[dice] Move dice key related seeds to a separate library

Both X509 and CWT DICE implementations need these definitions. Move it out from the original source file for code reuse. Signed-off-by: Tommy Chiu <[email protected]>
lowRISC · Nov 6, 2024 · 02addf8 · 02addf8
1 parent 738f662
commit 02addf8
Show file tree

Hide file tree

Showing 5 changed files with 103 additions and 137 deletions.
diff --git a/sw/device/silicon_creator/lib/cert/BUILD b/sw/device/silicon_creator/lib/cert/BUILD
@@ -101,9 +101,9 @@ cc_library(
         "//sw/device/silicon_creator/lib/base:util",
         "//sw/device/silicon_creator/lib/cert:cdi_0_template_library",
         "//sw/device/silicon_creator/lib/cert:cdi_1_template_library",
+        "//sw/device/silicon_creator/lib/cert:dice_keys",
         "//sw/device/silicon_creator/lib/cert:uds_template_library",
         "//sw/device/silicon_creator/lib/drivers:hmac",
-        "//sw/device/silicon_creator/lib/drivers:keymgr",
         "//sw/device/silicon_creator/lib/drivers:lifecycle",
         "//sw/device/silicon_creator/lib/sigverify:ecdsa_p256_key",
         "//sw/device/silicon_creator/manuf/lib:flash_info_fields",
@@ -130,6 +130,17 @@ cc_library(
         "//hw/ip/otp_ctrl/data:otp_ctrl_c_regs",
         "//sw/device/lib/base:status",
         "//sw/device/silicon_creator/lib:attestation",
+        "//sw/device/silicon_creator/lib/cert:dice_keys",
+        "//sw/device/silicon_creator/manuf/lib:flash_info_fields",
+    ],
+)
+
+cc_library(
+    name = "dice_keys",
+    srcs = ["dice_keys.c"],
+    hdrs = ["dice_keys.h"],
+    deps = [
+        "//sw/device/silicon_creator/lib/drivers:keymgr",
         "//sw/device/silicon_creator/manuf/lib:flash_info_fields",
     ],
 )

diff --git a/sw/device/silicon_creator/lib/cert/dice.c b/sw/device/silicon_creator/lib/cert/dice.c
@@ -12,9 +12,9 @@
 #include "sw/device/silicon_creator/lib/cert/cdi_0.h"  // Generated.
 #include "sw/device/silicon_creator/lib/cert/cdi_1.h"  // Generated.
 #include "sw/device/silicon_creator/lib/cert/cert.h"
+#include "sw/device/silicon_creator/lib/cert/dice_keys.h"
 #include "sw/device/silicon_creator/lib/cert/uds.h"  // Generated.
 #include "sw/device/silicon_creator/lib/drivers/hmac.h"
-#include "sw/device/silicon_creator/lib/drivers/keymgr.h"
 #include "sw/device/silicon_creator/lib/drivers/lifecycle.h"
 #include "sw/device/silicon_creator/lib/error.h"
 #include "sw/device/silicon_creator/lib/otbn_boot_services.h"
@@ -48,73 +48,6 @@ static bool is_debug_exposed(void) {
   return true;
 }
 
