Mention COT build option in trusted-board-boot-build.rst
Since commit 3bff910dc16ad5ed97d470064b25481d3674732b ("Introduce COT
build option"), it is now possible to select a different Chain of Trust
than the TBBR-Client one.
Make a few adjustments in the documentation to reflect that. Also make
some minor improvements (fixing typos, better formatting, ...) along
the way.
Change-Id: I3bbadc441557e1e13311b6fd053fdab6b10b1ba2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
diff --git a/docs/design/trusted-board-boot-build.rst b/docs/design/trusted-board-boot-build.rst
index f5c8bc9..dd61b61 100644
--- a/docs/design/trusted-board-boot-build.rst
+++ b/docs/design/trusted-board-boot-build.rst
@@ -32,25 +32,28 @@
- ``TRUSTED_BOARD_BOOT=1``
- ``GENERATE_COT=1``
+ By default, this will use the Chain of Trust described in the TBBR-client
+ document. To select a different one, use the ``COT`` build option.
+
In the case of Arm platforms, the location of the ROTPK hash must also be
specified at build time. The following locations are currently supported (see
``ARM_ROTPK_LOCATION`` build option):
- ``ARM_ROTPK_LOCATION=regs``: the ROTPK hash is obtained from the Trusted
- root-key storage registers present in the platform. On Juno, this
+ root-key storage registers present in the platform. On Juno, these
registers are read-only. On FVP Base and Cortex models, the registers
- are read-only, but the value can be specified using the command line
+ are also read-only, but the value can be specified using the command line
option ``bp.trusted_key_storage.public_key`` when launching the model.
On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
key hash, whose private part is not currently available.
- ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
- plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin. Enforce generation
- of the new hash if ROT_KEY is specified.
+ ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce
+ generation of the new hash if ``ROT_KEY`` is specified.
- ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
- plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin. Enforce generation
- of the new hash if ROT_KEY is specified.
+ ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce
+ generation of the new hash if ``ROT_KEY`` is specified.
Example of command line using RSA development keys:
@@ -64,9 +67,8 @@
all fip
The result of this build will be the bl1.bin and the fip.bin binaries. This
- FIP will include the certificates corresponding to the Chain of Trust
- described in the TBBR-client document. These certificates can also be found
- in the output build directory.
+ FIP will include the certificates corresponding to the selected Chain of
+ Trust. These certificates can also be found in the output build directory.
#. The optional FWU_FIP contains any additional images to be loaded from
Non-Volatile storage during the :ref:`Firmware Update (FWU)` process. To build the
@@ -102,8 +104,8 @@
The result of this build will be bl1.bin, fip.bin and fwu_fip.bin binaries.
Both the FIP and FWU_FIP will include the certificates corresponding to the
- Chain of Trust described in the TBBR-client document. These certificates
- can also be found in the output build directory.
+ selected Chain of Trust. These certificates can also be found in the output
+ build directory.
--------------