1 /* 2 * Copyright (c) 2020, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <dualroot_oid.h> 8 9 #include "cert.h" 10 #include "ext.h" 11 #include "key.h" 12 13 #include "dualroot/cot.h" 14 15 /* 16 * Certificates used in the chain of trust. 17 * 18 * All certificates are self-signed so the issuer certificate field points to 19 * itself. 20 */ 21 static cert_t cot_certs[] = { 22 [TRUSTED_BOOT_FW_CERT] = { 23 .id = TRUSTED_BOOT_FW_CERT, 24 .opt = "tb-fw-cert", 25 .help_msg = "Trusted Boot FW Certificate (output file)", 26 .cn = "Trusted Boot FW Certificate", 27 .key = ROT_KEY, 28 .issuer = TRUSTED_BOOT_FW_CERT, 29 .ext = { 30 TRUSTED_FW_NVCOUNTER_EXT, 31 TRUSTED_BOOT_FW_HASH_EXT, 32 TRUSTED_BOOT_FW_CONFIG_HASH_EXT, 33 HW_CONFIG_HASH_EXT 34 }, 35 .num_ext = 4 36 }, 37 38 [TRUSTED_KEY_CERT] = { 39 .id = TRUSTED_KEY_CERT, 40 .opt = "trusted-key-cert", 41 .help_msg = "Trusted Key Certificate (output file)", 42 .cn = "Trusted Key Certificate", 43 .key = ROT_KEY, 44 .issuer = TRUSTED_KEY_CERT, 45 .ext = { 46 TRUSTED_FW_NVCOUNTER_EXT, 47 TRUSTED_WORLD_PK_EXT, 48 }, 49 .num_ext = 2 50 }, 51 52 [SCP_FW_KEY_CERT] = { 53 .id = SCP_FW_KEY_CERT, 54 .opt = "scp-fw-key-cert", 55 .help_msg = "SCP Firmware Key Certificate (output file)", 56 .cn = "SCP Firmware Key Certificate", 57 .key = TRUSTED_WORLD_KEY, 58 .issuer = SCP_FW_KEY_CERT, 59 .ext = { 60 TRUSTED_FW_NVCOUNTER_EXT, 61 SCP_FW_CONTENT_CERT_PK_EXT 62 }, 63 .num_ext = 2 64 }, 65 66 [SCP_FW_CONTENT_CERT] = { 67 .id = SCP_FW_CONTENT_CERT, 68 .opt = "scp-fw-cert", 69 .help_msg = "SCP Firmware Content Certificate (output file)", 70 .cn = "SCP Firmware Content Certificate", 71 .key = SCP_FW_CONTENT_CERT_KEY, 72 .issuer = SCP_FW_CONTENT_CERT, 73 .ext = { 74 TRUSTED_FW_NVCOUNTER_EXT, 75 SCP_FW_HASH_EXT 76 }, 77 .num_ext = 2 78 }, 79 80 [SOC_FW_KEY_CERT] = { 81 .id = SOC_FW_KEY_CERT, 82 .opt = "soc-fw-key-cert", 83 .help_msg = "SoC Firmware Key Certificate (output file)", 84 .cn = "SoC Firmware Key Certificate", 85 .key = TRUSTED_WORLD_KEY, 86 .issuer = SOC_FW_KEY_CERT, 87 .ext = { 88 TRUSTED_FW_NVCOUNTER_EXT, 89 SOC_FW_CONTENT_CERT_PK_EXT 90 }, 91 .num_ext = 2 92 }, 93 94 [SOC_FW_CONTENT_CERT] = { 95 .id = SOC_FW_CONTENT_CERT, 96 .opt = "soc-fw-cert", 97 .help_msg = "SoC Firmware Content Certificate (output file)", 98 .cn = "SoC Firmware Content Certificate", 99 .key = SOC_FW_CONTENT_CERT_KEY, 100 .issuer = SOC_FW_CONTENT_CERT, 101 .ext = { 102 TRUSTED_FW_NVCOUNTER_EXT, 103 SOC_AP_FW_HASH_EXT, 104 SOC_FW_CONFIG_HASH_EXT, 105 }, 106 .num_ext = 3 107 }, 108 109 [TRUSTED_OS_FW_KEY_CERT] = { 110 .id = TRUSTED_OS_FW_KEY_CERT, 111 .opt = "tos-fw-key-cert", 112 .help_msg = "Trusted OS Firmware Key Certificate (output file)", 113 .cn = "Trusted OS Firmware Key Certificate", 114 .key = TRUSTED_WORLD_KEY, 115 .issuer = TRUSTED_OS_FW_KEY_CERT, 116 .ext = { 117 TRUSTED_FW_NVCOUNTER_EXT, 118 TRUSTED_OS_FW_CONTENT_CERT_PK_EXT 119 }, 120 .num_ext = 2 121 }, 122 123 [TRUSTED_OS_FW_CONTENT_CERT] = { 124 .id = TRUSTED_OS_FW_CONTENT_CERT, 125 .opt = "tos-fw-cert", 126 .help_msg = "Trusted OS Firmware Content Certificate (output file)", 127 .cn = "Trusted OS Firmware Content Certificate", 128 .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, 129 .issuer = TRUSTED_OS_FW_CONTENT_CERT, 130 .ext = { 131 TRUSTED_FW_NVCOUNTER_EXT, 132 TRUSTED_OS_FW_HASH_EXT, 133 TRUSTED_OS_FW_EXTRA1_HASH_EXT, 134 TRUSTED_OS_FW_EXTRA2_HASH_EXT, 135 TRUSTED_OS_FW_CONFIG_HASH_EXT, 136 }, 137 .num_ext = 5 138 }, 139 140 [SIP_SECURE_PARTITION_CONTENT_CERT] = { 141 .id = SIP_SECURE_PARTITION_CONTENT_CERT, 142 .opt = "sip-sp-cert", 143 .help_msg = "SiP owned Secure Partition Content Certificate (output file)", 144 .fn = NULL, 145 .cn = "SiP owned Secure Partition Content Certificate", 146 .key = TRUSTED_WORLD_KEY, 147 .issuer = SIP_SECURE_PARTITION_CONTENT_CERT, 148 .ext = { 149 TRUSTED_FW_NVCOUNTER_EXT, 150 SP_PKG1_HASH_EXT, 151 SP_PKG2_HASH_EXT, 152 SP_PKG3_HASH_EXT, 153 SP_PKG4_HASH_EXT, 154 SP_PKG5_HASH_EXT, 155 SP_PKG6_HASH_EXT, 156 SP_PKG7_HASH_EXT, 157 SP_PKG8_HASH_EXT, 158 }, 159 .num_ext = 9 160 }, 161 162 [FWU_CERT] = { 163 .id = FWU_CERT, 164 .opt = "fwu-cert", 165 .help_msg = "Firmware Update Certificate (output file)", 166 .cn = "Firmware Update Certificate", 167 .key = ROT_KEY, 168 .issuer = FWU_CERT, 169 .ext = { 170 SCP_FWU_CFG_HASH_EXT, 171 AP_FWU_CFG_HASH_EXT, 172 FWU_HASH_EXT 173 }, 174 .num_ext = 3 175 }, 176 177 [NON_TRUSTED_FW_CONTENT_CERT] = { 178 .id = NON_TRUSTED_FW_CONTENT_CERT, 179 .opt = "nt-fw-cert", 180 .help_msg = "Non-Trusted Firmware Content Certificate (output file)", 181 .cn = "Non-Trusted Firmware Content Certificate", 182 .key = PROT_KEY, 183 .issuer = NON_TRUSTED_FW_CONTENT_CERT, 184 .ext = { 185 NON_TRUSTED_FW_NVCOUNTER_EXT, 186 NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, 187 NON_TRUSTED_FW_CONFIG_HASH_EXT, 188 PROT_PK_EXT, 189 }, 190 .num_ext = 4 191 }, 192 }; 193 194 REGISTER_COT(cot_certs); 195 196 197 /* Certificate extensions. */ 198 static ext_t cot_ext[] = { 199 [TRUSTED_FW_NVCOUNTER_EXT] = { 200 .oid = TRUSTED_FW_NVCOUNTER_OID, 201 .opt = "tfw-nvctr", 202 .help_msg = "Trusted Firmware Non-Volatile counter value", 203 .sn = "TrustedWorldNVCounter", 