#
# Copyright 2020-2022 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Platforms that enable TRUSTED_BOARD_BOOT need to include this makefile.
# The following definitions are to be provided by the platform.mk file or
# by the user: BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE
# Pick the CSF header input templates for the configured CHASSIS value.
# Only 2, 3 and 3_2 are handled; any other value (or none) stops the build.
ifeq ($(CHASSIS), 2)
include $(PLAT_DRIVERS_PATH)/csu/csu.mk
BL2_CSF_FILE		:=	input_bl2_ch$(CHASSIS)
CSF_FILE		:=	input_blx_ch$(CHASSIS)
else ifeq ($(CHASSIS), 3)
BL2_CSF_FILE		:=	input_bl2_ch$(CHASSIS)
PBI_CSF_FILE		:=	input_pbi_ch$(CHASSIS)
CSF_FILE		:=	input_blx_ch$(CHASSIS)
$(eval $(call add_define, CSF_HDR_CH3))
else ifeq ($(CHASSIS), 3_2)
# Chassis 3_2 reuses the chassis 3 template for the BLx images, while the
# BL2 and PBI templates carry the full 3_2 suffix.
BL2_CSF_FILE		:=	input_bl2_ch$(CHASSIS)
PBI_CSF_FILE		:=	input_pbi_ch$(CHASSIS)
CSF_FILE		:=	input_blx_ch3
$(eval $(call add_define, CSF_HDR_CH3))
else
$(error -> CHASSIS not set!)
endif
# auth directory under the platform drivers path.
PLAT_AUTH_PATH		:=  $(PLAT_DRIVERS_PATH)/auth

# Use the chassis CSF template for BL2 unless an input file was already given.
ifeq "$(BL2_INPUT_FILE)" ""
BL2_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/$(BL2_CSF_FILE)
endif

# Same fallback for the PBI input file.
# NOTE(review): this file assigns PBI_CSF_FILE only for CHASSIS 3 and 3_2;
# unless csu.mk sets it, the CHASSIS 2 default expands to the bare
# csf_hdr_parser directory. Confirm PBI_INPUT_FILE is unused on chassis 2.
ifeq "$(PBI_INPUT_FILE)" ""
PBI_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/$(PBI_CSF_FILE)
endif
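# If MBEDTLS_DIR is not specified, use CSF Header option; otherwise the
# mbedTLS X.509 sources and the ROT key / ROTPK hash rules below are used.
ifeq (${MBEDTLS_DIR},)
    # Generic image processing filters to prepend CSF header.
    # Every *_INPUT_FILE left empty falls back to the chassis CSF template.
    ifeq (${BL33_INPUT_FILE},)
    BL33_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    ifeq (${BL31_INPUT_FILE},)
    BL31_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    ifeq (${BL32_INPUT_FILE},)
    BL32_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    ifeq (${FUSE_INPUT_FILE},)
    FUSE_INPUT_FILE	:= $(PLAT_AUTH_PATH)/csf_hdr_parser/${CSF_FILE}
    endif

    PLAT_INCLUDES	+= -I$(PLAT_DRIVERS_PATH)/sfp
    PLAT_TBBR_SOURCES	+= $(PLAT_AUTH_PATH)/csf_hdr_parser/cot.c	\
			   $(PLAT_COMMON_PATH)/tbbr/csf_tbbr.c
    # IMG PARSER here is CSF header parser
    include $(PLAT_DRIVERS_PATH)/auth/csf_hdr_parser/csf_hdr.mk
    PLAT_TBBR_SOURCES 	+=	$(CSF_HDR_SOURCES)

    SCP_BL2_PRE_TOOL_FILTER	:= CST_SCP_BL2
    BL31_PRE_TOOL_FILTER	:= CST_BL31
    BL32_PRE_TOOL_FILTER	:= CST_BL32
    BL33_PRE_TOOL_FILTER	:= CST_BL33
else

    ifeq (${DISABLE_FUSE_WRITE}, 1)
        $(eval $(call add_define,DISABLE_FUSE_WRITE))
    endif

    # For Mbedtls currently crypto is not supported via CAAM
    # enable it when that support is there
    CAAM_INTEG		:= 0
    KEY_ALG		:= rsa
    KEY_SIZE		:= 2048

    $(eval $(call add_define,MBEDTLS_X509))
    ifeq (${PLAT_DDR_PHY},PHY_GEN2)
        $(eval $(call add_define,PLAT_DEF_OID))
    endif
    include drivers/auth/mbedtls/mbedtls_x509.mk


    PLAT_TBBR_SOURCES	+= $(PLAT_AUTH_PATH)/tbbr/tbbr_cot.c \
			   $(PLAT_COMMON_PATH)/tbbr/nxp_rotpk.S \
			   $(PLAT_COMMON_PATH)/tbbr/x509_tbbr.c

    # ROTPK key is embedded in BL2 image.
    # Default the ROT private key to a file in the build directory when the
    # caller did not supply one. Indented with spaces: a leading tab here
    # could be read as recipe text if a rule happened to precede it.
    ifeq (${ROT_KEY},)
        ROT_KEY		= $(BUILD_PLAT)/rot_key.pem
    endif

    # With SAVE_KEYS=1, every key path left empty defaults to a .pem file in
    # the build directory.
    ifeq (${SAVE_KEYS},1)

        ifeq (${TRUSTED_WORLD_KEY},)
            TRUSTED_WORLD_KEY = ${BUILD_PLAT}/trusted.pem
        endif

        ifeq (${NON_TRUSTED_WORLD_KEY},)
            NON_TRUSTED_WORLD_KEY = ${BUILD_PLAT}/non-trusted.pem
        endif

        ifeq (${BL31_KEY},)
            BL31_KEY = ${BUILD_PLAT}/soc.pem
        endif

        ifeq (${BL32_KEY},)
            BL32_KEY = ${BUILD_PLAT}/trusted_os.pem
        endif

        ifeq (${BL33_KEY},)
            BL33_KEY = ${BUILD_PLAT}/non-trusted_os.pem
        endif

    endif

    # SHA-256 digest of the DER-encoded ROT public key; its path is passed to
    # the sources as the ROTPK_HASH define and nxp_rotpk.o is rebuilt whenever
    # the digest file changes.
    ROTPK_HASH		= $(BUILD_PLAT)/rotpk_sha256.bin

    $(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))

    $(BUILD_PLAT)/bl2/nxp_rotpk.o: $(ROTPK_HASH)

    # Generate a 2048-bit RSA ROT key only when no key file exists yet.
    # The key is written under umask 077 so the private key is readable by
    # the build user only, and it is created under a temporary name and then
    # renamed, so a failed or interrupted openssl run cannot leave an empty
    # file behind that later builds would accept as the key.
    # NOTE(review): a key generated here lives in the build tree; release
    # builds presumably pass ROT_KEY pointing at a managed key - confirm.
    certificates: $(ROT_KEY)
    $(ROT_KEY): | $(BUILD_PLAT)
	@echo "  OPENSSL $@"
	@if [ ! -f $(ROT_KEY) ]; then \
		umask 077 && \
		${OPENSSL_BIN_PATH}/openssl genrsa -out $@.tmp 2048 2>/dev/null && \
		mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }; \
	fi

    # Export the public key and hash it as two separately checked steps.
    # In a plain "rsa | dgst" pipeline the shell reports only the status of
    # dgst, so an unreadable or malformed key would still yield the digest of
    # empty input, and that value would be built into BL2 as the ROTPK hash.
    # The digest is moved into place only after both steps succeeded.
    $(ROTPK_HASH): $(ROT_KEY)
	@echo "  OPENSSL $@"
	$(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER -out $@.der 2>/dev/null && \
	${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary -out $@.tmp $@.der 2>/dev/null && \
	mv -f $@.tmp $@; \
	rc=$$?; rm -f $@.der $@.tmp; exit $$rc

endif #MBEDTLS_DIR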
PLAT_INCLUDES		+=	-Iinclude/common/tbbr

# Generic authentication framework sources, followed by whatever the
# branches above collected in PLAT_TBBR_SOURCES.
TBBR_SOURCES		+=	$(addprefix drivers/auth/,auth_mod.c crypto_mod.c img_parser_mod.c)
TBBR_SOURCES		+=	plat/common/tbbr/plat_tbbr.c
TBBR_SOURCES		+=	$(PLAT_TBBR_SOURCES)
# Crypto back end selection. CAAM_INTEG equal to 0 (the value the mbedTLS
# branch of this file assigns) includes the mbedTLS crypto makefile; any
# other value, including an unset variable, includes the CAAM auth makefile
# and adds its AUTH_SOURCES.
ifneq ($(CAAM_INTEG),0)
    include $(PLAT_DRIVERS_PATH)/crypto/caam/src/auth/auth.mk
    TBBR_SOURCES	+= $(AUTH_SOURCES)
else
    include drivers/auth/mbedtls/mbedtls_crypto.mk
endif