433a9d5c273SSandrine Bailleux [SCP_FWU_CFG_HASH_EXT] = { 434a9d5c273SSandrine Bailleux .oid = SCP_FWU_CFG_HASH_OID, 435a9d5c273SSandrine Bailleux .opt = "scp-fwu-cfg", 436a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Update Config image file", 437a9d5c273SSandrine Bailleux .sn = "SCPFWUpdateConfig", 438a9d5c273SSandrine Bailleux .ln = "SCP Firmware Update Config hash (SHA256)", 439a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 440a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 441a9d5c273SSandrine Bailleux .optional = 1 442a9d5c273SSandrine Bailleux }, 443a9d5c273SSandrine Bailleux 444a9d5c273SSandrine Bailleux [AP_FWU_CFG_HASH_EXT] = { 445a9d5c273SSandrine Bailleux .oid = AP_FWU_CFG_HASH_OID, 446a9d5c273SSandrine Bailleux .opt = "ap-fwu-cfg", 447a9d5c273SSandrine Bailleux .help_msg = "AP Firmware Update Config image file", 448a9d5c273SSandrine Bailleux .sn = "APFWUpdateConfig", 449a9d5c273SSandrine Bailleux .ln = "AP Firmware Update Config hash (SHA256)", 450a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 451a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 452a9d5c273SSandrine Bailleux .optional = 1 453a9d5c273SSandrine Bailleux }, 454a9d5c273SSandrine Bailleux 455a9d5c273SSandrine Bailleux [FWU_HASH_EXT] = { 456a9d5c273SSandrine Bailleux .oid = FWU_HASH_OID, 457a9d5c273SSandrine Bailleux .opt = "fwu", 458a9d5c273SSandrine Bailleux .help_msg = "Firmware Updater image file", 459a9d5c273SSandrine Bailleux .sn = "FWUpdaterHash", 460a9d5c273SSandrine Bailleux .ln = "Firmware Updater hash (SHA256)", 461a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 462a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 463a9d5c273SSandrine Bailleux .optional = 1 464a9d5c273SSandrine Bailleux }, 465a9d5c273SSandrine Bailleux 466a9d5c273SSandrine Bailleux [PROT_PK_EXT] = { 467a9d5c273SSandrine Bailleux .oid = PROT_PK_OID, 468a9d5c273SSandrine Bailleux .sn = "PlatformRoTKey", 469a9d5c273SSandrine Bailleux .ln = "Platform Root of Trust Public Key", 470a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 471a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 472a9d5c273SSandrine Bailleux .attr.key = PROT_KEY 473a9d5c273SSandrine Bailleux }, 474a9d5c273SSandrine Bailleux 475a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_NVCOUNTER_EXT] = { 476a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_FW_NVCOUNTER_OID, 477a9d5c273SSandrine Bailleux .opt = "ntfw-nvctr", 478a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted Firmware Non-Volatile counter value", 479a9d5c273SSandrine Bailleux .sn = "NormalWorldNVCounter", 480a9d5c273SSandrine Bailleux .ln = "Non-Trusted Firmware Non-Volatile counter", 481a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_INTEGER, 482a9d5c273SSandrine Bailleux .type = EXT_TYPE_NVCOUNTER, 483a9d5c273SSandrine Bailleux .attr.nvctr_type = NVCTR_TYPE_NTFW 484a9d5c273SSandrine Bailleux }, 485a9d5c273SSandrine Bailleux 486a9d5c273SSandrine Bailleux [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = { 487a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID, 488a9d5c273SSandrine Bailleux .opt = "nt-fw", 489a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted World Bootloader image file", 490a9d5c273SSandrine Bailleux .sn = "NonTrustedWorldBootloaderHash", 491a9d5c273SSandrine Bailleux .ln = "Non-Trusted World hash (SHA256)", 492a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 