1 /*
2  * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include "tbbr/tbb_cert.h"
8 #include "tbbr/tbb_ext.h"
9 #include "tbbr/tbb_key.h"
10 
11 /*
12  * Certificates used in the chain of trust
13  *
 * Entries are indexed by the certificate enumeration in tbb_cert.h, so each
 * certificate must sit at the position of its own enumerator. All certificates
 * are self-signed, so each issuer field points back to the certificate itself.
17  */
/*
 * Field guide for each cert_t entry:
 *   .id / .issuer  - certificate enumerator; issuer == id (self-signed).
 *   .opt/.help_msg - command-line option name and its help text.
 *   .fn            - output file path; NULL here, presumably filled in when
 *                    the option is parsed (TODO confirm in the caller).
 *   .cn            - certificate Common Name.
 *   .key           - key index (tbb_key.h) the certificate is signed with.
 *   .ext/.num_ext  - extensions (tbb_ext.h) carried by the certificate and
 *                    their count. num_ext is maintained by hand and must
 *                    equal the number of initialisers in .ext; keep both in
 *                    step when adding or removing an extension.
 *
 * Trust is chained through key material published in extensions rather than
 * through X.509 issuer links: TRUSTED_KEY_CERT (signed by ROT_KEY) publishes
 * the trusted- and non-trusted-world public keys, each *_KEY_CERT (signed by
 * a world key) publishes the *_CONTENT_CERT_PK_EXT, and each *_CONTENT_CERT
 * (signed by the matching *_CONTENT_CERT_KEY) carries the image hashes. The
 * *_NVCOUNTER_EXT entries are presumably the anti-rollback counters; note
 * which certificates carry one (all but FWU_CERT below).
 */
static cert_t tbb_certs[] = {
	/* Signed by the root-of-trust key; carries the trusted boot FW and config hashes. */
	[TRUSTED_BOOT_FW_CERT] = {
		.id = TRUSTED_BOOT_FW_CERT,
		.opt = "tb-fw-cert",
		.help_msg = "Trusted Boot FW Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted Boot FW Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_BOOT_FW_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
			FW_CONFIG_HASH_EXT
		},
		.num_ext = 5
	},
	/* Root of the key hierarchy: publishes the trusted- and non-trusted-world public keys. */
	[TRUSTED_KEY_CERT] = {
		.id = TRUSTED_KEY_CERT,
		.opt = "trusted-key-cert",
		.help_msg = "Trusted Key Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted Key Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_WORLD_PK_EXT,
			NON_TRUSTED_WORLD_PK_EXT
		},
		.num_ext = 3
	},
	/* Signed by the trusted-world key; publishes the key that signs SCP_FW_CONTENT_CERT. */
	[SCP_FW_KEY_CERT] = {
		.id = SCP_FW_KEY_CERT,
		.opt = "scp-fw-key-cert",
		.help_msg = "SCP Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "SCP Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SCP_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	/* Signed by the key published in SCP_FW_KEY_CERT; carries the SCP image hash. */
	[SCP_FW_CONTENT_CERT] = {
		.id = SCP_FW_CONTENT_CERT,
		.opt = "scp-fw-cert",
		.help_msg = "SCP Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "SCP Firmware Content Certificate",
		.key = SCP_FW_CONTENT_CERT_KEY,
		.issuer = SCP_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_HASH_EXT
		},
		.num_ext = 2
	},
	/* Signed by the trusted-world key; publishes the key that signs SOC_FW_CONTENT_CERT. */
	[SOC_FW_KEY_CERT] = {
		.id = SOC_FW_KEY_CERT,
		.opt = "soc-fw-key-cert",
		.help_msg = "SoC Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "SoC Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SOC_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	/* Signed by the key published in SOC_FW_KEY_CERT; carries the SoC AP FW and config hashes. */
	[SOC_FW_CONTENT_CERT] = {
		.id = SOC_FW_CONTENT_CERT,
		.opt = "soc-fw-cert",
		.help_msg = "SoC Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "SoC Firmware Content Certificate",
		.key = SOC_FW_CONTENT_CERT_KEY,
		.issuer = SOC_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},
	/* Signed by the trusted-world key; publishes the key that signs TRUSTED_OS_FW_CONTENT_CERT. */
	[TRUSTED_OS_FW_KEY_CERT] = {
		.id = TRUSTED_OS_FW_KEY_CERT,
		.opt = "tos-fw-key-cert",
		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted OS Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = TRUSTED_OS_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	/* Signed by the key published in TRUSTED_OS_FW_KEY_CERT; carries the Trusted OS image, extra image and config hashes. */
	[TRUSTED_OS_FW_CONTENT_CERT] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted OS Firmware Content Certificate",
		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 5
	},
	/*
	 * Non-trusted chain: signed by the non-trusted-world key and carrying
	 * its own NV counter extension, separate from the trusted-FW one.
	 */
	[NON_TRUSTED_FW_KEY_CERT] = {
		.id = NON_TRUSTED_FW_KEY_CERT,
		.opt = "nt-fw-key-cert",
		.help_msg = "Non-Trusted Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "Non-Trusted Firmware Key Certificate",
		.key = NON_TRUSTED_WORLD_KEY,
		.issuer = NON_TRUSTED_FW_KEY_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	/* Signed by the key published in NON_TRUSTED_FW_KEY_CERT; carries the non-trusted bootloader and config hashes. */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},
	/*
	 * No separate key certificate for this one: the content certificate is
	 * signed directly by the trusted-world key and carries up to eight
	 * Secure Partition package hashes.
	 */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.fn = NULL,
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
		},
		.num_ext = 9
	},
	/*
	 * Firmware update certificate, signed by the root-of-trust key. It is
	 * the only entry in this table with no *_NVCOUNTER_EXT extension.
	 */
	[FWU_CERT] = {
		.id = FWU_CERT,
		.opt = "fwu-cert",
		.help_msg = "Firmware Update Certificate (output file)",
		.fn = NULL,
		.cn = "Firmware Update Certificate",
		.key = ROT_KEY,
		.issuer = FWU_CERT,
		.ext = {
			SCP_FWU_CFG_HASH_EXT,
			AP_FWU_CFG_HASH_EXT,
			FWU_HASH_EXT
		},
		.num_ext = 3
	}
};

/*
 * Register the table above as the tool's chain of trust. REGISTER_COT is
 * presumably defined in one of the tbbr headers included at the top of the
 * file; what it derives from the table (e.g. its entry count) is not visible
 * here.
 */
REGISTER_COT(tbb_certs);
207