cert_create: updated tool for platform defined certs, keys & extensions

Changes to 'tools/cert_create' folder, to include platform defined certificates, keys, and extensions. NXP SoC lx2160a : based platforms requires additional FIP DDR to be loaded before initializing the DDR. To enable chain of trust on these platforms, FIP DDR image needs to be authenticated, additionally. Platform specific folder 'tools/nxp/cert_create_helper' is added to support platform specific macros and definitions. Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com> Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
2020-12-09 14:02:38 +05:30 · 2020-12-09 14:02:38 +05:30 · b94bf967e6
parent 6c74c9977d
commit b94bf967e6
15 changed files with 417 additions and 20 deletions
--- a/include/tools_share/tbbr_oid.h
+++ b/include/tools_share/tbbr_oid.h
@ -160,4 +160,7 @@
 #define SP_PKG7_HASH_OID			"1.3.6.1.4.1.4128.2100.1307"
 #define SP_PKG8_HASH_OID			"1.3.6.1.4.1.4128.2100.1308"

+#ifdef PLAT_DEF_OID
+#include <platform_oid.h>
+#endif
 #endif /* TBBR_OID_H */
--- a/tools/cert_create/Makefile
+++ b/tools/cert_create/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@ -16,6 +16,12 @@ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
 include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
 include ${MAKE_HELPERS_DIRECTORY}build_env.mk

+ifneq (${PLAT},none)
+TF_PLATFORM_ROOT	:=	../../plat/
+include ${MAKE_HELPERS_DIRECTORY}plat_helpers.mk
+PLAT_CERT_CREATE_HELPER_MK := ${PLAT_DIR}/cert_create_tbbr.mk
+endif
+
 # Common source files.
 OBJECTS := src/cert.o \
           src/cmd_opt.o \
@ -33,6 +39,10 @@ else
  $(error Unknown chain of trust ${COT})
 endif

+ifneq (,$(wildcard ${PLAT_CERT_CREATE_HELPER_MK}))
+include ${PLAT_CERT_CREATE_HELPER_MK}
+endif
+
 HOSTCCFLAGS := -Wall -std=c99

 ifeq (${DEBUG},1)
@ -51,7 +61,7 @@ HOSTCCFLAGS += ${DEFINES}

 # Make soft links and include from local directory otherwise wrong headers
 # could get pulled in from firmware tree.
-INC_DIR := -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include
+INC_DIR += -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include
 LIB_DIR := -L ${OPENSSL_DIR}/lib
 LIB := -lssl -lcrypto

--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -57,11 +57,20 @@ int cert_new(

 /* Macro to register the certificates used in the CoT */
 #define REGISTER_COT(_certs) \
-	cert_t *certs = &_certs[0]; \
-	const unsigned int num_certs = sizeof(_certs)/sizeof(_certs[0])
+	cert_t *def_certs = &_certs[0]; \
+	const unsigned int num_def_certs = sizeof(_certs)/sizeof(_certs[0])
+
+/* Macro to register the platform defined certificates used in the CoT */
+#define PLAT_REGISTER_COT(_pdef_certs) \
+	cert_t *pdef_certs = &_pdef_certs[0]; \
+	const unsigned int num_pdef_certs = sizeof(_pdef_certs)/sizeof(_pdef_certs[0])

 /* Exported variables */
-extern cert_t *certs;
-extern const unsigned int num_certs;
+extern cert_t *def_certs;
+extern const unsigned int num_def_certs;
+extern cert_t *pdef_certs;
+extern const unsigned int num_pdef_certs;

+extern cert_t *certs;
+extern unsigned int num_certs;
 #endif /* CERT_H */
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -75,11 +75,20 @@ X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);

 /* Macro to register the extensions used in the CoT */
 #define REGISTER_EXTENSIONS(_ext) \
-	ext_t *extensions = &_ext[0]; \
-	const unsigned int num_extensions = sizeof(_ext)/sizeof(_ext[0])
+	ext_t *def_extensions = &_ext[0]; \
+	const unsigned int num_def_extensions = sizeof(_ext)/sizeof(_ext[0])
+
+/* Macro to register the platform defined extensions used in the CoT */
+#define PLAT_REGISTER_EXTENSIONS(_pdef_ext) \
+	ext_t *pdef_extensions = &_pdef_ext[0]; \
+	const unsigned int num_pdef_extensions = sizeof(_pdef_ext)/sizeof(_pdef_ext[0])

