auth-framework.rst - OpenGrok cross reference for /aosp_15_r20/external/arm-trusted-firmware/docs/design/auth-framework.rst

Lines Matching full:authentication
1 Authentication Framework & Chain of Trust
4 The aim of this document is to describe the authentication framework
62 This document describes the inner details of the authentication framework and
74 A CoT is basically a sequence of authentication images which usually starts with
125 Images in a CoT are categorised as authentication and data images. An
126 authentication image contains information to authenticate a data image or
127 another authentication image. A data image is usually a boot loader binary, but
128 it could be any other data that requires authentication.
144 #. If the image is an authentication image, extract the information that will
153 These components are responsible for initiating the authentication process for a
154 particular image in BL1 or BL2. For each BL image that requires authentication,
155 the Generic code asks recursively the Authentication module what is the parent
158 Authentication module to authenticate it, following the CoT from ROT to Image.
167    also specifies the authentication methods and the parsing method used for
176    extract authentication parameters contained in an image, e.g. if the
183 #. Export functions to verify an image which uses an authentication method that
191 Authentication Module (AM)
197    other things, the authentication and image parsing methods must be specified
210 #. Reusing memory meant for a data image to verify authentication images e.g.
215    certificate. It is assumed that the size of an authentication image will
260 Images may have different formats (for example, authentication images could be
265 check the image integrity and extract the authentication parameters.
270 Authentication methods
273 The AM supports the following authentication methods:
345 The authentication framework will use the image descriptor to extract all the
346 information related to authentication.
364 authentication image that represents a certificate could be in the X.509v3
376    PKI certificates (authentication images). It is expected that open source
382    proprietary standards to represent authentication or data images. For
419 -  ``_get_param``: extract authentication parameter function pointer.
437 Describing the authentication method(s)
440 As part of the CoT, each image has to specify one or more authentication methods
441 which will be used to verify it. As described in the Section "Authentication
453 The AM defines the type of each parameter used by an authentication method. It
462 #. Extract authentication parameters from a parent image in order to verify a
477 The AM defines the following structure to identify an authentication parameter
502      * Parameters for authentication by hash matching
510      * Parameters for authentication by signature
519 The AM defines the following structure to describe an authentication method for
525      * Authentication method descriptor
538 Storing Authentication parameters
549 authentication parameter.
588 #. Authentication methods and their parameters as described in the previous
592    parameters are specified only by authentication images and can be extracted
615 the authentication framework. This example corresponds to the Applicative
641 for a proper authentication. Details about the TBBR CoT may be found in the
651 **Important**: the authentication module uses these identifiers to index the
659    authentication parameters. Three types of images are currently supported:
664       type for custom images not directly supported by the authentication
670    is NULL, the authentication parameters will be obtained from the platform
674    authentication methods that must be checked to consider an image
701 -  ``authenticated_data``: this array pointer indicates what authentication
710 bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication
856 four parameter descriptors must be specified with the authentication method:
878 parameter in the signature authentication method. The key is stored in the
883 certificate. In the image descriptor, we specify a single authentication method
891 We specify the authentication method using ``soc_fw_content_pk`` as public key.
892 After authentication, we need to extract the BL31 hash, stored in the extension
898 a single authentication method by hash. The parameters to the hash method are
906 extract the authentication parameters. The number and type of parser libraries
938 authentication framework using the macro ``REGISTER_CRYPTO_LIB()`` and exports