Deprecate FMC SVN.

As part of this deprecation, the duties of tracking min-SVN have
been moved from FMC to ROM. This is a prelude to having ROM compute
the Stable Identity chain based on the firmware's singular SVN.

This does not alter the external API for Caliptra, with the sole
exception that what was previously reported as the FMC's SVN is
now the value of the FMC+RT FW SVN as it was during cold-boot.

api/src/mailbox.rs

@@ -769,9 +769,9 @@ impl Response for FipsVersionResp {}
 pub struct FwInfoResp {
     pub hdr: MailboxRespHeader,
     pub pl0_pauser: u32,
-    pub runtime_svn: u32,
-    pub min_runtime_svn: u32,
-    pub fmc_manifest_svn: u32,
+    pub fw_svn: u32,
+    pub min_fw_svn: u32,
+    pub deprecated_fmc_svn: u32,
     pub attestation_disabled: u32,
     pub rom_revision: [u8; 20],
     pub fmc_revision: [u8; 20],

api/types/src/lib.rs

@@ -159,8 +159,7 @@ pub struct Fuses {
     pub key_manifest_pk_hash: [u32; 12],
     pub key_manifest_pk_hash_mask: U4,
     pub owner_pk_hash: [u32; 12],
-    pub fmc_key_manifest_svn: u32,
-    pub runtime_svn: [u32; 4],
+    pub fw_svn: [u32; 4],
     pub anti_rollback_disable: bool,
     pub idevid_cert_attr: [u32; 24],
     pub idevid_manuf_hsm_id: [u32; 4],
@@ -177,8 +176,7 @@ impl Default for Fuses {
             key_manifest_pk_hash: Default::default(),
             key_manifest_pk_hash_mask: Default::default(),
             owner_pk_hash: Default::default(),
-            fmc_key_manifest_svn: Default::default(),
-            runtime_svn: Default::default(),
+            fw_svn: Default::default(),
             anti_rollback_disable: Default::default(),
             idevid_cert_attr: Default::default(),
             idevid_manuf_hsm_id: Default::default(),

builder/src/lib.rs

@@ -439,9 +439,7 @@ pub fn elf_size(elf_bytes: &[u8]) -> io::Result<u64> {
 #[derive(Clone)]
 pub struct ImageOptions {
     pub fmc_version: u16,
-    pub fmc_svn: u32,
     pub app_version: u32,
-    pub app_svn: u32,
     pub vendor_config: ImageGeneratorVendorConfig,
     pub owner_config: Option<ImageGeneratorOwnerConfig>,
     pub fw_image_type: FwImageType,
@@ -450,9 +448,7 @@ impl Default for ImageOptions {
     fn default() -> Self {
         Self {
             fmc_version: Default::default(),
-            fmc_svn: Default::default(),
             app_version: Default::default(),
-            app_svn: Default::default(),
             vendor_config: caliptra_image_fake_keys::VENDOR_CONFIG_KEY_0,
             owner_config: Some(caliptra_image_fake_keys::OWNER_CONFIG),
             fw_image_type: FwImageType::EccLms,
@@ -469,13 +465,8 @@ pub fn build_and_sign_image(
     let app_elf = build_firmware_elf(app)?;
     let gen = ImageGenerator::new(Crypto::default());
     let image = gen.generate(&ImageGeneratorConfig {
-        fmc: ElfExecutable::new(
-            &fmc_elf,
-            opts.fmc_version as u32,
-            opts.fmc_svn,
-            image_revision()?,
-        )?,
-        runtime: ElfExecutable::new(&app_elf, opts.app_version, opts.app_svn, image_revision()?)?,
+        fmc: ElfExecutable::new(&fmc_elf, opts.fmc_version as u32, image_revision()?)?,
+        runtime: ElfExecutable::new(&app_elf, opts.app_version, image_revision()?)?,
         vendor_config: opts.vendor_config,
         owner_config: opts.owner_config,
         fw_image_type: opts.fw_image_type,

common/src/verifier.rs

@@ -175,14 +175,9 @@ impl<'a, 'b> ImageVerificationEnv for &mut FirmwareImageVerificationEnv<'a, 'b>
         self.data_vault.fmc_tci().into()
     }
 