 /* Exported variables */
-extern ext_t *extensions;
-extern const unsigned int num_extensions;
+extern ext_t *def_extensions;
+extern const unsigned int num_def_extensions;
+extern ext_t *pdef_extensions;
+extern const unsigned int num_pdef_extensions;

+extern ext_t *extensions;
+extern unsigned int num_extensions;
 #endif /* EXT_H */
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -73,11 +73,20 @@ int key_store(key_t *key);

 /* Macro to register the keys used in the CoT */
 #define REGISTER_KEYS(_keys) \
-	key_t *keys = &_keys[0]; \
-	const unsigned int num_keys = sizeof(_keys)/sizeof(_keys[0])
+	key_t *def_keys = &_keys[0]; \
+	const unsigned int num_def_keys = sizeof(_keys)/sizeof(_keys[0])
+
+/* Macro to register the platform defined keys used in the CoT */
+#define PLAT_REGISTER_KEYS(_pdef_keys) \
+	key_t *pdef_keys = &_pdef_keys[0]; \
+	const unsigned int num_pdef_keys = sizeof(_pdef_keys)/sizeof(_pdef_keys[0])

 /* Exported variables */
-extern key_t *keys;
-extern const unsigned int num_keys;
+extern key_t *def_keys;
+extern const unsigned int num_def_keys;
+extern key_t *pdef_keys;
+extern const unsigned int num_pdef_keys;

+extern key_t *keys;
+extern unsigned int num_keys;
 #endif /* KEY_H */
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -24,6 +24,9 @@
 #define SERIAL_RAND_BITS	64
 #define RSA_SALT_LEN		32

+cert_t *certs;
+unsigned int num_certs;
+
 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
 {
 	BIGNUM *btmp;
@ -220,6 +223,28 @@ int cert_init(void)
 	cert_t *cert;
 	unsigned int i;

+	certs = malloc((num_def_certs * sizeof(def_certs[0]))
+#ifdef PDEF_CERTS
+		       + (num_pdef_certs * sizeof(pdef_certs[0]))
+#endif
+		       );
+	if (certs == NULL) {
+		ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
+		return 1;
+	}
+
+	memcpy(&certs[0], &def_certs[0],
+	       (num_def_certs * sizeof(def_certs[0])));
+
+#ifdef PDEF_CERTS
+	memcpy(&certs[num_def_certs], &pdef_certs[0],
+	       (num_pdef_certs * sizeof(pdef_certs[0])));
+
+	num_certs = num_def_certs + num_pdef_certs;
+#else
+	num_certs = num_def_certs;
+#endif
+
 	for (i = 0; i < num_certs; i++) {
 		cert = &certs[i];
 		cmd_opt.long_opt.name = cert->opt;
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -13,8 +13,12 @@
 #include <openssl/x509v3.h>

 #include "cmd_opt.h"
+#include "debug.h"
 #include "ext.h"

+ext_t *extensions;
+unsigned int num_extensions;
+
 DECLARE_ASN1_ITEM(ASN1_INTEGER)
 DECLARE_ASN1_ITEM(X509_ALGOR)
 DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
@ -51,6 +55,26 @@ int ext_init(void)
 	int nid, ret;
 	unsigned int i;

+	extensions = malloc((num_def_extensions * sizeof(def_extensions[0]))
+#ifdef PDEF_EXTS
+			    + (num_pdef_extensions * sizeof(pdef_extensions[0]))
+#endif
+			    );
+	if (extensions == NULL) {
+		ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
+		return 1;
+	}
+
+	memcpy(&extensions[0], &def_extensions[0],
+	       (num_def_extensions * sizeof(def_extensions[0])));
+#ifdef PDEF_EXTS
+	memcpy(&extensions[num_def_extensions], &pdef_extensions[0],
+		(num_pdef_extensions * sizeof(pdef_extensions[0])));
+	num_extensions = num_def_extensions + num_pdef_extensions;
+#else
+	num_extensions = num_def_extensions;
+#endif
+
 	for (i = 0; i < num_extensions; i++) {
 		ext = &extensions[i];
 		/* Register command line option */
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -21,6 +21,9 @@

