diff --git a/Makefile b/Makefile index 7627797..a0d2ae0 100644 --- a/Makefile +++ b/Makefile @@ -1012,6 +1012,7 @@ endif -include $(BUILD_PLAT)/sp_gen.mk FIP_DEPS += sp + CRT_DEPS += sp NEED_SP_PKG := yes else ifeq (${SPMD_SPM_AT_SEL2},1) diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c index 8aca2be..f28ddaa 100644 --- a/drivers/auth/dualroot/cot.c +++ b/drivers/auth/dualroot/cot.c @@ -30,6 +30,9 @@ static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN]; static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN]; +#if defined(SPD_spmd) +static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN]; +#endif /* SPD_spmd */ static unsigned char trusted_world_pk_buf[PK_DER_LEN]; static unsigned char content_pk_buf[PK_DER_LEN]; @@ -97,6 +100,24 @@ AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID); static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC( AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID); +#if defined(SPD_spmd) +static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG1_HASH_OID); +static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG2_HASH_OID); +static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG3_HASH_OID); +static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG4_HASH_OID); +static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG5_HASH_OID); +static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG6_HASH_OID); +static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG7_HASH_OID); +static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SP_PKG8_HASH_OID); +#endif /* SPD_spmd */ #endif /* IMAGE_BL2 */ @@ -642,6 +663,102 @@ } }; +/* + * Secure Partitions + */ +#if defined(SPD_spmd) +static const auth_img_desc_t sp_content_cert = { + .img_id = SP_CONTENT_CERT_ID, + .img_type = IMG_CERT, + .parent = &trusted_key_cert, + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data + } + }, + [1] = { + .type = AUTH_METHOD_NV_CTR, + .param.nv_ctr = { + .cert_nv_ctr = &trusted_nv_ctr, + .plat_nv_ctr = &trusted_nv_ctr + } + } + }, + .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { + [0] = { + .type_desc = &sp_pkg1_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[0], + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &sp_pkg2_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[1], + .len = (unsigned int)HASH_DER_LEN + } + }, + [2] = { + .type_desc = &sp_pkg3_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[2], + .len = (unsigned int)HASH_DER_LEN + } + }, + [3] = { + .type_desc = &sp_pkg4_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[3], + .len = (unsigned int)HASH_DER_LEN + } + }, + [4] = { + .type_desc = &sp_pkg5_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[4], + .len = (unsigned int)HASH_DER_LEN + } + }, + [5] = { + .type_desc = &sp_pkg6_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[5], + .len = (unsigned int)HASH_DER_LEN + } + }, + [6] = { + .type_desc = &sp_pkg7_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[6], + .len = (unsigned int)HASH_DER_LEN + } + }, + [7] = { + .type_desc = &sp_pkg8_hash, + .data = { + .ptr = (void *)sp_pkg_hash_buf[7], + .len = (unsigned int)HASH_DER_LEN + } + } + } +}; + +DEFINE_SP_PKG(1); +DEFINE_SP_PKG(2); +DEFINE_SP_PKG(3); +DEFINE_SP_PKG(4); +DEFINE_SP_PKG(5); +DEFINE_SP_PKG(6); +DEFINE_SP_PKG(7); +DEFINE_SP_PKG(8); +#endif /* SPD_spmd */ + #else /* IMAGE_BL2 */ /* FWU auth descriptor */ @@ -769,6 +886,17 @@ [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert, [BL33_IMAGE_ID] = &bl33_image, [NT_FW_CONFIG_ID] = &nt_fw_config, +#if defined(SPD_spmd) + [SP_CONTENT_CERT_ID] = &sp_content_cert, + [SP_CONTENT_CERT_ID + 1] = &sp_pkg1, + [SP_CONTENT_CERT_ID + 2] = &sp_pkg2, + [SP_CONTENT_CERT_ID + 3] = &sp_pkg3, + [SP_CONTENT_CERT_ID + 4] = &sp_pkg4, + [SP_CONTENT_CERT_ID + 5] = &sp_pkg5, + [SP_CONTENT_CERT_ID + 6] = &sp_pkg6, + [SP_CONTENT_CERT_ID + 7] = &sp_pkg7, + [SP_CONTENT_CERT_ID + 8] = &sp_pkg8, +#endif }; #endif diff --git a/include/common/tbbr/cot_def.h b/include/common/tbbr/cot_def.h index c411146..6ce7f80 100644 --- a/include/common/tbbr/cot_def.h +++ b/include/common/tbbr/cot_def.h @@ -8,8 +8,11 @@ #define COT_DEF_H /* TBBR CoT definitions */ - +#if defined(SPD_spmd) +#define COT_MAX_VERIFIED_PARAMS 8 +#else #define COT_MAX_VERIFIED_PARAMS 4 +#endif /* * Maximum key and hash sizes (in DER format). diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h index 1701995..1f9aab1 100644 --- a/include/common/tbbr/tbbr_img_def.h +++ b/include/common/tbbr/tbbr_img_def.h @@ -9,4 +9,12 @@ #include +#if defined(SPD_spmd) +#define SP_CONTENT_CERT_ID MAX_IMAGE_IDS +#define MAX_SP_IDS U(8) +#define MAX_NUMBER_IDS (MAX_IMAGE_IDS + MAX_SP_IDS + U(1)) +#else +#define MAX_NUMBER_IDS MAX_IMAGE_IDS +#endif + #endif /* TBBR_IMG_DEF_H */ diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h index 1dc9ff4..01d144d 100644 --- a/include/drivers/auth/auth_mod.h +++ b/include/drivers/auth/auth_mod.h @@ -50,6 +50,24 @@ extern const size_t cot_desc_size; extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; +#if defined(SPD_spmd) +#define DEFINE_SP_PKG(n) \ + static const auth_img_desc_t sp_pkg##n = { \ + .img_id = SP_CONTENT_CERT_ID + (n), \ + .img_type = IMG_RAW, \ + .parent = &sp_content_cert, \ + .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \ + [0] = { \ + .type = AUTH_METHOD_HASH, \ + .param.hash = { \ + .data = &raw_data, \ + .hash = &sp_pkg##n##_hash \ + } \ + } \ + } \ + } +#endif + #endif /* TRUSTED_BOARD_BOOT */ #endif /* AUTH_MOD_H */ diff --git a/include/export/common/tbbr/tbbr_img_def_exp.h b/include/export/common/tbbr/tbbr_img_def_exp.h index 89dbc58..a98c1b4 100644 --- a/include/export/common/tbbr/tbbr_img_def_exp.h +++ b/include/export/common/tbbr/tbbr_img_def_exp.h @@ -88,12 +88,7 @@ /* Encrypted image identifier */ #define ENC_IMAGE_ID U(30) -/* Define size of the array */ -#if defined(SPD_spmd) -#define MAX_SP_IDS U(8) -#define MAX_NUMBER_IDS MAX_SP_IDS + U(31) -#else -#define MAX_NUMBER_IDS U(31) -#endif +/* Max Images */ +#define MAX_IMAGE_IDS U(31) #endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */ diff --git a/include/tools_share/dualroot_oid.h b/include/tools_share/dualroot_oid.h index 3e88a6d..da367da 100644 --- a/include/tools_share/dualroot_oid.h +++ b/include/tools_share/dualroot_oid.h @@ -16,4 +16,16 @@ */ #define PROT_PK_OID "1.3.6.1.4.1.4128.2100.1102" +/* + * Secure Partitions Content Certificate + */ +#define SP_PKG1_HASH_OID "1.3.6.1.4.1.4128.2100.1301" +#define SP_PKG2_HASH_OID "1.3.6.1.4.1.4128.2100.1302" +#define SP_PKG3_HASH_OID "1.3.6.1.4.1.4128.2100.1303" +#define SP_PKG4_HASH_OID "1.3.6.1.4.1.4128.2100.1304" +#define SP_PKG5_HASH_OID "1.3.6.1.4.1.4128.2100.1305" +#define SP_PKG6_HASH_OID "1.3.6.1.4.1.4128.2100.1306" +#define SP_PKG7_HASH_OID "1.3.6.1.4.1.4128.2100.1307" +#define SP_PKG8_HASH_OID "1.3.6.1.4.1.4128.2100.1308" + #endif /* DUALROOT_OID_H */ diff --git a/include/tools_share/firmware_image_package.h b/include/tools_share/firmware_image_package.h index 598d5c2..75f3cc6 100644 --- a/include/tools_share/firmware_image_package.h +++ b/include/tools_share/firmware_image_package.h @@ -64,6 +64,8 @@ {{0xa4, 0x9f, 0x44, 0x11}, {0x5e, 0x63}, {0xe4, 0x11}, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} } #define UUID_NON_TRUSTED_FW_CONTENT_CERT \ {{0x8e, 0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } +#define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \ + {{0x77, 0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} } /* Dynamic configs */ #define UUID_HW_CONFIG \ {{0x08, 0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} } diff --git a/lib/debugfs/devfip.c b/lib/debugfs/devfip.c index fc14e70..70ac3bc 100644 --- a/lib/debugfs/devfip.c +++ b/lib/debugfs/devfip.c @@ -74,7 +74,8 @@ {"tos-fw.cfg", UUID_TOS_FW_CONFIG}, {"nt-fw.cfg", UUID_NT_FW_CONFIG}, {"rot-k.crt", UUID_ROT_KEY_CERT}, - {"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT} + {"nt-k.crt", UUID_NON_TRUSTED_WORLD_KEY_CERT}, + {"sip-sp.crt", UUID_SIP_SECURE_PARTITION_CONTENT_CERT} }; /******************************************************************************* diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk index f0adfe1..9520934 100644 --- a/make_helpers/tbbr/tbbr_tools.mk +++ b/make_helpers/tbbr/tbbr_tools.mk @@ -99,3 +99,8 @@ $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert)) endif endif + +# Add SiP owned Secure Partitions CoT (image cert) +ifneq (${SP_LAYOUT_FILE},) + $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert)) +endif diff --git a/plat/arm/board/fvp/fdts/fvp_fw_config.dts b/plat/arm/board/fvp/fdts/fvp_fw_config.dts index 8f87f7c..5f89284 100644 --- a/plat/arm/board/fvp/fdts/fvp_fw_config.dts +++ b/plat/arm/board/fvp/fdts/fvp_fw_config.dts @@ -111,6 +111,7 @@ soc_fw_content_cert_uuid = <0x200cb2e2 0x11e4635e 0xccabe89c 0x66b62bf9>; tos_fw_content_cert_uuid = <0x11449fa4 0x11e4635e 0x53f2887 0x3df32a72>; nt_fw_content_cert_uuid = <0xf3c1c48e 0x11e4635d 0xee87a9a7 0xa73fb240>; + sp_content_cert_uuid = <0x44fd6d77 0x3b4c9786 0x3ec1eb91 0x6f2a5a02>; }; }; #endif /* ARM_IO_IN_DTB */ diff --git a/plat/arm/common/fconf/arm_fconf_io.c b/plat/arm/common/fconf/arm_fconf_io.c index 26e51b2..68cd9fb 100644 --- a/plat/arm/common/fconf/arm_fconf_io.c +++ b/plat/arm/common/fconf/arm_fconf_io.c @@ -49,6 +49,9 @@ [SOC_FW_CONTENT_CERT_ID] = {UUID_SOC_FW_CONTENT_CERT}, [TRUSTED_OS_FW_CONTENT_CERT_ID] = {UUID_TRUSTED_OS_FW_CONTENT_CERT}, [NON_TRUSTED_FW_CONTENT_CERT_ID] = {UUID_NON_TRUSTED_FW_CONTENT_CERT}, +#if defined(SPD_spmd) + [SP_CONTENT_CERT_ID] = {UUID_SIP_SECURE_PARTITION_CONTENT_CERT}, +#endif #endif /* ARM_IO_IN_DTB */ #endif /* TRUSTED_BOARD_BOOT */ }; @@ -174,6 +177,13 @@ (uintptr_t)&arm_uuid_spec[NON_TRUSTED_FW_CONTENT_CERT_ID], open_fip }, +#if