TF-A BL2 Trusted Board Boot

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

Applicable for

STM32MP13x lines, STM32MP15x lines

1. Article purpose[edit source]

The main purpose of this article is to give main steps on how to enable the trusted boot support in the Trusted Firmware-A component.

2. Overview[edit source]

Trusted Firmware-A as a strong focus on security management. It defines a reference implementation of secure software and implements the Trusted Board Boot requirements^[1] specified by Arm^®. TF-A BL2 implements an authentication framework that uses a defined Chain of Trust (CoT) based on Arm^® TBBR requirements to achieve a secure boot.

3. Chain of trust (CoT)[edit source]

To manage the Trusted Board Boot requirements, Trusted Firmware-A manages a Public Key Infrastructure (PKI) model so called Chain of Trust^[2].

The Chain of Trust is following X509.v3^[3] certificate standard adding some specific extensions and relies on a public key infrastructure (PKI) generating self-signed certificates. The Root of Trust of this chain is based on a Root of Trust Public Key (ROTPK).

Chain of Trust manages 2 certificate types:

Key certificate used to verify public keys which have been used to sign content certificates.
Content certificate used to store the hash of a boot loader image.

4. References[edit source]

[1] ttps://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a

[2] ttps://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html#chain-of-trust

[3] ttps://tools.ietf.org/rfc/rfc5280.txt

[1]

[2]

[3]