From: Christian Melki
To: ptxdist@pengutronix.de
Date: Mon, 27 Jun 2022 14:40:03 +0200
Message-Id: <20220627124003.1652139-1-christian.melki@t2data.com>
X-Mailer: git-send-email 2.34.1
Subject: [ptxdist] [WIP PATCH] tf-a: Cleanup and add Trusted Board Boot & Encryption.

TF-A allows for different Chain of Trust models (CoT). The integrated one is based on ARM Trusted Board Boot Requirements (tbbr).

* Update vanilla TF-A to 2.2 -> 2.7
* Cleanup various whitespace and ordering in platforms/tf-a.in.
* Minor cleanups in repetitive text and help information.
* TBBR is dependent on HOST_OPENSSL for host tools.
* Runtime TF-A is dependent on MBEDTLS for cryptography services. Add MBEDTLS 2.28 and merge the LICENCE, SOURCE and LICENSE_FILES under TF-A. Let it carry its own version, since TF-A MBEDTLS can be different from the userspace variant of MBEDTLS.
* Add DEBUG configuration and let BINDIR directory depend on that variable instead of parsing EXTRA_ARGS (cleanup).
* Add LOG_LEVEL configuration. Make configuration more visible than hiding it in EXTRA_ARGS.
* Fix verbose handling to better align with ptxdist verbose builds.
* Add TRUSTED_BOARD_BOOT. Expose some default configurations so that it makes security choices more visible. Key handling is currently a key path. If no key exists, the TF-A makefile is configured to generate keys for you and store them under the specified path name.
* Add DECRYPTION_SUPPORT. Expose some default configurations so that it makes security choices more visible. ENC_KEY and ENC_NONCE have to be provided.
* Add FIP_GENERATION. Let the TF-A makefile generate a fip if you wish to. It can take external components if defined. Otherwise it will choose the ones it has generated by itself during the build. Most of the variables are to be left empty, beside BL33, which is always external. The non-secure world OS. (U-Boot, Barebox, Kernel, other...).

Signed-off-by: Christian Melki
--- platforms/tf-a.in | 289 +++++++++++++++++++++++++++++++++++++++++++--- rules/tf-a.make | 139 ++++++++++++++++++---- 2 files changed, 388 insertions(+), 40 deletions(-) diff --git a/platforms/tf-a.in b/platforms/tf-a.in index 0a14bd8c4..929695c13 100644 --- a/platforms/tf-a.in +++ b/platforms/tf-a.in @@ -3,6 +3,7 @@ menuconfig TF_A select BOOTLOADER select HOST_DTC + select HOST_OPENSSL if TF_A_TRUSTED_BOARD_BOOT prompt "ARM Trusted Firmware-A " depends on ARCH_ARM || ARCH_ARM64 bool @@ -18,16 +19,18 @@ config TF_A_URL config TF_A_VERSION string - default "v2.2" + default "v2.7" prompt "TF-A version" help Enter the TF-A git commit-ish you want to build. Usually a tagged - release like "v2.2" + release like "v2.7" config TF_A_MD5 string - default "bb300e5a62c911e189c80d935d497a4b" - prompt "TF-A source md5" + default "1d609ceb2bc01d650366118c58ca7336" + prompt "Source md5" + +comment "Target" config TF_A_ARCH_STRING string @@ -35,7 +38,7 @@ config TF_A_ARCH_STRING default "aarch64" if ARCH_ARM64 choice - prompt "TF-A Architecture" + prompt "Architecture" default TF_A_ARM_ARCH_MAJOR_7 if ARCH_ARM default TF_A_ARM_ARCH_MAJOR_8 if ARCH_ARM64 help 
@@ -64,36 +67,292 @@ config TF_A_ARM_ARCH_MAJOR default 8 if TF_A_ARM_ARCH_MAJOR_8_32_BIT default 8 if TF_A_ARM_ARCH_MAJOR_8 +config TF_A_ARM_ARCH_MINOR + depends on TF_A_ARM_ARCH_MAJOR_8 || TF_A_ARM_ARCH_MAJOR_8_32_BIT + int + default 0 + prompt "Target ARMv8.MINOR version" + help + The minor version of the ARMv8 architecture targeted. Defaults to 0. config TF_A_PLATFORMS string - prompt "TF-A target platforms" + prompt "Target platforms" help A space separated list of TF-A target platforms. -config TF_A_ARM_ARCH_MINOR - depends on TF_A_ARM_ARCH_MAJOR_8 || TF_A_ARM_ARCH_MAJOR_8_32_BIT +comment "Options" + +config TF_A_DEBUG + bool + prompt "Debug" + help + Enables or disables debug builds. + Debug is by default disabled. + +config TF_A_LOG_LEVEL int - default 0 - prompt "TF-A target ARMv8.MINOR version" + prompt "Loglevel" + default 40 if TF_A_DEBUG + default 20 if !TF_A_DEBUG help - The minor version of the ARMv8 architecture targeted. Defaults to 0. + Controls the log level in the build. + Default is 20 in a release and 40 in a debug build. + 0, LOG_LEVEL_NONE + 10, LOG_LEVEL_ERROR + 20, LOG_LEVEL_NOTICE + 30, LOG_LEVEL_WARNING + 40, LOG_LEVEL_INFO + 50, LOG_LEVEL_VERBOSE + +config TF_A_TRUSTED_BOARD_BOOT + bool + prompt "Trusted Board Boot" + help + Builds TF-A with TRUSTED_BOARD_BOOT=1 and + integrates MBEDTLS into the build. + The current configuration options will GENERATE + and SAVE keys (if filename does not exist) when + fip creation is specified. + PKCS#1, RSA 2.1, keysize 2048. Hash SHA2-256. + +config TF_A_DECRYPTION_SUPPORT + depends on TF_A_TRUSTED_BOARD_BOOT + bool + prompt "Decrypt support" + help + Builds TF-A with DECRYPTION_SUPPORT using + openssl to encrypt binaries in the build. + The current configuration options use a + symmetric chiper (AES-GCM) and symmetric + key status set to 0 (same key for all devices, SSK). + Encryption takes place if fip creation is specified. 
+ +config TF_A_GENERATE_FIP + bool + prompt "Generate FIP" + help + Lets the TF-A makefile generate a FIP. + Depending on options, TF-A will generate + a FIP with or without trusted board boot. config TF_A_EXTRA_ARGS string - prompt "TF-A extra build arguments" + prompt "Extra build arguments" help Extra platform-specific build arguments to pass to the TF-A build process, e.g. DTB_FILE_NAME= for the stm32mp1 +comment "FIP components" + depends on TF_A_GENERATE_FIP + +config TF_A_BL2 + depends on TF_A_GENERATE_FIP + string + prompt "External BL2 path" + help + Use an external BL2 image for FIP generation. + If non-empty, BL2 will not be generated by the + TF-A build. + BL2 usually corresponds to Trusted Boot Firmware + and is generated by TF-A. + Usually, this is left empty. + +config TF_A_BL31 + depends on TF_A_GENERATE_FIP + string + prompt "External BL31 path" + help + Use an external BL31 image for FIP generation. + If non-empty, BL31 will not be generated by the + TF-A build. + BL31 usually corresponds to Trusted Runtime Firmware + and is usually generated by TF-A + Usually, this is left empty. + +config TF_A_BL32 + depends on TF_A_GENERATE_FIP + string + prompt "External BL32 path" + help + Use an external BL32 image for FIP generation. + If non-empty, BL32 will not be generated by the + TF-A build. + BL32 usually corresponds to Trusted Secure World + and is either generated by TF-A (typ. sp_min) or + used in the form of OP-TEE. + For TF-A included secure OS (sp_min), + this is left empty. + +config TF_A_BL32_EXTRA1 + depends on TF_A_GENERATE_FIP + string + prompt "External BL32 CFG1/EXTRA1 path" + help + Use an external BL32 CFG image for FIP generation. + If non-empty, this image will not be generated by the + TF-A build. + BL32 CFG1 usually corresponds to Trusted Secure World + extra config 1 and is either generated by TF-A (typ. sp_min) + or used in the form of configuration for OP-TEE. + For TF-A included secure OS (sp_min), + this is left empty. 
+ +config TF_A_BL32_EXTRA2 + depends on TF_A_GENERATE_FIP + string + prompt "External BL32 CFG2/EXTRA2 path" + help + Use an external BL32 CFG image for FIP generation. + If non-empty, this image will not be generated by the + TF-A build. + BL32 CFG2 usually corresponds to Trusted Secure World + extra config 2 and is either generated by TF-A (typ. sp_min) + or used in the form of configuration for OP-TEE. + For TF-A included secure OS (sp_min), + this is left empty. + +config TF_A_BL33 + depends on TF_A_GENERATE_FIP + string + prompt "External BL33 path" + help + Use an external BL33 image for FIP generation. + BL33 usually corresponds to the Non-Secure World + OS and is not generated by TF-A. + This has to be defined when generating a FIP. + Normally this would be something like Barebox/U-Boot. + But it could also be a Linux kernel. + +config TF_A_BL33_CFG + depends on TF_A_GENERATE_FIP + string + prompt "TF-A external BL33 CFG" + help + Use an external BL33 CFG image for FIP generation. + BL33 CFG usually corresponds to the Non-Secure World + OS configuration and is not generated by TF-A. + This has to be defined when generating a FIP. + Normally this would be something like Barebox/U-Boot dtb. + But it could also be a Linux kernel dtb. + +comment "Trusted Board Boot Chain of Trust Key components" + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + +config TF_A_ROT_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "Root of Trust key path" + default "rot.key" + help + Path to Root of Trust private key. + Generated if file does not exist. + +config TF_A_TRUSTED_WORLD_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "Trusted World key path" + default "trusted_world.key" + help + Path to Trusted World private key. + Generated if file does not exist. 
+ +config TF_A_NON_TRUSTED_WORLD_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "Non Trusted World key path" + default "non_trusted_world.key" + help + Path to Non Trusted World private key. + Generated if file does not exist. + +config TF_A_SCP_BL2_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "System Control Processor Boot Level 2 key path" + default "scp_bl2.key" + help + Path to System Control Processor private key. + This firmware exists in some platforms. + (scp-fw-key). + Generated if file does not exist. + +config TF_A_BL31_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "Boot Level 31 key path" + default "bl31.key" + help + Path to bl31 private key. + BL31 corresponds to TF-A Runtime Firmware. + (soc-fw-key). + Generated if file does not exist. + +config TF_A_BL32_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "Boot Level 32 key path" + default "bl32.key" + help + Path to bl32 private key. + BL32 corresponds to TF-A Trusted World OS. + (tos-fw-key). + Generated if file does not exist. + +config TF_A_BL33_KEY + depends on TF_A_TRUSTED_BOARD_BOOT + depends on TF_A_GENERATE_FIP + string + prompt "Boot Level 33 key path" + default "bl33.key" + help + Path to bl33 private key. + BL33 corresponds to TF-A Non Trusted World OS. + (nt-fw-key). + Generated if file does not exist. + +comment "Trusted Board Boot Encryption Key components" + depends on TF_A_DECRYPTION_SUPPORT + depends on TF_A_GENERATE_FIP + +config TF_A_ENC_KEY + depends on TF_A_DECRYPTION_SUPPORT + depends on TF_A_GENERATE_FIP + string + prompt "Encryption key" + help + A 32-byte (256-bit) symmetric key in + hex string format. + Since the crypto is AES-GCM, a 256-bit + key is used. 
+ +config TF_A_ENC_NONCE + depends on TF_A_DECRYPTION_SUPPORT + depends on TF_A_GENERATE_FIP + string + prompt "Encryption nonce" + help + A 12-byte (96-bit) nonce or IV in hex string format. + NEVER EVER REUSE A NONCE for the same key. + You have been warned. + +comment "Artifacts" + config TF_A_ARTIFACTS string prompt "TF-A artifact file names" help A space-separated list of glob patterns of artifacts to copy from the - build directory. - All file names are relative to the appropriate TF-A platform build - directory. + build directory. This can be a final image or image components that, f.ex. + genimage will construct a final image from. All file names are relative + to the appropriate TF-A platform build directory. comment "Payloads" diff --git a/rules/tf-a.make b/rules/tf-a.make index 5fa0df941..c86c24cb4 100644 --- a/rules/tf-a.make +++ b/rules/tf-a.make @@ -2,6 +2,7 @@ # # Copyright (C) 2018 by Rouven Czerwinski # 2019 by Ahmad Fatoum +# 2022 by Christian Melki # # For further information about the PTXdist project and license conditions # see the README file. 
@@ -15,25 +16,57 @@ PACKAGES-$(PTXCONF_TF_A) += tf-a # # Paths and names # -TF_A_VERSION := $(call ptx/config-version, PTXCONF_TF_A) -TF_A_MD5 := $(call ptx/config-md5, PTXCONF_TF_A) -TF_A := tf-a-$(TF_A_VERSION) -TF_A_SUFFIX := tar.gz -TF_A_URL := $(call remove_quotes, $(PTXCONF_TF_A_URL))/$(TF_A_VERSION).$(TF_A_SUFFIX) -TF_A_SOURCE := $(SRCDIR)/$(TF_A).$(TF_A_SUFFIX) -TF_A_DIR := $(BUILDDIR)/$(TF_A) -TF_A_BUILDDIR := $(TF_A_DIR)/build -TF_A_BUILD_OOT := YES -TF_A_LICENSE := BSD-3-Clause AND BSD-2-Clause \ - AND (GPL-2.0-or-later OR BSD-2-Clause) \ - AND (NCSA OR MIT) \ - AND Zlib \ - AND (GPL-2.0-or-later OR BSD-3-Clause) +TF_A_VERSION := $(call ptx/config-version, PTXCONF_TF_A) +TF_A_MD5 := $(call ptx/config-md5, PTXCONF_TF_A) +TF_A := tf-a-$(TF_A_VERSION) +TF_A_SUFFIX := tar.gz +TF_A_URL := $(call remove_quotes, $(PTXCONF_TF_A_URL))/$(TF_A_VERSION).$(TF_A_SUFFIX) +TF_A_SOURCE := $(SRCDIR)/$(TF_A).$(TF_A_SUFFIX) +TF_A_DIR := $(BUILDDIR)/$(TF_A) +TF_A_BUILDDIR := $(TF_A_DIR)/build +TF_A_BUILD_OOT := YES +TF_A_LICENSE := BSD-3-Clause AND BSD-2-Clause \ + AND (GPL-2.0-or-later OR BSD-2-Clause) \ + AND (NCSA OR MIT) \ + AND Zlib \ + AND (GPL-2.0-or-later OR BSD-3-Clause) + +ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT +TF_A_MBEDTLS_VERSION := 2.28.0 +TF_A_MBEDTLS_MD5 := d64054513df877458493dbb28e2935fa +TF_A_MBEDTLS := mbedtls-$(TF_A_MBEDTLS_VERSION) +TF_A_MBEDTLS_SUFFIX := tar.gz +TF_A_MBEDTLS_URL := https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v$(TF_A_MBEDTLS_VERSION).$(TF_A_MBEDTLS_SUFFIX) +TF_A_MBEDTLS_SOURCE := $(SRCDIR)/$(TF_A_MBEDTLS).$(TF_A_MBEDTLS_SUFFIX) +$(TF_A_MBEDTLS_SOURCE) := TF_A_MBEDTLS +TF_A_MBEDTLS_DIR := $(TF_A_DIR)/$(TF_A_MBEDTLS) + +TF_A_SOURCES += $(TF_A_MBEDTLS_SOURCE) +TF_A_LICENSE += AND Apache-2.0 +TF_A_LICENSE_FILES += file://$(TF_A_MBEDTLS)/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 +endif + +# ---------------------------------------------------------------------------- +# Extract +# 
---------------------------------------------------------------------------- + +$(STATEDIR)/tf-a.extract: + @$(call targetinfo) + @$(call clean, $(TF_A_DIR)) + @$(call extract, TF_A) + @$(call patchin, TF_A) +ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT + @$(call extract, TF_A_MBEDTLS) + @$(call patchin, TF_A_MBEDTLS) +endif + @$(call touch) # ---------------------------------------------------------------------------- # Prepare # ---------------------------------------------------------------------------- +tf-a/declare-nonempty = $(if $(call remove_quotes, $(PTXCONF_TF_A_$(1))),$(1)=$(PTXCONF_TF_A_$(1))) + TF_A_PLATFORMS := $(call remove_quotes, $(PTXCONF_TF_A_PLATFORMS)) TF_A_ARTIFACTS := $(call remove_quotes, $(PTXCONF_TF_A_ARTIFACTS)) 
@@ -41,27 +74,82 @@ TF_A_WRAPPER_BLACKLIST := \ $(PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST) TF_A_EXTRA_ARGS := $(call remove_quotes,$(PTXCONF_TF_A_EXTRA_ARGS)) -TF_A_BINDIR = $(TF_A_BUILDDIR)/$(1)/$(if $(filter DEBUG=1,$(TF_A_EXTRA_ARGS)),debug,release) -TF_A_PATH := PATH=$(CROSS_PATH) -TF_A_MAKE_OPT := \ +TF_A_BINDIR = $(TF_A_BUILDDIR)/$(1)/$(if $(PTXCONF_TF_A_DEBUG),debug,release) + +TF_A_PATH := PATH=$(CROSS_PATH) +TF_A_MAKE_OPT := \ -C $(TF_A_DIR) \ CROSS_COMPILE=$(BOOTLOADER_CROSS_COMPILE) \ HOSTCC=$(HOSTCC) \ - ARCH=$(PTXCONF_TF_A_ARCH_STRING) \ - ARM_ARCH_MAJOR=$(PTXCONF_TF_A_ARM_ARCH_MAJOR) \ + V=$(if $(filter 1, $(PTXDIST_VERBOSE)),1,0) \ BUILD_STRING=$(PTXCONF_TF_A_VERSION) \ - $(TF_A_EXTRA_ARGS) \ - all + DEBUG=$(if $(PTXCONF_TF_A_DEBUG),1,0) \ + LOG_LEVEL=$(PTXCONF_TF_A_LOG_LEVEL) + +TF_A_MAKE_OPT += \ + ARCH=$(PTXCONF_TF_A_ARCH_STRING) \ + ARM_ARCH_MAJOR=$(PTXCONF_TF_A_ARM_ARCH_MAJOR) ifdef PTXCONF_TF_A_BL32_TSP -TF_A_MAKE_OPT += ARM_TSP_RAM_LOCATION=$(PTXCONF_TF_A_BL32_TSP_RAM_LOCATION_STRING) +TF_A_MAKE_OPT += \ + ARM_TSP_RAM_LOCATION=$(PTXCONF_TF_A_BL32_TSP_RAM_LOCATION_STRING) endif + ifdef PTXCONF_TF_A_ARM_ARCH_MINOR -TF_A_MAKE_OPT += ARM_ARCH_MINOR=$(PTXCONF_TF_A_ARM_ARCH_MINOR) +TF_A_MAKE_OPT += \ + ARM_ARCH_MINOR=$(PTXCONF_TF_A_ARM_ARCH_MINOR) endif + ifdef PTXCONF_TF_A_BL32_SP_MIN -TF_A_MAKE_OPT += AARCH32_SP=sp_min +TF_A_MAKE_OPT += \ + AARCH32_SP=sp_min +endif + +ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT +TF_A_MAKE_OPT += \ + OPENSSL_DIR=$(PTXDIST_SYSROOT_HOST) \ + TRUSTED_BOARD_BOOT=1 \ + COT=tbbr \ + KEY_ALG=rsa \ + KEY_SIZE=2048 \ + HASH_ALG=sha256 \ + GENERATE_COT=1 \ + CREATE_KEYS=1 \ + SAVE_KEYS=1 \ + $(call tf-a/declare-nonempty,ROT_KEY) \ + $(call tf-a/declare-nonempty,TRUSTED_WORLD_KEY) \ + $(call tf-a/declare-nonempty,NON_TRUSTED_WORLD_KEY) \ + $(call tf-a/declare-nonempty,SCP_BL2_KEY) \ + $(call tf-a/declare-nonempty,BL31_KEY) \ + $(call tf-a/declare-nonempty,BL32_KEY) \ + $(call tf-a/declare-nonempty,BL33_KEY) + +ifdef 
PTXCONF_TF_A_DECRYPTION_SUPPORT +TF_A_MAKE_OPT += \ + DECRYPTION_SUPPORT=aes_gcm \ + FW_ENC_STATUS=0 \ + ENCRYPT_BL31=1 \ + ENCRYPT_BL32=1 \ + $(call tf-a/declare-nonempty,ENC_KEY) \ + $(call tf-a/declare-nonempty,ENC_NONCE) endif +endif + +ifdef PTXCONF_TF_A_GENERATE_FIP +TF_A_MAKE_OPT += \ + $(call tf-a/declare-nonempty,BL2) \ + $(call tf-a/declare-nonempty,BL31) \ + $(call tf-a/declare-nonempty,BL32) \ + $(call tf-a/declare-nonempty,BL32_EXTRA1) \ + $(call tf-a/declare-nonempty,BL32_EXTRA2) \ + $(call tf-a/declare-nonempty,BL33) \ + $(call tf-a/declare-nonempty,BL33_CFG) \ + fip +endif + +TF_A_MAKE_OPT += \ + $(TF_A_EXTRA_ARGS) \ + all ifdef PTXCONF_TF_A ifeq ($(TF_A_ARTIFACTS),) @@ -75,7 +163,8 @@ TF_A_CONF_TOOL := NO # Compile # ---------------------------------------------------------------------------- -TF_A_MAKE_ENV := $(CROSS_ENV) +TF_A_MAKE_ENV := $(CROSS_ENV) \ + $(call ptx/ifdef, PTXCONF_TF_A_TRUSTED_BOARD_BOOT, MBEDTLS_DIR=$(TF_A_MBEDTLS)) $(STATEDIR)/tf-a.compile: @$(call targetinfo) -- 2.34.1
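Review bot: The default key paths in the new TF_A_ROT_KEY, TF_A_TRUSTED_WORLD_KEY and the other TF_A_*_KEY options ("rot.key", "trusted_world.key", "bl31.key", ...) are relative, and since the TF-A make is invoked with `-C $(TF_A_DIR)` together with `CREATE_KEYS=1` and `SAVE_KEYS=1`, the generated keys land inside the extracted source tree, which the new tf-a.extract stage wipes with `@$(call clean, $(TF_A_DIR))`. A clean rebuild therefore silently generates a fresh Root of Trust key pair, and any device whose ROTPK hash has already been provisioned will no longer accept the resulting FIP. Suggest defaulting these paths to a location outside $(TF_A_DIR) (the BSP directory would be the natural place) and, at least for ROT_KEY, failing the build when the file is missing instead of creating it, since re-issuing the ROT private key is the one thing the chain of trust cannot recover from; the "Generated if file does not exist" help lines should then say so.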
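Review bot: TF_A_ENC_KEY and TF_A_ENC_NONCE are plain Kconfig strings, so the symmetric firmware key and its nonce end up in the platformconfig (normally kept in version control) and are passed on the make command line via `$(call tf-a/declare-nonempty,ENC_KEY)`, where they show up in process listings and verbose build logs; the asymmetric keys in the same patch are referenced by file path, and ENC_KEY should get the same treatment. More importantly, with `FW_ENC_STATUS=0` (one shared key for all devices) and a nonce fixed in the configuration, every rebuild encrypts a different BL31/BL32 image under the same key/nonce pair, which is exactly the AES-GCM nonce reuse the TF_A_ENC_NONCE help text warns against and which breaks both confidentiality and the authentication tag. Suggest generating a fresh nonce per build (or at minimum documenting in the help text that ENC_NONCE must be changed for every build of the encrypted images) rather than storing it as a static option.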
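Review bot: A few wording issues in the new Kconfig help texts and prompts in platforms/tf-a.in: "symmetric chiper (AES-GCM)" in the TF_A_DECRYPTION_SUPPORT help should read "cipher"; the key prompts "Boot Level 2/31/32/33 key path" expand BL incorrectly, as BL is the Boot Loader stage in TF-A terminology (BL2, BL31, BL32, BL33); the TF_A_BL33_CFG prompt "TF-A external BL33 CFG" keeps the "TF-A " prefix that the rest of the patch deliberately strips from prompts and does not end in "path" like its BL2/BL31/BL32/BL33 siblings; and the TF_A_BL31 help line "and is usually generated by TF-A" is missing its full stop.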
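Review bot: TF_A_MBEDTLS_DIR is defined in the new "Paths and names" block of rules/tf-a.make but never used; the compile stage instead passes `MBEDTLS_DIR=$(TF_A_MBEDTLS)` through TF_A_MAKE_ENV, a bare directory name that only resolves because make runs with `-C $(TF_A_DIR)`. Passing `MBEDTLS_DIR=$(TF_A_MBEDTLS_DIR)` would make the two consistent and the variable meaningful, and placing it in the `ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT` block of TF_A_MAKE_OPT next to TRUSTED_BOARD_BOOT=1 would keep all chain-of-trust build settings in one place instead of splitting them between options and environment.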