1*91f16700Schasinglulu /*
2*91f16700Schasinglulu  * Copyright (c) 2020, Arm Limited. All rights reserved.
3*91f16700Schasinglulu  *
4*91f16700Schasinglulu  * SPDX-License-Identifier: BSD-3-Clause
5*91f16700Schasinglulu  */
6*91f16700Schasinglulu 
7*91f16700Schasinglulu #include <dualroot_oid.h>
8*91f16700Schasinglulu 
9*91f16700Schasinglulu #include "cert.h"
10*91f16700Schasinglulu #include "ext.h"
11*91f16700Schasinglulu #include "key.h"
12*91f16700Schasinglulu 
13*91f16700Schasinglulu #include "dualroot/cot.h"
14*91f16700Schasinglulu 
/*
 * Certificates used in the chain of trust.
 *
 * All certificates are self-signed so the issuer certificate field points to
 * itself.
 *
 * Each entry is indexed by its certificate id.  .opt/.help_msg name the
 * command-line option that takes the output file, .cn is the certificate's
 * Common Name, .key selects the signing key from cot_keys and .ext lists the
 * extensions (ids into cot_ext) the certificate carries.  .num_ext is kept by
 * hand and must equal the number of ids written to .ext -- keep the two in
 * step when editing an entry.
 *
 * Two signing roots are used below (hence "dualroot"):
 *   - ROT_KEY signs the Trusted Boot FW, Trusted Key and FWU certificates.
 *     The remaining trusted-side certificates are signed by
 *     TRUSTED_WORLD_KEY (published by TRUSTED_KEY_CERT) or by a content
 *     certificate key published by the matching key certificate.
 *   - PROT_KEY signs the platform-owned Secure Partition certificate and the
 *     Non-Trusted FW content certificate.  Those two use the non-trusted NV
 *     counter instead of the trusted one and embed PROT_PK_EXT.
 */
static cert_t cot_certs[] = {
	/* Signed directly by the Root of Trust key.  Only the Trusted Boot FW
	 * image hash is mandatory; the three config hashes are marked optional
	 * in cot_ext. */
	[TRUSTED_BOOT_FW_CERT] = {
		.id = TRUSTED_BOOT_FW_CERT,
		.opt = "tb-fw-cert",
		.help_msg = "Trusted Boot FW Certificate (output file)",
		.cn = "Trusted Boot FW Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_BOOT_FW_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_BOOT_FW_HASH_EXT,
			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
			HW_CONFIG_HASH_EXT,
			FW_CONFIG_HASH_EXT
		},
		.num_ext = 5
	},

	/* Signed by the Root of Trust key; publishes the Trusted World public
	 * key (TRUSTED_WORLD_PK_EXT).  The platform root key is not carried
	 * here -- it travels as PROT_PK_EXT inside the PROT_KEY-signed
	 * certificates instead. */
	[TRUSTED_KEY_CERT] = {
		.id = TRUSTED_KEY_CERT,
		.opt = "trusted-key-cert",
		.help_msg = "Trusted Key Certificate (output file)",
		.cn = "Trusted Key Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_WORLD_PK_EXT,
		},
		.num_ext = 2
	},

	/* Key certificate: carries the public key of the SCP content
	 * certificate key, signed by the Trusted World key. */
	[SCP_FW_KEY_CERT] = {
		.id = SCP_FW_KEY_CERT,
		.opt = "scp-fw-key-cert",
		.help_msg = "SCP Firmware Key Certificate (output file)",
		.cn = "SCP Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SCP_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},

	/* Content certificate signed with the key published by
	 * SCP_FW_KEY_CERT; the SCP image hash is mandatory. */
	[SCP_FW_CONTENT_CERT] = {
		.id = SCP_FW_CONTENT_CERT,
		.opt = "scp-fw-cert",
		.help_msg = "SCP Firmware Content Certificate (output file)",
		.cn = "SCP Firmware Content Certificate",
		.key = SCP_FW_CONTENT_CERT_KEY,
		.issuer = SCP_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_HASH_EXT
		},
		.num_ext = 2
	},

	/* Key certificate: carries the public key of the SoC content
	 * certificate key, signed by the Trusted World key. */
	[SOC_FW_KEY_CERT] = {
		.id = SOC_FW_KEY_CERT,
		.opt = "soc-fw-key-cert",
		.help_msg = "SoC Firmware Key Certificate (output file)",
		.cn = "SoC Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SOC_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},

