| Tamas Ban | f6aed63 | 2022-10-13 16:42:48 +0200 | [diff] [blame] | 1 | @startuml |
| 2 | skinparam ParticipantPadding 10 |
| 3 | skinparam BoxPadding 10 |
| 4 | box AP |
| 5 | participant RMM |
| 6 | participant BL31 |
| 7 | endbox |
| 8 | box RSS |
| 9 | participant DelegAttest |
| 10 | participant InitAttest |
| 11 | participant MeasuredBoot |
| 12 | participant Crypto |
| 13 | endbox |
| 14 | |
| 15 | == RMM Boot phase == |
| 16 | |
| 17 | RMM -> BL31: get_realm_key(\n\t**hash_algo**, ...) |
| 18 | BL31 -> DelegAttest: get_delegated_key |
| 19 | DelegAttest -> MeasuredBoot: read_measurement |
| 20 | Rnote over DelegAttest: Compute input\n\ for key derivation\n\ (hash of measurements) |
| 21 | DelegAttest -> Crypto: derive_key |
| 22 | Rnote over DelegAttest: Compute public key\n\ hash with **hash_algo**. |
| 23 | Rnote over Crypto: Seed is provisioned\n\ in the factory. |
| 24 | DelegAttest --> BL31: get_delegated_key |
| 25 | BL31 --> RMM: get_realm_key |
| 26 | Rnote over RMM: Only private key\n\ is returned. Public\n\ key and its hash\n\ must be computed.\n\ |
| 27 | Public key is included\n\ in the realm token.\n\ Its hash is the input\n\ for get_platform_token |
| 28 | RMM -> BL31: get_platform_token(\n\t**pub_key_hash**, ...) |
| 29 | BL31 -> DelegAttest: get_delegated_token |
| 30 | Rnote over DelegAttest: Check **pub_key_hash**\n\ against derived key. |
| 31 | DelegAttest -> InitAttest: get_initial_token |
| 32 | Rnote over InitAttest: Create the token including\n\ the **pub_key_hash** as the\n\ challenge claim |
| 33 | InitAttest -> MeasuredBoot: read_measurement |
| 34 | InitAttest -> Crypto: sign_token |
| 35 | InitAttest --> DelegAttest: get_initial_token |
| 36 | DelegAttest --> BL31: get_delegated_token |
| 37 | BL31 --> RMM: get_platform_token |
| 38 | Rnote over RMM: Platform token is\n\ cached. It is not\n\ changing within\n\ a power cycle. |
| 39 | @enduml |