1Authentication Framework & Chain of Trust 2========================================= 3 4The aim of this document is to describe the authentication framework 5implemented in Trusted Firmware-A (TF-A). This framework fulfills the 6following requirements: 7 8#. It should be possible for a platform port to specify the Chain of Trust in 9 terms of certificate hierarchy and the mechanisms used to verify a 10 particular image/certificate. 11 12#. The framework should distinguish between: 13 14 - The mechanism used to encode and transport information, e.g. DER encoded 15 X.509v3 certificates to ferry Subject Public Keys, hashes and non-volatile 16 counters. 17 18 - The mechanism used to verify the transported information i.e. the 19 cryptographic libraries. 20 21The framework has been designed following a modular approach illustrated in the 22next diagram: 23 24:: 25 26 +---------------+---------------+------------+ 27 | Trusted | Trusted | Trusted | 28 | Firmware | Firmware | Firmware | 29 | Generic | IO Framework | Platform | 30 | Code i.e. | (IO) | Port | 31 | BL1/BL2 (GEN) | | (PP) | 32 +---------------+---------------+------------+ 33 ^ ^ ^ 34 | | | 35 v v v 36 +-----------+ +-----------+ +-----------+ 37 | | | | | Image | 38 | Crypto | | Auth | | Parser | 39 | Module |<->| Module |<->| Module | 40 | (CM) | | (AM) | | (IPM) | 41 | | | | | | 42 +-----------+ +-----------+ +-----------+ 43 ^ ^ 44 | | 45 v v 46 +----------------+ +-----------------+ 47 | Cryptographic | | Image Parser | 48 | Libraries (CL) | | Libraries (IPL) | 49 +----------------+ +-----------------+ 50 | | 51 | | 52 | | 53 v v 54 +-----------------+ 55 | Misc. Libs e.g. | 56 | ASN.1 decoder | 57 | | 58 +-----------------+ 59 60 DIAGRAM 1. 61 62This document describes the inner details of the authentication framework and 63the abstraction mechanisms available to specify a Chain of Trust. 64 65Framework design 66---------------- 67 68This section describes some aspects of the framework design and the rationale 69behind them. These aspects are key to verify a Chain of Trust. 70 71Chain of Trust 72~~~~~~~~~~~~~~ 73 74A CoT is basically a sequence of authentication images which usually starts with 75a root of trust and culminates in a single data image. The following diagram 76illustrates how this maps to a CoT for the BL31 image described in the 77`TBBR-Client specification`_. 78 79:: 80 81 +------------------+ +-------------------+ 82 | ROTPK/ROTPK Hash |------>| Trusted Key | 83 +------------------+ | Certificate | 84 | (Auth Image) | 85 /+-------------------+ 86 / | 87 / | 88 / | 89 / | 90 L v 91 +------------------+ +-------------------+ 92 | Trusted World |------>| BL31 Key | 93 | Public Key | | Certificate | 94 +------------------+ | (Auth Image) | 95 +-------------------+ 96 / | 97 / | 98 / | 99 / | 100 / v 101 +------------------+ L +-------------------+ 102 | BL31 Content |------>| BL31 Content | 103 | Certificate PK | | Certificate | 104 +------------------+ | (Auth Image) | 105 +-------------------+ 106 / | 107 / | 108 / | 109 / | 110 / v 111 +------------------+ L +-------------------+ 112 | BL31 Hash |------>| BL31 Image | 113 | | | (Data Image) | 114 +------------------+ | | 115 +-------------------+ 116 117 DIAGRAM 2. 118 119The root of trust is usually a public key (ROTPK) that has been burnt in the 120platform and cannot be modified. 121 122Image types 123~~~~~~~~~~~ 124 125Images in a CoT are categorised as authentication and data images. An 126authentication image contains information to authenticate a data image or 127another authentication image. A data image is usually a boot loader binary, but 128it could be any other data that requires authentication. 129 130Component responsibilities 131~~~~~~~~~~~~~~~~~~~~~~~~~~ 132 133For every image in a Chain of Trust, the following high level operations are 134performed to verify it: 135 136#. Allocate memory for the image either statically or at runtime. 137 138#. Identify the image and load it in the allocated memory. 139 140#. Check the integrity of the image as per its type. 141 142#. Authenticate the image as per the cryptographic algorithms used. 143 144#. If the image is an authentication image, extract the information that will 145 be used to authenticate the next image in the CoT. 146 147In Diagram 1, each component is responsible for one or more of these operations. 148The responsibilities are briefly described below. 149 150TF-A Generic code and IO framework (GEN/IO) 151^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 152 153These components are responsible for initiating the authentication process for a 154particular image in BL1 or BL2. For each BL image that requires authentication, 155the Generic code asks recursively the Authentication module what is the parent 156image until either an authenticated image or the ROT is reached. Then the 157Generic code calls the IO framework to load the image and calls the 158Authentication module to authenticate it, following the CoT from ROT to Image. 