diff --git a/Makefile b/Makefile
index 9ecbb5b..ae9b41b 100644
--- a/Makefile
+++ b/Makefile
@@ -76,6 +76,8 @@
 PSCI_EXTENDED_STATE_ID		:= 0
 # Default FIP file name
 FIP_NAME			:= fip.bin
+# Default FWU_FIP file name
+FWU_FIP_NAME			:= fwu_fip.bin
 # By default, use the -pedantic option in the gcc command line
 DISABLE_PEDANTIC		:= 0
 # Flags to generate the Chain of Trust
@@ -150,6 +152,7 @@
 # target 'certificates' to create them all
 ifneq (${GENERATE_COT},0)
         FIP_DEPS += certificates
+        FWU_FIP_DEPS += fwu_certificates
 endif
 
 
@@ -321,8 +324,10 @@
         # Common cert_create options
         ifneq (${CREATE_KEYS},0)
                 $(eval CRT_ARGS += -n)
+                $(eval FWU_CRT_ARGS += -n)
                 ifneq (${SAVE_KEYS},0)
                         $(eval CRT_ARGS += -k)
+                        $(eval FWU_CRT_ARGS += -k)
                 endif
         endif
         # Include TBBR makefile (unless the platform indicates otherwise)
@@ -429,7 +434,7 @@
 # Build targets
 ################################################################################
 
-.PHONY:	all msg_start clean realclean distclean cscope locate-checkpatch checkcodebase checkpatch fiptool fip certtool
+.PHONY:	all msg_start clean realclean distclean cscope locate-checkpatch checkcodebase checkpatch fiptool fip fwu_fip certtool
 .SUFFIXES:
 
 all: msg_start
@@ -536,8 +541,24 @@
 	@echo "Built $@ successfully"
 	@echo
 
+ifneq (${GENERATE_COT},0)
+fwu_certificates: ${FWU_CRT_DEPS} ${CRTTOOL}
+	${Q}${CRTTOOL} ${FWU_CRT_ARGS}
+	@echo
+	@echo "Built $@ successfully"
+	@echo "FWU certificates can be found in ${BUILD_PLAT}"
+	@echo
+endif
+
+${BUILD_PLAT}/${FWU_FIP_NAME}: ${FWU_FIP_DEPS} ${FIPTOOL}
+	${Q}${FIPTOOL} --dump ${FWU_FIP_ARGS} $@
+	@echo
+	@echo "Built $@ successfully"
+	@echo
+
 fiptool: ${FIPTOOL}
 fip: ${BUILD_PLAT}/${FIP_NAME}
+fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
 
 .PHONY: ${FIPTOOL}
 ${FIPTOOL}:
@@ -568,6 +589,7 @@
 	@echo "  bl32           Build the BL3-2 binary"
 	@echo "  certificates   Build the certificates (requires 'GENERATE_COT=1')"
 	@echo "  fip            Build the Firmware Image Package (FIP)"
+	@echo "  fwu_fip        Build the FWU Firmware Image Package (FIP)"
 	@echo "  checkcodebase  Check the coding style of the entire source tree"
 	@echo "  checkpatch     Check the coding style on changes in the current"
 	@echo "                 branch against BASE_COMMIT (default origin/master)"
diff --git a/make_helpers/build_macros.mk b/make_helpers/build_macros.mk
index 3624ff6..08cb4b1 100644
--- a/make_helpers/build_macros.mk
+++ b/make_helpers/build_macros.mk
@@ -98,7 +98,7 @@
     $(eval $(if $(3),FIP_DEPS += $(3)))
 endef
 
-# CERT_ADD_CMD_OPT adds a new command line option to the cert_create invokation
+# CERT_ADD_CMD_OPT adds a new command line option to the cert_create invocation
 #   $(1) = parameter filename
 #   $(2) = cert_create command line option for the specified parameter
 #   $(3) = input parameter (false if empty)
@@ -123,6 +123,38 @@
 	$$(if $(value $(1)),,$$(error "Platform '${PLAT}' requires $(1). Please set $(1) to point to the right file"))
 endef
 
