ddr_tbbr.mk 3.8 KB

  1. #
  2. # Copyright 2021 NXP
  3. #
  4. # SPDX-License-Identifier: BSD-3-Clause
  5. #
  6. # This file defines the keys and certificates that must be created to establish
  7. # a Chain of Trust for the DDR FW. These definitions include the
  8. # command line options passed to the cert_create and fiptool commands for DDR FW.
  9. # A DDR FW key is used for signing the DDR Firmware. The DDR key is authenticated
  10. # by the Trusted World Key. Two content certificates are created:
  11. # For DDR RDIMM Images [ signed by DDR FW Key]
  12. # For DDR UDIMM Images [ signed by DDR FW Key]
  13. #
  14. # Expected environment:
  15. #
  16. # BUILD_PLAT: output directory
  17. #
  18. # Build options added by this file:
  19. #
  20. # KEY_ALG
  21. # KEY_SIZE
  22. # TRUSTED_WORLD_KEY
  23. # NON_TRUSTED_WORLD_KEY
  24. #
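  # Copy cert_create_tbbr.mk from ${PLAT_TOOL_PATH}/cert_create_helper into
  # ${PLAT_DIR} so that cert_create is able to create certificates for DDR.
  #
  # This is a parse-time shell call: the copy is repeated every time this file
  # is read, whichever goal was requested. The shell function does not stop make
  # when its command fails, so a failed copy is reported explicitly here;
  # otherwise the build would carry on with a missing or stale helper in
  # ${PLAT_DIR}. cp's own error text still goes to stderr as before.
  # The paths are quoted so a directory name containing spaces is not split into
  # several cp arguments.
  # NOTE(review): the copied file presumably steers how cert_create is built, so
  # PLAT_TOOL_PATH should only ever point at a trusted source tree - confirm.
  $(if $(shell cp "${PLAT_TOOL_PATH}/cert_create_helper/cert_create_tbbr.mk" "${PLAT_DIR}" || echo failed),\
    $(warning ddr_tbbr.mk: failed to copy cert_create_tbbr.mk into ${PLAT_DIR}))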
  # Default output path of the DDR FW key certificate.
  # NOTE(review): DDR_FW_CERT is not referenced again in the lines visible here.
  DDR_FW_CERT := $(BUILD_PLAT)/ddr_fw_key_cert.crt

  # Non-volatile counter defaults. ?= keeps any value the platform or the
  # command line has already provided.
  # NOTE(review): these counters presumably end up in the certificates as the
  # anti-rollback values, so a release build is expected to override the
  # default of 0 - confirm against the platform's rollback policy.
  TFW_NVCTR_VAL ?= 0
  NTFW_NVCTR_VAL ?= 0

  # Hand the trusted-firmware counter to cert_create through the DDR_-prefixed
  # option list. Only TFW_NVCTR_VAL is passed here; NTFW_NVCTR_VAL is defaulted
  # above but not used in the visible part of this file.
  $(eval $(call CERT_ADD_CMD_OPT,$(TFW_NVCTR_VAL),--tfw-nvctr,DDR_))
  # Fall back to a key file under the build output directory when the caller
  # has not supplied DDR_KEY. The assignment stays recursive (=), so BUILD_PLAT
  # is expanded at the point where DDR_KEY is used.
  # ddr.pem is private key material: keep the build output directory out of
  # anything that is published or shared.
  ifeq ($(DDR_KEY),)
    DDR_KEY = $(BUILD_PLAT)/ddr.pem
  endif
  # Trusted key certificate: reuse the one named by TRUSTED_KEY_CERT, or
  # register a new one under BUILD_PLAT when none was given.
  ifneq ($(TRUSTED_KEY_CERT),)
    # A certificate was supplied: it is only added to the DDR FIP arguments.
    # Nothing in these lines checks that it was issued under the intended root
    # of trust key; that is left to whoever supplies the file.
    $(info Using: Trusted key certificate as part of DDR cert creation)
    DDR_FIP_ARGS += --trusted-key-cert $(TRUSTED_KEY_CERT)
  else
    # No certificate supplied: default the path and register it as a payload
    # twice, once without a prefix and once with the DDR_ prefix.
    $(info Generating: Trusted key certificate as part of DDR cert creation)
    TRUSTED_KEY_CERT := $(BUILD_PLAT)/trusted_key.crt
    $(eval $(call TOOL_ADD_PAYLOAD,$(TRUSTED_KEY_CERT),--trusted-key-cert,))
    $(eval $(call TOOL_ADD_PAYLOAD,$(TRUSTED_KEY_CERT),--trusted-key-cert,,DDR_))
  endif
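  # Forward the key and algorithm build options to cert_create, each one only
  # when it is non-empty. The *_KEY options name private key files: they are
  # handed to cert_create and are NOT packed in the FIP. Developers can use
  # their own keys by setting the matching build option on the command line
  # when building the Trusted Firmware.
  # NOTE(review): an option left empty is simply not passed, so cert_create's
  # own default presumably applies - set KEY_ALG, KEY_SIZE and HASH_ALG
  # explicitly when a build has to meet a specific algorithm policy.
  $(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg,DDR_)))
  $(if ${KEY_SIZE},$(eval $(call CERT_ADD_CMD_OPT,${KEY_SIZE},--key-size,DDR_)))
  $(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg,DDR_)))
  $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,DDR_)))
  $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key,DDR_)))
  # The prefix is written without a leading space: call keeps leading
  # whitespace in its arguments, so ", DDR_" would hand the macro " DDR_"
  # instead of the "DDR_" every other call in this file passes.
  $(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key,DDR_)))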
  # DDR chain of trust: the DDR FW key, its key certificate and one content
  # certificate per DIMM type (UDIMM and RDIMM).
  # DDR_KEY is given a non-empty default earlier in this file, so the guard on
  # the first line is expected to hold.
  $(if $(DDR_KEY),$(eval $(call CERT_ADD_CMD_OPT,$(DDR_KEY),--ddr-fw-key,DDR_)))
  # NOTE(review): the key certificate registered here is ddr_fw_key.crt, while
  # DDR_FW_CERT earlier in this file names ddr_fw_key_cert.crt - confirm which
  # file name the rest of the build expects.
  $(eval $(call TOOL_ADD_PAYLOAD,$(BUILD_PLAT)/ddr_fw_key.crt,--ddr-fw-key-cert,,DDR_))
  $(eval $(call TOOL_ADD_PAYLOAD,$(BUILD_PLAT)/ddr_udimm_fw_content.crt,--ddr-udimm-fw-cert,,DDR_))
  $(eval $(call TOOL_ADD_PAYLOAD,$(BUILD_PLAT)/ddr_rdimm_fw_content.crt,--ddr-rdimm-fw-cert,,DDR_))

  # UDIMM firmware images (IMEM and DMEM, 1D and 2D).
  $(eval $(call TOOL_ADD_IMG,DDR_IMEM_UDIMM_1D,--ddr-immem-udimm-1d,DDR_))
  $(eval $(call TOOL_ADD_IMG,DDR_IMEM_UDIMM_2D,--ddr-immem-udimm-2d,DDR_))
  $(eval $(call TOOL_ADD_IMG,DDR_DMEM_UDIMM_1D,--ddr-dmmem-udimm-1d,DDR_))
  $(eval $(call TOOL_ADD_IMG,DDR_DMEM_UDIMM_2D,--ddr-dmmem-udimm-2d,DDR_))

  # RDIMM firmware images (IMEM and DMEM, 1D and 2D).
  $(eval $(call TOOL_ADD_IMG,DDR_IMEM_RDIMM_1D,--ddr-immem-rdimm-1d,DDR_))
  $(eval $(call TOOL_ADD_IMG,DDR_IMEM_RDIMM_2D,--ddr-immem-rdimm-2d,DDR_))
  $(eval $(call TOOL_ADD_IMG,DDR_DMEM_RDIMM_1D,--ddr-dmmem-rdimm-1d,DDR_))
  $(eval $(call TOOL_ADD_IMG,DDR_DMEM_RDIMM_2D,--ddr-dmmem-rdimm-2d,DDR_))

  # The DDR FIP additionally depends on ddr_certificates, which is not defined
  # in the visible part of this file.
  DDR_FIP_DEPS += ddr_certificates
  # TBB flags common to every cert_create run for DDR.
  # Each test is "not equal to 0", so a variable that is unset or empty also
  # enables its flag. NOTE(review): the defaults for GENERATE_COT, CREATE_KEYS
  # and SAVE_KEYS are presumably set elsewhere in the build - confirm.
  # Per cert_create's usage text, -n requests generation of new keys and -k
  # saves them to the key files; verify against the tool version in use.
  # With -k the private keys are written to disk (DDR_KEY defaults to a path
  # under BUILD_PLAT), so access to the build output has to be controlled.
  ifneq ($(GENERATE_COT),0)
    ifneq ($(CREATE_KEYS),0)
      DDR_CRT_ARGS += -n
      ifneq ($(SAVE_KEYS),0)
        DDR_CRT_ARGS += -k
      endif
    endif
  endif