qemu: Add support for Trusted Board Boot
This patch adds support for TBB to qemu. An RSA ROT keypair is generated at
build time and is included into BL1/BL2. The key and content certificates
are read over semihosting.
Fixes ARM-software/tf-issues#526
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
diff --git a/plat/qemu/platform.mk b/plat/qemu/platform.mk
index ed197a1..2a7415f 100644
--- a/plat/qemu/platform.mk
+++ b/plat/qemu/platform.mk
@@ -13,6 +13,7 @@
$(eval $(call add_define,QEMU_LOAD_BL32))
endif
+PLAT_PATH := plat/qemu/
PLAT_INCLUDES := -Iinclude/plat/arm/common/ \
-Iinclude/plat/arm/common/aarch64/ \
-Iplat/qemu/include \
@@ -36,6 +37,51 @@
PLAT_BL_COMMON_SOURCES += ${XLAT_TABLES_LIB_SRCS}
endif
+ifneq (${TRUSTED_BOARD_BOOT},0)
+
+ include drivers/auth/mbedtls/mbedtls_crypto.mk
+ include drivers/auth/mbedtls/mbedtls_x509.mk
+
+ USE_TBBR_DEFS := 1
+
+ AUTH_SOURCES := drivers/auth/auth_mod.c \
+ drivers/auth/crypto_mod.c \
+ drivers/auth/img_parser_mod.c \
+ drivers/auth/tbbr/tbbr_cot.c
+
+ PLAT_INCLUDES += -Iinclude/bl1/tbbr
+
+ BL1_SOURCES += ${AUTH_SOURCES} \
+ bl1/tbbr/tbbr_img_desc.c \
+ plat/common/tbbr/plat_tbbr.c \
+ plat/qemu/qemu_trusted_boot.c \
+ $(PLAT_PATH)/qemu_rotpk.S
+
+ BL2_SOURCES += ${AUTH_SOURCES} \
+ plat/common/tbbr/plat_tbbr.c \
+ plat/qemu/qemu_trusted_boot.c \
+ $(PLAT_PATH)/qemu_rotpk.S
+
+ ROT_KEY = $(BUILD_PLAT)/rot_key.pem
+ ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin
+
+ $(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))
+
+ $(BUILD_PLAT)/bl1/qemu_rotpk.o: $(ROTPK_HASH)
+ $(BUILD_PLAT)/bl2/qemu_rotpk.o: $(ROTPK_HASH)
+
+ certificates: $(ROT_KEY)
+
+ $(ROT_KEY):
+ @echo " OPENSSL $@"
+ $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+
+ $(ROTPK_HASH): $(ROT_KEY)
+ @echo " OPENSSL $@"
+ $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ openssl dgst -sha256 -binary > $@ 2>/dev/null
+endif
+
BL1_SOURCES += drivers/io/io_semihosting.c \
drivers/io/io_storage.c \
drivers/io/io_fip.c \