docs(fconf): update bindings for multi-RoT CoTs

Update CoT binding documentation to add the signing-key property as optional in root-certificates and add rot_keys node Change-Id: I1d1fbc0394275520cfa43213d5b7006e51990fdd Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
2025-04-15 17:14:21 +00:00 · 2024-01-09 20:40:23 -06:00 · 2024-01-09 20:40:23 -06:00 · 0de9a12c89
commit 0de9a12c89
parent 04ac0b3c27
1 changed files with 50 additions and 8 deletions
--- a/docs/components/cot-binding.rst
+++ b/docs/components/cot-binding.rst
@ -67,14 +67,16 @@ Manifests and Certificate node bindings definition
        - signing-key
                Usage:

-                This property is used to refer public key node present in
-                parent certificate node and it is required property for all
-                non-root certificates which are authenticated using public-key
-                present in parent certificate.
+                For non-root certificates, this property is used to refer
+                public key node present in parent certificate node and it is
+                required property for all non-root certificates which are
+                authenticated using public-key present in parent certificate.

-                This property is not required for root-certificates
-                as root-certificates are validated using root of trust
-                public key provided by platform.
+                This property is not required for all root-certificates. If
+                omitted, the root certificate will be validated using the
+                default platform ROTPK. If instead the root certificate needs
+                validating using a different ROTPK, the signing-key property
+                should provide a reference to the ROTPK node to use.

                Value type: <phandle>

@ -323,10 +325,50 @@ Below is non-volatile counters example for ARM platform
        };
   };

+rot_keys node binding definition
+---------------------------------
+
+- rot_keys node
+        Description: Contains root-of-trust keys for the root certificates.
+
+        SUBNODES
+            - Description:
+
+              Root of trust key information present in the root certificates
+              are shown by these nodes.
+
+            - rot key node
+                  Description: Provide ROT key information in the certificate.
+
+                  PROPERTIES
+
+                  - oid
+                     Usage:
+
+                     This property provides the Object ID of ROT key provided
+                     in the certificate.
+
+                     Value type: <string>
+
+Example:
+Below is rot_keys example for CCA platform
+
+.. code:: c
+
+   rot_keys {
+        swd_rot_pk: swd_rot_pk {
+           oid = SWD_ROT_PK_OID;
+        };
+
+        prot_pk: prot_pk {
+           oid = PROT_PK_OID;
+        };
+   };
+
 Future update to chain of trust binding
 ---------------------------------------

 This binding document needs to be revisited to generalise some terminologies
 which are currently specific to X.509 certificates for e.g. Object IDs.

-*Copyright (c) 2020, Arm Limited. All rights reserved.*
+*Copyright (c) 2020-2024, Arm Limited. All rights reserved.*