1*a9d5c273SSandrine Bailleux /* 2*a9d5c273SSandrine Bailleux * Copyright (c) 2020, Arm Limited. All rights reserved. 3*a9d5c273SSandrine Bailleux * 4*a9d5c273SSandrine Bailleux * SPDX-License-Identifier: BSD-3-Clause 5*a9d5c273SSandrine Bailleux */ 6*a9d5c273SSandrine Bailleux 7*a9d5c273SSandrine Bailleux #include <dualroot_oid.h> 8*a9d5c273SSandrine Bailleux 9*a9d5c273SSandrine Bailleux #include "cert.h" 10*a9d5c273SSandrine Bailleux #include "ext.h" 11*a9d5c273SSandrine Bailleux #include "key.h" 12*a9d5c273SSandrine Bailleux 13*a9d5c273SSandrine Bailleux #include "dualroot/cot.h" 14*a9d5c273SSandrine Bailleux 15*a9d5c273SSandrine Bailleux /* 16*a9d5c273SSandrine Bailleux * Certificates used in the chain of trust. 17*a9d5c273SSandrine Bailleux * 18*a9d5c273SSandrine Bailleux * All certificates are self-signed so the issuer certificate field points to 19*a9d5c273SSandrine Bailleux * itself. 20*a9d5c273SSandrine Bailleux */ 21*a9d5c273SSandrine Bailleux static cert_t cot_certs[] = { 22*a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_CERT] = { 23*a9d5c273SSandrine Bailleux .id = TRUSTED_BOOT_FW_CERT, 24*a9d5c273SSandrine Bailleux .opt = "tb-fw-cert", 25*a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot FW Certificate (output file)", 26*a9d5c273SSandrine Bailleux .cn = "Trusted Boot FW Certificate", 27*a9d5c273SSandrine Bailleux .key = ROT_KEY, 28*a9d5c273SSandrine Bailleux .issuer = TRUSTED_BOOT_FW_CERT, 29*a9d5c273SSandrine Bailleux .ext = { 30*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 31*a9d5c273SSandrine Bailleux TRUSTED_BOOT_FW_HASH_EXT, 32*a9d5c273SSandrine Bailleux TRUSTED_BOOT_FW_CONFIG_HASH_EXT, 33*a9d5c273SSandrine Bailleux HW_CONFIG_HASH_EXT 34*a9d5c273SSandrine Bailleux }, 35*a9d5c273SSandrine Bailleux .num_ext = 4 36*a9d5c273SSandrine Bailleux }, 37*a9d5c273SSandrine Bailleux 38*a9d5c273SSandrine Bailleux [TRUSTED_KEY_CERT] = { 39*a9d5c273SSandrine Bailleux .id = TRUSTED_KEY_CERT, 40*a9d5c273SSandrine Bailleux .opt = "trusted-key-cert", 41*a9d5c273SSandrine Bailleux .help_msg = "Trusted Key Certificate (output file)", 42*a9d5c273SSandrine Bailleux .cn = "Trusted Key Certificate", 43*a9d5c273SSandrine Bailleux .key = ROT_KEY, 44*a9d5c273SSandrine Bailleux .issuer = TRUSTED_KEY_CERT, 45*a9d5c273SSandrine Bailleux .ext = { 46*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 47*a9d5c273SSandrine Bailleux TRUSTED_WORLD_PK_EXT, 48*a9d5c273SSandrine Bailleux }, 49*a9d5c273SSandrine Bailleux .num_ext = 2 50*a9d5c273SSandrine Bailleux }, 51*a9d5c273SSandrine Bailleux 52*a9d5c273SSandrine Bailleux [SCP_FW_KEY_CERT] = { 53*a9d5c273SSandrine Bailleux .id = SCP_FW_KEY_CERT, 54*a9d5c273SSandrine Bailleux .opt = "scp-fw-key-cert", 55*a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Key Certificate (output file)", 56*a9d5c273SSandrine Bailleux .cn = "SCP Firmware Key Certificate", 57*a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 58*a9d5c273SSandrine Bailleux .issuer = SCP_FW_KEY_CERT, 59*a9d5c273SSandrine Bailleux .ext = { 60*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 61*a9d5c273SSandrine Bailleux SCP_FW_CONTENT_CERT_PK_EXT 62*a9d5c273SSandrine Bailleux }, 63*a9d5c273SSandrine Bailleux .num_ext = 2 64*a9d5c273SSandrine Bailleux }, 65*a9d5c273SSandrine Bailleux 66*a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT] = { 67*a9d5c273SSandrine Bailleux .id = SCP_FW_CONTENT_CERT, 68*a9d5c273SSandrine Bailleux .opt = "scp-fw-cert", 69*a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Content Certificate (output file)", 70*a9d5c273SSandrine Bailleux .cn = "SCP Firmware Content Certificate", 71*a9d5c273SSandrine Bailleux .key = SCP_FW_CONTENT_CERT_KEY, 72*a9d5c273SSandrine Bailleux .issuer = SCP_FW_CONTENT_CERT, 73*a9d5c273SSandrine Bailleux .ext = { 74*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 75*a9d5c273SSandrine Bailleux SCP_FW_HASH_EXT 76*a9d5c273SSandrine Bailleux }, 77*a9d5c273SSandrine Bailleux .num_ext = 2 78*a9d5c273SSandrine Bailleux }, 79*a9d5c273SSandrine Bailleux 80*a9d5c273SSandrine Bailleux [SOC_FW_KEY_CERT] = { 81*a9d5c273SSandrine Bailleux .id = SOC_FW_KEY_CERT, 82*a9d5c273SSandrine Bailleux .opt = "soc-fw-key-cert", 83*a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Key Certificate (output file)", 84*a9d5c273SSandrine Bailleux .cn = "SoC Firmware Key Certificate", 85*a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 86*a9d5c273SSandrine Bailleux .issuer = SOC_FW_KEY_CERT, 87*a9d5c273SSandrine Bailleux .ext = { 88*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 89*a9d5c273SSandrine Bailleux SOC_FW_CONTENT_CERT_PK_EXT 90*a9d5c273SSandrine Bailleux }, 91*a9d5c273SSandrine Bailleux .num_ext = 2 92*a9d5c273SSandrine Bailleux }, 93*a9d5c273SSandrine Bailleux 94*a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT] = { 95*a9d5c273SSandrine Bailleux .id = SOC_FW_CONTENT_CERT, 96*a9d5c273SSandrine Bailleux .opt = "soc-fw-cert", 97*a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Content Certificate (output file)", 98*a9d5c273SSandrine Bailleux .cn = "SoC Firmware Content Certificate", 99*a9d5c273SSandrine Bailleux .key = SOC_FW_CONTENT_CERT_KEY, 100*a9d5c273SSandrine Bailleux .issuer = SOC_FW_CONTENT_CERT, 101*a9d5c273SSandrine Bailleux .ext = { 102*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 103*a9d5c273SSandrine Bailleux SOC_AP_FW_HASH_EXT, 104*a9d5c273SSandrine Bailleux SOC_FW_CONFIG_HASH_EXT, 105*a9d5c273SSandrine Bailleux }, 106*a9d5c273SSandrine Bailleux .num_ext = 3 107*a9d5c273SSandrine Bailleux }, 108*a9d5c273SSandrine Bailleux 109*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_KEY_CERT] = { 110*a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_KEY_CERT, 111*a9d5c273SSandrine Bailleux .opt = "tos-fw-key-cert", 112*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Key Certificate (output file)", 113*a9d5c273SSandrine Bailleux .cn = "Trusted OS Firmware Key Certificate", 114*a9d5c273SSandrine Bailleux .key = TRUSTED_WORLD_KEY, 115*a9d5c273SSandrine Bailleux .issuer = TRUSTED_OS_FW_KEY_CERT, 116*a9d5c273SSandrine Bailleux .ext = { 117*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 118*a9d5c273SSandrine Bailleux TRUSTED_OS_FW_CONTENT_CERT_PK_EXT 119*a9d5c273SSandrine Bailleux }, 120*a9d5c273SSandrine Bailleux .num_ext = 2 121*a9d5c273SSandrine Bailleux }, 122*a9d5c273SSandrine Bailleux 123*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT] = { 124*a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_CONTENT_CERT, 125*a9d5c273SSandrine Bailleux .opt = "tos-fw-cert", 126*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Content Certificate (output file)", 127*a9d5c273SSandrine Bailleux .cn = "Trusted OS Firmware Content Certificate", 128*a9d5c273SSandrine Bailleux .