Cert tweaks to names and TCB info
nquarton committed Oct 30, 2024
1 parent f102017 commit 656e273
Showing 24 changed files with 120 additions and 104 deletions.
4 changes: 2 additions & 2 deletions FROZEN_IMAGES.sha384sum
@@ -1,3 +1,3 @@
# WARNING: Do not update this file without the approval of the Caliptra TAC
91b951fbe655919a1e123b86add18ab604d049f6d2b2bbefac4cd554a4411eaf22247973c47490e243b9a5b1d197feb3 caliptra-rom-no-log.bin
105cda4bbc0f2f0096d058eda9090670da0d90c8e3066cb44027843e9a490db61933b524ca78fe78351a7fd26a124c03 caliptra-rom-with-log.bin
e4a45236589f76070b0e6eb09995693a49579c4ca8949078f2f007c93e1e423a90e9fa719ac593df1d98174ab448502d caliptra-rom-no-log.bin
b5e10dcbc719846cb1e4b72857dcf1c25395de0ba7f297e3296eadd8893440e3d72e4f98f6167d327baeb6b2c7c9a1dc caliptra-rom-with-log.bin
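Review bot: Both frozen ROM digests change in this file but the commit message does not cite the Caliptra TAC approval that the header on the first line makes a precondition for editing it. Record the approval reference (issue, PR or meeting) in the commit message, or as a comment line next to the digests, so the audit trail for a frozen image lives on the commit that changed it. This is a process point rather than a code defect; the digests themselves cannot be checked from here.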
2 changes: 1 addition & 1 deletion fmc/tests/fmc_integration_tests/test_rtalias.rs
Expand Up @@ -91,7 +91,7 @@ fn test_fht_info() {
let data = hw.mailbox_execute(TEST_CMD_READ_FHT, &[]).unwrap().unwrap();
let fht = FirmwareHandoffTable::read_from_prefix(data.as_bytes()).unwrap();
assert_eq!(fht.ldevid_tbs_size, 552);
assert_eq!(fht.fmcalias_tbs_size, 786);
assert_eq!(fht.fmcalias_tbs_size, 771);
assert_eq!(fht.ldevid_tbs_addr, 0x50003C00);
assert_eq!(fht.fmcalias_tbs_addr, 0x50004000);
assert_eq!(fht.pcr_log_addr, 0x50004800);
11 changes: 7 additions & 4 deletions rom/dev/build.rs
Expand Up @@ -86,10 +86,13 @@ fn main() {
use x509_parser::signature_value::EcdsaSigValue;

let ws_dir = workspace_dir();
let ldev_file = std::fs::read(
ws_dir.join("test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der"),
)
.unwrap();
let ldev_file_path =
ws_dir.join("test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der");
println!(
"cargo:rerun-if-changed={}",
ldev_file_path.to_str().unwrap()
);
let ldev_file = std::fs::read(ldev_file_path).unwrap();

let mut parser = X509CertificateParser::new();
let (_, cert) = parser.parse(&ldev_file).unwrap();
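Review bot: `ldev_file_path.to_str().unwrap()` in the new `println!` makes the build script panic on a non-UTF-8 workspace path for no benefit; `ldev_file_path.display()` formats any path, giving `println!("cargo:rerun-if-changed={}", ldev_file_path.display());`. Emitting a single `cargo:rerun-if-changed` also switches cargo from rerunning this script on any change in the package to rerunning it only for the declared paths, so every other file the script reads needs its own directive or the generated ROM artifacts can go stale; none is visible in the hunk, but `main` continues outside it, so this is worth checking. The `std::fs::read(ldev_file_path).unwrap()` would be more useful as `.unwrap_or_else(|e| panic!("failed to read {}: {e}", ldev_file_path.display()))` so a missing test-data file names itself in the build error.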
2 changes: 1 addition & 1 deletion rom/dev/src/flow/cold_reset/fmc_alias.rs
Expand Up @@ -252,6 +252,6 @@ impl FmcAliasLayer {
flags |= dice::FLAG_BIT_DEBUG;
}

flags.to_be_bytes()
flags.reverse_bits().to_be_bytes()
}
}
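Review bot: The `reverse_bits()` on the return line needs a comment, because the mapping is easy to get backwards: it sends u32 bit i (value `1 << i`) to the i-th bit of the big-endian octets counted from the MSB of the first octet, which is exactly BIT STRING bit i under X.690, so the encoding is only spec-conformant if the `dice::FLAG_BIT_*` constants are `1 << n` with n the DICE OperationalFlags bit number (notConfigured = 0, debug = 3). Suggest `// DER numbers BIT STRING bits from the MSB of the first octet; mirror the u32 so flag bit n lands at BIT STRING bit n.` If the constants are instead MSB-numbered (`1 << 31` meaning bit 0), the previous `to_be_bytes()` was already correct and this change moves every flag to the wrong end of the string; the updated smoke_test expectation of `0x00000001`, which is the last bit of the 32-bit string, is worth checking against the DICE bit numbering for that reason. The function starts outside the hunk, so the constants in use are not visible here.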
Expand Up @@ -743,7 +743,7 @@ fn test_fht_info() {
let data = hw.mailbox_execute(0x1000_0003, &[]).unwrap().unwrap();
let fht = FirmwareHandoffTable::read_from_prefix(data.as_bytes()).unwrap();
assert_eq!(fht.ldevid_tbs_size, 552);
assert_eq!(fht.fmcalias_tbs_size, 786);
assert_eq!(fht.fmcalias_tbs_size, 771);
assert_eq!(fht.ldevid_tbs_addr, LDEVID_TBS_ORG);
assert_eq!(fht.fmcalias_tbs_addr, FMCALIAS_TBS_ORG);
assert_eq!(fht.pcr_log_addr, PCR_LOG_ORG);
4 changes: 2 additions & 2 deletions rom/dev/tools/test-fmc/src/main.rs
Expand Up @@ -43,11 +43,11 @@ pub fn main() {}
// Dummy RO data to max out FMC image size to 16K.
// Note: Adjust this value to account for new changes in this FMC image.
#[cfg(all(feature = "interactive_test_fmc", not(feature = "fake-fmc")))]
const PAD_LEN: usize = 4988; // TEST_FMC_INTERACTIVE
const PAD_LEN: usize = 4996; // TEST_FMC_INTERACTIVE
#[cfg(all(feature = "fake-fmc", not(feature = "interactive_test_fmc")))]
const PAD_LEN: usize = 5224; // FAKE_TEST_FMC_WITH_UART
#[cfg(all(feature = "interactive_test_fmc", feature = "fake-fmc"))]
const PAD_LEN: usize = 5452; // FAKE_TEST_FMC_INTERACTIVE
const PAD_LEN: usize = 5460; // FAKE_TEST_FMC_INTERACTIVE
#[cfg(not(any(feature = "interactive_test_fmc", feature = "fake-fmc")))]
const PAD_LEN: usize = 0;

2 changes: 1 addition & 1 deletion runtime/src/dpe_platform.rs
Expand Up @@ -108,7 +108,7 @@ impl Platform for DpePlatform<'_> {
&mut self,
out: &mut [u8; MAX_ISSUER_NAME_SIZE],
) -> Result<usize, PlatformError> {
const CALIPTRA_CN: &[u8] = b"Caliptra 1.0 Rt Alias";
const CALIPTRA_CN: &[u8] = b"Caliptra 1.x Rt Alias";
let mut issuer_writer = CertWriter::new(out, true);

// Caliptra RDN SerialNumber field is always a Sha256 hash
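Review bot: `CALIPTRA_CN` here is the issuer name written into DPE-issued certificates, so it must equal the subject CN that `gen_rt_alias_cert` in `x509/build/build.rs` bakes into the RT alias template (`"Caliptra 1.x Rt Alias"`), and this commit keeps them equal only by editing both literals by hand; a path validator that matches issuer name to subject name would reject the chain if they ever drift. Either derive both from one shared constant or add a test asserting this issuer CN equals the RT alias cert subject CN. At minimum add `// Must match the RT Alias subject CN in x509/build/build.rs (gen_rt_alias_cert).` above the constant.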
5 changes: 4 additions & 1 deletion test/src/x509.rs
Expand Up @@ -68,7 +68,10 @@ impl DiceTcbInfo {
})
.transpose()?
.unwrap_or_default(),
flags: d.read_optional_implicit_element(7)?,
flags: d
.read_optional_implicit_element::<asn1::BitString>(7)?
.and_then(|b| b.as_bytes().try_into().ok())
.map(u32::from_be_bytes),
vendor_info: d
.read_optional_implicit_element::<&[u8]>(8)?
.map(|s| s.to_vec()),
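Review bot: The new `flags` parser turns any BIT STRING whose payload is not exactly 4 octets into `None` via `.try_into().ok()`, so a malformed or differently sized flags field is indistinguishable from an absent one and a test expecting `flags: None` would pass on garbage. It also rejects valid DER: a conformant encoder may drop trailing zero octets of a named-bit list, so a string with only bit 0 set arrives as a single octet and would read as `None` here. Suggest failing the parse on an impossible length and left-aligning a short payload into the 32-bit value, which keeps bit 0 at the MSB; the closure returns the same `ParseResult` the existing `.transpose()?` above relies on, assuming that is `asn1::ParseError`.
```rust
// … unchanged: earlier fields …
flags: d
    .read_optional_implicit_element::<asn1::BitString>(7)?
    .map(|b| {
        // DER may omit trailing zero octets of a named-bit list, so accept
        // 1..=4 octets and left-align them: BIT STRING bit 0 is the MSB of
        // the first octet.
        let bytes = b.as_bytes();
        if bytes.is_empty() || bytes.len() > 4 {
            return Err(asn1::ParseError::new(asn1::ParseErrorKind::InvalidLength));
        }
        let mut buf = [0u8; 4];
        buf[..bytes.len()].copy_from_slice(bytes);
        Ok(u32::from_be_bytes(buf))
    })
    .transpose()?,
// … unchanged: vendor_info …
```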
22 changes: 11 additions & 11 deletions test/tests/caliptra_integration_tests/smoke_test.rs
Expand Up @@ -67,8 +67,8 @@ fn retrieve_csr_test() {
let csr_txt = String::from_utf8(csr.to_text().unwrap()).unwrap();

// To update the CSR testdata:
// std::fs::write("tests/smoke_testdata/idevid_csr.txt", &csr_txt).unwrap();
// std::fs::write("tests/smoke_testdata/idevid_csr.der", &csr_der).unwrap();
// std::fs::write("tests/caliptra_integration_tests/smoke_testdata/idevid_csr.txt", &csr_txt).unwrap();
// std::fs::write("tests/caliptra_integration_tests/smoke_testdata/idevid_csr.der", &csr_der).unwrap();

println!("csr: {}", csr_txt);

Expand Down Expand Up @@ -215,8 +215,8 @@ fn smoke_test() {
let ldev_cert_txt = String::from_utf8(ldev_cert.to_text().unwrap()).unwrap();

// To update the ldev cert testdata:
// std::fs::write("tests/smoke_testdata/ldevid_cert.txt", &ldev_cert_txt).unwrap();
// std::fs::write("tests/smoke_testdata/ldevid_cert.der", ldev_cert_der).unwrap();
// std::fs::write("tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.txt", &ldev_cert_txt).unwrap();
// std::fs::write("tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der", ldev_cert_der).unwrap();

assert_eq!(
ldev_cert_txt.as_str(),
Expand Down Expand Up @@ -287,13 +287,13 @@ fn smoke_test() {
digest: device_info_hash.to_vec(),
},],

flags: Some(0x80000000),
flags: Some(0x00000001),
ty: Some(b"DEVICE_INFO".to_vec()),
..Default::default()
},
DiceTcbInfo {
vendor: Some("Caliptra".into()),
model: Some("FMC".into()),
vendor: None,
model: None,
// This is from the SVN in the image (9)
svn: Some(0x109),
fwids: vec![DiceFwid {
Expand Down Expand Up @@ -459,8 +459,8 @@ fn smoke_test() {
assert_eq!(
rt_dice_tcb_info,
Some(DiceTcbInfo {
vendor: Some("Caliptra".into()),
model: Some("RT".into()),
vendor: None,
model: None,
svn: Some(0x100),
fwids: vec![DiceFwid {
// RT
Expand Down Expand Up @@ -609,8 +609,8 @@ fn smoke_test() {
assert_eq!(
rt_dice_tcb_info2,
Some(DiceTcbInfo {
vendor: Some("Caliptra".into()),
model: Some("RT".into()),
vendor: None,
model: None,
svn: Some(0x100),
fwids: vec![DiceFwid {
// FMC
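Review bot: The FMC and RT `DiceTcbInfo` expectations now assert `vendor: None` and `model: None`, which the commit title calls a tweak but which removes the two fields a verifier policy is most likely to key on when matching a TCB entry; the FMC TBS size in the FHT tests dropping from 786 to 771 bytes, the 15 bytes of `Caliptra` and `FMC` as two short UTF8Strings, suggests size is the motivation. That is a certificate-format change for relying parties and should be stated in the commit message, with a note that the DEVICE_INFO entry's `ty` is now the only textual identifier left. The `flags` expectation moving from `0x80000000` to `0x00000001` is tied to the new `reverse_bits()` in `fmc_alias.rs` and the new BitString parser in `test/src/x509.rs`; a one-line comment on the expectation, `// BIT STRING read big-endian: bit 0 of the DICE flags is the MSB`, would stop the next reader from wondering which end the bit belongs on.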
Binary file not shown.
Expand Up @@ -4,11 +4,11 @@ Certificate:
Serial Number:
44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
Signature Algorithm: ecdsa-with-SHA384
Issuer: CN=Caliptra 1.0 LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889
Issuer: CN=Caliptra 1.x LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889
Validity
Not Before: Jan 1 00:00:00 2023 GMT
Not After : Dec 31 23:59:59 9999 GMT
Subject: CN=Caliptra 1.0 FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Subject: CN=Caliptra 1.x FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
Expand All @@ -30,7 +30,7 @@ Certificate:
2.23.133.5.4.4:
0....................
2.23.133.5.4.5:
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
X509v3 Subject Key Identifier:
44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
X509v3 Authority Key Identifier:
Binary file not shown.
@@ -1,7 +1,7 @@
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN=Caliptra 1.0 IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6
Subject: CN=Caliptra 1.x IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
Expand All @@ -25,9 +25,9 @@ Certificate Request:
0....................
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:64:02:30:7c:74:fd:28:ce:0f:f9:e9:da:ef:90:84:a5:af:
c0:42:d1:e2:08:84:67:d6:6a:e8:dc:46:cc:02:1d:80:da:37:
50:91:ee:75:09:ed:15:55:0f:31:15:23:c9:bb:e6:e1:02:30:
24:fd:1b:5b:47:cc:14:4a:66:a5:bb:e7:04:74:f0:21:36:37:
f4:9e:5d:cd:a1:42:bf:f6:82:5c:a1:f4:51:43:e2:97:fc:95:
ce:56:b1:67:e1:bf:e1:26:3a:ce:a1:f3
30:65:02:31:00:ed:8e:44:4e:3c:7f:6f:96:4a:5d:cb:e1:ea:
08:a0:57:f5:d7:b5:6d:ce:72:9e:b8:8c:88:38:f6:50:35:90:
bd:6b:59:db:29:52:13:2e:fc:a8:b6:8d:8a:33:d3:2a:cf:02:
30:6d:40:6a:1f:7c:9e:74:8f:28:dc:14:73:e0:96:92:d8:74:
fa:30:58:04:54:84:77:e9:52:3a:0d:63:fa:f3:1a:68:c3:88:
07:50:a7:5d:6f:f7:a9:da:98:f7:8c:48:2a
Binary file not shown.
Expand Up @@ -4,11 +4,11 @@ Certificate:
Serial Number:
25:ee:ef:9a:4c:61:d4:b9:e3:d9:4b:ea:46:f9:a1:2a:c6:88:7c:e2
Signature Algorithm: ecdsa-with-SHA384
Issuer: CN=Caliptra 1.0 IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6
Issuer: CN=Caliptra 1.x IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6
Validity
Not Before: Jan 1 00:00:00 2023 GMT
Not After : Dec 31 23:59:59 9999 GMT
Subject: CN=Caliptra 1.0 LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889
Subject: CN=Caliptra 1.x LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
Expand All @@ -35,9 +35,9 @@ Certificate:
42:4F:3A:C7:45:DD:BD:50:15:05:7F:5B:F8:3E:9C:D6:48:10:B0:41
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:66:02:31:00:9b:0e:19:91:81:f6:90:a7:43:34:60:d8:1d:
69:c4:a5:63:52:a3:c8:93:cf:4c:11:be:e1:a1:8d:47:a6:b5:
63:78:42:3f:8a:85:f2:34:b4:ab:5a:18:01:f6:e7:ff:92:02:
31:00:e1:21:cf:21:fe:44:09:81:95:01:fd:29:ad:f5:29:a9:
01:6a:2e:a3:15:bf:65:ab:2a:e5:82:7c:ef:f1:b8:59:bd:7e:
60:cf:15:c7:2a:64:ea:cf:2b:7b:9b:ff:42:d3
30:65:02:30:27:24:23:0f:77:0a:b4:a9:95:dc:a1:96:e0:cd:
5d:f9:29:08:eb:80:7d:74:55:05:7a:22:b9:62:08:96:a2:7a:
08:21:3d:8a:c6:1f:3c:71:e0:8d:48:83:ab:9c:64:1a:02:31:
00:ad:8a:98:ea:e7:33:13:bb:02:b6:12:fa:24:ef:ae:f4:5b:
73:57:97:37:82:56:a8:e9:c8:b6:87:d9:2d:7d:43:bc:be:cd:
82:d3:0f:85:5a:15:56:8e:a2:08:f9:ec:ce
Binary file not shown.
Expand Up @@ -4,11 +4,11 @@ Certificate:
Serial Number:
44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
Signature Algorithm: ecdsa-with-SHA384
Issuer: CN=Caliptra 1.0 FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Issuer: CN=Caliptra 1.x FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Validity
Not Before: Jan 1 00:00:00 2023 GMT
Not After : Dec 31 23:59:59 9999 GMT
Subject: CN=Caliptra 1.0 Rt Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Subject: CN=Caliptra 1.x Rt Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
Expand All @@ -30,7 +30,7 @@ Certificate:
2.23.133.5.4.4:
0....................
2.23.133.5.4.1:
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
X509v3 Subject Key Identifier:
44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
X509v3 Authority Key Identifier:
8 changes: 4 additions & 4 deletions x509/build/build.rs
Expand Up @@ -54,7 +54,7 @@ fn gen_init_devid_csr(out_dir: &str) {
.add_basic_constraints_ext(true, 5)
.add_key_usage_ext(usage)
.add_ueid_ext(&[0xFF; 17]);
let template = bldr.tbs_template("Caliptra 1.0 IDevID");
let template = bldr.tbs_template("Caliptra 1.x IDevID");
CodeGen::gen_code("InitDevIdCsrTbs", template, out_dir);
}

Expand All @@ -67,7 +67,7 @@ fn gen_local_devid_cert(out_dir: &str) {
.add_basic_constraints_ext(true, 4)
.add_key_usage_ext(usage)
.add_ueid_ext(&[0xFF; 17]);
let template = bldr.tbs_template("Caliptra 1.0 LDevID", "Caliptra 1.0 IDevID");
let template = bldr.tbs_template("Caliptra 1.x LDevID", "Caliptra 1.x IDevID");
CodeGen::gen_code("LocalDevIdCertTbs", template, out_dir);
}

Expand Down Expand Up @@ -98,7 +98,7 @@ fn gen_fmc_alias_cert(out_dir: &str) {
},
}],
);
let template = bldr.tbs_template("Caliptra 1.0 FMC Alias", "Caliptra 1.0 LDevID");
let template = bldr.tbs_template("Caliptra 1.x FMC Alias", "Caliptra 1.x LDevID");
CodeGen::gen_code("FmcAliasCertTbs", template, out_dir);
}

Expand All @@ -122,6 +122,6 @@ fn gen_rt_alias_cert(out_dir: &str) {
digest: &[0xCD; 48],
},
}]);
let template = bldr.tbs_template("Caliptra 1.0 Rt Alias", "Caliptra 1.0 FMC Alias");
let template = bldr.tbs_template("Caliptra 1.x Rt Alias", "Caliptra 1.x FMC Alias");
CodeGen::gen_code("RtAliasCertTbs", template, out_dir);
}
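Review bot: Every CN literal in this file appears twice, as the subject of one template and the issuer of the next (`"Caliptra 1.x LDevID"` in both `gen_local_devid_cert` and `gen_fmc_alias_cert`, and so on down the chain), and `runtime/src/dpe_platform.rs` repeats the Rt Alias one, so this rename had to be applied at eight sites by hand and any one missed would break issuer-to-subject name chaining between two generated certificates. Define each name once, e.g. `const IDEVID_CN: &str = "Caliptra 1.x IDevID";` with `LDEVID_CN`, `FMC_ALIAS_CN` and `RT_ALIAS_CN` beside it, and pass the constants to `tbs_template` so a subject and its child's issuer cannot drift. Exposing the RT alias constant from a shared crate so the runtime can use it too would close the cross-file copy as well.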
4 changes: 3 additions & 1 deletion x509/build/cert.rs
Expand Up @@ -90,9 +90,11 @@ impl<Algo: SigningAlgorithm> CertTemplateBuilder<Algo> {
device_fwids: &[FwidParam],
fmc_fwids: &[FwidParam],
) -> Self {
// This method of finding the offsets is fragile. Especially for the 1 byte values.
// These may need to be updated to stay unique when the cert template is updated.
let flags: u32 = 0xC0C1C2C3;
let svn: u8 = 0xC4;
let svn_fuses: u8 = 0xC5;
let svn_fuses: u8 = 0xC6;

self.exts
.push(x509::make_fmc_dice_tcb_info_ext(
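Review bot: The new comment admits the sentinel-based offset search is fragile, and the change of `svn_fuses` from 0xC5 to 0xC6 shows a collision has already happened; if, as the builder's name and the comment suggest, these offsets are used later to patch the live SVN and flags into the template, a silent collision would patch a single-byte field into the wrong position of a certificate the ROM then signs. Rather than documenting the fragility, have the builder assert uniqueness when it resolves each sentinel, e.g. `assert_eq!(tbs.iter().filter(|&&b| b == svn_fuses).count(), 1, "svn_fuses sentinel is not unique in the template");` and the same for `svn` and the four `flags` octets, so a future collision fails the build instead of the certificate. The function continues outside the hunk and the search itself is presumably elsewhere in this file, so place the assertion where the offsets are computed.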
