@startuml
skinparam ParticipantPadding 10
skinparam BoxPadding 10
box AP
participant RMM
participant BL31
endbox
box RSE
participant DelegAttest
participant InitAttest
participant MeasuredBoot
participant Crypto
endbox

== RMM Boot phase ==

RMM -> BL31: get_realm_key(\n\t**hash_algo**, ...)
BL31 -> DelegAttest: get_delegated_key
DelegAttest -> MeasuredBoot: read_measurement
Rnote over DelegAttest: Compute input\n\ for key derivation\n\ (hash of measurements)
DelegAttest -> Crypto: derive_key
Rnote over DelegAttest: Compute public key\n\ hash with **hash_algo**.
Rnote over Crypto: Seed is provisioned\n\ in the factory.
DelegAttest --> BL31: get_delegated_key
BL31 --> RMM: get_realm_key
Rnote over RMM: Only private key\n\ is returned. Public\n\ key and its hash\n\ must be computed.\n\
Public key is included\n\ in the realm token.\n\ Its hash is the input\n\ for get_platform_token
RMM -> BL31: get_platform_token(\n\t**pub_key_hash**, ...)
BL31 -> DelegAttest: get_delegated_token
Rnote over DelegAttest: Check **pub_key_hash**\n\ against derived key.
DelegAttest -> InitAttest: get_initial_token
Rnote over InitAttest: Create the token including\n\ the **pub_key_hash** as the\n\ challenge claim
InitAttest -> MeasuredBoot: read_measurement
InitAttest -> Crypto: sign_token
InitAttest --> DelegAttest: get_initial_token
DelegAttest --> BL31: get_delegated_token
BL31 --> RMM: get_platform_token
Rnote over RMM: Platform token is\n\ cached. It is not\n\ changing within\n\ a power cycle.
@enduml