Deprecate FMC SVN from build tooling and firmware.

There are no functional changes in this commit.

- The reported FMC SVN is now accurately renamed to be the cold-boot firmware SVN.
- As the ROM now ignores the FMC SVN in images, build tooling longer allows populating the FMC image's SVN.

api/src/mailbox.rs

@@ -776,9 +776,9 @@ impl Response for FipsVersionResp {}
 pub struct FwInfoResp {
     pub hdr: MailboxRespHeader,
     pub pl0_pauser: u32,
-    pub runtime_svn: u32,
-    pub min_runtime_svn: u32,
-    pub fmc_manifest_svn: u32,
+    pub fw_svn: u32,
+    pub min_fw_svn: u32,
+    pub cold_boot_fw_svn: u32,
     pub attestation_disabled: u32,
     pub rom_revision: [u8; 20],
     pub fmc_revision: [u8; 20],

api/src/soc_mgr.rs

@@ -139,10 +139,8 @@ pub trait SocManager {
         self.soc_ifc()
             .cptra_owner_pk_hash()
             .write(&fuses.owner_pk_hash);
-        self.soc_ifc()
-            .fuse_fmc_key_manifest_svn()
-            .write(|_| fuses.fmc_key_manifest_svn);
-        self.soc_ifc().fuse_runtime_svn().write(&fuses.runtime_svn);
+        self.soc_ifc().fuse_fmc_key_manifest_svn().write(|_| 0); // deprecated fuse.
+        self.soc_ifc().fuse_runtime_svn().write(&fuses.fw_svn);
         self.soc_ifc()
             .fuse_anti_rollback_disable()
             .write(|w| w.dis(fuses.anti_rollback_disable));

api/types/src/lib.rs

@@ -159,8 +159,7 @@ pub struct Fuses {
     pub key_manifest_pk_hash: [u32; 12],
     pub key_manifest_pk_hash_mask: U4,
     pub owner_pk_hash: [u32; 12],
-    pub fmc_key_manifest_svn: u32,
-    pub runtime_svn: [u32; 4],
+    pub fw_svn: [u32; 4],
     pub anti_rollback_disable: bool,
     pub idevid_cert_attr: [u32; 24],
     pub idevid_manuf_hsm_id: [u32; 4],
@@ -177,8 +176,7 @@ impl Default for Fuses {
             key_manifest_pk_hash: Default::default(),
             key_manifest_pk_hash_mask: Default::default(),
             owner_pk_hash: Default::default(),
-            fmc_key_manifest_svn: Default::default(),
-            runtime_svn: Default::default(),
+            fw_svn: Default::default(),
             anti_rollback_disable: Default::default(),
             idevid_cert_attr: Default::default(),
             idevid_manuf_hsm_id: Default::default(),

builder/src/lib.rs

@@ -455,9 +455,8 @@ pub fn elf_size(elf_bytes: &[u8]) -> io::Result<u64> {
 #[derive(Clone)]
 pub struct ImageOptions {
     pub fmc_version: u16,
-    pub fmc_svn: u32,
     pub app_version: u32,
-    pub app_svn: u32,
+    pub fw_svn: u32,
     pub vendor_config: ImageGeneratorVendorConfig,
     pub owner_config: Option<ImageGeneratorOwnerConfig>,
     pub pqc_key_type: FwVerificationPqcKeyType,
@@ -466,9 +465,8 @@ impl Default for ImageOptions {
     fn default() -> Self {
         Self {
             fmc_version: Default::default(),
-            fmc_svn: Default::default(),
             app_version: Default::default(),
-            app_svn: Default::default(),
+            fw_svn: Default::default(),
             vendor_config: caliptra_image_fake_keys::VENDOR_CONFIG_KEY_0,
             owner_config: Some(caliptra_image_fake_keys::OWNER_CONFIG),
             pqc_key_type: FwVerificationPqcKeyType::LMS,
@@ -485,13 +483,9 @@ pub fn build_and_sign_image(
     let app_elf = build_firmware_elf(app)?;
     let gen = ImageGenerator::new(Crypto::default());
     let image = gen.generate(&ImageGeneratorConfig {
-        fmc: ElfExecutable::new(
-            &fmc_elf,
-            opts.fmc_version as u32,
-            opts.fmc_svn,
-            image_revision()?,
-        )?,
-        runtime: ElfExecutable::new(&app_elf, opts.app_version, opts.app_svn, image_revision()?)?,
+        fmc: ElfExecutable::new(&fmc_elf, opts.fmc_version as u32, image_revision()?)?,
+        runtime: ElfExecutable::new(&app_elf, opts.app_version, image_revision()?)?,
+        fw_svn: opts.fw_svn,
         vendor_config: opts.vendor_config,
         owner_config: opts.owner_config,
         pqc_key_type: opts.pqc_key_type,

