FWU: Add support for `fwu_fip` target
Firmware update feature needs a new FIP called `fwu_fip.bin` that
includes Secure(SCP_BL2U, BL2U) and Normal world(NS_BL2U) images
along with the FWU_CERT certificate in order for NS_BL1U to load
the images and help the Firmware update process to complete.
This patch adds the capability to support the new target `fwu_fip`
which includes above mentioned FWU images in the make files.
The new target of `fwu_fip` and its dependencies are included for
compilation only when `TRUSTED_BOARD_BOOT` is defined.
Change-Id: Ie780e3aac6cbd0edfaff3f9af96a2332bd69edbc
diff --git a/Makefile b/Makefile
index 9ecbb5b..ae9b41b 100644
--- a/Makefile
+++ b/Makefile
@@ -76,6 +76,8 @@
PSCI_EXTENDED_STATE_ID := 0
# Default FIP file name
FIP_NAME := fip.bin
+# Default FWU_FIP file name
+FWU_FIP_NAME := fwu_fip.bin
# By default, use the -pedantic option in the gcc command line
DISABLE_PEDANTIC := 0
# Flags to generate the Chain of Trust
@@ -150,6 +152,7 @@
# target 'certificates' to create them all
ifneq (${GENERATE_COT},0)
FIP_DEPS += certificates
+ FWU_FIP_DEPS += fwu_certificates
endif
@@ -321,8 +324,10 @@
# Common cert_create options
ifneq (${CREATE_KEYS},0)
$(eval CRT_ARGS += -n)
+ $(eval FWU_CRT_ARGS += -n)
ifneq (${SAVE_KEYS},0)
$(eval CRT_ARGS += -k)
+ $(eval FWU_CRT_ARGS += -k)
endif
endif
# Include TBBR makefile (unless the platform indicates otherwise)
@@ -429,7 +434,7 @@
# Build targets
################################################################################
-.PHONY: all msg_start clean realclean distclean cscope locate-checkpatch checkcodebase checkpatch fiptool fip certtool
+.PHONY: all msg_start clean realclean distclean cscope locate-checkpatch checkcodebase checkpatch fiptool fip fwu_fip certtool
.SUFFIXES:
all: msg_start
@@ -536,8 +541,24 @@
@echo "Built $@ successfully"
@echo
+ifneq (${GENERATE_COT},0)
+fwu_certificates: ${FWU_CRT_DEPS} ${CRTTOOL}
+ ${Q}${CRTTOOL} ${FWU_CRT_ARGS}
+ @echo
+ @echo "Built $@ successfully"
+ @echo "FWU certificates can be found in ${BUILD_PLAT}"
+ @echo
+endif
+
+${BUILD_PLAT}/${FWU_FIP_NAME}: ${FWU_FIP_DEPS} ${FIPTOOL}
+ ${Q}${FIPTOOL} --dump ${FWU_FIP_ARGS} $@
+ @echo
+ @echo "Built $@ successfully"
+ @echo
+
fiptool: ${FIPTOOL}
fip: ${BUILD_PLAT}/${FIP_NAME}
+fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
.PHONY: ${FIPTOOL}
${FIPTOOL}:
@@ -568,6 +589,7 @@
@echo " bl32 Build the BL3-2 binary"
@echo " certificates Build the certificates (requires 'GENERATE_COT=1')"
@echo " fip Build the Firmware Image Package (FIP)"
+ @echo " fwu_fip Build the FWU Firmware Image Package (FIP)"
@echo " checkcodebase Check the coding style of the entire source tree"
@echo " checkpatch Check the coding style on changes in the current"
@echo " branch against BASE_COMMIT (default origin/master)"
diff --git a/make_helpers/build_macros.mk b/make_helpers/build_macros.mk
index 3624ff6..08cb4b1 100644
--- a/make_helpers/build_macros.mk
+++ b/make_helpers/build_macros.mk
@@ -98,7 +98,7 @@
$(eval $(if $(3),FIP_DEPS += $(3)))
endef
-# CERT_ADD_CMD_OPT adds a new command line option to the cert_create invokation
+# CERT_ADD_CMD_OPT adds a new command line option to the cert_create invocation
# $(1) = parameter filename
# $(2) = cert_create command line option for the specified parameter
# $(3) = input parameter (false if empty)
@@ -123,6 +123,38 @@
$$(if $(value $(1)),,$$(error "Platform '${PLAT}' requires $(1). Please set $(1) to point to the right file"))
endef
+# FWU_FIP_ADD_PAYLOAD appends the command line arguments required by the FIP tool
+# to package a new FWU payload. Optionally, it adds the dependency on this payload
+# $(1) = payload filename (e.g. ns_bl2u.bin)
+# $(2) = command line option for the specified payload (e.g. --ns_bl2u)
