certtool: ${CRTTOOL}
${CRTTOOL}: FORCE
- ${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} OPENSSL_DIR=${OPENSSL_DIR} CRTTOOL=${CRTTOOL} --no-print-directory -C ${CRTTOOLPATH}
+ ${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} OPENSSL_DIR=${OPENSSL_DIR} CRTTOOL=${CRTTOOL} DEBUG=${DEBUG} V=${V} --no-print-directory -C ${CRTTOOLPATH}
@${ECHO_BLANK_LINE}
@echo "Built $@ successfully"
@${ECHO_BLANK_LINE}
${FIPTOOL}: FORCE
ifdef UNIX_MK
- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} DEBUG=${DEBUG} V=${V} --no-print-directory -C ${FIPTOOLPATH}
else
# Clear the MAKEFLAGS as we do not want
# to pass the gnumake flags to nmake.
enctool: ${ENCTOOL}
${ENCTOOL}: FORCE
- ${Q}${MAKE} PLAT=${PLAT} BUILD_INFO=0 OPENSSL_DIR=${OPENSSL_DIR} ENCTOOL=${ENCTOOL} --no-print-directory -C ${ENCTOOLPATH}
+ ${Q}${MAKE} PLAT=${PLAT} BUILD_INFO=0 OPENSSL_DIR=${OPENSSL_DIR} ENCTOOL=${ENCTOOL} DEBUG=${DEBUG} V=${V} --no-print-directory -C ${ENCTOOLPATH}
@${ECHO_BLANK_LINE}
@echo "Built $@ successfully"
@${ECHO_BLANK_LINE}
The following libraries must be available to build one or more components or
supporting tools:
-- OpenSSL >= 3.0
+- OpenSSL >= 1.1.1 (v3.0.0 to v3.0.6 highly discouraged due to security issues)
- Required to build the cert_create tool.
+ Required to build the cert_create, encrypt_fw, and fiptool tools.
.. note::
- OpenSSL 3.0 has to be built from source code, as it's not available in
- the default package repositories in recent Ubuntu versions. Please refer
- to the OpenSSL project documentation for more information.
+ If using OpenSSL 3, older Linux versions may require it to be built from
+ source code, as it may not be available in the default package repositories.
+ Please refer to the OpenSSL project documentation for more information.
The following libraries are required for Trusted Board Boot and Measured Boot
support:
#
-# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
$(check_$(1)_cmd)
endef
+# SELECT_OPENSSL_API_VERSION selects the OpenSSL API version to be used to
+# build the host tools by checking the version of OpenSSL located under
+# the path defined by the OPENSSL_DIR variable. It receives no parameters.
+define SELECT_OPENSSL_API_VERSION
+ # Set default value for USING_OPENSSL3 macro to 0
+ $(eval USING_OPENSSL3 = 0)
+ # Obtain the OpenSSL version for the build located under OPENSSL_DIR
+ $(eval OPENSSL_INFO := $(shell LD_LIBRARY_PATH=${OPENSSL_DIR}:${OPENSSL_DIR}/lib ${OPENSSL_BIN_PATH}/openssl version))
+ $(eval OPENSSL_CURRENT_VER = $(word 2, ${OPENSSL_INFO}))
+ $(eval OPENSSL_CURRENT_VER_MAJOR = $(firstword $(subst ., ,$(OPENSSL_CURRENT_VER))))
+ # If OpenSSL version is 3.x, then set USING_OPENSSL3 flag to 1
+ $(if $(filter 3,$(OPENSSL_CURRENT_VER_MAJOR)), $(eval USING_OPENSSL3 = 1))
+endef
+
################################################################################
# Generic image processing filters
################################################################################
# Build option to create cot descriptors using fconf
COT_DESC_IN_DTB := 0
-# Build option to provide openssl directory path
+# Build option to provide OpenSSL directory path
OPENSSL_DIR := /usr
# Select the openssl binary provided in OPENSSL_DIR variable
#
-# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
DEBUG := 0
CRTTOOL ?= cert_create${BIN_EXT}
BINARY := $(notdir ${CRTTOOL})
-OPENSSL_DIR := /usr
COT := tbbr
MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk
+include ${MAKE_HELPERS_DIRECTORY}defaults.mk
ifneq (${PLAT},none)
TF_PLATFORM_ROOT := ../../plat/
include ${PLAT_CERT_CREATE_HELPER_MK}
endif
+# Select OpenSSL version flag according to the OpenSSL build selected
+# from setting the OPENSSL_DIR path.