common/src/verifier.rs

@@ -172,9 +172,9 @@ impl<'a, 'b> ImageVerificationEnv for &mut FirmwareImageVerificationEnv<'a, 'b>
         self.data_vault.fmc_tci().into()
     }
 
-    // Get Runtime fuse SVN
-    fn runtime_fuse_svn(&self) -> u32 {
-        self.soc_ifc.fuse_bank().runtime_fuse_svn()
+    // Get firmware fuse SVN
+    fn fw_fuse_svn(&self) -> u32 {
+        self.soc_ifc.fuse_bank().fw_fuse_svn()
     }
 
     fn iccm_range(&self) -> Range<u32> {

drivers/src/data_vault.rs

@@ -29,7 +29,7 @@ pub struct ColdResetEntries {
     fmc_mldsa_pk: Mldsa87PubKey,
     fmc_tci: Array4x12,
     owner_pk_hash: Array4x12,
-    fmc_svn: u32,
+    cold_boot_fw_svn: u32,
     rom_cold_boot_status: u32,
     fmc_entry_point: u32,
     vendor_ecc_pk_index: u32,
@@ -43,7 +43,7 @@ pub struct WarmResetEntries {
     rt_svn: u32,
     rt_entry_point: u32,
     manifest_addr: u32,
-    rt_min_svn: u32,
+    fw_min_svn: u32,
     rom_update_reset_status: u32,
 }
 
@@ -168,22 +168,22 @@ impl DataVault {
         self.cold_reset_entries.owner_pk_hash
     }
 
-    /// Set the fmc security version number.
+    /// Set the cold-boot firmware security version number.
     ///
     /// # Arguments
-    /// * `svn` - fmc security version number
+    /// * `svn` - firmware security version number
     ///
-    pub fn set_fmc_svn(&mut self, svn: u32) {
-        self.cold_reset_entries.fmc_svn = svn;
+    pub fn set_cold_boot_fw_svn(&mut self, svn: u32) {
+        self.cold_reset_entries.cold_boot_fw_svn = svn;
     }
 
-    /// Get the fmc security version number.
+    /// Get the cold-boot firmware security version number.
     ///
     /// # Returns
-    /// * fmc security version number
+    /// * cold-boot firmware security version number
     ///
-    pub fn fmc_svn(&self) -> u32 {
-        self.cold_reset_entries.fmc_svn
+    pub fn cold_boot_fw_svn(&self) -> u32 {
+        self.cold_reset_entries.cold_boot_fw_svn
     }
 
     /// Set the fmc entry point.
@@ -294,40 +294,40 @@ impl DataVault {
         self.warm_reset_entries.rt_tci
     }
 
-    /// Set the rt security version number.
+    /// Set the fw security version number.
     ///
     /// # Arguments
-    /// * `svn` - rt security version number
+    /// * `svn` - fw security version number
     ///
-    pub fn set_rt_svn(&mut self, svn: u32) {
-        self.warm_reset_entries.rt_svn = svn;
+    pub fn set_fw_svn(&mut self, svn: u32) {
+        self.warm_reset_entries.fw_svn = svn;
     }
 
