You're right that the TBBR specification (DEN0006D) has been retired, and the default cert_create tool still supports it. However, this doesn't prevent platforms from implementing their own CoT in a customized manner while still using the tool. You can see how a few platforms in TF-A have implemented platform-defined certificates, keys, and extensions in [1] and [2].

Hi,

I have a question regarding the TBBR implementation for non-volatile counters in TF-A.

While looking through the code and documentation for Trusted Boot authentication options, it was not clear why there are only two non-volatile counters for the Trusted and Non-Trusted worlds (`TRUSTED_FW_NVCOUNTER` and `NON_TRUSTED_FW_NVCOUNTER`). This is true for the Arm DEN0006D specification, but it was retired and ARM DEN0072 is the current specification. Is there any specific reason why there isn't a counter for each authenticated image declared and created by `cert_create` or is the retired specification the only reason? This limits the non-volatile counter extensions for all certificates, meaning that the Trusted OS content certificate for example cannot be authenticated with another extension, unless I add a custom certificate with another non-volatile counter extension and a new command line option.

To quote the ARM DEN0072 TBBR specification [source: https://developer.arm.com/documentation/den0072/latest]: "It is recommended to implement as many version counters as there are images, where each image can use a separate counter without affecting other images. However, the number of rollback counters that can practically be supported is implementation dependent.".

Thank you!
--
TF-A mailing list -- tf-a@lists.trustedfirmware.org
To unsubscribe send an email to tf-a-leave@lists.trustedfirmware.org