blob: 597f955ec084e87798cb5bcfa006ff703820fa5b [file] [log] [blame]
Paul Beesleyfc9ee362019-03-07 15:47:15 +00001Authentication Framework & Chain of Trust
2=========================================
Douglas Raillardd7c21b72017-06-28 15:23:03 +01003
Dan Handley610e7e12018-03-01 18:44:00 +00004The aim of this document is to describe the authentication framework
5implemented in Trusted Firmware-A (TF-A). This framework fulfills the
6following requirements:
Douglas Raillardd7c21b72017-06-28 15:23:03 +01007
8#. It should be possible for a platform port to specify the Chain of Trust in
9 terms of certificate hierarchy and the mechanisms used to verify a
10 particular image/certificate.
11
12#. The framework should distinguish between:
13
14 - The mechanism used to encode and transport information, e.g. DER encoded
15 X.509v3 certificates to ferry Subject Public Keys, hashes and non-volatile
16 counters.
17
18 - The mechanism used to verify the transported information i.e. the
19 cryptographic libraries.
20
21The framework has been designed following a modular approach illustrated in the
22next diagram:
23
24::
25
26 +---------------+---------------+------------+
27 | Trusted | Trusted | Trusted |
28 | Firmware | Firmware | Firmware |
29 | Generic | IO Framework | Platform |
30 | Code i.e. | (IO) | Port |
31 | BL1/BL2 (GEN) | | (PP) |
32 +---------------+---------------+------------+
33 ^ ^ ^
34 | | |
35 v v v
36 +-----------+ +-----------+ +-----------+
37 | | | | | Image |
38 | Crypto | | Auth | | Parser |
39 | Module |<->| Module |<->| Module |
40 | (CM) | | (AM) | | (IPM) |
41 | | | | | |
42 +-----------+ +-----------+ +-----------+
43 ^ ^
44 | |
45 v v
46 +----------------+ +-----------------+
47 | Cryptographic | | Image Parser |
48 | Libraries (CL) | | Libraries (IPL) |
49 +----------------+ +-----------------+
50 | |
51 | |
52 | |
53 v v
54 +-----------------+
55 | Misc. Libs e.g. |
56 | ASN.1 decoder |
57 | |
58 +-----------------+
59
60 DIAGRAM 1.
61
62This document describes the inner details of the authentication framework and
63the abstraction mechanisms available to specify a Chain of Trust.
64
65Framework design
66----------------
67
68This section describes some aspects of the framework design and the rationale
69behind them. These aspects are key to verify a Chain of Trust.
70
71Chain of Trust
72~~~~~~~~~~~~~~
73
74A CoT is basically a sequence of authentication images which usually starts with
75a root of trust and culminates in a single data image. The following diagram
76illustrates how this maps to a CoT for the BL31 image described in the
Sandrine Bailleux30918422019-04-24 10:41:24 +020077`TBBR-Client specification`_.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010078
79::
80
81 +------------------+ +-------------------+
82 | ROTPK/ROTPK Hash |------>| Trusted Key |
83 +------------------+ | Certificate |
84 | (Auth Image) |
85 /+-------------------+
86 / |
87 / |
88 / |
89 / |
90 L v
91 +------------------+ +-------------------+
92 | Trusted World |------>| BL31 Key |
93 | Public Key | | Certificate |
94 +------------------+ | (Auth Image) |
95 +-------------------+
96 / |
97 / |
98 / |
99 / |
100 / v
101 +------------------+ L +-------------------+
102 | BL31 Content |------>| BL31 Content |
103 | Certificate PK | | Certificate |
104 +------------------+ | (Auth Image) |
105 +-------------------+
106 / |
107 / |
108 / |
109 / |
110 / v
111 +------------------+ L +-------------------+
112 | BL31 Hash |------>| BL31 Image |
113 | | | (Data Image) |
114 +------------------+ | |
115 +-------------------+
116
117 DIAGRAM 2.
118
119The root of trust is usually a public key (ROTPK) that has been burnt in the
120platform and cannot be modified.
121
122Image types
123~~~~~~~~~~~
124
125Images in a CoT are categorised as authentication and data images. An
126authentication image contains information to authenticate a data image or
127another authentication image. A data image is usually a boot loader binary, but
128it could be any other data that requires authentication.
129
130Component responsibilities
131~~~~~~~~~~~~~~~~~~~~~~~~~~
132
133For every image in a Chain of Trust, the following high level operations are
134performed to verify it:
135
136#. Allocate memory for the image either statically or at runtime.
137
138#. Identify the image and load it in the allocated memory.
139
140#. Check the integrity of the image as per its type.
141
142#. Authenticate the image as per the cryptographic algorithms used.
143
144#. If the image is an authentication image, extract the information that will
145 be used to authenticate the next image in the CoT.
146
147In Diagram 1, each component is responsible for one or more of these operations.
148The responsibilities are briefly described below.
149
Dan Handley610e7e12018-03-01 18:44:00 +0000150TF-A Generic code and IO framework (GEN/IO)
151^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100152
153These components are responsible for initiating the authentication process for a
154particular image in BL1 or BL2. For each BL image that requires authentication,
155the Generic code asks recursively the Authentication module what is the parent
156image until either an authenticated image or the ROT is reached. Then the
Paul Beesley1fbc97b2019-01-11 18:26:51 +0000157Generic code calls the IO framework to load the image and calls the
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100158Authentication module to authenticate it, following the CoT from ROT to Image.