-    /// Get the rt security version number.
+    /// Get the fw security version number.
     ///
     /// # Returns
-    /// * rt security version number
+    /// * fw security version number
     ///
-    pub fn rt_svn(&self) -> u32 {
-        self.warm_reset_entries.rt_svn
+    pub fn fw_svn(&self) -> u32 {
+        self.warm_reset_entries.fw_svn
     }
 
-    /// Set the rt minimum security version number.
+    /// Set the fw minimum security version number.
     ///
     /// # Arguments
-    /// * `svn` - rt minimum security version number
+    /// * `svn` - fw minimum security version number
     ///
-    pub fn set_rt_min_svn(&mut self, svn: u32) {
-        self.warm_reset_entries.rt_min_svn = svn;
+    pub fn set_fw_min_svn(&mut self, svn: u32) {
+        self.warm_reset_entries.fw_min_svn = svn;
     }
 
-    /// Get the rt minimum security version number.
+    /// Get the fw minimum security version number.
     ///
     /// # Returns
-    /// * rt minimum security version number
+    /// * fw minimum security version number
     ///
-    pub fn rt_min_svn(&self) -> u32 {
-        self.warm_reset_entries.rt_min_svn
+    pub fn fw_min_svn(&self) -> u32 {
+        self.warm_reset_entries.fw_min_svn
     }
 
     /// Set the rt entry.

drivers/src/fuse_bank.rs

@@ -271,32 +271,17 @@ impl FuseBank<'_> {
         soc_ifc_regs.fuse_anti_rollback_disable().read().dis()
     }
 
-    /// Get the fmc fuse security version number.
+    /// Get the firmware fuse security version number.
     ///
     /// # Arguments
     /// * None
     ///
     /// # Returns
-    ///     fmc security version number
+    ///     firmware security version number
     ///
-    pub fn fmc_fuse_svn(&self) -> u32 {
-        let soc_ifc_regs = self.soc_ifc.regs();
-        32 - soc_ifc_regs
-            .fuse_fmc_key_manifest_svn()
-            .read()
-            .leading_zeros()
-    }
-
-    /// Get the runtime fuse security version number.
-    ///
-    /// # Arguments
-    /// * None
-    ///
-    /// # Returns
-    ///     runtime security version number
-    ///
-    pub fn runtime_fuse_svn(&self) -> u32 {
+    pub fn fw_fuse_svn(&self) -> u32 {
         let soc_ifc_regs = self.soc_ifc.regs();
+        // The legacy name of this register is `fuse_runtime_svn`
         first_set_msbit(&soc_ifc_regs.fuse_runtime_svn().read())
     }
 

drivers/src/fuse_log.rs

@@ -21,13 +21,13 @@ pub enum FuseLogEntryId {
     Invalid = 0,
     VendorEccPubKeyIndex = 1,      // 4 bytes  (From Manifest)
     VendorEccPubKeyRevocation = 2, // 4 bytes  (From Fuse)
-    ManifestFmcSvn = 3,            // 4 bytes
+    ColdBootFwSvn = 3,             // 4 bytes
     ManifestReserved0 = 4,         // 4 bytes
     #[deprecated]
     _DeprecatedFuseFmcSvn = 5, // 4 bytes
-    ManifestRtSvn = 6,             // 4 bytes
+    ManifestFwSvn = 6,             // 4 bytes
     ManifestReserved1 = 7,         // 4 bytes
-    FuseRtSvn = 8,                 // 4 bytes
+    FuseFwSvn = 8,                 // 4 bytes
     VendorPqcPubKeyIndex = 9,      // 4 bytes  (From Manifest)
     VendorPqcPubKeyRevocation = 10, // 4 bytes  (From Fuse)
 }
@@ -38,12 +38,12 @@ impl From<u32> for FuseLogEntryId {
         match id {
             1 => FuseLogEntryId::VendorEccPubKeyIndex,
             2 => FuseLogEntryId::VendorEccPubKeyRevocation,
-            3 => FuseLogEntryId::ManifestFmcSvn,
+            3 => FuseLogEntryId::ColdBootFwSvn,
             4 => FuseLogEntryId::ManifestReserved0,
             5 => FuseLogEntryId::_DeprecatedFuseFmcSvn,
-            6 => FuseLogEntryId::ManifestRtSvn,
+            6 => FuseLogEntryId::ManifestFwSvn,
             7 => FuseLogEntryId::ManifestReserved1,
-            8 => FuseLogEntryId::FuseRtSvn,
+            8 => FuseLogEntryId::FuseFwSvn,
             9 => FuseLogEntryId::VendorPqcPubKeyIndex,
             10 => FuseLogEntryId::VendorPqcPubKeyRevocation,
             _ => FuseLogEntryId::Invalid,

drivers/src/hand_off.rs

@@ -200,11 +200,11 @@ pub struct FirmwareHandoffTable {
     /// RtAlias TBS Size.
     pub rtalias_tbs_size: u16,
 
-    /// Maximum value RT FW SVN can take.
-    pub rt_hash_chain_max_svn: u16,
+    /// Maximum value FW SVN can take.
+    pub fw_hash_chain_max_svn: u16,
 
-    /// Index of RT hash chain value in the Key Vault.
-    pub rt_hash_chain_kv_hdl: HandOffDataHandle,
+    /// Index of FW hash chain value in the Key Vault.
+    pub fw_hash_chain_kv_hdl: HandOffDataHandle,
 
     /// Reserved for future use.
     pub reserved: [u8; FHT_RESERVED_SIZE],
@@ -237,8 +237,8 @@ impl Default for FirmwareHandoffTable {
             idev_dice_mldsa_pub_key_load_addr: 0,
             rom_info_addr: RomAddr::new(FHT_INVALID_ADDRESS),
             rtalias_tbs_size: 0,
-            rt_hash_chain_max_svn: 0,
-            rt_hash_chain_kv_hdl: HandOffDataHandle(0),
+            fw_hash_chain_max_svn: 0,
+            fw_hash_chain_kv_hdl: HandOffDataHandle(0),
             reserved: [0u8; FHT_RESERVED_SIZE],
         }
     }

error/src/lib.rs

@@ -229,10 +229,10 @@ impl CaliptraError {
         CaliptraError::new_const(0x000b002a);
     pub const IMAGE_VERIFIER_ERR_RUNTIME_ENTRY_POINT_UNALIGNED: CaliptraError =
         CaliptraError::new_const(0x000b002b);
-    pub const IMAGE_VERIFIER_ERR_RUNTIME_SVN_GREATER_THAN_MAX_SUPPORTED: CaliptraError =
+    pub const IMAGE_VERIFIER_ERR_FIRMWARE_SVN_GREATER_THAN_MAX_SUPPORTED: CaliptraError =
         CaliptraError::new_const(0x000b002c);
-    // 0x000b002d was IMAGE_VERIFIER_ERR_RUNTIME_SVN_LESS_THAN_MIN_SUPPORTED
-    pub const IMAGE_VERIFIER_ERR_RUNTIME_SVN_LESS_THAN_FUSE: CaliptraError =
+    // 0x000b002d was IMAGE_VERIFIER_ERR_FIRMWARE_SVN_LESS_THAN_MIN_SUPPORTED
+    pub const IMAGE_VERIFIER_ERR_FIRMWARE_SVN_LESS_THAN_FUSE: CaliptraError =
         CaliptraError::new_const(0x000b002e);
     pub const IMAGE_VERIFIER_ERR_IMAGE_LEN_MORE_THAN_BUNDLE_SIZE: CaliptraError =
         CaliptraError::new_const(0x000b002f);
@@ -434,10 +434,11 @@ impl CaliptraError {
         CaliptraError::new_const(0x000E002A);
     pub const RUNTIME_CMD_BUSY_DURING_WARM_RESET: CaliptraError =
         CaliptraError::new_const(0x000E002B);
-    pub const RUNTIME_RT_SVN_HANDOFF_FAILED: CaliptraError = CaliptraError::new_const(0x000E002C);
-    pub const RUNTIME_RT_MIN_SVN_HANDOFF_FAILED: CaliptraError =
+    pub const RUNTIME_FW_SVN_HANDOFF_FAILED: CaliptraError = CaliptraError::new_const(0x000E002C);
+    pub const RUNTIME_FW_MIN_SVN_HANDOFF_FAILED: CaliptraError =
         CaliptraError::new_const(0x000E002D);
-    pub const RUNTIME_FMC_SVN_HANDOFF_FAILED: CaliptraError = CaliptraError::new_const(0x000E002E);
+    pub const RUNTIME_COLD_BOOT_FW_SVN_HANDOFF_FAILED: CaliptraError =
+        CaliptraError::new_const(0x000E002E);
     pub const RUNTIME_CONTEXT_HAS_TAG_VALIDATION_FAILED: CaliptraError =
         CaliptraError::new_const(0x000E002F);
     pub const RUNTIME_LDEV_ID_CERT_TOO_BIG: CaliptraError = CaliptraError::new_const(0x000E0030);

