[sw,dice] Store CDI 0 to static_critical section

The previous method of transferring CDI_0 from immutable ROM_EXT to mutable
ROM_EXT stored data in flash memory, negatively impacting both firmware size
and boot time. To solve the issue, this commit allocates space within the
static_critical section to transfer the CDI_0 cert using RAM.

Change-Id: I7cda7bdd1cd2adebb80c1089189b7960ae7f1deb
Signed-off-by: Yi-Hsuan Deng <yhdeng@google.com>

Author: sasdf

sw/device/silicon_creator/imm_rom_ext/BUILD

@@ -35,6 +35,7 @@ cc_library(
         "//sw/device/silicon_creator/lib/base:boot_measurements",
         "//sw/device/silicon_creator/lib/base:sec_mmio",
         "//sw/device/silicon_creator/lib/base:static_critical",
+        "//sw/device/silicon_creator/lib/base:static_dice",
         "//sw/device/silicon_creator/lib/cert:dice_chain",
         "//sw/device/silicon_creator/lib/drivers:rnd",
         "//sw/device/silicon_creator/lib/ownership:ownership_key",
@@ -65,6 +66,7 @@ ld_library(
         "//hw/top_earlgrey/sw/autogen:top_earlgrey_memory",
         "//sw/device:info_sections",
         "//sw/device/silicon_creator/lib/base:static_critical_sections",
+        "//sw/device/silicon_creator/lib/base:static_dice_sections",
     ],
 )
 

sw/device/silicon_creator/imm_rom_ext/imm_rom_ext.c

@@ -48,7 +48,6 @@ static rom_error_t imm_rom_ext_start(void) {
   // Establish our identity.
   const manifest_t *rom_ext = rom_ext_manifest();
   HARDENED_RETURN_IF_ERROR(dice_chain_init());
-  // TODO: Move UDS cert check to mutable ROM_EXT.
   HARDENED_RETURN_IF_ERROR(dice_chain_attestation_silicon());
 
   // Sideload sealing key to KMAC hw keyslot.
@@ -57,9 +56,6 @@ static rom_error_t imm_rom_ext_start(void) {
   HARDENED_RETURN_IF_ERROR(
       dice_chain_attestation_creator(&boot_measurements.rom_ext, rom_ext));
 
-  // Write the DICE certs to flash if they have been updated.
-  HARDENED_RETURN_IF_ERROR(dice_chain_flush_flash());
-
   // Make mutable part executable.
   HARDENED_RETURN_IF_ERROR(imm_rom_ext_epmp_mutable_rx(rom_ext));
 

sw/device/silicon_creator/imm_rom_ext/imm_rom_ext_common.ld

@@ -83,6 +83,12 @@ SECTIONS {
    */
   INCLUDE sw/device/silicon_creator/lib/base/static_critical.ld
 
+  /**
+   * Critical static data that is accessible by both the immutable and
+   * mutable ROM extension.
+   */
+  INCLUDE sw/device/silicon_creator/lib/base/static_dice.ld
+
   /**
    * Mutable data section, at the bottom of ram_main. This will be initialized
    * from flash at runtime by the CRT.

sw/device/silicon_creator/lib/base/BUILD

@@ -124,6 +124,32 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "static_dice_cdi_0",
+    srcs = ["static_dice_cdi_0.c"],
+    hdrs = ["static_dice_cdi_0.h"],
+    deps = [
+        "//sw/device/lib/base:macros",
+        "//sw/device/silicon_creator/lib/drivers:hmac",
+    ],
+    # This library provides a special symbol that the linker will find.
+    alwayslink = True,
+)
+
+ld_library(
+    name = "static_dice_sections",
+    includes = [
+        "static_dice.ld",
+    ],
+)
+
+cc_library(
+    name = "static_dice",
+    deps = [
+        ":static_dice_cdi_0",
+    ],
+)
+
 cc_library(
     name = "chip",
     hdrs = ["chip.h"],

sw/device/silicon_creator/lib/base/static_dice.ld

@@ -0,0 +1,25 @@
+/* Copyright lowRISC contributors (OpenTitan project). */
+/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
+/* SPDX-License-Identifier: Apache-2.0 */
+
+/**
+ * DICE variables stored in the .static_dice section of RAM.
+ *
+ * These variables are transferred from immutable ROM_EXT to mutable ROM_EXT.
+ *
+ * This file should be included inside of a `SECTIONS` block where a
+ * `ram_main` memory is defined, and should come before all other main
+ * memory sections and after the .static_critical section.
+ */
+
+.static_dice (NOLOAD) : ALIGN(4) {
+  ASSERT(
+    . == ORIGIN(ram_main) + SIZEOF(.static_critical),
+    "Error: .static_dice section does not follow the .static_critical section.");
+
+  KEEP(*(.static_dice.cdi_0))
+
+  ASSERT(
+    SIZEOF(.static_dice) == 1092,
+    "Error: .static_dice section size has changed");
+} > ram_main

