1. 26 Oct, 2016 1 commit
  2. 18 Oct, 2016 1 commit
    • dp-arm's avatar
      fiptool: Link `toc_entry` and `image` structures via UUID · b04efcce
      dp-arm authored
      
      
      The `toc_entry` and `image` data structures had a cyclic
      relationship.  This patch removes the explicit dependencies and introduces
      functions to link them via the UUID.
      
      This change highlights the intent of the code better and makes it more
      flexible for future enhancements.
      
      Change-Id: I0c3dd7bfda2a631a3827c8ba4831849c500affe9
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      b04efcce
  3. 15 Sep, 2016 1 commit
    • dp-arm's avatar
      fiptool: Invoke command specific usage function · 85ee2778
      dp-arm authored
      Instead of always calling the top level usage function when an
      error is detected, call the command-specific usage function.
      
      For example running `fiptool create` will produce the same output
      as `fiptool help create`.  This is more convenient for the user
      when they make a mistake.
      
      Change-Id: I60178ab89d47adf93cdfe6d8b5d5f778a5ea3bca
      85ee2778
  4. 12 Sep, 2016 1 commit
    • dp-arm's avatar
      fiptool: Add support for printing the sha256 digest with info command · 9df69ba3
      dp-arm authored
      This feature allows one to quickly verify that the expected
      image is contained in the FIP without extracting the image and
      running sha256sum(1) on it.
      
      The sha256 digest is only shown when the verbose flag is used.
      
      This change requires libssl-dev to be installed in order to build
      Trusted Firmware. Previously, libssl-dev was optionally needed only
      to support Trusted Board Boot configurations.
      
      Fixes ARM-Software/tf-issues#124
      
      Change-Id: Ifb1408d17f483d482bb270a589ee74add25ec5a6
      9df69ba3
  5. 25 Aug, 2016 1 commit
  6. 15 Aug, 2016 1 commit
  7. 29 Jul, 2016 1 commit
    • dp-arm's avatar
      Replace fip_create with fiptool · 819281ee
      dp-arm authored
      fiptool provides a more consistent and intuitive interface compared to
      the fip_create program.  It serves as a better base to build on more
      features in the future.
      
      fiptool supports various subcommands.  Below are the currently
      supported subcommands:
      
      1) info   - List the images contained in a FIP file.
      2) create - Create a new FIP file with the given images.
      3) update - Update an existing FIP with the given images.
      4) unpack - Extract a selected set or all the images from a FIP file.
      5) remove - Remove images from a FIP file.  This is a new command that
         was not present in fip_create.
      
      To create a new FIP file, replace "fip_create" with "fiptool create".
      
      To update a FIP file, replace "fip_create" with "fiptool update".
      
      To dump the contents of a FIP file, replace "fip_create --dump" with
      "fiptool info".
      
      A compatibility script that emulates the basic functionality of
      fip_create is provided.  Existing scripts might or might not work with
      the compatibility script.  Users are strongly encouraged to migrate to
      fiptool.
      
      Fixes ARM-Software/tf-issues#87
      Fixes ARM-Software/tf-issues#108
      Fixes ARM-Software/tf-issues#361
      
      Change-Id: I7ee4da7ac60179cc83cf46af890fd8bc61a53330
      819281ee
  8. 05 Jul, 2016 1 commit
    • Yatharth Kochar's avatar
      Fix `cert_create` tool for Segmentation fault · f16db56a
      Yatharth Kochar authored
      With the introduction of commit `96103d5a`, the Certificate
      Generation tool is not able to generate FWU certificate and
      while doing so it does segmentation fault.
      
      This happens because it is now required to pass non-volatile
      counter values to the `cert_create` tool from the command line
      for creating the trusted firmware certificates.
      
      But in case of creating FWU certificate these counter values are not
      being passed to the tool and as a consequence the `cert_create` tool
      try to use the NULL argument and errors out with Segmentation fault.
      
      This patch fixes this issue by providing a check before using the
      command line argument passed in the case of `EXT_TYPE_NVCOUNTER`
      certificate extension.
      
