Paul Beesley | fc9ee36 | 2019-03-07 15:47:15 +0000 | [diff] [blame] | 1 | Authentication Framework & Chain of Trust |
| 2 | ========================================= |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 4 | The aim of this document is to describe the authentication framework |
| 5 | implemented in Trusted Firmware-A (TF-A). This framework fulfills the |
| 6 | following requirements: |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 7 | |
| 8 | #. It should be possible for a platform port to specify the Chain of Trust in |
| 9 | terms of certificate hierarchy and the mechanisms used to verify a |
| 10 | particular image/certificate. |
| 11 | |
| 12 | #. The framework should distinguish between: |
| 13 | |
| 14 | - The mechanism used to encode and transport information, e.g. DER encoded |
| 15 | X.509v3 certificates to ferry Subject Public Keys, hashes and non-volatile |
| 16 | counters. |
| 17 | |
| 18 | - The mechanism used to verify the transported information i.e. the |
| 19 | cryptographic libraries. |
| 20 | |
| 21 | The framework has been designed following a modular approach illustrated in the |
| 22 | next diagram: |
| 23 | |
| 24 | :: |
| 25 | |
| 26 | +---------------+---------------+------------+ |
| 27 | | Trusted | Trusted | Trusted | |
| 28 | | Firmware | Firmware | Firmware | |
| 29 | | Generic | IO Framework | Platform | |
| 30 | | Code i.e. | (IO) | Port | |
| 31 | | BL1/BL2 (GEN) | | (PP) | |
| 32 | +---------------+---------------+------------+ |
| 33 | ^ ^ ^ |
| 34 | | | | |
| 35 | v v v |
| 36 | +-----------+ +-----------+ +-----------+ |
| 37 | | | | | | Image | |
| 38 | | Crypto | | Auth | | Parser | |
| 39 | | Module |<->| Module |<->| Module | |
| 40 | | (CM) | | (AM) | | (IPM) | |
| 41 | | | | | | | |
| 42 | +-----------+ +-----------+ +-----------+ |
| 43 | ^ ^ |
| 44 | | | |
| 45 | v v |
| 46 | +----------------+ +-----------------+ |
| 47 | | Cryptographic | | Image Parser | |
| 48 | | Libraries (CL) | | Libraries (IPL) | |
| 49 | +----------------+ +-----------------+ |
| 50 | | | |
| 51 | | | |
| 52 | | | |
| 53 | v v |
| 54 | +-----------------+ |
| 55 | | Misc. Libs e.g. | |
| 56 | | ASN.1 decoder | |
| 57 | | | |
| 58 | +-----------------+ |
| 59 | |
| 60 | DIAGRAM 1. |
| 61 | |
| 62 | This document describes the inner details of the authentication framework and |
| 63 | the abstraction mechanisms available to specify a Chain of Trust. |
| 64 | |
| 65 | Framework design |
| 66 | ---------------- |
| 67 | |
| 68 | This section describes some aspects of the framework design and the rationale |
| 69 | behind them. These aspects are key to verify a Chain of Trust. |
| 70 | |
| 71 | Chain of Trust |
| 72 | ~~~~~~~~~~~~~~ |
| 73 | |
| 74 | A CoT is basically a sequence of authentication images which usually starts with |
| 75 | a root of trust and culminates in a single data image. The following diagram |
| 76 | illustrates how this maps to a CoT for the BL31 image described in the |
Sandrine Bailleux | 3091842 | 2019-04-24 10:41:24 +0200 | [diff] [blame] | 77 | `TBBR-Client specification`_. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 78 | |
| 79 | :: |
| 80 | |
| 81 | +------------------+ +-------------------+ |
| 82 | | ROTPK/ROTPK Hash |------>| Trusted Key | |
| 83 | +------------------+ | Certificate | |
| 84 | | (Auth Image) | |
| 85 | /+-------------------+ |
| 86 | / | |
| 87 | / | |
| 88 | / | |
| 89 | / | |
| 90 | L v |
| 91 | +------------------+ +-------------------+ |
| 92 | | Trusted World |------>| BL31 Key | |
| 93 | | Public Key | | Certificate | |
| 94 | +------------------+ | (Auth Image) | |
| 95 | +-------------------+ |
| 96 | / | |
| 97 | / | |
| 98 | / | |
| 99 | / | |
| 100 | / v |
| 101 | +------------------+ L +-------------------+ |
| 102 | | BL31 Content |------>| BL31 Content | |
| 103 | | Certificate PK | | Certificate | |
| 104 | +------------------+ | (Auth Image) | |
| 105 | +-------------------+ |
| 106 | / | |
| 107 | / | |
| 108 | / | |
| 109 | / | |
| 110 | / v |
| 111 | +------------------+ L +-------------------+ |
| 112 | | BL31 Hash |------>| BL31 Image | |
| 113 | | | | (Data Image) | |
| 114 | +------------------+ | | |
| 115 | +-------------------+ |
| 116 | |
| 117 | DIAGRAM 2. |
| 118 | |
| 119 | The root of trust is usually a public key (ROTPK) that has been burnt in the |
| 120 | platform and cannot be modified. |
| 121 | |
| 122 | Image types |
| 123 | ~~~~~~~~~~~ |
| 124 | |
| 125 | Images in a CoT are categorised as authentication and data images. An |
| 126 | authentication image contains information to authenticate a data image or |
| 127 | another authentication image. A data image is usually a boot loader binary, but |
| 128 | it could be any other data that requires authentication. |
| 129 | |
| 130 | Component responsibilities |
| 131 | ~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 132 | |
| 133 | For every image in a Chain of Trust, the following high level operations are |
| 134 | performed to verify it: |
| 135 | |
| 136 | #. Allocate memory for the image either statically or at runtime. |
| 137 | |
| 138 | #. Identify the image and load it in the allocated memory. |
| 139 | |
| 140 | #. Check the integrity of the image as per its type. |
| 141 | |
| 142 | #. Authenticate the image as per the cryptographic algorithms used. |
| 143 | |
| 144 | #. If the image is an authentication image, extract the information that will |
| 145 | be used to authenticate the next image in the CoT. |
| 146 | |
| 147 | In Diagram 1, each component is responsible for one or more of these operations. |
| 148 | The responsibilities are briefly described below. |
| 149 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 150 | TF-A Generic code and IO framework (GEN/IO) |
| 151 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 152 | |
| 153 | These components are responsible for initiating the authentication process for a |
| 154 | particular image in BL1 or BL2. For each BL image that requires authentication, |
| 155 | the Generic code asks recursively the Authentication module what is the parent |
| 156 | image until either an authenticated image or the ROT is reached. Then the |
Paul Beesley | 1fbc97b | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 157 | Generic code calls the IO framework to load the image and calls the |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 158 | Authentication module to authenticate it, following the CoT from ROT to Image. |
