# Flags to generate the Chain of Trust
GENERATE_COT := 0
CREATE_KEYS := 1
+SAVE_KEYS := 0
# Flags to build TF with Trusted Boot support
TRUSTED_BOARD_BOOT := 0
AUTH_MOD := none
# Process Generate CoT flags
$(eval $(call assert_boolean,GENERATE_COT))
$(eval $(call assert_boolean,CREATE_KEYS))
+$(eval $(call assert_boolean,SAVE_KEYS))
# Process TRUSTED_BOARD_BOOT flag
$(eval $(call assert_boolean,TRUSTED_BOARD_BOOT))
ifneq (${CREATE_KEYS},0)
$(eval CRT_ARGS += -n)
+ ifneq (${SAVE_KEYS},0)
+ $(eval CRT_ARGS += -k)
+ endif
endif
$(eval CRT_ARGS += $(if ${ROT_KEY}, --rot-key ${ROT_KEY}))
$(eval CRT_ARGS += $(if ${TRUSTED_WORLD_KEY}, --trusted-world-key ${TRUSTED_WORLD_KEY}))
$(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt)))
$(eval CRT_DEPS += $(if $4,$(2),))
-$(eval CRT_DEPS += $(if $4,$(if $6,$(6),)))
$(eval CRT_ARGS += $(if $4,--bl$(1) $(2)))
$(eval CRT_ARGS += $(if $4,$(if $6,--bl$(1)-key $(6))))
$(eval CRT_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
certificate generation tool to create new keys in case no valid keys are
present or specified. Allowed options are '0' or '1'. Default is '1'.
+* `SAVE_KEYS`: This option is used when `GENERATE_COT=1`. It tells the
+ certificate generation tool to save the keys used to establish the Chain of
+ Trust. Allowed options are '0' or '1'. Default is '0' (do not save).
+
+ Note: This option depends on 'CREATE_KEYS' to be enabled. If the keys
+ already exist in disk, they will be overwritten without further notice.
+
* `ROT_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
- file that contains the ROT private key in PEM format.
+ file that contains the ROT private key in PEM format. If `SAVE_KEYS=1`, this
+ file name will be used to save the key.
* `TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It
specifies the file that contains the Trusted World private key in PEM
- format.
+ format. If `SAVE_KEYS=1`, this file name will be used to save the key.
* `NON_TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It
specifies the file that contains the Non-Trusted World private key in PEM
- format.
+ format. If `SAVE_KEYS=1`, this file name will be used to save the key.
* `BL30_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
- file that contains the BL3-0 private key in PEM format.
+ file that contains the BL3-0 private key in PEM format. If `SAVE_KEYS=1`,
+ this file name will be used to save the key.
* `BL31_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
- file that contains the BL3-1 private key in PEM format.
+ file that contains the BL3-1 private key in PEM format. If `SAVE_KEYS=1`,
+ this file name will be used to save the key.
* `BL32_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
- file that contains the BL3-2 private key in PEM format.
+ file that contains the BL3-2 private key in PEM format. If `SAVE_KEYS=1`,
+ this file name will be used to save the key.
* `BL33_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
- file that contains the BL3-3 private key in PEM format.
+ file that contains the BL3-3 private key in PEM format. If `SAVE_KEYS=1`,
+ this file name will be used to save the key.
* `PROGRAMMABLE_RESET_ADDRESS`: This option indicates whether the reset
vector address can be programmed or is fixed on the platform. It can take
projects / project / bcm63xx / atf.git / commitdiff