Diff: Runtime Specification

@@ -1,10 +1,10 @@
1	1	<div style="font-size: 0.85em; color: #656d76; margin-bottom: 1em; padding: 0.5em; background: #f6f8fa; border-radius: 4px;">
2		-📄 Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/1fa3967dd3bcac87b4b13f94d07e3583a5f50091/runtime/README.md" target="_blank">chipsalliance/caliptra-sw/runtime/README.md</a> @ <code>1fa3967</code>
	2	+📄 Source: <a href="https://github.com/chipsalliance/caliptra-sw/blob/fce741f907127d64224d8d814e5d3ded1a4d3c80/runtime/README.md" target="_blank">chipsalliance/caliptra-sw/runtime/README.md</a> @ <code>fce741f</code>
3	3	</div>
4	4
5		-# Caliptra Runtime Firmware v2.0.1
6		-
7		-Spec version: 0.3
	5	+# Caliptra Runtime Firmware v2.1
	6	+
	7	+Spec version: 1.0
8	8
9	9	This specification describes the Caliptra Runtime Firmware.
10	10
@@ -25,9 +25,14 @@
25	25	* [Cryptographic mailbox commands](#cryptographic-mailbox-commands-new-in-20)
26	26	* `ECDSA384_SIGNATURE_VERIFY` and `LMS_SIGNATURE_VERIFY`require the hash to be included in the message, as the SHA accelerator registers are no longer accessible outside Caliptra.
27	27
	28	+v2.1:
	29	+
	30	+* [External mailbox commands](#external-mailbox-cmd)
	31	+* [Encrypted firmware support](#encrypted-firmware-support-21-subsystem-mode-only)
	32	+* [OCP LOCK v1.0 commands](#mailbox-commands-ocp-lock-v10)
	33	+
	34	+
28	35	## Spec Opens
29		-
30		-* Cryptographic Mailbox: ML-KEM support
31	36
32	37	## Runtime Firmware environment
33	38
@@ -40,6 +45,19 @@
40	45	* Initialize the [DICE Protection Environment (DPE)](#dice-protection-environment-dpe)
41	46	* Initialize any SRAM structures used by Runtime Firmware
42	47	* Upload the firwmare to the Manufacturer Control Unit (2.0, susbystem mode only)
	48	+
	49	+#### Encrypted Firmware Support (2.1, subsystem mode only)
	50	+
	51	+When ROM receives the `RI_DOWNLOAD_ENCRYPTED_FIRMWARE` command instead of `RI_DOWNLOAD_FIRMWARE`, it sets the boot mode to `EncryptedFirmware`. In this mode:
	52	+
	53	+1. Runtime downloads the encrypted MCU firmware to MCU SRAM via the recovery interface
	54	+2. Runtime does not activate the MCU firmware immediately
	55	+3. The MCU ROM can then:
	56	+ - Import an AES key using `CM_IMPORT`
	57	+ - Decrypt the firmware in-place using `CM_AES_GCM_DECRYPT_DMA`
	58	+ - Send `CM_ACTIVATE_FIRMWARE` to activate the decrypted MCU firmware
	59	+
	60	+The `CM_AES_GCM_DECRYPT_DMA` command is intended to be used for the `EncryptedFirmware` boot mode and performs a SHA384 integrity check of the ciphertext before decryption, but can be used to decrypt other images as well in any boot mode.
43	61
44	62	For behavior during other types of reset, see [Runtime firmware updates](#runtime-firmware-updates).
45	63
@@ -94,7 +112,7 @@
94	112
95	113	CM itself does not provide any storage for the keys: when generated, they are returned to the caller in encrypted form, and must be passed back to be used.
96	114
97		-These mailbox commands provide SHA, HMAC, HKDF, AES, RNG, MLDSA, and ECDSA services.
	115	+These mailbox commands provide SHA, HMAC, HKDF, AES, RNG, MLDSA, ECDSA, and ML-KEM services.
98	116
99	117	Note that while MLDSA and ECDSA keys can be imported, generated, and used in the cryptographic mailbox commands (i.e., `CM_` commands) through CMKs, these keys are NOT* tied DICE or DPE, so their use may be restricted for certain purposes.
100	118
@@ -126,8 +144,7 @@
126	144
127	145	\| Name \| Bits \| Description \|
128	146	\| ------------- \| -------- \| -------------------------------------- \|
129		-\| version \| 8 \| CMK version. Currently always 1. \|
130		-\| flags \| 8 \| Bit 0 = FIPS valid \|
	147	+\| version \| 16 \| CMK version. Currently always 1. \|
131	148	\| length \| 16 \| how many bits of key material are used \|
132	149	\| key usage \| 8 \| represents which kind of key this is \|
133	150	\| id \| 24 \| ID number \|
@@ -162,8 +179,10 @@
162	179	\| --------- \| --------- \|
163	180	\| 0 \| Reserved \|
164	181	\| 1 \| HMAC \|
165		-\| 2 \| HKDF \|
166		-\| 3 \| AES \|
	182	+\| 2 \| AES \|
	183	+\| 3 \| ECDSA \|
	184	+\| 4 \| MLDSA \|
	185	+\| 5 \| ML-KEM \|
167	186
168	187
169	188	#### Replay Prevention and Deletion
@@ -187,7 +206,7 @@
187	206
188	207	Each of these abilities are tied to Caliptra Vendor and Owner FW signing keys and should be independent of any SoC RoT FW signing keys.
189	208
190		-Manifest-based image authorization is implemented via two mailbox commands: [`SET_AUTH_MANIFEST`](#set-auth-manifest), and [`AUTHORIZE_AND_STASH`](#authorize-and-stash).
	209	+Manifest-based image authorization is implemented via two mailbox commands: [`SET_AUTH_MANIFEST`](#set_auth_manifest), and [`AUTHORIZE_AND_STASH`](#authorize_and_stash).
191	210
192	211	### Caliptra-Endorsed Aggregated Measured Boot
193	212
@@ -367,7 +386,14 @@
367	386	\| -------- \| -------- \| ---------------
368	387	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian.
369	388	\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error.
370		-\| capabilities \| u8[16] \| Firmware capabilities
	389	+\| capabilities \| u8[16] \| Firmware capabilities. See table below for details.
	390	+
	391	+Table: Firmware Capabilities Flags
	392	+
	393	+\| Name \| Bit \| Description
	394	+\| --------------- \| ------- \| ---------------
	395	+\| `RT_BASE` \| 64 \| Base capabilities for Caliptra Runtime v2.1.
	396	+\| `RT_OCP_LOCK` \| 65 \| Runtime firmware and hardware supports OCP LOCK.
371	397
372	398	### GET\_IDEV\_ECC384\_CERT
373	399
@@ -811,13 +837,13 @@
811	837	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian.
812	838	\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error.
813	839
814		-### INVOKE\_DPE\_COMMAND
815		-
816		-Invokes a serialized DPE command.
	840	+### INVOKE\_DPE\_ECC384
	841	+
	842	+Invokes a serialized EC-P384 DPE profile command.
817	843
818	844	Command Code: `0x4450_4543` ("DPEC")
819	845
820		-Table: `INVOKE_DPE_COMMAND` input arguments
	846	+Table: `INVOKE_DPE_ECC384` input arguments
821	847
822	848	\| Name \| Type \| Description
823	849	\| -------- \| -------- \| ---------------
@@ -825,7 +851,49 @@
825	851	\| data\_size \| u32 \| Length in bytes of the valid data in the data field.
826	852	\| data \| u8[...] \| DPE command structure as defined in the DPE iRoT profile.
