uniphier: embed ROTPK hash into BL1/BL2
Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info().
It is up to users how to retrieve ROTPK if the ROT verification is
desired. This is not nice.
This commit improves plat_get_rotpk_info() implementation and automates
the ROTPK deployment. UniPhier platform has no ROTPK storage, so it
should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case.
This makes sense because UniPhier platform implements its internal ROM
i.e. BL1 is used as updatable pseudo ROM.
Things work like this:
- ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing.
Users can override ROT_KEY from the command line if they want to
use a specific ROT key.
- ROTPK_HASH is generated based on ROT_KEY.
- ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2.
- ROT_KEY is input to cert_create tool.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
diff --git a/plat/socionext/uniphier/platform.mk b/plat/socionext/uniphier/platform.mk
index af8e3ac..7ea0f10 100644
--- a/plat/socionext/uniphier/platform.mk
+++ b/plat/socionext/uniphier/platform.mk
@@ -86,11 +86,29 @@
drivers/auth/img_parser_mod.c \
drivers/auth/tbbr/tbbr_cot.c \
plat/common/tbbr/plat_tbbr.c \
+ $(PLAT_PATH)/uniphier_rotpk.S \
$(PLAT_PATH)/uniphier_tbbr.c
BL1_SOURCES += $(TBB_SOURCES)
BL2_SOURCES += $(TBB_SOURCES)
+ROT_KEY = $(BUILD_PLAT)/rot_key.pem
+ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin
+
+$(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))
+$(BUILD_PLAT)/bl1/uniphier_rotpk.o: $(ROTPK_HASH)
+$(BUILD_PLAT)/bl2/uniphier_rotpk.o: $(ROTPK_HASH)
+
+certificates: $(ROT_KEY)
+$(ROT_KEY):
+ @echo " OPENSSL $@"
+ $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+
+$(ROTPK_HASH): $(ROT_KEY)
+ @echo " OPENSSL $@"
+ $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ openssl dgst -sha256 -binary > $@ 2>/dev/null
+
endif
.PHONY: bl1_gzip