TBB: add platform API to read the ROTPK information
This patch extends the platform port by adding an API that returns
either the Root of Trust public key (ROTPK) or its hash. This is
usually stored in ROM or eFUSE memory. The ROTPK returned must be
encoded in DER format according to the following ASN.1 structure:
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}
In case the platform returns a hash of the key:
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
keyDigest OCTET STRING
}
An implementation for ARM development platforms is provided in this
patch. When TBB is enabled, the ROTPK hash location must be specified
using the build option 'ARM_ROTPK_LOCATION'. Available options are:
- 'regs' : return the ROTPK hash stored in the Trusted
root-key storage registers.
- 'devel_rsa' : return a ROTPK hash embedded in the BL1 and
BL2 binaries. This hash has been obtained from the development
RSA public key located in 'plat/arm/board/common/rotpk'.
On FVP, the number of MMU tables has been increased to map and
access the ROTPK registers.
A new file 'board_common.mk' has been added to improve code sharing
in the ARM develelopment platforms.
Change-Id: Ib25862e5507d1438da10773e62bd338da8f360bf
diff --git a/docs/porting-guide.md b/docs/porting-guide.md
index 4f842c4..d009605 100644
--- a/docs/porting-guide.md
+++ b/docs/porting-guide.md
@@ -483,6 +483,38 @@
the platform. Any other return value means a mismatch.
+### Function: plat_get_rotpk_info()
+
+ Argument : void *, void **, unsigned int *, unsigned int *
+ Return : int
+
+This function is mandatory when Trusted Board Boot is enabled. It returns a
+pointer to the ROTPK stored in the platform (or a hash of it) and its length.
+The ROTPK must be encoded in DER format according to the following ASN.1
+structure:
+
+ AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL
+ }
+
+ SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING
+ }
+
+In case the function returns a hash of the key:
+
+ DigestInfo ::= SEQUENCE {
+ digestAlgorithm AlgorithmIdentifier,
+ digest OCTET STRING
+ }
+
+The function returns 0 on success. Any other value means the ROTPK could not be
+retrieved from the platform. The function also reports extra information related
+to the ROTPK in the flags parameter.
+
+
2.3 Common optional modifications
---------------------------------
diff --git a/docs/user-guide.md b/docs/user-guide.md
index 184e46a..742f616 100644
--- a/docs/user-guide.md
+++ b/docs/user-guide.md
@@ -346,6 +346,23 @@
For a better understanding of these options, the ARM development platform memory
map is explained in the [Firmware Design].
+* `ARM_ROTPK_LOCATION`: used when `TRUSTED_BOARD_BOOT=1`. It specifies the
+ location of the ROTPK hash returned by the function `plat_get_rotpk_info()`
+ for ARM platforms. Depending on the selected option, the proper private key
+ must be specified using the `ROT_KEY` option when building the Trusted
+ Firmware. This private key will be used by the certificate generation tool
+ to sign the BL2 and Trusted Key certificates. Available options for
+ `ARM_ROTPK_LOCATION` are:
+
+ - `regs` : return the ROTPK hash stored in the Trusted root-key storage
+ registers. The private key corresponding to this ROTPK hash is not
+ currently available.
+ - `devel_rsa` : return a development public key hash embedded in the BL1
+ and BL2 binaries. This hash has been obtained from the RSA public key
+ `arm_rotpk_rsa.der`, located in `plat/arm/board/common/rotpk`. To use
+ this option, `arm_rotprivk_rsa.pem` must be specified as `ROT_KEY` when
+ creating the certificates.
+
#### ARM CSS platform specific build options
* `CSS_DETECT_PRE_1_7_0_SCP`: Boolean flag to detect SCP version
diff --git a/include/plat/arm/board/common/board_arm_def.h b/include/plat/arm/board/common/board_arm_def.h
index 21dee7e..3abf235 100644
--- a/include/plat/arm/board/common/board_arm_def.h
+++ b/include/plat/arm/board/common/board_arm_def.h
@@ -64,29 +64,41 @@
* plat_arm_mmap array defined for each BL stage.
