1Trusted Boot Firmware Configuration bindings 2============================================ 3 4This document defines the nodes and properties used to define the Trusted-Boot 5firmware configuration. Platform owners are advised to define shared bindings 6here. If a binding does not generalize, they should be documented 7alongside platform documentation. There is no guarantee of backward 8compatibility with the nodes and properties outlined in this context. 9 10IO FIP Handles 11-------------- 12 13- compatible [mandatory] 14 - value type: <string> 15 - Should be the string ``"<plat>,io-fip-handle"``, where ``<plat>`` is the name of the 16 platform (i.e. ``"arm,io-fip-handle"``). 17 18- scp_bl2_uuid [mandatory] 19 - value type: <string> 20 - SCP Firmware SCP_BL2 UUID 21 22- bl31_uuid [mandatory] 23 - value type: <string> 24 - EL3 Runtime Firmware BL31 UUID 25 26- bl32_uuid [mandatory] 27 - value type: <string> 28 - Secure Payload BL32 (Trusted OS) UUID 29 30- bl32_extra1_uuid [mandatory] 31 - value type: <string> 32 - Secure Payload BL32_EXTRA1 (Trusted OS Extra1) UUID 33 34- bl32_extra2_uuid [mandatory] 35 - value type: <string> 36 - Secure Payload BL32_EXTRA2 (Trusted OS Extra2) UUID 37 38- bl33_uuid [mandatory] 39 - value type: <string> 40 - Non-Trusted Firmware BL33 UUID 41 42- hw_cfg_uuid [mandatory] 43 - value type: <string> 44 - HW_CONFIG (e.g. Kernel DT) UUID 45 46- soc_fw_cfg_uuid [mandatory] 47 - value type: <string> 48 - SOC Firmware Configuration SOC_FW_CONFIG UUID 49 50- tos_fw_cfg_uuid [mandatory] 51 - value type: <string> 52 - Trusted OS Firmware Configuration TOS_FW_CONFIG UUID 53 54- nt_fw_cfg_uuid [mandatory] 55 - value type: <string> 56 - Non-Trusted Firmware Configuration NT_FW_CONFIG UUID 57 58- cca_cert_uuid [optional] 59 - value type: <string> 60 - CCA Content Certificate UUID 61 62- core_swd_cert_uuid [optional] 63 - value type: <string> 64 - Core SWD Key Certificate UUID 65 66- plat_cert_uuid [optional] 67 - value type: <string> 68 - Core SWD Key Certificate UUID 69 70- t_key_cert_uuid [optional] 71 - value type: <string> 72 - Trusted Key Certificate UUID 73 74- scp_fw_key_uuid [optional] 75 - value type: <string> 76 - SCP Firmware Key UUID 77 78- soc_fw_key_uuid [optional] 79 - value type: <string> 80 - SOC Firmware Key UUID 81 82- tos_fw_key_cert_uuid [optional] 83 - value type: <string> 84 - TOS Firmware Key UUID 85 86- nt_fw_key_cert_uuid [optional] 87 - value type: <string> 88 - Non-Trusted Firmware Key UUID 89 90- scp_fw_content_cert_uuid [optional] 91 - value type: <string> 92 - SCP Firmware Content Certificate UUID 93 94- soc_fw_content_cert_uuid [optional] 95 - value type: <string> 96 - SOC Firmware Content Certificate UUID 97 98- tos_fw_content_cert_uuid [optional] 99 - value type: <string> 100 - TOS Firmware Content Certificate UUID 101 102- nt_fw_content_cert_uuid [optional] 103 - value type: <string> 104 - Non-Trusted Firmware Content Certificate UUID 105 106- plat_sp_content_cert_uuid [optional] 107 - value type: <string> 108 - Platform Secure Partition Content Certificate UUID 109 110 111Secure Partitions 112----------------- 113 114- compatible [mandatory] 115 - value type: <string> 116 - Should be the string ``"<plat>,sp"``, where ``<plat>`` is the name of the 117 platform (i.e. ``"arm,sp"``). 118 119- uuid [mandatory] 120 - value type: <string> 121 - A string identifying the UUID of the service implemented by this partition. 122 The UUID format is described in RFC 4122. 123 124- load-address [mandatory] 125 - value type: <u32> 126 - Physical base address of the partition in memory. Absence of this field 127 indicates that the partition is position independent and can be loaded at 128 any address chosen at boot time. 129 130- owner [optional] 131 - value type: <string> 132 - A string property representing the name of the owner of the secure 133 partition, which may be the silicon or platform provider. 134 135Chain of Trust Descriptors 136-------------------------- 137 138If a structure includes a Chain of Trust (CoT) for secure authentication and 139verification, it must conform to the bindings described in the `Chain of Trust 140Bindings`_ document. Specifically, the CoT should be represented using a ``cot`` 141node containing ``manifests`` and ``images`` sub-nodes, with certificates, 142images, and non-volatile counters defined as per the specifications therein. 143This ensures compatibility with the authentication framework and supports 144features such as certificate hierarchies, rollback protection, and root-of-trust 145key integration. For full details on required properties and node structure, 146refer to the `Chain of Trust Bindings`_ document. 147 148-------------- 149 150*Copyright (c) 2024-2025, Arm Limited and Contributors. All rights reserved.* 151 152.. _Chain of Trust Bindings: ../cot-binding.html 153