andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

TBB: apply TBBR naming convention to certificates and extensions 

This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

    * Certificate UUID names
    * Certificate identifier names
    * OID names

Changes apply to:

    * Generic code (variables and defines)
    * The default certificate identifiers provided in the generic
      code
    * Build system
    * ARM platforms port
    * cert_create tool internal definitions
    * fip_create and cert_create tools command line options
    * Documentation

IMPORTANT: this change breaks the compatibility with platforms
that use TBBR. The platform will need to adapt the identifiers
and OIDs to the TBBR naming convention introduced by this patch:

Certificate UUIDs:

    UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
    UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
    UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
    UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
    UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
    UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
    UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
    UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
    UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT

Certificate identifiers:

    BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
    BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
    BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
    BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
    BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
    BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
    BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
    BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
    BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID

OIDs:

    TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
    NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
    BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
    TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
    NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
    BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
    BL30_HASH_OID --> SCP_FW_HASH_OID
    BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
    BL31_HASH_OID --> SOC_AP_FW_HASH_OID
    BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
    BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
    BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
    BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
    BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
    SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
    NS_BL2U_HASH_OID --> FWU_HASH_OID

Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
This commit is contained in:
Juan Castillo 2015-12-03 10:19:21 +00:00
parent a84deb9c3f
commit 516beb585c
17 changed files with 441 additions and 441 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
docs/auth-framework.md
View File

@ -726,30 +726,30 @@ Four image descriptors form the BL3-1 Chain of Trust:
},
.authenticated_data = {
[0] = {
.type_desc = &tz_world_pk,
.type_desc = &trusted_world_pk,
.data = {
.ptr = (void *)plat_tz_world_pk_buf,
.ptr = (void *)trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
},
[1] = {
.type_desc = &ntz_world_pk,
.type_desc = &non_trusted_world_pk,
.data = {
.ptr = (void *)plat_ntz_world_pk_buf,
.ptr = (void *)non_trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
[BL31_KEY_CERT_ID] = {
.img_id = BL31_KEY_CERT_ID,
[SOC_FW_KEY_CERT_ID] = {
.img_id = SOC_FW_KEY_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &tz_world_pk,
.pk = &trusted_world_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -758,23 +758,23 @@ Four image descriptors form the BL3-1 Chain of Trust:
},
.authenticated_data = {
[0] = {
.type_desc = &bl31_content_pk,
.type_desc = &soc_fw_content_pk,
.data = {
.ptr = (void *)plat_content_pk,
.ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
[BL31_CERT_ID] = {
.img_id = BL31_CERT_ID,
[SOC_FW_CONTENT_CERT_ID] = {
.img_id = SOC_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[BL31_KEY_CERT_ID],
.parent = &cot_desc[SOC_FW_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &bl31_content_pk,
.pk = &soc_fw_content_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -783,9 +783,9 @@ Four image descriptors form the BL3-1 Chain of Trust:
},
.authenticated_data = {
[0] = {
.type_desc = &bl31_hash,
.type_desc = &soc_fw_hash,
.data = {
.ptr = (void *)plat_bl31_hash_buf,
.ptr = (void *)soc_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}
@ -794,13 +794,13 @@ Four image descriptors form the BL3-1 Chain of Trust:
[BL31_IMAGE_ID] = {
.img_id = BL31_IMAGE_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[BL31_CERT_ID],
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &bl31_hash,
.hash = &soc_fw_hash,
}
}
}
@ -835,7 +835,7 @@ is created in the `authenticated_data` array for that purpose. In that entry,
the corresponding parameter descriptor must be specified along with the buffer
address to store the parameter value. In this case, the `tz_world_pk` descriptor
is used to extract the public key from an x509v3 extension with OID
`TZ_WORLD_PK_OID`. The BL3-1 key certificate will use this descriptor as
`TRUSTED_WORLD_PK_OID`. The BL3-1 key certificate will use this descriptor as
parameter in the signature authentication method. The key is stored in the
`plat_tz_world_pk_buf` buffer.

18
docs/porting-guide.md
View File

@ -247,7 +247,7 @@ mandatory:
If Trusted Board Boot is enabled, the following certificate identifiers must
also be defined:
* **#define : BL2_CERT_ID**
* **#define : TRUSTED_BOOT_FW_CERT_ID**
BL2 content certificate identifier, used by BL1 to load the BL2 content
certificate.
@ -257,22 +257,22 @@ also be defined:
Trusted key certificate identifier, used by BL2 to load the trusted key
certificate.
* **#define : BL31_KEY_CERT_ID**
* **#define : SOC_FW_KEY_CERT_ID**
BL3-1 key certificate identifier, used by BL2 to load the BL3-1 key
certificate.
* **#define : BL31_CERT_ID**
* **#define : SOC_FW_CONTENT_CERT_ID**
BL3-1 content certificate identifier, used by BL2 to load the BL3-1 content
certificate.
* **#define : BL33_KEY_CERT_ID**
* **#define : NON_TRUSTED_FW_KEY_CERT_ID**
BL3-3 key certificate identifier, used by BL2 to load the BL3-3 key
certificate.
* **#define : BL33_CERT_ID**
* **#define : NON_TRUSTED_FW_CONTENT_CERT_ID**
BL3-3 content certificate identifier, used by BL2 to load the BL3-3 content
certificate.
@ -285,12 +285,12 @@ also be defined:
BL3-0 image identifier, used by BL2 to load BL3-0 into secure memory from
platform storage before being transfered to the SCP.
* **#define : BL30_KEY_CERT_ID**
* **#define : SCP_FW_KEY_CERT_ID**
BL3-0 key certificate identifier, used by BL2 to load the BL3-0 key
certificate (mandatory when Trusted Board Boot is enabled).
* **#define : BL30_CERT_ID**
* **#define : SCP_FW_CONTENT_CERT_ID**
BL3-0 content certificate identifier, used by BL2 to load the BL3-0 content
certificate (mandatory when Trusted Board Boot is enabled).
@ -302,12 +302,12 @@ also be defined:
BL3-2 image identifier, used by BL2 to load BL3-2.
* **#define : BL32_KEY_CERT_ID**
* **#define : TRUSTED_OS_FW_KEY_CERT_ID**
BL3-2 key certificate identifier, used by BL2 to load the BL3-2 key
certificate (mandatory when Trusted Board Boot is enabled).
* **#define : BL32_CERT_ID**
* **#define : TRUSTED_OS_FW_CONTENT_CERT_ID**
BL3-2 content certificate identifier, used by BL2 to load the BL3-2 content
certificate (mandatory when Trusted Board Boot is enabled).

