1. 23 Oct, 2015 2 commits
    • Juan Castillo's avatar
      cert_create: specify command line options in the CoT · ad2c1a9a
      Juan Castillo authored
      This patch introduces a new API that allows to specify command
      line options in the Chain of Trust description. These command line
      options may be used to specify parameters related to the CoT (i.e.
      keys or certificates), instead of keeping a hardcoded list of
      options in main.c.
      
      Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
      ad2c1a9a
    • Juan Castillo's avatar
      cert_create: improve command line argument check · dfc90e26
      Juan Castillo authored
      The certificate generation tool currently checks if all command
      line options required to create all certificates in the CoT have
      been specified. This prevents using the tool to create individual
      certificates when the whole CoT is not required.
      
      This patch improves the checking function so only those options
      required by the certificates specified in the command line are
      verified.
      
      Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
      dfc90e26
  2. 16 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: rework cert_create tool to follow a data driven approach · 55e291a4
      Juan Castillo authored
      This patch reworks the certificate generation tool to follow a data
      driven approach. The user may specify at build time the certificates,
      keys and extensions defined in the CoT, register them using the
      appropiate macros and the tool will take care of creating the
      certificates corresponding to the CoT specified.
      
      Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
      55e291a4
  3. 01 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: build 'cert_create' with ECDSA only if OpenSSL supports it · ed2a76ea
      Juan Castillo authored
      Some Linux distributions include an OpenSSL library which has been
      built without ECDSA support. Trying to build the certificate
      generation tool on those distributions will result in a build error.
      
      This patch fixes that issue by including ECDSA support only if
      OpenSSL has been built with ECDSA. In that case, the OpenSSL
      configuration file does not define the OPENSSL_NO_EC macro. The tool
      will build successfully, although the resulting binary will not
      support ECDSA keys.
      
      Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
      ed2a76ea
  4. 25 Jun, 2015 2 commits
    • Juan Castillo's avatar
      TBB: add ECDSA support to the certificate generation tool · ccbf890e
      Juan Castillo authored
      This patch extends the 'cert_create' tool to support ECDSA keys
      to sign the certificates. The '--key-alg' command line option
      can be used to specify the key algorithm when invoking the tool.
      Available options are:
      
          * 'rsa': create RSA-2048 keys (default option)
          * 'ecdsa': create ECDSA-SECP256R1 keys
      
      The TF Makefile has been updated to allow the platform to specify
      the key algorithm by declaring the 'KEY_ALG' variable in the
      platform makefile.
      
      The behaviour regarding key management has changed. After applying
      this patch, the tool will try first to open the keys from disk. If
      one key does not exist or no key is specified, and the command line
      option to create keys has been specified, new keys will be created.
      Otherwise an error will be generated and the tool will exit. This
      way, the user may specify certain keys while the tool will create
      the remaining ones. This feature is useful for testing purposes
      and CI infrastructures.
      
      The OpenSSL directory may be specified using the build option
      'OPENSSL_DIR' when building the certificate generation tool.
      Default is '/usr'.
      
      Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
      ccbf890e
    • Juan Castillo's avatar
      TBB: use ASN.1 type DigestInfo to represent hashes · c3da66b1
      Juan Castillo authored
      The cert_create tool calculates the hash of each BL image and includes
      it as an ASN.1 OCTET STRING in the corresponding certificate extension.
      Without additional information, the firmware running on the platform
      has to know in advance the algorithm used to generate the hash.
      
      This patch modifies the cert_create tool so the certificate extensions
      that include an image hash are generated according to the following
      ASN.1 structure:
      
          DigestInfo ::= SEQUENCE {
              digestAlgorithm  AlgorithmIdentifier,
              digest           OCTET STRING
          }
      
          AlgorithmIdentifier ::=  SEQUENCE  {
              algorithm        OBJECT IDENTIFIER,
              parameters       ANY DEFINED BY algorithm OPTIONAL
          }
      
      The PolarSSL module has been updated to extract the image hash
      from the certificate extension according to this structure.
      
      Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
      c3da66b1
  5. 28 Jan, 2015 1 commit
    • Juan Castillo's avatar
      TBB: add tool to generate certificates · 6f971622
      Juan Castillo authored
      This patch adds a tool that generates all the necessary elements
      to establish the chain of trust (CoT) between the images.
      
      The tool reads the binary images and signing keys and outputs the
      corresponding certificates that will be used by the target at run
      time to verify the authenticity of the images.
      
      Note: the platform port must provide the file platform_oid.h. This
      file will define the OIDs of the x509 extensions that will be added
      to the certificates in order to establish the CoT.
      
      Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
      6f971622