feat(arm): use provided algs for (swd/p)rotpk

No longer hard code SHA-256 hashed rsa dev keys, now the keys can use pair of key alg: rsa, p256, p384 and hash alg: sha256, sha384, sha512. All public keys are now generated at build-time from the dev keys. Change-Id: I669438b7d1cd319962c4a135bb0e204e44d7447e Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2025-04-17 01:54:22 +00:00 · 2024-11-11 18:08:10 +00:00 · 2024-11-11 18:08:10 +00:00 · da57b6e3cf
commit da57b6e3cf
parent d51981e15d
11 changed files with 126 additions and 35 deletions
--- a/plat/arm/board/common/board_common.mk
+++ b/plat/arm/board/common/board_common.mk
@ -92,50 +92,73 @@ BL1_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c \
 BL2_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c \
 				${ARM_ROTPK_S}

+ifeq ($(CRYPTO_ALG), ec)
+ifeq ($(KEY_SIZE), 384)
+ARM_PROT_KEY		:=	plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem
+ARM_SWD_ROT_KEY		:=	plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem
+else
+ARM_PROT_KEY		:=	plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem
+ARM_SWD_ROT_KEY		:=	plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem
+endif
+else
+ARM_PROT_KEY		:=	plat/arm/board/common/protpk/arm_protprivk_rsa.pem
+ARM_SWD_ROT_KEY		:=	plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_rsa.pem
+endif
+
 # Allows platform code to provide implementation variants depending on the
 # selected chain of trust.
 $(eval $(call add_define,ARM_COT_${COT}))

 ifeq (${COT},dualroot)
 # Platform Root of Trust key files.
-ARM_PROT_KEY		:=	plat/arm/board/common/protpk/arm_protprivk_rsa.pem
-ARM_PROTPK_HASH		:=	plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
+ARM_PROTPK			:=	$(BUILD_PLAT)/arm_protpk.bin

 # Provide the private key to cert_create tool. It needs it to sign the images.
 PROT_KEY		:=	${ARM_PROT_KEY}

-$(eval $(call add_define_val,ARM_PROTPK_HASH,'"$(ARM_PROTPK_HASH)"'))
+$(eval $(call add_define_val,ARM_PROTPK,'"$(ARM_PROTPK)"'))

 BL1_SOURCES		+=	plat/arm/board/common/protpk/arm_dev_protpk.S
 BL2_SOURCES		+=	plat/arm/board/common/protpk/arm_dev_protpk.S

-$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
-$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
+$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK)
+$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK)
 endif

 ifeq (${COT},cca)
 # Platform and Secure World Root of Trust key files.
-ARM_PROT_KEY		:=	plat/arm/board/common/protpk/arm_protprivk_rsa.pem
-ARM_PROTPK_HASH		:=	plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
-ARM_SWD_ROT_KEY		:=	plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_rsa.pem
-ARM_SWD_ROTPK_HASH	:=	plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
+ARM_PROTPK			:=	$(BUILD_PLAT)/arm_protpk.bin
+ARM_SWD_ROTPK		:=	$(BUILD_PLAT)/arm_swd_rotpk.bin

 # Provide the private keys to cert_create tool. It needs them to sign the images.
 PROT_KEY		:=	${ARM_PROT_KEY}
 SWD_ROT_KEY		:=	${ARM_SWD_ROT_KEY}

-$(eval $(call add_define_val,ARM_PROTPK_HASH,'"$(ARM_PROTPK_HASH)"'))
-$(eval $(call add_define_val,ARM_SWD_ROTPK_HASH,'"$(ARM_SWD_ROTPK_HASH)"'))
+$(eval $(call add_define_val,ARM_PROTPK,'"$(ARM_PROTPK)"'))
+$(eval $(call add_define_val,ARM_SWD_ROTPK,'"$(ARM_SWD_ROTPK)"'))

 BL1_SOURCES		+=	plat/arm/board/common/protpk/arm_dev_protpk.S \
 				plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
 BL2_SOURCES		+=	plat/arm/board/common/protpk/arm_dev_protpk.S \
 				plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S

-$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
-$(BUILD_PLAT)/bl1/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK_HASH)
-$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK_HASH)
-$(BUILD_PLAT)/bl2/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK_HASH)
+$(BUILD_PLAT)/bl1/arm_dev_protpk.o: $(ARM_PROTPK)
+$(BUILD_PLAT)/bl1/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK)
+$(BUILD_PLAT)/bl2/arm_dev_protpk.o: $(ARM_PROTPK)
+$(BUILD_PLAT)/bl2/arm_dev_swd_rotpk.o: $(ARM_SWD_ROTPK)
 endif

