Vincent Jardin 62b9afa213 feat(cert-create): make SoC AP firmware hash extension optional
Some platforms do not include BL31 in their boot flow (e.g., platforms
using alternative secure monitor implementations or simplified boot
chains). Currently, cert_create requires --soc-fw even when BL31 is
not used, forcing integrators to provide dummy files.

This change makes the extension optional, consistent with other hash
extensions (tb-fw, hw-config, fw-config, soc-fw-config) that are
already optional.

Security note: When optional and not provided, a zero hash is stored
in the certificate. If BL31 is subsequently loaded at runtime, hash
verification will fail (zero hash won't match real image). This
ensures no security bypass is possible - only platforms that genuinely
don't use BL31 should omit this argument.

Change-Id: I2e066c5d46d84b90a1c72bdd729762499c5c5486
Signed-off-by: Vincent Jardin <vjardin@free.fr>
2026-01-28 11:09:28 +00:00