When key_load() attempts to load the key from a file and it fails to
open this file, the 'err_code' output argument is set to
'KEY_ERR_OPEN' error code. However, it is incorrectly overwritten
later on with 'KEY_ERR_NONE' or 'KEY_ERR_LOAD'.
The latter case messes up with the key creation scenario. The
'KEY_ERR_LOAD' error leads the tool to exit, when it should attempt to
create the said key file if invoked with the --new-keys/-n option.
Note that, to complicate matters further, which of 'KEY_ERR_OPEN' or
'KEY_ERR_NONE' values is returned by key_load() depends on the version
of OpenSSL in use:
- If using v3+, KEY_ERROR_LOAD is returned.
- If using <v3, KEY_ERROR_NONE is returned as a result of the key
pair container being initialized by key_new().
This patch fixes this bug and also takes the opportunity to refactor
key_load() implementation to (hopefully) make it more straight-forward
and easier to reason about.
Fixes: 616b3ce27d "feat(cert-create): add pkcs11 engine support"
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reported-by: Wenchen Tan <xtaens@qq.com>
Change-Id: Ia78ff442e04c5ff98e6ced8d26becbd817a8ccb7
Updated cert_tool to be able to select brainpool P256r/t1
or NIST prim256v1 curve for certificates signature.
Change-Id: I6e800144697069ea83660053b8ba6e21c229243a
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
When updated to work with OpenSSL 3.0, the host tools lost their
compatibility with previous versions (1.x) of OpenSSL. This is
mainly due to the fact that 1.x APIs became deprecated in 3.0 and
therefore their use cause compiling errors. In addition, updating
for a newer version of OpenSSL meant improving the stability
against security threats. However, although version 1.1.1 is
now deprecated, it still receives security updates, so it would
not imply major security issues to keep compatibility with it too.
This patch adds backwards compatibility with OpenSSL 1.x versions
by adding back 1.x API code. It defines a macro USING_OPENSSL3,
which will select the appropriate OpenSSL API version depending on
the OpenSSL library path chosen (which is determined by the
already-existing OPENSSL_DIR variable).
In addition, cleanup items were packed in functions and moved to
the proper modules in order to make the code more maintainable and
legible.
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I8deceb5e419edc73277792861882404790ccd33c
Changes to 'tools/cert_create' folder, to include platform defined
certificates, keys, and extensions.
NXP SoC lx2160a : based platforms requires additional
FIP DDR to be loaded before initializing the DDR.
To enable chain of trust on these platforms, FIP DDR
image needs to be authenticated, additionally.
Platform specific folder 'tools/nxp/cert_create_helper'
is added to support platform specific macros and definitions.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
Support for PKCS#1 v1.5 was deprecated in SHA 1001202 and fully removed
in SHA fe199e3, however, cert_tool is still able to generate
certificates in that form. This patch fully removes the ability for
cert_tool to generate these certificates.
Additionally, this patch also fixes a bug where the issuing certificate
was a RSA and the issued certificate was EcDSA. In this case, the issued
certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
that PKCS#1 v1.5 support is removed, all certificates that are signed
with RSA now use the more modern padding scheme.
Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
cert_tool is now able to accept a command line option for specifying the
key size. It now supports the following options: 1024, 2048 (default),
3072 and 4096. This is also modifiable by TFA using the build flag
KEY_SIZE.
Change-Id: Ifadecf84ade3763249ee8cc7123a8178f606f0e5
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This option enables the user to select the secure hash algorithm
to be used for generating the hash. It supports the following
options:
- sha256 (default)
- sha384
- sha512
Change-Id: Icb093cec1b5715e248c3d1c3749a2479a7ab4b89
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
This patch enables choice of RSA version at run time to be used for
generating signatures by the cert_tool. The RSA PSS as defined in
PKCS#1 v2.1 becomes the default version and this patch enables to specify
the RSA PKCS#1 v1.5 algorithm to `cert_create` through the command line
-a option. Also, the build option `KEY_ALG` can be used to pass this
option from the build system. Please note that RSA PSS is mandated
by Trusted Board Boot requirements (TBBR) and legacy RSA support is
being added for compatibility reasons.