204 .ln = "Trusted World Non-Volatile counter", 205 .asn1_type = V_ASN1_INTEGER, 206 .type = EXT_TYPE_NVCOUNTER, 207 .attr.nvctr_type = NVCTR_TYPE_TFW 208 }, 209 210 [TRUSTED_BOOT_FW_HASH_EXT] = { 211 .oid = TRUSTED_BOOT_FW_HASH_OID, 212 .opt = "tb-fw", 213 .help_msg = "Trusted Boot Firmware image file", 214 .sn = "TrustedBootFirmwareHash", 215 .ln = "Trusted Boot Firmware hash (SHA256)", 216 .asn1_type = V_ASN1_OCTET_STRING, 217 .type = EXT_TYPE_HASH 218 }, 219 220 [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = { 221 .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID, 222 .opt = "tb-fw-config", 223 .help_msg = "Trusted Boot Firmware Config file", 224 .sn = "TrustedBootFirmwareConfigHash", 225 .ln = "Trusted Boot Firmware Config hash", 226 .asn1_type = V_ASN1_OCTET_STRING, 227 .type = EXT_TYPE_HASH, 228 .optional = 1 229 }, 230 231 [HW_CONFIG_HASH_EXT] = { 232 .oid = HW_CONFIG_HASH_OID, 233 .opt = "hw-config", 234 .help_msg = "HW Config file", 235 .sn = "HWConfigHash", 236 .ln = "HW Config hash", 237 .asn1_type = V_ASN1_OCTET_STRING, 238 .type = EXT_TYPE_HASH, 239 .optional = 1 240 }, 241 242 [TRUSTED_WORLD_PK_EXT] = { 243 .oid = TRUSTED_WORLD_PK_OID, 244 .sn = "TrustedWorldPublicKey", 245 .ln = "Trusted World Public Key", 246 .asn1_type = V_ASN1_OCTET_STRING, 247 .type = EXT_TYPE_PKEY, 248 .attr.key = TRUSTED_WORLD_KEY 249 }, 250 251 [SCP_FW_CONTENT_CERT_PK_EXT] = { 252 .oid = SCP_FW_CONTENT_CERT_PK_OID, 253 .sn = "SCPFirmwareContentCertPK", 254 .ln = "SCP Firmware content certificate public key", 255 .asn1_type = V_ASN1_OCTET_STRING, 256 .type = EXT_TYPE_PKEY, 257 .attr.key = SCP_FW_CONTENT_CERT_KEY 258 }, 259 260 [SCP_FW_HASH_EXT] = { 261 .oid = SCP_FW_HASH_OID, 262 .opt = "scp-fw", 263 .help_msg = "SCP Firmware image file", 264 .sn = "SCPFirmwareHash", 265 .ln = "SCP Firmware hash (SHA256)", 266 .asn1_type = V_ASN1_OCTET_STRING, 267 .type = EXT_TYPE_HASH 268 }, 269 270 [SOC_FW_CONTENT_CERT_PK_EXT] = { 271 .oid = SOC_FW_CONTENT_CERT_PK_OID, 272 .sn = "SoCFirmwareContentCertPK", 273 .ln = "SoC Firmware content certificate public key", 274 .asn1_type = V_ASN1_OCTET_STRING, 275 .type = EXT_TYPE_PKEY, 276 .attr.key = SOC_FW_CONTENT_CERT_KEY 277 }, 278 279 [SOC_AP_FW_HASH_EXT] = { 280 .oid = SOC_AP_FW_HASH_OID, 281 .opt = "soc-fw", 282 .help_msg = "SoC AP Firmware image file", 283 .sn = "SoCAPFirmwareHash", 284 .ln = "SoC AP Firmware hash (SHA256)", 285 .asn1_type = V_ASN1_OCTET_STRING, 286 .type = EXT_TYPE_HASH 287 }, 288 289 [SOC_FW_CONFIG_HASH_EXT] = { 290 .oid = SOC_FW_CONFIG_HASH_OID, 291 .opt = "soc-fw-config", 292 .help_msg = "SoC Firmware Config file", 293 .sn = "SocFirmwareConfigHash", 294 .ln = "SoC Firmware Config hash", 295 .asn1_type = V_ASN1_OCTET_STRING, 296 .type = EXT_TYPE_HASH, 297 .optional = 1 298 }, 299 300 [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = { 301 .