Caliptra Runtime Firmware directly maps DPE Clients to their associated PAUSER value, which DPE interprets as their LOCALITY.
Caliptra assigns LOCALITY 0xFFFF_FFFF for itself, and use it to attest to its own measurements (e.g. RTFJ).
For this reason, It should be required for both Caliptra ROM and Runtime Firmware to reject all mailbox transactions coming from PAUSER 0xFFFF_FFFF.
A stash measurement, or a generic DPE command coming from that PAUSER would be otherwise attested as Caliptra measured.
varuns-nvidia
commented
2 weeks ago
Caliptra Runtime Firmware directly maps DPE Clients to their associated PAUSER value, which DPE interprets as their LOCALITY. Caliptra assigns LOCALITY 0xFFFF_FFFF for itself, and use it to attest to its own measurements (e.g. RTFJ).
For this reason, It should be required for both Caliptra ROM and Runtime Firmware to reject all mailbox transactions coming from PAUSER 0xFFFF_FFFF.