From: Javad Rahimipetroudi via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>,
Sergey Matyukevich <geomatsi@gmail.com>
Subject: [Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option
Date: Thu, 28 Mar 2024 19:12:47 +0100 [thread overview]
Message-ID: <20240328181247.3009506-1-javad.rahimipetroudi@mind.be> (raw)
This patch adds the required fields to enable Trusted Board Boot in
TF-A. The users should provide ROT_KEY private key to build the TF-A in
this mode. The ROT_KEY is used to sign the FIP image during the TF-A
build. Furthermore, the source code of the mbedTLS is also used during
the build process.
Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>
---
boot/arm-trusted-firmware/Config.in | 22 +++++++++++++++++++
.../arm-trusted-firmware.mk | 16 ++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index 2fe3dd1146..b90fca8191 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -45,6 +45,28 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE
string "ATF version"
depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+ bool "Enable Trusted Boot build"
+ select BR2_PACKAGE_MBEDTLS
+ help
+ This option enables the Trusted Board Boot for TF-A.
+ It is an authentication framework that uses a defined
+ Chain of Trust (CoT) based on Arm TBBR requirements to
+ achieve a secure boot.
+
+ https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
+
+if BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY
+ string "Path to the ROT private key"
+ help
+ The ROT_KEY private key is used to sign FIP image during
+ TF-A build. It specifies a file that contains the ROT
+ private key in PEM format or a PKCS11 URI and enforces
+ public key hash generation. To generate by OpenSSL:
+ openssl genrsa -out key.pem 2048
+endif
+
config BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION
string
default "v2.10" if BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 2d554c1da8..49ebd29b93 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -58,6 +58,16 @@ ARM_TRUSTED_FIRMWARE_IMG_DIR = $(@D)/build/$(ARM_TRUSTED_FIRMWARE_PLATFORM)/rele
endif
endif
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY))
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
+ TRUSTED_BOARD_BOOT=1 \
+ MBEDTLS_DIR=$(MBEDTLS_SRCDIR) \
+ GENERATE_COT=1 \
+ ROT_KEY=$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mbedtls
+endif
+
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
CROSS_COMPILE="$(TARGET_CROSS)" \
BUILD_STRING=$(ARM_TRUSTED_FIRMWARE_VERSION) \
@@ -224,6 +234,12 @@ $(error No repository specified. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_CU
endif
endif
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ifeq ($(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY),)
+$(error No ROT_KEY specified for TF-A. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY)
+endif
+endif
+
endif
$(eval $(generic-package))
--
2.44.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next reply other threads:[~2024-03-28 18:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 18:12 Javad Rahimipetroudi via buildroot [this message]
2024-04-10 19:28 ` [Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option Thomas Petazzoni via buildroot
2024-05-13 21:05 ` Thomas Petazzoni via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240328181247.3009506-1-javad.rahimipetroudi@mind.be \
--to=buildroot@buildroot.org \
--cc=geomatsi@gmail.com \
--cc=javad.rahimipetroudi@essensium.com \
--cc=javad.rahimipetroudi@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).