Hi Bin Wu,


Thanks for coming up with this question. 

As per the signature verification code below, you raised a valid point that the signature gets verified before the ROTPK hash verification.

  1. Get the ROTPK hash from the platform (using a platform-implemented method, e.g. a HW register).
  2. Extract the ROTPK from the image itself.
  3. Use the ROTPK to verify the image signature.
  4. Calculate the hash of the ROTPK and compare it against the hash received in step [1].


But we can't see any concern, as the system fails to boot anyway at step [4] if the ROTPK gets corrupted.


Regards,

Manish Badarkhe

From: TF-A <tf-a-bounces@lists.trustedfirmware.org> on behalf of Bin Wu via TF-A <tf-a@lists.trustedfirmware.org>
Date: Friday, 29 January 2021 at 07:55
To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Subject: [TF-A] PK hash verify after signature verified


Hi All,


I have been studying the TBBR module in ATF recently. I have a little confusion about the ROTPK hash verification flow.


In the current ATF implementation, we verify the signature first, then verify the ROTPK hash.

But in my understanding, we should verify the ROTPK first and then verify the signature.


So, what is the consideration for using the current flow in ATF?


Thanks for your patience.


BRs,

Bin Wu
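The four-step flow from Manish's reply, modelled as an added example (not TF-A code): a toy textbook-RSA signature stands in for the real TBBR certificate signature, the ROTPK is hashed as its Python repr rather than its DER encoding, and the platform hash, image bytes and both key pairs are constructed here. `verify_image` runs steps 3 and 4 in either order so the two outcomes can be compared: an image re-signed under a foreign ROTPK passes the signature check but is rejected at step 4 regardless of order.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Toy textbook RSA (constructed, far too small for real use): returns ((e, n), d)."""
    n = p * q
    return (e, n), pow(e, -1, (p - 1) * (q - 1))


def rsa_sign(data: bytes, priv: int, n: int) -> int:
    return pow(int.from_bytes(sha256(data), "big") % n, priv, n)


def rsa_verify(data: bytes, sig: int, pub: tuple) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(sha256(data), "big") % n


@dataclass
class Image:
    payload: bytes
    rotpk: tuple  # ROTPK carried inside the image; step 2 extracts it
    sig: int      # signature over payload + ROTPK, made with the matching private key


def make_image(payload: bytes, pub: tuple, priv: int) -> Image:
    return Image(payload, pub, rsa_sign(payload + repr(pub).encode(), priv, pub[1]))


def verify_image(img: Image, platform_hash: bytes, hash_first: bool = False) -> tuple:
    """Steps 2-4 of the mail; platform_hash is the step-1 value read from the HW register.
    Returns (accepted, failing_step). hash_first=True runs step 4 before step 3."""
    checks = [
        (3, lambda: rsa_verify(img.payload + repr(img.rotpk).encode(), img.sig, img.rotpk)),
        (4, lambda: sha256(repr(img.rotpk).encode()) == platform_hash),
    ]
    for step, check in (reversed(checks) if hash_first else checks):
        if not check():
            return False, step
    return True, None


# Constructed scenario: GENUINE is the key whose hash the platform holds; ROGUE stands in
# for an image whose embedded ROTPK was swapped and re-signed under a different key.
GENUINE_PUB, GENUINE_PRIV = keygen(1299709, 15485863)
ROGUE_PUB, ROGUE_PRIV = keygen(104729, 611953)
PLATFORM_HASH = sha256(repr(GENUINE_PUB).encode())
GOOD_IMAGE = make_image(b"BL2 image bytes (constructed)", GENUINE_PUB, GENUINE_PRIV)
ROGUE_IMAGE = make_image(b"BL2 image bytes (constructed)", ROGUE_PUB, ROGUE_PRIV)
```

In both orders GOOD_IMAGE is accepted and ROGUE_IMAGE is rejected by the ROTPK hash comparison; only the check that fires first differs for an image that would fail both.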