*/
#if IMAGE_BL1
-# define PLAT_ARM_MMAP_ENTRIES 6
+# if PLAT_fvp
+# define PLAT_ARM_MMAP_ENTRIES 7
+# else
+# define PLAT_ARM_MMAP_ENTRIES 6
+# endif
#endif
#if IMAGE_BL2
-# define PLAT_ARM_MMAP_ENTRIES 8
+# if PLAT_fvp
+# define PLAT_ARM_MMAP_ENTRIES 9
+# else
+# define PLAT_ARM_MMAP_ENTRIES 8
+# endif
#endif
#if IMAGE_BL31
-# define PLAT_ARM_MMAP_ENTRIES 5
+#define PLAT_ARM_MMAP_ENTRIES 5
#endif
#if IMAGE_BL32
-# define PLAT_ARM_MMAP_ENTRIES 4
+#define PLAT_ARM_MMAP_ENTRIES 4
#endif
/*
* Platform specific page table and MMU setup constants
*/
#if IMAGE_BL1
-# if PLAT_fvp || PLAT_juno
+# if PLAT_juno
# define MAX_XLAT_TABLES 2
# else
# define MAX_XLAT_TABLES 3
# endif /* PLAT_ */
#elif IMAGE_BL2
-# define MAX_XLAT_TABLES 3
+# if PLAT_juno
+# define MAX_XLAT_TABLES 3
+# else
+# define MAX_XLAT_TABLES 4
+# endif /* PLAT_ */
#elif IMAGE_BL31
# define MAX_XLAT_TABLES 2
#elif IMAGE_BL32
diff --git a/include/plat/arm/soc/common/soc_css_def.h b/include/plat/arm/soc/common/soc_css_def.h
index 8b43e4c..428df4d 100644
--- a/include/plat/arm/soc/common/soc_css_def.h
+++ b/include/plat/arm/soc/common/soc_css_def.h
@@ -65,6 +65,14 @@
*/
#define SOC_CSS_NIC400_APB4_BRIDGE 4
+/* Keys */
+#define SOC_KEYS_BASE 0x7fe80000
+#define TZ_PUB_KEY_HASH_BASE (SOC_KEYS_BASE + 0x0000)
+#define TZ_PUB_KEY_HASH_SIZE 32
+#define HU_KEY_BASE (SOC_KEYS_BASE + 0x0020)
+#define HU_KEY_SIZE 16
+#define END_KEY_BASE (SOC_KEYS_BASE + 0x0044)
+#define END_KEY_SIZE 32
#define SOC_CSS_MAP_DEVICE MAP_REGION_FLAT( \
SOC_CSS_DEVICE_BASE, \
diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h
index 73c2fdd..d8fa891 100644
--- a/include/plat/common/platform.h
+++ b/include/plat/common/platform.h
@@ -44,6 +44,11 @@
struct bl31_params;
/*******************************************************************************
+ * plat_get_rotpk_info() flags
+ ******************************************************************************/
+#define ROTPK_IS_HASH (1 << 0)
+
+/*******************************************************************************
* Function declarations
******************************************************************************/
/*******************************************************************************
@@ -191,8 +196,10 @@
void bl32_plat_enable_mmu(uint32_t flags);
/*******************************************************************************
- * Trusted Boot functions
+ * Trusted Board Boot functions
******************************************************************************/
int plat_match_rotpk(const unsigned char *, unsigned int);
+int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
+ unsigned int *flags);
#endif /* __PLATFORM_H__ */
diff --git a/plat/arm/board/common/board_arm_trusted_boot.c b/plat/arm/board/common/board_arm_trusted_boot.c
index c6ad68a..50379be 100644
--- a/plat/arm/board/common/board_arm_trusted_boot.c
