From 3dfcc8d779fd99b4ae1c8f948ad6ebf1ca4f9a73 Mon Sep 17 00:00:00 2001 From: Fabrizio Damato Date: Wed, 8 Apr 2026 13:49:13 -0700 Subject: [PATCH 1/4] dpe-irot-profile: add BLOCK_RECURSIVE attribute and UpdateContext vendor command Signed-off-by: Fabrizio Damato --- specifications/dpe-irot-profile/spec.ocp | 70 +++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/specifications/dpe-irot-profile/spec.ocp b/specifications/dpe-irot-profile/spec.ocp index d1a5f4f..ec565af 100644 --- a/specifications/dpe-irot-profile/spec.ocp +++ b/specifications/dpe-irot-profile/spec.ocp @@ -280,6 +280,9 @@ specification which are omitted by this profile: * An implementation may choose not to support `INTERNAL_INPUT_INFO` or `INTERNAL_INPUT_DICE`. If either is not supported and the bit is set, return `DPE_STATUS_INVALID_ARGUMENT`. +* If a direct child of `CONTEXT_HANDLE` with the same `INPUT_TYPE` already exists, + this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. Each `INPUT_TYPE` + value SHALL be unique among the direct children of a given context. * If the current number of active TCI nodes is equal to `MAX_CONTEXTS`, this command SHALL fail with argument `DPE_STATUS_OUT_OF_MEMORY`. * `RETAIN_PARENT_CONTEXT`: @@ -310,6 +313,14 @@ specification which are omitted by this profile: `INTERNAL_INPUT_DICE` SHALL be ignored. The resulting context will have the same values for these flags as the input `CONTEXT_HANDLE`. + * If `CONTEXT_HANDLE` refers to a context for which `BLOCK_RECURSIVE` + was set during creation, this command SHALL fail with + `DPE_STATUS_INVALID_ARGUMENT`. +* `BLOCK_RECURSIVE` + * If set, the generated context SHALL have `BLOCK_RECURSIVE` stored as + a context property. + * If `RECURSIVE` is also set, this command SHALL fail with + `DPE_STATUS_INVALID_ARGUMENT`. * If `CREATE_CERTIFICATE` is set, `EXPORT_CDI` SHALL also be set. Else, this command SHALL fail. * If `CREATE_CERTIFICATE` is set, `RETURN_CERTIFICATE` SHALL also be 
@@ -442,6 +453,34 @@ specification which are not relevant for this command: * If `OFFSET` is greater than the full size of the certificate chain, this command SHALL fail. +### UpdateContext + +UpdateContext is a vendor command that allows the holder of a parent context handle +to update the TCI measurement of a child context. This is semantically equivalent to +`DeriveContext` with `RECURSIVE` set, but enforces that the caller proves ownership +of the parent context. Unlike `DeriveContext(RECURSIVE=true)`, this command is +permitted even if `BLOCK_RECURSIVE` was set on the child context, because the update +is authorized by the parent rather than by the child context holder. + +#### Behavior + +* `PARENT_CONTEXT_HANDLE` is required. If `PARENT_CONTEXT_HANDLE` is the null + handle (all-zero bytes), this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. +* `PARENT_CONTEXT_HANDLE` SHALL exist in the caller's locality. If it does not, + this command SHALL fail with `DPE_STATUS_INVALID_HANDLE`. +* The child context to be updated is identified by `PARENT_CONTEXT_HANDLE` and + `INPUT_TYPE`. DPE SHALL select the direct child of `PARENT_CONTEXT_HANDLE` whose + type matches `INPUT_TYPE`. + * If no direct child of `PARENT_CONTEXT_HANDLE` has a type matching `INPUT_TYPE`, + this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. +* The identified child context's TCI SHALL be updated as described in + ocp.recursive-derivation.extend-tci. +* An implementation may choose not to support `INTERNAL_INPUT_INFO` or + `INTERNAL_INPUT_DICE`. If either is not supported and the bit is set, return + `DPE_STATUS_INVALID_ARGUMENT`. +* `NEW_CONTEXT_HANDLE` SHALL be a rotated handle for the updated child context. +* `NEW_PARENT_CONTEXT_HANDLE` SHALL be a rotated handle for the parent context. + ## Cryptographic Algorithms Profile `DPE_PROFILE_IROT_P256_SHA256` requires support for the following 
@@ -1334,6 +1373,7 @@ Table: Command IDs `DPE_COMMAND_DESTROY_CONTEXT` | 0xF `DPE_COMMAND_GET_CERTIFICATE_CHAIN` | 0x10 Reserved Range for Vendor Commands | 0x80000000 - 0x8000FFFF +`DPE_COMMAND_UPDATE_CONTEXT` | 0x80000000 Table: Status Codes @@ -1544,7 +1584,8 @@ Table: `DERIVE_CONTEXT_INPUT_ARGS` struct | | | 24 | `RECURSIVE` | If set, do a recursive derivation on `CONTEXT_HANDLE`. | | | 23 | `EXPORT_CDI` | Whether CDI should be exported for this context. | | | 22 | `CREATE_CERTIFICATE` | Whether a certificate is generated for the derived context. -| | | 21:0 | `RESERVED` | Reserved +| | | 21 | `BLOCK_RECURSIVE` | If set, the generated context SHALL NOT be allowed to call DeriveContext with `RECURSIVE` set. +| | | 20:0 | `RESERVED` | Reserved | 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte measurement type field | 0x24 + H | `U32` | 31:0 | `TARGET_LOCALITY` | Locality in which `NEW_CONTEXT_HANDLE` will be created if `CHANGE_LOCALITY` is set. | 0x28 + H | `U32` | 31:0 | `INPUT_SVN` | SVN added to TCI node. Callers SHOULD set this field to `0` when SVN is unused. 
@@ -1685,3 +1726,30 @@ Table: `GET_CERTIFICATE_CHAIN_OUTPUT_ARGS` struct | 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`. | 0x0C | `U32` | 31:0 | `CERTIFICATE_SIZE` | Number of bytes used in `CERTIFICATE_CHAIN`. Can be smaller than requested if no bytes are left to read. | 0x10 | `BYTES` | 16383:0 | `CERTIFICATE_CHAIN` | Returned certificate chain. This may be a partial certificate chain. + +#### UpdateContext ABI + +Table: `UPDATE_CONTEXT_INPUT_ARGS` struct + +| **Byte Offset** | **Type** | **Bits** | **Name** | **Description** +| --------- | -------------- | --------- | -------------------------------- | --------------------------------------------------------- +| 0x00 | `U32` | 31:0 | `MAGIC` | Magic number `DPE_COMMAND_MAGIC`. +| 0x04 | `U32` | 31:0 | `COMMAND_ID` | `DPE_COMMAND_UPDATE_CONTEXT`. +| 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`. +| 0x0C | `BYTES` | 127:0 | `PARENT_CONTEXT_HANDLE` | Handle of the parent context. Required; command fails if null or not found. +| 0x1C | `HASH` | | `INPUT_DATA` | Hash to measure. +| 0x1C + H | `BITFIELD` | 31 | `INTERNAL_INPUT_INFO` | Use dpe-info internal input if 1. +| | | 30 | `INTERNAL_INPUT_DICE` | Use dpe-dice internal input if 1. +| | | 29:0 | `RESERVED` | Reserved. +| 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte type used to identify the child of `PARENT_CONTEXT_HANDLE` to update. +| 0x24 + H | `U32` | 31:0 | `INPUT_SVN` | SVN added to TCI node. Callers SHOULD set this field to `0` when SVN is unused. + +Table: `UPDATE_CONTEXT_OUTPUT_ARGS` struct + +| **Byte Offset** | **Type** | **Bits** | **Name** | **Description** +| --------- | ---------- | ------- | ------------------------------- | -------------------------------------------------- +| 0x00 | `U32` | 31:0 | `MAGIC` | Magic number `DPE_RESPONSE_MAGIC`. +| 0x04 | `U32` | 31:0 | `STATUS` | One of `DPE_STATUS_*`. +| 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`. 
+| 0x0C | `BYTES` | 127:0 | `NEW_CONTEXT_HANDLE` | Rotated handle for the updated child context. +| 0x1C | `BYTES` | 127:0 | `NEW_PARENT_CONTEXT_HANDLE` | Rotated handle for the parent context. From 983fd909bdef4a175ebec7416a28810f5129ce74 Mon Sep 17 00:00:00 2001 From: Fabrizio Damato Date: Wed, 8 Apr 2026 14:50:06 -0700 Subject: [PATCH 2/4] Update new vendor command to UpdateContextMeasurement Signed-off-by: Fabrizio Damato --- specifications/dpe-irot-profile/spec.ocp | 34 +++++++++++------------- 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/specifications/dpe-irot-profile/spec.ocp b/specifications/dpe-irot-profile/spec.ocp index ec565af..db73d8c 100644 --- a/specifications/dpe-irot-profile/spec.ocp +++ b/specifications/dpe-irot-profile/spec.ocp 
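Review bot: the `INPUT_TYPE` uniqueness rule added in the @@ -280 hunk of patch 1/4 is a behavioral change for existing DeriveContext callers (a second direct child with the same `INPUT_TYPE` was not constrained before and now fails with `DPE_STATUS_INVALID_ARGUMENT`), but the commit message only mentions `BLOCK_RECURSIVE` and UpdateContext; call it out there, and give the rationale in the bullet, since the new UpdateContext section depends on (`PARENT_CONTEXT_HANDLE`, `INPUT_TYPE`) selecting exactly one child. Also say whether the check applies when `RECURSIVE` is set, where no new child is created, and whether it runs before or after the `MAX_CONTEXTS` check in the next bullet, since the two return different status codes.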
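Review bot: in the @@ -310 hunk of patch 1/4, the `BLOCK_RECURSIVE` refusal under `RECURSIVE` reuses `DPE_STATUS_INVALID_ARGUMENT`, the same code returned for malformed input, so a caller cannot tell a policy refusal from a bad argument; consider a dedicated status (patch 3/4 introduces one for the locality check) and add a cross-reference from that `RECURSIVE` sub-bullet to UpdateContext as the path the parent is meant to use instead. The bullet also leaves open whether `BLOCK_RECURSIVE` is stored only on the generated context or inherited by its descendants; the bit-21 ABI row reads as per-context, so state that explicitly.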
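Review bot: the UpdateContext behavior in the @@ -442 hunk of patch 1/4 does not say what rotating the child handle means for the child's own holder: `NEW_CONTEXT_HANDLE` is returned to the parent as a rotated handle for the child, which implies the handle previously held by the child context's owner is invalidated and the parent now holds the only valid handle; state whether that is intended and how the child owner is expected to continue. Two further gaps: the locality rule covers only `PARENT_CONTEXT_HANDLE`, yet DeriveContext can place a child in `TARGET_LOCALITY` via `CHANGE_LOCALITY`, so say whether a child in another locality may be selected and which locality `NEW_CONTEXT_HANDLE` is created in; and the `INTERNAL_INPUT_*` bullet copies the DeriveContext wording without saying whether those inputs are mixed into this update (patch 2/4 rewrites that bullet).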
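Review bot: in the @@ -1334 hunk of patch 1/4, `DPE_COMMAND_UPDATE_CONTEXT` takes 0x80000000, the first value of the vendor range on the line directly above it; since that range is described as reserved for vendor commands in general, say whether this profile now owns that value or whether an integrator may reassign it, otherwise two vendor extensions will pick the same ID.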
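Review bot: the offsets in the @@ -1685 hunk of patch 1/4 check out (the 16-byte handle at 0x0C ends at 0x1C, and `INPUT_TYPE` at 0x20 + H and `INPUT_SVN` at 0x24 + H match the DeriveContext layout with `TARGET_LOCALITY` removed), but the `RESERVED` 29:0 bits carry no rule for non-zero values while `INPUT_SVN` has a SHOULD; add "Callers SHALL set reserved bits to 0" or a DPE rejection rule, so reserved bits can be assigned later without silently changing behavior for old callers.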
@@ -453,14 +453,14 @@ specification which are not relevant for this command: * If `OFFSET` is greater than the full size of the certificate chain, this command SHALL fail. -### UpdateContext +### UpdateContextMeasurement -UpdateContext is a vendor command that allows the holder of a parent context handle -to update the TCI measurement of a child context. This is semantically equivalent to -`DeriveContext` with `RECURSIVE` set, but enforces that the caller proves ownership -of the parent context. Unlike `DeriveContext(RECURSIVE=true)`, this command is -permitted even if `BLOCK_RECURSIVE` was set on the child context, because the update -is authorized by the parent rather than by the child context holder. +UpdateContextMeasurement is a vendor command that allows the holder of a parent +context handle to update the TCI measurement of a child context. This is +semanticaly equivalent to `DeriveContext` with `RECURSIVE` set, but enforces that +the caller proves ownership of the parent context. Unlike `DeriveContext(RECURSIVE=true)`, +this command is permitted even if `BLOCK_RECURSIVE` was set on the child context, +because the update is authorized by the parent rather than by the child context holder. #### Behavior 
@@ -475,9 +475,9 @@ is authorized by the parent rather than by the child context holder. this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. * The identified child context's TCI SHALL be updated as described in ocp.recursive-derivation.extend-tci. -* An implementation may choose not to support `INTERNAL_INPUT_INFO` or - `INTERNAL_INPUT_DICE`. If either is not supported and the bit is set, return - `DPE_STATUS_INVALID_ARGUMENT`. +* The `INTERNAL_INPUT_INFO` and `INTERNAL_INPUT_DICE` settings of the child context + are not modified by this command; the values established at context creation + via DeriveContext are preserved. * `NEW_CONTEXT_HANDLE` SHALL be a rotated handle for the updated child context. * `NEW_PARENT_CONTEXT_HANDLE` SHALL be a rotated handle for the parent context. @@ -1373,7 +1373,7 @@ Table: Command IDs `DPE_COMMAND_DESTROY_CONTEXT` | 0xF `DPE_COMMAND_GET_CERTIFICATE_CHAIN` | 0x10 Reserved Range for Vendor Commands | 0x80000000 - 0x8000FFFF -`DPE_COMMAND_UPDATE_CONTEXT` | 0x80000000 +`DPE_COMMAND_UPDATE_CONTEXT_MEASUREMENT` | 0x80000000 Table: Status Codes 
@@ -1727,24 +1727,22 @@ Table: `GET_CERTIFICATE_CHAIN_OUTPUT_ARGS` struct | 0x0C | `U32` | 31:0 | `CERTIFICATE_SIZE` | Number of bytes used in `CERTIFICATE_CHAIN`. Can be smaller than requested if no bytes are left to read. | 0x10 | `BYTES` | 16383:0 | `CERTIFICATE_CHAIN` | Returned certificate chain. This may be a partial certificate chain. -#### UpdateContext ABI +#### UpdateContextMeasurement ABI -Table: `UPDATE_CONTEXT_INPUT_ARGS` struct +Table: `UPDATE_CONTEXT_MEASUREMENT_INPUT_ARGS` struct | **Byte Offset** | **Type** | **Bits** | **Name** | **Description** | --------- | -------------- | --------- | -------------------------------- | --------------------------------------------------------- | 0x00 | `U32` | 31:0 | `MAGIC` | Magic number `DPE_COMMAND_MAGIC`. -| 0x04 | `U32` | 31:0 | `COMMAND_ID` | `DPE_COMMAND_UPDATE_CONTEXT`. +| 0x04 | `U32` | 31:0 | `COMMAND_ID` | `DPE_COMMAND_UPDATE_CONTEXT_MEASUREMENT`. | 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`. | 0x0C | `BYTES` | 127:0 | `PARENT_CONTEXT_HANDLE` | Handle of the parent context. Required; command fails if null or not found. | 0x1C | `HASH` | | `INPUT_DATA` | Hash to measure. -| 0x1C + H | `BITFIELD` | 31 | `INTERNAL_INPUT_INFO` | Use dpe-info internal input if 1. -| | | 30 | `INTERNAL_INPUT_DICE` | Use dpe-dice internal input if 1. -| | | 29:0 | `RESERVED` | Reserved. +| 0x1C + H | `BITFIELD` | 31:0 | `RESERVED` | Reserved. | 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte type used to identify the child of `PARENT_CONTEXT_HANDLE` to update. | 0x24 + H | `U32` | 31:0 | `INPUT_SVN` | SVN added to TCI node. Callers SHOULD set this field to `0` when SVN is unused. -Table: `UPDATE_CONTEXT_OUTPUT_ARGS` struct +Table: `UPDATE_CONTEXT_MEASUREMENT_OUTPUT_ARGS` struct | **Byte Offset** | **Type** | **Bits** | **Name** | **Description** | --------- | ---------- | ------- | ------------------------------- | -------------------------------------------------- 
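Review bot: the reflow in the @@ -453 hunk of patch 2/4 introduces a typo: the removed text reads `semantically` and the replacement reads `semanticaly`; restore the spelling, since patches 3/4 and 4/4 carry the misspelled line as unchanged context and it survives to the end of the series.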
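Review bot: the replacement bullet in the @@ -475 hunk of patch 2/4 says the child's `INTERNAL_INPUT_INFO` and `INTERNAL_INPUT_DICE` settings are preserved, but not whether those internal inputs are mixed into the TCI extension this command performs; the reference to ocp.recursive-derivation.extend-tci only covers the extension itself. State that the stored settings govern this update the same way they govern a `RECURSIVE` DeriveContext, or that they do not, so two implementations cannot arrive at different TCI values for the same call.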
From 6ccf853d36ff733cbb657def35872a9864e82868 Mon Sep 17 00:00:00 2001 From: Fabrizio Damato Date: Thu, 9 Apr 2026 11:00:25 -0700 Subject: [PATCH 3/4] DPE I-ROT Profile spec: address UpdateContextMeasurement review feedback - Use "default context handle" instead of "null handle" - Introduce DPE_STATUS_INVALID_PARENT_LOCALITY for locality check failure = Describe NEW_PARENT_CONTEXT_HANDLE using RETAIN_PARENT_CONTEXT pattern Signed-off-by: Fabrizio Damato --- specifications/dpe-irot-profile/spec.ocp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/specifications/dpe-irot-profile/spec.ocp b/specifications/dpe-irot-profile/spec.ocp index db73d8c..579343b 100644 --- a/specifications/dpe-irot-profile/spec.ocp +++ b/specifications/dpe-irot-profile/spec.ocp @@ -464,10 +464,10 @@ because the update is authorized by the parent rather than by the child context #### Behavior -* `PARENT_CONTEXT_HANDLE` is required. If `PARENT_CONTEXT_HANDLE` is the null - handle (all-zero bytes), this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. +* `PARENT_CONTEXT_HANDLE` is required. If `PARENT_CONTEXT_HANDLE` is the default + context handle (all-zero bytes), this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. * `PARENT_CONTEXT_HANDLE` SHALL exist in the caller's locality. If it does not, - this command SHALL fail with `DPE_STATUS_INVALID_HANDLE`. + this command SHALL fail with `DPE_STATUS_INVALID_PARENT_LOCALITY`. * The child context to be updated is identified by `PARENT_CONTEXT_HANDLE` and `INPUT_TYPE`. DPE SHALL select the direct child of `PARENT_CONTEXT_HANDLE` whose type matches `INPUT_TYPE`. 
@@ -479,7 +479,8 @@ because the update is authorized by the parent rather than by the child context are not modified by this command; the values established at context creation via DeriveContext are preserved. * `NEW_CONTEXT_HANDLE` SHALL be a rotated handle for the updated child context. -* `NEW_PARENT_CONTEXT_HANDLE` SHALL be a rotated handle for the parent context. +* `NEW_PARENT_CONTEXT_HANDLE` SHALL be a rotated handle for `PARENT_CONTEXT_HANDLE`, + as if `RETAIN_PARENT_CONTEXT` were always set. ## Cryptographic Algorithms @@ -1392,6 +1393,7 @@ Table: Status Codes `DPE_STATUS_HANDLE_DEFINED` | 0x82 | Passed handle is already defined. `DPE_STATUS_ARGUMENT_NOT_SUPPORTED` | 0x83 | Argument is not supported by this profile, implementation, or integration. `DPE_STATUS_ALREADY_INITIALIZED` | 0x84 | InitializeContext has already been called on this DPE reset cycle +`DPE_STATUS_INVALID_PARENT_LOCALITY` | 0x85 | Parent ContextHandle does not exist in the caller's locality. Table: Magic Constants From 497e23f222d744c772909aa2925362c325703346 Mon Sep 17 00:00:00 2001 From: Fabrizio Damato Date: Thu, 9 Apr 2026 11:43:14 -0700 Subject: [PATCH 4/4] DPE I-RoT profile Spec: Replace BLOCK_RECURSIVE with ALLOW_RECURSIVE Signed-off-by: Fabrizio Damato --- specifications/dpe-irot-profile/spec.ocp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/specifications/dpe-irot-profile/spec.ocp b/specifications/dpe-irot-profile/spec.ocp index 579343b..5384d25 100644 --- a/specifications/dpe-irot-profile/spec.ocp +++ b/specifications/dpe-irot-profile/spec.ocp 
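Review bot: in the @@ -464 hunk of patch 3/4 the new `DPE_STATUS_INVALID_PARENT_LOCALITY` covers "does not exist in the caller's locality", which folds together a handle that exists in another locality and a handle that does not exist at all; that is the right choice, because a distinct code for the former would let a caller in one locality learn which handles are live in another, but make it explicit that implementations SHALL return the same status in both cases and SHALL NOT fall back to `DPE_STATUS_INVALID_HANDLE` for the unknown-handle case.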
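Review bot: the @@ -479 hunk of patch 3/4 makes `NEW_PARENT_CONTEXT_HANDLE` a rotated handle "as if `RETAIN_PARENT_CONTEXT` were always set", so a successful call always invalidates the caller's `PARENT_CONTEXT_HANDLE`; the section should also say what happens to `PARENT_CONTEXT_HANDLE` and the child handle when the command fails after the parent has been found, for example when no direct child matches `INPUT_TYPE`, so callers know whether a failed update leaves their handle usable.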
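Review bot: the new row in the @@ -1392 hunk of patch 3/4 writes "Parent ContextHandle" while the field is named `PARENT_CONTEXT_HANDLE` in the behavior bullets and the ABI table; use the field name in the status description so the two can be matched up without guessing.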
@@ -313,11 +313,11 @@ specification which are omitted by this profile: `INTERNAL_INPUT_DICE` SHALL be ignored. The resulting context will have the same values for these flags as the input `CONTEXT_HANDLE`. - * If `CONTEXT_HANDLE` refers to a context for which `BLOCK_RECURSIVE` - was set during creation, this command SHALL fail with + * If `CONTEXT_HANDLE` refers to a context for which `ALLOW_RECURSIVE` + was NOT set during creation, this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. -* `BLOCK_RECURSIVE` - * If set, the generated context SHALL have `BLOCK_RECURSIVE` stored as +* `ALLOW_RECURSIVE` + * If set, the generated context SHALL have `ALLOW_RECURSIVE` stored as a context property. * If `RECURSIVE` is also set, this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. @@ -459,7 +459,7 @@ UpdateContextMeasurement is a vendor command that allows the holder of a parent context handle to update the TCI measurement of a child context. This is semanticaly equivalent to `DeriveContext` with `RECURSIVE` set, but enforces that the caller proves ownership of the parent context. Unlike `DeriveContext(RECURSIVE=true)`, -this command is permitted even if `BLOCK_RECURSIVE` was set on the child context, +this command is permitted even if `ALLOW_RECURSIVE` was NOT set on the child context, because the update is authorized by the parent rather than by the child context holder. #### Behavior 
@@ -1583,10 +1583,10 @@ Table: `DERIVE_CONTEXT_INPUT_ARGS` struct | | | 27 | `CHANGE_LOCALITY` | Whether `NEW_CONTEXT_HANDLE` is created in a different locality than the caller's locality. | | | 26 | `ALLOW_NEW_CONTEXT_TO_EXPORT` | Whether callers referencing the new context can export the CDI. | | | 25 | `INPUT_ALLOW_X509` | Whether callers referencing the new context can request an X.509 cert. If false, the context can only request a CSR. -| | | 24 | `RECURSIVE` | If set, do a recursive derivation on `CONTEXT_HANDLE`. +| | | 24 | `RECURSIVE` | If set, do a recursive derivation on `CONTEXT_HANDLE`. `ALLOW_RECURSIVE` MUST have been set when `CONTEXT_HANDLE` was created, or this command SHALL fail. | | | 23 | `EXPORT_CDI` | Whether CDI should be exported for this context. | | | 22 | `CREATE_CERTIFICATE` | Whether a certificate is generated for the derived context. -| | | 21 | `BLOCK_RECURSIVE` | If set, the generated context SHALL NOT be allowed to call DeriveContext with `RECURSIVE` set. +| | | 21 | `ALLOW_RECURSIVE` | If set, the generated context SHALL be allowed to call DeriveContext with `RECURSIVE` set. | | | 20:0 | `RESERVED` | Reserved | 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte measurement type field | 0x24 + H | `U32` | 31:0 | `TARGET_LOCALITY` | Locality in which `NEW_CONTEXT_HANDLE` will be created if `CHANGE_LOCALITY` is set. 
@@ -1738,7 +1738,7 @@ Table: `UPDATE_CONTEXT_MEASUREMENT_INPUT_ARGS` struct | 0x00 | `U32` | 31:0 | `MAGIC` | Magic number `DPE_COMMAND_MAGIC`. | 0x04 | `U32` | 31:0 | `COMMAND_ID` | `DPE_COMMAND_UPDATE_CONTEXT_MEASUREMENT`. | 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`. -| 0x0C | `BYTES` | 127:0 | `PARENT_CONTEXT_HANDLE` | Handle of the parent context. Required; command fails if null or not found. +| 0x0C | `BYTES` | 127:0 | `PARENT_CONTEXT_HANDLE` | Handle of the parent context. Required; command fails if invalid or not found. | 0x1C | `HASH` | | `INPUT_DATA` | Hash to measure. | 0x1C + H | `BITFIELD` | 31:0 | `RESERVED` | Reserved. | 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte type used to identify the child of `PARENT_CONTEXT_HANDLE` to update.
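Review bot: the inversion in the @@ -313 hunk of patch 4/4 changes the default from allow to deny: every context created without `ALLOW_RECURSIVE` can no longer be the target of `DeriveContext` with `RECURSIVE` set, so existing callers that never set bit 21 lose recursive derivation unless they opt in at creation; the commit message ("Replace BLOCK_RECURSIVE with ALLOW_RECURSIVE") should say this is a compatibility-affecting default change, and the text should say whether the default context established by InitializeContext carries the flag, since no DeriveContext call creates it.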
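Review bot: the `RECURSIVE` description in the @@ -1583 hunk of patch 4/4 requires `ALLOW_RECURSIVE` to "have been set when `CONTEXT_HANDLE` was created", but after a first recursive derivation the caller holds a handle to the context produced by that derivation, on which `ALLOW_RECURSIVE` cannot be set (the @@ -313 hunk makes `ALLOW_RECURSIVE` together with `RECURSIVE` an error). The existing text says a recursive derivation keeps the same flag values as the input context; state that `ALLOW_RECURSIVE` is among the preserved properties, and that UpdateContextMeasurement preserves it too, otherwise the flag permits exactly one recursive derivation.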
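Review bot: in the @@ -1738 hunk of patch 4/4 the cell now says "fails if invalid or not found" while the behavior bullets name two specific cases, the default context handle (`DPE_STATUS_INVALID_ARGUMENT`) and a handle outside the caller's locality (`DPE_STATUS_INVALID_PARENT_LOCALITY`); either mirror those two cases and their status codes in the table cell or point at the behavior section, so the ABI table and the behavior text cannot drift apart.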