summaryrefslogtreecommitdiffstats
path: root/tools/cert_create/include
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:13:47 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:13:47 +0000
commit102b0d2daa97dae68d3eed54d8fe37a9cc38a892 (patch)
treebcf648efac40ca6139842707f0eba5a4496a6dd2 /tools/cert_create/include
parentInitial commit. (diff)
downloadarm-trusted-firmware-102b0d2daa97dae68d3eed54d8fe37a9cc38a892.tar.xz
arm-trusted-firmware-102b0d2daa97dae68d3eed54d8fe37a9cc38a892.zip
Adding upstream version 2.8.0+dfsg.upstream/2.8.0+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tools/cert_create/include')
-rw-r--r--tools/cert_create/include/cca/cca_cot.h68
-rw-r--r--tools/cert_create/include/cert.h77
-rw-r--r--tools/cert_create/include/cmd_opt.h33
-rw-r--r--tools/cert_create/include/debug.h59
-rw-r--r--tools/cert_create/include/dualroot/cot.h81
-rw-r--r--tools/cert_create/include/ext.h95
-rw-r--r--tools/cert_create/include/key.h99
-rw-r--r--tools/cert_create/include/sha.h12
-rw-r--r--tools/cert_create/include/tbbr/tbb_cert.h30
-rw-r--r--tools/cert_create/include/tbbr/tbb_ext.h47
-rw-r--r--tools/cert_create/include/tbbr/tbb_key.h25
11 files changed, 626 insertions, 0 deletions
diff --git a/tools/cert_create/include/cca/cca_cot.h b/tools/cert_create/include/cca/cca_cot.h
new file mode 100644
index 0000000..56585fb
--- /dev/null
+++ b/tools/cert_create/include/cca/cca_cot.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CCA_COT_H
+#define CCA_COT_H
+
+/* Certificates. */
+enum {
+ /* Certificates owned by the silicon provider. */
+ CCA_CONTENT_CERT,
+ CORE_SWD_KEY_CERT,
+ SPMC_CONTENT_CERT,
+ SIP_SECURE_PARTITION_CONTENT_CERT,
+
+ /* Certificates owned by the platform owner. */
+ PLAT_KEY_CERT,
+ PLAT_SECURE_PARTITION_CONTENT_CERT,
+ NON_TRUSTED_FW_CONTENT_CERT,
+};
+
+/* Certificate extensions. */
+enum {
+ /* Extensions used in certificates owned by the silicon provider. */
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_BOOT_FW_HASH_EXT,
+ TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+ HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT,
+ SWD_ROT_PK_EXT,
+ CORE_SWD_PK_EXT,
+ SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
+ RMM_HASH_EXT,
+ TRUSTED_OS_FW_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+
+ /* Extensions used in certificates owned by the platform owner. */
+ PROT_PK_EXT,
+ PLAT_PK_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
+ NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
+};
+
+/* Keys. */
+enum {
+ /* Keys owned by the silicon provider. */
+ ROT_KEY,
+ SWD_ROT_KEY,
+ CORE_SWD_KEY,
+
+ /* Keys owned by the platform owner. */
+ PROT_KEY,
+ PLAT_KEY,
+};
+
+#endif /* CCA_COT_H */
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
new file mode 100644
index 0000000..5d39a88
--- /dev/null
+++ b/tools/cert_create/include/cert.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CERT_H
+#define CERT_H
+
+#include <openssl/ossl_typ.h>
+#include <openssl/x509.h>
+#include "ext.h"
+#include "key.h"
+
+#define CERT_MAX_EXT 9
+
+/*
+ * This structure contains information related to the generation of the
+ * certificates. All these fields must be known and specified at build time
+ * except for the file name, which is picked up from the command line at
+ * run time.
+ *
+ * One instance of this structure must be created for each of the certificates
+ * present in the chain of trust.
+ *
+ * If the issuer points to this same instance, the generated certificate will
+ * be self-signed.
