Paul Beesley | fc9ee36 | 2019-03-07 15:47:15 +0000 | [diff] [blame] | 1 | Trusted Board Boot |
| 2 | ================== |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3 | |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 4 | The Trusted Board Boot (TBB) feature prevents malicious firmware from running on |
| 5 | the platform by authenticating all firmware images up to and including the |
| 6 | normal world bootloader. It does this by establishing a Chain of Trust using |
| 7 | Public-Key-Cryptography Standards (PKCS). |
| 8 | |
Sandrine Bailleux | 3091842 | 2019-04-24 10:41:24 +0200 | [diff] [blame] | 9 | This document describes the design of Trusted Firmware-A (TF-A) TBB, which is an |
| 10 | implementation of the `Trusted Board Boot Requirements (TBBR)`_ specification, |
| 11 | Arm DEN0006D. It should be used in conjunction with the `Firmware Update`_ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 12 | design document, which implements a specific aspect of the TBBR. |
| 13 | |
| 14 | Chain of Trust |
| 15 | -------------- |
| 16 | |
| 17 | A Chain of Trust (CoT) starts with a set of implicitly trusted components. On |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 18 | the Arm development platforms, these components are: |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 19 | |
| 20 | - A SHA-256 hash of the Root of Trust Public Key (ROTPK). It is stored in the |
| 21 | trusted root-key storage registers. |
| 22 | |
| 23 | - The BL1 image, on the assumption that it resides in ROM so cannot be |
| 24 | tampered with. |
| 25 | |
| 26 | The remaining components in the CoT are either certificates or boot loader |
| 27 | images. The certificates follow the `X.509 v3`_ standard. This standard |
| 28 | enables adding custom extensions to the certificates, which are used to store |
| 29 | essential information to establish the CoT. |
| 30 | |
| 31 | In the TBB CoT all certificates are self-signed. There is no need for a |
| 32 | Certificate Authority (CA) because the CoT is not established by verifying the |
| 33 | validity of a certificate's issuer but by the content of the certificate |
| 34 | extensions. To sign the certificates, the PKCS#1 SHA-256 with RSA Encryption |
| 35 | signature scheme is used with a RSA key length of 2048 bits. Future version of |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 36 | TF-A will support additional cryptographic algorithms. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 37 | |
| 38 | The certificates are categorised as "Key" and "Content" certificates. Key |
| 39 | certificates are used to verify public keys which have been used to sign content |
| 40 | certificates. Content certificates are used to store the hash of a boot loader |
| 41 | image. An image can be authenticated by calculating its hash and matching it |
| 42 | with the hash extracted from the content certificate. The SHA-256 function is |
| 43 | used to calculate all hashes. The public keys and hashes are included as |
| 44 | non-standard extension fields in the `X.509 v3`_ certificates. |
| 45 | |
| 46 | The keys used to establish the CoT are: |
| 47 | |
| 48 | - **Root of trust key** |
| 49 | |
| 50 | The private part of this key is used to sign the BL2 content certificate and |
| 51 | the trusted key certificate. The public part is the ROTPK. |
| 52 | |
| 53 | - **Trusted world key** |
| 54 | |
| 55 | The private part is used to sign the key certificates corresponding to the |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 56 | secure world images (SCP_BL2, BL31 and BL32). The public part is stored in |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 57 | one of the extension fields in the trusted world certificate. |
| 58 | |
| 59 | - **Non-trusted world key** |
| 60 | |
| 61 | The private part is used to sign the key certificate corresponding to the |
| 62 | non secure world image (BL33). The public part is stored in one of the |
| 63 | extension fields in the trusted world certificate. |
| 64 | |
| 65 | - **BL3-X keys** |
| 66 | |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 67 | For each of SCP_BL2, BL31, BL32 and BL33, the private part is used to |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 68 | sign the content certificate for the BL3-X image. The public part is stored |
| 69 | in one of the extension fields in the corresponding key certificate. |
| 70 | |
| 71 | The following images are included in the CoT: |
| 72 | |
| 73 | - BL1 |
| 74 | - BL2 |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 75 | - SCP_BL2 (optional) |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 76 | - BL31 |
