Hello, I am currently developing with the Multi-RSE Topology and have an inquiry regarding the following.

*1. Overview & Environment*

- *Version:* Trusted Firmware-M (TF-M) 2.2.2
- *Target Architecture:* MULTI_RSE_TOPOLOGY enabled environment
- *Related Modules:* boot_hal_bl1_2.c, rse_handshake.c

*2. Background & Code Analysis*

We are currently analyzing the BL1 boot sequence code to set up a Multi-RSE environment. Looking at the boot_platform_post_init() function in platform/ext/target/arm/rse/common/bl1/boot_hal_bl1_2.c, the vHUK is generated in the following sequence:

1. Calls rse_derive_vhuk_seed()
2. Checks the CM_POLICIES_VHUK_AGREEMENT_REQUIRED policy, then executes rse_handshake(vhuk_seed)
3. Calls rse_setup_vhuk() to derive the final vHUK based on the aggregated Seed array.

*3. Issue Description*

However, upon analyzing the operational structure in rse_handshake.c, we suspect a synchronization defect exists where the Server (Primary RSE) and multiple Clients (Secondary RSEs) will end up generating different final vHUKs.

- Looking at the rse_handshake_server() logic, the server replies to the client *immediately* within the receive loop with the *currently* aggregated vhuk_seeds_buf every time it receives a Seed from a client.
- Because of this behavior, Client 1 (the first to connect) receives an incomplete array (e.g., [C0, C1, 0, 0]) that lacks the seeds of subsequent clients. Only the last client to connect receives the fully populated array ([C0, C1, C2, C3]).
- Consequently, each Client executes rse_setup_vhuk() with a different state of vhuk_seeds_buf. This ultimately leads to mismatched final vHUK values across the RSEs within the system.

*4. Questions*

1. Is this behavior (returning an incomplete Seed array based on the client connection order) an intended operation within the security architecture?
2. If this is not intended, is this a known bug in TF-M 2.2.2 where the logic for the Server to broadcast (or perform a 2-Phase synchronization of) the completed array to all clients *after* gathering all seeds is missing?
3. Could you please provide a workaround for this issue, or guide us to a specific patch/commit if this has been resolved in a newer version?

Thank you in advance for your support.
tf-m@lists.trustedfirmware.org
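
The reply ordering described in the message above, modelled as an added example; it is not TF-M code and not part of the original post. It assumes one server (C0) and three clients with constructed seed values, a hypothetical simulate_handshake() helper, and FNV-1a as a stand-in for the real vHUK derivation, and it compares the immediate-reply behaviour with a gather-then-reply (two-phase) exchange.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_RSE 4 /* constructed topology: server C0 plus clients C1..C3 */

/* FNV-1a as a stand-in for the vHUK derivation; NOT the TF-M KDF. */
static uint32_t toy_kdf(const uint32_t seeds[N_RSE])
{
    const uint8_t *p = (const uint8_t *)seeds;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < N_RSE * sizeof(uint32_t); i++)
        h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Hypothetical model, not TF-M code. two_phase == 0: the server answers each
 * client at once with the buffer as it stands (the behaviour the post
 * describes). two_phase == 1: it gathers every seed, then answers all.
 * keys[i] is RSE i's key; returns how many seed arrays differ from the server's. */
int simulate_handshake(int two_phase, uint32_t keys[N_RSE])
{
    const uint32_t seed[N_RSE] = { 0xC0, 0xC1, 0xC2, 0xC3 }; /* constructed */
    uint32_t buf[N_RSE] = { 0 }, view[N_RSE][N_RSE] = { { 0 } };
    int diverged = 0;
    buf[0] = seed[0];                           /* server's own seed */
    for (int c = 1; c < N_RSE; c++) {
        buf[c] = seed[c];                       /* seed received from client c */
        if (!two_phase)
            memcpy(view[c], buf, sizeof(buf));  /* immediate, partial reply */
    }
    for (int c = 1; two_phase && c < N_RSE; c++)
        memcpy(view[c], buf, sizeof(buf));      /* reply after the gather */
    memcpy(view[0], buf, sizeof(buf));          /* server uses the full array */

    for (int i = 0; i < N_RSE; i++) {
        keys[i] = toy_kdf(view[i]);             /* each RSE derives from its view */
        diverged += memcmp(view[i], view[0], sizeof(buf)) != 0;
    }
    return diverged;
}

int main(void)
{
    uint32_t k[N_RSE];
    for (int mode = 0; mode < 2; mode++)
        printf("two_phase=%d diverged=%d\n", mode, simulate_handshake(mode, k));
    return 0;
}
```

In this model only the last client to connect ends up with the same seed array as the server when replies are immediate; with the gather-then-reply ordering every RSE derives from the same array.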