sw/device/silicon_creator/lib/base/static_dice_cdi_0.c

@@ -0,0 +1,15 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include "sw/device/silicon_creator/lib/base/static_dice_cdi_0.h"
+
+#include "sw/device/lib/base/macros.h"
+
+// CDI 0 cert signed by immutable ROM_EXT.
+//
+// This is placed at a fixed location in memory within the
+// .static_dice section. It will be populated by the immutable
+// ROM_EXT before the jump to mutable ROM_EXT.
+OT_SET_BSS_SECTION(".static_dice.cdi_0",
+                   OT_USED static_dice_cdi_0_t static_dice_cdi_0;)

sw/device/silicon_creator/lib/base/static_dice_cdi_0.h

@@ -0,0 +1,34 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_BASE_STATIC_DICE_CDI_0_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_BASE_STATIC_DICE_CDI_0_H_
+
+#include <stdint.h>
+
+#include "sw/device/lib/base/macros.h"
+#include "sw/device/silicon_creator/lib/drivers/hmac.h"
+
+enum {
+  kCdi0CertStaticCriticalSizeBytes = 1024,
+};
+
+// The dice chain information that the immutable ROM_EXT will pass to the
+// mutable ROM_EXT.
+typedef struct {
+  hmac_digest_t uds_pubkey_id;
+  hmac_digest_t cdi_0_pubkey_id;
+  uint32_t cert_size;
+  uint8_t cert_data[kCdi0CertStaticCriticalSizeBytes];
+} static_dice_cdi_0_t;
+
+OT_ASSERT_MEMBER_OFFSET(static_dice_cdi_0_t, uds_pubkey_id, 0);
+OT_ASSERT_MEMBER_OFFSET(static_dice_cdi_0_t, cdi_0_pubkey_id, 32);
+OT_ASSERT_MEMBER_OFFSET(static_dice_cdi_0_t, cert_size, 64);
+OT_ASSERT_MEMBER_OFFSET(static_dice_cdi_0_t, cert_data, 68);
+OT_ASSERT_SIZE(static_dice_cdi_0_t, 1092);
+
+extern static_dice_cdi_0_t static_dice_cdi_0;
+
+#endif  // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_BASE_STATIC_DICE_CDI_0_H_

sw/device/silicon_creator/lib/cert/BUILD

@@ -226,6 +226,7 @@ cc_library(
         "//sw/device/silicon_creator/lib:manifest",
         "//sw/device/silicon_creator/lib/base:boot_measurements",
         "//sw/device/silicon_creator/lib/base:sec_mmio",
+        "//sw/device/silicon_creator/lib/base:static_dice_cdi_0",
         "//sw/device/silicon_creator/lib/base:util",
         "//sw/device/silicon_creator/lib/cert:dice",
         "//sw/device/silicon_creator/lib/drivers:flash_ctrl",

sw/device/silicon_creator/lib/cert/dice_chain.c

@@ -10,6 +10,7 @@
 #include "sw/device/lib/crypto/drivers/entropy.h"
 #include "sw/device/silicon_creator/lib/base/boot_measurements.h"
 #include "sw/device/silicon_creator/lib/base/sec_mmio.h"
+#include "sw/device/silicon_creator/lib/base/static_dice_cdi_0.h"
 #include "sw/device/silicon_creator/lib/base/util.h"
 #include "sw/device/silicon_creator/lib/cert/dice.h"
 #include "sw/device/silicon_creator/lib/dbg_print.h"
@@ -97,6 +98,11 @@ typedef struct dice_chain {
 
 static dice_chain_t dice_chain;
 
+cert_key_id_pair_t dice_chain_cdi_0_key_ids = (cert_key_id_pair_t){
+    .endorsement = &static_dice_cdi_0.uds_pubkey_id,
+    .cert = &static_dice_cdi_0.cdi_0_pubkey_id,
+};
+
 // Get the size of the remaining tail space that is not processed yet.
 OT_WARN_UNUSED_RESULT
 OT_NOINLINE
@@ -277,31 +283,13 @@ rom_error_t dice_chain_attestation_silicon(void) {
   sc_keymgr_advance_state();
   HARDENED_RETURN_IF_ERROR(sc_keymgr_state_check(kScKeymgrStateCreatorRootKey));
   HARDENED_RETURN_IF_ERROR(otbn_boot_cert_ecc_p256_keygen(
-      kDiceKeyUds, &dice_chain.subject_pubkey_id, &dice_chain.subject_pubkey));
-
-  // Switch page for the factory provisioned UDS cert.
-  RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageFactoryCerts));
-
-  // Check if the UDS cert is valid.
-  RETURN_IF_ERROR(dice_chain_load_cert_obj("UDS", /*name_size=*/4));
-  if (dice_chain.cert_valid == kHardenedBoolFalse) {
-    // The UDS key ID (and cert itself) should never change unless:
-    // 1. there is a hardware issue / the page has been corrupted, or
-    // 2. the cert has not yet been provisioned.
-    //
-    // In both cases, we do nothing, and boot normally, later attestation
-    // attempts will fail in a detectable manner.
-    dbg_puts("Warning: UDS certificate not valid.\r\n");
-  } else {
-    // Cert is valid, move to the next one.
-    dice_chain_next_cert_obj();
-  }
+      kDiceKeyUds, &static_dice_cdi_0.uds_pubkey_id,
+      &dice_chain.subject_pubkey));
 
