Skip to content

Tech review and added context to CCA BootSync LP#3469

Merged
pareenaverma merged 3 commits into
ArmDeveloperEcosystem:mainfrom
pareenaverma:content_review
Jul 16, 2026
Merged

Tech review and added context to CCA BootSync LP#3469
pareenaverma merged 3 commits into
ArmDeveloperEcosystem:mainfrom
pareenaverma:content_review

Conversation

@pareenaverma

Copy link
Copy Markdown
Contributor

Before submitting a pull request for a new Learning Path, please review Create a Learning Path

  • [x ] I have reviewed Create a Learning Path

Please do not include any confidential information in your contribution. This includes confidential microarchitecture details and unannounced product information.

  • [ x] I have checked my contribution for confidential information

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the Creative Commons Attribution 4.0 International License.

@anta5010 anta5010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a few small comments

- Understand how Arm CCA Boot Sync can be used for defining UEFI variables, enabling Secure Boot and share secure data with Arm CCA Realms.
- Lanch Arm CCA Realms with Secure Boot enabled and encrypted file system using an Armv9-A AEM Base Fixed Virtual Platform (FVP) with RME support.
- Explain why BootSync is needed before the Realm guest operating system has networking.
- Describe how the Boot Sync Blocks protocol uses key exchange, attestation, and Boot Information Blocks.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Realm Host Interface specification includes "Boot Injection" appendix which names the protocol as "BIB protocol"
I think this LP should use two difference terms:

  • BootSync - when we describe a workflow
  • BIB protocol (or maybe Boot Injection protocol) - when we mention the protocol used for BootSync

---
# User change
title: "Overview of Arm CCA BootSync and Boot Injection protocol"
title: "Overview of Arm CCA BootSync and Boot Sync Blocks protocol"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BIB protocol


## BootSync protocol stages

The BSB protocol has three logical stages:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BIB protocol

2. Attestation lets the Realm guest firmware request an attestation report from the RMM. The binding key from the secure session is used as challenge data, so the User Context can bind the attestation evidence to this BootSync exchange.
3. Boot Information Blocks release the requested boot data after attestation succeeds. In this Learning Path, those blocks are represented by files whose names begin with the Realm Personalization Value (RPV), such as `ARMCCA01_VAR.dat` and `ARMCCA01_SEC.dat`.

The RPV is important because one User Context service can support multiple Realms. A Realm launched with `--realm-pv ARMCCA01` requests files that start with `ARMCCA01`. If the matching files are missing, BootSync can establish a session and complete attestation, but it cannot provide the requested boot information.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This paragraph and the point 3 above are very implementation specific and not covered by any specs. Maybe we'd better move this information into the workflow page where we manage these files.


The exercises intentionally show both failure and success cases:

- First, you launch a Realm without the variable data file. This demonstrates that the firmware can ask for BootSync data and that the User Context reports a missing `ARMCCA01_VAR.dat` file.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe remove the file name details as well. something like

  • First, you launch a Realm without injection any boot data. This demonstrates that the firmware can run successful attestation and ask for BootSync data.

When the script starts for the first time, it generates Secure Boot signing certificates and creates a Provisioning Data file.
The Provisioning Data is a binary file generated by [GenPd.py](https://gitlab.arm.com/linux-arm/edk2-cca/-/blob/cca/4441_measured_boot_v1/ArmVirtPkg/ArmCcaBootSync/Scripts/GenPd.py) script.
The file contains EFI variables defintions required for enabling SecureBoot.
The file contains UEFI variable definitions required for enabling Secure Boot.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The file contains EFI variables definitions required for enabling UEFI Secure Boot

```

Using `efivar` utility you can check EFI variables to confirm that Secure Boot is not enabled:
Use the `efivar` utility to check the Secure Boot UEFI variable. A value of `0` confirms that Secure Boot is not enabled:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EFI variable

```

Start User Context service:
Start the User Context service again so it can load the new `ARMCCA01_VAR.dat` and `ARMCCA01_SEC.dat` files:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The service doesn't load files when starts. It checks their existence only when is asked for bootsync data.
Maybe just:

  • Relaunch User Context service

```

Using `efivar` utility you can check EFI variables to confirm that Secure Boot is enabled:
Use `efivar` to check the Secure Boot UEFI variable. A value of `1` confirms that Secure Boot is enabled:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EFI variable and UEFI Secure Boot

```

Start User Context service:
Start the User Context service again so it reloads the updated Secret Data file:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Relaunch the User Context service

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @anta5010 addressed all your feedback in 0d3b903

@pareenaverma
pareenaverma merged commit ec2f76b into ArmDeveloperEcosystem:main Jul 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants