Merge changes from topic "sp_secure_boot" into integration

* changes:
  dualroot: add chain of trust for secure partitions
  sptool: append cert_tool arguments.
  cert_create: add SiP owned secure partitions support

Makefile

@@ -1012,6 +1012,7 @@ ifdef SP_LAYOUT_FILE
         endif
         -include $(BUILD_PLAT)/sp_gen.mk
         FIP_DEPS += sp
+        CRT_DEPS += sp
         NEED_SP_PKG := yes
 else
         ifeq (${SPMD_SPM_AT_SEL2},1)

drivers/auth/dualroot/cot.c

@@ -30,6 +30,9 @@ static unsigned char tos_fw_extra2_hash_buf[HASH_DER_LEN];
 static unsigned char soc_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char tos_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
+#if defined(SPD_spmd)
+static unsigned char sp_pkg_hash_buf[MAX_SP_IDS][HASH_DER_LEN];
+#endif /* SPD_spmd */
 
 static unsigned char trusted_world_pk_buf[PK_DER_LEN];
 static unsigned char content_pk_buf[PK_DER_LEN];
@@ -97,6 +100,24 @@ static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
 static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
 		AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
+#if defined(SPD_spmd)
+static auth_param_type_desc_t sp_pkg1_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG1_HASH_OID);
+static auth_param_type_desc_t sp_pkg2_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG2_HASH_OID);
+static auth_param_type_desc_t sp_pkg3_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG3_HASH_OID);
+static auth_param_type_desc_t sp_pkg4_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG4_HASH_OID);
+static auth_param_type_desc_t sp_pkg5_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG5_HASH_OID);
+static auth_param_type_desc_t sp_pkg6_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG6_HASH_OID);
+static auth_param_type_desc_t sp_pkg7_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG7_HASH_OID);
+static auth_param_type_desc_t sp_pkg8_hash = AUTH_PARAM_TYPE_DESC(
+		AUTH_PARAM_HASH, SP_PKG8_HASH_OID);
+#endif /* SPD_spmd */
 #endif /* IMAGE_BL2 */
 
 
@@ -642,6 +663,102 @@ static const auth_img_desc_t nt_fw_config = {
 	}
 };
 
+/*
+ * Secure Partitions
+ */
+#if defined(SPD_spmd)
+static const auth_img_desc_t sp_content_cert = {
+	.img_id = SP_CONTENT_CERT_ID,
+	.img_type = IMG_CERT,
+	.parent = &trusted_key_cert,
+	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+		[0] = {
+			.type = AUTH_METHOD_SIG,
+			.param.sig = {
+				.pk = &trusted_world_pk,
+				.sig = &sig,
+				.alg = &sig_alg,
+				.data = &raw_data
+			}
+		},
+		[1] = {
+			.type = AUTH_METHOD_NV_CTR,
+			.param.nv_ctr = {
+				.cert_nv_ctr = &trusted_nv_ctr,
+				.plat_nv_ctr = &trusted_nv_ctr
+			}
+		}
+	},
+	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+		[0] = {
+			.type_desc = &sp_pkg1_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[0],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[1] = {
+			.type_desc = &sp_pkg2_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[1],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[2] = {
+			.type_desc = &sp_pkg3_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[2],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[3] = {
+			.type_desc = &sp_pkg4_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[3],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[4] = {
+			.type_desc = &sp_pkg5_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[4],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[5] = {
+			.type_desc = &sp_pkg6_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[5],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[6] = {
+			.type_desc = &sp_pkg7_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[6],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		},
+		[7] = {
+			.type_desc = &sp_pkg8_hash,
+			.data = {
+				.ptr = (void *)sp_pkg_hash_buf[7],
+				.len = (unsigned int)HASH_DER_LEN
+			}
+		}
+	}
+};
+
+DEFINE_SP_PKG(1);
+DEFINE_SP_PKG(2);
+DEFINE_SP_PKG(3);
+DEFINE_SP_PKG(4);
+DEFINE_SP_PKG(5);
+DEFINE_SP_PKG(6);
+DEFINE_SP_PKG(7);
+DEFINE_SP_PKG(8);
+#endif /* SPD_spmd */
+
 #else  /* IMAGE_BL2 */
 
