Changes to 'tools/cert_create' folder, to include platform defined
certificates, keys, and extensions.
NXP SoC lx2160a : based platforms requires additional
FIP DDR to be loaded before initializing the DDR.
To enable chain of trust on these platforms, FIP DDR
image needs to be authenticated, additionally.
Platform specific folder 'tools/nxp/cert_create_helper'
is added to support platform specific macros and definitions.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
This bug manifests itself as a segfault triggered by a double-free.
I noticed that right before the double-free, the sk list contained 2
elements with the same address.
(gdb) p sk_X509_EXTENSION_value(sk, 1)
$34 = (X509_EXTENSION *) 0x431ad0
(gdb) p sk_X509_EXTENSION_value(sk, 0)
$35 = (X509_EXTENSION *) 0x431ad0
(gdb) p sk_X509_EXTENSION_num(sk)
$36 = 2
This caused confusion; this should never happen.
I figured that this was caused by a ext_new_xxxx function freeing
something before it is added to the list, so I put a breakpoint on
each of them to step through. I was suprised to find that none of my
breakpoints triggered for the second element of the iteration through
the outer loop just before the double-free.
Looking through the code, I noticed that it's possible to avoid doing
a ext_new_xxxx, when either:
* ext->type == NVCOUNTER and ext->arg == NULL
* ext->type == HASH and ext->arg == NULL and ext->optional == false
So I put a breakpoint on both.
It turns out that it was the HASH version, but I added a fix for both.
The fix for the Hash case is simple, as it was a mistake. The fix for
the NVCOUNTER case, however, is a bit more subtle. The NVCOUNTER may
be optional, and when it's optional we can skip it. The other case,
when the NVCOUNTER is required (not optinal), the `check_cmd_params`
function has already verified that the `ext->arg` must be non-NULL.
We assert that before processing it to covert any possible segfaults
into more descriptive errors.
This should no longer cause double-frees by adding the same ext twice.
Change-Id: Idae2a24ecd964b0a3929e6193c7f85ec769f6470
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
The certification tool creates all the certificates mentioned
statically in the code rather than taking explicit certificate
requests from the command line parameters.
Code is optimized to avoid unnecessary attempts to create
non-requested certificates.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I78feac25bc701bf8f08c6aa5a2e1590bec92d0f2
When OpenSSL's macro allocates the HASH struct, it allocates the fields
as well. After this allocation, the prior code would assign over the
pointers inside the HASH struct, leaking these fields. This patch
avoids allocating extra copies of these members.
Change-Id: I50a38b0a04b52ec54d6388db0f694feb578d2818
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Previously, we would leak these extensions as they are not freed by the
stack. An except from the `sk_TYPE_free` documentation:
sk_TYPE_free() frees up the sk structure. It does not free up any
elements of sk. After this call sk is no longer valid.
The fix is to drain the stack and free its elements before freeing the
stack. sk_TYPE_pop_free does this, so we use that instead.
Change-Id: Ie70c302f9dda5af1a7243f163d36e99916ee639c
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Add support to generate a certificate named "plat-sp-cert" for Secure
Partitions(SP) owned by Platform.
Earlier a single certificate file "sip-sp-cert" was generated which
contained hash of all 8 SPs, with this change SPs are divided into
two categories viz "SiP owned" and "Plat owned" containing 4 SPs each.
Platform RoT key pair is used for signing.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6
Updated cert_tool to add hash information of fw_config image into
the existing "trusted boot fw" certificate.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I720319225925806a2a9f50a1ac9c8a464be975f0
with sha 0792dd7, support to generate certificate for Secure
Partitions was added for dualroot CoT only, this patch extends
this support for tbbr CoT.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f
Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.
A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.
Following new options added to cert_tool:
--sip-sp-cert --> SiP owned Secure Partition Content Certificate
--sp-pkg1 --> Secure Partition Package1 file
--sp-pkg2
.....
--sp-pkg8
Trusted world key pair is used for signing.
Going forward, this feature can be extended for Platfrom owned
Partitions, if required.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
Selection of the chain of trust is done through the COT build option:
> make COT=dualroot
Change-Id: Id87c7a5116bdd13bdb29645ecf31d111ad094c1e
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
In preparation of supporting alternate chains of trust, reword comments
and error messages that explicitly mentioned TBBR.
Change-Id: I85a0b08e16d0cd82f3b767fcc092d1f20f45939f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Move all TBBR-specific stuff out of the tool's makefile into a
sub-makefile. This will make it easier to define and select an alternate
chain of trust in the future.
Change-Id: I92e366a1999b74cf51127d1771b64b807cd94b29
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The chain of trust definitions are only needed in the part of the code
dealing with the TBBR CoT (tbbr/* files).
Change-Id: I6f9a86bba4a2d16313b6842a3ec85b7c951074bc
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Support for PKCS#1 v1.5 was deprecated in SHA 1001202 and fully removed
in SHA fe199e3, however, cert_tool is still able to generate
certificates in that form. This patch fully removes the ability for
cert_tool to generate these certificates.