+ */
+typedef struct cert_s cert_t;
+struct cert_s {
+ int id; /* Unique identifier */
+
+ const char *opt; /* Command line option to pass filename */
+ const char *fn; /* Filename to save the certificate */
+ const char *cn; /* Subject CN (Company Name) */
+ const char *help_msg; /* Help message */
+
+ /* These fields must be defined statically */
+ int key; /* Key to be signed */
+ int issuer; /* Issuer certificate */
+ int ext[CERT_MAX_EXT]; /* Certificate extensions */
+ int num_ext; /* Number of extensions in the certificate */
+
+ X509 *x; /* X509 certificate container */
+};
+
+/* Exported API */
+int cert_init(void);
+cert_t *cert_get_by_opt(const char *opt);
+int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
+int cert_new(
+ int md_alg,
+ cert_t *cert,
+ int days,
+ int ca,
+ STACK_OF(X509_EXTENSION) * sk);
+void cert_cleanup(void);
+
+/* Macro to register the certificates used in the CoT */
+#define REGISTER_COT(_certs) \
+ cert_t *def_certs = &_certs[0]; \
+ const unsigned int num_def_certs = sizeof(_certs)/sizeof(_certs[0])
+
+/* Macro to register the platform defined certificates used in the CoT */
+#define PLAT_REGISTER_COT(_pdef_certs) \
+ cert_t *pdef_certs = &_pdef_certs[0]; \
+ const unsigned int num_pdef_certs = sizeof(_pdef_certs)/sizeof(_pdef_certs[0])
+
+/* Exported variables */
+extern cert_t *def_certs;
+extern const unsigned int num_def_certs;
+extern cert_t *pdef_certs;
+extern const unsigned int num_pdef_certs;
+
+extern cert_t *certs;
+extern unsigned int num_certs;
+#endif /* CERT_H */
diff --git a/tools/cert_create/include/cmd_opt.h b/tools/cert_create/include/cmd_opt.h
new file mode 100644
index 0000000..10df00e
--- /dev/null
+++ b/tools/cert_create/include/cmd_opt.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CMD_OPT_H
+#define CMD_OPT_H
+
+#include <getopt.h>
+
+#define CMD_OPT_MAX_NUM 64
+
+/* Supported long command line option types */
+enum {
+ CMD_OPT_CERT,
+ CMD_OPT_KEY,
+ CMD_OPT_EXT
+};
+
+/* Structure to define a command line option */
+typedef struct cmd_opt_s {
+ struct option long_opt;
+ const char *help_msg;
+} cmd_opt_t;
+
+/* Exported API*/
+void cmd_opt_add(const cmd_opt_t *cmd_opt);
+const struct option *cmd_opt_get_array(void);
+const char *cmd_opt_get_name(int idx);
+const char *cmd_opt_get_help_msg(int idx);
+
+#endif /* CMD_OPT_H */
diff --git a/tools/cert_create/include/debug.h b/tools/cert_create/include/debug.h
new file mode 100644
index 0000000..ee8f1f5
--- /dev/null
+++ b/tools/cert_create/include/debug.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef DEBUG_H
+#define DEBUG_H
+
+#include <stdio.h>
+
+/* The log output macros print output to the console. These macros produce
+ * compiled log output only if the LOG_LEVEL defined in the makefile (or the
+ * make command line) is greater or equal than the level required for that
+ * type of log output.
+ * The format expected is the same as for printf(). For example:
+ * INFO("Info %s.\n", "message") -> INFO: Info message.
+ * WARN("Warning %s.\n", "message") -> WARNING: Warning message.
+ */
+
+#define LOG_LEVEL_NONE 0
+#define LOG_LEVEL_ERROR 10
+#define LOG_LEVEL_NOTICE 20
+#define LOG_LEVEL_WARNING 30
+#define LOG_LEVEL_INFO 40
+#define LOG_LEVEL_VERBOSE 50
+
+
+#if LOG_LEVEL >= LOG_LEVEL_NOTICE
+# define NOTICE(...) printf("NOTICE: " __VA_ARGS__)
+#else
+# define NOTICE(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_ERROR
+# define ERROR(...) printf("ERROR: " __VA_ARGS__)
+#else
+# define ERROR(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_WARNING
+# define WARN(...) printf("WARNING: " __VA_ARGS__)
+#else
+# define WARN(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_INFO
+# define INFO(...) printf("INFO: " __VA_ARGS__)
+#else
+# define INFO(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_VERBOSE
+# define VERBOSE(...) printf("VERBOSE: " __VA_ARGS__)
+#else
+# define VERBOSE(...)
