blob: f10d2e72c7adc75e44e5df6b2bafe4d429d52a5b [file] [log] [blame]
Paul Beesleyfc9ee362019-03-07 15:47:15 +00001Trusted Board Boot
2==================
Douglas Raillardd7c21b72017-06-28 15:23:03 +01003
Sandrine Bailleuxb8904402024-02-02 15:21:29 +01004The `Trusted Board Boot` (TBB) feature prevents malicious firmware from running
5on the platform by authenticating all firmware images up to and including the
6normal world bootloader. It does this by establishing a `Chain of Trust` using
Douglas Raillardd7c21b72017-06-28 15:23:03 +01007Public-Key-Cryptography Standards (PKCS).
8
Sandrine Bailleux30918422019-04-24 10:41:24 +02009This document describes the design of Trusted Firmware-A (TF-A) TBB, which is an
10implementation of the `Trusted Board Boot Requirements (TBBR)`_ specification,
Sandrine Bailleuxb8904402024-02-02 15:21:29 +010011Arm DEN0006D. It should be used in conjunction with the :ref:`Firmware Update
12(FWU)` design document, which implements a specific aspect of the TBBR.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010013
14Chain of Trust
15--------------
16
Sandrine Bailleuxb8904402024-02-02 15:21:29 +010017A Chain of Trust (CoT) starts with a set of implicitly trusted components, which
18are used to establish trust in the next layer of components, and so on, in a
19`chained` manner.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010020
Sandrine Bailleuxb8904402024-02-02 15:21:29 +010021The chain of trust depends on several factors, including:
22
23- The set of firmware images in use on this platform.
24 Typically, most platforms share a common set of firmware images (BL1, BL2,
25 BL31, BL33) but extra platform-specific images might be required.
26
27- The key provisioning scheme: which keys need to programmed into the device
28 and at which stage during the platform's manufacturing lifecycle.
29
30- The key ownership model: who owns which key.
31
32As these vary across platforms, chains of trust also vary across
33platforms. Although each platform is free to define its own CoT based on its
34needs, TF-A provides a set of "default" CoTs fitting some typical trust models,
35which platforms may reuse. The rest of this section presents general concepts
36which apply to all these default CoTs.
37
38The implicitly trusted components forming the trust anchor are:
39
40- A Root of Trust Public Key (ROTPK), or a hash of it.
41
42 On Arm development platforms, a SHA-256 hash of the ROTPK is stored in the
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +010043 trusted root-key storage registers. Alternatively, a development ROTPK might
44 be used and its hash embedded into the BL1 and BL2 images (only for
45 development purposes).
Douglas Raillardd7c21b72017-06-28 15:23:03 +010046
47- The BL1 image, on the assumption that it resides in ROM so cannot be
48 tampered with.
49
50The remaining components in the CoT are either certificates or boot loader
51images. The certificates follow the `X.509 v3`_ standard. This standard
52enables adding custom extensions to the certificates, which are used to store
53essential information to establish the CoT.
54
Sandrine Bailleuxb8904402024-02-02 15:21:29 +010055All certificates are self-signed. There is no need for a Certificate Authority
56(CA) because the CoT is not established by verifying the validity of a
57certificate's issuer but by the content of the certificate extensions. To sign
58the certificates, different signature schemes are available, please refer to the
59:ref:`Build Options` for more details.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010060
61The certificates are categorised as "Key" and "Content" certificates. Key
62certificates are used to verify public keys which have been used to sign content
63certificates. Content certificates are used to store the hash of a boot loader
64image. An image can be authenticated by calculating its hash and matching it
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +010065with the hash extracted from the content certificate. Various hash algorithms
66are supported to calculate all hashes, please refer to the :ref:`Build Options`
Sandrine Bailleuxb8904402024-02-02 15:21:29 +010067for more details. The public keys and hashes are included as non-standard
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +010068extension fields in the `X.509 v3`_ certificates.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010069
Sandrine Bailleuxb8904402024-02-02 15:21:29 +010070The next sections now present specificities of each default CoT provided in
71TF-A.
