1 /*
2  * Copyright (c) 2020, Arm Limited. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <dualroot_oid.h>
8 
9 #include "cert.h"
10 #include "ext.h"
11 #include "key.h"
12 
13 #include "dualroot/cot.h"
14 
/*
 * Certificate templates for the dual-root chain of trust.
 *
 * Each entry lists itself as .issuer, so every certificate is self-signed.
 * The links between certificates visible in this file are therefore made
 * through keys rather than through issuer fields:
 *
 *   ROT_KEY            -> TRUSTED_BOOT_FW_CERT, TRUSTED_KEY_CERT, FWU_CERT
 *   TRUSTED_WORLD_KEY  -> SCP/SoC/Trusted OS firmware *key* certificates
 *   *_CONTENT_CERT_KEY -> the matching firmware *content* certificate
 *   PROT_KEY           -> NON_TRUSTED_FW_CONTENT_CERT (second root)
 *
 * A key certificate carries the public key of the next level as an
 * EXT_TYPE_PKEY extension (see cot_ext); a content certificate carries the
 * image hashes.
 *
 * NOTE(review): .key is presumably both the subject key and, because the
 * certificate is self-signed, the signing key -- confirm against the
 * certificate generation code.
 *
 * .num_ext has to be kept equal to the number of initialisers in .ext by
 * hand; nothing in this file checks it.
 */
static cert_t cot_certs[] = {
	/* ---- Certificates keyed by ROT_KEY ---- */

	[TRUSTED_BOOT_FW_CERT] = {
		.id = TRUSTED_BOOT_FW_CERT,
		.opt = "tb-fw-cert",
		.help_msg = "Trusted Boot FW Certificate (output file)",
		.cn = "Trusted Boot FW Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_BOOT_FW_CERT,
		.num_ext = 4,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
		},
	},

	/* Publishes TRUSTED_WORLD_KEY (via TRUSTED_WORLD_PK_EXT) under ROT_KEY. */
	[TRUSTED_KEY_CERT] = {
		.id = TRUSTED_KEY_CERT,
		.opt = "trusted-key-cert",
		.help_msg = "Trusted Key Certificate (output file)",
		.cn = "Trusted Key Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_KEY_CERT,
		.num_ext = 2,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_WORLD_PK_EXT,
		},
	},

	/* ---- SCP firmware: key certificate, then content certificate ---- */

	[SCP_FW_KEY_CERT] = {
		.id = SCP_FW_KEY_CERT,
		.opt = "scp-fw-key-cert",
		.help_msg = "SCP Firmware Key Certificate (output file)",
		.cn = "SCP Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SCP_FW_KEY_CERT,
		.num_ext = 2,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_CONTENT_CERT_PK_EXT,
		},
	},

	[SCP_FW_CONTENT_CERT] = {
		.id = SCP_FW_CONTENT_CERT,
		.opt = "scp-fw-cert",
		.help_msg = "SCP Firmware Content Certificate (output file)",
		.cn = "SCP Firmware Content Certificate",
		.key = SCP_FW_CONTENT_CERT_KEY,
		.issuer = SCP_FW_CONTENT_CERT,
		.num_ext = 2,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_HASH_EXT,
		},
	},

	/* ---- SoC firmware: key certificate, then content certificate ---- */

	[SOC_FW_KEY_CERT] = {
		.id = SOC_FW_KEY_CERT,
		.opt = "soc-fw-key-cert",
		.help_msg = "SoC Firmware Key Certificate (output file)",
		.cn = "SoC Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SOC_FW_KEY_CERT,
		.num_ext = 2,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_FW_CONTENT_CERT_PK_EXT,
		},
	},

	[SOC_FW_CONTENT_CERT] = {
		.id = SOC_FW_CONTENT_CERT,
		.opt = "soc-fw-cert",
		.help_msg = "SoC Firmware Content Certificate (output file)",
		.cn = "SoC Firmware Content Certificate",
		.key = SOC_FW_CONTENT_CERT_KEY,
		.issuer = SOC_FW_CONTENT_CERT,
		.num_ext = 3,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
		},
	},

	/* ---- Trusted OS firmware: key certificate, then content certificate ---- */

	[TRUSTED_OS_FW_KEY_CERT] = {
		.id = TRUSTED_OS_FW_KEY_CERT,
		.opt = "tos-fw-key-cert",
		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
		.cn = "Trusted OS Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = TRUSTED_OS_FW_KEY_CERT,
		.num_ext = 2,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
		},
	},

	[TRUSTED_OS_FW_CONTENT_CERT] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
		.cn = "Trusted OS Firmware Content Certificate",
		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
		.num_ext = 5,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
	},

	/*
	 * Firmware update certificate, keyed by ROT_KEY.
	 *
	 * NOTE(review): this is the only entry whose extension list contains no
	 * NV counter extension, and all three of its hash extensions are marked
	 * .optional in cot_ext -- confirm that both are intended.
	 */
	[FWU_CERT] = {
		.id = FWU_CERT,
		.opt = "fwu-cert",
		.help_msg = "Firmware Update Certificate (output file)",
		.cn = "Firmware Update Certificate",
		.key = ROT_KEY,
		.issuer = FWU_CERT,
		.num_ext = 3,
		.ext = {
			SCP_FWU_CFG_HASH_EXT,
			AP_FWU_CFG_HASH_EXT,
			FWU_HASH_EXT,
		},
	},

