Diff: FMC Specification

@@ -1,8 +1,10 @@
1	1	<div style="font-size: 0.85em; color: #656d76; margin-bottom: 1em; padding: 0.5em; background: #f6f8fa; border-radius: 4px;">
2		-📄 Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/e6e5db26702ee88d530d2789ac87749472a6641c/fmc/README.md" target="_blank">chipsalliance/caliptra-sw/fmc/README.md</a> @ <code>e6e5db2</code>
	2	+📄 Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/e56467181b5313e53cf6cdc92f705a4127480fc2/fmc/README.md" target="_blank">chipsalliance/caliptra-sw/fmc/README.md</a> @ <code>e564671</code>
3	3	</div>
4	4
5		-# Caliptra - FMC Specification v1.0
	5	+# Caliptra - FMC Specification v2.0.1
	6	+
	7	+Spec Version: 0.9
6	8
7	9	## Scope
8	10
@@ -106,37 +108,44 @@
106	108	\| fht_minor_ver \| 2 \| ROM, FMC \| Minor version of FHT. Initially written by ROM but may be changed to a higher version by FMC. \|
107	109	\| manifest_load_addr \| 4 \| ROM \| Physical base address of Manifest in DCCM SRAM. \|
108	110	\| fips_fw_load_addr_hdl \| 4 \| ROM \| Handle of base address of FIPS Module in ROM or ICCM SRAM. May be 0xFF if there is no discrete module. \|
109		-\| rt_fw_entry_point_hdl \| 4 \| ROM \| Handle of entry point of Runtime FW Module value in data vault. SRAM. \|
110		-\| fmc_tci_dv_hdl \| 4 \| ROM \| Handle of FMC TCI value in the Data Vault. \|
111	111	\| fmc_cdi_kv_hdl \| 4 \| ROM \| Handle of FMC CDI value in the Key Vault. Value of 0xFF indicates not present. \|
112		-\| fmc_priv_key_kv_hdl \| 4 \| ROM \| Handle of FMC Private Alias Key in the Key Vault. \|
113		-\| fmc_pub_key_x_dv_hdl \| 4 \| ROM \| Handle of FMC Public Alias Key X Coordinate in the Data Vault. \|
114		-\| fmc_pub_key_y_dv_hdl \| 4 \| ROM \| Handle of FMC Public Alias Key Y Coordinate in the Data Vault \|
115		-\| fmc_cert_sig_r_dv_hdl \| 4 \| ROM \| Handle of FMC Certificate Signature R Component in the Data Vault. \|
116		-\| fmc_cert_sig_s_dv_hdl \| 4 \| ROM \| Handle of FMC Certificate Signature S Component in the Data Vault. \|
117		-\| fmc_svn_dv_hdl \| 4 \| ROM \| Handle of FMC SVN value in the Data Vault. \|
118		-\| rt_tci_dv_hdl \| 4 \| ROM \| Handle of RT TCI value in the Data Vault. \|
	112	+\| fmc_priv_key_ecdsa_kv_hdl \| 4 \| ROM \| Handle of FMC Alias ECDSA Private Key in the Key Vault. \|
	113	+\| fmc_keypair_seed_mldsa_kv_hdl \| 4 \| ROM \| Handle of FMC Alias MLDSA Key Pair Generation Seed in the Key Vault. \|
	114	+\| fmc_pub_key_ecdsa_x_dv_hdl \| 4 \| ROM \| Handle of FMC Alias ECDSA Public Key X Coordinate in the DCCM datavault. \|
	115	+\| fmc_pub_key_ecdsa_y_dv_hdl \| 4 \| ROM \| Handle of FMC Alias ECDSA Public Key Y Coordinate in the DCCM datavault. \|
	116	+\| fmc_pub_key_mldsa_dv_hdl \| 4 \| ROM \| Handle of FMC Alias MLDSA Public Key in the DCCM datavault. \|
	117	+\| fmc_cert_sig_ecdsa_r_dv_hdl \| 4 \| ROM \| Handle of FMC Certificate ECDSA Signature R Component in the DCCM datavault. \|
	118	+\| fmc_cert_sig_ecdsa_s_dv_hdl \| 4 \| ROM \| Handle of FMC Certificate ECDSA Signature S Component in the DCCM datavault. \|
	119	+\| fmc_cert_sig_mldsa_dv_hdl \| 4 \| ROM \| Handle of FMC Certificate MLDSA Signature in the DCCM datavault. \|