defined(SPD_spmd) + [SP_CONTENT_CERT_ID] = { + &fip_dev_handle, + (uintptr_t)&arm_uuid_spec[SP_CONTENT_CERT_ID], + open_fip + }, +#endif #endif /* ARM_IO_IN_DTB */ #endif /* TRUSTED_BOARD_BOOT */ }; @@ -181,7 +191,7 @@ #ifdef IMAGE_BL2 #if TRUSTED_BOARD_BOOT -#define FCONF_ARM_IO_UUID_NUMBER U(19) +#define FCONF_ARM_IO_UUID_NUMBER U(20) #else #define FCONF_ARM_IO_UUID_NUMBER U(10) #endif @@ -216,6 +226,9 @@ {SOC_FW_CONTENT_CERT_ID, "soc_fw_content_cert_uuid"}, {TRUSTED_OS_FW_CONTENT_CERT_ID, "tos_fw_content_cert_uuid"}, {NON_TRUSTED_FW_CONTENT_CERT_ID, "nt_fw_content_cert_uuid"}, +#if defined(SPD_spmd) + {SP_CONTENT_CERT_ID, "sp_content_cert_uuid"}, +#endif #endif /* TRUSTED_BOARD_BOOT */ }; diff --git a/plat/arm/common/fconf/arm_fconf_sp.c b/plat/arm/common/fconf/arm_fconf_sp.c index 1b09bc8..64e873e 100644 --- a/plat/arm/common/fconf/arm_fconf_sp.c +++ b/plat/arm/common/fconf/arm_fconf_sp.c @@ -30,7 +30,7 @@ union uuid_helper_t uuid_helper; unsigned int index = 0; uint32_t val32; - const unsigned int sp_start_index = MAX_NUMBER_IDS - MAX_SP_IDS; + const unsigned int sp_start_index = SP_CONTENT_CERT_ID + 1; /* As libfdt use void *, we can't avoid this cast */ const void *dtb = (void *)config; diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h index 6db9b57..daf27a7 100644 --- a/tools/cert_create/include/cert.h +++ b/tools/cert_create/include/cert.h @@ -12,7 +12,7 @@ #include "ext.h" #include "key.h" -#define CERT_MAX_EXT 5 +#define CERT_MAX_EXT 9 /* * This structure contains information related to the generation of the diff --git a/tools/cert_create/include/dualroot/cot.h b/tools/cert_create/include/dualroot/cot.h index 5701206..47e371f 100644 --- a/tools/cert_create/include/dualroot/cot.h +++ b/tools/cert_create/include/dualroot/cot.h @@ -18,6 +18,7 @@ SOC_FW_CONTENT_CERT, TRUSTED_OS_FW_KEY_CERT, TRUSTED_OS_FW_CONTENT_CERT, + SIP_SECURE_PARTITION_CONTENT_CERT, FWU_CERT, /* Certificates owned by the platform owner. */ @@ -42,6 +43,14 @@ TRUSTED_OS_FW_EXTRA1_HASH_EXT, TRUSTED_OS_FW_EXTRA2_HASH_EXT, TRUSTED_OS_FW_CONFIG_HASH_EXT, + SP_PKG1_HASH_EXT, + SP_PKG2_HASH_EXT, + SP_PKG3_HASH_EXT, + SP_PKG4_HASH_EXT, + SP_PKG5_HASH_EXT, + SP_PKG6_HASH_EXT, + SP_PKG7_HASH_EXT, + SP_PKG8_HASH_EXT, SCP_FWU_CFG_HASH_EXT, AP_FWU_CFG_HASH_EXT, FWU_HASH_EXT, diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c index 8117ffc..2965828 100644 --- a/tools/cert_create/src/dualroot/cot.c +++ b/tools/cert_create/src/dualroot/cot.c @@ -137,6 +137,28 @@ .num_ext = 5 }, + [SIP_SECURE_PARTITION_CONTENT_CERT] = { + .id = SIP_SECURE_PARTITION_CONTENT_CERT, + .opt = "sip-sp-cert", + .help_msg = "SiP owned Secure Partition Content Certificate (output file)", + .fn = NULL, + .cn = "SiP owned Secure Partition Content Certificate", + .key = TRUSTED_WORLD_KEY, + .issuer = SIP_SECURE_PARTITION_CONTENT_CERT, + .ext = { + TRUSTED_FW_NVCOUNTER_EXT, + SP_PKG1_HASH_EXT, + SP_PKG2_HASH_EXT, + SP_PKG3_HASH_EXT, + SP_PKG4_HASH_EXT, + SP_PKG5_HASH_EXT, + SP_PKG6_HASH_EXT, + SP_PKG7_HASH_EXT, + SP_PKG8_HASH_EXT, + }, + .num_ext = 9 + }, + [FWU_CERT] = { .id = FWU_CERT, .opt = "fwu-cert", @@ -327,6 +349,87 @@ .optional = 1 }, + [SP_PKG1_HASH_EXT] = { + .oid = SP_PKG1_HASH_OID, + .opt = "sp-pkg1", + .help_msg = "Secure Partition Package1 