+#endif
+
+#endif /* DEBUG_H */
diff --git a/tools/cert_create/include/dualroot/cot.h b/tools/cert_create/include/dualroot/cot.h
new file mode 100644
index 0000000..3e50c89
--- /dev/null
+++ b/tools/cert_create/include/dualroot/cot.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2020, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef DUALROOT_COT_H
+#define DUALROOT_COT_H
+
+/* Certificates. */
+enum {
+ /* Certificates owned by the silicon provider. */
+ TRUSTED_BOOT_FW_CERT,
+ TRUSTED_KEY_CERT,
+ SCP_FW_KEY_CERT,
+ SCP_FW_CONTENT_CERT,
+ SOC_FW_KEY_CERT,
+ SOC_FW_CONTENT_CERT,
+ TRUSTED_OS_FW_KEY_CERT,
+ TRUSTED_OS_FW_CONTENT_CERT,
+ SIP_SECURE_PARTITION_CONTENT_CERT,
+ FWU_CERT,
+
+ /* Certificates owned by the platform owner. */
+ NON_TRUSTED_FW_CONTENT_CERT,
+ PLAT_SECURE_PARTITION_CONTENT_CERT,
+};
+
+/* Certificate extensions. */
+enum {
+ /* Extensions used in certificates owned by the silicon provider. */
+ TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_BOOT_FW_HASH_EXT,
+ TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+ HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT,
+ TRUSTED_WORLD_PK_EXT,
+ SCP_FW_CONTENT_CERT_PK_EXT,
+ SCP_FW_HASH_EXT,
+ SOC_FW_CONTENT_CERT_PK_EXT,
+ SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
+ TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
+ TRUSTED_OS_FW_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA1_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
+ SCP_FWU_CFG_HASH_EXT,
+ AP_FWU_CFG_HASH_EXT,
+ FWU_HASH_EXT,
+
+ /* Extensions used in certificates owned by the platform owner. */
+ PROT_PK_EXT,
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
+ NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
+ NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
+};
+
+/* Keys. */
+enum {
+ /* Keys owned by the silicon provider. */
+ ROT_KEY,
+ TRUSTED_WORLD_KEY,
+ SCP_FW_CONTENT_CERT_KEY,
+ SOC_FW_CONTENT_CERT_KEY,
+ TRUSTED_OS_FW_CONTENT_CERT_KEY,
+
+ /* Keys owned by the platform owner. */
+ PROT_KEY,
+};
+
+#endif /* DUALROOT_COT_H */
diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
new file mode 100644
index 0000000..0e7f3be
--- /dev/null
+++ b/tools/cert_create/include/ext.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef EXT_H
+#define EXT_H
+
+#include <openssl/x509v3.h>
+#include "key.h"
+
+/* Extension types supported */
+enum ext_type_e {
+ EXT_TYPE_NVCOUNTER,
+ EXT_TYPE_PKEY,
+ EXT_TYPE_HASH
+};
+
+/* NV-Counter types */
+enum nvctr_type_e {
+ NVCTR_TYPE_TFW,
+ NVCTR_TYPE_NTFW
+};
+
+/*
+ * This structure contains the relevant information to create the extensions
+ * to be included in the certificates. This extensions will be used to
+ * establish the chain of trust.
+ */
+typedef struct ext_s {
+ const char *oid; /* OID of the extension */
+ const char *sn; /* Short name */
+ const char *ln; /* Long description */
+ const char *opt; /* Command line option to specify data */
+ const char *help_msg; /* Help message */
+ const char *arg; /* Argument passed from command line */
+ int asn1_type; /* OpenSSL ASN1 type of the extension data.
