Chain of trust bindings
=======================

The device tree describes the chain of trust by means of a 'cot' node, which
contains 'manifests' and 'images' as sub-nodes. The 'manifests' and 'images'
nodes each contain a number of sub-nodes (i.e. 'certificate' and 'image' nodes)
giving the properties of each certificate and image respectively.

The device tree also describes a 'non-volatile-counters' node, which contains a
number of sub-nodes giving the properties of all non-volatile counters used in
the chain of trust.

cot
---

This is the root node, which contains 'manifests' and 'images' as sub-nodes.

Manifests and Certificate node bindings definition
--------------------------------------------------

- Manifests node
        Description: Container of certificate nodes.

        PROPERTIES

        - compatible:
                Usage: required

                Value type: <string>

                Definition: must be "arm, cert-descs"

- Certificate node
        Description:

        Describes certificate properties which are used
        during the authentication process.

        PROPERTIES

        - root-certificate
                Usage:

                Required for a certificate with no parent, in other
                words a certificate which is validated using the
                root of trust public key.

                Value type: <boolean>

        - image-id
                Usage: Required for every certificate with unique id.

                Value type: <u32>

        - parent
                Usage:

                Refers to the certificate's parent image, which typically
                contains the information needed to authenticate the certificate.
                This property is required for all non-root certificates.

                This property is not required for root-certificates,
                as root-certificates are validated using the root of trust
                public key provided by the platform.

                Value type: <phandle>

        - signing-key
                Usage:

                Refers to a public key node present in the parent
                certificate node. It is a required property for all
                non-root certificates, which are authenticated using the
                public key present in the parent certificate.

                This property is not required for root-certificates,
                as root-certificates are validated using the root of trust
                public key provided by the platform.

                Value type: <phandle>

        - antirollback-counter
                Usage:

                Used by all certificates which are protected against
                rollback attacks using a non-volatile counter. It is an
                optional property.

                This property refers to one of the non-volatile counter
                sub-nodes present in the 'non-volatile counters' node.

                Value type: <phandle>


        SUBNODES
            - Description:

              Hash and public key information present in the certificate
              are shown by these nodes.

            - public key node
                Description: Provides public key information in the certificate.

                PROPERTIES

                - oid
                    Usage:

                    This property provides the Object ID of the public key
                    provided in the certificate, with the help of which
                    the public key information can be extracted.

                    Value type: <string>

            - hash node
                Description: Provides the hash information in the certificate.

                PROPERTIES

                - oid
                    Usage:

                    This property provides the Object ID of the hash provided
                    in the certificate, with the help of which the hash
                    information can be extracted.

                    Value type: <string>

Example:

.. code:: c

    cot {
        manifests {
            compatible = "arm, cert-descs";

            /* Root certificate: no parent or signing-key property */
            trusted_key_cert: trusted-key-cert {
                root-certificate;
                image-id = <TRUSTED_KEY_CERT_ID>;
                antirollback-counter = <&trusted_nv_counter>;

                trusted_world_pk: trusted-world-pk {
                    oid = TRUSTED_WORLD_PK_OID;
                };
                non_trusted_world_pk: non-trusted-world-pk {
                    oid = NON_TRUSTED_WORLD_PK_OID;
                };
            };

            /* Non-root certificate: signing-key is a public key node of its parent */
            scp_fw_key_cert: scp_fw_key_cert {
                image-id = <SCP_FW_KEY_CERT_ID>;
                parent = <&trusted_key_cert>;
                signing-key = <&trusted_world_pk>;
                antirollback-counter = <&trusted_nv_counter>;

                scp_fw_content_pk: scp_fw_content_pk {
                    oid = SCP_FW_CONTENT_CERT_PK_OID;
                };
            };
            .
            .
            .

            next-certificate {

            };
        };
    };

Images and Image node bindings definition
-----------------------------------------

- Images node
        Description: Container of image nodes

        PROPERTIES

        - compatible:
                Usage: required

                Value type: <string>

                Definition: must be "arm, img-descs"

- Image node
        Description:

        Describes image properties which will be used during
        the authentication process.

        PROPERTIES

        - image-id
                Usage: Required for every image with unique id.

                Value type: <u32>

        - parent
                Usage:

                Required for every image to provide a reference to
                its parent image, which contains the necessary information
                to authenticate it.

                Value type: <phandle>

        - hash
                Usage:

                Required for all images which are validated using the
                hash method. This property refers to a hash node
                present in the parent certificate node.

                Value type: <phandle>

                Note:

                Currently, all images are validated using the 'hash'
                method. In future, multiple methods may be available
                to validate an image.

Example:

.. code:: c

    cot {
        images {
            compatible = "arm, img-descs";

            scp_bl2_image {
                image-id = <SCP_BL2_IMAGE_ID>;
                parent = <&scp_fw_content_cert>;
                hash = <&scp_fw_hash>;
            };

            .
            .
            .

            next-img {

            };
        };
    };

non-volatile counter node binding definition
--------------------------------------------

- non-volatile counters node
        Description: Contains properties for non-volatile counters.

        PROPERTIES

        - compatible:
                Usage: required

                Value type: <string>

                Definition: must be "arm, non-volatile-counter"

        - #address-cells
                Usage: required

                Value type: <u32>

                Definition:

                Must be set according to the address size
                of the non-volatile counter register

        - #size-cells
                Usage: required

                Value type: <u32>

                Definition: must be set to 0

        SUBNODE
            - counters node
                Description: Contains various non-volatile counters present in the platform.

                PROPERTIES

                - id
                    Usage: Required for every nv-counter with unique id.

                    Value type: <u32>

                - reg
                    Usage:

                    Register base address of the non-volatile counter.
                    It is a required property.

                    Value type: <u32>

                - oid
                    Usage:

                    This property provides the Object ID of the non-volatile
                    counter provided in the certificate. It is a required
                    property.

                    Value type: <string>

Example:

Below is a non-volatile counters example for an ARM platform.

.. code:: c

    non_volatile_counters: non_volatile_counters {
        compatible = "arm, non-volatile-counter";
        #address-cells = <1>;
        #size-cells = <0>;

        trusted_nv_counter: trusted_nv_counter {
            id = <TRUSTED_NV_CTR_ID>;
            reg = <TFW_NVCTR_BASE>;
            oid = TRUSTED_FW_NVCOUNTER_OID;
        };

        non_trusted_nv_counter: non_trusted_nv_counter {
            id = <NON_TRUSTED_NV_CTR_ID>;
            reg = <NTFW_CTR_BASE>;
            oid = NON_TRUSTED_FW_NVCOUNTER_OID;
        };
    };

Future update to chain of trust binding
---------------------------------------

This binding document needs to be revisited to generalise some terminology
which is currently specific to X.509 certificates, e.g. Object IDs.

*Copyright (c) 2020, Arm Limited. All rights reserved.*
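The reference rules stated for 'parent', 'signing-key', 'hash' and 'antirollback-counter' can be checked mechanically before a chain of trust description is built into firmware. The checker below is an added example, not code from this document or from the project. It assumes the nodes have already been parsed into dictionaries keyed by phandle label, uses the hypothetical keys 'pk-nodes' and 'hash-nodes' for a certificate's sub-nodes, treats ids as unique across certificates and images, and goes beyond the text by also rejecting parent chains that never reach a root certificate.

```python
# Constructed sample mirroring the binding examples (labels and ids are illustrative).
# 'pk-nodes' / 'hash-nodes' model a certificate's public key and hash sub-nodes.
COUNTERS = {"trusted_nv_counter", "non_trusted_nv_counter"}
CERTS = {
    "trusted_key_cert": {"root-certificate": True, "image-id": 1,
                         "antirollback-counter": "trusted_nv_counter",
                         "pk-nodes": {"trusted_world_pk", "non_trusted_world_pk"}},
    "scp_fw_key_cert": {"image-id": 2, "parent": "trusted_key_cert",
                        "signing-key": "trusted_world_pk",
                        "antirollback-counter": "trusted_nv_counter",
                        "pk-nodes": {"scp_fw_content_pk"}},
    "scp_fw_content_cert": {"image-id": 3, "parent": "scp_fw_key_cert",
                            "signing-key": "scp_fw_content_pk",
                            "hash-nodes": {"scp_fw_hash"}},
}
IMAGES = {"scp_bl2_image": {"image-id": 4, "parent": "scp_fw_content_cert",
                            "hash": "scp_fw_hash"}}


def check_cot(certs, images, counters):
    """Return a sorted list of binding violations; an empty list means consistent."""
    errs, seen = [], {}
    for name, node in {**certs, **images}.items():
        if "image-id" not in node:
            errs.append(f"{name}: missing image-id")
        elif node["image-id"] in seen:
            errs.append(f"{name}: image-id duplicates {seen[node['image-id']]}")
        else:
            seen[node["image-id"]] = name
        if name in certs and node.get("root-certificate"):
            continue  # root: validated with the platform's root of trust public key
        parent = certs.get(node.get("parent"))
        if parent is None:
            errs.append(f"{name}: parent missing or not a certificate node")
            continue
        # signing-key (certificates) and hash (images) must name a sub-node of the parent
        prop, pool = ("signing-key", "pk-nodes") if name in certs else ("hash", "hash-nodes")
        if node.get(prop) not in parent.get(pool, ()):
            errs.append(f"{name}: {prop} not found in parent {node['parent']}")
    for name, node in certs.items():
        ctr = node.get("antirollback-counter")
        if ctr is not None and ctr not in counters:
            errs.append(f"{name}: antirollback-counter {ctr} is not a counter sub-node")
        cur, hops = node, 0  # walk up: every chain must end at a root certificate
        while cur is not None and not cur.get("root-certificate") and hops <= len(certs):
            cur, hops = certs.get(cur.get("parent")), hops + 1
        if cur is not None and hops > len(certs):
            errs.append(f"{name}: parent chain loops, never reaches a root certificate")
    return sorted(errs)
```

A certificate whose 'signing-key' points at a key outside its parent, or an image whose 'hash' is not a hash node of its parent certificate, is reported by name, which is the misconfiguration that would otherwise surface only as an authentication failure at boot.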