   // Save UDS key for signing next stage cert.
   RETURN_IF_ERROR(otbn_boot_attestation_key_save(
       kDiceKeyUds.keygen_seed_idx, kDiceKeyUds.type,
       *kDiceKeyUds.keymgr_diversifier));
-  dice_chain.endorsement_pubkey_id = dice_chain.subject_pubkey_id;
 
   return kErrorOk;
 }
@@ -319,7 +307,8 @@ rom_error_t dice_chain_attestation_creator(
       /*attest_binding=*/rom_ext_measurement,
       rom_ext_manifest->max_key_version));
   HARDENED_RETURN_IF_ERROR(otbn_boot_cert_ecc_p256_keygen(
-      kDiceKeyCdi0, &dice_chain.subject_pubkey_id, &dice_chain.subject_pubkey));
+      kDiceKeyCdi0, &static_dice_cdi_0.cdi_0_pubkey_id,
+      &dice_chain.subject_pubkey));
 
   // Switch page for the device generated CDI_0.
   RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageDiceCerts));
@@ -332,33 +321,83 @@ rom_error_t dice_chain_attestation_creator(
   if (dice_chain.cert_valid == kHardenedBoolFalse) {
     dbg_puts("CDI_0 certificate not valid. Updating it ...\r\n");
     // Update the cert page buffer.
-    size_t updated_cert_size = kScratchCertSizeBytes;
-    HARDENED_RETURN_IF_ERROR(
-        dice_cdi_0_cert_build((hmac_digest_t *)rom_ext_measurement->data,
-                              rom_ext_manifest->security_version,
-                              &dice_chain.key_ids, &dice_chain.subject_pubkey,
-                              dice_chain.scratch_cert, &updated_cert_size));
-    RETURN_IF_ERROR(dice_chain_push_cert("CDI_0", dice_chain.scratch_cert,
-                                         updated_cert_size));
+    static_dice_cdi_0.cert_size = sizeof(static_dice_cdi_0.cert_data);
+    HARDENED_RETURN_IF_ERROR(dice_cdi_0_cert_build(
+        (hmac_digest_t *)rom_ext_measurement->data,
+        rom_ext_manifest->security_version, &dice_chain_cdi_0_key_ids,
+        &dice_chain.subject_pubkey, static_dice_cdi_0.cert_data,
+        &static_dice_cdi_0.cert_size));
   } else {
-    // Cert is valid, move to the next one.
-    dice_chain_next_cert_obj();
-
     // Replace UDS with CDI_0 key for endorsing next stage cert.
     HARDENED_RETURN_IF_ERROR(otbn_boot_attestation_key_save(
         kDiceKeyCdi0.keygen_seed_idx, kDiceKeyCdi0.type,
         *kDiceKeyCdi0.keymgr_diversifier));
   }
-  dice_chain.endorsement_pubkey_id = dice_chain.subject_pubkey_id;
 
   sc_keymgr_sw_binding_unlock_wait();
 