-// UDS (Creator) attestation key diverisfier constants.
-// Note: versions are always set to 0 so these keys are always valid from the
-// perspective of the keymgr hardware.
-const sc_keymgr_diversification_t kUdsKeymgrDiversifier = {
-    .salt =
-        {
-            0xabffa6a9,
-            0xc781f1ad,
-            0x4c1107ad,
-            0xf9210d85,
-            0x0931f555,
-            0x6c5aef5d,
-            0xb9ba4df0,
-            0x77b248d2,
-        },
-    .version = 0,
-};
-// CDI_0 (OwnerIntermediate) attestation key diverisfier constants.
-const sc_keymgr_diversification_t kCdi0KeymgrDiversifier = {
-    .salt =
-        {
-            0x3e5913c7,
-            0x41156f1d,
-            0x998ddb9f,
-            0xfa334191,
-            0x8a85380e,
-            0xba76ca1a,
-            0xdb17c4a7,
-            0xfb8852dc,
-        },
-    .version = 0,
-};
-// CDI_1 (Owner) attestation key diverisfier constants.
-const sc_keymgr_diversification_t kCdi1KeymgrDiversifier = {
-    .salt =
-        {
-            0x2d12c2e3,
-            0x6acc6876,
-            0x4bfb07ee,
-            0xc45fc414,
-            0x5d4fa9de,
-            0xf295b128,
-            0x50f49882,
-            0xbbdefa29,
-        },
-    .version = 0,
-};
-
-const sc_keymgr_ecc_key_t kDiceKeyUds = {
-    .type = kScKeymgrKeyTypeAttestation,
-    .keygen_seed_idx = kFlashInfoFieldUdsKeySeedIdx,
-    .keymgr_diversifier = &kUdsKeymgrDiversifier,
-    .required_keymgr_state = kScKeymgrStateCreatorRootKey,
-};
-const sc_keymgr_ecc_key_t kDiceKeyCdi0 = {
-    .type = kScKeymgrKeyTypeAttestation,
-    .keygen_seed_idx = kFlashInfoFieldCdi0KeySeedIdx,
-    .keymgr_diversifier = &kCdi0KeymgrDiversifier,
-    .required_keymgr_state = kScKeymgrStateOwnerIntermediateKey,
-};
-const sc_keymgr_ecc_key_t kDiceKeyCdi1 = {
-    .type = kScKeymgrKeyTypeAttestation,
-    .keygen_seed_idx = kFlashInfoFieldCdi1KeySeedIdx,
-    .keymgr_diversifier = &kCdi1KeymgrDiversifier,
-    .required_keymgr_state = kScKeymgrStateOwnerKey,
-};
-
 rom_error_t dice_uds_tbs_cert_build(
     hmac_digest_t *otp_creator_sw_cfg_measurement,
     hmac_digest_t *otp_owner_sw_cfg_measurement,

diff --git a/sw/device/silicon_creator/lib/cert/dice_cwt.c b/sw/device/silicon_creator/lib/cert/dice_cwt.c
@@ -8,8 +8,8 @@
 #include "sw/device/silicon_creator/lib/cert/cbor.h"
 #include "sw/device/silicon_creator/lib/cert/cert.h"
 #include "sw/device/silicon_creator/lib/cert/dice.h"
+#include "sw/device/silicon_creator/lib/cert/dice_keys.h"
 #include "sw/device/silicon_creator/lib/drivers/hmac.h"
-#include "sw/device/silicon_creator/lib/drivers/keymgr.h"
 #include "sw/device/silicon_creator/lib/drivers/otp.h"
 #include "sw/device/silicon_creator/lib/error.h"
 #include "sw/device/silicon_creator/lib/sigverify/ecdsa_p256_key.h"
@@ -29,73 +29,6 @@ const int64_t kCoseKeyAlgEcdsa256 = -7;
 const int64_t kCoseEc2CrvP256 = 1;
 const int64_t kCoseKeyKtyEc2 = 2;
 
-// UDS (Creator) attestation key diverisfier constants.
-// Note: versions are always set to 0 so these keys are always valid from the
-// perspective of the keymgr hardware.
-const sc_keymgr_diversification_t kUdsKeymgrDiversifier = {
-    .salt =
-        {
-            0xabffa6a9,
-            0xc781f1ad,
-            0x4c1107ad,
-            0xf9210d85,
-            0x0931f555,
-            0x6c5aef5d,
-            0xb9ba4df0,
-            0x77b248d2,
-        },
-    .version = 0,
-};
-// CDI_0 (OwnerIntermediate) attestation key diverisfier constants.
-const sc_keymgr_diversification_t kCdi0KeymgrDiversifier = {
-    .salt =
-        {
-            0x3e5913c7,
-            0x41156f1d,
-            0x998ddb9f,
-            0xfa334191,
-            0x8a85380e,
-            0xba76ca1a,
-            0xdb17c4a7,
-            0xfb8852dc,
-        },
-    .version = 0,
-};
-// CDI_1 (Owner) attestation key diverisfier constants.
-const sc_keymgr_diversification_t kCdi1KeymgrDiversifier = {
-    .salt =
-        {
-            0x2d12c2e3,
-            0x6acc6876,
-            0x4bfb07ee,
-            0xc45fc414,
-            0x5d4fa9de,
-            0xf295b128,
-            0x50f49882,
-            0xbbdefa29,
-        },
-    .version = 0,
-};
-
-const sc_keymgr_ecc_key_t kDiceKeyUds = {
-    .type = kScKeymgrKeyTypeAttestation,
-    .keygen_seed_idx = kFlashInfoFieldUdsKeySeedIdx,
-    .keymgr_diversifier = &kUdsKeymgrDiversifier,
-    .required_keymgr_state = kScKeymgrStateCreatorRootKey,
-};
-const sc_keymgr_ecc_key_t kDiceKeyCdi0 = {
-    .type = kScKeymgrKeyTypeAttestation,
-    .keygen_seed_idx = kFlashInfoFieldCdi0KeySeedIdx,
-    .keymgr_diversifier = &kCdi0KeymgrDiversifier,
-    .required_keymgr_state = kScKeymgrStateOwnerIntermediateKey,
-};
-const sc_keymgr_ecc_key_t kDiceKeyCdi1 = {
-    .type = kScKeymgrKeyTypeAttestation,
-    .keygen_seed_idx = kFlashInfoFieldCdi1KeySeedIdx,
-    .keymgr_diversifier = &kCdi1KeymgrDiversifier,
-    .required_keymgr_state = kScKeymgrStateOwnerKey,
-};
-
 // PubKeyECDSA256 = {               ; COSE_Key [RFC9052 s7]
 //     1 : 2,                       ; Key type : EC2
 //     3 : AlgorithmES256,          ; Algorithm : ECDSA w/ SHA-256