159
Dan Handley610e7e12018-03-01 18:44:00 +0000160TF-A Platform Port (PP)
161^^^^^^^^^^^^^^^^^^^^^^^
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100162
163The platform is responsible for:
164
165#. Specifying the CoT for each image that needs to be authenticated. Details of
166 how a CoT can be specified by the platform are explained later. The platform
167 also specifies the authentication methods and the parsing method used for
168 each image.
169
170#. Statically allocating memory for each parameter in each image which is
171 used for verifying the CoT, e.g. memory for public keys, hashes etc.
172
173#. Providing the ROTPK or a hash of it.
174
175#. Providing additional information to the IPM to enable it to identify and
176 extract authentication parameters contained in an image, e.g. if the
177 parameters are stored as X509v3 extensions, the corresponding OID must be
178 provided.
179
180#. Fulfill any other memory requirements of the IPM and the CM (not currently
181 described in this document).
182
183#. Export functions to verify an image which uses an authentication method that
184 cannot be interpreted by the CM, e.g. if an image has to be verified using a
185 NV counter, then the value of the counter to compare with can only be
186 provided by the platform.
187
188#. Export a custom IPM if a proprietary image format is being used (described
189 later).
190
191Authentication Module (AM)
192^^^^^^^^^^^^^^^^^^^^^^^^^^
193
194It is responsible for:
195
196#. Providing the necessary abstraction mechanisms to describe a CoT. Amongst
197 other things, the authentication and image parsing methods must be specified
198 by the PP in the CoT.
199
200#. Verifying the CoT passed by GEN by utilising functionality exported by the
201 PP, IPM and CM.
202
203#. Tracking which images have been verified. In case an image is a part of
204 multiple CoTs then it should be verified only once e.g. the Trusted World
205 Key Certificate in the TBBR-Client spec. contains information to verify
Sandrine Bailleux15530dd2019-02-08 15:26:36 +0100206 SCP_BL2, BL31, BL32 each of which have a separate CoT. (This
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100207 responsibility has not been described in this document but should be
208 trivial to implement).
209
210#. Reusing memory meant for a data image to verify authentication images e.g.
211 in the CoT described in Diagram 2, each certificate can be loaded and
212 verified in the memory reserved by the platform for the BL31 image. By the
213 time BL31 (the data image) is loaded, all information to authenticate it
214 will have been extracted from the parent image i.e. BL31 content
215 certificate. It is assumed that the size of an authentication image will
216 never exceed the size of a data image. It should be possible to verify this
217 at build time using asserts.
218
219Cryptographic Module (CM)
220^^^^^^^^^^^^^^^^^^^^^^^^^
221
222The CM is responsible for providing an API to:
223
224#. Verify a digital signature.
225#. Verify a hash.
226
227The CM does not include any cryptography related code, but it relies on an
228external library to perform the cryptographic operations. A Crypto-Library (CL)
229linking the CM and the external library must be implemented. The following
230functions must be provided by the CL:
231
232.. code:: c
233
234 void (*init)(void);
235 int (*verify_signature)(void *data_ptr, unsigned int data_len,
236 void *sig_ptr, unsigned int sig_len,
237 void *sig_alg, unsigned int sig_alg_len,
238 void *pk_ptr, unsigned int pk_len);
Manish V Badarkhe149e8e02023-03-09 22:23:49 +0000239 int (*calc_hash)(enum crypto_md_algo alg, void *data_ptr,
240 unsigned int data_len,
241 unsigned char output[CRYPTO_MD_MAX_SIZE])
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100242 int (*verify_hash)(void *data_ptr, unsigned int data_len,
243 void *digest_info_ptr, unsigned int digest_info_len);
Yann Gautier2c108bb2023-01-24 09:23:10 +0100244 int (*auth_decrypt)(enum crypto_dec_algo dec_algo, void *data_ptr,
245 size_t len, const void *key, unsigned int key_len,
246 unsigned int key_flags, const void *iv,
247 unsigned int iv_len, const void *tag,
248 unsigned int tag_len);
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100249
250These functions are registered in the CM using the macro:
251
252.. code:: c
253
Manish V Badarkhe149e8e02023-03-09 22:23:49 +0000254 REGISTER_CRYPTO_LIB(_name,
255 _init,
256 _verify_signature,
257 _calc_hash,
Yann Gautier2c108bb2023-01-24 09:23:10 +0100258 _verify_hash,
Yann Gautierc68b8af2023-01-24 09:39:47 +0100259 _auth_decrypt,
260 _convert_pk);
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100261
262``_name`` must be a string containing the name of the CL. This name is used for
263debugging purposes.
264
Manish V Badarkhe149e8e02023-03-09 22:23:49 +0000265Crypto module provides a function ``_calc_hash`` to calculate and
266return the hash of the given data using the provided hash algorithm.
267This function is mainly used in the ``MEASURED_BOOT`` and ``DRTM_SUPPORT``
268features to calculate the hashes of various images/data.
269
Yann Gautierc68b8af2023-01-24 09:39:47 +0100270Optionally, a platform function can be provided to convert public key
271(_convert_pk). It is only used if the platform saves a hash of the ROTPK.
