Merge branch 'aosp/upstream-master' into HEAD am: faa476c0caHEADandroid-s-beta-5android-s-beta-4android-s-beta-3android-s-beta-2android-s-beta-1mastermain-cg-testing-releaseandroid-s-beta-5android-s-beta-4

Original change: https://android-review.googlesource.com/c/platform/external/arm-trusted-firmware/+/1589611

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I3a25534ceed4f8e188510641080d8b8ed49b8f62

35 files changed, 2523 insertions, 307 deletions

diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile
index eff929ef0..c3c8bcf5e 100644
--- a/tools/cert_create/Makefile
+++ b/tools/cert_create/Makefile
@@ -4,11 +4,11 @@
 # SPDX-License-Identifier: BSD-3-Clause
 #
 
-PROJECT		:= cert_create
 PLAT		:= none
 V		?= 0
 DEBUG		:= 0
-BINARY		:= ${PROJECT}${BIN_EXT}
+CRTTOOL		?= cert_create${BIN_EXT}
+BINARY		:= $(notdir ${CRTTOOL})
 OPENSSL_DIR	:= /usr
 COT		:= tbbr
 
@@ -27,6 +27,8 @@ OBJECTS := src/cert.o \
 # Chain of trust.
 ifeq (${COT},tbbr)
   include src/tbbr/tbbr.mk
+else ifeq (${COT},dualroot)
+  include src/dualroot/cot.mk
 else
   $(error Unknown chain of trust ${COT})
 endif
@@ -57,7 +59,7 @@ HOSTCC ?= gcc
 
 .PHONY: all clean realclean
 
-all: clean ${BINARY}
+all: ${BINARY}
 
 ${BINARY}: ${OBJECTS} Makefile
 	@echo "  HOSTLD  $@"
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 6db9b579d..daf27a78a 100644
--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@@ -12,7 +12,7 @@
 #include "ext.h"
 #include "key.h"
 
-#define CERT_MAX_EXT			5
+#define CERT_MAX_EXT			9
 
 /*
  * This structure contains information related to the generation of the
diff --git a/tools/cert_create/include/dualroot/cot.h b/tools/cert_create/include/dualroot/cot.h
new file mode 100644
index 000000000..3e50c8986
--- /dev/null
+++ b/tools/cert_create/include/dualroot/cot.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2020, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef DUALROOT_COT_H
+#define DUALROOT_COT_H
+
+/* Certificates. */
+enum {
+	/* Certificates owned by the silicon provider. */
+	TRUSTED_BOOT_FW_CERT,
+	TRUSTED_KEY_CERT,
+	SCP_FW_KEY_CERT,
+	SCP_FW_CONTENT_CERT,
+	SOC_FW_KEY_CERT,
+	SOC_FW_CONTENT_CERT,
+	TRUSTED_OS_FW_KEY_CERT,
+	TRUSTED_OS_FW_CONTENT_CERT,
+	SIP_SECURE_PARTITION_CONTENT_CERT,
+	FWU_CERT,
+
+	/* Certificates owned by the platform owner. */
+	NON_TRUSTED_FW_CONTENT_CERT,
+	PLAT_SECURE_PARTITION_CONTENT_CERT,
+};
+
+/* Certificate extensions. */
+enum {
+	/* Extensions used in certificates owned by the silicon provider. */
+	TRUSTED_FW_NVCOUNTER_EXT,
+	TRUSTED_BOOT_FW_HASH_EXT,
+	TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+	HW_CONFIG_HASH_EXT,
+	FW_CONFIG_HASH_EXT,
+	TRUSTED_WORLD_PK_EXT,
+	SCP_FW_CONTENT_CERT_PK_EXT,
+	SCP_FW_HASH_EXT,
+	SOC_FW_CONTENT_CERT_PK_EXT,
+	SOC_AP_FW_HASH_EXT,
+	SOC_FW_CONFIG_HASH_EXT,
+	TRUSTED_OS_FW_CONTENT_CERT_PK_EXT,
+	TRUSTED_OS_FW_HASH_EXT,
+	TRUSTED_OS_FW_EXTRA1_HASH_EXT,
+	TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+	TRUSTED_OS_FW_CONFIG_HASH_EXT,
+	SP_PKG1_HASH_EXT,
+	SP_PKG2_HASH_EXT,
+	SP_PKG3_HASH_EXT,
+	SP_PKG4_HASH_EXT,
+	SP_PKG5_HASH_EXT,
+	SP_PKG6_HASH_EXT,
+	SP_PKG7_HASH_EXT,
+	SP_PKG8_HASH_EXT,
+	SCP_FWU_CFG_HASH_EXT,
+	AP_FWU_CFG_HASH_EXT,
+	FWU_HASH_EXT,
+
+	/* Extensions used in certificates owned by the platform owner. */
+	PROT_PK_EXT,
+	NON_TRUSTED_FW_NVCOUNTER_EXT,
+	NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
+	NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+	NON_TRUSTED_FW_CONFIG_HASH_EXT,
+};
+
+/* Keys. */
+enum {
+	/* Keys owned by the silicon provider. */
+	ROT_KEY,
+	TRUSTED_WORLD_KEY,
+	SCP_FW_CONTENT_CERT_KEY,
+	SOC_FW_CONTENT_CERT_KEY,
+	TRUSTED_OS_FW_CONTENT_CERT_KEY,
+
+	/* Keys owned by the platform owner. */
+	PROT_KEY,
+};
+
+#endif /* DUALROOT_COT_H */
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
index 628ef3a42..e5fa3a238 100644
--- a/tools/cert_create/include/tbbr/tbb_cert.h
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -23,6 +23,7 @@ enum {
 	TRUSTED_OS_FW_CONTENT_CERT,
 	NON_TRUSTED_FW_KEY_CERT,
 	NON_TRUSTED_FW_CONTENT_CERT,
+	SIP_SECURE_PARTITION_CONTENT_CERT,
 	FWU_CERT
 };
 
