From 1e238e5e87adbf32345dc3c853eed3f5aca0ccf9 Mon Sep 17 00:00:00 2001 From: Jeff Andersen Date: Tue, 26 Nov 2024 15:01:37 -0800 Subject: [PATCH] Populate LDevID CDI in the fake ROM boot flow. ROM will use the LDevID CDI to compute the firmware's hash chain. --- rom/dev/src/flow/fake.rs | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/rom/dev/src/flow/fake.rs b/rom/dev/src/flow/fake.rs index 091650c013..6ca822fd9d 100644 --- a/rom/dev/src/flow/fake.rs +++ b/rom/dev/src/flow/fake.rs @@ -26,6 +26,7 @@ use crate::print::HexBytes; use crate::rom_env::RomEnv; use caliptra_common::RomBootStatus::*; use caliptra_common::{ + keyids::KEY_ID_ROM_FMC_CDI, memory_layout::{FMCALIAS_TBS_ORG, FMCALIAS_TBS_SIZE, LDEVID_TBS_ORG, LDEVID_TBS_SIZE}, FirmwareHandoffTable, }; @@ -154,6 +155,8 @@ impl FakeRomFlow { // SKIP Execute IDEVID layer // LDEVID cert copy_canned_ldev_cert(env)?; + // LDEVID cdi + initialize_fake_ldevid_cdi(env)?; // Unlock the SHA Acc by creating a SHA Acc operation and dropping it. // In real ROM, this is done as part of executing the SHA-ACC KAT. @@ -187,6 +190,17 @@ impl FakeRomFlow { } } +// Used to derive the firmware's hash chain. +fn initialize_fake_ldevid_cdi(env: &mut RomEnv) -> CaliptraResult<()> { + env.hmac.hmac( + &HmacKey::Array4x12(&Array4x12::default()), + &HmacData::Slice(b""), + &mut env.trng, + KeyWriteArgs::new(KEY_ID_ROM_FMC_CDI, KeyUsage::default().set_hmac_key_en()).into(), + HmacMode::Hmac384, + ) +} + pub fn copy_canned_ldev_cert(env: &mut RomEnv) -> CaliptraResult<()> { // Store signature env.data_vault.set_ldev_dice_signature(&FAKE_LDEV_SIG);