Merge pull request #315 from jcastillo-arm/jc/tbb_tmp9

Authentication Framework

plat/arm/board/common/board_css.mk

@@ -28,20 +28,6 @@
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
-PLAT_INCLUDES		+=	-Iinclude/plat/arm/board/common/
+PLAT_BL_COMMON_SOURCES	+=	plat/arm/board/common/board_css_common.c
 
-PLAT_BL_COMMON_SOURCES	+=	drivers/arm/pl011/pl011_console.S			\
-				plat/arm/board/common/aarch64/board_arm_helpers.S	\
-				plat/arm/board/common/board_css_common.c
-
-
-#BL1_SOURCES		+=
-
-#BL2_SOURCES		+=
-
-#BL31_SOURCES		+=
-
-ifneq (${TRUSTED_BOARD_BOOT},0)
-  BL1_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c
-  BL2_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c
-endif
+include plat/arm/board/common/board_common.mk

plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin

+	:7zrG2s2IY^JJF"
\ No newline at end of file

plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem

+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDLLGDVjWPUB3l+
+xxaWvU0kTqyG5rdx48VUC+cUHL0pGsE/erYCqqs2xNk2aWziZcObsb89qFYmy/0E
+AbqsPlQyynleu7IF6gZY8nS64fSHwBkKH2YHd4SDoRzv/yhZ58NofSYgQ+tWY/M5
+MdgrUam8T9D23pXcX1vB7ZBv7CiRfhfteJD0YKfEx09Q7V0TOiErcMVhewghZTrN
+glaMekesieilSEgx2R1G5YWGmKDlwKZqvQfkkldhB499Wk3Krja5VgQQ8my+9jts
+gD6+DqNNx9R+p0nU8tK8zzCo53SPZN+8XEdozEBM+IPMy0A1BGDKs6QXnwPKHVr6
+0a8hVxDTAgMBAAECggEAfwsc8ewbhDW4TwIGqfNtDUr0rtYN13VpqohW0ki2L8G/
+HQaKUViO/wxQFqoNn/OqQO0AfHmKhXAAokTCiXngBHJ/OjF7vB7+IRhazZEE6u2/
+uoivr/OYNQbFpXyTqsQ1eFzpPju6KKcPK7BzT4Mc89ek/vloFAi8w6LdMl8lbvOg
+LBWqX+5A+UQoenPUTvYM4U22YNcEAWubkpsYAmViiWiac+a+uPRk39aKyfOedDNu
++ty9MtCwekivoUTfP/1+O+jFlDnPMJUOEkBmcBqxseYYAHu7blBpdHxYpAItC2pv
+YwJJSvsE+HLBLPk177Jahg7sOUqcP0F/X+T65yuvIQKBgQDxdjXdJT5K8j7rG2fv
+2bvF2H1GPaHaTYRk0EGI2Ql6Nn+ddfeCE6gaT7aPPgg87wAhNu93coFuYHw0p/sc
+ZkXMJ+BmlstPV555cWXmwcxZLsni0fOXrt4YxwWkZwmh74m0NVM/cSFw56PU0oj1
+yDNeq3fgmsJocmuNTe1eG9qA7QKBgQDXaAGrNA5Xel5mqqMYTHHQWI6l2uzdNtt7
+eDn3K9+Eh3ywTqrwP845MAjKDU2Lq61I6t2H89dEifHq823VIcLCHd9BF04MrAH7
+qDPzrmPP2iB9g+YFmGBKe+K0HFE1t1KrTlo9VV6ZAC6RJNLAgwD4kvfIVYNkCGwe
++hoZBdhgvwKBgBrOsPQ4ak4PzwRzKnrqhXpVqrLdrNZ7vLMkm+IBlpfG7SwiKLR8
+UjF5oB8PGAML1cvaOYPdZplGhQOjkrF4eU9NLhC1tSS96Y46FMIlyfYsx6UzAgRZ
+GbdOgUXbWqpr2bH0KaXlfXz3eqzqIuKGs41TJB//jo3iBibN/AhytzORAoGAeGov
+5KDpE4XYl9Pz8HVremjG9Xh4yQENmOwQm1fvT4rd7UFM1ZkVk2qCv1DIdLe32vdQ
+d9ucDzh+ADWsxGRnF1TTpPN+Mh9FzISu5h4qtdreJsxBHgecbIbsqHrb+wdMM29N
+itPaWfV8Eq9fETcqp8qgsWD8XkNHDdoKFMrrtskCgYAoSt/Je1D3ZE/3HEjez7bq
+fenS3J6KG2SEn2PNFn+R0R5vBo4DaV/cQysKh44GD2+sh0QDyh6nuWJufyhPzROP
+DU6DCLbwNePj/yaGuzi36oLt6bBgfPWCiJY7jIdK8DmTLW25m7fRtCC5pxZlSzgl
+KBf7R6cbaTvaFe05Y2FJXA==
+-----END PRIVATE KEY-----

plat/arm/board/fvp/aarch64/fvp_common.c

@@ -55,6 +55,11 @@ arm_config_t arm_config;
 					DEVICE1_SIZE,			\
 					MT_DEVICE | MT_RW | MT_SECURE)
 
