andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

TBB: apply TBBR naming convention to certificates and extensions 

This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

    * Certificate UUID names
    * Certificate identifier names
    * OID names

Changes apply to:

    * Generic code (variables and defines)
    * The default certificate identifiers provided in the generic
      code
    * Build system
    * ARM platforms port
    * cert_create tool internal definitions
    * fip_create and cert_create tools command line options
    * Documentation

IMPORTANT: this change breaks the compatibility with platforms
that use TBBR. The platform will need to adapt the identifiers
and OIDs to the TBBR naming convention introduced by this patch:

Certificate UUIDs:

    UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
    UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
    UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
    UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
    UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
    UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
    UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
    UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
    UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT

Certificate identifiers:

    BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
    BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
    BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
    BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
    BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
    BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
    BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
    BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
    BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID

OIDs:

    TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
    NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
    BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
    TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
    NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
    BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
    BL30_HASH_OID --> SCP_FW_HASH_OID
    BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
    BL31_HASH_OID --> SOC_AP_FW_HASH_OID
    BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
    BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
    BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
    BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
    BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
    SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
    NS_BL2U_HASH_OID --> FWU_HASH_OID

Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
This commit is contained in:
Juan Castillo 2015-12-03 10:19:21 +00:00
parent a84deb9c3f
commit 516beb585c
17 changed files with 441 additions and 441 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
docs/auth-framework.md
View File

@ -726,30 +726,30 @@ Four image descriptors form the BL3-1 Chain of Trust:
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &tz_world_pk, .type_desc = &trusted_world_pk,
.data = { .data = {
.ptr = (void *)plat_tz_world_pk_buf, .ptr = (void *)trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
}, },
[1] = { [1] = {
.type_desc = &ntz_world_pk, .type_desc = &non_trusted_world_pk,
.data = { .data = {
.ptr = (void *)plat_ntz_world_pk_buf, .ptr = (void *)non_trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
[BL31_KEY_CERT_ID] = { [SOC_FW_KEY_CERT_ID] = {
.img_id = BL31_KEY_CERT_ID, .img_id = SOC_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &tz_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -758,23 +758,23 @@ Four image descriptors form the BL3-1 Chain of Trust:
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl31_content_pk, .type_desc = &soc_fw_content_pk,
.data = { .data = {
.ptr = (void *)plat_content_pk, .ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
[BL31_CERT_ID] = { [SOC_FW_CONTENT_CERT_ID] = {
.img_id = BL31_CERT_ID, .img_id = SOC_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[BL31_KEY_CERT_ID], .parent = &cot_desc[SOC_FW_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &bl31_content_pk, .pk = &soc_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -783,9 +783,9 @@ Four image descriptors form the BL3-1 Chain of Trust:
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl31_hash, .type_desc = &soc_fw_hash,
.data = { .data = {
.ptr = (void *)plat_bl31_hash_buf, .ptr = (void *)soc_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }
@ -794,13 +794,13 @@ Four image descriptors form the BL3-1 Chain of Trust:
[BL31_IMAGE_ID] = { [BL31_IMAGE_ID] = {
.img_id = BL31_IMAGE_ID, .img_id = BL31_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[BL31_CERT_ID], .parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl31_hash, .hash = &soc_fw_hash,
} }
} }
} }
@ -835,7 +835,7 @@ is created in the `authenticated_data` array for that purpose. In that entry,
the corresponding parameter descriptor must be specified along with the buffer the corresponding parameter descriptor must be specified along with the buffer
address to store the parameter value. In this case, the `tz_world_pk` descriptor address to store the parameter value. In this case, the `tz_world_pk` descriptor
is used to extract the public key from an x509v3 extension with OID is used to extract the public key from an x509v3 extension with OID
`TZ_WORLD_PK_OID`. The BL3-1 key certificate will use this descriptor as `TRUSTED_WORLD_PK_OID`. The BL3-1 key certificate will use this descriptor as
parameter in the signature authentication method. The key is stored in the parameter in the signature authentication method. The key is stored in the
`plat_tz_world_pk_buf` buffer. `plat_tz_world_pk_buf` buffer.

18
docs/porting-guide.md
View File

@ -247,7 +247,7 @@ mandatory:
If Trusted Board Boot is enabled, the following certificate identifiers must If Trusted Board Boot is enabled, the following certificate identifiers must
also be defined: also be defined:
* **#define : BL2_CERT_ID** * **#define : TRUSTED_BOOT_FW_CERT_ID**
BL2 content certificate identifier, used by BL1 to load the BL2 content BL2 content certificate identifier, used by BL1 to load the BL2 content
certificate. certificate.
@ -257,22 +257,22 @@ also be defined:
Trusted key certificate identifier, used by BL2 to load the trusted key Trusted key certificate identifier, used by BL2 to load the trusted key
certificate. certificate.
* **#define : BL31_KEY_CERT_ID** * **#define : SOC_FW_KEY_CERT_ID**
BL3-1 key certificate identifier, used by BL2 to load the BL3-1 key BL3-1 key certificate identifier, used by BL2 to load the BL3-1 key
certificate. certificate.
* **#define : BL31_CERT_ID** * **#define : SOC_FW_CONTENT_CERT_ID**
BL3-1 content certificate identifier, used by BL2 to load the BL3-1 content BL3-1 content certificate identifier, used by BL2 to load the BL3-1 content
certificate. certificate.
* **#define : BL33_KEY_CERT_ID** * **#define : NON_TRUSTED_FW_KEY_CERT_ID**
BL3-3 key certificate identifier, used by BL2 to load the BL3-3 key BL3-3 key certificate identifier, used by BL2 to load the BL3-3 key
certificate. certificate.
* **#define : BL33_CERT_ID** * **#define : NON_TRUSTED_FW_CONTENT_CERT_ID**
BL3-3 content certificate identifier, used by BL2 to load the BL3-3 content BL3-3 content certificate identifier, used by BL2 to load the BL3-3 content
certificate. certificate.
@ -285,12 +285,12 @@ also be defined:
BL3-0 image identifier, used by BL2 to load BL3-0 into secure memory from BL3-0 image identifier, used by BL2 to load BL3-0 into secure memory from
platform storage before being transfered to the SCP. platform storage before being transfered to the SCP.
* **#define : BL30_KEY_CERT_ID** * **#define : SCP_FW_KEY_CERT_ID**
BL3-0 key certificate identifier, used by BL2 to load the BL3-0 key BL3-0 key certificate identifier, used by BL2 to load the BL3-0 key
certificate (mandatory when Trusted Board Boot is enabled). certificate (mandatory when Trusted Board Boot is enabled).
* **#define : BL30_CERT_ID** * **#define : SCP_FW_CONTENT_CERT_ID**
BL3-0 content certificate identifier, used by BL2 to load the BL3-0 content BL3-0 content certificate identifier, used by BL2 to load the BL3-0 content
certificate (mandatory when Trusted Board Boot is enabled). certificate (mandatory when Trusted Board Boot is enabled).
@ -302,12 +302,12 @@ also be defined:
BL3-2 image identifier, used by BL2 to load BL3-2. BL3-2 image identifier, used by BL2 to load BL3-2.
* **#define : BL32_KEY_CERT_ID** * **#define : TRUSTED_OS_FW_KEY_CERT_ID**
BL3-2 key certificate identifier, used by BL2 to load the BL3-2 key BL3-2 key certificate identifier, used by BL2 to load the BL3-2 key
certificate (mandatory when Trusted Board Boot is enabled). certificate (mandatory when Trusted Board Boot is enabled).
* **#define : BL32_CERT_ID** * **#define : TRUSTED_OS_FW_CONTENT_CERT_ID**
BL3-2 content certificate identifier, used by BL2 to load the BL3-2 content BL3-2 content certificate identifier, used by BL2 to load the BL3-2 content
certificate (mandatory when Trusted Board Boot is enabled). certificate (mandatory when Trusted Board Boot is enabled).

