diff options
| author | Mark Dykes <mardyk01@review.trustedfirmware.org> | 2020-03-12 18:04:09 +0000 |
|---|---|---|
| committer | TrustedFirmware Code Review <review@review.trustedfirmware.org> | 2020-03-12 18:04:09 +0000 |
| commit | e820759f1c4aadb52d6be77099478d0be8877b99 (patch) | |
| tree | e596ab81ab5e16ed77f51ac15ea27de9db2a05ca /docs | |
| parent | bd2ad92902da142e312d02c9d8af675e7a4ffd6d (diff) | |
| parent | d935b95161959d79521b83e2887ab44947208ea9 (diff) | |
| download | platform_external_arm-trusted-firmware-e820759f1c4aadb52d6be77099478d0be8877b99.tar.gz platform_external_arm-trusted-firmware-e820759f1c4aadb52d6be77099478d0be8877b99.tar.bz2 platform_external_arm-trusted-firmware-e820759f1c4aadb52d6be77099478d0be8877b99.zip | |
Merge "Mention COT build option in trusted-board-boot-build.rst" into integration
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/design/trusted-board-boot-build.rst | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/docs/design/trusted-board-boot-build.rst b/docs/design/trusted-board-boot-build.rst index f5c8bc98c..dd61b61f5 100644 --- a/docs/design/trusted-board-boot-build.rst +++ b/docs/design/trusted-board-boot-build.rst @@ -32,25 +32,28 @@ images with support for these features: - ``TRUSTED_BOARD_BOOT=1`` - ``GENERATE_COT=1`` + By default, this will use the Chain of Trust described in the TBBR-client + document. To select a different one, use the ``COT`` build option. + In the case of Arm platforms, the location of the ROTPK hash must also be specified at build time. The following locations are currently supported (see ``ARM_ROTPK_LOCATION`` build option): - ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted - root-key storage registers present in the platform. On Juno, this + root-key storage registers present in the platform. On Juno, these registers are read-only. On FVP Base and Cortex models, the registers - are read-only, but the value can be specified using the command line + are also read-only, but the value can be specified using the command line option ``bp.trusted_key_storage.public_key`` when launching the model. On Juno board, the default value corresponds to an ECDSA-SECP256R1 public key hash, whose private part is not currently available. - ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in - plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin. Enforce generation - of the new hash if ROT_KEY is specified. + ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce + generation of the new hash if ``ROT_KEY`` is specified. - ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in - plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin. Enforce generation - of the new hash if ROT_KEY is specified. + ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce + generation of the new hash if ``ROT_KEY`` is specified. Example of command line using RSA development keys: @@ -64,9 +67,8 @@ images with support for these features: all fip The result of this build will be the bl1.bin and the fip.bin binaries. This - FIP will include the certificates corresponding to the Chain of Trust - described in the TBBR-client document. These certificates can also be found - in the output build directory. + FIP will include the certificates corresponding to the selected Chain of + Trust. These certificates can also be found in the output build directory. #. The optional FWU_FIP contains any additional images to be loaded from Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the @@ -102,8 +104,8 @@ images with support for these features: The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries. Both the FIP and FWU_FIP will include the certificates corresponding to the - Chain of Trust described in the TBBR-client document. These certificates - can also be found in the output build directory. + selected Chain of Trust. These certificates can also be found in the output + build directory. -------------- |