1*54fd6939SJiyong ParkBuilding FIP images with support for Trusted Board Boot 2*54fd6939SJiyong Park======================================================= 3*54fd6939SJiyong Park 4*54fd6939SJiyong ParkTrusted Board Boot primarily consists of the following two features: 5*54fd6939SJiyong Park 6*54fd6939SJiyong Park- Image Authentication, described in :ref:`Trusted Board Boot`, and 7*54fd6939SJiyong Park- Firmware Update, described in :ref:`Firmware Update (FWU)` 8*54fd6939SJiyong Park 9*54fd6939SJiyong ParkThe following steps should be followed to build FIP and (optionally) FWU_FIP 10*54fd6939SJiyong Parkimages with support for these features: 11*54fd6939SJiyong Park 12*54fd6939SJiyong Park#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser 13*54fd6939SJiyong Park modules by checking out a recent version of the `mbed TLS Repository`_. It 14*54fd6939SJiyong Park is important to use a version that is compatible with TF-A and fixes any 15*54fd6939SJiyong Park known security vulnerabilities. See `mbed TLS Security Center`_ for more 16*54fd6939SJiyong Park information. See the :ref:`Prerequisites` document for the appropriate 17*54fd6939SJiyong Park version of mbed TLS to use. 18*54fd6939SJiyong Park 19*54fd6939SJiyong Park The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS 20*54fd6939SJiyong Park source files the modules depend upon. 21*54fd6939SJiyong Park ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration 22*54fd6939SJiyong Park options required to build the mbed TLS sources. 23*54fd6939SJiyong Park 24*54fd6939SJiyong Park Note that the mbed TLS library is licensed under the Apache version 2.0 25*54fd6939SJiyong Park license. Using mbed TLS source code will affect the licensing of TF-A 26*54fd6939SJiyong Park binaries that are built using this library. 27*54fd6939SJiyong Park 28*54fd6939SJiyong Park#. To build the FIP image, ensure the following command line variables are set 29*54fd6939SJiyong Park while invoking ``make`` to build TF-A: 30*54fd6939SJiyong Park 31*54fd6939SJiyong Park - ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>`` 32*54fd6939SJiyong Park - ``TRUSTED_BOARD_BOOT=1`` 33*54fd6939SJiyong Park - ``GENERATE_COT=1`` 34*54fd6939SJiyong Park 35*54fd6939SJiyong Park By default, this will use the Chain of Trust described in the TBBR-client 36*54fd6939SJiyong Park document. To select a different one, use the ``COT`` build option. 37*54fd6939SJiyong Park 38*54fd6939SJiyong Park In the case of Arm platforms, the location of the ROTPK hash must also be 39*54fd6939SJiyong Park specified at build time. The following locations are currently supported (see 40*54fd6939SJiyong Park ``ARM_ROTPK_LOCATION`` build option): 41*54fd6939SJiyong Park 42*54fd6939SJiyong Park - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted 43*54fd6939SJiyong Park root-key storage registers present in the platform. On Juno, these 44*54fd6939SJiyong Park registers are read-only. On FVP Base and Cortex models, the registers 45*54fd6939SJiyong Park are also read-only, but the value can be specified using the command line 46*54fd6939SJiyong Park option ``bp.trusted_key_storage.public_key`` when launching the model. 47*54fd6939SJiyong Park On Juno board, the default value corresponds to an ECDSA-SECP256R1 public 48*54fd6939SJiyong Park key hash, whose private part is not currently available. 49*54fd6939SJiyong Park 50*54fd6939SJiyong Park - ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in 51*54fd6939SJiyong Park ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce 52*54fd6939SJiyong Park generation of the new hash if ``ROT_KEY`` is specified. 