RSE: Re-add routing tables and rse_id to OTP

jaccoo01 · adeaarm · commit f6f6aa82daaf · 2025-06-13T17:11:34.000Z
Routing tables and rse_id were removed from the provisioning bundle
binary generation as part of the refactor (but the fields remained in
the OTP layout structures).

Use the new structure defining the routing tables for a single RSE in
the OTP layout and populate it using the previously generated pickle
file. This requires the generation of individual bundles for each
separate RSE in the system and therefore we add the CMake logic to
facilitate this. We only change the blob naming in the case unique
bundles are required so this does not impact platforms that do not use
this feature.

Change-Id: I9082ae435114308139c48ffd3bab158f27258896
Signed-off-by: Jackson Cooper-Driver &lt;jackson.cooper-driver@arm.com&gt;
diff --git a/platform/ext/target/arm/rse/common/otp_lcm.c b/platform/ext/target/arm/rse/common/otp_lcm.c
@@ -132,8 +132,8 @@ struct otp_mapping_t{
     [PLAT_OTP_ID_RSE_ID] = USER_AREA_MAPPING(cm, rse_id),
 #endif
 #ifdef RSE_OTP_HAS_ROUTING_TABLES
-    [PLAT_OTP_ID_RSE_TO_RSE_SENDER_ROUTING_TABLE] = USER_AREA_MAPPING(dm, rse_to_rse_sender_routing_table),
-    [PLAT_OTP_ID_RSE_TO_RSE_RECEIVER_ROUTING_TABLE] = USER_AREA_MAPPING(dm, rse_to_rse_receiver_routing_table),
+    [PLAT_OTP_ID_RSE_TO_RSE_SENDER_ROUTING_TABLE] = USER_AREA_MAPPING(dm, routing_tables.send),
+    [PLAT_OTP_ID_RSE_TO_RSE_RECEIVER_ROUTING_TABLE] = USER_AREA_MAPPING(dm, routing_tables.receive),
 #endif
 };
 
diff --git a/platform/ext/target/arm/rse/common/provisioning/bundle/CMakeLists.txt b/platform/ext/target/arm/rse/common/provisioning/bundle/CMakeLists.txt
@@ -309,6 +309,11 @@ if (TFM_DUMMY_PROVISIONING)
         ${TFM_BL2_ENCRYPTION_KEY_PATH}
     )
 
+    set(DM_BUNDLE_SCRIPT_DEPS
+        $<$<BOOL:${RSE_OTP_HAS_ROUTING_TABLES}>:routing_tables_pickle>
+        $<$<BOOL:${RSE_OTP_HAS_ROUTING_TABLES}>:${CMAKE_CURRENT_BINARY_DIR}/../../config/routing_tables.pickle>
+    )
+
     set(DM_BUNDLE_SCRIPT_ARGS
         $<$<EQUAL:${TFM_BL1_2_SIGNER_AMOUNT},2>:--non_secret_dm:dm.rotpk_areas_0.rotpk_0=${TFM_BL1_2_DM_SIGNING_KEY_PATH}>
         $<$<EQUAL:${TFM_BL1_2_SIGNER_AMOUNT},2>:--non_secret_dm:dm.rotpk_areas_0.rotpk_policy_0=RSE_ROTPK_POLICY_SIG_OPTIONAL>
@@ -319,6 +324,8 @@ if (TFM_DUMMY_PROVISIONING)
         --non_secret_dm:dm.rotpk_areas_0.rotpk_policy_1 RSE_ROTPK_POLICY_SIG_REQUIRED
         --non_secret_dm:dm.rotpk_areas_0.rotpk_type_1 RSE_ROTPK_TYPE_${MCUBOOT_ROTPK_TYPE}
         --non_secret_dm:dm.rotpk_areas_0.rotpk_hash_alg_1 RSE_ROTPK_HASH_ALG_${MCUBOOT_ROTPK_HASH_ALG}
+
+        $<$<BOOL:${RSE_OTP_HAS_ROUTING_TABLES}>:--routing_tables=${CMAKE_CURRENT_BINARY_DIR}/../../config/routing_tables.pickle>
     )
 
     if (RSE_DM_CHAINED_PROVISIONING)
@@ -331,41 +338,83 @@ if (TFM_DUMMY_PROVISIONING)
         endif()
     endif()
 