119	120	\| rt_cdi_kv_hdl \| 4 \| FMC \| Handle of RT CDI value in the Key Vault. \|
120		-\| rt_priv_key_kv_hdl \| 4 \| FMC \| Handle of RT Private Alias Key in the Key Vault. \|
121		-\| rt_svn_dv_hdl \| 4 \| FMC \| Handle of RT SVN value in the Data Vault. \|
122		-\| rt_min_svn_dv_hdl \| 4 \| FMC \| Handle of Min RT SVN value in the Data Vault. \|
123		-\| ldevid_tbs_addr \| 4 \| ROM \| Local Device ID TBS Address. \|
124		-\| fmcalias_tbs_addr \| 4 \| ROM \| FMC Alias TBS Address. \|
125		-\| ldevid_tbs_size \| 2 \| ROM \| Local Device ID TBS Size. \|
126		-\| fmcalias_tbs_size \| 2 \| ROM \| FMC Alias TBS Size. \|
	121	+\| rt_priv_key_ecdsa_kv_hdl \| 4 \| FMC \| Handle of RT Alias ECDSA Private Key in the Key Vault. \|
	122	+\| rt_keygen_seed_mldsa_kv_hdl \| 4 \| FMC \| Handle of RT Alias MLDSA Key Generation Seed in the Key Vault. \|
	123	+\| ldevid_tbs_ecdsa_addr \| 4 \| ROM \| Local Device ID ECDSA TBS Address. \|
	124	+\| fmcalias_tbs_ecdsa_addr \| 4 \| ROM \| FMC Alias TBS ECDSA Address. \|
	125	+\| ldevid_tbs_mldsa_addr \| 4 \| ROM \| Local Device ID MLDSA TBS Address. \|
	126	+\| fmcalias_tbs_mldsa_addr \| 4 \| ROM \| FMC Alias TBS MLDSA Address. \|
	127	+\| ldevid_tbs_ecdsa_size \| 2 \| ROM \| Local Device ID ECDSA TBS Size. \|
	128	+\| fmcalias_tbs_ecdsa_size \| 2 \| ROM \| FMC Alias TBS ECDSA Size. \|
	129	+\| ldevid_tbs_mldsa_size \| 2 \| ROM \| Local Device ID MLDSA TBS Size. \|
	130	+\| fmcalias_tbs_mldsa_size \| 2 \| ROM \| FMC Alias TBS MLDSA Size. \|
127	131	\| pcr_log_addr \| 4 \| ROM \| PCR Log Address. \|
128	132	\| pcr_log_index \| 4 \| ROM \| Last empty PCR log entry slot index. \|
129	133	\| meas_log_addr \| 4 \| ROM \| Measurement Log Address. \|
130	134	\| meas_log_index \| 4 \| ROM \| Last empty Measurement log entry slot index. \|
131	135	\| fuse_log_addr \| 4 \| ROM \| Fuse Log Address. \|
132		-\| rt_dice_pub_key \| 96 \| FMC \| RT Alias DICE Public Key. \|
133		-\| rt_dice_sign \| 96 \| FMC \| RT Alias DICE signature. \|
134		-\| ldevid_cert_sig_r_dv_hdl \| 4 \| ROM \| Handle of LDevId Certificate Signature R Component in the Data Vault. \|
135		-\| ldevid_cert_sig_s_dv_hdl \| 4 \| ROM \| Handle of LDevId Certificate Signature S Component in the Data Vault. \|
136		-\| idev_dice_pub_key \| 96 \| ROM \| Initial Device ID Public Key. \|
137		-\| rom_info_addr \| 4 \| ROM \| Address of ROMInfo struct describing the ROM digest and git commit. \|
138		-\| rtalias_tbs_size \| 2 \| FMC \| RT Alias TBS Size. \|
139		-\| reserved \| 1650 \|\| Reserved for future use. \|
	136	+\| rt_dice_pub_key_ecdsa \| 96 \| FMC \| RT Alias DICE ECDSA Public Key. \|
	137	+\| rt_dice_pub_key_mldsa_dv_hdl \| 4 \| FMC \| RT Alias DICE MLDSA Public Key in the DCCM datavault. \|
	138	+\| rt_dice_sign_ecdsa \| 96 \| FMC \| RT Alias DICE ECDSA signature. \|
	139	+\| rt_dice_sign_mldsa_dv_hdl \| 4 \| FMC \| RT Alias DICE MLDSA signature in the DCCM datavault. \|
	140	+\| ldevid_cert_sig_ecdsa_r_dv_hdl \| 4 \| ROM \| Handle of LDevId Certificate ECDSA Signature R Component in the DCCM datavault. \|