-    // Get Fuse FMC Key Manifest SVN
-    fn fmc_fuse_svn(&self) -> u32 {
-        self.soc_ifc.fuse_bank().fmc_fuse_svn()
-    }
-
-    // Get Runtime fuse SVN
-    fn runtime_fuse_svn(&self) -> u32 {
-        self.soc_ifc.fuse_bank().runtime_fuse_svn()
+    // Get firmware fuse SVN
+    fn fw_fuse_svn(&self) -> u32 {
+        self.soc_ifc.fuse_bank().fw_fuse_svn()
     }
 
     fn iccm_range(&self) -> Range<u32> {

drivers/src/data_vault.rs

@@ -69,7 +69,7 @@ impl From<ColdResetEntry48> for usize {
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum ColdResetEntry4 {
-    FmcSvn = 0,
+    DeprecatedFmcSvn = 0,
     RomColdBootStatus = 1,
     FmcEntryPoint = 2,
     EccVendorPubKeyIndex = 3,
@@ -80,7 +80,7 @@ impl TryFrom<u8> for ColdResetEntry4 {
     type Error = ();
     fn try_from(value: u8) -> Result<Self, Self::Error> {
         match value {
-            0 => Ok(Self::FmcSvn),
+            0 => Ok(Self::DeprecatedFmcSvn),
             2 => Ok(Self::FmcEntryPoint),
             3 => Ok(Self::EccVendorPubKeyIndex),
             4 => Ok(Self::LmsVendorPubKeyIndex),
@@ -132,10 +132,10 @@ impl From<WarmResetEntry48> for usize {
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum WarmResetEntry4 {
-    RtSvn = 0,
+    FwSvn = 0,
     RtEntryPoint = 1,
     ManifestAddr = 2,
-    RtMinSvn = 3,
+    FwMinSvn = 3,
     RomUpdateResetStatus = 4,
 }
 
@@ -161,10 +161,10 @@ impl TryFrom<u8> for WarmResetEntry4 {
     type Error = ();
     fn try_from(original: u8) -> Result<Self, Self::Error> {
         match original {
-            0 => Ok(Self::RtSvn),
+            0 => Ok(Self::FwSvn),
             1 => Ok(Self::RtEntryPoint),
             2 => Ok(Self::ManifestAddr),
-            3 => Ok(Self::RtMinSvn),
+            3 => Ok(Self::FwMinSvn),
             _ => Err(()),
         }
     }
@@ -298,15 +298,6 @@ impl DataVault {
         self.read_cold_reset_entry48(ColdResetEntry48::OwnerPubKeyHash)
     }
 
-    /// Get the fmc security version number.
-    ///
-    /// # Returns
-    /// * fmc security version number
-    ///
-    pub fn fmc_svn(&self) -> u32 {
-        self.read_cold_reset_entry4(ColdResetEntry4::FmcSvn)
-    }
-
     /// Get the fmc entry.
     ///
     /// # Returns
@@ -361,22 +352,22 @@ impl DataVault {
         self.read_warm_reset_entry48(WarmResetEntry48::RtTci)
     }
 
-    /// Get the rt security version number.
+    /// Get the fw security version number.
     ///
     /// # Returns
-    /// * rt security version number
+    /// * fw security version number
     ///
-    pub fn rt_svn(&self) -> u32 {
-        self.read_warm_reset_entry4(WarmResetEntry4::RtSvn)
+    pub fn fw_svn(&self) -> u32 {
+        self.read_warm_reset_entry4(WarmResetEntry4::FwSvn)
     }
 
-    /// Get the rt minimum security version number.
+    /// Get the fw minimum security version number.
     ///
     /// # Returns
-    /// * rt minimum security version number
+    /// * fw minimum security version number
     ///
-    pub fn rt_min_svn(&self) -> u32 {
-        self.read_warm_reset_entry4(WarmResetEntry4::RtMinSvn)
+    pub fn fw_min_svn(&self) -> u32 {
+        self.read_warm_reset_entry4(WarmResetEntry4::FwMinSvn)
     }
 