204
drivers/auth/tbbr/tbbr_cot.c
View File

@ -44,14 +44,14 @@
* extracted from the certificates. In this case, because of the way the CoT is * extracted from the certificates. In this case, because of the way the CoT is
* established, we can reuse some of the buffers on different stages * established, we can reuse some of the buffers on different stages
*/ */
static unsigned char plat_bl2_hash_buf[HASH_DER_LEN]; static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl30_hash_buf[HASH_DER_LEN]; static unsigned char scp_fw_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl31_hash_buf[HASH_DER_LEN]; static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl32_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char plat_bl33_hash_buf[HASH_DER_LEN]; static unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
static unsigned char plat_tz_world_pk_buf[PK_DER_LEN]; static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char plat_ntz_world_pk_buf[PK_DER_LEN]; static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
static unsigned char plat_content_pk[PK_DER_LEN]; static unsigned char content_pk_buf[PK_DER_LEN];
/* /*
* Parameter type descriptors * Parameter type descriptors
@ -65,36 +65,36 @@ static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC(
static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t raw_data = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_RAW_DATA, 0); AUTH_PARAM_RAW_DATA, 0);
static auth_param_type_desc_t tz_world_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, TZ_WORLD_PK_OID); AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t ntz_world_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, NTZ_WORLD_PK_OID); AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
static auth_param_type_desc_t bl30_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL30_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, SCP_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl31_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t soc_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL31_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, SOC_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl32_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t tos_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL32_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, TRUSTED_OS_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl33_content_pk = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_PUB_KEY, BL33_CONTENT_CERT_PK_OID); AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
static auth_param_type_desc_t bl2_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t tb_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL2_HASH_OID); AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
static auth_param_type_desc_t bl30_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL30_HASH_OID); AUTH_PARAM_HASH, SCP_FW_HASH_OID);
static auth_param_type_desc_t bl31_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t soc_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL31_HASH_OID); AUTH_PARAM_HASH, SOC_AP_FW_HASH_OID);
static auth_param_type_desc_t bl32_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t tos_fw_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL32_HASH_OID); AUTH_PARAM_HASH, TRUSTED_OS_FW_HASH_OID);
static auth_param_type_desc_t bl33_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL33_HASH_OID); AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_BL2U_HASH_OID); AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, BL2U_HASH_OID); AUTH_PARAM_HASH, AP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, NS_BL2U_HASH_OID); AUTH_PARAM_HASH, FWU_HASH_OID);
/* /*
* TBBR Chain of trust definition * TBBR Chain of trust definition
@ -103,8 +103,8 @@ static const auth_img_desc_t cot_desc[] = {
/* /*
* BL2 * BL2
*/ */
[BL2_CERT_ID] = { [TRUSTED_BOOT_FW_CERT_ID] = {
.img_id = BL2_CERT_ID, .img_id = TRUSTED_BOOT_FW_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = NULL, .parent = NULL,
.img_auth_methods = { .img_auth_methods = {
@ -120,9 +120,9 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl2_hash, .type_desc = &tb_fw_hash,
.data = { .data = {
.ptr = (void *)plat_bl2_hash_buf, .ptr = (void *)tb_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }
@ -131,13 +131,13 @@ static const auth_img_desc_t cot_desc[] = {
[BL2_IMAGE_ID] = { [BL2_IMAGE_ID] = {
.img_id = BL2_IMAGE_ID, .img_id = BL2_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[BL2_CERT_ID], .parent = &cot_desc[TRUSTED_BOOT_FW_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl2_hash, .hash = &tb_fw_hash,
} }
} }
} }
@ -162,33 +162,33 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &tz_world_pk, .type_desc = &trusted_world_pk,
.data = { .data = {
.ptr = (void *)plat_tz_world_pk_buf, .ptr = (void *)trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
}, },
[1] = { [1] = {
.type_desc = &ntz_world_pk, .type_desc = &non_trusted_world_pk,
.data = { .data = {
.ptr = (void *)plat_ntz_world_pk_buf, .ptr = (void *)non_trusted_world_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
/* /*
* BL3-0 * SCP Firmware
*/ */
[BL30_KEY_CERT_ID] = { [SCP_FW_KEY_CERT_ID] = {
.img_id = BL30_KEY_CERT_ID, .img_id = SCP_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &tz_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -197,23 +197,23 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl30_content_pk, .type_desc = &scp_fw_content_pk,
.data = { .data = {
.ptr = (void *)plat_content_pk, .ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
[BL30_CERT_ID] = { [SCP_FW_CONTENT_CERT_ID] = {
.img_id = BL30_CERT_ID, .img_id = SCP_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[BL30_KEY_CERT_ID], .parent = &cot_desc[SCP_FW_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &bl30_content_pk, .pk = &scp_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -222,9 +222,9 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl30_hash, .type_desc = &scp_fw_hash,
.data = { .data = {
.ptr = (void *)plat_bl30_hash_buf, .ptr = (void *)scp_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }
@ -233,29 +233,29 @@ static const auth_img_desc_t cot_desc[] = {
[BL30_IMAGE_ID] = { [BL30_IMAGE_ID] = {
.img_id = BL30_IMAGE_ID, .img_id = BL30_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[BL30_CERT_ID], .parent = &cot_desc[SCP_FW_CONTENT_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl30_hash, .hash = &scp_fw_hash,
} }
} }
} }
}, },
/* /*
* BL3-1 * SoC Firmware
*/ */
[BL31_KEY_CERT_ID] = { [SOC_FW_KEY_CERT_ID] = {
.img_id = BL31_KEY_CERT_ID, .img_id = SOC_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &tz_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -264,23 +264,23 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl31_content_pk, .type_desc = &soc_fw_content_pk,
.data = { .data = {
.ptr = (void *)plat_content_pk, .ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
[BL31_CERT_ID] = { [SOC_FW_CONTENT_CERT_ID] = {
.img_id = BL31_CERT_ID, .img_id = SOC_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[BL31_KEY_CERT_ID], .parent = &cot_desc[SOC_FW_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &bl31_content_pk, .pk = &soc_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -289,9 +289,9 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl31_hash, .type_desc = &soc_fw_hash,
.data = { .data = {
.ptr = (void *)plat_bl31_hash_buf, .ptr = (void *)soc_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }
@ -300,29 +300,29 @@ static const auth_img_desc_t cot_desc[] = {
[BL31_IMAGE_ID] = { [BL31_IMAGE_ID] = {
.img_id = BL31_IMAGE_ID, .img_id = BL31_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[BL31_CERT_ID], .parent = &cot_desc[SOC_FW_CONTENT_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl31_hash, .hash = &soc_fw_hash,
} }
} }
} }
}, },
/* /*
* BL3-2 * Trusted OS Firmware
*/ */
[BL32_KEY_CERT_ID] = { [TRUSTED_OS_FW_KEY_CERT_ID] = {
.img_id = BL32_KEY_CERT_ID, .img_id = TRUSTED_OS_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &tz_world_pk, .pk = &trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -331,23 +331,23 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl32_content_pk, .type_desc = &tos_fw_content_pk,
.data = { .data = {
.ptr = (void *)plat_content_pk, .ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
[BL32_CERT_ID] = { [TRUSTED_OS_FW_CONTENT_CERT_ID] = {
.img_id = BL32_CERT_ID, .img_id = TRUSTED_OS_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[BL32_KEY_CERT_ID], .parent = &cot_desc[TRUSTED_OS_FW_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &bl32_content_pk, .pk = &tos_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -356,9 +356,9 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl32_hash, .type_desc = &tos_fw_hash,
.data = { .data = {
.ptr = (void *)plat_bl32_hash_buf, .ptr = (void *)tos_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }
@ -367,29 +367,29 @@ static const auth_img_desc_t cot_desc[] = {
[BL32_IMAGE_ID] = { [BL32_IMAGE_ID] = {
.img_id = BL32_IMAGE_ID, .img_id = BL32_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[BL32_CERT_ID], .parent = &cot_desc[TRUSTED_OS_FW_CONTENT_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl32_hash, .hash = &tos_fw_hash,
} }
} }
} }
}, },
/* /*
* BL3-3 * Non-Trusted Firmware
*/ */
[BL33_KEY_CERT_ID] = { [NON_TRUSTED_FW_KEY_CERT_ID] = {
.img_id = BL33_KEY_CERT_ID, .img_id = NON_TRUSTED_FW_KEY_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[TRUSTED_KEY_CERT_ID], .parent = &cot_desc[TRUSTED_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &ntz_world_pk, .pk = &non_trusted_world_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -398,23 +398,23 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl33_content_pk, .type_desc = &nt_fw_content_pk,
.data = { .data = {
.ptr = (void *)plat_content_pk, .ptr = (void *)content_pk_buf,
.len = (unsigned int)PK_DER_LEN .len = (unsigned int)PK_DER_LEN
} }
} }
} }
}, },
[BL33_CERT_ID] = { [NON_TRUSTED_FW_CONTENT_CERT_ID] = {
.img_id = BL33_CERT_ID, .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
.img_type = IMG_CERT, .img_type = IMG_CERT,
.parent = &cot_desc[BL33_KEY_CERT_ID], .parent = &cot_desc[NON_TRUSTED_FW_KEY_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_SIG, .type = AUTH_METHOD_SIG,
.param.sig = { .param.sig = {
.pk = &bl33_content_pk, .pk = &nt_fw_content_pk,
.sig = &sig, .sig = &sig,
.alg = &sig_alg, .alg = &sig_alg,
.data = &raw_data, .data = &raw_data,
@ -423,9 +423,9 @@ static const auth_img_desc_t cot_desc[] = {
}, },
.authenticated_data = { .authenticated_data = {
[0] = { [0] = {
.type_desc = &bl33_hash, .type_desc = &nt_world_bl_hash,
.data = { .data = {
.ptr = (void *)plat_bl33_hash_buf, .ptr = (void *)nt_world_bl_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }
@ -434,13 +434,13 @@ static const auth_img_desc_t cot_desc[] = {
[BL33_IMAGE_ID] = { [BL33_IMAGE_ID] = {
.img_id = BL33_IMAGE_ID, .img_id = BL33_IMAGE_ID,
.img_type = IMG_RAW, .img_type = IMG_RAW,
.parent = &cot_desc[BL33_CERT_ID], .parent = &cot_desc[NON_TRUSTED_FW_CONTENT_CERT_ID],
.img_auth_methods = { .img_auth_methods = {
[0] = { [0] = {
.type = AUTH_METHOD_HASH, .type = AUTH_METHOD_HASH,
.param.hash = { .param.hash = {
.data = &raw_data, .data = &raw_data,
.hash = &bl33_hash, .hash = &nt_world_bl_hash,
} }
} }
} }
@ -467,21 +467,21 @@ static const auth_img_desc_t cot_desc[] = {
[0] = { [0] = {
.type_desc = &scp_bl2u_hash, .type_desc = &scp_bl2u_hash,
.data = { .data = {
.ptr = (void *)plat_bl30_hash_buf, .ptr = (void *)scp_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
}, },
[1] = { [1] = {
.type_desc = &bl2u_hash, .type_desc = &bl2u_hash,
.data = { .data = {
.ptr = (void *)plat_bl2_hash_buf, .ptr = (void *)tb_fw_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
}, },
[2] = { [2] = {
.type_desc = &ns_bl2u_hash, .type_desc = &ns_bl2u_hash,
.data = { .data = {
.ptr = (void *)plat_bl33_hash_buf, .ptr = (void *)nt_world_bl_hash_buf,
.len = (unsigned int)HASH_DER_LEN .len = (unsigned int)HASH_DER_LEN
} }
} }

