/*
 * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include "cca/cca_cot.h"

#include <cca_oid.h>

#include "cert.h"
#include "ext.h"
#include "key.h"

/*
 * Certificate templates that make up the CCA chain of trust, indexed by
 * certificate id.
 *
 * Every entry names itself in .issuer, i.e. each certificate is self-signed.
 * The link from one certificate to the next is therefore not expressed through
 * the issuer field; the two key certificates below carry public keys as
 * EXT_TYPE_PKEY extensions instead.
 * NOTE(review): how a verifier consumes those extensions is not visible in
 * this file - confirm against the verifier-side chain-of-trust description.
 *
 * .key selects an entry of cot_keys[]. Three root keys appear (ROT_KEY,
 * SWD_ROT_KEY, PROT_KEY), each used by exactly one certificate.
 *
 * .num_ext is maintained by hand and has to equal the number of ids listed in
 * .ext. NOTE(review): presumably only the first .num_ext ids are processed, so
 * a count that is too small would leave an image hash out of the signed
 * certificate - verify against the certificate generation code when editing
 * an extension list.
 */
static cert_t cot_certs[] = {
	/* CCA firmware image and config hashes; key: ROT_KEY. */
	[CCA_CONTENT_CERT] = {
		.id = CCA_CONTENT_CERT,
		.opt = "cca-cert",
		.help_msg = "CCA Content Certificate (output file)",
		.cn = "CCA Content Certificate",
		.key = ROT_KEY,
		.issuer = CCA_CONTENT_CERT,
		.ext = {
			CCA_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
			RMM_HASH_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
			FW_CONFIG_HASH_EXT,
		},
		.num_ext = 8,
	},

	/* Carries the SWD_ROT_KEY and CORE_SWD_KEY public keys; key: SWD_ROT_KEY. */
	[CORE_SWD_KEY_CERT] = {
		.id = CORE_SWD_KEY_CERT,
		.opt = "core-swd-cert",
		.help_msg = "Core Secure World Key Certificate (output file)",
		.cn = "Core Secure World Key Certificate",
		.key = SWD_ROT_KEY,
		.issuer = CORE_SWD_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SWD_ROT_PK_EXT,
			CORE_SWD_PK_EXT,
		},
		.num_ext = 3,
	},

	/* Trusted OS image and config hashes; key: CORE_SWD_KEY. */
	[SPMC_CONTENT_CERT] = {
		.id = SPMC_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "SPMC Content Certificate (output file)",
		.cn = "SPMC Content Certificate",
		.key = CORE_SWD_KEY,
		.issuer = SPMC_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3,
	},

	/* Secure Partition packages 1-4; key: CORE_SWD_KEY. */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = CORE_SWD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
		},
		.num_ext = 5,
	},

	/* Carries the PROT_KEY and PLAT_KEY public keys; key: PROT_KEY. */
	[PLAT_KEY_CERT] = {
		.id = PLAT_KEY_CERT,
		.opt = "plat-key-cert",
		.help_msg = "Platform Key Certificate (output file)",
		.cn = "Platform Key Certificate",
		.key = PROT_KEY,
		.issuer = PLAT_KEY_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			PROT_PK_EXT,
			PLAT_PK_EXT,
		},
		.num_ext = 3,
	},

	/* Secure Partition packages 5-8; key: PLAT_KEY. */
	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.opt = "plat-sp-cert",
		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
		.cn = "Platform owned Secure Partition Content Certificate",
		.key = PLAT_KEY,
		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
		},
		.num_ext = 5,
	},

	/* Non-trusted world bootloader and config hashes; key: PLAT_KEY. */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = PLAT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3,
	},
};

REGISTER_COT(cot_certs);


/*
 * Certificate extensions, indexed by extension id.
 *
 * Three kinds are declared here:
 *   - EXT_TYPE_NVCOUNTER: a non-volatile counter value, ASN.1 INTEGER;
 *     .attr.nvctr_type selects which counter.
 *   - EXT_TYPE_HASH: OCTET STRING; .opt names the option that takes the file.
 *   - EXT_TYPE_PKEY: OCTET STRING; .attr.key selects the entry of cot_keys[]
 *     whose public key is embedded. These entries have no .opt/.help_msg.
 *
 * .optional = 1 is set on the config-file and Secure Partition package
 * hashes. NOTE(review): presumably such an extension may be left unset on the
 * command line - confirm how the generator treats a missing optional hash.
 *
 * The "(SHA256)" suffix in several .ln strings is a fixed label.
 * NOTE(review): the digest algorithm actually applied is chosen elsewhere;
 * confirm the two agree before relying on the long name.
 */
static ext_t cot_ext[] = {
	[CCA_FW_NVCOUNTER_EXT] = {
		.oid = CCA_FW_NVCOUNTER_OID,
		.opt = "ccafw-nvctr",
		.help_msg = "CCA Firmware Non-Volatile counter value",
		.sn = "CCANVCounter",
		.ln = "CCA Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr = { .nvctr_type = NVCTR_TYPE_CCAFW },
	},

