Diff: Runtime Specification

@@ -1,5 +1,5 @@
1	1	<div style="font-size: 0.85em; color: #656d76; margin-bottom: 1em; padding: 0.5em; background: #f6f8fa; border-radius: 4px;">
2		-📄 Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/51ff0a89f169bbf8e06acb49b31db555e99fefb6/runtime/README.md" target="_blank">chipsalliance/caliptra-sw/runtime/README.md</a> @ <code>51ff0a8</code>
	2	+📄 Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/e6e5db26702ee88d530d2789ac87749472a6641c/runtime/README.md" target="_blank">chipsalliance/caliptra-sw/runtime/README.md</a> @ <code>e6e5db2</code>
3	3	</div>
4	4
5	5	# Caliptra Runtime Firmware v1.1
@@ -62,7 +62,100 @@
62	62	possible; however, it will have its own copies of all of these drivers linked into
63	63	the Runtime Firmware binary.
64	64
65		-## Maibox commands
	65	+## Manifest-Based Image Authorization (new in 1.2)
	66	+
	67	+Caliptra's goal is to enable integrators to meet standard security requirements for creating cryptographic identity and securely reporting measurements through DICE and DPE Certificate chains and Caliptra-owned private-public key pairs. In addition, Caliptra 1.0 provides an `ECDSA384_SIGNATURE_VERIFY` command to enable an SoC RoT to verify its own FW signatures so that it can develop an SoC secure boot using Caliptra cryptography. Caliptra 1.1 expanded the verify command to a PQC-safe `LMS_SIGNATURE_VERIFY` command. In each of these cases, it is left up to the vendor to ensure that they build a secure environment for introducing and verifying FW integrity and authenticity and then executing mutable FW.
	68	+
	69	+The Caliptra Measurement manifest feature expands on Caliptra-provided secure verifier abilities. The Measurement Manifest feature provides a standard Caliptra-supported definition to enable the following use cases for integrators, vendors, and owners.
	70	+
	71	+* Caliptra-Endorsed Aggregated Measured Boot
	72	+* Caliptra-Endorsed Local Verifier
	73	+
	74	+Each of these abilities are tied to Caliptra Vendor and Owner FW signing keys and should be independent of any SoC RoT FW signing keys.
	75	+
	76	+Manifest-based image authorization is implemented via two mailbox commands: [`SET_AUTH_MANIFEST`](#set-auth-manifest) and [`AUTHORIZE_AND_STASH`](#authorize-and-stash). For image format of the manifest, please refer [this file](https://github.com/chipsalliance/caliptra-sw/blob/e6e5db26702ee88d530d2789ac87749472a6641c/auth-manifest/README.md).
	77	+
	78	+### Caliptra-Endorsed Aggregated Measured Boot
	79	+
	80	+Aggregated Measured Boot is a verified boot where one signed manifest attests to FW integrity of many different FW measurements. The authenticity of the FW is tied to the trust in the public key signing the measurement manifest, which is endorsed by the Caliptra Vendor and/or Owner FW Keys.
	81	+
	82	+### Caliptra-Endorsed Local Verifier
	83	+
	84	+A local verifier provides an authentication of SoC FW by matching SoC FW measurements with measurements from the Caliptra measurement manifest. In this case, the SoC RoT still has its own FW public-key chain that is verified by the SoC RoT, but in addition the SoC RoT introduces the Caliptra Measurement Manifest, which is endorsed by the Caliptra FW key pair. Caliptra provides approval or disapproval of the measurement of any FW back to the SoC RoT. This effectively provides a multi-factor authentication of SoC FW.
	85	+
	86	+The Caliptra-Endorsed Local Verifier could be required by the owner only or both the vendor and the owner.
	87	+
	88	+The main difference between Caliptra-Endorsed Aggregated Measured Boot and Caliptra-Endorsed Local Verifier is whether the SoC RoT is relying on the Measurement Manifest for SoC Secure Boot services as opposed to using it as an additional verification.
	89	+
	90	+### SoC RoT Enforcement of Measurement Manifest
	91	+
	92	+In both use cases, the SoC RoT chooses to provide the Caliptra Measurement Manifest and to enforce the result of the authorization. Caliptra 1.x is not capable of providing any enforcement of measurements for SoC FW execution.
