1. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  2. 04 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      tools: Make invocation of host compiler correct · 750e8d80
      Antonio Nino Diaz authored
      
      
      HOSTCC should be used in any of the tools inside the tools/ directory
      instead of CC. That way it is possible to override both values from the
      command line when building the Trusted Firmware and the tools at the
      same time. Also, use HOSTCCFLAGS instead of CFLAGS.
      
      Also, instead of printing the strings CC and LD in the console during
      the compilation of the tools, HOSTCC and HOSTLD have to be used for
      clarity. This is how it is done in other projects like U-Boot or Linux.
      
      Change-Id: Icd6f74c31eb74cdd1c353583399ab19e173e293e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      750e8d80
  3. 06 Jul, 2018 1 commit
  4. 27 Jun, 2018 1 commit
  5. 18 May, 2018 1 commit
  6. 30 Apr, 2018 1 commit
  7. 05 Mar, 2018 1 commit
  8. 26 Feb, 2018 1 commit
    • Soby Mathew's avatar
      Dynamic cfg: Update the tools · e24659df
      Soby Mathew authored
      
      
      This patch updates the `fiptool` and `cert_create` for the
      `hw_config` and `tb_fw_config` dynamic configuration files.
      The necessary UUIDs and OIDs are assigned to these files and
      the `cert_create` is updated to generate appropriate hashes
      and include them in the "Trusted Boot FW Certificate". The
      `fiptool` is updated to allow the configs to be specified
      via cmdline and included in the generated FIP.
      
      Change-Id: I940e751a49621ae681d14e162aa1f5697eb0cb15
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      e24659df
  9. 21 Nov, 2017 1 commit
  10. 09 Oct, 2017 1 commit
    • Qixiang Xu's avatar
      cert_tool: Fix ECDSA certificates create failure · 1727de0e
      Qixiang Xu authored
      Commit a8eb286a
      
       introduced the
      following error when creating ECDSA certificates.
          ERROR:   Error creating key 'Trusted World key'
          Makefile:634: recipe for target 'certificates' failed
          make: *** [certificates] Error 1
      
      this patch adds the function to create PKCS#1 v1.5.
      
      Change-Id: Ief96d55969d5e9877aeb528c6bb503b560563537
      Signed-off-by: default avatarQixiang Xu <qixiang.xu@arm.com>
      1727de0e
  11. 08 Oct, 2017 1 commit
  12. 11 Sep, 2017 1 commit
    • Soby Mathew's avatar
      Set default value of USE_TBBR_DEFS · 4a2bf951
      Soby Mathew authored
      
      
      Using the OIDs defined in tbbr_oids.h is the recommended way to build
      the cert_create tool. This patch hence sets default value of the build
      flag USE_TBBR_DEFS to 1 in the Makefile in `tools/cert_create` folder
      when cert_create is built from this folder.
      
      Fixes ARM-software/tf-issues#482
      
      Change-Id: Id1d224826b3417770bccbefa1b68d9bdb3b567f0
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      4a2bf951
  13. 31 Aug, 2017 1 commit
    • Soby Mathew's avatar
      cert_tool: Support for legacy RSA PKCS#1 v1.5 · a8eb286a
      Soby Mathew authored
      
      
      This patch enables choice of RSA version at run time to be used for
      generating signatures by the cert_tool. The RSA PSS as defined in
      PKCS#1 v2.1 becomes the default version and this patch enables to specify
      the RSA PKCS#1 v1.5 algorithm to `cert_create` through the command line
      -a option. Also, the build option `KEY_ALG` can be used to pass this
      option from the build system. Please note that RSA PSS is mandated
      by Trusted Board Boot requirements (TBBR) and legacy RSA support is
      being added for compatibility reasons.
      
      Fixes ARM-Software/tf-issues#499
      Change-Id: Ifaa3f2f7c9b43f3d7b3effe2cde76bf6745a5d73
      Co-Authored-By: default avatarEleanor Bonnici <Eleanor.bonnici@arm.com>
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      a8eb286a
  14. 09 Aug, 2017 1 commit
  15. 12 Jul, 2017 1 commit
    • Isla Mitchell's avatar
      Fix order of #includes · 2a4b4b71
      Isla Mitchell authored
      
      
      This fix modifies the order of system includes to meet the ARM TF coding
      standard. There are some exceptions in order to retain header groupings,
      minimise changes to imported headers, and where there are headers within
      the #if and #ifndef statements.
      
      Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
      Signed-off-by: default avatarIsla Mitchell <isla.mitchell@arm.com>
      2a4b4b71
  16. 12 Jun, 2017 1 commit
  17. 05 Jun, 2017 1 commit
    • Soby Mathew's avatar
      cert_create: Use RSASSA-PSS signature scheme for certificates · 1f33ad4e
      Soby Mathew authored
      
      
      This patch modifies the `cert_create` tool to use RSASSA-PSS scheme for
      signing the certificates. This is compliant with RSA PKCS_2_1 standard as
      mandated by TBBR.
      
      Note that the certificates generated by using cert_create tool after this
      patch can be authenticated during TBB only if the corresponding mbedtls
      driver in ARM Trusted Firmware has the corresponding support.
      
      Change-Id: If224f41c76b3c4765ae2af5259e67f73602818a4
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      1f33ad4e
  18. 24 May, 2017 1 commit
  19. 23 May, 2017 1 commit
    • Masahiro Yamada's avatar
      cert: move platform_oid.h to include/tools_share for all platforms · bb41eb7a
      Masahiro Yamada authored
      
      
      Platforms aligned with TBBR are supposed to use their own OIDs, but
      defining the same macros with different OIDs does not provide any
      value (at least technically).
      
      For easier use of TBBR, this commit allows platforms to reuse the OIDs
      obtained by ARM Ltd.  This will be useful for non-ARM vendors that
      do not need their own extension fields in their certificate files.
      
      The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h
      
      Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
      defining USE_TBBR_DEFS as 1.  USE_TBBR_DEFS is 0 by default to keep the
      backward compatibility.
      
      For clarification, I inserted a blank line between headers from the
      include/ directory (#include <...>) and ones from a local directory
      (#include "..." ).
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      bb41eb7a
  20. 03 May, 2017 1 commit
  21. 14 Feb, 2017 1 commit
  22. 11 Feb, 2017 3 commits
  23. 05 Jul, 2016 1 commit
    • Yatharth Kochar's avatar
      Fix `cert_create` tool for Segmentation fault · f16db56a
      Yatharth Kochar authored
      With the introduction of commit `96103d5a`, the Certificate
      Generation tool is not able to generate FWU certificate and
      while doing so it does segmentation fault.
      
      This happens because it is now required to pass non-volatile
      counter values to the `cert_create` tool from the command line
      for creating the trusted firmware certificates.
      
      But in case of creating FWU certificate these counter values are not
      being passed to the tool and as a consequence the `cert_create` tool
      try to use the NULL argument and errors out with Segmentation fault.
      
      This patch fixes this issue by providing a check before using the
      command line argument passed in the case of `EXT_TYPE_NVCOUNTER`
      certificate extension.
      
      Change-Id: Ie17d0c1502b52aaa8500f3659c2da2448ab0347a
      f16db56a
  24. 01 Apr, 2016 5 commits
    • Evan Lloyd's avatar
      Make:Allow for extension in tool names. · 42a45b51
      Evan Lloyd authored
      In some build environments executable programs have a specific file
      extension.  The value of BIN_EXT is appended to the relevant tool file
      names to allow for this.
      The value of BIN_EXT is set, where appropriate, by the build environment
      specific make helper (to .exe for Windows build environments).
      
      .gitignore is updated to hide the new (.exe) files.
      
      Change-Id: Icc32f64b750e425265075ad4e0dea18129640b86
      42a45b51
    • Evan Lloyd's avatar
      Make:Use environment variables for OS detection. · e7f54dbd
      Evan Lloyd authored
      Add make helper files to select the appropriate settings for the build
      environment. Selection is made in make_helpers/build_env.mk, which
      selects other files to include using generic build environment settings.
      The Trusted Firmware Makefile and supporting tool Makefiles are updated
      to include build_env.mk instead of unix.mk.
      
      NOTE: This change does not fully enable builds in other build
            environments. It facilitates this without compromising the
            existing build environments.
      
      Change-Id: Ic4064ffe6ce158bbd16d7cc9f27dd4655a3580f6
      e7f54dbd
    • Evan Lloyd's avatar
      Make:Make shell commands more portable · f1477d4a
      Evan Lloyd authored
      Macros are inserted to replace direct invocations of commands that are
      problematic on some build environments. (e.g. Some environments expect
      \ in paths instead of /.)
      The changes take into account mismatched command mappings across
      environments.
      The new helper file unix.mk retains existing makefile behaviour on unix
      like build environments by providing the following macro definitions:
        SHELL_COPY        cp -f
        SHELL_COPY_TREE   cp -rf
        SHELL_DELETE      rm -f
        SHELL_DELETE_ALL  rm -rf
        MAKE_PREREQ_DIR   mkdir -p  (As make target)
        SHELL_REMOVE_DIR  rm -rf
      