file", + .sn = "SPPkg1Hash", + .ln = "SP Pkg1 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG2_HASH_EXT] = { + .oid = SP_PKG2_HASH_OID, + .opt = "sp-pkg2", + .help_msg = "Secure Partition Package2 file", + .sn = "SPPkg2Hash", + .ln = "SP Pkg2 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG3_HASH_EXT] = { + .oid = SP_PKG3_HASH_OID, + .opt = "sp-pkg3", + .help_msg = "Secure Partition Package3 file", + .sn = "SPPkg3Hash", + .ln = "SP Pkg3 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG4_HASH_EXT] = { + .oid = SP_PKG4_HASH_OID, + .opt = "sp-pkg4", + .help_msg = "Secure Partition Package4 file", + .sn = "SPPkg4Hash", + .ln = "SP Pkg4 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG5_HASH_EXT] = { + .oid = SP_PKG5_HASH_OID, + .opt = "sp-pkg5", + .help_msg = "Secure Partition Package5 file", + .sn = "SPPkg5Hash", + .ln = "SP Pkg5 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG6_HASH_EXT] = { + .oid = SP_PKG6_HASH_OID, + .opt = "sp-pkg6", + .help_msg = "Secure Partition Package6 file", + .sn = "SPPkg6Hash", + .ln = "SP Pkg6 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG7_HASH_EXT] = { + .oid = SP_PKG7_HASH_OID, + .opt = "sp-pkg7", + .help_msg = "Secure Partition Package7 file", + .sn = "SPPkg7Hash", + .ln = "SP Pkg7 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SP_PKG8_HASH_EXT] = { + .oid = SP_PKG8_HASH_OID, + .opt = "sp-pkg8", + .help_msg = "Secure Partition Package8 file", + .sn = "SPPkg8Hash", + .ln = "SP Pkg8 hash (SHA256)", + .asn1_type = V_ASN1_OCTET_STRING, + .type = EXT_TYPE_HASH, + .optional = 1 + }, + [SCP_FWU_CFG_HASH_EXT] = { .oid = SCP_FWU_CFG_HASH_OID, .opt = "scp-fwu-cfg", diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c index 86b8581..1c5ef5f 100644 --- a/tools/fiptool/tbbr_config.c +++ b/tools/fiptool/tbbr_config.c @@ -152,6 +152,11 @@ .cmdline_name = "nt-fw-cert" }, { + .name = "SiP owned Secure Partition content certificate", + .uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT, + .cmdline_name = "sip-sp-cert" + }, + { .name = NULL, .uuid = { {0} }, .cmdline_name = NULL, diff --git a/tools/sptool/sp_mk_generator.py b/tools/sptool/sp_mk_generator.py index 6b6fa19..f2387f6 100755 --- a/tools/sptool/sp_mk_generator.py +++ b/tools/sptool/sp_mk_generator.py @@ -11,7 +11,8 @@ must be relative to it. This script parses the layout file and generates a make file which updates -FDT_SOURCES, FIP_ARGS and SPTOOL_ARGS which are used in later build steps. +FDT_SOURCES, FIP_ARGS, CRT_ARGS and SPTOOL_ARGS which are used in later build +steps. This script also gets SP "uuid" from parsing its PM and converting it to a standard format. @@ -24,6 +25,7 @@ FDT_SOURCES += sp1.dts SPTOOL_ARGS += -i sp1.bin:sp1.dtb -o sp1.pkg FIP_ARGS += --blob uuid=XXXXX-XXX...,file=sp1.pkg + CRT_ARGS += --sp-pkg1 sp1.pkg A typical SP_LAYOUT_FILE file will look like { @@ -59,7 +61,7 @@ print(dtb_dir) with open(gen_file, 'w') as out_file: - for key in data.keys(): + for idx, key in enumerate(data.keys()): """ Append FDT_SOURCES @@ -97,4 +99,9 @@ Append FIP_ARGS """ out_file.write("FIP_ARGS += --blob uuid=" + uuid_std + ",file=" + dst + "\n") + + """ + Append CRT_ARGS + """ + out_file.write("CRT_ARGS += --sp-pkg" + str(idx + 1) + " " + dst + "\n") out_file.write("\n")