     /// Get the rt entry.

drivers/src/fuse_bank.rs

@@ -246,32 +246,17 @@ impl FuseBank<'_> {
         soc_ifc_regs.fuse_anti_rollback_disable().read().dis()
     }
 
-    /// Get the fmc fuse security version number.
+    /// Get the firmware fuse security version number.
     ///
     /// # Arguments
     /// * None
     ///
     /// # Returns
-    ///     fmc security version number
+    ///     firmware security version number
     ///
-    pub fn fmc_fuse_svn(&self) -> u32 {
-        let soc_ifc_regs = self.soc_ifc.regs();
-        32 - soc_ifc_regs
-            .fuse_fmc_key_manifest_svn()
-            .read()
-            .leading_zeros()
-    }
-
-    /// Get the runtime fuse security version number.
-    ///
-    /// # Arguments
-    /// * None
-    ///
-    /// # Returns
-    ///     runtime security version number
-    ///
-    pub fn runtime_fuse_svn(&self) -> u32 {
+    pub fn fw_fuse_svn(&self) -> u32 {
         let soc_ifc_regs = self.soc_ifc.regs();
+        // The legacy name of this register is `fuse_runtime_svn`
         first_set_msbit(&soc_ifc_regs.fuse_runtime_svn().read())
     }
 

drivers/src/fuse_log.rs

@@ -21,12 +21,12 @@ pub enum FuseLogEntryId {
     Invalid = 0,
     VendorEccPubKeyIndex = 1,       // 4 bytes  (From Manifest)
     VendorEccPubKeyRevocation = 2,  // 4 bytes  (From Fuse)
-    ManifestFmcSvn = 3,             // 4 bytes
+    DeprecatedManifestFmcSvn = 3,   // 4 bytes
     ManifestReserved0 = 4,          // 4 bytes
-    FuseFmcSvn = 5,                 // 4 bytes
-    ManifestRtSvn = 6,              // 4 bytes
+    DeprecatedFuseFmcSvn = 5,       // 4 bytes
+    ManifestFwSvn = 6,              // 4 bytes
     ManifestReserved1 = 7,          // 4 bytes
-    FuseRtSvn = 8,                  // 4 bytes
+    FuseFwSvn = 8,                  // 4 bytes
     VendorLmsPubKeyIndex = 9,       // 4 bytes  (From Manifest)
     VendorLmsPubKeyRevocation = 10, // 4 bytes  (From Fuse)
 }
@@ -36,12 +36,12 @@ impl From<u32> for FuseLogEntryId {
         match id {
             1 => FuseLogEntryId::VendorEccPubKeyIndex,
             2 => FuseLogEntryId::VendorEccPubKeyRevocation,
-            3 => FuseLogEntryId::ManifestFmcSvn,
+            3 => FuseLogEntryId::DeprecatedManifestFmcSvn,
             4 => FuseLogEntryId::ManifestReserved0,
-            5 => FuseLogEntryId::FuseFmcSvn,
-            6 => FuseLogEntryId::ManifestRtSvn,
+            5 => FuseLogEntryId::DeprecatedFuseFmcSvn,
+            6 => FuseLogEntryId::ManifestFwSvn,
             7 => FuseLogEntryId::ManifestReserved1,
-            8 => FuseLogEntryId::FuseRtSvn,
+            8 => FuseLogEntryId::FuseFwSvn,
             9 => FuseLogEntryId::VendorLmsPubKeyIndex,
             10 => FuseLogEntryId::VendorLmsPubKeyRevocation,
             _ => FuseLogEntryId::Invalid,

drivers/src/hand_off.rs

@@ -223,8 +223,8 @@ pub struct FirmwareHandoffTable {
     /// Index of FMC Certificate Signature S Component in the Data Vault.
     pub fmc_cert_sig_s_dv_hdl: HandOffDataHandle,
 
-    /// Index of FMC SVN value in the Data Vault
-    pub fmc_svn_dv_hdl: HandOffDataHandle,
+    /// Index of FMC SVN value in the Data Vault. Deprecated.
+    pub deprecated_fmc_svn_dv_hdl: HandOffDataHandle,
 
     /// Index of RT TCI value in the Data Vault.
     pub rt_tci_dv_hdl: HandOffDataHandle,
@@ -235,11 +235,11 @@ pub struct FirmwareHandoffTable {
     /// Index of RT Private Alias Key in the Key Vault.
     pub rt_priv_key_kv_hdl: HandOffDataHandle,
 
-    /// Index of RT SVN value in the Data Vault
-    pub rt_svn_dv_hdl: HandOffDataHandle,
+    /// Index of FW SVN value in the Data Vault
+    pub fw_svn_dv_hdl: HandOffDataHandle,
 
-    /// Index of RT Min SVN value in the Data Vault
-    pub rt_min_svn_dv_hdl: HandOffDataHandle,
+    /// Index of FW Min SVN value in the Data Vault
+    pub fw_min_svn_dv_hdl: HandOffDataHandle,
 
     /// LdevId TBS Address
     pub ldevid_tbs_addr: u32,
@@ -289,20 +289,14 @@ pub struct FirmwareHandoffTable {
     /// RtAlias TBS Size.
     pub rtalias_tbs_size: u16,
 
-    /// Maximum value RT FW SVN can take.
-    #[cfg(any(feature = "fmc", feature = "runtime"))]
-    pub rt_hash_chain_max_svn: u16,
+    /// Maximum value FW SVN can take.
+    pub fw_hash_chain_max_svn: u16,
 
     /// Index of RT hash chain value in the Key Vault.
-    #[cfg(any(feature = "fmc", feature = "runtime"))]
     pub rt_hash_chain_kv_hdl: HandOffDataHandle,
 
     /// Reserved for future use.
-    #[cfg(any(feature = "fmc", feature = "runtime"))]
     pub reserved: [u8; 1636],
-
-    #[cfg(not(any(feature = "fmc", feature = "runtime")))]
-    pub reserved: [u8; 1642],
 }
 
 impl Default for FirmwareHandoffTable {
@@ -321,12 +315,12 @@ impl Default for FirmwareHandoffTable {
             fmc_pub_key_y_dv_hdl: FHT_INVALID_HANDLE,
             fmc_cert_sig_r_dv_hdl: FHT_INVALID_HANDLE,
             fmc_cert_sig_s_dv_hdl: FHT_INVALID_HANDLE,
-            fmc_svn_dv_hdl: FHT_INVALID_HANDLE,
+            deprecated_fmc_svn_dv_hdl: FHT_INVALID_HANDLE,
             rt_tci_dv_hdl: FHT_INVALID_HANDLE,
             rt_cdi_kv_hdl: FHT_INVALID_HANDLE,
             rt_priv_key_kv_hdl: FHT_INVALID_HANDLE,
-            rt_svn_dv_hdl: FHT_INVALID_HANDLE,
-            rt_min_svn_dv_hdl: FHT_INVALID_HANDLE,
+            fw_svn_dv_hdl: FHT_INVALID_HANDLE,
+            fw_min_svn_dv_hdl: FHT_INVALID_HANDLE,
             ldevid_tbs_addr: 0,
             fmcalias_tbs_addr: 0,
             ldevid_tbs_size: 0,
@@ -343,16 +337,9 @@ impl Default for FirmwareHandoffTable {
             idev_dice_pub_key: Ecc384PubKey::default(),
             rom_info_addr: RomAddr::new(FHT_INVALID_ADDRESS),
             rtalias_tbs_size: 0,
-
-            #[cfg(any(feature = "fmc", feature = "runtime"))]
-            rt_hash_chain_max_svn: 0,
-            #[cfg(any(feature = "fmc", feature = "runtime"))]
+            fw_hash_chain_max_svn: 0,
             rt_hash_chain_kv_hdl: HandOffDataHandle(0),
-            #[cfg(any(feature = "fmc", feature = "runtime"))]
             reserved: [0u8; 1636],
-
-            #[cfg(not(any(feature = "fmc", feature = "runtime")))]
-            reserved: [0u8; 1642],
         }
     }
 }
@@ -395,15 +382,14 @@ pub fn print_fht(fht: &FirmwareHandoffTable) {
         "FMC Certificate Signature S DV Handle: 0x{:08x}",
         fht.fmc_cert_sig_s_dv_hdl.0
     );
-    crate::cprintln!("FMC SVN DV Handle: 0x{:08x}", fht.fmc_svn_dv_hdl.0);
     crate::cprintln!("RT TCI DV Handle: 0x{:08x}", fht.rt_tci_dv_hdl.0);
     crate::cprintln!("RT CDI KV Handle: 0x{:08x}", fht.rt_cdi_kv_hdl.0);
     crate::cprintln!(
         "RT Private Key KV Handle: 0x{:08x}",
         fht.rt_priv_key_kv_hdl.0
     );
-    crate::cprintln!("RT SVN DV Handle: 0x{:08x}", fht.rt_svn_dv_hdl.0);
-    crate::cprintln!("RT Min SVN DV Handle: 0x{:08x}", fht.rt_min_svn_dv_hdl.0);
+    crate::cprintln!("FW SVN DV Handle: 0x{:08x}", fht.fw_svn_dv_hdl.0);
+    crate::cprintln!("FW Min SVN DV Handle: 0x{:08x}", fht.fw_min_svn_dv_hdl.0);
 
