Add cert_create tool support for RSA key sizes

cert_tool is now able to accept a command line option for specifying the
key size. It now supports the following options: 1024, 2048 (default),
3072 an

Add cert_create tool support for RSA key sizes

cert_tool is now able to accept a command line option for specifying the
key size. It now supports the following options: 1024, 2048 (default),
3072 and 4096. This is also modifiable by TFA using the build flag
KEY_SIZE.

Change-Id: Ifadecf84ade3763249ee8cc7123a8178f606f0e5
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

show more ...

Merge pull request #1224 from masahir0y/gzip

Support GZIP-compressed images for faster loading and verification

Build: remove third argument of CERT_ADD_CMD_OPT

The third argument was given "true" by images, but it was moved
to TOOL_ADD_PAYLOAD. No more caller of CERT_ADD_CMD_OPT uses this.
So, the third arg

Build: remove third argument of CERT_ADD_CMD_OPT

The third argument was given "true" by images, but it was moved
to TOOL_ADD_PAYLOAD. No more caller of CERT_ADD_CMD_OPT uses this.
So, the third argument is always empty. Remove it.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

show more ...

Build: rename FIP_ADD_PAYLOAD to TOOL_ADD_PAYLOAD

Now FIP_ADD_PAYLOAD takes care of both fiptool and cert_create
symmetrically. Rename it so that it matches the behavior.

Signed-off-by: Masahiro Y

Build: rename FIP_ADD_PAYLOAD to TOOL_ADD_PAYLOAD

Now FIP_ADD_PAYLOAD takes care of both fiptool and cert_create
symmetrically. Rename it so that it matches the behavior.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

show more ...

Build: move cert_create arguments and dependency to FIP_ADD_PAYLOAD

The fiptool and cert_create use the same command options for images.
It is pretty easy to handle both in the same, symmetrical way

Build: move cert_create arguments and dependency to FIP_ADD_PAYLOAD

The fiptool and cert_create use the same command options for images.
It is pretty easy to handle both in the same, symmetrical way.

Move CRT_ARGS and CRT_DEPS to FIP_ADD_PAYLOAD. This refactoring makes
sense because FIP_ADD_PAYLOAD is called from MAKE_BL (when building
images from source), and from FIP_ADD_IMG (when including external
images). (FIP_ADD_PAYLOAD will be renamed later on since it now
caters to both fiptool and cert_create).

We can delete CERT_ADD_CMD_OPT for images in tbbr.mk. It still
needs to call CERT_ADD_CMD_OPT directly for certificates.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

show more ...

Build: merge build macros between FIP_ and FWU_FIP_

The build system supports generating two FIP images, fip and fwu_fip.
Accordingly, we have similar build macros.

FIP_ADD_PAYLOAD <--> FWU_F

Build: merge build macros between FIP_ and FWU_FIP_

The build system supports generating two FIP images, fip and fwu_fip.
Accordingly, we have similar build macros.

FIP_ADD_PAYLOAD <--> FWU_FIP_ADD_PAYLOAD
CERT_ADD_CMD_OPT <--> FWU_CERT_ADD_CMD_OPT
FIP_ADD_IMG <--> FWU_FIP_ADD_IMG

The duplicated code increases the maintenance burden. Also, the build
rule of BL2U looks clumsy - we want to call MAKE_BL to compile it from
source files, but we want to put it in fwu_fip. We can not do it in a
single macro call since the current MAKE_BL does not support fwu_fip.

To refactor those in a clean way is to support one more argument to
specify the FIP prefix. If it is empty, the images are targeted to
fip, whereas if the argument is "FWU_", targeted to fwu_fip.

The build macros prefixed with FWU_ go away.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

show more ...

Merge pull request #1200 from robertovargas-arm/bl2-el3

Add BL2_AT_EL3 build option

bl2-el3: Don't include BL2 in fip for BL2 at EL3

It is better to not include BL2 in FIP when using `BL2 at EL3` as
platforms using this config would not have the capability to parse the
FIP format i

bl2-el3: Don't include BL2 in fip for BL2 at EL3

It is better to not include BL2 in FIP when using `BL2 at EL3` as
platforms using this config would not have the capability to parse the
FIP format in Boot ROM and BL2 needs to be loaded independently. This
patch does the required changes for the same.

Change-Id: Iad285c247b3440e2d827fef97c3dd81f5c09cabc
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

show more ...

Merge pull request #1175 from soby-mathew/sm/juno-a32-bl32-changes

Fix issues for AArch32 builds on ARM platforms

ARM platforms: Fixup AArch32 builds

This patch fixes a couple of issues for AArch32 builds on ARM reference
platforms :

1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and

ARM platforms: Fixup AArch32 builds

This patch fixes a couple of issues for AArch32 builds on ARM reference
platforms :

1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
the BL31 memory is empty when built for AArch32. Hence this patch allocates
BL32 to the memory region occupied by BL31 for AArch32 builds.

As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
be used to control the load address of BL32 in AArch32 mode which was
never the intention of the macro anyway.

2. A static assert is added to sp_min linker script to check that the progbits
are within the bounds expected when overlaid with other images.

