Browse Source

cert_create: add SiP owned secure partitions support

Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.

A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.

Following new options added to cert_tool:
 --sip-sp-cert --> SiP owned Secure Partition Content Certificate
 --sp-pkg1 --> Secure Partition Package1 file
 --sp-pkg2
 .....
 --sp-pkg8

Trusted world key pair is used for signing.

Going forward, this feature can be extended for Platfrom owned
Partitions, if required.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
pull/1979/head
Manish Pandey 5 years ago
parent
commit
0792dd7d64
  1. 12
      include/tools_share/dualroot_oid.h
  2. 2
      include/tools_share/firmware_image_package.h
  3. 3
      lib/debugfs/devfip.c
  4. 5
      make_helpers/tbbr/tbbr_tools.mk
  5. 2
      tools/cert_create/include/cert.h
  6. 9
      tools/cert_create/include/dualroot/cot.h
  7. 103
      tools/cert_create/src/dualroot/cot.c
  8. 5
      tools/fiptool/tbbr_config.c

12
include/tools_share/dualroot_oid.h

@ -16,4 +16,16 @@
*/
#define PROT_PK_OID "1.3.6.1.4.1.4128.2100.1102"
/*
* Secure Partitions Content Certificate
*/
#define SP_PKG1_HASH_OID "1.3.6.1.4.1.4128.2100.1301"
#define SP_PKG2_HASH_OID "1.3.6.1.4.1.4128.2100.1302"
#define SP_PKG3_HASH_OID "1.3.6.1.4.1.4128.2100.1303"
#define SP_PKG4_HASH_OID "1.3.6.1.4.1.4128.2100.1304"
#define SP_PKG5_HASH_OID "1.3.6.1.4.1.4128.2100.1305"
#define SP_PKG6_HASH_OID "1.3.6.1.4.1.4128.2100.1306"
#define SP_PKG7_HASH_OID "1.3.6.1.4.1.4128.2100.1307"
#define SP_PKG8_HASH_OID "1.3.6.1.4.1.4128.2100.1308"
#endif /* DUALROOT_OID_H */

2
include/tools_share/firmware_image_package.h

@ -64,6 +64,8 @@
{{0xa4, 0x9f, 0x44, 0x11}, {0x5e, 0x63}, {0xe4, 0x11}, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
#define UUID_NON_TRUSTED_FW_CONTENT_CERT \
{{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
#define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \
{{0x77, 0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} }
/* Dynamic configs */
#define UUID_HW_CONFIG \
{{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }

3
lib/debugfs/devfip.c

@ -74,7 +74,8 @@ static const struct uuidnames uuidnames[] = {
{"tos-fw.cfg", UUID_TOS_FW_CONFIG},
{"nt-fw.cfg", UUID_NT_FW_CONFIG},
{"rot-k.crt", UUID_ROT_KEY_CERT},
{"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT}
{"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT},
{"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT}
};
/*******************************************************************************

5
make_helpers/tbbr/tbbr_tools.mk

@ -99,3 +99,8 @@ ifneq (${COT},dualroot)
$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
endif
endif
# Add SiP owned Secure Partitions CoT (image cert)
ifneq (${SP_LAYOUT_FILE},)
$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert))
endif

2
tools/cert_create/include/cert.h

@ -12,7 +12,7 @@
#include "ext.h"
#include "key.h"
#define CERT_MAX_EXT 5
#define CERT_MAX_EXT 9
/*
* This structure contains information related to the generation of the

9
tools/cert_create/include/dualroot/cot.h

@ -18,6 +18,7 @@ enum {
SOC_FW_CONTENT_CERT,
TRUSTED_OS_FW_KEY_CERT,
TRUSTED_OS_FW_CONTENT_CERT,
SIP_SECURE_PARTITION_CONTENT_CERT,
FWU_CERT,
/* Certificates owned by the platform owner. */
@ -42,6 +43,14 @@ enum {
TRUSTED_OS_FW_EXTRA1_HASH_EXT,
TRUSTED_OS_FW_EXTRA2_HASH_EXT,
TRUSTED_OS_FW_CONFIG_HASH_EXT,
SP_PKG1_HASH_EXT,
SP_PKG2_HASH_EXT,
SP_PKG3_HASH_EXT,
SP_PKG4_HASH_EXT,
SP_PKG5_HASH_EXT,
SP_PKG6_HASH_EXT,
SP_PKG7_HASH_EXT,
SP_PKG8_HASH_EXT,
SCP_FWU_CFG_HASH_EXT,
AP_FWU_CFG_HASH_EXT,
FWU_HASH_EXT,

103
tools/cert_create/src/dualroot/cot.c

@ -137,6 +137,28 @@ static cert_t cot_certs[] = {
.num_ext = 5
},
[SIP_SECURE_PARTITION_CONTENT_CERT] = {
.id = SIP_SECURE_PARTITION_CONTENT_CERT,
.opt = "sip-sp-cert",
.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
.fn = NULL,
.cn = "SiP owned Secure Partition Content Certificate",
.key = TRUSTED_WORLD_KEY,
.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
.ext = {
TRUSTED_FW_NVCOUNTER_EXT,
SP_PKG1_HASH_EXT,
SP_PKG2_HASH_EXT,
SP_PKG3_HASH_EXT,
SP_PKG4_HASH_EXT,
SP_PKG5_HASH_EXT,
SP_PKG6_HASH_EXT,
SP_PKG7_HASH_EXT,
SP_PKG8_HASH_EXT,
},
.num_ext = 9
},
[FWU_CERT] = {
.id = FWU_CERT,
.opt = "fwu-cert",
@ -327,6 +349,87 @@ static ext_t cot_ext[] = {
.optional = 1
},
[SP_PKG1_HASH_EXT] = {
.oid = SP_PKG1_HASH_OID,
.opt = "sp-pkg1",
.help_msg = "Secure Partition Package1 file",
.sn = "SPPkg1Hash",
.ln = "SP Pkg1 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG2_HASH_EXT] = {
.oid = SP_PKG2_HASH_OID,
.opt = "sp-pkg2",
.help_msg = "Secure Partition Package2 file",
.sn = "SPPkg2Hash",
.ln = "SP Pkg2 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG3_HASH_EXT] = {
.oid = SP_PKG3_HASH_OID,
.opt = "sp-pkg3",
.help_msg = "Secure Partition Package3 file",
.sn = "SPPkg3Hash",
.ln = "SP Pkg3 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG4_HASH_EXT] = {
.oid = SP_PKG4_HASH_OID,
.opt = "sp-pkg4",
.help_msg = "Secure Partition Package4 file",
.sn = "SPPkg4Hash",
.ln = "SP Pkg4 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG5_HASH_EXT] = {
.oid = SP_PKG5_HASH_OID,
.opt = "sp-pkg5",
.help_msg = "Secure Partition Package5 file",
.sn = "SPPkg5Hash",
.ln = "SP Pkg5 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG6_HASH_EXT] = {
.oid = SP_PKG6_HASH_OID,
.opt = "sp-pkg6",
.help_msg = "Secure Partition Package6 file",
.sn = "SPPkg6Hash",
.ln = "SP Pkg6 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG7_HASH_EXT] = {
.oid = SP_PKG7_HASH_OID,
.opt = "sp-pkg7",
.help_msg = "Secure Partition Package7 file",
.sn = "SPPkg7Hash",
.ln = "SP Pkg7 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SP_PKG8_HASH_EXT] = {
.oid = SP_PKG8_HASH_OID,
.opt = "sp-pkg8",
.help_msg = "Secure Partition Package8 file",
.sn = "SPPkg8Hash",
.ln = "SP Pkg8 hash (SHA256)",
.asn1_type = V_ASN1_OCTET_STRING,
.type = EXT_TYPE_HASH,
.optional = 1
},
[SCP_FWU_CFG_HASH_EXT] = {
.oid = SCP_FWU_CFG_HASH_OID,
.opt = "scp-fwu-cfg",

5
tools/fiptool/tbbr_config.c

@ -151,6 +151,11 @@ toc_entry_t toc_entries[] = {
.uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT,
.cmdline_name = "nt-fw-cert"
},
{
.name = "SiP owned Secure Partition content certificate",
.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
.cmdline_name = "sip-sp-cert"
},
{
.name = NULL,
.uuid = { {0} },

Loading…
Cancel
Save