	93	+
	94	+### Caliptra Measurement Manifest Signing Keys Authenticity
	95	+
	96	+Caliptra 1.0 and 1.1 do not put any requirements on how the SoC RoT ensures integrity and authenticity of SoC FW other than requiring the SoC RoT to provide a measurement to Caliptra of any SoC FW before execution. Caliptra Measurement Manifest enables the SoC RoT to perform the integrity check through Caliptra-authorized FW signing keys.
	97	+
	98	+### Unique Measurement Manifest Signing Keys
	99	+
	100	+In order to reduce usage of the Caliptra FW Signing keys, the measurement manifest will be signed by new key pairs: one for the owner and optionally one for the vendor. These new key pairs are endorsed once by the Caliptra FW signing keys, the signature being in the Measurement Manifest, thus allowing the measurement manifest keys to be used independently of the Caliptra FW signing keys.
	101	+
	102	+### Caliptra Measurement Manifest Vendor Public Key Authenticity
	103	+
	104	+The Measurement Manifest MUST have an endorsement by the Caliptra Vendor Public Key. In order to fulfill this requirement, the Vendor has 2 options:
	105	+
	106	+* Vendor signing of `Image Metadata Collection` required: The Vendor creates a new Measurement keypair which will sign the measurement manifest and endorses this new public key with the Caliptra FW Vendor Private Key. The signature covers both the new public key as well as the flags field which indicates that the new Measurement Key Pair will be enforced.
	107	+* Vendor signing of `Image Metadata Collection` not required: Vendor leaves the Vendor public key as all zeros, and clears the flag which enforces vendor signing and then endorses these fields with a signature in the Measurement Manifest. In this case, the Vendor releases ownership of enforcing any specific FW in execution.
	108	+
	109	+### Caliptra Measurement Manifest Owner Public Key Authenticity
	110	+
	111	+Caliptra will always verify the endorsement of the Measurement Manifest Owner Public key and require that it signed the measurement manifest.
	112	+
	113	+This feature is accomplished by having the SoC send a manifest to Caliptra Runtime through the `SET_AUTH_MANIFEST` mailbox command. The manifest will include a set of hashes for the different SoC images. Later, the SOC will ask for authorization for its images from the Caliptra Runtime through the `AUTHORIZE_AND_STASH` new mailbox command. Caliptra Runtime will authorize the image based on whether its hash was contained in the manifest.
	114	+
	115	+#### Preamble
	116	+
	117	+The manifest begins with the Preamble section, which contains new manifest ECC and LMS public keys of the vendor and the owner. These public keys correspond to the private keys that sign the Image Metadata Collection (IMC) section. These signatures are included in the Preamble. The Caliptra firmware's private keys endorse the manifest's public keys and these endorsements (i.e., signatures) are part of the Preamble as well.
	118	+
	119	+#### Image Metadata Collection (IMC)
	120	+
	121	+The IMC is a collection of Image Metadata entries (IME). Each IME has a hash that matches one of the multiple SoC images. The manifest vendor and owner private keys sign the IMC. The Preamble holds the IMC signatures. The manifest IMC vendor signatures are optional and are validated only if the Flags field Bit 0 is set to 1. Up to 127 image hashes will be supported.
	122	+
	123	+#### Caliptra Measurement Manifest Keys Endorsement Verification Steps
	124	+
	125	+When Caliptra receives the Measurement Manifest, Caliptra will:
	126	+
	127	+* Verify the vendor endorsement using the Caliptra Vendor FW Public Key and compare with the vendor endorsement signature.
	128	+* If the vendor endorsement is invalid, the `SET_AUTH_MANIFEST` command will be rejected.
	129	+* If the vendor endorsement is valid, Caliptra will check if a vendor manifest measurement key is required:
	130	+ * If the key is required, Caliptra will trust the Vendor Public key that was just endorsed.
	131	+ * If the key is not required, Caliptra will not perform any more vendor verifications on this measurement manifest.