204
drivers/auth/tbbr/tbbr_cot.c
View File

@ -44,14 +44,14 @@
* extracted from the certificates. In this case, because of the way the CoT is
* established, we can reuse some of the buffers on different stages
*/
static unsigned char plat_bl2_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl30_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl31_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl32_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl33_hash_buf[HASH_DER_LEN];
static unsigned char plat_tz_world_pk_buf[PK_DER_LEN];
static unsigned char plat_ntz_world_pk_buf[PK_DER_LEN];
static unsigned char plat_content_pk[PK_DER_LEN];
static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
static unsigned char content_pk_buf[PK_DER_LEN];
/*
* Parameter type descriptors
@ -65,36 +65,36 @@ static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_RAW_DATA, 0);
static auth_param_type_desc_t tz_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, TZ_WORLD_PK_OID);
static auth_param_type_desc_t ntz_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, NTZ_WORLD_PK_OID);
static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t bl30_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL30_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl31_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL31_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl32_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL32_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl33_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL33_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl2_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL2_HASH_OID);
static auth_param_type_desc_t bl30_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL30_HASH_OID);
static auth_param_type_desc_t bl31_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL31_HASH_OID);
static auth_param_type_desc_t bl32_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL32_HASH_OID);
static auth_param_type_desc_t bl33_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL33_HASH_OID);
static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_BL2U_HASH_OID);
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL2U_HASH_OID);
AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NS_BL2U_HASH_OID);
AUTH_PARAM_HASH, FWU_HASH_OID);
/*
* TBBR Chain of trust definition
@ -103,8 +103,8 @@ static const auth_img_desc_t cot_desc[] = {
/*
* BL2
*/
[BL2_CERT_ID] = {
.img_id = BL2_CERT_ID,
[TRUSTED_BOOT_FW_CERT_ID] = {
.img_id = TRUSTED_BOOT_FW_CERT_ID,
.img_type = IMG_CERT,
.parent = NULL,
.img_auth_methods = {
@ -120,9 +120,9 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl2_hash,
.type_desc = &tb_fw_hash,
.data = {
.ptr = (void *)plat_bl2_hash_buf,
.ptr = (void *)tb_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}
@ -131,13 +131,13 @@ static const auth_img_desc_t cot_desc[] = {
[BL2_IMAGE_ID] = {
.img_id = BL2_IMAGE_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[BL2_CERT_ID],
.parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &bl2_hash,
.hash = &tb_fw_hash,
}
}
}
@ -162,33 +162,33 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &tz_world_pk,
.type_desc = &trusted_world_pk,
.data = {
.ptr = (void *)plat_tz_world_pk_buf,
.ptr = (void *)trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
},
[1] = {
.type_desc = &ntz_world_pk,
.type_desc = &non_trusted_world_pk,
.data = {
.ptr = (void *)plat_ntz_world_pk_buf,
.ptr = (void *)non_trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
/*
* BL3-0
* SCP Firmware
*/
[BL30_KEY_CERT_ID] = {
.img_id = BL30_KEY_CERT_ID,
[SCP_FW_KEY_CERT_ID] = {
.img_id = SCP_FW_KEY_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &tz_world_pk,
.pk = &trusted_world_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -197,23 +197,23 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl30_content_pk,
.type_desc = &scp_fw_content_pk,
.data = {
.ptr = (void *)plat_content_pk,
.ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
[BL30_CERT_ID] = {
.img_id = BL30_CERT_ID,
[SCP_FW_CONTENT_CERT_ID] = {
.img_id = SCP_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[BL30_KEY_CERT_ID],
.parent = &cot_desc[SCP_FW_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &bl30_content_pk,
.pk = &scp_fw_content_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -222,9 +222,9 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl30_hash,
.type_desc = &scp_fw_hash,
.data = {
.ptr = (void *)plat_bl30_hash_buf,
.ptr = (void *)scp_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}
@ -233,29 +233,29 @@ static const auth_img_desc_t cot_desc[] = {
[BL30_IMAGE_ID] = {
.img_id = BL30_IMAGE_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[BL30_CERT_ID],
.parent = &cot_desc[SCP_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &bl30_hash,
.hash = &scp_fw_hash,
}
}
}
},
/*
* BL3-1
* SoC Firmware
*/
[BL31_KEY_CERT_ID] = {
.img_id = BL31_KEY_CERT_ID,
[SOC_FW_KEY_CERT_ID] = {
.img_id = SOC_FW_KEY_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &tz_world_pk,
.pk = &trusted_world_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -264,23 +264,23 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl31_content_pk,
.type_desc = &soc_fw_content_pk,
.data = {
.ptr = (void *)plat_content_pk,
.ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
[BL31_CERT_ID] = {
.img_id = BL31_CERT_ID,
[SOC_FW_CONTENT_CERT_ID] = {
.img_id = SOC_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[BL31_KEY_CERT_ID],
.parent = &cot_desc[SOC_FW_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &bl31_content_pk,
.pk = &soc_fw_content_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -289,9 +289,9 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl31_hash,
.type_desc = &soc_fw_hash,
.data = {
.ptr = (void *)plat_bl31_hash_buf,
.ptr = (void *)soc_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}
@ -300,29 +300,29 @@ static const auth_img_desc_t cot_desc[] = {
[BL31_IMAGE_ID] = {
.img_id = BL31_IMAGE_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[BL31_CERT_ID],
.parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &bl31_hash,
.hash = &soc_fw_hash,
}
}
}
},
/*
* BL3-2
* Trusted OS Firmware
*/
[BL32_KEY_CERT_ID] = {
.img_id = BL32_KEY_CERT_ID,
[TRUSTED_OS_FW_KEY_CERT_ID] = {
.img_id = TRUSTED_OS_FW_KEY_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &tz_world_pk,
.pk = &trusted_world_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -331,23 +331,23 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl32_content_pk,
.type_desc = &tos_fw_content_pk,
.data = {
.ptr = (void *)plat_content_pk,
.ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
[BL32_CERT_ID] = {
.img_id = BL32_CERT_ID,
[TRUSTED_OS_FW_CONTENT_CERT_ID] = {
.img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[BL32_KEY_CERT_ID],
.parent = &cot_desc[TRUSTED_OS_FW_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &bl32_content_pk,
.pk = &tos_fw_content_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -356,9 +356,9 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl32_hash,
.type_desc = &tos_fw_hash,
.data = {
.ptr = (void *)plat_bl32_hash_buf,
.ptr = (void *)tos_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}
@ -367,29 +367,29 @@ static const auth_img_desc_t cot_desc[] = {
[BL32_IMAGE_ID] = {
.img_id = BL32_IMAGE_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[BL32_CERT_ID],
.parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &bl32_hash,
.hash = &tos_fw_hash,
}
}
}
},
/*
* BL3-3
* Non-Trusted Firmware
*/
[BL33_KEY_CERT_ID] = {
.img_id = BL33_KEY_CERT_ID,
[NON_TRUSTED_FW_KEY_CERT_ID] = {
.img_id = NON_TRUSTED_FW_KEY_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &ntz_world_pk,
.pk = &non_trusted_world_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -398,23 +398,23 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl33_content_pk,
.type_desc = &nt_fw_content_pk,
.data = {
.ptr = (void *)plat_content_pk,
.ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN
}
}
}
},
[BL33_CERT_ID] = {
.img_id = BL33_CERT_ID,
[NON_TRUSTED_FW_CONTENT_CERT_ID] = {
.img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT,
.parent = &cot_desc[BL33_KEY_CERT_ID],
.parent = &cot_desc[NON_TRUSTED_FW_KEY_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_SIG,
.param.sig = {
.pk = &bl33_content_pk,
.pk = &nt_fw_content_pk,
.sig = &sig,
.alg = &sig_alg,
.data = &raw_data,
@ -423,9 +423,9 @@ static const auth_img_desc_t cot_desc[] = {
},
.authenticated_data = {
[0] = {
.type_desc = &bl33_hash,
.type_desc = &nt_world_bl_hash,
.data = {
.ptr = (void *)plat_bl33_hash_buf,
.ptr = (void *)nt_world_bl_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}
@ -434,13 +434,13 @@ static const auth_img_desc_t cot_desc[] = {
[BL33_IMAGE_ID] = {
.img_id = BL33_IMAGE_ID,
.img_type = IMG_RAW,
.parent = &cot_desc[BL33_CERT_ID],
.parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
.img_auth_methods = {
[0] = {
.type = AUTH_METHOD_HASH,
.param.hash = {
.data = &raw_data,
.hash = &bl33_hash,
.hash = &nt_world_bl_hash,
}
}
}
@ -467,21 +467,21 @@ static const auth_img_desc_t cot_desc[] = {
[0] = {
.type_desc = &scp_bl2u_hash,
.data = {
.ptr = (void *)plat_bl30_hash_buf,
.ptr = (void *)scp_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
},
[1] = {
.type_desc = &bl2u_hash,
.data = {
.ptr = (void *)plat_bl2_hash_buf,
.ptr = (void *)tb_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
},
[2] = {
.type_desc = &ns_bl2u_hash,
.data = {
.ptr = (void *)plat_bl33_hash_buf,
.ptr = (void *)nt_world_bl_hash_buf,
.len = (unsigned int)HASH_DER_LEN
}
}

