TOC0

= TOC0 Header =

= TOC0 Items =

RoT certificate (ID 0x010101)
Self-signed DER encoded X.509-like certificate containing a SHA256 hash of the boot code.

If a ROTPK_HASH is programmed only certificates with that key are accepted.

The certificate has a similar structure to standard X.509 certificates, but is different in details:
 * the public key is stored in a non-standard way
 * the hash is added at the place of extensions, but not as real extension
 * the signature doesn't use a standard algorithm, misses the last 4 bytes (bug!) and is stored in a non-standard way

TODO: maybe add ASN.1 of the certificate

TOC0 boot code (ID 0x010202)
Similar to boot0, only "TOC0.GLH" magic instead of "eGON.BT0". After verifying against the SHA256 hash in the certificate, this item is copied at the run address given in the item header and executed in secure mode.