nxp: supports two mode of trusted board boot

NXP SoCs support two TBB modes:
- MBED_TLS based
  -- The ROTK key hash is placed in the BL2 binary, in section:
     --- .rodata.nxp_rotpk_hash
  -- Supports a non-volatile counter via SFP.
     -- platform function used by TFA common authentication code.

- NXP CSF based
  -- ROTK key deployment varies from MBEDTLS

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: Ib0f0bf024fd93de906c5d4f609383ae9e02b2fbc
diff --git a/plat/nxp/common/tbbr/tbbr.mk b/plat/nxp/common/tbbr/tbbr.mk
new file mode 100644
index 0000000..25852ba
--- /dev/null
+++ b/plat/nxp/common/tbbr/tbbr.mk
@@ -0,0 +1,155 @@
+#
+# Copyright 2020 NXP
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+# For TRUSTED_BOARD_BOOT platforms need to include this makefile
+# Following definations are to be provided by platform.mk file or
+# by user - BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE
+
+ifeq ($(CHASSIS), 2)
+include $(PLAT_DRIVERS_PATH)/csu/csu.mk
+CSF_FILE		:=	input_blx_ch${CHASSIS}
+BL2_CSF_FILE		:=	input_bl2_ch${CHASSIS}
+else
+ifeq ($(CHASSIS), 3_2)
+CSF_FILE		:=	input_blx_ch3
+BL2_CSF_FILE		:=	input_bl2_ch${CHASSIS}
+PBI_CSF_FILE		:=	input_pbi_ch${CHASSIS}
+$(eval $(call add_define, CSF_HDR_CH3))
+else
+    $(error -> CHASSIS not set!)
+endif
+endif
+
+PLAT_AUTH_PATH		:=  $(PLAT_DRIVERS_PATH)/auth
+
+
+ifeq (${BL2_INPUT_FILE},)
+    BL2_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${BL2_CSF_FILE}
+endif
+
+ifeq (${PBI_INPUT_FILE},)
+    PBI_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${PBI_CSF_FILE}
+endif
+
+# If MBEDTLS_DIR is not specified, use CSF Header option
+ifeq (${MBEDTLS_DIR},)
+    # Generic image processing filters to prepend CSF header
+    ifeq (${BL33_INPUT_FILE},)
+    BL33_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
+    endif
+
+    ifeq (${BL31_INPUT_FILE},)
+    BL31_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
+    endif
+
+    ifeq (${BL32_INPUT_FILE},)
+    BL32_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
+    endif
+
+    ifeq (${FUSE_INPUT_FILE},)
+    FUSE_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
+    endif
+
+    PLAT_INCLUDES	+= -I$(PLAT_DRIVERS_PATH)/sfp
+    PLAT_TBBR_SOURCES	+= $(PLAT_AUTH_PATH)/csf_hdr_parser/cot.c	\
+			   $(PLAT_COMMON_PATH)/tbbr/csf_tbbr.c
+    # IMG PARSER here is CSF header parser
+    include $(PLAT_DRIVERS_PATH)/auth/csf_hdr_parser/csf_hdr.mk
+    PLAT_TBBR_SOURCES 	+=	$(CSF_HDR_SOURCES)
+
+    SCP_BL2_PRE_TOOL_FILTER	:= CST_SCP_BL2
+    BL31_PRE_TOOL_FILTER	:= CST_BL31
+    BL32_PRE_TOOL_FILTER	:= CST_BL32
+    BL33_PRE_TOOL_FILTER	:= CST_BL33
+else
+
+    ifeq (${DISABLE_FUSE_WRITE}, 1)
+        $(eval $(call add_define,DISABLE_FUSE_WRITE))
+    endif
+
+    # For Mbedtls currently crypto is not supported via CAAM
+    # enable it when that support is there
+    CAAM_INTEG		:= 0
+    KEY_ALG		:= rsa
+    KEY_SIZE		:= 2048
+
+    $(eval $(call add_define,MBEDTLS_X509))
+    ifeq (${PLAT_DDR_PHY},PHY_GEN2)
+        $(eval $(call add_define,PLAT_DEF_OID))
+    endif
+    include drivers/auth/mbedtls/mbedtls_x509.mk
+
+
+    PLAT_TBBR_SOURCES	+= $(PLAT_AUTH_PATH)/tbbr/tbbr_cot.c \
+			   $(PLAT_COMMON_PATH)/tbbr/nxp_rotpk.S \
+			   $(PLAT_COMMON_PATH)/tbbr/x509_tbbr.c
+
+    #ROTPK key is embedded in BL2 image
+    ifeq (${ROT_KEY},)
+	ROT_KEY		= $(BUILD_PLAT)/rot_key.pem
+    endif
+
+    ifeq (${SAVE_KEYS},1)
+
+        ifeq (${TRUSTED_WORLD_KEY},)
+            TRUSTED_WORLD_KEY = ${BUILD_PLAT}/trusted.pem
+        endif
+
+        ifeq (${NON_TRUSTED_WORLD_KEY},)
+            NON_TRUSTED_WORLD_KEY = ${BUILD_PLAT}/non-trusted.pem
+        endif
+
+        ifeq (${BL31_KEY},)
+            BL31_KEY = ${BUILD_PLAT}/soc.pem
+        endif
+
+        ifeq (${BL32_KEY},)
+            BL32_KEY = ${BUILD_PLAT}/trusted_os.pem
+        endif
+
+        ifeq (${BL33_KEY},)
+            BL33_KEY = ${BUILD_PLAT}/non-trusted_os.pem
+        endif
+
+    endif
+
+    ROTPK_HASH		= $(BUILD_PLAT)/rotpk_sha256.bin
+
+    $(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))
+
+    $(BUILD_PLAT)/bl2/nxp_rotpk.o: $(ROTPK_HASH)
+
+    certificates: $(ROT_KEY)
+    $(ROT_KEY): | $(BUILD_PLAT)
+	@echo "  OPENSSL $@"
+	@if [ ! -f $(ROT_KEY) ]; then \
+		openssl genrsa 2048 > $@ 2>/dev/null; \
+	fi
+
+    $(ROTPK_HASH): $(ROT_KEY)
+	@echo "  OPENSSL $@"
+	$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+	openssl dgst -sha256 -binary > $@ 2>/dev/null
+
+endif #MBEDTLS_DIR
+
+PLAT_INCLUDES		+=	-Iinclude/common/tbbr
+
+# Generic files for authentication framework
+TBBR_SOURCES		+=	drivers/auth/auth_mod.c		\
+				drivers/auth/crypto_mod.c	\
+				drivers/auth/img_parser_mod.c	\
+				plat/common/tbbr/plat_tbbr.c	\
+				${PLAT_TBBR_SOURCES}
+
+# If CAAM_INTEG is not defined (would be scenario with MBED TLS)
+# include mbedtls_crypto
+ifeq (${CAAM_INTEG},0)
+    include drivers/auth/mbedtls/mbedtls_crypto.mk
+else
+    include $(PLAT_DRIVERS_PATH)/crypto/caam/src/auth/auth.mk
+    TBBR_SOURCES	+= ${AUTH_SOURCES}
+endif
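Review bot: The `$(ROTPK_HASH)` recipe near the end of the MBEDTLS branch can succeed while writing a wrong hash. The recipe line's status is that of the last command in the pipe and stderr is discarded, so if `openssl rsa` fails on `$(ROT_KEY)`, `openssl dgst` hashes empty input and `rotpk_sha256.bin`, which `nxp_rotpk.o` depends on, becomes the SHA-256 of nothing. Splitting the pipe lets make stop on the failure: `$(Q)openssl rsa -in $< -pubout -outform DER -out $@.der` followed by `$(Q)openssl dgst -sha256 -binary -out $@ $@.der`, both without the `2>/dev/null` redirections. The `$(ROT_KEY)` recipe feeds this case, because a failed `openssl genrsa 2048 > $@ 2>/dev/null` leaves an empty file that the `[ ! -f $(ROT_KEY) ]` guard accepts on the next run. That recipe also creates the private key under the default umask, so `umask 077; openssl genrsa -out $@ 2048`, with the output removed on failure, would be safer.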