      Change-Id: Ie17d0c1502b52aaa8500f3659c2da2448ab0347a
      f16db56a
  9. 03 Jun, 2016 1 commit
    • Dan Handley's avatar
      Move stdlib header files to include/lib/stdlib · f0b489c1
      Dan Handley authored
      * Move stdlib header files from include/stdlib to include/lib/stdlib for
        consistency with other library headers.
      * Fix checkpatch paths to continue excluding stdlib files.
      * Create stdlib.mk to define the stdlib source files and include directories.
      * Include stdlib.mk from the top level Makefile.
      * Update stdlib header path in the fip_create Makefile.
      * Update porting-guide.md with the new paths.
      
      Change-Id: Ia92c2dc572e9efb54a783e306b5ceb2ce24d27fa
      f0b489c1
  10. 27 Apr, 2016 1 commit
  11. 06 Apr, 2016 1 commit
    • Juan Castillo's avatar
      fip_create: add support for image unpacking · c49a805d
      Juan Castillo authored
      This patch adds support for image unpacking to the FIP packaging
      tool. Command line option '-u,--unpack' may be used to unpack the
      contents of an existing FIP file into the working directory. The
      tool uses default hardcoded filenames for the unpacked images. If
      the files already exist, they can be overwritten by specifying the
      option '-f,--force'.
      
      Change-Id: I360b11d9c5403e8c0a7a9cac32c1d90ebb228063
      c49a805d
  12. 01 Apr, 2016 7 commits
    • Evan Lloyd's avatar
      Make:Allow for extension in tool names. · 42a45b51
      Evan Lloyd authored
      In some build environments executable programs have a specific file
      extension.  The value of BIN_EXT is appended to the relevant tool file
      names to allow for this.
      The value of BIN_EXT is set, where appropriate, by the build environment
      specific make helper (to .exe for Windows build environments).
      
      .gitignore is updated to hide the new (.exe) files.
      
      Change-Id: Icc32f64b750e425265075ad4e0dea18129640b86
      42a45b51
    • Evan Lloyd's avatar
      Make:Use "simply expanded" make variables. · b169f6a9
      Evan Lloyd authored
      Replace some "recursively expanded" make variables with "simply
      expanded" variables (i.e. replace = with :=). This has no functional
      impact but is more consistent and theoretically more efficient.
      
      Change-Id: Iaf33d7c8ad48464ae0d39923515d1e7f230c95c1
      b169f6a9
    • Evan Lloyd's avatar
      Build:Replace soft links with file copy. · bb5a762c
      Evan Lloyd authored
      Some build environments do not support symbolic links. This patch
      removes the symlinks previously used to build fip_create and instead
      copies the relevant header files.
      The original motivation for using symlinks was to avoid Trusted Firmware
      library headers conflicting with headers in the compiler standard
      include path. Copying the header files instead has the same effect.
      
      Like other build artefacts, the copied files are listed in .gitignore.
      
      The distclean targets have also been updated to remove the copies.
      
      Change-Id: Ie8b67bcb133f7f1d660ae93b857950aa15e42b1e
      bb5a762c
    • Evan Lloyd's avatar
      Make:Use environment variables for OS detection. · e7f54dbd
      Evan Lloyd authored
      Add make helper files to select the appropriate settings for the build
      environment. Selection is made in make_helpers/build_env.mk, which
      selects other files to include using generic build environment settings.
      The Trusted Firmware Makefile and supporting tool Makefiles are updated
      to include build_env.mk instead of unix.mk.
      
      NOTE: This change does not fully enable builds in other build
            environments. It facilitates this without compromising the
            existing build environments.
      
      Change-Id: Ic4064ffe6ce158bbd16d7cc9f27dd4655a3580f6
      e7f54dbd
    • Evan Lloyd's avatar
      Make:Make shell commands more portable · f1477d4a
      Evan Lloyd authored
      Macros are inserted to replace direct invocations of commands that are
      problematic on some build environments. (e.g. Some environments expect
      \ in paths instead of /.)
      The changes take into account mismatched command mappings across
      environments.
      The new helper file unix.mk retains existing makefile behaviour on unix
      like build environments by providing the following macro definitions:
        SHELL_COPY        cp -f
        SHELL_COPY_TREE   cp -rf
        SHELL_DELETE      rm -f
        SHELL_DELETE_ALL  rm -rf
        MAKE_PREREQ_DIR   mkdir -p  (As make target)
        SHELL_REMOVE_DIR  rm -rf
      
      Change-Id: I1b5ca5e1208e78230b15284c4af00c1c006cffcb
      f1477d4a
    • Evan Lloyd's avatar
      Make:Add realclean to .PHONY list · aeb25668
      Evan Lloyd authored
      Update the cert_create Makefile to list realclean as .PHONY
      (like clean)
      
      Change-Id: I9dc8a61a11574a044372e0952b5b12b74e133747
      aeb25668
    • Evan Lloyd's avatar
      Make:Remove calls to shell from makefiles. · 231c1470
      Evan Lloyd authored
      As an initial stage of making Trusted Firmware build environment more
      portable, we remove most uses of the $(shell ) function and replace them
      with more portable make function based solutions.
      
