xref: /rk3399_ARM-atf/docs/design/trusted-board-boot.rst (revision 57354abb2032b4598ce513d5d1ca788fe3bcf356) 
1Trusted Board Boot
2==================
3
4The Trusted Board Boot (TBB) feature prevents malicious firmware from running on
5the platform by authenticating all firmware images up to and including the
6normal world bootloader. It does this by establishing a Chain of Trust using
7Public-Key-Cryptography Standards (PKCS).
8
9This document describes the design of Trusted Firmware-A (TF-A) TBB, which is an
10implementation of the `Trusted Board Boot Requirements (TBBR)`_ specification,
11Arm DEN0006D. It should be used in conjunction with the `Firmware Update`_
12design document, which implements a specific aspect of the TBBR.
13
14Chain of Trust
15--------------
16
17A Chain of Trust (CoT) starts with a set of implicitly trusted components. On
18the Arm development platforms, these components are:
19
20-  A SHA-256 hash of the Root of Trust Public Key (ROTPK). It is stored in the
21   trusted root-key storage registers.
22
23-  The BL1 image, on the assumption that it resides in ROM so cannot be
24   tampered with.
25
26The remaining components in the CoT are either certificates or boot loader
27images. The certificates follow the `X.509 v3`_ standard. This standard
28enables adding custom extensions to the certificates, which are used to store
29essential information to establish the CoT.
30
31In the TBB CoT all certificates are self-signed. There is no need for a
32Certificate Authority (CA) because the CoT is not established by verifying the
33validity of a certificate's issuer but by the content of the certificate
34extensions. To sign the certificates, the PKCS#1 SHA-256 with RSA Encryption
35signature scheme is used with a RSA key length of 2048 bits. Future version of
36TF-A will support additional cryptographic algorithms.
37
38The certificates are categorised as "Key" and "Content" certificates. Key
39certificates are used to verify public keys which have been used to sign content
40certificates. Content certificates are used to store the hash of a boot loader
41image. An image can be authenticated by calculating its hash and matching it
42with the hash extracted from the content certificate. The SHA-256 function is
43used to calculate all hashes. The public keys and hashes are included as
44non-standard extension fields in the `X.509 v3`_ certificates.
45
46The keys used to establish the CoT are:
47
48-  **Root of trust key**
49
50   The private part of this key is used to sign the BL2 content certificate and
51   the trusted key certificate. The public part is the ROTPK.
52
53-  **Trusted world key**
54
55   The private part is used to sign the key certificates corresponding to the
56   secure world images (SCP_BL2, BL31 and BL32). The public part is stored in
57   one of the extension fields in the trusted world certificate.
58
59-  **Non-trusted world key**
60
61   The private part is used to sign the key certificate corresponding to the
62   non secure world image (BL33). The public part is stored in one of the
63   extension fields in the trusted world certificate.
64
65-  **BL3-X keys**
66
67   For each of SCP_BL2, BL31, BL32 and BL33, the private part is used to
68   sign the content certificate for the BL3-X image. The public part is stored
69   in one of the extension fields in the corresponding key certificate.
70
71The following images are included in the CoT:
72
73-  BL1
74-  BL2
75-  SCP_BL2 (optional)
76-  BL31
77-  BL33
78-  BL32 (optional)
79
80The following certificates are used to authenticate the images.
81
82-  **BL2 content certificate**
83
84   It is self-signed with the private part of the ROT key. It contains a hash
85   of the BL2 image.
86
87-  **Trusted key certificate**
88
89   It is self-signed with the private part of the ROT key. It contains the
90   public part of the trusted world key and the public part of the non-trusted
91   world key.
92
93-  **SCP_BL2 key certificate**
94
95   It is self-signed with the trusted world key. It contains the public part of
96   the SCP_BL2 key.
97
98-  **SCP_BL2 content certificate**
99
100   It is self-signed with the SCP_BL2 key. It contains a hash of the SCP_BL2
101   image.
102
103-  **BL31 key certificate**
104
105   It is self-signed with the trusted world key. It contains the public part of
106   the BL31 key.
107
108-  **BL31 content certificate**
109
110   It is self-signed with the BL31 key. It contains a hash of the BL31 image.
111
112-  **BL32 key certificate**
113
114   It is self-signed with the trusted world key. It contains the public part of
115   the BL32 key.
116
117-  **BL32 content certificate**
118
119   It is self-signed with the BL32 key. It contains a hash of the BL32 image.
120
121-  **BL33 key certificate**
122
123   It is self-signed with the non-trusted world key. It contains the public
124   part of the BL33 key.
