| # |
| # Copyright 2020 NXP |
| # |
| # SPDX-License-Identifier: BSD-3-Clause |
| # |
| |
| # For TRUSTED_BOARD_BOOT platforms need to include this makefile |
| # Following definations are to be provided by platform.mk file or |
| # by user - BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE |
| |
| ifeq ($(CHASSIS), 2) |
| include $(PLAT_DRIVERS_PATH)/csu/csu.mk |
| CSF_FILE := input_blx_ch${CHASSIS} |
| BL2_CSF_FILE := input_bl2_ch${CHASSIS} |
| else |
| ifeq ($(CHASSIS), 3_2) |
| CSF_FILE := input_blx_ch3 |
| BL2_CSF_FILE := input_bl2_ch${CHASSIS} |
| PBI_CSF_FILE := input_pbi_ch${CHASSIS} |
| $(eval $(call add_define, CSF_HDR_CH3)) |
| else |
| $(error -> CHASSIS not set!) |
| endif |
| endif |
| |
| PLAT_AUTH_PATH := $(PLAT_DRIVERS_PATH)/auth |
| |
| |
| ifeq (${BL2_INPUT_FILE},) |
| BL2_INPUT_FILE := $(PLAT_AUTH_PATH)/csf_hdr_parser/${BL2_CSF_FILE} |
| endif |
| |
| ifeq (${PBI_INPUT_FILE},) |
| PBI_INPUT_FILE := $(PLAT_AUTH_PATH)/csf_hdr_parser/${PBI_CSF_FILE} |
| endif |
| |
| # If MBEDTLS_DIR is not specified, use CSF Header option |
| ifeq (${MBEDTLS_DIR},) |
| # Generic image processing filters to prepend CSF header |
| ifeq (${BL33_INPUT_FILE},) |
| BL33_INPUT_FILE := $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE} |
| endif |
| |
| ifeq (${BL31_INPUT_FILE},) |
| BL31_INPUT_FILE := $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE} |
| endif |
| |
| ifeq (${BL32_INPUT_FILE},) |
| BL32_INPUT_FILE := $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE} |
| endif |
| |
| ifeq (${FUSE_INPUT_FILE},) |
| FUSE_INPUT_FILE := $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE} |
| endif |
| |
| PLAT_INCLUDES += -I$(PLAT_DRIVERS_PATH)/sfp |
| PLAT_TBBR_SOURCES += $(PLAT_AUTH_PATH)/csf_hdr_parser/cot.c \ |
| $(PLAT_COMMON_PATH)/tbbr/csf_tbbr.c |
| # IMG PARSER here is CSF header parser |
| include $(PLAT_DRIVERS_PATH)/auth/csf_hdr_parser/csf_hdr.mk |
| PLAT_TBBR_SOURCES += $(CSF_HDR_SOURCES) |
| |
| SCP_BL2_PRE_TOOL_FILTER := CST_SCP_BL2 |
| BL31_PRE_TOOL_FILTER := CST_BL31 |
| BL32_PRE_TOOL_FILTER := CST_BL32 |
| BL33_PRE_TOOL_FILTER := CST_BL33 |
| else |
| |
| ifeq (${DISABLE_FUSE_WRITE}, 1) |
| $(eval $(call add_define,DISABLE_FUSE_WRITE)) |
| endif |
| |
| # For Mbedtls currently crypto is not supported via CAAM |
| # enable it when that support is there |
| CAAM_INTEG := 0 |
| KEY_ALG := rsa |
| KEY_SIZE := 2048 |
| |
| $(eval $(call add_define,MBEDTLS_X509)) |
| ifeq (${PLAT_DDR_PHY},PHY_GEN2) |
| $(eval $(call add_define,PLAT_DEF_OID)) |
| endif |
| include drivers/auth/mbedtls/mbedtls_x509.mk |
| |
| |
| PLAT_TBBR_SOURCES += $(PLAT_AUTH_PATH)/tbbr/tbbr_cot.c \ |
| $(PLAT_COMMON_PATH)/tbbr/nxp_rotpk.S \ |
| $(PLAT_COMMON_PATH)/tbbr/x509_tbbr.c |
| |
| #ROTPK key is embedded in BL2 image |
| ifeq (${ROT_KEY},) |
| ROT_KEY = $(BUILD_PLAT)/rot_key.pem |
| endif |
| |
| ifeq (${SAVE_KEYS},1) |
| |
| ifeq (${TRUSTED_WORLD_KEY},) |
| TRUSTED_WORLD_KEY = ${BUILD_PLAT}/trusted.pem |
| endif |
| |
| ifeq (${NON_TRUSTED_WORLD_KEY},) |
| NON_TRUSTED_WORLD_KEY = ${BUILD_PLAT}/non-trusted.pem |
| endif |
| |
| ifeq (${BL31_KEY},) |
| BL31_KEY = ${BUILD_PLAT}/soc.pem |
| endif |
| |
| ifeq (${BL32_KEY},) |
| BL32_KEY = ${BUILD_PLAT}/trusted_os.pem |
| endif |
| |
| ifeq (${BL33_KEY},) |
| BL33_KEY = ${BUILD_PLAT}/non-trusted_os.pem |
| endif |
| |
| endif |
| |
| ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin |
| |
| $(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"')) |
| |
| $(BUILD_PLAT)/bl2/nxp_rotpk.o: $(ROTPK_HASH) |
| |
| certificates: $(ROT_KEY) |
| $(ROT_KEY): | $(BUILD_PLAT) |
| @echo " OPENSSL $@" |
| @if [ ! -f $(ROT_KEY) ]; then \ |
| openssl genrsa 2048 > $@ 2>/dev/null; \ |
| fi |
| |
| $(ROTPK_HASH): $(ROT_KEY) |
| @echo " OPENSSL $@" |
| $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ |
| openssl dgst -sha256 -binary > $@ 2>/dev/null |
| |
| endif #MBEDTLS_DIR |
| |
| PLAT_INCLUDES += -Iinclude/common/tbbr |
| |
| # Generic files for authentication framework |
| TBBR_SOURCES += drivers/auth/auth_mod.c \ |
| drivers/auth/crypto_mod.c \ |
| drivers/auth/img_parser_mod.c \ |
| plat/common/tbbr/plat_tbbr.c \ |
| ${PLAT_TBBR_SOURCES} |
| |
| # If CAAM_INTEG is not defined (would be scenario with MBED TLS) |
| # include mbedtls_crypto |
| ifeq (${CAAM_INTEG},0) |
| include drivers/auth/mbedtls/mbedtls_crypto.mk |
| else |
| include $(PLAT_DRIVERS_PATH)/crypto/caam/src/auth/auth.mk |
| TBBR_SOURCES += ${AUTH_SOURCES} |
| endif |