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
index 462aafcfa..692b2d4d3 100644
--- a/tools/cert_create/include/tbbr/tbb_ext.h
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -15,6 +15,7 @@ enum {
 	TRUSTED_BOOT_FW_HASH_EXT,
 	TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
 	HW_CONFIG_HASH_EXT,
+	FW_CONFIG_HASH_EXT,
 	TRUSTED_WORLD_PK_EXT,
 	NON_TRUSTED_WORLD_PK_EXT,
 	SCP_FW_CONTENT_CERT_PK_EXT,
@@ -30,6 +31,14 @@ enum {
 	NON_TRUSTED_FW_CONTENT_CERT_PK_EXT,
 	NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
 	NON_TRUSTED_FW_CONFIG_HASH_EXT,
+	SP_PKG1_HASH_EXT,
+	SP_PKG2_HASH_EXT,
+	SP_PKG3_HASH_EXT,
+	SP_PKG4_HASH_EXT,
+	SP_PKG5_HASH_EXT,
+	SP_PKG6_HASH_EXT,
+	SP_PKG7_HASH_EXT,
+	SP_PKG8_HASH_EXT,
 	SCP_FWU_CFG_HASH_EXT,
 	AP_FWU_CFG_HASH_EXT,
 	FWU_HASH_EXT
diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
new file mode 100644
index 000000000..4dd4cf033
--- /dev/null
+++ b/tools/cert_create/src/dualroot/cot.c
@@ -0,0 +1,583 @@
+/*
+ * Copyright (c) 2020, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <dualroot_oid.h>
+
+#include "cert.h"
+#include "ext.h"
+#include "key.h"
+
+#include "dualroot/cot.h"
+
+/*
+ * Certificates used in the chain of trust.
+ *
+ * All certificates are self-signed so the issuer certificate field points to
+ * itself.
+ */
+static cert_t cot_certs[] = {
+	[TRUSTED_BOOT_FW_CERT] = {
+		.id = TRUSTED_BOOT_FW_CERT,
+		.opt = "tb-fw-cert",
+		.help_msg = "Trusted Boot FW Certificate (output file)",
+		.cn = "Trusted Boot FW Certificate",
+		.key = ROT_KEY,
+		.issuer = TRUSTED_BOOT_FW_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			TRUSTED_BOOT_FW_HASH_EXT,
+			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
+			HW_CONFIG_HASH_EXT,
+			FW_CONFIG_HASH_EXT
+		},
+		.num_ext = 5
+	},
+
+	[TRUSTED_KEY_CERT] = {
+		.id = TRUSTED_KEY_CERT,
+		.opt = "trusted-key-cert",
+		.help_msg = "Trusted Key Certificate (output file)",
+		.cn = "Trusted Key Certificate",
+		.key = ROT_KEY,
+		.issuer = TRUSTED_KEY_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			TRUSTED_WORLD_PK_EXT,
+		},
+		.num_ext = 2
+	},
+
+	[SCP_FW_KEY_CERT] = {
+		.id = SCP_FW_KEY_CERT,
+		.opt = "scp-fw-key-cert",
+		.help_msg = "SCP Firmware Key Certificate (output file)",
+		.cn = "SCP Firmware Key Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = SCP_FW_KEY_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SCP_FW_CONTENT_CERT_PK_EXT
+		},
+		.num_ext = 2
+	},
+
+	[SCP_FW_CONTENT_CERT] = {
+		.id = SCP_FW_CONTENT_CERT,
+		.opt = "scp-fw-cert",
+		.help_msg = "SCP Firmware Content Certificate (output file)",
+		.cn = "SCP Firmware Content Certificate",
+		.key = SCP_FW_CONTENT_CERT_KEY,
+		.issuer = SCP_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SCP_FW_HASH_EXT
+		},
+		.num_ext = 2
+	},
+
+	[SOC_FW_KEY_CERT] = {
+		.id = SOC_FW_KEY_CERT,
+		.opt = "soc-fw-key-cert",
+		.help_msg = "SoC Firmware Key Certificate (output file)",
+		.cn = "SoC Firmware Key Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = SOC_FW_KEY_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SOC_FW_CONTENT_CERT_PK_EXT
+		},
+		.num_ext = 2
+	},
+
+	[SOC_FW_CONTENT_CERT] = {
+		.id = SOC_FW_CONTENT_CERT,
+		.opt = "soc-fw-cert",
+		.help_msg = "SoC Firmware Content Certificate (output file)",
+		.cn = "SoC Firmware Content Certificate",
+		.key = SOC_FW_CONTENT_CERT_KEY,
+		.issuer = SOC_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SOC_AP_FW_HASH_EXT,
+			SOC_FW_CONFIG_HASH_EXT,
+		},
+		.num_ext = 3
+	},
+
+	[TRUSTED_OS_FW_KEY_CERT] = {
+		.id = TRUSTED_OS_FW_KEY_CERT,
+		.opt = "tos-fw-key-cert",
+		.help_msg = "Trusted OS Firmware Key Certificate (output file)",
+		.cn = "Trusted OS Firmware Key Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = TRUSTED_OS_FW_KEY_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			TRUSTED_OS_FW_CONTENT_CERT_PK_EXT
+		},
+		.num_ext = 2
+	},
+
+	[TRUSTED_OS_FW_CONTENT_CERT] = {
+		.id = TRUSTED_OS_FW_CONTENT_CERT,
+		.opt = "tos-fw-cert",
+		.help_msg = "Trusted OS Firmware Content Certificate (output file)",
+		.cn = "Trusted OS Firmware Content Certificate",
+		.key = TRUSTED_OS_FW_CONTENT_CERT_KEY,
+		.issuer = TRUSTED_OS_FW_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			TRUSTED_OS_FW_HASH_EXT,
+			TRUSTED_OS_FW_EXTRA1_HASH_EXT,
+			TRUSTED_OS_FW_EXTRA2_HASH_EXT,
+			TRUSTED_OS_FW_CONFIG_HASH_EXT,
+		},
+		.num_ext = 5
+	},
+
+	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
+		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.opt = "sip-sp-cert",
+		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "SiP owned Secure Partition Content Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SP_PKG1_HASH_EXT,
+			SP_PKG2_HASH_EXT,
+			SP_PKG3_HASH_EXT,
+			SP_PKG4_HASH_EXT,
+		},
+		.num_ext = 5
+	},
+
+	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
+		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
+		.opt = "plat-sp-cert",
+		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "Platform owned Secure Partition Content Certificate",
+		.key = PROT_KEY,
+		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
+		.ext = {
+			NON_TRUSTED_FW_NVCOUNTER_EXT,
+			SP_PKG5_HASH_EXT,
+			SP_PKG6_HASH_EXT,
+			SP_PKG7_HASH_EXT,
+			SP_PKG8_HASH_EXT,
+			PROT_PK_EXT,
+		},
+		.num_ext = 6
+	},
+
+	[FWU_CERT] = {
+		.id = FWU_CERT,
+		.opt = "fwu-cert",
+		.help_msg = "Firmware Update Certificate (output file)",
+		.cn = "Firmware Update Certificate",
+		.key = ROT_KEY,
+		.issuer = FWU_CERT,
+		.ext = {
+			SCP_FWU_CFG_HASH_EXT,
+			AP_FWU_CFG_HASH_EXT,
+			FWU_HASH_EXT
+		},
+		.num_ext = 3
+	},
+
+	[NON_TRUSTED_FW_CONTENT_CERT] = {
+		.id = NON_TRUSTED_FW_CONTENT_CERT,
+		.opt = "nt-fw-cert",
+		.help_msg = "Non-Trusted Firmware Content Certificate (output file)",
+		.cn = "Non-Trusted Firmware Content Certificate",
+		.key = PROT_KEY,
+		.issuer = NON_TRUSTED_FW_CONTENT_CERT,
+		.ext = {
+			NON_TRUSTED_FW_NVCOUNTER_EXT,
+			NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT,
+			NON_TRUSTED_FW_CONFIG_HASH_EXT,
+			PROT_PK_EXT,
+		},
+		.num_ext = 4
+	},
+};
+
+REGISTER_COT(cot_certs);
+
+
+/* Certificate extensions. */
+static ext_t cot_ext[] = {
+	[TRUSTED_FW_NVCOUNTER_EXT] = {
+		.oid = TRUSTED_FW_NVCOUNTER_OID,
+		.opt = "tfw-nvctr",
+		.help_msg = "Trusted Firmware Non-Volatile counter value",
+		.sn = "TrustedWorldNVCounter",
+		.ln = "Trusted World Non-Volatile counter",
+		.asn1_type = V_ASN1_INTEGER,
+		.type = EXT_TYPE_NVCOUNTER,
+		.attr.nvctr_type = NVCTR_TYPE_TFW
+	},
+
+	[TRUSTED_BOOT_FW_HASH_EXT] = {
+		.oid = TRUSTED_BOOT_FW_HASH_OID,
+		.opt = "tb-fw",
+		.help_msg = "Trusted Boot Firmware image file",
+		.sn = "TrustedBootFirmwareHash",
+		.ln = "Trusted Boot Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+
+	[TRUSTED_BOOT_FW_CONFIG_HASH_EXT] = {
+		.oid = TRUSTED_BOOT_FW_CONFIG_HASH_OID,
+		.opt = "tb-fw-config",
+		.help_msg = "Trusted Boot Firmware Config file",
+		.sn = "TrustedBootFirmwareConfigHash",
+		.ln = "Trusted Boot Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[HW_CONFIG_HASH_EXT] = {
+		.oid = HW_CONFIG_HASH_OID,
+		.opt = "hw-config",
+		.help_msg = "HW Config file",
+		.sn = "HWConfigHash",
+		.ln = "HW Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[FW_CONFIG_HASH_EXT] = {
+		.oid = FW_CONFIG_HASH_OID,
+		.opt = "fw-config",
+		.help_msg = "Firmware Config file",
+		.sn = "FirmwareConfigHash",
+		.ln = "Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[TRUSTED_WORLD_PK_EXT] = {
+		.oid = TRUSTED_WORLD_PK_OID,
+		.sn = "TrustedWorldPublicKey",
+		.ln = "Trusted World Public Key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = TRUSTED_WORLD_KEY
+	},
+
+	[SCP_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = SCP_FW_CONTENT_CERT_PK_OID,
+		.sn = "SCPFirmwareContentCertPK",
+		.ln = "SCP Firmware content certificate public key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = SCP_FW_CONTENT_CERT_KEY
+	},
+
+	[SCP_FW_HASH_EXT] = {
+		.oid = SCP_FW_HASH_OID,
+		.opt = "scp-fw",
+		.help_msg = "SCP Firmware image file",
+		.sn = "SCPFirmwareHash",
+		.ln = "SCP Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+
+	[SOC_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = SOC_FW_CONTENT_CERT_PK_OID,
+		.sn = "SoCFirmwareContentCertPK",
+		.ln = "SoC Firmware content certificate public key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = SOC_FW_CONTENT_CERT_KEY
+	},
+
+	[SOC_AP_FW_HASH_EXT] = {
+		.oid = SOC_AP_FW_HASH_OID,
+		.opt = "soc-fw",
+		.help_msg = "SoC AP Firmware image file",
+		.sn = "SoCAPFirmwareHash",
+		.ln = "SoC AP Firmware hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+
+	[SOC_FW_CONFIG_HASH_EXT] = {
+		.oid = SOC_FW_CONFIG_HASH_OID,
+		.opt = "soc-fw-config",
+		.help_msg = "SoC Firmware Config file",
+		.sn = "SocFirmwareConfigHash",
+		.ln = "SoC Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[TRUSTED_OS_FW_CONTENT_CERT_PK_EXT] = {
+		.oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID,
+		.sn = "TrustedOSFirmwareContentCertPK",
+		.ln = "Trusted OS Firmware content certificate public key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = TRUSTED_OS_FW_CONTENT_CERT_KEY
+	},
+
+	[TRUSTED_OS_FW_HASH_EXT] = {
+		.oid = TRUSTED_OS_FW_HASH_OID,
+		.opt = "tos-fw",
+		.help_msg = "Trusted OS image file",
+		.sn = "TrustedOSHash",
+		.ln = "Trusted OS hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+
+	[TRUSTED_OS_FW_EXTRA1_HASH_EXT] = {
+		.oid = TRUSTED_OS_FW_EXTRA1_HASH_OID,
+		.opt = "tos-fw-extra1",
+		.help_msg = "Trusted OS Extra1 image file",
+		.sn = "TrustedOSExtra1Hash",
+		.ln = "Trusted OS Extra1 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[TRUSTED_OS_FW_EXTRA2_HASH_EXT] = {
+		.oid = TRUSTED_OS_FW_EXTRA2_HASH_OID,
+		.opt = "tos-fw-extra2",
+		.help_msg = "Trusted OS Extra2 image file",
+		.sn = "TrustedOSExtra2Hash",
+		.ln = "Trusted OS Extra2 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[TRUSTED_OS_FW_CONFIG_HASH_EXT] = {
+		.oid = TRUSTED_OS_FW_CONFIG_HASH_OID,
+		.opt = "tos-fw-config",
+		.help_msg = "Trusted OS Firmware Config file",
+		.sn = "TrustedOSFirmwareConfigHash",
+		.ln = "Trusted OS Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[SP_PKG1_HASH_EXT] = {
+		.oid = SP_PKG1_HASH_OID,
+		.opt = "sp-pkg1",
+		.help_msg = "Secure Partition Package1 file",
+		.sn = "SPPkg1Hash",
+		.ln = "SP Pkg1 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG2_HASH_EXT] = {
+		.oid = SP_PKG2_HASH_OID,
+		.opt = "sp-pkg2",
+		.help_msg = "Secure Partition Package2 file",
+		.sn = "SPPkg2Hash",
+		.ln = "SP Pkg2 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG3_HASH_EXT] = {
+		.oid = SP_PKG3_HASH_OID,
+		.opt = "sp-pkg3",
+		.help_msg = "Secure Partition Package3 file",
+		.sn = "SPPkg3Hash",
+		.ln = "SP Pkg3 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG4_HASH_EXT] = {
+		.oid = SP_PKG4_HASH_OID,
+		.opt = "sp-pkg4",
+		.help_msg = "Secure Partition Package4 file",
+		.sn = "SPPkg4Hash",
+		.ln = "SP Pkg4 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG5_HASH_EXT] = {
+		.oid = SP_PKG5_HASH_OID,
+		.opt = "sp-pkg5",
+		.help_msg = "Secure Partition Package5 file",
+		.sn = "SPPkg5Hash",
+		.ln = "SP Pkg5 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG6_HASH_EXT] = {
+		.oid = SP_PKG6_HASH_OID,
+		.opt = "sp-pkg6",
+		.help_msg = "Secure Partition Package6 file",
+		.sn = "SPPkg6Hash",
+		.ln = "SP Pkg6 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG7_HASH_EXT] = {
+		.oid = SP_PKG7_HASH_OID,
+		.opt = "sp-pkg7",
+		.help_msg = "Secure Partition Package7 file",
+		.sn = "SPPkg7Hash",
+		.ln = "SP Pkg7 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG8_HASH_EXT] = {
+		.oid = SP_PKG8_HASH_OID,
+		.opt = "sp-pkg8",
+		.help_msg = "Secure Partition Package8 file",
+		.sn = "SPPkg8Hash",
+		.ln = "SP Pkg8 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[SCP_FWU_CFG_HASH_EXT] = {
+		.oid = SCP_FWU_CFG_HASH_OID,
+		.opt = "scp-fwu-cfg",
+		.help_msg = "SCP Firmware Update Config image file",
+		.sn = "SCPFWUpdateConfig",
+		.ln = "SCP Firmware Update Config hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[AP_FWU_CFG_HASH_EXT] = {
+		.oid = AP_FWU_CFG_HASH_OID,
+		.opt = "ap-fwu-cfg",
+		.help_msg = "AP Firmware Update Config image file",
+		.sn = "APFWUpdateConfig",
+		.ln = "AP Firmware Update Config hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[FWU_HASH_EXT] = {
+		.oid = FWU_HASH_OID,
+		.opt = "fwu",
+		.help_msg = "Firmware Updater image file",
+		.sn = "FWUpdaterHash",
+		.ln = "Firmware Updater hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
+	[PROT_PK_EXT] = {
+		.oid = PROT_PK_OID,
+		.sn = "PlatformRoTKey",
+		.ln = "Platform Root of Trust Public Key",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_PKEY,
+		.attr.key = PROT_KEY
+	},
+
+	[NON_TRUSTED_FW_NVCOUNTER_EXT] = {
+		.oid = NON_TRUSTED_FW_NVCOUNTER_OID,
+		.opt = "ntfw-nvctr",
+		.help_msg = "Non-Trusted Firmware Non-Volatile counter value",
+		.sn = "NormalWorldNVCounter",
+		.ln = "Non-Trusted Firmware Non-Volatile counter",
+		.asn1_type = V_ASN1_INTEGER,
+		.type = EXT_TYPE_NVCOUNTER,
+		.attr.nvctr_type = NVCTR_TYPE_NTFW
+	},
+
+	[NON_TRUSTED_WORLD_BOOTLOADER_HASH_EXT] = {
+		.oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID,
+		.opt = "nt-fw",
+		.help_msg = "Non-Trusted World Bootloader image file",
+		.sn = "NonTrustedWorldBootloaderHash",
+		.ln = "Non-Trusted World hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH
+	},
+
+	[NON_TRUSTED_FW_CONFIG_HASH_EXT] = {
+		.oid = NON_TRUSTED_FW_CONFIG_HASH_OID,
+		.opt = "nt-fw-config",
+		.help_msg = "Non Trusted OS Firmware Config file",
+		.sn = "NonTrustedOSFirmwareConfigHash",
+		.ln = "Non-Trusted OS Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+};
+
+REGISTER_EXTENSIONS(cot_ext);
+
+
+/* Keys used to establish the chain of trust. */
+static key_t cot_keys[] = {
+	[ROT_KEY] = {
+		.id = ROT_KEY,
+		.opt = "rot-key",
+		.help_msg = "Root Of Trust key (input/output file)",
+		.desc = "Root Of Trust key"
+	},
+
+	[TRUSTED_WORLD_KEY] = {
+		.id = TRUSTED_WORLD_KEY,
+		.opt = "trusted-world-key",
+		.help_msg = "Trusted World key (input/output file)",
+		.desc = "Trusted World key"
+	},
+
+	[SCP_FW_CONTENT_CERT_KEY] = {
+		.id = SCP_FW_CONTENT_CERT_KEY,
+		.opt = "scp-fw-key",
+		.help_msg = "SCP Firmware Content Certificate key (input/output file)",
+		.desc = "SCP Firmware Content Certificate key"
+	},
+
+	[SOC_FW_CONTENT_CERT_KEY] = {
+		.id = SOC_FW_CONTENT_CERT_KEY,
+		.opt = "soc-fw-key",
+		.help_msg = "SoC Firmware Content Certificate key (input/output file)",
+		.desc = "SoC Firmware Content Certificate key"
+	},
+
+	[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
+		.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
+		.opt = "tos-fw-key",
+		.help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+		.desc = "Trusted OS Firmware Content Certificate key"
+	},
+
+	[PROT_KEY] = {
+		.id = PROT_KEY,
+		.opt = "prot-key",
+		.help_msg = "Platform Root of Trust key",
+		.desc = "Platform Root of Trust key"
+	},
+};
+
+REGISTER_KEYS(cot_keys);
diff --git a/tools/cert_create/src/dualroot/cot.mk b/tools/cert_create/src/dualroot/cot.mk
new file mode 100644
index 000000000..a572484d7
--- /dev/null
+++ b/tools/cert_create/src/dualroot/cot.mk
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+PLAT_MSG		:=	Dual root of trust
+PLAT_INCLUDE		:=	../../include/tools_share
+
+OBJECTS += src/dualroot/cot.o
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index d9a92bb10..65dd3e583 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -158,51 +158,36 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
 		unsigned char *buf, size_t len)
 {
 	X509_EXTENSION *ex;
-	ASN1_OCTET_STRING *octet;
 	HASH *hash;
 	ASN1_OBJECT *algorithm;
-	X509_ALGOR *x509_algor;
 	unsigned char *p = NULL;
 	int sz;
 
+	/* HASH structure containing algorithm + hash */
+	hash = HASH_new();
+	if (hash == NULL) {
+		return NULL;
+	}
+
 	/* OBJECT_IDENTIFIER with hash algorithm */
 	algorithm = OBJ_nid2obj(EVP_MD_type(md));
 	if (algorithm == NULL) {
+		HASH_free(hash);
 		return NULL;
 	}
 
 	/* Create X509_ALGOR */
-	x509_algor = X509_ALGOR_new();
-	if (x509_algor == NULL) {
-		return NULL;
-	}
-	x509_algor->algorithm = algorithm;
-	x509_algor->parameter = ASN1_TYPE_new();
-	ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL);
+	hash->hashAlgorithm->algorithm = algorithm;
+	hash->hashAlgorithm->parameter = ASN1_TYPE_new();
+	ASN1_TYPE_set(hash->hashAlgorithm->parameter, V_ASN1_NULL, NULL);
 
 	/* OCTET_STRING with the actual hash */
-	octet = ASN1_OCTET_STRING_new();
-	if (octet == NULL) {
-		X509_ALGOR_free(x509_algor);
-		return NULL;
-	}
-	ASN1_OCTET_STRING_set(octet, buf, len);
-
-	/* HASH structure containing algorithm + hash */
-	hash = HASH_new();
-	if (hash == NULL) {
-		ASN1_OCTET_STRING_free(octet);
-		X509_ALGOR_free(x509_algor);
-		return NULL;
-	}
-	hash->hashAlgorithm = x509_algor;
-	hash->dataHash = octet;
+	ASN1_OCTET_STRING_set(hash->dataHash, buf, len);
 
 	/* DER encoded HASH */
 	sz = i2d_HASH(hash, &p);
 	if ((sz <= 0) || (p == NULL)) {
 		HASH_free(hash);
-		X509_ALGOR_free(x509_algor);
 		return NULL;
 	}
 
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 2ba110132..b39378ca9 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -473,6 +473,11 @@ int main(int argc, char *argv[])
 
 		cert = &certs[i];
 
+		if (cert->fn == NULL) {
+			/* Certificate not requested. Skip to the next one */
+			continue;
+		}
+
 		/* Create a new stack of extensions. This stack will be used
 		 * to create the certificate */
 		CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
@@ -492,7 +497,12 @@ int main(int argc, char *argv[])
 			 */
 			switch (ext->type) {
 			case EXT_TYPE_NVCOUNTER:
-				if (ext->arg) {
+				if (ext->optional && ext->arg == NULL) {
+					/* Skip this NVCounter */
+					continue;
+				} else {
+					/* Checked by `check_cmd_params` */
+					assert(ext->arg != NULL);
 					nvctr = atoi(ext->arg);
 					CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid,
 						EXT_CRIT, nvctr));
@@ -505,7 +515,7 @@ int main(int argc, char *argv[])
 						memset(md, 0x0, SHA512_DIGEST_LENGTH);
 					} else {
 						/* Do not include this hash in the certificate */
-						break;
+						continue;
 					}
 				} else {
 					/* Calculate the hash of the file */
@@ -534,11 +544,16 @@ int main(int argc, char *argv[])
 		}
 
 		/* Create certificate. Signed with corresponding key */
-		if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
+		if (!cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
 			ERROR("Cannot create %s\n", cert->cn);
 			exit(1);
 		}
 
+		for (cert_ext = sk_X509_EXTENSION_pop(sk); cert_ext != NULL;
+				cert_ext = sk_X509_EXTENSION_pop(sk)) {
+			X509_EXTENSION_free(cert_ext);
+		}
+
 		sk_X509_EXTENSION_free(sk);
 	}
 
@@ -576,10 +591,44 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	/* If we got here, then we must have filled the key array completely.
+	 * We can then safely call free on all of the keys in the array
+	 */
+	for (i = 0; i < num_keys; i++) {
+		EVP_PKEY_free(keys[i].key);
+	}
+
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
 #endif
 	CRYPTO_cleanup_all_ex_data();
 
+
+	/* We allocated strings through strdup, so now we have to free them */
+	for (i = 0; i < num_keys; i++) {
+		if (keys[i].fn != NULL) {
+			void *ptr = keys[i].fn;
+
+			keys[i].fn = NULL;
+			free(ptr);
+		}
+	}
+	for (i = 0; i < num_extensions; i++) {
+		if (extensions[i].arg != NULL) {
+			void *ptr = (void *)extensions[i].arg;
+
+			extensions[i].arg = NULL;
+			free(ptr);
+		}
+	}
+	for (i = 0; i < num_certs; i++) {
+		if (certs[i].fn != NULL) {
+			void *ptr = (void *)certs[i].fn;
+
+			certs[i].fn = NULL;
+			free(ptr);
+		}
+	}
+
 	return 0;
 }
diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c
index 7fb32d82c..f4fe63dc3 100644
--- a/tools/cert_create/src/tbbr/tbb_cert.c
+++ b/tools/cert_create/src/tbbr/tbb_cert.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -28,9 +28,10 @@ static cert_t tbb_certs[] = {
 			TRUSTED_FW_NVCOUNTER_EXT,
 			TRUSTED_BOOT_FW_HASH_EXT,
 			TRUSTED_BOOT_FW_CONFIG_HASH_EXT,
-			HW_CONFIG_HASH_EXT
+			HW_CONFIG_HASH_EXT,
+			FW_CONFIG_HASH_EXT
 		},
-		.num_ext = 4
+		.num_ext = 5
 	},
 	[TRUSTED_KEY_CERT] = {
 		.id = TRUSTED_KEY_CERT,
@@ -164,6 +165,27 @@ static cert_t tbb_certs[] = {
 		},
 		.num_ext = 3
 	},
+	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
+		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.opt = "sip-sp-cert",
+		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "SiP owned Secure Partition Content Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SP_PKG1_HASH_EXT,
+			SP_PKG2_HASH_EXT,
+			SP_PKG3_HASH_EXT,
+			SP_PKG4_HASH_EXT,
+			SP_PKG5_HASH_EXT,
+			SP_PKG6_HASH_EXT,
+			SP_PKG7_HASH_EXT,
+			SP_PKG8_HASH_EXT,
+		},
+		.num_ext = 9
+	},
 	[FWU_CERT] = {
 		.id = FWU_CERT,
 		.opt = "fwu-cert",
diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c
index ee5377fe8..60bafb4be 100644
--- a/tools/cert_create/src/tbbr/tbb_ext.c
+++ b/tools/cert_create/src/tbbr/tbb_ext.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -69,6 +69,16 @@ static ext_t tbb_ext[] = {
 		.type = EXT_TYPE_HASH,
 		.optional = 1
 	},
+	[FW_CONFIG_HASH_EXT] = {
+		.oid = FW_CONFIG_HASH_OID,
+		.opt = "fw-config",
+		.help_msg = "Firmware Config file",
+		.sn = "FirmwareConfigHash",
+		.ln = "Firmware Config hash",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
 	[TRUSTED_WORLD_PK_EXT] = {
 		.oid = TRUSTED_WORLD_PK_OID,
 		.sn = "TrustedWorldPublicKey",
@@ -203,6 +213,86 @@ static ext_t tbb_ext[] = {
 		.type = EXT_TYPE_HASH,
 		.optional = 1
 	},
+	[SP_PKG1_HASH_EXT] = {
+		.oid = SP_PKG1_HASH_OID,
+		.opt = "sp-pkg1",
+		.help_msg = "Secure Partition Package1 file",
+		.sn = "SPPkg1Hash",
+		.ln = "SP Pkg1 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG2_HASH_EXT] = {
+		.oid = SP_PKG2_HASH_OID,
+		.opt = "sp-pkg2",
+		.help_msg = "Secure Partition Package2 file",
+		.sn = "SPPkg2Hash",
+		.ln = "SP Pkg2 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG3_HASH_EXT] = {
+		.oid = SP_PKG3_HASH_OID,
+		.opt = "sp-pkg3",
+		.help_msg = "Secure Partition Package3 file",
+		.sn = "SPPkg3Hash",
+		.ln = "SP Pkg3 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG4_HASH_EXT] = {
+		.oid = SP_PKG4_HASH_OID,
+		.opt = "sp-pkg4",
+		.help_msg = "Secure Partition Package4 file",
+		.sn = "SPPkg4Hash",
+		.ln = "SP Pkg4 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG5_HASH_EXT] = {
+		.oid = SP_PKG5_HASH_OID,
+		.opt = "sp-pkg5",
+		.help_msg = "Secure Partition Package5 file",
+		.sn = "SPPkg5Hash",
+		.ln = "SP Pkg5 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG6_HASH_EXT] = {
+		.oid = SP_PKG6_HASH_OID,
+		.opt = "sp-pkg6",
+		.help_msg = "Secure Partition Package6 file",
+		.sn = "SPPkg6Hash",
+		.ln = "SP Pkg6 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG7_HASH_EXT] = {
+		.oid = SP_PKG7_HASH_OID,
+		.opt = "sp-pkg7",
+		.help_msg = "Secure Partition Package7 file",
+		.sn = "SPPkg7Hash",
+		.ln = "SP Pkg7 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG8_HASH_EXT] = {
+		.oid = SP_PKG8_HASH_OID,
+		.opt = "sp-pkg8",
+		.help_msg = "Secure Partition Package8 file",
+		.sn = "SPPkg8Hash",
+		.ln = "SP Pkg8 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
 	[SCP_FWU_CFG_HASH_EXT] = {
 		.oid = SCP_FWU_CFG_HASH_OID,
 		.opt = "scp-fwu-cfg",
diff --git a/tools/encrypt_fw/Makefile b/tools/encrypt_fw/Makefile
new file mode 100644
index 000000000..96dff2324
--- /dev/null
+++ b/tools/encrypt_fw/Makefile
@@ -0,0 +1,65 @@
+#
+# Copyright (c) 2019-2020, Linaro Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+V		?= 0
+BUILD_INFO	?= 1
+DEBUG		:= 0
+ENCTOOL		?= encrypt_fw${BIN_EXT}
+BINARY		:= $(notdir ${ENCTOOL})
+OPENSSL_DIR	:= /usr
+
+OBJECTS := src/encrypt.o \
+           src/cmd_opt.o \
+           src/main.o
+
+HOSTCCFLAGS := -Wall -std=c99
+
+MAKE_HELPERS_DIRECTORY := ../../make_helpers/
+include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
+include ${MAKE_HELPERS_DIRECTORY}build_env.mk
+
+ifeq (${DEBUG},1)
+  HOSTCCFLAGS += -g -O0 -DDEBUG -DLOG_LEVEL=40
+else
+ifeq (${BUILD_INFO},1)
+  HOSTCCFLAGS += -O2 -DLOG_LEVEL=20
+else
+  HOSTCCFLAGS += -O2 -DLOG_LEVEL=10
+endif
+endif
+ifeq (${V},0)
+  Q := @
+else
+  Q :=
+endif
+
+# Make soft links and include from local directory otherwise wrong headers
+# could get pulled in from firmware tree.
+INC_DIR := -I ./include -I ../../include/tools_share -I ${OPENSSL_DIR}/include
+LIB_DIR := -L ${OPENSSL_DIR}/lib
+LIB := -lssl -lcrypto
+
+HOSTCC ?= gcc
+
+.PHONY: all clean realclean
+
+all: ${BINARY}
+
+${BINARY}: ${OBJECTS} Makefile
+	@echo "  HOSTLD  $@"
+	@echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__;' | \
+                ${HOSTCC} -c ${HOSTCCFLAGS} -xc - -o src/build_msg.o
+	${Q}${HOSTCC} src/build_msg.o ${OBJECTS} ${LIB_DIR} ${LIB} -o $@
+
+%.o: %.c
+	@echo "  HOSTCC  $<"
+	${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
+
+clean:
+	$(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS})
+
+realclean: clean
+	$(call SHELL_DELETE,${BINARY})
diff --git a/tools/encrypt_fw/include/cmd_opt.h b/tools/encrypt_fw/include/cmd_opt.h
new file mode 100644
index 000000000..bd7d31f03
--- /dev/null
+++ b/tools/encrypt_fw/include/cmd_opt.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CMD_OPT_H
+#define CMD_OPT_H
+
+#include <getopt.h>
+
+#define CMD_OPT_MAX_NUM			64
+
+/* Supported long command line option types */
+enum {
+	CMD_OPT_FW
+};
+
+/* Structure to define a command line option */
+typedef struct cmd_opt_s {
+	struct option long_opt;
+	const char *help_msg;
+} cmd_opt_t;
+
+/* Exported API*/
+void cmd_opt_add(const cmd_opt_t *cmd_opt);
+const struct option *cmd_opt_get_array(void);
+const char *cmd_opt_get_name(int idx);
+const char *cmd_opt_get_help_msg(int idx);
+
+#endif /* CMD_OPT_H */
diff --git a/tools/encrypt_fw/include/debug.h b/tools/encrypt_fw/include/debug.h
new file mode 100644
index 000000000..ee8f1f517
--- /dev/null
+++ b/tools/encrypt_fw/include/debug.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef DEBUG_H
+#define DEBUG_H
+
+#include <stdio.h>
+
+/* The log output macros print output to the console. These macros produce
+ * compiled log output only if the LOG_LEVEL defined in the makefile (or the
+ * make command line) is greater or equal than the level required for that
+ * type of log output.
+ * The format expected is the same as for printf(). For example:
+ * INFO("Info %s.\n", "message")    -> INFO:    Info message.
+ * WARN("Warning %s.\n", "message") -> WARNING: Warning message.
+ */
+
+#define LOG_LEVEL_NONE			0
+#define LOG_LEVEL_ERROR			10
+#define LOG_LEVEL_NOTICE		20
+#define LOG_LEVEL_WARNING		30
+#define LOG_LEVEL_INFO			40
+#define LOG_LEVEL_VERBOSE		50
+
+
+#if LOG_LEVEL >= LOG_LEVEL_NOTICE
+# define NOTICE(...)	printf("NOTICE:  " __VA_ARGS__)
+#else
+# define NOTICE(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_ERROR
+# define ERROR(...)	printf("ERROR:   " __VA_ARGS__)
+#else
+# define ERROR(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_WARNING
+# define WARN(...)	printf("WARNING: " __VA_ARGS__)
+#else
+# define WARN(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_INFO
+# define INFO(...)	printf("INFO:    " __VA_ARGS__)
+#else
+# define INFO(...)
+#endif
+
+#if LOG_LEVEL >= LOG_LEVEL_VERBOSE
+# define VERBOSE(...)	printf("VERBOSE: " __VA_ARGS__)
+#else
+# define VERBOSE(...)
+#endif
+
+#endif /* DEBUG_H */
diff --git a/tools/encrypt_fw/include/encrypt.h b/tools/encrypt_fw/include/encrypt.h
new file mode 100644
index 000000000..25d301170
--- /dev/null
+++ b/tools/encrypt_fw/include/encrypt.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ * Author: Sumit Garg <sumit.garg@linaro.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef ENCRYPT_H
+#define ENCRYPT_H
+
+/* Supported key algorithms */
+enum {
+	KEY_ALG_GCM		/* AES-GCM (default) */
+};
+
+int encrypt_file(unsigned short fw_enc_status, int enc_alg, char *key_string,
+		 char *nonce_string, const char *ip_name, const char *op_name);
+
+#endif /* ENCRYPT_H */
diff --git a/tools/encrypt_fw/src/cmd_opt.c b/tools/encrypt_fw/src/cmd_opt.c
new file mode 100644
index 000000000..64180d1f5
--- /dev/null
+++ b/tools/encrypt_fw/src/cmd_opt.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <cmd_opt.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include "debug.h"
+
+/* Command line options */
+static struct option long_opt[CMD_OPT_MAX_NUM+1];
+static const char *help_msg[CMD_OPT_MAX_NUM+1];
+static int num_reg_opt;
+
+void cmd_opt_add(const cmd_opt_t *cmd_opt)
+{
+	assert(cmd_opt != NULL);
+
+	if (num_reg_opt >= CMD_OPT_MAX_NUM) {
+		ERROR("Out of memory. Please increase CMD_OPT_MAX_NUM\n");
+		exit(1);
+	}
+
+	long_opt[num_reg_opt].name = cmd_opt->long_opt.name;
+	long_opt[num_reg_opt].has_arg = cmd_opt->long_opt.has_arg;
+	long_opt[num_reg_opt].flag = 0;
+	long_opt[num_reg_opt].val = cmd_opt->long_opt.val;
+
+	help_msg[num_reg_opt] = cmd_opt->help_msg;
+
+	num_reg_opt++;
+}
+
+const struct option *cmd_opt_get_array(void)
+{
+	return long_opt;
+}
+
+const char *cmd_opt_get_name(int idx)
+{
+	if (idx >= num_reg_opt) {
+		return NULL;
+	}
+
+	return long_opt[idx].name;
+}
+
+const char *cmd_opt_get_help_msg(int idx)
+{
+	if (idx >= num_reg_opt) {
+		return NULL;
+	}
+
+	return help_msg[idx];
+}
diff --git a/tools/encrypt_fw/src/encrypt.c b/tools/encrypt_fw/src/encrypt.c
new file mode 100644
index 000000000..18a514cb9
--- /dev/null
+++ b/tools/encrypt_fw/src/encrypt.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ * Author: Sumit Garg <sumit.garg@linaro.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <firmware_encrypted.h>
+#include <openssl/evp.h>
+#include <stdio.h>
+#include <string.h>
+#include "debug.h"
+#include "encrypt.h"
+
+#define BUFFER_SIZE		256
+#define IV_SIZE			12
+#define IV_STRING_SIZE		24
+#define TAG_SIZE		16
+#define KEY_SIZE		32
+#define KEY_STRING_SIZE		64
+
+static int gcm_encrypt(unsigned short fw_enc_status, char *key_string,
+		       char *nonce_string, const char *ip_name,
+		       const char *op_name)
+{
+	FILE *ip_file;
+	FILE *op_file;
+	EVP_CIPHER_CTX *ctx;
+	unsigned char data[BUFFER_SIZE], enc_data[BUFFER_SIZE];
+	unsigned char key[KEY_SIZE], iv[IV_SIZE], tag[TAG_SIZE];
+	int bytes, enc_len = 0, i, j, ret = 0;
+	struct fw_enc_hdr header;
+
+	memset(&header, 0, sizeof(struct fw_enc_hdr));
+
+	if (strlen(key_string) != KEY_STRING_SIZE) {
+		ERROR("Unsupported key size: %lu\n", strlen(key_string));
+		return -1;
+	}
+
+	for (i = 0, j = 0; i < KEY_SIZE; i++, j += 2) {
+		if (sscanf(&key_string[j], "%02hhx", &key[i]) != 1) {
+			ERROR("Incorrect key format\n");
+			return -1;
+		}
+	}
+
+	if (strlen(nonce_string) != IV_STRING_SIZE) {
+		ERROR("Unsupported IV size: %lu\n", strlen(nonce_string));
+		return -1;
+	}
+
+	for (i = 0, j = 0; i < IV_SIZE; i++, j += 2) {
+		if (sscanf(&nonce_string[j], "%02hhx", &iv[i]) != 1) {
+			ERROR("Incorrect IV format\n");
+			return -1;
+		}
+	}
+
+	ip_file = fopen(ip_name, "rb");
+	if (ip_file == NULL) {
+		ERROR("Cannot read %s\n", ip_name);
+		return -1;
+	}
+
+	op_file = fopen(op_name, "wb");
+	if (op_file == NULL) {
+		ERROR("Cannot write %s\n", op_name);
+		fclose(ip_file);
+		return -1;
+	}
+
+	ret = fseek(op_file, sizeof(struct fw_enc_hdr), SEEK_SET);
+	if (ret) {
+		ERROR("fseek failed\n");
+		goto out_file;
+	}
+
+	ctx = EVP_CIPHER_CTX_new();
+	if (ctx == NULL) {
+		ERROR("EVP_CIPHER_CTX_new failed\n");
+		ret = -1;
+		goto out_file;
+	}
+
+	ret = EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL);
+	if (ret != 1) {
+		ERROR("EVP_EncryptInit_ex failed\n");
+		ret = -1;
+		goto out;
+	}
+
+	ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv);
+	if (ret != 1) {
+		ERROR("EVP_EncryptInit_ex failed\n");
+		goto out;
+	}
+
+	while ((bytes = fread(data, 1, BUFFER_SIZE, ip_file)) != 0) {
+		ret = EVP_EncryptUpdate(ctx, enc_data, &enc_len, data, bytes);
+		if (ret != 1) {
+			ERROR("EVP_EncryptUpdate failed\n");
+			ret = -1;
+			goto out;
+		}
+
+		fwrite(enc_data, 1, enc_len, op_file);
+	}
+
+	ret = EVP_EncryptFinal_ex(ctx, enc_data, &enc_len);
+	if (ret != 1) {
+		ERROR("EVP_EncryptFinal_ex failed\n");
+		ret = -1;
+		goto out;
+	}
+
+	ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, TAG_SIZE, tag);
+	if (ret != 1) {
+		ERROR("EVP_CIPHER_CTX_ctrl failed\n");
+		ret = -1;
+		goto out;
+	}
+
+	header.magic = ENC_HEADER_MAGIC;
+	header.flags |= fw_enc_status & FW_ENC_STATUS_FLAG_MASK;
+	header.dec_algo = KEY_ALG_GCM;
+	header.iv_len = IV_SIZE;
+	header.tag_len = TAG_SIZE;
+	memcpy(header.iv, iv, IV_SIZE);
+	memcpy(header.tag, tag, TAG_SIZE);
+
+	ret = fseek(op_file, 0, SEEK_SET);
+	if (ret) {
+		ERROR("fseek failed\n");
+		goto out;
+	}
+
+	fwrite(&header, 1, sizeof(struct fw_enc_hdr), op_file);
+
+out:
+	EVP_CIPHER_CTX_free(ctx);
+
+out_file:
+	fclose(ip_file);
+	fclose(op_file);
+
+	/*
+	 * EVP_* APIs returns 1 as success but enctool considers
+	 * 0 as success.
+	 */
+	if (ret == 1)
+		ret = 0;
+
+	return ret;
+}
+
+int encrypt_file(unsigned short fw_enc_status, int enc_alg, char *key_string,
+		 char *nonce_string, const char *ip_name, const char *op_name)
+{
+	switch (enc_alg) {
+	case KEY_ALG_GCM:
+		return gcm_encrypt(fw_enc_status, key_string, nonce_string,
+				   ip_name, op_name);
+	default:
+		return -1;
+	}
+}
diff --git a/tools/encrypt_fw/src/main.c b/tools/encrypt_fw/src/main.c
new file mode 100644
index 000000000..39b7af761
--- /dev/null
+++ b/tools/encrypt_fw/src/main.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2019, Linaro Limited. All rights reserved.
+ * Author: Sumit Garg <sumit.garg@linaro.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <ctype.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+
+#include <openssl/conf.h>
+
+#include "cmd_opt.h"
+#include "debug.h"
+#include "encrypt.h"
+#include "firmware_encrypted.h"
+
+#define NUM_ELEM(x)			((sizeof(x)) / (sizeof(x[0])))
+#define HELP_OPT_MAX_LEN		128
+
+/* Global options */
+
+/* Info messages created in the Makefile */
+extern const char build_msg[];
+
+static char *key_algs_str[] = {
+	[KEY_ALG_GCM] = "gcm",
+};
+
+static void print_help(const char *cmd, const struct option *long_opt)
+{
+	int rem, i = 0;
+	const struct option *opt;
+	char line[HELP_OPT_MAX_LEN];
+	char *p;
+
+	assert(cmd != NULL);
+	assert(long_opt != NULL);
+
+	printf("\n\n");
+	printf("The firmware encryption tool loads the binary image and\n"
+	       "outputs encrypted binary image using an encryption key\n"
+	       "provided as an input hex string.\n");
+	printf("\n");
+	printf("Usage:\n");
+	printf("\t%s [OPTIONS]\n\n", cmd);
+
+	printf("Available options:\n");
+	opt = long_opt;
+	while (opt->name) {
+		p = line;
+		rem = HELP_OPT_MAX_LEN;
+		if (isalpha(opt->val)) {
+			/* Short format */
+			sprintf(p, "-%c,", (char)opt->val);
+			p += 3;
+			rem -= 3;
+		}
+		snprintf(p, rem, "--%s %s", opt->name,
+			 (opt->has_arg == required_argument) ? "<arg>" : "");
+		printf("\t%-32s %s\n", line, cmd_opt_get_help_msg(i));
+		opt++;
+		i++;
+	}
+	printf("\n");
+}
+
+static int get_key_alg(const char *key_alg_str)
+{
+	int i;
+
+	for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) {
+		if (strcmp(key_alg_str, key_algs_str[i]) == 0) {
+			return i;
+		}
+	}
+
+	return -1;
+}
+
+static void parse_fw_enc_status_flag(const char *arg,
+				     unsigned short *fw_enc_status)
+{
+	unsigned long flag;
+	char *endptr;
+
+	flag = strtoul(arg, &endptr, 16);
+	if (*endptr != '\0' || flag > FW_ENC_WITH_BSSK) {
+		ERROR("Invalid fw_enc_status flag '%s'\n", arg);
+		exit(1);
+	}
+
+	*fw_enc_status = flag & FW_ENC_STATUS_FLAG_MASK;
+}
+
+/* Common command line options */
+static const cmd_opt_t common_cmd_opt[] = {
+	{
+		{ "help", no_argument, NULL, 'h' },
+		"Print this message and exit"
+	},
+	{
+		{ "fw-enc-status", required_argument, NULL, 'f' },
+		"Firmware encryption status flag (with SSK=0 or BSSK=1)."
+	},
+	{
+		{ "key-alg", required_argument, NULL, 'a' },
+		"Encryption key algorithm: 'gcm' (default)"
+	},
+	{
+		{ "key", required_argument, NULL, 'k' },
+		"Encryption key (for supported algorithm)."
+	},
+	{
+		{ "nonce", required_argument, NULL, 'n' },
+		"Nonce or Initialization Vector (for supported algorithm)."
+	},
+	{
+		{ "in", required_argument, NULL, 'i' },
+		"Input filename to be encrypted."
+	},
+	{
+		{ "out", required_argument, NULL, 'o' },
+		"Encrypted output filename."
+	},
+};
+
+int main(int argc, char *argv[])
+{
+	int i, key_alg, ret;
+	int c, opt_idx = 0;
+	const struct option *cmd_opt;
+	char *key = NULL;
+	char *nonce = NULL;
+	char *in_fn = NULL;
+	char *out_fn = NULL;
+	unsigned short fw_enc_status = 0;
+
+	NOTICE("Firmware Encryption Tool: %s\n", build_msg);
+
+	/* Set default options */
+	key_alg = KEY_ALG_GCM;
+
+	/* Add common command line options */
+	for (i = 0; i < NUM_ELEM(common_cmd_opt); i++) {
+		cmd_opt_add(&common_cmd_opt[i]);
+	}
+
+	/* Get the command line options populated during the initialization */
+	cmd_opt = cmd_opt_get_array();
+
+	while (1) {
+		/* getopt_long stores the option index here. */
+		c = getopt_long(argc, argv, "a:f:hi:k:n:o:", cmd_opt, &opt_idx);
+
+		/* Detect the end of the options. */
+		if (c == -1) {
+			break;
+		}
+
+		switch (c) {
+		case 'a':
+			key_alg = get_key_alg(optarg);
+			if (key_alg < 0) {
+				ERROR("Invalid key algorithm '%s'\n", optarg);
+				exit(1);
+			}
+			break;
+		case 'f':
+			parse_fw_enc_status_flag(optarg, &fw_enc_status);
+			break;
+		case 'k':
+			key = optarg;
+			break;
+		case 'i':
+			in_fn = optarg;
+			break;
+		case 'o':
+			out_fn = optarg;
+			break;
+		case 'n':
+			nonce = optarg;
+			break;
+		case 'h':
+			print_help(argv[0], cmd_opt);
+			exit(0);
+		case '?':
+		default:
+			print_help(argv[0], cmd_opt);
+			exit(1);
+		}
+	}
+
+	if (!key) {
+		ERROR("Key must not be NULL\n");
+		exit(1);
+	}
+
+	if (!nonce) {
+		ERROR("Nonce must not be NULL\n");
+		exit(1);
+	}
+
+	if (!in_fn) {
+		ERROR("Input filename must not be NULL\n");
+		exit(1);
+	}
+
+	if (!out_fn) {
+		ERROR("Output filename must not be NULL\n");
+		exit(1);
+	}
+
+	ret = encrypt_file(fw_enc_status, key_alg, key, nonce, in_fn, out_fn);
+
+	CRYPTO_cleanup_all_ex_data();
+
+	return ret;
+}
diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
index ef3501432..df8ab5c7b 100644
--- a/tools/fiptool/Makefile
+++ b/tools/fiptool/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014-2018, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2014-2020, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -8,7 +8,8 @@ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
 include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
 include ${MAKE_HELPERS_DIRECTORY}build_env.mk
 