493a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 494a9d5c273SSandrine Bailleux }, 495a9d5c273SSandrine Bailleux 496a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_CONFIG_HASH_EXT] = { 497a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_FW_CONFIG_HASH_OID, 498a9d5c273SSandrine Bailleux .opt = "nt-fw-config", 499a9d5c273SSandrine Bailleux .help_msg = "Non Trusted OS Firmware Config file", 500a9d5c273SSandrine Bailleux .sn = "NonTrustedOSFirmwareConfigHash", 501a9d5c273SSandrine Bailleux .ln = "Non-Trusted OS Firmware Config hash", 502a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 503a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 504a9d5c273SSandrine Bailleux .optional = 1 505a9d5c273SSandrine Bailleux }, 506a9d5c273SSandrine Bailleux }; 507a9d5c273SSandrine Bailleux 508a9d5c273SSandrine Bailleux REGISTER_EXTENSIONS(cot_ext); 509a9d5c273SSandrine Bailleux 510a9d5c273SSandrine Bailleux 511a9d5c273SSandrine Bailleux /* Keys used to establish the chain of trust. */ 512a9d5c273SSandrine Bailleux static key_t cot_keys[] = { 513a9d5c273SSandrine Bailleux [ROT_KEY] = { 514a9d5c273SSandrine Bailleux .id = ROT_KEY, 515a9d5c273SSandrine Bailleux .opt = "rot-key", 516a9d5c273SSandrine Bailleux .help_msg = "Root Of Trust key (input/output file)", 517a9d5c273SSandrine Bailleux .desc = "Root Of Trust key" 518a9d5c273SSandrine Bailleux }, 519a9d5c273SSandrine Bailleux 520a9d5c273SSandrine Bailleux [TRUSTED_WORLD_KEY] = { 521a9d5c273SSandrine Bailleux .id = TRUSTED_WORLD_KEY, 522a9d5c273SSandrine Bailleux .opt = "trusted-world-key", 523a9d5c273SSandrine Bailleux .help_msg = "Trusted World key (input/output file)", 524a9d5c273SSandrine Bailleux .desc = "Trusted World key" 525a9d5c273SSandrine Bailleux }, 526a9d5c273SSandrine Bailleux 527a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT_KEY] = { 528a9d5c273SSandrine Bailleux .id = SCP_FW_CONTENT_CERT_KEY, 529a9d5c273SSandrine Bailleux .opt = "scp-fw-key", 530a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Content Certificate key (input/output file)", 531a9d5c273SSandrine Bailleux .desc = "SCP Firmware Content Certificate key" 532a9d5c273SSandrine Bailleux }, 533a9d5c273SSandrine Bailleux 534a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT_KEY] = { 535a9d5c273SSandrine Bailleux .id = SOC_FW_CONTENT_CERT_KEY, 536a9d5c273SSandrine Bailleux .opt = "soc-fw-key", 537a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Content Certificate key (input/output file)", 538a9d5c273SSandrine Bailleux .desc = "SoC Firmware Content Certificate key" 539a9d5c273SSandrine Bailleux }, 540a9d5c273SSandrine Bailleux 541a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT_KEY] = { 542a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_CONTENT_CERT_KEY, 543a9d5c273SSandrine Bailleux .opt = "tos-fw-key", 544a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)", 545a9d5c273SSandrine Bailleux .desc = "Trusted OS Firmware Content Certificate key" 546a9d5c273SSandrine Bailleux }, 547a9d5c273SSandrine Bailleux 548a9d5c273SSandrine Bailleux [PROT_KEY] = { 549a9d5c273SSandrine Bailleux .id = PROT_KEY, 550a9d5c273SSandrine Bailleux .opt = "prot-key", 551a9d5c273SSandrine Bailleux .help_msg = "Platform Root of Trust key", 552a9d5c273SSandrine Bailleux .desc = "Platform Root of Trust key" 553a9d5c273SSandrine Bailleux }, 554a9d5c273SSandrine Bailleux }; 555a9d5c273SSandrine Bailleux 556a9d5c273SSandrine Bailleux REGISTER_KEYS(cot_keys); 557