Caliptra Runtime Firmware v1.1

This specification describes the Caliptra Runtime Firmware.

Runtime Firmware environment

This section provides an overview of the Runtime Firmware environment.

Boot and initialization

The Runtime Firmware main function SHALL perform the following on cold boot reset:

• Initialize the DICE Protection Environment (DPE)
• Initialize any SRAM structures used by Runtime Firmware

For behavior during other types of reset, see Runtime firmware updates.

If Runtime Firmware detects that Caliptra was reset during the execution of an operation, Runtime Firmware calls DISABLE_ATTESTATION because the internal state of Caliptra may be corrupted.

Main loop

After booting, Caliptra Runtime Firmware is responsible for the following.

• Wait for mailbox interrupts. On mailbox interrupt, Runtime Firmware:
  • Reads command from mailbox
  • Executes command
  • Writes response to mailbox and sets necessary status registers
  • Sleeps until next interrupt
• On panic, Runtime Firmware:
  • Saves diagnostic information

Callers must wait until Caliptra is no longer busy to call a mailbox command.

Fault handling

A mailbox command can fail to complete in the following ways:

• Hang or timeout, which result in the watchdog firing
• Unrecoverable panic

In both of these cases, the panic handler writes diagnostic panic information to registers that are readable by the SoC. Firmware then undergoes an impactless reset.

The caller is expected to check status registers upon reading responses from the mailbox.

Depending on the type of fault, the SoC may:

• Resubmit the mailbox command
• Attempt to update Runtime Firmware
• Perform a full SoC reset
• Some other SoC-specific behavior

Drivers

Caliptra Runtime Firmware will share driver code with ROM and FMC where possible; however, it will have its own copies of all of these drivers linked into the Runtime Firmware binary.

Maibox commands

All mailbox command codes are little endian.

Table: Mailbox command result codes

Relevant registers:

• mbox_csr -> COMMAND: Command code to execute.
• mbox_csr -> DLEN: Number of bytes written to mailbox.
• CPTRA_FW_ERROR_NON_FATAL: Status code of mailbox command. Any result other than SUCCESS signifies a mailbox command failure.

CALIPTRA_FW_LOAD

The CALIPTRA_FW_LOAD command is handled by both ROM and Runtime Firmware.

ROM behavior

On cold boot, ROM exposes the CALIPTRA_FW_LOAD mailbox command to accept the firmware image that ROM will boot. This image includes Manifest, FMC, and Runtime firmware.

Runtime Firmware behavior

Caliptra Runtime Firmware also exposes the CALIPTRA_FW_LOAD mailbox command for loading impactless updates. For more information, see Runtime Firmware updates.

Command Code: 0x4657_4C44 ("FWLD")

Table: CALIPTRA_FW_LOAD input arguments

CALIPTRA_FW_LOAD returns no output arguments.

CAPABILITIES

Exposes a command to retrieve firmware capabilities

Command Code: 0x4341_5053 ("CAPS")

Table: CAPABILITIES input arguments

Table: CAPABILITIES output arguments

GET_IDEV_CERT

Exposes a command to reconstruct the IDEVID CERT.

Command Code: 0x4944_4543 ("IDEC")

Table: GET_IDEV_CERT input arguments

Table: GET_IDEV_CERT output arguments

POPULATE_IDEV_CERT

Exposes a command that allows the SoC to provide a DER-encoded IDevId certificate on every boot. The IDevId certificate is added to the start of the certificate chain.

Command Code: 0x4944_4550 ("IDEP")

Table: POPULATE_IDEV_CERT input arguments

Table: POPULATE_IDEV_CERT output arguments

GET_IDEV_INFO

Exposes a command to get an IDEVID public key.

Command Code: 0x4944_4549 ("IDEI")

Table: GET_IDEV_INFO input arguments

Table: GET_IDEV_INFO output arguments

GET_LDEV_CERT

Exposes a command to get a self-signed LDevID certificate signed by IDevID.

Command Code: 0x4C44_4556 ("LDEV")

Table: GET_LDEV_CERT input arguments

Table: GET_LDEV_CERT output arguments

GET_FMC_ALIAS_CERT

Exposes a command to get a self-signed FMC alias certificate signed by LDevID.

Command Code: 0x4345_5246 ("CERF")

Table: GET_FMC_ALIAS_CERT input arguments

Table: GET_FMC_ALIAS_CERT output arguments

GET_RT_ALIAS_CERT

Exposes a command to get a self-signed Runtime alias certificate signed by the FMC alias.

Command Code: 0x4345_5252 ("CERR")

Table: GET_RT_ALIAS_CERT input arguments

Table: GET_RT_ALIAS_CERT output arguments

ECDSA384_SIGNATURE_VERIFY

Verifies an ECDSA P-384 signature. The hash to be verified is taken from Caliptra's SHA384 accelerator peripheral.

