1. Article purpose
This article describes the main steps to enable trusted boot support in the Trusted Firmware-A (TF-A) component.
2. Overview
Trusted Firmware-A has a strong focus on security management. It provides a reference implementation of secure-world software and implements the Trusted Board Boot Requirements[1] (TBBR) specified by Arm®. TF-A BL2 implements an authentication framework that walks a defined Chain of Trust (CoT), based on the Arm® TBBR, to achieve secure boot: each image loaded by BL2 is authenticated before it is executed.
3. Chain of trust (CoT)
To meet the Trusted Board Boot Requirements, Trusted Firmware-A uses a Public Key Infrastructure (PKI) model called the Chain of Trust[2].
The Chain of Trust follows the X.509 v3[3] certificate standard, with some specific extensions, and relies on a PKI that generates self-signed certificates. Because the certificates are self-signed, trust does not come from an issuer link between them: it comes from the hashes carried in their extensions, and the anchor of the whole chain is the Root of Trust Public Key (ROTPK), whose hash the platform provisions in a tamper-resistant location so that the very first certificate can be checked against it.
The Chain of Trust uses two certificate types:
- Key certificate: carries (in an extension) the hash of a public key that is used to sign content certificates, and is itself signed by a key that the previous link in the chain vouches for.
- Content certificate: carries (in an extension) the hash of a boot loader image, so that the image can be measured after loading and compared to the expected value.
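The two-level chain described above, as an added example that is not part of this page and is not TF-A's own code (TF-A generates its certificates with its cert_create tool; this is a stand-alone model written with Python's cryptography package). It assumes EC P-256 keys, hypothetical private OIDs for the two custom extensions, and raw SHA-256 digests stored directly as the extension values (TF-A encodes its hashes differently). A constructed byte string stands in for the boot loader image. The verifier mirrors what a BL2-style authentication framework does: anchor on the ROTPK hash, check the key certificate's self-signature, use its extension to decide which key may sign content, check the content certificate's self-signature, and finally compare the loaded image's hash to the one in the content certificate. The scenarios show that a tampered image, a wrong ROTPK hash and a content certificate signed by a key the key certificate does not vouch for are all rejected.

```python
"""Minimal model of a TBBR-style Chain of Trust (added example, not TF-A code)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical private OIDs for the two custom extensions (an assumption made
# for this example; TF-A defines its own OIDs).
CONTENT_PK_HASH_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")
IMAGE_HASH_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.2")


def pubkey_hash(public_key) -> bytes:
    """SHA-256 over the DER SubjectPublicKeyInfo; the ROTPK hash a platform
    provisions is modelled the same way."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).digest()


def _self_signed(signing_key, common_name: str, oid, payload: bytes) -> bytes:
    """Self-signed X.509 v3 certificate carrying one custom extension (DER)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(signing_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.UnrecognizedExtension(oid, payload), critical=False)
            .sign(signing_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)


def build_chain(rot_key, content_key, image: bytes):
    """Key certificate signed by the ROT key vouches for the content key;
    content certificate signed by the content key vouches for the image."""
    key_cert = _self_signed(rot_key, "KEY_CERT", CONTENT_PK_HASH_OID,
                            pubkey_hash(content_key.public_key()))
    content_cert = _self_signed(content_key, "CONTENT_CERT", IMAGE_HASH_OID,
                                hashlib.sha256(image).digest())
    return key_cert, content_cert


def _self_signature_ok(cert: x509.Certificate) -> bool:
    pub = cert.public_key()
    if not isinstance(pub, ec.EllipticCurvePublicKey):
        return False  # this model only accepts the key type it issues
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(rotpk_hash: bytes, key_cert_der: bytes,
                 content_cert_der: bytes, image: bytes) -> bool:
    """Walk the chain: every link is anchored in the previous one, and the
    first anchor is the ROTPK hash the verifier trusts a priori."""
    try:
        key_cert = x509.load_der_x509_certificate(key_cert_der)
        content_cert = x509.load_der_x509_certificate(content_cert_der)
        # 1. Key certificate must be signed by the key whose hash is the ROTPK hash.
        if not hmac.compare_digest(pubkey_hash(key_cert.public_key()), rotpk_hash):
            return False
        if not _self_signature_ok(key_cert):
            return False
        # 2. Content certificate must be signed by the key the key certificate names.
        allowed = key_cert.extensions.get_extension_for_oid(CONTENT_PK_HASH_OID).value.value
        if not hmac.compare_digest(pubkey_hash(content_cert.public_key()), allowed):
            return False
        if not _self_signature_ok(content_cert):
            return False
        # 3. Loaded image must match the hash the content certificate carries.
        expected = content_cert.extensions.get_extension_for_oid(IMAGE_HASH_OID).value.value
        return hmac.compare_digest(expected, hashlib.sha256(image).digest())
    except (ValueError, x509.ExtensionNotFound):
        return False


def run_scenarios() -> dict:
    """Genuine chain plus three attacks; returns the verifier's verdicts."""
    rot_key = ec.generate_private_key(ec.SECP256R1())
    content_key = ec.generate_private_key(ec.SECP256R1())
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    image = b"constructed BL2 image bytes"  # constructed sample input
    rotpk_hash = pubkey_hash(rot_key.public_key())
    key_cert, content_cert = build_chain(rot_key, content_key, image)
    _, rogue_content_cert = build_chain(rot_key, rogue_key, image)
    return {
        "genuine": verify_chain(rotpk_hash, key_cert, content_cert, image),
        "tampered_image": verify_chain(rotpk_hash, key_cert, content_cert, image + b"\x00"),
        "wrong_rotpk": verify_chain(pubkey_hash(rogue_key.public_key()), key_cert, content_cert, image),
        "unauthorised_content_key": verify_chain(rotpk_hash, key_cert, rogue_content_cert, image),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {'accepted' if verdict else 'rejected'}")
```

The point to take away is step 2: the content certificate is accepted only because its public key hashes to the value the key certificate carries, not because of any issuer relationship in the X.509 sense. A rogue content certificate that is perfectly well formed and self-consistent still fails, and so does a genuine chain checked against the wrong ROTPK hash.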