272Most platforms save the hash of the ROTPK, but some may save slightly different
273information - e.g the hash of the ROTPK plus some related information.
274Defining this function allows to transform the ROTPK used to verify
275the signature to the buffer (a platform specific public key) which
276hash is saved in OTP.
277
278.. code:: c
279
280 int (*convert_pk)(void *full_pk_ptr, unsigned int full_pk_len,
281 void **hashed_pk_ptr, unsigned int *hashed_pk_len);
282
283
284- ``full_pk_ptr``: Pointer to Distinguished Encoding Rules (DER) ROTPK.
285- ``full_pk_len``: DER ROTPK size.
286- ``hashed_pk_ptr``: to return a pointer to a buffer, which hash should be the one saved in OTP.
287- ``hashed_pk_len``: previous buffer size
288
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100289Image Parser Module (IPM)
290^^^^^^^^^^^^^^^^^^^^^^^^^
291
292The IPM is responsible for:
293
294#. Checking the integrity of each image loaded by the IO framework.
295#. Extracting parameters used for authenticating an image based upon a
296 description provided by the platform in the CoT descriptor.
297
298Images may have different formats (for example, authentication images could be
299x509v3 certificates, signed ELF files or any other platform specific format).
300The IPM allows to register an Image Parser Library (IPL) for every image format
301used in the CoT. This library must implement the specific methods to parse the
302image. The IPM obtains the image format from the CoT and calls the right IPL to
303check the image integrity and extract the authentication parameters.
304
305See Section "Describing the image parsing methods" for more details about the
306mechanism the IPM provides to define and register IPLs.
307
308Authentication methods
309~~~~~~~~~~~~~~~~~~~~~~
310
311The AM supports the following authentication methods:
312
313#. Hash
314#. Digital signature
315
316The platform may specify these methods in the CoT in case it decides to define
317a custom CoT instead of reusing a predefined one.
318
319If a data image uses multiple methods, then all the methods must be a part of
320the same CoT. The number and type of parameters are method specific. These
321parameters should be obtained from the parent image using the IPM.
322
323#. Hash
324
325 Parameters:
326
327 #. A pointer to data to hash
328 #. Length of the data
329 #. A pointer to the hash
330 #. Length of the hash
331
332 The hash will be represented by the DER encoding of the following ASN.1
333 type:
334
335 ::
336
337 DigestInfo ::= SEQUENCE {
338 digestAlgorithm DigestAlgorithmIdentifier,
339 digest Digest
340 }
341
342 This ASN.1 structure makes it possible to remove any assumption about the
343 type of hash algorithm used as this information accompanies the hash. This
344 should allow the Cryptography Library (CL) to support multiple hash
345 algorithm implementations.
346
347#. Digital Signature
348
349 Parameters:
350
351 #. A pointer to data to sign
352 #. Length of the data
353 #. Public Key Algorithm
354 #. Public Key value
355 #. Digital Signature Algorithm
356 #. Digital Signature value
357
358 The Public Key parameters will be represented by the DER encoding of the
359 following ASN.1 type:
360
361 ::
362
363 SubjectPublicKeyInfo ::= SEQUENCE {
364 algorithm AlgorithmIdentifier{PUBLIC-KEY,{PublicKeyAlgorithms}},
365 subjectPublicKey BIT STRING }
366
367 The Digital Signature Algorithm will be represented by the DER encoding of
368 the following ASN.1 types.
369
370 ::
371
372 AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
373 algorithm ALGORITHM.&id({IOSet}),
374 parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
375 }
376
377 The digital signature will be represented by:
378
379 ::
380
381 signature ::= BIT STRING
382
383The authentication framework will use the image descriptor to extract all the
384information related to authentication.
385
386Specifying a Chain of Trust
387---------------------------
388
389A CoT can be described as a set of image descriptors linked together in a
390particular order. The order dictates the sequence in which they must be
391verified. Each image has a set of properties which allow the AM to verify it.
392These properties are described below.
393
394The PP is responsible for defining a single or multiple CoTs for a data image.
395Unless otherwise specified, the data structures described in the following
396sections are populated by the PP statically.
397
398Describing the image parsing methods
399~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
400
401The parsing method refers to the format of a particular image. For example, an
402authentication image that represents a certificate could be in the X.509v3
403format. A data image that represents a boot loader stage could be in raw binary
404or ELF format. The IPM supports three parsing methods. An image has to use one
405of the three methods described below. An IPL is responsible for interpreting a
406single parsing method. There has to be one IPL for every method used by the
407platform.
408
409#. Raw format: This format is effectively a nop as an image using this method
Dan Handley610e7e12018-03-01 18:44:00 +0000410 is treated as being in raw binary format e.g. boot loader images used by
411 TF-A. This method should only be used by data images.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100412
413#. X509V3 method: This method uses industry standards like X.509 to represent
414 PKI certificates (authentication images). It is expected that open source
415 libraries will be available which can be used to parse an image represented
416 by this method. Such libraries can be used to write the corresponding IPL
417 e.g. the X.509 parsing library code in mbed TLS.
418
419#. Platform defined method: This method caters for platform specific
420 proprietary standards to represent authentication or data images. For
421 example, The signature of a data image could be appended to the data image
422 raw binary. A header could be prepended to the combined blob to specify the
423 extents of each component. The platform will have to implement the
424 corresponding IPL to interpret such a format.