+#define MAP_DEVICE2	MAP_REGION_FLAT(DEVICE2_BASE,			\
+					DEVICE2_SIZE,			\
+					MT_DEVICE | MT_RO | MT_SECURE)
+
+
 /*
  * Table of regions for various BL stages to map using the MMU.
  * This doesn't include TZRAM as the 'mem_layout' argument passed to
@@ -67,6 +72,7 @@ const mmap_region_t plat_arm_mmap[] = {
 	V2M_MAP_IOFPGA,
 	MAP_DEVICE0,
 	MAP_DEVICE1,
+	MAP_DEVICE2,
 	{0}
 };
 #endif
@@ -77,6 +83,7 @@ const mmap_region_t plat_arm_mmap[] = {
 	V2M_MAP_IOFPGA,
 	MAP_DEVICE0,
 	MAP_DEVICE1,
+	MAP_DEVICE2,
 	ARM_MAP_NS_DRAM1,
 	ARM_MAP_TSP_SEC_MEM,
 	{0}

plat/arm/board/fvp/fvp_def.h

@@ -58,13 +58,25 @@
 #define DEVICE1_BASE			0x2f000000
 #define DEVICE1_SIZE			0x200000
 
+/* Devices in the second GB */
+#define DEVICE2_BASE			0x7fe00000
+#define DEVICE2_SIZE			0x00200000
+
 #define NSRAM_BASE			0x2e000000
 #define NSRAM_SIZE			0x10000
 
 #define PCIE_EXP_BASE			0x40000000
 #define TZRNG_BASE			0x7fe60000
 #define TZNVCTR_BASE			0x7fe70000
-#define TZROOTKEY_BASE			0x7fe80000
+
+/* Keys */
+#define SOC_KEYS_BASE			0x7fe80000
+#define TZ_PUB_KEY_HASH_BASE		(SOC_KEYS_BASE + 0x0000)
+#define TZ_PUB_KEY_HASH_SIZE		32
+#define HU_KEY_BASE			(SOC_KEYS_BASE + 0x0020)
+#define HU_KEY_SIZE			16
+#define END_KEY_BASE			(SOC_KEYS_BASE + 0x0044)
+#define END_KEY_SIZE			32
 
 /* Constants to distinguish FVP type */
 #define HBI_BASE_FVP			0x020

plat/arm/board/fvp/fvp_io_storage.c

@@ -29,16 +29,88 @@
  */
 
 #include <assert.h>
+#include <common_def.h>
 #include <debug.h>
 #include <io_driver.h>
 #include <io_storage.h>
 #include <io_semihosting.h>
 #include <plat_arm.h>
+#include <semihosting.h>	/* For FOPEN_MODE_... */
+
+/* Semihosting filenames */
+#define BL2_IMAGE_NAME			"bl2.bin"
+#define BL31_IMAGE_NAME			"bl31.bin"
+#define BL32_IMAGE_NAME			"bl32.bin"
+#define BL33_IMAGE_NAME			"bl33.bin"
+
+#if TRUSTED_BOARD_BOOT
+#define BL2_CERT_NAME			"bl2.crt"
+#define TRUSTED_KEY_CERT_NAME		"trusted_key.crt"
+#define BL31_KEY_CERT_NAME		"bl31_key.crt"
+#define BL32_KEY_CERT_NAME		"bl32_key.crt"
+#define BL33_KEY_CERT_NAME		"bl33_key.crt"
+#define BL31_CERT_NAME			"bl31.crt"
+#define BL32_CERT_NAME			"bl32.crt"
+#define BL33_CERT_NAME			"bl33.crt"
+#endif /* TRUSTED_BOARD_BOOT */
 
 /* IO devices */
 static const io_dev_connector_t *sh_dev_con;
 static uintptr_t sh_dev_handle;
 
+static const io_file_spec_t sh_file_spec[] = {
+	[BL2_IMAGE_ID] = {
+		.path = BL2_IMAGE_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL31_IMAGE_ID] = {
+		.path = BL31_IMAGE_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL32_IMAGE_ID] = {
+		.path = BL32_IMAGE_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL33_IMAGE_ID] = {
+		.path = BL33_IMAGE_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+#if TRUSTED_BOARD_BOOT
+	[BL2_CERT_ID] = {
+		.path = BL2_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[TRUSTED_KEY_CERT_ID] = {
+		.path = TRUSTED_KEY_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL31_KEY_CERT_ID] = {
+		.path = BL31_KEY_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL32_KEY_CERT_ID] = {
+		.path = BL32_KEY_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL33_KEY_CERT_ID] = {
+		.path = BL33_KEY_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL31_CERT_ID] = {
+		.path = BL31_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL32_CERT_ID] = {
+		.path = BL32_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+	[BL33_CERT_ID] = {
+		.path = BL33_CERT_NAME,
+		.mode = FOPEN_MODE_RB
+	},
+#endif /* TRUSTED_BOARD_BOOT */
+};
+
 
 static int open_semihosting(const uintptr_t spec)
 {
@@ -75,13 +147,17 @@ void plat_arm_io_setup(void)
 	(void)io_result;
 }
 