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID, 302 .sn = "TrustedOSFirmwareContentCertPK", 303 .ln = "Trusted OS Firmware content certificate public key", 304 .asn1_type = V_ASN1_OCTET_STRING, 305 .type = EXT_TYPE_PKEY, 306 .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY 307 }, 308 309 [TRUSTED_OS_FW_HASH_EXT] = { 310 .oid = TRUSTED_OS_FW_HASH_OID, 311 .opt = "tos-fw", 312 .help_msg = "Trusted OS image file", 313 .sn = "TrustedOSHash", 314 .ln = "Trusted OS hash (SHA256)", 315 .asn1_type = V_ASN1_OCTET_STRING, 316 .type = EXT_TYPE_HASH 317 }, 318 319 [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = { 320 .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID, 321 .opt = "tos-fw-extra1", 322 .help_msg = "Trusted OS Extra1 image file", 323 .sn = "TrustedOSExtra1Hash", 324 .ln = "Trusted OS Extra1 hash (SHA256)", 325 .asn1_type = V_ASN1_OCTET_STRING, 326 .type = EXT_TYPE_HASH, 327 .optional = 1 328 }, 329 330 [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = { 331 .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID, 332 .opt = "tos-fw-extra2", 333 .help_msg = "Trusted OS Extra2 image file", 334 .sn = "TrustedOSExtra2Hash", 335 .ln = "Trusted OS Extra2 hash (SHA256)", 336 .asn1_type = V_ASN1_OCTET_STRING, 337 .type = EXT_TYPE_HASH, 338 .optional = 1 339 }, 340 341 [TRUSTED_OS_FW_CONFIG_HASH_EXT] = { 342 .oid = TRUSTED_OS_FW_CONFIG_HASH_OID, 343 .opt = "tos-fw-config", 344 .help_msg = "Trusted OS Firmware Config file", 345 .sn = "TrustedOSFirmwareConfigHash", 346 .ln = "Trusted OS Firmware Config hash", 347 .asn1_type = V_ASN1_OCTET_STRING, 348 .type = EXT_TYPE_HASH, 349 .optional = 1 350 }, 351 352 [SP_PKG1_HASH_EXT] = { 353 .oid = SP_PKG1_HASH_OID, 354 .opt = "sp-pkg1", 355 .help_msg = "Secure Partition Package1 file", 356 .sn = "SPPkg1Hash", 357 .ln = "SP Pkg1 hash (SHA256)", 358 .asn1_type = V_ASN1_OCTET_STRING, 359 .type = EXT_TYPE_HASH, 360 .optional = 1 361 }, 362 [SP_PKG2_HASH_EXT] = { 363 .oid = SP_PKG2_HASH_OID, 364 .opt = "sp-pkg2", 365 .help_msg = "Secure Partition Package2 file", 366 .sn = "SPPkg2Hash", 367 .ln = "SP Pkg2 hash (SHA256)", 368 .asn1_type = V_ASN1_OCTET_STRING, 369 .type = EXT_TYPE_HASH, 370 .optional = 1 371 }, 372 [SP_PKG3_HASH_EXT] = { 373 .oid = SP_PKG3_HASH_OID, 374 .opt = "sp-pkg3", 375 .help_msg = "Secure Partition Package3 file", 376 .sn = "SPPkg3Hash", 377 .ln = "SP Pkg3 hash (SHA256)", 378 .asn1_type = V_ASN1_OCTET_STRING, 379 .type = EXT_TYPE_HASH, 380 .optional = 1 381 }, 382 [SP_PKG4_HASH_EXT] = { 383 .oid = SP_PKG4_HASH_OID, 384 .opt = "sp-pkg4", 385 .help_msg = "Secure Partition Package4 file", 386 .sn = "SPPkg4Hash", 387 .ln = "SP Pkg4 hash (SHA256)", 388 .asn1_type = V_ASN1_OCTET_STRING, 389 .type = EXT_TYPE_HASH, 390 .optional = 1 391 }, 392 [SP_PKG5_HASH_EXT] = { 393 .oid = SP_PKG5_HASH_OID, 394 .opt = "sp-pkg5", 395 .help_msg = "Secure Partition Package5 file", 396 .sn = "SPPkg5Hash", 397 .ln = "SP Pkg5 hash (SHA256)", 398 .asn1_type = V_ASN1_OCTET_STRING, 399 .type = EXT_TYPE_HASH, 400 .optional = 1 401 }, 402 [SP_PKG6_HASH_EXT] = { 403 .oid = SP_PKG6_HASH_OID, 404 .opt = "sp-pkg6", 405 .help_msg = "Secure Partition Package6 file", 406 .sn = "SPPkg6Hash", 407 .ln = "SP Pkg6 hash (SHA256)", 408 .asn1_type = V_ASN1_OCTET_STRING, 409 .type = EXT_TYPE_HASH, 410 .optional = 1 411 }, 412 [SP_PKG7_HASH_EXT] = { 413 .oid = SP_PKG7_HASH_OID, 414 .opt = "sp-pkg7", 415 .help_msg = "Secure Partition Package7 file", 416 .sn = "SPPkg7Hash", 417 .ln = "SP Pkg7 hash (SHA256)", 418 .asn1_type = V_ASN1_OCTET_STRING, 419 .type = EXT_TYPE_HASH, 420 .optional = 1 421 }, 422 [SP_PKG8_HASH_EXT] = { 423 .oid = SP_PKG8_HASH_OID, 424 .opt = "sp-pkg8", 425 .help_msg = "Secure Partition Package8 file", 426 .sn = "SPPkg8Hash", 427 .ln = "SP Pkg8 hash (SHA256)", 428 .asn1_type = V_ASN1_OCTET_STRING, 429 .type = EXT_TYPE_HASH, 430 .optional = 1 431 }, 432 433 [SCP_FWU_CFG_HASH_EXT] = { 434 .oid = SCP_FWU_CFG_HASH_OID, 435 .opt = "scp-fwu-cfg", 436 .help_msg = "SCP Firmware Update Config image file", 437 .sn = "SCPFWUpdateConfig", 438 .ln = "SCP Firmware Update Config hash (SHA256)", 439 .asn1_type = V_ASN1_OCTET_STRING, 440 .type = EXT_TYPE_HASH, 441 .optional = 1 442 }, 443 444 [AP_FWU_CFG_HASH_EXT] = { 445 .oid = AP_FWU_CFG_HASH_OID, 446 .opt = "ap-fwu-cfg", 447 .help_msg = "AP Firmware Update Config image file", 448 .sn = "APFWUpdateConfig", 449 .ln = "AP Firmware Update Config hash (SHA256)", 450 .asn1_type = V_ASN1_OCTET_STRING, 451 .type = EXT_TYPE_HASH, 452 .optional = 1 453 }, 454 455 [FWU_HASH_EXT] = { 456 .oid = FWU_HASH_OID, 457 .opt = "fwu", 458 .help_msg = "Firmware Updater image file", 459 .sn = "FWUpdaterHash", 460 .ln = "Firmware Updater hash (SHA256)", 461 .asn1_type = V_ASN1_OCTET_STRING, 462 .type = EXT_TYPE_HASH, 463 .optional = 1 464 }, 465 466 [PROT_PK_EXT] = { 467 .oid = PROT_PK_OID, 468 .sn = "PlatformRoTKey", 469 .ln = "Platform Root of Trust