Commit 0792dd7d authored by Manish Pandey's avatar Manish Pandey
Browse files

cert_create: add SiP owned secure partitions support



Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.

A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.

Following new options added to cert_tool:
 --sip-sp-cert --> SiP owned Secure Partition Content Certificate
 --sp-pkg1 --> Secure Partition Package1 file
 --sp-pkg2
 .....
 --sp-pkg8

Trusted world key pair is used for signing.

Going forward, this feature can be extended for Platfrom owned
Partitions, if required.
Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
parent 967a6d16
...@@ -16,4 +16,16 @@ ...@@ -16,4 +16,16 @@
*/ */
#define PROT_PK_OID "1.3.6.1.4.1.4128.2100.1102" #define PROT_PK_OID "1.3.6.1.4.1.4128.2100.1102"
/*
* Secure Partitions Content Certificate
*/
#define SP_PKG1_HASH_OID "1.3.6.1.4.1.4128.2100.1301"
#define SP_PKG2_HASH_OID "1.3.6.1.4.1.4128.2100.1302"
#define SP_PKG3_HASH_OID "1.3.6.1.4.1.4128.2100.1303"
#define SP_PKG4_HASH_OID "1.3.6.1.4.1.4128.2100.1304"
#define SP_PKG5_HASH_OID "1.3.6.1.4.1.4128.2100.1305"
#define SP_PKG6_HASH_OID "1.3.6.1.4.1.4128.2100.1306"
#define SP_PKG7_HASH_OID "1.3.6.1.4.1.4128.2100.1307"
#define SP_PKG8_HASH_OID "1.3.6.1.4.1.4128.2100.1308"
#endif /* DUALROOT_OID_H */ #endif /* DUALROOT_OID_H */
...@@ -64,6 +64,8 @@ ...@@ -64,6 +64,8 @@
{{0xa4, 0x9f, 0x44, 0x11}, {0x5e, 0x63}, {0xe4, 0x11}, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} } {{0xa4, 0x9f, 0x44, 0x11}, {0x5e, 0x63}, {0xe4, 0x11}, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
#define UUID_NON_TRUSTED_FW_CONTENT_CERT \ #define UUID_NON_TRUSTED_FW_CONTENT_CERT \
{{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } {{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
#define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \
{{0x77, 0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} }
/* Dynamic configs */ /* Dynamic configs */
#define UUID_HW_CONFIG \ #define UUID_HW_CONFIG \
{{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} } {{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
......
...@@ -74,7 +74,8 @@ static const struct uuidnames uuidnames[] = { ...@@ -74,7 +74,8 @@ static const struct uuidnames uuidnames[] = {
{"tos-fw.cfg", UUID_TOS_FW_CONFIG}, {"tos-fw.cfg", UUID_TOS_FW_CONFIG},
{"nt-fw.cfg", UUID_NT_FW_CONFIG}, {"nt-fw.cfg", UUID_NT_FW_CONFIG},
{"rot-k.crt", UUID_ROT_KEY_CERT}, {"rot-k.crt", UUID_ROT_KEY_CERT},
{"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT} {"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT},
{"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT}
}; };
/******************************************************************************* /*******************************************************************************
......
...@@ -99,3 +99,8 @@ ifneq (${COT},dualroot) ...@@ -99,3 +99,8 @@ ifneq (${COT},dualroot)
$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert)) $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
endif endif
endif endif
# Add SiP owned Secure Partitions CoT (image cert)
ifneq (${SP_LAYOUT_FILE},)
$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert))
endif
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
#include "ext.h" #include "ext.h"
#include "key.h" #include "key.h"
#define CERT_MAX_EXT 5 #define CERT_MAX_EXT 9
/* /*
* This structure contains information related to the generation of the * This structure contains information related to the generation of the
......
...@@ -18,6 +18,7 @@ enum { ...@@ -18,6 +18,7 @@ enum {
SOC_FW_CONTENT_CERT, SOC_FW_CONTENT_CERT,
TRUSTED_OS_FW_KEY_CERT, TRUSTED_OS_FW_KEY_CERT,
TRUSTED_OS_FW_CONTENT_CERT, TRUSTED_OS_FW_CONTENT_CERT,
SIP_SECURE_PARTITION_CONTENT_CERT,
FWU_CERT, FWU_CERT,
