tools/**/*.o
tools/fip_create/fip_create
tools/cert_create/src/*.o
+tools/cert_create/src/**/*.o
tools/cert_create/cert_create
src/ext.o \
src/key.o \
src/main.o \
- src/tbb_cert.o \
- src/tbb_ext.o \
- src/tbb_key.o \
- src/sha.o
+ src/sha.o \
+ src/tbbr/tbb_cert.o \
+ src/tbbr/tbb_ext.o \
+ src/tbbr/tbb_key.o
CFLAGS := -Wall -std=c99
#include <openssl/ossl_typ.h>
#include <openssl/x509.h>
+#include "ext.h"
#include "key.h"
+#define CERT_MAX_EXT 4
+
/*
* This structure contains information related to the generation of the
* certificates. All these fields must be known and specified at build time
int id; /* Unique identifier */
const char *fn; /* Filename to save the certificate */
- const char *bin; /* Image associated to this certificate */
-
const char *cn; /* Subject CN (Company Name) */
- X509 *x; /* X509 certificate container */
- key_t *key; /* Key to be signed */
+ /* These fields must be defined statically */
+ int key; /* Key to be signed */
+ int issuer; /* Issuer certificate */
+ int ext[CERT_MAX_EXT]; /* Certificate extensions */
+ int num_ext; /* Number of extensions in the certificate */
- cert_t *issuer; /* Issuer certificate */
+ X509 *x; /* X509 certificate container */
};
+/* Exported API */
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
-
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
+/* Macro to register the certificates used in the CoT */
+#define REGISTER_COT(_certs) \
+ cert_t *certs = &_certs[0]; \
+ const unsigned int num_certs = sizeof(_certs)/sizeof(_certs[0]);
+
+/* Exported variables */
+extern cert_t *certs;
+extern const unsigned int num_certs;
+
#endif /* CERT_H_ */
#ifndef EXT_H_
#define EXT_H_
+#include "key.h"
#include <openssl/x509v3.h>
+/* Extension types supported */
+enum {
+ EXT_TYPE_NVCOUNTER,
+ EXT_TYPE_PKEY,
+ EXT_TYPE_HASH
+};
+
/*
* This structure contains the relevant information to create the extensions
* to be included in the certificates. This extensions will be used to
const char *oid; /* OID of the extension */
const char *sn; /* Short name */
const char *ln; /* Long description */
- int type; /* OpenSSL ASN1 type of the extension data.
+ int asn1_type; /* OpenSSL ASN1 type of the extension data.
* Supported types are:
* - V_ASN1_INTEGER
* - V_ASN1_OCTET_STRING
*/
+ int type;
+ /* Extension data (depends on extension type) */
+ union {
+ const char *fn; /* File with extension data */
+ int nvcounter; /* Non volatile counter */
+ int key; /* Public key */
+ } data;
+
int alias; /* In case OpenSSL provides an standard
* extension of the same type, add the new
* extension as an alias of this one
EXT_CRIT = !EXT_NON_CRIT,
};
-int ext_init(ext_t *tbb_ext);
+/* Exported API */
+int ext_register(ext_t *tbb_ext);
X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len);
X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
+/* Macro to register the extensions used in the CoT */
+#define REGISTER_EXTENSIONS(_ext) \
+ ext_t *extensions = &_ext[0]; \
+ const unsigned int num_extensions = sizeof(_ext)/sizeof(_ext[0]);
+
+/* Exported variables */
+extern ext_t *extensions;
+extern const unsigned int num_extensions;
+
#endif /* EXT_H_ */
EVP_PKEY *key; /* Key container */
} key_t;
+/* Exported API */
int key_create(key_t *key, int type);
int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key);
+/* Macro to register the keys used in the CoT */
+#define REGISTER_KEYS(_keys) \
+ key_t *keys = &_keys[0]; \
+ const unsigned int num_keys = sizeof(_keys)/sizeof(_keys[0]);
+
+/* Exported variables */
+extern key_t *keys;
+extern const unsigned int num_keys;
+
#endif /* KEY_H_ */
+++ /dev/null
-/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of ARM nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef TBB_CERT_H_
-#define TBB_CERT_H_
-
-#include "cert.h"
-
-/*
- * Enumerate the certificates that are used to establish the chain of trust
- */
-enum {
- BL2_CERT,
- TRUSTED_KEY_CERT,
- BL30_KEY_CERT,
- BL30_CERT,
- BL31_KEY_CERT,
- BL31_CERT,
- BL32_KEY_CERT,
- BL32_CERT,
- BL33_KEY_CERT,
- BL33_CERT,
- NUM_CERTIFICATES,
-};
-
-/*
- * Array containing the certificate instances
- */
-extern cert_t certs[NUM_CERTIFICATES];
-
-#endif /* TBB_CERT_H_ */
+++ /dev/null
-/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of ARM nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef TBB_EXT_H_
-#define TBB_EXT_H_
-
-#include "ext.h"
-
-/* Array containing the extensions used in the chain of trust */
-extern ext_t tbb_ext[];
-
-#endif /* TBB_EXT_H_ */
+++ /dev/null
-/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of ARM nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef TBB_KEY_H_
-#define TBB_KEY_H_
-
-#include "key.h"
-
-/*
- * Enumerate the keys that are used to establish the chain of trust
- */
-enum {
- ROT_KEY,
- TRUSTED_WORLD_KEY,
- NON_TRUSTED_WORLD_KEY,
- BL30_KEY,
- BL31_KEY,
- BL32_KEY,
- BL33_KEY,
- NUM_KEYS
-};
-
-/*
- * Array containing the key instances
- */
-extern key_t keys[];
-
-#endif /* TBB_KEY_H_ */
--- /dev/null
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TBB_CERT_H_
+#define TBB_CERT_H_
+
+#include "cert.h"
+
+/*
+ * Enumerate the certificates that are used to establish the chain of trust
+ */
+enum {
+ BL2_CERT,
+ TRUSTED_KEY_CERT,
+ BL30_KEY_CERT,
+ BL30_CERT,
+ BL31_KEY_CERT,
+ BL31_CERT,
+ BL32_KEY_CERT,
+ BL32_CERT,
+ BL33_KEY_CERT,
+ BL33_CERT
+};
+
+#endif /* TBB_CERT_H_ */
--- /dev/null
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef TBB_EXT_H_
+#define TBB_EXT_H_
+
+#include "ext.h"
+
+/* TBBR extensions */
+enum {
+ TZ_FW_NVCOUNTER_EXT,
+ NTZ_FW_NVCOUNTER_EXT,
+ BL2_HASH_EXT,
+ TZ_WORLD_PK_EXT,
+ NTZ_WORLD_PK_EXT,
+ BL31_CONTENT_CERT_PK_EXT,
+ BL31_HASH_EXT,
+ BL30_CONTENT_CERT_PK_EXT,
+ BL30_HASH_EXT,
+ BL32_CONTENT_CERT_PK_EXT,
+ BL32_HASH_EXT,
+ BL33_CONTENT_CERT_PK_EXT,
+ BL33_HASH_EXT
+};
+
+#endif /* TBB_EXT_H_ */
--- /dev/null
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TBB_KEY_H_
+#define TBB_KEY_H_
+
+#include "key.h"
+
+/*
+ * Enumerate the keys that are used to establish the chain of trust
+ */
+enum {
+ ROT_KEY,
+ TRUSTED_WORLD_KEY,
+ NON_TRUSTED_WORLD_KEY,
+ BL30_KEY,
+ BL31_KEY,
+ BL32_KEY,
+ BL33_KEY
+};
+
+#endif /* TBB_KEY_H_ */
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
{
- EVP_PKEY *pkey = cert->key->key;
- EVP_PKEY *ikey = cert->issuer->key->key;
- X509 *issuer = cert->issuer->x;
+ EVP_PKEY *pkey = keys[cert->key].key;
+ cert_t *issuer_cert = &certs[cert->issuer];
+ EVP_PKEY *ikey = keys[issuer_cert->key].key;
+ X509 *issuer = issuer_cert->x;
X509 *x = NULL;
X509_EXTENSION *ex = NULL;
X509_NAME *name = NULL;
/* Issuer name */
name = X509_get_issuer_name(x);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
- (const unsigned char *)cert->issuer->cn, -1, -1, 0);
+ (const unsigned char *)issuer_cert->cn, -1, -1, 0);
X509_set_issuer_name(x, name);
/* Add various extensions: standard extensions */
*
* Return: 0 = success, Otherwise: error
*/
-int ext_init(ext_t *tbb_ext)
+int ext_register(ext_t *exts)
{
ext_t *ext;
X509V3_EXT_METHOD *m;
int i = 0, nid, ret;
- while ((ext = &tbb_ext[i++]) && ext->oid) {
+ while ((ext = &exts[i++]) && ext->oid) {
nid = OBJ_create(ext->oid, ext->sn, ext->ln);
if (ext->alias) {
X509V3_EXT_add_alias(nid, ext->alias);
} else {
m = &ext->method;
memset(m, 0x0, sizeof(X509V3_EXT_METHOD));
- switch (ext->type) {
+ switch (ext->asn1_type) {
case V_ASN1_INTEGER:
m->it = ASN1_ITEM_ref(ASN1_INTEGER);
m->i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER;
#include "key.h"
#include "platform_oid.h"
#include "sha.h"
-#include "tbb_ext.h"
-#include "tbb_cert.h"
-#include "tbb_key.h"
+#include "tbbr/tbb_ext.h"
+#include "tbbr/tbb_cert.h"
+#include "tbbr/tbb_key.h"
/*
* Helper macros to simplify the code. This macro assigns the return value of
#define MAX_FILENAME_LEN 1024
#define VAL_DAYS 7300
#define ID_TO_BIT_MASK(id) (1 << id)
-#define NVCOUNTER_VALUE 0
#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
/* Files */
static int bl30_present;
static int bl32_present;
-/* We are not checking nvcounters in TF. Include them in the certificates but
- * the value will be set to 0 */
-static int tf_nvcounter;
-static int non_tf_nvcounter;
-
/* Info messages created in the Makefile */
extern const char build_msg[];
extern const char platform_msg[];
}
/* BL2, BL31 and BL33 are mandatory */
- if (certs[BL2_CERT].bin == NULL) {
+ if (extensions[BL2_HASH_EXT].data.fn == NULL) {
ERROR("BL2 image not specified\n");
exit(1);
}