	/*
	 * Second root: keyed by PROT_KEY rather than by anything derived from
	 * ROT_KEY. There is no separate non-trusted key certificate in this
	 * table; the certificate embeds the platform root-of-trust public key
	 * itself through PROT_PK_EXT.
	 *
	 * NOTE(review): a key carried inside the certificate it is tied to proves
	 * nothing on its own; the consumer presumably compares it with a
	 * platform-held reference -- confirm on the verification side.
	 */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = PROT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.num_ext = 4,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
			PROT_PK_EXT,
		},
	},
};

REGISTER_COT(cot_certs);
173 
174 
/*
 * Certificate extensions referenced from cot_certs[].ext.
 *
 * Three kinds appear in this table:
 *   EXT_TYPE_NVCOUNTER - ASN.1 INTEGER, selects a counter via .attr.nvctr_type
 *   EXT_TYPE_HASH      - ASN.1 OCTET STRING; .opt names the option that
 *                        supplies the file described by .help_msg
 *   EXT_TYPE_PKEY      - ASN.1 OCTET STRING; no .opt/.help_msg is set, the
 *                        key is picked from cot_keys through .attr.key
 *
 * NOTE(review): .optional = 1 presumably lets the tool leave the hash unset
 * when no file is supplied -- confirm in the extension handling code. An
 * image that matters for the boot path should not be left optional by
 * accident.
 *
 * NOTE(review): several .ln strings hard-code "(SHA256)". The string is only
 * a label; if the tool can be built or run with a different digest, the label
 * would be misleading -- confirm.
 */
static ext_t cot_ext[] = {
	/* ---- Trusted boot firmware certificate ---- */

	[TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = TRUSTED_FW_NVCOUNTER_OID,
		.opt = "tfw-nvctr",
		.help_msg = "Trusted Firmware Non-Volatile counter value",
		.sn = "TrustedWorldNVCounter",
		.ln = "Trusted World Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_TFW,
	},

	[TRUSTED_BOOT_FW_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_HASH_OID,
		.opt = "tb-fw",
		.help_msg = "Trusted Boot Firmware image file",
		.sn = "TrustedBootFirmwareHash",
		.ln = "Trusted Boot Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
		.opt = "tb-fw-config",
		.help_msg = "Trusted Boot Firmware Config file",
		.sn = "TrustedBootFirmwareConfigHash",
		.ln = "Trusted Boot Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[HW_CONFIG_HASH_EXT] = {
		.oid = HW_CONFIG_HASH_OID,
		.opt = "hw-config",
		.help_msg = "HW Config file",
		.sn = "HWConfigHash",
		.ln = "HW Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* ---- Trusted key certificate ---- */

	[TRUSTED_WORLD_PK_EXT] = {
		.oid = TRUSTED_WORLD_PK_OID,
		.sn = "TrustedWorldPublicKey",
		.ln = "Trusted World Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = TRUSTED_WORLD_KEY,
	},

	/* ---- SCP firmware ---- */

	[SCP_FW_CONTENT_CERT_PK_EXT] = {
		.oid = SCP_FW_CONTENT_CERT_PK_OID,
		.sn = "SCPFirmwareContentCertPK",
		.ln = "SCP Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SCP_FW_CONTENT_CERT_KEY,
	},

	[SCP_FW_HASH_EXT] = {
		.oid = SCP_FW_HASH_OID,
		.opt = "scp-fw",
		.help_msg = "SCP Firmware image file",
		.sn = "SCPFirmwareHash",
		.ln = "SCP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	/* ---- SoC firmware ---- */

	[SOC_FW_CONTENT_CERT_PK_EXT] = {
		.oid = SOC_FW_CONTENT_CERT_PK_OID,
		.sn = "SoCFirmwareContentCertPK",
		.ln = "SoC Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SOC_FW_CONTENT_CERT_KEY,
	},

	[SOC_AP_FW_HASH_EXT] = {
		.oid = SOC_AP_FW_HASH_OID,
		.opt = "soc-fw",
		.help_msg = "SoC AP Firmware image file",
		.sn = "SoCAPFirmwareHash",
		.ln = "SoC AP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[SOC_FW_CONFIG_HASH_EXT] = {
		.oid = SOC_FW_CONFIG_HASH_OID,
		.opt = "soc-fw-config",
		.help_msg = "SoC Firmware Config file",
		.sn = "SocFirmwareConfigHash",
		.ln = "SoC Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* ---- Trusted OS firmware ---- */

	[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
		.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
		.sn = "TrustedOSFirmwareContentCertPK",
		.ln = "Trusted OS Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
	},

