Adding command to get owner pub key hash received with image bundle

api/src/mailbox.rs

@@ -54,6 +54,9 @@ impl CommandId {
 
     // The get IDevID CSR command.
     pub const GET_IDEV_CSR: Self = Self(0x4944_4352); // "IDCR"
+
+    // The get Owner Pub Key Hash command.
+    pub const GET_OWNER_PUB_KEY_HASH: Self = Self(0x4F50_5542); // "OPUB"
 }
 
 impl From<u32> for CommandId {
@@ -155,6 +158,7 @@ pub enum MailboxResp {
     CertifyKeyExtended(CertifyKeyExtendedResp),
     AuthorizeAndStash(AuthorizeAndStashResp),
     GetIdevCsr(GetIdevCsrResp),
+    GetOwnerPubKeyHash(GetOwnerPubKeyHashResp),
 }
 
 impl MailboxResp {
@@ -176,6 +180,7 @@ impl MailboxResp {
             MailboxResp::CertifyKeyExtended(resp) => Ok(resp.as_bytes()),
             MailboxResp::AuthorizeAndStash(resp) => Ok(resp.as_bytes()),
             MailboxResp::GetIdevCsr(resp) => Ok(resp.as_bytes()),
+            MailboxResp::GetOwnerPubKeyHash(resp) => Ok(resp.as_bytes()),
         }
     }
 
@@ -197,6 +202,7 @@ impl MailboxResp {
             MailboxResp::CertifyKeyExtended(resp) => Ok(resp.as_bytes_mut()),
             MailboxResp::AuthorizeAndStash(resp) => Ok(resp.as_bytes_mut()),
             MailboxResp::GetIdevCsr(resp) => Ok(resp.as_bytes_mut()),
+            MailboxResp::GetOwnerPubKeyHash(resp) => Ok(resp.as_bytes_mut()),
         }
     }
 
@@ -257,6 +263,7 @@ pub enum MailboxReq {
     CertifyKeyExtended(CertifyKeyExtendedReq),
     SetAuthManifest(SetAuthManifestReq),
     AuthorizeAndStash(AuthorizeAndStashReq),
+    GetOwnerPubKeyHash(GetOwnerPubKeyHashReq),
 }
 
 impl MailboxReq {
@@ -282,6 +289,7 @@ impl MailboxReq {
             MailboxReq::CertifyKeyExtended(req) => Ok(req.as_bytes()),
             MailboxReq::SetAuthManifest(req) => Ok(req.as_bytes()),
             MailboxReq::AuthorizeAndStash(req) => Ok(req.as_bytes()),
+            MailboxReq::GetOwnerPubKeyHash(req) => Ok(req.as_bytes()),
         }
     }
 
@@ -307,6 +315,7 @@ impl MailboxReq {
             MailboxReq::CertifyKeyExtended(req) => Ok(req.as_bytes_mut()),
             MailboxReq::SetAuthManifest(req) => Ok(req.as_bytes_mut()),
             MailboxReq::AuthorizeAndStash(req) => Ok(req.as_bytes_mut()),
+            MailboxReq::GetOwnerPubKeyHash(req) => Ok(req.as_bytes_mut()),
         }
     }
 
@@ -332,6 +341,7 @@ impl MailboxReq {
             MailboxReq::CertifyKeyExtended(_) => CommandId::CERTIFY_KEY_EXTENDED,
             MailboxReq::SetAuthManifest(_) => CommandId::SET_AUTH_MANIFEST,
             MailboxReq::AuthorizeAndStash(_) => CommandId::AUTHORIZE_AND_STASH,
+            MailboxReq::GetOwnerPubKeyHash(_) => CommandId::GET_OWNER_PUB_KEY_HASH,
         }
     }
 
@@ -1092,6 +1102,36 @@ pub struct AuthorizeAndStashResp {
 }
 impl Response for AuthorizeAndStashResp {}
 
+// GET_OWNER_PUB_KEY_HASH
+#[repr(C)]
+#[derive(Default, Debug, AsBytes, FromBytes, PartialEq, Eq)]
+pub struct GetOwnerPubKeyHashReq {
+    pub hdr: MailboxReqHeader,
+}
+
+impl Request for GetOwnerPubKeyHashReq {
+    const ID: CommandId = CommandId::GET_OWNER_PUB_KEY_HASH;
+    type Resp = GetOwnerPubKeyHashResp;
+}
+
+#[repr(C)]
+#[derive(Debug, AsBytes, FromBytes, PartialEq, Eq)]
+pub struct GetOwnerPubKeyHashResp {
+    pub hdr: MailboxRespHeader,
+    pub key_hash: [u8; 48],
+}
+
+impl ResponseVarSize for GetOwnerPubKeyHashResp {}
+
+impl Default for GetOwnerPubKeyHashResp {
+    fn default() -> Self {
+        Self {
+            hdr: MailboxRespHeader::default(),
+            key_hash: [0u8; 48],
+        }
+    }
+}
+
 /// Retrieves dlen bytes  from the mailbox.
 pub fn mbox_read_response(
     mbox: mbox::RegisterBlock<impl MmioMut>,