18
include/common/firmware_image_package.h
View File

@ -64,24 +64,24 @@
{0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} } {0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} }
#define UUID_NON_TRUSTED_WORLD_KEY_CERT \ #define UUID_NON_TRUSTED_WORLD_KEY_CERT \
{0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} } {0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} }
#define UUID_SCP_FIRMWARE_BL30_KEY_CERT \ #define UUID_SCP_FW_KEY_CERT \
{0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} } {0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} }
#define UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT \ #define UUID_SOC_FW_KEY_CERT \
{0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} } {0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} }
#define UUID_SECURE_PAYLOAD_BL32_KEY_CERT \ #define UUID_TRUSTED_OS_FW_KEY_CERT \
{0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} } {0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} }
#define UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT \ #define UUID_NON_TRUSTED_FW_KEY_CERT \
{0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} } {0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} }
/* Content certificates */ /* Content certificates */
#define UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT \ #define UUID_TRUSTED_BOOT_FW_CERT \
{0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} } {0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} }
#define UUID_SCP_FIRMWARE_BL30_CERT \ #define UUID_SCP_FW_CONTENT_CERT \
{0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} } {0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} }
#define UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT \ #define UUID_SOC_FW_CONTENT_CERT \
{0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} } {0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} }
#define UUID_SECURE_PAYLOAD_BL32_CERT \ #define UUID_TRUSTED_OS_FW_CONTENT_CERT \
{0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} } {0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
#define UUID_NON_TRUSTED_FIRMWARE_BL33_CERT \ #define UUID_NON_TRUSTED_FW_CONTENT_CERT \
{0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } {0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
typedef struct fip_toc_header { typedef struct fip_toc_header {

18
include/common/tbbr/tbbr_img_def.h
View File

@ -50,18 +50,18 @@
#define BL33_IMAGE_ID 5 #define BL33_IMAGE_ID 5
/* Certificates */ /* Certificates */
#define BL2_CERT_ID 6 #define TRUSTED_BOOT_FW_CERT_ID 6
#define TRUSTED_KEY_CERT_ID 7 #define TRUSTED_KEY_CERT_ID 7
#define BL30_KEY_CERT_ID 8 #define SCP_FW_KEY_CERT_ID 8
#define BL31_KEY_CERT_ID 9 #define SOC_FW_KEY_CERT_ID 9
#define BL32_KEY_CERT_ID 10 #define TRUSTED_OS_FW_KEY_CERT_ID 10
#define BL33_KEY_CERT_ID 11 #define NON_TRUSTED_FW_KEY_CERT_ID 11
#define BL30_CERT_ID 12 #define SCP_FW_CONTENT_CERT_ID 12
#define BL31_CERT_ID 13 #define SOC_FW_CONTENT_CERT_ID 13
#define BL32_CERT_ID 14 #define TRUSTED_OS_FW_CONTENT_CERT_ID 14
#define BL33_CERT_ID 15 #define NON_TRUSTED_FW_CONTENT_CERT_ID 15
/* Non-Trusted ROM Firmware NS_BL1U */ /* Non-Trusted ROM Firmware NS_BL1U */
#define NS_BL1U_IMAGE_ID 16 #define NS_BL1U_IMAGE_ID 16

