Build: Refine the measured boot build options
Move measured boot build options into the common platform CMakeLists,
as these options are part of the common boot HAL, available to any
platform.
Unlink the measured boot options from TFM_PARTITION_MEASURED_BOOT to
make it possible to configure the boot options separately from the
runtime config. There are three configs for the bootloader:
- CONFIG_TFM_BOOT_STORE_MEASUREMENTS = OFF
No measured boot.
- CONFIG_TFM_BOOT_STORE_MEASUREMENTS = ON
- CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS = OFF
Boot measurements stored in unencoded format defined by TF-M
boot HAL. Boot measurements available from BL1 and BL2.
- CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS = ON
Boot measurements stored in MCUboot CBOR-encoded format. Boot
measurements only available from MCUboot BL2.
Use TFM_MEASURED_BOOT_API as the C definition for unencoded TF-M
measurements, to correspond to MCUBOOT_MEASURED_BOOT for MCUboot
measurements.
Remove BL1 measured boot and not TFM_PARTITION_MEASURED_BOOT invalid
config, as other partitions could process the BL1 shared data in future.
Remove TFM_PARTITION_MEASURED_BOOT option from CS1000, since it does not
build the measured boot partition, the option was only added to avoid
invalid config.
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
Change-Id: I7f2901b970233a9861d0883a845e90e3e64ceb6e
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index ad5be27..6c5c7d1 100755
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -203,6 +203,7 @@
PRIVATE
bl2_hal
mcuboot_config
+ $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<NOT:$<BOOL:${CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS}>>>:tfm_boot_status>
)
target_compile_definitions(platform_bl2
@@ -218,6 +219,7 @@
$<$<BOOL:${TFM_DUMMY_PROVISIONING}>:TFM_DUMMY_PROVISIONING>
$<$<BOOL:${PLATFORM_DEFAULT_NV_COUNTERS}>:PLATFORM_DEFAULT_NV_COUNTERS>
$<$<BOOL:${PLATFORM_DEFAULT_OTP_WRITEABLE}>:OTP_WRITEABLE>
+ $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<NOT:$<BOOL:${CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS}>>>:TFM_MEASURED_BOOT_API>
)
target_compile_options(platform_bl2
@@ -255,6 +257,7 @@
$<$<BOOL:${PLATFORM_DEFAULT_OTP_WRITEABLE}>:OTP_WRITEABLE>
$<$<BOOL:${TFM_BL1_MEMORY_MAPPED_FLASH}>:TFM_BL1_MEMORY_MAPPED_FLASH>
$<$<BOOL:${TFM_BL1_2_IN_OTP}>:TFM_BL1_2_IN_OTP>
+ $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<NOT:$<BOOL:${CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS}>>>:TFM_MEASURED_BOOT_API>
)
target_sources(platform_bl1_1
@@ -305,6 +308,7 @@
$<$<BOOL:${PLATFORM_DEFAULT_OTP_WRITEABLE}>:OTP_WRITEABLE>
$<$<BOOL:${TFM_BL1_MEMORY_MAPPED_FLASH}>:TFM_BL1_MEMORY_MAPPED_FLASH>
$<$<BOOL:${TFM_BL1_2_IN_OTP}>:TFM_BL1_2_IN_OTP>
+ $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<NOT:$<BOOL:${CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS}>>>:TFM_MEASURED_BOOT_API>
)
target_sources(platform_bl1_2
diff --git a/platform/ext/common/boot_hal_bl1_1.c b/platform/ext/common/boot_hal_bl1_1.c
index 4bc40ef..e5fd405 100644
--- a/platform/ext/common/boot_hal_bl1_1.c
+++ b/platform/ext/common/boot_hal_bl1_1.c
