From: Juan Castillo Date: Thu, 3 Dec 2015 10:19:21 +0000 (+0000) Subject: TBB: apply TBBR naming convention to certificates and extensions X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=516beb585c23056820a854b12c77a6f62cbc5c8b;p=project%2Fbcm63xx%2Fatf.git TBB: apply TBBR naming convention to certificates and extensions This patch applies the TBBR naming convention to the certificates and the corresponding extensions defined by the CoT: * Certificate UUID names * Certificate identifier names * OID names Changes apply to: * Generic code (variables and defines) * The default certificate identifiers provided in the generic code * Build system * ARM platforms port * cert_create tool internal definitions * fip_create and cert_create tools command line options * Documentation IMPORTANT: this change breaks the compatibility with platforms that use TBBR. The platform will need to adapt the identifiers and OIDs to the TBBR naming convention introduced by this patch: Certificate UUIDs: UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT Certificate identifiers: BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID BL33_CERT_ID --> 
NON_TRUSTED_FW_CONTENT_CERT_ID OIDs: TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID BL30_HASH_OID --> SCP_FW_HASH_OID BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID BL31_HASH_OID --> SOC_AP_FW_HASH_OID BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID NS_BL2U_HASH_OID --> FWU_HASH_OID Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079 --- diff --git a/docs/auth-framework.md b/docs/auth-framework.md index 0f799c0e..b910eaeb 100644 --- a/docs/auth-framework.md +++ b/docs/auth-framework.md @@ -726,30 +726,30 @@ Four image descriptors form the BL3-1 Chain of Trust: }, .authenticated_data = { [0] = { - .type_desc = &tz_world_pk, + .type_desc = &trusted_world_pk, .data = { - .ptr = (void *)plat_tz_world_pk_buf, + .ptr = (void *)trusted_world_pk_buf, .len = (unsigned int)PK_DER_LEN } }, [1] = { - .type_desc = &ntz_world_pk, + .type_desc = &non_trusted_world_pk, .data = { - .ptr = (void *)plat_ntz_world_pk_buf, + .ptr = (void *)non_trusted_world_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, -[BL31_KEY_CERT_ID] = { - .img_id = BL31_KEY_CERT_ID, +[SOC_FW_KEY_CERT_ID] = { + .img_id = SOC_FW_KEY_CERT_ID, .img_type = IMG_CERT, .parent = &cot_desc[TRUSTED_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &tz_world_pk, + .pk = &trusted_world_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, 
@@ -758,23 +758,23 @@ Four image descriptors form the BL3-1 Chain of Trust: }, .authenticated_data = { [0] = { - .type_desc = &bl31_content_pk, + .type_desc = &soc_fw_content_pk, .data = { - .ptr = (void *)plat_content_pk, + .ptr = (void *)content_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, -[BL31_CERT_ID] = { - .img_id = BL31_CERT_ID, +[SOC_FW_CONTENT_CERT_ID] = { + .img_id = SOC_FW_CONTENT_CERT_ID, .img_type = IMG_CERT, - .parent = &cot_desc[BL31_KEY_CERT_ID], + .parent = &cot_desc[SOC_FW_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &bl31_content_pk, + .pk = &soc_fw_content_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -783,9 +783,9 @@ Four image descriptors form the BL3-1 Chain of Trust: }, .authenticated_data = { [0] = { - .type_desc = &bl31_hash, + .type_desc = &soc_fw_hash, .data = { - .ptr = (void *)plat_bl31_hash_buf, + .ptr = (void *)soc_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } } @@ -794,13 +794,13 @@ Four image descriptors form the BL3-1 Chain of Trust: [BL31_IMAGE_ID] = { .img_id = BL31_IMAGE_ID, .img_type = IMG_RAW, - .parent = &cot_desc[BL31_CERT_ID], + .parent = &cot_desc[SOC_FW_CONTENT_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_HASH, .param.hash = { .data = &raw_data, - .hash = &bl31_hash, + .hash = &soc_fw_hash, } } } @@ -835,7 +835,7 @@ is created in the `authenticated_data` array for that purpose. In that entry, the corresponding parameter descriptor must be specified along with the buffer address to store the parameter value. In this case, the `tz_world_pk` descriptor is used to extract the public key from an x509v3 extension with OID -`TZ_WORLD_PK_OID`. The BL3-1 key certificate will use this descriptor as +`TRUSTED_WORLD_PK_OID`. The BL3-1 key certificate will use this descriptor as parameter in the signature authentication method. The key is stored in the `plat_tz_world_pk_buf` buffer. 
diff --git a/docs/porting-guide.md b/docs/porting-guide.md index ba550f04..b77377f1 100644 --- a/docs/porting-guide.md +++ b/docs/porting-guide.md @@ -247,7 +247,7 @@ mandatory: If Trusted Board Boot is enabled, the following certificate identifiers must also be defined: -* **#define : BL2_CERT_ID** +* **#define : TRUSTED_BOOT_FW_CERT_ID** BL2 content certificate identifier, used by BL1 to load the BL2 content certificate. @@ -257,22 +257,22 @@ also be defined: Trusted key certificate identifier, used by BL2 to load the trusted key certificate. -* **#define : BL31_KEY_CERT_ID** +* **#define : SOC_FW_KEY_CERT_ID** BL3-1 key certificate identifier, used by BL2 to load the BL3-1 key certificate. -* **#define : BL31_CERT_ID** +* **#define : SOC_FW_CONTENT_CERT_ID** BL3-1 content certificate identifier, used by BL2 to load the BL3-1 content certificate. -* **#define : BL33_KEY_CERT_ID** +* **#define : NON_TRUSTED_FW_KEY_CERT_ID** BL3-3 key certificate identifier, used by BL2 to load the BL3-3 key certificate. -* **#define : BL33_CERT_ID** +* **#define : NON_TRUSTED_FW_CONTENT_CERT_ID** BL3-3 content certificate identifier, used by BL2 to load the BL3-3 content certificate. @@ -285,12 +285,12 @@ also be defined: BL3-0 image identifier, used by BL2 to load BL3-0 into secure memory from platform storage before being transfered to the SCP. -* **#define : BL30_KEY_CERT_ID** +* **#define : SCP_FW_KEY_CERT_ID** BL3-0 key certificate identifier, used by BL2 to load the BL3-0 key certificate (mandatory when Trusted Board Boot is enabled). -* **#define : BL30_CERT_ID** +* **#define : SCP_FW_CONTENT_CERT_ID** BL3-0 content certificate identifier, used by BL2 to load the BL3-0 content certificate (mandatory when Trusted Board Boot is enabled). 
@@ -302,12 +302,12 @@ also be defined: BL3-2 image identifier, used by BL2 to load BL3-2. -* **#define : BL32_KEY_CERT_ID** +* **#define : TRUSTED_OS_FW_KEY_CERT_ID** BL3-2 key certificate identifier, used by BL2 to load the BL3-2 key certificate (mandatory when Trusted Board Boot is enabled). -* **#define : BL32_CERT_ID** +* **#define : TRUSTED_OS_FW_CONTENT_CERT_ID** BL3-2 content certificate identifier, used by BL2 to load the BL3-2 content certificate (mandatory when Trusted Board Boot is enabled). diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c index 71634a19..ab0243da 100644 --- a/drivers/auth/tbbr/tbbr_cot.c +++ b/drivers/auth/tbbr/tbbr_cot.c @@ -44,14 +44,14 @@ * extracted from the certificates. In this case, because of the way the CoT is * established, we can reuse some of the buffers on different stages */ -static unsigned char plat_bl2_hash_buf[HASH_DER_LEN]; -static unsigned char plat_bl30_hash_buf[HASH_DER_LEN]; -static unsigned char plat_bl31_hash_buf[HASH_DER_LEN]; -static unsigned char plat_bl32_hash_buf[HASH_DER_LEN]; -static unsigned char plat_bl33_hash_buf[HASH_DER_LEN]; -static unsigned char plat_tz_world_pk_buf[PK_DER_LEN]; -static unsigned char plat_ntz_world_pk_buf[PK_DER_LEN]; -static unsigned char plat_content_pk[PK_DER_LEN]; +static unsigned char tb_fw_hash_buf[HASH_DER_LEN]; +static unsigned char scp_fw_hash_buf[HASH_DER_LEN]; +static unsigned char soc_fw_hash_buf[HASH_DER_LEN]; +static unsigned char tos_fw_hash_buf[HASH_DER_LEN]; +static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN]; +static unsigned char trusted_world_pk_buf[PK_DER_LEN]; +static unsigned char non_trusted_world_pk_buf[PK_DER_LEN]; +static unsigned char content_pk_buf[PK_DER_LEN]; /* * Parameter type descriptors 
@@ -65,36 +65,36 @@ static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( AUTH_PARAM_RAW_DATA, 0); -static auth_param_type_desc_t tz_world_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, TZ_WORLD_PK_OID); -static auth_param_type_desc_t ntz_world_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, NTZ_WORLD_PK_OID); +static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID); +static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); -static auth_param_type_desc_t bl30_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, BL30_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t bl31_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, BL31_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t bl32_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, BL32_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t bl33_content_pk = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_PUB_KEY, BL33_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID); +static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID); -static auth_param_type_desc_t bl2_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, BL2_HASH_OID); -static auth_param_type_desc_t bl30_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, BL30_HASH_OID); -static auth_param_type_desc_t bl31_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, BL31_HASH_OID); -static auth_param_type_desc_t bl32_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, 
BL32_HASH_OID); -static auth_param_type_desc_t bl33_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, BL33_HASH_OID); +static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID); +static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SCP_FW_HASH_OID); +static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID); +static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID); +static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, SCP_BL2U_HASH_OID); + AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID); static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, BL2U_HASH_OID); + AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID); static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( - AUTH_PARAM_HASH, NS_BL2U_HASH_OID); + AUTH_PARAM_HASH, FWU_HASH_OID); /* * TBBR Chain of trust definition @@ -103,8 +103,8 @@ static const auth_img_desc_t cot_desc[] = { /* * BL2 */ - [BL2_CERT_ID] = { - .img_id = BL2_CERT_ID, + [TRUSTED_BOOT_FW_CERT_ID] = { + .img_id = TRUSTED_BOOT_FW_CERT_ID, .img_type = IMG_CERT, .parent = NULL, .img_auth_methods = { @@ -120,9 +120,9 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl2_hash, + .type_desc = &tb_fw_hash, .data = { - .ptr = (void *)plat_bl2_hash_buf, + .ptr = (void *)tb_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } } 
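Review bot: In the hunk at -65,36 of drivers/auth/tbbr/tbbr_cot.c the three firmware-update descriptors keep their old names (`scp_bl2u_hash`, `bl2u_hash`, `ns_bl2u_hash`) while the OIDs they bind to become `SCP_FWU_CFG_HASH_OID`, `AP_FWU_CFG_HASH_OID` and `FWU_HASH_OID`. Every other descriptor in the hunk is renamed together with its OID (`scp_fw_hash` with `SCP_FW_HASH_OID`, `tos_fw_hash` with `TRUSTED_OS_FW_HASH_OID`), and that pairing is what lets a reader audit the chain of trust by eye. I would rename these three to follow the same convention, e.g. `static auth_param_type_desc_t ap_fwu_cfg_hash = AUTH_PARAM_TYPE_DESC(AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);`, and update their uses in the hunk at -467,21.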
@@ -131,13 +131,13 @@ static const auth_img_desc_t cot_desc[] = { [BL2_IMAGE_ID] = { .img_id = BL2_IMAGE_ID, .img_type = IMG_RAW, - .parent = &cot_desc[BL2_CERT_ID], + .parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_HASH, .param.hash = { .data = &raw_data, - .hash = &bl2_hash, + .hash = &tb_fw_hash, } } } @@ -162,33 +162,33 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &tz_world_pk, + .type_desc = &trusted_world_pk, .data = { - .ptr = (void *)plat_tz_world_pk_buf, + .ptr = (void *)trusted_world_pk_buf, .len = (unsigned int)PK_DER_LEN } }, [1] = { - .type_desc = &ntz_world_pk, + .type_desc = &non_trusted_world_pk, .data = { - .ptr = (void *)plat_ntz_world_pk_buf, + .ptr = (void *)non_trusted_world_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, /* - * BL3-0 + * SCP Firmware */ - [BL30_KEY_CERT_ID] = { - .img_id = BL30_KEY_CERT_ID, + [SCP_FW_KEY_CERT_ID] = { + .img_id = SCP_FW_KEY_CERT_ID, .img_type = IMG_CERT, .parent = &cot_desc[TRUSTED_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &tz_world_pk, + .pk = &trusted_world_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -197,23 +197,23 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl30_content_pk, + .type_desc = &scp_fw_content_pk, .data = { - .ptr = (void *)plat_content_pk, + .ptr = (void *)content_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, - [BL30_CERT_ID] = { - .img_id = BL30_CERT_ID, + [SCP_FW_CONTENT_CERT_ID] = { + .img_id = SCP_FW_CONTENT_CERT_ID, .img_type = IMG_CERT, - .parent = &cot_desc[BL30_KEY_CERT_ID], + .parent = &cot_desc[SCP_FW_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &bl30_content_pk, + .pk = &scp_fw_content_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, 
@@ -222,9 +222,9 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl30_hash, + .type_desc = &scp_fw_hash, .data = { - .ptr = (void *)plat_bl30_hash_buf, + .ptr = (void *)scp_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } } @@ -233,29 +233,29 @@ static const auth_img_desc_t cot_desc[] = { [BL30_IMAGE_ID] = { .img_id = BL30_IMAGE_ID, .img_type = IMG_RAW, - .parent = &cot_desc[BL30_CERT_ID], + .parent = &cot_desc[SCP_FW_CONTENT_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_HASH, .param.hash = { .data = &raw_data, - .hash = &bl30_hash, + .hash = &scp_fw_hash, } } } }, /* - * BL3-1 + * SoC Firmware */ - [BL31_KEY_CERT_ID] = { - .img_id = BL31_KEY_CERT_ID, + [SOC_FW_KEY_CERT_ID] = { + .img_id = SOC_FW_KEY_CERT_ID, .img_type = IMG_CERT, .parent = &cot_desc[TRUSTED_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &tz_world_pk, + .pk = &trusted_world_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -264,23 +264,23 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl31_content_pk, + .type_desc = &soc_fw_content_pk, .data = { - .ptr = (void *)plat_content_pk, + .ptr = (void *)content_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, - [BL31_CERT_ID] = { - .img_id = BL31_CERT_ID, + [SOC_FW_CONTENT_CERT_ID] = { + .img_id = SOC_FW_CONTENT_CERT_ID, .img_type = IMG_CERT, - .parent = &cot_desc[BL31_KEY_CERT_ID], + .parent = &cot_desc[SOC_FW_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &bl31_content_pk, + .pk = &soc_fw_content_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -289,9 +289,9 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl31_hash, + .type_desc = &soc_fw_hash, .data = { - .ptr = (void *)plat_bl31_hash_buf, + .ptr = (void *)soc_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } } 
@@ -300,29 +300,29 @@ static const auth_img_desc_t cot_desc[] = { [BL31_IMAGE_ID] = { .img_id = BL31_IMAGE_ID, .img_type = IMG_RAW, - .parent = &cot_desc[BL31_CERT_ID], + .parent = &cot_desc[SOC_FW_CONTENT_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_HASH, .param.hash = { .data = &raw_data, - .hash = &bl31_hash, + .hash = &soc_fw_hash, } } } }, /* - * BL3-2 + * Trusted OS Firmware */ - [BL32_KEY_CERT_ID] = { - .img_id = BL32_KEY_CERT_ID, + [TRUSTED_OS_FW_KEY_CERT_ID] = { + .img_id = TRUSTED_OS_FW_KEY_CERT_ID, .img_type = IMG_CERT, .parent = &cot_desc[TRUSTED_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &tz_world_pk, + .pk = &trusted_world_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -331,23 +331,23 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl32_content_pk, + .type_desc = &tos_fw_content_pk, .data = { - .ptr = (void *)plat_content_pk, + .ptr = (void *)content_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, - [BL32_CERT_ID] = { - .img_id = BL32_CERT_ID, + [TRUSTED_OS_FW_CONTENT_CERT_ID] = { + .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID, .img_type = IMG_CERT, - .parent = &cot_desc[BL32_KEY_CERT_ID], + .parent = &cot_desc[TRUSTED_OS_FW_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &bl32_content_pk, + .pk = &tos_fw_content_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -356,9 +356,9 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl32_hash, + .type_desc = &tos_fw_hash, .data = { - .ptr = (void *)plat_bl32_hash_buf, + .ptr = (void *)tos_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } } 
@@ -367,29 +367,29 @@ static const auth_img_desc_t cot_desc[] = { [BL32_IMAGE_ID] = { .img_id = BL32_IMAGE_ID, .img_type = IMG_RAW, - .parent = &cot_desc[BL32_CERT_ID], + .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_HASH, .param.hash = { .data = &raw_data, - .hash = &bl32_hash, + .hash = &tos_fw_hash, } } } }, /* - * BL3-3 + * Non-Trusted Firmware */ - [BL33_KEY_CERT_ID] = { - .img_id = BL33_KEY_CERT_ID, + [NON_TRUSTED_FW_KEY_CERT_ID] = { + .img_id = NON_TRUSTED_FW_KEY_CERT_ID, .img_type = IMG_CERT, .parent = &cot_desc[TRUSTED_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &ntz_world_pk, + .pk = &non_trusted_world_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -398,23 +398,23 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl33_content_pk, + .type_desc = &nt_fw_content_pk, .data = { - .ptr = (void *)plat_content_pk, + .ptr = (void *)content_pk_buf, .len = (unsigned int)PK_DER_LEN } } } }, - [BL33_CERT_ID] = { - .img_id = BL33_CERT_ID, + [NON_TRUSTED_FW_CONTENT_CERT_ID] = { + .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID, .img_type = IMG_CERT, - .parent = &cot_desc[BL33_KEY_CERT_ID], + .parent = &cot_desc[NON_TRUSTED_FW_KEY_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_SIG, .param.sig = { - .pk = &bl33_content_pk, + .pk = &nt_fw_content_pk, .sig = &sig, .alg = &sig_alg, .data = &raw_data, @@ -423,9 +423,9 @@ static const auth_img_desc_t cot_desc[] = { }, .authenticated_data = { [0] = { - .type_desc = &bl33_hash, + .type_desc = &nt_world_bl_hash, .data = { - .ptr = (void *)plat_bl33_hash_buf, + .ptr = (void *)nt_world_bl_hash_buf, .len = (unsigned int)HASH_DER_LEN } } 
@@ -434,13 +434,13 @@ static const auth_img_desc_t cot_desc[] = { [BL33_IMAGE_ID] = { .img_id = BL33_IMAGE_ID, .img_type = IMG_RAW, - .parent = &cot_desc[BL33_CERT_ID], + .parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID], .img_auth_methods = { [0] = { .type = AUTH_METHOD_HASH, .param.hash = { .data = &raw_data, - .hash = &bl33_hash, + .hash = &nt_world_bl_hash, } } } @@ -467,21 +467,21 @@ static const auth_img_desc_t cot_desc[] = { [0] = { .type_desc = &scp_bl2u_hash, .data = { - .ptr = (void *)plat_bl30_hash_buf, + .ptr = (void *)scp_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } }, [1] = { .type_desc = &bl2u_hash, .data = { - .ptr = (void *)plat_bl2_hash_buf, + .ptr = (void *)tb_fw_hash_buf, .len = (unsigned int)HASH_DER_LEN } }, [2] = { .type_desc = &ns_bl2u_hash, .data = { - .ptr = (void *)plat_bl33_hash_buf, + .ptr = (void *)nt_world_bl_hash_buf, .len = (unsigned int)HASH_DER_LEN } } diff --git a/include/common/firmware_image_package.h b/include/common/firmware_image_package.h index daa043a8..30c55025 100644 --- a/include/common/firmware_image_package.h +++ b/include/common/firmware_image_package.h 
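Review bot: The firmware-update certificate entry in the hunk at -467,21 now extracts `scp_bl2u_hash`, `bl2u_hash` and `ns_bl2u_hash` into `scp_fw_hash_buf`, `tb_fw_hash_buf` and `nt_world_bl_hash_buf`, and with the neutral `plat_` prefix gone those buffer names read as if they held only the boot-path hashes. The file's header comment (context of the hunk at -44,14) says buffers are reused across stages, but nothing at this site records that the sharing is deliberate or why it is safe. I would add a comment above the array, e.g. `/* FWU hashes share the boot-path hash buffers; assumes the two chains are never authenticated in the same stage (confirm) */`. The enclosing `cot_desc[]` entry starts outside the hunk.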
@@ -64,24 +64,24 @@ {0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} } #define UUID_NON_TRUSTED_WORLD_KEY_CERT \ {0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} } -#define UUID_SCP_FIRMWARE_BL30_KEY_CERT \ +#define UUID_SCP_FW_KEY_CERT \ {0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} } -#define UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT \ +#define UUID_SOC_FW_KEY_CERT \ {0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} } -#define UUID_SECURE_PAYLOAD_BL32_KEY_CERT \ +#define UUID_TRUSTED_OS_FW_KEY_CERT \ {0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} } -#define UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT \ +#define UUID_NON_TRUSTED_FW_KEY_CERT \ {0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} } /* Content certificates */ -#define UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT \ +#define UUID_TRUSTED_BOOT_FW_CERT \ {0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} } -#define UUID_SCP_FIRMWARE_BL30_CERT \ +#define UUID_SCP_FW_CONTENT_CERT \ {0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} } -#define UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT \ +#define UUID_SOC_FW_CONTENT_CERT \ {0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} } -#define UUID_SECURE_PAYLOAD_BL32_CERT \ +#define UUID_TRUSTED_OS_FW_CONTENT_CERT \ {0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} } -#define UUID_NON_TRUSTED_FIRMWARE_BL33_CERT \ +#define UUID_NON_TRUSTED_FW_CONTENT_CERT \ {0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } typedef struct fip_toc_header { diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h index fabe0b94..8b16639a 100644 --- a/include/common/tbbr/tbbr_img_def.h +++ b/include/common/tbbr/tbbr_img_def.h 
@@ -50,18 +50,18 @@ #define BL33_IMAGE_ID 5 /* Certificates */ -#define BL2_CERT_ID 6 +#define TRUSTED_BOOT_FW_CERT_ID 6 #define TRUSTED_KEY_CERT_ID 7 -#define BL30_KEY_CERT_ID 8 -#define BL31_KEY_CERT_ID 9 -#define BL32_KEY_CERT_ID 10 -#define BL33_KEY_CERT_ID 11 +#define SCP_FW_KEY_CERT_ID 8 +#define SOC_FW_KEY_CERT_ID 9 +#define TRUSTED_OS_FW_KEY_CERT_ID 10 +#define NON_TRUSTED_FW_KEY_CERT_ID 11 -#define BL30_CERT_ID 12 -#define BL31_CERT_ID 13 -#define BL32_CERT_ID 14 -#define BL33_CERT_ID 15 +#define SCP_FW_CONTENT_CERT_ID 12 +#define SOC_FW_CONTENT_CERT_ID 13 +#define TRUSTED_OS_FW_CONTENT_CERT_ID 14 +#define NON_TRUSTED_FW_CONTENT_CERT_ID 15 /* Non-Trusted ROM Firmware NS_BL1U */ #define NS_BL1U_IMAGE_ID 16 diff --git a/include/plat/arm/board/common/board_arm_oid.h b/include/plat/arm/board/common/board_arm_oid.h index b29212e4..bf26a48b 100644 --- a/include/plat/arm/board/common/board_arm_oid.h +++ b/include/plat/arm/board/common/board_arm_oid.h @@ -44,9 +44,9 @@ /* TrustedFirmwareNVCounter - Non-volatile counter extension */ -#define TZ_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.1" +#define TRUSTED_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.1" /* NonTrustedFirmwareNVCounter - Non-volatile counter extension */ -#define NTZ_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.2" +#define NON_TRUSTED_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.2" /* @@ -54,11 +54,11 @@ */ /* APFirmwareUpdaterConfigHash - BL2U */ -#define BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.101" +#define AP_FWU_CFG_HASH_OID "1.3.6.1.4.1.4128.2100.101" /* SCPFirmwareUpdaterConfigHash - SCP_BL2U */ -#define SCP_BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.102" +#define SCP_FWU_CFG_HASH_OID "1.3.6.1.4.1.4128.2100.102" /* FirmwareUpdaterHash - NS_BL2U */ -#define NS_BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.103" +#define FWU_HASH_OID "1.3.6.1.4.1.4128.2100.103" /* TrustedWatchdogRefreshTime */ #define TRUSTED_WATCHDOG_TIME_OID "1.3.6.1.4.1.4128.2100.104" 
@@ -68,7 +68,7 @@ */ /* TrustedBootFirmwareHash - BL2 */ -#define BL2_HASH_OID "1.3.6.1.4.1.4128.2100.201" +#define TRUSTED_BOOT_FW_HASH_OID "1.3.6.1.4.1.4128.2100.201" /* @@ -78,9 +78,9 @@ /* PrimaryDebugCertificatePK */ #define PRIMARY_DEBUG_PK_OID "1.3.6.1.4.1.4128.2100.301" /* TrustedWorldPK */ -#define TZ_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.302" +#define TRUSTED_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.302" /* NonTrustedWorldPK */ -#define NTZ_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.303" +#define NON_TRUSTED_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.303" /* @@ -100,7 +100,7 @@ */ /* SoCFirmwareContentCertPK */ -#define BL31_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501" +#define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501" /* @@ -112,7 +112,7 @@ /* SoCConfigHash */ #define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602" /* SoCAPFirmwareHash - BL31 */ -#define BL31_HASH_OID "1.3.6.1.4.1.4128.2100.603" +#define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603" /* @@ -120,7 +120,7 @@ */ /* SCPFirmwareContentCertPK */ -#define BL30_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.701" +#define SCP_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.701" /* @@ -128,7 +128,7 @@ */ /* SCPFirmwareHash - BL30 */ -#define BL30_HASH_OID "1.3.6.1.4.1.4128.2100.801" +#define SCP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.801" /* SCPRomPatchHash - BL0_PATCH */ #define SCP_ROM_PATCH_HASH_OID "1.3.6.1.4.1.4128.2100.802" @@ -138,7 +138,7 @@ */ /* TrustedOSFirmwareContentCertPK */ -#define BL32_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.901" +#define TRUSTED_OS_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.901" /* @@ -146,7 +146,7 @@ */ /* TrustedOSFirmwareHash - BL32 */ -#define BL32_HASH_OID "1.3.6.1.4.1.4128.2100.1001" +#define TRUSTED_OS_FW_HASH_OID "1.3.6.1.4.1.4128.2100.1001" /* @@ -154,7 +154,7 @@ */ /* NonTrustedFirmwareContentCertPK */ -#define BL33_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.1101" +#define NON_TRUSTED_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.1101" /* 
@@ -162,6 +162,6 @@ */ /* NonTrustedWorldBootloaderHash - BL33 */ -#define BL33_HASH_OID "1.3.6.1.4.1.4128.2100.1201" +#define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201" #endif /* __BOARD_ARM_OID_H__ */ diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk index bf0d2967..eed3808a 100644 --- a/make_helpers/tbbr/tbbr_tools.mk +++ b/make_helpers/tbbr/tbbr_tools.mk 
@@ -76,61 +76,61 @@ $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},-- $(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key))) # Add the BL2 CoT (image cert + image) -$(if ${BL2},$(eval $(call CERT_ADD_CMD_OPT,${BL2},--bl2,true)),\ - $(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,2),--bl2,true))) -$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl2.crt,--bl2-cert)) -$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl2.crt,--bl2-cert)) +$(if ${BL2},$(eval $(call CERT_ADD_CMD_OPT,${BL2},--tb-fw,true)),\ + $(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,2),--tb-fw,true))) +$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert)) +$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert)) # Add the BL30 CoT (key cert + img cert + image) ifneq (${BL30},) - $(eval $(call CERT_ADD_CMD_OPT,${BL30},--bl30,true)) - $(if ${BL30_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL30_KEY},--bl30-key))) - $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl30.crt,--bl30-cert)) - $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl30_key.crt,--bl30-key-cert)) - $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl30.crt,--bl30-cert)) - $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl30_key.crt,--bl30-key-cert)) + $(eval $(call CERT_ADD_CMD_OPT,${BL30},--scp-fw,true)) + $(if ${BL30_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL30_KEY},--scp-fw-key))) + $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/scp_fw_content.crt,--scp-fw-cert)) + $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/scp_fw_key.crt,--scp-fw-key-cert)) + $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/scp_fw_content.crt,--scp-fw-cert)) + $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/scp_fw_key.crt,--scp-fw-key-cert)) endif # Add the BL31 CoT (key cert + img cert + image) -$(if ${BL31},$(eval $(call CERT_ADD_CMD_OPT,${BL31},--bl31,true)),\ - $(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,31),--bl31,true))) -$(if ${BL31_KEY},$(eval $(call 
CERT_ADD_CMD_OPT,${BL31_KEY},--bl31-key))) -$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl31.crt,--bl31-cert)) -$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl31_key.crt,--bl31-key-cert)) -$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl31.crt,--bl31-cert)) -$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl31_key.crt,--bl31-key-cert)) +$(if ${BL31},$(eval $(call CERT_ADD_CMD_OPT,${BL31},--soc-fw,true)),\ + $(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,31),--soc-fw,true))) +$(if ${BL31_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL31_KEY},--soc-fw-key))) +$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/soc_fw_content.crt,--soc-fw-cert)) +$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/soc_fw_key.crt,--soc-fw-key-cert)) +$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/soc_fw_content.crt,--soc-fw-cert)) +$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/soc_fw_key.crt,--soc-fw-key-cert)) # Add the BL32 CoT (key cert + img cert + image) ifeq (${NEED_BL32},yes) - $(if ${BL32},$(eval $(call CERT_ADD_CMD_OPT,${BL32},--bl32,true)),\ - $(if ${BL32_SOURCES},$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,32),--bl32,true)))) - $(if ${BL32_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL32_KEY},--bl32-key))) - $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl32.crt,--bl32-cert)) - $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl32_key.crt,--bl32-key-cert)) - $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl32.crt,--bl32-cert)) - $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl32_key.crt,--bl32-key-cert)) + $(if ${BL32},$(eval $(call CERT_ADD_CMD_OPT,${BL32},--tos-fw,true)),\ + $(if ${BL32_SOURCES},$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,32),--tos-fw,true)))) + $(if ${BL32_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL32_KEY},--tos-fw-key))) + $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert)) + $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert)) + $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert)) + $(eval $(call 
FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert)) endif # Add the BL33 CoT (key cert + img cert + image) ifneq (${BL33},) - $(eval $(call CERT_ADD_CMD_OPT,${BL33},--bl33,true)) - $(if ${BL33_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL33_KEY},--bl33-key))) - $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl33.crt,--bl33-cert)) - $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl33_key.crt,--bl33-key-cert)) - $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl33.crt,--bl33-cert)) - $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl33_key.crt,--bl33-key-cert)) + $(eval $(call CERT_ADD_CMD_OPT,${BL33},--nt-fw,true)) + $(if ${BL33_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL33_KEY},--nt-fw-key))) + $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/nt_fw_content.crt,--nt-fw-cert)) + $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert)) + $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_content.crt,--nt-fw-cert)) + $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert)) endif # Add the BL2U image -$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u,true)),\ - $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u,true))) +$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--ap-fwu-cfg,true)),\ + $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--ap-fwu-cfg,true))) # Add the SCP_BL2U image ifneq (${SCP_BL2U},) - $(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp_bl2u,true)) + $(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp-fwu-cfg,true)) endif # Add the NS_BL2U image ifneq (${NS_BL2U},) - $(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--ns_bl2u,true)) + $(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--fwu,true)) endif diff --git a/plat/arm/board/fvp/fvp_io_storage.c b/plat/arm/board/fvp/fvp_io_storage.c index 0b74de2e..bc3d7b11 100644 --- a/plat/arm/board/fvp/fvp_io_storage.c +++ b/plat/arm/board/fvp/fvp_io_storage.c 
@@ -44,14 +44,14 @@ #define BL33_IMAGE_NAME "bl33.bin" #if TRUSTED_BOARD_BOOT -#define BL2_CERT_NAME "bl2.crt" +#define TRUSTED_BOOT_FW_CERT_NAME "tb_fw.crt" #define TRUSTED_KEY_CERT_NAME "trusted_key.crt" -#define BL31_KEY_CERT_NAME "bl31_key.crt" -#define BL32_KEY_CERT_NAME "bl32_key.crt" -#define BL33_KEY_CERT_NAME "bl33_key.crt" -#define BL31_CERT_NAME "bl31.crt" -#define BL32_CERT_NAME "bl32.crt" -#define BL33_CERT_NAME "bl33.crt" +#define SOC_FW_KEY_CERT_NAME "soc_fw_key.crt" +#define TOS_FW_KEY_CERT_NAME "tos_fw_key.crt" +#define NT_FW_KEY_CERT_NAME "nt_fw_key.crt" +#define SOC_FW_CONTENT_CERT_NAME "soc_fw_content.crt" +#define TOS_FW_CONTENT_CERT_NAME "tos_fw_content.crt" +#define NT_FW_CONTENT_CERT_NAME "nt_fw_content.crt" #endif /* TRUSTED_BOARD_BOOT */ /* IO devices */ 
@@ -76,36 +76,36 @@ static const io_file_spec_t sh_file_spec[] = { .mode = FOPEN_MODE_RB }, #if TRUSTED_BOARD_BOOT - [BL2_CERT_ID] = { - .path = BL2_CERT_NAME, + [TRUSTED_BOOT_FW_CERT_ID] = { + .path = TRUSTED_BOOT_FW_CERT_NAME, .mode = FOPEN_MODE_RB }, [TRUSTED_KEY_CERT_ID] = { .path = TRUSTED_KEY_CERT_NAME, .mode = FOPEN_MODE_RB }, - [BL31_KEY_CERT_ID] = { - .path = BL31_KEY_CERT_NAME, + [SOC_FW_KEY_CERT_ID] = { + .path = SOC_FW_KEY_CERT_NAME, .mode = FOPEN_MODE_RB }, - [BL32_KEY_CERT_ID] = { - .path = BL32_KEY_CERT_NAME, + [TRUSTED_OS_FW_KEY_CERT_ID] = { + .path = TOS_FW_KEY_CERT_NAME, .mode = FOPEN_MODE_RB }, - [BL33_KEY_CERT_ID] = { - .path = BL33_KEY_CERT_NAME, + [NON_TRUSTED_FW_KEY_CERT_ID] = { + .path = NT_FW_KEY_CERT_NAME, .mode = FOPEN_MODE_RB }, - [BL31_CERT_ID] = { - .path = BL31_CERT_NAME, + [SOC_FW_CONTENT_CERT_ID] = { + .path = SOC_FW_CONTENT_CERT_NAME, .mode = FOPEN_MODE_RB }, - [BL32_CERT_ID] = { - .path = BL32_CERT_NAME, + [TRUSTED_OS_FW_CONTENT_CERT_ID] = { + .path = TOS_FW_CONTENT_CERT_NAME, .mode = FOPEN_MODE_RB }, - [BL33_CERT_ID] = { - .path = BL33_CERT_NAME, + [NON_TRUSTED_FW_CONTENT_CERT_ID] = { + .path = NT_FW_CONTENT_CERT_NAME, .mode = FOPEN_MODE_RB }, #endif /* TRUSTED_BOARD_BOOT */ diff --git a/plat/arm/common/arm_io_storage.c b/plat/arm/common/arm_io_storage.c index f7e99e9c..56d711c0 100644 --- a/plat/arm/common/arm_io_storage.c +++ b/plat/arm/common/arm_io_storage.c 
@@ -70,44 +70,44 @@ static const io_uuid_spec_t bl33_uuid_spec = { }; #if TRUSTED_BOARD_BOOT -static const io_uuid_spec_t bl2_cert_uuid_spec = { - .uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT, +static const io_uuid_spec_t tb_fw_cert_uuid_spec = { + .uuid = UUID_TRUSTED_BOOT_FW_CERT, }; static const io_uuid_spec_t trusted_key_cert_uuid_spec = { .uuid = UUID_TRUSTED_KEY_CERT, }; -static const io_uuid_spec_t bl30_key_cert_uuid_spec = { - .uuid = UUID_SCP_FIRMWARE_BL30_KEY_CERT, +static const io_uuid_spec_t scp_fw_key_cert_uuid_spec = { + .uuid = UUID_SCP_FW_KEY_CERT, }; -static const io_uuid_spec_t bl31_key_cert_uuid_spec = { - .uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT, +static const io_uuid_spec_t soc_fw_key_cert_uuid_spec = { + .uuid = UUID_SOC_FW_KEY_CERT, }; -static const io_uuid_spec_t bl32_key_cert_uuid_spec = { - .uuid = UUID_SECURE_PAYLOAD_BL32_KEY_CERT, +static const io_uuid_spec_t tos_fw_key_cert_uuid_spec = { + .uuid = UUID_TRUSTED_OS_FW_KEY_CERT, }; -static const io_uuid_spec_t bl33_key_cert_uuid_spec = { - .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT, +static const io_uuid_spec_t nt_fw_key_cert_uuid_spec = { + .uuid = UUID_NON_TRUSTED_FW_KEY_CERT, }; -static const io_uuid_spec_t bl30_cert_uuid_spec = { - .uuid = UUID_SCP_FIRMWARE_BL30_CERT, +static const io_uuid_spec_t scp_fw_cert_uuid_spec = { + .uuid = UUID_SCP_FW_CONTENT_CERT, }; -static const io_uuid_spec_t bl31_cert_uuid_spec = { - .uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT, +static const io_uuid_spec_t soc_fw_cert_uuid_spec = { + .uuid = UUID_SOC_FW_CONTENT_CERT, }; -static const io_uuid_spec_t bl32_cert_uuid_spec = { - .uuid = UUID_SECURE_PAYLOAD_BL32_CERT, +static const io_uuid_spec_t tos_fw_cert_uuid_spec = { + .uuid = UUID_TRUSTED_OS_FW_CONTENT_CERT, }; -static const io_uuid_spec_t bl33_cert_uuid_spec = { - .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_CERT, +static const io_uuid_spec_t nt_fw_cert_uuid_spec = { + .uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT, }; #endif /* TRUSTED_BOARD_BOOT */ 
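Review bot: The four content-certificate specs renamed in this hunk (`scp_fw_cert_uuid_spec`, `soc_fw_cert_uuid_spec`, `tos_fw_cert_uuid_spec`, `nt_fw_cert_uuid_spec`) drop the word "content", although they hold `UUID_*_FW_CONTENT_CERT` values and sit next to `*_fw_key_cert_uuid_spec`. The `policies[]` entries in the two later hunks of this file pair each `*_CERT_ID` with a spec purely by name, so the variable name is the only thing a reader has to check that a key certificate and a content certificate were not swapped. I would name them after the identifier they serve, e.g. `static const io_uuid_spec_t scp_fw_content_cert_uuid_spec = {`, and update the matching `(uintptr_t)&..._uuid_spec` references in `policies[]`.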
@@ -154,9 +154,9 @@ static const struct plat_io_policy policies[] = { open_fip }, #if TRUSTED_BOARD_BOOT - [BL2_CERT_ID] = { + [TRUSTED_BOOT_FW_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl2_cert_uuid_spec, + (uintptr_t)&tb_fw_cert_uuid_spec, open_fip }, [TRUSTED_KEY_CERT_ID] = { @@ -164,44 +164,44 @@ static const struct plat_io_policy policies[] = { (uintptr_t)&trusted_key_cert_uuid_spec, open_fip }, - [BL30_KEY_CERT_ID] = { + [SCP_FW_KEY_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl30_key_cert_uuid_spec, + (uintptr_t)&scp_fw_key_cert_uuid_spec, open_fip }, - [BL31_KEY_CERT_ID] = { + [SOC_FW_KEY_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl31_key_cert_uuid_spec, + (uintptr_t)&soc_fw_key_cert_uuid_spec, open_fip }, - [BL32_KEY_CERT_ID] = { + [TRUSTED_OS_FW_KEY_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl32_key_cert_uuid_spec, + (uintptr_t)&tos_fw_key_cert_uuid_spec, open_fip }, - [BL33_KEY_CERT_ID] = { + [NON_TRUSTED_FW_KEY_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl33_key_cert_uuid_spec, + (uintptr_t)&nt_fw_key_cert_uuid_spec, open_fip }, - [BL30_CERT_ID] = { + [SCP_FW_CONTENT_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl30_cert_uuid_spec, + (uintptr_t)&scp_fw_cert_uuid_spec, open_fip }, - [BL31_CERT_ID] = { + [SOC_FW_CONTENT_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl31_cert_uuid_spec, + (uintptr_t)&soc_fw_cert_uuid_spec, open_fip }, - [BL32_CERT_ID] = { + [TRUSTED_OS_FW_CONTENT_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl32_cert_uuid_spec, + (uintptr_t)&tos_fw_cert_uuid_spec, open_fip }, - [BL33_CERT_ID] = { + [NON_TRUSTED_FW_CONTENT_CERT_ID] = { &fip_dev_handle, - (uintptr_t)&bl33_cert_uuid_spec, + (uintptr_t)&nt_fw_cert_uuid_spec, open_fip }, #endif /* TRUSTED_BOARD_BOOT */ diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h index 2bc3be63..c0f7ba25 100644 --- a/tools/cert_create/include/tbbr/tbb_cert.h +++ b/tools/cert_create/include/tbbr/tbb_cert.h 
@@ -37,16 +37,16 @@ * Enumerate the certificates that are used to establish the chain of trust */ enum { - BL2_CERT, + TRUSTED_BOOT_FW_CERT, TRUSTED_KEY_CERT, - BL30_KEY_CERT, - BL30_CERT, - BL31_KEY_CERT, - BL31_CERT, - BL32_KEY_CERT, - BL32_CERT, - BL33_KEY_CERT, - BL33_CERT, + SCP_FW_KEY_CERT, + SCP_FW_CONTENT_CERT, + SOC_FW_KEY_CERT, + SOC_FW_CONTENT_CERT, + TRUSTED_OS_FW_KEY_CERT, + TRUSTED_OS_FW_CONTENT_CERT, + NON_TRUSTED_FW_KEY_CERT, + NON_TRUSTED_FW_CONTENT_CERT, FWU_CERT }; diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h index ecbe8669..8589cf7b 100644 --- a/tools/cert_create/include/tbbr/tbb_ext.h +++ b/tools/cert_create/include/tbbr/tbb_ext.h @@ -34,22 +34,22 @@ /* TBBR extensions */ enum { - TZ_FW_NVCOUNTER_EXT, - NTZ_FW_NVCOUNTER_EXT, - BL2_HASH_EXT, - TZ_WORLD_PK_EXT, - NTZ_WORLD_PK_EXT, - BL31_CONTENT_CERT_PK_EXT, - BL31_HASH_EXT, - BL30_CONTENT_CERT_PK_EXT, - BL30_HASH_EXT, - BL32_CONTENT_CERT_PK_EXT, - BL32_HASH_EXT, - BL33_CONTENT_CERT_PK_EXT, - BL33_HASH_EXT, - SCP_BL2U_HASH_EXT, - BL2U_HASH_EXT, - NS_BL2U_HASH_EXT + TRUSTED_FW_NVCOUNTER_EXT, + NON_TRUSTED_FW_NVCOUNTER_EXT, + TRUSTED_BOOT_FW_HASH_EXT, + TRUSTED_WORLD_PK_EXT, + NON_TRUSTED_WORLD_PK_EXT, + SCP_FW_CONTENT_CERT_PK_EXT, + SCP_FW_HASH_EXT, + SOC_FW_CONTENT_CERT_PK_EXT, + SOC_AP_FW_HASH_EXT, + TRUSTED_OS_FW_CONTENT_CERT_PK_EXT, + TRUSTED_OS_FW_HASH_EXT, + NON_TRUSTED_FW_CONTENT_CERT_PK_EXT, + NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT, + SCP_FWU_CFG_HASH_EXT, + AP_FWU_CFG_HASH_EXT, + FWU_HASH_EXT }; #endif /* TBB_EXT_H_ */ diff --git a/tools/cert_create/include/tbbr/tbb_key.h b/tools/cert_create/include/tbbr/tbb_key.h index 15903094..0becf3f5 100644 --- a/tools/cert_create/include/tbbr/tbb_key.h +++ b/tools/cert_create/include/tbbr/tbb_key.h 
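Review bot: In the tools/cert_create/include/tbbr/tbb_ext.h hunk the enum is reordered as well as renamed. The old list had `BL31_CONTENT_CERT_PK_EXT, BL31_HASH_EXT` ahead of `BL30_CONTENT_CERT_PK_EXT, BL30_HASH_EXT`, and the new list puts the `SCP_FW_*` pair ahead of the `SOC_*` pair, so four enumerators change numeric value in a commit described as a naming change. The users visible in this diff (`tbb_ext[]` and the `.ext` lists in `tbb_certs[]`) refer to them by name through designated initializers, so this looks harmless, but that is worth confirming for code outside the diff. I would mention the reorder in the commit message and add a comment above the enum such as `/* Enumerators are indices into tbb_ext[]; use them by name only */`.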
@@ -40,10 +40,10 @@ enum { ROT_KEY, TRUSTED_WORLD_KEY, NON_TRUSTED_WORLD_KEY, - BL30_KEY, - BL31_KEY, - BL32_KEY, - BL33_KEY + SCP_FW_CONTENT_CERT_KEY, + SOC_FW_CONTENT_CERT_KEY, + TRUSTED_OS_FW_CONTENT_CERT_KEY, + NON_TRUSTED_FW_CONTENT_CERT_KEY }; #endif /* TBB_KEY_H_ */ diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index de15ef6f..6d11a277 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -91,16 +91,16 @@ enum { BL32_ID, BL33_ID, /* Certificate file names (outputs) */ - BL2_CERT_ID, + TRUSTED_BOOT_FW_CERT_ID, TRUSTED_KEY_CERT_ID, - BL30_KEY_CERT_ID, - BL30_CERT_ID, - BL31_KEY_CERT_ID, - BL31_CERT_ID, - BL32_KEY_CERT_ID, - BL32_CERT_ID, - BL33_KEY_CERT_ID, - BL33_CERT_ID, + SCP_FW_KEY_CERT_ID, + SCP_FW_CONTENT_CERT_ID, + SOC_FW_KEY_CERT_ID, + SOC_FW_CONTENT_CERT_ID, + TRUSTED_OS_FW_KEY_CERT_ID, + TRUSTED_OS_FW_CONTENT_CERT_ID, + NON_TRUSTED_FW_KEY_CERT_ID, + NON_TRUSTED_FW_CONTENT_CERT_ID, /* Key file names (input/output) */ ROT_KEY_ID, TRUSTED_WORLD_KEY_ID, diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c index 59a1cd9c..20be59f7 100644 --- a/tools/cert_create/src/tbbr/tbb_cert.c +++ b/tools/cert_create/src/tbbr/tbb_cert.c @@ -40,15 +40,15 @@ * field points to itself. */ static cert_t tbb_certs[] = { - [BL2_CERT] = { - .id = BL2_CERT, - .opt = "bl2-cert", + [TRUSTED_BOOT_FW_CERT] = { + .id = TRUSTED_BOOT_FW_CERT, + .opt = "tb-fw-cert", .fn = NULL, - .cn = "BL2 Certificate", + .cn = "Trusted Boot FW Certificate", .key = ROT_KEY, - .issuer = BL2_CERT, + .issuer = TRUSTED_BOOT_FW_CERT, .ext = { - BL2_HASH_EXT + TRUSTED_BOOT_FW_HASH_EXT }, .num_ext = 1 }, 
@@ -60,104 +60,104 @@ static cert_t tbb_certs[] = { .key = ROT_KEY, .issuer = TRUSTED_KEY_CERT, .ext = { - TZ_WORLD_PK_EXT, - NTZ_WORLD_PK_EXT + TRUSTED_WORLD_PK_EXT, + NON_TRUSTED_WORLD_PK_EXT }, .num_ext = 2 }, - [BL30_KEY_CERT] = { - .id = BL30_KEY_CERT, - .opt = "bl30-key-cert", + [SCP_FW_KEY_CERT] = { + .id = SCP_FW_KEY_CERT, + .opt = "scp-fw-key-cert", .fn = NULL, - .cn = "BL3-0 Key Certificate", + .cn = "SCP Firmware Key Certificate", .key = TRUSTED_WORLD_KEY, - .issuer = BL30_KEY_CERT, + .issuer = SCP_FW_KEY_CERT, .ext = { - BL30_CONTENT_CERT_PK_EXT + SCP_FW_CONTENT_CERT_PK_EXT }, .num_ext = 1 }, - [BL30_CERT] = { - .id = BL30_CERT, - .opt = "bl30-cert", + [SCP_FW_CONTENT_CERT] = { + .id = SCP_FW_CONTENT_CERT, + .opt = "scp-fw-cert", .fn = NULL, - .cn = "BL3-0 Content Certificate", - .key = BL30_KEY, - .issuer = BL30_CERT, + .cn = "SCP Firmware Content Certificate", + .key = SCP_FW_CONTENT_CERT_KEY, + .issuer = SCP_FW_CONTENT_CERT, .ext = { - BL30_HASH_EXT + SCP_FW_HASH_EXT }, .num_ext = 1 }, - [BL31_KEY_CERT] = { - .id = BL31_KEY_CERT, - .opt = "bl31-key-cert", + [SOC_FW_KEY_CERT] = { + .id = SOC_FW_KEY_CERT, + .opt = "soc-fw-key-cert", .fn = NULL, - .cn = "BL3-1 Key Certificate", + .cn = "SoC Firmware Key Certificate", .key = TRUSTED_WORLD_KEY, - .issuer = BL31_KEY_CERT, + .issuer = SOC_FW_KEY_CERT, .ext = { - BL31_CONTENT_CERT_PK_EXT + SOC_FW_CONTENT_CERT_PK_EXT }, .num_ext = 1 }, - [BL31_CERT] = { - .id = BL31_CERT, - .opt = "bl31-cert", + [SOC_FW_CONTENT_CERT] = { + .id = SOC_FW_CONTENT_CERT, + .opt = "soc-fw-cert", .fn = NULL, - .cn = "BL3-1 Content Certificate", - .key = BL31_KEY, - .issuer = BL31_CERT, + .cn = "SoC Firmware Content Certificate", + .key = SOC_FW_CONTENT_CERT_KEY, + .issuer = SOC_FW_CONTENT_CERT, .ext = { - BL31_HASH_EXT + SOC_AP_FW_HASH_EXT }, .num_ext = 1 }, - [BL32_KEY_CERT] = { - .id = BL32_KEY_CERT, - .opt = "bl32-key-cert", + [TRUSTED_OS_FW_KEY_CERT] = { + .id = TRUSTED_OS_FW_KEY_CERT, + .opt = "tos-fw-key-cert", .fn = NULL, - 
.cn = "BL3-2 Key Certificate", + .cn = "Trusted OS Firmware Key Certificate", .key = TRUSTED_WORLD_KEY, - .issuer = BL32_KEY_CERT, + .issuer = TRUSTED_OS_FW_KEY_CERT, .ext = { - BL32_CONTENT_CERT_PK_EXT + TRUSTED_OS_FW_CONTENT_CERT_PK_EXT }, .num_ext = 1 }, - [BL32_CERT] = { - .id = BL32_CERT, - .opt = "bl32-cert", + [TRUSTED_OS_FW_CONTENT_CERT] = { + .id = TRUSTED_OS_FW_CONTENT_CERT, + .opt = "tos-fw-cert", .fn = NULL, - .cn = "BL3-2 Content Certificate", - .key = BL32_KEY, - .issuer = BL32_CERT, + .cn = "Trusted OS Firmware Content Certificate", + .key = TRUSTED_OS_FW_CONTENT_CERT_KEY, + .issuer = TRUSTED_OS_FW_CONTENT_CERT, .ext = { - BL32_HASH_EXT + TRUSTED_OS_FW_HASH_EXT }, .num_ext = 1 }, - [BL33_KEY_CERT] = { - .id = BL33_KEY_CERT, - .opt = "bl33-key-cert", + [NON_TRUSTED_FW_KEY_CERT] = { + .id = NON_TRUSTED_FW_KEY_CERT, + .opt = "nt-fw-key-cert", .fn = NULL, - .cn = "BL3-3 Key Certificate", + .cn = "Non-Trusted Firmware Key Certificate", .key = NON_TRUSTED_WORLD_KEY, - .issuer = BL33_KEY_CERT, + .issuer = NON_TRUSTED_FW_KEY_CERT, .ext = { - BL33_CONTENT_CERT_PK_EXT + NON_TRUSTED_FW_CONTENT_CERT_PK_EXT }, .num_ext = 1 }, - [BL33_CERT] = { - .id = BL33_CERT, - .opt = "bl33-cert", + [NON_TRUSTED_FW_CONTENT_CERT] = { + .id = NON_TRUSTED_FW_CONTENT_CERT, + .opt = "nt-fw-cert", .fn = NULL, - .cn = "BL3-3 Content Certificate", - .key = BL33_KEY, - .issuer = BL33_CERT, + .cn = "Non-Trusted Firmware Content Certificate", + .key = NON_TRUSTED_FW_CONTENT_CERT_KEY, + .issuer = NON_TRUSTED_FW_CONTENT_CERT, .ext = { - BL33_HASH_EXT + NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT }, .num_ext = 1 }, @@ -169,9 +169,9 @@ static cert_t tbb_certs[] = { .key = ROT_KEY, .issuer = FWU_CERT, .ext = { - SCP_BL2U_HASH_EXT, - BL2U_HASH_EXT, - NS_BL2U_HASH_EXT + SCP_FWU_CFG_HASH_EXT, + AP_FWU_CFG_HASH_EXT, + FWU_HASH_EXT }, .num_ext = 3 } diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c index b0af6f1a..1400fbfd 100644 
--- a/tools/cert_create/src/tbbr/tbb_ext.c +++ b/tools/cert_create/src/tbbr/tbb_ext.c 
@@ -42,133 +42,133 @@ #define NORMAL_WORLD_NVCTR_VALUE 0 static ext_t tbb_ext[] = { - [TZ_FW_NVCOUNTER_EXT] = { - .oid = TZ_FW_NVCOUNTER_OID, + [TRUSTED_FW_NVCOUNTER_EXT] = { + .oid = TRUSTED_FW_NVCOUNTER_OID, .sn = "TrustedWorldNVCounter", .ln = "Trusted World Non-Volatile counter", .asn1_type = V_ASN1_INTEGER, .type = EXT_TYPE_NVCOUNTER, .data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE }, - [NTZ_FW_NVCOUNTER_EXT] = { - .oid = NTZ_FW_NVCOUNTER_OID, + [NON_TRUSTED_FW_NVCOUNTER_EXT] = { + .oid = NON_TRUSTED_FW_NVCOUNTER_OID, .sn = "NormalWorldNVCounter", .ln = "Normal World Non-Volatile counter", .asn1_type = V_ASN1_INTEGER, .type = EXT_TYPE_NVCOUNTER, .data.nvcounter = NORMAL_WORLD_NVCTR_VALUE }, - [BL2_HASH_EXT] = { - .oid = BL2_HASH_OID, - .opt = "bl2", + [TRUSTED_BOOT_FW_HASH_EXT] = { + .oid = TRUSTED_BOOT_FW_HASH_OID, + .opt = "tb-fw", .sn = "TrustedBootFirmwareHash", - .ln = "Trusted Boot Firmware (BL2) hash (SHA256)", + .ln = "Trusted Boot Firmware hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH }, - [TZ_WORLD_PK_EXT] = { - .oid = TZ_WORLD_PK_OID, + [TRUSTED_WORLD_PK_EXT] = { + .oid = TRUSTED_WORLD_PK_OID, .sn = "TrustedWorldPublicKey", .ln = "Trusted World Public Key", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_PKEY, .data.key = TRUSTED_WORLD_KEY }, - [NTZ_WORLD_PK_EXT] = { - .oid = NTZ_WORLD_PK_OID, + [NON_TRUSTED_WORLD_PK_EXT] = { + .oid = NON_TRUSTED_WORLD_PK_OID, .sn = "NonTrustedWorldPublicKey", .ln = "Non-Trusted World Public Key", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_PKEY, .data.key = NON_TRUSTED_WORLD_KEY }, - [BL30_CONTENT_CERT_PK_EXT] = { - .oid = BL30_CONTENT_CERT_PK_OID, + [SCP_FW_CONTENT_CERT_PK_EXT] = { + .oid = SCP_FW_CONTENT_CERT_PK_OID, .sn = "SCPFirmwareContentCertPK", .ln = "SCP Firmware content certificate public key", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_PKEY, - .data.key = BL30_KEY + .data.key = SCP_FW_CONTENT_CERT_KEY }, - [BL30_HASH_EXT] = { - .oid = BL30_HASH_OID, - .opt = 
"bl30", + [SCP_FW_HASH_EXT] = { + .oid = SCP_FW_HASH_OID, + .opt = "scp-fw", .sn = "SCPFirmwareHash", - .ln = "SCP Firmware (BL30) hash (SHA256)", + .ln = "SCP Firmware hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH }, - [BL31_CONTENT_CERT_PK_EXT] = { - .oid = BL31_CONTENT_CERT_PK_OID, + [SOC_FW_CONTENT_CERT_PK_EXT] = { + .oid = SOC_FW_CONTENT_CERT_PK_OID, .sn = "SoCFirmwareContentCertPK", .ln = "SoC Firmware content certificate public key", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_PKEY, - .data.key = BL31_KEY + .data.key = SOC_FW_CONTENT_CERT_KEY }, - [BL31_HASH_EXT] = { - .oid = BL31_HASH_OID, - .opt = "bl31", + [SOC_AP_FW_HASH_EXT] = { + .oid = SOC_AP_FW_HASH_OID, + .opt = "soc-fw", .sn = "SoCAPFirmwareHash", - .ln = "SoC AP Firmware (BL31) hash (SHA256)", + .ln = "SoC AP Firmware hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH }, - [BL32_CONTENT_CERT_PK_EXT] = { - .oid = BL32_CONTENT_CERT_PK_OID, + [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = { + .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID, .sn = "TrustedOSFirmwareContentCertPK", .ln = "Trusted OS Firmware content certificate public key", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_PKEY, - .data.key = BL32_KEY + .data.key = TRUSTED_OS_FW_CONTENT_CERT_KEY }, - [BL32_HASH_EXT] = { - .oid = BL32_HASH_OID, - .opt = "bl32", + [TRUSTED_OS_FW_HASH_EXT] = { + .oid = TRUSTED_OS_FW_HASH_OID, + .opt = "tos-fw", .sn = "TrustedOSHash", - .ln = "Trusted OS (BL32) hash (SHA256)", + .ln = "Trusted OS hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH }, - [BL33_CONTENT_CERT_PK_EXT] = { - .oid = BL33_CONTENT_CERT_PK_OID, + [NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = { + .oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID, .sn = "NonTrustedFirmwareContentCertPK", .ln = "Non-Trusted Firmware content certificate public key", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_PKEY, - .data.key = BL33_KEY + .data.key = NON_TRUSTED_FW_CONTENT_CERT_KEY }, - [BL33_HASH_EXT] 
= { - .oid = BL33_HASH_OID, - .opt = "bl33", + [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = { + .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID, + .opt = "nt-fw", .sn = "NonTrustedWorldBootloaderHash", - .ln = "Non-Trusted World (BL33) hash (SHA256)", + .ln = "Non-Trusted World hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH }, - [SCP_BL2U_HASH_EXT] = { - .oid = SCP_BL2U_HASH_OID, - .opt = "scp_bl2u", + [SCP_FWU_CFG_HASH_EXT] = { + .oid = SCP_FWU_CFG_HASH_OID, + .opt = "scp-fwu-cfg", .sn = "SCPFWUpdateConfig", - .ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)", + .ln = "SCP Firmware Update Config hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH, .optional = 1 }, - [BL2U_HASH_EXT] = { - .oid = BL2U_HASH_OID, - .opt = "bl2u", + [AP_FWU_CFG_HASH_EXT] = { + .oid = AP_FWU_CFG_HASH_OID, + .opt = "ap-fwu-cfg", .sn = "APFWUpdateConfig", - .ln = "AP Firmware Update Config (BL2U) hash (SHA256)", + .ln = "AP Firmware Update Config hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH, .optional = 1 }, - [NS_BL2U_HASH_EXT] = { - .oid = NS_BL2U_HASH_OID, - .opt = "ns_bl2u", + [FWU_HASH_EXT] = { + .oid = FWU_HASH_OID, + .opt = "fwu", .sn = "FWUpdaterHash", - .ln = "Firmware Updater (NS_BL2U) hash (SHA256)", + .ln = "Firmware Updater hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH, .optional = 1 diff --git a/tools/cert_create/src/tbbr/tbb_key.c b/tools/cert_create/src/tbbr/tbb_key.c index eaaf1ff1..089425a9 100644 --- a/tools/cert_create/src/tbbr/tbb_key.c +++ b/tools/cert_create/src/tbbr/tbb_key.c 
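Review bot: Removing the "(BL33)" tag leaves `.ln = "Non-Trusted World hash (SHA256)"` on `NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT` with no word saying which image is hashed. Its `.sn` is still "NonTrustedWorldBootloaderHash", and every other hash extension in this hunk names its image in `.ln`. I would write `.ln = "Non-Trusted World Bootloader hash (SHA256)",` so that the long name matches the short name and the OID name; if the long name is what tools print when a certificate is inspected, that also keeps the extension identifiable during an audit of the chain of trust. The `tbb_ext[]` initializer continues past the end of this hunk.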
@@ -51,25 +51,25 @@ static key_t tbb_keys[] = { .opt = "non-trusted-world-key", .desc = "Non Trusted World key" }, - [BL30_KEY] = { - .id = BL30_KEY, - .opt = "bl30-key", - .desc = "BL30 key" + [SCP_FW_CONTENT_CERT_KEY] = { + .id = SCP_FW_CONTENT_CERT_KEY, + .opt = "scp-fw-key", + .desc = "SCP Firmware Content Certificate key" }, - [BL31_KEY] = { - .id = BL31_KEY, - .opt = "bl31-key", - .desc = "BL31 key" + [SOC_FW_CONTENT_CERT_KEY] = { + .id = SOC_FW_CONTENT_CERT_KEY, + .opt = "soc-fw-key", + .desc = "SoC Firmware Content Certificate key" }, - [BL32_KEY] = { - .id = BL32_KEY, - .opt = "bl32-key", - .desc = "BL32 key" + [TRUSTED_OS_FW_CONTENT_CERT_KEY] = { + .id = TRUSTED_OS_FW_CONTENT_CERT_KEY, + .opt = "tos-fw-key", + .desc = "Trusted OS Firmware Content Certificate key" }, - [BL33_KEY] = { - .id = BL33_KEY, - .opt = "bl33-key", - .desc = "BL33 key" + [NON_TRUSTED_FW_CONTENT_CERT_KEY] = { + .id = NON_TRUSTED_FW_CONTENT_CERT_KEY, + .opt = "nt-fw-key", + .desc = "Non Trusted Firmware Content Certificate key" } }; diff --git a/tools/fip_create/fip_create.c b/tools/fip_create/fip_create.c index 57131840..ef533c7e 100644 --- a/tools/fip_create/fip_create.c +++ b/tools/fip_create/fip_create.c 
@@ -78,25 +78,25 @@ static entry_lookup_list_t toc_entry_lookup_list[] = { "rot-cert", NULL, FLAG_FILENAME }, { "Trusted key certificate", UUID_TRUSTED_KEY_CERT, "trusted-key-cert", NULL, FLAG_FILENAME}, - { "SCP Firmware BL3-0 key certificate", UUID_SCP_FIRMWARE_BL30_KEY_CERT, - "bl30-key-cert", NULL, FLAG_FILENAME}, - { "EL3 Runtime Firmware BL3-1 key certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT, - "bl31-key-cert", NULL, FLAG_FILENAME}, - { "Secure Payload BL3-2 (Trusted OS) key certificate", UUID_SECURE_PAYLOAD_BL32_KEY_CERT, - "bl32-key-cert", NULL, FLAG_FILENAME}, - { "Non-Trusted Firmware BL3-3 key certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT, - "bl33-key-cert", NULL, FLAG_FILENAME}, + { "SCP Firmware key certificate", UUID_SCP_FW_KEY_CERT, + "scp-fw-key-cert", NULL, FLAG_FILENAME}, + { "SoC Firmware key certificate", UUID_SOC_FW_KEY_CERT, + "soc-fw-key-cert", NULL, FLAG_FILENAME}, + { "Trusted OS Firmware key certificate", UUID_TRUSTED_OS_FW_KEY_CERT, + "tos-fw-key-cert", NULL, FLAG_FILENAME}, + { "Non-Trusted Firmware key certificate", UUID_NON_TRUSTED_FW_KEY_CERT, + "nt-fw-key-cert", NULL, FLAG_FILENAME}, /* Content certificates */ - { "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT, - "bl2-cert", NULL, FLAG_FILENAME }, - { "SCP Firmware BL3-0 certificate", UUID_SCP_FIRMWARE_BL30_CERT, - "bl30-cert", NULL, FLAG_FILENAME}, - { "EL3 Runtime Firmware BL3-1 certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT, - "bl31-cert", NULL, FLAG_FILENAME}, - { "Secure Payload BL3-2 (Trusted OS) certificate", UUID_SECURE_PAYLOAD_BL32_CERT, - "bl32-cert", NULL, FLAG_FILENAME}, - { "Non-Trusted Firmware BL3-3 certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_CERT, - "bl33-cert", NULL, FLAG_FILENAME}, + { "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FW_CERT, + "tb-fw-cert", NULL, FLAG_FILENAME }, + { "SCP Firmware content certificate", UUID_SCP_FW_CONTENT_CERT, + "scp-fw-cert", NULL, FLAG_FILENAME}, + { "SoC Firmware 
content certificate", UUID_SOC_FW_CONTENT_CERT, + "soc-fw-cert", NULL, FLAG_FILENAME}, + { "Trusted OS Firmware content certificate", UUID_TRUSTED_OS_FW_CONTENT_CERT, + "tos-fw-cert", NULL, FLAG_FILENAME}, + { "Non-Trusted Firmware content certificate", UUID_NON_TRUSTED_FW_CONTENT_CERT, + "nt-fw-cert", NULL, FLAG_FILENAME}, { NULL, {0}, 0 } };
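Review bot: The first content-certificate entry keeps the old image name in its description, `"Trusted Boot Firmware BL2 certificate"`, while every other description changed in this hunk drops the BL3-x name and the four below it say "content certificate". If this is not deliberate (the image entries earlier in `toc_entry_lookup_list[]` are outside the hunk, so I cannot see which style they use), I would change it to `{ "Trusted Boot Firmware content certificate", UUID_TRUSTED_BOOT_FW_CERT,` so that the listing printed for a FIP uses one naming scheme for all certificates.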