Changes to Runtime Specification

Comparing version 2.0 to 1.2
+1804 additions -246 deletions
@@ -1,10 +1,33 @@
11 <div style="font-size: 0.85em; color: #656d76; margin-bottom: 1em; padding: 0.5em; background: #f6f8fa; border-radius: 4px;">
2-đź“„ Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/e6e5db26702ee88d530d2789ac87749472a6641c/runtime/README.md" target="_blank">chipsalliance/caliptra-sw/runtime/README.md</a> @ <code>e6e5db2</code>
2+đź“„ Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/e56467181b5313e53cf6cdc92f705a4127480fc2/runtime/README.md" target="_blank">chipsalliance/caliptra-sw/runtime/README.md</a> @ <code>e564671</code>
33 </div>
44
5-# Caliptra Runtime Firmware v1.1
5+# Caliptra Runtime Firmware v2.0.1
6+
7+*Spec version: 0.3*
68
79 This specification describes the Caliptra Runtime Firmware.
10+
11+## Changelog
12+
13+v1.1:
14+
15+* [LMS Signature Verification](#lms_signature_verify-new-in-11)
16+
17+v1.2:
18+
19+* [Manifest-Based Image Authorization](#manifest-based-image-authorization-new-in-12)
20+
21+v2.0:
22+
23+* Add support for passive mode (same as 1.x) and subsystem (or active) mode
24+* [MCU Runtime loading](#boot-and-initialization) (subsystem mode)
25+* [Cryptographic mailbox commands](#cryptographic-mailbox-commands-new-in-20)
26+* `ECDSA384_SIGNATURE_VERIFY` and `LMS_SIGNATURE_VERIFY`require the hash to be included in the message, as the SHA accelerator registers are no longer accessible outside Caliptra.
27+
28+## Spec Opens
29+
30+* Cryptographic Mailbox: ML-KEM support
831
932 ## Runtime Firmware environment
1033
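Review bot: the v1.2 changelog entry links to `#manifest-based-image-authorization-new-in-12`, but this same change renames that heading to `## Manifest-Based Image Authorization` (the "(new in 1.2)" suffix is dropped further down), so the anchor no longer resolves; likewise `#lms_signature_verify-new-in-11` does not match the `### LMS\_SIGNATURE\_VERIFY` heading shown unchanged later in the diff. Either keep the suffixes in the headings or update the anchors. Also add the missing space in "`LMS_SIGNATURE_VERIFY`require".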
@@ -16,11 +39,11 @@
1639
1740 * Initialize the [DICE Protection Environment (DPE)](#dice-protection-environment-dpe)
1841 * Initialize any SRAM structures used by Runtime Firmware
42+* Upload the firwmare to the Manufacturer Control Unit (2.0, susbystem mode only)
1943
2044 For behavior during other types of reset, see [Runtime firmware updates](#runtime-firmware-updates).
2145
22-If Runtime Firmware detects that Caliptra was reset during the execution of an operation, Runtime Firmware calls `DISABLE_ATTESTATION` because the internal state of Caliptra may
23-be corrupted.
46+If Runtime Firmware detects that Caliptra was reset during the execution of an operation, Runtime Firmware calls `DISABLE_ATTESTATION` because the internal state of Caliptra may be corrupted.
2447
2548 ### Main loop
2649
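Review bot: typos in the new bullet: "firwmare" should be "firmware" and "susbystem" should be "subsystem". The bullet says "(2.0, susbystem mode only)" while the changelog calls it "subsystem (or active) mode"; use one term consistently.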
@@ -62,7 +85,98 @@
6285 possible; however, it will have its own copies of all of these drivers linked into
6386 the Runtime Firmware binary.
6487
65-## Manifest-Based Image Authorization (new in 1.2)
88+## Cryptographic Mailbox Commands (new in 2.0)
89+
90+Cryptographic mailbox (CM) commands are a flexible set of mailbox commands that provide access to Caliptra's cryptographic cabilities.
91+This is meant for offloaded key storage and use, supporting protocols like SPDM and OCP LOCK.
92+
93+These commands are not meant to be high-performance as they are accessed via mailbox commands.
94+
95+CM itself does not provide any storage for the keys: when generated, they are returned to the caller in encrypted form, and must be passed back to be used.
96+
97+These mailbox commands provide SHA, HMAC, HKDF, AES, RNG, MLDSA, and ECDSA services.
98+
99+Note that while MLDSA and ECDSA keys can be imported, generated, and used in the cryptographic mailbox commands (i.e., `CM_*` commands) through CMKs, these keys are *NOT* tied DICE or DPE, so their use may be restricted for certain purposes.
100+
101+MLDSA and ECDSA keys managed by DPE use the separate `ECDSA384_SIGNATURE_VERIFY`, `LMS_SIGNATURE_VERIFY`, and `MLDSA87_SIGNATURE_VERIFY` mailbox commands, which do not use the cryptographic mailbox system and are not managed by CMKs.
102+
103+
104+### References
105+
106+* [SPDM 1.3.1 (DSP0274)](https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.3.1.pdf), dated 2024-07-01.
107+* [OCP Attestation v1.1](https://docs.google.com/document/d/1wA0hbJdtCpcQ1NvsVsYr2IeCkwQbgC7e/edit)
108+* [RFC 5869 (HKDF)](https://www.rfc-editor.org/rfc/rfc5869.html)
109+* [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446) Section 7.4.2 & IEEE 1363 (TLS ECDH secret derivation)
110+
111+### Contexts
112+
113+Several of the methods, such as SHA and AES, support contexts so that multiple users can have in-flight requests at the same time.
114+
115+The contexts contain the internal structures necessary to resume operations to support data that may exceed the size of a single mailbox command.
116+
117+These contexts are intended to be opaque to the user, and SHALL be encrypted and authenticated if they contain sensitive internal data.
118+
119+### Keys
120+
121+Cryptographic Mailbox Key (CMKs) are used to store keys. Certain commands generate and return a new CMK. Most commands that use CMKs will also return a new CMK, as it is necessary to track CMKs so that they are not used beyond any relevant limits for their key type.
122+
123+They are returned from commands that generate keys and must be passed back to Caliptra to be used. These keys are encrypted and opaque to the mailbox caller.
124+
125+Internally, the unecrypted CMKs have the following structure:
126+
127+| **Name** | **Bits** | **Description** |
128+| ------------- | -------- | -------------------------------------- |
129+| version | 8 | CMK version. Currently always 1. |
130+| flags | 8 | Bit 0 = FIPS valid |
131+| length | 16 | how many bits of key material are used |
132+| key usage | 8 | represents which kind of key this is |
133+| id | 24 | ID number |
134+| usage counter | 64 | how many times this key has been used |
135+||| This MAY only be tracked for AES keys |
136+| key material | 512 | bits used for the key material |
137+
138+
139+The encrypted CMKs have the structure:
140+
141+| **Name** | **Bits** | **Description** |
142+| --------------- | -------- | ------------------------------ |
143+| domain | 32 | reserved |
144+| domain metadata | 128 | reserved |
145+| iv | 96 ||
146+| ciphertext | 640 | encrypted CMK data (see above) |
147+| GCM tag | 128 ||
148+
149+
150+The total size of the CMK is therefore 128 bytes.
151+
152+Only the encrypted CMKs will appear in mailbox messages.
153+
154+The key used to encrypt the CMKs is randomized on reset, which means that CMKs cannot be used between resets.
155+The IV is a randomized 1-up counter that is incremented for every key created.
156+
157+#### Key Usage
158+
159+The internal CMK structure and several commands use a key usage tag to specify how a key can be used:
160+
161+| **Value** | **Usage** |
162+| --------- | --------- |
163+| 0 | Reserved |
164+| 1 | HMAC |
165+| 2 | HKDF |
166+| 3 | AES |
167+
168+
169+#### Replay Prevention and Deletion
170+
171+To prevent replay attacks, Caliptra will have a small table that maps a CMK's internal ID to its last known usage counters.
172+Whenever a CMK is used, this table is checked and updated.
173+
174+This is necessary for AES-256-GCM in particular to ensure that keys are only used a certain number of times, as per [NIST SP 800-38D, Section 8.3](https://doi.org/10.6028/NIST.SP.800-38D).
175+Only AES-256-GCM keys need to be tracked in this table, but other keys MAY be tracked as well.
176+
177+This requires 96 bits of storage per AES-256-GCM key. These can stored as a sorted list in the DCCM.
178+
179+## Manifest-Based Image Authorization
66180
67181 Caliptra's goal is to enable integrators to meet standard security requirements for creating cryptographic identity and securely reporting measurements through DICE and DPE Certificate chains and Caliptra-owned private-public key pairs. In addition, Caliptra 1.0 provides an `ECDSA384_SIGNATURE_VERIFY` command to enable an SoC RoT to verify its own FW signatures so that it can develop an SoC secure boot using Caliptra cryptography. Caliptra 1.1 expanded the verify command to a PQC-safe `LMS_SIGNATURE_VERIFY` command. In each of these cases, it is left up to the vendor to ensure that they build a secure environment for introducing and verifying FW integrity and authenticity and then executing mutable FW.
68182
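Review bot: the Key Usage table only defines HMAC, HKDF and AES, yet the section intro says MLDSA and ECDSA keys "can be imported, generated, and used ... through CMKs"; either add usage values for those key types or state that they are out of scope for the tag. The Replay Prevention paragraph says 96 bits of storage per AES-256-GCM key, but the fields it tracks (24-bit id plus 64-bit usage counter) add up to 88 bits; say what the remaining bits are or correct the figure. It would also help to state what happens when the usage limit is reached (presumably `CME_CMK_OFLW` from the result-code table added later in this diff) and that the table is discarded on reset together with the CMK encryption key, since CMKs cannot outlive a reset. Typos: "cabilities" (capabilities), "tied DICE" (tied to DICE), "unecrypted" (unencrypted), "These can stored" (These can be stored).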
@@ -73,7 +187,7 @@
73187
74188 Each of these abilities are tied to Caliptra Vendor and Owner FW signing keys and should be independent of any SoC RoT FW signing keys.
75189
76-Manifest-based image authorization is implemented via two mailbox commands: [`SET_AUTH_MANIFEST`](#set-auth-manifest) and [`AUTHORIZE_AND_STASH`](#authorize-and-stash). For image format of the manifest, please refer [this file](https://github.com/chipsalliance/caliptra-sw/blob/e6e5db26702ee88d530d2789ac87749472a6641c/auth-manifest/README.md).
190+Manifest-based image authorization is implemented via two mailbox commands: [`SET_AUTH_MANIFEST`](#set-auth-manifest), and [`AUTHORIZE_AND_STASH`](#authorize-and-stash).
77191
78192 ### Caliptra-Endorsed Aggregated Measured Boot
79193
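Review bot: this drops the only pointer to the manifest image format (the `auth-manifest/README.md` link) without a replacement, so readers of the 2.0 spec have no reference for the `SET_AUTH_MANIFEST` payload layout; restore it as a link to the current revision of that file. The rewritten sentence also gains a stray comma in a two-item list ("`SET_AUTH_MANIFEST`, and `AUTHORIZE_AND_STASH`").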
@@ -85,7 +199,7 @@
85199
86200 The Caliptra-Endorsed Local Verifier could be required by the owner only or both the vendor and the owner.
87201
88-The main difference between Caliptra-Endorsed Aggregated Measured Boot and Caliptra-Endorsed Local Verifier is whether the SoC RoT is relying on the Measurement Manifest for SoC Secure Boot services as opposed to using it as an additional verification.
202+The main difference between Caliptra-Endorsed Aggregated Measured Boot and Caliptra-Endorsed Local Verifier is if the SoC RoT is relying on the Measurement Manifest for SoC Secure Boot services as opposed as using it as an additional verification.
89203
90204 ### SoC RoT Enforcement of Measurement Manifest
91205
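Review bot: this is a grammar regression: "is if the SoC RoT is relying ... as opposed as using" should remain the original "is whether the SoC RoT is relying ... as opposed to using". Suggest reverting the sentence.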
@@ -97,24 +211,24 @@
97211
98212 ### Unique Measurement Manifest Signing Keys
99213
100-In order to reduce usage of the Caliptra FW Signing keys, the measurement manifest will be signed by new key pairs: one for the owner and optionally one for the vendor. These new key pairs are endorsed once by the Caliptra FW signing keys, the signature being in the Measurement Manifest, thus allowing the measurement manifest keys to be used independently of the Caliptra FW signing keys.
214+In order to reduce usage of the Caliptra FW Signing keys, the measurement manifest will be signed by new key pairs: one for the owner and possibly one for the vendor. These new key pairs are endorsed once using a single signature within the Measurement Manifest, thus allowing the measurement manifest keys to be used independently of the Caliptra FW signing keys.
101215
102216 ### Caliptra Measurement Manifest Vendor Public Key Authenticity
103217
104218 The Measurement Manifest MUST have an endorsement by the Caliptra Vendor Public Key. In order to fulfill this requirement, the Vendor has 2 options:
105219
106-* Vendor signing of `Image Metadata Collection` required: The Vendor creates a new Measurement keypair which will sign the measurement manifest and endorses this new public key with the Caliptra FW Vendor Private Key. The signature covers both the new public key as well as the flags field which indicates that the new Measurement Key Pair will be enforced.
107-* Vendor signing of `Image Metadata Collection` **not** required: Vendor leaves the Vendor public key as all zeros, and clears the flag which enforces vendor signing and then endorses these fields with a signature in the Measurement Manifest. In this case, the Vendor releases ownership of enforcing any specific FW in execution.
220+* Vendor signing required: The Vendor creates a new Measurement keypair which will sign the measurement manifest and endorses the new public key with the Caliptra FW Vendor Private Key. The signature covers both the new public key as well as the flags field which indicates that the new Measurement Key Pair will be enforced.
221+* Vendor signing **not** required: Vendor leaves the Vendor public key as all zeros, and clears the flag which enforces vendor signing and then endorses these fields with a signature in the Measurement Manifest. In this case, the Vendor releases ownership of enforcing any specific FW in execution.
108222
109223 ### Caliptra Measurement Manifest Owner Public Key Authenticity
110224
111225 Caliptra will always verify the endorsement of the Measurement Manifest Owner Public key and require that it signed the measurement manifest.
112226
113-This feature is accomplished by having the SoC send a manifest to Caliptra Runtime through the `SET_AUTH_MANIFEST` mailbox command. The manifest will include a set of hashes for the different SoC images. Later, the SOC will ask for authorization for its images from the Caliptra Runtime through the `AUTHORIZE_AND_STASH` new mailbox command. Caliptra Runtime will authorize the image based on whether its hash was contained in the manifest.
227+This feature is accomplished by having the SoC send a manifest to Caliptra Runtime through the `SET_AUTH_MANIFEST` mailbox command. The manifest will include a set of hashes for the different SoC images. Later, the SOC will ask for authorization for its images from the Caliptra Runtime through the `AUTHORIZE_AND_STASH` new mailbox commands. Caliptra Runtime will authorize the image based on whether its hash was contained in the manifest.
114228
115229 #### Preamble
116230
117-The manifest begins with the Preamble section, which contains new manifest ECC and LMS public keys of the vendor and the owner. These public keys correspond to the private keys that sign the Image Metadata Collection (IMC) section. These signatures are included in the Preamble. The Caliptra firmware's private keys endorse the manifest's public keys and these endorsements (i.e., signatures) are part of the Preamble as well.
231+The manifest begins with the Preamble section, which contains new manifest ECC and either MLDSA or LMS public keys of the vendor and the owner. These public keys correspond to the private keys that sign the Image Metadata Collection (IMC) section. These signatures are included in the Preamble. The Caliptra firmware's private keys endorse the manifest's public keys and these endorsements (i.e., signatures) are part of the Preamble as well.
118232
119233 #### Image Metadata Collection (IMC)
120234
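Review bot: the rewritten Unique Measurement Manifest Signing Keys paragraph loses the statement of who endorses the new key pairs. The old text said they are "endorsed once by the Caliptra FW signing keys"; the new "endorsed once using a single signature within the Measurement Manifest" no longer names the endorsing key, which is the property the section rests on and which the Vendor Public Key Authenticity bullets just below still assume ("endorses the new public key with the Caliptra FW Vendor Private Key"). Suggest "endorsed once by the Caliptra FW signing keys, with the endorsement signature carried in the Measurement Manifest". Also "the `AUTHORIZE_AND_STASH` new mailbox commands" should be singular ("new mailbox command") since it names one command, and "possibly one for the vendor" reads weaker than the original "optionally one for the vendor", which is what the vendor-signing-not-required option below describes.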
@@ -133,6 +247,10 @@
133247 * If the owner endorsement is invalid, the `SET_AUTH_MANIFEST` command will be rejected.
134248 * Otherwise, the owner public key will be trusted and Caliptra will use it to verify the overall measurement manifest.
135249
250+#### Measurement Manifest Version Number
251+
252+A Measurement Manifest VN is used to ensure that some enforcement is possible if a progression of measurements is required. 32 bits of the existing unused `IDEVID_MANUF_IDENTIFIER` fuse (128 bits) can be repurposed for this. This can be accomplished by updating Caliptra's main specification to redefine the fuse definition and its usage from "Programming time" to "Field Programmable".
253+
136254 ### Image Authorization Sequence
137255
138256 The diagram below illustrates how this feature is part of the Caliptra boot flow, and the order of operations needed to use the feature.
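Review bot: the new Measurement Manifest Version Number section reads as a proposal rather than a specification: it says 32 bits of the `IDEVID_MANUF_IDENTIFIER` fuse "can be repurposed" and that the main spec "can be" updated, but does not say which manifest field carries the VN, what comparison `SET_AUTH_MANIFEST` performs against the fuse value (reject if lower, allow equal?), which result code is returned on failure, or who is allowed to program the new value. If this is not implemented in 2.0, mark it as such (for example under Spec Opens); if it is, state the check normatively.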
@@ -143,7 +261,7 @@
143261 FMC->>Runtime: Launch RT
144262 Runtime->>SOC: RDY_FOR_RT
145263 Note over Runtime,SOC: Manifest Load
146- SOC->>Runtime: SET_AUTH_MANIFEST
264+ SOC->>Runtime: SET_MANIFEST
147265 Runtime-->>SOC: Success/Failure
148266 Note over Runtime,SOC: Image Authorization
149267 loop n times
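Review bot: the sequence diagram now says `SET_MANIFEST`, but the prose in this same change still calls the command `SET_AUTH_MANIFEST` (in the Manifest-Based Image Authorization intro and in the Owner Public Key Authenticity section); one of them is wrong. If the command was renamed, update the prose and the `#set-auth-manifest` anchors; otherwise revert the diagram line.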
@@ -161,14 +279,19 @@
161279
162280 *Table: Mailbox command result codes*
163281
164-| **Name** | **Value** | Description
165-| ------- | ----- | -----------
166-| `SUCCESS` | `0x0000_0000` | Mailbox command succeeded
167-| `BAD_VENDOR_SIG` | `0x5653_4947` ("VSIG") | Vendor signature check failed
168-| `BAD_OWNER_SIG` | `0x4F53_4947` ("OSIG") | Owner signature check failed
169-| `BAD_SIG` | `0x4253_4947` ("BSIG") | Generic signature check failure (for crypto offload)
170-| `BAD_IMAGE` | `0x4249_4D47` ("BIMG") | Malformed input image
171-| `BAD_CHKSUM` | `0x4243_484B` ("BCHK") | Checksum check failed on input arguments
282+| **Name** | **Value** | Description |
283+| ---------------- | ---------------------- | ---------------------------------------------------- |
284+| `SUCCESS` | `0x0000_0000` | Mailbox command succeeded |
285+| `BAD_VENDOR_SIG` | `0x5653_4947` ("VSIG") | Vendor signature check failed |
286+| `BAD_OWNER_SIG` | `0x4F53_4947` ("OSIG") | Owner signature check failed |
287+| `BAD_SIG` | `0x4253_4947` ("BSIG") | Generic signature check failure (for crypto offload) |
288+| `BAD_IMAGE` | `0x4249_4D47` ("BIMG") | Malformed input image |
289+| `BAD_CHKSUM` | `0x4243_484B` ("BCHK") | Checksum check failed on input arguments |
290+| `CME_BAD_CMK` | `0x434D_424B` ("CMBK") | Invalid CMK |
291+| `CME_CMK_OFLW` | `0x434D_424F` ("CMBO") | CMK has been used too many times |
292+| `CME_BAD_CTXT` | `0x434D_4243` ("CMBC") | Bad context |
293+| `CME_FULL` | `0x434D_4546` ("CMEF") | Too many Cryptographic Mailbox usage counters in use |
294+
172295
173296 Relevant registers:
174297
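Review bot: the ASCII tags of the new `CME_*` codes do not follow one scheme: `CME_BAD_CMK` is "CMBK", `CME_CMK_OFLW` is "CMBO", `CME_BAD_CTXT` is "CMBC", but `CME_FULL` is "CMEF"; the hex values do encode the quoted tags correctly (e.g. `0x434D_424B` is "CMBK"), so only the naming needs aligning so a tag can be derived from its name. Consider noting which CM commands can return each code, since `CME_FULL` refers to the usage-counter table described in the Replay Prevention section. Minor: the table is now followed by two blank lines; drop one.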
@@ -177,30 +300,54 @@
177300 * CPTRA\_FW\_ERROR\_NON\_FATAL: Status code of mailbox command. Any result
178301 other than `SUCCESS` signifies a mailbox command failure.
179302
180-### CALIPTRA\_FW\_LOAD
181-
182-The `CALIPTRA_FW_LOAD` command is handled by both ROM and Runtime Firmware.
303+Mailbox user 0xFFFF_FFFF is reserved for Caliptra internal use. All mailbox
304+commands from that user will fail.
305+
306+### FW\_LOAD
307+
308+The `FIRMWARE_LOAD` command is handled by both ROM and Runtime Firmware.
183309
184310 #### ROM behavior
185311
186-On cold boot, ROM exposes the `CALIPTRA_FW_LOAD` mailbox command to accept
312+On cold boot, ROM exposes the `FIRMWARE_LOAD` mailbox command to accept
187313 the firmware image that ROM will boot. This image includes Manifest, FMC, and Runtime
188314 firmware.
189315
190316 #### Runtime Firmware behavior
191317
192-Caliptra Runtime Firmware also exposes the `CALIPTRA_FW_LOAD` mailbox command for loading
318+Caliptra Runtime Firmware also exposes the `FIRMWARE_LOAD` mailbox command for loading
193319 impactless updates. For more information, see [Runtime Firmware updates](#runtime-firmware-updates).
194320
195321 Command Code: `0x4657_4C44` ("FWLD")
196322
197-*Table: `CALIPTRA_FW_LOAD` input arguments*
323+*Table: `FIRMWARE_LOAD` input arguments*
198324
199325 | **Name** | **Type** | **Description**
200326 | -------- | -------- | ---------------
201327 | data | u8[...] | Firmware image to load.
202328
203-`CALIPTRA_FW_LOAD` returns no output arguments.
329+`FIRMWARE_LOAD` returns no output arguments.
330+
331+### FIRMWARE\_VERIFY
332+
333+The `FIRMWARE_VERIFY` command is used to verify a Caliptra Firmware Bundle.
334+
335+Command Code: `0x4657_5652` ("FWVR")
336+
337+*Table: `FIRMWARE_VERIFY` input arguments*
338+
339+| **Name** | **Type** | **Description**
340+| -------- | -------- | ---------------
341+| data | u8[...] | Firmware image bundle to verify.
342+
343+*Table: `FIRMWARE_VERIFY` output arguments*
344+
345+| **Name** | **Type** | **Description** |
346+| -------------- | -------------- | -------------------------------------------------------------------------- |
347+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
348+| fips_status | u32 | Indicates if the command is FIPS approved or an error. |
349+| verify_result | u32 | VERIFY_SUCCESS (0xDEADC0DE), VERIFY_FAILED (0x21523F21) |
350+
204351
205352 ### CAPABILITIES
206353
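Review bot: the heading was renamed to `### FW\_LOAD` while the text and table captions call the command `FIRMWARE_LOAD`; the other headings (e.g. `### FIRMWARE\_VERIFY`) use the full command name, so rename the heading to `FIRMWARE\_LOAD` and check any anchors that pointed at the old heading. `FIRMWARE_VERIFY` also needs a sentence on what "verify" covers: which signatures and keys are checked (vendor and owner, against the fused keys?), that the bundle is only verified and never staged or booted, and whether a failed verification is logged as a non-fatal error as the signature-verify commands do. Using distinct non-trivial constants for VERIFY_SUCCESS and VERIFY_FAILED rather than 0/1 is the right choice; keep it.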
@@ -222,13 +369,13 @@
222369 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
223370 | capabilities | u8[16] | Firmware capabilities
224371
225-### GET\_IDEV\_CERT
226-
227-Exposes a command to reconstruct the IDEVID CERT.
372+### GET\_IDEV\_ECC384\_CERT
373+
374+Exposes a command to reconstruct the ECC384 IDEV CERT.
228375
229376 Command Code: `0x4944_4543` ("IDEC")
230377
231-*Table: `GET_IDEV_CERT` input arguments*
378+*Table: `GET_IDEV_ECC384_CERT` input arguments*
232379
233380 | **Name** | **Type** | **Description**
234381 | -------- | -------- | ---------------
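Review bot: say explicitly that this rename is documentation-only: `GET_IDEV_ECC384_CERT` keeps the 1.x command code `0x4944_4543` ("IDEC"), so existing callers are unaffected, and integrators should not read it as a wire-level change. The same note applies to the other `*_ECC384_*` renames in this diff that keep their 1.x codes (IDEP, IDEI, LDEV, CERF, CERR); a line in the changelog would cover all of them.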
@@ -238,51 +385,98 @@
238385 | tbs\_size | u32 | Size of the TBS.
239386 | tbs | u8[916] | TBS, with a maximum size of 916. Only bytes up to tbs_size are used.
240387
241-*Table: `GET_IDEV_CERT` output arguments*
388+*Table: `GET_IDEV_ECC384_CERT` output arguments*
242389
243390 | **Name** | **Type** | **Description**
244391 | -------- | -------- | ---------------
245392 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
246393 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
247-| cert\_size | u32 | Length in bytes of the cert field in use for the IDevId certificate.
248-| cert | u8[1024] | DER-encoded IDevID CERT.
249-
250-### POPULATE\_IDEV\_CERT
394+| cert\_size | u32 | Length in bytes of the cert field in use for the IDev ECC384 certificate.
395+| cert | u8[1024] | DER-encoded IDev ECC384 CERT.
396+
397+### GET\_IDEV\_MLDSA87\_CERT
398+
399+Exposes a command to reconstruct the MLDSA87 IDEV CERT.
400+
401+Command Code: `0x4944_4D43` ("IDMC")
402+
403+*Table: `GET_IDEV_MLDSA87_CERT` input arguments*
404+
405+| **Name** | **Type** | **Description**
406+| -------- | -------- | ---------------
407+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
408+| tbs\_size | u32 | Size of the TBS.
409+| signature | u8[4628] | MLDSA87 signature bytes.
410+| tbs | u8[2820] | TBS, with a maximum size of 2820. Only bytes up to tbs_size are used.
411+
412+*Table: `GET_IDEV_MLDSA87_CERT` output arguments*
413+
414+| **Name** | **Type** | **Description**
415+| -------- | -------- | ---------------
416+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
417+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
418+| cert\_size | u32 | Length in bytes of the cert field in use for the IDev MLDSA87 certificate.
419+| cert | u8[...] | DER-encoded IDev MLDSA87 CERT.
420+
421+### POPULATE\_IDEV\_ECC384\_CERT
251422
252423 Exposes a command that allows the SoC to provide a DER-encoded
253-IDevId certificate on every boot. The IDevId certificate is added
424+ECC384 IDev certificate on every boot. The ECC384 IDev certificate is added
254425 to the start of the certificate chain.
255426
256427 Command Code: `0x4944_4550` ("IDEP")
257428
258-*Table: `POPULATE_IDEV_CERT` input arguments*
429+*Table: `POPULATE_IDEV_ECC384_CERT` input arguments*
259430
260431 | **Name** | **Type** | **Description**
261432 | -------- | -------- | ---------------
262433 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
263-| cert\_size | u32 | Size of the DER-encoded IDevId certificate.
264-| cert | u8[1024] | DER-encoded IDevID CERT.
265-
266-*Table: `POPULATE_IDEV_CERT` output arguments*
434+| cert\_size | u32 | Size of the DER-encoded ECC384 IDevId certificate.
435+| cert | u8[1024] | DER-encoded ECC384 IDev CERT.
436+
437+*Table: `POPULATE_IDEV_ECC384_CERT` output arguments*
267438
268439 | **Name** | **Type** | **Description**
269440 | -------- | -------- | ---------------
270441 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
271442 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
272443
273-### GET\_IDEV\_INFO
274-
275-Exposes a command to get an IDEVID public key.
444+### POPULATE\_IDEV\_MLDSA87\_CERT
445+
446+Exposes a command that allows the SoC to provide a DER-encoded
447+MLDSA87 IDev certificate on every boot. The MLDSA87 IDev certificate is added
448+to the start of the certificate chain.
449+
450+Command Code: `0x4944_4D50` ("IDMP")
451+
452+*Table: `POPULATE_IDEV_MLDSA87_CERT` input arguments*
453+
454+| **Name** | **Type** | **Description**
455+| -------- | -------- | ---------------
456+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
457+| cert\_size | u32 | Size of the DER-encoded MLDSA87 IDev certificate.
458+| cert | u8[8192] | DER-encoded MLDSA87 IDev CERT.
459+
460+*Table: `POPULATE_IDEV_MLDSA87_CERT` output arguments*
461+
462+| **Name** | **Type** | **Description**
463+| -------- | -------- | ---------------
464+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
465+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
466+
467+### GET\_IDEV\_ECC384\_INFO
468+
469+Exposes a command to get the IDEVID ECC384 public key.
276470
277471 Command Code: `0x4944_4549` ("IDEI")
278472
279-*Table: `GET_IDEV_INFO` input arguments*
473+*Table: `GET_IDEV_ECC384_INFO` input arguments*
280474
281475 | **Name** | **Type** | **Description**
282476 | -------- | -------- | ---------------
283477 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
284478
285-*Table: `GET_IDEV_INFO` output arguments*
479+*Table: `GET_IDEV_ECC384_INFO` output arguments*
286480
287481 | **Name** | **Type** | **Description**
288482 | -------- | -------- | ---------------
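Review bot: `GET_IDEV_MLDSA87_CERT` returns `cert` as `u8[...]` with no bound, while `POPULATE_IDEV_MLDSA87_CERT` accepts `u8[8192]` and the ECC384 variants are bounded at `u8[1024]`; give the MLDSA87 output a fixed maximum (8192 would match POPULATE and holds a 2820-byte TBS plus a 4628-byte signature with room for DER overhead). The new tables also mix "IDevId", "IDevID" and "IDev" ("ECC384 IDevId certificate" next to "ECC384 IDev CERT"); pick one spelling.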
@@ -291,78 +485,160 @@
291485 | idev\_pub\_x | u8[48] | X portion of ECDSA IDevId key.
292486 | idev\_pub\_y | u8[48] | Y portion of ECDSA IDevId key.
293487
294-### GET\_LDEV\_CERT
295-
296-Exposes a command to get an LDevID certificate signed by IDevID.
297-
298-Command Code: `0x4C44_4556` ("LDEV")
299-
300-*Table: `GET_LDEV_CERT` input arguments*
488+### GET\_IDEV\_MLDSA87\_INFO
489+
490+Exposes a command to get the IDEVID MLDSA87 public key.
491+
492+Command Code: `0x4944_4D49` ("IDMI")
493+
494+*Table: `GET_IDEV_MLDSA87_INFO` input arguments*
301495
302496 | **Name** | **Type** | **Description**
303497 | -------- | -------- | ---------------
304498 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
305499
306-*Table: `GET_LDEV_CERT` output arguments*
500+*Table: `GET_IDEV_MLDSA87_INFO` output arguments*
501+
502+| **Name** | **Type** | **Description**
503+| -------- | -------- | ---------------
504+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
505+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
506+| idev\_pub\_key | u8[2592] | MLDSA IDevId public key.
507+
508+### GET\_LDEV\_ECC384\_CERT
509+
510+Exposes a command to get an LDevID ECC384 certificate signed by ECC384 IDevID private key.
511+
512+Command Code: `0x4C44_4556` ("LDEV")
513+
514+*Table: `GET_LDEV_ECC384_CERT` input arguments*
515+
516+| **Name** | **Type** | **Description**
517+| -------- | -------- | ---------------
518+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
519+
520+*Table: `GET_LDEV_ECC384_CERT` output arguments*
307521
308522 | **Name** | **Type** | **Description**
309523 | -------- | -------- | ---------------
310524 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
311525 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
312526 | data\_size | u32 | Length in bytes of the valid data in the data field.
313-| data | u8[...] | DER-encoded LDevID certificate.
314-
315-### GET\_FMC\_ALIAS\_CERT
316-
317-Exposes a command to get an FMC alias certificate signed by LDevID.
318-
319-Command Code: `0x4345_5246` ("CERF")
320-
321-*Table: `GET_FMC_ALIAS_CERT` input arguments*
527+| data | u8[...] | DER-encoded ECC384 LDevID certificate.
528+
529+### GET\_LDEV\_MLDSA87\_CERT
530+
531+Exposes a command to get an LDevID MLDSA87 certificate signed by MLDSA87 IDevID private key.
532+
533+Command Code: `0x4C44_4D43` ("LDMC")
534+
535+*Table: `GET_LDEV_MLDSA87_CERT` input arguments*
322536
323537 | **Name** | **Type** | **Description**
324538 | -------- | -------- | ---------------
325539 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
326540
327-*Table: `GET_FMC_ALIAS_CERT` output arguments*
541+*Table: `GET_LDEV_MLDSA87_CERT` output arguments*
328542
329543 | **Name** | **Type** | **Description**
330544 | -------- | -------- | ---------------
331545 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
332546 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
333547 | data\_size | u32 | Length in bytes of the valid data in the data field.
334-| data | u8[...] | DER-encoded FMC alias certificate.
335-
336-### GET\_RT\_ALIAS\_CERT
337-
338-Exposes a command to get a Runtime alias certificate signed by the FMC alias.
339-
340-Command Code: `0x4345_5252` ("CERR")
341-
342-*Table: `GET_RT_ALIAS_CERT` input arguments*
548+| data | u8[...] | DER-encoded MLDSA87 LDevID certificate.
549+
550+### GET\_FMC\_ALIAS\_ECC384\_CERT
551+
552+Exposes a command to get a FMC alias ECC384 certificate signed by the ECC384 LDevID private key.
553+
554+Command Code: `0x4345_5246` ("CERF")
555+
556+*Table: `GET_FMC_ALIAS_ECC384_CERT` input arguments*
343557
344558 | **Name** | **Type** | **Description**
345559 | -------- | -------- | ---------------
346560 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
347561
348-*Table: `GET_RT_ALIAS_CERT` output arguments*
562+*Table: `GET_FMC_ALIAS_ECC384_CERT` output arguments*
349563
350564 | **Name** | **Type** | **Description**
351565 | -------- | -------- | ---------------
352566 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
353567 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
354568 | data\_size | u32 | Length in bytes of the valid data in the data field.
355-| data | u8[...] | DER-encoded Runtime alias certificate.
569+| data | u8[...] | DER-encoded FMC alias ECC384 certificate.
570+
571+### GET\_FMC\_ALIAS\_MLDSA87\_CERT
572+
573+Exposes a command to get a FMC alias MLDSA87 certificate signed by the MLDSA87 LDevID private key.
574+
575+Command Code: `0x434D_4346` ("CMCF")
576+
577+*Table: `GET_FMC_ALIAS_MLDSA87_CERT` input arguments*
578+
579+| **Name** | **Type** | **Description**
580+| -------- | -------- | ---------------
581+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
582+
583+*Table: `GET_FMC_ALIAS_MLDSA87_CERT` output arguments*
584+
585+| **Name** | **Type** | **Description**
586+| -------- | -------- | ---------------
587+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
588+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
589+| data\_size | u32 | Length in bytes of the valid data in the data field.
590+| data | u8[...] | DER-encoded FMC alias MLDSA87 certificate.
591+
592+### GET\_RT\_ALIAS\_ECC384\_CERT
593+
594+Exposes a command to get a Runtime alias ECC384 certificate signed by the ECC384 FMC alias private key.
595+
596+Command Code: `0x4345_5252` ("CERR")
597+
598+*Table: `GET_RT_ALIAS_ECC384_CERT` input arguments*
599+
600+| **Name** | **Type** | **Description**
601+| -------- | -------- | ---------------
602+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
603+
604+*Table: `GET_RT_ALIAS_ECC384_CERT` output arguments*
605+
606+| **Name** | **Type** | **Description**
607+| -------- | -------- | ---------------
608+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
609+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
610+| data\_size | u32 | Length in bytes of the valid data in the data field.
611+| data | u8[...] | DER-encoded Runtime alias ECC384 certificate.
612+
613+### GET\_RT\_ALIAS\_MLDSA87\_CERT
614+
615+Exposes a command to get a Runtime alias MLDSA87 certificate signed by the MLDSA87 FMC alias private key.
616+
617+Command Code: `0x434D_4352` ("CMCR")
618+
619+*Table: `GET_RT_ALIAS_MLDSA87_CERT` input arguments*
620+
621+| **Name** | **Type** | **Description**
622+| -------- | -------- | ---------------
623+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
624+
625+*Table: `GET_RT_ALIAS_MLDSA87_CERT` output arguments*
626+
627+| **Name** | **Type** | **Description**
628+| -------- | -------- | ---------------
629+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
630+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
631+| data\_size | u32 | Length in bytes of the valid data in the data field.
632+| data | u8[...] | DER-encoded Runtime alias MLDSA87 certificate.
356633
357634 ### ECDSA384\_SIGNATURE\_VERIFY
358635
359-Verifies an ECDSA P-384 signature. The hash to be verified is taken from
360-Caliptra's SHA384 accelerator peripheral.
636+Verifies an ECDSA P-384 signature. The hash to be verified is taken from the input (new in 2.0).
361637
362638 In the event of an invalid signature, the mailbox command will report CMD_FAILURE
363639 and the cause will be logged as a non-fatal error.
364640
365-Command Code: `0x5349_4756` ("SIGV")
641+Command Code: `0x4543_5632` ("ECV2")
366642
367643 *Table: `ECDSA384_SIGNATURE_VERIFY` input arguments*
368644
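Review bot: the command code for `ECDSA384_SIGNATURE_VERIFY` changes from `0x5349_4756` ("SIGV") to `0x4543_5632` ("ECV2"), but the prose only calls out the hash now being taken from the input ("new in 2.0"). A caller built against 1.x has to change both the command code and the input layout, so say so explicitly in the description, e.g. "Command code changed in 2.0 together with the input layout", rather than leaving the code change to be noticed from the diff.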
@@ -373,6 +649,7 @@
373649 | pub\_key\_y | u8[48] | Y portion of ECDSA verification key.
374650 | signature\_r | u8[48] | R portion of signature to verify.
375651 | signature\_s | u8[48] | S portion of signature to verify.
652+| hash | u8[48] | SHA384 digest to verify.
376653
377654 *Table: `ECDSA384_SIGNATURE_VERIFY` output arguments*
378655
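Review bot: the new `hash` row ("SHA384 digest to verify.") should state that the command verifies the signature only against the digest the caller supplies and does not itself hash any data. With the accelerator path gone, the binding between the signed message and this digest is entirely the caller's responsibility, so the row should read something like "SHA384 digest of the signed message, computed by the caller; the command does not verify the digest against any data".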
@@ -383,8 +660,7 @@
383660
384661 ### LMS\_SIGNATURE\_VERIFY
385662
386-Verifies an LMS signature. The hash to be verified is taken from
387-Caliptra's SHA384 accelerator peripheral.
663+Verifies an LMS signature. The hash to be verified is taken from the input (new in 2.0).
388664
389665 In the event of an invalid signature, the mailbox command will report CMD_FAILURE
390666 and the cause will be logged as a non-fatal error.
@@ -399,7 +675,7 @@
399675 | w | 4 | Width (in bits) of the Winternitz coefficient
400676 | h | 15 | Height of the tree
401677
402-Command Code: `0x4C4D_5356` ("LMSV")
678+Command Code: `0x4C4D_5632` ("LMV2")
403679
404680 *Table: `LMS_SIGNATURE_VERIFY` input arguments*
405681
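Review bot: the command code for `LMS_SIGNATURE_VERIFY` changes from `0x4C4D_5356` ("LMSV") to `0x4C4D_5632` ("LMV2"), while the prose only mentions that the hash is now taken from the input. State the code change in the description alongside the hash note so 1.x callers know both the code and the input layout changed.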
@@ -414,6 +690,7 @@
414690 | signature\_ots | u8[1252] | LM-OTS signature
415691 | signature\_tree\_type | u8[4] | LMS signature Algorithm type. Must equal 12.
416692 | signature\_tree\_path | u8[360] | Path through the tree from the leaf associated with the LM-OTS signature to the root
693+| hash | u8[48] | SHA384 digest to verify.
417694
418695 *Table: `LMS_SIGNATURE_VERIFY` output arguments*
419696
@@ -422,6 +699,58 @@
422699 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
423700 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
424701
702+### MLDSA87_SIGNATURE_VERIFY
703+
704+Verifies the signature against the message and MLDSA-87 public key.
705+
706+The public key and signature formats are described in [FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
707+
708+The command will only return a success if the signature is valid.
709+
710+Command Code: `0x4D4C_5632` ("MLV2")
711+
712+*Table: `MLDSA87_SIGNATURE_VERIFY` input arguments*
713+| **Name** | **Type** | **Description** |
714+| --------- | ------------ | ------------------ |
715+| chksum | u32 ||
716+| pub_key | u8[2592] | Public key |
717+| signature | u8[4627] | Signature to check |
718+| padding | u8[1] ||
719+| data len | u32 | Length of message |
720+| data | u8[data len] | Message to check |
721+
722+
723+
724+*Table: `MLDSA87_SIGNATURE_VERIFY` output arguments*
725+| **Name** | **Type** | **Description** |
726+| ----------- | -------- | -------------------------- |
727+| chksum | u32 ||
728+| fips_status | u32 | FIPS approved or an error |
729+
730+
731+
732+### INSTALL\_OWNER\_PK\_HASH
733+
734+Exposes a command to save the owner public key hash in persistent data.
735+
736+Command Code: `0x4F57_4E50` ("OWNP")
737+
738+*Table: `INSTALL_OWNER_PK_HASH` input arguments*
739+
740+| **Name** | **Type** | **Description**
741+| -------- | -------- | ---------------
742+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
743+| digest | u32[12] | Owner public key hash.
744+
745+*Table: `INSTALL_OWNER_PK_HASH` output arguments*
746+
747+| **Name** | **Type** | **Description**
748+| -------- | -------- | ---------------
749+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
750+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
751+| dpe\_result | u32 | Result code, 0 on success.
752+
753+
425754 ### STASH\_MEASUREMENT
426755
427756 Makes a measurement into the DPE default context. This command is intended for
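Review bot: `INSTALL_OWNER_PK_HASH` returns a `dpe_result` field ("Result code, 0 on success."), although the command only writes the owner public key hash to persistent data and does not involve DPE; drop the row or rename it to a generic result code. The section should also state who may call it, since installing the owner key hash is a trust-anchor change: `STASH_MEASUREMENT` records "This command can only be called in the locality of the PL0 PAUSER", and an equivalent locality/privilege statement, plus whether a previously installed hash can be overwritten, belongs here. In the `MLDSA87_SIGNATURE_VERIFY` tables, `| chksum | u32 ||` and `| padding | u8[1] ||` have empty descriptions and `data len` uses a space where every other field is snake_case; fill in the checksum wording used elsewhere, say what value the padding byte must hold, and rename to `data_len`. The captions in these tables are also not followed by a blank line as they are in the rest of the document.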
@@ -430,7 +759,7 @@
430759 * Call the DPE DeriveContext command with the DefaultContext in the locality of
431760 the PL0 PAUSER.
432761 * Extend the measurement into PCR31 (`PCR_ID_STASH_MEASUREMENT`).
433-* **Note**: This command can only be called in the locality of the PL0 PAUSER.
762+* **Note**: This command can only be called in the locality of the PL0 PAUSER.
434763
435764 Command Code: `0x4D45_4153` ("MEAS")
436765
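Review bot: this hunk appears to change only trailing whitespace on the `**Note**` line of `STASH_MEASUREMENT`; if so, consider dropping it so the diff is limited to substantive edits.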
@@ -505,14 +834,14 @@
505834 | data\_size | u32 | Length in bytes of the valid data in the data field.
506835 | data | u8[...] | DPE response structure as defined in the DPE iRoT profile.
507836
508-### QUOTE\_PCRS
509-
510-Generates a signed quote over all Caliptra hardware PCRs that are using the Caliptra PCR quoting key.
837+### QUOTE\_PCRS\_ECC384
838+
839+Generates a signed quote over all Caliptra hardware PCRs using the Caliptra PCR ECC384 quoting key.
511840 All PCR values are hashed together with the nonce to produce the quote.
512841
513842 Command Code: `0x5043_5251` ("PCRQ")
514843
515-*Table: `QUOTE_PCRS` input arguments*
844+*Table: `QUOTE_PCRS_ECC384` input arguments*
516845
517846 | **Name** | **Type** | **Description**
518847 | -------- | -------- | ---------------
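Review bot: renaming the heading from `QUOTE_PCRS` to `QUOTE_PCRS_ECC384` changes the Markdown anchor, so any in-document link to `#quote_pcrs` breaks; check for references. Since the command code stays `0x5043_5251` ("PCRQ"), add a sentence that this is the 1.x `QUOTE_PCRS` command renamed, not a new command.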
@@ -521,18 +850,46 @@
521850
522851 PcrValue is defined as u8[48]
523852
524-*Table: `QUOTE_PCRS` output arguments*
525-
526-| **Name** | **Type** | **Description**
527-| -------- | -------- | ---------------
528-| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
529-| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
530-| PCRs | PcrValue[32] | Values of all PCRs.
531-| nonce | u8[32] | Return the nonce used as input for convenience.
532-| digest | u8[48] | Return the digest over the PCR values and the nonce.
533-| reset\_ctrs | u32[32] | Reset counters for all PCRs.
534-| signature\_r | u8[48] | R portion of the signature over the PCR quote.
535-| signature\_s | u8[48] | S portion of the signature over the PCR quote.
853+*Table: `QUOTE_PCRS_ECC384` output arguments*
854+
855+| **Name** | **Type** | **Description**
856+| -------- | -------- | ---------------
857+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
858+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
859+| PCRs | PcrValue[32] | Values of all PCRs.
860+| nonce | u8[32] | Return the nonce used as input for convenience.
861+| reset\_ctrs | u32[32] | Reset counters for all PCRs.
862+| digest | u8[48] | Return the lower 48 bytes of SHA2-512 digest over the PCR values and the nonce.
863+| signature\_r | u8[48] | ECC P-384 R portion of the signature over the `ecc_digest`. </br> The FMC Alias ECC P-384 private key stored in Key Vault slot 7 is utilized for the signing operation.
864+| signature\_s | u8[48] | ECC P-384 S portion of the signature over the `ecc_digest`.
865+
866+### QUOTE\_PCRS\_MLDSA87
867+
868+Generates a signed quote over all Caliptra hardware PCRs that are using the Caliptra PCR Mldsa87 quoting key.
869+All PCR values are hashed together with the nonce to produce the quote.
870+
871+Command Code: `0x5043_524D` ("PCRM")
872+
873+*Table: `QUOTE_PCRS_MLDSA87` input arguments*
874+
875+| **Name** | **Type** | **Description**
876+| -------- | -------- | ---------------
877+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
878+| nonce | u8[32] | Caller-supplied nonce to be included in signed data.
879+
880+PcrValue is defined as u8[48]
881+
882+*Table: `QUOTE_PCRS_MLDSA87` output arguments*
883+
884+| **Name** | **Type** | **Description**
885+| -------- | -------- | ---------------
886+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
887+| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
888+| PCRs | PcrValue[32] | Values of all PCRs.
889+| nonce | u8[32] | Return the nonce used as input for convenience.
890+| reset\_ctrs | u32[32] | Reset counters for all PCRs.
891+| digest | u8[64] | Return the SHA2-512 digest over the PCR values and the nonce, in byte reversed order.
892+| signature | u8[4628] | MLDSA-87 signature over the `digest` (4627 bytes + 1 Reserved byte). </br> The FMC Alias MLDSA seed stored in Key Vault slot 8 is utilized to generate the private key, which is subsequently used for the signing operation.
536893
537894 ### EXTEND\_PCR
538895
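Review bot: the `signature_r` and `signature_s` rows of `QUOTE_PCRS_ECC384` say the signature is over "the `ecc_digest`", but no field of that name exists in the table; the field is `digest`, so reference it by that name. "Return the lower 48 bytes of SHA2-512 digest" should say exactly which 48 bytes (the first 48 bytes of the 64-byte digest as a byte string, or something else), because a verifier reconstructing the signed value from `PCRs` and `nonce` has to match it. The `QUOTE_PCRS_MLDSA87` description keeps the grammar slip the ECC section fixed ("PCRs that are using the Caliptra PCR Mldsa87 quoting key") and spells the algorithm "Mldsa87" where the rest of the document uses MLDSA87; and its `digest` is "in byte reversed order" while the ECC one is truncated, so state the ordering for both in the same terms, since both are inputs to caller-side signature verification.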
@@ -668,9 +1025,9 @@
6681025 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
6691026 | fips\_status | u32 | Indicates if the command is FIPS approved or an error.
6701027 | pl0_pauser | u32 | PAUSER with PL0 privileges (from image header).
671-| runtime_svn | u32 | Runtime SVN.
672-| min_runtime_svn | u32 | Min Runtime SVN.
673-| fmc_manifest_svn | u32 | FMC SVN.
1028+| firmware_svn | u32 | Firmware SVN.
1029+| min_firmware_svn | u32 | Min Firmware SVN.
1030+| cold_boot_fw_svn | u32 | Cold-boot Firmware SVN.
6741031 | attestation_disabled | u32 | State of attestation disable.
6751032 | rom_revision | u8[20] | Revision (Git commit ID) of ROM build.
6761033 | fmc_revision | u8[20] | Revision (Git commit ID) of FMC build.
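Review bot: the third rename changes meaning, not just the name: `fmc_manifest_svn` ("FMC SVN") becomes `cold_boot_fw_svn` ("Cold-boot Firmware SVN"). Add a sentence mapping the 1.x fields to the 2.0 ones (whether `firmware_svn` is what `runtime_svn` held, and what `cold_boot_fw_svn` reports after a hitless update versus a cold boot). Also, the unchanged `chksum` row at the top of this table reads "Checksum over other input arguments, computed by the caller" although this is an output table (it carries `fips_status` and `rom_revision`); while editing these rows, correct it to the output wording used elsewhere.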
@@ -679,6 +1036,8 @@
6791036 | fmc_sha384_digest | u32[12] | Digest of FMC binary.
6801037 | runtime_sha384_digest | u32[12] | Digest of runtime binary.
6811038 | owner_pub_key_hash | u32[12] | Hash of the owner public keys provided in the image bundle manifest.
1039+| authman_sha384_digest | u32[12] | Hash of the authorization manifest provided by SET_AUTH_MANIFEST.
1040+| most_recent_fw_error | u32 | Most recent FW non-fatal error (shows current non-fatal error if non-zero)
6821041
6831042 ### VERSION
6841043
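Review bot: `authman_sha384_digest` should state its value when no manifest has been provided through `SET_AUTH_MANIFEST` (for example all zeros), otherwise a consumer cannot tell "no manifest" from a real digest. `most_recent_fw_error` should say whether and when it is cleared; the parenthetical "shows current non-fatal error if non-zero" reads as if it both latches the most recent error and reflects the current one.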
@@ -761,10 +1120,10 @@
7611120
7621121 ### ADD\_SUBJECT\_ALT\_NAME
7631122
764-Provides a subject alternative name otherName. Whenever CERTIFY_KEY_EXTENDED is called with the
765-DMTF_OTHER_NAME flag after ADD_SUBJECT_ALT_NAME is called, the resulting DPE CSR or leaf certificate
766-will contain a subject alternative name extension containing the provided otherName, which must be a
767-DMTF device info. All such certificates produced by CERTIFY_KEY_EXTENDED will continue to have the
1123+Provides a subject alternative name otherName. Whenever CERTIFY_KEY_EXTENDED is called with the
1124+DMTF_OTHER_NAME flag after ADD_SUBJECT_ALT_NAME is called, the resulting DPE CSR or leaf certificate
1125+will contain a subject alternative name extension containing the provided otherName, which must be a
1126+DMTF device info. All such certificates produced by CERTIFY_KEY_EXTENDED will continue to have the
7681127 DMTF otherName subject alternative name extension until reset.
7691128
7701129 Command Code: `0x414C_544E` ("ALTN")
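Review bot: the four changed lines of the `ADD_SUBJECT_ALT_NAME` paragraph appear to differ only in trailing whitespace; if so, drop them from the change to keep the diff to substantive edits.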
@@ -792,178 +1151,1374 @@
7921151
7931152 *Table: `CERTIFY_KEY_EXTENDED` input arguments*
7941153
795-| **Name** | **Type** | **Description**
796-| -------- | -------- | ---------------
797-| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian.
798-| certify\_key\_req | u8[72] | Certify Key Request.
799-| flags | u32 | Flags determining which custom extensions to include in the certificate.
1154+| **Name** | **Type** | **Description** |
1155+| ----------------- | -------- | --------------------------------------------------------------------------- |
1156+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
1157+| certify\_key\_req | u8[72] | Certify Key Request. |
1158+| flags | u32 | Flags determining which custom extensions to include in the certificate. |
1159+
8001160
8011161 *Table: `CERTIFY_KEY_EXTENDED` input flags*
8021162
803-| **Name** | **Offset**
804-| -------- | ----------
805-| DMTF_OTHER_NAME | 1 << 31
1163+| **Name** | **Offset** |
1164+| --------------- | ---------- |
1165+| DMTF_OTHER_NAME | 1 << 31 |
1166+
8061167
8071168 *Table: `CERTIFY_KEY_EXTENDED` output arguments*
1169+
1170+| **Name** | **Type** | **Description** |
1171+| ------------------ | -------- | -------------------------------------------------------------------------- |
1172+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
1173+| fips\_status | u32 | Indicates if the command is FIPS approved or an error. |
1174+| certify\_key\_resp | u8[2176] | Certify Key Response. |
1175+
1176+
1177+### SET_AUTH_MANIFEST
1178+
1179+The SoC uses this command and `SET_IMAGE_METADTA` to program an image manifest for Manifest-Based Image Authorization to Caliptra. In response to these commands, the Caliptra Runtime will verify the manifest by authenticating the public keys and in turn using them to authenticate the IMC. On successful verification, the Runtime will store the IMEs into DCCM for future use.
1180+
1181+Command Code: `0x4154_4D4E` ("ATMN")
1182+
1183+*Table: `SET_AUTH_MANIFEST` input arguments*
8081184
8091185 | **Name** | **Type** | **Description**
8101186 | -------- | -------- | ---------------
811-| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian.
812-| fips\_status | u32 | Indicates if the command is FIPS approved or an error.
813-| certify\_key\_resp | u8[2176] | Certify Key Response.
814-
815-### SET\_AUTH\_MANIFEST
816-
817-Command Code: `0x4154_4D4E` ("ATMN")
818-
819-*Table: `SET_AUTH_MANIFEST` input arguments*
820-
821-| **Name** | **Type** | **Description** |
822-| ------------------------------ | ------------------ | --------------- |
8231187 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
8241188 | manifest size | u32 | The size of the full Authentication Manifest |
825-| manifest\_marker | u32 | Marker needs to be 0x4154_4D4E for the preamble to be valid |
1189+| preamble\_marker | u32 | Marker needs to be 0x4154_4D4E for the preamble to be valid |
8261190 | preamble\_size | u32 | Size of the preamble |
827-| manifest\_version | u32 | Version of the preamble |
828-| manifest\_flags | u32 | Manifest flags. See `AUTH_MANIFEST_FLAGS` below. |
829-| manifest\_vendor\_ecc384\_key | u32[24] | Manifest Vendor ECC P-384 public key used to verify the IMC Signature. <br> **X-Coordinate:** Public Key X-Coordinate (48 bytes) <br> **Y-Coordinate:** Public Key Y-Coordinate (48 bytes) |
830-| manifest\_vendor\_lms\_key | u32[12] | Manifest Vendor LMS public key used to verify the IMC Signature. <br> **tree_type:** LMS Algorithm Type (4 bytes) <br> **otstype:** LMS Ots Algorithm Type (4 bytes) <br> **id:** (16 bytes) <br> **digest:** (24 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. |
831-| manifest\_vendor\_ecc384\_sig | u32[24] | Manifest Vendor ECDSA P-384 signature of the Version, Flags, Vendor ECC and LMS public keys, hashed using SHA2-384. <br> **R-Coordinate:** Random Point (48 bytes) <br> **S-Coordinate:** Proof (48 bytes) |
832-| manifest\_vendor\_LMS\_sig | u32[405] | Vendor LMS signature of the Version, Flags, Vendor ECC and LMS public keys, hashed using SHA2-384. <br> **q:** Leaf of the Merkle tree where the OTS public key appears (4 bytes) <br> **ots:** Lmots Signature (1252 bytes) <br> **tree_type:** Lms Algorithm Type (4 bytes) <br> **tree_path:** Path through the tree from the leaf associated with the LM-OTS signature to the root. (360 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. |
833-| manifest\_owner\_ecc384\_key | u32[24] | Manifest Owner ECC P-384 public key used to verify the IMC Signature. <br> **X-Coordinate:** Public Key X-Coordinate (48 bytes) <br> **Y-Coordinate:** Public Key Y-Coordinate (48 bytes) |
834-| manifest\_owner\_lms\_key | u32[12] | Manifest Owner LMS public key used to verify the IMC Signature. <br> **tree_type:** LMS Algorithm Type (4 bytes) <br> **otstype:** LMS Ots Algorithm Type (4 bytes) <br> **id:** (16 bytes) <br> **digest:** (24 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. |
835-| manifest\_owner\_ecc384\_sig | u32[24] | Owner ECDSA P-384 signature of the Owner ECC and LMS public keys, hashed using SHA2-384. <br> **R-Coordinate:** Random Point (48 bytes) <br> **S-Coordinate:** Proof (48 bytes) |
836-| manifest\_owner\_LMS\_sig | u32[405] | Owner LMS signature of the Version, Flags, Owner ECC and LMS public keys, hashed using SHA2-384. <br> **q:** Leaf of the Merkle tree where the OTS public key appears (4 bytes) <br> **ots:** Lmots Signature (1252 bytes) <br> **tree_type:** Lms Algorithm Type (4 bytes) <br> **tree_path:** Path through the tree from the leaf associated with the LM-OTS signature to the root. (360 bytes) <br> Note: If LMS validation is not required, this should field should be zeroed out. |
837-| metadata\_vendor\_ecc384\_sig | u32[24] | Metadata Vendor ECC384 signature over the image metadata collection using the manifest vendor ecc384 key. |
838-| metadata\_vendor\_LMS\_sig | u32[405] | Metadata Vendor LMOTS-SHA192-W4 signature over the image metadata collection using the manifest vendor LMS key. |
839-| metadata\_owner\_ecc384\_sig | u32[24] | Metadata Owner ECC384 signature over the image metadata collection using the manifest owner ecc384 key. |
840-| metadata\_owner\_LMS\_sig | u32[405] | Metadata Owner LMOTS-SHA192-W4 signature over the image metadata collection manifest owner LMS key. |
1191+| preamble\_version | u32 | Version of the preamble |
1192+| preamble\_flags | u32 | Manifest flags. See AUTH_MANIFEST_FLAGS below |
1193+| preamble\_vendor\_ecc384\_key | u32[24] | Vendor ECC384 key with X and Y coordinates in that order |
1194+| preamble\_vendor\_pqc\_key | u32[648] | Vendor MLDSA-87 or LMS-SHA192-H15 key |
1195+| preamble\_vendor\_ecc384\_sig | u32[24] | Vendor ECC384 signature |
1196+| preamble\_vendor\_PQC\_sig | u32[1157] | Vendor MLDSA-87 or LMOTS-SHA192-W4 signature |
1197+| preamble\_owner\_ecc384\_key | u32[24] | Owner ECC384 key with X and Y coordinates in that order |
1198+| preamble\_owner\_pqc\_key | u32[648] | Owner MLDSA-87 or LMS-SHA192-H15 key |
1199+| preamble\_owner\_ecc384\_sig | u32[24] | Owner ECC384 signature |
1200+| preamble\_owner\_PQC\_sig | u32[1157] | Owner MLDSA-87 or LMOTS-SHA192-W4 signature |
1201+| metadata\_vendor\_ecc384\_sig | u32[24] | Metadata Vendor ECC384 signature |
1202+| metadata\_vendor\_PQC\_sig | u32[1157] | Metadata Vendor MLDSA-87 or LMOTS-SHA192-W4 signature |
1203+| metadata\_owner\_ecc384\_sig | u32[24] | Metadata Owner ECC384 signature |
1204+| metadata\_owner\_PQC\_sig | u32[1157] | Metadata Owner MLDSA-87 or LMOTS-SHA192-W4 signature |
8411205 | metadata\_entry\_entry\_count | u32 | number of metadata entries |
842-| metadata\_entries | MetaData[127] | The max number of metadata entries is 127 but less can be used |
1206+| metadata\_entries | Metadata[127] | The max number of metadata entries is 127 but less can be used |
8431207
8441208
8451209
8461210 *Table: `AUTH_MANIFEST_FLAGS` input flags*
847-
8481211 | **Name** | **Value** |
849-| --------------------------- | ----------- |
1212+| ------------------------- | --------- |
8501213 | VENDOR_SIGNATURE_REQUIRED | 1 << 0 |
8511214
8521215
8531216 *Table: `AUTH_MANIFEST_METADATA_ENTRY` digest entries*
8541217
855-| **Name** | **Type** | **Description** |
856-| --------------- | ---------- | ---------------------------------- |
857-| fw\_id | u32 | Id of the image |
858-| flags | u32 | See `METADATA_ENTRY_FLAGS` below |
859-| digest | u32[48] | Digest of the image |
860-
861-
862-
863-*Table: `METADATA_ENTRY_FLAGS` input flags*
864-
865-| **Name** | **Size (Bits)** | **Description** |
866-| --------------------- | ----------------- | ----------------- |
867-| image\_source | 2 | 1: InRequest |
868-| ignore\_auth\_check | 1 | If set, the image digest is not compared for the firmware id |
869-
870-
871-*Table: `SET_AUTH_MANIFEST` output arguments*
872-
873-| **Name** | **Type** | **Description** |
874-| -------- | -------- | --------------- |
875-| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
876-| fips\_status | u32 | Indicates if the command is FIPS approved or an error. |
877-
1218+
1219+| **Name** | **Type** | **Description** |
1220+| ------------------------ | --------- | ---------------- |
1221+| Image Hash | u8[48] | SHA2-384 hash of a SOC image. |
1222+
1223+| Image_id | u32 | This corresponds to the `Image Identifier` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1224+| Component_id | u32 | This corresponds to the `Component Id` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1225+| flags | u32 | This corresponds to the `flags` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1226+| Image Load Address High | u32 | This corresponds to the `Image Load Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1227+| Image Load Address Low | u32 | This corresponds to the `Image Load Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1228+| Staging Address High | u32 | This corresponds to the `Staging Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1229+| Staging Address Low | u32 | This corresponds to the `Staging Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1230+| Classification | u32 | This corresponds to the `Classification` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1231+| Version Number | u32 | This corresponds to the `Version Number` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1232+| Version String | u8[32] | This corresponds to the `Version String` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1233+
1234+### VERIFY_AUTH_MANIFEST
1235+
1236+This command verifies the integrity and authenticity of the provided image manifest. Unlike `SET_AUTH_MANIFEST`, it performs validation only and does not persist the manifest in DCCM.
1237+
1238+Command Code: `0x4154_564D` ("ATVM")
1239+
1240+The input arguments are the same as the `SET_AUTH_MANIFEST` command.
8781241
8791242
8801243 ### AUTHORIZE_AND_STASH
8811244
1245+The SoC uses this command to request authorization of its various SoC images. This command has the option to receive the image hash directly from SoC or from an external source (e.g., SHA Acc).
1246+
1247+The SoC uses this command repeatedly to ask for authorization to run its different images. The Runtime will verify that the image hash is contained in the IMC and will allow or reject the image based on that check. The command also enables stashing of the image hash by default with an option to skip stashing if needed. The SVN field is intended for anti-rollback protection.
1248+
1249+
8821250 Command Code: `0x4154_5348` ("ATSH")
8831251
8841252 *Table: `AUTHORIZE_AND_STASH` input arguments*
8851253
886-| **Name** | **Type** | **Description** |
887-| ------------ | -------- | --------------- |
1254+| **Name** | **Type** | **Description**
1255+| ------------| -------- | ---------------
8881256 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
8891257 | fw_id | u8[4] | Firmware id of the image, in little-endian format |
890-| measurement | u8[48] | Digest of the image requested for authorization |
1258+| measurement | u8[48] | Digest of the image requested for authorization. The `source` field needs to be set to '1` for InRequest, otherwise<br />this field is ignored. |
8911259 | context | u8[48] | Context field for `svn`; e.g., a hash of the public key that authenticated the SVN. |
892-| svn | u32 | SVN |
1260+| svn | u32 | The version of the image |
8931261 | flags | u32 | See AUTHORIZE_AND_STASH_FLAGS below |
894-| source | u32 | Enumeration values: { InRequest(1) } |
1262+| source | u32 | This field identifies the source of the digest to be used to compare with the SoC's<br />SHA digest in the SoC Manifest<br /><br />Values<br />1 - InRequest - Use the hash in the 'measurement' field of this command<br /><br />3 - LoadAddress - The image located in the `ImageLoadAddress` will be streamed to the SHA Accelerator to <br /> retrieve the digest that will be used for authorization.<br />4 - ImageStagingAddress - The image located in the `StagingAddress` will be streamed to the SHA Accelerator to<br /> retrieve the digest that will be used for authorization |
1263+| image_size | u32 | The size of the image to hash. Only valid if source is `ImageLoadAddress` or `StagingAddress` |
8951264
8961265
8971266 *Table: `AUTHORIZE_AND_STASH_FLAGS` input flags*
898-
8991267 | **Name** | **Value** |
900-| ------------ | ------------ |
1268+| ----------- | --------- |
9011269 | SKIP\_STASH | 1 << 0 |
9021270
9031271
9041272 *Table: `AUTHORIZE_AND_STASH` output arguments*
905-| **Name** | **Type** | **Description**
906-| ----------------| -------- | ---------------
1273+| **Name** | **Type** | **Description** |
1274+| --------------- | -------- | -------------------------------------------------------------------------- |
9071275 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
9081276 | fips_status | u32 | Indicates if the command is FIPS approved or an error. |
909-| auth_req_result | u32 | AUTHORIZE_IMAGE (0xDEADC0DE), IMAGE_NOT_AUTHORIZED (0x21523F21) or IMAGE_HASH_MISMATCH (0x8BFB95CB) |
910-
911-
912-### GET\_IDEVID\_CSR
913-
914-Command Code: `0x4944_4352` ("IDCR")
915-
916-*Table: `GET_IDEVID_CSR` input arguments*
1277+
1278+| auth_req_result | u32 |AUTHORIZE_IMAGE (0xDEADC0DE), IMAGE_NOT_AUTHORIZED (0x21523F21) or IMAGE_HASH_MISMATCH (0x8BFB95CB)
1279+
1280+### GET_IMAGE_INFO
1281+
1282+The MCU uses this command to retrieve the Image Metadata Entry defined in the SoC Manifest given by an index to the Image Metadata Collection (IMC).
1283+
1284+Command Code: `0x494D_4530` ("IME0")
1285+
1286+*Table: `GET_IMAGE_INFO` input arguments*
1287+
1288+| **Name** | **Type** | **Description** |
1289+| -------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
1290+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
1291+
1292+| fw_id | u32 | Firmware id of the image, in little-endian format
1293+
1294+*Table: `GET_IMAGE_INFO` output arguments*
1295+
1296+| **Name** | **Type** | **Description** |
1297+| -------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
1298+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
1299+| fips_status | u32 | Indicates if the command is FIPS approved or an error. |
1300+
1301+| Component_id | u32 | This corresponds to the `Component Id` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1302+| flags | u32 | This corresponds to the `flags` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1303+| Image Load Address High | u32 | This corresponds to the `Image Load Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1304+| Image Load Address Low | u32 | This corresponds to the `Image Load Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1305+| Staging Address High | u32 | This corresponds to the `Staging Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1306+| Staging Address Low | u32 | This corresponds to the `Staging Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1307+| Classification | u32 | This corresponds to the `Classification` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1308+| Version Number | u32 | This corresponds to the `Version Number` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1309+| Version String | u8[32] | This corresponds to the `Version String` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1310+
1311+
1312+
1313+### ACTIVATE_FIRMWARE
1314+
1315+The MCU uses this command to 'activate' the image that has been previously downloaded through PLDM - T5.
1316+For the full behavior of this command, refer to the [Subsystem Support for Hitless Updates](https://github.com/chipsalliance/Caliptra/blob/main/doc/Caliptra.md#subsystem-support-for-hitless-updates) specification.
1317+
1318+Command Code: `0x4143_5446` ("ACTF")
1319+
1320+*Table: `ACTIVATE_FIRMWARE` input arguments*
1321+
1322+| **Name** | **Type** | **Description** |
1323+| -------------- | -------------- | --------------------------------------------------------------------------- |
1324+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
1325+| count | u32 | Number of image_ids to activate. Item count of image_ids array parameter |
1326+| mcu_image_size | u32 | Size of MCU image, if included in the activation |
1327+| image_ids | Array of u8[4] | Array of Image ids in little-endian format |
1328+
1329+
1330+*Table: `ACTIVATE_FIRMWARE` output arguments*
1331+
1332+| **Name** | **Type** | **Description** |
1333+| -------------- | -------------- | -------------------------------------------------------------------------- |
1334+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
1335+| fips_status | u32 | Indicates if the command is FIPS approved or an error. |
1336+
1337+
1338+## Mailbox commands: Cryptographic Mailbox (2.0)
1339+
1340+These commands are used by the [Cryptograhic Mailbox](#cryptographic-mailbox-commands-new-in-20) system.
1341+
1342+### CM_SHA_INIT
1343+
1344+This starts the computation of a SHA hash of data, which may be larger than a single mailbox command allows. It also supports additional algorithms.
1345+
1346+**Note:** ROM provides a simpler one-shot `CM_SHA` command for hashing data in a single operation. However, that command is ROM-only and is not available in runtime. For runtime, use these streaming commands (CM_SHA_INIT, CM_SHA_UPDATE, CM_SHA_FINAL) which support contexts and incremental hashing of large data.
1347+
1348+The sequence to use these are:
1349+* 1 `CM_SHA_INIT` command
1350+* 0 or more `CM_SHA_UPDATE` commands
1351+* 1 `CM_SHA_FINAL` command
1352+
1353+For each command, the context from the previous command's output must be passed as an input.
1354+
1355+The `SHA_CONTEXT_SIZE` is always exactly 200 bytes long.
1356+
1357+The maximum supported data size for the SHA commands is 4096 bytes.
1358+
1359+Command Code: `0x434D_5349` ("CMSI")
1360+
1361+*Table: `CM_SHA_INIT` input arguments*
1362+
1363+| **Name** | **Type** | **Description** |
1364+| -------------- | ------------- | ------------------ |
1365+| chksum | u32 ||
1366+| hash algorithm | u32 | Enum. |
1367+||| Value 0 = reserved |
1368+||| Value 1 = SHA2-384 |
1369+||| Value 2 = SHA2-512 |
1370+| data size | u32 ||
1371+| data | u8[data size] | Data to hash |
1372+
1373+
1374+*Table: `CM_SHA_INIT` output arguments*
1375+| **Name** | **Type** | **Description** |
1376+| ------------ | -------------------- | ------------------------------------------ |
1377+| chksum | u32 ||
1378+| fips_status | u32 | FIPS approved or an error |
1379+| context | u8[SHA_CONTEXT_SIZE] | Passed to `CM_SHA_UPDATE` / `CM_SHA_FINAL` |
1380+
1381+
1382+*Table: `CM_SHA_INIT` / `CM_SHA_UPDATE` / `CM_SHA_FINAL` internal context*
1383+| **Name** | **Type** | **Description** |
1384+| ----------------- | -------- | --------------- |
1385+| input buffer | u8[128] ||
1386+| intermediate hash | u8[64] ||
1387+| length | u32 ||
1388+| hash algorithm | u32 ||
1389+
1390+
1391+### CM_SHA_UPDATE
1392+
1393+This continues a SHA computation started by `CM_SHA_INIT` or from another `CM_SHA_UPDATE`.
1394+
1395+The context MUST be passed in from `CM_SHA_INIT` or `CM_SHA_UPDATE`.
1396+
1397+Command Code: `0x434D_5355` ("CMSU")
1398+
1399+*Table: `CM_SHA_UPDATE` input arguments*
1400+| **Name** | **Type** | **Description** |
1401+| ------------ | -------------------- | ------------------------------------ |
1402+| chksum | u32 ||
1403+| context | u8[SHA_CONTEXT_SIZE] | From `CM_SHA_INIT` / `CM_SHA_UPDATE` |
1404+| data size | u32 ||
1405+| data | u8[data size] | Data to hash |
1406+
1407+
1408+*Table: `CM_SHA_UPDATE` output arguments*
1409+| **Name** | **Type** | **Description** |
1410+| ------------ | -------------------- | ------------------------------------------ |
1411+| chksum | u32 ||
1412+| fips_status | u32 | FIPS approved or an error |
1413+| context | u8[SHA_CONTEXT_SIZE] | Passed to `CM_SHA_UPDATE` / `CM_SHA_FINAL` |
1414+
1415+
1416+### CM_SHA_FINAL
1417+
1418+This finalizes the computation of a SHA and produces the hash of all of the data.
1419+
1420+The context MUST be passed in from `CM_SHA_INIT` or `CMA_SHA_UPDATE`.
1421+
1422+Command Code: `0x434D_5346` ("CMSF")
1423+
1424+*Table: `CM_SHA_FINAL` input arguments*
1425+| **Name** | **Type** | **Description** |
1426+| ------------ | -------------------- | ------------------------------------ |
1427+| chksum | u32 ||
1428+| context | u8[SHA_CONTEXT_SIZE] | From `CM_SHA_INIT` / `CM_SHA_UPDATE` |
1429+| data size | u32 | May be 0 |
1430+| data | u8[data size] | Data to hash |
1431+
1432+
1433+*Table: `CM_SHA_FINAL` output arguments*
1434+| **Name** | **Type** | **Description** |
1435+| ----------- | ------------- | ------------------------- |
1436+| chksum | u32 ||
1437+| fips_status | u32 | FIPS approved or an error |
1438+| hash size | u32 ||
1439+| hash | u8[hash size] ||
1440+
1441+
1442+### CM\_HMAC
1443+
1444+Computes an HMAC according to [RFC 2104](https://datatracker.ietf.org/doc/html/rfc2104) with select SHA algorithm support. The data must fit into a single mailbox command.
1445+
1446+The CMK must have been created for HMAC / HKDF usage.
1447+
1448+Command Code: `0x434D_484D` ("CMHM")
1449+
1450+*Table: `CM_HMAC` input arguments*
1451+| **Name** | **Type** | **Description** |
1452+| -------------- | ------------- | ----------------- |
1453+| chksum | u32 ||
1454+| CMK | CMK | CMK to use as key |
1455+| hash algorithm | u32 | Enum. |
1456+||| 0 = reserved |
1457+||| 1 = SHA2-384 |
1458+||| 2 = SHA2-512 |
1459+| data size | u32 ||
1460+| data | u8[data size] | Data to MAC |
1461+
1462+
1463+
1464+*Table: `CM_HMAC` output arguments*
1465+| **Name** | **Type** | **Description** |
1466+| ----------- | ------------ | ------------------------- |
1467+| chksum | u32 ||
1468+| fips_status | u32 | FIPS approved or an error |
1469+| mac size | u32 ||
1470+| mac | u8[mac size] ||
1471+
1472+
1473+### CM_HMAC_KDF_COUNTER
1474+
1475+Implements HMAC KDF in Counter Moder as specified in as specified in [RFC 5869](https://www.rfc-editor.org/rfc/rfc5869.html) and [NIST SP800-108](https://csrc.nist.gov/pubs/sp/800/108/r1/upd1/final) Section 4.1 (KDF in Counter Mode, Section 4.1).
1476+
1477+The CMK must have been created for HMAC usage.
1478+
1479+The output length will be automatically chosen to match the key usage.
1480+
1481+Command Code: `0x434D_4B43` ("CMKC")
1482+
1483+*Table: `CM_HMAC_KDF_COUNTER` input arguments*
1484+| **Name** | **Type** | **Description** |
1485+| -------------- | -------------- | ------------------------- |
1486+| chksum | u32 ||
1487+| KIN CMK | CMK | Input key |
1488+| hash algorithm | u32 | Enum. |
1489+||| Value 0 = reserved |
1490+||| Value 1 = SHA2-384 |
1491+||| Value 2 = SHA2-512 |
1492+| key usage | u32 | usage tag of output key |
1493+| key size | u32 | size (in bytes) for the output key; MUST be valid for the key usage |
1494+| label size | u32 ||
1495+| label | u8[label size] ||
1496+
1497+
1498+*Table: `CM_HMAC_KDF_COUNTER` output arguments*
1499+| **Name** | **Type** | **Description** |
1500+| ----------- | -------- | --------------------------------------- |
1501+| chksum | u32 ||
1502+| fips_status | u32 | FIPS approved or an error |
1503+| KOUT CMK | CMK | CMK that stores the output key material |
1504+
1505+
1506+### CM_HKDF_EXTRACT
1507+
1508+Implements HKDF-Extract as specified in [RFC 5869](https://www.rfc-editor.org/rfc/rfc5869.html).
1509+
1510+The CMKs for IKM and salt must have been created for HMAC usage. The output will be tagged for HMAC usage.
1511+
1512+Use CM_IMPORT to import non-secret (plaintext) salt or IKMs to use
1513+with HKDF-Extract after right-padding to 48 or 64 bytes with zeros.
1514+
1515+Command Code: `0x434D_4B54` ("CMKT")
1516+
1517+*Table: `CM_HKDF_EXTRACT` input arguments*
1518+| **Name** | **Type** | **Description** |
1519+| -------------- | -------- | ------------------------- |
1520+| chksum | u32 ||
1521+| hash algorithm | u32 | Enum. |
1522+||| Value 0 = reserved |
1523+||| Value 1 = SHA2-384 |
1524+||| Value 2 = SHA2-512 |
1525+| salt CMK | CMK | Salt CMK. |
1526+| IKM CMK | CMK | Input key material CMK |
1527+
1528+
1529+*Table: `CM_HKDF_EXTRACT` output arguments*
1530+| **Name** | **Type** | **Description** |
1531+| ----------- | -------- | --------------------------------------- |
1532+| chksum | u32 ||
1533+| fips_status | u32 | FIPS approved or an error |
1534+| PRK CMK | u8[32] | CMK that stores the output (PRK) to use |
1535+||| with HKDF-Expand |
1536+
1537+
1538+### CM_HKDF_EXPAND
1539+
1540+Implements HKDF-Expand as specified in [RFC 5869](https://www.rfc-editor.org/rfc/rfc5869.html).
1541+
1542+The CMK must have been created for HMAC usage.
1543+
1544+The output length will be automatically chosen to match the key usage.
1545+
1546+Command Code: `0x434D_4B50` ("CMKP")
1547+
1548+*Table: `CM_HKDF_EXPAND` input arguments*
1549+| **Name** | **Type** | **Description** |
1550+| -------------- | ------------- | ------------------------------- |
1551+| chksum | u32 ||
1552+| PRK CMK | CMK ||
1553+| hash algorithm | u32 | Enum. |
1554+||| Value 0 = reserved |
1555+||| Value 1 = SHA2-384 |
1556+||| Value 2 = SHA2-512 |
1557+| key usage | u32 | usage tag of output key |
1558+| key size | u32 | size (in bytes) for the OKM; |
1559+||| MUST be valid for the key usage |
1560+| info size | u32 ||
1561+| info | u8[info size] ||
1562+
1563+
1564+*Table: `CM_HKDF_EXPAND` output arguments*
1565+Command Code: `0x434D_4B43` ("CMKC")
1566+
1567+| **Name** | **Type** | **Description** |
1568+| ----------- | -------- | --------------------------------------- |
1569+| chksum | u32 ||
1570+| fips_status | u32 | FIPS approved or an error |
1571+| OKM CMK | CMK | CMK that stores the output key material |
1572+
1573+
1574+
1575+### CM_MLDSA_PUBLIC_KEY
1576+
1577+Returns the public key associated with the MLDSA-87 key (seed) in a CMK.
1578+
1579+The public key format is described in [FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
1580+
1581+Command Code: `0x434D_4D50` ("CMMP")
1582+
1583+*Table: `CM_MLDSA_PUBLIC_KEY` input arguments*
1584+| **Name** | **Type** | **Description** |
1585+| -------- | -------- | ----------------- |
1586+| chksum | u32 ||
1587+| CMK | CMK | Private key seed |
1588+
1589+
1590+*Table: `CM_MLDSA_PUBLIC_KEY` output arguments*
1591+| **Name** | **Type** | **Description** |
1592+| ----------- | -------- | -------------------------- |
1593+| chksum | u32 ||
1594+| fips_status | u32 | FIPS approved or an error |
1595+| Public key | u8[2592] | Public key |
1596+
1597+
1598+### CM_MLDSA_SIGN
1599+
1600+Signs the message with the MLDSA-87 key.
1601+
1602+The signature format is described in [FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
1603+
1604+Command Code: `0x434D_4D53` ("CMMS")
1605+
1606+*Table: `CM_MLDSA_SIGN` input arguments*
1607+| **Name** | **Type** | **Description** |
1608+| -------- | ------------ | ----------------- |
1609+| chksum | u32 ||
1610+| CMK | CMK | Private key seed |
1611+| data len | u32 | Length of message |
1612+| data | u8[data len] | Message to sign |
1613+
1614+
1615+*Table: `CM_MLDSA_SIGN` output arguments*
1616+| **Name** | **Type** | **Description** |
1617+| ----------- | -------- | -------------------------- |
1618+| chksum | u32 ||
1619+| fips_status | u32 | FIPS approved or an error |
1620+| signature | u8[4627] | Signature |
1621+| padding | u8[1] ||
1622+
1623+
1624+### CM_MLDSA_VERIFY
1625+
1626+Verifies the signature against the message and MLDSA-87 key.
1627+
1628+The signature format is described in [FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
1629+
1630+The command will only return a success if the signature is valid.
1631+
1632+Command Code: `0x434D_4D56` ("CMMV")
1633+
1634+*Table: `CM_MLDSA_VERIFY` input arguments*
1635+| **Name** | **Type** | **Description** |
1636+| --------- | ------------ | ------------------ |
1637+| chksum | u32 ||
1638+| CMK | CMK | Private key seed |
1639+| signature | u8[4627] | Signature to check |
1640+| padding | u8[1] ||
1641+| data len | u32 | Length of message |
1642+| data | u8[data len] | Message to check |
1643+
1644+
1645+*Table: `CM_MLDSA_VERIFY` output arguments*
1646+| **Name** | **Type** | **Description** |
1647+| ----------- | -------- | -------------------------- |
1648+| chksum | u32 ||
1649+| fips_status | u32 | FIPS approved or an error |
1650+
1651+
1652+### CM_ECDSA_PUBLIC_KEY
1653+
1654+Returns the public key associated with the ECDSA-384 key seed in a CMK.
1655+
1656+The public key consists of its `x` and `y` values described in [FIPS 186-5](https://csrc.nist.gov/pubs/fips/186-5/final) encoded in big-endian byte order.
1657+
1658+Command Code: `0x434D_4550` ("CMEP")
1659+
1660+*Table: `CM_ECDSA_PUBLIC_KEY` input arguments*
1661+| **Name** | **Type** | **Description** |
1662+| -------- | -------- | ----------------- |
1663+| chksum | u32 ||
1664+| CMK | CMK | Private key seed |
1665+
1666+
1667+*Table: `CM_ECDSA_PUBLIC_KEY` output arguments*
1668+| **Name** | **Type** | **Description** |
1669+| ----------- | -------- | -------------------------- |
1670+| chksum | u32 ||
1671+| fips_status | u32 | FIPS approved or an error |
1672+| pubkey_x | u8[48] | The X BigNum of the ECDSA public key generated from the seed |
1673+| pubkey_y | u8[48] | The Y BigNum of the ECDSA public key generated from the seed |
1674+
1675+
1676+### CM_ECDSA_SIGN
1677+
1678+Signs the SHA384 hash of the message with the ECDSA-384 key.
1679+
1680+The signature consists of its `r` and `s` values described in [FIPS 186-5](https://csrc.nist.gov/pubs/fips/186-5/final) encoded in big-endian byte order.
1681+
1682+Command Code: `0x434D_5D53` ("CMES")
1683+
1684+*Table: `CM_ECDSA_SIGN` input arguments*
1685+| **Name** | **Type** | **Description** |
1686+| -------- | ------------ | ----------------- |
1687+| chksum | u32 ||
1688+| CMK | CMK | Private key seed |
1689+| data len | u32 | Length of message |
1690+| data | u8[data len] | Message to sign |
1691+
1692+
1693+*Table: `CM_ECDSA_SIGN` output arguments*
1694+| **Name** | **Type** | **Description** |
1695+| ------------ | -------- | ------------------------------------ |
1696+| chksum | u32 ||
1697+| fips_status | u32 | FIPS approved or an error |
1698+| signature_r | u8[48] | The R BigNum of the ECDSA signature |
1699+| signature_s | u8[48] | The S BigNum of the ECDSA signature |
1700+
1701+
1702+### CM_ECDSA_VERIFY
1703+
1704+Verifies the signature against the SHA384 hash of the message and ECDSA-384 key.
1705+
1706+The signature consists of its `r` and `s` values described in [FIPS 186-5](https://csrc.nist.gov/pubs/fips/186-5/final) encoded in big-endian byte order.
1707+
1708+The command will only return a success if the signature is valid.
1709+
1710+Command Code: `0x434D_4556` ("CMEV")
1711+
1712+*Table: `CM_ECDSA_VERIFY` input arguments*
1713+| **Name** | **Type** | **Description** |
1714+| ------------ | ------------ | ----------------------------------- |
1715+| chksum | u32 ||
1716+| CMK | CMK | Private key seed |
1717+| signature_r | u8[48] | The R BigNum of an ECDSA signature |
1718+| signature_s | u8[48] | The S BigNum of an ECDSA signature |
1719+| data len | u32 | Length of message |
1720+| data | u8[data len] | Message to check |
1721+
1722+
1723+*Table: `CM_ECDSA_VERIFY` output arguments*
1724+| **Name** | **Type** | **Description** |
1725+| ----------- | -------- | -------------------------- |
1726+| chksum | u32 ||
1727+| fips_status | u32 | FIPS approved or an error |
1728+
1729+
1730+### CM_AES_ENCRYPT_INIT
1731+
1732+Generic AES operation for unauthenticated AES operations.
1733+AES GCM operations use separate commands elsewhere.
1734+
1735+AES-256-CBC only supports using a random 128-bit IV.
1736+
1737+For CBC, the size must be a multiple of 16 bytes.
1738+CTR mode supports input of any size up to the maximum cryptographic mailbox size.
1739+
1740+The CMK must have been created for AES usage.
1741+
1742+Command Code: `0x434D_4349` ("CMCI")
1743+
1744+*Table: `CM_AES_ENCRYPT_INIT` input arguments*
1745+| **Name** | **Type** | **Description** |
1746+| -------------- | ------------------ | ------------------------------------- |
1747+| chksum | u32 ||
1748+| CMK | CMK | CMK of the key to use to encrypt |
1749+| mode/flags | u32 | Requested mode and flags. |
1750+||| 0 = Reserved |
1751+||| 1 = CBC |
1752+||| 2 = CTR |
1753+| plaintext size | u32 | MUST be non-zero |
1754+| plaintext | u8[plaintext size] | Data to encrypt |
1755+
1756+
1757+*Table: `CM_AES_ENCRYPT_INIT` output arguments*
1758+| **Name** | **Type** | **Description** |
1759+| --------------- | ------------------- | -------------------------------- |
1760+| chksum | u32 ||
1761+| fips_status | u32 | FIPS approved or an error |
1762+| context | AES_CONTEXT ||
1763+| iv | u8[16] ||
1764+| ciphertext size | u32 ||
1765+| ciphertext | u8[ciphertext size] | Output encrypted data |
1766+
1767+
1768+The encrypted and authenticated context's internal structure will be:
1769+
1770+*Table: internal context for CM_AES_* operations*
1771+| **Name** | **Type** | **Description** |
1772+| -------------- | -------- | ------------------------------ |
1773+| mode | u32 ||
1774+| key | u8[32] ||
1775+| iv | u8[16] ||
1776+| fips_status | u8 | 1 = FIPS valid |
1777+| reserved | u8[75] | Reserved for additional fields |
1778+
1779+
1780+The size of the (encrypted) context is always exactly 156 bytes,
1781+and we will use the type `AES_CONTEXT` to represent `u8[156]`.
1782+
1783+### CM_AES_ENCRYPT_UPDATE
1784+
1785+This continues (or finishes) an AES computation started by `CM_AES_ENCRYPT_INIT` or from another `CM_AES_ENCRYPT_UPDATE`.
1786+
1787+There is no `CM_AES_ENCRYPT_FINISH` since unauthenticated AES modes do not output a final tag.
1788+
1789+The context MUST be passed in from `CM_AES_ENCRYPT_INIT` or `CM_AES_ENCRYPT_UPDATE`.
1790+
1791+For CBC, the size must be a multiple of 16 bytes.
1792+CTR mode supports input of any size up to the maximum cryptographic mailbox size.
1793+
1794+Command Code: `0x434D_4355` ("CMCU")
1795+
1796+*Table: `CM_AES_ENCRYPT_UPDATE` input arguments*
1797+| **Name** | **Type** | **Description** |
1798+| -------------- | ------------------ | ---------------- |
1799+| chksum | u32 ||
1800+| context | AES_CONTEXT ||
1801+| plaintext size | u32 | MUST be non-zero |
1802+| plaintext | u8[plaintext size] | Data to encrypt |
1803+
1804+
1805+*Table: `CM_AES_ENCRYPT_UPDATE` output arguments*
1806+| **Name** | **Type** | **Description** |
1807+| -------------- | ------------------- | ------------------------- |
1808+| chksum | u32 ||
1809+| fips_status | u32 | FIPS approved or an error |
1810+| context | AES_CONTEXT ||
1811+| cipertext size | u32 ||
1812+| ciphertext | u8[ciphertext size] ||
1813+
1814+
1815+### CM_AES_DECRYPT_INIT
1816+
1817+Starts an AES-256 unauthenaticed decryption computation.
1818+
1819+The CMK must have been created for AES usage.
1820+
1821+For CBC, the size must be a multiple of 16 bytes.
1822+CTR mode supports input of any size up to the maximum cryptographic mailbox size.
1823+
1824+The IV must match what was passed and returned from the initial encryption operation.
1825+
1826+Command Code: `0x434D_414A` ("CMAJ")
1827+
1828+*Table: `CM_AES_DECRYPT_INIT` input arguments*
1829+| **Name** | **Type** | **Description** |
1830+| --------------- | ------------------- | ------------------------- |
1831+| chksum | u32 ||
1832+| CMK | CMK | CMK to use for decryption |
1833+| mode/flags | u32 | Requested mode and flags. |
1834+||| 0 = Reserved |
1835+||| 1 = CBC |
1836+||| 2 = CTR |
1837+| iv | u8[16] ||
1838+| ciphertext size | u32 | MUST be non-zero |
1839+| ciphertext | u8[ciphertext size] | Data to decrypt |
1840+
1841+
1842+*Table: `CM_AES_DECRYPT_INIT` output arguments*
1843+| **Name** | **Type** | **Description** |
1844+| -------------- | ------------------ | ------------------------- |
1845+| chksum | u32 ||
1846+| fips_status | u32 | FIPS approved or an error |
1847+| context | AES_CONTEXT ||
1848+| plaintext size | u32 ||
1849+| plaintext | u8[plaintext size] | Decrypted data |
1850+
1851+
1852+The encrypted and authenticated context's internal structure will be the same as for encryption.
1853+
1854+### CM_AES_DECRYPT_UPDATE
1855+
1856+This continues an AES computation started by `CM_AES_DECRYPT_INIT` or from another `CM_AES_DECRYPT_UPDATE`.
1857+
1858+There is no `CM_AES_DECRYPT_FINISH` since unauthenticated modes do not output a final tag.
1859+
1860+The context MUST be passed in from `CM_AES_DECRYPT_INIT` or `CM_AES_DECRYPT_UPDATE`.
1861+
1862+For CBC, the size must be a multiple of 16 bytes.
1863+CTR mode supports input of any size up to the maximum cryptographic mailbox size.
1864+
1865+Command Code: `0x434D_4155` ("CMAU")
1866+
1867+*Table: `CM_AES_DECRYPT_UPDATE` input arguments*
1868+| **Name** | **Type** | **Description** |
1869+| --------------- | ------------------- | ---------------- |
1870+| chksum | u32 ||
1871+| context | AES_CONTEXT ||
1872+| ciphertext size | u32 | MUST be non-zero |
1873+| ciphertext | u8[ciphertext size] | Data to decrypt |
1874+
1875+
1876+*Table: `CM_AES_DECRYPT_UPDATE` output arguments*
1877+| **Name** | **Type** | **Description** |
1878+| -------------- | ------------------ | ------------------------- |
1879+| chksum | u32 ||
1880+| fips_status | u32 | FIPS approved or an error |
1881+| context | AES_CONTEXT ||
1882+| plaintext size | u32 ||
1883+| plaintext | u8[plaintext size] | Decrypted data |
1884+
1885+
1886+### CM_AES_GCM_ENCRYPT_INIT
1887+
1888+Currently only supports AES-256-GCM with a random 96-bit IV.
1889+
1890+Additional authenticated data (AAD) can only be passed during the `INIT` command, so is limited to the maximum cryptographic mailbox data size (4096 bytes).
1891+
1892+The CMK must have been created for AES usage, except if the SPDM mode flag has been used, in which case the CMK must have been created for HMAC usage.
1893+
1894+Command Code: `0x434D_4749` ("CMGI")
1895+
1896+*Table: `CM_AES_GCM_ENCRYPT_INIT` input arguments*
1897+| **Name** | **Type** | **Description** |
1898+| -------------- | ------------------ | -------------------------------- |
1899+| chksum | u32 ||
1900+| reserved | u32 ||
1901+| CMK | CMK | CMK of the key to use to encrypt |
1902+| aad size | u32 ||
1903+| aad | u8[aad size] | Additional authenticated data |
1904+
1905+
1906+*Table: `CM_AES_GCM_ENCRYPT_INIT` output arguments*
1907+| **Name** | **Type** | **Description** |
1908+| -------------- | ------------------- | -------------------------------- |
1909+| chksum | u32 ||
1910+| fips_status | u32 | FIPS approved or an error |
1911+| context | AES_GCM_CONTEXT ||
1912+| iv | u8[12] ||
1913+
1914+
1915+The encrypted and authenticated context's internal structure will be:
1916+
1917+*Table: internal context for CM_AES_GCM_ENCRYPT_* operations*
1918+| **Name** | **Type** | **Description** |
1919+| -------------- | -------- | --------------------------- |
1920+| key | u8[32] ||
1921+| iv | u8[12] ||
1922+| aad length | u32 ||
1923+| GHASH state | u8[16] ||
1924+| current length | u32 | value mod 16 is buffer size |
1925+| buffer | u8[16] ||
1926+| fips_status | u8 | 1 = FIPS valid |
1927+| reserved | u8[15] ||
1928+
1929+
1930+The size of the (encrypted) context is always exactly 128 bytes,
1931+and we will use the type `AES_GCM_CONTEXT` to represent `u8[128]` below.
1932+
1933+
1934+### CM_AES_GCM_SPDM_ENCRYPT_INIT
1935+
1936+Derives the AES key and IV following the [SPDM 1.4](https://www.dmtf.org/dsp/dsp0274) and [Secured Messages using SPDM 1.1](https://www.dmtf.org/dsp/dsp0277) specifications.
1937+
1938+Currently only supports AES-256-GCM.
1939+
1940+Additional authenticated data (AAD) can only be passed during the `INIT` command, so is limited to the maximum cryptographic mailbox data size (4096 bytes).
1941+
1942+The CMK must have been created for **HMAC** usage.
1943+
1944+The CMK passed in should be the SPDM major secret CMK created for HMAC usage. The key and IV used for encryption shall follow the [SPDM 1.4](https://www.dmtf.org/dsp/dsp0274) section 12.7 derivation with `key_length` equal to 32 bytes and `iv_length` equal to 12 bytes.
1945+
1946+```
1947+EncryptionKey = HKDF-Expand(major-secret, bin_str5, key_length);
1948+IV = HKDF-Expand(major-secret, bin_str6, iv_length);
1949+bin_str5 = BinConcat(key_length, Version, "key", null);
1950+bin_str6 = BinConcat(iv_length, Version, "iv", null);
1951+```
1952+
1953+The provided 64-bit message counter will be XOR'd with the IV to produce the message IV. The Secure SPDM standard requires the counter endianness flag to be little, but big endian is also supported to aid in compatibility with some implementations.
1954+
1955+Note that it is **critical** that the same CMK and counter never be used more than once when encrypting or decrypting in SPDM mode as doing so could compromise the plaintext of the messages.
1956+
1957+For the update and final operations, there are not any SPDM-specific commands; `CM_AES_GCM_ENCRYPT_UPDATE` and `CM_AES_GCM_ENCRYPT_FINAL` should be used.
1958+
1959+Command Code: `0x434D_5345` ("CMSE")
1960+
1961+*Table: `CM_AES_GCM_SPDM_ENCRYPT_INIT` input arguments*
1962+| **Name** | **Type** | **Description** |
1963+| ------------------ | ------------------ | --------------------------------- |
1964+| chksum | u32 ||
1965+| spdm version | u8 | The value should be equal to the |
1966+||| byte representation of the SPDM |
1967+||| version, e.g., 0x13 = SPDM 1.3 |
1968+| counter endianness | u8 | XOR the counter with the IV using |
1969+||| the given endianness. |
1970+||| 0 = Little endian (standard) |
1971+||| 1 = Big endian |
1972+| reserved | u8[2] | Reserved |
1973+| counter | u8[8] | 8-byte counter in little-endian |
1974+||| format that is XOR'd into the IV |
1975+| CMK | CMK | CMK of the key to use to encrypt |
1976+| aad size | u32 ||
1977+| aad | u8[aad size] | Additional authenticated data |
1978+
1979+
1980+*Table: `CM_AES_GCM_SPDM_ENCRYPT_INIT` output arguments*
1981+| **Name** | **Type** | **Description** |
1982+| -------------- | ------------------- | -------------------------------- |
1983+| chksum | u32 ||
1984+| fips_status | u32 | FIPS approved or an error |
1985+| context | AES_GCM_CONTEXT ||
1986+
1987+
1988+Unlike in the standard AES GCM encrypt init command, the IV is *not* returned.
1989+
1990+The encrypted and authenticated context's internal structure will be the same as for described in [CM_AES_GCM_ENCRYPT_INIT](#CM_AES_GCM_ENCRYPT_INIT).
1991+
1992+### CM_AES_GCM_ENCRYPT_UPDATE
1993+
1994+This continues an AES computation started by `CM_AES_GCM_ENCRYPT_INIT` or from another `CM_AES_GCM_ENCRYPT_UPDATE`.
1995+
1996+The context MUST be passed in from `CM_AES_GCM_ENCRYPT_INIT` or `CM_AES_GCM_ENCRYPT_UPDATE`.
1997+
1998+Command Code: `0x434D_4755` ("CMGU")
1999+
2000+*Table: `CM_AES_GCM_ENCRYPT_UPDATE` input arguments*
2001+| **Name** | **Type** | **Description** |
2002+| -------------- | ------------------ | ---------------- |
2003+| chksum | u32 ||
2004+| context | AES_GCM_CONTEXT ||
2005+| plaintext size | u32 | MUST be non-zero |
2006+| plaintext | u8[plaintext size] | Data to encrypt |
2007+
2008+
2009+*Table: `CM_AES_GCM_ENCRYPT_UPDATE` output arguments*
2010+| **Name** | **Type** | **Description** |
2011+| -------------- | ------------------- | ------------------------------- |
2012+| chksum | u32 ||
2013+| fips_status | u32 | FIPS approved or an error |
2014+| context | AES_GCM_CONTEXT ||
2015+| cipertext size | u32 | could be greater than plaintext by 16 bytes |
2016+| ciphertext | u8[ciphertext size] ||
2017+
2018+
2019+### CM_AES_GCM_ENCRYPT_FINAL
2020+
2021+This finalizes the computation of the AES GCM encryption and produces the final ciphertext and tag.
2022+
2023+The context MUST be passed in from `CM_AES_GCM_ENCRYPT_INIT` or `CM_AES_GCM_ENCRYPT_UPDATE`.
2024+
2025+Command Code: `0x434D_4746` ("CMGF")
2026+
2027+*Table: `CM_AES_GCM_ENCRYPT_FINAL` input arguments*
2028+| **Name** | **Type** | **Description** |
2029+| -------------- | ------------------ | --------------- |
2030+| chksum | u32 ||
2031+| context | AES_GCM_CONTEXT ||
2032+| plaintext size | u32 | MAY be 0 |
2033+| plaintext | u8[plaintext size] | Data to encrypt |
2034+
2035+
2036+*Table: `CM_AES_GCM_ENCRYPT_FINAL` output arguments*
2037+| **Name** | **Type** | **Description** |
2038+| -------------- | ------------------- | -------------------------------- |
2039+| chksum | u32 ||
2040+| fips_status | u32 | FIPS approved or an error |
2041+| tag | u8[16] ||
2042+| cipertext size | u32 | could be greater than plaintext by 16 bytes |
2043+| ciphertext | u8[ciphertext size] ||
2044+
2045+
2046+The tag returned will always be 16 bytes. Shorter tags can be constructed by truncating.
2047+
2048+### CM_AES_GCM_DECRYPT_INIT
2049+
2050+Starts an AES-256-GCM decryption computation.
2051+
2052+Currently only supports AES-256-GCM with a 96-bit IV.
2053+
2054+Additional authenticated data (AAD) can only be passed during the `INIT` command, so is limited to the maximum cryptographic mailbox data size (4096 bytes).
2055+
2056+The AAD and IV must match what was passed and returned from the encryption operation.
2057+
2058+The CMK must have been created for **AES** usage.
2059+
2060+Command Code: `0x434D_4449` ("CMDI")
2061+
2062+*Table: `CM_AES_GCM_DECRYPT_INIT` input arguments*
2063+| **Name** | **Type** | **Description** |
2064+| --------------- | ------------ | -------------------------------- |
2065+| chksum | u32 ||
2066+| reserved | u32 | Reserved |
2067+| CMK | CMK | CMK to use for decryption |
2068+| iv | u8[12] ||
2069+| aad size | u32 ||
2070+| aad | u8[aad size] | Additional authenticated data |
2071+
2072+
2073+*Table: `CM_AES_GCM_DECRYPT_INIT` output arguments*
2074+| **Name** | **Type** | **Description** |
2075+| -------------- | ------------------ | ------------------------- |
2076+| chksum | u32 ||
2077+| fips_status | u32 | FIPS approved or an error |
2078+| context | AES_GCM_CONTEXT ||
2079+
2080+
2081+The encrypted and authenticated context's internal structure will be the same as for encryption.
2082+
2083+### CM_AES_SPDM_GCM_DECRYPT_INIT
2084+
2085+Starts an AES-256-GCM decryption computation in SPDM mode.
2086+
2087+Currently only supports AES-256-GCM with a 96-bit IV.
2088+
2089+Additional authenticated data (AAD) can only be passed during the `INIT` command, so is limited to the maximum cryptographic mailbox data size (4096 bytes).
2090+
2091+The AAD must match what was passed and returned from the encryption operation.
2092+
2093+The CMK must have been created for **HMAC** usage.
2094+
2095+The CMK passed in should be the SPDM major secret CMK created for HMAC usage. The key and IV used for encryption shall follow the [SPDM 1.4](https://www.dmtf.org/dsp/dsp0274) section 12.7 derivation with `key_length` 256 and `iv_length` 96.
2096+
2097+```
2098+EncryptionKey = HKDF-Expand(major-secret, bin_str5, key_length);
2099+IV = HKDF-Expand(major-secret, bin_str6, iv_length);
2100+bin_str5 = BinConcat(key_length, Version, "key", null);
2101+bin_str6 = BinConcat(iv_length, Version, "iv", null);
2102+```
2103+
2104+The provided 64-bit message counter will be XOR'd with the IV to produce the message IV. The Secure SPDM standard requires the counter endianness flag to be little, but big endian is also supported to aid in compatibility with some implementations.
2105+
2106+Note that it is **critical** that the same CMK and counter never be used more than once when encrypting or decrypting in SPDM mode as doing so could compromise the plaintext of the messages.
2107+
2108+Command Code: `0x434D_5344` ("CMSD")
2109+
2110+*Table: `CM_AES_GCM_SPDM_DECRYPT_INIT` input arguments*
2111+| **Name** | **Type** | **Description** |
2112+| ------------------ | ------------------ | --------------------------------- |
2113+| chksum | u32 ||
2114+| spdm version | u8 | The value should be equal to the |
2115+||| byte representation of the SPDM |
2116+||| version, e.g., 0x13 = SPDM 1.3 |
2117+| counter endianness | u8 | XOR the counter with the IV using |
2118+||| the given endianness. |
2119+||| 0 = Little endian (standard) |
2120+||| 1 = Big endian |
2121+| reserved | u8[2] | Reserved |
2122+| counter | u8[8] | 8-byte counter in little-endian |
2123+||| format that is XOR'd into the IV |
2124+| CMK | CMK | CMK to use for decryption |
2125+| aad size | u32 ||
2126+| aad | u8[aad size] | Additional authenticated data |
2127+
2128+
2129+*Table: `CM_AES_GCM_SPDM_DECRYPT_INIT` output arguments*
2130+| **Name** | **Type** | **Description** |
2131+| -------------- | ------------------ | ------------------------- |
2132+| chksum | u32 ||
2133+| fips_status | u32 | FIPS approved or an error |
2134+| context | AES_GCM_CONTEXT ||
2135+
2136+
2137+The encrypted and authenticated context's internal structure will be the same as for encryption.
2138+
2139+### CM_AES_GCM_DECRYPT_UPDATE
2140+
2141+This continues an AES computation started by `CM_AES_GCM_DECRYPT_INIT` or from another `CM_AES_GCM_DECRYPT_UPDATE`.
2142+
2143+The context MUST be passed in from `CM_AES_GCM_DECRYPT_INIT` or `CM_AES_GCM_DECRYPT_UPDATE`.
2144+
2145+Command Code: `0x434D_4455` ("CMDU")
2146+
2147+*Table: `CM_AES_GCM_DECRYPT_UPDATE` input arguments*
2148+| **Name** | **Type** | **Description** |
2149+| --------------- | ------------------- | ---------------- |
2150+| chksum | u32 ||
2151+| context | AES_GCM_CONTEXT ||
2152+| ciphertext size | u32 | MUST be non-zero |
2153+| ciphertext | u8[ciphertext size] | Data to decrypt |
2154+
2155+
2156+*Table: `CM_AES_GCM_DECRYPT_UPDATE` output arguments*
2157+| **Name** | **Type** | **Description** |
2158+| -------------- | ------------------ | ------------------------- |
2159+| chksum | u32 ||
2160+| fips_status | u32 | FIPS approved or an error |
2161+| context | AES_GCM_CONTEXT ||
2162+| plaintext size | u32 | MAY be 0 |
2163+| plaintext | u8[plaintext size] ||
2164+
2165+
2166+### CM_AES_GCM_DECRYPT_FINAL
2167+
2168+This finalizes the computation of the AES GCM decryption and produces the final ciphertext.
2169+
2170+The context MUST be passed in from `CM_AES_GCM_DECRYPT_INIT` or `CM_AES_GCM_DECRYPT_UPDATE`.
2171+
2172+Tags between 0 and 16 bytes are supported but must be passed (on the right) with zeroes to 16 bytes.
2173+
2174+The caller MUST verify that the tag verified field is set to 1 before using the result.
2175+
2176+Command Code: `0x434D_4446` ("CMDF")
2177+
2178+*Table: `CM_AES_GCM_DECRYPT_FINAL` input arguments*
2179+| **Name** | **Type** | **Description** |
2180+| --------------- | ------------------- | --------------------------------- |
2181+| chksum | u32 ||
2182+| context | AES_GCM_CONTEXT ||
2183+| tag size | u32 | Can be 8, 9, ..., 16 |
2184+| tag | u8[16] | Right-padded with zeroes |
2185+| ciphertext size | u32 | MAY be 0 |
2186+| ciphertext | u8[ciphertext size] | Data to decrypt |
2187+
2188+
2189+*Table: `CM_AES_GCM_DECRYPT_FINAL` output arguments*
2190+| **Name** | **Type** | **Description** |
2191+| -------------- | ------------------ | ------------------------------------ |
2192+| chksum | u32 ||
2193+| fips_status | u32 | FIPS approved or an error |
2194+| tag verified | u32 | 1 if tags matched, 0 if they did not |
2195+| plaintext size | u32 | MAY be 0 |
2196+| plaintext | u8[plaintext size] ||
2197+
2198+
2199+### CM_ECDH_GENERATE
2200+
2201+This computes the first half of an Elliptic Curve Diffie-Hellman exchange to compute an ephemeral shared key pair with another party.
2202+
2203+Currently only supports the NIST P-384 curve.
2204+
2205+The returned context must be passed to the `CM_ECDH_FINISH` command. The context contains the (encrypted) secret coefficient.
2206+
2207+The returned exchange data format is the concatenation of the x- and y-coordinates of the public point encoded as big-endian integers, padded to 48 bytes each.
2208+
2209+Command Code: `0x434D_4547` ("CMEG")
2210+
2211+*Table: `CM_ECDH_GENERATE` input arguments*
2212+| **Name** | **Type** | **Description** |
2213+| ----------- | -------- | -------------------- |
2214+| chksum | u32 ||
2215+
2216+
2217+*Table: `CM_ECDH_GENERATE` output arguments*
2218+| **Name** | **Type** | **Description** |
2219+| ------------- | -------- | ------------------------------------- |
2220+| chksum | u32 ||
2221+| fips_status | u32 | FIPS approved or an error |
2222+| context | u8[76] | Used as the input to `CM_ECDH_FINISH` |
2223+| exchange data | u8[96] | i.e., the public point |
2224+
2225+
2226+*Table: `CM_ECDH_GENERATE` / `CM_ECDH_FINISH` internal context*
2227+| **Name** | **Type** | **Description** |
2228+| ------------------ | -------- | --------------- |
2229+| Secret coefficient | u8[48] ||
2230+
2231+
2232+The encrypted context size (76 bytes) is the size of the internal context (48 bytes) plus as 12-byte IV and a 16-byte authentication tag.
2233+
2234+### CM_ECDH_FINISH
2235+
2236+This computes the second half of an Elliptic Curve Diffie-Hellman exchange.
2237+
2238+Currently only supports the NIST P-384 curve.
2239+
2240+The context must be passed from the `CM_ECDH_GENERATE` command.
2241+
2242+The incoming exchange data MUST be the concatenation of the x- and y- coordinates of the other side's public point, encoded as big-endian integers, padded to 48 bytes each.
2243+
2244+The produced shared secret is 384 bits.
2245+
2246+Command Code: `0x434D_4546` ("CMEF")
2247+
2248+*Table: `CM_ECDH_FINISH` input arguments*
2249+| **Name** | **Type** | **Description** |
2250+| ---------------------- | -------- | -------------------------------------------------------- |
2251+| chksum |||
2252+| context | u8[76] | This MUST come from the output of the `CM_ECDH_GENERATE` |
2253+| key usage | u32 | usage tag of the kind of key that will be output |
2254+| incoming exchange data | u8[96] | the other side's public point |
2255+
2256+
2257+The context used as an input is the same as the output context from `CM_ECDH_GENERATE` above.
2258+
2259+*Table: `CM_ECDH_FINISH` output arguments*
2260+| **Name** | **Type** | **Description** |
2261+| ----------- | -------- | ------------------------------- |
2262+| chksum | u32 ||
2263+| fips_status | u32 | FIPS approved or an error |
2264+| output CMK | CMK | Output CMK of the shared secret |
2265+
2266+
2267+
2268+### CM_RANDOM_STIR
2269+
2270+This allows additional entropy to be added to the underlying deterministic random bit generator, if the hardware is using a CSRNG DRBG.
2271+
2272+Command Code: `0x434D_5253` ("CMRS")
2273+
2274+*Table: `CM_RANDOM_STIR` input arguments*
2275+
2276+| **Name** | **Type** | **Description** |
2277+| ---------- | -------------- | --------------- |
2278+| chksum | u32 ||
2279+| input size | u32 ||
2280+| input | u8[input size] ||
2281+
2282+
2283+*Table: `CM_RANDOM_STIR` output arguments*
2284+| **Name** | **Type** | **Description** |
2285+| ----------- | -------- | ------------------------- |
2286+| chksum | u32 ||
2287+| fips_status | u32 | FIPS approved or an error |
2288+
2289+
2290+### CM_RANDOM_GENERATE
2291+
2292+This generates random bytes that are returned from the internal RNG.
2293+
2294+Command Code: `0x434D_5247` ("CMRG")
2295+
2296+*Table: `CM_RANDOM_GENERATE` input arguments*
2297+
2298+| **Name** | **Type** | **Description** |
2299+| ------------------- | -------- | --------------- |
2300+| chksum | u32 ||
2301+| data size to return | u32 ||
2302+
2303+
2304+
2305+*Table: `CM_RANDOM_GENERATE` output arguments*
2306+| **Name** | **Type** | **Description** |
2307+| ----------- | --------------- | ------------------------- |
2308+| chksum | u32 ||
2309+| fips_status | u32 | FIPS approved or an error |
2310+| output size | u32 | size of output |
2311+| output | u8[output size] ||
2312+
2313+
2314+### CM\_DERIVE\_STABLE\_KEY
2315+
2316+Derives an HMAC key that has a stable value across resets from either
2317+IDevId or LDevId.
2318+
2319+The (interior) value of the returned CMK will be the stable across resets as it is derived indirectly from the IDevId or LDevId CDIs.
2320+The actual encrypted bytes of the CMK will *not* be the same, and
2321+the encrypted CMK itself cannot be used across resets. So, the key
2322+will always need to be re-derived after every *cold* reset.
2323+
2324+If a key usage other than HMAC is desired, then the KDF or HKDF
2325+mailbox functions can be used to derive a key from the returned CMK.
2326+
2327+Note that in Caliptra 2.0 in subsystem mode, derived stable keys, their derivatives, and commands using them will be marked with a FIPS status of invalid since the UDS and FE cannot be completely zeroized.
2328+
2329+Command Code: `0x434D_4453` ("CMDS")
2330+
2331+*Table: `CM_DERIVE_STABLE_KEY` input arguments*
9172332
9182333 | **Name** | **Type** | **Description**
9192334 | -------- | -------- | ---------------
9202335 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
921-
922-
923-*Table: `GET_IDEVID_CSR` output arguments*
2336+| key_type | u32 | Source key to derive the stable key from. **0x0000_0001:** IDevId <br> **0x0000_0002:** LDevId |
2337+| info | u8[32] | Data to use in the key derivation. |
2338+
2339+
2340+*Table: `CM_DERIVE_STABLE_KEY` output arguments*
2341+| **Name** | **Type** | **Description**
2342+| -------- | -------- | ---------------
2343+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
2344+| cmk | CMK | CMK that stores the stable key material |
2345+
2346+
2347+### CM_IMPORT
2348+
2349+Imports the specified key and returns a CMK for it.
2350+
2351+Usage information is required so that the key can be verified and used appropriately.
2352+
2353+Note that it is the caller's responsibility to ensure that the source
2354+key material meets FIPS requirements, such as zeroization.
2355+
2356+Command Code: `0x434D_494D` ("CMIM")
2357+
2358+*Table: `CM_IMPORT` input arguments*
2359+
2360+| **Name** | **Type** | **Description** |
2361+| ---------- | -------------- | --------------------------------------- |
2362+| chksum | u32 ||
2363+| key usage | u32 | Tag to specify how the data can be used |
2364+| input size | u32 | This MUST agree with the key usage |
2365+| input | u8[input size] ||
2366+
2367+
2368+*Table: `CM_IMPORT` output arguments*
2369+| **Name** | **Type** | **Description** |
2370+| ----------- | -------- | --------------------------- |
2371+| chksum | u32 ||
2372+| fips_status | u32 | FIPS approved or an error |
2373+| CMK | CMK | CMK containing imported key |
2374+
2375+
2376+### CM_DELETE
2377+
2378+Deletes the object stored with the given mailbox ID.
2379+
2380+Command Code: `0x434D_444C` ("CMDL")
2381+
2382+*Table: `CM_DELETE` input arguments*
2383+
2384+| **Name** | **Type** | **Description** |
2385+| -------- | -------- | --------------- |
2386+| chksum | u32 ||
2387+| CMK | CMK | CMK to delete |
2388+
2389+
2390+*Table: `CM_DELETE` output arguments*
2391+| **Name** | **Type** | **Description** |
2392+| ----------- | -------- | ------------------------- |
2393+| chksum | u32 ||
2394+| fips_status | u32 | FIPS approved or an error |
2395+
2396+
2397+### CM_CLEAR
2398+
2399+The entire contents of the CMK storage is wiped. All known keys will be invalidated.
2400+
2401+Command Code: `0x434D_434C` ("CMCL")
2402+
2403+`CM_CLEAR` takes no input arguments.
2404+
2405+*Table: `CM_CLEAR` output arguments*
2406+| **Name** | **Type** | **Description** |
2407+| ----------- | -------- | ------------------------- |
2408+| chksum | u32 ||
2409+| fips_status | u32 | FIPS approved or an error |
2410+
2411+
2412+### CM_STATUS
2413+
2414+Queries the status cryptographic mailbox system.
2415+
2416+The usage storage records the number of entries used and total for for usage tracking.
2417+Usage tracking is only currently implemented for AES, so this is is effectively the number of AES keys used and total potential available AES keys.
2418+
2419+Command Code: `0x434D_5354` ("CMST")
2420+
2421+`CM_STATUS` takes no input arguments.
2422+
2423+*Table: `CM_STATUS` output arguments*
2424+| **Name** | **Type** | **Description** |
2425+| ------------------- | -------- | ------------------------------------ |
2426+| chksum | u32 ||
2427+| fips_status | u32 | FIPS approved or an error |
2428+| used usage storage | u32 | CMK usage storage (in entries) |
2429+| total usage storage | u32 | Total CMK usage storage (in entries) |
2430+
2431+
2432+
2433+### GET\_IDEV\_ECC384\_CSR
2434+
2435+Command Code: `0x4944_4352` ("IDCR")
2436+
2437+*Table: `GET_IDEV_ECC384_CSR` input arguments*
2438+
2439+| **Name** | **Type** | **Description**
2440+| -------- | -------- | ---------------
2441+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
2442+
2443+
2444+*Table: `GET_IDEV_ECC384_CSR` output arguments*
9242445 | **Name** | **Type** | **Description**
9252446 | -------- | -------- | ---------------
9262447 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
9272448 | data\_size | u32 | Length in bytes of the valid data in the data field. |
928-| data | u8[...] | DER-encoded IDevID certificate signing request. |
929-
930-
931-The `mfg_flag_gen_idev_id_csr` manufacturing flag **MUST** have been set to generate a CSR.
932-
933-When called from ROM, if the CSR was not previously provisioned this command will return `FW_PROC_MAILBOX_UNPROVISIONED_CSR(0x0102000A)`.
934-
935-When called from runtime, if the CSR was not previously provisioned this command will return `RUNTIME_GET_IDEV_ID_UNPROVISIONED(0x000E0051)`. If the ROM did not support CSR generation, this command will return `RUNTIME_GET_IDEV_ID_UNSUPPORTED_ROM(0x000E0052)`.
936-
937-
938-
939-When the `mfg_flag_gen_idev_id_csr` flag has been set, the SoC **MUST** wait for the `flow_status_set_idevid_csr_ready` bit to be set by Caliptra. Once set, the SoC **MUST** clear the `mfg_flag_gen_idev_id_csr` flag for Caliptra to progress.
940-
941-### GET\_FMC\_ALIAS\_CSR
942-
943-Command Code: `0x464D_4352` ("FMCR")
944-
945-*Table: `GET_FMC_ALIAS_CSR` input arguments*
2449+| data | u8[...] | DER-encoded ECC384 IDevID certificate signing request. |
2450+
2451+
2452+### GET\_IDEV\_MLDSA87\_CSR
2453+
2454+Command Code: `0x4944_4d52` ("IDMR")
2455+
2456+*Table: `GET_IDEV_MLDSA87_CSR` input arguments*
9462457
9472458 | **Name** | **Type** | **Description**
9482459 | -------- | -------- | ---------------
9492460 | chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
9502461
9512462
952-*Table: `GET_FMC_ALIAS_CSR` output arguments*
2463+*Table: `GET_IDEV_MLDSA87_CSR` output arguments*
9532464 | **Name** | **Type** | **Description**
9542465 | -------- | -------- | ---------------
9552466 | chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
9562467 | data\_size | u32 | Length in bytes of the valid data in the data field. |
957-| data | u8[...] | DER-encoded FMC ALIAS certificate signing request. |
958-
959-
960-The FMC Alias CSR is generated unconditionally on every cold boot.
2468+| data | u8[...] | DER-encoded MLDSA87 IDevID certificate signing request. |
2469+
2470+
2471+The `mfg_flag_gen_idev_id_csr` manufacturing flag **MUST** have been set to generate a CSR.
2472+
2473+When called from ROM, if the CSR was not previously provisioned this command will return `FW_PROC_MAILBOX_UNPROVISIONED_CSR(0x0102000A)`.
2474+
2475+When called from runtime, if the CSR was not previously provisioned this command will return `RUNTIME_GET_IDEV_ID_UNPROVISIONED(0x000E0051)`. If the ROM did not support CSR generation, this command will return `RUNTIME_GET_IDEV_ID_UNSUPPORTED_ROM(0x000E0052)`.
2476+
2477+When the `mfg_flag_gen_idev_id_csr` flag has been set, the SoC **MUST** wait for the `flow_status_set_idevid_csr_ready` bit to be set by Caliptra. Once set, the SoC **MUST** clear the `mfg_flag_gen_idev_id_csr` flag for Caliptra to progress.
2478+
2479+### GET\_FMC\_ALIAS\_ECC384\_CSR
2480+
2481+Command Code: `0x464D_4352` ("FMCR")
2482+
2483+*Table: `GET_FMC_ALIAS_ECC384_CSR` input arguments*
2484+
2485+| **Name** | **Type** | **Description**
2486+| -------- | -------- | ---------------
2487+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
2488+
2489+
2490+*Table: `GET_FMC_ALIAS_ECC384_CSR` output arguments*
2491+| **Name** | **Type** | **Description**
2492+| -------- | -------- | ---------------
2493+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
2494+| data\_size | u32 | Length in bytes of the valid data in the data field. |
2495+| data | u8[...] | DER-encoded ECC384 FMC Alias certificate signing request. |
2496+
2497+
2498+### GET\_FMC\_ALIAS\_MLDSA87\_CSR
2499+
2500+Command Code: `0x464d_4452` ("FMDR")
2501+
2502+*Table: `GET_FMC_ALIAS_MLDSA87_CSR` input arguments*
2503+
2504+| **Name** | **Type** | **Description**
2505+| -------- | -------- | ---------------
2506+| chksum | u32 | Checksum over other input arguments, computed by the caller. Little endian. |
2507+
2508+
2509+*Table: `GET_FMC_ALIAS_MLDSA87_CSR` output arguments*
2510+| **Name** | **Type** | **Description**
2511+| -------- | -------- | ---------------
2512+| chksum | u32 | Checksum over other output arguments, computed by Caliptra. Little endian. |
2513+| data\_size | u32 | Length in bytes of the valid data in the data field. |
2514+| data | u8[...] | DER-encoded MLDSA87 FMC Alias certificate signing request. |
2515+
9612516
9622517 ### SIGN\_WITH\_EXPORTED\_ECDSA
9632518
9642519 Command Code: `0x5357_4545` ("SWEE")
9652520
966-**Note**: This command is only available in the locality of the PL0 PAUSER.
2521+**Note**: This command is only available in the locality of the PL0 PAUSER.
9672522
9682523 *Table: `SIGN_WITH_EXPORTED_ECDSA` input arguments*
9692524
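Review bot: in `CM_AES_GCM_DECRYPT_FINAL` the prose says tags between 0 and 16 bytes are supported while the `tag size` row says "Can be 8, 9, ..., 16"; pick one range, and "must be passed (on the right) with zeroes" is missing the word "padded". The same section opens with "produces the final ciphertext", but this is decryption, so it should read "final plaintext". Because `CM_AES_GCM_DECRYPT_UPDATE` already returns plaintext before any tag is checked, the "caller MUST verify that the tag verified field is set to 1" sentence should say explicitly that plaintext returned by every earlier UPDATE call, as well as the FINAL output, is unauthenticated and must be discarded when `tag verified` is 0. Further points in this hunk: `CM_AES_GCM_DECRYPT_UPDATE` and `_FINAL` say the context MUST come from `CM_AES_GCM_DECRYPT_INIT`, yet `CM_AES_GCM_SPDM_DECRYPT_INIT` produces a context with "the same" structure and is not listed; in the SPDM INIT table the `counter` row fixes "little-endian format" while the `counter endianness` field makes the byte order selectable; `CM_DERIVE_STABLE_KEY` has no `fips_status` output row even though the text above it says derived stable keys "will be marked with a FIPS status of invalid", its input/output tables lack the closing `|` used by the neighbouring tables, and "cannot be used across resets" versus "re-derived after every *cold* reset" leaves warm-reset behaviour ambiguous; the `CM_ECDH_FINISH` input row `| chksum |||` is missing the `u32` type; `CM_DELETE` says it deletes "the object stored with the given mailbox ID" but its only input is a CMK; the unprovisioned-CSR and `mfg_flag_gen_idev_id_csr` paragraphs now sit only under `GET_IDEV_MLDSA87_CSR` and should state that they apply to the ECC384 command too; and the removed sentence "The FMC Alias CSR is generated unconditionally on every cold boot." was not carried into either new `GET_FMC_ALIAS_*_CSR` section, so that behaviour is now undocumented. Typos: "plus as 12-byte IV" (a 12-byte IV), "will be the stable across resets", "Queries the status cryptographic mailbox system" (missing "of the"), "total for for", "this is is", and the codes `0x4944_4d52` / `0x464d_4452` use lower-case hex unlike every other command code.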
@@ -989,7 +2544,7 @@
9892544
9902545 Command Code: `5256_4348` ("RVCH")
9912546
992-**Note**: This command is only available in the locality of the PL0 PAUSER.
2547+**Note**: This command is only available in the locality of the PL0 PAUSER.
9932548
9942549 *Table: `REVOKE_EXPORTED_CDI_HANDLE` input arguments*
9952550
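Review bot: the context line `Command Code: `5256_4348` ("RVCH")` lacks the `0x` prefix that every other command code in the document uses; since this hunk only re-trims whitespace on the note line, the code should be corrected to `0x5256_4348` at the same time.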
@@ -1001,14 +2556,14 @@
10012556
10022557 The `exported_cdi` can be created by calling `DeriveContext` with the `export-cdi` and `create-certificate` flags.
10032558
1004-The `exported_cdi_handle` is no longer usable after calling `REVOKE_EXPORTED_CDI_HANDLE` with it. After the `exported_cdi_handle`
2559+The `exported_cdi_handle` is no longer usable after calling `REVOKE_EXPORTED_CDI_HANDLE` with it. After the `exported_cdi_handle`
10052560 has been revoked, a new exported CDI can be created by calling `DeriveContext` with the `export-cdi` and `create-certificate` flags.
10062561
10072562 ### REALLOCATE\_DPE\_CONTEXT\_LIMITS
10082563
10092564 Command Code: '5243_5458` ("RCTX")
10102565
1011-**Note**: This command is only available in the locality of the PL0 PAUSER.
2566+**Note**: This command is only available in the locality of the PL0 PAUSER.
10122567
10132568 *Table: `REALLOCATE_DPE_CONTEXT_LIMITS` input arguments*
10142569
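Review bot: `Command Code: '5243_5458` ("RCTX")` opens with a single quote and closes with a backtick and is also missing the `0x` prefix; it should read `` `0x5243_5458` `` so it renders and matches the other command codes.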
@@ -1033,7 +2588,7 @@
10332588
10342589 ## Checksum
10352590
1036-For every command except for FW_LOAD, the request and response feature a checksum. This
2591+For every command except for FIRMWARE_LOAD, the request and response feature a checksum. This
10372592 mitigates glitches between clients and Caliptra.
10382593
10392594 The checksum is a little-endian 32-bit value, defined as:
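Review bot: "mitigates glitches between clients and Caliptra" overstates what the checksum does: a 32-bit additive checksum detects accidental corruption of request and response words, but it gives no integrity protection against an adversary on the mailbox path, and the sentence should say "detects" rather than "mitigates" so readers do not treat it as an authentication mechanism. The rename to `FIRMWARE_LOAD` here should be cross-checked against the command code table, which must use the same name.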
@@ -1058,10 +2613,11 @@
10582613
10592614 *Table: FIPS status codes*
10602615
1061-| **Name** | **Value** | Description
1062-| ------- | ----- | -----------
1063-| `FIPS_APPROVED` | `0x0000_0000` | Status of command is FIPS approved
1064-| `RESERVED` | `0x0000_0001 - 0xFFFF_FFFF` | Other values reserved, will not be sent by Caliptra
2616+| **Name** | **Value** | Description |
2617+| --------------- | --------------------------- | --------------------------------------------------- |
2618+| `FIPS_APPROVED` | `0x0000_0000` | Status of command is FIPS approved |
2619+| `RESERVED` | `0x0000_0001 - 0xFFFF_FFFF` | Other values reserved, will not be sent by Caliptra |
2620+
10652621
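Review bot: the `RESERVED` row still says other values "will not be sent by Caliptra", which contradicts the 2.0 cryptographic mailbox commands whose `fips_status` is described as "FIPS approved or an error" and the `CM_DERIVE_STABLE_KEY` text stating that subsystem-mode stable keys are marked with a FIPS status of invalid; either define the error value(s) in this table or reword the reserved row to say which non-zero values can be returned.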
10662622 ## Runtime Firmware updates
10672623
@@ -1070,7 +2626,7 @@
10702626
10712627 ### Applying updates
10722628
1073-A Runtime Firmware update is triggered by the `CALIPTRA_FW_LOAD` command. Upon
2629+A Runtime Firmware update is triggered by the `FIRMWARE_LOAD` command. Upon
10742630 receiving this command, Runtime Firmware does the following:
10752631
10762632 1. Locks the mailbox to writes
@@ -1096,10 +2652,10 @@
10962652
10972653 1. Validate DPE state in SRAM
10982654 1. Ensure the TCI tree is well-formed
1099- 1. Ensure all nodes chain to the root (TYPE = RTMR, “Internal TCI” flag is set)
2655+ 1. Ensure all nodes chain to the root (TYPE = RTJM, “Internal TCI” flag is set)
11002656 1. Verify that the “Latest TCI” field of the TCI Node that contains the
1101- Runtime PCRs (TYPE = RTMR, “Internal TCI” flag is set) matches the
1102- “Latest” and Journey Runtime PCR values.
2657+ Runtime Journey PCR (TYPE = RTJM, “Internal TCI” flag is set) matches the
2658+ “Latest” Runtime PCR value from PCRX
11032659 1. Ensure `SHA384_HASH(0x00..00, TCI from SRAM) == RT_FW_JOURNEY_PCR`
11042660 1. Check that retired and inactive contexts do not have tags
11052661 1. If any validations fail, Runtime Firmware executes the
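Review bot: the validation step now reads "Verify that the “Latest TCI” field ... matches the “Latest” Runtime PCR value from PCRX", but the TCI node layout names its fields `TCI_CURRENT` and `TCI_CUMULATIVE`, not "Latest"; use the field name so an implementer knows which 48 bytes are compared, and terminate the sentence (no period after "PCRX"). The `TYPE = RTJM` rename here must match the `TYPE = “RTJM”` used in the initialization steps.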
@@ -1119,14 +2675,14 @@
11192675 is denoted in the signed Caliptra firmware image. The PL0 PAUSER may call any
11202676 supported DPE commands. Only PL0 can use the CertifyKey command. Success of the
11212677 CertifyKey command signifies to the caller that it is at PL0. Only PL0 can use
1122- the POPULATE\_IDEV\_CERT mailbox command.
2678+ the POPULATE\_IDEV\_ECC384\_CERT and POPULATE\_IDEV\_MLDSA87\_CERT mailbox commands.
11232679 * PL1 - Restricted privilege. All other PAUSERs in the SoC are PL1. Caliptra
11242680 SHALL fail any calls to the DPE CertifyKey with format=X509 by PL1 callers.
11252681 PL1 callers should use the CSR format instead.
11262682
11272683 PAUSER and Locality map 1:1. Consequently, only the single DPE Client associated
1128-with PL0 level, is authorized to invoke CertifyKey DPE command with format=x509.
1129-All other DPE Clients have instead restricted privileges associated to PL1 (as
2684+with PL0 level, is authorized to invoke CertifyKey DPE command with format=x509.
2685+All other DPE Clients have instead restricted privileges associated to PL1 (as
11302686 described above).
11312687
11322688 #### PAUSER privilege level active context limits
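Review bot: `format=X509` in the PL1 rule and `format=x509` two paragraphs later should use one casing, since both refer to the same CertifyKey parameter; this hunk touches the lower-case line only for trailing whitespace, so unify it here.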
@@ -1159,15 +2715,16 @@
11592715 The DPE iRoT profile leaves some choices up to implementers. This section
11602716 describes specific requirements for the Caliptra DPE implementation.
11612717
1162-| Name | Value | Description
1163-| ---- | ----- | -----------
1164-| Profile Variant | `DPE_PROFILE_IROT_P384_SHA384` | The profile variant that Caliptra implements.
1165-| KDF | SP800-108 HMAC-CTR | KDF to use for CDI (tcg.derive.kdf-sha384) and asymmetric key (tcg.derive.kdf-sha384-p384) derivation.
1166-| Simulation Context Support | Yes | Whether Caliptra implements the optional Simulation Contexts feature.
1167-| Supports ExtendTci | Yes | Whether Caliptra implements the optional ExtendTci command.
1168-| Supports Auto Init | Yes | Whether Caliptra will automatically initialize the default DPE context.
1169-| Supports Rotate Context | Yes | Whether Caliptra supports the optional RotateContextHandle command.
1170-| CertifyKey Alias Key | Caliptra Runtime Alias Key | The key that will be used to sign certificates that are produced by the DPE CertifyKey command.
2718+| Name | Value | Description |
2719+| -------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------ |
2720+| Profile Variant | `DPE_PROFILE_IROT_P384_SHA384` | The profile variant that Caliptra implements. |
2721+| KDF | SP800-108 HMAC-CTR | KDF to use for CDI (tcg.derive.kdf-sha384) and asymmetric key (tcg.derive.kdf-sha384-p384) derivation. |
2722+| Simulation Context Support | Yes | Whether Caliptra implements the optional Simulation Contexts feature. |
2723+| Supports ExtendTci | Yes | Whether Caliptra implements the optional ExtendTci command. |
2724+| Supports Auto Init | Yes | Whether Caliptra will automatically initialize the default DPE context. |
2725+| Supports Rotate Context | Yes | Whether Caliptra supports the optional RotateContextHandle command. |
2726+| CertifyKey Alias Key | Caliptra Runtime Alias Key | The key that will be used to sign certificates that are produced by the DPE CertifyKey command. |
2727+
11712728
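Review bot: this table changes only column alignment, but with ML-DSA-87 IDevID and FMC Alias CSR commands added in the same change, the `Profile Variant` (`DPE_PROFILE_IROT_P384_SHA384`) and `KDF` (`tcg.derive.kdf-sha384-p384`) rows now silently describe only the ECC path; state explicitly whether DPE remains P-384-only in 2.0 or add the corresponding entries for the MLDSA87 alias key.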
11722729 ### Supported DPE commands
11732730
@@ -1176,7 +2733,7 @@
11762733 * GetProfile
11772734 * InitializeContext
11782735 * DeriveContext
1179- * **Note**: The "export-cdi" flag is only available in the locality of the PL0 PAUSER.
2736+ * **Note**: The "export-cdi" flag is only available in the locality of the PL0 PAUSER.
11802737 * CertifyKey
11812738 * Caliptra DPE supports two formats for CertifyKey: X.509 and PKCS#10 CSR.
11822739 X.509 is only available to PL0 PAUSERs.
@@ -1201,9 +2758,9 @@
12012758
12022759 * Runtime Firmware SHALL initialize the default context in “internal-cdi” mode.
12032760 * Perform the following initial measurements:
1204- * Call DeriveContext with Caliptra RT PCRs
2761+ * Call DeriveContext with Caliptra Journey PCR
12052762 * INPUT\_DATA = PCRX (RT journey PCR as defined in the FHT)
1206- * TYPE = “RTMR”
2763+ * TYPE = “RTJM”
12072764 * CONTEXT\_HANDLE = default context
12082765 * TARGET\_LOCALITY = Caliptra locality (0xFFFFFFFF)
12092766 * Call DeriveContext with mailbox valid PAUSERS
@@ -1248,12 +2805,13 @@
12482805
12492806 ### Internal representation of TCI nodes
12502807
1251-| **Byte offset** | **Bits** | **Name** | **Description**
1252-| ----- | ---- | ---------------- | -----------------------------------------------------
1253-| 0x00 | 383:0 | `TCI_CURRENT` | Current TCI measurement value
1254-| 0x30 | 383:0 | `TCI_CUMULATIVE` | TCI measurement value
1255-| 0x60 | 31:0 | `TYPE` | `TYPE` parameter to the DeriveContext call that created this node
1256-| 0x64 | 31:0 | `LOCALITY` | `TARGET_LOCALITY` parameter to the DeriveContext call that created this node (PAUSER)
2808+| **Byte offset** | **Bits** | **Name** | **Description** |
2809+| --------------- | -------- | ---------------- | ------------------------------------------------------------------------------------- |
2810+| 0x00 | 383:0 | `TCI_CURRENT` | Current TCI measurement value |
2811+| 0x30 | 383:0 | `TCI_CUMULATIVE` | TCI measurement value |
2812+| 0x60 | 31:0 | `TYPE` | `TYPE` parameter to the DeriveContext call that created this node |
2813+| 0x64 | 31:0 | `LOCALITY` | `TARGET_LOCALITY` parameter to the DeriveContext call that created this node (PAUSER) |
2814+
12572815
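Review bot: `TCI_CUMULATIVE` is described only as "TCI measurement value", which is indistinguishable from `TCI_CURRENT`'s "Current TCI measurement value"; spell out that it is the cumulative (journey) value, the one the `RT_FW_JOURNEY_PCR` validation step compares against. The offsets are consistent (0x00, 0x30, 0x60, 0x64 for 48 + 48 + 4 + 4 bytes), so only the description needs work.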
12582816 ### Certificate generation
12592817
@@ -1261,7 +2819,7 @@
12612819
12622820 The DPE `GET_CERTIFICATE_CHAIN` command shall return the following certificates:
12632821
1264-* IDevID (optionally added by the SoC via POPULATE\_IDEV\_CERT)
2822+* IDevID (optionally added by the SoC via POPULATE\_IDEV\_ECC384\_CERT)
12652823 * LDevID
12662824 * FMC Alias
12672825 * Runtime Alias
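Review bot: the IDevID entry names only `POPULATE_IDEV_ECC384_CERT`, but the PL0 privilege text in this same change adds `POPULATE_IDEV_MLDSA87_CERT`; either list both commands or state which certificate chain (ECC384 or MLDSA87) this `GET_CERTIFICATE_CHAIN` list describes.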