The Open Firmware Loader (OFL) provides a standardized mechanism for loading firmware (memory images which typically contain the Operating System, but may also contain additional data like applets or file systems) into Tamper Resistant Secure Hardware (typically an SE). It defines the cryptographic protection based on ECC, the roles involved in firmware loading, and the administrative rights for the different operations. It also contains a multicast mode where one image can be used to update multiple TRSHs.
Technical changes in v2.0:
- The GlobalPlatform Certificate format has been replaced by X.509 Certificate format version 3.
- A revised OFL PKI is supported, allowing the capability to attach a new IDS Certificate Issuer after issuance of the TRSH.
- Definition of Tokens is now based on the X.509 Certificate format.
- Generic extensions in the Token similar to the X.509 Certificate to convey signed data which may either be in plaintext or encrypted.
- ARP filter extensions have been added.
- OFL Operation and related section and links have been added.
- The ARP Token has been replaced by an ARP Certificate, which is easier to issue.
- A Certificate revocation mechanism has been added, thanks to the support of X.509.
Previous Version(s)
The Open Firmware Loader (OFL) provides a standardized mechanism for loading firmware (memory images which typically contain the Operating System, but may also contain additional data like applets or file systems) into a Tamper Resistant Element (typically an SE). It defines the cryptographic protection based on ECC, the roles involved in firmware loading and the administrative rights for the different operations. It also contains a multicast mode where one image can be used to update multiple TREs.