2016-06-03 |
Move stdlib header files to include/lib/stdlib
...
* Move stdlib header files from include/stdlib to include/lib/stdlib for
consistency with other library headers.
* Fix checkpatch paths to continue excluding stdlib files.
* Create stdlib.mk to define the stdlib source files and include directories.
* Include stdlib.mk from the top level Makefile.
* Update stdlib header path in the fip_create Makefile.
* Update porting-guide.md with the new paths.
Change-Id: Ia92c2dc572e9efb54a783e306b5ceb2ce24d27fa
Dan Handley
committed
on 3 Jun 2016
|
2016-04-27 |
fip_create: Fix exit status for missing output filename
...
Change-Id: I0d298eea9eaf47121c87637c7395e5d9868aa272
Brendan Jackman
committed
on 27 Apr 2016
|
2016-04-07 |
Merge pull request #582 from jcastillo-arm/jc/fip_extract
...
fip_create: add support for image unpacking
danh-arm
committed
on 7 Apr 2016
|
Merge pull request #578 from EvanLloyd/ejll/woa_make2
...
Make improvements for host environment portability
danh-arm
committed
on 7 Apr 2016
|
2016-04-06 |
fip_create: add support for image unpacking
...
This patch adds support for image unpacking to the FIP packaging
tool. Command line option '-u,--unpack' may be used to unpack the
contents of an existing FIP file into the working directory. The
tool uses default hardcoded filenames for the unpacked images. If
the files already exist, they can be overwritten by specifying the
option '-f,--force'.
Change-Id: I360b11d9c5403e8c0a7a9cac32c1d90ebb228063
Juan Castillo
committed
on 6 Apr 2016
|
2016-04-01 |
Make:Allow for extension in tool names.
...
In some build environments executable programs have a specific file
extension. The value of BIN_EXT is appended to the relevant tool file
names to allow for this.
The value of BIN_EXT is set, where appropriate, by the build environment
specific make helper (to .exe for Windows build environments).
.gitignore is updated to hide the new (.exe) files.
Change-Id: Icc32f64b750e425265075ad4e0dea18129640b86
Evan Lloyd
committed
on 1 Apr 2016
|
Make:Use "simply expanded" make variables.
...
Replace some "recursively expanded" make variables with "simply
expanded" variables (i.e. replace = with :=). This has no functional
impact but is more consistent and theoretically more efficient.
Change-Id: Iaf33d7c8ad48464ae0d39923515d1e7f230c95c1
Evan Lloyd
committed
on 1 Apr 2016
|
Build:Replace soft links with file copy.
...
Some build environments do not support symbolic links. This patch
removes the symlinks previously used to build fip_create and instead
copies the relevant header files.
The original motivation for using symlinks was to avoid Trusted Firmware
library headers conflicting with headers in the compiler standard
include path. Copying the header files instead has the same effect.
Like other build artefacts, the copied files are listed in .gitignore.
The distclean targets have also been updated to remove the copies.
Change-Id: Ie8b67bcb133f7f1d660ae93b857950aa15e42b1e
Evan Lloyd
committed
on 1 Apr 2016
|
Make:Use environment variables for OS detection.
...
Add make helper files to select the appropriate settings for the build
environment. Selection is made in make_helpers/build_env.mk, which
selects other files to include using generic build environment settings.
The Trusted Firmware Makefile and supporting tool Makefiles are updated
to include build_env.mk instead of unix.mk.
NOTE: This change does not fully enable builds in other build
environments. It facilitates this without compromising the
existing build environments.
Change-Id: Ic4064ffe6ce158bbd16d7cc9f27dd4655a3580f6
Evan Lloyd
committed
on 1 Apr 2016
|
Make:Make shell commands more portable
...
Macros are inserted to replace direct invocations of commands that are
problematic on some build environments. (e.g. Some environments expect
\ in paths instead of /.)
The changes take into account mismatched command mappings across
environments.
The new helper file unix.mk retains existing makefile behaviour on unix
like build environments by providing the following macro definitions:
SHELL_COPY cp -f
SHELL_COPY_TREE cp -rf
SHELL_DELETE rm -f
SHELL_DELETE_ALL rm -rf
MAKE_PREREQ_DIR mkdir -p (As make target)
SHELL_REMOVE_DIR rm -rf
Change-Id: I1b5ca5e1208e78230b15284c4af00c1c006cffcb
Evan Lloyd
committed
on 1 Apr 2016
|
Make:Add realclean to .PHONY list
...
Update the cert_create Makefile to list realclean as .PHONY
(like clean)
Change-Id: I9dc8a61a11574a044372e0952b5b12b74e133747
Evan Lloyd
committed
on 1 Apr 2016
|
Make:Remove calls to shell from makefiles.
...
As an initial stage of making Trusted Firmware build environment more
portable, we remove most uses of the $(shell ) function and replace them
with more portable make function based solutions.
Note that the setting of BUILD_STRING still uses $(shell ) since it's
not possible to reimplement this as a make function. Avoiding invocation
of this on incompatible host platforms will be implemented separately.
