Commit fd34e7ba authored by Juan Castillo

TBB: add build option to save private keys

This patch adds a boolean build option 'SAVE_KEYS' to indicate to the
certificate generation tool that it must save the private keys used
to establish the chain of trust. This option depends on 'CREATE_KEYS'
to be enabled. Default is '0' (do not save).

Because the same filenames are used as outputs to save the keys,
they are no longer a dependency to the cert_tool. This dependency
has been removed from the Makefile.

Documentation updated accordingly.

Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b
parent dba12894
...@@ -73,6 +73,7 @@ DISABLE_PEDANTIC := 0 ...@@ -73,6 +73,7 @@ DISABLE_PEDANTIC := 0
# Flags to generate the Chain of Trust # Flags to generate the Chain of Trust
GENERATE_COT := 0 GENERATE_COT := 0
CREATE_KEYS := 1 CREATE_KEYS := 1
SAVE_KEYS := 0
# Flags to build TF with Trusted Boot support # Flags to build TF with Trusted Boot support
TRUSTED_BOARD_BOOT := 0 TRUSTED_BOARD_BOOT := 0
AUTH_MOD := none AUTH_MOD := none
...@@ -270,6 +271,7 @@ $(eval $(call add_define,USE_COHERENT_MEM)) ...@@ -270,6 +271,7 @@ $(eval $(call add_define,USE_COHERENT_MEM))
# Process Generate CoT flags # Process Generate CoT flags
$(eval $(call assert_boolean,GENERATE_COT)) $(eval $(call assert_boolean,GENERATE_COT))
$(eval $(call assert_boolean,CREATE_KEYS)) $(eval $(call assert_boolean,CREATE_KEYS))
$(eval $(call assert_boolean,SAVE_KEYS))
# Process TRUSTED_BOARD_BOOT flag # Process TRUSTED_BOARD_BOOT flag
$(eval $(call assert_boolean,TRUSTED_BOARD_BOOT)) $(eval $(call assert_boolean,TRUSTED_BOARD_BOOT))
...@@ -327,6 +329,9 @@ ifneq (${GENERATE_COT},0) ...@@ -327,6 +329,9 @@ ifneq (${GENERATE_COT},0)
ifneq (${CREATE_KEYS},0) ifneq (${CREATE_KEYS},0)
$(eval CRT_ARGS += -n) $(eval CRT_ARGS += -n)
ifneq (${SAVE_KEYS},0)
$(eval CRT_ARGS += -k)
endif
endif endif
$(eval CRT_ARGS += $(if ${ROT_KEY}, --rot-key ${ROT_KEY})) $(eval CRT_ARGS += $(if ${ROT_KEY}, --rot-key ${ROT_KEY}))
$(eval CRT_ARGS += $(if ${TRUSTED_WORLD_KEY}, --trusted-world-key ${TRUSTED_WORLD_KEY})) $(eval CRT_ARGS += $(if ${TRUSTED_WORLD_KEY}, --trusted-world-key ${TRUSTED_WORLD_KEY}))
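Review bot: SAVE_KEYS=1 combined with CREATE_KEYS=0 is silently ignored, because `$(eval CRT_ARGS += -k)` sits inside the `ifneq (${CREATE_KEYS},0)` block. The documentation states that the option depends on CREATE_KEYS, so consider failing the build with `$(error ...)`, or at least emitting `$(warning ...)`, when SAVE_KEYS is set without CREATE_KEYS, so the ignored setting is visible instead of being dropped without a message.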
...@@ -514,7 +519,6 @@ $(eval FIP_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt)) ...@@ -514,7 +519,6 @@ $(eval FIP_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
$(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt))) $(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt)))
$(eval CRT_DEPS += $(if $4,$(2),)) $(eval CRT_DEPS += $(if $4,$(2),))
$(eval CRT_DEPS += $(if $4,$(if $6,$(6),)))
$(eval CRT_ARGS += $(if $4,--bl$(1) $(2))) $(eval CRT_ARGS += $(if $4,--bl$(1) $(2)))
$(eval CRT_ARGS += $(if $4,$(if $6,--bl$(1)-key $(6)))) $(eval CRT_ARGS += $(if $4,$(if $6,--bl$(1)-key $(6))))
$(eval CRT_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt)) $(eval CRT_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
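Review bot: The key file `$(6)` is removed from CRT_DEPS unconditionally, but it only becomes an output when SAVE_KEYS=1. With SAVE_KEYS=0 and a user-supplied key, the file is still an input passed through `--bl$(1)-key $(6)`, so after this change replacing the key no longer triggers certificate regeneration and make no longer checks that the file exists. Consider keeping the dependency when SAVE_KEYS is 0 and dropping it only when the keys are being saved.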
......
...@@ -297,28 +297,40 @@ performed. ...@@ -297,28 +297,40 @@ performed.
certificate generation tool to create new keys in case no valid keys are certificate generation tool to create new keys in case no valid keys are
present or specified. Allowed options are '0' or '1'. Default is '1'. present or specified. Allowed options are '0' or '1'. Default is '1'.
* `SAVE_KEYS`: This option is used when `GENERATE_COT=1`. It tells the
certificate generation tool to save the keys used to establish the Chain of
Trust. Allowed options are '0' or '1'. Default is '0' (do not save).
Note: This option depends on 'CREATE_KEYS' to be enabled. If the keys
already exist in disk, they will be overwritten without further notice.
* `ROT_KEY`: This option is used when `GENERATE_COT=1`. It specifies the * `ROT_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
file that contains the ROT private key in PEM format. file that contains the ROT private key in PEM format. If `SAVE_KEYS=1`, this
file name will be used to save the key.
* `TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It * `TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It
specifies the file that contains the Trusted World private key in PEM specifies the file that contains the Trusted World private key in PEM
format. format. If `SAVE_KEYS=1`, this file name will be used to save the key.
* `NON_TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It * `NON_TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It
specifies the file that contains the Non-Trusted World private key in PEM specifies the file that contains the Non-Trusted World private key in PEM
format. format. If `SAVE_KEYS=1`, this file name will be used to save the key.
* `BL30_KEY`: This option is used when `GENERATE_COT=1`. It specifies the * `BL30_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
file that contains the BL3-0 private key in PEM format. file that contains the BL3-0 private key in PEM format. If `SAVE_KEYS=1`,
this file name will be used to save the key.
* `BL31_KEY`: This option is used when `GENERATE_COT=1`. It specifies the * `BL31_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
file that contains the BL3-1 private key in PEM format. file that contains the BL3-1 private key in PEM format. If `SAVE_KEYS=1`,
this file name will be used to save the key.
* `BL32_KEY`: This option is used when `GENERATE_COT=1`. It specifies the * `BL32_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
file that contains the BL3-2 private key in PEM format. file that contains the BL3-2 private key in PEM format. If `SAVE_KEYS=1`,
this file name will be used to save the key.
* `BL33_KEY`: This option is used when `GENERATE_COT=1`. It specifies the * `BL33_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
file that contains the BL3-3 private key in PEM format. file that contains the BL3-3 private key in PEM format. If `SAVE_KEYS=1`,
this file name will be used to save the key.
* `PROGRAMMABLE_RESET_ADDRESS`: This option indicates whether the reset * `PROGRAMMABLE_RESET_ADDRESS`: This option indicates whether the reset
vector address can be programmed or is fixed on the platform. It can take vector address can be programmed or is fixed on the platform. It can take
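Review bot: The `SAVE_KEYS` entry does not say where a key is written when the corresponding `*_KEY` option is not set; each key entry only states that its file name "will be used to save the key". Please document that case, or state that a file name is required. Since existing files are overwritten "without further notice", and that includes the file named by `ROT_KEY`, it would also help to recommend pointing these options at a dedicated output path and not at an existing key file. Minor: "exist in disk" should read "exist on disk", and 'CREATE_KEYS' should use backticks like the other option names.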
......