diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index f28ddaa..31e5d65 100644
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c
@@ -16,6 +16,7 @@
 * Allocate static buffers to store the authentication parameters extracted from
 * the certificates.
 */
+static unsigned char fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char tb_fw_hash_buf[HASH_DER_LEN];
 static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
 static unsigned char hw_config_hash_buf[HASH_DER_LEN];
@@ -58,6 +59,8 @@
 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
 static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
+static auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
 #ifdef IMAGE_BL1
 static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
@@ -165,6 +168,13 @@
 .ptr = (void *)hw_config_hash_buf,
 .len = (unsigned int)HASH_DER_LEN
 }
+ },
+ [3] = {
+ .type_desc = &fw_config_hash,
+ .data = {
+ .ptr = (void *)fw_config_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
 }
 }
 };
@@ -218,6 +228,22 @@
 }
 }
 };
+
+static const auth_img_desc_t fw_config = {
+ .img_id = FW_CONFIG_ID,
+ .img_type = IMG_RAW,
+ .parent = &trusted_boot_fw_cert,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_HASH,
+ .param.hash = {
+ .data = &raw_data,
+ .hash = &fw_config_hash
+ }
+ }
+ }
+};
+
 #endif /* IMAGE_BL1 */
 #ifdef IMAGE_BL2
@@ -860,6 +886,7 @@
 [BL2_IMAGE_ID] = &bl2_image,
 [HW_CONFIG_ID] = &hw_config,
 [TB_FW_CONFIG_ID] = &tb_fw_config,
+ [FW_CONFIG_ID] = &fw_config,
 [FWU_CERT_ID] = &fwu_cert,
 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
 [BL2U_IMAGE_ID] = &bl2u_image,
diff --git a/drivers/auth/tbbr/tbbr_cot_bl1.c b/drivers/auth/tbbr/tbbr_cot_bl1.c
index f3bb376..e4c9221 100644
--- a/drivers/auth/tbbr/tbbr_cot_bl1.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl1.c
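Review bot: The `[3]` entry added to the `authenticated_data` list in drivers/auth/dualroot/cot.c (hunk at -165; the enclosing certificate descriptor starts above the hunk) has no comment, and the diff does not show what happens when a certificate lacks the `FW_CONFIG_HASH_OID` extension. If every listed parameter must be present for the certificate to authenticate, images signed with tooling that predates this change would be rejected at boot, so the certificate-generation side should be confirmed to land with it. A short comment such as `/* Hash of FW_CONFIG, consumed by the fw_config image descriptor */` would tie the slot to its user. The same entry is added in drivers/auth/tbbr/tbbr_cot_common.c (hunk at -95).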
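Review bot: The `fw_config` descriptor added in drivers/auth/dualroot/cot.c (hunk at -218) has no comment saying how the image is trusted: it is `IMG_RAW`, its only method is `AUTH_METHOD_HASH`, and the reference hash comes from `trusted_boot_fw_cert`. A one-line comment above it, such as `/* FW_CONFIG: raw image, authenticated only by the hash carried in trusted_boot_fw_cert */`, would make clear that its contents should not be parsed before that check has passed. The descriptor is repeated verbatim in drivers/auth/tbbr/tbbr_cot_bl1.c (hunk at -150), which would take the same comment. Whether the two copies can share one definition depends on code outside the diff.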
@@ -150,6 +150,21 @@
 }
 };
+static const auth_img_desc_t fw_config = {
+ .img_id = FW_CONFIG_ID,
+ .img_type = IMG_RAW,
+ .parent = &trusted_boot_fw_cert,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_HASH,
+ .param.hash = {
+ .data = &raw_data,
+ .hash = &fw_config_hash
+ }
+ }
+ }
+};
+
 /*
 * TBBR Chain of trust definition
 */
@@ -158,6 +173,7 @@
 [BL2_IMAGE_ID] = &bl2_image,
 [HW_CONFIG_ID] = &hw_config,
 [TB_FW_CONFIG_ID] = &tb_fw_config,
+ [FW_CONFIG_ID] = &fw_config,
 [FWU_CERT_ID] = &fwu_cert,
 [SCP_BL2U_IMAGE_ID] = &scp_bl2u_image,
 [BL2U_IMAGE_ID] = &bl2u_image,
diff --git a/drivers/auth/tbbr/tbbr_cot_common.c b/drivers/auth/tbbr/tbbr_cot_common.c
index 0a4b75e..ff3f22d 100644
--- a/drivers/auth/tbbr/tbbr_cot_common.c
+++ b/drivers/auth/tbbr/tbbr_cot_common.c
@@ -23,9 +23,10 @@
 * established, we can reuse some of the buffers on different stages
 */
+static unsigned char fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
+static unsigned char hw_config_hash_buf[HASH_DER_LEN];
 unsigned char tb_fw_hash_buf[HASH_DER_LEN];
-unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
-unsigned char hw_config_hash_buf[HASH_DER_LEN];
 unsigned char scp_fw_hash_buf[HASH_DER_LEN];
 unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
@@ -48,7 +49,9 @@
 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_HASH_OID);
 auth_param_type_desc_t tb_fw_config_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, TRUSTED_BOOT_FW_CONFIG_HASH_OID);
-auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
+auth_param_type_desc_t fw_config_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, FW_CONFIG_HASH_OID);
+static auth_param_type_desc_t hw_config_hash = AUTH_PARAM_TYPE_DESC(
 AUTH_PARAM_HASH, HW_CONFIG_HASH_OID);
 /* trusted_boot_fw_cert */
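Review bot: In drivers/auth/tbbr/tbbr_cot_common.c the hunk at -23 turns `tb_fw_config_hash_buf` and `hw_config_hash_buf` into `static` objects, and the hunk at -48 does the same for `hw_config_hash`. This linkage change is separate from adding FW_CONFIG and is not explained anywhere on the page. Narrowing the visibility of these hash buffers is sound, but any chain-of-trust file that reached them through tbbr_cot_common.h will stop linking, and the diff does not show whether such users exist. A comment above the group, for example `/* Buffers below are private to this file; only those shared with other CoT files keep external linkage */`, would record the intent. The surrounding comment block starts outside the hunk.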
@@ -95,6 +98,13 @@
 .ptr = (void *)hw_config_hash_buf,
 .len = (unsigned int)HASH_DER_LEN
 }
+ },
+ [3] = {
+ .type_desc = &fw_config_hash,
+ .data = {
+ .ptr = (void *)fw_config_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
 }
 }
 };
diff --git a/include/drivers/auth/tbbr_cot_common.h b/include/drivers/auth/tbbr_cot_common.h
index 0ea5f65..a51faee 100644
--- a/include/drivers/auth/tbbr_cot_common.h
+++ b/include/drivers/auth/tbbr_cot_common.h
@@ -10,8 +10,6 @@
 #include
 extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];
-extern unsigned char tb_fw_config_hash_buf[HASH_DER_LEN];
-extern unsigned char hw_config_hash_buf[HASH_DER_LEN];
 extern unsigned char scp_fw_hash_buf[HASH_DER_LEN];
 extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
@@ -23,7 +21,7 @@
 extern auth_param_type_desc_t tb_fw_hash;
 extern auth_param_type_desc_t tb_fw_config_hash;
-extern auth_param_type_desc_t hw_config_hash;
+extern auth_param_type_desc_t fw_config_hash;
 extern const auth_img_desc_t trusted_boot_fw_cert;
 extern const auth_img_desc_t hw_config;
diff --git a/include/export/common/tbbr/tbbr_img_def_exp.h b/include/export/common/tbbr/tbbr_img_def_exp.h
index a98c1b4..18f0125 100644
--- a/include/export/common/tbbr/tbbr_img_def_exp.h
+++ b/include/export/common/tbbr/tbbr_img_def_exp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2019-2020, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@@ -88,7 +88,10 @@
 /* Encrypted image identifier */
 #define ENC_IMAGE_ID U(30)
+/* FW_CONFIG */
+#define FW_CONFIG_ID U(31)
+
 /* Max Images */
-#define MAX_IMAGE_IDS U(31)
+#define MAX_IMAGE_IDS U(32)
 #endif /* ARM_TRUSTED_FIRMWARE_EXPORT_COMMON_TBBR_TBBR_IMG_DEF_EXP_H */
diff --git a/plat/arm/common/fconf/arm_fconf_io.c b/plat/arm/common/fconf/arm_fconf_io.c
index 68cd9fb..48cc4fe 100644
--- a/plat/arm/common/fconf/arm_fconf_io.c
+++ b/plat/arm/common/fconf/arm_fconf_io.c
@@ -25,6 +25,7 @@
 const io_uuid_spec_t arm_uuid_spec[MAX_NUMBER_IDS] = {
 [BL2_IMAGE_ID] = {UUID_TRUSTED_BOOT_FIRMWARE_BL2},
 [TB_FW_CONFIG_ID] = {UUID_TB_FW_CONFIG},
+ [FW_CONFIG_ID] = {UUID_FW_CONFIG},
 #if !ARM_IO_IN_DTB
 [SCP_BL2_IMAGE_ID] = {UUID_SCP_FIRMWARE_SCP_BL2},
 [BL31_IMAGE_ID] = {UUID_EL3_RUNTIME_FIRMWARE_BL31},
@@ -73,6 +74,11 @@
 (uintptr_t)&arm_uuid_spec[TB_FW_CONFIG_ID],
 open_fip
 },
+ [FW_CONFIG_ID] = {
+ &fip_dev_handle,
+ (uintptr_t)&arm_uuid_spec[FW_CONFIG_ID],
+ open_fip
+ },
 #if !ARM_IO_IN_DTB
 [SCP_BL2_IMAGE_ID] = {
 &fip_dev_handle,