diff --git a/sw/device/silicon_creator/lib/dice.c b/sw/device/silicon_creator/lib/dice.c index be2bb7a72db5f..705ed668ec260 100644 --- a/sw/device/silicon_creator/lib/dice.c +++ b/sw/device/silicon_creator/lib/dice.c @@ -100,6 +100,7 @@ static void curr_pubkey_le_to_be_convert(attestation_public_key_t *pubkey) { * generated public key is saved at pubkey. */ static rom_error_t common_attestation_keygen( + otbn_boot_attestation_key_type_t key_type, const keymgr_diversification_t *diversifier, attestation_key_seed_t seed, keymgr_state_t desired_keymgr_state, hmac_digest_t *pubkey_id, attestation_public_key_t *pubkey) { @@ -107,7 +108,7 @@ static rom_error_t common_attestation_keygen( // Generate / sideload key material into OTBN, and generate the ECC keypair. HARDENED_RETURN_IF_ERROR( - otbn_boot_attestation_keygen(seed, *diversifier, pubkey)); + otbn_boot_attestation_keygen(seed, key_type, *diversifier, pubkey)); // Keys are represented in certificates in big endian format, but the key is // output from OTBN in little endian format, so we convert the key to @@ -149,7 +150,8 @@ rom_error_t dice_attestation_keygen(dice_key_t desired_key, default: return kErrorDiceInvalidArgument; }; - return common_attestation_keygen(keymgr_diversifier, otbn_ecc_keygen_seed, + return common_attestation_keygen(kOtbnBootAttestationKeyTypeDice, + keymgr_diversifier, otbn_ecc_keygen_seed, desired_state, pubkey_id, pubkey); } @@ -177,7 +179,8 @@ rom_error_t tpm_cert_keygen(tpm_key_t desired_key, hmac_digest_t *pubkey_id, default: return kErrorDiceInvalidArgument; }; - return common_attestation_keygen(keymgr_diversifier, otbn_ecc_keygen_seed, + return common_attestation_keygen(kOtbnBootAttestationKeyTypeTpm, + keymgr_diversifier, otbn_ecc_keygen_seed, kKeymgrStateOwnerKey, pubkey_id, pubkey); } @@ -291,7 +294,8 @@ rom_error_t dice_cdi_0_cert_build(hmac_digest_t *rom_ext_measurement, // Save the CDI_0 private key to OTBN DMEM so it can endorse the next stage. HARDENED_RETURN_IF_ERROR(otbn_boot_attestation_key_save( - kCdi0AttestationKeySeed, kCdi0KeymgrDiversifier)); + kCdi0AttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + kCdi0KeymgrDiversifier)); return kErrorOk; } @@ -339,7 +343,8 @@ rom_error_t dice_cdi_1_cert_build(hmac_digest_t *owner_measurement, // Save the CDI_1 private key to OTBN DMEM so it can endorse the next stage. HARDENED_RETURN_IF_ERROR(otbn_boot_attestation_key_save( - kCdi1AttestationKeySeed, kCdi1KeymgrDiversifier)); + kCdi1AttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + kCdi1KeymgrDiversifier)); return kErrorOk; } diff --git a/sw/device/silicon_creator/lib/drivers/keymgr.c b/sw/device/silicon_creator/lib/drivers/keymgr.c index a2ecb82730e1e..d6ff529d2506f 100644 --- a/sw/device/silicon_creator/lib/drivers/keymgr.c +++ b/sw/device/silicon_creator/lib/drivers/keymgr.c @@ -201,17 +201,21 @@ static rom_error_t keymgr_wait_until_done(void) { return kErrorKeymgrInternal; } -rom_error_t keymgr_generate_attestation_key_otbn( - keymgr_diversification_t diversification) { +rom_error_t keymgr_generate_key_otbn(keymgr_key_type_t key_type, + keymgr_diversification_t diversification) { HARDENED_RETURN_IF_ERROR(keymgr_is_idle()); + uint32_t ctrl = 0; + // Select OTBN as the destination. - uint32_t ctrl = - bitfield_field32_write(0, KEYMGR_CONTROL_SHADOWED_DEST_SEL_FIELD, - KEYMGR_CONTROL_SHADOWED_DEST_SEL_VALUE_OTBN); + ctrl = bitfield_field32_write(0, KEYMGR_CONTROL_SHADOWED_DEST_SEL_FIELD, + KEYMGR_CONTROL_SHADOWED_DEST_SEL_VALUE_OTBN); // Select