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, 129*a9d5c273SSandrine Bailleux .issuer = TRUSTED_OS_FW_CONTENT_CERT, 130*a9d5c273SSandrine Bailleux .ext = { 131*a9d5c273SSandrine Bailleux TRUSTED_FW_NVCOUNTER_EXT, 132*a9d5c273SSandrine Bailleux TRUSTED_OS_FW_HASH_EXT, 133*a9d5c273SSandrine Bailleux TRUSTED_OS_FW_EXTRA1_HASH_EXT, 134*a9d5c273SSandrine Bailleux TRUSTED_OS_FW_EXTRA2_HASH_EXT, 135*a9d5c273SSandrine Bailleux TRUSTED_OS_FW_CONFIG_HASH_EXT, 136*a9d5c273SSandrine Bailleux }, 137*a9d5c273SSandrine Bailleux .num_ext = 5 138*a9d5c273SSandrine Bailleux }, 139*a9d5c273SSandrine Bailleux 140*a9d5c273SSandrine Bailleux [FWU_CERT] = { 141*a9d5c273SSandrine Bailleux .id = FWU_CERT, 142*a9d5c273SSandrine Bailleux .opt = "fwu-cert", 143*a9d5c273SSandrine Bailleux .help_msg = "Firmware Update Certificate (output file)", 144*a9d5c273SSandrine Bailleux .cn = "Firmware Update Certificate", 145*a9d5c273SSandrine Bailleux .key = ROT_KEY, 146*a9d5c273SSandrine Bailleux .issuer = FWU_CERT, 147*a9d5c273SSandrine Bailleux .ext = { 148*a9d5c273SSandrine Bailleux SCP_FWU_CFG_HASH_EXT, 149*a9d5c273SSandrine Bailleux AP_FWU_CFG_HASH_EXT, 150*a9d5c273SSandrine Bailleux FWU_HASH_EXT 151*a9d5c273SSandrine Bailleux }, 152*a9d5c273SSandrine Bailleux .num_ext = 3 153*a9d5c273SSandrine Bailleux }, 154*a9d5c273SSandrine Bailleux 155*a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_CONTENT_CERT] = { 156*a9d5c273SSandrine Bailleux .id = NON_TRUSTED_FW_CONTENT_CERT, 157*a9d5c273SSandrine Bailleux .opt = "nt-fw-cert", 158*a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted Firmware Content Certificate (output file)", 159*a9d5c273SSandrine Bailleux .cn = "Non-Trusted Firmware Content Certificate", 160*a9d5c273SSandrine Bailleux .key = PROT_KEY, 161*a9d5c273SSandrine Bailleux .issuer = NON_TRUSTED_FW_CONTENT_CERT, 162*a9d5c273SSandrine Bailleux .ext = { 163*a9d5c273SSandrine Bailleux NON_TRUSTED_FW_NVCOUNTER_EXT, 164*a9d5c273SSandrine Bailleux NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, 165*a9d5c273SSandrine Bailleux NON_TRUSTED_FW_CONFIG_HASH_EXT, 166*a9d5c273SSandrine Bailleux PROT_PK_EXT, 167*a9d5c273SSandrine Bailleux }, 168*a9d5c273SSandrine Bailleux .num_ext = 4 169*a9d5c273SSandrine Bailleux }, 170*a9d5c273SSandrine Bailleux }; 171*a9d5c273SSandrine Bailleux 172*a9d5c273SSandrine Bailleux REGISTER_COT(cot_certs); 173*a9d5c273SSandrine Bailleux 174*a9d5c273SSandrine Bailleux 175*a9d5c273SSandrine Bailleux /* Certificate extensions. */ 176*a9d5c273SSandrine Bailleux static ext_t cot_ext[] = { 177*a9d5c273SSandrine Bailleux [TRUSTED_FW_NVCOUNTER_EXT] = { 178*a9d5c273SSandrine Bailleux .oid = TRUSTED_FW_NVCOUNTER_OID, 179*a9d5c273SSandrine Bailleux .opt = "tfw-nvctr", 180*a9d5c273SSandrine Bailleux .help_msg = "Trusted Firmware Non-Volatile counter value", 181*a9d5c273SSandrine Bailleux .sn = "TrustedWorldNVCounter", 182*a9d5c273SSandrine Bailleux .ln = "Trusted World Non-Volatile counter", 183*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_INTEGER, 184*a9d5c273SSandrine Bailleux .type = EXT_TYPE_NVCOUNTER, 185*a9d5c273SSandrine Bailleux .attr.nvctr_type = NVCTR_TYPE_TFW 186*a9d5c273SSandrine Bailleux }, 187*a9d5c273SSandrine Bailleux 188*a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_HASH_EXT] = { 189*a9d5c273SSandrine Bailleux .oid = TRUSTED_BOOT_FW_HASH_OID, 190*a9d5c273SSandrine Bailleux .opt = "tb-fw", 191*a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot Firmware image file", 192*a9d5c273SSandrine Bailleux .sn = "TrustedBootFirmwareHash", 193*a9d5c273SSandrine Bailleux .ln = "Trusted Boot Firmware hash (SHA256)", 194*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 195*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 196*a9d5c273SSandrine Bailleux }, 197*a9d5c273SSandrine Bailleux 198*a9d5c273SSandrine Bailleux [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = { 199*a9d5c273SSandrine Bailleux .