	132	+* Verify the owner endorsement using the Caliptra owner public key and compare with the owner endorsement signature.
	133	+ * If the owner endorsement is invalid, the `SET_AUTH_MANIFEST` command will be rejected.
	134	+ * Otherwise, the owner public key will be trusted and Caliptra will use it to verify the overall measurement manifest.
	135	+
	136	+### Image Authorization Sequence
	137	+
	138	+The diagram below illustrates how this feature is part of the Caliptra boot flow, and the order of operations needed to use the feature.
	139	+
	140	+```mermaid
	141	+sequenceDiagram
	142	+ ROM->>FMC: Launch FMC
	143	+ FMC->>Runtime: Launch RT
	144	+ Runtime->>SOC: RDY_FOR_RT
	145	+ Note over Runtime,SOC: Manifest Load
	146	+ SOC->>Runtime: SET_AUTH_MANIFEST
	147	+ Runtime-->>SOC: Success/Failure
	148	+ Note over Runtime,SOC: Image Authorization
	149	+ loop n times
	150	+ SOC->>Runtime: AUTHORIZE_AND_STASH
	151	+ Runtime-->>SOC: Success/Failure
	152	+ end
	153	+
	154	+ Note over Runtime,SOC: DPE Attestation
	155	+ SOC->>Runtime: DPE Attestation
	156	+```
	157	+
	158	+## Mailbox commands
66	159
67	160	All mailbox command codes are little endian.
68	161
@@ -200,7 +293,7 @@
200	293
201	294	### GET\_LDEV\_CERT
202	295
203		-Exposes a command to get a self-signed LDevID certificate signed by IDevID.
	296	+Exposes a command to get an LDevID certificate signed by IDevID.
204	297
205	298	Command Code: `0x4C44_4556` ("LDEV")
206	299
@@ -221,7 +314,7 @@
221	314
222	315	### GET\_FMC\_ALIAS\_CERT
223	316
224		-Exposes a command to get a self-signed FMC alias certificate signed by LDevID.
	317	+Exposes a command to get an FMC alias certificate signed by LDevID.
225	318
226	319	Command Code: `0x4345_5246` ("CERF")
227	320
@@ -242,7 +335,7 @@
242	335
243	336	### GET\_RT\_ALIAS\_CERT
244	337
245		-Exposes a command to get a self-signed Runtime alias certificate signed by the FMC alias.
	338	+Exposes a command to get a Runtime alias certificate signed by the FMC alias.
246	339
247	340	Command Code: `0x4345_5252` ("CERR")
248	341
@@ -331,12 +424,13 @@
331	424
332	425	### STASH\_MEASUREMENT
333	426
334		-Makes a measurement into the DPE default context. This command is intendend for
	427	+Makes a measurement into the DPE default context. This command is intended for
335	428	callers who update infrequently and cannot tolerate a changing DPE API surface.
336	429
337	430	* Call the DPE DeriveContext command with the DefaultContext in the locality of
338	431	the PL0 PAUSER.
339	432	* Extend the measurement into PCR31 (`PCR_ID_STASH_MEASUREMENT`).
	433	+* Note: This command can only be called in the locality of the PL0 PAUSER.
340	434
341	435	Command Code: `0x4D45_4153` ("MEAS")
342	436
@@ -556,6 +650,8 @@
556	650	### FW\_INFO
557	651
558	652	Retrieves information about the current Runtime Firmware, FMC, and ROM.
	653	+
	654	+NOTE: Additional fields and info may be appended to the response in subsequent FW versions.
559	655
560	656	Command Code: `0x494E_464F` ("INFO")
561	657
@@ -582,6 +678,7 @@
582	678	\| rom_sha256_digest \| u32[8] \| Digest of ROM binary.
583	679	\| fmc_sha384_digest \| u32[12] \| Digest of FMC binary.
584	680	\| runtime_sha384_digest \| u32[12] \| Digest of runtime binary.
	681	+\| owner_pub_key_hash \| u32[12] \| Hash of the owner public keys provided in the image bundle manifest.
585	682
586	683	### VERSION
587	684
@@ -715,6 +812,225 @@
715	812	\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error.