-PROJECT := fiptool${BIN_EXT}
+FIPTOOL ?= fiptool${BIN_EXT}
+PROJECT := $(notdir ${FIPTOOL})
 OBJECTS := fiptool.o tbbr_config.o
 V ?= 0
 
diff --git a/tools/fiptool/Makefile.msvc b/tools/fiptool/Makefile.msvc
index 58dbb8973..9081bc64c 100644
--- a/tools/fiptool/Makefile.msvc
+++ b/tools/fiptool/Makefile.msvc
@@ -1,30 +1,37 @@
-#

-# Copyright (c) 2019, Arm Limited. All rights reserved.

-#

-# SPDX-License-Identifier: BSD-3-Clause

-#

-

-CC = cl.exe

-LD = link.exe

-

-FIPTOOL = fiptool.exe

-OBJECTS = fiptool.obj tbbr_config.obj win_posix.obj

-

-INC = -I. -I..\..\include\tools_share

-CFLAGS = $(CFLAGS) /nologo /Za /Zi /c /O2 /MT

-

-all: $(FIPTOOL)

-

-$(FIPTOOL): $(OBJECTS)

-	$(LD) /INCREMENTAL:NO /debug /nodefaultlib:libc.lib /out:$@ $(LIBS) $**

-

-.PHONY: clean realclean

-

-clean:

-	del /f /q $(OBJECTS) > nul

-

-realclean:

-	del /f /q $(OBJECTS) $(FIPTOOL) > nul

-

-.c.obj:

-	$(CC) -c $(CFLAGS) $(INC) $< -Fo$@

+#
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+CC = cl.exe
+LD = link.exe
+
+# FIPTOOLPATH and FIPTOOL are passed from the main makefile.
+
+OBJECTS = $(FIPTOOLPATH)\fiptool.obj     \
+          $(FIPTOOLPATH)\tbbr_config.obj \
+          $(FIPTOOLPATH)\win_posix.obj
+
+INC = -I$(FIPTOOLPATH) -Iinclude\tools_share
+
+CFLAGS = $(CFLAGS) /nologo /Za /Zi /c /O2 /MT
+
+all: $(FIPTOOL)
+
+$(FIPTOOL): $(OBJECTS)
+	$(LD) /nologo /INCREMENTAL:NO /debug /nodefaultlib:libc.lib /out:$@ $(LIBS) $**
+
+.PHONY: clean realclean
+
+clean:
+	-@del /f /q $(OBJECTS) > nul
+	-@del /f /q $(FIPTOOLPATH)\*.pdb > nul
+
+realclean:
+	-@del /f /q $(OBJECTS) > nul
+	-@del /f /q $(FIPTOOLPATH)\*.pdb > nul
+	-@del /f /q $(FIPTOOL) > nul
+
+.c.obj:
+	$(CC) -c $(CFLAGS) $(INC) $< -Fo$@
diff --git a/tools/fiptool/fiptool.c b/tools/fiptool/fiptool.c
index 80b498e47..8c5b04a55 100644
--- a/tools/fiptool/fiptool.c
+++ b/tools/fiptool/fiptool.c
@@ -24,17 +24,17 @@
 #define OPT_ALIGN 2
 
 static int info_cmd(int argc, char *argv[]);
-static void info_usage(void);
+static void info_usage(int);
 static int create_cmd(int argc, char *argv[]);
-static void create_usage(void);
+static void create_usage(int);
 static int update_cmd(int argc, char *argv[]);
-static void update_usage(void);
+static void update_usage(int);
 static int unpack_cmd(int argc, char *argv[]);
-static void unpack_usage(void);
+static void unpack_usage(int);
 static int remove_cmd(int argc, char *argv[]);
-static void remove_usage(void);
+static void remove_usage(int);
 static int version_cmd(int argc, char *argv[]);
-static void version_usage(void);
+static void version_usage(int);
 static int help_cmd(int argc, char *argv[]);
 static void usage(void);
 
@@ -448,7 +448,7 @@ static int info_cmd(int argc, char *argv[])
 	fip_toc_header_t toc_header;
 
 	if (argc != 2)
-		info_usage();
+		info_usage(EXIT_FAILURE);
 	argc--, argv++;
 
 	parse_fip(argv[0], &toc_header);
@@ -487,10 +487,10 @@ static int info_cmd(int argc, char *argv[])
 	return 0;
 }
 
-static void info_usage(void)
+static void info_usage(int exit_status)
 {
 	printf("fiptool info FIP_FILENAME\n");
-	exit(1);
+	exit(exit_status);
 }
 
 static int pack_images(const char *filename, uint64_t toc_flags, unsigned long align)
@@ -669,7 +669,7 @@ static int create_cmd(int argc, char *argv[])
 	unsigned long align = 1;
 
 	if (argc < 2)
-		create_usage();
+		create_usage(EXIT_FAILURE);
 
 	opts = fill_common_opts(opts, &nr_opts, required_argument);
 	opts = add_opt(opts, &nr_opts, "plat-toc-flags", required_argument,
@@ -710,7 +710,7 @@ static int create_cmd(int argc, char *argv[])
 
 			if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0 ||
 			    filename[0] == '\0')
-				create_usage();
+				create_usage(EXIT_FAILURE);
 
 			desc = lookup_image_desc_from_uuid(&uuid);
 			if (desc == NULL) {
@@ -722,7 +722,7 @@ static int create_cmd(int argc, char *argv[])
 			break;
 		}
 		default:
-			create_usage();
+			create_usage(EXIT_FAILURE);
 		}
 	}
 	argc -= optind;
@@ -730,7 +730,7 @@ static int create_cmd(int argc, char *argv[])
 	free(opts);
 
 	if (argc == 0)
-		create_usage();
+		create_usage(EXIT_SUCCESS);
 
 	update_fip();
 
@@ -738,7 +738,7 @@ static int create_cmd(int argc, char *argv[])
 	return 0;
 }
 
-static void create_usage(void)
+static void create_usage(int exit_status)
 {
 	toc_entry_t *toc_entry = toc_entries;
 
@@ -753,7 +753,7 @@ static void create_usage(void)
 	for (; toc_entry->cmdline_name != NULL; toc_entry++)
 		printf("  --%-16s FILENAME\t%s\n", toc_entry->cmdline_name,
 		    toc_entry->name);
-	exit(1);
+	exit(exit_status);
 }
 
 static int update_cmd(int argc, char *argv[])
@@ -767,7 +767,7 @@ static int update_cmd(int argc, char *argv[])
 	int pflag = 0;
 
 	if (argc < 2)
-		update_usage();
+		update_usage(EXIT_FAILURE);
 
 	opts = fill_common_opts(opts, &nr_opts, required_argument);
 	opts = add_opt(opts, &nr_opts, "align", required_argument, OPT_ALIGN);
@@ -807,7 +807,7 @@ static int update_cmd(int argc, char *argv[])
 
 			if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0 ||
 			    filename[0] == '\0')
-				update_usage();
+				update_usage(EXIT_FAILURE);
 
 			desc = lookup_image_desc_from_uuid(&uuid);
 			if (desc == NULL) {
@@ -825,7 +825,7 @@ static int update_cmd(int argc, char *argv[])
 			snprintf(outfile, sizeof(outfile), "%s", optarg);
 			break;
 		default:
-			update_usage();
+			update_usage(EXIT_FAILURE);
 		}
 	}
 	argc -= optind;
@@ -833,7 +833,7 @@ static int update_cmd(int argc, char *argv[])
 	free(opts);
 
 	if (argc == 0)
-		update_usage();
+		update_usage(EXIT_SUCCESS);
 
 	if (outfile[0] == '\0')
 		snprintf(outfile, sizeof(outfile), "%s", argv[0]);
@@ -851,7 +851,7 @@ static int update_cmd(int argc, char *argv[])
 	return 0;
 }
 
