Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-13 08:04:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge changes from topic "rss_rse_rename" into integration

Browse source 
* changes:
  refactor(changelog): change all occurrences of RSS to RSE
  refactor(qemu): change all occurrences of RSS to RSE
  refactor(fvp): change all occurrences of RSS to RSE
  refactor(fiptool): change all occurrences of RSS to RSE
  refactor(psa): change all occurrences of RSS to RSE
  refactor(fvp): remove leftovers from rss measured boot support
  refactor(tc): change all occurrences of RSS to RSE
  docs: change all occurrences of RSS to RSE
  refactor(measured-boot): change all occurrences of RSS to RSE
  refactor(rse): change all occurrences of RSS to RSE
  refactor(psa): rename all 'rss' files to 'rse'
  refactor(tc): rename all 'rss' files to 'rse'
  docs: rename all 'rss' files to 'rse'
  refactor(measured-boot): rename all 'rss' files to 'rse'
  refactor(rss): rename all 'rss' files to 'rse'
This commit is contained in:
Manish V Badarkhe 2024-04-26 16:55:04 +02:00 committed by TrustedFirmware Code Review
commit a1901c7d0d
70 changed files with 643 additions and 644 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
changelog.yaml
View file

@ -957,11 +957,12 @@ subsections:
deprecated:
- drivers/arm/mhu
- title: RSS
scope: rss
- title: RSE
scope: rse
deprecated:
- drivers/arm/rss
- rss
- title: TZC
scope: tzc

2
docs/about/features.rst
View file

@ -128,7 +128,7 @@ Additionally the following libraries are marked experimental when included
in a platform:
- MPU translation library ``lib/xlat_mpu``
- RSS comms driver ``drivers/arm/rss``
- RSE comms driver ``drivers/arm/rse``
Still to come
-------------

8
docs/about/maintainers.rst
View file

@ -337,12 +337,12 @@ Message Handling Unit (MHU) driver
:|F|: include/drivers/arm/mhu.h
:|F|: drivers/arm/mhu
Runtime Security Subsystem (RSS) comms driver
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Runtime Security Engine (RSE) comms driver
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:|M|: David Vincze <david.vincze@arm.com>
:|G|: `davidvincze`_
:|F|: include/drivers/arm/rss_comms.h
:|F|: drivers/arm/rss
:|F|: include/drivers/arm/rse_comms.h
:|F|: drivers/arm/rse
Libfdt wrappers
^^^^^^^^^^^^^^^

2
docs/design_documents/index.rst
View file

@ -9,7 +9,7 @@ Design Documents
context_mgmt_rework
measured_boot_poc
drtm_poc
rss
rse
psci_osi_mode
measured_boot

10
docs/design_documents/measured_boot.rst
View file

@ -91,10 +91,10 @@ The Measured Boot implementation in TF-A supports:
and the variable length crypto agile structure called TCG_PCR_EVENT2. Event
Log driver implemented in TF-A covers later part.
#. RSS
#. RSE
It is one of physical backend to extend the measurements. Please refer this
document :ref:`Runtime Security Subsystem (RSS)` for more details.
document :ref:`Runtime Security Engine (RSE)` for more details.
Platform Interface
------------------
@ -121,7 +121,7 @@ Responsibilities of these platform interfaces are -
void bl2_plat_mboot_init(void);
Initialise all Measured Boot backends supported by the platform
(e.g. Event Log buffer, RSS). As these functions do not return any value,
(e.g. Event Log buffer, RSE). As these functions do not return any value,
the platform should deal with error management, such as logging the error
somewhere, or panicking the system if this is considered a fatal error.
@ -147,7 +147,7 @@ Responsibilities of these platform interfaces are -
- If it is Event Log backend, then record the measurement in TCG Event Log
format.
- If it is a secure crypto-processor (like RSS), then extend the designated
- If it is a secure crypto-processor (like RSE), then extend the designated
PCR (or slot) with the given measurement.
- This function must return 0 on success, a signed integer error code
otherwise.
@ -223,7 +223,7 @@ Responsibilities of these platform interfaces are -
- This function must return 0 on success, a signed integer error code
otherwise.
- In TC2 platform, this function is used to calculate the hash of the given
key and forward this hash to RSS alongside the measurement of the image
key and forward this hash to RSE alongside the measurement of the image
which the key signs.
--------------

148
docs/design_documents/rss.rst → docs/design_documents/rse.rst
View file

@ -1,45 +1,45 @@
Runtime Security Subsystem (RSS)
================================
Runtime Security Engine (RSE)
=============================
This document focuses on the relationship between the Runtime Security Subsystem
(RSS) and the application processor (AP). According to the ARM reference design
the RSS is an independent core next to the AP and the SCP on the same die. It
This document focuses on the relationship between the Runtime Security Engine
(RSE) and the application processor (AP). According to the ARM reference design
the RSE is an independent core next to the AP and the SCP on the same die. It
provides fundamental security guarantees and runtime services for the rest of
the system (e.g.: trusted boot, measured boot, platform attestation,
key management, and key derivation).
At power up RSS boots first from its private ROM code. It validates and loads
At power up RSE boots first from its private ROM code. It validates and loads
its own images and the initial images of SCP and AP. When AP and SCP are
released from reset and their initial code is loaded then they continue their
own boot process, which is the same as on non-RSS systems. Please refer to the
``RSS documentation`` [1]_ for more details about the RSS boot flow.
own boot process, which is the same as on non-RSE systems. Please refer to the
``RSE documentation`` [1]_ for more details about the RSE boot flow.
The last stage of the RSS firmware is a persistent, runtime component. Much
The last stage of the RSE firmware is a persistent, runtime component. Much
like AP_BL31, this is a passive entity which has no periodical task to do and
just waits for external requests from other subsystems. RSS and other
subsystems can communicate with each other over message exchange. RSS waits
just waits for external requests from other subsystems. RSE and other
subsystems can communicate with each other over message exchange. RSE waits
in idle for the incoming request, handles them, and sends a response then goes
back to idle.
RSS communication layer
RSE communication layer
-----------------------
The communication between RSS and other subsystems are primarily relying on the
Message Handling Unit (MHU) module. The number of MHU interfaces between RSS
The communication between RSE and other subsystems are primarily relying on the
Message Handling Unit (MHU) module. The number of MHU interfaces between RSE
and other cores is IMPDEF. Besides MHU other modules also could take part in
the communication. RSS is capable of mapping the AP memory to its address space.
Thereby either RSS core itself or a DMA engine if it is present, can move the
data between memory belonging to RSS or AP. In this way, a bigger amount of data
the communication. RSE is capable of mapping the AP memory to its address space.
Thereby either RSE core itself or a DMA engine if it is present, can move the
data between memory belonging to RSE or AP. In this way, a bigger amount of data
can be transferred in a short time.
The MHU comes in pairs. There is a sender and receiver side. They are connected
to each other. An MHU interface consists of two pairs of MHUs, one sender and
one receiver on both sides. Bidirectional communication is possible over an
interface. One pair provides message sending from AP to RSS and the other pair
from RSS to AP. The sender and receiver are connected via channels. There is an
interface. One pair provides message sending from AP to RSE and the other pair
from RSE to AP. The sender and receiver are connected via channels. There is an
IMPDEF number of channels (e.g: 4-16) between a sender and a receiver module.
The RSS communication layer provides two ways for message exchange:
The RSE communication layer provides two ways for message exchange:
- ``Embedded messaging``: The full message, including header and payload, are
exchanged over the MHU channels. A channel is capable of delivering a single
@ -55,16 +55,16 @@ The RSS communication layer provides two ways for message exchange:
- ``Pointer-access messaging``: The message header and the payload are
separated and they are conveyed in different ways. The header is sent
over the channels, similar to the embedded messaging but the payload is
copied over by RSS core (or by DMA) between the sender and the receiver. This
copied over by RSE core (or by DMA) between the sender and the receiver. This
could be useful in the case of long messages because transaction time is less
compared to the embedded messaging mode. Small payloads are copied by the RSS
compared to the embedded messaging mode. Small payloads are copied by the RSE
core because setting up DMA would require more CPU cycles. The payload is
either copied into an internal buffer or directly read-written by RSS. Actual
behavior depends on RSS setup, whether the partition supports memory-mapped
either copied into an internal buffer or directly read-written by RSE. Actual
behavior depends on RSE setup, whether the partition supports memory-mapped
``iovec``. Therefore, the sender must handle both cases and prevent access to
the memory, where payload data lives, while the RSS handles the request.
the memory, where payload data lives, while the RSE handles the request.
The RSS communication layer supports both ways of messaging in parallel. It is
The RSE communication layer supports both ways of messaging in parallel. It is
decided at runtime based on the message size which way to transfer the message.
.. code-block:: bash
@ -93,25 +93,25 @@ decided at runtime based on the message size which way to transfer the message.
V | | | V V
+----------------------------------------------+ | | +-------------------+
| |--+-+ | |
| RSS | | SRAM |
| RSE | | SRAM |
| | | |
+----------------------------------------------+ +-------------------+
.. Note::
The RSS communication layer is not prepared for concurrent execution. The
The RSE communication layer is not prepared for concurrent execution. The
current use case only requires message exchange during the boot phase. In
the boot phase, only a single core is running and the rest of the cores are
in reset.
Message structure
^^^^^^^^^^^^^^^^^
A description of the message format can be found in the ``RSS communication
A description of the message format can be found in the ``RSE communication
design`` [2]_ document.
Source files
^^^^^^^^^^^^
- RSS comms: ``drivers/arm/rss``
- RSE comms: ``drivers/arm/rse``
- MHU driver: ``drivers/arm/mhu``
@ -119,29 +119,29 @@ API for communication over MHU
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The API is defined in these header files:
- ``include/drivers/arm/rss_comms.h``
- ``include/drivers/arm/rse_comms.h``
- ``include/drivers/arm/mhu.h``
RSS provided runtime services
RSE provided runtime services
-----------------------------
RSS provides the following runtime services:
RSE provides the following runtime services:
- ``Measured boot``: Securely store the firmware measurements which were
computed during the boot process and the associated metadata (image
description, measurement algorithm, etc.). More info on measured boot service
in RSS can be found in the ``measured_boot_integration_guide`` [3]_ .
in RSE can be found in the ``measured_boot_integration_guide`` [3]_ .
- ``Delegated attestation``: Query the platform attestation token and derive a
delegated attestation key. More info on the delegated attestation service
in RSS can be found in the ``delegated_attestation_integration_guide`` [4]_ .
in RSE can be found in the ``delegated_attestation_integration_guide`` [4]_ .
- ``OTP assets management``: Public keys used by AP during the trusted boot
process can be requested from RSS. Furthermore, AP can request RSS to
process can be requested from RSE. Furthermore, AP can request RSE to
increase a non-volatile counter. Please refer to the
``RSS key management`` [5]_ document for more details.
``RSE key management`` [5]_ document for more details.
Runtime service API
^^^^^^^^^^^^^^^^^^^
The RSS provided runtime services implement a PSA aligned API. The parameter
The RSE provided runtime services implement a PSA aligned API. The parameter
encoding follows the PSA client protocol described in the
``Firmware Framework for M`` [6]_ document in chapter 4.4. The implementation is
restricted to the static handle use case therefore only the ``psa_call`` API is
@ -168,7 +168,7 @@ Software and API layers
| |
V V
+------------------------------------------------+
| RSS communication protocol |
| RSE communication protocol |
+------------------------------------------------+
| ^
| mhu_send_data() | mhu_receive_data()
@ -188,7 +188,7 @@ Software and API layers
|
V
+------------------------------------------------+
| MHU HW on RSS side |
| MHU HW on RSE side |
+------------------------------------------------+
| ^
| IRQ | Register access
@ -204,17 +204,17 @@ Software and API layers
+---------------+ +------------------------+
RSS based Measured Boot
RSE based Measured Boot
-----------------------
Measured Boot is the process of cryptographically measuring (computing the hash
value of a binary) the code and critical data used at boot time. The
measurement must be stored in a tamper-resistant way, so the security state
of the device can be attested later to an external party. RSS provides a runtime
of the device can be attested later to an external party. RSE provides a runtime
service which is meant to store measurements and associated metadata alongside.
Data is stored in internal SRAM which is only accessible by the secure runtime
firmware of RSS. Data is stored in so-called measurement slots. A platform has
firmware of RSE. Data is stored in so-called measurement slots. A platform has
IMPDEF number of measurement slots. The measurement storage follows extend
semantics. This means that measurements are not stored directly (as it was
taken) instead they contribute to the current value of the measurement slot.
@ -236,7 +236,7 @@ Defined here:
.. code-block:: c
psa_status_t
rss_measured_boot_extend_measurement(uint8_t index,
rse_measured_boot_extend_measurement(uint8_t index,
const uint8_t *signer_id,
size_t signer_id_size,
const uint8_t *version,
@ -291,27 +291,27 @@ multiple times:
.. Note::
Extending multiple measurements in the same slot leads to some metadata
information loss. Since RSS is not constrained on special HW resources to
information loss. Since RSE is not constrained on special HW resources to
store the measurements and metadata, therefore it is worth considering to
store all of them one by one in distinct slots. However, they are one-by-one
included in the platform attestation token. So, the number of distinct
firmware image measurements has an impact on the size of the attestation
token.
The allocation of the measurement slot among RSS, Root and Realm worlds is
The allocation of the measurement slot among RSE, Root and Realm worlds is
platform dependent. The platform must provide an allocation of the measurement
slot at build time. An example can be found in
``tf-a/plat/arm/board/tc/tc_bl1_measured_boot.c``
Furthermore, the memory, which holds the metadata is also statically allocated
in RSS memory. Some of the fields have a static value (measurement algorithm),
in RSE memory. Some of the fields have a static value (measurement algorithm),
and some of the values have a dynamic value (measurement value) which is updated
by the bootloaders when the firmware image is loaded and measured. The metadata
structure is defined in
``include/drivers/measured_boot/rss/rss_measured_boot.h``.
``include/drivers/measured_boot/rse/rse_measured_boot.h``.
.. code-block:: c
struct rss_mboot_metadata {
struct rse_mboot_metadata {
unsigned int id;
uint8_t slot;
uint8_t signer_id[SIGNER_ID_MAX_SIZE];
@ -328,24 +328,24 @@ Signer-ID API
^^^^^^^^^^^^^
This function calculates the hash of a public key (signer-ID) using the
``Measurement algorithm`` and stores it in the ``rss_mboot_metadata`` field
``Measurement algorithm`` and stores it in the ``rse_mboot_metadata`` field
named ``signer_id``.
Prior to calling this function, the caller must ensure that the ``signer_id``
field points to the zero-filled buffer.
Defined here:
- ``include/drivers/measured_boot/rss/rss_measured_boot.h``
- ``include/drivers/measured_boot/rse/rse_measured_boot.h``
.. code-block:: c
int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr,
int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
const void *pk_oid,
const void *pk_ptr,
size_t pk_len)
- First parameter is the pointer to the ``rss_mboot_metadata`` structure.
- First parameter is the pointer to the ``rse_mboot_metadata`` structure.
- Second parameter is the pointer to the key-OID of the public key.
- Third parameter is the pointer to the public key buffer.
- Fourth parameter is the size of public key buffer.
@ -356,15 +356,15 @@ Build time config options
^^^^^^^^^^^^^^^^^^^^^^^^^
- ``MEASURED_BOOT``: Enable measured boot. It depends on the platform
implementation whether RSS or TPM (or both) backend based measured boot is
implementation whether RSE or TPM (or both) backend based measured boot is
enabled.
- ``MBOOT_RSS_HASH_ALG``: Determine the hash algorithm to measure the images.
- ``MBOOT_RSE_HASH_ALG``: Determine the hash algorithm to measure the images.
The default value is sha-256.
Measured boot flow
^^^^^^^^^^^^^^^^^^
.. figure:: ../resources/diagrams/rss_measured_boot_flow.svg
.. figure:: ../resources/diagrams/rse_measured_boot_flow.svg
:align: center
Sample console log
@ -425,15 +425,15 @@ The detailed description of the delegated attestation service can be found in
the ``Delegated Attestation Service Integration Guide`` [4]_ document.
In the CCA use case, the Realm Management Monitor (RMM) relies on the delegated
attestation service of the RSS to get a realm attestation key and the CCA
attestation service of the RSE to get a realm attestation key and the CCA
platform token. BL31 does not use the service for its own purpose, only calls
it on behalf of RMM. The access to MHU interface and thereby to RSS is
it on behalf of RMM. The access to MHU interface and thereby to RSE is
restricted to BL31 only. Therefore, RMM does not have direct access, all calls
need to go through BL31. The RMM dispatcher module of the BL31 is responsible
for delivering the calls between the two parties.
.. Note::
Currently the connection between the RMM dispatcher and the PSA/RSS layer
Currently the connection between the RMM dispatcher and the PSA/RSE layer
is not yet implemented. RMM dispatcher just returns hard coded data.
Delegated Attestation API
@ -445,7 +445,7 @@ Defined here:
.. code-block:: c
psa_status_t
rss_delegated_attest_get_delegated_key(uint8_t ecc_curve,
rse_delegated_attest_get_delegated_key(uint8_t ecc_curve,
uint32_t key_bits,
uint8_t *key_buf,
size_t key_buf_size,
@ -453,7 +453,7 @@ Defined here:
uint32_t hash_algo);
psa_status_t
rss_delegated_attest_get_token(const uint8_t *dak_pub_hash,
rse_delegated_attest_get_token(const uint8_t *dak_pub_hash,
size_t dak_pub_hash_size,
uint8_t *token_buf,
size_t token_buf_size,
@ -462,7 +462,7 @@ Defined here:
Attestation flow
^^^^^^^^^^^^^^^^
.. figure:: ../resources/diagrams/rss_attestation_flow.svg
.. figure:: ../resources/diagrams/rse_attestation_flow.svg
:align: center
Sample attestation token
@ -623,27 +623,27 @@ JSON format:
"CCA_PLATFORM_VERIFICATION_SERVICE": "www.trustedfirmware.org"
}
RSS OTP Assets Management
RSE OTP Assets Management
-------------------------
RSS provides access for AP to assets in OTP, which include keys for image
RSE provides access for AP to assets in OTP, which include keys for image
signature verification and non-volatile counters for anti-rollback protection.
Non-Volatile Counter API
^^^^^^^^^^^^^^^^^^^^^^^^
AP/RSS interface for retrieving and incrementing non-volatile counters API is
AP/RSE interface for retrieving and incrementing non-volatile counters API is
as follows.
Defined here:
- ``include/lib/psa/rss_platform_api.h``
- ``include/lib/psa/rse_platform_api.h``
.. code-block:: c
psa_status_t rss_platform_nv_counter_increment(uint32_t counter_id)
psa_status_t rse_platform_nv_counter_increment(uint32_t counter_id)
psa_status_t rss_platform_nv_counter_read(uint32_t counter_id,
psa_status_t rse_platform_nv_counter_read(uint32_t counter_id,
uint32_t size, uint8_t *val)
Through this service, we can read/increment any of the 3 non-volatile
@ -656,15 +656,15 @@ counters used on an Arm CCA platform:
Public Key API
^^^^^^^^^^^^^^
AP/RSS interface for reading the ROTPK is as follows.
AP/RSE interface for reading the ROTPK is as follows.
Defined here:
- ``include/lib/psa/rss_platform_api.h``
- ``include/lib/psa/rse_platform_api.h``
.. code-block:: c
psa_status_t rss_platform_key_read(enum rss_key_id_builtin_t key,
psa_status_t rse_platform_key_read(enum rse_key_id_builtin_t key,
uint8_t *data, size_t data_size, size_t *data_length)
Through this service, we can read any of the 3 ROTPKs used on an
@ -677,11 +677,11 @@ Arm CCA platform:
References
----------
.. [1] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/readme.html
.. [2] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_comms.html
.. [1] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/readme.html
.. [2] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html
.. [3] https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/partitions/measured_boot/measured_boot_integration_guide.rst
.. [4] https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/partitions/delegated_attestation/delegated_attest_integration_guide.rst
.. [5] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_key_management.html
.. [5] https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_key_management.html
.. [6] https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93
.. [7] https://developer.arm.com/documentation/DEN0096/A_a/?lang=en

