xref: /rk3399_ARM-atf/docs/design_documents/rse.rst (revision 90329375d0f44ad5e68772ae4c63b5482143937e)
Runtime Security Engine (RSE)
=============================

This document focuses on the relationship between the Runtime Security Engine
(RSE) and the application processor (AP). According to the ARM reference design,
the RSE is an independent core next to the AP and the SCP on the same die. It
provides fundamental security guarantees and runtime services for the rest of
the system (e.g. trusted boot, measured boot, platform attestation,
key management, and key derivation).

At power-up, the RSE boots first from its private ROM code. It validates and
loads its own images and the initial images of the SCP and AP. When the AP and
SCP are released from reset and their initial code is loaded, they continue
their own boot process, which is the same as on non-RSE systems. Please refer
to the ``RSE documentation`` [1]_ for more details about the RSE boot flow.

The last stage of the RSE firmware is a persistent runtime component. Much
like AP_BL31, it is a passive entity which has no periodic task to do and
just waits for external requests from other subsystems. The RSE and the other
subsystems communicate with each other by exchanging messages. The RSE waits
in idle for incoming requests, handles them, sends a response and then goes
back to idle.

RSE communication layer
-----------------------

The communication between the RSE and other subsystems relies primarily on the
Message Handling Unit (MHU) module.

However, it is possible to use this communication protocol with a mailbox other
than the MHU, by setting the flag ``PLAT_MHU=NO_MHU`` and implementing the
APIs declared in the file ``include/drivers/arm/rse_comms.h``.

The number of MHU interfaces between the RSE and other cores is IMPDEF. Besides
the MHU, other modules can also take part in the communication. The RSE is
capable of mapping the AP memory into its address space. Thereby either the
RSE core itself or a DMA engine, if present, can move data between memory
belonging to the RSE and memory belonging to the AP. In this way, a larger
amount of data can be transferred in a short time.

The MHU comes in pairs: there is a sender side and a receiver side, connected
to each other. An MHU interface consists of two pairs of MHUs, one sender and
one receiver on both sides, so bidirectional communication is possible over an
interface. One pair carries messages from the AP to the RSE and the other pair
from the RSE to the AP. The sender and receiver are connected via channels.
There is an IMPDEF number of channels (e.g. 4-16) between a sender and a
receiver module.

The RSE communication layer provides two ways for message exchange:

- ``Embedded messaging``: The full message, including header and payload, is
  exchanged over the MHU channels. A channel is capable of delivering a single
  word. The sender writes the data to the channel register on its side and the
  receiver reads the data from the channel on the other side. One dedicated
  channel is used for signalling. It does not deliver any payload; it is only
  meant to signal that the sender has loaded the data into the channel
  registers so the receiver can read them. The receiver uses the same channel
  to signal that the data was read. Signalling happens via IRQ. If the message
  is longer than what fits into the channel registers, the message is sent in
  multiple rounds. Both sender and receiver allocate a local buffer for the
  messages. Data is copied from/to these buffers to/from the channel registers.
- ``Pointer-access messaging``: The message header and the payload are
  separated and conveyed in different ways. The header is sent over the
  channels, as in embedded messaging, but the payload is copied by the RSE
  core (or by DMA) between the sender and the receiver. This is useful for
  long messages because the transaction time is shorter than in embedded
  messaging mode. Small payloads are copied by the RSE core because setting up
  DMA would require more CPU cycles. The payload is either copied into an
  internal buffer or read and written directly by the RSE. The actual behaviour
  depends on the RSE setup, namely whether the partition supports memory-mapped
  ``iovec``. Therefore, the sender must handle both cases and prevent access
  to the memory where the payload data lives while the RSE handles the request.

The RSE communication layer supports both ways of messaging in parallel. Which
way is used to transfer a message is decided at runtime based on the message
size.
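The two modes and the multi-round embedded transfer described above, as an
added example in C that is not part of the TF-A sources or the RSE firmware: a
constructed model of one MHU direction with four channels (the count is IMPDEF;
four is assumed here), the last of which is the signalling channel. A message
longer than the three data channels' 32-bit words is pushed through in several
rounds, the sender waiting for the receiver's "data read" signal before loading
the next words, and ``rse_select_mode`` shows the size-based choice between
embedded and pointer-access messaging with an assumed 64-byte threshold. All
function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one MHU direction (sender -> receiver). The channel count is IMPDEF in
 * hardware; 4 is assumed here. The last channel is the dedicated signalling channel and never
 * carries payload, so 3 channels of one 32-bit word each are available per round. */
#define MHU_CHANNELS       4
#define MHU_DATA_CHANNELS  (MHU_CHANNELS - 1)
#define ROUND_BYTES        (MHU_DATA_CHANNELS * 4)
#define EMBEDDED_MAX_BYTES 64   /* assumed threshold; the real one is chosen by the comms layer */

struct mhu_link {
    uint32_t ch[MHU_CHANNELS];  /* channel registers, as seen by the receiver */
    bool     data_loaded;       /* "data loaded" signal raised by the sender (an IRQ on hardware) */
    bool     data_read;         /* "data read" signal raised by the receiver (an IRQ on hardware) */
};

enum msg_mode { MODE_EMBEDDED, MODE_POINTER_ACCESS };

/* Runtime choice between the two transfer modes, made on message size alone. */
enum msg_mode rse_select_mode(size_t msg_len)
{
    return msg_len <= EMBEDDED_MAX_BYTES ? MODE_EMBEDDED : MODE_POINTER_ACCESS;
}

/* Rounds needed to push msg_len bytes through the data channels. */
size_t rse_embedded_rounds(size_t msg_len)
{
    return (msg_len + ROUND_BYTES - 1) / ROUND_BYTES;
}

/* Sender side of one round: copy up to ROUND_BYTES from the sender's local buffer into the
 * channel registers, then raise the "data loaded" signal. Returns the number of bytes loaded. */
static size_t sender_load_round(struct mhu_link *l, const uint8_t *msg, size_t len, size_t off)
{
    size_t n = 0;
    for (int c = 0; c < MHU_DATA_CHANNELS && off + n < len; c++) {
        uint32_t w = 0;
        size_t take = (len - off - n < 4) ? len - off - n : 4;
        memcpy(&w, msg + off + n, take);   /* a partial final word is zero-padded */
        l->ch[c] = w;
        n += take;
    }
    l->ch[MHU_CHANNELS - 1] = 1;           /* signalling channel: no payload, only the doorbell */
    l->data_loaded = true;
    return n;
}

/* Receiver side, as run from its IRQ handler: copy the words out of the channel registers into
 * the receiver's local buffer, then answer on the same signalling channel. */
static void receiver_drain_round(struct mhu_link *l, uint8_t *dst, size_t n)
{
    for (int c = 0; c < MHU_DATA_CHANNELS && n > 0; c++) {
        size_t take = n < 4 ? n : 4;
        memcpy(dst, &l->ch[c], take);
        dst += take;
        n -= take;
    }
    l->data_loaded = false;
    l->data_read = true;                   /* "data read" signal back to the sender */
}

/* Embedded transfer of one whole message. Both ends run in this single loop because the model has
 * one core; on hardware the receiver runs on the other subsystem and the header tells it the
 * message length. Returns the number of rounds used, or 0 if the receive buffer is too small. */
size_t rse_embedded_transfer(const uint8_t *msg, size_t len, uint8_t *rx, size_t rx_cap)
{
    struct mhu_link link;
    size_t sent = 0, rounds = 0;

    memset(&link, 0, sizeof(link));
    if (len > rx_cap)
        return 0;
    while (sent < len) {
        size_t n = sender_load_round(&link, msg, len, sent);
        if (!link.data_loaded)
            return 0;
        receiver_drain_round(&link, rx + sent, n);
        if (!link.data_read)               /* the sender reuses the registers only after the ack */
            return 0;
        link.data_read = false;
        sent += n;
        rounds++;
    }
    return rounds;
}

/* Worked run on a constructed 20-byte message: with 12 bytes per round it takes 2 rounds.
 * Returns the round count when the receiver's copy matches the sender's buffer, else 0. */
size_t rse_embedded_demo(void)
{
    static const uint8_t msg[20] = "0123456789abcdefghi";
    uint8_t rx[sizeof(msg)];
    size_t rounds = rse_embedded_transfer(msg, sizeof(msg), rx, sizeof(rx));
    return memcmp(msg, rx, sizeof(msg)) == 0 ? rounds : 0;
}
```

The round count grows linearly with the message length, which is why the
comms layer switches to pointer-access messaging for long payloads: only the
header then crosses the channels, and the payload is moved once by the RSE core
or DMA.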

.. code-block:: bash

    +----------------------------------------------+       +-------------------+
    |                                              |       |                   |
    |                      AP                      |       |                   |
    |                                              |  +--->|       SRAM        |
    +----------------------------------------------+  |    |                   |
    |              BL1 / BL2 / BL31                |  |    |                   |
    +----------------------------------------------+  |    +-------------------+
             |                           ^            |        ^           ^
             |  send                 IRQ | receive    |direct  |           |
             V                           |            |access  |           |
    +--------------------+    +--------------------+  |        |           |
    |      MHU sender    |    |    MHU receiver    |  |        | Copy data |
    +--------------------+    +--------------------+  |        |           |
       | |           | |          | |           | |   |        |           |
       | | channels  | |          | | channels  | |   |        |           |
       | | e.g: 4-16 | |          | | e.g: 4-16 | |   |        V           |
    +--------------------+    +--------------------+  |    +-------+       |
    |     MHU receiver   |    |     MHU sender     |  | +->|  DMA  |       |
    +--------------------+    +--------------------+  | |  +-------+       |
             |                           ^            | |      ^           |
        IRQ  |  receive                  | send       | |      | Copy data |
             V                           |            | |      V           V
    +----------------------------------------------+  | |  +-------------------+
    |                                              |--+-+  |                   |
    |                  RSE                         |       |      SRAM         |
    |                                              |       |                   |
    +----------------------------------------------+       +-------------------+

.. Note::

    The RSE communication layer is not prepared for concurrent execution. The
    current use case only requires message exchange during the boot phase. In
    the boot phase, only a single core is running and the rest of the cores are
    in reset.

Message structure
^^^^^^^^^^^^^^^^^
A description of the message format can be found in the ``RSE communication
design`` [2]_ document.

Source files
^^^^^^^^^^^^
- RSE comms:  ``drivers/arm/rse``
- MHU driver: ``drivers/arm/mhu``


API for communication over MHU
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The API is defined in these header files:

- ``include/drivers/arm/rse_comms.h``
- ``include/drivers/arm/mhu.h``

RSE provided runtime services
-----------------------------

The RSE provides the following runtime services:

- ``Measured boot``: Securely store the firmware measurements which were
  computed during the boot process and the associated metadata (image
  description, measurement algorithm, etc.). More information on the measured
  boot service in the RSE can be found in the
  ``measured_boot_integration_guide`` [3]_.
- ``Delegated attestation``: Query the platform attestation token and derive a
  delegated attestation key. More information on the delegated attestation
  service in the RSE can be found in the
  ``delegated_attestation_integration_guide`` [4]_.
- ``OTP assets management``: Public keys used by the AP during the trusted boot
  process can be requested from the RSE. Furthermore, the AP can request the
  RSE to increase a non-volatile counter. Please refer to the
  ``RSE key management`` [5]_ document for more details.
- ``DICE Protection Environment``: Securely store the firmware measurements
  which were computed during the boot process and the associated metadata. It
  is also capable of representing the boot measurements in the form of a
  certificate chain, which can be queried. Please refer to the
  ``DICE Protection Environment (DPE)`` [8]_ document for more details.

Runtime service API
^^^^^^^^^^^^^^^^^^^
The runtime services provided by the RSE implement a PSA-aligned API. The
parameter encoding follows the PSA client protocol described in chapter 4.4 of
the ``Firmware Framework for M`` [6]_ document. The implementation is
restricted to the static handle use case; therefore only the ``psa_call`` API
is implemented.


Software and API layers
^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: bash

    +----------------+         +---------------------+
    |   BL1 / BL2    |         |       BL31          |
    +----------------+         +---------------------+
      |                         |
      | extend_measurement()    | get_delegated_key()
      |                         | get_platform_token()
      V                         V
    +----------------+         +---------------------+
    |  PSA protocol  |         |    PSA protocol     |
    +----------------+         +---------------------+
         |                               |
         | psa_call()                    | psa_call()
         |                               |
         V                               V
    +------------------------------------------------+
    |         RSE communication protocol             |
    +------------------------------------------------+
         |                     ^
         | mhu_send_data()     | mhu_receive_data()
         |                     |
         V                     |
    +------------------------------------------------+
    |                 MHU driver                     |
    +------------------------------------------------+
               |                      ^
               | Register access      | IRQ
               V                      |
    +------------------------------------------------+
    |             MHU HW on AP side                  |
    +------------------------------------------------+
                         ^
                         | Physical wires
                         |
                         V
    +------------------------------------------------+
    |             MHU HW on RSE side                 |
    +------------------------------------------------+
             |                        ^
             | IRQ                    | Register access
             V                        |
    +------------------------------------------------+
    |                 MHU driver                     |
    +------------------------------------------------+
             |                        |
             V                        V
    +---------------+       +------------------------+
    | Measured boot |       | Delegated attestation  |
    | service       |       | service                |
    +---------------+       +------------------------+


RSE based Measured Boot
-----------------------

Measured Boot is the process of cryptographically measuring (computing the hash
value of a binary) the code and critical data used at boot time. The
measurement must be stored in a tamper-resistant way, so that the security
state of the device can be attested later to an external party. The RSE
provides a runtime service which stores measurements together with their
associated metadata.

Data is stored in internal SRAM which is only accessible by the secure runtime
firmware of the RSE. Data is stored in so-called measurement slots. A platform
has an IMPDEF number of measurement slots. The measurement storage follows
extend semantics. This means that measurements are not stored directly (as
taken); instead they contribute to the current value of the measurement slot.
The extend operation implements this logic, where ``||`` stands for
concatenation:

.. code-block:: bash

    new_value_of_measurement_slot = Hash(old_value_of_measurement_slot || measurement)

Supported hash algorithms: sha-256, sha-512

Measured Boot API
^^^^^^^^^^^^^^^^^

Defined here:

- ``include/lib/psa/measured_boot.h``

.. code-block:: c

    psa_status_t
    rse_measured_boot_extend_measurement(uint8_t        index,
                                         const uint8_t *signer_id,
                                         size_t         signer_id_size,
                                         const uint8_t *version,
                                         size_t         version_size,
                                         uint32_t       measurement_algo,
                                         const uint8_t *sw_type,
                                         size_t         sw_type_size,
                                         const uint8_t *measurement_value,
                                         size_t         measurement_value_size,
                                         bool           lock_measurement);

Measured Boot Metadata
^^^^^^^^^^^^^^^^^^^^^^

The following metadata can be stored alongside the measurement:

- ``Signer-id``: Mandatory. The hash of the firmware image signing public key.
- ``Measurement algorithm``: Optional. The hash algorithm which was used to
  compute the measurement (e.g. sha-256).
- ``Version info``: Optional. The firmware version info (e.g. 2.7).
- ``SW type``: Optional. Short text description (e.g. BL1, BL2, BL31).

.. Note::
    Version info is not implemented in TF-A yet.


The caller must specify in which measurement slot to extend a certain
measurement and its metadata. A measurement slot can be extended by multiple
measurements. The default value of a slot is IMPDEF. All measurement slots are
cleared at reset; there is no other way to clear them. In the reference
implementation, the measurement slots are initialized to 0. At the first call
to extend the measurement in a slot, the extend operation uses the default
value of the measurement slot. All subsequent extend operations on the same
slot contribute to the previous value of that measurement slot.

The following rules are kept when a slot is extended multiple times:

- ``Signer-id``: must be the same as in the previous call(s), otherwise a
  ``PSA_ERROR_NOT_PERMITTED`` error code is returned.

- ``Measurement algorithm``: must be the same as in the previous call(s),
  otherwise a ``PSA_ERROR_NOT_PERMITTED`` error code is returned.

In case of error, no further action is taken (the slot is not locked). If a
subsequent call carries valid data, the measurement slot will be extended. The
rest of the metadata is handled as follows when a measurement slot is extended
multiple times:

- ``SW type``: Cleared.
- ``Version info``: Cleared.

.. Note::

    Extending multiple measurements in the same slot leads to some loss of
    metadata information. Since the RSE is not constrained by special HW
    resources for storing the measurements and metadata, it is worth
    considering storing each of them in a distinct slot. However, the slots
    are included one by one in the platform attestation token, so the number
    of distinct firmware image measurements has an impact on the size of the
    attestation token.

The allocation of the measurement slots among the RSE, Root and Realm worlds is
platform dependent. The platform must provide an allocation of the measurement
slots at build time. An example can be found in
``tf-a/plat/arm/board/tc/tc_bl1_measured_boot.c``.
Furthermore, the memory which holds the metadata is also statically allocated
in RSE memory. Some of the fields have a static value (measurement algorithm),
and some have a dynamic value (measurement value) which is updated by the
bootloaders when the firmware image is loaded and measured. The metadata
structure is defined in
``include/drivers/measured_boot/rse/rse_measured_boot.h``.

.. code-block:: c

    struct rse_mboot_metadata {
            unsigned int id;
            uint8_t slot;
            uint8_t signer_id[SIGNER_ID_MAX_SIZE];
            size_t  signer_id_size;
            uint8_t version[VERSION_MAX_SIZE];
            size_t  version_size;
            uint8_t sw_type[SW_TYPE_MAX_SIZE];
            size_t  sw_type_size;
            void    *pk_oid;
            bool    lock_measurement;
    };

Signer-ID API
^^^^^^^^^^^^^

This function calculates the hash of a public key (signer-ID) using the
``Measurement algorithm`` and stores it in the ``rse_mboot_metadata`` field
named ``signer_id``.
Prior to calling this function, the caller must ensure that the ``signer_id``
field is a zero-filled buffer.

Defined here:

- ``include/drivers/measured_boot/rse/rse_measured_boot.h``

.. code-block:: c

   int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
                               const void *pk_oid,
                               const void *pk_ptr,
                               size_t pk_len);


- The first parameter is the pointer to the ``rse_mboot_metadata`` structure.
- The second parameter is the pointer to the key-OID of the public key.
- The third parameter is the pointer to the public key buffer.
- The fourth parameter is the size of the public key buffer.
- This function returns 0 on success and a signed integer error code
  otherwise.
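As an added example (not code from TF-A or the RSE firmware), the following C
model ties together the extend semantics of the measurement slots, the rules
for extending one slot multiple times, and the signer-ID computation described
in this section: a slot starts at zero after reset, each extend replaces the
slot value with ``Hash(old || measurement)``, a repeated extend must carry the
same signer-id and algorithm or it fails with ``PSA_ERROR_NOT_PERMITTED`` and
leaves the slot untouched, ``SW type`` is cleared on a repeated extend, and the
signer-ID helper refuses a buffer that was not zero-filled. The SHA-256 routine,
the slot count of 16, the PSA status values and the behaviour of a locked slot
are assumptions of this example; ``mboot_slot``, ``mboot_extend`` and
``mboot_set_signer_id`` are simplified stand-ins for ``rse_mboot_metadata``,
``rse_measured_boot_extend_measurement`` and ``rse_mboot_set_signer_id``.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Compact SHA-256 (FIPS 180-4), included so the example runs without a crypto library. */
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
static void sha256_block(uint32_t h[8], const uint8_t p[64])
{
    uint32_t w[64], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f = h[5], g = h[6], hh = h[7];
    for (int i = 0; i < 64; i++) {
        if (i < 16)
            w[i] = ((uint32_t)p[4*i] << 24) | ((uint32_t)p[4*i+1] << 16) | ((uint32_t)p[4*i+2] << 8) | p[4*i+3];
        else
            w[i] = w[i-16] + (ROTR(w[i-15], 7) ^ ROTR(w[i-15], 18) ^ (w[i-15] >> 3)) + w[i-7] +
                   (ROTR(w[i-2], 17) ^ ROTR(w[i-2], 19) ^ (w[i-2] >> 10));
        uint32_t t1 = hh + (ROTR(e, 6) ^ ROTR(e, 11) ^ ROTR(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
        uint32_t t2 = (ROTR(a, 2) ^ ROTR(a, 13) ^ ROTR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}
void sha256(const uint8_t *msg, size_t len, uint8_t out[32])
{
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint8_t blk[64] = { 0 };
    size_t i, rem = len % 64;
    for (i = 0; i + 64 <= len; i += 64) sha256_block(h, msg + i);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                          /* padding: a 1 bit, zeros, then the 64-bit bit length */
    if (rem >= 56) { sha256_block(h, blk); memset(blk, 0, 64); }
    for (i = 0; i < 8; i++) blk[63 - i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    sha256_block(h, blk);
    for (i = 0; i < 32; i++) out[i] = (uint8_t)(h[i / 4] >> (24 - 8 * (i % 4)));
}

/* PSA identifiers, assumed from the PSA API rather than taken from this document. 0x02000009 is
 * PSA_ALG_SHA_256, the "algorithm : 2000009" value printed in the sample console log. */
#define PSA_SUCCESS                 0
#define PSA_ERROR_NOT_PERMITTED    (-133)
#define PSA_ERROR_INVALID_ARGUMENT (-135)
#define PSA_ALG_SHA_256            0x02000009u
#define NUM_SLOTS                  16        /* IMPDEF in hardware; 16 assumed here */
struct mboot_slot {
    bool     used, locked;                   /* used: at least one successful extend since reset */
    uint32_t algo;
    uint8_t  value[32], signer_id[32], sw_type[32]; /* value is all-zero after reset (reference impl.) */
    size_t   sw_type_size;
};
static struct mboot_slot slots[NUM_SLOTS];
void mboot_reset(void) { memset(slots, 0, sizeof(slots)); }  /* reset is the only way slots are cleared */
const struct mboot_slot *mboot_slot(uint8_t index) { return index < NUM_SLOTS ? &slots[index] : NULL; }

/* Model of rse_measured_boot_extend_measurement() applying the rules stated in this document. */
int mboot_extend(uint8_t index, const uint8_t signer_id[32], uint32_t algo, const uint8_t *sw_type,
                 size_t sw_type_size, const uint8_t *meas, size_t meas_size, bool lock)
{
    uint8_t buf[32 + 64];
    struct mboot_slot *s;
    if (index >= NUM_SLOTS || algo != PSA_ALG_SHA_256 || meas_size > 64 || sw_type_size > 32)
        return PSA_ERROR_INVALID_ARGUMENT;
    s = &slots[index];
    if (s->used) {
        /* Repeated extend: signer-id and algorithm must match the earlier call(s). On a mismatch
         * (or, assumed here, on a locked slot) nothing happens: the slot is unchanged, not locked. */
        if (s->locked || memcmp(s->signer_id, signer_id, 32) != 0 || s->algo != algo)
            return PSA_ERROR_NOT_PERMITTED;
        s->sw_type_size = 0;                 /* SW type (and version info) are cleared */
    } else {
        memcpy(s->signer_id, signer_id, 32);
        s->algo = algo;
        if (sw_type_size) memcpy(s->sw_type, sw_type, sw_type_size);
        s->sw_type_size = sw_type_size;
        s->used = true;
    }
    memcpy(buf, s->value, 32);               /* extend semantics: new = Hash(old || measurement) */
    memcpy(buf + 32, meas, meas_size);
    sha256(buf, 32 + meas_size, s->value);
    s->locked = lock;
    return PSA_SUCCESS;
}

/* Model of rse_mboot_set_signer_id(): signer-ID = Hash(public key), written into a buffer that the
 * caller has zero-filled beforehand. Returns 0 on success, -1 if the buffer was not zero-filled. */
int mboot_set_signer_id(uint8_t signer_id[32], const uint8_t *pk, size_t pk_len)
{
    static const uint8_t zero[32];
    if (memcmp(signer_id, zero, 32) != 0) return -1;
    sha256(pk, pk_len, signer_id);
    return 0;
}
```

Because the slot value after the first extend is ``Hash(0^32 || m)`` rather
than ``m`` itself, a verifier replaying the boot log must apply the same
extend chain to reproduce the slot value reported in the attestation token; a
slot that was extended twice cannot be matched against a single raw image hash.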

Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^

- ``MEASURED_BOOT``: Enable measured boot.
- ``MBOOT_RSE_HASH_ALG``: Determines the hash algorithm used to measure the
  images. The default value is sha-256.

Measured boot flow
^^^^^^^^^^^^^^^^^^

.. figure:: ../resources/diagrams/rse_measured_boot_flow.svg
  :align: center

Sample console log
^^^^^^^^^^^^^^^^^^

.. code-block:: bash

    INFO:    Measured boot extend measurement:
    INFO:     - slot        : 6
    INFO:     - signer_id   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    INFO:                   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    INFO:     - version     :
    INFO:     - version_size: 0
    INFO:     - sw_type     : FW_CONFIG
    INFO:     - sw_type_size: 10
    INFO:     - algorithm   : 2000009
    INFO:     - measurement : aa ea d3 a7 a8 e2 ab 7d 13 a6 cb 34 99 10 b9 a1
    INFO:                   : 1b 9f a0 52 c5 a8 b1 d7 76 f2 c1 c1 ef ca 1a df
    INFO:     - locking     : true
    INFO:    FCONF: Config file with image ID:31 loaded at address = 0x4001010
    INFO:    Loading image id=24 at address 0x4001300
    INFO:    Image id=24 loaded: 0x4001300 - 0x400153a
    INFO:    Measured boot extend measurement:
    INFO:     - slot        : 7
    INFO:     - signer_id   : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73
    INFO:                   : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da
    INFO:     - version     :
    INFO:     - version_size: 0
    INFO:     - sw_type     : TB_FW_CONFIG
    INFO:     - sw_type_size: 13
    INFO:     - algorithm   : 2000009
    INFO:     - measurement : 05 b9 dc 98 62 26 a7 1c 2d e5 bb af f0 90 52 28
    INFO:                   : f2 24 15 8a 3a 56 60 95 d6 51 3a 7a 1a 50 9b b7
    INFO:     - locking     : true
    INFO:    FCONF: Config file with image ID:24 loaded at address = 0x4001300
    INFO:    BL1: Loading BL2
    INFO:    Loading image id=1 at address 0x404d000
    INFO:    Image id=1 loaded: 0x404d000 - 0x406412a
    INFO:    Measured boot extend measurement:
    INFO:     - slot        : 8
    INFO:     - signer_id   : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73
    INFO:                   : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da
    INFO:     - version     :
    INFO:     - version_size: 0
    INFO:     - sw_type     : BL_2
    INFO:     - sw_type_size: 5
    INFO:     - algorithm   : 2000009
    INFO:     - measurement : 53 a1 51 75 25 90 fb a1 d9 b8 c8 34 32 3a 01 16
    INFO:                   : c9 9e 74 91 7d 28 02 56 3f 5c 40 94 37 58 50 68
    INFO:     - locking     : true

Delegated Attestation
---------------------

The Delegated Attestation Service was mainly developed to support the
attestation flow on the ``ARM Confidential Compute Architecture`` (ARM CCA)
[7]_. The detailed description of the delegated attestation service can be
found in the ``Delegated Attestation Service Integration Guide`` [4]_ document.

In the CCA use case, the Realm Management Monitor (RMM) relies on the delegated
attestation service of the RSE to get a realm attestation key and the CCA
platform token. BL31 does not use the service for its own purposes; it only
calls it on behalf of RMM. Access to the MHU interface, and thereby to the RSE,
is restricted to BL31 only. Therefore, RMM does not have direct access; all
calls need to go through BL31. The RMM dispatcher module of BL31 is responsible
for delivering the calls between the two parties.

444a5a5947aSTamas BanDelegated Attestation API
445a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^^
446a5a5947aSTamas BanDefined here:
447a5a5947aSTamas Ban
448a5a5947aSTamas Ban- ``include/lib/psa/delegated_attestation.h``
449a5a5947aSTamas Ban
450a5a5947aSTamas Ban.. code-block:: c
451a5a5947aSTamas Ban
452a5a5947aSTamas Ban    psa_status_t
453624c9a0bSTamas Ban    rse_delegated_attest_get_delegated_key(uint8_t   ecc_curve,
454a5a5947aSTamas Ban                                           uint32_t  key_bits,
455a5a5947aSTamas Ban                                           uint8_t  *key_buf,
456a5a5947aSTamas Ban                                           size_t    key_buf_size,
457a5a5947aSTamas Ban                                           size_t   *key_size,
458a5a5947aSTamas Ban                                           uint32_t  hash_algo);
459a5a5947aSTamas Ban
460a5a5947aSTamas Ban    psa_status_t
461624c9a0bSTamas Ban    rse_delegated_attest_get_token(const uint8_t *dak_pub_hash,
462a5a5947aSTamas Ban                                   size_t         dak_pub_hash_size,
463a5a5947aSTamas Ban                                   uint8_t       *token_buf,
464a5a5947aSTamas Ban                                   size_t         token_buf_size,
465a5a5947aSTamas Ban                                   size_t        *token_size);
466a5a5947aSTamas Ban
467a5a5947aSTamas BanAttestation flow
468a5a5947aSTamas Ban^^^^^^^^^^^^^^^^
469a5a5947aSTamas Ban
470624c9a0bSTamas Ban.. figure:: ../resources/diagrams/rse_attestation_flow.svg
471a5a5947aSTamas Ban  :align: center
472a5a5947aSTamas Ban
473a5a5947aSTamas BanSample attestation token
474a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^
475a5a5947aSTamas Ban
476a5a5947aSTamas BanBinary format:
477a5a5947aSTamas Ban
478a5a5947aSTamas Ban.. code-block:: bash
479a5a5947aSTamas Ban
    INFO:    DELEGATED ATTEST TEST START
    INFO:    Get delegated attestation key start
    INFO:    Get delegated attest key succeeds, len: 48
    INFO:    Delegated attest key:
    INFO:            0d 2a 66 61 d4 89 17 e1 70 c6 73 56 df f4 11 fd
    INFO:            7d 1f 3b 8a a3 30 3d 70 4c d9 06 c3 c7 ef 29 43
    INFO:            0f ee b5 e7 56 e0 71 74 1b c4 39 39 fd 85 f6 7b
    INFO:    Get platform token start
    INFO:    Get platform token succeeds, len: 1086
    INFO:    Platform attestation token:
    INFO:            d2 84 44 a1 01 38 22 a0 59 05 81 a9 19 01 09 78
    INFO:            23 74 61 67 3a 61 72 6d 2e 63 6f 6d 2c 32 30 32
    INFO:            33 3a 63 63 61 5f 70 6c 61 74 66 6f 72 6d 23 31
    INFO:            2e 30 2e 30 0a 58 20 0d 22 e0 8a 98 46 90 58 48
    INFO:            63 18 28 34 89 bd b3 6f 09 db ef eb 18 64 df 43
    INFO:            3f a6 e5 4e a2 d7 11 19 09 5c 58 20 7f 45 4c 46
    INFO:            02 01 01 00 00 00 00 00 00 00 00 00 03 00 3e 00
    INFO:            01 00 00 00 50 58 00 00 00 00 00 00 19 01 00 58
    INFO:            21 01 07 06 05 04 03 02 01 00 0f 0e 0d 0c 0b 0a
    INFO:            09 08 17 16 15 14 13 12 11 10 1f 1e 1d 1c 1b 1a
    INFO:            19 18 19 09 61 44 cf cf cf cf 19 09 5b 19 30 03
    INFO:            19 09 62 67 73 68 61 2d 32 35 36 19 09 60 78 3a
    INFO:            68 74 74 70 73 3a 2f 2f 76 65 72 61 69 73 6f 6e
    INFO:            2e 65 78 61 6d 70 6c 65 2f 2e 77 65 6c 6c 2d 6b
    INFO:            6e 6f 77 6e 2f 76 65 72 61 69 73 6f 6e 2f 76 65
    INFO:            72 69 66 69 63 61 74 69 6f 6e 19 09 5f 8d a4 01
    INFO:            69 52 53 45 5f 42 4c 31 5f 32 05 58 20 53 78 79
    INFO:            63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c
    INFO:            3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20
    INFO:            9a 27 1f 2a 91 6b 0b 6e e6 ce cb 24 26 f0 b3 20
    INFO:            6e f0 74 57 8b e5 5d 9b c9 4f 6f 3f e3 ab 86 aa
    INFO:            06 67 73 68 61 2d 32 35 36 a4 01 67 52 53 45 5f
    INFO:            42 4c 32 05 58 20 53 78 79 63 07 53 5d f3 ec 8d
    INFO:            8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38
    INFO:            c0 fa 97 3f 7a a3 02 58 20 53 c2 34 e5 e8 47 2b
    INFO:            6a c5 1c 1a e1 ca b3 fe 06 fa d0 53 be b8 eb fd
    INFO:            89 77 b0 10 65 5b fd d3 c3 06 67 73 68 61 2d 32
    INFO:            35 36 a4 01 65 52 53 45 5f 53 05 58 20 53 78 79
    INFO:            63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c
    INFO:            3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20
    INFO:            11 21 cf cc d5 91 3f 0a 63 fe c4 0a 6f fd 44 ea
    INFO:            64 f9 dc 13 5c 66 63 4b a0 01 d1 0b cf 43 02 a2
    INFO:            06 67 73 68 61 2d 32 35 36 a4 01 66 41 50 5f 42
    INFO:            4c 31 05 58 20 53 78 79 63 07 53 5d f3 ec 8d 8b
    INFO:            15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38 c0
    INFO:            fa 97 3f 7a a3 02 58 20 15 71 b5 ec 78 bd 68 51
    INFO:            2b f7 83 0b b6 a2 a4 4b 20 47 c7 df 57 bc e7 9e
    INFO:            b8 a1 c0 e5 be a0 a5 01 06 67 73 68 61 2d 32 35
    INFO:            36 a4 01 66 41 50 5f 42 4c 32 05 58 20 53 78 79
    INFO:            63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c
    INFO:            3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20
    INFO:            10 15 9b af 26 2b 43 a9 2d 95 db 59 da e1 f7 2c
    INFO:            64 51 27 30 16 61 e0 a3 ce 4e 38 b2 95 a9 7c 58
    INFO:            06 67 73 68 61 2d 32 35 36 a4 01 67 53 43 50 5f
    INFO:            42 4c 31 05 58 20 53 78 79 63 07 53 5d f3 ec 8d
    INFO:            8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38
    INFO:            c0 fa 97 3f 7a a3 02 58 20 10 12 2e 85 6b 3f cd
    INFO:            49 f0 63 63 63 17 47 61 49 cb 73 0a 1a a1 cf aa
    INFO:            d8 18 55 2b 72 f5 6d 6f 68 06 67 73 68 61 2d 32
    INFO:            35 36 a4 01 67 53 43 50 5f 42 4c 32 05 58 20 f1
    INFO:            4b 49 87 90 4b cb 58 14 e4 45 9a 05 7e d4 d2 0f
    INFO:            58 a6 33 15 22 88 a7 61 21 4d cd 28 78 0b 56 02
    INFO:            58 20 aa 67 a1 69 b0 bb a2 17 aa 0a a8 8a 65 34
    INFO:            69 20 c8 4c 42 44 7c 36 ba 5f 7e a6 5f 42 2c 1f
    INFO:            e5 d8 06 67 73 68 61 2d 32 35 36 a4 01 67 41 50
    INFO:            5f 42 4c 33 31 05 58 20 53 78 79 63 07 53 5d f3
    INFO:            ec 8d 8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3
    INFO:            22 38 c0 fa 97 3f 7a a3 02 58 20 2e 6d 31 a5 98
    INFO:            3a 91 25 1b fa e5 ae fa 1c 0a 19 d8 ba 3c f6 01
    INFO:            d0 e8 a7 06 b4 cf a9 66 1a 6b 8a 06 67 73 68 61
    INFO:            2d 32 35 36 a4 01 63 52 4d 4d 05 58 20 53 78 79
    INFO:            63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c
    INFO:            3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20
    INFO:            a1 fb 50 e6 c8 6f ae 16 79 ef 33 51 29 6f d6 71
    INFO:            34 11 a0 8c f8 dd 17 90 a4 fd 05 fa e8 68 81 64
    INFO:            06 67 73 68 61 2d 32 35 36 a4 01 69 48 57 5f 43
    INFO:            4f 4e 46 49 47 05 58 20 53 78 79 63 07 53 5d f3
    INFO:            ec 8d 8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3
    INFO:            22 38 c0 fa 97 3f 7a a3 02 58 20 1a 25 24 02 97
    INFO:            2f 60 57 fa 53 cc 17 2b 52 b9 ff ca 69 8e 18 31
    INFO:            1f ac d0 f3 b0 6e ca ae f7 9e 17 06 67 73 68 61
    INFO:            2d 32 35 36 a4 01 69 46 57 5f 43 4f 4e 46 49 47
    INFO:            05 58 20 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2
    INFO:            e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38 c0 fa 97
    INFO:            3f 7a a3 02 58 20 9a 92 ad bc 0c ee 38 ef 65 8c
    INFO:            71 ce 1b 1b f8 c6 56 68 f1 66 bf b2 13 64 4c 89
    INFO:            5c cb 1a d0 7a 25 06 67 73 68 61 2d 32 35 36 a4
    INFO:            01 6c 54 42 5f 46 57 5f 43 4f 4e 46 49 47 05 58
    INFO:            20 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc
    INFO:            56 41 41 9c 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a
    INFO:            a3 02 58 20 23 89 03 18 0c c1 04 ec 2c 5d 8b 3f
    INFO:            20 c5 bc 61 b3 89 ec 0a 96 7d f8 cc 20 8c dc 7c
    INFO:            d4 54 17 4f 06 67 73 68 61 2d 32 35 36 a4 01 6d
    INFO:            53 4f 43 5f 46 57 5f 43 4f 4e 46 49 47 05 58 20
    INFO:            53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56
    INFO:            41 41 9c 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3
    INFO:            02 58 20 e6 c2 1e 8d 26 0f e7 18 82 de bd b3 39
    INFO:            d2 40 2a 2c a7 64 85 29 bc 23 03 f4 86 49 bc e0
    INFO:            38 00 17 06 67 73 68 61 2d 32 35 36 58 60 31 d0
    INFO:            4d 52 cc de 95 2c 1e 32 cb a1 81 88 5a 40 b8 cc
    INFO:            38 e0 52 8c 1e 89 58 98 07 64 2a a5 e3 f2 bc 37
    INFO:            f9 53 74 50 6b ff 4d 2e 4b e7 06 3c 4d 72 41 92
    INFO:            70 c7 22 e8 d4 d9 3e e8 b6 c9 fa ce 3b 43 c9 76
    INFO:            1a 49 94 1a b6 f3 8f fd ff 49 6a d4 63 b4 cb fa
    INFO:            11 d8 3e 23 e3 1f 7f 62 32 9d e3 0c 1c c8
    INFO:    DELEGATED ATTEST TEST END

JSON format:

.. code-block:: json

    {
        "CCA_ATTESTATION_PROFILE": "tag:arm.com,2023:cca_platform#1.0.0",
        "CCA_PLATFORM_CHALLENGE": "b'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711'",
        "CCA_PLATFORM_IMPLEMENTATION_ID": "b'7F454C4602010100000000000000000003003E00010000005058000000000000'",
        "CCA_PLATFORM_INSTANCE_ID": "b'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918'",
        "CCA_PLATFORM_CONFIG": "b'CFCFCFCF'",
        "CCA_PLATFORM_LIFECYCLE": "secured_3003",
        "CCA_PLATFORM_HASH_ALGO_ID": "sha-256",
        "CCA_PLATFORM_VERIFICATION_SERVICE": "https://veraison.example/.well-known/veraison/verification",
        "CCA_PLATFORM_SW_COMPONENTS": [
            {
                "SW_COMPONENT_TYPE": "RSE_BL1_2",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "RSE_BL2",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "RSE_S",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "AP_BL1",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "AP_BL2",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "SCP_BL1",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "SCP_BL2",
                "SIGNER_ID": "b'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56'",
                "MEASUREMENT_VALUE": "b'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "AP_BL31",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "RMM",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "HW_CONFIG",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "FW_CONFIG",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "TB_FW_CONFIG",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            },
            {
                "SW_COMPONENT_TYPE": "SOC_FW_CONFIG",
                "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
                "MEASUREMENT_VALUE": "b'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017'",
                "CCA_SW_COMPONENT_HASH_ID": "sha-256"
            }
        ]
    }

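The dump above is a COSE_Sign1 object (CBOR tag 18): a protected header naming the signing algorithm, an empty unprotected header, the claim map as the payload, and the signature. As an added example that is not part of the TF-A sources, the following Python decodes the first 187 bytes of that dump (the envelope and the first seven claims, cut just before the verification service claim) with a small CBOR decoder, naming the numeric claim keys as the JSON rendering above does.

```python
# Bytes 1-187 of the "Binary format" dump above: COSE_Sign1 envelope plus the
# first seven claims, cut right before CCA_PLATFORM_VERIFICATION_SERVICE (key 2400).
TOKEN_PREFIX = bytes.fromhex(
    "d2 84 44 a1 01 38 22 a0 59 05 81 a9 19 01 09 78 23 74 61 67 3a 61 72 6d "
    "2e 63 6f 6d 2c 32 30 32 33 3a 63 63 61 5f 70 6c 61 74 66 6f 72 6d 23 31 "
    "2e 30 2e 30 0a 58 20 0d 22 e0 8a 98 46 90 58 48 63 18 28 34 89 bd b3 6f "
    "09 db ef eb 18 64 df 43 3f a6 e5 4e a2 d7 11 19 09 5c 58 20 7f 45 4c 46 "
    "02 01 01 00 00 00 00 00 00 00 00 00 03 00 3e 00 01 00 00 00 50 58 00 00 "
    "00 00 00 00 19 01 00 58 21 01 07 06 05 04 03 02 01 00 0f 0e 0d 0c 0b 0a "
    "09 08 17 16 15 14 13 12 11 10 1f 1e 1d 1c 1b 1a 19 18 19 09 61 44 cf cf "
    "cf cf 19 09 5b 19 30 03 19 09 62 67 73 68 61 2d 32 35 36"
)
# Numeric claim keys seen in the dump, named as in the JSON rendering above.
CLAIM_NAMES = {
    265: "CCA_ATTESTATION_PROFILE", 10: "CCA_PLATFORM_CHALLENGE",
    2396: "CCA_PLATFORM_IMPLEMENTATION_ID", 256: "CCA_PLATFORM_INSTANCE_ID",
    2401: "CCA_PLATFORM_CONFIG", 2395: "CCA_PLATFORM_LIFECYCLE",
    2402: "CCA_PLATFORM_HASH_ALGO_ID",
    2400: "CCA_PLATFORM_VERIFICATION_SERVICE", 2399: "CCA_PLATFORM_SW_COMPONENTS",
}


def _read(buf, pos, n):
    if pos + n > len(buf):
        raise EOFError("token data ends inside an item")
    return buf[pos:pos + n], pos + n


def _head(buf, pos):
    """Decode a CBOR initial byte plus its length bytes: (major, argument, pos)."""
    (ib,), pos = _read(buf, pos, 1)
    major, info = ib >> 5, ib & 0x1F
    if info < 24:
        return major, info, pos
    if info > 27:
        raise ValueError("indefinite-length items are not used in CCA tokens")
    raw, pos = _read(buf, pos, 1 << (info - 24))
    return major, int.from_bytes(raw, "big"), pos


def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item (the subset CCA tokens use)."""
    major, arg, pos = _head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        raw, pos = _read(buf, pos, arg)
        return (bytes(raw) if major == 2 else raw.decode("utf-8")), pos
    if major in (4, 5):                          # array, or map as key/value pairs
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("tags, simple values and floats are not expected here")


def parse_platform_token(token):
    """Check the COSE_Sign1 envelope and decode whatever claims are present."""
    major, arg, pos = _head(token, 0)
    if (major, arg) != (6, 18):
        raise ValueError("expected CBOR tag 18 (COSE_Sign1)")
    major, arg, pos = _head(token, pos)
    if (major, arg) != (4, 4):
        raise ValueError("COSE_Sign1 must be a 4-element array")
    protected, pos = cbor_decode(token, pos)     # bstr wrapping {1: alg}
    alg = cbor_decode(protected)[0][1]           # label 1 = "alg"; -35 = ES384
    _unprotected, pos = cbor_decode(token, pos)  # empty map in the sample
    major, payload_len, pos = _head(token, pos)  # bstr header of the claim set
    major2, nclaims, pos = _head(token, pos)     # the claim map itself
    if major != 2 or major2 != 5:
        raise ValueError("payload must be a byte string holding a claim map")
    claims = {}
    for _ in range(nclaims):
        try:
            key, p = cbor_decode(token, pos)
            value, p = cbor_decode(token, p)
        except EOFError:
            break                                # the prefix ends here
        claims[CLAIM_NAMES.get(key, key)] = value
        pos = p
    return {"alg": alg, "payload_len": payload_len, "claims": claims}
```

Pasting the whole dump into ``TOKEN_PREFIX`` decodes all nine claims, including the thirteen software component entries, since the decoder handles the arrays and nested maps they use.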
RSE based DICE Protection Environment
-------------------------------------

The ``DICE Protection Environment (DPE)`` [8]_ service makes it possible to
execute |DICE| commands within an isolated execution environment. It provides
clients with an interface to send DICE commands, encoded as CBOR objects,
that act on opaque context handles. The |DPE| service performs |DICE|
derivations and certification on its internal contexts, without exposing the
|DICE| secrets (private keys and CDIs) outside of the isolated execution
environment.

|DPE| API
^^^^^^^^^

Defined here:

- ``include/lib/psa/dice_protection_environment.h``

.. code-block:: c

    dpe_error_t
    dpe_derive_context(int      context_handle,
                       uint32_t cert_id,
                       bool     retain_parent_context,
                       bool     allow_new_context_to_derive,
                       bool     create_certificate,
                       const DiceInputValues *dice_inputs,
                       int32_t  target_locality,
                       bool     return_certificate,
                       bool     allow_new_context_to_export,
                       bool     export_cdi,
                       int     *new_context_handle,
                       int     *new_parent_context_handle,
                       uint8_t *new_certificate_buf,
                       size_t   new_certificate_buf_size,
                       size_t  *new_certificate_actual_size,
                       uint8_t *exported_cdi_buf,
                       size_t   exported_cdi_buf_size,
                       size_t  *exported_cdi_actual_size);

Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^

- ``MEASURED_BOOT``: Enable measured boot.
- ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot
  backend when |RSE| based ``MEASURED_BOOT`` is enabled. The default value is
  ``0``. When set to ``1``, the measurements and additional metadata collected
  during the measured boot process are sent to the |DPE| for storage and
  processing.
- ``DPE_ALG_ID``: Determines the hash algorithm used to measure the images. The
  default value is sha-256.

Example certificate chain
^^^^^^^^^^^^^^^^^^^^^^^^^

``plat/arm/board/tc/tc_dpe.h``

RSE OTP Assets Management
-------------------------

RSE provides the AP with access to assets in OTP, which include keys for image
signature verification and non-volatile counters for anti-rollback protection.

Non-Volatile Counter API
^^^^^^^^^^^^^^^^^^^^^^^^

The AP/RSE API for reading and incrementing non-volatile counters is as
follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

    psa_status_t rse_platform_nv_counter_increment(uint32_t counter_id);

    psa_status_t rse_platform_nv_counter_read(uint32_t counter_id,
            uint32_t size, uint8_t *val);

Through this service, we can read/increment any of the 3 non-volatile
counters used on an Arm CCA platform:

- Non-volatile counter for CCA firmware (BL2, BL31, RMM).
- Non-volatile counter for secure firmware.
- Non-volatile counter for non-secure firmware.

Public Key API
^^^^^^^^^^^^^^

The AP/RSE interface for reading the ROTPK is as follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

    psa_status_t rse_platform_key_read(enum rse_key_id_builtin_t key,
            uint8_t *data, size_t data_size, size_t *data_length);

Through this service, we can read any of the 3 ROTPKs used on an
Arm CCA platform:

- ROTPK for CCA firmware (BL2, BL31, RMM).
- ROTPK for secure firmware.
- ROTPK for non-secure firmware.

Get entropy API
^^^^^^^^^^^^^^^

The AP/RSE interface for reading entropy is as follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

    psa_status_t rse_platform_get_entropy(uint8_t *data, size_t data_size);

Through this service, we can read entropy generated by RSE.

References
----------

.. [1] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/index.html
.. [2] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/rse_comms.html
.. [3] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/measured_boot_integration_guide.html
.. [4] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/delegated_attestation/delegated_attest_integration_guide.html
.. [5] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/rse_key_management.html
.. [6] https://developer.arm.com/documentation/den0063
.. [7] https://developer.arm.com/documentation/DEN0096/A_a/?lang=en
.. [8] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/dice_protection_environment/dice_protection_environment.html

--------------

*Copyright (c) 2023-2025, Arm Limited. All rights reserved.*
*Copyright (c) 2024, Linaro Limited. All rights reserved.*
*Copyright (c) 2025, STMicroelectronics - All Rights Reserved*