18
include/common/firmware_image_package.h
View File

@ -64,24 +64,24 @@
{0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} }
#define UUID_NON_TRUSTED_WORLD_KEY_CERT \
{0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} }
#define UUID_SCP_FIRMWARE_BL30_KEY_CERT \
#define UUID_SCP_FW_KEY_CERT \
{0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} }
#define UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT \
#define UUID_SOC_FW_KEY_CERT \
{0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} }
#define UUID_SECURE_PAYLOAD_BL32_KEY_CERT \
#define UUID_TRUSTED_OS_FW_KEY_CERT \
{0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} }
#define UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT \
#define UUID_NON_TRUSTED_FW_KEY_CERT \
{0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} }
/* Content certificates */
#define UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT \
#define UUID_TRUSTED_BOOT_FW_CERT \
{0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} }
#define UUID_SCP_FIRMWARE_BL30_CERT \
#define UUID_SCP_FW_CONTENT_CERT \
{0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} }
#define UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT \
#define UUID_SOC_FW_CONTENT_CERT \
{0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} }
#define UUID_SECURE_PAYLOAD_BL32_CERT \
#define UUID_TRUSTED_OS_FW_CONTENT_CERT \
{0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
#define UUID_NON_TRUSTED_FIRMWARE_BL33_CERT \
#define UUID_NON_TRUSTED_FW_CONTENT_CERT \
{0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
typedef struct fip_toc_header {

18
include/common/tbbr/tbbr_img_def.h
View File

@ -50,18 +50,18 @@
#define BL33_IMAGE_ID 5
/* Certificates */
#define BL2_CERT_ID 6
#define TRUSTED_BOOT_FW_CERT_ID 6
#define TRUSTED_KEY_CERT_ID 7
#define BL30_KEY_CERT_ID 8
#define BL31_KEY_CERT_ID 9
#define BL32_KEY_CERT_ID 10
#define BL33_KEY_CERT_ID 11
#define SCP_FW_KEY_CERT_ID 8
#define SOC_FW_KEY_CERT_ID 9
#define TRUSTED_OS_FW_KEY_CERT_ID 10
#define NON_TRUSTED_FW_KEY_CERT_ID 11
#define BL30_CERT_ID 12
#define BL31_CERT_ID 13
#define BL32_CERT_ID 14
#define BL33_CERT_ID 15
#define SCP_FW_CONTENT_CERT_ID 12
#define SOC_FW_CONTENT_CERT_ID 13
#define TRUSTED_OS_FW_CONTENT_CERT_ID 14
#define NON_TRUSTED_FW_CONTENT_CERT_ID 15
/* Non-Trusted ROM Firmware NS_BL1U */
#define NS_BL1U_IMAGE_ID 16

32
include/plat/arm/board/common/board_arm_oid.h
View File

@ -44,9 +44,9 @@
/* TrustedFirmwareNVCounter - Non-volatile counter extension */
#define TZ_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.1"
#define TRUSTED_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.1"
/* NonTrustedFirmwareNVCounter - Non-volatile counter extension */
#define NTZ_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.2"
#define NON_TRUSTED_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.2"
/*
@ -54,11 +54,11 @@
*/
/* APFirmwareUpdaterConfigHash - BL2U */
#define BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.101"
#define AP_FWU_CFG_HASH_OID "1.3.6.1.4.1.4128.2100.101"
/* SCPFirmwareUpdaterConfigHash - SCP_BL2U */
#define SCP_BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.102"
#define SCP_FWU_CFG_HASH_OID "1.3.6.1.4.1.4128.2100.102"
/* FirmwareUpdaterHash - NS_BL2U */
#define NS_BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.103"
#define FWU_HASH_OID "1.3.6.1.4.1.4128.2100.103"
/* TrustedWatchdogRefreshTime */
#define TRUSTED_WATCHDOG_TIME_OID "1.3.6.1.4.1.4128.2100.104"
@ -68,7 +68,7 @@
*/
/* TrustedBootFirmwareHash - BL2 */
#define BL2_HASH_OID "1.3.6.1.4.1.4128.2100.201"
#define TRUSTED_BOOT_FW_HASH_OID "1.3.6.1.4.1.4128.2100.201"
/*
@ -78,9 +78,9 @@
/* PrimaryDebugCertificatePK */
#define PRIMARY_DEBUG_PK_OID "1.3.6.1.4.1.4128.2100.301"
/* TrustedWorldPK */
#define TZ_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.302"
#define TRUSTED_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.302"
/* NonTrustedWorldPK */
#define NTZ_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.303"
#define NON_TRUSTED_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.303"
/*
@ -100,7 +100,7 @@
*/
/* SoCFirmwareContentCertPK */
#define BL31_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501"
#define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501"
/*
@ -112,7 +112,7 @@
/* SoCConfigHash */
#define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602"
/* SoCAPFirmwareHash - BL31 */
#define BL31_HASH_OID "1.3.6.1.4.1.4128.2100.603"
#define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603"
/*
@ -120,7 +120,7 @@
*/
/* SCPFirmwareContentCertPK */
#define BL30_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.701"
#define SCP_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.701"
/*
@ -128,7 +128,7 @@
*/
/* SCPFirmwareHash - BL30 */
#define BL30_HASH_OID "1.3.6.1.4.1.4128.2100.801"
#define SCP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.801"
/* SCPRomPatchHash - BL0_PATCH */
#define SCP_ROM_PATCH_HASH_OID "1.3.6.1.4.1.4128.2100.802"
@ -138,7 +138,7 @@
*/
/* TrustedOSFirmwareContentCertPK */
#define BL32_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.901"
#define TRUSTED_OS_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.901"
/*
@ -146,7 +146,7 @@
*/
/* TrustedOSFirmwareHash - BL32 */
#define BL32_HASH_OID "1.3.6.1.4.1.4128.2100.1001"
#define TRUSTED_OS_FW_HASH_OID "1.3.6.1.4.1.4128.2100.1001"
/*
@ -154,7 +154,7 @@
*/
/* NonTrustedFirmwareContentCertPK */
#define BL33_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.1101"
#define NON_TRUSTED_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.1101"
/*
@ -162,6 +162,6 @@
*/
/* NonTrustedWorldBootloaderHash - BL33 */
#define BL33_HASH_OID "1.3.6.1.4.1.4128.2100.1201"
#define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201"
#endif /* __BOARD_ARM_OID_H__ */