3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
involved when building Juno for AArch32 mode, the build option SPD needed to
specifed. This patch corrects this and also updates the documentation in the
user-guide.

4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
a result the previous assumption that BL31 must be always present is removed
and the certificates for BL31 is only generated if `NEED_BL31` is defined.

Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

show more ...

Merge pull request #1165 from geesun/qx/support-sha512

Add support sha512 for hash algorithm

tbbr: Add build flag HASH_ALG to let the user to select the SHA

The flag support the following values:
- sha256 (default)
- sha384
- sha512

Change-Id: I7a49d858c361e993949cf6ada0a86575c

tbbr: Add build flag HASH_ALG to let the user to select the SHA

The flag support the following values:
- sha256 (default)
- sha384
- sha512

Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

show more ...

Merge pull request #1040 from sliai/support-opteed-header

Support opteed header

Support Trusted OS firmware extra images in TF tools

Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add

Support Trusted OS firmware extra images in TF tools

Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.

Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>

show more ...

Merge pull request #939 from dp-arm/dp/AArch32_tbbr

Add TBBR and FWU support for AArch32

AArch32: Add `TRUSTED_BOARD_BOOT` support

This patch adds `TRUSTED_BOARD_BOOT` support for AArch32 mode.

To build this patch the "mbedtls/include/mbedtls/bignum.h"
needs to be modified to remove `#

AArch32: Add `TRUSTED_BOARD_BOOT` support

This patch adds `TRUSTED_BOARD_BOOT` support for AArch32 mode.

To build this patch the "mbedtls/include/mbedtls/bignum.h"
needs to be modified to remove `#define MBEDTLS_HAVE_UDBL`
when `MBEDTLS_HAVE_INT32` is defined. This is a workaround
for "https://github.com/ARMmbed/mbedtls/issues/708"

NOTE: TBBR support on Juno AArch32 is not currently supported.

Change-Id: I86d80e30b9139adc4d9663f112801ece42deafcf
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>

show more ...

Merge pull request #925 from dp-arm/dp/spdx

Use SPDX license identifiers

Use SPDX license identifiers

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by

Use SPDX license identifiers

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/

Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

show more ...

Merge pull request #661 from dp-arm/master

Replace fip_create with fiptool

Replace fip_create with fiptool

fiptool provides a more consistent and intuitive interface compared to
the fip_create program. It serves as a better base to build on more
features in the future.

f

Replace fip_create with fiptool

fiptool provides a more consistent and intuitive interface compared to
the fip_create program. It serves as a better base to build on more
features in the future.

fiptool supports various subcommands. Below are the currently
supported subcommands:

1) info - List the images contained in a FIP file.
2) create - Create a new FIP file with the given images.
3) update - Update an existing FIP with the given images.
4) unpack - Extract a selected set or all the images from a FIP file.
5) remove - Remove images from a FIP file. This is a new command that
was not present in fip_create.

To create a new FIP file, replace "fip_create" with "fiptool create".

To update a FIP file, replace "fip_create" with "fiptool update".

To dump the contents of a FIP file, replace "fip_create --dump" with
"fiptool info".

A compatibility script that emulates the basic functionality of
fip_create is provided. Existing scripts might or might not work with
the compatibility script. Users are strongly encouraged to migrate to
fiptool.

Fixes ARM-Software/tf-issues#87
Fixes ARM-Software/tf-issues#108
Fixes ARM-Software/tf-issues#361

Change-Id: I7ee4da7ac60179cc83cf46af890fd8bc61a53330

show more ...

Merge pull request #572 from jcastillo-arm/jc/tbb_nvcounter

TBB NVcounter support

cert_create: add non-volatile counter support

This patch adds non-volatile counter support to the Certificate
Generation tool. The TBBR Chain of Trust definition in the tool
has been extended to inc

cert_create: add non-volatile counter support

This patch adds non-volatile counter support to the Certificate
Generation tool. The TBBR Chain of Trust definition in the tool
has been extended to include the counters as certificate extensions.
The counter values can be specified in the command line.

The following default counter values are specified in the build
system:

* Trusted FW Non-Volatile counter = 0
* Non-Trusted FW Non-Volatile counter = 0

These values can be overridden by the platform at build time.

Change-Id: I7ea10ee78d72748d181df4ee78a7169b3ef2720c

show more ...

Merge pull request #467 from jcastillo-arm/jc/tbb_oid

Apply new image terminology

Remove dashes from image names: 'BL3-x' --> 'BL3x'

This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

https://github.c

Remove dashes from image names: 'BL3-x' --> 'BL3x'

This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

https://github.com/ARM-software/arm-trusted-firmware/wiki

Changes apply to output messages, comments and documentation.

non-ARM platform files have been left unmodified.

Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76

show more ...

Replace all SCP FW (BL0, BL3-0) references

This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-

Replace all SCP FW (BL0, BL3-0) references

This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):

BL0 --> SCP_BL1
BL30, BL3-0 --> SCP_BL2
bl30 --> scp_bl2

This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.

IMPORTANT: build option to specify the SCP FW image has changed:

BL30 --> SCP_BL2

IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:

BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
BL30_BASE --> SCP_BL2_BASE
bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()

Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58

show more ...