159 160TF-A Platform Port (PP) 161^^^^^^^^^^^^^^^^^^^^^^^ 162 163The platform is responsible for: 164 165#. Specifying the CoT for each image that needs to be authenticated. Details of 166 how a CoT can be specified by the platform are explained later. The platform 167 also specifies the authentication methods and the parsing method used for 168 each image. 169 170#. Statically allocating memory for each parameter in each image which is 171 used for verifying the CoT, e.g. memory for public keys, hashes etc. 172 173#. Providing the ROTPK or a hash of it. 174 175#. Providing additional information to the IPM to enable it to identify and 176 extract authentication parameters contained in an image, e.g. if the 177 parameters are stored as X509v3 extensions, the corresponding OID must be 178 provided. 179 180#. Fulfill any other memory requirements of the IPM and the CM (not currently 181 described in this document). 182 183#. Export functions to verify an image which uses an authentication method that 184 cannot be interpreted by the CM, e.g. if an image has to be verified using a 185 NV counter, then the value of the counter to compare with can only be 186 provided by the platform. 187 188#. Export a custom IPM if a proprietary image format is being used (described 189 later). 190 191Authentication Module (AM) 192^^^^^^^^^^^^^^^^^^^^^^^^^^ 193 194It is responsible for: 195 196#. Providing the necessary abstraction mechanisms to describe a CoT. Amongst 197 other things, the authentication and image parsing methods must be specified 198 by the PP in the CoT. 199 200#. Verifying the CoT passed by GEN by utilising functionality exported by the 201 PP, IPM and CM. 202 203#. Tracking which images have been verified. In case an image is a part of 204 multiple CoTs then it should be verified only once e.g. the Trusted World 205 Key Certificate in the TBBR-Client spec. contains information to verify 206 SCP_BL2, BL31, BL32 each of which have a separate CoT. (This 207 responsibility has not been described in this document but should be 208 trivial to implement). 209 210#. Reusing memory meant for a data image to verify authentication images e.g. 211 in the CoT described in Diagram 2, each certificate can be loaded and 212 verified in the memory reserved by the platform for the BL31 image. By the 213 time BL31 (the data image) is loaded, all information to authenticate it 214 will have been extracted from the parent image i.e. BL31 content 215 certificate. It is assumed that the size of an authentication image will 216 never exceed the size of a data image. It should be possible to verify this 217 at build time using asserts. 218 219Cryptographic Module (CM) 220^^^^^^^^^^^^^^^^^^^^^^^^^ 221 222The CM is responsible for providing an API to: 223 224#. Verify a digital signature. 225#. Verify a hash. 226 227The CM does not include any cryptography related code, but it relies on an 228external library to perform the cryptographic operations. A Crypto-Library (CL) 229linking the CM and the external library must be implemented. The following 230functions must be provided by the CL: 231 232.. code:: c 233 234 void (*init)(void); 235 int (*verify_signature)(void *data_ptr, unsigned int data_len, 236 void *sig_ptr, unsigned int sig_len, 237 void *sig_alg, unsigned int sig_alg_len, 238 void *pk_ptr, unsigned int pk_len); 239 int (*calc_hash)(enum crypto_md_algo alg, void *data_ptr, 240 unsigned int data_len, 241 unsigned char output[CRYPTO_MD_MAX_SIZE]) 242 int (*verify_hash)(void *data_ptr, unsigned int data_len, 243 void *digest_info_ptr, unsigned int digest_info_len); 244 int (*auth_decrypt)(enum crypto_dec_algo dec_algo, void *data_ptr, 245 size_t len, const void *key, unsigned int key_len, 246 unsigned int key_flags, const void *iv, 247 unsigned int iv_len, const void *tag, 248 unsigned int tag_len); 249 250These functions are registered in the CM using the macro: 251 252.. code:: c 253 254 REGISTER_CRYPTO_LIB(_name, 255 _init, 256 _verify_signature, 257 _verify_hash, 258 _calc_hash, 259 _auth_decrypt, 260 _convert_pk); 261 262``_name`` must be a string containing the name of the CL. This name is used for 263debugging purposes. 264 265Crypto module provides a function ``_calc_hash`` to calculate and 266return the hash of the given data using the provided hash algorithm. 267This function is mainly used in the ``MEASURED_BOOT`` and ``DRTM_SUPPORT`` 268features to calculate the hashes of various images/data. 269 270Optionally, a platform function can be provided to convert public key 271(_convert_pk). It is only used if the platform saves a hash of the ROTPK. 272Most platforms save the hash of the ROTPK, but some may save slightly different 273information - e.g the hash of the ROTPK plus some related information. 