| 159 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 160 | TF-A Platform Port (PP) |
| 161 | ^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 162 | |
| 163 | The platform is responsible for: |
| 164 | |
| 165 | #. Specifying the CoT for each image that needs to be authenticated. Details of |
| 166 | how a CoT can be specified by the platform are explained later. The platform |
| 167 | also specifies the authentication methods and the parsing method used for |
| 168 | each image. |
| 169 | |
| 170 | #. Statically allocating memory for each parameter in each image which is |
| 171 | used for verifying the CoT, e.g. memory for public keys, hashes etc. |
| 172 | |
| 173 | #. Providing the ROTPK or a hash of it. |
| 174 | |
| 175 | #. Providing additional information to the IPM to enable it to identify and |
| 176 | extract authentication parameters contained in an image, e.g. if the |
| 177 | parameters are stored as X509v3 extensions, the corresponding OID must be |
| 178 | provided. |
| 179 | |
| 180 | #. Fulfill any other memory requirements of the IPM and the CM (not currently |
| 181 | described in this document). |
| 182 | |
| 183 | #. Export functions to verify an image which uses an authentication method that |
| 184 | cannot be interpreted by the CM, e.g. if an image has to be verified using a |
| 185 | NV counter, then the value of the counter to compare with can only be |
| 186 | provided by the platform. |
| 187 | |
| 188 | #. Export a custom IPM if a proprietary image format is being used (described |
| 189 | later). |
| 190 | |
| 191 | Authentication Module (AM) |
| 192 | ^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 193 | |
| 194 | It is responsible for: |
| 195 | |
| 196 | #. Providing the necessary abstraction mechanisms to describe a CoT. Amongst |
| 197 | other things, the authentication and image parsing methods must be specified |
| 198 | by the PP in the CoT. |
| 199 | |
| 200 | #. Verifying the CoT passed by GEN by utilising functionality exported by the |
| 201 | PP, IPM and CM. |
| 202 | |
| 203 | #. Tracking which images have been verified. In case an image is a part of |
| 204 | multiple CoTs then it should be verified only once e.g. the Trusted World |
| 205 | Key Certificate in the TBBR-Client spec. contains information to verify |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 206 | SCP_BL2, BL31, BL32 each of which have a separate CoT. (This |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 207 | responsibility has not been described in this document but should be |
| 208 | trivial to implement). |
| 209 | |
| 210 | #. Reusing memory meant for a data image to verify authentication images e.g. |
| 211 | in the CoT described in Diagram 2, each certificate can be loaded and |
| 212 | verified in the memory reserved by the platform for the BL31 image. By the |
| 213 | time BL31 (the data image) is loaded, all information to authenticate it |
| 214 | will have been extracted from the parent image i.e. BL31 content |
| 215 | certificate. It is assumed that the size of an authentication image will |
| 216 | never exceed the size of a data image. It should be possible to verify this |
| 217 | at build time using asserts. |
| 218 | |
| 219 | Cryptographic Module (CM) |
| 220 | ^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 221 | |
| 222 | The CM is responsible for providing an API to: |
| 223 | |
| 224 | #. Verify a digital signature. |
| 225 | #. Verify a hash. |
| 226 | |
| 227 | The CM does not include any cryptography related code, but it relies on an |
| 228 | external library to perform the cryptographic operations. A Crypto-Library (CL) |
| 229 | linking the CM and the external library must be implemented. The following |
| 230 | functions must be provided by the CL: |
| 231 | |
| 232 | .. code:: c |
| 233 | |
| 234 | void (*init)(void); |
| 235 | int (*verify_signature)(void *data_ptr, unsigned int data_len, |
| 236 | void *sig_ptr, unsigned int sig_len, |
| 237 | void *sig_alg, unsigned int sig_alg_len, |
| 238 | void *pk_ptr, unsigned int pk_len); |
Manish V Badarkhe | 149e8e0 | 2023-03-09 22:23:49 +0000 | [diff] [blame] | 239 | int (*calc_hash)(enum crypto_md_algo alg, void *data_ptr, |
| 240 | unsigned int data_len, |
| 241 | unsigned char output[CRYPTO_MD_MAX_SIZE]) |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 242 | int (*verify_hash)(void *data_ptr, unsigned int data_len, |
| 243 | void *digest_info_ptr, unsigned int digest_info_len); |
Yann Gautier | 2c108bb | 2023-01-24 09:23:10 +0100 | [diff] [blame] | 244 | int (*auth_decrypt)(enum crypto_dec_algo dec_algo, void *data_ptr, |
| 245 | size_t len, const void *key, unsigned int key_len, |
| 246 | unsigned int key_flags, const void *iv, |
| 247 | unsigned int iv_len, const void *tag, |
| 248 | unsigned int tag_len); |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 249 | |
| 250 | These functions are registered in the CM using the macro: |
| 251 | |
| 252 | .. code:: c |
| 253 | |
Manish V Badarkhe | 149e8e0 | 2023-03-09 22:23:49 +0000 | [diff] [blame] | 254 | REGISTER_CRYPTO_LIB(_name, |
| 255 | _init, |
| 256 | _verify_signature, |
Yann Gautier | 2c108bb | 2023-01-24 09:23:10 +0100 | [diff] [blame] | 257 | _verify_hash, |
zhiyang.shi | f5cd8f1 | 2023-11-29 14:07:15 +0800 | [diff] [blame] | 258 | _calc_hash, |
Yann Gautier | c68b8af | 2023-01-24 09:39:47 +0100 | [diff] [blame] | 259 | _auth_decrypt, |
| 260 | _convert_pk); |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 261 | |
| 262 | ``_name`` must be a string containing the name of the CL. This name is used for |
| 263 | debugging purposes. |
| 264 | |
Manish V Badarkhe | 149e8e0 | 2023-03-09 22:23:49 +0000 | [diff] [blame] | 265 | Crypto module provides a function ``_calc_hash`` to calculate and |
| 266 | return the hash of the given data using the provided hash algorithm. |
| 267 | This function is mainly used in the ``MEASURED_BOOT`` and ``DRTM_SUPPORT`` |
| 268 | features to calculate the hashes of various images/data. |
| 269 | |
Yann Gautier | c68b8af | 2023-01-24 09:39:47 +0100 | [diff] [blame] | 270 | Optionally, a platform function can be provided to convert public key |
| 271 | (_convert_pk). It is only used if the platform saves a hash of the ROTPK. |
| 272 | Most platforms save the hash of the ROTPK, but some may save slightly different |
| 273 | information - e.g the hash of the ROTPK plus some related information. |
| 274 | Defining this function allows to transform the ROTPK used to verify |
