/*
 * Copyright (c) 2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include "cca/cca_cot.h"

#include <cca_oid.h>

#include "cert.h"
#include "ext.h"
#include "key.h"

/*
 * Certificates that make up the CCA chain of trust, indexed by certificate id.
 *
 * Every entry names itself as .issuer, i.e. each certificate is self-signed.
 * The issuer field therefore expresses no trust relationship. What links the
 * entries in this table is the signing key (.key) together with the
 * public-key extensions carried by the two key certificates:
 *
 *   ROT_KEY      -> CCA_CONTENT_CERT
 *   SWD_ROT_KEY  -> CORE_SWD_KEY_CERT (carries SWD_ROT_PK_EXT, CORE_SWD_PK_EXT)
 *   CORE_SWD_KEY -> SPMC_CONTENT_CERT, SIP_SECURE_PARTITION_CONTENT_CERT
 *   PROT_KEY     -> PLAT_KEY_CERT (carries PROT_PK_EXT, PLAT_PK_EXT)
 *   PLAT_KEY     -> PLAT_SECURE_PARTITION_CONTENT_CERT,
 *                   NON_TRUSTED_FW_CONTENT_CERT
 *
 * .num_ext is maintained by hand and has to equal the number of entries in
 * .ext.
 * NOTE(review): presumably the tool walks only the first .num_ext entries, so
 * a count that is too small would leave an image hash out of the signed
 * certificate without any build error - re-count whenever a list is edited.
 */
static cert_t cot_certs[] = {
	/* Signed by ROT_KEY; trusted-world NV counter plus eight-entry hash set. */
	[CCA_CONTENT_CERT] = {
		.id = CCA_CONTENT_CERT,
		.opt = "cca-cert",
		.help_msg = "CCA Content Certificate (output file)",
		.cn = "CCA Content Certificate",
		.key = ROT_KEY,
		.issuer = CCA_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
			RMM_HASH_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
			FW_CONFIG_HASH_EXT,
		},
		.num_ext = 8
	},

	/* Signed by SWD_ROT_KEY; publishes the key that signs the two certs below. */
	[CORE_SWD_KEY_CERT] = {
		.id = CORE_SWD_KEY_CERT,
		.opt = "core-swd-cert",
		.help_msg = "Core Secure World Key Certificate (output file)",
		.cn = "Core Secure World Key Certificate",
		.key = SWD_ROT_KEY,
		.issuer = CORE_SWD_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SWD_ROT_PK_EXT,
			CORE_SWD_PK_EXT,
		},
		.num_ext = 3
	},

	/* Signed by CORE_SWD_KEY; note the option name is "tos-fw-cert". */
	[SPMC_CONTENT_CERT] = {
		.id = SPMC_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "SPMC Content Certificate (output file)",
		.cn = "SPMC Content Certificate",
		.key = CORE_SWD_KEY,
		.issuer = SPMC_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},

	/* Signed by CORE_SWD_KEY; secure partition packages 1 to 4. */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = CORE_SWD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
		},
		.num_ext = 5
	},

	/* Signed by PROT_KEY; publishes the key that signs the two certs below. */
	[PLAT_KEY_CERT] = {
		.id = PLAT_KEY_CERT,
		.opt = "plat-key-cert",
		.help_msg = "Platform Key Certificate (output file)",
		.cn = "Platform Key Certificate",
		.key = PROT_KEY,
		.issuer = PLAT_KEY_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			PROT_PK_EXT,
			PLAT_PK_EXT,
		},
		.num_ext = 3
	},

	/* Signed by PLAT_KEY; secure partition packages 5 to 8. */
	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.opt = "plat-sp-cert",
		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
		.cn = "Platform owned Secure Partition Content Certificate",
		.key = PLAT_KEY,
		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
		},
		.num_ext = 5
	},

	/* Signed by PLAT_KEY; non-trusted world bootloader and its config. */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = PLAT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},
};

REGISTER_COT(cot_certs);