6
docs/porting-guide.rst
View file

@ -256,10 +256,10 @@ likely to be suitable for all platform ports.
Defines the maximum address in secure RAM that the BL31 image can occupy.
- **#define : PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE**
- **#define : PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE**
Defines the maximum message size between AP and RSS. Need to define if
platform supports RSS.
Defines the maximum message size between AP and RSE. Need to define if
platform supports RSE.
For every image, the platform must define individual identifiers that will be
used by BL1 or BL2 to load the corresponding image into memory from non-volatile

2
docs/resources/diagrams/plantuml/rss_attestation_flow.puml → docs/resources/diagrams/plantuml/rse_attestation_flow.puml
View file

@ -5,7 +5,7 @@ box AP
participant RMM
participant BL31
endbox
box RSS
box RSE
participant DelegAttest
participant InitAttest
participant MeasuredBoot

79
docs/resources/diagrams/plantuml/rse_measured_boot_flow.puml Normal file
View file

@ -0,0 +1,79 @@
@startuml
skinparam ParticipantPadding 10
skinparam BoxPadding 10
box RSE
participant RSE_BL1_1
participant RSE_BL1_2
participant RSE_BL2
participant RSE_S
endbox
box SCP
participant SCP_BL1
endbox
box AP
participant AP_BL1
participant AP_BL2
participant AP_BL31
endbox
== RSE Boot phase ==
-> RSE_BL1_1: Reset
Rnote over RSE_BL1_1: ROM code, XIP
Rnote over RSE_BL1_2: OTP code, XIP
Rnote over RSE_BL2, AP_BL31: Stored in flash, loaded and executed in RAM
activate RSE_BL1_1 #Green
RSE_BL1_1 -->> RSE_BL1_2: Validate, measure
Rnote over RSE_BL1_1: BL1_2 measurement\n\ saved to a shared buffer
RSE_BL1_1 -> RSE_BL1_2: Pass execution
deactivate RSE_BL1_1
activate RSE_BL1_2 #Green
RSE_BL1_2 -->> RSE_BL2: Validate, measure, load
Rnote over RSE_BL1_2: RSE_BL2 measurement\n\ saved to a shared buffer
RSE_BL1_2 -> RSE_BL2: Pass execution
deactivate RSE_BL1_2
activate RSE_BL2 #Green
RSE_BL2 -->> RSE_S: Validate, measure, load
RSE_BL2 -->> SCP_BL1: Validate, measure, load
Rnote over RSE_BL2: RSE_S and SCP_BL1\n\ measurements saved\n\ to a shared buffer
RSE_BL2 -> SCP_BL1: Release from reset
activate SCP_BL1 #Green
Rnote over RSE_BL2, SCP_BL1: MHU init between RSE and SCP
Rnote over SCP_BL1: Configure memory
Rnote over RSE_BL2: Waits for SCP
SCP_BL1 --> RSE_BL2: Done
RSE_BL2 -->> AP_BL1: Validate, measure, load
Rnote over RSE_BL2: AP_BL1 measurement\n\ saved to a shared buffer
RSE_BL2 -> AP_BL1: Release from reset
activate AP_BL1 #Green
RSE_BL2 -> RSE_S: Pass execution
deactivate RSE_BL2
activate RSE_S #Green
Rnote over RSE_S: Measurements read from\n\ shared buffer and saved by\n\
Measured Boot service to\n\ measurement slots.
== RSE Runtime / AP Boot phase ==
Rnote over RSE_S, AP_BL1: MHU init between RSE and AP
Rnote over AP_BL1: Measure and load:\n\ FW_CONFIG\n\ TB_FW_CONFIG
AP_BL1 -> RSE_S: Extend measurement
Rnote over RSE_S: Measured Boot:\n\ store measurement
AP_BL1 -->> AP_BL2: Validate, measure,load
AP_BL1 -> RSE_S: Extend measurement
Rnote over RSE_S: Measured Boot:\n\ store measurement
AP_BL1 -> AP_BL2: Pass execution
deactivate AP_BL1
activate AP_BL2 #Green
Rnote over AP_BL2: Measure and load:\n\ HW_CONFIG
AP_BL2 -> RSE_S: Extend measurement
Rnote over RSE_S: Measured Boot:\n\ store measurement
AP_BL2 -->> AP_BL31: Validate, measure,load
Rnote over AP_BL2: Measure and load:\n\ BL31
AP_BL2 -> RSE_S: Extend measurement
Rnote over RSE_S: Measured Boot:\n\ store measurement
Rnote over AP_BL2: Measure and load:\n\ RMM
AP_BL2 -> RSE_S: Extend measurement
Rnote over RSE_S: Measured Boot:\n\ store measurement
AP_BL2 -> AP_BL31: Pass execution
deactivate AP_BL2
activate AP_BL31 #Green
== RSE / AP Runtime ==
@enduml

79
docs/resources/diagrams/plantuml/rss_measured_boot_flow.puml
View file

@ -1,79 +0,0 @@
@startuml
skinparam ParticipantPadding 10
skinparam BoxPadding 10
box RSS
participant RSS_BL1_1
participant RSS_BL1_2
participant RSS_BL2
participant RSS_S
endbox
box SCP
participant SCP_BL1
endbox
box AP
participant AP_BL1
participant AP_BL2
participant AP_BL31
endbox
== RSS Boot phase ==
-> RSS_BL1_1: Reset
Rnote over RSS_BL1_1: ROM code, XIP
Rnote over RSS_BL1_2: OTP code, XIP
Rnote over RSS_BL2, AP_BL31: Stored in flash, loaded and executed in RAM
activate RSS_BL1_1 #Green
RSS_BL1_1 -->> RSS_BL1_2: Validate, measure
Rnote over RSS_BL1_1: BL1_2 measurement\n\ saved to a shared buffer
RSS_BL1_1 -> RSS_BL1_2: Pass execution
deactivate RSS_BL1_1
activate RSS_BL1_2 #Green
RSS_BL1_2 -->> RSS_BL2: Validate, measure, load
Rnote over RSS_BL1_2: RSS_BL2 measurement\n\ saved to a shared buffer
RSS_BL1_2 -> RSS_BL2: Pass execution
deactivate RSS_BL1_2
activate RSS_BL2 #Green
RSS_BL2 -->> RSS_S: Validate, measure, load
RSS_BL2 -->> SCP_BL1: Validate, measure, load
Rnote over RSS_BL2: RSS_S and SCP_BL1\n\ measurements saved\n\ to a shared buffer
RSS_BL2 -> SCP_BL1: Release from reset
activate SCP_BL1 #Green
Rnote over RSS_BL2, SCP_BL1: MHU init between RSS and SCP
Rnote over SCP_BL1: Configure memory
Rnote over RSS_BL2: Waits for SCP
SCP_BL1 --> RSS_BL2: Done
RSS_BL2 -->> AP_BL1: Validate, measure, load
Rnote over RSS_BL2: AP_BL1 measurement\n\ saved to a shared buffer
RSS_BL2 -> AP_BL1: Release from reset
activate AP_BL1 #Green
RSS_BL2 -> RSS_S: Pass execution
deactivate RSS_BL2
activate RSS_S #Green
Rnote over RSS_S: Measurements read from\n\ shared buffer and saved by\n\
Measured Boot service to\n\ measurement slots.
== RSS Runtime / AP Boot phase ==
Rnote over RSS_S, AP_BL1: MHU init between RSS and AP
Rnote over AP_BL1: Measure and load:\n\ FW_CONFIG\n\ TB_FW_CONFIG
AP_BL1 -> RSS_S: Extend measurement
Rnote over RSS_S: Measured Boot:\n\ store measurement
AP_BL1 -->> AP_BL2: Validate, measure,load
AP_BL1 -> RSS_S: Extend measurement
Rnote over RSS_S: Measured Boot:\n\ store measurement
AP_BL1 -> AP_BL2: Pass execution
deactivate AP_BL1
activate AP_BL2 #Green
Rnote over AP_BL2: Measure and load:\n\ HW_CONFIG
AP_BL2 -> RSS_S: Extend measurement
Rnote over RSS_S: Measured Boot:\n\ store measurement
AP_BL2 -->> AP_BL31: Validate, measure,load
Rnote over AP_BL2: Measure and load:\n\ BL31
AP_BL2 -> RSS_S: Extend measurement
Rnote over RSS_S: Measured Boot:\n\ store measurement
Rnote over AP_BL2: Measure and load:\n\ RMM
AP_BL2 -> RSS_S: Extend measurement
Rnote over RSS_S: Measured Boot:\n\ store measurement
AP_BL2 -> AP_BL31: Pass execution
deactivate AP_BL2
activate AP_BL31 #Green
== RSS / AP Runtime ==
@enduml

12
docs/resources/diagrams/plantuml/tfa_rss_dfd.puml → docs/resources/diagrams/plantuml/tfa_rse_dfd.puml
View file

