Building FIP images with support for Trusted Board Boot
=======================================================

Trusted Board Boot primarily consists of the following two features:

-  Image Authentication, described in :ref:`Trusted Board Boot`, and
-  Firmware Update, described in :ref:`Firmware Update (FWU)`

The following steps should be followed to build FIP and (optionally) FWU_FIP
images with support for these features:

#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser
   modules by checking out a recent version of the `mbed TLS Repository`_. It
   is important to use a version that is compatible with TF-A and fixes any
   known security vulnerabilities. See `mbed TLS Security Center`_ for more
   information. See the :ref:`Prerequisites` document for the appropriate
   version of mbed TLS to use.

   The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS
   source files the modules depend upon.
   ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration
   options required to build the mbed TLS sources.

   Note that the mbed TLS library is licensed under the Apache version 2.0
   license. Using mbed TLS source code will affect the licensing of TF-A
   binaries that are built using this library.

#. To build the FIP image, ensure the following command line variables are set
   while invoking ``make`` to build TF-A:

   -  ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>``
   -  ``TRUSTED_BOARD_BOOT=1``
   -  ``GENERATE_COT=1``

   In the case of Arm platforms, the location of the ROTPK hash must also be
   specified at build time. Two locations are currently supported (see
   ``ARM_ROTPK_LOCATION`` build option):

   -  ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
      root-key storage registers present in the platform. On Juno, these
      registers are read-only. On FVP Base and Cortex models, the registers
      are read-only, but the value can be specified using the command line
      option ``bp.trusted_key_storage.public_key`` when launching the model.
      On both Juno and FVP models, the default value corresponds to an
      ECDSA-SECP256R1 public key hash, whose private part is not currently
      available.

   -  ``ARM_ROTPK_LOCATION=devel_rsa``: use the ROTPK hash that is hardcoded
      in the Arm platform port. The private/public RSA key pair may be
      found in ``plat/arm/board/common/rotpk``.

   -  ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the ROTPK hash that is hardcoded
      in the Arm platform port. The private/public ECDSA key pair may be
      found in ``plat/arm/board/common/rotpk``.

   Example of command line using RSA development keys:

   .. code:: shell

       MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
       make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1        \
       ARM_ROTPK_LOCATION=devel_rsa                                    \
       ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem        \
       BL33=<path-to>/<bl33_image>                                     \
       all fip

   The result of this build will be the bl1.bin and the fip.bin binaries. This
   FIP will include the certificates corresponding to the Chain of Trust
   described in the TBBR-client document. These certificates can also be found
   in the output build directory.

#. The optional FWU_FIP contains any additional images to be loaded from
   Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
   FWU_FIP, any FWU images required by the platform must be specified on the
   command line. On Arm development platforms like Juno, these are:

   -  NS_BL2U. The AP non-secure Firmware Updater image.
   -  SCP_BL2U. The SCP Firmware Update Configuration image.

   Example of Juno command line for generating both ``fwu`` and ``fwu_fip``
   targets using RSA development keys:

   ::

       MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
       make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1              \
       ARM_ROTPK_LOCATION=devel_rsa                                    \
       ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem        \
       BL33=<path-to>/<bl33_image>                                     \
       SCP_BL2=<path-to>/<scp_bl2_image>                               \
       SCP_BL2U=<path-to>/<scp_bl2u_image>                             \
       NS_BL2U=<path-to>/<ns_bl2u_image>                               \
       all fip fwu_fip

   .. note::
      The BL2U image will be built by default and added to the FWU_FIP.
      The user may override this by adding ``BL2U=<path-to>/<bl2u_image>``
      to the command line above.

   .. note::
      Building and installing the non-secure and SCP FWU images (NS_BL1U,
      NS_BL2U and SCP_BL2U) is outside the scope of this document.

   The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
   Both the FIP and FWU_FIP will include the certificates corresponding to the
   Chain of Trust described in the TBBR-client document. These certificates
   can also be found in the output build directory.

--------------

*Copyright (c) 2019, Arm Limited. All rights reserved.*

.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git
.. _mbed TLS Security Center: https://tls.mbed.org/security
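
The ``devel_rsa`` and ``devel_ecdsa`` options rely on key pairs that ship in the source tree under ``plat/arm/board/common/rotpk``, so a release pipeline can lint the ``make`` variables from the steps above before building. The shell function below is an added example, not part of TF-A or of the original document; the name ``check_tbb_args``, its exit statuses and the sample invocation (including the ``/opt/mbedtls`` path) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not TF-A code): lint the variables of a TF-A make invocation.
# check_tbb_args is a hypothetical helper; its exit statuses are this example's own:
#   0 = TBB variables set and no development ROTPK selected
#   1 = a variable required for a TBB FIP build is missing
#   2 = development ROTPK hash or in-tree ROT_KEY in use
check_tbb_args() {
    tbb= cot= mbed= loc= rotkey=
    # Pass every VAR=value of the command line, including MBEDTLS_DIR.
    for arg in "$@"; do
        case $arg in
            TRUSTED_BOARD_BOOT=*) tbb=${arg#*=} ;;
            GENERATE_COT=*)       cot=${arg#*=} ;;
            MBEDTLS_DIR=*)        mbed=${arg#*=} ;;
            ARM_ROTPK_LOCATION=*) loc=${arg#*=} ;;
            ROT_KEY=*)            rotkey=${arg#*=} ;;
        esac
    done
    status=0
    [ "$tbb" = 1 ] || { echo "FAIL: TRUSTED_BOARD_BOOT=1 not set"; status=1; }
    [ "$cot" = 1 ] || { echo "FAIL: GENERATE_COT=1 not set"; status=1; }
    [ -n "$mbed" ] || { echo "FAIL: MBEDTLS_DIR not set"; status=1; }
    [ "$status" -eq 0 ] || return 1
    # The hardcoded hashes match keys whose private halves are in the repo.
    case $loc in
        devel_rsa|devel_ecdsa)
            echo "DEV: ARM_ROTPK_LOCATION=$loc uses the hardcoded development hash"
            status=2 ;;
    esac
    # Signing with an in-tree key is flagged whatever the hash location is.
    case $rotkey in
        plat/arm/board/common/rotpk/*|*/plat/arm/board/common/rotpk/*)
            echo "DEV: ROT_KEY=$rotkey is a key shipped in the source tree"
            status=2 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: TBB variables set, no development ROTPK"
    return "$status"
}

# Constructed sample: the RSA development-key build from step 2, PLAT=juno.
check_tbb_args MBEDTLS_DIR=/opt/mbedtls PLAT=juno TRUSTED_BOARD_BOOT=1 \
    GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
    ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
    || echo "exit status: $?"
```

A pipeline would fail the release job on any non-zero status and allow status 2 only for development builds.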