125
126-  **BL33 content certificate**
127
128   It is self-signed with the BL33 key. It contains a hash of the BL33 image.
129
130The SCP_BL2 and BL32 certificates are optional, but they must be present if the
131corresponding SCP_BL2 or BL32 images are present.
132
133Trusted Board Boot Sequence
134---------------------------
135
136The CoT is verified through the following sequence of steps. The system panics
137if any of the steps fail.
138
139-  BL1 loads and verifies the BL2 content certificate. The issuer public key is
140   read from the verified certificate. A hash of that key is calculated and
141   compared with the hash of the ROTPK read from the trusted root-key storage
142   registers. If they match, the BL2 hash is read from the certificate.
143
144   Note: the matching operation is platform specific and is currently
145   unimplemented on the Arm development platforms.
146
147-  BL1 loads the BL2 image. Its hash is calculated and compared with the hash
148   read from the certificate. Control is transferred to the BL2 image if all
149   the comparisons succeed.
150
151-  BL2 loads and verifies the trusted key certificate. The issuer public key is
152   read from the verified certificate. A hash of that key is calculated and
153   compared with the hash of the ROTPK read from the trusted root-key storage
154   registers. If the comparison succeeds, BL2 reads and saves the trusted and
155   non-trusted world public keys from the verified certificate.
156
157The next two steps are executed for each of the SCP_BL2, BL31 & BL32 images.
158The steps for the optional SCP_BL2 and BL32 images are skipped if these images
159are not present.
160
161-  BL2 loads and verifies the BL3x key certificate. The certificate signature
162   is verified using the trusted world public key. If the signature
163   verification succeeds, BL2 reads and saves the BL3x public key from the
164   certificate.
165
166-  BL2 loads and verifies the BL3x content certificate. The signature is
167   verified using the BL3x public key. If the signature verification succeeds,
168   BL2 reads and saves the BL3x image hash from the certificate.
169
170The next two steps are executed only for the BL33 image.
171
172-  BL2 loads and verifies the BL33 key certificate. If the signature
173   verification succeeds, BL2 reads and saves the BL33 public key from the
174   certificate.
175
176-  BL2 loads and verifies the BL33 content certificate. If the signature
177   verification succeeds, BL2 reads and saves the BL33 image hash from the
178   certificate.
179
180The next step is executed for all the boot loader images.
181
182-  BL2 calculates the hash of each image. It compares it with the hash obtained
183   from the corresponding content certificate. The image authentication succeeds
184   if the hashes match.
185
186The Trusted Board Boot implementation spans both generic and platform-specific
187BL1 and BL2 code, and in tool code on the host build machine. The feature is
188enabled through use of specific build flags as described in the `User Guide`_.
189
190On the host machine, a tool generates the certificates, which are included in
191the FIP along with the boot loader images. These certificates are loaded in
192Trusted SRAM using the IO storage framework. They are then verified by an
193Authentication module included in TF-A.
194
195The mechanism used for generating the FIP and the Authentication module are
196described in the following sections.
197
198Authentication Framework
199------------------------
200
201The authentication framework included in TF-A provides support to implement
202the desired trusted boot sequence. Arm platforms use this framework to
203implement the boot requirements specified in the `TBBR-client`_ document.
204
205More information about the authentication framework can be found in the
206`Auth Framework`_ document.
207
208Certificate Generation Tool
209---------------------------
210
211The ``cert_create`` tool is built and runs on the host machine as part of the
212TF-A build process when ``GENERATE_COT=1``. It takes the boot loader images
213and keys as inputs (keys must be in PEM format) and generates the
214certificates (in DER format) required to establish the CoT. New keys can be
215generated by the tool in case they are not provided. The certificates are then
216passed as inputs to the ``fiptool`` utility for creating the FIP.
217
218The certificates are also stored individually in the in the output build
219directory.
220
221The tool resides in the ``tools/cert_create`` directory. It uses OpenSSL SSL
222library version 1.0.1 or later to generate the X.509 certificates. Instructions
223for building and using the tool can be found in the `User Guide`_.
224
225--------------
226
227*Copyright (c) 2015-2019, Arm Limited and Contributors. All rights reserved.*
228
229.. _Firmware Update: firmware-update.rst
230.. _X.509 v3: https://tools.ietf.org/rfc/rfc5280.txt
231.. _User Guide: ../getting_started/user-guide.rst
232.. _Auth Framework: auth-framework.rst
233.. _TBBR-client: https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a
234.. _Trusted Board Boot Requirements (TBBR): `TBBR-client`_
235