Secure boot

Armv8-A - Using the authentication framework in TF-A

This section briefly describes how to enable verification of OP-TEE using the authentication framework in Trusted Firmware-A (TF-A), i.e., something that could be used in an Armv8-A environment.

According to user-guide.rst, there are no additional build options specific to the verification of OP-TEE. If the authentication framework is enabled and the BL32 build option is specified when building TF-A, the BL32-related certificates are created automatically by the cert_create tool, and these certificates are then verified during boot.

To enable the authentication framework, the following steps should be followed according to user-guide.rst. For more details about the authentication framework, please see auth-framework.rst and trusted-board-boot.rst.

  • Check out a recent version of the mbed TLS repository and then switch to tag mbedtls-2.2.0

  • Besides the normal build options, add the following build options for TF-A:

    MBEDTLS_DIR=<path of the directory containing mbed TLS sources>
    TRUSTED_BOARD_BOOT=1
    GENERATE_COT=1
    ARM_ROTPK_LOCATION=devel_rsa
    ROT_KEY=<TF-A-PATH/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem>

The above steps have been tested on the FVP platform; all verification steps pass and xtest runs successfully without regression.
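A build-and-check script for the FVP steps above, added here as an example and not taken from the OP-TEE documentation or the TF-A project. The TF-A, mbed TLS and OP-TEE directory paths, the tee-*_v2.bin image names, and the standard TF-A options that select OP-TEE as BL32 on FVP (PLAT, SPD=opteed, BL32*, ARM_TSP_RAM_LOCATION) are assumptions beyond what this section lists; the five TBB options are the ones given above.

```shell
# Added example, not code from the OP-TEE docs or TF-A: build TF-A for FVP with
# the authentication framework enabled and OP-TEE as BL32, then inspect the
# certificates cert_create emitted. Paths and OP-TEE image names are assumptions.
set -eu
TFA_DIR="${TFA_DIR:-$PWD/trusted-firmware-a}"        # assumed TF-A checkout
MBEDTLS_DIR="${MBEDTLS_DIR:-$PWD/mbedtls}"           # assumed mbed TLS checkout
OPTEE_OUT="${OPTEE_OUT:-$PWD/optee_os/out/arm/core}" # assumed OP-TEE core output
ROT_KEY="${ROT_KEY:-$TFA_DIR/plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem}"

# $1 = tag currently checked out, $2 = tag the documented steps expect.
check_mbedtls_tag() { [ "$1" = "$2" ]; }

# One make variable per line: the section's five TBB options, plus the standard
# TF-A options that select FVP and OP-TEE as the secure payload (SPD=opteed, BL32*).
tbb_make_args() {
    printf '%s\n' \
        "PLAT=fvp" "SPD=opteed" "ARM_TSP_RAM_LOCATION=tdram" \
        "BL32=$OPTEE_OUT/tee-header_v2.bin" \
        "BL32_EXTRA1=$OPTEE_OUT/tee-pager_v2.bin" \
        "BL32_EXTRA2=$OPTEE_OUT/tee-pageable_v2.bin" \
        "MBEDTLS_DIR=$MBEDTLS_DIR" \
        "TRUSTED_BOARD_BOOT=1" \
        "GENERATE_COT=1" \
        "ARM_ROTPK_LOCATION=devel_rsa" \
        "ROT_KEY=$ROT_KEY"
}

# Return 0 only if every TBB option the section requires appears in "$1".
has_tbb_options() {
    for opt in MBEDTLS_DIR= TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \
               ARM_ROTPK_LOCATION= ROT_KEY=; do
        case "$1" in *"$opt"*) ;; *) return 1 ;; esac
    done
}

main() {
    tag=$(git -C "$MBEDTLS_DIR" describe --tags --exact-match)
    check_mbedtls_tag "$tag" mbedtls-2.2.0 ||
        { echo "mbed TLS is at $tag, expected mbedtls-2.2.0" >&2; exit 1; }
    # cert_create signs the chain with ROT_KEY, so make sure it is a loadable RSA key.
    openssl rsa -in "$ROT_KEY" -check -noout
    # Word-splitting on the printed lines is intended; paths must not contain spaces.
    make -C "$TFA_DIR" $(tbb_make_args) all fip
    # cert_create writes DER certificates into the build directory; show each subject.
    for crt in "$TFA_DIR"/build/fvp/release/*.crt; do
        printf '%s: ' "$(basename "$crt")"
        openssl x509 -inform DER -in "$crt" -noout -subject
    done
}

if [ "${RUN_TBB_BUILD:-0}" = 1 ]; then main; fi  # build only when asked; sourcing just defines the functions
```

Run it with `RUN_TBB_BUILD=1 sh tbb-build.sh` after building OP-TEE; the printed certificate subjects should include the BL32 (trusted OS firmware) key and content certificates that the boot flow verifies.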

Armv7-A systems

Unlike Armv8-A systems, where one can use a more standardized way of doing secure boot by leveraging the authentication framework as described above, most Armv7-A device manufacturers have their own way of doing secure boot. Please reach out directly to the manufacturer of the device you are working with to understand how to do secure boot on their devices.