the attestation CDI. - ctrl = bitfield_bit32_write(ctrl, KEYMGR_CONTROL_SHADOWED_CDI_SEL_BIT, true); + if (key_type == kKeymgrKeyTypeAttestation) { + ctrl = + bitfield_bit32_write(ctrl, KEYMGR_CONTROL_SHADOWED_CDI_SEL_BIT, true); + } // Select the "generate" operation. ctrl = bitfield_field32_write( diff --git a/sw/device/silicon_creator/lib/drivers/keymgr.h b/sw/device/silicon_creator/lib/drivers/keymgr.h index d72c72cf9d845..e76e424849e84 100644 --- a/sw/device/silicon_creator/lib/drivers/keymgr.h +++ b/sw/device/silicon_creator/lib/drivers/keymgr.h @@ -184,18 +184,27 @@ OT_WARN_UNUSED_RESULT rom_error_t keymgr_state_check(keymgr_state_t expected_state); /** - * Derive a key manager key for the OTBN block. + * Keymgr output-generate key types (attestation or sealing). + */ +typedef enum keymgr_key_type { + kKeymgrKeyTypeAttestation = 0, + kKeymgrKeyTypeSealing = 1, +} keymgr_key_type_t; + +/** + * Generate a key manager key and sideload to the OTBN block. * * Calls the key manager to sideload a key into the OTBN hardware block and - * waits until the operation is complete before returning. Always uses the - * attestation (not sealing) CDI; call this only for attestation keys. + * waits until the operation is complete before returning. Can sideload an + * attestation or sealing key based on user input. * + * @param key_type Key type: attestation or sealing. * @param diversification Diversification input for the key derivation. * @return OK or error. */ OT_WARN_UNUSED_RESULT -rom_error_t keymgr_generate_attestation_key_otbn( - const keymgr_diversification_t diversification); +rom_error_t keymgr_generate_key_otbn(keymgr_key_type_t key_type, + keymgr_diversification_t diversification); /** * Clear OTBN's sideloaded key slot. diff --git a/sw/device/silicon_creator/lib/drivers/keymgr_unittest.cc b/sw/device/silicon_creator/lib/drivers/keymgr_unittest.cc index d700daa86fe67..7f7e095e592d6 100644 --- a/sw/device/silicon_creator/lib/drivers/keymgr_unittest.cc +++ b/sw/device/silicon_creator/lib/drivers/keymgr_unittest.cc @@ -211,7 +211,7 @@ TEST_F(KeymgrTest, CheckStateInvalidResponse) { kErrorKeymgrInternal); } -TEST_F(KeymgrTest, GenAttestationKey) { +TEST_F(KeymgrTest, GenOtbnAttestationKey) { keymgr_diversification_t test_diversification = { .salt = {0xf0f1f2f3, 0xf4f5f6f7, 0xf8f9fafb, 0xfcfdfeff, 0xd0d1d2d3, 0xd4d5d6d7, 0xd8d9dadb, 0xdcdddedf}, @@ -236,11 +236,42 @@ TEST_F(KeymgrTest, GenAttestationKey) { ExpectWaitUntilDone(/*busy_cycles=*/2, KEYMGR_OP_STATUS_STATUS_VALUE_DONE_SUCCESS); - EXPECT_EQ(keymgr_generate_attestation_key_otbn(test_diversification), - kErrorOk); + EXPECT_EQ( + keymgr_generate_key_otbn(kKeymgrKeyTypeAttestation, test_diversification), + kErrorOk); +} + +TEST_F(KeymgrTest, GenOtbnSealingKey) { + keymgr_diversification_t test_diversification = { + .salt = {0xf0f1f2f3, 0xf4f5f6f7, 0xf8f9fafb, 0xfcfdfeff, 0xd0d1d2d3, + 0xd4d5d6d7, 0xd8d9dadb, 0xdcdddedf}, + .version = cfg_.max_key_ver - 1, + }; + + ExpectIdleCheck(KEYMGR_OP_STATUS_STATUS_VALUE_IDLE); + EXPECT_ABS_WRITE32_SHADOWED( + base_ + KEYMGR_CONTROL_SHADOWED_REG_OFFSET, + { + {KEYMGR_CONTROL_SHADOWED_DEST_SEL_OFFSET, + KEYMGR_CONTROL_SHADOWED_DEST_SEL_VALUE_OTBN}, + {KEYMGR_CONTROL_SHADOWED_CDI_SEL_BIT, false}, + {KEYMGR_CONTROL_SHADOWED_OPERATION_OFFSET, + KEYMGR_CONTROL_SHADOWED_OPERATION_VALUE_GENERATE_HW_OUTPUT}, + }); + ExpectDiversificationWrite(test_diversification); + EXPECT_ABS_WRITE32(base_ + KEYMGR_START_REG_OFFSET, + { + {KEYMGR_START_EN_BIT, true}, + }); + ExpectWaitUntilDone(/*busy_cycles=*/2, + KEYMGR_OP_STATUS_STATUS_VALUE_DONE_SUCCESS); + + EXPECT_EQ( + keymgr_generate_key_otbn(kKeymgrKeyTypeSealing, test_diversification), + kErrorOk); } -TEST_F(KeymgrTest, GenAttestationKeyNotIdle) { +TEST_F(KeymgrTest, GenOtbnKeyNotIdle) { keymgr_diversification_t test_diversification = { .salt = {0xf0f1f2f3, 0xf4f5f6f7, 0xf8f9fafb, 0xfcfdfeff, 0xd0d1d2d3, 0xd4d5d6d7, 0xd8d9dadb, 0xdcdddedf}, @@ -248,17 +279,20 @@ TEST_F(KeymgrTest, GenAttestationKeyNotIdle) { }; ExpectIdleCheck(KEYMGR_OP_STATUS_STATUS_VALUE_WIP); - EXPECT_EQ(keymgr_generate_attestation_key_otbn(test_diversification), - kErrorKeymgrInternal); + EXPECT_EQ( + keymgr_generate_key_otbn(kKeymgrKeyTypeAttestation, test_diversification), + kErrorKeymgrInternal); ExpectIdleCheck(KEYMGR_OP_STATUS_STATUS_VALUE_DONE_ERROR); - EXPECT_EQ(keymgr_generate_attestation_key_otbn(test_diversification), - kErrorKeymgrInternal); + EXPECT_EQ( + keymgr_generate_key_otbn(kKeymgrKeyTypeAttestation, test_diversification), + kErrorKeymgrInternal); ExpectIdleCheck(KEYMGR_OP_STATUS_STATUS_VALUE_DONE_SUCCESS); - EXPECT_EQ(keymgr_generate_attestation_key_otbn(test_diversification), - kErrorKeymgrInternal); + EXPECT_EQ( + keymgr_generate_key_otbn(kKeymgrKeyTypeAttestation, test_diversification), + kErrorKeymgrInternal); } -TEST_F(KeymgrTest, GenAttestationKeyError) { +TEST_F(KeymgrTest, GenOtbnKeyError) { keymgr_diversification_t test_diversification = { .salt = {0xf0f1f2f3, 0xf4f5f6f7, 0xf8f9fafb, 0xfcfdfeff, 0xd0d1d2d3, 0xd4d5d6d7, 0xd8d9dadb, 0xdcdddedf}, @@ -286,8 +320,9 @@ TEST_F(KeymgrTest, GenAttestationKeyError) { EXPECT_ABS_READ32(base_ + KEYMGR_ERR_CODE_REG_OFFSET, err_code); EXPECT_ABS_WRITE32(base_ + KEYMGR_ERR_CODE_REG_OFFSET, err_code); - EXPECT_EQ(keymgr_generate_attestation_key_otbn(test_diversification), - kErrorKeymgrInternal); + EXPECT_EQ( + keymgr_generate_key_otbn(kKeymgrKeyTypeAttestation, test_diversification), + kErrorKeymgrInternal); } TEST_F(KeymgrTest, SideloadClearOtbn) { diff --git a/sw/device/silicon_creator/lib/otbn_boot_services.c b/sw/device/silicon_creator/lib/otbn_boot_services.c index 72df8fc423050..b9d78dd837df2 100644 --- a/sw/device/silicon_creator/lib/otbn_boot_services.c +++ b/sw/device/silicon_creator/lib/otbn_boot_services.c @@ -129,11 +129,12 @@ rom_error_t otbn_boot_app_load(void) { return otbn_load_app(kOtbnAppBoot); } rom_error_t otbn_boot_attestation_keygen( attestation_key_seed_t additional_seed, + otbn_boot_attestation_key_type_t key_type, keymgr_diversification_t diversification, attestation_public_key_t *public_key) { // Trigger key manager to sideload the attestation key into OTBN. HARDENED_RETURN_IF_ERROR( - keymgr_generate_attestation_key_otbn(diversification)); + keymgr_generate_key_otbn((keymgr_key_type_t)key_type, diversification)); // Write the mode. uint32_t mode = kOtbnBootModeAttestationKeygen; @@ -172,10 +173,11 @@ rom_error_t otbn_boot_attestation_keygen( rom_error_t otbn_boot_attestation_key_save( attestation_key_seed_t additional_seed, + otbn_boot_attestation_key_type_t key_type, keymgr_diversification_t diversification) { // Trigger key manager to sideload the attestation key into OTBN. HARDENED_RETURN_IF_ERROR( - keymgr_generate_attestation_key_otbn(diversification)); + keymgr_generate_key_otbn((keymgr_key_type_t)key_type, diversification)); // Write