-int plat_arm_get_alt_image_source(
-	const uintptr_t image_spec,
-	uintptr_t *dev_handle)
+/*
+ * FVP provides semihosting as an alternative to load images
+ */
+int plat_arm_get_alt_image_source(unsigned int image_id, uintptr_t *dev_handle,
+				  uintptr_t *image_spec)
 {
-	int result = open_semihosting(image_spec);
-	if (result == IO_SUCCESS)
+	int result = open_semihosting((const uintptr_t)&sh_file_spec[image_id]);
+	if (result == IO_SUCCESS) {
 		*dev_handle = sh_dev_handle;
+		*image_spec = (uintptr_t)&sh_file_spec[image_id];
+	}
 
 	return result;
 }

plat/arm/board/fvp/platform.mk

@@ -29,12 +29,10 @@
 #
 
 
-PLAT_INCLUDES		:=	-Iinclude/plat/arm/board/common			\
-				-Iplat/arm/board/fvp/include
+PLAT_INCLUDES		:=	-Iplat/arm/board/fvp/include
 
 
-PLAT_BL_COMMON_SOURCES	:=	drivers/arm/pl011/pl011_console.S		\
-				plat/arm/board/fvp/aarch64/fvp_common.c
+PLAT_BL_COMMON_SOURCES	:=	plat/arm/board/fvp/aarch64/fvp_common.c
 
 BL1_SOURCES		+=	drivers/io/io_semihosting.c			\
 				lib/cpus/aarch64/aem_generic.S			\
@@ -65,10 +63,5 @@ BL31_SOURCES		+=	lib/cpus/aarch64/aem_generic.S			\
 				plat/arm/board/fvp/aarch64/fvp_helpers.S	\
 				plat/arm/board/fvp/drivers/pwrc/fvp_pwrc.c
 
-ifneq (${TRUSTED_BOARD_BOOT},0)
-  BL1_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c
-  BL2_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c
-endif
-
-
+include plat/arm/board/common/board_common.mk
 include plat/arm/common/arm_common.mk

plat/arm/board/juno/platform.mk

@@ -40,7 +40,6 @@ BL2_SOURCES		+=	plat/arm/board/juno/juno_security.c	\
 BL31_SOURCES		+=	lib/cpus/aarch64/cortex_a53.S		\
 				lib/cpus/aarch64/cortex_a57.S
 
-
 # Enable workarounds for selected Cortex-A57 erratas.
 ERRATA_A57_806969	:=	0
 ERRATA_A57_813420	:=	1
@@ -53,3 +52,7 @@ include plat/arm/board/common/board_css.mk
 include plat/arm/common/arm_common.mk
 include plat/arm/soc/common/soc_css.mk
 include plat/arm/css/common/css_common.mk
+
+ifeq (${KEY_ALG},ecdsa)
+    $(error "ECDSA key algorithm is not fully supported on Juno.")
+endif

plat/arm/common/arm_common.mk

@@ -46,7 +46,8 @@ endif
 # Process flags
 $(eval $(call add_define,ARM_TSP_RAM_LOCATION_ID))
 
-PLAT_INCLUDES		+=	-Iinclude/plat/arm/common			\
+PLAT_INCLUDES		+=	-Iinclude/common/tbbr				\
+				-Iinclude/plat/arm/common			\
 				-Iinclude/plat/arm/common/aarch64
 
 
@@ -83,3 +84,31 @@ BL31_SOURCES		+=	drivers/arm/cci/cci.c				\
 				plat/arm/common/arm_topology.c			\
 				plat/common/plat_gic.c				\
 				plat/common/aarch64/platform_mp_stack.S
+
+ifneq (${TRUSTED_BOARD_BOOT},0)
+
+    # By default, ARM platforms use RSA keys
+    KEY_ALG		:=	rsa
+
+    # Include common TBB sources
+    AUTH_SOURCES	:=	drivers/auth/auth_mod.c				\
+    				drivers/auth/crypto_mod.c			\
+    				drivers/auth/img_parser_mod.c			\
+    				drivers/auth/tbbr/tbbr_cot.c			\
+
+    BL1_SOURCES		+=	${AUTH_SOURCES}
+    BL2_SOURCES		+=	${AUTH_SOURCES}
+
+    MBEDTLS_KEY_ALG	:=	${KEY_ALG}
+
+    # We expect to locate the *.mk files under the directories specified below
+    CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
+    IMG_PARSER_LIB_MK := drivers/auth/mbedtls/mbedtls_x509.mk
+
+    $(info Including ${CRYPTO_LIB_MK})
+    include ${CRYPTO_LIB_MK}
+
+    $(info Including ${IMG_PARSER_LIB_MK})
+    include ${IMG_PARSER_LIB_MK}
+
+endif

plat/arm/common/arm_io_storage.c

@@ -28,13 +28,14 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <assert.h>
+#include <bl_common.h>		/* For ARRAY_SIZE */
 #include <debug.h>
+#include <firmware_image_package.h>
 #include <io_driver.h>
 #include <io_fip.h>
 #include <io_memmap.h>
 #include <io_storage.h>
 #include <platform_def.h>
-#include <semihosting.h>	/* For FOPEN_MODE_... */
 #include <string.h>
 
 /* IO devices */
@@ -48,179 +49,162 @@ static const io_block_spec_t fip_block_spec = {
 	.length = PLAT_ARM_FIP_MAX_SIZE
 };
 
-static const io_file_spec_t bl2_file_spec = {
-	.path = BL2_IMAGE_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl2_uuid_spec = {
+	.uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2,
 };
 
-static const io_file_spec_t bl30_file_spec = {
-	.path = BL30_IMAGE_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl30_uuid_spec = {
+	.uuid = UUID_SCP_FIRMWARE_BL30,
 };
 