In the event of an invalid signature, the mailbox command will report CMD_FAILURE and the cause will be logged as a non-fatal error.

Command Code: 0x5349_4756 ("SIGV")

Table: ECDSA384_SIGNATURE_VERIFY input arguments

Table: ECDSA384_SIGNATURE_VERIFY output arguments

LMS_SIGNATURE_VERIFY

Verifies an LMS signature. The hash to be verified is taken from Caliptra's SHA384 accelerator peripheral.

In the event of an invalid signature, the mailbox command will report CMD_FAILURE and the cause will be logged as a non-fatal error.

The supported parameter set is limited to those used for the caliptra image signature: Table: LMS parameters

Command Code: 0x4C4D_5356 ("LMSV")

Table: LMS_SIGNATURE_VERIFY input arguments

Table: LMS_SIGNATURE_VERIFY output arguments

STASH_MEASUREMENT

Makes a measurement into the DPE default context. This command is intendend for callers who update infrequently and cannot tolerate a changing DPE API surface.

• Call the DPE DeriveContext command with the DefaultContext in the locality of the PL0 PAUSER.
• Extend the measurement into PCR31 (PCR_ID_STASH_MEASUREMENT).

Command Code: 0x4D45_4153 ("MEAS")

Table: STASH_MEASUREMENT input arguments

Table: STASH_MEASUREMENT output arguments

DISABLE_ATTESTATION

Disables attestation by erasing the CDI and DICE key. This command is intended for callers who update infrequently and cannot tolerate a changing DPE API surface. It is intended for situations where Caliptra firmware cannot be loaded and the SoC must proceed with boot.

Upon receipt of this command, Caliptra's current CDI is replaced with zeroes, and the associated DICE key is re-derived from the zeroed CDI.

This command is intended to allow the SoC to continue booting for diagnostic and error reporting. All attestations produced in this mode are expected to fail certificate chain validation. Caliptra MUST undergo a cold reset in order to re-enable attestation.

Command Code: 0x4453_424C ("DSBL")

Table: DISABLE_ATTESTATION input arguments

Table: DISABLE_ATTESTATION output arguments

INVOKE_DPE_COMMAND

Invokes a serialized DPE command.

Command Code: 0x4450_4543 ("DPEC")

Table: INVOKE_DPE_COMMAND input arguments

Table: INVOKE_DPE_COMMAND output arguments

QUOTE_PCRS

Generates a signed quote over all Caliptra hardware PCRs that are using the Caliptra PCR quoting key. All PCR values are hashed together with the nonce to produce the quote.

Command Code: 0x5043_5251 ("PCRQ")

Table: QUOTE_PCRS input arguments

PcrValue is defined as u8[48]

Table: QUOTE_PCRS output arguments

EXTEND_PCR

Extends a Caliptra hardware PCR.

Command Code: 0x5043_5245 ("PCRE")

Table: EXTEND_PCR input arguments

Table: EXTEND_PCR output arguments

Note that extensions made into Caliptra's PCRs are not appended to Caliptra's internal PCR log.

GET_PCR_LOG

Gets Caliptra's internal PCR log.

Command Code: 0x504C_4F47 ("PLOG")

Table: GET_PCR_LOG input arguments

Table: GET_PCR_LOG output arguments

See pcr_log.rs for the format of the log.

Note: the log contents reflect PCR extensions that are made autonomously by Caliptra during boot. The log contents are not preserved across cold or update resets. Callers who wish to verify PCRs that are autonomously extended during update reset should cache the log before triggering an update reset.

INCREMENT_PCR_RESET_COUNTER

Increments the reset counter for a PCR.

Command Code: 0x5043_5252 ("PCRR")

Table: INCREMENT_PCR_RESET_COUNTER input arguments

Table: INCREMENT_PCR_RESET_COUNTER output arguments

DPE_TAG_TCI

Associates a unique tag with a DPE context.

Command Code: 0x5451_4754 ("TAGT")

Table: DPE_TAG_TCI input arguments

Table: DPE_TAG_TCI output arguments

DPE_GET_TAGGED_TCI

Retrieves the TCI measurements corresponding to the tagged DPE context.

Command Code: 0x4754_4744 ("GTGD")

Table: DPE_GET_TAGGED_TCI input arguments

Table: DPE_GET_TAGGED_TCI output arguments

FW_INFO

Retrieves information about the current Runtime Firmware, FMC, and ROM.

Command Code: 0x494E_464F ("INFO")

Table: FW_INFO input arguments

Table: FW_INFO output arguments

VERSION

FIPS command to get version info for the module

Command Code: 0x4650_5652 ("FPVR")

Table: VERSION input arguments

Table: VERSION output arguments

SELF_TEST_START

FIPS command to start the self tests

Command Code: 0x4650_4C54

Table: SELF_TEST_START input arguments

Table: SELF_TEST_START output arguments

SELF_TEST_GET_RESULTS

FIPS command to get the results of the self tests. Mailbox command will return a failure if still active.

