TBB: add support to include certificates in a FIP image
authorJuan Castillo <juan.castillo@arm.com>
Tue, 4 Nov 2014 17:36:40 +0000 (17:36 +0000)
committerDan Handley <dan.handley@arm.com>
Wed, 28 Jan 2015 18:26:59 +0000 (18:26 +0000)
This patch extends the FIP tool to include the certificates
generated by the 'cert_create' tool.

If the GENERATE_COT build option is enabled, the Makefile adds the
certificates as dependencies of the FIP file. Thus, the make
target 'fip' will also build the certificates as part of the
Trusted Firmware build process.

Change-Id: I5eee500da7f7be6cfb6e3df0423599739d260074

Makefile
include/common/firmware_image_package.h
tools/fip_create/fip_create.c
tools/fip_create/fip_create.h

index 777e3308e73788e0ff64ca09b54d2af7cd3ff1da..b5db6294b7d484bd52a6717928a0e0038a3624fc 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -286,6 +286,9 @@ TRUSTED_KEY_CERT    :=      ${BUILD_PLAT}/trusted_key.crt
 ifneq (${GENERATE_COT},0)
     $(eval CERTS := yes)
 
+    $(eval FIP_DEPS += certificates)
+    $(eval FIP_ARGS += --trusted-key-cert ${TRUSTED_KEY_CERT})
+
     ifneq (${CREATE_KEYS},0)
         $(eval CRT_ARGS += -n)
     endif
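Review bot: The added `FIP_DEPS += certificates` line makes the FIP depend on a target name, not on the certificate files that `FIP_ARGS` passes to fip_create. The rule for `certificates` is outside this hunk; if it is a phony target, the FIP is repackaged on every build, and nothing here records that each `--*-cert` path must already have been written by that target. A comment above the two new lines would state the ordering requirement, for example `# 'certificates' must complete before fip_create runs: it produces every file passed via --*-cert`. The enclosing `ifneq (${GENERATE_COT},0)` block continues past the end of the hunk.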
@@ -449,6 +452,8 @@ define MAKE_TOOL_ARGS
 
 $(eval FIP_DEPS += $(if $3,$(2),))
 $(eval FIP_ARGS += $(if $3,--bl$(1) $(2),))
+$(eval FIP_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
+$(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt)))
 
 $(eval CRT_DEPS += $(if $4,$(2),))
 $(eval CRT_DEPS += $(if $4,$(if $6,$(6),)))
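Review bot: The two added `FIP_ARGS` lines hard-code the certificate paths as `$(BUILD_PLAT)/bl$(1).crt` and `$(BUILD_PLAT)/bl$(1)_key.crt`, whereas the trusted key certificate goes through the `TRUSTED_KEY_CERT` variable. These literals have to match the output paths given to cert_create, which are set outside this hunk, so a later rename on one side would make the FIP package a stale file or fail to open it. Defining each path once and using it in both places would remove that risk, and a comment such as `# $4: image has a content certificate, $5: image also has a key certificate` would document the new arguments. `MAKE_TOOL_ARGS` starts and ends outside the hunk.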
index f4554ecc608437cf76bb69ffba74efed6a67df09..8fb669e3db8118fc7d7f4f11d3548c89e36bca12 100644 (file)
        {0x89e1d005, 0xdc53, 0x4713, 0x8d, 0x2b, {0x50, 0x0a, 0x4b, 0x7a, 0x3e, 0x38} }
 #define UUID_NON_TRUSTED_FIRMWARE_BL33 \
        {0xa7eed0d6, 0xeafc, 0x4bd5, 0x97, 0x82, {0x99, 0x34, 0xf2, 0x34, 0xb6, 0xe4} }
+/* Key certificates */
+#define UUID_ROT_KEY_CERT \
+       {0x721d2d86, 0x60f8, 0x11e4, 0x92, 0x0b, {0x8b, 0xe7, 0x62, 0x16, 0x0f, 0x24} }
+#define UUID_TRUSTED_KEY_CERT \
+       {0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} }
+#define UUID_NON_TRUSTED_WORLD_KEY_CERT \
+       {0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} }
+#define UUID_SCP_FIRMWARE_BL30_KEY_CERT \
+       {0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} }
+#define UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT \
+       {0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} }
+#define UUID_SECURE_PAYLOAD_BL32_KEY_CERT \
+       {0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} }
+#define UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT \
+       {0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} }
+/* Content certificates */
+#define UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT \
+       {0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} }
+#define UUID_SCP_FIRMWARE_BL30_CERT \
+       {0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} }
+#define UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT \
+       {0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} }
+#define UUID_SECURE_PAYLOAD_BL32_CERT \
+       {0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
+#define UUID_NON_TRUSTED_FIRMWARE_BL33_CERT \
+       {0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
 
 typedef struct fip_toc_header {
        uint32_t        name;
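Review bot: `UUID_NON_TRUSTED_WORLD_KEY_CERT` is added here, but the `toc_entry_lookup_list` entries added to fip_create.c in this commit do not reference it, so no command-line option can place that certificate in a FIP. Judging only from the hunks shown, the macro is either unused or its table entry is missing. Either add the matching entry or mark the macro, for example `/* Reserved: not packaged by fip_create yet */`. The two section comments could also state the distinction they rely on, for example `/* Key certificates: carry the public key used to verify the next certificate */` and `/* Content certificates: carry the hash of a firmware image */`; that wording is an assumption to confirm against the cert_create documentation.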
index c940c5b0dd63a65a37d8dd3b694ff13e1a4fa1a6..c6869f95632b7fc9ac93cb5a19ff7dc349572609 100644 (file)
@@ -65,6 +65,30 @@ static entry_lookup_list_t toc_entry_lookup_list[] = {
          "bl32", NULL, FLAG_FILENAME},
        { "Non-Trusted Firmware BL3-3", UUID_NON_TRUSTED_FIRMWARE_BL33,
          "bl33", NULL, FLAG_FILENAME},
+       /* Key Certificates */
+       { "Root Of Trust key certificate", UUID_ROT_KEY_CERT,
+         "rot-cert", NULL, FLAG_FILENAME },
+       { "Trusted key certificate", UUID_TRUSTED_KEY_CERT,
+         "trusted-key-cert", NULL, FLAG_FILENAME},
+       { "SCP Firmware BL3-0 key certificate", UUID_SCP_FIRMWARE_BL30_KEY_CERT,
+         "bl30-key-cert", NULL, FLAG_FILENAME},
+       { "EL3 Runtime Firmware BL3-1 key certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT,
+         "bl31-key-cert", NULL, FLAG_FILENAME},
+       { "Secure Payload BL3-2 (Trusted OS) key certificate", UUID_SECURE_PAYLOAD_BL32_KEY_CERT,
+         "bl32-key-cert", NULL, FLAG_FILENAME},
+       { "Non-Trusted Firmware BL3-3 key certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT,
+         "bl33-key-cert", NULL, FLAG_FILENAME},
+       /* Content certificates */
+       { "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT,
+         "bl2-cert", NULL, FLAG_FILENAME },
+       { "SCP Firmware BL3-0 certificate", UUID_SCP_FIRMWARE_BL30_CERT,
+         "bl30-cert", NULL, FLAG_FILENAME},
+       { "EL3 Runtime Firmware BL3-1 certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT,
+         "bl31-cert", NULL, FLAG_FILENAME},
+       { "Secure Payload BL3-2 (Trusted OS) certificate", UUID_SECURE_PAYLOAD_BL32_CERT,
+         "bl32-cert", NULL, FLAG_FILENAME},
+       { "Non-Trusted Firmware BL3-3 certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_CERT,
+         "bl33-cert", NULL, FLAG_FILENAME},
        { NULL, {0}, 0 }
 };
 
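Review bot: The option name `"rot-cert"` for the "Root Of Trust key certificate" entry breaks the `-key-cert` suffix used by every other key-certificate option in this table. The Makefile hunks in this commit also never pass it, so the entry appears reachable only by invoking fip_create by hand. Renaming it to `"rot-key-cert"` before the interface is relied on would keep the options predictable; if it is intentionally not wired into the build, a short comment on the entry should say so. The spacing before the closing brace is also inconsistent (`FLAG_FILENAME }` on the first entry of each group, `FLAG_FILENAME},` elsewhere). The table itself starts outside the hunk.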
index ef321cd3ff4e0a0e853f00afcc0f934b10fb57d2..32583352f1633697b6e6108d6ca98b2c4ad4b8ac 100644 (file)
@@ -34,7 +34,7 @@
 #include <stdint.h>
 #include <uuid.h>
 
-#define MAX_FILES                      10
+#define MAX_FILES                      20
 
 /* TODO: Update this number as required */
 #define TOC_HEADER_SERIAL_NUMBER       0x12345678
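Review bot: `MAX_FILES` is raised to 20 with nothing tying it to the number of entries in `toc_entry_lookup_list`, which this commit grows by twelve. How `MAX_FILES` bounds the file array is outside the hunk, so whether an overflow is rejected or silently overruns cannot be confirmed from here. The constant should at least carry the invariant, for example `/* Must be >= the number of non-sentinel entries in toc_entry_lookup_list (fip_create.c) */`. A compile-time check next to the table would enforce it the next time an entry is added.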