| 275 | the signature to the buffer (a platform specific public key) which |
| 276 | hash is saved in OTP. |
| 277 | |
| 278 | .. code:: c |
| 279 | |
| 280 | int (*convert_pk)(void *full_pk_ptr, unsigned int full_pk_len, |
| 281 | void **hashed_pk_ptr, unsigned int *hashed_pk_len); |
| 282 | |
| 283 | |
| 284 | - ``full_pk_ptr``: Pointer to Distinguished Encoding Rules (DER) ROTPK. |
| 285 | - ``full_pk_len``: DER ROTPK size. |
| 286 | - ``hashed_pk_ptr``: to return a pointer to a buffer, which hash should be the one saved in OTP. |
| 287 | - ``hashed_pk_len``: previous buffer size |
| 288 | |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 289 | Image Parser Module (IPM) |
| 290 | ^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 291 | |
| 292 | The IPM is responsible for: |
| 293 | |
| 294 | #. Checking the integrity of each image loaded by the IO framework. |
| 295 | #. Extracting parameters used for authenticating an image based upon a |
| 296 | description provided by the platform in the CoT descriptor. |
| 297 | |
| 298 | Images may have different formats (for example, authentication images could be |
| 299 | x509v3 certificates, signed ELF files or any other platform specific format). |
| 300 | The IPM allows to register an Image Parser Library (IPL) for every image format |
| 301 | used in the CoT. This library must implement the specific methods to parse the |
| 302 | image. The IPM obtains the image format from the CoT and calls the right IPL to |
| 303 | check the image integrity and extract the authentication parameters. |
| 304 | |
| 305 | See Section "Describing the image parsing methods" for more details about the |
| 306 | mechanism the IPM provides to define and register IPLs. |
| 307 | |
| 308 | Authentication methods |
| 309 | ~~~~~~~~~~~~~~~~~~~~~~ |
| 310 | |
| 311 | The AM supports the following authentication methods: |
| 312 | |
| 313 | #. Hash |
| 314 | #. Digital signature |
| 315 | |
| 316 | The platform may specify these methods in the CoT in case it decides to define |
| 317 | a custom CoT instead of reusing a predefined one. |
| 318 | |
| 319 | If a data image uses multiple methods, then all the methods must be a part of |
| 320 | the same CoT. The number and type of parameters are method specific. These |
| 321 | parameters should be obtained from the parent image using the IPM. |
| 322 | |
| 323 | #. Hash |
| 324 | |
| 325 | Parameters: |
| 326 | |
| 327 | #. A pointer to data to hash |
| 328 | #. Length of the data |
| 329 | #. A pointer to the hash |
| 330 | #. Length of the hash |
| 331 | |
| 332 | The hash will be represented by the DER encoding of the following ASN.1 |
| 333 | type: |
| 334 | |
| 335 | :: |
| 336 | |
| 337 | DigestInfo ::= SEQUENCE { |
| 338 | digestAlgorithm DigestAlgorithmIdentifier, |
| 339 | digest Digest |
| 340 | } |
| 341 | |
| 342 | This ASN.1 structure makes it possible to remove any assumption about the |
| 343 | type of hash algorithm used as this information accompanies the hash. This |
| 344 | should allow the Cryptography Library (CL) to support multiple hash |
| 345 | algorithm implementations. |
| 346 | |
| 347 | #. Digital Signature |
| 348 | |
| 349 | Parameters: |
| 350 | |
| 351 | #. A pointer to data to sign |
| 352 | #. Length of the data |
| 353 | #. Public Key Algorithm |
| 354 | #. Public Key value |
| 355 | #. Digital Signature Algorithm |
| 356 | #. Digital Signature value |
| 357 | |
| 358 | The Public Key parameters will be represented by the DER encoding of the |
| 359 | following ASN.1 type: |
| 360 | |
| 361 | :: |
| 362 | |
| 363 | SubjectPublicKeyInfo ::= SEQUENCE { |
| 364 | algorithm AlgorithmIdentifier{PUBLIC-KEY,{PublicKeyAlgorithms}}, |
| 365 | subjectPublicKey BIT STRING } |
| 366 | |
| 367 | The Digital Signature Algorithm will be represented by the DER encoding of |
| 368 | the following ASN.1 types. |
| 369 | |
| 370 | :: |
| 371 | |
| 372 | AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE { |
| 373 | algorithm ALGORITHM.&id({IOSet}), |
| 374 | parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL |
| 375 | } |
| 376 | |
| 377 | The digital signature will be represented by: |
| 378 | |
| 379 | :: |
| 380 | |
| 381 | signature ::= BIT STRING |
| 382 | |
| 383 | The authentication framework will use the image descriptor to extract all the |
| 384 | information related to authentication. |
| 385 | |
| 386 | Specifying a Chain of Trust |
| 387 | --------------------------- |
| 388 | |
| 389 | A CoT can be described as a set of image descriptors linked together in a |
| 390 | particular order. The order dictates the sequence in which they must be |
| 391 | verified. Each image has a set of properties which allow the AM to verify it. |
| 392 | These properties are described below. |
| 393 | |
| 394 | The PP is responsible for defining a single or multiple CoTs for a data image. |
| 395 | Unless otherwise specified, the data structures described in the following |
| 396 | sections are populated by the PP statically. |
| 397 | |
| 398 | Describing the image parsing methods |
| 399 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 400 | |
| 401 | The parsing method refers to the format of a particular image. For example, an |
| 402 | authentication image that represents a certificate could be in the X.509v3 |
| 403 | format. A data image that represents a boot loader stage could be in raw binary |
| 404 | or ELF format. The IPM supports three parsing methods. An image has to use one |
| 405 | of the three methods described below. An IPL is responsible for interpreting a |
| 406 | single parsing method. There has to be one IPL for every method used by the |
| 407 | platform. |
| 408 | |
| 409 | #. Raw format: This format is effectively a nop as an image using this method |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 410 | is treated as being in raw binary format e.g. boot loader images used by |
| 411 | TF-A. This method should only be used by data images. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 412 | |
| 413 | #. X509V3 method: This method uses industry standards like X.509 to represent |
| 414 | PKI certificates (authentication images). It is expected that open source |
| 415 | libraries will be available which can be used to parse an image represented |
| 416 | by this method. Such libraries can be used to write the corresponding IPL |
| 417 | e.g. the X.509 parsing library code in mbed TLS. |
| 418 | |