      Note that the setting of BUILD_STRING still uses $(shell ) since it's
      not possible to reimplement this as a make function. Avoiding invocation
      of this on incompatible host platforms will be implemented separately.
      
      Change-Id: I768e2f9a265c78814a4adf2edee4cc46cda0f5b8
      231c1470
  13. 30 Mar, 2016 1 commit
    • Juan Castillo's avatar
      cert_create: add non-volatile counter support · 96103d5a
      Juan Castillo authored
      This patch adds non-volatile counter support to the Certificate
      Generation tool. The TBBR Chain of Trust definition in the tool
      has been extended to include the counters as certificate extensions.
      The counter values can be specified in the command line.
      
      The following default counter values are specified in the build
      system:
      
        * Trusted FW Non-Volatile counter = 0
        * Non-Trusted FW Non-Volatile counter = 0
      
      These values can be overridden by the platform at build time.
      
      Change-Id: I7ea10ee78d72748d181df4ee78a7169b3ef2720c
      96103d5a
  14. 04 Mar, 2016 1 commit
    • Juan Castillo's avatar
      fip_create: miscellaneous improvements to source code · 24fee61e
      Juan Castillo authored
      This patch introduces the following improvements:
      
        * Global variables in fip_create.c declared static.
        * Flags to signal the requested actions (do_dump, do_pack) made
          global.
        * The ToC is printed at the end of the main funcion, after the FIP
          has been created/updated, not in the parse_cmdline() function.
        * Short format added to the command line options (-d,--dump;
          -h,--help).
        * Help message updated.
      
      Change-Id: I5f08273c76f1de45fe597e290bee4b60aa404df9
      24fee61e
  15. 07 Jan, 2016 1 commit
    • Juan Castillo's avatar
      cert_create: update help message · 159807e2
      Juan Castillo authored
      The help message printed by the cert_create tool using the command
      line option -h (or --help) does not correctly list all the available
      command line options.
      
      This patch reworks the print_help() function to print the help
      messages in a data driven approach. For each command line option
      registered, an optional help message can be specified, which will
      be printed by print_help().
      
      Help messages for the TBBR options (certificates, keys and images)
      are also provided.
      
      Fix a small bug in the short options string passed to getopt_long:
      the ':' was missing in the '-a' option (this option must take an
      argument).
      
      Fixes ARM-software/tf-issues#337
      
      Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452
      159807e2
  16. 05 Jan, 2016 2 commits
    • Juan Castillo's avatar
      Apply TBBR naming convention to the fip_create options · 8f0617ef
      Juan Castillo authored
      The fip_create tool specifies images in the command line using the
      ARM TF naming convention (--bl2, --bl31, etc), while the cert_create
      tool uses the TBBR convention (--tb-fw, --soc-fw, etc). This double
      convention is confusing and should be aligned.
      
      This patch updates the fip_create command line options to follow the
      TBBR naming convention. Usage examples in the User Guide have been
      also updated.
      
      NOTE: users that build the FIP by calling the fip_create tool directly
      from the command line must update the command line options in their
      scripts. Users that build the FIP by invoking the main ARM TF Makefile
      should not notice any difference.
      
      Change-Id: I84d602630a2585e558d927b50dfde4dd2112496f
      8f0617ef
    • Sandrine Bailleux's avatar
      Always build with '-pedantic' · aa856917
      Sandrine Bailleux authored
      By default ARM TF is built with the '-pedantic' compiler flag, which
      helps detecting violations of the C standard. However, the mbed TLS
      library and its associated authentication module in TF used to fail
      building with this compiler flag. As a workaround, the mbed TLS
      authentication module makefile used to set the 'DISABLE_PEDANTIC'
      TF build flag.
      
      The compiler errors flagged by '-pedantic' in the mbed TLS library
      have been fixed between versions 1.3.9 and 2.2.0 and the library now
      properly builds with this compiler flag.
      
