TBB: add build option to save private keys

This patch adds a boolean build option 'SAVE_KEYS' to indicate the certificate generation tool that it must save the private keys used to establish the chain of trust. This option depends on 'CREATE_KEYS' to be enabled. Default is '0' (do not save). Because the same filenames are used as outputs to save the keys, they are no longer a dependency to the cert_tool. This dependency has been removed from the Makefile. Documentation updated accordingly. Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b
2025-04-18 02:24:18 +00:00 · 2015-02-25 12:43:12 +00:00 · 2015-02-25 12:43:12 +00:00 · fd34e7ba77
commit fd34e7ba77
parent dba1289403
2 changed files with 24 additions and 8 deletions
--- a/6
+++ b/6
@ -73,6 +73,7 @@ DISABLE_PEDANTIC	:= 0
 # Flags to generate the Chain of Trust
 GENERATE_COT		:= 0
 CREATE_KEYS		:= 1
+SAVE_KEYS		:= 0
 # Flags to build TF with Trusted Boot support
 TRUSTED_BOARD_BOOT	:= 0
 AUTH_MOD		:= none
@ -270,6 +271,7 @@ $(eval $(call add_define,USE_COHERENT_MEM))
 # Process Generate CoT flags
 $(eval $(call assert_boolean,GENERATE_COT))
 $(eval $(call assert_boolean,CREATE_KEYS))
+$(eval $(call assert_boolean,SAVE_KEYS))

 # Process TRUSTED_BOARD_BOOT flag
 $(eval $(call assert_boolean,TRUSTED_BOARD_BOOT))
@ -327,6 +329,9 @@ ifneq (${GENERATE_COT},0)

    ifneq (${CREATE_KEYS},0)
        $(eval CRT_ARGS += -n)
+        ifneq (${SAVE_KEYS},0)
+            $(eval CRT_ARGS += -k)
+        endif
    endif
    $(eval CRT_ARGS += $(if ${ROT_KEY}, --rot-key ${ROT_KEY}))
    $(eval CRT_ARGS += $(if ${TRUSTED_WORLD_KEY}, --trusted-world-key ${TRUSTED_WORLD_KEY}))
@ -514,7 +519,6 @@ $(eval FIP_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
 $(eval FIP_ARGS += $(if $4,$(if $5,--bl$(1)-key-cert $(BUILD_PLAT)/bl$(1)_key.crt)))

 $(eval CRT_DEPS += $(if $4,$(2),))
-$(eval CRT_DEPS += $(if $4,$(if $6,$(6),)))
 $(eval CRT_ARGS += $(if $4,--bl$(1) $(2)))
 $(eval CRT_ARGS += $(if $4,$(if $6,--bl$(1)-key $(6))))
 $(eval CRT_ARGS += $(if $4,--bl$(1)-cert $(BUILD_PLAT)/bl$(1).crt))
--- a/docs/user-guide.md
+++ b/docs/user-guide.md
@ -297,28 +297,40 @@ performed.
    certificate generation tool to create new keys in case no valid keys are
    present or specified. Allowed options are '0' or '1'. Default is '1'.

+*   `SAVE_KEYS`: This option is used when `GENERATE_COT=1`. It tells the
+    certificate generation tool to save the keys used to establish the Chain of
+    Trust. Allowed options are '0' or '1'. Default is '0' (do not save).
+
+    Note: This option depends on 'CREATE_KEYS' to be enabled. If the keys
+    already exist in disk, they will be overwritten without further notice.
+
 *   `ROT_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
-    file that contains the ROT private key in PEM format.
+    file that contains the ROT private key in PEM format. If `SAVE_KEYS=1`, this
+    file name will be used to save the key.

 *   `TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It
    specifies the file that contains the Trusted World private key in PEM
-    format.
+    format. If `SAVE_KEYS=1`, this file name will be used to save the key.

 *   `NON_TRUSTED_WORLD_KEY`: This option is used when `GENERATE_COT=1`. It
    specifies the file that contains the Non-Trusted World private key in PEM
-    format.
+    format. If `SAVE_KEYS=1`, this file name will be used to save the key.

 *   `BL30_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
-    file that contains the BL3-0 private key in PEM format.
+    file that contains the BL3-0 private key in PEM format. If `SAVE_KEYS=1`,
+    this file name will be used to save the key.

 *   `BL31_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
-    file that contains the BL3-1 private key in PEM format.
+    file that contains the BL3-1 private key in PEM format. If `SAVE_KEYS=1`,
+    this file name will be used to save the key.

 *   `BL32_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
-    file that contains the BL3-2 private key in PEM format.
+    file that contains the BL3-2 private key in PEM format. If `SAVE_KEYS=1`,
+    this file name will be used to save the key.

 *   `BL33_KEY`: This option is used when `GENERATE_COT=1`. It specifies the
-    file that contains the BL3-3 private key in PEM format.
+    file that contains the BL3-3 private key in PEM format. If `SAVE_KEYS=1`,
+    this file name will be used to save the key.

 *   `PROGRAMMABLE_RESET_ADDRESS`: This option indicates whether the reset
    vector address can be programmed or is fixed on the platform. It can take