| 419 | #. Platform defined method: This method caters for platform specific |
| 420 | proprietary standards to represent authentication or data images. For |
| 421 | example, The signature of a data image could be appended to the data image |
| 422 | raw binary. A header could be prepended to the combined blob to specify the |
| 423 | extents of each component. The platform will have to implement the |
| 424 | corresponding IPL to interpret such a format. |
| 425 | |
| 426 | The following enum can be used to define these three methods. |
| 427 | |
| 428 | .. code:: c |
| 429 | |
| 430 | typedef enum img_type_enum { |
| 431 | IMG_RAW, /* Binary image */ |
| 432 | IMG_PLAT, /* Platform specific format */ |
| 433 | IMG_CERT, /* X509v3 certificate */ |
| 434 | IMG_MAX_TYPES, |
| 435 | } img_type_t; |
| 436 | |
| 437 | An IPL must provide functions with the following prototypes: |
| 438 | |
| 439 | .. code:: c |
| 440 | |
| 441 | void init(void); |
| 442 | int check_integrity(void *img, unsigned int img_len); |
| 443 | int get_auth_param(const auth_param_type_desc_t *type_desc, |
| 444 | void *img, unsigned int img_len, |
| 445 | void **param, unsigned int *param_len); |
| 446 | |
| 447 | An IPL for each type must be registered using the following macro: |
| 448 | |
Paul Beesley | 493e349 | 2019-03-13 15:11:04 +0000 | [diff] [blame] | 449 | .. code:: c |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 450 | |
| 451 | REGISTER_IMG_PARSER_LIB(_type, _name, _init, _check_int, _get_param) |
| 452 | |
| 453 | - ``_type``: one of the types described above. |
| 454 | - ``_name``: a string containing the IPL name for debugging purposes. |
| 455 | - ``_init``: initialization function pointer. |
| 456 | - ``_check_int``: check image integrity function pointer. |
Paul Beesley | 1fbc97b | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 457 | - ``_get_param``: extract authentication parameter function pointer. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 458 | |
| 459 | The ``init()`` function will be used to initialize the IPL. |
| 460 | |
| 461 | The ``check_integrity()`` function is passed a pointer to the memory where the |
| 462 | image has been loaded by the IO framework and the image length. It should ensure |
| 463 | that the image is in the format corresponding to the parsing method and has not |
| 464 | been tampered with. For example, RFC-2459 describes a validation sequence for an |
| 465 | X.509 certificate. |
| 466 | |
| 467 | The ``get_auth_param()`` function is passed a parameter descriptor containing |
| 468 | information about the parameter (``type_desc`` and ``cookie``) to identify and |
| 469 | extract the data corresponding to that parameter from an image. This data will |
| 470 | be used to verify either the current or the next image in the CoT sequence. |
| 471 | |
| 472 | Each image in the CoT will specify the parsing method it uses. This information |
| 473 | will be used by the IPM to find the right parser descriptor for the image. |
| 474 | |
| 475 | Describing the authentication method(s) |
| 476 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 477 | |
| 478 | As part of the CoT, each image has to specify one or more authentication methods |
| 479 | which will be used to verify it. As described in the Section "Authentication |
| 480 | methods", there are three methods supported by the AM. |
| 481 | |
| 482 | .. code:: c |
| 483 | |
| 484 | typedef enum { |
| 485 | AUTH_METHOD_NONE, |
| 486 | AUTH_METHOD_HASH, |
| 487 | AUTH_METHOD_SIG, |
| 488 | AUTH_METHOD_NUM |
| 489 | } auth_method_type_t; |
| 490 | |
| 491 | The AM defines the type of each parameter used by an authentication method. It |
| 492 | uses this information to: |
| 493 | |
| 494 | #. Specify to the ``get_auth_param()`` function exported by the IPM, which |
| 495 | parameter should be extracted from an image. |
| 496 | |
| 497 | #. Correctly marshall the parameters while calling the verification function |
| 498 | exported by the CM and PP. |
| 499 | |
| 500 | #. Extract authentication parameters from a parent image in order to verify a |
| 501 | child image e.g. to verify the certificate image, the public key has to be |
| 502 | obtained from the parent image. |
| 503 | |
| 504 | .. code:: c |
| 505 | |
| 506 | typedef enum { |
| 507 | AUTH_PARAM_NONE, |
| 508 | AUTH_PARAM_RAW_DATA, /* Raw image data */ |
| 509 | AUTH_PARAM_SIG, /* The image signature */ |
| 510 | AUTH_PARAM_SIG_ALG, /* The image signature algorithm */ |
| 511 | AUTH_PARAM_HASH, /* A hash (including the algorithm) */ |
| 512 | AUTH_PARAM_PUB_KEY, /* A public key */ |
| 513 | } auth_param_type_t; |
| 514 | |
| 515 | The AM defines the following structure to identify an authentication parameter |
| 516 | required to verify an image. |
| 517 | |
| 518 | .. code:: c |
| 519 | |
| 520 | typedef struct auth_param_type_desc_s { |
| 521 | auth_param_type_t type; |
| 522 | void *cookie; |
| 523 | } auth_param_type_desc_t; |
| 524 | |
| 525 | ``cookie`` is used by the platform to specify additional information to the IPM |
| 526 | which enables it to uniquely identify the parameter that should be extracted |
| 527 | from an image. For example, the hash of a BL3x image in its corresponding |
| 528 | content certificate is stored in an X509v3 custom extension field. An extension |
| 529 | field can only be identified using an OID. In this case, the ``cookie`` could |
| 530 | contain the pointer to the OID defined by the platform for the hash extension |
| 531 | field while the ``type`` field could be set to ``AUTH_PARAM_HASH``. A value of 0 for |
| 532 | the ``cookie`` field means that it is not used. |
| 533 | |
| 534 | For each method, the AM defines a structure with the parameters required to |
| 535 | verify the image. |
| 536 | |
| 537 | .. code:: c |
| 538 | |
| 539 | /* |
| 540 | * Parameters for authentication by hash matching |
| 541 | */ |
| 542 | typedef struct auth_method_param_hash_s { |
| 543 | auth_param_type_desc_t *data; /* Data to hash */ |
| 544 | auth_param_type_desc_t *hash; /* Hash to match with */ |
| 545 | } auth_method_param_hash_t; |
| 546 | |
| 547 | /* |
| 548 | * Parameters for authentication by signature |
| 549 | */ |
| 550 | typedef struct auth_method_param_sig_s { |
| 551 | auth_param_type_desc_t *pk; /* Public key */ |
| 552 | auth_param_type_desc_t *sig; /* Signature to check */ |
| 553 | auth_param_type_desc_t *alg; /* Signature algorithm */ |
| 554 | auth_param_type_desc_t *tbs; /* Data signed */ |
