diff --git a/app/lpc55xpresso/app.toml b/app/lpc55xpresso/app.toml index 880860371..078b9d7a6 100644 --- a/app/lpc55xpresso/app.toml +++ b/app/lpc55xpresso/app.toml @@ -115,9 +115,9 @@ name = "drv-lpc55-rng" priority = 3 uses = ["rng", "pmc"] start = true -stacksize = 3000 +stacksize = 4400 task-slots = ["syscon_driver"] -extern-regions = ["dice_rng"] +extern-regions = ["dice_certs", "dice_rng"] [tasks.pong] name = "task-pong" diff --git a/app/rot-carrier/app.toml b/app/rot-carrier/app.toml index d08df5eba..d575f4aba 100644 --- a/app/rot-carrier/app.toml +++ b/app/rot-carrier/app.toml @@ -101,9 +101,9 @@ name = "drv-lpc55-rng" priority = 5 uses = ["rng", "pmc"] start = true -stacksize = 3000 +stacksize = 4400 task-slots = ["syscon_driver"] -extern-regions = ["dice_rng"] +extern-regions = ["dice_certs", "dice_rng"] [tasks.sprot] name = "drv-lpc55-sprot-server" diff --git a/drv/lpc55-rng/build.rs b/drv/lpc55-rng/build.rs index 41de164f7..63afe7869 100644 --- a/drv/lpc55-rng/build.rs +++ b/drv/lpc55-rng/build.rs @@ -34,13 +34,26 @@ fn main() -> Result<()> { return Err(anyhow!("no data regions found")); } + let region = data_regions + .get("dice_certs") + .ok_or_else(|| anyhow::anyhow!("dice_certs data region not found"))?; + writeln!(out, "use crate::config::DataRegion;\n\n")?; + + writeln!( + out, + r##"pub const CERT_DATA: DataRegion = DataRegion {{ + address: {:#x}, + size: {:#x}, +}};"##, + region.address, region.size + )?; + let region = data_regions .get("dice_rng") .ok_or_else(|| anyhow!("dice_rng data region not found"))?; writeln!( out, - r##"use crate::config::DataRegion; -pub const RNG_DATA: DataRegion = DataRegion {{ + r##"pub const RNG_DATA: DataRegion = DataRegion {{ address: {:#x}, size: {:#x}, }};"##, diff --git a/drv/lpc55-rng/src/main.rs b/drv/lpc55-rng/src/main.rs index 23bf22882..2a7ddeb45 100644 --- a/drv/lpc55-rng/src/main.rs +++ b/drv/lpc55-rng/src/main.rs 
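Review bot: Neither the new `dice_certs` entry in `extern-regions` nor the jump of `stacksize` from 3000 to 4400 carries a reason, and the first widens what the RNG driver can map. A TOML comment on each would keep the grant auditable, for example `# dice_certs: read once at startup to mix the platform id into the RNG seed` and `# sized for the certificate data loaded in main()`. The stack explanation is inferred from the main.rs change, so confirm it against a measured stack depth. The same applies to the identical hunk in app/rot-carrier/app.toml.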
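Review bot: The added `dice_certs` lookup in drv/lpc55-rng/build.rs spells the macro as `anyhow::anyhow!`, while the `dice_rng` lookup just below it and the earlier `return Err(anyhow!(...))` use the imported `anyhow!`. Use `.ok_or_else(|| anyhow!("dice_certs data region not found"))?;` to match. The `"use crate::config::DataRegion;\n\n"` literal passed to `writeln!` also produces three newlines, so `writeln!(out, "use crate::config::DataRegion;\n")?;` is enough. The two region blocks now differ only in the key and the constant name and could share a small helper. main's body continues outside the hunk.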
@@ -17,7 +17,10 @@ use drv_lpc55_syscon_api::Syscon; use drv_rng_api::RngError; use hubpack::SerializedSize; use idol_runtime::{ClientError, NotificationHandler, RequestError}; -use lib_dice::{RngData, RngSeed, SeedBuf}; +use lib_dice::{ + persistid_cert_tmpl::{SUBJECT_CN_LENGTH, SUBJECT_CN_RANGE}, + CertData, RngData, RngSeed, SeedBuf, +}; use lib_lpc55_rng::Lpc55Rng; use rand_chacha::ChaCha20Rng; use rand_core::{impls, Error, RngCore, SeedableRng}; @@ -39,7 +42,7 @@ mod build { include!(concat!(env!("OUT_DIR"), "/rng-config.rs")); } -use build::RNG_DATA; +use build::{CERT_DATA, RNG_DATA}; task_slot!(SYSCON, syscon_driver); @@ -70,6 +73,7 @@ where fn new( seed: RngSeed, mut reseeder: R, + pid: &[u8], threshold: usize, ) -> Result { let threshold = if threshold == 0 { @@ -82,6 +86,9 @@ where // mix platform unique seed drived by measured boot Digest::update(&mut mixer, seed.as_bytes()); + // mix in unique platform id + Digest::update(&mut mixer, pid); + // w/ 32 bytes from HRNG let mut buf = Zeroizing::new(T::Seed::default()); reseeder.try_fill_bytes(buf.as_mut())?; @@ -160,10 +167,11 @@ impl Lpc55RngServer { fn new( seed: RngSeed, reseeder: Lpc55Rng, + pid: &[u8], threshold: usize, ) -> Result { Ok(Lpc55RngServer(ReseedingRng::new( - seed, reseeder, threshold, + seed, reseeder, pid, threshold, )?)) } } @@ -234,10 +242,18 @@ fn main() -> ! { .unwrap_lite() .seed }; + let pid: [u8; SUBJECT_CN_LENGTH] = { + let cert_data: CertData = + load_data_from_region(&CERT_DATA).unwrap_lite(); + cert_data.persistid_cert.0.as_bytes()[SUBJECT_CN_RANGE] + .try_into() + .unwrap_lite() + }; + let rng = Lpc55Rng::new(&Syscon::from(SYSCON.get_task_id())); let threshold = 0x100000; // 1 MiB - let mut rng = Lpc55RngServer::new(seed, rng, threshold) + let mut rng = Lpc55RngServer::new(seed, rng, &pid, threshold) .expect("Failed to create Lpc55RngServer"); let mut buffer = [0u8; idl::INCOMING_SIZE]; diff --git a/lib/dice/src/lib.rs b/lib/dice/src/lib.rs index f0d556296..06cfcf2f6 100644 
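Review bot: `pid: &[u8]` in `ReseedingRng::new` (the `-70,6` hunk) accepts a slice of any length, including an empty one, in which case the seed silently loses its per-device input. The only caller visible in this diff passes a `[u8; SUBJECT_CN_LENGTH]`, so typing the parameter as `pid: &[u8; SUBJECT_CN_LENGTH]` would make the length a compile-time guarantee without touching the call site. If the type is meant to stay independent of lib_dice, an early non-empty check would serve instead. The same parameter is added to `Lpc55RngServer::new` in the `-160,10` hunk. The function body continues outside this hunk.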
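Review bot: The comment `// mix in unique platform id` in the `-82,6` hunk does not say what the id contributes to the seed. The value taken in main() is the subject CN of the PersistentId certificate, which is presumably public, so it separates devices from one another but adds no secrecy. The measured-boot seed and the HRNG bytes remain the only unpredictable inputs. I would write `// mix in the platform id (PersistentId cert subject CN): public, gives per-device separation, adds no entropy`. The function continues outside this hunk.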
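Review bot: The `unwrap_lite()` on `load_data_from_region(&CERT_DATA)` in the `-234,10` hunk makes RNG start-up depend on the contents of the `dice_certs` region: if the load fails, the task panics before it serves any request. Whether the region is always populated by the time this task starts is not visible here, so state the intent next to the load, for example `// fail closed: the RNG must not start without the platform id`. Nothing in the block checks that the bytes in `SUBJECT_CN_RANGE` were actually provisioned rather than left at a template or default value, which would give every such device the same `pid`. A check, or a comment saying where that is guaranteed, would help. main continues outside the hunk.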
--- a/lib/dice/src/lib.rs +++ b/lib/dice/src/lib.rs @@ -30,7 +30,7 @@ mod alias_cert_tmpl; mod deviceid_cert_tmpl; mod handoff; mod mfg; -mod persistid_cert_tmpl; +pub mod persistid_cert_tmpl; mod persistid_csr_tmpl; pub use crate::mfg::{ DiceMfg, DiceMfgState, PersistIdSeed, SelfMfg, SerialMfg, diff --git a/lib/dice/src/persistid_cert_tmpl.rs b/lib/dice/src/persistid_cert_tmpl.rs index d4c03afb0..68140acfd 100644 --- a/lib/dice/src/persistid_cert_tmpl.rs +++ b/lib/dice/src/persistid_cert_tmpl.rs @@ -12,7 +12,10 @@ use core::ops::Range; pub const SIZE: usize = 441; pub const SERIAL_NUMBER_RANGE: Range = 15..16; pub const ISSUER_CN_RANGE: Range = 82..114; -pub const SUBJECT_CN_RANGE: Range = 207..239; +pub const SUBJECT_CN_START: usize = 207; +pub const SUBJECT_CN_END: usize = 239; +pub const SUBJECT_CN_RANGE: Range = SUBJECT_CN_START..SUBJECT_CN_END; +pub const SUBJECT_CN_LENGTH: usize = SUBJECT_CN_END - SUBJECT_CN_START; pub const PUB_RANGE: Range = 251..283; pub const SIG_RANGE: Range = 377..441; pub const SIGNDATA_RANGE: Range = 4..367;
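Review bot: Changing `mod persistid_cert_tmpl` to `pub mod` in lib/dice/src/lib.rs publishes every item in the template module in order to hand one driver two constants, while the rest of the crate exports selectively with `pub use` (as with `crate::mfg` just below). A narrower option is to keep the module private and re-export only what is needed, e.g. `pub use crate::persistid_cert_tmpl::{SUBJECT_CN_LENGTH as PERSISTID_CN_LENGTH, SUBJECT_CN_RANGE as PERSISTID_CN_RANGE};` (the alias names are a suggestion). Alternatively, an accessor on the certificate type that returns the subject CN would keep callers from indexing the DER bytes with raw offsets.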
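Review bot: The `SUBJECT_CN_*` constants in lib/dice/src/persistid_cert_tmpl.rs become reachable from outside the crate with this commit but have no doc comments, and the offsets 207 and 239 only mean something against the template's DER layout. Add short docs such as `/// Byte offset of the first subject CN byte in the PersistentId cert template.` and `/// Length in bytes of the subject CN field.`. If this file is produced by a template generator (not visible in the hunk), the change belongs in the generator so that a regeneration does not drop `SUBJECT_CN_LENGTH`.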