Merge changes from topic "sp_secure_boot" into integration

* changes:
  dualroot: add chain of trust for secure partitions
  sptool: append cert_tool arguments.
  cert_create: add SiP owned secure partitions support
diff --git a/Makefile b/Makefile
index 7627797..a0d2ae0 100644
--- a/Makefile
+++ b/Makefile
@@ -1012,6 +1012,7 @@
         endif
         -include $(BUILD_PLAT)/sp_gen.mk
         FIP_DEPS += sp
+        CRT_DEPS += sp
         NEED_SP_PKG := yes
 else
         ifeq (${SPMD_SPM_AT_SEL2},1)
diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index 8aca2be..f28ddaa 100644
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c
@@ -30,6 +30,9 @@
 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
+#if defined(SPD_spmd)
+static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
+#endif /* SPD_spmd */
 
 static unsigned char trusted_world_pk_buf[PK_DER_LEN];
 static unsigned char content_pk_buf[PK_DER_LEN];
@@ -97,6 +100,24 @@
 		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
+#if defined(SPD_spmd)
+static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
+static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
+static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
+static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
+static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
+static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
+static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
+static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
+#endif /* SPD_spmd */
 #endif /* IMAGE_BL2 */
 
 
@@ -642,6 +663,102 @@
 	}
 };
 
+/*
+ * Secure Partitions
+ */
+#if defined(SPD_spmd)
+static const auth_img_desc_t sp_content_cert = {
+	.img_id = SP_CONTENT_CERT_ID,
+	.img_type = IMG_CERT,
+	.parent = &trusted_key_cert,
+	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+		[0] = {
+			.type = AUTH_METHOD_SIG,
+			.param.sig = {
+				.pk = &trusted_world_pk,
+				.sig = &sig,
+				.alg = &sig_alg,
+				.data = &raw_data
+			}
+		},
+		[1] = {
+			.type = AUTH_METHOD_NV_CTR,
+			.param.nv_ctr = {
+				.cert_nv_ctr = &trusted_nv_ctr,
+				.plat_nv_ctr = &trusted_nv_ctr
+			}
+		}
+	},
+	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+		[0] = {
+			.type_desc = &sp_pkg1_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[0],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[1] = {
+			.type_desc = &sp_pkg2_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[1],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[2] = {
+			.type_desc = &sp_pkg3_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[2],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[3] = {
+			.type_desc = &sp_pkg4_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[3],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[4] = {
+			.type_desc = &sp_pkg5_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[4],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[5] = {
+			.type_desc = &sp_pkg6_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[5],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[6] = {
+			.type_desc = &sp_pkg7_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[6],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[7] = {
+			.type_desc = &sp_pkg8_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[7],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		}
+	}
+};
+
+DEFINE_SP_PKG(1);
+DEFINE_SP_PKG(2);
+DEFINE_SP_PKG(3);
+DEFINE_SP_PKG(4);
+DEFINE_SP_PKG(5);
+DEFINE_SP_PKG(6);
+DEFINE_SP_PKG(7);
+DEFINE_SP_PKG(8);
+#endif /* SPD_spmd */
+
 #else  /* IMAGE_BL2 */
 
 /* FWU auth descriptor */
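Review bot: The eight `authenticated_data` slots in `sp_content_cert` and the eight `DEFINE_SP_PKG(n)` lines hard-code the partition count, while `sp_pkg_hash_buf` is sized by `MAX_SP_IDS` and the compound literal is bounded by `COT_MAX_VERIFIED_PARAMS`; nothing in the new code ties these together. If `MAX_SP_IDS` grows later, the extra image IDs would presumably have no descriptor in `cot_desc`, and if `COT_MAX_VERIFIED_PARAMS` shrinks, the initialiser stops compiling with an unhelpful error. A compile-time check beside the descriptor would make the coupling explicit, for example `CASSERT((MAX_SP_IDS == U(8)) && (COT_MAX_VERIFIED_PARAMS >= MAX_SP_IDS), assert_sp_cot_size_mismatch);`. The same hard-coded count recurs in the `cot_desc` hunk below (`[SP_CONTENT_CERT_ID + 1]` through `+ 8`).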
@@ -769,6 +886,17 @@
 	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
 	[BL33_IMAGE_ID]				=	&bl33_image,
 	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID]			=	&sp_content_cert,
+	[SP_CONTENT_CERT_ID + 1]		=	&sp_pkg1,
+	[SP_CONTENT_CERT_ID + 2]		=	&sp_pkg2,
+	[SP_CONTENT_CERT_ID + 3]		=	&sp_pkg3,
+	[SP_CONTENT_CERT_ID + 4]		=	&sp_pkg4,
+	[SP_CONTENT_CERT_ID + 5]		=	&sp_pkg5,
+	[SP_CONTENT_CERT_ID + 6]		=	&sp_pkg6,
+	[SP_CONTENT_CERT_ID + 7]		=	&sp_pkg7,
+	[SP_CONTENT_CERT_ID + 8]		=       &sp_pkg8,
+#endif
 };
 #endif
 
diff --git a/include/common/tbbr/cot_def.h b/include/common/tbbr/cot_def.h
index c411146..6ce7f80 100644
--- a/include/common/tbbr/cot_def.h
+++ b/include/common/tbbr/cot_def.h
@@ -8,8 +8,11 @@
 #define COT_DEF_H
 
 /* TBBR CoT definitions */
-
+#if defined(SPD_spmd)
+#define COT_MAX_VERIFIED_PARAMS		8
+#else
 #define COT_MAX_VERIFIED_PARAMS		4
+#endif
 
 /*
  * Maximum key and hash sizes (in DER format).
diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h
index 1701995..1f9aab1 100644
--- a/include/common/tbbr/tbbr_img_def.h
+++ b/include/common/tbbr/tbbr_img_def.h
@@ -9,4 +9,12 @@
 
 #include <export/common/tbbr/tbbr_img_def_exp.h>
 
+#if defined(SPD_spmd)
+#define SP_CONTENT_CERT_ID		MAX_IMAGE_IDS
+#define MAX_SP_IDS			U(8)
+#define MAX_NUMBER_IDS			(MAX_IMAGE_IDS + MAX_SP_IDS + U(1))
+#else
+#define MAX_NUMBER_IDS			MAX_IMAGE_IDS
+#endif
+
 #endif /* TBBR_IMG_DEF_H */
diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h
index 1dc9ff4..01d144d 100644
--- a/include/drivers/auth/auth_mod.h
+++ b/include/drivers/auth/auth_mod.h
@@ -50,6 +50,24 @@
 extern const size_t cot_desc_size;
 extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
 
+#if defined(SPD_spmd)
+#define DEFINE_SP_PKG(n) \
+	static const auth_img_desc_t sp_pkg##n = { \
+		.img_id = SP_CONTENT_CERT_ID + (n), \
+		.img_type = IMG_RAW, \
+		.parent = &sp_content_cert, \
+		.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
+			[0] = { \
+				.type = AUTH_METHOD_HASH, \
+				.param.hash = { \
+					.data = &raw_data, \
+					.hash = &sp_pkg##n##_hash \
+				} \
+			} \
+		} \
+	}
+#endif
+
 #endif /* TRUSTED_BOARD_BOOT */
 
 #endif /* AUTH_MOD_H */
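Review bot: `DEFINE_SP_PKG(n)` sits in a shared header but expands to references to `sp_content_cert`, `raw_data` and `sp_pkg##n##_hash`, which are file-local objects of the CoT source that uses it; that dependency is undocumented. Only the dualroot `cot.c` in this change defines those names, so any other includer that invokes the macro fails with an undeclared-identifier error that points into the header. I would add a comment above the macro such as `/* DEFINE_SP_PKG(n): IMG_RAW descriptor for SP package n, hash-checked against sp_content_cert. The including CoT file must define sp_content_cert, raw_data and sp_pkg<n>_hash first. */` and close the guard with `#endif /* SPD_spmd */`, as the other new blocks do.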
diff --git a/include/export/common/tbbr/tbbr_img_def_exp.h b/include/export/common/tbbr/tbbr_img_def_exp.h
index 89dbc58..a98c1b4 100644
--- a/include/export/common/tbbr/tbbr_img_def_exp.h
+++ b/include/export/common/tbbr/tbbr_img_def_exp.h
@@ -88,12 +88,7 @@
 /* Encrypted image identifier */
 #define ENC_IMAGE_ID			U(30)
 
-/* Define size of the array */
-#if defined(SPD_spmd)
-#define MAX_SP_IDS			U(8)
-#define MAX_NUMBER_IDS			MAX_SP_IDS + U(31)
-#else
-#define MAX_NUMBER_IDS			U(31)
-#endif
+/* Max Images */
+#define MAX_IMAGE_IDS			U(31)
 
 #endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */
diff --git a/include/tools_share/dualroot_oid.h b/include/tools_share/dualroot_oid.h
index 3e88a6d..da367da 100644
--- a/include/tools_share/dualroot_oid.h
+++ b/include/tools_share/dualroot_oid.h
@@ -16,4 +16,16 @@
  */
 #define PROT_PK_OID				"1.3.6.1.4.1.4128.2100.1102"
 
+/*
+ * Secure Partitions Content Certificate
+ */
+#define SP_PKG1_HASH_OID                        "1.3.6.1.4.1.4128.2100.1301"
+#define SP_PKG2_HASH_OID                        "1.3.6.1.4.1.4128.2100.1302"
+#define SP_PKG3_HASH_OID                        "1.3.6.1.4.1.4128.2100.1303"
+#define SP_PKG4_HASH_OID                        "1.3.6.1.4.1.4128.2100.1304"
+#define SP_PKG5_HASH_OID                        "1.3.6.1.4.1.4128.2100.1305"
+#define SP_PKG6_HASH_OID                        "1.3.6.1.4.1.4128.2100.1306"
+#define SP_PKG7_HASH_OID                        "1.3.6.1.4.1.4128.2100.1307"
+#define SP_PKG8_HASH_OID                        "1.3.6.1.4.1.4128.2100.1308"
+
 #endif /* DUALROOT_OID_H */
diff --git a/include/tools_share/firmware_image_package.h b/include/tools_share/firmware_image_package.h
index 598d5c2..75f3cc6 100644
--- a/include/tools_share/firmware_image_package.h
+++ b/include/tools_share/firmware_image_package.h
@@ -64,6 +64,8 @@
 	{{0xa4,  0x9f, 0x44, 0x11}, {0x5e, 0x63}, {0xe4, 0x11}, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
 #define UUID_NON_TRUSTED_FW_CONTENT_CERT \
 	{{0x8e,  0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
+#define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \
+	{{0x77,  0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} }
 /* Dynamic configs */
 #define UUID_HW_CONFIG \
 	{{0x08,  0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }
diff --git a/lib/debugfs/devfip.c b/lib/debugfs/devfip.c
index fc14e70..70ac3bc 100644
--- a/lib/debugfs/devfip.c
+++ b/lib/debugfs/devfip.c
@@ -74,7 +74,8 @@
 	{"tos-fw.cfg",		UUID_TOS_FW_CONFIG},
 	{"nt-fw.cfg",		UUID_NT_FW_CONFIG},
 	{"rot-k.crt",		UUID_ROT_KEY_CERT},
-	{"nt-k.crt",		UUID_NON_TRUSTED_WORLD_KEY_CERT}
+	{"nt-k.crt",		UUID_NON_TRUSTED_WORLD_KEY_CERT},
+	{"sip-sp.crt",		UUID_SIP_SECURE_PARTITION_CONTENT_CERT}
 };
 
 /*******************************************************************************
diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index f0adfe1..9520934 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -99,3 +99,8 @@
     $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
 endif
 endif
+
+# Add SiP owned Secure Partitions CoT (image cert)
+ifneq (${SP_LAYOUT_FILE},)
+    $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert))
+endif
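Review bot: `--sip-sp-cert` is passed to the certificate tool whenever `SP_LAYOUT_FILE` is set, yet within this change only the dualroot chain of trust in cert_create gains a `sip-sp-cert` option. If this helper is also used when the build selects the tbbr CoT (not visible here), that build would hand cert_create an option it does not know. Assuming the build's `COT` variable is available at this point, the guard could become `ifeq (${COT},dualroot)` nested inside the existing `ifneq (${SP_LAYOUT_FILE},)`. The same applies to the `CRT_ARGS += --sp-pkgN` lines generated by `sp_mk_generator.py`.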
diff --git a/plat/arm/board/fvp/fdts/fvp_fw_config.dts b/plat/arm/board/fvp/fdts/fvp_fw_config.dts
index 8f87f7c..5f89284 100644
--- a/plat/arm/board/fvp/fdts/fvp_fw_config.dts
+++ b/plat/arm/board/fvp/fdts/fvp_fw_config.dts
@@ -111,6 +111,7 @@
 			soc_fw_content_cert_uuid = <0x200cb2e2 0x11e4635e 0xccabe89c 0x66b62bf9>;
 			tos_fw_content_cert_uuid = <0x11449fa4 0x11e4635e 0x53f2887 0x3df32a72>;
 			nt_fw_content_cert_uuid = <0xf3c1c48e 0x11e4635d 0xee87a9a7 0xa73fb240>;
+			sp_content_cert_uuid = <0x44fd6d77 0x3b4c9786 0x3ec1eb91 0x6f2a5a02>;
 		};
 	};
 #endif /* ARM_IO_IN_DTB */
diff --git a/plat/arm/common/fconf/arm_fconf_io.c b/plat/arm/common/fconf/arm_fconf_io.c
index 26e51b2..68cd9fb 100644
--- a/plat/arm/common/fconf/arm_fconf_io.c
+++ b/plat/arm/common/fconf/arm_fconf_io.c
@@ -49,6 +49,9 @@
 	[SOC_FW_CONTENT_CERT_ID] = {UUID_SOC_FW_CONTENT_CERT},
 	[TRUSTED_OS_FW_CONTENT_CERT_ID] = {UUID_TRUSTED_OS_FW_CONTENT_CERT},
 	[NON_TRUSTED_FW_CONTENT_CERT_ID] = {UUID_NON_TRUSTED_FW_CONTENT_CERT},
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID] = {UUID_SIP_SECURE_PARTITION_CONTENT_CERT},
+#endif
 #endif /* ARM_IO_IN_DTB */
 #endif /* TRUSTED_BOARD_BOOT */
 };
@@ -174,6 +177,13 @@
 		(uintptr_t)&arm_uuid_spec[NON_TRUSTED_FW_CONTENT_CERT_ID],
 		open_fip
 	},
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID] = {
+		&fip_dev_handle,
+		(uintptr_t)&arm_uuid_spec[SP_CONTENT_CERT_ID],
+		open_fip
+	},
+#endif
 #endif /* ARM_IO_IN_DTB */
 #endif /* TRUSTED_BOARD_BOOT */
 };
@@ -181,7 +191,7 @@
 #ifdef IMAGE_BL2
 
 #if TRUSTED_BOARD_BOOT
-#define FCONF_ARM_IO_UUID_NUMBER	U(19)
+#define FCONF_ARM_IO_UUID_NUMBER	U(20)
 #else
 #define FCONF_ARM_IO_UUID_NUMBER	U(10)
 #endif
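Review bot: `FCONF_ARM_IO_UUID_NUMBER` is raised to `U(20)` for every `TRUSTED_BOARD_BOOT` build, but the twentieth entry, `{SP_CONTENT_CERT_ID, "sp_content_cert_uuid"}`, is added in the next hunk only when `SPD_spmd` is defined. The macro's uses are outside the hunk; if it sizes the table or bounds the loop that reads each property from the DTB, a TBB build without SPMD gets one zero-initialised entry with a null property name and image ID 0. Making the count conditional on `SPD_spmd` keeps the number and the table in step.

```c
#if TRUSTED_BOARD_BOOT
#if defined(SPD_spmd)
#define FCONF_ARM_IO_UUID_NUMBER	U(20)
#else
#define FCONF_ARM_IO_UUID_NUMBER	U(19)
#endif /* SPD_spmd */
/* … unchanged: non-TBB branch defining U(10) … */
```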
@@ -216,6 +226,9 @@
 	{SOC_FW_CONTENT_CERT_ID, "soc_fw_content_cert_uuid"},
 	{TRUSTED_OS_FW_CONTENT_CERT_ID, "tos_fw_content_cert_uuid"},
 	{NON_TRUSTED_FW_CONTENT_CERT_ID, "nt_fw_content_cert_uuid"},
+#if defined(SPD_spmd)
+	{SP_CONTENT_CERT_ID, "sp_content_cert_uuid"},
+#endif
 #endif /* TRUSTED_BOARD_BOOT */
 };
 
diff --git a/plat/arm/common/fconf/arm_fconf_sp.c b/plat/arm/common/fconf/arm_fconf_sp.c
index 1b09bc8..64e873e 100644
--- a/plat/arm/common/fconf/arm_fconf_sp.c
+++ b/plat/arm/common/fconf/arm_fconf_sp.c
@@ -30,7 +30,7 @@
 	union uuid_helper_t uuid_helper;
 	unsigned int index = 0;
 	uint32_t val32;
-	const unsigned int sp_start_index = MAX_NUMBER_IDS - MAX_SP_IDS;
+	const unsigned int sp_start_index = SP_CONTENT_CERT_ID + 1;
 
 	/* As libfdt use void *, we can't avoid this cast */
 	const void *dtb = (void *)config;
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 6db9b57..daf27a7 100644
--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@@ -12,7 +12,7 @@
 #include "ext.h"
 #include "key.h"
 
-#define CERT_MAX_EXT			5
+#define CERT_MAX_EXT			9
 
 /*
  * This structure contains information related to the generation of the
diff --git a/tools/cert_create/include/dualroot/cot.h b/tools/cert_create/include/dualroot/cot.h
index 5701206..47e371f 100644
--- a/tools/cert_create/include/dualroot/cot.h
+++ b/tools/cert_create/include/dualroot/cot.h
@@ -18,6 +18,7 @@
 	SOC_FW_CONTENT_CERT,
 	TRUSTED_OS_FW_KEY_CERT,
 	TRUSTED_OS_FW_CONTENT_CERT,
+	SIP_SECURE_PARTITION_CONTENT_CERT,
 	FWU_CERT,
 
 	/* Certificates owned by the platform owner. */
@@ -42,6 +43,14 @@
 	TRUSTED_OS_FW_EXTRA1_HASH_EXT,
 	TRUSTED_OS_FW_EXTRA2_HASH_EXT,
 	TRUSTED_OS_FW_CONFIG_HASH_EXT,
+	SP_PKG1_HASH_EXT,
+	SP_PKG2_HASH_EXT,
+	SP_PKG3_HASH_EXT,
+	SP_PKG4_HASH_EXT,
+	SP_PKG5_HASH_EXT,
+	SP_PKG6_HASH_EXT,
+	SP_PKG7_HASH_EXT,
+	SP_PKG8_HASH_EXT,
 	SCP_FWU_CFG_HASH_EXT,
 	AP_FWU_CFG_HASH_EXT,
 	FWU_HASH_EXT,
diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
index 8117ffc..2965828 100644
--- a/tools/cert_create/src/dualroot/cot.c
+++ b/tools/cert_create/src/dualroot/cot.c
@@ -137,6 +137,28 @@
 		.num_ext = 5
 	},
 
+	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
+		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.opt = "sip-sp-cert",
+		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "SiP owned Secure Partition Content Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SP_PKG1_HASH_EXT,
+			SP_PKG2_HASH_EXT,
+			SP_PKG3_HASH_EXT,
+			SP_PKG4_HASH_EXT,
+			SP_PKG5_HASH_EXT,
+			SP_PKG6_HASH_EXT,
+			SP_PKG7_HASH_EXT,
+			SP_PKG8_HASH_EXT,
+		},
+		.num_ext = 9
+	},
+
 	[FWU_CERT] = {
 		.id = FWU_CERT,
 		.opt = "fwu-cert",
@@ -327,6 +349,87 @@
 		.optional = 1
 	},
 
+	[SP_PKG1_HASH_EXT] = {
+		.oid = SP_PKG1_HASH_OID,
+		.opt = "sp-pkg1",
+		.help_msg = "Secure Partition Package1 file",
+		.sn = "SPPkg1Hash",
+		.ln = "SP Pkg1 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG2_HASH_EXT] = {
+		.oid = SP_PKG2_HASH_OID,
+		.opt = "sp-pkg2",
+		.help_msg = "Secure Partition Package2 file",
+		.sn = "SPPkg2Hash",
+		.ln = "SP Pkg2 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG3_HASH_EXT] = {
+		.oid = SP_PKG3_HASH_OID,
+		.opt = "sp-pkg3",
+		.help_msg = "Secure Partition Package3 file",
+		.sn = "SPPkg3Hash",
+		.ln = "SP Pkg3 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG4_HASH_EXT] = {
+		.oid = SP_PKG4_HASH_OID,
+		.opt = "sp-pkg4",
+		.help_msg = "Secure Partition Package4 file",
+		.sn = "SPPkg4Hash",
+		.ln = "SP Pkg4 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG5_HASH_EXT] = {
+		.oid = SP_PKG5_HASH_OID,
+		.opt = "sp-pkg5",
+		.help_msg = "Secure Partition Package5 file",
+		.sn = "SPPkg5Hash",
+		.ln = "SP Pkg5 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG6_HASH_EXT] = {
+		.oid = SP_PKG6_HASH_OID,
+		.opt = "sp-pkg6",
+		.help_msg = "Secure Partition Package6 file",
+		.sn = "SPPkg6Hash",
+		.ln = "SP Pkg6 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG7_HASH_EXT] = {
+		.oid = SP_PKG7_HASH_OID,
+		.opt = "sp-pkg7",
+		.help_msg = "Secure Partition Package7 file",
+		.sn = "SPPkg7Hash",
+		.ln = "SP Pkg7 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG8_HASH_EXT] = {
+		.oid = SP_PKG8_HASH_OID,
+		.opt = "sp-pkg8",
+		.help_msg = "Secure Partition Package8 file",
+		.sn = "SPPkg8Hash",
+		.ln = "SP Pkg8 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
 	[SCP_FWU_CFG_HASH_EXT] = {
 		.oid = SCP_FWU_CFG_HASH_OID,
 		.opt = "scp-fwu-cfg",
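Review bot: All eight `SP_PKGn_HASH_EXT` entries are marked `.optional = 1`, while the firmware-side `sp_content_cert` descriptor lists all eight hashes in `authenticated_data`, and the intended behaviour for a layout with fewer than eight partitions is not documented anywhere in the change. What cert_create writes for an omitted optional hash, and how BL2 treats that slot, are both outside this diff. I would add a short comment above `[SP_PKG1_HASH_EXT]` stating what the certificate carries for an unused slot and that the matching image ID must never authenticate against it. The eight entries differ only in the digit, so a small generator macro would also remove the copy-paste risk; the enclosing array starts and ends outside the hunk.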
diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c
index 86b8581..1c5ef5f 100644
--- a/tools/fiptool/tbbr_config.c
+++ b/tools/fiptool/tbbr_config.c
@@ -152,6 +152,11 @@
 		.cmdline_name = "nt-fw-cert"
 	},
 	{
+		.name = "SiP owned Secure Partition content certificate",
+		.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
+		.cmdline_name = "sip-sp-cert"
+	},
+	{
 		.name = NULL,
 		.uuid = { {0} },
 		.cmdline_name = NULL,
diff --git a/tools/sptool/sp_mk_generator.py b/tools/sptool/sp_mk_generator.py
index 6b6fa19..f2387f6 100755
--- a/tools/sptool/sp_mk_generator.py
+++ b/tools/sptool/sp_mk_generator.py
@@ -11,7 +11,8 @@
 must be relative to it.
 
 This script parses the layout file and generates a make file which updates
-FDT_SOURCES, FIP_ARGS and SPTOOL_ARGS which are used in later build steps.
+FDT_SOURCES, FIP_ARGS, CRT_ARGS and SPTOOL_ARGS which are used in later build
+steps.
 This script also gets SP "uuid" from parsing its PM and converting it to a
 standard format.
 
@@ -24,6 +25,7 @@
     FDT_SOURCES +=  sp1.dts
     SPTOOL_ARGS += -i sp1.bin:sp1.dtb -o sp1.pkg
     FIP_ARGS += --blob uuid=XXXXX-XXX...,file=sp1.pkg
+    CRT_ARGS += --sp-pkg1 sp1.pkg
 
 A typical SP_LAYOUT_FILE file will look like
 {
@@ -59,7 +61,7 @@
 print(dtb_dir)
 
 with open(gen_file, 'w') as out_file:
-    for key in data.keys():
+    for idx, key in enumerate(data.keys()):
 
         """
         Append FDT_SOURCES
@@ -97,4 +99,9 @@
         Append FIP_ARGS
         """
         out_file.write("FIP_ARGS += --blob uuid=" + uuid_std + ",file=" + dst + "\n")
+
+        """
+        Append CRT_ARGS
+        """
+        out_file.write("CRT_ARGS += --sp-pkg" + str(idx + 1) + " " + dst + "\n")
         out_file.write("\n")
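Review bot: The `--sp-pkg` index comes straight from `enumerate(data.keys())` with no upper bound, while cert_create in this change defines only `sp-pkg1` to `sp-pkg8`. A layout file with a ninth partition would therefore generate `CRT_ARGS += --sp-pkg9 …` and fail later inside the certificate tool rather than here. A guard before the write, such as `if idx >= 8: raise Exception("too many SPs for the SP content certificate (max 8)")`, reports the problem at its source. The index also follows JSON key order, so it is worth stating in the docstring that package N must be the partition loaded under image ID `SP_CONTENT_CERT_ID + N`; a mismatch should fail authentication rather than pass, but it would be hard to diagnose. The loop starts outside this hunk.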