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID, 200*a9d5c273SSandrine Bailleux .opt = "tb-fw-config", 201*a9d5c273SSandrine Bailleux .help_msg = "Trusted Boot Firmware Config file", 202*a9d5c273SSandrine Bailleux .sn = "TrustedBootFirmwareConfigHash", 203*a9d5c273SSandrine Bailleux .ln = "Trusted Boot Firmware Config hash", 204*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 205*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 206*a9d5c273SSandrine Bailleux .optional = 1 207*a9d5c273SSandrine Bailleux }, 208*a9d5c273SSandrine Bailleux 209*a9d5c273SSandrine Bailleux [HW_CONFIG_HASH_EXT] = { 210*a9d5c273SSandrine Bailleux .oid = HW_CONFIG_HASH_OID, 211*a9d5c273SSandrine Bailleux .opt = "hw-config", 212*a9d5c273SSandrine Bailleux .help_msg = "HW Config file", 213*a9d5c273SSandrine Bailleux .sn = "HWConfigHash", 214*a9d5c273SSandrine Bailleux .ln = "HW Config hash", 215*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 216*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 217*a9d5c273SSandrine Bailleux .optional = 1 218*a9d5c273SSandrine Bailleux }, 219*a9d5c273SSandrine Bailleux 220*a9d5c273SSandrine Bailleux [TRUSTED_WORLD_PK_EXT] = { 221*a9d5c273SSandrine Bailleux .oid = TRUSTED_WORLD_PK_OID, 222*a9d5c273SSandrine Bailleux .sn = "TrustedWorldPublicKey", 223*a9d5c273SSandrine Bailleux .ln = "Trusted World Public Key", 224*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 225*a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 226*a9d5c273SSandrine Bailleux .attr.key = TRUSTED_WORLD_KEY 227*a9d5c273SSandrine Bailleux }, 228*a9d5c273SSandrine Bailleux 229*a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT_PK_EXT] = { 230*a9d5c273SSandrine Bailleux .oid = SCP_FW_CONTENT_CERT_PK_OID, 231*a9d5c273SSandrine Bailleux .sn = "SCPFirmwareContentCertPK", 232*a9d5c273SSandrine Bailleux .ln = "SCP Firmware content certificate public key", 233*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 234*a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 235*a9d5c273SSandrine Bailleux .attr.key = SCP_FW_CONTENT_CERT_KEY 236*a9d5c273SSandrine Bailleux }, 237*a9d5c273SSandrine Bailleux 238*a9d5c273SSandrine Bailleux [SCP_FW_HASH_EXT] = { 239*a9d5c273SSandrine Bailleux .oid = SCP_FW_HASH_OID, 240*a9d5c273SSandrine Bailleux .opt = "scp-fw", 241*a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware image file", 242*a9d5c273SSandrine Bailleux .sn = "SCPFirmwareHash", 243*a9d5c273SSandrine Bailleux .ln = "SCP Firmware hash (SHA256)", 244*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 245*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 246*a9d5c273SSandrine Bailleux }, 247*a9d5c273SSandrine Bailleux 248*a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT_PK_EXT] = { 249*a9d5c273SSandrine Bailleux .oid = SOC_FW_CONTENT_CERT_PK_OID, 250*a9d5c273SSandrine Bailleux .sn = "SoCFirmwareContentCertPK", 251*a9d5c273SSandrine Bailleux .ln = "SoC Firmware content certificate public key", 252*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 253*a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 254*a9d5c273SSandrine Bailleux .attr.key = SOC_FW_CONTENT_CERT_KEY 255*a9d5c273SSandrine Bailleux }, 256*a9d5c273SSandrine Bailleux 257*a9d5c273SSandrine Bailleux [SOC_AP_FW_HASH_EXT] = { 258*a9d5c273SSandrine Bailleux .oid = SOC_AP_FW_HASH_OID, 259*a9d5c273SSandrine Bailleux .opt = "soc-fw", 260*a9d5c273SSandrine Bailleux .help_msg = "SoC AP Firmware image file", 261*a9d5c273SSandrine Bailleux .sn = "SoCAPFirmwareHash", 262*a9d5c273SSandrine Bailleux .ln = "SoC AP Firmware hash (SHA256)", 263*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 