 /* FWU auth descriptor */
@@ -769,6 +886,17 @@ static const auth_img_desc_t * const cot_desc[] = {
 	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
 	[BL33_IMAGE_ID]				=	&bl33_image,
 	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID]			=	&sp_content_cert,
+	[SP_CONTENT_CERT_ID + 1]		=	&sp_pkg1,
+	[SP_CONTENT_CERT_ID + 2]		=	&sp_pkg2,
+	[SP_CONTENT_CERT_ID + 3]		=	&sp_pkg3,
+	[SP_CONTENT_CERT_ID + 4]		=	&sp_pkg4,
+	[SP_CONTENT_CERT_ID + 5]		=	&sp_pkg5,
+	[SP_CONTENT_CERT_ID + 6]		=	&sp_pkg6,
+	[SP_CONTENT_CERT_ID + 7]		=	&sp_pkg7,
+	[SP_CONTENT_CERT_ID + 8]		=       &sp_pkg8,
+#endif
 };
 #endif
 

include/common/tbbr/cot_def.h

@@ -8,8 +8,11 @@
 #define COT_DEF_H
 
 /* TBBR CoT definitions */
-
+#if defined(SPD_spmd)
+#define COT_MAX_VERIFIED_PARAMS		8
+#else
 #define COT_MAX_VERIFIED_PARAMS		4
+#endif
 
 /*
  * Maximum key and hash sizes (in DER format).

include/common/tbbr/tbbr_img_def.h

@@ -9,4 +9,12 @@
 
 #include <export/common/tbbr/tbbr_img_def_exp.h>
 
+#if defined(SPD_spmd)
+#define SP_CONTENT_CERT_ID		MAX_IMAGE_IDS
+#define MAX_SP_IDS			U(8)
+#define MAX_NUMBER_IDS			(MAX_IMAGE_IDS + MAX_SP_IDS + U(1))
+#else
+#define MAX_NUMBER_IDS			MAX_IMAGE_IDS
+#endif
+
 #endif /* TBBR_IMG_DEF_H */

include/drivers/auth/auth_mod.h

@@ -50,6 +50,24 @@ extern const auth_img_desc_t *const *const cot_desc_ptr;
 extern const size_t cot_desc_size;
 extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
 
+#if defined(SPD_spmd)
+#define DEFINE_SP_PKG(n) \
+	static const auth_img_desc_t sp_pkg##n = { \
+		.img_id = SP_CONTENT_CERT_ID + (n), \
+		.img_type = IMG_RAW, \
+		.parent = &sp_content_cert, \
+		.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
+			[0] = { \
+				.type = AUTH_METHOD_HASH, \
+				.param.hash = { \
+					.data = &raw_data, \
+					.hash = &sp_pkg##n##_hash \
+				} \
+			} \
+		} \
+	}
+#endif
+
 #endif /* TRUSTED_BOARD_BOOT */
 
 #endif /* AUTH_MOD_H */

include/export/common/tbbr/tbbr_img_def_exp.h

@@ -88,12 +88,7 @@
 /* Encrypted image identifier */
 #define ENC_IMAGE_ID			U(30)
 
-/* Define size of the array */
-#if defined(SPD_spmd)
-#define MAX_SP_IDS			U(8)
-#define MAX_NUMBER_IDS			MAX_SP_IDS + U(31)
-#else
-#define MAX_NUMBER_IDS			U(31)
-#endif
+/* Max Images */
+#define MAX_IMAGE_IDS			U(31)
 
 #endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */

include/tools_share/dualroot_oid.h

@@ -16,4 +16,16 @@
  */
 #define PROT_PK_OID				"1.3.6.1.4.1.4128.2100.1102"
 
+/*
+ * Secure Partitions Content Certificate
+ */
+#define SP_PKG1_HASH_OID                        "1.3.6.1.4.1.4128.2100.1301"
+#define SP_PKG2_HASH_OID                        "1.3.6.1.4.1.4128.2100.1302"
+#define SP_PKG3_HASH_OID                        "1.3.6.1.4.1.4128.2100.1303"
+#define SP_PKG4_HASH_OID                        "1.3.6.1.4.1.4128.2100.1304"
+#define SP_PKG5_HASH_OID                        "1.3.6.1.4.1.4128.2100.1305"
+#define SP_PKG6_HASH_OID                        "1.3.6.1.4.1.4128.2100.1306"
+#define SP_PKG7_HASH_OID                        "1.3.6.1.4.1.4128.2100.1307"
+#define SP_PKG8_HASH_OID                        "1.3.6.1.4.1.4128.2100.1308"
+
 #endif /* DUALROOT_OID_H */