@ -5,7 +5,7 @@
'/
/'
TF-A Data Flow Diagram including RSS
TF-A Data Flow Diagram including RSE
'/
@startuml
@ -54,12 +54,12 @@ digraph tfa_dfd {
bl31 [label="TF-A Runtime\n(BL31)" fillcolor="#ddffb3"]
}
# RSS cluster
subgraph cluster_rss{
label ="RSS";
# RSE cluster
subgraph cluster_rse{
label ="RSE";
graph [style=filled color="#000000" fillcolor="#faf9cd"]
rss [label="Runtime Security\n\ Subsystem\n\ (RSS)" fillcolor="#ddffb3"]
rse [label="Runtime Security\n\ Subsystem\n\ (RSE)" fillcolor="#ddffb3"]
}
}
@ -70,7 +70,7 @@ digraph tfa_dfd {
sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
bl2 -> tzc [dir="both" ltail=cluster_tfa lhead=cluster_ip label="DF6" minlen=1]
bl31 -> rss [dir="both" ltail=cluster_tfa lhead=cluster_rss label="DF7" minlen=1]
bl31 -> rse [dir="both" ltail=cluster_tfa lhead=cluster_rse label="DF7" minlen=1]
}

4
docs/resources/diagrams/rss_attestation_flow.svg → docs/resources/diagrams/rse_attestation_flow.svg
View file

File diff suppressed because one or more lines are too long
Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 18 KiB

98
docs/resources/diagrams/rss_measured_boot_flow.svg → docs/resources/diagrams/rse_measured_boot_flow.svg
View file

File diff suppressed because one or more lines are too long
Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 29 KiB

After

Width:  |  Height:  |  Size: 29 KiB

2
docs/threat_model/firmware_threat_model/index.rst
View file

@ -30,7 +30,7 @@ data flow diagram, as well as a list of threats we have identified using the
threat_model
threat_model_el3_spm
threat_model_fvp_r
threat_model_rss_interface
threat_model_rse_interface
threat_model_arm_cca
threat_model_fw_update_and_recovery

28
docs/threat_model/firmware_threat_model/threat_model_rss_interface.rst → docs/threat_model/firmware_threat_model/threat_model_rse_interface.rst
View file

@ -1,41 +1,41 @@
Threat Model for RSS - AP interface
Threat Model for RSE - AP interface
***********************************
************
Introduction
************
This document is an extension for the general TF-A threat-model. It considers
those platforms where a Runtime Security Subsystem (RSS) is included in the SoC
those platforms where a Runtime Security Engine (RSE) is included in the SoC
next to the Application Processor (AP).
********************
Target of Evaluation
********************
The scope of this threat model only includes the interface between the RSS and
The scope of this threat model only includes the interface between the RSE and
AP. Otherwise, the TF-A :ref:`Generic Threat Model` document is applicable for
the AP core. The threat model for the RSS firmware will be provided by the RSS
the AP core. The threat model for the RSE firmware will be provided by the RSE
firmware project in the future.
Data Flow Diagram
=================
This diagram is different only from the general TF-A data flow diagram in that
it includes the RSS and highlights the interface between the AP and the RSS
cores. The interface description only focuses on the AP-RSS interface the rest
it includes the RSE and highlights the interface between the AP and the RSE
cores. The interface description only focuses on the AP-RSE interface the rest
is the same as in the general TF-A threat-model document.
.. uml:: ../../resources/diagrams/plantuml/tfa_rss_dfd.puml
:caption: Figure 1: TF-A Data Flow Diagram including RSS
.. uml:: ../../resources/diagrams/plantuml/tfa_rse_dfd.puml
:caption: Figure 1: TF-A Data Flow Diagram including RSE
.. table:: Table 1: TF-A - RSS data flow diagram
.. table:: Table 1: TF-A - RSE data flow diagram
+-----------------+--------------------------------------------------------+
| Diagram Element | Description |
+=================+========================================================+
| DF7 | | Boot images interact with RSS over a communication |
| DF7 | | Boot images interact with RSE over a communication |
| | channel to record boot measurements and get image |
| | verification keys. At runtime, BL31 obtains the |
| | realm world attestation signing key from RSS. |
| | realm world attestation signing key from RSE. |
+-----------------+--------------------------------------------------------+
Threat Assessment
@ -44,12 +44,12 @@ For this section, please reference the Threat Assessment under the general TF-A
threat-model document, :ref:`Generic Threat Model`. All the threats listed there
are applicable for the AP core, here only the differences are highlighted.
- ID 11: The access to the communication interface between AP and RSS is
- ID 11: The access to the communication interface between AP and RSE is
allowed only for firmware running at EL3. Accidentally exposing this
interface to NSCode can allow malicious code to interact with RSS and
interface to NSCode can allow malicious code to interact with RSE and
gain access to sensitive data.
- ID 13: Relevant in the context of the realm attestation key, which can be
retrieved by BL31 through DF7. The RSS communication protocol layer
retrieved by BL31 through DF7. The RSE communication protocol layer
mitigates against this by clearing its internal buffer when reply is
received. The caller of the API must do the same if data is not needed
anymore.

2
docs/threat_model/supply_chain_threat_model.rst
View file

@ -115,7 +115,7 @@ description of each component and where they are sourced from.
- *EDK2 UEFI*: Normal world bootloader from the EDK2 project [7]_. We use EDK2
UEFI binaries hosted on tf.org servers for testing [8]_.
Other software components used to test TF-A include U-Boot, Linux kernel, RSS,
Other software components used to test TF-A include U-Boot, Linux kernel, RSE,
MCP, and file systems, all sourced from the Arm Reference Platforms teams.
TF-A Toolchain

48
drivers/arm/rss/rss_comms.c → drivers/arm/rse/rse_comms.c
View file

@ -9,16 +9,16 @@
#include <common/debug.h>
#include <drivers/arm/mhu.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <psa/client.h>
#include <rss_comms_protocol.h>
#include <rse_comms_protocol.h>
/* Union as message space and reply space are never used at the same time, and this saves space as
* we can overlap them.
*/
union __packed __attribute__((aligned(4))) rss_comms_io_buffer_t {
struct serialized_rss_comms_msg_t msg;
struct serialized_rss_comms_reply_t reply;
union __packed __attribute__((aligned(4))) rse_comms_io_buffer_t {
struct serialized_rse_comms_msg_t msg;
struct serialized_rse_comms_reply_t reply;
};
static uint8_t select_protocol_version(const psa_invec *in_vec, size_t in_len,
@ -40,13 +40,13 @@ static uint8_t select_protocol_version(const psa_invec *in_vec, size_t in_len,
comms_mhu_msg_size = mhu_get_max_message_size();
comms_embed_msg_min_size = sizeof(struct serialized_rss_comms_header_t) +
sizeof(struct rss_embed_msg_t) -
PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE;
comms_embed_msg_min_size = sizeof(struct serialized_rse_comms_header_t) +
sizeof(struct rse_embed_msg_t) -
PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE;
comms_embed_reply_min_size = sizeof(struct serialized_rss_comms_header_t) +
sizeof(struct rss_embed_reply_t) -
PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE;
comms_embed_reply_min_size = sizeof(struct serialized_rse_comms_header_t) +
sizeof(struct rse_embed_reply_t) -
PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE;
/* Use embed if we can pack into one message and reply, else use
* pointer_access. The underlying MHU transport protocol uses a
@ -63,9 +63,9 @@ static uint8_t select_protocol_version(const psa_invec *in_vec, size_t in_len,
comms_mhu_msg_size - sizeof(uint32_t)) ||
(comms_embed_reply_min_size + out_size_total >
comms_mhu_msg_size - sizeof(uint32_t))) {
return RSS_COMMS_PROTOCOL_POINTER_ACCESS;
return RSE_COMMS_PROTOCOL_POINTER_ACCESS;
} else {
return RSS_COMMS_PROTOCOL_EMBED;
return RSE_COMMS_PROTOCOL_EMBED;
}
}
@ -75,7 +75,7 @@ psa_status_t psa_call(psa_handle_t handle, int32_t type, const psa_invec *in_vec
/* Declared statically to avoid using huge amounts of stack space. Maybe revisit if
* functions not being reentrant becomes a problem.
*/
static union rss_comms_io_buffer_t io_buf;
static union rse_comms_io_buffer_t io_buf;
enum mhu_error_t err;
psa_status_t status;
static uint8_t seq_num = 1U;
@ -94,13 +94,13 @@ psa_status_t psa_call(psa_handle_t handle, int32_t type, const psa_invec *in_vec
io_buf.msg.header.client_id = 1U,
io_buf.msg.header.protocol_ver = select_protocol_version(in_vec, in_len, out_vec, out_len);
status = rss_protocol_serialize_msg(handle, type, in_vec, in_len, out_vec,
status = rse_protocol_serialize_msg(handle, type, in_vec, in_len, out_vec,
out_len, &io_buf.msg, &msg_size);
if (status != PSA_SUCCESS) {
return status;
}
VERBOSE("[RSS-COMMS] Sending message\n");
VERBOSE("[RSE-COMMS] Sending message\n");
VERBOSE("protocol_ver=%u\n", io_buf.msg.header.protocol_ver);
VERBOSE("seq_num=%u\n", io_buf.msg.header.seq_num);
VERBOSE("client_id=%u\n", io_buf.msg.header.client_id);
@ -117,7 +117,7 @@ psa_status_t psa_call(psa_handle_t handle, int32_t type, const psa_invec *in_vec
#if DEBUG
/*
* Poisoning the message buffer (with a known pattern).
* Helps in detecting hypothetical RSS communication bugs.
* Helps in detecting hypothetical RSE communication bugs.
*/
memset(&io_buf.msg, 0xA5, msg_size);
#endif
@ -127,12 +127,12 @@ psa_status_t psa_call(psa_handle_t handle, int32_t type, const psa_invec *in_vec
return PSA_ERROR_COMMUNICATION_FAILURE;
}
VERBOSE("[RSS-COMMS] Received reply\n");
VERBOSE("[RSE-COMMS] Received reply\n");
VERBOSE("protocol_ver=%u\n", io_buf.reply.header.protocol_ver);
VERBOSE("seq_num=%u\n", io_buf.reply.header.seq_num);
VERBOSE("client_id=%u\n", io_buf.reply.header.client_id);
status = rss_protocol_deserialize_reply(out_vec, out_len, &return_val,
status = rse_protocol_deserialize_reply(out_vec, out_len, &return_val,
&io_buf.reply, reply_size);
if (status != PSA_SUCCESS) {
return status;
@ -152,16 +152,16 @@ psa_status_t psa_call(psa_handle_t handle, int32_t type, const psa_invec *in_vec
return return_val;
}
int rss_comms_init(uintptr_t mhu_sender_base, uintptr_t mhu_receiver_base)
int rse_comms_init(uintptr_t mhu_sender_base, uintptr_t mhu_receiver_base)
{
enum mhu_error_t err;
err = mhu_init_sender(mhu_sender_base);
if (err != MHU_ERR_NONE) {
if (err == MHU_ERR_ALREADY_INIT) {
INFO("[RSS-COMMS] Host to RSS MHU driver already initialized\n");
INFO("[RSE-COMMS] Host to RSE MHU driver already initialized\n");
} else {
ERROR("[RSS-COMMS] Host to RSS MHU driver initialization failed: %d\n", err);
ERROR("[RSE-COMMS] Host to RSE MHU driver initialization failed: %d\n", err);
return -1;
}
}
@ -169,9 +169,9 @@ int rss_comms_init(uintptr_t mhu_sender_base, uintptr_t mhu_receiver_base)
err = mhu_init_receiver(mhu_receiver_base);
if (err != MHU_ERR_NONE) {
if (err == MHU_ERR_ALREADY_INIT) {
INFO("[RSS-COMMS] RSS to Host MHU driver already initialized\n");
INFO("[RSE-COMMS] RSE to Host MHU driver already initialized\n");
} else {
ERROR("[RSS-COMMS] RSS to Host MHU driver initialization failed: %d\n", err);
ERROR("[RSE-COMMS] RSE to Host MHU driver initialization failed: %d\n", err);
return -1;
}
}

18
drivers/arm/rss/rss_comms.mk → drivers/arm/rse/rse_comms.mk
View file

@ -4,25 +4,25 @@
# SPDX-License-Identifier: BSD-3-Clause
#
$(warning "RSS driver is an experimental feature")
$(warning "RSE driver is an experimental feature")
RSS_COMMS_SOURCES := $(addprefix drivers/arm/rss/, \
rss_comms.c \
rss_comms_protocol.c \
rss_comms_protocol_embed.c \
rss_comms_protocol_pointer_access.c \
RSE_COMMS_SOURCES := $(addprefix drivers/arm/rse/, \
rse_comms.c \
rse_comms_protocol.c \
rse_comms_protocol_embed.c \
rse_comms_protocol_pointer_access.c \
)
# Default to MHUv2 if PLAT_MHU_VERSION undefined
PLAT_MHU_VERSION ?= 2
ifeq (${PLAT_MHU_VERSION}, 3)
RSS_COMMS_SOURCES += $(addprefix drivers/arm/mhu/, \
RSE_COMMS_SOURCES += $(addprefix drivers/arm/mhu/, \
mhu_v3_x.c \
mhu_wrapper_v3_x.c \
)
else ifeq (${PLAT_MHU_VERSION}, 2)
RSS_COMMS_SOURCES += $(addprefix drivers/arm/mhu/, \
RSE_COMMS_SOURCES += $(addprefix drivers/arm/mhu/, \
mhu_v2_x.c \
mhu_wrapper_v2_x.c \
)
@ -30,5 +30,5 @@ else
$(error Unsupported MHU version)
endif
PLAT_INCLUDES += -Idrivers/arm/rss \
PLAT_INCLUDES += -Idrivers/arm/rse \
-Idrivers/arm/mhu

28
drivers/arm/rss/rss_comms_protocol.c → drivers/arm/rse/rse_comms_protocol.c
View file

