72 changes: 70 additions & 2 deletions specifications/dpe-irot-profile/spec.ocp
Expand Up @@ -280,6 +280,9 @@ specification which are omitted by this profile:
* An implementation may choose not to support `INTERNAL_INPUT_INFO` or
`INTERNAL_INPUT_DICE`. If either is not supported and the bit is set, return
`DPE_STATUS_INVALID_ARGUMENT`.
* If a direct child of `CONTEXT_HANDLE` with the same `INPUT_TYPE` already exists,
this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`. Each `INPUT_TYPE`
value SHALL be unique among the direct children of a given context.
* If the current number of active TCI nodes is equal to `MAX_CONTEXTS`, this
command SHALL fail with argument `DPE_STATUS_OUT_OF_MEMORY`.
* `RETAIN_PARENT_CONTEXT`:
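Review bot: the new uniqueness rule ("Each `INPUT_TYPE` value SHALL be unique among the direct children of a given context") should state whether it is evaluated when `RECURSIVE` is set, since a recursive derivation extends `CONTEXT_HANDLE` itself rather than creating a new direct child and so has no new child to compare against. It would also help to give the check an explicit position relative to the `MAX_CONTEXTS` check two bullets below, because a caller that hits both conditions would otherwise see an implementation-defined choice between `DPE_STATUS_INVALID_ARGUMENT` and `DPE_STATUS_OUT_OF_MEMORY`.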
Expand Down Expand Up @@ -310,6 +313,14 @@ specification which are omitted by this profile:
`INTERNAL_INPUT_DICE` SHALL be ignored. The resulting context
will have the same values for these flags as the input
`CONTEXT_HANDLE`.
* If `CONTEXT_HANDLE` refers to a context for which `ALLOW_RECURSIVE`
was NOT set during creation, this command SHALL fail with
`DPE_STATUS_INVALID_ARGUMENT`.
* `ALLOW_RECURSIVE`
* If set, the generated context SHALL have `ALLOW_RECURSIVE` stored as
a context property.
* If `RECURSIVE` is also set, this command SHALL fail with
`DPE_STATUS_INVALID_ARGUMENT`.
* If `CREATE_CERTIFICATE` is set, `EXPORT_CDI` SHALL also be set. Else, this
command SHALL fail.
* If `CREATE_CERTIFICATE` is set, `RETURN_CERTIFICATE` SHALL also be
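Review bot: the rule "If `CONTEXT_HANDLE` refers to a context for which `ALLOW_RECURSIVE` was NOT set during creation, this command SHALL fail" does not say how the default context is treated, since it is not created through DeriveContext and therefore never had `ALLOW_RECURSIVE` set; either state that the default context is treated as not recursively derivable or list it as an exception. Minor style point: the new `* `ALLOW_RECURSIVE`` heading bullet is missing the trailing colon used by `* `RETAIN_PARENT_CONTEXT`:` above.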
Expand Down Expand Up @@ -442,6 +453,35 @@ specification which are not relevant for this command:
* If `OFFSET` is greater than the full size of the certificate chain, this
command SHALL fail.

### UpdateContextMeasurement

UpdateContextMeasurement is a vendor command that allows the holder of a parent
context handle to update the TCI measurement of a child context. This is
semanticaly equivalent to `DeriveContext` with `RECURSIVE` set, but enforces that
the caller proves ownership of the parent context. Unlike `DeriveContext(RECURSIVE=true)`,
this command is permitted even if `ALLOW_RECURSIVE` was NOT set on the child context,
because the update is authorized by the parent rather than by the child context holder.

#### Behavior

* `PARENT_CONTEXT_HANDLE` is required. If `PARENT_CONTEXT_HANDLE` is the default
context handle (all-zero bytes), this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`.
* `PARENT_CONTEXT_HANDLE` SHALL exist in the caller's locality. If it does not,
this command SHALL fail with `DPE_STATUS_INVALID_PARENT_LOCALITY`.
* The child context to be updated is identified by `PARENT_CONTEXT_HANDLE` and
`INPUT_TYPE`. DPE SHALL select the direct child of `PARENT_CONTEXT_HANDLE` whose
type matches `INPUT_TYPE`.
* If no direct child of `PARENT_CONTEXT_HANDLE` has a type matching `INPUT_TYPE`,
this command SHALL fail with `DPE_STATUS_INVALID_ARGUMENT`.
* The identified child context's TCI SHALL be updated as described in
ocp.recursive-derivation.extend-tci.
* The `INTERNAL_INPUT_INFO` and `INTERNAL_INPUT_DICE` settings of the child context
are not modified by this command; the values established at context creation
via DeriveContext are preserved.
* `NEW_CONTEXT_HANDLE` SHALL be a rotated handle for the updated child context.
* `NEW_PARENT_CONTEXT_HANDLE` SHALL be a rotated handle for `PARENT_CONTEXT_HANDLE`,
as if `RETAIN_PARENT_CONTEXT` were always set.

## Cryptographic Algorithms

Profile `DPE_PROFILE_IROT_P256_SHA256` requires support for the following
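Review bot: the Behavior list for UpdateContextMeasurement never mentions `INPUT_DATA` or `INPUT_SVN`, although both appear in `UPDATE_CONTEXT_MEASUREMENT_INPUT_ARGS`; the "TCI SHALL be updated as described in ocp.recursive-derivation.extend-tci" bullet should say which fields feed that update. Two further gaps a reader will hit: the bullets only cover `PARENT_CONTEXT_HANDLE` being absent from the caller's locality, whereas the ABI table says the command "fails if invalid or not found", so the status for a handle that exists nowhere should be stated; and because `NEW_CONTEXT_HANDLE` is a rotated handle for the child, the previous child handle held by another caller is implicitly invalidated, which deserves an explicit sentence (and a statement of which locality the rotated child handle lives in when the child was created with `CHANGE_LOCALITY`). Typo in the first paragraph: "semanticaly" should be "semantically".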
Expand Down Expand Up @@ -1334,6 +1374,7 @@ Table: Command IDs
`DPE_COMMAND_DESTROY_CONTEXT` | 0xF
`DPE_COMMAND_GET_CERTIFICATE_CHAIN` | 0x10
Reserved Range for Vendor Commands | 0x80000000 - 0x8000FFFF
`DPE_COMMAND_UPDATE_CONTEXT_MEASUREMENT` | 0x80000000

Table: Status Codes

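Review bot: the new row assigns `DPE_COMMAND_UPDATE_CONTEXT_MEASUREMENT` the value 0x80000000, which is also the first value of the "Reserved Range for Vendor Commands" row directly above it; to avoid the table reading as a conflict, reword the reserved row (for example, "Vendor command range; assignments for this profile follow") or note that the vendor range is allocated by the profile and list the assigned IDs beneath it.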
Expand All @@ -1352,6 +1393,7 @@ Table: Status Codes
`DPE_STATUS_HANDLE_DEFINED` | 0x82 | Passed handle is already defined.
`DPE_STATUS_ARGUMENT_NOT_SUPPORTED` | 0x83 | Argument is not supported by this profile, implementation, or integration.
`DPE_STATUS_ALREADY_INITIALIZED` | 0x84 | InitializeContext has already been called on this DPE reset cycle
`DPE_STATUS_INVALID_PARENT_LOCALITY` | 0x85 | Parent ContextHandle does not exist in the caller's locality.

Table: Magic Constants

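Review bot: `DPE_STATUS_INVALID_PARENT_LOCALITY` is described as "Parent ContextHandle does not exist in the caller's locality", which leaves it ambiguous whether the code is returned only when the handle exists in a different locality or also when it does not exist at all. The two cases should be distinguished deliberately: a distinct code for "exists elsewhere" lets a caller probe for handles outside its locality, so if that distinction is not needed, returning the same status for both cases is the safer choice, and the description should say so.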
Expand Down Expand Up @@ -1541,10 +1583,11 @@ Table: `DERIVE_CONTEXT_INPUT_ARGS` struct
| | | 27 | `CHANGE_LOCALITY` | Whether `NEW_CONTEXT_HANDLE` is created in a different locality than the caller's locality.
| | | 26 | `ALLOW_NEW_CONTEXT_TO_EXPORT` | Whether callers referencing the new context can export the CDI.
| | | 25 | `INPUT_ALLOW_X509` | Whether callers referencing the new context can request an X.509 cert. If false, the context can only request a CSR.
| | | 24 | `RECURSIVE` | If set, do a recursive derivation on `CONTEXT_HANDLE`.
| | | 24 | `RECURSIVE` | If set, do a recursive derivation on `CONTEXT_HANDLE`. `ALLOW_RECURSIVE` MUST have been set when `CONTEXT_HANDLE` was created, or this command SHALL fail.
| | | 23 | `EXPORT_CDI` | Whether CDI should be exported for this context.
| | | 22 | `CREATE_CERTIFICATE` | Whether a certificate is generated for the derived context.
| | | 21:0 | `RESERVED` | Reserved
| | | 21 | `ALLOW_RECURSIVE` | If set, the generated context SHALL be allowed to call DeriveContext with `RECURSIVE` set.
| | | 20:0 | `RESERVED` | Reserved
| 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte measurement type field
| 0x24 + H | `U32` | 31:0 | `TARGET_LOCALITY` | Locality in which `NEW_CONTEXT_HANDLE` will be created if `CHANGE_LOCALITY` is set.
| 0x28 + H | `U32` | 31:0 | `INPUT_SVN` | SVN added to TCI node. Callers SHOULD set this field to `0` when SVN is unused.
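Review bot: the updated `RECURSIVE` description uses "MUST have been set" while every other new requirement in this change (and the behavior text for the same rule) uses SHALL; pick one keyword. The description also repeats the gap noted in the behavior section: it does not say how the default context, which was not created by DeriveContext, is treated. Reassigning bit 21 from `RESERVED` to `ALLOW_RECURSIVE` and narrowing the reserved range to 20:0 is consistent, but since the bit was previously reserved, state that implementations SHALL reject (or ignore) bit 21 from callers that target profiles without this flag, so older callers that set reserved bits to zero keep their current behavior.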
Expand Down Expand Up @@ -1685,3 +1728,28 @@ Table: `GET_CERTIFICATE_CHAIN_OUTPUT_ARGS` struct
| 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`.
| 0x0C | `U32` | 31:0 | `CERTIFICATE_SIZE` | Number of bytes used in `CERTIFICATE_CHAIN`. Can be smaller than requested if no bytes are left to read.
| 0x10 | `BYTES` | 16383:0 | `CERTIFICATE_CHAIN` | Returned certificate chain. This may be a partial certificate chain.

#### UpdateContextMeasurement ABI

Table: `UPDATE_CONTEXT_MEASUREMENT_INPUT_ARGS` struct

| **Byte Offset** | **Type** | **Bits** | **Name** | **Description**
| --------- | -------------- | --------- | -------------------------------- | ---------------------------------------------------------
| 0x00 | `U32` | 31:0 | `MAGIC` | Magic number `DPE_COMMAND_MAGIC`.
| 0x04 | `U32` | 31:0 | `COMMAND_ID` | `DPE_COMMAND_UPDATE_CONTEXT_MEASUREMENT`.
| 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`.
| 0x0C | `BYTES` | 127:0 | `PARENT_CONTEXT_HANDLE` | Handle of the parent context. Required; command fails if invalid or not found.
| 0x1C | `HASH` | | `INPUT_DATA` | Hash to measure.
| 0x1C + H | `BITFIELD` | 31:0 | `RESERVED` | Reserved.
| 0x20 + H | `BYTES` | 31:0 | `INPUT_TYPE` | 4-byte type used to identify the child of `PARENT_CONTEXT_HANDLE` to update.
| 0x24 + H | `U32` | 31:0 | `INPUT_SVN` | SVN added to TCI node. Callers SHOULD set this field to `0` when SVN is unused.

Table: `UPDATE_CONTEXT_MEASUREMENT_OUTPUT_ARGS` struct

| **Byte Offset** | **Type** | **Bits** | **Name** | **Description**
| --------- | ---------- | ------- | ------------------------------- | --------------------------------------------------
| 0x00 | `U32` | 31:0 | `MAGIC` | Magic number `DPE_RESPONSE_MAGIC`.
| 0x04 | `U32` | 31:0 | `STATUS` | One of `DPE_STATUS_*`.
| 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_*`.
| 0x0C | `BYTES` | 127:0 | `NEW_CONTEXT_HANDLE` | Rotated handle for the updated child context.
| 0x1C | `BYTES` | 127:0 | `NEW_PARENT_CONTEXT_HANDLE` | Rotated handle for the parent context.
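Review bot: the `RESERVED` bitfield at offset 0x1C + H in `UPDATE_CONTEXT_MEASUREMENT_INPUT_ARGS` has no stated caller or DPE requirement; add "Callers SHALL set to 0; DPE SHALL fail with `DPE_STATUS_INVALID_ARGUMENT` if non-zero" (or "DPE SHALL ignore") so the field can be repurposed later without ambiguity. The `PARENT_CONTEXT_HANDLE` description "command fails if invalid or not found" should name the status code(s), matching the Behavior list, and the empty Bits cell for the `HASH`-typed `INPUT_DATA` row should follow whatever convention the `DERIVE_CONTEXT_INPUT_ARGS` table uses for its hash field. The offsets themselves check out: 0x0C + 16 bytes of handle lands at 0x1C in both structs, and the input layout after the hash mirrors the DeriveContext layout (RESERVED at 0x1C + H, `INPUT_TYPE` at 0x20 + H, `INPUT_SVN` at 0x24 + H).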