- 24 Mar, 2021 2 commits
-
-
Pankaj Gupta authored
Generic framework is added to include platform defined UUID. This framework is added for the following: - All NXP SoC based platforms needed additional fip-fuse.bin - NXP SoC lx2160a based platforms requires additional fip-ddr.bin Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com> Change-Id: Ibe05d9c596256e34077287a490dfcd5b731ef2cf
-
Pankaj Gupta authored
Changes to 'tools/cert_create' folder, to include platform defined certificates, keys, and extensions. NXP SoC lx2160a : based platforms requires additional FIP DDR to be loaded before initializing the DDR. To enable chain of trust on these platforms, FIP DDR image needs to be authenticated, additionally. Platform specific folder 'tools/nxp/cert_create_helper' is added to support platform specific macros and definitions. Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com> Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
-
- 18 Mar, 2021 1 commit
-
-
Tomas Pilar authored
The UEFI specification details the represenatation for the EFI_GUID type. Add this representation to the uuid_helper_t union type so that GUID definitions can be shared verbatim between UEFI and TF-A header files. Change-Id: Ie44ac141f70dd0025e186581d26dce1c1c29fce6 Signed-off-by: Tomas Pilar <tomas@nuviainc.com>
-
- 15 Sep, 2020 1 commit
-
-
Manish V Badarkhe authored
Implemented a parser which populates the properties of the CoT descriptors as per the binding document [1]. 'COT_DESC_IN_DTB' build option is disabled by default and can be enabled in future for all Arm platforms by making necessary changes in the memory map. Currently, this parser is tested only for FVP platform. [1]: https://trustedfirmware-a.readthedocs.io/en/latest/components/cot-binding.html Change-Id: I2f911206087a1a2942aa728de151d2ac269d27cc Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
-
- 12 Aug, 2020 1 commit
-
-
Manish Pandey authored
Add support to generate a certificate named "plat-sp-cert" for Secure Partitions(SP) owned by Platform. Earlier a single certificate file "sip-sp-cert" was generated which contained hash of all 8 SPs, with this change SPs are divided into two categories viz "SiP owned" and "Plat owned" containing 4 SPs each. Platform RoT key pair is used for signing. Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6
-
- 24 Jun, 2020 2 commits
-
-
Manish V Badarkhe authored
Updated cert_tool to add hash information of fw_config image into the existing "trusted boot fw" certificate. Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: I720319225925806a2a9f50a1ac9c8a464be975f0
-
Manish V Badarkhe authored
Added support in fiptool to include fw_config image in FIP. Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ibbd14723a4141598d9d7f6bfcf88a0ef92cf87bc
-
- 11 Jun, 2020 1 commit
-
-
Manish Pandey authored
with sha 0792dd7d , support to generate certificate for Secure Partitions was added for dualroot CoT only, this patch extends this support for tbbr CoT. Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f
-
- 08 Jun, 2020 1 commit
-
-
Manish Pandey authored
Add support to generate certificate "sip-sp-cert" for Secure Partitions(SP) owned by Silicon provider(SiP). To avoid deviation from TBBR specification the support is only added for dualroot CoT and not for TBBR CoT. A single certificate file is generated containing hash of individual packages. Maximum 8 secure partitions are supported. Following new options added to cert_tool: --sip-sp-cert --> SiP owned Secure Partition Content Certificate --sp-pkg1 --> Secure Partition Package1 file --sp-pkg2 ..... --sp-pkg8 Trusted world key pair is used for signing. Going forward, this feature can be extended for Platfrom owned Partitions, if required. Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
-
- 06 Mar, 2020 1 commit
-
-
Sumit Garg authored
TBBR spec advocates for optional encryption of firmwares (see optional requirement: R060_TBBR_FUNCTION). So add an IO abstaction layer to support firmware decryption that can be stacked above any underlying IO/ packaging layer like FIP etc. It aims to provide a framework to load any encrypted IO payload. Also, add plat_get_enc_key_info() to be implemented in a platform specific manner as handling of encryption key may vary from one platform to another. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Change-Id: I9892e0ddf00ebecb8981301dbfa41ea23e078b03
-
- 24 Feb, 2020 1 commit
-
-
Sandrine Bailleux authored
This new chain of trust defines 2 independent signing domains: 1) One for the silicon firmware (BL1, BL2, BL31) and optionally the Trusted OS. It is rooted in the Silicon ROTPK, just as in the TBBR CoT. 2) One for the Normal World Bootloader (BL33). It is rooted in a new key called Platform ROTPK, or PROTPK for short. In terms of certificates chain, - Signing domain 1) is similar to what TBBR advocates (see page 21 of the TBBR specification), except that the Non-Trusted World Public Key has been removed from the Trusted Key Certificate. - Signing domain 2) only contains the Non-Trusted World Content certificate, which provides the hash of the Non-Trusted World Bootloader. Compared to the TBBR CoT, there's no Non-Trusted World Key certificate for simplicity. Change-Id: I62f1e952522d84470acc360cf5ee63e4c4b0b4d9 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 10 Feb, 2020 1 commit
-
-
Manish Pandey authored