      This patch fixes the remaining compiler errors in the mbed TLS
      authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
      build flag. This means that TF is now always built with '-pedantic'.
      
      In particular, this patch:
      
       * Removes the final semi-colon in REGISTER_COT() macro.
      
         This semi-colon was causing the following error message:
      
         drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
         extra ';' outside of a function [-Werror=pedantic]
      
         This has been fixed both in the mbed TLS authentication module
         as well as in the certificate generation tool. Note that the latter
         code didn't need fixing since it is not built with '-pedantic' but
         the change has been propagated for consistency.
      
         Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
         which were suffering from the same issue.
      
       * Fixes a pointer type.
      
         It was causing the following error message:
      
         drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
         drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
         type 'void *' used in arithmetic [-Werror=pointer-arith]
      
      Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
      aa856917
  17. 14 Dec, 2015 3 commits
    • Juan Castillo's avatar
      Remove dashes from image names: 'BL3-x' --> 'BL3x' · d178637d
      Juan Castillo authored
      This patch removes the dash character from the image name, to
      follow the image terminology in the Trusted Firmware Wiki page:
      
          https://github.com/ARM-software/arm-trusted-firmware/wiki
      
      Changes apply to output messages, comments and documentation.
      
      non-ARM platform files have been left unmodified.
      
      Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
      d178637d
    • Juan Castillo's avatar
      Replace all SCP FW (BL0, BL3-0) references · f59821d5
      Juan Castillo authored
      This patch replaces all references to the SCP Firmware (BL0, BL30,
      BL3-0, bl30) with the image terminology detailed in the TF wiki
      (https://github.com/ARM-software/arm-trusted-firmware/wiki):
      
          BL0          -->  SCP_BL1
          BL30, BL3-0  -->  SCP_BL2
          bl30         -->  scp_bl2
      
      This change affects code, documentation, build system, tools and
      platform ports that load SCP firmware. ARM plaforms have been
      updated to the new porting API.
      
      IMPORTANT: build option to specify the SCP FW image has changed:
      
          BL30 --> SCP_BL2
      
      IMPORTANT: This patch breaks compatibility for platforms that use BL2
      to load SCP firmware. Affected platforms must be updated as follows:
      
          BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
          BL30_BASE --> SCP_BL2_BASE
          bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
          bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()
      
      Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
      f59821d5
    • Juan Castillo's avatar
      TBB: apply TBBR naming convention to certificates and extensions · 516beb58
      Juan Castillo authored
      This patch applies the TBBR naming convention to the certificates
      and the corresponding extensions defined by the CoT:
      
          * Certificate UUID names
          * Certificate identifier names
          * OID names
      
      Changes apply to:
      
          * Generic code (variables and defines)
          * The default certificate identifiers provided in the generic
            code
          * Build system
          * ARM platforms port
          * cert_create tool internal definitions
          * fip_create and cert_create tools command line options
          * Documentation
      
      IMPORTANT: this change breaks the compatibility with platforms
      that use TBBR. The platform will need to adapt the identifiers
      and OIDs to the TBBR naming convention introduced by this patch:
      
      Certificate UUIDs:
      
          UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
          UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
          UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
          UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
          UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
          UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
          UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
          UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
          UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT
      
      Certificate identifiers:
      
          BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
          BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
          BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
          BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
          BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
          BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
          BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
          BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
          BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID
      
      OIDs:
      
          TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
          NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
          BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
          TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
          NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
          BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
          BL30_HASH_OID --> SCP_FW_HASH_OID
          BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
          BL31_HASH_OID --> SOC_AP_FW_HASH_OID
          BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
          BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
          BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
          BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
          BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
          SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
          NS_BL2U_HASH_OID --> FWU_HASH_OID
      
      Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
      516beb58
  18. 09 Dec, 2015 2 commits
    • Yatharth Kochar's avatar
      FWU: Add FWU support to `fip_create` tool · 2d4d2203
      Yatharth Kochar authored
      Firmware Update (FWU) introduces a new set of images called
      SCP_BL2U, BL2U and NS_BL2U, which can be packed in a FWU FIP file.
      
      This patch introduces new UUIDs for the Firmware Update images
      and extends the 'fip'create' tool so that these new images can be
      packed in a FIP file.
      
