16f971622SJuan Castillo /* 26f971622SJuan Castillo * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. 36f971622SJuan Castillo * 46f971622SJuan Castillo * Redistribution and use in source and binary forms, with or without 56f971622SJuan Castillo * modification, are permitted provided that the following conditions are met: 66f971622SJuan Castillo * 76f971622SJuan Castillo * Redistributions of source code must retain the above copyright notice, this 86f971622SJuan Castillo * list of conditions and the following disclaimer. 96f971622SJuan Castillo * 106f971622SJuan Castillo * Redistributions in binary form must reproduce the above copyright notice, 116f971622SJuan Castillo * this list of conditions and the following disclaimer in the documentation 126f971622SJuan Castillo * and/or other materials provided with the distribution. 136f971622SJuan Castillo * 146f971622SJuan Castillo * Neither the name of ARM nor the names of its contributors may be used 156f971622SJuan Castillo * to endorse or promote products derived from this software without specific 166f971622SJuan Castillo * prior written permission. 176f971622SJuan Castillo * 186f971622SJuan Castillo * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 196f971622SJuan Castillo * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 206f971622SJuan Castillo * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 216f971622SJuan Castillo * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 226f971622SJuan Castillo * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 236f971622SJuan Castillo * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 246f971622SJuan Castillo * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 256f971622SJuan Castillo * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 266f971622SJuan Castillo * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 276f971622SJuan Castillo * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 286f971622SJuan Castillo * POSSIBILITY OF SUCH DAMAGE. 296f971622SJuan Castillo */ 306f971622SJuan Castillo 316f971622SJuan Castillo #include <getopt.h> 326f971622SJuan Castillo #include <stdio.h> 336f971622SJuan Castillo #include <stdlib.h> 346f971622SJuan Castillo #include <string.h> 356f971622SJuan Castillo 366f971622SJuan Castillo #include <openssl/conf.h> 376f971622SJuan Castillo #include <openssl/engine.h> 386f971622SJuan Castillo #include <openssl/err.h> 396f971622SJuan Castillo #include <openssl/pem.h> 406f971622SJuan Castillo #include <openssl/sha.h> 416f971622SJuan Castillo #include <openssl/x509v3.h> 426f971622SJuan Castillo 436f971622SJuan Castillo #include "cert.h" 446f971622SJuan Castillo #include "debug.h" 456f971622SJuan Castillo #include "ext.h" 466f971622SJuan Castillo #include "key.h" 476f971622SJuan Castillo #include "platform_oid.h" 486f971622SJuan Castillo #include "sha.h" 496f971622SJuan Castillo #include "tbb_ext.h" 506f971622SJuan Castillo #include "tbb_cert.h" 516f971622SJuan Castillo #include "tbb_key.h" 526f971622SJuan Castillo 536f971622SJuan Castillo /* 546f971622SJuan Castillo * Helper macros to simplify the code. This macro assigns the return value of 556f971622SJuan Castillo * the 'fn' function to 'v' and exits if the value is NULL. 
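*/
#define CHECK_NULL(v, fn) \
	do { \
		v = fn; \
		if (v == NULL) { \
			ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \
			exit(1); \
		} \
	} while (0)

/*
 * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the
 * NID is undefined (i.e. the OID was never registered with OpenSSL).
 */
#define CHECK_OID(v, oid) \
	do { \
		v = OBJ_txt2nid(oid); \
		if (v == NID_undef) { \
			ERROR("Cannot find TBB extension %s\n", oid); \
			exit(1); \
		} \
	} while (0)

/* Upper bound on file name length (not referenced in the visible part of
 * this file). */
#define MAX_FILENAME_LEN	1024
/* Validity period, in days, passed to cert_new() for every certificate. */
#define VAL_DAYS		7300
/* Argument is parenthesised so that expressions such as 'a + b' work. */
#define ID_TO_BIT_MASK(id)	(1 << (id))
/* Value written into the NVCounter extensions; see the note on tf_nvcounter
 * below. */
#define NVCOUNTER_VALUE		0
/* Element count of an array object (not valid on a pointer parameter). */
#define NUM_ELEM(x)		((sizeof(x)) / (sizeof((x)[0])))

/*
 * Files. The first NUM_OPTS entries of long_opt[] below are indexed by these
 * identifiers, so both must be kept in the same order.
 */
enum {
	/* Image file names (inputs) */
	BL2_ID = 0,
	BL30_ID,
	BL31_ID,
	BL32_ID,
	BL33_ID,
	/* Certificate file names (outputs) */
	BL2_CERT_ID,
	TRUSTED_KEY_CERT_ID,
	BL30_KEY_CERT_ID,
	BL30_CERT_ID,
	BL31_KEY_CERT_ID,
	BL31_CERT_ID,
	BL32_KEY_CERT_ID,
	BL32_CERT_ID,
	BL33_KEY_CERT_ID,
	BL33_CERT_ID,
	/* Key file names (input/output) */
	ROT_KEY_ID,
	TRUSTED_WORLD_KEY_ID,
	NON_TRUSTED_WORLD_KEY_ID,
	BL30_KEY_ID,
	BL31_KEY_ID,
	BL32_KEY_ID,
	BL33_KEY_ID,
	NUM_OPTS
};

/* Global options, set from the command line in main() */
static int key_alg;		/* KEY_ALG_* index into key_algs_str[] */
static int new_keys;		/* -n: generate keys that cannot be loaded */
static int save_keys;		/* -k: write generated keys to their file names */
static int print_cert;		/* -p: dump certificates to standard output */
static int bl30_present;	/* set by check_cmd_params() if a BL30 image was given */
static int bl32_present;	/* set by check_cmd_params() if a BL32 image was given */

/* We are not checking nvcounters in TF. Include them in the certificates but
 * the value will be set to 0 */
static int tf_nvcounter;
static int non_tf_nvcounter;

/* Info messages created in the Makefile */
extern const char build_msg[];
extern const char platform_msg[];


/*
 * Duplicate a NUL-terminated string into freshly malloc()ed storage.
 *
 * NOTE: this name clashes with the POSIX strdup() declaration that
 * <string.h> exposes under the usual feature macros; callers in main() rely
 * on the name, so it is kept here. Returns NULL if the allocation fails; the
 * caller owns the result. 'str' must not be NULL.
 */
static char *strdup(const char *str)
{
	/* size_t: the length plus terminator never needs a signed type */
	size_t n = strlen(str) + 1;
	char *dup = malloc(n);

	if (dup != NULL) {
		/* n already counts the terminator, so a plain copy suffices */
		memcpy(dup, str, n);
	}
	return dup;
}

/* Names accepted by --key-alg, indexed by the KEY_ALG_* constants. Entries
 * not initialised here (e.g. ECDSA when OpenSSL lacks EC support) are NULL. */
static const char *key_algs_str[] = {
	[KEY_ALG_RSA] = "rsa",
#ifndef OPENSSL_NO_EC
	[KEY_ALG_ECDSA] = "ecdsa"
#endif /* OPENSSL_NO_EC */
};

/* Command line options */
static const struct option long_opt[] = {
	/* Binary images */
	{"bl2", required_argument, 0, BL2_ID},
	{"bl30", required_argument, 0, BL30_ID},
	{"bl31", required_argument, 0, BL31_ID},
	{"bl32", required_argument, 0, BL32_ID},
	{"bl33", required_argument, 0, BL33_ID},
	/* Certificate files */
	{"bl2-cert", required_argument, 0, BL2_CERT_ID},
	{"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID},
	{"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID},
	{"bl30-cert", required_argument, 0, BL30_CERT_ID},
	{"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID},
	{"bl31-cert", required_argument, 0, BL31_CERT_ID},
	{"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID},
	{"bl32-cert", required_argument, 0, BL32_CERT_ID},
	{"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID},
	{"bl33-cert", required_argument, 0, BL33_CERT_ID},
	/* Private key files */
	{"rot-key", required_argument, 0, ROT_KEY_ID},
	{"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID},
	{"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID},
	{"bl30-key", required_argument, 0, BL30_KEY_ID},
	{"bl31-key", required_argument, 0, BL31_KEY_ID},
	{"bl32-key", required_argument, 0, BL32_KEY_ID},
	{"bl33-key", required_argument, 0, BL33_KEY_ID},
	/* Common options */
	{"key-alg", required_argument, 0, 'a'},
	{"help", no_argument, 0, 'h'},
	{"save-keys", no_argument, 0, 'k'},
	{"new-chain", no_argument, 0, 'n'},
	{"print-cert", no_argument, 0, 'p'},
	{0, 0, 0, 0}
};

/*
 * Print the usage text for 'cmd' (normally argv[0]) and terminate the
 * process with status 0. Never returns.
 */
static void print_help(const char *cmd)
{
	int i = 0;

	printf("\n\n");
	printf("The certificate generation tool loads the binary images and\n"
	       "optionally the RSA keys, and outputs the key and content\n"
	       "certificates properly signed to implement the chain of trust.\n"
	       "If keys are provided, they must be in PEM format.\n"
	       "Certificates are generated in DER format.\n");
	printf("\n");
	printf("Usage:\n\n");
	printf(" %s [-hknp] \\\n", cmd);
	/* The first NUM_OPTS entries of long_opt[] are the file options */
	for (i = 0; i < NUM_OPTS; i++) {
		printf(" --%s <file> \\\n", long_opt[i].name);
	}
	printf("\n");
	printf("-a Key algorithm: rsa (default), ecdsa\n");
	printf("-h Print help and exit\n");
	printf("-k Save key pairs into files. Filenames must be provided\n");
	printf("-n Generate new key pairs if no key files are provided\n");
	printf("-p Print the certificates in the standard output\n");
	printf("\n");

	exit(0);
}

/*
 * Map a --key-alg argument to its KEY_ALG_* index.
 *
 * Returns the index into key_algs_str[] whose name matches 'key_alg_str', or
 * -1 if there is no match. A NULL argument (getopt_long leaves optarg NULL
 * when the short form is given without an argument) also yields -1 instead
 * of being passed to strcmp().
 */
static int get_key_alg(const char *key_alg_str)
{
	size_t i;

	if (key_alg_str == NULL) {
		return -1;
	}

	for (i = 0; i < NUM_ELEM(key_algs_str); i++) {
		/* Skip gaps left by conditional designated initialisers */
		if (key_algs_str[i] != NULL &&
		    strcmp(key_alg_str, key_algs_str[i]) == 0) {
			return (int)i;
		}
	}

	return -1;
}

/*
 * Validate the combination of command line options collected in main().
 *
 * Checks that the mandatory images were given, records whether the optional
 * BL30/BL32 images are present, and verifies that key file names exist
 * whenever keys must be read from or written to disk. Every failure is
 * reported with ERROR() and terminates the process with exit(1).
 *
 * Reads the global 'certs' and 'keys' tables (declared in the project
 * headers, not visible here) and writes bl30_present / bl32_present.
 * NOTE: the closing braces of this function continue on the next source
 * line of the original listing.
 */
static void check_cmd_params(void)
{
	/* Only save new keys */
	if (save_keys && !new_keys) {
		ERROR("Only new keys can be saved to disk\n");
		exit(1);
	}

	/* BL2, BL31 and BL33 are mandatory */
	if (certs[BL2_CERT].bin == NULL) {
		ERROR("BL2 image not specified\n");
		exit(1);
	}

	if (certs[BL31_CERT].bin == NULL) {
		ERROR("BL31 image not specified\n");
		exit(1);
	}

	if (certs[BL33_CERT].bin == NULL) {
		ERROR("BL33 image not specified\n");
		exit(1);
	}

	/* BL30 and BL32 are optional */
	if (certs[BL30_CERT].bin != NULL) {
		bl30_present = 1;
	}

	if (certs[BL32_CERT].bin != NULL) {
		bl32_present = 1;
	}

	/* TODO: Certificate filenames */

	/* Filenames to store keys must be specified: either the keys are
	 * going to be written out (-k) or they must be loaded from disk. */
	if (save_keys || !new_keys) {
		if (keys[ROT_KEY].fn == NULL) {
			ERROR("ROT key not specified\n");
			exit(1);
		}

		if (keys[TRUSTED_WORLD_KEY].fn == NULL) {
			ERROR("Trusted World key not specified\n");
			exit(1);
		}

		if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) {
			ERROR("Non-trusted World key not specified\n");
			exit(1);
		}

		if (keys[BL31_KEY].fn == NULL) {
			ERROR("BL31 key not specified\n");
			exit(1);
		}

		if (keys[BL33_KEY].fn == NULL) {
			ERROR("BL33 key not specified\n");
			exit(1);
		}

		/* Keys for the optional images are only required when the
		 * corresponding image was given */
		if (bl30_present && (keys[BL30_KEY].fn == NULL)) {
			ERROR("BL30 key not specified\n");
			exit(1);
		}

		if (bl32_present && (keys[BL32_KEY].fn == NULL)) {
			ERROR("BL32 key not specified\n");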
2946f971622SJuan Castillo exit(1); 2956f971622SJuan Castillo } 2966f971622SJuan Castillo } 2976f971622SJuan Castillo } 2986f971622SJuan Castillo 2996f971622SJuan Castillo int main(int argc, char *argv[]) 3006f971622SJuan Castillo { 3016f971622SJuan Castillo STACK_OF(X509_EXTENSION) * sk = NULL; 3026f971622SJuan Castillo X509_EXTENSION *hash_ext = NULL; 3036f971622SJuan Castillo X509_EXTENSION *nvctr_ext = NULL; 3046f971622SJuan Castillo X509_EXTENSION *trusted_key_ext = NULL; 3056f971622SJuan Castillo X509_EXTENSION *non_trusted_key_ext = NULL; 3066f971622SJuan Castillo FILE *file = NULL; 3076f971622SJuan Castillo int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid; 3086f971622SJuan Castillo int c, opt_idx = 0; 309ccbf890eSJuan Castillo unsigned int err_code; 3106f971622SJuan Castillo unsigned char md[SHA256_DIGEST_LENGTH]; 311c3da66b1SJuan Castillo const EVP_MD *md_info; 3126f971622SJuan Castillo 3136f971622SJuan Castillo NOTICE("CoT Generation Tool: %s\n", build_msg); 3146f971622SJuan Castillo NOTICE("Target platform: %s\n", platform_msg); 3156f971622SJuan Castillo 316ccbf890eSJuan Castillo /* Set default options */ 317ccbf890eSJuan Castillo key_alg = KEY_ALG_RSA; 318ccbf890eSJuan Castillo 3196f971622SJuan Castillo while (1) { 3206f971622SJuan Castillo /* getopt_long stores the option index here. */ 321ccbf890eSJuan Castillo c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx); 3226f971622SJuan Castillo 3236f971622SJuan Castillo /* Detect the end of the options. 
*/ 3246f971622SJuan Castillo if (c == -1) { 3256f971622SJuan Castillo break; 3266f971622SJuan Castillo } 3276f971622SJuan Castillo 3286f971622SJuan Castillo switch (c) { 329ccbf890eSJuan Castillo case 'a': 330ccbf890eSJuan Castillo key_alg = get_key_alg(optarg); 331ccbf890eSJuan Castillo if (key_alg < 0) { 332ccbf890eSJuan Castillo ERROR("Invalid key algorithm '%s'\n", optarg); 333ccbf890eSJuan Castillo exit(1); 334ccbf890eSJuan Castillo } 335ccbf890eSJuan Castillo break; 3366f971622SJuan Castillo case 'h': 3376f971622SJuan Castillo print_help(argv[0]); 3386f971622SJuan Castillo break; 3396f971622SJuan Castillo case 'k': 3406f971622SJuan Castillo save_keys = 1; 3416f971622SJuan Castillo break; 3426f971622SJuan Castillo case 'n': 3436f971622SJuan Castillo new_keys = 1; 3446f971622SJuan Castillo break; 3456f971622SJuan Castillo case 'p': 3466f971622SJuan Castillo print_cert = 1; 3476f971622SJuan Castillo break; 3486f971622SJuan Castillo case BL2_ID: 3496f971622SJuan Castillo certs[BL2_CERT].bin = strdup(optarg); 3506f971622SJuan Castillo break; 3516f971622SJuan Castillo case BL30_ID: 3526f971622SJuan Castillo certs[BL30_CERT].bin = strdup(optarg); 3536f971622SJuan Castillo break; 3546f971622SJuan Castillo case BL31_ID: 3556f971622SJuan Castillo certs[BL31_CERT].bin = strdup(optarg); 3566f971622SJuan Castillo break; 3576f971622SJuan Castillo case BL32_ID: 3586f971622SJuan Castillo certs[BL32_CERT].bin = strdup(optarg); 3596f971622SJuan Castillo break; 3606f971622SJuan Castillo case BL33_ID: 3616f971622SJuan Castillo certs[BL33_CERT].bin = strdup(optarg); 3626f971622SJuan Castillo break; 3636f971622SJuan Castillo case BL2_CERT_ID: 3646f971622SJuan Castillo certs[BL2_CERT].fn = strdup(optarg); 3656f971622SJuan Castillo break; 3666f971622SJuan Castillo case TRUSTED_KEY_CERT_ID: 3676f971622SJuan Castillo certs[TRUSTED_KEY_CERT].fn = strdup(optarg); 3686f971622SJuan Castillo break; 3696f971622SJuan Castillo case BL30_KEY_CERT_ID: 3706f971622SJuan Castillo 
certs[BL30_KEY_CERT].fn = strdup(optarg); 3716f971622SJuan Castillo break; 3726f971622SJuan Castillo case BL30_CERT_ID: 3736f971622SJuan Castillo certs[BL30_CERT].fn = strdup(optarg); 3746f971622SJuan Castillo break; 3756f971622SJuan Castillo case BL31_KEY_CERT_ID: 3766f971622SJuan Castillo certs[BL31_KEY_CERT].fn = strdup(optarg); 3776f971622SJuan Castillo break; 3786f971622SJuan Castillo case BL31_CERT_ID: 3796f971622SJuan Castillo certs[BL31_CERT].fn = strdup(optarg); 3806f971622SJuan Castillo break; 3816f971622SJuan Castillo case BL32_KEY_CERT_ID: 3826f971622SJuan Castillo certs[BL32_KEY_CERT].fn = strdup(optarg); 3836f971622SJuan Castillo break; 3846f971622SJuan Castillo case BL32_CERT_ID: 3856f971622SJuan Castillo certs[BL32_CERT].fn = strdup(optarg); 3866f971622SJuan Castillo break; 3876f971622SJuan Castillo case BL33_KEY_CERT_ID: 3886f971622SJuan Castillo certs[BL33_KEY_CERT].fn = strdup(optarg); 3896f971622SJuan Castillo break; 3906f971622SJuan Castillo case BL33_CERT_ID: 3916f971622SJuan Castillo certs[BL33_CERT].fn = strdup(optarg); 3926f971622SJuan Castillo break; 3936f971622SJuan Castillo case ROT_KEY_ID: 3946f971622SJuan Castillo keys[ROT_KEY].fn = strdup(optarg); 3956f971622SJuan Castillo break; 3966f971622SJuan Castillo case TRUSTED_WORLD_KEY_ID: 3976f971622SJuan Castillo keys[TRUSTED_WORLD_KEY].fn = strdup(optarg); 3986f971622SJuan Castillo break; 3996f971622SJuan Castillo case NON_TRUSTED_WORLD_KEY_ID: 4006f971622SJuan Castillo keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg); 4016f971622SJuan Castillo break; 4026f971622SJuan Castillo case BL30_KEY_ID: 4036f971622SJuan Castillo keys[BL30_KEY].fn = strdup(optarg); 4046f971622SJuan Castillo break; 4056f971622SJuan Castillo case BL31_KEY_ID: 4066f971622SJuan Castillo keys[BL31_KEY].fn = strdup(optarg); 4076f971622SJuan Castillo break; 4086f971622SJuan Castillo case BL32_KEY_ID: 4096f971622SJuan Castillo keys[BL32_KEY].fn = strdup(optarg); 4106f971622SJuan Castillo break; 4116f971622SJuan Castillo case 
BL33_KEY_ID: 4126f971622SJuan Castillo keys[BL33_KEY].fn = strdup(optarg); 4136f971622SJuan Castillo break; 4146f971622SJuan Castillo case '?': 4156f971622SJuan Castillo default: 4166f971622SJuan Castillo printf("%s\n", optarg); 4176f971622SJuan Castillo exit(1); 4186f971622SJuan Castillo } 4196f971622SJuan Castillo } 4206f971622SJuan Castillo 4216f971622SJuan Castillo /* Set the value of the NVCounters */ 4226f971622SJuan Castillo tf_nvcounter = NVCOUNTER_VALUE; 4236f971622SJuan Castillo non_tf_nvcounter = NVCOUNTER_VALUE; 4246f971622SJuan Castillo 4256f971622SJuan Castillo /* Check command line arguments */ 4266f971622SJuan Castillo check_cmd_params(); 4276f971622SJuan Castillo 4286f971622SJuan Castillo /* Register the new types and OIDs for the extensions */ 4296f971622SJuan Castillo if (ext_init(tbb_ext) != 0) { 4306f971622SJuan Castillo ERROR("Cannot initialize TBB extensions\n"); 4316f971622SJuan Castillo exit(1); 4326f971622SJuan Castillo } 4336f971622SJuan Castillo 434c3da66b1SJuan Castillo /* Indicate SHA256 as image hash algorithm in the certificate 435c3da66b1SJuan Castillo * extension */ 436c3da66b1SJuan Castillo md_info = EVP_sha256(); 437c3da66b1SJuan Castillo 4386f971622SJuan Castillo /* Get non-volatile counters NIDs */ 4396f971622SJuan Castillo CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID); 4406f971622SJuan Castillo CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID); 4416f971622SJuan Castillo 4426f971622SJuan Castillo /* Load private keys from files (or generate new ones) */ 4436f971622SJuan Castillo for (i = 0 ; i < NUM_KEYS ; i++) { 444ccbf890eSJuan Castillo /* First try to load the key from disk */ 445ccbf890eSJuan Castillo if (key_load(&keys[i], &err_code)) { 446ccbf890eSJuan Castillo /* Key loaded successfully */ 447ccbf890eSJuan Castillo continue; 448ccbf890eSJuan Castillo } 449ccbf890eSJuan Castillo 450ccbf890eSJuan Castillo /* Key not loaded. 
Check the error code */ 451ccbf890eSJuan Castillo if (err_code == KEY_ERR_MALLOC) { 452ccbf890eSJuan Castillo /* Cannot allocate memory. Abort. */ 453ccbf890eSJuan Castillo ERROR("Malloc error while loading '%s'\n", keys[i].fn); 454ccbf890eSJuan Castillo exit(1); 455ccbf890eSJuan Castillo } else if (err_code == KEY_ERR_LOAD) { 456ccbf890eSJuan Castillo /* File exists, but it does not contain a valid private 457ccbf890eSJuan Castillo * key. Abort. */ 458ccbf890eSJuan Castillo ERROR("Error loading '%s'\n", keys[i].fn); 4596f971622SJuan Castillo exit(1); 4606f971622SJuan Castillo } 461ccbf890eSJuan Castillo 462ccbf890eSJuan Castillo /* File does not exist, could not be opened or no filename was 463ccbf890eSJuan Castillo * given */ 464ccbf890eSJuan Castillo if (new_keys) { 465ccbf890eSJuan Castillo /* Try to create a new key */ 466ccbf890eSJuan Castillo NOTICE("Creating new key for '%s'\n", keys[i].desc); 467ccbf890eSJuan Castillo if (!key_create(&keys[i], key_alg)) { 468ccbf890eSJuan Castillo ERROR("Error creating key '%s'\n", keys[i].desc); 469ccbf890eSJuan Castillo exit(1); 4706f971622SJuan Castillo } 4716f971622SJuan Castillo } else { 472ccbf890eSJuan Castillo if (err_code == KEY_ERR_OPEN) { 473ccbf890eSJuan Castillo ERROR("Error opening '%s'\n", keys[i].fn); 474ccbf890eSJuan Castillo } else { 475ccbf890eSJuan Castillo ERROR("Key '%s' not specified\n", keys[i].desc); 4766f971622SJuan Castillo } 477ccbf890eSJuan Castillo exit(1); 4786f971622SJuan Castillo } 4796f971622SJuan Castillo } 4806f971622SJuan Castillo 4816f971622SJuan Castillo /* ********************************************************************* 4826f971622SJuan Castillo * BL2 certificate (Trusted Boot Firmware certificate): 4836f971622SJuan Castillo * - Self-signed with OEM ROT private key 4846f971622SJuan Castillo * - Extensions: 4856f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 4866f971622SJuan Castillo * - BL2 hash 4876f971622SJuan Castillo 
**********************************************************************/ 4886f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 4896f971622SJuan Castillo 4906f971622SJuan Castillo /* Add the NVCounter as a critical extension */ 4916f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 4926f971622SJuan Castillo tf_nvcounter)); 4936f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 4946f971622SJuan Castillo 4956f971622SJuan Castillo /* Add hash of BL2 as an extension */ 4966f971622SJuan Castillo if (!sha_file(certs[BL2_CERT].bin, md)) { 4976f971622SJuan Castillo ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin); 4986f971622SJuan Castillo exit(1); 4996f971622SJuan Castillo } 5006f971622SJuan Castillo CHECK_OID(hash_nid, BL2_HASH_OID); 501c3da66b1SJuan Castillo CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, 5026f971622SJuan Castillo SHA256_DIGEST_LENGTH)); 5036f971622SJuan Castillo sk_X509_EXTENSION_push(sk, hash_ext); 5046f971622SJuan Castillo 5056f971622SJuan Castillo /* Create certificate. 
Signed with ROT key */ 5066f971622SJuan Castillo if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) { 5076f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL2_CERT].cn); 5086f971622SJuan Castillo exit(1); 5096f971622SJuan Castillo } 5106f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 5116f971622SJuan Castillo 5126f971622SJuan Castillo /* ********************************************************************* 5136f971622SJuan Castillo * Trusted Key certificate: 5146f971622SJuan Castillo * - Self-signed with OEM ROT private key 5156f971622SJuan Castillo * - Extensions: 5166f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 5176f971622SJuan Castillo * - TrustedWorldPK 5186f971622SJuan Castillo * - NonTrustedWorldPK 5196f971622SJuan Castillo **********************************************************************/ 5206f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 5216f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 5226f971622SJuan Castillo tf_nvcounter)); 5236f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 5246f971622SJuan Castillo CHECK_OID(pk_nid, TZ_WORLD_PK_OID); 5256f971622SJuan Castillo CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 5266f971622SJuan Castillo keys[TRUSTED_WORLD_KEY].key)); 5276f971622SJuan Castillo sk_X509_EXTENSION_push(sk, trusted_key_ext); 5286f971622SJuan Castillo CHECK_OID(pk_nid, NTZ_WORLD_PK_OID); 5296f971622SJuan Castillo CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 5306f971622SJuan Castillo keys[NON_TRUSTED_WORLD_KEY].key)); 5316f971622SJuan Castillo sk_X509_EXTENSION_push(sk, non_trusted_key_ext); 5326f971622SJuan Castillo if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) { 5336f971622SJuan Castillo ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn); 5346f971622SJuan Castillo exit(1); 5356f971622SJuan Castillo } 5366f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 5376f971622SJuan Castillo 5386f971622SJuan 
Castillo /* ********************************************************************* 5396f971622SJuan Castillo * BL30 Key certificate (Trusted SCP Firmware Key certificate): 5406f971622SJuan Castillo * - Self-signed with Trusted World key 5416f971622SJuan Castillo * - Extensions: 5426f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 5436f971622SJuan Castillo * - SCPFirmwareContentCertPK 5446f971622SJuan Castillo **********************************************************************/ 5456f971622SJuan Castillo if (bl30_present) { 5466f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 5476f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 5486f971622SJuan Castillo tf_nvcounter)); 5496f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 5506f971622SJuan Castillo CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID); 5516f971622SJuan Castillo CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 5526f971622SJuan Castillo keys[BL30_KEY].key)); 5536f971622SJuan Castillo sk_X509_EXTENSION_push(sk, trusted_key_ext); 5546f971622SJuan Castillo if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) { 5556f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn); 5566f971622SJuan Castillo exit(1); 5576f971622SJuan Castillo } 5586f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 5596f971622SJuan Castillo } 5606f971622SJuan Castillo 5616f971622SJuan Castillo /* ********************************************************************* 5626f971622SJuan Castillo * BL30 certificate (SCP Firmware Content certificate): 5636f971622SJuan Castillo * - Signed with Trusted World Key 5646f971622SJuan Castillo * - Extensions: 5656f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 5666f971622SJuan Castillo * - SCPFirmwareHash 5676f971622SJuan Castillo **********************************************************************/ 5686f971622SJuan Castillo if (bl30_present) { 5696f971622SJuan Castillo CHECK_NULL(sk, 
sk_X509_EXTENSION_new_null()); 5706f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 5716f971622SJuan Castillo tf_nvcounter)); 5726f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 5736f971622SJuan Castillo 5746f971622SJuan Castillo if (!sha_file(certs[BL30_CERT].bin, md)) { 5756f971622SJuan Castillo ERROR("Cannot calculate the hash of %s\n", 5766f971622SJuan Castillo certs[BL30_CERT].bin); 5776f971622SJuan Castillo exit(1); 5786f971622SJuan Castillo } 5796f971622SJuan Castillo CHECK_OID(hash_nid, BL30_HASH_OID); 580c3da66b1SJuan Castillo CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, 581c3da66b1SJuan Castillo md, SHA256_DIGEST_LENGTH)); 5826f971622SJuan Castillo sk_X509_EXTENSION_push(sk, hash_ext); 5836f971622SJuan Castillo 5846f971622SJuan Castillo if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) { 5856f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL30_CERT].cn); 5866f971622SJuan Castillo exit(1); 5876f971622SJuan Castillo } 5886f971622SJuan Castillo 5896f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 5906f971622SJuan Castillo } 5916f971622SJuan Castillo 5926f971622SJuan Castillo /* ********************************************************************* 5936f971622SJuan Castillo * BL31 Key certificate (Trusted SoC Firmware Key certificate): 5946f971622SJuan Castillo * - Self-signed with Trusted World key 5956f971622SJuan Castillo * - Extensions: 5966f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 5976f971622SJuan Castillo * - SoCFirmwareContentCertPK 5986f971622SJuan Castillo **********************************************************************/ 5996f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 6006f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 6016f971622SJuan Castillo tf_nvcounter)); 6026f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 6036f971622SJuan Castillo CHECK_OID(pk_nid, 
BL31_CONTENT_CERT_PK_OID); 6046f971622SJuan Castillo CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 6056f971622SJuan Castillo keys[BL31_KEY].key)); 6066f971622SJuan Castillo sk_X509_EXTENSION_push(sk, trusted_key_ext); 6076f971622SJuan Castillo if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) { 6086f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn); 6096f971622SJuan Castillo exit(1); 6106f971622SJuan Castillo } 6116f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 6126f971622SJuan Castillo 6136f971622SJuan Castillo /* ********************************************************************* 6146f971622SJuan Castillo * BL31 certificate (SOC Firmware Content certificate): 6156f971622SJuan Castillo * - Signed with Trusted World Key 6166f971622SJuan Castillo * - Extensions: 6176f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 6186f971622SJuan Castillo * - BL31 hash 6196f971622SJuan Castillo **********************************************************************/ 6206f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 6216f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 6226f971622SJuan Castillo tf_nvcounter)); 6236f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 6246f971622SJuan Castillo 6256f971622SJuan Castillo if (!sha_file(certs[BL31_CERT].bin, md)) { 6266f971622SJuan Castillo ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin); 6276f971622SJuan Castillo exit(1); 6286f971622SJuan Castillo } 6296f971622SJuan Castillo CHECK_OID(hash_nid, BL31_HASH_OID); 630c3da66b1SJuan Castillo CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, 6316f971622SJuan Castillo SHA256_DIGEST_LENGTH)); 6326f971622SJuan Castillo sk_X509_EXTENSION_push(sk, hash_ext); 6336f971622SJuan Castillo 6346f971622SJuan Castillo if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) { 6356f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL31_CERT].cn); 
6366f971622SJuan Castillo exit(1); 6376f971622SJuan Castillo } 6386f971622SJuan Castillo 6396f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 6406f971622SJuan Castillo 6416f971622SJuan Castillo /* ********************************************************************* 6426f971622SJuan Castillo * BL32 Key certificate (Trusted OS Firmware Key certificate): 6436f971622SJuan Castillo * - Self-signed with Trusted World key 6446f971622SJuan Castillo * - Extensions: 6456f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 6466f971622SJuan Castillo * - TrustedOSFirmwareContentCertPK 6476f971622SJuan Castillo **********************************************************************/ 6486f971622SJuan Castillo if (bl32_present) { 6496f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 6506f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 6516f971622SJuan Castillo tf_nvcounter)); 6526f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 6536f971622SJuan Castillo CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID); 6546f971622SJuan Castillo CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 6556f971622SJuan Castillo keys[BL32_KEY].key)); 6566f971622SJuan Castillo sk_X509_EXTENSION_push(sk, trusted_key_ext); 6576f971622SJuan Castillo if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) { 6586f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn); 6596f971622SJuan Castillo exit(1); 6606f971622SJuan Castillo } 6616f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 6626f971622SJuan Castillo } 6636f971622SJuan Castillo 6646f971622SJuan Castillo /* ********************************************************************* 6656f971622SJuan Castillo * BL32 certificate (TrustedOS Firmware Content certificate): 6666f971622SJuan Castillo * - Signed with Trusted World Key 6676f971622SJuan Castillo * - Extensions: 6686f971622SJuan Castillo * - TrustedFirmwareNVCounter (TODO) 6696f971622SJuan Castillo * - BL32 hash 
6706f971622SJuan Castillo **********************************************************************/ 6716f971622SJuan Castillo if (bl32_present) { 6726f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 6736f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 6746f971622SJuan Castillo tf_nvcounter)); 6756f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 6766f971622SJuan Castillo 6776f971622SJuan Castillo if (!sha_file(certs[BL32_CERT].bin, md)) { 6786f971622SJuan Castillo ERROR("Cannot calculate the hash of %s\n", 6796f971622SJuan Castillo certs[BL32_CERT].bin); 6806f971622SJuan Castillo exit(1); 6816f971622SJuan Castillo } 6826f971622SJuan Castillo CHECK_OID(hash_nid, BL32_HASH_OID); 683c3da66b1SJuan Castillo CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, 684c3da66b1SJuan Castillo md, SHA256_DIGEST_LENGTH)); 6856f971622SJuan Castillo sk_X509_EXTENSION_push(sk, hash_ext); 6866f971622SJuan Castillo 6876f971622SJuan Castillo if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) { 6886f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL32_CERT].cn); 6896f971622SJuan Castillo exit(1); 6906f971622SJuan Castillo } 6916f971622SJuan Castillo 6926f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 6936f971622SJuan Castillo } 6946f971622SJuan Castillo 6956f971622SJuan Castillo /* ********************************************************************* 6966f971622SJuan Castillo * BL33 Key certificate (Non Trusted Firmware Key certificate): 6976f971622SJuan Castillo * - Self-signed with Non Trusted World key 6986f971622SJuan Castillo * - Extensions: 6996f971622SJuan Castillo * - NonTrustedFirmwareNVCounter (TODO) 7006f971622SJuan Castillo * - NonTrustedFirmwareContentCertPK 7016f971622SJuan Castillo **********************************************************************/ 7026f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 7036f971622SJuan Castillo CHECK_NULL(nvctr_ext, 
ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, 7046f971622SJuan Castillo non_tf_nvcounter)); 7056f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 7066f971622SJuan Castillo CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID); 7076f971622SJuan Castillo CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 7086f971622SJuan Castillo keys[BL33_KEY].key)); 7096f971622SJuan Castillo sk_X509_EXTENSION_push(sk, non_trusted_key_ext); 7106f971622SJuan Castillo if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) { 7116f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn); 7126f971622SJuan Castillo exit(1); 7136f971622SJuan Castillo } 7146f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 7156f971622SJuan Castillo 7166f971622SJuan Castillo /* ********************************************************************* 7176f971622SJuan Castillo * BL33 certificate (Non-Trusted World Content certificate): 7186f971622SJuan Castillo * - Signed with Non-Trusted World Key 7196f971622SJuan Castillo * - Extensions: 7206f971622SJuan Castillo * - NonTrustedFirmwareNVCounter (TODO) 7216f971622SJuan Castillo * - BL33 hash 7226f971622SJuan Castillo **********************************************************************/ 7236f971622SJuan Castillo CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 7246f971622SJuan Castillo CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, 7256f971622SJuan Castillo non_tf_nvcounter)); 7266f971622SJuan Castillo sk_X509_EXTENSION_push(sk, nvctr_ext); 7276f971622SJuan Castillo 7286f971622SJuan Castillo if (!sha_file(certs[BL33_CERT].bin, md)) { 7296f971622SJuan Castillo ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin); 7306f971622SJuan Castillo exit(1); 7316f971622SJuan Castillo } 7326f971622SJuan Castillo CHECK_OID(hash_nid, BL33_HASH_OID); 733c3da66b1SJuan Castillo CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, 7346f971622SJuan Castillo SHA256_DIGEST_LENGTH)); 7356f971622SJuan Castillo 
sk_X509_EXTENSION_push(sk, hash_ext); 7366f971622SJuan Castillo 7376f971622SJuan Castillo if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) { 7386f971622SJuan Castillo ERROR("Cannot create %s\n", certs[BL33_CERT].cn); 7396f971622SJuan Castillo exit(1); 7406f971622SJuan Castillo } 7416f971622SJuan Castillo sk_X509_EXTENSION_free(sk); 7426f971622SJuan Castillo 7436f971622SJuan Castillo /* Print the certificates */ 7446f971622SJuan Castillo if (print_cert) { 7456f971622SJuan Castillo for (i = 0 ; i < NUM_CERTIFICATES ; i++) { 7466f971622SJuan Castillo if (!certs[i].x) { 7476f971622SJuan Castillo continue; 7486f971622SJuan Castillo } 7496f971622SJuan Castillo printf("\n\n=====================================\n\n"); 7506f971622SJuan Castillo X509_print_fp(stdout, certs[i].x); 7516f971622SJuan Castillo } 7526f971622SJuan Castillo } 7536f971622SJuan Castillo 7546f971622SJuan Castillo /* Save created certificates to files */ 7556f971622SJuan Castillo for (i = 0 ; i < NUM_CERTIFICATES ; i++) { 7566f971622SJuan Castillo if (certs[i].x && certs[i].fn) { 7576f971622SJuan Castillo file = fopen(certs[i].fn, "w"); 7586f971622SJuan Castillo if (file != NULL) { 7596f971622SJuan Castillo i2d_X509_fp(file, certs[i].x); 7606f971622SJuan Castillo fclose(file); 7616f971622SJuan Castillo } else { 7626f971622SJuan Castillo ERROR("Cannot create file %s\n", certs[i].fn); 7636f971622SJuan Castillo } 7646f971622SJuan Castillo } 7656f971622SJuan Castillo } 7666f971622SJuan Castillo 7676f971622SJuan Castillo /* Save keys */ 7686f971622SJuan Castillo if (save_keys) { 7696f971622SJuan Castillo for (i = 0 ; i < NUM_KEYS ; i++) { 7706f971622SJuan Castillo if (!key_store(&keys[i])) { 7716f971622SJuan Castillo ERROR("Cannot save %s\n", keys[i].desc); 7726f971622SJuan Castillo } 7736f971622SJuan Castillo } 7746f971622SJuan Castillo } 7756f971622SJuan Castillo 7766f971622SJuan Castillo X509_EXTENSION_free(hash_ext); 7776f971622SJuan Castillo X509_EXTENSION_free(nvctr_ext); 7786f971622SJuan Castillo 
X509_EXTENSION_free(trusted_key_ext); 7796f971622SJuan Castillo X509_EXTENSION_free(non_trusted_key_ext); 7806f971622SJuan Castillo 7816f971622SJuan Castillo #ifndef OPENSSL_NO_ENGINE 7826f971622SJuan Castillo ENGINE_cleanup(); 7836f971622SJuan Castillo #endif 7846f971622SJuan Castillo CRYPTO_cleanup_all_ex_data(); 7856f971622SJuan Castillo 7866f971622SJuan Castillo return 0; 7876f971622SJuan Castillo } 788