feat(fconf): support signing-key in root cert node

Until now we have only supported describing chain of trusts through the CoT DTB with a single ROTPK so the signing key for root certificates was implicit. Therefore signing key was not a supported property in the root certificates node. Now we want to extend that to describe CoTs with mulitiple roots of trust so we need a way to specify for each root certificate with which ROTPK it should be verified. For that, we reuse the 'signing-key' property already in use for the non-root certificates, but we make it optional for root certificates in single-RoT CoTs and for root certificates signed with the default ROTPK in multi-RoT CoTs. Change-Id: I41eb6579e8f1d01eaf10480fe5e224d2eed9c736 Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
2025-04-16 01:24:27 +00:00 · 2024-01-09 20:38:10 -06:00 · 2024-01-09 20:38:10 -06:00 · 04ac0b3c27
commit 04ac0b3c27
parent a5ea5aa441
1 changed files with 11 additions and 7 deletions
--- a/lib/fconf/fconf_cot_getter.c
+++ b/lib/fconf/fconf_cot_getter.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -237,13 +237,17 @@ static int populate_and_set_auth_methods(const void *dtb, int node,
 	 * verified by signature and images are verified by hash.
 	 */
 	if (type == IMG_CERT) {
-		if (root_certificate) {
-			oid = NULL;
-		} else {
-			rc = get_oid(dtb, node, "signing-key", &oid);
-			if (rc < 0) {
+		rc = get_oid(dtb, node, "signing-key", &oid);
+		if (rc < 0) {
+			/*
+			 * The signing-key property is optional in root
+			 * certificates, mandatory otherwise.
+			 */
+			if (root_certificate) {
+				oid = NULL;
+			} else {
 				ERROR("FCONF: Can't read %s property\n",
-					"signing-key");
+						"signing-key");
 				return rc;
 			}
 		}