	[TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = TRUSTED_FW_NVCOUNTER_OID,
		.opt = "tfw-nvctr",
		.help_msg = "Trusted Firmware Non-Volatile counter value",
		.sn = "TrustedWorldNVCounter",
		.ln = "Trusted World Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr = { .nvctr_type = NVCTR_TYPE_TFW },
	},

	[TRUSTED_BOOT_FW_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_HASH_OID,
		.opt = "tb-fw",
		.help_msg = "Trusted Boot Firmware image file",
		.sn = "TrustedBootFirmwareHash",
		.ln = "Trusted Boot Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
		.opt = "tb-fw-config",
		.help_msg = "Trusted Boot Firmware Config file",
		.sn = "TrustedBootFirmwareConfigHash",
		.ln = "Trusted Boot Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[HW_CONFIG_HASH_EXT] = {
		.oid = HW_CONFIG_HASH_OID,
		.opt = "hw-config",
		.help_msg = "HW Config file",
		.sn = "HWConfigHash",
		.ln = "HW Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[FW_CONFIG_HASH_EXT] = {
		.oid = FW_CONFIG_HASH_OID,
		.opt = "fw-config",
		.help_msg = "Firmware Config file",
		.sn = "FirmwareConfigHash",
		.ln = "Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Public key of SWD_ROT_KEY, embedded in CORE_SWD_KEY_CERT. */
	[SWD_ROT_PK_EXT] = {
		.oid = SWD_ROT_PK_OID,
		.sn = "SWDRoTKey",
		.ln = "Secure World Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr = { .key = SWD_ROT_KEY },
	},

	/* Public key of CORE_SWD_KEY, embedded in CORE_SWD_KEY_CERT. */
	[CORE_SWD_PK_EXT] = {
		.oid = CORE_SWD_PK_OID,
		.sn = "CORESWDKey",
		.ln = "Core Secure World Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr = { .key = CORE_SWD_KEY },
	},

	[SOC_AP_FW_HASH_EXT] = {
		.oid = SOC_AP_FW_HASH_OID,
		.opt = "soc-fw",
		.help_msg = "SoC AP Firmware image file",
		.sn = "SoCAPFirmwareHash",
		.ln = "SoC AP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[SOC_FW_CONFIG_HASH_EXT] = {
		.oid = SOC_FW_CONFIG_HASH_OID,
		.opt = "soc-fw-config",
		.help_msg = "SoC Firmware Config file",
		.sn = "SocFirmwareConfigHash",
		.ln = "SoC Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[RMM_HASH_EXT] = {
		.oid = RMM_HASH_OID,
		.opt = "rmm-fw",
		.help_msg = "RMM Firmware image file",
		.sn = "RMMFirmwareHash",
		.ln = "RMM Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_OS_FW_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_HASH_OID,
		.opt = "tos-fw",
		.help_msg = "Trusted OS image file",
		.sn = "TrustedOSHash",
		.ln = "Trusted OS hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
		.opt = "tos-fw-config",
		.help_msg = "Trusted OS Firmware Config file",
		.sn = "TrustedOSFirmwareConfigHash",
		.ln = "Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Secure Partition packages 1-4 (SIP_SECURE_PARTITION_CONTENT_CERT). */
	[SP_PKG1_HASH_EXT] = {
		.oid = SP_PKG1_HASH_OID,
		.opt = "sp-pkg1",
		.help_msg = "Secure Partition Package1 file",
		.sn = "SPPkg1Hash",
		.ln = "SP Pkg1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG2_HASH_EXT] = {
		.oid = SP_PKG2_HASH_OID,
		.opt = "sp-pkg2",
		.help_msg = "Secure Partition Package2 file",
		.sn = "SPPkg2Hash",
		.ln = "SP Pkg2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG3_HASH_EXT] = {
		.oid = SP_PKG3_HASH_OID,
		.opt = "sp-pkg3",
		.help_msg = "Secure Partition Package3 file",
		.sn = "SPPkg3Hash",
		.ln = "SP Pkg3 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG4_HASH_EXT] = {
		.oid = SP_PKG4_HASH_OID,
		.opt = "sp-pkg4",
		.help_msg = "Secure Partition Package4 file",
		.sn = "SPPkg4Hash",
		.ln = "SP Pkg4 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	/* Public key of PROT_KEY, embedded in PLAT_KEY_CERT. */
	[PROT_PK_EXT] = {
		.oid = PROT_PK_OID,
		.sn = "PlatformRoTKey",
		.ln = "Platform Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr = { .key = PROT_KEY },
	},

