feat(test-configs): add a test config to exercise TF-A's SAVE_KEYS feature

Add a new run config which generates boot certificates and keys, and
saves the latter on the disk.

This is the first test config to leverage TF-A's SAVE_KEYS feature,
which requests the certificate generation tool to save private keys in
PEM format in files, whose names are specified through *_KEY build
options (e.g. BL31_KEY).

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I41ed741ef107d8ea638276678521e953b4726b78
diff --git a/group/tf-l1-build-plat/fvp-tbb-mbedtls:certificates.keys b/group/tf-l1-build-plat/fvp-tbb-mbedtls:certificates.keys
new file mode 100644
index 0000000..8c2d647
--- /dev/null
+++ b/group/tf-l1-build-plat/fvp-tbb-mbedtls:certificates.keys
@@ -0,0 +1,5 @@
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
diff --git a/run_config/certificates.keys b/run_config/certificates.keys
new file mode 100644
index 0000000..6ae7181
--- /dev/null
+++ b/run_config/certificates.keys
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+# This run fragment is used to generate boot certificates and key files.
+
+post_tf_build() {
+	local bl31_key_file="${workspace}/bl31-key.pem"
+	local bl32_key_file="${workspace}/bl32-key.pem"
+	local bl33_key_file="${workspace}/bl33-key.pem"
+	local trusted_key_file="${workspace}/trusted-private-key.pem"
+	local non_trusted_key_file="${workspace}/non-trusted-private-key.pem"
+
+	local key_files=(
+		"$bl31_key_file"
+		"$bl33_key_file"
+		"$trusted_key_file"
+		"$non_trusted_key_file"
+	)
+
+	# BL32 key only gets generated if building TF-A with an SPD.
+	if upon "$(get_tf_opt SPD)"; then
+	    key_files+=("$bl32_key_file")
+	fi
+
+	# Generate the boot certificates and key files.
+	#
+	# Note that even if we do not generate a FIP, TF-A build system still
+	# demands a BL33 image so provide a dummy one.
+	tf_extra_rules="certificates" build_tf_extra		\
+		BL33="$(mktempfile)"				\
+		GENERATE_COT=1					\
+		CREATE_KEYS=1					\
+		SAVE_KEYS=1					\
+		BL31_KEY="$bl31_key_file"			\
+		BL32_KEY="$bl32_key_file"			\
+		BL33_KEY="$bl33_key_file"			\
+		TRUSTED_WORLD_KEY="$trusted_key_file"		\
+		NON_TRUSTED_WORLD_KEY="$non_trusted_key_file"	\
+
+
+	echo "Checking that the keys got correctly generated and saved..."
+
+	for i in "${!key_files[@]}"; do
+		# A valid private key file in PEM format starts with:
+		# -----BEGIN PRIVATE KEY-----
+		grep -q 'BEGIN PRIVATE KEY' "${key_files[$i]}" || \
+			(echo "Key file \"${key_files[$i]}\" is incorrect." && exit 1)
+	done
+
+	echo "All keys verified."
+}