-static void update_usage(void)
+static void update_usage(int exit_status)
 {
 	toc_entry_t *toc_entry = toc_entries;
 
@@ -867,7 +867,7 @@ static void update_usage(void)
 	for (; toc_entry->cmdline_name != NULL; toc_entry++)
 		printf("  --%-16s FILENAME\t%s\n", toc_entry->cmdline_name,
 		    toc_entry->name);
-	exit(1);
+	exit(exit_status);
 }
 
 static int unpack_cmd(int argc, char *argv[])
@@ -880,7 +880,7 @@ static int unpack_cmd(int argc, char *argv[])
 	int unpack_all = 1;
 
 	if (argc < 2)
-		unpack_usage();
+		unpack_usage(EXIT_FAILURE);
 
 	opts = fill_common_opts(opts, &nr_opts, required_argument);
 	opts = add_opt(opts, &nr_opts, "blob", required_argument, 'b');
@@ -915,7 +915,7 @@ static int unpack_cmd(int argc, char *argv[])
 
 			if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0 ||
 			    filename[0] == '\0')
-				unpack_usage();
+				unpack_usage(EXIT_FAILURE);
 
 			desc = lookup_image_desc_from_uuid(&uuid);
 			if (desc == NULL) {
@@ -934,7 +934,7 @@ static int unpack_cmd(int argc, char *argv[])
 			snprintf(outdir, sizeof(outdir), "%s", optarg);
 			break;
 		default:
-			unpack_usage();
+			unpack_usage(EXIT_FAILURE);
 		}
 	}
 	argc -= optind;
@@ -942,7 +942,7 @@ static int unpack_cmd(int argc, char *argv[])
 	free(opts);
 
 	if (argc == 0)
-		unpack_usage();
+		unpack_usage(EXIT_SUCCESS);
 
 	parse_fip(argv[0], NULL);
 
@@ -986,7 +986,7 @@ static int unpack_cmd(int argc, char *argv[])
 	return 0;
 }
 
-static void unpack_usage(void)
+static void unpack_usage(int exit_status)
 {
 	toc_entry_t *toc_entry = toc_entries;
 
@@ -1003,7 +1003,7 @@ static void unpack_usage(void)
 		    toc_entry->name);
 	printf("\n");
 	printf("If no options are provided, all images will be unpacked.\n");
-	exit(1);
+	exit(exit_status);
 }
 
 static int remove_cmd(int argc, char *argv[])
@@ -1017,7 +1017,7 @@ static int remove_cmd(int argc, char *argv[])
 	int fflag = 0;
 
 	if (argc < 2)
-		remove_usage();
+		remove_usage(EXIT_FAILURE);
 
 	opts = fill_common_opts(opts, &nr_opts, no_argument);
 	opts = add_opt(opts, &nr_opts, "align", required_argument, OPT_ALIGN);
@@ -1053,7 +1053,7 @@ static int remove_cmd(int argc, char *argv[])
 			    filename, sizeof(filename));
 
 			if (memcmp(&uuid, &uuid_null, sizeof(uuid_t)) == 0)
-				remove_usage();
+				remove_usage(EXIT_FAILURE);
 
 			desc = lookup_image_desc_from_uuid(&uuid);
 			if (desc == NULL) {
@@ -1071,7 +1071,7 @@ static int remove_cmd(int argc, char *argv[])
 			snprintf(outfile, sizeof(outfile), "%s", optarg);
 			break;
 		default:
-			remove_usage();
+			remove_usage(EXIT_FAILURE);
 		}
 	}
 	argc -= optind;
@@ -1079,7 +1079,7 @@ static int remove_cmd(int argc, char *argv[])
 	free(opts);
 
 	if (argc == 0)
-		remove_usage();
+		remove_usage(EXIT_SUCCESS);
 
 	if (outfile[0] != '\0' && access(outfile, F_OK) == 0 && !fflag)
 		log_errx("File %s already exists, use --force to overwrite it",
@@ -1110,7 +1110,7 @@ static int remove_cmd(int argc, char *argv[])
 	return 0;
 }
 
-static void remove_usage(void)
+static void remove_usage(int exit_status)
 {
 	toc_entry_t *toc_entry = toc_entries;
 
@@ -1126,7 +1126,7 @@ static void remove_usage(void)
 	for (; toc_entry->cmdline_name != NULL; toc_entry++)
 		printf("  --%-16s\t%s\n", toc_entry->cmdline_name,
 		    toc_entry->name);
-	exit(1);
+	exit(exit_status);
 }
 
 static int version_cmd(int argc, char *argv[])
@@ -1140,10 +1140,10 @@ static int version_cmd(int argc, char *argv[])
 	return 0;
 }
 
-static void version_usage(void)
+static void version_usage(int exit_status)
 {
 	printf("fiptool version\n");
-	exit(1);
+	exit(exit_status);
 }
 
 static int help_cmd(int argc, char *argv[])
@@ -1157,7 +1157,7 @@ static int help_cmd(int argc, char *argv[])
 	for (i = 0; i < NELEM(cmds); i++) {
 		if (strcmp(cmds[i].name, argv[0]) == 0 &&
 		    cmds[i].usage != NULL)
-			cmds[i].usage();
+			cmds[i].usage(EXIT_SUCCESS);
 	}
 	if (i == NELEM(cmds))
 		printf("No help for subcommand '%s'\n", argv[0]);
@@ -1178,7 +1178,7 @@ static void usage(void)
 	printf("  remove\tRemove images from FIP.\n");
 	printf("  version\tShow fiptool version.\n");
 	printf("  help\t\tShow help for given command.\n");
-	exit(1);
+	exit(EXIT_SUCCESS);
 }
 
 int main(int argc, char *argv[])
diff --git a/tools/fiptool/fiptool.h b/tools/fiptool/fiptool.h
index af3fcbdee..88c4a7edb 100644
--- a/tools/fiptool/fiptool.h
+++ b/tools/fiptool/fiptool.h
@@ -48,7 +48,7 @@ typedef struct image {
 typedef struct cmd {
 	char              *name;
 	int              (*handler)(int, char **);
-	void             (*usage)(void);
+	void             (*usage)(int);
 } cmd_t;
 
 #endif /* FIPTOOL_H */
diff --git a/tools/fiptool/tbbr_config.c b/tools/fiptool/tbbr_config.c
index 86b8581f8..c1e5217f0 100644
--- a/tools/fiptool/tbbr_config.c
+++ b/tools/fiptool/tbbr_config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -69,6 +69,11 @@ toc_entry_t toc_entries[] = {
 	},
 	/* Dynamic Configs */
 	{
+		.name = "FW_CONFIG",
+		.uuid = UUID_FW_CONFIG,
+		.cmdline_name = "fw-config"
+	},
+	{
 		.name = "HW_CONFIG",
 		.uuid = UUID_HW_CONFIG,
 		.cmdline_name = "hw-config"
@@ -152,6 +157,16 @@ toc_entry_t toc_entries[] = {
 		.cmdline_name = "nt-fw-cert"
 	},
 	{
+		.name = "SiP owned Secure Partition content certificate",
+		.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
+		.cmdline_name = "sip-sp-cert"
+	},
+	{
+		.name = "Platform owned Secure Partition content certificate",
+		.uuid = UUID_PLAT_SECURE_PARTITION_CONTENT_CERT,
+		.cmdline_name = "plat-sp-cert"
+	},
+	{
 		.name = NULL,
 		.uuid = { {0} },
 		.cmdline_name = NULL,
diff --git a/tools/fiptool/win_posix.c b/tools/fiptool/win_posix.c
index 48feb162e..33b44d4c6 100644
--- a/tools/fiptool/win_posix.c
+++ b/tools/fiptool/win_posix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017 - 2020, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -137,7 +137,8 @@ int getopt(int argc,
  * Note that we only match over the shorter length of the pair, to allow
  * for abbreviation or say --match=value
  * Long option names may be abbreviated if the abbreviation is unique or an
- * exact match for some defined option.
+ * exact match for some defined option. This function does not check that the
+ * abbreviations are unique and should be handled by the caller.
  * A long option may take a parameter, of the form --opt=param or --opt param.
 */
 static
@@ -160,42 +161,72 @@ int getopt_1long(const int argc,
 {
 	int result = RET_UNKNOWN_OPT;
 	size_t loptn = 0;
+	bool match_found = false;
 
-	while (longopts[loptn].name != 0) {
-		if (optmatch(optname, longopts[loptn].name) == 0) {
-			/* We found a match. */
-			result = longopts[loptn].val;
-			if (indexptr != 0)
-				*indexptr = loptn;
-			switch (longopts[loptn].has_arg) {
-			case required_argument:
-				if ((optind + 1) >= argc) {
-					/* Missing argument. */
-					optopt = result;
-					return RET_NO_PARAM;
-				}
-				/* Fallthrough to get option value. */
+	/*
+	 * Long option names may be abbreviated if the abbreviation
+	 * is unique or an exact match for some defined option.
+	 * To handle this:
+	 * - First search for an exact match.
+	 * - If exact match was not found search for a abbreviated match.
+	 * By doing this an incorrect option selection can be avoided.
+	 */
 
-			case optional_argument:
-				if ((argc - optind) > 0) {
-					/* Found argument. */
-					optarg = argv[++optind];
-				}
-				/* Fallthrough to handle flag. */
+	/* 1. Search for an exact match. */
+	while (longopts[loptn].name != NULL) {
+		if (strcmp(optname, longopts[loptn].name) == 0) {
+			match_found = true;
+			break;
+		}
+		++loptn;
+	}
 
-			case no_argument:
-				optind++;
-				if (longopts[loptn].flag != 0) {
-					*longopts[loptn].flag = result;
-					result = 0;
-				}
+	/* 2. If exact match was not found search for a abbreviated match. */
+	if (!match_found) {
+		loptn = 0;
+		while (longopts[loptn].name != NULL) {
+			if (optmatch(optname, longopts[loptn].name) == 0) {
+				match_found = true;
 				break;
+			}
+			++loptn;
+		}
+	}
+
+	if (match_found) {
+		/* We found a match. */
+		result = longopts[loptn].val;
+		if (indexptr != 0) {
+			*indexptr = loptn;
+		}
+		switch (longopts[loptn].has_arg) {
+		case required_argument:
+			if ((optind + 1) >= argc) {
+				/* Missing argument. */
+				optopt = result;
+				return RET_NO_PARAM;
+			}
+			/* Fallthrough to get option value. */
 
+		case optional_argument:
+			if ((argc - optind) > 0) {
+				/* Found argument. */
+				optarg = argv[++optind];
 			}
-			return result;
+			/* Fallthrough to handle flag. */
+
+		case no_argument:
+			optind++;
+			if (longopts[loptn].flag != 0) {
+				*longopts[loptn].flag = result;
+				result = 0;
+			}
+			break;
+
 		}
-		++loptn;
+		return result;
 	}
+
 	/*
 	 * If getopt finds an option character in argv that was not included
 	 * in options, ... it returns '?' and sets the external variable
diff --git a/tools/fiptool/win_posix.h b/tools/fiptool/win_posix.h
index 836ffed31..6f0d8e6b6 100644
--- a/tools/fiptool/win_posix.h
+++ b/tools/fiptool/win_posix.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2020, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -9,13 +9,15 @@
 
 #define _CRT_SECURE_NO_WARNINGS
 
-#include <direct.h>
-#include <io.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 
+#include <direct.h>
+#include <io.h>
+
 #include "uuid.h"
 
 /* Derive or provide Windows equivalents of Posix/GCC/Unix stuff. */
diff --git a/tools/marvell/doimage/doimage.c b/tools/marvell/doimage/doimage.c
index 82fd375f1..e08b82072 100644
--- a/tools/marvell/doimage/doimage.c
+++ b/tools/marvell/doimage/doimage.c
@@ -51,7 +51,7 @@
 /* Number of address pairs in control array */
 #define CP_CTRL_EL_ARRAY_SZ	32
 
-#define VERSION_STRING		"Marvell(C) doimage utility version 3.2"
+#define VERSION_STRING		"Marvell(C) doimage utility version 3.3"
 
 /* A8K definitions */
 
@@ -303,7 +303,7 @@ int create_rsa_signature(mbedtls_pk_context	*pk_ctx,
 				MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
 
 	/* First compute the SHA256 hash for the input blob */
-	mbedtls_sha256(input, ilen, hash, 0);
+	mbedtls_sha256_ret(input, ilen, hash, 0);
 
 	/* Then calculate the hash signature */
 	rval = mbedtls_rsa_rsassa_pss_sign(mbedtls_pk_rsa(*pk_ctx),
@@ -354,6 +354,7 @@ int verify_rsa_signature(const unsigned char	*pub_key,
 	mbedtls_pk_context		pk_ctx;
 	unsigned char			hash[32];
 	int				rval;
+	unsigned char			*pkey = (unsigned char *)pub_key;
 
 	/* Not sure this is required,
 	 * but it's safer to start with empty buffer
@@ -373,8 +374,7 @@ int verify_rsa_signature(const unsigned char	*pub_key,
 	}
 
 	/* Check ability to read the public key */
-	rval = mbedtls_pk_parse_public_key(&pk_ctx, pub_key,
-					   MAX_RSA_DER_BYTE_LEN);
+	rval = mbedtls_pk_parse_subpubkey(&pkey, pub_key + klen, &pk_ctx);
 	if (rval != 0) {
 		fprintf(stderr, " Failed in pk_parse_public_key (%#x)!\n",
 			rval);
@@ -387,7 +387,7 @@ int verify_rsa_signature(const unsigned char	*pub_key,
 				MBEDTLS_MD_SHA256);
 
 	/* Compute the SHA256 hash for the input buffer */
-	mbedtls_sha256(input, ilen, hash, 0);
+	mbedtls_sha256_ret(input, ilen, hash, 0);
 
 	rval = mbedtls_rsa_rsassa_pss_verify(mbedtls_pk_rsa(pk_ctx),
 					     mbedtls_ctr_drbg_random,
@@ -458,7 +458,7 @@ int image_encrypt(uint8_t *buf, uint32_t blen)
 	/* compute SHA-256 digest of the results
 	 * and use it as the init vector (IV)
 	 */
-	mbedtls_sha256(IV, AES_BLOCK_SZ, digest, 0);
+	mbedtls_sha256_ret(IV, AES_BLOCK_SZ, digest, 0);
 	memcpy(IV, digest, AES_BLOCK_SZ);
 	mbedtls_aes_setkey_enc(&aes_ctx, opts.sec_opts->aes_key,
 			       AES_KEY_BIT_LEN);
@@ -880,11 +880,13 @@ int format_sec_ext(char *filename, FILE *out_fd)
 				fname);
 			return 1;
 		}
+
 		/* Data in the output buffer is aligned to the buffer end */
 		der_buf_start = output_buf + sizeof(output_buf) - output_len;
 		/* In the header DER data is aligned
 		 * to the start of appropriate field
 		 */
+		bzero(out_der_key, MAX_RSA_DER_BYTE_LEN);
 		memcpy(out_der_key, der_buf_start, output_len);
 
 	} /* for every private key file */
@@ -899,8 +901,10 @@ int format_sec_ext(char *filename, FILE *out_fd)
 		fprintf(stderr, "Failed to sign CSK keys block!\n");
 		return 1;
 	}
+
 	/* Check that everything is correct */
-	if (verify_rsa_signature(sec_ext.kak_key, MAX_RSA_DER_BYTE_LEN,
+	if (verify_rsa_signature(sec_ext.kak_key,
+				 MAX_RSA_DER_BYTE_LEN,
 				 &sec_ext.csk_keys[0][0],
 				 sizeof(sec_ext.csk_keys),
 				 opts.sec_opts->kak_key_file,
@@ -1333,7 +1337,7 @@ int parse_image(uint8_t *buf, int size)
 					goto error;
 				}
 