+$(ARM_PROTPK): $(ARM_PROT_KEY)
+ifndef ARM_PROT_KEY
+	$(error Cannot generate hash: no PROT_KEY defined)
+endif
+	${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in ${ARM_PROT_KEY} -pubout -outform DER | \
+	${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@
+
+$(ARM_SWD_ROTPK): $(ARM_SWD_ROT_KEY)
+ifndef ARM_SWD_ROT_KEY
+	$(error Cannot generate hash: no SWD_KEY defined)
+endif
+	${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in ${ARM_SWD_ROT_KEY} -pubout -outform DER | \
+	${OPENSSL_BIN_PATH}/openssl dgst -${HASH_ALG} -binary -out $@
 endif
--- a/plat/arm/board/common/protpk/README
+++ b/plat/arm/board/common/protpk/README
@ -6,9 +6,12 @@ root-of-trust key.

  openssl genrsa 2048 > arm_protprivk_rsa.pem

-* arm_protpk_rsa_sha256.bin is the SHA-256 hash of the DER-encoded public key
-  associated with the above private key. It has been generated using the openssl
-  command line tool:
+* arm_protprivk_ecdsa.pem is a P-256 ECSA private key in PEM format. It has been
+  generated using the openssl command line tool:

-  openssl rsa -in arm_protprivk_rsa.pem -pubout -outform DER | \
-    openssl dgst -sha256 -binary > arm_protpk_rsa_sha256.bin
+  openssl ecparam -name prime256v1 -genkey -outform PEM -noout -out arm_protprivk_ecdsa.pem
+
+* arm_protprivk_ecdsa_secp384r1.pem is a P-384 ECSA private key in PEM format. It has been
+  generated using the openssl command line tool:
+
+  openssl ecparam -name secp384r1 -genkey -outform PEM -noout -out arm_protprivk_ecdsa_secp384r1.pem
--- a/plat/arm/board/common/protpk/arm_dev_protpk.S
+++ b/plat/arm/board/common/protpk/arm_dev_protpk.S
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -9,10 +9,31 @@

 	.section .rodata.arm_protpk_hash, "a"

+/*
+* The protpk header is dependent only on the algorithm used to
+* generate the hash.
+* ASN1_HASH_ALG is the last byte used to encode the OID for
+* the hash algorithm into the header,
+* this byte distinguishes between SHA256, SHA384 and SHA512.
+*/
+.equ HASH_ASN1_LEN, ARM_ROTPK_HASH_LEN
+#if ARM_ROTPK_HASH_LEN == 48
+	.equ ASN1_HASH_ALG, 0x02
+	.equ TOTAL_ASN1_LEN, 0x41
+#elif ARM_ROTPK_HASH_LEN == 64
+	.equ ASN1_HASH_ALG, 0x03
+	.equ TOTAL_ASN1_LEN, 0x51
+#elif ARM_ROTPK_HASH_LEN == 32
+	.equ ASN1_HASH_ALG, 0x01
+	.equ TOTAL_ASN1_LEN, 0x31
+#else
+	.error "Invalid PROTPK hash length."
+#endif
+
 arm_protpk_hash:
 	/* DER header. */
-	.byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
-	.byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+	.byte 0x30, TOTAL_ASN1_LEN, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
+	.byte 0x01, 0x65, 0x03, 0x04, 0x02, ASN1_HASH_ALG, 0x05, 0x00, 0x04, HASH_ASN1_LEN
 	/* Key hash. */
-	.incbin ARM_PROTPK_HASH
+	.incbin ARM_PROTPK
 arm_protpk_hash_end:
--- a/plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
+++ b/plat/arm/board/common/protpk/arm_protpk_rsa_sha256.bin
@ -1 +0,0 @@
-œó6{W*…`Ÿtíve×·§è£	€¾P<C2BE>ÆK{9
--- a/plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem
+++ b/plat/arm/board/common/protpk/arm_protprivk_ecdsa.pem
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILviumKhnibRT6+73/WOURk8lCxu/AHRQVcbCn/nGAr8oAoGCCqGSM49
+AwEHoUQDQgAE2HPZeAd+P8kZKHcCMfNUE+MlZSKJV360gYYC1JEdogyYztJ/QbKj
+26CZijUU/He2b9kkCOpZoJp3UuMRlsQE4Q==
+-----END EC PRIVATE KEY-----
--- a/plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem
+++ b/plat/arm/board/common/protpk/arm_protprivk_ecdsa_secp384r1.pem
@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCn+L3kRlvrZKnemt8aDOH+ujwuhpdwAM2ZxacxudJPy5qrWCjXGIh1
+gOAMHlGESySgBwYFK4EEACKhZANiAASM5exqdUZi0msFLGi42bIMW7FPqWsJ8YmL
+scDkI6BUYRoP0V4XZWB7NOjP6y/tm5Uwid9q25QTlhNKUo5qki1YH3T6unHuylWN
+63KRHQLOaXCXZqhMhT0wccg0gG3hs+0=
+-----END EC PRIVATE KEY-----
--- a/plat/arm/board/common/swd_rotpk/README
+++ b/plat/arm/board/common/swd_rotpk/README
@ -6,9 +6,12 @@ root-of-trust key used in the CCA chain of trust.