827	853
828		-Table: `INVOKE_DPE_COMMAND` output arguments
	854	+Table: `INVOKE_DPE_ECC384` output arguments
	855	+
	856	+\| Name \| Type \| Description
	857	+\| -------- \| -------- \| ---------------
	858	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian.
	859	+\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error.
	860	+\| data\_size \| u32 \| Length in bytes of the valid data in the data field.
	861	+\| data \| u8[...] \| DPE response structure as defined in the DPE iRoT profile.
	862	+
	863	+### INVOKE\_DPE\_MLDSA87
	864	+
	865	+Invokes a serialized ML-DSA-87 DPE profile command. In subsystem mode a response
	866	+can be DMA'ed to an external address. This is especially useful for large
	867	+commands like `CertifyKey` or `DeriveContext` when exporting a CDI. Both of
	868	+these responses contain a potentially large certificate/CSR. To use this
	869	+feature, set the EXTERNAL_AXI_RESPONSE in `flags` and set the corresponding
	870	+AXI address and size fields. The response over the mailbox will only contain a
	871	+mailbox header (`chksum` and `fips_status`). The full response including the
	872	+mailbox header will be found at the given address.
	873	+
	874	+Command Code: `0x4450_4543` ("DPEC")
	875	+
	876	+Table: `INVOKE_DPE_MLDSA87` input arguments
	877	+
	878	+\| Name \| Type \| Description \|
	879	+\| -------------- \| -------- \| --------------------------------------------------------------------------- \|
	880	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	881	+\| flags \| u32 \| Flags to give configurations of the command. \|
	882	+\| axi\_addr\_lo \| u32 \| Lower word of the destination physical address. \|
	883	+\| axi\_addr\_hi \| u32 \| Upper word of the destination physical address. \|
	884	+\| axi\_max\_size \| u32 \| Maximum DMA response size. \|
	885	+\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
	886	+\| data \| u8[...] \| DPE command structure as defined in the DPE iRoT profile. \|
	887	+
	888	+
	889	+Table: `INVOKE_DPE_MLDSA87` input flags
	890	+
	891	+\| Name \| Value \|
	892	+\| ----------------------- \| --------- \|
	893	+\| EXTERNAL\_AXI\_RESPONSE \| 1 << 31 \|
	894	+
	895	+
	896	+Table: `INVOKE_DPE_MLDSA87` output arguments
829	897
830	898	\| Name \| Type \| Description
831	899	\| -------- \| -------- \| ---------------
@@ -1143,35 +1211,69 @@
1143	1211	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian.
1144	1212	\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error.
1145	1213
1146		-### CERTIFY\_KEY\_EXTENDED
1147		-
1148		-Produces a DPE leaf certificate or CSR containing custom extensions provided by the SoC.
	1214	+### CERTIFY\_KEY\_EXTENDED\_ECC384
	1215	+
	1216	+Produces an ECC-P384 DPE leaf certificate or CSR containing custom extensions provided by the SoC.
1149	1217
1150	1218	Command Code: `0x434B_4558` ("CKEX")
1151	1219
1152		-Table: `CERTIFY_KEY_EXTENDED` input arguments
	1220	+Table: `CERTIFY_KEY_EXTENDED_ECC384` input arguments
1153	1221
1154	1222	\| Name \| Type \| Description \|
1155	1223	\| ----------------- \| -------- \| --------------------------------------------------------------------------- \|
1156	1224	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	1225	+\| flags \| u32 \| Flags determining which custom extensions to include in the certificate. \|
1157	1226	\| certify\_key\_req \| u8[72] \| Certify Key Request. \|
1158		-\| flags \| u32 \| Flags determining which custom extensions to include in the certificate. \|
1159		-
1160		-
1161		-Table: `CERTIFY_KEY_EXTENDED` input flags
	1227	+
	1228	+
	1229	+Table: `CERTIFY_KEY_EXTENDED_ECC384` input flags
1162	1230
1163	1231	\| Name \| Offset \|
1164		-\| --------------- \| ---------- \|
1165		-\| DMTF_OTHER_NAME \| 1 << 31 \|
1166		-
1167		-
1168		-Table: `CERTIFY_KEY_EXTENDED` output arguments
1169		-
1170		-\| Name \| Type \| Description \|
1171		-\| ------------------ \| -------- \| -------------------------------------------------------------------------- \|
	1232	+\| ----------------- \| ---------- \|
	1233	+\| DMTF\_OTHER\_NAME \| 1 << 31 \|
	1234	+
	1235	+
	1236	+Table: `CERTIFY_KEY_EXTENDED_ECC384` output arguments
	1237	+
	1238	+\| Name \| Type \| Description \|
	1239	+\| ------------------ \| --------- \| -------------------------------------------------------------------------- \|
1172	1240	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
1173	1241	\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
1174		-\| certify\_key\_resp \| u8[2176] \| Certify Key Response. \|
	1242	+\| size \| u32 \| The size of the response in the certify\_key\_resp field. \|
	1243	+\| certify\_key\_resp \| u8[25152] \| Certify Key Response. \|
	1244	+
	1245	+
	1246	+### CERTIFY\_KEY\_EXTENDED\_MLDSA87
	1247	+
	1248	+Produces an ML-DSA-87 DPE leaf certificate or CSR containing custom extensions provided by the SoC.
	1249	+
	1250	+Command Code: `0x434B_584D` ("CKXM")
	1251	+
	1252	+Table: `CERTIFY_KEY_EXTENDED_MLDSA87` input arguments
	1253	+
	1254	+\| Name \| Type \| Description \|
	1255	+\| ----------------- \| -------- \| --------------------------------------------------------------------------- \|
	1256	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	1257	+\| flags \| u32 \| Flags determining which custom extensions to include in the certificate. \|
	1258	+\| certify\_key\_req \| u8[72] \| Certify Key Request. \|
	1259	+
	1260	+
	1261	+Table: `CERTIFY_KEY_EXTENDED_MLDSA87` input flags
	1262	+
	1263	+\| Name \| Offset \|
	1264	+\| ----------------------- \| ---------- \|
	1265	+\| DMTF\_OTHER\_NAME \| 1 << 31 \|
	1266	+\| EXTERNAL\_AXI\_RESPONSE \| 1 << 30 \|
	1267	+
	1268	+
	1269	+Table: `CERTIFY_KEY_EXTENDED_MLDSA87` output arguments
	1270	+
	1271	+\| Name \| Type \| Description \|
	1272	+\| ------------------ \| --------- \| -------------------------------------------------------------------------- \|
	1273	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	1274	+\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
	1275	+\| size \| u32 \| The size of the response in the certify\_key\_resp field. \|
	1276	+\| certify\_key\_resp \| u8[25152] \| Certify Key Response. \|
1175	1277
1176	1278
1177	1279	### SET_AUTH_MANIFEST
@@ -1182,8 +1284,8 @@
1182	1284
1183	1285	Table: `SET_AUTH_MANIFEST` input arguments
1184	1286
1185		-\| Name \| Type \| Description
1186		-\| -------- \| -------- \| ---------------
	1287	+\| Name \| Type \| Description \|
	1288	+\| -------- \| -------- \| --------------- \|
1187	1289	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
1188	1290	\| manifest size \| u32 \| The size of the full Authentication Manifest \|
1189	1291	\| preamble\_marker \| u32 \| Marker needs to be 0x4154_4D4E for the preamble to be valid \|
@@ -1219,17 +1321,17 @@
1219	1321	\| Name \| Type \| Description \|
1220	1322	\| ------------------------ \| --------- \| ---------------- \|
1221	1323	\| Image Hash \| u8[48] \| SHA2-384 hash of a SOC image. \|
1222		-
1223		-\| Image_id \| u32 \| This corresponds to the `Image Identifier` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1224		-\| Component_id \| u32 \| This corresponds to the `Component Id` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1225		-\| flags \| u32 \| This corresponds to the `flags` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1226		-\| Image Load Address High \| u32 \| This corresponds to the `Image Load Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1227		-\| Image Load Address Low \| u32 \| This corresponds to the `Image Load Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1228		-\| Staging Address High \| u32 \| This corresponds to the `Staging Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1229		-\| Staging Address Low \| u32 \| This corresponds to the `Staging Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1230		-\| Classification \| u32 \| This corresponds to the `Classification` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1231		-\| Version Number \| u32 \| This corresponds to the `Version Number` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1232		-\| Version String \| u8[32] \| This corresponds to the `Version String` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
