From 2edab39bca2dfc2cdb2b1e3b5284ed6ae87b51de Mon Sep 17 00:00:00 2001 From: Anthony Rocha Date: Wed, 1 Jan 2025 16:41:17 -0800 Subject: [PATCH] Code review feedback. --- builder/src/firmware.rs | 8 ++++---- common/src/lib.rs | 4 ++-- drivers/Cargo.toml | 2 +- drivers/src/lib.rs | 2 +- drivers/src/persistent.rs | 10 +++++----- error/src/lib.rs | 3 +++ fmc/Cargo.toml | 2 +- fmc/build.sh | 2 +- fmc/src/flow/crypto.rs | 4 ++++ fmc/src/flow/fmc_alias_csr.rs | 3 ++- fmc/src/flow/mod.rs | 20 ++++++++++++------- runtime/Cargo.toml | 5 +++-- runtime/build.sh | 1 + runtime/src/get_fmc_alias_csr.rs | 3 ++- runtime/src/lib.rs | 3 +++ .../caliptra_integration_tests/jtag_test.rs | 2 +- 16 files changed, 47 insertions(+), 27 deletions(-) diff --git a/builder/src/firmware.rs b/builder/src/firmware.rs index 56cf61afa4..3fc17847c0 100644 --- a/builder/src/firmware.rs +++ b/builder/src/firmware.rs @@ -42,7 +42,7 @@ pub const ROM_WITH_FIPS_TEST_HOOKS: FwId = FwId { pub const FMC_WITH_UART: FwId = FwId { crate_name: "caliptra-fmc", bin_name: "caliptra-fmc", - features: &["emu"], + features: &["emu", "fmc-alias-csr"], }; pub const FMC_FAKE_WITH_UART: FwId = FwId { @@ -54,13 +54,13 @@ pub const FMC_FAKE_WITH_UART: FwId = FwId { pub const APP: FwId = FwId { crate_name: "caliptra-runtime", bin_name: "caliptra-runtime", - features: &["fips_self_test"], + features: &["fips_self_test", "fmc-alias-csr"], }; pub const APP_WITH_UART: FwId = FwId { crate_name: "caliptra-runtime", bin_name: "caliptra-runtime", - features: &["emu", "fips_self_test"], + features: &["emu", "fips_self_test", "fmc-alias-csr"], }; pub const APP_WITH_UART_FIPS_TEST_HOOKS: FwId = FwId { @@ -72,7 +72,7 @@ pub const APP_WITH_UART_FIPS_TEST_HOOKS: FwId = FwId { pub const APP_WITH_UART_FPGA: FwId = FwId { crate_name: "caliptra-runtime", bin_name: "caliptra-runtime", - features: &["emu", "fips_self_test", "fpga_realtime"], + features: &["emu", "fips_self_test", "fmc-alias-csr", "fpga_realtime"], }; pub mod caliptra_builder_tests { diff --git a/common/src/lib.rs b/common/src/lib.rs index 8fb9032abc..8c804df09a 100644 --- a/common/src/lib.rs +++ b/common/src/lib.rs @@ -38,9 +38,9 @@ pub use fuse::{FuseLogEntry, FuseLogEntryId}; pub use pcr::{PcrLogEntry, PcrLogEntryId, RT_FW_CURRENT_PCR, RT_FW_JOURNEY_PCR}; pub const FMC_ORG: u32 = 0x40000000; -pub const FMC_SIZE: u32 = 22 * 1024 - 512; +pub const FMC_SIZE: u32 = 21 * 1024; pub const RUNTIME_ORG: u32 = FMC_ORG + FMC_SIZE; -pub const RUNTIME_SIZE: u32 = 95 * 1024 + 512; +pub const RUNTIME_SIZE: u32 = 96 * 1024; pub use memory_layout::{DATA_ORG, PERSISTENT_DATA_ORG}; pub use wdt::{restart_wdt, start_wdt, stop_wdt, WdtTimeout}; diff --git a/drivers/Cargo.toml b/drivers/Cargo.toml index ff90f5fa5c..04caa0a43f 100644 --- a/drivers/Cargo.toml +++ b/drivers/Cargo.toml @@ -37,7 +37,7 @@ verilator = ["caliptra-hw-model/verilator"] no-cfi = [] "hw-1.0" = ["caliptra-builder/hw-1.0", "caliptra-registers/hw-1.0"] fips-test-hooks = [] -fmc_alias_csr = [] +fmc-alias-csr = [] [dev-dependencies] caliptra-api.workspace = true diff --git a/drivers/src/lib.rs b/drivers/src/lib.rs index 