FixesARM-Software/tf-issues#499
Change-Id: Ifaa3f2f7c9b43f3d7b3effe2cde76bf6745a5d73
Co-Authored-By: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
In the current code, both key_load() and key_create() call key_new()
to allocate a key container (and they do not free it even if they
fail). If a specific key is not given by the command option,
key_load() fails, then key_create() is called. At this point, the
key container that has been allocated in key_load() is still alive,
and it is overwritten by a new key container created by key_create().
Move the key_new() call to the main() function to make sure it is
called just once for each descriptor.
While we are here, let's fix one more bug; the error handling code
ERROR("Malloc error while loading '%s'\n", keys[i].fn);
is wrong because keys[i].fn is NULL pointer unless a specific key is
given by the command option. This code could be run in either case.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.
This patch reworks the print_help() function to print the help
messages in a data driven approach. For each command line option
registered, an optional help message can be specified, which will
be printed by print_help().
Help messages for the TBBR options (certificates, keys and images)
are also provided.
Fix a small bug in the short options string passed to getopt_long:
the ':' was missing in the '-a' option (this option must take an
argument).
FixesARM-software/tf-issues#337
Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452
By default ARM TF is built with the '-pedantic' compiler flag, which
helps detecting violations of the C standard. However, the mbed TLS
library and its associated authentication module in TF used to fail
building with this compiler flag. As a workaround, the mbed TLS
authentication module makefile used to set the 'DISABLE_PEDANTIC'
TF build flag.
The compiler errors flagged by '-pedantic' in the mbed TLS library
have been fixed between versions 1.3.9 and 2.2.0 and the library now
properly builds with this compiler flag.
This patch fixes the remaining compiler errors in the mbed TLS
authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
build flag. This means that TF is now always built with '-pedantic'.
In particular, this patch:
* Removes the final semi-colon in REGISTER_COT() macro.
This semi-colon was causing the following error message:
drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
extra ';' outside of a function [-Werror=pedantic]
This has been fixed both in the mbed TLS authentication module
as well as in the certificate generation tool. Note that the latter
code didn't need fixing since it is not built with '-pedantic' but
the change has been propagated for consistency.
Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
which were suffering from the same issue.
* Fixes a pointer type.
It was causing the following error message:
drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
type 'void *' used in arithmetic [-Werror=pointer-arith]
Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
This patch introduces a new API that allows to specify command
line options in the Chain of Trust description. These command line
options may be used to specify parameters related to the CoT (i.e.
keys or certificates), instead of keeping a hardcoded list of
options in main.c.
Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
This patch reworks the certificate generation tool to follow a data
driven approach. The user may specify at build time the certificates,
keys and extensions defined in the CoT, register them using the
appropiate macros and the tool will take care of creating the
certificates corresponding to the CoT specified.
Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
Some Linux distributions include an OpenSSL library which has been
built without ECDSA support. Trying to build the certificate
generation tool on those distributions will result in a build error.
This patch fixes that issue by including ECDSA support only if
OpenSSL has been built with ECDSA. In that case, the OpenSSL
configuration file does not define the OPENSSL_NO_EC macro. The tool
will build successfully, although the resulting binary will not
support ECDSA keys.
Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
This patch extends the 'cert_create' tool to support ECDSA keys
to sign the certificates. The '--key-alg' command line option
can be used to specify the key algorithm when invoking the tool.
Available options are:
* 'rsa': create RSA-2048 keys (default option)
* 'ecdsa': create ECDSA-SECP256R1 keys
The TF Makefile has been updated to allow the platform to specify
the key algorithm by declaring the 'KEY_ALG' variable in the
platform makefile.
The behaviour regarding key management has changed. After applying
this patch, the tool will try first to open the keys from disk. If
one key does not exist or no key is specified, and the command line
option to create keys has been specified, new keys will be created.
Otherwise an error will be generated and the tool will exit. This
way, the user may specify certain keys while the tool will create
the remaining ones. This feature is useful for testing purposes
and CI infrastructures.
The OpenSSL directory may be specified using the build option
'OPENSSL_DIR' when building the certificate generation tool.
Default is '/usr'.
Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.
The tool reads the binary images and signing keys and outputs the
corresponding certificates that will be used by the target at run
time to verify the authenticity of the images.
Note: the platform port must provide the file platform_oid.h. This
file will define the OIDs of the x509 extensions that will be added
to the certificates in order to establish the CoT.
Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
