Hello everyone, 

    When I used TF-A 2.9.0 (commit b06b509eb2b7f0f4dce1b4133500cf30aa0dcd4a) to compile FVP, I opened the SAVE_KEYS=1 and modified the relevant code to save the key, but the compilation failed. 
The error message is as follows, SAVE_KEYS=0 compile is normal. It is also normal in lts-v2.8.9. 
    
    Is this question not configured or TF-A has bugs?


//Compile information
MBEDTLS_VERSION_MAJOR is [2] MBEDTLS_VERSION_MINOR is [28]
Including drivers/auth/mbedtls/mbedtls_crypto.mk
Building fvp
Selected OpenSSL version: 3.0.2

Built tools/cert_create/cert_create successfully

Selected OpenSSL version: 3.0.2
NOTICE:  CoT Generation Tool: Built : 16:00:52, Oct 13 2023
NOTICE:  Target platform: TBBR Generic
NOTICE:  Creating new key for 'Root Of Trust key'
WARNING: Cannot open file /mnt/sdb/tanwc/linux/tf-a/build/fvp/debug/trusted_rsa2048.pem
ERROR:   Cannot load key from /mnt/sdb/tanwc/linux/tf-a/build/fvp/debug/trusted_rsa2048.pem
ERROR:   Error loading '/mnt/sdb/tanwc/linux/tf-a/build/fvp/debug/trusted_rsa2048.pem'
make: *** [Makefile:1652: certificates] Error 1


//File modification: Define the specified macro
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 41d1b66c1..216659835 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -377,6 +377,22 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
     # Include common TBB sources
     AUTH_SOURCES       :=      drivers/auth/auth_mod.c \
                                drivers/auth/img_parser_mod.c
+    ifeq (${GENERATE_COT},1)
+       TFW_NVCTR_VAL   ?=      0
+       NTFW_NVCTR_VAL  ?=      0
+       KEY_SIZE        ?=
+       HASH_ALG        ?=      sha256
+       KEY_ALG         ?=      ecdsa
+       TF_MBEDTLS_KEY_ALG      :=      ${KEY_ALG}
+
+       ifeq (${SAVE_KEYS},1)
+               TRUSTED_WORLD_KEY       ?=      ${BUILD_PLAT}/trusted_${KEY_ALG}${KEY_SIZE}.pem
+               NON_TRUSTED_WORLD_KEY   ?=      ${BUILD_PLAT}/non-trusted_${KEY_ALG}${KEY_SIZE}.pem
+               BL31_KEY                ?=      ${BUILD_PLAT}/soc_${KEY_ALG}${KEY_SIZE}.pem
+               BL32_KEY                ?=      ${BUILD_PLAT}/trusted_os_${KEY_ALG}${KEY_SIZE}.pem
+               BL33_KEY                ?=      ${BUILD_PLAT}/non-trusted_os_${KEY_ALG}${KEY_SIZE}.pem
+       endif
+    endif

     # Include the selected chain of trust sources.
     ifeq (${COT},tbbr)

//The compilation command I use
make -j ARM_ARCH_MAJOR=8 \
    ARCH=aarch64 \
    CROSS_COMPILE=aarch64-linux-gnu- \
    DEBUG=1 \
    PLAT=fvp \
    TRUSTED_BOARD_BOOT=1 \
    GENERATE_COT=1 \
    SAVE_KEYS=1 \
    ARM_ROTPK_LOCATION=devel_rsa \
    MBEDTLS_DIR=/mbedtls \
    BL33=/mnt/uboot.bin \
    all fip


Thanks