| 555 | } auth_method_param_sig_t; |
| 556 | |
| 557 | The AM defines the following structure to describe an authentication method for |
| 558 | verifying an image |
| 559 | |
| 560 | .. code:: c |
| 561 | |
| 562 | /* |
| 563 | * Authentication method descriptor |
| 564 | */ |
| 565 | typedef struct auth_method_desc_s { |
| 566 | auth_method_type_t type; |
| 567 | union { |
| 568 | auth_method_param_hash_t hash; |
| 569 | auth_method_param_sig_t sig; |
| 570 | } param; |
| 571 | } auth_method_desc_t; |
| 572 | |
| 573 | Using the method type specified in the ``type`` field, the AM finds out what field |
| 574 | needs to access within the ``param`` union. |
| 575 | |
| 576 | Storing Authentication parameters |
| 577 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 578 | |
| 579 | A parameter described by ``auth_param_type_desc_t`` to verify an image could be |
| 580 | obtained from either the image itself or its parent image. The memory allocated |
| 581 | for loading the parent image will be reused for loading the child image. Hence |
| 582 | parameters which are obtained from the parent for verifying a child image need |
| 583 | to have memory allocated for them separately where they can be stored. This |
| 584 | memory must be statically allocated by the platform port. |
| 585 | |
| 586 | The AM defines the following structure to store the data corresponding to an |
| 587 | authentication parameter. |
| 588 | |
| 589 | .. code:: c |
| 590 | |
| 591 | typedef struct auth_param_data_desc_s { |
| 592 | void *auth_param_ptr; |
| 593 | unsigned int auth_param_len; |
| 594 | } auth_param_data_desc_t; |
| 595 | |
| 596 | The ``auth_param_ptr`` field is initialized by the platform. The ``auth_param_len`` |
| 597 | field is used to specify the length of the data in the memory. |
| 598 | |
| 599 | For parameters that can be obtained from the child image itself, the IPM is |
| 600 | responsible for populating the ``auth_param_ptr`` and ``auth_param_len`` fields |
| 601 | while executing the ``img_get_auth_param()`` function. |
| 602 | |
| 603 | The AM defines the following structure to enable an image to describe the |
| 604 | parameters that should be extracted from it and used to verify the next image |
| 605 | (child) in a CoT. |
| 606 | |
| 607 | .. code:: c |
| 608 | |
| 609 | typedef struct auth_param_desc_s { |
| 610 | auth_param_type_desc_t type_desc; |
| 611 | auth_param_data_desc_t data; |
| 612 | } auth_param_desc_t; |
| 613 | |
| 614 | Describing an image in a CoT |
| 615 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 616 | |
| 617 | An image in a CoT is a consolidation of the following aspects of a CoT described |
| 618 | above. |
| 619 | |
| 620 | #. A unique identifier specified by the platform which allows the IO framework |
| 621 | to locate the image in a FIP and load it in the memory reserved for the data |
| 622 | image in the CoT. |
| 623 | |
| 624 | #. A parsing method which is used by the AM to find the appropriate IPM. |
| 625 | |
| 626 | #. Authentication methods and their parameters as described in the previous |
| 627 | section. These are used to verify the current image. |
| 628 | |
| 629 | #. Parameters which are used to verify the next image in the current CoT. These |
| 630 | parameters are specified only by authentication images and can be extracted |
| 631 | from the current image once it has been verified. |
| 632 | |
| 633 | The following data structure describes an image in a CoT. |
| 634 | |
| 635 | .. code:: c |
| 636 | |
| 637 | typedef struct auth_img_desc_s { |
| 638 | unsigned int img_id; |
| 639 | const struct auth_img_desc_s *parent; |
| 640 | img_type_t img_type; |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 641 | const auth_method_desc_t *const img_auth_methods; |
| 642 | const auth_param_desc_t *const authenticated_data; |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 643 | } auth_img_desc_t; |
| 644 | |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 645 | A CoT is defined as an array of pointers to ``auth_image_desc_t`` structures |
| 646 | linked together by the ``parent`` field. Those nodes with no parent must be |
| 647 | authenticated using the ROTPK stored in the platform. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 648 | |
| 649 | Implementation example |
| 650 | ---------------------- |
| 651 | |
| 652 | This section is a detailed guide explaining a trusted boot implementation using |
| 653 | the authentication framework. This example corresponds to the Applicative |
| 654 | Functional Mode (AFM) as specified in the TBBR-Client document. It is |
| 655 | recommended to read this guide along with the source code. |
| 656 | |
| 657 | The TBBR CoT |
| 658 | ~~~~~~~~~~~~ |
| 659 | |
Manish V Badarkhe | 043fd62 | 2020-05-16 16:36:39 +0100 | [diff] [blame] | 660 | CoT specific to BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_bl1.c`` |
| 661 | and ``drivers/auth/tbbr/tbbr_cot_bl2.c`` respectively. The common CoT used across |
| 662 | BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_common.c``. |
| 663 | This CoT consists of an array of pointers to image descriptors and it is |
| 664 | registered in the framework using the macro ``REGISTER_COT(cot_desc)``, where |
| 665 | ``cot_desc`` must be the name of the array (passing a pointer or any other |
| 666 | type of indirection will cause the registration process to fail). |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 667 | |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 668 | The number of images participating in the boot process depends on the CoT. |
| 669 | There is, however, a minimum set of images that are mandatory in TF-A and thus |
| 670 | all CoTs must present: |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 671 | |
| 672 | - ``BL2`` |
| 673 | - ``SCP_BL2`` (platform specific) |
| 674 | - ``BL31`` |
| 675 | - ``BL32`` (optional) |
| 676 | - ``BL33`` |
| 677 | |
| 678 | The TBBR specifies the additional certificates that must accompany these images |
| 679 | for a proper authentication. Details about the TBBR CoT may be found in the |
Paul Beesley | f864067 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 680 | :ref:`Trusted Board Boot` document. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 681 | |
Paul Beesley | f864067 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 682 | Following the :ref:`Porting Guide`, a platform must provide unique |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 683 | identifiers for all the images and certificates that will be loaded during the |