425
426The following enum can be used to define these three methods.
427
428.. code:: c
429
430 typedef enum img_type_enum {
431 IMG_RAW, /* Binary image */
432 IMG_PLAT, /* Platform specific format */
433 IMG_CERT, /* X509v3 certificate */
434 IMG_MAX_TYPES,
435 } img_type_t;
436
437An IPL must provide functions with the following prototypes:
438
439.. code:: c
440
441 void init(void);
442 int check_integrity(void *img, unsigned int img_len);
443 int get_auth_param(const auth_param_type_desc_t *type_desc,
444 void *img, unsigned int img_len,
445 void **param, unsigned int *param_len);
446
447An IPL for each type must be registered using the following macro:
448
Paul Beesley493e3492019-03-13 15:11:04 +0000449.. code:: c
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100450
451 REGISTER_IMG_PARSER_LIB(_type, _name, _init, _check_int, _get_param)
452
453- ``_type``: one of the types described above.
454- ``_name``: a string containing the IPL name for debugging purposes.
455- ``_init``: initialization function pointer.
456- ``_check_int``: check image integrity function pointer.
Paul Beesley1fbc97b2019-01-11 18:26:51 +0000457- ``_get_param``: extract authentication parameter function pointer.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100458
459The ``init()`` function will be used to initialize the IPL.
460
461The ``check_integrity()`` function is passed a pointer to the memory where the
462image has been loaded by the IO framework and the image length. It should ensure
463that the image is in the format corresponding to the parsing method and has not
464been tampered with. For example, RFC-2459 describes a validation sequence for an
465X.509 certificate.
466
467The ``get_auth_param()`` function is passed a parameter descriptor containing
468information about the parameter (``type_desc`` and ``cookie``) to identify and
469extract the data corresponding to that parameter from an image. This data will
470be used to verify either the current or the next image in the CoT sequence.
471
472Each image in the CoT will specify the parsing method it uses. This information
473will be used by the IPM to find the right parser descriptor for the image.
474
475Describing the authentication method(s)
476~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
477
478As part of the CoT, each image has to specify one or more authentication methods
479which will be used to verify it. As described in the Section "Authentication
480methods", there are three methods supported by the AM.
481
482.. code:: c
483
484 typedef enum {
485 AUTH_METHOD_NONE,
486 AUTH_METHOD_HASH,
487 AUTH_METHOD_SIG,
488 AUTH_METHOD_NUM
489 } auth_method_type_t;
490
491The AM defines the type of each parameter used by an authentication method. It
492uses this information to:
493
494#. Specify to the ``get_auth_param()`` function exported by the IPM, which
495 parameter should be extracted from an image.
496
497#. Correctly marshall the parameters while calling the verification function
498 exported by the CM and PP.
499
500#. Extract authentication parameters from a parent image in order to verify a
501 child image e.g. to verify the certificate image, the public key has to be
502 obtained from the parent image.
503
504.. code:: c
505
506 typedef enum {
507 AUTH_PARAM_NONE,
508 AUTH_PARAM_RAW_DATA, /* Raw image data */
509 AUTH_PARAM_SIG, /* The image signature */
510 AUTH_PARAM_SIG_ALG, /* The image signature algorithm */
511 AUTH_PARAM_HASH, /* A hash (including the algorithm) */
512 AUTH_PARAM_PUB_KEY, /* A public key */
513 } auth_param_type_t;
514
515The AM defines the following structure to identify an authentication parameter
516required to verify an image.
517
518.. code:: c
519
520 typedef struct auth_param_type_desc_s {
521 auth_param_type_t type;
522 void *cookie;
523 } auth_param_type_desc_t;
524
525``cookie`` is used by the platform to specify additional information to the IPM
526which enables it to uniquely identify the parameter that should be extracted
527from an image. For example, the hash of a BL3x image in its corresponding
528content certificate is stored in an X509v3 custom extension field. An extension
529field can only be identified using an OID. In this case, the ``cookie`` could
530contain the pointer to the OID defined by the platform for the hash extension
531field while the ``type`` field could be set to ``AUTH_PARAM_HASH``. A value of 0 for
532the ``cookie`` field means that it is not used.
533
534For each method, the AM defines a structure with the parameters required to
535verify the image.
536
537.. code:: c
538
539 /*
540 * Parameters for authentication by hash matching
541 */
542 typedef struct auth_method_param_hash_s {
543 auth_param_type_desc_t *data; /* Data to hash */
544 auth_param_type_desc_t *hash; /* Hash to match with */
545 } auth_method_param_hash_t;
546
547 /*
548 * Parameters for authentication by signature
549 */
550 typedef struct auth_method_param_sig_s {
551 auth_param_type_desc_t *pk; /* Public key */
552 auth_param_type_desc_t *sig; /* Signature to check */
553 auth_param_type_desc_t *alg; /* Signature algorithm */
554 auth_param_type_desc_t *tbs; /* Data signed */
555 } auth_method_param_sig_t;
556
557The AM defines the following structure to describe an authentication method for
558verifying an image
559
560.. code:: c
561
562 /*
563 * Authentication method descriptor
564 */
565 typedef struct auth_method_desc_s {
566 auth_method_type_t type;
567 union {
568 auth_method_param_hash_t hash;
569 auth_method_param_sig_t sig;
570 } param;
571 } auth_method_desc_t;
572
573Using the method type specified in the ``type`` field, the AM finds out what field
574needs to access within the ``param`` union.
