1#!/usr/bin/env bash
2#
3# Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
4#
5# SPDX-License-Identifier: BSD-3-Clause
6#
7
8# Relationship of the generated variable write requests:
9#
10# @startuml
11# left to right direction
12
13# rectangle PK1
14# rectangle PK2
15# rectangle PK3
16# rectangle KEK
17# rectangle db1
18# rectangle db2
19# rectangle var
20
21# PK1  --> PK1 : delete
22# PK1  --> PK2
23# PK1  --> KEK
24# PK1  --> db2
25# PK2  --> PK2 : delete
26# PK1 --> KEK : delete
27# KEK --> db1
28# var --> var : append
29# var --> var : append_old
30# var --> var : delete
31# var --> var : delete_old
32# @enduml
33
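# Abort on the first failing command, unset variable or failed pipeline
# stage: each step below consumes the files of the previous one, so a
# silently failed step would otherwise yield empty or stale test vectors.
set -euo pipefail

# Check environment: every external tool used below must be present before
# any file is generated. sign-efi-sig-list, cert-to-efi-sig-list and sbsign
# come from efitools (sbsign is not invoked by this script; the check is kept
# as an efitools sanity check); xxd is typically packaged with vim.
command -v sign-efi-sig-list    >/dev/null || { echo "Please install 'efitools' Minimum version: 1.8.1" >&2; exit 1; }
command -v cert-to-efi-sig-list >/dev/null || { echo "Please install 'efitools' Minimum version: 1.8.1" >&2; exit 1; }
command -v sbsign               >/dev/null || { echo "Please install 'efitools' Minimum version: 1.8.1" >&2; exit 1; }
command -v openssl              >/dev/null || { echo "Please install 'openssl'" >&2; exit 1; }
command -v xxd                  >/dev/null || { echo "Please install 'xxd'" >&2; exit 1; }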
38
39
# Output locations, relative to the directory the script is started from:
# generated C headers go to HEADER_FOLDER, every intermediate key, ESL and
# .auth file to TEMP_FOLDER.
readonly HEADER_FOLDER=auth_vectors
readonly TEMP_FOLDER=temp_files
42
# Generate a certificate with a public key and its private key file
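generate_key_cert() {
    # Self-signed test signer: $1 is the base name; writes $1.key, $1.crt,
    # $1.pem ({CRT,KEY} concatenated) and $1.der into the current directory.
    # The private key is written unencrypted (-nodes) on purpose: these are
    # throw-away test keys that the later signing steps read without a
    # passphrase. Returns non-zero, without touching any file, when the name
    # is missing, and the failing command's status when openssl or cat fails.
    local name=${1-}
    if [[ -z "$name" ]]; then
        echo "generate_key_cert: missing certificate name" >&2
        return 1
    fi

    # RSA-2048 / SHA-256 self-signed certificate, valid for 10 years
    openssl req -x509 -newkey rsa:2048 -subj "/CN=Test ${name}/" \
        -keyout "${name}.key" -out "${name}.crt" -days 3650 -nodes -sha256 || return

    # Concatenated {CRT,KEY} PEM file and a DER copy of the certificate for later use
    cat -- "${name}.crt" "${name}.key" > "${name}.pem" || return
    openssl x509 -in "${name}.crt" -out "${name}.der" -outform DER
}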
53
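# Create the output directories and work inside TEMP_FOLDER. Abort if the
# directory cannot be created or entered; otherwise every intermediate file
# below would be written into the caller's current directory instead.
mkdir -p -- "${HEADER_FOLDER}" "${TEMP_FOLDER}" || exit 1
pushd "${TEMP_FOLDER}" || exit 1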
57
# Create one signer certificate per key-store owner (PK1..PK3, KEK, DB1, DB2)
# plus one for the custom variable (VAR); the names double as the base names
# of the key, certificate, ESL and .auth files generated below.
for signer in PK1 PK2 PK3 KEK DB1 DB2 VAR; do
    generate_key_cert "$signer"
done
66
67# Create data file for the custom variable
68cat <<EOF > var_data_part01.txt
69The term 'trusted service' is used as a general name for a class of application that runs in an isolated
70processing environment. Other applications rely on trusted services to perform security related operations in
71a way that avoids exposing secret data beyond the isolation boundary of the environment. The word 'trusted'
72does not imply anything inherently trustworthy about a service application but rather that other applications
73put trust in the service. Meeting those trust obligations relies on a range of hardware and firmware
74implemented security measures.
75EOF
76
77cat <<EOF > var_data_part02.txt
78The Arm Application-profile (A-profile) architecture, in combination with standard firmware, provides a range
79of isolated processing environments that offer hardware-backed protection against various classes of attack.
80Because of their strong security properties, these environments are suitable for running applications that have
81access to valuable assets such as keys or sensitive user data. The goal of the Trusted Services project is
82to provide a framework in which security related services may be developed, tested and easily deployed to
83run in any of the supported environments. A core set of trusted services are implemented to provide basic
84device security functions such as cryptography and secure storage.
85
86Example isolated processing environments are:
87
88    - **Secure partitions** - secure world isolated environments managed by a secure partition manager
89    - **Trusted applications** - application environments managed by a TEE
90    - **VM backed container** - container runtime that uses a hypervisor to provide hardware backed container isolation
91
92The default reference system, used for test and development, uses the Secure Partition Manager configuration
93of OP-TEE to manage a set of secure partitions running at S-EL0. The secure partitions host service providers
94that implement PSA root-of-trust services. Services may be accessed using client-side C bindings that expose PSA
95Functional APIs. UEFI SMM services are provided by the SMM Gateway.
96EOF
97
98cat var_data_part01.txt var_data_part02.txt > var_data.txt
99
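# Generate an EFI signature list (ESL) from each key-store certificate; the
# ESL is the payload of a key-store variable write request. NULL.esl is an
# empty list that is signed further down to produce the delete requests; it
# is truncated rather than touched so a stale file cannot leak content into
# those requests. Abort on the first failure instead of signing nothing.
for signer in PK1 PK2 PK3 KEK DB1 DB2; do
    cert-to-efi-sig-list "${signer}.crt" "${signer}.esl" || exit 1
done
: > NULL.esl

# Put an unrelated list (PK3) in front of the real KEK list to test that a
# payload carrying multiple signature lists is supported
cat -- PK3.esl KEK.esl > KEK_concatenated.esl || exit 1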
111
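# Sign the key-store write requests. PK1 signs the PK, KEK and db2 requests
# (and its own and KEK's delete), PK2 and PK3 sign their own PK requests and
# KEK signs db1 (see the diagram at the top). Each request is followed by a
# one second pause, presumably so that consecutive requests get strictly
# increasing (second-granularity) timestamps — confirm against the tests
# before removing it.
sign_keystore_request() {
    # $1 signer base name, $2 variable name, $3 input ESL, $4 output .auth;
    # exits the script if signing fails so no header is built from a missing file
    local signer=$1 variable=$2 esl=$3 out=$4
    sign-efi-sig-list -c "${signer}.crt" -k "${signer}.key" "$variable" "$esl" "$out" || exit 1
    sleep 1
}

sign_keystore_request PK1 PK  PK1.esl              PK1.auth
sign_keystore_request PK1 PK  NULL.esl             PK1_delete.auth
sign_keystore_request PK1 PK  PK2.esl              PK2.auth
sign_keystore_request PK2 PK  NULL.esl             PK2_delete.auth
sign_keystore_request PK3 PK  PK3.esl              PK3.auth
sign_keystore_request PK1 KEK KEK_concatenated.esl KEK.auth
sign_keystore_request PK1 KEK NULL.esl             KEK_delete.auth
sign_keystore_request PK1 db  DB2.esl              DB2.auth
sign_keystore_request KEK db  DB1.esl              DB1.auth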
121
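# Requests for the custom variable 'var', all signed by VAR. The vendor GUID
# must be kept synchronized with m_common_guid in the tests. The *_old
# requests carry a fixed timestamp (-t 0), presumably so the tests have
# requests that are older than the current variable content; the others use
# the current time, one second apart. Abort on the first signing failure.
readonly VAR_GUID='01234567-89AB-CDEF-0123-456789ABCDEF'
var_sign_cmd=(sign-efi-sig-list -c VAR.crt -k VAR.key -g "${VAR_GUID}")

"${var_sign_cmd[@]}" -t 0 -a var var_data_part02.txt var_append_old.auth || exit 1
"${var_sign_cmd[@]}" -t 0    var /dev/null           var_delete_old.auth || exit 1; sleep 1
"${var_sign_cmd[@]}"         var var_data_part01.txt var.auth            || exit 1; sleep 1
"${var_sign_cmd[@]}" -a      var var_data_part02.txt var_append.auth     || exit 1; sleep 1
"${var_sign_cmd[@]}"         var /dev/null           var_delete.auth     || exit 1; sleep 1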
128
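# Generate C headers from the .auth files and the variable data. xxd -i
# derives the emitted C array name from its input file name (non-alphanumeric
# characters become '_'), so the input names are part of the tests' interface
# — presumably the tests refer to e.g. PK1_auth; verify before renaming. The
# header names are what the tests include (note the lower-case db1/db2).
# Abort on the first failure so a missing .auth file is not turned into an
# empty header.
while read -r source_file header_file; do
    xxd -i "$source_file" > "../${HEADER_FOLDER}/${header_file}" || exit 1
done <<'EOF'
PK1.auth            PK1.h
PK2.auth            PK2.h
PK3.auth            PK3.h
PK1_delete.auth     PK1_delete.h
PK2_delete.auth     PK2_delete.h
KEK.auth            KEK.h
KEK_delete.auth     KEK_delete.h
DB2.auth            db2.h
DB1.auth            db1.h
var_append_old.auth var_append_old.h
var_delete_old.auth var_delete_old.h
var.auth            var.h
var_append.auth     var_append.h
var_delete.auth     var_delete.h
var_data.txt        var_data.h
EOF

# Back to the directory the script was started from
popd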
147
# Licence banner prepended to every generated header; the year is the one
# the script runs in. The banner carries no trailing newline, the loop that
# writes it into the headers adds its own separator.
current_year=$(date +%Y)
printf -v copyright_header '%s\n' \
    '/*' \
    " * Copyright (c) ${current_year}, Arm Limited. All rights reserved." \
    ' *' \
    ' * SPDX-License-Identifier: BSD-3-Clause' \
    ' *' \
    ' * This file was generated by generate_auth_headers.sh' \
    ' */'
# printf leaves a newline after the last line; drop it
copyright_header=${copyright_header%$'\n'}
160
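# Prepend the licence banner to every generated header. printf is used
# instead of echo -e so that a backslash in the header contents is never
# interpreted. The file's contents are read by the command substitution
# (which strips trailing newlines, as before) before the redirection
# truncates the file, because bash expands the arguments of a simple
# command ahead of performing its redirections. Abort on the first failure
# so a half-written header is noticed.
for header_file in "./${HEADER_FOLDER}"/*; do
    [[ -f "$header_file" ]] || continue
    printf '%s\n\n%s\n' "${copyright_header}" "$(cat -- "$header_file")" > "$header_file" || exit 1
done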
168