53*54fd6939SJiyong Park 54*54fd6939SJiyong Park - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in 55*54fd6939SJiyong Park ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce 56*54fd6939SJiyong Park generation of the new hash if ``ROT_KEY`` is specified. 57*54fd6939SJiyong Park 58*54fd6939SJiyong Park Example of command line using RSA development keys: 59*54fd6939SJiyong Park 60*54fd6939SJiyong Park .. code:: shell 61*54fd6939SJiyong Park 62*54fd6939SJiyong Park MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \ 63*54fd6939SJiyong Park make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ 64*54fd6939SJiyong Park ARM_ROTPK_LOCATION=devel_rsa \ 65*54fd6939SJiyong Park ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ 66*54fd6939SJiyong Park BL33=<path-to>/<bl33_image> \ 67*54fd6939SJiyong Park all fip 68*54fd6939SJiyong Park 69*54fd6939SJiyong Park The result of this build will be the bl1.bin and the fip.bin binaries. This 70*54fd6939SJiyong Park FIP will include the certificates corresponding to the selected Chain of 71*54fd6939SJiyong Park Trust. These certificates can also be found in the output build directory. 72*54fd6939SJiyong Park 73*54fd6939SJiyong Park#. The optional FWU_FIP contains any additional images to be loaded from 74*54fd6939SJiyong Park Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the 75*54fd6939SJiyong Park FWU_FIP, any FWU images required by the platform must be specified on the 76*54fd6939SJiyong Park command line. On Arm development platforms like Juno, these are: 77*54fd6939SJiyong Park 78*54fd6939SJiyong Park - NS_BL2U. The AP non-secure Firmware Updater image. 79*54fd6939SJiyong Park - SCP_BL2U. The SCP Firmware Update Configuration image. 80*54fd6939SJiyong Park 81*54fd6939SJiyong Park Example of Juno command line for generating both ``fwu`` and ``fwu_fip`` 82*54fd6939SJiyong Park targets using RSA development: 83*54fd6939SJiyong Park 84*54fd6939SJiyong Park :: 85*54fd6939SJiyong Park 86*54fd6939SJiyong Park MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \ 87*54fd6939SJiyong Park make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ 88*54fd6939SJiyong Park ARM_ROTPK_LOCATION=devel_rsa \ 89*54fd6939SJiyong Park ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ 90*54fd6939SJiyong Park BL33=<path-to>/<bl33_image> \ 91*54fd6939SJiyong Park SCP_BL2=<path-to>/<scp_bl2_image> \ 92*54fd6939SJiyong Park SCP_BL2U=<path-to>/<scp_bl2u_image> \ 93*54fd6939SJiyong Park NS_BL2U=<path-to>/<ns_bl2u_image> \ 94*54fd6939SJiyong Park all fip fwu_fip 95*54fd6939SJiyong Park 96*54fd6939SJiyong Park .. note:: 97*54fd6939SJiyong Park The BL2U image will be built by default and added to the FWU_FIP. 98*54fd6939SJiyong Park The user may override this by adding ``BL2U=<path-to>/<bl2u_image>`` 99*54fd6939SJiyong Park to the command line above. 100*54fd6939SJiyong Park 101*54fd6939SJiyong Park .. note:: 102*54fd6939SJiyong Park Building and installing the non-secure and SCP FWU images (NS_BL1U, 103*54fd6939SJiyong Park NS_BL2U and SCP_BL2U) is outside the scope of this document. 104*54fd6939SJiyong Park 105*54fd6939SJiyong Park The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries. 106*54fd6939SJiyong Park Both the FIP and FWU_FIP will include the certificates corresponding to the 107*54fd6939SJiyong Park selected Chain of Trust. These certificates can also be found in the output 108*54fd6939SJiyong Park build directory. 109*54fd6939SJiyong Park 110*54fd6939SJiyong Park-------------- 111*54fd6939SJiyong Park 112*54fd6939SJiyong Park*Copyright (c) 2019-2020, Arm Limited. All rights reserved.* 113*54fd6939SJiyong Park 114*54fd6939SJiyong Park.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git 115*54fd6939SJiyong Park.. _mbed TLS Security Center: https://tls.mbed.org/security 116