diff --git a/sw/device/silicon_creator/lib/cert/dice_keys.c b/sw/device/silicon_creator/lib/cert/dice_keys.c
@@ -0,0 +1,75 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include "sw/device/silicon_creator/lib/drivers/keymgr.h"
+#include "sw/device/silicon_creator/manuf/lib/flash_info_fields.h"
+
+// UDS (Creator) attestation key diverisfier constants.
+// Note: versions are always set to 0 so these keys are always valid from the
+// perspective of the keymgr hardware.
+const sc_keymgr_diversification_t kUdsKeymgrDiversifier = {
+    .salt =
+        {
+            0xabffa6a9,
+            0xc781f1ad,
+            0x4c1107ad,
+            0xf9210d85,
+            0x0931f555,
+            0x6c5aef5d,
+            0xb9ba4df0,
+            0x77b248d2,
+        },
+    .version = 0,
+};
+// CDI_0 (OwnerIntermediate) attestation key diverisfier constants.
+const sc_keymgr_diversification_t kCdi0KeymgrDiversifier = {
+    .salt =
+        {
+            0x3e5913c7,
+            0x41156f1d,
+            0x998ddb9f,
+            0xfa334191,
+            0x8a85380e,
+            0xba76ca1a,
+            0xdb17c4a7,
+            0xfb8852dc,
+        },
+    .version = 0,
+};
+// CDI_1 (Owner) attestation key diverisfier constants.
+const sc_keymgr_diversification_t kCdi1KeymgrDiversifier = {
+    .salt =
+        {
+            0x2d12c2e3,
+            0x6acc6876,
+            0x4bfb07ee,
+            0xc45fc414,
+            0x5d4fa9de,
+            0xf295b128,
+            0x50f49882,
+            0xbbdefa29,
+        },
+    .version = 0,
+};
+
+const sc_keymgr_ecc_key_t kDiceKeyUds = {
+    .type = kScKeymgrKeyTypeAttestation,
+    .keygen_seed_idx = kFlashInfoFieldUdsKeySeedIdx,
+    .keymgr_diversifier = &kUdsKeymgrDiversifier,
+    .required_keymgr_state = kScKeymgrStateCreatorRootKey,
+};
+
+const sc_keymgr_ecc_key_t kDiceKeyCdi0 = {
+    .type = kScKeymgrKeyTypeAttestation,
+    .keygen_seed_idx = kFlashInfoFieldCdi0KeySeedIdx,
+    .keymgr_diversifier = &kCdi0KeymgrDiversifier,
+    .required_keymgr_state = kScKeymgrStateOwnerIntermediateKey,
+};
+
+const sc_keymgr_ecc_key_t kDiceKeyCdi1 = {
+    .type = kScKeymgrKeyTypeAttestation,
+    .keygen_seed_idx = kFlashInfoFieldCdi1KeySeedIdx,
+    .keymgr_diversifier = &kCdi1KeymgrDiversifier,
+    .required_keymgr_state = kScKeymgrStateOwnerKey,
+};
diff --git a/sw/device/silicon_creator/lib/cert/dice_keys.h b/sw/device/silicon_creator/lib/cert/dice_keys.h
@@ -0,0 +1,14 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_CERT_DICE_KEYS_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_CERT_DICE_KEYS_H_
+
+#include "sw/device/silicon_creator/lib/drivers/keymgr.h"
+
+extern const sc_keymgr_ecc_key_t kDiceKeyUds;
+extern const sc_keymgr_ecc_key_t kDiceKeyCdi0;
+extern const sc_keymgr_ecc_key_t kDiceKeyCdi1;
+
+#endif  // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_CERT_DICE_KEYS_H_