 #define MAX_FILENAME_LEN		1024

+key_t *keys;
+unsigned int num_keys;
+
 /*
 * Create a new key container
 */
@ -182,6 +185,28 @@ int key_init(void)
 	key_t *key;
 	unsigned int i;

+	keys = malloc((num_def_keys * sizeof(def_keys[0]))
+#ifdef PDEF_KEYS
+		      + (num_pdef_keys * sizeof(pdef_keys[0]))
+#endif
+		      );
+
+	if (keys == NULL) {
+		ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
+		return 1;
+	}
+
+	memcpy(&keys[0], &def_keys[0], (num_def_keys * sizeof(def_keys[0])));
+#ifdef PDEF_KEYS
+	memcpy(&keys[num_def_keys], &pdef_keys[0],
+		(num_pdef_keys * sizeof(pdef_keys[0])));
+
+	num_keys = num_def_keys + num_pdef_keys;
+#else
+	num_keys = num_def_keys;
+#endif
+		   ;
+
 	for (i = 0; i < num_keys; i++) {
 		key = &keys[i];
 		if (key->opt != NULL) {
--- a/tools/nxp/cert_create_helper/cert_create_tbbr.mk
+++ b/tools/nxp/cert_create_helper/cert_create_tbbr.mk
@ -0,0 +1,31 @@
+#
+# Copyright 2021 NXP
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+# Compile time defines used by NXP platforms
+
+PLAT_DEF_OID := yes
+
+ifeq (${PLAT_DEF_OID},yes)
+
+$(eval $(call add_define, PLAT_DEF_OID))
+$(eval $(call add_define, PDEF_KEYS))
+$(eval $(call add_define, PDEF_CERTS))
+$(eval $(call add_define, PDEF_EXTS))
+
+
+INC_DIR += -I../../plat/nxp/common/fip_handler/common/
+
+PDEF_CERT_TOOL_PATH		:=	../nxp/cert_create_helper
+PLAT_INCLUDE			+=	-I${PDEF_CERT_TOOL_PATH}/include
+
+PLAT_OBJECTS			+=	${PDEF_CERT_TOOL_PATH}/src/pdef_tbb_cert.o \
+					${PDEF_CERT_TOOL_PATH}/src/pdef_tbb_ext.o \
+					${PDEF_CERT_TOOL_PATH}/src/pdef_tbb_key.o
+
+$(shell rm ${PLAT_OBJECTS})
+
+OBJECTS				+= ${PLAT_OBJECTS}
+endif
--- a/tools/nxp/cert_create_helper/include/pdef_tbb_cert.h
+++ b/tools/nxp/cert_create_helper/include/pdef_tbb_cert.h
@ -0,0 +1,21 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PDEF_TBB_CERT_H
+#define PDEF_TBB_CERT_H
+
+#include <tbbr/tbb_cert.h>
+
+/*
+ * Enumerate the certificates that are used to establish the chain of trust
+ */
+enum {
+	DDR_FW_KEY_CERT = FWU_CERT + 1,
+	DDR_UDIMM_FW_CONTENT_CERT,
+	DDR_RDIMM_FW_CONTENT_CERT
+};
+
+#endif /* PDEF_TBB_CERT_H */
--- a/tools/nxp/cert_create_helper/include/pdef_tbb_ext.h
+++ b/tools/nxp/cert_create_helper/include/pdef_tbb_ext.h
@ -0,0 +1,25 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PDEF_TBB_EXT_H
+#define PDEF_TBB_EXT_H
+
+#include <tbbr/tbb_ext.h>
+
+/* Plat Defined TBBR extensions */
+enum {
+	DDR_FW_CONTENT_CERT_PK_EXT = FWU_HASH_EXT + 1,
+	DDR_IMEM_UDIMM_1D_HASH_EXT,
+	DDR_IMEM_UDIMM_2D_HASH_EXT,
+	DDR_DMEM_UDIMM_1D_HASH_EXT,
+	DDR_DMEM_UDIMM_2D_HASH_EXT,
+	DDR_IMEM_RDIMM_1D_HASH_EXT,
+	DDR_IMEM_RDIMM_2D_HASH_EXT,
+	DDR_DMEM_RDIMM_1D_HASH_EXT,
+	DDR_DMEM_RDIMM_2D_HASH_EXT
+};
+
+#endif /* PDEF_TBB_EXT_H */
--- a/tools/nxp/cert_create_helper/include/pdef_tbb_key.h
+++ b/tools/nxp/cert_create_helper/include/pdef_tbb_key.h