32
include/plat/arm/board/common/board_arm_oid.h
View File

@ -44,9 +44,9 @@
/* TrustedFirmwareNVCounter - Non-volatile counter extension */ /* TrustedFirmwareNVCounter - Non-volatile counter extension */
#define TZ_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.1" #define TRUSTED_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.1"
/* NonTrustedFirmwareNVCounter - Non-volatile counter extension */ /* NonTrustedFirmwareNVCounter - Non-volatile counter extension */
#define NTZ_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.2" #define NON_TRUSTED_FW_NVCOUNTER_OID "1.3.6.1.4.1.4128.2100.2"
/* /*
@ -54,11 +54,11 @@
*/ */
/* APFirmwareUpdaterConfigHash - BL2U */ /* APFirmwareUpdaterConfigHash - BL2U */
#define BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.101" #define AP_FWU_CFG_HASH_OID "1.3.6.1.4.1.4128.2100.101"
/* SCPFirmwareUpdaterConfigHash - SCP_BL2U */ /* SCPFirmwareUpdaterConfigHash - SCP_BL2U */
#define SCP_BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.102" #define SCP_FWU_CFG_HASH_OID "1.3.6.1.4.1.4128.2100.102"
/* FirmwareUpdaterHash - NS_BL2U */ /* FirmwareUpdaterHash - NS_BL2U */
#define NS_BL2U_HASH_OID "1.3.6.1.4.1.4128.2100.103" #define FWU_HASH_OID "1.3.6.1.4.1.4128.2100.103"
/* TrustedWatchdogRefreshTime */ /* TrustedWatchdogRefreshTime */
#define TRUSTED_WATCHDOG_TIME_OID "1.3.6.1.4.1.4128.2100.104" #define TRUSTED_WATCHDOG_TIME_OID "1.3.6.1.4.1.4128.2100.104"
@ -68,7 +68,7 @@
*/ */
/* TrustedBootFirmwareHash - BL2 */ /* TrustedBootFirmwareHash - BL2 */
#define BL2_HASH_OID "1.3.6.1.4.1.4128.2100.201" #define TRUSTED_BOOT_FW_HASH_OID "1.3.6.1.4.1.4128.2100.201"
/* /*
@ -78,9 +78,9 @@
/* PrimaryDebugCertificatePK */ /* PrimaryDebugCertificatePK */
#define PRIMARY_DEBUG_PK_OID "1.3.6.1.4.1.4128.2100.301" #define PRIMARY_DEBUG_PK_OID "1.3.6.1.4.1.4128.2100.301"
/* TrustedWorldPK */ /* TrustedWorldPK */
#define TZ_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.302" #define TRUSTED_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.302"
/* NonTrustedWorldPK */ /* NonTrustedWorldPK */
#define NTZ_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.303" #define NON_TRUSTED_WORLD_PK_OID "1.3.6.1.4.1.4128.2100.303"
/* /*
@ -100,7 +100,7 @@
*/ */
/* SoCFirmwareContentCertPK */ /* SoCFirmwareContentCertPK */
#define BL31_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501" #define SOC_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.501"
/* /*
@ -112,7 +112,7 @@
/* SoCConfigHash */ /* SoCConfigHash */
#define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602" #define SOC_CONFIG_HASH_OID "1.3.6.1.4.1.4128.2100.602"
/* SoCAPFirmwareHash - BL31 */ /* SoCAPFirmwareHash - BL31 */
#define BL31_HASH_OID "1.3.6.1.4.1.4128.2100.603" #define SOC_AP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.603"
/* /*
@ -120,7 +120,7 @@
*/ */
/* SCPFirmwareContentCertPK */ /* SCPFirmwareContentCertPK */
#define BL30_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.701" #define SCP_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.701"
/* /*
@ -128,7 +128,7 @@
*/ */
/* SCPFirmwareHash - BL30 */ /* SCPFirmwareHash - BL30 */
#define BL30_HASH_OID "1.3.6.1.4.1.4128.2100.801" #define SCP_FW_HASH_OID "1.3.6.1.4.1.4128.2100.801"
/* SCPRomPatchHash - BL0_PATCH */ /* SCPRomPatchHash - BL0_PATCH */
#define SCP_ROM_PATCH_HASH_OID "1.3.6.1.4.1.4128.2100.802" #define SCP_ROM_PATCH_HASH_OID "1.3.6.1.4.1.4128.2100.802"
@ -138,7 +138,7 @@
*/ */
/* TrustedOSFirmwareContentCertPK */ /* TrustedOSFirmwareContentCertPK */
#define BL32_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.901" #define TRUSTED_OS_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.901"
/* /*
@ -146,7 +146,7 @@
*/ */
/* TrustedOSFirmwareHash - BL32 */ /* TrustedOSFirmwareHash - BL32 */
#define BL32_HASH_OID "1.3.6.1.4.1.4128.2100.1001" #define TRUSTED_OS_FW_HASH_OID "1.3.6.1.4.1.4128.2100.1001"
/* /*
@ -154,7 +154,7 @@
*/ */
/* NonTrustedFirmwareContentCertPK */ /* NonTrustedFirmwareContentCertPK */
#define BL33_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.1101" #define NON_TRUSTED_FW_CONTENT_CERT_PK_OID "1.3.6.1.4.1.4128.2100.1101"
/* /*
@ -162,6 +162,6 @@
*/ */
/* NonTrustedWorldBootloaderHash - BL33 */ /* NonTrustedWorldBootloaderHash - BL33 */
#define BL33_HASH_OID "1.3.6.1.4.1.4128.2100.1201" #define NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID "1.3.6.1.4.1.4128.2100.1201"
#endif /* __BOARD_ARM_OID_H__ */ #endif /* __BOARD_ARM_OID_H__ */

68
make_helpers/tbbr/tbbr_tools.mk
View File

@ -76,61 +76,61 @@ $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--
$(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key))) $(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key)))
# Add the BL2 CoT (image cert + image) # Add the BL2 CoT (image cert + image)
$(if ${BL2},$(eval $(call CERT_ADD_CMD_OPT,${BL2},--bl2,true)),\ $(if ${BL2},$(eval $(call CERT_ADD_CMD_OPT,${BL2},--tb-fw,true)),\
$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,2),--bl2,true))) $(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,2),--tb-fw,true)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl2.crt,--bl2-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl2.crt,--bl2-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert))
# Add the BL30 CoT (key cert + img cert + image) # Add the BL30 CoT (key cert + img cert + image)
ifneq (${BL30},) ifneq (${BL30},)
$(eval $(call CERT_ADD_CMD_OPT,${BL30},--bl30,true)) $(eval $(call CERT_ADD_CMD_OPT,${BL30},--scp-fw,true))
$(if ${BL30_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL30_KEY},--bl30-key))) $(if ${BL30_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL30_KEY},--scp-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl30.crt,--bl30-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/scp_fw_content.crt,--scp-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl30_key.crt,--bl30-key-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/scp_fw_key.crt,--scp-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl30.crt,--bl30-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/scp_fw_content.crt,--scp-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl30_key.crt,--bl30-key-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/scp_fw_key.crt,--scp-fw-key-cert))
endif endif
# Add the BL31 CoT (key cert + img cert + image) # Add the BL31 CoT (key cert + img cert + image)
$(if ${BL31},$(eval $(call CERT_ADD_CMD_OPT,${BL31},--bl31,true)),\ $(if ${BL31},$(eval $(call CERT_ADD_CMD_OPT,${BL31},--soc-fw,true)),\
$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,31),--bl31,true))) $(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,31),--soc-fw,true)))
$(if ${BL31_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL31_KEY},--bl31-key))) $(if ${BL31_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL31_KEY},--soc-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl31.crt,--bl31-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/soc_fw_content.crt,--soc-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl31_key.crt,--bl31-key-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/soc_fw_key.crt,--soc-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl31.crt,--bl31-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/soc_fw_content.crt,--soc-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl31_key.crt,--bl31-key-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/soc_fw_key.crt,--soc-fw-key-cert))
# Add the BL32 CoT (key cert + img cert + image) # Add the BL32 CoT (key cert + img cert + image)
ifeq (${NEED_BL32},yes) ifeq (${NEED_BL32},yes)
$(if ${BL32},$(eval $(call CERT_ADD_CMD_OPT,${BL32},--bl32,true)),\ $(if ${BL32},$(eval $(call CERT_ADD_CMD_OPT,${BL32},--tos-fw,true)),\
$(if ${BL32_SOURCES},$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,32),--bl32,true)))) $(if ${BL32_SOURCES},$(eval $(call CERT_ADD_CMD_OPT,$(call IMG_BIN,32),--tos-fw,true))))
$(if ${BL32_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL32_KEY},--bl32-key))) $(if ${BL32_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL32_KEY},--tos-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl32.crt,--bl32-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl32_key.crt,--bl32-key-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl32.crt,--bl32-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_content.crt,--tos-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl32_key.crt,--bl32-key-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/tos_fw_key.crt,--tos-fw-key-cert))
endif endif
# Add the BL33 CoT (key cert + img cert + image) # Add the BL33 CoT (key cert + img cert + image)
ifneq (${BL33},) ifneq (${BL33},)
$(eval $(call CERT_ADD_CMD_OPT,${BL33},--bl33,true)) $(eval $(call CERT_ADD_CMD_OPT,${BL33},--nt-fw,true))
$(if ${BL33_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL33_KEY},--bl33-key))) $(if ${BL33_KEY},$(eval $(call CERT_ADD_CMD_OPT,${BL33_KEY},--nt-fw-key)))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl33.crt,--bl33-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/nt_fw_content.crt,--nt-fw-cert))
$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl33_key.crt,--bl33-key-cert)) $(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl33.crt,--bl33-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_content.crt,--nt-fw-cert))
$(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/bl33_key.crt,--bl33-key-cert)) $(eval $(call FIP_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
endif endif
# Add the BL2U image # Add the BL2U image
$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u,true)),\ $(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--ap-fwu-cfg,true)),\
$(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u,true))) $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--ap-fwu-cfg,true)))
# Add the SCP_BL2U image # Add the SCP_BL2U image
ifneq (${SCP_BL2U},) ifneq (${SCP_BL2U},)
$(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp_bl2u,true)) $(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp-fwu-cfg,true))
endif endif
# Add the NS_BL2U image # Add the NS_BL2U image
ifneq (${NS_BL2U},) ifneq (${NS_BL2U},)
$(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--ns_bl2u,true)) $(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--fwu,true))
endif endif