	[TRUSTED_OS_FW_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_HASH_OID,
		.opt = "tos-fw",
		.help_msg = "Trusted OS image file",
		.sn = "TrustedOSHash",
		.ln = "Trusted OS hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
		.opt = "tos-fw-extra1",
		.help_msg = "Trusted OS Extra1 image file",
		.sn = "TrustedOSExtra1Hash",
		.ln = "Trusted OS Extra1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
		.opt = "tos-fw-extra2",
		.help_msg = "Trusted OS Extra2 image file",
		.sn = "TrustedOSExtra2Hash",
		.ln = "Trusted OS Extra2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
		.opt = "tos-fw-config",
		.help_msg = "Trusted OS Firmware Config file",
		.sn = "TrustedOSFirmwareConfigHash",
		.ln = "Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* ---- Firmware update certificate (every hash below is optional) ---- */

	[SCP_FWU_CFG_HASH_EXT] = {
		.oid = SCP_FWU_CFG_HASH_OID,
		.opt = "scp-fwu-cfg",
		.help_msg = "SCP Firmware Update Config image file",
		.sn = "SCPFWUpdateConfig",
		.ln = "SCP Firmware Update Config hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[AP_FWU_CFG_HASH_EXT] = {
		.oid = AP_FWU_CFG_HASH_OID,
		.opt = "ap-fwu-cfg",
		.help_msg = "AP Firmware Update Config image file",
		.sn = "APFWUpdateConfig",
		.ln = "AP Firmware Update Config hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[FWU_HASH_EXT] = {
		.oid = FWU_HASH_OID,
		.opt = "fwu",
		.help_msg = "Firmware Updater image file",
		.sn = "FWUpdaterHash",
		.ln = "Firmware Updater hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* ---- Non-trusted firmware content certificate (PROT_KEY root) ---- */

	[PROT_PK_EXT] = {
		.oid = PROT_PK_OID,
		.sn = "PlatformRoTKey",
		.ln = "Platform Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PROT_KEY,
	},

	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
		.opt = "ntfw-nvctr",
		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
		.sn = "NormalWorldNVCounter",
		.ln = "Non-Trusted Firmware Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_NTFW,
	},

	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
		.opt = "nt-fw",
		.help_msg = "Non-Trusted World Bootloader image file",
		.sn = "NonTrustedWorldBootloaderHash",
		.ln = "Non-Trusted World hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
		.opt = "nt-fw-config",
		.help_msg = "Non Trusted OS Firmware Config file",
		.sn = "NonTrustedOSFirmwareConfigHash",
		.ln = "Non-Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
};

REGISTER_EXTENSIONS(cot_ext);
406 
407 
/*
 * Keys that anchor and link the chain of trust.
 *
 * ROT_KEY and PROT_KEY are the two roots of this dual-root scheme; the
 * remaining keys are published by certificates further up the chain through
 * EXT_TYPE_PKEY extensions (see cot_ext).
 *
 * NOTE(review): the help text says "input/output file", so the tool
 * presumably both reads existing key files and writes newly generated ones.
 * Those files would then hold private key material and need restrictive
 * permissions; the two root keys in particular should not live on a shared
 * build host -- confirm how the key handling code creates the files.
 */
static key_t cot_keys[] = {
	/* First root: used by the trusted boot, trusted key and FWU certificates. */
	[ROT_KEY] = {
		.id = ROT_KEY,
		.opt = "rot-key",
		.help_msg = "Root Of Trust key (input/output file)",
		.desc = "Root Of Trust key",
	},

	/* Used by the SCP, SoC and Trusted OS firmware key certificates. */
	[TRUSTED_WORLD_KEY] = {
		.id = TRUSTED_WORLD_KEY,
		.opt = "trusted-world-key",
		.help_msg = "Trusted World key (input/output file)",
		.desc = "Trusted World key",
	},

	/* One key per firmware content certificate. */
	[SCP_FW_CONTENT_CERT_KEY] = {
		.id = SCP_FW_CONTENT_CERT_KEY,
		.opt = "scp-fw-key",
		.help_msg = "SCP Firmware Content Certificate key (input/output file)",
		.desc = "SCP Firmware Content Certificate key",
	},

	[SOC_FW_CONTENT_CERT_KEY] = {
		.id = SOC_FW_CONTENT_CERT_KEY,
		.opt = "soc-fw-key",
		.help_msg = "SoC Firmware Content Certificate key (input/output file)",
		.desc = "SoC Firmware Content Certificate key",
	},

	[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.opt = "tos-fw-key",
		.help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
		.desc = "Trusted OS Firmware Content Certificate key",
	},

	/*
	 * Second root: used only by NON_TRUSTED_FW_CONTENT_CERT.
	 *
	 * NOTE(review): unlike every other entry, the help text here omits
	 * "(input/output file)"; whether that is deliberate cannot be told from
	 * this file.
	 */
	[PROT_KEY] = {
		.id = PROT_KEY,
		.opt = "prot-key",
		.help_msg = "Platform Root of Trust key",
		.desc = "Platform Root of Trust key",
	},
};

REGISTER_KEYS(cot_keys);