/*
 * Certificate extensions, indexed by extension id.
 *
 * Three kinds appear below: NV counters (V_ASN1_INTEGER), image or config
 * hashes (V_ASN1_OCTET_STRING, EXT_TYPE_HASH) and public keys
 * (V_ASN1_OCTET_STRING, EXT_TYPE_PKEY, bound to a key through .attr.key).
 * The public-key entries define no .opt or .help_msg.
 *
 * NOTE(review): entries with ".optional = 1" are presumably hashes of inputs
 * that may be left out. How an omitted optional hash ends up encoded in the
 * certificate is decided by the tool's generic code, not by this table -
 * confirm it matches what the verifying firmware expects.
 * NOTE(review): the "(SHA256)" suffix in several .ln strings is a fixed label;
 * nothing in this table selects the digest algorithm.
 * NOTE(review): the NV counter values are presumably what the verifier checks
 * for rollback protection - confirm against the platform's counter handling.
 */
static ext_t cot_ext[] = {
	/* NV counter listed by the CCA and secure-world certificates. */
	[TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = TRUSTED_FW_NVCOUNTER_OID,
		.opt = "tfw-nvctr",
		.help_msg = "Trusted Firmware Non-Volatile counter value",
		.sn = "TrustedWorldNVCounter",
		.ln = "Trusted World Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_TFW
	},

	/* Hashes listed by CCA_CONTENT_CERT (boot firmware and config files). */
	[TRUSTED_BOOT_FW_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_HASH_OID,
		.opt = "tb-fw",
		.help_msg = "Trusted Boot Firmware image file",
		.sn = "TrustedBootFirmwareHash",
		.ln = "Trusted Boot Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
		.opt = "tb-fw-config",
		.help_msg = "Trusted Boot Firmware Config file",
		.sn = "TrustedBootFirmwareConfigHash",
		.ln = "Trusted Boot Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[HW_CONFIG_HASH_EXT] = {
		.oid = HW_CONFIG_HASH_OID,
		.opt = "hw-config",
		.help_msg = "HW Config file",
		.sn = "HWConfigHash",
		.ln = "HW Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[FW_CONFIG_HASH_EXT] = {
		.oid = FW_CONFIG_HASH_OID,
		.opt = "fw-config",
		.help_msg = "Firmware Config file",
		.sn = "FirmwareConfigHash",
		.ln = "Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Public keys carried by CORE_SWD_KEY_CERT. */
	[SWD_ROT_PK_EXT] = {
		.oid = SWD_ROT_PK_OID,
		.sn = "SWDRoTKey",
		.ln = "Secure World Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SWD_ROT_KEY
	},

	[CORE_SWD_PK_EXT] = {
		.oid = CORE_SWD_PK_OID,
		.sn = "CORESWDKey",
		.ln = "Core Secure World Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = CORE_SWD_KEY
	},

	/* Remaining hashes listed by CCA_CONTENT_CERT (SoC firmware and RMM). */
	[SOC_AP_FW_HASH_EXT] = {
		.oid = SOC_AP_FW_HASH_OID,
		.opt = "soc-fw",
		.help_msg = "SoC AP Firmware image file",
		.sn = "SoCAPFirmwareHash",
		.ln = "SoC AP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	[SOC_FW_CONFIG_HASH_EXT] = {
		.oid = SOC_FW_CONFIG_HASH_OID,
		.opt = "soc-fw-config",
		.help_msg = "SoC Firmware Config file",
		.sn = "SocFirmwareConfigHash",
		.ln = "SoC Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[RMM_HASH_EXT] = {
		.oid = RMM_HASH_OID,
		.opt = "rmm-fw",
		.help_msg = "RMM Firmware image file",
		.sn = "RMMFirmwareHash",
		.ln = "RMM Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	/* Hashes listed by SPMC_CONTENT_CERT. */
	[TRUSTED_OS_FW_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_HASH_OID,
		.opt = "tos-fw",
		.help_msg = "Trusted OS image file",
		.sn = "TrustedOSHash",
		.ln = "Trusted OS hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
		.opt = "tos-fw-config",
		.help_msg = "Trusted OS Firmware Config file",
		.sn = "TrustedOSFirmwareConfigHash",
		.ln = "Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Hashes listed by SIP_SECURE_PARTITION_CONTENT_CERT (packages 1-4). */
	[SP_PKG1_HASH_EXT] = {
		.oid = SP_PKG1_HASH_OID,
		.opt = "sp-pkg1",
		.help_msg = "Secure Partition Package1 file",
		.sn = "SPPkg1Hash",
		.ln = "SP Pkg1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG2_HASH_EXT] = {
		.oid = SP_PKG2_HASH_OID,
		.opt = "sp-pkg2",
		.help_msg = "Secure Partition Package2 file",
		.sn = "SPPkg2Hash",
		.ln = "SP Pkg2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG3_HASH_EXT] = {
		.oid = SP_PKG3_HASH_OID,
		.opt = "sp-pkg3",
		.help_msg = "Secure Partition Package3 file",
		.sn = "SPPkg3Hash",
		.ln = "SP Pkg3 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG4_HASH_EXT] = {
		.oid = SP_PKG4_HASH_OID,
		.opt = "sp-pkg4",
		.help_msg = "Secure Partition Package4 file",
		.sn = "SPPkg4Hash",
		.ln = "SP Pkg4 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Public keys carried by PLAT_KEY_CERT. */
	[PROT_PK_EXT] = {
		.oid = PROT_PK_OID,
		.sn = "PlatformRoTKey",
		.ln = "Platform Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PROT_KEY
	},