Command Code: 0x4650_4C67

Table: SELF_TEST_GET_RESULTS input arguments

Table: SELF_TEST_GET_RESULTS output arguments

SHUTDOWN

FIPS command to zeroize and shut down the module

Command Code: 0x4650_5344 ("FPSD")

Table: SHUTDOWN input arguments

Table: SHUTDOWN output arguments

ADD_SUBJECT_ALT_NAME

Provides a subject alternative name otherName. Whenever CERTIFY_KEY_EXTENDED is called with the DMTF_OTHER_NAME flag after ADD_SUBJECT_ALT_NAME is called, the resulting DPE CSR or leaf certificate will contain a subject alternative name extension containing the provided otherName, which must be a DMTF device info. All such certificates produced by CERTIFY_KEY_EXTENDED will continue to have the DMTF otherName subject alternative name extension until reset.

Command Code: 0x414C_544E ("ALTN")

Table: ADD_SUBJECT_ALT_NAME input arguments

Table: ADD_SUBJECT_ALT_NAME output arguments

CERTIFY_KEY_EXTENDED

Produces a DPE leaf certificate or CSR containing custom extensions provided by the SoC.

Command Code: 0x434B_4558 ("CKEX")

Table: CERTIFY_KEY_EXTENDED input arguments

Table: CERTIFY_KEY_EXTENDED input flags

Table: CERTIFY_KEY_EXTENDED output arguments

Checksum

For every command except for FW_LOAD, the request and response feature a checksum. This mitigates glitches between clients and Caliptra.

The checksum is a little-endian 32-bit value, defined as:

0 - (SUM(command code bytes) + SUM(request/response bytes))

The sum of all bytes in a request/response body, and command code, should be zero.

If Caliptra detects an invalid checksum in input parameters, it returns BAD_CHKSUM as the result.

Caliptra also computes a checksum over all of the responses and writes it to the chksum field.

FIPS status

For every command, the firmware responds with a FIPS status of FIPS approved. There is currently no use case for any other responses or error values.

Table: FIPS status codes

Runtime Firmware updates

Caliptra Runtime Firmware accepts impactless updates that update Caliptra’s firmware without resetting other cores in the SoC.

Applying updates

A Runtime Firmware update is triggered by the CALIPTRA_FW_LOAD command. Upon receiving this command, Runtime Firmware does the following:

1. Locks the mailbox to writes
2. Invokes impactless reset

After impactless reset is invoked, FMC loads the hash of the image from the verified Manifest into the necessary PCRs:

1. Runtime Journey PCR
2. Runtime Latest PCR

If ROM validation of the image fails:

• ROM SHALL NOT clear the Runtime Latest PCR. It SHALL still re-lock this PCR with the existing value.
• FMC SHALL NOT extend either of the Runtime PCRs.

Boot process after update

After an impactless update is applied, the new Runtime Firmware is able to sample a register to determine if it has undergone an Impactless Reset. In this case, the new Runtime Firmware must:

1. Validate DPE state in SRAM
   1. Ensure the TCI tree is well-formed
   2. Ensure all nodes chain to the root (TYPE = RTJM, “Internal TCI” flag is set)
2. Verify that the “Latest TCI” field of the TCI Node that contains the Runtime Journey PCR (TYPE = RTJM, “Internal TCI” flag is set) matches the “Latest” Runtime PCR value from PCRX
   1. Ensure SHA384_HASH(0x00..00, TCI from SRAM) == RT_FW_JOURNEY_PCR
3. Check that retired and inactive contexts do not have tags
4. If any validations fail, Runtime Firmware executes the DISABLE_ATTESTATION command

DICE Protection Environment (DPE)

Caliptra Runtime Firmware SHALL implement a profile of the DICE Protection Environment (DPE) API.

PAUSER privilege levels

Caliptra uses PAUSER as a HW mechanism to distinguish DPE Client localities. Caliptra models PAUSER callers to its mailbox as having 1 of 2 privilege levels:

• PL0 - High privilege. Only 1 PAUSER in the SoC may be at PL0. The PL0 PAUSER is denoted in the signed Caliptra firmware image. The PL0 PAUSER may call any supported DPE commands. Only PL0 can use the CertifyKey command. Success of the CertifyKey command signifies to the caller that it is at PL0. Only PL0 can use the POPULATE_IDEV_CERT mailbox command.
• PL1 - Restricted privilege. All other PAUSERs in the SoC are PL1. Caliptra SHALL fail any calls to the DPE CertifyKey with format=X509 by PL1 callers. PL1 callers should use the CSR format instead.