+$(eval $(call SELECT_OPENSSL_API_VERSION))
+
HOSTCCFLAGS := -Wall -std=c99
ifeq (${DEBUG},1)
endif
HOSTCCFLAGS += ${DEFINES}
+# USING_OPENSSL3 flag will be added to the HOSTCCFLAGS variable with the proper
+# computed value.
+HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
# Make soft links and include from local directory otherwise wrong headers
# could get pulled in from firmware tree.
HOSTCC ?= gcc
-.PHONY: all clean realclean
+.PHONY: all clean realclean --openssl
all: ${BINARY}
-${BINARY}: ${OBJECTS} Makefile
+${BINARY}: --openssl ${OBJECTS} Makefile
@echo " HOSTLD $@"
@echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__; \
const char platform_msg[] = "${PLAT_MSG}";' | \
@echo " HOSTCC $<"
${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
+--openssl:
+ifeq ($(DEBUG),1)
+ @echo "Selected OpenSSL version: ${OPENSSL_CURRENT_VER}"
+endif
+
clean:
$(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS})
/*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
int days,
int ca,
STACK_OF(X509_EXTENSION) * sk);
+void cert_cleanup(void);
/* Macro to register the certificates used in the CoT */
#define REGISTER_COT(_certs) \
/*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
unsigned char *buf, size_t len);
X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
+void ext_cleanup(void);
/* Macro to register the extensions used in the CoT */
#define REGISTER_EXTENSIONS(_ext) \
/*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/* Exported API */
int key_init(void);
key_t *key_get_by_opt(const char *opt);
+#if !USING_OPENSSL3
int key_new(key_t *key);
+#endif
int key_create(key_t *key, int type, int key_bits);
int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key);
+void key_cleanup(void);
/* Macro to register the keys used in the CoT */
#define REGISTER_KEYS(_keys) \
/*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
if (!btmp)
return 0;
+#if USING_OPENSSL3
if (!BN_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+#else
+ if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+#endif
goto error;
if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
goto error;
return NULL;
}
+
+void cert_cleanup(void)
+{
+ unsigned int i;
+
+ for (i = 0; i < num_certs; i++) {
+ if (certs[i].fn != NULL) {
+ void *ptr = (void *)certs[i].fn;
+
+ certs[i].fn = NULL;
+ free(ptr);
+ }
+ }
+ free(certs);
+}
+
/*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
return NULL;
}
+
+void ext_cleanup(void)
+{
+ unsigned int i;
+
+ for (i = 0; i < num_extensions; i++) {
+ if (extensions[i].arg != NULL) {
+ void *ptr = (void *)extensions[i].arg;
+
+ extensions[i].arg = NULL;
+ free(ptr);
+ }
+ }
+ free(extensions);
+ X509V3_EXT_cleanup();
+}
+
/*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
key_t *keys;
unsigned int num_keys;
+#if !USING_OPENSSL3
/*
* Create a new key container
*/
return 1;
}
+#endif
static int key_create_rsa(key_t *key, int key_bits)
{
+#if USING_OPENSSL3
EVP_PKEY *rsa = EVP_RSA_gen(key_bits);
if (rsa == NULL) {
printf("Cannot generate RSA key\n");
}
key->key = rsa;
return 1;
+#else
+ BIGNUM *e;
+ RSA *rsa = NULL;
+
+ e = BN_new();
+ if (e == NULL) {
+ printf("Cannot create RSA exponent\n");
+ return 0;
+ }
+
+ if (!BN_set_word(e, RSA_F4)) {
+ printf("Cannot assign RSA exponent\n");
+ goto err2;
+ }
+
+ rsa = RSA_new();
+ if (rsa == NULL) {
+ printf("Cannot create RSA key\n");
+ goto err2;
+ }
+
+ if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
+ printf("Cannot generate RSA key\n");
+ goto err;
+ }
+
+ if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
+ printf("Cannot assign RSA key\n");
+ goto err;
+ }
+
+ BN_free(e);
+ return 1;
+
+err:
+ RSA_free(rsa);
+err2:
+ BN_free(e);
+ return 0;
+#endif
}
#ifndef OPENSSL_NO_EC
static int key_create_ecdsa(key_t *key, int key_bits)
{
+#if USING_OPENSSL3
EVP_PKEY *ec = EVP_EC_gen("prime256v1");
if (ec == NULL) {
printf("Cannot generate EC key\n");
}
key->key = ec;
return 1;
+#else
+ EC_KEY *ec;
+
+ ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if (ec == NULL) {
+ printf("Cannot create EC key\n");
