Chain of trust bindings
=======================

The device tree describes the chain of trust with the help of the 'cot' node,
which contains 'manifests' and 'images' as sub-nodes. The 'manifests' and
'images' nodes in turn contain a number of sub-nodes (the 'certificate' and
'image' nodes) giving the properties of each certificate and image respectively.

The device tree also describes a 'non-volatile-counters' node, which contains
one sub-node for each non-volatile counter used in the chain of trust.

cot
------------------------------------------------------------------
This is the root node; it contains 'manifests' and 'images' as sub-nodes.


Manifests and Certificate node bindings definition
----------------------------------------------------------------

- Manifests node
    Description: Container of certificate nodes.

    PROPERTIES

    - compatible:
        Usage: required

        Value type: <string>

        Definition: must be "arm, cert-descs"

- Certificate node
    Description:

    Describes the certificate properties which are used
    during the authentication process.

    PROPERTIES

    - root-certificate
        Usage:

        Required for a certificate with no parent, in other words
        a certificate which is validated using the root of trust
        public key.

        Value type: <boolean>

    - image-id
        Usage: Required for every certificate; the id must be unique.

        Value type: <u32>

    - parent
        Usage:

        Refers to the parent image, which typically contains the
        information needed to authenticate this certificate.
        This property is required for all non-root certificates.

        This property is not required for root certificates,
        as root certificates are validated using the root of trust
        public key provided by the platform.

        Value type: <phandle>

    - signing-key
        Usage:

        Refers to the public key node present in the parent
        certificate node. It is a required property for all
        non-root certificates, which are authenticated using the
        public key present in the parent certificate.

        This property is not required for root certificates,
        as root certificates are validated using the root of trust
        public key provided by the platform.

        Value type: <phandle>

    - antirollback-counter
        Usage:

        Optional. Used by all certificates which are protected
        against rollback attacks using a non-volatile counter.

        Refers to one of the non-volatile counter sub-nodes
        present in the 'non-volatile-counters' node.

        Value type: <phandle>


    SUBNODES
    - Description:

      The hash and public key information present in the certificate
      are described by these nodes.

    - public key node
        Description: Provides the public key information in the certificate.

        PROPERTIES

        - oid
            Usage:

            The Object ID of the public key provided in the certificate,
            with the help of which the public key information can be
            extracted.

            Value type: <string>

    - hash node
        Description: Provides the hash information in the certificate.

        PROPERTIES

        - oid
            Usage:

            The Object ID of the hash provided in the certificate,
            with the help of which the hash information can be
            extracted.

            Value type: <string>

Example:

.. code:: c

   cot {
      manifests {
         compatible = "arm, cert-descs";

         trusted_key_cert: trusted-key-cert {
            root-certificate;
            image-id = <TRUSTED_KEY_CERT_ID>;
            antirollback-counter = <&trusted_nv_counter>;

            trusted_world_pk: trusted-world-pk {
               oid = TRUSTED_WORLD_PK_OID;
            };
            non_trusted_world_pk: non-trusted-world-pk {
               oid = NON_TRUSTED_WORLD_PK_OID;
            };
         };

         scp_fw_key_cert: scp_fw_key_cert {
            image-id = <SCP_FW_KEY_CERT_ID>;
            parent = <&trusted_key_cert>;
            signing-key = <&trusted_world_pk>;
            antirollback-counter = <&trusted_nv_counter>;

            scp_fw_content_pk: scp_fw_content_pk {
               oid = SCP_FW_CONTENT_CERT_PK_OID;
            };
         };
         .
         .
         .

         next-certificate {

         };
      };
   };

Images and Image node bindings definition
-----------------------------------------

- Images node
    Description: Container of image nodes.

    PROPERTIES

    - compatible:
        Usage: required

        Value type: <string>

        Definition: must be "arm, img-descs"

- Image node
    Description:

    Describes the image properties which are used during the
    authentication process.

    PROPERTIES

    - image-id
        Usage: Required for every image; the id must be unique.

        Value type: <u32>

    - parent
        Usage:

        Required for every image, to provide a reference to its
        parent image, which contains the information needed to
        authenticate it.

        Value type: <phandle>

    - hash
        Usage:

        Required for all images which are validated using the
        hash method. Refers to the hash node present in the
        parent certificate node.

        Value type: <phandle>

        Note:

        Currently, all images are validated using the 'hash'
        method. In future, multiple methods may be used to
        validate an image.

Example:

.. code:: c

   cot {
      images {
         compatible = "arm, img-descs";

         scp_bl2_image {
            image-id = <SCP_BL2_IMAGE_ID>;
            parent = <&scp_fw_content_cert>;
            hash = <&scp_fw_hash>;
         };

         .
         .
         .

         next-img {

         };
      };
   };

non-volatile counter node binding definition
--------------------------------------------

- non-volatile counters node
    Description: Contains the properties of the non-volatile counters.

    PROPERTIES

    - compatible:
        Usage: required

        Value type: <string>

        Definition: must be "arm, non-volatile-counter"

    - #address-cells
        Usage: required

        Value type: <u32>

        Definition:

        Must be set according to the address size
        of the non-volatile counter register.

    - #size-cells
        Usage: required

        Value type: <u32>

        Definition: must be set to 0

    SUBNODE
    - counters node
        Description: Contains the various non-volatile counters present in the platform.

        PROPERTIES

        - reg
            Usage:

            Register base address of the non-volatile counter.
            It is a required property.

            Value type: <u32>

        - oid
            Usage:

            The Object ID of the non-volatile counter provided
            in the certificate. It is a required property.

            Value type: <string>

Example:

Below is the non-volatile counters example for an Arm platform.

.. code:: c

   non-volatile-counters {
      compatible = "arm, non-volatile-counter";
      #address-cells = <1>;
      #size-cells = <0>;

      counters {
         trusted_nv_counter: trusted_nv_counter {
            reg = <TFW_NVCTR_BASE>;
            oid = TRUSTED_FW_NVCOUNTER_OID;
         };
         non_trusted_nv_counter: non_trusted_nv_counter {
            reg = <NTFW_CTR_BASE>;
            oid = NON_TRUSTED_FW_NVCOUNTER_OID;
         };
      };
   };

Future update to chain of trust binding
---------------------------------------

This binding document needs to be revisited to generalise some of the
terminology which is currently specific to X.509 certificates, for example
Object IDs.

*Copyright (c) 2020, Arm Limited. All rights reserved.*
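The bindings above state a number of structural rules that a chain-of-trust
device tree has to satisfy: the three 'compatible' strings, a root certificate
takes no 'parent' or 'signing-key', a non-root certificate's 'signing-key' must
be a public key node inside its parent certificate, an image's 'hash' must be a
hash node inside its parent certificate, every 'antirollback-counter' must point
into 'non-volatile-counters/counters', and every parent chain must end at a root
certificate. As an added check, not part of this binding document or of the
TF-A project, the following Python script parses the DTS subset used in the
examples above (labelled nodes, boolean properties, <u32>, <&phandle> and
"string" values, each node closed by "};") and reports violations of those
rules for any number of certificates and images. The embedded sample tree is
constructed: its image ids, OIDs and register address are placeholders, and it
is written out with literals because the real descriptor files use preprocessor
macros and are expected to go through the C preprocessor first.

```python
"""Added example, not TF-A project code: structural checks for a chain-of-trust device
tree. Parses the DTS subset used by the binding and verifies the rules it states."""
import re
from types import SimpleNamespace

TOKEN = re.compile(r'"[^"]*"|<[^>]*>|\};|[{;=]|[^\s{};=]+')  # strings, <cells>, "};", punctuation
SAMPLE_DTS = """cot {
    manifests { compatible = "arm, cert-descs";
        trusted_key_cert: trusted-key-cert {
            root-certificate; image-id = <1>; antirollback-counter = <&trusted_nv_counter>;
            trusted_world_pk: trusted-world-pk { oid = "1.2.3.4.100"; };
        };
        scp_fw_content_cert: scp_fw_content_cert {
            image-id = <2>; parent = <&trusted_key_cert>; signing-key = <&trusted_world_pk>;
            antirollback-counter = <&trusted_nv_counter>;
            scp_fw_hash: scp_fw_hash { oid = "1.2.3.4.200"; };
        };
    };
    images { compatible = "arm, img-descs";
        scp_bl2_image { image-id = <3>; parent = <&scp_fw_content_cert>; hash = <&scp_fw_hash>; };
    };
};
non-volatile-counters {
    compatible = "arm, non-volatile-counter"; #address-cells = <1>; #size-cells = <0>;
    counters { trusted_nv_counter: trusted_nv_counter { reg = <0x1000>; oid = "1.2.3.4.300"; }; };
};
"""  # constructed sample: the ids, OIDs and reg address are placeholders, not platform values

def node(name, label=None):                                   # a DT node: properties and children
    return SimpleNamespace(name=name, label=label, props={}, children=[])

def child(parent, name):
    return next((c for c in parent.children if c.name == name), None)

def decode(tok):                                              # value token -> str, int or ("ref", label)
    if tok[0] == '"':
        return tok[1:-1]
    inner = tok[1:-1].strip()
    return ("ref", inner[1:]) if inner[0] == "&" else int(inner, 0)

def parse_dts(text):                                          # DTS subset -> root node; root.labels maps phandles
    toks, root, i = TOKEN.findall(text), node("/"), 0
    root.labels, stack = {}, [root]
    while i < len(toks):
        tok, label, i = toks[i], None, i + 1
        if tok == "};":                                       # closes the current node
            stack.pop()
            continue
        if tok.endswith(":"):                                 # "label: name"
            label, tok, i = tok[:-1], toks[i], i + 1
        if toks[i] == "{":                                    # sub-node opens
            sub, i = node(tok, label), i + 1
            stack[-1].children.append(sub)
            stack.append(sub)
            root.labels.update({label: sub} if label else {})
        elif toks[i] == "=":                                  # name = value;
            stack[-1].props[tok], i = decode(toks[i + 1]), i + 3
        else:                                                 # boolean property;
            stack[-1].props[tok], i = True, i + 1
    return root

def check_cot(root):                                          # -> list of violations; [] means well formed
    errors = []

    def ref(n, prop, allowed):                                # phandle in n.props[prop] must point into 'allowed'
        value = n.props.get(prop)
        target = root.labels.get(value[1]) if isinstance(value, tuple) else None
        if target is None or target not in allowed:
            errors.append(f"{n.name}: '{prop}' does not refer to an allowed node")
        return target

    cot, nv = child(root, "cot"), child(root, "non-volatile-counters")
    manifests, images = (child(cot, "manifests"), child(cot, "images")) if cot else (None, None)
    if not (manifests and images and nv and child(nv, "counters")):
        return ["missing cot/manifests, cot/images or non-volatile-counters/counters node"]
    for n, compat in ((manifests, "arm, cert-descs"), (images, "arm, img-descs"),
                      (nv, "arm, non-volatile-counter")):
        if n.props.get("compatible") != compat:
            errors.append(f'{n.name}: compatible must be "{compat}"')
    counters, certs = child(nv, "counters").children, manifests.children
    for cert in certs:
        if cert.props.get("root-certificate"):
            if "parent" in cert.props or "signing-key" in cert.props:
                errors.append(f"{cert.name}: root certificate takes no 'parent' or 'signing-key'")
        elif (parent := ref(cert, "parent", certs)):
            ref(cert, "signing-key", parent.children)         # key node lives in the parent certificate
        if "antirollback-counter" in cert.props:
            ref(cert, "antirollback-counter", counters)
        seen, cur = set(), cert                               # chain must end at a root without looping
        while cur and not cur.props.get("root-certificate") and id(cur) not in seen:
            seen.add(id(cur))
            value = cur.props.get("parent")
            cur = root.labels.get(value[1]) if isinstance(value, tuple) else None
        if cur and id(cur) in seen:
            errors.append(f"{cert.name}: parent chain loops and never reaches a root certificate")
    for image in images.children:
        if (parent := ref(image, "parent", certs)):
            ref(image, "hash", parent.children)               # hash node lives in the parent certificate
    return errors
```

Calling `check_cot(parse_dts(SAMPLE_DTS))` returns an empty list for the sample;
pointing a 'signing-key' at a node that is not inside the parent certificate,
giving the root certificate a 'parent' so the chain loops, or referencing a
counter label that does not exist each produce one message per offending node.
The script only validates phandle wiring and presence of properties; it does
not check the OID strings against the certificate contents, which is the
firmware's job at boot time.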