72
73Default CoT #1: TBBR
74~~~~~~~~~~~~~~~~~~~~
75
76The `TBBR` CoT is named after the specification it follows to the letter.
77
78In the TBBR CoT, all firmware binaries and certificates are (directly or
79indirectly) linked to the Root of Trust Public Key (ROTPK). Typically, the same
80vendor owns the ROTPK, the Trusted key and the Non-Trusted Key. Thus, this vendor
81is involved in signing every BL3x Key Certificate.
82
83The keys used to establish this CoT are:
Douglas Raillardd7c21b72017-06-28 15:23:03 +010084
85- **Root of trust key**
86
Sandrine Bailleux3e992d62024-02-09 13:41:09 +010087 The private part of this key is used to sign the trusted boot firmware
88 certificate and the trusted key certificate. The public part is the ROTPK.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010089
90- **Trusted world key**
91
92 The private part is used to sign the key certificates corresponding to the
Sandrine Bailleux15530dd2019-02-08 15:26:36 +010093 secure world images (SCP_BL2, BL31 and BL32). The public part is stored in
Sandrine Bailleux3e992d62024-02-09 13:41:09 +010094 one of the extension fields in the trusted key certificate.
Douglas Raillardd7c21b72017-06-28 15:23:03 +010095
96- **Non-trusted world key**
97
98 The private part is used to sign the key certificate corresponding to the
Sandrine Bailleux3e992d62024-02-09 13:41:09 +010099 non-secure world image (BL33). The public part is stored in one of the
100 extension fields in the trusted key certificate.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100101
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +0100102- **BL3X keys**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100103
Sandrine Bailleux15530dd2019-02-08 15:26:36 +0100104 For each of SCP_BL2, BL31, BL32 and BL33, the private part is used to
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +0100105 sign the content certificate for the BL3X image. The public part is stored
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100106 in one of the extension fields in the corresponding key certificate.
107
108The following images are included in the CoT:
109
110- BL1
111- BL2
Sandrine Bailleux15530dd2019-02-08 15:26:36 +0100112- SCP_BL2 (optional)
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100113- BL31
114- BL33
115- BL32 (optional)
116
117The following certificates are used to authenticate the images.
118
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100119- **Trusted boot firmware certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100120
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100121 It is self-signed with the private part of the ROT key. It contains a hash of
122 the BL2 image and hashes of various firmware configuration files
123 (TB_FW_CONFIG, HW_CONFIG, FW_CONFIG).
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100124
125- **Trusted key certificate**
126
127 It is self-signed with the private part of the ROT key. It contains the
128 public part of the trusted world key and the public part of the non-trusted
129 world key.
130
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100131- **SCP firmware key certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100132
133 It is self-signed with the trusted world key. It contains the public part of
Sandrine Bailleux15530dd2019-02-08 15:26:36 +0100134 the SCP_BL2 key.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100135
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100136- **SCP firmware content certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100137
Sandrine Bailleux15530dd2019-02-08 15:26:36 +0100138 It is self-signed with the SCP_BL2 key. It contains a hash of the SCP_BL2
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100139 image.
140
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100141- **SoC firmware key certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100142
143 It is self-signed with the trusted world key. It contains the public part of
144 the BL31 key.
145
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100146- **SoC firmware content certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100147
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100148 It is self-signed with the BL31 key. It contains hashes of the BL31 image and
149 its configuration file (SOC_FW_CONFIG).
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100150
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100151- **Trusted OS key certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100152
153 It is self-signed with the trusted world key. It contains the public part of
154 the BL32 key.
155
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100156- **Trusted OS content certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100157
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100158 It is self-signed with the BL32 key. It contains hashes of the BL32 image(s)
159 and its configuration file(s) (TOS_FW_CONFIG).
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100160
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100161- **Non-trusted firmware key certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100162
163 It is self-signed with the non-trusted world key. It contains the public
164 part of the BL33 key.
165
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100166- **Non-trusted firmware content certificate**
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100167
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100168 It is self-signed with the BL33 key. It contains hashes of the BL33 image and
169 its configuration file (NT_FW_CONFIG).