575
576Storing Authentication parameters
577~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
578
579A parameter described by ``auth_param_type_desc_t`` to verify an image could be
580obtained from either the image itself or its parent image. The memory allocated
581for loading the parent image will be reused for loading the child image. Hence
582parameters which are obtained from the parent for verifying a child image need
583to have memory allocated for them separately where they can be stored. This
584memory must be statically allocated by the platform port.
585
586The AM defines the following structure to store the data corresponding to an
587authentication parameter.
588
589.. code:: c
590
591 typedef struct auth_param_data_desc_s {
592 void *auth_param_ptr;
593 unsigned int auth_param_len;
594 } auth_param_data_desc_t;
595
596The ``auth_param_ptr`` field is initialized by the platform. The ``auth_param_len``
597field is used to specify the length of the data in the memory.
598
599For parameters that can be obtained from the child image itself, the IPM is
600responsible for populating the ``auth_param_ptr`` and ``auth_param_len`` fields
601while executing the ``img_get_auth_param()`` function.
602
603The AM defines the following structure to enable an image to describe the
604parameters that should be extracted from it and used to verify the next image
605(child) in a CoT.
606
607.. code:: c
608
609 typedef struct auth_param_desc_s {
610 auth_param_type_desc_t type_desc;
611 auth_param_data_desc_t data;
612 } auth_param_desc_t;
613
614Describing an image in a CoT
615~~~~~~~~~~~~~~~~~~~~~~~~~~~~
616
617An image in a CoT is a consolidation of the following aspects of a CoT described
618above.
619
620#. A unique identifier specified by the platform which allows the IO framework
621 to locate the image in a FIP and load it in the memory reserved for the data
622 image in the CoT.
623
624#. A parsing method which is used by the AM to find the appropriate IPM.
625
626#. Authentication methods and their parameters as described in the previous
627 section. These are used to verify the current image.
628
629#. Parameters which are used to verify the next image in the current CoT. These
630 parameters are specified only by authentication images and can be extracted
631 from the current image once it has been verified.
632
633The following data structure describes an image in a CoT.
634
635.. code:: c
636
637 typedef struct auth_img_desc_s {
638 unsigned int img_id;
639 const struct auth_img_desc_s *parent;
640 img_type_t img_type;
Joel Hutton1fdcc902019-02-22 16:40:16 +0000641 const auth_method_desc_t *const img_auth_methods;
642 const auth_param_desc_t *const authenticated_data;
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100643 } auth_img_desc_t;
644
Joel Hutton1fdcc902019-02-22 16:40:16 +0000645A CoT is defined as an array of pointers to ``auth_image_desc_t`` structures
646linked together by the ``parent`` field. Those nodes with no parent must be
647authenticated using the ROTPK stored in the platform.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100648
649Implementation example
650----------------------
651
652This section is a detailed guide explaining a trusted boot implementation using
653the authentication framework. This example corresponds to the Applicative
654Functional Mode (AFM) as specified in the TBBR-Client document. It is
655recommended to read this guide along with the source code.
656
657The TBBR CoT
658~~~~~~~~~~~~
659
Manish V Badarkhe043fd622020-05-16 16:36:39 +0100660CoT specific to BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_bl1.c``
661and ``drivers/auth/tbbr/tbbr_cot_bl2.c`` respectively. The common CoT used across
662BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_common.c``.
663This CoT consists of an array of pointers to image descriptors and it is
664registered in the framework using the macro ``REGISTER_COT(cot_desc)``, where
665``cot_desc`` must be the name of the array (passing a pointer or any other
666type of indirection will cause the registration process to fail).
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100667
Joel Hutton1fdcc902019-02-22 16:40:16 +0000668The number of images participating in the boot process depends on the CoT.
669There is, however, a minimum set of images that are mandatory in TF-A and thus
670all CoTs must present:
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100671
672- ``BL2``
673- ``SCP_BL2`` (platform specific)
674- ``BL31``
675- ``BL32`` (optional)
676- ``BL33``
677
678The TBBR specifies the additional certificates that must accompany these images
679for a proper authentication. Details about the TBBR CoT may be found in the
Paul Beesleyf8640672019-04-12 14:19:42 +0100680:ref:`Trusted Board Boot` document.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100681
Paul Beesleyf8640672019-04-12 14:19:42 +0100682Following the :ref:`Porting Guide`, a platform must provide unique
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100683identifiers for all the images and certificates that will be loaded during the
684boot process. If a platform is using the TBBR as a reference for trusted boot,
685these identifiers can be obtained from ``include/common/tbbr/tbbr_img_def.h``.
Dan Handley610e7e12018-03-01 18:44:00 +0000686Arm platforms include this file in ``include/plat/arm/common/arm_def.h``. Other
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100687platforms may also include this file or provide their own identifiers.
688
689**Important**: the authentication module uses these identifiers to index the
690CoT array, so the descriptors location in the array must match the identifiers.
691
692Each image descriptor must specify:
693
694- ``img_id``: the corresponding image unique identifier defined by the platform.