@@ -17,11 +17,11 @@
#include "tfm_plat_otp.h"
#include "fih.h"
-#ifdef MEASURED_BOOT_API
+#ifdef TFM_MEASURED_BOOT_API
#include "region_defs.h"
#include "tfm_boot_status.h"
#include "boot_measurement.h"
-#endif /* MEASURED_BOOT_API */
+#endif /* TFM_MEASURED_BOOT_API */
#ifndef TFM_BL1_MEMORY_MAPPED_FLASH
/* Flash device name must be specified by target */
@@ -169,7 +169,7 @@
return 0;
}
-#ifdef MEASURED_BOOT_API
+#ifdef TFM_MEASURED_BOOT_API
static int boot_add_data_to_shared_area(uint8_t major_type,
uint16_t minor_type,
size_t size,
@@ -270,4 +270,4 @@
return rc;
}
-#endif /* MEASURED_BOOT_API */
+#endif /* TFM_MEASURED_BOOT_API */
diff --git a/platform/ext/common/boot_hal_bl1_2.c b/platform/ext/common/boot_hal_bl1_2.c
index f36814e..1fe3510 100644
--- a/platform/ext/common/boot_hal_bl1_2.c
+++ b/platform/ext/common/boot_hal_bl1_2.c
@@ -16,11 +16,11 @@
#include "uart_stdout.h"
#include "fih.h"
-#ifdef MEASURED_BOOT_API
+#ifdef TFM_MEASURED_BOOT_API
#include "region_defs.h"
#include "tfm_boot_status.h"
#include "boot_measurement.h"
-#endif /* MEASURED_BOOT_API */
+#endif /* TFM_MEASURED_BOOT_API */
#ifndef TFM_BL1_MEMORY_MAPPED_FLASH
/* Flash device name must be specified by target */
@@ -200,7 +200,7 @@
return 0;
}
-#ifdef MEASURED_BOOT_API
+#ifdef TFM_MEASURED_BOOT_API
static int boot_add_data_to_shared_area(uint8_t major_type,
uint16_t minor_type,
size_t size,
@@ -301,4 +301,4 @@
return rc;
}
-#endif /* MEASURED_BOOT_API */
+#endif /* TFM_MEASURED_BOOT_API */
diff --git a/platform/ext/common/boot_hal_bl2.c b/platform/ext/common/boot_hal_bl2.c
index ceadb74..d0f111c 100644
--- a/platform/ext/common/boot_hal_bl2.c
+++ b/platform/ext/common/boot_hal_bl2.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -17,11 +17,11 @@
#include "fih.h"
#endif /* CRYPTO_HW_ACCELERATOR */
-#ifdef MEASURED_BOOT_API
+#ifdef TFM_MEASURED_BOOT_API
#include "region_defs.h"
#include "tfm_boot_status.h"
#include "boot_measurement.h"
-#endif /* MEASURED_BOOT_API */
+#endif /* TFM_MEASURED_BOOT_API */
/* Flash device names must be specified by target */
#ifdef FLASH_DEV_NAME
@@ -245,7 +245,7 @@
return 0;
}
-#ifdef MEASURED_BOOT_API
+#ifdef TFM_MEASURED_BOOT_API
static int boot_add_data_to_shared_area(uint8_t major_type,
uint16_t minor_type,
size_t size,
@@ -346,4 +346,4 @@
return rc;
}
-#endif /* MEASURED_BOOT_API */
+#endif /* TFM_MEASURED_BOOT_API */
diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt
index 39ee783..e6cf15b 100644
--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt
+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt
@@ -174,7 +174,6 @@
target_compile_definitions(platform_bl1_1
PUBLIC
$<$<BOOL:${PLATFORM_IS_FVP}>:PLATFORM_IS_FVP>
- $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<BOOL:${TFM_PARTITION_MEASURED_BOOT}>>:MEASURED_BOOT_API>
$<$<BOOL:${PLATFORM_DEFAULT_OTP_WRITEABLE}>:OTP_WRITEABLE>
$<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:CRYPTO_HW_ACCELERATOR>
$<$<BOOL:${CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING}>:CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING>
@@ -214,7 +213,6 @@
target_compile_definitions(platform_bl1_2
PUBLIC
