FWU: Add FWU support to `cert_create` tool

Firmware Update requires an X509v3 certificate which contains
hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.

This patch extends the Chain of Trust definition in the
'cert_create' tool to include the Firmware Update certificate
and the required extensions (including command line options).
A new field in the extension structure will be used to indicate
that the extension is optional. In the case of an image hash
extension, this field will tell the tool that the hash should
be included in the certificate, but filled with zeros.

Change-Id: I1f77a66b018826b71745910771f38d9cf6050388

tools/cert_create/include/ext.h

@@ -72,6 +72,8 @@ typedef struct ext_s {
 	X509V3_EXT_METHOD method; /* This field may be used to define a custom
 				   * function to print the contents of the
 				   * extension */
+
+	int optional;	/* This field may be used optionally to exclude an image */
 } ext_t;
 
 enum {

tools/cert_create/include/tbbr/tbb_cert.h

@@ -46,7 +46,8 @@ enum {
 	BL32_KEY_CERT,
 	BL32_CERT,
 	BL33_KEY_CERT,
-	BL33_CERT
+	BL33_CERT,
+	FWU_CERT
 };
 
 #endif /* TBB_CERT_H_ */

tools/cert_create/include/tbbr/tbb_ext.h

@@ -46,7 +46,10 @@ enum {
 	BL32_CONTENT_CERT_PK_EXT,
 	BL32_HASH_EXT,
 	BL33_CONTENT_CERT_PK_EXT,
-	BL33_HASH_EXT
+	BL33_HASH_EXT,
+	SCP_BL2U_HASH_EXT,
+	BL2U_HASH_EXT,
+	NS_BL2U_HASH_EXT
 };
 
 #endif /* TBB_EXT_H_ */

tools/cert_create/src/main.c

@@ -217,8 +217,11 @@ static void check_cmd_params(void)
 				}
 				break;
 			case EXT_TYPE_HASH:
-				/* Binary image must be specified */
-				if (ext->data.fn == NULL) {
+				/*
+				 * Binary image must be specified
+				 * unless it is explicitly made optional.
+				 */
+				if ((!ext->optional) && (ext->data.fn == NULL)) {
 					ERROR("Image for '%s' not specified\n",
 					      ext->ln);
 					exit(1);
@@ -410,12 +413,20 @@ int main(int argc, char *argv[])
 				break;
 			case EXT_TYPE_HASH:
 				if (ext->data.fn == NULL) {
-					break;
-				}
-				if (!sha_file(ext->data.fn, md)) {
-					ERROR("Cannot calculate hash of %s\n",
-						ext->data.fn);
-					exit(1);
+					if (ext->optional) {
+						/* Include a hash filled with zeros */
+						memset(md, 0x0, SHA256_DIGEST_LENGTH);
+					} else {
+						/* Do not include this hash in the certificate */
+						break;
+					}
+				} else {
+					/* Calculate the hash of the file */
+					if (!sha_file(ext->data.fn, md)) {
+						ERROR("Cannot calculate hash of %s\n",
+							ext->data.fn);
+						exit(1);
+					}
 				}
 				CHECK_NULL(cert_ext, ext_new_hash(ext_nid,
 						EXT_CRIT, md_info, md,

tools/cert_create/src/tbbr/tbb_cert.c

@@ -160,6 +160,20 @@ static cert_t tbb_certs[] = {
 			BL33_HASH_EXT
 		},
 		.num_ext = 1
+	},
+	[FWU_CERT] = {
+		.id = FWU_CERT,
+		.opt = "fwu-cert",
+		.fn = NULL,
+		.cn = "FWU Certificate",
+		.key = ROT_KEY,
+		.issuer = FWU_CERT,
+		.ext = {
+			SCP_BL2U_HASH_EXT,
+			BL2U_HASH_EXT,
+			NS_BL2U_HASH_EXT
+		},
+		.num_ext = 3
 	}
 };
 

tools/cert_create/src/tbbr/tbb_ext.c

@@ -145,6 +145,33 @@ static ext_t tbb_ext[] = {
 		.ln = "Non-Trusted World (BL33) hash (SHA256)",
 		.asn1_type = V_ASN1_OCTET_STRING,
 		.type = EXT_TYPE_HASH
+	},
+	[SCP_BL2U_HASH_EXT] = {
+		.oid = SCP_BL2U_HASH_OID,
+		.opt = "scp_bl2u",
+		.sn = "SCPFWUpdateConfig",
+		.ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[BL2U_HASH_EXT] = {
+		.oid = BL2U_HASH_OID,
+		.opt = "bl2u",
+		.sn = "APFWUpdateConfig",
+		.ln = "AP Firmware Update Config (BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[NS_BL2U_HASH_EXT] = {
+		.oid = NS_BL2U_HASH_OID,
+		.opt = "ns_bl2u",
+		.sn = "FWUpdaterHash",
+		.ln = "Firmware Updater (NS_BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
 	}
 };