TRUSTED_KEY_CERT := ${BUILD_PLAT}/trusted_key.crt
FWU_CERT := ${BUILD_PLAT}/fwu_cert.crt
+# Default non-volatile counter values (overridable by the platform)
+TFW_NVCTR_VAL ?= 0
+NTFW_NVCTR_VAL ?= 0
+
+# Pass the non-volatile counters to the cert_create tool
+$(eval $(call CERT_ADD_CMD_OPT,${TFW_NVCTR_VAL},--tfw-nvctr))
+$(eval $(call CERT_ADD_CMD_OPT,${NTFW_NVCTR_VAL},--ntfw-nvctr))
+
# Add Trusted Key certificate to the fip_create and cert_create command line options
$(eval $(call FIP_ADD_PAYLOAD,${TRUSTED_KEY_CERT},--trusted-key-cert))
$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_KEY_CERT},--trusted-key-cert))
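Review bot: The comment above `TFW_NVCTR_VAL ?= 0` says the defaults are overridable but not what the value represents or what form it must take, which is what a platform maintainer needs to know before changing it. The values go straight to cert_create as `--tfw-nvctr`/`--ntfw-nvctr` and end up as the NV-counter extensions in the certificates, presumably for the boot-time anti-rollback comparison, so suggest `# Non-volatile counter values embedded in the certificates (non-negative integers); platforms raise these when older images must no longer be accepted`. The tool side currently converts the string with atoi(), so a non-numeric value set here silently yields counter 0; stating the expected form in the comment is therefore worth the line.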
#include <openssl/x509v3.h>
/* Extension types supported */
-enum {
+enum ext_type_e {
EXT_TYPE_NVCOUNTER,
EXT_TYPE_PKEY,
EXT_TYPE_HASH
};
+/* NV-Counter types */
+enum nvctr_type_e {
+ NVCTR_TYPE_TFW,
+ NVCTR_TYPE_NTFW
+};
+
/*
* This structure contains the relevant information to create the extensions
* to be included in the certificates. This extensions will be used to
const char *oid; /* OID of the extension */
const char *sn; /* Short name */
const char *ln; /* Long description */
+ const char *opt; /* Command line option to specify data */
const char *help_msg; /* Help message */
+ const char *arg; /* Argument passed from command line */
int asn1_type; /* OpenSSL ASN1 type of the extension data.
* Supported types are:
* - V_ASN1_INTEGER
* - V_ASN1_OCTET_STRING
*/
- int type;
- const char *opt; /* Command line option to specify data */
- /* Extension data (depends on extension type) */
+ int type; /* See ext_type_e */
+
+ /* Extension attributes (depends on extension type) */
union {
- const char *fn; /* File with extension data */
- int nvcounter; /* Non volatile counter */
- int key; /* Public key */
- } data;
+ int nvctr_type; /* See nvctr_type_e */
+ int key; /* Index into array of registered public keys */
+ } attr;
int alias; /* In case OpenSSL provides an standard
* extension of the same type, add the new
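Review bot: The new `arg` field's comment, "Argument passed from command line", does not say what the string holds, which now varies by extension type: later code parses it with atoi() for EXT_TYPE_NVCOUNTER and passes it to sha_file() as a path for EXT_TYPE_HASH, and it is NULL when the option was not given. Suggest `const char *arg; /* Command line argument, or NULL if not given: counter value (EXT_TYPE_NVCOUNTER) or image file path (EXT_TYPE_HASH) */`. Separately, `type` and `attr.nvctr_type` are kept as `int` with a "See ext_type_e" comment; declaring them as `enum ext_type_e type;` and `enum nvctr_type_e nvctr_type;` lets the compiler warn on unhandled enumerators in the `switch (ext->type)` blocks instead of relying on the comment. The struct definition starts before and ends after this hunk.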
for (j = 0; j < cert->num_ext; j++) {
ext = &extensions[cert->ext[j]];
switch (ext->type) {
+ case EXT_TYPE_NVCOUNTER:
+ /* Counter value must be specified */
+ if ((!ext->optional) && (ext->arg == NULL)) {
+ ERROR("Value for '%s' not specified\n",
+ ext->ln);
+ exit(1);
+ }
+ break;
case EXT_TYPE_PKEY:
/* Key filename must be specified */
- key = &keys[ext->data.key];
+ key = &keys[ext->attr.key];
if (!new_keys && key->fn == NULL) {
ERROR("Key '%s' required by '%s' not "
"specified\n", key->desc,
* Binary image must be specified
* unless it is explicitly made optional.
*/
- if ((!ext->optional) && (ext->data.fn == NULL)) {
+ if ((!ext->optional) && (ext->arg == NULL)) {
ERROR("Image for '%s' not specified\n",
ext->ln);
exit(1);
}
break;
default:
- ERROR("Unknown extension type in '%s'\n",
- ext->ln);
+ ERROR("Unknown extension type '%d' in '%s'\n",
+ ext->type, ext->ln);
exit(1);
break;
}
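Review bot: The new EXT_TYPE_NVCOUNTER check only verifies that a value was supplied, not that it is a valid non-negative integer; the value is later converted with `nvctr = atoi(ext->arg)` (the hunk at the certificate-building `switch (ext->type)`), so a mistyped or non-numeric `--tfw-nvctr`/`--ntfw-nvctr` silently becomes 0 and the certificate is emitted with a lower counter than intended, with no error. Because this is the counter the certificate carries (presumably consumed by the boot-time rollback check), the value should be validated here with strtol(): reject an empty string, trailing characters, negatives, overflow and values above INT_MAX (needs `<limits.h>` and `<errno.h>` if the file does not already include them). Once validated here, the atoi() at the conversion site can stay or become `(int)strtol(ext->arg, NULL, 10)`. The enclosing check function starts before and continues after this hunk.
```c
		case EXT_TYPE_NVCOUNTER:
			/* Counter value must be specified and be a non-negative decimal */
			if ((!ext->optional) && (ext->arg == NULL)) {
				ERROR("Value for '%s' not specified\n",
						ext->ln);
				exit(1);
			}
			if (ext->arg != NULL) {
				char *end;
				long val;

				errno = 0;
				val = strtol(ext->arg, &end, 10);
				if ((*ext->arg == '\0') || (*end != '\0') ||
				    (errno != 0) || (val < 0) || (val > INT_MAX)) {
					ERROR("Invalid value '%s' for '%s'\n",
							ext->arg, ext->ln);
					exit(1);
				}
			}
			break;
		/* … unchanged: EXT_TYPE_PKEY, EXT_TYPE_HASH and default cases … */
```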
key_t *key = NULL;
cert_t *cert = NULL;
FILE *file = NULL;
- int i, j, ext_nid;
+ int i, j, ext_nid, nvctr;
int c, opt_idx = 0;
const struct option *cmd_opt;
const char *cur_opt;
case CMD_OPT_EXT:
cur_opt = cmd_opt_get_name(opt_idx);
ext = ext_get_by_opt(cur_opt);
- ext->data.fn = strdup(optarg);
+ ext->arg = strdup(optarg);
break;
case CMD_OPT_KEY:
cur_opt = cmd_opt_get_name(opt_idx);
*/
switch (ext->type) {
case EXT_TYPE_NVCOUNTER:
+ nvctr = atoi(ext->arg);
CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
- EXT_CRIT, ext->data.nvcounter));
+ EXT_CRIT, nvctr));
break;
case EXT_TYPE_HASH:
- if (ext->data.fn == NULL) {
+ if (ext->arg == NULL) {
if (ext->optional) {
/* Include a hash filled with zeros */
memset(md, 0x0, SHA256_DIGEST_LENGTH);
}
} else {
/* Calculate the hash of the file */
- if (!sha_file(ext->data.fn, md)) {
+ if (!sha_file(ext->arg, md)) {
ERROR("Cannot calculate hash of %s\n",
- ext->data.fn);
+ ext->arg);
exit(1);
}
}
break;
case EXT_TYPE_PKEY:
CHECK_NULL(cert_ext, ext_new_key(ext_nid,
- EXT_CRIT, keys[ext->data.key].key));
+ EXT_CRIT, keys[ext->attr.key].key));
break;
default:
- ERROR("Unknown extension type in %s\n",
- cert->cn);
+ ERROR("Unknown extension type '%d' in %s\n",
+ ext->type, cert->cn);
exit(1);
}
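Review bot: `nvctr = atoi(ext->arg)` dereferences `ext->arg` unconditionally, but the earlier presence check lets `arg` stay NULL when an NV-counter extension is marked `optional`, so an optional counter extension that is not given on the command line would reach atoi(NULL) here (undefined behaviour) instead of being handled like the optional HASH case below, which substitutes zeros. No tbb_ext counter entry currently sets `.optional`, so this is latent, but the case should be closed explicitly: either `if (ext->arg == NULL) { ERROR("No value for '%s'\n", ext->ln); exit(1); }` before the conversion, or a documented default of 0 mirroring the HASH branch. The enclosing function starts before and ends after this hunk.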
.key = ROT_KEY,
.issuer = TRUSTED_BOOT_FW_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_BOOT_FW_HASH_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[TRUSTED_KEY_CERT] = {
.id = TRUSTED_KEY_CERT,
.key = ROT_KEY,
.issuer = TRUSTED_KEY_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_WORLD_PK_EXT,
NON_TRUSTED_WORLD_PK_EXT
},
- .num_ext = 2
+ .num_ext = 3
},
[SCP_FW_KEY_CERT] = {
.id = SCP_FW_KEY_CERT,
.key = TRUSTED_WORLD_KEY,
.issuer = SCP_FW_KEY_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
SCP_FW_CONTENT_CERT_PK_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[SCP_FW_CONTENT_CERT] = {
.id = SCP_FW_CONTENT_CERT,
.key = SCP_FW_CONTENT_CERT_KEY,
.issuer = SCP_FW_CONTENT_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
SCP_FW_HASH_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[SOC_FW_KEY_CERT] = {
.id = SOC_FW_KEY_CERT,
.key = TRUSTED_WORLD_KEY,
.issuer = SOC_FW_KEY_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
SOC_FW_CONTENT_CERT_PK_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[SOC_FW_CONTENT_CERT] = {
.id = SOC_FW_CONTENT_CERT,
.key = SOC_FW_CONTENT_CERT_KEY,
.issuer = SOC_FW_CONTENT_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
SOC_AP_FW_HASH_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[TRUSTED_OS_FW_KEY_CERT] = {
.id = TRUSTED_OS_FW_KEY_CERT,
.key = TRUSTED_WORLD_KEY,
.issuer = TRUSTED_OS_FW_KEY_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[TRUSTED_OS_FW_CONTENT_CERT] = {
.id = TRUSTED_OS_FW_CONTENT_CERT,
.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.issuer = TRUSTED_OS_FW_CONTENT_CERT,
.ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_OS_FW_HASH_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[NON_TRUSTED_FW_KEY_CERT] = {
.id = NON_TRUSTED_FW_KEY_CERT,
.key = NON_TRUSTED_WORLD_KEY,
.issuer = NON_TRUSTED_FW_KEY_CERT,
.ext = {
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[NON_TRUSTED_FW_CONTENT_CERT] = {
.id = NON_TRUSTED_FW_CONTENT_CERT,
.key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.issuer = NON_TRUSTED_FW_CONTENT_CERT,
.ext = {
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
},
- .num_ext = 1
+ .num_ext = 2
},
[FWU_CERT] = {
.id = FWU_CERT,
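Review bot: Each certificate's `.num_ext` is bumped by hand alongside the new `TRUSTED_FW_NVCOUNTER_EXT`/`NON_TRUSTED_FW_NVCOUNTER_EXT` entry; the ten counts here look correct, but the extension loop iterates `j < cert->num_ext`, so a count left one too small would silently drop the counter extension from that certificate with no build error or warning. Consider deriving the count from the initializer or terminating the `.ext` list with a sentinel so the table cannot disagree with itself, or at least adding a comment on the struct that `num_ext` must equal the number of initialized `ext` entries. FWU_CERT's extension list lies outside this hunk, so whether it carries a counter cannot be judged here.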
static ext_t tbb_ext[] = {
[TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "tfw-nvctr",
+ .help_msg = "Trusted Firmware Non-Volatile counter value",
.sn = "TrustedWorldNVCounter",
.ln = "Trusted World Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
- .data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE
+ .attr.nvctr_type = NVCTR_TYPE_TFW
},
[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "ntfw-nvctr",
+ .help_msg = "Non-Trusted Firmware Non-Volatile counter value",
.sn = "NormalWorldNVCounter",
- .ln = "Normal World Non-Volatile counter",
+ .ln = "Non-Trusted Firmware Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
- .data.nvcounter = NORMAL_WORLD_NVCTR_VALUE
+ .attr.nvctr_type = NVCTR_TYPE_NTFW
},
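Review bot: `.ln` and the new `.help_msg` for NON_TRUSTED_FW_NVCOUNTER_EXT now say "Non-Trusted Firmware", but `.sn` is still `"NormalWorldNVCounter"`, so the short and long names of the same extension disagree. If `.sn` is registered as the OpenSSL object short name and kept for compatibility (not visible in this hunk), a one-line comment saying so would stop the next reader from "fixing" it; otherwise rename it to match, e.g. `.sn = "NonTrustedFirmwareNVCounter",`. Neither counter entry sets `.optional`, which makes both counters mandatory; since the Makefile defaults them to 0 but anyone running the tool by hand must pass both, saying so in the help text would avoid a confusing "not specified" failure.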
[TRUSTED_BOOT_FW_HASH_EXT] = {
.oid = TRUSTED_BOOT_FW_HASH_OID,
.ln = "Trusted World Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
- .data.key = TRUSTED_WORLD_KEY
+ .attr.key = TRUSTED_WORLD_KEY
},
[NON_TRUSTED_WORLD_PK_EXT] = {
.oid = NON_TRUSTED_WORLD_PK_OID,
.ln = "Non-Trusted World Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
- .data.key = NON_TRUSTED_WORLD_KEY
+ .attr.key = NON_TRUSTED_WORLD_KEY
},
[SCP_FW_CONTENT_CERT_PK_EXT] = {
.oid = SCP_FW_CONTENT_CERT_PK_OID,
.ln = "SCP Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
- .data.key = SCP_FW_CONTENT_CERT_KEY
+ .attr.key = SCP_FW_CONTENT_CERT_KEY
},
[SCP_FW_HASH_EXT] = {
.oid = SCP_FW_HASH_OID,
.ln = "SoC Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
- .data.key = SOC_FW_CONTENT_CERT_KEY
+ .attr.key = SOC_FW_CONTENT_CERT_KEY
},
[SOC_AP_FW_HASH_EXT] = {
.oid = SOC_AP_FW_HASH_OID,
.ln = "Trusted OS Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
- .data.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
+ .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
},
[TRUSTED_OS_FW_HASH_EXT] = {
.oid = TRUSTED_OS_FW_HASH_OID,
.ln = "Non-Trusted Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
- .data.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
+ .attr.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
},
[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,