+++ b/plat/arm/board/common/board_arm_trusted_boot.c
@@ -28,8 +28,40 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+#include <arm_def.h>
+#include <assert.h>
+#include <platform.h>
+#include <stdint.h>
+#include <string.h>
+
/* Weak definition may be overridden in specific platform */
#pragma weak plat_match_rotpk
+
+/* SHA256 algorithm */
+#define SHA256_BYTES 32
+
+/* ROTPK locations */
+#define ARM_ROTPK_REGS_ID 1
+#define ARM_ROTPK_DEVEL_RSA_ID 2
+
+#if !ARM_ROTPK_LOCATION_ID
+ #error "ARM_ROTPK_LOCATION_ID not defined"
+#endif
+
+static const unsigned char rotpk_hash_hdr[] = \
+ "\x30\x31\x30\x0D\x06\x09\x60\x86\x48" \
+ "\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20";
+static const unsigned int rotpk_hash_hdr_len = sizeof(rotpk_hash_hdr) - 1;
+static unsigned char rotpk_hash_der[sizeof(rotpk_hash_hdr) - 1 + SHA256_BYTES];
+
+#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID)
+static const unsigned char arm_devel_rotpk_hash[] = \
+ "\xB0\xF3\x82\x09\x12\x97\xD8\x3A" \
+ "\x37\x7A\x72\x47\x1B\xEC\x32\x73" \
+ "\xE9\x92\x32\xE2\x49\x59\xF6\x5E" \
+ "\x8B\x4A\x4A\x46\xD8\x22\x9A\xDA";
+#endif
+
/*
* Check the validity of the key
*
@@ -40,3 +72,90 @@
/* TODO: check against the ROT key stored in the platform */
return 0;
}
+
+/*
+ * Return the ROTPK hash in the following ASN.1 structure in DER format:
+ *
+ * AlgorithmIdentifier ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * parameters ANY DEFINED BY algorithm OPTIONAL
+ * }
+ *
+ * DigestInfo ::= SEQUENCE {
+ * digestAlgorithm AlgorithmIdentifier,
+ * digest OCTET STRING
+ * }
+ */
+int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len,
+ unsigned int *flags)
+{
+ uint8_t *dst;
+
+ assert(key_ptr != NULL);
+ assert(key_len != NULL);
+ assert(flags != NULL);
+
+ /* Copy the DER header */
+ memcpy(rotpk_hash_der, rotpk_hash_hdr, rotpk_hash_hdr_len);
+ dst = (uint8_t *)&rotpk_hash_der[rotpk_hash_hdr_len];
+
+#if (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID)
+ memcpy(dst, arm_devel_rotpk_hash, SHA256_BYTES);
+#elif (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID)
+ uint32_t *src, tmp;
+ unsigned int words, i;
+
+ /*
+ * Append the hash from Trusted Root-Key Storage registers. The hash has
+ * not been written linearly into the registers, so we have to do a bit
+ * of byte swapping:
+ *
+ * 0x00 0x04 0x08 0x0C 0x10 0x14 0x18 0x1C
+ * +---------------------------------------------------------------+
+ * | Reg0 | Reg1 | Reg2 | Reg3 | Reg4 | Reg5 | Reg6 | Reg7 |
+ * +---------------------------------------------------------------+
+ * | ... ... | | ... ... |
+ * | +--------------------+ | +-------+
+ * | | | |
+ * +----------------------------+ +----------------------------+
+ * | | | |
+ * +-------+ | +--------------------+ |
+ * | | | |
+ * v v v v
+ * +---------------------------------------------------------------+
+ * | | |
+ * +---------------------------------------------------------------+
