diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index e934d72..71d9747 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -58,6 +58,14 @@
 TRUSTED_KEY_CERT := ${BUILD_PLAT}/trusted_key.crt
 FWU_CERT := ${BUILD_PLAT}/fwu_cert.crt
 
+# Default non-volatile counter values (overridable by the platform)
+TFW_NVCTR_VAL ?= 0
+NTFW_NVCTR_VAL ?= 0
+
+# Pass the non-volatile counters to the cert_create tool
+$(eval $(call CERT_ADD_CMD_OPT,${TFW_NVCTR_VAL},--tfw-nvctr))
+$(eval $(call CERT_ADD_CMD_OPT,${NTFW_NVCTR_VAL},--ntfw-nvctr))
+
 # Add Trusted Key certificate to the fip_create and cert_create command line options
 $(eval $(call FIP_ADD_PAYLOAD,${TRUSTED_KEY_CERT},--trusted-key-cert))
 $(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_KEY_CERT},--trusted-key-cert))
diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
index 82a4bcb..95bde6c 100644
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@@ -35,12 +35,18 @@
 #include
 
 /* Extension types supported */
-enum {
+enum ext_type_e {
 EXT_TYPE_NVCOUNTER,
 EXT_TYPE_PKEY,
 EXT_TYPE_HASH
 };
 
+/* NV-Counter types */
+enum nvctr_type_e {
+ NVCTR_TYPE_TFW,
+ NVCTR_TYPE_NTFW
+};
+
 /*
 * This structure contains the relevant information to create the extensions
 * to be included in the certificates. This extensions will be used to
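Review bot: The comment above `TFW_NVCTR_VAL ?= 0` should say what these values mean, since a platform maintainer reading this file gets no hint that a counter left at its default of 0 never changes across releases. Presumably these are the TBBR non-volatile counters that the boot ROM or BL1/BL2 compares against the on-chip counters (the boot-time check is not on this page), in which case a platform is expected to raise them when it ships firmware that older images must no longer be able to replace. I would expand the comment to `# Default non-volatile counter values (overridable by the platform); raise these when releasing firmware that must not be downgraded to an older image`. Note that nothing in the makefile validates an overriding value, so a non-numeric or negative override reaches cert_create unchecked.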
@@ -50,20 +56,21 @@
 const char *oid; /* OID of the extension */
 const char *sn; /* Short name */
 const char *ln; /* Long description */
+ const char *opt; /* Command line option to specify data */
 const char *help_msg; /* Help message */
+ const char *arg; /* Argument passed from command line */
 int asn1_type; /* OpenSSL ASN1 type of the extension data.
 * Supported types are:
 * - V_ASN1_INTEGER
 * - V_ASN1_OCTET_STRING
 */
- int type;
- const char *opt; /* Command line option to specify data */
- /* Extension data (depends on extension type) */
+ int type; /* See ext_type_e */
+
+ /* Extension attributes (depends on extension type) */
 union {
- const char *fn; /* File with extension data */
- int nvcounter; /* Non volatile counter */
- int key; /* Public key */
- } data;
+ int nvctr_type; /* See nvctr_type_e */
+ int key; /* Index into array of registered public keys */
+ } attr;
 int alias; /* In case OpenSSL provides an standard
 * extension of the same type, add the new
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 3d2b4ba..c87d988 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -196,9 +196,17 @@
 for (j = 0; j < cert->num_ext; j++) {
 ext = &extensions[cert->ext[j]];
 switch (ext->type) {
+ case EXT_TYPE_NVCOUNTER:
+ /* Counter value must be specified */
+ if ((!ext->optional) && (ext->arg == NULL)) {
+ ERROR("Value for '%s' not specified\n",
+ ext->ln);
+ exit(1);
+ }
+ break;
 case EXT_TYPE_PKEY:
 /* Key filename must be specified */
- key = &keys[ext->data.key];
+ key = &keys[ext->attr.key];
 if (!new_keys && key->fn == NULL) {
 ERROR("Key '%s' required by '%s' not "
 "specified\n", key->desc,
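Review bot: The new `arg` field's comment does not say who owns the string: main.c fills it with `strdup(optarg)` (the hunk at -331 in this diff), so it is a heap copy that the `ext_t` owns and never frees, unlike `opt` and `help_msg`, which tbb_ext.c points at string literals. Suggest `const char *arg; /* Argument passed from command line (heap copy from strdup(), owned by this ext_t) */`. It would also help to state here that `arg` is interpreted according to `type` (a file path for EXT_TYPE_HASH, a decimal counter value for EXT_TYPE_NVCOUNTER), since that is the contract the switch statements in main.c rely on. The struct definition starts and ends outside the hunk.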
@@ -211,15 +219,15 @@
 * Binary image must be specified
 * unless it is explicitly made optional.
 */
- if ((!ext->optional) && (ext->data.fn == NULL)) {
+ if ((!ext->optional) && (ext->arg == NULL)) {
 ERROR("Image for '%s' not specified\n",
 ext->ln);
 exit(1);
 }
 break;
 default:
- ERROR("Unknown extension type in '%s'\n",
- ext->ln);
+ ERROR("Unknown extension type '%d' in '%s'\n",
+ ext->type, ext->ln);
 exit(1);
 break;
 }
@@ -259,7 +267,7 @@
 key_t *key = NULL;
 cert_t *cert = NULL;
 FILE *file = NULL;
- int i, j, ext_nid;
+ int i, j, ext_nid, nvctr;
 int c, opt_idx = 0;
 const struct option *cmd_opt;
 const char *cur_opt;
@@ -331,7 +339,7 @@
 case CMD_OPT_EXT:
 cur_opt = cmd_opt_get_name(opt_idx);
 ext = ext_get_by_opt(cur_opt);
- ext->data.fn = strdup(optarg);
+ ext->arg = strdup(optarg);
 break;
 case CMD_OPT_KEY:
 cur_opt = cmd_opt_get_name(opt_idx);
@@ -420,11 +428,12 @@
 */
 switch (ext->type) {
 case EXT_TYPE_NVCOUNTER:
+ nvctr = atoi(ext->arg);
 CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
- EXT_CRIT, ext->data.nvcounter));
+ EXT_CRIT, nvctr));
 break;
 case EXT_TYPE_HASH:
- if (ext->data.fn == NULL) {
+ if (ext->arg == NULL) {
 if (ext->optional) {
 /* Include a hash filled with zeros */
 memset(md, 0x0, SHA256_DIGEST_LENGTH);
@@ -434,9 +443,9 @@
 }
 } else {
 /* Calculate the hash of the file */
- if (!sha_file(ext->data.fn, md)) {
+ if (!sha_file(ext->arg, md)) {
 ERROR("Cannot calculate hash of %s\n",
- ext->data.fn);
+ ext->arg);
 exit(1);
 }
 }
@@ -446,11 +455,11 @@
 break;
 case EXT_TYPE_PKEY:
 CHECK_NULL(cert_ext, ext_new_key(ext_nid,
- EXT_CRIT, keys[ext->data.key].key));
+ EXT_CRIT, keys[ext->attr.key].key));
 break;
 default:
- ERROR("Unknown extension type in %s\n",
- cert->cn);
+ ERROR("Unknown extension type '%d' in %s\n",
+ ext->type, cert->cn);
 exit(1);
 }
 
diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c
index 7a50ab3..8f7feb5 100644
--- a/tools/cert_create/src/tbbr/tbb_cert.c
+++ b/tools/cert_create/src/tbbr/tbb_cert.c
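Review bot: `ext->arg = strdup(optarg);` in the hunk at -331 discards a NULL return, and the only later test of the field (the `ext->arg == NULL` checks in the validation loop) would then report the option as "not specified" rather than as an allocation failure, which sends the user looking at the wrong thing. A one-line guard keeps the diagnostic honest: `if (ext->arg == NULL) { ERROR("Out of memory\n"); exit(1); }`. Passing the same option twice also leaks the first copy; harmless in a one-shot tool, but worth a comment so nobody treats the field as freeable. The enclosing `switch` on the getopt result starts and ends outside the hunk.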
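Review bot: `nvctr = atoi(ext->arg);` in the hunk at -420 accepts anything: an empty or non-numeric value silently becomes 0, a value with trailing garbage such as `3abc` becomes 3, negative and out-of-range values are passed straight into the certificate or are undefined behaviour, and when the extension is marked optional and no value was given (the path the new check at -196 deliberately lets through) this is `atoi(NULL)`. A counter that silently collapses to 0 is the weakest value a non-volatile counter extension can carry, so the string should be parsed with `strtol` and rejected unless the whole of it is a non-negative integer that fits an `int`. The rewrite below needs `char *end;` and `long val;` declared next to `nvctr` in the hunk at -259, and `<errno.h>` and `<limits.h>` in scope; the enclosing `main()` starts and ends outside the hunk.
```c
		case EXT_TYPE_NVCOUNTER:
			/* The NV counter is a security-relevant value: refuse to
			 * emit one we did not parse exactly, rather than let a
			 * typo or a missing value degrade to 0. */
			if (ext->arg == NULL) {
				ERROR("Value for '%s' not specified\n", ext->ln);
				exit(1);
			}
			errno = 0;
			val = strtol(ext->arg, &end, 10);
			if (end == ext->arg || *end != '\0' || errno == ERANGE ||
			    val < 0 || val > INT_MAX) {
				ERROR("Invalid value '%s' for '%s'\n",
						ext->arg, ext->ln);
				exit(1);
			}
			nvctr = (int)val;
			CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
					EXT_CRIT, nvctr));
			break;
		/* … unchanged: EXT_TYPE_HASH and EXT_TYPE_PKEY cases … */
```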
@@ -49,9 +49,10 @@
 .key = ROT_KEY,
 .issuer = TRUSTED_BOOT_FW_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 TRUSTED_BOOT_FW_HASH_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [TRUSTED_KEY_CERT] = {
 .id = TRUSTED_KEY_CERT,
@@ -62,10 +63,11 @@
 .key = ROT_KEY,
 .issuer = TRUSTED_KEY_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 TRUSTED_WORLD_PK_EXT,
 NON_TRUSTED_WORLD_PK_EXT
 },
- .num_ext = 2
+ .num_ext = 3
 },
 [SCP_FW_KEY_CERT] = {
 .id = SCP_FW_KEY_CERT,
@@ -76,9 +78,10 @@
 .key = TRUSTED_WORLD_KEY,
 .issuer = SCP_FW_KEY_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 SCP_FW_CONTENT_CERT_PK_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [SCP_FW_CONTENT_CERT] = {
 .id = SCP_FW_CONTENT_CERT,
@@ -89,9 +92,10 @@
 .key = SCP_FW_CONTENT_CERT_KEY,
 .issuer = SCP_FW_CONTENT_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 SCP_FW_HASH_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [SOC_FW_KEY_CERT] = {
 .id = SOC_FW_KEY_CERT,
@@ -102,9 +106,10 @@
 .key = TRUSTED_WORLD_KEY,
 .issuer = SOC_FW_KEY_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 SOC_FW_CONTENT_CERT_PK_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [SOC_FW_CONTENT_CERT] = {
 .id = SOC_FW_CONTENT_CERT,
@@ -115,9 +120,10 @@
 .key = SOC_FW_CONTENT_CERT_KEY,
 .issuer = SOC_FW_CONTENT_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 SOC_AP_FW_HASH_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [TRUSTED_OS_FW_KEY_CERT] = {
 .id = TRUSTED_OS_FW_KEY_CERT,
@@ -128,9 +134,10 @@
 .key = TRUSTED_WORLD_KEY,
 .issuer = TRUSTED_OS_FW_KEY_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [TRUSTED_OS_FW_CONTENT_CERT] = {
 .id = TRUSTED_OS_FW_CONTENT_CERT,
@@ -141,9 +148,10 @@
 .key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
 .issuer = TRUSTED_OS_FW_CONTENT_CERT,
 .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
 TRUSTED_OS_FW_HASH_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [NON_TRUSTED_FW_KEY_CERT] = {
 .id = NON_TRUSTED_FW_KEY_CERT,
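Review bot: `.num_ext` is hand-maintained next to the `.ext` initializer list in every entry of this table (this hunk, the seven that follow it, and the two tbb_cert.c hunks at -154 and -167), and nothing checks that the two agree: a count that lags the list silently leaves an extension out of the certificate, and one that overshoots makes the loop in main.c read whatever follows in `.ext`. The capacity of the `.ext` array is not visible here either, so the TRUSTED_KEY_CERT entry growing to three extensions should be checked against the array bound in the `cert_t` definition. A compile-time guard (a `_Static_assert` on the array size, or deriving the count from the initializer) would close this; at minimum a comment on the table, `/* .num_ext must equal the number of entries listed in .ext */`, records the convention.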
@@ -154,9 +162,10 @@
 .key = NON_TRUSTED_WORLD_KEY,
 .issuer = NON_TRUSTED_FW_KEY_CERT,
 .ext = {
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
 NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [NON_TRUSTED_FW_CONTENT_CERT] = {
 .id = NON_TRUSTED_FW_CONTENT_CERT,
@@ -167,9 +176,10 @@
 .key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
 .issuer = NON_TRUSTED_FW_CONTENT_CERT,
 .ext = {
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
 NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
 },
- .num_ext = 1
+ .num_ext = 2
 },
 [FWU_CERT] = {
 .id = FWU_CERT,
diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c
index 8bcb070..5304bd5 100644
--- a/tools/cert_create/src/tbbr/tbb_ext.c
+++ b/tools/cert_create/src/tbbr/tbb_ext.c
@@ -44,19 +44,23 @@
 static ext_t tbb_ext[] = {
 [TRUSTED_FW_NVCOUNTER_EXT] = {
 .oid = TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "tfw-nvctr",
+ .help_msg = "Trusted Firmware Non-Volatile counter value",
 .sn = "TrustedWorldNVCounter",
 .ln = "Trusted World Non-Volatile counter",
 .asn1_type = V_ASN1_INTEGER,
 .type = EXT_TYPE_NVCOUNTER,
- .data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE
+ .attr.nvctr_type = NVCTR_TYPE_TFW
 },
 [NON_TRUSTED_FW_NVCOUNTER_EXT] = {
 .oid = NON_TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "ntfw-nvctr",
+ .help_msg = "Non-Trusted Firmware Non-Volatile counter value",
 .sn = "NormalWorldNVCounter",
- .ln = "Normal World Non-Volatile counter",
+ .ln = "Non-Trusted Firmware Non-Volatile counter",
 .asn1_type = V_ASN1_INTEGER,
 .type = EXT_TYPE_NVCOUNTER,
- .data.nvcounter = NORMAL_WORLD_NVCTR_VALUE
+ .attr.nvctr_type = NVCTR_TYPE_NTFW
 },
 [TRUSTED_BOOT_FW_HASH_EXT] = {
 .oid = TRUSTED_BOOT_FW_HASH_OID,
@@ -73,7 +77,7 @@
 .ln = "Trusted World Public Key",
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_PKEY,
- .data.key = TRUSTED_WORLD_KEY
+ .attr.key = TRUSTED_WORLD_KEY
 },
 [NON_TRUSTED_WORLD_PK_EXT] = {
 .oid = NON_TRUSTED_WORLD_PK_OID,
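Review bot: After the tbb_ext.c hunk at -44 the two NV counter entries are named inconsistently: the non-trusted entry's `.ln` is renamed to "Non-Trusted Firmware Non-Volatile counter" to match its new `.help_msg`, but the trusted entry keeps `.ln = "Trusted World Non-Volatile counter"` beside `.help_msg = "Trusted Firmware Non-Volatile counter value"`, and both `.sn` values keep the old World wording (`TrustedWorldNVCounter`, `NormalWorldNVCounter`). If `sn`/`ln` are only the names registered for the OID and are not matched by name anywhere, renaming the trusted `.ln` to `"Trusted Firmware Non-Volatile counter"` keeps the tool's output uniform; if they are matched somewhere, a comment saying so would stop the next reader from renaming them. The help messages could also state the expected format, e.g. `"Trusted Firmware Non-Volatile counter value (decimal integer)"`, since that is what main.c parses from the argument. The `tbb_ext` table continues past the end of the hunk.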
@@ -81,7 +85,7 @@
 .ln = "Non-Trusted World Public Key",
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_PKEY,
- .data.key = NON_TRUSTED_WORLD_KEY
+ .attr.key = NON_TRUSTED_WORLD_KEY
 },
 [SCP_FW_CONTENT_CERT_PK_EXT] = {
 .oid = SCP_FW_CONTENT_CERT_PK_OID,
@@ -89,7 +93,7 @@
 .ln = "SCP Firmware content certificate public key",
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_PKEY,
- .data.key = SCP_FW_CONTENT_CERT_KEY
+ .attr.key = SCP_FW_CONTENT_CERT_KEY
 },
 [SCP_FW_HASH_EXT] = {
 .oid = SCP_FW_HASH_OID,
@@ -106,7 +110,7 @@
 .ln = "SoC Firmware content certificate public key",
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_PKEY,
- .data.key = SOC_FW_CONTENT_CERT_KEY
+ .attr.key = SOC_FW_CONTENT_CERT_KEY
 },
 [SOC_AP_FW_HASH_EXT] = {
 .oid = SOC_AP_FW_HASH_OID,
@@ -123,7 +127,7 @@
 .ln = "Trusted OS Firmware content certificate public key",
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_PKEY,
- .data.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
+ .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
 },
 [TRUSTED_OS_FW_HASH_EXT] = {
 .oid = TRUSTED_OS_FW_HASH_OID,
@@ -140,7 +144,7 @@
 .ln = "Non-Trusted Firmware content certificate public key",
 .asn1_type = V_ASN1_OCTET_STRING,
 .type = EXT_TYPE_PKEY,
- .data.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
+ .attr.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
 },
 [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
 .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,