Description
Hello, I hope you can help me with a question! After carefully studying the BL2 code for RP2350 in the TF-M 2.2.x source code, I’ve noticed something that’s confusing me: the boot ROM doesn’t seem to verify the BL2 image at this stage (even though the corresponding root of trust (RoT) fields exist in OTP). From what I can tell, if I were to replace the BL2 image, the subsequent security chain would be completely compromised.
So I’m really puzzled and wondering: Has the implementation of using the boot ROM as the sole root of trust anchor not been finished in TF-M 2.2.x yet? Or has it already been implemented (i.e., using the boot ROM as the sole root of trust anchor) but I missed some parts of the code and thus misunderstood how it works?
I’d really appreciate any guidance or clarification you can provide!