Refactor top-level document structure
In preparation for extending documentation on PSA certified and
secure processing environments, the top-level structure has been
cleaned up and simplified. PNGs from tf-m for docs home have
been reused for consistency.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: Id2b7d9b46dd90f419d00c417a06003e32862ead0
diff --git a/docs/developer/deployments/index.rst b/docs/developer/deployments/index.rst
deleted file mode 100644
index 40a6949..0000000
--- a/docs/developer/deployments/index.rst
+++ /dev/null
@@ -1,31 +0,0 @@
-Deployments
-===========
-In the context of the Trusted Services project, a deployment represents a build of an
-assembly of components that is intended to run within a specific environment. Some
-deployments may be built for different platforms using platform specific components
-if needed. The concept of a deployment is general purpose and can be applied to building
-a wide range of targets such as secure partition images, user-space tools, shared libraries
-and test executables.
-
-Supported deployments are described on the following pages:
-
-.. toctree::
- :maxdepth: 1
-
- secure-partitions
- test-executables
- libraries
- tools-demo-apps
-
-Related deployments:
-
- - :ref:`Project Structure`
- - :ref:`Portability Model`
- - :ref:`Build Instructions`
- - :ref:`Running Tests`
-
---------------
-
-*Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
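Review bot: the Deployments overview is deleted outright rather than moved, so the page and its :ref: links to Project Structure, Portability Model, Build Instructions and Running Tests disappear with no replacement visible in this change. If the content is being relocated under the new top-level structure, prefer a rename (git mv, shown with diff -M) so history survives, or land the deletion in the same change as the page that replaces it; otherwise readers following the old toctree entry get nothing.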
diff --git a/docs/developer/deployments/libraries.rst b/docs/developer/deployments/libraries.rst
deleted file mode 100644
index 2e60d86..0000000
--- a/docs/developer/deployments/libraries.rst
+++ /dev/null
@@ -1,51 +0,0 @@
-Libraries
-=========
-Some deployments build common functionality into libraries that may be used by
-other deployments or external applications. The following library deployments
-are currently supported:
-
-libts
------
-Userspace applications that depend on trusted services may use *libts* for handling
-service discovery and RPC messaging. A major benefit to application developers is
-that *libts* entirely decouples client applications from details of where a service
-provider is deployed and how to communicate with it. All TS test executables and
-tools that interact with service providers use *libts*.
-
-To facilitate test and development within a native PC environment, the *libts*
-deployment for the *linux-pc* environment integrates a set of service providers
-into the library itself. From a client application's perspective, this looks
-exactly the same as when running on a target platform with service providers
-deployed in secure processing environments. For more information, see:
-:ref:`Service Locator`.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc* - service providers integrated into library
- * | *arm-linux* - communicates with service providers in secure processing environment
- * - Used by
- - * Userspace applications
-
-libsp
------
-*libsp* provides a functional interface for using FF-A messaging and memory
-management facilities. *libsp* is used in SP deployments. For more information, see:
-:ref:`libsp`.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *opteesp*
- * - Used by
- - * Secure partitions
-
---------------
-
-*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
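Review bot: with libraries.rst gone, any remaining :ref:`libts` or :ref:`Service Locator` style references elsewhere under docs/ become undefined labels if the build relies on autosectionlabel, and this was the only page stating that the *linux-pc* build of *libts* embeds the service providers in-process, so tests run that way never cross the secure-world boundary. Please run sphinx-build with -W before merging and carry that caveat into whichever page replaces this one.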
diff --git a/docs/developer/deployments/secure-partitions.rst b/docs/developer/deployments/secure-partitions.rst
deleted file mode 100644
index 8e6ba24..0000000
--- a/docs/developer/deployments/secure-partitions.rst
+++ /dev/null
@@ -1,133 +0,0 @@
-Secure Partitions
-=================
-Secure partition (SP) deployments are concerned with building SP images that can
-be loaded and run under a secure partition manager such as Hafnium or OP-TEE.
-SP images will usually include service provider components that expose a
-service interface that may be reached using FF-A messages. A set of SP images
-will be loaded and verified by device firmware to provide the required services.
-
-The following SP deployments are currently supported:
-
-crypto
-------
-An instance of the crypto service provider is built into an SP image to
-perform cryptographic operations on behalf of clients running in different
-partitions. Backend crypto operations are implemented by the crypto library
-component of MbedTLS. This deployment provides the cryptographic facilities
-needed for PSA certification. For more information, see:
-:ref:`Crypto Service Description`.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
- * - External Dependencies
- - * | TRNG (platform specific)
- * | Secure storage SP
-
-attestation
------------
-An instance of the attestation service provider is built into an SP image
-to support remote attestation use-cases. The service provider obtains a
-trusted view of the boot state of device firmware from the TPM event log
-collected by the boot loader. This deployment provides the initial attestation
-facility needed for PSA certification. For more information, see:
-:ref:`Attestation Service Description`.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
- * - External Dependencies
- - * | TPM Event Log (via SP boot parameter)
- * | Crypto SP
-
-internal-trusted-storage & protected-storage
---------------------------------------------
-Two secure storage SP deployments are provided to allow different classes
-of storage to coexist on a device. Both deployments build an instance of
-the secure storage service provider with a storage backend. To allow
-different security trade-offs to be made and to support different hardware,
-a system integrator may configure which storage backend to use. Secure storage
-is a requirement for PSA certification. For more information, see:
-:ref:`Secure Storage Service Description`.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
- * - External Dependencies
- - * Depends on configured storage backend
-
-se-proxy
---------
-The se-proxy SP provides access to services hosted by a secure enclave (hence
-'se'). A secure enclave consists of a separate MCU, connected to the host via
-a secure communications channel. To protect access to the communication channel,
-the se-proxy SP is assigned exclusive access to the communication peripheral via
-device or memory regions defined in the SP manifest. The deployment integrates
-multiple service providers into the SP image. After performing access control,
-service requests are forwarded to the secure enclave.
-
-The se-proxy deployment includes proxies for the following services:
-
- - Crypto
- - Attestation
- - Internal Trusted Storage
- - Protected Storage
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
- * - External Dependencies
- - * SE communication peripheral (platform specific)
-
-smm-gateway
------------
-An instance of the smm-variable service provider is built into the smm-gateway SP
-image to provide secure world backing for UEFI SMM services. The smm-gateway SP
-provides a lightweight alternative to StMM. For more information, see:
-:ref:`UEFI SMM Services`.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
- * - External Dependencies
- - * | Secure storage service instance (e.g. hosted by protected-storage SP)
- * | Crypto service instance (e.g. hosted crypto SP)
-
-env-test
---------
-An instance of the test runner service provider is built into an SP image to
-allow test cases to be run from within the SP isolated environment. The SP
-image also includes environment and platform specific test cases to allow
-access to FF-A services and platform hardware to be tested. The test runner
-service provider is intended to be used in conjunction with a client that
-coordinates which tests to run and collects test results.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
- * - External Dependencies
- - * Any hardware accessed by test cases (platform specific)
-
---------------
-
-*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
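Review bot: the inter-SP trust dependencies are recorded only here (crypto needs a platform TRNG plus a secure storage SP; attestation needs the TPM event log passed as an SP boot parameter plus the crypto SP; se-proxy is granted exclusive access to the SE communication peripheral through device or memory regions in its SP manifest), and nothing in this change re-homes those tables. A system integrator writing manifests loses that reference, so either keep this file until the replacement section on secure processing environments lands or move it in the same commit.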
diff --git a/docs/developer/deployments/test-executables.rst b/docs/developer/deployments/test-executables.rst
deleted file mode 100644
index db569f3..0000000
--- a/docs/developer/deployments/test-executables.rst
+++ /dev/null
@@ -1,113 +0,0 @@
-Test Executables
-================
-The Trusted Services project maintains a number of deployments concerned with
-test. Although there may be some coverage overlap between different deployments,
-in general, the built test executables corresponding to different deployments
-serve different purposes. Most test executables may be run either on target
-hardware or a development PC as a native application. For more information, see:
-:ref:`Running Tests`.
-
-The following test deployments are currently supported:
-
-component-test
---------------
-The component-test deployment combines a large set of tests and components into
-a monolithic image that may be run as a userspace application. The CppUtest test
-framework is used for running tests and capturing results. The component-test
-executable may be built and run very quickly to obtain a first pass check for
-build failures or regressions.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc*
- * | *arm-linux*
- * - Used for
- - * | Build testing
- * | Development support and debug
- * | Regression testing
-
-ts-service-test
----------------
-The ts-service-test deployment combines test suites that exercise service providers
-via their standard service interfaces where test cases perform the role of service client.
-Service discovery and RPC messaging is handled by the *libts* shared library. On real targets,
-the *libts* library uses a dynamic discovery mechanism to locate and communicate with real
-service deployments. For native PC builds, service providers are embedded into the *libts*
-library itself, allowing service level testing within a native PC environment.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc* - tests against service providers integrated into *libts*
- * | *arm-linux* - tests against real service deployments
- * - Used for
- - * | End-to-end service testing
- * | Security testing
- * | Development support and debug
- * | Regression testing
-
-uefi-test
----------
-The uefi-test deployment includes service level tests for UEFI SMM services.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc* - tests against service providers integrated into *libts*
- * | *arm-linux* - tests against real service deployments using MM_COMMUNICATE
- * - Used for
- - * | UEFI service level testing
- * | Regression testing
-
-psa-api-test
-------------
-Used for PSA API conformance testing using test suites from: `PSA Arch Test project`_.
-Tests are integrated with service clients to enable end-to-end testing against deployed
-service providers. Separate executables are built for each API under test. As with
-ts-service-test and uefi-test, service discovery and messaging is handled by *libts*,
-allowing API tests to be run on real targets or within a native PC environment.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc* - tests against service providers integrated into *libts*
- * | *arm-linux* - tests against real service deployments
- * - Used for
- - * | PSA API conformance testing
- * | Regression testing
-
-ts-remote-test
---------------
-The ts-remote-test deployment builds a userspace application that allows a remote
-test runner to be discovered and controlled. It implements a subset of the the
-CppUtest command line interface but instead of running tests directly, it
-communicates with the remote test runner to run tests and collect results. Can
-be used, for example, to control the running of tests included in the env-test
-deployment.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc* - tests against test runner service provider integrated into *libts*
- * | *arm-linux* - tests against real test runner deployment e.g. env-test
- * - Used for
- - * | Running environment tests
-
---------------
-
-.. _`PSA Arch Test project`: https://github.com/ARM-software/psa-arch-tests.git
-
-*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
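Review bot: the `PSA Arch Test project` hyperlink target and the description of which deployment covers security testing (ts-service-test) and PSA API conformance (psa-api-test) are removed without a visible replacement, while running-tests stays in the toctree and presumably still points readers here. If this text is being moved, fix the doubled "the the" in the ts-remote-test paragraph on the way.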
diff --git a/docs/developer/deployments/tools-demo-apps.rst b/docs/developer/deployments/tools-demo-apps.rst
deleted file mode 100644
index f3c3adf..0000000
--- a/docs/developer/deployments/tools-demo-apps.rst
+++ /dev/null
@@ -1,41 +0,0 @@
-Tools & Demo Applications
-=========================
-The following deployments are concerned with building tools and demo applications.
-
-platform-inspect
-----------------
-The *platform-inspect* tool may be run from a Linux terminal to inspect and
-report information about platform firmware. Functionality is currently limited
-to retrieving a firmware attestation report and printing its contents.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc*
- * | *arm-linux*
- * - Used for
- - * | Obtaining information about platform firmware
-
-ts-demo
--------
-*ts-demo* is a simple application that uses the Crypto service to perform some
-typical sign, verify and encrypt operations. It is intended to be used as an
-example of how trusted services can be used by userspace applications.
-
-.. list-table::
- :widths: 1 2
- :header-rows: 0
-
- * - Supported Environments
- - * | *linux-pc*
- * | *arm-linux*
- * - Used for
- - * | Provides an example for how to use trusted services
-
---------------
-
-*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
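Review bot: *platform-inspect* is the tool the attestation description (also deleted in this change) uses to show a decoded report, and *ts-demo* is the only worked example of calling the Crypto service from userspace; with this page removed there is no remaining pointer to either deployment. Consider keeping a short stub or adding the replacement pages in this change.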
diff --git a/docs/developer/index.rst b/docs/developer/index.rst
index 5fe886f..1fdccae 100644
--- a/docs/developer/index.rst
+++ b/docs/developer/index.rst
@@ -1,5 +1,5 @@
-Developer Docs
-==============
+Developer Documents
+===================
.. toctree::
:maxdepth: 1
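Review bot: renaming the title from "Developer Docs" to "Developer Documents" changes the auto-generated section label if autosectionlabel is in use, so grep the tree for :ref:`Developer Docs` and update any hit. The new underline matches the length of the new title, so the rST itself is fine.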
@@ -10,8 +10,6 @@
portability-model
service-access-protocols
service-locator
- deployments/index
- service-descriptions/index
software-requirements
build-instructions
running-tests
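Review bot: dropping `deployments/index` and `service-descriptions/index` from the toctree is consistent with the deleted files, but the visible diff only removes deployments/*.rst plus attest- and crypto-service-description.rst; if service-descriptions/index.rst or the secure storage and UEFI SMM descriptions referenced from the deleted text remain on disk, Sphinx will warn that they are not included in any toctree. Please confirm the directory is fully removed or re-homed.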
diff --git a/docs/developer/service-descriptions/attest-service-description.rst b/docs/developer/service-descriptions/attest-service-description.rst
deleted file mode 100644
index 2843ede..0000000
--- a/docs/developer/service-descriptions/attest-service-description.rst
+++ /dev/null
@@ -1,269 +0,0 @@
-Attestation Service Description
-===============================
-Service Overview
-----------------
-The Attestation service is responsible for reporting on the security state of a device.
-Because information is signed, a remote party may verify that the information is intact
-and authentic. The Attestation service can be used as part of an infrastructure for
-remote security monitoring. The Attestation service provider performs the following
-functions:
-
- 1. Collates information about device hardware and firmware. This information must be obtained in a secure way to provide a suitably trustworthy snapshot of a device's security state.
- 2. Prepares and signs a report that includes the information as a set of claims about the device.
-
-Like other trusted services, the Attestation service provider runs within a secure
-processing environment such as a secure partition or secondary MCU. Service operations
-are invoked by clients using a service access protocol that defines the serialization of
-requests and responses carried by the underlying RPC layer. Client-side adapters are
-available that support service access using the following C APIs:
-
- - **PSA Initial Attestation API** - used during normal device operation to obtain a fresh attestation token.
- - **Attestation Provisioning API** - used during manufacture for key provisioning operations.
-
-Project Directories
--------------------
-Components within the Trusted Services project related to the Attestation service are
-located under the following directories:
-
-.. list-table::
- :header-rows: 1
-
- * - Directory
- - Contains
- * - components/service/attestation
- - Service specific code and API header files.
- * - protocols/service/attestation
- - Service access protocol definitions.
- * - deployments/attestation
- - Build files and deployment specific code for building the attestation service provider to run in different environments.
- * - deployments/platform-inspect
- - A user-space application that retrieves information about platform firmware and hardware and produces a pretty printed output.
-
-Attestation report
-------------------
-A fresh attestation report may be requested at any time to obtain the current view
-of a device's security state. The report is encoded as a CBOR token, signed using
-the CBOR Object Signing and Encryption protocol (COSE). For more information about
-the report contents and encoding, see:
-https://www.psacertified.org/blog/what-is-an-entity-attestation-token/. The following
-text shows the typical content of an attestation report. This report was retrieved
-and decoded using the *platform-inspect* command line application::
-
- attestation_report:
- challenge: 32 2d 69 64 ba df b2 f3 28 e8 27 88 50 68 c2 94 7c 4d a9 71 ce 14 e9 f4 88 26 45 9d 2c f5 3c 1b
- client_id: 0
- boot_seed: 6c eb 03 90 46 e2 09 27 f2 1c 7c a2 2c 1a a6 a2 bd 41 5e 3c aa be 4a b1 fd 35 52 95 b9 74 32 42
- security_lifecycle: 3000
- instance_id: 01 cb e9 65 fc 88 90 69 36 4b b1 0c ef 04 ae 97 aa d7 7c f9 74 41 4d f5 41 0c d3 9d e3 df 97 de c5
- sw_components:
- type: BL_2
- digest: a8 4f b4 7b 54 d9 4b ab 49 73 63 f7 9b fc 66 cb 85 12 ab 18 6f 24 74 01 5d cf 33 f3 80 9e 9b 20
-
- type: BL_31
- digest: 2f d3 43 6c 6f ef 9b 11 c2 16 dd 1f 8b df 9b a5 24 14 a5 c1 97 0c 3a 6c 78 bf ef 64 0f c1 23 e1
-
- type: HW_CONFIG
- digest: f3 de 4e 17 a1 a5 a7 fe d9 d9 f4 16 3c 49 36 7e ae f7 2f 2a a8 87 e6 b6 22 89 cd 27 dc 1c 80 25
-
- type: SOC_FW_CONFIG
- digest: 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
-
- type: BL_32
- digest: 62 22 4f 0f b0 5d b4 77 1b 3f a5 2e ab 76 1e 61 17 b8 c6 6e ac 8c c8 4d 2e b0 7d 70 08 60 4b 41
-
- type: BL32_EXTRA1_IMAGE
- digest: 39 d2 b8 5d 93 5d f6 d8 f8 ed 0c 1a 3a e3 c8 90 72 19 f4 88 5c 79 15 05 7b f0 76 db c1 4c 5d 77
-
- type: BL_33
- digest: b5 d6 08 61 dd fa 6d da a3 f7 a5 de d6 8f 6f 39 25 b1 57 fa 3e db 46 42 58 24 8e 81 1c 45 5d 38
-
- type: NT_FW_CONFIG
- digest: 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6 fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
-
-Design Description
-------------------
-Components related to the Attestation service are partitioned as follows:
-
-.. uml:: uml/AttestPartitioning.puml
-
-The partitioning into components reflects the following problem areas:
-
-.. list-table::
- :header-rows: 1
-
- * - Component
- - Problem Area
- * - claims
- - Collecting diverse information about a device and presenting it in a uniform way. Provides an extensible framework that allows new sources of information to be added while avoiding coupling to other components.
- * - client
- - Client side adapters for calling service operations.
- * - key_mngr
- - Manages provisioning related operations and access to the key (IAK) used for report signing.
- * - reporter
- - Combines the set of claims that forms the content of an attestation report, encoding it and signing using the IAK.
- * - provider
- - The service provider that handles incoming requests.
- * - protocol
- - The service access protocol definition that describes supported operations and the serialization of input and output parameters.
-
-Claims Model
-''''''''''''
-The set of available claims about a device and the method for obtaining them is likely to
-vary between different platforms. The following are examples of likely variations:
-
- - The method for collecting boot measurements will depend on the boot loader and on SoC architecture. Some likely variations are:
-
- - Passed forward using a TPM event log or via a proprietary format.
- - Boot measurements are stored in TPM PCR type registers that need to be read to obtain claims about loaded components.
- - The set of information passed forward by the boot loader may vary between platforms. Information such as the boot seed or device lifecycle state may be owned by the boot loader on some platforms but not on others.
- - Platform vendors may wish to include custom claims within the attestation report that reflect vendor specific views of security state.
-
-To accommodate these variations, a flexible claims model is implemented with the following
-characteristics:
-
- - Any claim is represented by a common structure with members to identify:
-
- - The category of claim - e.g. this is a claim about device hardware, firmware, the verification service.
- - The subject of the claim - a claim specific identifier
- - A variant id to identify the data type for a claim - e.g. integer, byte string, text string or a collection.
- - Arbitrarily complex claim structures may be presented in a normalized way using combinations of claim variants.
- - Claims are collected by a set of 'claim sources'. Each concrete claim source implements the platform specific method for collecting information and representing it in standard way. The set of claim sources used may vary for different deployments.
- - Claim sources are registered with the claims_register. This is a singleton that provides methods for querying for different sets of claims e.g. all device claims or all firmware measurements. By collating claims by category, tight coupling between the reporter and the set of available claims is avoided.
-
-The following class diagram illustrates the implemented claims model:
-
-.. uml:: uml/AttestClaimsModel.puml
-
-Claim Sources
-"""""""""""""
-It is envisaged that the number of concrete claim sources will grow to cope with differences
-between platforms and the need to include custom claims in attestation reports. The following
-table lists some existing claim sources:
-
-.. list-table::
- :header-rows: 1
-
- * - Claim Source
- - Description
- * - event_log
- - A claim source that sources a claim_collection variant. An iterator may be created that allows claims within a TCG event log to be iterated over and accessed.
- * - boot_seed_generator
- - Where a boot seed is not available from another source, a boot_seed_generator may be used in a deployment. On the first call to get_claim(), a random boot seed is generated and returned as a byte_string claim variant. On subsequent calls, the same boot seed value is return.
- * - instance_id
- - A claim source that returns a device instance ID, derived from the IAK public key.
- * - null_lifecycle
- - Used when there is no hardware backed support for the device lifecycle state variable. This claim source just returns a lifecycle state of 'unknown'.
-
-Reporter
-""""""""
-The contents of the attestation report created by the reporter is determined by the set of
-claim sources registered with the claims_register. To generate a PSA compliant attestation
-report, the reporter queries for the following categories of claim:
-
- - Device
- - Verification service
- - Boot measurements
-
-Having collated all claims, the report is serialized as a CBOR object using the qcbor
-open source library. The CBOR object is then signed using the *t_cose* library to produce
-the final attestation token.
-
-Provisioning Flows
-------------------
-The Attestation service uses the IAK (an ECDSA key pair) for signing attestation reports.
-An external verification service needs a way of establishing trust in the IAK used by a
-device to sign a report. This trust relationship is formed when a device is provisioned
-during manufacture. During provisioning, the following steps must be performed in a
-secure manufacturing environment:
-
- 1. A unique IAK is generated and stored as a persistent key in the device's secure key store.
- 2. The IAK public key is obtained and stored in a central database of trusted devices. The hash of the IAK public key (the device's instance ID) is used as the database key for accessing the stored key.
-
-To verify the authenticity of an attestation report, an external verifier must query
-the database using the instance ID claim contained within the report. The signature on
-the report is viewed as authentic if the following are true:
-
- - A key record exists for the given instance ID within the database.
- - The signature is verified successfully using the corresponding public key.
-
-The attestation access protocol supports operations to support provisioning. These
-operations may be invoked using simple client C API (see *attest_provision.h*) or by
-using the access protocol directly for non-C clients. The following two alternative
-provisioning flows are supported:
-
-Self-generated IAK
-''''''''''''''''''
-When a device powers up before provisioning has been performed, no IAK will exist in
-the device's key store. As long as no attestation related service operations are
-performed, the device will remain in this state. To trigger the self generation of
-an IAK, factory provisioning software should call the *export_iak_public_key* operation.
-If no IAK exists, one will be generated using the device's TRNG. A benefit of this
-flow is that the IAK private key value is never externally exposed. To support test
-deployments where no persistent storage is used, the self-generated IAK flow may
-optionally generate a volatile key instead of persistent key.:
-
-.. uml:: uml/AttestSelfGeneratedIAKflow.puml
-
-Imported IAK
-''''''''''''
-To support external generation of the IAK, a one-time key import operation is also
-supported. When a device is in the pre-provisioned state where no IAK exists, the
-import_iak may be called by factory provisioning software. Importantly, *import_iak*
-may only be called once. An attempt to call it again will be rejected.:
-
-.. uml:: uml/AttestImportedIAKflow.puml
-
-Testing the Attestation Service
--------------------------------
-The following CppUtest based test suites are available for attestation service testing.
-All component and service level tests may be run on a real target device and as part
-of a native PC built binary.
-
-Component-Level Test Suites
-'''''''''''''''''''''''''''
-Test suites included in deployments of *component-test*:
-
-.. list-table::
- :header-rows: 1
-
- * - Test Suite
- - Coverage
- - File Location
- * - TcgEventLogTests
- - Tests decoding and iterator access to a TCG event log.
- - service/attestation/claims/sources/event_log/test
- * - AttestationReporterTests
- - Checks the contents and signing of a generated attestation report.
- - service/attestation/test/component
-
-Service-Level Test Suites
-'''''''''''''''''''''''''
-Test suites included in deployments of *ts-service-test*. Test cases act as conventional
-service clients:
-
-.. list-table::
- :header-rows: 1
-
- * - Test Suite
- - Coverage
- - File Location
- * - AttestationServiceTests
- - Different attestation token request scenarios
- - service/attestation/test/service
- * - AttestationProvisioningTests
- - Tests provisioning flows and checks defence against misuse of provisioning operations.
- - service/attestation/test/service
-
-Environment Tests
-'''''''''''''''''
-When deployed within a secure partition, the attestation SP relies on access to externally
-provided information such as the TPM event log. Test have been added to the *env_test* SP
-deployment to check that features that the attestation SP relies on are working as expected.
-Tests included in the *env_test* SP deployment may be invoked from Linux user-space using the
-*ts-remote-test/arm-linux* deployment.
-
---------------
-
-*Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
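Review bot: this page carries the security contract of the attestation service (the IAK private key never leaves the device in the self-generated flow; *import_iak* is accepted exactly once and rejected thereafter; a verifier must look up the instance ID in the trusted-device database before trusting a signature) together with the provisioning-misuse test suite that defends it. Deleting it without the replacement in the same change leaves those guarantees undocumented, and the referenced uml/*.puml sources under service-descriptions/ should be removed or moved alongside it to avoid orphaned files.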
diff --git a/docs/developer/service-descriptions/crypto-service-description.rst b/docs/developer/service-descriptions/crypto-service-description.rst
deleted file mode 100644
index 717c73b..0000000
--- a/docs/developer/service-descriptions/crypto-service-description.rst
+++ /dev/null
@@ -1,85 +0,0 @@
-Crypto Service Description
-==========================
-Service Overview
-----------------
-The Crypto service provides a rich set of cryptographic operations with the backing
-of a private key store. Clients identify keys using opaque key handles, enabling
-cryptographic operations to be performed without exposing key values beyond the
-boundary of the service's secure processing environment. This pattern underpins
-the security guarantees offered by the Crypto service.
-
-The set of supported operations is aligned to the PSA Crypto API. C API functions
-are invoked by clients using the Crypto service access protocol. All types and values
-defined by the PSA Crypto C API are projected by the Crypto access protocol. The
-one-to-one mapping between the C API and Crypto access protocol allows developers
-to use PSA Crypto documentation and examples to understand details of the protocol.
-
-Supported operations fall into the following categories:
-
- * Key lifetime management
- * Message signing and signature verification
- * Asymmetric encryption/decryption
- * Random number generation
-
-Service Provider Implementation
--------------------------------
-The default crypto service provider uses the Mbed Crypto library to implement backend
-operations. The following diagram illustrates the component dependencies in the crypto
-service provider implementation (note that there are many more handlers than
-illustrated):
-
-.. uml:: uml/CryptoProviderClassDiagram.puml
-
-The packages illustrated reflect the partitioning of the code into separate directories.
-Functionality is partitioned as follows:
-
-Crypto Provider
-'''''''''''''''
-Implements the set of handlers that map incoming RPC call requests to PSA Crypto API
-function calls. A separate handler function exists for each operation supported by the
-service.
-
-Crypto Serializer
-'''''''''''''''''
-Incoming call request parameters are de-serialized and response parameters serialized
-by a serializer. The trusted services framework allows for the use of alternative
-serializers to support different parameter encoding schemes.
-
-Mbed Crypto
-'''''''''''
-All cryptographic operations are handled by an instance of the Mbed Crypto library.
-The library is built with a specific configuration that creates dependencies on the
-following:
-
- * PSA ITS API for persistent key storage
- * External entropy source
-
-Secure Storage
-''''''''''''''
-Persistent storage of keys is handled by an instance of the Secure Storage service.
-The service is accessed via a client that presents the PSA ITS API at its upper edge.
-This is needed for compatibility with Mbed Crypto. As long as it meets security
-requirements, any Secure Storage service provider may be used. An RPC session between
-the Crypto and Secure Storage service providers is established during initialization
-and is maintained for the lifetime of the Crypto service provider.
-
-Entropy Source
-''''''''''''''
-Certain cryptographic operations, such as key generation, require use of a
-cryptographically secure random number generator. To allow a hardware TRNG to be used,
-the Mbed Crypto library is configured to use an externally provided entropy source.
-Any deployment of the service provider must include an implementation of the following
-function::
-
- int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen)
-
-For production deployments, an implementation of this function should be provided that
-obtains the requested bytes of entropy from a suitable source. To allow the Crypto
-service to be used where no hardware backed implementation is available, a software
-only implementation is provided.
-
---------------
-
-*Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
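Review bot: the deleted Entropy Source subsection is the only place that states the integration requirement that every deployment of the crypto service provider must supply `int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen)` and that the bundled software-only implementation exists only for platforms without a hardware-backed source; nothing in this change shows where that text is relocated, so please confirm it survives in the new structure (or name the new page in the commit message), since dropping it silently removes a security-relevant deployment requirement. The same applies to the Secure Storage subsection's caveat that any backend may be used only "as long as it meets security requirements".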
diff --git a/docs/developer/service-descriptions/image/smm-gateway-layers.svg b/docs/developer/service-descriptions/image/smm-gateway-layers.svg
deleted file mode 100644
index e930e6c..0000000
--- a/docs/developer/service-descriptions/image/smm-gateway-layers.svg
+++ /dev/null
@@ -1,4 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Do not edit this file with editors other than diagrams.net -->
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg xmlns="http://www.w3.org/2000/svg" style="background-color: rgb(255, 255, 255);" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1243px" height="319px" viewBox="-0.5 -0.5 1243 319" content="<mxfile host="confluence.arm.com" modified="2021-12-15T14:28:45.848Z" agent="5.0 (X11)" etag="RyVEXBLsGt1b45TKPOvv" version="15.3.7" type="atlas"><mxAtlasLibraries/><diagram id="wNY_4wXUTk2zhrBGsPOK" name="Page-1">7VpZd9o4FP41nDPzQA9YtoFHtrRp4wmFpFleOMYWRo1tMbLCkl8/khcwkoCcBIjJNH2odbXY/u69311MCbSDxVdiTycWdqFf0iruogQ6JU3TgFZh/3HJMpFUQaOWSDyC3FS2FgzQC0yF6UbvGbkw2lhIMfYpmm4KHRyG0KEbMpsQPN9cNsb+5l2ntpfesbIWDBzbh9KyO+TSSSKtG7nV3yDyJtmdq5V0JrCzxakgmtgunudEoFsCbYIxTa6CRRv6HL0Ml2TfxZbZ1YMRGNLXbMCX92DgwoVjVMu3326Nxa8AlNNTZrb/nL5w20f8QK3SI9iBUYRCjw264QwRHAbxVPw2dJlBRPBz6EJ+l2oJtOYTROFgajt8ds6sgskmNPDT6THy/Tb2MYn3gq7J/zF5RAl+grkZHWgdo8ZmfHsE/R6OEEU4ZHMOewbIFrVmkFDENHUlLKCY39P2kadc3kwnRphSHPBHwiHN3bgS/60eKdM6YBIZ8gw/djZc5ESpCr5CHEBKlmxJOls2MtNJPaKsp+P52ry0bM0kZ1ogsyw7NWlvdfha6+wiVbzaCObN25vpyyj48eg+jsOLZvQIaFmXjCAKgqFnUzi3+aMPeifSeUtLof9kOq9q+3WuH03nL4/ez6sZMhrgx8U0+P6z3QhnZU3Seb/HTqq0bd9n0Gmmzx6hNeJXHr/6y7KG7WvLuv3nst286f69wyIq+y3iII4ENkGtK/yoqsDUPBakQILUYvxpewmDXtlLJa4XF80CgllVsdKx0OxY5rwf3nlRff777sGbWfWX7lYD7YbuFCMehopvoqtkYLuJVhunBPWcTVQEU2Wip0WzJqEpoQRDt8mzUB6UfJtlU04cZGxCZXEOLwYTWd6n2MaDBz74YmTDziI/2VlmowWi99kZ7Dq3i43Wm/gg27NVNxF+Jg7cH0PY23iQ7ndl6Gap9hZN5xSpCoaZjEDfpmi2maCrlJveoZfQxcqQ9MamIWk1wUCSF0+35TNq6SRdOEkTTkqgkU6KrW314m83wLrszhaP4WsSlAySeRvdtLW9SVOAXJdvbxEYoRd7FB/FLSfm4fhNjVbJ6GR5W8t2nryYHnIZ1jj+U5rbTt8S+WFV6aXPUcoXU0reqHzR9NpBLKdqbmi7XBW0jcfjCL5X0coMXS7TDsY0J2UMUCwm0MSQYjbYq7+NC6TwJLLK4bhAaSJyvsTCNhPkAnzxqWCn8f/vqOB6bBGrg5cAhNMHs69PrfpAQQUDSGaIuR0j/rR3855UTSjWmaY0x1EV6645Mg3zSPWHdsLyQwmz7E68JzKzCYqtjeG7Qn1K8Ay5PHM+P9xF1lLgrp8Ud7lCKXyk2+WmhYl05qaejbemvKLBiAcdLsopYZVblQNW9f9q9i+bravusNe/vrluX1+dQ6zbaf5FinVa7QSxDv/bb5Dho/a9v7hpTX4PW8OnjiLW7WlSspSHrfj4ZoXY8D1l40eJpBzOzqbxI2J50r6PEkzF9xLoPJM4K6CY8C+Kfz6avFftuhCxlN/JgELtB/lmotS7sYWOtrekEz76cBfS6wWjI/N86UjE8uPpSG
5DK+joU5QrIvaKauW00GepUEHKlbd+NtiqmnyZsyuvyH8C2OXwBSmHNOE3GO/o++m1vUcdriRS26CcJZ9h52+3exWpHDpJ608Nh5zFfyq2KQg7gKrg0pW3s4OYLMhHHZsd5IbalqT0bEgh84I/pBDDIVejn4oU9nZaX5uC1IpFMkIKAhqCxbyWYgxtz0HHJhi5Ku4NePoxyIqQQVaEnCvhZB722QmHDdc/R0+Wr3/VD7r/AQ==</diagram></mxfile>"><defs/><g><rect x="1" y="17" width="250" height="300" rx="37.5" ry="37.5" fill="#e6e6e6" stroke="#432d57" stroke-width="3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe center; width: 248px; height: 1px; padding-top: 14px; margin-left: 2px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Client Processing Environment</div></div></div></foreignObject><text x="126" y="14" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Client Processing Environment</text></switch></g><rect x="431" y="17" width="450" height="300" rx="45" ry="45" fill="#e6e6e6" stroke="#b20000" stroke-width="3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe center; width: 448px; height: 1px; padding-top: 14px; margin-left: 432px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 
0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">smm_gateway SP</div></div></div></foreignObject><text x="656" y="14" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">smm_gateway SP</text></switch></g><rect x="21" y="137" width="210" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 208px; height: 1px; padding-top: 167px; margin-left: 22px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">RPC Caller<br />(MM_COMMUNICATE)</div></div></div></foreignObject><text x="126" y="171" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">RPC Caller...</text></switch></g><rect x="21" y="197" width="210" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 208px; height: 1px; padding-top: 227px; margin-left: 22px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: 
normal;">Messaging Layer<br />(FFA)</div></div></div></foreignObject><text x="126" y="231" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Messaging Layer...</text></switch></g><rect x="451" y="137" width="190" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 167px; margin-left: 452px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">RPC Endpoint<br />(MM_COMMUNICATE)</div></div></div></foreignObject><text x="546" y="171" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">RPC Endpoint...</text></switch></g><rect x="451" y="197" width="190" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 227px; margin-left: 452px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Messaging Layer<br 
/>(FFA)</div></div></div></foreignObject><text x="546" y="231" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Messaging Layer...</text></switch></g><path d="M 237.37 167 L 444.63 167" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 232.12 167 L 239.12 163.5 L 237.37 167 L 239.12 170.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 449.88 167 L 442.88 170.5 L 444.63 167 L 442.88 163.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 158px; margin-left: 331px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">MM COMMUNICATE</div></div></div></foreignObject><text x="331" y="161" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">MM COMMUNICATE</text></switch></g><path d="M 237.37 227 L 444.63 227" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 232.12 227 L 239.12 223.5 L 237.37 227 L 239.12 230.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 449.88 227 L 442.88 230.5 L 444.63 227 L 442.88 223.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" 
requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 218px; margin-left: 331px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">FFA Messaging</div></div></div></foreignObject><text x="331" y="221" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">FFA Messaging</text></switch></g><rect x="21" y="77" width="210" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 208px; height: 1px; padding-top: 107px; margin-left: 22px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Service Client</div></div></div></foreignObject><text x="126" y="111" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Service Client</text></switch></g><rect x="451" y="77" width="410" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div 
xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 408px; height: 1px; padding-top: 107px; margin-left: 452px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">smm_variable service provider</div></div></div></foreignObject><text x="656" y="111" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">smm_variable service provider</text></switch></g><path d="M 237.37 107 L 444.63 107" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 232.12 107 L 239.12 103.5 L 237.37 107 L 239.12 110.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 449.88 107 L 442.88 110.5 L 444.63 107 L 442.88 103.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 98px; margin-left: 342px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">SMM_VARIABLE_PROTOCOL</div></div></div></foreignObject><text x="342" y="101" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">SMM_VARIABLE_PROTOCOL</text></switch></g><rect x="671" y="137" width="190" height="60" fill="#ffffff" 
stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 167px; margin-left: 672px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">RPC Caller<br />(FFARPC)</div></div></div></foreignObject><text x="766" y="171" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">RPC Caller...</text></switch></g><rect x="671" y="197" width="190" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 227px; margin-left: 672px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Messaging Layer<br />(FFA)</div></div></div></foreignObject><text x="766" y="231" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Messaging Layer...</text></switch></g><rect x="1011" y="17" width="230" height="300" rx="34.5" ry="34.5" fill="#e6e6e6" stroke="#b20000" stroke-width="3" 
pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe center; width: 228px; height: 1px; padding-top: 14px; margin-left: 1012px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">secure storage SP</div></div></div></foreignObject><text x="1126" y="14" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">secure storage SP</text></switch></g><rect x="1031" y="137" width="190" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 167px; margin-left: 1032px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">RPC Endpoint<br />FFARPC</div></div></div></foreignObject><text x="1126" y="171" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">RPC Endpoint...</text></switch></g><rect x="1031" y="197" width="190" height="60" fill="#ffffff" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject 
style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 227px; margin-left: 1032px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Messaging Layer<br />(FFA)</div></div></div></foreignObject><text x="1126" y="231" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Messaging Layer...</text></switch></g><rect x="1031" y="77" width="190" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 188px; height: 1px; padding-top: 107px; margin-left: 1032px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">secure storage service provider</div></div></div></foreignObject><text x="1126" y="111" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">secure storage service provider</text></switch></g><path d="M 867.37 227 L 1024.63 227" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 862.12 227 L 869.12 223.5 L 867.37 227 L 869.12 230.5 Z" fill="#000000" 
stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 1029.88 227 L 1022.88 230.5 L 1024.63 227 L 1022.88 223.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 218px; margin-left: 942px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">FFA Messaging</div></div></div></foreignObject><text x="942" y="221" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">FFA Messaging</text></switch></g><path d="M 867.37 166.5 L 1024.63 166.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 862.12 166.5 L 869.12 163 L 867.37 166.5 L 869.12 170 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 1029.88 166.5 L 1022.88 170 L 1024.63 166.5 L 1022.88 163 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 157px; margin-left: 942px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: 
inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">FFARPC</div></div></div></foreignObject><text x="942" y="161" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">FFARPC</text></switch></g><path d="M 867.37 107 L 1024.63 107" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 862.12 107 L 869.12 103.5 L 867.37 107 L 869.12 110.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 1029.88 107 L 1022.88 110.5 L 1024.63 107 L 1022.88 103.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 98px; margin-left: 942px;"><div style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">PSA Secure Storage</div></div></div></foreignObject><text x="942" y="101" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">PSA Secure Storage</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg>
\ No newline at end of file
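Review bot: this deletes the smm-gateway-layers.svg diagram outright, while the commit message only describes reusing tf-m PNGs for the docs home; if a page that remains after this change (the uefi-smm-services page listed in the deleted index, for instance) still carries an `.. image::` directive pointing at this path, the Sphinx build will fail, so either remove that reference in the same change or keep the file until its replacement is in place.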
diff --git a/docs/developer/service-descriptions/index.rst b/docs/developer/service-descriptions/index.rst
deleted file mode 100644
index 6574a3e..0000000
--- a/docs/developer/service-descriptions/index.rst
+++ /dev/null
@@ -1,17 +0,0 @@
-Service Descriptions
-====================
-
-.. toctree::
- :maxdepth: 1
- :caption: Contents:
-
- attest-service-description
- crypto-service-description
- secure-storage-service-description
- uefi-smm-services
-
---------------
-
-*Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
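Review bot: removing this index drops the toctree that pulls in attest-service-description, crypto-service-description, secure-storage-service-description and uefi-smm-services; unless those four documents are listed in another toctree added by this change, Sphinx will emit "document isn't included in any toctree" warnings and the pages become unreachable from navigation. Please state in the commit message which new toctree takes them over.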
diff --git a/docs/developer/service-descriptions/secure-storage-service-description.rst b/docs/developer/service-descriptions/secure-storage-service-description.rst
deleted file mode 100644
index defb2b5..0000000
--- a/docs/developer/service-descriptions/secure-storage-service-description.rst
+++ /dev/null
@@ -1,172 +0,0 @@
-Secure Storage Service Description
-==================================
-Service Overview
-----------------
-The Secure Storage service provides a generic persistent object store for valuable
-assets such as cryptographic keys. The confidentiality and integrity of stored data
-is typically achieved using keys that are bound to the device. The backend object
-store can be implemented in different ways, depending on available hardware such as:
-
- * On-SoC secure world peripherals such as NV counters.
- * A hardware unique key stored in OTP.
- * Internal flash (on-die or in package).
- * On-SoC crypto island with persistent storage.
- * RPMB partition in a an external eMMC chip.
-
-The secure storage service provider architecture offers flexibility to use alternative
-backend storage implementations to suite available hardware.
-
-Service Access Protocol
------------------------
-A client accesses any instance of the Secure Storage service using a common secure
-storage access protocol. Although multiple secure storage service instances may exist
-on a device, they are all accessed using the same access protocol. By standardizing on
-a common protocol, client applications maintain compatibility with any secure storage
-provider instance.
-
-The protocol definition lives here::
-
- protocols/service/secure_storage
-
-PSA Storage Classes
--------------------
-Backend storage implementations that rely on external components, such as a flash chip,
-will require security measures that are not necessarily needed when on-chip or in-package
-storage is used. The PSA Storage API specification introduces the storage classes
-*Protected* and *Internal Trusted* to distinguish between externally and internally provided
-storage. These storage class designations are used for naming secure storage service instances.
-For example, the secure storage deployment that uses an RPMB backend is referred to as
-Protected Storage. The two storage classes have the following characteristics. Both
-classes of storage are required to support the notion of data ownership and to implement
-access control based on policy set by the owner.
-
-Internal Trusted Storage
-''''''''''''''''''''''''
-Internal trusted storage uses isolated or shielded locations for storage. Example
-storage backends could be on-die or in package flash memory that is inherently secure.
-Alternatively, storage may be delegated to an on-die secure enclave that offers equivalent
-security properities. An external storage device may also be used, as long as there is a
-cryptographic binding between the owning secure partition and the stored data that prevents
-unauthorized access to the storage device.
-
-To provide a persisent store for fundamental objects such as device ID and trust anchor
-certificates, access control based on the secure lifecycle state should be possible to
-support access policies such as r/w during manufacture but read-only in all other lifecycle
-states.
-
-Protected Storage
-'''''''''''''''''
-Protected storage uses an external memory device for persistent storage. To meet PSA
-security goals, the following protection measures should exist:
-
- * Privacy and integrity protection to prevent data access and modification by an
- unauthorized agent.
- * Replay protection to prevent the current set of stored data being replaced by an
- old set.
-
-Common implementation options for a protected store are:
-
- * RPMB partition in an eMMC device. Access to the device is brokered by a normal-world
- agent such as tee-supplicant.
- * Dedicated serial flash device with secure-world only access.
- * Normal-world filesystem for backend storage. Data is encrypted and integrity protected
- in the secure-world.
-
-PSA Storage C API
------------------
-For client application developers who wish to use the PSA Storage API to access secure
-storage, two storage frontends are available; one that implements the Protected Storage
-API and another that implements the Internal Trusted Storage API.
-
-Storage Frontend and Backend Separation
----------------------------------------
-For flexibility, secure storage components are separated between frontend and backend.
-All storage backends implement a common public interface and may be used with any storage
-frontend. A storage frontend presents an interface that suites a particular type of consumer.
-The following class diagram illustrates how a storage frontend is decoupled from any concrete
-storage backend through the use of an abstract storage backend interface.
-
-.. uml:: uml/SecureStorageClassDiagram.puml
-
-Some example storage frontends:
-
- * Secure storage service provider - provides access using the secure storage access protocol.
- * ITS frontend - provides secure storage access via PSA Internal Trusted Storage C API
- * PS frontend - provides secure storage access via PSA Protected Storage C API
-
-Some example storage backends:
-
- * RPMB storage backend
- * Secure enclave storage backend
- * Normal-world filesystem backend
- * Secure storage service client
-
-Components related to storage frontends and backends live under the following TS project directories::
-
- components/service/secure_storage/frontend
- components/service/secure_storage/backend
-
-Storage Frontend and Backend Responsibilities
----------------------------------------------
-A storage frontend is responsible for presenting an interface that is suitable for a particular
-type of consumer. For example, the Mbed TLS library depends on the PSA Internal Trusted Storage C
-API for accessing persistent storage. The ITS frontend provides an implementation of this API at
-its upper edge. Where appropriate, a storage frontend will be responsible for sanitizing input
-parameters.
-
-A storage backend is responsible for:
-
- * Realizing the common storage backend interface.
- * Implementing per object access control based on the provided client ID. The client ID associated
- with the creator of an object is treated as the object owner.
- * Providing persistent storage with appropriate security and robustness properties.
-
-Storage Factory
----------------
-To decouple generic code from environment and platform specific code, a storage factory
-interface is defined that provides a common interface for constructing storage backends.
-A concrete storage factory may use environment specific methods and configuration to construct
-a suitable storage backend. Allows new storage backends to be added without impacting service
-provider implementations. The factory method uses PSA storage classifications to allow a
-service provider to specify the security characteristics of the backend. How those security
-characteristics are realized will depend on the secure processing environment and platform.
-
-A concrete storage factory may exploit any of the following to influence how the storage
-backend is constructed:
-
- * Environment and platform specific factory component used in deployment
- * Runtime configuration e.g. from Device Tree
- * The PSA storage classification specified by the SP initialization code.
-
-Concrete storage factory components live under the following TS project directory::
-
- components/service/secure_storage/factory
-
-Storage Frontend/Backend Combinations
--------------------------------------
-The following storage frontend/backend combinations are used in different deployments.
-
-Persistent Key Store for Crypto Service Provider
-''''''''''''''''''''''''''''''''''''''''''''''''
-The Crypto service provider uses the Mbed Crypto portion of Mbed TLS to implement crypto
-operations. Persistent keys are stored via the PSA Internal Trusted Storage C API.
-In the opteesp deployment of the Crypto service provider, a storage client backend is
-used that accesses a secure store provided by a separate secure partition. The following
-deployment diagram illustrates the storage frontend/backend combination used:
-
-.. uml:: uml/InternalTrustedDeploymentDiagram.puml
-
-Proxy for OP-TEE Provided Storage
-'''''''''''''''''''''''''''''''''
-When service providers are deployed in secure partitions running under OP-TEE, access
-to OP-TEE provided secure storage is possible via an S-EL1 SP that hosts a secure storage
-provider instance. The following deployment diagram illustrates how secure storage
-access is brokered by an S-EL0 proxy:
-
-.. uml:: uml/ProtectedProxyDeploymentDiagram.puml
-
---------------
-
-*Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
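Review bot: the secure storage description removed here has no visible replacement anywhere in the diff, yet it carries substantive security content, namely that a storage backend must implement "per object access control based on the provided client ID" with the creator treated as owner, and that the storage factory selects backends by PSA storage classification; the commit message speaks of cleaning up structure, so either add the new location (a rename rather than delete/add would keep the history) or state explicitly that these sections are being dropped. If the text is re-homed, fix the sentence fragment "Allows new storage backends to be added without impacting service provider implementations." to start with "This allows", and "suites a particular type of consumer" to "suits".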
diff --git a/docs/developer/service-descriptions/uefi-smm-services.rst b/docs/developer/service-descriptions/uefi-smm-services.rst
deleted file mode 100644
index 3795063..0000000
--- a/docs/developer/service-descriptions/uefi-smm-services.rst
+++ /dev/null
@@ -1,243 +0,0 @@
-UEFI SMM Services
-=================
-The Trusted Services project provides support for UEFI System Management Mode (SMM) services via the
-SMM Gateway secure partition. The SMM Gateway adopts the API Gateway design pattern, popular in
-microservices architecture. The pattern decouples clients from backend service providers using an
-API gateway that presents a domain specific interface to clients while delegating operations to a
-set of backend microservices. An API gateway will typically use multiple backend services and may
-perform protocol translation while presenting a single service entry point for clients. The SMM
-Gateway works in a similar manner - clients access SMM services using standard SMM protocol messages,
-carried by an RPC mechanism. Service requests are forwarded by the SMM Gateway to backend service
-providers for operations such as secure persistent storage and signature verification.
-
-SMM Gateway is intended to be used on non-EDK2 platforms as an alternative to the EDK2 StandaloneMM
-(StMM) component. The current SMM Gateway version only supports the SMM Variable service. Additional
-SMM service providers may be added to SMM Gateway if required. By deliberately limiting functionality
-and exploiting backend services, the SMM Gateway SP can be significantly lighter-weight than StMM.
-This option is intended to be used on more resource constrained devices that tend to use u-boot.
-There is of course the possibility that other SMM services will need to be supported in the future.
-In such cases, a judgement should be made as to whether StMM should be used rather than extending the SP.
-
-.. uml:: uml/SmmGatewayOverview.puml
-
-SMM Variable Service
---------------------
-Overview
-''''''''
-UEFI Variable support is provided by the *smm_variable* service provider component. This service provider
-is structured in the same way as other service providers within the TS project. Features of this
-component are:
-
- * Source file location: ``components/service/smm_variable``
- * Public interface definitions: ``protocols/service/smm_variable``
- * Can be used with any RPC layer - not tied to MM Communicate RPC.
- * Volatile and non-volatile storage is accessed via instances of the common *storage_backend* interface.
-
-The *smm-gateway/opteesp* deployment integrates the *smm_variable* service provider with the following:
-
- * An MM Communicate based RPC endpoint.
- * A *mock_store* instance for volatile variables.
- * A *secure_storage_client* for non-volatile variables.
-
-During SP initialization, the *smm-gateway* uses pre-configured information to discover a backend secure
-storage SP for NV storage.
-
-The following diagram illustrates how the *smm_variable* service provider is integrated into the *smm-gateway*.
-
-.. image:: image/smm-gateway-layers.svg
-
-Because the *smm_variable* service provider is independent of any particular environment, alternative deployments
-are possible e.g.
-
- * *smm_variable* service provider running within a GP TA with storage off-loaded to the GP TEE Internal API.
- * *smm_variable* service provider running within a secure enclave with its own internal flash storage.
-
-Supported Functions
-'''''''''''''''''''
-The *smm_variable* service provider supports the following functions:
-
-.. list-table::
- :header-rows: 1
-
- * - SMM Variable Function
- - Purpose
- - Backend service interaction
- * - SMM_VARIABLE_FUNCTION_GET_VARIABLE
- - Get variable data identified by GUID/name.
- - Query index and get object from appropriate storage backend.
- * - SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME
- - Called multiple times to enumerate stored variables.
- - Find variable in index and return next.
- * - SMM_VARIABLE_FUNCTION_SET_VARIABLE
- - Adds a new variable or updates an existing one.
- - | Sets object in storage backend and if necessary, updates index
- | and syncs to storage.
- * - SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO
- - Returns information about the variable store.
- - Iterates over stored variables to determine space used.
- * - SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE
- - Called by OS when boot phase is complete.
- - | Updates view of runtime state held by smm_variable service provider.
- | State variable used when implementing state dependent access control.
- * - SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET
- - | Set constraints that are checked on the SetVariable operation.
- | Allows a platform to set check policy.
- - | Variable index holds variable check constraints object for each variable.
- | This is updated by this function.
- * - SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET
- - Get the variable check constraints.
- - Reads the variable check constraints object.
- * - SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE
- - | Returns the maximum variable data size, excluding any
- | auth header.
- - | Considers size constraints imposed by backend stores and RPC response
- | payload constraints.
-
-Supported Variable Attributes
-'''''''''''''''''''''''''''''
-The following variable attributes are supported:
-
-.. list-table::
- :widths: 3 1 3
- :header-rows: 1
-
- * - SMM Variable Attribute
- - Support
- - Comment
- * - EFI_VARIABLE_NON_VOLATILE
- - yes
- - Determines which storage backend is used.
- * - EFI_VARIABLE_BOOTSERVICE_ACCESS
- - yes
- - Boot service access controlled by smm_variable service provider.
- * - EFI_VARIABLE_RUNTIME_ACCESS
- - yes
- - Runtime access controlled by smm_variable service provider.
- * - EFI_VARIABLE_HARDWARE_ERROR_RECORD
- - no
- -
- * - EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
- - no
- -
- * - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
- - not yet
- - Will be needed for secure boot support
- * - EFI_VARIABLE_APPEND_WRITE
- - yes
- - Implemented by overwriting entire variable data.
-
-SMM Variable Tests
-''''''''''''''''''
-The following test components exist for the SMM Variable service:
-
-.. list-table::
- :header-rows: 1
-
- * - Test Component
- - Description
- - Included in deployments
- * - ``component/service/smm_variable/backend/test``
- - | Component tests for the variable_index and variable_store backend
- | components. Can be run in a native PC environment.
- - ``deployments/component-test/*``
- * - ``component/service/smm_variable/test/service``
- - | End-to-end service level tests that call service operations from
- | the perspective of a client. Can be run in a native PC environment
- | or on the Arm target platform.
- - | ``deployments/ts-service-test/linux-pc``
- | ``deployments/uefi-test/arm-linux``
-
-SMM Gateway Build Configuration
--------------------------------
-The smm-gateway SP image may be built using the default configuration parameters defined
-within relevant source files. In practice, it is likely that at least some configuration
-values will need to be overridden. The following table lists build-time configuration
-parameters that may be overridden by global C pre-processor defines.
-
-.. list-table::
- :widths: 2 2 2 1
- :header-rows: 1
-
- * - Config define
- - Usage
- - File
- - Default value
- * - SMM_GATEWAY_MAX_UEFI_VARIABLES
- - Maximum number of variables
- - ``deployments/smm-gateway/smm_gateway.c``
- - 40
- * - SMM_GATEWAY_NV_STORE_SN
- - The service ID for the backend NV variable store
- - ``deployments/smm-gateway/smm_gateway.c``
- - Protected Storage SP
-
-MM Communicate RPC Layer
-------------------------
-To maintain compatibility with existing SMM service clients, an MM Communicate based RPC
-layer has been developed that uses the same 'carveout' buffer scheme as StMM. When SMM
-Gateway is used instead of StMM, existing SMM variable clients should interoperate seamlessly.
-The MM Communicate RPC components implement the standard TS RPC interfaces and can be used as
-a general purpose RPC for calls from normal world to secure world. The following MM Communicate
-RPC components have been added:
-
- * ``components/rpc/mm_communicate/endpoint/sp`` - an RPC endpoint that handles FFA direct
- calls with MM Communicate and SMM message carried in a shared 'carveout' buffer. Call requests
- are demultiplexed to the appropriate service interface based on the service GUID carried in
- the MM Communicate header. Suitable for use in SP deployments.
- * ``components/rpc/mm_communicate/caller/linux`` - an RPC caller that calls service operations
- associated with the destination service interface from Linux user-space. Uses the MM Communicate
- protocol, sent over FFA using the Debug FFA kernel driver. Service level tests that run against
- the SMM Gateway use this RPC caller for invoking SMM service operations.
-
-The following register mapping is assumed for FFA based direct calls to an SP that handles the MM
-Communicate RPC protocol:
-
-.. list-table::
- :widths: 1 2 2 2
- :header-rows: 1
-
- * - Registers
- - FF-A layer
- - MM_COMMUNICATE Request
- - MM_COMMUNICATE Response
- * - W0
- - Function ID
- - | FFA_MSG_SEND_DIRECT_REQ
- | (0x8400006F/0xC400006F)
- - | FFA_MSG_SEND_DIRECT_RESP
- | (0x84000070/0xC4000070)
- * - W1
- - Source/Destination ID
- - Source/Destination ID
- - Source/Destination ID
- * - W2/X2
- - Reserved
- - 0x00000000
- - 0x00000000
- * - W3/X3
- - Parameter[0]
- - Address of the MM communication buffer
- - | ARM_SVC_ID_SP_EVENT_COMPLETE
- | (0x84000061/0xC4000061)
- * - W4/X4
- - Parameter[1]
- - Size of the MM communication buffer
- - SUCCESS/[error code]
- * - W5/X5
- - Parameter[2]
- - 0x00000000
- - 0x00000000
- * - W6/X6
- - Parameter[3]
- - 0x00000000
- - 0x00000000
- * - W7/X7
- - Parameter[4]
- - 0x00000000
- - 0x00000000
-
---------------
-
-*Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.*
-
-SPDX-License-Identifier: BSD-3-Clause
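Review bot: removing uefi-smm-services.rst outright drops the only statement that EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is "not yet" supported and "Will be needed for secure boot support", and also the MM Communicate register mapping (FFA_MSG_SEND_DIRECT_REQ/RESP, ARM_SVC_ID_SP_EVENT_COMPLETE and the W3/W4 buffer address and size) that external SMM clients have to match; both tables need a place in the new structure, because a reader of the restructured docs would otherwise have no way to learn that authenticated variable writes are not enforced by this gateway. When the text is moved, correct the test component paths ``component/service/smm_variable/backend/test`` and ``component/service/smm_variable/test/service`` to the ``components/service/smm_variable`` prefix used earlier in the same file, and replace the descriptive default "Protected Storage SP" for SMM_GATEWAY_NV_STORE_SN with the literal value defined in ``deployments/smm-gateway/smm_gateway.c``.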
diff --git a/docs/developer/service-descriptions/uml/AttestClaimsModel.puml b/docs/developer/service-descriptions/uml/AttestClaimsModel.puml
deleted file mode 100644
index fb54f71..0000000
--- a/docs/developer/service-descriptions/uml/AttestClaimsModel.puml
+++ /dev/null
@@ -1,43 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-
-abstract class claim_iterator {
- {abstract} void first()
- {abstract} void next()
- {abstract} bool is_done()
- {abstract} claim current()
-}
-
-abstract class claim_source {
- {abstract} bool get_claim(claim *claim)
-}
-
-class claim {
- +category: int
- +subject_id: int
- +variant_id: int
-}
-
-class claims_register <<singleton>> {
- void add_claim_source(claim_source)
- void query_by_category(category, claim_vector)
-}
-
-claim <|-- claim_collection
-claim <|-- text_string_claim
-claim <|-- byte_string_claim
-claim <|-- integer_claim
-claim <|-- measurement_claim
-
-claim_iterator ..> claim
-claim_collection ..> claim_iterator
-claim_source ..> claim
-claims_register -> "0..*" claim_source
-
-@enduml
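Review bot: the secure storage and SMM gateway pages deleted in this patch pull their diagrams in with ``.. uml::`` directives, and a ``.. uml::`` pointing at a missing file fails the Sphinx build rather than rendering a blank; before merging, please grep the retained docs for ``uml/AttestClaimsModel.puml`` and the other diagram names deleted below to confirm no surviving page still includes them.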
diff --git a/docs/developer/service-descriptions/uml/AttestImportedIAKflow.puml b/docs/developer/service-descriptions/uml/AttestImportedIAKflow.puml
deleted file mode 100644
index fef117c..0000000
--- a/docs/developer/service-descriptions/uml/AttestImportedIAKflow.puml
+++ /dev/null
@@ -1,21 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-participant "factory app"
-participant "attestation service"
-participant "keystore"
-
-hnote over "keystore": empty
-"factory app" -> "attestation service" : import_iak
-"attestation service" -> "keystore" : check_exists
-"attestation service" <-- "keystore" : false
-"attestation service" -> "keystore" : store_key
-hnote over "keystore": provisioned
-"factory app" <-- "attestation service" : success
-
-@enduml
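Review bot: the import flow only shows the branch in which check_exists returns false; if this diagram is recreated under the new structure, add the branch where the keystore already holds an IAK, so that the documentation states whether import_iak rejects the request or replaces the existing key, which is the behaviour a reviewer of the provisioning flow most needs to see.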
diff --git a/docs/developer/service-descriptions/uml/AttestPartitioning.puml b/docs/developer/service-descriptions/uml/AttestPartitioning.puml
deleted file mode 100644
index 9e85862..0000000
--- a/docs/developer/service-descriptions/uml/AttestPartitioning.puml
+++ /dev/null
@@ -1,23 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-
-package claims
-package client
-package key_mngr
-package reporter
-package provider
-package protocol
-
-client ..> protocol
-provider ..> protocol
-provider ..> reporter
-provider ..> key_mngr
-reporter ..> claims
-
-@enduml
diff --git a/docs/developer/service-descriptions/uml/AttestSelfGeneratedIAKflow.puml b/docs/developer/service-descriptions/uml/AttestSelfGeneratedIAKflow.puml
deleted file mode 100644
index 7fdae1b..0000000
--- a/docs/developer/service-descriptions/uml/AttestSelfGeneratedIAKflow.puml
+++ /dev/null
@@ -1,22 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-participant "factory app"
-participant "attestation service"
-participant "keystore"
-
-hnote over "keystore": empty
-"factory app" -> "attestation service" : export_iak_public_key
-"attestation service" -> "keystore" : check_exists
-"attestation service" <-- "keystore" : false
-"attestation service" -> "attestation service" : generate_key
-"attestation service" -> "keystore" : store_key
-hnote over "keystore": provisioned
-"factory app" <-- "attestation service" : public_key
-
-@enduml
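Review bot: this diagram shows export_iak_public_key having a side effect, generating and storing the IAK when the keystore is empty; if the diagram is moved, the accompanying text should say so explicitly, since a caller expecting a read-only export would not anticipate key generation happening inside the service on first call.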
diff --git a/docs/developer/service-descriptions/uml/CryptoProviderClassDiagram.puml b/docs/developer/service-descriptions/uml/CryptoProviderClassDiagram.puml
deleted file mode 100644
index 65c6d83..0000000
--- a/docs/developer/service-descriptions/uml/CryptoProviderClassDiagram.puml
+++ /dev/null
@@ -1,49 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-allow_mixing
-left to right direction
-
-
-package CryptoProvider
-{
- class handler
- class generate_key_handler
- class import_key_handler
- class sign_hash_handler
- generate_key_handler --|> handler
- import_key_handler --|> handler
- sign_hash_handler --|> handler
-}
-package CryptoSerializer
-{
- class crypto_serializer
- class protobuf_crypto_serializer
- class packed_c_crypto_serializer
- protobuf_crypto_serializer --|> crypto_serializer
- packed_c_crypto_serializer --|> crypto_serializer
-}
-package MbedCrypto
-{
- class libmbedcrypto
-}
-package SecureStorage
-{
- class its_client
-}
-package EntropySource
-{
- class hw_entropy_source
-}
-
-CryptoProvider ..> CryptoSerializer
-CryptoProvider ..> MbedCrypto
-MbedCrypto ..> SecureStorage
-MbedCrypto ..> EntropySource
-
-@enduml
\ No newline at end of file
diff --git a/docs/developer/service-descriptions/uml/InternalTrustedDeploymentDiagram.puml b/docs/developer/service-descriptions/uml/InternalTrustedDeploymentDiagram.puml
deleted file mode 100644
index 13d26b0..0000000
--- a/docs/developer/service-descriptions/uml/InternalTrustedDeploymentDiagram.puml
+++ /dev/null
@@ -1,20 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-
-node crypto_sp {
- [its_frontend] -> [secure_storage_client]
-}
-
-node internal_trusted_store_sp {
- [secure_storage_provider] -> [secure_flash_store]
-}
-
-[secure_storage_client] -> [secure_storage_provider]
-
-@enduml
\ No newline at end of file
diff --git a/docs/developer/service-descriptions/uml/ProtectedProxyDeploymentDiagram.puml b/docs/developer/service-descriptions/uml/ProtectedProxyDeploymentDiagram.puml
deleted file mode 100644
index a6d5c14..0000000
--- a/docs/developer/service-descriptions/uml/ProtectedProxyDeploymentDiagram.puml
+++ /dev/null
@@ -1,25 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-
-node crypto_sp {
- [its_frontend:0] -> [secure_storage_client:0]
-}
-
-node protected_store_sp {
- [secure_storage_provider:1] -> [secure_storage_client:1]
-}
-
-node sel1_sp {
- [secure_storage_provider:2] -> [optee_store:2]
-}
-
-[secure_storage_client:0] -> [secure_storage_provider:1]
-[secure_storage_client:1] -> [secure_storage_provider:2]
-
-@enduml
\ No newline at end of file
diff --git a/docs/developer/service-descriptions/uml/SecureStorageClassDiagram.puml b/docs/developer/service-descriptions/uml/SecureStorageClassDiagram.puml
deleted file mode 100644
index 60177eb..0000000
--- a/docs/developer/service-descriptions/uml/SecureStorageClassDiagram.puml
+++ /dev/null
@@ -1,28 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-
-interface storage_backend
-{
- +{abstract} set()
- +{abstract} get()
- +{abstract} get_info()
- +{abstract} remove()
- +{abstract} create()
- +{abstract} set_extended()
-}
-
-secure_flash_store -u--|> storage_backend
-secure_storage_client -u--|> storage_backend
-null_store -u--|> storage_backend
-
-secure_storage_provider -d--> storage_backend
-its_frontend -d--> storage_backend
-ps_frontend -d--> storage_backend
-
-@enduml
\ No newline at end of file
diff --git a/docs/developer/service-descriptions/uml/SmmGatewayOverview.puml b/docs/developer/service-descriptions/uml/SmmGatewayOverview.puml
deleted file mode 100644
index f53d2a4..0000000
--- a/docs/developer/service-descriptions/uml/SmmGatewayOverview.puml
+++ /dev/null
@@ -1,14 +0,0 @@
-'-------------------------------------------------------------------------------
-' Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
-'
-' SPDX-License-Identifier: BSD-3-Clause
-'
-'-------------------------------------------------------------------------------
-
-@startuml
-
-[u-boot efi services] -down- [smm gateway]
-[smm gateway] -down- [secure storage service]
-[smm gateway] -down- [crypto service]
-
-@enduml