	141	+\| ldevid_cert_sig_ecdsa_s_dv_hdl \| 4 \| ROM \| Handle of LDevId Certificate ECDSA Signature S Component in the DCCM datavault. \|
	142	+\| ldevid_cert_sig_mldsa_dv_hdl \| 4 \| ROM \| Handle of LDevId Certificate MLDSA Signature in the DCCM datavault. \|
	143	+\| idev_dice_pub_key_ecdsa \| 96 \| ROM \| Initial Device ID ECDSA Public Key. \|
	144	+\| idev_dice_pub_key_mldsa_dv_hdl \| 4 \| ROM \| Initial Device ID MLDSA Public Key in the DCCM datavault. \|
	145	+\| rom_info_addr \| 4 \| ROM \| Address of ROM Info struct describing the ROM digest and git commit. \|
	146	+\| rtalias_tbs_ecdsa_size \| 2 \| FMC \| RT Alias ECDSA TBS Size. \|
	147	+\| rtalias_tbs_mldsa_size \| 2 \| FMC \| RT Alias MLDSA TBS Size. \|
	148	+\| reserved \| 1588 \|\| Reserved for future use. \|
140	149
141	150
142	151	FHT is currently defined to be 2048 bytes in length.
@@ -167,69 +176,77 @@
167	176	discrete FIPS module does not exist, then this field shall be 0xFF and ROM, FMC, and RT FW must all carry their own code for accessing crypto resources and
168	177	keys.
169	178
170		-### rt_fw_entry_point_hdl
171		-
172		-This field provides the Handle of the DV entry that stores the physical address of the Entry Point of Runtime FW Module in ICCM SRAM.
173		-
174		-### fmc_tci_dv_hdl
175		-
176		-This field provides the Handle into the Data Vault where the TCI<sub>FMC</sub> is stored. TCI<sub>FMC</sub> is a SHA-384 Hash of the FMC Module.
177		-
178	179	### fmc_cdi_kv_hdl
179	180
180	181	This field provides the Handle into the Key Vault where the CDI<sub>FMC</sub> is stored.
181	182
182		-### fmc_priv_key_kv_hdl
183		-
184		-This field provides the Handle into the Key Vault where the PrivateKey<sub>FMC</sub> is stored.
185		-
186		-### fmc_pub_key_x_dv_hdl, fmc_pub_key_y_dv_hdl
187		-
188		-These fields provide the indices into the Data Vault where the PublicKey<sub>FMC</sub> X and Y coordinates are stored.
189		-
190		-### fmc_cert_sig_r_dv_hdl, fmc_cert_sig_s_dv_hdl
191		-
192		-These fields provide the indices into the Data Vault where the Signature<sub>FMC</sub> R and S coordinates are stored.
193		-
194		-### fmc_svn_dv_hdl
195		-
196		-This field provides the Handle into the Data Vault where the SVN<sub>FMC</sub> is stored.
197		-
198		-### rt_tci_dv_hdl
199		-
200		-This field provides the Handle into the Data Vault where the TCI<sub>RT</sub> is stored. TCI<sub>RT</sub> is a SHA-384 Hash of the RT FW Module.
	183	+### fmc_priv_key_ecdsa_kv_hdl
	184	+
	185	+This field provides the Handle into the Key Vault where the ECDSA PrivateKey<sub>FMC</sub> is stored.
	186	+
	187	+### fmc_keypair_seed_mldsa_kv_hdl
	188	+
	189	+This field provides the Handle into the Key Vault where the MLDSA Key Generation Seed<sub>FMC</sub> is stored.
	190	+
	191	+### fmc_pub_key_ecdsa_x_dv_hdl, fmc_pub_key_ecdsa_y_dv_hdl
	192	+
	193	+These fields provide the Handle into the DCCM datavault where the ECDSA PublicKey<sub>FMC</sub> X and Y coordinates are stored.
	194	+
	195	+### fmc_pub_key_mldsa_dv_hdl
	196	+
	197	+This field provides the Handle into the DCCM datavault where the MLDSA PublicKey<sub>FMC</sub> is stored.