@ -7,15 +7,15 @@
#include <assert.h>
#include <common/debug.h>
#include "rss_comms_protocol.h"
#include "rse_comms_protocol.h"
psa_status_t rss_protocol_serialize_msg(psa_handle_t handle,
psa_status_t rse_protocol_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct serialized_rss_comms_msg_t *msg,
struct serialized_rse_comms_msg_t *msg,
size_t *msg_len)
{
psa_status_t status;
@ -25,15 +25,15 @@ psa_status_t rss_protocol_serialize_msg(psa_handle_t handle,
assert(in_vec != NULL);
switch (msg->header.protocol_ver) {
case RSS_COMMS_PROTOCOL_EMBED:
status = rss_protocol_embed_serialize_msg(handle, type, in_vec, in_len, out_vec,
case RSE_COMMS_PROTOCOL_EMBED:
status = rse_protocol_embed_serialize_msg(handle, type, in_vec, in_len, out_vec,
out_len, &msg->msg.embed, msg_len);
if (status != PSA_SUCCESS) {
return status;
}
break;
case RSS_COMMS_PROTOCOL_POINTER_ACCESS:
status = rss_protocol_pointer_access_serialize_msg(handle, type, in_vec, in_len,
case RSE_COMMS_PROTOCOL_POINTER_ACCESS:
status = rse_protocol_pointer_access_serialize_msg(handle, type, in_vec, in_len,
out_vec, out_len,
&msg->msg.pointer_access,
msg_len);
@ -45,26 +45,26 @@ psa_status_t rss_protocol_serialize_msg(psa_handle_t handle,
return PSA_ERROR_NOT_SUPPORTED;
}
*msg_len += sizeof(struct serialized_rss_comms_header_t);
*msg_len += sizeof(struct serialized_rse_comms_header_t);
return PSA_SUCCESS;
}
psa_status_t rss_protocol_deserialize_reply(psa_outvec *out_vec,
psa_status_t rse_protocol_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct serialized_rss_comms_reply_t *reply,
const struct serialized_rse_comms_reply_t *reply,
size_t reply_size)
{
assert(reply != NULL);
assert(return_val != NULL);
switch (reply->header.protocol_ver) {
case RSS_COMMS_PROTOCOL_EMBED:
return rss_protocol_embed_deserialize_reply(out_vec, out_len, return_val,
case RSE_COMMS_PROTOCOL_EMBED:
return rse_protocol_embed_deserialize_reply(out_vec, out_len, return_val,
&reply->reply.embed, reply_size);
case RSS_COMMS_PROTOCOL_POINTER_ACCESS:
return rss_protocol_pointer_access_deserialize_reply(out_vec, out_len, return_val,
case RSE_COMMS_PROTOCOL_POINTER_ACCESS:
return rse_protocol_pointer_access_deserialize_reply(out_vec, out_len, return_val,
&reply->reply.pointer_access,
reply_size);
default:

67
drivers/arm/rse/rse_comms_protocol.h Normal file
View file

@ -0,0 +1,67 @@
/*
* Copyright (c) 2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
#ifndef __RSE_COMMS_PROTOCOL_H__
#define __RSE_COMMS_PROTOCOL_H__
#include <cdefs.h>
#include <stdint.h>
#include <psa/client.h>
#include "rse_comms_protocol_embed.h"
#include "rse_comms_protocol_pointer_access.h"
enum rse_comms_protocol_version_t {
RSE_COMMS_PROTOCOL_EMBED = 0,
RSE_COMMS_PROTOCOL_POINTER_ACCESS = 1,
};
struct __packed serialized_rse_comms_header_t {
uint8_t protocol_ver;
uint8_t seq_num;
uint16_t client_id;
};
/* MHU message passed from Host to RSE to deliver a PSA client call */
struct __packed serialized_rse_comms_msg_t {
struct serialized_rse_comms_header_t header;
union __packed {
struct rse_embed_msg_t embed;
struct rse_pointer_access_msg_t pointer_access;
} msg;
};
/* MHU reply message to hold the PSA client reply result returned by RSE */
struct __packed serialized_rse_comms_reply_t {
struct serialized_rse_comms_header_t header;
union __packed {
struct rse_embed_reply_t embed;
struct rse_pointer_access_reply_t pointer_access;
} reply;
};
/* in_len and out_len are uint8_ts, therefore if there are more than 255 iovecs
* an error may occur.
*/
CASSERT(PSA_MAX_IOVEC <= UINT8_MAX, assert_rse_comms_max_iovec_too_large);
psa_status_t rse_protocol_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct serialized_rse_comms_msg_t *msg,
size_t *msg_len);
psa_status_t rse_protocol_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct serialized_rse_comms_reply_t *reply,
size_t reply_size);
#endif /* __RSE_COMMS_PROTOCOL_H__ */

6
drivers/arm/rss/rss_comms_protocol_common.h → drivers/arm/rse/rse_comms_protocol_common.h
View file

@ -17,8 +17,8 @@
* Res: Reserved.
*/
#ifndef RSS_COMMS_PROTOCOL_COMMON
#define RSS_COMMS_PROTOCOL_COMMON
#ifndef RSE_COMMS_PROTOCOL_COMMON
#define RSE_COMMS_PROTOCOL_COMMON
#define TYPE_OFFSET (0U)
#define TYPE_MASK (0xFFFFUL << TYPE_OFFSET)
@ -32,4 +32,4 @@
((((uint32_t)(in_len)) << IN_LEN_OFFSET) & IN_LEN_MASK) | \
((((uint32_t)(out_len)) << OUT_LEN_OFFSET) & OUT_LEN_MASK))
#endif /* RSS_COMMS_PROTOCOL_COMMON */
#endif /* RSE_COMMS_PROTOCOL_COMMON */

12
drivers/arm/rss/rss_comms_protocol_embed.c → drivers/arm/rse/rse_comms_protocol_embed.c
View file

@ -9,16 +9,16 @@
#include <string.h>
#include <common/debug.h>
#include "rss_comms_protocol_common.h"
#include "rss_comms_protocol_embed.h"
#include "rse_comms_protocol_common.h"
#include "rse_comms_protocol_embed.h"
psa_status_t rss_protocol_embed_serialize_msg(psa_handle_t handle,
psa_status_t rse_protocol_embed_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct rss_embed_msg_t *msg,
struct rse_embed_msg_t *msg,
size_t *msg_len)
{
uint32_t payload_size = 0;
@ -55,10 +55,10 @@ psa_status_t rss_protocol_embed_serialize_msg(psa_handle_t handle,
return PSA_SUCCESS;
}
psa_status_t rss_protocol_embed_deserialize_reply(psa_outvec *out_vec,
psa_status_t rse_protocol_embed_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct rss_embed_reply_t *reply,
const struct rse_embed_reply_t *reply,
size_t reply_size)
{
uint32_t payload_offset = 0;

22
drivers/arm/rss/rss_comms_protocol_embed.h → drivers/arm/rse/rse_comms_protocol_embed.h
View file

@ -5,8 +5,8 @@
*
*/
#ifndef __RSS_COMMS_PROTOCOL_EMBED_H__
#define __RSS_COMMS_PROTOCOL_EMBED_H__
#ifndef __RSE_COMMS_PROTOCOL_EMBED_H__
#define __RSE_COMMS_PROTOCOL_EMBED_H__
#include <cdefs.h>
@ -16,32 +16,32 @@
struct __packed rss_embed_msg_t {
struct __packed rse_embed_msg_t {
psa_handle_t handle;
uint32_t ctrl_param; /* type, in_len, out_len */
uint16_t io_size[PSA_MAX_IOVEC];
uint8_t trailer[PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE];
uint8_t trailer[PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE];
};
struct __packed rss_embed_reply_t {
struct __packed rse_embed_reply_t {
int32_t return_val;
uint16_t out_size[PSA_MAX_IOVEC];
uint8_t trailer[PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE];
uint8_t trailer[PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE];
};
psa_status_t rss_protocol_embed_serialize_msg(psa_handle_t handle,
psa_status_t rse_protocol_embed_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct rss_embed_msg_t *msg,
struct rse_embed_msg_t *msg,
size_t *msg_len);
psa_status_t rss_protocol_embed_deserialize_reply(psa_outvec *out_vec,
psa_status_t rse_protocol_embed_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct rss_embed_reply_t *reply,
const struct rse_embed_reply_t *reply,
size_t reply_size);
#endif /* __RSS_COMMS_PROTOCOL_EMBED_H__ */
#endif /* __RSE_COMMS_PROTOCOL_EMBED_H__ */

12
drivers/arm/rss/rss_comms_protocol_pointer_access.c → drivers/arm/rse/rse_comms_protocol_pointer_access.c
View file

@ -6,16 +6,16 @@
*/
#include <assert.h>
#include "rss_comms_protocol_common.h"
#include "rss_comms_protocol_pointer_access.h"
#include "rse_comms_protocol_common.h"
#include "rse_comms_protocol_pointer_access.h"
psa_status_t rss_protocol_pointer_access_serialize_msg(psa_handle_t handle,
psa_status_t rse_protocol_pointer_access_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct rss_pointer_access_msg_t *msg,
struct rse_pointer_access_msg_t *msg,
size_t *msg_len)
{
unsigned int i;
@ -42,10 +42,10 @@ psa_status_t rss_protocol_pointer_access_serialize_msg(psa_handle_t handle,
return PSA_SUCCESS;
}
psa_status_t rss_protocol_pointer_access_deserialize_reply(psa_outvec *out_vec,
psa_status_t rse_protocol_pointer_access_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct rss_pointer_access_reply_t *reply,
const struct rse_pointer_access_reply_t *reply,
size_t reply_size)
{
unsigned int i;

18
drivers/arm/rss/rss_comms_protocol_pointer_access.h → drivers/arm/rse/rse_comms_protocol_pointer_access.h
View file

@ -5,38 +5,38 @@
*
*/
#ifndef __RSS_COMMS_PROTOCOL_POINTER_ACCESS_H__
#define __RSS_COMMS_PROTOCOL_POINTER_ACCESS_H__
#ifndef __RSE_COMMS_PROTOCOL_POINTER_ACCESS_H__
#define __RSE_COMMS_PROTOCOL_POINTER_ACCESS_H__
#include <cdefs.h>
#include <psa/client.h>
struct __packed rss_pointer_access_msg_t {
struct __packed rse_pointer_access_msg_t {
psa_handle_t handle;
uint32_t ctrl_param;
uint32_t io_sizes[PSA_MAX_IOVEC];
uint64_t host_ptrs[PSA_MAX_IOVEC];
};
struct __packed rss_pointer_access_reply_t {
struct __packed rse_pointer_access_reply_t {
int32_t return_val;
uint32_t out_sizes[PSA_MAX_IOVEC];
};
psa_status_t rss_protocol_pointer_access_serialize_msg(psa_handle_t handle,
psa_status_t rse_protocol_pointer_access_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct rss_pointer_access_msg_t *msg,
struct rse_pointer_access_msg_t *msg,
size_t *msg_len);
psa_status_t rss_protocol_pointer_access_deserialize_reply(psa_outvec *out_vec,
psa_status_t rse_protocol_pointer_access_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct rss_pointer_access_reply_t *reply,
const struct rse_pointer_access_reply_t *reply,
size_t reply_size);
#endif /* __RSS_COMMS_PROTOCOL_POINTER_ACCESS_H__ */
#endif /* __RSE_COMMS_PROTOCOL_POINTER_ACCESS_H__ */

67
drivers/arm/rss/rss_comms_protocol.h
View file

@ -1,67 +0,0 @@
/*
* Copyright (c) 2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
#ifndef __RSS_COMMS_PROTOCOL_H__
#define __RSS_COMMS_PROTOCOL_H__
#include <cdefs.h>
#include <stdint.h>
#include <psa/client.h>
#include "rss_comms_protocol_embed.h"
#include "rss_comms_protocol_pointer_access.h"
enum rss_comms_protocol_version_t {
RSS_COMMS_PROTOCOL_EMBED = 0,
RSS_COMMS_PROTOCOL_POINTER_ACCESS = 1,
};
struct __packed serialized_rss_comms_header_t {
uint8_t protocol_ver;
uint8_t seq_num;
uint16_t client_id;
};
/* MHU message passed from Host to RSS to deliver a PSA client call */
struct __packed serialized_rss_comms_msg_t {
struct serialized_rss_comms_header_t header;
union __packed {
struct rss_embed_msg_t embed;
struct rss_pointer_access_msg_t pointer_access;
} msg;
};
/* MHU reply message to hold the PSA client reply result returned by RSS */
struct __packed serialized_rss_comms_reply_t {
struct serialized_rss_comms_header_t header;
union __packed {
struct rss_embed_reply_t embed;
struct rss_pointer_access_reply_t pointer_access;
} reply;
};
/* in_len and out_len are uint8_ts, therefore if there are more than 255 iovecs
* an error may occur.
*/
CASSERT(PSA_MAX_IOVEC <= UINT8_MAX, assert_rss_comms_max_iovec_too_large);
psa_status_t rss_protocol_serialize_msg(psa_handle_t handle,
int16_t type,
const psa_invec *in_vec,
uint8_t in_len,
const psa_outvec *out_vec,
uint8_t out_len,
struct serialized_rss_comms_msg_t *msg,
size_t *msg_len);
psa_status_t rss_protocol_deserialize_reply(psa_outvec *out_vec,
uint8_t out_len,
psa_status_t *return_val,
const struct serialized_rss_comms_reply_t *reply,
size_t reply_size);
#endif /* __RSS_COMMS_PROTOCOL_H__ */

2
drivers/measured_boot/rss/dice_prot_env.c → drivers/measured_boot/rse/dice_prot_env.c
View file

@ -13,7 +13,7 @@
#include <common/debug.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/measured_boot/rss/dice_prot_env.h>
#include <drivers/measured_boot/rse/dice_prot_env.h>
#include <lib/cassert.h>
#include <lib/psa/dice_protection_environment.h>

2
drivers/measured_boot/rss/dice_prot_env.mk → drivers/measured_boot/rse/dice_prot_env.mk
View file

@ -26,4 +26,4 @@ $(eval $(call add_defines,\
DPE_DIGEST_SIZE \
)))
DPE_SOURCES += drivers/measured_boot/rss/dice_prot_env.c
DPE_SOURCES += drivers/measured_boot/rse/dice_prot_env.c

0
drivers/measured_boot/rss/qcbor.mk → drivers/measured_boot/rse/qcbor.mk
View file

18
drivers/measured_boot/rss/rss_measured_boot.c → drivers/measured_boot/rse/rse_measured_boot.c
View file