      Change-Id: I7c60211b4f3cc265411efb131e6d3c624768f522
      2d4d2203
    • Yatharth Kochar's avatar
      FWU: Add FWU support to `cert_create` tool · cebe1f23
      Yatharth Kochar authored
      Firmware Update requires an X509v3 certificate which contains
      hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.
      
      This patch extends the Chain of Trust definition in the
      'cert_create' tool to include the Firmware Update certificate
      and the required extensions (including command line options).
      A new field in the extension structure will be used to indicate
      that the extension is optional. In the case of an image hash
      extension, this field will tell the tool that the hash should
      be included in the certificate, but filled with zeros.
      
      Change-Id: I1f77a66b018826b71745910771f38d9cf6050388
      cebe1f23
  19. 23 Oct, 2015 2 commits
    • Juan Castillo's avatar
      cert_create: specify command line options in the CoT · ad2c1a9a
      Juan Castillo authored
      This patch introduces a new API that allows to specify command
      line options in the Chain of Trust description. These command line
      options may be used to specify parameters related to the CoT (i.e.
      keys or certificates), instead of keeping a hardcoded list of
      options in main.c.
      
      Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
      ad2c1a9a
    • Juan Castillo's avatar
      cert_create: improve command line argument check · dfc90e26
      Juan Castillo authored
      The certificate generation tool currently checks if all command
      line options required to create all certificates in the CoT have
      been specified. This prevents using the tool to create individual
      certificates when the whole CoT is not required.
      
      This patch improves the checking function so only those options
      required by the certificates specified in the command line are
      verified.
      
      Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
      dfc90e26
  20. 16 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: rework cert_create tool to follow a data driven approach · 55e291a4
      Juan Castillo authored
      This patch reworks the certificate generation tool to follow a data
      driven approach. The user may specify at build time the certificates,
      keys and extensions defined in the CoT, register them using the
      appropiate macros and the tool will take care of creating the
      certificates corresponding to the CoT specified.
      
      Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
      55e291a4
  21. 01 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: build 'cert_create' with ECDSA only if OpenSSL supports it · ed2a76ea
      Juan Castillo authored
      Some Linux distributions include an OpenSSL library which has been
      built without ECDSA support. Trying to build the certificate
      generation tool on those distributions will result in a build error.
      
      This patch fixes that issue by including ECDSA support only if
      OpenSSL has been built with ECDSA. In that case, the OpenSSL
      configuration file does not define the OPENSSL_NO_EC macro. The tool
      will build successfully, although the resulting binary will not
      support ECDSA keys.
      
      Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
      ed2a76ea
  22. 25 Jun, 2015 2 commits
    • Juan Castillo's avatar
      TBB: add ECDSA support to the certificate generation tool · ccbf890e
      Juan Castillo authored
      This patch extends the 'cert_create' tool to support ECDSA keys
      to sign the certificates. The '--key-alg' command line option
      can be used to specify the key algorithm when invoking the tool.
      Available options are:
      
          * 'rsa': create RSA-2048 keys (default option)
          * 'ecdsa': create ECDSA-SECP256R1 keys
      
      The TF Makefile has been updated to allow the platform to specify
      the key algorithm by declaring the 'KEY_ALG' variable in the
      platform makefile.
      
      The behaviour regarding key management has changed. After applying
      this patch, the tool will try first to open the keys from disk. If
      one key does not exist or no key is specified, and the command line
      option to create keys has been specified, new keys will be created.
      Otherwise an error will be generated and the tool will exit. This
      way, the user may specify certain keys while the tool will create
      the remaining ones. This feature is useful for testing purposes
      and CI infrastructures.
      
      The OpenSSL directory may be specified using the build option
      'OPENSSL_DIR' when building the certificate generation tool.
      Default is '/usr'.
      
      Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
      ccbf890e
    • Juan Castillo's avatar
      TBB: use ASN.1 type DigestInfo to represent hashes · c3da66b1
      Juan Castillo authored
      The cert_create tool calculates the hash of each BL image and includes
      it as an ASN.1 OCTET STRING in the corresponding certificate extension.
      Without additional information, the firmware running on the platform
      has to know in advance the algorithm used to generate the hash.
      
      This patch modifies the cert_create tool so the certificate extensions
      that include an image hash are generated according to the following
      ASN.1 structure:
      
          DigestInfo ::= SEQUENCE {
              digestAlgorithm  AlgorithmIdentifier,
              digest           OCTET STRING
          }
      
          AlgorithmIdentifier ::=  SEQUENCE  {
              algorithm        OBJECT IDENTIFIER,
              parameters       ANY DEFINED BY algorithm OPTIONAL
          }
      
      The PolarSSL module has been updated to extract the image hash
      from the certificate extension according to this structure.
      
      Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
      c3da66b1
  23. 28 Apr, 2015 1 commit
    • Dan Handley's avatar
      Allow deeper platform port directory structure · c04d2606
      Dan Handley authored
      Update the top level makefile to allow platform ports to exist in
      subdirectories at any level instead of one level under `plat/`. The
      makefile recursively searches for all files called `platform.mk` in
      all subdirectories of `plat/`. The directory containing
      `platform.mk` is the platform name. Platform names must be unique
      across the codebase.
      
      Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since
      these are both used to report the same information back to the user.
      
      Update the TSP and cert_create tool makefiles in a similar way
      to support a deeper platform port directory structure.
      
      Also add PLAT_<plat_name> as a define passed through the top level
      makefile to the source files, to allow build time variation in common
      platform code.
      
      Change-Id: I213420164808c5ddb99a26144e8e3f141a7417b7
      c04d2606
  24. 05 Mar, 2015 1 commit
    • Juan Castillo's avatar
      TBB: use SHA256 to generate the certificate signatures · ea4ec3aa
      Juan Castillo authored
      This patch replaces SHA1 by SHA256 in the 'cert_create' tool, so
      certificate signatures are generated according to the NSA Suite B
      cryptographic algorithm requirements.
      
      Documentation updated accordingly.
      
      Change-Id: I7be79e6b2b62dac8dc78a4f4f5006e37686bccf6
      ea4ec3aa
  25. 28 Jan, 2015 2 commits
    • Juan Castillo's avatar
      TBB: add support to include certificates in a FIP image · b7124ea7
      Juan Castillo authored
      This patch extends the FIP tool to include the certificates
      generated by the 'cert_create' tool.
      
      If GENERATE_COT build option is enabled, the Makefile adds the
      certificates as dependencies to create the FIP file. Thus, make
      target 'fip' will also build the certificates as part of the
      Trusted Firmware build process.
      
      Change-Id: I5eee500da7f7be6cfb6e3df0423599739d260074
      b7124ea7
    • Juan Castillo's avatar
      TBB: add tool to generate certificates · 6f971622
      Juan Castillo authored
      This patch adds a tool that generates all the necessary elements
      to establish the chain of trust (CoT) between the images.
      
      The tool reads the binary images and signing keys and outputs the
      corresponding certificates that will be used by the target at run
      time to verify the authenticity of the images.
      
      Note: the platform port must provide the file platform_oid.h. This
      file will define the OIDs of the x509 extensions that will be added
      to the certificates in order to establish the CoT.
      
      Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
      6f971622
  26. 10 Dec, 2014 1 commit
    • Kévin Petit's avatar
      fip_create: don't succeed if one of the passed files doesn't exist · 38410f80
      Kévin Petit authored
      
      
      If one of the files passed to fip_create on the command line doesn't
      exist, it will print an error message but produce an incomplete
      fip.bin file and report success. This behaviour could potentially
      hide errors made in the command line arguments.
      
      This patch addresses the issue by having the tool bail out if one of
      the supplied files can't be processed.
      Signed-off-by: default avatarKévin Petit <kevin.petit@arm.com>
      
      Fixes ARM-software/tf-issues#279
      
      Change-Id: I1c7d87d09eb4c063005b7969bdaad1d043c29dec
      38410f80
  27. 26 Nov, 2014 1 commit
    • Sandrine Bailleux's avatar
      Fix problem of dependencies on the fiptool makefile target · 07deed40
      Sandrine Bailleux authored
      The 'fiptool' target doesn't depend on fip_create's source files,
      neither directly nor indirectly. As a result, the FIP tool is not
      rebuilt whenever its source files change.
      
      This patch makes the ${FIPTOOL} target into a phony target so that the
      FIP tool's sub-makefile is always called. The sub-makefile correctly
      handles the dependencies. It also moves the completion message into
      the sub-makefile so that it is only displayed when the tool is
      actually recompiled.
      
      Fixes ARM-software/tf-issues#278
      
      Change-Id: Ia027519fe51d3c42be30665d1ad20a7b89fa350f
      07deed40