	/* Content certificate: the SoC AP FW image hash is mandatory, the SoC
	 * FW config hash optional. */
	[SOC_FW_CONTENT_CERT] = {
		.id = SOC_FW_CONTENT_CERT,
		.opt = "soc-fw-cert",
		.help_msg = "SoC Firmware Content Certificate (output file)",
		.cn = "SoC Firmware Content Certificate",
		.key = SOC_FW_CONTENT_CERT_KEY,
		.issuer = SOC_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT,
			SOC_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 3
	},

	/* Key certificate: carries the public key of the Trusted OS content
	 * certificate key, signed by the Trusted World key. */
	[TRUSTED_OS_FW_KEY_CERT] = {
		.id = TRUSTED_OS_FW_KEY_CERT,
		.opt = "tos-fw-key-cert",
		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
		.cn = "Trusted OS Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = TRUSTED_OS_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},

	/* Content certificate: only the Trusted OS image hash is mandatory;
	 * the extra1/extra2 images and the config file are optional. */
	[TRUSTED_OS_FW_CONTENT_CERT] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
		.cn = "Trusted OS Firmware Content Certificate",
		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
			TRUSTED_OS_FW_CONFIG_HASH_EXT,
		},
		.num_ext = 5
	},

	/* SiP-owned Secure Partition packages 1-4 (all optional), signed by
	 * the Trusted World key.  The explicit .fn = NULL is the same value
	 * the other entries get from zero-initialisation of static storage. */
	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
		.opt = "sip-sp-cert",
		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
		.fn = NULL,
		.cn = "SiP owned Secure Partition Content Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG1_HASH_EXT,
			SP_PKG2_HASH_EXT,
			SP_PKG3_HASH_EXT,
			SP_PKG4_HASH_EXT,
		},
		.num_ext = 5
	},

	/* Platform-owned Secure Partition packages 5-8 (all optional).  Signed
	 * by the Platform Root of Trust key, so it uses the non-trusted NV
	 * counter and embeds the PRoT public key (PROT_PK_EXT). */
	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.opt = "plat-sp-cert",
		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
		.fn = NULL,
		.cn = "Platform owned Secure Partition Content Certificate",
		.key = PROT_KEY,
		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			SP_PKG5_HASH_EXT,
			SP_PKG6_HASH_EXT,
			SP_PKG7_HASH_EXT,
			SP_PKG8_HASH_EXT,
			PROT_PK_EXT,
		},
		.num_ext = 6
	},

	/* Firmware Update certificate, signed by the Root of Trust key.  This
	 * is the only certificate in the table with no NV counter extension,
	 * and all three of its hashes are optional. */
	[FWU_CERT] = {
		.id = FWU_CERT,
		.opt = "fwu-cert",
		.help_msg = "Firmware Update Certificate (output file)",
		.cn = "Firmware Update Certificate",
		.key = ROT_KEY,
		.issuer = FWU_CERT,
		.ext = {
			SCP_FWU_CFG_HASH_EXT,
			AP_FWU_CFG_HASH_EXT,
			FWU_HASH_EXT
		},
		.num_ext = 3
	},

	/* Non-Trusted FW content certificate, signed by the Platform Root of
	 * Trust key: the NT bootloader hash is mandatory, the NT FW config
	 * hash optional, and PROT_PK_EXT carries the PRoT public key. */
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = PROT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
			NON_TRUSTED_FW_CONFIG_HASH_EXT,
			PROT_PK_EXT,
		},
		.num_ext = 4
	},
};