	198	+
	199	+### fmc_cert_sig_ecdsa_r_dv_hdl, fmc_cert_sig_ecdsa_s_dv_hdl
	200	+
	201	+These fields provide the Handle into the DCCM datavault where the ECDSA Signature<sub>FMC</sub> R and S coordinates are stored.
	202	+
	203	+### fmc_cert_sig_mldsa_dv_hdl
	204	+
	205	+This field provides the Handle into the DCCM datavault where the MLDSA Signature<sub>FMC</sub> is stored.
201	206
202	207	### rt_cdi_kv_hdl
203	208
204	209	This field provides the Handle into the Key Vault where the CDI<sub>RT</sub> is stored.
205	210
206		-### rt_priv_key_kv_hdl
207		-
208		-This field provides the Handle into the Key Vault where the PrivateKey<sub>RT</sub> is stored.
209		-
210		-### rt_svn_dv_hdl
211		-
212		-This field provides the Handle into the Data Vault where the SVN<sub>RT</sub> is stored.
213		-
214		-### rt_min_svn_dv_hdl
215		-
216		-This field provides the Handle into the Data Vault where the Min-SVN<sub>RT</sub> is stored. Upon cold-boot this is set to SVN<sub>RT</sub>. On subsequent boots this is set to MIN(SVN<sub>RT</sub>, Min-SVN<sub>RT</sub>).
217		-
218		-### ldevid_tbs_addr
219		-
220		-This field provides the address of the To Be Signed portion of the LDevID certificate.
221		-
222		-### fmcalias_tbs_addr
223		-
224		-This field provides the address of the To Be Signed portion of the FMC Alias certificate.
225		-
226		-### ldevid_tbs_size
227		-
228		-This field provides the size of the To Be Signed portion of the LDevID certificate.
229		-
230		-### fmcalias_tbs_size
231		-
232		-This field provides the size of the To Be Signed portion of the FMC Alias certificate.
	211	+### rt_priv_key_ecdsa_kv_hdl
	212	+
	213	+This field provides the Handle into the Key Vault where the ECDSA PrivateKey<sub>RT</sub> is stored.
	214	+
	215	+### rt_keygen_seed_mldsa_kv_hdl
	216	+
	217	+This field provides the Handle into the Key Vault where the MLDSA Key Generation Seed<sub>RT</sub> is stored.
	218	+
	219	+### ldevid_tbs_ecdsa_addr
	220	+
	221	+This field provides the address of the To Be Signed portion of the LDevID ECDSA certificate.
	222	+
	223	+### fmcalias_tbs_ecdsa_addr
	224	+
	225	+This field provides the address of the To Be Signed portion of the FMC Alias ECDSA certificate.
	226	+
	227	+### ldevid_tbs_mldsa_addr
	228	+
	229	+This field provides the address of the To Be Signed portion of the LDevID MLDSA certificate.
	230	+
	231	+### fmcalias_tbs_mldsa_addr
	232	+
	233	+This field provides the address of the To Be Signed portion of the FMC Alias MLDSA certificate.
	234	+
	235	+### ldevid_tbs_ecdsa_size
	236	+
	237	+This field provides the size of the To Be Signed portion of the LDevID ECDSA certificate.
	238	+
	239	+### fmcalias_tbs_ecdsa_size
	240	+
	241	+This field provides the size of the To Be Signed portion of the FMC Alias ECDSA certificate.
	242	+
	243	+### ldevid_tbs_mldsa_size
	244	+
	245	+This field provides the size of the To Be Signed portion of the LDevID MLDSA certificate.
	246	+
	247	+### fmcalias_tbs_mldsa_size
	248	+
	249	+This field provides the size of the To Be Signed portion of the FMC Alias MLDSA certificate.
233	250
234	251	### pcr_log_addr
235	252
@@ -251,38 +268,58 @@
251	268
252	269	This field provides the address of the Fuse Log
253	270
254		-### rt_dice_pub_key
255		-
256		-This field provides the Runtime Alias Public Key.
257		-
258		-### rt_dice_sign
259		-
260		-This field provides the Runtime Alias certificate signature.
261		-
262		-### ldevid_cert_sig_r_dv_hdl, ldevid_cert_sig_s_dv_hdl
263		-
264		-These fields provide the indices into the Data Vault where the Signature<sub>LDevId</sub> R and S coordinates are stored.