695- ``img_type``: the image parser module uses the image type to call the proper
696 parsing library to check the image integrity and extract the required
697 authentication parameters. Three types of images are currently supported:
698
699 - ``IMG_RAW``: image is a raw binary. No parsing functions are available,
700 other than reading the whole image.
701 - ``IMG_PLAT``: image format is platform specific. The platform may use this
702 type for custom images not directly supported by the authentication
703 framework.
704 - ``IMG_CERT``: image is an x509v3 certificate.
705
706- ``parent``: pointer to the parent image descriptor. The parent will contain
707 the information required to authenticate the current image. If the parent
708 is NULL, the authentication parameters will be obtained from the platform
709 (i.e. the BL2 and Trusted Key certificates are signed with the ROT private
710 key, whose public part is stored in the platform).
Joel Hutton1fdcc902019-02-22 16:40:16 +0000711- ``img_auth_methods``: this points to an array which defines the
712 authentication methods that must be checked to consider an image
713 authenticated. Each method consists of a type and a list of parameter
714 descriptors. A parameter descriptor consists of a type and a cookie which
715 will point to specific information required to extract that parameter from
716 the image (i.e. if the parameter is stored in an x509v3 extension, the
717 cookie will point to the extension OID). Depending on the method type, a
718 different number of parameters must be specified. This pointer should not be
719 NULL.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100720 Supported methods are:
721
722 - ``AUTH_METHOD_HASH``: the hash of the image must match the hash extracted
723 from the parent image. The following parameter descriptors must be
724 specified:
725
726 - ``data``: data to be hashed (obtained from current image)
727 - ``hash``: reference hash (obtained from parent image)
728
729 - ``AUTH_METHOD_SIG``: the image (usually a certificate) must be signed with
730 the private key whose public part is extracted from the parent image (or
731 the platform if the parent is NULL). The following parameter descriptors
732 must be specified:
733
734 - ``pk``: the public key (obtained from parent image)
735 - ``sig``: the digital signature (obtained from current image)
736 - ``alg``: the signature algorithm used (obtained from current image)
737 - ``data``: the data to be signed (obtained from current image)
738
Joel Hutton1fdcc902019-02-22 16:40:16 +0000739- ``authenticated_data``: this array pointer indicates what authentication
740 parameters must be extracted from an image once it has been authenticated.
741 Each parameter consists of a parameter descriptor and the buffer
742 address/size to store the parameter. The CoT is responsible for allocating
743 the required memory to store the parameters. This pointer may be NULL.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100744
Manish V Badarkhe043fd622020-05-16 16:36:39 +0100745In the ``tbbr_cot*.c`` file, a set of buffers are allocated to store the parameters
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100746extracted from the certificates. In the case of the TBBR CoT, these parameters
Justin Chadwell82b06b32019-07-29 17:18:21 +0100747are hashes and public keys. In DER format, an RSA-4096 public key requires 550
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100748bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication
749process, some of the buffers may be reused at different stages during the boot.
750
751Next in that file, the parameter descriptors are defined. These descriptors will
752be used to extract the parameter data from the corresponding image.
753
754Example: the BL31 Chain of Trust
755^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
756
757Four image descriptors form the BL31 Chain of Trust:
758
Sandrine Bailleuxf5a91002019-02-08 10:50:28 +0100759.. code:: c
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100760
Joel Hutton1fdcc902019-02-22 16:40:16 +0000761 static const auth_img_desc_t trusted_key_cert = {
762 .img_id = TRUSTED_KEY_CERT_ID,
763 .img_type = IMG_CERT,
764 .parent = NULL,
765 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
766 [0] = {
767 .type = AUTH_METHOD_SIG,
768 .param.sig = {
769 .pk = &subject_pk,
770 .sig = &sig,
771 .alg = &sig_alg,
772 .data = &raw_data
773 }
774 },
775 [1] = {
776 .type = AUTH_METHOD_NV_CTR,
777 .param.nv_ctr = {
778 .cert_nv_ctr = &trusted_nv_ctr,
779 .plat_nv_ctr = &trusted_nv_ctr
780 }
781 }
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100782 },
Joel Hutton1fdcc902019-02-22 16:40:16 +0000783 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
784 [0] = {
785 .type_desc = &trusted_world_pk,
786 .data = {
787 .ptr = (void *)trusted_world_pk_buf,
788 .len = (unsigned int)PK_DER_LEN
789 }
790 },
791 [1] = {
792 .type_desc = &non_trusted_world_pk,
793 .data = {
794 .ptr = (void *)non_trusted_world_pk_buf,
795 .len = (unsigned int)PK_DER_LEN
796 }
797 }
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100798 }
Joel Hutton1fdcc902019-02-22 16:40:16 +0000799 };
800 static const auth_img_desc_t soc_fw_key_cert = {
801 .img_id = SOC_FW_KEY_CERT_ID,
802 .img_type = IMG_CERT,
803 .parent = &trusted_key_cert,