274Defining this function allows to transform the ROTPK used to verify 275the signature to the buffer (a platform specific public key) which 276hash is saved in OTP. 277 278.. code:: c 279 280 int (*convert_pk)(void *full_pk_ptr, unsigned int full_pk_len, 281 void **hashed_pk_ptr, unsigned int *hashed_pk_len); 282 283 284- ``full_pk_ptr``: Pointer to Distinguished Encoding Rules (DER) ROTPK. 285- ``full_pk_len``: DER ROTPK size. 286- ``hashed_pk_ptr``: to return a pointer to a buffer, which hash should be the one saved in OTP. 287- ``hashed_pk_len``: previous buffer size 288 289Image Parser Module (IPM) 290^^^^^^^^^^^^^^^^^^^^^^^^^ 291 292The IPM is responsible for: 293 294#. Checking the integrity of each image loaded by the IO framework. 295#. Extracting parameters used for authenticating an image based upon a 296 description provided by the platform in the CoT descriptor. 297 298Images may have different formats (for example, authentication images could be 299x509v3 certificates, signed ELF files or any other platform specific format). 300The IPM allows to register an Image Parser Library (IPL) for every image format 301used in the CoT. This library must implement the specific methods to parse the 302image. The IPM obtains the image format from the CoT and calls the right IPL to 303check the image integrity and extract the authentication parameters. 304 305See Section "Describing the image parsing methods" for more details about the 306mechanism the IPM provides to define and register IPLs. 307 308Authentication methods 309~~~~~~~~~~~~~~~~~~~~~~ 310 311The AM supports the following authentication methods: 312 313#. Hash 314#. Digital signature 315 316The platform may specify these methods in the CoT in case it decides to define 317a custom CoT instead of reusing a predefined one. 318 319If a data image uses multiple methods, then all the methods must be a part of 320the same CoT. The number and type of parameters are method specific. These 321parameters should be obtained from the parent image using the IPM. 322 323#. Hash 324 325 Parameters: 326 327 #. A pointer to data to hash 328 #. Length of the data 329 #. A pointer to the hash 330 #. Length of the hash 331 332 The hash will be represented by the DER encoding of the following ASN.1 333 type: 334 335 :: 336 337 DigestInfo ::= SEQUENCE { 338 digestAlgorithm DigestAlgorithmIdentifier, 339 digest Digest 340 } 341 342 This ASN.1 structure makes it possible to remove any assumption about the 343 type of hash algorithm used as this information accompanies the hash. This 344 should allow the Cryptography Library (CL) to support multiple hash 345 algorithm implementations. 346 347#. Digital Signature 348 349 Parameters: 350 351 #. A pointer to data to sign 352 #. Length of the data 353 #. Public Key Algorithm 354 #. Public Key value 355 #. Digital Signature Algorithm 356 #. Digital Signature value 357 358 The Public Key parameters will be represented by the DER encoding of the 359 following ASN.1 type: 360 361 :: 362 363 SubjectPublicKeyInfo ::= SEQUENCE { 364 algorithm AlgorithmIdentifier{PUBLIC-KEY,{PublicKeyAlgorithms}}, 365 subjectPublicKey BIT STRING } 366 367 The Digital Signature Algorithm will be represented by the DER encoding of 368 the following ASN.1 types. 369 370 :: 371 372 AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE { 373 algorithm ALGORITHM.&id({IOSet}), 374 parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL 375 } 376 377 The digital signature will be represented by: 378 379 :: 380 381 signature ::= BIT STRING 382 383The authentication framework will use the image descriptor to extract all the 384information related to authentication. 385 386Specifying a Chain of Trust 387--------------------------- 388 389A CoT can be described as a set of image descriptors linked together in a 390particular order. The order dictates the sequence in which they must be 391verified. Each image has a set of properties which allow the AM to verify it. 392These properties are described below. 393 394The PP is responsible for defining a single or multiple CoTs for a data image. 395Unless otherwise specified, the data structures described in the following 396sections are populated by the PP statically. 397 398Describing the image parsing methods 399~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 400 401The parsing method refers to the format of a particular image. For example, an 402authentication image that represents a certificate could be in the X.509v3 403format. A data image that represents a boot loader stage could be in raw binary 404or ELF format. The IPM supports three parsing methods. An image has to use one 405of the three methods described below. An IPL is responsible for interpreting a 406single parsing method. There has to be one IPL for every method used by the 407platform. 408 409#. Raw format: This format is effectively a nop as an image using this method 410 is treated as being in raw binary format e.g. boot loader images used by 411 TF-A. This method should only be used by data images. 