-static const io_file_spec_t bl31_file_spec = {
-	.path = BL31_IMAGE_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl31_uuid_spec = {
+	.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31,
 };
 
-static const io_file_spec_t bl32_file_spec = {
-	.path = BL32_IMAGE_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl32_uuid_spec = {
+	.uuid = UUID_SECURE_PAYLOAD_BL32,
 };
 
-static const io_file_spec_t bl33_file_spec = {
-	.path = BL33_IMAGE_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl33_uuid_spec = {
+	.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33,
 };
 
 #if TRUSTED_BOARD_BOOT
-static const io_file_spec_t bl2_cert_file_spec = {
-	.path = BL2_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl2_cert_uuid_spec = {
+	.uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT,
 };
 
-static const io_file_spec_t trusted_key_cert_file_spec = {
-	.path = TRUSTED_KEY_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t trusted_key_cert_uuid_spec = {
+	.uuid = UUID_TRUSTED_KEY_CERT,
 };
 
-static const io_file_spec_t bl30_key_cert_file_spec = {
-	.path = BL30_KEY_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl30_key_cert_uuid_spec = {
+	.uuid = UUID_SCP_FIRMWARE_BL30_KEY_CERT,
 };
 
-static const io_file_spec_t bl31_key_cert_file_spec = {
-	.path = BL31_KEY_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl31_key_cert_uuid_spec = {
+	.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT,
 };
 
-static const io_file_spec_t bl32_key_cert_file_spec = {
-	.path = BL32_KEY_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl32_key_cert_uuid_spec = {
+	.uuid = UUID_SECURE_PAYLOAD_BL32_KEY_CERT,
 };
 
-static const io_file_spec_t bl33_key_cert_file_spec = {
-	.path = BL33_KEY_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl33_key_cert_uuid_spec = {
+	.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT,
 };
 
-static const io_file_spec_t bl30_cert_file_spec = {
-	.path = BL30_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl30_cert_uuid_spec = {
+	.uuid = UUID_SCP_FIRMWARE_BL30_CERT,
 };
 
-static const io_file_spec_t bl31_cert_file_spec = {
-	.path = BL31_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl31_cert_uuid_spec = {
+	.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT,
 };
 
-static const io_file_spec_t bl32_cert_file_spec = {
-	.path = BL32_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl32_cert_uuid_spec = {
+	.uuid = UUID_SECURE_PAYLOAD_BL32_CERT,
 };
 
-static const io_file_spec_t bl33_cert_file_spec = {
-	.path = BL33_CERT_NAME,
-	.mode = FOPEN_MODE_RB
+static const io_uuid_spec_t bl33_cert_uuid_spec = {
+	.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_CERT,
 };
 #endif /* TRUSTED_BOARD_BOOT */
 
+
 static int open_fip(const uintptr_t spec);
 static int open_memmap(const uintptr_t spec);
 
 struct plat_io_policy {
-	const char *image_name;
 	uintptr_t *dev_handle;
 	uintptr_t image_spec;
 	int (*check)(const uintptr_t spec);
 };
 
+/* By default, ARM platforms load images from the FIP */
 static const struct plat_io_policy policies[] = {
-	{
-		FIP_IMAGE_NAME,
+	[FIP_IMAGE_ID] = {
 		&memmap_dev_handle,
 		(uintptr_t)&fip_block_spec,
 		open_memmap
-	}, {
-		BL2_IMAGE_NAME,
+	},
+	[BL2_IMAGE_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl2_file_spec,
+		(uintptr_t)&bl2_uuid_spec,
 		open_fip
-	}, {
-		BL30_IMAGE_NAME,
+	},
+	[BL30_IMAGE_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl30_file_spec,
+		(uintptr_t)&bl30_uuid_spec,
 		open_fip
-	}, {
-		BL31_IMAGE_NAME,
+	},
+	[BL31_IMAGE_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl31_file_spec,
+		(uintptr_t)&bl31_uuid_spec,
 		open_fip
-	}, {
-		BL32_IMAGE_NAME,
+	},
+	[BL32_IMAGE_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl32_file_spec,
+		(uintptr_t)&bl32_uuid_spec,
 		open_fip
-	}, {
-		BL33_IMAGE_NAME,
+	},
+	[BL33_IMAGE_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl33_file_spec,
+		(uintptr_t)&bl33_uuid_spec,
 		open_fip
-	}, {
+	},
 #if TRUSTED_BOARD_BOOT
-		BL2_CERT_NAME,
+	[BL2_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl2_cert_file_spec,
+		(uintptr_t)&bl2_cert_uuid_spec,
 		open_fip
-	}, {
-		TRUSTED_KEY_CERT_NAME,
+	},
+	[TRUSTED_KEY_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&trusted_key_cert_file_spec,
+		(uintptr_t)&trusted_key_cert_uuid_spec,
 		open_fip
-	}, {
-		BL30_KEY_CERT_NAME,
+	},
+	[BL30_KEY_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl30_key_cert_file_spec,
+		(uintptr_t)&bl30_key_cert_uuid_spec,
 		open_fip
-	}, {
-		BL31_KEY_CERT_NAME,
+	},
+	[BL31_KEY_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl31_key_cert_file_spec,
+		(uintptr_t)&bl31_key_cert_uuid_spec,
 		open_fip
-	}, {
-		BL32_KEY_CERT_NAME,
+	},
+	[BL32_KEY_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl32_key_cert_file_spec,
+		(uintptr_t)&bl32_key_cert_uuid_spec,
 		open_fip
-	}, {
-		BL33_KEY_CERT_NAME,
+	},
+	[BL33_KEY_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl33_key_cert_file_spec,
+		(uintptr_t)&bl33_key_cert_uuid_spec,
 		open_fip
-	}, {
-		BL30_CERT_NAME,
+	},
+	[BL30_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl30_cert_file_spec,
+		(uintptr_t)&bl30_cert_uuid_spec,
 		open_fip
-	}, {
-		BL31_CERT_NAME,
+	},
+	[BL31_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl31_cert_file_spec,
+		(uintptr_t)&bl31_cert_uuid_spec,
 		open_fip
-	}, {
-		BL32_CERT_NAME,
+	},
+	[BL32_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl32_cert_file_spec,
+		(uintptr_t)&bl32_cert_uuid_spec,
 		open_fip
-	}, {
-		BL33_CERT_NAME,
+	},
+	[BL33_CERT_ID] = {
 		&fip_dev_handle,
-		(uintptr_t)&bl33_cert_file_spec,
+		(uintptr_t)&bl33_cert_uuid_spec,
 		open_fip
-	}, {
+	},
 #endif /* TRUSTED_BOARD_BOOT */
-		0, 0, 0
-	}
 };
 