- if (certs[BL31_CERT].bin == NULL) {
+ if (extensions[BL31_HASH_EXT].data.fn == NULL) {
ERROR("BL31 image not specified\n");
exit(1);
}
- if (certs[BL33_CERT].bin == NULL) {
+ if (extensions[BL33_HASH_EXT].data.fn == NULL) {
ERROR("BL33 image not specified\n");
exit(1);
}
/* BL30 and BL32 are optional */
- if (certs[BL30_CERT].bin != NULL) {
+ if (extensions[BL30_HASH_EXT].data.fn != NULL) {
bl30_present = 1;
}
- if (certs[BL32_CERT].bin != NULL) {
+ if (extensions[BL32_HASH_EXT].data.fn != NULL) {
bl32_present = 1;
}
int main(int argc, char *argv[])
{
STACK_OF(X509_EXTENSION) * sk = NULL;
- X509_EXTENSION *hash_ext = NULL;
- X509_EXTENSION *nvctr_ext = NULL;
- X509_EXTENSION *trusted_key_ext = NULL;
- X509_EXTENSION *non_trusted_key_ext = NULL;
+ X509_EXTENSION *cert_ext = NULL;
+ ext_t *ext = NULL;
+ cert_t *cert;
FILE *file = NULL;
- int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
+ int i, j, ext_nid;
int c, opt_idx = 0;
unsigned int err_code;
unsigned char md[SHA256_DIGEST_LENGTH];
print_cert = 1;
break;
case BL2_ID:
- certs[BL2_CERT].bin = strdup(optarg);
+ extensions[BL2_HASH_EXT].data.fn = strdup(optarg);
break;
case BL30_ID:
- certs[BL30_CERT].bin = strdup(optarg);
+ extensions[BL30_HASH_EXT].data.fn = strdup(optarg);
break;
case BL31_ID:
- certs[BL31_CERT].bin = strdup(optarg);
+ extensions[BL31_HASH_EXT].data.fn = strdup(optarg);
break;
case BL32_ID:
- certs[BL32_CERT].bin = strdup(optarg);
+ extensions[BL32_HASH_EXT].data.fn = strdup(optarg);
break;
case BL33_ID:
- certs[BL33_CERT].bin = strdup(optarg);
+ extensions[BL33_HASH_EXT].data.fn = strdup(optarg);
break;
case BL2_CERT_ID:
certs[BL2_CERT].fn = strdup(optarg);
}
}
- /* Set the value of the NVCounters */
- tf_nvcounter = NVCOUNTER_VALUE;
- non_tf_nvcounter = NVCOUNTER_VALUE;
-
/* Check command line arguments */
check_cmd_params();
/* Register the new types and OIDs for the extensions */
- if (ext_init(tbb_ext) != 0) {
- ERROR("Cannot initialize TBB extensions\n");
+ if (ext_register(extensions) != 0) {
+ ERROR("Cannot register TBB extensions\n");
exit(1);
}
* extension */
md_info = EVP_sha256();
- /* Get non-volatile counters NIDs */
- CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
- CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
-
/* Load private keys from files (or generate new ones) */
- for (i = 0 ; i < NUM_KEYS ; i++) {
+ for (i = 0 ; i < num_keys ; i++) {
/* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) {
/* Key loaded successfully */
}
}
- /* *********************************************************************
- * BL2 certificate (Trusted Boot Firmware certificate):
- * - Self-signed with OEM ROT private key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - BL2 hash
- **********************************************************************/
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
-
- /* Add the NVCounter as a critical extension */
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
-
- /* Add hash of BL2 as an extension */
- if (!sha_file(certs[BL2_CERT].bin, md)) {
- ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
- exit(1);
- }
- CHECK_OID(hash_nid, BL2_HASH_OID);
- CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
- SHA256_DIGEST_LENGTH));
- sk_X509_EXTENSION_push(sk, hash_ext);
-
- /* Create certificate. Signed with ROT key */
- if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
-
- /* *********************************************************************
- * Trusted Key certificate:
- * - Self-signed with OEM ROT private key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - TrustedWorldPK
- * - NonTrustedWorldPK
- **********************************************************************/
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
- CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
- CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
- keys[TRUSTED_WORLD_KEY].key));
- sk_X509_EXTENSION_push(sk, trusted_key_ext);
- CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
- CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
- keys[NON_TRUSTED_WORLD_KEY].key));
- sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
- if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
-
