From fd34e7ba7730b6538cfd18bddd877900c80e2a50 Mon Sep 17 00:00:00 2001
From: Juan Castillo
Date: Wed, 25 Feb 2015 12:43:12 +0000
Subject: [PATCH] TBB: add build option to save private keys

This patch adds a boolean build option 'SAVE_KEYS' to indicate the certificate generation tool that it must save the private keys used to establish the chain of trust. This option depends on 'CREATE_KEYS' to be enabled. Default is '0' (do not save). Because the same filenames are used as outputs to save the keys, they are no longer a dependency to the cert_tool. This dependency has been removed from the Makefile. Documentation updated accordingly.

Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b
---
 Makefile | 6 +++++-
 docs/user-guide.md | 26 +++++++++++++++++++-------
 2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index c33670b5..7f7ca8e7 100644
--- a/Makefile
+++ b/Makefile
@@ -73,6 +73,7 @@ DISABLE_PEDANTIC := 0
 # Flags to generate the Chain of Trust
 GENERATE_COT := 0
 CREATE_KEYS := 1
+SAVE_KEYS := 0
 # Flags to build TF with Trusted Boot support
 TRUSTED_BOARD_BOOT := 0
 AUTH_MOD := none
@@ -270,6 +271,7 @@ $(eval $(call add_define,USE_COHERENT_MEM))
 # Process Generate CoT flags
 $(eval $(call assert_boolean,GENERATE_COT))
 $(eval $(call assert_boolean,CREATE_KEYS))
+$(eval $(call assert_boolean,SAVE_KEYS))
 # Process TRUSTED_BOARD_BOOT flag
 $(eval $(call assert_boolean,TRUSTED_BOARD_BOOT))
@@ -327,6 +329,9 @@ ifneq (${GENERATE_COT},0)
 ifneq (${CREATE_KEYS},0)
 $(eval CRT_ARGS += -n)
+ ifneq (${SAVE_KEYS},0)
+ $(eval CRT_ARGS += -k)
+ endif
 endif
 $(eval CRT_ARGS += $(if ${ROT_KEY}, --rot-key ${ROT_KEY}))
 $(eval CRT_ARGS += $(if ${TRUSTED_WORLD_KEY}, --trusted-world-key ${TRUSTED_WORLD_KEY}))
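Review bot: In the `ifneq (${CREATE_KEYS},0)` block of the third Makefile hunk, `-k` is appended only when both flags are set, so `SAVE_KEYS=1` with `CREATE_KEYS=0` passes `assert_boolean` and is then silently ignored, leaving the user to assume keys were saved when nothing was written. Fail loudly instead by adding an `else ifneq (${SAVE_KEYS},0)` branch to the `CREATE_KEYS` conditional that contains `$(error SAVE_KEYS=1 requires CREATE_KEYS=1)`. Since `-k` makes the tool write the chain-of-trust private keys to the paths given by `ROT_KEY` and the other `*_KEY` options, a comment such as `# -k writes private keys to the *_KEY paths, overwriting existing files` belongs next to it. The file mode of the saved keys is decided by the certificate tool, which this patch does not show, so it is worth confirming they are not created group- or world-readable. The enclosing `ifneq (${GENERATE_COT},0)` conditional starts and ends outside the hunk.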
@@ -514,7 +519,6 @@ $(eval FIP_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
 $(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt)))
 $(eval CRT_DEPS += $(if $4,$(2),))
-$(eval CRT_DEPS += $(if $4,$(if $6,$(6),)))
 $(eval CRT_ARGS += $(if $4,--bl$(1) $(2)))
 $(eval CRT_ARGS += $(if $4,$(if $6,--bl$(1)-key $(6))))
 $(eval CRT_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
diff --git a/docs/user-guide.md b/docs/user-guide.md
index ef26f118..184e46ab 100644
--- a/docs/user-guide.md
+++ b/docs/user-guide.md
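Review bot: Dropping `$(6)` from `CRT_DEPS` unconditionally means that with `SAVE_KEYS=0`, a replaced or rotated key file named by a `BLxx_KEY` option no longer forces the certificates to be regenerated, so a stale certificate signed with the old key could be packaged without any warning. The removal is only needed when the key file is an output of the tool; consider keeping the prerequisite otherwise, e.g. `$(eval CRT_DEPS += $(if $4,$(if $6,$(if $(filter 0,${SAVE_KEYS}),$(6)))))`. This assumes `CRT_DEPS` is the prerequisite list of the certificate rule, which is defined outside the hunk. The surrounding macro also begins and ends outside this hunk.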
@@ -297,28 +297,40 @@ performed. certificate generation tool to create new keys in case no valid keys are present or specified. Allowed options are '0' or '1'. Default is '1'. +* `SAVE_KEYS`: This option is used when `GENERATE_COT=1`. It tells the + certificate generation tool to save the keys used to establish the Chain of + Trust. Allowed options are '0' or '1'. Default is '0' (do not save). + + Note: This option depends on 'CREATE_KEYS' to be enabled. If the keys + already exist in disk, they will be overwritten without further notice. + * `ROT_KEY`: This option is used when `GENERATE_COT=1`. It specifies the - file that contains the ROT private key in PEM format. + file that contains the ROT private key in PEM format. If `SAVE_KEYS=1`, this + file name will be used to save the key. * `TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It specifies the file that contains the Trusted World private key in PEM - format. + format. If `SAVE_KEYS=1`, this file name will be used to save the key. * `NON_TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It specifies the file that contains the Non-Trusted World private key in PEM - format. + format. If `SAVE_KEYS=1`, this file name will be used to save the key. * `BL30_KEY`: This option is used when `GENERATE_COT=1`. It specifies the - file that contains the BL3-0 private key in PEM format. + file that contains the BL3-0 private key in PEM format. If `SAVE_KEYS=1`, + this file name will be used to save the key. * `BL31_KEY`: This option is used when `GENERATE_COT=1`. It specifies the - file that contains the BL3-1 private key in PEM format. + file that contains the BL3-1 private key in PEM format. If `SAVE_KEYS=1`, + this file name will be used to save the key. * `BL32_KEY`: This option is used when `GENERATE_COT=1`. It specifies the - file that contains the BL3-2 private key in PEM format. + file that contains the BL3-2 private key in PEM format. 
If `SAVE_KEYS=1`, + this file name will be used to save the key. * `BL33_KEY`: This option is used when `GENERATE_COT=1`. It specifies the - file that contains the BL3-3 private key in PEM format. + file that contains the BL3-3 private key in PEM format. If `SAVE_KEYS=1`, + this file name will be used to save the key. * `PROGRAMMABLE_RESET_ADDRESS`: This option indicates whether the reset vector address can be programmed or is fixed on the platform. It can take -- 2.30.2