Hello, I am currently developing with the Multi-RSE Topology and have an inquiry regarding the following:

1. Overview & Environment

2. Background & Code Analysis

We are currently analyzing the BL1 boot sequence code to set up a Multi-RSE environment. Looking at the boot_platform_post_init() function in platform/ext/target/arm/rse/common/bl1/boot_hal_bl1_2.c, the vHUK is generated in the following sequence:

  1. Calls rse_derive_vhuk_seed()

  2. Checks the CM_POLICIES_VHUK_AGREEMENT_REQUIRED policy, then executes rse_handshake(vhuk_seed)

  3. Calls rse_setup_vhuk() to derive the final vHUK based on the aggregated Seed array.

3. Issue Description

However, upon analyzing the operational structure in rse_handshake.c, we suspect a synchronization defect exists where the Server (Primary RSE) and multiple Clients (Secondary RSEs) will end up generating different final vHUKs.

4. Questions

  1. Is this behavior (returning an incomplete Seed array based on the client connection order) an intended operation within the security architecture?

  2. If this is not intended, is this a known bug in TF-M 2.2.2 where the logic for the Server to broadcast (or perform a 2-Phase synchronization of) the completed array to all clients after gathering all seeds is missing?

  3. Could you please provide a workaround for this issue, or guide us to a specific patch/commit if this has been resolved in a newer version?

Thank you in advance for your support.
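
A toy model of the mismatch the post suspects and of the two-phase alternative it asks about, added here as an illustration; it is not TF-M code and not part of the original post. run_handshake(), the three-RSE topology, the zero-filled missing slots and the FNV-1a stand-in for the key derivation are all assumptions.

```c
/* Toy model, NOT TF-M code: all names and behaviour here are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_RSE 3  /* assumed topology: 1 server (index 0) + 2 clients */

/* Stand-in for the real key derivation: FNV-1a over the whole seed array. */
static uint64_t derive_vhuk(const uint32_t seeds[NUM_RSE])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const uint8_t *p = (const uint8_t *)seeds;
    for (size_t i = 0; i < NUM_RSE * sizeof(uint32_t); i++)
        h = (h ^ p[i]) * 0x100000001b3ULL;
    return h;
}

/* The server collects client seeds in connection order.
 * two_phase == 0: each client is answered at once with the array as filled
 *                 so far (the suspected behaviour; missing slots stay zero).
 * two_phase == 1: replies go out only after every seed has been gathered.
 * Returns how many RSEs end up with the same vHUK as the server. */
int run_handshake(const uint32_t own_seed[NUM_RSE], int two_phase,
                  uint64_t vhuk_out[NUM_RSE])
{
    uint32_t server[NUM_RSE] = { own_seed[0] };
    uint32_t view[NUM_RSE][NUM_RSE] = {{0}};
    int agree = 0;

    for (int c = 1; c < NUM_RSE; c++) {
        server[c] = own_seed[c];
        if (!two_phase) memcpy(view[c], server, sizeof(server)); /* partial */
    }
    memcpy(view[0], server, sizeof(server));
    for (int c = 1; c < NUM_RSE && two_phase; c++)
        memcpy(view[c], server, sizeof(server));                 /* complete */
    for (int r = 0; r < NUM_RSE; r++) {
        vhuk_out[r] = derive_vhuk(view[r]);
        agree += (vhuk_out[r] == vhuk_out[0]);
    }
    return agree;
}

int main(void)
{
    const uint32_t seeds[NUM_RSE] = { 0x11111111u, 0x22222222u, 0x33u }; /* constructed */
    uint64_t k[NUM_RSE];
    printf("immediate reply: %d of %d agree\n", run_handshake(seeds, 0, k), NUM_RSE);
    printf("two-phase reply: %d of %d agree\n", run_handshake(seeds, 1, k), NUM_RSE);
}
```

In this model only the last client to connect sees the complete array in the immediate-reply case, so any earlier client derives a different key from the server.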