265		-
266		-### idev_dice_pub_key
267		-
268		-This field provides the IDevID Public Key.
	271	+### rt_dice_pub_key_ecdsa
	272	+
	273	+This field provides the Runtime Alias ECDSA Public Key.
	274	+
	275	+### rt_dice_pub_key_mldsa_dv_hdl
	276	+
	277	+This field provides the Handle into the DCCM datavault where the Runtime Alias MLDSA Public Key is stored.
	278	+
	279	+### rt_dice_sign_ecdsa
	280	+
	281	+This field provides the Runtime Alias certificate ECDSA signature.
	282	+
	283	+### rt_dice_sign_mldsa_dv_hdl
	284	+
	285	+This field provides the Handle into the DCCM datavault where the Runtime Alias certificate MLDSA signature is stored.
	286	+
	287	+### ldevid_cert_sig_ecdsa_r_dv_hdl, ldevid_cert_sig_ecdsa_s_dv_hdl
	288	+
	289	+These fields provide the Handle into the DCCM datavault where the ECDSA Signature<sub>LDevId</sub> R and S coordinates are stored.
	290	+
	291	+### ldevid_cert_sig_mldsa_dv_hdl
	292	+
	293	+This field provides the Handle into the DCCM datavault where the MLDSA Signature<sub>LDevId</sub> is stored.
	294	+
	295	+### idev_dice_pub_key_ecdsa
	296	+
	297	+This field provides the ECDSA IDevID Public Key.
	298	+
	299	+### idev_dice_pub_key_mldsa_dv_hdl
	300	+
	301	+This field provides the Handle into the DCCM datavault where the MLDSA IDevID Public Key is stored.
269	302
270	303	### rom_info_addr
271	304
272	305	This field provides the address of the RomInfo structure.
273	306
274		-### rtalias_tbs_size
275		-
276		-This field provides the size of the To Be Signed portion of the Runtime Alias certificate.
277		-
278		-### rt_hash_chain_max_svn
279		-
280		-This field informs firmware of the maximum RT SVN, which value was used
281		-to determine the length of RT FW's hash chain.
282		-
283		-### rt_hash_chain_kv_hdl
284		-
285		-This field provides the Handle into the Key Vault where RT's hash chain is stored.
	307	+### rtalias_tbs_ecdsa_size
	308	+
	309	+This field provides the size of the To Be Signed portion of the Runtime Alias ECDSA certificate.
	310	+
	311	+### rtalias_tbs_mldsa_size
	312	+
	313	+This field provides the size of the To Be Signed portion of the Runtime Alias MLDSA certificate.
	314	+
	315	+### fw_key_ladder_max_svn
	316	+
	317	+This field informs firmware of the maximum FW SVN, which value was used
	318	+to determine the length of FW's key ladder.
	319	+
	320	+### fw_key_ladder_kv_hdl
	321	+
	322	+This field provides the Handle into the Key Vault where FW's key ladder is stored.
286	323
287	324	### reserved
288	325
@@ -305,21 +342,22 @@
305	342	1. FMC locates the discrete FW-based FIPS Crypto Module in ICCM using fht.fips_fw_base_addr (if not 0xFFFF_FFFF) and calls its initialization routine. Otherwise FMC
306	343	utilizes the ROM-based FIPS Crypto Module or its own internal FIPS Crypto services in implementations without a discrete FW-based FIPS Crypto Module.
307	344	1. FMC locates the Manifest at fht.manifest_load_addr.
308		-1. FMC reads the measurement of the Runtime FW Module, TCI<sub>RT</sub>, from the Data Vault that has previously been validated by ROM.
	345	+1. FMC reads the measurement of the Runtime FW Module, TCI<sub>RT</sub>, from the DCCM datavault that has previously been validated by ROM.
309	346	1. FMC reads the manifest address of the Image Bundle from the HandOff Table, and calculates the SHA-384 TCI<sub>MAN</sub>
310	347	1. FMC clears Current PCR
311	348	1. FMC extends Current and Journey PCR registers with TCI<sub>RT</sub>.
312	349	1. FMC extends Current and Journey PCR registers with TCI<sub>MAN</sub>.
313	350	1. FMC locks Current and Journey PCR registers.
