feat: add negative unit tests for debug unlock

Signed-off-by: Arthur Heymans <arthur.heymans@9elements.com>
chipsalliance · Jan 13, 2025 · 3aeb731 · 3aeb731
1 parent 671c275
commit 3aeb731
Show file tree

Hide file tree

Showing 3 changed files with 498 additions and 18 deletions.
diff --git a/error/src/lib.rs b/error/src/lib.rs
@@ -699,7 +699,9 @@ impl CaliptraError {
         CaliptraError::new_const(0xa0000004);
     pub const ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_MBOX_CMD: CaliptraError =
         CaliptraError::new_const(0xa0000005);
-    pub const ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN: CaliptraError =
+    pub const ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_WRONG_PUBLIC_KEYS: CaliptraError =
+        CaliptraError::new_const(0xa0000006);
+    pub const ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_INVALID_SIGNATURE: CaliptraError =
         CaliptraError::new_const(0xa0000006);
 }
 

diff --git a/rom/dev/src/flow/debug_unlock.rs b/rom/dev/src/flow/debug_unlock.rs
@@ -225,15 +225,15 @@ fn handle_production_token(
     if payload_length(token.length)
         != size_of::<ProductionAuthDebugUnlockToken>() - size_of::<MailboxReqHeader>()
     {
-        Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN)?
+        Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_INVALID_SIGNATURE)?
     }
 
     // Debug level
     if payload_length(token.unlock_category) != payload_length(request.unlock_category) {
-        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN);
+        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_INVALID_SIGNATURE);
     }
     if cfi_launder(token.challenge) != challenge.challenge {
-        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN);
+        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_INVALID_SIGNATURE);
     } else {
         caliptra_cfi_lib::cfi_assert_eq_12_words(
             &Array4x12::from(token.challenge).0,
@@ -262,7 +262,7 @@ fn handle_production_token(
     if cfi_launder(request_digest) != fuse_digest {
         env.soc_ifc.finish_ss_dbg_unluck(false);
         txn.set_uc_tap_unlock(false);
-        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_MANUF_INVALID_TOKEN);
+        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_WRONG_PUBLIC_KEYS);
     } else {
         caliptra_cfi_lib::cfi_assert_eq_12_words(
             &request_digest.0[..12].try_into().unwrap(),
@@ -289,7 +289,7 @@ fn handle_production_token(
     if result == Ecc384Result::SigVerifyFailed {
         env.soc_ifc.finish_ss_dbg_unluck(false);
         txn.set_uc_tap_unlock(false);
-        Err(CaliptraError::ROM_SS_DBG_UNLOCK_MANUF_INVALID_TOKEN)?;
+        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_INVALID_SIGNATURE);
     }
 
     let mut digest_op = env.sha2_512_384.sha512_digest_init()?;
@@ -306,7 +306,7 @@ fn handle_production_token(
     )?;
 
     if result == Mldsa87Result::SigVerifyFailed {
-        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_MANUF_INVALID_TOKEN);
+        return Err(CaliptraError::ROM_SS_DBG_UNLOCK_PROD_INVALID_TOKEN_INVALID_SIGNATURE);
     }
     Ok(())
 }