/* Hand the table above to the generic cert_create machinery (the macro is
 * presumably provided by cert.h). */
REGISTER_COT(cot_certs);
211*91f16700Schasinglulu 
212*91f16700Schasinglulu 
/*
 * Certificate extensions.
 *
 * Indexed by extension id.  .oid is the object identifier (the *_OID macros
 * presumably come from dualroot_oid.h), .sn/.ln are the short and long names
 * the extension is registered under, .asn1_type the ASN.1 encoding of its
 * value and .type one of:
 *   - EXT_TYPE_NVCOUNTER: an integer non-volatile counter value;
 *     .attr.nvctr_type selects the trusted or the non-trusted counter.
 *   - EXT_TYPE_HASH: the hash of the image or config file given through the
 *     .opt command-line option.
 *   - EXT_TYPE_PKEY: a public key.  These entries have no .opt; the key is
 *     taken from .attr.key, an id into cot_keys.
 * .optional = 1 marks values the caller need not supply.  The primary image
 * hashes (tb-fw, scp-fw, soc-fw, tos-fw, nt-fw), both NV counters and the
 * public-key extensions are left mandatory; config, extra-image, SP package
 * and FWU hashes are optional.
 * NOTE(review): what the tool does when a mandatory value is missing is
 * decided by the option-parsing code, not by this table -- confirm there.
 */
static ext_t cot_ext[] = {
	/* Anti-rollback counter for the trusted-side certificates. */
	[TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = TRUSTED_FW_NVCOUNTER_OID,
		.opt = "tfw-nvctr",
		.help_msg = "Trusted Firmware Non-Volatile counter value",
		.sn = "TrustedWorldNVCounter",
		.ln = "Trusted World Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_TFW
	},

	/* Mandatory: no .optional, unlike the config hashes that follow. */
	[TRUSTED_BOOT_FW_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_HASH_OID,
		.opt = "tb-fw",
		.help_msg = "Trusted Boot Firmware image file",
		.sn = "TrustedBootFirmwareHash",
		.ln = "Trusted Boot Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
		.opt = "tb-fw-config",
		.help_msg = "Trusted Boot Firmware Config file",
		.sn = "TrustedBootFirmwareConfigHash",
		.ln = "Trusted Boot Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[HW_CONFIG_HASH_EXT] = {
		.oid = HW_CONFIG_HASH_OID,
		.opt = "hw-config",
		.help_msg = "HW Config file",
		.sn = "HWConfigHash",
		.ln = "HW Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[FW_CONFIG_HASH_EXT] = {
		.oid = FW_CONFIG_HASH_OID,
		.opt = "fw-config",
		.help_msg = "Firmware Config file",
		.sn = "FirmwareConfigHash",
		.ln = "Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Public key of TRUSTED_WORLD_KEY; carried by TRUSTED_KEY_CERT. */
	[TRUSTED_WORLD_PK_EXT] = {
		.oid = TRUSTED_WORLD_PK_OID,
		.sn = "TrustedWorldPublicKey",
		.ln = "Trusted World Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = TRUSTED_WORLD_KEY
	},

	/* Public key of the SCP content certificate key; carried by
	 * SCP_FW_KEY_CERT. */
	[SCP_FW_CONTENT_CERT_PK_EXT] = {
		.oid = SCP_FW_CONTENT_CERT_PK_OID,
		.sn = "SCPFirmwareContentCertPK",
		.ln = "SCP Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SCP_FW_CONTENT_CERT_KEY
	},

	[SCP_FW_HASH_EXT] = {
		.oid = SCP_FW_HASH_OID,
		.opt = "scp-fw",
		.help_msg = "SCP Firmware image file",
		.sn = "SCPFirmwareHash",
		.ln = "SCP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	/* Public key of the SoC content certificate key; carried by
	 * SOC_FW_KEY_CERT. */
	[SOC_FW_CONTENT_CERT_PK_EXT] = {
		.oid = SOC_FW_CONTENT_CERT_PK_OID,
		.sn = "SoCFirmwareContentCertPK",
		.ln = "SoC Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = SOC_FW_CONTENT_CERT_KEY
	},

	[SOC_AP_FW_HASH_EXT] = {
		.oid = SOC_AP_FW_HASH_OID,
		.opt = "soc-fw",
		.help_msg = "SoC AP Firmware image file",
		.sn = "SoCAPFirmwareHash",
		.ln = "SoC AP Firmware hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	/* NOTE(review): .sn spells "Soc" where the sibling names use "SoC".
	 * It is a registered name, so it is left untouched here. */
	[SOC_FW_CONFIG_HASH_EXT] = {
		.oid = SOC_FW_CONFIG_HASH_OID,
		.opt = "soc-fw-config",
		.help_msg = "SoC Firmware Config file",
		.sn = "SocFirmwareConfigHash",
		.ln = "SoC Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Public key of the Trusted OS content certificate key; carried by
	 * TRUSTED_OS_FW_KEY_CERT. */
	[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
		.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
		.sn = "TrustedOSFirmwareContentCertPK",
		.ln = "Trusted OS Firmware content certificate public key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
	},

