[Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option
Javad Rahimipetroudi
javad.rahimipetroudi at essensium.com
Thu Mar 28 18:12:47 UTC 2024
This patch adds the required fields to enable Trusted Board Boot in
TF-A. Users should provide the ROT_KEY private key to build TF-A in
this mode. The ROT_KEY is used to sign the FIP image during the TF-A
build. Furthermore, the mbedTLS source code is also used during
the build process.
Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi at mind.be>
---
boot/arm-trusted-firmware/Config.in | 22 +++++++++++++++++++
.../arm-trusted-firmware.mk | 16 ++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index 2fe3dd1146..b90fca8191 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -45,6 +45,28 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE
string "ATF version"
depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+ bool "Enable Trusted Boot build"
+ select BR2_PACKAGE_MBEDTLS
+ help
+ This option enables the Trusted Board Boot for TF-A.
+ It is an authentication framework that uses a defined
+ Chain of Trust (CoT) based on Arm TBBR requirements to
+ achieve a secure boot.
+
+ https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
+
+if BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY
+ string "Path to the ROT private key"
+ help
+ The ROT_KEY private key is used to sign FIP image during
+ TF-A build. It specifies a file that contains the ROT
+ private key in PEM format or a PKCS11 URI and enforces
+ public key hash generation. To generate by OpenSSL:
+ openssl genrsa -out key.pem 2048
+endif
+
config BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION
string
default "v2.10" if BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
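Review bot: The help text of BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY gives no guidance on handling the root-of-trust key, and its only example, `openssl genrsa -out key.pem 2048`, writes an unencrypted private key into the current directory. I would add a sentence such as `Keep this key outside the Buildroot tree and output directory; the example below is for development only.` and state whether a relative path is accepted and what it is relative to. Since the text already allows a PKCS11 URI, it is worth saying that this form keeps the private key in a token instead of on the build host's disk. Separately, `select BR2_PACKAGE_MBEDTLS` appears to pull the mbedTLS library into the target build although the commit message says only its source is used by TF-A; a comment explaining that choice would help.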
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 2d554c1da8..49ebd29b93 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -58,6 +58,16 @@ ARM_TRUSTED_FIRMWARE_IMG_DIR = $(@D)/build/$(ARM_TRUSTED_FIRMWARE_PLATFORM)/rele
endif
endif
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY))
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
+ TRUSTED_BOARD_BOOT=1 \
+ MBEDTLS_DIR=$(MBEDTLS_SRCDIR) \
+ GENERATE_COT=1 \
+ ROT_KEY=$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mbedtls
+endif
+
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
CROSS_COMPILE="$(TARGET_CROSS)" \
BUILD_STRING=$(ARM_TRUSTED_FIRMWARE_VERSION) \
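Review bot: `ROT_KEY=$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)` is added unquoted, so a value containing spaces or shell metacharacters would be split or cut short if these options are expanded on a shell command line, as they presumably are. This matters for the PKCS11 URI form that the Config.in help allows, because such URIs separate their attributes with `;`. Quote it the way the neighbouring `CROSS_COMPILE="$(TARGET_CROSS)"` is quoted: `ROT_KEY="$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)"`. The ARM_TRUSTED_FIRMWARE_MAKE_OPTS assignment at the end of the hunk continues outside it.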
@@ -224,6 +234,12 @@ $(error No repository specified. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_CU
endif
endif
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ifeq ($(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY),)
+$(error No ROT_KEY specified for TF-A. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY)
+endif
+endif
+
endif
$(eval $(generic-package))
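Review bot: The added check rejects only an empty BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY, so a mistyped or relative key path is not caught here and would presumably fail later inside the TF-A build with a less direct message. For values that are not a PKCS11 URI, an existence test could sit next to the emptiness test, for example `ifeq ($(filter pkcs11:%,$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY))$(wildcard $(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)),)` followed by an `$(error ...)` naming the path. This assumes the path is meant to be absolute, which the help text does not currently say. The conditional that the final `endif` closes starts outside the hunk.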
--
2.44.0