| 77 | - BL33 |
| 78 | - BL32 (optional) |
| 79 | |
| 80 | The following certificates are used to authenticate the images. |
| 81 | |
| 82 | - **BL2 content certificate** |
| 83 | |
| 84 | It is self-signed with the private part of the ROT key. It contains a hash |
| 85 | of the BL2 image. |
| 86 | |
| 87 | - **Trusted key certificate** |
| 88 | |
| 89 | It is self-signed with the private part of the ROT key. It contains the |
| 90 | public part of the trusted world key and the public part of the non-trusted |
| 91 | world key. |
| 92 | |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 93 | - **SCP_BL2 key certificate** |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 94 | |
| 95 | It is self-signed with the trusted world key. It contains the public part of |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 96 | the SCP_BL2 key. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 97 | |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 98 | - **SCP_BL2 content certificate** |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 99 | |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 100 | It is self-signed with the SCP_BL2 key. It contains a hash of the SCP_BL2 |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 101 | image. |
| 102 | |
| 103 | - **BL31 key certificate** |
| 104 | |
| 105 | It is self-signed with the trusted world key. It contains the public part of |
| 106 | the BL31 key. |
| 107 | |
| 108 | - **BL31 content certificate** |
| 109 | |
| 110 | It is self-signed with the BL31 key. It contains a hash of the BL31 image. |
| 111 | |
| 112 | - **BL32 key certificate** |
| 113 | |
| 114 | It is self-signed with the trusted world key. It contains the public part of |
| 115 | the BL32 key. |
| 116 | |
| 117 | - **BL32 content certificate** |
| 118 | |
| 119 | It is self-signed with the BL32 key. It contains a hash of the BL32 image. |
| 120 | |
| 121 | - **BL33 key certificate** |
| 122 | |
| 123 | It is self-signed with the non-trusted world key. It contains the public |
| 124 | part of the BL33 key. |
| 125 | |
| 126 | - **BL33 content certificate** |
| 127 | |
| 128 | It is self-signed with the BL33 key. It contains a hash of the BL33 image. |
| 129 | |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 130 | The SCP_BL2 and BL32 certificates are optional, but they must be present if the |
| 131 | corresponding SCP_BL2 or BL32 images are present. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 132 | |
| 133 | Trusted Board Boot Sequence |
| 134 | --------------------------- |
| 135 | |
| 136 | The CoT is verified through the following sequence of steps. The system panics |
| 137 | if any of the steps fail. |
| 138 | |
| 139 | - BL1 loads and verifies the BL2 content certificate. The issuer public key is |
| 140 | read from the verified certificate. A hash of that key is calculated and |
| 141 | compared with the hash of the ROTPK read from the trusted root-key storage |
| 142 | registers. If they match, the BL2 hash is read from the certificate. |
| 143 | |
Paul Beesley | ba3ed40 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 144 | .. note:: |
| 145 | The matching operation is platform specific and is currently |
| 146 | unimplemented on the Arm development platforms. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 147 | |
| 148 | - BL1 loads the BL2 image. Its hash is calculated and compared with the hash |
| 149 | read from the certificate. Control is transferred to the BL2 image if all |
| 150 | the comparisons succeed. |
| 151 | |
| 152 | - BL2 loads and verifies the trusted key certificate. The issuer public key is |
| 153 | read from the verified certificate. A hash of that key is calculated and |
| 154 | compared with the hash of the ROTPK read from the trusted root-key storage |
| 155 | registers. If the comparison succeeds, BL2 reads and saves the trusted and |
| 156 | non-trusted world public keys from the verified certificate. |
| 157 | |
Sandrine Bailleux | 15530dd | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 158 | The next two steps are executed for each of the SCP_BL2, BL31 & BL32 images. |
| 159 | The steps for the optional SCP_BL2 and BL32 images are skipped if these images |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 160 | are not present. |
| 161 | |
| 162 | - BL2 loads and verifies the BL3x key certificate. The certificate signature |
| 163 | is verified using the trusted world public key. If the signature |
| 164 | verification succeeds, BL2 reads and saves the BL3x public key from the |