@ -0,0 +1,18 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PDEF_TBB_KEY_H
+#define PDEF_TBB_KEY_H
+
+#include <tbbr/tbb_key.h>
+
+/*
+ * Enumerate the pltform defined keys that are used to establish the chain of trust
+ */
+enum {
+	DDR_FW_CONTENT_KEY = NON_TRUSTED_FW_CONTENT_CERT_KEY + 1,
+};
+#endif /* PDEF_TBB_KEY_H */
--- a/tools/nxp/cert_create_helper/src/pdef_tbb_cert.c
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_cert.c
@ -0,0 +1,62 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <pdef_tbb_cert.h>
+#include <pdef_tbb_ext.h>
+#include <pdef_tbb_key.h>
+
+static cert_t pdef_tbb_certs[] = {
+	[DDR_FW_KEY_CERT - DDR_FW_KEY_CERT] = {
+		.id = DDR_FW_KEY_CERT,
+		.opt = "ddr-fw-key-cert",
+		.help_msg = "DDR Firmware Key Certificate (output file)",
+		.fn = NULL,
+		.cn = "DDR Firmware Key Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = DDR_FW_KEY_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			DDR_FW_CONTENT_CERT_PK_EXT,
+		},
+		.num_ext = 2
+	},
+	[DDR_UDIMM_FW_CONTENT_CERT - DDR_FW_KEY_CERT] = {
+		.id = DDR_UDIMM_FW_CONTENT_CERT,
+		.opt = "ddr-udimm-fw-cert",
+		.help_msg = "DDR UDIMM Firmware Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "DDR UDIMM Firmware Content Certificate",
+		.key = DDR_FW_CONTENT_KEY,
+		.issuer = DDR_UDIMM_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			DDR_IMEM_UDIMM_1D_HASH_EXT,
+			DDR_IMEM_UDIMM_2D_HASH_EXT,
+			DDR_DMEM_UDIMM_1D_HASH_EXT,
+			DDR_DMEM_UDIMM_2D_HASH_EXT,
+		},
+		.num_ext = 5
+	},
+	[DDR_RDIMM_FW_CONTENT_CERT - DDR_FW_KEY_CERT] = {
+		.id = DDR_RDIMM_FW_CONTENT_CERT,
+		.opt = "ddr-rdimm-fw-cert",
+		.help_msg = "DDR RDIMM Firmware Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "DDR RDIMM Firmware Content Certificate",
+		.key = DDR_FW_CONTENT_KEY,
+		.issuer = DDR_RDIMM_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			DDR_IMEM_RDIMM_1D_HASH_EXT,
+			DDR_IMEM_RDIMM_2D_HASH_EXT,
+			DDR_DMEM_RDIMM_1D_HASH_EXT,
+			DDR_DMEM_RDIMM_2D_HASH_EXT,
+		},
+		.num_ext = 5
+	}
+};
+
+PLAT_REGISTER_COT(pdef_tbb_certs);
--- a/tools/nxp/cert_create_helper/src/pdef_tbb_ext.c
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_ext.c
@ -0,0 +1,108 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+#if USE_TBBR_DEFS
+#include <tbbr_oid.h>
+#else
+#include <platform_oid.h>
+#endif
+
+#include "ext.h"
+#include "tbbr/tbb_ext.h"
+#include "tbbr/tbb_key.h"
+
+#include <pdef_tbb_ext.h>
+#include <pdef_tbb_key.h>
+
+static ext_t pdef_tbb_ext[] = {
+	[DDR_FW_CONTENT_CERT_PK_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_FW_CONTENT_CERT_PK_OID,
+		.sn = "DDR FirmwareContentCertPK",
+		.ln = "DDR Firmware content certificate public key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = DDR_FW_CONTENT_KEY
+	},
+	[DDR_IMEM_UDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_UDIMM_1D_HASH_OID,