include/tools_share/firmware_image_package.h

@@ -64,6 +64,8 @@
 	{{0xa4,  0x9f, 0x44, 0x11}, {0x5e, 0x63}, {0xe4, 0x11}, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} }
 #define UUID_NON_TRUSTED_FW_CONTENT_CERT \
 	{{0x8e,  0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
+#define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \
+	{{0x77,  0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} }
 /* Dynamic configs */
 #define UUID_HW_CONFIG \
 	{{0x08,  0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }

lib/debugfs/devfip.c

@@ -74,7 +74,8 @@ static const struct uuidnames uuidnames[] = {
 	{"tos-fw.cfg",		UUID_TOS_FW_CONFIG},
 	{"nt-fw.cfg",		UUID_NT_FW_CONFIG},
 	{"rot-k.crt",		UUID_ROT_KEY_CERT},
-	{"nt-k.crt",		UUID_NON_TRUSTED_WORLD_KEY_CERT}
+	{"nt-k.crt",		UUID_NON_TRUSTED_WORLD_KEY_CERT},
+	{"sip-sp.crt",		UUID_SIP_SECURE_PARTITION_CONTENT_CERT}
 };
 
 /*******************************************************************************

make_helpers/tbbr/tbbr_tools.mk

@@ -99,3 +99,8 @@ ifneq (${COT},dualroot)
     $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/nt_fw_key.crt,--nt-fw-key-cert))
 endif
 endif
+
+# Add SiP owned Secure Partitions CoT (image cert)
+ifneq (${SP_LAYOUT_FILE},)
+    $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert))
+endif

plat/arm/board/fvp/fdts/fvp_fw_config.dts

@@ -111,6 +111,7 @@
 			soc_fw_content_cert_uuid = <0x200cb2e2 0x11e4635e 0xccabe89c 0x66b62bf9>;
 			tos_fw_content_cert_uuid = <0x11449fa4 0x11e4635e 0x53f2887 0x3df32a72>;
 			nt_fw_content_cert_uuid = <0xf3c1c48e 0x11e4635d 0xee87a9a7 0xa73fb240>;
+			sp_content_cert_uuid = <0x44fd6d77 0x3b4c9786 0x3ec1eb91 0x6f2a5a02>;
 		};
 	};
 #endif /* ARM_IO_IN_DTB */

plat/arm/common/fconf/arm_fconf_io.c

@@ -49,6 +49,9 @@ const io_uuid_spec_t arm_uuid_spec[MAX_NUMBER_IDS] = {
 	[SOC_FW_CONTENT_CERT_ID] = {UUID_SOC_FW_CONTENT_CERT},
 	[TRUSTED_OS_FW_CONTENT_CERT_ID] = {UUID_TRUSTED_OS_FW_CONTENT_CERT},
 	[NON_TRUSTED_FW_CONTENT_CERT_ID] = {UUID_NON_TRUSTED_FW_CONTENT_CERT},
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID] = {UUID_SIP_SECURE_PARTITION_CONTENT_CERT},
+#endif
 #endif /* ARM_IO_IN_DTB */
 #endif /* TRUSTED_BOARD_BOOT */
 };
@@ -174,6 +177,13 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
 		(uintptr_t)&arm_uuid_spec[NON_TRUSTED_FW_CONTENT_CERT_ID],
 		open_fip
 	},
+#if defined(SPD_spmd)
+	[SP_CONTENT_CERT_ID] = {
+		&fip_dev_handle,
+		(uintptr_t)&arm_uuid_spec[SP_CONTENT_CERT_ID],
+		open_fip
+	},
+#endif
 #endif /* ARM_IO_IN_DTB */
 #endif /* TRUSTED_BOARD_BOOT */
 };
@@ -181,7 +191,7 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
 #ifdef IMAGE_BL2
 
