From 2776c5e402fec09e9335c65caec8591057a04aca Mon Sep 17 00:00:00 2001
From: Vishal Mhatre <vishal.mhatre@gmail.com>
Date: Tue, 19 Nov 2024 15:52:34 -0800
Subject: [PATCH] Addressing PR feedback: Iteration 1

---
 rom/dev/src/flow/cold_reset/idev_id.rs | 11 ++++++++---
 rom/dev/src/flow/cold_reset/ldev_id.rs | 13 ++++++++++---
 rom/dev/src/flow/cold_reset/x509.rs    |  1 +
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/rom/dev/src/flow/cold_reset/idev_id.rs b/rom/dev/src/flow/cold_reset/idev_id.rs
index c915b1bba7..2168d19d57 100644
--- a/rom/dev/src/flow/cold_reset/idev_id.rs
+++ b/rom/dev/src/flow/cold_reset/idev_id.rs
@@ -216,11 +216,16 @@ impl InitDevIdLayer {
         let ecc_keypair = result?;
 
         // Derive the MLDSA Key Pair.
-        let mldsa_key_pair =
-            Crypto::mldsa_key_gen(env, cdi, b"idevid_mldsa_key", mldsa_keypair_seed)?;
+        let result = Crypto::mldsa_key_gen(env, cdi, b"idevid_mldsa_key", mldsa_keypair_seed);
+        if cfi_launder(result.is_ok()) {
+            cfi_assert!(result.is_ok());
+        } else {
+            cfi_assert!(result.is_err());
+        }
+        let mldsa_keypair = result?;
 
         report_boot_status(IDevIdKeyPairDerivationComplete.into());
-        Ok((ecc_keypair, mldsa_key_pair))
+        Ok((ecc_keypair, mldsa_keypair))
     }
 
     /// Generate Local Device ID CSR
diff --git a/rom/dev/src/flow/cold_reset/ldev_id.rs b/rom/dev/src/flow/cold_reset/ldev_id.rs
index 5331298241..8f2c1f35db 100644
--- a/rom/dev/src/flow/cold_reset/ldev_id.rs
+++ b/rom/dev/src/flow/cold_reset/ldev_id.rs
@@ -152,11 +152,16 @@ impl LocalDevIdLayer {
         let ecc_keypair = result?;
 
         // Derive the MLDSA Key Pair.
-        let mldsa_key_pair =
-            Crypto::mldsa_key_gen(env, cdi, b"ldevid_mldsa_key", mldsa_keypair_seed)?;
+        let result = Crypto::mldsa_key_gen(env, cdi, b"ldevid_mldsa_key", mldsa_keypair_seed);
+        if cfi_launder(result.is_ok()) {
+            cfi_assert!(result.is_ok());
+        } else {
+            cfi_assert!(result.is_err());
+        }
+        let mldsa_keypair = result?;
 
         report_boot_status(LDevIdKeyPairDerivationComplete.into());
-        Ok((ecc_keypair, mldsa_key_pair))
+        Ok((ecc_keypair, mldsa_keypair))
     }
 
     /// Generate Local Device ID Certificate Signature
@@ -235,6 +240,8 @@ impl LocalDevIdLayer {
         //  Copy TBS to DCCM.
         copy_tbs(ecc_tbs.tbs(), TbsType::LdevidTbs, env)?;
 
+        // [CAP2][TODO] Generate the MLDSA TBS
+
         report_boot_status(LDevIdCertSigGenerationComplete.into());
         Ok(())
     }
diff --git a/rom/dev/src/flow/cold_reset/x509.rs b/rom/dev/src/flow/cold_reset/x509.rs
index fe76a6a771..c48a63429b 100644
--- a/rom/dev/src/flow/cold_reset/x509.rs
+++ b/rom/dev/src/flow/cold_reset/x509.rs
@@ -64,6 +64,7 @@ impl X509 {
     }
 
     fn pub_key_digest(env: &mut RomEnv, pub_key: &PubKey) -> CaliptraResult<Array4x8> {
+        // Define an array large enough to hold the largest public key.
         let mut pub_key_bytes: [u8; size_of::<Mldsa87PubKey>()] = [0; size_of::<Mldsa87PubKey>()];
         let pub_key_size = Self::get_pubkey_bytes(pub_key, &mut pub_key_bytes);
         Crypto::sha256_digest(env, &pub_key_bytes[..pub_key_size])