+ return 0;
+ }
+ if (!EC_KEY_generate_key(ec)) {
+ printf("Cannot generate EC key\n");
+ goto err;
+ }
+ EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
+ EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
+ if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
+ printf("Cannot assign EC key\n");
+ goto err;
+ }
+
+ return 1;
+
+err:
+ EC_KEY_free(ec);
+ return 0;
+#endif
}
#endif /* OPENSSL_NO_EC */
return NULL;
}
+
+void key_cleanup(void)
+{
+ unsigned int i;
+
+ for (i = 0; i < num_keys; i++) {
+ EVP_PKEY_free(keys[i].key);
+ if (keys[i].fn != NULL) {
+ void *ptr = keys[i].fn;
+
+ free(ptr);
+ keys[i].fn = NULL;
+ }
+ }
+ free(keys);
+}
+
/*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/* Load private keys from files (or generate new ones) */
for (i = 0 ; i < num_keys ; i++) {
+#if !USING_OPENSSL3
if (!key_new(&keys[i])) {
ERROR("Failed to allocate key container\n");
exit(1);
}
+#endif
/* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) {
/* If we got here, then we must have filled the key array completely.
* We can then safely call free on all of the keys in the array
*/
- for (i = 0; i < num_keys; i++) {
- EVP_PKEY_free(keys[i].key);
- }
+ key_cleanup();
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
/* We allocated strings through strdup, so now we have to free them */
- for (i = 0; i < num_keys; i++) {
- if (keys[i].fn != NULL) {
- void *ptr = keys[i].fn;
-
- keys[i].fn = NULL;
- free(ptr);
- }
- }
- for (i = 0; i < num_extensions; i++) {
- if (extensions[i].arg != NULL) {
- void *ptr = (void *)extensions[i].arg;
- extensions[i].arg = NULL;
- free(ptr);
- }
- }
- for (i = 0; i < num_certs; i++) {
- if (certs[i].fn != NULL) {
- void *ptr = (void *)certs[i].fn;
+ ext_cleanup();
- certs[i].fn = NULL;
- free(ptr);
- }
- }
+ cert_cleanup();
return 0;
}
/*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stdio.h>
#include "debug.h"
#include "key.h"
+#if USING_OPENSSL3
#include <openssl/evp.h>
#include <openssl/obj_mac.h>
+#else
+#include <openssl/sha.h>
+#endif
#define BUFFER_SIZE 256
+#if USING_OPENSSL3
static int get_algorithm_nid(int hash_alg)
{
int nids[] = {NID_sha256, NID_sha384, NID_sha512};
}
return nids[hash_alg];
}
+#endif
int sha_file(int md_alg, const char *filename, unsigned char *md)
{
FILE *inFile;
+ int bytes;
+ unsigned char data[BUFFER_SIZE];
+#if USING_OPENSSL3
EVP_MD_CTX *mdctx;
const EVP_MD *md_type;
- int bytes;
int alg_nid;
unsigned int total_bytes;
- unsigned char data[BUFFER_SIZE];
+#else
+ SHA256_CTX shaContext;
+ SHA512_CTX sha512Context;
+#endif
if ((filename == NULL) || (md == NULL)) {
ERROR("%s(): NULL argument\n", __func__);
return 0;
}
+#if USING_OPENSSL3
+
mdctx = EVP_MD_CTX_new();
if (mdctx == NULL) {
fclose(inFile);
fclose(inFile);
EVP_MD_CTX_free(mdctx);
return 0;
+
+#else
+
+ if (md_alg == HASH_ALG_SHA384) {
+ SHA384_Init(&sha512Context);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA384_Update(&sha512Context, data, bytes);
+ }
+ SHA384_Final(md, &sha512Context);
+ } else if (md_alg == HASH_ALG_SHA512) {
+ SHA512_Init(&sha512Context);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA512_Update(&sha512Context, data, bytes);
+ }
+ SHA512_Final(md, &sha512Context);
+ } else {
+ SHA256_Init(&shaContext);
+ while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
+ SHA256_Update(&shaContext, data, bytes);
+ }
+ SHA256_Final(md, &shaContext);
+ }
+
+ fclose(inFile);
+ return 1;
+
+#endif
}
BINARY := $(notdir ${ENCTOOL})
OPENSSL_DIR := /usr
+
+MAKE_HELPERS_DIRECTORY := ../../make_helpers/
+include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
+include ${MAKE_HELPERS_DIRECTORY}build_env.mk
+include ${MAKE_HELPERS_DIRECTORY}defaults.mk
+
OBJECTS := src/encrypt.o \
src/cmd_opt.o \
src/main.o
HOSTCCFLAGS := -Wall -std=c99
-MAKE_HELPERS_DIRECTORY := ../../make_helpers/
-include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
-include ${MAKE_HELPERS_DIRECTORY}build_env.mk
+# Select OpenSSL version flag according to the OpenSSL build selected
+# from setting the OPENSSL_DIR path.
