trusted-board-boot.rst 10.4 KB
Newer Older
Paul Beesley's avatar
Paul Beesley committed
1
2
Trusted Board Boot
==================
3
4
5
6
7
8

The Trusted Board Boot (TBB) feature prevents malicious firmware from running on
the platform by authenticating all firmware images up to and including the
normal world bootloader. It does this by establishing a Chain of Trust using
Public-Key-Cryptography Standards (PKCS).

9
10
This document describes the design of Trusted Firmware-A (TF-A) TBB, which is an
implementation of the `Trusted Board Boot Requirements (TBBR)`_ specification,
11
12
13
Arm DEN0006D. It should be used in conjunction with the
:ref:`Firmware Update (FWU)` design document, which implements a specific aspect
of the TBBR.
14
15
16
17
18

Chain of Trust
--------------

A Chain of Trust (CoT) starts with a set of implicitly trusted components. On
Dan Handley's avatar
Dan Handley committed
19
the Arm development platforms, these components are:
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

-  A SHA-256 hash of the Root of Trust Public Key (ROTPK). It is stored in the
   trusted root-key storage registers.

-  The BL1 image, on the assumption that it resides in ROM so cannot be
   tampered with.

The remaining components in the CoT are either certificates or boot loader
images. The certificates follow the `X.509 v3`_ standard. This standard
enables adding custom extensions to the certificates, which are used to store
essential information to establish the CoT.

In the TBB CoT all certificates are self-signed. There is no need for a
Certificate Authority (CA) because the CoT is not established by verifying the
validity of a certificate's issuer but by the content of the certificate
extensions. To sign the certificates, the PKCS#1 SHA-256 with RSA Encryption
signature scheme is used with a RSA key length of 2048 bits. Future version of
Dan Handley's avatar
Dan Handley committed
37
TF-A will support additional cryptographic algorithms.
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

The certificates are categorised as "Key" and "Content" certificates. Key
certificates are used to verify public keys which have been used to sign content
certificates. Content certificates are used to store the hash of a boot loader
image. An image can be authenticated by calculating its hash and matching it
with the hash extracted from the content certificate. The SHA-256 function is
used to calculate all hashes. The public keys and hashes are included as
non-standard extension fields in the `X.509 v3`_ certificates.

The keys used to establish the CoT are:

-  **Root of trust key**

   The private part of this key is used to sign the BL2 content certificate and
   the trusted key certificate. The public part is the ROTPK.

-  **Trusted world key**

   The private part is used to sign the key certificates corresponding to the
57
   secure world images (SCP_BL2, BL31 and BL32). The public part is stored in
58
59
60
61
62
63
64
65
66
67
   one of the extension fields in the trusted world certificate.

-  **Non-trusted world key**

   The private part is used to sign the key certificate corresponding to the
   non secure world image (BL33). The public part is stored in one of the
   extension fields in the trusted world certificate.

-  **BL3-X keys**

68
   For each of SCP_BL2, BL31, BL32 and BL33, the private part is used to
69
70
71
72
73
74
75
   sign the content certificate for the BL3-X image. The public part is stored
   in one of the extension fields in the corresponding key certificate.

The following images are included in the CoT:

-  BL1
-  BL2
76
-  SCP_BL2 (optional)
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
-  BL31
-  BL33
-  BL32 (optional)

The following certificates are used to authenticate the images.

-  **BL2 content certificate**

   It is self-signed with the private part of the ROT key. It contains a hash
   of the BL2 image.

-  **Trusted key certificate**

   It is self-signed with the private part of the ROT key. It contains the
   public part of the trusted world key and the public part of the non-trusted
   world key.

94
-  **SCP_BL2 key certificate**
95
96

   It is self-signed with the trusted world key. It contains the public part of
97
   the SCP_BL2 key.
98

99
-  **SCP_BL2 content certificate**
100

101
   It is self-signed with the SCP_BL2 key. It contains a hash of the SCP_BL2
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
   image.

-  **BL31 key certificate**

   It is self-signed with the trusted world key. It contains the public part of
   the BL31 key.

-  **BL31 content certificate**

   It is self-signed with the BL31 key. It contains a hash of the BL31 image.

-  **BL32 key certificate**

   It is self-signed with the trusted world key. It contains the public part of
   the BL32 key.

-  **BL32 content certificate**

   It is self-signed with the BL32 key. It contains a hash of the BL32 image.

-  **BL33 key certificate**

   It is self-signed with the non-trusted world key. It contains the public
   part of the BL33 key.

-  **BL33 content certificate**

   It is self-signed with the BL33 key. It contains a hash of the BL33 image.

131
132
The SCP_BL2 and BL32 certificates are optional, but they must be present if the
corresponding SCP_BL2 or BL32 images are present.
133
134
135
136
137
138
139
140
141
142
143
144

Trusted Board Boot Sequence
---------------------------

The CoT is verified through the following sequence of steps. The system panics
if any of the steps fail.

-  BL1 loads and verifies the BL2 content certificate. The issuer public key is
   read from the verified certificate. A hash of that key is calculated and
   compared with the hash of the ROTPK read from the trusted root-key storage
   registers. If they match, the BL2 hash is read from the certificate.

145
146
147
   .. note::
      The matching operation is platform specific and is currently
      unimplemented on the Arm development platforms.
148
149
150
151
152
153
154
155
156
157
158

-  BL1 loads the BL2 image. Its hash is calculated and compared with the hash
   read from the certificate. Control is transferred to the BL2 image if all
   the comparisons succeed.

-  BL2 loads and verifies the trusted key certificate. The issuer public key is
   read from the verified certificate. A hash of that key is calculated and
   compared with the hash of the ROTPK read from the trusted root-key storage
   registers. If the comparison succeeds, BL2 reads and saves the trusted and
   non-trusted world public keys from the verified certificate.

159
160
The next two steps are executed for each of the SCP_BL2, BL31 & BL32 images.
The steps for the optional SCP_BL2 and BL32 images are skipped if these images
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
are not present.

-  BL2 loads and verifies the BL3x key certificate. The certificate signature
   is verified using the trusted world public key. If the signature
   verification succeeds, BL2 reads and saves the BL3x public key from the
   certificate.

-  BL2 loads and verifies the BL3x content certificate. The signature is
   verified using the BL3x public key. If the signature verification succeeds,
   BL2 reads and saves the BL3x image hash from the certificate.

The next two steps are executed only for the BL33 image.

-  BL2 loads and verifies the BL33 key certificate. If the signature
   verification succeeds, BL2 reads and saves the BL33 public key from the
   certificate.

-  BL2 loads and verifies the BL33 content certificate. If the signature
   verification succeeds, BL2 reads and saves the BL33 image hash from the
   certificate.

The next step is executed for all the boot loader images.

-  BL2 calculates the hash of each image. It compares it with the hash obtained
   from the corresponding content certificate. The image authentication succeeds
   if the hashes match.

The Trusted Board Boot implementation spans both generic and platform-specific
BL1 and BL2 code, and in tool code on the host build machine. The feature is
190
191
enabled through use of specific build flags as described in
:ref:`Build Options`.
192
193
194
195

On the host machine, a tool generates the certificates, which are included in
the FIP along with the boot loader images. These certificates are loaded in
Trusted SRAM using the IO storage framework. They are then verified by an
Dan Handley's avatar
Dan Handley committed
196
Authentication module included in TF-A.
197
198
199
200
201
202
203

The mechanism used for generating the FIP and the Authentication module are
described in the following sections.

Authentication Framework
------------------------

Dan Handley's avatar
Dan Handley committed
204
205
The authentication framework included in TF-A provides support to implement
the desired trusted boot sequence. Arm platforms use this framework to
206
207
implement the boot requirements specified in the
`Trusted Board Boot Requirements (TBBR)`_ document.
208
209

More information about the authentication framework can be found in the
210
:ref:`Authentication Framework & Chain of Trust` document.
211
212
213
214
215

Certificate Generation Tool
---------------------------

The ``cert_create`` tool is built and runs on the host machine as part of the
Dan Handley's avatar
Dan Handley committed
216
217
TF-A build process when ``GENERATE_COT=1``. It takes the boot loader images
and keys as inputs (keys must be in PEM format) and generates the
218
219
220
221
222
223
224
certificates (in DER format) required to establish the CoT. New keys can be
generated by the tool in case they are not provided. The certificates are then
passed as inputs to the ``fiptool`` utility for creating the FIP.

The certificates are also stored individually in the in the output build
directory.

225
226
227
228
229
230
The tool resides in the ``tools/cert_create`` directory. It uses the OpenSSL SSL
library version to generate the X.509 certificates. The specific version of the
library that is required is given in the :ref:`Prerequisites` document.

Instructions for building and using the tool can be found at
:ref:`tools_build_cert_create`.
231

232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
Authenticated Encryption Framework
----------------------------------

The authenticated encryption framework included in TF-A provides support to
implement the optional firmware encryption feature. This feature can be
optionally enabled on platforms to implement the optional requirement:
R060_TBBR_FUNCTION as specified in the `Trusted Board Boot Requirements (TBBR)`_
document.

Note that due to security considerations and complexity of this feature, it is
marked as experimental.

Firmware Encryption Tool
------------------------

The ``encrypt_fw`` tool is built and runs on the host machine as part of the
TF-A build process when ``DECRYPTION_SUPPORT != none``. It takes the plain
firmware image as input and generates the encrypted firmware image which can
then be passed as input to the ``fiptool`` utility for creating the FIP.

The encrypted firmwares are also stored individually in the output build
directory.

The tool resides in the ``tools/encrypt_fw`` directory. It uses OpenSSL SSL
library version 1.0.1 or later to do authenticated encryption operation.
Instructions for building and using the tool can be found in the
:ref:`tools_build_enctool`.

260
261
--------------

262
*Copyright (c) 2015-2019, Arm Limited and Contributors. All rights reserved.*
263

Paul Beesley's avatar
Paul Beesley committed
264
.. _X.509 v3: https://tools.ietf.org/rfc/rfc5280.txt
265
.. _Trusted Board Boot Requirements (TBBR): https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a