	1324	+\| Image_id \| u32 \| This corresponds to the `Image Identifier` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1325	+\| Component_id \| u32 \| This corresponds to the `Component Id` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1326	+\| flags \| u32 \| This corresponds to the `flags` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1327	+\| Image Load Address High \| u32 \| This corresponds to the `Image Load Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1328	+\| Image Load Address Low \| u32 \| This corresponds to the `Image Load Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1329	+\| Staging Address High \| u32 \| This corresponds to the `Staging Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1330	+\| Staging Address Low \| u32 \| This corresponds to the `Staging Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1331	+\| Classification \| u32 \| This corresponds to the `Classification` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1332	+\| Version Number \| u32 \| This corresponds to the `Version Number` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1333	+\| Version String \| u8[32] \| This corresponds to the `Version String` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1334	+
1233	1335
1234	1336	### VERIFY_AUTH_MANIFEST
1235	1337
@@ -1251,8 +1353,8 @@
1251	1353
1252	1354	Table: `AUTHORIZE_AND_STASH` input arguments
1253	1355
1254		-\| Name \| Type \| Description
1255		-\| ------------\| -------- \| ---------------
	1356	+\| Name \| Type \| Description \|
	1357	+\| ------------ \| -------- \| --------------- \|
1256	1358	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
1257	1359	\| fw_id \| u8[4] \| Firmware id of the image, in little-endian format \|
1258	1360	\| measurement \| u8[48] \| Digest of the image requested for authorization. The `source` field needs to be set to '1` for InRequest, otherwise<br />this field is ignored. \|
@@ -1274,8 +1376,8 @@
1274	1376	\| --------------- \| -------- \| -------------------------------------------------------------------------- \|
1275	1377	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
1276	1378	\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
1277		-
1278		-\| auth_req_result \| u32 \|AUTHORIZE_IMAGE (0xDEADC0DE), IMAGE_NOT_AUTHORIZED (0x21523F21) or IMAGE_HASH_MISMATCH (0x8BFB95CB)
	1379	+\| auth_req_result \| u32 \| AUTHORIZE_IMAGE (0xDEADC0DE), IMAGE_NOT_AUTHORIZED (0x21523F21) or IMAGE_HASH_MISMATCH (0x8BFB95CB) \|
	1380	+
1279	1381
1280	1382	### GET_IMAGE_INFO
1281	1383
@@ -1288,8 +1390,8 @@
1288	1390	\| Name \| Type \| Description \|
1289	1391	\| -------------- \| -------------- \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
1290	1392	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
1291		-
1292		-\| fw_id \| u32 \| Firmware id of the image, in little-endian format
	1393	+\| fw_id \| u32 \| Firmware id of the image, in little-endian format \|
	1394	+
1293	1395
1294	1396	Table: `GET_IMAGE_INFO` output arguments
1295	1397
@@ -1297,17 +1399,38 @@
1297	1399	\| -------------- \| -------------- \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
1298	1400	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
1299	1401	\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
1300		-
1301		-\| Component_id \| u32 \| This corresponds to the `Component Id` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1302		-\| flags \| u32 \| This corresponds to the `flags` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1303		-\| Image Load Address High \| u32 \| This corresponds to the `Image Load Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1304		-\| Image Load Address Low \| u32 \| This corresponds to the `Image Load Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1305		-\| Staging Address High \| u32 \| This corresponds to the `Staging Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1306		-\| Staging Address Low \| u32 \| This corresponds to the `Staging Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1307		-\| Classification \| u32 \| This corresponds to the `Classification` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1308		-\| Version Number \| u32 \| This corresponds to the `Version Number` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1309		-\| Version String \| u8[32] \| This corresponds to the `Version String` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main-2.x/auth-manifest/README.md)
1310		-
	1402	+\| Component_id \| u32 \| This corresponds to the `Component Id` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1403	+\| flags \| u32 \| This corresponds to the `flags` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1404	+\| Image Load Address High \| u32 \| This corresponds to the `Image Load Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1405	+\| Image Load Address Low \| u32 \| This corresponds to the `Image Load Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1406	+\| Staging Address High \| u32 \| This corresponds to the `Staging Address High` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1407	+\| Staging Address Low \| u32 \| This corresponds to the `Staging Address Low` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1408	+\| Classification \| u32 \| This corresponds to the `Classification` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1409	+\| Version Number \| u32 \| This corresponds to the `Version Number` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1410	+\| Version String \| u8[32] \| This corresponds to the `Version String` field in the [SoC Manifest](https://github.com/chipsalliance/caliptra-sw/blob/main/auth-manifest/README.md) \|
	1411	+
	1412	+
	1413	+### GET\_MCU\_FW\_SIZE
	1414	+
	1415	+Returns the size and SHA-384 digest of the MCU firmware image that was downloaded during the recovery flow. This command is used by MCU ROM during encrypted boot so it can issue `CM_AES_GCM_DECRYPT_DMA` with the correct size and without recomputing the digest.
	1416	+
	1417	+Command Code: `0x474D_4653` ("GMFS")
	1418	+
	1419	+Table: `GET_MCU_FW_SIZE` input arguments
	1420	+
	1421	+\| Name \| Type \| Description \|
	1422	+\| -------------- \| -------------- \| --------------------------------------------------------------------------- \|
	1423	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	1424	+
	1425	+
	1426	+Table: `GET_MCU_FW_SIZE` output arguments
	1427	+
	1428	+\| Name \| Type \| Description \|
	1429	+\| -------------- \| -------------- \| -------------------------------------------------------------------------- \|
	1430	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	1431	+\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
	1432	+\| size \| u32 \| Size of the MCU firmware image in bytes. \|
	1433	+\| sha384 \| u8[48] \| SHA-384 digest of the encrypted MCU firmware image. \|
1311	1434
1312	1435
1313	1436	### ACTIVATE_FIRMWARE
@@ -1334,6 +1457,28 @@
1334	1457	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
1335	1458	\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
1336	1459
	1460	+
	1461	+## Mailbox commands: OCP LOCK v1.0
	1462	+
	1463	+These commands are defined in the OCP LOCK v1.0 [specification](https://github.com/chipsalliance/Caliptra/blob/main/doc/ocp_lock/releases/OCP_LOCK_Specification_v1.0_RC2.pdf).