412 413#. X509V3 method: This method uses industry standards like X.509 to represent 414 PKI certificates (authentication images). It is expected that open source 415 libraries will be available which can be used to parse an image represented 416 by this method. Such libraries can be used to write the corresponding IPL 417 e.g. the X.509 parsing library code in mbed TLS. 418 419#. Platform defined method: This method caters for platform specific 420 proprietary standards to represent authentication or data images. For 421 example, The signature of a data image could be appended to the data image 422 raw binary. A header could be prepended to the combined blob to specify the 423 extents of each component. The platform will have to implement the 424 corresponding IPL to interpret such a format. 425 426The following enum can be used to define these three methods. 427 428.. code:: c 429 430 typedef enum img_type_enum { 431 IMG_RAW, /* Binary image */ 432 IMG_PLAT, /* Platform specific format */ 433 IMG_CERT, /* X509v3 certificate */ 434 IMG_MAX_TYPES, 435 } img_type_t; 436 437An IPL must provide functions with the following prototypes: 438 439.. code:: c 440 441 void init(void); 442 int check_integrity(void *img, unsigned int img_len); 443 int get_auth_param(const auth_param_type_desc_t *type_desc, 444 void *img, unsigned int img_len, 445 void **param, unsigned int *param_len); 446 447An IPL for each type must be registered using the following macro: 448 449.. code:: c 450 451 REGISTER_IMG_PARSER_LIB(_type, _name, _init, _check_int, _get_param) 452 453- ``_type``: one of the types described above. 454- ``_name``: a string containing the IPL name for debugging purposes. 455- ``_init``: initialization function pointer. 456- ``_check_int``: check image integrity function pointer. 457- ``_get_param``: extract authentication parameter function pointer. 458 459The ``init()`` function will be used to initialize the IPL. 460 461The ``check_integrity()`` function is passed a pointer to the memory where the 462image has been loaded by the IO framework and the image length. It should ensure 463that the image is in the format corresponding to the parsing method and has not 464been tampered with. For example, RFC-2459 describes a validation sequence for an 465X.509 certificate. 466 467The ``get_auth_param()`` function is passed a parameter descriptor containing 468information about the parameter (``type_desc`` and ``cookie``) to identify and 469extract the data corresponding to that parameter from an image. This data will 470be used to verify either the current or the next image in the CoT sequence. 471 472Each image in the CoT will specify the parsing method it uses. This information 473will be used by the IPM to find the right parser descriptor for the image. 474 475Describing the authentication method(s) 476~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 477 478As part of the CoT, each image has to specify one or more authentication methods 479which will be used to verify it. As described in the Section "Authentication 480methods", there are three methods supported by the AM. 481 482.. code:: c 483 484 typedef enum { 485 AUTH_METHOD_NONE, 486 AUTH_METHOD_HASH, 487 AUTH_METHOD_SIG, 488 AUTH_METHOD_NUM 489 } auth_method_type_t; 490 491The AM defines the type of each parameter used by an authentication method. It 492uses this information to: 493 494#. Specify to the ``get_auth_param()`` function exported by the IPM, which 495 parameter should be extracted from an image. 496 497#. Correctly marshall the parameters while calling the verification function 498 exported by the CM and PP. 499 500#. Extract authentication parameters from a parent image in order to verify a 501 child image e.g. to verify the certificate image, the public key has to be 502 obtained from the parent image. 503 504.. code:: c 505 506 typedef enum { 507 AUTH_PARAM_NONE, 508 AUTH_PARAM_RAW_DATA, /* Raw image data */ 509 AUTH_PARAM_SIG, /* The image signature */ 510 AUTH_PARAM_SIG_ALG, /* The image signature algorithm */ 511 AUTH_PARAM_HASH, /* A hash (including the algorithm) */ 512 AUTH_PARAM_PUB_KEY, /* A public key */ 513 AUTH_PARAM_NV_CTR, /* A non-volatile counter */ 514 } auth_param_type_t; 515 516The AM defines the following structure to identify an authentication parameter 517required to verify an image. 518 519.. code:: c 520 521 typedef struct auth_param_type_desc_s { 522 auth_param_type_t type; 523 void *cookie; 524 } auth_param_type_desc_t; 525 526``cookie`` is used by the platform to specify additional information to the IPM 527which enables it to uniquely identify the parameter that should be extracted 528from an image. For example, the hash of a BL3x image in its corresponding 529content certificate is stored in an X509v3 custom extension field. An extension 530field can only be identified using an OID. In this case, the ``cookie`` could 531contain the pointer to the OID defined by the platform for the hash extension 532field while the ``type`` field could be set to ``AUTH_PARAM_HASH``. A value of 0 for 533the ``cookie`` field means that it is not used. 534 535For each method, the AM defines a structure with the parameters required to 536verify the image. 