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100170
Sandrine Bailleux3e992d62024-02-09 13:41:09 +0100171The SCP firmware and Trusted OS certificates are optional, but they must be
172present if the corresponding SCP_BL2 or BL32 images are present.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100173
Sandrine Bailleuxb8904402024-02-02 15:21:29 +0100174The following diagram summarizes the part of the TBBR CoT enforced by BL2. Some
175images (SCP, debug certificates, secure partitions, configuration files) are not
176shown here for conciseness:
177
178.. image:: ../resources/diagrams/cot-tbbr.jpg
179
180Default CoT #2: Dualroot
181~~~~~~~~~~~~~~~~~~~~~~~~
182
183The `dualroot` CoT is targeted at systems where the Normal World firmware is
184owned by a different entity than the Secure World Firmware, and those 2 entities
185do not wish to share any keys or have any dependency between each other when it
186comes to signing their respective images. It establishes 2 separate signing
187domains, each with its own Root of Trust key. In that sense, this CoT has 2
188roots of trust, hence the `dualroot` name.
189
190Although the dualroot CoT reuses some of the TBBR CoT components and concepts,
191it differs on the BL33 image's chain of trust, which is rooted into a new key,
192called `Platform ROTPK`, or `PROTPK` for short.
193
194The following diagram summarizes the part of the dualroot CoT enforced by
195BL2. Some images (SCP, debug certificates, secure partitions, configuration
196files) are not shown here for conciseness:
197
198.. image:: ../resources/diagrams/cot-dualroot.jpg
199
200Default CoT #3: CCA
201~~~~~~~~~~~~~~~~~~~
202
203This CoT is targeted at Arm CCA systems. The Arm CCA security model recommends
204making supply chains for the Arm CCA firmware, the secure world firmware and the
205platform owner firmware, independent. Hence, this CoT has 3 roots of trust, one
206for each supply chain.
207
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100208Trusted Board Boot Sequence
209---------------------------
210
211The CoT is verified through the following sequence of steps. The system panics
212if any of the steps fail.
213
214- BL1 loads and verifies the BL2 content certificate. The issuer public key is
215 read from the verified certificate. A hash of that key is calculated and
216 compared with the hash of the ROTPK read from the trusted root-key storage
217 registers. If they match, the BL2 hash is read from the certificate.
218
Paul Beesleyba3ed402019-03-13 16:20:44 +0000219 .. note::
220 The matching operation is platform specific and is currently
221 unimplemented on the Arm development platforms.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100222
223- BL1 loads the BL2 image. Its hash is calculated and compared with the hash
224 read from the certificate. Control is transferred to the BL2 image if all
225 the comparisons succeed.
226
227- BL2 loads and verifies the trusted key certificate. The issuer public key is
228 read from the verified certificate. A hash of that key is calculated and
229 compared with the hash of the ROTPK read from the trusted root-key storage
230 registers. If the comparison succeeds, BL2 reads and saves the trusted and
231 non-trusted world public keys from the verified certificate.
232
Sandrine Bailleux15530dd2019-02-08 15:26:36 +0100233The next two steps are executed for each of the SCP_BL2, BL31 & BL32 images.
234The steps for the optional SCP_BL2 and BL32 images are skipped if these images
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100235are not present.
236
237- BL2 loads and verifies the BL3x key certificate. The certificate signature
238 is verified using the trusted world public key. If the signature
239 verification succeeds, BL2 reads and saves the BL3x public key from the
240 certificate.
241
242- BL2 loads and verifies the BL3x content certificate. The signature is
243 verified using the BL3x public key. If the signature verification succeeds,
244 BL2 reads and saves the BL3x image hash from the certificate.
245
246The next two steps are executed only for the BL33 image.
247
248- BL2 loads and verifies the BL33 key certificate. If the signature
249 verification succeeds, BL2 reads and saves the BL33 public key from the
250 certificate.
251
252- BL2 loads and verifies the BL33 content certificate. If the signature
253 verification succeeds, BL2 reads and saves the BL33 image hash from the
254 certificate.
255
256The next step is executed for all the boot loader images.
