diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
index 3c65473b0..0ede36518 100644
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@@ -72,6 +72,8 @@ typedef struct ext_s {
 	X509V3_EXT_METHOD method;	/* This field may be used to define a custom
 					 * function to print the contents of the
 					 * extension */
+
+	int optional;			/* This field may be used optionally to exclude an image */
 } ext_t;
 
 enum {
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
index 21626c726..2bc3be63c 100644
--- a/tools/cert_create/include/tbbr/tbb_cert.h
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -46,7 +46,8 @@ enum {
 	BL32_KEY_CERT,
 	BL32_CERT,
 	BL33_KEY_CERT,
-	BL33_CERT
+	BL33_CERT,
+	FWU_CERT
 };
 
 #endif /* TBB_CERT_H_ */
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
index 03b12d7ae..ecbe8669d 100644
--- a/tools/cert_create/include/tbbr/tbb_ext.h
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -46,7 +46,10 @@ enum {
 	BL32_CONTENT_CERT_PK_EXT,
 	BL32_HASH_EXT,
 	BL33_CONTENT_CERT_PK_EXT,
-	BL33_HASH_EXT
+	BL33_HASH_EXT,
+	SCP_BL2U_HASH_EXT,
+	BL2U_HASH_EXT,
+	NS_BL2U_HASH_EXT
 };
 
 #endif /* TBB_EXT_H_ */
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index b7ad33fe3..de15ef6fe 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -217,8 +217,11 @@ static void check_cmd_params(void)
 			}
 			break;
 		case EXT_TYPE_HASH:
-			/* Binary image must be specified */
-			if (ext->data.fn == NULL) {
+			/*
+			 * Binary image must be specified
+			 * unless it is explicitly made optional.
+			 */
+			if ((!ext->optional) && (ext->data.fn == NULL)) {
 				ERROR("Image for '%s' not specified\n", ext->ln);
 				exit(1);
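Review bot: The comment on the new `optional` field in ext.h says it is used "to exclude an image", but the main.c hunk of this same commit does the opposite: when `optional` is set and `ext->data.fn` is NULL, the hash extension is still emitted, filled with zeros by `memset(md, 0x0, SHA256_DIGEST_LENGTH)`, instead of being dropped. The field comment is the only place a reader of the header learns the contract, so it should state that behaviour, e.g. `/* Non-zero: the image may be omitted on the command line; its hash extension is then still emitted, with an all-zero digest, rather than being left out of the certificate */`. Since the extension tables are designated-initialised, entries that do not name the field get 0 and stay mandatory; worth saying that in the same comment so nobody assumes the default must be set explicitly.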
@@ -410,12 +413,20 @@ int main(int argc, char *argv[])
 			break;
 		case EXT_TYPE_HASH:
 			if (ext->data.fn == NULL) {
-				break;
-			}
-			if (!sha_file(ext->data.fn, md)) {
-				ERROR("Cannot calculate hash of %s\n",
-						ext->data.fn);
-				exit(1);
+				if (ext->optional) {
+					/* Include a hash filled with zeros */
+					memset(md, 0x0, SHA256_DIGEST_LENGTH);
+				} else {
+					/* Do not include this hash in the certificate */
+					break;
+				}
+			} else {
+				/* Calculate the hash of the file */
+				if (!sha_file(ext->data.fn, md)) {
+					ERROR("Cannot calculate hash of %s\n",
+							ext->data.fn);
+					exit(1);
+				}
 			}
 			CHECK_NULL(cert_ext, ext_new_hash(ext_nid, EXT_CRIT, md_info, md,
diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c
index 770bd6a0a..59a1cd9c7 100644
--- a/tools/cert_create/src/tbbr/tbb_cert.c
+++ b/tools/cert_create/src/tbbr/tbb_cert.c
@@ -160,6 +160,20 @@ static cert_t tbb_certs[] = {
 			BL33_HASH_EXT
 		},
 		.num_ext = 1
+	},
+	[FWU_CERT] = {
+		.id = FWU_CERT,
+		.opt = "fwu-cert",
+		.fn = NULL,
+		.cn = "FWU Certificate",
+		.key = ROT_KEY,
+		.issuer = FWU_CERT,
+		.ext = {
+			SCP_BL2U_HASH_EXT,
+			BL2U_HASH_EXT,
+			NS_BL2U_HASH_EXT
+		},
+		.num_ext = 3
 	}
 };
diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c
index c39c9e6a4..b0af6f1a5 100644
--- a/tools/cert_create/src/tbbr/tbb_ext.c
+++ b/tools/cert_create/src/tbbr/tbb_ext.c
@@ -145,6 +145,33 @@ static ext_t tbb_ext[] = {
 		.ln = "Non-Trusted World (BL33) hash (SHA256)",
 		.asn1_type = V_ASN1_OCTET_STRING,
 		.type = EXT_TYPE_HASH
+	},
+	[SCP_BL2U_HASH_EXT] = {
+		.oid = SCP_BL2U_HASH_OID,
+		.opt = "scp_bl2u",
+		.sn = "SCPFWUpdateConfig",
+		.ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[BL2U_HASH_EXT] = {
+		.oid = BL2U_HASH_OID,
+		.opt = "bl2u",
+		.sn = "APFWUpdateConfig",
+		.ln = "AP Firmware Update Config (BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[NS_BL2U_HASH_EXT] = {
+		.oid = NS_BL2U_HASH_OID,
+		.opt = "ns_bl2u",
+		.sn = "FWUpdaterHash",
+		.ln = "Firmware Updater (NS_BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
 	}
 };
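Review bot: The three new entries set `.optional = 1`, so with the main.c change an FWU certificate built without the `scp_bl2u`, `bl2u` or `ns_bl2u` image carries a SHA-256 extension whose digest is all zeros rather than omitting the extension, and nothing in this table records that the zero digest is a sentinel for "no image provided" rather than a real hash. A verifier that compares digests byte-for-byte will never match an image against it, which is the safe outcome, but one that treats "hash extension present" as "image authorised" would be misled, so the convention belongs at the definition. Suggest a comment above `[SCP_BL2U_HASH_EXT]` along the lines of `/* FWU images are optional: when no file is given on the command line the extension is still emitted with an all-zero digest, which the verifier must treat as "image absent" */`. Separately, `.sn = "FWUpdaterHash"` does not follow the `...Config` naming of the two sibling entries added here; that may be intentional if the short names are mirrored elsewhere, but it is worth a look.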