314	351	1. FMC derives CDI<sub>RT</sub> from CDI<sub>FMC</sub> mixed with TCI<sub>RT</sub> and TCI<sub>MAN</sub>, then stores it in the Key Vault.
315		-1. FMC updates fht.rt_cdi_kv_hdl in the FHT.
316		-1. FMC derives AliasKeyPair<sub>RT</sub> from CDI<sub>RT</sub>. The Private Key is stored in the Key Vault while the Public Key X and Y coordinates are stored
317		- in the Data Vault.
318		-1. FMC updates fht.rt_priv_key_kv_hdl, fht.rt_pub_key_x_dv_hdl, and fht.rt_pub_key_y_dv_hdl in the FHT.
319		-1. FMC generates an x509 certificate with PubKey<sub>RT</sub> as the subject and signed by PrivKey<sub>FMC</sub>.
320		-1. FMC stores the Cert<sub>RT</sub> signature in the Data Vault.
321		-1. FMC updates fht.rt_cert_sig_r_dv_hdl and fht.rt_cert_sig_r_dv_hdl in the FHT.
322		-1. FMC ensures that CDI<sub>FMC</sub> and PrivateKey<sub>FMC</sub> are locked to block further usage until the next boot.
	352	+1. FMC updates fht.rt_cdi_ecdsa_kv_hdl and fht.rt_cdi_mldsa_kv_hdl in the FHT.
	353	+1. FMC derives ECDSA and MLDSA AliasKeyPair<sub>RT</sub> from CDI<sub>RT</sub>. The ECDSA Private Key and the MLDSA Key Generation Seed are stored in the Key Vault, while the ECDSA Public Key X and Y coordinates and MLDSA Public Key are stored in the DCCM datavault.
	354	+1. FMC updates fht.rt_priv_key_ecdsa_kv_hdl, fht.rt_pub_key_ecdsa_x_dv_hdl, and fht.rt_pub_key_ecdsa_y_dv_hdl in the FHT.
	355	+1. FMC updates fht.rt_keypair_seed_mldsa_kv_hdl and fht.rt_pub_key_mldsa_dv_hdl in the FHT.
	356	+1. FMC generates ECDSA and MLDSA x509 certificates with ECDSA and MLDSA PubKeys<sub>RT</sub> as the subject and signed by PrivKeys<sub>FMC</sub>.
	357	+1. FMC stores the ECDSA and MLDSA Cert<sub>RT</sub> signatures in the DCCM datavault.
	358	+1. FMC updates fht.rt_cert_sig_ecdsa_r_dv_hdl and fht.rt_cert_sig_ecdsa_s_dv_hdl in the FHT.
	359	+1. FMC updates fht.rt_cert_sig_mldsa_dv_hdl in the FHT.
	360	+1. FMC ensures that CDI<sub>FMC</sub>, ECDSA PrivateKey<sub>FMC</sub> and MLDSA KeyPair Generation Seed<sub>FMC</sub> are locked to block further usage until the next boot.
323	361	1. FMC locates the Runtime FW Module in ICCM at fht.rt_fw_load_addr.
324	362	1. FMC jumps to the Runtime FW Module entry point at fht.rt_fw_entry_point.