68
make_helpers/tbbr/tbbr_tools.mk
View File

@ -76,61 +76,61 @@ $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--
$(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key)))
# Add the BL2 CoT (image cert + image)
$(if ${BL2},$(eval $(call CERT_ADD_CMD_OPT,${BL2},--bl2,true)),\
$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,2),--bl2,true)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl2.crt,--bl2-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl2.crt,--bl2-cert))
$(if ${BL2},$(eval $(call CERT_ADD_CMD_OPT,${BL2},--tb-fw,true)),\
$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,2),--tb-fw,true)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert))
# Add the BL30 CoT (key cert + img cert + image)
ifneq (${BL30},)
$(eval $(call CERT_ADD_CMD_OPT,${BL30},--bl30,true))
$(if ${BL30_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL30_KEY},--bl30-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl30.crt,--bl30-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl30_key.crt,--bl30-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl30.crt,--bl30-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl30_key.crt,--bl30-key-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BL30},--scp-fw,true))
$(if ${BL30_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL30_KEY},--scp-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/scp_fw_content.crt,--scp-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/scp_fw_key.crt,--scp-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/scp_fw_content.crt,--scp-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/scp_fw_key.crt,--scp-fw-key-cert))
endif
# Add the BL31 CoT (key cert + img cert + image)
$(if ${BL31},$(eval $(call CERT_ADD_CMD_OPT,${BL31},--bl31,true)),\
$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,31),--bl31,true)))
$(if ${BL31_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL31_KEY},--bl31-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl31.crt,--bl31-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl31_key.crt,--bl31-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl31.crt,--bl31-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl31_key.crt,--bl31-key-cert))
$(if ${BL31},$(eval $(call CERT_ADD_CMD_OPT,${BL31},--soc-fw,true)),\
$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,31),--soc-fw,true)))
$(if ${BL31_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL31_KEY},--soc-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/soc_fw_content.crt,--soc-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/soc_fw_key.crt,--soc-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/soc_fw_content.crt,--soc-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/soc_fw_key.crt,--soc-fw-key-cert))
# Add the BL32 CoT (key cert + img cert + image)
ifeq (${NEED_BL32},yes)
$(if ${BL32},$(eval $(call CERT_ADD_CMD_OPT,${BL32},--bl32,true)),\
$(if ${BL32_SOURCES},$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,32),--bl32,true))))
$(if ${BL32_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL32_KEY},--bl32-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl32.crt,--bl32-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl32_key.crt,--bl32-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl32.crt,--bl32-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl32_key.crt,--bl32-key-cert))
$(if ${BL32},$(eval $(call CERT_ADD_CMD_OPT,${BL32},--tos-fw,true)),\
$(if ${BL32_SOURCES},$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,32),--tos-fw,true))))
$(if ${BL32_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL32_KEY},--tos-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert))
endif
# Add the BL33 CoT (key cert + img cert + image)
ifneq (${BL33},)
$(eval $(call CERT_ADD_CMD_OPT,${BL33},--bl33,true))
$(if ${BL33_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL33_KEY},--bl33-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl33.crt,--bl33-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl33_key.crt,--bl33-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl33.crt,--bl33-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl33_key.crt,--bl33-key-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BL33},--nt-fw,true))
$(if ${BL33_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL33_KEY},--nt-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/nt_fw_content.crt,--nt-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_content.crt,--nt-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
endif
# Add the BL2U image
$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u,true)),\
$(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u,true)))
$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--ap-fwu-cfg,true)),\
$(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--ap-fwu-cfg,true)))
# Add the SCP_BL2U image
ifneq (${SCP_BL2U},)
$(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp_bl2u,true))
$(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp-fwu-cfg,true))
endif
# Add the NS_BL2U image
ifneq (${NS_BL2U},)
$(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--ns_bl2u,true))
$(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--fwu,true))
endif

42
plat/arm/board/fvp/fvp_io_storage.c
View File

@ -44,14 +44,14 @@
#define BL33_IMAGE_NAME "bl33.bin"
#if TRUSTED_BOARD_BOOT
#define BL2_CERT_NAME "bl2.crt"
#define TRUSTED_BOOT_FW_CERT_NAME "tb_fw.crt"
#define TRUSTED_KEY_CERT_NAME "trusted_key.crt"
#define BL31_KEY_CERT_NAME "bl31_key.crt"
#define BL32_KEY_CERT_NAME "bl32_key.crt"
#define BL33_KEY_CERT_NAME "bl33_key.crt"
#define BL31_CERT_NAME "bl31.crt"
#define BL32_CERT_NAME "bl32.crt"
#define BL33_CERT_NAME "bl33.crt"
#define SOC_FW_KEY_CERT_NAME "soc_fw_key.crt"
#define TOS_FW_KEY_CERT_NAME "tos_fw_key.crt"
#define NT_FW_KEY_CERT_NAME "nt_fw_key.crt"
#define SOC_FW_CONTENT_CERT_NAME "soc_fw_content.crt"
#define TOS_FW_CONTENT_CERT_NAME "tos_fw_content.crt"
#define NT_FW_CONTENT_CERT_NAME "nt_fw_content.crt"
#endif /* TRUSTED_BOARD_BOOT */
/* IO devices */
@ -76,36 +76,36 @@ static const io_file_spec_t sh_file_spec[] = {
.mode = FOPEN_MODE_RB
},
#if TRUSTED_BOARD_BOOT
[BL2_CERT_ID] = {
.path = BL2_CERT_NAME,
[TRUSTED_BOOT_FW_CERT_ID] = {
.path = TRUSTED_BOOT_FW_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[TRUSTED_KEY_CERT_ID] = {
.path = TRUSTED_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL31_KEY_CERT_ID] = {
.path = BL31_KEY_CERT_NAME,
[SOC_FW_KEY_CERT_ID] = {
.path = SOC_FW_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL32_KEY_CERT_ID] = {
.path = BL32_KEY_CERT_NAME,
[TRUSTED_OS_FW_KEY_CERT_ID] = {
.path = TOS_FW_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL33_KEY_CERT_ID] = {
.path = BL33_KEY_CERT_NAME,
[NON_TRUSTED_FW_KEY_CERT_ID] = {
.path = NT_FW_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL31_CERT_ID] = {
.path = BL31_CERT_NAME,
[SOC_FW_CONTENT_CERT_ID] = {
.path = SOC_FW_CONTENT_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL32_CERT_ID] = {
.path = BL32_CERT_NAME,
[TRUSTED_OS_FW_CONTENT_CERT_ID] = {
.path = TOS_FW_CONTENT_CERT_NAME,
.mode = FOPEN_MODE_RB
},
[BL33_CERT_ID] = {
.path = BL33_CERT_NAME,
[NON_TRUSTED_FW_CONTENT_CERT_ID] = {
.path = NT_FW_CONTENT_CERT_NAME,
.mode = FOPEN_MODE_RB
},
#endif /* TRUSTED_BOARD_BOOT */

