Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
Arm Trusted Firmware
Commits
e820759f
Commit
e820759f
authored
Mar 12, 2020
by
Mark Dykes
Committed by
TrustedFirmware Code Review
Mar 12, 2020
Browse files
Merge "Mention COT build option in trusted-board-boot-build.rst" into integration
parents
bd2ad929
d935b951
Changes
1
Hide whitespace changes
Inline
Side-by-side
docs/design/trusted-board-boot-build.rst
View file @
e820759f
...
@@ -32,25 +32,28 @@ images with support for these features:
...
@@ -32,25 +32,28 @@ images with support for these features:
- ``TRUSTED_BOARD_BOOT=1``
- ``TRUSTED_BOARD_BOOT=1``
- ``GENERATE_COT=1``
- ``GENERATE_COT=1``
By default, this will use the Chain of Trust described in the TBBR-client
document. To select a different one, use the ``COT`` build option.
In the case of Arm platforms, the location of the ROTPK hash must also be
In the case of Arm platforms, the location of the ROTPK hash must also be
specified at build time. The following locations are currently supported (see
specified at build time. The following locations are currently supported (see
``ARM_ROTPK_LOCATION`` build option):
``ARM_ROTPK_LOCATION`` build option):
- ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
- ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
root-key storage registers present in the platform. On Juno, th
is
root-key storage registers present in the platform. On Juno, th
ese
registers are read-only. On FVP Base and Cortex models, the registers
registers are read-only. On FVP Base and Cortex models, the registers
are read-only, but the value can be specified using the command line
are
also
read-only, but the value can be specified using the command line
option ``bp.trusted_key_storage.public_key`` when launching the model.
option ``bp.trusted_key_storage.public_key`` when launching the model.
On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
key hash, whose private part is not currently available.
key hash, whose private part is not currently available.
- ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
- ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin. Enforce
generation
``
plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
``
. Enforce
of the new hash if ROT_KEY is specified.
generation
of the new hash if
``
ROT_KEY
``
is specified.
- ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
- ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin. Enforce
generation
``
plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin
``
. Enforce
of the new hash if ROT_KEY is specified.
generation
of the new hash if
``
ROT_KEY
``
is specified.
Example of command line using RSA development keys:
Example of command line using RSA development keys:
...
@@ -64,9 +67,8 @@ images with support for these features:
...
@@ -64,9 +67,8 @@ images with support for these features:
all fip
all fip
The result of this build will be the bl1.bin and the fip.bin binaries. This
The result of this build will be the bl1.bin and the fip.bin binaries. This
FIP will include the certificates corresponding to the Chain of Trust
FIP will include the certificates corresponding to the selected Chain of
described in the TBBR-client document. These certificates can also be found
Trust. These certificates can also be found in the output build directory.
in the output build directory.
#. The optional FWU_FIP contains any additional images to be loaded from
#. The optional FWU_FIP contains any additional images to be loaded from
Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
...
@@ -102,8 +104,8 @@ images with support for these features:
...
@@ -102,8 +104,8 @@ images with support for these features:
The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
Both the FIP and FWU_FIP will include the certificates corresponding to the
Both the FIP and FWU_FIP will include the certificates corresponding to the
Chain of Trust
described in the TBBR-client document. These certificates
selected
Chain of Trust
. These certificates can also be found in the output
can also be found in the output
build directory.
build directory.
--------------
--------------
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment