From cebe1f238fff5ad7eadb42dd1abd3ec897c27e64 Mon Sep 17 00:00:00 2001
From: Yatharth Kochar
Date: Fri, 21 Aug 2015 15:30:55 +0100
Subject: [PATCH] FWU: Add FWU support to `cert_create` tool

Firmware Update requires an X509v3 certificate which contains hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions. This patch extends the Chain of Trust definition in the 'cert_create' tool to include the Firmware Update certificate and the required extensions (including command line options). A new field in the extension structure will be used to indicate that the extension is optional. In the case of an image hash extension, this field will tell the tool that the hash should be included in the certificate, but filled with zeros.

Change-Id: I1f77a66b018826b71745910771f38d9cf6050388
---
 tools/cert_create/include/ext.h | 2 ++
 tools/cert_create/include/tbbr/tbb_cert.h | 3 ++-
 tools/cert_create/include/tbbr/tbb_ext.h | 5 ++++-
 tools/cert_create/src/main.c | 27 ++++++++++++++++-------
 tools/cert_create/src/tbbr/tbb_cert.c | 14 ++++++++++++
 tools/cert_create/src/tbbr/tbb_ext.c | 27 +++++++++++++++++++++++
 6 files changed, 68 insertions(+), 10 deletions(-)

diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
index 3c65473b0..0ede36518 100644
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@@ -72,6 +72,8 @@ typedef struct ext_s {
 X509V3_EXT_METHOD method; /* This field may be used to define a custom
 * function to print the contents of the
 * extension */
+
+ int optional; /* This field may be used optionally to exclude an image */
 } ext_t;
 
 enum {
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
index 21626c726..2bc3be63c 100644
--- a/tools/cert_create/include/tbbr/tbb_cert.h
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -46,7 +46,8 @@ enum {
 BL32_KEY_CERT,
 BL32_CERT,
 BL33_KEY_CERT,
- BL33_CERT
+ BL33_CERT,
+ FWU_CERT
 };
 
 #endif /* TBB_CERT_H_ */
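Review bot: The comment on the new `optional` field in ext.h does not say what the flag does, and "exclude an image" is the opposite of the behaviour main.c gives it: for an EXT_TYPE_HASH extension the hash is still emitted, just all-zero, when no image file is given. Since that zero digest becomes a sentinel the boot-time verifier has to recognise, the header is the right place to state it. Suggested comment: `/* Non-zero if the extension may be omitted from the command line. For EXT_TYPE_HASH the certificate then carries an all-zero digest instead of the image hash. */`. The ext_s struct begins before this hunk.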
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h index 03b12d7ae..ecbe8669d 100644 --- a/tools/cert_create/include/tbbr/tbb_ext.h +++ b/tools/cert_create/include/tbbr/tbb_ext.h @@ -46,7 +46,10 @@ enum { BL32_CONTENT_CERT_PK_EXT, BL32_HASH_EXT, BL33_CONTENT_CERT_PK_EXT, - BL33_HASH_EXT + BL33_HASH_EXT, + SCP_BL2U_HASH_EXT, + BL2U_HASH_EXT, + NS_BL2U_HASH_EXT }; #endif /* TBB_EXT_H_ */ diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index b7ad33fe3..de15ef6fe 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -217,8 +217,11 @@ static void check_cmd_params(void) } break; case EXT_TYPE_HASH: - /* Binary image must be specified */ - if (ext->data.fn == NULL) { + /* + * Binary image must be specified + * unless it is explicitly made optional. + */ + if ((!ext->optional) && (ext->data.fn == NULL)) { ERROR("Image for '%s' not specified\n", ext->ln); exit(1); @@ -410,12 +413,20 @@ int main(int argc, char *argv[]) break; case EXT_TYPE_HASH: if (ext->data.fn == NULL) { - break; - } - if (!sha_file(ext->data.fn, md)) { - ERROR("Cannot calculate hash of %s\n", - ext->data.fn); - exit(1); + if (ext->optional) { + /* Include a hash filled with zeros */ + memset(md, 0x0, SHA256_DIGEST_LENGTH); + } else { + /* Do not include this hash in the certificate */ + break; + } + } else { + /* Calculate the hash of the file */ + if (!sha_file(ext->data.fn, md)) { + ERROR("Cannot calculate hash of %s\n", + ext->data.fn); + exit(1); + } } CHECK_NULL(cert_ext, ext_new_hash(ext_nid, EXT_CRIT, md_info, md, diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c index 770bd6a0a..59a1cd9c7 100644 --- a/tools/cert_create/src/tbbr/tbb_cert.c +++ b/tools/cert_create/src/tbbr/tbb_cert.c 
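Review bot: The zero-fill for an optional hash in main.c uses the hard-coded `SHA256_DIGEST_LENGTH`, while the digest actually written is selected by `md_info` on the `ext_new_hash` call just below, so the two can silently disagree if the digest algorithm is ever changed; `memset(md, 0x0, EVP_MD_size(md_info));` keeps the zero block the same size as the real hash, assuming `md_info` is the `EVP_MD` handed to `ext_new_hash`. The memset also deserves a comment that an all-zero digest is a deliberate "no image supplied" marker which the verifier must treat as unauthorised rather than as a hash to compare against, e.g. `/* Optional image not supplied: emit an all-zero digest as a 'no image' marker */`. The `else { break; }` branch for a non-optional hash with no file looks unreachable once check_cmd_params has rejected that case, but that depends on code outside the hunk. main() begins and ends outside this hunk.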
@@ -160,6 +160,20 @@ static cert_t tbb_certs[] = { BL33_HASH_EXT }, .num_ext = 1 + }, + [FWU_CERT] = { + .id = FWU_CERT, + .opt = "fwu-cert", + .fn = NULL, + .cn = "FWU Certificate", + .key = ROT_KEY, + .issuer = FWU_CERT, + .ext = { + SCP_BL2U_HASH_EXT, + BL2U_HASH_EXT, + NS_BL2U_HASH_EXT + }, + .num_ext = 3 } }; diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c index c39c9e6a4..b0af6f1a5 100644 --- a/tools/cert_create/src/tbbr/tbb_ext.c +++ b/tools/cert_create/src/tbbr/tbb_ext.c @@ -145,6 +145,33 @@ static ext_t tbb_ext[] = { .ln = "Non-Trusted World (BL33) hash (SHA256)", .asn1_type = V_ASN1_OCTET_STRING, .type = EXT_TYPE_HASH + }, + [SCP_BL2U_HASH_EXT] = { + .oid = SCP_BL2U_HASH_OID, + .opt = "scp_bl2u", + .sn = "SCPFWUpdateConfig", + .ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [BL2U_HASH_EXT] = { + .oid = BL2U_HASH_OID, + .opt = "bl2u", + .sn = "APFWUpdateConfig", + .ln = "AP Firmware Update Config (BL2U) hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [NS_BL2U_HASH_EXT] = { + .oid = NS_BL2U_HASH_OID, + .opt = "ns_bl2u", + .sn = "FWUpdaterHash", + .ln = "Firmware Updater (NS_BL2U) hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 } };
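Review bot: The new FWU_CERT entry in tbb_cert.c is self-issued (`.issuer = FWU_CERT`) and signed directly with `ROT_KEY`, with no key certificate in between as the BL3x chains have, and nothing in the table says why or what its three hash extensions mean when an image is absent; a comment above `[FWU_CERT] = {` would help, e.g. `/* Firmware Update certificate: self-signed with the ROT key; carries the SCP_BL2U, BL2U and NS_BL2U hashes, each all-zero when that image is not supplied */`. Because the root key signs it, any change to any of the three update images requires re-signing with the ROT key, which is worth stating for whoever manages that key. The tbb_certs table begins before this hunk.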
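Review bot: All three FWU hash extensions in tbb_ext.c are marked `.optional = 1`, and with check_cmd_params now skipping the "Image ... not specified" error for optional hashes, `--fwu-cert` can be generated with no update image at all, producing a ROT-signed certificate of three all-zero digests that vouches for nothing. A guard in check_cmd_params that at least one of scp_bl2u/bl2u/ns_bl2u was supplied when the FWU certificate is requested, or at least a warning, would catch a mistyped invocation before it is signed. Naming is also inconsistent (the first two short names end in `FWUpdateConfig`, the third is `FWUpdaterHash`), and `SCP_BL2U_HASH_OID`/`BL2U_HASH_OID`/`NS_BL2U_HASH_OID` are used without a definition in any of the six files this patch touches, so they presumably already exist in a header outside it. The tbb_ext table begins before this hunk.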