42
plat/arm/board/fvp/fvp_io_storage.c
View File

@ -44,14 +44,14 @@
#define BL33_IMAGE_NAME "bl33.bin" #define BL33_IMAGE_NAME "bl33.bin"
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
#define BL2_CERT_NAME "bl2.crt" #define TRUSTED_BOOT_FW_CERT_NAME "tb_fw.crt"
#define TRUSTED_KEY_CERT_NAME "trusted_key.crt" #define TRUSTED_KEY_CERT_NAME "trusted_key.crt"
#define BL31_KEY_CERT_NAME "bl31_key.crt" #define SOC_FW_KEY_CERT_NAME "soc_fw_key.crt"
#define BL32_KEY_CERT_NAME "bl32_key.crt" #define TOS_FW_KEY_CERT_NAME "tos_fw_key.crt"
#define BL33_KEY_CERT_NAME "bl33_key.crt" #define NT_FW_KEY_CERT_NAME "nt_fw_key.crt"
#define BL31_CERT_NAME "bl31.crt" #define SOC_FW_CONTENT_CERT_NAME "soc_fw_content.crt"
#define BL32_CERT_NAME "bl32.crt" #define TOS_FW_CONTENT_CERT_NAME "tos_fw_content.crt"
#define BL33_CERT_NAME "bl33.crt" #define NT_FW_CONTENT_CERT_NAME "nt_fw_content.crt"
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */
/* IO devices */ /* IO devices */
@ -76,36 +76,36 @@ static const io_file_spec_t sh_file_spec[] = {
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
[BL2_CERT_ID] = { [TRUSTED_BOOT_FW_CERT_ID] = {
.path = BL2_CERT_NAME, .path = TRUSTED_BOOT_FW_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[TRUSTED_KEY_CERT_ID] = { [TRUSTED_KEY_CERT_ID] = {
.path = TRUSTED_KEY_CERT_NAME, .path = TRUSTED_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[BL31_KEY_CERT_ID] = { [SOC_FW_KEY_CERT_ID] = {
.path = BL31_KEY_CERT_NAME, .path = SOC_FW_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[BL32_KEY_CERT_ID] = { [TRUSTED_OS_FW_KEY_CERT_ID] = {
.path = BL32_KEY_CERT_NAME, .path = TOS_FW_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[BL33_KEY_CERT_ID] = { [NON_TRUSTED_FW_KEY_CERT_ID] = {
.path = BL33_KEY_CERT_NAME, .path = NT_FW_KEY_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[BL31_CERT_ID] = { [SOC_FW_CONTENT_CERT_ID] = {
.path = BL31_CERT_NAME, .path = SOC_FW_CONTENT_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[BL32_CERT_ID] = { [TRUSTED_OS_FW_CONTENT_CERT_ID] = {
.path = BL32_CERT_NAME, .path = TOS_FW_CONTENT_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
[BL33_CERT_ID] = { [NON_TRUSTED_FW_CONTENT_CERT_ID] = {
.path = BL33_CERT_NAME, .path = NT_FW_CONTENT_CERT_NAME,
.mode = FOPEN_MODE_RB .mode = FOPEN_MODE_RB
}, },
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */

72
plat/arm/common/arm_io_storage.c
View File

@ -70,44 +70,44 @@ static const io_uuid_spec_t bl33_uuid_spec = {
}; };
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
static const io_uuid_spec_t bl2_cert_uuid_spec = { static const io_uuid_spec_t tb_fw_cert_uuid_spec = {
.uuid = UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT, .uuid = UUID_TRUSTED_BOOT_FW_CERT,
}; };
static const io_uuid_spec_t trusted_key_cert_uuid_spec = { static const io_uuid_spec_t trusted_key_cert_uuid_spec = {
.uuid = UUID_TRUSTED_KEY_CERT, .uuid = UUID_TRUSTED_KEY_CERT,
}; };
static const io_uuid_spec_t bl30_key_cert_uuid_spec = { static const io_uuid_spec_t scp_fw_key_cert_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30_KEY_CERT, .uuid = UUID_SCP_FW_KEY_CERT,
}; };
static const io_uuid_spec_t bl31_key_cert_uuid_spec = { static const io_uuid_spec_t soc_fw_key_cert_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT, .uuid = UUID_SOC_FW_KEY_CERT,
}; };
static const io_uuid_spec_t bl32_key_cert_uuid_spec = { static const io_uuid_spec_t tos_fw_key_cert_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32_KEY_CERT, .uuid = UUID_TRUSTED_OS_FW_KEY_CERT,
}; };
static const io_uuid_spec_t bl33_key_cert_uuid_spec = { static const io_uuid_spec_t nt_fw_key_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT, .uuid = UUID_NON_TRUSTED_FW_KEY_CERT,
}; };
static const io_uuid_spec_t bl30_cert_uuid_spec = { static const io_uuid_spec_t scp_fw_cert_uuid_spec = {
.uuid = UUID_SCP_FIRMWARE_BL30_CERT, .uuid = UUID_SCP_FW_CONTENT_CERT,
}; };
static const io_uuid_spec_t bl31_cert_uuid_spec = { static const io_uuid_spec_t soc_fw_cert_uuid_spec = {
.uuid = UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT, .uuid = UUID_SOC_FW_CONTENT_CERT,
}; };
static const io_uuid_spec_t bl32_cert_uuid_spec = { static const io_uuid_spec_t tos_fw_cert_uuid_spec = {
.uuid = UUID_SECURE_PAYLOAD_BL32_CERT, .uuid = UUID_TRUSTED_OS_FW_CONTENT_CERT,
}; };
static const io_uuid_spec_t bl33_cert_uuid_spec = { static const io_uuid_spec_t nt_fw_cert_uuid_spec = {
.uuid = UUID_NON_TRUSTED_FIRMWARE_BL33_CERT, .uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT,
}; };
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */
@ -154,9 +154,9 @@ static const struct plat_io_policy policies[] = {
open_fip open_fip
}, },
#if TRUSTED_BOARD_BOOT #if TRUSTED_BOARD_BOOT
[BL2_CERT_ID] = { [TRUSTED_BOOT_FW_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl2_cert_uuid_spec, (uintptr_t)&tb_fw_cert_uuid_spec,
open_fip open_fip
}, },
[TRUSTED_KEY_CERT_ID] = { [TRUSTED_KEY_CERT_ID] = {
@ -164,44 +164,44 @@ static const struct plat_io_policy policies[] = {
(uintptr_t)&trusted_key_cert_uuid_spec, (uintptr_t)&trusted_key_cert_uuid_spec,
open_fip open_fip
}, },
[BL30_KEY_CERT_ID] = { [SCP_FW_KEY_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl30_key_cert_uuid_spec, (uintptr_t)&scp_fw_key_cert_uuid_spec,
open_fip open_fip
}, },
[BL31_KEY_CERT_ID] = { [SOC_FW_KEY_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl31_key_cert_uuid_spec, (uintptr_t)&soc_fw_key_cert_uuid_spec,
open_fip open_fip
}, },
[BL32_KEY_CERT_ID] = { [TRUSTED_OS_FW_KEY_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl32_key_cert_uuid_spec, (uintptr_t)&tos_fw_key_cert_uuid_spec,
open_fip open_fip
}, },
[BL33_KEY_CERT_ID] = { [NON_TRUSTED_FW_KEY_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl33_key_cert_uuid_spec, (uintptr_t)&nt_fw_key_cert_uuid_spec,
open_fip open_fip
}, },
[BL30_CERT_ID] = { [SCP_FW_CONTENT_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl30_cert_uuid_spec, (uintptr_t)&scp_fw_cert_uuid_spec,
open_fip open_fip
}, },
[BL31_CERT_ID] = { [SOC_FW_CONTENT_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl31_cert_uuid_spec, (uintptr_t)&soc_fw_cert_uuid_spec,
open_fip open_fip
}, },
[BL32_CERT_ID] = { [TRUSTED_OS_FW_CONTENT_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl32_cert_uuid_spec, (uintptr_t)&tos_fw_cert_uuid_spec,
open_fip open_fip
}, },
[BL33_CERT_ID] = { [NON_TRUSTED_FW_CONTENT_CERT_ID] = {
&fip_dev_handle, &fip_dev_handle,
(uintptr_t)&bl33_cert_uuid_spec, (uintptr_t)&nt_fw_cert_uuid_spec,
open_fip open_fip
}, },
#endif /* TRUSTED_BOARD_BOOT */ #endif /* TRUSTED_BOARD_BOOT */

