/*
 * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include "tbbr/tbb_cert.h"
#include "tbbr/tbb_ext.h"
#include "tbbr/tbb_key.h"

/*
 * Certificates used in the chain of trust
 *
 * The order of the certificates must follow the enumeration specified in
 * tbb_cert.h. All certificates are self-signed, so the issuer certificate
 * field points to itself.
 *
 * Invariants to re-check whenever an entry is added or edited:
 *  - the array index, .id and .issuer all name the same certificate
 *    identifier (the self-signed property described above);
 *  - .key is the key identifier (tbb_key.h) the certificate is signed with;
 *  - .ext lists the extension identifiers (tbb_ext.h) the certificate
 *    carries, and .num_ext is maintained by hand: it must equal the number
 *    of initializers in .ext, as it does for every entry below. A stale
 *    .num_ext would silently drop trailing extensions from the certificate;
 *  - .fn starts as NULL; the "(output file)" wording of .help_msg suggests
 *    it is filled in from the command-line option named by .opt (confirm
 *    against the option parser).
 *
 * Every certificate except FWU_CERT carries a non-volatile counter
 * extension: TRUSTED_FW_NVCOUNTER_EXT on the trusted-world certificates,
 * NON_TRUSTED_FW_NVCOUNTER_EXT on the non-trusted ones.
 * NOTE(review): FWU_CERT has no NV counter extension in this table; confirm
 * that is intended before relying on it for anti-rollback of FWU images.
 */
static cert_t tbb_certs[] = {
	/*
	 * Root of the chain. Signed with the ROT key; carries the Trusted
	 * Boot FW hash and the TB-FW/HW/FW config hashes.
	 */
	[TRUSTED_BOOT_FW_CERT] = {
		.id = TRUSTED_BOOT_FW_CERT,
		.opt = "tb-fw-cert",
		.help_msg = "Trusted Boot FW Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted Boot FW Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_BOOT_FW_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
			FW_CONFIG_HASH_EXT
		},
		.num_ext = 5
	},
	/*
	 * Signed with the ROT key; carries the trusted-world and
	 * non-trusted-world PK extensions. The key certificates below are
	 * signed with the corresponding TRUSTED_WORLD_KEY /
	 * NON_TRUSTED_WORLD_KEY.
	 */
	[TRUSTED_KEY_CERT] = {
		.id = TRUSTED_KEY_CERT,
		.opt = "trusted-key-cert",
		.help_msg = "Trusted Key Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted Key Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_WORLD_PK_EXT,
			NON_TRUSTED_WORLD_PK_EXT
		},
		.num_ext = 3
	},
	/*
	 * SCP firmware: key certificate (trusted world key, carries the
	 * content-certificate PK extension) followed by the content
	 * certificate (SCP content key, carries the SCP FW hash).
	 */
	[SCP_FW_KEY_CERT] = {
		.id = SCP_FW_KEY_CERT,
		.opt = "scp-fw-key-cert",
		.help_msg = "SCP Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "SCP Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SCP_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[SCP_FW_CONTENT_CERT] = {
		.id = SCP_FW_CONTENT_CERT,
		.opt = "scp-fw-cert",
		.help_msg = "SCP Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "SCP Firmware Content Certificate",
		.key = SCP_FW_CONTENT_CERT_KEY,
		.issuer = SCP_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_HASH_EXT
		},
		.num_ext = 2
	},
	/*
	 * SoC firmware: same key-cert / content-cert pair as SCP. The
	 * content certificate covers the SoC AP FW image and its config.
	 */
	[SOC_FW_KEY_CERT] = {
		.id = SOC_FW_KEY_CERT,
		.opt = "soc-fw-key-cert",
		.help_msg = "SoC Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "SoC Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SOC_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[SOC_FW_CONTENT_CERT] = {
		.id = SOC_FW_CONTENT_CERT,
		.opt = "soc-fw-cert",
		.help_msg = "SoC Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "SoC Firmware Content Certificate",
		.key = SOC_FW_CONTENT_CERT_KEY,
		.issuer = SOC_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},
	/*
	 * Trusted OS firmware: key-cert / content-cert pair. The content
	 * certificate covers the Trusted OS image, two extra images and
	 * the Trusted OS config.
	 */
	[TRUSTED_OS_FW_KEY_CERT] = {
		.id = TRUSTED_OS_FW_KEY_CERT,
		.opt = "tos-fw-key-cert",
		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted OS Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = TRUSTED_OS_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[TRUSTED_OS_FW_CONTENT_CERT] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted OS Firmware Content Certificate",
		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 5
	},
	/*
	 * Non-trusted firmware: key certificate is signed with the
	 * non-trusted world key and both certificates use the separate
	 * NON_TRUSTED_FW_NVCOUNTER_EXT rather than the trusted FW counter.
	 */
	[NON_TRUSTED_FW_KEY_CERT] = {
		.id = NON_TRUSTED_FW_KEY_CERT,
		.opt = "nt-fw-key-cert",
		.help_msg = "Non-Trusted Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "Non-Trusted Firmware Key Certificate",
		.key = NON_TRUSTED_WORLD_KEY,
		.issuer = NON_TRUSTED_FW_KEY_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},
	/*
	 * SiP-owned Secure Partitions. Unlike the pairs above there is no
	 * separate key certificate: this content certificate is signed
	 * directly with the trusted world key and carries up to eight SP
	 * package hashes.
	 */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.fn = NULL,
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
		},
		.num_ext = 9
	},
	/*
	 * Firmware update certificate. Signed with the ROT key and carrying
	 * the SCP/AP FWU config hashes and the FWU image hash; note it is the
	 * only entry in this table without an NV counter extension.
	 */
	[FWU_CERT] = {
		.id = FWU_CERT,
		.opt = "fwu-cert",
		.help_msg = "Firmware Update Certificate (output file)",
		.fn = NULL,
		.cn = "Firmware Update Certificate",
		.key = ROT_KEY,
		.issuer = FWU_CERT,
		.ext = {
			SCP_FWU_CFG_HASH_EXT,
			AP_FWU_CFG_HASH_EXT,
			FWU_HASH_EXT
		},
		.num_ext = 3
	}
};

/* Publish this table as the chain of trust (macro defined in tbb_cert.h). */
REGISTER_COT(tbb_certs);