+		.opt = "ddr-immem-udimm-1d",
+		.help_msg = "DDR Firmware IMEM UDIMM 1D image file",
+		.sn = "DDR UDIMM IMEM 1D FirmwareHash",
+		.ln = "DDR UDIMM IMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_IMEM_UDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_UDIMM_2D_HASH_OID,
+		.opt = "ddr-immem-udimm-2d",
+		.help_msg = "DDR Firmware IMEM UDIMM 2D image file",
+		.sn = "DDR UDIMM IMEM 2D FirmwareHash",
+		.ln = "DDR UDIMM IMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_UDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_UDIMM_1D_HASH_OID,
+		.opt = "ddr-dmmem-udimm-1d",
+		.help_msg = "DDR Firmware DMEM UDIMM 1D image file",
+		.sn = "DDR UDIMM DMEM 1D FirmwareHash",
+		.ln = "DDR UDIMM DMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_UDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_UDIMM_2D_HASH_OID,
+		.opt = "ddr-dmmem-udimm-2d",
+		.help_msg = "DDR Firmware DMEM UDIMM 2D image file",
+		.sn = "DDR UDIMM DMEM 2D FirmwareHash",
+		.ln = "DDR UDIMM DMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_IMEM_RDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_RDIMM_1D_HASH_OID,
+		.opt = "ddr-immem-rdimm-1d",
+		.help_msg = "DDR Firmware IMEM RDIMM 1D image file",
+		.sn = "DDR RDIMM IMEM 1D FirmwareHash",
+		.ln = "DDR RDIMM IMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_IMEM_RDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_IMEM_RDIMM_2D_HASH_OID,
+		.opt = "ddr-immem-rdimm-2d",
+		.help_msg = "DDR Firmware IMEM RDIMM 2D image file",
+		.sn = "DDR RDIMM IMEM 2D FirmwareHash",
+		.ln = "DDR RDIMM IMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_RDIMM_1D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_RDIMM_1D_HASH_OID,
+		.opt = "ddr-dmmem-rdimm-1d",
+		.help_msg = "DDR Firmware DMEM RDIMM 1D image file",
+		.sn = "DDR RDIMM DMEM 1D FirmwareHash",
+		.ln = "DDR RDIMM DMEM 1D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+	[DDR_DMEM_RDIMM_2D_HASH_EXT - DDR_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = DDR_DMEM_RDIMM_2D_HASH_OID,
+		.opt = "ddr-dmmem-rdimm-2d",
+		.help_msg = "DDR Firmware DMEM RDIMM 2D image file",
+		.sn = "DDR RDIMM DMEM 2D FirmwareHash",
+		.ln = "DDR RDIMM DMEM 2D Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	}
+};
+
+PLAT_REGISTER_EXTENSIONS(pdef_tbb_ext);
--- a/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
@ -0,0 +1,18 @@
+/*
+ * Copyright 2021 NXP
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <pdef_tbb_key.h>
+
+static key_t pdef_tbb_keys[] = {
+	[DDR_FW_CONTENT_KEY - DDR_FW_CONTENT_KEY] = {
+		.id = DDR_FW_CONTENT_KEY,
+		.opt = "ddr-fw-key",
+		.help_msg = "DDR Firmware Content Certificate key (input/output file)",
+		.desc = "DDR Firmware Content Certificate key"
+	}
+};
+
+PLAT_REGISTER_KEYS(pdef_tbb_keys);