docs(arm): update docs to reflect rotpk key changes

The hashing algorithm for the rotpk is now HASH_ALG, not always sha-256. The public development keys are no longer in the repository and are now generated at run-time, updates the documentation to reflect this. Change-Id: Ic336f7aca858e9b6a1af6d6e6dc5f4aa428da179 Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2025-04-22 20:38:03 +00:00 · 2024-11-13 17:01:51 +00:00 · 2024-11-13 17:01:51 +00:00 · 4639f8909b
commit 4639f8909b
parent da57b6e3cf
3 changed files with 49 additions and 29 deletions
--- a/docs/design/trusted-board-boot-build.rst
+++ b/docs/design/trusted-board-boot-build.rst
@ -54,16 +54,34 @@ images with support for these features:
      On Juno board, the default value corresponds to an ECDSA-SECP256R1 public
      key hash, whose private part is not currently available.
-   -  ``ARM_ROTPK_LOCATION=devel_rsa``: use the default hash located in
+   -  ``ARM_ROTPK_LOCATION=devel_rsa``: the ROTPK is a hash of the
-      ``plat/arm/board/common/rotpk/arm_rotpk_rsa_sha256.bin``. Enforce
+      RSA public key corresponding to the private key specified by
-      generation of the new hash if ``ROT_KEY`` is specified.
+      ``ROT_KEY``. If ``ROT_KEY`` is not specified, the private key is
      the development key ``plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem``.
      There are also 3k and 4k RSA development keys in ``plat/arm/board/common/rotpk/``.
      The hashing algorithm is selected by ``HASH_ALG``; sha256 is used if
      ``HASH_ALG`` is not specified.
-   -  ``ARM_ROTPK_LOCATION=devel_ecdsa``: use the default hash located in
+   -  ``ARM_ROTPK_LOCATION=devel_ecdsa``: the ROTPK is a hash of the
-      ``plat/arm/board/common/rotpk/arm_rotpk_ecdsa_sha256.bin``. Enforce
+      ECDSA public key corresponding to the private key specified by
-      generation of the new hash if ``ROT_KEY`` is specified.
+      ``ROT_KEY``. If ``ROT_KEY`` is not specified, the private key is
      the development key ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem`` by default,
      a 384 bit key ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa_secp384r1.pem`` also exists,
      and can be specified by ``ROT_KEY``. The hashing algorithm is selected by ``HASH_ALG``;
      sha256 is used if ``HASH_ALG`` is not specified.
-   -  ``ARM_ROTPK_LOCATION=devel_full_dev_rsa_key``: use the key located in
+   -  ``ARM_ROTPK_LOCATION=devel_full_dev_rsa_key``: the ROTPK is an unhashed
-      ``plat/arm/board/common/rotpk/arm_full_dev_rsa_rotpk.S``.
+      RSA public key corresponding to the private key specified by ``ROT_KEY``.
      If ``ROT_KEY`` is not specified, the private key is the development key
      ``plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem``. There are also
      3k and 4k RSA development keys in ``plat/arm/board/common/rotpk/``.
   -  ``ARM_ROTPK_LOCATION=devel_full_dev_ecdsa_key``: the ROTPK is an unhashed
      RSA public key corresponding to the private key specified by ``ROT_KEY``.
      If ``ROT_KEY`` is not specified, the private key is the development key
      ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem``, a 384 bit key
      ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa_secp384r1.pem`` also exists,
      and can be specified by ``ROT_KEY``.
   Example of command line using RSA development keys:
@ -119,7 +137,7 @@ images with support for these features:
 --------------
-*Copyright (c) 2019-2022, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2024, Arm Limited. All rights reserved.*
 .. _mbed TLS Repository: https://github.com/ARMmbed/mbedtls.git
 .. _mbed TLS Security Center: https://tls.mbed.org/security
--- a/docs/design/trusted-board-boot.rst
+++ b/docs/design/trusted-board-boot.rst
@ -39,7 +39,8 @@ The implicitly trusted components forming the trust anchor are:
 -  A Root of Trust Public Key (ROTPK), or a hash of it.