-    generate_provisioning_bundle(
-        cm_provisioning # bundle type
-        ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/create_cm_provisioning_bundle.py # script
-        cm_provisioning_code # cmake executable target
-        "${RSE_CM_BLOB_VERSION}" # blob version
-        "CM" # valid LCS states
-        "${RSE_SYMMETRIC_PROVISIONING}" # symmetric provisioning enabled
-        "${RSE_PROVISIONING_CM_SIGNATURE_CONFIG}" # signature config
-        "${RSE_CM_PROVISIONING_SIGNING_KEY}" # signature key (if asymmetric)
-        ${CMAKE_BINARY_DIR}/bin/keys/kprov_cm.bin # encryption key
-        "" # PK not in ROM configuration (not for CM)
-        "" # CM ROTPK index if PK not in ROM == CM_ROTPK (not for CM)
-        "${RSE_PROVISIONING_CM_ENCRYPT_CODE_DATA}" # encrypt code and data
-        ON # encrypt secret values
-        "${CM_BUNDLE_SCRIPT_ARGS}" # OTP values args
-        "${CM_BUNDLE_SCRIPT_DEPS}" # script specific CMake dependencies
-    )
+    if (NOT RSE_OTP_HAS_RSE_ID AND NOT RSE_OTP_HAS_ROUTING_TABLES)
+        set(RSE_REQUIRES_UNIQUE_BUNDLES OFF)
+        set(RSE_AMOUNT_LOOP_RANGE 0)
+    else()
+        set(RSE_REQUIRES_UNIQUE_BUNDLES ON)
+        math(EXPR RSE_AMOUNT_LOOP_RANGE "${RSE_AMOUNT} - 1")
+    endif()
 