804 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
805 [0] = {
806 .type = AUTH_METHOD_SIG,
807 .param.sig = {
808 .pk = &trusted_world_pk,
809 .sig = &sig,
810 .alg = &sig_alg,
811 .data = &raw_data
812 }
813 },
814 [1] = {
815 .type = AUTH_METHOD_NV_CTR,
816 .param.nv_ctr = {
817 .cert_nv_ctr = &trusted_nv_ctr,
818 .plat_nv_ctr = &trusted_nv_ctr
819 }
820 }
821 },
822 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
823 [0] = {
824 .type_desc = &soc_fw_content_pk,
825 .data = {
826 .ptr = (void *)content_pk_buf,
827 .len = (unsigned int)PK_DER_LEN
828 }
829 }
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100830 }
Joel Hutton1fdcc902019-02-22 16:40:16 +0000831 };
832 static const auth_img_desc_t soc_fw_content_cert = {
833 .img_id = SOC_FW_CONTENT_CERT_ID,
834 .img_type = IMG_CERT,
835 .parent = &soc_fw_key_cert,
836 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
837 [0] = {
838 .type = AUTH_METHOD_SIG,
839 .param.sig = {
840 .pk = &soc_fw_content_pk,
841 .sig = &sig,
842 .alg = &sig_alg,
843 .data = &raw_data
844 }
845 },
846 [1] = {
847 .type = AUTH_METHOD_NV_CTR,
848 .param.nv_ctr = {
849 .cert_nv_ctr = &trusted_nv_ctr,
850 .plat_nv_ctr = &trusted_nv_ctr
851 }
852 }
853 },
854 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
855 [0] = {
856 .type_desc = &soc_fw_hash,
857 .data = {
858 .ptr = (void *)soc_fw_hash_buf,
859 .len = (unsigned int)HASH_DER_LEN
860 }
861 },
862 [1] = {
863 .type_desc = &soc_fw_config_hash,
864 .data = {
865 .ptr = (void *)soc_fw_config_hash_buf,
866 .len = (unsigned int)HASH_DER_LEN
867 }
868 }
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100869 }
Joel Hutton1fdcc902019-02-22 16:40:16 +0000870 };
871 static const auth_img_desc_t bl31_image = {
872 .img_id = BL31_IMAGE_ID,
873 .img_type = IMG_RAW,
874 .parent = &soc_fw_content_cert,
875 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
876 [0] = {
877 .type = AUTH_METHOD_HASH,
878 .param.hash = {
879 .data = &raw_data,
880 .hash = &soc_fw_hash
881 }
882 }
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100883 }
Joel Hutton1fdcc902019-02-22 16:40:16 +0000884 };
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100885
886The **Trusted Key certificate** is signed with the ROT private key and contains
887the Trusted World public key and the Non-Trusted World public key as x509v3
888extensions. This must be specified in the image descriptor using the
889``img_auth_methods`` and ``authenticated_data`` arrays, respectively.
890
891The Trusted Key certificate is authenticated by checking its digital signature
892using the ROTPK. Four parameters are required to check a signature: the public
893key, the algorithm, the signature and the data that has been signed. Therefore,
894four parameter descriptors must be specified with the authentication method:
895
896- ``subject_pk``: parameter descriptor of type ``AUTH_PARAM_PUB_KEY``. This type
897 is used to extract a public key from the parent image. If the cookie is an
898 OID, the key is extracted from the corresponding x509v3 extension. If the
899 cookie is NULL, the subject public key is retrieved. In this case, because
900 the parent image is NULL, the public key is obtained from the platform
901 (this key will be the ROTPK).
902- ``sig``: parameter descriptor of type ``AUTH_PARAM_SIG``. It is used to extract
903 the signature from the certificate.
904- ``sig_alg``: parameter descriptor of type ``AUTH_PARAM_SIG``. It is used to
905 extract the signature algorithm from the certificate.
906- ``raw_data``: parameter descriptor of type ``AUTH_PARAM_RAW_DATA``. It is used
907 to extract the data to be signed from the certificate.
908
909Once the signature has been checked and the certificate authenticated, the
910Trusted World public key needs to be extracted from the certificate. A new entry
911is created in the ``authenticated_data`` array for that purpose. In that entry,
912the corresponding parameter descriptor must be specified along with the buffer
Sandrine Bailleuxaf0f9602020-03-02 13:09:22 +0100913address to store the parameter value. In this case, the ``trusted_world_pk``
914descriptor is used to extract the public key from an x509v3 extension with OID
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100915``TRUSTED_WORLD_PK_OID``. The BL31 key certificate will use this descriptor as
916parameter in the signature authentication method. The key is stored in the
Sandrine Bailleuxaf0f9602020-03-02 13:09:22 +0100917``trusted_world_pk_buf`` buffer.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100918
919The **BL31 Key certificate** is authenticated by checking its digital signature
920using the Trusted World public key obtained previously from the Trusted Key
921certificate. In the image descriptor, we specify a single authentication method
Sandrine Bailleuxaf0f9602020-03-02 13:09:22 +0100922by signature whose public key is the ``trusted_world_pk``. Once this certificate
923has been authenticated, we have to extract the BL31 public key, stored in the
924extension specified by ``soc_fw_content_pk``. This key will be copied to the
925``content_pk_buf`` buffer.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100926
927The **BL31 certificate** is authenticated by checking its digital signature
928using the BL31 public key obtained previously from the BL31 Key certificate.