runtime/src/get_owner_pub_key_hash.rs

@@ -0,0 +1,33 @@
+// Licensed under the Apache-2.0 license
+
+use crate::Drivers;
+
+use caliptra_cfi_derive_git::cfi_impl_fn;
+use caliptra_cfi_lib_git::cfi_launder;
+
+use caliptra_common::{
+    cprintln,
+    mailbox_api::{GetOwnerPubKeyHashReq, GetOwnerPubKeyHashResp, MailboxResp, MailboxRespHeader},
+};
+use caliptra_error::{CaliptraError, CaliptraResult};
+
+use zerocopy::{AsBytes, FromBytes};
+
+pub struct GetOwnerPubKeyHashCmd;
+impl GetOwnerPubKeyHashCmd {
+    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
+    #[inline(never)]
+    pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult<MailboxResp> {
+        if let Some(cmd) = GetOwnerPubKeyHashReq::read_from(cmd_args) {
+            let mut resp = GetOwnerPubKeyHashResp::default();
+
+            // Copy the pub key hash from the last cold boot from the data vault
+            resp.key_hash
+                .copy_from_slice(drivers.data_vault.owner_pk_hash().as_bytes());
+
+            Ok(MailboxResp::GetOwnerPubKeyHash(resp))
+        } else {
+            Err(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)
+        }
+    }
+}

runtime/src/lib.rs

@@ -23,6 +23,7 @@ mod dpe_platform;
 mod drivers;
 pub mod fips;
 mod get_idev_csr;
+mod get_owner_pub_key_hash;
 pub mod handoff;
 mod hmac;
 pub mod info;
@@ -41,6 +42,7 @@ use authorize_and_stash::AuthorizeAndStashCmd;
 use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_assert_ne, cfi_launder, CfiCounter};
 use caliptra_registers::soc_ifc::SocIfcReg;
 pub use drivers::{Drivers, PauserPrivileges};
+use get_owner_pub_key_hash::GetOwnerPubKeyHashCmd;
 use mailbox::Mailbox;
 
 use crate::capabilities::CapabilitiesCmd;
@@ -229,6 +231,7 @@ fn handle_command(drivers: &mut Drivers) -> CaliptraResult<MboxStatusE> {
         CommandId::SET_AUTH_MANIFEST => SetAuthManifestCmd::execute(drivers, cmd_bytes),
         CommandId::AUTHORIZE_AND_STASH => AuthorizeAndStashCmd::execute(drivers, cmd_bytes),
         CommandId::GET_IDEV_CSR => GetIdevCsrCmd::execute(drivers, cmd_bytes),
+        CommandId::GET_OWNER_PUB_KEY_HASH => GetOwnerPubKeyHashCmd::execute(drivers, cmd_bytes),
         _ => Err(CaliptraError::RUNTIME_UNIMPLEMENTED_COMMAND),
     }?;
 

runtime/tests/runtime_integration_tests/main.rs

@@ -9,6 +9,7 @@ mod test_disable;
 mod test_ecdsa;
 mod test_fips;
 mod test_get_idev_csr;
+mod test_get_owner_pub_key_hash;
 mod test_info;
 mod test_invoke_dpe;
 mod test_lms;

runtime/tests/runtime_integration_tests/test_get_owner_pub_key_hash.rs

@@ -0,0 +1,45 @@
+// Licensed under the Apache-2.0 license
+
+use caliptra_api::{mailbox::GetOwnerPubKeyHashResp, SocManager};
+use caliptra_builder::{get_ci_rom_version, CiRomVersion};
+use caliptra_common::mailbox_api::{CommandId, GetIdevCsrResp, MailboxReqHeader};
+use caliptra_drivers::{IdevIdCsr, MfgFlags};
+use caliptra_error::CaliptraError;
+use caliptra_hw_model::{HwModel, ModelError};
+use caliptra_runtime::RtBootStatus;
+use openssl::x509::X509Req;
+use zerocopy::{AsBytes, FromBytes};
+
+use crate::{
+    common::{run_rt_test, RuntimeTestArgs},
+    test_get_owner_pub_key_hash,
+};
+
+#[test]
+fn test_get_owner_pub_key_hash() {
+    let mut model = run_rt_test(RuntimeTestArgs::default());
+
+    let payload = MailboxReqHeader {
+        chksum: caliptra_common::checksum::calc_checksum(
+            u32::from(CommandId::GET_OWNER_PUB_KEY_HASH),
+            &[],
+        ),
+    };
+
+    let result =
+        model.mailbox_execute(CommandId::GET_OWNER_PUB_KEY_HASH.into(), payload.as_bytes());
+
+    let response = result.unwrap().unwrap();
+
+    let get_owner_pub_key_hash_resp =
+        GetOwnerPubKeyHashResp::read_from(response.as_bytes()).unwrap();
+
+    // Check against our fake owner public key hash
+    let mut exp_pub_key_hash =
+        openssl::sha::sha384(caliptra_image_fake_keys::OWNER_PUBLIC_KEYS.as_bytes());
+    // FLip endianness by each dword for the hash
+    for dword in exp_pub_key_hash.chunks_exact_mut(4) {
+        dword.reverse();
+    }
+    assert_eq!(exp_pub_key_hash, get_owner_pub_key_hash_resp.key_hash);
+}