- /* *********************************************************************
- * BL30 Key certificate (Trusted SCP Firmware Key certificate):
- * - Self-signed with Trusted World key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - SCPFirmwareContentCertPK
- **********************************************************************/
- if (bl30_present) {
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
- CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
- CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
- keys[BL30_KEY].key));
- sk_X509_EXTENSION_push(sk, trusted_key_ext);
- if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
- }
-
- /* *********************************************************************
- * BL30 certificate (SCP Firmware Content certificate):
- * - Signed with Trusted World Key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - SCPFirmwareHash
- **********************************************************************/
- if (bl30_present) {
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
-
- if (!sha_file(certs[BL30_CERT].bin, md)) {
- ERROR("Cannot calculate the hash of %s\n",
- certs[BL30_CERT].bin);
- exit(1);
- }
- CHECK_OID(hash_nid, BL30_HASH_OID);
- CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
- md, SHA256_DIGEST_LENGTH));
- sk_X509_EXTENSION_push(sk, hash_ext);
+ /* Create the certificates */
+ for (i = 0 ; i < num_certs ; i++) {
- if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
- exit(1);
- }
-
- sk_X509_EXTENSION_free(sk);
- }
+ cert = &certs[i];
- /* *********************************************************************
- * BL31 Key certificate (Trusted SoC Firmware Key certificate):
- * - Self-signed with Trusted World key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - SoCFirmwareContentCertPK
- **********************************************************************/
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
- CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
- CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
- keys[BL31_KEY].key));
- sk_X509_EXTENSION_push(sk, trusted_key_ext);
- if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
-
- /* *********************************************************************
- * BL31 certificate (SOC Firmware Content certificate):
- * - Signed with Trusted World Key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - BL31 hash
- **********************************************************************/
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
-
- if (!sha_file(certs[BL31_CERT].bin, md)) {
- ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
- exit(1);
- }
- CHECK_OID(hash_nid, BL31_HASH_OID);
- CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
- SHA256_DIGEST_LENGTH));
- sk_X509_EXTENSION_push(sk, hash_ext);
-
- if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
- exit(1);
- }
-
- sk_X509_EXTENSION_free(sk);
-
- /* *********************************************************************
- * BL32 Key certificate (Trusted OS Firmware Key certificate):
- * - Self-signed with Trusted World key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - TrustedOSFirmwareContentCertPK
- **********************************************************************/
- if (bl32_present) {
+ /* Create a new stack of extensions. This stack will be used
+ * to create the certificate */
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
- CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
- CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
- keys[BL32_KEY].key));
- sk_X509_EXTENSION_push(sk, trusted_key_ext);
- if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
- }
- /* *********************************************************************
- * BL32 certificate (TrustedOS Firmware Content certificate):
- * - Signed with Trusted World Key
- * - Extensions:
- * - TrustedFirmwareNVCounter (TODO)
- * - BL32 hash
- **********************************************************************/
- if (bl32_present) {
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
- tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
+ for (j = 0 ; j < cert->num_ext ; j++) {
+
+ ext = &extensions[cert->ext[j]];
+
+ /* Get OpenSSL internal ID for this extension */