264*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 265*a9d5c273SSandrine Bailleux }, 266*a9d5c273SSandrine Bailleux 267*a9d5c273SSandrine Bailleux [SOC_FW_CONFIG_HASH_EXT] = { 268*a9d5c273SSandrine Bailleux .oid = SOC_FW_CONFIG_HASH_OID, 269*a9d5c273SSandrine Bailleux .opt = "soc-fw-config", 270*a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Config file", 271*a9d5c273SSandrine Bailleux .sn = "SocFirmwareConfigHash", 272*a9d5c273SSandrine Bailleux .ln = "SoC Firmware Config hash", 273*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 274*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 275*a9d5c273SSandrine Bailleux .optional = 1 276*a9d5c273SSandrine Bailleux }, 277*a9d5c273SSandrine Bailleux 278*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = { 279*a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID, 280*a9d5c273SSandrine Bailleux .sn = "TrustedOSFirmwareContentCertPK", 281*a9d5c273SSandrine Bailleux .ln = "Trusted OS Firmware content certificate public key", 282*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 283*a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 284*a9d5c273SSandrine Bailleux .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY 285*a9d5c273SSandrine Bailleux }, 286*a9d5c273SSandrine Bailleux 287*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_HASH_EXT] = { 288*a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_HASH_OID, 289*a9d5c273SSandrine Bailleux .opt = "tos-fw", 290*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS image file", 291*a9d5c273SSandrine Bailleux .sn = "TrustedOSHash", 292*a9d5c273SSandrine Bailleux .ln = "Trusted OS hash (SHA256)", 293*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 294*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 295*a9d5c273SSandrine Bailleux }, 296*a9d5c273SSandrine Bailleux 297*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = { 298*a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID, 299*a9d5c273SSandrine Bailleux .opt = "tos-fw-extra1", 300*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Extra1 image file", 301*a9d5c273SSandrine Bailleux .sn = "TrustedOSExtra1Hash", 302*a9d5c273SSandrine Bailleux .ln = "Trusted OS Extra1 hash (SHA256)", 303*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 304*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 305*a9d5c273SSandrine Bailleux .optional = 1 306*a9d5c273SSandrine Bailleux }, 307*a9d5c273SSandrine Bailleux 308*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = { 309*a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID, 310*a9d5c273SSandrine Bailleux .opt = "tos-fw-extra2", 311*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Extra2 image file", 312*a9d5c273SSandrine Bailleux .sn = "TrustedOSExtra2Hash", 313*a9d5c273SSandrine Bailleux .ln = "Trusted OS Extra2 hash (SHA256)", 314*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 315*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 316*a9d5c273SSandrine Bailleux .optional = 1 317*a9d5c273SSandrine Bailleux }, 318*a9d5c273SSandrine Bailleux 319*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONFIG_HASH_EXT] = { 320*a9d5c273SSandrine Bailleux .oid = TRUSTED_OS_FW_CONFIG_HASH_OID, 321*a9d5c273SSandrine Bailleux .opt = "tos-fw-config", 322*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Config file", 323*a9d5c273SSandrine Bailleux .sn = "TrustedOSFirmwareConfigHash", 324*a9d5c273SSandrine Bailleux .ln = "Trusted OS Firmware Config hash", 325*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 326*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 327*a9d5c273SSandrine Bailleux .optional = 1 328*a9d5c273SSandrine Bailleux }, 329*a9d5c273SSandrine Bailleux 330*a9d5c273SSandrine Bailleux [SCP_FWU_CFG_HASH_EXT] = { 331*a9d5c273SSandrine Bailleux .oid = SCP_FWU_CFG_HASH_OID, 332*a9d5c273SSandrine Bailleux .opt = "scp-fwu-cfg", 333*a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Update Config image file", 334*a9d5c273SSandrine Bailleux .sn = "SCPFWUpdateConfig", 335*a9d5c273SSandrine Bailleux .ln = "SCP Firmware Update Config hash (SHA256)", 336*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 337*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 338*a9d5c273SSandrine Bailleux .optional = 1 339*a9d5c273SSandrine Bailleux }, 340*a9d5c273SSandrine Bailleux 341*a9d5c273SSandrine Bailleux [AP_FWU_CFG_HASH_EXT] = { 342*a9d5c273SSandrine Bailleux .oid = AP_FWU_CFG_HASH_OID, 343*a9d5c273SSandrine Bailleux .opt = "ap-fwu-cfg", 344*a9d5c273SSandrine Bailleux .help_msg = "AP Firmware Update Config image file", 345*a9d5c273SSandrine Bailleux .sn = "APFWUpdateConfig", 346*a9d5c273SSandrine Bailleux .ln = "AP Firmware Update Config hash (SHA256)", 347*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 348*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 349*a9d5c273SSandrine Bailleux .optional = 1 350*a9d5c273SSandrine Bailleux }, 351*a9d5c273SSandrine Bailleux 352*a9d5c273SSandrine Bailleux [FWU_HASH_EXT] = { 353*a9d5c273SSandrine Bailleux .oid = FWU_HASH_OID, 354*a9d5c273SSandrine Bailleux .opt = "fwu", 355*a9d5c273SSandrine Bailleux .help_msg = "Firmware Updater image file", 356*a9d5c273SSandrine Bailleux .sn = "FWUpdaterHash", 357*a9d5c273SSandrine Bailleux .ln = "Firmware Updater hash (SHA256)", 358*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 359*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 360*a9d5c273SSandrine Bailleux .optional = 1 361*a9d5c273SSandrine Bailleux }, 362*a9d5c273SSandrine Bailleux 363*a9d5c273SSandrine Bailleux [PROT_PK_EXT] = { 364*a9d5c273SSandrine Bailleux .oid = PROT_PK_OID, 365*a9d5c273SSandrine Bailleux .sn = "PlatformRoTKey", 366*a9d5c273SSandrine Bailleux .ln = "Platform Root of Trust Public Key", 367*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 368*a9d5c273SSandrine Bailleux .type = EXT_TYPE_PKEY, 369*a9d5c273SSandrine Bailleux .attr.key = PROT_KEY 370*a9d5c273SSandrine Bailleux }, 371*a9d5c273SSandrine Bailleux 372*a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_NVCOUNTER_EXT] = { 373*a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_FW_NVCOUNTER_OID, 374*a9d5c273SSandrine Bailleux .opt = "ntfw-nvctr", 375*a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted Firmware Non-Volatile counter value", 376*a9d5c273SSandrine Bailleux .sn = "NormalWorldNVCounter", 377*a9d5c273SSandrine Bailleux .ln = "Non-Trusted Firmware Non-Volatile counter", 378*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_INTEGER, 379*a9d5c273SSandrine Bailleux .type = EXT_TYPE_NVCOUNTER, 380*a9d5c273SSandrine Bailleux .attr.nvctr_type = NVCTR_TYPE_NTFW 381*a9d5c273SSandrine Bailleux }, 382*a9d5c273SSandrine Bailleux 383*a9d5c273SSandrine Bailleux [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = { 384*a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID, 385*a9d5c273SSandrine Bailleux .opt = "nt-fw", 386*a9d5c273SSandrine Bailleux .help_msg = "Non-Trusted World Bootloader image file", 387*a9d5c273SSandrine Bailleux .sn = "NonTrustedWorldBootloaderHash", 388*a9d5c273SSandrine Bailleux .ln = "Non-Trusted World hash (SHA256)", 