| 684 | boot process. If a platform is using the TBBR as a reference for trusted boot, |
| 685 | these identifiers can be obtained from ``include/common/tbbr/tbbr_img_def.h``. |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 686 | Arm platforms include this file in ``include/plat/arm/common/arm_def.h``. Other |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 687 | platforms may also include this file or provide their own identifiers. |
| 688 | |
| 689 | **Important**: the authentication module uses these identifiers to index the |
| 690 | CoT array, so the descriptors location in the array must match the identifiers. |
| 691 | |
| 692 | Each image descriptor must specify: |
| 693 | |
| 694 | - ``img_id``: the corresponding image unique identifier defined by the platform. |
| 695 | - ``img_type``: the image parser module uses the image type to call the proper |
| 696 | parsing library to check the image integrity and extract the required |
| 697 | authentication parameters. Three types of images are currently supported: |
| 698 | |
| 699 | - ``IMG_RAW``: image is a raw binary. No parsing functions are available, |
| 700 | other than reading the whole image. |
| 701 | - ``IMG_PLAT``: image format is platform specific. The platform may use this |
| 702 | type for custom images not directly supported by the authentication |
| 703 | framework. |
| 704 | - ``IMG_CERT``: image is an x509v3 certificate. |
| 705 | |
| 706 | - ``parent``: pointer to the parent image descriptor. The parent will contain |
| 707 | the information required to authenticate the current image. If the parent |
| 708 | is NULL, the authentication parameters will be obtained from the platform |
| 709 | (i.e. the BL2 and Trusted Key certificates are signed with the ROT private |
| 710 | key, whose public part is stored in the platform). |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 711 | - ``img_auth_methods``: this points to an array which defines the |
| 712 | authentication methods that must be checked to consider an image |
| 713 | authenticated. Each method consists of a type and a list of parameter |
| 714 | descriptors. A parameter descriptor consists of a type and a cookie which |
| 715 | will point to specific information required to extract that parameter from |
| 716 | the image (i.e. if the parameter is stored in an x509v3 extension, the |
| 717 | cookie will point to the extension OID). Depending on the method type, a |
| 718 | different number of parameters must be specified. This pointer should not be |
| 719 | NULL. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 720 | Supported methods are: |
| 721 | |
| 722 | - ``AUTH_METHOD_HASH``: the hash of the image must match the hash extracted |
| 723 | from the parent image. The following parameter descriptors must be |
| 724 | specified: |
| 725 | |
| 726 | - ``data``: data to be hashed (obtained from current image) |
| 727 | - ``hash``: reference hash (obtained from parent image) |
| 728 | |
| 729 | - ``AUTH_METHOD_SIG``: the image (usually a certificate) must be signed with |
| 730 | the private key whose public part is extracted from the parent image (or |
| 731 | the platform if the parent is NULL). The following parameter descriptors |
| 732 | must be specified: |
| 733 | |
| 734 | - ``pk``: the public key (obtained from parent image) |
| 735 | - ``sig``: the digital signature (obtained from current image) |
| 736 | - ``alg``: the signature algorithm used (obtained from current image) |
| 737 | - ``data``: the data to be signed (obtained from current image) |
| 738 | |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 739 | - ``authenticated_data``: this array pointer indicates what authentication |
| 740 | parameters must be extracted from an image once it has been authenticated. |
| 741 | Each parameter consists of a parameter descriptor and the buffer |
| 742 | address/size to store the parameter. The CoT is responsible for allocating |
| 743 | the required memory to store the parameters. This pointer may be NULL. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 744 | |
Manish V Badarkhe | 043fd62 | 2020-05-16 16:36:39 +0100 | [diff] [blame] | 745 | In the ``tbbr_cot*.c`` file, a set of buffers are allocated to store the parameters |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 746 | extracted from the certificates. In the case of the TBBR CoT, these parameters |
Justin Chadwell | 82b06b3 | 2019-07-29 17:18:21 +0100 | [diff] [blame] | 747 | are hashes and public keys. In DER format, an RSA-4096 public key requires 550 |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 748 | bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication |
| 749 | process, some of the buffers may be reused at different stages during the boot. |
| 750 | |
| 751 | Next in that file, the parameter descriptors are defined. These descriptors will |
| 752 | be used to extract the parameter data from the corresponding image. |
| 753 | |
| 754 | Example: the BL31 Chain of Trust |
| 755 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 756 | |
| 757 | Four image descriptors form the BL31 Chain of Trust: |
| 758 | |
Sandrine Bailleux | f5a9100 | 2019-02-08 10:50:28 +0100 | [diff] [blame] | 759 | .. code:: c |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 760 | |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 761 | static const auth_img_desc_t trusted_key_cert = { |
| 762 | .img_id = TRUSTED_KEY_CERT_ID, |
| 763 | .img_type = IMG_CERT, |
| 764 | .parent = NULL, |
| 765 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 766 | [0] = { |
| 767 | .type = AUTH_METHOD_SIG, |
| 768 | .param.sig = { |
| 769 | .pk = &subject_pk, |
| 770 | .sig = &sig, |
| 771 | .alg = &sig_alg, |
| 772 | .data = &raw_data |
| 773 | } |
| 774 | }, |
| 775 | [1] = { |
| 776 | .type = AUTH_METHOD_NV_CTR, |
| 777 | .param.nv_ctr = { |
| 778 | .cert_nv_ctr = &trusted_nv_ctr, |
| 779 | .plat_nv_ctr = &trusted_nv_ctr |
| 780 | } |
| 781 | } |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 782 | }, |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 783 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 784 | [0] = { |
| 785 | .type_desc = &trusted_world_pk, |
| 786 | .data = { |
| 787 | .ptr = (void *)trusted_world_pk_buf, |
| 788 | .len = (unsigned int)PK_DER_LEN |
| 789 | } |
| 790 | }, |
| 791 | [1] = { |
| 792 | .type_desc = &non_trusted_world_pk, |