	1464	+
	1465	+### ENUMERATE_HPKE_HANDLES
	1466	+### REPORT_HEK_METADATA
	1467	+### GET_ALGORITHMS
	1468	+### INITIALIZE_MEK_SECRET
	1469	+### ROTATE_HPKE_KEY
	1470	+### GENERATE_MEK
	1471	+### GENERATE_MPK
	1472	+### REWRAP_MPK
	1473	+### ENABLE_MPK
	1474	+### MIX_MPK
	1475	+### GET_HPKE_PUB_KEY
	1476	+### TEST_ACCESS_KEY
	1477	+### GET_STATUS
	1478	+### CLEAR_KEY_CACHE
	1479	+### UNLOAD_MEK
	1480	+### LOAD_MEK
	1481	+### DERIVE_MEK
1337	1482
1338	1483	## Mailbox commands: Cryptographic Mailbox (2.0)
1339	1484
@@ -1437,6 +1582,99 @@
1437	1582	\| fips_status \| u32 \| FIPS approved or an error \|
1438	1583	\| hash size \| u32 \|\|
1439	1584	\| hash \| u8[hash size] \|\|
	1585	+
	1586	+
	1587	+### CM\_SHAKE256\_INIT
	1588	+
	1589	+This starts the computation of a SHAKE256 extendable-output hash, which may be larger than a single mailbox command allows.
	1590	+
	1591	+Note: Unlike the CM\_SHA commands, SHAKE256 cannot save and restore hardware state between calls. Instead, the SHA3 hardware state is kept live, and the context returned to the caller is an encrypted random session token. If any other SHA3 operation occurs between INIT and FINAL, the session is invalidated and UPDATE/FINAL will return an error.
	1592	+
	1593	+The sequence to use these are:
	1594	+* 1 `CM_SHAKE256_INIT` command
	1595	+* 0 or more `CM_SHAKE256_UPDATE` commands
	1596	+* 1 `CM_SHAKE256_FINAL` command
	1597	+
	1598	+For each command, the context from the previous command's output must be passed as an input.
	1599	+
	1600	+The `SHAKE256_CONTEXT_SIZE` is always exactly 44 bytes long (encrypted session token).
	1601	+
	1602	+The maximum supported input data size per command is 4096 bytes.
	1603	+
	1604	+Command Code: `0x434D_5849` ("CMXI")
	1605	+
	1606	+Table: `CM_SHAKE256_INIT` input arguments
	1607	+
	1608	+\| Name \| Type \| Description \|
	1609	+\| --------- \| ------------- \| --------------- \|
	1610	+\| chksum \| u32 \|\|
	1611	+\| data size \| u32 \|\|
	1612	+\| data \| u8[data size] \| Data to hash \|
	1613	+
	1614	+
	1615	+Table: `CM_SHAKE256_INIT` output arguments
	1616	+
	1617	+\| Name \| Type \| Description \|
	1618	+\| ----------- \| ------------------------- \| -------------------------------------------------- \|
	1619	+\| chksum \| u32 \|\|
	1620	+\| fips_status \| u32 \| FIPS approved or an error \|
	1621	+\| context \| u8[SHAKE256_CONTEXT_SIZE] \| Passed to `CM_SHAKE256_UPDATE` / `CM_SHAKE256_FINAL` \|
	1622	+
	1623	+
	1624	+### CM\_SHAKE256\_UPDATE
	1625	+
	1626	+This continues a SHAKE256 computation started by `CM_SHAKE256_INIT` or from another `CM_SHAKE256_UPDATE`.
	1627	+
	1628	+The context MUST be passed in from `CM_SHAKE256_INIT` or `CM_SHAKE256_UPDATE`.
	1629	+
	1630	+Command Code: `0x434D_5855` ("CMXU")
	1631	+
	1632	+Table: `CM_SHAKE256_UPDATE` input arguments
	1633	+
	1634	+\| Name \| Type \| Description \|
	1635	+\| --------- \| ------------------------- \| ---------------------------------------------------- \|
	1636	+\| chksum \| u32 \|\|
	1637	+\| context \| u8[SHAKE256_CONTEXT_SIZE] \| From `CM_SHAKE256_INIT` / `CM_SHAKE256_UPDATE` \|
	1638	+\| data size \| u32 \|\|
	1639	+\| data \| u8[data size] \| Data to hash \|
	1640	+
	1641	+
	1642	+Table: `CM_SHAKE256_UPDATE` output arguments
	1643	+
	1644	+\| Name \| Type \| Description \|
	1645	+\| ----------- \| ------------------------- \| -------------------------------------------------- \|
	1646	+\| chksum \| u32 \|\|
	1647	+\| fips_status \| u32 \| FIPS approved or an error \|
	1648	+\| context \| u8[SHAKE256_CONTEXT_SIZE] \| Passed to `CM_SHAKE256_UPDATE` / `CM_SHAKE256_FINAL` \|
	1649	+
	1650	+
	1651	+### CM\_SHAKE256\_FINAL
	1652	+
	1653	+This finalizes the SHAKE256 computation and produces the hash of all of the data.
	1654	+
	1655	+The context MUST be passed in from `CM_SHAKE256_INIT` or `CM_SHAKE256_UPDATE`.
	1656	+
	1657	+The output is always a 64-byte SHAKE256 digest.
	1658	+
	1659	+Command Code: `0x434D_5846` ("CMXF")
	1660	+
	1661	+Table: `CM_SHAKE256_FINAL` input arguments
	1662	+
	1663	+\| Name \| Type \| Description \|
	1664	+\| ----------- \| ------------------------- \| ---------------------------------------------- \|
	1665	+\| chksum \| u32 \|\|
	1666	+\| context \| u8[SHAKE256_CONTEXT_SIZE] \| From `CM_SHAKE256_INIT` / `CM_SHAKE256_UPDATE` \|
	1667	+\| data size \| u32 \| May be 0 \|
	1668	+\| data \| u8[data size] \| Data to hash \|
	1669	+
	1670	+
	1671	+Table: `CM_SHAKE256_FINAL` output arguments
	1672	+
	1673	+\| Name \| Type \| Description \|
	1674	+\| ----------- \| -------- \| ------------------------- \|
	1675	+\| chksum \| u32 \|\|
	1676	+\| fips_status \| u32 \| FIPS approved or an error \|
	1677	+\| hash \| u8[64] \| SHAKE256 digest \|
1440	1678
1441	1679
1442	1680	### CM\_HMAC
@@ -1727,6 +1965,79 @@
1727	1965	\| fips_status \| u32 \| FIPS approved or an error \|
1728	1966
1729	1967
	1968	+### CM_MLKEM_KEY_GEN
	1969	+
	1970	+Generates an ML-KEM-1024 encapsulation key from the seed (seed\_d \|\| seed\_z, 64 bytes) stored in a CMK with key usage `Mlkem`.
	1971	+
	1972	+The key generation algorithm is described in [FIPS 203](https://csrc.nist.gov/pubs/fips/203/final).
	1973	+
	1974	+Command Code: `0x434D_4C4B` ("CMLK")
	1975	+
	1976	+Table: `CM_MLKEM_KEY_GEN` input arguments
	1977	+\| Name \| Type \| Description \|
	1978	+\| -------- \| -------- \| ---------------------------------------- \|
	1979	+\| chksum \| u32 \|\|
	1980	+\| CMK \| CMK \| ML-KEM seed (seed\_d \|\| seed\_z) \|
	1981	+
	1982	+
	1983	+Table: `CM_MLKEM_KEY_GEN` output arguments
	1984	+\| Name \| Type \| Description \|
	1985	+\| ----------- \| -------- \| ---------------------------------------- \|
	1986	+\| chksum \| u32 \|\|
	1987	+\| fips_status \| u32 \| FIPS approved or an error \|
	1988	+\| encaps_key \| u8[1568] \| ML-KEM-1024 encapsulation key \|
	1989	+
	1990	+
	1991	+### CM_MLKEM_ENCAPSULATE
	1992	+
	1993	+Performs ML-KEM-1024 encapsulation against the provided encapsulation key, producing a ciphertext and a shared key wrapped as a CMK.