18
tools/cert_create/include/tbbr/tbb_cert.h
View File

@ -37,16 +37,16 @@
* Enumerate the certificates that are used to establish the chain of trust * Enumerate the certificates that are used to establish the chain of trust
*/ */
enum { enum {
BL2_CERT, TRUSTED_BOOT_FW_CERT,
TRUSTED_KEY_CERT, TRUSTED_KEY_CERT,
BL30_KEY_CERT, SCP_FW_KEY_CERT,
BL30_CERT, SCP_FW_CONTENT_CERT,
BL31_KEY_CERT, SOC_FW_KEY_CERT,
BL31_CERT, SOC_FW_CONTENT_CERT,
BL32_KEY_CERT, TRUSTED_OS_FW_KEY_CERT,
BL32_CERT, TRUSTED_OS_FW_CONTENT_CERT,
BL33_KEY_CERT, NON_TRUSTED_FW_KEY_CERT,
BL33_CERT, NON_TRUSTED_FW_CONTENT_CERT,
FWU_CERT FWU_CERT
}; };

32
tools/cert_create/include/tbbr/tbb_ext.h
View File

@ -34,22 +34,22 @@
/* TBBR extensions */ /* TBBR extensions */
enum { enum {
TZ_FW_NVCOUNTER_EXT, TRUSTED_FW_NVCOUNTER_EXT,
NTZ_FW_NVCOUNTER_EXT, NON_TRUSTED_FW_NVCOUNTER_EXT,
BL2_HASH_EXT, TRUSTED_BOOT_FW_HASH_EXT,
TZ_WORLD_PK_EXT, TRUSTED_WORLD_PK_EXT,
NTZ_WORLD_PK_EXT, NON_TRUSTED_WORLD_PK_EXT,
BL31_CONTENT_CERT_PK_EXT, SCP_FW_CONTENT_CERT_PK_EXT,
BL31_HASH_EXT, SCP_FW_HASH_EXT,
BL30_CONTENT_CERT_PK_EXT, SOC_FW_CONTENT_CERT_PK_EXT,
BL30_HASH_EXT, SOC_AP_FW_HASH_EXT,
BL32_CONTENT_CERT_PK_EXT, TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
BL32_HASH_EXT, TRUSTED_OS_FW_HASH_EXT,
BL33_CONTENT_CERT_PK_EXT, NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
BL33_HASH_EXT, NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
SCP_BL2U_HASH_EXT, SCP_FWU_CFG_HASH_EXT,
BL2U_HASH_EXT, AP_FWU_CFG_HASH_EXT,
NS_BL2U_HASH_EXT FWU_HASH_EXT
}; };
#endif /* TBB_EXT_H_ */ #endif /* TBB_EXT_H_ */

8
tools/cert_create/include/tbbr/tbb_key.h
View File

@ -40,10 +40,10 @@ enum {
ROT_KEY, ROT_KEY,
TRUSTED_WORLD_KEY, TRUSTED_WORLD_KEY,
NON_TRUSTED_WORLD_KEY, NON_TRUSTED_WORLD_KEY,
BL30_KEY, SCP_FW_CONTENT_CERT_KEY,
BL31_KEY, SOC_FW_CONTENT_CERT_KEY,
BL32_KEY, TRUSTED_OS_FW_CONTENT_CERT_KEY,
BL33_KEY NON_TRUSTED_FW_CONTENT_CERT_KEY
}; };
#endif /* TBB_KEY_H_ */ #endif /* TBB_KEY_H_ */

18
tools/cert_create/src/main.c
View File

@ -91,16 +91,16 @@ enum {
BL32_ID, BL32_ID,
BL33_ID, BL33_ID,
/* Certificate file names (outputs) */ /* Certificate file names (outputs) */
BL2_CERT_ID, TRUSTED_BOOT_FW_CERT_ID,
TRUSTED_KEY_CERT_ID, TRUSTED_KEY_CERT_ID,
BL30_KEY_CERT_ID, SCP_FW_KEY_CERT_ID,
BL30_CERT_ID, SCP_FW_CONTENT_CERT_ID,
BL31_KEY_CERT_ID, SOC_FW_KEY_CERT_ID,
BL31_CERT_ID, SOC_FW_CONTENT_CERT_ID,
BL32_KEY_CERT_ID, TRUSTED_OS_FW_KEY_CERT_ID,
BL32_CERT_ID, TRUSTED_OS_FW_CONTENT_CERT_ID,
BL33_KEY_CERT_ID, NON_TRUSTED_FW_KEY_CERT_ID,
BL33_CERT_ID, NON_TRUSTED_FW_CONTENT_CERT_ID,
/* Key file names (input/output) */ /* Key file names (input/output) */
ROT_KEY_ID, ROT_KEY_ID,
TRUSTED_WORLD_KEY_ID, TRUSTED_WORLD_KEY_ID,

126
tools/cert_create/src/tbbr/tbb_cert.c
View File

@ -40,15 +40,15 @@
* field points to itself. * field points to itself.
*/ */
static cert_t tbb_certs[] = { static cert_t tbb_certs[] = {
[BL2_CERT] = { [TRUSTED_BOOT_FW_CERT] = {
.id = BL2_CERT, .id = TRUSTED_BOOT_FW_CERT,
.opt = "bl2-cert", .opt = "tb-fw-cert",
.fn = NULL, .fn = NULL,
.cn = "BL2 Certificate", .cn = "Trusted Boot FW Certificate",
.key = ROT_KEY, .key = ROT_KEY,
.issuer = BL2_CERT, .issuer = TRUSTED_BOOT_FW_CERT,
.ext = { .ext = {
BL2_HASH_EXT TRUSTED_BOOT_FW_HASH_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
@ -60,104 +60,104 @@ static cert_t tbb_certs[] = {
.key = ROT_KEY, .key = ROT_KEY,
.issuer = TRUSTED_KEY_CERT, .issuer = TRUSTED_KEY_CERT,
.ext = { .ext = {
TZ_WORLD_PK_EXT, TRUSTED_WORLD_PK_EXT,
NTZ_WORLD_PK_EXT NON_TRUSTED_WORLD_PK_EXT
}, },
.num_ext = 2 .num_ext = 2
}, },
[BL30_KEY_CERT] = { [SCP_FW_KEY_CERT] = {
.id = BL30_KEY_CERT, .id = SCP_FW_KEY_CERT,
.opt = "bl30-key-cert", .opt = "scp-fw-key-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-0 Key Certificate", .cn = "SCP Firmware Key Certificate",
.key = TRUSTED_WORLD_KEY, .key = TRUSTED_WORLD_KEY,
.issuer = BL30_KEY_CERT, .issuer = SCP_FW_KEY_CERT,
.ext = { .ext = {
BL30_CONTENT_CERT_PK_EXT SCP_FW_CONTENT_CERT_PK_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL30_CERT] = { [SCP_FW_CONTENT_CERT] = {
.id = BL30_CERT, .id = SCP_FW_CONTENT_CERT,
.opt = "bl30-cert", .opt = "scp-fw-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-0 Content Certificate", .cn = "SCP Firmware Content Certificate",
.key = BL30_KEY, .key = SCP_FW_CONTENT_CERT_KEY,
.issuer = BL30_CERT, .issuer = SCP_FW_CONTENT_CERT,
.ext = { .ext = {
BL30_HASH_EXT SCP_FW_HASH_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL31_KEY_CERT] = { [SOC_FW_KEY_CERT] = {
.id = BL31_KEY_CERT, .id = SOC_FW_KEY_CERT,
.opt = "bl31-key-cert", .opt = "soc-fw-key-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-1 Key Certificate", .cn = "SoC Firmware Key Certificate",
.key = TRUSTED_WORLD_KEY, .key = TRUSTED_WORLD_KEY,
.issuer = BL31_KEY_CERT, .issuer = SOC_FW_KEY_CERT,
.ext = { .ext = {
BL31_CONTENT_CERT_PK_EXT SOC_FW_CONTENT_CERT_PK_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL31_CERT] = { [SOC_FW_CONTENT_CERT] = {
.id = BL31_CERT, .id = SOC_FW_CONTENT_CERT,
.opt = "bl31-cert", .opt = "soc-fw-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-1 Content Certificate", .cn = "SoC Firmware Content Certificate",
.key = BL31_KEY, .key = SOC_FW_CONTENT_CERT_KEY,
.issuer = BL31_CERT, .issuer = SOC_FW_CONTENT_CERT,
.ext = { .ext = {
BL31_HASH_EXT SOC_AP_FW_HASH_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL32_KEY_CERT] = { [TRUSTED_OS_FW_KEY_CERT] = {
.id = BL32_KEY_CERT, .id = TRUSTED_OS_FW_KEY_CERT,
.opt = "bl32-key-cert", .opt = "tos-fw-key-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-2 Key Certificate", .cn = "Trusted OS Firmware Key Certificate",
.key = TRUSTED_WORLD_KEY, .key = TRUSTED_WORLD_KEY,
.issuer = BL32_KEY_CERT, .issuer = TRUSTED_OS_FW_KEY_CERT,
.ext = { .ext = {
BL32_CONTENT_CERT_PK_EXT TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL32_CERT] = { [TRUSTED_OS_FW_CONTENT_CERT] = {
.id = BL32_CERT, .id = TRUSTED_OS_FW_CONTENT_CERT,
.opt = "bl32-cert", .opt = "tos-fw-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-2 Content Certificate", .cn = "Trusted OS Firmware Content Certificate",
.key = BL32_KEY, .key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.issuer = BL32_CERT, .issuer = TRUSTED_OS_FW_CONTENT_CERT,
.ext = { .ext = {
BL32_HASH_EXT TRUSTED_OS_FW_HASH_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL33_KEY_CERT] = { [NON_TRUSTED_FW_KEY_CERT] = {
.id = BL33_KEY_CERT, .id = NON_TRUSTED_FW_KEY_CERT,
.opt = "bl33-key-cert", .opt = "nt-fw-key-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-3 Key Certificate", .cn = "Non-Trusted Firmware Key Certificate",
.key = NON_TRUSTED_WORLD_KEY, .key = NON_TRUSTED_WORLD_KEY,
.issuer = BL33_KEY_CERT, .issuer = NON_TRUSTED_FW_KEY_CERT,
.ext = { .ext = {
BL33_CONTENT_CERT_PK_EXT NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
[BL33_CERT] = { [NON_TRUSTED_FW_CONTENT_CERT] = {
.id = BL33_CERT, .id = NON_TRUSTED_FW_CONTENT_CERT,
.opt = "bl33-cert", .opt = "nt-fw-cert",
.fn = NULL, .fn = NULL,
.cn = "BL3-3 Content Certificate", .cn = "Non-Trusted Firmware Content Certificate",
.key = BL33_KEY, .key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.issuer = BL33_CERT, .issuer = NON_TRUSTED_FW_CONTENT_CERT,
.ext = { .ext = {
BL33_HASH_EXT NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
}, },
.num_ext = 1 .num_ext = 1
}, },
@ -169,9 +169,9 @@ static cert_t tbb_certs[] = {
.key = ROT_KEY, .key = ROT_KEY,
.issuer = FWU_CERT, .issuer = FWU_CERT,
.ext = { .ext = {
SCP_BL2U_HASH_EXT, SCP_FWU_CFG_HASH_EXT,
BL2U_HASH_EXT, AP_FWU_CFG_HASH_EXT,
NS_BL2U_HASH_EXT FWU_HASH_EXT
}, },
.num_ext = 3 .num_ext = 3
} }

