Page MenuHomePhabricator

Get access to the private keys created by the cert_create
Open, Needs TriagePublic


Hi there, I am trying to figure out where does the cert_create tool put the private keys when running with following switch (-n,--new-keys ). Mainly, I am interested in the private key for BL31 and Non-trusted world key pairs. Any help would be greatly appreciated.
I need the private keys for testing purposes.

Event Timeline

tannoa2 created this task.Mar 17 2020, 7:33 PM
tannoa2 updated the task description. (Show Details)Mar 17 2020, 7:58 PM

Hello @tannoa2 ,

By default, the cert_create tool creates temporary keys that it keeps in RAM just to sign the certificates. These keys are not stored in files on the disk and are thus discarded after the tool exits.
If you want to save them, please have a look at the SAVE_KEYS build option. In your case, adding SAVE_KEYS=1 NON_TRUSTED_WORLD_KEY=ntw.key BL31_KEY=bl31.key to your command line should do what you want. You'll get the private keys in PEM format I believe, from which you can generate the associated public keys using the openssl tool (or equivalent) if needed.


Thanks a lot @sandrine-bailleux-arm for the input. I will try it now.

tannoa2 added a comment.EditedMar 19 2020, 7:01 PM

Hi @sandrine-bailleux-arm, where do the PEM files go? Because I still can't find them.

I rebuilt the tool the way you've suggested:

 sudo make BUILD_BASE=<workspace>/build \
> ROT_KEY=rot.key  BL31_KEY=bl31.key BL32_KEY=bl32.key  BL33_KEY=bl33.key certtool
  CC      src/cert.c
  CC      src/cmd_opt.c
  CC      src/ext.c
  CC      src/key.c
  CC      src/main.c
  CC      src/sha.c
  CC      src/tbbr/tbb_cert.c
  CC      src/tbbr/tbb_ext.c
  CC      src/tbbr/tbb_key.c
  LD     <workspace>/build/tools/cert_create/cert_create

Built <workspace>/build/tools/cert_create/cert_create successfully

Then ran the command:

sudo<workspace>/build/tools/cert_create/cert_create -n --rot-key keys/rotprivk_rsa.pem --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg rsa_1_5 --tb-fw boot/bl2.bin_v0 --tb-fw-cert certificate_test_azzam/tb_fw.crt --trusted-key-cert certificate_test_azzam/trusted_key.crt --soc-fw-key-cert certificate_test_azzam/soc_fw_key.crt --soc-fw-cert certificate_test_azzam/soc_fw_content.crt --soc-fw boot/bl31.bin_v0 --nt-fw-key-cert certificate_test_azzam/nt_fw_key.crt --nt-fw-cert certificate_test_azzam/nt_fw_content.crt --nt-fw boot/EFI.fd
NOTICE:  CoT Generation Tool: Built : 09:36:13, Mar 19 2020
NOTICE:  Target platform: generic1
NOTICE:  Creating new key for 'Trusted World key'
NOTICE:  Creating new key for 'Non Trusted World key'
NOTICE:  Creating new key for 'SCP Firmware Content Certificate key'
NOTICE:  Creating new key for 'SoC Firmware Content Certificate key'
NOTICE:  Creating new key for 'Trusted OS Firmware Content Certificate key'
NOTICE:  Creating new key for 'Non Trusted Firmware Content Certificate key'

Then I look for one of the keys:

$ sudo find / -name ntw.key

and I don't find it

Hello @tannoa2

Sorry if it wasn't clear in my original answer, the SAVE_KEYS=1 option (and friends) must be passed on the command line when you build the firmware, not the cert_create tool itself. The tool has no built-in knowledge of which keys it should use, instead it is told so when it is invoked.

In other words, please try to add these build options at the make fip build stage. The keys should then appear in the current working directory.