Update all sha calls and add test hook.
mtimkovich committed Feb 27, 2025
1 parent 4250469 commit 066c62a
Showing 5 changed files with 152 additions and 80 deletions.
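--- a/common/src/verifier.rs
+++ b/common/src/verifier.rs
@@ -80,6 +80,26 @@ impl<'a, 'b> ImageVerificationEnv for &mut FirmwareImageVerificationEnv<'a, 'b>
 Ok(digest.0)
 }
 
+fn sha512_acc_digest(
+&mut self,
+offset: u32,
+len: u32,
+digest_failure: CaliptraError,
+) -> CaliptraResult<ImageDigest512> {
+let mut sha_acc = unsafe { Sha2_512_384Acc::new(Sha512AccCsr::new()) };
+let mut digest = Array4x16::default();
+
+if let Some(mut sha_acc_op) = sha_acc.try_start_operation(ShaAccLockState::NotAcquired)? {
+sha_acc_op
+.digest_512(len, offset, false, &mut digest)
+.map_err(|_| digest_failure)?;
+} else {
+Err(CaliptraError::KAT_SHA2_512_384_ACC_DIGEST_START_OP_FAILURE)?;
+};
+
+Ok(digest.0)
+}
+
 /// ECC-384 Verification routine
 fn ecc384_verify(
 &mut self,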
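Review bot: The `else` branch of `sha512_acc_digest` reports a failure to start the accelerator operation as `CaliptraError::KAT_SHA2_512_384_ACC_DIGEST_START_OP_FAILURE`, a code whose name points at the known-answer self-test rather than image verification, and the caller-supplied `digest_failure` is bypassed on that path. Errors from `try_start_operation(...)?` are likewise propagated unmapped, so only a failure inside `digest_512` yields the verifier's own code. If that split is intended, a comment such as `// start/lock failures keep the driver's code; digest_failure covers only the digest operation` would say so; otherwise `Err(digest_failure)?;` keeps the failure attributed to the calling verification step. The same branch is copied into both methods added in rom/dev/src/flow/fake.rs.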
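--- a/drivers/src/sha2_512_384acc.rs
+++ b/drivers/src/sha2_512_384acc.rs
@@ -217,6 +217,11 @@ impl Sha2_512_384AccOp<'_> {
 maintain_data_endianess: bool,
 digest: Sha384Digest,
 ) -> CaliptraResult<()> {
+#[cfg(feature = "fips-test-hooks")]
+unsafe {
+crate::FipsTestHook::error_if_hook_set(crate::FipsTestHook::SHA384_DIGEST_FAILURE)?
+}
+
 self.digest_generic(
 dlen,
 start_address,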
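Review bot: Only the method taking `digest: Sha384Digest` gets a failure hook in this hunk, while the `sha512_acc_digest` implementations added by this commit call `digest_512`, which lies outside the hunk. If `digest_512` has no equivalent `#[cfg(feature = "fips-test-hooks")]` check, the `IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE` path for the SHA-512 header digests cannot be exercised by fault injection; mirroring these lines there with its own hook id would close that gap. The `unsafe` block also has no `// SAFETY:` comment stating why calling `error_if_hook_set` is sound here. The enclosing method starts before and ends after the hunk.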
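--- a/image/verify/src/lib.rs
+++ b/image/verify/src/lib.rs
@@ -116,6 +116,14 @@ pub trait ImageVerificationEnv {
 digest_failure: CaliptraError,
 ) -> CaliptraResult<ImageDigest384>;
 
+/// Calculate SHA-512 Digest with accelerator
+fn sha512_acc_digest(
+&mut self,
+offset: u32,
+len: u32,
+digest_failure: CaliptraError,
+) -> CaliptraResult<ImageDigest512>;
+
 /// Perform ECC-384 Verification
 fn ecc384_verify(
 &mut self,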
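Review bot: The doc comment on `sha512_acc_digest` does not say what `digest_failure` is for or what `offset` is measured from, and implementors of the trait need that contract. Judging by the implementations in this commit, `digest_failure` is returned only when the digest operation itself fails, while a failure to start the accelerator returns a different code; I would add `/// Returns digest_failure if the digest operation fails; a failure to start the accelerator may return a different error.` and one more line naming the base of `offset`, which the visible code does not show. The trait body continues outside the hunk.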
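--- a/image/verify/src/verifier.rs
+++ b/image/verify/src/verifier.rs
@@ -503,13 +503,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 )
 };
 
-let actual = &self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_FAILURE
-})?;
+let actual = &self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_FAILURE,
+)?;
 
 if cfi_launder(expected) != actual {
 Err(CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_MISMATCH)?;
@@ -539,13 +537,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 span.start as u32 + offset..span.end as u32 + offset
 };
 
-let actual = &self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_FAILURE
-})?;
+let actual = &self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_FAILURE,
+)?;
 
 if cfi_launder(expected) != actual {
 Err(CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_ECC_PUB_KEY_DIGEST_MISMATCH)?;
@@ -592,10 +588,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 LMS_PUB_KEY_BYTE_SIZE
 } as u32;
 
-let actual = &self.env.sha384_digest(start, size).map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_FAILURE
-})?;
+let actual = &self.env.sha384_acc_digest(
+start,
+size,
+CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PUB_KEY_DIGEST_FAILURE,
+)?;
 
 if cfi_launder(expected) != actual {
 Err(CaliptraError::IMAGE_VERIFIER_ERR_VENDOR_PQC_PUB_KEY_DIGEST_MISMATCH)?;
@@ -622,13 +619,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 )
 };
 
-let actual = &self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_OWNER_PUB_KEY_DIGEST_FAILURE
-})?;
+let actual = &self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_OWNER_PUB_KEY_DIGEST_FAILURE,
+)?;
 
 let fuses_digest = &self.env.owner_pub_key_digest_fuses();
 
@@ -674,26 +669,22 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 };
 
 // Vendor header digest is calculated up to the owner_data field.
-let vendor_digest_384 = self
-.env
-.sha384_digest(range.start, vendor_header_len as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE
-})?;
+let vendor_digest_384 = self.env.sha384_acc_digest(
+range.start,
+vendor_header_len as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE,
+)?;
 
 let mut vendor_digest_holder = ImageDigestHolder {
 digest_384: &vendor_digest_384,
 digest_512: None,
 };
 
-let owner_digest_384 = self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE
-})?;
+let owner_digest_384 = self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE,
+)?;
 
 let mut owner_digest_holder = ImageDigestHolder {
 digest_384: &owner_digest_384,
@@ -705,22 +696,32 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 
 // Update vendor_digest_holder and owner_digest_holder with SHA512 digests if MLDSA validation i required.
 if let PqcKeyInfo::Mldsa(_, _) = info.vendor_pqc_info {
-vendor_digest_512 = self
-.env
-.sha512_digest(range.start, vendor_header_len as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE
-})?;
+// vendor_digest_512 = self
+// .env
+// .sha512_digest(range.start, vendor_header_len as u32)
+// .map_err(|err| {
+// self.env.set_fw_extended_error(err.into());
+// CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE
+// })?;
+vendor_digest_512 = self.env.sha512_acc_digest(
+range.start,
+vendor_header_len as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE,
+)?;
 vendor_digest_holder.digest_512 = Some(&vendor_digest_512);
 
-owner_digest_512 = self
-.env
-.sha512_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE
-})?;
+// owner_digest_512 = self
+// .env
+// .sha512_digest(range.start, range.len() as u32)
+// .map_err(|err| {
+// self.env.set_fw_extended_error(err.into());
+// CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE
+// })?;
+owner_digest_512 = self.env.sha512_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_HEADER_DIGEST_FAILURE,
+)?;
 owner_digest_holder.digest_512 = Some(&owner_digest_512);
 }
 
@@ -1031,13 +1032,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 )
 };
 
-let actual = self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_TOC_DIGEST_FAILURE
-})?;
+let actual = self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_TOC_DIGEST_FAILURE,
+)?;
 
 if cfi_launder(*verify_info.digest) != actual {
 Err(CaliptraError::IMAGE_VERIFIER_ERR_TOC_DIGEST_MISMATCH)?;
@@ -1140,19 +1139,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 )
 };
 
-let actual = self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_FMC_DIGEST_FAILURE
-})?;
-
-// let actual = self.env.sha384_acc_digest(
-// range.start,
-// range.len() as u32,
-// CaliptraError::IMAGE_VERIFIER_ERR_FMC_DIGEST_FAILURE,
-// )?;
+let actual = self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_FMC_DIGEST_FAILURE,
+)?;
 
 if cfi_launder(verify_info.digest) != actual {
 Err(CaliptraError::IMAGE_VERIFIER_ERR_FMC_DIGEST_MISMATCH)?;
@@ -1216,13 +1207,11 @@ impl<Env: ImageVerificationEnv> ImageVerifier<Env> {
 )
 };
 
-let actual = self
-.env
-.sha384_digest(range.start, range.len() as u32)
-.map_err(|err| {
-self.env.set_fw_extended_error(err.into());
-CaliptraError::IMAGE_VERIFIER_ERR_RUNTIME_DIGEST_FAILURE
-})?;
+let actual = self.env.sha384_acc_digest(
+range.start,
+range.len() as u32,
+CaliptraError::IMAGE_VERIFIER_ERR_RUNTIME_DIGEST_FAILURE,
+)?;
 
 if cfi_launder(verify_info.digest) != actual {
 Err(CaliptraError::IMAGE_VERIFIER_ERR_RUNTIME_DIGEST_MISMATCH)?;
@@ -2397,6 +2386,15 @@ mod tests {
 Ok(self.digest_384)
 }
 
+fn sha512_acc_digest(
+&mut self,
+_offset: u32,
+_len: u32,
+_digest_failure: CaliptraError,
+) -> CaliptraResult<ImageDigest512> {
+Ok(self.digest_512)
+}
+
 fn ecc384_verify(
 &mut self,
 _digest: &ImageDigest384,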
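Review bot: Every converted call site stops recording the underlying driver error: the removed closures called `self.env.set_fw_extended_error(err.into())` before returning the verifier code, and the accelerator implementations shown in this commit map with `.map_err(|_| digest_failure)`, which discards it. A digest failure during firmware verification is then reported with the generic `IMAGE_VERIFIER_ERR_*_DIGEST_FAILURE` code only, leaving less to go on when diagnosing a failed boot. If dropping the extended error is not intended, the implementations could record it before mapping, e.g. `.map_err(|err| { self.set_fw_extended_error(err.into()); digest_failure })?`, assuming that method is reachable on the env at that point. The two commented-out `sha512_digest` call chains left in the MLDSA branch should also be deleted rather than committed.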
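--- a/rom/dev/src/flow/fake.rs
+++ b/rom/dev/src/flow/fake.rs
@@ -35,6 +35,7 @@ use caliptra_drivers::*;
 use caliptra_error::CaliptraError;
 use caliptra_image_types::*;
 use caliptra_image_verify::ImageVerificationEnv;
+use caliptra_registers::sha512_acc::Sha512AccCsr;
 use core::ops::Range;
 use fw_processor::FirmwareProcessor;
 
@@ -274,6 +275,46 @@ impl<'a, 'b> ImageVerificationEnv for &mut FakeRomImageVerificationEnv<'a, 'b> {
 Ok(self.sha2_512_384.sha512_digest(data)?.0)
 }
 
+fn sha384_acc_digest(
+&mut self,
+offset: u32,
+len: u32,
+digest_failure: CaliptraError,
+) -> CaliptraResult<ImageDigest384> {
+let mut sha_acc = unsafe { Sha2_512_384Acc::new(Sha512AccCsr::new()) };
+let mut digest = Array4x12::default();
+
+if let Some(mut sha_acc_op) = sha_acc.try_start_operation(ShaAccLockState::NotAcquired)? {
+sha_acc_op
+.digest_384(len, offset, false, &mut digest)
+.map_err(|_| digest_failure)?;
+} else {
+Err(CaliptraError::KAT_SHA2_512_384_ACC_DIGEST_START_OP_FAILURE)?;
+};
+
+Ok(digest.0)
+}
+
+fn sha512_acc_digest(
+&mut self,
+offset: u32,
+len: u32,
+digest_failure: CaliptraError,
+) -> CaliptraResult<ImageDigest512> {
+let mut sha_acc = unsafe { Sha2_512_384Acc::new(Sha512AccCsr::new()) };
+let mut digest = Array4x16::default();
+
+if let Some(mut sha_acc_op) = sha_acc.try_start_operation(ShaAccLockState::NotAcquired)? {
+sha_acc_op
+.digest_512(len, offset, false, &mut digest)
+.map_err(|_| digest_failure)?;
+} else {
+Err(CaliptraError::KAT_SHA2_512_384_ACC_DIGEST_START_OP_FAILURE)?;
+};
+
+Ok(digest.0)
+}
+
 /// ECC-384 Verification routine
 fn ecc384_verify(
 &mut self,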
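Review bot: Both added methods construct a new `Sha2_512_384Acc` from `Sha512AccCsr::new()` inside an `unsafe` block on every call, with no `// SAFETY:` comment saying why creating another handle to the accelerator registers is sound. The surrounding impl reaches its other hash engine through a field (`self.sha2_512_384` in the context line above the additions), so holding the accelerator on the env struct the same way would avoid creating the register block at each call site. If it has to stay local, the invariant should be written down, e.g. `// SAFETY: no other Sha2_512_384Acc is live while the image is being verified`, once that has been confirmed to hold. The identical construction appears in `sha512_acc_digest` in common/src/verifier.rs.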
