This patch adds experimental support for TRUSTED_BOARD_BOOT to the
Hikey. This is adapted from the RPi3 and QEMU implementations.
Since the Hikey starts from BL2 the TRUSTED_BOARD_BOOT ROT begins there
too. When TRUSTED_BOARD_BOOT is defined, the BL1 build is skipped.
See the following example:
make \
PLAT=hikey \
BL33=u-boot.bin \
SCP_BL2=mcuimage.bin \
TRUSTED_BOARD_BOOT=1 \
MBEDTLS_DIR=../../mbedtls \
GENERATE_COT=1 \
all fip
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
This patch adds support for TBB to qemu. An RSA ROT keypair is generated at
build time and is included into BL1/BL2. The key and content certificates
are read over semihosting.
FixesARM-software/tf-issues#526
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
This is not executable code. It should be put into .rodata instead
of .text section.
This produces more correct BL1 image when SEPARATE_CODE_AND_RODATA is
defined.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info().
It is up to users how to retrieve ROTPK if the ROT verification is
desired. This is not nice.
This commit improves plat_get_rotpk_info() implementation and automates
the ROTPK deployment. UniPhier platform has no ROTPK storage, so it
should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case.
This makes sense because UniPhier platform implements its internal ROM
i.e. BL1 is used as updatable pseudo ROM.
Things work like this:
- ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing.
Users can override ROT_KEY from the command line if they want to
use a specific ROT key.
- ROTPK_HASH is generated based on ROT_KEY.
- ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2.
- ROT_KEY is input to cert_create tool.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Teddy Reed
Michalis Pappas
Masahiro Yamada