	/* Public key of PLAT_KEY, embedded in PLAT_KEY_CERT. */
	[PLAT_PK_EXT] = {
		.oid = PLAT_PK_OID,
		.sn = "PLATKey",
		.ln = "Platform Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr = { .key = PLAT_KEY },
	},

	/* Secure Partition packages 5-8 (PLAT_SECURE_PARTITION_CONTENT_CERT). */
	[SP_PKG5_HASH_EXT] = {
		.oid = SP_PKG5_HASH_OID,
		.opt = "sp-pkg5",
		.help_msg = "Secure Partition Package5 file",
		.sn = "SPPkg5Hash",
		.ln = "SP Pkg5 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG6_HASH_EXT] = {
		.oid = SP_PKG6_HASH_OID,
		.opt = "sp-pkg6",
		.help_msg = "Secure Partition Package6 file",
		.sn = "SPPkg6Hash",
		.ln = "SP Pkg6 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG7_HASH_EXT] = {
		.oid = SP_PKG7_HASH_OID,
		.opt = "sp-pkg7",
		.help_msg = "Secure Partition Package7 file",
		.sn = "SPPkg7Hash",
		.ln = "SP Pkg7 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
	[SP_PKG8_HASH_EXT] = {
		.oid = SP_PKG8_HASH_OID,
		.opt = "sp-pkg8",
		.help_msg = "Secure Partition Package8 file",
		.sn = "SPPkg8Hash",
		.ln = "SP Pkg8 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},

	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
		.opt = "ntfw-nvctr",
		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
		.sn = "NormalWorldNVCounter",
		.ln = "Non-Trusted Firmware Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr = { .nvctr_type = NVCTR_TYPE_NTFW },
	},

	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
		.opt = "nt-fw",
		.help_msg = "Non-Trusted World Bootloader image file",
		.sn = "NonTrustedWorldBootloaderHash",
		.ln = "Non-Trusted World hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
	},

	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
		.opt = "nt-fw-config",
		.help_msg = "Non Trusted OS Firmware Config file",
		.sn = "NonTrustedOSFirmwareConfigHash",
		.ln = "Non-Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1,
	},
};

REGISTER_EXTENSIONS(cot_ext);

/*
 * Keys used to establish the chain of trust, indexed by key id.
 *
 * Per the help text, each option accepts either a key file or a PKCS11 URI;
 * with a PKCS11 URI the key is referenced through a token instead of being
 * read from a file on the build host.
 */
static key_t cot_keys[] = {
	[ROT_KEY] = {
		.id = ROT_KEY,
		.opt = "rot-key",
		.help_msg = "Root Of Trust key file or PKCS11 URI",
		.desc = "Root Of Trust key",
	},

	[SWD_ROT_KEY] = {
		.id = SWD_ROT_KEY,
		.opt = "swd-rot-key",
		.help_msg = "Secure World Root of Trust key file or PKCS11 URI",
		.desc = "Secure World Root of Trust key",
	},

	[CORE_SWD_KEY] = {
		.id = CORE_SWD_KEY,
		.opt = "core-swd-key",
		.help_msg = "Core Secure World key file or PKCS11 URI",
		.desc = "Core Secure World key",
	},

	[PROT_KEY] = {
		.id = PROT_KEY,
		.opt = "prot-key",
		.help_msg = "Platform Root of Trust key file or PKCS11 URI",
		.desc = "Platform Root of Trust key",
	},

	[PLAT_KEY] = {
		.id = PLAT_KEY,
		.opt = "plat-key",
		.help_msg = "Platform key file or PKCS11 URI",
		.desc = "Platform key",
	},
};

REGISTER_KEYS(cot_keys);