	1994	+
	1995	+The encapsulation algorithm is described in [FIPS 203](https://csrc.nist.gov/pubs/fips/203/final).
	1996	+
	1997	+Command Code: `0x434D_4C45` ("CMLE")
	1998	+
	1999	+Table: `CM_MLKEM_ENCAPSULATE` input arguments
	2000	+\| Name \| Type \| Description \|
	2001	+\| ----------- \| -------- \| ---------------------------------------- \|
	2002	+\| chksum \| u32 \|\|
	2003	+\| key_usage \| u32 \| Key usage for the output CMK \|
	2004	+\| encaps_key \| u8[1568] \| ML-KEM-1024 encapsulation key \|
	2005	+
	2006	+
	2007	+Table: `CM_MLKEM_ENCAPSULATE` output arguments
	2008	+\| Name \| Type \| Description \|
	2009	+\| ----------- \| -------- \| ---------------------------------------- \|
	2010	+\| chksum \| u32 \|\|
	2011	+\| fips_status \| u32 \| FIPS approved or an error \|
	2012	+\| ciphertext \| u8[1568] \| ML-KEM-1024 ciphertext \|
	2013	+\| shared_key \| CMK \| CMK of the shared secret key \|
	2014	+
	2015	+
	2016	+### CM_MLKEM_DECAPSULATE
	2017	+
	2018	+Performs ML-KEM-1024 decapsulation using the seed in the provided CMK and the given ciphertext, recovering the shared key wrapped as a CMK. This uses the hardware's combined keygen\_decapsulate operation to avoid materializing the full 3168-byte decapsulation key in memory.
	2019	+
	2020	+The decapsulation algorithm is described in [FIPS 203](https://csrc.nist.gov/pubs/fips/203/final).
	2021	+
	2022	+Command Code: `0x434D_4C44` ("CMLD")
	2023	+
	2024	+Table: `CM_MLKEM_DECAPSULATE` input arguments
	2025	+\| Name \| Type \| Description \|
	2026	+\| ----------- \| -------- \| ---------------------------------------- \|
	2027	+\| chksum \| u32 \|\|
	2028	+\| key_usage \| u32 \| Key usage for the output CMK \|
	2029	+\| CMK \| CMK \| ML-KEM seed (seed\_d \|\| seed\_z) \|
	2030	+\| ciphertext \| u8[1568] \| ML-KEM-1024 ciphertext to decapsulate \|
	2031	+
	2032	+
	2033	+Table: `CM_MLKEM_DECAPSULATE` output arguments
	2034	+\| Name \| Type \| Description \|
	2035	+\| ----------- \| -------- \| ---------------------------------------- \|
	2036	+\| chksum \| u32 \|\|
	2037	+\| fips_status \| u32 \| FIPS approved or an error \|
	2038	+\| shared_key \| CMK \| CMK of the shared secret key \|
	2039	+
	2040	+
1730	2041	### CM_AES_ENCRYPT_INIT
1731	2042
1732	2043	Generic AES operation for unauthenticated AES operations.
@@ -1773,8 +2084,7 @@
1773	2084	\| mode \| u32 \|\|
1774	2085	\| key \| u8[32] \|\|
1775	2086	\| iv \| u8[16] \|\|
1776		-\| fips_status \| u8 \| 1 = FIPS valid \|
1777		-\| reserved \| u8[75] \| Reserved for additional fields \|
	2087	+\| reserved \| u8[76] \| Reserved for additional fields \|
1778	2088
1779	2089
1780	2090	The size of the (encrypted) context is always exactly 156 bytes,
@@ -1923,8 +2233,7 @@
1923	2233	\| GHASH state \| u8[16] \|\|
1924	2234	\| current length \| u32 \| value mod 16 is buffer size \|
1925	2235	\| buffer \| u8[16] \|\|
1926		-\| fips_status \| u8 \| 1 = FIPS valid \|
1927		-\| reserved \| u8[15] \|\|
	2236	+\| reserved \| u8[16] \|\|
1928	2237
1929	2238
1930	2239	The size of the (encrypted) context is always exactly 128 bytes,
@@ -2196,6 +2505,44 @@
2196	2505	\| plaintext \| u8[plaintext size] \|\|
2197	2506
2198	2507
	2508	+### CM_AES_GCM_DECRYPT_DMA
	2509	+
	2510	+Performs in-place AES-256-GCM decryption of data at an AXI address using DMA. This command is specifically designed for decrypting MCU firmware that was downloaded via the `RI_DOWNLOAD_ENCRYPTED_FIRMWARE` command.
	2511	+
	2512	+Important restrictions:
	2513	+- This command is only available in subsystem mode, as DMA is only available in subsystem.
	2514	+- This command is only available when the boot mode is `EncryptedFirmware`, which is set by ROM when it receives the `RI_DOWNLOAD_ENCRYPTED_FIRMWARE` command.
	2515	+- The command performs a two-pass operation:
	2516	+ 1. First pass: Verifies the SHA384 hash of the encrypted data at the AXI address
	2517	+ 2. Second pass: Performs in-place AES-GCM decryption via DMA
	2518	+
	2519	+The CMK must be an AES key (key usage = 3) that was previously imported using `CM_IMPORT`.
	2520	+
	2521	+Command Code: `0x434D_4444` ("CMDD")
	2522	+
	2523	+Table: `CM_AES_GCM_DECRYPT_DMA` input arguments
	2524	+\| Name \| Type \| Description \|
	2525	+\| --------------------- \| --------- \| ---------------------------------------------------- \|
	2526	+\| chksum \| u32 \| Checksum over other input arguments \|
	2527	+\| cmk \| CMK \| Encrypted CMK containing the AES-256 key \|
	2528	+\| iv \| u32[3] \| AES-GCM initialization vector (12 bytes) \|
	2529	+\| tag \| u32[4] \| AES-GCM authentication tag (16 bytes) \|
	2530	+\| encrypted_data_sha384 \| u8[48] \| SHA384 hash of the encrypted data for verification \|
	2531	+\| axi_addr_lo \| u32 \| Lower 32 bits of the AXI address \|
	2532	+\| axi_addr_hi \| u32 \| Upper 32 bits of the AXI address \|
	2533	+\| length \| u32 \| Length of data to decrypt in bytes \|
	2534	+\| aad_length \| u32 \| Length of AAD in bytes (0-4095) \|
	2535	+\| aad \| u8[...] \| Additional authenticated data \|
	2536	+
	2537	+
	2538	+Table: `CM_AES_GCM_DECRYPT_DMA` output arguments
	2539	+\| Name \| Type \| Description \|
	2540	+\| ------------ \| -------- \| ----------------------------------------------------- \|
	2541	+\| chksum \| u32 \| Checksum over other output arguments \|
	2542	+\| fips_status \| u32 \| FIPS approved or an error \|
	2543	+\| tag_verified \| u32 \| 1 if GCM tag verification succeeded, 0 if it failed \|
	2544	+
	2545	+
2199	2546	### CM_ECDH_GENERATE
2200	2547
2201	2548	This computes the first half of an Elliptic Curve Diffie-Hellman exchange to compute an ephemeral shared key pair with another party.
@@ -2324,22 +2671,20 @@
2324	2671	If a key usage other than HMAC is desired, then the KDF or HKDF
2325	2672	mailbox functions can be used to derive a key from the returned CMK.
2326	2673
2327		-Note that in Caliptra 2.0 in subsystem mode, derived stable keys, their derivatives, and commands using them will be marked with a FIPS status of invalid since the UDS and FE cannot be completely zeroized.