 #if TRUSTED_BOARD_BOOT
-#define FCONF_ARM_IO_UUID_NUMBER	U(19)
+#define FCONF_ARM_IO_UUID_NUMBER	U(20)
 #else
 #define FCONF_ARM_IO_UUID_NUMBER	U(10)
 #endif
@@ -216,6 +226,9 @@ static const struct policies_load_info load_info[FCONF_ARM_IO_UUID_NUMBER] = {
 	{SOC_FW_CONTENT_CERT_ID, "soc_fw_content_cert_uuid"},
 	{TRUSTED_OS_FW_CONTENT_CERT_ID, "tos_fw_content_cert_uuid"},
 	{NON_TRUSTED_FW_CONTENT_CERT_ID, "nt_fw_content_cert_uuid"},
+#if defined(SPD_spmd)
+	{SP_CONTENT_CERT_ID, "sp_content_cert_uuid"},
+#endif
 #endif /* TRUSTED_BOARD_BOOT */
 };
 

plat/arm/common/fconf/arm_fconf_sp.c

@@ -30,7 +30,7 @@ int fconf_populate_arm_sp(uintptr_t config)
 	union uuid_helper_t uuid_helper;
 	unsigned int index = 0;
 	uint32_t val32;
-	const unsigned int sp_start_index = MAX_NUMBER_IDS - MAX_SP_IDS;
+	const unsigned int sp_start_index = SP_CONTENT_CERT_ID + 1;
 
 	/* As libfdt use void *, we can't avoid this cast */
 	const void *dtb = (void *)config;

tools/cert_create/include/cert.h

@@ -12,7 +12,7 @@
 #include "ext.h"
 #include "key.h"
 
-#define CERT_MAX_EXT			5
+#define CERT_MAX_EXT			9
 
 /*
  * This structure contains information related to the generation of the

tools/cert_create/include/dualroot/cot.h

@@ -18,6 +18,7 @@ enum {
 	SOC_FW_CONTENT_CERT,
 	TRUSTED_OS_FW_KEY_CERT,
 	TRUSTED_OS_FW_CONTENT_CERT,
+	SIP_SECURE_PARTITION_CONTENT_CERT,
 	FWU_CERT,
 
 	/* Certificates owned by the platform owner. */
@@ -42,6 +43,14 @@ enum {
 	TRUSTED_OS_FW_EXTRA1_HASH_EXT,
 	TRUSTED_OS_FW_EXTRA2_HASH_EXT,
 	TRUSTED_OS_FW_CONFIG_HASH_EXT,
+	SP_PKG1_HASH_EXT,
+	SP_PKG2_HASH_EXT,
+	SP_PKG3_HASH_EXT,
+	SP_PKG4_HASH_EXT,
+	SP_PKG5_HASH_EXT,
+	SP_PKG6_HASH_EXT,
+	SP_PKG7_HASH_EXT,
+	SP_PKG8_HASH_EXT,
 	SCP_FWU_CFG_HASH_EXT,
 	AP_FWU_CFG_HASH_EXT,
 	FWU_HASH_EXT,

tools/cert_create/src/dualroot/cot.c

@@ -137,6 +137,28 @@ static cert_t cot_certs[] = {
 		.num_ext = 5
 	},
 
+	[SIP_SECURE_PARTITION_CONTENT_CERT] = {
+		.id = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.opt = "sip-sp-cert",
+		.help_msg = "SiP owned Secure Partition Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "SiP owned Secure Partition Content Certificate",
+		.key = TRUSTED_WORLD_KEY,
+		.issuer = SIP_SECURE_PARTITION_CONTENT_CERT,
+		.ext = {
+			TRUSTED_FW_NVCOUNTER_EXT,
+			SP_PKG1_HASH_EXT,
+			SP_PKG2_HASH_EXT,
+			SP_PKG3_HASH_EXT,
+			SP_PKG4_HASH_EXT,
+			SP_PKG5_HASH_EXT,
+			SP_PKG6_HASH_EXT,
+			SP_PKG7_HASH_EXT,
+			SP_PKG8_HASH_EXT,
+		},
+		.num_ext = 9
+	},
+
 	[FWU_CERT] = {
 		.id = FWU_CERT,
 		.opt = "fwu-cert",
@@ -327,6 +349,87 @@ static ext_t cot_ext[] = {
 		.optional = 1
 	},
 
