Runtime Security Engine (RSE)
=============================

This document focuses on the relationship between the Runtime Security Engine
(RSE) and the application processor (AP). According to the ARM reference design
the RSE is an independent core next to the AP and the SCP on the same die. It
provides fundamental security guarantees and runtime services for the rest of
the system (e.g.: trusted boot, measured boot, platform attestation,
key management, and key derivation).

At power up RSE boots first from its private ROM code. It validates and loads
its own images and the initial images of SCP and AP. When AP and SCP are
released from reset and their initial code is loaded, they continue their
own boot process, which is the same as on non-RSE systems. Please refer to the
``RSE documentation`` [1]_ for more details about the RSE boot flow.

The last stage of the RSE firmware is a persistent, runtime component. Much
like AP_BL31, this is a passive entity which has no periodic task to do and
just waits for external requests from other subsystems. RSE and other
subsystems can communicate with each other over message exchange. RSE waits
idle for incoming requests, handles them, sends a response and then goes back
to idle.

RSE communication layer
-----------------------

The communication between RSE and other subsystems relies primarily on the
Message Handling Unit (MHU) module.

However, it is possible to use this communication protocol with a different
mailbox than MHU, by setting the flag ``PLAT_MHU=NO_MHU`` and implementing the
APIs given in the file ``include/drivers/arm/rse_comms.h``.

The number of MHU interfaces between RSE and other cores is IMPDEF. Besides the
MHU, other modules can also take part in the communication. RSE is capable of
mapping the AP memory into its address space. Thereby either the RSE core
itself or a DMA engine, if present, can move the data between memory belonging
to RSE or AP. In this way, a larger amount of data can be transferred in a short
time.

The MHU comes in pairs. There is a sender and a receiver side. They are
connected to each other. An MHU interface consists of two pairs of MHUs, one
sender and one receiver on both sides. Bidirectional communication is possible
over an interface. One pair provides message sending from AP to RSE and the
other pair from RSE to AP. The sender and receiver are connected via channels.
There is an IMPDEF number of channels (e.g: 4-16) between a sender and a
receiver module.

The RSE communication layer provides two ways for message exchange:

- ``Embedded messaging``: The full message, including header and payload, is
  exchanged over the MHU channels. A channel is capable of delivering a single
  word. The sender writes the data to the channel register on its side and the
  receiver can read the data from the channel on the other side. One dedicated
  channel is used for signalling. It does not deliver any payload; it is just
  meant for signalling that the sender has loaded the data into the channel
  registers so the receiver can read them. The receiver uses the same channel
  to signal that the data was read. Signalling happens via IRQ. If the message
  is longer than the data that fits in the channel registers, the message is
  sent over in multiple rounds. Both sender and receiver allocate a local
  buffer for the messages. Data is copied from/to these buffers to/from the
  channel registers.
- ``Pointer-access messaging``: The message header and the payload are
  separated and conveyed in different ways. The header is sent over the
  channels, similar to the embedded messaging, but the payload is copied over
  by the RSE core (or by DMA) between the sender and the receiver. This could
  be useful in the case of long messages because the transaction time is
  shorter compared to the embedded messaging mode. Small payloads are copied by
  the RSE core because setting up DMA would require more CPU cycles. The
  payload is either copied into an internal buffer or directly read/written by
  RSE. The actual behaviour depends on the RSE setup, namely whether the
  partition supports memory-mapped ``iovec``. Therefore, the sender must handle
  both cases and prevent access to the memory where the payload data lives
  while the RSE handles the request.

The RSE communication layer supports both ways of messaging in parallel. It is
decided at runtime, based on the message size, which way to transfer the
message.

.. code-block:: bash

   +----------------------------------------------+       +-------------------+
   |                                              |       |                   |
   |                      AP                      |       |                   |
   |                                              |  +--->|       SRAM        |
   +----------------------------------------------|  |    |                   |
   |               BL1 / BL2 / BL31               |  |    |                   |
   +----------------------------------------------+  |    +-------------------+
         |                           ^               |        ^          ^
         | send                  IRQ | receive       |direct  |          |
         V                           |               |access  |          |
   +--------------------+    +--------------------+  |        |          |
   |     MHU sender     |    |    MHU receiver    |  |        | Copy data|
   +--------------------+    +--------------------+  |        |          |
      | |           | |         | |           | |    |        |          |
      | | channels  | |         | | channels  | |    |        |          |
      | | e.g: 4-16 | |         | | e.g: 4-16 | |    |        V          |
   +--------------------+    +--------------------+  |    +-------+      |
   |    MHU receiver    |    |     MHU sender     |  | +->|  DMA  |      |
   +--------------------+    +--------------------+  | |  +-------+      |
         |                           ^               | |      ^          |
     IRQ | receive                   | send          | |      | Copy data|
         V                           |               | |      V          V
   +----------------------------------------------+  | |  +-------------------+
   |                                              |--+-+  |                   |
   |                     RSE                      |       |       SRAM        |
   |                                              |       |                   |
   +----------------------------------------------+       +-------------------+

.. Note::

   The RSE communication layer is not prepared for concurrent execution. The
   current use case only requires message exchange during the boot phase. In
   the boot phase, only a single core is running and the rest of the cores are
   in reset.

Message structure
^^^^^^^^^^^^^^^^^
A description of the message format can be found in the ``RSE communication
design`` [2]_ document.

Source files
^^^^^^^^^^^^
- RSE comms: ``drivers/arm/rse``
- MHU driver: ``drivers/arm/mhu``


API for communication over MHU
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The API is defined in these header files:

- ``include/drivers/arm/rse_comms.h``
- ``include/drivers/arm/mhu.h``

RSE provided runtime services
-----------------------------

RSE provides the following runtime services:

- ``Measured boot``: Securely store the firmware measurements which were
  computed during the boot process and the associated metadata (image
  description, measurement algorithm, etc.). More info on the measured boot
  service in RSE can be found in the ``measured_boot_integration_guide`` [3]_.
- ``Delegated attestation``: Query the platform attestation token and derive a
  delegated attestation key. More info on the delegated attestation service
  in RSE can be found in the ``delegated_attestation_integration_guide`` [4]_.
- ``OTP assets management``: Public keys used by AP during the trusted boot
  process can be requested from RSE. Furthermore, AP can request RSE to
  increase a non-volatile counter. Please refer to the
  ``RSE key management`` [5]_ document for more details.
- ``DICE Protection Environment``: Securely store the firmware measurements
  which were computed during the boot process and the associated metadata. It
  is also capable of representing the boot measurements in the form of a
  certificate chain, which can be queried. Please refer to the
  ``DICE Protection Environment (DPE)`` [8]_ document for more details.

Runtime service API
^^^^^^^^^^^^^^^^^^^
The RSE provided runtime services implement a PSA aligned API. The parameter
encoding follows the PSA client protocol described in the
``Firmware Framework for M`` [6]_ document in chapter 4.4. The implementation is
restricted to the static handle use case, therefore only the ``psa_call`` API
is implemented.


Software and API layers
^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: bash

   +----------------+         +---------------------+
   |   BL1 / BL2    |         |         BL31        |
   +----------------+         +---------------------+
           |                             |
           | extend_measurement()        | get_delegated_key()
           |                             | get_platform_token()
           V                             V
   +----------------+         +---------------------+
   |  PSA protocol  |         |     PSA protocol    |
   +----------------+         +---------------------+
           |                             |
           | psa_call()                  | psa_call()
           |                             |
           V                             V
   +------------------------------------------------+
   |           RSE communication protocol           |
   +------------------------------------------------+
           |                             ^
           | mhu_send_data()             | mhu_receive_data()
           |                             |
           V                             |
   +------------------------------------------------+
   |                   MHU driver                   |
   +------------------------------------------------+
           |                             ^
           | Register access             | IRQ
           V                             |
   +------------------------------------------------+
   |               MHU HW on AP side                |
   +------------------------------------------------+
                           ^
                           | Physical wires
                           |
                           V
   +------------------------------------------------+
   |               MHU HW on RSE side               |
   +------------------------------------------------+
           |                             ^
           | IRQ                         | Register access
           V                             |
   +------------------------------------------------+
   |                   MHU driver                   |
   +------------------------------------------------+
           |                             |
           V                             V
   +---------------+       +------------------------+
   | Measured boot |       | Delegated attestation  |
   |    service    |       |        service         |
   +---------------+       +------------------------+


RSE based Measured Boot
-----------------------

Measured Boot is the process of cryptographically measuring (computing the hash
value of a binary) the code and critical data used at boot time. The
measurement must be stored in a tamper-resistant way, so the security state
of the device can be attested later to an external party. RSE provides a
runtime service which is meant to store measurements together with their
associated metadata.

Data is stored in internal SRAM which is only accessible by the secure runtime
firmware of RSE. Data is stored in so-called measurement slots. A platform has
an IMPDEF number of measurement slots. The measurement storage follows extend
semantics. This means that measurements are not stored directly (as taken);
instead they contribute to the current value of the measurement slot. The
extension implements this logic, where ``||`` stands for concatenation:

.. code-block:: bash

   new_value_of_measurement_slot = Hash(old_value_of_measurement_slot || measurement)

Supported hash algorithms: sha-256, sha-512

Measured Boot API
^^^^^^^^^^^^^^^^^

Defined here:

- ``include/lib/psa/measured_boot.h``

.. code-block:: c

   psa_status_t
   rse_measured_boot_extend_measurement(uint8_t index,
                                        const uint8_t *signer_id,
                                        size_t signer_id_size,
                                        const uint8_t *version,
                                        size_t version_size,
                                        uint32_t measurement_algo,
                                        const uint8_t *sw_type,
                                        size_t sw_type_size,
                                        const uint8_t *measurement_value,
                                        size_t measurement_value_size,
                                        bool lock_measurement);

Measured Boot Metadata
^^^^^^^^^^^^^^^^^^^^^^

The following metadata can be stored alongside the measurement:

- ``Signer-id``: Mandatory. The hash of the firmware image signing public key.
- ``Measurement algorithm``: Optional. The hash algorithm which was used to
  compute the measurement (e.g.: sha-256, etc.).
- ``Version info``: Optional. The firmware version info (e.g.: 2.7).
- ``SW type``: Optional. Short text description (e.g.: BL1, BL2, BL31, etc.)

.. Note::
   Version info is not implemented in TF-A yet.


The caller must specify in which measurement slot to extend a certain
measurement and metadata. A measurement slot can be extended by multiple
measurements. The default value is IMPDEF. All measurement slots are cleared at
reset; there is no other way to clear them. In the reference implementation,
the measurement slots are initialized to 0. At the first call to extend the
measurement in a slot, the extend operation uses the default value of the
measurement slot. All subsequent extend operations on the same slot contribute
to the previous value of that measurement slot.

The following rules are kept when a slot is extended multiple times:

- ``Signer-id`` must be the same as in the previous call(s), otherwise a
  PSA_ERROR_NOT_PERMITTED error code is returned.

- ``Measurement algorithm`` must be the same as in the previous call(s),
  otherwise a PSA_ERROR_NOT_PERMITTED error code is returned.

In case of error no further action is taken (the slot is not locked). If a
subsequent call carries valid data, the measurement slot is extended. The
rest of the metadata is handled as follows when a measurement slot is extended
multiple times:

- ``SW type``: Cleared.
- ``Version info``: Cleared.

.. Note::

   Extending multiple measurements in the same slot leads to some metadata
   information loss. Since RSE is not constrained by special HW resources for
   storing the measurements and metadata, it is worth considering storing each
   of them in a distinct slot. However, they are one-by-one included in the
   platform attestation token. So, the number of distinct firmware image
   measurements has an impact on the size of the attestation token.
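
As an added example (not TF-A or TF-M code), the following Python models the
slot store described above on the host side: the extend rule, the signer-id
and algorithm consistency rules, the clearing of ``SW type`` and
``Version info`` on repeated extends, and the PSA status codes named in the
text. Two details are assumptions rather than documented behaviour: a slot's
default value is taken to be zero-filled to the digest length, and a locked
slot is taken to reject further extends with ``PSA_ERROR_BAD_STATE``.

```python
"""Host-side model of the RSE measured boot slot store (added example, not
TF-A/TF-M code).  Shows the extend rule new = Hash(old || measurement), the
signer-id / algorithm consistency rules and the metadata clearing on repeated
extends.  Assumptions: a slot's default value is zero-filled to the digest
length, and a locked slot rejects further extends with PSA_ERROR_BAD_STATE."""
import hashlib
from dataclasses import dataclass

# PSA status codes and algorithm identifiers from the PSA Crypto API.  The
# sample console log prints the algorithm as 2000009, i.e. 0x02000009 = SHA-256.
PSA_SUCCESS = 0
PSA_ERROR_NOT_PERMITTED = -133
PSA_ERROR_INVALID_ARGUMENT = -135
PSA_ERROR_BAD_STATE = -137
PSA_ALG_SHA_256 = 0x02000009
PSA_ALG_SHA_512 = 0x0200000B
_HASH_NAMES = {PSA_ALG_SHA_256: "sha256", PSA_ALG_SHA_512: "sha512"}


def extend_digest(old_value, measurement, alg=PSA_ALG_SHA_256):
    """Extend semantics from the text: new_value = Hash(old_value || measurement)."""
    return hashlib.new(_HASH_NAMES[alg], old_value + measurement).digest()


@dataclass
class Slot:
    value: bytes = b""          # b"" means "never extended" (default value applies)
    signer_id: bytes = b""
    algo: int = 0
    sw_type: bytes = b""
    version: bytes = b""
    extend_count: int = 0
    locked: bool = False


class MeasuredBootStore:
    """IMPDEF number of slots; all slots are cleared at reset (object creation)."""

    def __init__(self, num_slots=32):
        self.slots = [Slot() for _ in range(num_slots)]

    def extend_measurement(self, index, signer_id, version, measurement_algo,
                           sw_type, measurement_value, lock_measurement):
        """Mirrors the parameters of rse_measured_boot_extend_measurement()."""
        if not 0 <= index < len(self.slots) or measurement_algo not in _HASH_NAMES:
            return PSA_ERROR_INVALID_ARGUMENT
        if not signer_id:                       # Signer-id is mandatory metadata
            return PSA_ERROR_INVALID_ARGUMENT
        slot = self.slots[index]
        if slot.locked:                         # assumption: a locked slot is final
            return PSA_ERROR_BAD_STATE
        if slot.extend_count == 0:
            # First extend: start from the default (zero-filled) value, keep metadata.
            slot.value = bytes(hashlib.new(_HASH_NAMES[measurement_algo]).digest_size)
            slot.signer_id, slot.algo = signer_id, measurement_algo
            slot.sw_type, slot.version = sw_type, version
        elif signer_id != slot.signer_id or measurement_algo != slot.algo:
            # Repeated extend with mismatching signer-id or algorithm: nothing
            # changes and the slot is not locked.
            return PSA_ERROR_NOT_PERMITTED
        else:
            # Metadata that cannot describe two images at once is cleared.
            slot.sw_type, slot.version = b"", b""
        slot.value = extend_digest(slot.value, measurement_value, measurement_algo)
        slot.extend_count += 1
        slot.locked = lock_measurement
        return PSA_SUCCESS


def demo():
    """Replays the slot 6 record of the sample console log (with locking deferred),
    then exercises the repeated-extend rules on the same slot."""
    store = MeasuredBootStore()
    fw_config = bytes.fromhex("aaead3a7a8e2ab7d13a6cb349910b9a1"
                              "1b9fa052c5a8b1d776f2c1c1efca1adf")
    zero_signer = bytes(32)                     # signer_id printed as all zeros in the log
    first = store.extend_measurement(6, zero_signer, b"", PSA_ALG_SHA_256,
                                     b"FW_CONFIG", fw_config, False)
    # Different signer-id: rejected, slot untouched (value and metadata kept).
    mismatch = store.extend_measurement(6, b"\x01" * 32, b"", PSA_ALG_SHA_256,
                                        b"OTHER", bytes(32), False)
    # Same signer-id and algorithm: accepted, sw_type/version cleared, then locked.
    second = store.extend_measurement(6, zero_signer, b"", PSA_ALG_SHA_256,
                                      b"OTHER", bytes(32), True)
    return (first, mismatch, second), store.slots[6]


if __name__ == "__main__":
    statuses, slot = demo()
    print("statuses:", statuses)
    print("slot 6:", slot.value.hex(), "extends:", slot.extend_count, "locked:", slot.locked)
```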

The allocation of the measurement slots among RSE, Root and Realm worlds is
platform dependent. The platform must provide an allocation of the measurement
slots at build time. An example can be found in
``tf-a/plat/arm/board/tc/tc_bl1_measured_boot.c``.
Furthermore, the memory which holds the metadata is also statically allocated
in RSE memory. Some of the fields have a static value (measurement algorithm),
and some of the fields have a dynamic value (measurement value) which is updated
by the bootloaders when the firmware image is loaded and measured. The metadata
structure is defined in
``include/drivers/measured_boot/rse/rse_measured_boot.h``.

.. code-block:: c

   struct rse_mboot_metadata {
           unsigned int id;
           uint8_t slot;
           uint8_t signer_id[SIGNER_ID_MAX_SIZE];
           size_t  signer_id_size;
           uint8_t version[VERSION_MAX_SIZE];
           size_t  version_size;
           uint8_t sw_type[SW_TYPE_MAX_SIZE];
           size_t  sw_type_size;
           void    *pk_oid;
           bool    lock_measurement;
   };

Signer-ID API
^^^^^^^^^^^^^

This function calculates the hash of a public key (signer-ID) using the
``Measurement algorithm`` and stores it in the ``rse_mboot_metadata`` field
named ``signer_id``.
Prior to calling this function, the caller must ensure that the ``signer_id``
field points to a zero-filled buffer.

Defined here:

- ``include/drivers/measured_boot/rse/rse_measured_boot.h``

.. code-block:: c

   int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
                               const void *pk_oid,
                               const void *pk_ptr,
                               size_t pk_len);


- First parameter is the pointer to the ``rse_mboot_metadata`` structure.
- Second parameter is the pointer to the key-OID of the public key.
- Third parameter is the pointer to the public key buffer.
- Fourth parameter is the size of the public key buffer.
- This function returns 0 on success, a signed integer error code
  otherwise.

Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^

- ``MEASURED_BOOT``: Enable measured boot.
- ``MBOOT_RSE_HASH_ALG``: Determine the hash algorithm to measure the images.
  The default value is sha-256.

Measured boot flow
^^^^^^^^^^^^^^^^^^

.. figure:: ../resources/diagrams/rse_measured_boot_flow.svg
   :align: center

Sample console log
^^^^^^^^^^^^^^^^^^

.. code-block:: bash

   INFO:    Measured boot extend measurement:
   INFO:     - slot        : 6
   INFO:     - signer_id   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   INFO:                   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   INFO:     - version     :
   INFO:     - version_size: 0
   INFO:     - sw_type     : FW_CONFIG
   INFO:     - sw_type_size: 10
   INFO:     - algorithm   : 2000009
   INFO:     - measurement : aa ea d3 a7 a8 e2 ab 7d 13 a6 cb 34 99 10 b9 a1
   INFO:                   : 1b 9f a0 52 c5 a8 b1 d7 76 f2 c1 c1 ef ca 1a df
   INFO:     - locking     : true
   INFO:    FCONF: Config file with image ID:31 loaded at address = 0x4001010
   INFO:    Loading image id=24 at address 0x4001300
   INFO:    Image id=24 loaded: 0x4001300 - 0x400153a
   INFO:    Measured boot extend measurement:
   INFO:     - slot        : 7
   INFO:     - signer_id   : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73
   INFO:                   : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da
   INFO:     - version     :
   INFO:     - version_size: 0
   INFO:     - sw_type     : TB_FW_CONFIG
   INFO:     - sw_type_size: 13
   INFO:     - algorithm   : 2000009
   INFO:     - measurement : 05 b9 dc 98 62 26 a7 1c 2d e5 bb af f0 90 52 28
   INFO:                   : f2 24 15 8a 3a 56 60 95 d6 51 3a 7a 1a 50 9b b7
   INFO:     - locking     : true
   INFO:    FCONF: Config file with image ID:24 loaded at address = 0x4001300
   INFO:    BL1: Loading BL2
   INFO:    Loading image id=1 at address 0x404d000
   INFO:    Image id=1 loaded: 0x404d000 - 0x406412a
   INFO:    Measured boot extend measurement:
   INFO:     - slot        : 8
   INFO:     - signer_id   : b0 f3 82 09 12 97 d8 3a 37 7a 72 47 1b ec 32 73
   INFO:                   : e9 92 32 e2 49 59 f6 5e 8b 4a 4a 46 d8 22 9a da
   INFO:     - version     :
   INFO:     - version_size: 0
   INFO:     - sw_type     : BL_2
   INFO:     - sw_type_size: 5
   INFO:     - algorithm   : 2000009
   INFO:     - measurement : 53 a1 51 75 25 90 fb a1 d9 b8 c8 34 32 3a 01 16
   INFO:                   : c9 9e 74 91 7d 28 02 56 3f 5c 40 94 37 58 50 68
   INFO:     - locking     : true

Delegated Attestation
---------------------

The Delegated Attestation Service was mainly developed to support the
attestation flow on the ``ARM Confidential Compute Architecture`` (ARM CCA)
[7]_. The detailed description of the delegated attestation service can be found
in the ``Delegated Attestation Service Integration Guide`` [4]_ document.

In the CCA use case, the Realm Management Monitor (RMM) relies on the delegated
attestation service of the RSE to get a realm attestation key and the CCA
platform token. BL31 does not use the service for its own purpose; it only
calls it on behalf of RMM. Access to the MHU interface, and thereby to RSE, is
restricted to BL31. Therefore, RMM does not have direct access and all calls
need to go through BL31. The RMM dispatcher module of BL31 is responsible for
delivering the calls between the two parties.

Delegated Attestation API
^^^^^^^^^^^^^^^^^^^^^^^^^
Defined here:

- ``include/lib/psa/delegated_attestation.h``

.. code-block:: c

   psa_status_t
   rse_delegated_attest_get_delegated_key(uint8_t ecc_curve,
                                          uint32_t key_bits,
                                          uint8_t *key_buf,
                                          size_t key_buf_size,
                                          size_t *key_size,
                                          uint32_t hash_algo);

   psa_status_t
   rse_delegated_attest_get_token(const uint8_t *dak_pub_hash,
                                  size_t dak_pub_hash_size,
                                  uint8_t *token_buf,
                                  size_t token_buf_size,
                                  size_t *token_size);

Attestation flow
^^^^^^^^^^^^^^^^

.. figure:: ../resources/diagrams/rse_attestation_flow.svg
   :align: center

Sample attestation token
^^^^^^^^^^^^^^^^^^^^^^^^

Binary format:

.. code-block:: bash

   INFO:    DELEGATED ATTEST TEST START
   INFO:    Get delegated attestation key start
   INFO:    Get delegated attest key succeeds, len: 48
   INFO:    Delegated attest key:
   INFO:            0d 2a 66 61 d4 89 17 e1 70 c6 73 56 df f4 11 fd
   INFO:            7d 1f 3b 8a a3 30 3d 70 4c d9 06 c3 c7 ef 29 43
   INFO:            0f ee b5 e7 56 e0 71 74 1b c4 39 39 fd 85 f6 7b
   INFO:    Get platform token start
   INFO:    Get platform token succeeds, len: 1086
   INFO:    Platform attestation token:
   INFO:    DELEGATED ATTEST TEST END

JSON format:

.. code-block:: JSON

   {
     "CCA_ATTESTATION_PROFILE": "tag:arm.com,2023:cca_platform#1.0.0",
     "CCA_PLATFORM_CHALLENGE": "b'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711'",
     "CCA_PLATFORM_IMPLEMENTATION_ID": "b'7F454C4602010100000000000000000003003E00010000005058000000000000'",
     "CCA_PLATFORM_INSTANCE_ID": "b'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918'",
     "CCA_PLATFORM_CONFIG": "b'CFCFCFCF'",
     "CCA_PLATFORM_LIFECYCLE": "secured_3003",
     "CCA_PLATFORM_HASH_ALGO_ID": "sha-256",
     "CCA_PLATFORM_VERIFICATION_SERVICE": "https://veraison.example/.well-known/veraison/verification",
     "CCA_PLATFORM_SW_COMPONENTS": [
       {
         "SW_COMPONENT_TYPE": "RSE_BL1_2",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "RSE_BL2",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "RSE_S",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "AP_BL1",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "AP_BL2",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "SCP_BL1",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "SCP_BL2",
         "SIGNER_ID": "b'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56'",
         "MEASUREMENT_VALUE": "b'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "AP_BL31",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "RMM",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "HW_CONFIG",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "FW_CONFIG",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "TB_FW_CONFIG",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       },
       {
         "SW_COMPONENT_TYPE": "SOC_FW_CONFIG",
         "SIGNER_ID": "b'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3'",
         "MEASUREMENT_VALUE": "b'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017'",
         "CCA_SW_COMPONENT_HASH_ID": "sha-256"
       }
     ]
   }

RSE based DICE Protection Environment
-------------------------------------

The ``DICE Protection Environment (DPE)`` [8]_ service makes it possible to
execute |DICE| commands within an isolated execution environment. It provides
clients with an interface to send DICE commands, encoded as CBOR objects,
that act on opaque context handles. The |DPE| service performs |DICE|
derivations and certification on its internal contexts, without exposing the
|DICE| secrets (private keys and CDIs) outside of the isolated execution
environment.

|DPE| API
^^^^^^^^^

Defined here:

- ``include/lib/psa/dice_protection_environment.h``

.. code-block:: c

   dpe_error_t
   dpe_derive_context(int context_handle,
                      uint32_t cert_id,
                      bool retain_parent_context,
                      bool allow_new_context_to_derive,
                      bool create_certificate,
                      const DiceInputValues *dice_inputs,
                      int32_t target_locality,
                      bool return_certificate,
                      bool allow_new_context_to_export,
                      bool export_cdi,
                      int *new_context_handle,
                      int *new_parent_context_handle,
                      uint8_t *new_certificate_buf,
                      size_t new_certificate_buf_size,
                      size_t *new_certificate_actual_size,
                      uint8_t *exported_cdi_buf,
                      size_t exported_cdi_buf_size,
                      size_t *exported_cdi_actual_size);

Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^

- ``MEASURED_BOOT``: Enable measured boot.
- ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot
  backend when |RSE| based ``MEASURED_BOOT`` is enabled. The default value is
  ``0``. When set to ``1``, the measurements and additional metadata collected
  during the measured boot process are sent to the |DPE| for storage and
  processing.
- ``DPE_ALG_ID``: Determine the hash algorithm to measure the images. The
  default value is sha-256.

Example certificate chain
^^^^^^^^^^^^^^^^^^^^^^^^^

``plat/arm/board/tc/tc_dpe.h``

RSE OTP Assets Management
-------------------------

RSE provides access for AP to assets in OTP, which include keys for image
signature verification and non-volatile counters for anti-rollback protection.

Non-Volatile Counter API
^^^^^^^^^^^^^^^^^^^^^^^^

The AP/RSE interface for reading and incrementing non-volatile counters is
as follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

   psa_status_t rse_platform_nv_counter_increment(uint32_t counter_id);

   psa_status_t rse_platform_nv_counter_read(uint32_t counter_id,
                                             uint32_t size, uint8_t *val);

Through this service, we can read/increment any of the 3 non-volatile
counters used on an Arm CCA platform:

- ``Non-volatile counter for CCA firmware (BL2, BL31, RMM).``
- ``Non-volatile counter for secure firmware.``
- ``Non-volatile counter for non-secure firmware.``

Public Key API
^^^^^^^^^^^^^^

The AP/RSE interface for reading the ROTPK is as follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

   psa_status_t rse_platform_key_read(enum rse_key_id_builtin_t key,
                                      uint8_t *data, size_t data_size,
                                      size_t *data_length);

Through this service, we can read any of the 3 ROTPKs used on an
Arm CCA platform:

- ``ROTPK for CCA firmware (BL2, BL31, RMM).``
- ``ROTPK for secure firmware.``
- ``ROTPK for non-secure firmware.``

Get entropy API
^^^^^^^^^^^^^^^

The AP/RSE interface for reading entropy is as follows.

Defined here:

- ``include/lib/psa/rse_platform_api.h``

.. code-block:: c

   psa_status_t rse_platform_get_entropy(uint8_t *data, size_t data_size);

Through this service, we can read entropy generated by RSE.

References
----------

.. [1] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/index.html
.. [2] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/rse_comms.html
.. [3] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/measured_boot_integration_guide.html
.. [4] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/delegated_attestation/delegated_attest_integration_guide.html
.. [5] https://trustedfirmware-m.readthedocs.io/en/latest/platform/arm/rse/rse_key_management.html
.. [6] https://developer.arm.com/documentation/den0063
.. [7] https://developer.arm.com/documentation/DEN0096/A_a/?lang=en
.. [8] https://trustedfirmware-m.readthedocs.io/projects/tf-m-extras/en/latest/partitions/dice_protection_environment/dice_protection_environment.html

--------------

*Copyright (c) 2023-2025, Arm Limited. All rights reserved.*
*Copyright (c) 2024, Linaro Limited. All rights reserved.*
*Copyright (c) 2025, STMicroelectronics - All Rights Reserved*