716	813	\| certify\_key\_resp \| u8[2176] \| Certify Key Response.
717	814
	815	+### SET\_AUTH\_MANIFEST
	816	+
	817	+Command Code: `0x4154_4D4E` ("ATMN")
	818	+
	819	+Table: `SET_AUTH_MANIFEST` input arguments
	820	+
	821	+\| Name \| Type \| Description \|
	822	+\| ------------------------------ \| ------------------ \| --------------- \|
	823	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	824	+\| manifest size \| u32 \| The size of the full Authentication Manifest \|
	825	+\| manifest\_marker \| u32 \| Marker needs to be 0x4154_4D4E for the preamble to be valid \|
	826	+\| preamble\_size \| u32 \| Size of the preamble \|
	827	+\| manifest\_version \| u32 \| Version of the preamble \|
	828	+\| manifest\_flags \| u32 \| Manifest flags. See `AUTH_MANIFEST_FLAGS` below. \|
	829	+\| manifest\_vendor\_ecc384\_key \| u32[24] \| Manifest Vendor ECC P-384 public key used to verify the IMC Signature. <br> X-Coordinate: Public Key X-Coordinate (48 bytes) <br> Y-Coordinate: Public Key Y-Coordinate (48 bytes) \|
	830	+\| manifest\_vendor\_lms\_key \| u32[12] \| Manifest Vendor LMS public key used to verify the IMC Signature. <br> tree_type: LMS Algorithm Type (4 bytes) <br> otstype: LMS Ots Algorithm Type (4 bytes) <br> id: (16 bytes) <br> digest: (24 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. \|
	831	+\| manifest\_vendor\_ecc384\_sig \| u32[24] \| Manifest Vendor ECDSA P-384 signature of the Version, Flags, Vendor ECC and LMS public keys, hashed using SHA2-384. <br> R-Coordinate: Random Point (48 bytes) <br> S-Coordinate: Proof (48 bytes) \|
	832	+\| manifest\_vendor\_LMS\_sig \| u32[405] \| Vendor LMS signature of the Version, Flags, Vendor ECC and LMS public keys, hashed using SHA2-384. <br> q: Leaf of the Merkle tree where the OTS public key appears (4 bytes) <br> ots: Lmots Signature (1252 bytes) <br> tree_type: Lms Algorithm Type (4 bytes) <br> tree_path: Path through the tree from the leaf associated with the LM-OTS signature to the root. (360 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. \|
	833	+\| manifest\_owner\_ecc384\_key \| u32[24] \| Manifest Owner ECC P-384 public key used to verify the IMC Signature. <br> X-Coordinate: Public Key X-Coordinate (48 bytes) <br> Y-Coordinate: Public Key Y-Coordinate (48 bytes) \|
	834	+\| manifest\_owner\_lms\_key \| u32[12] \| Manifest Owner LMS public key used to verify the IMC Signature. <br> tree_type: LMS Algorithm Type (4 bytes) <br> otstype: LMS Ots Algorithm Type (4 bytes) <br> id: (16 bytes) <br> digest: (24 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. \|
	835	+\| manifest\_owner\_ecc384\_sig \| u32[24] \| Owner ECDSA P-384 signature of the Owner ECC and LMS public keys, hashed using SHA2-384. <br> R-Coordinate: Random Point (48 bytes) <br> S-Coordinate: Proof (48 bytes) \|
	836	+\| manifest\_owner\_LMS\_sig \| u32[405] \| Owner LMS signature of the Version, Flags, Owner ECC and LMS public keys, hashed using SHA2-384. <br> q: Leaf of the Merkle tree where the OTS public key appears (4 bytes) <br> ots: Lmots Signature (1252 bytes) <br> tree_type: Lms Algorithm Type (4 bytes) <br> tree_path: Path through the tree from the leaf associated with the LM-OTS signature to the root. (360 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. \|
	837	+\| metadata\_vendor\_ecc384\_sig \| u32[24] \| Metadata Vendor ECC384 signature over the image metadata collection using the manifest vendor ecc384 key. \|
	838	+\| metadata\_vendor\_LMS\_sig \| u32[405] \| Metadata Vendor LMOTS-SHA192-W4 signature over the image metadata collection using the manifest vendor LMS key. \|
	839	+\| metadata\_owner\_ecc384\_sig \| u32[24] \| Metadata Owner ECC384 signature over the image metadata collection using the manifest owner ecc384 key. \|
	840	+\| metadata\_owner\_LMS\_sig \| u32[405] \| Metadata Owner LMOTS-SHA192-W4 signature over the image metadata collection manifest owner LMS key. \|
	841	+\| metadata\_entry\_entry\_count \| u32 \| number of metadata entries \|
	842	+\| metadata\_entries \| MetaData[127] \| The max number of metadata entries is 127 but less can be used \|
	843	+
	844	+
	845	+
	846	+Table: `AUTH_MANIFEST_FLAGS` input flags
	847	+
	848	+\| Name \| Value \|
	849	+\| --------------------------- \| ----------- \|
	850	+\| VENDOR_SIGNATURE_REQUIRED \| 1 << 0 \|
	851	+
	852	+
	853	+Table: `AUTH_MANIFEST_METADATA_ENTRY` digest entries
	854	+
	855	+\| Name \| Type \| Description \|
	856	+\| --------------- \| ---------- \| ---------------------------------- \|
	857	+\| fw\_id \| u32 \| Id of the image \|
	858	+\| flags \| u32 \| See `METADATA_ENTRY_FLAGS` below \|
	859	+\| digest \| u32[48] \| Digest of the image \|
	860	+
	861	+
	862	+
	863	+Table: `METADATA_ENTRY_FLAGS` input flags
	864	+
	865	+\| Name \| Size (Bits) \| Description \|
	866	+\| --------------------- \| ----------------- \| ----------------- \|
	867	+\| image\_source \| 2 \| 1: InRequest \|
	868	+\| ignore\_auth\_check \| 1 \| If set, the image digest is not compared for the firmware id \|
	869	+
	870	+
	871	+Table: `SET_AUTH_MANIFEST` output arguments
	872	+
	873	+\| Name \| Type \| Description \|
	874	+\| -------- \| -------- \| --------------- \|
	875	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	876	+\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
	877	+
	878	+
	879	+
	880	+### AUTHORIZE_AND_STASH
	881	+
	882	+Command Code: `0x4154_5348` ("ATSH")
	883	+
	884	+Table: `AUTHORIZE_AND_STASH` input arguments
	885	+
	886	+\| Name \| Type \| Description \|
	887	+\| ------------ \| -------- \| --------------- \|
	888	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	889	+\| fw_id \| u8[4] \| Firmware id of the image, in little-endian format \|
	890	+\| measurement \| u8[48] \| Digest of the image requested for authorization \|
	891	+\| context \| u8[48] \| Context field for `svn`; e.g., a hash of the public key that authenticated the SVN. \|
	892	+\| svn \| u32 \| SVN \|
	893	+\| flags \| u32 \| See AUTHORIZE_AND_STASH_FLAGS below \|
	894	+\| source \| u32 \| Enumeration values: { InRequest(1) } \|
	895	+
	896	+
	897	+Table: `AUTHORIZE_AND_STASH_FLAGS` input flags
	898	+
	899	+\| Name \| Value \|
	900	+\| ------------ \| ------------ \|
	901	+\| SKIP\_STASH \| 1 << 0 \|
	902	+
	903	+
	904	+Table: `AUTHORIZE_AND_STASH` output arguments
	905	+\| Name \| Type \| Description
	906	+\| ----------------\| -------- \| ---------------
	907	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	908	+\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
	909	+\| auth_req_result \| u32 \| AUTHORIZE_IMAGE (0xDEADC0DE), IMAGE_NOT_AUTHORIZED (0x21523F21) or IMAGE_HASH_MISMATCH (0x8BFB95CB) \|
	910	+
	911	+
	912	+### GET\_IDEVID\_CSR
	913	+
	914	+Command Code: `0x4944_4352` ("IDCR")
	915	+
	916	+Table: `GET_IDEVID_CSR` input arguments
	917	+
	918	+\| Name \| Type \| Description
	919	+\| -------- \| -------- \| ---------------
	920	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	921	+
	922	+
	923	+Table: `GET_IDEVID_CSR` output arguments
	924	+\| Name \| Type \| Description
	925	+\| -------- \| -------- \| ---------------
	926	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	927	+\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
	928	+\| data \| u8[...] \| DER-encoded IDevID certificate signing request. \|
	929	+
	930	+
	931	+The `mfg_flag_gen_idev_id_csr` manufacturing flag MUST have been set to generate a CSR.