2328		-
2329	2674	Command Code: `0x434D_4453` ("CMDS")
2330	2675
2331	2676	Table: `CM_DERIVE_STABLE_KEY` input arguments
2332	2677
2333		-\| Name \| Type \| Description
2334		-\| -------- \| -------- \| ---------------
	2678	+\| Name \| Type \| Description \|
	2679	+\| -------- \| -------- \| --------------- \|
2335	2680	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2336	2681	\| key_type \| u32 \| Source key to derive the stable key from. 0x0000_0001: IDevId <br> 0x0000_0002: LDevId \|
2337	2682	\| info \| u8[32] \| Data to use in the key derivation. \|
2338	2683
2339	2684
2340	2685	Table: `CM_DERIVE_STABLE_KEY` output arguments
2341		-\| Name \| Type \| Description
2342		-\| -------- \| -------- \| ---------------
	2686	+\| Name \| Type \| Description \|
	2687	+\| -------- \| -------- \| --------------- \|
2343	2688	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
2344	2689	\| cmk \| CMK \| CMK that stores the stable key material \|
2345	2690
@@ -2349,9 +2694,6 @@
2349	2694	Imports the specified key and returns a CMK for it.
2350	2695
2351	2696	Usage information is required so that the key can be verified and used appropriately.
2352		-
2353		-Note that it is the caller's responsibility to ensure that the source
2354		-key material meets FIPS requirements, such as zeroization.
2355	2697
2356	2698	Command Code: `0x434D_494D` ("CMIM")
2357	2699
@@ -2436,14 +2778,14 @@
2436	2778
2437	2779	Table: `GET_IDEV_ECC384_CSR` input arguments
2438	2780
2439		-\| Name \| Type \| Description
2440		-\| -------- \| -------- \| ---------------
	2781	+\| Name \| Type \| Description \|
	2782	+\| -------- \| -------- \| --------------- \|
2441	2783	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2442	2784
2443	2785
2444	2786	Table: `GET_IDEV_ECC384_CSR` output arguments
2445		-\| Name \| Type \| Description
2446		-\| -------- \| -------- \| ---------------
	2787	+\| Name \| Type \| Description \|
	2788	+\| -------- \| -------- \| --------------- \|
2447	2789	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
2448	2790	\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
2449	2791	\| data \| u8[...] \| DER-encoded ECC384 IDevID certificate signing request. \|
@@ -2455,14 +2797,14 @@
2455	2797
2456	2798	Table: `GET_IDEV_MLDSA87_CSR` input arguments
2457	2799
2458		-\| Name \| Type \| Description
2459		-\| -------- \| -------- \| ---------------
	2800	+\| Name \| Type \| Description \|
	2801	+\| -------- \| -------- \| --------------- \|
2460	2802	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2461	2803
2462	2804
2463	2805	Table: `GET_IDEV_MLDSA87_CSR` output arguments
2464		-\| Name \| Type \| Description
2465		-\| -------- \| -------- \| ---------------
	2806	+\| Name \| Type \| Description \|
	2807	+\| -------- \| -------- \| --------------- \|
2466	2808	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
2467	2809	\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
2468	2810	\| data \| u8[...] \| DER-encoded MLDSA87 IDevID certificate signing request. \|
@@ -2482,14 +2824,14 @@
2482	2824
2483	2825	Table: `GET_FMC_ALIAS_ECC384_CSR` input arguments
2484	2826
2485		-\| Name \| Type \| Description
2486		-\| -------- \| -------- \| ---------------
	2827	+\| Name \| Type \| Description \|
	2828	+\| -------- \| -------- \| --------------- \|
2487	2829	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2488	2830
2489	2831
2490	2832	Table: `GET_FMC_ALIAS_ECC384_CSR` output arguments
2491		-\| Name \| Type \| Description
2492		-\| -------- \| -------- \| ---------------
	2833	+\| Name \| Type \| Description \|
	2834	+\| -------- \| -------- \| --------------- \|
2493	2835	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
2494	2836	\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
2495	2837	\| data \| u8[...] \| DER-encoded ECC384 FMC Alias certificate signing request. \|
@@ -2501,19 +2843,67 @@
2501	2843
2502	2844	Table: `GET_FMC_ALIAS_MLDSA87_CSR` input arguments
2503	2845
2504		-\| Name \| Type \| Description
2505		-\| -------- \| -------- \| ---------------
	2846	+\| Name \| Type \| Description \|
	2847	+\| -------- \| -------- \| --------------- \|
2506	2848	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2507	2849
2508	2850
2509	2851	Table: `GET_FMC_ALIAS_MLDSA87_CSR` output arguments
2510		-\| Name \| Type \| Description
2511		-\| -------- \| -------- \| ---------------
	2852	+\| Name \| Type \| Description \|
	2853	+\| -------- \| -------- \| --------------- \|
2512	2854	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
2513	2855	\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
2514	2856	\| data \| u8[...] \| DER-encoded MLDSA87 FMC Alias certificate signing request. \|
2515	2857
2516	2858
	2859	+### GET\_ATTESTED\_ECC384\_CSR
	2860	+
	2861	+Generates an attested ECC384 certificate signing request (CSR) in Entity Attestation Token (EAT) format as per the [OCP Device Identity Provisioning](https://opencomputeproject.github.io/Security/device-identity-provisioning/HEAD/) specification, signed by the `RT Alias` key for the requested Device Identity Key.
	2862	+
	2863	+Command Code: `0x4145_4352` ("AECR")
	2864	+
	2865	+Table: `GET_ATTESTED_ECC384_CSR` input arguments
	2866	+
	2867	+\| Name \| Type \| Description \|
	2868	+\| -------- \| -------- \| --------------- \|
	2869	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	2870	+\| key_id \| u32 \| Key ID for which CSR is requested.<br> 0x0000_0001: LDevId <br> 0x0000_0002: FMC Alias <br> 0x0000_0003: RT Alias \|
	2871	+\| nonce \| u8[32] \| Nonce to be included in the CSR EAT. \|
	2872	+
	2873	+
	2874	+Table: `GET_ATTESTED_ECC384_CSR` output arguments
	2875	+
	2876	+\| Name \| Type \| Description \|
	2877	+\| -------- \| -------- \| --------------- \|
	2878	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	2879	+\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
	2880	+\| data \| u8[...] \| DER-encoded ECC384 attested certificate signing request. \|
	2881	+
	2882	+
	2883	+### GET\_ATTESTED\_MLDSA87\_CSR
	2884	+
	2885	+Generates an attested MLDSA87 certificate signing request (CSR) in Entity Attestation Token (EAT) format as per the [OCP Device Identity Provisioning](https://opencomputeproject.github.io/Security/device-identity-provisioning/HEAD/) specification, signed by the `RT Alias` key for the requested Device Identity Key.
