aboutsummaryrefslogtreecommitdiff
path: root/tools
AgeCommit message (Collapse)Author
2015-12-14Remove dashes from image names: 'BL3-x' --> 'BL3x'Juan Castillo
This patch removes the dash character from the image name, to follow the image terminology in the Trusted Firmware Wiki page: https://github.com/ARM-software/arm-trusted-firmware/wiki Changes apply to output messages, comments and documentation. non-ARM platform files have been left unmodified. Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
2015-12-14Replace all SCP FW (BL0, BL3-0) referencesJuan Castillo
This patch replaces all references to the SCP Firmware (BL0, BL30, BL3-0, bl30) with the image terminology detailed in the TF wiki (https://github.com/ARM-software/arm-trusted-firmware/wiki): BL0 --> SCP_BL1 BL30, BL3-0 --> SCP_BL2 bl30 --> scp_bl2 This change affects code, documentation, build system, tools and platform ports that load SCP firmware. ARM plaforms have been updated to the new porting API. IMPORTANT: build option to specify the SCP FW image has changed: BL30 --> SCP_BL2 IMPORTANT: This patch breaks compatibility for platforms that use BL2 to load SCP firmware. Affected platforms must be updated as follows: BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID BL30_BASE --> SCP_BL2_BASE bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo() bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2() Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
2015-12-14TBB: apply TBBR naming convention to certificates and extensionsJuan Castillo
This patch applies the TBBR naming convention to the certificates and the corresponding extensions defined by the CoT: * Certificate UUID names * Certificate identifier names * OID names Changes apply to: * Generic code (variables and defines) * The default certificate identifiers provided in the generic code * Build system * ARM platforms port * cert_create tool internal definitions * fip_create and cert_create tools command line options * Documentation IMPORTANT: this change breaks the compatibility with platforms that use TBBR. The platform will need to adapt the identifiers and OIDs to the TBBR naming convention introduced by this patch: Certificate UUIDs: UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT Certificate identifiers: BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID OIDs: TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID BL30_HASH_OID --> SCP_FW_HASH_OID BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID BL31_HASH_OID --> SOC_AP_FW_HASH_OID BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID NS_BL2U_HASH_OID --> FWU_HASH_OID Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
2015-12-09FWU: Add FWU support to `fip_create` toolYatharth Kochar
Firmware Update (FWU) introduces a new set of images called SCP_BL2U, BL2U and NS_BL2U, which can be packed in a FWU FIP file. This patch introduces new UUIDs for the Firmware Update images and extends the 'fip'create' tool so that these new images can be packed in a FIP file. Change-Id: I7c60211b4f3cc265411efb131e6d3c624768f522
2015-12-09FWU: Add FWU support to `cert_create` toolYatharth Kochar
Firmware Update requires an X509v3 certificate which contains hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions. This patch extends the Chain of Trust definition in the 'cert_create' tool to include the Firmware Update certificate and the required extensions (including command line options). A new field in the extension structure will be used to indicate that the extension is optional. In the case of an image hash extension, this field will tell the tool that the hash should be included in the certificate, but filled with zeros. Change-Id: I1f77a66b018826b71745910771f38d9cf6050388
2015-10-23cert_create: specify command line options in the CoTJuan Castillo
This patch introduces a new API that allows to specify command line options in the Chain of Trust description. These command line options may be used to specify parameters related to the CoT (i.e. keys or certificates), instead of keeping a hardcoded list of options in main.c. Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
2015-10-23cert_create: improve command line argument checkJuan Castillo
The certificate generation tool currently checks if all command line options required to create all certificates in the CoT have been specified. This prevents using the tool to create individual certificates when the whole CoT is not required. This patch improves the checking function so only those options required by the certificates specified in the command line are verified. Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
2015-07-16TBB: rework cert_create tool to follow a data driven approachJuan Castillo
