Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / f6aed634558d6b24264e8266b4e6a824ea240d5b^! / . / docs / resources / diagrams / plantuml / rss_attestation_flow.puml
commitf6aed634558d6b24264e8266b4e6a824ea240d5b[log] [tgz]
authorTamas Ban <tamas.ban@arm.com>Thu Oct 13 16:42:48 2022 +0200
committerTamas Ban <tamas.ban@arm.com>Mon Feb 13 10:44:23 2023 +0100
tree21617a7301a07bf9cfd7b2a0485cb3f23c7269cf
parentcc8cb065e8b0fc1a3509a854326599adf2870708 [diff] [blame]
docs: add Runtime Security Subsystem (RSS) documentation

Describe:
  - RSS-AP communication
  - RSS runtime services
  - Measured boot
  - Delegated Attestation

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Iaef93361a09355a1edaabcc0c59126e006ad251a

diff --git a/docs/resources/diagrams/plantuml/rss_attestation_flow.puml b/docs/resources/diagrams/plantuml/rss_attestation_flow.puml
new file mode 100644
index 0000000..aca5c01
--- /dev/null
+++ b/docs/resources/diagrams/plantuml/rss_attestation_flow.puml

@@ -0,0 +1,39 @@
+@startuml
+skinparam ParticipantPadding 10
+skinparam BoxPadding 10
+box AP
+participant RMM
+participant BL31
+endbox
+box RSS
+participant DelegAttest
+participant InitAttest
+participant MeasuredBoot
+participant Crypto
+endbox
+
+== RMM Boot phase ==
+
+RMM -> BL31: get_realm_key(\n\t**hash_algo**, ...)
+BL31 -> DelegAttest: get_delegated_key
+DelegAttest -> MeasuredBoot: read_measurement
+Rnote over DelegAttest: Compute input\n\ for key derivation\n\ (hash of measurements)
+DelegAttest -> Crypto: derive_key
+Rnote over DelegAttest: Compute public key\n\ hash with **hash_algo**.
+Rnote over Crypto: Seed is provisioned\n\ in the factory.
+DelegAttest --> BL31: get_delegated_key
+BL31 --> RMM: get_realm_key
+Rnote over RMM: Only private key\n\ is returned. Public\n\ key and its hash\n\ must be computed.\n\
+Public key is included\n\ in the realm token.\n\ Its hash is the input\n\ for get_platform_token
+RMM -> BL31: get_platform_token(\n\t**pub_key_hash**, ...)
+BL31 -> DelegAttest: get_delegated_token
+Rnote over DelegAttest: Check **pub_key_hash**\n\ against derived key.
+DelegAttest -> InitAttest: get_initial_token
+Rnote over InitAttest: Create the token including\n\ the **pub_key_hash** as the\n\ challenge claim
+InitAttest -> MeasuredBoot: read_measurement
+InitAttest -> Crypto: sign_token
+InitAttest --> DelegAttest:  get_initial_token
+DelegAttest --> BL31: get_delegated_token
+BL31 --> RMM: get_platform_token
+Rnote over RMM: Platform token is\n\ cached. It is not\n\ changing within\n\ a power cycle.
+@enduml