	2886	+
	2887	+Command Code: `0x414D_4352` ("AMCR")
	2888	+
	2889	+Table: `GET_ATTESTED_MLDSA87_CSR` input arguments
	2890	+
	2891	+\| Name \| Type \| Description \|
	2892	+\| -------- \| -------- \| --------------- \|
	2893	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	2894	+\| key_id \| u32 \| Key ID for which CSR is requested.<br> 0x0000_0001: LDevId <br> 0x0000_0002: FMC Alias <br> 0x0000_0003: RT Alias \|
	2895	+\| nonce \| u8[32] \| Nonce to be included in the CSR EAT. \|
	2896	+
	2897	+
	2898	+Table: `GET_ATTESTED_MLDSA87_CSR` output arguments
	2899	+
	2900	+\| Name \| Type \| Description \|
	2901	+\| -------- \| -------- \| --------------- \|
	2902	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
	2903	+\| data\_size \| u32 \| Length in bytes of the valid data in the data field. \|
	2904	+\| data \| u8[...] \| DER-encoded MLDSA87 attested certificate signing request. \|
	2905	+
	2906	+
2517	2907	### SIGN\_WITH\_EXPORTED\_ECDSA
2518	2908
2519	2909	Command Code: `0x5357_4545` ("SWEE")
@@ -2522,16 +2912,16 @@
2522	2912
2523	2913	Table: `SIGN_WITH_EXPORTED_ECDSA` input arguments
2524	2914
2525		-\| Name \| Type \| Description
2526		-\| -------- \| -------- \| ---------------
	2915	+\| Name \| Type \| Description \|
	2916	+\| -------- \| -------- \| --------------- \|
2527	2917	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2528	2918	\| exported_cdi_handle \| u8[32] \| The Exported CDI handle returned by the DPE `DeriveContext` command. Little endian. \|
2529	2919	\| tbs \| u8[48] \| The bytes to be signed. Little endian. \|
2530	2920
2531	2921
2532	2922	Table: `SIGN_WITH_EXPORTED_ECDSA` output arguments
2533		-\| Name \| Type \| Description
2534		-\| -------- \| -------- \| ---------------
	2923	+\| Name \| Type \| Description \|
	2924	+\| -------- \| -------- \| --------------- \|
2535	2925	\| derived_pubkey_x \| u8[48] \| The X BigNum of the ECDSA public key associated with the signing key. \|
2536	2926	\| derived_pubkey_y \| u8[48] \| The Y BigNum of the ECDSA public key associated with the signing key. \|
2537	2927	\| signature_r \| u8[48] \| The R BigNum of an ECDSA signature. \|
@@ -2548,8 +2938,8 @@
2548	2938
2549	2939	Table: `REVOKE_EXPORTED_CDI_HANDLE` input arguments
2550	2940
2551		-\| Name \| Type \| Description
2552		-\| -------- \| -------- \| ---------------
	2941	+\| Name \| Type \| Description \|
	2942	+\| -------- \| -------- \| --------------- \|
2553	2943	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2554	2944	\| exported_cdi_handle \| u8[32] \| The Exported CDI handle returned by the DPE `DeriveContext` command. Little endian. \|
2555	2945
@@ -2559,6 +2949,35 @@
2559	2949	The `exported_cdi_handle` is no longer usable after calling `REVOKE_EXPORTED_CDI_HANDLE` with it. After the `exported_cdi_handle`
2560	2950	has been revoked, a new exported CDI can be created by calling `DeriveContext` with the `export-cdi` and `create-certificate` flags.
2561	2951
	2952	+### EXTERNAL_MAILBOX_CMD
	2953	+
	2954	+Command Code: `0x4558_544D` ("EXTM")
	2955	+
	2956	+Note: This command is only available in subsystem mode in 2.1+.
	2957	+
	2958	+Executes a mailbox command located at an AXI address.
	2959	+This allows for executing mailbox commands that are larger than the mailbox allows.
	2960	+
	2961	+This is currently mostly useful for FIRMWARE_LOAD (as part of an update) or SET_AUTH_MANIFEST.
	2962	+
	2963	+The response is still written to the mailbox.
	2964	+
	2965	+The checksum is over the EXTM command, not the command that is loaded over AXI.
	2966	+That external command will still need its own checksum, if applicable.
	2967	+
	2968	+Table: `EXTERNAL_MAILBOX_CMD` input arguments
	2969	+
	2970	+\| Name \| Type \| Description \|
	2971	+\| -------- \| -------- \| --------------- \|
	2972	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
	2973	+\| command_id \| u32 \| Command ID for the mailbox command to be executed. Little endian. \|
	2974	+\| command_size \| u32 \| Size of the mailbox command to be executed. Little endian. \|
	2975	+\| axi_address_low \| u32 \| Lower 32 bits of the AXI address that contains the mailbox command. Little endian. \|
	2976	+\| axi_address_high \| u32 \| High 32 bits of the AXI address that contains the mailbox command. Little endian. \|
	2977	+
	2978	+
	2979	+The response will be the response of the executed external command.
	2980	+
2562	2981	### REALLOCATE\_DPE\_CONTEXT\_LIMITS
2563	2982
2564	2983	Command Code: '5243_5458` ("RCTX")
@@ -2567,15 +2986,15 @@
2567	2986
2568	2987	Table: `REALLOCATE_DPE_CONTEXT_LIMITS` input arguments
2569	2988
2570		-\| Name \| Type \| Description
2571		-\| -------- \| -------- \| ---------------
	2989	+\| Name \| Type \| Description \|
	2990	+\| -------- \| -------- \| --------------- \|
2572	2991	\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian. \|
2573	2992	\| pl0_context_limit \| u32 \| Number of contexts to allocate to PL0. PL1 will receive remaining contexts. \|
2574	2993
2575	2994
2576	2995	Table: `REALLOCATE_DPE_CONTEXT_LIMITS` output arguments
2577		-\| Name \| Type \| Description
2578		-\| -------- \| -------- \| ---------------
	2996	+\| Name \| Type \| Description \|
	2997	+\| -------- \| -------- \| --------------- \|
2579	2998	\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian. \|
2580	2999	\| fips_status \| u32 \| Indicates if the command is FIPS approved or an error. \|
2581	3000	\| new_pl0_context_limit \| u32 \| Number of contexts assigned to PL0 after the reallocation \|
@@ -2586,6 +3005,97 @@
2586	3005
2587	3006	Note: 2 PL0 contexts are used by Caliptra itself during initialization.
2588	3007
	3008	+### FE\_PROG
	3009	+
	3010	+Programs Field Entropy (FE) into one of 4 FE partitions in the OTP fuse controller. This command
	3011	+is typically used during device provisioning flows.
	3012	+
	3013	+Note: This command is only available when the device is in the Production lifecycle state.
	3014	+
	3015	+Command Code: `0x4645_5052` ("FEPR")
	3016	+
	3017	+Table: `FE_PROG` input arguments
	3018	+
	3019	+\| Name \| Type \| Description
	3020	+\| -------- \| -------- \| ---------------
	3021	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian.
	3022	+\| partition \| u32 \| FE partition number (valid values: 0–3).
	3023	+
	3024	+`FE_PROG` returns no output arguments other than the mailbox response header.
	3025	+
	3026	+### PRODUCTION\_AUTH\_DEBUG\_UNLOCK\_REQ
	3027	+
	3028	+Initiates the production debug unlock flow by generating a cryptographic challenge. The caller
	3029	+must solve the challenge by signing it with the appropriate ECC and MLDSA keys and returning
	3030	+the result via the [`PRODUCTION_AUTH_DEBUG_UNLOCK_TOKEN`](#production_auth_debug_unlock_token)
	3031	+command.
	3032	+
	3033	+This command performs the same function as the ROM's `AUTH_DEBUG_UNLOCK_REQ` command
	3034	+(documented in the [ROM README](../rom/dev/README.md#debug-unlock)), but is available at
	3035	+runtime.
	3036	+
	3037	+Note: This command requires the device to be in the Production lifecycle state and the
	3038	+`PROD_DEBUG_UNLOCK_REQ` bit in the `SS_DBG_MANUF_SERVICE_REG_REQ` register to be set.