+# $(3) = fip target dependency (optional) (e.g. ns_bl2u)
+define FWU_FIP_ADD_PAYLOAD
+ $(eval $(if $(3),FWU_FIP_DEPS += $(3)))
+ $(eval FWU_FIP_ARGS += $(2) $(1))
+endef
+
+# FWU_CERT_ADD_CMD_OPT adds a new command line option to the cert_create invocation
+# $(1) = parameter filename
+# $(2) = cert_create command line option for the specified parameter
+# $(3) = input parameter (false if empty)
+define FWU_CERT_ADD_CMD_OPT
+ $(eval $(if $(3),FWU_CRT_DEPS += $(1)))
+ $(eval FWU_CRT_ARGS += $(2) $(1))
+endef
+
+# FWU_FIP_ADD_IMG allows the platform to pack a binary image in the FWU FIP
+# $(1) build option to specify the image filename (BL2U, NS_BL2U, etc)
+# $(2) command line option for the fip_create tool (bl2u, ns_bl2u, etc)
+# Example:
+# $(eval $(call FWU_FIP_ADD_IMG,BL2U,--bl2u))
+define FWU_FIP_ADD_IMG
+ FWU_CRT_DEPS += check_$(1)
+ FWU_FIP_DEPS += check_$(1)
+ $(call FWU_FIP_ADD_PAYLOAD,$(value $(1)),$(2))
+
+check_$(1):
+ $$(if $(value $(1)),,$$(error "Platform '${PLAT}' requires $(1). Please set $(1) to point to the right file"))
+endef
################################################################################
# Auxiliary macros to build TF images from sources
diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index d40f66a..bf0d296 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -56,16 +56,22 @@
# Certificate generation tool default parameters
TRUSTED_KEY_CERT := ${BUILD_PLAT}/trusted_key.crt
+FWU_CERT := ${BUILD_PLAT}/fwu_cert.crt
# Add Trusted Key certificate to the fip_create and cert_create command line options
$(eval $(call FIP_ADD_PAYLOAD,${TRUSTED_KEY_CERT},--trusted-key-cert))
$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_KEY_CERT},--trusted-key-cert))
+# Add fwu certificate to the fip_create and cert_create command line options
+$(eval $(call FWU_FIP_ADD_PAYLOAD,${FWU_CERT},--fwu-cert))
+$(eval $(call FWU_CERT_ADD_CMD_OPT,${FWU_CERT},--fwu-cert))
+
# Add the keys to the cert_create command line options (private keys are NOT
# packed in the FIP). Developers can use their own keys by specifying the proper
# build option in the command line when building the Trusted Firmware
$(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
+$(if ${ROT_KEY},$(eval $(call FWU_CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))
$(if ${NON_TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${NON_TRUSTED_WORLD_KEY},--non-trusted-world-key)))
@@ -116,7 +122,15 @@
endif
# Add the BL2U image
-ifeq (${NEED_BL2U},yes)
- $(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u)),\
- $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u)))
+$(if ${BL2U},$(eval $(call FWU_CERT_ADD_CMD_OPT,${BL2U},--bl2u,true)),\
+ $(eval $(call FWU_CERT_ADD_CMD_OPT,$(call IMG_BIN,2u),--bl2u,true)))
+
+# Add the SCP_BL2U image
+ifneq (${SCP_BL2U},)
+ $(eval $(call FWU_CERT_ADD_CMD_OPT,${SCP_BL2U},--scp_bl2u,true))
+endif
+
+# Add the NS_BL2U image
+ifneq (${NS_BL2U},)
+ $(eval $(call FWU_CERT_ADD_CMD_OPT,${NS_BL2U},--ns_bl2u,true))
endif
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 2d4e08c..4ac12d9 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -140,6 +140,8 @@
BL2_SOURCES += ${AUTH_SOURCES}
+ $(eval $(call FWU_FIP_ADD_IMG,NS_BL2U,--ns_bl2u))
+
MBEDTLS_KEY_ALG := ${KEY_ALG}
# We expect to locate the *.mk files under the directories specified below
diff --git a/plat/arm/css/common/css_common.mk b/plat/arm/css/common/css_common.mk
index 1612541..49fedc3 100644
--- a/plat/arm/css/common/css_common.mk
+++ b/plat/arm/css/common/css_common.mk
@@ -51,6 +51,9 @@
plat/arm/css/common/css_scpi.c \
plat/arm/css/common/css_topology.c
+ifneq (${TRUSTED_BOARD_BOOT},0)
+$(eval $(call FWU_FIP_ADD_IMG,SCP_BL2U,--scp_bl2u))
+endif
ifneq (${RESET_TO_BL31},0)
$(error "Using BL3-1 as the reset vector is not supported on CSS platforms. \