Building FIP images with support for Trusted Board Boot
=======================================================

Trusted Board Boot primarily consists of the following two features:

-  Image Authentication, described in :ref:`Trusted Board Boot`, and
-  Firmware Update, described in :ref:`Firmware Update (FWU)`

The following steps should be followed to build FIP and (optionally) FWU_FIP
images with support for these features:

#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser
   modules by checking out a recent version of the `mbed TLS Repository`_. It
   is important to use a version that is compatible with TF-A and fixes any
   known security vulnerabilities. See `mbed TLS Security Center`_ for more
   information. See the :ref:`Prerequisites` document for the appropriate
   version of mbed TLS to use.

   The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS
   source files the modules depend upon.
   ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration
   options required to build the mbed TLS sources.

   Note that the mbed TLS library is licensed under the Apache version 2.0
   license. Using mbed TLS source code will affect the licensing of TF-A
   binaries that are built using this library.

#. To build the FIP image, ensure the following command line variables are set
   while invoking ``make`` to build TF-A:

   -  ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>``
   -  ``TRUSTED_BOARD_BOOT=1``
   -  ``GENERATE_COT=1``

   In the case of Arm platforms, the location of the ROTPK hash must also be
   specified at build time. The following locations are currently supported (see
   ``ARM_ROTPK_LOCATION`` build option):

   -  ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
      root-key storage registers present in the platform. On Juno, these
      registers are read-only. On FVP Base and Cortex models, the registers
      are read-only, but the value can be specified using the command line
      option ``bp.trusted_key_storage.public_key`` when launching the model.
      On the Juno board, the default value corresponds to an ECDSA-SECP256R1
      public key hash, whose private part is not currently available.

   -  ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
      ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. If ``ROT_KEY``
      is specified, generation of a new hash is enforced.

   -  ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
      ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. If ``ROT_KEY``
      is specified, generation of a new hash is enforced.

   Example of command line using RSA development keys:

   .. code:: shell

       MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
       make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1        \
       ARM_ROTPK_LOCATION=devel_rsa                                    \
       ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem        \
       BL33=<path-to>/<bl33_image>                                     \
       all fip

   The result of this build will be the bl1.bin and the fip.bin binaries. This
   FIP will include the certificates corresponding to the Chain of Trust
   described in the TBBR-client document. These certificates can also be found
   in the output build directory.

#. The optional FWU_FIP contains any additional images to be loaded from
   Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
   FWU_FIP, any FWU images required by the platform must be specified on the
   command line. On Arm development platforms like Juno, these are:

   -  NS_BL2U. The AP non-secure Firmware Updater image.
   -  SCP_BL2U. The SCP Firmware Update Configuration image.

   Example of Juno command line for generating both ``fwu`` and ``fwu_fip``
   targets using RSA development keys:

   ::

       MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
       make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1              \
       ARM_ROTPK_LOCATION=devel_rsa                                    \
       ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem        \
       BL33=<path-to>/<bl33_image>                                     \
       SCP_BL2=<path-to>/<scp_bl2_image>                               \
       SCP_BL2U=<path-to>/<scp_bl2u_image>                             \
       NS_BL2U=<path-to>/<ns_bl2u_image>                               \
       all fip fwu_fip

   .. note::
      The BL2U image will be built by default and added to the FWU_FIP.
      The user may override this by adding ``BL2U=<path-to>/<bl2u_image>``
      to the command line above.

   .. note::
      Building and installing the non-secure and SCP FWU images (NS_BL1U,
      NS_BL2U and SCP_BL2U) is outside the scope of this document.

   The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
   Both the FIP and FWU_FIP will include the certificates corresponding to the
   Chain of Trust described in the TBBR-client document. These certificates
   can also be found in the output build directory.

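A pre-build check for the ``make`` variables listed in the steps above, added here as an example and not part of TF-A. The ``dev``/``release`` modes, and the rule that a release build rejects the ``devel_*`` locations and the in-tree ``arm_rotprivk_*`` key, are assumptions of this example; ``/opt/mbedtls`` is a constructed path.

```shell
#!/bin/sh
# Added example (not TF-A code): lint the words of a TF-A make invocation for
# the Trusted Board Boot settings described above.
# Usage: check_tbb_args MODE WORD...   MODE is "dev" or "release"; the
# dev/release split is a hypothetical local policy, not a TF-A build option.
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
check_tbb_args() {
    mode=$1; shift
    tbb='' cot='' mbed='' loc='' key='' findings=0
    for word in "$@"; do
        case $word in
            TRUSTED_BOARD_BOOT=*) tbb=${word#*=} ;;
            GENERATE_COT=*)       cot=${word#*=} ;;
            MBEDTLS_DIR=*)        mbed=${word#*=} ;;
            ARM_ROTPK_LOCATION=*) loc=${word#*=} ;;
            ROT_KEY=*)            key=${word#*=} ;;
        esac
    done
    finding() { echo "$1"; findings=$((findings + 1)); }

    [ "$tbb" = 1 ] || finding "TRUSTED_BOARD_BOOT=1 is not set"
    [ "$cot" = 1 ] || finding "GENERATE_COT=1 is not set"
    [ -n "$mbed" ] || finding "MBEDTLS_DIR is not set"
    # The three locations listed on this page for Arm platforms.
    case $loc in
        regs|devel_rsa|devel_ecdsa) ;;
        '') finding "ARM_ROTPK_LOCATION is not set" ;;
        *)  finding "ARM_ROTPK_LOCATION=$loc is not a listed location" ;;
    esac
    if [ "$mode" = release ]; then
        # Assumed policy: a release image must not be rooted in a development
        # ROTPK hash or signed with the development key from the source tree.
        case $loc in
            devel_*) finding "development ROTPK hash ($loc) in a release build" ;;
        esac
        case $key in
            */rotpk/arm_rotprivk_*) finding "ROT_KEY is the in-tree development key" ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the page's Juno command line, checked as a release build.
check_tbb_args release MBEDTLS_DIR=/opt/mbedtls make PLAT=juno \
    TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
    ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
    all fip fwu_fip || echo "release gate: blocked"
```
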
--------------

*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*

.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git
.. _mbed TLS Security Center: https://tls.mbed.org/security
