[feat] Update LMS vendor public key max. count to 32 #542

Merged
merged 2 commits into from
Jul 27, 2023
20 changes: 10 additions & 10 deletions common/src/memory_layout.rs
Expand Up @@ -26,13 +26,13 @@ pub const MBOX_ORG: u32 = 0x30000000;
pub const ICCM_ORG: u32 = 0x40000000;
pub const DCCM_ORG: u32 = 0x50000000;
pub const MAN1_ORG: u32 = 0x50000000;
pub const MAN2_ORG: u32 = 0x50001400;
pub const FHT_ORG: u32 = 0x50002800;
pub const LDEVID_TBS_ORG: u32 = 0x50003000;
pub const FMCALIAS_TBS_ORG: u32 = 0x50003400;
pub const PCR_LOG_ORG: u32 = 0x50003800;
pub const FUSE_LOG_ORG: u32 = 0x50003C00;
pub const DATA_ORG: u32 = 0x50004000;
pub const MAN2_ORG: u32 = 0x50001800;
pub const FHT_ORG: u32 = 0x50003000;
pub const LDEVID_TBS_ORG: u32 = 0x50003800;
pub const FMCALIAS_TBS_ORG: u32 = 0x50003C00;
pub const PCR_LOG_ORG: u32 = 0x50004000;
pub const FUSE_LOG_ORG: u32 = 0x50004400;
pub const DATA_ORG: u32 = 0x50004800;
pub const STACK_ORG: u32 = 0x5001C000;
pub const ESTACK_ORG: u32 = 0x5001F800;
pub const NSTACK_ORG: u32 = 0x5001FC00;
Expand All @@ -45,14 +45,14 @@ pub const ROM_SIZE: u32 = 32 * 1024;
pub const MBOX_SIZE: u32 = 128 * 1024;
pub const ICCM_SIZE: u32 = 128 * 1024;
pub const DCCM_SIZE: u32 = 128 * 1024;
pub const MAN1_SIZE: u32 = 5 * 1024;
pub const MAN2_SIZE: u32 = 5 * 1024;
pub const MAN1_SIZE: u32 = 6 * 1024;
pub const MAN2_SIZE: u32 = 6 * 1024;
pub const FHT_SIZE: u32 = 2 * 1024;
pub const LDEVID_TBS_SIZE: u32 = 1024;
pub const FMCALIAS_TBS_SIZE: u32 = 1024;
pub const PCR_LOG_SIZE: usize = 1024;
pub const FUSE_LOG_SIZE: usize = 1024;
pub const DATA_SIZE: u32 = 96 * 1024;
pub const DATA_SIZE: u32 = 94 * 1024;
pub const STACK_SIZE: u32 = 14 * 1024;
pub const ESTACK_SIZE: u32 = 1024;
pub const NSTACK_SIZE: u32 = 1024;
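Review bot: Nothing in the visible constants checks that each DCCM region ends where the next begins, and the same layout is repeated by hand in cpu/gen/src/lib.rs, fmc/test-fw/test-rt/memory.x and rom/dev/src/rom.ld. These regions hold the manifests, FHT, TBS buffers and the PCR and fuse logs, so an overlap after a future resize would let a write to one silently corrupt another. The new values do chain correctly, and compile-time assertions after the size constants would keep it that way; `PCR_LOG_SIZE` and `FUSE_LOG_SIZE` are `usize` and need a cast. Both constant lists continue outside the hunks.

```rust
// … unchanged: *_ORG and *_SIZE constants …

// Adjacent DCCM regions must be contiguous; fail the build if a resize breaks the chain.
const _: () = assert!(MAN1_ORG + MAN1_SIZE == MAN2_ORG);
const _: () = assert!(MAN2_ORG + MAN2_SIZE == FHT_ORG);
const _: () = assert!(FHT_ORG + FHT_SIZE == LDEVID_TBS_ORG);
const _: () = assert!(LDEVID_TBS_ORG + LDEVID_TBS_SIZE == FMCALIAS_TBS_ORG);
const _: () = assert!(FMCALIAS_TBS_ORG + FMCALIAS_TBS_SIZE == PCR_LOG_ORG);
const _: () = assert!(PCR_LOG_ORG + PCR_LOG_SIZE as u32 == FUSE_LOG_ORG);
const _: () = assert!(FUSE_LOG_ORG + FUSE_LOG_SIZE as u32 == DATA_ORG);
const _: () = assert!(DATA_ORG + DATA_SIZE == STACK_ORG);
```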
4 changes: 2 additions & 2 deletions cpu/gen/src/lib.rs
Expand Up @@ -5,7 +5,7 @@ pub fn gen_memory_x(iccm_org: u32, iccm_size: u32) -> String {
r#"
ICCM_ORG = 0x{:08X};
DCCM_ORG = 0x50000000;
DATA_ORG = 0x50004400;
DATA_ORG = 0x50004800;
STACK_ORG = 0x5001C000;
ESTACK_ORG = 0x5001F800;
NSTACK_ORG = 0x5001FC00;
Expand All @@ -19,7 +19,7 @@ pub fn gen_memory_x(iccm_org: u32, iccm_size: u32) -> String {

ICCM_SIZE = 0x{:08X};
DCCM_SIZE = 128K;
DATA_SIZE = 95K;
DATA_SIZE = 94K;
STACK_SIZE = 14K;
ESTACK_SIZE = 1K;
NSTACK_SIZE = 1K;
4 changes: 2 additions & 2 deletions drivers/src/fuse_bank.rs
Expand Up @@ -197,9 +197,9 @@ impl FuseBank<'_> {
/// # Returns
/// lms vendor public key revocation mask
///
pub fn vendor_lms_pub_key_revocation(&self) -> VendorPubKeyRevocation {
pub fn vendor_lms_pub_key_revocation(&self) -> u32 {
let soc_ifc_regs = self.soc_ifc.regs();
VendorPubKeyRevocation::from_bits_truncate(soc_ifc_regs.fuse_lms_revocation().read())
soc_ifc_regs.fuse_lms_revocation().read()
}

/// Get the owner public key hash.
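Review bot: The doc comment on `vendor_lms_pub_key_revocation` still says only "lms vendor public key revocation mask", and with the return type now a bare `u32` the bit layout is no longer carried by any type. The verifier treats bit N as "key index N is revoked", so the comment should say so: `/// Raw value of the fuse_lms_revocation register; bit N set means vendor LMS public key index N is revoked.` The same wording would help on the trait method in image/verify/src/lib.rs, whose comment still calls it a "Revocation list", and on the implementation in rom/dev/src/verifier.rs. The doc comment begins above this hunk.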
10 changes: 5 additions & 5 deletions fmc/test-fw/test-rt/memory.x
Expand Up @@ -4,8 +4,8 @@ ROM_ORG = 0x00000000;
META_ORG = ROM_SIZE;
ICCM_ORG = 0x40004000; /* Range [0x40000000 - 0x40003FFF] is reserved for FMC */
DCCM_ORG = 0x50000000;
FHT_ORG = 0x50002800;
DATA_ORG = 0x50003000;
FHT_ORG = 0x50003000;
DATA_ORG = 0x50004800;
STACK_ORG = 0x5001C000;
ESTACK_ORG = 0x5001F800;
NSTACK_ORG = 0x5001FC00;
Expand All @@ -15,10 +15,10 @@ ROM_SIZE = 32K;
MBOX_SIZE = 128K;
ICCM_SIZE = 112K;
DCCM_SIZE = 128K;
MAN1_SIZE = 5K;
MAN2_SIZE = 5K;
MAN1_SIZE = 6K;
MAN2_SIZE = 6K;
FHT_SIZE = 2K;
DATA_SIZE = 100K;
DATA_SIZE = 94K;
STACK_SIZE = 14K;
ESTACK_SIZE = 1K;
NSTACK_SIZE = 1K;
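--- a/image/fake-keys/src/lib.rs
+++ b/image/fake-keys/src/lib.rs
@@ -248,6 +248,34 @@ pub const VENDOR_PUBLIC_KEYS: ImageVendorPubKeys = ImageVendorPubKeys {
 VENDOR_LMS_KEY1_PUBLIC,
 VENDOR_LMS_KEY2_PUBLIC,
 VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
+VENDOR_LMS_KEY0_PUBLIC,
+VENDOR_LMS_KEY1_PUBLIC,
+VENDOR_LMS_KEY2_PUBLIC,
+VENDOR_LMS_KEY3_PUBLIC,
 ],
 };
 
@@ -267,6 +295,34 @@ pub const VENDOR_PRIVATE_KEYS: ImageVendorPrivKeys = ImageVendorPrivKeys {
 VENDOR_LMS_KEY1_PRIVATE,
 VENDOR_LMS_KEY2_PRIVATE,
 VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
+VENDOR_LMS_KEY0_PRIVATE,
+VENDOR_LMS_KEY1_PRIVATE,
+VENDOR_LMS_KEY2_PRIVATE,
+VENDOR_LMS_KEY3_PRIVATE,
 ],
 };
 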
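Review bot: The 28 entries added to each array repeat `VENDOR_LMS_KEY0..KEY3` seven more times, so the 32 vendor LMS slots hold only four distinct key pairs. An image signed with slot N therefore also verifies against any slot congruent to N modulo 4, and tests built on these keys cannot catch an index mix-up in the image builder or the verifier. If generating 32 distinct fake keys is impractical, a comment above both arrays should record the limitation, e.g. `// NOTE: only 4 distinct fake LMS keys; slot i holds key i % 4, so tests cannot tell aliased indices apart.` Both arrays begin above their hunks, so the first slot is inferred to be KEY0.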
2 changes: 1 addition & 1 deletion image/types/src/lib.rs
Expand Up @@ -25,7 +25,7 @@ use zerocopy::{AsBytes, FromBytes};

pub const MANIFEST_MARKER: u32 = 0x4E414D43;
pub const VENDOR_ECC_KEY_COUNT: u32 = 4;
pub const VENDOR_LMS_KEY_COUNT: u32 = 4;
pub const VENDOR_LMS_KEY_COUNT: u32 = 32;
pub const OWNER_LMS_KEY_COUNT: u32 = 1;
pub const MAX_TOC_ENTRY_COUNT: u32 = 2;
pub const IMAGE_REVISION_BYTE_SIZE: usize = 20;
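Review bot: `VENDOR_LMS_KEY_COUNT = 32` now equals the width of the `u32` revocation mask, and nothing visible enforces that bound. The verifier forms the test bit with `0x01u32 << key_idx` for indices up to `VENDOR_LMS_KEY_COUNT - 2`, so raising the count past 32 later would push the shift out of range: a panic with overflow checks on, a wrapped shift amount without them, and in the second case the revocation check would test the wrong bit. A compile-time guard next to the constant would pin the limit: `const _: () = assert!(VENDOR_LMS_KEY_COUNT <= u32::BITS);`.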
4 changes: 2 additions & 2 deletions image/verify/src/lib.rs
Expand Up @@ -69,7 +69,7 @@ pub struct ImageVerificationLogInfo {
pub owner_lms_pub_key_idx: Option<u32>,

/// Vendor LMS Public Key Revocation Fuse
pub fuse_vendor_lms_pub_key_revocation: Option<VendorPubKeyRevocation>,
pub fuse_vendor_lms_pub_key_revocation: Option<u32>,

/// First Mutable code's logging information
pub fmc_log_info: ImageSvnLogInfo,
Expand Down Expand Up @@ -134,7 +134,7 @@ pub trait ImageVerificationEnv {
fn vendor_ecc_pub_key_revocation(&self) -> VendorPubKeyRevocation;

/// Get Vendor LMS Public Key Revocation list
fn vendor_lms_pub_key_revocation(&self) -> VendorPubKeyRevocation;
fn vendor_lms_pub_key_revocation(&self) -> u32;

/// Get Owner Public Key Digest from fuses
fn owner_pub_key_digest_fuses(&self) -> ImageDigest;
15 changes: 7 additions & 8 deletions image/verify/src/verifier.rs
Expand Up @@ -29,7 +29,7 @@ struct HeaderInfo<'a> {
vendor_ecc_pub_key_revocation: VendorPubKeyRevocation,
vendor_ecc_info: (&'a ImageEccPubKey, &'a ImageEccSignature),
vendor_lms_info: Option<(&'a ImageLmsPublicKey, &'a ImageLmsSignature)>,
vendor_lms_pub_key_revocation: Option<VendorPubKeyRevocation>,
vendor_lms_pub_key_revocation: Option<u32>,
owner_ecc_info: Option<(&'a ImageEccPubKey, &'a ImageEccSignature)>,
owner_lms_info: Option<(&'a ImageLmsPublicKey, &'a ImageLmsSignature)>,
owner_pub_keys_digest: ImageDigest,
Expand Down Expand Up @@ -157,7 +157,7 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
// Verify LMS Vendor Key Index
let mut vendor_lms_pub_key_idx: Option<u32> = None;
let mut vendor_lms_info: Option<(&ImageLmsPublicKey, &'a ImageLmsSignature)> = None;
let mut vendor_lms_pub_key_revocation: Option<VendorPubKeyRevocation> = None;
let mut vendor_lms_pub_key_revocation: Option<u32> = None;

if self.env.lms_verify_enabled() {
(vendor_lms_pub_key_idx, vendor_lms_pub_key_revocation) =
Expand Down Expand Up @@ -263,7 +263,7 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
&mut self,
preamble: &ImagePreamble,
_reason: ResetReason,
) -> CaliptraResult<(Option<u32>, Option<VendorPubKeyRevocation>)> {
) -> CaliptraResult<(Option<u32>, Option<u32>)> {
const SECOND_LAST_KEY_IDX: u32 = VENDOR_LMS_KEY_COUNT - 2;
const LAST_KEY_IDX: u32 = SECOND_LAST_KEY_IDX + 1;

Expand All @@ -272,8 +272,7 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {

match key_idx {
0..=SECOND_LAST_KEY_IDX => {
let key = VendorPubKeyRevocation::from_bits_truncate(0x01u32 << key_idx);
if revocation.contains(key) {
if (revocation & (0x01u32 << key_idx)) != 0 {
Err(CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_LMS_PUB_KEY_REVOKED)?;
}
}
Expand Down Expand Up @@ -1666,7 +1665,7 @@ mod tests {
verify_lms_result: bool,
vendor_pub_key_digest: ImageDigest,
vendor_ecc_pub_key_revocation: VendorPubKeyRevocation,
vendor_lms_pub_key_revocation: VendorPubKeyRevocation,
vendor_lms_pub_key_revocation: u32,
owner_pub_key_digest: ImageDigest,
lifecycle: Lifecycle,
}
Expand All @@ -1680,7 +1679,7 @@ mod tests {
verify_lms_result: false,
vendor_pub_key_digest: ImageDigest::default(),
vendor_ecc_pub_key_revocation: VendorPubKeyRevocation::default(),
vendor_lms_pub_key_revocation: VendorPubKeyRevocation::default(),
vendor_lms_pub_key_revocation: 0,
owner_pub_key_digest: ImageDigest::default(),
lifecycle: Lifecycle::Unprovisioned,
}
Expand Down Expand Up @@ -1726,7 +1725,7 @@ mod tests {
self.vendor_ecc_pub_key_revocation
}

fn vendor_lms_pub_key_revocation(&self) -> VendorPubKeyRevocation {
fn vendor_lms_pub_key_revocation(&self) -> u32 {
self.vendor_lms_pub_key_revocation
}

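Review bot: The return type `CaliptraResult<(Option<u32>, Option<u32>)>` now pairs the key index and the revocation bitmask as two values of the same type, so swapping them in the destructuring `(vendor_lms_pub_key_idx, vendor_lms_pub_key_revocation) =` or at any later use compiles without complaint. The bitflags type was presumably dropped because it only covers the four ECC bits. A thin wrapper such as `pub struct VendorLmsPubKeyRevocation(pub u32);` would keep the 32-bit width and restore the distinction, and could carry the `(revocation & (0x01u32 << key_idx)) != 0` test as an `is_revoked(idx)` method. At minimum the function should document the tuple order: `/// Returns (vendor LMS key index, vendor LMS revocation bitmask).` Its signature and body extend beyond the hunks shown.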
2 changes: 1 addition & 1 deletion rom/dev/src/flow/cold_reset/fw_processor.rs
Expand Up @@ -267,7 +267,7 @@ impl FirmwareProcessor {
{
log_fuse_data(
FuseLogEntryId::VendorLmsPubKeyRevocation,
fuse_vendor_lms_pub_key_revocation.bits().as_bytes(),
fuse_vendor_lms_pub_key_revocation.as_bytes(),
)?;
}

4 changes: 2 additions & 2 deletions rom/dev/src/rom.ld
Expand Up @@ -19,7 +19,7 @@ ENTRY(_start)
ROM_ORG = 0x00000000;
ICCM_ORG = 0x40000000;
DCCM_ORG = 0x50000000;
DATA_ORG = 0x50004000;
DATA_ORG = 0x50004800;
STACK_ORG = 0x5001C000;
ESTACK_ORG = 0x5001F800;
NSTACK_ORG = 0x5001FC00;
Expand All @@ -33,7 +33,7 @@ ROM_RELAXATION_PADDING = 4k;
ROM_SIZE = 32K;
ICCM_SIZE = 128K;
DCCM_SIZE = 128K;
DATA_SIZE = 96K;
DATA_SIZE = 94K;
STACK_SIZE = 14K;
ESTACK_SIZE = 1K;
NSTACK_SIZE = 1K;
2 changes: 1 addition & 1 deletion rom/dev/src/verifier.rs
Expand Up @@ -94,7 +94,7 @@ impl<'a> ImageVerificationEnv for &mut RomImageVerificationEnv<'a> {
}

/// Retrieve Vendor LMS Public Key Revocation Bitmask
fn vendor_lms_pub_key_revocation(&self) -> VendorPubKeyRevocation {
fn vendor_lms_pub_key_revocation(&self) -> u32 {
self.soc_ifc.fuse_bank().vendor_lms_pub_key_revocation()
}

8 changes: 4 additions & 4 deletions rom/dev/tests/test_fmcalias_derivation.rs
Expand Up @@ -477,10 +477,10 @@ fn test_fht_info() {
let fht = FirmwareHandoffTable::read_from_prefix(data.as_bytes()).unwrap();
assert_eq!(fht.ldevid_tbs_size, 530);
assert_eq!(fht.fmcalias_tbs_size, 742);
assert_eq!(fht.ldevid_tbs_addr, 0x50003000);
assert_eq!(fht.fmcalias_tbs_addr, 0x50003400);
assert_eq!(fht.pcr_log_addr, 0x50003800);
assert_eq!(fht.fuse_log_addr, 0x50003C00);
assert_eq!(fht.ldevid_tbs_addr, 0x50003800);
assert_eq!(fht.fmcalias_tbs_addr, 0x50003C00);
assert_eq!(fht.pcr_log_addr, 0x50004000);
assert_eq!(fht.fuse_log_addr, 0x50004400);

// [TODO] Expand test to validate additional FHT fields.
}
27 changes: 13 additions & 14 deletions rom/dev/tests/test_image_validation.rs
Expand Up @@ -204,14 +204,14 @@ fn test_preamble_vendor_ecc_pubkey_revocation() {
fn test_preamble_vendor_lms_pubkey_revocation() {
let rom = caliptra_builder::build_firmware_rom(&ROM_WITH_UART).unwrap();
const LAST_KEY_IDX: u32 = VENDOR_LMS_KEY_COUNT - 1;
const VENDOR_CONFIG_LIST: [ImageGeneratorVendorConfig; VENDOR_LMS_KEY_COUNT as usize] = [
VENDOR_CONFIG_KEY_0,
VENDOR_CONFIG_KEY_1,
VENDOR_CONFIG_KEY_2,
VENDOR_CONFIG_KEY_3,
];

for vendor_config in VENDOR_CONFIG_LIST {
for idx in 0..VENDOR_LMS_KEY_COUNT {
let vendor_config = ImageGeneratorVendorConfig {
ecc_key_idx: 3,
lms_key_idx: idx,
..VENDOR_CONFIG_KEY_0
};

let mut image_options = ImageOptions::default();
let key_idx = vendor_config.lms_key_idx;
image_options.vendor_config = vendor_config;
Expand Down Expand Up @@ -256,14 +256,13 @@ fn test_preamble_vendor_lms_pubkey_revocation() {
#[test]
fn test_preamble_vendor_lms_optional_no_pubkey_revocation_check() {
let rom = caliptra_builder::build_firmware_rom(&ROM_WITH_UART).unwrap();
const VENDOR_CONFIG_LIST: [ImageGeneratorVendorConfig; VENDOR_LMS_KEY_COUNT as usize] = [
VENDOR_CONFIG_KEY_0,
VENDOR_CONFIG_KEY_1,
VENDOR_CONFIG_KEY_2,
VENDOR_CONFIG_KEY_3,
];

for vendor_config in VENDOR_CONFIG_LIST {
for idx in 0..VENDOR_LMS_KEY_COUNT {
let vendor_config = ImageGeneratorVendorConfig {
ecc_key_idx: 3,
lms_key_idx: idx,
..VENDOR_CONFIG_KEY_0
};
let image_options = caliptra_builder::ImageOptions {
vendor_config,
..Default::default()
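Review bot: `ecc_key_idx: 3` is a bare literal in both `test_preamble_vendor_lms_pubkey_revocation` and `test_preamble_vendor_lms_optional_no_pubkey_revocation_check`, and a reader cannot tell whether index 3 matters or is arbitrary. A one-line comment above the struct literal would settle it, e.g. `// ECC index is held fixed so that only the LMS index varies across iterations.`, adjusted to the real reason. The identical `ImageGeneratorVendorConfig { ecc_key_idx: 3, lms_key_idx: idx, ..VENDOR_CONFIG_KEY_0 }` in both loops could also come from one small helper taking `idx`. Both test bodies continue outside the hunks.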