+# FWU_FIP_ADD_PAYLOAD appends the command line arguments required by the FIP tool
+# to package a new FWU payload. Optionally, it  adds the dependency on this payload
+#   $(1) = payload filename (e.g. ns_bl2u.bin)
+#   $(2) = command line option for the specified payload (e.g. --ns_bl2u)
+#   $(3) = fip target dependency (optional) (e.g. ns_bl2u)
+define FWU_FIP_ADD_PAYLOAD
+    $(eval $(if $(3),FWU_FIP_DEPS += $(3)))
+    $(eval FWU_FIP_ARGS += $(2) $(1))
+endef
+
+# FWU_CERT_ADD_CMD_OPT adds a new command line option to the cert_create invocation
+#   $(1) = parameter filename
+#   $(2) = cert_create command line option for the specified parameter
+#   $(3) = input parameter (false if empty)
+define FWU_CERT_ADD_CMD_OPT
+    $(eval $(if $(3),FWU_CRT_DEPS += $(1)))
+    $(eval FWU_CRT_ARGS += $(2) $(1))
+endef
+
+# FWU_FIP_ADD_IMG allows the platform to pack a binary image in the FWU FIP
+#   $(1) build option to specify the image filename (BL2U, NS_BL2U, etc)
+#   $(2) command line option for the fip_create tool (bl2u, ns_bl2u, etc)
+# Example:
+#   $(eval $(call FWU_FIP_ADD_IMG,BL2U,--bl2u))
+define FWU_FIP_ADD_IMG
+    FWU_CRT_DEPS += check_$(1)
+    FWU_FIP_DEPS += check_$(1)
+    $(call FWU_FIP_ADD_PAYLOAD,$(value $(1)),$(2))
+
+check_$(1):
+	$$(if $(value $(1)),,$$(error "Platform '${PLAT}' requires $(1). Please set $(1) to point to the right file"))
+endef
 
 ################################################################################
 # Auxiliary macros to build TF images from sources
diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index d40f66a..bf0d296 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -56,16 +56,22 @@
 
 # Certificate generation tool default parameters
 TRUSTED_KEY_CERT	:=	${BUILD_PLAT}/trusted_key.crt
+FWU_CERT		:=	${BUILD_PLAT}/fwu_cert.crt
 
 # Add Trusted Key certificate to the fip_create and cert_create command line options
 $(eval $(call FIP_ADD_PAYLOAD,${TRUSTED_KEY_CERT},--trusted-key-cert))
 $(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_KEY_CERT},--trusted-key-cert))
 
+# Add fwu certificate to the fip_create and cert_create command line options
+$(eval $(call FWU_FIP_ADD_PAYLOAD,${FWU_CERT},--fwu-cert))
+$(eval $(call FWU_CERT_ADD_CMD_OPT,${FWU_CERT},--fwu-cert))
+
 # Add the keys to the cert_create command line options (private keys are NOT
 # packed in the FIP). Developers can use their own keys by specifying the proper
 # build option in the command line when building the Trusted Firmware
 $(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg)))
 $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
+$(if ${ROT_KEY},$(eval $(call FWU_CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
 $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))
 $(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key)))
 
@@ -116,7 +122,15 @@
 endif
 
 # Add the BL2U image
-ifeq (${NEED_BL2U},yes)
-    $(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u)),\
-                 $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u)))
+$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u,true)),\
+     $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u,true)))
+
+# Add the SCP_BL2U image
+ifneq (${SCP_BL2U},)
+    $(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp_bl2u,true))
+endif
+
+# Add the NS_BL2U image
+ifneq (${NS_BL2U},)
+    $(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--ns_bl2u,true))
 endif
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 2d4e08c..4ac12d9 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -140,6 +140,8 @@
 
     BL2_SOURCES		+=	${AUTH_SOURCES}
 
+    $(eval $(call FWU_FIP_ADD_IMG,NS_BL2U,--ns_bl2u))
+
     MBEDTLS_KEY_ALG	:=	${KEY_ALG}
 
     # We expect to locate the *.mk files under the directories specified below
diff --git a/plat/arm/css/common/css_common.mk b/plat/arm/css/common/css_common.mk
index 1612541..49fedc3 100644
--- a/plat/arm/css/common/css_common.mk
+++ b/plat/arm/css/common/css_common.mk
@@ -51,6 +51,9 @@
 				plat/arm/css/common/css_scpi.c			\
 				plat/arm/css/common/css_topology.c
 
+ifneq (${TRUSTED_BOARD_BOOT},0)
+$(eval $(call FWU_FIP_ADD_IMG,SCP_BL2U,--scp_bl2u))
+endif
 
 ifneq (${RESET_TO_BL31},0)
   $(error "Using BL3-1 as the reset vector is not supported on CSS platforms. \