$<$<BOOL:${PLATFORM_IS_FVP}>:PLATFORM_IS_FVP>
- $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<BOOL:${TFM_PARTITION_MEASURED_BOOT}>>:MEASURED_BOOT_API>
$<$<BOOL:${PLATFORM_DEFAULT_OTP_WRITEABLE}>:OTP_WRITEABLE>
$<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:CRYPTO_HW_ACCELERATOR>
$<$<BOOL:${CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING}>:CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING>
@@ -395,4 +393,3 @@
--bundle_output_file bl1_provisioning_bundle.bin
COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/bl1_provisioning_bundle.bin $<TARGET_FILE_DIR:bl1_1>
)
-
diff --git a/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt b/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt
index 0493e7c..09238f1 100644
--- a/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt
+++ b/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt
@@ -311,7 +311,7 @@
../partition
)
-if (CONFIG_TFM_BOOT_STORE_MEASUREMENTS)
+if (CONFIG_TFM_BOOT_STORE_MEASUREMENTS AND CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS)
set(MCUBOOT_MEASURED_BOOT ON)
endif()
diff --git a/platform/ext/target/arm/corstone1000/config.cmake b/platform/ext/target/arm/corstone1000/config.cmake
index 5b1e969..d09bb3f 100644
--- a/platform/ext/target/arm/corstone1000/config.cmake
+++ b/platform/ext/target/arm/corstone1000/config.cmake
@@ -63,7 +63,6 @@
set(TFM_PARTITION_CRYPTO ON CACHE BOOL "Enable Crypto partition")
set(TFM_PARTITION_INITIAL_ATTESTATION ON CACHE BOOL "Enable Initial Attestation partition")
set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON CACHE BOOL "Enable Internal Trusted Storage partition")
-set(TFM_PARTITION_MEASURED_BOOT ON CACHE BOOL "Enable Measured boot partition")
if (${CMAKE_BUILD_TYPE} STREQUAL Debug OR ${CMAKE_BUILD_TYPE} STREQUAL RelWithDebInfo)
diff --git a/platform/ext/target/arm/rss/common/CMakeLists.txt b/platform/ext/target/arm/rss/common/CMakeLists.txt
index fa69042..5b1d858 100644
--- a/platform/ext/target/arm/rss/common/CMakeLists.txt
+++ b/platform/ext/target/arm/rss/common/CMakeLists.txt
@@ -303,16 +303,6 @@
$<$<BOOL:${PLATFORM_HAS_BOOT_DMA}>:${COMPILER_CMSE_FLAG}>
)
-target_link_libraries(platform_bl2
- PRIVATE
- $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<BOOL:${TFM_PARTITION_MEASURED_BOOT}>>:tfm_boot_status>
-)
-
-target_compile_definitions(platform_bl2
- PUBLIC
- $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<BOOL:${TFM_PARTITION_MEASURED_BOOT}>>:MEASURED_BOOT_API>
-)
-
#========================= Platform bl1_1 =======================================#
target_sources(platform_bl1_1
@@ -353,7 +343,6 @@
target_compile_definitions(platform_bl1_1_interface
INTERFACE
- $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<BOOL:${TFM_PARTITION_MEASURED_BOOT}>>:MEASURED_BOOT_API>
RSS_AMOUNT=${RSS_AMOUNT}
KMU_CONFIG_EXTERNAL_SECURE_WORD_COPY
$<$<BOOL:${RSS_ENCRYPTED_OTP_KEYS}>:RSS_ENCRYPTED_OTP_KEYS>
@@ -393,7 +382,6 @@
target_compile_definitions(platform_bl1_2
PUBLIC
- $<$<AND:$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>,$<BOOL:${TFM_PARTITION_MEASURED_BOOT}>>:MEASURED_BOOT_API>
$<$<BOOL:${RSS_AMOUNT}>:RSS_AMOUNT=${RSS_AMOUNT}>
)