TBB: add build option to save private keys
This patch adds a boolean build option 'SAVE_KEYS' to indicate the
certificate generation tool that it must save the private keys used
to establish the chain of trust. This option depends on 'CREATE_KEYS'
to be enabled. Default is '0' (do not save).
Because the same filenames are used as outputs to save the keys,
they are no longer a dependency to the cert_tool. This dependency
has been removed from the Makefile.
Documentation updated accordingly.
Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b
diff --git a/Makefile b/Makefile
index c33670b..7f7ca8e 100644
--- a/Makefile
+++ b/Makefile
@@ -73,6 +73,7 @@
# Flags to generate the Chain of Trust
GENERATE_COT := 0
CREATE_KEYS := 1
+SAVE_KEYS := 0
# Flags to build TF with Trusted Boot support
TRUSTED_BOARD_BOOT := 0
AUTH_MOD := none
@@ -270,6 +271,7 @@
# Process Generate CoT flags
$(eval $(call assert_boolean,GENERATE_COT))
$(eval $(call assert_boolean,CREATE_KEYS))
+$(eval $(call assert_boolean,SAVE_KEYS))
# Process TRUSTED_BOARD_BOOT flag
$(eval $(call assert_boolean,TRUSTED_BOARD_BOOT))
@@ -327,6 +329,9 @@
ifneq (${CREATE_KEYS},0)
$(eval CRT_ARGS += -n)
+ ifneq (${SAVE_KEYS},0)
+ $(eval CRT_ARGS += -k)
+ endif
endif
$(eval CRT_ARGS += $(if ${ROT_KEY}, --rot-key ${ROT_KEY}))
$(eval CRT_ARGS += $(if ${TRUSTED_WORLD_KEY}, --trusted-world-key ${TRUSTED_WORLD_KEY}))
@@ -514,7 +519,6 @@
$(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt)))
$(eval CRT_DEPS += $(if $4,$(2),))
-$(eval CRT_DEPS += $(if $4,$(if $6,$(6),)))
$(eval CRT_ARGS += $(if $4,--bl$(1) $(2)))
$(eval CRT_ARGS += $(if $4,$(if $6,--bl$(1)-key $(6))))
$(eval CRT_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))