@ -9,7 +9,7 @@
#include <common/debug.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/measured_boot/rss/rss_measured_boot.h>
#include <drivers/measured_boot/rse/rse_measured_boot.h>
#include <lib/psa/measured_boot.h>
#include <psa/crypto_types.h>
#include <psa/crypto_values.h>
@ -46,12 +46,12 @@ static bool null_arr(const uint8_t *signer_id, size_t signer_id_size)
#endif /* ENABLE_ASSERTIONS */
/* Functions' declarations */
void rss_measured_boot_init(struct rss_mboot_metadata *metadata_ptr)
void rse_measured_boot_init(struct rse_mboot_metadata *metadata_ptr)
{
assert(metadata_ptr != NULL);
/* Init the non-const members of the metadata structure */
while (metadata_ptr->id != RSS_MBOOT_INVALID_ID) {
while (metadata_ptr->id != RSE_MBOOT_INVALID_ID) {
assert(null_arr(metadata_ptr->signer_id, MBOOT_DIGEST_SIZE));
metadata_ptr->sw_type_size =
strlen((const char *)&metadata_ptr->sw_type) + 1;
@ -59,7 +59,7 @@ void rss_measured_boot_init(struct rss_mboot_metadata *metadata_ptr)
}
}
int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr,
int rse_mboot_measure_and_record(struct rse_mboot_metadata *metadata_ptr,
uintptr_t data_base, uint32_t data_size,
uint32_t data_id)
{
@ -70,13 +70,13 @@ int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr,
assert(metadata_ptr != NULL);
/* Get the metadata associated with this image. */
while ((metadata_ptr->id != RSS_MBOOT_INVALID_ID) &&
while ((metadata_ptr->id != RSE_MBOOT_INVALID_ID) &&
(metadata_ptr->id != data_id)) {
metadata_ptr++;
}
/* If image is not present in metadata array then skip */
if (metadata_ptr->id == RSS_MBOOT_INVALID_ID) {
if (metadata_ptr->id == RSE_MBOOT_INVALID_ID) {
return 0;
}
@ -87,7 +87,7 @@ int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr,
return rc;
}
ret = rss_measured_boot_extend_measurement(
ret = rse_measured_boot_extend_measurement(
metadata_ptr->slot,
metadata_ptr->signer_id,
metadata_ptr->signer_id_size,
@ -106,7 +106,7 @@ int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr,
return 0;
}
int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr,
int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
const void *pk_oid,
const void *pk_ptr,
size_t pk_len)
@ -125,7 +125,7 @@ int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr,
* The platform may decide not to measure all of the images
* in the system.
*/
while (metadata_ptr->id != RSS_MBOOT_INVALID_ID) {
while (metadata_ptr->id != RSE_MBOOT_INVALID_ID) {
/* Get the metadata associated with this key-oid */
if (metadata_ptr->pk_oid == pk_oid) {
if (hash_calc_done == false) {

14
drivers/measured_boot/rss/rss_measured_boot.mk → drivers/measured_boot/rse/rse_measured_boot.mk
View file

@ -6,27 +6,27 @@
# Hash algorithm for measured boot
# SHA-256 (or stronger) is required.
MBOOT_RSS_HASH_ALG := sha256
MBOOT_RSE_HASH_ALG := sha256
ifeq (${MBOOT_RSS_HASH_ALG}, sha512)
ifeq (${MBOOT_RSE_HASH_ALG}, sha512)
MBOOT_ALG_ID := MBOOT_ALG_SHA512
MBOOT_DIGEST_SIZE := 64U
else ifeq (${MBOOT_RSS_HASH_ALG}, sha384)
else ifeq (${MBOOT_RSE_HASH_ALG}, sha384)
MBOOT_ALG_ID := MBOOT_ALG_SHA384
MBOOT_DIGEST_SIZE := 48U
else
MBOOT_ALG_ID := MBOOT_ALG_SHA256
MBOOT_DIGEST_SIZE := 32U
endif #MBOOT_RSS_HASH_ALG
endif #MBOOT_RSE_HASH_ALG
# Set definitions for Measured Boot driver.
$(eval $(call add_defines,\
$(sort \
MBOOT_ALG_ID \
MBOOT_DIGEST_SIZE \
MBOOT_RSS_BACKEND \
MBOOT_RSE_BACKEND \
)))
MEASURED_BOOT_SRC_DIR := drivers/measured_boot/rss/
MEASURED_BOOT_SRC_DIR := drivers/measured_boot/rse/
MEASURED_BOOT_SOURCES += ${MEASURED_BOOT_SRC_DIR}rss_measured_boot.c
MEASURED_BOOT_SOURCES += ${MEASURED_BOOT_SRC_DIR}rse_measured_boot.c

8
include/drivers/arm/rss_comms.h → include/drivers/arm/rse_comms.h
View file

@ -5,11 +5,11 @@
*
*/
#ifndef RSS_COMMS_H
#define RSS_COMMS_H
#ifndef RSE_COMMS_H
#define RSE_COMMS_H
#include <stdint.h>
int rss_comms_init(uintptr_t mhu_sender_base, uintptr_t mhu_receiver_base);
int rse_comms_init(uintptr_t mhu_sender_base, uintptr_t mhu_receiver_base);
#endif /* RSS_COMMS_H */
#endif /* RSE_COMMS_H */

0
include/drivers/measured_boot/rss/dice_prot_env.h → include/drivers/measured_boot/rse/dice_prot_env.h
View file

16
include/drivers/measured_boot/rss/rss_measured_boot.h → include/drivers/measured_boot/rse/rse_measured_boot.h
View file

@ -4,17 +4,17 @@
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef RSS_MEASURED_BOOT_H
#define RSS_MEASURED_BOOT_H
#ifndef RSE_MEASURED_BOOT_H
#define RSE_MEASURED_BOOT_H
#include <stdint.h>
#include <common/debug.h>
#include <drivers/measured_boot/metadata.h>
#define RSS_MBOOT_INVALID_ID UINT32_MAX
#define RSE_MBOOT_INVALID_ID UINT32_MAX
struct rss_mboot_metadata {
struct rse_mboot_metadata {
unsigned int id;
uint8_t slot;
uint8_t signer_id[SIGNER_ID_MAX_SIZE];
@ -28,13 +28,13 @@ struct rss_mboot_metadata {
};
/* Functions' declarations */
void rss_measured_boot_init(struct rss_mboot_metadata *metadata_ptr);
int rss_mboot_measure_and_record(struct rss_mboot_metadata *metadata_ptr,
void rse_measured_boot_init(struct rse_mboot_metadata *metadata_ptr);
int rse_mboot_measure_and_record(struct rse_mboot_metadata *metadata_ptr,
uintptr_t data_base, uint32_t data_size,
uint32_t data_id);
int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr,
int rse_mboot_set_signer_id(struct rse_mboot_metadata *metadata_ptr,
const void *pk_oid, const void *pk_ptr,
size_t pk_len);
#endif /* RSS_MEASURED_BOOT_H */
#endif /* RSE_MEASURED_BOOT_H */

16
include/lib/psa/delegated_attestation.h
View file

@ -15,9 +15,9 @@
#include "psa/error.h"
/* RSS Delegated Attestation message types that distinguish its services. */
#define RSS_DELEGATED_ATTEST_GET_DELEGATED_KEY 1001U
#define RSS_DELEGATED_ATTEST_GET_PLATFORM_TOKEN 1002U
/* RSE Delegated Attestation message types that distinguish its services. */
#define RSE_DELEGATED_ATTEST_GET_DELEGATED_KEY 1001U
#define RSE_DELEGATED_ATTEST_GET_PLATFORM_TOKEN 1002U
/**
* The aim of these APIs to get a derived signing key (private only) for the
@ -28,13 +28,13 @@
* key is bind to the platform token (details below).
*
* Expected usage model:
* - First rss_delegated_attest_get_delegated_key() API need to be called to
* - First rse_delegated_attest_get_delegated_key() API need to be called to
* obtain the private part of the delegated attestation key. The public part
* of key is computed by the cryptographic library when the key is
* registered.
* - Secondly the rss_delegated_attest_get_token() must be called to obtain
* - Secondly the rse_delegated_attest_get_token() must be called to obtain
* platform attestation token. The hash of the public key (computed by
* the hash_algo indicated in the rss_delegated_attest_get_delegated_key()
* the hash_algo indicated in the rse_delegated_attest_get_delegated_key()
* call) must be the input of this call. This ensures that nothing but the
* previously derived delegated key is bindable to the platform token.
*/
@ -74,7 +74,7 @@
* platform attestation token as they are cryptographically linked together.
*/
psa_status_t
rss_delegated_attest_get_delegated_key(uint8_t ecc_curve,
rse_delegated_attest_get_delegated_key(uint8_t ecc_curve,
uint32_t key_bits,
uint8_t *key_buf,
size_t key_buf_size,
@ -100,7 +100,7 @@ rss_delegated_attest_get_delegated_key(uint8_t ecc_curve,
* code will be returned.
*/
psa_status_t
rss_delegated_attest_get_token(const uint8_t *dak_pub_hash,
rse_delegated_attest_get_token(const uint8_t *dak_pub_hash,
size_t dak_pub_hash_size,
uint8_t *token_buf,
size_t token_buf_size,

4
include/lib/psa/dice_protection_environment.h
View file

@ -14,7 +14,7 @@
#include <dice.h>
/* Additional defines for max size limit. These limits are set by DPE in RSS. */
/* Additional defines for max size limit. These limits are set by DPE in RSE. */
#define DICE_AUTHORITY_DESCRIPTOR_MAX_SIZE 64
#define DICE_CONFIG_DESCRIPTOR_MAX_SIZE 64
#define DICE_CODE_DESCRIPTOR_MAX_SIZE 32
@ -28,7 +28,7 @@ typedef int32_t dpe_error_t;
#define DPE_ARGUMENT_NOT_SUPPORTED ((dpe_error_t)4)
#define DPE_SESSION_EXHAUSTED ((dpe_error_t)5)
/* Custom values in RSS based DPE implementation */
/* Custom values in RSE based DPE implementation */
#define DPE_INSUFFICIENT_MEMORY ((dpe_error_t)128)
#define DPE_ERR_CBOR_FORMATTING ((dpe_error_t)129)

6
include/lib/psa/measured_boot.h
View file

@ -43,11 +43,11 @@
* - When the requested slot is not accessible to the caller.
*/
/* Not a standard PSA API, just an extension therefore use the 'rss_' prefix
/* Not a standard PSA API, just an extension therefore use the 'rse_' prefix
* rather than the usual 'psa_'.
*/
psa_status_t
rss_measured_boot_extend_measurement(uint8_t index,
rse_measured_boot_extend_measurement(uint8_t index,
const uint8_t *signer_id,
size_t signer_id_size,
const uint8_t *version,
@ -92,7 +92,7 @@ rss_measured_boot_extend_measurement(uint8_t index,
* PSA_ERROR_DOES_NOT_EXIST
* - The requested slot is empty, does not contain a measurement.
*/
psa_status_t rss_measured_boot_read_measurement(uint8_t index,
psa_status_t rse_measured_boot_read_measurement(uint8_t index,
uint8_t *signer_id,
size_t signer_id_size,
size_t *signer_id_len,

14
include/lib/psa/psa_manifest/sid.h
View file

@ -8,19 +8,19 @@
#ifndef PSA_MANIFEST_SID_H
#define PSA_MANIFEST_SID_H
/******** RSS_SP_CRYPTO ********/
#define RSS_CRYPTO_HANDLE (0x40000100U)
/******** RSE_SP_CRYPTO ********/
#define RSE_CRYPTO_HANDLE (0x40000100U)
/******** RSS_SP_PLATFORM ********/
#define RSS_PLATFORM_SERVICE_HANDLE (0x40000105U)
/******** RSE_SP_PLATFORM ********/
#define RSE_PLATFORM_SERVICE_HANDLE (0x40000105U)
/******** PSA_SP_MEASURED_BOOT ********/
#define RSS_MEASURED_BOOT_HANDLE (0x40000110U)
#define RSE_MEASURED_BOOT_HANDLE (0x40000110U)
/******** PSA_SP_DELEGATED_ATTESTATION ********/
#define RSS_DELEGATED_SERVICE_HANDLE (0x40000111U)
#define RSE_DELEGATED_SERVICE_HANDLE (0x40000111U)
/******** PSA_SP_DICE_PROTECTION_ENVIRONMENT ********/
#define RSS_DPE_SERVICE_HANDLE (0x40000112U)
#define RSE_DPE_SERVICE_HANDLE (0x40000112U)
#endif /* PSA_MANIFEST_SID_H */

32
include/lib/psa/rss_crypto_defs.h → include/lib/psa/rse_crypto_defs.h
View file

@ -5,8 +5,8 @@
*
*/
#ifndef RSS_CRYPTO_DEFS_H
#define RSS_CRYPTO_DEFS_H
#ifndef RSE_CRYPTO_DEFS_H
#define RSE_CRYPTO_DEFS_H
/* Declares types that encode errors, algorithms, key types, policies, etc. */
#include "psa/crypto_types.h"
@ -16,31 +16,31 @@
* to the corresponding API implementation in the Crypto service backend.
*
*/
#define RSS_CRYPTO_EXPORT_PUBLIC_KEY_SID (uint16_t)(0x701)
#define RSE_CRYPTO_EXPORT_PUBLIC_KEY_SID (uint16_t)(0x701)
/*
* The persistent key identifiers for RSS builtin keys.
* The persistent key identifiers for RSE builtin keys.
*/
enum rss_key_id_builtin_t {
RSS_BUILTIN_KEY_ID_HOST_S_ROTPK = 0x7FFF816Cu,
RSS_BUILTIN_KEY_ID_HOST_NS_ROTPK,
RSS_BUILTIN_KEY_ID_HOST_CCA_ROTPK,
enum rse_key_id_builtin_t {
RSE_BUILTIN_KEY_ID_HOST_S_ROTPK = 0x7FFF816Cu,
RSE_BUILTIN_KEY_ID_HOST_NS_ROTPK,
RSE_BUILTIN_KEY_ID_HOST_CCA_ROTPK,
};
/*
* This type is used to overcome a limitation within RSS firmware in the number of maximum
* This type is used to overcome a limitation within RSE firmware in the number of maximum
* IOVECs it can use especially in psa_aead_encrypt and psa_aead_decrypt.
*/
#define RSS_CRYPTO_MAX_NONCE_LENGTH (16u)
struct rss_crypto_aead_pack_input {
uint8_t nonce[RSS_CRYPTO_MAX_NONCE_LENGTH];
#define RSE_CRYPTO_MAX_NONCE_LENGTH (16u)
struct rse_crypto_aead_pack_input {
uint8_t nonce[RSE_CRYPTO_MAX_NONCE_LENGTH];
uint32_t nonce_length;
};
/*
* Structure used to pack non-pointer types in a call to PSA Crypto APIs
*/
struct rss_crypto_pack_iovec {
struct rse_crypto_pack_iovec {
psa_key_id_t key_id; /* !< Key id */
psa_algorithm_t alg; /* !< Algorithm */
uint32_t op_handle; /*
@ -56,7 +56,7 @@ struct rss_crypto_pack_iovec {
* AEAD
*/
struct rss_crypto_aead_pack_input aead_in; /*
struct rse_crypto_aead_pack_input aead_in; /*
* !< Packs AEAD-related
* inputs
*/
@ -64,7 +64,7 @@ struct rss_crypto_pack_iovec {
uint16_t function_id; /*
* !< Used to identify the function in the
* API dispatcher to the service backend
* See rss_crypto_func_sid for detail
* See rse_crypto_func_sid for detail
*/
uint16_t step; /* !< Key derivation step */
union {
@ -76,4 +76,4 @@ struct rss_crypto_pack_iovec {
};
};
#endif /* RSS_CRYPTO_DEFS_H */
#endif /* RSE_CRYPTO_DEFS_H */

