Arm Trusted Firmware
3747e291
Commit
3747e291
authored
Aug 04, 2015
by
danh-arm
Merge pull request #349 from jcastillo-arm/jc/tbb_cert_opt
TBB: rework cert_create tool to follow a data driven approach
parents
c4d22eae
55e291a4
Changes
14
.gitignore
...
@@ -12,4 +12,5 @@ build/
...
@@ -12,4 +12,5 @@ build/
tools/**/*.o
tools/**/*.o
tools/fip_create/fip_create
tools/fip_create/fip_create
tools/cert_create/src/*.o
tools/cert_create/src/*.o
tools/cert_create/src/**/*.o
tools/cert_create/cert_create
tools/cert_create/cert_create
tools/cert_create/Makefile
...
@@ -39,10 +39,10 @@ OBJECTS := src/cert.o \
...
@@ -39,10 +39,10 @@ OBJECTS := src/cert.o \
src/ext.o
\
src/ext.o
\
src/key.o
\
src/key.o
\
src/main.o
\
src/main.o
\
src/
tbb_cert
.o
\
src/
sha
.o
\
src/tbb
_ex
t.o
\
src/tbb
r/tbb_cer
t.o
\
src/tbb
_key
.o
\
src/tbb
r/tbb_ext
.o
\
src/
sha
.o
src/
tbbr/tbb_key
.o
CFLAGS
:=
-Wall
-std
=
c99
CFLAGS
:=
-Wall
-std
=
c99
...
...
tools/cert_create/include/cert.h
...
@@ -33,8 +33,11 @@
...
@@ -33,8 +33,11 @@
#include <openssl/ossl_typ.h>
#include <openssl/ossl_typ.h>
#include <openssl/x509.h>
#include <openssl/x509.h>
#include "ext.h"
#include "key.h"
#include "key.h"
#define CERT_MAX_EXT 4
/*
/*
* This structure contains information related to the generation of the
* This structure contains information related to the generation of the
* certificates. All these fields must be known and specified at build time
* certificates. All these fields must be known and specified at build time
...
@@ -52,18 +55,28 @@ struct cert_s {
...
@@ -52,18 +55,28 @@ struct cert_s {
int
id
;
/* Unique identifier */
int
id
;
/* Unique identifier */
const
char
*
fn
;
/* Filename to save the certificate */
const
char
*
fn
;
/* Filename to save the certificate */
const
char
*
bin
;
/* Image associated to this certificate */
const
char
*
cn
;
/* Subject CN (Company Name) */
const
char
*
cn
;
/* Subject CN (Company Name) */
X509
*
x
;
/* X509 certificate container */
/* These fields must be defined statically */
key_t
*
key
;
/* Key to be signed */
int
key
;
/* Key to be signed */
int
issuer
;
/* Issuer certificate */
int
ext
[
CERT_MAX_EXT
];
/* Certificate extensions */
int
num_ext
;
/* Number of extensions in the certificate */
cert_t
*
issuer
;
/* Issuer
certificate */
X509
*
x
;
/* X509
certificate
container
*/
};
};
/* Exported API */
int
cert_add_ext
(
X509
*
issuer
,
X509
*
subject
,
int
nid
,
char
*
value
);
int
cert_add_ext
(
X509
*
issuer
,
X509
*
subject
,
int
nid
,
char
*
value
);
int
cert_new
(
cert_t
*
cert
,
int
days
,
int
ca
,
STACK_OF
(
X509_EXTENSION
)
*
sk
);
int
cert_new
(
cert_t
*
cert
,
int
days
,
int
ca
,
STACK_OF
(
X509_EXTENSION
)
*
sk
);
/* Macro to register the certificates used in the CoT */
#define REGISTER_COT(_certs) \
cert_t *certs = &_certs[0]; \
const unsigned int num_certs = sizeof(_certs)/sizeof(_certs[0]);
/* Exported variables */
extern
cert_t
*
certs
;
extern
const
unsigned
int
num_certs
;
#endif
/* CERT_H_ */
#endif
/* CERT_H_ */
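Review bot: `num_ext` at `int num_ext;` is an unchecked count paired with the fixed-size `int ext[CERT_MAX_EXT]` (4 entries per `#define CERT_MAX_EXT 4`); a platform table that lists more extensions for one certificate is not rejected anywhere in this header, and a consumer that walks `ext[0..num_ext)` would read past the array. The header should at least state the bound, `int num_ext; /* Number of extensions in the certificate (must be <= CERT_MAX_EXT) */`, and the consumer should reject `num_ext > CERT_MAX_EXT` before indexing. The same concern applies to `key` and `issuer`, which are now integer indices into `keys[]`/`certs[]` rather than pointers, so an out-of-range value is no longer caught by the compiler. `struct cert_s` begins outside the hunk.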
tools/cert_create/include/ext.h
...
@@ -31,8 +31,16 @@
...
@@ -31,8 +31,16 @@
#ifndef EXT_H_
#ifndef EXT_H_
#define EXT_H_
#define EXT_H_
#include "key.h"
#include <openssl/x509v3.h>
#include <openssl/x509v3.h>
/* Extension types supported */
enum
{
EXT_TYPE_NVCOUNTER
,
EXT_TYPE_PKEY
,
EXT_TYPE_HASH
};
/*
/*
* This structure contains the relevant information to create the extensions
* This structure contains the relevant information to create the extensions
* to be included in the certificates. This extensions will be used to
* to be included in the certificates. This extensions will be used to
...
@@ -42,11 +50,19 @@ typedef struct ext_s {
...
@@ -42,11 +50,19 @@ typedef struct ext_s {
const
char
*
oid
;
/* OID of the extension */
const
char
*
oid
;
/* OID of the extension */
const
char
*
sn
;
/* Short name */
const
char
*
sn
;
/* Short name */
const
char
*
ln
;
/* Long description */
const
char
*
ln
;
/* Long description */
int
type
;
/* OpenSSL ASN1 type of the extension data.
int
asn1_
type
;
/* OpenSSL ASN1 type of the extension data.
* Supported types are:
* Supported types are:
* - V_ASN1_INTEGER
* - V_ASN1_INTEGER
* - V_ASN1_OCTET_STRING
* - V_ASN1_OCTET_STRING
*/
*/
int
type
;
/* Extension data (depends on extension type) */
union
{
const
char
*
fn
;
/* File with extension data */
int
nvcounter
;
/* Non volatile counter */
int
key
;
/* Public key */
}
data
;
int
alias
;
/* In case OpenSSL provides an standard
int
alias
;
/* In case OpenSSL provides an standard
* extension of the same type, add the new
* extension of the same type, add the new
* extension as an alias of this one
* extension as an alias of this one
...
@@ -62,10 +78,20 @@ enum {
...
@@ -62,10 +78,20 @@ enum {
EXT_CRIT
=
!
EXT_NON_CRIT
,
EXT_CRIT
=
!
EXT_NON_CRIT
,
};
};
int
ext_init
(
ext_t
*
tbb_ext
);
/* Exported API */
int
ext_register
(
ext_t
*
tbb_ext
);
X509_EXTENSION
*
ext_new_hash
(
int
nid
,
int
crit
,
const
EVP_MD
*
md
,
X509_EXTENSION
*
ext_new_hash
(
int
nid
,
int
crit
,
const
EVP_MD
*
md
,
unsigned
char
*
buf
,
size_t
len
);
unsigned
char
*
buf
,
size_t
len
);
X509_EXTENSION
*
ext_new_nvcounter
(
int
nid
,
int
crit
,
int
value
);
X509_EXTENSION
*
ext_new_nvcounter
(
int
nid
,
int
crit
,
int
value
);
X509_EXTENSION
*
ext_new_key
(
int
nid
,
int
crit
,
EVP_PKEY
*
k
);
X509_EXTENSION
*
ext_new_key
(
int
nid
,
int
crit
,
EVP_PKEY
*
k
);
/* Macro to register the extensions used in the CoT */
#define REGISTER_EXTENSIONS(_ext) \
ext_t *extensions = &_ext[0]; \
const unsigned int num_extensions = sizeof(_ext)/sizeof(_ext[0]);
/* Exported variables */
extern
ext_t
*
extensions
;
extern
const
unsigned
int
num_extensions
;
#endif
/* EXT_H_ */
#endif
/* EXT_H_ */
tools/cert_create/include/key.h
...
@@ -68,8 +68,18 @@ typedef struct key_s {
...
@@ -68,8 +68,18 @@ typedef struct key_s {
EVP_PKEY
*
key
;
/* Key container */
EVP_PKEY
*
key
;
/* Key container */
}
key_t
;
}
key_t
;
/* Exported API */
int
key_create
(
key_t
*
key
,
int
type
);
int
key_create
(
key_t
*
key
,
int
type
);
int
key_load
(
key_t
*
key
,
unsigned
int
*
err_code
);
int
key_load
(
key_t
*
key
,
unsigned
int
*
err_code
);
int
key_store
(
key_t
*
key
);
int
key_store
(
key_t
*
key
);
/* Macro to register the keys used in the CoT */
#define REGISTER_KEYS(_keys) \
key_t *keys = &_keys[0]; \
const unsigned int num_keys = sizeof(_keys)/sizeof(_keys[0]);
/* Exported variables */
extern
key_t
*
keys
;
extern
const
unsigned
int
num_keys
;
#endif
/* KEY_H_ */
#endif
/* KEY_H_ */
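Review bot: `REGISTER_KEYS(_keys)` derives `num_keys` from `sizeof(_keys)/sizeof(_keys[0])`, which is only meaningful when `_keys` is an array object; a pointer argument yields a bogus count with no diagnostic. The macro also defines the non-static `keys` and `num_keys` symbols, so it can be invoked from exactly one translation unit. Both constraints belong in the comment above it, e.g. `/* _keys must be an array (not a pointer); invoke this macro in exactly one source file */`.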
tools/cert_create/include/tbb_cert.h
→
tools/cert_create/include/
tbbr/
tbb_cert.h
...
@@ -46,13 +46,7 @@ enum {
...
@@ -46,13 +46,7 @@ enum {
BL32_KEY_CERT
,
BL32_KEY_CERT
,
BL32_CERT
,
BL32_CERT
,
BL33_KEY_CERT
,
BL33_KEY_CERT
,
BL33_CERT
,
BL33_CERT
NUM_CERTIFICATES
,
};
};
/*
* Array containing the certificate instances
*/
extern
cert_t
certs
[
NUM_CERTIFICATES
];
#endif
/* TBB_CERT_H_ */
#endif
/* TBB_CERT_H_ */
tools/cert_create/include/tbb_ext.h
→
tools/cert_create/include/
tbbr/
tbb_ext.h
...
@@ -32,7 +32,21 @@
...
@@ -32,7 +32,21 @@
#include "ext.h"
#include "ext.h"
/* Array containing the extensions used in the chain of trust */
/* TBBR extensions */
extern
ext_t
tbb_ext
[];
enum
{
TZ_FW_NVCOUNTER_EXT
,
NTZ_FW_NVCOUNTER_EXT
,
BL2_HASH_EXT
,
TZ_WORLD_PK_EXT
,
NTZ_WORLD_PK_EXT
,
BL31_CONTENT_CERT_PK_EXT
,
BL31_HASH_EXT
,
BL30_CONTENT_CERT_PK_EXT
,
BL30_HASH_EXT
,
BL32_CONTENT_CERT_PK_EXT
,
BL32_HASH_EXT
,
BL33_CONTENT_CERT_PK_EXT
,
BL33_HASH_EXT
};
#endif
/* TBB_EXT_H_ */
#endif
/* TBB_EXT_H_ */
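Review bot: The new enumerators are used as indices into the platform extension table (main.c reads `extensions[BL2_HASH_EXT]`), so their order must match the order of entries in `tbb_ext[]`, yet unlike tbbr/tbb_cert.h this header says nothing about that coupling. A short comment above the enum, `/* Indices into the tbb_ext[] table; the order must match the table */`, would tell whoever adds an extension where the other half lives. The table itself is not on this page; its location is inferred from the Makefile's `src/tbbr/tbb_ext.o`.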
tools/cert_create/include/tbb_key.h
→
tools/cert_create/include/
tbbr/
tbb_key.h
...
@@ -43,13 +43,7 @@ enum {
...
@@ -43,13 +43,7 @@ enum {
BL30_KEY
,
BL30_KEY
,
BL31_KEY
,
BL31_KEY
,
BL32_KEY
,
BL32_KEY
,
BL33_KEY
,
BL33_KEY
NUM_KEYS
};
};
/*
* Array containing the key instances
*/
extern
key_t
keys
[];
#endif
/* TBB_KEY_H_ */
#endif
/* TBB_KEY_H_ */
tools/cert_create/src/cert.c
...
@@ -98,9 +98,10 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
...
@@ -98,9 +98,10 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
int
cert_new
(
cert_t
*
cert
,
int
days
,
int
ca
,
STACK_OF
(
X509_EXTENSION
)
*
sk
)
int
cert_new
(
cert_t
*
cert
,
int
days
,
int
ca
,
STACK_OF
(
X509_EXTENSION
)
*
sk
)
{
{
EVP_PKEY
*
pkey
=
cert
->
key
->
key
;
EVP_PKEY
*
pkey
=
keys
[
cert
->
key
].
key
;
EVP_PKEY
*
ikey
=
cert
->
issuer
->
key
->
key
;
cert_t
*
issuer_cert
=
&
certs
[
cert
->
issuer
];
X509
*
issuer
=
cert
->
issuer
->
x
;
EVP_PKEY
*
ikey
=
keys
[
issuer_cert
->
key
].
key
;
X509
*
issuer
=
issuer_cert
->
x
;
X509
*
x
=
NULL
;
X509
*
x
=
NULL
;
X509_EXTENSION
*
ex
=
NULL
;
X509_EXTENSION
*
ex
=
NULL
;
X509_NAME
*
name
=
NULL
;
X509_NAME
*
name
=
NULL
;
...
@@ -147,7 +148,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
...
@@ -147,7 +148,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
/* Issuer name */
/* Issuer name */
name
=
X509_get_issuer_name
(
x
);
name
=
X509_get_issuer_name
(
x
);
X509_NAME_add_entry_by_txt
(
name
,
"CN"
,
MBSTRING_ASC
,
X509_NAME_add_entry_by_txt
(
name
,
"CN"
,
MBSTRING_ASC
,
(
const
unsigned
char
*
)
cert
->
issuer
->
cn
,
-
1
,
-
1
,
0
);
(
const
unsigned
char
*
)
issuer
_cert
->
cn
,
-
1
,
-
1
,
0
);
X509_set_issuer_name
(
x
,
name
);
X509_set_issuer_name
(
x
,
name
);
/* Add various extensions: standard extensions */
/* Add various extensions: standard extensions */
...
...
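Review bot: `cert->key`, `cert->issuer` and `issuer_cert->key` are now table indices and are used directly in `keys[cert->key]`, `certs[cert->issuer]` and `keys[issuer_cert->key]` with no check against `num_keys`/`num_certs`, so a mis-built platform table becomes an out-of-bounds read of the key or certificate arrays rather than an error. A guard at the top of `cert_new`, `if (cert->key < 0 || (unsigned)cert->key >= num_keys || cert->issuer < 0 || (unsigned)cert->issuer >= num_certs) return 0;`, plus the same test on `issuer_cert->key`, would fail the tool cleanly. The zero-return convention is inferred from main.c's `if (!cert_new(...))`; `cert_new` itself continues past the hunk.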
tools/cert_create/src/ext.c
...
@@ -65,20 +65,20 @@ IMPLEMENT_ASN1_FUNCTIONS(HASH)
...
@@ -65,20 +65,20 @@ IMPLEMENT_ASN1_FUNCTIONS(HASH)
*
*
* Return: 0 = success, Otherwise: error
* Return: 0 = success, Otherwise: error
*/
*/
int
ext_
init
(
ext_t
*
tbb_
ext
)
int
ext_
register
(
ext_t
*
ext
s
)
{
{
ext_t
*
ext
;
ext_t
*
ext
;
X509V3_EXT_METHOD
*
m
;
X509V3_EXT_METHOD
*
m
;
int
i
=
0
,
nid
,
ret
;
int
i
=
0
,
nid
,
ret
;
while
((
ext
=
&
tbb_
ext
[
i
++
])
&&
ext
->
oid
)
{
while
((
ext
=
&
ext
s
[
i
++
])
&&
ext
->
oid
)
{
nid
=
OBJ_create
(
ext
->
oid
,
ext
->
sn
,
ext
->
ln
);
nid
=
OBJ_create
(
ext
->
oid
,
ext
->
sn
,
ext
->
ln
);
if
(
ext
->
alias
)
{
if
(
ext
->
alias
)
{
X509V3_EXT_add_alias
(
nid
,
ext
->
alias
);
X509V3_EXT_add_alias
(
nid
,
ext
->
alias
);
}
else
{
}
else
{
m
=
&
ext
->
method
;
m
=
&
ext
->
method
;
memset
(
m
,
0x0
,
sizeof
(
X509V3_EXT_METHOD
));
memset
(
m
,
0x0
,
sizeof
(
X509V3_EXT_METHOD
));
switch
(
ext
->
type
)
{
switch
(
ext
->
asn1_
type
)
{
case
V_ASN1_INTEGER
:
case
V_ASN1_INTEGER
:
m
->
it
=
ASN1_ITEM_ref
(
ASN1_INTEGER
);
m
->
it
=
ASN1_ITEM_ref
(
ASN1_INTEGER
);
m
->
i2s
=
(
X509V3_EXT_I2S
)
i2s_ASN1_INTEGER
;
m
->
i2s
=
(
X509V3_EXT_I2S
)
i2s_ASN1_INTEGER
;
...
...
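Review bot: `ext_register` still walks the table with `while ((ext = &exts[i++]) && ext->oid)`; the address of an array element is never NULL, so the only terminating condition is an entry whose `oid` is NULL, and a platform table without that sentinel is read past its end. Since the commit introduces `num_extensions` (declared in ext.h, which this file presumably includes for the prototype), the loop can be bounded explicitly, `while (i < num_extensions && exts[i].oid) { ext = &exts[i++];`, or the sentinel requirement should be stated in the function comment. `OBJ_create` returning `NID_undef` is also passed unchecked to `X509V3_EXT_add_alias(nid, ...)`. The function body continues past the hunk.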
tools/cert_create/src/main.c
...
@@ -46,9 +46,9 @@
...
@@ -46,9 +46,9 @@
#include "key.h"
#include "key.h"
#include "platform_oid.h"
#include "platform_oid.h"
#include "sha.h"
#include "sha.h"
#include "tbb_ext.h"
#include "
tbbr/
tbb_ext.h"
#include "tbb_cert.h"
#include "
tbbr/
tbb_cert.h"
#include "tbb_key.h"
#include "
tbbr/
tbb_key.h"
/*
/*
* Helper macros to simplify the code. This macro assigns the return value of
* Helper macros to simplify the code. This macro assigns the return value of
...
@@ -79,7 +79,6 @@
...
@@ -79,7 +79,6 @@
#define MAX_FILENAME_LEN 1024
#define MAX_FILENAME_LEN 1024
#define VAL_DAYS 7300
#define VAL_DAYS 7300
#define ID_TO_BIT_MASK(id) (1 << id)
#define ID_TO_BIT_MASK(id) (1 << id)
#define NVCOUNTER_VALUE 0
#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
/* Files */
/* Files */
...
@@ -120,11 +119,6 @@ static int print_cert;
...
@@ -120,11 +119,6 @@ static int print_cert;
static
int
bl30_present
;
static
int
bl30_present
;
static
int
bl32_present
;
static
int
bl32_present
;
/* We are not checking nvcounters in TF. Include them in the certificates but
* the value will be set to 0 */
static
int
tf_nvcounter
;
static
int
non_tf_nvcounter
;
/* Info messages created in the Makefile */
/* Info messages created in the Makefile */
extern
const
char
build_msg
[];
extern
const
char
build_msg
[];
extern
const
char
platform_msg
[];
extern
const
char
platform_msg
[];
...
@@ -231,27 +225,27 @@ static void check_cmd_params(void)
...
@@ -231,27 +225,27 @@ static void check_cmd_params(void)
}
}
/* BL2, BL31 and BL33 are mandatory */
/* BL2, BL31 and BL33 are mandatory */
if
(
certs
[
BL2_CERT
].
bi
n
==
NULL
)
{
if
(
extensions
[
BL2_HASH_EXT
].
data
.
f
n
==
NULL
)
{
ERROR
(
"BL2 image not specified
\n
"
);
ERROR
(
"BL2 image not specified
\n
"
);
exit
(
1
);
exit
(
1
);
}
}
if
(
certs
[
BL31_CERT
].
bi
n
==
NULL
)
{
if
(
extensions
[
BL31_HASH_EXT
].
data
.
f
n
==
NULL
)
{
ERROR
(
"BL31 image not specified
\n
"
);
ERROR
(
"BL31 image not specified
\n
"
);
exit
(
1
);
exit
(
1
);
}
}
if
(
certs
[
BL33_CERT
].
bi
n
==
NULL
)
{
if
(
extensions
[
BL33_HASH_EXT
].
data
.
f
n
==
NULL
)
{
ERROR
(
"BL33 image not specified
\n
"
);
ERROR
(
"BL33 image not specified
\n
"
);
exit
(
1
);
exit
(
1
);
}
}
/* BL30 and BL32 are optional */
/* BL30 and BL32 are optional */
if
(
certs
[
BL30_CERT
].
bi
n
!=
NULL
)
{
if
(
extensions
[
BL30_HASH_EXT
].
data
.
f
n
!=
NULL
)
{
bl30_present
=
1
;
bl30_present
=
1
;
}
}
if
(
certs
[
BL32_CERT
].
bi
n
!=
NULL
)
{
if
(
extensions
[
BL32_HASH_EXT
].
data
.
f
n
!=
NULL
)
{
bl32_present
=
1
;
bl32_present
=
1
;
}
}
...
@@ -299,12 +293,11 @@ static void check_cmd_params(void)
...
@@ -299,12 +293,11 @@ static void check_cmd_params(void)
int
main
(
int
argc
,
char
*
argv
[])
int
main
(
int
argc
,
char
*
argv
[])
{
{
STACK_OF
(
X509_EXTENSION
)
*
sk
=
NULL
;
STACK_OF
(
X509_EXTENSION
)
*
sk
=
NULL
;
X509_EXTENSION
*
hash_ext
=
NULL
;
X509_EXTENSION
*
cert_ext
=
NULL
;
X509_EXTENSION
*
nvctr_ext
=
NULL
;
ext_t
*
ext
=
NULL
;
X509_EXTENSION
*
trusted_key_ext
=
NULL
;
cert_t
*
cert
;
X509_EXTENSION
*
non_trusted_key_ext
=
NULL
;
FILE
*
file
=
NULL
;
FILE
*
file
=
NULL
;
int
i
,
tz_nvctr_nid
,
ntz_nvctr_nid
,
hash_nid
,
pk
_nid
;
int
i
,
j
,
ext
_nid
;
int
c
,
opt_idx
=
0
;
int
c
,
opt_idx
=
0
;
unsigned
int
err_code
;
unsigned
int
err_code
;
unsigned
char
md
[
SHA256_DIGEST_LENGTH
];
unsigned
char
md
[
SHA256_DIGEST_LENGTH
];
...
@@ -346,19 +339,19 @@ int main(int argc, char *argv[])
...
@@ -346,19 +339,19 @@ int main(int argc, char *argv[])
print_cert
=
1
;
print_cert
=
1
;
break
;
break
;
case
BL2_ID
:
case
BL2_ID
:
certs
[
BL2_CERT
].
bi
n
=
strdup
(
optarg
);
extensions
[
BL2_HASH_EXT
].
data
.
f
n
=
strdup
(
optarg
);
break
;
break
;
case
BL30_ID
:
case
BL30_ID
:
certs
[
BL30_CERT
].
bi
n
=
strdup
(
optarg
);
extensions
[
BL30_HASH_EXT
].
data
.
f
n
=
strdup
(
optarg
);
break
;
break
;
case
BL31_ID
:
case
BL31_ID
:
certs
[
BL31_CERT
].
bi
n
=
strdup
(
optarg
);
extensions
[
BL31_HASH_EXT
].
data
.
f
n
=
strdup
(
optarg
);
break
;
break
;
case
BL32_ID
:
case
BL32_ID
:
certs
[
BL32_CERT
].
bi
n
=
strdup
(
optarg
);
extensions
[
BL32_HASH_EXT
].
data
.
f
n
=
strdup
(
optarg
);
break
;
break
;
case
BL33_ID
:
case
BL33_ID
:
certs
[
BL33_CERT
].
bi
n
=
strdup
(
optarg
);
extensions
[
BL33_HASH_EXT
].
data
.
f
n
=
strdup
(
optarg
);
break
;
break
;
case
BL2_CERT_ID
:
case
BL2_CERT_ID
:
certs
[
BL2_CERT
].
fn
=
strdup
(
optarg
);
certs
[
BL2_CERT
].
fn
=
strdup
(
optarg
);
...
@@ -418,16 +411,12 @@ int main(int argc, char *argv[])
...
@@ -418,16 +411,12 @@ int main(int argc, char *argv[])
}
}
}
}
/* Set the value of the NVCounters */
tf_nvcounter
=
NVCOUNTER_VALUE
;
non_tf_nvcounter
=
NVCOUNTER_VALUE
;
/* Check command line arguments */
/* Check command line arguments */
check_cmd_params
();
check_cmd_params
();
/* Register the new types and OIDs for the extensions */
/* Register the new types and OIDs for the extensions */
if
(
ext_
init
(
tbb_ext
)
!=
0
)
{
if
(
ext_
register
(
extensions
)
!=
0
)
{
ERROR
(
"Cannot
initialize
TBB extensions
\n
"
);
ERROR
(
"Cannot
register
TBB extensions
\n
"
);
exit
(
1
);
exit
(
1
);
}
}
...
@@ -435,12 +424,8 @@ int main(int argc, char *argv[])
...
@@ -435,12 +424,8 @@ int main(int argc, char *argv[])
* extension */
* extension */
md_info
=
EVP_sha256
();
md_info
=
EVP_sha256
();
/* Get non-volatile counters NIDs */
CHECK_OID
(
tz_nvctr_nid
,
TZ_FW_NVCOUNTER_OID
);
CHECK_OID
(
ntz_nvctr_nid
,
NTZ_FW_NVCOUNTER_OID
);
/* Load private keys from files (or generate new ones) */
/* Load private keys from files (or generate new ones) */
for
(
i
=
0
;
i
<
NUM_KEYS
;
i
++
)
{
for
(
i
=
0
;
i
<
num_keys
;
i
++
)
{
/* First try to load the key from disk */
/* First try to load the key from disk */
if
(
key_load
(
&
keys
[
i
],
&
err_code
))
{
if
(
key_load
(
&
keys
[
i
],
&
err_code
))
{
/* Key loaded successfully */
/* Key loaded successfully */
...
@@ -478,271 +463,73 @@ int main(int argc, char *argv[])
...
@@ -478,271 +463,73 @@ int main(int argc, char *argv[])
}
}
}
}
/* *********************************************************************
/* Create the certificates */
* BL2 certificate (Trusted Boot Firmware certificate):
for
(
i
=
0
;
i
<
num_certs
;
i
++
)
{
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL2 hash
**********************************************************************/
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
/* Add the NVCounter as a critical extension */
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
/* Add hash of BL2 as an extension */
if
(
!
sha_file
(
certs
[
BL2_CERT
].
bin
,
md
))
{
ERROR
(
"Cannot calculate the hash of %s
\n
"
,
certs
[
BL2_CERT
].
bin
);
exit
(
1
);
}
CHECK_OID
(
hash_nid
,
BL2_HASH_OID
);
CHECK_NULL
(
hash_ext
,
ext_new_hash
(
hash_nid
,
EXT_CRIT
,
md_info
,
md
,
SHA256_DIGEST_LENGTH
));
sk_X509_EXTENSION_push
(
sk
,
hash_ext
);
/* Create certificate. Signed with ROT key */
cert
=
&
certs
[
i
];
if
(
!
cert_new
(
&
certs
[
BL2_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL2_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
/* *********************************************************************
/* Create a new stack of extensions. This stack will be used
* Trusted Key certificate:
* to create the certificate */
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedWorldPK
* - NonTrustedWorldPK
**********************************************************************/
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
CHECK_OID
(
pk_nid
,
TZ_WORLD_PK_OID
);
CHECK_NULL
(
trusted_key_ext
,
ext_new_key
(
pk_nid
,
EXT_CRIT
,
keys
[
TRUSTED_WORLD_KEY
].
key
));
sk_X509_EXTENSION_push
(
sk
,
trusted_key_ext
);
CHECK_OID
(
pk_nid
,
NTZ_WORLD_PK_OID
);
CHECK_NULL
(
non_trusted_key_ext
,
ext_new_key
(
pk_nid
,
EXT_CRIT
,
keys
[
NON_TRUSTED_WORLD_KEY
].
key
));
sk_X509_EXTENSION_push
(
sk
,
non_trusted_key_ext
);
if
(
!
cert_new
(
&
certs
[
TRUSTED_KEY_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
TRUSTED_KEY_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
/* *********************************************************************
for
(
j
=
0
;
j
<
cert
->
num_ext
;
j
++
)
{
* BL30 Key certificate (Trusted SCP Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareContentCertPK
**********************************************************************/
if
(
bl30_present
)
{
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
CHECK_OID
(
pk_nid
,
BL30_CONTENT_CERT_PK_OID
);
CHECK_NULL
(
trusted_key_ext
,
ext_new_key
(
pk_nid
,
EXT_CRIT
,
keys
[
BL30_KEY
].
key
));
sk_X509_EXTENSION_push
(
sk
,
trusted_key_ext
);
if
(
!
cert_new
(
&
certs
[
BL30_KEY_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL30_KEY_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
}
/* *********************************************************************
ext
=
&
extensions
[
cert
->
ext
[
j
]];
* BL30 certificate (SCP Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareHash
**********************************************************************/
if
(
bl30_present
)
{
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
if
(
!
sha_file
(
certs
[
BL30_CERT
].
bin
,
md
))
{
/* Get OpenSSL internal ID for this extension */
ERROR
(
"Cannot calculate the hash of %s
\n
"
,
CHECK_OID
(
ext_nid
,
ext
->
oid
);
certs
[
BL30_CERT
].
bin
);
exit
(
1
);
}
CHECK_OID
(
hash_nid
,
BL30_HASH_OID
);
CHECK_NULL
(
hash_ext
,
ext_new_hash
(
hash_nid
,
EXT_CRIT
,
md_info
,
md
,
SHA256_DIGEST_LENGTH
));
sk_X509_EXTENSION_push
(
sk
,
hash_ext
);
if
(
!
cert_new
(
&
certs
[
BL30_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL30_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
/*
}
* Three types of extensions are currently supported:
* - EXT_TYPE_NVCOUNTER
/* *********************************************************************
* - EXT_TYPE_HASH
* BL31 Key certificate (Trusted SoC Firmware Key certificate):
* - EXT_TYPE_PKEY
* - Self-signed with Trusted World key
*/
* - Extensions:
switch
(
ext
->
type
)
{
* - TrustedFirmwareNVCounter (TODO)
case
EXT_TYPE_NVCOUNTER
:
* - SoCFirmwareContentCertPK
CHECK_NULL
(
cert_ext
,
ext_new_nvcounter
(
ext_nid
,
**********************************************************************/
EXT_CRIT
,
ext
->
data
.
nvcounter
));
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
break
;
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
case
EXT_TYPE_HASH
:
tf_nvcounter
));
if
(
ext
->
data
.
fn
==
NULL
)
{
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
break
;
CHECK_OID
(
pk_nid
,
BL31_CONTENT_CERT_PK_OID
);
CHECK_NULL
(
trusted_key_ext
,
ext_new_key
(
pk_nid
,
EXT_CRIT
,
keys
[
BL31_KEY
].
key
));
sk_X509_EXTENSION_push
(
sk
,
trusted_key_ext
);
if
(
!
cert_new
(
&
certs
[
BL31_KEY_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL31_KEY_CERT
].
cn
);
exit
(
1
);
}
}
sk_X509_EXTENSION_free
(
sk
);
if
(
!
sha_file
(
ext
->
data
.
fn
,
md
))
{
ERROR
(
"Cannot calculate hash of %s
\n
"
,
/* *********************************************************************
ext
->
data
.
fn
);
* BL31 certificate (SOC Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL31 hash
**********************************************************************/
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
if
(
!
sha_file
(
certs
[
BL31_CERT
].
bin
,
md
))
{
ERROR
(
"Cannot calculate the hash of %s
\n
"
,
certs
[
BL31_CERT
].
bin
);
exit
(
1
);
exit
(
1
);
}
}
CHECK_
OID
(
hash_nid
,
BL31_HASH_OID
);
CHECK_
NULL
(
cert_ext
,
ext_new_hash
(
ext_nid
,
CHECK_NULL
(
hash_ext
,
ext_new_hash
(
hash_nid
,
EXT_CRIT
,
md_info
,
md
,
EXT_CRIT
,
md_info
,
md
,
SHA256_DIGEST_LENGTH
));
SHA256_DIGEST_LENGTH
));
sk_X509_EXTENSION_push
(
sk
,
hash_ext
);
break
;
case
EXT_TYPE_PKEY
:
if
(
!
cert_new
(
&
certs
[
BL31_CERT
],
VAL_DAYS
,
0
,
sk
))
{
CHECK_NULL
(
cert_ext
,
ext_new_key
(
ext_nid
,
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL31_CERT
].
cn
);
EXT_CRIT
,
keys
[
ext
->
data
.
key
].
key
));
break
;
default:
ERROR
(
"Unknown extension type in %s
\n
"
,
cert
->
cn
);
exit
(
1
);
exit
(
1
);
}
}
sk_X509_EXTENSION_free
(
sk
);
/* Push the extension into the stack */
sk_X509_EXTENSION_push
(
sk
,
cert_ext
);
/* *********************************************************************
* BL32 Key certificate (Trusted OS Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedOSFirmwareContentCertPK
**********************************************************************/
if
(
bl32_present
)
{
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
CHECK_OID
(
pk_nid
,
BL32_CONTENT_CERT_PK_OID
);
CHECK_NULL
(
trusted_key_ext
,
ext_new_key
(
pk_nid
,
EXT_CRIT
,
keys
[
BL32_KEY
].
key
));
sk_X509_EXTENSION_push
(
sk
,
trusted_key_ext
);
if
(
!
cert_new
(
&
certs
[
BL32_KEY_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL32_KEY_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
}
}
/* *********************************************************************
/* Create certificate. Signed with ROT key */
* BL32 certificate (TrustedOS Firmware Content certificate):
if
(
!
cert_new
(
cert
,
VAL_DAYS
,
0
,
sk
))
{
* - Signed with Trusted World Key
ERROR
(
"Cannot create %s
\n
"
,
cert
->
cn
);
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL32 hash
**********************************************************************/
if
(
bl32_present
)
{
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
tz_nvctr_nid
,
EXT_CRIT
,
tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
if
(
!
sha_file
(
certs
[
BL32_CERT
].
bin
,
md
))
{
ERROR
(
"Cannot calculate the hash of %s
\n
"
,
certs
[
BL32_CERT
].
bin
);
exit
(
1
);
}
CHECK_OID
(
hash_nid
,
BL32_HASH_OID
);
CHECK_NULL
(
hash_ext
,
ext_new_hash
(
hash_nid
,
EXT_CRIT
,
md_info
,
md
,
SHA256_DIGEST_LENGTH
));
sk_X509_EXTENSION_push
(
sk
,
hash_ext
);
if
(
!
cert_new
(
&
certs
[
BL32_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL32_CERT
].
cn
);
exit
(
1
);
exit
(
1
);
}
}
sk_X509_EXTENSION_free
(
sk
);
sk_X509_EXTENSION_free
(
sk
);
}
}
/* *********************************************************************
* BL33 Key certificate (Non Trusted Firmware Key certificate):
* - Self-signed with Non Trusted World key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - NonTrustedFirmwareContentCertPK
**********************************************************************/
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
ntz_nvctr_nid
,
EXT_CRIT
,
non_tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
CHECK_OID
(
pk_nid
,
BL33_CONTENT_CERT_PK_OID
);
CHECK_NULL
(
non_trusted_key_ext
,
ext_new_key
(
pk_nid
,
EXT_CRIT
,
keys
[
BL33_KEY
].
key
));
sk_X509_EXTENSION_push
(
sk
,
non_trusted_key_ext
);
if
(
!
cert_new
(
&
certs
[
BL33_KEY_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL33_KEY_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
/* *********************************************************************
* BL33 certificate (Non-Trusted World Content certificate):
* - Signed with Non-Trusted World Key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - BL33 hash
**********************************************************************/
CHECK_NULL
(
sk
,
sk_X509_EXTENSION_new_null
());
CHECK_NULL
(
nvctr_ext
,
ext_new_nvcounter
(
ntz_nvctr_nid
,
EXT_CRIT
,
non_tf_nvcounter
));
sk_X509_EXTENSION_push
(
sk
,
nvctr_ext
);
if
(
!
sha_file
(
certs
[
BL33_CERT
].
bin
,
md
))
{
ERROR
(
"Cannot calculate the hash of %s
\n
"
,
certs
[
BL33_CERT
].
bin
);
exit
(
1
);
}
CHECK_OID
(
hash_nid
,
BL33_HASH_OID
);
CHECK_NULL
(
hash_ext
,
ext_new_hash
(
hash_nid
,
EXT_CRIT
,
md_info
,
md
,
SHA256_DIGEST_LENGTH
));
sk_X509_EXTENSION_push
(
sk
,
hash_ext
);
if
(
!
cert_new
(
&
certs
[
BL33_CERT
],
VAL_DAYS
,
0
,
sk
))
{
ERROR
(
"Cannot create %s
\n
"
,
certs
[
BL33_CERT
].
cn
);
exit
(
1
);
}
sk_X509_EXTENSION_free
(
sk
);
/* Print the certificates */
/* Print the certificates */
if
(
print_cert
)
{
if
(
print_cert
)
{
for
(
i
=
0
;
i
<
NUM_CERTIFICATES
;
i
++
)
{
for
(
i
=
0
;
i
<
num_certs
;
i
++
)
{
if
(
!
certs
[
i
].
x
)
{
if
(
!
certs
[
i
].
x
)
{
continue
;
continue
;
}
}
...
@@ -752,7 +539,7 @@ int main(int argc, char *argv[])
...
@@ -752,7 +539,7 @@ int main(int argc, char *argv[])
}
}
/* Save created certificates to files */
/* Save created certificates to files */
for
(
i
=
0
;
i
<
NUM_CERTIFICATES
;
i
++
)
{
for
(
i
=
0
;
i
<
num_certs
;
i
++
)
{
if
(
certs
[
i
].
x
&&
certs
[
i
].
fn
)
{
if
(
certs
[
i
].
x
&&
certs
[
i
].
fn
)
{
file
=
fopen
(
certs
[
i
].
fn
,
"w"
);
file
=
fopen
(
certs
[
i
].
fn
,
"w"
);
if
(
file
!=
NULL
)
{
if
(
file
!=
NULL
)
{
...
@@ -766,18 +553,13 @@ int main(int argc, char *argv[])
...
@@ -766,18 +553,13 @@ int main(int argc, char *argv[])
/* Save keys */
/* Save keys */
if
(
save_keys
)
{
if
(
save_keys
)
{
for
(
i
=
0
;
i
<
NUM_KEYS
;
i
++
)
{
for
(
i
=
0
;
i
<
num_keys
;
i
++
)
{
if
(
!
key_store
(
&
keys
[
i
]))
{
if
(
!
key_store
(
&
keys
[
i
]))
{
ERROR
(
"Cannot save %s
\n
"
,
keys
[
i
].
desc
);
ERROR
(
"Cannot save %s
\n
"
,
keys
[
i
].
desc
);
}
}
}
}
}
}
X509_EXTENSION_free
(
hash_ext
);
X509_EXTENSION_free
(
nvctr_ext
);
X509_EXTENSION_free
(
trusted_key_ext
);
X509_EXTENSION_free
(
non_trusted_key_ext
);
#ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup
();
ENGINE_cleanup
();
#endif
#endif
...
...
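Review bot: In the new per-certificate loop, `case EXT_TYPE_HASH:` does `break;` when `ext->data.fn == NULL`, but that only leaves the switch — control falls to `sk_X509_EXTENSION_push(sk, cert_ext);`, which pushes whatever `cert_ext` held from the previous iteration (or NULL on the first), so a certificate whose image was not supplied (BL30/BL32 are optional) gets a duplicate or null extension and is still created and signed. Replacing that `break;` with `continue;` skips the push; alternatively guard the push with `if (cert_ext != NULL)` and reset `cert_ext = NULL;` after it. The comment `/* Create certificate. Signed with ROT key */` is no longer accurate in the generic loop, since the signing key now comes from the issuer entry in the table. The removed `X509_EXTENSION_free` calls were not replaced, and `sk_X509_EXTENSION_free` does not free elements; `sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free)` would, if `cert_new` still copies them via `X509_add_ext` as the old code did.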
tools/cert_create/src/tbb_cert.c
→
tools/cert_create/src/
tbbr/
tbb_cert.c
...
@@ -28,84 +28,129 @@
...
@@ -28,84 +28,129 @@
* POSSIBILITY OF SUCH DAMAGE.
* POSSIBILITY OF SUCH DAMAGE.
*/
*/
#include "tbb_cert.h"
#include "tbbr/tbb_cert.h"
#include "tbb_key.h"
#include "tbbr/tbb_ext.h"
#include "tbbr/tbb_key.h"
/*
/*
* Certificates used in the chain of trust
* Certificates used in the chain of trust
*
*
* The order of the certificates must follow the enumeration specified in
* The order of the certificates must follow the enumeration specified in
* tbb_cert.h. All certificates are self-signed.
* tbb_cert.h. All certificates are self-signed, so the issuer certificate
* field points to itself.
*/
*/
cert_t
certs
[
NUM_CERTIFICATES
]
=
{
static
cert_t
tbb_
certs
[]
=
{
{
[
BL2_CERT
]
=
{
.
id
=
BL2_CERT
,
.
id
=
BL2_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL2 Certificate"
,
.
cn
=
"BL2 Certificate"
,
.
key
=
&
keys
[
ROT_KEY
],
.
key
=
ROT_KEY
,
.
issuer
=
&
certs
[
BL2_CERT
],
.
issuer
=
BL2_CERT
,
.
ext
=
{
BL2_HASH_EXT
},
},
{
.
num_ext
=
1
},
[
TRUSTED_KEY_CERT
]
=
{
.
id
=
TRUSTED_KEY_CERT
,
.
id
=
TRUSTED_KEY_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"Trusted Key Certificate"
,
.
cn
=
"Trusted Key Certificate"
,
.
key
=
&
keys
[
ROT_KEY
],
.
key
=
ROT_KEY
,
.
issuer
=
&
certs
[
TRUSTED_KEY_CERT
],
.
issuer
=
TRUSTED_KEY_CERT
,
.
ext
=
{
TZ_WORLD_PK_EXT
,
NTZ_WORLD_PK_EXT
},
.
num_ext
=
2
},
},
{
[
BL30_KEY_CERT
]
=
{
.
id
=
BL30_KEY_CERT
,
.
id
=
BL30_KEY_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-0 Key Certificate"
,
.
cn
=
"BL3-0 Key Certificate"
,
.
key
=
&
keys
[
TRUSTED_WORLD_KEY
],
.
key
=
TRUSTED_WORLD_KEY
,
.
issuer
=
&
certs
[
BL30_KEY_CERT
],
.
issuer
=
BL30_KEY_CERT
,
.
ext
=
{
BL30_CONTENT_CERT_PK_EXT
},
.
num_ext
=
1
},
},
{
[
BL30_CERT
]
=
{
.
id
=
BL30_CERT
,
.
id
=
BL30_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-0 Content Certificate"
,
.
cn
=
"BL3-0 Content Certificate"
,
.
key
=
&
keys
[
BL30_KEY
],
.
key
=
BL30_KEY
,
.
issuer
=
&
certs
[
BL30_CERT
],
.
issuer
=
BL30_CERT
,
.
ext
=
{
BL30_HASH_EXT
},
},
{
.
num_ext
=
1
},
[
BL31_KEY_CERT
]
=
{
.
id
=
BL31_KEY_CERT
,
.
id
=
BL31_KEY_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-1 Key Certificate"
,
.
cn
=
"BL3-1 Key Certificate"
,
.
key
=
&
keys
[
TRUSTED_WORLD_KEY
],
.
key
=
TRUSTED_WORLD_KEY
,
.
issuer
=
&
certs
[
BL31_KEY_CERT
],
.
issuer
=
BL31_KEY_CERT
,
.
ext
=
{
BL31_CONTENT_CERT_PK_EXT
},
.
num_ext
=
1
},
},
{
[
BL31_CERT
]
=
{
.
id
=
BL31_CERT
,
.
id
=
BL31_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-1 Content Certificate"
,
.
cn
=
"BL3-1 Content Certificate"
,
.
key
=
&
keys
[
BL31_KEY
],
.
key
=
BL31_KEY
,
.
issuer
=
&
certs
[
BL31_CERT
],
.
issuer
=
BL31_CERT
,
.
ext
=
{
BL31_HASH_EXT
},
.
num_ext
=
1
},
},
{
[
BL32_KEY_CERT
]
=
{
.
id
=
BL32_KEY_CERT
,
.
id
=
BL32_KEY_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-2 Key Certificate"
,
.
cn
=
"BL3-2 Key Certificate"
,
.
key
=
&
keys
[
TRUSTED_WORLD_KEY
],
.
key
=
TRUSTED_WORLD_KEY
,
.
issuer
=
&
certs
[
BL32_KEY_CERT
],
.
issuer
=
BL32_KEY_CERT
,
.
ext
=
{
BL32_CONTENT_CERT_PK_EXT
},
},
{
.
num_ext
=
1
},
[
BL32_CERT
]
=
{
.
id
=
BL32_CERT
,
.
id
=
BL32_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-2 Content Certificate"
,
.
cn
=
"BL3-2 Content Certificate"
,
.
key
=
&
keys
[
BL32_KEY
],
.
key
=
BL32_KEY
,
.
issuer
=
&
certs
[
BL32_CERT
],
.
issuer
=
BL32_CERT
,
.
ext
=
{
BL32_HASH_EXT
},
.
num_ext
=
1
},
},
{
[
BL33_KEY_CERT
]
=
{
.
id
=
BL33_KEY_CERT
,
.
id
=
BL33_KEY_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-3 Key Certificate"
,
.
cn
=
"BL3-3 Key Certificate"
,
.
key
=
&
keys
[
NON_TRUSTED_WORLD_KEY
],
.
key
=
NON_TRUSTED_WORLD_KEY
,
.
issuer
=
&
certs
[
BL33_KEY_CERT
],
.
issuer
=
BL33_KEY_CERT
,
.
ext
=
{
BL33_CONTENT_CERT_PK_EXT
},
.
num_ext
=
1
},
},
{
[
BL33_CERT
]
=
{
.
id
=
BL33_CERT
,
.
id
=
BL33_CERT
,
.
fn
=
NULL
,
.
fn
=
NULL
,
.
cn
=
"BL3-3 Content Certificate"
,
.
cn
=
"BL3-3 Content Certificate"
,
.
key
=
&
keys
[
BL33_KEY
],
.
key
=
BL33_KEY
,
.
issuer
=
&
certs
[
BL33_CERT
],
.
issuer
=
BL33_CERT
,
.
ext
=
{
BL33_HASH_EXT
},
.
num_ext
=
1
}
}
};
};
REGISTER_COT
(
tbb_certs
);
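Review bot: The header comment kept at the top of this hunk still says the certificate order must follow the enumeration in tbb_cert.h, but the new table uses designated initializers (`[BL2_CERT] = {`) and is declared `tbb_certs[]` instead of `[NUM_CERTIFICATES]`, so the order no longer matters while completeness does — the array length is now fixed by the highest designator, and an enumerator added to tbb_cert.h without an entry here would presumably leave a zero-filled slot or a short table; REGISTER_COT is outside this hunk, so I cannot tell whether it checks for that. I would reword the comment to `Every certificate enumerated in tbb_cert.h must have an entry below; entries are keyed by designator, so their order is irrelevant, but a missing entry is not detected at build time.` The same stale "order must follow the enumeration" comment is kept on the key table in tbb_key.c. Each `.num_ext` is also maintained by hand next to its `.ext` list (e.g. `.num_ext = 2` for the two-entry Trusted Key Certificate list), so a one-line comment on the first `.num_ext` saying it must equal the number of entries in `.ext` would help the next person who adds an extension.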
tools/cert_create/src/tbb_ext.c
→
tools/cert_create/src/
tbbr/
tbb_ext.c
...
@@ -34,85 +34,113 @@
...
@@ -34,85 +34,113 @@
#include <openssl/x509v3.h>
#include <openssl/x509v3.h>
#include "ext.h"
#include "ext.h"
#include "platform_oid.h"
#include "platform_oid.h"
#include "tbbr/tbb_ext.h"
#include "tbbr/tbb_key.h"
ext_t
tbb_ext
[]
=
{
/* TODO: get these values from the command line */
{
#define TRUSTED_WORLD_NVCTR_VALUE 0
#define NORMAL_WORLD_NVCTR_VALUE 0
static
ext_t
tbb_ext
[]
=
{
[
TZ_FW_NVCOUNTER_EXT
]
=
{
.
oid
=
TZ_FW_NVCOUNTER_OID
,
.
oid
=
TZ_FW_NVCOUNTER_OID
,
.
sn
=
"TrustedNvCounter"
,
.
sn
=
"TrustedWorldNVCounter"
,
.
ln
=
"Non-volatile trusted counter"
,
.
ln
=
"Trusted World Non-Volatile counter"
,
.
type
=
V_ASN1_INTEGER
.
asn1_type
=
V_ASN1_INTEGER
,
.
type
=
EXT_TYPE_NVCOUNTER
,
.
data
.
nvcounter
=
TRUSTED_WORLD_NVCTR_VALUE
},
},
{
[
NTZ_FW_NVCOUNTER_EXT
]
=
{
.
oid
=
NTZ_FW_NVCOUNTER_OID
,
.
oid
=
NTZ_FW_NVCOUNTER_OID
,
.
sn
=
"NonTrustedNvCounter"
,
.
sn
=
"NormalWorldNVCounter"
,
.
ln
=
"Non-volatile non-trusted counter"
,
.
ln
=
"Normal World Non-Volatile counter"
,
.
type
=
V_ASN1_INTEGER
.
asn1_type
=
V_ASN1_INTEGER
,
.
type
=
EXT_TYPE_NVCOUNTER
,
.
data
.
nvcounter
=
NORMAL_WORLD_NVCTR_VALUE
},
},
{
[
BL2_HASH_EXT
]
=
{
.
oid
=
BL2_HASH_OID
,
.
oid
=
BL2_HASH_OID
,
.
sn
=
"TrustedBootFirmwareHash"
,
.
sn
=
"TrustedBootFirmwareHash"
,
.
ln
=
"Trusted Boot Firmware (BL2) hash (SHA256)"
,
.
ln
=
"Trusted Boot Firmware (BL2) hash (SHA256)"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_HASH
},
},
{
[
TZ_WORLD_PK_EXT
]
=
{
.
oid
=
TZ_WORLD_PK_OID
,
.
oid
=
TZ_WORLD_PK_OID
,
.
sn
=
"TrustedWorldPublicKey"
,
.
sn
=
"TrustedWorldPublicKey"
,
.
ln
=
"Trusted World Public Key"
,
.
ln
=
"Trusted World Public Key"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_PKEY
,
.
data
.
key
=
TRUSTED_WORLD_KEY
},
},
{
[
NTZ_WORLD_PK_EXT
]
=
{
.
oid
=
NTZ_WORLD_PK_OID
,
.
oid
=
NTZ_WORLD_PK_OID
,
.
sn
=
"NonTrustedWorldPublicKey"
,
.
sn
=
"NonTrustedWorldPublicKey"
,
.
ln
=
"Non-Trusted World Public Key"
,
.
ln
=
"Non-Trusted World Public Key"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
},
.
type
=
EXT_TYPE_PKEY
,
{
.
data
.
key
=
NON_TRUSTED_WORLD_KEY
.
oid
=
BL31_CONTENT_CERT_PK_OID
,
.
sn
=
"SoCFirmwareContentCertPK"
,
.
ln
=
"SoC Firmware content certificate public key"
,
.
type
=
V_ASN1_OCTET_STRING
},
{
.
oid
=
BL31_HASH_OID
,
.
sn
=
"APROMPatchHash"
,
.
ln
=
"AP ROM patch hash"
,
.
type
=
V_ASN1_OCTET_STRING
},
},
{
[
BL30_CONTENT_CERT_PK_EXT
]
=
{
.
oid
=
BL30_CONTENT_CERT_PK_OID
,
.
oid
=
BL30_CONTENT_CERT_PK_OID
,
.
sn
=
"SCPFirmwareContentCertPK"
,
.
sn
=
"SCPFirmwareContentCertPK"
,
.
ln
=
"SCP Firmware content certificate public key"
,
.
ln
=
"SCP Firmware content certificate public key"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_PKEY
,
.
data
.
key
=
BL30_KEY
},
},
{
[
BL30_HASH_EXT
]
=
{
.
oid
=
BL30_HASH_OID
,
.
oid
=
BL30_HASH_OID
,
.
sn
=
"SCPFirmwareHash"
,
.
sn
=
"SCPFirmwareHash"
,
.
ln
=
"SCP Firmware (BL30) hash (SHA256)"
,
.
ln
=
"SCP Firmware (BL30) hash (SHA256)"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_HASH
},
},
{
[
BL31_CONTENT_CERT_PK_EXT
]
=
{
.
oid
=
BL31_CONTENT_CERT_PK_OID
,
.
sn
=
"SoCFirmwareContentCertPK"
,
.
ln
=
"SoC Firmware content certificate public key"
,
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_PKEY
,
.
data
.
key
=
BL31_KEY
},
[
BL31_HASH_EXT
]
=
{
.
oid
=
BL31_HASH_OID
,
.
sn
=
"SoCAPFirmwareHash"
,
.
ln
=
"SoC AP Firmware (BL31) hash (SHA256)"
,
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_HASH
},
[
BL32_CONTENT_CERT_PK_EXT
]
=
{
.
oid
=
BL32_CONTENT_CERT_PK_OID
,
.
oid
=
BL32_CONTENT_CERT_PK_OID
,
.
sn
=
"TrustedOSFirmwareContentCertPK"
,
.
sn
=
"TrustedOSFirmwareContentCertPK"
,
.
ln
=
"Trusted OS Firmware content certificate public key"
,
.
ln
=
"Trusted OS Firmware content certificate public key"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_PKEY
,
.
data
.
key
=
BL32_KEY
},
},
{
[
BL32_HASH_EXT
]
=
{
.
oid
=
BL32_HASH_OID
,
.
oid
=
BL32_HASH_OID
,
.
sn
=
"TrustedOSHash"
,
.
sn
=
"TrustedOSHash"
,
.
ln
=
"Trusted OS (BL32) hash (SHA256)"
,
.
ln
=
"Trusted OS (BL32) hash (SHA256)"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_HASH
},
},
{
[
BL33_CONTENT_CERT_PK_EXT
]
=
{
.
oid
=
BL33_CONTENT_CERT_PK_OID
,
.
oid
=
BL33_CONTENT_CERT_PK_OID
,
.
sn
=
"NonTrustedFirmwareContentCertPK"
,
.
sn
=
"NonTrustedFirmwareContentCertPK"
,
.
ln
=
"Non-Trusted Firmware content certificate public key"
,
.
ln
=
"Non-Trusted Firmware content certificate public key"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_type
=
V_ASN1_OCTET_STRING
,
.
type
=
EXT_TYPE_PKEY
,
.
data
.
key
=
BL33_KEY
},
},
{
[
BL33_HASH_EXT
]
=
{
.
oid
=
BL33_HASH_OID
,
.
oid
=
BL33_HASH_OID
,
.
sn
=
"NonTrustedWorldBootloaderHash"
,
.
sn
=
"NonTrustedWorldBootloaderHash"
,
.
ln
=
"Non-Trusted World (BL33) hash (SHA256)"
,
.
ln
=
"Non-Trusted World (BL33) hash (SHA256)"
,
.
type
=
V_ASN1_OCTET_STRING
.
asn1_
type
=
V_ASN1_OCTET_STRING
,
},
.
type
=
EXT_TYPE_HASH
{
0
,
0
,
0
,
0
}
}
};
};
REGISTER_EXTENSIONS
(
tbb_ext
);
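Review bot: The two new macros `#define TRUSTED_WORLD_NVCTR_VALUE 0` and `#define NORMAL_WORLD_NVCTR_VALUE 0` fix the value carried by TZ_FW_NVCOUNTER_EXT and NTZ_FW_NVCOUNTER_EXT at compile time, so every certificate the tool emits asserts counter 0 and the anti-rollback extension cannot be advanced without rebuilding the tool. The old `/* TODO: get these values from the command line */` is printed only once in this side-by-side view and I cannot tell whether it survives on the new side; if it does not, it belongs next to the macros, e.g. `/* TODO: take the NV counter values from the command line; a fixed 0 cannot express a rollback-protection bump */`. The hunk also renames the counter short names (`TrustedNvCounter` to `TrustedWorldNVCounter`, `NonTrustedNvCounter` to `NormalWorldNVCounter`) and the BL31 hash names; anything that looks these extensions up by short name would need the same change, which is worth a sentence in the commit description.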
tools/cert_create/src/tbb_key.c
→
tools/cert_create/src/
tbbr/
tbb_key.c
...
@@ -28,40 +28,42 @@
...
@@ -28,40 +28,42 @@
* POSSIBILITY OF SUCH DAMAGE.
* POSSIBILITY OF SUCH DAMAGE.
*/
*/
#include "tbb_key.h"
#include "
tbbr/
tbb_key.h"
/*
/*
* Keys used to establish the chain of trust
* Keys used to establish the chain of trust
*
*
* The order of the keys must follow the enumeration specified in tbb_key.h
* The order of the keys must follow the enumeration specified in tbb_key.h
*/
*/
key_t
keys
[
NUM_KEYS
]
=
{
static
key_t
tbb_
keys
[]
=
{
{
[
ROT_KEY
]
=
{
.
id
=
ROT_KEY
,
.
id
=
ROT_KEY
,
.
desc
=
"Root Of Trust key"
.
desc
=
"Root Of Trust key"
},
},
{
[
TRUSTED_WORLD_KEY
]
=
{
.
id
=
TRUSTED_WORLD_KEY
,
.
id
=
TRUSTED_WORLD_KEY
,
.
desc
=
"Trusted World key"
.
desc
=
"Trusted World key"
},
},
{
[
NON_TRUSTED_WORLD_KEY
]
=
{
.
id
=
NON_TRUSTED_WORLD_KEY
,
.
id
=
NON_TRUSTED_WORLD_KEY
,
.
desc
=
"Non Trusted World key"
.
desc
=
"Non Trusted World key"
},
},
{
[
BL30_KEY
]
=
{
.
id
=
BL30_KEY
,
.
id
=
BL30_KEY
,
.
desc
=
"BL30 key"
.
desc
=
"BL30 key"
},
},
{
[
BL31_KEY
]
=
{
.
id
=
BL31_KEY
,
.
id
=
BL31_KEY
,
.
desc
=
"BL31 key"
.
desc
=
"BL31 key"
},
},
{
[
BL32_KEY
]
=
{
.
id
=
BL32_KEY
,
.
id
=
BL32_KEY
,
.
desc
=
"BL32 key"
.
desc
=
"BL32 key"
},
},
{
[
BL33_KEY
]
=
{
.
id
=
BL33_KEY
,
.
id
=
BL33_KEY
,
.
desc
=
"BL33 key"
.
desc
=
"BL33 key"
}
}
};
};
REGISTER_KEYS
(
tbb_keys
);