diff options
author | Sumit Garg <sumit.garg@linaro.org> | 2019-11-14 16:33:45 +0530 |
---|---|---|
committer | Sumit Garg <sumit.garg@linaro.org> | 2020-03-06 16:40:37 +0530 |
commit | c6ba9b4547b58d16b5e0f4ec331ff4422b1f1d66 (patch) | |
tree | e0d5a3d7867390e5f58f422008aae05642f9ea53 /make_helpers | |
parent | 90aa901fc1154d2b12aa8d838ef71be47ba3cd07 (diff) | |
download | trusted-firmware-a-c6ba9b4547b58d16b5e0f4ec331ff4422b1f1d66.tar.gz |
Makefile: Add support to optionally encrypt BL31 and BL32
Following build flags have been added to support optional firmware
encryption:
- FW_ENC_STATUS: Top level firmware's encryption numeric flag, values:
0: Encryption is done with Secret Symmetric Key (SSK) which is
common for a class of devices.
1: Encryption is done with Binding Secret Symmetric Key (BSSK) which
is unique per device.
- ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It
could be SSK or BSSK depending on FW_ENC_STATUS flag.
- ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector
(IV) in hex string format.
- ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware.
- ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload.
Similar flags can be added to encrypt other firmwares as well depending
on use-cases.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I94374d6830ad5908df557f63823e58383d8ad670
Diffstat (limited to 'make_helpers')
-rw-r--r-- | make_helpers/build_macros.mk | 45 | ||||
-rw-r--r-- | make_helpers/defaults.mk | 15 |
2 files changed, 57 insertions, 3 deletions
diff --git a/make_helpers/build_macros.mk b/make_helpers/build_macros.mk index 032e42c153..20a36fe08b 100644 --- a/make_helpers/build_macros.mk +++ b/make_helpers/build_macros.mk @@ -109,6 +109,22 @@ define IMG_BIN ${BUILD_PLAT}/bl$(1).bin endef +# IMG_ENC_BIN defines the default encrypted image file corresponding to a +# BL stage +# $(1) = BL stage (2, 30, 31, 32, 33) +define IMG_ENC_BIN + ${BUILD_PLAT}/bl$(1)_enc.bin +endef + +# ENCRYPT_FW invokes enctool to encrypt firmware binary +# $(1) = input firmware binary +# $(2) = output encrypted firmware binary +define ENCRYPT_FW +$(2): $(1) enctool + $$(ECHO) " ENC $$<" + $$(Q)$$(ENCTOOL) $$(ENC_ARGS) -i $$< -o $$@ +endef + # TOOL_ADD_PAYLOAD appends the command line arguments required by fiptool to # package a new payload and/or by cert_create to generate certificate. # Optionally, it adds the dependency on this payload @@ -116,11 +132,17 @@ endef # $(2) = command line option for the specified payload (i.e. --soc-fw) # $(3) = tool target dependency (optional) (ex. build/fvp/release/bl31.bin) # $(4) = FIP prefix (optional) (if FWU_, target is fwu_fip instead of fip) +# $(5) = encrypted payload (optional) (ex. build/fvp/release/bl31_enc.bin) define TOOL_ADD_PAYLOAD +ifneq ($(5),) + $(4)FIP_ARGS += $(2) $(5) + $(if $(3),$(4)CRT_DEPS += $(1)) +else $(4)FIP_ARGS += $(2) $(1) + $(if $(3),$(4)CRT_DEPS += $(3)) +endif $(if $(3),$(4)FIP_DEPS += $(3)) $(4)CRT_ARGS += $(2) $(1) - $(if $(3),$(4)CRT_DEPS += $(3)) endef # TOOL_ADD_IMG_PAYLOAD works like TOOL_ADD_PAYLOAD, but applies image filters @@ -130,6 +152,7 @@ endef # $(3) = command line option for the specified payload (ex. --soc-fw) # $(4) = tool target dependency (optional) (ex. build/fvp/release/bl31.bin) # $(5) = FIP prefix (optional) (if FWU_, target is fwu_fip instead of fip) +# $(6) = encrypted payload (optional) (ex. build/fvp/release/bl31_enc.bin) define TOOL_ADD_IMG_PAYLOAD @@ -143,10 +166,10 @@ $(call $(PRE_TOOL_FILTER)_RULE,$(PROCESSED_PATH),$(2)) $(PROCESSED_PATH): $(4) -$(call TOOL_ADD_PAYLOAD,$(PROCESSED_PATH),$(3),$(PROCESSED_PATH),$(5)) +$(call TOOL_ADD_PAYLOAD,$(PROCESSED_PATH),$(3),$(PROCESSED_PATH),$(5),$(6)) else -$(call TOOL_ADD_PAYLOAD,$(2),$(3),$(4),$(5)) +$(call TOOL_ADD_PAYLOAD,$(2),$(3),$(4),$(5),$(6)) endif endef @@ -164,6 +187,7 @@ endef # $(1) = image_type (scp_bl2, bl33, etc.) # $(2) = command line option for fiptool (--scp-fw, --nt-fw, etc) # $(3) = FIP prefix (optional) (if FWU_, target is fwu_fip instead of fip) +# $(4) = Image encryption flag (optional) (0, 1) # Example: # $(eval $(call TOOL_ADD_IMG,bl33,--nt-fw)) define TOOL_ADD_IMG @@ -173,7 +197,14 @@ define TOOL_ADD_IMG $(3)CRT_DEPS += check_$(1) $(3)FIP_DEPS += check_$(1) +ifeq ($(4),1) + $(eval ENC_BIN := ${BUILD_PLAT}/$(1)_enc.bin) + $(call ENCRYPT_FW,$(value $(_V)),$(ENC_BIN)) + $(call TOOL_ADD_IMG_PAYLOAD,$(1),$(value $(_V)),$(2),$(ENC_BIN),$(3), \ + $(ENC_BIN)) +else $(call TOOL_ADD_IMG_PAYLOAD,$(1),$(value $(_V)),$(2),,$(3)) +endif .PHONY: check_$(1) check_$(1): @@ -390,6 +421,7 @@ endef # $(1) = BL stage (1, 2, 2u, 31, 32) # $(2) = FIP command line option (if empty, image will not be included in the FIP) # $(3) = FIP prefix (optional) (if FWU_, target is fwu_fip instead of fip) +# $(4) = BL encryption flag (optional) (0, 1) define MAKE_BL $(eval BUILD_DIR := ${BUILD_PLAT}/bl$(1)) $(eval BL_SOURCES := $(BL$(call uppercase,$(1))_SOURCES)) @@ -400,6 +432,7 @@ define MAKE_BL $(eval ELF := $(call IMG_ELF,$(1))) $(eval DUMP := $(call IMG_DUMP,$(1))) $(eval BIN := $(call IMG_BIN,$(1))) + $(eval ENC_BIN := $(call IMG_ENC_BIN,$(1))) $(eval BL_LINKERFILE := $(BL$(call uppercase,$(1))_LINKERFILE)) $(eval BL_LIBS := $(BL$(call uppercase,$(1))_LIBS)) # We use sort only to get a list of unique object directory names. @@ -480,7 +513,13 @@ endif all: bl$(1) +ifeq ($(4),1) +$(call ENCRYPT_FW,$(BIN),$(ENC_BIN)) +$(if $(2),$(call TOOL_ADD_IMG_PAYLOAD,bl$(1),$(BIN),--$(2),$(ENC_BIN),$(3), \ + $(ENC_BIN))) +else $(if $(2),$(call TOOL_ADD_IMG_PAYLOAD,bl$(1),$(BIN),--$(2),$(BIN),$(3))) +endif endef diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 012760733a..03322db198 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -109,6 +109,18 @@ ENABLE_BTI := 0 # Use BRANCH_PROTECTION to enable PAUTH. ENABLE_PAUTH := 0 +# By default BL31 encryption disabled +ENCRYPT_BL31 := 0 + +# By default BL32 encryption disabled +ENCRYPT_BL32 := 0 + +# Default dummy firmware encryption key +ENC_KEY := 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + +# Default dummy nonce for firmware encryption +ENC_NONCE := 1234567890abcdef12345678 + # Build flag to treat usage of deprecated platform and framework APIs as error. ERROR_DEPRECATED := 0 @@ -124,6 +136,9 @@ FIP_NAME := fip.bin # Default FWU_FIP file name FWU_FIP_NAME := fwu_fip.bin +# By default firmware encryption with SSK +FW_ENC_STATUS := 0 + # For Chain of Trust GENERATE_COT := 0 |