325	363
@@ -327,18 +365,32 @@
327	365
328	366	- Vault state as follows:
329	367
330		-\| Slot \| Key Vault \| PCR Bank \| Data Vault 48 Byte (Sticky) \| Data Vault 4 Byte (Sticky) \|
331		-\| ------ \| ----------- \| ---------- \| ----------------------------- \| ---------------------------- \|
332		-\| 0 \|\|\| 🔒LDevID Pub Key X \| 🔒FMC SVN \|
333		-\| 1 \|\|\| 🔒LDevID Pub Key Y \| 🔒Manufacturer Public Key Index \|
334		-\| 2 \|\|\| 🔒LDevID Cert Signature R \|
335		-\| 3 \|\|\| 🔒LDevID Cert Signature S \|
336		-\| 4 \|\|\| 🔒Alias FMC Pub Key X \|
337		-\| 5 \|\|\| 🔒Alias FMC Pub Key Y \|
338		-\| 6 \| Alias FMC CDI (48 bytes) \|\| 🔒Alias FMC Cert Signature R \|
339		-\| 7 \| Alias FMC Private Key (48 bytes) \|\| 🔒Alias FMC Cert Signature S \|
340		-\| 8 \|\|\| 🔒FMC Digest \|
341		-\| 9 \|\|\| 🔒Owner PK Hash \|
	368	+\| Slot \| Key Vault \|
	369	+\| ------ \| -------------------------------------------- \|
	370	+\| 6 \| Alias FMC CDI (64 bytes) \|
	371	+\| 7 \| Alias FMC Private Key - ECDSA (48 bytes) \|
	372	+\| 8 \| Alias FMC Key Pair Seed - MLDSA (32 bytes) \|
	373	+
	374	+
	375	+\| DCCM datavault \|
	376	+\| ----------------------------------- \|
	377	+\| 🔒LDevID ECDSA Pub Key X \|
	378	+\| 🔒LDevID ECDSA Pub Key Y \|
	379	+\| 🔒LDevID MLDSA Pub Key \|
	380	+\| 🔒LDevID Cert ECDSA Signature R \|
	381	+\| 🔒LDevID Cert ECDSA Signature S \|
	382	+\| 🔒LDevID Cert MLDSA Signature \|
	383	+\| 🔒Alias FMC ECDSA Pub Key X \|
	384	+\| 🔒Alias FMC ECDSA Pub Key Y \|
	385	+\| 🔒Alias FMC MLDSA Pub Key \|
	386	+\| 🔒Alias FMC Cert Signature R \|
	387	+\| 🔒Alias FMC Cert Signature S \|
	388	+\| 🔒Alias FMC Cert MLDSA Signature \|
	389	+\| 🔒FMC Digest \|
	390	+\| 🔒FW SVN \|
	391	+\| 🔒Owner PK Hash \|
	392	+\| 🔒Manufacturer Public Key Index \|
	393	+
342	394
343	395
344	396	<center>
@@ -362,7 +414,7 @@
362	414	FMC->>+FIPS: InitFipsFw() (if needed)
363	415	FIPS-->>-FMC: return()
364	416	FMC->>FMC: LocateManifest(fht)
365		- FMC->>FMC: GetRtMeasurement(fht.rt_tci_dv_hdl)
	417	+ FMC->>FMC: GetRtMeasurement(data_vault.rt_tci)
366	418
367	419	rect rgba(0, 100, 200, .2)
368	420
@@ -382,15 +434,20 @@
382	434	rect rgba(0, 0, 200, .2)
383	435	note over FIPS, FMC: DICE-related derivations will be<br> defined in greater detail later
384	436
385		- FMC->>+FIPS: DeriveCdi(fht.FmcCdiKvhdl, "rt_alias_cdi", RtTci)
	437	+ FMC->>+FIPS: DeriveCdi(fht.fmc_cdi_kv_hdl, "alias_rt_cdi", RtTci)
386	438	FIPS-->>-FMC: return(fht.rt_cdi_kv_hdl)
387		- FMC->>+FIPS: DeriveKeyPair(fht.rt_cdi_kv_hdl, "rt_alias_keygen")
388		- FIPS-->>-FMC: return(fht.rt_priv_key_kv_hdl,<br> fht.rt_pub_key_x_dv_hdl,<br> fht.rt_pub_key_y_dv_hdl)
389		- FMC->>+FIPS: CertifyKey(fht.rt_pub_key_x_dv_hdl,<br> fht.rt_pub_key_y_dv_hdl,<br> fht.fmc_priv_key_kv_hdl)
390		- FIPS-->>-FMC: return(fht.rt_cert_sig_r_dv_hdl, fht.rt_cert_sig_s_dv_hdl)
	439	+ FMC->>+FIPS: DeriveKeyPair(fht.rt_cdi_kv_hdl, "alias_rt_ecc_key")