537 538.. code:: c 539 540 /* 541 * Parameters for authentication by hash matching 542 */ 543 typedef struct auth_method_param_hash_s { 544 auth_param_type_desc_t *data; /* Data to hash */ 545 auth_param_type_desc_t *hash; /* Hash to match with */ 546 } auth_method_param_hash_t; 547 548 /* 549 * Parameters for authentication by signature 550 */ 551 typedef struct auth_method_param_sig_s { 552 auth_param_type_desc_t *pk; /* Public key */ 553 auth_param_type_desc_t *sig; /* Signature to check */ 554 auth_param_type_desc_t *alg; /* Signature algorithm */ 555 auth_param_type_desc_t *tbs; /* Data signed */ 556 } auth_method_param_sig_t; 557 558The AM defines the following structure to describe an authentication method for 559verifying an image 560 561.. code:: c 562 563 /* 564 * Authentication method descriptor 565 */ 566 typedef struct auth_method_desc_s { 567 auth_method_type_t type; 568 union { 569 auth_method_param_hash_t hash; 570 auth_method_param_sig_t sig; 571 } param; 572 } auth_method_desc_t; 573 574Using the method type specified in the ``type`` field, the AM finds out what field 575needs to access within the ``param`` union. 576 577Storing Authentication parameters 578~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 579 580A parameter described by ``auth_param_type_desc_t`` to verify an image could be 581obtained from either the image itself or its parent image. The memory allocated 582for loading the parent image will be reused for loading the child image. Hence 583parameters which are obtained from the parent for verifying a child image need 584to have memory allocated for them separately where they can be stored. This 585memory must be statically allocated by the platform port. 586 587The AM defines the following structure to store the data corresponding to an 588authentication parameter. 589 590.. code:: c 591 592 typedef struct auth_param_data_desc_s { 593 void *auth_param_ptr; 594 unsigned int auth_param_len; 595 } auth_param_data_desc_t; 596 597The ``auth_param_ptr`` field is initialized by the platform. The ``auth_param_len`` 598field is used to specify the length of the data in the memory. 599 600For parameters that can be obtained from the child image itself, the IPM is 601responsible for populating the ``auth_param_ptr`` and ``auth_param_len`` fields 602while executing the ``img_get_auth_param()`` function. 603 604The AM defines the following structure to enable an image to describe the 605parameters that should be extracted from it and used to verify the next image 606(child) in a CoT. 607 608.. code:: c 609 610 typedef struct auth_param_desc_s { 611 auth_param_type_desc_t type_desc; 612 auth_param_data_desc_t data; 613 } auth_param_desc_t; 614 615Describing an image in a CoT 616~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 617 618An image in a CoT is a consolidation of the following aspects of a CoT described 619above. 620 621#. A unique identifier specified by the platform which allows the IO framework 622 to locate the image in a FIP and load it in the memory reserved for the data 623 image in the CoT. 624 625#. A parsing method which is used by the AM to find the appropriate IPM. 626 627#. Authentication methods and their parameters as described in the previous 628 section. These are used to verify the current image. 629 630#. Parameters which are used to verify the next image in the current CoT. These 631 parameters are specified only by authentication images and can be extracted 632 from the current image once it has been verified. 633 634The following data structure describes an image in a CoT. 635 636.. code:: c 637 638 typedef struct auth_img_desc_s { 639 unsigned int img_id; 640 const struct auth_img_desc_s *parent; 641 img_type_t img_type; 642 const auth_method_desc_t *const img_auth_methods; 643 const auth_param_desc_t *const authenticated_data; 644 } auth_img_desc_t; 645 646A CoT is defined as an array of pointers to ``auth_image_desc_t`` structures 647linked together by the ``parent`` field. Those nodes with no parent must be 648authenticated using the ROTPK stored in the platform. 649 650Implementation example 651---------------------- 652 653This section is a detailed guide explaining a trusted boot implementation using 654the authentication framework. This example corresponds to the Applicative 655Functional Mode (AFM) as specified in the TBBR-Client document. It is 656recommended to read this guide along with the source code. 657 658The TBBR CoT 659~~~~~~~~~~~~ 660 661CoT specific to BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_bl1.c`` 662and ``drivers/auth/tbbr/tbbr_cot_bl2.c`` respectively. The common CoT used across 663BL1 and BL2 can be found in ``drivers/auth/tbbr/tbbr_cot_common.c``. 