257
258- BL2 calculates the hash of each image. It compares it with the hash obtained
259 from the corresponding content certificate. The image authentication succeeds
260 if the hashes match.
261
262The Trusted Board Boot implementation spans both generic and platform-specific
263BL1 and BL2 code, and in tool code on the host build machine. The feature is
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +0100264enabled through use of specific build flags as described in
265:ref:`Build Options`.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100266
267On the host machine, a tool generates the certificates, which are included in
268the FIP along with the boot loader images. These certificates are loaded in
269Trusted SRAM using the IO storage framework. They are then verified by an
Dan Handley610e7e12018-03-01 18:44:00 +0000270Authentication module included in TF-A.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100271
272The mechanism used for generating the FIP and the Authentication module are
273described in the following sections.
274
275Authentication Framework
276------------------------
277
Dan Handley610e7e12018-03-01 18:44:00 +0000278The authentication framework included in TF-A provides support to implement
279the desired trusted boot sequence. Arm platforms use this framework to
Paul Beesleyf8640672019-04-12 14:19:42 +0100280implement the boot requirements specified in the
281`Trusted Board Boot Requirements (TBBR)`_ document.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100282
283More information about the authentication framework can be found in the
Paul Beesleyf8640672019-04-12 14:19:42 +0100284:ref:`Authentication Framework & Chain of Trust` document.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100285
286Certificate Generation Tool
287---------------------------
288
289The ``cert_create`` tool is built and runs on the host machine as part of the
Dan Handley610e7e12018-03-01 18:44:00 +0000290TF-A build process when ``GENERATE_COT=1``. It takes the boot loader images
Robin van der Gracht06b5cdb2023-09-12 11:16:23 +0200291and keys as inputs and generates the certificates (in DER format) required to
292establish the CoT. The input keys must either be a file in PEM format or a
293PKCS11 URI in case a HSM is used. New keys can be generated by the tool in
294case they are not provided. The certificates are then passed as inputs to
295the ``fiptool`` utility for creating the FIP.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100296
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +0100297The certificates are also stored individually in the output build directory.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100298
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +0100299The tool resides in the ``tools/cert_create`` directory. It uses the OpenSSL SSL
300library version to generate the X.509 certificates. The specific version of the
301library that is required is given in the :ref:`Prerequisites` document.
302
303Instructions for building and using the tool can be found at
304:ref:`tools_build_cert_create`.
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100305
Sumit Gargc0c369c2019-11-15 18:47:53 +0530306Authenticated Encryption Framework
307----------------------------------
308
309The authenticated encryption framework included in TF-A provides support to
310implement the optional firmware encryption feature. This feature can be
311optionally enabled on platforms to implement the optional requirement:
312R060_TBBR_FUNCTION as specified in the `Trusted Board Boot Requirements (TBBR)`_
313document.
314
Sumit Gargc0c369c2019-11-15 18:47:53 +0530315Firmware Encryption Tool
316------------------------
317
318The ``encrypt_fw`` tool is built and runs on the host machine as part of the
319TF-A build process when ``DECRYPTION_SUPPORT != none``. It takes the plain
320firmware image as input and generates the encrypted firmware image which can
321then be passed as input to the ``fiptool`` utility for creating the FIP.
322
323The encrypted firmwares are also stored individually in the output build
324directory.
325
326The tool resides in the ``tools/encrypt_fw`` directory. It uses OpenSSL SSL
327library version 1.0.1 or later to do authenticated encryption operation.
328Instructions for building and using the tool can be found in the
329:ref:`tools_build_enctool`.
330
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100331--------------
332
Sandrine Bailleux54b47dc2020-03-03 13:00:10 +0100333*Copyright (c) 2015-2020, Arm Limited and Contributors. All rights reserved.*
Douglas Raillardd7c21b72017-06-28 15:23:03 +0100334
Paul Beesley2437ddc2019-02-08 16:43:05 +0000335.. _X.509 v3: https://tools.ietf.org/rfc/rfc5280.txt
Sandrine Bailleuxf2384172024-02-02 11:16:12 +0100336.. _Trusted Board Boot Requirements (TBBR): https://developer.arm.com/docs/den0006/latest