This patch reworks the certificate generation tool to follow a data driven approach. The user may specify at build time the certificates, keys and extensions defined in the CoT, register them using the appropiate macros and the tool will take care of creating the certificates corresponding to the CoT specified. Change-Id: I29950b39343c3e1b71718fce0e77dcf2a9a0be2f
2015-07-01TBB: build 'cert_create' with ECDSA only if OpenSSL supports itJuan Castillo
Some Linux distributions include an OpenSSL library which has been built without ECDSA support. Trying to build the certificate generation tool on those distributions will result in a build error. This patch fixes that issue by including ECDSA support only if OpenSSL has been built with ECDSA. In that case, the OpenSSL configuration file does not define the OPENSSL_NO_EC macro. The tool will build successfully, although the resulting binary will not support ECDSA keys. Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
2015-06-25TBB: add ECDSA support to the certificate generation toolJuan Castillo
This patch extends the 'cert_create' tool to support ECDSA keys to sign the certificates. The '--key-alg' command line option can be used to specify the key algorithm when invoking the tool. Available options are: * 'rsa': create RSA-2048 keys (default option) * 'ecdsa': create ECDSA-SECP256R1 keys The TF Makefile has been updated to allow the platform to specify the key algorithm by declaring the 'KEY_ALG' variable in the platform makefile. The behaviour regarding key management has changed. After applying this patch, the tool will try first to open the keys from disk. If one key does not exist or no key is specified, and the command line option to create keys has been specified, new keys will be created. Otherwise an error will be generated and the tool will exit. This way, the user may specify certain keys while the tool will create the remaining ones. This feature is useful for testing purposes and CI infrastructures. The OpenSSL directory may be specified using the build option 'OPENSSL_DIR' when building the certificate generation tool. Default is '/usr'. Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
2015-06-25TBB: use ASN.1 type DigestInfo to represent hashesJuan Castillo
The cert_create tool calculates the hash of each BL image and includes it as an ASN.1 OCTET STRING in the corresponding certificate extension. Without additional information, the firmware running on the platform has to know in advance the algorithm used to generate the hash. This patch modifies the cert_create tool so the certificate extensions that include an image hash are generated according to the following ASN.1 structure: DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } The PolarSSL module has been updated to extract the image hash from the certificate extension according to this structure. Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
2015-04-28Allow deeper platform port directory structureDan Handley
Update the top level makefile to allow platform ports to exist in subdirectories at any level instead of one level under `plat/`. The makefile recursively searches for all files called `platform.mk` in all subdirectories of `plat/`. The directory containing `platform.mk` is the platform name. Platform names must be unique across the codebase. Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since these are both used to report the same information back to the user. Update the TSP and cert_create tool makefiles in a similar way to support a deeper platform port directory structure. Also add PLAT_<plat_name> as a define passed through the top level makefile to the source files, to allow build time variation in common platform code. Change-Id: I213420164808c5ddb99a26144e8e3f141a7417b7
2015-03-05TBB: use SHA256 to generate the certificate signaturesJuan Castillo
This patch replaces SHA1 by SHA256 in the 'cert_create' tool, so certificate signatures are generated according to the NSA Suite B cryptographic algorithm requirements. Documentation updated accordingly. Change-Id: I7be79e6b2b62dac8dc78a4f4f5006e37686bccf6
2015-01-28TBB: add support to include certificates in a FIP imageJuan Castillo
This patch extends the FIP tool to include the certificates generated by the 'cert_create' tool. If GENERATE_COT build option is enabled, the Makefile adds the certificates as dependencies to create the FIP file. Thus, make target 'fip' will also build the certificates as part of the Trusted Firmware build process. Change-Id: I5eee500da7f7be6cfb6e3df0423599739d260074
2015-01-28TBB: add tool to generate certificatesJuan Castillo
This patch adds a tool that generates all the necessary elements to establish the chain of trust (CoT) between the images. The tool reads the binary images and signing keys and outputs the corresponding certificates that will be used by the target at run time to verify the authenticity of the images. Note: the platform port must provide the file platform_oid.h. This file will define the OIDs of the x509 extensions that will be added to the certificates in order to establish the CoT. Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
