diff --git a/sig/Hygon Arch/assets/CSV/oca_test_1.png b/sig/Hygon Arch/assets/CSV/oca_test_1.png
new file mode 100644
index 0000000000000000000000000000000000000000..fc5da5b898c02f34ecd74b0f32837a17b71a786b
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_1.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_2.png b/sig/Hygon Arch/assets/CSV/oca_test_2.png
new file mode 100644
index 0000000000000000000000000000000000000000..efa5d8af18ac4c64bc1384c65820e43c37c55725
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_2.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_3.png b/sig/Hygon Arch/assets/CSV/oca_test_3.png
new file mode 100644
index 0000000000000000000000000000000000000000..da7f4fafe7181053278ea8643b2cb334d13c9099
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_3.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_4.png b/sig/Hygon Arch/assets/CSV/oca_test_4.png
new file mode 100644
index 0000000000000000000000000000000000000000..133784370b6bd134c8d913ec47c5895c44e6518b
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_4.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_5.png b/sig/Hygon Arch/assets/CSV/oca_test_5.png
new file mode 100644
index 0000000000000000000000000000000000000000..24c526648e9abff7d1e9817c5c1a3ab4bff1ada3
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_5.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_6.png b/sig/Hygon Arch/assets/CSV/oca_test_6.png
new file mode 100644
index 0000000000000000000000000000000000000000..1fca15a40f6fbf420d09b6ed2da452139c2c0e87
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_6.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_7.png b/sig/Hygon Arch/assets/CSV/oca_test_7.png
new file mode 100644
index 0000000000000000000000000000000000000000..ef2a687588045b7ad250ad0fa588b5d810c07324
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_7.png differ
diff --git a/sig/Hygon Arch/assets/CSV/oca_test_flow.png b/sig/Hygon Arch/assets/CSV/oca_test_flow.png
new file mode 100644
index 0000000000000000000000000000000000000000..483829089d82778efa2cb2ad57a916ae9272808c
Binary files /dev/null and b/sig/Hygon Arch/assets/CSV/oca_test_flow.png differ
diff --git a/sig/Hygon Arch/assets/attestation_2.png b/sig/Hygon Arch/assets/attestation_2.png
index a2e4261d0075bbc094a932c1c3f7efb48945f4af..5a9e48d355d2d648443ddc5ec9d0b5ddfc411fbd 100644
Binary files a/sig/Hygon Arch/assets/attestation_2.png and b/sig/Hygon Arch/assets/attestation_2.png differ
diff --git "a/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/3-\350\231\232\346\213\237\346\234\272/10-\346\265\213\350\257\225OCA\347\255\276\345\220\215\351\252\214\347\255\276\350\277\207\347\250\213.md" "b/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/3-\350\231\232\346\213\237\346\234\272/10-\346\265\213\350\257\225OCA\347\255\276\345\220\215\351\252\214\347\255\276\350\277\207\347\250\213.md"
new file mode 100644
index 0000000000000000000000000000000000000000..debad659ae116fb41e8e2a979091785cfc09af30
--- /dev/null
+++ "b/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/3-\350\231\232\346\213\237\346\234\272/10-\346\265\213\350\257\225OCA\347\255\276\345\220\215\351\252\214\347\255\276\350\277\207\347\250\213.md"
@@ -0,0 +1,147 @@
+
+## 功能描述
+关于OCA的概念,请参考[10-技术介绍 2-CSV远程认证技术介绍](https://openanolis.cn/sig/Hygon-Arch/doc/1256840217191415834?lang=zh)。
+
+
+当平台所有者OCA与CSV固件所有者(CPU厂商)不同时,OCA可生成自己拥有的公私钥对,并对PEK证书签名。
+虚拟机用户请求的远程认证报告中包含了PEK的公钥证书,该证书包含了CEK和OCA两个签名。
+用户可用OCA公钥验证PEK证书中的OCA签名,若验证通过,可证明远程报告属于OCA(同时也属于CPU厂商)。
+
+
+本文测试了OCA产生密钥对和验签远程证明报告中的PEK签名的过程。
+
+## 测试方案说明
+
+
+### 测试环境
+本测试包含两个机器环境:
+1) CSV虚拟机运行机器环境:该机器运行CSV虚拟机
+2) OCA机器环境:该机器为OCA所拥有,用于保存OCA的私密数据,比如OCA私钥。OCA需保证该环境的安全。
+
+
+
+
+
+需要注意的是,生成OCA公私钥对和OCA对PEK证书签名的过程,需要使用OCA私钥,必须在OCA自己的环境中完成。
+对远程证明报告证明中的PEK签名的验证,只需用到OCA公钥,可以在OCA环境中完成,也可以在CSV环境或者其他环境中完成,
+本测试过程以在OCA环境中完成为例。
+
+## 测试过程
+### 在OCA机器环境: 生成OCA公私钥对
+
+请先运行openssl version命令判断版本
+
+#### openssl 1.1.1
+
+生成私钥
+```
+openssl ecparam -genkey -name SM2 -out oca_priv.key
+```
+生成公钥
+```
+openssl ec -in oca_priv.key -pubout -out oca_public_key.pem
+```
+
+
+#### openssl 3.0.9
+将下列代码复制到脚本中运行
+```
+#!/bin/bash
+
+# Generate SM2 private key (raw EC format without extra parameters)
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out sm2_key.pem
+
+# SM2 curve parameters in Base64 encoding (from OpenSSL 1.1.1)
+sm2_params_base64="BggqgRzPVQGCLQ=="
+
+# Combine the SM2 private key into a format compatible with OpenSSL 1.1.1
+output_key="oca_priv.key"
+{
+ echo "-----BEGIN EC PARAMETERS-----"
+ echo "$sm2_params_base64"
+ echo "-----END EC PARAMETERS-----"
+ # Modify private key header to match EC private key format
+ cat sm2_key.pem | sed 's/BEGIN PRIVATE KEY/BEGIN EC PRIVATE KEY/g' | sed 's/END PRIVATE KEY/END EC PRIVATE KEY/g'
+} > "$output_key"
+
+#generate the public key
+openssl pkey -in sm2_key.pem -pubout -out oca_public.key
+
+# Clean up temporary files
+rm sm2_key.pem
+
+# Output message indicating that the private key has been generated
+echo "SM2 private key has been generated: $output_key"
+
+# Output message indicating that the public key has been generated
+echo "SM2 public key has been generated: oca_public.key"
+```
+
+### 在CSV机器环境: reset PEK,并产生PEK_CSR:
+reset PEK
+```
+sudo ./hag csv factory_reset
+```
+产生PEK_CSR
+```
+sudo ./hag csv pek_csr
+```
+
+
+
+此命令会产生pek_csr.cert和pek_csr_readable.txt两个文件
+pek_csr.cert为PEK公钥签名请求文件,其中OCA签名字段为空,待OCA私钥签名。
+将pek_csr.cert拷贝到OCA环境中
+
+### 在OCA机器环境: 用OCA私钥为PEK公钥签名和OCA公钥自签名
+
+```
+$ cd /opt/hygon/csv/
+$ sudo ./build_devkit.sh
+$ cd /opt/hygon/csv/pek_oca
+```
+```
+$ ./pek_oca pek_csr.cert oca_priv.key
+```
+
+
+输入的oca_priv.key和pek_csr.cert分别为前两步流程中输出的文件,
+此命令将输出pek_csr.signed.cert和oca.cert。
+pek_csr.signed.cert包含了OCA私钥对PEK公钥的签名,oca.cert包含了OCA私钥对OCA公钥的签名。
+
+如果想为OCA的公钥添加自定义user id,可使用命令
+
./pek_oca pek_csr.cert oca_priv.key your_userid
+否则OCA公钥的user id默认为OCA_USER_ID
+
+将pek_csr.signed.cert和oca.cert复制到CSV环境
+
+### 在CSV机器环境: 导入签名后的PEK_CSR和OCA自签名证书
+(hag general version >= 2257)
+```
+sudo ./hag csv pek_cert_import -in pek_csr.signed.cert oca.cert
+```
+
+
+
+### 在CSV机器环境: 启动虚拟机,生成远程证明报告
+请参考
+[1-测试内存加密 测试远程认证功能章节](https://openanolis.cn/sig/Hygon-Arch/doc/865622215810225948?lang=zh)
+
+将虚拟机中生成的远程报告report.cert和随机数文件nonce.bin拷贝到OCA环境
+
+
+
+### 在OCA机器环境:验证远程证明报告中的PEK签名为OCA所签
+```
+cd /opt/hygon/csv/attestation/
+./verify-attestation true oca.cert
+```
+其中oca.cert为步骤“用OCA私钥为PEK公钥签名和OCA公钥自签名”产生的OCA自签名公钥证书,用于验证证书中的PEK签名。
+此命令会使用oca.cert中的公钥验证远程证明报告中PEK公钥证书的OCA签名,
+此命令同时将oca.cert中的公钥保存为openssl pem格式的文件oca_pubkey_output.pem,
+用户可将其与第一步中生成的oca_public_key.pem对比,比较文件内容是否一致。
+验证过程还会打印出OCA公钥的USER ID,用户可人工对比是否与pek_oca输入的USER ID一致。
+若全部一致,则证明:远程报告中的PEK中的OCA签名正确,且使用的公钥为OCA使用者产生,说明远程认证包含了正确的OCA签名。
+
+
+
\ No newline at end of file
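Review bot: The two key-generation paths write the OCA public key under different names, which breaks the final comparison step. The openssl 1.1.1 commands produce `oca_public_key.pem`, the openssl 3.0.9 script produces `oca_public.key`, and the verification section tells the reader to compare `oca_pubkey_output.pem` with `oca_public_key.pem`; a reader on the 3.0.9 path has no file of that name, so use one output name in both paths. In the same script, the `sed` that rewrites `BEGIN PRIVATE KEY` to `BEGIN EC PRIVATE KEY` changes only the PEM label and leaves the encoded body as `openssl genpkey` wrote it. Please state which private-key format `pek_oca` expects and confirm the relabelled file is accepted, or replace the relabelling with an actual format conversion. The script has no `set -e`, so both "has been generated" messages are printed even when `openssl genpkey` fails. It also creates `sm2_key.pem` and `oca_priv.key` with the default umask, although the document requires the OCA private key to be kept protected; a `umask 077` at the top of the script would match that requirement. Two smaller points: the `./pek_oca pek_csr.cert oca_priv.key your_userid` command is the only command not inside a code fence, and the text says `report.cert` and `nonce.bin` are copied to the OCA environment without saying which directory `verify-attestation` reads them from.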