1*43f35ef5SPaul BeesleyBuilding FIP images with support for Trusted Board Boot 2*43f35ef5SPaul Beesley======================================================= 3*43f35ef5SPaul Beesley 4*43f35ef5SPaul BeesleyTrusted Board Boot primarily consists of the following two features: 5*43f35ef5SPaul Beesley 6*43f35ef5SPaul Beesley- Image Authentication, described in :ref:`Trusted Board Boot`, and 7*43f35ef5SPaul Beesley- Firmware Update, described in :ref:`Firmware Update (FWU)` 8*43f35ef5SPaul Beesley 9*43f35ef5SPaul BeesleyThe following steps should be followed to build FIP and (optionally) FWU_FIP 10*43f35ef5SPaul Beesleyimages with support for these features: 11*43f35ef5SPaul Beesley 12*43f35ef5SPaul Beesley#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser 13*43f35ef5SPaul Beesley modules by checking out a recent version of the `mbed TLS Repository`_. It 14*43f35ef5SPaul Beesley is important to use a version that is compatible with TF-A and fixes any 15*43f35ef5SPaul Beesley known security vulnerabilities. See `mbed TLS Security Center`_ for more 16*43f35ef5SPaul Beesley information. See the :ref:`Prerequisites` document for the appropriate 17*43f35ef5SPaul Beesley version of mbed TLS to use. 18*43f35ef5SPaul Beesley 19*43f35ef5SPaul Beesley The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS 20*43f35ef5SPaul Beesley source files the modules depend upon. 21*43f35ef5SPaul Beesley ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration 22*43f35ef5SPaul Beesley options required to build the mbed TLS sources. 23*43f35ef5SPaul Beesley 24*43f35ef5SPaul Beesley Note that the mbed TLS library is licensed under the Apache version 2.0 25*43f35ef5SPaul Beesley license. Using mbed TLS source code will affect the licensing of TF-A 26*43f35ef5SPaul Beesley binaries that are built using this library. 27*43f35ef5SPaul Beesley 28*43f35ef5SPaul Beesley#. To build the FIP image, ensure the following command line variables are set 29*43f35ef5SPaul Beesley while invoking ``make`` to build TF-A: 30*43f35ef5SPaul Beesley 31*43f35ef5SPaul Beesley - ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>`` 32*43f35ef5SPaul Beesley - ``TRUSTED_BOARD_BOOT=1`` 33*43f35ef5SPaul Beesley - ``GENERATE_COT=1`` 34*43f35ef5SPaul Beesley 35*43f35ef5SPaul Beesley In the case of Arm platforms, the location of the ROTPK hash must also be 36*43f35ef5SPaul Beesley specified at build time. Two locations are currently supported (see 37*43f35ef5SPaul Beesley ``ARM_ROTPK_LOCATION`` build option): 38*43f35ef5SPaul Beesley 39*43f35ef5SPaul Beesley - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted 40*43f35ef5SPaul Beesley root-key storage registers present in the platform. On Juno, this 41*43f35ef5SPaul Beesley registers are read-only. On FVP Base and Cortex models, the registers 42*43f35ef5SPaul Beesley are read-only, but the value can be specified using the command line 43*43f35ef5SPaul Beesley option ``bp.trusted_key_storage.public_key`` when launching the model. 44*43f35ef5SPaul Beesley On both Juno and FVP models, the default value corresponds to an 45*43f35ef5SPaul Beesley ECDSA-SECP256R1 public key hash, whose private part is not currently 46*43f35ef5SPaul Beesley available. 47*43f35ef5SPaul Beesley 48*43f35ef5SPaul Beesley - ``ARM_ROTPK_LOCATION=devel_rsa``: use the ROTPK hash that is hardcoded 49*43f35ef5SPaul Beesley in the Arm platform port. The private/public RSA key pair may be 50*43f35ef5SPaul Beesley found in ``plat/arm/board/common/rotpk``. 51*43f35ef5SPaul Beesley 52*43f35ef5SPaul Beesley - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the ROTPK hash that is hardcoded 53*43f35ef5SPaul Beesley in the Arm platform port. The private/public ECDSA key pair may be 54*43f35ef5SPaul Beesley found in ``plat/arm/board/common/rotpk``. 