	440	+ FIPS-->>-FMC: return(fht.rt_priv_key_ecdsa_kv_hdl,<br> fht.rt_pub_key_ecdsa_x_dv_hdl,<br> fht.rt_pub_key_ecdsa_y_dv_hdl)
	441	+ FMC->>+FIPS: CertifyKey(fht.rt_pub_key_ecdsa_x_dv_hdl,<br> fht.rt_pub_key_ecdsa_y_dv_hdl,<br> fht.fmc_priv_key_ecdsa_kv_hdl)
	442	+ FIPS-->>-FMC: return(fht.rt_cert_sig_ecdsa_r_dv_hdl, fht.rt_cert_sig_ecdsa_s_dv_hdl)
	443	+ FMC->>+FIPS: DeriveKeyPair(fht.rt_cdi_kv_hdl, "alias_rt_mldsa_key")
	444	+ FIPS-->>-FMC: return(fht.rt_mldsa_seed_kv_hdl,<br> fht.rt_pub_key_mldsa_dv_hdl)
	445	+ FMC->>+FIPS: CertifyKey(fht.rt_pub_key_mldsa_dv_hdl,<br> fht.fmc_seed_mldsa_kv_hdl)
	446	+ FIPS-->>-FMC: return(fht.rt_cert_sig_mldsa_dv_hdl)
391	447	FMC->>+FIPS: LockKey(fht.fmc_cdi_kv_hdl)
392	448	FIPS-->>-FMC: return()
393		- FMC->>+FIPS: LockKey(fht.fmc_priv_key_kv_hdl)
	449	+ FMC->>+FIPS: LockKey(fht.fmc_priv_key_ecdsa_kv_hdl)
	450	+ FMC->>+FIPS: LockKey(fht.fmc_seed_mldsa_kv_hdl)
394	451	FIPS-->>-FMC: return()
395	452
396	453	end %% rect
@@ -409,18 +466,34 @@
409	466
410	467	- Vault state as follows:
411	468
412		-\| Slot \| Key Vault \| PCR Bank \| Data Vault 48 Byte (Sticky) \| Data Vault 4 Byte (Sticky) \|
413		-\| ------ \| ----------- \| ---------- \| ----------------------------- \| ---------------------------- \|
414		-\| 0 \|\|\| 🔒LDevID Pub Key X \| 🔒FMC SVN \|
415		-\| 1 \|\|\| 🔒LDevID Pub Key Y \| 🔒Manufacturer Public Key Index \|
416		-\| 2 \|\|\| 🔒LDevID Cert Signature R \|
417		-\| 3 \|\|\| 🔒LDevID Cert Signature S \|
418		-\| 4 \| Alias RT CDI (48 bytes) \|\| 🔒Alias FMC Pub Key X \|
419		-\| 5 \| Alias RT Private Key (48 bytes) \|\| 🔒Alias FMC Pub Key Y \|
420		-\| 6 \| Alias FMC CDI (48 bytes) \|\| 🔒Alias FMC Cert Signature R \|
421		-\| 7 \| Alias FMC Private Key (48 bytes) \|\| 🔒Alias FMC Cert Signature S \|
422		-\| 8 \|\|\| 🔒FMC Digest \|
423		-\| 9 \|\|\| 🔒Owner PK Hash \|
	469	+\| Slot \| Key Vault \|
	470	+\| ------ \| -------------------------------------------- \|
	471	+\| 4 \| Alias RT CDI (64 bytes) \|
	472	+\| 5 \| Alias RT Private Key (48 bytes) \|
	473	+\| 6 \| Alias FMC CDI (64 bytes) \|
	474	+\| 7 \| Alias FMC Private Key (48 bytes) \|
	475	+\| 8 \| Alias FMC Key Pair Seed - MLDSA (32 bytes) \|
	476	+\| 9 \| Alias RT Key Pair Seed - MLDSA (32 bytes) \|
	477	+
	478	+
	479	+\| DCCM datavault \|
	480	+\| ------------------------------------- \|
	481	+\| 🔒LDevID ECDSA Pub Key X \|
	482	+\| 🔒LDevID ECDSA Pub Key Y \|
	483	+\| 🔒LDevID MLDSA Pub Key \|
	484	+\| 🔒LDevID Cert ECDA Signature R \|
	485	+\| 🔒LDevID Cert ECDSA Signature S \|
	486	+\| 🔒LDevID Cert MLDSA Signature \|
	487	+\| 🔒Alias FMC ECDSA Pub Key X \|
	488	+\| 🔒Alias FMC ECDSA Pub Key Y \|
	489	+\| 🔒Alias FMC MLDSA Pub Key \|
	490	+\| 🔒Alias FMC Cert ECDSA Signature R \|
	491	+\| 🔒Alias FMC Cert ECDSA Signature S \|
	492	+\| 🔒Alias FMC Cert MLDSA Signature \|
	493	+\| 🔒FMC Digest \|
	494	+\| 🔒FW SVN \|
	495	+\| 🔒Owner PK Hash \|
	496	+\| 🔒Manufacturer Public Key Index \|
424	497
425	498
426	499	## Resets

Changes to FMC Specification