Additionally, this patch also fixes a bug where the issuing certificate
was a RSA and the issued certificate was EcDSA. In this case, the issued
certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
that PKCS#1 v1.5 support is removed, all certificates that are signed
with RSA now use the more modern padding scheme.
Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
cert_tool is now able to accept a command line option for specifying the
key size. It now supports the following options: 1024, 2048 (default),
3072 and 4096. This is also modifiable by TFA using the build flag
KEY_SIZE.
Change-Id: Ifadecf84ade3763249ee8cc7123a8178f606f0e5
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
The valgrind checks for cert_create have not been run in a long while -
as such there are a few memory leaks present. This patch fixes a few of
the major ones reported by valgrind. However, a few do remain.
Change-Id: Iab002fb2b0090043287d43fb54a4d18928c2ed85
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Print_help was used in different contexts and returning no
error in that function was hiding the error when incorrect
options were used.
Change-Id: Ic3f71748be7ff8440c9d54810b986e9f177f4439
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
necessary cert tool support and changes to default chain of trust are made
for these configs.
Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch updates the `fiptool` and `cert_create` for the
`hw_config` and `tb_fw_config` dynamic configuration files.
The necessary UUIDs and OIDs are assigned to these files and
the `cert_create` is updated to generate appropriate hashes
and include them in the "Trusted Boot FW Certificate". The
`fiptool` is updated to allow the configs to be specified
via cmdline and included in the generated FIP.
Change-Id: I940e751a49621ae681d14e162aa1f5697eb0cb15
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This option enables the user to select the secure hash algorithm
to be used for generating the hash. It supports the following
options:
- sha256 (default)
- sha384
- sha512
Change-Id: Icb093cec1b5715e248c3d1c3749a2479a7ab4b89
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
Commit a8eb286ada introduced the
following error when creating ECDSA certificates.
ERROR: Error creating key 'Trusted World key'
Makefile:634: recipe for target 'certificates' failed
make: *** [certificates] Error 1
this patch adds the function to create PKCS#1 v1.5.
Change-Id: Ief96d55969d5e9877aeb528c6bb503b560563537
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
This patch fixes incompatibility issues that prevent building the cert_tool
with OpenSSL >= v1.1.0. The changes introduced are still backwards
compatible with OpenSSL v1.0.2.
Fixesarm-software/trusted-fw#521
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
This patch enables choice of RSA version at run time to be used for
generating signatures by the cert_tool. The RSA PSS as defined in
PKCS#1 v2.1 becomes the default version and this patch enables to specify
the RSA PKCS#1 v1.5 algorithm to `cert_create` through the command line
-a option. Also, the build option `KEY_ALG` can be used to pass this
option from the build system. Please note that RSA PSS is mandated
by Trusted Board Boot requirements (TBBR) and legacy RSA support is
being added for compatibility reasons.
FixesARM-Software/tf-issues#499
Change-Id: Ifaa3f2f7c9b43f3d7b3effe2cde76bf6745a5d73
Co-Authored-By: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.
Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch modifies the `cert_create` tool to use RSASSA-PSS scheme for
signing the certificates. This is compliant with RSA PKCS_2_1 standard as
mandated by TBBR.
Note that the certificates generated by using cert_create tool after this
patch can be authenticated during TBB only if the corresponding mbedtls
driver in ARM Trusted Firmware has the corresponding support.
Change-Id: If224f41c76b3c4765ae2af5259e67f73602818a4
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Platforms aligned with TBBR are supposed to use their own OIDs, but
defining the same macros with different OIDs does not provide any
value (at least technically).
For easier use of TBBR, this commit allows platforms to reuse the OIDs
obtained by ARM Ltd. This will be useful for non-ARM vendors that
do not need their own extension fields in their certificate files.
The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h
Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
defining USE_TBBR_DEFS as 1. USE_TBBR_DEFS is 0 by default to keep the
backward compatibility.
For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
These variables store return values of functions. Remove all of
meaningless initializers.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The ext_new_nvcounter() function calls i2d_ASN1_INTEGER() twice;
the first call to get the return value "sz", and the second one
for writing data into the buffer. This is actually redundant.
We can do both by one function call.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
In the current code, both key_load() and key_create() call key_new()
to allocate a key container (and they do not free it even if they
fail). If a specific key is not given by the command option,
key_load() fails, then key_create() is called. At this point, the
key container that has been allocated in key_load() is still alive,
and it is overwritten by a new key container created by key_create().
Move the key_new() call to the main() function to make sure it is
called just once for each descriptor.
While we are here, let's fix one more bug; the error handling code
ERROR("Malloc error while loading '%s'\n", keys[i].fn);
is wrong because keys[i].fn is NULL pointer unless a specific key is
given by the command option. This code could be run in either case.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
With the introduction of commit `96103d5a`, the Certificate
Generation tool is not able to generate FWU certificate and
while doing so it does segmentation fault.