+ * 0 15 16 31
+ *
+ * Additionally, we have to access the registers in 32-bit words
+ */
+ words = SHA256_BYTES >> 3;
+
+ /* Swap bytes 0-15 (first four registers) */
+ src = (uint32_t *)TZ_PUB_KEY_HASH_BASE;
+ for (i = 0 ; i < words ; i++) {
+ tmp = src[words - 1 - i];
+ /* Words are read in little endian */
+ *dst++ = (uint8_t)((tmp >> 24) & 0xFF);
+ *dst++ = (uint8_t)((tmp >> 16) & 0xFF);
+ *dst++ = (uint8_t)((tmp >> 8) & 0xFF);
+ *dst++ = (uint8_t)(tmp & 0xFF);
+ }
+
+ /* Swap bytes 16-31 (last four registers) */
+ src = (uint32_t *)(TZ_PUB_KEY_HASH_BASE + SHA256_BYTES / 2);
+ for (i = 0 ; i < words ; i++) {
+ tmp = src[words - 1 - i];
+ *dst++ = (uint8_t)((tmp >> 24) & 0xFF);
+ *dst++ = (uint8_t)((tmp >> 16) & 0xFF);
+ *dst++ = (uint8_t)((tmp >> 8) & 0xFF);
+ *dst++ = (uint8_t)(tmp & 0xFF);
+ }
+#endif /* (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_DEVEL_RSA_ID) */
+
+ *key_ptr = (void *)rotpk_hash_der;
+ *key_len = (unsigned int)sizeof(rotpk_hash_der);
+ *flags = ROTPK_IS_HASH;
+ return 0;
+}
+
diff --git a/plat/arm/board/common/board_common.mk b/plat/arm/board/common/board_common.mk
new file mode 100644
index 0000000..bec49ed
--- /dev/null
+++ b/plat/arm/board/common/board_common.mk
@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# Neither the name of ARM nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+PLAT_INCLUDES += -Iinclude/plat/arm/board/common/
+
+PLAT_BL_COMMON_SOURCES += drivers/arm/pl011/pl011_console.S \
+ plat/arm/board/common/aarch64/board_arm_helpers.S
+
+#BL1_SOURCES +=
+
+#BL2_SOURCES +=
+
+#BL31_SOURCES +=
+
+ifneq (${TRUSTED_BOARD_BOOT},0)
+ # ROTPK hash location
+ ifeq (${ARM_ROTPK_LOCATION}, regs)
+ ARM_ROTPK_LOCATION_ID = ARM_ROTPK_REGS_ID
+ else ifeq (${ARM_ROTPK_LOCATION}, devel_rsa)
+ ARM_ROTPK_LOCATION_ID = ARM_ROTPK_DEVEL_RSA_ID
+ else
+ $(error "Unsupported ARM_ROTPK_LOCATION value")
+ endif
+ $(eval $(call add_define,ARM_ROTPK_LOCATION_ID))
+
+ BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
+ BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
+endif
diff --git a/plat/arm/board/common/board_css.mk b/plat/arm/board/common/board_css.mk
index 691999b..67e794e 100644
--- a/plat/arm/board/common/board_css.mk
+++ b/plat/arm/board/common/board_css.mk
@@ -28,20 +28,6 @@
# POSSIBILITY OF SUCH DAMAGE.
#
-PLAT_INCLUDES += -Iinclude/plat/arm/board/common/
-
-PLAT_BL_COMMON_SOURCES += drivers/arm/pl011/pl011_console.S \
- plat/arm/board/common/aarch64/board_arm_helpers.S \
- plat/arm/board/common/board_css_common.c
-
-
-#BL1_SOURCES +=
-
-#BL2_SOURCES +=
-
-#BL31_SOURCES +=
+PLAT_BL_COMMON_SOURCES += plat/arm/board/common/board_css_common.c
-ifneq (${TRUSTED_BOARD_BOOT},0)
- BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
- BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
-endif
+include plat/arm/board/common/board_common.mk