Change-Id: I768e2f9a265c78814a4adf2edee4cc46cda0f5b8
Evan Lloyd
committed
on 1 Apr 2016
|
2016-03-30 |
cert_create: add non-volatile counter support
...
This patch adds non-volatile counter support to the Certificate
Generation tool. The TBBR Chain of Trust definition in the tool
has been extended to include the counters as certificate extensions.
The counter values can be specified in the command line.
The following default counter values are specified in the build
system:
* Trusted FW Non-Volatile counter = 0
* Non-Trusted FW Non-Volatile counter = 0
These values can be overridden by the platform at build time.
Change-Id: I7ea10ee78d72748d181df4ee78a7169b3ef2720c
Juan Castillo
committed
on 30 Mar 2016
|
2016-03-04 |
fip_create: miscellaneous improvements to source code
...
This patch introduces the following improvements:
* Global variables in fip_create.c declared static.
* Flags to signal the requested actions (do_dump, do_pack) made
global.
* The ToC is printed at the end of the main funcion, after the FIP
has been created/updated, not in the parse_cmdline() function.
* Short format added to the command line options (-d,--dump;
-h,--help).
* Help message updated.
Change-Id: I5f08273c76f1de45fe597e290bee4b60aa404df9
Juan Castillo
committed
on 4 Mar 2016
|
2016-01-13 |
Merge pull request #484 from jcastillo-arm/jc/tf-issues/337
...
cert_create: update help message
danh-arm
committed
on 13 Jan 2016
|
2016-01-07 |
cert_create: update help message
...
The help message printed by the cert_create tool using the command
line option -h (or --help) does not correctly list all the available
command line options.
This patch reworks the print_help() function to print the help
messages in a data driven approach. For each command line option
registered, an optional help message can be specified, which will
be printed by print_help().
Help messages for the TBBR options (certificates, keys and images)
are also provided.
Fix a small bug in the short options string passed to getopt_long:
the ':' was missing in the '-a' option (this option must take an
argument).
Fixes ARM-software/tf-issues#337
Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452
Juan Castillo
committed
on 7 Jan 2016
|
2016-01-06 |
Merge pull request #479 from jcastillo-arm/jc/tbbr_fip
...
Apply TBBR naming convention to the fip_create options
danh-arm
committed
on 6 Jan 2016
|
2016-01-05 |
Apply TBBR naming convention to the fip_create options
...
The fip_create tool specifies images in the command line using the
ARM TF naming convention (--bl2, --bl31, etc), while the cert_create
tool uses the TBBR convention (--tb-fw, --soc-fw, etc). This double
convention is confusing and should be aligned.
This patch updates the fip_create command line options to follow the
TBBR naming convention. Usage examples in the User Guide have been
also updated.
NOTE: users that build the FIP by calling the fip_create tool directly
from the command line must update the command line options in their
scripts. Users that build the FIP by invoking the main ARM TF Makefile
should not notice any difference.
Change-Id: I84d602630a2585e558d927b50dfde4dd2112496f
Juan Castillo
committed
on 5 Jan 2016
|
Always build with '-pedantic'
...
By default ARM TF is built with the '-pedantic' compiler flag, which
helps detecting violations of the C standard. However, the mbed TLS
library and its associated authentication module in TF used to fail
building with this compiler flag. As a workaround, the mbed TLS
authentication module makefile used to set the 'DISABLE_PEDANTIC'
TF build flag.
The compiler errors flagged by '-pedantic' in the mbed TLS library
have been fixed between versions 1.3.9 and 2.2.0 and the library now
properly builds with this compiler flag.
This patch fixes the remaining compiler errors in the mbed TLS
authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
build flag. This means that TF is now always built with '-pedantic'.
In particular, this patch:
* Removes the final semi-colon in REGISTER_COT() macro.
This semi-colon was causing the following error message:
drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
extra ';' outside of a function [-Werror=pedantic]
This has been fixed both in the mbed TLS authentication module
as well as in the certificate generation tool. Note that the latter
code didn't need fixing since it is not built with '-pedantic' but
the change has been propagated for consistency.
Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
which were suffering from the same issue.
* Fixes a pointer type.
It was causing the following error message:
drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
type 'void *' used in arithmetic [-Werror=pointer-arith]
Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
Sandrine Bailleux
committed
on 5 Jan 2016
|
2015-12-14 |
Remove dashes from image names: 'BL3-x' --> 'BL3x'
...
This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:
https://github.com/ARM-software/arm-trusted-firmware/wiki
Changes apply to output messages, comments and documentation.
non-ARM platform files have been left unmodified.
Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
Juan Castillo
committed
on 14 Dec 2015
|
Replace all SCP FW (BL0, BL3-0) references
...
This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):
BL0 --> SCP_BL1
BL30, BL3-0 --> SCP_BL2
bl30 --> scp_bl2
This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.
IMPORTANT: build option to specify the SCP FW image has changed:
BL30 --> SCP_BL2
IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:
BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
BL30_BASE --> SCP_BL2_BASE
bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()
Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
Juan Castillo
committed
on 14 Dec 2015
|
TBB: apply TBBR naming convention to certificates and extensions
...