 
@@ -235,7 +219,7 @@ static int open_fip(const uintptr_t spec)
 	uintptr_t local_image_handle;
 
 	/* See if a Firmware Image Package is available */
-	result = io_dev_init(fip_dev_handle, (uintptr_t)FIP_IMAGE_NAME);
+	result = io_dev_init(fip_dev_handle, (uintptr_t)FIP_IMAGE_ID);
 	if (result == IO_SUCCESS) {
 		result = io_open(fip_dev_handle, spec, &local_image_handle);
 		if (result == IO_SUCCESS) {
@@ -293,8 +277,9 @@ void plat_arm_io_setup(void)
 }
 
 int plat_arm_get_alt_image_source(
-	const uintptr_t image_spec __attribute__((unused)),
-	uintptr_t *dev_handle __attribute__((unused)))
+	unsigned int image_id __attribute__((unused)),
+	uintptr_t *dev_handle __attribute__((unused)),
+	uintptr_t *image_spec __attribute__((unused)))
 {
 	/* By default do not try an alternative */
 	return IO_FAIL;
@@ -302,36 +287,24 @@ int plat_arm_get_alt_image_source(
 
 /* Return an IO device handle and specification which can be used to access
  * an image. Use this to enforce platform load policy */
-int plat_get_image_source(const char *image_name, uintptr_t *dev_handle,
+int plat_get_image_source(unsigned int image_id, uintptr_t *dev_handle,
 			  uintptr_t *image_spec)
 {
 	int result = IO_FAIL;
 	const struct plat_io_policy *policy;
 
-	if ((image_name != NULL) && (dev_handle != NULL) &&
-	    (image_spec != NULL)) {
-		policy = policies;
-		while (policy->image_name != NULL) {
-			if (strcmp(policy->image_name, image_name) == 0) {
-				result = policy->check(policy->image_spec);
-				if (result == IO_SUCCESS) {
-					*image_spec = policy->image_spec;
-					*dev_handle = *(policy->dev_handle);
-					break;
-				}
-				VERBOSE("Trying alternative IO\n");
-				result = plat_arm_get_alt_image_source(
-						policy->image_spec,
-						dev_handle);
-				if (result == IO_SUCCESS) {
-					*image_spec = policy->image_spec;
-					break;
-				}
-			}
-			policy++;
-		}
+	assert(image_id < ARRAY_SIZE(policies));
+
+	policy = &policies[image_id];
+	result = policy->check(policy->image_spec);
+	if (result == IO_SUCCESS) {
+		*image_spec = policy->image_spec;
+		*dev_handle = *(policy->dev_handle);
 	} else {
-		result = IO_FAIL;
+		VERBOSE("Trying alternative IO\n");
+		result = plat_arm_get_alt_image_source(image_id, dev_handle,
+						       image_spec);
 	}
+
 	return result;
 }

tools/cert_create/Makefile

@@ -33,6 +33,7 @@ PLAT		:= none
 V		:= 0
 DEBUG		:= 0
 BINARY		:= ${PROJECT}
+OPENSSL_DIR	:= /usr
 
 OBJECTS := src/cert.o \
            src/ext.o \
@@ -69,8 +70,8 @@ endif
 
 # Make soft links and include from local directory otherwise wrong headers
 # could get pulled in from firmware tree.
-INC_DIR := -I ./include -I ${PLAT_INCLUDE}
-LIB_DIR :=
+INC_DIR := -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include
+LIB_DIR := -L ${OPENSSL_DIR}/lib
 LIB := -lssl -lcrypto
 
 CC := gcc

tools/cert_create/include/ext.h

@@ -63,7 +63,8 @@ enum {
 };
 
 int ext_init(ext_t *tbb_ext);
-X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len);
+X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
+		unsigned char *buf, size_t len);
 X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
 X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
 

tools/cert_create/include/key.h

@@ -35,6 +35,21 @@
 
 #define RSA_KEY_BITS		2048
 
+/* Error codes */
+enum {
+	KEY_ERR_NONE,
+	KEY_ERR_MALLOC,
+	KEY_ERR_FILENAME,
+	KEY_ERR_OPEN,
+	KEY_ERR_LOAD
+};
+
+/* Supported key algorithms */
+enum {
+	KEY_ALG_RSA,
+	KEY_ALG_ECDSA
+};
+
 /*
  * This structure contains the relevant information to create the keys
  * required to sign the certificates.
@@ -50,8 +65,8 @@ typedef struct key_s {
 	EVP_PKEY *key;		/* Key container */
 } key_t;
 
-int key_new(key_t *key);
-int key_load(key_t *key);
+int key_create(key_t *key, int type);
+int key_load(key_t *key, unsigned int *err_code);
 int key_store(key_t *key);
 
 #endif /* KEY_H_ */

tools/cert_create/src/ext.c

@@ -31,13 +31,29 @@
 #include <stddef.h>
 #include <stdio.h>
 #include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "ext.h"
 
 DECLARE_ASN1_ITEM(ASN1_INTEGER)
+DECLARE_ASN1_ITEM(X509_ALGOR)
 DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
 
+typedef struct {
+	X509_ALGOR *hashAlgorithm;
+	ASN1_OCTET_STRING *dataHash;
+} HASH;
+
+ASN1_SEQUENCE(HASH) = {
+	ASN1_SIMPLE(HASH, hashAlgorithm, X509_ALGOR),
+	ASN1_SIMPLE(HASH, dataHash, ASN1_OCTET_STRING),
+} ASN1_SEQUENCE_END(HASH)
+
+DECLARE_ASN1_FUNCTIONS(HASH)
+IMPLEMENT_ASN1_FUNCTIONS(HASH)
+
 /*
  * This function adds the TBB extensions to the internal extension list
  * maintained by OpenSSL so they can be used later.
@@ -123,37 +139,85 @@ X509_EXTENSION *ext_new(int nid, int crit, unsigned char *data, int len)
 }
 
 /*
- * Creates a x509v3 extension containing a hash encapsulated in an ASN1 Octet
- * String
+ * Creates a x509v3 extension containing a hash
+ *
+ * DigestInfo ::= SEQUENCE {
+ *     digestAlgorithm  AlgorithmIdentifier,
+ *     digest           OCTET STRING
+ * }
+ *
+ * AlgorithmIdentifier ::=  SEQUENCE  {
+ *     algorithm        OBJECT IDENTIFIER,
+ *     parameters       ANY DEFINED BY algorithm OPTIONAL
+ * }
  *
  * Parameters:
- *   pex: OpenSSL extension pointer (output parameter)
  *   nid: extension identifier
  *   crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
+ *   md: hash algorithm
  *   buf: pointer to the buffer that contains the hash
  *   len: size of the hash in bytes
  *
  * Return: Extension address, NULL if error
  */
-X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len)
+X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
+		unsigned char *buf, size_t len)
 {
 	X509_EXTENSION *ex = NULL;
-	ASN1_OCTET_STRING *hash = NULL;
+	ASN1_OCTET_STRING *octet = NULL;
+	HASH *hash = NULL;
+	ASN1_OBJECT *algorithm = NULL;
+	X509_ALGOR *x509_algor = NULL;
 	unsigned char *p = NULL;
 	int sz = -1;
 
-	/* Encode Hash */
-	hash = ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(hash, buf, len);
-	sz = i2d_ASN1_OCTET_STRING(hash, NULL);
-	i2d_ASN1_OCTET_STRING(hash, &p);
+	/* OBJECT_IDENTIFIER with hash algorithm */
+	algorithm = OBJ_nid2obj(md->type);
+	if (algorithm == NULL) {
+		return NULL;
+	}
+
+	/* Create X509_ALGOR */
+	x509_algor = X509_ALGOR_new();
+	if (x509_algor == NULL) {
+		return NULL;
+	}
+	x509_algor->algorithm = algorithm;
+	x509_algor->parameter = ASN1_TYPE_new();
+	ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL);
+
+	/* OCTET_STRING with the actual hash */
+	octet = ASN1_OCTET_STRING_new();
+	if (octet == NULL) {
+		X509_ALGOR_free(x509_algor);
+		return NULL;
+	}
+	ASN1_OCTET_STRING_set(octet, buf, len);
+
+	/* HASH structure containing algorithm + hash */
+	hash = HASH_new();
+	if (hash == NULL) {
+		ASN1_OCTET_STRING_free(octet);
+		X509_ALGOR_free(x509_algor);
+		return NULL;
+	}
+	hash->hashAlgorithm = x509_algor;
+	hash->dataHash = octet;
+
+	/* DER encoded HASH */
+	sz = i2d_HASH(hash, &p);
+	if ((sz <= 0) || (p == NULL)) {
+		HASH_free(hash);
+		X509_ALGOR_free(x509_algor);
+		return NULL;
+	}
 
 	/* Create the extension */
 	ex = ext_new(nid, crit, p, sz);
 