      Change-Id: I1b5ca5e1208e78230b15284c4af00c1c006cffcb
      f1477d4a
    • Evan Lloyd's avatar
      Make:Add realclean to .PHONY list · aeb25668
      Evan Lloyd authored
      Update the cert_create Makefile to list realclean as .PHONY
      (like clean)
      
      Change-Id: I9dc8a61a11574a044372e0952b5b12b74e133747
      aeb25668
    • Evan Lloyd's avatar
      Make:Remove calls to shell from makefiles. · 231c1470
      Evan Lloyd authored
      As an initial stage of making Trusted Firmware build environment more
      portable, we remove most uses of the $(shell ) function and replace them
      with more portable make function based solutions.
      
      Note that the setting of BUILD_STRING still uses $(shell ) since it's
      not possible to reimplement this as a make function. Avoiding invocation
      of this on incompatible host platforms will be implemented separately.
      
      Change-Id: I768e2f9a265c78814a4adf2edee4cc46cda0f5b8
      231c1470
  25. 30 Mar, 2016 1 commit
    • Juan Castillo's avatar
      cert_create: add non-volatile counter support · 96103d5a
      Juan Castillo authored
      This patch adds non-volatile counter support to the Certificate
      Generation tool. The TBBR Chain of Trust definition in the tool
      has been extended to include the counters as certificate extensions.
      The counter values can be specified in the command line.
      
      The following default counter values are specified in the build
      system:
      
        * Trusted FW Non-Volatile counter = 0
        * Non-Trusted FW Non-Volatile counter = 0
      
      These values can be overridden by the platform at build time.
      
      Change-Id: I7ea10ee78d72748d181df4ee78a7169b3ef2720c
      96103d5a
  26. 07 Jan, 2016 1 commit
    • Juan Castillo's avatar
      cert_create: update help message · 159807e2
      Juan Castillo authored
      The help message printed by the cert_create tool using the command
      line option -h (or --help) does not correctly list all the available
      command line options.
      
      This patch reworks the print_help() function to print the help
      messages in a data driven approach. For each command line option
      registered, an optional help message can be specified, which will
      be printed by print_help().
      
      Help messages for the TBBR options (certificates, keys and images)
      are also provided.
      
      Fix a small bug in the short options string passed to getopt_long:
      the ':' was missing in the '-a' option (this option must take an
      argument).
      
      Fixes ARM-software/tf-issues#337
      
      Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452
      159807e2
  27. 05 Jan, 2016 1 commit
    • Sandrine Bailleux's avatar
      Always build with '-pedantic' · aa856917
      Sandrine Bailleux authored
      By default ARM TF is built with the '-pedantic' compiler flag, which
      helps detecting violations of the C standard. However, the mbed TLS
      library and its associated authentication module in TF used to fail
      building with this compiler flag. As a workaround, the mbed TLS
      authentication module makefile used to set the 'DISABLE_PEDANTIC'
      TF build flag.
      
      The compiler errors flagged by '-pedantic' in the mbed TLS library
      have been fixed between versions 1.3.9 and 2.2.0 and the library now
      properly builds with this compiler flag.
      
      This patch fixes the remaining compiler errors in the mbed TLS
      authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
      build flag. This means that TF is now always built with '-pedantic'.
      
      In particular, this patch:
      
       * Removes the final semi-colon in REGISTER_COT() macro.
      
         This semi-colon was causing the following error message:
      
         drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
         extra ';' outside of a function [-Werror=pedantic]
      
         This has been fixed both in the mbed TLS authentication module
         as well as in the certificate generation tool. Note that the latter
         code didn't need fixing since it is not built with '-pedantic' but
         the change has been propagated for consistency.
      
         Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
         which were suffering from the same issue.
      
       * Fixes a pointer type.
      
         It was causing the following error message:
      
         drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
         drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
         type 'void *' used in arithmetic [-Werror=pointer-arith]
      
      Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
      aa856917
  28. 14 Dec, 2015 2 commits
    • Juan Castillo's avatar
      Replace all SCP FW (BL0, BL3-0) references · f59821d5
      Juan Castillo authored
      This patch replaces all references to the SCP Firmware (BL0, BL30,
      BL3-0, bl30) with the image terminology detailed in the TF wiki
      (https://github.com/ARM-software/arm-trusted-firmware/wiki):
      
          BL0          -->  SCP_BL1
          BL30, BL3-0  -->  SCP_BL2
          bl30         -->  scp_bl2
      
      This change affects code, documentation, build system, tools and
      platform ports that load SCP firmware. ARM plaforms have been
      updated to the new porting API.
      
