diff options
| author | Robin van der Gracht <robin@protonic.nl> | 2023-09-12 11:16:23 +0200 |
|---|---|---|
| committer | Robin van der Gracht <robin@protonic.nl> | 2023-09-21 13:27:25 +0200 |
| commit | 616b3ce27d9a8a83a189a16ff6a05698bc6df3c8 (patch) | |
| tree | 6e290505fc336f0fc344d5799ebb322142c26e50 /docs | |
| parent | ea6f8452f6eb561a0fa96a712da93fcdba40cd9c (diff) | |
feat(cert-create): add pkcs11 engine support
Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compliant PKCS11 URI to a key instead of a file as an
argument to one of the key options. This change is fully backwards
compatible.
This change makes use of the openssl engine API which is deprecated
since openssl 3.0 and will most likely be removed in version 4. So
pkcs11 support will have to be updated to the openssl provider API
in the near future.
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: If96725988ca62c5613ec59123943bf15922f5d1f
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/design/trusted-board-boot.rst | 9 | ||||
| -rw-r--r-- | docs/getting_started/build-options.rst | 42 |
2 files changed, 27 insertions, 24 deletions
diff --git a/docs/design/trusted-board-boot.rst b/docs/design/trusted-board-boot.rst index 46177d768..fed202ad9 100644 --- a/docs/design/trusted-board-boot.rst +++ b/docs/design/trusted-board-boot.rst @@ -216,10 +216,11 @@ Certificate Generation Tool The ``cert_create`` tool is built and runs on the host machine as part of the TF-A build process when ``GENERATE_COT=1``. It takes the boot loader images -and keys as inputs (keys must be in PEM format) and generates the -certificates (in DER format) required to establish the CoT. New keys can be -generated by the tool in case they are not provided. The certificates are then -passed as inputs to the ``fiptool`` utility for creating the FIP. +and keys as inputs and generates the certificates (in DER format) required to +establish the CoT. The input keys must either be a file in PEM format or a +PKCS11 URI in case a HSM is used. New keys can be generated by the tool in +case they are not provided. The certificates are then passed as inputs to +the ``fiptool`` utility for creating the FIP. The certificates are also stored individually in the output build directory. diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index 2c018c394..1da273878 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst @@ -80,9 +80,9 @@ Common build options BL31 image for the ``fip`` target. In this case, the BL31 in TF-A will not be built. -- ``BL31_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the - file that contains the BL31 private key in PEM format. If ``SAVE_KEYS=1``, - this file name will be used to save the key. +- ``BL31_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a + file that contains the BL31 private key in PEM format or a PKCS11 URI. If + ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key. - ``BL32``: This is an optional build option which specifies the path to BL32 image for the ``fip`` target. In this case, the BL32 in TF-A will not @@ -94,16 +94,16 @@ Common build options - ``BL32_EXTRA2``: This is an optional build option which specifies the path to Trusted OS Extra2 image for the ``fip`` target. -- ``BL32_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the - file that contains the BL32 private key in PEM format. If ``SAVE_KEYS=1``, - this file name will be used to save the key. +- ``BL32_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a + file that contains the BL32 private key in PEM format or a PKCS11 URI. If + ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key. - ``BL33``: Path to BL33 image in the host file system. This is mandatory for ``fip`` target in case TF-A BL2 is used. -- ``BL33_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the - file that contains the BL33 private key in PEM format. If ``SAVE_KEYS=1``, - this file name will be used to save the key. +- ``BL33_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a + file that contains the BL33 private key in PEM format or a PKCS11 URI. If + ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key. - ``BRANCH_PROTECTION``: Numeric value to enable ARMv8.3 Pointer Authentication and ARMv8.5 Branch Target Identification support for TF-A BL images themselves. @@ -749,8 +749,9 @@ Common build options MARCH_DIRECTIVE := -march=armv8.5-a - ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It - specifies the file that contains the Non-Trusted World private key in PEM - format. If ``SAVE_KEYS=1``, this file name will be used to save the key. + specifies a file that contains the Non-Trusted World private key in PEM + format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and it + will be used to save the key. - ``NS_BL2U``: Path to NS_BL2U image in the host file system. This image is optional. It is only needed if the platform makefile specifies that it @@ -827,10 +828,10 @@ Common build options instead of the BL1 entrypoint. It can take the value 0 (CPU reset to BL1 entrypoint) or 1 (CPU reset to SP_MIN entrypoint). The default value is 0. -- ``ROT_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the - file that contains the ROT private key in PEM format and enforces public key - hash generation. If ``SAVE_KEYS=1``, this - file name will be used to save the key. +- ``ROT_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a + file that contains the ROT private key in PEM format or a PKCS11 URI and + enforces public key hash generation. If ``SAVE_KEYS=1``, only a file is + accepted and it will be used to save the key. - ``SAVE_KEYS``: This option is used when ``GENERATE_COT=1``. It tells the certificate generation tool to save the keys used to establish the Chain of @@ -840,9 +841,9 @@ Common build options If a SCP_BL2 image is present then this option must be passed for the ``fip`` target. -- ``SCP_BL2_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the - file that contains the SCP_BL2 private key in PEM format. If ``SAVE_KEYS=1``, - this file name will be used to save the key. +- ``SCP_BL2_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a + file that contains the SCP_BL2 private key in PEM format or a PKCS11 URI. + If ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key. - ``SCP_BL2U``: Path to SCP_BL2U image in the host file system. This image is optional. It is only needed if the platform makefile specifies that it @@ -959,8 +960,9 @@ Common build options already exist in disk, they will be overwritten without further notice. - ``TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It - specifies the file that contains the Trusted World private key in PEM - format. If ``SAVE_KEYS=1``, this file name will be used to save the key. + specifies a file that contains the Trusted World private key in PEM + format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and + it will be used to save the key. - ``TSP_INIT_ASYNC``: Choose BL32 initialization method as asynchronous or synchronous, (see "Initializing a BL32 Image" section in |