	3039	+
	3040	+Command Code: `0x5044_5552` ("PDUR")
	3041	+
	3042	+Table: `PRODUCTION_AUTH_DEBUG_UNLOCK_REQ` input arguments
	3043	+
	3044	+\| Name \| Type \| Description
	3045	+\| -------- \| -------- \| ---------------
	3046	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian.
	3047	+\| length \| u32 \| Length of the payload in DWORDs.
	3048	+\| unlock\_level \| u8 \| Debug unlock level (1–8).
	3049	+\| reserved \| u8[3] \| Reserved.
	3050	+
	3051	+Table: `PRODUCTION_AUTH_DEBUG_UNLOCK_REQ` output arguments
	3052	+
	3053	+\| Name \| Type \| Description
	3054	+\| -------- \| -------- \| ---------------
	3055	+\| chksum \| u32 \| Checksum over other output arguments, computed by Caliptra. Little endian.
	3056	+\| fips\_status \| u32 \| Indicates if the command is FIPS approved or an error.
	3057	+\| length \| u32 \| Length of the response payload in DWORDs.
	3058	+\| unique\_device\_identifier \| u8[32] \| Device identifier of the Caliptra device.
	3059	+\| challenge \| u8[48] \| Random challenge number generated by Caliptra.
	3060	+
	3061	+### PRODUCTION\_AUTH\_DEBUG\_UNLOCK\_TOKEN
	3062	+
	3063	+Completes the production debug unlock handshake by validating the caller's solution to the
	3064	+challenge generated by
	3065	+[`PRODUCTION_AUTH_DEBUG_UNLOCK_REQ`](#production_auth_debug_unlock_req). The caller must
	3066	+provide the device identifier and challenge from the previous request along with ECC-384 and
	3067	+ML-DSA-87 signatures proving possession of the authorized debug unlock key.
	3068	+
	3069	+Upon successful validation, Caliptra authorizes the debug unlock by setting the unlock level
	3070	+in the `SS_SOC_DBG_UNLOCK_LEVEL` register.
	3071	+
	3072	+This command performs the same function as the ROM's `AUTH_DEBUG_UNLOCK_TOKEN` command
	3073	+(documented in the [ROM README](../rom/dev/README.md#debug-unlock)), but is available at
	3074	+runtime.
	3075	+
	3076	+Note: This command requires a preceding successful `PRODUCTION_AUTH_DEBUG_UNLOCK_REQ` in
	3077	+the same boot session. The challenge is consumed on use and cannot be replayed.
	3078	+
	3079	+Command Code: `0x5044_5554` ("PDUT")
	3080	+
	3081	+Table: `PRODUCTION_AUTH_DEBUG_UNLOCK_TOKEN` input arguments
	3082	+
	3083	+\| Name \| Type \| Description
	3084	+\| -------- \| -------- \| ---------------
	3085	+\| chksum \| u32 \| Checksum over other input arguments, computed by the caller. Little endian.
	3086	+\| length \| u32 \| Length of the payload in DWORDs.
	3087	+\| unique\_device\_identifier \| u8[32] \| Device identifier (must match value from challenge response).
	3088	+\| unlock\_level \| u8 \| Debug unlock level (1–8, must match the original request).
	3089	+\| reserved \| u8[3] \| Reserved.
	3090	+\| challenge \| u8[48] \| Challenge (must match value from challenge response).
	3091	+\| ecc\_public\_key \| u8[96] \| ECC P-384 public key.
	3092	+\| mldsa\_public\_key \| u8[2592] \| ML-DSA-87 public key.
	3093	+\| ecc\_signature \| u8[96] \| ECC P-384 signature of the message hashed using SHA2-384. R (48 bytes) \| S (48 bytes).
	3094	+\| mldsa\_signature \| u8[4628] \| ML-DSA-87 signature of the message hashed using SHA2-512 (4627 bytes + 1 reserved byte).
	3095	+
	3096	+`PRODUCTION_AUTH_DEBUG_UNLOCK_TOKEN` returns no output arguments other than the mailbox
	3097	+response header.
	3098	+
2589	3099	## Checksum
2590	3100
2591	3101	For every command except for FIRMWARE_LOAD, the request and response feature a checksum. This
@@ -2652,10 +3162,10 @@
2652	3162
2653	3163	1. Validate DPE state in SRAM
2654	3164	1. Ensure the TCI tree is well-formed
2655		- 1. Ensure all nodes chain to the root (TYPE = RTJM, “Internal TCI” flag is set)
	3165	+ 1. Ensure all nodes chain to the root (TYPE = RTMR, “Internal TCI” flag is set)
2656	3166	1. Verify that the “Latest TCI” field of the TCI Node that contains the
2657		- Runtime Journey PCR (TYPE = RTJM, “Internal TCI” flag is set) matches the
2658		- “Latest” Runtime PCR value from PCRX
	3167	+ Runtime PCRs (TYPE = RTMR, “Internal TCI” flag is set) matches the
	3168	+ “Latest” and Journey Runtime PCR values.
2659	3169	1. Ensure `SHA384_HASH(0x00..00, TCI from SRAM) == RT_FW_JOURNEY_PCR`
2660	3170	1. Check that retired and inactive contexts do not have tags
2661	3171	1. If any validations fail, Runtime Firmware executes the
@@ -2704,7 +3214,7 @@
2704	3214
2705	3215	At boot Caliptra Runtime FW consumes part of the PL0 active contexts (initially 16) to DeriveContext for:
2706	3216	- RTFW Journey (RTFJ) Measurement (1)
2707		- - Mailbox Valid Pauser digest (MBVP) (1)
	3217	+ - Caliptra Configured Initialization Values digest (CCIV) (1)
2708	3218	- ROM Stashed Measurements (max 8)
2709	3219
2710	3220	Further, it is not allowed for PL1 to call DeriveContext with the intent to change locality to PL0's locality; this would increase the number
@@ -2758,14 +3268,21 @@
2758	3268
2759	3269	* Runtime Firmware SHALL initialize the default context in “internal-cdi” mode.
2760	3270	* Perform the following initial measurements:
2761		- * Call DeriveContext with Caliptra Journey PCR
	3271	+ * Call DeriveContext with Caliptra RT PCRs
2762	3272	* INPUT\_DATA = PCRX (RT journey PCR as defined in the FHT)
2763		- * TYPE = “RTJM”
	3273	+ * TYPE = “RTMR”
2764	3274	* CONTEXT\_HANDLE = default context
2765	3275	* TARGET\_LOCALITY = Caliptra locality (0xFFFFFFFF)
2766		- * Call DeriveContext with mailbox valid PAUSERS
2767		- * INPUT\_DATA = Hash of [CPTRA\_VALID\_PAUSER register](https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.soc_ifc_reg.CPTRA_MBOX_VALID_PAUSER%5B0%5D).
2768		- * TYPE = “MBVP”
	3276	+ * Call DeriveContext with hash of initialization values below
	3277	+ * INPUT\_DATA = Hash of:
	3278	+ * [CPTRA\_VALID\_PAUSER register](https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.soc_ifc_reg.CPTRA_MBOX_VALID_PAUSER%5B0%5D)
	3279	+ * PL0 PAUSER locality
	3280	+ * Flags from FW image manifest header
	3281	+ * FMC load address
	3282	+ * FMC entry point
	3283	+ * Runtime load address
	3284	+ * Runtime entry point
	3285	+ * TYPE = "CCIV"
2769	3286	* CONTEXT\_HANDLE = default context
2770	3287	* TARGET\_LOCALITY = PL0 PAUSER
2771	3288	* Call DeriveContext for each STASH\_MEASUREMENT call made during Caliptra ROM execution

Changes to Runtime Specification