diff --git a/plat/arm/board/common/rotpk/arm_rotpk_rsa.der b/plat/arm/board/common/rotpk/arm_rotpk_rsa.der
new file mode 100644
index 0000000..661f899
--- /dev/null
+++ b/plat/arm/board/common/rotpk/arm_rotpk_rsa.der
Binary files differ
diff --git a/plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin b/plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
new file mode 100644
index 0000000..7653f7e
--- /dev/null
+++ b/plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin
@@ -0,0 +1 @@
+°ó �Ø:7zrG�ì2sé2âIYö^JJFØ"Ú
\ No newline at end of file
diff --git a/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem b/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
new file mode 100644
index 0000000..71410ec
--- /dev/null
+++ b/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDLLGDVjWPUB3l+
+xxaWvU0kTqyG5rdx48VUC+cUHL0pGsE/erYCqqs2xNk2aWziZcObsb89qFYmy/0E
+AbqsPlQyynleu7IF6gZY8nS64fSHwBkKH2YHd4SDoRzv/yhZ58NofSYgQ+tWY/M5
+MdgrUam8T9D23pXcX1vB7ZBv7CiRfhfteJD0YKfEx09Q7V0TOiErcMVhewghZTrN
+glaMekesieilSEgx2R1G5YWGmKDlwKZqvQfkkldhB499Wk3Krja5VgQQ8my+9jts
+gD6+DqNNx9R+p0nU8tK8zzCo53SPZN+8XEdozEBM+IPMy0A1BGDKs6QXnwPKHVr6
+0a8hVxDTAgMBAAECggEAfwsc8ewbhDW4TwIGqfNtDUr0rtYN13VpqohW0ki2L8G/
+HQaKUViO/wxQFqoNn/OqQO0AfHmKhXAAokTCiXngBHJ/OjF7vB7+IRhazZEE6u2/
+uoivr/OYNQbFpXyTqsQ1eFzpPju6KKcPK7BzT4Mc89ek/vloFAi8w6LdMl8lbvOg
+LBWqX+5A+UQoenPUTvYM4U22YNcEAWubkpsYAmViiWiac+a+uPRk39aKyfOedDNu
++ty9MtCwekivoUTfP/1+O+jFlDnPMJUOEkBmcBqxseYYAHu7blBpdHxYpAItC2pv
+YwJJSvsE+HLBLPk177Jahg7sOUqcP0F/X+T65yuvIQKBgQDxdjXdJT5K8j7rG2fv
+2bvF2H1GPaHaTYRk0EGI2Ql6Nn+ddfeCE6gaT7aPPgg87wAhNu93coFuYHw0p/sc
+ZkXMJ+BmlstPV555cWXmwcxZLsni0fOXrt4YxwWkZwmh74m0NVM/cSFw56PU0oj1
+yDNeq3fgmsJocmuNTe1eG9qA7QKBgQDXaAGrNA5Xel5mqqMYTHHQWI6l2uzdNtt7
+eDn3K9+Eh3ywTqrwP845MAjKDU2Lq61I6t2H89dEifHq823VIcLCHd9BF04MrAH7
+qDPzrmPP2iB9g+YFmGBKe+K0HFE1t1KrTlo9VV6ZAC6RJNLAgwD4kvfIVYNkCGwe
++hoZBdhgvwKBgBrOsPQ4ak4PzwRzKnrqhXpVqrLdrNZ7vLMkm+IBlpfG7SwiKLR8
+UjF5oB8PGAML1cvaOYPdZplGhQOjkrF4eU9NLhC1tSS96Y46FMIlyfYsx6UzAgRZ
+GbdOgUXbWqpr2bH0KaXlfXz3eqzqIuKGs41TJB//jo3iBibN/AhytzORAoGAeGov
+5KDpE4XYl9Pz8HVremjG9Xh4yQENmOwQm1fvT4rd7UFM1ZkVk2qCv1DIdLe32vdQ
+d9ucDzh+ADWsxGRnF1TTpPN+Mh9FzISu5h4qtdreJsxBHgecbIbsqHrb+wdMM29N
+itPaWfV8Eq9fETcqp8qgsWD8XkNHDdoKFMrrtskCgYAoSt/Je1D3ZE/3HEjez7bq
+fenS3J6KG2SEn2PNFn+R0R5vBo4DaV/cQysKh44GD2+sh0QDyh6nuWJufyhPzROP
+DU6DCLbwNePj/yaGuzi36oLt6bBgfPWCiJY7jIdK8DmTLW25m7fRtCC5pxZlSzgl
+KBf7R6cbaTvaFe05Y2FJXA==
+-----END PRIVATE KEY-----
diff --git a/plat/arm/board/fvp/aarch64/fvp_common.c b/plat/arm/board/fvp/aarch64/fvp_common.c
index a876313..c46bdb6 100644
--- a/plat/arm/board/fvp/aarch64/fvp_common.c
+++ b/plat/arm/board/fvp/aarch64/fvp_common.c
@@ -55,6 +55,11 @@
DEVICE1_SIZE, \
MT_DEVICE | MT_RW | MT_SECURE)
+#define MAP_DEVICE2 MAP_REGION_FLAT(DEVICE2_BASE, \
+ DEVICE2_SIZE, \
+ MT_DEVICE | MT_RO | MT_SECURE)
+
+
/*
* Table of regions for various BL stages to map using the MMU.
