blob: caf367b66ffdf3b49230cfd96a42955c7bdb4236 [file] [log] [blame]
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +01001Building FIP images with support for Trusted Board Boot
2=======================================================
3
4Trusted Board Boot primarily consists of the following two features:
5
6- Image Authentication, described in :ref:`Trusted Board Boot`, and
7- Firmware Update, described in :ref:`Firmware Update (FWU)`
8
9The following steps should be followed to build FIP and (optionally) FWU_FIP
10images with support for these features:
11
12#. Fulfill the dependencies of the ``mbedtls`` cryptographic and image parser
13 modules by checking out a recent version of the `mbed TLS Repository`_. It
14 is important to use a version that is compatible with TF-A and fixes any
15 known security vulnerabilities. See `mbed TLS Security Center`_ for more
16 information. See the :ref:`Prerequisites` document for the appropriate
17 version of mbed TLS to use.
18
19 The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS
20 source files the modules depend upon.
21 ``include/drivers/auth/mbedtls/mbedtls_config.h`` contains the configuration
22 options required to build the mbed TLS sources.
23
24 Note that the mbed TLS library is licensed under the Apache version 2.0
25 license. Using mbed TLS source code will affect the licensing of TF-A
26 binaries that are built using this library.
27
28#. To build the FIP image, ensure the following command line variables are set
29 while invoking ``make`` to build TF-A:
30
31 - ``MBEDTLS_DIR=<path of the directory containing mbed TLS sources>``
32 - ``TRUSTED_BOARD_BOOT=1``
33 - ``GENERATE_COT=1``
34
Sandrine Bailleux0c666162020-03-03 13:03:36 +010035 By default, this will use the Chain of Trust described in the TBBR-client
36 document. To select a different one, use the ``COT`` build option.
37
Juan Pablo Conde52865522022-06-28 16:56:32 -040038 If using a custom build of OpenSSL, set the ``OPENSSL_DIR`` variable
39 accordingly so it points at the OpenSSL installation path, as explained in
40 :ref:`Build Options`. In addition, set the ``LD_LIBRARY_PATH`` variable
41 when running to point at the custom OpenSSL path, so the OpenSSL libraries
42 are loaded from that path instead of the default OS path. Export this
43 variable if necessary.
44
laurenw-arm97d9c322022-12-01 16:54:50 -060045 In the case of Arm platforms, the location of the ROTPK must also be
Max Shvetsov06dba292019-12-06 11:50:12 +000046 specified at build time. The following locations are currently supported (see
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010047 ``ARM_ROTPK_LOCATION`` build option):
48
49 - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
Sandrine Bailleux0c666162020-03-03 13:03:36 +010050 root-key storage registers present in the platform. On Juno, these
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010051 registers are read-only. On FVP Base and Cortex models, the registers
Sandrine Bailleux0c666162020-03-03 13:03:36 +010052 are also read-only, but the value can be specified using the command line
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010053 option ``bp.trusted_key_storage.public_key`` when launching the model.
Max Shvetsov06dba292019-12-06 11:50:12 +000054 On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
55 key hash, whose private part is not currently available.
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010056
Max Shvetsov06dba292019-12-06 11:50:12 +000057 - ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
Sandrine Bailleux0c666162020-03-03 13:03:36 +010058 ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce
59 generation of the new hash if ``ROT_KEY`` is specified.
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010060
Max Shvetsov06dba292019-12-06 11:50:12 +000061 - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
Sandrine Bailleux0c666162020-03-03 13:03:36 +010062 ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce
63 generation of the new hash if ``ROT_KEY`` is specified.
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010064
laurenw-arm97d9c322022-12-01 16:54:50 -060065 - ``ARM_ROTPK_LOCATION=devel_full_dev_rsa_key``: use the key located in
66 ``plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S``.
67
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010068 Example of command line using RSA development keys:
69
70 .. code:: shell
71
72 MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
73 make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \
74 ARM_ROTPK_LOCATION=devel_rsa \
75 ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
Juan Pablo Conde52865522022-06-28 16:56:32 -040076 BL33=<path-to>/<bl33_image> OPENSSL_DIR=<path-to>/<openssl> \
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010077 all fip
78
79 The result of this build will be the bl1.bin and the fip.bin binaries. This
Sandrine Bailleux0c666162020-03-03 13:03:36 +010080 FIP will include the certificates corresponding to the selected Chain of
81 Trust. These certificates can also be found in the output build directory.
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +010082
83#. The optional FWU_FIP contains any additional images to be loaded from
84 Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
85 FWU_FIP, any FWU images required by the platform must be specified on the
86 command line. On Arm development platforms like Juno, these are:
87
88 - NS_BL2U. The AP non-secure Firmware Updater image.
89 - SCP_BL2U. The SCP Firmware Update Configuration image.
90
91 Example of Juno command line for generating both ``fwu`` and ``fwu_fip``
92 targets using RSA development:
93
94 ::
95
96 MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
97 make PLAT=juno TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \
98 ARM_ROTPK_LOCATION=devel_rsa \
99 ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
Juan Pablo Conde52865522022-06-28 16:56:32 -0400100 BL33=<path-to>/<bl33_image> OPENSSL_DIR=<path-to>/<openssl> \
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +0100101 SCP_BL2=<path-to>/<scp_bl2_image> \
102 SCP_BL2U=<path-to>/<scp_bl2u_image> \
103 NS_BL2U=<path-to>/<ns_bl2u_image> \
104 all fip fwu_fip
105
106 .. note::
107 The BL2U image will be built by default and added to the FWU_FIP.
108 The user may override this by adding ``BL2U=<path-to>/<bl2u_image>``
109 to the command line above.
110
111 .. note::
112 Building and installing the non-secure and SCP FWU images (NS_BL1U,
113 NS_BL2U and SCP_BL2U) is outside the scope of this document.
114
115 The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
116 Both the FIP and FWU_FIP will include the certificates corresponding to the
Sandrine Bailleux0c666162020-03-03 13:03:36 +0100117 selected Chain of Trust. These certificates can also be found in the output
118 build directory.
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +0100119
120--------------
121
Juan Pablo Conde52865522022-06-28 16:56:32 -0400122*Copyright (c) 2019-2022, Arm Limited. All rights reserved.*
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +0100123
124.. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git
125.. _mbed TLS Security Center: https://tls.mbed.org/security