-   On Arm development platforms, a SHA-256 hash of the ROTPK is stored in the
+   On Arm development platforms, a hash of the ROTPK (hash algorithm selected by
   the ``HASH_ALG`` build option, with sha256 as default) is stored in the
   trusted root-key storage registers. Alternatively, a development ROTPK might
   be used and its hash embedded into the BL1 and BL2 images (only for
   development purposes).
@ -330,7 +331,7 @@ Instructions for building and using the tool can be found in the
 --------------
-*Copyright (c) 2015-2020, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.*
 .. _X.509 v3: https://tools.ietf.org/rfc/rfc5280.txt
 .. _Trusted Board Boot Requirements (TBBR): https://developer.arm.com/docs/den0006/latest
--- a/docs/plat/arm/arm-build-options.rst
+++ b/docs/plat/arm/arm-build-options.rst
@ -65,25 +65,26 @@ Arm Platform Build Options
   -  ``regs`` : return the ROTPK hash stored in the Trusted root-key storage
      registers.
   -  ``devel_rsa`` : return a development public key hash embedded in the BL1
-      and BL2 binaries. This hash has been obtained from the RSA public key
+      and BL2 binaries. This hash corresponds to the development private key
-      ``arm_rotpk_rsa.der``, located in ``plat/arm/board/common/rotpk``. To use
+      ``plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem``.
-      this option, ``arm_rotprivk_rsa.pem`` must be specified as ``ROT_KEY``
+      The hashing algorithm is selected by ``HASH_ALG``; sha256 is used if
-      when creating the certificates.
+      ``HASH_ALG`` is not specified. A different RSA key can be specified by setting
      ``ROT_KEY``, there are 3k and 4k RSA keys in ``plat/arm/board/common/rotpk/``.
   -  ``devel_ecdsa`` : return a development public key hash embedded in the BL1
-      and BL2 binaries. This hash has been obtained from the ECDSA public key
+      and BL2 binaries. This hash corresponds to the development private key
-      ``arm_rotpk_ecdsa.der``, located in ``plat/arm/board/common/rotpk``. To
+      ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem`` unless a different key
-      use this option, ``arm_rotprivk_ecdsa.pem`` must be specified as
+      is specified with ``ROT_KEY``, such as the 384 bit key in the same directory.
-      ``ROT_KEY`` when creating the certificates.
+      he hashing algorithm is selected by ``HASH_ALG``; sha256 is used if ``HASH_ALG``
-   -  ``devel_full_dev_rsa_key`` : returns a development public key embedded in
+      is not specified.
-      the BL1 and BL2 binaries. This key has been obtained from the RSA public
+   -  ``devel_full_dev_rsa_key`` : return a development public key embedded in
-      key ``arm_rotpk_rsa.der``, located in ``plat/arm/board/common/rotpk``.
+      the BL1 and BL2 binaries. This key corresponds to the RSA private
-
+      key ``plat/arm/board/common/rotpk/arm_rotprivk.pem`` by default, but can
-  ``ARM_ROTPK_HASH``: used when ``ARM_ROTPK_LOCATION=devel_*``, excluding
+      be changed by setting ``ROT_KEY``, there are 3k and 4k RSA keys in
-   ``devel_full_dev_rsa_key``. Specifies the location of the ROTPK hash. Not
+      ``plat/arm/board/common/rotpk/``.
-   expected to be a build option. This defaults to
+   - ``devel_full_dev_ecdsa_key`` : return a development public key embedded in
-   ``plat/arm/board/common/rotpk/*_sha256.bin`` depending on the specified
+      the BL1 and BL2 binaries. This key corresponds to the EC private key
-   algorithm. Providing ``ROT_KEY`` enforces generation of the hash from the
+      ``plat/arm/board/common/rotpk/arm_rotprivk_ecdsa.pem``, unless a different
-   ``ROT_KEY`` and overwrites the default hash file.
+      ECDSA key is specified by ``ROT_KEY``, such as the 384 bit key in the same directory.
 -  ``ARM_TSP_RAM_LOCATION``: location of the TSP binary. Options: