1Building FIP images with support for Trusted Board Boot 2======================================================= 3 4Trusted Board Boot primarily consists of the following two features: 5 6- Image Authentication, described in :ref:`Trusted Board Boot`, and 7- Firmware Update, described in :ref:`Firmware Update (FWU)` 8 9The following steps should be followed to build FIP and (optionally) FWU_FIP 10images with support for these features: 11 12#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser 13 modules by checking out a recent version of the `mbed TLS Repository`_. It 14 is important to use a version that is compatible with TF-A and fixes any 15 known security vulnerabilities. See `mbed TLS Security Center`_ for more 16 information. See the :ref:`Prerequisites` document for the appropriate 17 version of mbed TLS to use. 18 19 The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS 20 source files the modules depend upon. 21 ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration 22 options required to build the mbed TLS sources. 23 24 Note that the mbed TLS library is licensed under the Apache version 2.0 25 license. Using mbed TLS source code will affect the licensing of TF-A 26 binaries that are built using this library. 27 28#. To build the FIP image, ensure the following command line variables are set 29 while invoking ``make`` to build TF-A: 30 31 - ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>`` 32 - ``TRUSTED_BOARD_BOOT=1`` 33 - ``GENERATE_COT=1`` 34 35 By default, this will use the Chain of Trust described in the TBBR-client 36 document. To select a different one, use the ``COT`` build option. 37 38 If using a custom build of OpenSSL, set the ``OPENSSL_DIR`` variable 39 accordingly so it points at the OpenSSL installation path, as explained in 40 :ref:`Build Options`. In addition, set the ``LD_LIBRARY_PATH`` variable 41 when running to point at the custom OpenSSL path, so the OpenSSL libraries 42 are loaded from that path instead of the default OS path. Export this 43 variable if necessary. 44 45 In the case of Arm platforms, the location of the ROTPK hash must also be 46 specified at build time. The following locations are currently supported (see 47 ``ARM_ROTPK_LOCATION`` build option): 48 49 - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted 50 root-key storage registers present in the platform. On Juno, these 51 registers are read-only. On FVP Base and Cortex models, the registers 52 are also read-only, but the value can be specified using the command line 53 option ``bp.trusted_key_storage.public_key`` when launching the model. 54 On Juno board, the default value corresponds to an ECDSA-SECP256R1 public 55 key hash, whose private part is not currently available. 56 57 - ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in 58 ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce 59 generation of the new hash if ``ROT_KEY`` is specified. 60 61 - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in 62 ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce 63 generation of the new hash if ``ROT_KEY`` is specified. 64 65 Example of command line using RSA development keys: 66 67 .. code:: shell 68 69 MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \ 70 make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ 71 ARM_ROTPK_LOCATION=devel_rsa \ 72 ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ 73 BL33=<path-to>/<bl33_image> OPENSSL_DIR=<path-to>/<openssl> \ 74 all fip 75 76 The result of this build will be the bl1.bin and the fip.bin binaries. This 77 FIP will include the certificates corresponding to the selected Chain of 78 Trust. These certificates can also be found in the output build directory. 79 80#. The optional FWU_FIP contains any additional images to be loaded from 81 Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the 82 FWU_FIP, any FWU images required by the platform must be specified on the 83 command line. On Arm development platforms like Juno, these are: 84 85 - NS_BL2U. The AP non-secure Firmware Updater image. 86 - SCP_BL2U. The SCP Firmware Update Configuration image. 87 88 Example of Juno command line for generating both ``fwu`` and ``fwu_fip`` 89 targets using RSA development: 90 91 :: 92 93 MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \ 94 make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ 95 ARM_ROTPK_LOCATION=devel_rsa \ 96 ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ 97 BL33=<path-to>/<bl33_image> OPENSSL_DIR=<path-to>/<openssl> \ 98 SCP_BL2=<path-to>/<scp_bl2_image> \ 99 SCP_BL2U=<path-to>/<scp_bl2u_image> \ 100 NS_BL2U=<path-to>/<ns_bl2u_image> \ 101 all fip fwu_fip 102 103 .. note:: 104 The BL2U image will be built by default and added to the FWU_FIP. 105 The user may override this by adding ``BL2U=<path-to>/<bl2u_image>`` 106 to the command line above. 107 108 .. note:: 109 Building and installing the non-secure and SCP FWU images (NS_BL1U, 110 NS_BL2U and SCP_BL2U) is outside the scope of this document. 111 112 The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries. 113 Both the FIP and FWU_FIP will include the certificates corresponding to the 114 selected Chain of Trust. These certificates can also be found in the output 115 build directory. 116 117-------------- 118 119*Copyright (c) 2019-2022, Arm Limited. All rights reserved.* 120 121.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git 122.. _mbed TLS Security Center: https://tls.mbed.org/security 123