+$(eval $(call SELECT_OPENSSL_API_VERSION))
ifeq (${DEBUG},1)
HOSTCCFLAGS += -g -O0 -DDEBUG -DLOG_LEVEL=40
Q :=
endif
+HOSTCCFLAGS += ${DEFINES}
+# USING_OPENSSL3 flag will be added to the HOSTCCFLAGS variable with the proper
+# computed value.
+HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
+
+
# Make soft links and include from local directory otherwise wrong headers
# could get pulled in from firmware tree.
INC_DIR := -I ./include -I ../../include/tools_share -I ${OPENSSL_DIR}/include
HOSTCC ?= gcc
-.PHONY: all clean realclean
+.PHONY: all clean realclean --openssl
all: ${BINARY}
-${BINARY}: ${OBJECTS} Makefile
+${BINARY}: --openssl ${OBJECTS} Makefile
@echo " HOSTLD $@"
@echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__;' | \
${HOSTCC} -c ${HOSTCCFLAGS} -xc - -o src/build_msg.o
@echo " HOSTCC $<"
${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
+--openssl:
+ifeq ($(DEBUG),1)
+ @echo "Selected OpenSSL version: ${OPENSSL_CURRENT_VER}"
+endif
+
clean:
$(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS})
#
-# Copyright (c) 2014-2022, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2014-2022, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk
+include ${MAKE_HELPERS_DIRECTORY}defaults.mk
FIPTOOL ?= fiptool${BIN_EXT}
PROJECT := $(notdir ${FIPTOOL})
HOSTCCFLAGS += -O2
endif
+# Select OpenSSL version flag according to the OpenSSL build selected
+# from setting the OPENSSL_DIR path.
+$(eval $(call SELECT_OPENSSL_API_VERSION))
+
+HOSTCCFLAGS += ${DEFINES}
+# USING_OPENSSL3 flag will be added to the HOSTCCFLAGS variable with the proper
+# computed value.
+HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
+
# Include library directories where OpenSSL library files are located.
# For a normal installation (i.e.: when ${OPENSSL_DIR} = /usr or
# /usr/local), binaries are located under the ${OPENSSL_DIR}/lib/
include ${PLAT_FIPTOOL_HELPER_MK}
endif
-.PHONY: all clean distclean
+.PHONY: all clean distclean --openssl
all: ${PROJECT}
-${PROJECT}: ${OBJECTS} Makefile
+${PROJECT}: --openssl ${OBJECTS} Makefile
@echo " HOSTLD $@"
${Q}${HOSTCC} ${OBJECTS} -o $@ ${LDLIBS}
@${ECHO_BLANK_LINE}
@echo " HOSTCC $<"
${Q}${HOSTCC} -c ${CPPFLAGS} ${HOSTCCFLAGS} ${INCLUDE_PATHS} $< -o $@
+--openssl:
+ifeq ($(DEBUG),1)
+ @echo "Selected OpenSSL version: ${OPENSSL_CURRENT_VER}"
+endif
+
+
clean:
$(call SHELL_DELETE_ALL, ${PROJECT} ${OBJECTS})
projects / arm-tf.git / commitdiff