Merge changes from topic "xl/separate-bl2" into integration

* changes:
feat(fwu): documentation for BL2 separation
feat(fwu): separate bl2 image from rest of the FIP
feat(fwu): create flag for

Merge changes from topic "xl/separate-bl2" into integration

* changes:
feat(fwu): documentation for BL2 separation
feat(fwu): separate bl2 image from rest of the FIP
feat(fwu): create flag for BL2 separation

show more ...

feat(fwu): separate bl2 image from rest of the FIP

Create a separate partition for BL2 image in the GPT.
Modify the makefile to package BL2 image and its certificates
into a different FIP image.

Ch

feat(fwu): separate bl2 image from rest of the FIP

Create a separate partition for BL2 image in the GPT.
Modify the makefile to package BL2 image and its certificates
into a different FIP image.

Change-Id: I950883ea0c393a2a063ad9e51bb963cbac742705
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

Merge changes from topic "fw_config_handoff" into integration

* changes:
doc: Update memory layout for firmware configuration area
plat/arm: Increase size of firmware configuration area
plat/a

Merge changes from topic "fw_config_handoff" into integration

* changes:
doc: Update memory layout for firmware configuration area
plat/arm: Increase size of firmware configuration area
plat/arm: Load and populate fw_config and tb_fw_config
fconf: Handle error from fconf_load_config
plat/arm: Update the fw_config load call and populate it's information
fconf: Allow fconf to load additional firmware configuration
fconf: Clean confused naming between TB_FW and FW_CONFIG
tbbr/dualroot: Add fw_config image in chain of trust
cert_tool: Update cert_tool for fw_config image support
fiptool: Add fw_config in FIP
plat/arm: Rentroduce tb_fw_config device tree

show more ...

cert_tool: Update cert_tool for fw_config image support

Updated cert_tool to add hash information of fw_config image into
the existing "trusted boot fw" certificate.

Signed-off-by: Manish V Badarkh

cert_tool: Update cert_tool for fw_config image support

Updated cert_tool to add hash information of fw_config image into
the existing "trusted boot fw" certificate.

Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I720319225925806a2a9f50a1ac9c8a464be975f0

show more ...

Merge changes I1b9e3ebd,I451c0333 into integration

* changes:
tbbr: add chain of trust for Secure Partitions
cert_create: extend Secure partition support for tbbr CoT

cert_create: extend Secure partition support for tbbr CoT

with sha 0792dd7, support to generate certificate for Secure
Partitions was added for dualroot CoT only, this patch extends
this support for

cert_create: extend Secure partition support for tbbr CoT

with sha 0792dd7, support to generate certificate for Secure
Partitions was added for dualroot CoT only, this patch extends
this support for tbbr CoT.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f

show more ...

Merge pull request #1879 from pbeesley-arm/pb/todo-removal

Pb/todo removal

tools: Remove unused cert_create defines

Change-Id: Iea72ef9ba16325cbce07eea1a975d2a96eede274
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Merge pull request #1386 from soby-mathew/sm/dyn_bl31

Extend dynamic configuration

Dynamic cfg: Enable support on CoT for other configs

This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
neces

Dynamic cfg: Enable support on CoT for other configs

This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
necessary cert tool support and changes to default chain of trust are made
for these configs.

Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

show more ...

Merge pull request #1263 from soby-mathew/sm/dyn_config

Dynamic Configuration Prototype

Dynamic cfg: Update the tools

This patch updates the `fiptool` and `cert_create` for the
`hw_config` and `tb_fw_config` dynamic configuration files.
The necessary UUIDs and OIDs are assigned to thes

Dynamic cfg: Update the tools

This patch updates the `fiptool` and `cert_create` for the
`hw_config` and `tb_fw_config` dynamic configuration files.
The necessary UUIDs and OIDs are assigned to these files and
the `cert_create` is updated to generate appropriate hashes
and include them in the "Trusted Boot FW Certificate". The
`fiptool` is updated to allow the configs to be specified
via cmdline and included in the generated FIP.

Change-Id: I940e751a49621ae681d14e162aa1f5697eb0cb15
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

show more ...

Merge pull request #1040 from sliai/support-opteed-header

Support opteed header

Support Trusted OS firmware extra images in TF tools

Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add

Support Trusted OS firmware extra images in TF tools

Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.

Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>

show more ...

Merge pull request #938 from masahir0y/tools_share

Collect headers shared between TF and host-tools into include/tools_share

cert: move platform_oid.h to include/tools_share for all platforms

Platforms aligned with TBBR are supposed to use their own OIDs, but
defining the same macros with different OIDs does not provide a

cert: move platform_oid.h to include/tools_share for all platforms

Platforms aligned with TBBR are supposed to use their own OIDs, but
defining the same macros with different OIDs does not provide any
value (at least technically).

For easier use of TBBR, this commit allows platforms to reuse the OIDs
obtained by ARM Ltd. This will be useful for non-ARM vendors that
do not need their own extension fields in their certificate files.

The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h

Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
defining USE_TBBR_DEFS as 1. USE_TBBR_DEFS is 0 by default to keep the
backward compatibility.

For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

show more ...

Merge pull request #925 from dp-arm/dp/spdx

Use SPDX license identifiers

Use SPDX license identifiers

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by

Use SPDX license identifiers

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/

Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

show more ...

Merge pull request #572 from jcastillo-arm/jc/tbb_nvcounter

TBB NVcounter support

cert_create: add non-volatile counter support

This patch adds non-volatile counter support to the Certificate
Generation tool. The TBBR Chain of Trust definition in the tool
has been extended to inc

cert_create: add non-volatile counter support

This patch adds non-volatile counter support to the Certificate
Generation tool. The TBBR Chain of Trust definition in the tool
has been extended to include the counters as certificate extensions.
The counter values can be specified in the command line.

The following default counter values are specified in the build
system:

* Trusted FW Non-Volatile counter = 0
* Non-Trusted FW Non-Volatile counter = 0

These values can be overridden by the platform at build time.

Change-Id: I7ea10ee78d72748d181df4ee78a7169b3ef2720c

show more ...

Merge pull request #484 from jcastillo-arm/jc/tf-issues/337

cert_create: update help message

cert_create: update help message

The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.

This p

cert_create: update help message

The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.

This patch reworks the print_help() function to print the help
messages in a data driven approach. For each command line option
registered, an optional help message can be specified, which will
be printed by print_help().

Help messages for the TBBR options (certificates, keys and images)
are also provided.

Fix a small bug in the short options string passed to getopt_long:
the ':' was missing in the '-a' option (this option must take an
argument).

Fixes ARM-software/tf-issues#337

Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452

show more ...

Merge pull request #467 from jcastillo-arm/jc/tbb_oid

Apply new image terminology

TBB: apply TBBR naming convention to certificates and extensions

This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

* Certifi

TBB: apply TBBR naming convention to certificates and extensions

This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

* Certificate UUID names
* Certificate identifier names
* OID names

Changes apply to:

* Generic code (variables and defines)
* The default certificate identifiers provided in the generic
code
* Build system
* ARM platforms port
* cert_create tool internal definitions
* fip_create and cert_create tools command line options
* Documentation

IMPORTANT: this change breaks the compatibility with platforms
that use TBBR. The platform will need to adapt the identifiers
and OIDs to the TBBR naming convention introduced by this patch:

Certificate UUIDs:

UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT

Certificate identifiers:

BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID

OIDs:

TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
BL30_HASH_OID --> SCP_FW_HASH_OID
BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
BL31_HASH_OID --> SOC_AP_FW_HASH_OID
BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
NS_BL2U_HASH_OID --> FWU_HASH_OID

Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079

show more ...

Merge pull request #453 from yatharth-arm/yk/fwu-6

Firmware Update patch stack