run_config/certificates.keys

#!/usr/bin/env bash
#
# Copyright (c) 2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#

# This run fragment is used to generate boot certificates and key files.

post_tf_build() {
	local bl31_key_file="${workspace}/bl31-key.pem"
	local bl32_key_file="${workspace}/bl32-key.pem"
	local bl33_key_file="${workspace}/bl33-key.pem"
	local trusted_key_file="${workspace}/trusted-private-key.pem"
	local non_trusted_key_file="${workspace}/non-trusted-private-key.pem"

	local key_files=(
		"$bl31_key_file"
		"$bl33_key_file"
		"$trusted_key_file"
		"$non_trusted_key_file"
	)

	# BL32 key only gets generated if building TF-A with an SPD.
	if upon "$(get_tf_opt SPD)"; then
	    key_files+=("$bl32_key_file")
	fi

	# Generate the boot certificates and key files.
	#
	# Note that even if we do not generate a FIP, TF-A build system still
	# demands a BL33 image so provide a dummy one.
	tf_extra_rules="certificates" build_tf_extra		\
		BL33="$(mktempfile)"				\
		GENERATE_COT=1					\
		CREATE_KEYS=1					\
		SAVE_KEYS=1					\
		BL31_KEY="$bl31_key_file"			\
		BL32_KEY="$bl32_key_file"			\
		BL33_KEY="$bl33_key_file"			\
		TRUSTED_WORLD_KEY="$trusted_key_file"		\
		NON_TRUSTED_WORLD_KEY="$non_trusted_key_file"	\


	echo "Checking that the keys got correctly generated and saved..."

	for i in "${!key_files[@]}"; do
		# A valid private key file in PEM format starts with:
		# -----BEGIN PRIVATE KEY-----
		grep -q 'BEGIN PRIVATE KEY' "${key_files[$i]}" || \
			(echo "Key file \"${key_files[$i]}\" is incorrect." && exit 1)
	done

	echo "All keys verified."
}