389*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 390*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH 391*a9d5c273SSandrine Bailleux }, 392*a9d5c273SSandrine Bailleux 393*a9d5c273SSandrine Bailleux [NON_TRUSTED_FW_CONFIG_HASH_EXT] = { 394*a9d5c273SSandrine Bailleux .oid = NON_TRUSTED_FW_CONFIG_HASH_OID, 395*a9d5c273SSandrine Bailleux .opt = "nt-fw-config", 396*a9d5c273SSandrine Bailleux .help_msg = "Non Trusted OS Firmware Config file", 397*a9d5c273SSandrine Bailleux .sn = "NonTrustedOSFirmwareConfigHash", 398*a9d5c273SSandrine Bailleux .ln = "Non-Trusted OS Firmware Config hash", 399*a9d5c273SSandrine Bailleux .asn1_type = V_ASN1_OCTET_STRING, 400*a9d5c273SSandrine Bailleux .type = EXT_TYPE_HASH, 401*a9d5c273SSandrine Bailleux .optional = 1 402*a9d5c273SSandrine Bailleux }, 403*a9d5c273SSandrine Bailleux }; 404*a9d5c273SSandrine Bailleux 405*a9d5c273SSandrine Bailleux REGISTER_EXTENSIONS(cot_ext); 406*a9d5c273SSandrine Bailleux 407*a9d5c273SSandrine Bailleux 408*a9d5c273SSandrine Bailleux /* Keys used to establish the chain of trust. */ 409*a9d5c273SSandrine Bailleux static key_t cot_keys[] = { 410*a9d5c273SSandrine Bailleux [ROT_KEY] = { 411*a9d5c273SSandrine Bailleux .id = ROT_KEY, 412*a9d5c273SSandrine Bailleux .opt = "rot-key", 413*a9d5c273SSandrine Bailleux .help_msg = "Root Of Trust key (input/output file)", 414*a9d5c273SSandrine Bailleux .desc = "Root Of Trust key" 415*a9d5c273SSandrine Bailleux }, 416*a9d5c273SSandrine Bailleux 417*a9d5c273SSandrine Bailleux [TRUSTED_WORLD_KEY] = { 418*a9d5c273SSandrine Bailleux .id = TRUSTED_WORLD_KEY, 419*a9d5c273SSandrine Bailleux .opt = "trusted-world-key", 420*a9d5c273SSandrine Bailleux .help_msg = "Trusted World key (input/output file)", 421*a9d5c273SSandrine Bailleux .desc = "Trusted World key" 422*a9d5c273SSandrine Bailleux }, 423*a9d5c273SSandrine Bailleux 424*a9d5c273SSandrine Bailleux [SCP_FW_CONTENT_CERT_KEY] = { 425*a9d5c273SSandrine Bailleux .id = SCP_FW_CONTENT_CERT_KEY, 426*a9d5c273SSandrine Bailleux .opt = "scp-fw-key", 427*a9d5c273SSandrine Bailleux .help_msg = "SCP Firmware Content Certificate key (input/output file)", 428*a9d5c273SSandrine Bailleux .desc = "SCP Firmware Content Certificate key" 429*a9d5c273SSandrine Bailleux }, 430*a9d5c273SSandrine Bailleux 431*a9d5c273SSandrine Bailleux [SOC_FW_CONTENT_CERT_KEY] = { 432*a9d5c273SSandrine Bailleux .id = SOC_FW_CONTENT_CERT_KEY, 433*a9d5c273SSandrine Bailleux .opt = "soc-fw-key", 434*a9d5c273SSandrine Bailleux .help_msg = "SoC Firmware Content Certificate key (input/output file)", 435*a9d5c273SSandrine Bailleux .desc = "SoC Firmware Content Certificate key" 436*a9d5c273SSandrine Bailleux }, 437*a9d5c273SSandrine Bailleux 438*a9d5c273SSandrine Bailleux [TRUSTED_OS_FW_CONTENT_CERT_KEY] = { 439*a9d5c273SSandrine Bailleux .id = TRUSTED_OS_FW_CONTENT_CERT_KEY, 440*a9d5c273SSandrine Bailleux .opt = "tos-fw-key", 441*a9d5c273SSandrine Bailleux .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)", 442*a9d5c273SSandrine Bailleux .desc = "Trusted OS Firmware Content Certificate key" 443*a9d5c273SSandrine Bailleux }, 444*a9d5c273SSandrine Bailleux 445*a9d5c273SSandrine Bailleux [PROT_KEY] = { 446*a9d5c273SSandrine Bailleux .id = PROT_KEY, 447*a9d5c273SSandrine Bailleux .opt = "prot-key", 448*a9d5c273SSandrine Bailleux .help_msg = "Platform Root of Trust key", 449*a9d5c273SSandrine Bailleux .desc = "Platform Root of Trust key" 450*a9d5c273SSandrine Bailleux }, 451*a9d5c273SSandrine Bailleux }; 452*a9d5c273SSandrine Bailleux 453*a9d5c273SSandrine Bailleux REGISTER_KEYS(cot_keys); 454