+	[SP_PKG1_HASH_EXT] = {
+		.oid = SP_PKG1_HASH_OID,
+		.opt = "sp-pkg1",
+		.help_msg = "Secure Partition Package1 file",
+		.sn = "SPPkg1Hash",
+		.ln = "SP Pkg1 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG2_HASH_EXT] = {
+		.oid = SP_PKG2_HASH_OID,
+		.opt = "sp-pkg2",
+		.help_msg = "Secure Partition Package2 file",
+		.sn = "SPPkg2Hash",
+		.ln = "SP Pkg2 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG3_HASH_EXT] = {
+		.oid = SP_PKG3_HASH_OID,
+		.opt = "sp-pkg3",
+		.help_msg = "Secure Partition Package3 file",
+		.sn = "SPPkg3Hash",
+		.ln = "SP Pkg3 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG4_HASH_EXT] = {
+		.oid = SP_PKG4_HASH_OID,
+		.opt = "sp-pkg4",
+		.help_msg = "Secure Partition Package4 file",
+		.sn = "SPPkg4Hash",
+		.ln = "SP Pkg4 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG5_HASH_EXT] = {
+		.oid = SP_PKG5_HASH_OID,
+		.opt = "sp-pkg5",
+		.help_msg = "Secure Partition Package5 file",
+		.sn = "SPPkg5Hash",
+		.ln = "SP Pkg5 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG6_HASH_EXT] = {
+		.oid = SP_PKG6_HASH_OID,
+		.opt = "sp-pkg6",
+		.help_msg = "Secure Partition Package6 file",
+		.sn = "SPPkg6Hash",
+		.ln = "SP Pkg6 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG7_HASH_EXT] = {
+		.oid = SP_PKG7_HASH_OID,
+		.opt = "sp-pkg7",
+		.help_msg = "Secure Partition Package7 file",
+		.sn = "SPPkg7Hash",
+		.ln = "SP Pkg7 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[SP_PKG8_HASH_EXT] = {
+		.oid = SP_PKG8_HASH_OID,
+		.opt = "sp-pkg8",
+		.help_msg = "Secure Partition Package8 file",
+		.sn = "SPPkg8Hash",
+		.ln = "SP Pkg8 hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+
 	[SCP_FWU_CFG_HASH_EXT] = {
 		.oid = SCP_FWU_CFG_HASH_OID,
 		.opt = "scp-fwu-cfg",

tools/fiptool/tbbr_config.c

@@ -151,6 +151,11 @@ toc_entry_t toc_entries[] = {
 		.uuid = UUID_NON_TRUSTED_FW_CONTENT_CERT,
 		.cmdline_name = "nt-fw-cert"
 	},
+	{
+		.name = "SiP owned Secure Partition content certificate",
+		.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
+		.cmdline_name = "sip-sp-cert"
+	},
 	{
 		.name = NULL,
 		.uuid = { {0} },

tools/sptool/sp_mk_generator.py

@@ -11,7 +11,8 @@ Layout file can exist outside of TF-A tree and the paths of Image and PM files
 must be relative to it.
 
 This script parses the layout file and generates a make file which updates
-FDT_SOURCES, FIP_ARGS and SPTOOL_ARGS which are used in later build steps.
+FDT_SOURCES, FIP_ARGS, CRT_ARGS and SPTOOL_ARGS which are used in later build
+steps.
 This script also gets SP "uuid" from parsing its PM and converting it to a
 standard format.
 
@@ -24,6 +25,7 @@ Secure Partition entry
     FDT_SOURCES +=  sp1.dts
     SPTOOL_ARGS += -i sp1.bin:sp1.dtb -o sp1.pkg
     FIP_ARGS += --blob uuid=XXXXX-XXX...,file=sp1.pkg
+    CRT_ARGS += --sp-pkg1 sp1.pkg
 
 A typical SP_LAYOUT_FILE file will look like
 {
@@ -59,7 +61,7 @@ dtb_dir = out_dir + "/fdts/"
 print(dtb_dir)
 
 with open(gen_file, 'w') as out_file:
-    for key in data.keys():
+    for idx, key in enumerate(data.keys()):
 
         """
         Append FDT_SOURCES
@@ -97,4 +99,9 @@ with open(gen_file, 'w') as out_file:
         Append FIP_ARGS
         """
         out_file.write("FIP_ARGS += --blob uuid=" + uuid_std + ",file=" + dst + "\n")
+
+        """
+        Append CRT_ARGS
+        """
+        out_file.write("CRT_ARGS += --sp-pkg" + str(idx + 1) + " " + dst + "\n")
         out_file.write("\n")