-    generate_provisioning_bundle(
-        dm_provisioning # bundle type
-        ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/create_dm_provisioning_bundle.py # script
-        dm_provisioning_code # cmake executable target
-        "${RSE_DM_BLOB_VERSION}" # blob version
-        "DM" # valid LCS states
-        "${RSE_SYMMETRIC_PROVISIONING}" # symmetric provisioning enabled
-        "${MAIN_DM_BUNDLE_SIGNATURE_CONFIG}" # signature config
-        "${RSE_CM_PROVISIONING_SIGNING_KEY}" # signature key (if asymmetric)
-        ${CMAKE_BINARY_DIR}/bin/keys/kprov_dm.bin # encryption key
-        "${MAIN_DM_BUNDLE_NOT_IN_ROM_SIGNATURE_CONFIG}" # PK not in ROM configuration
-        "${RSE_PROVISIONING_DM_SIGN_KEY_CM_ROTPK_IDX}" # CM ROTPK index if PK not in ROM == CM_ROTPK
-        "${RSE_PROVISIONING_DM_ENCRYPT_CODE_DATA}" # encrypt code and data
-        ON # encrypt secret values
-        "${DM_BUNDLE_SCRIPT_ARGS}" # OTP values args
-        "" # No additional dependencies
+    foreach(RSE_ID RANGE ${RSE_AMOUNT_LOOP_RANGE})
+        if (RSE_REQUIRES_UNIQUE_BUNDLES)
+            set(BUNDLE_SUFFIX "_${RSE_ID}")
+        else()
+            set(BUNDLE_SUFFIX "")
+        endif()
+        set(CM_BUNDLE_SCRIPT_ARGS_TEMP
+            ${CM_BUNDLE_SCRIPT_ARGS}
+            $<$<BOOL:${RSE_OTP_HAS_RSE_ID}>:--non_secret_cm:cm.rse_id=${RSE_ID}>
+        )
+        set(DM_BUNDLE_SCRIPT_ARGS_TEMP
+            ${DM_BUNDLE_SCRIPT_ARGS}
+            $<$<BOOL:${RSE_OTP_HAS_ROUTING_TABLES}>:--routing_tables_idx=${RSE_ID}>
+        )
+
+        generate_provisioning_bundle(
+            "cm_provisioning${BUNDLE_SUFFIX}" # bundle type
+            ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/create_cm_provisioning_bundle.py # script
+            cm_provisioning_code # cmake executable target
+            "${RSE_CM_BLOB_VERSION}" # blob version
+            "CM" # valid LCS states
+            "${RSE_SYMMETRIC_PROVISIONING}" # symmetric provisioning enabled
+            "${RSE_PROVISIONING_CM_SIGNATURE_CONFIG}" # signature config
+            "${RSE_CM_PROVISIONING_SIGNING_KEY}" # signature key (if asymmetric)
+            ${CMAKE_BINARY_DIR}/bin/keys/kprov_cm.bin # encryption key
+            "" # PK not in ROM configuration (not for CM)
+            "" # CM ROTPK index if PK not in ROM == CM_ROTPK (not for CM)
+            "${RSE_PROVISIONING_CM_ENCRYPT_CODE_DATA}" # encrypt code and data
+            ON # encrypt secret values
+            "${CM_BUNDLE_SCRIPT_ARGS_TEMP}" # OTP values args
+            "${CM_BUNDLE_SCRIPT_DEPS}" # script specific CMake dependencies
+        )
+
+        generate_provisioning_bundle(
+            "dm_provisioning${BUNDLE_SUFFIX}" # bundle type
+            ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/create_dm_provisioning_bundle.py # script
+            dm_provisioning_code # cmake executable target
+            "${RSE_DM_BLOB_VERSION}" # blob version
+            "DM" # valid LCS states
+            "${RSE_SYMMETRIC_PROVISIONING}" # symmetric provisioning enabled
+            "${MAIN_DM_BUNDLE_SIGNATURE_CONFIG}" # signature config
+            "${RSE_CM_PROVISIONING_SIGNING_KEY}" # signature key (if asymmetric)
+            ${CMAKE_BINARY_DIR}/bin/keys/kprov_dm.bin # encryption key
+            "${MAIN_DM_BUNDLE_NOT_IN_ROM_SIGNATURE_CONFIG}" # PK not in ROM configuration
+            "${RSE_PROVISIONING_DM_SIGN_KEY_CM_ROTPK_IDX}" # CM ROTPK index if PK not in ROM == CM_ROTPK
+            "${RSE_PROVISIONING_DM_ENCRYPT_CODE_DATA}" # encrypt code and data
+            ON # encrypt secret values
+            "${DM_BUNDLE_SCRIPT_ARGS_TEMP}" # OTP values args
+            "" # No additional dependencies
+        )
+
+        generate_provisioning_bundle(
+            "combined_provisioning${BUNDLE_SUFFIX}" # bundle type
+            ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/create_combined_provisioning_bundle.py # script
+            combined_provisioning_code # cmake executable target
+            "${RSE_CM_BLOB_VERSION}" # blob version
+            "CM;DM" # valid LCS states
+            "${RSE_SYMMETRIC_PROVISIONING}" # symmetric provisioning enabled
+            "${RSE_PROVISIONING_DM_SIGNATURE_CONFIG}" # signature config
+            "${RSE_CM_PROVISIONING_SIGNING_KEY}" # signature key (if asymmetric)
+            ${CMAKE_BINARY_DIR}/bin/keys/kprov_cm.bin # encryption key
+            "CM_ROTPK" # PK not in ROM configuration
+            "${RSE_PROVISIONING_DM_SIGN_KEY_CM_ROTPK_IDX}" # CM ROTPK index if PK not in ROM == CM_ROTPK
+            "${RSE_PROVISIONING_CM_ENCRYPT_CODE_DATA}" # encrypt code and data
+            ON # encrypt secret values
+            "${CM_BUNDLE_SCRIPT_ARGS_TEMP};${DM_BUNDLE_SCRIPT_ARGS_TEMP}" # OTP values args
+            "${CM_BUNDLE_SCRIPT_DEPS}" # script specific CMake dependencies
     )
+    endforeach()
 
