# Commits which modify this file MUST generate the new .png!
msc {
tenant [textbgcolor="green"],
host [textbgcolor="red"],
bios [textbgcolor="orange"],
bootloader [textbgcolor="orange"],
kernel [textbgcolor="orange"],
psp [textbgcolor="yellow"];
tenant=>host [label="cert chain request"];
host=>psp [label="cert chain request"];
psp=>host [label="cert chain reply\n(w/ firmware version)"];
host=>tenant [label="cert chain reply\n(w/ firmware version)"];
...;
tenant box tenant [label="validate cert chain"];
tenant box tenant [label="validate fw version"];
tenant box tenant [label="craft exec policy"];
tenant box tenant [label="random cdh keypair"];
tenant box tenant [label="random tek/tik"];
tenant box tenant [label="DH(cdh, pdh) => z"];
tenant box tenant [label="KDF(z) => master"];
tenant box tenant [label="KDF(master) => kek"];
tenant box tenant [label="KDF(master) => kik"];
tenant => host [label="CDH, MAC(tik, policy),\nMAC(kik, ENC(kek, tek||tik))"];
host => psp [label="CDH, MAC(tik, policy),\nMAC(kik, ENC(kek, tek||tik))"];
psp box psp [label="DH(cdh, pdh) => z"];
psp box psp [label="KDF(z) => master"];
psp box psp [label="KDF(master) => kek"];
psp box psp [label="KDF(master) => kik"];
psp box psp [label="check MAC(kik, ...)"];
psp box psp [label="DEC(kek, tek||tik)"];
host => psp [label="guest pages"];
psp box psp [label="measure guest pages"];
psp => host [label="MAC(tik, measurement)"];
host => tenant [label="MAC(tik, measurement)"];
tenant box tenant [label="validate measure"];
tenant box tenant [label="prepare metadata"];
tenant => host [label="enc = ENC(tek, metadata)\nMAC(tik, enc)"];
host => psp [label="enc = ENC(tek, metadata)\nMAC(tik, enc)"];
psp => bios [label="decrypt metadata into guest memory"];
--- [label="VM START"];
bios => bootloader [label="metadata"];
bootloader => kernel [label="metadata"];
kernel box kernel [label="unlock volume"];
--- [label="BOOT COMPLETE"];
}
