Runtime Security Subsystem (RSS)
================================

This document focuses on the relationship between the Runtime Security Subsystem
(RSS) and the application processor (AP). According to the ARM reference design
the RSS is an independent core next to the AP and the SCP on the same die. It
provides fundamental security guarantees and runtime services for the rest of
the system (e.g.: trusted boot, measured boot, platform attestation,
key management, and key derivation).

At power up RSS boots first from its private ROM code. It validates and loads
its own images and the initial images of SCP and AP. When AP and SCP are
released from reset and their initial code is loaded then they continue their
own boot process, which is the same as on non-RSS systems. Please refer to the
``RSS documentation`` [1]_ for more details about the RSS boot flow.

The last stage of the RSS firmware is a persistent, runtime component. Much
like AP_BL31, this is a passive entity which has no periodic task to do and
just waits for external requests from other subsystems. RSS and other
subsystems can communicate with each other over message exchange. RSS waits
in idle for an incoming request, handles it, sends a response and then goes
back to idle.

RSS communication layer
-----------------------

The communication between RSS and other subsystems relies primarily on the
Message Handling Unit (MHU) module. The number of MHU interfaces between RSS
and other cores is IMPDEF. Besides the MHU, other modules can also take part in
the communication. RSS is capable of mapping the AP memory to its address space.
Thereby either the RSS core itself or a DMA engine, if present, can move data
between memory belonging to RSS and AP. In this way, a larger amount of data
can be transferred in a short time.

The MHU comes in pairs. There is a sender and a receiver side. They are connected
to each other. An MHU interface consists of two pairs of MHUs, one sender and
one receiver on both sides. Bidirectional communication is possible over an
interface. One pair provides message sending from AP to RSS and the other pair
from RSS to AP. The sender and receiver are connected via channels. There is an
IMPDEF number of channels (e.g: 4-16) between a sender and a receiver module.

The RSS communication layer provides two ways for message exchange:

- ``Embedded messaging``: The full message, including header and payload, is
  exchanged over the MHU channels. A channel is capable of delivering a single
  word. The sender writes the data to the channel register on its side and the
  receiver can read the data from the channel on the other side. One dedicated
  channel is used for signalling.
  It does not deliver any payload; it is just
  meant to signal that the sender has loaded the data into the channel registers
  so the receiver can read them. The receiver uses the same channel to signal
  that the data was read. Signalling happens via IRQ. If the message is longer
  than what fits in the channel registers then the message is sent over in
  multiple rounds. Both sender and receiver allocate a local buffer for the
  messages. Data is copied from/to these buffers to/from the channel registers.
- ``Pointer-access messaging``: The message header and the payload are
  separated and they are conveyed in different ways. The header is sent
  over the channels, similar to the embedded messaging, but the payload is
  copied over by the RSS core (or by DMA) between the sender and the receiver.
  This is useful in the case of long messages because the transaction time is
  shorter than in the embedded messaging mode. Small payloads are copied by the
  RSS core because setting up DMA would require more CPU cycles. The payload is
  either copied into an internal buffer or read and written directly by RSS.
  The actual behavior depends on the RSS setup, i.e. whether the partition
  supports memory-mapped ``iovec``. Therefore, the sender must handle both cases
  and prevent access to the memory where the payload data lives while the RSS
  handles the request.

The RSS communication layer supports both ways of messaging in parallel. It is
decided at runtime, based on the message size, which way to transfer the message.

.. code-block:: bash

    +----------------------------------------------+        +-------------------+
    |                                              |        |                   |
    |                      AP                      |        |                   |
    |                                              |   +--->|       SRAM        |
    +----------------------------------------------+   |    |                   |
    |              BL1 / BL2 / BL31                |   |    |                   |
    +----------------------------------------------+   |    +-------------------+
            |                          ^               |        ^           ^
            | send                  IRQ| receive       |direct  |           |
            V                          |               |access  |           |
    +--------------------+    +--------------------+   |        |           |
    |     MHU sender     |    |    MHU receiver    |   |        | Copy data |
    +--------------------+    +--------------------+   |        |           |
         | | | |                   | | | |             |        |           |
         | | | | channels          | | | | channels    |        |           |
         | | | | e.g: 4-16         | | | | e.g: 4-16   |        |           V
    +--------------------+    +--------------------+   |        |       +-------+
    |    MHU receiver    |    |     MHU sender     |   |        |  +--->|  DMA  |
    +--------------------+    +--------------------+   |        |  |    +-------+
            |                          ^               |        |  |        |
        IRQ | receive                  | send          |        |  |        | Copy data
            V                          |               |        |  |        V
    +----------------------------------------------+   |        |  |    +-------------------+
    |                                              |---+--------+--+    |                   |
    |                     RSS                      |                    |       SRAM        |
    |                                              |                    |                   |
    +----------------------------------------------+                    +-------------------+

.. Note::

   The RSS communication layer is not prepared for concurrent execution. The
   current use case only requires message exchange during the boot phase.
   In the boot phase, only a single core is running and the rest of the cores are
   in reset.

Message structure
^^^^^^^^^^^^^^^^^
A description of the message format can be found in the ``RSS communication
design`` [2]_ document.

Source files
^^^^^^^^^^^^
- RSS comms: ``drivers/arm/rss``
- MHU driver: ``drivers/arm/mhu``


API for communication over MHU
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The API is defined in these header files:

- ``include/drivers/arm/rss_comms.h``
- ``include/drivers/arm/mhu.h``

RSS provided runtime services
-----------------------------

RSS provides the following runtime services:

- ``Measured boot``: Securely store the firmware measurements which were
  computed during the boot process and the associated metadata (image
  description, measurement algorithm, etc.). More information on the measured
  boot service in RSS can be found in the
  ``measured_boot_integration_guide`` [3]_.
- ``Delegated attestation``: Query the platform attestation token and derive a
  delegated attestation key. More information on the delegated attestation
  service in RSS can be found in the
  ``delegated_attestation_integration_guide`` [4]_.
- ``OTP assets management``: Public keys used by AP during the trusted boot
  process can be requested from RSS. Furthermore, AP can request RSS to
  increase a non-volatile counter. Please refer to the
  ``RSS key management`` [5]_ document for more details.

Runtime service API
^^^^^^^^^^^^^^^^^^^
The RSS provided runtime services implement a PSA-aligned API. The parameter
encoding follows the PSA client protocol described in the
``Firmware Framework for M`` [6]_ document in chapter 4.4. The implementation is
restricted to the static handle use case, therefore only the ``psa_call`` API is
implemented.


Software and API layers
^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: bash

    +----------------+         +---------------------+
    |   BL1 / BL2    |         |        BL31         |
    +----------------+         +---------------------+
            |                             |
            | extend_measurement()        | get_delegated_key()
            |                             | get_platform_token()
            V                             V
    +----------------+         +---------------------+
    |  PSA protocol  |         |    PSA protocol     |
    +----------------+         +---------------------+
            |                             |
            | psa_call()                  | psa_call()
            |                             |
            V                             V
    +------------------------------------------------+
    |           RSS communication protocol           |
    +------------------------------------------------+
            |                             ^
            | mhu_send_data()             | mhu_receive_data()
            |                             |
            V                             |
    +------------------------------------------------+
    |                   MHU driver                   |
    +------------------------------------------------+
            |                             ^
            | Register access             | IRQ
            V                             |
    +------------------------------------------------+
    |               MHU HW on AP side                |
    +------------------------------------------------+
                            ^
                            | Physical wires
                            |
                            V
    +------------------------------------------------+
    |               MHU HW on RSS side               |
    +------------------------------------------------+
            |                             ^
            | IRQ                         | Register access
            V                             |
    +------------------------------------------------+
    |                   MHU driver                   |
    +------------------------------------------------+
            |                             |
            V                             V
    +---------------+          +------------------------+
    | Measured boot |          | Delegated attestation  |
    |    service    |          |        service         |
    +---------------+          +------------------------+


RSS based Measured Boot
-----------------------

Measured Boot is the process of cryptographically measuring (computing the hash
value of a binary) the code and critical data used at boot time. The
measurement must be stored in a tamper-resistant way, so the security state
of the device can be attested later to an external party. RSS provides a runtime
service which is meant to store measurements and the associated metadata
alongside.

Data is stored in internal SRAM which is only accessible by the secure runtime
firmware of RSS. Data is stored in so-called measurement slots. A platform has
an IMPDEF number of measurement slots. The measurement storage follows extend
semantics. This means that measurements are not stored directly (as taken);
instead they contribute to the current value of the measurement slot.
The extension implements this logic, where ``||`` stands for concatenation:

.. code-block:: bash

    new_value_of_measurement_slot = Hash(old_value_of_measurement_slot || measurement)

Supported hash algorithms: sha-256, sha-512

Measured Boot API
^^^^^^^^^^^^^^^^^

Defined here:

- ``include/lib/psa/measured_boot.h``

.. code-block:: c

    psa_status_t
    rss_measured_boot_extend_measurement(uint8_t index,
                                         const uint8_t *signer_id,
                                         size_t signer_id_size,
                                         const uint8_t *version,
                                         size_t version_size,
                                         uint32_t measurement_algo,
                                         const uint8_t *sw_type,
                                         size_t sw_type_size,
                                         const uint8_t *measurement_value,
                                         size_t measurement_value_size,
                                         bool lock_measurement);

Measured Boot Metadata
^^^^^^^^^^^^^^^^^^^^^^

The following metadata can be stored alongside the measurement:

- ``Signer-id``: Mandatory. The hash of the firmware image signing public key.
- ``Measurement algorithm``: Optional. The hash algorithm which was used to
  compute the measurement (e.g.: sha-256, etc.).
- ``Version info``: Optional. The firmware version info (e.g.: 2.7).
- ``SW type``: Optional. Short text description (e.g.: BL1, BL2, BL31, etc.)

.. Note::
   Version info is not implemented in TF-A yet.
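The following Python model is an added example, not TF-A or RSS code. It reproduces the slot semantics this document describes (zero-initialised slots, ``new = Hash(old || measurement)``, a fixed signer-id and measurement algorithm per slot with ``PSA_ERROR_NOT_PERMITTED`` otherwise, SW type and version info cleared on repeated extension, and a lock that rejects further extension) from the verifier's side, so that the expected value of a slot can be recomputed from the ordered list of image hashes it was extended with. The slot count of 32 is an assumption (the real number is IMPDEF), as is ``PSA_ERROR_BAD_STATE`` for a locked slot, which this document does not name; the PSA constant values are the standard ones, and ``0x02000009`` is the ``algorithm : 2000009`` printed in the sample console log.

```python
"""Verifier-side model of the RSS measurement slots (added illustration,
not TF-A or RSS code). Assumptions: 32 slots (IMPDEF in reality) and
PSA_ERROR_BAD_STATE for a locked slot (not specified by the document)."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

PSA_SUCCESS = 0
PSA_ERROR_NOT_PERMITTED = -133
PSA_ERROR_INVALID_ARGUMENT = -135
PSA_ERROR_BAD_STATE = -137           # assumed return code for a locked slot
PSA_ALG_SHA_256 = 0x02000009         # 'algorithm : 2000009' in the console log
PSA_ALG_SHA_512 = 0x0200000B
_HASH_NAMES = {PSA_ALG_SHA_256: "sha256", PSA_ALG_SHA_512: "sha512"}


@dataclass
class Slot:
    value: bytes = b""               # empty until the first extend
    signer_id: Optional[bytes] = None
    algo: Optional[int] = None
    sw_type: bytes = b""
    version: bytes = b""
    extend_count: int = 0
    locked: bool = False


class MeasurementStore:
    """The slots kept in RSS SRAM; they are cleared only by reset."""

    def __init__(self, num_slots: int = 32):       # assumed slot count
        self.slots: List[Slot] = [Slot() for _ in range(num_slots)]

    def extend(self, index: int, signer_id: bytes, measurement_algo: int,
               sw_type: bytes, version: bytes, measurement: bytes,
               lock: bool) -> int:
        """Same rules as rss_measured_boot_extend_measurement() above."""
        if index >= len(self.slots) or measurement_algo not in _HASH_NAMES:
            return PSA_ERROR_INVALID_ARGUMENT
        slot = self.slots[index]
        if slot.locked:
            return PSA_ERROR_BAD_STATE
        if slot.extend_count and (signer_id != slot.signer_id
                                  or measurement_algo != slot.algo):
            return PSA_ERROR_NOT_PERMITTED     # no further action, not locked
        name = _HASH_NAMES[measurement_algo]
        old = slot.value or bytes(hashlib.new(name).digest_size)  # zero default
        slot.value = hashlib.new(name, old + measurement).digest()
        slot.signer_id, slot.algo = signer_id, measurement_algo
        if slot.extend_count == 0:
            slot.sw_type, slot.version = sw_type, version
        else:                                  # repeated extension: cleared
            slot.sw_type, slot.version = b"", b""
        slot.extend_count += 1
        slot.locked = lock
        return PSA_SUCCESS


def replay_slot(measurement_algo: int, measurements: List[bytes]) -> bytes:
    """Recompute a slot value from the ordered image hashes a verifier expects."""
    name = _HASH_NAMES[measurement_algo]
    value = bytes(hashlib.new(name).digest_size)
    for m in measurements:
        value = hashlib.new(name, value + m).digest()
    return value


def demo() -> dict:
    """Constructed scenario: two images from one signer go into slot 6, a
    third image from another signer and a SHA-512 extend are rejected, the
    slot is then locked and a further extend is refused."""
    store = MeasurementStore()
    signer_a, signer_b = bytes([0xB0] * 32), bytes([0xC1] * 32)
    m1 = hashlib.sha256(b"constructed FW_CONFIG image").digest()
    m2 = hashlib.sha256(b"constructed TB_FW_CONFIG image").digest()
    m3 = hashlib.sha256(b"constructed BL_2 image").digest()
    results = [
        store.extend(6, signer_a, PSA_ALG_SHA_256, b"FW_CONFIG", b"", m1, False),
        store.extend(6, signer_a, PSA_ALG_SHA_256, b"TB_FW_CONFIG", b"", m2, False),
        store.extend(6, signer_b, PSA_ALG_SHA_256, b"BL_2", b"", m3, False),
        store.extend(6, signer_a, PSA_ALG_SHA_512, b"BL_2", b"", m3, False),
        store.extend(6, signer_a, PSA_ALG_SHA_256, b"BL_2", b"", m3, True),
        store.extend(6, signer_a, PSA_ALG_SHA_256, b"BL_2", b"", m3, False),
    ]
    slot = store.slots[6]
    return {"results": results, "value": slot.value,
            "expected": replay_slot(PSA_ALG_SHA_256, [m1, m2, m3]),
            "sw_type": slot.sw_type, "locked": slot.locked}
```

``replay_slot`` is the check a verifier applies to a slot reported in the attestation token: the slot value is accepted only if the ordered, known-good image hashes reproduce it exactly, which is why the order of extension and the zero starting value both matter.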


The caller must specify in which measurement slot to extend a certain
measurement and metadata. A measurement slot can be extended by multiple
measurements. The default value is IMPDEF. All measurement slots are cleared at
reset; there is no other way to clear them. In the reference implementation,
the measurement slots are initialized to 0. At the first call to extend the
measurement in a slot, the extend operation uses the default value of the
measurement slot. All subsequent extend operations on the same slot contribute
to the previous value of that measurement slot.

The following rules are kept when a slot is extended multiple times:

- ``Signer-id`` must be the same as in the previous call(s), otherwise a
  PSA_ERROR_NOT_PERMITTED error code is returned.

- ``Measurement algorithm`` must be the same as in the previous call(s),
  otherwise a PSA_ERROR_NOT_PERMITTED error code is returned.

In case of error no further action is taken (the slot is not locked). If valid
data is passed in a subsequent call then the measurement slot will be extended.
The rest of the metadata is handled as follows when a measurement slot is
extended multiple times:

- ``SW type``: Cleared.
- ``Version info``: Cleared.

.. Note::

   Extending multiple measurements in the same slot leads to some metadata
   information loss.
   Since RSS is not constrained by dedicated HW resources for
   storing the measurements and metadata, it is worth considering storing each
   of them in a distinct slot. However, each of them is then included in the
   platform attestation token, so the number of distinct firmware image
   measurements has an impact on the size of the attestation token.

The allocation of the measurement slots among RSS, Root and Realm worlds is
platform dependent. The platform must provide an allocation of the measurement
slots at build time. An example can be found in
``tf-a/plat/arm/board/tc/tc_bl1_measured_boot.c``.
Furthermore, the memory which holds the metadata is also statically allocated
in RSS memory. Some of the fields have a static value (e.g. measurement
algorithm) and some have a dynamic value (e.g. measurement value) which is
updated by the bootloaders when the firmware image is loaded and measured. The
metadata structure is defined in
``include/drivers/measured_boot/rss/rss_measured_boot.h``.

.. code-block:: c

    struct rss_mboot_metadata {
            unsigned int id;
            uint8_t slot;
            uint8_t signer_id[SIGNER_ID_MAX_SIZE];
            size_t  signer_id_size;
            uint8_t version[VERSION_MAX_SIZE];
            size_t  version_size;
            uint8_t sw_type[SW_TYPE_MAX_SIZE];
            size_t  sw_type_size;
            void    *pk_oid;
            bool    lock_measurement;
    };

Signer-ID API
^^^^^^^^^^^^^

This function calculates the hash of a public key (signer-ID) using the
``Measurement algorithm`` and stores it in the ``rss_mboot_metadata`` field
named ``signer_id``.
Prior to calling this function, the caller must ensure that the ``signer_id``
field points to a zero-filled buffer.

Defined here:

- ``include/drivers/measured_boot/rss/rss_measured_boot.h``

.. code-block:: c

    int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr,
                                const void *pk_oid,
                                const void *pk_ptr,
                                size_t pk_len)


- First parameter is the pointer to the ``rss_mboot_metadata`` structure.
- Second parameter is the pointer to the key-OID of the public key.
- Third parameter is the pointer to the public key buffer.
- Fourth parameter is the size of the public key buffer.
352*a5a5947aSTamas Ban- This function returns 0 on success, a signed integer error code 353*a5a5947aSTamas Ban otherwise. 354*a5a5947aSTamas Ban 355*a5a5947aSTamas BanBuild time config options 356*a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^^ 357*a5a5947aSTamas Ban 358*a5a5947aSTamas Ban- ``MEASURED_BOOT``: Enable measured boot. It depends on the platform 359*a5a5947aSTamas Ban implementation whether RSS or TPM (or both) backend based measured boot is 360*a5a5947aSTamas Ban enabled. 361*a5a5947aSTamas Ban- ``MBOOT_RSS_HASH_ALG``: Determine the hash algorithm to measure the images. 362*a5a5947aSTamas Ban The default value is sha-256. 363*a5a5947aSTamas Ban 364*a5a5947aSTamas BanMeasured boot flow 365*a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^ 366*a5a5947aSTamas Ban 367*a5a5947aSTamas Ban.. figure:: ../resources/diagrams/rss_measured_boot_flow.svg 368*a5a5947aSTamas Ban :align: center 369*a5a5947aSTamas Ban 370*a5a5947aSTamas BanSample console log 371*a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^ 372*a5a5947aSTamas Ban 373*a5a5947aSTamas Ban.. 
code-block:: bash 374*a5a5947aSTamas Ban 375*a5a5947aSTamas Ban INFO: Measured boot extend measurement: 376*a5a5947aSTamas Ban INFO: - slot : 6 377*a5a5947aSTamas Ban INFO: - signer_id : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 378*a5a5947aSTamas Ban INFO: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 379*a5a5947aSTamas Ban INFO: - version : 380*a5a5947aSTamas Ban INFO: - version_size: 0 381*a5a5947aSTamas Ban INFO: - sw_type : FW_CONFIG 382*a5a5947aSTamas Ban INFO: - sw_type_size: 10 383*a5a5947aSTamas Ban INFO: - algorithm : 2000009 384*a5a5947aSTamas Ban INFO: - measurement : aa ea d3 a7 a8 e2 ab 7d 13 a6 cb 34 99 10 b9 a1 385*a5a5947aSTamas Ban INFO: : 1b 9f a0 52 c5 a8 b1 d7 76 f2 c1 c1 ef ca 1a df 386*a5a5947aSTamas Ban INFO: - locking : true 387*a5a5947aSTamas Ban INFO: FCONF: Config file with image ID:31 loaded at address = 0x4001010 388*a5a5947aSTamas Ban INFO: Loading image id=24 at address 0x4001300 389*a5a5947aSTamas Ban INFO: Image id=24 loaded: 0x4001300 - 0x400153a 390*a5a5947aSTamas Ban INFO: Measured boot extend measurement: 391*a5a5947aSTamas Ban INFO: - slot : 7 392*a5a5947aSTamas Ban INFO: - signer_id : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73 393*a5a5947aSTamas Ban INFO: : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 394*a5a5947aSTamas Ban INFO: - version : 395*a5a5947aSTamas Ban INFO: - version_size: 0 396*a5a5947aSTamas Ban INFO: - sw_type : TB_FW_CONFIG 397*a5a5947aSTamas Ban INFO: - sw_type_size: 13 398*a5a5947aSTamas Ban INFO: - algorithm : 2000009 399*a5a5947aSTamas Ban INFO: - measurement : 05 b9 dc 98 62 26 a7 1c 2d e5 bb af f0 90 52 28 400*a5a5947aSTamas Ban INFO: : f2 24 15 8a 3a 56 60 95 d6 51 3a 7a 1a 50 9b b7 401*a5a5947aSTamas Ban INFO: - locking : true 402*a5a5947aSTamas Ban INFO: FCONF: Config file with image ID:24 loaded at address = 0x4001300 403*a5a5947aSTamas Ban INFO: BL1: Loading BL2 404*a5a5947aSTamas Ban INFO: Loading image id=1 at address 0x404d000 405*a5a5947aSTamas Ban INFO: Image id=1 loaded: 
0x404d000 - 0x406412a 406*a5a5947aSTamas Ban INFO: Measured boot extend measurement: 407*a5a5947aSTamas Ban INFO: - slot : 8 408*a5a5947aSTamas Ban INFO: - signer_id : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73 409*a5a5947aSTamas Ban INFO: : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 410*a5a5947aSTamas Ban INFO: - version : 411*a5a5947aSTamas Ban INFO: - version_size: 0 412*a5a5947aSTamas Ban INFO: - sw_type : BL_2 413*a5a5947aSTamas Ban INFO: - sw_type_size: 5 414*a5a5947aSTamas Ban INFO: - algorithm : 2000009 415*a5a5947aSTamas Ban INFO: - measurement : 53 a1 51 75 25 90 fb a1 d9 b8 c8 34 32 3a 01 16 416*a5a5947aSTamas Ban INFO: : c9 9e 74 91 7d 28 02 56 3f 5c 40 94 37 58 50 68 417*a5a5947aSTamas Ban INFO: - locking : true 418*a5a5947aSTamas Ban 419*a5a5947aSTamas BanDelegated Attestation 420*a5a5947aSTamas Ban--------------------- 421*a5a5947aSTamas Ban 422*a5a5947aSTamas BanDelegated Attestation Service was mainly developed to support the attestation 423*a5a5947aSTamas Banflow on the ``ARM Confidential Compute Architecture`` (ARM CCA) [7]_. 424*a5a5947aSTamas BanThe detailed description of the delegated attestation service can be found in 425*a5a5947aSTamas Banthe ``Delegated Attestation Service Integration Guide`` [4]_ document. 426*a5a5947aSTamas Ban 427*a5a5947aSTamas BanIn the CCA use case, the Realm Management Monitor (RMM) relies on the delegated 428*a5a5947aSTamas Banattestation service of the RSS to get a realm attestation key and the CCA 429*a5a5947aSTamas Banplatform token. BL31 does not use the service for its own purpose, only calls 430*a5a5947aSTamas Banit on behalf of RMM. The access to MHU interface and thereby to RSS is 431*a5a5947aSTamas Banrestricted to BL31 only. Therefore, RMM does not have direct access, all calls 432*a5a5947aSTamas Banneed to go through BL31. The RMM dispatcher module of the BL31 is responsible 433*a5a5947aSTamas Banfor delivering the calls between the two parties. 434*a5a5947aSTamas Ban 435*a5a5947aSTamas Ban.. 
Note:: 436*a5a5947aSTamas Ban Currently the connection between the RMM dispatcher and the PSA/RSS layer 437*a5a5947aSTamas Ban is not yet implemented. RMM dispatcher just returns hard coded data. 438*a5a5947aSTamas Ban 439*a5a5947aSTamas BanDelegated Attestation API 440*a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^^ 441*a5a5947aSTamas BanDefined here: 442*a5a5947aSTamas Ban 443*a5a5947aSTamas Ban- ``include/lib/psa/delegated_attestation.h`` 444*a5a5947aSTamas Ban 445*a5a5947aSTamas Ban.. code-block:: c 446*a5a5947aSTamas Ban 447*a5a5947aSTamas Ban psa_status_t 448*a5a5947aSTamas Ban rss_delegated_attest_get_delegated_key(uint8_t ecc_curve, 449*a5a5947aSTamas Ban uint32_t key_bits, 450*a5a5947aSTamas Ban uint8_t *key_buf, 451*a5a5947aSTamas Ban size_t key_buf_size, 452*a5a5947aSTamas Ban size_t *key_size, 453*a5a5947aSTamas Ban uint32_t hash_algo); 454*a5a5947aSTamas Ban 455*a5a5947aSTamas Ban psa_status_t 456*a5a5947aSTamas Ban rss_delegated_attest_get_token(const uint8_t *dak_pub_hash, 457*a5a5947aSTamas Ban size_t dak_pub_hash_size, 458*a5a5947aSTamas Ban uint8_t *token_buf, 459*a5a5947aSTamas Ban size_t token_buf_size, 460*a5a5947aSTamas Ban size_t *token_size); 461*a5a5947aSTamas Ban 462*a5a5947aSTamas BanAttestation flow 463*a5a5947aSTamas Ban^^^^^^^^^^^^^^^^ 464*a5a5947aSTamas Ban 465*a5a5947aSTamas Ban.. figure:: ../resources/diagrams/rss_attestation_flow.svg 466*a5a5947aSTamas Ban :align: center 467*a5a5947aSTamas Ban 468*a5a5947aSTamas BanSample attestation token 469*a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^ 470*a5a5947aSTamas Ban 471*a5a5947aSTamas BanBinary format: 472*a5a5947aSTamas Ban 473*a5a5947aSTamas Ban.. 
code-block:: bash 474*a5a5947aSTamas Ban 475*a5a5947aSTamas Ban INFO: DELEGATED ATTEST TEST START 476*a5a5947aSTamas Ban INFO: Get delegated attestation key start 477*a5a5947aSTamas Ban INFO: Get delegated attest key succeeds, len: 48 478*a5a5947aSTamas Ban INFO: Delegated attest key: 479*a5a5947aSTamas Ban INFO: 0d 2a 66 61 d4 89 17 e1 70 c6 73 56 df f4 11 fd 480*a5a5947aSTamas Ban INFO: 7d 1f 3b 8a a3 30 3d 70 4c d9 06 c3 c7 ef 29 43 481*a5a5947aSTamas Ban INFO: 0f ee b5 e7 56 e0 71 74 1b c4 39 39 fd 85 f6 7b 482*a5a5947aSTamas Ban INFO: Get platform token start 483*a5a5947aSTamas Ban INFO: Get platform token succeeds, len: 1086 484*a5a5947aSTamas Ban INFO: Platform attestation token: 485*a5a5947aSTamas Ban INFO: d2 84 44 a1 01 38 22 a0 59 03 d1 a9 0a 58 20 00 486*a5a5947aSTamas Ban INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 487*a5a5947aSTamas Ban INFO: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 488*a5a5947aSTamas Ban INFO: 01 00 58 21 01 cb 8c 79 f7 a0 0a 6c ce 12 66 f8 489*a5a5947aSTamas Ban INFO: 64 45 48 42 0e c5 10 bf 84 ee 22 18 b9 8f 11 04 490*a5a5947aSTamas Ban INFO: c7 22 31 9d fb 19 09 5c 58 20 aa aa aa aa aa aa 491*a5a5947aSTamas Ban INFO: aa aa bb bb bb bb bb bb bb bb cc cc cc cc cc cc 492*a5a5947aSTamas Ban INFO: cc cc dd dd dd dd dd dd dd dd 19 09 5b 19 30 00 493*a5a5947aSTamas Ban INFO: 19 09 5f 89 a4 05 58 20 bf e6 d8 6f 88 26 f4 ff 494*a5a5947aSTamas Ban INFO: 97 fb 96 c4 e6 fb c4 99 3e 46 19 fc 56 5d a2 6a 495*a5a5947aSTamas Ban INFO: df 34 c3 29 48 9a dc 38 04 67 31 2e 36 2e 30 2b 496*a5a5947aSTamas Ban INFO: 30 01 64 52 54 5f 30 02 58 20 90 27 f2 46 ab 31 497*a5a5947aSTamas Ban INFO: 85 36 46 c4 d7 c6 60 ed 31 0d 3c f0 14 de f0 6c 498*a5a5947aSTamas Ban INFO: 24 0b de b6 7a 84 fc 3f 5b b7 a4 05 58 20 b3 60 499*a5a5947aSTamas Ban INFO: ca f5 c9 8c 6b 94 2a 48 82 fa 9d 48 23 ef b1 66 500*a5a5947aSTamas Ban INFO: a9 ef 6a 6e 4a a3 7c 19 19 ed 1f cc c0 49 04 67 501*a5a5947aSTamas Ban INFO: 30 2e 30 2e 30 2b 30 01 64 52 54 5f 31 02 
    58 20
    INFO:    52 13 15 d4 9d b2 cf 54 e4 99 37 44 40 68 f0 70
    INFO:    7d 73 64 ae f7 08 14 b0 f7 82 ad c6 17 db a3 91
    INFO:    a4 05 58 20 bf e6 d8 6f 88 26 f4 ff 97 fb 96 c4
    INFO:    e6 fb c4 99 3e 46 19 fc 56 5d a2 6a df 34 c3 29
    INFO:    48 9a dc 38 04 67 31 2e 35 2e 30 2b 30 01 64 52
    INFO:    54 5f 32 02 58 20 8e 5d 64 7e 6f 6c c6 6f d4 4f
    INFO:    54 b6 06 e5 47 9a cc 1b f3 7f ce 87 38 49 c5 92
    INFO:    d8 2f 85 2e 85 42 a4 05 58 20 bf e6 d8 6f 88 26
    INFO:    f4 ff 97 fb 96 c4 e6 fb c4 99 3e 46 19 fc 56 5d
    INFO:    a2 6a df 34 c3 29 48 9a dc 38 04 67 31 2e 35 2e
    INFO:    30 2b 30 01 60 02 58 20 b8 01 65 a7 78 8b c6 59
    INFO:    42 8d 33 10 85 d1 49 0a dc 9e c3 ee df 85 1b d2
    INFO:    f0 73 73 6a 0c 07 11 b8 a4 05 58 20 b0 f3 82 09
    INFO:    12 97 d8 3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2
    INFO:    49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6a
    INFO:    46 57 5f 43 4f 4e 46 49 47 00 02 58 20 21 9e a0
    INFO:    13 82 e6 d7 97 5a 11 13 a3 5f 45 39 68 b1 d9 a3
    INFO:    ea 6a ab 84 23 3b 8c 06 16 98 20 ba b9 a4 05 58
    INFO:    20 b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32
    INFO:    73 e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a
    INFO:    da 04 60 01 6d 54 42 5f 46 57 5f 43 4f 4e 46 49
    INFO:    47 00 02 58 20 41 39 f6 c2 10 84 53 c5 17 ae 9a
    INFO:    e5 be c1 20 7b cc 24 24 f3 9d 20 a8 fb c7 b3 10
    INFO:    e3 ee af 1b 05 a4 05 58 20 b0 f3 82 09 12 97 d8
    INFO:    3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 49 59 f6
    INFO:    5e 8b 4a 4a 46 d8 22 9a da 04 60 01 65 42 4c 5f
    INFO:    32 00 02 58 20 5c 96 20 e1 e3 3b 0f 2c eb c1 8e
    INFO:    1a 02 a6 65 86 dd 34 97 a7 4c 98 13 bf 74 14 45
    INFO:    2d 30 28 05 c3 a4 05 58 20 b0 f3 82 09 12 97 d8
    INFO:    3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2 49 59 f6
    INFO:    5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6e 53 45 43
    INFO:    55 52 45 5f 52 54 5f 45 4c 33 00 02 58 20 f6 fb
    INFO:    62 99 a5 0c df db 02 0b 72 5b 1c 0b 63 6e 94 ee
    INFO:    66 50 56 3a 29 9c cb 38 f0 ec 59 99 d4 2e a4 05
    INFO:    58 20 b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec
    INFO:    32 73 e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22
    INFO:    9a da 04 60 01 6a 48 57 5f 43 4f 4e 46 49 47 00
    INFO:    02 58 20 98 5d 87 21 84 06 33 9d c3 1f 91 f5 68
    INFO:    8d a0 5a f0 d7 7e 20 51 ce 3b f2 a5 c3 05 2e 3c
    INFO:    8b 52 31 19 01 09 78 1c 68 74 74 70 3a 2f 2f 61
    INFO:    72 6d 2e 63 6f 6d 2f 43 43 41 2d 53 53 44 2f 31
    INFO:    2e 30 2e 30 19 09 62 71 6e 6f 74 2d 68 61 73 68
    INFO:    2d 65 78 74 65 6e 64 65 64 19 09 61 44 ef be ad
    INFO:    de 19 09 60 77 77 77 77 2e 74 72 75 73 74 65 64
    INFO:    66 69 72 6d 77 61 72 65 2e 6f 72 67 58 60 29 4e
    INFO:    4a d3 98 1e 3b 70 9f b6 66 ed 47 33 0e 99 f0 b1
    INFO:    c3 f2 bc b2 1d b0 ae 90 0c c4 82 ff a2 6f ae 45
    INFO:    f6 87 09 4a 09 21 77 ec 36 1c 53 b8 a7 9b 8e f7
    INFO:    27 eb 7a 09 da 6f fb bf cb fd b3 e5 e9 36 91 b1
    INFO:    92 13 c1 30 16 b4 5c 49 5e c0 c1 b9 01 5c 88 2c
    INFO:    f8 2f 3e a4 a2 6d e4 9d 31 6a 06 f7 a7 73
    INFO:    DELEGATED ATTEST TEST END
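
The raw dump above is the CBOR-encoded (COSE_Sign1) platform token, and the
JSON rendering that follows is a decoded and labelled view of the same bytes.
The script below is an added example, not code from TF-A, TF-M or Arm: it
implements just enough RFC 8949 CBOR decoding to take two fragments copied
verbatim from the INFO lines above (the complete ``FW_CONFIG`` software
component map, and the tail of the token from the profile claim through the
trailing 96-byte signature) and turn them into the labelled claims. The start
of the token is not part of the fragment, so the tail is decoded as a plain
sequence of CBOR items rather than as a map. The claim-key numbers (1, 2, 4
and 5 inside a component; 265, 2400, 2401 and 2402 among the platform claims)
are read off the dump itself, and the labels are the ones the JSON rendering
uses.

```python
# Added example (not TF-A/TF-M/Arm code): decode fragments of the token dump.

def _read_head(buf, pos):
    """Return (major_type, argument, next_pos) for the item head at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR: missing item head")
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:                        # argument embedded in the head byte
        return major, info, pos
    if info not in (24, 25, 26, 27):     # 28-31: reserved / indefinite length
        raise ValueError(f"unsupported additional info {info}")
    width = 1 << (info - 24)             # 1, 2, 4 or 8 following bytes
    if pos + width > len(buf):
        raise ValueError("truncated CBOR: short argument")
    return major, int.from_bytes(buf[pos:pos + width], "big"), pos + width

def decode_item(buf, pos=0):
    """Decode one CBOR item (RFC 8949); return (value, position after it).
    Every length is bounds-checked: a token is parsed before its signature can
    be verified, so malformed input must not drive reads past the buffer."""
    major, arg, pos = _read_head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):                  # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR: string longer than buffer")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:                       # array
        items = []
        for _ in range(arg):
            item, pos = decode_item(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                       # map
        result = {}
        for _ in range(arg):
            key, pos = decode_item(buf, pos)
            value, pos = decode_item(buf, pos)
            result[key] = value
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def decode_sequence(buf):
    """Decode back-to-back CBOR items until the buffer is exhausted."""
    items, pos = [], 0
    while pos < len(buf):
        item, pos = decode_item(buf, pos)
        items.append(item)
    return items

# Claim keys as they appear in the dump, labelled as in the JSON rendering.
SW_COMPONENT_KEYS = {1: "SW_COMPONENT_TYPE", 2: "MEASUREMENT_VALUE",
                     4: "SW_COMPONENT_VERSION", 5: "SIGNER_ID"}
PLATFORM_CLAIM_KEYS = {265: "CCA_ATTESTATION_PROFILE", 2400: "CCA_PLATFORM_VERIFICATION_SERVICE",
                       2401: "CCA_PLATFORM_CONFIG", 2402: "CCA_PLATFORM_HASH_ALGO_ID"}

def label_sw_component(component):
    """Replace the integer keys of one SW component map with their labels."""
    return {SW_COMPONENT_KEYS.get(k, k): v for k, v in component.items()}

def label_platform_claims(items):
    """Pair up the key/value items of a map tail; return (claims, leftovers)."""
    claims, i = {}, 0
    while i + 1 < len(items) and isinstance(items[i], int):
        claims[PLATFORM_CLAIM_KEYS.get(items[i], items[i])] = items[i + 1]
        i += 2
    return claims, items[i:]

# Copied from the dump, "a4 05 58 20 b0 f3 82 09" through "ba b9": the FW_CONFIG entry.
FW_CONFIG_COMPONENT = bytes.fromhex("""
    a4 05 58 20 b0 f3 82 09
    12 97 d8 3a 37 7a 72 47 1b ec 32 73 e9 92 32 e2
    49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 04 60 01 6a
    46 57 5f 43 4f 4e 46 49 47 00 02 58 20 21 9e a0
    13 82 e6 d7 97 5a 11 13 a3 5f 45 39 68 b1 d9 a3
    ea 6a ab 84 23 3b 8c 06 16 98 20 ba b9""")

# Copied from the dump, "19 01 09 78 1c" to the end: last claims plus signature.
TOKEN_TAIL = bytes.fromhex("""
    19 01 09 78 1c 68 74 74 70 3a 2f 2f 61
    72 6d 2e 63 6f 6d 2f 43 43 41 2d 53 53 44 2f 31
    2e 30 2e 30 19 09 62 71 6e 6f 74 2d 68 61 73 68
    2d 65 78 74 65 6e 64 65 64 19 09 61 44 ef be ad
    de 19 09 60 77 77 77 77 2e 74 72 75 73 74 65 64
    66 69 72 6d 77 61 72 65 2e 6f 72 67 58 60 29 4e
    4a d3 98 1e 3b 70 9f b6 66 ed 47 33 0e 99 f0 b1
    c3 f2 bc b2 1d b0 ae 90 0c c4 82 ff a2 6f ae 45
    f6 87 09 4a 09 21 77 ec 36 1c 53 b8 a7 9b 8e f7
    27 eb 7a 09 da 6f fb bf cb fd b3 e5 e9 36 91 b1
    92 13 c1 30 16 b4 5c 49 5e c0 c1 b9 01 5c 88 2c
    f8 2f 3e a4 a2 6d e4 9d 31 6a 06 f7 a7 73""")

if __name__ == "__main__":  # demo: labelled FW_CONFIG entry and tail claims
    print(label_sw_component(decode_item(FW_CONFIG_COMPONENT)[0]))
    print(label_platform_claims(decode_sequence(TOKEN_TAIL))[0])
```

Two details worth noticing in the output. The component type strings carry
their terminating NUL: the head byte ``6a`` announces a 10-byte text string,
so the type decodes as ``FW_CONFIG\x00``, which is why the JSON rendering
shows ``\u0000``. A verifier that compares component types against reference
values must strip or include that NUL consistently. And the 96 bytes after the
last claim are not a claim at all but the ECDSA signature of the enclosing
COSE_Sign1 structure, which is why they are returned as a leftover item rather
than as part of the claims map.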

JSON format:

.. code-block:: JSON

    {
      "CCA_PLATFORM_CHALLENGE": "b'0000000000000000000000000000000000000000000000000000000000000000'",
      "CCA_PLATFORM_INSTANCE_ID": "b'01CB8C79F7A00A6CCE1266F8644548420EC510BF84EE2218B98F1104C722319DFB'",
      "CCA_PLATFORM_IMPLEMENTATION_ID": "b'AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD'",
      "CCA_PLATFORM_LIFECYCLE": "secured_3000",
      "CCA_PLATFORM_SW_COMPONENTS": [
        {
          "SIGNER_ID": "b'BFE6D86F8826F4FF97FB96C4E6FBC4993E4619FC565DA26ADF34C329489ADC38'",
          "SW_COMPONENT_VERSION": "1.6.0+0",
          "SW_COMPONENT_TYPE": "RT_0",
          "MEASUREMENT_VALUE": "b'9027F246AB31853646C4D7C660ED310D3CF014DEF06C240BDEB67A84FC3F5BB7'"
        },
        {
          "SIGNER_ID": "b'B360CAF5C98C6B942A4882FA9D4823EFB166A9EF6A6E4AA37C1919ED1FCCC049'",
          "SW_COMPONENT_VERSION": "0.0.0+0",
          "SW_COMPONENT_TYPE": "RT_1",
          "MEASUREMENT_VALUE": "b'521315D49DB2CF54E49937444068F0707D7364AEF70814B0F782ADC617DBA391'"
        },
        {
          "SIGNER_ID": "b'BFE6D86F8826F4FF97FB96C4E6FBC4993E4619FC565DA26ADF34C329489ADC38'",
          "SW_COMPONENT_VERSION": "1.5.0+0",
          "SW_COMPONENT_TYPE": "RT_2",
          "MEASUREMENT_VALUE": "b'8E5D647E6F6CC66FD44F54B606E5479ACC1BF37FCE873849C592D82F852E8542'"
        },
        {
          "SIGNER_ID": "b'BFE6D86F8826F4FF97FB96C4E6FBC4993E4619FC565DA26ADF34C329489ADC38'",
          "SW_COMPONENT_VERSION": "1.5.0+0",
          "SW_COMPONENT_TYPE": "",
          "MEASUREMENT_VALUE": "b'B80165A7788BC659428D331085D1490ADC9EC3EEDF851BD2F073736A0C0711B8'"
        },
        {
          "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
          "SW_COMPONENT_VERSION": "",
          "SW_COMPONENT_TYPE": "FW_CONFIG\u0000",
          "MEASUREMENT_VALUE": "b'219EA01382E6D7975A1113A35F453968B1D9A3EA6AAB84233B8C06169820BAB9'"
        },
        {
          "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
          "SW_COMPONENT_VERSION": "",
          "SW_COMPONENT_TYPE": "TB_FW_CONFIG\u0000",
          "MEASUREMENT_VALUE": "b'4139F6C2108453C517AE9AE5BEC1207BCC2424F39D20A8FBC7B310E3EEAF1B05'"
        },
        {
          "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
          "SW_COMPONENT_VERSION": "",
          "SW_COMPONENT_TYPE": "BL_2\u0000",
          "MEASUREMENT_VALUE": "b'5C9620E1E33B0F2CEBC18E1A02A66586DD3497A74C9813BF7414452D302805C3'"
        },
        {
          "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
          "SW_COMPONENT_VERSION": "",
          "SW_COMPONENT_TYPE": "SECURE_RT_EL3\u0000",
          "MEASUREMENT_VALUE": "b'F6FB6299A50CDFDB020B725B1C0B636E94EE6650563A299CCB38F0EC5999D42E'"
        },
        {
          "SIGNER_ID": "b'b0f382091297d83a377a72471bec3273e99232e24959f65e8b4a4a46d8229ada'",
          "SW_COMPONENT_VERSION": "",
          "SW_COMPONENT_TYPE": "HW_CONFIG\u0000",
          "MEASUREMENT_VALUE": "b'985D87218406339DC31F91F5688DA05AF0D77E2051CE3BF2A5C3052E3C8B5231'"
        }
      ],
      "CCA_ATTESTATION_PROFILE": "http://arm.com/CCA-SSD/1.0.0",
      "CCA_PLATFORM_HASH_ALGO_ID": "not-hash-extended",
      "CCA_PLATFORM_CONFIG": "b'EFBEADDE'",
      "CCA_PLATFORM_VERIFICATION_SERVICE": "www.trustedfirmware.org"
    }

RSS OTP Assets Management
-------------------------

RSS provides the AP with access to assets stored in OTP: the public keys used
for image signature verification and the non-volatile counters used for
anti-rollback protection.

Non-Volatile Counter API
^^^^^^^^^^^^^^^^^^^^^^^^

The AP/RSS interface for reading and incrementing non-volatile counters is as
follows.

Defined here:

- ``include/lib/psa/rss_platform_api.h``

.. code-block:: c

    psa_status_t rss_platform_nv_counter_increment(uint32_t counter_id);

    psa_status_t rss_platform_nv_counter_read(uint32_t counter_id,
                                              uint32_t size, uint8_t *val);

Through this service the AP can read or increment any of the three
non-volatile counters used on an Arm CCA platform:

- Non-volatile counter for CCA firmware (BL2, BL31, RMM).
- Non-volatile counter for secure firmware.
- Non-volatile counter for non-secure firmware.

The interface offers no way to decrement or reset a counter. Once a counter
has been advanced it cannot be rolled back, so the increment should only be
issued after the image that carries the new counter value has been fully
authenticated.

Public Key API
^^^^^^^^^^^^^^

The AP/RSS interface for reading a Root of Trust Public Key (ROTPK) is as
follows.

Defined here:

- ``include/lib/psa/rss_platform_api.h``

.. code-block:: c

    psa_status_t rss_platform_key_read(enum rss_key_id_builtin_t key,
                                       uint8_t *data, size_t data_size,
                                       size_t *data_length);

``data_size`` is the size of the caller-supplied ``data`` buffer and
``data_length`` receives the number of key bytes actually written.

Through this service the AP can read any of the three ROTPKs used on an Arm
CCA platform:

- ROTPK for CCA firmware (BL2, BL31, RMM).
- ROTPK for secure firmware.
- ROTPK for non-secure firmware.

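In TBBR-style trusted boot the two services above are consumed together: the
AP compares the non-volatile counter carried by an image against the platform
counter held in RSS OTP, rejects the image if it is lower, and advances the
OTP counter only after the image has been authenticated. The following is an
added example and not TF-A code. ``RssOtpModel`` stands in for the RSS side of
``rss_platform_nv_counter_read``, ``rss_platform_nv_counter_increment`` and
``rss_platform_key_read`` so that the AP-side logic can run without hardware;
it models only what the API shape implies (a counter can be read or
incremented, never decremented; a key is copied into a caller buffer whose size
is checked). The counter and key identifiers, the little-endian counter
encoding, the OTP capacity and the placeholder key bytes are all assumptions
made for this example, not values taken from the TF-A headers.

```python
# Added example (not TF-A code): anti-rollback and ROTPK read against a model
# of the RSS OTP assets service.

# PSA status codes (values from the PSA Crypto API specification).
PSA_SUCCESS = 0
PSA_ERROR_INVALID_ARGUMENT = -135
PSA_ERROR_BUFFER_TOO_SMALL = -138
PSA_ERROR_INSUFFICIENT_STORAGE = -142

# Illustrative identifiers for the three counters and three ROTPKs listed in
# the text; the real enum values live in include/lib/psa/rss_platform_api.h.
NV_COUNTER_CCA_FW, NV_COUNTER_SECURE_FW, NV_COUNTER_NON_SECURE_FW = 0, 1, 2
ROTPK_CCA_FW, ROTPK_SECURE_FW, ROTPK_NON_SECURE_FW = 10, 11, 12
NV_COUNTER_MAX = 64  # assumed OTP capacity: one fuse bit per increment

class RssOtpModel:
    """Stand-in for RSS: OTP-backed monotonic counters and ROTPK storage."""
    def __init__(self, counters, keys):
        self._counters = dict(counters)
        self._keys = dict(keys)

    def nv_counter_read(self, counter_id, size, val):
        """Mirror of rss_platform_nv_counter_read(counter_id, size, val)."""
        if counter_id not in self._counters:
            return PSA_ERROR_INVALID_ARGUMENT
        if size < 4:
            return PSA_ERROR_BUFFER_TOO_SMALL
        val[:4] = self._counters[counter_id].to_bytes(4, "little")  # order assumed
        return PSA_SUCCESS

    def nv_counter_increment(self, counter_id):
        """Mirror of rss_platform_nv_counter_increment(): +1, never down."""
        if counter_id not in self._counters:
            return PSA_ERROR_INVALID_ARGUMENT
        if self._counters[counter_id] >= NV_COUNTER_MAX:
            return PSA_ERROR_INSUFFICIENT_STORAGE  # fuses exhausted
        self._counters[counter_id] += 1
        return PSA_SUCCESS

    def key_read(self, key_id, data, data_size, data_length):
        """Mirror of rss_platform_key_read(key, data, data_size, *data_length)."""
        if key_id not in self._keys:
            return PSA_ERROR_INVALID_ARGUMENT
        key = self._keys[key_id]
        data_length[0] = len(key)          # report the real length either way
        if data_size < len(key):
            return PSA_ERROR_BUFFER_TOO_SMALL
        data[:len(key)] = key
        return PSA_SUCCESS

def read_platform_counter(rss, counter_id):
    """Fetch the current OTP counter value; raise on any RSS error."""
    buf = bytearray(4)
    status = rss.nv_counter_read(counter_id, len(buf), buf)
    if status != PSA_SUCCESS:
        raise RuntimeError(f"nv counter read failed: {status}")
    return int.from_bytes(buf, "little")

def check_anti_rollback(rss, counter_id, image_counter):
    """Accept the image only if its counter is not below the platform counter.
    Returns (accepted, platform_counter)."""
    platform = read_platform_counter(rss, counter_id)
    return image_counter >= platform, platform

def commit_nv_counter(rss, counter_id, image_counter):
    """Bring the OTP counter up to an accepted, authenticated image's counter.
    The API only steps by one, so loop; a lower target is refused outright."""
    accepted, current = check_anti_rollback(rss, counter_id, image_counter)
    if not accepted:
        return PSA_ERROR_INVALID_ARGUMENT
    while current < image_counter:
        status = rss.nv_counter_increment(counter_id)
        if status != PSA_SUCCESS:
            return status
        current += 1
    return PSA_SUCCESS

def read_rotpk(rss, key_id, buf_size=32):
    """Read a ROTPK, retrying once with the size RSS reports if the buffer
    was too small. Returns (status, key_bytes)."""
    data, length = bytearray(buf_size), [0]
    status = rss.key_read(key_id, data, len(data), length)
    if status == PSA_ERROR_BUFFER_TOO_SMALL:
        data = bytearray(length[0])
        status = rss.key_read(key_id, data, len(data), length)
    if status != PSA_SUCCESS:
        return status, b""
    return PSA_SUCCESS, bytes(data[:length[0]])

def make_demo_platform():
    """Constructed state: CCA counter already at 3, placeholder 65-byte keys."""
    keys = {k: bytes([0x04]) + bytes(range(64))
            for k in (ROTPK_CCA_FW, ROTPK_SECURE_FW, ROTPK_NON_SECURE_FW)}
    return RssOtpModel({NV_COUNTER_CCA_FW: 3, NV_COUNTER_SECURE_FW: 0,
                        NV_COUNTER_NON_SECURE_FW: 0}, keys)

if __name__ == "__main__":
    rss = make_demo_platform()
    print(check_anti_rollback(rss, NV_COUNTER_CCA_FW, 2))  # rollback attempt
    print(commit_nv_counter(rss, NV_COUNTER_CCA_FW, 5))    # two increments
    print(check_anti_rollback(rss, NV_COUNTER_CCA_FW, 4))  # now rejected
    print(read_rotpk(rss, ROTPK_CCA_FW)[1].hex())
```

The rollback case is the one to get right: ``commit_nv_counter`` refuses a
target below the current value and increments only after
``check_anti_rollback`` has passed, which mirrors the fact that the real
interface offers no decrement. The exhausted-fuse return path shows why a
platform has to budget its counter updates: every increment consumes OTP that
cannot be reclaimed.
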
References
----------

.. [1] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/readme.html
.. [2] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_comms.html
.. [3] https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/partitions/measured_boot/measured_boot_integration_guide.rst
.. [4] https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/partitions/delegated_attestation/delegated_attest_integration_guide.rst
.. [5] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_key_management.html
.. [6] https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93
.. [7] https://developer.arm.com/documentation/DEN0096/A_a/?lang=en

--------------

*Copyright (c) 2023, Arm Limited. All rights reserved.*