     if (RSE_DM_CHAINED_PROVISIONING)
         generate_provisioning_bundle(
@@ -387,24 +436,6 @@ if (TFM_DUMMY_PROVISIONING)
         )
     endif()
 
-    generate_provisioning_bundle(
-        combined_provisioning # bundle type
-        ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/create_combined_provisioning_bundle.py # script
-        combined_provisioning_code # cmake executable target
-        "${RSE_CM_BLOB_VERSION}" # blob version
-        "CM;DM" # valid LCS states
-        "${RSE_SYMMETRIC_PROVISIONING}" # symmetric provisioning enabled
-        "${RSE_PROVISIONING_DM_SIGNATURE_CONFIG}" # signature config
-        "${RSE_CM_PROVISIONING_SIGNING_KEY}" # signature key (if asymmetric)
-        ${CMAKE_BINARY_DIR}/bin/keys/kprov_cm.bin # encryption key
-        "CM_ROTPK" # PK not in ROM configuration
-        "${RSE_PROVISIONING_DM_SIGN_KEY_CM_ROTPK_IDX}" # CM ROTPK index if PK not in ROM == CM_ROTPK
-        "${RSE_PROVISIONING_CM_ENCRYPT_CODE_DATA}" # encrypt code and data
-        ON # encrypt secret values
-        "${CM_BUNDLE_SCRIPT_ARGS};${DM_BUNDLE_SCRIPT_ARGS}" # OTP values args
-        "${CM_BUNDLE_SCRIPT_DEPS}" # script specific CMake dependencies
-    )
-
     if (RSE_NON_ENDORSED_DM_PROVISIONING)
         generate_provisioning_bundle(
             plain_data_handler_provisioning # bundle type
diff --git a/platform/ext/target/arm/rse/common/rse_otp_layout.h b/platform/ext/target/arm/rse/common/rse_otp_layout.h
@@ -12,6 +12,7 @@
 
 #include "rse_otp_config.h"
 #include "lcm_otp_layout.h"
+#include "rse_routing_tables.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -124,8 +125,7 @@ __PACKED_STRUCT rse_otp_dm_area_t {
     uint32_t config_flags;
 
 #ifdef RSE_OTP_HAS_ROUTING_TABLES
-    uint32_t rse_to_rse_sender_routing_table[RSE_ROUTING_TABLES_SIZE];
-    uint32_t rse_to_rse_receiver_routing_table[RSE_ROUTING_TABLES_SIZE];
+    struct rse_single_node_routing_tables_t routing_tables;
 #endif
 
 #ifdef RSE_OTP_DM_SUBPLATFORM_ITEMS
diff --git a/platform/ext/target/arm/rse/common/scripts/create_combined_provisioning_bundle.py b/platform/ext/target/arm/rse/common/scripts/create_combined_provisioning_bundle.py
@@ -29,6 +29,8 @@
 import provisioning_config as pc
 from provisioning_config import Provisioning_config
 
+from routing_tables import Routing_tables
+
 
 def add_arguments(parser : argparse.ArgumentParser,
                   prefix : str = "",
@@ -74,6 +76,9 @@ def parse_args(args : argparse.Namespace,
     kwargs['otp_config'].set_cm_offsets_automatically()
     kwargs['otp_config'].set_dm_offsets_automatically()
     kwargs['provisioning_config'].set_area_infos_from_otp_config(**kwargs)
+    if 'routing_tables_idx' in kwargs:
+        assert 'routing_tables' in kwargs
+        kwargs['provisioning_config'].set_routing_tables(kwargs['routing_tables_idx'],kwargs['routing_tables'])
 
     logger.debug(kwargs['provisioning_config'].non_secret_cm_layout)
     logger.debug(kwargs['provisioning_config'].secret_cm_layout)
diff --git a/platform/ext/target/arm/rse/common/scripts/create_dm_provisioning_bundle.py b/platform/ext/target/arm/rse/common/scripts/create_dm_provisioning_bundle.py
@@ -26,27 +26,36 @@
 import provisioning_config as pc
 from provisioning_config import Provisioning_config
 
