Diffstat (limited to 'tools')
-rw-r--r--tools/cert_create/Makefile8
-rw-r--r--tools/cert_create/include/cert.h2
-rw-r--r--tools/cert_create/include/dualroot/cot.h81
-rw-r--r--tools/cert_create/include/tbbr/tbb_cert.h1
-rw-r--r--tools/cert_create/include/tbbr/tbb_ext.h11
-rw-r--r--tools/cert_create/src/dualroot/cot.c583
-rw-r--r--tools/cert_create/src/dualroot/cot.mk10
-rw-r--r--tools/cert_create/src/ext.c37
-rw-r--r--tools/cert_create/src/main.c57
-rw-r--r--tools/cert_create/src/tbbr/tbb_cert.c28
-rw-r--r--tools/cert_create/src/tbbr/tbb_ext.c92
-rw-r--r--tools/encrypt_fw/Makefile65
-rw-r--r--tools/encrypt_fw/include/cmd_opt.h32
-rw-r--r--tools/encrypt_fw/include/debug.h59
-rw-r--r--tools/encrypt_fw/include/encrypt.h19
-rw-r--r--tools/encrypt_fw/src/cmd_opt.c59
-rw-r--r--tools/encrypt_fw/src/encrypt.c167
-rw-r--r--tools/encrypt_fw/src/main.c224
-rw-r--r--tools/fiptool/Makefile5
-rw-r--r--tools/fiptool/Makefile.msvc67
-rw-r--r--tools/fiptool/fiptool.c74
-rw-r--r--tools/fiptool/fiptool.h2
-rw-r--r--tools/fiptool/tbbr_config.c17
-rw-r--r--tools/fiptool/win_posix.c91
-rw-r--r--tools/fiptool/win_posix.h8
-rw-r--r--tools/marvell/doimage/doimage.c40
-rwxr-xr-xtools/memory/print_memory_map.py31
-rw-r--r--tools/renesas/rzg_layout_create/makefile118
-rw-r--r--tools/renesas/rzg_layout_create/sa0.c30
-rw-r--r--tools/renesas/rzg_layout_create/sa0.ld.S28
-rw-r--r--tools/renesas/rzg_layout_create/sa6.c236
-rw-r--r--tools/renesas/rzg_layout_create/sa6.ld.S114
-rw-r--r--tools/sptool/Makefile5
-rwxr-xr-xtools/sptool/sp_mk_generator.py137
-rw-r--r--tools/sptool/sptool.c292
35 files changed, 2523 insertions, 307 deletions
diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile
index eff929ef0..c3c8bcf5e 100644
--- a/tools/cert_create/Makefile
+++ b/tools/cert_create/Makefile
@@ -4,11 +4,11 @@
# SPDX-License-Identifier: BSD-3-Clause
#
-PROJECT := cert_create
PLAT := none
V ?= 0
DEBUG := 0
-BINARY := ${PROJECT}${BIN_EXT}
+CRTTOOL ?= cert_create${BIN_EXT}
+BINARY := $(notdir ${CRTTOOL})
OPENSSL_DIR := /usr
COT := tbbr
@@ -27,6 +27,8 @@ OBJECTS := src/cert.o \
# Chain of trust.
ifeq (${COT},tbbr)
include src/tbbr/tbbr.mk
+else ifeq (${COT},dualroot)
+ include src/dualroot/cot.mk
else
$(error Unknown chain of trust ${COT})
endif
@@ -57,7 +59,7 @@ HOSTCC ?= gcc
.PHONY: all clean realclean
-all: clean ${BINARY}
+all: ${BINARY}
${BINARY}: ${OBJECTS} Makefile
@echo " HOSTLD $@"
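Review bot: Dropping `clean` from the `all` prerequisites means objects left over from a build with a different `COT` value are reused, because `${BINARY}` depends only on `${OBJECTS}` and `Makefile`. If shared objects such as `src/main.o` pick up chain-of-trust specific headers (not visible in this hunk), switching between `COT=tbbr` and `COT=dualroot` without a manual `make clean` could link a tool built against the wrong set of OIDs. A comment above the rule, e.g. `# Run 'make clean' when changing COT; objects are not rebuilt automatically.`, or a stamp file recording the COT value that the objects depend on, would make this explicit. The rule body continues outside the hunk.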
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 6db9b579d..daf27a78a 100644
--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@@ -12,7 +12,7 @@
#include "ext.h"
#include "key.h"
-#define CERT_MAX_EXT 5
+#define CERT_MAX_EXT 9
/*
* This structure contains information related to the generation of the
diff --git a/tools/cert_create/include/dualroot/cot.h b/tools/cert_create/include/dualroot/cot.h
new file mode 100644
index 000000000..3e50c8986
--- /dev/null
+++ b/tools/cert_create/include/dualroot/cot.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2020, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef DUALROOT_COT_H
+#define DUALROOT_COT_H
+
+/* Certificates. */
+enum {
+ /* Certificates owned by the silicon provider. */
+ TRUSTED_BOOT_FW_CERT,
+ TRUSTED_KEY_CERT,
+ SCP_FW_KEY_CERT,
+ SCP_FW_CONTENT_CERT,
+ SOC_FW_KEY_CERT,
+ SOC_FW_CONTENT_CERT,
+ TRUSTED_OS_FW_KEY_CERT,
+ TRUSTED_OS_FW_CONTENT_CERT,
+ SIP_SECURE_PARTITION_CONTENT_CERT,
+ FWU_CERT,
+
+ /* Certificates owned by the platform owner. */
+ NON_TRUSTED_FW_CONTENT_CERT,
+ PLAT_SECURE_PARTITION_CONTENT_CERT,
+};
+
+/* Certificate extensions. */
+enum {
+ /* Extensions used in certificates owned by the silicon provider. */
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_BOOT_FW_HASH_EXT,
+ TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+ HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT,
+ TRUSTED_WORLD_PK_EXT,
+ SCP_FW_CONTENT_CERT_PK_EXT,
+ SCP_FW_HASH_EXT,
+ SOC_FW_CONTENT_CERT_PK_EXT,
+ SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
+ TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
+ TRUSTED_OS_FW_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA1_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
+ SCP_FWU_CFG_HASH_EXT,
+ AP_FWU_CFG_HASH_EXT,
+ FWU_HASH_EXT,
+
+ /* Extensions used in certificates owned by the platform owner. */
+ PROT_PK_EXT,
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
+ NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
+ NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
+};
+
+/* Keys. */
+enum {
+ /* Keys owned by the silicon provider. */
+ ROT_KEY,
+ TRUSTED_WORLD_KEY,
+ SCP_FW_CONTENT_CERT_KEY,
+ SOC_FW_CONTENT_CERT_KEY,
+ TRUSTED_OS_FW_CONTENT_CERT_KEY,
+
+ /* Keys owned by the platform owner. */
+ PROT_KEY,
+};
+
+#endif /* DUALROOT_COT_H */
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
index 628ef3a42..e5fa3a238 100644
--- a/tools/cert_create/include/tbbr/tbb_cert.h
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -23,6 +23,7 @@ enum {
TRUSTED_OS_FW_CONTENT_CERT,
NON_TRUSTED_FW_KEY_CERT,
NON_TRUSTED_FW_CONTENT_CERT,
+ SIP_SECURE_PARTITION_CONTENT_CERT,
FWU_CERT
};
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
index 462aafcfa..692b2d4d3 100644
--- a/tools/cert_create/include/tbbr/tbb_ext.h
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -15,6 +15,7 @@ enum {
TRUSTED_BOOT_FW_HASH_EXT,
TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT,
TRUSTED_WORLD_PK_EXT,
NON_TRUSTED_WORLD_PK_EXT,
SCP_FW_CONTENT_CERT_PK_EXT,
@@ -30,6 +31,14 @@ enum {
NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
NON_TRUSTED_FW_CONFIG_HASH_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
SCP_FWU_CFG_HASH_EXT,
AP_FWU_CFG_HASH_EXT,
FWU_HASH_EXT
diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
new file mode 100644
index 000000000..4dd4cf033
--- /dev/null
+++ b/tools/cert_create/src/dualroot/cot.c
@@ -0,0 +1,583 @@
+/*
+ * Copyright (c) 2020, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <dualroot_oid.h>
+
+#include "cert.h"
+#include "ext.h"
+#include "key.h"
+
+#include "dualroot/cot.h"
+
+/*
+ * Certificates used in the chain of trust.
+ *
+ * All certificates are self-signed so the issuer certificate field points to
+ * itself.
+ */
+static cert_t cot_certs[] = {
+ [TRUSTED_BOOT_FW_CERT] = {
+ .id = TRUSTED_BOOT_FW_CERT,
+ .opt = "tb-fw-cert",
+ .help_msg = "Trusted Boot FW Certificate (output file)",
+ .cn = "Trusted Boot FW Certificate",
+ .key = ROT_KEY,
+ .issuer = TRUSTED_BOOT_FW_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_BOOT_FW_HASH_EXT,
+ TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+ HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT
+ },
+ .num_ext = 5
+ },
+
+ [TRUSTED_KEY_CERT] = {
+ .id = TRUSTED_KEY_CERT,
+ .opt = "trusted-key-cert",
+ .help_msg = "Trusted Key Certificate (output file)",
+ .cn = "Trusted Key Certificate",
+ .key = ROT_KEY,
+ .issuer = TRUSTED_KEY_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_WORLD_PK_EXT,
+ },
+ .num_ext = 2
+ },
+
+ [SCP_FW_KEY_CERT] = {
+ .id = SCP_FW_KEY_CERT,
+ .opt = "scp-fw-key-cert",
+ .help_msg = "SCP Firmware Key Certificate (output file)",
+ .cn = "SCP Firmware Key Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = SCP_FW_KEY_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ SCP_FW_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 2
+ },
+
+ [SCP_FW_CONTENT_CERT] = {
+ .id = SCP_FW_CONTENT_CERT,
+ .opt = "scp-fw-cert",
+ .help_msg = "SCP Firmware Content Certificate (output file)",
+ .cn = "SCP Firmware Content Certificate",
+ .key = SCP_FW_CONTENT_CERT_KEY,
+ .issuer = SCP_FW_CONTENT_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ SCP_FW_HASH_EXT
+ },
+ .num_ext = 2
+ },
+
+ [SOC_FW_KEY_CERT] = {
+ .id = SOC_FW_KEY_CERT,
+ .opt = "soc-fw-key-cert",
+ .help_msg = "SoC Firmware Key Certificate (output file)",
+ .cn = "SoC Firmware Key Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = SOC_FW_KEY_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ SOC_FW_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 2
+ },
+
+ [SOC_FW_CONTENT_CERT] = {
+ .id = SOC_FW_CONTENT_CERT,
+ .opt = "soc-fw-cert",
+ .help_msg = "SoC Firmware Content Certificate (output file)",
+ .cn = "SoC Firmware Content Certificate",
+ .key = SOC_FW_CONTENT_CERT_KEY,
+ .issuer = SOC_FW_CONTENT_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
+ },
+ .num_ext = 3
+ },
+
+ [TRUSTED_OS_FW_KEY_CERT] = {
+ .id = TRUSTED_OS_FW_KEY_CERT,
+ .opt = "tos-fw-key-cert",
+ .help_msg = "Trusted OS Firmware Key Certificate (output file)",
+ .cn = "Trusted OS Firmware Key Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = TRUSTED_OS_FW_KEY_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
+ },
+ .num_ext = 2
+ },
+
+ [TRUSTED_OS_FW_CONTENT_CERT] = {
+ .id = TRUSTED_OS_FW_CONTENT_CERT,
+ .opt = "tos-fw-cert",
+ .help_msg = "Trusted OS Firmware Content Certificate (output file)",
+ .cn = "Trusted OS Firmware Content Certificate",
+ .key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
+ .issuer = TRUSTED_OS_FW_CONTENT_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_OS_FW_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA1_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
+ },
+ .num_ext = 5
+ },
+
+ [SIP_SECURE_PARTITION_CONTENT_CERT] = {
+ .id = SIP_SECURE_PARTITION_CONTENT_CERT,
+ .opt = "sip-sp-cert",
+ .help_msg = "SiP owned Secure Partition Content Certificate (output file)",
+ .fn = NULL,
+ .cn = "SiP owned Secure Partition Content Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+ },
+ .num_ext = 5
+ },
+
+ [PLAT_SECURE_PARTITION_CONTENT_CERT] = {
+ .id = PLAT_SECURE_PARTITION_CONTENT_CERT,
+ .opt = "plat-sp-cert",
+ .help_msg = "Platform owned Secure Partition Content Certificate (output file)",
+ .fn = NULL,
+ .cn = "Platform owned Secure Partition Content Certificate",
+ .key = PROT_KEY,
+ .issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
+ .ext = {
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
+ PROT_PK_EXT,
+ },
+ .num_ext = 6
+ },
+
+ [FWU_CERT] = {
+ .id = FWU_CERT,
+ .opt = "fwu-cert",
+ .help_msg = "Firmware Update Certificate (output file)",
+ .cn = "Firmware Update Certificate",
+ .key = ROT_KEY,
+ .issuer = FWU_CERT,
+ .ext = {
+ SCP_FWU_CFG_HASH_EXT,
+ AP_FWU_CFG_HASH_EXT,
+ FWU_HASH_EXT
+ },
+ .num_ext = 3
+ },
+
+ [NON_TRUSTED_FW_CONTENT_CERT] = {
+ .id = NON_TRUSTED_FW_CONTENT_CERT,
+ .opt = "nt-fw-cert",
+ .help_msg = "Non-Trusted Firmware Content Certificate (output file)",
+ .cn = "Non-Trusted Firmware Content Certificate",
+ .key = PROT_KEY,
+ .issuer = NON_TRUSTED_FW_CONTENT_CERT,
+ .ext = {
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
+ NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
+ PROT_PK_EXT,
+ },
+ .num_ext = 4
+ },
+};
+
+REGISTER_COT(cot_certs);
+
+
+/* Certificate extensions. */
+static ext_t cot_ext[] = {
+ [TRUSTED_FW_NVCOUNTER_EXT] = {
+ .oid = TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "tfw-nvctr",
+ .help_msg = "Trusted Firmware Non-Volatile counter value",
+ .sn = "TrustedWorldNVCounter",
+ .ln = "Trusted World Non-Volatile counter",
+ .asn1_type = V_ASN1_INTEGER,
+ .type = EXT_TYPE_NVCOUNTER,
+ .attr.nvctr_type = NVCTR_TYPE_TFW
+ },
+
+ [TRUSTED_BOOT_FW_HASH_EXT] = {
+ .oid = TRUSTED_BOOT_FW_HASH_OID,
+ .opt = "tb-fw",
+ .help_msg = "Trusted Boot Firmware image file",
+ .sn = "TrustedBootFirmwareHash",
+ .ln = "Trusted Boot Firmware hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+
+ [TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
+ .oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
+ .opt = "tb-fw-config",
+ .help_msg = "Trusted Boot Firmware Config file",
+ .sn = "TrustedBootFirmwareConfigHash",
+ .ln = "Trusted Boot Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [HW_CONFIG_HASH_EXT] = {
+ .oid = HW_CONFIG_HASH_OID,
+ .opt = "hw-config",
+ .help_msg = "HW Config file",
+ .sn = "HWConfigHash",
+ .ln = "HW Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [FW_CONFIG_HASH_EXT] = {
+ .oid = FW_CONFIG_HASH_OID,
+ .opt = "fw-config",
+ .help_msg = "Firmware Config file",
+ .sn = "FirmwareConfigHash",
+ .ln = "Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [TRUSTED_WORLD_PK_EXT] = {
+ .oid = TRUSTED_WORLD_PK_OID,
+ .sn = "TrustedWorldPublicKey",
+ .ln = "Trusted World Public Key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = TRUSTED_WORLD_KEY
+ },
+
+ [SCP_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = SCP_FW_CONTENT_CERT_PK_OID,
+ .sn = "SCPFirmwareContentCertPK",
+ .ln = "SCP Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = SCP_FW_CONTENT_CERT_KEY
+ },
+
+ [SCP_FW_HASH_EXT] = {
+ .oid = SCP_FW_HASH_OID,
+ .opt = "scp-fw",
+ .help_msg = "SCP Firmware image file",
+ .sn = "SCPFirmwareHash",
+ .ln = "SCP Firmware hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+
+ [SOC_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = SOC_FW_CONTENT_CERT_PK_OID,
+ .sn = "SoCFirmwareContentCertPK",
+ .ln = "SoC Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = SOC_FW_CONTENT_CERT_KEY
+ },
+
+ [SOC_AP_FW_HASH_EXT] = {
+ .oid = SOC_AP_FW_HASH_OID,
+ .opt = "soc-fw",
+ .help_msg = "SoC AP Firmware image file",
+ .sn = "SoCAPFirmwareHash",
+ .ln = "SoC AP Firmware hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+
+ [SOC_FW_CONFIG_HASH_EXT] = {
+ .oid = SOC_FW_CONFIG_HASH_OID,
+ .opt = "soc-fw-config",
+ .help_msg = "SoC Firmware Config file",
+ .sn = "SocFirmwareConfigHash",
+ .ln = "SoC Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
+ .oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
+ .sn = "TrustedOSFirmwareContentCertPK",
+ .ln = "Trusted OS Firmware content certificate public key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
+ },
+
+ [TRUSTED_OS_FW_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_HASH_OID,
+ .opt = "tos-fw",
+ .help_msg = "Trusted OS image file",
+ .sn = "TrustedOSHash",
+ .ln = "Trusted OS hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+
+ [TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
+ .opt = "tos-fw-extra1",
+ .help_msg = "Trusted OS Extra1 image file",
+ .sn = "TrustedOSExtra1Hash",
+ .ln = "Trusted OS Extra1 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
+ .opt = "tos-fw-extra2",
+ .help_msg = "Trusted OS Extra2 image file",
+ .sn = "TrustedOSExtra2Hash",
+ .ln = "Trusted OS Extra2 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
+ .oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
+ .opt = "tos-fw-config",
+ .help_msg = "Trusted OS Firmware Config file",
+ .sn = "TrustedOSFirmwareConfigHash",
+ .ln = "Trusted OS Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [SP_PKG1_HASH_EXT] = {
+ .oid = SP_PKG1_HASH_OID,
+ .opt = "sp-pkg1",
+ .help_msg = "Secure Partition Package1 file",
+ .sn = "SPPkg1Hash",
+ .ln = "SP Pkg1 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG2_HASH_EXT] = {
+ .oid = SP_PKG2_HASH_OID,
+ .opt = "sp-pkg2",
+ .help_msg = "Secure Partition Package2 file",
+ .sn = "SPPkg2Hash",
+ .ln = "SP Pkg2 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG3_HASH_EXT] = {
+ .oid = SP_PKG3_HASH_OID,
+ .opt = "sp-pkg3",
+ .help_msg = "Secure Partition Package3 file",
+ .sn = "SPPkg3Hash",
+ .ln = "SP Pkg3 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG4_HASH_EXT] = {
+ .oid = SP_PKG4_HASH_OID,
+ .opt = "sp-pkg4",
+ .help_msg = "Secure Partition Package4 file",
+ .sn = "SPPkg4Hash",
+ .ln = "SP Pkg4 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG5_HASH_EXT] = {
+ .oid = SP_PKG5_HASH_OID,
+ .opt = "sp-pkg5",
+ .help_msg = "Secure Partition Package5 file",
+ .sn = "SPPkg5Hash",
+ .ln = "SP Pkg5 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG6_HASH_EXT] = {
+ .oid = SP_PKG6_HASH_OID,
+ .opt = "sp-pkg6",
+ .help_msg = "Secure Partition Package6 file",
+ .sn = "SPPkg6Hash",
+ .ln = "SP Pkg6 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG7_HASH_EXT] = {
+ .oid = SP_PKG7_HASH_OID,
+ .opt = "sp-pkg7",
+ .help_msg = "Secure Partition Package7 file",
+ .sn = "SPPkg7Hash",
+ .ln = "SP Pkg7 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG8_HASH_EXT] = {
+ .oid = SP_PKG8_HASH_OID,
+ .opt = "sp-pkg8",
+ .help_msg = "Secure Partition Package8 file",
+ .sn = "SPPkg8Hash",
+ .ln = "SP Pkg8 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [SCP_FWU_CFG_HASH_EXT] = {
+ .oid = SCP_FWU_CFG_HASH_OID,
+ .opt = "scp-fwu-cfg",
+ .help_msg = "SCP Firmware Update Config image file",
+ .sn = "SCPFWUpdateConfig",
+ .ln = "SCP Firmware Update Config hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [AP_FWU_CFG_HASH_EXT] = {
+ .oid = AP_FWU_CFG_HASH_OID,
+ .opt = "ap-fwu-cfg",
+ .help_msg = "AP Firmware Update Config image file",
+ .sn = "APFWUpdateConfig",
+ .ln = "AP Firmware Update Config hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [FWU_HASH_EXT] = {
+ .oid = FWU_HASH_OID,
+ .opt = "fwu",
+ .help_msg = "Firmware Updater image file",
+ .sn = "FWUpdaterHash",
+ .ln = "Firmware Updater hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+
+ [PROT_PK_EXT] = {
+ .oid = PROT_PK_OID,
+ .sn = "PlatformRoTKey",
+ .ln = "Platform Root of Trust Public Key",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_PKEY,
+ .attr.key = PROT_KEY
+ },
+
+ [NON_TRUSTED_FW_NVCOUNTER_EXT] = {
+ .oid = NON_TRUSTED_FW_NVCOUNTER_OID,
+ .opt = "ntfw-nvctr",
+ .help_msg = "Non-Trusted Firmware Non-Volatile counter value",
+ .sn = "NormalWorldNVCounter",
+ .ln = "Non-Trusted Firmware Non-Volatile counter",
+ .asn1_type = V_ASN1_INTEGER,
+ .type = EXT_TYPE_NVCOUNTER,
+ .attr.nvctr_type = NVCTR_TYPE_NTFW
+ },
+
+ [NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
+ .oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
+ .opt = "nt-fw",
+ .help_msg = "Non-Trusted World Bootloader image file",
+ .sn = "NonTrustedWorldBootloaderHash",
+ .ln = "Non-Trusted World hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH
+ },
+
+ [NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
+ .oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
+ .opt = "nt-fw-config",
+ .help_msg = "Non Trusted OS Firmware Config file",
+ .sn = "NonTrustedOSFirmwareConfigHash",
+ .ln = "Non-Trusted OS Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+};
+
+REGISTER_EXTENSIONS(cot_ext);
+
+
+/* Keys used to establish the chain of trust. */
+static key_t cot_keys[] = {
+ [ROT_KEY] = {
+ .id = ROT_KEY,
+ .opt = "rot-key",
+ .help_msg = "Root Of Trust key (input/output file)",
+ .desc = "Root Of Trust key"
+ },
+
+ [TRUSTED_WORLD_KEY] = {
+ .id = TRUSTED_WORLD_KEY,
+ .opt = "trusted-world-key",
+ .help_msg = "Trusted World key (input/output file)",
+ .desc = "Trusted World key"
+ },
+
+ [SCP_FW_CONTENT_CERT_KEY] = {
+ .id = SCP_FW_CONTENT_CERT_KEY,
+ .opt = "scp-fw-key",
+ .help_msg = "SCP Firmware Content Certificate key (input/output file)",
+ .desc = "SCP Firmware Content Certificate key"
+ },
+
+ [SOC_FW_CONTENT_CERT_KEY] = {
+ .id = SOC_FW_CONTENT_CERT_KEY,
+ .opt = "soc-fw-key",
+ .help_msg = "SoC Firmware Content Certificate key (input/output file)",
+ .desc = "SoC Firmware Content Certificate key"
+ },
+
+ [TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
+ .id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
+ .opt = "tos-fw-key",
+ .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+ .desc = "Trusted OS Firmware Content Certificate key"
+ },
+
+ [PROT_KEY] = {
+ .id = PROT_KEY,
+ .opt = "prot-key",
+ .help_msg = "Platform Root of Trust key",
+ .desc = "Platform Root of Trust key"
+ },
+};
+
+REGISTER_KEYS(cot_keys);
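Review bot: Each `.num_ext` in `cot_certs` is a hand-counted literal that has to match the number of entries in the `.ext` list above it, and nothing checks that it does. If a count is ever lower than its list, the trailing extensions would presumably be left out of the signed certificate without any error (the loop that consumes `num_ext` is in main.c, outside this hunk), which for a hash extension means an image is no longer covered by the chain of trust. A comment on the table such as `/* .num_ext must equal the number of .ext entries and must not exceed CERT_MAX_EXT */` would help; the same applies to the `SIP_SECURE_PARTITION_CONTENT_CERT` entry added in tbb_cert.c, whose nine entries sit exactly at the new `CERT_MAX_EXT`. Separately, the `prot-key` help text omits the "(input/output file)" suffix that every other key in `cot_keys` carries.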
diff --git a/tools/cert_create/src/dualroot/cot.mk b/tools/cert_create/src/dualroot/cot.mk
new file mode 100644
index 000000000..a572484d7
--- /dev/null
+++ b/tools/cert_create/src/dualroot/cot.mk
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+PLAT_MSG := Dual root of trust
+PLAT_INCLUDE := ../../include/tools_share
+
+OBJECTS += src/dualroot/cot.o
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index d9a92bb10..65dd3e583 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -158,51 +158,36 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len)
{
X509_EXTENSION *ex;
- ASN1_OCTET_STRING *octet;
HASH *hash;
ASN1_OBJECT *algorithm;
- X509_ALGOR *x509_algor;
unsigned char *p = NULL;
int sz;
+ /* HASH structure containing algorithm + hash */
+ hash = HASH_new();
+ if (hash == NULL) {
+ return NULL;
+ }
+
/* OBJECT_IDENTIFIER with hash algorithm */
algorithm = OBJ_nid2obj(EVP_MD_type(md));
if (algorithm == NULL) {
+ HASH_free(hash);
return NULL;
}
/* Create X509_ALGOR */
- x509_algor = X509_ALGOR_new();
- if (x509_algor == NULL) {
- return NULL;
- }
- x509_algor->algorithm = algorithm;
- x509_algor->parameter = ASN1_TYPE_new();
- ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL);
+ hash->hashAlgorithm->algorithm = algorithm;
+ hash->hashAlgorithm->parameter = ASN1_TYPE_new();
+ ASN1_TYPE_set(hash->hashAlgorithm->parameter, V_ASN1_NULL, NULL);
/* OCTET_STRING with the actual hash */
- octet = ASN1_OCTET_STRING_new();
- if (octet == NULL) {
- X509_ALGOR_free(x509_algor);
- return NULL;
- }
- ASN1_OCTET_STRING_set(octet, buf, len);
-
- /* HASH structure containing algorithm + hash */
- hash = HASH_new();
- if (hash == NULL) {
- ASN1_OCTET_STRING_free(octet);
- X509_ALGOR_free(x509_algor);
- return NULL;
- }
- hash->hashAlgorithm = x509_algor;
- hash->dataHash = octet;
+ ASN1_OCTET_STRING_set(hash->dataHash, buf, len);
/* DER encoded HASH */
sz = i2d_HASH(hash, &p);
if ((sz <= 0) || (p == NULL)) {
HASH_free(hash);
- X509_ALGOR_free(x509_algor);
return NULL;
}
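Review bot: In the new `ext_new_hash` body the result of `ASN1_TYPE_new()` is passed straight to `ASN1_TYPE_set()`, and the return value of `ASN1_OCTET_STRING_set()` is ignored. An allocation failure in the first would hand a NULL pointer to `ASN1_TYPE_set()`, and a failure in the second would leave `dataHash` without the digest, so the tool could go on to encode a hash extension that does not contain the image hash. Both calls should be checked and the `HASH` freed on failure, as the hunk already does for `OBJ_nid2obj()`. The function starts at the hunk header and continues past the last line shown.

```c
	hash->hashAlgorithm->parameter = ASN1_TYPE_new();
	if (hash->hashAlgorithm->parameter == NULL) {
		HASH_free(hash);
		return NULL;
	}
	/* … unchanged: ASN1_TYPE_set(..., V_ASN1_NULL, NULL) … */

	/* OCTET_STRING with the actual hash */
	if (ASN1_OCTET_STRING_set(hash->dataHash, buf, len) == 0) {
		HASH_free(hash);
		return NULL;
	}
	/* … unchanged: DER encoding of the HASH … */
```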
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 2ba110132..b39378ca9 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -473,6 +473,11 @@ int main(int argc, char *argv[])
cert = &certs[i];
+ if (cert->fn == NULL) {
+ /* Certificate not requested. Skip to the next one */
+ continue;
+ }
+
/* Create a new stack of extensions. This stack will be used
* to create the certificate */
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
@@ -492,7 +497,12 @@ int main(int argc, char *argv[])
*/
switch (ext->type) {
case EXT_TYPE_NVCOUNTER:
- if (ext->arg) {
+ if (ext->optional && ext->arg == NULL) {
+ /* Skip this NVCounter */
+ continue;
+ } else {
+ /* Checked by `check_cmd_params` */
+ assert(ext->arg != NULL);
nvctr = atoi(ext->arg);
CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
EXT_CRIT, nvctr));
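Review bot: The only guard on `ext->arg` in the non-optional NV counter path is `assert(ext->arg != NULL)`, which disappears if the tool is built with `NDEBUG`, and the value is then parsed with `atoi()`, which cannot report a non-numeric or out-of-range string. Since this number ends up as the non-volatile counter value in the certificate, a typo on the command line would silently yield 0 or an undefined result instead of an error. An explicit check such as `if (ext->arg == NULL) { ERROR("Missing NV counter value\n"); exit(1); }` and a `strtol()` parse that rejects trailing characters, negative values and `ERANGE` would make the failure visible. The `switch` this case belongs to starts and ends outside the hunk.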
@@ -505,7 +515,7 @@ int main(int argc, char *argv[])
memset(md, 0x0, SHA512_DIGEST_LENGTH);
} else {
/* Do not include this hash in the certificate */
- break;
+ continue;
}
} else {
/* Calculate the hash of the file */
@@ -534,11 +544,16 @@ int main(int argc, char *argv[])
}
/* Create certificate. Signed with corresponding key */
- if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
+ if (!cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", cert->cn);
exit(1);
}
+ for (cert_ext = sk_X509_EXTENSION_pop(sk); cert_ext != NULL;
+ cert_ext = sk_X509_EXTENSION_pop(sk)) {
+ X509_EXTENSION_free(cert_ext);
+ }
+
sk_X509_EXTENSION_free(sk);
}
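Review bot: The pop-and-free loop followed by `sk_X509_EXTENSION_free(sk)` can be written as the single call `sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);`, which frees every remaining element and then the stack itself. Besides being shorter, it avoids reusing `cert_ext` as the loop variable, a name the surrounding code also uses for the extension currently being built. The enclosing loop over certificates starts outside the hunk.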
@@ -576,10 +591,44 @@ int main(int argc, char *argv[])
}
}
+ /* If we got here, then we must have filled the key array completely.
+ * We can then safely call free on all of the keys in the array
+ */
+ for (i = 0; i < num_keys; i++) {
+ EVP_PKEY_free(keys[i].key);
+ }
+
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
+
+ /* We allocated strings through strdup, so now we have to free them */
+ for (i = 0; i < num_keys; i++) {
+ if (keys[i].fn != NULL) {
+ void *ptr = keys[i].fn;
+
+ keys[i].fn = NULL;
+ free(ptr);
+ }
+ }
+ for (i = 0; i < num_extensions; i++) {
+ if (extensions[i].arg != NULL) {
+ void *ptr = (void *)extensions[i].arg;
+
+ extensions[i].arg = NULL;
+ free(ptr);
+ }
+ }
+ for (i = 0; i < num_certs; i++) {
+ if (certs[i].fn != NULL) {
+ void *ptr = (void *)certs[i].fn;
+
+ certs[i].fn = NULL;
+ free(ptr);
+ }
+ }
+
return 0;
}
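Review bot: The three free loops depend on every non-NULL `keys[i].fn`, `extensions[i].arg` and `certs[i].fn` having come from `strdup()`, as the comment states, but the assignments are outside this hunk and two of the fields need a `(void *)` cast to drop `const` before `free()`. If any of them can still point at `optarg`, a string literal or another static default, this is an invalid free. It would be worth stating the ownership rule where the fields are declared, e.g. `/* heap-allocated with strdup(); freed at exit in main() */`, and making them plain `char *` so the cast is not needed. The `!= NULL` guards are redundant, since `free(NULL)` is a no-op.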
diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c
index 7fb32d82c..f4fe63dc3 100644
--- a/tools/cert_create/src/tbbr/tbb_cert.c
+++ b/tools/cert_create/src/tbbr/tbb_cert.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -28,9 +28,10 @@ static cert_t tbb_certs[] = {
TRUSTED_FW_NVCOUNTER_EXT,
TRUSTED_BOOT_FW_HASH_EXT,
TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
- HW_CONFIG_HASH_EXT
+ HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT
},
- .num_ext = 4
+ .num_ext = 5
},
[TRUSTED_KEY_CERT] = {
.id = TRUSTED_KEY_CERT,
@@ -164,6 +165,27 @@ static cert_t tbb_certs[] = {
},
.num_ext = 3
},
+ [SIP_SECURE_PARTITION_CONTENT_CERT] = {
+ .id = SIP_SECURE_PARTITION_CONTENT_CERT,
+ .opt = "sip-sp-cert",
+ .help_msg = "SiP owned Secure Partition Content Certificate (output file)",
+ .fn = NULL,
+ .cn = "SiP owned Secure Partition Content Certificate",
+ .key = TRUSTED_WORLD_KEY,
+ .issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
+ .ext = {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
+ },
+ .num_ext = 9
+ },
[FWU_CERT] = {
.id = FWU_CERT,
.opt = "fwu-cert",
diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c
index ee5377fe8..60bafb4be 100644
--- a/tools/cert_create/src/tbbr/tbb_ext.c
+++ b/tools/cert_create/src/tbbr/tbb_ext.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -69,6 +69,16 @@ static ext_t tbb_ext[] = {
.type = EXT_TYPE_HASH,
.optional = 1
},
+ [FW_CONFIG_HASH_EXT] = {
+ .oid = FW_CONFIG_HASH_OID,
+ .opt = "fw-config",
+ .help_msg = "Firmware Config file",
+ .sn = "FirmwareConfigHash",
+ .ln = "Firmware Config hash",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
[TRUSTED_WORLD_PK_EXT] = {
.oid = TRUSTED_WORLD_PK_OID,
.sn = "TrustedWorldPublicKey",
@@ -203,6 +213,86 @@ static ext_t tbb_ext[] = {
.type = EXT_TYPE_HASH,
.optional = 1
},
+ [SP_PKG1_HASH_EXT] = {
+ .oid = SP_PKG1_HASH_OID,
+ .opt = "sp-pkg1",
+ .help_msg = "Secure Partition Package1 file",
+ .sn = "SPPkg1Hash",
+ .ln = "SP Pkg1 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG2_HASH_EXT] = {
+ .oid = SP_PKG2_HASH_OID,
+ .opt = "sp-pkg2",
+ .help_msg = "Secure Partition Package2 file",
+ .sn = "SPPkg2Hash",
+ .ln = "SP Pkg2 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG3_HASH_EXT] = {
+ .oid = SP_PKG3_HASH_OID,
+ .opt = "sp-pkg3",
+ .help_msg = "Secure Partition Package3 file",
+ .sn = "SPPkg3Hash",
+ .ln = "SP Pkg3 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG4_HASH_EXT] = {
+ .oid = SP_PKG4_HASH_OID,
+ .opt = "sp-pkg4",
+ .help_msg = "Secure Partition Package4 file",
+ .sn = "SPPkg4Hash",
+ .ln = "SP Pkg4 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG5_HASH_EXT] = {
+ .oid = SP_PKG5_HASH_OID,
+ .opt = "sp-pkg5",
+ .help_msg = "Secure Partition Package5 file",
+ .sn = "SPPkg5Hash",
+ .ln = "SP Pkg5 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG6_HASH_EXT] = {
+ .oid = SP_PKG6_HASH_OID,
+ .opt = "sp-pkg6",
+ .help_msg = "Secure Partition Package6 file",
+ .sn = "SPPkg6Hash",
+ .ln = "SP Pkg6 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG7_HASH_EXT] = {
+ .oid = SP_PKG7_HASH_OID,
+ .opt = "sp-pkg7",
+ .help_msg = "Secure Partition Package7 file",
+ .sn = "SPPkg7Hash",
+ .ln = "SP Pkg7 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
+ [SP_PKG8_HASH_EXT] = {
+ .oid = SP_PKG8_HASH_OID,
+ .opt = "sp-pkg8",
+ .help_msg = "Secure Partition Package8 file",
+ .sn = "SPPkg8Hash",
+ .ln = "SP Pkg8 hash (SHA256)",
+ .asn1_type = V_ASN1_OCTET_STRING,
+ .type = EXT_TYPE_HASH,
+ .optional = 1
+ },
[SCP_FWU_CFG_HASH_EXT] = {
.oid = SCP_FWU_CFG_HASH_OID,
.opt = "scp-fwu-cfg",
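Review bot: The `.ln` strings of the new `SP_PKGn_HASH_EXT` entries hard-code "(SHA256)", while main.c passes a `hash_alg` to `cert_new()` and clears its digest buffer with `SHA512_DIGEST_LENGTH`, which suggests the digest algorithm is selectable. If so, the long name would mislabel the extension wherever it is displayed for a certificate built with another algorithm. The `FW_CONFIG_HASH_EXT` entry added in the same commit already uses the neutral form, so `.ln = "SP Pkg1 hash"` (and likewise for 2–8) would be consistent; the matching entries in dualroot/cot.c carry the same suffix.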
diff --git a/tools/encrypt_fw/Makefile b/tools/encrypt_fw/Makefile
new file mode 100644
index 000000000..96dff2324
--- /dev/null
+++ b/tools/encrypt_fw/Makefile
@@ -0,0 +1,65 @@
+#
+# Copyright (c) 2019-2020, Linaro Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+V ?= 0
+BUILD_INFO ?= 1
+DEBUG := 0
+ENCTOOL ?= encrypt_fw${BIN_EXT}
+BINARY := $(notdir ${ENCTOOL})
+OPENSSL_DIR := /usr
+
+OBJECTS := src/encrypt.o \
+ src/cmd_opt.o \
+ src/main.o
+
+HOSTCCFLAGS := -Wall -std=c99
+
+MAKE_HELPERS_DIRECTORY := ../../make_helpers/
+include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
+include ${MAKE_HELPERS_DIRECTORY}build_env.mk
+
+ifeq (${DEBUG},1)
+ HOSTCCFLAGS += -g -O0 -DDEBUG -DLOG_LEVEL=40
+else
+ifeq (${BUILD_INFO},1)
+ HOSTCCFLAGS += -O2 -DLOG_LEVEL=20
+else
+ HOSTCCFLAGS += -O2 -DLOG_LEVEL=10
+endif
+endif
+ifeq (${V},0)
+ Q := @
+else
+ Q :=
+endif
+
+# Make soft links and include from local directory otherwise wrong headers
+# could get pulled in from firmware tree.
+INC_DIR := -I ./include -I ../../include/tools_share -I ${OPENSSL_DIR}/include
+LIB_DIR := -L ${OPENSSL_DIR}/lib
+LIB := -lssl -lcrypto
+
+HOSTCC ?= gcc
+
+.PHONY: all clean realclean
+
+all: ${BINARY}
+
+${BINARY}: ${OBJECTS} Makefile
+ @echo " HOSTLD $@"
+ @echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__;' | \
+ ${HOSTCC} -c ${HOSTCCFLAGS} -xc - -o src/build_msg.o
+ ${Q}${HOSTCC} src/build_msg.o ${OBJECTS} ${LIB_DIR} ${LIB} -o $@
+
+%.o: %.c
+ @echo " HOSTCC $<"
+ ${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
+
+clean:
+ $(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS})
+
+realclean: clean
+ $(call SHELL_DELETE,${BINARY})
diff --git a/tools/encrypt_fw/include/cmd_opt.h b/tools/encrypt_fw/include/cmd_opt.h
new file mode 100644
index 000000000..bd7d31f03
--- /dev/null
+++ b/tools/encrypt_fw/include/cmd_opt.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CMD_OPT_H
+#define CMD_OPT_H
+
+#include <getopt.h>
+
+#define CMD_OPT_MAX_NUM 64
+
+/* Supported long command line option types */
+enum {
+ CMD_OPT_FW
+};
+
+/* Structure to define a command line option */
+typedef struct cmd_opt_s {
+ struct option long_opt;
+ const char *help_msg;
+} cmd_opt_t;
+
+/* Exported API*/
+void cmd_opt_add(const cmd_opt_t *cmd_opt);
+const struct option *cmd_opt_get_array(void);
+const char *cmd_opt_get_name(int idx);
+const char *cmd_opt_get_help_msg(int idx);
+
+#endif /* CMD_OPT_H */
diff --git a/tools/encrypt_fw/include/debug.h b/tools/encrypt_fw/include/debug.h
new file mode 100644
index 000000000..ee8f1f517
--- /dev/null
+++ b/tools/encrypt_fw/include/debug.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef DEBUG_H
+#define DEBUG_H
+
+#include <stdio.h>
+
+/* The log output macros print output to the console. These macros produce
+ * compiled log output only if the LOG_LEVEL defined in the makefile (or the
+ * make command line) is greater or equal than the level required for that
+ * type of log output.
+ * The format expected is the same as for printf(). For example:
+ * INFO("Info %s.\n", "message") -> INFO: Info message.
+ * WARN("Warning %s.\n", "message") -> WARNING: Warning message.
+ */
+
+#define LOG_LEVEL_NONE 0
+#define LOG_LEVEL_ERROR 10
+#define LOG_LEVEL_NOTICE 20
+#define LOG_LEVEL_WARNING 30
+#define LOG_LEVEL_INFO 40
+#define LOG_LEVEL_VERBOSE 50
+
+
+#if LOG_LEVEL >= LOG_LEVEL_NOTICE
+# define NOTICE(...) printf("NOTICE: " __VA_ARGS__)
+#else
+# define NOTICE(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_ERROR
+# define ERROR(...) printf("ERROR: " __VA_ARGS__)
+#else
+# define ERROR(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_WARNING
+# define WARN(...) printf("WARNING: " __VA_ARGS__)
+#else
+# define WARN(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_INFO
+# define INFO(...) printf("INFO: " __VA_ARGS__)
+#else
+# define INFO(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_VERBOSE
+# define VERBOSE(...) printf("VERBOSE: " __VA_ARGS__)
+#else
+# define VERBOSE(...)
+#endif
+
+#endif /* DEBUG_H */
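Review bot: `ERROR()` and `WARN()` expand to `printf`, so diagnostics go to stdout and are lost or mixed into other output when a build redirects the tool. Consider `# define ERROR(...) fprintf(stderr, "ERROR: " __VA_ARGS__)` and the same for `WARN`. The header comment could also say that an undefined `LOG_LEVEL` evaluates as 0 in the `#if` tests, which silently compiles every macro out.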
diff --git a/tools/encrypt_fw/include/encrypt.h b/tools/encrypt_fw/include/encrypt.h
new file mode 100644
index 000000000..25d301170
--- /dev/null
+++ b/tools/encrypt_fw/include/encrypt.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ * Author: Sumit Garg <sumit.garg@linaro.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef ENCRYPT_H
+#define ENCRYPT_H
+
+/* Supported key algorithms */
+enum {
+ KEY_ALG_GCM /* AES-GCM (default) */
+};
+
+int encrypt_file(unsigned short fw_enc_status, int enc_alg, char *key_string,
+ char *nonce_string, const char *ip_name, const char *op_name);
+
+#endif /* ENCRYPT_H */
diff --git a/tools/encrypt_fw/src/cmd_opt.c b/tools/encrypt_fw/src/cmd_opt.c
new file mode 100644
index 000000000..64180d1f5
--- /dev/null
+++ b/tools/encrypt_fw/src/cmd_opt.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <cmd_opt.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include "debug.h"
+
+/* Command line options */
+static struct option long_opt[CMD_OPT_MAX_NUM+1];
+static const char *help_msg[CMD_OPT_MAX_NUM+1];
+static int num_reg_opt;
+
+void cmd_opt_add(const cmd_opt_t *cmd_opt)
+{
+ assert(cmd_opt != NULL);
+
+ if (num_reg_opt >= CMD_OPT_MAX_NUM) {
+ ERROR("Out of memory. Please increase CMD_OPT_MAX_NUM\n");
+ exit(1);
+ }
+
+ long_opt[num_reg_opt].name = cmd_opt->long_opt.name;
+ long_opt[num_reg_opt].has_arg = cmd_opt->long_opt.has_arg;
+ long_opt[num_reg_opt].flag = 0;
+ long_opt[num_reg_opt].val = cmd_opt->long_opt.val;
+
+ help_msg[num_reg_opt] = cmd_opt->help_msg;
+
+ num_reg_opt++;
+}
+
+const struct option *cmd_opt_get_array(void)
+{
+ return long_opt;
+}
+
+const char *cmd_opt_get_name(int idx)
+{
+ if (idx >= num_reg_opt) {
+ return NULL;
+ }
+
+ return long_opt[idx].name;
+}
+
+const char *cmd_opt_get_help_msg(int idx)
+{
+ if (idx >= num_reg_opt) {
+ return NULL;
+ }
+
+ return help_msg[idx];
+}
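Review bot: `cmd_opt_get_name()` and `cmd_opt_get_help_msg()` only reject `idx >= num_reg_opt`, so a negative `idx` indexes before the start of `long_opt[]` and `help_msg[]`. Both guards should read `if (idx < 0 || idx >= num_reg_opt) {`. `cmd_opt_add()` stores `name` and `help_msg` by pointer, which is fine for the static table in main.c but deserves a comment such as `/* Strings are not copied; the caller's cmd_opt_t must outlive the registry. */`.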
diff --git a/tools/encrypt_fw/src/encrypt.c b/tools/encrypt_fw/src/encrypt.c
new file mode 100644
index 000000000..18a514cb9
--- /dev/null
+++ b/tools/encrypt_fw/src/encrypt.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ * Author: Sumit Garg <sumit.garg@linaro.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <firmware_encrypted.h>
+#include <openssl/evp.h>
+#include <stdio.h>
+#include <string.h>
+#include "debug.h"
+#include "encrypt.h"
+
+#define BUFFER_SIZE 256
+#define IV_SIZE 12
+#define IV_STRING_SIZE 24
+#define TAG_SIZE 16
+#define KEY_SIZE 32
+#define KEY_STRING_SIZE 64
+
+static int gcm_encrypt(unsigned short fw_enc_status, char *key_string,
+ char *nonce_string, const char *ip_name,
+ const char *op_name)
+{
+ FILE *ip_file;
+ FILE *op_file;
+ EVP_CIPHER_CTX *ctx;
+ unsigned char data[BUFFER_SIZE], enc_data[BUFFER_SIZE];
+ unsigned char key[KEY_SIZE], iv[IV_SIZE], tag[TAG_SIZE];
+ int bytes, enc_len = 0, i, j, ret = 0;
+ struct fw_enc_hdr header;
+
+ memset(&header, 0, sizeof(struct fw_enc_hdr));
+
+ if (strlen(key_string) != KEY_STRING_SIZE) {
+ ERROR("Unsupported key size: %lu\n", strlen(key_string));
+ return -1;
+ }
+
+ for (i = 0, j = 0; i < KEY_SIZE; i++, j += 2) {
+ if (sscanf(&key_string[j], "%02hhx", &key[i]) != 1) {
+ ERROR("Incorrect key format\n");
+ return -1;
+ }
+ }
+
+ if (strlen(nonce_string) != IV_STRING_SIZE) {
+ ERROR("Unsupported IV size: %lu\n", strlen(nonce_string));
+ return -1;
+ }
+
+ for (i = 0, j = 0; i < IV_SIZE; i++, j += 2) {
+ if (sscanf(&nonce_string[j], "%02hhx", &iv[i]) != 1) {
+ ERROR("Incorrect IV format\n");
+ return -1;
+ }
+ }
+
+ ip_file = fopen(ip_name, "rb");
+ if (ip_file == NULL) {
+ ERROR("Cannot read %s\n", ip_name);
+ return -1;
+ }
+
+ op_file = fopen(op_name, "wb");
+ if (op_file == NULL) {
+ ERROR("Cannot write %s\n", op_name);
+ fclose(ip_file);
+ return -1;
+ }
+
+ ret = fseek(op_file, sizeof(struct fw_enc_hdr), SEEK_SET);
+ if (ret) {
+ ERROR("fseek failed\n");
+ goto out_file;
+ }
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ ERROR("EVP_CIPHER_CTX_new failed\n");
+ ret = -1;
+ goto out_file;
+ }
+
+ ret = EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL);
+ if (ret != 1) {
+ ERROR("EVP_EncryptInit_ex failed\n");
+ ret = -1;
+ goto out;
+ }
+
+ ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv);
+ if (ret != 1) {
+ ERROR("EVP_EncryptInit_ex failed\n");
+ goto out;
+ }
+
+ while ((bytes = fread(data, 1, BUFFER_SIZE, ip_file)) != 0) {
+ ret = EVP_EncryptUpdate(ctx, enc_data, &enc_len, data, bytes);
+ if (ret != 1) {
+ ERROR("EVP_EncryptUpdate failed\n");
+ ret = -1;
+ goto out;
+ }
+
+ fwrite(enc_data, 1, enc_len, op_file);
+ }
+
+ ret = EVP_EncryptFinal_ex(ctx, enc_data, &enc_len);
+ if (ret != 1) {
+ ERROR("EVP_EncryptFinal_ex failed\n");
+ ret = -1;
+ goto out;
+ }
+
+ ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, TAG_SIZE, tag);
+ if (ret != 1) {
+ ERROR("EVP_CIPHER_CTX_ctrl failed\n");
+ ret = -1;
+ goto out;
+ }
+
+ header.magic = ENC_HEADER_MAGIC;
+ header.flags |= fw_enc_status & FW_ENC_STATUS_FLAG_MASK;
+ header.dec_algo = KEY_ALG_GCM;
+ header.iv_len = IV_SIZE;
+ header.tag_len = TAG_SIZE;
+ memcpy(header.iv, iv, IV_SIZE);
+ memcpy(header.tag, tag, TAG_SIZE);
+
+ ret = fseek(op_file, 0, SEEK_SET);
+ if (ret) {
+ ERROR("fseek failed\n");
+ goto out;
+ }
+
+ fwrite(&header, 1, sizeof(struct fw_enc_hdr), op_file);
+
+out:
+ EVP_CIPHER_CTX_free(ctx);
+
+out_file:
+ fclose(ip_file);
+ fclose(op_file);
+
+ /*
+ * EVP_* APIs returns 1 as success but enctool considers
+ * 0 as success.
+ */
+ if (ret == 1)
+ ret = 0;
+
+ return ret;
+}
+
+int encrypt_file(unsigned short fw_enc_status, int enc_alg, char *key_string,
+ char *nonce_string, const char *ip_name, const char *op_name)
+{
+ switch (enc_alg) {
+ case KEY_ALG_GCM:
+ return gcm_encrypt(fw_enc_status, key_string, nonce_string,
+ ip_name, op_name);
+ default:
+ return -1;
+ }
+}
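Review bot: `gcm_encrypt()` can report success for an output file that is incomplete or was never encrypted. The second `EVP_EncryptInit_ex()` failure branch jumps to `out` without `ret = -1;`, so a 0 return from OpenSSL is handed back as the tool's success code, and neither `fwrite()` (ciphertext in the loop, header at the end) has its return value checked. An `ferror(ip_file)` test after the loop would also separate a read error from end of file. The hex parsing is loose as well: `sscanf` with `%02hhx` skips whitespace and accepts a sign, so a 64-character string that is not pure hex can still yield a key, and checking each character with `isxdigit()` first would reject it. The fence shows the return-path fixes only.

```c
	ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv);
	if (ret != 1) {
		ERROR("EVP_EncryptInit_ex failed\n");
		ret = -1;
		goto out;
	}

	/* … unchanged: fread loop header and EVP_EncryptUpdate call … */

		if (fwrite(enc_data, 1, enc_len, op_file) != (size_t)enc_len) {
			ERROR("fwrite failed\n");
			ret = -1;
			goto out;
		}

	/* … unchanged: EVP_EncryptFinal_ex, tag retrieval, header fill, fseek … */

	if (fwrite(&header, 1, sizeof(struct fw_enc_hdr), op_file) !=
	    sizeof(struct fw_enc_hdr)) {
		ERROR("fwrite failed\n");
		ret = -1;
	}
```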
diff --git a/tools/encrypt_fw/src/main.c b/tools/encrypt_fw/src/main.c
new file mode 100644
index 000000000..39b7af761
--- /dev/null
+++ b/tools/encrypt_fw/src/main.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ * Author: Sumit Garg <sumit.garg@linaro.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <ctype.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+
+#include <openssl/conf.h>
+
+#include "cmd_opt.h"
+#include "debug.h"
+#include "encrypt.h"
+#include "firmware_encrypted.h"
+
+#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
+#define HELP_OPT_MAX_LEN 128
+
+/* Global options */
+
+/* Info messages created in the Makefile */
+extern const char build_msg[];
+
+static char *key_algs_str[] = {
+ [KEY_ALG_GCM] = "gcm",
+};
+
+static void print_help(const char *cmd, const struct option *long_opt)
+{
+ int rem, i = 0;
+ const struct option *opt;
+ char line[HELP_OPT_MAX_LEN];
+ char *p;
+
+ assert(cmd != NULL);
+ assert(long_opt != NULL);
+
+ printf("\n\n");
+ printf("The firmware encryption tool loads the binary image and\n"
+ "outputs encrypted binary image using an encryption key\n"
+ "provided as an input hex string.\n");
+ printf("\n");
+ printf("Usage:\n");
+ printf("\t%s [OPTIONS]\n\n", cmd);
+
+ printf("Available options:\n");
+ opt = long_opt;
+ while (opt->name) {
+ p = line;
+ rem = HELP_OPT_MAX_LEN;
+ if (isalpha(opt->val)) {
+ /* Short format */
+ sprintf(p, "-%c,", (char)opt->val);
+ p += 3;
+ rem -= 3;
+ }
+ snprintf(p, rem, "--%s %s", opt->name,
+ (opt->has_arg == required_argument) ? "<arg>" : "");
+ printf("\t%-32s %s\n", line, cmd_opt_get_help_msg(i));
+ opt++;
+ i++;
+ }
+ printf("\n");
+}
+
+static int get_key_alg(const char *key_alg_str)
+{
+ int i;
+
+ for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) {
+ if (strcmp(key_alg_str, key_algs_str[i]) == 0) {
+ return i;
+ }
+ }
+
+ return -1;
+}
+
+static void parse_fw_enc_status_flag(const char *arg,
+ unsigned short *fw_enc_status)
+{
+ unsigned long flag;
+ char *endptr;
+
+ flag = strtoul(arg, &endptr, 16);
+ if (*endptr != '\0' || flag > FW_ENC_WITH_BSSK) {
+ ERROR("Invalid fw_enc_status flag '%s'\n", arg);
+ exit(1);
+ }
+
+ *fw_enc_status = flag & FW_ENC_STATUS_FLAG_MASK;
+}
+
+/* Common command line options */
+static const cmd_opt_t common_cmd_opt[] = {
+ {
+ { "help", no_argument, NULL, 'h' },
+ "Print this message and exit"
+ },
+ {
+ { "fw-enc-status", required_argument, NULL, 'f' },
+ "Firmware encryption status flag (with SSK=0 or BSSK=1)."
+ },
+ {
+ { "key-alg", required_argument, NULL, 'a' },
+ "Encryption key algorithm: 'gcm' (default)"
+ },
+ {
+ { "key", required_argument, NULL, 'k' },
+ "Encryption key (for supported algorithm)."
+ },
+ {
+ { "nonce", required_argument, NULL, 'n' },
+ "Nonce or Initialization Vector (for supported algorithm)."
+ },
+ {
+ { "in", required_argument, NULL, 'i' },
+ "Input filename to be encrypted."
+ },
+ {
+ { "out", required_argument, NULL, 'o' },
+ "Encrypted output filename."
+ },
+};
+
+int main(int argc, char *argv[])
+{
+ int i, key_alg, ret;
+ int c, opt_idx = 0;
+ const struct option *cmd_opt;
+ char *key = NULL;
+ char *nonce = NULL;
+ char *in_fn = NULL;
+ char *out_fn = NULL;
+ unsigned short fw_enc_status = 0;
+
+ NOTICE("Firmware Encryption Tool: %s\n", build_msg);
+
+ /* Set default options */
+ key_alg = KEY_ALG_GCM;
+
+ /* Add common command line options */
+ for (i = 0; i < NUM_ELEM(common_cmd_opt); i++) {
+ cmd_opt_add(&common_cmd_opt[i]);
+ }
+
+ /* Get the command line options populated during the initialization */
+ cmd_opt = cmd_opt_get_array();
+
+ while (1) {
+ /* getopt_long stores the option index here. */
+ c = getopt_long(argc, argv, "a:f:hi:k:n:o:", cmd_opt, &opt_idx);
+
+ /* Detect the end of the options. */
+ if (c == -1) {
+ break;
+ }
+
+ switch (c) {
+ case 'a':
+ key_alg = get_key_alg(optarg);
+ if (key_alg < 0) {
+ ERROR("Invalid key algorithm '%s'\n", optarg);
+ exit(1);
+ }
+ break;
+ case 'f':
+ parse_fw_enc_status_flag(optarg, &fw_enc_status);
+ break;
+ case 'k':
+ key = optarg;
+ break;
+ case 'i':
+ in_fn = optarg;
+ break;
+ case 'o':
+ out_fn = optarg;
+ break;
+ case 'n':
+ nonce = optarg;
+ break;
+ case 'h':
+ print_help(argv[0], cmd_opt);
+ exit(0);
+ case '?':
+ default:
+ print_help(argv[0], cmd_opt);
+ exit(1);
+ }
+ }
+
+ if (!key) {
+ ERROR("Key must not be NULL\n");
+ exit(1);
+ }
+
+ if (!nonce) {
+ ERROR("Nonce must not be NULL\n");
+ exit(1);
+ }
+
+ if (!in_fn) {
+ ERROR("Input filename must not be NULL\n");
+ exit(1);
+ }
+
+ if (!out_fn) {
+ ERROR("Output filename must not be NULL\n");
+ exit(1);
+ }
+
+ ret = encrypt_file(fw_enc_status, key_alg, key, nonce, in_fn, out_fn);
+
+ CRYPTO_cleanup_all_ex_data();
+
+ return ret;
+}
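Review bot: The `'k'` case takes the AES key straight from `optarg`, so the key is readable in the process listing for the duration of the run and is likely to end up in shell history and build logs. Reading it from a file or an inherited descriptor would avoid that; at minimum the `key` help text should say so. The `nonce` option leaves IV selection to the caller, and reusing a key/IV pair breaks both confidentiality and authenticity under AES-GCM, so its help string should state the requirement, e.g. `"Nonce or Initialization Vector; must never repeat for the same key."`. `parse_fw_enc_status_flag()` also accepts an empty argument as 0 because only `*endptr` is tested; `endptr == arg` should be rejected too.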
diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
index ef3501432..df8ab5c7b 100644
--- a/tools/fiptool/Makefile
+++ b/tools/fiptool/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2014-2018, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2014-2020, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -8,7 +8,8 @@ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk
-PROJECT := fiptool${BIN_EXT}
+FIPTOOL ?= fiptool${BIN_EXT}
+PROJECT := $(notdir ${FIPTOOL})
OBJECTS := fiptool.o tbbr_config.o
V ?= 0
diff --git a/tools/fiptool/Makefile.msvc b/tools/fiptool/Makefile.msvc
index 58dbb8973..9081bc64c 100644
--- a/tools/fiptool/Makefile.msvc
+++ b/tools/fiptool/Makefile.msvc
@@ -1,30 +1,37 @@
-#
-# Copyright (c) 2019, Arm Limited. All rights reserved.
-#
-# SPDX-License-Identifier: BSD-3-Clause
-#
-
-CC = cl.exe
-LD = link.exe
-
-FIPTOOL = fiptool.exe
-OBJECTS = fiptool.obj tbbr_config.obj win_posix.obj
-
-INC = -I. -I..\..\include\tools_share
-CFLAGS = $(CFLAGS) /nologo /Za /Zi /c /O2 /MT
-
-all: $(FIPTOOL)
-
-$(FIPTOOL): $(OBJECTS)
- $(LD) /INCREMENTAL:NO /debug /nodefaultlib:libc.lib /out:$@ $(LIBS) $**
-
-.PHONY: clean realclean
-
-clean:
- del /f /q $(OBJECTS) > nul
-
-realclean:
- del /f /q $(OBJECTS) $(FIPTOOL) > nul
-
-.c.obj:
- $(CC) -c $(CFLAGS) $(INC) $< -Fo$@
+#
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+CC = cl.exe
+LD = link.exe
+
+# FIPTOOLPATH and FIPTOOL are passed from the main makefile.
+
+OBJECTS = $(FIPTOOLPATH)\fiptool.obj \
+ $(FIPTOOLPATH)\tbbr_config.obj \
+ $(FIPTOOLPATH)\win_posix.obj
+
+INC = -I$(FIPTOOLPATH) -Iinclude\tools_share
+
+CFLAGS = $(CFLAGS) /nologo /Za /Zi /c /O2 /MT
+
+all: $(FIPTOOL)
+
+$(FIPTOOL): $(OBJECTS)
+ $(LD) /nologo /INCREMENTAL:NO /debug /nodefaultlib:libc.lib /out:$@ $(LIBS) $**
+
+.PHONY: clean realclean
+
+clean:
+ -@del /f /q $(OBJECTS) > nul
+ -@del /f /q $(FIPTOOLPATH)\*.pdb > nul
+
+realclean:
+ -@del /f /q $(OBJECTS) > nul
+ -@del /f /q $(FIPTOOLPATH)\*.pdb > nul
+ -@del /f /q $(FIPTOOL) > nul
+
+.c.obj:
+ $(CC) -c $(CFLAGS) $(INC) $< -Fo$@
diff --git a/tools/fiptool/fiptool.c b/tools/fiptool/fiptool.c
index 80b498e47..8c5b04a55 100644
--- a/tools/fiptool/fiptool.c
+++ b/tools/fiptool/fiptool.c
@@ -24,17 +24,17 @@
#define OPT_ALIGN 2
static int info_cmd(int argc, char *argv[]);
-static void info_usage(void);
+static void info_usage(int);
static int create_cmd(int argc, char *argv[]);
-static void create_usage(void);
+static void create_usage(int);
static int update_cmd(int argc, char *argv[]);
-static void update_usage(void);
+static void update_usage(int);
static int unpack_cmd(int argc, char *argv[]);
-static void unpack_usage(void);
+static void unpack_usage(int);
static int remove_cmd(int argc, char *argv[]);
-static void remove_usage(void);
+static void remove_usage(int);
static int version_cmd(int argc, char *argv[]);
-static void version_usage(void);
+static void version_usage(int);
static int help_cmd(int argc, char *argv[]);
static void usage(void);
@@ -448,7 +448,7 @@ static int info_cmd(int argc, char *argv[])
fip_toc_header_t toc_header;
if (argc != 2)
- info_usage();
+ info_usage(EXIT_FAILURE);
argc--, argv++;
parse_fip(argv[0], &toc_header);
@@ -487,10 +487,10 @@ static int info_cmd(int argc, char *argv[])
return 0;
}
-static void info_usage(void)
+static void info_usage(int exit_status)
{
printf("fiptool info FIP_FILENAME\n");
- exit(1);
+ exit(exit_status);
}
static int pack_images(const char *filename, uint64_t toc_flags, unsigned long align)
@@ -669,7 +669,7 @@ static int create_cmd(int argc, char *argv[])
unsigned long align = 1;
if (argc < 2)
- create_usage();
+ create_usage(EXIT_FAILURE);
opts = fill_common_opts(opts, &nr_opts, required_argument);
opts = add_opt(opts, &nr_opts, "plat-toc-flags", required_argument,
@@ -710,7 +710,7 @@ static int create_cmd(int argc, char *argv[])
if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0 ||
filename[0] == '\0')
- create_usage();
+ create_usage(EXIT_FAILURE);
desc = lookup_image_desc_from_uuid(&uuid);
if (desc == NULL) {
@@ -722,7 +722,7 @@ static int create_cmd(int argc, char *argv[])
break;
}
default:
- create_usage();
+ create_usage(EXIT_FAILURE);
}
}
argc -= optind;
@@ -730,7 +730,7 @@ static int create_cmd(int argc, char *argv[])
free(opts);
if (argc == 0)
- create_usage();
+ create_usage(EXIT_SUCCESS);
update_fip();
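Review bot: The `argc == 0` branch fires when the FIP filename is missing, which is a usage error, yet it now calls `create_usage(EXIT_SUCCESS)`; a build script that omits the filename will see exit status 0 and carry on without a FIP. The same applies to the `argc == 0` branches in `update_cmd`, `unpack_cmd` and `remove_cmd`, and `usage()` now always exits with `EXIT_SUCCESS`, which looks wrong if it is also reached for an unknown or missing subcommand (its callers are outside the hunks). I would keep `create_usage(EXIT_FAILURE);` on these paths and reserve `EXIT_SUCCESS` for the explicit `help` command. `create_cmd`'s body extends beyond this hunk.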
@@ -738,7 +738,7 @@ static int create_cmd(int argc, char *argv[])
return 0;
}
-static void create_usage(void)
+static void create_usage(int exit_status)
{
toc_entry_t *toc_entry = toc_entries;
@@ -753,7 +753,7 @@ static void create_usage(void)
for (; toc_entry->cmdline_name != NULL; toc_entry++)
printf(" --%-16s FILENAME\t%s\n", toc_entry->cmdline_name,
toc_entry->name);
- exit(1);
+ exit(exit_status);
}
static int update_cmd(int argc, char *argv[])
@@ -767,7 +767,7 @@ static int update_cmd(int argc, char *argv[])
int pflag = 0;
if (argc < 2)
- update_usage();
+ update_usage(EXIT_FAILURE);
opts = fill_common_opts(opts, &nr_opts, required_argument);
opts = add_opt(opts, &nr_opts, "align", required_argument, OPT_ALIGN);
@@ -807,7 +807,7 @@ static int update_cmd(int argc, char *argv[])
if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0 ||
filename[0] == '\0')
- update_usage();
+ update_usage(EXIT_FAILURE);
desc = lookup_image_desc_from_uuid(&uuid);
if (desc == NULL) {
@@ -825,7 +825,7 @@ static int update_cmd(int argc, char *argv[])
snprintf(outfile, sizeof(outfile), "%s", optarg);
break;
default:
- update_usage();
+ update_usage(EXIT_FAILURE);
}
}
argc -= optind;
@@ -833,7 +833,7 @@ static int update_cmd(int argc, char *argv[])
free(opts);
if (argc == 0)
- update_usage();
+ update_usage(EXIT_SUCCESS);
if (outfile[0] == '\0')
snprintf(outfile, sizeof(outfile), "%s", argv[0]);
@@ -851,7 +851,7 @@ static int update_cmd(int argc, char *argv[])
return 0;
}
-static void update_usage(void)
+static void update_usage(int exit_status)
{
toc_entry_t *toc_entry = toc_entries;
@@ -867,7 +867,7 @@ static void update_usage(void)
for (; toc_entry->cmdline_name != NULL; toc_entry++)
printf(" --%-16s FILENAME\t%s\n", toc_entry->cmdline_name,
toc_entry->name);
- exit(1);
+ exit(exit_status);
}
static int unpack_cmd(int argc, char *argv[])
@@ -880,7 +880,7 @@ static int unpack_cmd(int argc, char *argv[])
int unpack_all = 1;
if (argc < 2)
- unpack_usage();
+ unpack_usage(EXIT_FAILURE);
opts = fill_common_opts(opts, &nr_opts, required_argument);
opts = add_opt(opts, &nr_opts, "blob", required_argument, 'b');
@@ -915,7 +915,7 @@ static int unpack_cmd(int argc, char *argv[])
if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0 ||
filename[0] == '\0')
- unpack_usage();
+ unpack_usage(EXIT_FAILURE);
desc = lookup_image_desc_from_uuid(&uuid);
if (desc == NULL) {
@@ -934,7 +934,7 @@ static int unpack_cmd(int argc, char *argv[])
snprintf(outdir, sizeof(outdir), "%s", optarg);
break;
default:
- unpack_usage();
+ unpack_usage(EXIT_FAILURE);
}
}
argc -= optind;
@@ -942,7 +942,7 @@ static int unpack_cmd(int argc, char *argv[])
free(opts);
if (argc == 0)
- unpack_usage();
+ unpack_usage(EXIT_SUCCESS);
parse_fip(argv[0], NULL);
@@ -986,7 +986,7 @@ static int unpack_cmd(int argc, char *argv[])
return 0;
}
-static void unpack_usage(void)
+static void unpack_usage(int exit_status)
{
toc_entry_t *toc_entry = toc_entries;
@@ -1003,7 +1003,7 @@ static void unpack_usage(void)
toc_entry->name);
printf("\n");
printf("If no options are provided, all images will be unpacked.\n");
- exit(1);
+ exit(exit_status);
}
static int remove_cmd(int argc, char *argv[])
@@ -1017,7 +1017,7 @@ static int remove_cmd(int argc, char *argv[])
int fflag = 0;
if (argc < 2)
- remove_usage();
+ remove_usage(EXIT_FAILURE);
opts = fill_common_opts(opts, &nr_opts, no_argument);
opts = add_opt(opts, &nr_opts, "align", required_argument, OPT_ALIGN);
@@ -1053,7 +1053,7 @@ static int remove_cmd(int argc, char *argv[])
filename, sizeof(filename));
if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0)
- remove_usage();
+ remove_usage(EXIT_FAILURE);
desc = lookup_image_desc_from_uuid(&uuid);
if (desc == NULL) {
@@ -1071,7 +1071,7 @@ static int remove_cmd(int argc, char *argv[])
snprintf(outfile, sizeof(outfile), "%s", optarg);
break;
default:
- remove_usage();
+ remove_usage(EXIT_FAILURE);
}
}
argc -= optind;
@@ -1079,7 +1079,7 @@ static int remove_cmd(int argc, char *argv[])
free(opts);
if (argc == 0)
- remove_usage();
+ remove_usage(EXIT_SUCCESS);
if (outfile[0] != '\0' && access(outfile, F_OK) == 0 && !fflag)
log_errx("File %s already exists, use --force to overwrite it",
@@ -1110,7 +1110,7 @@ static int remove_cmd(int argc, char *argv[])
return 0;
}
-static void remove_usage(void)
+static void remove_usage(int exit_status)
{
toc_entry_t *toc_entry = toc_entries;
@@ -1126,7 +1126,7 @@ static void remove_usage(void)
for (; toc_entry->cmdline_name != NULL; toc_entry++)
printf(" --%-16s\t%s\n", toc_entry->cmdline_name,
toc_entry->name);
- exit(1);
+ exit(exit_status);
}
static int version_cmd(int argc, char *argv[])
@@ -1140,10 +1140,10 @@ static int version_cmd(int argc, char *argv[])
return 0;
}
-static void version_usage(void)
+static void version_usage(int exit_status)
{
printf("fiptool version\n");
- exit(1);
+ exit(exit_status);
}
static int help_cmd(int argc, char *argv[])
@@ -1157,7 +1157,7 @@ static int help_cmd(int argc, char *argv[])
for (i = 0; i < NELEM(cmds); i++) {
if (strcmp(cmds[i].name, argv[0]) == 0 &&
cmds[i].usage != NULL)
- cmds[i].usage();
+ cmds[i].usage(EXIT_SUCCESS);
}
if (i == NELEM(cmds))
printf("No help for subcommand '%s'\n", argv[0]);
@@ -1178,7 +1178,7 @@ static void usage(void)
printf(" remove\tRemove images from FIP.\n");
printf(" version\tShow fiptool version.\n");
printf(" help\t\tShow help for given command.\n");
- exit(1);
+ exit(EXIT_SUCCESS);
}
int main(int argc, char *argv[])
diff --git a/tools/fiptool/fiptool.h b/tools/fiptool/fiptool.h
index af3fcbdee..88c4a7edb 100644
--- a/tools/fiptool/fiptool.h
+++ b/tools/fiptool/fiptool.h
@@ -48,7 +48,7 @@ typedef struct image {
typedef struct cmd {
char *name;
int (*handler)(int, char **);
- void (*usage)(void);
+ void (*usage)(int);
} cmd_t;
#endif /* FIPTOOL_H */
diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c
index 86b8581f8..c1e5217f0 100644
--- a/tools/fiptool/tbbr_config.c
+++ b/tools/fiptool/tbbr_config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -69,6 +69,11 @@ toc_entry_t toc_entries[] = {
},
/* Dynamic Configs */
{
+ .name = "FW_CONFIG",
+ .uuid = UUID_FW_CONFIG,
+ .cmdline_name = "fw-config"
+ },
+ {
.name = "HW_CONFIG",
.uuid = UUID_HW_CONFIG,
.cmdline_name = "hw-config"
@@ -152,6 +157,16 @@ toc_entry_t toc_entries[] = {
.cmdline_name = "nt-fw-cert"
},
{
+ .name = "SiP owned Secure Partition content certificate",
+ .uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
+ .cmdline_name = "sip-sp-cert"
+ },
+ {
+ .name = "Platform owned Secure Partition content certificate",
+ .uuid = UUID_PLAT_SECURE_PARTITION_CONTENT_CERT,
+ .cmdline_name = "plat-sp-cert"
+ },
+ {
.name = NULL,
.uuid = { {0} },
.cmdline_name = NULL,
diff --git a/tools/fiptool/win_posix.c b/tools/fiptool/win_posix.c
index 48feb162e..33b44d4c6 100644
--- a/tools/fiptool/win_posix.c
+++ b/tools/fiptool/win_posix.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017 - 2020, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -137,7 +137,8 @@ int getopt(int argc,
* Note that we only match over the shorter length of the pair, to allow
* for abbreviation or say --match=value
* Long option names may be abbreviated if the abbreviation is unique or an
- * exact match for some defined option.
+ * exact match for some defined option. This function does not check that the
+ * abbreviations are unique and should be handled by the caller.
* A long option may take a parameter, of the form --opt=param or --opt param.
*/
static
@@ -160,42 +161,72 @@ int getopt_1long(const int argc,
{
int result = RET_UNKNOWN_OPT;
size_t loptn = 0;
+ bool match_found = false;
- while (longopts[loptn].name != 0) {
- if (optmatch(optname, longopts[loptn].name) == 0) {
- /* We found a match. */
- result = longopts[loptn].val;
- if (indexptr != 0)
- *indexptr = loptn;
- switch (longopts[loptn].has_arg) {
- case required_argument:
- if ((optind + 1) >= argc) {
- /* Missing argument. */
- optopt = result;
- return RET_NO_PARAM;
- }
- /* Fallthrough to get option value. */
+ /*
+ * Long option names may be abbreviated if the abbreviation
+ * is unique or an exact match for some defined option.
+ * To handle this:
+ * - First search for an exact match.
+ * - If exact match was not found search for a abbreviated match.
+ * By doing this an incorrect option selection can be avoided.
+ */
- case optional_argument:
- if ((argc - optind) > 0) {
- /* Found argument. */
- optarg = argv[++optind];
- }
- /* Fallthrough to handle flag. */
+ /* 1. Search for an exact match. */
+ while (longopts[loptn].name != NULL) {
+ if (strcmp(optname, longopts[loptn].name) == 0) {
+ match_found = true;
+ break;
+ }
+ ++loptn;
+ }
- case no_argument:
- optind++;
- if (longopts[loptn].flag != 0) {
- *longopts[loptn].flag = result;
- result = 0;
- }
+ /* 2. If exact match was not found search for a abbreviated match. */
+ if (!match_found) {
+ loptn = 0;
+ while (longopts[loptn].name != NULL) {
+ if (optmatch(optname, longopts[loptn].name) == 0) {
+ match_found = true;
break;
+ }
+ ++loptn;
+ }
+ }
+
+ if (match_found) {
+ /* We found a match. */
+ result = longopts[loptn].val;
+ if (indexptr != 0) {
+ *indexptr = loptn;
+ }
+ switch (longopts[loptn].has_arg) {
+ case required_argument:
+ if ((optind + 1) >= argc) {
+ /* Missing argument. */
+ optopt = result;
+ return RET_NO_PARAM;
+ }
+ /* Fallthrough to get option value. */
+ case optional_argument:
+ if ((argc - optind) > 0) {
+ /* Found argument. */
+ optarg = argv[++optind];
}
- return result;
+ /* Fallthrough to handle flag. */
+
+ case no_argument:
+ optind++;
+ if (longopts[loptn].flag != 0) {
+ *longopts[loptn].flag = result;
+ result = 0;
+ }
+ break;
+
}
- ++loptn;
+ return result;
}
+
/*
* If getopt finds an option character in argv that was not included
* in options, ... it returns '?' and sets the external variable
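Review bot: The abbreviated-match pass stops at the first table entry that `optmatch()` accepts, so an abbreviation that fits several options silently selects whichever is listed first. The updated function comment defers uniqueness to the caller, but a caller cannot see which candidates matched. Counting the matches and treating more than one as unknown keeps a mistyped option from being taken as a different one. `getopt_1long()` starts and ends outside this hunk, so the behaviour of the unknown-option path after the `if (match_found)` block is assumed from the trailing comment.

```c
	/* 2. If exact match was not found search for a abbreviated match. */
	if (!match_found) {
		size_t idx = 0;
		size_t nmatch = 0;

		while (longopts[idx].name != NULL) {
			if (optmatch(optname, longopts[idx].name) == 0) {
				if (nmatch++ == 0) {
					loptn = idx;
				}
			}
			++idx;
		}
		/* Reject an abbreviation that fits more than one option. */
		match_found = (nmatch == 1);
	}
	/* … unchanged: if (match_found) { … } argument handling … */
```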
diff --git a/tools/fiptool/win_posix.h b/tools/fiptool/win_posix.h
index 836ffed31..6f0d8e6b6 100644
--- a/tools/fiptool/win_posix.h
+++ b/tools/fiptool/win_posix.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2020, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -9,13 +9,15 @@
#define _CRT_SECURE_NO_WARNINGS
-#include <direct.h>
-#include <io.h>
+#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
+#include <direct.h>
+#include <io.h>
+
#include "uuid.h"
/* Derive or provide Windows equivalents of Posix/GCC/Unix stuff. */
diff --git a/tools/marvell/doimage/doimage.c b/tools/marvell/doimage/doimage.c
index 82fd375f1..e08b82072 100644
--- a/tools/marvell/doimage/doimage.c
+++ b/tools/marvell/doimage/doimage.c
@@ -51,7 +51,7 @@
/* Number of address pairs in control array */
#define CP_CTRL_EL_ARRAY_SZ 32
-#define VERSION_STRING "Marvell(C) doimage utility version 3.2"
+#define VERSION_STRING "Marvell(C) doimage utility version 3.3"
/* A8K definitions */
@@ -303,7 +303,7 @@ int create_rsa_signature(mbedtls_pk_context *pk_ctx,
MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
/* First compute the SHA256 hash for the input blob */
- mbedtls_sha256(input, ilen, hash, 0);
+ mbedtls_sha256_ret(input, ilen, hash, 0);
/* Then calculate the hash signature */
rval = mbedtls_rsa_rsassa_pss_sign(mbedtls_pk_rsa(*pk_ctx),
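Review bot: `mbedtls_sha256_ret()` returns an error code, but the result is discarded here and at the other three call sites this commit converts (`verify_rsa_signature`, `image_encrypt`, `parse_image`), so a failed hash would pass a possibly uninitialised `hash` buffer on to signing, verification or IV derivation. Capture it, e.g. `rval = mbedtls_sha256_ret(input, ilen, hash, 0);` followed by `if (rval != 0)` and the function's existing error exit. `create_rsa_signature()` extends beyond the hunk, so the exact error label is not visible.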
@@ -354,6 +354,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
mbedtls_pk_context pk_ctx;
unsigned char hash[32];
int rval;
+ unsigned char *pkey = (unsigned char *)pub_key;
/* Not sure this is required,
* but it's safer to start with empty buffer
@@ -373,8 +374,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
}
/* Check ability to read the public key */
- rval = mbedtls_pk_parse_public_key(&pk_ctx, pub_key,
- MAX_RSA_DER_BYTE_LEN);
+ rval = mbedtls_pk_parse_subpubkey(&pkey, pub_key + klen, &pk_ctx);
if (rval != 0) {
fprintf(stderr, " Failed in pk_parse_public_key (%#x)!\n",
rval);
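Review bot: The failure message still names `pk_parse_public_key` although the call is now `mbedtls_pk_parse_subpubkey()`; update it to `" Failed in pk_parse_subpubkey (%#x)!\n"` so logs point at the right routine. The new call bounds parsing with `pub_key + klen`, but nothing in the hunk checks where `pkey` stopped, so bytes after the key structure are presumably ignored. A short comment stating that the key field is zero-padded and trailing data is intentionally not inspected would make that explicit. The `pkey` cast that drops `const` is in the previous hunk and exists only because the API takes `unsigned char **`.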
@@ -387,7 +387,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
MBEDTLS_MD_SHA256);
/* Compute the SHA256 hash for the input buffer */
- mbedtls_sha256(input, ilen, hash, 0);
+ mbedtls_sha256_ret(input, ilen, hash, 0);
rval = mbedtls_rsa_rsassa_pss_verify(mbedtls_pk_rsa(pk_ctx),
mbedtls_ctr_drbg_random,
@@ -458,7 +458,7 @@ int image_encrypt(uint8_t *buf, uint32_t blen)
/* compute SHA-256 digest of the results
* and use it as the init vector (IV)
*/
- mbedtls_sha256(IV, AES_BLOCK_SZ, digest, 0);
+ mbedtls_sha256_ret(IV, AES_BLOCK_SZ, digest, 0);
memcpy(IV, digest, AES_BLOCK_SZ);
mbedtls_aes_setkey_enc(&aes_ctx, opts.sec_opts->aes_key,
AES_KEY_BIT_LEN);
@@ -880,11 +880,13 @@ int format_sec_ext(char *filename, FILE *out_fd)
fname);
return 1;
}
+
/* Data in the output buffer is aligned to the buffer end */
der_buf_start = output_buf + sizeof(output_buf) - output_len;
/* In the header DER data is aligned
* to the start of appropriate field
*/
+ bzero(out_der_key, MAX_RSA_DER_BYTE_LEN);
memcpy(out_der_key, der_buf_start, output_len);
} /* for every private key file */
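Review bot: `bzero()` is a legacy BSD call that newer POSIX editions dropped; `memset(out_der_key, 0, MAX_RSA_DER_BYTE_LEN);` does the same job portably. The `memcpy()` that follows copies `output_len` bytes into the same field, and nothing in the hunk shows `output_len` being compared with `MAX_RSA_DER_BYTE_LEN`. If no earlier check exists, add `if (output_len > MAX_RSA_DER_BYTE_LEN) return 1;` before the copy. `format_sec_ext()` starts and ends outside the hunk.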
@@ -899,8 +901,10 @@ int format_sec_ext(char *filename, FILE *out_fd)
fprintf(stderr, "Failed to sign CSK keys block!\n");
return 1;
}
+
/* Check that everything is correct */
- if (verify_rsa_signature(sec_ext.kak_key, MAX_RSA_DER_BYTE_LEN,
+ if (verify_rsa_signature(sec_ext.kak_key,
+ MAX_RSA_DER_BYTE_LEN,
&sec_ext.csk_keys[0][0],
sizeof(sec_ext.csk_keys),
opts.sec_opts->kak_key_file,
@@ -1333,7 +1337,7 @@ int parse_image(uint8_t *buf, int size)
goto error;
}
- mbedtls_sha256(sec_entry->kak_key,
+ mbedtls_sha256_ret(sec_entry->kak_key,
MAX_RSA_DER_BYTE_LEN, hash, 0);
fprintf(stdout,
">>>>>>>>>> KAK KEY HASH >>>>>>>>>>\n");
@@ -1559,13 +1563,9 @@ error:
int write_boot_image(uint8_t *buf, uint32_t image_size, FILE *out_fd)
{
- int aligned_size;
int written;
- /* Image size must be aligned to 4 bytes */
- aligned_size = (image_size + 3) & (~0x3);
-
- written = fwrite(buf, aligned_size, 1, out_fd);
+ written = fwrite(buf, image_size, 1, out_fd);
if (written != 1) {
fprintf(stderr, "Error: Failed to write boot image\n");
goto error;
@@ -1587,7 +1587,7 @@ int main(int argc, char *argv[])
int ext_cnt = 0;
int opt;
int ret = 0;
- int image_size;
+ int image_size, file_size;
uint8_t *image_buf = NULL;
int read;
size_t len;
@@ -1683,16 +1683,18 @@ int main(int argc, char *argv[])
goto main_exit;
}
- /* Read the input file to buffer */
- image_size = get_file_size(in_file);
- image_buf = calloc((image_size + AES_BLOCK_SZ - 1) &
- ~(AES_BLOCK_SZ - 1), 1);
+ /* Read the input file to buffer
+ * Always align the image to 16 byte boundary
+ */
+ file_size = get_file_size(in_file);
+ image_size = (file_size + AES_BLOCK_SZ - 1) & ~(AES_BLOCK_SZ - 1);
+ image_buf = calloc(image_size, 1);
if (image_buf == NULL) {
fprintf(stderr, "Error: failed allocating input buffer\n");
return 1;
}
- read = fread(image_buf, image_size, 1, in_fd);
+ read = fread(image_buf, file_size, 1, in_fd);
if (read != 1) {
fprintf(stderr, "Error: failed to read input file\n");
goto main_exit;
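Review bot: `file_size` goes straight from `get_file_size` into the rounding `image_size = (file_size + AES_BLOCK_SZ - 1) & ~(AES_BLOCK_SZ - 1)` and into `fread` with no check. get_file_size is not visible here; if it can return a negative value on error, that value becomes a very large `size_t` in `calloc` and `fread`, and a size near `INT_MAX` overflows the signed addition. A guard before the rounding, e.g. `if (file_size <= 0 || file_size > INT_MAX - AES_BLOCK_SZ)` with an error message and `goto main_exit;`, would cover both. The unchanged `return 1` after a failed `calloc` also bypasses the `main_exit` path the other failures take, so it is worth confirming nothing opened earlier needs that cleanup.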
diff --git a/tools/memory/print_memory_map.py b/tools/memory/print_memory_map.py
index 35cccd38c..8a84018e7 100755
--- a/tools/memory/print_memory_map.py
+++ b/tools/memory/print_memory_map.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (c) 2019, Arm Limited. All rights reserved.
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -22,6 +22,7 @@ blx_symbols = ['__BL1_RAM_START__', '__BL1_RAM_END__',
'__DATA_START__', '__DATA_END__',
'__STACKS_START__', '__STACKS_END__',
'__BSS_END',
+ '__COHERENT_RAM_START__', '__COHERENT_RAM_END__',
]
# Regex to extract address from map file
@@ -31,8 +32,11 @@ address_pattern = re.compile(r"\b0x\w*")
address_list = []
# Get the directory from command line or use a default one
+inverted_print = True
if len(sys.argv) >= 2:
build_dir = sys.argv[1]
+ if len(sys.argv) >= 3:
+ inverted_print = sys.argv[2] == '0'
else:
build_dir = 'build/fvp/debug'
@@ -43,7 +47,10 @@ for image in bl_images:
with open (file_path, 'rt') as mapfile:
for line in mapfile:
for symbol in blx_symbols:
- if line.find(symbol) > 0 and line.find("ASSERT") < 0:
+ # Regex to find symbol definition
+ line_pattern = re.compile(r"\b0x\w*\s*" + symbol + "\s= .")
+ match = line_pattern.search(line)
+ if match:
# Extract address from line
match = address_pattern.search(line)
if match:
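Review bot: The new pattern is built from `"\s= ."`, a non-raw string containing `\s`, which Python reports as an invalid escape sequence (a DeprecationWarning today, stricter in later releases); it needs the `r` prefix like the first fragment. `symbol` is also concatenated unescaped, and the pattern is recompiled for every line and every symbol. Compiling once per symbol ahead of the file loop with `re.compile(r"\b0x\w*\s*" + re.escape(symbol) + r"\s= .")` addresses all three. The inner `match = address_pattern.search(line)` reuses the name `match` from the outer test, and a distinct name would read more clearly.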
@@ -52,17 +59,21 @@ for image in bl_images:
# Sort by address
address_list.sort(key=operator.itemgetter(0))
+# Invert list for lower address at bottom
+if inverted_print:
+ address_list = reversed(address_list)
+
# Generate memory view
-print('{:-^87}'.format('Memory Map from: ' + build_dir))
-for address in reversed(address_list):
+print('{:-^93}'.format('Memory Map from: ' + build_dir))
+for address in address_list:
if "bl1" in address[2]:
- print(address[0], '+{:-^20}+ |{:^20}| |{:^20}|'.format(address[1], '', ''))
+ print(address[0], '+{:-^22}+ |{:^22}| |{:^22}|'.format(address[1], '', ''))
elif "bl2" in address[2]:
- print(address[0], '|{:^20}| +{:-^20}+ |{:^20}|'.format('', address[1], ''))
+ print(address[0], '|{:^22}| +{:-^22}+ |{:^22}|'.format('', address[1], ''))
elif "bl31" in address[2]:
- print(address[0], '|{:^20}| |{:^20}| +{:-^20}+'.format('', '', address[1]))
+ print(address[0], '|{:^22}| |{:^22}| +{:-^22}+'.format('', '', address[1]))
else:
- print(address[0], '|{:^20}| |{:^20}| +{:-^20}+'.format('', '', address[1]))
+ print(address[0], '|{:^22}| |{:^22}| +{:-^22}+'.format('', '', address[1]))
-print('{:^20}{:_^20} {:_^20} {:_^20}'.format('', '', '', ''))
-print('{:^20}{:^20} {:^20} {:^20}'.format('address', 'bl1', 'bl2', 'bl31'))
+print('{:^20}{:_^22} {:_^22} {:_^22}'.format('', '', '', ''))
+print('{:^20}{:^22} {:^22} {:^22}'.format('address', 'bl1', 'bl2', 'bl31'))
diff --git a/tools/renesas/rzg_layout_create/makefile b/tools/renesas/rzg_layout_create/makefile
new file mode 100644
index 000000000..2d438b923
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/makefile
@@ -0,0 +1,118 @@
+#
+# Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+###################################################
+# makefile
+###################################################
+
+#output file name
+FILE_NAME_SA0 = bootparam_sa0
+FILE_NAME_SA6 = cert_header_sa6
+
+OUTPUT_FILE_SA0 = $(FILE_NAME_SA0).elf
+OUTPUT_FILE_SA6 = $(FILE_NAME_SA6).elf
+
+#object file name
+OBJ_FILE_SA0 = sa0.o
+OBJ_FILE_SA6 = sa6.o
+
+#linker script name
+MEMORY_DEF_SA0 = sa0.ld.S
+MEMORY_DEF_SA6 = sa6.ld.S
+
+###################################################
+# Convenience function for adding build definitions
+# $(eval $(call add_define,FOO)) will have:
+# -DFOO if $(FOO) is empty; -DFOO=$(FOO) otherwise
+define add_define
+DEFINES += -D$(1)$(if $(value $(1)),=$(value $(1)),)
+endef
+
+# Process RCAR_SA0_SIZE flag
+ifndef RCAR_SA0_SIZE
+RCAR_SA0_SIZE := 1
+else
+ifeq (${RCAR_SA0_SIZE},0)
+RCAR_SA0_SIZE := 0
+else
+RCAR_SA0_SIZE := 1
+endif
+endif
+$(eval $(call add_define,RCAR_SA0_SIZE))
+
+# Process RCAR_SA6_TYPE flag
+ifndef RCAR_SA6_TYPE
+RCAR_SA6_TYPE := 0
+else
+ifeq (${RCAR_SA6_TYPE},0)
+RCAR_SA6_TYPE := 0
+else
+RCAR_SA6_TYPE := 1
+endif
+endif
+$(eval $(call add_define,RCAR_SA6_TYPE))
+
+RCAR_VMA_ADJUST_ADDR := 0xE6320000
+$(eval $(call add_define,RCAR_VMA_ADJUST_ADDR))
+
+
+###################################################
+
+#c compiler
+CC = $(CROSS_COMPILE)gcc
+CFLAGS += ${DEFINES}
+CFLAGS += -nostdinc \
+ -I../../../include/lib/libc \
+ -I../../../include/lib/libc/aarch64
+
+#Linker
+LD = $(CROSS_COMPILE)ld
+
+#objcopy
+objcopy = $(CROSS_COMPILE)objcopy
+
+#clean
+CL = rm -f
+
+###################################################
+.SUFFIXES : .s .c .o
+
+###################################################
+# command
+
+.PHONY: all
+all: $(OUTPUT_FILE_SA0) $(OUTPUT_FILE_SA6)
+###################################################
+# Linker
+###################################################
+$(OUTPUT_FILE_SA0) : $(MEMORY_DEF_SA0) $(OBJ_FILE_SA0)
+ $(LD) $(OBJ_FILE_SA0) \
+ -T $(MEMORY_DEF_SA0) \
+ -o $(OUTPUT_FILE_SA0) \
+ -Map $(FILE_NAME_SA0).map \
+
+ $(objcopy) -O srec --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3 $(OUTPUT_FILE_SA0) $(FILE_NAME_SA0).srec
+ $(objcopy) -O binary --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3 $(OUTPUT_FILE_SA0) $(FILE_NAME_SA0).bin
+
+$(OUTPUT_FILE_SA6) : $(MEMORY_DEF_SA6) $(OBJ_FILE_SA6)
+ $(LD) $(OBJ_FILE_SA6) \
+ -T $(MEMORY_DEF_SA6) \
+ -o $(OUTPUT_FILE_SA6) \
+ -Map $(FILE_NAME_SA6).map \
+
+ $(objcopy) -O srec --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3 $(OUTPUT_FILE_SA6) $(FILE_NAME_SA6).srec
+ $(objcopy) -O binary --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3 $(OUTPUT_FILE_SA6) $(FILE_NAME_SA6).bin
+
+###################################################
+# Compile
+###################################################
+
+%.o:../%.c
+ $(CC) -c -I $< -o $@
+
+.PHONY: clean
+clean:
+ $(CL) *.bin *.map *.srec *.elf *.o
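Review bot: The compile rule `%.o:../%.c` looks for sources in the parent directory, while `sa0.c` and `sa6.c` are added next to this makefile, and its recipe `$(CC) -c -I $< -o $@` passes the source file as the argument of `-I` rather than as the input. As written the rule appears never to match, so the objects would be built by make's built-in `%.o: %.c` rule instead. Spelling the intent out as `%.o: %.c` with the recipe `$(CC) $(CFLAGS) -c $< -o $@` keeps the `-nostdinc` and `-D` flags on a path this file controls. `--srec-forceS3` on the two `-O binary` objcopy lines only has meaning for srec output and can be dropped there.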
diff --git a/tools/renesas/rzg_layout_create/sa0.c b/tools/renesas/rzg_layout_create/sa0.c
new file mode 100644
index 000000000..763d3a536
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa0.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#define RCAR_SA0_SIZE_SMALL (0) /* for RZ/G2E */
+#define RCAR_SA0_SIZE_NORMAL (1) /* for RZ/G2[HMN] */
+
+#define BL2_ADDRESS (0xE6304000) /* BL2 start address */
+
+#if (RCAR_SA0_SIZE == RCAR_SA0_SIZE_SMALL)
+#define BL2_SIZE (80*1024/4) /* BL2 size is 80KB(0x00005000) */
+#else /* (RCAR_SA0_SIZE == RCAR_SA0_SIZE_SMALL) */
+#define BL2_SIZE (170*1024/4) /* BL2 size is 170KB(0x0000AA00) */
+#endif /* (RCAR_SA0_SIZE == RCAR_SA0_SIZE_SMALL) */
+
+/* SA0 */
+/* 0x00000000 */
+const unsigned int __attribute__ ((section(".sa0_bootrom"))) bootrom_paramA = 0x00000100;
+/* 0x00000080 (Map Type 3 for eMMC Boot)*/
+/* 0x000001D4 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_addr3"))) bl2dst_addr3 = BL2_ADDRESS;
+/* 0x000002E4 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_size3"))) bl2dst_size3 = BL2_SIZE;
+/* 0x00000C00 (Map Type 1 for HyperFlash/QSPI Flash Boot)*/
+/* 0x00000D54 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_addr1"))) bl2dst_addr1 = BL2_ADDRESS;
+/* 0x00000E64 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_size1"))) bl2dst_size1 = BL2_SIZE;
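Review bot: `RCAR_SA0_SIZE` has no fallback in this file, so a build that does not pass `-DRCAR_SA0_SIZE` evaluates it as 0 in the `#if` and silently selects the 80KB layout, whereas the makefile added in this commit defaults it to 1. A guard ahead of the `#if`, `#ifndef RCAR_SA0_SIZE` / `#error "RCAR_SA0_SIZE must be defined"` / `#endif`, would turn that into a build failure. sa6.c tests `RCAR_SA6_TYPE` the same way, although there the implicit 0 matches the makefile default. The `BL2_SIZE` comments could also say that the stored value is the byte size divided by 4, since `0x00005000` and `0x0000AA00` are not 80KB and 170KB in bytes.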
diff --git a/tools/renesas/rzg_layout_create/sa0.ld.S b/tools/renesas/rzg_layout_create/sa0.ld.S
new file mode 100644
index 000000000..23e2b237f
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa0.ld.S
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+SECTIONS
+{
+ . = 0x00000000;
+ .rodata : {
+ KEEP(*(.sa0_bootrom))
+ /* Map Type 3 for eMMC Boot */
+ /* A-side IPL content cert "Start Address" */
+ . = 0x000001D4; /* H'00000080 + H'00000154 */
+ KEEP(*(.sa0_bl2dst_addr3))
+ /* A-side IPL content cert "Size" */
+ . = 0x000002E4; /* H'00000080 + H'00000264 */
+ KEEP(*(.sa0_bl2dst_size3))
+ /* Map Type 1 for HyperFlash/QSPI Flash Boot */
+ /* A-side IPL content cert "Start Address" */
+ . = 0x00000D54; /* H'00000C00 + H'00000154 */
+ KEEP(*(.sa0_bl2dst_addr1))
+ /* A-side IPL content cert "Size" */
+ . = 0x00000E64; /* H'00000C00 + H'00000264 */
+ KEEP(*(.sa0_bl2dst_size1))
+ }
+
+}
diff --git a/tools/renesas/rzg_layout_create/sa6.c b/tools/renesas/rzg_layout_create/sa6.c
new file mode 100644
index 000000000..76e3dc5e3
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa6.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#define RCAR_SA6_TYPE_QSPIFLASH (0)
+#define RCAR_SA6_TYPE_EMMC (1)
+
+#if (RCAR_SA6_TYPE == RCAR_SA6_TYPE_QSPIFLASH)
+
+/* Number of content cert for Non-secure Target Program(BL33x) */
+#define RCAR_IMAGE_NUM (0x00000001U)
+/* Source address on flash for BL31 */
+#define RCAR_BL31SRC_ADDRESS (0x001C0000U)
+/* Reserved */
+#define RCAR_BL31_PARTITION (0x00000000U)
+/* Source address on flash for BL32 */
+#define RCAR_BL32SRC_ADDRESS (0x00200000U)
+/* Reserved */
+#define RCAR_BL32_PARTITION (0x00000000U)
+/* Source address on flash for BL33 */
+#define RCAR_BL33SRC_ADDRESS (0x00300000U)
+/* Reserved */
+#define RCAR_BL33_PARTITION (0x00000000U)
+#define RCAR_BL332SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL332_PARTITION (0x00000000U)
+#define RCAR_BL333SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL333_PARTITION (0x00000000U)
+#define RCAR_BL334SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL334_PARTITION (0x00000000U)
+#define RCAR_BL335SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL335_PARTITION (0x00000000U)
+#define RCAR_BL336SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL336_PARTITION (0x00000000U)
+#define RCAR_BL337SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL337_PARTITION (0x00000000U)
+#define RCAR_BL338SRC_ADDRESS (0x00000000U)
+/* Reserved */
+#define RCAR_BL338_PARTITION (0x00000000U)
+
+#else /* RCAR_SA6_TYPE == RCAR_SA6_TYPE_EMMC */
+
+/* Number of content cert for Non-secure Target Program(BL33x) */
+#define RCAR_IMAGE_NUM (0x00000001U)
+/* Source address on eMMC for BL31 */
+#define RCAR_BL31SRC_ADDRESS (0x00040000U)
+/* Source partition on eMMC for BL31 */
+#define RCAR_BL31_PARTITION (0x00000001U)
+/* Source address on eMMC for BL32 */
+#define RCAR_BL32SRC_ADDRESS (0x00200000U)
+/* Source partition on eMMC for BL32 */
+#define RCAR_BL32_PARTITION (0x00000001U)
+/* Source address on eMMC for BL33 */
+#define RCAR_BL33SRC_ADDRESS (0x00000000U)
+/* Source partition on eMMC for BL33 */
+#define RCAR_BL33_PARTITION (0x00000002U)
+/* Reserved */
+#define RCAR_BL332SRC_ADDRESS (0x00000000U)
+#define RCAR_BL332_PARTITION (0x00000000U)
+/* Reserved */
+#define RCAR_BL333SRC_ADDRESS (0x00000000U)
+#define RCAR_BL333_PARTITION (0x00000000U)
+/* Reserved */
+#define RCAR_BL334SRC_ADDRESS (0x00000000U)
+#define RCAR_BL334_PARTITION (0x00000000U)
+/* Reserved */
+#define RCAR_BL335SRC_ADDRESS (0x00000000U)
+#define RCAR_BL335_PARTITION (0x00000000U)
+/* Reserved */
+#define RCAR_BL336SRC_ADDRESS (0x00000000U)
+#define RCAR_BL336_PARTITION (0x00000000U)
+/* Reserved */
+#define RCAR_BL337SRC_ADDRESS (0x00000000U)
+#define RCAR_BL337_PARTITION (0x00000000U)
+/* Reserved */
+#define RCAR_BL338SRC_ADDRESS (0x00000000U)
+#define RCAR_BL338_PARTITION (0x00000000U)
+
+#endif /* RCAR_SA6_TYPE == RCAR_SA6_TYPE_QSPIFLASH */
+
+/* Destination address for BL31 */
+#define RCAR_BL31DST_ADDRESS (0x44000000U)
+#define RCAR_BL31DST_ADDRESSH (0x00000000U)
+/* Destination size for BL31 */
+#define RCAR_BL31DST_SIZE (0x00004000U)
+/* Destination address for BL32 */
+#define RCAR_BL32DST_ADDRESS (0x44100000U)
+#define RCAR_BL32DST_ADDRESSH (0x00000000U)
+/* Destination size for BL32 */
+#define RCAR_BL32DST_SIZE (0x00040000U)
+/* Destination address for BL33 */
+#define RCAR_BL33DST_ADDRESS (0x50000000U)
+#define RCAR_BL33DST_ADDRESSH (0x00000000U)
+/* Destination size for BL33 */
+#define RCAR_BL33DST_SIZE (0x00040000U)
+/* Reserved */
+#define RCAR_BL332DST_ADDRESS (0x00000000U)
+#define RCAR_BL332DST_ADDRESSH (0x00000000U)
+#define RCAR_BL332DST_SIZE (0x00000000U)
+/* Reserved */
+#define RCAR_BL333DST_ADDRESS (0x00000000U)
+#define RCAR_BL333DST_ADDRESSH (0x00000000U)
+#define RCAR_BL333DST_SIZE (0x00000000U)
+/* Reserved */
+#define RCAR_BL334DST_ADDRESS (0x00000000U)
+#define RCAR_BL334DST_ADDRESSH (0x00000000U)
+#define RCAR_BL334DST_SIZE (0x00000000U)
+/* Reserved */
+#define RCAR_BL335DST_ADDRESS (0x00000000U)
+#define RCAR_BL335DST_ADDRESSH (0x00000000U)
+#define RCAR_BL335DST_SIZE (0x00000000U)
+/* Reserved */
+#define RCAR_BL336DST_ADDRESS (0x00000000U)
+#define RCAR_BL336DST_ADDRESSH (0x00000000U)
+#define RCAR_BL336DST_SIZE (0x00000000U)
+/* Reserved */
+#define RCAR_BL337DST_ADDRESS (0x00000000U)
+#define RCAR_BL337DST_ADDRESSH (0x00000000U)
+#define RCAR_BL337DST_SIZE (0x00000000U)
+/* Reserved */
+#define RCAR_BL338DST_ADDRESS (0x00000000U)
+#define RCAR_BL338DST_ADDRESSH (0x00000000U)
+#define RCAR_BL338DST_SIZE (0x00000000U)
+
+/* SA6 */
+const uint64_t __attribute__ ((section(".sa6_image_num")))
+ image_num = RCAR_IMAGE_NUM;
+const uint64_t __attribute__ ((section(".sa6_bl31src_addr")))
+ bl31src_addr = RCAR_BL31SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl31partition")))
+ bl31partition = RCAR_BL31_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl32src_addr")))
+ bl32src_addr = RCAR_BL32SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl32partition")))
+ bl32partition = RCAR_BL32_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl33src_addr")))
+ bl33src_addr = RCAR_BL33SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl33partition")))
+ bl33partition = RCAR_BL33_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl332src_addr")))
+ bl332src_addr = RCAR_BL332SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl332partition")))
+ bl332partition = RCAR_BL332_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl333src_addr")))
+ bl333src_addr = RCAR_BL333SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl333partition")))
+ bl333partition = RCAR_BL333_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl334src_addr")))
+ bl334src_addr = RCAR_BL334SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl334partition")))
+ bl334partition = RCAR_BL334_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl335src_addr")))
+ bl335src_addr = RCAR_BL335SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl335partition")))
+ bl335partition = RCAR_BL335_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl336src_addr")))
+ bl336src_addr = RCAR_BL336SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl336partition")))
+ bl336partition = RCAR_BL336_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl337src_addr")))
+ bl337src_addr = RCAR_BL337SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl337partition")))
+ bl337partition = RCAR_BL337_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl338src_addr")))
+ bl338src_addr = RCAR_BL338SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl338partition")))
+ bl338partition = RCAR_BL338_PARTITION;
+const uint32_t __attribute__ ((section(".sa6_bl31dst_addr")))
+ bl31dst_addr = RCAR_BL31DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl31dst_addrh")))
+ bl31dst_addrh = RCAR_BL31DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl31dst_size")))
+ bl31dst_size = RCAR_BL31DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl32dst_addr")))
+ bl32dst_addr = RCAR_BL32DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl32dst_addrh")))
+ bl32dst_addrh = RCAR_BL32DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl32dst_size")))
+ bl32dst_size = RCAR_BL32DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl33dst_addr")))
+ bl33dst_addr = RCAR_BL33DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl33dst_addrh")))
+ bl33dst_addrh = RCAR_BL33DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl33dst_size")))
+ bl33dst_size = RCAR_BL33DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl332dst_addr")))
+ bl332dst_addr = RCAR_BL332DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl332dst_addrh")))
+ bl332dst_addrh = RCAR_BL332DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl332dst_size")))
+ bl332dst_size = RCAR_BL332DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl333dst_addr")))
+ bl333dst_addr = RCAR_BL333DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl333dst_addrh")))
+ bl333dst_addrh = RCAR_BL333DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl333dst_size")))
+ bl333dst_size = RCAR_BL333DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl334dst_addr")))
+ bl334dst_addr = RCAR_BL334DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl334dst_addrh")))
+ bl334dst_addrh = RCAR_BL334DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl334dst_size")))
+ bl334dst_size = RCAR_BL334DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl335dst_addr")))
+ bl335dst_addr = RCAR_BL335DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl335dst_addrh")))
+ bl335dst_addrh = RCAR_BL335DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl335dst_size")))
+ bl335dst_size = RCAR_BL335DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl336dst_addr")))
+ bl336dst_addr = RCAR_BL336DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl336dst_addrh")))
+ bl336dst_addrh = RCAR_BL336DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl336dst_size")))
+ bl336dst_size = RCAR_BL336DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl337dst_addr")))
+ bl337dst_addr = RCAR_BL337DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl337dst_addrh")))
+ bl337dst_addrh = RCAR_BL337DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl337dst_size")))
+ bl337dst_size = RCAR_BL337DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl338dst_addr")))
+ bl338dst_addr = RCAR_BL338DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl338dst_addrh")))
+ bl338dst_addrh = RCAR_BL338DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl338dst_size")))
+ bl338dst_size = RCAR_BL338DST_SIZE;
diff --git a/tools/renesas/rzg_layout_create/sa6.ld.S b/tools/renesas/rzg_layout_create/sa6.ld.S
new file mode 100644
index 000000000..efe40b0c8
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa6.ld.S
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+SECTIONS
+{
+ . = 0x00000000;
+ .rodata : {
+ KEEP(*(.sa6_image_num))
+ . = 0x00000008;
+ KEEP(*(.sa6_bl31src_addr))
+ . = 0x00000010;
+ KEEP(*(.sa6_bl31partition))
+ . = 0x00000018;
+ KEEP(*(.sa6_bl32src_addr))
+ . = 0x00000020;
+ KEEP(*(.sa6_bl32partition))
+ . = 0x00000028;
+ KEEP(*(.sa6_bl33src_addr))
+ . = 0x00000030;
+ KEEP(*(.sa6_bl33partition))
+ . = 0x00000038;
+ KEEP(*(.sa6_bl332src_addr))
+ . = 0x00000040;
+ KEEP(*(.sa6_bl332partition))
+ . = 0x00000048;
+ KEEP(*(.sa6_bl333src_addr))
+ . = 0x00000050;
+ KEEP(*(.sa6_bl333partition))
+ . = 0x00000058;
+ KEEP(*(.sa6_bl334src_addr))
+ . = 0x00000060;
+ KEEP(*(.sa6_bl334partition))
+ . = 0x00000068;
+ KEEP(*(.sa6_bl335src_addr))
+ . = 0x00000070;
+ KEEP(*(.sa6_bl335partition))
+ . = 0x00000078;
+ KEEP(*(.sa6_bl336src_addr))
+ . = 0x00000080;
+ KEEP(*(.sa6_bl336partition))
+ . = 0x00000088;
+ KEEP(*(.sa6_bl337src_addr))
+ . = 0x00000090;
+ KEEP(*(.sa6_bl337partition))
+ . = 0x00000098;
+ KEEP(*(.sa6_bl338src_addr))
+ . = 0x000000A0;
+ KEEP(*(.sa6_bl338partition))
+ . = 0x00000554;
+ KEEP(*(.sa6_bl31dst_addr))
+ . = 0x00000558;
+ KEEP(*(.sa6_bl31dst_addrh))
+ . = 0x00000664;
+ KEEP(*(.sa6_bl31dst_size))
+ . = 0x00000D54;
+ KEEP(*(.sa6_bl32dst_addr))
+ . = 0x00000D58;
+ KEEP(*(.sa6_bl32dst_addrh))
+ . = 0x00000E64;
+ KEEP(*(.sa6_bl32dst_size))
+ . = 0x00001554;
+ KEEP(*(.sa6_bl33dst_addr))
+ . = 0x00001558;
+ KEEP(*(.sa6_bl33dst_addrh))
+ . = 0x00001664;
+ KEEP(*(.sa6_bl33dst_size))
+ . = 0x00001D54;
+ KEEP(*(.sa6_bl332dst_addr))
+ . = 0x00001D58;
+ KEEP(*(.sa6_bl332dst_addrh))
+ . = 0x00001E64;
+ KEEP(*(.sa6_bl332dst_size))
+ . = 0x00002554;
+ KEEP(*(.sa6_bl333dst_addr))
+ . = 0x00002558;
+ KEEP(*(.sa6_bl333dst_addrh))
+ . = 0x00002664;
+ KEEP(*(.sa6_bl333dst_size))
+ . = 0x00002D54;
+ KEEP(*(.sa6_bl334dst_addr))
+ . = 0x00002D58;
+ KEEP(*(.sa6_bl334dst_addrh))
+ . = 0x00002E64;
+ KEEP(*(.sa6_bl334dst_size))
+ . = 0x00003554;
+ KEEP(*(.sa6_bl335dst_addr))
+ . = 0x00003558;
+ KEEP(*(.sa6_bl335dst_addrh))
+ . = 0x00003664;
+ KEEP(*(.sa6_bl335dst_size))
+ . = 0x00003D54;
+ KEEP(*(.sa6_bl336dst_addr))
+ . = 0x00003D58;
+ KEEP(*(.sa6_bl336dst_addrh))
+ . = 0x00003E64;
+ KEEP(*(.sa6_bl336dst_size))
+ . = 0x00004554;
+ KEEP(*(.sa6_bl337dst_addr))
+ . = 0x00004558;
+ KEEP(*(.sa6_bl337dst_addrh))
+ . = 0x00004664;
+ KEEP(*(.sa6_bl337dst_size))
+ . = 0x00004D54;
+ KEEP(*(.sa6_bl338dst_addr))
+ . = 0x00004D58;
+ KEEP(*(.sa6_bl338dst_addrh))
+ . = 0x00004E64;
+ KEEP(*(.sa6_bl338dst_size))
+ }
+
+}
diff --git a/tools/sptool/Makefile b/tools/sptool/Makefile
index 9325207c4..1fa85fb20 100644
--- a/tools/sptool/Makefile
+++ b/tools/sptool/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2018, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -8,7 +8,8 @@ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk
-PROJECT := sptool${BIN_EXT}
+SPTOOL ?= sptool${BIN_EXT}
+PROJECT := $(notdir ${SPTOOL})
OBJECTS := sptool.o
V ?= 0
diff --git a/tools/sptool/sp_mk_generator.py b/tools/sptool/sp_mk_generator.py
new file mode 100755
index 000000000..a37e702bb
--- /dev/null
+++ b/tools/sptool/sp_mk_generator.py
@@ -0,0 +1,137 @@
+#!/usr/bin/python3
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+
+"""
+This script is invoked by Make system and generates secure partition makefile.
+It expects platform provided secure partition layout file which contains list
+of Secure Partition Images and Partition manifests(PM).
+Layout file can exist outside of TF-A tree and the paths of Image and PM files
+must be relative to it.
+
+This script parses the layout file and generates a make file which updates
+FDT_SOURCES, FIP_ARGS, CRT_ARGS and SPTOOL_ARGS which are used in later build
+steps.
+This script also gets SP "uuid" from parsing its PM and converting it to a
+standard format.
+
+param1: Generated mk file "sp_gen.mk"
+param2: "SP_LAYOUT_FILE", json file containing platform provided information
+param3: plat out directory
+param4: CoT parameter
+
+Generated "sp_gen.mk" file contains triplet of following information for each
+Secure Partition entry
+ FDT_SOURCES += sp1.dts
+ SPTOOL_ARGS += -i sp1.bin:sp1.dtb -o sp1.pkg
+ FIP_ARGS += --blob uuid=XXXXX-XXX...,file=sp1.pkg
+ CRT_ARGS += --sp-pkg1 sp1.pkg
+
+A typical SP_LAYOUT_FILE file will look like
+{
+ "SP1" : {
+ "image": "sp1.bin",
+ "pm": "test/sp1.dts"
+ },
+
+ "SP2" : {
+ "image": "sp2.bin",
+ "pm": "test/sp2.dts"
+ }
+
+ ...
+}
+
+"""
+
+import getopt
+import json
+import os
+import re
+import sys
+import uuid
+
+with open(sys.argv[2],'r') as in_file:
+ data = json.load(in_file)
+json_file = os.path.abspath(sys.argv[2])
+json_dir = os.path.dirname(json_file)
+gen_file = os.path.abspath(sys.argv[1])
+out_dir = os.path.abspath(sys.argv[3])
+dtb_dir = out_dir + "/fdts/"
+MAX_SP = 8
+dualroot = sys.argv[4].lower() == "dualroot"
+split = int(MAX_SP / 2)
+print(dtb_dir)
+platform_count = 1
+sip_count = 1
+
+with open(gen_file, 'w') as out_file:
+ for idx, key in enumerate(data.keys()):
+
+ pkg_num = idx + 1
+
+ if (pkg_num > MAX_SP):
+ print("WARNING: Too many secure partitions\n")
+ exit(-1)
+
+ if dualroot:
+ owner = data[key].get('owner')
+ if owner == "Plat":
+ if (platform_count > split):
+ print("WARNING: Maximum Secure partitions by Plat " +
+ "have been exceeded (" + str(split) + ")\n")
+ exit(-1)
+ pkg_num = split + platform_count
+ platform_count += 1
+ elif (sip_count > split):
+ print("WARNING: Maximum Secure partitions by SiP " +
+ "have been exceeded (" + str(split) + ")\n")
+ exit(-1)
+ else:
+ pkg_num = sip_count
+ sip_count += 1
+
+ """
+ Append FDT_SOURCES
+ """
+ dts = os.path.join(json_dir, data[key]['pm'])
+ dtb = dtb_dir + os.path.basename(data[key]['pm'][:-1] + "b")
+ out_file.write("FDT_SOURCES += " + dts + "\n")
+
+ """
+ Update SPTOOL_ARGS
+ """
+ dst = out_dir + "/" + key + ".pkg"
+ src = [ json_dir + "/" + data[key]['image'] , dtb ]
+ out_file.write("SPTOOL_ARGS += -i " + ":".join(src) + " -o " + dst + "\n")
+
+ """
+ Extract uuid from partition manifest
+ """
+ pm_file = open(dts)
+ uuid_key = "uuid"
+
+ for line in pm_file:
+ if uuid_key in line:
+ uuid_hex = re.findall(r'\<(.+?)\>', line)[0];
+
+ # PM has uuid in format 0xABC... 0x... 0x... 0x...
+ # Get rid of '0x' and spaces and convert to string of hex digits
+ uuid_hex = uuid_hex.replace('0x','').replace(' ','')
+ # make UUID from a string of hex digits
+ uuid_std = uuid.UUID(uuid_hex)
+ # convert UUID to a string of hex digits in standard form
+ uuid_std = str(uuid_std)
+
+ """
+ Append FIP_ARGS
+ """
+ out_file.write("FIP_ARGS += --blob uuid=" + uuid_std + ",file=" + dst + "\n")
+
+ """
+ Append CRT_ARGS
+ """
+
+ out_file.write("CRT_ARGS += --sp-pkg" + str(pkg_num) + " " + dst + "\n")
+ out_file.write("\n")
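Review bot: `uuid_std` is only assigned inside the `if uuid_key in line` branch, so a partition manifest with no matching line raises a NameError for the first partition and, for any later one, silently reuses the previous partition's UUID in its `FIP_ARGS` line. Resetting it per partition and failing when nothing was found closes that, and the same rewrite can open the manifest in a `with` block, since `pm_file` is never closed. The substring test also matches any line that merely contains `uuid`, so anchoring it to the property name would be safer. Separately, `key`, `image` and `pm` from the layout file are concatenated into make assignments as-is, so a value containing whitespace, `#` or `$` changes what make parses; rejecting such values before writing keeps the generated file well-formed. `getopt` is imported but unused.

```python
        uuid_std = None
        with open(dts) as pm_file:
            for line in pm_file:
                if uuid_key in line:
                    # … unchanged: pull the <...> cells out of the line and build uuid_std …
        if uuid_std is None:
            sys.exit("ERROR: no uuid property found in " + dts)
```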
diff --git a/tools/sptool/sptool.c b/tools/sptool/sptool.c
index a33b66446..38baa2cd9 100644
--- a/tools/sptool/sptool.c
+++ b/tools/sptool/sptool.c
@@ -1,10 +1,11 @@
/*
- * Copyright (c) 2018, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stdarg.h>
+#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
@@ -16,25 +17,26 @@
#define PAGE_SIZE 4096
/*
- * Linked list of entries describing entries in the secure
- * partition package.
+ * Entry describing Secure Partition package.
*/
-struct sp_entry_info {
+struct sp_pkg_info {
/* Location of the files in the host's RAM. */
- void *sp_data, *rd_data;
+ void *img_data, *pm_data;
/* Size of the files. */
- uint64_t sp_size, rd_size;
+ uint32_t img_size, pm_size;
/* Location of the binary files inside the package output file */
- uint64_t sp_offset, rd_offset;
-
- struct sp_entry_info *next;
+ uint32_t img_offset, pm_offset;
};
-static struct sp_entry_info *sp_info_head;
-
-static uint64_t sp_count;
+/*
+ * List of input provided by user
+ */
+struct arg_list {
+ char *usr_input;
+ struct arg_list *next;
+};
/* Align an address to a power-of-two boundary. */
static unsigned int align_to(unsigned int address, unsigned int boundary)
@@ -89,26 +91,61 @@ static void xfseek(FILE *fp, long offset, int whence)
}
}
-static void cleanup(void)
+/*
+ * Free SP package structure
+ */
+static void cleanup(struct sp_pkg_info *sp)
{
- struct sp_entry_info *sp = sp_info_head;
- while (sp != NULL) {
- struct sp_entry_info *next = sp->next;
-
- if (sp->sp_data != NULL)
- free(sp->sp_data);
+ if (sp != NULL) {
+ if (sp->img_data != NULL) {
+ free(sp->img_data);
+ }
- if (sp->rd_data != NULL)
- free(sp->rd_data);
+ if (sp->pm_data != NULL) {
+ free(sp->pm_data);
+ }
free(sp);
- sp = next;
}
+}
- sp_count = 0;
- sp_info_head = NULL;
+/*
+ * Free argument list structure
+ */
+static void freelist(struct arg_list *head)
+{
+ struct arg_list *tmp;
+
+ while (head != NULL) {
+ tmp = head;
+ head = head->next;
+ free(tmp);
+ }
+}
+
+/*
+ * Append user inputs in argument list structure
+ */
+static void append_user_input(struct arg_list **head, char *args)
+{
+ struct arg_list *tmp = *head;
+
+ if (tmp == NULL) {
+ tmp = xzalloc(sizeof(struct arg_list),
+ "Failed to allocate arg_list struct");
+ tmp->usr_input = args;
+ *head = tmp;
+ } else {
+ while (tmp->next != NULL) {
+ tmp = tmp->next;
+ }
+ tmp->next = xzalloc(sizeof(struct arg_list),
+ "Failed to allocate arg_list struct");
+ tmp = tmp->next;
+ tmp->usr_input = args;
+ }
}
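Review bot: append_user_input repeats the allocation and the `usr_input` assignment in both branches; walking a pointer to the link instead of the node removes the empty-list special case. The version below relies on `xzalloc` returning zeroed memory, which the new code already assumes since it never sets `next` itself. In cleanup, the `!= NULL` tests around `free` are redundant because `free(NULL)` is a no-op, though they may be there to satisfy the project's coding rules.

```c
static void append_user_input(struct arg_list **head, char *args)
{
	struct arg_list **link = head;

	/* Stop at the terminating NULL link, which is *head for an empty list */
	while (*link != NULL) {
		link = &(*link)->next;
	}

	*link = xzalloc(sizeof(struct arg_list),
			"Failed to allocate arg_list struct");
	(*link)->usr_input = args;
}
```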
/*
@@ -116,7 +153,7 @@ static void cleanup(void)
* load the file into it. Fill 'size' with the file size. Exit the program on
* error.
*/
-static void load_file(const char *path, void **ptr, uint64_t *size)
+static void load_file(const char *path, void **ptr, uint32_t *size)
{
FILE *f = fopen(path, "rb");
if (f == NULL) {
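Review bot: Narrowing `size` to `uint32_t *` means the value load_file stores must be range-checked, and that store is outside this hunk. If it assigns the `long` result of `ftell` directly, a file larger than 4 GiB is truncated without complaint and an `ftell` failure of -1 becomes 0xFFFFFFFF, so the allocation and read that follow would use the wrong length. Reading the size into a `long` first and rejecting `sz < 0 || (unsigned long)sz > UINT32_MAX` before writing `*size` would keep the narrower `img_size` and `pm_size` fields trustworthy.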
@@ -147,59 +184,40 @@ static void load_file(const char *path, void **ptr, uint64_t *size)
fclose(f);
}
-static void load_sp_rd(char *path)
+/*
+ * Parse the string containing input payloads and fill in the
+ * SP Package data structure.
+ */
+static void load_sp_pm(char *path, struct sp_pkg_info **sp_out)
{
+ struct sp_pkg_info *sp_pkg;
+
char *split_mark = strstr(path, ":");
*split_mark = '\0';
char *sp_path = path;
- char *rd_path = split_mark + 1;
-
- struct sp_entry_info *sp;
-
- if (sp_info_head == NULL) {
- sp_info_head = xzalloc(sizeof(struct sp_entry_info),
- "Failed to allocate sp_entry_info struct");
-
- sp = sp_info_head;
- } else {
- sp = sp_info_head;
-
- while (sp->next != NULL) {
- sp = sp->next;
- }
-
- sp->next = xzalloc(sizeof(struct sp_entry_info),
- "Failed to allocate sp_entry_info struct");
+ char *pm_path = split_mark + 1;
- sp = sp->next;
- }
+ sp_pkg = xzalloc(sizeof(struct sp_pkg_info),
+ "Failed to allocate sp_pkg_info struct");
- load_file(sp_path, &sp->sp_data, &sp->sp_size);
- printf("Loaded image file %s (%lu bytes)\n", sp_path, sp->sp_size);
+ load_file(pm_path, &sp_pkg->pm_data, &sp_pkg->pm_size);
+ printf("\nLoaded SP Manifest file %s (%u bytes)\n", pm_path, sp_pkg->pm_size);
- load_file(rd_path, &sp->rd_data, &sp->rd_size);
- printf("Loaded RD file %s (%lu bytes)\n", rd_path, sp->rd_size);
+ load_file(sp_path, &sp_pkg->img_data, &sp_pkg->img_size);
+ printf("Loaded SP Image file %s (%u bytes)\n", sp_path, sp_pkg->img_size);
- sp_count++;
+ *sp_out = sp_pkg;
}
-static void output_write(const char *path)
+/*
+ * Write SP package data structure into output file.
+ */
+static void output_write(const char *path, struct sp_pkg_info *sp, bool header)
{
- struct sp_entry_info *sp;
-
- if (sp_count == 0) {
- fprintf(stderr, "error: At least one SP must be provided.\n");
- exit(1);
- }
-
- /* The layout of the structs is specified in the header file sptool.h */
-
- printf("Writing %lu partitions to output file.\n", sp_count);
-
- unsigned int header_size = (sizeof(struct sp_pkg_header) * 8)
- + (sizeof(struct sp_pkg_entry) * 8 * sp_count);
+ struct sp_pkg_header sp_header_info;
+ unsigned int file_ptr = 0;
FILE *f = fopen(path, "wb");
if (f == NULL) {
@@ -207,70 +225,46 @@ static void output_write(const char *path)
exit(1);
}
- unsigned int file_ptr = align_to(header_size, PAGE_SIZE);
-
- /* First, save all partition images aligned to page boundaries */
-
- sp = sp_info_head;
-
- for (uint64_t i = 0; i < sp_count; i++) {
- xfseek(f, file_ptr, SEEK_SET);
-
- printf("Writing image %lu to offset 0x%x (0x%lx bytes)\n",
- i, file_ptr, sp->sp_size);
-
- sp->sp_offset = file_ptr;
- xfwrite(sp->sp_data, sp->sp_size, f);
- file_ptr = align_to(file_ptr + sp->sp_size, PAGE_SIZE);
- sp = sp->next;
+ /* Reserve Header size */
+ if (header) {
+ file_ptr = sizeof(struct sp_pkg_header);
}
- /* Now, save resource description blobs aligned to 8 bytes */
+ /* Save partition manifest */
+ xfseek(f, file_ptr, SEEK_SET);
+ printf("Writing SP Manifest at offset 0x%x (%u bytes)\n",
+ file_ptr, sp->pm_size);
- sp = sp_info_head;
-
- for (uint64_t i = 0; i < sp_count; i++) {
- xfseek(f, file_ptr, SEEK_SET);
-
- printf("Writing RD blob %lu to offset 0x%x (0x%lx bytes)\n",
- i, file_ptr, sp->rd_size);
-
- sp->rd_offset = file_ptr;
- xfwrite(sp->rd_data, sp->rd_size, f);
- file_ptr = align_to(file_ptr + sp->rd_size, 8);
- sp = sp->next;
- }
+ sp->pm_offset = file_ptr;
+ xfwrite(sp->pm_data, sp->pm_size, f);
- /* Finally, write header */
+ /* Save partition image aligned to Page size */
+ file_ptr = align_to((sp->pm_offset + sp->pm_size), PAGE_SIZE);
+ xfseek(f, file_ptr, SEEK_SET);
+ printf("Writing SP Image at offset 0x%x (%u bytes)\n",
+ file_ptr, sp->img_size);
- uint64_t version = 0x1;
- uint64_t sp_num = sp_count;
+ sp->img_offset = file_ptr;
+ xfwrite(sp->img_data, sp->img_size, f);
- xfseek(f, 0, SEEK_SET);
+ /* Finally, write header, if needed */
+ if (header) {
+ sp_header_info.magic = SECURE_PARTITION_MAGIC;
+ sp_header_info.version = 0x1;
+ sp_header_info.img_offset = sp->img_offset;
+ sp_header_info.img_size = sp->img_size;
+ sp_header_info.pm_offset = sp->pm_offset;
+ sp_header_info.pm_size = sp->pm_size;
- xfwrite(&version, sizeof(uint64_t), f);
- xfwrite(&sp_num, sizeof(uint64_t), f);
+ xfseek(f, 0, SEEK_SET);
- sp = sp_info_head;
+ printf("Writing package header\n");
- for (unsigned int i = 0; i < sp_count; i++) {
-
- uint64_t sp_offset, sp_size, rd_offset, rd_size;
-
- sp_offset = sp->sp_offset;
- sp_size = align_to(sp->sp_size, PAGE_SIZE);
- rd_offset = sp->rd_offset;
- rd_size = sp->rd_size;
-
- xfwrite(&sp_offset, sizeof(uint64_t), f);
- xfwrite(&sp_size, sizeof(uint64_t), f);
- xfwrite(&rd_offset, sizeof(uint64_t), f);
- xfwrite(&rd_size, sizeof(uint64_t), f);
-
- sp = sp->next;
+ xfwrite(&sp_header_info, sizeof(struct sp_pkg_header), f);
}
/* All information has been written now */
+ printf("\nsptool: Built Secure Partition blob %s\n", path);
fclose(f);
}
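Review bot: `sp_header_info` is filled field by field in the `if (header)` block and then written whole with `xfwrite(&sp_header_info, sizeof(struct sp_pkg_header), f)`, so any padding or unassigned member would reach the package as uninitialised stack bytes. The struct layout is not visible here, so this may be harmless today, but zeroing it first keeps the output deterministic if the package is later hashed or signed: `memset(&sp_header_info, 0, sizeof(sp_header_info));` before the `magic` assignment, or `= {0}` at the declaration in the previous hunk. Separately, the "Built Secure Partition blob" message is printed before `fclose(f)` and the close result is ignored, so a failed flush would go unreported; `if (fclose(f) != 0)` with an error exit, and the message moved after it, would cover that. output_write starts above this hunk.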
@@ -286,30 +280,51 @@ static void usage(void)
#endif
printf(" [<args>]\n\n");
- printf("This tool takes as inputs several image binary files and the\n"
- "resource description blobs as input and generates a package\n"
- "file that contains them.\n\n");
+ printf("This tool takes as input set of image binary files and the\n"
+ "partition manifest blobs as input and generates set of\n"
+ "output package files\n"
+ "Usage example: sptool -i sp1.bin:sp1.dtb -o sp1.pkg\n"
+ " -i sp2.bin:sp2.dtb -o sp2.pkg ...\n\n");
printf("Commands supported:\n");
printf(" -o <path> Set output file path.\n");
- printf(" -i <sp_path:rd_path> Add Secure Partition image and Resource\n"
- " Description blob (specified in two paths\n"
+ printf(" -i <sp_path:pm_path> Add Secure Partition image and\n"
+ " Manifest blob (specified in two paths\n"
" separated by a colon).\n");
+ printf(" -n Generate package without header\n");
printf(" -h Show this message.\n");
exit(1);
}
int main(int argc, char *argv[])
{
+ struct sp_pkg_info *sp_pkg = NULL;
+ struct arg_list *in_head = NULL;
+ struct arg_list *out_head = NULL;
+ struct arg_list *in_list = NULL;
+ struct arg_list *out_list = NULL;
+ unsigned int match_counter = 0;
+ bool need_header = true;
+
int ch;
- const char *outname = NULL;
- while ((ch = getopt(argc, argv, "hi:o:")) != -1) {
+ if (argc <= 1) {
+ fprintf(stderr, "error: File paths must be provided.\n\n");
+ usage();
+ return 1;
+ }
+
+ while ((ch = getopt(argc, argv, "hni:o:")) != -1) {
switch (ch) {
case 'i':
- load_sp_rd(optarg);
+ append_user_input(&in_head, optarg);
+ match_counter++;
break;
case 'o':
- outname = optarg;
+ append_user_input(&out_head, optarg);
+ match_counter--;
+ break;
+ case 'n':
+ need_header = false;
break;
case 'h':
default:
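Review bot: The `-i` case stores `optarg` without checking that it has the `sp_path:pm_path` form, so an argument without a colon would dereference a null pointer later. That happens in load_sp_pm (previous hunk), which writes through the result of `strstr(path, ":")` with no NULL check. Rejecting the argument at parse time is the smallest fix: `if (strchr(optarg, ':') == NULL) usage();` ahead of `append_user_input(&in_head, optarg);`. An empty path on either side of the colon is passed on the same way and may deserve the same treatment. main continues past the end of this hunk.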
@@ -317,18 +332,29 @@ int main(int argc, char *argv[])
}
}
- argc -= optind;
- argv += optind;
-
- if (outname == NULL) {
- fprintf(stderr, "error: An output file path must be provided.\n\n");
+ if (match_counter) {
+ fprintf(stderr, "error: Input/Output count mismatch.\n\n");
+ freelist(in_head);
+ freelist(out_head);
usage();
return 1;
}
- output_write(outname);
+ in_list = in_head;
+ out_list = out_head;
+ while (in_list != NULL) {
+ load_sp_pm(in_list->usr_input, &sp_pkg);
+ output_write(out_list->usr_input, sp_pkg, need_header);
+ in_list = in_list->next;
+ out_list = out_list->next;
+ }
+
+ argc -= optind;
+ argv += optind;
- cleanup();
+ cleanup(sp_pkg);
+ freelist(in_head);
+ freelist(out_head);
return 0;
}
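Review bot: `load_sp_pm` hands back a freshly allocated `sp_pkg_info` on every pass of the `while (in_list != NULL)` loop, but `cleanup(sp_pkg)` runs once after the loop, so with more than one `-i`/`-o` pair only the last package reaches it. Assuming `cleanup()` releases the package and its buffers (its body is not shown), calling it inside the loop right after `output_write(...)`, as `cleanup(sp_pkg); sp_pkg = NULL;`, would release each one once it is written. The `match_counter` test also passes when neither `-i` nor `-o` was given, for example `-n` alone, so the tool returns 0 without writing anything and `cleanup()` is handed NULL. A check such as `if (in_head == NULL)` with an error before the loop would restore the removed "output file path must be provided" behaviour. main starts above this hunk.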