664This CoT consists of an array of pointers to image descriptors and it is 665registered in the framework using the macro ``REGISTER_COT(cot_desc)``, where 666``cot_desc`` must be the name of the array (passing a pointer or any other 667type of indirection will cause the registration process to fail). 668 669The number of images participating in the boot process depends on the CoT. 670There is, however, a minimum set of images that are mandatory in TF-A and thus 671all CoTs must present: 672 673- ``BL2`` 674- ``SCP_BL2`` (platform specific) 675- ``BL31`` 676- ``BL32`` (optional) 677- ``BL33`` 678 679The TBBR specifies the additional certificates that must accompany these images 680for a proper authentication. Details about the TBBR CoT may be found in the 681:ref:`Trusted Board Boot` document. 682 683Following the :ref:`Porting Guide`, a platform must provide unique 684identifiers for all the images and certificates that will be loaded during the 685boot process. If a platform is using the TBBR as a reference for trusted boot, 686these identifiers can be obtained from ``include/common/tbbr/tbbr_img_def.h``. 687Arm platforms include this file in ``include/plat/arm/common/arm_def.h``. Other 688platforms may also include this file or provide their own identifiers. 689 690**Important**: the authentication module uses these identifiers to index the 691CoT array, so the descriptors location in the array must match the identifiers. 692 693Each image descriptor must specify: 694 695- ``img_id``: the corresponding image unique identifier defined by the platform. 696- ``img_type``: the image parser module uses the image type to call the proper 697 parsing library to check the image integrity and extract the required 698 authentication parameters. Three types of images are currently supported: 699 700 - ``IMG_RAW``: image is a raw binary. No parsing functions are available, 701 other than reading the whole image. 702 - ``IMG_PLAT``: image format is platform specific. The platform may use this 703 type for custom images not directly supported by the authentication 704 framework. 705 - ``IMG_CERT``: image is an x509v3 certificate. 706 707- ``parent``: pointer to the parent image descriptor. The parent will contain 708 the information required to authenticate the current image. If the parent 709 is NULL, the authentication parameters will be obtained from the platform 710 (i.e. the BL2 and Trusted Key certificates are signed with the ROT private 711 key, whose public part is stored in the platform). 712- ``img_auth_methods``: this points to an array which defines the 713 authentication methods that must be checked to consider an image 714 authenticated. Each method consists of a type and a list of parameter 715 descriptors. A parameter descriptor consists of a type and a cookie which 716 will point to specific information required to extract that parameter from 717 the image (i.e. if the parameter is stored in an x509v3 extension, the 718 cookie will point to the extension OID). Depending on the method type, a 719 different number of parameters must be specified. This pointer should not be 720 NULL. 721 Supported methods are: 722 723 - ``AUTH_METHOD_HASH``: the hash of the image must match the hash extracted 724 from the parent image. The following parameter descriptors must be 725 specified: 726 727 - ``data``: data to be hashed (obtained from current image) 728 - ``hash``: reference hash (obtained from parent image) 729 730 - ``AUTH_METHOD_SIG``: the image (usually a certificate) must be signed with 731 the private key whose public part is extracted from the parent image (or 732 the platform if the parent is NULL). The following parameter descriptors 733 must be specified: 734 735 - ``pk``: the public key (obtained from parent image) 736 - ``sig``: the digital signature (obtained from current image) 737 - ``alg``: the signature algorithm used (obtained from current image) 738 - ``data``: the data to be signed (obtained from current image) 739 740- ``authenticated_data``: this array pointer indicates what authentication 741 parameters must be extracted from an image once it has been authenticated. 742 Each parameter consists of a parameter descriptor and the buffer 743 address/size to store the parameter. The CoT is responsible for allocating 744 the required memory to store the parameters. This pointer may be NULL. 745 746In the ``tbbr_cot*.c`` file, a set of buffers are allocated to store the parameters 747extracted from the certificates. In the case of the TBBR CoT, these parameters 748are hashes and public keys. In DER format, an RSA-4096 public key requires 550 749bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication 750process, some of the buffers may be reused at different stages during the boot. 751 752Next in that file, the parameter descriptors are defined. These descriptors will 753be used to extract the parameter data from the corresponding image. 