| 793 | .data = { |
| 794 | .ptr = (void *)non_trusted_world_pk_buf, |
| 795 | .len = (unsigned int)PK_DER_LEN |
| 796 | } |
| 797 | } |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 798 | } |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 799 | }; |
| 800 | static const auth_img_desc_t soc_fw_key_cert = { |
| 801 | .img_id = SOC_FW_KEY_CERT_ID, |
| 802 | .img_type = IMG_CERT, |
| 803 | .parent = &trusted_key_cert, |
| 804 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 805 | [0] = { |
| 806 | .type = AUTH_METHOD_SIG, |
| 807 | .param.sig = { |
| 808 | .pk = &trusted_world_pk, |
| 809 | .sig = &sig, |
| 810 | .alg = &sig_alg, |
| 811 | .data = &raw_data |
| 812 | } |
| 813 | }, |
| 814 | [1] = { |
| 815 | .type = AUTH_METHOD_NV_CTR, |
| 816 | .param.nv_ctr = { |
| 817 | .cert_nv_ctr = &trusted_nv_ctr, |
| 818 | .plat_nv_ctr = &trusted_nv_ctr |
| 819 | } |
| 820 | } |
| 821 | }, |
| 822 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 823 | [0] = { |
| 824 | .type_desc = &soc_fw_content_pk, |
| 825 | .data = { |
| 826 | .ptr = (void *)content_pk_buf, |
| 827 | .len = (unsigned int)PK_DER_LEN |
| 828 | } |
| 829 | } |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 830 | } |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 831 | }; |
| 832 | static const auth_img_desc_t soc_fw_content_cert = { |
| 833 | .img_id = SOC_FW_CONTENT_CERT_ID, |
| 834 | .img_type = IMG_CERT, |
| 835 | .parent = &soc_fw_key_cert, |
| 836 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 837 | [0] = { |
| 838 | .type = AUTH_METHOD_SIG, |
| 839 | .param.sig = { |
| 840 | .pk = &soc_fw_content_pk, |
| 841 | .sig = &sig, |
| 842 | .alg = &sig_alg, |
| 843 | .data = &raw_data |
| 844 | } |
| 845 | }, |
| 846 | [1] = { |
| 847 | .type = AUTH_METHOD_NV_CTR, |
| 848 | .param.nv_ctr = { |
| 849 | .cert_nv_ctr = &trusted_nv_ctr, |
| 850 | .plat_nv_ctr = &trusted_nv_ctr |
| 851 | } |
| 852 | } |
| 853 | }, |
| 854 | .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { |
| 855 | [0] = { |
| 856 | .type_desc = &soc_fw_hash, |
| 857 | .data = { |
| 858 | .ptr = (void *)soc_fw_hash_buf, |
| 859 | .len = (unsigned int)HASH_DER_LEN |
| 860 | } |
| 861 | }, |
| 862 | [1] = { |
| 863 | .type_desc = &soc_fw_config_hash, |
| 864 | .data = { |
| 865 | .ptr = (void *)soc_fw_config_hash_buf, |
| 866 | .len = (unsigned int)HASH_DER_LEN |
| 867 | } |
| 868 | } |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 869 | } |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 870 | }; |
| 871 | static const auth_img_desc_t bl31_image = { |
| 872 | .img_id = BL31_IMAGE_ID, |
| 873 | .img_type = IMG_RAW, |
| 874 | .parent = &soc_fw_content_cert, |
| 875 | .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { |
| 876 | [0] = { |
| 877 | .type = AUTH_METHOD_HASH, |
| 878 | .param.hash = { |
| 879 | .data = &raw_data, |
| 880 | .hash = &soc_fw_hash |
| 881 | } |
| 882 | } |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 883 | } |
Joel Hutton | 1fdcc90 | 2019-02-22 16:40:16 +0000 | [diff] [blame] | 884 | }; |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 885 | |
| 886 | The **Trusted Key certificate** is signed with the ROT private key and contains |
| 887 | the Trusted World public key and the Non-Trusted World public key as x509v3 |
| 888 | extensions. This must be specified in the image descriptor using the |
| 889 | ``img_auth_methods`` and ``authenticated_data`` arrays, respectively. |
| 890 | |
| 891 | The Trusted Key certificate is authenticated by checking its digital signature |
| 892 | using the ROTPK. Four parameters are required to check a signature: the public |
| 893 | key, the algorithm, the signature and the data that has been signed. Therefore, |
| 894 | four parameter descriptors must be specified with the authentication method: |
| 895 | |
| 896 | - ``subject_pk``: parameter descriptor of type ``AUTH_PARAM_PUB_KEY``. This type |
| 897 | is used to extract a public key from the parent image. If the cookie is an |
| 898 | OID, the key is extracted from the corresponding x509v3 extension. If the |
| 899 | cookie is NULL, the subject public key is retrieved. In this case, because |
| 900 | the parent image is NULL, the public key is obtained from the platform |
| 901 | (this key will be the ROTPK). |
| 902 | - ``sig``: parameter descriptor of type ``AUTH_PARAM_SIG``. It is used to extract |
| 903 | the signature from the certificate. |
| 904 | - ``sig_alg``: parameter descriptor of type ``AUTH_PARAM_SIG``. It is used to |
| 905 | extract the signature algorithm from the certificate. |
| 906 | - ``raw_data``: parameter descriptor of type ``AUTH_PARAM_RAW_DATA``. It is used |
| 907 | to extract the data to be signed from the certificate. |
| 908 | |
| 909 | Once the signature has been checked and the certificate authenticated, the |
| 910 | Trusted World public key needs to be extracted from the certificate. A new entry |
| 911 | is created in the ``authenticated_data`` array for that purpose. In that entry, |
| 912 | the corresponding parameter descriptor must be specified along with the buffer |
Sandrine Bailleux | af0f960 | 2020-03-02 13:09:22 +0100 | [diff] [blame] | 913 | address to store the parameter value. In this case, the ``trusted_world_pk`` |
| 914 | descriptor is used to extract the public key from an x509v3 extension with OID |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 915 | ``TRUSTED_WORLD_PK_OID``. The BL31 key certificate will use this descriptor as |
| 916 | parameter in the signature authentication method. The key is stored in the |
Sandrine Bailleux | af0f960 | 2020-03-02 13:09:22 +0100 | [diff] [blame] | 917 | ``trusted_world_pk_buf`` buffer. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 918 | |
| 919 | The **BL31 Key certificate** is authenticated by checking its digital signature |
| 920 | using the Trusted World public key obtained previously from the Trusted Key |
| 921 | certificate. In the image descriptor, we specify a single authentication method |
Sandrine Bailleux | af0f960 | 2020-03-02 13:09:22 +0100 | [diff] [blame] | 922 | by signature whose public key is the ``trusted_world_pk``. Once this certificate |
| 923 | has been authenticated, we have to extract the BL31 public key, stored in the |
| 924 | extension specified by ``soc_fw_content_pk``. This key will be copied to the |
| 925 | ``content_pk_buf`` buffer. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 926 | |