	932	+
	933	+When called from ROM, if the CSR was not previously provisioned this command will return `FW_PROC_MAILBOX_UNPROVISIONED_CSR(0x0102000A)`.
	934	+
	935	+When called from runtime, if the CSR was not previously provisioned this command will return `RUNTIME_GET_IDEV_ID_UNPROVISIONED(0x000E0051)`. If the ROM did not support CSR generation, this command will return `RUNTIME_GET_IDEV_ID_UNSUPPORTED_ROM(0x000E0052)`.
	936	+
	937	+
	938	+
	939	+When the `mfg_flag_gen_idev_id_csr` flag has been set, the SoC MUST wait for the `flow_status_set_idevid_csr_ready` bit to be set by Caliptra. Once set, the SoC MUST clear the `mfg_flag_gen_idev_id_csr` flag for Caliptra to progress.
	940	+
	941	+### GET\_FMC\_ALIAS\_CSR
	942	+
	943	+Command Code: `0x464D_4352` ("FMCR")
	944	+
	945	+Table: `GET_FMC_ALIAS_CSR` input arguments
	946	+
	947	+\| Name \| Type \| Description
	948	+\| -------- \| -------- \| ---------------
	949	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	950	+
	951	+
	952	+Table: `GET_FMC_ALIAS_CSR` output arguments
	953	+\| Name \| Type \| Description
	954	+\| -------- \| -------- \| ---------------
	955	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	956	+\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
	957	+\| data \| u8[...] \| DER-encoded FMC ALIAS certificate signing request. \|
	958	+
	959	+
	960	+The FMC Alias CSR is generated unconditionally on every cold boot.
	961	+
	962	+### SIGN\_WITH\_EXPORTED\_ECDSA
	963	+
	964	+Command Code: `0x5357_4545` ("SWEE")
	965	+
	966	+Note: This command is only available in the locality of the PL0 PAUSER.
	967	+
	968	+Table: `SIGN_WITH_EXPORTED_ECDSA` input arguments
	969	+
	970	+\| Name \| Type \| Description
	971	+\| -------- \| -------- \| ---------------
	972	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	973	+\| exported_cdi_handle \| u8[32] \| The Exported CDI handle returned by the DPE `DeriveContext` command. Little endian. \|
	974	+\| tbs \| u8[48] \| The bytes to be signed. Little endian. \|
	975	+
	976	+
	977	+Table: `SIGN_WITH_EXPORTED_ECDSA` output arguments
	978	+\| Name \| Type \| Description
	979	+\| -------- \| -------- \| ---------------
	980	+\| derived_pubkey_x \| u8[48] \| The X BigNum of the ECDSA public key associated with the signing key. \|
	981	+\| derived_pubkey_y \| u8[48] \| The Y BigNum of the ECDSA public key associated with the signing key. \|
	982	+\| signature_r \| u8[48] \| The R BigNum of an ECDSA signature. \|
	983	+\| signature_s \| u8[48] \| The S BigNum of an ECDSA signature. \|
	984	+
	985	+
	986	+The `exported_cdi` can be created by calling `DeriveContext` with the `export-cdi` and `create-certificate` flags.
	987	+
	988	+### REVOKE\_EXPORTED\_CDI\_HANDLE
	989	+
	990	+Command Code: `5256_4348` ("RVCH")
	991	+
	992	+Note: This command is only available in the locality of the PL0 PAUSER.
