author | Sumit Garg <sumit.garg@linaro.org> | 2019-11-14 16:33:45 +0530 |
---|---|---|
committer | Sumit Garg <sumit.garg@linaro.org> | 2020-03-06 16:40:37 +0530 |
commit | c6ba9b4547b58d16b5e0f4ec331ff4422b1f1d66 (patch) | |
tree | e0d5a3d7867390e5f58f422008aae05642f9ea53 /Makefile | |
parent | 90aa901fc1154d2b12aa8d838ef71be47ba3cd07 (diff) | |
download | arm-trusted-firmware-c6ba9b4547b58d16b5e0f4ec331ff4422b1f1d66.tar.gz |
Makefile: Add support to optionally encrypt BL31 and BL32
The following build flags have been added to support optional firmware
encryption:
- FW_ENC_STATUS: Top level firmware's encryption numeric flag, values:
0: Encryption is done with Secret Symmetric Key (SSK) which is
common for a class of devices.
1: Encryption is done with Binding Secret Symmetric Key (BSSK) which
is unique per device.
- ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It
could be SSK or BSSK depending on FW_ENC_STATUS flag.
- ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector
(IV) in hex string format.
- ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware.
- ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload.
Similar flags can be added to encrypt other firmwares as well depending
on use-cases.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I94374d6830ad5908df557f63823e58383d8ad670
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -159,6 +159,14 @@ else endif endif +ifneq (${DECRYPTION_SUPPORT},none) +ENC_ARGS += -f ${FW_ENC_STATUS} +ENC_ARGS += -k ${ENC_KEY} +ENC_ARGS += -n ${ENC_NONCE} +FIP_DEPS += enctool +FWU_FIP_DEPS += enctool +endif + ################################################################################ # Toolchain ################################################################################ @@ -826,10 +834,13 @@ $(eval $(call assert_boolean,BL2_AT_EL3)) $(eval $(call assert_boolean,BL2_IN_XIP_MEM)) $(eval $(call assert_boolean,BL2_INV_DCACHE)) $(eval $(call assert_boolean,USE_SPINLOCK_CAS)) +$(eval $(call assert_boolean,ENCRYPT_BL31)) +$(eval $(call assert_boolean,ENCRYPT_BL32)) $(eval $(call assert_numeric,ARM_ARCH_MAJOR)) $(eval $(call assert_numeric,ARM_ARCH_MINOR)) $(eval $(call assert_numeric,BRANCH_PROTECTION)) +$(eval $(call assert_numeric,FW_ENC_STATUS)) ifdef KEY_SIZE $(eval $(call assert_numeric,KEY_SIZE)) @@ -867,6 +878,8 @@ $(eval $(call add_define,ENABLE_PSCI_STAT)) $(eval $(call add_define,ENABLE_RUNTIME_INSTRUMENTATION)) $(eval $(call add_define,ENABLE_SPE_FOR_LOWER_ELS)) $(eval $(call add_define,ENABLE_SVE_FOR_NS)) +$(eval $(call add_define,ENCRYPT_BL31)) +$(eval $(call add_define,ENCRYPT_BL32)) $(eval $(call add_define,ERROR_DEPRECATED)) $(eval $(call add_define,FAULT_INJECTION_SUPPORT)) $(eval $(call add_define,GICV2_G0_FOR_EL3)) @@ -987,9 +1000,14 @@ endif ifeq (${NEED_BL31},yes) BL31_SOURCES += ${SPD_SOURCES} +ifneq (${DECRYPTION_SUPPORT},none) +$(if ${BL31}, $(eval $(call TOOL_ADD_IMG,bl31,--soc-fw,,$(ENCRYPT_BL31))),\ + $(eval $(call MAKE_BL,31,soc-fw,,$(ENCRYPT_BL31)))) +else $(if ${BL31}, $(eval $(call TOOL_ADD_IMG,bl31,--soc-fw)),\ $(eval $(call MAKE_BL,31,soc-fw))) endif +endif # If a BL32 image is needed but neither BL32 nor BL32_SOURCES is defined, the # build system will call TOOL_ADD_IMG to print a warning message and abort the 
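Review bot: In the first hunk's `ifneq (${DECRYPTION_SUPPORT},none)` block, `ENC_KEY` and `ENC_NONCE` are appended to `ENC_ARGS` with no check that they are set or match the documented 32-byte and 12-byte hex lengths; only `FW_ENC_STATUS` gets an assertion further down. Unless defaults and validation live in a file outside this diff, an empty `ENC_KEY` would presumably leave `-k` to consume the following `-n`, so a guard such as `$(if $(strip ${ENC_KEY}),,$(error ENC_KEY must be set when DECRYPTION_SUPPORT is enabled))` (and the same for `ENC_NONCE`) belongs inside this block. The key is also passed as a plain command-line argument, so it is likely to show up in verbose build output and CI logs; a comment such as `# ENC_KEY is passed on the tool command line: keep production keys out of shared build logs` would warn integrators.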
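Review bot: In the assertion hunk, `$(eval $(call assert_numeric,FW_ENC_STATUS))` accepts any number, while the commit message documents only 0 (SSK) and 1 (BSSK), and the value is forwarded to the tool through `-f ${FW_ENC_STATUS}`. A stricter check next to it, e.g. `$(if $(filter 0 1,${FW_ENC_STATUS}),,$(error FW_ENC_STATUS must be 0 or 1))`, would reject a mistyped key-selection flag at build time rather than leaving it to the tool or the boot-time decryption path. The assertion is also evaluated when `DECRYPTION_SUPPORT` is `none`, so it depends on `FW_ENC_STATUS` having a default defined outside this diff.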
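Review bot: In the `NEED_BL31` hunk, the `else` branch taken when `DECRYPTION_SUPPORT` is `none` ignores `ENCRYPT_BL31` entirely, so a build with `ENCRYPT_BL31=1` but no decryption support quietly packages a plaintext BL31 while `add_define` still exports `ENCRYPT_BL31=1`. Unless that combination is rejected in a file outside this diff, it should fail the build instead of failing open, e.g. `$(if $(filter 1,${ENCRYPT_BL31}),$(error ENCRYPT_BL31=1 requires DECRYPTION_SUPPORT to be enabled))` at the top of the `else` branch. The `NEED_BL32` hunk that follows has the same gap for `ENCRYPT_BL32`.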
@@ -998,9 +1016,14 @@ ifeq (${NEED_BL32},yes) BUILD_BL32 := $(if $(BL32),,$(if $(BL32_SOURCES),1)) +ifneq (${DECRYPTION_SUPPORT},none) +$(if ${BUILD_BL32}, $(eval $(call MAKE_BL,32,tos-fw,,$(ENCRYPT_BL32))),\ + $(eval $(call TOOL_ADD_IMG,bl32,--tos-fw,,$(ENCRYPT_BL32)))) +else $(if ${BUILD_BL32}, $(eval $(call MAKE_BL,32,tos-fw)),\ $(eval $(call TOOL_ADD_IMG,bl32,--tos-fw))) endif +endif # Add the BL33 image if required by the platform ifeq (${NEED_BL33},yes) |
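Review bot: With this hunk BL32 becomes a second image that can be encrypted under the single `ENC_KEY`/`ENC_NONCE` pair collected in `ENC_ARGS`, and nothing in the Makefile derives a per-image nonce. If the `MAKE_BL`/`TOOL_ADD_IMG` helpers hand the same `ENC_ARGS` to the encryption tool for every image (they are outside this diff), BL31 and BL32 share a key and nonce, which for a nonce-based cipher mode undermines both the confidentiality and the integrity protection of the images. The same holds for successive releases built with an unchanged `ENC_NONCE`. At minimum add a comment above the `ifneq`, e.g. `# NOTE: all encrypted images share ENC_KEY/ENC_NONCE; supply a fresh nonce per image and per release`, and consider per-image nonce variables.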