Addressing PR feedback: Iteration 1

chipsalliance · Nov 20, 2024 · 2776c5e · 2776c5e
1 parent ae68dde
commit 2776c5e
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/rom/dev/src/flow/cold_reset/idev_id.rs b/rom/dev/src/flow/cold_reset/idev_id.rs
@@ -216,11 +216,16 @@ impl InitDevIdLayer {
         let ecc_keypair = result?;
 
         // Derive the MLDSA Key Pair.
-        let mldsa_key_pair =
-            Crypto::mldsa_key_gen(env, cdi, b"idevid_mldsa_key", mldsa_keypair_seed)?;
+        let result = Crypto::mldsa_key_gen(env, cdi, b"idevid_mldsa_key", mldsa_keypair_seed);
+        if cfi_launder(result.is_ok()) {
+            cfi_assert!(result.is_ok());
+        } else {
+            cfi_assert!(result.is_err());
+        }
+        let mldsa_keypair = result?;
 
         report_boot_status(IDevIdKeyPairDerivationComplete.into());
-        Ok((ecc_keypair, mldsa_key_pair))
+        Ok((ecc_keypair, mldsa_keypair))
     }
 
     /// Generate Local Device ID CSR

diff --git a/rom/dev/src/flow/cold_reset/ldev_id.rs b/rom/dev/src/flow/cold_reset/ldev_id.rs
@@ -152,11 +152,16 @@ impl LocalDevIdLayer {
         let ecc_keypair = result?;
 
         // Derive the MLDSA Key Pair.
-        let mldsa_key_pair =
-            Crypto::mldsa_key_gen(env, cdi, b"ldevid_mldsa_key", mldsa_keypair_seed)?;
+        let result = Crypto::mldsa_key_gen(env, cdi, b"ldevid_mldsa_key", mldsa_keypair_seed);
+        if cfi_launder(result.is_ok()) {
+            cfi_assert!(result.is_ok());
+        } else {
+            cfi_assert!(result.is_err());
+        }
+        let mldsa_keypair = result?;
 
         report_boot_status(LDevIdKeyPairDerivationComplete.into());
-        Ok((ecc_keypair, mldsa_key_pair))
+        Ok((ecc_keypair, mldsa_keypair))
     }
 
     /// Generate Local Device ID Certificate Signature
@@ -235,6 +240,8 @@ impl LocalDevIdLayer {
         //  Copy TBS to DCCM.
         copy_tbs(ecc_tbs.tbs(), TbsType::LdevidTbs, env)?;
 
+        // [CAP2][TODO] Generate the MLDSA TBS
+
         report_boot_status(LDevIdCertSigGenerationComplete.into());
         Ok(())
     }

diff --git a/rom/dev/src/flow/cold_reset/x509.rs b/rom/dev/src/flow/cold_reset/x509.rs
@@ -64,6 +64,7 @@ impl X509 {
     }
 
     fn pub_key_digest(env: &mut RomEnv, pub_key: &PubKey) -> CaliptraResult<Array4x8> {
+        // Define an array large enough to hold the largest public key.
         let mut pub_key_bytes: [u8; size_of::<Mldsa87PubKey>()] = [0; size_of::<Mldsa87PubKey>()];
         let pub_key_size = Self::get_pubkey_bytes(pub_key, &mut pub_key_bytes);
         Crypto::sha256_digest(env, &pub_key_bytes[..pub_key_size])