[Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option

* [Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: add trusted boot option
@ 2024-03-28 18:12 Javad Rahimipetroudi via buildroot
  2024-04-10 19:28 ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 3+ messages in thread
From: Javad Rahimipetroudi via buildroot @ 2024-03-28 18:12 UTC (permalink / raw)
  To: buildroot; +Cc: Javad Rahimipetroudi, Sergey Matyukevich

This patch adds the required fields to enable Trusted Board Boot in
TF-A. The users should provide ROT_KEY private key to build the TF-A in
this mode. The ROT_KEY is used to sign the FIP image during the TF-A
build. Furthermore, the source code of the mbedTLS is also used during
the build process.

Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>
---
 boot/arm-trusted-firmware/Config.in           | 22 +++++++++++++++++++
 .../arm-trusted-firmware.mk                   | 16 ++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index 2fe3dd1146..b90fca8191 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -45,6 +45,28 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE
 	string "ATF version"
 	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+	bool "Enable Trusted Boot build"
+	select BR2_PACKAGE_MBEDTLS
+	help
+	  This option enables the Trusted Board Boot for TF-A.
+	  It is an authentication framework that uses a defined
+	  Chain of Trust (CoT) based on Arm TBBR requirements to
+	  achieve a secure boot.
+
+	  https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
+
+if BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY
+	string "Path to the ROT private key"
+	help
+	  The ROT_KEY private key is used to sign FIP image during
+	  TF-A build. It specifies a file that contains the ROT
+	  private key in PEM format or a PKCS11 URI and enforces
+	  public key hash generation. To generate by OpenSSL:
+	  openssl genrsa -out key.pem 2048
+endif
+
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION
 	string
 	default "v2.10"		if BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 2d554c1da8..49ebd29b93 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -58,6 +58,16 @@ ARM_TRUSTED_FIRMWARE_IMG_DIR = $(@D)/build/$(ARM_TRUSTED_FIRMWARE_PLATFORM)/rele
 endif
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY))
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
+	TRUSTED_BOARD_BOOT=1 \
+	MBEDTLS_DIR=$(MBEDTLS_SRCDIR) \
+	GENERATE_COT=1 \
+	ROT_KEY=$(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mbedtls
+endif
+
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
 	CROSS_COMPILE="$(TARGET_CROSS)" \
 	BUILD_STRING=$(ARM_TRUSTED_FIRMWARE_VERSION) \
@@ -224,6 +234,12 @@ $(error No repository specified. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_CU
 endif
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT),y)
+ifeq ($(ARM_TRUSTED_FIRMWARE_TRUSTED_BOOT_ROT_KEY),)
+$(error No ROT_KEY specified for TF-A. Please check BR2_TARGET_ARM_TRUSTED_FIRMWARE_ROT_KEY)
+endif
+endif
+
 endif
 
 $(eval $(generic-package))
-- 
2.44.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread