1 /*
2  * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include "tbbr/tbb_cert.h"
8 #include "tbbr/tbb_ext.h"
9 #include "tbbr/tbb_key.h"
10 
11 /*
12  * Certificates used in the chain of trust
13  *
14  * The order of the certificates must follow the enumeration specified in
15  * tbb_cert.h. All certificates are self-signed, so the issuer certificate
16  * field points to itself.
17  */
static cert_t tbb_certs[] = {
	/*
	 * Every entry is placed at the index of its own id, so table position
	 * and the enumeration in tbb_cert.h stay in step. In each entry:
	 *  - .key is the key (see tbb_key.h) this certificate is signed with;
	 *  - .issuer equals .id, i.e. the certificate is self-signed;
	 *  - .ext lists the extensions (see tbb_ext.h) the certificate carries;
	 *  - .num_ext is a hand-maintained count and MUST equal the number of
	 *    initialisers in .ext. Recount it whenever an extension is added
	 *    or removed; the compiler will not catch a mismatch.
	 *  - .fn is NULL here; presumably filled in from the command-line
	 *    option named by .opt (the parsing is not in this file).
	 * The *_NVCOUNTER_EXT entries are, by name, non-volatile counter
	 * extensions -- presumably the anti-rollback values -- and the
	 * *_PK_EXT entries, by name, carry the public key that the next
	 * certificate down the chain is verified against.
	 */

	/* Root of the boot chain: signed with the ROT key. */
	[TRUSTED_BOOT_FW_CERT] = {
		.id = TRUSTED_BOOT_FW_CERT,
		.opt = "tb-fw-cert",
		.help_msg = "Trusted Boot FW Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted Boot FW Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_BOOT_FW_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_BOOT_FW_HASH_EXT
		},
		.num_ext = 2
	},
	/*
	 * Signed with the ROT key; publishes both the trusted-world and the
	 * non-trusted-world public keys that anchor the two sub-chains below.
	 */
	[TRUSTED_KEY_CERT] = {
		.id = TRUSTED_KEY_CERT,
		.opt = "trusted-key-cert",
		.help_msg = "Trusted Key Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted Key Certificate",
		.key = ROT_KEY,
		.issuer = TRUSTED_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_WORLD_PK_EXT,
			NON_TRUSTED_WORLD_PK_EXT
		},
		.num_ext = 3
	},
	/*
	 * Trusted-world key/content certificate pairs. Each key certificate
	 * is signed with TRUSTED_WORLD_KEY and publishes the public key of
	 * the matching content certificate; each content certificate is
	 * signed with its own *_CONTENT_CERT_KEY and carries image hashes.
	 */
	[SCP_FW_KEY_CERT] = {
		.id = SCP_FW_KEY_CERT,
		.opt = "scp-fw-key-cert",
		.help_msg = "SCP Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "SCP Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SCP_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[SCP_FW_CONTENT_CERT] = {
		.id = SCP_FW_CONTENT_CERT,
		.opt = "scp-fw-cert",
		.help_msg = "SCP Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "SCP Firmware Content Certificate",
		.key = SCP_FW_CONTENT_CERT_KEY,
		.issuer = SCP_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SCP_FW_HASH_EXT
		},
		.num_ext = 2
	},
	[SOC_FW_KEY_CERT] = {
		.id = SOC_FW_KEY_CERT,
		.opt = "soc-fw-key-cert",
		.help_msg = "SoC Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "SoC Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = SOC_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[SOC_FW_CONTENT_CERT] = {
		.id = SOC_FW_CONTENT_CERT,
		.opt = "soc-fw-cert",
		.help_msg = "SoC Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "SoC Firmware Content Certificate",
		.key = SOC_FW_CONTENT_CERT_KEY,
		.issuer = SOC_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			SOC_AP_FW_HASH_EXT
		},
		.num_ext = 2
	},
	[TRUSTED_OS_FW_KEY_CERT] = {
		.id = TRUSTED_OS_FW_KEY_CERT,
		.opt = "tos-fw-key-cert",
		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted OS Firmware Key Certificate",
		.key = TRUSTED_WORLD_KEY,
		.issuer = TRUSTED_OS_FW_KEY_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	/* Only content certificate with more than one image hash (4 exts). */
	[TRUSTED_OS_FW_CONTENT_CERT] = {
		.id = TRUSTED_OS_FW_CONTENT_CERT,
		.opt = "tos-fw-cert",
		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "Trusted OS Firmware Content Certificate",
		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
		.ext = {
			TRUSTED_FW_NVCOUNTER_EXT,
			TRUSTED_OS_FW_HASH_EXT,
			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
			TRUSTED_OS_FW_EXTRA2_HASH_EXT
		},
		.num_ext = 4
	},
	/*
	 * Non-trusted-world pair: same key/content structure as above, but
	 * rooted in NON_TRUSTED_WORLD_KEY and carrying the separate
	 * NON_TRUSTED_FW_NVCOUNTER_EXT rather than the trusted FW counter.
	 */
	[NON_TRUSTED_FW_KEY_CERT] = {
		.id = NON_TRUSTED_FW_KEY_CERT,
		.opt = "nt-fw-key-cert",
		.help_msg = "Non-Trusted Firmware Key Certificate (output file)",
		.fn = NULL,
		.cn = "Non-Trusted Firmware Key Certificate",
		.key = NON_TRUSTED_WORLD_KEY,
		.issuer = NON_TRUSTED_FW_KEY_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_FW_CONTENT_CERT_PK_EXT
		},
		.num_ext = 2
	},
	[NON_TRUSTED_FW_CONTENT_CERT] = {
		.id = NON_TRUSTED_FW_CONTENT_CERT,
		.opt = "nt-fw-cert",
		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
		.fn = NULL,
		.cn = "Non-Trusted Firmware Content Certificate",
		.key = NON_TRUSTED_FW_CONTENT_CERT_KEY,
		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
		.ext = {
			NON_TRUSTED_FW_NVCOUNTER_EXT,
			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT
		},
		.num_ext = 2
	},
	/*
	 * Firmware update certificate: signed directly with the ROT key.
	 * NOTE(review): unlike every other entry it lists no *_NVCOUNTER_EXT,
	 * so whatever rollback protection the counters provide does not come
	 * from this certificate -- confirm that is intended for the FWU path.
	 */
	[FWU_CERT] = {
		.id = FWU_CERT,
		.opt = "fwu-cert",
		.help_msg = "Firmware Update Certificate (output file)",
		.fn = NULL,
		.cn = "Firmware Update Certificate",
		.key = ROT_KEY,
		.issuer = FWU_CERT,
		.ext = {
			SCP_FWU_CFG_HASH_EXT,
			AP_FWU_CFG_HASH_EXT,
			FWU_HASH_EXT
		},
		.num_ext = 3
	}
};
178 
/*
 * Publish this table as the tool's chain of trust. REGISTER_COT is
 * defined in tbb_cert.h (not visible here); presumably it records the
 * array and its element count so the generic cert_create code can walk
 * the certificates without knowing their number in advance.
 */
REGISTER_COT(tbb_certs);
180