commit 78676acfb3a820109fff3949174face5c68b8e71
author Tamas Ban <tamas.ban@arm.com> Thu Jul 11 09:05:54 2019 +0100
committer Tamas Ban <tamas.ban@arm.com> Fri Sep 06 06:59:34 2019 +0000
tree 7f3cb1a3700f3ed876cd4b640b601021b95bb126
parent 1d37c340766434ca2410a70c1822eb1153e5c3e0

Boot: Use different signing key to S and NS image

Secure and non-secure images might originated from different
sources therefore the need to sign them with different keys
is very likely.

Change-Id: I46e0d549c84ba92e79c218f54e78449f1152a178
Signed-off-by: Tamas Ban <tamas.ban@arm.com>

platform/ext/common/tfm_rotpk.c

diff --git a/platform/ext/common/tfm_rotpk.c b/platform/ext/common/tfm_rotpk.c
index ca97d5a..2f26281 100644
--- a/platform/ext/common/tfm_rotpk.c
+++ b/platform/ext/common/tfm_rotpk.c
@@ -31,6 +31,15 @@
     0xbe, 0xe5, 0x83, 0x3b, 0x23, 0xc2, 0x9f, 0x93,
     0x59, 0x3d, 0x00, 0x01, 0x8c, 0xfa, 0x99, 0x94,
 };
+/* Hash of public key: bl2/ext/mcuboot/root-rsa-2048_1.pem */
+#if (MCUBOOT_IMAGE_NUMBER == 2)
+uint8_t rotpk_hash_1[ROTPK_HASH_LEN] = {
+    0xe1, 0x80, 0x15, 0x99, 0x3d, 0x6d, 0x27, 0x60,
+    0xb4, 0x99, 0x27, 0x4b, 0xae, 0xf2, 0x64, 0xb8,
+    0x3a, 0xf2, 0x29, 0xe9, 0xa7, 0x85, 0xf3, 0xd5,
+    0xbf, 0x00, 0xb9, 0xd3, 0x2c, 0x1f, 0x03, 0x96,
+};
+#endif /* MCUBOOT_IMAGE_NUMBER */
 
 #elif (MCUBOOT_SIGN_RSA_LEN == 3072)
 /* Hash of public key: bl2/ext/mcuboot/root-rsa-3072.pem */
@@ -40,7 +49,15 @@
     0x3e, 0x46, 0x19, 0xfc, 0x56, 0x5d, 0xa2, 0x6a,
     0xdf, 0x34, 0xc3, 0x29, 0x48, 0x9a, 0xdc, 0x38,
 };
-
+/* Hash of public key: bl2/ext/mcuboot/root-rsa-3072_1.pem */
+#if (MCUBOOT_IMAGE_NUMBER == 2)
+uint8_t rotpk_hash_1[ROTPK_HASH_LEN] = {
+    0xb3, 0x60, 0xca, 0xf5, 0xc9, 0x8c, 0x6b, 0x94,
+    0x2a, 0x48, 0x82, 0xfa, 0x9d, 0x48, 0x23, 0xef,
+    0xb1, 0x66, 0xa9, 0xef, 0x6a, 0x6e, 0x4a, 0xa3,
+    0x7c, 0x19, 0x19, 0xed, 0x1f, 0xcc, 0xc0, 0x49,
+};
+#endif /* MCUBOOT_IMAGE_NUMBER */
 #else
 #error "No public key available for given signing algorithm."
 #endif
@@ -50,7 +67,12 @@
         .key_hash = rotpk_hash_0,
         .hash_len = ROTPK_HASH_LEN,
     },
+#if (MCUBOOT_IMAGE_NUMBER == 2)
+    {
+        .key_hash = rotpk_hash_1,
+        .hash_len = ROTPK_HASH_LEN,
+    },
+#endif
 };
-
-const uint32_t rotpk_key_cnt = 1;
+const uint32_t rotpk_key_cnt = MCUBOOT_IMAGE_NUMBER;
 #endif /* BL2 */