	993	+
	994	+Table: `REVOKE_EXPORTED_CDI_HANDLE` input arguments
	995	+
	996	+\| Name \| Type \| Description
	997	+\| -------- \| -------- \| ---------------
	998	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	999	+\| exported_cdi_handle \| u8[32] \| The Exported CDI handle returned by the DPE `DeriveContext` command. Little endian. \|
	1000	+
	1001	+
	1002	+The `exported_cdi` can be created by calling `DeriveContext` with the `export-cdi` and `create-certificate` flags.
	1003	+
	1004	+The `exported_cdi_handle` is no longer usable after calling `REVOKE_EXPORTED_CDI_HANDLE` with it. After the `exported_cdi_handle`
	1005	+has been revoked, a new exported CDI can be created by calling `DeriveContext` with the `export-cdi` and `create-certificate` flags.
	1006	+
	1007	+### REALLOCATE\_DPE\_CONTEXT\_LIMITS
	1008	+
	1009	+Command Code: '5243_5458` ("RCTX")
	1010	+
	1011	+Note: This command is only available in the locality of the PL0 PAUSER.
	1012	+
	1013	+Table: `REALLOCATE_DPE_CONTEXT_LIMITS` input arguments
	1014	+
	1015	+\| Name \| Type \| Description
	1016	+\| -------- \| -------- \| ---------------
	1017	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	1018	+\| pl0_context_limit \| u32 \| Number of contexts to allocate to PL0. PL1 will receive remaining contexts. \|
	1019	+
	1020	+
	1021	+Table: `REALLOCATE_DPE_CONTEXT_LIMITS` output arguments
	1022	+\| Name \| Type \| Description
	1023	+\| -------- \| -------- \| ---------------
	1024	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	1025	+\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
	1026	+\| new_pl0_context_limit \| u32 \| Number of contexts assigned to PL0 after the reallocation \|
	1027	+\| new_pl1_context_limit \| u32 \| Number of contexts assigned to PL1 after the reallocation \|
	1028	+
	1029	+
	1030	+This allows the user to reallocate the 32 DPE contexts between PL0 and PL1. By default, each gets 16 contexts.
	1031	+
	1032	+Note: 2 PL0 contexts are used by Caliptra itself during initialization.
	1033	+
718	1034	## Checksum
719	1035
720	1036	For every command except for FW_LOAD, the request and response feature a checksum. This
@@ -780,10 +1096,10 @@
780	1096
781	1097	1. Validate DPE state in SRAM
782	1098	1. Ensure the TCI tree is well-formed
783		- 1. Ensure all nodes chain to the root (TYPE = RTJM, “Internal TCI” flag is set)
	1099	+ 1. Ensure all nodes chain to the root (TYPE = RTMR, “Internal TCI” flag is set)
784	1100	1. Verify that the “Latest TCI” field of the TCI Node that contains the
785		- Runtime Journey PCR (TYPE = RTJM, “Internal TCI” flag is set) matches the
786		- “Latest” Runtime PCR value from PCRX
	1101	+ Runtime PCRs (TYPE = RTMR, “Internal TCI” flag is set) matches the
	1102	+ “Latest” and Journey Runtime PCR values.
787	1103	1. Ensure `SHA384_HASH(0x00..00, TCI from SRAM) == RT_FW_JOURNEY_PCR`
788	1104	1. Check that retired and inactive contexts do not have tags
789	1105	1. If any validations fail, Runtime Firmware executes the
@@ -860,6 +1176,7 @@
860	1176	* GetProfile
861	1177	* InitializeContext
862	1178	* DeriveContext
	1179	+ * Note: The "export-cdi" flag is only available in the locality of the PL0 PAUSER.
863	1180	* CertifyKey
864	1181	* Caliptra DPE supports two formats for CertifyKey: X.509 and PKCS#10 CSR.
865	1182	X.509 is only available to PL0 PAUSERs.
@@ -884,9 +1201,9 @@
884	1201
885	1202	* Runtime Firmware SHALL initialize the default context in “internal-cdi” mode.