Currently sptool generates a single blob containing all the Secure Partitions, with latest SPM implementation, it is desirable to have individual blobs for each Secure Partition. It allows to leverage packaging and parsing of SP on existing FIP framework. It also allows SP packages coming from different sources. This patch modifies sptool so that it takes number of SP payload pairs as input and generates number of SP blobs instead of a single blob. Each SP blob can optionally have its own header containing offsets and sizes of different payloads along with a SP magic number and version. It is also associated in FIP with a UUID, provided by SP owner. Usage example: sptool -i sp1.bin:sp1.dtb -o sp1.pkg -i sp2.bin:sp2.dtb -o sp2.pkg ... Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: Ie2db8e601fa1d4182d0a1d22e78e9533dce231bc
-
- 07 Feb, 2020 1 commit
-
-
Louis Mayencourt authored
Use the firmware configuration framework to store the io_policies information inside the configuration device tree instead of the static structure in the code base. The io_policies required by BL1 can't be inside the dtb, as this one is loaded by BL1, and only available at BL2. This change currently only applies to FVP platform. Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 04 Jan, 2019 1 commit
-
-
Antonio Nino Diaz authored
Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca339 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 11 Dec, 2018 1 commit
-
-
Antonio Nino Diaz authored
This tool packages Secure Partitions and Resource Descriptor blobs into a simple file that can be loaded by SPM. Change-Id: If3800064f30bdc3d7fc6a15ffbb3007ef632bcaa Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 08 Nov, 2018 1 commit
-
-
Antonio Nino Diaz authored
All identifiers, regardless of use, that start with two underscores are reserved. This means they can't be used in header guards. The style that this project is now to use the full name of the file in capital letters followed by 'H'. For example, for a file called "uart_example.h", the header guard is UART_EXAMPLE_H. The exceptions are files that are imported from other projects: - CryptoCell driver - dt-bindings folders - zlib headers Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 14 Jun, 2018 1 commit
-
-
Roberto Vargas authored
RFC4122 defines that fields are stored in network order (big endian), but TF-A stores them in machine order (little endian by default in TF-A). We cannot change the future UUIDs that are already generated, but we can store all the bytes using arrays and modify fiptool to generate the UUIDs with the correct byte order. Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 18 May, 2018 1 commit
-
-
Soby Mathew authored
This patch implements support for adding dynamic configurations for BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The necessary cert tool support and changes to default chain of trust are made for these configs. Change-Id: I25f266277b5b5501a196d2f2f79639d838794518 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 26 Feb, 2018 1 commit
-
-
Soby Mathew authored
This patch updates the `fiptool` and `cert_create` for the `hw_config` and `tb_fw_config` dynamic configuration files. The necessary UUIDs and OIDs are assigned to these files and the `cert_create` is updated to generate appropriate hashes and include them in the "Trusted Boot FW Certificate". The `fiptool` is updated to allow the configs to be specified via cmdline and included in the generated FIP. Change-Id: I940e751a49621ae681d14e162aa1f5697eb0cb15 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 09 Aug, 2017 1 commit
-
-
Summer Qin authored
Since Trusted OS firmware may have extra images, need to assign new uuid and image id for them. The TBBR chain of trust has been extended to add support for the new images within the existing Trusted OS firmware content certificate. Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06 Signed-off-by: Summer Qin <summer.qin@arm.com>
-
- 23 May, 2017 2 commits
-
-
Masahiro Yamada authored
Platforms aligned with TBBR are supposed to use their own OIDs, but defining the same macros with different OIDs does not provide any value (at least technically). For easier use of TBBR, this commit allows platforms to reuse the OIDs obtained by ARM Ltd. This will be useful for non-ARM vendors that do not need their own extension fields in their certificate files. The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by defining USE_TBBR_DEFS as 1. USE_TBBR_DEFS is 0 by default to keep the backward compatibility. For clarification, I inserted a blank line between headers from the include/ directory (#include <...>) and ones from a local directory (#include "..." ). Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Masahiro Yamada authored
Some header files need to be shared between TF and host programs. For fiptool, two headers are copied to the tools/fiptool directory, but it looks clumsy. This commit introduces a new directory, include/tools_share, which collects headers that should be shared between TF and host programs. This will clarify the interface exposed to host tools. We should add new headers to this directory only when we really need to do so. For clarification, I inserted a blank line between headers from the include/ directory (#include <...>) and ones from a local directory (#include "..." ). Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-