| #
bb41eb7a |
| 22-May-2017 |
Masahiro Yamada <yamada.masahiro@socionext.com> |
cert: move platform_oid.h to include/tools_share for all platforms
Platforms aligned with TBBR are supposed to use their own OIDs, but defining the same macros with different OIDs does not provide any value (at least technically).
For easier use of TBBR, this commit allows platforms to reuse the OIDs obtained by ARM Ltd. This will be useful for non-ARM vendors that do not need their own extension fields in their certificate files.
The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h
Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by defining USE_TBBR_DEFS as 1. USE_TBBR_DEFS is 0 by default to keep the backward compatibility.
For clarification, I inserted a blank line between headers from the include/ directory (#include <...>) and ones from a local directory (#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
|
| #
f132b4a0 |
| 04-May-2017 |
davidcunado-arm <david.cunado@arm.com> |
Merge pull request #925 from dp-arm/dp/spdx
Use SPDX license identifiers
|
| #
82cb2c1a |
| 03-May-2017 |
dp-arm <dimitris.papastamos@arm.com> |
Use SPDX license identifiers
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
|
| #
91e8ae66 |
| 07-Apr-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #578 from EvanLloyd/ejll/woa_make2
Make improvements for host environment portability
|
| #
42a45b51 |
| 03-Dec-2015 |
Evan Lloyd <evan.lloyd@arm.com> |
Make:Allow for extension in tool names.
In some build environments executable programs have a specific file extension. The value of BIN_EXT is appended to the relevant tool file names to allow for this. The value of BIN_EXT is set, where appropriate, by the build environment specific make helper (to .exe for Windows build environments).
.gitignore is updated to hide the new (.exe) files.
Change-Id: Icc32f64b750e425265075ad4e0dea18129640b86
|
| #
e7f54dbd |
| 02-Dec-2015 |
Evan Lloyd <evan.lloyd@arm.com> |
Make:Use environment variables for OS detection.
Add make helper files to select the appropriate settings for the build environment. Selection is made in make_helpers/build_env.mk, which selects other files to include using generic build environment settings. The Trusted Firmware Makefile and supporting tool Makefiles are updated to include build_env.mk instead of unix.mk.
NOTE: This change does not fully enable builds in other build environments. It facilitates this without compromising the existing build environments.
Change-Id: Ic4064ffe6ce158bbd16d7cc9f27dd4655a3580f6
|
| #
f1477d4a |
| 02-Dec-2015 |
Evan Lloyd <evan.lloyd@arm.com> |
Make:Make shell commands more portable
Macros are inserted to replace direct invocations of commands that are problematic on some build environments. (e.g. Some environments expect \ in paths instead of /.) The changes take into account mismatched command mappings across environments. The new helper file unix.mk retains existing makefile behaviour on unix like build environments by providing the following macro definitions:
  SHELL_COPY cp -f
  SHELL_COPY_TREE cp -rf
  SHELL_DELETE rm -f
  SHELL_DELETE_ALL rm -rf
  MAKE_PREREQ_DIR mkdir -p (As make target)
  SHELL_REMOVE_DIR rm -rf
Change-Id: I1b5ca5e1208e78230b15284c4af00c1c006cffcb
|
| #
aeb25668 |
| 02-Dec-2015 |
Evan Lloyd <evan.lloyd@arm.com> |
Make:Add realclean to .PHONY list
Update the cert_create Makefile to list realclean as .PHONY (like clean)
Change-Id: I9dc8a61a11574a044372e0952b5b12b74e133747
|
| #
231c1470 |
| 02-Dec-2015 |
Evan Lloyd <evan.lloyd@arm.com> |
Make:Remove calls to shell from makefiles.
As an initial stage of making Trusted Firmware build environment more portable, we remove most uses of the $(shell ) function and replace them with more portable make function based solutions.
Note that the setting of BUILD_STRING still uses $(shell ) since it's not possible to reimplement this as a make function. Avoiding invocation of this on incompatible host platforms will be implemented separately.
