Adds option to read ROTPK from registers for FVP
Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
Removes hard-coded developer keys. Instead, setting
ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
In case of ROT_KEY specified - generates a new hash and replaces the
original.
Note: Juno board was tested by original feature author and was not tested
for this patch since we don't have access to the private key. Juno
implementation was moved to board-specific file without changing
functionality. It is not known whether byte-swapping is still needed
for this platform.
Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
diff --git a/docs/design/trusted-board-boot-build.rst b/docs/design/trusted-board-boot-build.rst
index 2025243..f5c8bc9 100644
--- a/docs/design/trusted-board-boot-build.rst
+++ b/docs/design/trusted-board-boot-build.rst
@@ -33,7 +33,7 @@
- ``GENERATE_COT=1``
In the case of Arm platforms, the location of the ROTPK hash must also be
- specified at build time. Two locations are currently supported (see
+ specified at build time. The following locations are currently supported (see
``ARM_ROTPK_LOCATION`` build option):
- ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
@@ -41,17 +41,16 @@
registers are read-only. On FVP Base and Cortex models, the registers
are read-only, but the value can be specified using the command line
option ``bp.trusted_key_storage.public_key`` when launching the model.
- On both Juno and FVP models, the default value corresponds to an
- ECDSA-SECP256R1 public key hash, whose private part is not currently
- available.
+ On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
+ key hash, whose private part is not currently available.
- - ``ARM_ROTPK_LOCATION=devel_rsa``: use the ROTPK hash that is hardcoded
- in the Arm platform port. The private/public RSA key pair may be
- found in ``plat/arm/board/common/rotpk``.
+ - ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
+ plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin. Enforce generation
+ of the new hash if ROT_KEY is specified.
- - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the ROTPK hash that is hardcoded
- in the Arm platform port. The private/public ECDSA key pair may be
- found in ``plat/arm/board/common/rotpk``.
+ - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
+ plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin. Enforce generation
+ of the new hash if ROT_KEY is specified.
Example of command line using RSA development keys:
@@ -108,7 +107,7 @@
--------------
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*
.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git
.. _mbed TLS Security Center: https://tls.mbed.org/security
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 2f44fe8..13d7058 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -468,7 +468,8 @@
entrypoint) or 1 (CPU reset to SP_MIN entrypoint). The default value is 0.
- ``ROT_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the
- file that contains the ROT private key in PEM format. If ``SAVE_KEYS=1``, this
+ file that contains the ROT private key in PEM format and enforces public key
+ hash generation. If ``SAVE_KEYS=1``, this
file name will be used to save the key.
- ``SAVE_KEYS``: This option is used when ``GENERATE_COT=1``. It tells the
@@ -657,4 +658,4 @@
--------------
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*
diff --git a/docs/plat/arm/arm-build-options.rst b/docs/plat/arm/arm-build-options.rst
index d24ad23..a6f3796 100644
--- a/docs/plat/arm/arm-build-options.rst
+++ b/docs/plat/arm/arm-build-options.rst
@@ -57,8 +57,7 @@
``ARM_ROTPK_LOCATION`` are:
- ``regs`` : return the ROTPK hash stored in the Trusted root-key storage
- registers. The private key corresponding to this ROTPK hash is not
- currently available.
+ registers.
- ``devel_rsa`` : return a development public key hash embedded in the BL1
and BL2 binaries. This hash has been obtained from the RSA public key
``arm_rotpk_rsa.der``, located in ``plat/arm/board/common/rotpk``. To use
@@ -70,6 +69,12 @@
use this option, ``arm_rotprivk_ecdsa.pem`` must be specified as
``ROT_KEY`` when creating the certificates.
+- ``ARM_ROTPK_HASH``: used when ``ARM_ROTPK_LOCATION=devel_*``. Specifies the
+ location of the ROTPK hash. Not expected to be a build option. This defaults to
+ ``plat/arm/board/common/rotpk/*_sha256.bin`` depending on the specified algorithm.
+ Providing ``ROT_KEY`` enforces generation of the hash from the ``ROT_KEY`` and
+ overwrites the default hash file.
+
- ``ARM_TSP_RAM_LOCATION``: location of the TSP binary. Options:
- ``tsram`` : Trusted SRAM (default option when TBB is not enabled)
@@ -111,4 +116,4 @@
--------------
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*