	[PLAT_PK_EXT] = {
		.oid = PLAT_PK_OID,
		.sn = "PLATKey",
		.ln = "Platform Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PLAT_KEY
	},

	/* Hashes listed by PLAT_SECURE_PARTITION_CONTENT_CERT (packages 5-8). */
	[SP_PKG5_HASH_EXT] = {
		.oid = SP_PKG5_HASH_OID,
		.opt = "sp-pkg5",
		.help_msg = "Secure Partition Package5 file",
		.sn = "SPPkg5Hash",
		.ln = "SP Pkg5 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG6_HASH_EXT] = {
		.oid = SP_PKG6_HASH_OID,
		.opt = "sp-pkg6",
		.help_msg = "Secure Partition Package6 file",
		.sn = "SPPkg6Hash",
		.ln = "SP Pkg6 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG7_HASH_EXT] = {
		.oid = SP_PKG7_HASH_OID,
		.opt = "sp-pkg7",
		.help_msg = "Secure Partition Package7 file",
		.sn = "SPPkg7Hash",
		.ln = "SP Pkg7 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG8_HASH_EXT] = {
		.oid = SP_PKG8_HASH_OID,
		.opt = "sp-pkg8",
		.help_msg = "Secure Partition Package8 file",
		.sn = "SPPkg8Hash",
		.ln = "SP Pkg8 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* NV counter listed by the three platform-side certificates. */
	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
		.opt = "ntfw-nvctr",
		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
		.sn = "NormalWorldNVCounter",
		.ln = "Non-Trusted Firmware Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_NTFW
	},

	/* Hashes listed by NON_TRUSTED_FW_CONTENT_CERT. */
	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
		.opt = "nt-fw",
		.help_msg = "Non-Trusted World Bootloader image file",
		.sn = "NonTrustedWorldBootloaderHash",
		.ln = "Non-Trusted World hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
		.opt = "nt-fw-config",
		.help_msg = "Non Trusted OS Firmware Config file",
		.sn = "NonTrustedOSFirmwareConfigHash",
		.ln = "Non-Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
};

REGISTER_EXTENSIONS(cot_ext);

/*
 * Keys used to establish the chain of trust, indexed by key id.
 *
 * ROT_KEY, SWD_ROT_KEY and PROT_KEY each head one branch of the certificate
 * table; CORE_SWD_KEY and PLAT_KEY are the second-level keys whose public
 * halves are published by CORE_SWD_KEY_CERT and PLAT_KEY_CERT respectively.
 * Only ROT_KEY's help text states the file direction ("input/output file").
 * NOTE(review): the files named through these options presumably hold the
 * signing keys themselves - confirm, and store them as signing material.
 */
static key_t cot_keys[] = {
	[ROT_KEY] = {
		.id = ROT_KEY,
		.opt = "rot-key",
		.help_msg = "Root Of Trust key (input/output file)",
		.desc = "Root Of Trust key"
	},

	[SWD_ROT_KEY] = {
		.id = SWD_ROT_KEY,
		.opt = "swd-rot-key",
		.help_msg = "Secure World Root of Trust key",
		.desc = "Secure World Root of Trust key"
	},

	[CORE_SWD_KEY] = {
		.id = CORE_SWD_KEY,
		.opt = "core-swd-key",
		.help_msg = "Core Secure World key",
		.desc = "Core Secure World key"
	},

	[PROT_KEY] = {
		.id = PROT_KEY,
		.opt = "prot-key",
		.help_msg = "Platform Root of Trust key",
		.desc = "Platform Root of Trust key"
	},

	[PLAT_KEY] = {
		.id = PLAT_KEY,
		.opt = "plat-key",
		.help_msg = "Platform key",
		.desc = "Platform key"
	},
};

REGISTER_KEYS(cot_keys);