104
tools/cert_create/src/tbbr/tbb_ext.c
View File

@ -42,133 +42,133 @@
#define NORMAL_WORLD_NVCTR_VALUE 0 #define NORMAL_WORLD_NVCTR_VALUE 0
static ext_t tbb_ext[] = { static ext_t tbb_ext[] = {
[TZ_FW_NVCOUNTER_EXT] = { [TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = TZ_FW_NVCOUNTER_OID, .oid = TRUSTED_FW_NVCOUNTER_OID,
.sn = "TrustedWorldNVCounter", .sn = "TrustedWorldNVCounter",
.ln = "Trusted World Non-Volatile counter", .ln = "Trusted World Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER, .asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER, .type = EXT_TYPE_NVCOUNTER,
.data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE .data.nvcounter = TRUSTED_WORLD_NVCTR_VALUE
}, },
[NTZ_FW_NVCOUNTER_EXT] = { [NON_TRUSTED_FW_NVCOUNTER_EXT] = {
.oid = NTZ_FW_NVCOUNTER_OID, .oid = NON_TRUSTED_FW_NVCOUNTER_OID,
.sn = "NormalWorldNVCounter", .sn = "NormalWorldNVCounter",
.ln = "Normal World Non-Volatile counter", .ln = "Normal World Non-Volatile counter",
.asn1_type = V_ASN1_INTEGER, .asn1_type = V_ASN1_INTEGER,
.type = EXT_TYPE_NVCOUNTER, .type = EXT_TYPE_NVCOUNTER,
.data.nvcounter = NORMAL_WORLD_NVCTR_VALUE .data.nvcounter = NORMAL_WORLD_NVCTR_VALUE
}, },
[BL2_HASH_EXT] = { [TRUSTED_BOOT_FW_HASH_EXT] = {
.oid = BL2_HASH_OID, .oid = TRUSTED_BOOT_FW_HASH_OID,
.opt = "bl2", .opt = "tb-fw",
.sn = "TrustedBootFirmwareHash", .sn = "TrustedBootFirmwareHash",
.ln = "Trusted Boot Firmware (BL2) hash (SHA256)", .ln = "Trusted Boot Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH .type = EXT_TYPE_HASH
}, },
[TZ_WORLD_PK_EXT] = { [TRUSTED_WORLD_PK_EXT] = {
.oid = TZ_WORLD_PK_OID, .oid = TRUSTED_WORLD_PK_OID,
.sn = "TrustedWorldPublicKey", .sn = "TrustedWorldPublicKey",
.ln = "Trusted World Public Key", .ln = "Trusted World Public Key",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY, .type = EXT_TYPE_PKEY,
.data.key = TRUSTED_WORLD_KEY .data.key = TRUSTED_WORLD_KEY
}, },
[NTZ_WORLD_PK_EXT] = { [NON_TRUSTED_WORLD_PK_EXT] = {
.oid = NTZ_WORLD_PK_OID, .oid = NON_TRUSTED_WORLD_PK_OID,
.sn = "NonTrustedWorldPublicKey", .sn = "NonTrustedWorldPublicKey",
.ln = "Non-Trusted World Public Key", .ln = "Non-Trusted World Public Key",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY, .type = EXT_TYPE_PKEY,
.data.key = NON_TRUSTED_WORLD_KEY .data.key = NON_TRUSTED_WORLD_KEY
}, },
[BL30_CONTENT_CERT_PK_EXT] = { [SCP_FW_CONTENT_CERT_PK_EXT] = {
.oid = BL30_CONTENT_CERT_PK_OID, .oid = SCP_FW_CONTENT_CERT_PK_OID,
.sn = "SCPFirmwareContentCertPK", .sn = "SCPFirmwareContentCertPK",
.ln = "SCP Firmware content certificate public key", .ln = "SCP Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY, .type = EXT_TYPE_PKEY,
.data.key = BL30_KEY .data.key = SCP_FW_CONTENT_CERT_KEY
}, },
[BL30_HASH_EXT] = { [SCP_FW_HASH_EXT] = {
.oid = BL30_HASH_OID, .oid = SCP_FW_HASH_OID,
.opt = "bl30", .opt = "scp-fw",
.sn = "SCPFirmwareHash", .sn = "SCPFirmwareHash",
.ln = "SCP Firmware (BL30) hash (SHA256)", .ln = "SCP Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH .type = EXT_TYPE_HASH
}, },
[BL31_CONTENT_CERT_PK_EXT] = { [SOC_FW_CONTENT_CERT_PK_EXT] = {
.oid = BL31_CONTENT_CERT_PK_OID, .oid = SOC_FW_CONTENT_CERT_PK_OID,
.sn = "SoCFirmwareContentCertPK", .sn = "SoCFirmwareContentCertPK",
.ln = "SoC Firmware content certificate public key", .ln = "SoC Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY, .type = EXT_TYPE_PKEY,
.data.key = BL31_KEY .data.key = SOC_FW_CONTENT_CERT_KEY
}, },
[BL31_HASH_EXT] = { [SOC_AP_FW_HASH_EXT] = {
.oid = BL31_HASH_OID, .oid = SOC_AP_FW_HASH_OID,
.opt = "bl31", .opt = "soc-fw",
.sn = "SoCAPFirmwareHash", .sn = "SoCAPFirmwareHash",
.ln = "SoC AP Firmware (BL31) hash (SHA256)", .ln = "SoC AP Firmware hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH .type = EXT_TYPE_HASH
}, },
[BL32_CONTENT_CERT_PK_EXT] = { [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
.oid = BL32_CONTENT_CERT_PK_OID, .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
.sn = "TrustedOSFirmwareContentCertPK", .sn = "TrustedOSFirmwareContentCertPK",
.ln = "Trusted OS Firmware content certificate public key", .ln = "Trusted OS Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY, .type = EXT_TYPE_PKEY,
.data.key = BL32_KEY .data.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
}, },
[BL32_HASH_EXT] = { [TRUSTED_OS_FW_HASH_EXT] = {
.oid = BL32_HASH_OID, .oid = TRUSTED_OS_FW_HASH_OID,
.opt = "bl32", .opt = "tos-fw",
.sn = "TrustedOSHash", .sn = "TrustedOSHash",
.ln = "Trusted OS (BL32) hash (SHA256)", .ln = "Trusted OS hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH .type = EXT_TYPE_HASH
}, },
[BL33_CONTENT_CERT_PK_EXT] = { [NON_TRUSTED_FW_CONTENT_CERT_PK_EXT] = {
.oid = BL33_CONTENT_CERT_PK_OID, .oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID,
.sn = "NonTrustedFirmwareContentCertPK", .sn = "NonTrustedFirmwareContentCertPK",
.ln = "Non-Trusted Firmware content certificate public key", .ln = "Non-Trusted Firmware content certificate public key",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_PKEY, .type = EXT_TYPE_PKEY,
.data.key = BL33_KEY .data.key = NON_TRUSTED_FW_CONTENT_CERT_KEY
}, },
[BL33_HASH_EXT] = { [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
.oid = BL33_HASH_OID, .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
.opt = "bl33", .opt = "nt-fw",
.sn = "NonTrustedWorldBootloaderHash", .sn = "NonTrustedWorldBootloaderHash",
.ln = "Non-Trusted World (BL33) hash (SHA256)", .ln = "Non-Trusted World hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH .type = EXT_TYPE_HASH
}, },
[SCP_BL2U_HASH_EXT] = { [SCP_FWU_CFG_HASH_EXT] = {
.oid = SCP_BL2U_HASH_OID, .oid = SCP_FWU_CFG_HASH_OID,
.opt = "scp_bl2u", .opt = "scp-fwu-cfg",
.sn = "SCPFWUpdateConfig", .sn = "SCPFWUpdateConfig",
.ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)", .ln = "SCP Firmware Update Config hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH, .type = EXT_TYPE_HASH,
.optional = 1 .optional = 1
}, },
[BL2U_HASH_EXT] = { [AP_FWU_CFG_HASH_EXT] = {
.oid = BL2U_HASH_OID, .oid = AP_FWU_CFG_HASH_OID,
.opt = "bl2u", .opt = "ap-fwu-cfg",
.sn = "APFWUpdateConfig", .sn = "APFWUpdateConfig",
.ln = "AP Firmware Update Config (BL2U) hash (SHA256)", .ln = "AP Firmware Update Config hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH, .type = EXT_TYPE_HASH,
.optional = 1 .optional = 1
}, },
[NS_BL2U_HASH_EXT] = { [FWU_HASH_EXT] = {
.oid = NS_BL2U_HASH_OID, .oid = FWU_HASH_OID,
.opt = "ns_bl2u", .opt = "fwu",
.sn = "FWUpdaterHash", .sn = "FWUpdaterHash",
.ln = "Firmware Updater (NS_BL2U) hash (SHA256)", .ln = "Firmware Updater hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING, .asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH, .type = EXT_TYPE_HASH,
.optional = 1 .optional = 1