Sandrine Bailleuxaf0f9602020-03-02 13:09:22 +0100929We specify the authentication method using ``soc_fw_content_pk`` as public key.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100930After authentication, we need to extract the BL31 hash, stored in the extension
Sandrine Bailleuxaf0f9602020-03-02 13:09:22 +0100931specified by ``soc_fw_hash``. This hash will be copied to the
932``soc_fw_hash_buf`` buffer.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100933
934The **BL31 image** is authenticated by calculating its hash and matching it
935with the hash obtained from the BL31 certificate. The image descriptor contains
936a single authentication method by hash. The parameters to the hash method are
Sandrine Bailleuxaf0f9602020-03-02 13:09:22 +0100937the reference hash, ``soc_fw_hash``, and the data to be hashed. In this case,
938it is the whole image, so we specify ``raw_data``.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100939
940The image parser library
941~~~~~~~~~~~~~~~~~~~~~~~~
942
943The image parser module relies on libraries to check the image integrity and
944extract the authentication parameters. The number and type of parser libraries
945depend on the images used in the CoT. Raw images do not need a library, so
946only an x509v3 library is required for the TBBR CoT.
947
Dan Handley610e7e12018-03-01 18:44:00 +0000948Arm platforms will use an x509v3 library based on mbed TLS. This library may be
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100949found in ``drivers/auth/mbedtls/mbedtls_x509_parser.c``. It exports three
950functions:
951
952.. code:: c
953
954 void init(void);
955 int check_integrity(void *img, unsigned int img_len);
956 int get_auth_param(const auth_param_type_desc_t *type_desc,
957 void *img, unsigned int img_len,
958 void **param, unsigned int *param_len);
959
960The library is registered in the framework using the macro
961``REGISTER_IMG_PARSER_LIB()``. Each time the image parser module needs to access
962an image of type ``IMG_CERT``, it will call the corresponding function exported
963in this file.
964
965The build system must be updated to include the corresponding library and
Dan Handley610e7e12018-03-01 18:44:00 +0000966mbed TLS sources. Arm platforms use the ``arm_common.mk`` file to pull the
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100967sources.
968
969The cryptographic library
970~~~~~~~~~~~~~~~~~~~~~~~~~
971
972The cryptographic module relies on a library to perform the required operations,
Dan Handley610e7e12018-03-01 18:44:00 +0000973i.e. verify a hash or a digital signature. Arm platforms will use a library
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100974based on mbed TLS, which can be found in
975``drivers/auth/mbedtls/mbedtls_crypto.c``. This library is registered in the
976authentication framework using the macro ``REGISTER_CRYPTO_LIB()`` and exports
Manish V Badarkhe149e8e02023-03-09 22:23:49 +0000977below functions:
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100978
979.. code:: c
980
981 void init(void);
982 int verify_signature(void *data_ptr, unsigned int data_len,
983 void *sig_ptr, unsigned int sig_len,
984 void *sig_alg, unsigned int sig_alg_len,
985 void *pk_ptr, unsigned int pk_len);
Manish V Badarkhe149e8e02023-03-09 22:23:49 +0000986 int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
987 unsigned int data_len,
988 unsigned char output[CRYPTO_MD_MAX_SIZE])
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100989 int verify_hash(void *data_ptr, unsigned int data_len,
990 void *digest_info_ptr, unsigned int digest_info_len);
Sumit Gargc0c369c2019-11-15 18:47:53 +0530991 int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
992 size_t len, const void *key, unsigned int key_len,
993 unsigned int key_flags, const void *iv,
994 unsigned int iv_len, const void *tag,
995 unsigned int tag_len)
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100996
Justin Chadwell82b06b32019-07-29 17:18:21 +0100997The mbedTLS library algorithm support is configured by both the
998``TF_MBEDTLS_KEY_ALG`` and ``TF_MBEDTLS_KEY_SIZE`` variables.
999
1000- ``TF_MBEDTLS_KEY_ALG`` can take in 3 values: `rsa`, `ecdsa` or `rsa+ecdsa`.
1001 This variable allows the Makefile to include the corresponding sources in
1002 the build for the various algorithms. Setting the variable to `rsa+ecdsa`
1003 enables support for both rsa and ecdsa algorithms in the mbedTLS library.
1004
1005- ``TF_MBEDTLS_KEY_SIZE`` sets the supported RSA key size for TFA. Valid values
1006 include 1024, 2048, 3072 and 4096.
Douglas Raillardd7c21b72017-06-28 15:23:03 +01001007
Sumit Gargc0c369c2019-11-15 18:47:53 +05301008- ``TF_MBEDTLS_USE_AES_GCM`` enables the authenticated decryption support based
1009 on AES-GCM algorithm. Valid values are 0 and 1.
1010
Paul Beesleyba3ed402019-03-13 16:20:44 +00001011.. note::
1012 If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can
1013 be defined in the platform Makefile. It will make mbed TLS use an
1014 implementation of SHA-256 with smaller memory footprint (~1.5 KB less) but
1015 slower (~30%).
Douglas Raillardd7c21b72017-06-28 15:23:03 +01001016
1017--------------
1018
Manish V Badarkhe149e8e02023-03-09 22:23:49 +00001019*Copyright (c) 2017-2023, Arm Limited and Contributors. All rights reserved.*
Douglas Raillardd7c21b72017-06-28 15:23:03 +01001020
Sandrine Bailleux30918422019-04-24 10:41:24 +02001021.. _TBBR-Client specification: https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a