Buildroot Archive mirror
 help / color / mirror / Atom feed

From: Javad Rahimipetroudi via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>,
	Sergey Matyukevich <geomatsi@gmail.com>
Subject: [Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option
Date: Thu, 28 Mar 2024 19:12:47 +0100	[thread overview]
Message-ID: <20240328181247.3009506-1-javad.rahimipetroudi@mind.be> (raw)

This patch adds the required fields to enable Trusted Board Boot in
TF-A. The users should provide ROT_KEY private key to build the TF-A in
this mode. The ROT_KEY is used to sign the FIP image during the TF-A
build. Furthermore, the source code of the mbedTLS is also used during
the build process.

Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>
---
 boot/arm-trusted-firmware/Config.in           | 22 +++++++++++++++++++
 .../arm-trusted-firmware.mk                   | 16 ++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index 2fe3dd1146..b90fca8191 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -45,6 +45,28 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE
 	string "ATF version"
 	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+	bool "Enable Trusted Boot build"
+	select BR2_PACKAGE_MBEDTLS
+	help
+	  This option enables the Trusted Board Boot for TF-A.
+	  It is an authentication framework that uses a defined
+	  Chain of Trust (CoT) based on Arm TBBR requirements to
+	  achieve a secure boot.
+
+	  https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
+
+if BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY
+	string "Path to the ROT private key"
+	help
+	  The ROT_KEY private key is used to sign FIP image during
+	  TF-A build. It specifies a file that contains the ROT
+	  private key in PEM format or a PKCS11 URI and enforces
+	  public key hash generation. To generate by OpenSSL:
+	  openssl genrsa -out key.pem 2048
+endif
+
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION
 	string
 	default "v2.10"		if BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 2d554c1da8..49ebd29b93 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -58,6 +58,16 @@ ARM_TRUSTED_FIRMWARE_IMG_DIR = $(@D)/build/$(ARM_TRUSTED_FIRMWARE_PLATFORM)/rele
 endif
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY))
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
+	TRUSTED_BOARD_BOOT=1 \
+	MBEDTLS_DIR=$(MBEDTLS_SRCDIR) \
+	GENERATE_COT=1 \
+	ROT_KEY=$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mbedtls
+endif
+
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
 	CROSS_COMPILE="$(TARGET_CROSS)" \
 	BUILD_STRING=$(ARM_TRUSTED_FIRMWARE_VERSION) \
@@ -224,6 +234,12 @@ $(error No repository specified. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_CU
 endif
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ifeq ($(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY),)
+$(error No ROT_KEY specified for TF-A. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY)
+endif
+endif
+
 endif
 
 $(eval $(generic-package))
-- 
2.44.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

next             reply	other threads:[~2024-03-28 18:13 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-28 18:12 Javad Rahimipetroudi via buildroot [this message]
2024-04-10 19:28 ` [Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option Thomas Petazzoni via buildroot
2024-05-13 21:05   ` Thomas Petazzoni via buildroot

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:2fe3dd114 dfblob:2d554c1da dfblob:b90fca819 dfblob:49ebd29b9
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240328181247.3009506-1-javad.rahimipetroudi@mind.be \
    --to=buildroot@buildroot.org \
    --cc=geomatsi@gmail.com \
    --cc=javad.rahimipetroudi@essensium.com \
    --cc=javad.rahimipetroudi@mind.be \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).