Lines Matching refs:the
4 Trusted Board Boot primarily consists of the following two features:
12 #. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser
13 modules by checking out a recent version of the `mbed TLS Repository`_. It
16 information. See the :ref:`Prerequisites` document for the appropriate
19 The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS
20 source files the modules depend upon.
21 ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration
22 options required to build the mbed TLS sources.
24 Note that the mbed TLS library is licensed under the Apache version 2.0
25 license. Using mbed TLS source code will affect the licensing of TF-A
28 #. To build the FIP image, ensure the following command line variables are set
31 - ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>``
35 By default, this will use the Chain of Trust described in the TBBR-client
36 document. To select a different one, use the ``COT`` build option.
38 If using a custom build of OpenSSL, set the ``OPENSSL_DIR`` variable
39 accordingly so it points at the OpenSSL installation path, as explained in
40 :ref:`Build Options`. In addition, set the ``LD_LIBRARY_PATH`` variable
41 when running to point at the custom OpenSSL path, so the OpenSSL libraries
42 are loaded from that path instead of the default OS path. Export this
45 In the case of Arm platforms, the location of the ROTPK must also be
49 - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
50 root-key storage registers present in the platform. On Juno, these
51 registers are read-only. On FVP Base and Cortex models, the registers
52 are also read-only, but the value can be specified using the command line
53 option ``bp.trusted_key_storage.public_key`` when launching the model.
54 On the Juno board, the default value corresponds to an ECDSA-SECP256R1 public
57 - ``ARM_ROTPK_LOCATION=devel_rsa``: the ROTPK is a hash of the
58 RSA public key corresponding to the private key specified by
59 ``ROT_KEY``. If ``ROT_KEY`` is not specified, the private key is
60 the development key ``plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem``.
65 - ``ARM_ROTPK_LOCATION=devel_ecdsa``: the ROTPK is a hash of the
66 ECDSA public key corresponding to the private key specified by
67 ``ROT_KEY``. If ``ROT_KEY`` is not specified, the private key is
68 the development key ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem`` by default,
73 - ``ARM_ROTPK_LOCATION=devel_full_dev_rsa_key``: the ROTPK is an unhashed
74 RSA public key corresponding to the private key specified by ``ROT_KEY``.
75 If ``ROT_KEY`` is not specified, the private key is the development key
79 - ``ARM_ROTPK_LOCATION=devel_full_dev_ecdsa_key``: the ROTPK is an unhashed
80 RSA public key corresponding to the private key specified by ``ROT_KEY``.
81 If ``ROT_KEY`` is not specified, the private key is the development key
90 MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
97 The result of this build will be the bl1.bin and the fip.bin binaries. This
98 FIP will include the certificates corresponding to the selected Chain of
99 Trust. These certificates can also be found in the output build directory.
102 Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
103 FWU_FIP, any FWU images required by the platform must be specified on the
114 MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
125 The BL2U image will be built by default and added to the FWU_FIP.
127 to the command line above.
130 Building and installing the non-secure and SCP FWU images (NS_BL1U,
131 NS_BL2U and SCP_BL2U) is outside the scope of this document.
134 Both the FIP and FWU_FIP will include the certificates corresponding to the
135 selected Chain of Trust. These certificates can also be found in the output