886	1203	* Perform the following initial measurements:
887		- * Call DeriveContext with Caliptra Journey PCR
	1204	+ * Call DeriveContext with Caliptra RT PCRs
888	1205	* INPUT\_DATA = PCRX (RT journey PCR as defined in the FHT)
889		- * TYPE = “RTJM”
	1206	+ * TYPE = “RTMR”
890	1207	* CONTEXT\_HANDLE = default context
891	1208	* TARGET\_LOCALITY = Caliptra locality (0xFFFFFFFF)
892	1209	* Call DeriveContext with mailbox valid PAUSERS
@@ -951,29 +1268,29 @@
951	1268
952	1269	### DPE leaf certificate definition
953	1270
954		-\| Field \| Sub field \| Value
955		-\| ------------- \| --------- \| ---------
956		-\| Version \| v3 \| 2
957		-\| Serial Number \| \| First 20 bytes of sha256 hash of DPE Alias public key
958		-\| Issuer Name \| CN \| Caliptra Runtime Alias
959		-\| \| serialNumber \| First 20 bytes of sha384 hash of Runtime Alias public key
960		-\| Validity \| notBefore \| notBefore from firmware manifest
961		-\| \| notAfter \| notAfter from firmware manifest
962		-\| Subject Name \| CN \| Caliptra DPE Leaf
963		-\| \| serialNumber \| SHA384 hash of Subject public key
964		-\| Subject Public Key Info \| Algorithm \| ecdsa-with-SHA384
965		-\| \| Parameters \| Named Curve = prime384v1
966		-\| \| Public Key \| DPE Alias Public Key value
967		-\| Signature Algorithm Identifier \| Algorithm \| ecdsa-with-SHA384
968		-\| \| Parameters \| Named Curve = prime384v1
969		-\| Signature Value \| \| Digital signature for the certificate
970		-\| KeyUsage \| keyCertSign \| 1
971		-\| Basic Constraints \| CA \| False
972		-\| Policy OIDs \| \| id-tcg-kp-attestLoc
973		-\| tcg-dice-MultiTcbInfo\* \| FWIDs \| [0] "Journey" TCI Value
974		-\| \| \| [1] "Current" TCI Value. Latest `INPUT_DATA` made by DeriveContext.
975		-\| \| Type \| 4-byte TYPE field of TCI node
976		-\| \| VendorInfo \| Locality of the caller (analog for PAUSER)
	1271	+\| Field \| Sub field \| Value
	1272	+\| ------------- \| --------- \| ---------
	1273	+\| Version \| v3 \| 2
	1274	+\| Serial Number \| \| First 20 bytes of sha256 hash of DPE Alias public key
	1275	+\| Issuer Name \| CN \| Caliptra Runtime Alias
	1276	+\| \| serialNumber \| First 20 bytes of sha384 hash of Runtime Alias public key
	1277	+\| Validity \| notBefore \| notBefore from firmware manifest
	1278	+\| \| notAfter \| notAfter from firmware manifest
	1279	+\| Subject Name \| CN \| Caliptra DPE Leaf
	1280	+\| \| serialNumber \| SHA384 hash of Subject public key
	1281	+\| Subject Public Key Info \| Algorithm \| ecdsa-with-SHA384
	1282	+\| \| Parameters \| Named Curve = prime384v1
	1283	+\| \| Public Key \| DPE Alias Public Key value
	1284	+\| Signature Algorithm Identifier \| Algorithm \| ecdsa-with-SHA384
	1285	+\| \| Parameters \| Named Curve = prime384v1
	1286	+\| Signature Value \| \| Digital signature for the certificate
	1287	+\| KeyUsage \| keyCertSign \| 1
	1288	+\| Basic Constraints \| CA \| False
	1289	+\| Policy OIDs \| \| id-tcg-kp-attestLoc
	1290	+\| tcg-dice-MultiTcbInfo\* \| FWIDs \| [0] "Current" TCI Value. Latest `INPUT_DATA` made by DeriveContext
	1291	+\| \| IntegrityRegisters \| [0] "Journey" TCI Value.
	1292	+\| \| Type \| 4-byte TYPE field of TCI node
	1293	+\| \| VendorInfo \| Locality of the caller (analog for PAUSER)
977	1294
978	1295	\*MultiTcbInfo contains one TcbInfo for each TCI Node in the path from the
979	1296	current TCI Node to the root. Max of 32.

Changes to Runtime Specification