docs/design/trusted-board-boot.rst

51 The remaining components in the CoT are either certificates or boot loader
52 images. The certificates follow the `X.509 v3`_ standard. This standard
53 enables adding custom extensions to the certificates, which are used to store
56 All certificates are self-signed. There is no need for a Certificate Authority
59 the certificates, different signature schemes are available, please refer to the
62 The certificates are categorised as "Key" and "Content" certificates. Key
63 certificates are used to verify public keys which have been used to sign content
64 certificates. Content certificates are used to store the hash of a boot loader
69 extension fields in the `X.509 v3`_ certificates.
79 In the TBBR CoT, all firmware binaries and certificates are (directly or
93    The private part is used to sign the key certificates corresponding to the
118 The following certificates are used to authenticate the images.
172 The SCP firmware and Trusted OS certificates are optional, but they must be
176 images (SCP, debug certificates, secure partitions, configuration files) are not
196 BL2. Some images (SCP, debug certificates, secure partitions, configuration
268 On the host machine, a tool generates the certificates, which are included in
269 the FIP along with the boot loader images. These certificates are loaded in
292 and keys as inputs and generates the certificates (in DER format) required to
295 case they are not provided. The certificates are then passed as inputs to
298 The certificates are also stored individually in the output build directory.
301 library version to generate the X.509 certificates. The specific version of the