diff --git a/Makefile b/Makefile index 777e330..b5db629 100644 --- a/Makefile +++ b/Makefile @@ -286,6 +286,9 @@ ifneq (${GENERATE_COT},0) $(eval CERTS := yes) + $(eval FIP_DEPS += certificates) + $(eval FIP_ARGS += --trusted-key-cert ${TRUSTED_KEY_CERT}) + ifneq (${CREATE_KEYS},0) $(eval CRT_ARGS += -n) endif @@ -449,6 +452,8 @@ $(eval FIP_DEPS += $(if $3,$(2),)) $(eval FIP_ARGS += $(if $3,--bl$(1) $(2),)) +$(eval FIP_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt)) +$(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt))) $(eval CRT_DEPS += $(if $4,$(2),)) $(eval CRT_DEPS += $(if $4,$(if $6,$(6),))) diff --git a/include/common/firmware_image_package.h b/include/common/firmware_image_package.h index f4554ec..8fb669e 100644 --- a/include/common/firmware_image_package.h +++ b/include/common/firmware_image_package.h @@ -49,6 +49,32 @@ {0x89e1d005, 0xdc53, 0x4713, 0x8d, 0x2b, {0x50, 0x0a, 0x4b, 0x7a, 0x3e, 0x38} } #define UUID_NON_TRUSTED_FIRMWARE_BL33 \ {0xa7eed0d6, 0xeafc, 0x4bd5, 0x97, 0x82, {0x99, 0x34, 0xf2, 0x34, 0xb6, 0xe4} } +/* Key certificates */ +#define UUID_ROT_KEY_CERT \ + {0x721d2d86, 0x60f8, 0x11e4, 0x92, 0x0b, {0x8b, 0xe7, 0x62, 0x16, 0x0f, 0x24} } +#define UUID_TRUSTED_KEY_CERT \ + {0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} } +#define UUID_NON_TRUSTED_WORLD_KEY_CERT \ + {0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} } +#define UUID_SCP_FIRMWARE_BL30_KEY_CERT \ + {0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} } +#define UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT \ + {0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} } +#define UUID_SECURE_PAYLOAD_BL32_KEY_CERT \ + {0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} } +#define UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT \ + {0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} } +/* Content certificates */ +#define UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT \ + {0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} } +#define UUID_SCP_FIRMWARE_BL30_CERT \ + {0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} } +#define UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT \ + {0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} } +#define UUID_SECURE_PAYLOAD_BL32_CERT \ + {0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} } +#define UUID_NON_TRUSTED_FIRMWARE_BL33_CERT \ + {0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } typedef struct fip_toc_header { uint32_t name; diff --git a/tools/fip_create/fip_create.c b/tools/fip_create/fip_create.c index c940c5b..c6869f9 100644 --- a/tools/fip_create/fip_create.c +++ b/tools/fip_create/fip_create.c @@ -65,6 +65,30 @@ "bl32", NULL, FLAG_FILENAME}, { "Non-Trusted Firmware BL3-3", UUID_NON_TRUSTED_FIRMWARE_BL33, "bl33", NULL, FLAG_FILENAME}, + /* Key Certificates */ + { "Root Of Trust key certificate", UUID_ROT_KEY_CERT, + "rot-cert", NULL, FLAG_FILENAME }, + { "Trusted key certificate", UUID_TRUSTED_KEY_CERT, + "trusted-key-cert", NULL, FLAG_FILENAME}, + { "SCP Firmware BL3-0 key certificate", UUID_SCP_FIRMWARE_BL30_KEY_CERT, + "bl30-key-cert", NULL, FLAG_FILENAME}, + { "EL3 Runtime Firmware BL3-1 key certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT, + "bl31-key-cert", NULL, FLAG_FILENAME}, + { "Secure Payload BL3-2 (Trusted OS) key certificate", UUID_SECURE_PAYLOAD_BL32_KEY_CERT, + "bl32-key-cert", NULL, FLAG_FILENAME}, + { "Non-Trusted Firmware BL3-3 key certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT, + "bl33-key-cert", NULL, FLAG_FILENAME}, + /* Content certificates */ + { "Trusted Boot Firmware BL2 certificate", UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT, + "bl2-cert", NULL, FLAG_FILENAME }, + { "SCP Firmware BL3-0 certificate", UUID_SCP_FIRMWARE_BL30_CERT, + "bl30-cert", NULL, FLAG_FILENAME}, + { "EL3 Runtime Firmware BL3-1 certificate", UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT, + "bl31-cert", NULL, FLAG_FILENAME}, + { "Secure Payload BL3-2 (Trusted OS) certificate", UUID_SECURE_PAYLOAD_BL32_CERT, + "bl32-cert", NULL, FLAG_FILENAME}, + { "Non-Trusted Firmware BL3-3 certificate", UUID_NON_TRUSTED_FIRMWARE_BL33_CERT, + "bl33-cert", NULL, FLAG_FILENAME}, { NULL, {0}, 0 } }; diff --git a/tools/fip_create/fip_create.h b/tools/fip_create/fip_create.h index ef321cd..3258335 100644 --- a/tools/fip_create/fip_create.h +++ b/tools/fip_create/fip_create.h @@ -34,7 +34,7 @@ #include #include -#define MAX_FILES 10 +#define MAX_FILES 20 /* TODO: Update this number as required */ #define TOC_HEADER_SERIAL_NUMBER 0x12345678