+import routing_tables as rt
+from routing_tables import Routing_tables
+
 
 def add_arguments(parser : argparse.ArgumentParser,
                   prefix : str = "",
                   required : bool = True,
                   ) -> None:
     oc.add_arguments(parser, prefix, required)
+    rt.add_arguments(parser, prefix, required=False)
     pc.add_arguments(parser, prefix, required, regions=["non_secret_dm", "secret_dm"])
     pmc.add_arguments(parser, prefix, required,
                       message_type="RSE_PROVISIONING_MESSAGE_TYPE_BLOB")
 
     arg_utils.add_prefixed_argument(parser, "provisioning_code_elf", prefix, help="provisioning code image elf file",
                                             type=arg_utils.arg_type_elf_section(["CODE", "DATA"]), required=True)
+    arg_utils.add_prefixed_argument(parser, "routing_tables_idx", prefix,
+                                    help="The index within the system wide routing table to add to the provisioning bundle",
+                                    type=int, required=False)
 
 def parse_args(args : argparse.Namespace,
                prefix : str = "",
                default_field_owner : str = "dm"
                ) -> dict:
     out = {}
     out |= dict(zip(["code", "elf_data"], arg_utils.get_arg(args, "provisioning_code_elf", prefix)))
+    out |= arg_utils.parse_args_automatically(args, ["routing_tables_idx"], prefix)
 
     out |= oc.parse_args(args, prefix=prefix)
+    out |= rt.parse_args(args, prefix=prefix)
     out |= pc.parse_args(args, prefix=prefix, otp_config = out["otp_config"])
     out |= pmc.parse_args(args, prefix=prefix)
 
@@ -79,6 +88,9 @@ def parse_args(args : argparse.Namespace,
 
     kwargs['otp_config'].set_dm_offsets_automatically()
     kwargs['provisioning_config'].set_area_infos_from_otp_config(**kwargs)
+    if 'routing_tables_idx' in kwargs:
+        assert 'routing_tables' in kwargs
+        kwargs['provisioning_config'].set_routing_tables(kwargs['routing_tables_idx'],kwargs['routing_tables'])
 
     logger.debug(kwargs['provisioning_config'].non_secret_dm_layout)
     logger.debug(kwargs['provisioning_config'].secret_dm_layout)
diff --git a/platform/ext/target/arm/rse/common/scripts/modules/provisioning_config.py b/platform/ext/target/arm/rse/common/scripts/modules/provisioning_config.py
@@ -15,6 +15,7 @@
 import arg_utils
 import argparse
 from otp_config import OTP_config
+from routing_tables import Routing_tables
 from cryptography.hazmat.primitives import hashes
 
 import logging
@@ -396,6 +397,11 @@ def set_area_infos_from_otp_config(self,
             if dm_sets_dm_and_dynamic_area_size:
                 self.__get_layout_field_and_set(False, "dynamic_area_info", otp_config.header.dynamic_area_info.to_bytes())
 
+    def set_routing_tables(self,
+                           idx : int,
+                           routing_tables : Routing_tables):
+        self.non_secret_dm_layout.dm.routing_tables.set_value_from_bytes(routing_tables.get_rse_routing_table_bytes(idx))
+
 script_description = """
 This script takes an instance of rse_provisioning_layout.h, rse_rotpk_policy.h,
 and a set of definitions (extracted from compile_commands.json), and creates a