 	/* Clean up */
 	OPENSSL_free(p);
-	ASN1_OCTET_STRING_free(hash);
+	HASH_free(hash);
 
 	return ex;
 }

tools/cert_create/src/key.c

@@ -46,41 +46,81 @@
 #define MAX_FILENAME_LEN		1024
 
 /*
- * Create a new key
+ * Create a new key container
  */
-int key_new(key_t *key)
+static int key_new(key_t *key)
 {
-	RSA *rsa = NULL;
-	EVP_PKEY *k = NULL;
-
 	/* Create key pair container */
-	k = EVP_PKEY_new();
-	if (k == NULL) {
+	key->key = EVP_PKEY_new();
+	if (key->key == NULL) {
 		return 0;
 	}
 
-	/* Generate a new RSA key */
-	rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL);
-	if (EVP_PKEY_assign_RSA(k, rsa)) {
-		key->key = k;
-		return 1;
-	} else {
-		printf("Cannot assign RSA key\n");
+	return 1;
+}
+
+int key_create(key_t *key, int type)
+{
+	RSA *rsa = NULL;
+	EC_KEY *ec = NULL;
+
+	/* Create OpenSSL key container */
+	if (!key_new(key)) {
+		goto err;
 	}
 
-	if (k)
-		EVP_PKEY_free(k);
+	switch (type) {
+	case KEY_ALG_RSA:
+		/* Generate a new RSA key */
+		rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL);
+		if (rsa == NULL) {
+			printf("Cannot create RSA key\n");
+			goto err;
+		}
+		if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
+			printf("Cannot assign RSA key\n");
+			goto err;
+		}
+		break;
+	case KEY_ALG_ECDSA:
+		/* Generate a new ECDSA key */
+		ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+		if (ec == NULL) {
+			printf("Cannot create EC key\n");
+			goto err;
+		}
+		if (!EC_KEY_generate_key(ec)) {
+			printf("Cannot generate EC key\n");
+			goto err;
+		}
+		EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
+		EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
+		if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
+			printf("Cannot assign EC key\n");
+			goto err;
+		}
+		break;
+	default:
+		goto err;
+	}
+
+	return 1;
+
+err:
+	RSA_free(rsa);
+	EC_KEY_free(ec);
+
 	return 0;
 }
 
-int key_load(key_t *key)
+int key_load(key_t *key, unsigned int *err_code)
 {
 	FILE *fp = NULL;
 	EVP_PKEY *k = NULL;
 
-	/* Create key pair container */
-	k = EVP_PKEY_new();
-	if (k == NULL) {
+	/* Create OpenSSL key container */
+	if (!key_new(key)) {
+		*err_code = KEY_ERR_MALLOC;
 		return 0;
 	}
 
@@ -88,24 +128,24 @@ int key_load(key_t *key)
 		/* Load key from file */
 		fp = fopen(key->fn, "r");
 		if (fp) {
-			k = PEM_read_PrivateKey(fp, &k, NULL, NULL);
+			k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
 			fclose(fp);
 			if (k) {
-				key->key = k;
+				*err_code = KEY_ERR_NONE;
 				return 1;
 			} else {
-				ERROR("Cannot read key from %s\n", key->fn);
+				ERROR("Cannot load key from %s\n", key->fn);
+				*err_code = KEY_ERR_LOAD;
 			}
 		} else {
-			ERROR("Cannot open file %s\n", key->fn);
+			WARN("Cannot open file %s\n", key->fn);
+			*err_code = KEY_ERR_OPEN;
 		}
 	} else {
-		ERROR("Key filename not specified\n");
+		WARN("Key filename not specified\n");
+		*err_code = KEY_ERR_FILENAME;
 	}
 
-	if (k)
-		EVP_PKEY_free(k);
-
 	return 0;
 }
 

tools/cert_create/src/main.c

@@ -80,6 +80,7 @@
 #define VAL_DAYS			7300
 #define ID_TO_BIT_MASK(id)		(1 << id)
 #define NVCOUNTER_VALUE			0
+#define NUM_ELEM(x)			((sizeof(x)) / (sizeof(x[0])))
 
 /* Files */
 enum {
@@ -112,6 +113,7 @@ enum {
 };
 
 /* Global options */
+static int key_alg;
 static int new_keys;
 static int save_keys;
 static int print_cert;
@@ -138,6 +140,11 @@ static char *strdup(const char *str)
 	return dup;
 }
 
+static const char *key_algs_str[] = {
+	[KEY_ALG_RSA] = "rsa",
+	[KEY_ALG_ECDSA] = "ecdsa"
+};
+
 /* Command line options */
 static const struct option long_opt[] = {
 	/* Binary images */
@@ -166,6 +173,7 @@ static const struct option long_opt[] = {
 	{"bl32-key", required_argument, 0, BL32_KEY_ID},
 	{"bl33-key", required_argument, 0, BL33_KEY_ID},
 	/* Common options */
+	{"key-alg", required_argument, 0, 'a'},
 	{"help", no_argument, 0, 'h'},
 	{"save-keys", no_argument, 0, 'k'},
 	{"new-chain", no_argument, 0, 'n'},
@@ -189,6 +197,7 @@ static void print_help(const char *cmd)
 		printf("        --%s <file>  \\\n", long_opt[i].name);
 	}
 	printf("\n");
+	printf("-a    Key algorithm: rsa (default), ecdsa\n");
 	printf("-h    Print help and exit\n");
 	printf("-k    Save key pairs into files. Filenames must be provided\n");
 	printf("-n    Generate new key pairs if no key files are provided\n");
@@ -198,8 +207,27 @@ static void print_help(const char *cmd)
 	exit(0);
 }
 