  openssl genrsa 2048 > arm_swd_rotprivk_rsa.pem

-* swd_rotpk_rsa_sha256.bin is the SHA-256 hash of the DER-encoded public key
-  associated with the above private key. It has been generated using the openssl
-  command line tool:
+* arm_swd_rotprivk_ecdsa.pem is a P-256 ECSA private key in PEM format. It has been
+  generated using the openssl command line tool:

-  openssl rsa -in arm_swd_rotprivk_rsa.pem -pubout -outform DER | \
-    openssl dgst -sha256 -binary > arm_swd_rotpk_rsa_sha256.bin
+  openssl ecparam -name prime256v1 -genkey -outform PEM -noout -out arm_swd_rotprivk_ecdsa.pem
+
+* arm_swd_rotprivk_ecdsa_secp384r1.pem is a P-384 ECSA private key in PEM format. It has been
+  generated using the openssl command line tool:
+
+  openssl ecparam -name secp384r1 -genkey -outform PEM -noout -out arm_swd_rotprivk_ecdsa_secp384r1.pem
--- a/plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
+++ b/plat/arm/board/common/swd_rotpk/arm_dev_swd_rotpk.S
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -9,10 +9,31 @@

 	.section .rodata.arm_swd_rotpk_hash, "a"

+/*
+* The swd_roptpk header is dependent only on the algorithm used to
+* generate the hash.
+* ASN1_HASH_ALG is the last byte used to encode the OID for
+* the hash algorithm into the header,
+* this byte distinguishes between SHA256, SHA384 and SHA512.
+*/
+.equ HASH_ASN1_LEN, ARM_ROTPK_HASH_LEN
+#if ARM_ROTPK_HASH_LEN == 48
+	.equ ASN1_HASH_ALG, 0x02
+	.equ TOTAL_ASN1_LEN, 0x41
+#elif ARM_ROTPK_HASH_LEN == 64
+	.equ ASN1_HASH_ALG, 0x03
+	.equ TOTAL_ASN1_LEN, 0x51
+#elif ARM_ROTPK_HASH_LEN == 32
+	.equ ASN1_HASH_ALG, 0x01
+	.equ TOTAL_ASN1_LEN, 0x31
+#else
+	.error "Invalid SWD_ROTPK hash length."
+#endif
+
 arm_swd_rotpk_hash:
 	/* DER header. */
-	.byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
-	.byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+	.byte 0x30, TOTAL_ASN1_LEN, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48
+	.byte 0x01, 0x65, 0x03, 0x04, 0x02, ASN1_HASH_ALG, 0x05, 0x00, 0x04, HASH_ASN1_LEN
 	/* Key hash. */
-	.incbin ARM_SWD_ROTPK_HASH
+	.incbin ARM_SWD_ROTPK
 arm_swd_rotpk_hash_end:
--- a/plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
+++ b/plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
@ -1 +0,0 @@
-0ľâĂ’ćśČË“(ě¨0ŠwIÓ<49>Őéăˇgk
--- a/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem
+++ b/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa.pem
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFmIjAPUmyqDfKXT+kKRMvyFzQfaZekczIzSPfLeQUGyoAoGCCqGSM49
+AwEHoUQDQgAEtZB8OrBV7hPl+lBrc5ypKetwGsUi+SpTK8OoMw0GwA17rGDYdBTV
+JK2ttZNtCsGzlDrXeHu6bcTmrleMdW9NdQ==
+-----END EC PRIVATE KEY-----
--- a/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem
+++ b/plat/arm/board/common/swd_rotpk/arm_swd_rotprivk_ecdsa_secp384r1.pem
@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDC348NhWsLI30vzJnWofKae6t3S6YIb5rdLEJSUyI9XwKj8FyJO8N3G
+DNgvVBwk4NigBwYFK4EEACKhZANiAARodLWP/EGH7/SrImvwDJr1zACOrh8acVH/
+eymfvZW2af4DPRMPyUC5Ftzv6NwGz6yPzBbAg9+qDgLgO7cqwXOwVON+hAU+ECEZ
+3AIQ7zLDfnXcfNz8dv1kwkwhfDJeQCs=
+-----END EC PRIVATE KEY-----
				`@ -1 +0,0 @@`
				œó6{W*…`Ÿtíve×·§è£ €¾P<C2BE>ÆK{9
				`@ -1 +0,0 @@`
				`0ľâĂ’ćśČË“(ě¨0ŠwIÓ<49>Őéăˇgk`