tbbr.mk 4.14 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
#
# Copyright 2020 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
#

# For TRUSTED_BOARD_BOOT platforms need to include this makefile
# Following definations are to be provided by platform.mk file or
# by user - BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE

ifeq ($(CHASSIS), 2)
include $(PLAT_DRIVERS_PATH)/csu/csu.mk
CSF_FILE		:=	input_blx_ch${CHASSIS}
BL2_CSF_FILE		:=	input_bl2_ch${CHASSIS}
else
ifeq ($(CHASSIS), 3_2)
CSF_FILE		:=	input_blx_ch3
BL2_CSF_FILE		:=	input_bl2_ch${CHASSIS}
PBI_CSF_FILE		:=	input_pbi_ch${CHASSIS}
$(eval $(call add_define, CSF_HDR_CH3))
else
    $(error -> CHASSIS not set!)
endif
endif

PLAT_AUTH_PATH		:=  $(PLAT_DRIVERS_PATH)/auth


ifeq (${BL2_INPUT_FILE},)
    BL2_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${BL2_CSF_FILE}
endif

ifeq (${PBI_INPUT_FILE},)
    PBI_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${PBI_CSF_FILE}
endif

# If MBEDTLS_DIR is not specified, use CSF Header option
ifeq (${MBEDTLS_DIR},)
    # Generic image processing filters to prepend CSF header
    ifeq (${BL33_INPUT_FILE},)
    BL33_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    ifeq (${BL31_INPUT_FILE},)
    BL31_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    ifeq (${BL32_INPUT_FILE},)
    BL32_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    ifeq (${FUSE_INPUT_FILE},)
    FUSE_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    PLAT_INCLUDES	+= -I$(PLAT_DRIVERS_PATH)/sfp
    PLAT_TBBR_SOURCES	+= $(PLAT_AUTH_PATH)/csf_hdr_parser/cot.c	\
			   $(PLAT_COMMON_PATH)/tbbr/csf_tbbr.c
    # IMG PARSER here is CSF header parser
    include $(PLAT_DRIVERS_PATH)/auth/csf_hdr_parser/csf_hdr.mk
    PLAT_TBBR_SOURCES 	+=	$(CSF_HDR_SOURCES)

    SCP_BL2_PRE_TOOL_FILTER	:= CST_SCP_BL2
    BL31_PRE_TOOL_FILTER	:= CST_BL31
    BL32_PRE_TOOL_FILTER	:= CST_BL32
    BL33_PRE_TOOL_FILTER	:= CST_BL33
else

    ifeq (${DISABLE_FUSE_WRITE}, 1)
        $(eval $(call add_define,DISABLE_FUSE_WRITE))
    endif

    # For Mbedtls currently crypto is not supported via CAAM
    # enable it when that support is there
    CAAM_INTEG		:= 0
    KEY_ALG		:= rsa
    KEY_SIZE		:= 2048

    $(eval $(call add_define,MBEDTLS_X509))
    ifeq (${PLAT_DDR_PHY},PHY_GEN2)
        $(eval $(call add_define,PLAT_DEF_OID))
    endif
    include drivers/auth/mbedtls/mbedtls_x509.mk


    PLAT_TBBR_SOURCES	+= $(PLAT_AUTH_PATH)/tbbr/tbbr_cot.c \
			   $(PLAT_COMMON_PATH)/tbbr/nxp_rotpk.S \
			   $(PLAT_COMMON_PATH)/tbbr/x509_tbbr.c

    #ROTPK key is embedded in BL2 image
    ifeq (${ROT_KEY},)
	ROT_KEY		= $(BUILD_PLAT)/rot_key.pem
    endif

    ifeq (${SAVE_KEYS},1)

        ifeq (${TRUSTED_WORLD_KEY},)
            TRUSTED_WORLD_KEY = ${BUILD_PLAT}/trusted.pem
        endif

        ifeq (${NON_TRUSTED_WORLD_KEY},)
            NON_TRUSTED_WORLD_KEY = ${BUILD_PLAT}/non-trusted.pem
        endif

        ifeq (${BL31_KEY},)
            BL31_KEY = ${BUILD_PLAT}/soc.pem
        endif

        ifeq (${BL32_KEY},)
            BL32_KEY = ${BUILD_PLAT}/trusted_os.pem
        endif

        ifeq (${BL33_KEY},)
            BL33_KEY = ${BUILD_PLAT}/non-trusted_os.pem
        endif

    endif

    ROTPK_HASH		= $(BUILD_PLAT)/rotpk_sha256.bin

    $(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))

    $(BUILD_PLAT)/bl2/nxp_rotpk.o: $(ROTPK_HASH)

    certificates: $(ROT_KEY)
    $(ROT_KEY): | $(BUILD_PLAT)
	@echo "  OPENSSL $@"
	@if [ ! -f $(ROT_KEY) ]; then \
		openssl genrsa 2048 > $@ 2>/dev/null; \
	fi

    $(ROTPK_HASH): $(ROT_KEY)
	@echo "  OPENSSL $@"
	$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
	openssl dgst -sha256 -binary > $@ 2>/dev/null

endif #MBEDTLS_DIR

PLAT_INCLUDES		+=	-Iinclude/common/tbbr

# Generic files for authentication framework
TBBR_SOURCES		+=	drivers/auth/auth_mod.c		\
				drivers/auth/crypto_mod.c	\
				drivers/auth/img_parser_mod.c	\
				plat/common/tbbr/plat_tbbr.c	\
				${PLAT_TBBR_SOURCES}

# If CAAM_INTEG is not defined (would be scenario with MBED TLS)
# include mbedtls_crypto
ifeq (${CAAM_INTEG},0)
    include drivers/auth/mbedtls/mbedtls_crypto.mk
else
    include $(PLAT_DRIVERS_PATH)/crypto/caam/src/auth/auth.mk
    TBBR_SOURCES	+= ${AUTH_SOURCES}
endif