72
plat/arm/common/arm_io_storage.c
View File

@ -70,44 +70,44 @@ static const io_uuid_spec_t bl33_uuid_spec = {
};
#if TRUSTED_BOARD_BOOT
static const io_uuid_spec_t bl2_cert_uuid_spec = {
.uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT,
static const io_uuid_spec_t tb_fw_cert_uuid_spec = {
.uuid = UUID_TRUSTED_BOOT_FW_CERT,
};
static const io_uuid_spec_t trusted_key_cert_uuid_spec = {
.uuid = UUID_TRUSTED_KEY_CERT,
};
static const io_uuid_spec_t bl30_key_cert_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30_KEY_CERT,
static const io_uuid_spec_t scp_fw_key_cert_uuid_spec = {
.uuid = UUID_SCP_FW_KEY_CERT,
};
static const io_uuid_spec_t bl31_key_cert_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT,
static const io_uuid_spec_t soc_fw_key_cert_uuid_spec = {
.uuid = UUID_SOC_FW_KEY_CERT,
};
static const io_uuid_spec_t bl32_key_cert_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32_KEY_CERT,
static const io_uuid_spec_t tos_fw_key_cert_uuid_spec = {
.uuid = UUID_TRUSTED_OS_FW_KEY_CERT,
};
static const io_uuid_spec_t bl33_key_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT,
static const io_uuid_spec_t nt_fw_key_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FW_KEY_CERT,
};
static const io_uuid_spec_t bl30_cert_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30_CERT,
static const io_uuid_spec_t scp_fw_cert_uuid_spec = {
.uuid = UUID_SCP_FW_CONTENT_CERT,
};
static const io_uuid_spec_t bl31_cert_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT,
static const io_uuid_spec_t soc_fw_cert_uuid_spec = {
.uuid = UUID_SOC_FW_CONTENT_CERT,
};
static const io_uuid_spec_t bl32_cert_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32_CERT,
static const io_uuid_spec_t tos_fw_cert_uuid_spec = {
.uuid = UUID_TRUSTED_OS_FW_CONTENT_CERT,
};
static const io_uuid_spec_t bl33_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_CERT,
static const io_uuid_spec_t nt_fw_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT,
};
#endif /* TRUSTED_BOARD_BOOT */
@ -154,9 +154,9 @@ static const struct plat_io_policy policies[] = {
open_fip
},
#if TRUSTED_BOARD_BOOT
[BL2_CERT_ID] = {
[TRUSTED_BOOT_FW_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl2_cert_uuid_spec,
(uintptr_t)&tb_fw_cert_uuid_spec,
open_fip
},
[TRUSTED_KEY_CERT_ID] = {
@ -164,44 +164,44 @@ static const struct plat_io_policy policies[] = {
(uintptr_t)&trusted_key_cert_uuid_spec,
open_fip
},
[BL30_KEY_CERT_ID] = {
[SCP_FW_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl30_key_cert_uuid_spec,
(uintptr_t)&scp_fw_key_cert_uuid_spec,
open_fip
},
[BL31_KEY_CERT_ID] = {
[SOC_FW_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl31_key_cert_uuid_spec,
(uintptr_t)&soc_fw_key_cert_uuid_spec,
open_fip
},
[BL32_KEY_CERT_ID] = {
[TRUSTED_OS_FW_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl32_key_cert_uuid_spec,
(uintptr_t)&tos_fw_key_cert_uuid_spec,
open_fip
},
[BL33_KEY_CERT_ID] = {
[NON_TRUSTED_FW_KEY_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl33_key_cert_uuid_spec,
(uintptr_t)&nt_fw_key_cert_uuid_spec,
open_fip
},
[BL30_CERT_ID] = {
[SCP_FW_CONTENT_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl30_cert_uuid_spec,
(uintptr_t)&scp_fw_cert_uuid_spec,
open_fip
},
[BL31_CERT_ID] = {
[SOC_FW_CONTENT_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl31_cert_uuid_spec,
(uintptr_t)&soc_fw_cert_uuid_spec,
open_fip
},
[BL32_CERT_ID] = {
[TRUSTED_OS_FW_CONTENT_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl32_cert_uuid_spec,
(uintptr_t)&tos_fw_cert_uuid_spec,
open_fip
},
[BL33_CERT_ID] = {
[NON_TRUSTED_FW_CONTENT_CERT_ID] = {
&fip_dev_handle,
(uintptr_t)&bl33_cert_uuid_spec,
(uintptr_t)&nt_fw_cert_uuid_spec,
open_fip
},
#endif /* TRUSTED_BOARD_BOOT */

18
tools/cert_create/include/tbbr/tbb_cert.h
View File

@ -37,16 +37,16 @@
* Enumerate the certificates that are used to establish the chain of trust
*/
enum {
BL2_CERT,
TRUSTED_BOOT_FW_CERT,
TRUSTED_KEY_CERT,
BL30_KEY_CERT,
BL30_CERT,
BL31_KEY_CERT,
BL31_CERT,
BL32_KEY_CERT,
BL32_CERT,
BL33_KEY_CERT,
BL33_CERT,
SCP_FW_KEY_CERT,
SCP_FW_CONTENT_CERT,
SOC_FW_KEY_CERT,
SOC_FW_CONTENT_CERT,
TRUSTED_OS_FW_KEY_CERT,
TRUSTED_OS_FW_CONTENT_CERT,
NON_TRUSTED_FW_KEY_CERT,
NON_TRUSTED_FW_CONTENT_CERT,
FWU_CERT
};

