* [ptxdist] [WIP PATCH] tf-a: Cleanup and add Trusted Board Boot & Encryption.
@ 2022-06-27 12:40 Christian Melki
  2022-07-01  6:05 ` Michael Olbrich
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Melki @ 2022-06-27 12:40 UTC (permalink / raw)
  To: ptxdist

TF-A allows for different Chain of Trust models (CoT).
The integrated one is based on ARM Trusted Board Boot Requirements (tbbr).

* Update vanilla TF-A to 2.2 -> 2.7

* Cleanup various whitespace and ordering in platforms/tf-a.in.

* Minor cleanups in repetitive text and help information.

* TBBR is dependent on HOST_OPENSSL for host tools.

* Runtime TF-A is dependent on MBEDTLS for cryptography services.
Add MBEDTLS 2.28 and merge the LICENCE, SOURCE and LICENSE_FILES
under TF-A. Let it carry it's own version, since TF-A MBEDTLS
can be different from the userspace variant of MBEDTLS.

* Add DEBUG configuration and let BINDIR directory depend on
that variable instead of parsing EXTRA_ARGS (cleanup).

* Add LOG_LEVEL configuration. Make configuration more visible
than hiding it in EXTRA_ARGS.

* Fix verbose handling to better align with ptxdist verbose builds.

* Add TRUSTED_BOARD_BOOT.
Expose some default configurations so that it makes security
choices more visible.
Key handling is currently a key path. If no key exists,
the TF-A makefile is configured to generate keys for you and
store them under the specified path name.

* Add DECRYPTION_SUPPORT
Expose some default configurations so that it makes security
choices more visible.
ENC_KEY and ENC_NONCE have to be provided.

* Add FIP_GENERATION.
Let the TF-A makefile generate a fip if you wish to.
It can take external components if defined. Otherwise
it will choose the ones it has generated by itself during
the build. Most of the variables are to be left empty, beside
BL33, which is always external. The non-secure world OS.
(U-Boot, Barebox, Kernel, other...).

Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
 platforms/tf-a.in | 289 +++++++++++++++++++++++++++++++++++++++++++---
 rules/tf-a.make   | 139 ++++++++++++++++++----
 2 files changed, 388 insertions(+), 40 deletions(-)

diff --git a/platforms/tf-a.in b/platforms/tf-a.in
index 0a14bd8c4..929695c13 100644
--- a/platforms/tf-a.in
+++ b/platforms/tf-a.in
@@ -3,6 +3,7 @@
 menuconfig TF_A
 	select BOOTLOADER
 	select HOST_DTC
+	select HOST_OPENSSL	if TF_A_TRUSTED_BOARD_BOOT
 	prompt "ARM Trusted Firmware-A        "
 	depends on ARCH_ARM || ARCH_ARM64
 	bool
@@ -18,16 +19,18 @@ config TF_A_URL
 
 config TF_A_VERSION
 	string
-	default "v2.2"
+	default "v2.7"
 	prompt "TF-A version"
 	help
 	  Enter the TF-A git commit-ish you want to build. Usually a tagged
-	  release like "v2.2"
+	  release like "v2.7"
 
 config TF_A_MD5
 	string
-	default "bb300e5a62c911e189c80d935d497a4b"
-	prompt "TF-A source md5"
+	default "1d609ceb2bc01d650366118c58ca7336"
+	prompt "Source md5"
+
+comment "Target"
 
 config TF_A_ARCH_STRING
 	string
@@ -35,7 +38,7 @@ config TF_A_ARCH_STRING
 	default "aarch64" if ARCH_ARM64
 
 choice
-	prompt "TF-A Architecture"
+	prompt "Architecture"
 	default TF_A_ARM_ARCH_MAJOR_7 if ARCH_ARM
 	default TF_A_ARM_ARCH_MAJOR_8 if ARCH_ARM64
 	help
@@ -64,36 +67,292 @@ config TF_A_ARM_ARCH_MAJOR
 	default 8 if TF_A_ARM_ARCH_MAJOR_8_32_BIT
 	default 8 if TF_A_ARM_ARCH_MAJOR_8
 
+config TF_A_ARM_ARCH_MINOR
+	depends on TF_A_ARM_ARCH_MAJOR_8 || TF_A_ARM_ARCH_MAJOR_8_32_BIT
+	int
+	default 0
+	prompt "Target ARMv8.MINOR version"
+	help
+	  The minor version of the ARMv8 architecture targeted. Defaults to 0.
 
 config TF_A_PLATFORMS
 	string
-	prompt "TF-A target platforms"
+	prompt "Target platforms"
 	help
 	  A space separated list of TF-A target platforms.
 
-config TF_A_ARM_ARCH_MINOR
-	depends on TF_A_ARM_ARCH_MAJOR_8 || TF_A_ARM_ARCH_MAJOR_8_32_BIT
+comment "Options"
+
+config TF_A_DEBUG
+	bool
+	prompt "Debug"
+	help
+	  Enables or disables debug builds.
+	  Debug is by default disabled.
+
+config TF_A_LOG_LEVEL
 	int
-	default 0
-	prompt "TF-A target ARMv8.MINOR version"
+	prompt "Loglevel"
+	default 40 if TF_A_DEBUG
+	default 20 if !TF_A_DEBUG
 	help
-	  The minor version of the ARMv8 architecture targeted. Defaults to 0.
+	  Controls the log level in the build.
+	  Default is 20 in a release and 40 in a debug build.
+	  0,  LOG_LEVEL_NONE
+	  10, LOG_LEVEL_ERROR
+	  20, LOG_LEVEL_NOTICE
+	  30, LOG_LEVEL_WARNING
+	  40, LOG_LEVEL_INFO
+	  50, LOG_LEVEL_VERBOSE
+
+config TF_A_TRUSTED_BOARD_BOOT
+	bool
+	prompt "Trusted Board Boot"
+	help
+	  Builds TF-A with TRUSTED_BOARD_BOOT=1 and
+	  integrates MBEDTLS into the build.
+	  The current configuration options will GENERATE
+	  and SAVE keys (if filename does not exist) when
+	  fip creation is specified.
+	  PKCS#1, RSA 2.1, keysize 2048. Hash SHA2-256.
+
+config TF_A_DECRYPTION_SUPPORT
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	bool
+	prompt "Decrypt support"
+	help
+	  Builds TF-A with DECRYPTION_SUPPORT using
+	  openssl to encrypt binaries in the build.
+	  The current configuration options use a
+	  symmetric chiper (AES-GCM) and symmetric
+	  key status set to 0 (same key for all devices, SSK).
+	  Encryption takes place if fip creation is specified.
+
+config TF_A_GENERATE_FIP
+	bool
+	prompt "Generate FIP"
+	help
+	  Lets the TF-A makefile generate a FIP.
+	  Depending on options, TF-A will generate
+	  a FIP with or without trusted board boot.
 
 config TF_A_EXTRA_ARGS
 	string
-	prompt "TF-A extra build arguments"
+	prompt "Extra build arguments"
 	help
 	  Extra platform-specific build arguments to pass to the TF-A build
 	  process, e.g. DTB_FILE_NAME= for the stm32mp1
 
+comment "FIP components"
+	depends on TF_A_GENERATE_FIP
+
+config TF_A_BL2
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "External BL2 path"
+	help
+	  Use an external BL2 image for FIP generation.
+	  If non-empty, BL2 will not be generated by the
+	  TF-A build.
+	  BL2 usually corresponds to Trusted Boot Firmware
+	  and is generated by TF-A.
+	  Usually, this is left empty.
+
+config TF_A_BL31
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "External BL31 path" 
+	help
+	  Use an external BL31 image for FIP generation.
+	  If non-empty, BL31 will not be generated by the
+	  TF-A build.
+	  BL31 usually corresponds to Trusted Runtime Firmware
+	  and is usually generated by TF-A
+	  Usually, this is left empty.
+
+config TF_A_BL32
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "External BL32 path"
+	help
+	  Use an external BL32 image for FIP generation.
+	  If non-empty, BL32 will not be generated by the
+	  TF-A build.
+	  BL32 usually corresponds to Trusted Secure World
+	  and is either generated by TF-A (typ. sp_min) or
+	  used in the form of OP-TEE.
+	  For TF-A included secure OS (sp_min),
+	  this is left empty.
+
+config TF_A_BL32_EXTRA1
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "External BL32 CFG1/EXTRA1 path"
+	help
+	  Use an external BL32 CFG image for FIP generation.
+	  If non-empty, this image will not be generated by the
+	  TF-A build.
+	  BL32 CFG1 usually corresponds to Trusted Secure World
+	  extra config 1 and is either generated by TF-A (typ. sp_min)
+	  or used in the form of configuration for OP-TEE.
+	  For TF-A included secure OS (sp_min),
+	  this is left empty.
+
+config TF_A_BL32_EXTRA2
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "External BL32 CFG2/EXTRA2 path"
+	help
+	  Use an external BL32 CFG image for FIP generation.
+	  If non-empty, this image will not be generated by the
+	  TF-A build.
+	  BL32 CFG2 usually corresponds to Trusted Secure World
+	  extra config 2 and is either generated by TF-A (typ. sp_min)
+	  or used in the form of configuration for OP-TEE.
+	  For TF-A included secure OS (sp_min),
+	  this is left empty.
+
+config TF_A_BL33
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "External BL33 path"
+	help
+	  Use an external BL33 image for FIP generation.
+	  BL33 usually corresponds to the Non-Secure World
+	  OS and is not generated by TF-A.
+	  This has to be defined when generating a FIP.
+	  Normally this would be something like Barebox/U-Boot.
+	  But it could also be a Linux kernel.
+
+config TF_A_BL33_CFG
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "TF-A external BL33 CFG"
+	help
+	  Use an external BL33 CFG image for FIP generation.
+	  BL33 CFG usually corresponds to the Non-Secure World
+	  OS configuration and is not generated by TF-A.
+	  This has to be defined when generating a FIP.
+	  Normally this would be something like Barebox/U-Boot dtb.
+	  But it could also be a Linux kernel dtb.
+
+comment "Trusted Board Boot Chain of Trust Key components"
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+
+config TF_A_ROT_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Root of Trust key path"
+	default "rot.key"
+	help
+	  Path to Root of Trust private key.
+	  Generated if file does not exist.
+
+config TF_A_TRUSTED_WORLD_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Trusted World key path"
+	default "trusted_world.key"
+	help
+	  Path to Trusted World private key.
+	  Generated if file does not exist.
+
+config TF_A_NON_TRUSTED_WORLD_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Non Trusted World key path"
+	default "non_trusted_world.key"
+	help
+	  Path to Non Trusted World private key.
+	  Generated if file does not exist.
+
+config TF_A_SCP_BL2_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "System Control Processor Boot Level 2 key path"
+	default "scp_bl2.key"
+	help
+	  Path to System Control Processor private key.
+	  This firmware exists in some platforms.
+	  (scp-fw-key).
+	  Generated if file does not exist.
+
+config TF_A_BL31_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Boot Level 31 key path"
+	default "bl31.key"
+	help
+	  Path to bl31 private key.
+	  BL31 corresponds to TF-A Runtime Firmware.
+	  (soc-fw-key).
+	  Generated if file does not exist.
+
+config TF_A_BL32_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Boot Level 32 key path"
+	default "bl32.key"
+	help
+	  Path to bl32 private key.
+	  BL32 corresponds to TF-A Trusted World OS.
+	  (tos-fw-key).
+	  Generated if file does not exist.
+
+config TF_A_BL33_KEY
+	depends on TF_A_TRUSTED_BOARD_BOOT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Boot Level 33 key path"
+	default "bl33.key"
+	help
+	  Path to bl33 private key.
+	  BL33 corresponds to TF-A Non Trusted World OS.
+	  (nt-fw-key).
+	  Generated if file does not exist.
+
+comment "Trusted Board Boot Encryption Key components"
+	depends on TF_A_DECRYPTION_SUPPORT
+	depends on TF_A_GENERATE_FIP
+
+config TF_A_ENC_KEY
+	depends on TF_A_DECRYPTION_SUPPORT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Encryption key"
+	help
+	  A 32-byte (256-bit) symmetric key in
+	  hex string format.
+	  Since the crypto is AES-GCM, a 256-bit
+	  key is used.
+	  
+config TF_A_ENC_NONCE
+	depends on TF_A_DECRYPTION_SUPPORT
+	depends on TF_A_GENERATE_FIP
+	string
+	prompt "Encryption nonce"
+	help
+	  A 12-byte (96-bit) nonce or IV in hex string format.
+	  NEVER EVER REUSE A NONCE for the same key.
+	  You have been warned.
+
+comment "Artifacts"
+
 config TF_A_ARTIFACTS
 	string
 	prompt "TF-A artifact file names"
 	help
 	  A space-separated list of glob patterns of artifacts to copy from the
-	  build directory.
-	  All file names are relative to the appropriate TF-A platform build
-	  directory.
+	  build directory. This can be a final image or image components that, f.ex.
+	  genimage will construct a final image from. All file names are relative
+	  to the appropriate TF-A platform build directory.
 
 comment "Payloads"
 
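Review bot: `TF_A_ENC_KEY` takes the AES-256 firmware key itself as a Kconfig string, so the secret is presumably written in clear text into the saved platform configuration, whereas the chain-of-trust options above it take a path to a key file. The help for `TF_A_DECRYPTION_SUPPORT` states that the same key is used for all devices, so a leak of that one configuration file would expose every encrypted image. Consider having the option name a key file outside the project tree that the rule reads at build time, or at least add to the help: `The key is stored in clear text in the platform configuration; do not commit or share that file.` `TF_A_ENC_NONCE` has a related problem: as a fixed setting it stays the same across rebuilds unless someone edits it, which is exactly what its own help text warns against.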
diff --git a/rules/tf-a.make b/rules/tf-a.make
index 5fa0df941..c86c24cb4 100644
--- a/rules/tf-a.make
+++ b/rules/tf-a.make
@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2018 by Rouven Czerwinski <r.czerwinski@pengutronix.de>
 #               2019 by Ahmad Fatoum <a.fatoum@pengutronix.de>
+#               2022 by Christian Melki <christian.melki@t2data.com>
 #
 # For further information about the PTXdist project and license conditions
 # see the README file.
@@ -15,25 +16,57 @@ PACKAGES-$(PTXCONF_TF_A) += tf-a
 #
 # Paths and names
 #
-TF_A_VERSION	:= $(call ptx/config-version, PTXCONF_TF_A)
-TF_A_MD5	:= $(call ptx/config-md5, PTXCONF_TF_A)
-TF_A		:= tf-a-$(TF_A_VERSION)
-TF_A_SUFFIX	:= tar.gz
-TF_A_URL	:= $(call remove_quotes, $(PTXCONF_TF_A_URL))/$(TF_A_VERSION).$(TF_A_SUFFIX)
-TF_A_SOURCE	:= $(SRCDIR)/$(TF_A).$(TF_A_SUFFIX)
-TF_A_DIR	:= $(BUILDDIR)/$(TF_A)
-TF_A_BUILDDIR	:= $(TF_A_DIR)/build
-TF_A_BUILD_OOT	:= YES
-TF_A_LICENSE	:= BSD-3-Clause AND BSD-2-Clause \
-		   AND (GPL-2.0-or-later OR BSD-2-Clause) \
-		   AND (NCSA OR MIT) \
-		   AND Zlib \
-		   AND (GPL-2.0-or-later OR BSD-3-Clause)
+TF_A_VERSION			:= $(call ptx/config-version, PTXCONF_TF_A)
+TF_A_MD5			:= $(call ptx/config-md5, PTXCONF_TF_A)
+TF_A				:= tf-a-$(TF_A_VERSION)
+TF_A_SUFFIX			:= tar.gz
+TF_A_URL			:= $(call remove_quotes, $(PTXCONF_TF_A_URL))/$(TF_A_VERSION).$(TF_A_SUFFIX)
+TF_A_SOURCE			:= $(SRCDIR)/$(TF_A).$(TF_A_SUFFIX)
+TF_A_DIR			:= $(BUILDDIR)/$(TF_A)
+TF_A_BUILDDIR			:= $(TF_A_DIR)/build
+TF_A_BUILD_OOT			:= YES
+TF_A_LICENSE			:= BSD-3-Clause AND BSD-2-Clause \
+				   AND (GPL-2.0-or-later OR BSD-2-Clause) \
+				   AND (NCSA OR MIT) \
+				   AND Zlib \
+				   AND (GPL-2.0-or-later OR BSD-3-Clause)
+
+ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT
+TF_A_MBEDTLS_VERSION		:= 2.28.0
+TF_A_MBEDTLS_MD5		:= d64054513df877458493dbb28e2935fa
+TF_A_MBEDTLS			:= mbedtls-$(TF_A_MBEDTLS_VERSION)
+TF_A_MBEDTLS_SUFFIX		:= tar.gz
+TF_A_MBEDTLS_URL		:= https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v$(TF_A_MBEDTLS_VERSION).$(TF_A_MBEDTLS_SUFFIX)
+TF_A_MBEDTLS_SOURCE		:= $(SRCDIR)/$(TF_A_MBEDTLS).$(TF_A_MBEDTLS_SUFFIX)
+$(TF_A_MBEDTLS_SOURCE)		:= TF_A_MBEDTLS
+TF_A_MBEDTLS_DIR		:= $(TF_A_DIR)/$(TF_A_MBEDTLS)
+
+TF_A_SOURCES			+= $(TF_A_MBEDTLS_SOURCE)
+TF_A_LICENSE			+= AND Apache-2.0
+TF_A_LICENSE_FILES		+= file://$(TF_A_MBEDTLS)/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57
+endif
+
+# ----------------------------------------------------------------------------
+# Extract
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/tf-a.extract:
+	@$(call targetinfo)
+	@$(call clean, $(TF_A_DIR))
+	@$(call extract, TF_A)
+	@$(call patchin, TF_A)
+ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT
+	@$(call extract, TF_A_MBEDTLS)
+	@$(call patchin, TF_A_MBEDTLS)
+endif
+	@$(call touch)
 
 # ----------------------------------------------------------------------------
 # Prepare
 # ----------------------------------------------------------------------------
 
+tf-a/declare-nonempty	= $(if $(call remove_quotes, $(PTXCONF_TF_A_$(1))),$(1)=$(PTXCONF_TF_A_$(1)))
+
 TF_A_PLATFORMS		:= $(call remove_quotes, $(PTXCONF_TF_A_PLATFORMS))
 TF_A_ARTIFACTS		:= $(call remove_quotes, $(PTXCONF_TF_A_ARTIFACTS))
 
@@ -41,27 +74,82 @@ TF_A_WRAPPER_BLACKLIST	:= \
 	$(PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST)
 
 TF_A_EXTRA_ARGS		:= $(call remove_quotes,$(PTXCONF_TF_A_EXTRA_ARGS))
-TF_A_BINDIR		 = $(TF_A_BUILDDIR)/$(1)/$(if $(filter DEBUG=1,$(TF_A_EXTRA_ARGS)),debug,release)
-TF_A_PATH	:= PATH=$(CROSS_PATH)
-TF_A_MAKE_OPT	:= \
+TF_A_BINDIR		= $(TF_A_BUILDDIR)/$(1)/$(if $(PTXCONF_TF_A_DEBUG),debug,release)
+
+TF_A_PATH		:= PATH=$(CROSS_PATH)
+TF_A_MAKE_OPT		:= \
 	-C $(TF_A_DIR) \
 	CROSS_COMPILE=$(BOOTLOADER_CROSS_COMPILE) \
 	HOSTCC=$(HOSTCC) \
-	ARCH=$(PTXCONF_TF_A_ARCH_STRING) \
-	ARM_ARCH_MAJOR=$(PTXCONF_TF_A_ARM_ARCH_MAJOR) \
+	V=$(if $(filter 1, $(PTXDIST_VERBOSE)),1,0) \
 	BUILD_STRING=$(PTXCONF_TF_A_VERSION) \
-	$(TF_A_EXTRA_ARGS) \
-	all
+	DEBUG=$(if $(PTXCONF_TF_A_DEBUG),1,0) \
+	LOG_LEVEL=$(PTXCONF_TF_A_LOG_LEVEL)
+
+TF_A_MAKE_OPT		+= \
+	ARCH=$(PTXCONF_TF_A_ARCH_STRING) \
+	ARM_ARCH_MAJOR=$(PTXCONF_TF_A_ARM_ARCH_MAJOR)
 
 ifdef PTXCONF_TF_A_BL32_TSP
-TF_A_MAKE_OPT += ARM_TSP_RAM_LOCATION=$(PTXCONF_TF_A_BL32_TSP_RAM_LOCATION_STRING)
+TF_A_MAKE_OPT		+= \
+	ARM_TSP_RAM_LOCATION=$(PTXCONF_TF_A_BL32_TSP_RAM_LOCATION_STRING)
 endif
+
 ifdef PTXCONF_TF_A_ARM_ARCH_MINOR
-TF_A_MAKE_OPT += ARM_ARCH_MINOR=$(PTXCONF_TF_A_ARM_ARCH_MINOR)
+TF_A_MAKE_OPT		+= \
+	ARM_ARCH_MINOR=$(PTXCONF_TF_A_ARM_ARCH_MINOR)
 endif
+
 ifdef PTXCONF_TF_A_BL32_SP_MIN
-TF_A_MAKE_OPT += AARCH32_SP=sp_min
+TF_A_MAKE_OPT		+= \
+	AARCH32_SP=sp_min
+endif
+
+ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT
+TF_A_MAKE_OPT		+= \
+	OPENSSL_DIR=$(PTXDIST_SYSROOT_HOST) \
+	TRUSTED_BOARD_BOOT=1 \
+	COT=tbbr \
+	KEY_ALG=rsa \
+	KEY_SIZE=2048 \
+	HASH_ALG=sha256 \
+	GENERATE_COT=1 \
+	CREATE_KEYS=1 \
+	SAVE_KEYS=1 \
+	$(call tf-a/declare-nonempty,ROT_KEY) \
+	$(call tf-a/declare-nonempty,TRUSTED_WORLD_KEY) \
+	$(call tf-a/declare-nonempty,NON_TRUSTED_WORLD_KEY) \
+	$(call tf-a/declare-nonempty,SCP_BL2_KEY) \
+	$(call tf-a/declare-nonempty,BL31_KEY) \
+	$(call tf-a/declare-nonempty,BL32_KEY) \
+	$(call tf-a/declare-nonempty,BL33_KEY)
+
+ifdef PTXCONF_TF_A_DECRYPTION_SUPPORT
+TF_A_MAKE_OPT		+= \
+	DECRYPTION_SUPPORT=aes_gcm \
+	FW_ENC_STATUS=0 \
+	ENCRYPT_BL31=1 \
+	ENCRYPT_BL32=1 \
+	$(call tf-a/declare-nonempty,ENC_KEY) \
+	$(call tf-a/declare-nonempty,ENC_NONCE)
 endif
+endif
+
+ifdef PTXCONF_TF_A_GENERATE_FIP
+TF_A_MAKE_OPT		+= \
+	$(call tf-a/declare-nonempty,BL2) \
+	$(call tf-a/declare-nonempty,BL31) \
+	$(call tf-a/declare-nonempty,BL32) \
+	$(call tf-a/declare-nonempty,BL32_EXTRA1) \
+	$(call tf-a/declare-nonempty,BL32_EXTRA2) \
+	$(call tf-a/declare-nonempty,BL33) \
+	$(call tf-a/declare-nonempty,BL33_CFG) \
+	fip
+endif
+
+TF_A_MAKE_OPT		+= \
+	$(TF_A_EXTRA_ARGS) \
+	all
 
 ifdef PTXCONF_TF_A
 ifeq ($(TF_A_ARTIFACTS),)
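Review bot: `ENCRYPT_BL31=1` and `ENCRYPT_BL32=1` are both enabled but only one `ENC_KEY`/`ENC_NONCE` pair is passed, so unless the TF-A build derives a per-image nonce (not visible here) both images are encrypted under the same key and nonce, which AES-GCM does not tolerate. The pair is also handed over as make command-line variables, so it shows up in the process list and, with `V=1` on verbose builds, most likely in the build log. Because `tf-a/declare-nonempty` drops empty options silently, an unset key falls through to whatever the TF-A makefile defaults to. Until this is reworked I would mark it in the `PTXCONF_TF_A_DECRYPTION_SUPPORT` block with `# FIXME: one nonce for two images; ENC_KEY/ENC_NONCE are visible on the command line and in V=1 logs.` and pass the secrets through a file or the environment instead. The `ifdef PTXCONF_TF_A` block at the end of the hunk continues outside it.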
@@ -75,7 +163,8 @@ TF_A_CONF_TOOL	:= NO
 # Compile
 # ----------------------------------------------------------------------------
 
-TF_A_MAKE_ENV	:= $(CROSS_ENV)
+TF_A_MAKE_ENV	:= $(CROSS_ENV) \
+	$(call ptx/ifdef, PTXCONF_TF_A_TRUSTED_BOARD_BOOT, MBEDTLS_DIR=$(TF_A_MBEDTLS))
 
 $(STATEDIR)/tf-a.compile:
 	@$(call targetinfo)
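Review bot: `MBEDTLS_DIR=$(TF_A_MBEDTLS)` passes only the relative directory name `mbedtls-$(TF_A_MBEDTLS_VERSION)`, which works only as long as the TF-A makefile resolves it against the `-C $(TF_A_DIR)` working directory. `TF_A_MBEDTLS_DIR` is already defined as the absolute path in the "Paths and names" hunk, so `MBEDTLS_DIR=$(TF_A_MBEDTLS_DIR)` would not depend on the working directory. The compile rule continues outside the hunk.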
-- 
2.34.1





* Re: [ptxdist] [WIP PATCH] tf-a: Cleanup and add Trusted Board Boot & Encryption.
  2022-06-27 12:40 [ptxdist] [WIP PATCH] tf-a: Cleanup and add Trusted Board Boot & Encryption Christian Melki
@ 2022-07-01  6:05 ` Michael Olbrich
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Olbrich @ 2022-07-01  6:05 UTC (permalink / raw)
  To: Christian Melki; +Cc: ptxdist


We've discussed some of this on IRC but I have some more comments.

On Mon, Jun 27, 2022 at 02:40:03PM +0200, Christian Melki wrote:
> TF-A allows for different Chain of Trust models (CoT).
> The integrated one is based on ARM Trusted Board Boot Requirements (tbbr).

This needs to be split into multiple patches.

> * Update vanilla TF-A to 2.2 -> 2.7
> 
> * Cleanup various whitespace and ordering in platforms/tf-a.in.
> 
> * Minor cleanups in repetitive text and help information.

These can probably go into one patch. It shouldn't be controversial.
But make sure that older versions still build.

> * TBBR is dependent on HOST_OPENSSL for host tools.

Should be part of whatever patch needs it.

> * Runtime TF-A is dependent on MBEDTLS for cryptography services.
> Add MBEDTLS 2.28 and merge the LICENCE, SOURCE and LICENSE_FILES
> under TF-A. Let it carry it's own version, since TF-A MBEDTLS
> can be different from the userspace variant of MBEDTLS.

Same here.

> * Add DEBUG configuration and let BINDIR directory depend on
> that variable instead of parsing EXTRA_ARGS (cleanup).
> 
> * Add LOG_LEVEL configuration. Make configuration more visible
> than hiding it in EXTRA_ARGS.

I prefer hiding this in EXTRA_ARGS but some examples in the help text would
be nice.

> * Fix verbose handling to better align with ptxdist verbose builds.

Could be part of the cleanup patch.

> * Add TRUSTED_BOARD_BOOT.
> Expose some default configurations so that it makes security
> choices more visible.
> Key handling is currently a key path. If no key exists,
> the TF-A makefile is configured to generate keys for you and
> store them under the specified path name.
> 
> * Add DECRYPTION_SUPPORT
> Expose some default configuratons so that it makes security
> choices more visible.
> ENC_KEY and ENC_NONCE has to be provided.
> 
> * Add FIP_GENERATION.
> Let the TF-A makefile generate a fip if you wish to.
> It can take external components if defined. Otherwise
> it will choose the ones it has generated by itself during
> the build. Most of the variables are to be left empty, beside
> BL33, which is always external. The non-secure world OS.
> (U-Boot, Barebox, Kernel, other...).

This will need some more discussions and experimentation. It should use the
signing infrastructure for all key and certificate handling.
It may be necessary or easier to use genimage to create the final fip
image. That would also avoid the dependency loop with the bootloader.

Michael

> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> ---
>  platforms/tf-a.in | 289 +++++++++++++++++++++++++++++++++++++++++++---
>  rules/tf-a.make   | 139 ++++++++++++++++++----
>  2 files changed, 388 insertions(+), 40 deletions(-)
> 
> diff --git a/platforms/tf-a.in b/platforms/tf-a.in
> index 0a14bd8c4..929695c13 100644
> --- a/platforms/tf-a.in
> +++ b/platforms/tf-a.in
> @@ -3,6 +3,7 @@
>  menuconfig TF_A
>  	select BOOTLOADER
>  	select HOST_DTC
> +	select HOST_OPENSSL	if TF_A_TRUSTED_BOARD_BOOT
>  	prompt "ARM Trusted Firmware-A        "
>  	depends on ARCH_ARM || ARCH_ARM64
>  	bool
> @@ -18,16 +19,18 @@ config TF_A_URL
>  
>  config TF_A_VERSION
>  	string
> -	default "v2.2"
> +	default "v2.7"
>  	prompt "TF-A version"
>  	help
>  	  Enter the TF-A git commit-ish you want to build. Usually a tagged
> -	  release like "v2.2"
> +	  release like "v2.7"
>  
>  config TF_A_MD5
>  	string
> -	default "bb300e5a62c911e189c80d935d497a4b"
> -	prompt "TF-A source md5"
> +	default "1d609ceb2bc01d650366118c58ca7336"
> +	prompt "Source md5"
> +
> +comment "Target"
>  
>  config TF_A_ARCH_STRING
>  	string
> @@ -35,7 +38,7 @@ config TF_A_ARCH_STRING
>  	default "aarch64" if ARCH_ARM64
>  
>  choice
> -	prompt "TF-A Architecture"
> +	prompt "Architecture"
>  	default TF_A_ARM_ARCH_MAJOR_7 if ARCH_ARM
>  	default TF_A_ARM_ARCH_MAJOR_8 if ARCH_ARM64
>  	help
> @@ -64,36 +67,292 @@ config TF_A_ARM_ARCH_MAJOR
>  	default 8 if TF_A_ARM_ARCH_MAJOR_8_32_BIT
>  	default 8 if TF_A_ARM_ARCH_MAJOR_8
>  
> +config TF_A_ARM_ARCH_MINOR
> +	depends on TF_A_ARM_ARCH_MAJOR_8 || TF_A_ARM_ARCH_MAJOR_8_32_BIT
> +	int
> +	default 0
> +	prompt "Target ARMv8.MINOR version"
> +	help
> +	  The minor version of the ARMv8 architecture targeted. Defaults to 0.
>  
>  config TF_A_PLATFORMS
>  	string
> -	prompt "TF-A target platforms"
> +	prompt "Target platforms"
>  	help
>  	  A space separated list of TF-A target platforms.
>  
> -config TF_A_ARM_ARCH_MINOR
> -	depends on TF_A_ARM_ARCH_MAJOR_8 || TF_A_ARM_ARCH_MAJOR_8_32_BIT
> +comment "Options"
> +
> +config TF_A_DEBUG
> +	bool
> +	prompt "Debug"
> +	help
> +	  Enables or disables debug builds.
> +	  Debug is by default disabled.
> +
> +config TF_A_LOG_LEVEL
>  	int
> -	default 0
> -	prompt "TF-A target ARMv8.MINOR version"
> +	prompt "Loglevel"
> +	default 40 if TF_A_DEBUG
> +	default 20 if !TF_A_DEBUG
>  	help
> -	  The minor version of the ARMv8 architecture targeted. Defaults to 0.
> +	  Controls the log level in the build.
> +	  Default is 20 in a release and 40 in a debug build.
> +	  0,  LOG_LEVEL_NONE
> +	  10, LOG_LEVEL_ERROR
> +	  20, LOG_LEVEL_NOTICE
> +	  30, LOG_LEVEL_WARNING
> +	  40, LOG_LEVEL_INFO
> +	  50, LOG_LEVEL_VERBOSE
> +
> +config TF_A_TRUSTED_BOARD_BOOT
> +	bool
> +	prompt "Trusted Board Boot"
> +	help
> +	  Builds TF-A with TRUSTED_BOARD_BOOT=1 and
> +	  integrates MBEDTLS into the build.
> +	  The current configuration options will GENERATE
> +	  and SAVE keys (if filename does not exist) when
> +	  fip creation is specified.
> +	  PKCS#1, RSA 2.1, keysize 2048. Hash SHA2-256.
> +
> +config TF_A_DECRYPTION_SUPPORT
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	bool
> +	prompt "Decrypt support"
> +	help
> +	  Builds TF-A with DECRYPTION_SUPPORT using
> +	  openssl to encrypt binaries in the build.
> +	  The current configuration options use a
> +	  symmetric chiper (AES-GCM) and symmetric
> +	  key status set to 0 (same key for all devices, SSK).
> +	  Encryption takes place if fip creation is specified.
> +
> +config TF_A_GENERATE_FIP
> +	bool
> +	prompt "Generate FIP"
> +	help
> +	  Lets the TF-A makefile generate a FIP.
> +	  Depending on options, TF-A will generate
> +	  a FIP with or without trusted board boot.
>  
>  config TF_A_EXTRA_ARGS
>  	string
> -	prompt "TF-A extra build arguments"
> +	prompt "Extra build arguments"
>  	help
>  	  Extra platform-specific build arguments to pass to the TF-A build
>  	  process, e.g. DTB_FILE_NAME= for the stm32mp1
>  
> +comment "FIP components"
> +	depends on TF_A_GENERATE_FIP
> +
> +config TF_A_BL2
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "External BL2 path"
> +	help
> +	  Use an external BL2 image for FIP generation.
> +	  If non-empty, BL2 will not be generated by the
> +	  TF-A build.
> +	  BL2 usually corresponds to Trusted Boot Firmware
> +	  and is generated by TF-A.
> +	  Usually, this is left empty.
> +
> +config TF_A_BL31
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "External BL31 path" 
> +	help
> +	  Use an external BL31 image for FIP generation.
> +	  If non-empty, BL31 will not be generated by the
> +	  TF-A build.
> +	  BL31 usually corresponds to Trusted Runtime Firmware
> +	  and is usually generated by TF-A
> +	  Usually, this is left empty.
> +
> +config TF_A_BL32
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "External BL32 path"
> +	help
> +	  Use an external BL32 image for FIP generation.
> +	  If non-empty, BL32 will not be generated by the
> +	  TF-A build.
> +	  BL32 usually corresponds to Trusted Secure World
> +	  and is either generated by TF-A (typ. sp_min) or
> +	  used in the form of OP-TEE.
> +	  For TF-A included secure OS (sp_min),
> +	  this is left empty.
> +
> +config TF_A_BL32_EXTRA1
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "External BL32 CFG1/EXTRA1 path"
> +	help
> +	  Use an external BL32 CFG image for FIP generation.
> +	  If non-empty, this image will not be generated by the
> +	  TF-A build.
> +	  BL32 CFG1 usually corresponds to Trusted Secure World
> +	  extra config 1 and is either generated by TF-A (typ. sp_min)
> +	  or used in the form of configuration for OP-TEE.
> +	  For TF-A included secure OS (sp_min),
> +	  this is left empty.
> +
> +config TF_A_BL32_EXTRA2
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "External BL32 CFG2/EXTRA2 path"
> +	help
> +	  Use an external BL32 CFG image for FIP generation.
> +	  If non-empty, this image will not be generated by the
> +	  TF-A build.
> +	  BL32 CFG2 usually corresponds to Trusted Secure World
> +	  extra config 2 and is either generated by TF-A (typ. sp_min)
> +	  or used in the form of configuration for OP-TEE.
> +	  For TF-A included secure OS (sp_min),
> +	  this is left empty.
> +
> +config TF_A_BL33
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "External BL33 path"
> +	help
> +	  Use an external BL33 image for FIP generation.
> +	  BL33 usually corresponds to the Non-Secure World
> +	  OS and is not generated by TF-A.
> +	  This has to be defined when generating a FIP.
> +	  Normally this would be something like Barebox/U-Boot.
> +	  But it could also be a Linux kernel.
> +
> +config TF_A_BL33_CFG
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "TF-A external BL33 CFG"
> +	help
> +	  Use an external BL33 CFG image for FIP generation.
> +	  BL33 CFG usually corresponds to the Non-Secure World
> +	  OS configuration and is not generated by TF-A.
> +	  This has to be defined when generating a FIP.
> +	  Normally this would be something like Barebox/U-Boot dtb.
> +	  But it could also be a Linux kernel dtb.
> +
> +comment "Trusted Board Boot Chain of Trust Key components"
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +
> +config TF_A_ROT_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Root of Trust key path"
> +	default "rot.key"
> +	help
> +	  Path to Root of Trust private key.
> +	  Generated if file does not exist.
> +
> +config TF_A_TRUSTED_WORLD_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Trusted World key path"
> +	default "trusted_world.key"
> +	help
> +	  Path to Trusted World private key.
> +	  Generated if file does not exist.
> +
> +config TF_A_NON_TRUSTED_WORLD_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Non Trusted World key path"
> +	default "non_trusted_world.key"
> +	help
> +	  Path to Non Trusted World private key.
> +	  Generated if file does not exist.
> +
> +config TF_A_SCP_BL2_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "System Control Processor Boot Level 2 key path"
> +	default "scp_bl2.key"
> +	help
> +	  Path to System Control Processor private key.
> +	  This firmware exists in some platforms.
> +	  (scp-fw-key).
> +	  Generated if file does not exist.
> +
> +config TF_A_BL31_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Boot Level 31 key path"
> +	default "bl31.key"
> +	help
> +	  Path to bl31 private key.
> +	  BL31 corresponds to TF-A Runtime Firmware.
> +	  (soc-fw-key).
> +	  Generated if file does not exist.
> +
> +config TF_A_BL32_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Boot Level 32 key path"
> +	default "bl32.key"
> +	help
> +	  Path to bl32 private key.
> +	  BL32 corresponds to TF-A Trusted World OS.
> +	  (tos-fw-key).
> +	  Generated if file does not exist.
> +
> +config TF_A_BL33_KEY
> +	depends on TF_A_TRUSTED_BOARD_BOOT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Boot Level 33 key path"
> +	default "bl33.key"
> +	help
> +	  Path to bl33 private key.
> +	  BL33 corresponds to TF-A Non Trusted World OS.
> +	  (nt-fw-key).
> +	  Generated if file does not exist.
> +
> +comment "Trusted Board Boot Encryption Key components"
> +	depends on TF_A_DECRYPTION_SUPPORT
> +	depends on TF_A_GENERATE_FIP
> +
> +config TF_A_ENC_KEY
> +	depends on TF_A_DECRYPTION_SUPPORT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Encryption key"
> +	help
> +	  A 32-byte (256-bit) symmetric key in
> +	  hex string format.
> +	  Since the crypto is AES-GCM, a 256-bit
> +	  key is used.
> +	  
> +config TF_A_ENC_NONCE
> +	depends on TF_A_DECRYPTION_SUPPORT
> +	depends on TF_A_GENERATE_FIP
> +	string
> +	prompt "Encryption nonce"
> +	help
> +	  A 12-byte (96-bit) nonce or IV in hex string format.
> +	  NEVER EVER REUSE A NONCE for the same key.
> +	  You have been warned.
> +
> +comment "Artifacts"
> +
>  config TF_A_ARTIFACTS
>  	string
>  	prompt "TF-A artifact file names"
>  	help
>  	  A space-separated list of glob patterns of artifacts to copy from the
> -	  build directory.
> -	  All file names are relative to the appropriate TF-A platform build
> -	  directory.
> +	  build directory. This can be a final image or image components that, f.ex.
> +	  genimage will construct a final image from. All file names are relative
> +	  to the appropriate TF-A platform build directory.
>  
>  comment "Payloads"
>  
> diff --git a/rules/tf-a.make b/rules/tf-a.make
> index 5fa0df941..c86c24cb4 100644
> --- a/rules/tf-a.make
> +++ b/rules/tf-a.make
> @@ -2,6 +2,7 @@
>  #
>  # Copyright (C) 2018 by Rouven Czerwinski <r.czerwinski@pengutronix.de>
>  #               2019 by Ahmad Fatoum <a.fatoum@pengutronix.de>
> +#               2022 by Christian Melki <christian.melki@t2data.com>
>  #
>  # For further information about the PTXdist project and license conditions
>  # see the README file.
> @@ -15,25 +16,57 @@ PACKAGES-$(PTXCONF_TF_A) += tf-a
>  #
>  # Paths and names
>  #
> -TF_A_VERSION	:= $(call ptx/config-version, PTXCONF_TF_A)
> -TF_A_MD5	:= $(call ptx/config-md5, PTXCONF_TF_A)
> -TF_A		:= tf-a-$(TF_A_VERSION)
> -TF_A_SUFFIX	:= tar.gz
> -TF_A_URL	:= $(call remove_quotes, $(PTXCONF_TF_A_URL))/$(TF_A_VERSION).$(TF_A_SUFFIX)
> -TF_A_SOURCE	:= $(SRCDIR)/$(TF_A).$(TF_A_SUFFIX)
> -TF_A_DIR	:= $(BUILDDIR)/$(TF_A)
> -TF_A_BUILDDIR	:= $(TF_A_DIR)/build
> -TF_A_BUILD_OOT	:= YES
> -TF_A_LICENSE	:= BSD-3-Clause AND BSD-2-Clause \
> -		   AND (GPL-2.0-or-later OR BSD-2-Clause) \
> -		   AND (NCSA OR MIT) \
> -		   AND Zlib \
> -		   AND (GPL-2.0-or-later OR BSD-3-Clause)
> +TF_A_VERSION			:= $(call ptx/config-version, PTXCONF_TF_A)
> +TF_A_MD5			:= $(call ptx/config-md5, PTXCONF_TF_A)
> +TF_A				:= tf-a-$(TF_A_VERSION)
> +TF_A_SUFFIX			:= tar.gz
> +TF_A_URL			:= $(call remove_quotes, $(PTXCONF_TF_A_URL))/$(TF_A_VERSION).$(TF_A_SUFFIX)
> +TF_A_SOURCE			:= $(SRCDIR)/$(TF_A).$(TF_A_SUFFIX)
> +TF_A_DIR			:= $(BUILDDIR)/$(TF_A)
> +TF_A_BUILDDIR			:= $(TF_A_DIR)/build
> +TF_A_BUILD_OOT			:= YES
> +TF_A_LICENSE			:= BSD-3-Clause AND BSD-2-Clause \
> +				   AND (GPL-2.0-or-later OR BSD-2-Clause) \
> +				   AND (NCSA OR MIT) \
> +				   AND Zlib \
> +				   AND (GPL-2.0-or-later OR BSD-3-Clause)
> +
> +ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT
> +TF_A_MBEDTLS_VERSION		:= 2.28.0
> +TF_A_MBEDTLS_MD5		:= d64054513df877458493dbb28e2935fa
> +TF_A_MBEDTLS			:= mbedtls-$(TF_A_MBEDTLS_VERSION)
> +TF_A_MBEDTLS_SUFFIX		:= tar.gz
> +TF_A_MBEDTLS_URL		:= https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v$(TF_A_MBEDTLS_VERSION).$(TF_A_MBEDTLS_SUFFIX)
> +TF_A_MBEDTLS_SOURCE		:= $(SRCDIR)/$(TF_A_MBEDTLS).$(TF_A_MBEDTLS_SUFFIX)
> +$(TF_A_MBEDTLS_SOURCE)		:= TF_A_MBEDTLS
> +TF_A_MBEDTLS_DIR		:= $(TF_A_DIR)/$(TF_A_MBEDTLS)
> +
> +TF_A_SOURCES			+= $(TF_A_MBEDTLS_SOURCE)
> +TF_A_LICENSE			+= AND Apache-2.0
> +TF_A_LICENSE_FILES		+= file://$(TF_A_MBEDTLS)/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57
> +endif
> +
> +# ----------------------------------------------------------------------------
> +# Extract
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/tf-a.extract:
> +	@$(call targetinfo)
> +	@$(call clean, $(TF_A_DIR))
> +	@$(call extract, TF_A)
> +	@$(call patchin, TF_A)
> +ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT
> +	@$(call extract, TF_A_MBEDTLS)
> +	@$(call patchin, TF_A_MBEDTLS)
> +endif
> +	@$(call touch)
>  
>  # ----------------------------------------------------------------------------
>  # Prepare
>  # ----------------------------------------------------------------------------
>  
> +tf-a/declare-nonempty	= $(if $(call remove_quotes, $(PTXCONF_TF_A_$(1))),$(1)=$(PTXCONF_TF_A_$(1)))
> +
>  TF_A_PLATFORMS		:= $(call remove_quotes, $(PTXCONF_TF_A_PLATFORMS))
>  TF_A_ARTIFACTS		:= $(call remove_quotes, $(PTXCONF_TF_A_ARTIFACTS))
>  
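Review bot: Signing keys generated at a relative path would not survive a re-extract, because the new `tf-a.extract` rule wipes `$(TF_A_DIR)` with `clean` and the key options in platforms/tf-a.in default to relative names such as `bl32.key` and `bl33.key`. The later hunk runs make with `-C $(TF_A_DIR)` together with `CREATE_KEYS=1` and `SAVE_KEYS=1`, so a relative key path presumably resolves inside that tree. A missing or mistyped key file is then silently replaced by a fresh key, and the chain of trust changes between builds without any error. A comment above the rule would make this visible, for example `# Relative TF_A_*_KEY paths end up in $(TF_A_DIR), which is removed here; keep persistent keys outside the build tree.`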
> @@ -41,27 +74,82 @@ TF_A_WRAPPER_BLACKLIST	:= \
>  	$(PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST)
>  
>  TF_A_EXTRA_ARGS		:= $(call remove_quotes,$(PTXCONF_TF_A_EXTRA_ARGS))
> -TF_A_BINDIR		 = $(TF_A_BUILDDIR)/$(1)/$(if $(filter DEBUG=1,$(TF_A_EXTRA_ARGS)),debug,release)
> -TF_A_PATH	:= PATH=$(CROSS_PATH)
> -TF_A_MAKE_OPT	:= \
> +TF_A_BINDIR		= $(TF_A_BUILDDIR)/$(1)/$(if $(PTXCONF_TF_A_DEBUG),debug,release)
> +
> +TF_A_PATH		:= PATH=$(CROSS_PATH)
> +TF_A_MAKE_OPT		:= \
>  	-C $(TF_A_DIR) \
>  	CROSS_COMPILE=$(BOOTLOADER_CROSS_COMPILE) \
>  	HOSTCC=$(HOSTCC) \
> -	ARCH=$(PTXCONF_TF_A_ARCH_STRING) \
> -	ARM_ARCH_MAJOR=$(PTXCONF_TF_A_ARM_ARCH_MAJOR) \
> +	V=$(if $(filter 1, $(PTXDIST_VERBOSE)),1,0) \
>  	BUILD_STRING=$(PTXCONF_TF_A_VERSION) \
> -	$(TF_A_EXTRA_ARGS) \
> -	all
> +	DEBUG=$(if $(PTXCONF_TF_A_DEBUG),1,0) \
> +	LOG_LEVEL=$(PTXCONF_TF_A_LOG_LEVEL)
> +
> +TF_A_MAKE_OPT		+= \
> +	ARCH=$(PTXCONF_TF_A_ARCH_STRING) \
> +	ARM_ARCH_MAJOR=$(PTXCONF_TF_A_ARM_ARCH_MAJOR)
>  
>  ifdef PTXCONF_TF_A_BL32_TSP
> -TF_A_MAKE_OPT += ARM_TSP_RAM_LOCATION=$(PTXCONF_TF_A_BL32_TSP_RAM_LOCATION_STRING)
> +TF_A_MAKE_OPT		+= \
> +	ARM_TSP_RAM_LOCATION=$(PTXCONF_TF_A_BL32_TSP_RAM_LOCATION_STRING)
>  endif
> +
>  ifdef PTXCONF_TF_A_ARM_ARCH_MINOR
> -TF_A_MAKE_OPT += ARM_ARCH_MINOR=$(PTXCONF_TF_A_ARM_ARCH_MINOR)
> +TF_A_MAKE_OPT		+= \
> +	ARM_ARCH_MINOR=$(PTXCONF_TF_A_ARM_ARCH_MINOR)
>  endif
> +
>  ifdef PTXCONF_TF_A_BL32_SP_MIN
> -TF_A_MAKE_OPT += AARCH32_SP=sp_min
> +TF_A_MAKE_OPT		+= \
> +	AARCH32_SP=sp_min
> +endif
> +
> +ifdef PTXCONF_TF_A_TRUSTED_BOARD_BOOT
> +TF_A_MAKE_OPT		+= \
> +	OPENSSL_DIR=$(PTXDIST_SYSROOT_HOST) \
> +	TRUSTED_BOARD_BOOT=1 \
> +	COT=tbbr \
> +	KEY_ALG=rsa \
> +	KEY_SIZE=2048 \
> +	HASH_ALG=sha256 \
> +	GENERATE_COT=1 \
> +	CREATE_KEYS=1 \
> +	SAVE_KEYS=1 \
> +	$(call tf-a/declare-nonempty,ROT_KEY) \
> +	$(call tf-a/declare-nonempty,TRUSTED_WORLD_KEY) \
> +	$(call tf-a/declare-nonempty,NON_TRUSTED_WORLD_KEY) \
> +	$(call tf-a/declare-nonempty,SCP_BL2_KEY) \
> +	$(call tf-a/declare-nonempty,BL31_KEY) \
> +	$(call tf-a/declare-nonempty,BL32_KEY) \
> +	$(call tf-a/declare-nonempty,BL33_KEY)
> +
> +ifdef PTXCONF_TF_A_DECRYPTION_SUPPORT
> +TF_A_MAKE_OPT		+= \
> +	DECRYPTION_SUPPORT=aes_gcm \
> +	FW_ENC_STATUS=0 \
> +	ENCRYPT_BL31=1 \
> +	ENCRYPT_BL32=1 \
> +	$(call tf-a/declare-nonempty,ENC_KEY) \
> +	$(call tf-a/declare-nonempty,ENC_NONCE)
>  endif
> +endif
> +
> +ifdef PTXCONF_TF_A_GENERATE_FIP
> +TF_A_MAKE_OPT		+= \
> +	$(call tf-a/declare-nonempty,BL2) \
> +	$(call tf-a/declare-nonempty,BL31) \
> +	$(call tf-a/declare-nonempty,BL32) \
> +	$(call tf-a/declare-nonempty,BL32_EXTRA1) \
> +	$(call tf-a/declare-nonempty,BL32_EXTRA2) \
> +	$(call tf-a/declare-nonempty,BL33) \
> +	$(call tf-a/declare-nonempty,BL33_CFG) \
> +	fip
> +endif
> +
> +TF_A_MAKE_OPT		+= \
> +	$(TF_A_EXTRA_ARGS) \
> +	all
>  
>  ifdef PTXCONF_TF_A
>  ifeq ($(TF_A_ARTIFACTS),)
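Review bot: An empty TF_A_ENC_KEY or TF_A_ENC_NONCE does not stop the build: in the `PTXCONF_TF_A_DECRYPTION_SUPPORT` block both go through `tf-a/declare-nonempty`, which emits nothing for an empty value, so TF-A presumably falls back to its own built-in values while `ENCRYPT_BL31=1` and `ENCRYPT_BL32=1` stay set. The compile stage should fail when `$(call remove_quotes,$(PTXCONF_TF_A_ENC_KEY))` or the nonce equivalent expands to nothing. The single configured nonce also appears to be applied to both images and to every rebuild under the same key, which the option's own help text warns against for AES-GCM; a comment such as `# ENC_NONCE must change whenever the encrypted images change under the same ENC_KEY` belongs next to these two lines. Because both values are make command-line arguments, they will show up in verbose build logs and process listings, which the same comment should state.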
> @@ -75,7 +163,8 @@ TF_A_CONF_TOOL	:= NO
>  # Compile
>  # ----------------------------------------------------------------------------
>  
> -TF_A_MAKE_ENV	:= $(CROSS_ENV)
> +TF_A_MAKE_ENV	:= $(CROSS_ENV) \
> +	$(call ptx/ifdef, PTXCONF_TF_A_TRUSTED_BOARD_BOOT, MBEDTLS_DIR=$(TF_A_MBEDTLS))
>  
>  $(STATEDIR)/tf-a.compile:
>  	@$(call targetinfo)
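Review bot: `MBEDTLS_DIR=$(TF_A_MBEDTLS)` passes only the bare directory name, so it works only as long as TF-A resolves it relative to the `-C $(TF_A_DIR)` working directory, while the absolute `TF_A_MBEDTLS_DIR` defined earlier in this patch is not referenced explicitly in the visible hunks. Using `MBEDTLS_DIR=$(TF_A_MBEDTLS_DIR)` here would remove that dependency on the working directory. It is also the only TF-A build variable supplied through `TF_A_MAKE_ENV` rather than `TF_A_MAKE_OPT`; a one-line comment saying why would help the next reader. The `tf-a.compile` rule continues past the end of the hunk.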
> -- 
> 2.34.1
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