+ CHECK_OID(ext_nid, ext->oid);
+
+ /*
+ * Three types of extensions are currently supported:
+ * - EXT_TYPE_NVCOUNTER
+ * - EXT_TYPE_HASH
+ * - EXT_TYPE_PKEY
+ */
+ switch (ext->type) {
+ case EXT_TYPE_NVCOUNTER:
+ CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
+ EXT_CRIT, ext->data.nvcounter));
+ break;
+ case EXT_TYPE_HASH:
+ if (ext->data.fn == NULL) {
+ break;
+ }
+ if (!sha_file(ext->data.fn, md)) {
+ ERROR("Cannot calculate hash of %s\n",
+ ext->data.fn);
+ exit(1);
+ }
+ CHECK_NULL(cert_ext, ext_new_hash(ext_nid,
+ EXT_CRIT, md_info, md,
+ SHA256_DIGEST_LENGTH));
+ break;
+ case EXT_TYPE_PKEY:
+ CHECK_NULL(cert_ext, ext_new_key(ext_nid,
+ EXT_CRIT, keys[ext->data.key].key));
+ break;
+ default:
+ ERROR("Unknown extension type in %s\n",
+ cert->cn);
+ exit(1);
+ }
- if (!sha_file(certs[BL32_CERT].bin, md)) {
- ERROR("Cannot calculate the hash of %s\n",
- certs[BL32_CERT].bin);
- exit(1);
+ /* Push the extension into the stack */
+ sk_X509_EXTENSION_push(sk, cert_ext);
}
- CHECK_OID(hash_nid, BL32_HASH_OID);
- CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
- md, SHA256_DIGEST_LENGTH));
- sk_X509_EXTENSION_push(sk, hash_ext);
- if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
+ /* Create certificate. Signed with ROT key */
+ if (!cert_new(cert, VAL_DAYS, 0, sk)) {
+ ERROR("Cannot create %s\n", cert->cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
- /* *********************************************************************
- * BL33 Key certificate (Non Trusted Firmware Key certificate):
- * - Self-signed with Non Trusted World key
- * - Extensions:
- * - NonTrustedFirmwareNVCounter (TODO)
- * - NonTrustedFirmwareContentCertPK
- **********************************************************************/
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
- non_tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
- CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
- CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
- keys[BL33_KEY].key));
- sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
- if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
-
- /* *********************************************************************
- * BL33 certificate (Non-Trusted World Content certificate):
- * - Signed with Non-Trusted World Key
- * - Extensions:
- * - NonTrustedFirmwareNVCounter (TODO)
- * - BL33 hash
- **********************************************************************/
- CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
- CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
- non_tf_nvcounter));
- sk_X509_EXTENSION_push(sk, nvctr_ext);
-
- if (!sha_file(certs[BL33_CERT].bin, md)) {
- ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
- exit(1);
- }
- CHECK_OID(hash_nid, BL33_HASH_OID);
- CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
- SHA256_DIGEST_LENGTH));
- sk_X509_EXTENSION_push(sk, hash_ext);
-
- if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
- ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
- exit(1);
- }
- sk_X509_EXTENSION_free(sk);
/* Print the certificates */
if (print_cert) {
- for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
+ for (i = 0 ; i < num_certs ; i++) {
if (!certs[i].x) {
continue;
}
}
/* Save created certificates to files */
- for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
+ for (i = 0 ; i < num_certs ; i++) {
if (certs[i].x && certs[i].fn) {
file = fopen(certs[i].fn, "w");
if (file != NULL) {
/* Save keys */
if (save_keys) {
- for (i = 0 ; i < NUM_KEYS ; i++) {
+ for (i = 0 ; i < num_keys ; i++) {
if (!key_store(&keys[i])) {
ERROR("Cannot save %s\n", keys[i].desc);
}
}
}
- X509_EXTENSION_free(hash_ext);
- X509_EXTENSION_free(nvctr_ext);
- X509_EXTENSION_free(trusted_key_ext);
- X509_EXTENSION_free(non_trusted_key_ext);
-
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
+++ /dev/null
-/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of ARM nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "tbb_cert.h"
-#include "tbb_key.h"
-
-/*
- * Certificates used in the chain of trust
- *
- * The order of the certificates must follow the enumeration specified in
- * tbb_cert.h. All certificates are self-signed.