32
tools/cert_create/include/tbbr/tbb_ext.h
View File

@ -34,22 +34,22 @@
/* TBBR extensions */
enum {
TZ_FW_NVCOUNTER_EXT,
NTZ_FW_NVCOUNTER_EXT,
BL2_HASH_EXT,
TZ_WORLD_PK_EXT,
NTZ_WORLD_PK_EXT,
BL31_CONTENT_CERT_PK_EXT,
BL31_HASH_EXT,
BL30_CONTENT_CERT_PK_EXT,
BL30_HASH_EXT,
BL32_CONTENT_CERT_PK_EXT,
BL32_HASH_EXT,
BL33_CONTENT_CERT_PK_EXT,
BL33_HASH_EXT,
SCP_BL2U_HASH_EXT,
BL2U_HASH_EXT,
NS_BL2U_HASH_EXT
TRUSTED_FW_NVCOUNTER_EXT,
NON_TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_BOOT_FW_HASH_EXT,
TRUSTED_WORLD_PK_EXT,
NON_TRUSTED_WORLD_PK_EXT,
SCP_FW_CONTENT_CERT_PK_EXT,
SCP_FW_HASH_EXT,
SOC_FW_CONTENT_CERT_PK_EXT,
SOC_AP_FW_HASH_EXT,
TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
TRUSTED_OS_FW_HASH_EXT,
NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
SCP_FWU_CFG_HASH_EXT,
AP_FWU_CFG_HASH_EXT,
FWU_HASH_EXT
};
#endif /* TBB_EXT_H_ */

8
tools/cert_create/include/tbbr/tbb_key.h
View File

@ -40,10 +40,10 @@ enum {
ROT_KEY,
TRUSTED_WORLD_KEY,
NON_TRUSTED_WORLD_KEY,
BL30_KEY,
BL31_KEY,
BL32_KEY,
BL33_KEY
SCP_FW_CONTENT_CERT_KEY,
SOC_FW_CONTENT_CERT_KEY,
TRUSTED_OS_FW_CONTENT_CERT_KEY,
NON_TRUSTED_FW_CONTENT_CERT_KEY
};
#endif /* TBB_KEY_H_ */

18
tools/cert_create/src/main.c
View File

@ -91,16 +91,16 @@ enum {
BL32_ID,
BL33_ID,
/* Certificate file names (outputs) */
BL2_CERT_ID,
TRUSTED_BOOT_FW_CERT_ID,
TRUSTED_KEY_CERT_ID,
BL30_KEY_CERT_ID,
BL30_CERT_ID,
BL31_KEY_CERT_ID,
BL31_CERT_ID,
BL32_KEY_CERT_ID,
BL32_CERT_ID,
BL33_KEY_CERT_ID,
BL33_CERT_ID,
SCP_FW_KEY_CERT_ID,
SCP_FW_CONTENT_CERT_ID,
SOC_FW_KEY_CERT_ID,
SOC_FW_CONTENT_CERT_ID,
TRUSTED_OS_FW_KEY_CERT_ID,
TRUSTED_OS_FW_CONTENT_CERT_ID,
NON_TRUSTED_FW_KEY_CERT_ID,
NON_TRUSTED_FW_CONTENT_CERT_ID,
/* Key file names (input/output) */
ROT_KEY_ID,
TRUSTED_WORLD_KEY_ID,

126
tools/cert_create/src/tbbr/tbb_cert.c
View File

@ -40,15 +40,15 @@
* field points to itself.
*/
static cert_t tbb_certs[] = {
[BL2_CERT] = {
.id = BL2_CERT,
.opt = "bl2-cert",
[TRUSTED_BOOT_FW_CERT] = {
.id = TRUSTED_BOOT_FW_CERT,
.opt = "tb-fw-cert",
.fn = NULL,
.cn = "BL2 Certificate",
.cn = "Trusted Boot FW Certificate",
.key = ROT_KEY,
.issuer = BL2_CERT,
.issuer = TRUSTED_BOOT_FW_CERT,
.ext = {
BL2_HASH_EXT
TRUSTED_BOOT_FW_HASH_EXT
},
.num_ext = 1
},
@ -60,104 +60,104 @@ static cert_t tbb_certs[] = {
.key = ROT_KEY,
.issuer = TRUSTED_KEY_CERT,
.ext = {
TZ_WORLD_PK_EXT,
NTZ_WORLD_PK_EXT
TRUSTED_WORLD_PK_EXT,
NON_TRUSTED_WORLD_PK_EXT
},
.num_ext = 2
},
[BL30_KEY_CERT] = {
.id = BL30_KEY_CERT,
.opt = "bl30-key-cert",
[SCP_FW_KEY_CERT] = {
.id = SCP_FW_KEY_CERT,
.opt = "scp-fw-key-cert",
.fn = NULL,
.cn = "BL3-0 Key Certificate",
.cn = "SCP Firmware Key Certificate",
.key = TRUSTED_WORLD_KEY,
.issuer = BL30_KEY_CERT,
.issuer = SCP_FW_KEY_CERT,
.ext = {
BL30_CONTENT_CERT_PK_EXT
SCP_FW_CONTENT_CERT_PK_EXT
},
.num_ext = 1
},
[BL30_CERT] = {
.id = BL30_CERT,
.opt = "bl30-cert",
[SCP_FW_CONTENT_CERT] = {
.id = SCP_FW_CONTENT_CERT,
.opt = "scp-fw-cert",
.fn = NULL,
.cn = "BL3-0 Content Certificate",
.key = BL30_KEY,
.issuer = BL30_CERT,
.cn = "SCP Firmware Content Certificate",
.key = SCP_FW_CONTENT_CERT_KEY,
.issuer = SCP_FW_CONTENT_CERT,
.ext = {
BL30_HASH_EXT
SCP_FW_HASH_EXT
},
.num_ext = 1
},
[BL31_KEY_CERT] = {
.id = BL31_KEY_CERT,
.opt = "bl31-key-cert",
[SOC_FW_KEY_CERT] = {
.id = SOC_FW_KEY_CERT,
.opt = "soc-fw-key-cert",
.fn = NULL,
.cn = "BL3-1 Key Certificate",
.cn = "SoC Firmware Key Certificate",
.key = TRUSTED_WORLD_KEY,
.issuer = BL31_KEY_CERT,
.issuer = SOC_FW_KEY_CERT,
.ext = {
BL31_CONTENT_CERT_PK_EXT
SOC_FW_CONTENT_CERT_PK_EXT
},
.num_ext = 1
},
[BL31_CERT] = {
.id = BL31_CERT,
.opt = "bl31-cert",
[SOC_FW_CONTENT_CERT] = {
.id = SOC_FW_CONTENT_CERT,
.opt = "soc-fw-cert",
.fn = NULL,
.cn = "BL3-1 Content Certificate",
.key = BL31_KEY,
.issuer = BL31_CERT,
.cn = "SoC Firmware Content Certificate",
.key = SOC_FW_CONTENT_CERT_KEY,
.issuer = SOC_FW_CONTENT_CERT,
.ext = {
BL31_HASH_EXT
SOC_AP_FW_HASH_EXT
},
.num_ext = 1
},
[BL32_KEY_CERT] = {
.id = BL32_KEY_CERT,
.opt = "bl32-key-cert",
[TRUSTED_OS_FW_KEY_CERT] = {
.id = TRUSTED_OS_FW_KEY_CERT,
.opt = "tos-fw-key-cert",
.fn = NULL,
.cn = "BL3-2 Key Certificate",
.cn = "Trusted OS Firmware Key Certificate",
.key = TRUSTED_WORLD_KEY,
.issuer = BL32_KEY_CERT,
.issuer = TRUSTED_OS_FW_KEY_CERT,
.ext = {
BL32_CONTENT_CERT_PK_EXT
TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
},
.num_ext = 1
},
[BL32_CERT] = {
.id = BL32_CERT,
.opt = "bl32-cert",
[TRUSTED_OS_FW_CONTENT_CERT] = {
.id = TRUSTED_OS_FW_CONTENT_CERT,
.opt = "tos-fw-cert",
.fn = NULL,
.cn = "BL3-2 Content Certificate",
.key = BL32_KEY,
.issuer = BL32_CERT,
.cn = "Trusted OS Firmware Content Certificate",
.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.issuer = TRUSTED_OS_FW_CONTENT_CERT,
.ext = {
BL32_HASH_EXT
TRUSTED_OS_FW_HASH_EXT
},
.num_ext = 1
},
[BL33_KEY_CERT] = {
.id = BL33_KEY_CERT,
.opt = "bl33-key-cert",
[NON_TRUSTED_FW_KEY_CERT] = {
.id = NON_TRUSTED_FW_KEY_CERT,
.opt = "nt-fw-key-cert",
.fn = NULL,
.cn = "BL3-3 Key Certificate",
.cn = "Non-Trusted Firmware Key Certificate",
.key = NON_TRUSTED_WORLD_KEY,
.issuer = BL33_KEY_CERT,
.issuer = NON_TRUSTED_FW_KEY_CERT,
.ext = {
BL33_CONTENT_CERT_PK_EXT
NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
},
.num_ext = 1
},
[BL33_CERT] = {
.id = BL33_CERT,
.opt = "bl33-cert",
[NON_TRUSTED_FW_CONTENT_CERT] = {
.id = NON_TRUSTED_FW_CONTENT_CERT,
.opt = "nt-fw-cert",
.fn = NULL,
.cn = "BL3-3 Content Certificate",
.key = BL33_KEY,
.issuer = BL33_CERT,
.cn = "Non-Trusted Firmware Content Certificate",
.key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.issuer = NON_TRUSTED_FW_CONTENT_CERT,
.ext = {
BL33_HASH_EXT
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
},
.num_ext = 1
},
@ -169,9 +169,9 @@ static cert_t tbb_certs[] = {
.key = ROT_KEY,
.issuer = FWU_CERT,
.ext = {
SCP_BL2U_HASH_EXT,
BL2U_HASH_EXT,
NS_BL2U_HASH_EXT
SCP_FWU_CFG_HASH_EXT,
AP_FWU_CFG_HASH_EXT,
FWU_HASH_EXT
},
.num_ext = 3
}