18
include/lib/psa/rss_platform_api.h → include/lib/psa/rse_platform_api.h
View file

@ -5,16 +5,16 @@
*
*/
#ifndef RSS_PLATFORM_API_H
#define RSS_PLATFORM_API_H
#ifndef RSE_PLATFORM_API_H
#define RSE_PLATFORM_API_H
#include <stdint.h>
#include "psa/error.h"
#include <rss_crypto_defs.h>
#include <rse_crypto_defs.h>
#define RSS_PLATFORM_API_ID_NV_READ (1010)
#define RSS_PLATFORM_API_ID_NV_INCREMENT (1011)
#define RSE_PLATFORM_API_ID_NV_READ (1010)
#define RSE_PLATFORM_API_ID_NV_INCREMENT (1011)
/*
* Increments the given non-volatile (NV) counter by one
@ -25,7 +25,7 @@
* it returns a PSA_ERROR.
*/
psa_status_t
rss_platform_nv_counter_increment(uint32_t counter_id);
rse_platform_nv_counter_increment(uint32_t counter_id);
/*
* Reads the given non-volatile (NV) counter
@ -39,7 +39,7 @@ rss_platform_nv_counter_increment(uint32_t counter_id);
* it returns a PSA_ERROR.
*/
psa_status_t
rss_platform_nv_counter_read(uint32_t counter_id,
rse_platform_nv_counter_read(uint32_t counter_id,
uint32_t size, uint8_t *val);
/*
@ -54,7 +54,7 @@ rss_platform_nv_counter_read(uint32_t counter_id,
* it returns a PSA_ERROR.
*/
psa_status_t
rss_platform_key_read(enum rss_key_id_builtin_t key, uint8_t *data,
rse_platform_key_read(enum rse_key_id_builtin_t key, uint8_t *data,
size_t data_size, size_t *data_length);
#endif /* RSS_PLATFORM_API_H */
#endif /* RSE_PLATFORM_API_H */

12
lib/psa/delegated_attestation.c
View file

@ -10,7 +10,7 @@
#include <psa_manifest/sid.h>
psa_status_t
rss_delegated_attest_get_delegated_key(uint8_t ecc_curve,
rse_delegated_attest_get_delegated_key(uint8_t ecc_curve,
uint32_t key_bits,
uint8_t *key_buf,
size_t key_buf_size,
@ -31,8 +31,8 @@ rss_delegated_attest_get_delegated_key(uint8_t ecc_curve,
return PSA_ERROR_INVALID_ARGUMENT;
}
status = psa_call(RSS_DELEGATED_SERVICE_HANDLE,
RSS_DELEGATED_ATTEST_GET_DELEGATED_KEY,
status = psa_call(RSE_DELEGATED_SERVICE_HANDLE,
RSE_DELEGATED_ATTEST_GET_DELEGATED_KEY,
in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));
if (status == PSA_SUCCESS) {
@ -43,7 +43,7 @@ rss_delegated_attest_get_delegated_key(uint8_t ecc_curve,
}
psa_status_t
rss_delegated_attest_get_token(const uint8_t *dak_pub_hash,
rse_delegated_attest_get_token(const uint8_t *dak_pub_hash,
size_t dak_pub_hash_size,
uint8_t *token_buf,
size_t token_buf_size,
@ -61,8 +61,8 @@ rss_delegated_attest_get_token(const uint8_t *dak_pub_hash,
return PSA_ERROR_INVALID_ARGUMENT;
}
status = psa_call(RSS_DELEGATED_SERVICE_HANDLE,
RSS_DELEGATED_ATTEST_GET_PLATFORM_TOKEN,
status = psa_call(RSE_DELEGATED_SERVICE_HANDLE,
RSE_DELEGATED_ATTEST_GET_PLATFORM_TOKEN,
in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));
if (status == PSA_SUCCESS) {

2
lib/psa/dice_protection_environment.c
View file

@ -258,7 +258,7 @@ static int32_t dpe_client_call(const char *cmd_input, size_t cmd_input_size,
{ cmd_output, *cmd_output_size },
};
err = psa_call(RSS_DPE_SERVICE_HANDLE, 0,
err = psa_call(RSE_DPE_SERVICE_HANDLE, 0,
in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
if (err == PSA_SUCCESS) {

10
lib/psa/measured_boot.c
View file

@ -63,7 +63,7 @@ static void log_measurement(uint8_t index,
}
psa_status_t
rss_measured_boot_extend_measurement(uint8_t index,
rse_measured_boot_extend_measurement(uint8_t index,
const uint8_t *signer_id,
size_t signer_id_size,
const uint8_t *version,
@ -115,13 +115,13 @@ rss_measured_boot_extend_measurement(uint8_t index,
measurement_algo, measurement_value,
measurement_value_size, lock_measurement);
return psa_call(RSS_MEASURED_BOOT_HANDLE,
RSS_MEASURED_BOOT_EXTEND,
return psa_call(RSE_MEASURED_BOOT_HANDLE,
RSE_MEASURED_BOOT_EXTEND,
in_vec, IOVEC_LEN(in_vec),
NULL, 0);
}
psa_status_t rss_measured_boot_read_measurement(uint8_t index,
psa_status_t rse_measured_boot_read_measurement(uint8_t index,
uint8_t *signer_id,
size_t signer_id_size,
size_t *signer_id_len,
@ -158,7 +158,7 @@ psa_status_t rss_measured_boot_read_measurement(uint8_t index,
{.base = measurement_value, .len = measurement_value_size}
};
status = psa_call(RSS_MEASURED_BOOT_HANDLE, RSS_MEASURED_BOOT_READ,
status = psa_call(RSE_MEASURED_BOOT_HANDLE, RSE_MEASURED_BOOT_READ,
in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));

4
lib/psa/measured_boot_private.h
View file

@ -13,8 +13,8 @@
#include <drivers/measured_boot/metadata.h>
/* Measured boot message types that distinguish its services */
#define RSS_MEASURED_BOOT_READ 1001U
#define RSS_MEASURED_BOOT_EXTEND 1002U
#define RSE_MEASURED_BOOT_READ 1001U
#define RSE_MEASURED_BOOT_EXTEND 1002U
struct measured_boot_read_iovec_in_t {
uint8_t index;

26
lib/psa/rss_platform.c → lib/psa/rse_platform.c
View file

@ -7,24 +7,24 @@
#include <psa/client.h>
#include <psa_manifest/sid.h>
#include <rss_crypto_defs.h>
#include <rss_platform_api.h>
#include <rse_crypto_defs.h>
#include <rse_platform_api.h>
psa_status_t
rss_platform_nv_counter_increment(uint32_t counter_id)
rse_platform_nv_counter_increment(uint32_t counter_id)
{
struct psa_invec in_vec[1];
in_vec[0].base = &counter_id;
in_vec[0].len = sizeof(counter_id);
return psa_call(RSS_PLATFORM_SERVICE_HANDLE,
RSS_PLATFORM_API_ID_NV_INCREMENT,
return psa_call(RSE_PLATFORM_SERVICE_HANDLE,
RSE_PLATFORM_API_ID_NV_INCREMENT,
in_vec, 1, NULL, 0);
}
psa_status_t
rss_platform_nv_counter_read(uint32_t counter_id,
rse_platform_nv_counter_read(uint32_t counter_id,
uint32_t size, uint8_t *val)
{
struct psa_invec in_vec[1];
@ -36,30 +36,30 @@ rss_platform_nv_counter_read(uint32_t counter_id,
out_vec[0].base = val;
out_vec[0].len = size;
return psa_call(RSS_PLATFORM_SERVICE_HANDLE,
RSS_PLATFORM_API_ID_NV_READ,
return psa_call(RSE_PLATFORM_SERVICE_HANDLE,
RSE_PLATFORM_API_ID_NV_READ,
in_vec, 1, out_vec, 1);
}
psa_status_t
rss_platform_key_read(enum rss_key_id_builtin_t key, uint8_t *data,
rse_platform_key_read(enum rse_key_id_builtin_t key, uint8_t *data,
size_t data_size, size_t *data_length)
{
psa_status_t status;
struct rss_crypto_pack_iovec iov = {
.function_id = RSS_CRYPTO_EXPORT_PUBLIC_KEY_SID,
struct rse_crypto_pack_iovec iov = {
.function_id = RSE_CRYPTO_EXPORT_PUBLIC_KEY_SID,
.key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct rss_crypto_pack_iovec)},
{.base = &iov, .len = sizeof(struct rse_crypto_pack_iovec)},
};
psa_outvec out_vec[] = {
{.base = data, .len = data_size}
};
status = psa_call(RSS_CRYPTO_HANDLE, PSA_IPC_CALL,
status = psa_call(RSE_CRYPTO_HANDLE, PSA_IPC_CALL,
in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));

4
plat/arm/board/fvp/fvp_common_measured_boot.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021-2023, Arm Limited. All rights reserved.
* Copyright (c) 2021-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -9,12 +9,10 @@
#include <common/desc_image_load.h>
#include <drivers/measured_boot/event_log/event_log.h>
#include <drivers/measured_boot/rss/rss_measured_boot.h>
#include <plat/arm/common/plat_arm.h>
#include <plat/common/platform.h>
extern event_log_metadata_t fvp_event_log_metadata[];
extern struct rss_mboot_metadata fvp_rss_mboot_metadata[];
int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
{

2
plat/arm/board/fvp/fvp_plat_attest_token.c
View file

@ -98,7 +98,7 @@ static const uint8_t sample_platform_token[] = {
/*
* Get the hardcoded platform attestation token as FVP does not support
* RSS.
* RSE.
*/
int plat_rmmd_get_cca_attest_token(uintptr_t buf, size_t *len,
uintptr_t hash, size_t hash_size)

2
plat/arm/board/fvp/fvp_realm_attest_key.c
View file

@ -19,7 +19,7 @@ static const uint8_t sample_delegated_key[] = {
/*
* Get the hardcoded delegated realm attestation key as FVP
* does not support RSS.
* does not support RSE.
*/
int plat_rmmd_get_cca_realm_attest_key(uintptr_t buf, size_t *len,
unsigned int type)

18
plat/arm/board/tc/include/platform_def.h
View file

@ -193,11 +193,11 @@
/*
* In the current implementation the RoT Service request that requires the
* biggest message buffer is the RSS_DELEGATED_ATTEST_GET_PLATFORM_TOKEN. The
* biggest message buffer is the RSE_DELEGATED_ATTEST_GET_PLATFORM_TOKEN. The
* maximum required buffer size is calculated based on the platform-specific
* needs of this request.
*/
#define PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE 0x500
#define PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x500
#define TC_DEVICE_BASE 0x21000000
#define TC_DEVICE_SIZE 0x5f000000
@ -279,13 +279,13 @@
/* Index of SDS region used in the communication with SCP */
#define SDS_SCP_AP_REGION_ID U(0)
/* Index of SDS region used in the communication with RSS */
#define SDS_RSS_AP_REGION_ID U(1)
/* Index of SDS region used in the communication with RSE */
#define SDS_RSE_AP_REGION_ID U(1)
/*
* Memory region for RSS's shared data storage (SDS)
* Memory region for RSE's shared data storage (SDS)
* It is placed right after the SCMI payload area.
*/
#define PLAT_ARM_RSS_AP_SDS_MEM_BASE (CSS_SCMI_PAYLOAD_BASE + \
#define PLAT_ARM_RSE_AP_SDS_MEM_BASE (CSS_SCMI_PAYLOAD_BASE + \
CSS_SCMI_PAYLOAD_SIZE_MAX)
#define PLAT_ARM_CLUSTER_COUNT U(1)
@ -306,9 +306,9 @@
#endif /* TARGET_PLATFORM == 3 */
#define PLAT_MHUV2_BASE PLAT_CSS_MHU_BASE
/* TC2: AP<->RSS MHUs */
#define PLAT_RSS_AP_SND_MHU_BASE UL(0x2A840000)
#define PLAT_RSS_AP_RCV_MHU_BASE UL(0x2A850000)
/* TC2: AP<->RSE MHUs */
#define PLAT_RSE_AP_SND_MHU_BASE UL(0x2A840000)
#define PLAT_RSE_AP_RCV_MHU_BASE UL(0x2A850000)
#define CSS_SYSTEM_PWR_DMN_LVL ARM_PWR_LVL2
#define PLAT_MAX_PWR_LVL ARM_PWR_LVL1

4
plat/arm/board/tc/include/tc_plat.h
View file

@ -8,7 +8,7 @@
#define TC_PLAT_H
#ifdef PLATFORM_TEST_ROTPK
#include <rss_crypto_defs.h>
#include <rse_crypto_defs.h>
#endif
void tc_bl31_common_platform_setup(void);
@ -23,7 +23,7 @@ int nv_counter_test(void);
#ifdef PLATFORM_TEST_ROTPK
struct key_id_info {
enum rss_key_id_builtin_t key_id;
enum rse_key_id_builtin_t key_id;
const char *key_id_name;
};

20
plat/arm/board/tc/nv_counter_test.c
View file

@ -7,9 +7,9 @@
#include <stdint.h>
#include <stdio.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <plat/common/platform.h>
#include "rss_platform_api.h"
#include "rse_platform_api.h"
#include <platform_def.h>
@ -20,30 +20,30 @@ int nv_counter_test(void)
uint32_t new_val;
uint32_t id;
status = rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);
status = rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE, PLAT_RSE_AP_RCV_MHU_BASE);
if (status != PSA_SUCCESS) {
printf("Failed to initialize RSS communication channel - psa_status = %d\n", status);
printf("Failed to initialize RSE communication channel - psa_status = %d\n", status);
return -1;
}
for (id = 0; id < 3; id++) {
status = rss_platform_nv_counter_read(id, sizeof(old_val), (uint8_t *)&old_val);
status = rse_platform_nv_counter_read(id, sizeof(old_val), (uint8_t *)&old_val);
if (status != PSA_SUCCESS) {
printf("Failed during first id=(%d) rss_platform_nv_counter_read - psa_status = %d\n",
printf("Failed during first id=(%d) rse_platform_nv_counter_read - psa_status = %d\n",
id, status);
return -1;
}
status = rss_platform_nv_counter_increment(id);
status = rse_platform_nv_counter_increment(id);
if (status != PSA_SUCCESS) {
printf("Failed during id=(%d) rss_platform_nv_counter_increment - psa_status = %d\n",
printf("Failed during id=(%d) rse_platform_nv_counter_increment - psa_status = %d\n",
id, status);
return -1;
}
status = rss_platform_nv_counter_read(id, sizeof(new_val), (uint8_t *)&new_val);
status = rse_platform_nv_counter_read(id, sizeof(new_val), (uint8_t *)&new_val);
if (status != PSA_SUCCESS) {
printf("Failed during second id=(%d) rss_platform_nv_counter_read - psa_status = %d\n",
printf("Failed during second id=(%d) rse_platform_nv_counter_read - psa_status = %d\n",
id, status);
return -1;
}