754 755Example: the BL31 Chain of Trust 756^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 757 758Four image descriptors form the BL31 Chain of Trust: 759 760.. code:: c 761 762 static const auth_img_desc_t trusted_key_cert = { 763 .img_id = TRUSTED_KEY_CERT_ID, 764 .img_type = IMG_CERT, 765 .parent = NULL, 766 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 767 [0] = { 768 .type = AUTH_METHOD_SIG, 769 .param.sig = { 770 .pk = &subject_pk, 771 .sig = &sig, 772 .alg = &sig_alg, 773 .data = &raw_data 774 } 775 }, 776 [1] = { 777 .type = AUTH_METHOD_NV_CTR, 778 .param.nv_ctr = { 779 .cert_nv_ctr = &trusted_nv_ctr, 780 .plat_nv_ctr = &trusted_nv_ctr 781 } 782 } 783 }, 784 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 785 [0] = { 786 .type_desc = &trusted_world_pk, 787 .data = { 788 .ptr = (void *)trusted_world_pk_buf, 789 .len = (unsigned int)PK_DER_LEN 790 } 791 }, 792 [1] = { 793 .type_desc = &non_trusted_world_pk, 794 .data = { 795 .ptr = (void *)non_trusted_world_pk_buf, 796 .len = (unsigned int)PK_DER_LEN 797 } 798 } 799 } 800 }; 801 static const auth_img_desc_t soc_fw_key_cert = { 802 .img_id = SOC_FW_KEY_CERT_ID, 803 .img_type = IMG_CERT, 804 .parent = &trusted_key_cert, 805 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 806 [0] = { 807 .type = AUTH_METHOD_SIG, 808 .param.sig = { 809 .pk = &trusted_world_pk, 810 .sig = &sig, 811 .alg = &sig_alg, 812 .data = &raw_data 813 } 814 }, 815 [1] = { 816 .type = AUTH_METHOD_NV_CTR, 817 .param.nv_ctr = { 818 .cert_nv_ctr = &trusted_nv_ctr, 819 .plat_nv_ctr = &trusted_nv_ctr 820 } 821 } 822 }, 823 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 824 [0] = { 825 .type_desc = &soc_fw_content_pk, 826 .data = { 827 .ptr = (void *)content_pk_buf, 828 .len = (unsigned int)PK_DER_LEN 829 } 830 } 831 } 832 }; 833 static const auth_img_desc_t soc_fw_content_cert = { 834 .img_id = SOC_FW_CONTENT_CERT_ID, 835 .img_type = IMG_CERT, 836 .parent = &soc_fw_key_cert, 837 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 838 [0] = { 839 .type = AUTH_METHOD_SIG, 840 .param.sig = { 841 .pk = &soc_fw_content_pk, 842 .sig = &sig, 843 .alg = &sig_alg, 844 .data = &raw_data 845 } 846 }, 847 [1] = { 848 .type = AUTH_METHOD_NV_CTR, 849 .param.nv_ctr = { 850 .cert_nv_ctr = &trusted_nv_ctr, 851 .plat_nv_ctr = &trusted_nv_ctr 852 } 853 } 854 }, 855 .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) { 856 [0] = { 857 .type_desc = &soc_fw_hash, 858 .data = { 859 .ptr = (void *)soc_fw_hash_buf, 860 .len = (unsigned int)HASH_DER_LEN 861 } 862 }, 863 [1] = { 864 .type_desc = &soc_fw_config_hash, 865 .data = { 866 .ptr = (void *)soc_fw_config_hash_buf, 867 .len = (unsigned int)HASH_DER_LEN 868 } 869 } 870 } 871 }; 872 static const auth_img_desc_t bl31_image = { 873 .img_id = BL31_IMAGE_ID, 874 .img_type = IMG_RAW, 875 .parent = &soc_fw_content_cert, 876 .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { 877 [0] = { 878 .type = AUTH_METHOD_HASH, 879 .param.hash = { 880 .data = &raw_data, 881 .hash = &soc_fw_hash 882 } 883 } 884 } 885 }; 886 887The **Trusted Key certificate** is signed with the ROT private key and contains 888the Trusted World public key and the Non-Trusted World public key as x509v3 889extensions. This must be specified in the image descriptor using the 890``img_auth_methods`` and ``authenticated_data`` arrays, respectively. 891 892The Trusted Key certificate is authenticated by checking its digital signature 893using the ROTPK. Four parameters are required to check a signature: the public 894key, the algorithm, the signature and the data that has been signed. Therefore, 895four parameter descriptors must be specified with the authentication method: 896 897- ``subject_pk``: parameter descriptor of type ``AUTH_PARAM_PUB_KEY``. This type 898 is used to extract a public key from the parent image. If the cookie is an 899 OID, the key is extracted from the corresponding x509v3 extension. If the 900 cookie is NULL, the subject public key is retrieved. In this case, because 901 the parent image is NULL, the public key is obtained from the platform 902 (this key will be the ROTPK). 903- ``sig``: parameter descriptor of type ``AUTH_PARAM_SIG``. It is used to extract 904 the signature from the certificate. 905- ``sig_alg``: parameter descriptor of type ``AUTH_PARAM_SIG``. It is used to 906 extract the signature algorithm from the certificate. 907- ``raw_data``: parameter descriptor of type ``AUTH_PARAM_RAW_DATA``. It is used 908 to extract the data to be signed from the certificate. 909 910Once the signature has been checked and the certificate authenticated, the 911Trusted World public key needs to be extracted from the certificate. A new entry 912is created in the ``authenticated_data`` array for that purpose. In that entry, 913the corresponding parameter descriptor must be specified along with the buffer 914address to store the parameter value. In this case, the ``trusted_world_pk`` 915descriptor is used to extract the public key from an x509v3 extension with OID 916``TRUSTED_WORLD_PK_OID``. The BL31 key certificate will use this descriptor as 917parameter in the signature authentication method. The key is stored in the 918``trusted_world_pk_buf`` buffer. 