104
tools/cert_create/src/tbbr/tbb_ext.c
View File

@ -42,133 +42,133 @@
#define NORMAL_WORLD_NVCTR_VALUE 0
static ext_t tbb_ext[] = {
[TZ_FW_NVCOUNTER_EXT] = {
.oid = TZ_FW_NVCOUNTER_OID,
[TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = TRUSTED_FW_NVCOUNTER_OID,
.sn = "TrustedWorldNVCounter",
.ln = "Trusted World Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
.data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE
},
[NTZ_FW_NVCOUNTER_EXT] = {
.oid = NTZ_FW_NVCOUNTER_OID,
[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
.sn = "NormalWorldNVCounter",
.ln = "Normal World Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER,
.data.nvcounter = NORMAL_WORLD_NVCTR_VALUE
},
[BL2_HASH_EXT] = {
.oid = BL2_HASH_OID,
.opt = "bl2",
[TRUSTED_BOOT_FW_HASH_EXT] = {
.oid = TRUSTED_BOOT_FW_HASH_OID,
.opt = "tb-fw",
.sn = "TrustedBootFirmwareHash",
.ln = "Trusted Boot Firmware (BL2) hash (SHA256)",
.ln = "Trusted Boot Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[TZ_WORLD_PK_EXT] = {
.oid = TZ_WORLD_PK_OID,
[TRUSTED_WORLD_PK_EXT] = {
.oid = TRUSTED_WORLD_PK_OID,
.sn = "TrustedWorldPublicKey",
.ln = "Trusted World Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.data.key = TRUSTED_WORLD_KEY
},
[NTZ_WORLD_PK_EXT] = {
.oid = NTZ_WORLD_PK_OID,
[NON_TRUSTED_WORLD_PK_EXT] = {
.oid = NON_TRUSTED_WORLD_PK_OID,
.sn = "NonTrustedWorldPublicKey",
.ln = "Non-Trusted World Public Key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.data.key = NON_TRUSTED_WORLD_KEY
},
[BL30_CONTENT_CERT_PK_EXT] = {
.oid = BL30_CONTENT_CERT_PK_OID,
[SCP_FW_CONTENT_CERT_PK_EXT] = {
.oid = SCP_FW_CONTENT_CERT_PK_OID,
.sn = "SCPFirmwareContentCertPK",
.ln = "SCP Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.data.key = BL30_KEY
.data.key = SCP_FW_CONTENT_CERT_KEY
},
[BL30_HASH_EXT] = {
.oid = BL30_HASH_OID,
.opt = "bl30",
[SCP_FW_HASH_EXT] = {
.oid = SCP_FW_HASH_OID,
.opt = "scp-fw",
.sn = "SCPFirmwareHash",
.ln = "SCP Firmware (BL30) hash (SHA256)",
.ln = "SCP Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[BL31_CONTENT_CERT_PK_EXT] = {
.oid = BL31_CONTENT_CERT_PK_OID,
[SOC_FW_CONTENT_CERT_PK_EXT] = {
.oid = SOC_FW_CONTENT_CERT_PK_OID,
.sn = "SoCFirmwareContentCertPK",
.ln = "SoC Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.data.key = BL31_KEY
.data.key = SOC_FW_CONTENT_CERT_KEY
},
[BL31_HASH_EXT] = {
.oid = BL31_HASH_OID,
.opt = "bl31",
[SOC_AP_FW_HASH_EXT] = {
.oid = SOC_AP_FW_HASH_OID,
.opt = "soc-fw",
.sn = "SoCAPFirmwareHash",
.ln = "SoC AP Firmware (BL31) hash (SHA256)",
.ln = "SoC AP Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[BL32_CONTENT_CERT_PK_EXT] = {
.oid = BL32_CONTENT_CERT_PK_OID,
[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
.sn = "TrustedOSFirmwareContentCertPK",
.ln = "Trusted OS Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.data.key = BL32_KEY
.data.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
},
[BL32_HASH_EXT] = {
.oid = BL32_HASH_OID,
.opt = "bl32",
[TRUSTED_OS_FW_HASH_EXT] = {
.oid = TRUSTED_OS_FW_HASH_OID,
.opt = "tos-fw",
.sn = "TrustedOSHash",
.ln = "Trusted OS (BL32) hash (SHA256)",
.ln = "Trusted OS hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[BL33_CONTENT_CERT_PK_EXT] = {
.oid = BL33_CONTENT_CERT_PK_OID,
[NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = {
.oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID,
.sn = "NonTrustedFirmwareContentCertPK",
.ln = "Non-Trusted Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY,
.data.key = BL33_KEY
.data.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
},
[BL33_HASH_EXT] = {
.oid = BL33_HASH_OID,
.opt = "bl33",
[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
.opt = "nt-fw",
.sn = "NonTrustedWorldBootloaderHash",
.ln = "Non-Trusted World (BL33) hash (SHA256)",
.ln = "Non-Trusted World hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH
},
[SCP_BL2U_HASH_EXT] = {
.oid = SCP_BL2U_HASH_OID,
.opt = "scp_bl2u",
[SCP_FWU_CFG_HASH_EXT] = {
.oid = SCP_FWU_CFG_HASH_OID,
.opt = "scp-fwu-cfg",
.sn = "SCPFWUpdateConfig",
.ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)",
.ln = "SCP Firmware Update Config hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[BL2U_HASH_EXT] = {
.oid = BL2U_HASH_OID,
.opt = "bl2u",
[AP_FWU_CFG_HASH_EXT] = {
.oid = AP_FWU_CFG_HASH_OID,
.opt = "ap-fwu-cfg",
.sn = "APFWUpdateConfig",
.ln = "AP Firmware Update Config (BL2U) hash (SHA256)",
.ln = "AP Firmware Update Config hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[NS_BL2U_HASH_EXT] = {
.oid = NS_BL2U_HASH_OID,
.opt = "ns_bl2u",
[FWU_HASH_EXT] = {
.oid = FWU_HASH_OID,
.opt = "fwu",
.sn = "FWUpdaterHash",
.ln = "Firmware Updater (NS_BL2U) hash (SHA256)",
.ln = "Firmware Updater hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1

