
[sw] Change cert template engine to pre-generated method.
The current certificate builder library consumes ~7KB.
Additionally, the immutable ROM extension duplicates the ASN.1/CBOR library,
adding another ~1.5KB.

Given the proximity to the 64KB size limit, this change aims to provide a
more lightweight certificate construction approach.

Change-Id: I11a10ca1c833d238cae67ef30daf9ffcac40e9ae
Signed-off-by: Yi-Hsuan Deng <[email protected]>
sasdf committed Feb 21, 2025
1 parent 89cd29d commit 5144277
Showing 20 changed files with 1,561 additions and 641 deletions.
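--- a/rules/certificates.bzl
+++ b/rules/certificates.bzl
@@ -117,14 +117,21 @@ def certificate_template(name, template, cert_format = "x509"):
 output_group = "unittest",
 )
 
+if cert_format == "x509":
+runtime_deps = [
+"@//sw/device/silicon_creator/lib/cert:asn1",
+"@//sw/device/silicon_creator/lib/cert:template",
+]
+else:
+runtime_deps = [
+"@//sw/device/silicon_creator/lib/cert:cbor",
+]
+
 native.cc_library(
 name = "{}_library".format(name),
 srcs = [":{}_srcs".format(name)],
 hdrs = [":{}_hdrs".format(name)],
-deps = [
-"@//sw/device/silicon_creator/lib/cert:asn1",
-"@//sw/device/silicon_creator/lib/cert:cbor",
-],
+deps = runtime_deps,
 )
 
 native.cc_test(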
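Review bot: The `else` branch of the new `if cert_format == "x509":` block selects the cbor library for every value other than "x509", so a mistyped `cert_format` (for example "X509") is silently built against the wrong encoder instead of failing at analysis time. An explicit comparison against the CBOR format's name (its value is not visible in this hunk; confirm what callers pass) followed by `else: fail("unsupported cert_format: " + cert_format)` would make the macro reject unknown formats. The name `runtime_deps` is also slightly misleading for a `cc_library` `deps` list, which is a link-time dependency set; `encoder_deps` reads more accurately. `certificate_template` starts before this hunk and its `native.cc_test` call continues after it.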
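--- a/sw/device/silicon_creator/lib/cert/BUILD
+++ b/sw/device/silicon_creator/lib/cert/BUILD
@@ -83,6 +83,17 @@ cc_test(
 ],
 )
 
+cc_library(
+name = "template",
+srcs = ["template.c"],
+hdrs = ["template.h"],
+deps = [
+"//sw/device/lib/base:macros",
+"//sw/device/lib/base:memory",
+"//sw/device/lib/base:status",
+],
+)
+
 cc_library(
 name = "cert",
 srcs = ["cert.c"],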
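Review bot: The new `template` library is added without a matching `cc_test`, although the hunk's leading context (`cc_test(`) shows this BUILD file pairs its cert libraries with unit tests, and template.c presumably implements the exact-size, range-size and tweak-msb handling that the .hjson changes in this commit introduce for certificates the ROM_EXT signs. Unless one of the other changed files adds it, a `cc_test(name = "template_unittest", srcs = ["template_unittest.cc"], deps = [":template", ...])` target exercising those three paths, including out-of-range inputs, would be worth adding here. If coverage is intended to come only from the generated per-certificate `_test` targets, a one-line comment on the target saying so would keep the gap from reading as an oversight.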
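--- a/sw/device/silicon_creator/lib/cert/cdi_0.hjson
+++ b/sw/device/silicon_creator/lib/cert/cdi_0.hjson
@@ -10,43 +10,46 @@
 // (x and y) which are 32-bytes integers.
 owner_intermediate_pub_key_ec_x: {
 type: "integer",
-size: 32,
+exact-size: 32,
 },
 owner_intermediate_pub_key_ec_y: {
 type: "integer",
-size: 32,
+exact-size: 32,
 },
 // Owner intermediate public key ID: this is a 20-byte hash
 // derived from the owner intermediate public key.
 owner_intermediate_pub_key_id: {
 type: "byte-array",
-size: 20,
+exact-size: 20,
+tweak-msb: true,
 },
 // This is the identifier of the public key used to
 // sign this certificate (creator key).
 creator_pub_key_id: {
 type: "byte-array",
-size: 20,
+exact-size: 20,
+tweak-msb: true,
 },
 // Hash of the ROM_EXT (SHA256).
 rom_ext_hash: {
 type: "byte-array",
-size: 32,
+exact-size: 32,
 },
 // ROM_EXT security version, used to prevent rollback.
 rom_ext_security_version: {
-type: "integer",
-size: 4,
+type: "byte-array",
+exact-size: 4,
+tweak-msb: true,
 }
 // Certificate signature: the result of signing with ECDSA
 // are two integers named "r" and "s"
 cert_signature_r: {
 type: "integer",
-size: 32,
+range-size: [24, 32],
 },
 cert_signature_s: {
 type: "integer",
-size: 32,
+range-size: [24, 32],
 },
 },
 
@@ -85,7 +88,7 @@
 type: "dice_tcb_info",
 vendor: "OpenTitan",
 model: "ROM_EXT",
-svn: { var: "rom_ext_security_version" },
+svn: { var: "rom_ext_security_version", convert: "big-endian" },
 layer: 1,
 fw_ids: [
 { hash_algorithm: "sha256", digest: { var: "rom_ext_hash" } },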
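Review bot: `rom_ext_security_version` is now a `byte-array` with `tweak-msb: true` and feeds the DiceTcbInfo `svn` through `convert: "big-endian"`, so the top bit of the 4-byte version may be forced for fixed-length encoding, and that changes the numeric value a verifier compares for rollback protection — either corrupting versions at or above 2^31 or offsetting every version by 2^31, depending on which way the engine forces the bit (the engine itself is not visible here). If the engine clears the bit and security versions are constrained below 2^31, state that on the field, e.g. `// NOTE: tweak-msb may alter bit 31 for fixed-length DER; security versions must stay below 2^31.`; otherwise the svn should not be subject to the tweak. The new `range-size: [24, 32]` on `cert_signature_r`/`cert_signature_s` would also benefit from a comment stating what happens when r or s has more than eight leading zero bytes (roughly 2^-72 per value, rare but possible): the build must fail or re-sign rather than emit a malformed certificate.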
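--- a/sw/device/silicon_creator/lib/cert/cdi_1.hjson
+++ b/sw/device/silicon_creator/lib/cert/cdi_1.hjson
@@ -10,48 +10,51 @@
 // (x and y) which are 32-bytes integers.
 owner_pub_key_ec_x: {
 type: "integer",
-size: 32,
+exact-size: 32,
 },
 owner_pub_key_ec_y: {
 type: "integer",
-size: 32,
+exact-size: 32,
 },
 // Owner public key ID: this is a 20-byte hash
 // derived from the owner public key.
 owner_pub_key_id: {
 type: "byte-array",
-size: 20,
+exact-size: 20,
+tweak-msb: true,
 },
 // This is the identifier of the public key used to
 // sign this certificate (owner intermediate key).
 owner_intermediate_pub_key_id: {
 type: "byte-array",
-size: 20,
+exact-size: 20,
+tweak-msb: true,
 },
 // Hash of the owner stage firmware (SHA256).
 owner_hash: {
 type: "byte-array",
-size: 32,
+exact-size: 32,
 },
 // Hash of the owner manifest (SHA256).
 owner_manifest_hash: {
 type: "byte-array",
-size: 32,
+exact-size: 32,
 },
 // Owner security version, used to prevent rollback.
 owner_security_version: {
-type: "integer",
-size: 4,
+type: "byte-array",
+exact-size: 4,
+tweak-msb: true,
 }
 // Certificate signature: the result of signing with ECDSA
 // are two integers named "r" and "s"
 cert_signature_r: {
 type: "integer",
-size: 32,
+range-size: [24, 32],
 },
 cert_signature_s: {
 type: "integer",
-size: 32,
+range-size: [24, 32],
 },
 },
 
@@ -90,7 +93,7 @@
 type: "dice_tcb_info",
 vendor: "OpenTitan",
 model: "Owner",
-svn: { var: "owner_security_version" },
+svn: { var: "owner_security_version", convert: "big-endian" },
 layer: 2,
 fw_ids: [
 { hash_algorithm: "sha256", digest: { var: "owner_hash" } },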
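Review bot: `owner_pub_key_id` and `owner_intermediate_pub_key_id` are documented as 20-byte hashes of the public keys, and both now carry `tweak-msb: true`, so the emitted identifier can differ in bit 7 of byte 0 from the hash a relying party recomputes from the key. That is harmless if the tweaked value is only used as the certificate serial number, but if it is also written into the subjectKeyIdentifier / authorityKeyIdentifier extensions (not visible in this hunk), chain building by key-ID matching between cdi_0 and cdi_1 depends on both templates applying the identical tweak, and verifiers that derive the key ID from the key itself will not match. A comment on each field stating where the tweaked value ends up, e.g. `// tweak-msb: bit 7 of byte 0 may be forced for fixed-length DER; the AKI in the next layer must carry this same tweaked value.`, would make that invariant explicit. `owner_security_version` feeding `svn` through the same tweak raises the same bit-31 question for the rollback counter.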
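--- a/sw/device/silicon_creator/lib/cert/cert.c
+++ b/sw/device/silicon_creator/lib/cert/cert.c
@@ -102,8 +102,10 @@ rom_error_t cert_x509_asn1_check_serial_number(const uint8_t *cert_page_buffer,
 &cert_page_buffer[sn_bytes_offset], asn1_integer_length);
 
 // Check the serial number in the certificate matches what was expected.
+// The first byte is skipped since the MSb might be modified for achieving
+// fixed-length certificate.
 *matches = kHardenedBoolFalse;
-for (size_t i = 0; i < kCertX509Asn1SerialNumberSizeInBytes; ++i) {
+for (size_t i = 1; i < kCertX509Asn1SerialNumberSizeInBytes; ++i) {
 if (launder32(actual_serial_number[i]) != expected_sn_bytes[i]) {
 HARDENED_CHECK_NE(actual_serial_number[i], expected_sn_bytes[i]);
 return kErrorOk;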
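Review bot: Starting the loop at `i = 1` discards all eight bits of the serial number's first byte, although the added comment says only the MSb may have been modified for fixed-length encoding; comparing the low seven bits of byte 0 keeps the check as strong as the encoding allows and keeps the hardened compare covering every byte. Assuming the template engine changes nothing but bit 7 of byte 0, mask that bit on both sides instead of skipping the byte, as below. `cert_x509_asn1_check_serial_number` starts before this hunk and the loop body continues past it, so any loop-completion hardening outside the hunk must use the same iteration count.
```c
  // Only bit 7 of byte 0 may have been tweaked to keep the DER INTEGER a
  // fixed length, so mask that bit out rather than skipping the whole byte.
  *matches = kHardenedBoolFalse;
  for (size_t i = 0; i < kCertX509Asn1SerialNumberSizeInBytes; ++i) {
    uint8_t mask = (i == 0) ? 0x7f : 0xff;
    if (launder32(actual_serial_number[i] & mask) !=
        (expected_sn_bytes[i] & mask)) {
      HARDENED_CHECK_NE(actual_serial_number[i] & mask,
                        expected_sn_bytes[i] & mask);
      return kErrorOk;
      // … unchanged: remainder of loop body and function …
```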