This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:
* Certificate UUID names
* Certificate identifier names
* OID names
Changes apply to:
* Generic code (variables and defines)
* The default certificate identifiers provided in the generic
code
* Build system
* ARM platforms port
* cert_create tool internal definitions
* fip_create and cert_create tools command line options
* Documentation
IMPORTANT: this change breaks the compatibility with platforms
that use TBBR. The platform will need to adapt the identifiers
and OIDs to the TBBR naming convention introduced by this patch:
Certificate UUIDs:
UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT
Certificate identifiers:
BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID
OIDs:
TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
BL30_HASH_OID --> SCP_FW_HASH_OID
BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
BL31_HASH_OID --> SOC_AP_FW_HASH_OID
BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
NS_BL2U_HASH_OID --> FWU_HASH_OID
Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
Juan Castillo
committed
on 14 Dec 2015
|
2015-12-09 |
FWU: Add FWU support to `fip_create` tool
...
Firmware Update (FWU) introduces a new set of images called
SCP_BL2U, BL2U and NS_BL2U, which can be packed in a FWU FIP file.
This patch introduces new UUIDs for the Firmware Update images
and extends the 'fip'create' tool so that these new images can be
packed in a FIP file.
Change-Id: I7c60211b4f3cc265411efb131e6d3c624768f522
Yatharth Kochar
committed
on 9 Dec 2015
|
FWU: Add FWU support to `cert_create` tool
...
Firmware Update requires an X509v3 certificate which contains
hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.
This patch extends the Chain of Trust definition in the
'cert_create' tool to include the Firmware Update certificate
and the required extensions (including command line options).
A new field in the extension structure will be used to indicate
that the extension is optional. In the case of an image hash
extension, this field will tell the tool that the hash should
be included in the certificate, but filled with zeros.
Change-Id: I1f77a66b018826b71745910771f38d9cf6050388
Yatharth Kochar
committed
on 9 Dec 2015
|
2015-10-23 |
cert_create: specify command line options in the CoT
...
This patch introduces a new API that allows to specify command
line options in the Chain of Trust description. These command line
options may be used to specify parameters related to the CoT (i.e.
keys or certificates), instead of keeping a hardcoded list of
options in main.c.
Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
Juan Castillo
committed
on 23 Oct 2015
|
cert_create: improve command line argument check
...
The certificate generation tool currently checks if all command
line options required to create all certificates in the CoT have
been specified. This prevents using the tool to create individual
certificates when the whole CoT is not required.
This patch improves the checking function so only those options
required by the certificates specified in the command line are
verified.
Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
Juan Castillo
committed
on 23 Oct 2015
|
2015-07-16 |
TBB: rework cert_create tool to follow a data driven approach
...
This patch reworks the certificate generation tool to follow a data
driven approach. The user may specify at build time the certificates,
keys and extensions defined in the CoT, register them using the
appropiate macros and the tool will take care of creating the
certificates corresponding to the CoT specified.
Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
Juan Castillo
committed
on 16 Jul 2015
|
2015-07-01 |
TBB: build 'cert_create' with ECDSA only if OpenSSL supports it
...
Some Linux distributions include an OpenSSL library which has been
built without ECDSA support. Trying to build the certificate
generation tool on those distributions will result in a build error.
This patch fixes that issue by including ECDSA support only if
OpenSSL has been built with ECDSA. In that case, the OpenSSL
configuration file does not define the OPENSSL_NO_EC macro. The tool
will build successfully, although the resulting binary will not
support ECDSA keys.
Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
Juan Castillo
committed
on 1 Jul 2015
|
2015-06-25 |
TBB: add ECDSA support to the certificate generation tool
...
This patch extends the 'cert_create' tool to support ECDSA keys
to sign the certificates. The '--key-alg' command line option
can be used to specify the key algorithm when invoking the tool.
Available options are:
* 'rsa': create RSA-2048 keys (default option)
* 'ecdsa': create ECDSA-SECP256R1 keys
The TF Makefile has been updated to allow the platform to specify
the key algorithm by declaring the 'KEY_ALG' variable in the
platform makefile.
The behaviour regarding key management has changed. After applying
this patch, the tool will try first to open the keys from disk. If
one key does not exist or no key is specified, and the command line
option to create keys has been specified, new keys will be created.
Otherwise an error will be generated and the tool will exit. This
way, the user may specify certain keys while the tool will create
the remaining ones. This feature is useful for testing purposes
and CI infrastructures.
The OpenSSL directory may be specified using the build option
'OPENSSL_DIR' when building the certificate generation tool.
Default is '/usr'.
Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
Juan Castillo
committed
on 25 Jun 2015
|
TBB: use ASN.1 type DigestInfo to represent hashes
...
The cert_create tool calculates the hash of each BL image and includes
it as an ASN.1 OCTET STRING in the corresponding certificate extension.
Without additional information, the firmware running on the platform
has to know in advance the algorithm used to generate the hash.
This patch modifies the cert_create tool so the certificate extensions
that include an image hash are generated according to the following
ASN.1 structure:
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
The PolarSSL module has been updated to extract the image hash
from the certificate extension according to this structure.
Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
Juan Castillo
committed
on 25 Jun 2015
|