xref: /rk3399_ARM-atf/docs/design/trusted-board-boot-build.rst (revision 52e486f6a6192bd18d36cdcbc35c59092eefc810) 
1Building FIP images with support for Trusted Board Boot
2=======================================================
3
4Trusted Board Boot primarily consists of the following two features:
5
6-  Image Authentication, described in :ref:`Trusted Board Boot`, and
7-  Firmware Update, described in :ref:`Firmware Update (FWU)`
8
9The following steps should be followed to build FIP and (optionally) FWU_FIP
10images with support for these features:
11
12#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser
13   modules by checking out a recent version of the `mbed TLS Repository`_. It
14   is important to use a version that is compatible with TF-A and fixes any
15   known security vulnerabilities. See `mbed TLS Security Center`_ for more
16   information. See the :ref:`Prerequisites` document for the appropriate
17   version of mbed TLS to use.
18
19   The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS
20   source files the modules depend upon.
21   ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration
22   options required to build the mbed TLS sources.
23
24   Note that the mbed TLS library is licensed under the Apache version 2.0
25   license. Using mbed TLS source code will affect the licensing of TF-A
26   binaries that are built using this library.
27
28#. To build the FIP image, ensure the following command line variables are set
29   while invoking ``make`` to build TF-A:
30
31   -  ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>``
32   -  ``TRUSTED_BOARD_BOOT=1``
33   -  ``GENERATE_COT=1``
34
35   By default, this will use the Chain of Trust described in the TBBR-client
36   document. To select a different one, use the ``COT`` build option.
37
38   If using a custom build of OpenSSL, set the ``OPENSSL_DIR`` variable
39   accordingly so it points at the OpenSSL installation path, as explained in
40   :ref:`Build Options`. In addition, set the ``LD_LIBRARY_PATH`` variable
41   when running to point at the custom OpenSSL path, so the OpenSSL libraries
42   are loaded from that path instead of the default OS path. Export this
43   variable if necessary.
44
45   In the case of Arm platforms, the location of the ROTPK must also be
46   specified at build time. The following locations are currently supported (see
47   ``ARM_ROTPK_LOCATION`` build option):
48
49   -  ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
50      root-key storage registers present in the platform. On Juno, these
51      registers are read-only. On FVP Base and Cortex models, the registers
52      are also read-only, but the value can be specified using the command line
53      option ``bp.trusted_key_storage.public_key`` when launching the model.
54      On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
55      key hash, whose private part is not currently available.
56
57   -  ``ARM_ROTPK_LOCATION=devel_rsa``: the ROTPK is a hash of the
58      RSA public key corresponding to the private key specified by
59      ``ROT_KEY``. If ``ROT_KEY`` is not specified, the private key is
60      the development key ``plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem``.
61      There are also 3k and 4k RSA development keys in ``plat/arm/board/common/rotpk/``.
62      The hashing algorithm is selected by ``HASH_ALG``; sha256 is used if
63      ``HASH_ALG`` is not specified.
64
65   -  ``ARM_ROTPK_LOCATION=devel_ecdsa``: the ROTPK is a hash of the
66      ECDSA public key corresponding to the private key specified by
67      ``ROT_KEY``. If ``ROT_KEY`` is not specified, the private key is
68      the development key ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem`` by default,
69      a 384 bit key ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa_secp384r1.pem`` also exists,
70      and can be specified by ``ROT_KEY``. The hashing algorithm is selected by ``HASH_ALG``;
71      sha256 is used if ``HASH_ALG`` is not specified.
72
73   -  ``ARM_ROTPK_LOCATION=devel_full_dev_rsa_key``: the ROTPK is an unhashed
74      RSA public key corresponding to the private key specified by ``ROT_KEY``.
75      If ``ROT_KEY`` is not specified, the private key is the development key
76      ``plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem``. There are also
77      3k and 4k RSA development keys in ``plat/arm/board/common/rotpk/``.
78
79   -  ``ARM_ROTPK_LOCATION=devel_full_dev_ecdsa_key``: the ROTPK is an unhashed
80      RSA public key corresponding to the private key specified by ``ROT_KEY``.
81      If ``ROT_KEY`` is not specified, the private key is the development key
82      ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem``, a 384 bit key
83      ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa_secp384r1.pem`` also exists,
84      and can be specified by ``ROT_KEY``.
85
86   Example of command line using RSA development keys:
87
88   .. code:: shell
89
90       MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
91       make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1        \
92       ARM_ROTPK_LOCATION=devel_rsa                                    \
93       ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem        \
94       BL33=<path-to>/<bl33_image> OPENSSL_DIR=<path-to>/<openssl>     \
95       all fip
96
97   The result of this build will be the bl1.bin and the fip.bin binaries. This
98   FIP will include the certificates corresponding to the selected Chain of
99   Trust. These certificates can also be found in the output build directory.
100
101#. The optional FWU_FIP contains any additional images to be loaded from
102   Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
103   FWU_FIP, any FWU images required by the platform must be specified on the
104   command line. On Arm development platforms like Juno, these are:
105
106   -  NS_BL2U. The AP non-secure Firmware Updater image.
107   -  SCP_BL2U. The SCP Firmware Update Configuration image.
108
109   Example of Juno command line for generating both ``fwu`` and ``fwu_fip``
110   targets using RSA development:
111
112   ::
113
114       MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
115       make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1              \
116       ARM_ROTPK_LOCATION=devel_rsa                                    \
117       ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem        \
118       BL33=<path-to>/<bl33_image> OPENSSL_DIR=<path-to>/<openssl>     \
119       SCP_BL2=<path-to>/<scp_bl2_image>                               \
120       SCP_BL2U=<path-to>/<scp_bl2u_image>                             \
121       NS_BL2U=<path-to>/<ns_bl2u_image>                               \
122       all fip fwu_fip
123
124   .. note::
125      The BL2U image will be built by default and added to the FWU_FIP.
126      The user may override this by adding ``BL2U=<path-to>/<bl2u_image>``
127      to the command line above.
128
129   .. note::
130      Building and installing the non-secure and SCP FWU images (NS_BL1U,
131      NS_BL2U and SCP_BL2U) is outside the scope of this document.
132
133   The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
134   Both the FIP and FWU_FIP will include the certificates corresponding to the
135   selected Chain of Trust. These certificates can also be found in the output
136   build directory.
137
138--------------
139
140*Copyright (c) 2019-2024, Arm Limited. All rights reserved.*
141
142.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git
143.. _mbed TLS Security Center: https://tls.mbed.org/security
144