diff --git a/Makefile b/Makefile
index c013e3578..4dbc2be99 100644
--- a/Makefile
+++ b/Makefile
@@ -735,6 +735,9 @@ ifeq ($(CTX_INCLUDE_MTE_REGS),1)
 endif
 endif
+# Trusted Boot is a prerequisite for Measured Boot. It provides trust that the
+# code taking the measurements and recording them has not been tampered
+# with. This is referred to as the Root of Trust for Measurement.
 ifeq ($(MEASURED_BOOT),1)
 ifneq (${TRUSTED_BOARD_BOOT},1)
 $(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1)
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 584430432..86618e47e 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -469,7 +469,10 @@ Common build options
 the build. The default value is 40 in debug builds and 20 in release builds.
 - ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot
- feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set.
+ feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set as well
+ in order to provide trust that the code taking the measurements and recording
+ them has not been tampered with.
+
 This option defaults to 0 and is an experimental feature in the stage of development.
diff --git a/plat/arm/board/fvp/fvp_measured_boot.c b/plat/arm/board/fvp/fvp_measured_boot.c
index b145aae58..5dcadba36 100644
--- a/plat/arm/board/fvp/fvp_measured_boot.c
+++ b/plat/arm/board/fvp/fvp_measured_boot.c
@@ -15,12 +15,10 @@ static const image_data_t fvp_images_data[] = {
 { BL32_EXTRA1_IMAGE_ID, BL32_EXTRA1_IMAGE_STRING, PCR_0 },
 { BL32_EXTRA2_IMAGE_ID, BL32_EXTRA2_IMAGE_STRING, PCR_0 },
 { BL33_IMAGE_ID, BL33_STRING, PCR_0 },
- { GPT_IMAGE_ID, GPT_IMAGE_STRING, PCR_0 },
 { HW_CONFIG_ID, HW_CONFIG_STRING, PCR_0 },
 { NT_FW_CONFIG_ID, NT_FW_CONFIG_STRING, PCR_0 },
 { SCP_BL2_IMAGE_ID, SCP_BL2_IMAGE_STRING, PCR_0 },
 { SOC_FW_CONFIG_ID, SOC_FW_CONFIG_STRING, PCR_0 },
- { STM32_IMAGE_ID, STM32_IMAGE_STRING, PCR_0 },
 { TOS_FW_CONFIG_ID, TOS_FW_CONFIG_STRING, PCR_0 },
 { INVALID_ID, NULL, (unsigned int)(-1) } /* Terminator */
 };
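Review bot: The two entries dropped from fvp_images_data (GPT_IMAGE_ID and STM32_IMAGE_ID) leave no comment stating which images FVP is expected to measure, so a later reader cannot tell whether an id missing from this table is deliberate (never loaded on this platform) or a gap in measurement coverage. Because every row maps an image id to PCR_0, this table is in effect the platform's measurement policy, and that deserves one sentence above the first entry, e.g. `/* Images measured on FVP: keep this list in sync with the images BL2 actually loads on this platform. */`. How the measurement driver treats an id that is not in the table (skip versus error) is not visible in this hunk, so if that behaviour is known it should be stated in the same comment. The array's opening line precedes the hunk; only its tail and the terminator are shown here.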