16
plat/arm/board/tc/plat_def_fip_uuid.h
View file

@ -10,28 +10,28 @@
#include "uuid.h"
#define UUID_RSS_FIRMWARE_BL1_2 \
#define UUID_RSE_FIRMWARE_BL1_2 \
{{0x0a, 0xa5, 0xb1, 0xbe}, {0xe7, 0x84}, {0x41, 0xc5}, 0x81, 0xb8, {0x4a, 0x41, 0xcb, 0x4a, 0xd2, 0xdf}}
#define UUID_RSS_FIRMWARE_BL2 \
#define UUID_RSE_FIRMWARE_BL2 \
{{0xa3, 0xb3, 0xb3, 0x0d}, {0xeb, 0xc9}, {0x40, 0x48}, 0xb4, 0x80, {0x15, 0x53, 0x61, 0xc1, 0x70, 0x48}}
#define UUID_RSS_FIRMWARE_SCP_BL1 \
#define UUID_RSE_FIRMWARE_SCP_BL1 \
{{0xbf, 0xd5, 0x09, 0x8d}, {0xa7, 0x07}, {0x4f, 0x15}, 0x89, 0x1c, {0x37, 0x22, 0x10, 0xcb, 0x51, 0xe2}}
#define UUID_RSS_FIRMWARE_AP_BL1 \
#define UUID_RSE_FIRMWARE_AP_BL1 \
{{0x12, 0x4c, 0x50, 0xe0}, {0xf2, 0xda}, {0x45, 0xe9}, 0x85, 0xc8, {0xda, 0xd9, 0x60, 0x9b, 0x7a, 0x11}}
#define UUID_RSS_FIRMWARE_NS \
#define UUID_RSE_FIRMWARE_NS \
{{0x8d, 0x95, 0x9f, 0x72}, {0xb8, 0xb1}, {0x42, 0x11}, 0x9a, 0xe6, {0x4b, 0x80, 0x97, 0x47, 0x5a, 0xd9}}
#define UUID_RSS_FIRMWARE_S \
#define UUID_RSE_FIRMWARE_S \
{{0x22, 0xea, 0x33, 0x85}, {0xf8, 0x6e}, {0x47, 0x93}, 0x96, 0x8a, {0x2f, 0xe3, 0xdd, 0x50, 0x33, 0xcc}}
#define UUID_RSS_SIC_TABLES_NS \
#define UUID_RSE_SIC_TABLES_NS \
{{0xd9, 0x10, 0x00, 0x72}, {0x6a, 0x28}, {0x4b, 0xec}, 0xb0, 0xd6, {0x8c, 0xed, 0xc4, 0x15, 0x7c, 0xe0}}
#define UUID_RSS_SIC_TABLES_S \
#define UUID_RSE_SIC_TABLES_S \
{{0xc7, 0x38, 0xd0, 0xde}, {0x8c, 0x26}, {0x48, 0x51}, 0x93, 0x36, {0xf3, 0xdb, 0xe2, 0x96, 0x65, 0x18}}
#endif /* __PLAT_DEF_FIP_UUID__ */

18
plat/arm/board/tc/platform.mk
View file

@ -173,20 +173,20 @@ $(eval $(call TOOL_ADD_PAYLOAD,${TC_HW_CONFIG},--hw-config,${TC_HW_CONFIG}))
# Include Measured Boot makefile before any Crypto library makefile.
# Crypto library makefile may need default definitions of Measured Boot build
# flags present in Measured Boot makefile.
$(info Including rss_comms.mk)
$(info Including rse_comms.mk)
ifeq (${MEASURED_BOOT},1)
$(info Including rss_comms.mk)
include drivers/arm/rss/rss_comms.mk
$(info Including rse_comms.mk)
include drivers/arm/rse/rse_comms.mk
BL1_SOURCES += ${RSS_COMMS_SOURCES}
BL2_SOURCES += ${RSS_COMMS_SOURCES}
BL1_SOURCES += ${RSE_COMMS_SOURCES}
BL2_SOURCES += ${RSE_COMMS_SOURCES}
PLAT_INCLUDES += -Iinclude/lib/psa
ifeq (${DICE_PROTECTION_ENVIRONMENT},1)
$(info Including qcbor.mk)
include drivers/measured_boot/rss/qcbor.mk
include drivers/measured_boot/rse/qcbor.mk
$(info Including dice_prot_env.mk)
include drivers/measured_boot/rss/dice_prot_env.mk
include drivers/measured_boot/rse/dice_prot_env.mk
BL1_SOURCES += ${QCBOR_SOURCES} \
${DPE_SOURCES} \
@ -206,8 +206,8 @@ ifeq (${MEASURED_BOOT},1)
PLAT_INCLUDES += -I${QCBOR_INCLUDES} \
-Iinclude/lib/dice
else
$(info Including rss_measured_boot.mk)
include drivers/measured_boot/rss/rss_measured_boot.mk
$(info Including rse_measured_boot.mk)
include drivers/measured_boot/rse/rse_measured_boot.mk
BL1_SOURCES += ${MEASURED_BOOT_SOURCES} \
plat/arm/board/tc/tc_common_measured_boot.c \

30
plat/arm/board/tc/platform_test.mk
View file

@ -5,42 +5,42 @@
$(eval $(call add_define,PLATFORM_TESTS))
ifeq (${PLATFORM_TEST},rss-nv-counters)
include drivers/arm/rss/rss_comms.mk
ifeq (${PLATFORM_TEST},rse-nv-counters)
include drivers/arm/rse/rse_comms.mk
# Test code.
BL31_SOURCES += plat/arm/board/tc/nv_counter_test.c
# Code under testing.
BL31_SOURCES += lib/psa/rss_platform.c \
${RSS_COMMS_SOURCES}
BL31_SOURCES += lib/psa/rse_platform.c \
${RSE_COMMS_SOURCES}
PLAT_INCLUDES += -Iinclude/lib/psa
$(eval $(call add_define,PLATFORM_TEST_NV_COUNTERS))
else ifeq (${PLATFORM_TEST},rss-rotpk)
include drivers/arm/rss/rss_comms.mk
else ifeq (${PLATFORM_TEST},rse-rotpk)
include drivers/arm/rse/rse_comms.mk
# Test code.
BL31_SOURCES += plat/arm/board/tc/rotpk_test.c
# Code under testing.
BL31_SOURCES += lib/psa/rss_platform.c \
${RSS_COMMS_SOURCES}
BL31_SOURCES += lib/psa/rse_platform.c \
${RSE_COMMS_SOURCES}
PLAT_INCLUDES += -Iinclude/lib/psa
$(eval $(call add_define,PLATFORM_TEST_ROTPK))
else ifeq (${PLATFORM_TEST},tfm-testsuite)
include drivers/arm/rss/rss_comms.mk
include drivers/arm/rse/rse_comms.mk
# The variables need to be set to compile the platform test:
ifeq (${TF_M_TESTS_PATH},)
# Example: ../rss/tf-m-tests
# Example: ../rse/tf-m-tests
$(error Error: TF_M_TESTS_PATH not set)
endif
ifeq (${TF_M_EXTRAS_PATH},)
# Example: ../rss/tf-m-extras
# Example: ../rse/tf-m-extras
$(error Error: TF_M_EXTRAS_PATH not set)
endif
ifeq (${MEASUREMENT_VALUE_SIZE},)
@ -68,11 +68,11 @@ else ifeq (${PLATFORM_TEST},tfm-testsuite)
psa_crypto_slot_management.c \
)
BL31_SOURCES += ${RSS_COMMS_SOURCES} \
BL31_SOURCES += ${RSE_COMMS_SOURCES} \
plat/arm/common/arm_dyn_cfg.c \
${TC_BASE}/rss_ap_tests.c \
${TC_BASE}/rss_ap_testsuites.c \
${TC_BASE}/rss_ap_test_stubs.c \
${TC_BASE}/rse_ap_tests.c \
${TC_BASE}/rse_ap_testsuites.c \
${TC_BASE}/rse_ap_test_stubs.c \
$(TF_M_TESTS_PATH)/tests_reg/test/framework/test_framework.c \
$(MEASURED_BOOT_TESTS_PATH)/measured_boot_common.c \
$(MEASURED_BOOT_TESTS_PATH)/measured_boot_tests_common.c \

16
plat/arm/board/tc/rotpk_test.c
View file

@ -7,9 +7,9 @@
#include <stdint.h>
#include <stdio.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <plat/common/platform.h>
#include <rss_platform_api.h>
#include <rse_platform_api.h>
#include <tc_plat.h>
static void print_hex(const char *key_id_name, size_t key_size, const uint8_t *key_buf)
@ -28,19 +28,19 @@ int rotpk_test(void)
size_t key_size;
struct key_id_info key_ids[3] = {
{.key_id = RSS_BUILTIN_KEY_ID_HOST_S_ROTPK, .key_id_name = "Secure-ROTPK"},
{.key_id = RSS_BUILTIN_KEY_ID_HOST_NS_ROTPK, .key_id_name = "NS-ROTPK"},
{.key_id = RSS_BUILTIN_KEY_ID_HOST_CCA_ROTPK, .key_id_name = "CCA-ROTPK"}
{.key_id = RSE_BUILTIN_KEY_ID_HOST_S_ROTPK, .key_id_name = "Secure-ROTPK"},
{.key_id = RSE_BUILTIN_KEY_ID_HOST_NS_ROTPK, .key_id_name = "NS-ROTPK"},
{.key_id = RSE_BUILTIN_KEY_ID_HOST_CCA_ROTPK, .key_id_name = "CCA-ROTPK"}
};
status = rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);
status = rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE, PLAT_RSE_AP_RCV_MHU_BASE);
if (status != PSA_SUCCESS) {
printf("Failed to initialize RSS communication channel - psa_status = %d\n", status);
printf("Failed to initialize RSE communication channel - psa_status = %d\n", status);
return -1;
}
for (int i = 0; i < ARRAY_SIZE(key_ids); i++) {
status = rss_platform_key_read(key_ids[i].key_id, key_buf,
status = rse_platform_key_read(key_ids[i].key_id, key_buf,
sizeof(key_buf), &key_size);
if (status != PSA_SUCCESS) {
printf("Failed to retrieve %s - psa_status = %d\n", key_ids[i].key_id_name, status);

8
plat/arm/board/tc/rss_ap_test_stubs.c → plat/arm/board/tc/rse_ap_test_stubs.c
View file

@ -26,7 +26,7 @@ tfm_measured_boot_extend_measurement(uint8_t index,
size_t measurement_value_size,
bool lock_measurement)
{
return rss_measured_boot_extend_measurement(index,
return rse_measured_boot_extend_measurement(index,
signer_id,
signer_id_size,
version,
@ -56,7 +56,7 @@ tfm_measured_boot_read_measurement(uint8_t index,
size_t *measurement_value_len,
bool *is_locked)
{
return rss_measured_boot_read_measurement(index,
return rse_measured_boot_read_measurement(index,
signer_id,
signer_id_size,
signer_id_len,
@ -80,7 +80,7 @@ tfm_delegated_attest_get_token(const uint8_t *dak_pub_hash,
size_t token_buf_size,
size_t *token_size)
{
return rss_delegated_attest_get_token(dak_pub_hash,
return rse_delegated_attest_get_token(dak_pub_hash,
dak_pub_hash_size,
token_buf,
token_buf_size,
@ -95,7 +95,7 @@ tfm_delegated_attest_get_delegated_key(uint8_t ecc_curve,
size_t *key_size,
uint32_t hash_algo)
{
return rss_delegated_attest_get_delegated_key(ecc_curve,
return rse_delegated_attest_get_delegated_key(ecc_curve,
key_bits,
key_buf,
key_buf_size,

6
plat/arm/board/tc/rss_ap_tests.c → plat/arm/board/tc/rse_ap_tests.c
View file

@ -10,9 +10,9 @@
#include <mbedtls_common.h>
#include <plat/common/platform.h>
#include <psa/crypto.h>
#include <rss_comms.h>
#include <rse_comms.h>
#include "rss_ap_testsuites.h"
#include "rse_ap_testsuites.h"
static struct test_suite_t test_suites[] = {
{.freg = register_testsuite_delegated_attest},
@ -32,7 +32,7 @@ static int run_tests(void)
size_t i;
/* Initialize test environment. */
rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);
rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE, PLAT_RSE_AP_RCV_MHU_BASE);
mbedtls_init();
status = psa_crypto_init();
if (status != PSA_SUCCESS) {

2
plat/arm/board/tc/rss_ap_testsuites.c → plat/arm/board/tc/rse_ap_testsuites.c
View file

@ -11,7 +11,7 @@
* necessary because both files define the function `extra_tests_init`, so a
* linker error occurs when both are linked to BL31. This file defines a macro
* that renames the colliding function names to something unique.
* `plat/arm/board/tc/rss_ap_tests.c` can call the test init functions with
* `plat/arm/board/tc/rse_ap_tests.c` can call the test init functions with
* their new name.
*/

6
plat/arm/board/tc/rss_ap_testsuites.h → plat/arm/board/tc/rse_ap_testsuites.h
View file

@ -5,12 +5,12 @@
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef RSS_AP_TESTSUITES_H
#define RSS_AP_TESTSUITES_H
#ifndef RSE_AP_TESTSUITES_H
#define RSE_AP_TESTSUITES_H
#include <test_framework.h>
void register_testsuite_measured_boot(struct test_suite_t *p_test_suite);
void register_testsuite_delegated_attest(struct test_suite_t *p_test_suite);
#endif /* RSS_AP_TESTSUITES_H */
#endif /* RSE_AP_TESTSUITES_H */

