| Joakim Bech | 8e5c5b3 | 2018-10-25 08:18:32 +0200 | [diff] [blame] | 1 | .. _secure_boot: |
| 2 | |
| 3 | ########### |
| 4 | Secure boot |
| 5 | ########### |
| 6 | |
| 7 | Armv8-A - Using the authentication framework in TF-A |
| 8 | **************************************************** |
| 9 | This section gives a brief description on how to enable the verification of |
| 10 | OP-TEE using the authentication framework in Trusted Firmware A (TF-A), i.e., |
| 11 | something that could be used in an Armv8-A environment. |
| 12 | |
| 13 | According to user-guide.rst_, there is no additional specific build options for |
| 14 | the verification of OP-TEE. If we have enabled the authentication framework and |
| 15 | specified the ``BL32`` build option when building TF-A, the BL32 related |
| 16 | certificates will be created automatically by the cert_create tool, and then |
| 17 | these certificates will be verified during booting up. |
| 18 | |
| 19 | To enable the authentication framework, the following steps should be followed |
| 20 | according to user-guide.rst_. For more details about the authentication |
| 21 | framework, please see auth-framework.rst_ and trusted-board-boot.rst_. |
| 22 | |
| 23 | - Check out a recent version of the `mbed TLS`_ repository and then switch |
| 24 | to tag mbedtls-2.2.0 |
| 25 | |
| 26 | - Besides the normal build options, add the following build options for TF-A |
| 27 | |
| 28 | .. code-block:: bash |
| 29 | |
| 30 | MBEDTLS_DIR=<path of the directory containing mbed TLS sources> |
| 31 | TRUSTED_BOARD_BOOT=1 |
| 32 | GENERATE_COT=1 |
| 33 | ARM_ROTPK_LOCATION=devel_rsa |
| 34 | ROT_KEY=<TF-A-PATH/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem> |
| 35 | |
| 36 | Above steps have been tested on FVP platform, all verification steps are OK and |
| 37 | xtest runs successfully without regression. |
| 38 | |
| 39 | Armv7-A systems |
| 40 | *************** |
| 41 | Unlike for Armv8-A systems where one can use a more standardized way of doing |
| 42 | secure boot by leverage the authentication framework as described above, most |
| 43 | device manufacturers have their own way of doing secure boot. Please reach out |
| 44 | directly to the manufacturer for the device you are working with to be able to |
| 45 | understand how to do secure boot on their devices. |
| 46 | |
| Etienne Carriere | e04a38b | 2021-03-13 14:04:49 +0100 | [diff] [blame] | 47 | Note however that TF-A supports Armv7-A with Trustzone extension and we |
| 48 | strongly encourage one to look at TF-A and use its BL2 as secure boot loader. |
| 49 | |
| Rouven Czerwinski | 9724aec | 2019-10-30 14:42:18 +0100 | [diff] [blame] | 50 | .. _auth-framework.rst : https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/design/auth-framework.rst |
| Joakim Bech | 8e5c5b3 | 2018-10-25 08:18:32 +0200 | [diff] [blame] | 51 | .. _mbed TLS: https://github.com/ARMmbed/mbedtls.git |
| Rouven Czerwinski | 9724aec | 2019-10-30 14:42:18 +0100 | [diff] [blame] | 52 | .. _user-guide.rst: https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/getting_started/user-guide.rst |
| 53 | .. _trusted-board-boot.rst: https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/design/trusted-board-boot.rst |