From c939edf66ee52a92481a0f71b36931d80545ae29 Mon Sep 17 00:00:00 2001 From: Vishal Mhatre Date: Fri, 1 Nov 2024 21:02:14 +0530 Subject: [PATCH 1/3] Adding the stash measurement functionality to AuthorizeAndStashCmd --- error/src/lib.rs | 2 ++ runtime/src/authorize_and_stash.rs | 16 +++++++++++++--- runtime/src/stash_measurement.rs | 23 +++++++++++++++++------ 3 files changed, 32 insertions(+), 9 deletions(-) diff --git a/error/src/lib.rs b/error/src/lib.rs index 7d94ae0834..7ef6f8476e 100644 --- a/error/src/lib.rs +++ b/error/src/lib.rs @@ -441,6 +441,8 @@ impl CaliptraError { pub const RUNTIME_AUTH_AND_STASH_UNSUPPORTED_IMAGE_SOURCE: CaliptraError = CaliptraError::new_const(0x000E004E); pub const RUNTIME_CMD_RESERVED_PAUSER: CaliptraError = CaliptraError::new_const(0x000E004F); + pub const RUNTIME_AUTH_AND_STASH_MEASUREMENT_DPE_ERROR: CaliptraError = + CaliptraError::new_const(0x000E0050); /// FMC Errors pub const FMC_GLOBAL_NMI: CaliptraError = CaliptraError::new_const(0x000F0001); diff --git a/runtime/src/authorize_and_stash.rs b/runtime/src/authorize_and_stash.rs index 17d1da1639..e2f613692b 100644 --- a/runtime/src/authorize_and_stash.rs +++ b/runtime/src/authorize_and_stash.rs @@ -15,7 +15,7 @@ Abstract: use core::cmp::min; use core::mem::size_of; -use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers}; +use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers, StashMeasurementCmd}; use caliptra_auth_man_types::{ AuthManifestImageMetadataCollection, AuthManifestImageMetadataCollectionHeader, AuthManifestPreamble, AUTH_MANIFEST_MARKER, 
@@ -78,8 +78,18 @@ impl AuthorizeAndStashCmd { let flags: AuthAndStashFlags = cmd.flags.into(); if !flags.contains(AuthAndStashFlags::SKIP_STASH) { - // TODO: Stash the image hash - Err(CaliptraError::RUNTIME_UNIMPLEMENTED_COMMAND)?; + // TODO do we need to return this? + let dpe_result = StashMeasurementCmd::stash_measurement( + drivers, + &cmd.metadata, + &cmd.measurement, + )?; + if dpe_result != DpeErrorCode::NoError { + drivers + .soc_ifc + .set_fw_extended_error(dpe_result.get_error_code()); + Err(CaliptraError::RUNTIME_AUTH_AND_STASH_MEASUREMENT_DPE_ERROR)?; + } } Ok(MailboxResp::AuthorizeAndStash(AuthorizeAndStashResp { diff --git a/runtime/src/stash_measurement.rs b/runtime/src/stash_measurement.rs index 02a9da0b79..a72538ab31 100644 --- a/runtime/src/stash_measurement.rs +++ b/runtime/src/stash_measurement.rs @@ -31,9 +31,11 @@ pub struct StashMeasurementCmd; impl StashMeasurementCmd { #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)] #[inline(never)] - pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult { - let cmd = StashMeasurementReq::read_from(cmd_args) - .ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?; + pub(crate) fn stash_measurement( + drivers: &mut Drivers, + metadata: &[u8; 4], + measurement: &[u8; 48], + ) -> CaliptraResult { let dpe_result = { match drivers.caller_privilege_level() { // Only PL0 can call STASH_MEASUREMENT @@ -78,12 +80,12 @@ impl StashMeasurementCmd { let derive_context_resp = DeriveContextCmd { handle: ContextHandle::default(), - data: cmd.measurement, + data: *measurement, flags: DeriveContextFlags::MAKE_DEFAULT | DeriveContextFlags::CHANGE_LOCALITY | DeriveContextFlags::INPUT_ALLOW_CA | DeriveContextFlags::INPUT_ALLOW_X509, - tci_type: u32::from_ne_bytes(cmd.metadata), + tci_type: u32::from_ne_bytes(*metadata), target_locality: locality, } .execute(&mut pdata.dpe, &mut env, locality); 
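Review bot: `stash_measurement`, introduced in the `@@ -31,9 +31,11 @@` hunk of runtime/src/stash_measurement.rs, is now a shared helper with no doc comment, and its contract is easy to misuse. As far as these hunks show, a DPE failure comes back inside the `Ok` value rather than as `Err`, so every caller has to compare the result with `DpeErrorCode::NoError` itself. I would add a `///` block above the attributes saying that `metadata` becomes the TCI type, that `measurement` is the 48-byte digest passed to DeriveContext and the stash PCR, that a non-`NoError` code is returned in `Ok`, and that the privilege check applies to every caller. The inline comment `// Only PL0 can call STASH_MEASUREMENT` should be widened to match, e.g. `// Only PL0 callers may stash a measurement (STASH_MEASUREMENT and AUTHORIZE_AND_STASH)`. The function body continues outside this hunk, so the outcome for a non-PL0 caller is not visible here.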
@@ -105,10 +107,19 @@ impl StashMeasurementCmd { drivers.pcr_bank.extend_pcr( PCR_ID_STASH_MEASUREMENT, &mut drivers.sha384, - cmd.measurement.as_bytes(), + measurement.as_bytes(), )?; } + Ok(dpe_result) + } + + pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult { + let cmd = StashMeasurementReq::read_from(cmd_args) + .ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?; + + let dpe_result = Self::stash_measurement(drivers, &cmd.metadata, &cmd.measurement)?; + Ok(MailboxResp::StashMeasurement(StashMeasurementResp { hdr: MailboxRespHeader::default(), dpe_result: dpe_result.get_error_code(), From ffa9286f3207c15239fad43c600a7560a7a0970c Mon Sep 17 00:00:00 2001 From: Vishal Mhatre Date: Sat, 2 Nov 2024 05:45:48 +0530 Subject: [PATCH 2/3] Removing leftover comment --- runtime/src/authorize_and_stash.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/runtime/src/authorize_and_stash.rs b/runtime/src/authorize_and_stash.rs index e2f613692b..38c6efbe58 100644 --- a/runtime/src/authorize_and_stash.rs +++ b/runtime/src/authorize_and_stash.rs @@ -78,7 +78,6 @@ impl AuthorizeAndStashCmd { let flags: AuthAndStashFlags = cmd.flags.into(); if !flags.contains(AuthAndStashFlags::SKIP_STASH) { - // TODO do we need to return this? let dpe_result = StashMeasurementCmd::stash_measurement( drivers, &cmd.metadata, From c0d0386d6bfa31897fd7bf5f4cfc14b98ed899f7 Mon Sep 17 00:00:00 2001 From: Vishal Mhatre Date: Mon, 4 Nov 2024 16:51:09 +0530 Subject: [PATCH 3/3] Not stashing the measurement if hash is not authorized --- runtime/src/authorize_and_stash.rs | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/runtime/src/authorize_and_stash.rs b/runtime/src/authorize_and_stash.rs index 38c6efbe58..2eb7eb4e2e 100644 --- a/runtime/src/authorize_and_stash.rs +++ b/runtime/src/authorize_and_stash.rs 
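Review bot: The new `execute` in the `@@ -105,10 +107,19 @@` hunk of runtime/src/stash_measurement.rs is declared without `#[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]` and `#[inline(never)]`. In the `@@ -31,9 +31,11 @@` hunk those two attribute lines are unchanged context and now sit above `stash_measurement`, so the mailbox entry point appears to have lost its control-flow-integrity instrumentation in the refactor. Unless that is intentional, repeat both attribute lines directly above `pub(crate) fn execute`. `execute` ends outside the hunk.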
@@ -76,18 +76,21 @@ impl AuthorizeAndStashCmd { } } - let flags: AuthAndStashFlags = cmd.flags.into(); - if !flags.contains(AuthAndStashFlags::SKIP_STASH) { - let dpe_result = StashMeasurementCmd::stash_measurement( - drivers, - &cmd.metadata, - &cmd.measurement, - )?; - if dpe_result != DpeErrorCode::NoError { - drivers - .soc_ifc - .set_fw_extended_error(dpe_result.get_error_code()); - Err(CaliptraError::RUNTIME_AUTH_AND_STASH_MEASUREMENT_DPE_ERROR)?; + // Stash the measurement if the image is authorized. + if auth_result == AUTHORIZE_IMAGE { + let flags: AuthAndStashFlags = cmd.flags.into(); + if !flags.contains(AuthAndStashFlags::SKIP_STASH) { + let dpe_result = StashMeasurementCmd::stash_measurement( + drivers, + &cmd.metadata, + &cmd.measurement, + )?; + if dpe_result != DpeErrorCode::NoError { + drivers + .soc_ifc + .set_fw_extended_error(dpe_result.get_error_code()); + Err(CaliptraError::RUNTIME_AUTH_AND_STASH_MEASUREMENT_DPE_ERROR)?; + } } }
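Review bot: The `auth_result == AUTHORIZE_IMAGE` gate added here is the security-relevant change of the series, but no test pins it. The diffstats of all three patches list only error/src/lib.rs and two runtime source files, so nothing checks that a digest which fails authorization never reaches DPE or `PCR_ID_STASH_MEASUREMENT`. I would add a runtime test that sends the command with a digest that is not authorized and with `SKIP_STASH` clear, then asserts that the stash PCR is unchanged and that no DPE context was derived. The comment could also state the invariant rather than restate the condition, e.g. `// A measurement is stashed only for an authorized image and only when SKIP_STASH is clear.` The enclosing function starts and ends outside the hunk.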