- */
-cert_t certs[NUM_CERTIFICATES] = {
- {
- .id = BL2_CERT,
- .fn = NULL,
- .cn = "BL2 Certificate",
- .key = &keys[ROT_KEY],
- .issuer = &certs[BL2_CERT],
- },
- {
- .id = TRUSTED_KEY_CERT,
- .fn = NULL,
- .cn = "Trusted Key Certificate",
- .key = &keys[ROT_KEY],
- .issuer = &certs[TRUSTED_KEY_CERT],
- },
- {
- .id = BL30_KEY_CERT,
- .fn = NULL,
- .cn = "BL3-0 Key Certificate",
- .key = &keys[TRUSTED_WORLD_KEY],
- .issuer = &certs[BL30_KEY_CERT],
- },
- {
- .id = BL30_CERT,
- .fn = NULL,
- .cn = "BL3-0 Content Certificate",
- .key = &keys[BL30_KEY],
- .issuer = &certs[BL30_CERT],
- },
- {
- .id = BL31_KEY_CERT,
- .fn = NULL,
- .cn = "BL3-1 Key Certificate",
- .key = &keys[TRUSTED_WORLD_KEY],
- .issuer = &certs[BL31_KEY_CERT],
- },
- {
- .id = BL31_CERT,
- .fn = NULL,
- .cn = "BL3-1 Content Certificate",
- .key = &keys[BL31_KEY],
- .issuer = &certs[BL31_CERT],
- },
- {
- .id = BL32_KEY_CERT,
- .fn = NULL,
- .cn = "BL3-2 Key Certificate",
- .key = &keys[TRUSTED_WORLD_KEY],
- .issuer = &certs[BL32_KEY_CERT],
- },
- {
- .id = BL32_CERT,
- .fn = NULL,
- .cn = "BL3-2 Content Certificate",
- .key = &keys[BL32_KEY],
- .issuer = &certs[BL32_CERT],
- },
- {
- .id = BL33_KEY_CERT,
- .fn = NULL,
- .cn = "BL3-3 Key Certificate",
- .key = &keys[NON_TRUSTED_WORLD_KEY],
- .issuer = &certs[BL33_KEY_CERT],
- },
- {
- .id = BL33_CERT,
- .fn = NULL,
- .cn = "BL3-3 Content Certificate",
- .key = &keys[BL33_KEY],
- .issuer = &certs[BL33_CERT],
- }
-};
+++ /dev/null
-/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of ARM nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-#include "ext.h"
-#include "platform_oid.h"
-
-ext_t tbb_ext[] = {
- {
- .oid = TZ_FW_NVCOUNTER_OID,
- .sn = "TrustedNvCounter",
- .ln = "Non-volatile trusted counter",
- .type = V_ASN1_INTEGER
- },
- {
- .oid = NTZ_FW_NVCOUNTER_OID,
- .sn = "NonTrustedNvCounter",
- .ln = "Non-volatile non-trusted counter",
- .type = V_ASN1_INTEGER
- },
- {
- .oid = BL2_HASH_OID,
- .sn = "TrustedBootFirmwareHash",
- .ln = "Trusted Boot Firmware (BL2) hash (SHA256)",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = TZ_WORLD_PK_OID,
- .sn = "TrustedWorldPublicKey",
- .ln = "Trusted World Public Key",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = NTZ_WORLD_PK_OID,
- .sn = "NonTrustedWorldPublicKey",
- .ln = "Non-Trusted World Public Key",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL31_CONTENT_CERT_PK_OID,
- .sn = "SoCFirmwareContentCertPK",
- .ln = "SoC Firmware content certificate public key",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL31_HASH_OID,
- .sn = "APROMPatchHash",
- .ln = "AP ROM patch hash",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL30_CONTENT_CERT_PK_OID,
- .sn = "SCPFirmwareContentCertPK",
- .ln = "SCP Firmware content certificate public key",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL30_HASH_OID,
- .sn = "SCPFirmwareHash",
- .ln = "SCP Firmware (BL30) hash (SHA256)",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL32_CONTENT_CERT_PK_OID,
- .sn = "TrustedOSFirmwareContentCertPK",
- .ln = "Trusted OS Firmware content certificate public key",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL32_HASH_OID,
- .sn = "TrustedOSHash",
- .ln = "Trusted OS (BL32) hash (SHA256)",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL33_CONTENT_CERT_PK_OID,
- .sn = "NonTrustedFirmwareContentCertPK",
- .ln = "Non-Trusted Firmware content certificate public key",
- .type = V_ASN1_OCTET_STRING
- },
- {
- .oid = BL33_HASH_OID,
- .sn = "NonTrustedWorldBootloaderHash",
- .ln = "Non-Trusted World (BL33) hash (SHA256)",
- .type = V_ASN1_OCTET_STRING
- },
- { 0, 0, 0, 0 }
-};
+++ /dev/null
-/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of ARM nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "tbb_key.h"
-
-/*
- * Keys used to establish the chain of trust
- *
- * The order of the keys must follow the enumeration specified in tbb_key.h
- */
-key_t keys[NUM_KEYS] = {
- {
- .id = ROT_KEY,
- .desc = "Root Of Trust key"
- },
- {
- .id = TRUSTED_WORLD_KEY,
- .desc = "Trusted World key"
- },
- {
- .id = NON_TRUSTED_WORLD_KEY,
- .desc = "Non Trusted World key"
- },
- {
- .id = BL30_KEY,
- .desc = "BL30 key"
- },
- {
- .id = BL31_KEY,
- .desc = "BL31 key"
- },
- {
- .id = BL32_KEY,
- .desc = "BL32 key"
- },
- {
- .id = BL33_KEY,
- .desc = "BL33 key"
- }
-};
--- /dev/null
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "tbbr/tbb_cert.h"
+#include "tbbr/tbb_ext.h"
+#include "tbbr/tbb_key.h"
+
+/*
+ * Certificates used in the chain of trust
+ *
+ * The order of the certificates must follow the enumeration specified in
+ * tbb_cert.h. All certificates are self-signed, so the issuer certificate
+ * field points to itself.