+static int get_key_alg(const char *key_alg_str)
+{
+	int i;
+
+	for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) {
+		if (0 == strcmp(key_alg_str, key_algs_str[i])) {
+			return i;
+		}
+	}
+
+	return -1;
+}
+
 static void check_cmd_params(void)
 {
+	/* Only save new keys */
+	if (save_keys && !new_keys) {
+		ERROR("Only new keys can be saved to disk\n");
+		exit(1);
+	}
+
 	/* BL2, BL31 and BL33 are mandatory */
 	if (certs[BL2_CERT].bin == NULL) {
 		ERROR("BL2 image not specified\n");
@@ -276,14 +304,19 @@ int main(int argc, char *argv[])
 	FILE *file = NULL;
 	int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
 	int c, opt_idx = 0;
+	unsigned int err_code;
 	unsigned char md[SHA256_DIGEST_LENGTH];
+	const EVP_MD *md_info;
 
 	NOTICE("CoT Generation Tool: %s\n", build_msg);
 	NOTICE("Target platform: %s\n", platform_msg);
 
+	/* Set default options */
+	key_alg = KEY_ALG_RSA;
+
 	while (1) {
 		/* getopt_long stores the option index here. */
-		c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx);
+		c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
 
 		/* Detect the end of the options. */
 		if (c == -1) {
@@ -291,6 +324,13 @@ int main(int argc, char *argv[])
 		}
 
 		switch (c) {
+		case 'a':
+			key_alg = get_key_alg(optarg);
+			if (key_alg < 0) {
+				ERROR("Invalid key algorithm '%s'\n", optarg);
+				exit(1);
+			}
+			break;
 		case 'h':
 			print_help(argv[0]);
 			break;
@@ -389,24 +429,50 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 
+	/* Indicate SHA256 as image hash algorithm in the certificate
+	 * extension */
+	md_info = EVP_sha256();
+
 	/* Get non-volatile counters NIDs */
 	CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
 	CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
 
 	/* Load private keys from files (or generate new ones) */
-	if (new_keys) {
-		for (i = 0 ; i < NUM_KEYS ; i++) {
-			if (!key_new(&keys[i])) {
-				ERROR("Error creating %s\n", keys[i].desc);
-				exit(1);
-			}
+	for (i = 0 ; i < NUM_KEYS ; i++) {
+		/* First try to load the key from disk */
+		if (key_load(&keys[i], &err_code)) {
+			/* Key loaded successfully */
+			continue;
 		}
-	} else {
-		for (i = 0 ; i < NUM_KEYS ; i++) {
-			if (!key_load(&keys[i])) {
-				ERROR("Error loading %s\n", keys[i].desc);
+
+		/* Key not loaded. Check the error code */
+		if (err_code == KEY_ERR_MALLOC) {
+			/* Cannot allocate memory. Abort. */
+			ERROR("Malloc error while loading '%s'\n", keys[i].fn);
+			exit(1);
+		} else if (err_code == KEY_ERR_LOAD) {
+			/* File exists, but it does not contain a valid private
+			 * key. Abort. */
+			ERROR("Error loading '%s'\n", keys[i].fn);
+			exit(1);
+		}
+
+		/* File does not exist, could not be opened or no filename was
+		 * given */
+		if (new_keys) {
+			/* Try to create a new key */
+			NOTICE("Creating new key for '%s'\n", keys[i].desc);
+			if (!key_create(&keys[i], key_alg)) {
+				ERROR("Error creating key '%s'\n", keys[i].desc);
 				exit(1);
 			}
+		} else {
+			if (err_code == KEY_ERR_OPEN) {
+				ERROR("Error opening '%s'\n", keys[i].fn);
+			} else {
+				ERROR("Key '%s' not specified\n", keys[i].desc);
+			}
+			exit(1);
 		}
 	}
 
@@ -430,7 +496,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 	CHECK_OID(hash_nid, BL2_HASH_OID);
-	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
 			SHA256_DIGEST_LENGTH));
 	sk_X509_EXTENSION_push(sk, hash_ext);
 
@@ -509,8 +575,8 @@ int main(int argc, char *argv[])
 			exit(1);
 		}
 		CHECK_OID(hash_nid, BL30_HASH_OID);
-		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
-				SHA256_DIGEST_LENGTH));
+		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
+				md, SHA256_DIGEST_LENGTH));
 		sk_X509_EXTENSION_push(sk, hash_ext);
 
 		if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
@@ -559,7 +625,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 	CHECK_OID(hash_nid, BL31_HASH_OID);
-	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
 			SHA256_DIGEST_LENGTH));
 	sk_X509_EXTENSION_push(sk, hash_ext);
 
@@ -612,8 +678,8 @@ int main(int argc, char *argv[])
 			exit(1);
 		}
 		CHECK_OID(hash_nid, BL32_HASH_OID);
-		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
-				SHA256_DIGEST_LENGTH));
+		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
+				md, SHA256_DIGEST_LENGTH));
 		sk_X509_EXTENSION_push(sk, hash_ext);
 
 		if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
@@ -662,7 +728,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 	CHECK_OID(hash_nid, BL33_HASH_OID);
-	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
 			SHA256_DIGEST_LENGTH));
 	sk_X509_EXTENSION_push(sk, hash_ext);