Runtime Security Engine (RSE)
=============================

This document focuses on the relationship between the Runtime Security Engine
(RSE) and the application processor (AP). According to the ARM reference design
the RSE is an independent core next to the AP and the SCP on the same die. It
provides fundamental security guarantees and runtime services for the rest of
the system (e.g.: trusted boot, measured boot, platform attestation,
key management, and key derivation).

At power up, the RSE boots first from its private ROM code. It validates and
loads its own images and the initial images of the SCP and the AP. Once the AP
and the SCP are released from reset with their initial code loaded, they
continue their own boot process, which is the same as on non-RSE systems. Please
refer to the ``RSE documentation`` [1]_ for more details about the RSE boot
flow.

The last stage of the RSE firmware is a persistent, runtime component. Much
like AP_BL31, this is a passive entity which has no periodic task to do and
just waits for external requests from other subsystems. RSE and the other
subsystems communicate with each other by exchanging messages. RSE waits in
idle for an incoming request, handles it, sends a response and then goes back
to idle.

RSE communication layer
-----------------------

The communication between RSE and other subsystems relies primarily on the
Message Handling Unit (MHU) module.
The number of MHU interfaces between RSE and other cores is IMPDEF. Besides the
MHU, other modules can also take part in the communication. RSE is capable of
mapping the AP memory into its own address space, so either the RSE core itself
or a DMA engine, if one is present, can move data between memory belonging to
RSE and memory belonging to the AP. In this way a larger amount of data can be
transferred in a short time.

The MHU comes in pairs: there is a sender side and a receiver side, connected to
each other. An MHU interface consists of two pairs of MHUs, one sender and one
receiver on both sides, so bidirectional communication is possible over an
interface. One pair carries messages from the AP to RSE and the other pair from
RSE to the AP. The sender and the receiver are connected via channels. There is
an IMPDEF number of channels (e.g.: 4-16) between a sender and a receiver
module.

The RSE communication layer provides two ways of exchanging messages:

- ``Embedded messaging``: The full message, including header and payload, is
  exchanged over the MHU channels. A channel is capable of delivering a single
  word. The sender writes the data to the channel register on its side and the
  receiver reads the data from the channel on the other side. One dedicated
  channel is used for signalling. It does not deliver any payload; it is only
  meant to signal that the sender has loaded the data into the channel
  registers so the receiver can read them. The receiver uses the same channel
  to signal that the data was read. Signalling happens via IRQ. If the message
  is longer than what fits into the channel registers, the message is sent in
  multiple rounds. Both the sender and the receiver allocate a local buffer for
  the messages. Data is copied from these buffers to the channel registers and
  back.
- ``Pointer-access messaging``: The message header and the payload are
  separated and conveyed in different ways. The header is sent over the
  channels, similar to embedded messaging, but the payload is copied by the RSE
  core (or by DMA) between the sender and the receiver. This is useful for long
  messages because the transaction time is shorter than in embedded messaging
  mode. Small payloads are copied by the RSE core because setting up the DMA
  would cost more CPU cycles than the copy itself. The payload is either copied
  into an internal buffer or read and written in place by RSE. The actual
  behaviour depends on the RSE setup, namely whether the partition supports
  memory-mapped ``iovec``. Therefore the sender must handle both cases and must
  not access the memory where the payload lives while RSE handles the request.

The RSE communication layer supports both ways of messaging in parallel. Which
way a given message is transferred is decided at runtime based on the message
size.

.. code-block:: bash

    +----------------------------------------------+       +-------------------+
    |                                              |       |                   |
    |                      AP                      |       |                   |
    |                                              |  +--->|       SRAM        |
    +----------------------------------------------|  |    |                   |
    |              BL1 / BL2 / BL31                |  |    |                   |
    +----------------------------------------------+  |    +-------------------+
              |                       ^               |        ^          ^
              | send IRQ              | receive       |direct  |          |
              V                       |               |access  |          |
    +--------------------+  +--------------------+    |        |          |
    |     MHU sender     |  |    MHU receiver    |    |        | Copy data|
    +--------------------+  +--------------------+    |        |          |
      | |            | |      | |            | |      |        |          |
      | | channels   | |      | | channels   | |      |        |          |
      | | e.g: 4-16  | |      | | e.g: 4-16  | |      |        V          |
    +--------------------+  +--------------------+    |    +-------+      |
    |    MHU receiver    |  |     MHU sender     |    | +->|  DMA  |      |
    +--------------------+  +--------------------+    | |  +-------+      |
              |                       ^               | |      ^          |
         IRQ  | receive               | send          | |      |          | Copy data
              V                       |               | |      V          V
    +----------------------------------------------+  | |  +-------------------+
    |                                              |--+-+  |                   |
    |                     RSE                      |       |       SRAM        |
    |                                              |       |                   |
    +----------------------------------------------+       +-------------------+

.. Note::

    The RSE communication layer is not prepared for concurrent execution. The
    current use case only requires message exchange during the boot phase. In
    the boot phase, only a single core is running and the rest of the cores are
    in reset.
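
The embedded-messaging exchange described above, modelled as a short Python
simulation. This is an added example, not code from TF-A or the RSE firmware:
the channel count (4), the 32-bit word width, the 64-byte limit for switching to
pointer-access messaging and the one-word header layout are assumptions made for
the illustration; the real message format is in the ``RSE communication
design`` [2]_ document. It drives both sides of one direction of the interface
round by round: the sender loads up to three data words and writes the
signalling channel to raise the receiver's IRQ, and the receiver copies the
words into its local buffer and clears the signalling channel before the sender
is allowed to reload the registers.

```python
"""Model of the RSE communication layer's embedded messaging over MHU channels.

Added example, not TF-A or RSE code. Assumptions: 4 channels (IMPDEF in
reality), 32-bit channel words, a 64-byte embedded-size limit and a one-word
placeholder header; the real message layout is in the RSE communication
design document this page references."""
import struct

WORD = 4                 # an MHU channel register carries one 32-bit word
CHANNELS = 4             # assumed channel count per sender/receiver pair
SIGNAL = CHANNELS - 1    # the dedicated signalling channel carries no payload
DATA_CHANNELS = CHANNELS - 1
EMBED_LIMIT = 64         # assumed size above which pointer-access messaging is used


class MhuLink:
    """One direction of an MHU interface: the sender writes the channel
    registers, the receiver reads them in the IRQ raised by the signal."""
    def __init__(self):
        self.channels = [0] * CHANNELS
        self.rounds = 0      # how many times the sender had to reload the registers


def build_message(msg_type, payload):
    """Placeholder framing: header word = type (8 bits) | payload length (24 bits)."""
    if len(payload) >= 1 << 24 or not 0 <= msg_type < 256:
        raise ValueError("header field out of range")
    return struct.pack("<I", (msg_type << 24) | len(payload)) + payload


def parse_message(frame):
    (hdr,) = struct.unpack_from("<I", frame, 0)
    msg_type, length = hdr >> 24, hdr & 0xFFFFFF
    if len(frame) < 4 + length:
        raise ValueError("truncated message")
    return msg_type, frame[4:4 + length]


def select_mode(frame_len):
    """The runtime choice between the two modes is driven by message size only."""
    return "embedded" if frame_len <= EMBED_LIMIT else "pointer-access"


def embedded_transfer(link, frame):
    """Both sides of one embedded-messaging exchange, round by round.
    Returns the bytes the receiver reassembled in its local buffer."""
    nwords = -(-len(frame) // WORD)                            # round up to whole words
    words = struct.unpack("<%dI" % nwords, frame.ljust(nwords * WORD, b"\0"))
    rx_buf, expected = bytearray(), None
    for i in range(0, nwords, DATA_CHANNELS):
        # Sender: the registers may only be reloaded once the receiver acked
        # the previous round by clearing the signalling channel.
        if link.channels[SIGNAL]:
            raise RuntimeError("receiver has not acknowledged the previous round")
        batch = list(words[i:i + DATA_CHANNELS])
        link.channels[:len(batch)] = batch
        link.channels[SIGNAL] = len(batch)   # non-zero = "data loaded", raises the IRQ
        link.rounds += 1
        # Receiver IRQ handler: copy the words out into the local buffer, then
        # clear the signalling channel so the sender knows they were read.
        count = link.channels[SIGNAL]
        rx_buf += struct.pack("<%dI" % count, *link.channels[:count])
        link.channels[SIGNAL] = 0
        if expected is None:                                   # header arrived in round 1
            expected = 4 + (struct.unpack_from("<I", rx_buf)[0] & 0xFFFFFF)
    return bytes(rx_buf[:expected])


if __name__ == "__main__":
    link = MhuLink()
    frame = build_message(0x11, b"hello, RSE")                 # constructed sample request
    received = embedded_transfer(link, frame)
    print(select_mode(len(frame)), parse_message(received), "rounds:", link.rounds)
```

A 14-byte frame needs four words, so with three data channels it takes two
rounds; a frame above ``EMBED_LIMIT`` would instead have only its header sent
this way and its payload fetched by RSE from AP memory.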

Message structure
^^^^^^^^^^^^^^^^^
A description of the message format can be found in the ``RSE communication
design`` [2]_ document.

Source files
^^^^^^^^^^^^
- RSE comms: ``drivers/arm/rse``
- MHU driver: ``drivers/arm/mhu``


API for communication over MHU
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The API is defined in these header files:

- ``include/drivers/arm/rse_comms.h``
- ``include/drivers/arm/mhu.h``

RSE provided runtime services
-----------------------------

RSE provides the following runtime services:

- ``Measured boot``: Securely store the firmware measurements which were
  computed during the boot process and the associated metadata (image
  description, measurement algorithm, etc.). More info on the measured boot
  service in RSE can be found in the ``measured_boot_integration_guide`` [3]_.
- ``Delegated attestation``: Query the platform attestation token and derive a
  delegated attestation key. More info on the delegated attestation service
  in RSE can be found in the ``delegated_attestation_integration_guide`` [4]_.
- ``OTP assets management``: Public keys used by the AP during the trusted boot
  process can be requested from RSE. Furthermore, the AP can request RSE to
  increase a non-volatile counter.
  Please refer to the ``RSE key management`` [5]_ document for more details.
- ``DICE Protection Environment``: Securely store the firmware measurements
  which were computed during the boot process and the associated metadata. It is
  also capable of representing the boot measurements in the form of a
  certificate chain, which is queryable. Please refer to the
  ``DICE Protection Environment (DPE)`` [8]_ document for more details.

Runtime service API
^^^^^^^^^^^^^^^^^^^
The RSE provided runtime services implement a PSA aligned API. The parameter
encoding follows the PSA client protocol described in the
``Firmware Framework for M`` [6]_ document in chapter 4.4. The implementation is
restricted to the static handle use case, therefore only the ``psa_call`` API
is implemented.


Software and API layers
^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: bash

    +----------------+         +---------------------+
    |   BL1 / BL2    |         |        BL31         |
    +----------------+         +---------------------+
            |                             |
            | extend_measurement()        | get_delegated_key()
            |                             | get_platform_token()
            V                             V
    +----------------+         +---------------------+
    |  PSA protocol  |         |    PSA protocol     |
    +----------------+         +---------------------+
            |                             |
            | psa_call()                  | psa_call()
            |                             |
            V                             V
    +------------------------------------------------+
    |           RSE communication protocol           |
    +------------------------------------------------+
            |                             ^
            | mhu_send_data()             | mhu_receive_data()
            |                             |
            V                             |
    +------------------------------------------------+
    |                   MHU driver                   |
    +------------------------------------------------+
            |                             ^
            | Register access             | IRQ
            V                             |
    +------------------------------------------------+
    |               MHU HW on AP side                |
    +------------------------------------------------+
                            ^
                            | Physical wires
                            |
                            V
    +------------------------------------------------+
    |               MHU HW on RSE side               |
    +------------------------------------------------+
            |                             ^
            | IRQ                         | Register access
            V                             |
    +------------------------------------------------+
    |                   MHU driver                   |
    +------------------------------------------------+
            |                             |
            V                             V
    +---------------+          +------------------------+
    | Measured boot |          | Delegated attestation  |
    |    service    |          |        service         |
    +---------------+          +------------------------+


RSE based Measured Boot
-----------------------

Measured Boot is the process of cryptographically measuring (computing the hash
value of a binary) the code and critical data used at boot time. The
measurement must be stored in a tamper-resistant way, so the security state of
the device can be attested later to an external party. RSE provides a runtime
service which is meant to store measurements together with their associated
metadata.

Data is stored in internal SRAM which is only accessible by the secure runtime
firmware of RSE. Data is stored in so-called measurement slots. A platform has
an IMPDEF number of measurement slots. The measurement storage follows extend
semantics. This means that measurements are not stored directly (as taken);
instead they contribute to the current value of the measurement slot. The
extension implements this logic, where ``||`` stands for concatenation:

.. code-block:: bash

    new_value_of_measurement_slot = Hash(old_value_of_measurement_slot || measurement)

Supported hash algorithms: sha-256, sha-512

Measured Boot API
^^^^^^^^^^^^^^^^^

Defined here:

- ``include/lib/psa/measured_boot.h``

.. code-block:: c

    psa_status_t
    rse_measured_boot_extend_measurement(uint8_t index,
                                         const uint8_t *signer_id,
                                         size_t signer_id_size,
                                         const uint8_t *version,
                                         size_t version_size,
                                         uint32_t measurement_algo,
                                         const uint8_t *sw_type,
                                         size_t sw_type_size,
                                         const uint8_t *measurement_value,
                                         size_t measurement_value_size,
                                         bool lock_measurement);

Measured Boot Metadata
^^^^^^^^^^^^^^^^^^^^^^

The following metadata can be stored alongside the measurement:

- ``Signer-id``: Mandatory. The hash of the firmware image signing public key.
- ``Measurement algorithm``: Optional. The hash algorithm which was used to
  compute the measurement (e.g.: sha-256, etc.).
- ``Version info``: Optional. The firmware version info (e.g.: 2.7).
- ``SW type``: Optional. Short text description (e.g.: BL1, BL2, BL31, etc.)

.. Note::
    Version info is not implemented in TF-A yet.
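
The extend semantics, the metadata rules for repeated extends and slot locking
described in this section, modelled in Python as an added example (not RSE or
TF-A code). Everything here is a hosted model: the slot count of 32 stands in
for the IMPDEF number, a locked slot is assumed to reject further extends with
``PSA_ERROR_BAD_STATE``, and the keys and image hashes are constructed. The PSA
status and algorithm values are the standard PSA ones; ``0x02000009`` is the
``algorithm`` value printed in the console log later in this section. The
``expected_slot_value`` helper is what a verifier uses to recompute a slot from
an event log of the individual measurements.

```python
"""Model of the RSE measured boot service's measurement slots.

Added example, not RSE or TF-A code: it implements the extend semantics, the
rules for repeated extends and slot locking described on this page. The slot
count, the BAD_STATE response for a locked slot and all keys/measurements
are constructed; the PSA constants are the standard PSA values."""
import hashlib

PSA_SUCCESS = 0
PSA_ERROR_NOT_PERMITTED = -133
PSA_ERROR_INVALID_ARGUMENT = -135
PSA_ERROR_BAD_STATE = -137
PSA_ALG_SHA_256 = 0x02000009           # the "algorithm : 2000009" in the console log
PSA_ALG_SHA_512 = 0x0200000B
HASH_NAME = {PSA_ALG_SHA_256: "sha256", PSA_ALG_SHA_512: "sha512"}
NUM_SLOTS = 32                         # assumed; IMPDEF on a real platform


class Slot:
    """One measurement slot and the metadata stored alongside it."""
    def __init__(self):
        self.value = None      # None: never extended, the default (all-zero) value applies
        self.signer_id = None
        self.algo = None
        self.sw_type = b""
        self.version = b""
        self.locked = False


class MeasuredBootStore:
    """Slots are cleared only at reset; there is no API to clear them."""
    def __init__(self):
        self.slots = [Slot() for _ in range(NUM_SLOTS)]

    def extend(self, index, signer_id, algo, measurement,
               sw_type=b"", version=b"", lock=False):
        if index >= NUM_SLOTS or algo not in HASH_NAME or not signer_id:
            return PSA_ERROR_INVALID_ARGUMENT
        digest_size = hashlib.new(HASH_NAME[algo]).digest_size
        if len(measurement) != digest_size:
            return PSA_ERROR_INVALID_ARGUMENT
        slot = self.slots[index]
        if slot.locked:                          # assumption: a locked slot is final
            return PSA_ERROR_BAD_STATE
        if slot.value is None:
            # First extend: record the metadata and start from the default value.
            slot.signer_id, slot.algo = signer_id, algo
            slot.sw_type, slot.version = sw_type, version
            old = bytes(digest_size)
        else:
            # Repeated extend: signer-id and algorithm must match the earlier
            # call(s); on mismatch nothing changes and the slot stays unlocked.
            if signer_id != slot.signer_id or algo != slot.algo:
                return PSA_ERROR_NOT_PERMITTED
            slot.sw_type, slot.version = b"", b""  # cannot be merged, so cleared
            old = slot.value
        # new_value_of_measurement_slot = Hash(old_value_of_measurement_slot || measurement)
        slot.value = hashlib.new(HASH_NAME[algo], old + measurement).digest()
        slot.locked = lock
        return PSA_SUCCESS


def signer_id_of(public_key, algo=PSA_ALG_SHA_256):
    """Signer-ID: hash of the image signing public key under the measurement
    algorithm, the value rse_mboot_set_signer_id() fills into the metadata."""
    return hashlib.new(HASH_NAME[algo], public_key).digest()


def image_measurement(name, algo=PSA_ALG_SHA_256):
    """Constructed stand-in for hashing a loaded image."""
    return hashlib.new(HASH_NAME[algo], b"image:" + name).digest()


def expected_slot_value(measurements, algo=PSA_ALG_SHA_256):
    """What a verifier recomputes from an event log: fold the measurements, in
    order, into the all-zero default value."""
    name = HASH_NAME[algo]
    value = bytes(hashlib.new(name).digest_size)
    for m in measurements:
        value = hashlib.new(name, value + m).digest()
    return value


def replay_boot():
    """Replays the slot usage of the sample console log with constructed data:
    slot 6 FW_CONFIG (all-zero signer-id), slot 7 TB_FW_CONFIG, slot 8 BL_2,
    each locked after a single extend."""
    store = MeasuredBootStore()
    sid = signer_id_of(b"constructed-rotpk")      # stands in for the real DER public key
    images = [(6, bytes(32), b"FW_CONFIG"), (7, sid, b"TB_FW_CONFIG"), (8, sid, b"BL_2")]
    results = [store.extend(slot, signer, PSA_ALG_SHA_256, image_measurement(name),
                            sw_type=name, lock=True) for slot, signer, name in images]
    return store, results


if __name__ == "__main__":
    store, results = replay_boot()
    print("extend results:", results)
    print("slot 8 value:", store.slots[8].value.hex())
```

Note how a rejected extend (wrong signer-id or algorithm) leaves the slot
exactly as it was, including its unlocked state, whereas an accepted repeated
extend keeps the measurement chain but drops ``sw_type`` and ``version``.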


The caller must specify in which measurement slot to extend a certain
measurement and metadata. A measurement slot can be extended by multiple
measurements. The default value is IMPDEF. All measurement slots are cleared at
reset; there is no other way to clear them. In the reference implementation,
the measurement slots are initialized to 0. The first extend operation on a
slot uses the default value of the slot as the old value; every subsequent
extend operation on the same slot contributes to the previous value of that
measurement slot.

The following rules are kept when a slot is extended multiple times:

- ``Signer-id`` must be the same as in the previous call(s), otherwise a
  PSA_ERROR_NOT_PERMITTED error code is returned.

- ``Measurement algorithm`` must be the same as in the previous call(s),
  otherwise a PSA_ERROR_NOT_PERMITTED error code is returned.

In case of error no further action is taken (the slot is not locked). If valid
data is supplied in a subsequent call, the measurement slot is extended. The
rest of the metadata is handled as follows when a measurement slot is extended
multiple times:

- ``SW type``: Cleared.
- ``Version info``: Cleared.

.. Note::

    Extending multiple measurements in the same slot leads to some metadata
    information loss.
    Since RSE is not constrained by special HW resources for
    storing the measurements and metadata, it is worth considering storing all
    of them one by one in distinct slots. However, they are then included one
    by one in the platform attestation token, so the number of distinct
    firmware image measurements has an impact on the size of the attestation
    token.

The allocation of the measurement slots among RSE, Root and Realm worlds is
platform dependent. The platform must provide an allocation of the measurement
slots at build time. An example can be found in
``tf-a/plat/arm/board/tc/tc_bl1_measured_boot.c``.
Furthermore, the memory which holds the metadata is also statically allocated,
in the same platform code. Some of the fields have a static value (measurement
algorithm), and some have a dynamic value (measurement value) which is updated
by the bootloaders when the firmware image is loaded and measured. The metadata
structure is defined in
``include/drivers/measured_boot/rse/rse_measured_boot.h``.

.. code-block:: c

    struct rse_mboot_metadata {
            unsigned int id;
            uint8_t slot;
            uint8_t signer_id[SIGNER_ID_MAX_SIZE];
            size_t  signer_id_size;
            uint8_t version[VERSION_MAX_SIZE];
            size_t  version_size;
            uint8_t sw_type[SW_TYPE_MAX_SIZE];
            size_t  sw_type_size;
            void    *pk_oid;
            bool    lock_measurement;
    };

Signer-ID API
^^^^^^^^^^^^^

This function calculates the hash of a public key (signer-ID) using the
``Measurement algorithm`` and stores it in the ``rse_mboot_metadata`` field
named ``signer_id``.
Prior to calling this function, the caller must ensure that the ``signer_id``
field is a zero-filled buffer.

Defined here:

- ``include/drivers/measured_boot/rse/rse_measured_boot.h``

.. code-block:: c

    int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
                                const void *pk_oid,
                                const void *pk_ptr,
                                size_t pk_len)


- First parameter is the pointer to the ``rse_mboot_metadata`` structure.
- Second parameter is the pointer to the key-OID of the public key.
- Third parameter is the pointer to the public key buffer.
- Fourth parameter is the size of the public key buffer.
357a5a5947aSTamas Ban- This function returns 0 on success, a signed integer error code 358a5a5947aSTamas Ban otherwise. 359a5a5947aSTamas Ban 360a5a5947aSTamas BanBuild time config options 361a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^^ 362a5a5947aSTamas Ban 363*e4582e42STamas Ban- ``MEASURED_BOOT``: Enable measured boot. 364624c9a0bSTamas Ban- ``MBOOT_RSE_HASH_ALG``: Determine the hash algorithm to measure the images. 365a5a5947aSTamas Ban The default value is sha-256. 366a5a5947aSTamas Ban 367a5a5947aSTamas BanMeasured boot flow 368a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^ 369a5a5947aSTamas Ban 370624c9a0bSTamas Ban.. figure:: ../resources/diagrams/rse_measured_boot_flow.svg 371a5a5947aSTamas Ban :align: center 372a5a5947aSTamas Ban 373a5a5947aSTamas BanSample console log 374a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^ 375a5a5947aSTamas Ban 376a5a5947aSTamas Ban.. code-block:: bash 377a5a5947aSTamas Ban 378a5a5947aSTamas Ban INFO: Measured boot extend measurement: 379a5a5947aSTamas Ban INFO: - slot : 6 380a5a5947aSTamas Ban INFO: - signer_id : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 381a5a5947aSTamas Ban INFO: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 382a5a5947aSTamas Ban INFO: - version : 383a5a5947aSTamas Ban INFO: - version_size: 0 384a5a5947aSTamas Ban INFO: - sw_type : FW_CONFIG 385a5a5947aSTamas Ban INFO: - sw_type_size: 10 386a5a5947aSTamas Ban INFO: - algorithm : 2000009 387a5a5947aSTamas Ban INFO: - measurement : aa ea d3 a7 a8 e2 ab 7d 13 a6 cb 34 99 10 b9 a1 388a5a5947aSTamas Ban INFO: : 1b 9f a0 52 c5 a8 b1 d7 76 f2 c1 c1 ef ca 1a df 389a5a5947aSTamas Ban INFO: - locking : true 390a5a5947aSTamas Ban INFO: FCONF: Config file with image ID:31 loaded at address = 0x4001010 391a5a5947aSTamas Ban INFO: Loading image id=24 at address 0x4001300 392a5a5947aSTamas Ban INFO: Image id=24 loaded: 0x4001300 - 0x400153a 393a5a5947aSTamas Ban INFO: Measured boot extend measurement: 394a5a5947aSTamas Ban INFO: - slot : 7 395a5a5947aSTamas Ban INFO: - signer_id : 
b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73 396a5a5947aSTamas Ban INFO: : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 397a5a5947aSTamas Ban INFO: - version : 398a5a5947aSTamas Ban INFO: - version_size: 0 399a5a5947aSTamas Ban INFO: - sw_type : TB_FW_CONFIG 400a5a5947aSTamas Ban INFO: - sw_type_size: 13 401a5a5947aSTamas Ban INFO: - algorithm : 2000009 402a5a5947aSTamas Ban INFO: - measurement : 05 b9 dc 98 62 26 a7 1c 2d e5 bb af f0 90 52 28 403a5a5947aSTamas Ban INFO: : f2 24 15 8a 3a 56 60 95 d6 51 3a 7a 1a 50 9b b7 404a5a5947aSTamas Ban INFO: - locking : true 405a5a5947aSTamas Ban INFO: FCONF: Config file with image ID:24 loaded at address = 0x4001300 406a5a5947aSTamas Ban INFO: BL1: Loading BL2 407a5a5947aSTamas Ban INFO: Loading image id=1 at address 0x404d000 408a5a5947aSTamas Ban INFO: Image id=1 loaded: 0x404d000 - 0x406412a 409a5a5947aSTamas Ban INFO: Measured boot extend measurement: 410a5a5947aSTamas Ban INFO: - slot : 8 411a5a5947aSTamas Ban INFO: - signer_id : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73 412a5a5947aSTamas Ban INFO: : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da 413a5a5947aSTamas Ban INFO: - version : 414a5a5947aSTamas Ban INFO: - version_size: 0 415a5a5947aSTamas Ban INFO: - sw_type : BL_2 416a5a5947aSTamas Ban INFO: - sw_type_size: 5 417a5a5947aSTamas Ban INFO: - algorithm : 2000009 418a5a5947aSTamas Ban INFO: - measurement : 53 a1 51 75 25 90 fb a1 d9 b8 c8 34 32 3a 01 16 419a5a5947aSTamas Ban INFO: : c9 9e 74 91 7d 28 02 56 3f 5c 40 94 37 58 50 68 420a5a5947aSTamas Ban INFO: - locking : true 421a5a5947aSTamas Ban 422a5a5947aSTamas BanDelegated Attestation 423a5a5947aSTamas Ban--------------------- 424a5a5947aSTamas Ban 425a5a5947aSTamas BanDelegated Attestation Service was mainly developed to support the attestation 426a5a5947aSTamas Banflow on the ``ARM Confidential Compute Architecture`` (ARM CCA) [7]_. 
427a5a5947aSTamas BanThe detailed description of the delegated attestation service can be found in 428a5a5947aSTamas Banthe ``Delegated Attestation Service Integration Guide`` [4]_ document. 429a5a5947aSTamas Ban 430a5a5947aSTamas BanIn the CCA use case, the Realm Management Monitor (RMM) relies on the delegated 431624c9a0bSTamas Banattestation service of the RSE to get a realm attestation key and the CCA 432a5a5947aSTamas Banplatform token. BL31 does not use the service for its own purpose, only calls 433624c9a0bSTamas Banit on behalf of RMM. The access to MHU interface and thereby to RSE is 434a5a5947aSTamas Banrestricted to BL31 only. Therefore, RMM does not have direct access, all calls 435a5a5947aSTamas Banneed to go through BL31. The RMM dispatcher module of the BL31 is responsible 436a5a5947aSTamas Banfor delivering the calls between the two parties. 437a5a5947aSTamas Ban 438a5a5947aSTamas BanDelegated Attestation API 439a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^^ 440a5a5947aSTamas BanDefined here: 441a5a5947aSTamas Ban 442a5a5947aSTamas Ban- ``include/lib/psa/delegated_attestation.h`` 443a5a5947aSTamas Ban 444a5a5947aSTamas Ban.. code-block:: c 445a5a5947aSTamas Ban 446a5a5947aSTamas Ban psa_status_t 447624c9a0bSTamas Ban rse_delegated_attest_get_delegated_key(uint8_t ecc_curve, 448a5a5947aSTamas Ban uint32_t key_bits, 449a5a5947aSTamas Ban uint8_t *key_buf, 450a5a5947aSTamas Ban size_t key_buf_size, 451a5a5947aSTamas Ban size_t *key_size, 452a5a5947aSTamas Ban uint32_t hash_algo); 453a5a5947aSTamas Ban 454a5a5947aSTamas Ban psa_status_t 455624c9a0bSTamas Ban rse_delegated_attest_get_token(const uint8_t *dak_pub_hash, 456a5a5947aSTamas Ban size_t dak_pub_hash_size, 457a5a5947aSTamas Ban uint8_t *token_buf, 458a5a5947aSTamas Ban size_t token_buf_size, 459a5a5947aSTamas Ban size_t *token_size); 460a5a5947aSTamas Ban 461a5a5947aSTamas BanAttestation flow 462a5a5947aSTamas Ban^^^^^^^^^^^^^^^^ 463a5a5947aSTamas Ban 464624c9a0bSTamas Ban.. 
figure:: ../resources/diagrams/rse_attestation_flow.svg 465a5a5947aSTamas Ban :align: center 466a5a5947aSTamas Ban 467a5a5947aSTamas BanSample attestation token 468a5a5947aSTamas Ban^^^^^^^^^^^^^^^^^^^^^^^^ 469a5a5947aSTamas Ban 470a5a5947aSTamas BanBinary format: 471a5a5947aSTamas Ban 472a5a5947aSTamas Ban.. code-block:: bash 473a5a5947aSTamas Ban 474a5a5947aSTamas Ban INFO: DELEGATED ATTEST TEST START 475a5a5947aSTamas Ban INFO: Get delegated attestation key start 476a5a5947aSTamas Ban INFO: Get delegated attest key succeeds, len: 48 477a5a5947aSTamas Ban INFO: Delegated attest key: 478a5a5947aSTamas Ban INFO: 0d 2a 66 61 d4 89 17 e1 70 c6 73 56 df f4 11 fd 479a5a5947aSTamas Ban INFO: 7d 1f 3b 8a a3 30 3d 70 4c d9 06 c3 c7 ef 29 43 480a5a5947aSTamas Ban INFO: 0f ee b5 e7 56 e0 71 74 1b c4 39 39 fd 85 f6 7b 481a5a5947aSTamas Ban INFO: Get platform token start 482a5a5947aSTamas Ban INFO: Get platform token succeeds, len: 1086 483a5a5947aSTamas Ban INFO: Platform attestation token: 4845c8b5f9fSTamas Ban INFO: d2 84 44 a1 01 38 22 a0 59 05 81 a9 19 01 09 78 4855c8b5f9fSTamas Ban INFO: 23 74 61 67 3a 61 72 6d 2e 63 6f 6d 2c 32 30 32 4865c8b5f9fSTamas Ban INFO: 33 3a 63 63 61 5f 70 6c 61 74 66 6f 72 6d 23 31 4875c8b5f9fSTamas Ban INFO: 2e 30 2e 30 0a 58 20 0d 22 e0 8a 98 46 90 58 48 4885c8b5f9fSTamas Ban INFO: 63 18 28 34 89 bd b3 6f 09 db ef eb 18 64 df 43 4895c8b5f9fSTamas Ban INFO: 3f a6 e5 4e a2 d7 11 19 09 5c 58 20 7f 45 4c 46 4905c8b5f9fSTamas Ban INFO: 02 01 01 00 00 00 00 00 00 00 00 00 03 00 3e 00 4915c8b5f9fSTamas Ban INFO: 01 00 00 00 50 58 00 00 00 00 00 00 19 01 00 58 4925c8b5f9fSTamas Ban INFO: 21 01 07 06 05 04 03 02 01 00 0f 0e 0d 0c 0b 0a 4935c8b5f9fSTamas Ban INFO: 09 08 17 16 15 14 13 12 11 10 1f 1e 1d 1c 1b 1a 4945c8b5f9fSTamas Ban INFO: 19 18 19 09 61 44 cf cf cf cf 19 09 5b 19 30 03 4955c8b5f9fSTamas Ban INFO: 19 09 62 67 73 68 61 2d 32 35 36 19 09 60 78 3a 4965c8b5f9fSTamas Ban INFO: 68 74 74 70 73 3a 2f 2f 76 65 72 61 69 73 6f 6e 
4975c8b5f9fSTamas Ban INFO: 2e 65 78 61 6d 70 6c 65 2f 2e 77 65 6c 6c 2d 6b 4985c8b5f9fSTamas Ban INFO: 6e 6f 77 6e 2f 76 65 72 61 69 73 6f 6e 2f 76 65 4995c8b5f9fSTamas Ban INFO: 72 69 66 69 63 61 74 69 6f 6e 19 09 5f 8d a4 01 5005c8b5f9fSTamas Ban INFO: 69 52 53 45 5f 42 4c 31 5f 32 05 58 20 53 78 79 5015c8b5f9fSTamas Ban INFO: 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c 5025c8b5f9fSTamas Ban INFO: 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20 5035c8b5f9fSTamas Ban INFO: 9a 27 1f 2a 91 6b 0b 6e e6 ce cb 24 26 f0 b3 20 5045c8b5f9fSTamas Ban INFO: 6e f0 74 57 8b e5 5d 9b c9 4f 6f 3f e3 ab 86 aa 5055c8b5f9fSTamas Ban INFO: 06 67 73 68 61 2d 32 35 36 a4 01 67 52 53 45 5f 5066dfeb60aSThomas Fossati INFO: 42 4c 32 05 58 20 53 78 79 63 07 53 5d f3 ec 8d 5076dfeb60aSThomas Fossati INFO: 8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38 5085c8b5f9fSTamas Ban INFO: c0 fa 97 3f 7a a3 02 58 20 53 c2 34 e5 e8 47 2b 5095c8b5f9fSTamas Ban INFO: 6a c5 1c 1a e1 ca b3 fe 06 fa d0 53 be b8 eb fd 5105c8b5f9fSTamas Ban INFO: 89 77 b0 10 65 5b fd d3 c3 06 67 73 68 61 2d 32 5115c8b5f9fSTamas Ban INFO: 35 36 a4 01 65 52 53 45 5f 53 05 58 20 53 78 79 5125c8b5f9fSTamas Ban INFO: 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c 5135c8b5f9fSTamas Ban INFO: 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20 5145c8b5f9fSTamas Ban INFO: 11 21 cf cc d5 91 3f 0a 63 fe c4 0a 6f fd 44 ea 5155c8b5f9fSTamas Ban INFO: 64 f9 dc 13 5c 66 63 4b a0 01 d1 0b cf 43 02 a2 5165c8b5f9fSTamas Ban INFO: 06 67 73 68 61 2d 32 35 36 a4 01 66 41 50 5f 42 5175c8b5f9fSTamas Ban INFO: 4c 31 05 58 20 53 78 79 63 07 53 5d f3 ec 8d 8b 5185c8b5f9fSTamas Ban INFO: 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38 c0 5195c8b5f9fSTamas Ban INFO: fa 97 3f 7a a3 02 58 20 15 71 b5 ec 78 bd 68 51 5205c8b5f9fSTamas Ban INFO: 2b f7 83 0b b6 a2 a4 4b 20 47 c7 df 57 bc e7 9e 5215c8b5f9fSTamas Ban INFO: b8 a1 c0 e5 be a0 a5 01 06 67 73 68 61 2d 32 35 5225c8b5f9fSTamas Ban INFO: 36 a4 01 66 41 50 5f 42 4c 32 05 58 20 53 78 79 
5235c8b5f9fSTamas Ban INFO: 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c 5245c8b5f9fSTamas Ban INFO: 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20 5255c8b5f9fSTamas Ban INFO: 10 15 9b af 26 2b 43 a9 2d 95 db 59 da e1 f7 2c 5265c8b5f9fSTamas Ban INFO: 64 51 27 30 16 61 e0 a3 ce 4e 38 b2 95 a9 7c 58 5275c8b5f9fSTamas Ban INFO: 06 67 73 68 61 2d 32 35 36 a4 01 67 53 43 50 5f 5285c8b5f9fSTamas Ban INFO: 42 4c 31 05 58 20 53 78 79 63 07 53 5d f3 ec 8d 5296dfeb60aSThomas Fossati INFO: 8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38 5305c8b5f9fSTamas Ban INFO: c0 fa 97 3f 7a a3 02 58 20 10 12 2e 85 6b 3f cd 5315c8b5f9fSTamas Ban INFO: 49 f0 63 63 63 17 47 61 49 cb 73 0a 1a a1 cf aa 5325c8b5f9fSTamas Ban INFO: d8 18 55 2b 72 f5 6d 6f 68 06 67 73 68 61 2d 32 5335c8b5f9fSTamas Ban INFO: 35 36 a4 01 67 53 43 50 5f 42 4c 32 05 58 20 f1 5345c8b5f9fSTamas Ban INFO: 4b 49 87 90 4b cb 58 14 e4 45 9a 05 7e d4 d2 0f 5355c8b5f9fSTamas Ban INFO: 58 a6 33 15 22 88 a7 61 21 4d cd 28 78 0b 56 02 5365c8b5f9fSTamas Ban INFO: 58 20 aa 67 a1 69 b0 bb a2 17 aa 0a a8 8a 65 34 5375c8b5f9fSTamas Ban INFO: 69 20 c8 4c 42 44 7c 36 ba 5f 7e a6 5f 42 2c 1f 5385c8b5f9fSTamas Ban INFO: e5 d8 06 67 73 68 61 2d 32 35 36 a4 01 67 41 50 5395c8b5f9fSTamas Ban INFO: 5f 42 4c 33 31 05 58 20 53 78 79 63 07 53 5d f3 5405c8b5f9fSTamas Ban INFO: ec 8d 8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 5415c8b5f9fSTamas Ban INFO: 22 38 c0 fa 97 3f 7a a3 02 58 20 2e 6d 31 a5 98 5425c8b5f9fSTamas Ban INFO: 3a 91 25 1b fa e5 ae fa 1c 0a 19 d8 ba 3c f6 01 5435c8b5f9fSTamas Ban INFO: d0 e8 a7 06 b4 cf a9 66 1a 6b 8a 06 67 73 68 61 5445c8b5f9fSTamas Ban INFO: 2d 32 35 36 a4 01 63 52 4d 4d 05 58 20 53 78 79 5455c8b5f9fSTamas Ban INFO: 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c 5465c8b5f9fSTamas Ban INFO: 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 02 58 20 5475c8b5f9fSTamas Ban INFO: a1 fb 50 e6 c8 6f ae 16 79 ef 33 51 29 6f d6 71 5485c8b5f9fSTamas Ban INFO: 34 11 a0 8c f8 dd 17 90 a4 fd 05 fa e8 68 81 64 5495c8b5f9fSTamas 
Ban INFO: 06 67 73 68 61 2d 32 35 36 a4 01 69 48 57 5f 43 5505c8b5f9fSTamas Ban INFO: 4f 4e 46 49 47 05 58 20 53 78 79 63 07 53 5d f3 5515c8b5f9fSTamas Ban INFO: ec 8d 8b 15 a2 e2 dc 56 41 41 9c 3d 30 60 cf e3 5525c8b5f9fSTamas Ban INFO: 22 38 c0 fa 97 3f 7a a3 02 58 20 1a 25 24 02 97 5535c8b5f9fSTamas Ban INFO: 2f 60 57 fa 53 cc 17 2b 52 b9 ff ca 69 8e 18 31 5545c8b5f9fSTamas Ban INFO: 1f ac d0 f3 b0 6e ca ae f7 9e 17 06 67 73 68 61 5555c8b5f9fSTamas Ban INFO: 2d 32 35 36 a4 01 69 46 57 5f 43 4f 4e 46 49 47 5565c8b5f9fSTamas Ban INFO: 05 58 20 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 5575c8b5f9fSTamas Ban INFO: e2 dc 56 41 41 9c 3d 30 60 cf e3 22 38 c0 fa 97 5585c8b5f9fSTamas Ban INFO: 3f 7a a3 02 58 20 9a 92 ad bc 0c ee 38 ef 65 8c 5595c8b5f9fSTamas Ban INFO: 71 ce 1b 1b f8 c6 56 68 f1 66 bf b2 13 64 4c 89 5605c8b5f9fSTamas Ban INFO: 5c cb 1a d0 7a 25 06 67 73 68 61 2d 32 35 36 a4 5615c8b5f9fSTamas Ban INFO: 01 6c 54 42 5f 46 57 5f 43 4f 4e 46 49 47 05 58 5626dfeb60aSThomas Fossati INFO: 20 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 5636dfeb60aSThomas Fossati INFO: 56 41 41 9c 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a 5645c8b5f9fSTamas Ban INFO: a3 02 58 20 23 89 03 18 0c c1 04 ec 2c 5d 8b 3f 5655c8b5f9fSTamas Ban INFO: 20 c5 bc 61 b3 89 ec 0a 96 7d f8 cc 20 8c dc 7c 5665c8b5f9fSTamas Ban INFO: d4 54 17 4f 06 67 73 68 61 2d 32 35 36 a4 01 6d 5675c8b5f9fSTamas Ban INFO: 53 4f 43 5f 46 57 5f 43 4f 4e 46 49 47 05 58 20 5685c8b5f9fSTamas Ban INFO: 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 5695c8b5f9fSTamas Ban INFO: 41 41 9c 3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3 5705c8b5f9fSTamas Ban INFO: 02 58 20 e6 c2 1e 8d 26 0f e7 18 82 de bd b3 39 5715c8b5f9fSTamas Ban INFO: d2 40 2a 2c a7 64 85 29 bc 23 03 f4 86 49 bc e0 5725c8b5f9fSTamas Ban INFO: 38 00 17 06 67 73 68 61 2d 32 35 36 58 60 31 d0 5735c8b5f9fSTamas Ban INFO: 4d 52 cc de 95 2c 1e 32 cb a1 81 88 5a 40 b8 cc 5745c8b5f9fSTamas Ban INFO: 38 e0 52 8c 1e 89 58 98 07 64 2a a5 e3 f2 bc 37 5755c8b5f9fSTamas Ban INFO: f9 
53 74 50 6b ff 4d 2e 4b e7 06 3c 4d 72 41 92 5765c8b5f9fSTamas Ban INFO: 70 c7 22 e8 d4 d9 3e e8 b6 c9 fa ce 3b 43 c9 76 5775c8b5f9fSTamas Ban INFO: 1a 49 94 1a b6 f3 8f fd ff 49 6a d4 63 b4 cb fa 5785c8b5f9fSTamas Ban INFO: 11 d8 3e 23 e3 1f 7f 62 32 9d e3 0c 1c c8 579a5a5947aSTamas Ban INFO: DELEGATED ATTEST TEST END 580a5a5947aSTamas Ban 581a5a5947aSTamas BanJSON format: 582a5a5947aSTamas Ban 583a5a5947aSTamas Ban.. code-block:: JSON 584a5a5947aSTamas Ban 585a5a5947aSTamas Ban { 5865c8b5f9fSTamas Ban "CCA_ATTESTATION_PROFILE": "tag:arm.com,2023:cca_platform#1.0.0", 5875c8b5f9fSTamas Ban "CCA_PLATFORM_CHALLENGE": "b'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711'", 5886dfeb60aSThomas Fossati "CCA_PLATFORM_IMPLEMENTATION_ID": "b'7F454C4602010100000000000000000003003E00010000005058000000000000'", 5896dfeb60aSThomas Fossati "CCA_PLATFORM_INSTANCE_ID": "b'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918'", 5906dfeb60aSThomas Fossati "CCA_PLATFORM_CONFIG": "b'CFCFCFCF'", 5916dfeb60aSThomas Fossati "CCA_PLATFORM_LIFECYCLE": "secured_3003", 5926dfeb60aSThomas Fossati "CCA_PLATFORM_HASH_ALGO_ID": "sha-256", 5936dfeb60aSThomas Fossati "CCA_PLATFORM_VERIFICATION_SERVICE": "https://veraison.example/.well-known/veraison/verification", 594a5a5947aSTamas Ban "CCA_PLATFORM_SW_COMPONENTS": [ 595a5a5947aSTamas Ban { 5966dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "RSE_BL1_2", 5976dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 5986dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA'", 5996dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 600a5a5947aSTamas Ban }, 601a5a5947aSTamas Ban { 6026dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "RSE_BL2", 6036dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6046dfeb60aSThomas Fossati "MEASUREMENT_VALUE": 
"b'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3'", 6056dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 606a5a5947aSTamas Ban }, 607a5a5947aSTamas Ban { 6086dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "RSE_S", 6096dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6106dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2'", 6116dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 612a5a5947aSTamas Ban }, 613a5a5947aSTamas Ban { 6146dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "AP_BL1", 6156dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6166dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501'", 6176dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 618a5a5947aSTamas Ban }, 619a5a5947aSTamas Ban { 6206dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "AP_BL2", 6216dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6226dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58'", 6236dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 624a5a5947aSTamas Ban }, 625a5a5947aSTamas Ban { 6266dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "SCP_BL1", 6276dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6286dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68'", 6296dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 630a5a5947aSTamas Ban }, 631a5a5947aSTamas Ban { 6326dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "SCP_BL2", 6336dfeb60aSThomas Fossati "SIGNER_ID": "b'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56'", 6346dfeb60aSThomas Fossati 
"MEASUREMENT_VALUE": "b'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8'", 6356dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 636a5a5947aSTamas Ban }, 637a5a5947aSTamas Ban { 6386dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "AP_BL31", 6396dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6406dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A'", 6416dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 642a5a5947aSTamas Ban }, 643a5a5947aSTamas Ban { 6446dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "RMM", 6456dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6466dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164'", 6476dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 6486dfeb60aSThomas Fossati }, 6496dfeb60aSThomas Fossati { 6506dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "HW_CONFIG", 6516dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6526dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17'", 6536dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 6546dfeb60aSThomas Fossati }, 6556dfeb60aSThomas Fossati { 6566dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "FW_CONFIG", 6576dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6586dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25'", 6596dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 6606dfeb60aSThomas Fossati }, 6616dfeb60aSThomas Fossati { 6626dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "TB_FW_CONFIG", 6636dfeb60aSThomas Fossati "SIGNER_ID": 
"b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6646dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F'", 6656dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 6666dfeb60aSThomas Fossati }, 6676dfeb60aSThomas Fossati { 6686dfeb60aSThomas Fossati "SW_COMPONENT_TYPE": "SOC_FW_CONFIG", 6696dfeb60aSThomas Fossati "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'", 6706dfeb60aSThomas Fossati "MEASUREMENT_VALUE": "b'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017'", 6716dfeb60aSThomas Fossati "CCA_SW_COMPONENT_HASH_ID": "sha-256" 672a5a5947aSTamas Ban } 6736dfeb60aSThomas Fossati ] 674a5a5947aSTamas Ban } 675a5a5947aSTamas Ban 676*e4582e42STamas BanRSE based DICE Protection Environment 677*e4582e42STamas Ban------------------------------------- 678*e4582e42STamas Ban 679*e4582e42STamas BanThe ``DICE Protection Environment (DPE)`` [8]_ service makes it possible to 680*e4582e42STamas Banexecute |DICE| commands within an isolated execution environment. It provides 681*e4582e42STamas Banclients with an interface to send DICE commands, encoded as CBOR objects, 682*e4582e42STamas Banthat act on opaque context handles. The |DPE| service performs |DICE| 683*e4582e42STamas Banderivations and certification on its internal contexts, without exposing the 684*e4582e42STamas Ban|DICE| secrets (private keys and CDIs) outside of the isolated execution 685*e4582e42STamas Banenvironment. 686*e4582e42STamas Ban 687*e4582e42STamas Ban|DPE| API 688*e4582e42STamas Ban^^^^^^^^^ 689*e4582e42STamas Ban 690*e4582e42STamas BanDefined here: 691*e4582e42STamas Ban 692*e4582e42STamas Ban- ``include/lib/psa/dice_protection_environment.h`` 693*e4582e42STamas Ban 694*e4582e42STamas Ban.. 
code-block:: c 695*e4582e42STamas Ban 696*e4582e42STamas Ban dpe_error_t 697*e4582e42STamas Ban dpe_derive_context(int context_handle, 698*e4582e42STamas Ban uint32_t cert_id, 699*e4582e42STamas Ban bool retain_parent_context, 700*e4582e42STamas Ban bool allow_new_context_to_derive, 701*e4582e42STamas Ban bool create_certificate, 702*e4582e42STamas Ban const DiceInputValues *dice_inputs, 703*e4582e42STamas Ban int32_t target_locality, 704*e4582e42STamas Ban bool return_certificate, 705*e4582e42STamas Ban bool allow_new_context_to_export, 706*e4582e42STamas Ban bool export_cdi, 707*e4582e42STamas Ban int *new_context_handle, 708*e4582e42STamas Ban int *new_parent_context_handle, 709*e4582e42STamas Ban uint8_t *new_certificate_buf, 710*e4582e42STamas Ban size_t new_certificate_buf_size, 711*e4582e42STamas Ban size_t *new_certificate_actual_size, 712*e4582e42STamas Ban uint8_t *exported_cdi_buf, 713*e4582e42STamas Ban size_t exported_cdi_buf_size, 714*e4582e42STamas Ban size_t *exported_cdi_actual_size); 715*e4582e42STamas Ban 716*e4582e42STamas BanBuild time config options 717*e4582e42STamas Ban^^^^^^^^^^^^^^^^^^^^^^^^^ 718*e4582e42STamas Ban 719*e4582e42STamas Ban- ``MEASURED_BOOT``: Enable measured boot. 720*e4582e42STamas Ban- ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot 721*e4582e42STamas Ban backend when |RSE| based ``MEASURED_BOOT`` is enabled. The default value is 722*e4582e42STamas Ban ``0``. When set to ``1`` then measurements and additional metadata collected 723*e4582e42STamas Ban during the measured boot process are sent to the |DPE| for storage and 724*e4582e42STamas Ban processing. 725*e4582e42STamas Ban- ``DPE_ALG_ID``: Determine the hash algorithm to measure the images. The 726*e4582e42STamas Ban default value is sha-256. 
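The hex dump is the raw CBOR from which the JSON view above is produced. Each
entry of ``CCA_PLATFORM_SW_COMPONENTS`` appears in it as a map of four claims;
for ``SCP_BL1`` the bytes read ``a4`` (map of 4), ``01 67 53 43 50 5f 42 4c 31``
(key 1, 7-byte text ``SCP_BL1``), ``05 58 20 ...`` (key 5, 32-byte signer ID),
``02 58 20 ...`` (key 2, 32-byte measurement) and ``06 67 73 68 61 2d 32 35 36``
(key 6, text ``sha-256``). The trailing ``58 60 ...`` item is the token's 96-byte
signature. The decoder below is an example added to this document; it is not
TF-A or TF-M code. It decodes the ``SCP_BL1`` and ``AP_BL31`` maps copied from the
dump, wrapped in a two-element array whose ``82`` header is constructed here, and
renders them in the same form as the JSON output. It does not verify the
signature; a real verifier must check it, together with the profile, challenge
and lifecycle claims, before trusting any measurement.

```python
"""Decode the software-component claims of a CCA platform token from raw CBOR.

Added example; it is not TF-A or TF-M code. The sample bytes are copied from
the delegated attestation dump above (SCP_BL1 and AP_BL31 component maps).
"""
from typing import Any, Dict, List, Tuple

# Claim keys inside each software-component map, as they appear in the dump:
# 0x01 type, 0x02 measurement value, 0x05 signer ID, 0x06 hash algorithm.
SW_COMPONENT_KEYS = {
    1: "SW_COMPONENT_TYPE",
    2: "MEASUREMENT_VALUE",
    5: "SIGNER_ID",
    6: "CCA_SW_COMPONENT_HASH_ID",
}


def _read_argument(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode the argument of the initial byte at pos (RFC 8949 section 3)."""
    info = data[pos] & 0x1F
    pos += 1
    if info < 24:
        return info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError(f"unsupported additional information {info}")
    if pos + width > len(data):
        raise ValueError("truncated CBOR argument")
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def decode_item(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one CBOR data item; return (value, offset after the item).

    Supports the major types the token needs: unsigned/negative integers,
    byte strings, text strings, arrays and maps. Indefinite lengths and
    tags are rejected rather than guessed at.
    """
    if pos >= len(data):
        raise ValueError("unexpected end of CBOR data")
    major = data[pos] >> 5
    arg, pos = _read_argument(data, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(data):
            raise ValueError("truncated CBOR string")
        chunk = data[pos:pos + arg]
        return (bytes(chunk) if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items: List[Any] = []
        for _ in range(arg):
            item, pos = decode_item(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result: Dict[Any, Any] = {}
        for _ in range(arg):
            key, pos = decode_item(data, pos)
            value, pos = decode_item(data, pos)
            result[key] = value
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def parse_sw_components(data: bytes) -> List[Dict[str, Any]]:
    """Decode a CBOR array of software-component maps into the JSON-style view
    printed by the test (byte strings rendered as upper-case hex)."""
    items, end = decode_item(data)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing byte(s) after the array")
    if not isinstance(items, list):
        raise ValueError("expected a CBOR array of components")
    components = []
    for comp in items:
        named = {}
        for key, value in comp.items():
            name = SW_COMPONENT_KEYS.get(key, f"unknown_claim_{key}")
            named[name] = value.hex().upper() if isinstance(value, bytes) else value
        components.append(named)
    return components


# Constructed input: the SCP_BL1 and AP_BL31 component maps copied from the hex
# dump above, wrapped in a two-element array (the leading 0x82 is added here).
SAMPLE_SW_COMPONENTS = bytes.fromhex(
    "82"
    # SCP_BL1: a4 map(4); 01 67 "SCP_BL1"; 05 58 20 signer; 02 58 20 hash; 06 67 "sha-256"
    "a4 01 67 53 43 50 5f 42 4c 31"
    "05 58 20 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c"
    "3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3"
    "02 58 20 10 12 2e 85 6b 3f cd 49 f0 63 63 63 17 47 61 49 cb 73 0a 1a a1 cf aa"
    "d8 18 55 2b 72 f5 6d 6f 68"
    "06 67 73 68 61 2d 32 35 36"
    # AP_BL31, same layout
    "a4 01 67 41 50 5f 42 4c 33 31"
    "05 58 20 53 78 79 63 07 53 5d f3 ec 8d 8b 15 a2 e2 dc 56 41 41 9c"
    "3d 30 60 cf e3 22 38 c0 fa 97 3f 7a a3"
    "02 58 20 2e 6d 31 a5 98 3a 91 25 1b fa e5 ae fa 1c 0a 19 d8 ba 3c f6 01"
    "d0 e8 a7 06 b4 cf a9 66 1a 6b 8a"
    "06 67 73 68 61 2d 32 35 36"
)

if __name__ == "__main__":
    for component in parse_sw_components(SAMPLE_SW_COMPONENTS):
        print(component)
```

Running the block prints the two components with the same signer ID and the
same measurement values as the ``SCP_BL1`` and ``AP_BL31`` entries of the JSON
above, which is the check worth doing by hand once when bringing up a new
platform: the measurement bytes in the log must be the ones the verifier's
reference values were generated from.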
RSE based DICE Protection Environment
-------------------------------------

The ``DICE Protection Environment (DPE)`` [8]_ service makes it possible to
execute |DICE| commands within an isolated execution environment. It provides
clients with an interface to send |DICE| commands, encoded as CBOR objects,
that act on opaque context handles. The |DPE| service performs |DICE|
derivations and certification on its internal contexts, without exposing the
|DICE| secrets (private keys and CDIs) outside of the isolated execution
environment.

|DPE| API
^^^^^^^^^

Defined here:

- ``include/lib/psa/dice_protection_environment.h``

.. code-block:: c

    dpe_error_t
    dpe_derive_context(int                    context_handle,
                       uint32_t               cert_id,
                       bool                   retain_parent_context,
                       bool                   allow_new_context_to_derive,
                       bool                   create_certificate,
                       const DiceInputValues *dice_inputs,
                       int32_t                target_locality,
                       bool                   return_certificate,
                       bool                   allow_new_context_to_export,
                       bool                   export_cdi,
                       int                   *new_context_handle,
                       int                   *new_parent_context_handle,
                       uint8_t               *new_certificate_buf,
                       size_t                 new_certificate_buf_size,
                       size_t                *new_certificate_actual_size,
                       uint8_t               *exported_cdi_buf,
                       size_t                 exported_cdi_buf_size,
                       size_t                *exported_cdi_actual_size);

Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^

- ``MEASURED_BOOT``: Enable measured boot.
- ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag that selects the measured boot
  backend when |RSE| based ``MEASURED_BOOT`` is enabled. The default value is
  ``0``. When set to ``1``, the measurements and additional metadata collected
  during the measured boot process are sent to the |DPE| for storage and
  processing.
- ``DPE_ALG_ID``: Selects the hash algorithm used to measure the images. The
  default value is sha-256.

Example certificate chain
^^^^^^^^^^^^^^^^^^^^^^^^^

An example certificate chain layout is defined in ``plat/arm/board/tc/tc_dpe.h``.

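The following Python model is an example added to this document; it is not
TF-M's DPE partition or TF-A's client code. It shows the properties the API
above depends on: every CDI stays inside the service, the client only ever
holds integer handles, a handle is spent by the call that uses it and replaced
by the fresh ``new_context_handle`` and (if ``retain_parent_context`` is set)
``new_parent_context_handle``, and a CDI is released only when ``export_cdi``
is requested on a context whose parent permitted export. The child CDI is
derived as HMAC-SHA256 over a digest of the DICE inputs, in the manner of the
DICE layering rule. The ``DiceInputValues`` fields, the handle values, the
mode encoding, the boot-chain inputs and the root CDI are all assumptions
constructed for the example; ``cert_id``, locality and certificate output of
the real API are left out.

```python
"""Toy DICE Protection Environment: CDIs never leave the service, clients hold
only opaque single-use context handles. Added example, not TF-M or TF-A code."""
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DiceInputValues:
    """Subset of the DICE inputs a layer supplies for the next layer."""
    code_hash: bytes        # measurement of the next layer's code
    config_value: bytes     # its configuration data
    authority_hash: bytes   # hash of the key that signed it
    mode: int               # DICE mode field; 1 is taken to mean "normal" here


@dataclass
class _Context:
    cdi: bytes               # the secret; returned only on an explicit export
    allow_derive: bool       # may this context derive children?
    allow_export: bool       # may a child CDI be exported from this context?


class DpeError(Exception):
    pass


class DpeService:
    """Keeps every CDI behind an integer handle. The handle passed to a call is
    consumed by it; the response carries fresh handles instead."""

    def __init__(self, root_cdi: bytes):
        self._contexts: Dict[int, _Context] = {}
        self._handles = itertools.count(0x1000)   # arbitrary start value
        self.root_handle = self._store(_Context(root_cdi, True, True))

    def _store(self, ctx: _Context) -> int:
        handle = next(self._handles)
        self._contexts[handle] = ctx
        return handle

    def derive_context(self, context_handle: int, dice_inputs: DiceInputValues,
                       retain_parent_context: bool, allow_new_context_to_derive: bool,
                       allow_new_context_to_export: bool, export_cdi: bool
                       ) -> Tuple[Optional[int], Optional[int], Optional[bytes]]:
        """Derive a child of the context behind context_handle and return
        (new_context_handle, new_parent_context_handle, exported_cdi), each None
        when not produced. Same shape as dpe_derive_context minus cert_id,
        locality and certificate output. A rejected call leaves the handle valid."""
        parent = self._contexts.get(context_handle)
        if parent is None:
            raise DpeError("invalid or already used context handle")
        if not parent.allow_derive:
            raise DpeError("context is not permitted to derive")
        if export_cdi and not parent.allow_export:
            raise DpeError("parent context does not permit CDI export")
        del self._contexts[context_handle]                 # handle is now spent

        # DICE layering: CDI_child = HMAC(CDI_parent, TCI_child), the TCI being a
        # digest over the code, config, authority and mode of the next layer.
        tci = hashlib.sha256(dice_inputs.code_hash + dice_inputs.config_value
                             + dice_inputs.authority_hash
                             + dice_inputs.mode.to_bytes(1, "big")).digest()
        child_cdi = hmac.new(parent.cdi, tci, hashlib.sha256).digest()

        new_parent_handle = self._store(parent) if retain_parent_context else None
        if export_cdi:
            # The secret leaves the service, which keeps no copy of the child.
            return None, new_parent_handle, child_cdi
        child = _Context(child_cdi, allow_new_context_to_derive, allow_new_context_to_export)
        return self._store(child), new_parent_handle, None


def derive_chain(service: DpeService, layers: List[DiceInputValues]) -> bytes:
    """Walk a boot chain from the root context and export the last layer's CDI."""
    handle = service.root_handle
    for inputs in layers[:-1]:
        handle, _, _ = service.derive_context(handle, inputs, False, True, True, False)
    _, _, cdi = service.derive_context(handle, layers[-1], False, False, False, True)
    return cdi


def layer(name: str, config: bytes = b"\xcf\xcf\xcf\xcf") -> DiceInputValues:
    """Constructed sample inputs: the code hash is of the layer name, not an image."""
    return DiceInputValues(code_hash=hashlib.sha256(name.encode()).digest(),
                           config_value=config,
                           authority_hash=hashlib.sha256(b"sample signer").digest(),
                           mode=1)


ROOT_CDI = hashlib.sha256(b"constructed root CDI").digest()   # placeholder, not a secret
BOOT_CHAIN = [layer("AP_BL1"), layer("AP_BL2"), layer("AP_BL31")]
```

Two behaviours of the model are the ones to carry over to a real client: a
changed measurement or configuration anywhere in the chain yields a different
CDI for every later layer, and an old handle is worthless once the call that
used it returns, so a client that is replayed or restarted without the fresh
handles cannot derive from, or export, a context it no longer owns.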
RSE OTP Assets Management
-------------------------

RSE provides the AP with access to assets stored in OTP: the public keys used
for image signature verification and the non-volatile counters used for
anti-rollback protection.

Non-Volatile Counter API
^^^^^^^^^^^^^^^^^^^^^^^^

The AP/RSE interface for reading and incrementing non-volatile counters is as
follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

    psa_status_t rse_platform_nv_counter_increment(uint32_t counter_id)

    psa_status_t rse_platform_nv_counter_read(uint32_t counter_id,
                                              uint32_t size, uint8_t *val)

Through this service the AP can read or increment any of the three
non-volatile counters used on an Arm CCA platform:

- ``Non-volatile counter for CCA firmware (BL2, BL31, RMM).``
- ``Non-volatile counter for secure firmware.``
- ``Non-volatile counter for non-secure firmware.``

Public Key API
^^^^^^^^^^^^^^

The AP/RSE interface for reading a ROTPK is as follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

    psa_status_t rse_platform_key_read(enum rse_key_id_builtin_t key,
                                       uint8_t *data, size_t data_size,
                                       size_t *data_length)

Through this service the AP can read any of the three ROTPKs used on an Arm CCA
platform:

- ``ROTPK for CCA firmware (BL2, BL31, RMM).``
- ``ROTPK for secure firmware.``
- ``ROTPK for non-secure firmware.``

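The two services above are consumed together by the AP boot stages: the ROTPK
decides whether a key certificate is trusted, and the counter decides whether
the firmware it covers is allowed to run. The following Python model is an
example added to this document, not TF-A or TF-M code. A fake RSE backend
holds the three counters and the three ROTPKs, and the client-side functions
apply the trusted-boot rule: the certificate key must match the platform ROTPK
before the counter is touched, a certificate counter below the stored value is
rejected as a rollback, an equal one is accepted, and a higher one advances the
stored counter one step at a time, because the RSE API offers increment-by-one
and no set operation. The identifiers ``CCA_FW``, ``SECURE_FW`` and
``NON_SECURE_FW``, the ``KeyCertificate`` type and all keys and counter values
are constructed for the example; the two-value return tuples stand in for the
``psa_status_t`` plus output parameter of the C API, and signature verification
itself is not modelled.

```python
"""Client-side use of the RSE OTP asset services: ROTPK match and anti-rollback
counter handling. Added example with a fake RSE backend; not TF-A or TF-M code."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

PSA_SUCCESS = 0
PSA_ERROR_INVALID_ARGUMENT = -135    # value as defined in psa/error.h

# The three asset classes of an Arm CCA platform. One index selects both the NV
# counter and the ROTPK. These are placeholders for the example, not the enum
# values of rse_platform_api.h.
CCA_FW, SECURE_FW, NON_SECURE_FW = 0, 1, 2


class FakeRseOtp:
    """Stand-in for the RSE side. Counters only ever move upwards, one step per
    increment call, mirroring the shape of the C API above (status plus output)."""

    def __init__(self, counters: Dict[int, int], rotpks: Dict[int, bytes]):
        self._counters = dict(counters)
        self._rotpks = dict(rotpks)

    def nv_counter_read(self, counter_id: int) -> Tuple[int, int]:
        if counter_id not in self._counters:
            return PSA_ERROR_INVALID_ARGUMENT, 0
        return PSA_SUCCESS, self._counters[counter_id]

    def nv_counter_increment(self, counter_id: int) -> int:
        if counter_id not in self._counters:
            return PSA_ERROR_INVALID_ARGUMENT
        self._counters[counter_id] += 1
        return PSA_SUCCESS

    def key_read(self, key_id: int) -> Tuple[int, bytes]:
        if key_id not in self._rotpks:
            return PSA_ERROR_INVALID_ARGUMENT, b""
        return PSA_SUCCESS, self._rotpks[key_id]


@dataclass(frozen=True)
class KeyCertificate:
    """The two fields of a trusted-boot key certificate this model looks at."""
    public_key: bytes    # key carried by the certificate
    nv_counter: int      # anti-rollback value asserted by the signer


def rotpk_matches(otp: FakeRseOtp, fw_class: int, cert: KeyCertificate) -> bool:
    """Compare the certificate key with the platform ROTPK by SHA-256 digest, the
    form in which trusted boot commonly holds the ROTPK for comparison."""
    status, rotpk = otp.key_read(fw_class)
    if status != PSA_SUCCESS:
        return False
    return hashlib.sha256(rotpk).digest() == hashlib.sha256(cert.public_key).digest()


def check_and_update_nv_counter(otp: FakeRseOtp, fw_class: int, image_nv_ctr: int) -> bool:
    """Anti-rollback rule: below the stored counter is a rollback and is rejected;
    equal is accepted; higher advances the stored counter. Advancing is a loop
    because the RSE API increments by one and offers no 'set'."""
    status, stored = otp.nv_counter_read(fw_class)
    if status != PSA_SUCCESS:
        return False
    if image_nv_ctr < stored:
        return False
    while stored < image_nv_ctr:
        if otp.nv_counter_increment(fw_class) != PSA_SUCCESS:
            return False
        stored += 1
    return True


def authenticate(otp: FakeRseOtp, fw_class: int, cert: KeyCertificate) -> bool:
    """Key check first, counter update last, so the counter never moves for a
    certificate that does not chain to the ROTPK. Signature verification with
    cert.public_key is assumed to have succeeded and is not modelled."""
    if not rotpk_matches(otp, fw_class, cert):
        return False
    return check_and_update_nv_counter(otp, fw_class, cert.nv_counter)


# Constructed sample data: not real keys or counter values.
ROTPKS = {c: hashlib.sha256(f"rotpk-{c}".encode()).digest()
          for c in (CCA_FW, SECURE_FW, NON_SECURE_FW)}
COUNTERS = {CCA_FW: 3, SECURE_FW: 1, NON_SECURE_FW: 0}
```

The ordering in ``authenticate`` is the point to preserve: because a counter
in OTP can never be decremented, incrementing it on the strength of an
unverified certificate would brick every legitimately signed older image, so
the increment must be the last step of a fully verified chain, and the loop
must stop as soon as an increment fails.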
References
----------

.. [1] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/index.html
.. [2] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/rse_comms.html
.. [3] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/measured_boot_integration_guide.html
.. [4] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/delegated_attestation/delegated_attest_integration_guide.html
.. [5] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/rse_key_management.html
.. [6] https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93
.. [7] https://developer.arm.com/documentation/DEN0096/A_a/?lang=en
.. [8] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/dice_protection_environment/dice_protection_environment.html

--------------

*Copyright (c) 2023-2024, Arm Limited. All rights reserved.*
*Copyright (c) 2024, Linaro Limited. All rights reserved.*