-				mbedtls_sha256(sec_entry->kak_key,
+				mbedtls_sha256_ret(sec_entry->kak_key,
 					       MAX_RSA_DER_BYTE_LEN, hash, 0);
 				fprintf(stdout,
 					">>>>>>>>>> KAK KEY HASH >>>>>>>>>>\n");
@@ -1559,13 +1563,9 @@ error:
 
 int write_boot_image(uint8_t *buf, uint32_t image_size, FILE *out_fd)
 {
-	int aligned_size;
 	int written;
 
-	/* Image size must be aligned to 4 bytes */
-	aligned_size = (image_size + 3) & (~0x3);
-
-	written = fwrite(buf, aligned_size, 1, out_fd);
+	written = fwrite(buf, image_size, 1, out_fd);
 	if (written != 1) {
 		fprintf(stderr, "Error: Failed to write boot image\n");
 		goto error;
@@ -1587,7 +1587,7 @@ int main(int argc, char *argv[])
 	int ext_cnt = 0;
 	int opt;
 	int ret = 0;
-	int image_size;
+	int image_size, file_size;
 	uint8_t *image_buf = NULL;
 	int read;
 	size_t len;
@@ -1683,16 +1683,18 @@ int main(int argc, char *argv[])
 		goto main_exit;
 	}
 
-	/* Read the input file to buffer */
-	image_size = get_file_size(in_file);
-	image_buf = calloc((image_size + AES_BLOCK_SZ - 1) &
-			   ~(AES_BLOCK_SZ - 1), 1);
+	/* Read the input file to buffer
+	 * Always align the image to 16 byte boundary
+	 */
+	file_size  = get_file_size(in_file);
+	image_size = (file_size + AES_BLOCK_SZ - 1) & ~(AES_BLOCK_SZ - 1);
+	image_buf  = calloc(image_size, 1);
 	if (image_buf == NULL) {
 		fprintf(stderr, "Error: failed allocating input buffer\n");
 		return 1;
 	}
 
-	read = fread(image_buf, image_size, 1, in_fd);
+	read = fread(image_buf, file_size, 1, in_fd);
 	if (read != 1) {
 		fprintf(stderr, "Error: failed to read input file\n");
 		goto main_exit;
diff --git a/tools/memory/print_memory_map.py b/tools/memory/print_memory_map.py
index 35cccd38c..8a84018e7 100755
--- a/tools/memory/print_memory_map.py
+++ b/tools/memory/print_memory_map.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (c) 2019, Arm Limited. All rights reserved.
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -22,6 +22,7 @@ blx_symbols = ['__BL1_RAM_START__', '__BL1_RAM_END__',
                 '__DATA_START__', '__DATA_END__',
                 '__STACKS_START__', '__STACKS_END__',
                 '__BSS_END',
+                '__COHERENT_RAM_START__', '__COHERENT_RAM_END__',
                ]
 
 # Regex to extract address from map file
@@ -31,8 +32,11 @@ address_pattern = re.compile(r"\b0x\w*")
 address_list = []
 
 # Get the directory from command line or use a default one
+inverted_print = True
 if len(sys.argv) >= 2:
     build_dir = sys.argv[1]
+    if len(sys.argv) >= 3:
+        inverted_print = sys.argv[2] == '0'
 else:
     build_dir = 'build/fvp/debug'
 
@@ -43,7 +47,10 @@ for image in bl_images:
         with open (file_path, 'rt') as mapfile:
             for line in mapfile:
                 for symbol in blx_symbols:
-                    if line.find(symbol) > 0 and line.find("ASSERT") < 0:
+                    # Regex to find symbol definition
+                    line_pattern = re.compile(r"\b0x\w*\s*" + symbol + "\s= .")
+                    match = line_pattern.search(line)
+                    if match:
                         # Extract address from line
                         match = address_pattern.search(line)
                         if match:
@@ -52,17 +59,21 @@ for image in bl_images:
 # Sort by address
 address_list.sort(key=operator.itemgetter(0))
 
+# Invert list for lower address at bottom
+if inverted_print:
+    address_list = reversed(address_list)
+
 # Generate memory view
-print('{:-^87}'.format('Memory Map from: ' + build_dir))
-for address in reversed(address_list):
+print('{:-^93}'.format('Memory Map from: ' + build_dir))
+for address in address_list:
     if "bl1" in address[2]:
-        print(address[0], '+{:-^20}+ |{:^20}| |{:^20}|'.format(address[1], '', ''))
+        print(address[0], '+{:-^22}+ |{:^22}| |{:^22}|'.format(address[1], '', ''))
     elif "bl2" in address[2]:
-        print(address[0], '|{:^20}| +{:-^20}+ |{:^20}|'.format('', address[1], ''))
+        print(address[0], '|{:^22}| +{:-^22}+ |{:^22}|'.format('', address[1], ''))
     elif "bl31" in address[2]:
-        print(address[0], '|{:^20}| |{:^20}| +{:-^20}+'.format('', '', address[1]))
+        print(address[0], '|{:^22}| |{:^22}| +{:-^22}+'.format('', '', address[1]))
     else:
-        print(address[0], '|{:^20}| |{:^20}| +{:-^20}+'.format('', '', address[1]))
+        print(address[0], '|{:^22}| |{:^22}| +{:-^22}+'.format('', '', address[1]))
 
