| Jamie Fox | d0adc74 | 2023-03-28 17:05:28 +0100 | [diff] [blame] | 1 | ########################### |
| 2 | DICE Protection Environment |
| 3 | ########################### |
| 4 | |
| 5 | The DICE Protection Environment (DPE) service makes it possible to execute DICE |
| 6 | commands within an isolated execution environment. It provides clients with an |
| 7 | interface to send DICE commands, encoded as CBOR objects, that act on opaque |
| 8 | context handles. The DPE service performs DICE derivations and certification on |
| 9 | its internal contexts, without exposing the DICE secrets (private keys and CDIs) |
| 10 | outside of the isolated execution environment. |
| 11 | |
| 12 | For a full description of DPE, see the |
| 13 | `DPE Specification <https://trustedcomputinggroup.org/wp-content/uploads/TCG-DICE-Protection-Environment-Specification_14february2023-1.pdf>`_. |
| 14 | |
| 15 | DPE consists of both a runtime service and boot time integration. The DPE |
| 16 | service is currently a work in progress. |
| 17 | |
| 18 | ********* |
| 19 | Boot time |
| 20 | ********* |
| 21 | |
| 22 | A platform integrating DPE must perform the following boot-time functions: |
| 23 | |
| 24 | - Derive a RoT CDI from the UDS (HUK) provisioned in OTP, lifecycle state and |
| 25 | measurement of the first firmware stage after ROM (BL1_2), and store it via a |
| 26 | platform-specific mechanism to be retrieved at runtime. |
| 27 | |
| 28 | - Store boot measurements and metadata for all images loaded by the bootloaders |
| 29 | in the TF-M shared boot data area. |
| 30 | |
| 31 | ******************* |
| 32 | Runtime DPE service |
| 33 | ******************* |
| 34 | |
| 35 | The runtime DPE service provides the following functionality. |
| 36 | |
| 37 | Initialization |
| 38 | ============== |
| 39 | |
| 40 | At initialization, DPE completes the following tasks: |
| 41 | |
| 42 | - Retrieves and processes offline measurements and metadata from the TF-M shared |
| 43 | boot data area. |
| 44 | |
| 45 | - Retrieves the RoT CDI generated at boot time by calling the |
| 46 | ``dpe_plat_get_rot_cdi()`` platform function. |
| 47 | |
| 48 | - Derives DICE contexts for the RoT layer and platform layer, using the values |
| 49 | processed from boot data and the RoT CDI. |
| 50 | |
| 51 | - Shares the initial context handle, corresponding to the newly-created child |
| 52 | context, with the first client (AP BL1), via a platform-specific mechanism. |
| 53 | |
| 54 | Context management |
| 55 | ================== |
| 56 | |
| 57 | The internal DICE contexts are referred to by clients of the DPE service using |
| 58 | opaque context handles. Each DPE command generates a new context handle that is |
| 59 | returned to the client to refer to the new internal state. Each context handle |
| 60 | can only be used once, so clients must use the "retain context" parameter of the |
| 61 | DPE commands if they wish to obtain a fresh handle to the same context. |
| 62 | |
| 63 | The context handles are 32-bit integers, where the lower 16-bits is the index of |
| 64 | the context within the service and the upper 16-bits is a random nonce. |
| 65 | |
| 66 | The internal contexts are associated with the 32-bit ID of the owner of the |
| 67 | context. The DPE service only permits the owner to access the context through |
| 68 | its context handle. In the TF-M integration, the ID is bound to the PSA Client |
| 69 | ID of the sender of the DPE message. |
| 70 | |
| 71 | Client APIs |
| 72 | =========== |
| 73 | |
| 74 | The DPE partition in TF-M wraps the DPE commands into PSA messages. The request |
| 75 | manager abstracts PSA message handling, and the remainder of the service avoids |
| 76 | coupling to TF-M partition specifics. |
| 77 | |
| 78 | The DPE commands themselves are CBOR-encoded objects that the DPE decode layer |
| 79 | decodes into calls to one of the following supported DICE functions. |
| 80 | |
| 81 | DeriveChild |
| 82 | ----------- |
| 83 | |
| 84 | Adds a component context to the layer, consisting of: |
| 85 | |
| 86 | - Context handle |
| 87 | - Parent context handle |
| 88 | - Linked layer |
| 89 | - Is leaf |
| 90 | - Client ID |
| 91 | - DICE input values |
| 92 | |
| 93 | - Code hash |
| 94 | - Config value |
| 95 | - Authority hash |
| 96 | - Operating mode |
| 97 | |
| 98 | When a layer is finalized (create_certificate=true), it: |
| 99 | |
| 100 | - Computes the Attestation CDI and Sealing CDI. |
| 101 | |
| 102 | - Derives an attestation keypair from the Attestation CDI. |
| 103 | |
| 104 | - Creates the corresponding certificate and signs it with the previous layer's |
| 105 | attestation private key. |
| 106 | |
| 107 | - Stores the finalized certificate in DPE partition SRAM. |
| 108 | |
| 109 | Certificates are created in the CBOR Web Token (CWT) format, using the QCBOR |
| 110 | and t_cose libraries. CWT is specified in |
| 111 | `RFC 8392 <https://www.rfc-editor.org/rfc/rfc8392.html>`_, |
| 112 | with customization from |
| 113 | `Open DICE <https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/specification.md#CBOR-UDS-Certificates>`_. |
| 114 | |
| 115 | CertifyKey |
| 116 | ---------- |
| 117 | |
| 118 | Generates a leaf certificate and returns the full certificate chain leading to |
| 119 | it. If a public key is supplied, then it certifies the key. |
| 120 | |
| 121 | - Adds label (if supplied) to list of measurements. |
| 122 | |
| 123 | - Finalizes the layer (as for DeriveChild above). |
| 124 | |
| 125 | - Returns the certificate chain (collection of individual certificates) as a |
| 126 | CBOR array with format [+COSE_Sign1, COSE_Key]. The (pre-provisioned) root |
| 127 | attestation public key is the first element in the CBOR array. |
| 128 | |
| 129 | Seal |
| 130 | ---- |
| 131 | |
| 132 | Encrypts and authenticates data using two keys derived from the Sealing CDI, |
| 133 | identifiers of the software components in the chain and a supplied label. |
| 134 | |
| 135 | - Not currently implemented. |
| 136 | |
| 137 | Unseal |
| 138 | ------ |
| 139 | |
| 140 | Inverse of Seal. |
| 141 | |
| 142 | - Not currently implemented. |
| 143 | |
| 144 | -------------- |
| 145 | |
| 146 | *Copyright (c) 2023, Arm Limited. All rights reserved.* |