* This doesn't include TZRAM as the 'mem_layout' argument passed to
@@ -67,6 +72,7 @@
V2M_MAP_IOFPGA,
MAP_DEVICE0,
MAP_DEVICE1,
+ MAP_DEVICE2,
{0}
};
#endif
@@ -77,6 +83,7 @@
V2M_MAP_IOFPGA,
MAP_DEVICE0,
MAP_DEVICE1,
+ MAP_DEVICE2,
ARM_MAP_NS_DRAM1,
ARM_MAP_TSP_SEC_MEM,
{0}
diff --git a/plat/arm/board/fvp/fvp_def.h b/plat/arm/board/fvp/fvp_def.h
index 68ef297..842a287 100644
--- a/plat/arm/board/fvp/fvp_def.h
+++ b/plat/arm/board/fvp/fvp_def.h
@@ -58,13 +58,25 @@
#define DEVICE1_BASE 0x2f000000
#define DEVICE1_SIZE 0x200000
+/* Devices in the second GB */
+#define DEVICE2_BASE 0x7fe00000
+#define DEVICE2_SIZE 0x00200000
+
#define NSRAM_BASE 0x2e000000
#define NSRAM_SIZE 0x10000
#define PCIE_EXP_BASE 0x40000000
#define TZRNG_BASE 0x7fe60000
#define TZNVCTR_BASE 0x7fe70000
-#define TZROOTKEY_BASE 0x7fe80000
+
+/* Keys */
+#define SOC_KEYS_BASE 0x7fe80000
+#define TZ_PUB_KEY_HASH_BASE (SOC_KEYS_BASE + 0x0000)
+#define TZ_PUB_KEY_HASH_SIZE 32
+#define HU_KEY_BASE (SOC_KEYS_BASE + 0x0020)
+#define HU_KEY_SIZE 16
+#define END_KEY_BASE (SOC_KEYS_BASE + 0x0044)
+#define END_KEY_SIZE 32
/* Constants to distinguish FVP type */
#define HBI_BASE_FVP 0x020
diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk
index 949e6ad..a1a0971 100644
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@@ -29,12 +29,10 @@
#
-PLAT_INCLUDES := -Iinclude/plat/arm/board/common \
- -Iplat/arm/board/fvp/include
+PLAT_INCLUDES := -Iplat/arm/board/fvp/include
-PLAT_BL_COMMON_SOURCES := drivers/arm/pl011/pl011_console.S \
- plat/arm/board/fvp/aarch64/fvp_common.c
+PLAT_BL_COMMON_SOURCES := plat/arm/board/fvp/aarch64/fvp_common.c
BL1_SOURCES += drivers/io/io_semihosting.c \
lib/cpus/aarch64/aem_generic.S \
@@ -65,10 +63,5 @@
plat/arm/board/fvp/aarch64/fvp_helpers.S \
plat/arm/board/fvp/drivers/pwrc/fvp_pwrc.c
-ifneq (${TRUSTED_BOARD_BOOT},0)
- BL1_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
- BL2_SOURCES += plat/arm/board/common/board_arm_trusted_boot.c
-endif
-
-
+include plat/arm/board/common/board_common.mk
include plat/arm/common/arm_common.mk