+ */
+static cert_t tbb_certs[] = {
+ [BL2_CERT] = {
+ .id = BL2_CERT,
+ .fn = NULL,
+ .cn = "BL2 Certificate",
+ .key = ROT_KEY,
+ .issuer = BL2_CERT,
+ .ext = {
+ BL2_HASH_EXT
+ },
+ .num_ext = 1
+ },
+ [TRUSTED_KEY_CERT] = {
+ .id = TRUSTED_KEY_CERT,
+ .fn = NULL,
+ .cn = "Trusted Key Certificate",
+ .key = ROT_KEY,
+ .issuer = TRUSTED_KEY_CERT,
+ .ext = {
+ TZ_WORLD_PK_EXT,
+ NTZ_WORLD_PK_EXT
+ },
+ .num_ext = 2
+ },
+ [BL30_KEY_CERT] = {
+ .id = BL30_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-0 Key Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = BL30_KEY_CERT,
+ .ext = {
+ BL30_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 1
+ },
+ [BL30_CERT] = {
+ .id = BL30_CERT,
+ .fn = NULL,
+ .cn = "BL3-0 Content Certificate",
+ .key = BL30_KEY,
+ .issuer = BL30_CERT,
+ .ext = {
+ BL30_HASH_EXT
+ },
+ .num_ext = 1
+ },
+ [BL31_KEY_CERT] = {
+ .id = BL31_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-1 Key Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = BL31_KEY_CERT,
+ .ext = {
+ BL31_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 1
+ },
+ [BL31_CERT] = {
+ .id = BL31_CERT,
+ .fn = NULL,
+ .cn = "BL3-1 Content Certificate",
+ .key = BL31_KEY,
+ .issuer = BL31_CERT,
+ .ext = {
+ BL31_HASH_EXT
+ },
+ .num_ext = 1
+ },
+ [BL32_KEY_CERT] = {
+ .id = BL32_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-2 Key Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = BL32_KEY_CERT,
+ .ext = {
+ BL32_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 1
+ },
+ [BL32_CERT] = {
+ .id = BL32_CERT,
+ .fn = NULL,
+ .cn = "BL3-2 Content Certificate",
+ .key = BL32_KEY,
+ .issuer = BL32_CERT,
+ .ext = {
+ BL32_HASH_EXT
+ },
+ .num_ext = 1
+ },
+ [BL33_KEY_CERT] = {
+ .id = BL33_KEY_CERT,
+ .fn = NULL,
+ .cn = "BL3-3 Key Certificate",
+ .key = NON_TRUSTED_WORLD_KEY,
+ .issuer = BL33_KEY_CERT,
+ .ext = {
+ BL33_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 1
+ },
+ [BL33_CERT] = {
+ .id = BL33_CERT,
+ .fn = NULL,
+ .cn = "BL3-3 Content Certificate",
+ .key = BL33_KEY,
+ .issuer = BL33_CERT,
+ .ext = {
+ BL33_HASH_EXT
+ },
+ .num_ext = 1
+ }
+};
+
+REGISTER_COT(tbb_certs);
--- /dev/null
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+#include "ext.h"
+#include "platform_oid.h"
+#include "tbbr/tbb_ext.h"
+#include "tbbr/tbb_key.h"
+
+/* TODO: get these values from the command line */
+#define TRUSTED_WORLD_NVCTR_VALUE 0
+#define NORMAL_WORLD_NVCTR_VALUE 0
+
+static ext_t tbb_ext[] = {
+ [TZ_FW_NVCOUNTER_EXT] = {
+ .oid = TZ_FW_NVCOUNTER_OID,
+ .sn = "TrustedWorldNVCounter",
+ .ln = "Trusted World Non-Volatile counter",
+ .asn1_type = V_ASN1_INTEGER,
+ .type = EXT_TYPE_NVCOUNTER,
+ .data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE
+ },
+ [NTZ_FW_NVCOUNTER_EXT] = {
+ .oid = NTZ_FW_NVCOUNTER_OID,
+ .sn = "NormalWorldNVCounter",
+ .ln = "Normal World Non-Volatile counter",
+ .asn1_type = V_ASN1_INTEGER,
+ .type = EXT_TYPE_NVCOUNTER,