2014-12-10fip_create: don't succeed if one of the passed files doesn't existKévin Petit
If one of the files passed to fip_create on the command line doesn't exist, it will print an error message but produce an incomplete fip.bin file and report success. This behaviour could potentially hide errors made in the command line arguments. This patch addresses the issue by having the tool bail out if one of the supplied files can't be processed. Signed-off-by: Kévin Petit <kevin.petit@arm.com> Fixes ARM-software/tf-issues#279 Change-Id: I1c7d87d09eb4c063005b7969bdaad1d043c29dec
2014-11-26Fix problem of dependencies on the fiptool makefile targetSandrine Bailleux
The 'fiptool' target doesn't depend on fip_create's source files, neither directly nor indirectly. As a result, the FIP tool is not rebuilt whenever its source files change. This patch makes the ${FIPTOOL} target into a phony target so that the FIP tool's sub-makefile is always called. The sub-makefile correctly handles the dependencies. It also moves the completion message into the sub-makefile so that it is only displayed when the tool is actually recompiled. Fixes ARM-software/tf-issues#278 Change-Id: Ia027519fe51d3c42be30665d1ad20a7b89fa350f
2014-05-19Improve BL3-0 documentationHarry Liebel
Provide some information about the expected use of BL3-0. Fixes ARM-software/tf-issues#144 Change-Id: I5c8d59a675578394be89481ae4ec39ca37522750
2014-05-06Always use named structs in header filesDan Handley
Add tag names to all unnamed structs in header files. This allows forward declaration of structs, which is necessary to reduce header file nesting (to be implemented in a subsequent commit). Also change the typedef names across the codebase to use the _t suffix to be more conformant with the Linux coding style. The coding style actually prefers us not to use typedefs at all but this is considered a step too far for Trusted Firmware. Also change the IO framework structs defintions to use typedef'd structs to be consistent with the rest of the codebase. Change-Id: I722b2c86fc0d92e4da3b15e5cab20373dd26786f
2014-05-06Move include and source files to logical locationsDan Handley
Move almost all system include files to a logical sub-directory under ./include. The only remaining system include directories not under ./include are specific to the platform. Move the corresponding source files to match the include directory structure. Also remove pm.h as it is no longer used. Change-Id: Ie5ea6368ec5fad459f3e8a802ad129135527f0b3
2014-03-21FIP tool: Fix error message for missing FIP filenameSandrine Bailleux
Previously to this path, the FIP tool used to print the following, misleading error message when called without any argument or with '--help' option: ERROR: Too many arguments This patch fixes this behavior by printing the following error message instead: ERROR: Missing FIP filename If called with '--help', no error message is printed and only the help message is displayed. Change-Id: Ib281b056f5cd3bc2f66d98be0b0cb2a0aed7c6a8
2014-03-21FIP tool: Add support for '--help' option.Sandrine Bailleux
Also improve the help message printed by the FIP tool. Change-Id: If0f802f1083458182ca8ce57e8c104d40eee0dbe
2014-03-21FIP tool: Small optimisation for option parsingSandrine Bailleux
This patch makes use of different values for '--dump' and other command-line options. This makes the code simpler and also optimises it a bit (because it avoids a string comparison). Change-Id: I1c8345f210074fc5f962ea0282fd3625775dec69
2014-02-20Cleanup FIP build targets and messagesJeenu Viswambharan
At present the fip.bin depends on phony targets for BL images, resulting in unconditional remake of fip.bin. Also the build messages doesn't match with the rest of build system. This patch modifies the fip.bin dependencies to the actual BL binary images so that fip.bin is remade only when the component images are rebuilt/modified. The build messages and FIP Makefile are modified to match the style of rest of the build system. Change-Id: I8dd08666ff766d106820a5b4b037c2161bcf140f
2014-02-17Add Firmware Image Package creation toolHarry Liebel
This tool can be used to create a Firmware Image Packages (FIP). These FIPs store a combined set of firmware images with a Table of Contents (ToC) that can be loaded by the firmware from platform storage. - Add uuid.h from FreeBSD. - Use symbolic links to shared headers otherwise unwanted headers and definitions are pulled in. - A FIP is created as part of the default FVP build. - A BL3-3 image(e.g. UEFI) must be provided. Change-Id: Ib73feee181df2dba68bf6abec115a83cfa5e26cb