the mode. uint32_t mode = kOtbnBootModeAttestationKeySave; diff --git a/sw/device/silicon_creator/lib/otbn_boot_services.h b/sw/device/silicon_creator/lib/otbn_boot_services.h index a511853482211..2d1715e8f7895 100644 --- a/sw/device/silicon_creator/lib/otbn_boot_services.h +++ b/sw/device/silicon_creator/lib/otbn_boot_services.h @@ -29,6 +29,14 @@ extern "C" { OT_WARN_UNUSED_RESULT rom_error_t otbn_boot_app_load(void); +/** + * OTBN attestation key types (DICE or TPM). + */ +typedef enum otbn_boot_attestation_key_type { + kOtbnBootAttestationKeyTypeDice = kKeymgrKeyTypeAttestation, + kOtbnBootAttestationKeyTypeTpm = kKeymgrKeyTypeSealing, +} otbn_boot_attestation_key_type_t; + /** * Generate an attestation public key from a keymgr-derived secret. * @@ -47,6 +55,9 @@ rom_error_t otbn_boot_app_load(void); * `otbn_boot_app_load`. * * @param additional_seed The attestation key generation seed to load. + * @param key_type OTBN attestation key type to generate. "DICE" attestation + * keys are based on "attestation" keys from the keymgr; "TPM" + * attestation keys are based on "sealing keys from the keymgr. * @param diversification Salt and version information for key manager. * @param[out] public_key Attestation public key. * @return The result of the operation. @@ -54,6 +65,7 @@ rom_error_t otbn_boot_app_load(void); OT_WARN_UNUSED_RESULT rom_error_t otbn_boot_attestation_keygen( attestation_key_seed_t additional_seed, + otbn_boot_attestation_key_type_t key_type, keymgr_diversification_t diversification, attestation_public_key_t *public_key); @@ -68,12 +80,16 @@ rom_error_t otbn_boot_attestation_keygen( * `otbn_boot_app_load`. * * @param additional_seed The attestation key generation seed to load. + * @param key_type OTBN attestation key type to generate. "DICE" attestation + * keys are based on "attestation" keys from the keymgr; "TPM" + * attestation keys are based on "sealing keys from the keymgr. * @param diversification Salt and version information for key manager. * @return The result of the operation. */ OT_WARN_UNUSED_RESULT rom_error_t otbn_boot_attestation_key_save( attestation_key_seed_t additional_seed, + otbn_boot_attestation_key_type_t key_type, keymgr_diversification_t diversification); /** diff --git a/sw/device/silicon_creator/lib/otbn_boot_services_functest.c b/sw/device/silicon_creator/lib/otbn_boot_services_functest.c index 009cb1c36af4f..a01df89dc4d30 100644 --- a/sw/device/silicon_creator/lib/otbn_boot_services_functest.c +++ b/sw/device/silicon_creator/lib/otbn_boot_services_functest.c @@ -159,24 +159,34 @@ rom_error_t attestation_keygen_test(void) { // Check that key generations with different seeds result in different keys. attestation_public_key_t pk_uds; RETURN_IF_ERROR(otbn_boot_attestation_keygen(kUdsAttestationKeySeed, + kOtbnBootAttestationKeyTypeDice, kDiversification, &pk_uds)); attestation_public_key_t pk_cdi0; RETURN_IF_ERROR(otbn_boot_attestation_keygen(kCdi0AttestationKeySeed, + kOtbnBootAttestationKeyTypeDice, kDiversification, &pk_cdi0)); attestation_public_key_t pk_cdi1; RETURN_IF_ERROR(otbn_boot_attestation_keygen(kCdi1AttestationKeySeed, + kOtbnBootAttestationKeyTypeDice, kDiversification, &pk_cdi1)); + attestation_public_key_t pk_tpm_ek; + RETURN_IF_ERROR(otbn_boot_attestation_keygen(kTpmEkAttestationKeySeed, + kOtbnBootAttestationKeyTypeTpm, + kDiversification, &pk_tpm_ek)); CHECK_ARRAYS_NE((unsigned char *)&pk_uds, (unsigned char *)&pk_cdi0, sizeof(pk_uds)); CHECK_ARRAYS_NE((unsigned char *)&pk_uds, (unsigned char *)&pk_cdi1, sizeof(pk_uds)); CHECK_ARRAYS_NE((unsigned char *)&pk_cdi0, (unsigned char *)&pk_cdi1, sizeof(pk_uds)); + CHECK_ARRAYS_NE((unsigned char *)&pk_tpm_ek, (unsigned char *)&pk_cdi1, + sizeof(pk_uds)); // Check that running the same key generation twice results in the same key. attestation_public_key_t pk_uds_again; RETURN_IF_ERROR(otbn_boot_attestation_keygen( - kUdsAttestationKeySeed, kDiversification, &pk_uds_again)); + kUdsAttestationKeySeed, kOtbnBootAttestationKeyTypeDice, kDiversification, + &pk_uds_again)); CHECK_ARRAYS_EQ((unsigned char *)&pk_uds_again, (unsigned char *)&pk_uds, sizeof(pk_uds)); @@ -188,7 +198,8 @@ rom_error_t attestation_keygen_test(void) { diversification_modified.salt[0] ^= 1; attestation_public_key_t pk_uds_div; RETURN_IF_ERROR(otbn_boot_attestation_keygen( - kUdsAttestationKeySeed, diversification_modified, &pk_uds_div)); + kUdsAttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + diversification_modified, &pk_uds_div)); CHECK_ARRAYS_NE((unsigned char *)&pk_uds_div, (unsigned char *)&pk_uds, sizeof(pk_uds)); return kErrorOk; @@ -198,9 +209,11 @@ rom_error_t attestation_advance_and_endorse_test(void) { // Generate and save the a keypair. attestation_public_key_t pk; RETURN_IF_ERROR(otbn_boot_attestation_keygen(kUdsAttestationKeySeed, + kOtbnBootAttestationKeyTypeDice, kDiversification, &pk)); - RETURN_IF_ERROR( - otbn_boot_attestation_key_save(kUdsAttestationKeySeed, kDiversification)); + RETURN_IF_ERROR(otbn_boot_attestation_key_save( + kUdsAttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + kDiversification)); // Advance keymgr to the next stage. CHECK_STATUS_OK( @@ -246,13 +259,15 @@ rom_error_t attestation_advance_and_endorse_test(void) { // N.B. This test will lock OTBN, so it needs to be the last test that runs. rom_error_t attestation_save_clear_key_test(void) { // Save and then clear a private key. - RETURN_IF_ERROR( - otbn_boot_attestation_key_save(kUdsAttestationKeySeed, kDiversification)); + RETURN_IF_ERROR(otbn_boot_attestation_key_save( + kUdsAttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + kDiversification)); RETURN_IF_ERROR(otbn_boot_attestation_key_clear()); // Save the private key again and check that endorsing succeeds. - RETURN_IF_ERROR( - otbn_boot_attestation_key_save(kUdsAttestationKeySeed, kDiversification)); + RETURN_IF_ERROR(otbn_boot_attestation_key_save( + kUdsAttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + kDiversification)); hmac_digest_t digest; hmac_sha256(kEndorseTestMessage, kEndorseTestMessageLen, &digest); attestation_signature_t sig; diff --git a/sw/device/silicon_creator/rom_ext/rom_ext.c b/sw/device/silicon_creator/rom_ext/rom_ext.c index a564e0454cbd7..bc895314602a6 100644 --- a/sw/device/silicon_creator/rom_ext/rom_ext.c +++ b/sw/device/silicon_creator/rom_ext/rom_ext.c @@ -300,7 +300,8 @@ static rom_error_t rom_ext_attestation_keygen( HARDENED_RETURN_IF_ERROR(dice_attestation_keygen(kDiceKeyUds, &uds_pubkey_id, &curr_attestation_pubkey)); HARDENED_RETURN_IF_ERROR(otbn_boot_attestation_key_save( - kUdsAttestationKeySeed, kUdsKeymgrDiversifier)); + kUdsAttestationKeySeed, kOtbnBootAttestationKeyTypeDice, + kUdsKeymgrDiversifier)); // TODO(#22921): fix cert updating check and re-enable checks below. curr_cert_valid = kHardenedBoolTrue; /*HARDENED_RETURN_IF_ERROR(cert_x509_asn1_check_serial_number(*/