aboutsummaryrefslogtreecommitdiffstats
path: root/docs/design/auth-framework.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/design/auth-framework.rst')
-rw-r--r--docs/design/auth-framework.rst24
1 files changed, 13 insertions, 11 deletions
diff --git a/docs/design/auth-framework.rst b/docs/design/auth-framework.rst
index da958b7c2..93f691b7b 100644
--- a/docs/design/auth-framework.rst
+++ b/docs/design/auth-framework.rst
@@ -637,9 +637,9 @@ all CoTs must present:
The TBBR specifies the additional certificates that must accompany these images
for a proper authentication. Details about the TBBR CoT may be found in the
-`Trusted Board Boot`_ document.
+:ref:`Trusted Board Boot` document.
-Following the `Platform Porting Guide`_, a platform must provide unique
+Following the :ref:`Porting Guide`, a platform must provide unique
identifiers for all the images and certificates that will be loaded during the
boot process. If a platform is using the TBBR as a reference for trusted boot,
these identifiers can be obtained from ``include/common/tbbr/tbbr_img_def.h``.
@@ -704,7 +704,7 @@ Each image descriptor must specify:
In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters
extracted from the certificates. In the case of the TBBR CoT, these parameters
-are hashes and public keys. In DER format, an RSA-2048 public key requires 294
+are hashes and public keys. In DER format, an RSA-4096 public key requires 550
bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication
process, some of the buffers may be reused at different stages during the boot.
@@ -946,12 +946,16 @@ three functions:
int verify_hash(void *data_ptr, unsigned int data_len,
void *digest_info_ptr, unsigned int digest_info_len);
-The mbedTLS library algorithm support is configured by the
-``TF_MBEDTLS_KEY_ALG`` variable which can take in 3 values: `rsa`, `ecdsa` or
-`rsa+ecdsa`. This variable allows the Makefile to include the corresponding
-sources in the build for the various algorithms. Setting the variable to
-`rsa+ecdsa` enables support for both rsa and ecdsa algorithms in the mbedTLS
-library.
+The mbedTLS library algorithm support is configured by both the
+``TF_MBEDTLS_KEY_ALG`` and ``TF_MBEDTLS_KEY_SIZE`` variables.
+
+- ``TF_MBEDTLS_KEY_ALG`` can take in 3 values: `rsa`, `ecdsa` or `rsa+ecdsa`.
+ This variable allows the Makefile to include the corresponding sources in
+ the build for the various algorithms. Setting the variable to `rsa+ecdsa`
+ enables support for both rsa and ecdsa algorithms in the mbedTLS library.
+
+- ``TF_MBEDTLS_KEY_SIZE`` sets the supported RSA key size for TFA. Valid values
+ include 1024, 2048, 3072 and 4096.
.. note::
If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can
@@ -963,6 +967,4 @@ library.
*Copyright (c) 2017-2019, Arm Limited and Contributors. All rights reserved.*
-.. _Trusted Board Boot: ./trusted-board-boot.rst
-.. _Platform Porting Guide: ../getting_started/porting-guide.rst
.. _TBBR-Client specification: https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-16 01:22:17 +0000