	[TRUSTED_OS_FW_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_HASH_OID,
		.opt = "tos-fw",
		.help_msg = "Trusted OS image file",
		.sn = "TrustedOSHash",
		.ln = "Trusted OS hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	[TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
		.opt = "tos-fw-extra1",
		.help_msg = "Trusted OS Extra1 image file",
		.sn = "TrustedOSExtra1Hash",
		.ln = "Trusted OS Extra1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
		.opt = "tos-fw-extra2",
		.help_msg = "Trusted OS Extra2 image file",
		.sn = "TrustedOSExtra2Hash",
		.ln = "Trusted OS Extra2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
		.opt = "tos-fw-config",
		.help_msg = "Trusted OS Firmware Config file",
		.sn = "TrustedOSFirmwareConfigHash",
		.ln = "Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Secure Partition package hashes, all optional.  Packages 1-4 go into
	 * the SiP-owned SP certificate (Trusted World key), packages 5-8 into
	 * the platform-owned one (Platform Root of Trust key); see cot_certs. */
	[SP_PKG1_HASH_EXT] = {
		.oid = SP_PKG1_HASH_OID,
		.opt = "sp-pkg1",
		.help_msg = "Secure Partition Package1 file",
		.sn = "SPPkg1Hash",
		.ln = "SP Pkg1 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG2_HASH_EXT] = {
		.oid = SP_PKG2_HASH_OID,
		.opt = "sp-pkg2",
		.help_msg = "Secure Partition Package2 file",
		.sn = "SPPkg2Hash",
		.ln = "SP Pkg2 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG3_HASH_EXT] = {
		.oid = SP_PKG3_HASH_OID,
		.opt = "sp-pkg3",
		.help_msg = "Secure Partition Package3 file",
		.sn = "SPPkg3Hash",
		.ln = "SP Pkg3 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG4_HASH_EXT] = {
		.oid = SP_PKG4_HASH_OID,
		.opt = "sp-pkg4",
		.help_msg = "Secure Partition Package4 file",
		.sn = "SPPkg4Hash",
		.ln = "SP Pkg4 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG5_HASH_EXT] = {
		.oid = SP_PKG5_HASH_OID,
		.opt = "sp-pkg5",
		.help_msg = "Secure Partition Package5 file",
		.sn = "SPPkg5Hash",
		.ln = "SP Pkg5 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG6_HASH_EXT] = {
		.oid = SP_PKG6_HASH_OID,
		.opt = "sp-pkg6",
		.help_msg = "Secure Partition Package6 file",
		.sn = "SPPkg6Hash",
		.ln = "SP Pkg6 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG7_HASH_EXT] = {
		.oid = SP_PKG7_HASH_OID,
		.opt = "sp-pkg7",
		.help_msg = "Secure Partition Package7 file",
		.sn = "SPPkg7Hash",
		.ln = "SP Pkg7 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
	[SP_PKG8_HASH_EXT] = {
		.oid = SP_PKG8_HASH_OID,
		.opt = "sp-pkg8",
		.help_msg = "Secure Partition Package8 file",
		.sn = "SPPkg8Hash",
		.ln = "SP Pkg8 hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Firmware Update hashes, all optional; carried by FWU_CERT, which has
	 * no NV counter extension. */
	[SCP_FWU_CFG_HASH_EXT] = {
		.oid = SCP_FWU_CFG_HASH_OID,
		.opt = "scp-fwu-cfg",
		.help_msg = "SCP Firmware Update Config image file",
		.sn = "SCPFWUpdateConfig",
		.ln = "SCP Firmware Update Config hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[AP_FWU_CFG_HASH_EXT] = {
		.oid = AP_FWU_CFG_HASH_OID,
		.opt = "ap-fwu-cfg",
		.help_msg = "AP Firmware Update Config image file",
		.sn = "APFWUpdateConfig",
		.ln = "AP Firmware Update Config hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	[FWU_HASH_EXT] = {
		.oid = FWU_HASH_OID,
		.opt = "fwu",
		.help_msg = "Firmware Updater image file",
		.sn = "FWUpdaterHash",
		.ln = "Firmware Updater hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},

	/* Public key of PROT_KEY, the second root.  Embedded in both
	 * certificates that PROT_KEY signs (see cot_certs). */
	[PROT_PK_EXT] = {
		.oid = PROT_PK_OID,
		.sn = "PlatformRoTKey",
		.ln = "Platform Root of Trust Public Key",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_PKEY,
		.attr.key = PROT_KEY
	},

