feat(test-configs): add a test config to exercise TF-A's SAVE_KEYS feature
Add a new run config which generates boot certificates and keys, and
saves the latter on the disk.
This is the first test config to leverage TF-A's SAVE_KEYS feature,
which requests the certificate generation tool to save the generated
private keys, in PEM format, to files whose names are specified through
the *_KEY build options (e.g. BL31_KEY).
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I41ed741ef107d8ea638276678521e953b4726b78
diff --git a/group/tf-l1-build-plat/fvp-tbb-mbedtls:certificates.keys b/group/tf-l1-build-plat/fvp-tbb-mbedtls:certificates.keys
new file mode 100644
index 0000000..8c2d647
--- /dev/null
+++ b/group/tf-l1-build-plat/fvp-tbb-mbedtls:certificates.keys
@@ -0,0 +1,5 @@
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
diff --git a/run_config/certificates.keys b/run_config/certificates.keys
new file mode 100644
index 0000000..6ae7181
--- /dev/null
+++ b/run_config/certificates.keys
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+# This run fragment is used to generate boot certificates and key files.
+
+post_tf_build() {
+ local bl31_key_file="${workspace}/bl31-key.pem"
+ local bl32_key_file="${workspace}/bl32-key.pem"
+ local bl33_key_file="${workspace}/bl33-key.pem"
+ local trusted_key_file="${workspace}/trusted-private-key.pem"
+ local non_trusted_key_file="${workspace}/non-trusted-private-key.pem"
+
+ local key_files=(
+ "$bl31_key_file"
+ "$bl33_key_file"
+ "$trusted_key_file"
+ "$non_trusted_key_file"
+ )
+
+ # BL32 key only gets generated if building TF-A with an SPD.
+ if upon "$(get_tf_opt SPD)"; then
+ key_files+=("$bl32_key_file")
+ fi
+
+ # Generate the boot certificates and key files.
+ #
+ # Note that even if we do not generate a FIP, TF-A build system still
+ # demands a BL33 image so provide a dummy one.
+ tf_extra_rules="certificates" build_tf_extra \
+ BL33="$(mktempfile)" \
+ GENERATE_COT=1 \
+ CREATE_KEYS=1 \
+ SAVE_KEYS=1 \
+ BL31_KEY="$bl31_key_file" \
+ BL32_KEY="$bl32_key_file" \
+ BL33_KEY="$bl33_key_file" \
+ TRUSTED_WORLD_KEY="$trusted_key_file" \
+ NON_TRUSTED_WORLD_KEY="$non_trusted_key_file" \
+
+
+ echo "Checking that the keys got correctly generated and saved..."
+
+ for i in "${!key_files[@]}"; do
+ # A valid private key file in PEM format starts with:
+ # -----BEGIN PRIVATE KEY-----
+ grep -q 'BEGIN PRIVATE KEY' "${key_files[$i]}" || \
+ (echo "Key file \"${key_files[$i]}\" is incorrect." && exit 1)
+ done
+
+ echo "All keys verified."
+}
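Review bot: The verification loop at the end of `post_tf_build` can never fail the run, because the `exit 1` after the `grep -q` check sits inside a `( ... )` subshell, so only the subshell exits; the loop carries on, "All keys verified." is printed and the function returns 0 even when a key file is missing or malformed. Use a brace group instead so the failure propagates, e.g. `grep -q 'BEGIN PRIVATE KEY' "${key_files[$i]}" || {` / `    echo "Key file \"${key_files[$i]}\" is incorrect." >&2; exit 1` / `}` (or `return 1` if the caller is expected to handle it). As a smaller point, the pattern only matches PKCS#8 `-----BEGIN PRIVATE KEY-----`; if the certificate tool ever writes traditional `BEGIN RSA/EC PRIVATE KEY` headers this check would report a false failure, so a short comment stating that PKCS#8 output is expected would help the next reader — I cannot confirm the tool's output format from this patch. The trailing `\` on the `NON_TRUSTED_WORLD_KEY` line followed by a blank line also reads as an accidental continuation; dropping that backslash makes the end of the `build_tf_extra` invocation explicit.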