From a1a1376cd1cc5ef232258e3302596f6a2fb9b8e4 Mon Sep 17 00:00:00 2001
From: Lionel Debieve <lionel.debieve@st.com>
Date: Tue, 19 Jan 2021 15:40:36 +0100
Subject: [PATCH] tools: allow to use a root key password from command line

By defining the ROT_KEY_PWD, user is able to define the private
root key password. Useful for build system management.

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Change-Id: Ie692c5c6db5ddb093ca7659d80f6137a978aa7bf
---
 make_helpers/tbbr/tbbr_tools.mk |  4 +++-
 tools/cert_create/include/key.h |  4 ++--
 tools/cert_create/src/key.c     |  6 +++---
 tools/cert_create/src/main.c    | 18 ++++++++++++++----
 4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index 853ad11bef..0aab592228 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -24,6 +24,7 @@
 #   KEY_SIZE
 #   ROT_KEY
 #   PROT_KEY
+#   ROT_KEY_PWD
 #   TRUSTED_WORLD_KEY
 #   NON_TRUSTED_WORLD_KEY
 #   SCP_BL2_KEY
@@ -62,6 +63,7 @@ $(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg,FWU_)))
 $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
 $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,FWU_)))
 $(if ${PROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PROT_KEY},--prot-key)))
+$(if ${ROT_KEY_PWD},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY_PWD},--rot-key-pwd)))
 $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))
 $(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key)))
 
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 3409502d82..1a03201560 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -70,7 +70,7 @@ int key_init(void);
 key_t *key_get_by_opt(const char *opt);
 int key_new(key_t *key);
 int key_create(key_t *key, int type, int key_bits);
-int key_load(key_t *key, unsigned int *err_code);
+int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code);
 int key_store(key_t *key);
 
 /* Macro to register the keys used in the CoT */
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index 25d7d4bd9b..9ba5028af7 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -137,7 +137,7 @@ int key_create(key_t *key, int type, int key_bits)
 	return 0;
 }
 
-int key_load(key_t *key, unsigned int *err_code)
+int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code)
 {
 	FILE *fp;
 	EVP_PKEY *k;
@@ -146,7 +146,7 @@ int key_load(key_t *key, unsigned int *err_code)
 		/* Load key from file */
 		fp = fopen(key->fn, "r");
 		if (fp) {
-			k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
+			k = PEM_read_PrivateKey(fp, &key->key, NULL, rot_key_pwd);
 			fclose(fp);
 			if (k) {
 				*err_code = KEY_ERR_NONE;
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 8a1e02e62f..e79e72745b 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -289,7 +289,12 @@ static const cmd_opt_t common_cmd_opt[] = {
 	{
 		{ "print-cert", no_argument, NULL, 'p' },
 		"Print the certificates in the standard output"
-	}
+	},
+	{
+		{ "rot-key-pwd", required_argument, NULL, 'r' },
+		"Password for the root key"
+	},
+
 };
 
 int main(int argc, char *argv[])
@@ -308,6 +313,7 @@ int main(int argc, char *argv[])
 	unsigned char md[SHA512_DIGEST_LENGTH];
 	unsigned int  md_len;
 	const EVP_MD *md_info;
+	char *rot_key_pw = NULL;
 
 	NOTICE("CoT Generation Tool: %s\n", build_msg);
 	NOTICE("Target platform: %s\n", platform_msg);
@@ -345,7 +351,7 @@ int main(int argc, char *argv[])
 
 	while (1) {
 		/* getopt_long stores the option index here. */
-		c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx);
+		c = getopt_long(argc, argv, "a:b:hknpr:s:", cmd_opt, &opt_idx);
 
 		/* Detect the end of the options. */
 		if (c == -1) {
@@ -379,6 +385,10 @@ int main(int argc, char *argv[])
 		case 'p':
 			print_cert = 1;
 			break;
+		case 'r':
+			rot_key_pw = malloc(sizeof(char) * strlen(optarg));
+			strncpy(rot_key_pw, optarg, strlen(optarg));
+			break;
 		case 's':
 			hash_alg = get_hash_alg(optarg);
 			if (hash_alg < 0) {
@@ -437,7 +447,7 @@ int main(int argc, char *argv[])
 		}
 
 		/* First try to load the key from disk */
-		if (key_load(&keys[i], &err_code)) {
+		if (key_load(&keys[i], rot_key_pw, &err_code)) {
 			/* Key loaded successfully */
 			continue;
 		}
-- 
2.17.1