Boot: Emphasize the requirement of immutability of root of trust

Add a note to TF-M secure boot documentation which clarifies
that the first stage bootloader and ROTPK must be stored in
an immutable way to accomplish a root of trust anchor.

Change-Id: Ibd3ef9f2e4d176dcfd92fc9a51570fb47b09fc64
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/docs/user_guides/tfm_secure_boot.rst b/docs/user_guides/tfm_secure_boot.rst
index 9aed8dd..b29b38e 100644
--- a/docs/user_guides/tfm_secure_boot.rst
+++ b/docs/user_guides/tfm_secure_boot.rst
@@ -1,6 +1,6 @@
-##############################
-Trusted Firmware M secure boot
-##############################
+################
+TF-M secure boot
+################
 For secure devices it is security critical to enforce firmware authenticity to
 protect against execution of malicious software. This is implemented by building
 a trust chain where each step in the execution chain authenticates the next
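Review bot: the title shortening from "Trusted Firmware M secure boot" to "TF-M secure boot" is unrelated to the immutability note the commit message describes and would be cleaner as a separate change; if it stays, the overline and underline at the first `+` lines have been shortened to match the new 16-character title, so the rst heading remains well-formed, but any other page that links to this document by its title will need updating.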
@@ -8,6 +8,22 @@
 is implemented using asymmetric cryptography. The Root of Trust is a combination
 of an immutable bootloader and a public key (ROTPK).
 
+.. Warning::
+    In order to implement a proper chain of trust functionality, it is
+    mandatory that the first stage bootloader and ROTPK is stored in an
+    **immutable** way. To achieve this the bootloader code must be stored and
+    executed from ROM or such part of flash memory which supports write
+    protection. ROTPK can be stored in a one-time-programmable (OTP) memory. If
+    the SoC has a built-in BL1 (immutable) bootloader and the immutability of
+    TF-M secure boot code is not guaranteed then TF-M secure boot code must be
+    authenticated by BL1 bootloader before execution. If immutability of root
+    of trust (first stage bootloader + ROTPK) is not ensured then there is a
+    risk that the secure boot process could be bypassed, which could lead to
+    arbitrary code execution on the device. Current TF-M secure boot code is
+    intended to be a second stage bootloader, therefore it requires
+    authentication before execution. If TF-M secure boot code is used as a first
+    stage bootloader then it must be stored according to the above requirements.
+
 *******************************
 Second stage bootloader in TF-M
 *******************************
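Review bot: two grammar fixes and one clarification in the new warning block. "the first stage bootloader and ROTPK is stored in an **immutable** way" should read "are stored", and "such part of flash memory which supports write protection" reads better as "a region of flash memory that supports write protection". More importantly, for flash-based storage the text should state that the write protection must be enabled and locked by the immutable stage before any mutable code runs, otherwise a later stage could lift it and the bootloader is not effectively immutable. Also consider lowercasing the directive to `.. warning::` to match the usual reStructuredText convention, and note that the first sentence already says "the Root of Trust is a combination of an immutable bootloader and a public key (ROTPK)", so the parenthetical "(first stage bootloader + ROTPK)" later in the block could simply say "root of trust" to avoid restating the definition.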