     crate::cprintln!("LdevId TBS Address: 0x{:08x}", fht.ldevid_tbs_addr);
     crate::cprintln!("LdevId TBS Size: {} bytes", fht.ldevid_tbs_size);

error/README.md

@@ -88,16 +88,16 @@
 | Image Verifier | Verifier | FmcLoadAddrUnaligned |0x000B0022 |
 | Image Verifier | Verifier | FmcEntryPointInvalid |0x000B0023 |
 | Image Verifier | Verifier | FmcEntryPointUnaligned |0x000B0024 |
-| Image Verifier | Verifier | FmcSvnGreaterThanMaxSupported |0x000B0025 |
-| Image Verifier | Verifier | FmcSvnLessThanMinSupported |0x000B0026 |
-| Image Verifier | Verifier | FmcSvnLessThanFuse |0x000B0027 |
+| Image Verifier | Verifier | (Deprecated) FmcSvnGreaterThanMaxSupported |0x000B0025 |
+| Image Verifier | Verifier | (Deprecated) FmcSvnLessThanMinSupported |0x000B0026 |
+| Image Verifier | Verifier | (Deprecated) FmcSvnLessThanFuse |0x000B0027 |
 | Image Verifier | Verifier | RuntimeLoadAddrInvalid |0x000B0028 |
 | Image Verifier | Verifier | RuntimeLoadAddrUnaligned |0x000B0029 |
 | Image Verifier | Verifier | RuntimeEntryPointInvalid |0x000B002A |
 | Image Verifier | Verifier | RuntimeEntryPointUnaligned |0x000B002B |
-| Image Verifier | Verifier | RuntimeSvnGreaterThanMaxSupported |0x000B002C |
-| Image Verifier | Verifier | RuntimeSvnLessThanMinSupported |0x000B002D |
-| Image Verifier | Verifier | RuntimeSvnLessThanFuse |0x000B002E |
+| Image Verifier | Verifier | FirmwareSvnGreaterThanMaxSupported |0x000B002C |
+| Image Verifier | Verifier | (Deprecated) FirmwareSvnLessThanMinSupported |0x000B002D |
+| Image Verifier | Verifier | FirmwareSvnLessThanFuse |0x000B002E |
 | Driver | LMS | InvalidLmsAlgorithmType |0x000C0001 |
 | Driver | LMS | InvalidLmotsAlgorithmType |0x000C0002 |
 | Driver | LMS | InvalidWinternitzParameter |0x000C0003 |