| 927 | The **BL31 certificate** is authenticated by checking its digital signature |
| 928 | using the BL31 public key obtained previously from the BL31 Key certificate. |
Sandrine Bailleux | af0f960 | 2020-03-02 13:09:22 +0100 | [diff] [blame] | 929 | We specify the authentication method using ``soc_fw_content_pk`` as public key. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 930 | After authentication, we need to extract the BL31 hash, stored in the extension |
Sandrine Bailleux | af0f960 | 2020-03-02 13:09:22 +0100 | [diff] [blame] | 931 | specified by ``soc_fw_hash``. This hash will be copied to the |
| 932 | ``soc_fw_hash_buf`` buffer. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 933 | |
| 934 | The **BL31 image** is authenticated by calculating its hash and matching it |
| 935 | with the hash obtained from the BL31 certificate. The image descriptor contains |
| 936 | a single authentication method by hash. The parameters to the hash method are |
Sandrine Bailleux | af0f960 | 2020-03-02 13:09:22 +0100 | [diff] [blame] | 937 | the reference hash, ``soc_fw_hash``, and the data to be hashed. In this case, |
| 938 | it is the whole image, so we specify ``raw_data``. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 939 | |
| 940 | The image parser library |
| 941 | ~~~~~~~~~~~~~~~~~~~~~~~~ |
| 942 | |
| 943 | The image parser module relies on libraries to check the image integrity and |
| 944 | extract the authentication parameters. The number and type of parser libraries |
| 945 | depend on the images used in the CoT. Raw images do not need a library, so |
| 946 | only an x509v3 library is required for the TBBR CoT. |
| 947 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 948 | Arm platforms will use an x509v3 library based on mbed TLS. This library may be |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 949 | found in ``drivers/auth/mbedtls/mbedtls_x509_parser.c``. It exports three |
| 950 | functions: |
| 951 | |
| 952 | .. code:: c |
| 953 | |
| 954 | void init(void); |
| 955 | int check_integrity(void *img, unsigned int img_len); |
| 956 | int get_auth_param(const auth_param_type_desc_t *type_desc, |
| 957 | void *img, unsigned int img_len, |
| 958 | void **param, unsigned int *param_len); |
| 959 | |
| 960 | The library is registered in the framework using the macro |
| 961 | ``REGISTER_IMG_PARSER_LIB()``. Each time the image parser module needs to access |
| 962 | an image of type ``IMG_CERT``, it will call the corresponding function exported |
| 963 | in this file. |
| 964 | |
| 965 | The build system must be updated to include the corresponding library and |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 966 | mbed TLS sources. Arm platforms use the ``arm_common.mk`` file to pull the |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 967 | sources. |
| 968 | |
| 969 | The cryptographic library |
| 970 | ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 971 | |
| 972 | The cryptographic module relies on a library to perform the required operations, |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 973 | i.e. verify a hash or a digital signature. Arm platforms will use a library |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 974 | based on mbed TLS, which can be found in |
| 975 | ``drivers/auth/mbedtls/mbedtls_crypto.c``. This library is registered in the |
| 976 | authentication framework using the macro ``REGISTER_CRYPTO_LIB()`` and exports |
Manish V Badarkhe | 149e8e0 | 2023-03-09 22:23:49 +0000 | [diff] [blame] | 977 | below functions: |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 978 | |
| 979 | .. code:: c |
| 980 | |
| 981 | void init(void); |
| 982 | int verify_signature(void *data_ptr, unsigned int data_len, |
| 983 | void *sig_ptr, unsigned int sig_len, |
| 984 | void *sig_alg, unsigned int sig_alg_len, |
| 985 | void *pk_ptr, unsigned int pk_len); |
Manish V Badarkhe | 149e8e0 | 2023-03-09 22:23:49 +0000 | [diff] [blame] | 986 | int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr, |
| 987 | unsigned int data_len, |
| 988 | unsigned char output[CRYPTO_MD_MAX_SIZE]) |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 989 | int verify_hash(void *data_ptr, unsigned int data_len, |
| 990 | void *digest_info_ptr, unsigned int digest_info_len); |
Sumit Garg | c0c369c | 2019-11-15 18:47:53 +0530 | [diff] [blame] | 991 | int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, |
| 992 | size_t len, const void *key, unsigned int key_len, |
| 993 | unsigned int key_flags, const void *iv, |
| 994 | unsigned int iv_len, const void *tag, |
| 995 | unsigned int tag_len) |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 996 | |
Justin Chadwell | 82b06b3 | 2019-07-29 17:18:21 +0100 | [diff] [blame] | 997 | The mbedTLS library algorithm support is configured by both the |
| 998 | ``TF_MBEDTLS_KEY_ALG`` and ``TF_MBEDTLS_KEY_SIZE`` variables. |
| 999 | |
| 1000 | - ``TF_MBEDTLS_KEY_ALG`` can take in 3 values: `rsa`, `ecdsa` or `rsa+ecdsa`. |
| 1001 | This variable allows the Makefile to include the corresponding sources in |
| 1002 | the build for the various algorithms. Setting the variable to `rsa+ecdsa` |
| 1003 | enables support for both rsa and ecdsa algorithms in the mbedTLS library. |
| 1004 | |
| 1005 | - ``TF_MBEDTLS_KEY_SIZE`` sets the supported RSA key size for TFA. Valid values |
| 1006 | include 1024, 2048, 3072 and 4096. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1007 | |
Sumit Garg | c0c369c | 2019-11-15 18:47:53 +0530 | [diff] [blame] | 1008 | - ``TF_MBEDTLS_USE_AES_GCM`` enables the authenticated decryption support based |
| 1009 | on AES-GCM algorithm. Valid values are 0 and 1. |
| 1010 | |
Paul Beesley | ba3ed40 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 1011 | .. note:: |
| 1012 | If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can |
| 1013 | be defined in the platform Makefile. It will make mbed TLS use an |
| 1014 | implementation of SHA-256 with smaller memory footprint (~1.5 KB less) but |
| 1015 | slower (~30%). |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1016 | |
| 1017 | -------------- |
| 1018 | |
Manish V Badarkhe | 149e8e0 | 2023-03-09 22:23:49 +0000 | [diff] [blame] | 1019 | *Copyright (c) 2017-2023, Arm Limited and Contributors. All rights reserved.* |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1020 | |
Sandrine Bailleux | f238417 | 2024-02-02 11:16:12 +0100 | [diff] [blame] | 1021 | .. _TBBR-Client specification: https://developer.arm.com/docs/den0006/latest |