5988219dc8..0e74ccbb1b 100644 --- a/drivers/src/lib.rs +++ b/drivers/src/lib.rs @@ -86,7 +86,7 @@ pub use okref::okmutref; pub use okref::okref; pub use pcr_bank::{PcrBank, PcrId}; pub use pcr_reset::PcrResetCounter; -#[cfg(feature = "fmc")] +#[cfg(feature = "fmc-alias-csr")] pub use persistent::fmc_alias_csr::FmcAliasCsr; #[cfg(feature = "runtime")] pub use persistent::AuthManifestImageMetadataList; diff --git a/drivers/src/persistent.rs b/drivers/src/persistent.rs index 1533b3554a..5f60a2b268 100644 --- a/drivers/src/persistent.rs +++ b/drivers/src/persistent.rs @@ -21,7 +21,7 @@ use crate::{ FirmwareHandoffTable, }; -#[cfg(feature = "fmc")] +#[cfg(feature = "fmc-alias-csr")] use crate::FmcAliasCsr; #[cfg(feature = "runtime")] @@ -74,7 +74,7 @@ pub struct IdevIdCsr { csr: [u8; MAX_CSR_SIZE], } -#[cfg(feature = "fmc")] +#[cfg(feature = "fmc-alias-csr")] pub mod fmc_alias_csr { use super::*; @@ -262,13 +262,13 @@ pub struct PersistentData { pub idevid_csr: IdevIdCsr, reserved10: [u8; IDEVID_CSR_SIZE as usize - size_of::()], - #[cfg(feature = "fmc")] + #[cfg(feature = "fmc-alias-csr")] pub fmc_alias_csr: FmcAliasCsr, - #[cfg(feature = "fmc")] + #[cfg(feature = "fmc-alias-csr")] reserved11: [u8; FMC_ALIAS_CSR_SIZE as usize - size_of::()], - #[cfg(not(feature = "fmc"))] + #[cfg(not(feature = "fmc-alias-csr"))] pub fmc_alias_csr: [u8; FMC_ALIAS_CSR_SIZE as usize], // Reserved memory for future objects. diff --git a/error/src/lib.rs b/error/src/lib.rs index b477793ae8..8cbcbb449f 100644 --- a/error/src/lib.rs +++ b/error/src/lib.rs @@ -453,6 +453,9 @@ impl CaliptraError { pub const RUNTIME_GET_FMC_CSR_UNPROVISIONED: CaliptraError = CaliptraError::new_const(0x000E0054); + pub const RUNTIME_GET_FMC_CSR_UNSUPPORTED_FMC: CaliptraError = + CaliptraError::new_const(0x000E0055); + /// FMC Errors pub const FMC_GLOBAL_NMI: CaliptraError = CaliptraError::new_const(0x000F0001); pub const FMC_GLOBAL_EXCEPTION: CaliptraError = CaliptraError::new_const(0x000F0002); diff --git a/fmc/Cargo.toml b/fmc/Cargo.toml index 7de33fa57e..eacf45d763 100644 --- a/fmc/Cargo.toml +++ b/fmc/Cargo.toml @@ -42,4 +42,4 @@ itrng = ["caliptra-hw-model/itrng"] verilator = ["caliptra-hw-model/verilator"] fake-fmc = [] "hw-1.0" = ["caliptra-builder/hw-1.0", "caliptra-cpu/hw-1.0", "caliptra-drivers/hw-1.0", "caliptra-registers/hw-1.0"] -fmc_alias_csr = ["caliptra-drivers/fmc_alias_csr"] \ No newline at end of file +fmc-alias-csr = ["caliptra-drivers/fmc-alias-csr"] \ No newline at end of file diff --git a/fmc/build.sh b/fmc/build.sh index dce5b31441..dcd7526e37 100755 --- a/fmc/build.sh +++ b/fmc/build.sh @@ -9,5 +9,5 @@ cargo build \ --target riscv32imc-unknown-none-elf \ --profile=firmware \ --no-default-features \ - --features=fmc_alias_csr \ + --features=fmc-alias-csr \ --bin=caliptra-fmc diff --git a/fmc/src/flow/crypto.rs b/fmc/src/flow/crypto.rs index 60e6a4ca2b..e1e275305f 100644 --- a/fmc/src/flow/crypto.rs +++ b/fmc/src/flow/crypto.rs @@ -8,7 +8,9 @@ Abstract: use caliptra_x509::Ecdsa384Signature; use crate::fmc_env::FmcEnv; +#[cfg(feature = "fmc-alias-csr")] use caliptra_drivers::okmutref; +#[cfg(feature = "fmc-alias-csr")] use zeroize::Zeroize; use caliptra_cfi_derive::cfi_impl_fn; @@ -218,12 +220,14 @@ impl Crypto { /// /// * `env` - FMC Environment /// * `priv_key` - Key slot to retrieve the private key + /// * `pub_key` - Public key to verify with /// * `data` - Input data to hash /// /// # Returns /// /// * `Ecc384Signature` - Signature #[inline(always)] + #[cfg(feature = "fmc-alias-csr")] pub fn ecdsa384_sign_and_verify( env: &mut FmcEnv, priv_key: KeyId, diff --git a/fmc/src/flow/fmc_alias_csr.rs b/fmc/src/flow/fmc_alias_csr.rs index 386ba45f81..01d147dcb9 100644 --- a/fmc/src/flow/fmc_alias_csr.rs +++ b/fmc/src/flow/fmc_alias_csr.rs @@ -12,6 +12,7 @@ use crate::flow::crypto::Ecdsa384SignatureAdapter; use zeroize::Zeroize; use caliptra_drivers::okmutref; + use caliptra_drivers::FmcAliasCsr; use caliptra_x509::FmcAliasCsrTbs; @@ -25,7 +26,7 @@ use caliptra_x509::Ecdsa384CsrBuilder; /// /// # Arguments /// -/// * `hand_off` - HandOff +/// * `env` - FMC Environment /// /// # Returns /// diff --git a/fmc/src/flow/mod.rs b/fmc/src/flow/mod.rs index 466dc1c518..c532f5441c 100644 --- a/fmc/src/flow/mod.rs +++ b/fmc/src/flow/mod.rs @@ -14,14 +14,13 @@ Abstract: mod crypto; pub mod dice; +#[cfg(feature = "fmc-alias-csr")] mod fmc_alias_csr; mod pcr; mod rt_alias; mod tci; mod x509; -use caliptra_drivers::ResetReason; - use crate::flow::rt_alias::RtAliasLayer; use crate::fmc_env::FmcEnv; @@ -33,11 +32,18 @@ use caliptra_drivers::CaliptraResult; /// /// * `env` - FMC Environment pub fn run(env: &mut FmcEnv) -> CaliptraResult<()> { - let reset_reason = env.soc_ifc.reset_reason(); - - if reset_reason == ResetReason::ColdReset { - // Generate the FMC Alias Certificate Signing Request (CSR) - fmc_alias_csr::generate_csr(env)?; + #[cfg(feature = "fmc-alias-csr")] + { + use caliptra_cfi_lib::cfi_assert_eq; + use caliptra_drivers::ResetReason; + + let reset_reason = env.soc_ifc.reset_reason(); + + if reset_reason == ResetReason::ColdReset { + cfi_assert_eq(env.soc_ifc.reset_reason(), ResetReason::ColdReset); + // Generate the FMC Alias Certificate Signing Request (CSR) + fmc_alias_csr::generate_csr(env)?; + } } RtAliasLayer::run(env) diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml index 3669787260..8f521e7ede 100644 --- a/runtime/Cargo.toml +++ b/runtime/Cargo.toml @@ -11,7 +11,7 @@ caliptra-cfi-lib-git = { workspace = true, default-features = false, features = caliptra-cfi-derive-git.workspace = true caliptra_common = { workspace = true, default-features = false, features = ["runtime"] } caliptra-cpu.workspace = true -caliptra-drivers = { workspace = true, features = ["fmc", "runtime"] } +caliptra-drivers = { workspace = true, features = ["fmc-alias-csr", "runtime"] } caliptra-error = { workspace = true, default-features = false } caliptra-image-types = { workspace = true, default-features = false } caliptra-auth-man-types = { workspace = true, default-features = false } @@ -64,4 +64,5 @@ fips_self_test=[] no-cfi = ["caliptra-image-verify/no-cfi", "caliptra-drivers/no-cfi"] fpga_realtime = ["caliptra-drivers/fpga_realtime"] "hw-1.0" = ["caliptra-builder/hw-1.0", "caliptra-drivers/hw-1.0", "caliptra-registers/hw-1.0", "caliptra-kat/hw-1.0","caliptra-cpu/hw-1.0"] -fips-test-hooks = ["caliptra-drivers/fips-test-hooks"] \ No newline at end of file +fips-test-hooks = ["caliptra-drivers/fips-test-hooks"] +fmc-alias-csr = ["caliptra-drivers/fmc-alias-csr"] \ No newline at end of file diff --git a/runtime/build.sh b/runtime/build.sh index 4d38168cfd..79dda8ca62 100755 --- a/runtime/build.sh +++ b/runtime/build.sh @@ -9,4 +9,5 @@ cargo build \ --target riscv32imc-unknown-none-elf \ --profile=firmware \ --no-default-features \ + --features=fmc-alias-csr \ --bin=caliptra-runtime diff --git a/runtime/src/get_fmc_alias_csr.rs b/runtime/src/get_fmc_alias_csr.rs index 76d17ae1ce..2e3b46fc8d 100644 --- a/runtime/src/get_fmc_alias_csr.rs +++ b/runtime/src/get_fmc_alias_csr.rs @@ -17,13 +17,14 @@ use zerocopy::{FromBytes, IntoBytes}; pub struct GetFmcAliasCsrCmd; impl GetFmcAliasCsrCmd { - // #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)] + #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)] #[inline(never)] pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult { let csr_persistent_mem = &drivers.persistent_data.get().fmc_alias_csr; match csr_persistent_mem.get_csr_len() { FmcAliasCsr::UNPROVISIONED_CSR => Err(CaliptraError::RUNTIME_GET_FMC_CSR_UNPROVISIONED), + 0 => Err(CaliptraError::RUNTIME_GET_FMC_CSR_UNSUPPORTED_FMC), len => { let mut resp = GetFmcAliasCsrResp { data_size: len, diff --git a/runtime/src/lib.rs b/runtime/src/lib.rs index b740ac9529..be9229616e 100644 --- a/runtime/src/lib.rs +++ b/runtime/src/lib.rs @@ -22,6 +22,7 @@ mod dpe_crypto; mod dpe_platform; mod drivers; pub mod fips; +#[cfg(feature = "fmc-alias-csr")] mod get_fmc_alias_csr; mod get_idev_csr; pub mod handoff; @@ -59,6 +60,7 @@ pub use fips::FipsShutdownCmd; pub use fips::{fips_self_test_cmd, fips_self_test_cmd::SelfTestStatus}; pub use populate_idev::PopulateIDevIdCertCmd; +#[cfg(feature = "fmc-alias-csr")] pub use get_fmc_alias_csr::GetFmcAliasCsrCmd; pub use get_idev_csr::GetIdevCsrCmd; pub use info::{FwInfoCmd, IDevIdInfoCmd}; @@ -227,6 +229,7 @@ fn handle_command(drivers: &mut Drivers) -> CaliptraResult { CommandId::SET_AUTH_MANIFEST => SetAuthManifestCmd::execute(drivers, cmd_bytes), CommandId::AUTHORIZE_AND_STASH => AuthorizeAndStashCmd::execute(drivers, cmd_bytes), CommandId::GET_IDEV_CSR => GetIdevCsrCmd::execute(drivers, cmd_bytes), + #[cfg(feature = "fmc-alias-csr")] CommandId::GET_FMC_ALIAS_CSR => GetFmcAliasCsrCmd::execute(drivers, cmd_bytes), _ => Err(CaliptraError::RUNTIME_UNIMPLEMENTED_COMMAND), }?; diff --git a/test/tests/caliptra_integration_tests/jtag_test.rs b/test/tests/caliptra_integration_tests/jtag_test.rs index 77131fae84..9814f15a4e 100644 --- a/test/tests/caliptra_integration_tests/jtag_test.rs +++ b/test/tests/caliptra_integration_tests/jtag_test.rs @@ -121,7 +121,7 @@ fn gdb_test() { .unwrap(); hw.step(); - hw.step_until_output_contains("[rt] Runtime listening for mailbox commands...\n") + hw.step_until_output_contains("[rt] listening for commands...\n") .unwrap(); #[cfg(feature = "fpga_realtime")]