Merge "Update cryptographic algorithms in TBBR doc" into integration
This commit is contained in:
commit
bd2ad92902
|
@ -19,7 +19,9 @@ A Chain of Trust (CoT) starts with a set of implicitly trusted components. On
|
|||
the Arm development platforms, these components are:
|
||||
|
||||
- A SHA-256 hash of the Root of Trust Public Key (ROTPK). It is stored in the
|
||||
trusted root-key storage registers.
|
||||
trusted root-key storage registers. Alternatively, a development ROTPK might
|
||||
be used and its hash embedded into the BL1 and BL2 images (only for
|
||||
development purposes).
|
||||
|
||||
- The BL1 image, on the assumption that it resides in ROM so cannot be
|
||||
tampered with.
|
||||
|
@ -32,17 +34,17 @@ essential information to establish the CoT.
|
|||
In the TBB CoT all certificates are self-signed. There is no need for a
|
||||
Certificate Authority (CA) because the CoT is not established by verifying the
|
||||
validity of a certificate's issuer but by the content of the certificate
|
||||
extensions. To sign the certificates, the PKCS#1 SHA-256 with RSA Encryption
|
||||
signature scheme is used with a RSA key length of 2048 bits. Future version of
|
||||
TF-A will support additional cryptographic algorithms.
|
||||
extensions. To sign the certificates, different signature schemes are available,
|
||||
please refer to the :ref:`Build Options` for more details.
|
||||
|
||||
The certificates are categorised as "Key" and "Content" certificates. Key
|
||||
certificates are used to verify public keys which have been used to sign content
|
||||
certificates. Content certificates are used to store the hash of a boot loader
|
||||
image. An image can be authenticated by calculating its hash and matching it
|
||||
with the hash extracted from the content certificate. The SHA-256 function is
|
||||
used to calculate all hashes. The public keys and hashes are included as
|
||||
non-standard extension fields in the `X.509 v3`_ certificates.
|
||||
with the hash extracted from the content certificate. Various hash algorithms
|
||||
are supported to calculate all hashes, please refer to the :ref:`Build Options`
|
||||
for more details.. The public keys and hashes are included as non-standard
|
||||
extension fields in the `X.509 v3`_ certificates.
|
||||
|
||||
The keys used to establish the CoT are:
|
||||
|
||||
|
@ -63,10 +65,10 @@ The keys used to establish the CoT are:
|
|||
non secure world image (BL33). The public part is stored in one of the
|
||||
extension fields in the trusted world certificate.
|
||||
|
||||
- **BL3-X keys**
|
||||
- **BL3X keys**
|
||||
|
||||
For each of SCP_BL2, BL31, BL32 and BL33, the private part is used to
|
||||
sign the content certificate for the BL3-X image. The public part is stored
|
||||
sign the content certificate for the BL3X image. The public part is stored
|
||||
in one of the extension fields in the corresponding key certificate.
|
||||
|
||||
The following images are included in the CoT:
|
||||
|
@ -219,8 +221,7 @@ certificates (in DER format) required to establish the CoT. New keys can be
|
|||
generated by the tool in case they are not provided. The certificates are then
|
||||
passed as inputs to the ``fiptool`` utility for creating the FIP.
|
||||
|
||||
The certificates are also stored individually in the in the output build
|
||||
directory.
|
||||
The certificates are also stored individually in the output build directory.
|
||||
|
||||
The tool resides in the ``tools/cert_create`` directory. It uses the OpenSSL SSL
|
||||
library version to generate the X.509 certificates. The specific version of the
|
||||
|
@ -259,7 +260,7 @@ Instructions for building and using the tool can be found in the
|
|||
|
||||
--------------
|
||||
|
||||
*Copyright (c) 2015-2019, Arm Limited and Contributors. All rights reserved.*
|
||||
*Copyright (c) 2015-2020, Arm Limited and Contributors. All rights reserved.*
|
||||
|
||||
.. _X.509 v3: https://tools.ietf.org/rfc/rfc5280.txt
|
||||
.. _Trusted Board Boot Requirements (TBBR): https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a
|
||||
|
|
Loading…
Reference in New Issue