+ .data.nvcounter = NORMAL_WORLD_NVCTR_VALUE
+ },
+ [BL2_HASH_EXT] = {
+ .oid = BL2_HASH_OID,
+ .sn = "TrustedBootFirmwareHash",
+ .ln = "Trusted Boot Firmware (BL2) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [TZ_WORLD_PK_EXT] = {
+ .oid = TZ_WORLD_PK_OID,
+ .sn = "TrustedWorldPublicKey",
+ .ln = "Trusted World Public Key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .data.key = TRUSTED_WORLD_KEY
+ },
+ [NTZ_WORLD_PK_EXT] = {
+ .oid = NTZ_WORLD_PK_OID,
+ .sn = "NonTrustedWorldPublicKey",
+ .ln = "Non-Trusted World Public Key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .data.key = NON_TRUSTED_WORLD_KEY
+ },
+ [BL30_CONTENT_CERT_PK_EXT] = {
+ .oid = BL30_CONTENT_CERT_PK_OID,
+ .sn = "SCPFirmwareContentCertPK",
+ .ln = "SCP Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .data.key = BL30_KEY
+ },
+ [BL30_HASH_EXT] = {
+ .oid = BL30_HASH_OID,
+ .sn = "SCPFirmwareHash",
+ .ln = "SCP Firmware (BL30) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [BL31_CONTENT_CERT_PK_EXT] = {
+ .oid = BL31_CONTENT_CERT_PK_OID,
+ .sn = "SoCFirmwareContentCertPK",
+ .ln = "SoC Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .data.key = BL31_KEY
+ },
+ [BL31_HASH_EXT] = {
+ .oid = BL31_HASH_OID,
+ .sn = "SoCAPFirmwareHash",
+ .ln = "SoC AP Firmware (BL31) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [BL32_CONTENT_CERT_PK_EXT] = {
+ .oid = BL32_CONTENT_CERT_PK_OID,
+ .sn = "TrustedOSFirmwareContentCertPK",
+ .ln = "Trusted OS Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .data.key = BL32_KEY
+ },
+ [BL32_HASH_EXT] = {
+ .oid = BL32_HASH_OID,
+ .sn = "TrustedOSHash",
+ .ln = "Trusted OS (BL32) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [BL33_CONTENT_CERT_PK_EXT] = {
+ .oid = BL33_CONTENT_CERT_PK_OID,
+ .sn = "NonTrustedFirmwareContentCertPK",
+ .ln = "Non-Trusted Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .data.key = BL33_KEY
+ },
+ [BL33_HASH_EXT] = {
+ .oid = BL33_HASH_OID,
+ .sn = "NonTrustedWorldBootloaderHash",
+ .ln = "Non-Trusted World (BL33) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ }
+};
+
+REGISTER_EXTENSIONS(tbb_ext);
--- /dev/null
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "tbbr/tbb_key.h"
+
+/*
+ * Keys used to establish the chain of trust
+ *
+ * The order of the keys must follow the enumeration specified in tbb_key.h
+ */
+static key_t tbb_keys[] = {
+ [ROT_KEY] = {
+ .id = ROT_KEY,
+ .desc = "Root Of Trust key"
+ },
+ [TRUSTED_WORLD_KEY] = {
+ .id = TRUSTED_WORLD_KEY,
+ .desc = "Trusted World key"
+ },
+ [NON_TRUSTED_WORLD_KEY] = {
+ .id = NON_TRUSTED_WORLD_KEY,
+ .desc = "Non Trusted World key"
+ },
+ [BL30_KEY] = {
+ .id = BL30_KEY,
+ .desc = "BL30 key"
+ },
+ [BL31_KEY] = {
+ .id = BL31_KEY,
+ .desc = "BL31 key"
+ },
+ [BL32_KEY] = {
+ .id = BL32_KEY,
+ .desc = "BL32 key"
+ },
+ [BL33_KEY] = {
+ .id = BL33_KEY,
+ .desc = "BL33 key"
+ }
+};
+
+REGISTER_KEYS(tbb_keys);
projects / project / bcm63xx / atf.git / commitdiff