Change-Id: I768e2f9a265c78814a4adf2edee4cc46cda0f5b8
|
| #
8d91ecfe |
| 26-Oct-2015 |
danh-arm <dan.handley@arm.com> |
Merge pull request #413 from jcastillo-arm/jc/tbb_cert_opt
Certificate create tool flexibility improvements
|
| #
ad2c1a9a |
| 03-Jul-2015 |
Juan Castillo <juan.castillo@arm.com> |
cert_create: specify command line options in the CoT
This patch introduces a new API that allows specifying command line options in the Chain of Trust description. These command line options may be used to specify parameters related to the CoT (i.e. keys or certificates), instead of keeping a hardcoded list of options in main.c.
Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
|
| #
3747e291 |
| 04-Aug-2015 |
danh-arm <dan.handley@arm.com> |
Merge pull request #349 from jcastillo-arm/jc/tbb_cert_opt
TBB: rework cert_create tool to follow a data driven approach
|
| #
55e291a4 |
| 12-Jun-2015 |
Juan Castillo <juan.castillo@arm.com> |
TBB: rework cert_create tool to follow a data driven approach
This patch reworks the certificate generation tool to follow a data driven approach. The user may specify at build time the certificates, keys and extensions defined in the CoT, register them using the appropriate macros and the tool will take care of creating the certificates corresponding to the CoT specified.
Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
|
| #
84f95bed |
| 25-Jun-2015 |
danh-arm <dan.handley@arm.com> |
Merge pull request #315 from jcastillo-arm/jc/tbb_tmp9
Authentication Framework
|
| #
ccbf890e |
| 01-Jun-2015 |
Juan Castillo <juan.castillo@arm.com> |
TBB: add ECDSA support to the certificate generation tool
This patch extends the 'cert_create' tool to support ECDSA keys to sign the certificates. The '--key-alg' command line option can be used to specify the key algorithm when invoking the tool. Available options are:
* 'rsa': create RSA-2048 keys (default option)
* 'ecdsa': create ECDSA-SECP256R1 keys
The TF Makefile has been updated to allow the platform to specify the key algorithm by declaring the 'KEY_ALG' variable in the platform makefile.
The behaviour regarding key management has changed. After applying this patch, the tool will try first to open the keys from disk. If one key does not exist or no key is specified, and the command line option to create keys has been specified, new keys will be created. Otherwise an error will be generated and the tool will exit. This way, the user may specify certain keys while the tool will create the remaining ones. This feature is useful for testing purposes and CI infrastructures.
The OpenSSL directory may be specified using the build option 'OPENSSL_DIR' when building the certificate generation tool. Default is '/usr'.
Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
|
| #
4731e8f0 |
| 29-Apr-2015 |
danh-arm <dan.handley@arm.com> |
Merge pull request #295 from danh-arm/dh/plat-port-reorg
ARM platform port reorganization
|
| #
c04d2606 |
| 27-Mar-2015 |
Dan Handley <dan.handley@arm.com> |
Allow deeper platform port directory structure
Update the top level makefile to allow platform ports to exist in subdirectories at any level instead of one level under `plat/`. The makefile recursively searches for all files called `platform.mk` in all subdirectories of `plat/`. The directory containing `platform.mk` is the platform name. Platform names must be unique across the codebase.
Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since these are both used to report the same information back to the user.
Update the TSP and cert_create tool makefiles in a similar way to support a deeper platform port directory structure.
Also add PLAT_<plat_name> as a define passed through the top level makefile to the source files, to allow build time variation in common platform code.
Change-Id: I213420164808c5ddb99a26144e8e3f141a7417b7
|
| #
2d017e22 |
| 28-Jan-2015 |
danh-arm <dan.handley@arm.com> |
Merge pull request #249 from danh-arm/jc/tbb_prototype
Trusted Board Boot Prototype
|
| #
6f971622 |
| 21-Oct-2014 |
Juan Castillo <juan.castillo@arm.com> |
TBB: add tool to generate certificates
This patch adds a tool that generates all the necessary elements to establish the chain of trust (CoT) between the images.
The tool reads the binary images and signing keys and outputs the corresponding certificates that will be used by the target at run time to verify the authenticity of the images.
Note: the platform port must provide the file platform_oid.h. This file will define the OIDs of the x509 extensions that will be added to the certificates in order to establish the CoT.
Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
|