55*43f35ef5SPaul Beesley 56*43f35ef5SPaul Beesley Example of command line using RSA development keys: 57*43f35ef5SPaul Beesley 58*43f35ef5SPaul Beesley .. code:: shell 59*43f35ef5SPaul Beesley 60*43f35ef5SPaul Beesley MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \ 61*43f35ef5SPaul Beesley make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ 62*43f35ef5SPaul Beesley ARM_ROTPK_LOCATION=devel_rsa \ 63*43f35ef5SPaul Beesley ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ 64*43f35ef5SPaul Beesley BL33=<path-to>/<bl33_image> \ 65*43f35ef5SPaul Beesley all fip 66*43f35ef5SPaul Beesley 67*43f35ef5SPaul Beesley The result of this build will be the bl1.bin and the fip.bin binaries. This 68*43f35ef5SPaul Beesley FIP will include the certificates corresponding to the Chain of Trust 69*43f35ef5SPaul Beesley described in the TBBR-client document. These certificates can also be found 70*43f35ef5SPaul Beesley in the output build directory. 71*43f35ef5SPaul Beesley 72*43f35ef5SPaul Beesley#. The optional FWU_FIP contains any additional images to be loaded from 73*43f35ef5SPaul Beesley Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the 74*43f35ef5SPaul Beesley FWU_FIP, any FWU images required by the platform must be specified on the 75*43f35ef5SPaul Beesley command line. On Arm development platforms like Juno, these are: 76*43f35ef5SPaul Beesley 77*43f35ef5SPaul Beesley - NS_BL2U. The AP non-secure Firmware Updater image. 78*43f35ef5SPaul Beesley - SCP_BL2U. The SCP Firmware Update Configuration image. 79*43f35ef5SPaul Beesley 80*43f35ef5SPaul Beesley Example of Juno command line for generating both ``fwu`` and ``fwu_fip`` 81*43f35ef5SPaul Beesley targets using RSA development: 82*43f35ef5SPaul Beesley 83*43f35ef5SPaul Beesley :: 84*43f35ef5SPaul Beesley 85*43f35ef5SPaul Beesley MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \ 86*43f35ef5SPaul Beesley make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ 87*43f35ef5SPaul Beesley ARM_ROTPK_LOCATION=devel_rsa \ 88*43f35ef5SPaul Beesley ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ 89*43f35ef5SPaul Beesley BL33=<path-to>/<bl33_image> \ 90*43f35ef5SPaul Beesley SCP_BL2=<path-to>/<scp_bl2_image> \ 91*43f35ef5SPaul Beesley SCP_BL2U=<path-to>/<scp_bl2u_image> \ 92*43f35ef5SPaul Beesley NS_BL2U=<path-to>/<ns_bl2u_image> \ 93*43f35ef5SPaul Beesley all fip fwu_fip 94*43f35ef5SPaul Beesley 95*43f35ef5SPaul Beesley .. note:: 96*43f35ef5SPaul Beesley The BL2U image will be built by default and added to the FWU_FIP. 97*43f35ef5SPaul Beesley The user may override this by adding ``BL2U=<path-to>/<bl2u_image>`` 98*43f35ef5SPaul Beesley to the command line above. 99*43f35ef5SPaul Beesley 100*43f35ef5SPaul Beesley .. note:: 101*43f35ef5SPaul Beesley Building and installing the non-secure and SCP FWU images (NS_BL1U, 102*43f35ef5SPaul Beesley NS_BL2U and SCP_BL2U) is outside the scope of this document. 103*43f35ef5SPaul Beesley 104*43f35ef5SPaul Beesley The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries. 105*43f35ef5SPaul Beesley Both the FIP and FWU_FIP will include the certificates corresponding to the 106*43f35ef5SPaul Beesley Chain of Trust described in the TBBR-client document. These certificates 107*43f35ef5SPaul Beesley can also be found in the output build directory. 108*43f35ef5SPaul Beesley 109*43f35ef5SPaul Beesley-------------- 110*43f35ef5SPaul Beesley 111*43f35ef5SPaul Beesley*Copyright (c) 2019, Arm Limited. All rights reserved.* 112*43f35ef5SPaul Beesley 113*43f35ef5SPaul Beesley.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git 114*43f35ef5SPaul Beesley.. _mbed TLS Security Center: https://tls.mbed.org/security 115