| 165 | certificate. |
| 166 | |
| 167 | - BL2 loads and verifies the BL3x content certificate. The signature is |
| 168 | verified using the BL3x public key. If the signature verification succeeds, |
| 169 | BL2 reads and saves the BL3x image hash from the certificate. |
| 170 | |
| 171 | The next two steps are executed only for the BL33 image. |
| 172 | |
| 173 | - BL2 loads and verifies the BL33 key certificate. If the signature |
| 174 | verification succeeds, BL2 reads and saves the BL33 public key from the |
| 175 | certificate. |
| 176 | |
| 177 | - BL2 loads and verifies the BL33 content certificate. If the signature |
| 178 | verification succeeds, BL2 reads and saves the BL33 image hash from the |
| 179 | certificate. |
| 180 | |
| 181 | The next step is executed for all the boot loader images. |
| 182 | |
| 183 | - BL2 calculates the hash of each image. It compares it with the hash obtained |
| 184 | from the corresponding content certificate. The image authentication succeeds |
| 185 | if the hashes match. |
| 186 | |
| 187 | The Trusted Board Boot implementation spans both generic and platform-specific |
| 188 | BL1 and BL2 code, and in tool code on the host build machine. The feature is |
| 189 | enabled through use of specific build flags as described in the `User Guide`_. |
| 190 | |
| 191 | On the host machine, a tool generates the certificates, which are included in |
| 192 | the FIP along with the boot loader images. These certificates are loaded in |
| 193 | Trusted SRAM using the IO storage framework. They are then verified by an |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 194 | Authentication module included in TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 195 | |
| 196 | The mechanism used for generating the FIP and the Authentication module are |
| 197 | described in the following sections. |
| 198 | |
| 199 | Authentication Framework |
| 200 | ------------------------ |
| 201 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 202 | The authentication framework included in TF-A provides support to implement |
| 203 | the desired trusted boot sequence. Arm platforms use this framework to |
Sandrine Bailleux | 3091842 | 2019-04-24 10:41:24 +0200 | [diff] [blame] | 204 | implement the boot requirements specified in the `TBBR-client`_ document. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 205 | |
| 206 | More information about the authentication framework can be found in the |
| 207 | `Auth Framework`_ document. |
| 208 | |
| 209 | Certificate Generation Tool |
| 210 | --------------------------- |
| 211 | |
| 212 | The ``cert_create`` tool is built and runs on the host machine as part of the |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 213 | TF-A build process when ``GENERATE_COT=1``. It takes the boot loader images |
| 214 | and keys as inputs (keys must be in PEM format) and generates the |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 215 | certificates (in DER format) required to establish the CoT. New keys can be |
| 216 | generated by the tool in case they are not provided. The certificates are then |
| 217 | passed as inputs to the ``fiptool`` utility for creating the FIP. |
| 218 | |
| 219 | The certificates are also stored individually in the in the output build |
| 220 | directory. |
| 221 | |
| 222 | The tool resides in the ``tools/cert_create`` directory. It uses OpenSSL SSL |
| 223 | library version 1.0.1 or later to generate the X.509 certificates. Instructions |
| 224 | for building and using the tool can be found in the `User Guide`_. |
| 225 | |
| 226 | -------------- |
| 227 | |
Sandrine Bailleux | 3091842 | 2019-04-24 10:41:24 +0200 | [diff] [blame] | 228 | *Copyright (c) 2015-2019, Arm Limited and Contributors. All rights reserved.* |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 229 | |
John Tsichritzis | 2fd3d92 | 2019-05-28 13:13:39 +0100 | [diff] [blame] | 230 | .. _Firmware Update: ../components/firmware-update.rst |
Paul Beesley | 2437ddc | 2019-02-08 16:43:05 +0000 | [diff] [blame] | 231 | .. _X.509 v3: https://tools.ietf.org/rfc/rfc5280.txt |
Paul Beesley | ea22512 | 2019-02-11 17:54:45 +0000 | [diff] [blame] | 232 | .. _User Guide: ../getting_started/user-guide.rst |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 233 | .. _Auth Framework: auth-framework.rst |
Sandrine Bailleux | 3091842 | 2019-04-24 10:41:24 +0200 | [diff] [blame] | 234 | .. _TBBR-client: https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a |
| 235 | .. _Trusted Board Boot Requirements (TBBR): `TBBR-client`_ |