+ * Supported types are:
+ * - V_ASN1_INTEGER
+ * - V_ASN1_OCTET_STRING
+ */
+ int type; /* See ext_type_e */
+
+ /* Extension attributes (depends on extension type) */
+ union {
+ int nvctr_type; /* See nvctr_type_e */
+ int key; /* Index into array of registered public keys */
+ } attr;
+
+ int alias; /* In case OpenSSL provides an standard
+ * extension of the same type, add the new
+ * extension as an alias of this one
+ */
+
+ X509V3_EXT_METHOD method; /* This field may be used to define a custom
+ * function to print the contents of the
+ * extension */
+
+ int optional; /* This field may be used optionally to exclude an image */
+} ext_t;
+
+enum {
+ EXT_NON_CRIT = 0,
+ EXT_CRIT = !EXT_NON_CRIT,
+};
+
+/* Exported API */
+int ext_init(void);
+ext_t *ext_get_by_opt(const char *opt);
+X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
+ unsigned char *buf, size_t len);
+X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
+X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
+void ext_cleanup(void);
+
+/* Macro to register the extensions used in the CoT */
+#define REGISTER_EXTENSIONS(_ext) \
+ ext_t *def_extensions = &_ext[0]; \
+ const unsigned int num_def_extensions = sizeof(_ext)/sizeof(_ext[0])
+
+/* Macro to register the platform defined extensions used in the CoT */
+#define PLAT_REGISTER_EXTENSIONS(_pdef_ext) \
+ ext_t *pdef_extensions = &_pdef_ext[0]; \
+ const unsigned int num_pdef_extensions = sizeof(_pdef_ext)/sizeof(_pdef_ext[0])
+
+/* Exported variables */
+extern ext_t *def_extensions;
+extern const unsigned int num_def_extensions;
+extern ext_t *pdef_extensions;
+extern const unsigned int num_pdef_extensions;
+
+extern ext_t *extensions;
+extern unsigned int num_extensions;
+#endif /* EXT_H */
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
new file mode 100644
index 0000000..312575b
--- /dev/null
+++ b/tools/cert_create/include/key.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef KEY_H
+#define KEY_H
+
+#include <openssl/ossl_typ.h>
+
+/* Error codes */
+enum {
+ KEY_ERR_NONE,
+ KEY_ERR_MALLOC,
+ KEY_ERR_FILENAME,
+ KEY_ERR_OPEN,
+ KEY_ERR_LOAD
+};
+
+/* Supported key algorithms */
+enum {
+ KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
+#ifndef OPENSSL_NO_EC
+ KEY_ALG_ECDSA_NIST,
+ KEY_ALG_ECDSA_BRAINPOOL_R,
+ KEY_ALG_ECDSA_BRAINPOOL_T,
+#endif /* OPENSSL_NO_EC */
+ KEY_ALG_MAX_NUM
+};
+
+/* Maximum number of valid key sizes per algorithm */
+#define KEY_SIZE_MAX_NUM 4
+
+/* Supported hash algorithms */
+enum{
+ HASH_ALG_SHA256,
+ HASH_ALG_SHA384,
+ HASH_ALG_SHA512,
+};
+
+/* Supported key sizes */
+/* NOTE: the first item in each array is the default key size */
+static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
+ { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
+#ifndef OPENSSL_NO_EC
+ {}, /* KEY_ALG_ECDSA_NIST */
+ {}, /* KEY_ALG_ECDSA_BRAINPOOL_R */
+ {} /* KEY_ALG_ECDSA_BRAINPOOL_T */
+#endif /* OPENSSL_NO_EC */
+};
+
+/*
+ * This structure contains the relevant information to create the keys
+ * required to sign the certificates.
+ *
+ * One instance of this structure must be created for each key, usually in an
+ * array fashion. The filename is obtained at run time from the command line
+ * parameters
+ */
+typedef struct key_s {
+ int id; /* Key id */
+ const char *opt; /* Command line option to specify a key */
+ const char *help_msg; /* Help message */
+ const char *desc; /* Key description (debug purposes) */
+ char *fn; /* Filename to load/store the key */
+ EVP_PKEY *key; /* Key container */
+} key_t;
+
+/* Exported API */
+int key_init(void);
+key_t *key_get_by_opt(const char *opt);
+#if !USING_OPENSSL3