This happens because it is now required to pass non-volatile
counter values to the `cert_create` tool from the command line
for creating the trusted firmware certificates.
But in case of creating FWU certificate these counter values are not
being passed to the tool and as a consequence the `cert_create` tool
try to use the NULL argument and errors out with Segmentation fault.
This patch fixes this issue by providing a check before using the
command line argument passed in the case of `EXT_TYPE_NVCOUNTER`
certificate extension.
Change-Id: Ie17d0c1502b52aaa8500f3659c2da2448ab0347a
This patch adds non-volatile counter support to the Certificate
Generation tool. The TBBR Chain of Trust definition in the tool
has been extended to include the counters as certificate extensions.
The counter values can be specified in the command line.
The following default counter values are specified in the build
system:
* Trusted FW Non-Volatile counter = 0
* Non-Trusted FW Non-Volatile counter = 0
These values can be overridden by the platform at build time.
Change-Id: I7ea10ee78d72748d181df4ee78a7169b3ef2720c
The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.
This patch reworks the print_help() function to print the help
messages in a data driven approach. For each command line option
registered, an optional help message can be specified, which will
be printed by print_help().
Help messages for the TBBR options (certificates, keys and images)
are also provided.
Fix a small bug in the short options string passed to getopt_long:
the ':' was missing in the '-a' option (this option must take an
argument).
FixesARM-software/tf-issues#337
Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452
This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):
BL0 --> SCP_BL1
BL30, BL3-0 --> SCP_BL2
bl30 --> scp_bl2
This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.
IMPORTANT: build option to specify the SCP FW image has changed:
BL30 --> SCP_BL2
IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:
BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
BL30_BASE --> SCP_BL2_BASE
bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()
Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
Firmware Update requires an X509v3 certificate which contains
hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.
This patch extends the Chain of Trust definition in the
'cert_create' tool to include the Firmware Update certificate
and the required extensions (including command line options).
A new field in the extension structure will be used to indicate
that the extension is optional. In the case of an image hash
extension, this field will tell the tool that the hash should
be included in the certificate, but filled with zeros.
Change-Id: I1f77a66b018826b71745910771f38d9cf6050388
This patch introduces a new API that allows to specify command
line options in the Chain of Trust description. These command line
options may be used to specify parameters related to the CoT (i.e.
keys or certificates), instead of keeping a hardcoded list of
options in main.c.
Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
The certificate generation tool currently checks if all command
line options required to create all certificates in the CoT have
been specified. This prevents using the tool to create individual
certificates when the whole CoT is not required.
This patch improves the checking function so only those options
required by the certificates specified in the command line are
verified.
Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
This patch reworks the certificate generation tool to follow a data
driven approach. The user may specify at build time the certificates,
keys and extensions defined in the CoT, register them using the
appropiate macros and the tool will take care of creating the
certificates corresponding to the CoT specified.
Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
Some Linux distributions include an OpenSSL library which has been
built without ECDSA support. Trying to build the certificate
generation tool on those distributions will result in a build error.
This patch fixes that issue by including ECDSA support only if
OpenSSL has been built with ECDSA. In that case, the OpenSSL
configuration file does not define the OPENSSL_NO_EC macro. The tool
will build successfully, although the resulting binary will not
support ECDSA keys.
Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
This patch extends the 'cert_create' tool to support ECDSA keys
to sign the certificates. The '--key-alg' command line option
can be used to specify the key algorithm when invoking the tool.
Available options are:
* 'rsa': create RSA-2048 keys (default option)
* 'ecdsa': create ECDSA-SECP256R1 keys
The TF Makefile has been updated to allow the platform to specify
the key algorithm by declaring the 'KEY_ALG' variable in the
platform makefile.
The behaviour regarding key management has changed. After applying
this patch, the tool will try first to open the keys from disk. If
one key does not exist or no key is specified, and the command line
option to create keys has been specified, new keys will be created.
Otherwise an error will be generated and the tool will exit. This
way, the user may specify certain keys while the tool will create
the remaining ones. This feature is useful for testing purposes
and CI infrastructures.
The OpenSSL directory may be specified using the build option
'OPENSSL_DIR' when building the certificate generation tool.
Default is '/usr'.
Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
The cert_create tool calculates the hash of each BL image and includes
it as an ASN.1 OCTET STRING in the corresponding certificate extension.
Without additional information, the firmware running on the platform
has to know in advance the algorithm used to generate the hash.
This patch modifies the cert_create tool so the certificate extensions
that include an image hash are generated according to the following
ASN.1 structure:
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
The PolarSSL module has been updated to extract the image hash
from the certificate extension according to this structure.
Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
This patch replaces SHA1 by SHA256 in the 'cert_create' tool, so
certificate signatures are generated according to the NSA Suite B
cryptographic algorithm requirements.
Documentation updated accordingly.
Change-Id: I7be79e6b2b62dac8dc78a4f4f5006e37686bccf6