Runtime Security Engine (RSE)
=============================

This document focuses on the relationship between the Runtime Security Engine
(RSE) and the application processor (AP). According to the ARM reference design
the RSE is an independent core next to the AP and the SCP on the same die. It
provides fundamental security guarantees and runtime services for the rest of
the system (e.g.: trusted boot, measured boot, platform attestation,
key management, and key derivation).

At power up RSE boots first from its private ROM code. It validates and loads
its own images and the initial images of SCP and AP. When AP and SCP are
released from reset and their initial code is loaded then they continue their
own boot process, which is the same as on non-RSE systems. Please refer to the
``RSE documentation`` [1]_ for more details about the RSE boot flow.

The last stage of the RSE firmware is a persistent, runtime component. Much
like AP_BL31, this is a passive entity which has no periodical task to do and
just waits for external requests from other subsystems. RSE and other
subsystems communicate with each other by exchanging messages. RSE waits in
idle for an incoming request, handles it, sends a response and then goes back
to idle.

RSE communication layer
-----------------------

The communication between RSE and other subsystems relies primarily on the
Message Handling Unit (MHU) module.
The number of MHU interfaces between RSE
and other cores is IMPDEF. Besides MHU, other modules can also take part in
the communication. RSE is capable of mapping the AP memory to its address space.
Thereby either the RSE core itself or a DMA engine, if present, can move data
between memory belonging to RSE or AP. In this way, a bigger amount of data
can be transferred in a short time.

The MHU comes in pairs. There is a sender and a receiver side. They are
connected to each other. An MHU interface consists of two pairs of MHUs, one
sender and one receiver on both sides. Bidirectional communication is possible
over an interface. One pair provides message sending from AP to RSE and the
other pair from RSE to AP. The sender and receiver are connected via channels.
There is an IMPDEF number of channels (e.g: 4-16) between a sender and a
receiver module.

The RSE communication layer provides two ways for message exchange:

- ``Embedded messaging``: The full message, including header and payload, is
  exchanged over the MHU channels. A channel is capable of delivering a single
  word. The sender writes the data to the channel register on its side and the
  receiver can read the data from the channel on the other side. One dedicated
  channel is used for signalling. It does not deliver any payload; it is just
  meant for signalling that the sender has loaded the data into the channel
  registers so the receiver can read them. The receiver uses the same channel
  to signal that the data was read. Signalling happens via IRQ.
  If the message is longer than
  the data that fit into the channel registers then the message is sent over in
  multiple rounds. Both sender and receiver allocate a local buffer for the
  messages. Data is copied from/to these buffers to/from the channel registers.
- ``Pointer-access messaging``: The message header and the payload are
  separated and they are conveyed in different ways. The header is sent
  over the channels, similar to the embedded messaging, but the payload is
  copied over by the RSE core (or by DMA) between the sender and the receiver.
  This could be useful in the case of long messages because the transaction
  time is less compared to the embedded messaging mode. Small payloads are
  copied by the RSE core because setting up DMA would require more CPU cycles.
  The payload is either copied into an internal buffer or directly read/written
  by RSE. The actual behavior depends on the RSE setup, i.e. whether the
  partition supports memory-mapped ``iovec``. Therefore, the sender must handle
  both cases and prevent access to the memory where the payload data lives
  while the RSE handles the request.

The RSE communication layer supports both ways of messaging in parallel. It is
decided at runtime based on the message size which way to transfer the message.

.. code-block:: bash

   +----------------------------------------------+        +-------------------+
   |                                              |        |                   |
   |                      AP                      |        |                   |
   |                                              |  +---->|       SRAM        |
   +----------------------------------------------+  |     |                   |
   |              BL1 / BL2 / BL31                |  |     |                   |
   +----------------------------------------------+  |     +-------------------+
         |                                 ^         |         ^         ^
         | send IRQ                receive | direct  |         |         |
         V                                 | access  |         |         |
   +--------------------+   +--------------------+   |         |         |
   |     MHU sender     |   |    MHU receiver    |   |         |         | Copy data
   +--------------------+   +--------------------+   |         |         |
      | |          | |         | |          | |      |         |         |
      | | channels | |         | | channels | |      |         |         |
      | | e.g: 4-16| |         | | e.g: 4-16| |      |         V         |
   +--------------------+   +--------------------+   |     +-------+     |
   |    MHU receiver    |   |     MHU sender     |   |  +->|  DMA  |     |
   +--------------------+   +--------------------+   |  |  +-------+     |
         |                                 ^         |  |      ^         |
    IRQ  | receive                    send |         |  |      |         | Copy data
         V                                 |         |  |      V         V
   +----------------------------------------------+  |  |  +-------------------+
   |                                              |--+--+  |                   |
   |                     RSE                      |        |       SRAM        |
   |                                              |        |                   |
   +----------------------------------------------+        +-------------------+

.. Note::

   The RSE communication layer is not prepared for concurrent execution. The
   current use case only requires message exchange during the boot phase. In
   the boot phase, only a single core is running and the rest of the cores are
   in reset.
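
To make the two modes concrete, here is a small Python model, added here and not
part of TF-A or the RSE firmware, of an MHU link with a fixed number of
word-sized channels: embedded messaging splits the framed message into rounds
of channel-register writes, each announced over the signalling channel, while
pointer-access messaging sends only a header and lets the RSE side copy the
payload out of mapped AP memory, with the AP-side region marked busy until the
response arrives. The word size, the one-word length header, the 64-byte mode
threshold and the single-request ownership flag are constructed for the
illustration; the real framing is defined in the RSE communication design
document [2]_.

```python
"""Model of the two RSE message-exchange modes over MHU channels.

Added example, not TF-A or RSE firmware code. Word size, channel count, header
layout and the size threshold are constructed for the demonstration.
"""
import struct

WORD_SIZE = 4         # one MHU channel register carries one 32-bit word
EMBEDDED_LIMIT = 64   # constructed threshold: longer payloads use pointer access


class ApMemory:
    """AP memory that RSE has mapped into its own address space. A
    pointer-access payload lives here, and the AP must leave the region alone
    until RSE has answered (one outstanding request, as in the boot phase)."""

    def __init__(self, size=4096):
        self.buf = bytearray(size)
        self.owned_by_rse = False

    def place(self, payload, offset=0):
        if self.owned_by_rse:
            raise RuntimeError("payload region is still being handled by RSE")
        self.buf[offset:offset + len(payload)] = payload
        self.owned_by_rse = True
        return offset

    def rse_copy_out(self, offset, length):
        # Copy performed by the RSE core or its DMA engine, not by the AP.
        return bytes(self.buf[offset:offset + length])

    def release(self, offset):
        self.owned_by_rse = False


class MhuLink:
    """One direction of an MHU pair with n_channels channels: the last channel
    is reserved for signalling, the others carry one word each per round."""

    def __init__(self, n_channels):
        self.n_data = n_channels - 1
        self.regs = [0] * self.n_data    # channel registers, sender side
        self.rx_buf = bytearray()        # receiver's local message buffer
        self.rounds = 0

    def _transfer_round(self, words):
        # The sender loads every data channel register, then raises the 'data
        # ready' IRQ on the signalling channel; the receiver drains the
        # registers into its buffer and signals 'data read' back (modelled
        # here as returning from this call).
        self.regs = words + [0] * (self.n_data - len(words))
        self.rx_buf += struct.pack("<%dI" % self.n_data, *self.regs)
        self.rounds += 1

    def _send_words(self, data):
        padded = data + b"\0" * (-len(data) % WORD_SIZE)
        words = list(struct.unpack("<%dI" % (len(padded) // WORD_SIZE), padded))
        self.rx_buf, self.rounds = bytearray(), 0
        for i in range(0, len(words), self.n_data):
            self._transfer_round(words[i:i + self.n_data])

    def send_embedded(self, payload):
        """Embedded messaging: header (here only a length word) and payload
        all cross the channels, in as many rounds as it takes."""
        self._send_words(struct.pack("<I", len(payload)) + payload)
        (length,) = struct.unpack_from("<I", self.rx_buf)
        return bytes(self.rx_buf[WORD_SIZE:WORD_SIZE + length])

    def send_pointer_access(self, payload, ap_mem):
        """Pointer-access messaging: only the header (length and the payload's
        location in AP memory) crosses the channels; RSE copies the payload."""
        offset = ap_mem.place(payload)
        self._send_words(struct.pack("<II", len(payload), offset))
        length, where = struct.unpack_from("<II", self.rx_buf)
        received = ap_mem.rse_copy_out(where, length)
        ap_mem.release(where)    # response sent; the AP may reuse the region
        return received


def send_message(link, payload, ap_mem):
    """Runtime choice between the two modes by message size, as the text
    describes; the limit itself is a constructed value."""
    if len(payload) <= EMBEDDED_LIMIT:
        return "embedded", link.send_embedded(payload)
    return "pointer-access", link.send_pointer_access(payload, ap_mem)
```

With five channels (four data words per round) a 30-byte payload plus its
length word needs three rounds, whereas a 512-byte payload in pointer-access
mode crosses the channels in a single round; the ``owned_by_rse`` flag is what
stops the AP from rewriting the region before the response has arrived.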

Message structure
^^^^^^^^^^^^^^^^^
A description of the message format can be found in the ``RSE communication
design`` [2]_ document.

Source files
^^^^^^^^^^^^
- RSE comms:  ``drivers/arm/rse``
- MHU driver: ``drivers/arm/mhu``


API for communication over MHU
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The API is defined in these header files:

- ``include/drivers/arm/rse_comms.h``
- ``include/drivers/arm/mhu.h``

RSE provided runtime services
-----------------------------

RSE provides the following runtime services:

- ``Measured boot``: Securely store the firmware measurements which were
  computed during the boot process and the associated metadata (image
  description, measurement algorithm, etc.). More info on the measured boot
  service in RSE can be found in the ``measured_boot_integration_guide`` [3]_ .
- ``Delegated attestation``: Query the platform attestation token and derive a
  delegated attestation key. More info on the delegated attestation service
  in RSE can be found in the ``delegated_attestation_integration_guide`` [4]_ .
- ``OTP assets management``: Public keys used by AP during the trusted boot
  process can be requested from RSE. Furthermore, AP can request RSE to
  increase a non-volatile counter.
  Please refer to the
  ``RSE key management`` [5]_ document for more details.

Runtime service API
^^^^^^^^^^^^^^^^^^^
The RSE provided runtime services implement a PSA aligned API. The parameter
encoding follows the PSA client protocol described in the
``Firmware Framework for M`` [6]_ document in chapter 4.4. The implementation is
restricted to the static handle use case, therefore only the ``psa_call`` API is
implemented.


Software and API layers
^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: bash

   +----------------+         +---------------------+
   |   BL1 / BL2    |         |        BL31         |
   +----------------+         +---------------------+
           |                             |
           | extend_measurement()        | get_delegated_key()
           |                             | get_platform_token()
           V                             V
   +----------------+         +---------------------+
   |  PSA protocol  |         |    PSA protocol     |
   +----------------+         +---------------------+
           |                             |
           | psa_call()                  | psa_call()
           |                             |
           V                             V
   +------------------------------------------------+
   |           RSE communication protocol           |
   +------------------------------------------------+
           |                             ^
           | mhu_send_data()             | mhu_receive_data()
           |                             |
           V                             |
   +------------------------------------------------+
   |                   MHU driver                   |
   +------------------------------------------------+
           |                             ^
           | Register access             | IRQ
           V                             |
   +------------------------------------------------+
   |               MHU HW on AP side                |
   +------------------------------------------------+
                           ^
                           | Physical wires
                           |
                           V
   +------------------------------------------------+
   |               MHU HW on RSE side               |
   +------------------------------------------------+
           |                             ^
           | IRQ                         | Register access
           V                             |
   +------------------------------------------------+
   |                   MHU driver                   |
   +------------------------------------------------+
           |                             |
           V                             V
   +---------------+           +------------------------+
   | Measured boot |           | Delegated attestation  |
   |    service    |           |        service         |
   +---------------+           +------------------------+


RSE based Measured Boot
-----------------------

Measured Boot is the process of cryptographically measuring (computing the hash
value of a binary) the code and critical data used at boot time. The
measurement must be stored in a tamper-resistant way, so the security state
of the device can be attested later to an external party. RSE provides a runtime
service which is meant to store measurements and associated metadata alongside.

Data is stored in internal SRAM which is only accessible by the secure runtime
firmware of RSE. Data is stored in so-called measurement slots. A platform has
an IMPDEF number of measurement slots. The measurement storage follows extend
semantics. This means that measurements are not stored directly (as taken);
instead they contribute to the current value of the measurement slot. The
extension implements this logic, where ``||`` stands for concatenation:

.. code-block:: bash

   new_value_of_measurement_slot = Hash(old_value_of_measurement_slot || measurement)

Supported hash algorithms: sha-256, sha-512

Measured Boot API
^^^^^^^^^^^^^^^^^

Defined here:

- ``include/lib/psa/measured_boot.h``

.. code-block:: c

   psa_status_t
   rse_measured_boot_extend_measurement(uint8_t index,
                                        const uint8_t *signer_id,
                                        size_t signer_id_size,
                                        const uint8_t *version,
                                        size_t version_size,
                                        uint32_t measurement_algo,
                                        const uint8_t *sw_type,
                                        size_t sw_type_size,
                                        const uint8_t *measurement_value,
                                        size_t measurement_value_size,
                                        bool lock_measurement);

Measured Boot Metadata
^^^^^^^^^^^^^^^^^^^^^^

The following metadata can be stored alongside the measurement:

- ``Signer-id``: Mandatory. The hash of the firmware image signing public key.
- ``Measurement algorithm``: Optional. The hash algorithm which was used to
  compute the measurement (e.g.: sha-256, etc.).
- ``Version info``: Optional. The firmware version info (e.g.: 2.7).
- ``SW type``: Optional. Short text description (e.g.: BL1, BL2, BL31, etc.)

.. Note::
   Version info is not implemented in TF-A yet.


The caller must specify in which measurement slot to extend a certain
measurement and metadata. A measurement slot can be extended by multiple
measurements. The default value is IMPDEF. All measurement slots are cleared at
reset; there is no other way to clear them. In the reference implementation,
the measurement slots are initialized to 0.
At the first call to extend the
measurement in a slot, the extend operation uses the default value of the
measurement slot. All subsequent extend operations on the same slot contribute
to the previous value of that measurement slot.

The following rules are kept when a slot is extended multiple times:

- ``Signer-id``: must be the same as in the previous call(s), otherwise a
  PSA_ERROR_NOT_PERMITTED error code is returned.

- ``Measurement algorithm``: must be the same as in the previous call(s),
  otherwise a PSA_ERROR_NOT_PERMITTED error code is returned.

In case of error no further action is taken (the slot is not locked). If valid
data is provided in a subsequent call then the measurement slot will be
extended. The rest of the metadata is handled as follows when a measurement
slot is extended multiple times:

- ``SW type``: Cleared.
- ``Version info``: Cleared.

.. Note::

   Extending multiple measurements in the same slot leads to some metadata
   information loss. Since RSE is not constrained by special HW resources to
   store the measurements and metadata, it is worth considering storing all of
   them one by one in distinct slots. However, they are one-by-one included in
   the platform attestation token, so the number of distinct firmware image
   measurements has an impact on the size of the attestation token.
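
The following Python model, added here and not code from TF-A or the RSE
firmware, implements the extend semantics, the zero default, the signer-ID and
algorithm rules and the clearing of SW type and version info described above,
and also derives the signer-ID as the hash of a public key, as the Signer-ID
API further below does. The PSA status and algorithm identifier values are the
standard PSA ones (the console log below prints the algorithm as 2000009, which
is PSA_ALG_SHA_256); that a locked slot rejects further extends with
PSA_ERROR_BAD_STATE and that the zero default is one digest length of zero
bytes are assumptions of the model, not statements of this document.

```python
"""Model of the RSE measurement-slot extend semantics and multi-extend rules.

Added example, not TF-A or RSE firmware code. The locked-slot status code and
the digest-length zero default are assumptions of this model.
"""
import hashlib

PSA_SUCCESS = 0
PSA_ERROR_NOT_PERMITTED = -133
PSA_ERROR_INVALID_ARGUMENT = -135
PSA_ERROR_BAD_STATE = -137

PSA_ALG_SHA_256 = 0x02000009   # printed as 'algorithm : 2000009' in the log
PSA_ALG_SHA_512 = 0x0200000b
HASH_NAMES = {PSA_ALG_SHA_256: "sha256", PSA_ALG_SHA_512: "sha512"}


def hash_bytes(algo, data):
    return hashlib.new(HASH_NAMES[algo], data).digest()


def signer_id_of(algo, public_key):
    """Signer-ID as the text defines it: hash of the image signing public key."""
    return hash_bytes(algo, public_key)


class MeasurementSlot:
    def __init__(self):
        self.value = None        # None until the first extend (zero default)
        self.signer_id = None
        self.algo = None
        self.sw_type = b""
        self.version = b""
        self.locked = False
        self.extend_count = 0


class MeasuredBootStore:
    """All slots are cleared at reset; nothing else clears them."""

    def __init__(self, n_slots=32):
        self.slots = [MeasurementSlot() for _ in range(n_slots)]

    def extend_measurement(self, index, signer_id, version, algo,
                           sw_type, measurement, lock_measurement):
        if index >= len(self.slots) or algo not in HASH_NAMES:
            return PSA_ERROR_INVALID_ARGUMENT
        slot = self.slots[index]
        if slot.locked:
            return PSA_ERROR_BAD_STATE   # assumption: locked slots reject extends
        if slot.extend_count == 0:
            # First extend: the all-zero default is the seed and the metadata
            # is recorded as supplied.
            old = bytes(hashlib.new(HASH_NAMES[algo]).digest_size)
            slot.signer_id, slot.algo = signer_id, algo
            slot.sw_type, slot.version = sw_type, version
        else:
            # Rules from the text: signer-ID and algorithm must not change;
            # on a violation nothing happens and the slot is not locked.
            if signer_id != slot.signer_id or algo != slot.algo:
                return PSA_ERROR_NOT_PERMITTED
            old = slot.value
            slot.sw_type, slot.version = b"", b""   # cleared on re-extend
        # new_value_of_measurement_slot = Hash(old_value || measurement)
        slot.value = hash_bytes(algo, old + measurement)
        slot.extend_count += 1
        slot.locked = lock_measurement
        return PSA_SUCCESS

    def report(self):
        """Per-slot summary of the kind that ends up in the attestation token."""
        return [(i, s.sw_type, s.signer_id.hex(), s.value.hex())
                for i, s in enumerate(self.slots) if s.extend_count]
```

Extending a slot twice with the same signer-ID chains the two hashes but
leaves the slot with an empty SW type, which is the metadata loss the note
above warns about; a mismatched signer-ID or algorithm leaves the slot value
and its lock state untouched.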

The allocation of the measurement slots among RSE, Root and Realm worlds is
platform dependent. The platform must provide an allocation of the measurement
slots at build time. An example can be found in
``tf-a/plat/arm/board/tc/tc_bl1_measured_boot.c``.
Furthermore, the memory which holds the metadata is also statically allocated
in RSE memory. Some of the fields have a static value (measurement algorithm),
and some have a dynamic value (measurement value) which is updated by the
bootloaders when the firmware image is loaded and measured. The metadata
structure is defined in
``include/drivers/measured_boot/rse/rse_measured_boot.h``.

.. code-block:: c

   struct rse_mboot_metadata {
           unsigned int id;
           uint8_t slot;
           uint8_t signer_id[SIGNER_ID_MAX_SIZE];
           size_t  signer_id_size;
           uint8_t version[VERSION_MAX_SIZE];
           size_t  version_size;
           uint8_t sw_type[SW_TYPE_MAX_SIZE];
           size_t  sw_type_size;
           void    *pk_oid;
           bool    lock_measurement;
   };

Signer-ID API
^^^^^^^^^^^^^

This function calculates the hash of a public key (signer-ID) using the
``Measurement algorithm`` and stores it in the ``rse_mboot_metadata`` field
named ``signer_id``.
Prior to calling this function, the caller must ensure that the ``signer_id``
field points to a zero-filled buffer.

Defined here:

- ``include/drivers/measured_boot/rse/rse_measured_boot.h``

.. code-block:: c

   int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
                               const void *pk_oid,
                               const void *pk_ptr,
                               size_t pk_len);


- First parameter is the pointer to the ``rse_mboot_metadata`` structure.
- Second parameter is the pointer to the key-OID of the public key.
- Third parameter is the pointer to the public key buffer.
- Fourth parameter is the size of the public key buffer.
- This function returns 0 on success, a signed integer error code
  otherwise.

Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^

- ``MEASURED_BOOT``: Enable measured boot. It depends on the platform
  implementation whether RSE or TPM (or both) backend based measured boot is
  enabled.
- ``MBOOT_RSE_HASH_ALG``: Determine the hash algorithm to measure the images.
  The default value is sha-256.

Measured boot flow
^^^^^^^^^^^^^^^^^^

.. figure:: ../resources/diagrams/rse_measured_boot_flow.svg
    :align: center

Sample console log
^^^^^^^^^^^^^^^^^^

.. code-block:: bash

   INFO:    Measured boot extend measurement:
   INFO:     - slot        : 6
   INFO:     - signer_id   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   INFO:                   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   INFO:     - version     :
   INFO:     - version_size: 0
   INFO:     - sw_type     : FW_CONFIG
   INFO:     - sw_type_size: 10
   INFO:     - algorithm   : 2000009
   INFO:     - measurement : aa ea d3 a7 a8 e2 ab 7d 13 a6 cb 34 99 10 b9 a1
   INFO:                   : 1b 9f a0 52 c5 a8 b1 d7 76 f2 c1 c1 ef ca 1a df
   INFO:     - locking     : true
   INFO:    FCONF: Config file with image ID:31 loaded at address = 0x4001010
   INFO:    Loading image id=24 at address 0x4001300
   INFO:    Image id=24 loaded: 0x4001300 - 0x400153a
   INFO:    Measured boot extend measurement:
   INFO:     - slot        : 7
   INFO:     - signer_id   : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73
   INFO:                   : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da
   INFO:     - version     :
   INFO:     - version_size: 0
   INFO:     - sw_type     : TB_FW_CONFIG
   INFO:     - sw_type_size: 13
   INFO:     - algorithm   : 2000009
   INFO:     - measurement : 05 b9 dc 98 62 26 a7 1c 2d e5 bb af f0 90 52 28
   INFO:                   : f2 24 15 8a 3a 56 60 95 d6 51 3a 7a 1a 50 9b b7
   INFO:     - locking     : true
   INFO:    FCONF: Config file with image ID:24 loaded at address = 0x4001300
   INFO:    BL1: Loading BL2
   INFO:    Loading image id=1 at address 0x404d000
   INFO:    Image id=1 loaded: 0x404d000 - 0x406412a
   INFO:    Measured boot extend measurement:
   INFO:     - slot        : 8
   INFO:     - signer_id   : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73
   INFO:                   : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da
   INFO:     - version     :
   INFO:     - version_size: 0
   INFO:     - sw_type     : BL_2
   INFO:     - sw_type_size: 5
   INFO:     - algorithm   : 2000009
   INFO:     - measurement : 53 a1 51 75 25 90 fb a1 d9 b8 c8 34 32 3a 01 16
   INFO:                   : c9 9e 74 91 7d 28 02 56 3f 5c 40 94 37 58 50 68
   INFO:     - locking     : true

Delegated Attestation
---------------------

Delegated Attestation Service was mainly developed to support the attestation
flow on the ``ARM Confidential Compute Architecture`` (ARM CCA) [7]_.
The detailed description of the delegated attestation service can be found in
the ``Delegated Attestation Service Integration Guide`` [4]_ document.

In the CCA use case, the Realm Management Monitor (RMM) relies on the delegated
attestation service of the RSE to get a realm attestation key and the CCA
platform token. BL31 does not use the service for its own purpose, it only
calls it on behalf of RMM. The access to the MHU interface and thereby to RSE
is restricted to BL31 only.
Therefore, RMM does not have direct access; all calls
need to go through BL31. The RMM dispatcher module of BL31 is responsible
for delivering the calls between the two parties.

.. Note::
   Currently the connection between the RMM dispatcher and the PSA/RSE layer
   is not yet implemented. RMM dispatcher just returns hard coded data.

Delegated Attestation API
^^^^^^^^^^^^^^^^^^^^^^^^^
Defined here:

- ``include/lib/psa/delegated_attestation.h``

.. code-block:: c

   psa_status_t
   rse_delegated_attest_get_delegated_key(uint8_t   ecc_curve,
                                          uint32_t  key_bits,
                                          uint8_t  *key_buf,
                                          size_t    key_buf_size,
                                          size_t   *key_size,
                                          uint32_t  hash_algo);

   psa_status_t
   rse_delegated_attest_get_token(const uint8_t *dak_pub_hash,
                                  size_t         dak_pub_hash_size,
                                  uint8_t       *token_buf,
                                  size_t         token_buf_size,
                                  size_t        *token_size);

Attestation flow
^^^^^^^^^^^^^^^^

.. figure:: ../resources/diagrams/rse_attestation_flow.svg
    :align: center

Sample attestation token
^^^^^^^^^^^^^^^^^^^^^^^^

Binary format:

.. code-block:: bash

   INFO:    DELEGATED ATTEST TEST START
   INFO:    Get delegated attestation key start
   INFO:    Get delegated attest key succeeds, len: 48
   INFO:    Delegated attest key:
   INFO:            0d 2a 66 61 d4 89 17 e1 70 c6 73 56 df f4 11 fd
   INFO:            7d 1f 3b 8a a3 30 3d 70 4c d9 06 c3 c7 ef 29 43
   INFO:            0f ee b5 e7 56 e0 71 74 1b c4 39 39 fd 85 f6 7b
   INFO:    Get platform token start
   INFO:    Get platform token succeeds, len: 1086
   INFO:    Platform attestation token:
   INFO:            d2 84 44 a1 01 38 22 a0 59 03 d1 a9 0a 58 20 00
   INFO:            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   INFO:            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19
   INFO:            01 00 58 21 01 cb 8c 79 f7 a0 0a 6c ce 12 66 f8
   INFO:            64 45 48 42 0e c5 10 bf 84 ee 22 18 b9 8f 11 04
   INFO:            c7 22 31 9d fb 19 09 5c 58 20 aa aa aa aa aa aa
   INFO:            aa aa bb bb bb bb bb bb bb bb cc cc cc cc cc cc
   INFO:            cc cc dd dd dd dd dd dd dd dd 19 09 5b 19 30 00
   INFO:            19 09 5f 89 a4 05 58 20 bf e6 d8 6f 88 26 f4 ff
   INFO:            97 fb 96 c4 e6 fb c4 99 3e 46 19 fc 56 5d a2 6a
   INFO:            df 34 c3 29 48 9a dc 38 04 67 31 2e 36 2e 30 2b
   INFO:            30 01 64 52 54 5f 30 02 58 20 90 27 f2 46 ab 31
   INFO:            85 36 46 c4 d7 c6 60 ed 31 0d 3c f0 14 de f0 6c
   INFO:            24 0b de b6 7a 84 fc 3f 5b b7 a4 05 58 20 b3 60
   INFO:            ca f5 c9 8c 6b 94 2a 48 82 fa 9d 48 23 ef b1 66
   INFO:            a9 ef 6a 6e 4a a3 7c 19 19 ed 1f cc c0 49 04 67
   INFO:            30 2e 30 2e 30 2b 30 01 64 52 54 5f 31 02 58 20
   INFO:            52 13 15 d4 9d b2 cf 54 e4 99 37 44 40 68 f0 70
   INFO:            7d 73 64 ae f7 08 14 b0 f7 82 ad c6 17 db a3 91
   INFO:            a4 05 58 20 bf e6 d8 6f 88 26 f4 ff 97 fb 96 c4
   INFO:            e6 fb c4 99 3e 46 19 fc 56 5d a2 6a df 34 c3 29
   INFO:            48 9a dc 38 04 67 31 2e 35 2e 30 2b 30 01 64 52
   INFO:            54 5f 32 02 58 20 8e 5d 64 7e 6f 6c c6 6f d4 4f
   INFO:            54 b6 06 e5 47 9a cc 1b f3 7f ce 87 38 49 c5 92
   INFO:            d8 2f 85 2e 85 42 a4 05 58 20 bf e6 d8 6f 88 26
   INFO:            f4 ff 97 fb 96 c4 e6 fb c4 99 3e 46 19 fc 56 5d
   INFO:            a2 6a df 34 c3 29 48 9a dc 38 04 67 31 2e 35 2e
   INFO:            30 2b 30 01 60 02 58 20 b8 01 65 a7 78 8b c6 59
   INFO:            42 8d 33 10 85 d1 49 0a dc 9e c3 ee df 85 1b d2
   INFO:            f0 73 73 6a 0c 07 11 b8 a4 05 58 20 b0 f3 82 09
   INFO:            12 97 d8 3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2
   INFO:            49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6a
   INFO:            46 57 5f 43 4f 4e 46 49 47 00 02 58 20 21 9e a0
   INFO:            13 82 e6 d7 97 5a 11 13 a3 5f 45 39 68 b1 d9 a3
   INFO:            ea 6a ab 84 23 3b 8c 06 16 98 20 ba b9 a4 05 58
   INFO:            20 b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32
   INFO:            73 e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a
   INFO:            da 04 60 01 6d 54 42 5f 46 57 5f 43 4f 4e 46 49
   INFO:            47 00 02 58 20 41 39 f6 c2 10 84 53 c5 17 ae 9a
   INFO:            e5 be c1 20 7b cc 24 24 f3 9d 20 a8 fb c7 b3 10
   INFO:            e3 ee af 1b 05 a4 05 58 20 b0 f3 82 09 12 97 d8
   INFO:            3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 49 59 f6
   INFO:            5e 8b 4a 4a 46 d8 22 9a da 04 60 01 65 42 4c 5f
   INFO:            32 00 02 58 20 5c 96 20 e1 e3 3b 0f 2c eb c1 8e
   INFO:            1a 02 a6 65 86 dd 34 97 a7 4c 98 13 bf 74 14 45
   INFO:            2d 30 28 05 c3 a4 05 58 20 b0 f3 82 09 12 97 d8
   INFO:            3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 49 59 f6
   INFO:            5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6e 53 45 43
   INFO:            55 52 45 5f 52 54 5f 45 4c 33 00 02 58 20 f6 fb
   INFO:            62 99 a5 0c df db 02 0b 72 5b 1c 0b 63 6e 94 ee
   INFO:            66 50 56 3a 29 9c cb 38 f0 ec 59 99 d4 2e a4 05
   INFO:            58 20 b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec
   INFO:            32 73 e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22
   INFO:            9a da 04 60 01 6a 48 57 5f 43 4f 4e 46 49 47 00
   INFO:            02 58 20 98 5d 87 21 84 06 33 9d c3 1f 91 f5 68
   INFO:            8d a0 5a f0 d7 7e 20 51 ce 3b f2 a5 c3 05 2e 3c
   INFO:            8b 52 31 19 01 09 78 1c 68 74 74 70 3a 2f 2f 61
   INFO:            72 6d 2e 63 6f 6d 2f 43 43 41 2d 53 53 44 2f 31
   INFO:            2e 30 2e 30 19 09 62 71 6e 6f 74 2d 68 61 73 68
   INFO:            2d 65 78 74 65 6e 64 65 64 19 09 61 44 ef be ad
   INFO:            de 19 09 60 77 77 77 77 2e 74 72 75 73 74 65 64
   INFO:            66 69 72 6d 77 61 72 65 2e 6f 72 67 58 60 29 4e
   INFO:            4a d3 98 1e 3b 70 9f b6 66 ed 47 33 0e 99 f0 b1
   INFO:            c3 f2 bc b2 1d b0 ae 90 0c c4 82 ff a2 6f ae 45
   INFO:            f6 87 09 4a 09 21 77 ec 36 1c 53 b8 a7 9b 8e f7
   INFO:            27 eb 7a 09 da 6f fb bf cb fd b3 e5 e9 36 91 b1
   INFO:            92 13 c1 30 16 b4 5c 49 5e c0 c1 b9 01 5c 88 2c
   INFO:            f8 2f 3e a4 a2 6d e4 9d 31 6a 06 f7 a7 73
   INFO:    DELEGATED ATTEST TEST END

JSON format:

.. code-block:: JSON

   {
       "CCA_PLATFORM_CHALLENGE": "b'0000000000000000000000000000000000000000000000000000000000000000'",
       "CCA_PLATFORM_INSTANCE_ID": "b'01CB8C79F7A00A6CCE1266F8644548420EC510BF84EE2218B98F1104C722319DFB'",
       "CCA_PLATFORM_IMPLEMENTATION_ID": "b'AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD'",
       "CCA_PLATFORM_LIFECYCLE": "secured_3000",
       "CCA_PLATFORM_SW_COMPONENTS": [
           {
               "SIGNER_ID": "b'BFE6D86F8826F4FF97FB96C4E6FBC4993E4619FC565DA26ADF34C329489ADC38'",
               "SW_COMPONENT_VERSION": "1.6.0+0",
               "SW_COMPONENT_TYPE": "RT_0",
               "MEASUREMENT_VALUE": "b'9027F246AB31853646C4D7C660ED310D3CF014DEF06C240BDEB67A84FC3F5BB7'"
           },
           {
               "SIGNER_ID": "b'B360CAF5C98C6B942A4882FA9D4823EFB166A9EF6A6E4AA37C1919ED1FCCC049'",
               "SW_COMPONENT_VERSION": "0.0.0+0",
               "SW_COMPONENT_TYPE": "RT_1",
               "MEASUREMENT_VALUE": "b'521315D49DB2CF54E49937444068F0707D7364AEF70814B0F782ADC617DBA391'"
           },
           {
               "SIGNER_ID": "b'BFE6D86F8826F4FF97FB96C4E6FBC4993E4619FC565DA26ADF34C329489ADC38'",
               "SW_COMPONENT_VERSION": "1.5.0+0",
               "SW_COMPONENT_TYPE": "RT_2",
               "MEASUREMENT_VALUE": "b'8E5D647E6F6CC66FD44F54B606E5479ACC1BF37FCE873849C592D82F852E8542'"
           },
           {
               "SIGNER_ID": "b'BFE6D86F8826F4FF97FB96C4E6FBC4993E4619FC565DA26ADF34C329489ADC38'",
               "SW_COMPONENT_VERSION": "1.5.0+0",
               "SW_COMPONENT_TYPE": "",
               "MEASUREMENT_VALUE": "b'B80165A7788BC659428D331085D1490ADC9EC3EEDF851BD2F073736A0C0711B8'"
           },
           {
               "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
               "SW_COMPONENT_VERSION": "",
               "SW_COMPONENT_TYPE": "FW_CONFIG\u0000",
               "MEASUREMENT_VALUE": "b'219EA01382E6D7975A1113A35F453968B1D9A3EA6AAB84233B8C06169820BAB9'"
           },
           {
               "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
               "SW_COMPONENT_VERSION": "",
               "SW_COMPONENT_TYPE": "TB_FW_CONFIG\u0000",
               "MEASUREMENT_VALUE": "b'4139F6C2108453C517AE9AE5BEC1207BCC2424F39D20A8FBC7B310E3EEAF1B05'"
           },
           {
               "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
               "SW_COMPONENT_VERSION": "",
               "SW_COMPONENT_TYPE": "BL_2\u0000",
               "MEASUREMENT_VALUE": "b'5C9620E1E33B0F2CEBC18E1A02A66586DD3497A74C9813BF7414452D302805C3'"
           },
           {
               "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
               "SW_COMPONENT_VERSION": "",
               "SW_COMPONENT_TYPE": "SECURE_RT_EL3\u0000",
               "MEASUREMENT_VALUE": "b'F6FB6299A50CDFDB020B725B1C0B636E94EE6650563A299CCB38F0EC5999D42E'"
           },
           {
               "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
               "SW_COMPONENT_VERSION": "",
               "SW_COMPONENT_TYPE": "HW_CONFIG\u0000",
               "MEASUREMENT_VALUE": "b'985D87218406339DC31F91F5688DA05AF0D77E2051CE3BF2A5C3052E3C8B5231'"
           }
619a5a5947aSTamas Ban ], 620a5a5947aSTamas Ban "CCA_ATTESTATION_PROFILE": "http://arm.com/CCA-SSD/1.0.0", 621a5a5947aSTamas Ban "CCA_PLATFORM_HASH_ALGO_ID": "not-hash-extended", 622a5a5947aSTamas Ban "CCA_PLATFORM_CONFIG": "b'EFBEADDE'", 623a5a5947aSTamas Ban "CCA_PLATFORM_VERIFICATION_SERVICE": "www.trustedfirmware.org" 624a5a5947aSTamas Ban } 625a5a5947aSTamas Ban 626*624c9a0bSTamas BanRSE OTP Assets Management 627a5a5947aSTamas Ban------------------------- 628a5a5947aSTamas Ban 629*624c9a0bSTamas BanRSE provides access for AP to assets in OTP, which include keys for image 630a5a5947aSTamas Bansignature verification and non-volatile counters for anti-rollback protection. 631a5a5947aSTamas Ban 632a5a5947aSTamas BanNon-Volatile Counter API 633a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^ 634a5a5947aSTamas Ban 635*624c9a0bSTamas BanAP/RSE interface for retrieving and incrementing non-volatile counters API is 636a5a5947aSTamas Banas follows. 637a5a5947aSTamas Ban 638a5a5947aSTamas BanDefined here: 639a5a5947aSTamas Ban 640*624c9a0bSTamas Ban- ``include/lib/psa/rse_platform_api.h`` 641a5a5947aSTamas Ban 642a5a5947aSTamas Ban.. 
code-block:: c 643a5a5947aSTamas Ban 644*624c9a0bSTamas Ban psa_status_t rse_platform_nv_counter_increment(uint32_t counter_id) 645a5a5947aSTamas Ban 646*624c9a0bSTamas Ban psa_status_t rse_platform_nv_counter_read(uint32_t counter_id, 647a5a5947aSTamas Ban uint32_t size, uint8_t *val) 648a5a5947aSTamas Ban 649a5a5947aSTamas BanThrough this service, we can read/increment any of the 3 non-volatile 650a5a5947aSTamas Bancounters used on an Arm CCA platform: 651a5a5947aSTamas Ban 652a5a5947aSTamas Ban- ``Non-volatile counter for CCA firmware (BL2, BL31, RMM).`` 653a5a5947aSTamas Ban- ``Non-volatile counter for secure firmware.`` 654a5a5947aSTamas Ban- ``Non-volatile counter for non-secure firmware.`` 655a5a5947aSTamas Ban 656a5a5947aSTamas BanPublic Key API 657a5a5947aSTamas Ban^^^^^^^^^^^^^^ 658a5a5947aSTamas Ban 659*624c9a0bSTamas BanAP/RSE interface for reading the ROTPK is as follows. 660a5a5947aSTamas Ban 661a5a5947aSTamas BanDefined here: 662a5a5947aSTamas Ban 663*624c9a0bSTamas Ban- ``include/lib/psa/rse_platform_api.h`` 664a5a5947aSTamas Ban 665a5a5947aSTamas Ban.. code-block:: c 666a5a5947aSTamas Ban 667*624c9a0bSTamas Ban psa_status_t rse_platform_key_read(enum rse_key_id_builtin_t key, 668a5a5947aSTamas Ban uint8_t *data, size_t data_size, size_t *data_length) 669a5a5947aSTamas Ban 670a5a5947aSTamas BanThrough this service, we can read any of the 3 ROTPKs used on an 671a5a5947aSTamas BanArm CCA platform: 672a5a5947aSTamas Ban 673a5a5947aSTamas Ban- ``ROTPK for CCA firmware (BL2, BL31, RMM).`` 674a5a5947aSTamas Ban- ``ROTPK for secure firmware.`` 675a5a5947aSTamas Ban- ``ROTPK for non-secure firmware.`` 676a5a5947aSTamas Ban 677a5a5947aSTamas BanReferences 678a5a5947aSTamas Ban---------- 679a5a5947aSTamas Ban 680*624c9a0bSTamas Ban.. [1] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/readme.html 681*624c9a0bSTamas Ban.. [2] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html 682a5a5947aSTamas Ban.. 
[3] https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/partitions/measured_boot/measured_boot_integration_guide.rst 683a5a5947aSTamas Ban.. [4] https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/partitions/delegated_attestation/delegated_attest_integration_guide.rst 684*624c9a0bSTamas Ban.. [5] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_key_management.html 685a5a5947aSTamas Ban.. [6] https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93 686a5a5947aSTamas Ban.. [7] https://developer.arm.com/documentation/DEN0096/A_a/?lang=en 687a5a5947aSTamas Ban 688a5a5947aSTamas Ban-------------- 689a5a5947aSTamas Ban 690a5a5947aSTamas Ban*Copyright (c) 2023, Arm Limited. All rights reserved.* 691
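The raw platform token printed by the delegated attestation test above is CBOR, and each entry of ``CCA_PLATFORM_SW_COMPONENTS`` is a four-entry map with integer keys that the JSON form renders by name. The following added Python example (not code from TF-A or TF-M) decodes the ``RT_2`` entry, copied byte for byte from the dump starting at ``a4 05 58 20 bf e6``, with a minimal CBOR decoder; the key-to-name mapping (1 type, 2 measurement, 4 version, 5 signer ID) is inferred from the decoded JSON and is an assumption of this example.

```python
# Added example, not TF-A/TF-M code: decode one SW-component map of the CCA
# platform token from the raw dump above. Only the CBOR subset the dump uses is
# handled; the key numbers 1/2/4/5 are inferred from the decoded JSON shown.
SW_COMPONENT_HEX = (  # the 0xa4 map copied from the dump ("a4 05 58 20 bf e6 ...")
    "a4 05 58 20 bf e6 d8 6f 88 26 f4 ff 97 fb 96 c4 "
    "e6 fb c4 99 3e 46 19 fc 56 5d a2 6a df 34 c3 29 "
    "48 9a dc 38 04 67 31 2e 35 2e 30 2b 30 01 64 52 "
    "54 5f 32 02 58 20 8e 5d 64 7e 6f 6c c6 6f d4 4f "
    "54 b6 06 e5 47 9a cc 1b f3 7f ce 87 38 49 c5 92 "
    "d8 2f 85 2e 85 42"
)
KEY_NAMES = {1: "SW_COMPONENT_TYPE", 2: "MEASUREMENT_VALUE",   # CBOR key ->
             4: "SW_COMPONENT_VERSION", 5: "SIGNER_ID"}        # JSON field name

def _read_arg(buf, pos, info):
    """Argument of a CBOR item from its 5-bit additional info: (arg, next_pos)."""
    if info < 24:                     # small values live in the initial byte
        return info, pos
    if info > 27:
        raise ValueError("indefinite-length items are not supported")
    width = 1 << (info - 24)          # 24 -> 1, 25 -> 2, 26 -> 4, 27 -> 8 bytes
    return int.from_bytes(buf[pos:pos + width], "big"), pos + width

def decode_item(buf, pos=0):
    """Decode one CBOR data item at buf[pos]; returns (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    arg, pos = _read_arg(buf, pos + 1, info)
    if major == 0:                    # unsigned integer (the map keys)
        return arg, pos
    if major == 2:                    # byte string, e.g. a 32-byte SHA-256 hash
        return buf[pos:pos + arg], pos + arg
    if major == 3:                    # UTF-8 text string, e.g. "RT_2"
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 5:                    # map with `arg` key/value pairs
        result = {}
        for _ in range(arg):
            key, pos = decode_item(buf, pos)
            result[key], pos = decode_item(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major} at offset {pos}")

def decode_sw_component(hex_dump):
    """Return one component keyed like the JSON above, hashes as upper-case hex."""
    raw = bytes.fromhex(hex_dump)     # fromhex() ignores the spaces
    item, end = decode_item(raw)
    if end != len(raw):               # a verifier must not ignore trailing data
        raise ValueError("trailing bytes after the component map")
    return {KEY_NAMES.get(k, k): v.hex().upper() if isinstance(v, bytes) else v
            for k, v in item.items()}
```

Note that the trailing ``\u0000`` on ``FW_CONFIG`` and the other config entries is part of the CBOR text string itself (``6a`` announces a 10-byte string for the 9-character name), not an artefact of the JSON dump.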