+int key_new(key_t *key);
+#endif
+int key_create(key_t *key, int type, int key_bits);
+int key_load(key_t *key, unsigned int *err_code);
+int key_store(key_t *key);
+void key_cleanup(void);
+
+/* Macro to register the keys used in the CoT */
+#define REGISTER_KEYS(_keys) \
+ key_t *def_keys = &_keys[0]; \
+ const unsigned int num_def_keys = sizeof(_keys)/sizeof(_keys[0])
+
+/* Macro to register the platform defined keys used in the CoT */
+#define PLAT_REGISTER_KEYS(_pdef_keys) \
+ key_t *pdef_keys = &_pdef_keys[0]; \
+ const unsigned int num_pdef_keys = sizeof(_pdef_keys)/sizeof(_pdef_keys[0])
+
+/* Exported variables */
+extern key_t *def_keys;
+extern const unsigned int num_def_keys;
+extern key_t *pdef_keys;
+extern const unsigned int num_pdef_keys;
+
+extern key_t *keys;
+extern unsigned int num_keys;
+#endif /* KEY_H */
diff --git a/tools/cert_create/include/sha.h b/tools/cert_create/include/sha.h
new file mode 100644
index 0000000..4c55f37
--- /dev/null
+++ b/tools/cert_create/include/sha.h
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SHA_H
+#define SHA_H
+
+int sha_file(int md_alg, const char *filename, unsigned char *md);
+
+#endif /* SHA_H */
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
new file mode 100644
index 0000000..e5fa3a2
--- /dev/null
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TBB_CERT_H
+#define TBB_CERT_H
+
+#include "cert.h"
+
+/*
+ * Enumerate the certificates that are used to establish the chain of trust
+ */
+enum {
+ TRUSTED_BOOT_FW_CERT,
+ TRUSTED_KEY_CERT,
+ SCP_FW_KEY_CERT,
+ SCP_FW_CONTENT_CERT,
+ SOC_FW_KEY_CERT,
+ SOC_FW_CONTENT_CERT,
+ TRUSTED_OS_FW_KEY_CERT,
+ TRUSTED_OS_FW_CONTENT_CERT,
+ NON_TRUSTED_FW_KEY_CERT,
+ NON_TRUSTED_FW_CONTENT_CERT,
+ SIP_SECURE_PARTITION_CONTENT_CERT,
+ FWU_CERT
+};
+
+#endif /* TBB_CERT_H */
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
new file mode 100644
index 0000000..692b2d4
--- /dev/null
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+#ifndef TBB_EXT_H
+#define TBB_EXT_H
+
+#include "ext.h"
+
+/* TBBR extensions */
+enum {
+ TRUSTED_FW_NVCOUNTER_EXT,
+ NON_TRUSTED_FW_NVCOUNTER_EXT,
+ TRUSTED_BOOT_FW_HASH_EXT,
+ TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+ HW_CONFIG_HASH_EXT,
+ FW_CONFIG_HASH_EXT,
+ TRUSTED_WORLD_PK_EXT,
+ NON_TRUSTED_WORLD_PK_EXT,
+ SCP_FW_CONTENT_CERT_PK_EXT,
+ SCP_FW_HASH_EXT,
+ SOC_FW_CONTENT_CERT_PK_EXT,
+ SOC_AP_FW_HASH_EXT,
+ SOC_FW_CONFIG_HASH_EXT,
+ TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
+ TRUSTED_OS_FW_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA1_HASH_EXT,
+ TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+ TRUSTED_OS_FW_CONFIG_HASH_EXT,
+ NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
+ NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+ NON_TRUSTED_FW_CONFIG_HASH_EXT,
+ SP_PKG1_HASH_EXT,
+ SP_PKG2_HASH_EXT,
+ SP_PKG3_HASH_EXT,
+ SP_PKG4_HASH_EXT,
+ SP_PKG5_HASH_EXT,
+ SP_PKG6_HASH_EXT,
+ SP_PKG7_HASH_EXT,
+ SP_PKG8_HASH_EXT,
+ SCP_FWU_CFG_HASH_EXT,
+ AP_FWU_CFG_HASH_EXT,
+ FWU_HASH_EXT
+};
+
+#endif /* TBB_EXT_H */
diff --git a/tools/cert_create/include/tbbr/tbb_key.h b/tools/cert_create/include/tbbr/tbb_key.h
new file mode 100644
index 0000000..47ad1de
--- /dev/null
+++ b/tools/cert_create/include/tbbr/tbb_key.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TBB_KEY_H
+#define TBB_KEY_H
+
+#include "key.h"
+
+/*
+ * Enumerate the keys that are used to establish the chain of trust
+ */
+enum {
+ ROT_KEY,
+ TRUSTED_WORLD_KEY,
+ NON_TRUSTED_WORLD_KEY,
+ SCP_FW_CONTENT_CERT_KEY,
+ SOC_FW_CONTENT_CERT_KEY,
+ TRUSTED_OS_FW_CONTENT_CERT_KEY,
+ NON_TRUSTED_FW_CONTENT_CERT_KEY
+};
+
+#endif /* TBB_KEY_H */