Diffstat (limited to 'tools/cert_create')
25 files changed, 1429 insertions, 1317 deletions
diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile index f1aa7974..437b6927 100644 --- a/tools/cert_create/Makefile +++ b/tools/cert_create/Makefile 
@@ -1,53 +1,48 @@ # -# Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# Redistributions of source code must retain the above copyright notice, this -# list of conditions and the following disclaimer. -# -# Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# Neither the name of ARM nor the names of its contributors may be used -# to endorse or promote products derived from this software without specific -# prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE -# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. 
+# SPDX-License-Identifier: BSD-3-Clause # PROJECT := cert_create PLAT := none -V := 0 +V ?= 0 DEBUG := 0 -BINARY := ${PROJECT} +BINARY := ${PROJECT}${BIN_EXT} +OPENSSL_DIR := /usr +USE_TBBR_DEFS := 1 OBJECTS := src/cert.o \ + src/cmd_opt.o \ src/ext.o \ src/key.o \ src/main.o \ - src/tbb_cert.o \ - src/tbb_ext.o \ - src/tbb_key.o \ - src/sha.o + src/sha.o \ + src/tbbr/tbb_cert.o \ + src/tbbr/tbb_ext.o \ + src/tbbr/tbb_key.o CFLAGS := -Wall -std=c99 -# Check the platform -ifeq (${PLAT},none) - $(error Error: No platform defined. Use PLAT=<platform>.) +MAKE_HELPERS_DIRECTORY := ../../make_helpers/ +include ${MAKE_HELPERS_DIRECTORY}build_macros.mk +include ${MAKE_HELPERS_DIRECTORY}build_env.mk + +ifeq (${USE_TBBR_DEFS},1) +# In this case, cert_tool is platform-independent +PLAT_MSG := TBBR Generic +PLAT_INCLUDE := ../../include/tools_share +else +PLAT_MSG := ${PLAT} + +PLATFORM_ROOT := ../../plat/ +include ${MAKE_HELPERS_DIRECTORY}plat_helpers.mk + +PLAT_INCLUDE := $(wildcard ${PLAT_DIR}include) + +ifeq ($(PLAT_INCLUDE),) + $(error "Error: Invalid platform '${PLAT}' has no include directory.") +endif endif ifeq (${DEBUG},1) 
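Review bot: `OPENSSL_DIR := /usr` and `USE_TBBR_DEFS := 1` are simple assignments, so unlike `V ?= 0` in this hunk (and `HOSTCC ?= gcc` in the next) they cannot be overridden from the environment, only on the make command line. OPENSSL_DIR is exactly the knob a user building against a non-system OpenSSL needs to set, so `OPENSSL_DIR ?= /usr` and `USE_TBBR_DEFS ?= 1` would be consistent with the other user-settable variables. A one-line comment above OPENSSL_DIR stating that both headers and libraries are taken from this prefix would also help, since INC_DIR and LIB_DIR in the next hunk are derived from it.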
@@ -56,37 +51,40 @@ else CFLAGS += -O2 -DLOG_LEVEL=20 endif ifeq (${V},0) - Q := @ + Q := @ else - Q := + Q := endif +$(eval $(call add_define,USE_TBBR_DEFS)) +CFLAGS += ${DEFINES} + # Make soft links and include from local directory otherwise wrong headers # could get pulled in from firmware tree. -INC_DIR := -I ./include -I ../../plat/${PLAT}/include -LIB_DIR := +INC_DIR := -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include +LIB_DIR := -L ${OPENSSL_DIR}/lib LIB := -lssl -lcrypto -CC := gcc -RM := rm -rf +HOSTCC ?= gcc -.PHONY: all clean +.PHONY: all clean realclean all: clean ${BINARY} ${BINARY}: ${OBJECTS} Makefile @echo " LD $@" @echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__; \ - const char platform_msg[] = "${PLAT}";' | \ + const char platform_msg[] = "${PLAT_MSG}";' | \ ${CC} -c ${CFLAGS} -xc - -o src/build_msg.o - ${Q}${CC} src/build_msg.o ${OBJECTS} ${LIB_DIR} ${LIB} -o $@ + ${Q}${HOSTCC} src/build_msg.o ${OBJECTS} ${LIB_DIR} ${LIB} -o $@ %.o: %.c @echo " CC $<" - ${Q}${CC} -c ${CFLAGS} ${INC_DIR} $< -o $@ + ${Q}${HOSTCC} -c ${CFLAGS} ${INC_DIR} $< -o $@ clean: - ${Q}${RM} -f src/build_msg.o ${OBJECTS} + $(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS}) realclean: clean - ${Q}${RM} -f ${BINARY} + $(call SHELL_DELETE, ${BINARY}) + diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h index 48a41462..256e7afd 100644 --- a/tools/cert_create/include/cert.h +++ b/tools/cert_create/include/cert.h 
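Review bot: The build_msg.o compile step, `${CC} -c ${CFLAGS} -xc - -o src/build_msg.o`, is left on `${CC}` while the link rule and the `%.o` rule in the same hunk are switched to `${HOSTCC}`. In a cross-compilation setup where CC names the target compiler, that single object is built for the wrong architecture and the `${HOSTCC}` link either fails or silently mixes toolchains; the line should read `${HOSTCC} -c ${CFLAGS} -xc - -o src/build_msg.o`. Separately, the link now uses `-L ${OPENSSL_DIR}/lib` without any corresponding run-time search path, so with a non-default OPENSSL_DIR the resulting binary may still resolve libcrypto from the system at run time; if that is intended, a comment next to LIB_DIR saying so would save the next reader a debugging session.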
@@ -1,31 +1,7 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef CERT_H_ @@ -33,8 +9,11 @@ #include <openssl/ossl_typ.h> #include <openssl/x509.h> +#include "ext.h" #include "key.h" +#define CERT_MAX_EXT 4 + /* * This structure contains information related to the generation of the * certificates. All these fields must be known and specified at build time 
@@ -51,19 +30,33 @@ typedef struct cert_s cert_t; struct cert_s { int id; /* Unique identifier */ + const char *opt; /* Command line option to pass filename */ const char *fn; /* Filename to save the certificate */ - const char *bin; /* Image associated to this certificate */ - const char *cn; /* Subject CN (Company Name) */ + const char *help_msg; /* Help message */ - X509 *x; /* X509 certificate container */ - key_t *key; /* Key to be signed */ + /* These fields must be defined statically */ + int key; /* Key to be signed */ + int issuer; /* Issuer certificate */ + int ext[CERT_MAX_EXT]; /* Certificate extensions */ + int num_ext; /* Number of extensions in the certificate */ - cert_t *issuer; /* Issuer certificate */ + X509 *x; /* X509 certificate container */ }; +/* Exported API */ +int cert_init(void); +cert_t *cert_get_by_opt(const char *opt); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); +int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); + +/* Macro to register the certificates used in the CoT */ +#define REGISTER_COT(_certs) \ + cert_t *certs = &_certs[0]; \ + const unsigned int num_certs = sizeof(_certs)/sizeof(_certs[0]) -int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); +/* Exported variables */ +extern cert_t *certs; +extern const unsigned int num_certs; #endif /* CERT_H_ */ diff --git a/tools/cert_create/include/cmd_opt.h b/tools/cert_create/include/cmd_opt.h new file mode 100644 index 00000000..5095ed16 --- /dev/null +++ b/tools/cert_create/include/cmd_opt.h 
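Review bot: The new `key`, `issuer` and `ext[]` members are plain `int` indexes into the registered `keys`/`certs`/`extensions` tables (cert.c in this series dereferences `keys[cert->key]` and `certs[cert->issuer]`), but the comment `/* These fields must be defined statically */` says neither that nor that `num_ext` must not exceed `CERT_MAX_EXT`. Suggested comments: `int key; /* Index into keys[] of the key to be certified */`, `int issuer; /* Index into certs[] of the issuer certificate */`, `int ext[CERT_MAX_EXT]; /* Indexes into extensions[]; num_ext <= CERT_MAX_EXT */`. `REGISTER_COT` defines (not declares) `certs` and `num_certs`, so its comment should state that it must be expanded exactly once, in the file that holds the CoT table.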
@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef CMD_OPT_H_ +#define CMD_OPT_H_ + +#include <getopt.h> + +#define CMD_OPT_MAX_NUM 64 + +/* Supported long command line option types */ +enum { + CMD_OPT_CERT, + CMD_OPT_KEY, + CMD_OPT_EXT +}; + +/* Structure to define a command line option */ +typedef struct cmd_opt_s { + struct option long_opt; + const char *help_msg; +} cmd_opt_t; + +/* Exported API*/ +void cmd_opt_add(const cmd_opt_t *cmd_opt); +const struct option *cmd_opt_get_array(void); +const char *cmd_opt_get_name(int idx); +const char *cmd_opt_get_help_msg(int idx); + +#endif /* CMD_OPT_H_ */ diff --git a/tools/cert_create/include/debug.h b/tools/cert_create/include/debug.h index dd0510a5..6302b413 100644 --- a/tools/cert_create/include/debug.h +++ b/tools/cert_create/include/debug.h 
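Review bot: `cmd_opt_add` stores the `long_opt.name` and `help_msg` pointers rather than copying the strings (see cmd_opt.c in this series), so the header should state that lifetime requirement: `/* Registers a long option; name and help_msg are referenced, not copied, and must outlive the option table */`. It would also help to note on `CMD_OPT_MAX_NUM` that registration aborts the tool once this many options exist, and that `cmd_opt_get_name`/`cmd_opt_get_help_msg` return NULL for an index that was never registered.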
@@ -1,31 +1,7 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef __DEBUG_H__ diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h index d73f5734..d432e639 100644 --- a/tools/cert_create/include/ext.h +++ b/tools/cert_create/include/ext.h 
@@ -1,37 +1,27 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef EXT_H_ #define EXT_H_ #include <openssl/x509v3.h> +#include "key.h" + +/* Extension types supported */ +enum ext_type_e { + EXT_TYPE_NVCOUNTER, + EXT_TYPE_PKEY, + EXT_TYPE_HASH +}; + +/* NV-Counter types */ +enum nvctr_type_e { + NVCTR_TYPE_TFW, + NVCTR_TYPE_NTFW +}; /* * This structure contains the relevant information to create the extensions 
@@ -42,11 +32,22 @@ typedef struct ext_s { const char *oid; /* OID of the extension */ const char *sn; /* Short name */ const char *ln; /* Long description */ - int type; /* OpenSSL ASN1 type of the extension data. + const char *opt; /* Command line option to specify data */ + const char *help_msg; /* Help message */ + const char *arg; /* Argument passed from command line */ + int asn1_type; /* OpenSSL ASN1 type of the extension data. * Supported types are: * - V_ASN1_INTEGER * - V_ASN1_OCTET_STRING */ + int type; /* See ext_type_e */ + + /* Extension attributes (depends on extension type) */ + union { + int nvctr_type; /* See nvctr_type_e */ + int key; /* Index into array of registered public keys */ + } attr; + int alias; /* In case OpenSSL provides an standard * extension of the same type, add the new * extension as an alias of this one @@ -55,6 +56,8 @@ typedef struct ext_s { X509V3_EXT_METHOD method; /* This field may be used to define a custom * function to print the contents of the * extension */ + + int optional; /* This field may be used optionally to exclude an image */ } ext_t; enum { @@ -62,9 +65,21 @@ enum { EXT_CRIT = !EXT_NON_CRIT, }; -int ext_init(ext_t *tbb_ext); -X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len); +/* Exported API */ +int ext_init(void); +ext_t *ext_get_by_opt(const char *opt); +X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md, + unsigned char *buf, size_t len); X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value); X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k); +/* Macro to register the extensions used in the CoT */ +#define REGISTER_EXTENSIONS(_ext) \ + ext_t *extensions = &_ext[0]; \ + const unsigned int num_extensions = sizeof(_ext)/sizeof(_ext[0]) + +/* Exported variables */ +extern ext_t *extensions; +extern const unsigned int num_extensions; + #endif /* EXT_H_ */ 
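Review bot: The comment on the new `optional` member, `This field may be used optionally to exclude an image`, does not say which value means what or what "exclude" does, and since the field is consumed outside this header a precise comment is needed, e.g. `int optional; /* Nonzero: the image this extension covers may be absent; the extension is then skipped rather than treated as an error — TODO confirm against main.c */`. The `type` member is documented only as `See ext_type_e`; declaring it as `enum ext_type_e type;` (and `attr.nvctr_type` as `enum nvctr_type_e`) would make the valid range part of the type. A comment on the `attr` union stating which `type` value selects `nvctr_type` and which selects `key` would prevent reading the wrong member.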
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h index 88197500..304fa615 100644 --- a/tools/cert_create/include/key.h +++ b/tools/cert_create/include/key.h @@ -1,31 +1,7 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef KEY_H_ 
@@ -35,6 +11,25 @@ #define RSA_KEY_BITS 2048 +/* Error codes */ +enum { + KEY_ERR_NONE, + KEY_ERR_MALLOC, + KEY_ERR_FILENAME, + KEY_ERR_OPEN, + KEY_ERR_LOAD +}; + +/* Supported key algorithms */ +enum { + KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */ + KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */ +#ifndef OPENSSL_NO_EC + KEY_ALG_ECDSA, +#endif /* OPENSSL_NO_EC */ + KEY_ALG_MAX_NUM +}; + /* * This structure contains the relevant information to create the keys * required to sign the certificates. @@ -45,13 +40,28 @@ */ typedef struct key_s { int id; /* Key id */ + const char *opt; /* Command line option to specify a key */ + const char *help_msg; /* Help message */ const char *desc; /* Key description (debug purposes) */ char *fn; /* Filename to load/store the key */ EVP_PKEY *key; /* Key container */ } key_t; +/* Exported API */ +int key_init(void); +key_t *key_get_by_opt(const char *opt); int key_new(key_t *key); -int key_load(key_t *key); +int key_create(key_t *key, int type); +int key_load(key_t *key, unsigned int *err_code); int key_store(key_t *key); +/* Macro to register the keys used in the CoT */ +#define REGISTER_KEYS(_keys) \ + key_t *keys = &_keys[0]; \ + const unsigned int num_keys = sizeof(_keys)/sizeof(_keys[0]) + +/* Exported variables */ +extern key_t *keys; +extern const unsigned int num_keys; + #endif /* KEY_H_ */ diff --git a/tools/cert_create/include/sha.h b/tools/cert_create/include/sha.h index 466d6689..6907fa19 100644 --- a/tools/cert_create/include/sha.h +++ b/tools/cert_create/include/sha.h 
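Review bot: `key_create(key_t *key, int type)` takes the key algorithm under the name `type`, while the same value is called `key_alg` in `cert_new(int key_alg, ...)` in cert.h; renaming the parameter to `key_alg` and commenting it `/* one of KEY_ALG_* */` removes the ambiguity with OpenSSL's own notion of key type. Note also that `KEY_ALG_ECDSA` sits inside `#ifndef OPENSSL_NO_EC`, so the numeric value of `KEY_ALG_MAX_NUM` depends on the OpenSSL build; any table sized or indexed by it elsewhere must be guarded the same way. `key_load(key_t *key, unsigned int *err_code)` should document that `err_code` receives one of the `KEY_ERR_*` values.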
@@ -1,31 +1,7 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef SHA_H_ diff --git a/tools/cert_create/include/tbb_cert.h b/tools/cert_create/include/tbb_cert.h deleted file mode 100644 index 4e481258..00000000 --- a/tools/cert_create/include/tbb_cert.h +++ /dev/null 
@@ -1,58 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef TBB_CERT_H_ -#define TBB_CERT_H_ - -#include "cert.h" - -/* - * Enumerate the certificates that are used to establish the chain of trust - */ -enum { - BL2_CERT, - TRUSTED_KEY_CERT, - BL30_KEY_CERT, - BL30_CERT, - BL31_KEY_CERT, - BL31_CERT, - BL32_KEY_CERT, - BL32_CERT, - BL33_KEY_CERT, - BL33_CERT, - NUM_CERTIFICATES, -}; - -/* - * Array containing the certificate instances - */ -extern cert_t certs[NUM_CERTIFICATES]; - -#endif /* TBB_CERT_H_ */ diff --git a/tools/cert_create/include/tbb_ext.h b/tools/cert_create/include/tbb_ext.h deleted file mode 100644 index 155d3cb4..00000000 --- a/tools/cert_create/include/tbb_ext.h +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ -#ifndef TBB_EXT_H_ -#define TBB_EXT_H_ - -#include "ext.h" - -/* Array containing the extensions used in the chain of trust */ -extern ext_t tbb_ext[]; - -#endif /* TBB_EXT_H_ */ diff --git a/tools/cert_create/include/tbb_key.h b/tools/cert_create/include/tbb_key.h deleted file mode 100644 index cc927d1e..00000000 --- a/tools/cert_create/include/tbb_key.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef TBB_KEY_H_ -#define TBB_KEY_H_ - -#include "key.h" - -/* - * Enumerate the keys that are used to establish the chain of trust - */ -enum { - ROT_KEY, - TRUSTED_WORLD_KEY, - NON_TRUSTED_WORLD_KEY, - BL30_KEY, - BL31_KEY, - BL32_KEY, - BL33_KEY, - NUM_KEYS -}; - -/* - * Array containing the key instances - */ -extern key_t keys[]; - -#endif /* TBB_KEY_H_ */ 
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h new file mode 100644 index 00000000..716b570f --- /dev/null +++ b/tools/cert_create/include/tbbr/tbb_cert.h @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef TBB_CERT_H_ +#define TBB_CERT_H_ + +#include "cert.h" + +/* + * Enumerate the certificates that are used to establish the chain of trust + */ +enum { + TRUSTED_BOOT_FW_CERT, + TRUSTED_KEY_CERT, + SCP_FW_KEY_CERT, + SCP_FW_CONTENT_CERT, + SOC_FW_KEY_CERT, + SOC_FW_CONTENT_CERT, + TRUSTED_OS_FW_KEY_CERT, + TRUSTED_OS_FW_CONTENT_CERT, + NON_TRUSTED_FW_KEY_CERT, + NON_TRUSTED_FW_CONTENT_CERT, + FWU_CERT +}; + +#endif /* TBB_CERT_H_ */ diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h new file mode 100644 index 00000000..85ad3595 --- /dev/null +++ b/tools/cert_create/include/tbbr/tbb_ext.h @@ -0,0 +1,33 @@ +/* + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef TBB_EXT_H_ +#define TBB_EXT_H_ + +#include "ext.h" + +/* TBBR extensions */ +enum { + TRUSTED_FW_NVCOUNTER_EXT, + NON_TRUSTED_FW_NVCOUNTER_EXT, + TRUSTED_BOOT_FW_HASH_EXT, + TRUSTED_WORLD_PK_EXT, + NON_TRUSTED_WORLD_PK_EXT, + SCP_FW_CONTENT_CERT_PK_EXT, + SCP_FW_HASH_EXT, + SOC_FW_CONTENT_CERT_PK_EXT, + SOC_AP_FW_HASH_EXT, + TRUSTED_OS_FW_CONTENT_CERT_PK_EXT, + TRUSTED_OS_FW_HASH_EXT, + TRUSTED_OS_FW_EXTRA1_HASH_EXT, + TRUSTED_OS_FW_EXTRA2_HASH_EXT, + NON_TRUSTED_FW_CONTENT_CERT_PK_EXT, + NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, + SCP_FWU_CFG_HASH_EXT, + AP_FWU_CFG_HASH_EXT, + FWU_HASH_EXT +}; + +#endif /* TBB_EXT_H_ */ diff --git a/tools/cert_create/include/tbbr/tbb_key.h b/tools/cert_create/include/tbbr/tbb_key.h new file mode 100644 index 00000000..df634c6a --- /dev/null +++ b/tools/cert_create/include/tbbr/tbb_key.h 
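Review bot: The certificate enumeration in tbb_cert.h is used as an index into the registered `certs` table (cert.c in this series dereferences `certs[cert->issuer]`), so its order must match the order of the table that `REGISTER_COT` is applied to, and nothing in the header says so; the same holds for the key enumeration in tbb_key.h and the extension enumeration in tbb_ext.h. A comment such as `/* Order must match the certificate table in tbb_cert.c; values are indexes into certs[] */` on each enum would make the coupling explicit. The old header's `NUM_CERTIFICATES` sentinel was dropped in favour of the count computed by `REGISTER_COT`, which is fine, but a line saying so would stop someone from reintroducing a sentinel that no longer agrees with `num_certs`.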
@@ -0,0 +1,25 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef TBB_KEY_H_ +#define TBB_KEY_H_ + +#include "key.h" + +/* + * Enumerate the keys that are used to establish the chain of trust + */ +enum { + ROT_KEY, + TRUSTED_WORLD_KEY, + NON_TRUSTED_WORLD_KEY, + SCP_FW_CONTENT_CERT_KEY, + SOC_FW_CONTENT_CERT_KEY, + TRUSTED_OS_FW_CONTENT_CERT_KEY, + NON_TRUSTED_FW_CONTENT_CERT_KEY +}; + +#endif /* TBB_KEY_H_ */ diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c index 9705643d..3f0b4d36 100644 --- a/tools/cert_create/src/cert.c +++ b/tools/cert_create/src/cert.c 
@@ -1,31 +1,7 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #include <stdio.h> 
@@ -34,17 +10,25 @@
 #include <openssl/conf.h>
 #include <openssl/err.h>
+#include <openssl/opensslv.h>
 #include <openssl/pem.h>
 #include <openssl/sha.h>
 #include <openssl/x509v3.h>
+#if USE_TBBR_DEFS
+#include <tbbr_oid.h>
+#else
+#include <platform_oid.h>
+#endif
+
 #include "cert.h"
+#include "cmd_opt.h"
 #include "debug.h"
 #include "key.h"
-#include "platform_oid.h"
 #include "sha.h"
 #define SERIAL_RAND_BITS 64
+#define RSA_SALT_LEN 32
 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
 {
@@ -95,17 +79,19 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
 return 1;
 }
-
-int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
+int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
 {
- EVP_PKEY *pkey = cert->key->key;
- EVP_PKEY *ikey = cert->issuer->key->key;
- X509 *issuer = cert->issuer->x;
- X509 *x = NULL;
- X509_EXTENSION *ex = NULL;
- X509_NAME *name = NULL;
- ASN1_INTEGER *sno = NULL;
- int i, num;
+ EVP_PKEY *pkey = keys[cert->key].key;
+ cert_t *issuer_cert = &certs[cert->issuer];
+ EVP_PKEY *ikey = keys[issuer_cert->key].key;
+ X509 *issuer = issuer_cert->x;
+ X509 *x;
+ X509_EXTENSION *ex;
+ X509_NAME *name;
+ ASN1_INTEGER *sno;
+ int i, num, rc = 0;
+ EVP_MD_CTX *mdCtx;
+ EVP_PKEY_CTX *pKeyCtx = NULL;
 /* Create the certificate structure */
 x = X509_new();
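Review bot: `EVP_MD_CTX *mdCtx;` is declared without an initializer while the function's error exits now converge on a single `END:` label that calls `EVP_MD_CTX_destroy(mdCtx)`; the gotos in this commit all sit after `EVP_MD_CTX_create()`, but any future early `goto END` would hand an indeterminate pointer to the destroy call. Initialising it as `EVP_MD_CTX *mdCtx = NULL;` costs nothing, and the destroy call tolerates NULL. Separately, `keys[cert->key]` and `certs[cert->issuer]` trust the static CoT table unconditionally; an `assert(cert->key < num_keys)` / `assert(cert->issuer < num_certs)` pair would turn a mistyped table entry into a clear failure instead of an out-of-bounds read. cert_new continues past this hunk.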
@@ -125,6 +111,39 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
 issuer = x;
 }
+ mdCtx = EVP_MD_CTX_create();
+ if (mdCtx == NULL) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
+
+ /* Sign the certificate with the issuer key */
+ if (!EVP_DigestSignInit(mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
+
+ /*
+ * Set additional parameters if algorithm is RSA PSS. This is not
+ * required for RSA 1.5 or ECDSA.
+ */
+ if (key_alg == KEY_ALG_RSA) {
+ if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
+
+ if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
+
+ if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
+ }
+
 /* x509.v3 */
 X509_set_version(x, 2);
@@ -147,7 +166,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
 /* Issuer name */
 name = X509_get_issuer_name(x);
 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
- (const unsigned char *)cert->issuer->cn, -1, -1, 0);
+ (const unsigned char *)issuer_cert->cn, -1, -1, 0);
 X509_set_issuer_name(x, name);
 /* Add various extensions: standard extensions */
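Review bot: `EVP_DigestSignInit(mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)` hard-codes SHA-256 as the signature digest (and again as the MGF1 digest), while this same series makes the digest used for hash extensions a parameter of `ext_new_hash`; that asymmetry is easy to misread, so a comment is warranted: `/* Signature digest is fixed at SHA-256, independent of the digest used for the hash extensions */`. `RSA_SALT_LEN` (32) likewise deserves a note that it equals the SHA-256 output length, which is presumably what the firmware-side verifier expects — confirm against that verifier before relying on it. This hunk is the middle of cert_new; the function starts and ends outside it.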
@@ -169,12 +188,50 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) } } - /* Sign the certificate with the issuer key */ - if (!X509_sign(x, ikey, EVP_sha1())) { + if (!X509_sign_ctx(x, mdCtx)) { ERR_print_errors_fp(stdout); - return 0; + goto END; } + /* X509 certificate signed successfully */ + rc = 1; cert->x = x; - return 1; + +END: + EVP_MD_CTX_destroy(mdCtx); + return rc; +} + +int cert_init(void) +{ + cmd_opt_t cmd_opt; + cert_t *cert; + unsigned int i; + + for (i = 0; i < num_certs; i++) { + cert = &certs[i]; + cmd_opt.long_opt.name = cert->opt; + cmd_opt.long_opt.has_arg = required_argument; + cmd_opt.long_opt.flag = NULL; + cmd_opt.long_opt.val = CMD_OPT_CERT; + cmd_opt.help_msg = cert->help_msg; + cmd_opt_add(&cmd_opt); + } + + return 0; +} + +cert_t *cert_get_by_opt(const char *opt) +{ + cert_t *cert; + unsigned int i; + + for (i = 0; i < num_certs; i++) { + cert = &certs[i]; + if (0 == strcmp(cert->opt, opt)) { + return cert; + } + } + + return NULL; } diff --git a/tools/cert_create/src/cmd_opt.c b/tools/cert_create/src/cmd_opt.c new file mode 100644 index 00000000..64180d1f --- /dev/null +++ b/tools/cert_create/src/cmd_opt.c 
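Review bot: On every `goto END` path of cert_new() the freshly allocated `X509 *x` is leaked: the END label only destroys `mdCtx`, and `cert->x = x` is assigned solely on success, so nothing else holds the object. Add `if (rc == 0) { X509_free(x); }` before the `return rc;` — X509_free() accepts NULL, so this stays safe even if a failure that occurs before X509_new() succeeds jumps here. cert_new()'s opening lines are outside this hunk.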
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <cmd_opt.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include "debug.h"
+
+/* Command line options */
+static struct option long_opt[CMD_OPT_MAX_NUM+1];
+static const char *help_msg[CMD_OPT_MAX_NUM+1];
+static int num_reg_opt;
+
+void cmd_opt_add(const cmd_opt_t *cmd_opt)
+{
+ assert(cmd_opt != NULL);
+
+ if (num_reg_opt >= CMD_OPT_MAX_NUM) {
+ ERROR("Out of memory. Please increase CMD_OPT_MAX_NUM\n");
+ exit(1);
+ }
+
+ long_opt[num_reg_opt].name = cmd_opt->long_opt.name;
+ long_opt[num_reg_opt].has_arg = cmd_opt->long_opt.has_arg;
+ long_opt[num_reg_opt].flag = 0;
+ long_opt[num_reg_opt].val = cmd_opt->long_opt.val;
+
+ help_msg[num_reg_opt] = cmd_opt->help_msg;
+
+ num_reg_opt++;
+}
+
+const struct option *cmd_opt_get_array(void)
+{
+ return long_opt;
+}
+
+const char *cmd_opt_get_name(int idx)
+{
+ if (idx >= num_reg_opt) {
+ return NULL;
+ }
+
+ return long_opt[idx].name;
+}
+
+const char *cmd_opt_get_help_msg(int idx)
+{
+ if (idx >= num_reg_opt) {
+ return NULL;
+ }
+
+ return help_msg[idx];
+}
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index 31f84a86..055ddbfd 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
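Review bot: `cmd_opt_get_name()` and `cmd_opt_get_help_msg()` bound-check only the upper side of `idx`, so a negative index (which the `int` parameter admits) reads before the start of `long_opt`/`help_msg`; change both guards to `if (idx < 0 || idx >= num_reg_opt)`. The overflow message in `cmd_opt_add()` says "Out of memory" although nothing is allocated — the static table is simply full — which sends whoever hits it looking in the wrong place; `ERROR("Too many command line options registered. Please increase CMD_OPT_MAX_NUM\n")` names the real condition. Lastly `long_opt[num_reg_opt].flag = 0;` assigns an integer literal to a pointer member; `NULL` matches the `cmd_opt.long_opt.flag = NULL` form the callers added in this commit use.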
@@ -1,43 +1,37 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
+ * SPDX-License-Identifier: BSD-3-Clause */ #include <stddef.h> #include <stdio.h> #include <string.h> +#include <openssl/asn1.h> +#include <openssl/asn1t.h> #include <openssl/err.h> #include <openssl/x509v3.h> + +#include "cmd_opt.h" #include "ext.h" DECLARE_ASN1_ITEM(ASN1_INTEGER) +DECLARE_ASN1_ITEM(X509_ALGOR) DECLARE_ASN1_ITEM(ASN1_OCTET_STRING) +typedef struct { + X509_ALGOR *hashAlgorithm; + ASN1_OCTET_STRING *dataHash; +} HASH; + +ASN1_SEQUENCE(HASH) = { + ASN1_SIMPLE(HASH, hashAlgorithm, X509_ALGOR), + ASN1_SIMPLE(HASH, dataHash, ASN1_OCTET_STRING), +} ASN1_SEQUENCE_END(HASH) + +DECLARE_ASN1_FUNCTIONS(HASH) +IMPLEMENT_ASN1_FUNCTIONS(HASH) + /* * This function adds the TBB extensions to the internal extension list * maintained by OpenSSL so they can be used later. @@ -49,20 +43,36 @@ DECLARE_ASN1_ITEM(ASN1_OCTET_STRING) * * Return: 0 = success, Otherwise: error */ -int ext_init(ext_t *tbb_ext) +int ext_init(void) { + cmd_opt_t cmd_opt; ext_t *ext; X509V3_EXT_METHOD *m; - int i = 0, nid, ret; + int nid, ret; + unsigned int i; - while ((ext = &tbb_ext[i++]) && ext->oid) { + for (i = 0; i < num_extensions; i++) { + ext = &extensions[i]; + /* Register command line option */ + if (ext->opt) { + cmd_opt.long_opt.name = ext->opt; + cmd_opt.long_opt.has_arg = required_argument; + cmd_opt.long_opt.flag = NULL; + cmd_opt.long_opt.val = CMD_OPT_EXT; + cmd_opt.help_msg = ext->help_msg; + cmd_opt_add(&cmd_opt); + } + /* Register the extension OID in OpenSSL */ + if (ext->oid == NULL) { + continue; + } nid = OBJ_create(ext->oid, ext->sn, ext->ln); if (ext->alias) { X509V3_EXT_add_alias(nid, ext->alias); } else { m = &ext->method; memset(m, 0x0, sizeof(X509V3_EXT_METHOD)); - switch (ext->type) { + switch (ext->asn1_type) { case V_ASN1_INTEGER: m->it = ASN1_ITEM_ref(ASN1_INTEGER); m->i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER; 
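Review bot: The new `HASH` ASN.1 type carries no comment, and its name is generic enough that a reader cannot tell it is the PKCS#1 DigestInfo structure that the ext_new_hash() comment later spells out; add above the typedef `/* DigestInfo (PKCS#1): hashAlgorithm is the AlgorithmIdentifier, dataHash the OCTET STRING holding the digest */`. It is also worth a one-line note next to `IMPLEMENT_ASN1_FUNCTIONS(HASH)` that the generated `HASH_free()` releases both members, since that ownership rule is what every caller's cleanup must follow.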
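Review bot: `nid = OBJ_create(ext->oid, ext->sn, ext->ln);` in the reworked ext_init() loop is never checked; OBJ_create() returns NID_undef on failure (e.g. a malformed OID string in the extension table), after which the alias or method is registered against NID_undef and every later lookup of that extension misbehaves far from the cause. Add `if (nid == NID_undef) { ERR_print_errors_fp(stderr); return 1; }` immediately after the call, which matches the function's documented non-zero-on-error contract. The loop body continues past the end of this hunk.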
@@ -123,37 +133,85 @@ X509_EXTENSION *ext_new(int nid, int crit, unsigned char *data, int len) } /* - * Creates a x509v3 extension containing a hash encapsulated in an ASN1 Octet - * String + * Creates a x509v3 extension containing a hash + * + * DigestInfo ::= SEQUENCE { + * digestAlgorithm AlgorithmIdentifier, + * digest OCTET STRING + * } + * + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL + * } * * Parameters: - * pex: OpenSSL extension pointer (output parameter) * nid: extension identifier * crit: extension critical (EXT_NON_CRIT, EXT_CRIT) + * md: hash algorithm * buf: pointer to the buffer that contains the hash * len: size of the hash in bytes * * Return: Extension address, NULL if error */ -X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len) +X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md, + unsigned char *buf, size_t len) { - X509_EXTENSION *ex = NULL; - ASN1_OCTET_STRING *hash = NULL; + X509_EXTENSION *ex; + ASN1_OCTET_STRING *octet; + HASH *hash; + ASN1_OBJECT *algorithm; + X509_ALGOR *x509_algor; unsigned char *p = NULL; - int sz = -1; + int sz; + + /* OBJECT_IDENTIFIER with hash algorithm */ + algorithm = OBJ_nid2obj(EVP_MD_type(md)); + if (algorithm == NULL) { + return NULL; + } - /* Encode Hash */ - hash = ASN1_OCTET_STRING_new(); - ASN1_OCTET_STRING_set(hash, buf, len); - sz = i2d_ASN1_OCTET_STRING(hash, NULL); - i2d_ASN1_OCTET_STRING(hash, &p); + /* Create X509_ALGOR */ + x509_algor = X509_ALGOR_new(); + if (x509_algor == NULL) { + return NULL; + } + x509_algor->algorithm = algorithm; + x509_algor->parameter = ASN1_TYPE_new(); + ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL); + + /* OCTET_STRING with the actual hash */ + octet = ASN1_OCTET_STRING_new(); + if (octet == NULL) { + X509_ALGOR_free(x509_algor); + return NULL; + } + ASN1_OCTET_STRING_set(octet, buf, len); + + /* HASH structure containing algorithm + hash */ + 
hash = HASH_new(); + if (hash == NULL) { + ASN1_OCTET_STRING_free(octet); + X509_ALGOR_free(x509_algor); + return NULL; + } + hash->hashAlgorithm = x509_algor; + hash->dataHash = octet; + + /* DER encoded HASH */ + sz = i2d_HASH(hash, &p); + if ((sz <= 0) || (p == NULL)) { + HASH_free(hash); + X509_ALGOR_free(x509_algor); + return NULL; + } /* Create the extension */ ex = ext_new(nid, crit, p, sz); /* Clean up */ OPENSSL_free(p); - ASN1_OCTET_STRING_free(hash); + HASH_free(hash); return ex; } @@ -172,16 +230,15 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len) */ X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value) { - X509_EXTENSION *ex = NULL; - ASN1_INTEGER *counter = NULL; + X509_EXTENSION *ex; + ASN1_INTEGER *counter; unsigned char *p = NULL; - int sz = -1; + int sz; /* Encode counter */ counter = ASN1_INTEGER_new(); ASN1_INTEGER_set(counter, value); - sz = i2d_ASN1_INTEGER(counter, NULL); - i2d_ASN1_INTEGER(counter, &p); + sz = i2d_ASN1_INTEGER(counter, &p); /* Create the extension */ ex = ext_new(nid, crit, p, sz); @@ -210,9 +267,9 @@ X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value) */ X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k) { - X509_EXTENSION *ex = NULL; - unsigned char *p = NULL; - int sz = -1; + X509_EXTENSION *ex; + unsigned char *p; + int sz; /* Encode key */ BIO *mem = BIO_new(BIO_s_mem()); @@ -231,3 +288,20 @@ X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k) return ex; } + +ext_t *ext_get_by_opt(const char *opt) +{ + ext_t *ext; + unsigned int i; + + /* Sequential search. This is not a performance concern since the number + * of extensions is bounded and the code runs on a host machine */ + for (i = 0; i < num_extensions; i++) { + ext = &extensions[i]; + if (ext->opt && !strcmp(ext->opt, opt)) { + return ext; + } + } + + return NULL; +} diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c index b5737d93..871f9ee8 100644 
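Review bot: The i2d_HASH() failure path in ext_new_hash() double-frees `x509_algor`: once `hash->hashAlgorithm = x509_algor` is set, `HASH_free(hash)` (generated by `IMPLEMENT_ASN1_FUNCTIONS(HASH)` from the `ASN1_SIMPLE` members) already releases both `hashAlgorithm` and `dataHash`, so the following `X509_ALGOR_free(x509_algor);` frees it a second time; drop that line and let `HASH_free(hash)` own the cleanup. The earlier `x509_algor->algorithm = algorithm;` / `x509_algor->parameter = ASN1_TYPE_new(); ASN1_TYPE_set(...)` sequence writes X509_ALGOR fields directly, which stops compiling once the struct is opaque (OpenSSL 1.1.0), and never checks that `ASN1_TYPE_new()` succeeded; `X509_ALGOR_set0(x509_algor, algorithm, V_ASN1_NULL, NULL)` does the same job through the public API and returns a status you can test. `ASN1_OCTET_STRING_set(octet, buf, len)` likewise returns 0 on failure and narrows `len` from size_t to int, so it deserves a check before the structure is handed to i2d_HASH().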
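Review bot: After collapsing the two-step encode into `sz = i2d_ASN1_INTEGER(counter, &p);`, neither `sz` nor `p` is checked before `ext_new(nid, crit, p, sz)`, whereas the rewritten ext_new_hash() in this same commit rejects `sz <= 0 || p == NULL`; on an encode failure `sz` is negative and `p` stays NULL, which ext_new() then receives as a negative length. Mirror the sibling function: `if ((sz <= 0) || (p == NULL)) { ASN1_INTEGER_free(counter); return NULL; }`. The `ASN1_INTEGER_new()` result is also passed straight to `ASN1_INTEGER_set()` without a NULL check; ext_new_nvcounter()'s tail is outside this hunk.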
--- a/tools/cert_create/src/key.c +++ b/tools/cert_create/src/key.c @@ -1,31 +1,7 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #include <getopt.h> 
@@ -37,81 +13,157 @@ #include <openssl/evp.h> #include <openssl/pem.h> +#if USE_TBBR_DEFS +#include <tbbr_oid.h> +#else +#include <platform_oid.h> +#endif + #include "cert.h" +#include "cmd_opt.h" #include "debug.h" #include "key.h" -#include "platform_oid.h" #include "sha.h" #define MAX_FILENAME_LEN 1024 /* - * Create a new key + * Create a new key container */ int key_new(key_t *key) { - RSA *rsa = NULL; - EVP_PKEY *k = NULL; - /* Create key pair container */ - k = EVP_PKEY_new(); - if (k == NULL) { + key->key = EVP_PKEY_new(); + if (key->key == NULL) { return 0; } - /* Generate a new RSA key */ - rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL); - if (EVP_PKEY_assign_RSA(k, rsa)) { - key->key = k; - return 1; - } else { + return 1; +} + +static int key_create_rsa(key_t *key) +{ + BIGNUM *e; + RSA *rsa = NULL; + + e = BN_new(); + if (e == NULL) { + printf("Cannot create RSA exponent\n"); + goto err; + } + + if (!BN_set_word(e, RSA_F4)) { + printf("Cannot assign RSA exponent\n"); + goto err; + } + + rsa = RSA_new(); + if (rsa == NULL) { + printf("Cannot create RSA key\n"); + goto err; + } + + if (!RSA_generate_key_ex(rsa, RSA_KEY_BITS, e, NULL)) { + printf("Cannot generate RSA key\n"); + goto err; + } + + if (!EVP_PKEY_assign_RSA(key->key, rsa)) { printf("Cannot assign RSA key\n"); + goto err; } - if (k) - EVP_PKEY_free(k); + return 1; +err: + RSA_free(rsa); + BN_free(e); return 0; } -int key_load(key_t *key) +#ifndef OPENSSL_NO_EC +static int key_create_ecdsa(key_t *key) { - FILE *fp = NULL; - EVP_PKEY *k = NULL; + EC_KEY *ec; - /* Create key pair container */ - k = EVP_PKEY_new(); - if (k == NULL) { + ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ec == NULL) { + printf("Cannot create EC key\n"); + goto err; + } + if (!EC_KEY_generate_key(ec)) { + printf("Cannot generate EC key\n"); + goto err; + } + EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS); + EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); + if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) { 
+ printf("Cannot assign EC key\n"); + goto err; + } + + return 1; +err: + EC_KEY_free(ec); + return 0; +} +#endif /* OPENSSL_NO_EC */ + +typedef int (*key_create_fn_t)(key_t *key); +static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = { + key_create_rsa, /* KEY_ALG_RSA */ + key_create_rsa, /* KEY_ALG_RSA_1_5 */ +#ifndef OPENSSL_NO_EC + key_create_ecdsa, /* KEY_ALG_ECDSA */ +#endif /* OPENSSL_NO_EC */ +}; + +int key_create(key_t *key, int type) +{ + if (type >= KEY_ALG_MAX_NUM) { + printf("Invalid key type\n"); return 0; } + if (key_create_fn[type]) { + return key_create_fn[type](key); + } + + return 0; +} + +int key_load(key_t *key, unsigned int *err_code) +{ + FILE *fp; + EVP_PKEY *k; + if (key->fn) { /* Load key from file */ fp = fopen(key->fn, "r"); if (fp) { - k = PEM_read_PrivateKey(fp, &k, NULL, NULL); + k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL); fclose(fp); if (k) { - key->key = k; + *err_code = KEY_ERR_NONE; return 1; } else { - ERROR("Cannot read key from %s\n", key->fn); + ERROR("Cannot load key from %s\n", key->fn); + *err_code = KEY_ERR_LOAD; } } else { - ERROR("Cannot open file %s\n", key->fn); + WARN("Cannot open file %s\n", key->fn); + *err_code = KEY_ERR_OPEN; } } else { - ERROR("Key filename not specified\n"); + WARN("Key filename not specified\n"); + *err_code = KEY_ERR_FILENAME; } - if (k) - EVP_PKEY_free(k); - return 0; } int key_store(key_t *key) { - FILE *fp = NULL; + FILE *fp; if (key->fn) { fp = fopen(key->fn, "w"); 
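Review bot: key_create_rsa() leaks the public exponent on the success path: `BN_free(e)` runs only under the `err:` label, but RSA_generate_key_ex() does not take ownership of `e`, so every successful generation drops one BIGNUM; free it on both paths, e.g. replace the success `return 1;` with `BN_free(e); return 1;` or route both exits through one cleanup block with an `rc` variable. The `key_create_fn[KEY_ALG_MAX_NUM]` table relies on positional order matching the KEY_ALG_* enum and on the `#ifndef OPENSSL_NO_EC` slot silently becoming NULL; designated initializers, `[KEY_ALG_RSA] = key_create_rsa, [KEY_ALG_RSA_1_5] = key_create_rsa, [KEY_ALG_ECDSA] = key_create_ecdsa,`, as main.c's `key_algs_str` already does in this commit, keep the mapping correct if the enum is ever reordered. key_create() rejects `type >= KEY_ALG_MAX_NUM` but not a negative `type`; `if (type < 0 || type >= KEY_ALG_MAX_NUM)` closes that off without relying on the caller's validation. This hunk starts in the preceding line and the key_store() body continues past its end.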
@@ -129,3 +181,41 @@ int key_store(key_t *key) return 0; } + +int key_init(void) +{ + cmd_opt_t cmd_opt; + key_t *key; + unsigned int i; + + for (i = 0; i < num_keys; i++) { + key = &keys[i]; + if (key->opt != NULL) { + cmd_opt.long_opt.name = key->opt; + cmd_opt.long_opt.has_arg = required_argument; + cmd_opt.long_opt.flag = NULL; + cmd_opt.long_opt.val = CMD_OPT_KEY; + cmd_opt.help_msg = key->help_msg; + cmd_opt_add(&cmd_opt); + } + } + + return 0; +} + +key_t *key_get_by_opt(const char *opt) +{ + key_t *key; + unsigned int i; + + /* Sequential search. This is not a performance concern since the number + * of keys is bounded and the code runs on a host machine */ + for (i = 0; i < num_keys; i++) { + key = &keys[i]; + if (0 == strcmp(key->opt, opt)) { + return key; + } + } + + return NULL; +} diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index 6df367a2..741242f5 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c 
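Review bot: key_get_by_opt() calls `strcmp(key->opt, opt)` without a NULL check, but key_init() in the same hunk explicitly skips keys whose `opt` is NULL, so such entries are expected to exist and the lookup would pass a null pointer to strcmp(); ext_get_by_opt() in ext.c guards the same case with `ext->opt && !strcmp(...)`. Use the same form here: `if (key->opt != NULL && strcmp(key->opt, opt) == 0)`. The "Sequential search" comment would also be a good place to state that `opt` must be the exact long-option name registered by key_init(), since nothing else documents the lookup key.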
@@ -1,33 +1,11 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ +#include <assert.h> +#include <ctype.h> #include <getopt.h> #include <stdio.h> #include <stdlib.h> 
@@ -40,15 +18,21 @@ #include <openssl/sha.h> #include <openssl/x509v3.h> +#if USE_TBBR_DEFS +#include <tbbr_oid.h> +#else +#include <platform_oid.h> +#endif + #include "cert.h" +#include "cmd_opt.h" #include "debug.h" #include "ext.h" #include "key.h" -#include "platform_oid.h" #include "sha.h" -#include "tbb_ext.h" -#include "tbb_cert.h" -#include "tbb_key.h" +#include "tbbr/tbb_cert.h" +#include "tbbr/tbb_ext.h" +#include "tbbr/tbb_key.h" /* * Helper macros to simplify the code. This macro assigns the return value of @@ -79,49 +63,14 @@ #define MAX_FILENAME_LEN 1024 #define VAL_DAYS 7300 #define ID_TO_BIT_MASK(id) (1 << id) -#define NVCOUNTER_VALUE 0 - -/* Files */ -enum { - /* Image file names (inputs) */ - BL2_ID = 0, - BL30_ID, - BL31_ID, - BL32_ID, - BL33_ID, - /* Certificate file names (outputs) */ - BL2_CERT_ID, - TRUSTED_KEY_CERT_ID, - BL30_KEY_CERT_ID, - BL30_CERT_ID, - BL31_KEY_CERT_ID, - BL31_CERT_ID, - BL32_KEY_CERT_ID, - BL32_CERT_ID, - BL33_KEY_CERT_ID, - BL33_CERT_ID, - /* Key file names (input/output) */ - ROT_KEY_ID, - TRUSTED_WORLD_KEY_ID, - NON_TRUSTED_WORLD_KEY_ID, - BL30_KEY_ID, - BL31_KEY_ID, - BL32_KEY_ID, - BL33_KEY_ID, - NUM_OPTS -}; +#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0]))) +#define HELP_OPT_MAX_LEN 128 /* Global options */ +static int key_alg; static int new_keys; static int save_keys; static int print_cert; -static int bl30_present; -static int bl32_present; - -/* We are not checking nvcounters in TF. Include them in the certificates but - * the value will be set to 0 */ -static int tf_nvcounter; -static int non_tf_nvcounter; /* Info messages created in the Makefile */ extern const char build_msg[]; 
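Review bot: The new `NUM_ELEM(x)` macro does not parenthesise its argument inside the subscript, `(sizeof(x[0]))`, so an argument containing an operator would index a different object than the one whose size is taken; write it as `#define NUM_ELEM(x) (sizeof(x) / sizeof((x)[0]))`. It is only meaningful for true arrays, not pointers or array parameters that have decayed — a one-line comment saying so next to the definition keeps the `key_algs_str`/`common_cmd_opt` uses from being copied onto a pointer later.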
@@ -138,44 +87,24 @@ static char *strdup(const char *str) return dup; } -/* Command line options */ -static const struct option long_opt[] = { - /* Binary images */ - {"bl2", required_argument, 0, BL2_ID}, - {"bl30", required_argument, 0, BL30_ID}, - {"bl31", required_argument, 0, BL31_ID}, - {"bl32", required_argument, 0, BL32_ID}, - {"bl33", required_argument, 0, BL33_ID}, - /* Certificate files */ - {"bl2-cert", required_argument, 0, BL2_CERT_ID}, - {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID}, - {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID}, - {"bl30-cert", required_argument, 0, BL30_CERT_ID}, - {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID}, - {"bl31-cert", required_argument, 0, BL31_CERT_ID}, - {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID}, - {"bl32-cert", required_argument, 0, BL32_CERT_ID}, - {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID}, - {"bl33-cert", required_argument, 0, BL33_CERT_ID}, - /* Private key files */ - {"rot-key", required_argument, 0, ROT_KEY_ID}, - {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID}, - {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID}, - {"bl30-key", required_argument, 0, BL30_KEY_ID}, - {"bl31-key", required_argument, 0, BL31_KEY_ID}, - {"bl32-key", required_argument, 0, BL32_KEY_ID}, - {"bl33-key", required_argument, 0, BL33_KEY_ID}, - /* Common options */ - {"help", no_argument, 0, 'h'}, - {"save-keys", no_argument, 0, 'k'}, - {"new-chain", no_argument, 0, 'n'}, - {"print-cert", no_argument, 0, 'p'}, - {0, 0, 0, 0} +static const char *key_algs_str[] = { + [KEY_ALG_RSA] = "rsa", + [KEY_ALG_RSA_1_5] = "rsa_1_5", +#ifndef OPENSSL_NO_EC + [KEY_ALG_ECDSA] = "ecdsa" +#endif /* OPENSSL_NO_EC */ }; -static void print_help(const char *cmd) +static void print_help(const char *cmd, const struct option *long_opt) { - int i = 0; + int rem, i = 0; + const struct option *opt; + char line[HELP_OPT_MAX_LEN]; + char *p; + + assert(cmd 
!= NULL); + assert(long_opt != NULL); + printf("\n\n"); printf("The certificate generation tool loads the binary images and\n" "optionally the RSA keys, and outputs the key and content\n" 
@@ -183,107 +112,186 @@ static void print_help(const char *cmd) "If keys are provided, they must be in PEM format.\n" "Certificates are generated in DER format.\n"); printf("\n"); - printf("Usage:\n\n"); - printf(" %s [-hknp] \\\n", cmd); - for (i = 0; i < NUM_OPTS; i++) { - printf(" --%s <file> \\\n", long_opt[i].name); + printf("Usage:\n"); + printf("\t%s [OPTIONS]\n\n", cmd); + + printf("Available options:\n"); + opt = long_opt; + while (opt->name) { + p = line; + rem = HELP_OPT_MAX_LEN; + if (isalpha(opt->val)) { + /* Short format */ + sprintf(p, "-%c,", (char)opt->val); + p += 3; + rem -= 3; + } + snprintf(p, rem, "--%s %s", opt->name, + (opt->has_arg == required_argument) ? "<arg>" : ""); + printf("\t%-32s %s\n", line, cmd_opt_get_help_msg(i)); + opt++; + i++; } printf("\n"); - printf("-h Print help and exit\n"); - printf("-k Save key pairs into files. Filenames must be provided\n"); - printf("-n Generate new key pairs if no key files are provided\n"); - printf("-p Print the certificates in the standard output\n"); - printf("\n"); exit(0); } -static void check_cmd_params(void) +static int get_key_alg(const char *key_alg_str) { - /* BL2, BL31 and BL33 are mandatory */ - if (certs[BL2_CERT].bin == NULL) { - ERROR("BL2 image not specified\n"); - exit(1); - } - - if (certs[BL31_CERT].bin == NULL) { - ERROR("BL31 image not specified\n"); - exit(1); - } + int i; - if (certs[BL33_CERT].bin == NULL) { - ERROR("BL33 image not specified\n"); - exit(1); + for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) { + if (0 == strcmp(key_alg_str, key_algs_str[i])) { + return i; + } } - /* BL30 and BL32 are optional */ - if (certs[BL30_CERT].bin != NULL) { - bl30_present = 1; - } + return -1; +} - if (certs[BL32_CERT].bin != NULL) { - bl32_present = 1; +static void check_cmd_params(void) +{ + cert_t *cert; + ext_t *ext; + key_t *key; + int i, j; + + /* Only save new keys */ + if (save_keys && !new_keys) { + ERROR("Only new keys can be saved to disk\n"); + exit(1); } - /* TODO: 
Certificate filenames */ - - /* Filenames to store keys must be specified */ - if (save_keys || !new_keys) { - if (keys[ROT_KEY].fn == NULL) { - ERROR("ROT key not specified\n"); - exit(1); + /* Check that all required options have been specified in the + * command line */ + for (i = 0; i < num_certs; i++) { + cert = &certs[i]; + if (cert->fn == NULL) { + /* Certificate not requested. Skip to the next one */ + continue; } - if (keys[TRUSTED_WORLD_KEY].fn == NULL) { - ERROR("Trusted World key not specified\n"); - exit(1); - } - - if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) { - ERROR("Non-trusted World key not specified\n"); - exit(1); - } - - if (keys[BL31_KEY].fn == NULL) { - ERROR("BL31 key not specified\n"); - exit(1); - } - - if (keys[BL33_KEY].fn == NULL) { - ERROR("BL33 key not specified\n"); - exit(1); - } - - if (bl30_present && (keys[BL30_KEY].fn == NULL)) { - ERROR("BL30 key not specified\n"); - exit(1); - } - - if (bl32_present && (keys[BL32_KEY].fn == NULL)) { - ERROR("BL32 key not specified\n"); - exit(1); + /* Check that all parameters required to create this certificate + * have been specified in the command line */ + for (j = 0; j < cert->num_ext; j++) { + ext = &extensions[cert->ext[j]]; + switch (ext->type) { + case EXT_TYPE_NVCOUNTER: + /* Counter value must be specified */ + if ((!ext->optional) && (ext->arg == NULL)) { + ERROR("Value for '%s' not specified\n", + ext->ln); + exit(1); + } + break; + case EXT_TYPE_PKEY: + /* Key filename must be specified */ + key = &keys[ext->attr.key]; + if (!new_keys && key->fn == NULL) { + ERROR("Key '%s' required by '%s' not " + "specified\n", key->desc, + cert->cn); + exit(1); + } + break; + case EXT_TYPE_HASH: + /* + * Binary image must be specified + * unless it is explicitly made optional. 
+ */ + if ((!ext->optional) && (ext->arg == NULL)) { + ERROR("Image for '%s' not specified\n", + ext->ln); + exit(1); + } + break; + default: + ERROR("Unknown extension type '%d' in '%s'\n", + ext->type, ext->ln); + exit(1); + break; + } } } } +/* Common command line options */ +static const cmd_opt_t common_cmd_opt[] = { + { + { "help", no_argument, NULL, 'h' }, + "Print this message and exit" + }, + { + { "key-alg", required_argument, NULL, 'a' }, + "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \ +PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'" + }, + { + { "save-keys", no_argument, NULL, 'k' }, + "Save key pairs into files. Filenames must be provided" + }, + { + { "new-keys", no_argument, NULL, 'n' }, + "Generate new key pairs if no key files are provided" + }, + { + { "print-cert", no_argument, NULL, 'p' }, + "Print the certificates in the standard output" + } +}; + int main(int argc, char *argv[]) { - STACK_OF(X509_EXTENSION) * sk = NULL; - X509_EXTENSION *hash_ext = NULL; - X509_EXTENSION *nvctr_ext = NULL; - X509_EXTENSION *trusted_key_ext = NULL; - X509_EXTENSION *non_trusted_key_ext = NULL; - FILE *file = NULL; - int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid; + STACK_OF(X509_EXTENSION) * sk; + X509_EXTENSION *cert_ext = NULL; + ext_t *ext; + key_t *key; + cert_t *cert; + FILE *file; + int i, j, ext_nid, nvctr; int c, opt_idx = 0; + const struct option *cmd_opt; + const char *cur_opt; + unsigned int err_code; unsigned char md[SHA256_DIGEST_LENGTH]; + const EVP_MD *md_info; NOTICE("CoT Generation Tool: %s\n", build_msg); NOTICE("Target platform: %s\n", platform_msg); + /* Set default options */ + key_alg = KEY_ALG_RSA; + + /* Add common command line options */ + for (i = 0; i < NUM_ELEM(common_cmd_opt); i++) { + cmd_opt_add(&common_cmd_opt[i]); + } + + /* Initialize the certificates */ + if (cert_init() != 0) { + ERROR("Cannot initialize certificates\n"); + exit(1); + } + + /* Initialize the keys */ + if (key_init() != 0) { + ERROR("Cannot 
initialize keys\n"); + exit(1); + } + + /* Initialize the new types and register OIDs for the extensions */ + if (ext_init() != 0) { + ERROR("Cannot initialize TBB extensions\n"); + exit(1); + } + + /* Get the command line options populated during the initialization */ + cmd_opt = cmd_opt_get_array(); + while (1) { /* getopt_long stores the option index here. */ - c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx); + c = getopt_long(argc, argv, "a:hknp", cmd_opt, &opt_idx); /* Detect the end of the options. */ if (c == -1) { @@ -291,8 +299,15 @@ int main(int argc, char *argv[]) } switch (c) { + case 'a': + key_alg = get_key_alg(optarg); + if (key_alg < 0) { + ERROR("Invalid key algorithm '%s'\n", optarg); + exit(1); + } + break; case 'h': - print_help(argv[0]); + print_help(argv[0], cmd_opt); break; case 'k': save_keys = 1; 
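Review bot: In print_help(), `isalpha(opt->val)` is applied to every registered option's `val`, including the CMD_OPT_EXT/CMD_OPT_KEY/CMD_OPT_CERT identifiers whose numeric values are not visible here; the `<ctype.h>` functions are only defined for values representable as unsigned char or EOF, so if those identifiers fall outside 0..255 this is undefined behaviour. Guard it, `if (opt->val >= 0 && opt->val <= 0xff && isalpha(opt->val))`, or test membership in the `"a:hknp"` short-option set directly. The same loop prints `cmd_opt_get_help_msg(i)` through `%s` unconditionally, and cmd_opt_add() does not require a help string, so an option registered without one would hand NULL to printf(); substituting `""` for a NULL message keeps the table printable. print_help()'s opening lines are in the preceding hunk, and main() continues past the end of this one.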
@@ -303,378 +318,153 @@ int main(int argc, char *argv[]) case 'p': print_cert = 1; break; - case BL2_ID: - certs[BL2_CERT].bin = strdup(optarg); - break; - case BL30_ID: - certs[BL30_CERT].bin = strdup(optarg); - break; - case BL31_ID: - certs[BL31_CERT].bin = strdup(optarg); - break; - case BL32_ID: - certs[BL32_CERT].bin = strdup(optarg); - break; - case BL33_ID: - certs[BL33_CERT].bin = strdup(optarg); + case CMD_OPT_EXT: + cur_opt = cmd_opt_get_name(opt_idx); + ext = ext_get_by_opt(cur_opt); + ext->arg = strdup(optarg); break; - case BL2_CERT_ID: - certs[BL2_CERT].fn = strdup(optarg); + case CMD_OPT_KEY: + cur_opt = cmd_opt_get_name(opt_idx); + key = key_get_by_opt(cur_opt); + key->fn = strdup(optarg); break; - case TRUSTED_KEY_CERT_ID: - certs[TRUSTED_KEY_CERT].fn = strdup(optarg); - break; - case BL30_KEY_CERT_ID: - certs[BL30_KEY_CERT].fn = strdup(optarg); - break; - case BL30_CERT_ID: - certs[BL30_CERT].fn = strdup(optarg); - break; - case BL31_KEY_CERT_ID: - certs[BL31_KEY_CERT].fn = strdup(optarg); - break; - case BL31_CERT_ID: - certs[BL31_CERT].fn = strdup(optarg); - break; - case BL32_KEY_CERT_ID: - certs[BL32_KEY_CERT].fn = strdup(optarg); - break; - case BL32_CERT_ID: - certs[BL32_CERT].fn = strdup(optarg); - break; - case BL33_KEY_CERT_ID: - certs[BL33_KEY_CERT].fn = strdup(optarg); - break; - case BL33_CERT_ID: - certs[BL33_CERT].fn = strdup(optarg); - break; - case ROT_KEY_ID: - keys[ROT_KEY].fn = strdup(optarg); - break; - case TRUSTED_WORLD_KEY_ID: - keys[TRUSTED_WORLD_KEY].fn = strdup(optarg); - break; - case NON_TRUSTED_WORLD_KEY_ID: - keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg); - break; - case BL30_KEY_ID: - keys[BL30_KEY].fn = strdup(optarg); - break; - case BL31_KEY_ID: - keys[BL31_KEY].fn = strdup(optarg); - break; - case BL32_KEY_ID: - keys[BL32_KEY].fn = strdup(optarg); - break; - case BL33_KEY_ID: - keys[BL33_KEY].fn = strdup(optarg); + case CMD_OPT_CERT: + cur_opt = cmd_opt_get_name(opt_idx); + cert = cert_get_by_opt(cur_opt); + 
cert->fn = strdup(optarg); break; case '?': default: - printf("%s\n", optarg); + print_help(argv[0], cmd_opt); exit(1); } } - /* Set the value of the NVCounters */ - tf_nvcounter = NVCOUNTER_VALUE; - non_tf_nvcounter = NVCOUNTER_VALUE; - /* Check command line arguments */ check_cmd_params(); - /* Register the new types and OIDs for the extensions */ - if (ext_init(tbb_ext) != 0) { - ERROR("Cannot initialize TBB extensions\n"); - exit(1); - } - - /* Get non-volatile counters NIDs */ - CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID); - CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID); + /* Indicate SHA256 as image hash algorithm in the certificate + * extension */ + md_info = EVP_sha256(); /* Load private keys from files (or generate new ones) */ - if (new_keys) { - for (i = 0 ; i < NUM_KEYS ; i++) { - if (!key_new(&keys[i])) { - ERROR("Error creating %s\n", keys[i].desc); - exit(1); - } - } - } else { - for (i = 0 ; i < NUM_KEYS ; i++) { - if (!key_load(&keys[i])) { - ERROR("Error loading %s\n", keys[i].desc); - exit(1); - } - } - } - - /* ********************************************************************* - * BL2 certificate (Trusted Boot Firmware certificate): - * - Self-signed with OEM ROT private key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - BL2 hash - **********************************************************************/ - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - - /* Add the NVCounter as a critical extension */ - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - - /* Add hash of BL2 as an extension */ - if (!sha_file(certs[BL2_CERT].bin, md)) { - ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin); - exit(1); - } - CHECK_OID(hash_nid, BL2_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); - sk_X509_EXTENSION_push(sk, hash_ext); - - /* Create certificate. 
Signed with ROT key */ - if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL2_CERT].cn); - exit(1); - } - sk_X509_EXTENSION_free(sk); - - /* ********************************************************************* - * Trusted Key certificate: - * - Self-signed with OEM ROT private key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - TrustedWorldPK - * - NonTrustedWorldPK - **********************************************************************/ - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - CHECK_OID(pk_nid, TZ_WORLD_PK_OID); - CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, - keys[TRUSTED_WORLD_KEY].key)); - sk_X509_EXTENSION_push(sk, trusted_key_ext); - CHECK_OID(pk_nid, NTZ_WORLD_PK_OID); - CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, - keys[NON_TRUSTED_WORLD_KEY].key)); - sk_X509_EXTENSION_push(sk, non_trusted_key_ext); - if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn); - exit(1); - } - sk_X509_EXTENSION_free(sk); - - /* ********************************************************************* - * BL30 Key certificate (Trusted SCP Firmware Key certificate): - * - Self-signed with Trusted World key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - SCPFirmwareContentCertPK - **********************************************************************/ - if (bl30_present) { - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID); - CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, - keys[BL30_KEY].key)); - sk_X509_EXTENSION_push(sk, trusted_key_ext); - if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot 
create %s\n", certs[BL30_KEY_CERT].cn); + for (i = 0 ; i < num_keys ; i++) { + if (!key_new(&keys[i])) { + ERROR("Failed to allocate key container\n"); exit(1); } - sk_X509_EXTENSION_free(sk); - } - /* ********************************************************************* - * BL30 certificate (SCP Firmware Content certificate): - * - Signed with Trusted World Key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - SCPFirmwareHash - **********************************************************************/ - if (bl30_present) { - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); + /* First try to load the key from disk */ + if (key_load(&keys[i], &err_code)) { + /* Key loaded successfully */ + continue; + } - if (!sha_file(certs[BL30_CERT].bin, md)) { - ERROR("Cannot calculate the hash of %s\n", - certs[BL30_CERT].bin); + /* Key not loaded. Check the error code */ + if (err_code == KEY_ERR_LOAD) { + /* File exists, but it does not contain a valid private + * key. Abort. 
*/ + ERROR("Error loading '%s'\n", keys[i].fn); exit(1); } - CHECK_OID(hash_nid, BL30_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); - sk_X509_EXTENSION_push(sk, hash_ext); - if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL30_CERT].cn); + /* File does not exist, could not be opened or no filename was + * given */ + if (new_keys) { + /* Try to create a new key */ + NOTICE("Creating new key for '%s'\n", keys[i].desc); + if (!key_create(&keys[i], key_alg)) { + ERROR("Error creating key '%s'\n", keys[i].desc); + exit(1); + } + } else { + if (err_code == KEY_ERR_OPEN) { + ERROR("Error opening '%s'\n", keys[i].fn); + } else { + ERROR("Key '%s' not specified\n", keys[i].desc); + } exit(1); } - - sk_X509_EXTENSION_free(sk); - } - - /* ********************************************************************* - * BL31 Key certificate (Trusted SoC Firmware Key certificate): - * - Self-signed with Trusted World key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - SoCFirmwareContentCertPK - **********************************************************************/ - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID); - CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, - keys[BL31_KEY].key)); - sk_X509_EXTENSION_push(sk, trusted_key_ext); - if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn); - exit(1); - } - sk_X509_EXTENSION_free(sk); - - /* ********************************************************************* - * BL31 certificate (SOC Firmware Content certificate): - * - Signed with Trusted World Key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - BL31 hash - **********************************************************************/ - 
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - - if (!sha_file(certs[BL31_CERT].bin, md)) { - ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin); - exit(1); } - CHECK_OID(hash_nid, BL31_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); - sk_X509_EXTENSION_push(sk, hash_ext); - if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL31_CERT].cn); - exit(1); - } + /* Create the certificates */ + for (i = 0 ; i < num_certs ; i++) { - sk_X509_EXTENSION_free(sk); + cert = &certs[i]; - /* ********************************************************************* - * BL32 Key certificate (Trusted OS Firmware Key certificate): - * - Self-signed with Trusted World key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - TrustedOSFirmwareContentCertPK - **********************************************************************/ - if (bl32_present) { + /* Create a new stack of extensions. 
This stack will be used + * to create the certificate */ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID); - CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, - keys[BL32_KEY].key)); - sk_X509_EXTENSION_push(sk, trusted_key_ext); - if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn); - exit(1); - } - sk_X509_EXTENSION_free(sk); - } - /* ********************************************************************* - * BL32 certificate (TrustedOS Firmware Content certificate): - * - Signed with Trusted World Key - * - Extensions: - * - TrustedFirmwareNVCounter (TODO) - * - BL32 hash - **********************************************************************/ - if (bl32_present) { - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, - tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); + for (j = 0 ; j < cert->num_ext ; j++) { + + ext = &extensions[cert->ext[j]]; + + /* Get OpenSSL internal ID for this extension */ + CHECK_OID(ext_nid, ext->oid); + + /* + * Three types of extensions are currently supported: + * - EXT_TYPE_NVCOUNTER + * - EXT_TYPE_HASH + * - EXT_TYPE_PKEY + */ + switch (ext->type) { + case EXT_TYPE_NVCOUNTER: + if (ext->arg) { + nvctr = atoi(ext->arg); + CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid, + EXT_CRIT, nvctr)); + } + break; + case EXT_TYPE_HASH: + if (ext->arg == NULL) { + if (ext->optional) { + /* Include a hash filled with zeros */ + memset(md, 0x0, SHA256_DIGEST_LENGTH); + } else { + /* Do not include this hash in the certificate */ + break; + } + } else { + /* Calculate the hash of the file */ + if (!sha_file(ext->arg, md)) { + ERROR("Cannot calculate hash of %s\n", + ext->arg); + exit(1); + } + } + CHECK_NULL(cert_ext, ext_new_hash(ext_nid, + 
EXT_CRIT, md_info, md, + SHA256_DIGEST_LENGTH)); + break; + case EXT_TYPE_PKEY: + CHECK_NULL(cert_ext, ext_new_key(ext_nid, + EXT_CRIT, keys[ext->attr.key].key)); + break; + default: + ERROR("Unknown extension type '%d' in %s\n", + ext->type, cert->cn); + exit(1); + } - if (!sha_file(certs[BL32_CERT].bin, md)) { - ERROR("Cannot calculate the hash of %s\n", - certs[BL32_CERT].bin); - exit(1); + /* Push the extension into the stack */ + sk_X509_EXTENSION_push(sk, cert_ext); } - CHECK_OID(hash_nid, BL32_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); - sk_X509_EXTENSION_push(sk, hash_ext); - if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL32_CERT].cn); + /* Create certificate. Signed with corresponding key */ + if (cert->fn && !cert_new(key_alg, cert, VAL_DAYS, 0, sk)) { + ERROR("Cannot create %s\n", cert->cn); exit(1); } sk_X509_EXTENSION_free(sk); } - /* ********************************************************************* - * BL33 Key certificate (Non Trusted Firmware Key certificate): - * - Self-signed with Non Trusted World key - * - Extensions: - * - NonTrustedFirmwareNVCounter (TODO) - * - NonTrustedFirmwareContentCertPK - **********************************************************************/ - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, - non_tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID); - CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, - keys[BL33_KEY].key)); - sk_X509_EXTENSION_push(sk, non_trusted_key_ext); - if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn); - exit(1); - } - sk_X509_EXTENSION_free(sk); - - /* ********************************************************************* - * BL33 certificate (Non-Trusted World Content certificate): - * - Signed with 
Non-Trusted World Key - * - Extensions: - * - NonTrustedFirmwareNVCounter (TODO) - * - BL33 hash - **********************************************************************/ - CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); - CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, - non_tf_nvcounter)); - sk_X509_EXTENSION_push(sk, nvctr_ext); - - if (!sha_file(certs[BL33_CERT].bin, md)) { - ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin); - exit(1); - } - CHECK_OID(hash_nid, BL33_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); - sk_X509_EXTENSION_push(sk, hash_ext); - - if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) { - ERROR("Cannot create %s\n", certs[BL33_CERT].cn); - exit(1); - } - sk_X509_EXTENSION_free(sk); /* Print the certificates */ if (print_cert) { - for (i = 0 ; i < NUM_CERTIFICATES ; i++) { + for (i = 0 ; i < num_certs ; i++) { if (!certs[i].x) { continue; } @@ -684,7 +474,7 @@ int main(int argc, char *argv[]) } /* Save created certificates to files */ - for (i = 0 ; i < NUM_CERTIFICATES ; i++) { + for (i = 0 ; i < num_certs ; i++) { if (certs[i].x && certs[i].fn) { file = fopen(certs[i].fn, "w"); if (file != NULL) { @@ -698,18 +488,13 @@ int main(int argc, char *argv[]) /* Save keys */ if (save_keys) { - for (i = 0 ; i < NUM_KEYS ; i++) { + for (i = 0 ; i < num_keys ; i++) { if (!key_store(&keys[i])) { ERROR("Cannot save %s\n", keys[i].desc); } } } - X509_EXTENSION_free(hash_ext); - X509_EXTENSION_free(nvctr_ext); - X509_EXTENSION_free(trusted_key_ext); - X509_EXTENSION_free(non_trusted_key_ext); - #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif diff --git a/tools/cert_create/src/sha.c b/tools/cert_create/src/sha.c index 57026b56..29715930 100644 --- a/tools/cert_create/src/sha.c +++ b/tools/cert_create/src/sha.c 
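Review bot: In the EXT_TYPE_NVCOUNTER case of the new extension loop, `cert_ext` is assigned only when `ext->arg` is set, yet `sk_X509_EXTENSION_push(sk, cert_ext)` runs after the switch regardless, so a counter extension that was given no value pushes either NULL or the pointer left over from the previous extension (which then lands in the certificate twice); unless check_cmd_params, whose body starts before this view, rejects every missing counter value, the case should `break` before the push when `ext->arg == NULL`, the way the EXT_TYPE_HASH case already does. The counter is also parsed with `atoi`, which cannot report a malformed or out-of-range string, and since it is the anti-rollback value that ends up in the certificate it deserves a `strtol` parse with an end-pointer, `errno` and range check (this needs `long nvctr_val; char *end;` among main's declarations plus `<errno.h>` and `<limits.h>`). Separately, the results of `ext_get_by_opt`, `key_get_by_opt`, `cert_get_by_opt` and `strdup` are dereferenced or stored unchecked in the option switch, and `sk_X509_EXTENSION_free(sk)` releases only the stack, not the pushed extensions — `sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free)` would, assuming cert_new copies them into the certificate. main() continues beyond this hunk.
```c
			case EXT_TYPE_NVCOUNTER:
				if (ext->arg == NULL) {
					/* No value given: leave this counter out */
					break;
				}
				errno = 0;
				nvctr_val = strtol(ext->arg, &end, 10);
				if (end == ext->arg || *end != '\0' ||
				    errno == ERANGE || nvctr_val < 0 ||
				    nvctr_val > INT_MAX) {
					ERROR("Invalid value '%s' for '%s'\n",
							ext->arg, ext->ln);
					exit(1);
				}
				nvctr = (int)nvctr_val;
				CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
						EXT_CRIT, nvctr));
				break;
			/* … unchanged: EXT_TYPE_HASH, EXT_TYPE_PKEY, default … */
```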
@@ -1,35 +1,11 @@ /* * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ -#include <stdio.h> #include <openssl/sha.h> +#include <stdio.h> #include "debug.h" diff --git a/tools/cert_create/src/tbb_cert.c b/tools/cert_create/src/tbb_cert.c deleted file mode 100644 index 8dfda605..00000000 --- a/tools/cert_create/src/tbb_cert.c +++ /dev/null 
@@ -1,111 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "tbb_cert.h" -#include "tbb_key.h" - -/* - * Certificates used in the chain of trust - * - * The order of the certificates must follow the enumeration specified in - * tbb_cert.h. All certificates are self-signed. 
- */ -cert_t certs[NUM_CERTIFICATES] = { - { - .id = BL2_CERT, - .fn = NULL, - .cn = "BL2 Certificate", - .key = &keys[ROT_KEY], - .issuer = &certs[BL2_CERT], - }, - { - .id = TRUSTED_KEY_CERT, - .fn = NULL, - .cn = "Trusted Key Certificate", - .key = &keys[ROT_KEY], - .issuer = &certs[TRUSTED_KEY_CERT], - }, - { - .id = BL30_KEY_CERT, - .fn = NULL, - .cn = "BL3-0 Key Certificate", - .key = &keys[TRUSTED_WORLD_KEY], - .issuer = &certs[BL30_KEY_CERT], - }, - { - .id = BL30_CERT, - .fn = NULL, - .cn = "BL3-0 Content Certificate", - .key = &keys[BL30_KEY], - .issuer = &certs[BL30_CERT], - }, - { - .id = BL31_KEY_CERT, - .fn = NULL, - .cn = "BL3-1 Key Certificate", - .key = &keys[TRUSTED_WORLD_KEY], - .issuer = &certs[BL31_KEY_CERT], - }, - { - .id = BL31_CERT, - .fn = NULL, - .cn = "BL3-1 Content Certificate", - .key = &keys[BL31_KEY], - .issuer = &certs[BL31_CERT], - }, - { - .id = BL32_KEY_CERT, - .fn = NULL, - .cn = "BL3-2 Key Certificate", - .key = &keys[TRUSTED_WORLD_KEY], - .issuer = &certs[BL32_KEY_CERT], - }, - { - .id = BL32_CERT, - .fn = NULL, - .cn = "BL3-2 Content Certificate", - .key = &keys[BL32_KEY], - .issuer = &certs[BL32_CERT], - }, - { - .id = BL33_KEY_CERT, - .fn = NULL, - .cn = "BL3-3 Key Certificate", - .key = &keys[NON_TRUSTED_WORLD_KEY], - .issuer = &certs[BL33_KEY_CERT], - }, - { - .id = BL33_CERT, - .fn = NULL, - .cn = "BL3-3 Content Certificate", - .key = &keys[BL33_KEY], - .issuer = &certs[BL33_CERT], - } -}; diff --git a/tools/cert_create/src/tbb_ext.c b/tools/cert_create/src/tbb_ext.c deleted file mode 100644 index 0022611c..00000000 --- a/tools/cert_create/src/tbb_ext.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include <stdio.h> -#include <string.h> -#include <openssl/err.h> -#include <openssl/x509v3.h> -#include "ext.h" -#include "platform_oid.h" - -ext_t tbb_ext[] = { - { - .oid = TZ_FW_NVCOUNTER_OID, - .sn = "TrustedNvCounter", - .ln = "Non-volatile trusted counter", - .type = V_ASN1_INTEGER - }, - { - .oid = NTZ_FW_NVCOUNTER_OID, - .sn = "NonTrustedNvCounter", - .ln = "Non-volatile non-trusted counter", - .type = V_ASN1_INTEGER - }, - { - .oid = BL2_HASH_OID, - .sn = "TrustedBootFirmwareHash", - .ln = "Trusted Boot Firmware (BL2) hash (SHA256)", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = TZ_WORLD_PK_OID, - .sn = "TrustedWorldPublicKey", - .ln = "Trusted World Public Key", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = NTZ_WORLD_PK_OID, - .sn = "NonTrustedWorldPublicKey", - .ln = "Non-Trusted World Public Key", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL31_CONTENT_CERT_PK_OID, - .sn = "SoCFirmwareContentCertPK", - .ln = "SoC Firmware content certificate public key", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL31_HASH_OID, - .sn = "APROMPatchHash", - .ln = "AP ROM patch hash", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL30_CONTENT_CERT_PK_OID, - .sn = "SCPFirmwareContentCertPK", - .ln = "SCP Firmware content certificate public key", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL30_HASH_OID, - .sn = "SCPFirmwareHash", - .ln = "SCP Firmware (BL30) hash (SHA256)", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL32_CONTENT_CERT_PK_OID, - .sn = "TrustedOSFirmwareContentCertPK", - .ln = "Trusted OS Firmware content certificate public key", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL32_HASH_OID, - .sn = "TrustedOSHash", - .ln = "Trusted OS (BL32) hash (SHA256)", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL33_CONTENT_CERT_PK_OID, - .sn = "NonTrustedFirmwareContentCertPK", - .ln = "Non-Trusted Firmware content certificate public key", - .type = V_ASN1_OCTET_STRING - }, - { - .oid = BL33_HASH_OID, - .sn = 
"NonTrustedWorldBootloaderHash", - .ln = "Non-Trusted World (BL33) hash (SHA256)", - .type = V_ASN1_OCTET_STRING - }, - { 0, 0, 0, 0 } -}; diff --git a/tools/cert_create/src/tbb_key.c b/tools/cert_create/src/tbb_key.c deleted file mode 100644 index 140aeda1..00000000 --- a/tools/cert_create/src/tbb_key.c +++ /dev/null 
@@ -1,67 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "tbb_key.h" - -/* - * Keys used to establish the chain of trust - * - * The order of the keys must follow the enumeration specified in tbb_key.h - */ -key_t keys[NUM_KEYS] = { - { - .id = ROT_KEY, - .desc = "Root Of Trust key" - }, - { - .id = TRUSTED_WORLD_KEY, - .desc = "Trusted World key" - }, - { - .id = NON_TRUSTED_WORLD_KEY, - .desc = "Non Trusted World key" - }, - { - .id = BL30_KEY, - .desc = "BL30 key" - }, - { - .id = BL31_KEY, - .desc = "BL31 key" - }, - { - .id = BL32_KEY, - .desc = "BL32 key" - }, - { - .id = BL33_KEY, - .desc = "BL33 key" - } -}; diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c new file mode 100644 index 00000000..c815178c --- /dev/null +++ b/tools/cert_create/src/tbbr/tbb_cert.c 
@@ -0,0 +1,179 @@ +/* + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include "tbbr/tbb_cert.h" +#include "tbbr/tbb_ext.h" +#include "tbbr/tbb_key.h" + +/* + * Certificates used in the chain of trust + * + * The order of the certificates must follow the enumeration specified in + * tbb_cert.h. All certificates are self-signed, so the issuer certificate + * field points to itself. + */ +static cert_t tbb_certs[] = { + [TRUSTED_BOOT_FW_CERT] = { + .id = TRUSTED_BOOT_FW_CERT, + .opt = "tb-fw-cert", + .help_msg = "Trusted Boot FW Certificate (output file)", + .fn = NULL, + .cn = "Trusted Boot FW Certificate", + .key = ROT_KEY, + .issuer = TRUSTED_BOOT_FW_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + TRUSTED_BOOT_FW_HASH_EXT + }, + .num_ext = 2 + }, + [TRUSTED_KEY_CERT] = { + .id = TRUSTED_KEY_CERT, + .opt = "trusted-key-cert", + .help_msg = "Trusted Key Certificate (output file)", + .fn = NULL, + .cn = "Trusted Key Certificate", + .key = ROT_KEY, + .issuer = TRUSTED_KEY_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + TRUSTED_WORLD_PK_EXT, + NON_TRUSTED_WORLD_PK_EXT + }, + .num_ext = 3 + }, + [SCP_FW_KEY_CERT] = { + .id = SCP_FW_KEY_CERT, + .opt = "scp-fw-key-cert", + .help_msg = "SCP Firmware Key Certificate (output file)", + .fn = NULL, + .cn = "SCP Firmware Key Certificate", + .key = TRUSTED_WORLD_KEY, + .issuer = SCP_FW_KEY_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + SCP_FW_CONTENT_CERT_PK_EXT + }, + .num_ext = 2 + }, + [SCP_FW_CONTENT_CERT] = { + .id = SCP_FW_CONTENT_CERT, + .opt = "scp-fw-cert", + .help_msg = "SCP Firmware Content Certificate (output file)", + .fn = NULL, + .cn = "SCP Firmware Content Certificate", + .key = SCP_FW_CONTENT_CERT_KEY, + .issuer = SCP_FW_CONTENT_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + SCP_FW_HASH_EXT + }, + .num_ext = 2 + }, + [SOC_FW_KEY_CERT] = { + .id = SOC_FW_KEY_CERT, + .opt = "soc-fw-key-cert", + .help_msg = "SoC Firmware Key 
Certificate (output file)", + .fn = NULL, + .cn = "SoC Firmware Key Certificate", + .key = TRUSTED_WORLD_KEY, + .issuer = SOC_FW_KEY_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + SOC_FW_CONTENT_CERT_PK_EXT + }, + .num_ext = 2 + }, + [SOC_FW_CONTENT_CERT] = { + .id = SOC_FW_CONTENT_CERT, + .opt = "soc-fw-cert", + .help_msg = "SoC Firmware Content Certificate (output file)", + .fn = NULL, + .cn = "SoC Firmware Content Certificate", + .key = SOC_FW_CONTENT_CERT_KEY, + .issuer = SOC_FW_CONTENT_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + SOC_AP_FW_HASH_EXT + }, + .num_ext = 2 + }, + [TRUSTED_OS_FW_KEY_CERT] = { + .id = TRUSTED_OS_FW_KEY_CERT, + .opt = "tos-fw-key-cert", + .help_msg = "Trusted OS Firmware Key Certificate (output file)", + .fn = NULL, + .cn = "Trusted OS Firmware Key Certificate", + .key = TRUSTED_WORLD_KEY, + .issuer = TRUSTED_OS_FW_KEY_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + TRUSTED_OS_FW_CONTENT_CERT_PK_EXT + }, + .num_ext = 2 + }, + [TRUSTED_OS_FW_CONTENT_CERT] = { + .id = TRUSTED_OS_FW_CONTENT_CERT, + .opt = "tos-fw-cert", + .help_msg = "Trusted OS Firmware Content Certificate (output file)", + .fn = NULL, + .cn = "Trusted OS Firmware Content Certificate", + .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, + .issuer = TRUSTED_OS_FW_CONTENT_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + TRUSTED_OS_FW_HASH_EXT, + TRUSTED_OS_FW_EXTRA1_HASH_EXT, + TRUSTED_OS_FW_EXTRA2_HASH_EXT + }, + .num_ext = 4 + }, + [NON_TRUSTED_FW_KEY_CERT] = { + .id = NON_TRUSTED_FW_KEY_CERT, + .opt = "nt-fw-key-cert", + .help_msg = "Non-Trusted Firmware Key Certificate (output file)", + .fn = NULL, + .cn = "Non-Trusted Firmware Key Certificate", + .key = NON_TRUSTED_WORLD_KEY, + .issuer = NON_TRUSTED_FW_KEY_CERT, + .ext = { + NON_TRUSTED_FW_NVCOUNTER_EXT, + NON_TRUSTED_FW_CONTENT_CERT_PK_EXT + }, + .num_ext = 2 + }, + [NON_TRUSTED_FW_CONTENT_CERT] = { + .id = NON_TRUSTED_FW_CONTENT_CERT, + .opt = "nt-fw-cert", + .help_msg = "Non-Trusted Firmware Content Certificate (output 
file)", + .fn = NULL, + .cn = "Non-Trusted Firmware Content Certificate", + .key = NON_TRUSTED_FW_CONTENT_CERT_KEY, + .issuer = NON_TRUSTED_FW_CONTENT_CERT, + .ext = { + NON_TRUSTED_FW_NVCOUNTER_EXT, + NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT + }, + .num_ext = 2 + }, + [FWU_CERT] = { + .id = FWU_CERT, + .opt = "fwu-cert", + .help_msg = "Firmware Update Certificate (output file)", + .fn = NULL, + .cn = "Firmware Update Certificate", + .key = ROT_KEY, + .issuer = FWU_CERT, + .ext = { + SCP_FWU_CFG_HASH_EXT, + AP_FWU_CFG_HASH_EXT, + FWU_HASH_EXT + }, + .num_ext = 3 + } +}; + +REGISTER_COT(tbb_certs); diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c new file mode 100644 index 00000000..504b0fc0 --- /dev/null +++ b/tools/cert_create/src/tbbr/tbb_ext.c 
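Review bot: Each entry's `.num_ext` is maintained by hand beside its `.ext` list (for example TRUSTED_OS_FW_CONTENT_CERT lists four extensions and sets `.num_ext = 4`), and nothing in the table ties the two together: an extension added to `.ext` without bumping the count is silently left out of the certificate, so one fewer image hash gets bound, while a count larger than the list pulls in zero-initialised slots, i.e. whichever extension the enum places at index 0. Since main() walks exactly `.num_ext` entries per certificate, a comment at the top of the table, `/* .num_ext must equal the number of entries in .ext; entries past that count are not emitted */`, would make the invariant visible to whoever adds the next certificate. If `ext` is a fixed-size array in cert_t (its declaration is outside this diff), a `_Static_assert` that each count fits the array would catch the other direction at build time.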
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+#if USE_TBBR_DEFS
+#include <tbbr_oid.h>
+#else
+#include <platform_oid.h>
+#endif
+
+#include "ext.h"
+#include "tbbr/tbb_ext.h"
+#include "tbbr/tbb_key.h"
+
+/* TODO: get these values from the command line */
+#define TRUSTED_WORLD_NVCTR_VALUE 0
+#define NORMAL_WORLD_NVCTR_VALUE 0
+
+static ext_t tbb_ext[] = {
+ [TRUSTED_FW_NVCOUNTER_EXT] = {
+ .oid = TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "tfw-nvctr",
+ .help_msg = "Trusted Firmware Non-Volatile counter value",
+ .sn = "TrustedWorldNVCounter",
+ .ln = "Trusted World Non-Volatile counter",
+ .asn1_type = V_ASN1_INTEGER,
+ .type = EXT_TYPE_NVCOUNTER,
+ .attr.nvctr_type = NVCTR_TYPE_TFW
+ },
+ [NON_TRUSTED_FW_NVCOUNTER_EXT] = {
+ .oid = NON_TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "ntfw-nvctr",
+ .help_msg = "Non-Trusted Firmware Non-Volatile counter value",
+ .sn = "NormalWorldNVCounter",
+ .ln = "Non-Trusted Firmware Non-Volatile counter",
+ .asn1_type = V_ASN1_INTEGER,
+ .type = EXT_TYPE_NVCOUNTER,
+ .attr.nvctr_type = NVCTR_TYPE_NTFW
+ },
+ [TRUSTED_BOOT_FW_HASH_EXT] = {
+ .oid = TRUSTED_BOOT_FW_HASH_OID,
+ .opt = "tb-fw",
+ .help_msg = "Trusted Boot Firmware image file",
+ .sn = "TrustedBootFirmwareHash",
+ .ln = "Trusted Boot Firmware hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [TRUSTED_WORLD_PK_EXT] = {
+ .oid = TRUSTED_WORLD_PK_OID,
+ .sn = "TrustedWorldPublicKey",
+ .ln = "Trusted World Public Key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = TRUSTED_WORLD_KEY
+ },
+ [NON_TRUSTED_WORLD_PK_EXT] = {
+ .oid = NON_TRUSTED_WORLD_PK_OID,
+ .sn = "NonTrustedWorldPublicKey",
+ .ln = "Non-Trusted World Public Key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = 
NON_TRUSTED_WORLD_KEY
+ },
+ [SCP_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = SCP_FW_CONTENT_CERT_PK_OID,
+ .sn = "SCPFirmwareContentCertPK",
+ .ln = "SCP Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = SCP_FW_CONTENT_CERT_KEY
+ },
+ [SCP_FW_HASH_EXT] = {
+ .oid = SCP_FW_HASH_OID,
+ .opt = "scp-fw",
+ .help_msg = "SCP Firmware image file",
+ .sn = "SCPFirmwareHash",
+ .ln = "SCP Firmware hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [SOC_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = SOC_FW_CONTENT_CERT_PK_OID,
+ .sn = "SoCFirmwareContentCertPK",
+ .ln = "SoC Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = SOC_FW_CONTENT_CERT_KEY
+ },
+ [SOC_AP_FW_HASH_EXT] = {
+ .oid = SOC_AP_FW_HASH_OID,
+ .opt = "soc-fw",
+ .help_msg = "SoC AP Firmware image file",
+ .sn = "SoCAPFirmwareHash",
+ .ln = "SoC AP Firmware hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
+ .sn = "TrustedOSFirmwareContentCertPK",
+ .ln = "Trusted OS Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
+ },
+ [TRUSTED_OS_FW_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_HASH_OID,
+ .opt = "tos-fw",
+ .help_msg = "Trusted OS image file",
+ .sn = "TrustedOSHash",
+ .ln = "Trusted OS hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
+ .opt = "tos-fw-extra1",
+ .help_msg = "Trusted OS Extra1 image file",
+ .sn = "TrustedOSExtra1Hash",
+ .ln = "Trusted OS Extra1 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
+ .opt = 
"tos-fw-extra2",
+ .help_msg = "Trusted OS Extra2 image file",
+ .sn = "TrustedOSExtra2Hash",
+ .ln = "Trusted OS Extra2 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID,
+ .sn = "NonTrustedFirmwareContentCertPK",
+ .ln = "Non-Trusted Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
+ },
+ [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
+ .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
+ .opt = "nt-fw",
+ .help_msg = "Non-Trusted World Bootloader image file",
+ .sn = "NonTrustedWorldBootloaderHash",
+ .ln = "Non-Trusted World hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+ [SCP_FWU_CFG_HASH_EXT] = {
+ .oid = SCP_FWU_CFG_HASH_OID,
+ .opt = "scp-fwu-cfg",
+ .help_msg = "SCP Firmware Update Config image file",
+ .sn = "SCPFWUpdateConfig",
+ .ln = "SCP Firmware Update Config hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [AP_FWU_CFG_HASH_EXT] = {
+ .oid = AP_FWU_CFG_HASH_OID,
+ .opt = "ap-fwu-cfg",
+ .help_msg = "AP Firmware Update Config image file",
+ .sn = "APFWUpdateConfig",
+ .ln = "AP Firmware Update Config hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [FWU_HASH_EXT] = {
+ .oid = FWU_HASH_OID,
+ .opt = "fwu",
+ .help_msg = "Firmware Updater image file",
+ .sn = "FWUpdaterHash",
+ .ln = "Firmware Updater hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ }
+};
+
+REGISTER_EXTENSIONS(tbb_ext);
diff --git a/tools/cert_create/src/tbbr/tbb_key.c b/tools/cert_create/src/tbbr/tbb_key.c
new file mode 100644
index 00000000..a81f0e44
--- /dev/null
+++ b/tools/cert_create/src/tbbr/tbb_key.c
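Review bot: The two macros under the TODO near the top of the new tbb_ext.c, `TRUSTED_WORLD_NVCTR_VALUE` and `NORMAL_WORLD_NVCTR_VALUE`, are not referenced anywhere in this file; the two NV counter entries expose `tfw-nvctr`/`ntfw-nvctr` options and select the counter through `.attr.nvctr_type`, so the values presumably arrive from the command line already. A dead default of 0 for an anti-rollback counter misleads anyone auditing which counter value ends up in the certificate, so the three lines (`/* TODO: get these values from the command line */` and the two `#define`s) should be deleted, or moved next to their use if another translation unit still reads them. `<stdio.h>`, `<string.h>` and `<openssl/err.h>` also appear unused, as the file is only the table plus `REGISTER_EXTENSIONS`. Minor naming point: the `.ln` of `NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT` is "Non-Trusted World hash (SHA256)" while every other hash entry names the image in its long name; `.ln = "Non-Trusted World Bootloader hash (SHA256)",` would match its `.sn` and `.help_msg`.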
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "tbbr/tbb_key.h"
+
+/*
+ * Keys used to establish the chain of trust
+ *
+ * The order of the keys must follow the enumeration specified in tbb_key.h
+ */
+static key_t tbb_keys[] = {
+ [ROT_KEY] = {
+ .id = ROT_KEY,
+ .opt = "rot-key",
+ .help_msg = "Root Of Trust key (input/output file)",
+ .desc = "Root Of Trust key"
+ },
+ [TRUSTED_WORLD_KEY] = {
+ .id = TRUSTED_WORLD_KEY,
+ .opt = "trusted-world-key",
+ .help_msg = "Trusted World key (input/output file)",
+ .desc = "Trusted World key"
+ },
+ [NON_TRUSTED_WORLD_KEY] = {
+ .id = NON_TRUSTED_WORLD_KEY,
+ .opt = "non-trusted-world-key",
+ .help_msg = "Non Trusted World key (input/output file)",
+ .desc = "Non Trusted World key"
+ },
+ [SCP_FW_CONTENT_CERT_KEY] = {
+ .id = SCP_FW_CONTENT_CERT_KEY,
+ .opt = "scp-fw-key",
+ .help_msg = "SCP Firmware Content Certificate key (input/output file)",
+ .desc = "SCP Firmware Content Certificate key"
+ },
+ [SOC_FW_CONTENT_CERT_KEY] = {
+ .id = SOC_FW_CONTENT_CERT_KEY,
+ .opt = "soc-fw-key",
+ .help_msg = "SoC Firmware Content Certificate key (input/output file)",
+ .desc = "SoC Firmware Content Certificate key"
+ },
+ [TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
+ .id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
+ .opt = "tos-fw-key",
+ .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+ .desc = "Trusted OS Firmware Content Certificate key"
+ },
+ [NON_TRUSTED_FW_CONTENT_CERT_KEY] = {
+ .id = NON_TRUSTED_FW_CONTENT_CERT_KEY,
+ .opt = "nt-fw-key",
+ .help_msg = "Non Trusted Firmware Content Certificate key (input/output file)",
+ .desc = "Non Trusted Firmware Content Certificate key"
+ }
+};
+
+REGISTER_KEYS(tbb_keys); |
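Review bot: The header comment on `tbb_keys` in the new tbb_key.c, "The order of the keys must follow the enumeration specified in tbb_key.h", no longer describes the real constraint: every element is a designated initializer (`[ROT_KEY] = { ... }`), so textual order is irrelevant, and what actually matters is that every enumerator in tbb_key.h has an entry, because a missing one leaves a zero-filled `key_t` whose `.opt`, `.help_msg` and `.desc` are NULL pointers that whatever walks the registered table would then see. I would replace that sentence with `* The array is indexed by the key enumeration in tbb_key.h; every enumerator must have an entry here, since a gap is a zero-initialised key_t with NULL .opt/.desc.` and, if tbb_key.h exposes a terminal count enumerator, back it with a `_Static_assert` on the array length. The same comment-versus-designated-initializer mismatch is likely in the sibling tbb_cert.c and tbb_ext.c tables if they carry a similar note (their headers are outside this chunk, so I cannot confirm).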