1 /* 2 * Copyright (c) 2020, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <dualroot_oid.h> 8 9 #include "cert.h" 10 #include "ext.h" 11 #include "key.h" 12 13 #include "dualroot/cot.h" 14 15 /* 16 * Certificates used in the chain of trust. 17 * 18 * All certificates are self-signed so the issuer certificate field points to 19 * itself. 20 */ 21 static cert_t cot_certs[] = { 22 [TRUSTED_BOOT_FW_CERT] = { 23 .id = TRUSTED_BOOT_FW_CERT, 24 .opt = "tb-fw-cert", 25 .help_msg = "Trusted Boot FW Certificate (output file)", 26 .cn = "Trusted Boot FW Certificate", 27 .key = ROT_KEY, 28 .issuer = TRUSTED_BOOT_FW_CERT, 29 .ext = { 30 TRUSTED_FW_NVCOUNTER_EXT, 31 TRUSTED_BOOT_FW_HASH_EXT, 32 TRUSTED_BOOT_FW_CONFIG_HASH_EXT, 33 HW_CONFIG_HASH_EXT, 34 FW_CONFIG_HASH_EXT 35 }, 36 .num_ext = 5 37 }, 38 39 [TRUSTED_KEY_CERT] = { 40 .id = TRUSTED_KEY_CERT, 41 .opt = "trusted-key-cert", 42 .help_msg = "Trusted Key Certificate (output file)", 43 .cn = "Trusted Key Certificate", 44 .key = ROT_KEY, 45 .issuer = TRUSTED_KEY_CERT, 46 .ext = { 47 TRUSTED_FW_NVCOUNTER_EXT, 48 TRUSTED_WORLD_PK_EXT, 49 }, 50 .num_ext = 2 51 }, 52 53 [SCP_FW_KEY_CERT] = { 54 .id = SCP_FW_KEY_CERT, 55 .opt = "scp-fw-key-cert", 56 .help_msg = "SCP Firmware Key Certificate (output file)", 57 .cn = "SCP Firmware Key Certificate", 58 .key = TRUSTED_WORLD_KEY, 59 .issuer = SCP_FW_KEY_CERT, 60 .ext = { 61 TRUSTED_FW_NVCOUNTER_EXT, 62 SCP_FW_CONTENT_CERT_PK_EXT 63 }, 64 .num_ext = 2 65 }, 66 67 [SCP_FW_CONTENT_CERT] = { 68 .id = SCP_FW_CONTENT_CERT, 69 .opt = "scp-fw-cert", 70 .help_msg = "SCP Firmware Content Certificate (output file)", 71 .cn = "SCP Firmware Content Certificate", 72 .key = SCP_FW_CONTENT_CERT_KEY, 73 .issuer = SCP_FW_CONTENT_CERT, 74 .ext = { 75 TRUSTED_FW_NVCOUNTER_EXT, 76 SCP_FW_HASH_EXT 77 }, 78 .num_ext = 2 79 }, 80 81 [SOC_FW_KEY_CERT] = { 82 .id = SOC_FW_KEY_CERT, 83 .opt = "soc-fw-key-cert", 84 .help_msg = "SoC Firmware Key Certificate (output file)", 85 .cn = "SoC Firmware Key Certificate", 86 .key = TRUSTED_WORLD_KEY, 87 .issuer = SOC_FW_KEY_CERT, 88 .ext = { 89 TRUSTED_FW_NVCOUNTER_EXT, 90 SOC_FW_CONTENT_CERT_PK_EXT 91 }, 92 .num_ext = 2 93 }, 94 95 [SOC_FW_CONTENT_CERT] = { 96 .id = SOC_FW_CONTENT_CERT, 97 .opt = "soc-fw-cert", 98 .help_msg = "SoC Firmware Content Certificate (output file)", 99 .cn = "SoC Firmware Content Certificate", 100 .key = SOC_FW_CONTENT_CERT_KEY, 101 .issuer = SOC_FW_CONTENT_CERT, 102 .ext = { 103 TRUSTED_FW_NVCOUNTER_EXT, 104 SOC_AP_FW_HASH_EXT, 105 SOC_FW_CONFIG_HASH_EXT, 106 }, 107 .num_ext = 3 108 }, 109 110 [TRUSTED_OS_FW_KEY_CERT] = { 111 .id = TRUSTED_OS_FW_KEY_CERT, 112 .opt = "tos-fw-key-cert", 113 .help_msg = "Trusted OS Firmware Key Certificate (output file)", 114 .cn = "Trusted OS Firmware Key Certificate", 115 .key = TRUSTED_WORLD_KEY, 116 .issuer = TRUSTED_OS_FW_KEY_CERT, 117 .ext = { 118 TRUSTED_FW_NVCOUNTER_EXT, 119 TRUSTED_OS_FW_CONTENT_CERT_PK_EXT 120 }, 121 .num_ext = 2 122 }, 123 124 [TRUSTED_OS_FW_CONTENT_CERT] = { 125 .id = TRUSTED_OS_FW_CONTENT_CERT, 126 .opt = "tos-fw-cert", 127 .help_msg = "Trusted OS Firmware Content Certificate (output file)", 128 .cn = "Trusted OS Firmware Content Certificate", 129 .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, 130 .issuer = TRUSTED_OS_FW_CONTENT_CERT, 131 .ext = { 132 TRUSTED_FW_NVCOUNTER_EXT, 133 TRUSTED_OS_FW_HASH_EXT, 134 TRUSTED_OS_FW_EXTRA1_HASH_EXT, 135 TRUSTED_OS_FW_EXTRA2_HASH_EXT, 136 TRUSTED_OS_FW_CONFIG_HASH_EXT, 137 }, 138 .num_ext = 5 139 }, 140 141 [SIP_SECURE_PARTITION_CONTENT_CERT] = { 142 .id = SIP_SECURE_PARTITION_CONTENT_CERT, 143 .opt = "sip-sp-cert", 144 .help_msg = "SiP owned Secure Partition Content Certificate (output file)", 145 .fn = NULL, 146 .cn = "SiP owned Secure Partition Content Certificate", 147 .key = TRUSTED_WORLD_KEY, 148 .issuer = SIP_SECURE_PARTITION_CONTENT_CERT, 149 .ext = { 150 TRUSTED_FW_NVCOUNTER_EXT, 151 SP_PKG1_HASH_EXT, 152 SP_PKG2_HASH_EXT, 153 SP_PKG3_HASH_EXT, 154 SP_PKG4_HASH_EXT, 155 SP_PKG5_HASH_EXT, 156 SP_PKG6_HASH_EXT, 157 SP_PKG7_HASH_EXT, 158 SP_PKG8_HASH_EXT, 159 }, 160 .num_ext = 9 161 }, 162 163 [FWU_CERT] = { 164 .id = FWU_CERT, 165 .opt = "fwu-cert", 166 .help_msg = "Firmware Update Certificate (output file)", 167 .cn = "Firmware Update Certificate", 168 .key = ROT_KEY, 169 .issuer = FWU_CERT, 170 .ext = { 171 SCP_FWU_CFG_HASH_EXT, 172 AP_FWU_CFG_HASH_EXT, 173 FWU_HASH_EXT 174 }, 175 .num_ext = 3 176 }, 177 178 [NON_TRUSTED_FW_CONTENT_CERT] = { 179 .id = NON_TRUSTED_FW_CONTENT_CERT, 180 .opt = "nt-fw-cert", 181 .help_msg = "Non-Trusted Firmware Content Certificate (output file)", 182 .cn = "Non-Trusted Firmware Content Certificate", 183 .key = PROT_KEY, 184 .issuer = NON_TRUSTED_FW_CONTENT_CERT, 185 .ext = { 186 NON_TRUSTED_FW_NVCOUNTER_EXT, 187 NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, 188 NON_TRUSTED_FW_CONFIG_HASH_EXT, 189 PROT_PK_EXT, 190 }, 191 .num_ext = 4 192 }, 193 }; 194 195 REGISTER_COT(cot_certs); 196 197 198 /* Certificate extensions. */ 199 static ext_t cot_ext[] = { 200 [TRUSTED_FW_NVCOUNTER_EXT] = { 201 .oid = TRUSTED_FW_NVCOUNTER_OID, 202 .opt = "tfw-nvctr", 203 .help_msg = "Trusted Firmware Non-Volatile counter value", 204 .sn = "TrustedWorldNVCounter", 205 .ln = "Trusted World Non-Volatile counter", 206 .asn1_type = V_ASN1_INTEGER, 207 .type = EXT_TYPE_NVCOUNTER, 208 .attr.nvctr_type = NVCTR_TYPE_TFW 209 }, 210 211 [TRUSTED_BOOT_FW_HASH_EXT] = { 212 .oid = TRUSTED_BOOT_FW_HASH_OID, 213 .opt = "tb-fw", 214 .help_msg = "Trusted Boot Firmware image file", 215 .sn = "TrustedBootFirmwareHash", 216 .ln = "Trusted Boot Firmware hash (SHA256)", 217 .asn1_type = V_ASN1_OCTET_STRING, 218 .type = EXT_TYPE_HASH 219 }, 220 221 [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = { 222 .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID, 223 .opt = "tb-fw-config", 224 .help_msg = "Trusted Boot Firmware Config file", 225 .sn = "TrustedBootFirmwareConfigHash", 226 .ln = "Trusted Boot Firmware Config hash", 227 .asn1_type = V_ASN1_OCTET_STRING, 228 .type = EXT_TYPE_HASH, 229 .optional = 1 230 }, 231 232 [HW_CONFIG_HASH_EXT] = { 233 .oid = HW_CONFIG_HASH_OID, 234 .opt = "hw-config", 235 .help_msg = "HW Config file", 236 .sn = "HWConfigHash", 237 .ln = "HW Config hash", 238 .asn1_type = V_ASN1_OCTET_STRING, 239 .type = EXT_TYPE_HASH, 240 .optional = 1 241 }, 242 243 [FW_CONFIG_HASH_EXT] = { 244 .oid = FW_CONFIG_HASH_OID, 245 .opt = "fw-config", 246 .help_msg = "Firmware Config file", 247 .sn = "FirmwareConfigHash", 248 .ln = "Firmware Config hash", 249 .asn1_type = V_ASN1_OCTET_STRING, 250 .type = EXT_TYPE_HASH, 251 .optional = 1 252 }, 253 254 [TRUSTED_WORLD_PK_EXT] = { 255 .oid = TRUSTED_WORLD_PK_OID, 256 .sn = "TrustedWorldPublicKey", 257 .ln = "Trusted World Public Key", 258 .asn1_type = V_ASN1_OCTET_STRING, 259 .type = EXT_TYPE_PKEY, 260 .attr.key = TRUSTED_WORLD_KEY 261 }, 262 263 [SCP_FW_CONTENT_CERT_PK_EXT] = { 264 .oid = SCP_FW_CONTENT_CERT_PK_OID, 265 .sn = "SCPFirmwareContentCertPK", 266 .ln = "SCP Firmware content certificate public key", 267 .asn1_type = V_ASN1_OCTET_STRING, 268 .type = EXT_TYPE_PKEY, 269 .attr.key = SCP_FW_CONTENT_CERT_KEY 270 }, 271 272 [SCP_FW_HASH_EXT] = { 273 .oid = SCP_FW_HASH_OID, 274 .opt = "scp-fw", 275 .help_msg = "SCP Firmware image file", 276 .sn = "SCPFirmwareHash", 277 .ln = "SCP Firmware hash (SHA256)", 278 .asn1_type = V_ASN1_OCTET_STRING, 279 .type = EXT_TYPE_HASH 280 }, 281 282 [SOC_FW_CONTENT_CERT_PK_EXT] = { 283 .oid = SOC_FW_CONTENT_CERT_PK_OID, 284 .sn = "SoCFirmwareContentCertPK", 285 .ln = "SoC Firmware content certificate public key", 286 .asn1_type = V_ASN1_OCTET_STRING, 287 .type = EXT_TYPE_PKEY, 288 .attr.key = SOC_FW_CONTENT_CERT_KEY 289 }, 290 291 [SOC_AP_FW_HASH_EXT] = { 292 .oid = SOC_AP_FW_HASH_OID, 293 .opt = "soc-fw", 294 .help_msg = "SoC AP Firmware image file", 295 .sn = "SoCAPFirmwareHash", 296 .ln = "SoC AP Firmware hash (SHA256)", 297 .asn1_type = V_ASN1_OCTET_STRING, 298 .type = EXT_TYPE_HASH 299 }, 300 301 [SOC_FW_CONFIG_HASH_EXT] = { 302 .oid = SOC_FW_CONFIG_HASH_OID, 303 .opt = "soc-fw-config", 304 .help_msg = "SoC Firmware Config file", 305 .sn = "SocFirmwareConfigHash", 306 .ln = "SoC Firmware Config hash", 307 .asn1_type = V_ASN1_OCTET_STRING, 308 .type = EXT_TYPE_HASH, 309 .optional = 1 310 }, 311 312 [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = { 313 .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID, 314 .sn = "TrustedOSFirmwareContentCertPK", 315 .ln = "Trusted OS Firmware content certificate public key", 316 .asn1_type = V_ASN1_OCTET_STRING, 317 .type = EXT_TYPE_PKEY, 318 .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY 319 }, 320 321 [TRUSTED_OS_FW_HASH_EXT] = { 322 .oid = TRUSTED_OS_FW_HASH_OID, 323 .opt = "tos-fw", 324 .help_msg = "Trusted OS image file", 325 .sn = "TrustedOSHash", 326 .ln = "Trusted OS hash (SHA256)", 327 .asn1_type = V_ASN1_OCTET_STRING, 328 .type = EXT_TYPE_HASH 329 }, 330 331 [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = { 332 .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID, 333 .opt = "tos-fw-extra1", 334 .help_msg = "Trusted OS Extra1 image file", 335 .sn = "TrustedOSExtra1Hash", 336 .ln = "Trusted OS Extra1 hash (SHA256)", 337 .asn1_type = V_ASN1_OCTET_STRING, 338 .type = EXT_TYPE_HASH, 339 .optional = 1 340 }, 341 342 [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = { 343 .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID, 344 .opt = "tos-fw-extra2", 345 .help_msg = "Trusted OS Extra2 image file", 346 .sn = "TrustedOSExtra2Hash", 347 .ln = "Trusted OS Extra2 hash (SHA256)", 348 .asn1_type = V_ASN1_OCTET_STRING, 349 .type = EXT_TYPE_HASH, 350 .optional = 1 351 }, 352 353 [TRUSTED_OS_FW_CONFIG_HASH_EXT] = { 354 .oid = TRUSTED_OS_FW_CONFIG_HASH_OID, 355 .opt = "tos-fw-config", 356 .help_msg = "Trusted OS Firmware Config file", 357 .sn = "TrustedOSFirmwareConfigHash", 358 .ln = "Trusted OS Firmware Config hash", 359 .asn1_type = V_ASN1_OCTET_STRING, 360 .type = EXT_TYPE_HASH, 361 .optional = 1 362 }, 363 364 [SP_PKG1_HASH_EXT] = { 365 .oid = SP_PKG1_HASH_OID, 366 .opt = "sp-pkg1", 367 .help_msg = "Secure Partition Package1 file", 368 .sn = "SPPkg1Hash", 369 .ln = "SP Pkg1 hash (SHA256)", 370 .asn1_type = V_ASN1_OCTET_STRING, 371 .type = EXT_TYPE_HASH, 372 .optional = 1 373 }, 374 [SP_PKG2_HASH_EXT] = { 375 .oid = SP_PKG2_HASH_OID, 376 .opt = "sp-pkg2", 377 .help_msg = "Secure Partition Package2 file", 378 .sn = "SPPkg2Hash", 379 .ln = "SP Pkg2 hash (SHA256)", 380 .asn1_type = V_ASN1_OCTET_STRING, 381 .type = EXT_TYPE_HASH, 382 .optional = 1 383 }, 384 [SP_PKG3_HASH_EXT] = { 385 .oid = SP_PKG3_HASH_OID, 386 .opt = "sp-pkg3", 387 .help_msg = "Secure Partition Package3 file", 388 .sn = "SPPkg3Hash", 389 .ln = "SP Pkg3 hash (SHA256)", 390 .asn1_type = V_ASN1_OCTET_STRING, 391 .type = EXT_TYPE_HASH, 392 .optional = 1 393 }, 394 [SP_PKG4_HASH_EXT] = { 395 .oid = SP_PKG4_HASH_OID, 396 .opt = "sp-pkg4", 397 .help_msg = "Secure Partition Package4 file", 398 .sn = "SPPkg4Hash", 399 .ln = "SP Pkg4 hash (SHA256)", 400 .asn1_type = V_ASN1_OCTET_STRING, 401 .type = EXT_TYPE_HASH, 402 .optional = 1 403 }, 404 [SP_PKG5_HASH_EXT] = { 405 .oid = SP_PKG5_HASH_OID, 406 .opt = "sp-pkg5", 407 .help_msg = "Secure Partition Package5 file", 408 .sn = "SPPkg5Hash", 409 .ln = "SP Pkg5 hash (SHA256)", 410 .asn1_type = V_ASN1_OCTET_STRING, 411 .type = EXT_TYPE_HASH, 412 .optional = 1 413 }, 414 [SP_PKG6_HASH_EXT] = { 415 .oid = SP_PKG6_HASH_OID, 416 .opt = "sp-pkg6", 417 .help_msg = "Secure Partition Package6 file", 418 .sn = "SPPkg6Hash", 419 .ln = "SP Pkg6 hash (SHA256)", 420 .asn1_type = V_ASN1_OCTET_STRING, 421 .type = EXT_TYPE_HASH, 422 .optional = 1 423 }, 424 [SP_PKG7_HASH_EXT] = { 425 .oid = SP_PKG7_HASH_OID, 426 .opt = "sp-pkg7", 427 .help_msg = "Secure Partition Package7 file", 428 .sn = "SPPkg7Hash", 429 .ln = "SP Pkg7 hash (SHA256)", 430 .asn1_type = V_ASN1_OCTET_STRING, 431 .type = EXT_TYPE_HASH, 432 .optional = 1 433 }, 434 [SP_PKG8_HASH_EXT] = { 435 .oid = SP_PKG8_HASH_OID, 436 .opt = "sp-pkg8", 437 .help_msg = "Secure Partition Package8 file", 438 .sn = "SPPkg8Hash", 439 .ln = "SP Pkg8 hash (SHA256)", 440 .asn1_type = V_ASN1_OCTET_STRING, 441 .type = EXT_TYPE_HASH, 442 .optional = 1 443 }, 444 445 [SCP_FWU_CFG_HASH_EXT] = { 446 .oid = SCP_FWU_CFG_HASH_OID, 447 .opt = "scp-fwu-cfg", 448 .help_msg = "SCP Firmware Update Config image file", 449 .sn = "SCPFWUpdateConfig", 450 .ln = "SCP Firmware Update Config hash (SHA256)", 451 .asn1_type = V_ASN1_OCTET_STRING, 452 .type = EXT_TYPE_HASH, 453 .optional = 1 454 }, 455 456 [AP_FWU_CFG_HASH_EXT] = { 457 .oid = AP_FWU_CFG_HASH_OID, 458 .opt = "ap-fwu-cfg", 459 .help_msg = "AP Firmware Update Config image file", 460 .sn = "APFWUpdateConfig", 461 .ln = "AP Firmware Update Config hash (SHA256)", 462 .asn1_type = V_ASN1_OCTET_STRING, 463 .type = EXT_TYPE_HASH, 464 .optional = 1 465 }, 466 467 [FWU_HASH_EXT] = { 468 .oid = FWU_HASH_OID, 469 .opt = "fwu", 470 .help_msg = "Firmware Updater image file", 471 .sn = "FWUpdaterHash", 472 .ln = "Firmware Updater hash (SHA256)", 473 .asn1_type = V_ASN1_OCTET_STRING, 474 .type = EXT_TYPE_HASH, 475 .optional = 1 476 }, 477 478 [PROT_PK_EXT] = { 479 .oid = PROT_PK_OID, 480 .sn = "PlatformRoTKey", 481 .ln = "Platform Root of Trust Public Key", 482 .asn1_type = V_ASN1_OCTET_STRING, 483 .type = EXT_TYPE_PKEY, 484 .attr.key = PROT_KEY 485 }, 486 487 [NON_TRUSTED_FW_NVCOUNTER_EXT] = { 488 .oid = NON_TRUSTED_FW_NVCOUNTER_OID, 489 .opt = "ntfw-nvctr", 490 .help_msg = "Non-Trusted Firmware Non-Volatile counter value", 491 .sn = "NormalWorldNVCounter", 492 .ln = "Non-Trusted Firmware Non-Volatile counter", 493 .asn1_type = V_ASN1_INTEGER, 494 .type = EXT_TYPE_NVCOUNTER, 495 .attr.nvctr_type = NVCTR_TYPE_NTFW 496 }, 497 498 [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = { 499 .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID, 500 .opt = "nt-fw", 501 .help_msg = "Non-Trusted World Bootloader image file", 502 .sn = "NonTrustedWorldBootloaderHash", 503 .ln = "Non-Trusted World hash (SHA256)", 504 .asn1_type = V_ASN1_OCTET_STRING, 505 .type = EXT_TYPE_HASH 506 }, 507 508 [NON_TRUSTED_FW_CONFIG_HASH_EXT] = { 509 .oid = NON_TRUSTED_FW_CONFIG_HASH_OID, 510 .opt = "nt-fw-config", 511 .help_msg = "Non Trusted OS Firmware Config file", 512 .sn = "NonTrustedOSFirmwareConfigHash", 513 .ln = "Non-Trusted OS Firmware Config hash", 514 .asn1_type = V_ASN1_OCTET_STRING, 515 .type = EXT_TYPE_HASH, 516 .optional = 1 517 }, 518 }; 519 520 REGISTER_EXTENSIONS(cot_ext); 521 522 523 /* Keys used to establish the chain of trust. */ 524 static key_t cot_keys[] = { 525 [ROT_KEY] = { 526 .id = ROT_KEY, 527 .opt = "rot-key", 528 .help_msg = "Root Of Trust key (input/output file)", 529 .desc = "Root Of Trust key" 530 }, 531 532 [TRUSTED_WORLD_KEY] = { 533 .id = TRUSTED_WORLD_KEY, 534 .opt = "trusted-world-key", 535 .help_msg = "Trusted World key (input/output file)", 536 .desc = "Trusted World key" 537 }, 538 539 [SCP_FW_CONTENT_CERT_KEY] = { 540 .id = SCP_FW_CONTENT_CERT_KEY, 541 .opt = "scp-fw-key", 542 .help_msg = "SCP Firmware Content Certificate key (input/output file)", 543 .desc = "SCP Firmware Content Certificate key" 544 }, 545 546 [SOC_FW_CONTENT_CERT_KEY] = { 547 .id = SOC_FW_CONTENT_CERT_KEY, 548 .opt = "soc-fw-key", 549 .help_msg = "SoC Firmware Content Certificate key (input/output file)", 550 .desc = "SoC Firmware Content Certificate key" 551 }, 552 553 [TRUSTED_OS_FW_CONTENT_CERT_KEY] = { 554 .id = TRUSTED_OS_FW_CONTENT_CERT_KEY, 555 .opt = "tos-fw-key", 556 .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)", 557 .desc = "Trusted OS Firmware Content Certificate key" 558 }, 559 560 [PROT_KEY] = { 561 .id = PROT_KEY, 562 .opt = "prot-key", 563 .help_msg = "Platform Root of Trust key", 564 .desc = "Platform Root of Trust key" 565 }, 566 }; 567 568 REGISTER_KEYS(cot_keys); 569