X509V3_EXT_METHOD method; /* This field may be used to define a custom
* function to print the contents of the
* extension */
+
+ int optional; /* This field may be used optionally to exclude an image */
} ext_t;
enum {
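Review bot: The comment on the new `optional` field says it is used "to exclude an image", but the hash-generation hunk on this page does not drop the extension. An optional extension with no file is still added to the certificate, carrying a zero-filled hash. I would reword it to `int optional; /* Non-zero: the image file may be omitted; its hash extension is then emitted filled with zeros */`. The field is only tested for truthiness in the new code, so stating the expected values (0 or 1) in the same comment would help. The struct definition starts outside the hunk.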
BL32_KEY_CERT,
BL32_CERT,
BL33_KEY_CERT,
- BL33_CERT
+ BL33_CERT,
+ FWU_CERT
};
#endif /* TBB_CERT_H_ */
BL32_CONTENT_CERT_PK_EXT,
BL32_HASH_EXT,
BL33_CONTENT_CERT_PK_EXT,
- BL33_HASH_EXT
+ BL33_HASH_EXT,
+ SCP_BL2U_HASH_EXT,
+ BL2U_HASH_EXT,
+ NS_BL2U_HASH_EXT
};
#endif /* TBB_EXT_H_ */
}
break;
case EXT_TYPE_HASH:
- /* Binary image must be specified */
- if (ext->data.fn == NULL) {
+ /*
+ * Binary image must be specified
+ * unless it is explicitly made optional.
+ */
+ if ((!ext->optional) && (ext->data.fn == NULL)) {
ERROR("Image for '%s' not specified\n",
ext->ln);
exit(1);
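Review bot: With the relaxed condition, an optional hash extension whose file was not given passes this check silently, so the operator gets no indication that the certificate will carry a zero-filled hash for it. A mistyped or dropped image option in a build script then produces a signed certificate that covers fewer images than intended, with nothing in the tool output to show it. I would add an `else if (ext->data.fn == NULL)` branch that logs the omission, e.g. `NOTICE("Optional image for '%s' not specified, hash set to zero\n", ext->ln);`, assuming the tool's logging header provides `NOTICE` next to `ERROR`. The enclosing switch and function start and end outside the hunk.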
break;
case EXT_TYPE_HASH:
if (ext->data.fn == NULL) {
- break;
- }
- if (!sha_file(ext->data.fn, md)) {
- ERROR("Cannot calculate hash of %s\n",
- ext->data.fn);
- exit(1);
+ if (ext->optional) {
+ /* Include a hash filled with zeros */
+ memset(md, 0x0, SHA256_DIGEST_LENGTH);
+ } else {
+ /* Do not include this hash in the certificate */
+ break;
+ }
+ } else {
+ /* Calculate the hash of the file */
+ if (!sha_file(ext->data.fn, md)) {
+ ERROR("Cannot calculate hash of %s\n",
+ ext->data.fn);
+ exit(1);
+ }
}
CHECK_NULL(cert_ext, ext_new_hash(ext_nid,
EXT_CRIT, md_info, md,
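Review bot: The zero-filled digest written by `memset(md, 0x0, SHA256_DIGEST_LENGTH)` becomes an in-band "image absent" marker inside a signed certificate, and the one-line comment does not state the contract the verifying side has to honour. I would replace it with `/* No image given: emit an all-zero hash as the "not present" marker; the verifier must treat it as absent, never as a match */`. The length is also hard-coded to SHA-256 while the digest type is passed separately as `md_info`. Since `md` is declared outside the hunk, its size should be confirmed to be at least `SHA256_DIGEST_LENGTH`, and the two should stay in step if the digest ever changes. The enclosing function starts and ends outside the hunk.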
BL33_HASH_EXT
},
.num_ext = 1
+ },
+ [FWU_CERT] = {
+ .id = FWU_CERT,
+ .opt = "fwu-cert",
+ .fn = NULL,
+ .cn = "FWU Certificate",
+ .key = ROT_KEY,
+ .issuer = FWU_CERT,
+ .ext = {
+ SCP_BL2U_HASH_EXT,
+ BL2U_HASH_EXT,
+ NS_BL2U_HASH_EXT
+ },
+ .num_ext = 3
}
};
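Review bot: Every extension listed for `FWU_CERT` is marked `.optional = 1` in the extension-table hunk on this page, so with no update image given the tool can still emit a self-issued certificate signed with `ROT_KEY` whose three hashes are all zero. If such a certificate is not a meaningful output, the generation path should refuse it. If it is meaningful, a comment on this entry should say so, e.g. `/* Self-issued, signed with the ROT key; any of the three hashes may be zero when the image is absent */`. `.num_ext = 3` is also maintained by hand against the `.ext` list, which is easy to miss when an extension is added later.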
.ln = "Non-Trusted World (BL33) hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
+ },
+ [SCP_BL2U_HASH_EXT] = {
+ .oid = SCP_BL2U_HASH_OID,
+ .opt = "scp_bl2u",
+ .sn = "SCPFWUpdateConfig",
+ .ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [BL2U_HASH_EXT] = {
+ .oid = BL2U_HASH_OID,
+ .opt = "bl2u",
+ .sn = "APFWUpdateConfig",
+ .ln = "AP Firmware Update Config (BL2U) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [NS_BL2U_HASH_EXT] = {
+ .oid = NS_BL2U_HASH_OID,
+ .opt = "ns_bl2u",
+ .sn = "FWUpdaterHash",
+ .ln = "Firmware Updater (NS_BL2U) hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
}
};