@startuml
skinparam ParticipantPadding 10
skinparam BoxPadding 10
box AP
participant RMM
participant BL31
endbox
box RSE
participant DelegAttest
participant InitAttest
participant MeasuredBoot
participant Crypto
endbox

== RMM Boot phase ==

RMM -> BL31: get_realm_key(\n\t**hash_algo**, ...)
BL31 -> DelegAttest: get_delegated_key
DelegAttest -> MeasuredBoot: read_measurement
Rnote over DelegAttest: Compute input\nfor key derivation\n(hash of measurements)
DelegAttest -> Crypto: derive_key
Rnote over DelegAttest: Compute public key\nhash with **hash_algo**.
Rnote over Crypto: Seed is provisioned\nin the factory.
DelegAttest --> BL31: get_delegated_key
BL31 --> RMM: get_realm_key
Rnote over RMM: Only private key\nis returned. Public\nkey and its hash\nmust be computed.\nPublic key is included\nin the realm token.\nIts hash is the input\nfor get_platform_token
RMM -> BL31: get_platform_token(\n\t**pub_key_hash**, ...)
BL31 -> DelegAttest: get_delegated_token
Rnote over DelegAttest: Check **pub_key_hash**\nagainst derived key.
DelegAttest -> InitAttest: get_initial_token
Rnote over InitAttest: Create the token including\nthe **pub_key_hash** as the\nchallenge claim
InitAttest -> MeasuredBoot: read_measurement
InitAttest -> Crypto: sign_token
InitAttest --> DelegAttest: get_initial_token
DelegAttest --> BL31: get_delegated_token
BL31 --> RMM: get_platform_token
Rnote over RMM: Platform token is\ncached. It is not\nchanging within\na power cycle.
@enduml