fmc/Makefile

@@ -73,12 +73,11 @@ build-fw-image: gen-certs build-emu build-test-rt
 		--pqc-pk-idx 3 \
 		--fmc $(TARGET_DIR)/caliptra-fmc \
 		--fmc-version 0 \
-		--fmc-svn 0 \
 		--fmc-rev $(GIT_REV) \
 		--rt $(TARGET_DIR)/caliptra-runtime \
 		--rt-version 0 \
-		--rt-svn 0 \
 		--rt-rev $(GIT_REV) \
+		--fw-svn 0 \
 		--out $(TARGET_DIR)/caliptra-rom-test-fw \
 
 bloat: build

fmc/README.md

@@ -306,14 +306,14 @@ This field provides the size of the *To Be Signed* portion of the Runtime Alias
 
 This field provides the size of the *To Be Signed* portion of the Runtime Alias MLDSA certificate.
 
-### rt_hash_chain_max_svn
+### fw_hash_chain_max_svn
 
-This field informs firmware of the maximum RT SVN, which value was used
-to determine the length of RT FW's hash chain.
+This field informs firmware of the maximum FW SVN, which value was used
+to determine the length of FW's hash chain.
 
-### rt_hash_chain_kv_hdl
+### fw_hash_chain_kv_hdl
 
-This field provides the Handle into the Key Vault where RT's hash chain is stored.
+This field provides the Handle into the Key Vault where FW's hash chain is stored.
 
 ### reserved
 
@@ -380,7 +380,7 @@ The following list of steps are to be performed by FMC on each boot when ROM jum
 | 🔒Alias FMC Cert Signature S     |
 | 🔒Alias FMC Cert MLDSA Signature |
 | 🔒FMC Digest                     |
-| 🔒FMC SVN                        |
+| 🔒FW SVN                         |
 | 🔒Owner PK Hash                  |
 | 🔒Manufacturer Public Key Index  |
 
@@ -482,7 +482,7 @@ sequenceDiagram
 | 🔒Alias FMC Cert ECDSA Signature S |
 | 🔒Alias FMC Cert MLDSA Signature   |
 | 🔒FMC Digest                       |
-| 🔒FMC SVN                          |
+| 🔒FW SVN                           |
 | 🔒Owner PK Hash                    |
 | 🔒Manufacturer Public Key Index    |
 

fmc/src/flow/rt_alias.rs

@@ -281,7 +281,7 @@ impl RtAliasLayer {
         let serial_number = &X509::cert_sn(env, pub_key)?;
 
         let rt_tci: [u8; 48] = HandOff::rt_tci(env).into();
-        let rt_svn = HandOff::rt_svn(env) as u8;
+        let fw_svn = HandOff::fw_svn(env) as u8;
 
         // Certificate `To Be Signed` Parameters
         let params = RtAliasCertTbsParams {
@@ -295,7 +295,7 @@ impl RtAliasLayer {
             public_key: &pub_key.to_der(),
             not_before,
             not_after,
-            tcb_info_rt_svn: &rt_svn.to_be_bytes(),
+            tcb_info_fw_svn: &fw_svn.to_be_bytes(),
             tcb_info_rt_tci: &rt_tci,
             // Are there any fields missing?
         };