-print('{:^20}{:_^20}   {:_^20}   {:_^20}'.format('', '', '', ''))
-print('{:^20}{:^20}   {:^20}   {:^20}'.format('address', 'bl1', 'bl2', 'bl31'))
+print('{:^20}{:_^22}   {:_^22}   {:_^22}'.format('', '', '', ''))
+print('{:^20}{:^22}   {:^22}   {:^22}'.format('address', 'bl1', 'bl2', 'bl31'))
diff --git a/tools/renesas/rzg_layout_create/makefile b/tools/renesas/rzg_layout_create/makefile
new file mode 100644
index 000000000..2d438b923
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/makefile
@@ -0,0 +1,118 @@
+#
+# Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+###################################################
+# makefile
+###################################################
+
+#output file name
+FILE_NAME_SA0 = bootparam_sa0
+FILE_NAME_SA6 = cert_header_sa6
+
+OUTPUT_FILE_SA0 = $(FILE_NAME_SA0).elf
+OUTPUT_FILE_SA6 = $(FILE_NAME_SA6).elf
+
+#object file name
+OBJ_FILE_SA0 = sa0.o
+OBJ_FILE_SA6 = sa6.o
+
+#linker script name
+MEMORY_DEF_SA0 = sa0.ld.S
+MEMORY_DEF_SA6 = sa6.ld.S
+
+###################################################
+# Convenience function for adding build definitions
+# $(eval $(call add_define,FOO)) will have:
+# -DFOO if $(FOO) is empty; -DFOO=$(FOO) otherwise
+define add_define
+DEFINES += -D$(1)$(if $(value $(1)),=$(value $(1)),)
+endef
+
+# Process RCAR_SA0_SIZE flag
+ifndef RCAR_SA0_SIZE
+RCAR_SA0_SIZE := 1
+else
+ifeq (${RCAR_SA0_SIZE},0)
+RCAR_SA0_SIZE := 0
+else
+RCAR_SA0_SIZE := 1
+endif
+endif
+$(eval $(call add_define,RCAR_SA0_SIZE))
+
+# Process RCAR_SA6_TYPE flag
+ifndef RCAR_SA6_TYPE
+RCAR_SA6_TYPE := 0
+else
+ifeq (${RCAR_SA6_TYPE},0)
+RCAR_SA6_TYPE := 0
+else
+RCAR_SA6_TYPE := 1
+endif
+endif
+$(eval $(call add_define,RCAR_SA6_TYPE))
+
+RCAR_VMA_ADJUST_ADDR := 0xE6320000
+$(eval $(call add_define,RCAR_VMA_ADJUST_ADDR))
+
+
+###################################################
+
+#c compiler
+CC = $(CROSS_COMPILE)gcc
+CFLAGS += ${DEFINES}
+CFLAGS += -nostdinc \
+	  -I../../../include/lib/libc \
+	  -I../../../include/lib/libc/aarch64
+
+#Linker
+LD = $(CROSS_COMPILE)ld
+
+#objcopy
+objcopy = $(CROSS_COMPILE)objcopy
+
+#clean
+CL = rm -f
+
+###################################################
+.SUFFIXES : .s .c .o
+
+###################################################
+# command
+
+.PHONY: all
+all: $(OUTPUT_FILE_SA0) $(OUTPUT_FILE_SA6)
+###################################################
+# Linker
+###################################################
+$(OUTPUT_FILE_SA0) : $(MEMORY_DEF_SA0) $(OBJ_FILE_SA0)
+	$(LD) $(OBJ_FILE_SA0)		 	\
+	-T $(MEMORY_DEF_SA0)			\
+	-o $(OUTPUT_FILE_SA0)			\
+	-Map $(FILE_NAME_SA0).map 		\
+
+	$(objcopy) -O srec --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3  $(OUTPUT_FILE_SA0) $(FILE_NAME_SA0).srec
+	$(objcopy) -O binary --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3  $(OUTPUT_FILE_SA0) $(FILE_NAME_SA0).bin
+
+$(OUTPUT_FILE_SA6) : $(MEMORY_DEF_SA6) $(OBJ_FILE_SA6)
+	$(LD) $(OBJ_FILE_SA6)		 	\
+	-T $(MEMORY_DEF_SA6)			\
+	-o $(OUTPUT_FILE_SA6)			\
+	-Map $(FILE_NAME_SA6).map 		\
+
+	$(objcopy) -O srec --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3  $(OUTPUT_FILE_SA6) $(FILE_NAME_SA6).srec
+	$(objcopy) -O binary --adjust-vma=$(RCAR_VMA_ADJUST_ADDR) --srec-forceS3  $(OUTPUT_FILE_SA6) $(FILE_NAME_SA6).bin
+
+###################################################
+# Compile
+###################################################
+
+%.o:../%.c
+	$(CC) -c -I $< -o $@
+
+.PHONY: clean
+clean:
+	$(CL)  *.bin *.map *.srec *.elf *.o
diff --git a/tools/renesas/rzg_layout_create/sa0.c b/tools/renesas/rzg_layout_create/sa0.c
new file mode 100644
index 000000000..763d3a536
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa0.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#define RCAR_SA0_SIZE_SMALL	(0)	/* for RZ/G2E */
+#define RCAR_SA0_SIZE_NORMAL	(1)	/* for RZ/G2[HMN] */
+
+#define BL2_ADDRESS	(0xE6304000)	/* BL2 start address */
+
+#if (RCAR_SA0_SIZE == RCAR_SA0_SIZE_SMALL)
+#define BL2_SIZE	(80*1024/4)	/* BL2 size is 80KB(0x00005000) */
+#else  /* (RCAR_SA0_SIZE == RCAR_SA0_SIZE_SMALL) */
+#define BL2_SIZE	(170*1024/4)	/* BL2 size is 170KB(0x0000AA00) */
+#endif /* (RCAR_SA0_SIZE == RCAR_SA0_SIZE_SMALL) */
+
+/* SA0 */
+/* 0x00000000 */
+const unsigned int __attribute__ ((section(".sa0_bootrom"))) bootrom_paramA = 0x00000100;
+/* 0x00000080 (Map Type 3 for eMMC Boot)*/
+/* 0x000001D4 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_addr3"))) bl2dst_addr3 = BL2_ADDRESS;
+/* 0x000002E4 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_size3"))) bl2dst_size3 = BL2_SIZE;
+/* 0x00000C00 (Map Type 1 for HyperFlash/QSPI Flash Boot)*/
+/* 0x00000D54 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_addr1"))) bl2dst_addr1 = BL2_ADDRESS;
+/* 0x00000E64 */
+const unsigned int __attribute__ ((section(".sa0_bl2dst_size1"))) bl2dst_size1 = BL2_SIZE;
diff --git a/tools/renesas/rzg_layout_create/sa0.ld.S b/tools/renesas/rzg_layout_create/sa0.ld.S
new file mode 100644
index 000000000..23e2b237f
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa0.ld.S
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+SECTIONS
+{
+	. = 0x00000000;
+	.rodata : {
+		KEEP(*(.sa0_bootrom))
+		/* Map Type 3 for eMMC Boot */
+                /* A-side IPL content cert "Start Address" */
+		. = 0x000001D4;		/* H'00000080 + H'00000154 */
+		KEEP(*(.sa0_bl2dst_addr3))
+                /* A-side IPL content cert "Size" */
+		. = 0x000002E4;		/* H'00000080 + H'00000264 */
+		KEEP(*(.sa0_bl2dst_size3))
+		/* Map Type 1 for HyperFlash/QSPI Flash Boot */
+		/* A-side IPL content cert "Start Address" */
+		. = 0x00000D54;		/* H'00000C00 + H'00000154 */
+		KEEP(*(.sa0_bl2dst_addr1))
+		/* A-side IPL content cert "Size" */
+		. = 0x00000E64;		/* H'00000C00 + H'00000264 */
+		KEEP(*(.sa0_bl2dst_size1))
+	}
+
+}
diff --git a/tools/renesas/rzg_layout_create/sa6.c b/tools/renesas/rzg_layout_create/sa6.c
new file mode 100644
index 000000000..76e3dc5e3
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa6.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+
+#define RCAR_SA6_TYPE_QSPIFLASH		(0)
+#define RCAR_SA6_TYPE_EMMC		(1)
+
+#if (RCAR_SA6_TYPE == RCAR_SA6_TYPE_QSPIFLASH)
+
+/* Number of content cert for Non-secure Target Program(BL33x) */
+#define RCAR_IMAGE_NUM			(0x00000001U)
+/* Source address on flash for BL31 */
+#define RCAR_BL31SRC_ADDRESS		(0x001C0000U)
+/* Reserved */
+#define RCAR_BL31_PARTITION		(0x00000000U)
+/* Source address on flash for BL32 */
+#define RCAR_BL32SRC_ADDRESS		(0x00200000U)
+/* Reserved */
+#define RCAR_BL32_PARTITION		(0x00000000U)
+/* Source address on flash for BL33 */
+#define RCAR_BL33SRC_ADDRESS		(0x00300000U)
+/* Reserved */
+#define RCAR_BL33_PARTITION		(0x00000000U)
+#define RCAR_BL332SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL332_PARTITION		(0x00000000U)
+#define RCAR_BL333SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL333_PARTITION		(0x00000000U)
+#define RCAR_BL334SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL334_PARTITION		(0x00000000U)
+#define RCAR_BL335SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL335_PARTITION		(0x00000000U)
+#define RCAR_BL336SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL336_PARTITION		(0x00000000U)
+#define RCAR_BL337SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL337_PARTITION		(0x00000000U)
+#define RCAR_BL338SRC_ADDRESS		(0x00000000U)
+/* Reserved */
+#define RCAR_BL338_PARTITION		(0x00000000U)
+
+#else /* RCAR_SA6_TYPE == RCAR_SA6_TYPE_EMMC */
+
+/* Number of content cert for Non-secure Target Program(BL33x) */
+#define RCAR_IMAGE_NUM			(0x00000001U)
+/* Source address on eMMC for BL31 */
+#define RCAR_BL31SRC_ADDRESS		(0x00040000U)
+/* Source partition on eMMC for BL31 */
+#define RCAR_BL31_PARTITION		(0x00000001U)
+/* Source address on eMMC for BL32 */
+#define RCAR_BL32SRC_ADDRESS		(0x00200000U)
+/* Source partition on eMMC for BL32 */
+#define RCAR_BL32_PARTITION		(0x00000001U)
+/* Source address on eMMC for BL33 */
+#define RCAR_BL33SRC_ADDRESS		(0x00000000U)
+/* Source partition on eMMC for BL33 */
+#define RCAR_BL33_PARTITION		(0x00000002U)
+/* Reserved */
+#define RCAR_BL332SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL332_PARTITION		(0x00000000U)
+/* Reserved */
+#define RCAR_BL333SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL333_PARTITION		(0x00000000U)
+/* Reserved */
+#define RCAR_BL334SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL334_PARTITION		(0x00000000U)
+/* Reserved */
+#define RCAR_BL335SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL335_PARTITION		(0x00000000U)
+/* Reserved */
+#define RCAR_BL336SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL336_PARTITION		(0x00000000U)
+/* Reserved */
+#define RCAR_BL337SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL337_PARTITION		(0x00000000U)
+/* Reserved */
+#define RCAR_BL338SRC_ADDRESS		(0x00000000U)
+#define RCAR_BL338_PARTITION		(0x00000000U)
+
+#endif /* RCAR_SA6_TYPE == RCAR_SA6_TYPE_QSPIFLASH */
+
+/* Destination address for BL31 */
+#define RCAR_BL31DST_ADDRESS		(0x44000000U)
+#define RCAR_BL31DST_ADDRESSH		(0x00000000U)
+/* Destination size for BL31 */
+#define RCAR_BL31DST_SIZE		(0x00004000U)
+/* Destination address for BL32 */
+#define RCAR_BL32DST_ADDRESS		(0x44100000U)
+#define RCAR_BL32DST_ADDRESSH		(0x00000000U)
+/* Destination size for BL32 */
+#define RCAR_BL32DST_SIZE		(0x00040000U)
+/* Destination address for BL33 */
+#define RCAR_BL33DST_ADDRESS		(0x50000000U)
+#define RCAR_BL33DST_ADDRESSH		(0x00000000U)
+/* Destination size for BL33 */
+#define RCAR_BL33DST_SIZE		(0x00040000U)
+/* Reserved */
+#define RCAR_BL332DST_ADDRESS		(0x00000000U)
+#define RCAR_BL332DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL332DST_SIZE		(0x00000000U)
+/* Reserved */
+#define RCAR_BL333DST_ADDRESS		(0x00000000U)
+#define RCAR_BL333DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL333DST_SIZE		(0x00000000U)
+/* Reserved */
+#define RCAR_BL334DST_ADDRESS		(0x00000000U)
+#define RCAR_BL334DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL334DST_SIZE		(0x00000000U)
+/* Reserved */
+#define RCAR_BL335DST_ADDRESS		(0x00000000U)
+#define RCAR_BL335DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL335DST_SIZE		(0x00000000U)
+/* Reserved */
+#define RCAR_BL336DST_ADDRESS		(0x00000000U)
+#define RCAR_BL336DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL336DST_SIZE		(0x00000000U)
+/* Reserved */
+#define RCAR_BL337DST_ADDRESS		(0x00000000U)
+#define RCAR_BL337DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL337DST_SIZE		(0x00000000U)
+/* Reserved */
+#define RCAR_BL338DST_ADDRESS		(0x00000000U)
+#define RCAR_BL338DST_ADDRESSH		(0x00000000U)
+#define RCAR_BL338DST_SIZE		(0x00000000U)
+
+/* SA6 */
+const uint64_t __attribute__ ((section(".sa6_image_num")))
+				image_num	= RCAR_IMAGE_NUM;
+const uint64_t __attribute__ ((section(".sa6_bl31src_addr")))
+				bl31src_addr	= RCAR_BL31SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl31partition")))
+				bl31partition	= RCAR_BL31_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl32src_addr")))
+				bl32src_addr	= RCAR_BL32SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl32partition")))
+				bl32partition	= RCAR_BL32_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl33src_addr")))
+				bl33src_addr	= RCAR_BL33SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl33partition")))
+				bl33partition	= RCAR_BL33_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl332src_addr")))
+				bl332src_addr	= RCAR_BL332SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl332partition")))
+				bl332partition	= RCAR_BL332_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl333src_addr")))
+				bl333src_addr	= RCAR_BL333SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl333partition")))
+				bl333partition	= RCAR_BL333_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl334src_addr")))
+				bl334src_addr	= RCAR_BL334SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl334partition")))
+				bl334partition	= RCAR_BL334_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl335src_addr")))
+				bl335src_addr	= RCAR_BL335SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl335partition")))
+				bl335partition	= RCAR_BL335_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl336src_addr")))
+				bl336src_addr	= RCAR_BL336SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl336partition")))
+				bl336partition	= RCAR_BL336_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl337src_addr")))
+				bl337src_addr	= RCAR_BL337SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl337partition")))
+				bl337partition	= RCAR_BL337_PARTITION;
+const uint64_t __attribute__ ((section(".sa6_bl338src_addr")))
+				bl338src_addr	= RCAR_BL338SRC_ADDRESS;
+const uint64_t __attribute__ ((section(".sa6_bl338partition")))
+				bl338partition	= RCAR_BL338_PARTITION;
+const uint32_t __attribute__ ((section(".sa6_bl31dst_addr")))
+				bl31dst_addr	= RCAR_BL31DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl31dst_addrh")))
+				bl31dst_addrh	= RCAR_BL31DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl31dst_size")))
+				bl31dst_size	= RCAR_BL31DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl32dst_addr")))
+				bl32dst_addr	= RCAR_BL32DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl32dst_addrh")))
+				bl32dst_addrh	= RCAR_BL32DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl32dst_size")))
+				bl32dst_size	= RCAR_BL32DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl33dst_addr")))
+				bl33dst_addr	= RCAR_BL33DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl33dst_addrh")))
+				bl33dst_addrh	= RCAR_BL33DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl33dst_size")))
+				bl33dst_size	= RCAR_BL33DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl332dst_addr")))
+				bl332dst_addr	= RCAR_BL332DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl332dst_addrh")))
+				bl332dst_addrh	= RCAR_BL332DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl332dst_size")))
+				bl332dst_size	= RCAR_BL332DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl333dst_addr")))
+				bl333dst_addr	= RCAR_BL333DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl333dst_addrh")))
+				bl333dst_addrh	= RCAR_BL333DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl333dst_size")))
+				bl333dst_size	= RCAR_BL333DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl334dst_addr")))
+				bl334dst_addr	= RCAR_BL334DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl334dst_addrh")))
+				bl334dst_addrh	= RCAR_BL334DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl334dst_size")))
+				bl334dst_size	= RCAR_BL334DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl335dst_addr")))
+				bl335dst_addr	= RCAR_BL335DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl335dst_addrh")))
+				bl335dst_addrh	= RCAR_BL335DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl335dst_size")))
+				bl335dst_size	= RCAR_BL335DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl336dst_addr")))
+				bl336dst_addr	= RCAR_BL336DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl336dst_addrh")))
+				bl336dst_addrh	= RCAR_BL336DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl336dst_size")))
+				bl336dst_size	= RCAR_BL336DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl337dst_addr")))
+				bl337dst_addr	= RCAR_BL337DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl337dst_addrh")))
+				bl337dst_addrh	= RCAR_BL337DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl337dst_size")))
+				bl337dst_size	= RCAR_BL337DST_SIZE;
+const uint32_t __attribute__ ((section(".sa6_bl338dst_addr")))
+				bl338dst_addr	= RCAR_BL338DST_ADDRESS;
+const uint32_t __attribute__ ((section(".sa6_bl338dst_addrh")))
+				bl338dst_addrh	= RCAR_BL338DST_ADDRESSH;
+const uint32_t __attribute__ ((section(".sa6_bl338dst_size")))
+				bl338dst_size	= RCAR_BL338DST_SIZE;
diff --git a/tools/renesas/rzg_layout_create/sa6.ld.S b/tools/renesas/rzg_layout_create/sa6.ld.S
new file mode 100644
index 000000000..efe40b0c8
--- /dev/null
+++ b/tools/renesas/rzg_layout_create/sa6.ld.S
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2020, Renesas Electronics Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+SECTIONS
+{
+	. = 0x00000000;
+	.rodata : {
+		KEEP(*(.sa6_image_num))
+		. = 0x00000008;
+		KEEP(*(.sa6_bl31src_addr))
+		. = 0x00000010;
+		KEEP(*(.sa6_bl31partition))
+		. = 0x00000018;
+		KEEP(*(.sa6_bl32src_addr))
+		. = 0x00000020;
+		KEEP(*(.sa6_bl32partition))
+		. = 0x00000028;
+		KEEP(*(.sa6_bl33src_addr))
+		. = 0x00000030;
+		KEEP(*(.sa6_bl33partition))
+		. = 0x00000038;
+		KEEP(*(.sa6_bl332src_addr))
+		. = 0x00000040;
+		KEEP(*(.sa6_bl332partition))
+		. = 0x00000048;
+		KEEP(*(.sa6_bl333src_addr))
+		. = 0x00000050;
+		KEEP(*(.sa6_bl333partition))
+		. = 0x00000058;
+		KEEP(*(.sa6_bl334src_addr))
+		. = 0x00000060;
+		KEEP(*(.sa6_bl334partition))
+		. = 0x00000068;
+		KEEP(*(.sa6_bl335src_addr))
+		. = 0x00000070;
+		KEEP(*(.sa6_bl335partition))
+		. = 0x00000078;
+		KEEP(*(.sa6_bl336src_addr))
+		. = 0x00000080;
+		KEEP(*(.sa6_bl336partition))
+		. = 0x00000088;
+		KEEP(*(.sa6_bl337src_addr))
+		. = 0x00000090;
+		KEEP(*(.sa6_bl337partition))
+		. = 0x00000098;
+		KEEP(*(.sa6_bl338src_addr))
+		. = 0x000000A0;
+		KEEP(*(.sa6_bl338partition))
+		. = 0x00000554;
+		KEEP(*(.sa6_bl31dst_addr))
+		. = 0x00000558;
+		KEEP(*(.sa6_bl31dst_addrh))
+		. = 0x00000664;
+		KEEP(*(.sa6_bl31dst_size))
+		. = 0x00000D54;
+		KEEP(*(.sa6_bl32dst_addr))
+		. = 0x00000D58;
+		KEEP(*(.sa6_bl32dst_addrh))
+		. = 0x00000E64;
+		KEEP(*(.sa6_bl32dst_size))
+		. = 0x00001554;
+		KEEP(*(.sa6_bl33dst_addr))
+		. = 0x00001558;
+		KEEP(*(.sa6_bl33dst_addrh))
+		. = 0x00001664;
+		KEEP(*(.sa6_bl33dst_size))
+		. = 0x00001D54;
+		KEEP(*(.sa6_bl332dst_addr))
+		. = 0x00001D58;
+		KEEP(*(.sa6_bl332dst_addrh))
+		. = 0x00001E64;
+		KEEP(*(.sa6_bl332dst_size))
+		. = 0x00002554;
+		KEEP(*(.sa6_bl333dst_addr))
+		. = 0x00002558;
+		KEEP(*(.sa6_bl333dst_addrh))
+		. = 0x00002664;
+		KEEP(*(.sa6_bl333dst_size))
+		. = 0x00002D54;
+		KEEP(*(.sa6_bl334dst_addr))
+		. = 0x00002D58;
+		KEEP(*(.sa6_bl334dst_addrh))
+		. = 0x00002E64;
+		KEEP(*(.sa6_bl334dst_size))
+		. = 0x00003554;
+		KEEP(*(.sa6_bl335dst_addr))
+		. = 0x00003558;
+		KEEP(*(.sa6_bl335dst_addrh))
+		. = 0x00003664;
+		KEEP(*(.sa6_bl335dst_size))
+		. = 0x00003D54;
+		KEEP(*(.sa6_bl336dst_addr))
+		. = 0x00003D58;
+		KEEP(*(.sa6_bl336dst_addrh))
+		. = 0x00003E64;
+		KEEP(*(.sa6_bl336dst_size))
+		. = 0x00004554;
+		KEEP(*(.sa6_bl337dst_addr))
+		. = 0x00004558;
+		KEEP(*(.sa6_bl337dst_addrh))
+		. = 0x00004664;
+		KEEP(*(.sa6_bl337dst_size))
+		. = 0x00004D54;
+		KEEP(*(.sa6_bl338dst_addr))
+		. = 0x00004D58;
+		KEEP(*(.sa6_bl338dst_addrh))
+		. = 0x00004E64;
+		KEEP(*(.sa6_bl338dst_size))
+	}
+
+}
diff --git a/tools/sptool/Makefile b/tools/sptool/Makefile
index 9325207c4..1fa85fb20 100644
--- a/tools/sptool/Makefile
+++ b/tools/sptool/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2018, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -8,7 +8,8 @@ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
 include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
 include ${MAKE_HELPERS_DIRECTORY}build_env.mk
 
-PROJECT := sptool${BIN_EXT}
+SPTOOL  ?= sptool${BIN_EXT}
+PROJECT := $(notdir ${SPTOOL})
 OBJECTS := sptool.o
 V ?= 0
 
diff --git a/tools/sptool/sp_mk_generator.py b/tools/sptool/sp_mk_generator.py
new file mode 100755
index 000000000..a37e702bb
--- /dev/null
+++ b/tools/sptool/sp_mk_generator.py
@@ -0,0 +1,137 @@
+#!/usr/bin/python3
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+
+"""
+This script is invoked by Make system and generates secure partition makefile.
+It expects platform provided secure partition layout file which contains list
+of Secure Partition Images and Partition manifests(PM).
+Layout file can exist outside of TF-A tree and the paths of Image and PM files
+must be relative to it.
+
+This script parses the layout file and generates a make file which updates
+FDT_SOURCES, FIP_ARGS, CRT_ARGS and SPTOOL_ARGS which are used in later build
+steps.
+This script also gets SP "uuid" from parsing its PM and converting it to a
+standard format.
+
+param1: Generated mk file "sp_gen.mk"
+param2: "SP_LAYOUT_FILE", json file containing platform provided information
+param3: plat out directory
+param4: CoT parameter
+
+Generated "sp_gen.mk" file contains triplet of following information for each
+Secure Partition entry
+    FDT_SOURCES +=  sp1.dts
+    SPTOOL_ARGS += -i sp1.bin:sp1.dtb -o sp1.pkg
+    FIP_ARGS += --blob uuid=XXXXX-XXX...,file=sp1.pkg
+    CRT_ARGS += --sp-pkg1 sp1.pkg
+
+A typical SP_LAYOUT_FILE file will look like
+{
+        "SP1" : {
+                "image": "sp1.bin",
+                "pm": "test/sp1.dts"
+        },
+
+        "SP2" : {
+                "image": "sp2.bin",
+                "pm": "test/sp2.dts"
+        }
+
+        ...
+}
+
+"""
+
+import getopt
+import json
+import os
+import re
+import sys
+import uuid
+
+with open(sys.argv[2],'r') as in_file:
+    data = json.load(in_file)
+json_file = os.path.abspath(sys.argv[2])
+json_dir = os.path.dirname(json_file)
+gen_file = os.path.abspath(sys.argv[1])
+out_dir = os.path.abspath(sys.argv[3])
+dtb_dir = out_dir + "/fdts/"
+MAX_SP = 8
+dualroot = sys.argv[4].lower() == "dualroot"
+split = int(MAX_SP / 2)
+print(dtb_dir)
+platform_count = 1
+sip_count = 1
+
+with open(gen_file, 'w') as out_file:
+    for idx, key in enumerate(data.keys()):
+
+        pkg_num = idx + 1
+
+        if (pkg_num > MAX_SP):
+            print("WARNING: Too many secure partitions\n")
+            exit(-1)
+
+        if dualroot:
+            owner = data[key].get('owner')
+            if owner == "Plat":
+                if (platform_count > split):
+                    print("WARNING: Maximum Secure partitions by Plat " +
+                    "have been exceeded (" + str(split) + ")\n")
+                    exit(-1)
+                pkg_num = split + platform_count
+                platform_count += 1
+            elif (sip_count > split):
+                print("WARNING: Maximum Secure partitions by SiP " +
+                "have been exceeded (" + str(split) + ")\n")
+                exit(-1)
+            else:
+                pkg_num = sip_count
+                sip_count += 1
+
+        """
+        Append FDT_SOURCES
+        """
+        dts = os.path.join(json_dir, data[key]['pm'])
+        dtb = dtb_dir + os.path.basename(data[key]['pm'][:-1] + "b")
+        out_file.write("FDT_SOURCES += " + dts + "\n")
+
+        """
+        Update SPTOOL_ARGS
+        """
+        dst = out_dir + "/" + key + ".pkg"
+        src = [ json_dir + "/" + data[key]['image'] , dtb  ]
+        out_file.write("SPTOOL_ARGS += -i " + ":".join(src) + " -o " + dst + "\n")
+
+        """
+        Extract uuid from partition manifest
+        """
+        pm_file = open(dts)
+        uuid_key = "uuid"
+
+        for line in pm_file:
+            if uuid_key in line:
+                uuid_hex = re.findall(r'\<(.+?)\>', line)[0];
+
+        # PM has uuid in format 0xABC... 0x... 0x... 0x...
+        # Get rid of '0x' and spaces and convert to string of hex digits
+        uuid_hex = uuid_hex.replace('0x','').replace(' ','')
+        # make UUID from a string of hex digits
+        uuid_std = uuid.UUID(uuid_hex)
+        # convert UUID to a string of hex digits in standard form
+        uuid_std = str(uuid_std)
+
+        """
+        Append FIP_ARGS
+        """
+        out_file.write("FIP_ARGS += --blob uuid=" + uuid_std + ",file=" + dst + "\n")
+
+        """
+        Append CRT_ARGS
+        """
+
+        out_file.write("CRT_ARGS += --sp-pkg" + str(pkg_num) + " " + dst + "\n")
+        out_file.write("\n")
diff --git a/tools/sptool/sptool.c b/tools/sptool/sptool.c
index a33b66446..38baa2cd9 100644
--- a/tools/sptool/sptool.c
+++ b/tools/sptool/sptool.c
@@ -1,10 +1,11 @@
 /*
- * Copyright (c) 2018, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
 #include <stdarg.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -16,25 +17,26 @@
 #define PAGE_SIZE		4096
 
 /*
- * Linked list of entries describing entries in the secure
- * partition package.
+ * Entry describing Secure Partition package.
  */
-struct sp_entry_info {
+struct sp_pkg_info {
 	/* Location of the files in the host's RAM. */
-	void *sp_data, *rd_data;
+	void *img_data, *pm_data;
 
 	/* Size of the files. */
-	uint64_t sp_size, rd_size;
+	uint32_t img_size, pm_size;
 
 	/* Location of the binary files inside the package output file */
-	uint64_t sp_offset, rd_offset;
-
-	struct sp_entry_info *next;
+	uint32_t img_offset, pm_offset;
 };
 
-static struct sp_entry_info *sp_info_head;
-
-static uint64_t sp_count;
+/*
+ * List of input provided by user
+ */
+struct arg_list {
+	char *usr_input;
+	struct arg_list *next;
+};
 
 /* Align an address to a power-of-two boundary. */
 static unsigned int align_to(unsigned int address, unsigned int boundary)
@@ -89,26 +91,61 @@ static void xfseek(FILE *fp, long offset, int whence)
 	}
 }
 
-static void cleanup(void)
+/*
+ * Free SP package structure
+ */
+static void cleanup(struct sp_pkg_info *sp)
 {
-	struct sp_entry_info *sp = sp_info_head;
 
-	while (sp != NULL) {
-		struct sp_entry_info *next = sp->next;
-
-		if (sp->sp_data != NULL)
-			free(sp->sp_data);
+	if (sp != NULL) {
+		if (sp->img_data != NULL) {
+			free(sp->img_data);
+		}
 
-		if (sp->rd_data != NULL)
-			free(sp->rd_data);
+		if (sp->pm_data != NULL) {
+			free(sp->pm_data);
+		}
 
 		free(sp);
 
-		sp = next;
 	}
+}
 
-	sp_count = 0;
-	sp_info_head = NULL;
+/*
+ * Free argument list structure
+ */
+static void freelist(struct arg_list *head)
+{
+	struct arg_list *tmp;
+
+	while (head != NULL) {
+		tmp = head;
+		head = head->next;
+		free(tmp);
+	}
+}
+
+/*
+ * Append user inputs in argument list structure
+ */
+static void append_user_input(struct arg_list **head, char *args)
+{
+	struct arg_list *tmp = *head;
+
+	if (tmp == NULL) {
+		tmp = xzalloc(sizeof(struct arg_list),
+				"Failed to allocate arg_list struct");
+		tmp->usr_input = args;
+		*head = tmp;
+	} else {
+		while (tmp->next != NULL) {
+			tmp = tmp->next;
+		}
+		tmp->next = xzalloc(sizeof(struct arg_list),
+				"Failed to allocate arg_list struct");
+		tmp = tmp->next;
+		tmp->usr_input = args;
+	}
 }
 
 /*
@@ -116,7 +153,7 @@ static void cleanup(void)
  * load the file into it. Fill 'size' with the file size. Exit the program on
  * error.
  */
-static void load_file(const char *path, void **ptr, uint64_t *size)
+static void load_file(const char *path, void **ptr, uint32_t *size)
 {
 	FILE *f = fopen(path, "rb");
 	if (f == NULL) {
@@ -147,59 +184,40 @@ static void load_file(const char *path, void **ptr, uint64_t *size)
 	fclose(f);
 }
 
-static void load_sp_rd(char *path)
+/*
+ * Parse the string containing input payloads and fill in the
+ * SP Package data structure.
+ */
+static void load_sp_pm(char *path, struct sp_pkg_info **sp_out)
 {
+	struct sp_pkg_info *sp_pkg;
+
 	char *split_mark = strstr(path, ":");
 
 	*split_mark = '\0';
 
 	char *sp_path = path;
-	char *rd_path = split_mark + 1;
-
-	struct sp_entry_info *sp;
-
-	if (sp_info_head == NULL) {
-		sp_info_head = xzalloc(sizeof(struct sp_entry_info),
-			"Failed to allocate sp_entry_info struct");
-
-		sp = sp_info_head;
-	} else {
-		sp = sp_info_head;
-
-		while (sp->next != NULL) {
-			sp = sp->next;
-		}
-
-		sp->next = xzalloc(sizeof(struct sp_entry_info),
-			"Failed to allocate sp_entry_info struct");
+	char *pm_path = split_mark + 1;
 
-		sp = sp->next;
-	}
+	sp_pkg = xzalloc(sizeof(struct sp_pkg_info),
+		"Failed to allocate sp_pkg_info struct");
 
-	load_file(sp_path, &sp->sp_data, &sp->sp_size);
-	printf("Loaded image file %s (%lu bytes)\n", sp_path, sp->sp_size);
+	load_file(pm_path, &sp_pkg->pm_data, &sp_pkg->pm_size);
+	printf("\nLoaded SP Manifest file %s (%u bytes)\n", pm_path, sp_pkg->pm_size);
 
-	load_file(rd_path, &sp->rd_data, &sp->rd_size);
-	printf("Loaded RD file %s (%lu bytes)\n", rd_path, sp->rd_size);
+	load_file(sp_path, &sp_pkg->img_data, &sp_pkg->img_size);
+	printf("Loaded SP Image file %s (%u bytes)\n", sp_path, sp_pkg->img_size);
 
-	sp_count++;
+	*sp_out = sp_pkg;
 }
 
-static void output_write(const char *path)
+/*
+ * Write SP package data structure into output file.
+ */
+static void output_write(const char *path, struct sp_pkg_info *sp, bool header)
 {
-	struct sp_entry_info *sp;
-
-	if (sp_count == 0) {
-		fprintf(stderr, "error: At least one SP must be provided.\n");
-		exit(1);
-	}
-
-	/* The layout of the structs is specified in the header file sptool.h */
-
-	printf("Writing %lu partitions to output file.\n", sp_count);
-
-	unsigned int header_size = (sizeof(struct sp_pkg_header) * 8)
-				 + (sizeof(struct sp_pkg_entry) * 8 * sp_count);
+	struct sp_pkg_header sp_header_info;
+	unsigned int file_ptr = 0;
 
 	FILE *f = fopen(path, "wb");
 	if (f == NULL) {
@@ -207,70 +225,46 @@ static void output_write(const char *path)
 		exit(1);
 	}
 
-	unsigned int file_ptr = align_to(header_size, PAGE_SIZE);
-
-	/* First, save all partition images aligned to page boundaries */
-
-	sp = sp_info_head;
-
-	for (uint64_t i = 0; i < sp_count; i++) {
-		xfseek(f, file_ptr, SEEK_SET);
-
-		printf("Writing image %lu to offset 0x%x (0x%lx bytes)\n",
-		       i, file_ptr, sp->sp_size);
-
-		sp->sp_offset = file_ptr;
-		xfwrite(sp->sp_data, sp->sp_size, f);
-		file_ptr = align_to(file_ptr + sp->sp_size, PAGE_SIZE);
-		sp = sp->next;
+	/* Reserve Header size */
+	if (header) {
+		file_ptr = sizeof(struct sp_pkg_header);
 	}
 
-	/* Now, save resource description blobs aligned to 8 bytes */
+	/* Save partition manifest */
+	xfseek(f, file_ptr, SEEK_SET);
+	printf("Writing SP Manifest at offset 0x%x (%u bytes)\n",
+	       file_ptr, sp->pm_size);
 
-	sp = sp_info_head;
-
-	for (uint64_t i = 0; i < sp_count; i++) {
-		xfseek(f, file_ptr, SEEK_SET);
-
-		printf("Writing RD blob %lu to offset 0x%x (0x%lx bytes)\n",
-		       i, file_ptr, sp->rd_size);
-
-		sp->rd_offset = file_ptr;
-		xfwrite(sp->rd_data, sp->rd_size, f);
-		file_ptr = align_to(file_ptr + sp->rd_size, 8);
-		sp = sp->next;
-	}
+	sp->pm_offset = file_ptr;
+	xfwrite(sp->pm_data, sp->pm_size, f);
 
-	/* Finally, write header */
+	/* Save partition image aligned to Page size */
+	file_ptr = align_to((sp->pm_offset + sp->pm_size), PAGE_SIZE);
+	xfseek(f, file_ptr, SEEK_SET);
+	printf("Writing SP Image at offset 0x%x (%u bytes)\n",
+	       file_ptr, sp->img_size);
 
-	uint64_t version = 0x1;
-	uint64_t sp_num = sp_count;
+	sp->img_offset = file_ptr;
+	xfwrite(sp->img_data, sp->img_size, f);
 
-	xfseek(f, 0, SEEK_SET);
+	/* Finally, write header, if needed */
+	if (header) {
+		sp_header_info.magic = SECURE_PARTITION_MAGIC;
+		sp_header_info.version = 0x1;
+		sp_header_info.img_offset = sp->img_offset;
+		sp_header_info.img_size = sp->img_size;
+		sp_header_info.pm_offset = sp->pm_offset;
+		sp_header_info.pm_size = sp->pm_size;
 
-	xfwrite(&version, sizeof(uint64_t), f);
-	xfwrite(&sp_num, sizeof(uint64_t), f);
+		xfseek(f, 0, SEEK_SET);
 
-	sp = sp_info_head;
+		printf("Writing package header\n");
 
-	for (unsigned int i = 0; i < sp_count; i++) {
-
-		uint64_t sp_offset, sp_size, rd_offset, rd_size;
-
-		sp_offset = sp->sp_offset;
-		sp_size = align_to(sp->sp_size, PAGE_SIZE);
-		rd_offset = sp->rd_offset;
-		rd_size = sp->rd_size;
-
-		xfwrite(&sp_offset, sizeof(uint64_t), f);
-		xfwrite(&sp_size, sizeof(uint64_t), f);
-		xfwrite(&rd_offset, sizeof(uint64_t), f);
-		xfwrite(&rd_size, sizeof(uint64_t), f);
-
-		sp = sp->next;
+		xfwrite(&sp_header_info, sizeof(struct sp_pkg_header), f);
 	}
 
 	/* All information has been written now */
+	printf("\nsptool: Built Secure Partition blob %s\n", path);
 
 	fclose(f);
 }
@@ -286,30 +280,51 @@ static void usage(void)
 #endif
 	printf(" [<args>]\n\n");
 
-	printf("This tool takes as inputs several image binary files and the\n"
-	       "resource description blobs as input and generates a package\n"
-	       "file that contains them.\n\n");
+	printf("This tool takes as input set of image binary files and the\n"
+	       "partition manifest blobs as input and generates set of\n"
+	       "output package files\n"
+	       "Usage example: sptool -i sp1.bin:sp1.dtb -o sp1.pkg\n"
+	       "                      -i sp2.bin:sp2.dtb -o sp2.pkg ...\n\n");
 	printf("Commands supported:\n");
 	printf("  -o <path>            Set output file path.\n");
-	printf("  -i <sp_path:rd_path> Add Secure Partition image and Resource\n"
-	       "                       Description blob (specified in two paths\n"
+	printf("  -i <sp_path:pm_path> Add Secure Partition image and\n"
+	       "                       Manifest blob (specified in two paths\n"
 	       "                       separated by a colon).\n");
+	printf("  -n                   Generate package without header\n");
 	printf("  -h                   Show this message.\n");
 	exit(1);
 }
 
 int main(int argc, char *argv[])
 {
+	struct sp_pkg_info *sp_pkg = NULL;
+	struct arg_list *in_head = NULL;
+	struct arg_list *out_head = NULL;
+	struct arg_list *in_list = NULL;
+	struct arg_list *out_list = NULL;
+	unsigned int match_counter = 0;
+	bool need_header = true;
+
 	int ch;
-	const char *outname = NULL;
 
-	while ((ch = getopt(argc, argv, "hi:o:")) != -1) {
+	if (argc <= 1) {
+		fprintf(stderr, "error: File paths must be provided.\n\n");
+		usage();
+		return 1;
+	}
+
+	while ((ch = getopt(argc, argv, "hni:o:")) != -1) {
 		switch (ch) {
 		case 'i':
-			load_sp_rd(optarg);
+			append_user_input(&in_head, optarg);
+			match_counter++;
 			break;
 		case 'o':
-			outname = optarg;
+			append_user_input(&out_head, optarg);
+			match_counter--;
+			break;
+		case 'n':
+			need_header = false;
 			break;
 		case 'h':
 		default:
@@ -317,18 +332,29 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	argc -= optind;
-	argv += optind;
-
-	if (outname == NULL) {
-		fprintf(stderr, "error: An output file path must be provided.\n\n");
+	if (match_counter) {
+		fprintf(stderr, "error: Input/Output count mismatch.\n\n");
+		freelist(in_head);
+		freelist(out_head);
 		usage();
 		return 1;
 	}
 
-	output_write(outname);
+	in_list = in_head;
+	out_list = out_head;
+	while (in_list != NULL) {
+		load_sp_pm(in_list->usr_input, &sp_pkg);
+		output_write(out_list->usr_input, sp_pkg, need_header);
+		in_list = in_list->next;
+		out_list = out_list->next;
+	}
+
+	argc -= optind;
+	argv += optind;
 
-	cleanup();
+	cleanup(sp_pkg);
+	freelist(in_head);
+	freelist(out_head);
 
 	return 0;
 }