      IMPORTANT: build option to specify the SCP FW image has changed:
      
          BL30 --> SCP_BL2
      
      IMPORTANT: This patch breaks compatibility for platforms that use BL2
      to load SCP firmware. Affected platforms must be updated as follows:
      
          BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
          BL30_BASE --> SCP_BL2_BASE
          bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
          bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()
      
      Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
      f59821d5
    • Juan Castillo's avatar
      TBB: apply TBBR naming convention to certificates and extensions · 516beb58
      Juan Castillo authored
      This patch applies the TBBR naming convention to the certificates
      and the corresponding extensions defined by the CoT:
      
          * Certificate UUID names
          * Certificate identifier names
          * OID names
      
      Changes apply to:
      
          * Generic code (variables and defines)
          * The default certificate identifiers provided in the generic
            code
          * Build system
          * ARM platforms port
          * cert_create tool internal definitions
          * fip_create and cert_create tools command line options
          * Documentation
      
      IMPORTANT: this change breaks the compatibility with platforms
      that use TBBR. The platform will need to adapt the identifiers
      and OIDs to the TBBR naming convention introduced by this patch:
      
      Certificate UUIDs:
      
          UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
          UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
          UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
          UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
          UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
          UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
          UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
          UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
          UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT
      
      Certificate identifiers:
      
          BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
          BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
          BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
          BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
          BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
          BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
          BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
          BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
          BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID
      
      OIDs:
      
          TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
          NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
          BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
          TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
          NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
          BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
          BL30_HASH_OID --> SCP_FW_HASH_OID
          BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
          BL31_HASH_OID --> SOC_AP_FW_HASH_OID
          BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
          BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
          BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
          BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
          BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
          SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
          NS_BL2U_HASH_OID --> FWU_HASH_OID
      
      Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
      516beb58
  29. 09 Dec, 2015 1 commit
    • Yatharth Kochar's avatar
      FWU: Add FWU support to `cert_create` tool · cebe1f23
      Yatharth Kochar authored
      Firmware Update requires an X509v3 certificate which contains
      hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.
      
      This patch extends the Chain of Trust definition in the
      'cert_create' tool to include the Firmware Update certificate
      and the required extensions (including command line options).
      A new field in the extension structure will be used to indicate
      that the extension is optional. In the case of an image hash
      extension, this field will tell the tool that the hash should
      be included in the certificate, but filled with zeros.
      
      Change-Id: I1f77a66b018826b71745910771f38d9cf6050388
      cebe1f23
  30. 23 Oct, 2015 2 commits
    • Juan Castillo's avatar
      cert_create: specify command line options in the CoT · ad2c1a9a
      Juan Castillo authored
      This patch introduces a new API that allows to specify command
      line options in the Chain of Trust description. These command line
      options may be used to specify parameters related to the CoT (i.e.
      keys or certificates), instead of keeping a hardcoded list of
      options in main.c.
      
      Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
      ad2c1a9a
    • Juan Castillo's avatar
      cert_create: improve command line argument check · dfc90e26
      Juan Castillo authored
      The certificate generation tool currently checks if all command
      line options required to create all certificates in the CoT have
      been specified. This prevents using the tool to create individual
      certificates when the whole CoT is not required.
      
      This patch improves the checking function so only those options
      required by the certificates specified in the command line are
      verified.
      
      Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
      dfc90e26
  31. 16 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: rework cert_create tool to follow a data driven approach · 55e291a4
      Juan Castillo authored
      This patch reworks the certificate generation tool to follow a data
      driven approach. The user may specify at build time the certificates,
      keys and extensions defined in the CoT, register them using the
      appropiate macros and the tool will take care of creating the
      certificates corresponding to the CoT specified.
      
      Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
      55e291a4
  32. 01 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: build 'cert_create' with ECDSA only if OpenSSL supports it · ed2a76ea
      Juan Castillo authored
      Some Linux distributions include an OpenSSL library which has been
      built without ECDSA support. Trying to build the certificate
      generation tool on those distributions will result in a build error.
      
      This patch fixes that issue by including ECDSA support only if
      OpenSSL has been built with ECDSA. In that case, the OpenSSL
      configuration file does not define the OPENSSL_NO_EC macro. The tool
      will build successfully, although the resulting binary will not
      support ECDSA keys.
      
      Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
      ed2a76ea