919 920The **BL31 Key certificate** is authenticated by checking its digital signature 921using the Trusted World public key obtained previously from the Trusted Key 922certificate. In the image descriptor, we specify a single authentication method 923by signature whose public key is the ``trusted_world_pk``. Once this certificate 924has been authenticated, we have to extract the BL31 public key, stored in the 925extension specified by ``soc_fw_content_pk``. This key will be copied to the 926``content_pk_buf`` buffer. 927 928The **BL31 certificate** is authenticated by checking its digital signature 929using the BL31 public key obtained previously from the BL31 Key certificate. 930We specify the authentication method using ``soc_fw_content_pk`` as public key. 931After authentication, we need to extract the BL31 hash, stored in the extension 932specified by ``soc_fw_hash``. This hash will be copied to the 933``soc_fw_hash_buf`` buffer. 934 935The **BL31 image** is authenticated by calculating its hash and matching it 936with the hash obtained from the BL31 certificate. The image descriptor contains 937a single authentication method by hash. The parameters to the hash method are 938the reference hash, ``soc_fw_hash``, and the data to be hashed. In this case, 939it is the whole image, so we specify ``raw_data``. 940 941The image parser library 942~~~~~~~~~~~~~~~~~~~~~~~~ 943 944The image parser module relies on libraries to check the image integrity and 945extract the authentication parameters. The number and type of parser libraries 946depend on the images used in the CoT. Raw images do not need a library, so 947only an x509v3 library is required for the TBBR CoT. 948 949Arm platforms will use an x509v3 library based on mbed TLS. This library may be 950found in ``drivers/auth/mbedtls/mbedtls_x509_parser.c``. It exports three 951functions: 952 953.. code:: c 954 955 void init(void); 956 int check_integrity(void *img, unsigned int img_len); 957 int get_auth_param(const auth_param_type_desc_t *type_desc, 958 void *img, unsigned int img_len, 959 void **param, unsigned int *param_len); 960 961The library is registered in the framework using the macro 962``REGISTER_IMG_PARSER_LIB()``. Each time the image parser module needs to access 963an image of type ``IMG_CERT``, it will call the corresponding function exported 964in this file. 965 966The build system must be updated to include the corresponding library and 967mbed TLS sources. Arm platforms use the ``arm_common.mk`` file to pull the 968sources. 969 970The cryptographic library 971~~~~~~~~~~~~~~~~~~~~~~~~~ 972 973The cryptographic module relies on a library to perform the required operations, 974i.e. verify a hash or a digital signature. Arm platforms will use a library 975based on mbed TLS, which can be found in 976``drivers/auth/mbedtls/mbedtls_crypto.c``. This library is registered in the 977authentication framework using the macro ``REGISTER_CRYPTO_LIB()`` and exports 978below functions: 979 980.. code:: c 981 982 void init(void); 983 int verify_signature(void *data_ptr, unsigned int data_len, 984 void *sig_ptr, unsigned int sig_len, 985 void *sig_alg, unsigned int sig_alg_len, 986 void *pk_ptr, unsigned int pk_len); 987 int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr, 988 unsigned int data_len, 989 unsigned char output[CRYPTO_MD_MAX_SIZE]) 990 int verify_hash(void *data_ptr, unsigned int data_len, 991 void *digest_info_ptr, unsigned int digest_info_len); 992 int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, 993 size_t len, const void *key, unsigned int key_len, 994 unsigned int key_flags, const void *iv, 995 unsigned int iv_len, const void *tag, 996 unsigned int tag_len) 997 998The mbedTLS library algorithm support is configured by both the 999``TF_MBEDTLS_KEY_ALG`` and ``TF_MBEDTLS_KEY_SIZE`` variables. 1000 1001- ``TF_MBEDTLS_KEY_ALG`` can take in 3 values: `rsa`, `ecdsa` or `rsa+ecdsa`. 1002 This variable allows the Makefile to include the corresponding sources in 1003 the build for the various algorithms. Setting the variable to `rsa+ecdsa` 1004 enables support for both rsa and ecdsa algorithms in the mbedTLS library. 1005 1006- ``TF_MBEDTLS_KEY_SIZE`` sets the supported RSA key size for TFA. Valid values 1007 include 1024, 2048, 3072 and 4096. 1008 1009- ``TF_MBEDTLS_USE_AES_GCM`` enables the authenticated decryption support based 1010 on AES-GCM algorithm. Valid values are 0 and 1. 1011 1012.. note:: 1013 If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can 1014 be defined in the platform Makefile. It will make mbed TLS use an 1015 implementation of SHA-256 with smaller memory footprint (~1.5 KB less) but 1016 slower (~30%). 1017 1018-------------- 1019 1020*Copyright (c) 2017-2023, Arm Limited and Contributors. All rights reserved.* 1021 1022.. _TBBR-Client specification: https://developer.arm.com/docs/den0006/latest 1023