32
tools/cert_create/src/tbbr/tbb_key.c
View File

@ -51,25 +51,25 @@ static key_t tbb_keys[] = {
.opt = "non-trusted-world-key", .opt = "non-trusted-world-key",
.desc = "Non Trusted World key" .desc = "Non Trusted World key"
}, },
[BL30_KEY] = { [SCP_FW_CONTENT_CERT_KEY] = {
.id = BL30_KEY, .id = SCP_FW_CONTENT_CERT_KEY,
.opt = "bl30-key", .opt = "scp-fw-key",
.desc = "BL30 key" .desc = "SCP Firmware Content Certificate key"
}, },
[BL31_KEY] = { [SOC_FW_CONTENT_CERT_KEY] = {
.id = BL31_KEY, .id = SOC_FW_CONTENT_CERT_KEY,
.opt = "bl31-key", .opt = "soc-fw-key",
.desc = "BL31 key" .desc = "SoC Firmware Content Certificate key"
}, },
[BL32_KEY] = { [TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
.id = BL32_KEY, .id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.opt = "bl32-key", .opt = "tos-fw-key",
.desc = "BL32 key" .desc = "Trusted OS Firmware Content Certificate key"
}, },
[BL33_KEY] = { [NON_TRUSTED_FW_CONTENT_CERT_KEY] = {
.id = BL33_KEY, .id = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.opt = "bl33-key", .opt = "nt-fw-key",
.desc = "BL33 key" .desc = "Non Trusted Firmware Content Certificate key"
} }
}; };

36
tools/fip_create/fip_create.c
View File

@ -78,25 +78,25 @@ static entry_lookup_list_t toc_entry_lookup_list[] = {
"rot-cert", NULL, FLAG_FILENAME }, "rot-cert", NULL, FLAG_FILENAME },
{ "Trusted key certificate", UUID_TRUSTED_KEY_CERT, { "Trusted key certificate", UUID_TRUSTED_KEY_CERT,
"trusted-key-cert", NULL, FLAG_FILENAME}, "trusted-key-cert", NULL, FLAG_FILENAME},
{ "SCP Firmware BL3-0 key certificate", UUID_SCP_FIRMWARE_BL30_KEY_CERT, { "SCP Firmware key certificate", UUID_SCP_FW_KEY_CERT,
"bl30-key-cert", NULL, FLAG_FILENAME}, "scp-fw-key-cert", NULL, FLAG_FILENAME},
{ "EL3 Runtime Firmware BL3-1 key certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT, { "SoC Firmware key certificate", UUID_SOC_FW_KEY_CERT,
"bl31-key-cert", NULL, FLAG_FILENAME}, "soc-fw-key-cert", NULL, FLAG_FILENAME},
{ "Secure Payload BL3-2 (Trusted OS) key certificate", UUID_SECURE_PAYLOAD_BL32_KEY_CERT, { "Trusted OS Firmware key certificate", UUID_TRUSTED_OS_FW_KEY_CERT,
"bl32-key-cert", NULL, FLAG_FILENAME}, "tos-fw-key-cert", NULL, FLAG_FILENAME},
{ "Non-Trusted Firmware BL3-3 key certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT, { "Non-Trusted Firmware key certificate", UUID_NON_TRUSTED_FW_KEY_CERT,
"bl33-key-cert", NULL, FLAG_FILENAME}, "nt-fw-key-cert", NULL, FLAG_FILENAME},
/* Content certificates */ /* Content certificates */
{ "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT, { "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FW_CERT,
"bl2-cert", NULL, FLAG_FILENAME }, "tb-fw-cert", NULL, FLAG_FILENAME },
{ "SCP Firmware BL3-0 certificate", UUID_SCP_FIRMWARE_BL30_CERT, { "SCP Firmware content certificate", UUID_SCP_FW_CONTENT_CERT,
"bl30-cert", NULL, FLAG_FILENAME}, "scp-fw-cert", NULL, FLAG_FILENAME},
{ "EL3 Runtime Firmware BL3-1 certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT, { "SoC Firmware content certificate", UUID_SOC_FW_CONTENT_CERT,
"bl31-cert", NULL, FLAG_FILENAME}, "soc-fw-cert", NULL, FLAG_FILENAME},
{ "Secure Payload BL3-2 (Trusted OS) certificate", UUID_SECURE_PAYLOAD_BL32_CERT, { "Trusted OS Firmware content certificate", UUID_TRUSTED_OS_FW_CONTENT_CERT,
"bl32-cert", NULL, FLAG_FILENAME}, "tos-fw-cert", NULL, FLAG_FILENAME},
{ "Non-Trusted Firmware BL3-3 certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_CERT, { "Non-Trusted Firmware content certificate", UUID_NON_TRUSTED_FW_CONTENT_CERT,
"bl33-cert", NULL, FLAG_FILENAME}, "nt-fw-cert", NULL, FLAG_FILENAME},
{ NULL, {0}, 0 } { NULL, {0}, 0 }
}; };