author | Alistair Delva <adelva@google.com> | 2021-02-15 12:43:29 -0800 |
---|---|---|
committer | Alistair Delva <adelva@google.com> | 2021-02-15 12:44:34 -0800 |
commit | faa476c0caaa598afa5a6109d17102db5fe35ec6 (patch) | |
tree | 37a21c69306801ee7cdda5167a30896c8740155b /docs/design/trusted-board-boot-build.rst | |
parent | b00a71fc312c9781fa6f404dccfb55b062b2ccac (diff) | |
parent | 66306814586b1bf6bcb859aaad218ec3bb090e94 (diff) | |
Merge branch 'aosp/upstream-master' into HEAD android-s-preview-1
This keeps the bl31 interface change reverted which still has not been
fixed in upstream U-Boot for rockchip devices.
Test: CROSS_COMPILE=aarch64-linux-gnu- make PLAT=rk3399 \
DEBUG=0 ERROR_DEPRECATED=1 bl31
Signed-off-by: Alistair Delva <adelva@google.com>
Change-Id: I7c3972a7b767715efb05593096d5d92dba14c609
Diffstat (limited to 'docs/design/trusted-board-boot-build.rst')
-rw-r--r-- | docs/design/trusted-board-boot-build.rst | 37 |
1 files changed, 19 insertions, 18 deletions
diff --git a/docs/design/trusted-board-boot-build.rst b/docs/design/trusted-board-boot-build.rst index 202524316..dd61b61f5 100644 --- a/docs/design/trusted-board-boot-build.rst +++ b/docs/design/trusted-board-boot-build.rst 
@@ -32,26 +32,28 @@ images with support for these features: - ``TRUSTED_BOARD_BOOT=1`` - ``GENERATE_COT=1`` + By default, this will use the Chain of Trust described in the TBBR-client + document. To select a different one, use the ``COT`` build option. + In the case of Arm platforms, the location of the ROTPK hash must also be - specified at build time. Two locations are currently supported (see + specified at build time. The following locations are currently supported (see ``ARM_ROTPK_LOCATION`` build option): - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted - root-key storage registers present in the platform. On Juno, this + root-key storage registers present in the platform. On Juno, these registers are read-only. On FVP Base and Cortex models, the registers - are read-only, but the value can be specified using the command line + are also read-only, but the value can be specified using the command line option ``bp.trusted_key_storage.public_key`` when launching the model. - On both Juno and FVP models, the default value corresponds to an - ECDSA-SECP256R1 public key hash, whose private part is not currently - available. + On Juno board, the default value corresponds to an ECDSA-SECP256R1 public + key hash, whose private part is not currently available. - - ``ARM_ROTPK_LOCATION=devel_rsa``: use the ROTPK hash that is hardcoded - in the Arm platform port. The private/public RSA key pair may be - found in ``plat/arm/board/common/rotpk``. + - ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in + ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce + generation of the new hash if ``ROT_KEY`` is specified. - - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the ROTPK hash that is hardcoded - in the Arm platform port. The private/public ECDSA key pair may be - found in ``plat/arm/board/common/rotpk``. 
+ - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in + ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce + generation of the new hash if ``ROT_KEY`` is specified. Example of command line using RSA development keys: @@ -65,9 +67,8 @@ images with support for these features: all fip The result of this build will be the bl1.bin and the fip.bin binaries. This - FIP will include the certificates corresponding to the Chain of Trust - described in the TBBR-client document. These certificates can also be found - in the output build directory. + FIP will include the certificates corresponding to the selected Chain of + Trust. These certificates can also be found in the output build directory. #. The optional FWU_FIP contains any additional images to be loaded from Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the @@ -103,12 +104,12 @@ images with support for these features: The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries. Both the FIP and FWU_FIP will include the certificates corresponding to the - Chain of Trust described in the TBBR-client document. These certificates - can also be found in the output build directory. + selected Chain of Trust. These certificates can also be found in the output + build directory. -------------- -*Copyright (c) 2019, Arm Limited. All rights reserved.* +*Copyright (c) 2019-2020, Arm Limited. All rights reserved.* .. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git .. _mbed TLS Security Center: https://tls.mbed.org/security |
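Review bot: In the ``devel_rsa`` and ``devel_ecdsa`` bullets of the first hunk, "Enforce generation of the new hash if ``ROT_KEY`` is specified" does not say what is hashed or whether the checked-in ``arm_rotpk_rsa_sha256.bin`` / ``arm_rotpk_ecdsa_sha256.bin`` is still used in that case. If the intent is that the hash is regenerated from the supplied key and replaces the default, say so directly, e.g. "If ``ROT_KEY`` is specified, the hash is regenerated from that key and used instead of the default". The rewritten bullets also drop the old pointer to the key pair in ``plat/arm/board/common/rotpk``, so the reader no longer learns where the development keys matching the default hash live; consider keeping that sentence. In the ``regs`` bullet, "On Juno board" needs an article, and the FVP default value that the removed text described is now undocumented.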
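Review bot: In the ``-65,9`` and ``-103,12`` hunks, "the selected Chain of Trust" gives no hint of how the selection is made, and a reader who lands on the FIP or FWU_FIP step directly will not have seen the ``COT`` sentence added in the first hunk. Suggest spelling it out in both places, e.g. "the Chain of Trust selected with the ``COT`` build option (TBBR-client by default)", so the certificates found in the output build directory can be matched to a known CoT.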