32
tools/cert_create/src/tbbr/tbb_key.c
View File

@ -51,25 +51,25 @@ static key_t tbb_keys[] = {
.opt = "non-trusted-world-key",
.desc = "Non Trusted World key"
},
[BL30_KEY] = {
.id = BL30_KEY,
.opt = "bl30-key",
.desc = "BL30 key"
[SCP_FW_CONTENT_CERT_KEY] = {
.id = SCP_FW_CONTENT_CERT_KEY,
.opt = "scp-fw-key",
.desc = "SCP Firmware Content Certificate key"
},
[BL31_KEY] = {
.id = BL31_KEY,
.opt = "bl31-key",
.desc = "BL31 key"
[SOC_FW_CONTENT_CERT_KEY] = {
.id = SOC_FW_CONTENT_CERT_KEY,
.opt = "soc-fw-key",
.desc = "SoC Firmware Content Certificate key"
},
[BL32_KEY] = {
.id = BL32_KEY,
.opt = "bl32-key",
.desc = "BL32 key"
[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.opt = "tos-fw-key",
.desc = "Trusted OS Firmware Content Certificate key"
},
[BL33_KEY] = {
.id = BL33_KEY,
.opt = "bl33-key",
.desc = "BL33 key"
[NON_TRUSTED_FW_CONTENT_CERT_KEY] = {
.id = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.opt = "nt-fw-key",
.desc = "Non Trusted Firmware Content Certificate key"
}
};

36
tools/fip_create/fip_create.c
View File

@ -78,25 +78,25 @@ static entry_lookup_list_t toc_entry_lookup_list[] = {
"rot-cert", NULL, FLAG_FILENAME },
{ "Trusted key certificate", UUID_TRUSTED_KEY_CERT,
"trusted-key-cert", NULL, FLAG_FILENAME},
{ "SCP Firmware BL3-0 key certificate", UUID_SCP_FIRMWARE_BL30_KEY_CERT,
"bl30-key-cert", NULL, FLAG_FILENAME},
{ "EL3 Runtime Firmware BL3-1 key certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT,
"bl31-key-cert", NULL, FLAG_FILENAME},
{ "Secure Payload BL3-2 (Trusted OS) key certificate", UUID_SECURE_PAYLOAD_BL32_KEY_CERT,
"bl32-key-cert", NULL, FLAG_FILENAME},
{ "Non-Trusted Firmware BL3-3 key certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT,
"bl33-key-cert", NULL, FLAG_FILENAME},
{ "SCP Firmware key certificate", UUID_SCP_FW_KEY_CERT,
"scp-fw-key-cert", NULL, FLAG_FILENAME},
{ "SoC Firmware key certificate", UUID_SOC_FW_KEY_CERT,
"soc-fw-key-cert", NULL, FLAG_FILENAME},
{ "Trusted OS Firmware key certificate", UUID_TRUSTED_OS_FW_KEY_CERT,
"tos-fw-key-cert", NULL, FLAG_FILENAME},
{ "Non-Trusted Firmware key certificate", UUID_NON_TRUSTED_FW_KEY_CERT,
"nt-fw-key-cert", NULL, FLAG_FILENAME},
/* Content certificates */
{ "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT,
"bl2-cert", NULL, FLAG_FILENAME },
{ "SCP Firmware BL3-0 certificate", UUID_SCP_FIRMWARE_BL30_CERT,
"bl30-cert", NULL, FLAG_FILENAME},
{ "EL3 Runtime Firmware BL3-1 certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT,
"bl31-cert", NULL, FLAG_FILENAME},
{ "Secure Payload BL3-2 (Trusted OS) certificate", UUID_SECURE_PAYLOAD_BL32_CERT,
"bl32-cert", NULL, FLAG_FILENAME},
{ "Non-Trusted Firmware BL3-3 certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_CERT,
"bl33-cert", NULL, FLAG_FILENAME},
{ "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FW_CERT,
"tb-fw-cert", NULL, FLAG_FILENAME },
{ "SCP Firmware content certificate", UUID_SCP_FW_CONTENT_CERT,
"scp-fw-cert", NULL, FLAG_FILENAME},
{ "SoC Firmware content certificate", UUID_SOC_FW_CONTENT_CERT,
"soc-fw-cert", NULL, FLAG_FILENAME},
{ "Trusted OS Firmware content certificate", UUID_TRUSTED_OS_FW_CONTENT_CERT,
"tos-fw-cert", NULL, FLAG_FILENAME},
{ "Non-Trusted Firmware content certificate", UUID_NON_TRUSTED_FW_CONTENT_CERT,
"nt-fw-cert", NULL, FLAG_FILENAME},
{ NULL, {0}, 0 }
};