Public Key", 470 .asn1_type = V_ASN1_OCTET_STRING, 471 .type = EXT_TYPE_PKEY, 472 .attr.key = PROT_KEY 473 }, 474 475 [NON_TRUSTED_FW_NVCOUNTER_EXT] = { 476 .oid = NON_TRUSTED_FW_NVCOUNTER_OID, 477 .opt = "ntfw-nvctr", 478 .help_msg = "Non-Trusted Firmware Non-Volatile counter value", 479 .sn = "NormalWorldNVCounter", 480 .ln = "Non-Trusted Firmware Non-Volatile counter", 481 .asn1_type = V_ASN1_INTEGER, 482 .type = EXT_TYPE_NVCOUNTER, 483 .attr.nvctr_type = NVCTR_TYPE_NTFW 484 }, 485 486 [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = { 487 .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID, 488 .opt = "nt-fw", 489 .help_msg = "Non-Trusted World Bootloader image file", 490 .sn = "NonTrustedWorldBootloaderHash", 491 .ln = "Non-Trusted World hash (SHA256)", 492 .asn1_type = V_ASN1_OCTET_STRING, 493 .type = EXT_TYPE_HASH 494 }, 495 496 [NON_TRUSTED_FW_CONFIG_HASH_EXT] = { 497 .oid = NON_TRUSTED_FW_CONFIG_HASH_OID, 498 .opt = "nt-fw-config", 499 .help_msg = "Non Trusted OS Firmware Config file", 500 .sn = "NonTrustedOSFirmwareConfigHash", 501 .ln = "Non-Trusted OS Firmware Config hash", 502 .asn1_type = V_ASN1_OCTET_STRING, 503 .type = EXT_TYPE_HASH, 504 .optional = 1 505 }, 506 }; 507 508 REGISTER_EXTENSIONS(cot_ext); 509 510 511 /* Keys used to establish the chain of trust. */ 512 static key_t cot_keys[] = { 513 [ROT_KEY] = { 514 .id = ROT_KEY, 515 .opt = "rot-key", 516 .help_msg = "Root Of Trust key (input/output file)", 517 .desc = "Root Of Trust key" 518 }, 519 520 [TRUSTED_WORLD_KEY] = { 521 .id = TRUSTED_WORLD_KEY, 522 .opt = "trusted-world-key", 523 .help_msg = "Trusted World key (input/output file)", 524 .desc = "Trusted World key" 525 }, 526 527 [SCP_FW_CONTENT_CERT_KEY] = { 528 .id = SCP_FW_CONTENT_CERT_KEY, 529 .opt = "scp-fw-key", 530 .help_msg = "SCP Firmware Content Certificate key (input/output file)", 531 .desc = "SCP Firmware Content Certificate key" 532 }, 533 534 [SOC_FW_CONTENT_CERT_KEY] = { 535 .id = SOC_FW_CONTENT_CERT_KEY, 536 .opt = "soc-fw-key", 537 .help_msg = "SoC Firmware Content Certificate key (input/output file)", 538 .desc = "SoC Firmware Content Certificate key" 539 }, 540 541 [TRUSTED_OS_FW_CONTENT_CERT_KEY] = { 542 .id = TRUSTED_OS_FW_CONTENT_CERT_KEY, 543 .opt = "tos-fw-key", 544 .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)", 545 .desc = "Trusted OS Firmware Content Certificate key" 546 }, 547 548 [PROT_KEY] = { 549 .id = PROT_KEY, 550 .opt = "prot-key", 551 .help_msg = "Platform Root of Trust key", 552 .desc = "Platform Root of Trust key" 553 }, 554 }; 555 556 REGISTER_KEYS(cot_keys); 557