PAUSER and Locality map 1:1. Consequently, only the single DPE Client associated with PL0 level, is authorized to invoke CertifyKey DPE command with format=x509. All other DPE Clients have instead restricted privileges associated to PL1 (as described above).

PAUSER privilege level active context limits

Each active context in DPE is activated from either PL0 or PL1 through the InvokeDpe mailbox command calling the DeriveContext or InitializeContext DPE commands. However, a caller could easily exhaust space in DPE's context array by repeatedly calling the aforementioned DPE commands with certain flags set.

To prevent this, we establish active context limits for each PAUSER privilege level:

• PL0 - 16 active contexts
• PL1 - 16 active contexts

If a DPE command were to activate a new context such that the total number of active contexts in a privilege level is above its active context limit, the InvokeDpe command should fail.

At boot Caliptra Runtime FW consumes part of the PL0 active contexts (initially 16) to DeriveContext for:

• RTFW Journey (RTFJ) Measurement (1)
• Mailbox Valid Pauser digest (MBVP) (1)
• ROM Stashed Measurements (max 8)

Further, it is not allowed for PL1 to call DeriveContext with the intent to change locality to PL0's locality; this would increase the number of active contexts in PL0's locality, and hence allow PL1 to DOS PL0.

DPE profile implementation

The DPE iRoT profile leaves some choices up to implementers. This section describes specific requirements for the Caliptra DPE implementation.

Supported DPE commands

Caliptra DPE supports the following commands:

• GetProfile
• InitializeContext
• DeriveContext
• CertifyKey
  • Caliptra DPE supports two formats for CertifyKey: X.509 and PKCS#10 CSR. X.509 is only available to PL0 PAUSERs.
• Sign
• RotateContextHandle
• DestroyContext
• GetCertificateChain

DPE state atomicity

This implementation guarantees that no internal DPE state is changed if a command fails for any reason. This includes context handle rotation; single-use context handles are not rotated if a command fails.

On failure, DPE only returns a command header, with no additional command-specific response parameters. This is in line with the CBOR-based main DPE spec, which does not return a response payload on failure.

Initializing DPE

Caliptra Runtime Firmware is responsible for initializing DPE’s default context.

• Runtime Firmware SHALL initialize the default context in “internal-cdi” mode.
• Perform the following initial measurements:
  • Call DeriveContext with Caliptra Journey PCR
    • INPUT_DATA = PCRX (RT journey PCR as defined in the FHT)
    • TYPE = “RTJM”
    • CONTEXT_HANDLE = default context
    • TARGET_LOCALITY = Caliptra locality (0xFFFFFFFF)
  • Call DeriveContext with mailbox valid PAUSERS
    • INPUT_DATA = Hash of CPTRA_VALID_PAUSER register.
    • TYPE = “MBVP”
    • CONTEXT_HANDLE = default context
    • TARGET_LOCALITY = PL0 PAUSER
  • Call DeriveContext for each STASH_MEASUREMENT call made during Caliptra ROM execution
    • INPUT_DATA = measurement parameter to STASH_MEASUREMENT
    • TYPE = type parameter to STASH_MEASUREMENT
    • CONTEXT_HANDLE = default context
    • TARGET_LOCALITY = PL0 PAUSER

CDI derivation

The DPE Sign and CertifyKey commands derive an asymmetric key for that handle.

DPE first collects measurements and concatenates them in a byte buffer, MEASUREMENT_DATA:

• LABEL parameter passed to Sign or CertifyKey.
• The TCI_NODE_DATA structures in the path from the current TCI node to the root, inclusive, starting with the current node.

To derive a CDI for a given context, DPE shall use KeyVault hardware with the following inputs:

• CDI = Runtime Firmware CDI (from KeyVault)
• Label = LABEL parameter provided to Sign or CertifyKey
• Context = MEASUREMENT_DATA

The CDI shall be loaded into KeyVault slot 8.

Leaf key derivation

To derive an asymmetric key for Sign and CertifyKey, Runtime Firmware does the following:

• Derives an ECC P384 keypair from KV slot 8 CDI into KV slot 9
• For CertifyKey: Requests the public key
• For Sign: Signs passed data
• Erases KeyVault slots 8 and 9

Internal representation of TCI nodes

Certificate generation

The DPE Runtime Alias Key SHALL sign DPE leaf certificates and CSRs.

The DPE GET_CERTIFICATE_CHAIN command shall return the following certificates:

• IDevID (optionally added by the SoC via POPULATE_IDEV_CERT)
• LDevID
• FMC Alias
• Runtime Alias

DPE leaf certificate definition

*MultiTcbInfo contains one TcbInfo for each TCI Node in the path from the current TCI Node to the root. Max of 32.