	/* Anti-rollback counter for the PROT_KEY-signed certificates. */
	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
		.opt = "ntfw-nvctr",
		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
		.sn = "NormalWorldNVCounter",
		.ln = "Non-Trusted Firmware Non-Volatile counter",
		.asn1_type = V_ASN1_INTEGER,
		.type = EXT_TYPE_NVCOUNTER,
		.attr.nvctr_type = NVCTR_TYPE_NTFW
	},

	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
		.opt = "nt-fw",
		.help_msg = "Non-Trusted World Bootloader image file",
		.sn = "NonTrustedWorldBootloaderHash",
		.ln = "Non-Trusted World hash (SHA256)",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH
	},

	/* NOTE(review): .help_msg/.sn say "Non Trusted OS" although the option
	 * is nt-fw-config and the extension sits in the Non-Trusted FW content
	 * certificate; wording only, left unchanged as .sn is a registered
	 * name. */
	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
		.opt = "nt-fw-config",
		.help_msg = "Non Trusted OS Firmware Config file",
		.sn = "NonTrustedOSFirmwareConfigHash",
		.ln = "Non-Trusted OS Firmware Config hash",
		.asn1_type = V_ASN1_OCTET_STRING,
		.type = EXT_TYPE_HASH,
		.optional = 1
	},
};

/* Register the extension table above with the generic cert_create machinery
 * (the macro is presumably provided by ext.h). */
REGISTER_EXTENSIONS(cot_ext);
536*91f16700Schasinglulu 
537*91f16700Schasinglulu 
/*
 * Keys used to establish the chain of trust.
 *
 * Indexed by key id.  .opt/.help_msg name the command-line option that
 * supplies the private key -- a key file or, per the help text, a PKCS11
 * URI -- and .desc is the human-readable name.
 *
 * ROT_KEY and PROT_KEY are the two roots of this dual-root CoT.  No
 * extension in cot_ext carries the ROT public key; the PRoT public key is
 * embedded via PROT_PK_EXT in the certificates PROT_KEY signs.  Every other
 * key is chained: TRUSTED_WORLD_KEY is published by TRUSTED_KEY_CERT
 * (ROT-signed) and each *_CONTENT_CERT_KEY by its key certificate
 * (Trusted-World-signed); see cot_certs and cot_ext.
 */
static key_t cot_keys[] = {
	/* Root of Trust: signs the Trusted Boot FW, Trusted Key and FWU
	 * certificates. */
	[ROT_KEY] = {
		.id = ROT_KEY,
		.opt = "rot-key",
		.help_msg = "Root Of Trust key file or PKCS11 URI",
		.desc = "Root Of Trust key"
	},

	/* Signs the SCP/SoC/Trusted OS key certificates and the SiP-owned SP
	 * certificate; its public key is TRUSTED_WORLD_PK_EXT. */
	[TRUSTED_WORLD_KEY] = {
		.id = TRUSTED_WORLD_KEY,
		.opt = "trusted-world-key",
		.help_msg = "Trusted World key file or PKCS11 URI",
		.desc = "Trusted World key"
	},

	/* Per-image content certificate keys; each is published by the
	 * matching *_FW_KEY_CERT and signs the matching *_FW_CONTENT_CERT. */
	[SCP_FW_CONTENT_CERT_KEY] = {
		.id = SCP_FW_CONTENT_CERT_KEY,
		.opt = "scp-fw-key",
		.help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI",
		.desc = "SCP Firmware Content Certificate key"
	},

	[SOC_FW_CONTENT_CERT_KEY] = {
		.id = SOC_FW_CONTENT_CERT_KEY,
		.opt = "soc-fw-key",
		.help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI",
		.desc = "SoC Firmware Content Certificate key"
	},

	[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.opt = "tos-fw-key",
		.help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI",
		.desc = "Trusted OS Firmware Content Certificate key"
	},

	/* Platform Root of Trust, the second root: signs the platform-owned SP
	 * certificate and the Non-Trusted FW content certificate; its public
	 * key is PROT_PK_EXT. */
	[PROT_KEY] = {
		.id = PROT_KEY,
		.opt = "prot-key",
		.help_msg = "Platform Root of Trust key file or PKCS11 URI",
		.desc = "Platform Root of Trust key"
	},
};

/* Register the key table above with the generic cert_create machinery (the
 * macro is presumably provided by key.h). */
REGISTER_KEYS(cot_keys);