   return kErrorOk;
 }
 
+// Compare the UDS identity in the static critical section to the UDS cert
+// cached in the flash.
+static rom_error_t dice_chain_attestation_check_uds(void) {
+  // Switch page for the factory provisioned UDS cert.
+  RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageFactoryCerts));
+
+  // Check if the UDS cert is valid.
+  dice_chain.endorsement_pubkey_id = static_dice_cdi_0.uds_pubkey_id;
+  dice_chain.subject_pubkey_id = static_dice_cdi_0.uds_pubkey_id;
+  RETURN_IF_ERROR(dice_chain_load_cert_obj("UDS", /*name_size=*/4));
+  if (dice_chain.cert_valid == kHardenedBoolFalse) {
+    // The UDS key ID (and cert itself) should never change unless:
+    // 1. there is a hardware issue / the page has been corrupted, or
+    // 2. the cert has not yet been provisioned.
+    //
+    // In both cases, we do nothing, and boot normally, later attestation
+    // attempts will fail in a detectable manner.
+
+    // CAUTION: This error message should match the one in
+    //   //sw/host/provisioning/ft_lib/src/lib.rs
+    dbg_puts("error: UDS certificate not valid\r\n");
+  }
+
+  return kErrorOk;
+}
+
+// Compare the CDI_0 identity in the static critical section to the CDI_0 cert
+// cached in the flash, and refresh the cache if invalid.
+static rom_error_t dice_chain_attestation_check_cdi_0(void) {
+  // Switch page for the device CDI chain.
+  RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageDiceCerts));
+
+  // Seek to skip previous objects.
+  RETURN_IF_ERROR(dice_chain_skip_cert_obj("UDS", /*name_size=*/4));
+
+  // Refresh cdi 0 if invalid
+  dice_chain.endorsement_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
+  dice_chain.subject_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
+  RETURN_IF_ERROR(dice_chain_load_cert_obj("CDI_0", /*name_size=*/6));
+  if (dice_chain.cert_valid == kHardenedBoolFalse) {
+    dbg_puts("warning: CDI_0 certificate not valid; updating\r\n");
+    // Update the cert page buffer.
+    RETURN_IF_ERROR(dice_chain_push_cert("CDI_0", static_dice_cdi_0.cert_data,
+                                         static_dice_cdi_0.cert_size));
+  } else {
+    // Cert is valid, move to the next one.
+    dice_chain_next_cert_obj();
+  }
+
+  return kErrorOk;
+}
+
 rom_error_t dice_chain_attestation_owner(
     const manifest_t *owner_manifest, keymgr_binding_value_t *bl0_measurement,
     hmac_digest_t *owner_measurement, keymgr_binding_value_t *sealing_binding) {
+  // Handles the certificates from the immutable rom_ext first.
+  RETURN_IF_ERROR(dice_chain_attestation_check_uds());
+  RETURN_IF_ERROR(dice_chain_attestation_check_cdi_0());
+
   // Generate CDI_1 attestation keys and (potentially) update certificate.
   SEC_MMIO_WRITE_INCREMENT(kScKeymgrSecMmioSwBindingSet +
                            kScKeymgrSecMmioOwnerIntMaxVerSet);
@@ -384,14 +423,7 @@ rom_error_t dice_chain_attestation_owner(
   HARDENED_RETURN_IF_ERROR(otbn_boot_cert_ecc_p256_keygen(
       kDiceKeyCdi1, &dice_chain.subject_pubkey_id, &dice_chain.subject_pubkey));
 
-  // Switch page for the device generated CDI_1.
-  RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageDiceCerts));
-
-  // Seek to skip previous objects.
-  RETURN_IF_ERROR(dice_chain_skip_cert_obj("UDS", /*name_size=*/4));
-  RETURN_IF_ERROR(dice_chain_skip_cert_obj("CDI_0", /*name_size=*/6));
-
-  // Check if the current CDI_0 cert is valid.
+  // Check if the current CDI_1 cert is valid.
   RETURN_IF_ERROR(dice_chain_load_cert_obj("CDI_1", /*name_size=*/6));
   if (dice_chain.cert_valid == kHardenedBoolFalse) {
     dbg_puts("CDI_1 certificate not valid. Updating it ...\r\n");

sw/device/silicon_creator/rom_ext/BUILD

@@ -104,6 +104,7 @@ ld_library(
     deps = [
         "//sw/device:info_sections",
         "//sw/device/silicon_creator/lib/base:static_critical_sections",
+        "//sw/device/silicon_creator/lib/base:static_dice_sections",
     ],
 )
 
@@ -191,6 +192,7 @@ cc_library(
         "//sw/device/silicon_creator/lib/base:chip",
         "//sw/device/silicon_creator/lib/base:sec_mmio",
         "//sw/device/silicon_creator/lib/base:static_critical",
+        "//sw/device/silicon_creator/lib/base:static_dice",
         "//sw/device/silicon_creator/lib/boot_svc:boot_svc_msg",
         "//sw/device/silicon_creator/lib/cert:dice_chain",
         "//sw/device/silicon_creator/lib/drivers:ast",

sw/device/silicon_creator/rom_ext/rom_ext_common.ld

@@ -147,6 +147,12 @@ SECTIONS {
    */
   INCLUDE sw/device/silicon_creator/lib/base/static_critical.ld
 
+  /**
+   * Critical static data that is accessible by both the immutable and
+   * mutable ROM extension.
+   */
+  INCLUDE sw/device/silicon_creator/lib/base/static_dice.ld
+
   /**
    * Mutable data section, at the bottom of ram_main. This will be initialized
    * from flash at runtime by the CRT.