28
plat/arm/board/tc/tc_bl1_dpe.c
View file

@ -8,11 +8,11 @@
#include <common/debug.h>
#include <drivers/arm/css/sds.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <drivers/delay_timer.h>
#include <drivers/generic_delay_timer.h>
#include <drivers/measured_boot/metadata.h>
#include <drivers/measured_boot/rss/dice_prot_env.h>
#include <drivers/measured_boot/rse/dice_prot_env.h>
#include <plat/arm/common/plat_arm.h>
#include <plat/common/platform.h>
#include <platform_def.h>
@ -53,7 +53,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
};
/* Effective timeout of 10000 ms */
#define RSS_DPE_BOOT_10US_RETRIES 1000000
#define RSE_DPE_BOOT_10US_RETRIES 1000000
#define TC2_SDS_DPE_CTX_HANDLE_STRUCT_ID 0x0000000A
/* Context handle is meant to be used by BL2. Sharing it via TB_FW_CONFIG */
@ -66,20 +66,20 @@ void plat_dpe_share_context_handle(int *ctx_handle)
void plat_dpe_get_context_handle(int *ctx_handle)
{
int retry = RSS_DPE_BOOT_10US_RETRIES;
int retry = RSE_DPE_BOOT_10US_RETRIES;
int ret;
/* Initialize System level generic or SP804 timer */
generic_delay_timer_init();
/* Check the initialization of the Shared Data Storage area between RSS
* and AP. Since AP_BL1 is executed first then a bit later the RSS
/* Check the initialization of the Shared Data Storage area between RSE
* and AP. Since AP_BL1 is executed first then a bit later the RSE
* runtime, which initialize this area, therefore AP needs to check it
* in a loop until it gets written by RSS Secure Runtime.
* in a loop until it gets written by RSE Secure Runtime.
*/
VERBOSE("Waiting for DPE service initialization in RSS Secure Runtime\n");
VERBOSE("Waiting for DPE service initialization in RSE Secure Runtime\n");
while (retry > 0) {
ret = sds_init(SDS_RSS_AP_REGION_ID);
ret = sds_init(SDS_RSE_AP_REGION_ID);
if (ret != SDS_OK) {
udelay(10);
retry--;
@ -93,11 +93,11 @@ void plat_dpe_get_context_handle(int *ctx_handle)
plat_panic_handler();
} else {
VERBOSE("DPE init succeeded in %dms.\n",
(RSS_DPE_BOOT_10US_RETRIES - retry) / 100);
(RSE_DPE_BOOT_10US_RETRIES - retry) / 100);
}
/* TODO: call this in a loop to avoid reading unfinished data */
ret = sds_struct_read(SDS_RSS_AP_REGION_ID,
ret = sds_struct_read(SDS_RSE_AP_REGION_ID,
TC2_SDS_DPE_CTX_HANDLE_STRUCT_ID,
0,
ctx_handle,
@ -113,9 +113,9 @@ void plat_dpe_get_context_handle(int *ctx_handle)
void bl1_plat_mboot_init(void)
{
/* Initialize the communication channel between AP and RSS */
(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
PLAT_RSS_AP_RCV_MHU_BASE);
/* Initialize the communication channel between AP and RSE */
(void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE,
PLAT_RSE_AP_RCV_MHU_BASE);
dpe_init(tc_dpe_metadata);
}

16
plat/arm/board/tc/tc_bl1_measured_boot.c
View file

@ -6,9 +6,9 @@
#include <stdint.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <drivers/measured_boot/metadata.h>
#include <drivers/measured_boot/rss/rss_measured_boot.h>
#include <drivers/measured_boot/rse/rse_measured_boot.h>
#include <tools_share/zero_oid.h>
#include <plat/arm/common/plat_arm.h>
@ -17,7 +17,7 @@
/* Table with platform specific image IDs and metadata. Intentionally not a
* const struct, some members might set by bootloaders during trusted boot.
*/
struct rss_mboot_metadata tc_rss_mboot_metadata[] = {
struct rse_mboot_metadata tc_rse_mboot_metadata[] = {
{
.id = FW_CONFIG_ID,
.slot = U(6),
@ -41,16 +41,16 @@ struct rss_mboot_metadata tc_rss_mboot_metadata[] = {
.lock_measurement = true },
{
.id = RSS_MBOOT_INVALID_ID }
.id = RSE_MBOOT_INVALID_ID }
};
void bl1_plat_mboot_init(void)
{
/* Initialize the communication channel between AP and RSS */
(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
PLAT_RSS_AP_RCV_MHU_BASE);
/* Initialize the communication channel between AP and RSE */
(void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE,
PLAT_RSE_AP_RCV_MHU_BASE);
rss_measured_boot_init(tc_rss_mboot_metadata);
rse_measured_boot_init(tc_rse_mboot_metadata);
}
void bl1_plat_mboot_finish(void)

10
plat/arm/board/tc/tc_bl2_dpe.c
View file

@ -7,9 +7,9 @@
#include <stdint.h>
#include <common/debug.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <drivers/measured_boot/metadata.h>
#include <drivers/measured_boot/rss/dice_prot_env.h>
#include <drivers/measured_boot/rse/dice_prot_env.h>
#include <plat/arm/common/plat_arm.h>
#include <plat/common/platform.h>
#include <platform_def.h>
@ -211,9 +211,9 @@ void plat_dpe_get_context_handle(int *ctx_handle)
void bl2_plat_mboot_init(void)
{
/* Initialize the communication channel between AP and RSS */
(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
PLAT_RSS_AP_RCV_MHU_BASE);
/* Initialize the communication channel between AP and RSE */
(void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE,
PLAT_RSE_AP_RCV_MHU_BASE);
dpe_init(tc_dpe_metadata);
}

16
plat/arm/board/tc/tc_bl2_measured_boot.c
View file

@ -6,9 +6,9 @@
#include <stdint.h>
#include <drivers/arm/rss_comms.h>
#include <drivers/arm/rse_comms.h>
#include <drivers/measured_boot/metadata.h>
#include <drivers/measured_boot/rss/rss_measured_boot.h>
#include <drivers/measured_boot/rse/rse_measured_boot.h>
#include <tools_share/tbbr_oid.h>
#include <plat/common/common_def.h>
@ -17,7 +17,7 @@
/* TC specific table with image IDs and metadata. Intentionally not a
* const struct, some members might set by bootloaders during trusted boot.
*/
struct rss_mboot_metadata tc_rss_mboot_metadata[] = {
struct rse_mboot_metadata tc_rse_mboot_metadata[] = {
{
.id = BL31_IMAGE_ID,
.slot = U(9),
@ -40,16 +40,16 @@ struct rss_mboot_metadata tc_rss_mboot_metadata[] = {
.pk_oid = SOC_FW_CONFIG_KEY_OID,
.lock_measurement = true },
{
.id = RSS_MBOOT_INVALID_ID }
.id = RSE_MBOOT_INVALID_ID }
};
void bl2_plat_mboot_init(void)
{
/* Initialize the communication channel between AP and RSS */
(void)rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE,
PLAT_RSS_AP_RCV_MHU_BASE);
/* Initialize the communication channel between AP and RSE */
(void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE,
PLAT_RSE_AP_RCV_MHU_BASE);
rss_measured_boot_init(tc_rss_mboot_metadata);
rse_measured_boot_init(tc_rse_mboot_metadata);
}
void bl2_plat_mboot_finish(void)

4
plat/arm/board/tc/tc_common_dpe.c
View file

@ -9,7 +9,7 @@
#include <stdint.h>
#include <common/desc_image_load.h>
#include <drivers/measured_boot/rss/dice_prot_env.h>
#include <drivers/measured_boot/rse/dice_prot_env.h>
extern struct dpe_metadata tc_dpe_metadata[];
@ -17,7 +17,7 @@ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
{
int err;
/* Calculate image hash and record it in the DPE service in RSS. */
/* Calculate image hash and record it in the DPE service in RSE. */
err = dpe_measure_and_record(tc_dpe_metadata,
image_data->image_base,
image_data->image_size,

12
plat/arm/board/tc/tc_common_measured_boot.c
View file

@ -8,22 +8,22 @@
#include <stdint.h>
#include <common/desc_image_load.h>
#include <drivers/measured_boot/rss/rss_measured_boot.h>
#include <drivers/measured_boot/rse/rse_measured_boot.h>
extern struct rss_mboot_metadata tc_rss_mboot_metadata[];
extern struct rse_mboot_metadata tc_rse_mboot_metadata[];
int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
{
int err;
/* Calculate image hash and record data in RSS */
err = rss_mboot_measure_and_record(tc_rss_mboot_metadata,
/* Calculate image hash and record data in RSE */
err = rse_mboot_measure_and_record(tc_rse_mboot_metadata,
image_data->image_base,
image_data->image_size,
image_id);
if (err != 0) {
ERROR("%s%s image id %u (%i)\n",
"Failed to ", "record in RSS", image_id, err);
"Failed to ", "record in RSE", image_id, err);
}
return err;
@ -31,6 +31,6 @@ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data)
int plat_mboot_measure_key(void *pk_oid, void *pk_ptr, unsigned int pk_len)
{
return rss_mboot_set_signer_id(tc_rss_mboot_metadata, pk_oid, pk_ptr,
return rse_mboot_set_signer_id(tc_rse_mboot_metadata, pk_oid, pk_ptr,
pk_len);
}

6
plat/arm/board/tc/tc_dpe_cert.h
View file

@ -20,10 +20,10 @@
* RoT Cert. | | | +->TOS_FW_CONF | | |
* +------------+ | +->SCP_BL1 +-----+-----+-->FW_CONF +->AP_BL32 | | +->PVMFW |
* | | | | | | | | | | | |
* | RSS_BL1_2--+-----+-->RSS_BL2------->AP_BL1--+-----+------------->AP_BL2------------+-----+-->AP_BL33 |
* | RSE_BL1_2--+-----+-->RSE_BL2------->AP_BL1--+-----+------------->AP_BL2------------+-----+-->AP_BL33 |
* | | | | | | | | | | | |
* +------------+ | +->RSS_S +-----+-----+-->TB_FW_CONF +->AP_BL31 | | +->HYPERVISOR |
* | +->RSS_NS | | +->SCP_BL2 | | |
* +------------+ | +->RSE_S +-----+-----+-->TB_FW_CONF +->AP_BL31 | | +->HYPERVISOR |
* | +->RSE_NS | | +->SCP_BL2 | | |
* | | | +->HW_CONF | | |
* +--------------------------+ | +---------------+-----+-->NT_FW_CONF |
* | | | |

2
plat/arm/board/tc/tc_plat.c
View file

@ -165,7 +165,7 @@ void plat_arm_secure_wdt_refresh(void)
static sds_region_desc_t tc_sds_regions[] = {
{ .base = PLAT_ARM_SDS_MEM_BASE },
{ .base = PLAT_ARM_RSS_AP_SDS_MEM_BASE },
{ .base = PLAT_ARM_RSE_AP_SDS_MEM_BASE },
};
sds_region_desc_t *plat_sds_get_regions(unsigned int *region_count)

2
plat/qemu/common/qemu_plat_attest_token.c
View file

@ -98,7 +98,7 @@ static const uint8_t sample_platform_token[] = {
/*
* Get the hardcoded platform attestation token as QEMU does not support
* RSS.
* RSE.
*/
int plat_rmmd_get_cca_attest_token(uintptr_t buf, size_t *len,
uintptr_t hash, size_t hash_size)

2
plat/qemu/common/qemu_realm_attest_key.c
View file

@ -19,7 +19,7 @@ static const uint8_t sample_delegated_key[] = {
/*
* Get the hardcoded delegated realm attestation key as QEMU
* does not support RSS.
* does not support RSE.
*/
int plat_rmmd_get_cca_realm_attest_key(uintptr_t buf, size_t *len,
unsigned int type)

48
tools/fiptool/plat_fiptool/arm/board/tc/plat_def_uuid_config.c
View file

@ -13,44 +13,44 @@
toc_entry_t plat_def_toc_entries[] = {
{
.name = "RSS Firmware BL1_2 image",
.uuid = UUID_RSS_FIRMWARE_BL1_2,
.cmdline_name = "rss-bl1_2"
.name = "RSE Firmware BL1_2 image",
.uuid = UUID_RSE_FIRMWARE_BL1_2,
.cmdline_name = "rse-bl1_2"
},
{
.name = "RSS Firmware BL2 image",
.uuid = UUID_RSS_FIRMWARE_BL2,
.cmdline_name = "rss-bl2"
.name = "RSE Firmware BL2 image",
.uuid = UUID_RSE_FIRMWARE_BL2,
.cmdline_name = "rse-bl2"
},
{
.name = "RSS Firmware SCP BL1 image",
.uuid = UUID_RSS_FIRMWARE_SCP_BL1,
.cmdline_name = "rss-scp-bl1"
.name = "RSE Firmware SCP BL1 image",
.uuid = UUID_RSE_FIRMWARE_SCP_BL1,
.cmdline_name = "rse-scp-bl1"
},
{
.name = "RSS Firmware AP BL1 image",
.uuid = UUID_RSS_FIRMWARE_AP_BL1,
.cmdline_name = "rss-ap-bl1"
.name = "RSE Firmware AP BL1 image",
.uuid = UUID_RSE_FIRMWARE_AP_BL1,
.cmdline_name = "rse-ap-bl1"
},
{
.name = "RSS Firmware non-secure image",
.uuid = UUID_RSS_FIRMWARE_NS,
.cmdline_name = "rss-ns"
.name = "RSE Firmware non-secure image",
.uuid = UUID_RSE_FIRMWARE_NS,
.cmdline_name = "rse-ns"
},
{
.name = "RSS Firmware secure image",
.uuid = UUID_RSS_FIRMWARE_S,
.cmdline_name = "rss-s"
.name = "RSE Firmware secure image",
.uuid = UUID_RSE_FIRMWARE_S,
.cmdline_name = "rse-s"
},
{
.name = "RSS Firmware non-secure SIC tables",
.uuid = UUID_RSS_SIC_TABLES_NS,
.cmdline_name = "rss-sic-tables-ns"
.name = "RSE Firmware non-secure SIC tables",
.uuid = UUID_RSE_SIC_TABLES_NS,
.cmdline_name = "rse-sic-tables-ns"
},
{
.name = "RSS Firmware secure SIC tables",
.uuid = UUID_RSS_SIC_TABLES_S,
.cmdline_name = "rss-sic-tables-s"
.name = "RSE Firmware secure SIC tables",
.uuid = UUID_RSE_SIC_TABLES_S,
.cmdline_name = "rse-sic-tables-s"
},
{