Chain of trust bindings
=======================

The device tree allows the chain of trust to be described with the help of a
'cot' node, which contains 'manifests' and 'images' as sub-nodes.
The 'manifests' and 'images' nodes contain a number of sub-nodes (i.e. 'certificate'
and 'image' nodes) describing the properties of the certificate and image respectively.

The device tree also describes a 'non-volatile-counters' node, which contains a number of
sub-nodes describing the properties of all non-volatile counters used in the chain of trust.

cot
------------------------------------------------------------------
This is the root node, which contains 'manifests' and 'images' as sub-nodes.


Manifests and Certificate node bindings definition
----------------------------------------------------------------

- Manifests node
        Description: Container of certificate nodes.

        PROPERTIES

        - compatible:
                Usage: required

                Value type: <string>

                Definition: must be "arm, cert-descs"

- Certificate node
        Description:

        Describes certificate properties which are used
        during the authentication process.

        PROPERTIES

        - root-certificate
                Usage:

                Required for a certificate with no parent,
                in other words, a certificate which is validated
                using the root of trust public key.

                Value type: <boolean>

        - image-id
                Usage: Required for every certificate, with a unique id.

                Value type: <u32>

        - parent
                Usage:

                Refers to the parent image, which typically contains
                the information needed to authenticate the certificate.
                This property is required for all non-root certificates.

                This property is not required for root certificates,
                as root certificates are validated using the root of trust
                public key provided by the platform.

                Value type: <phandle>

        - signing-key
                Usage:

                For non-root certificates, this property refers to a
                public key node present in the parent certificate node. It is
                a required property for all non-root certificates which are
                authenticated using a public key present in the parent certificate.

                This property is not required for root certificates. If
                omitted, the root certificate will be validated using the
                default platform ROTPK. If instead the root certificate needs
                validating using a different ROTPK, the signing-key property
                should provide a reference to the ROTPK node to use.

                Value type: <phandle>

        - antirollback-counter
                Usage:

                This optional property is used by all certificates which are
                protected against rollback attacks using a non-volatile
                counter.

                It refers to one of the non-volatile counter sub-nodes
                present in the 'non-volatile counters' node.

                Value type: <phandle>


        SUBNODES
            - Description:

              Hash and public key information present in the certificate
              are shown by these nodes.

            - public key node
                Description: Provides public key information in the certificate.

                PROPERTIES

                - oid
                        Usage:

                        This property provides the Object ID of the public key
                        provided in the certificate, with the help of which
                        the public key information can be extracted.

                        Value type: <string>

            - hash node
                Description: Provides the hash information in the certificate.

                PROPERTIES

                - oid
                        Usage:

                        This property provides the Object ID of the hash provided in
                        the certificate, with the help of which the hash information
                        can be extracted.

                        Value type: <string>

Example:

.. code:: c

   cot {
       manifests {
           compatible = "arm, cert-descs";

           /* DT labels cannot contain '-', so labels use underscores. */
           trusted_key_cert: trusted-key-cert {
               root-certificate;
               image-id = <TRUSTED_KEY_CERT_ID>;
               antirollback-counter = <&trusted_nv_ctr>;

               trusted_world_pk: trusted-world-pk {
                   oid = TRUSTED_WORLD_PK_OID;
               };
               non_trusted_world_pk: non-trusted-world-pk {
                   oid = NON_TRUSTED_WORLD_PK_OID;
               };
           };

           scp_fw_key_cert: scp_fw_key_cert {
               image-id = <SCP_FW_KEY_CERT_ID>;
               parent = <&trusted_key_cert>;
               signing-key = <&trusted_world_pk>;
               antirollback-counter = <&trusted_nv_ctr>;

               scp_fw_content_pk: scp_fw_content_pk {
                   oid = SCP_FW_CONTENT_CERT_PK_OID;
               };
           };
           .
           .
           .

           next-certificate {

           };
       };
   };

Images and Image node bindings definition
-----------------------------------------

- Images node
        Description: Container of image nodes

        PROPERTIES

        - compatible:
                Usage: required

                Value type: <string>

                Definition: must be "arm, img-descs"

- Image node
        Description:

        Describes image properties which will be used during
        the authentication process.

        PROPERTIES

        - image-id
                Usage: Required for every image, with a unique id.

                Value type: <u32>

        - parent
                Usage:

                Required for every image to provide a reference to
                its parent image, which contains the necessary information
                to authenticate it.

                Value type: <phandle>

        - hash
                Usage:

                Required for all images which are validated using the
                hash method. This property refers to the hash
                node present in the parent certificate node.

                Value type: <phandle>

                Note:

                Currently, all images are validated using the 'hash'
                method. In future, multiple methods may be available
                to validate an image.

Example:

.. code:: c

   cot {
       images {
           compatible = "arm, img-descs";

           scp_bl2_image {
               image-id = <SCP_BL2_IMAGE_ID>;
               parent = <&scp_fw_content_cert>;
               hash = <&scp_fw_hash>;
           };

           .
           .
           .

           next-img {

           };
       };
   };

non-volatile counter node binding definition
--------------------------------------------

- non-volatile counters node
        Description: Contains properties for non-volatile counters.

        PROPERTIES

        - compatible:
                Usage: required

                Value type: <string>

                Definition: must be "arm, non-volatile-counter"

        - #address-cells
                Usage: required

                Value type: <u32>

                Definition:

                Must be set according to the address size
                of the non-volatile counter register

        - #size-cells
                Usage: required

                Value type: <u32>

                Definition: must be set to 0

        SUBNODE
            - counters node
                Description: Contains various non-volatile counters present in the platform.

                PROPERTIES

                - id
                        Usage: Required for every nv-counter, with a unique id.

                        Value type: <u32>

                - reg
                        Usage:

                        Register base address of the non-volatile counter. This is
                        a required property.

                        Value type: <u32>

                - oid
                        Usage:

                        This property provides the Object ID of the non-volatile counter
                        provided in the certificate. This is a required property.

                        Value type: <string>

Example:
Below is a non-volatile counters example for an ARM platform

.. code:: c

   non_volatile_counters: non_volatile_counters {
       compatible = "arm, non-volatile-counter";
       #address-cells = <1>;
       #size-cells = <0>;

       trusted_nv_ctr: trusted_nv_ctr {
           id = <TRUSTED_NV_CTR_ID>;
           reg = <TFW_NVCTR_BASE>;
           oid = TRUSTED_FW_NVCOUNTER_OID;
       };

       non_trusted_nv_ctr: non_trusted_nv_ctr {
           id = <NON_TRUSTED_NV_CTR_ID>;
           reg = <NTFW_CTR_BASE>;
           oid = NON_TRUSTED_FW_NVCOUNTER_OID;
       };
   };

rot_keys node binding definition
---------------------------------

- rot_keys node
        Description: Contains root-of-trust keys for the root certificates.

        SUBNODES
            - Description:

              Root of trust key information present in the root certificates
              are shown by these nodes.

            - rot key node
                Description: Provides ROT key information in the certificate.

                PROPERTIES

                - oid
                        Usage:

                        This property provides the Object ID of the ROT key provided
                        in the certificate.

                        Value type: <string>

Example:
Below is a rot_keys example for a CCA platform

.. code:: c

   rot_keys {
       swd_rot_pk: swd_rot_pk {
           oid = SWD_ROT_PK_OID;
       };

       prot_pk: prot_pk {
           oid = PROT_PK_OID;
       };
   };

Future update to chain of trust binding
---------------------------------------

This binding document needs to be revisited to generalise some terminology
that is currently specific to X.509 certificates, e.g. Object IDs.

*Copyright (c) 2020-2024, Arm Limited. All rights reserved.*
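
The required and optional properties defined in this binding can be checked mechanically before a description is built into firmware. The following is an added example, not part of this document's original text or of the TF-A code base; the ``check_cot`` function, the dict layout, the single shared image-id space, the constructed id values, and treating ``signing-key`` as mandatory for every non-root certificate are assumptions of the sketch.

```python
# Added example: lint a chain-of-trust description against the binding rules.
# Assumptions: nodes are dicts keyed by DT label, phandles are label strings,
# ids share one space, every non-root cert is verified with a parent key.

def check_cot(manifests, images, counters, rot_keys):
    """Return a list of binding violations; an empty list means consistent."""
    errs, ids = [], {}
    def holder(kind, ref):
        # Label of the certificate that owns sub-node `ref` of type `kind`.
        return next((c for c, n in manifests.items() if ref in n.get(kind, ())), None)

    def check_id(label, node):
        if "image-id" not in node:
            errs.append(f"{label}: image-id is required")
        elif ids.setdefault(node["image-id"], label) != label:
            errs.append(f"{label}: image-id already used by {ids[node['image-id']]}")

    for label, cert in manifests.items():
        check_id(label, cert)
        ctr = cert.get("antirollback-counter")  # optional property
        if ctr is not None and ctr not in counters:
            errs.append(f"{label}: antirollback-counter {ctr} is not a counter node")
        key, parent = cert.get("signing-key"), cert.get("parent")
        if cert.get("root-certificate"):
            # An omitted signing-key selects the default platform ROTPK.
            if key is not None and key not in rot_keys:
                errs.append(f"{label}: signing-key {key} is not a rot_keys node")
        elif parent not in manifests:
            errs.append(f"{label}: non-root certificate needs a valid parent")
        elif holder("pk", key) != parent:
            errs.append(f"{label}: signing-key {key} is not a public key of {parent}")

    for label, img in images.items():
        check_id(label, img)
        parent = img.get("parent")
        if parent not in manifests:
            errs.append(f"{label}: image needs a parent certificate")
        elif holder("hash", img.get("hash")) != parent:
            errs.append(f"{label}: hash {img.get('hash')} is not a hash node of {parent}")
    return errs

# Constructed sample modelled on the SCP firmware chain; id values are made up.
COUNTERS = {"trusted_nv_ctr", "non_trusted_nv_ctr"}
ROT_KEYS = {"swd_rot_pk", "prot_pk"}
MANIFESTS = {
    "trusted_key_cert": {"root-certificate": True, "image-id": 1,
        "antirollback-counter": "trusted_nv_ctr",
        "pk": ["trusted_world_pk", "non_trusted_world_pk"]},
    "scp_fw_key_cert": {"image-id": 2, "parent": "trusted_key_cert",
        "signing-key": "trusted_world_pk", "pk": ["scp_fw_content_pk"]},
    "scp_fw_content_cert": {"image-id": 3, "parent": "scp_fw_key_cert",
        "signing-key": "scp_fw_content_pk", "hash": ["scp_fw_hash"]},
}
IMAGES = {"scp_bl2_image": {"image-id": 4, "parent": "scp_fw_content_cert",
                            "hash": "scp_fw_hash"}}
```

A certificate whose ``signing-key`` points at a key held by a grandparent rather than its direct parent, or an image whose ``hash`` phandle resolves outside its parent certificate, is reported as a violation instead of silently producing a broken chain.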