/* Certificates owned by the platform owner. */ /* Certificates owned by the platform owner. */
...@@ -42,6 +43,14 @@ enum { ...@@ -42,6 +43,14 @@ enum {
TRUSTED_OS_FW_EXTRA1_HASH_EXT, TRUSTED_OS_FW_EXTRA1_HASH_EXT,
TRUSTED_OS_FW_EXTRA2_HASH_EXT, TRUSTED_OS_FW_EXTRA2_HASH_EXT,
TRUSTED_OS_FW_CONFIG_HASH_EXT, TRUSTED_OS_FW_CONFIG_HASH_EXT,
SP_PKG1_HASH_EXT,
SP_PKG2_HASH_EXT,
SP_PKG3_HASH_EXT,
SP_PKG4_HASH_EXT,
SP_PKG5_HASH_EXT,
SP_PKG6_HASH_EXT,
SP_PKG7_HASH_EXT,
SP_PKG8_HASH_EXT,
SCP_FWU_CFG_HASH_EXT, SCP_FWU_CFG_HASH_EXT,
AP_FWU_CFG_HASH_EXT, AP_FWU_CFG_HASH_EXT,
FWU_HASH_EXT, FWU_HASH_EXT,
......
...@@ -137,6 +137,28 @@ static cert_t cot_certs[] = { ...@@ -137,6 +137,28 @@ static cert_t cot_certs[] = {
.num_ext = 5 .num_ext = 5
}, },
[SIP_SECURE_PARTITION_CONTENT_CERT] = {
.id = SIP_SECURE_PARTITION_CONTENT_CERT,
.opt = "sip-sp-cert",
.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
.fn = NULL,
.cn = "SiP owned Secure Partition Content Certificate",
.key = TRUSTED_WORLD_KEY,
.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
.ext = {
TRUSTED_FW_NVCOUNTER_EXT,
SP_PKG1_HASH_EXT,
SP_PKG2_HASH_EXT,
SP_PKG3_HASH_EXT,
SP_PKG4_HASH_EXT,
SP_PKG5_HASH_EXT,
SP_PKG6_HASH_EXT,
SP_PKG7_HASH_EXT,
SP_PKG8_HASH_EXT,
},
.num_ext = 9
},
[FWU_CERT] = { [FWU_CERT] = {
.id = FWU_CERT, .id = FWU_CERT,
.opt = "fwu-cert", .opt = "fwu-cert",
...@@ -327,6 +349,87 @@ static ext_t cot_ext[] = { ...@@ -327,6 +349,87 @@ static ext_t cot_ext[] = {
.optional = 1 .optional = 1
}, },
[SP_PKG1_HASH_EXT] = {
.oid = SP_PKG1_HASH_OID,
.opt = "sp-pkg1",
.help_msg = "Secure Partition Package1 file",
.sn = "SPPkg1Hash",
.ln = "SP Pkg1 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG2_HASH_EXT] = {
.oid = SP_PKG2_HASH_OID,
.opt = "sp-pkg2",
.help_msg = "Secure Partition Package2 file",
.sn = "SPPkg2Hash",
.ln = "SP Pkg2 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG3_HASH_EXT] = {
.oid = SP_PKG3_HASH_OID,
.opt = "sp-pkg3",
.help_msg = "Secure Partition Package3 file",
.sn = "SPPkg3Hash",
.ln = "SP Pkg3 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG4_HASH_EXT] = {
.oid = SP_PKG4_HASH_OID,
.opt = "sp-pkg4",
.help_msg = "Secure Partition Package4 file",
.sn = "SPPkg4Hash",
.ln = "SP Pkg4 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG5_HASH_EXT] = {
.oid = SP_PKG5_HASH_OID,
.opt = "sp-pkg5",
.help_msg = "Secure Partition Package5 file",
.sn = "SPPkg5Hash",
.ln = "SP Pkg5 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG6_HASH_EXT] = {
.oid = SP_PKG6_HASH_OID,
.opt = "sp-pkg6",
.help_msg = "Secure Partition Package6 file",
.sn = "SPPkg6Hash",
.ln = "SP Pkg6 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG7_HASH_EXT] = {
.oid = SP_PKG7_HASH_OID,
.opt = "sp-pkg7",
.help_msg = "Secure Partition Package7 file",
.sn = "SPPkg7Hash",
.ln = "SP Pkg7 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG8_HASH_EXT] = {
.oid = SP_PKG8_HASH_OID,
.opt = "sp-pkg8",
.help_msg = "Secure Partition Package8 file",
.sn = "SPPkg8Hash",
.ln = "SP Pkg8 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SCP_FWU_CFG_HASH_EXT] = { [SCP_FWU_CFG_HASH_EXT] = {
.oid = SCP_FWU_CFG_HASH_OID, .oid = SCP_FWU_CFG_HASH_OID,
.opt = "scp-fwu-cfg", .opt = "scp-fwu-cfg",
......
...@@ -151,6 +151,11 @@ toc_entry_t toc_entries[] = { ...@@ -151,6 +151,11 @@ toc_entry_t toc_entries[] = {
.uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT, .uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT,
.cmdline_name = "nt-fw-cert" .cmdline_name = "nt-fw-cert"
}, },
{
.name = "SiP owned Secure Partition content certificate",
.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
.cmdline_name = "sip-sp-cert"
},
{ {
.name = NULL, .name = NULL,
.uuid = { {0} }, .uuid = { {0} },
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment