[dice,cwt] Endorse and store all 4 DICE CWT/X509 certificates

In this implementation,
- Add one more object type "kPersoObjectTypeCwtCert" to reflects the CWT
  implementation
- Update "struct personalize_extension_pre_endorse{}" to pass more OTP
  measurments to the perso_ext for uds_build_tbs()
- Update the personalize_endorse_certificates() logic, to parse the
  payload based on DICE chain type

Bug: 356532759
Test: //sw/device/silicon_creator/manuf/base:ft_provision_cw340
Signed-off-by: Tommy Chiu <[email protected]>

Author: tommychiu-github

sw/device/silicon_creator/lib/cert/cert.h

@@ -51,6 +51,15 @@ enum {
   kCertKeyIdSizeInBytes = kCertX509Asn1SerialNumberSizeInBytes,
 };
 
+/**
+ * DICE certificate format. It supports 2 types currently.
+ * Each DICE implementation declares one of those specifically.
+ */
+typedef enum dice_cert_format {
+  kDiceCertFormatX509TcbInfo = 0,
+  kDiceCertFormatCWTAndroid = 1,
+} dice_cert_format_t;
+
 /**
  * Defines a grouping of certificates onto a single flash info page.
  */

sw/device/silicon_creator/lib/cert/dice.c

@@ -34,6 +34,8 @@ static cdi_1_sig_values_t cdi_1_cert_params = {
     .tbs_size = kCdi1MaxTbsSizeBytes,
 };
 
+const dice_cert_format_t kDiceCertFormat = kDiceCertFormatX509TcbInfo;
+
 static_assert(kDiceMeasurementSizeInBytes == 32,
               "The DICE attestation measurement size should equal the size of "
               "the keymgr binding registers.");

sw/device/silicon_creator/lib/cert/dice.h

@@ -23,6 +23,7 @@ enum {
   kDiceMeasurementSizeInBytes = kDiceMeasurementSizeInBits / 8,
 };
 
+extern const dice_cert_format_t kDiceCertFormat;
 /**
  * DICE ECC key descriptors.
  */

sw/device/silicon_creator/manuf/base/ft_personalize.c

@@ -107,13 +107,15 @@ static cert_key_id_pair_t cdi_1_key_ids = {
     .cert = &cdi_1_pubkey_id,
 };
 static ecdsa_p256_public_key_t curr_pubkey = {.x = {0}, .y = {0}};
+static ecdsa_p256_public_key_t uds_pubkey = {.x = {0}, .y = {0}};
 static perso_blob_t perso_blob_to_host;    // Perso data device => host.
 static perso_blob_t perso_blob_from_host;  // Perso data host => device.
 
 /**
  * Certificates flash info page layout.
  */
 static uint8_t all_certs[8192];
+static size_t uds_offset;
 static size_t cdi_0_offset;
 static size_t cdi_1_offset;
 static cert_flash_info_layout_t cert_flash_layout[] = {
@@ -367,6 +369,7 @@ static status_t hash_certificate(const flash_ctrl_info_page_t *page,
   if (size) {
     *size = obj_size;
   }
+
   return OK_STATUS();
 }
 
@@ -456,6 +459,7 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
   curr_cert_size = kUdsMaxTbsSizeBytes;
   TRY(otbn_boot_cert_ecc_p256_keygen(kDiceKeyUds, &uds_pubkey_id,
                                      &curr_pubkey));
+  memcpy(&uds_pubkey, &curr_pubkey, sizeof(ecdsa_p256_public_key_t));
   TRY(otbn_boot_attestation_key_save(kDiceKeyUds.keygen_seed_idx,
                                      kDiceKeyUds.type,
                                      *kDiceKeyUds.keymgr_diversifier));
@@ -468,9 +472,11 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
       all_certs, &curr_cert_size));
   // DO NOT CHANGE THE "UDS" STRING BELOW with modifying the `dice_cert_names`
   // collection in sw/host/provisioning/ft_lib/src/lib.rs.
-  TRY(perso_tlv_push_cert_to_perso_blob("UDS", /*needs_endorsement=*/true,
-                                        all_certs, curr_cert_size,
-                                        &perso_blob_to_host));
+  uds_offset = perso_blob_to_host.next_free;
+  TRY(perso_tlv_push_cert_to_perso_blob(
+      "UDS",
+      /*needs_endorsement=*/kDiceCertFormat == kDiceCertFormatX509TcbInfo,
+      all_certs, curr_cert_size, &perso_blob_to_host));
   LOG_INFO("Generated UDS certificate.");
 
   // Generate CDI_0 keys and cert.
@@ -628,14 +634,24 @@ static status_t personalize_endorse_certificates(ujson_t *uj) {
   // LTV object.
   perso_tlv_cert_obj_t block;
 
-  // Exract the UDS cert perso LTV object.
-  TRY(extract_next_cert(&next_cert, &free_room));
-
-  // Extract the two CDI cert perso LTV objects which were endorsed on-device
-  // and sent to the host.
-  size_t cdi_offsets[] = {cdi_0_offset, cdi_1_offset};
-  for (size_t i = 0; i < ARRAYSIZE(cdi_offsets); i++) {
-    size_t offset = cdi_offsets[i];
+  // CWT DICE doesn't need host to endorse any certificate for it, so all
+  // payload are in the "perso_blob_to_host".
+  // Default to this setting, and move to X509 setting if the flag is set.
+  size_t cert_offsets[3] = {uds_offset, cdi_0_offset, cdi_1_offset};
+  size_t cert_offsets_count = 3;
+  if (kDiceCertFormat == kDiceCertFormatX509TcbInfo) {
+    // Exract the UDS cert perso LTV object.
+    TRY(extract_next_cert(&next_cert, &free_room));
+    // Extract the two CDI cert perso LTV objects which were endorsed on-device
+    // and sent to the host.
+    cert_offsets[0] = cert_offsets[1];
+    cert_offsets[1] = cert_offsets[2];
+    cert_offsets_count = 2;
+  }
+  // Extract the cert perso LTV objects which were endorsed on-device and send
+  // to the host.
+  for (size_t i = 0; i < cert_offsets_count; i++) {
+    size_t offset = cert_offsets[i];
     TRY(perso_tlv_get_cert_obj(perso_blob_to_host.body + offset,
                                sizeof(perso_blob_to_host.body) - offset,
                                &block));
@@ -782,7 +798,15 @@ bool test_main(void) {
       .certgen_inputs = &certgen_inputs,
       .perso_blob_to_host = &perso_blob_to_host,
       .cert_flash_layout = cert_flash_layout,
-      .flash_ctrl_handle = &flash_ctrl_state};
+      .flash_ctrl_handle = &flash_ctrl_state,
+      .uds_pubkey = &uds_pubkey,
+      .uds_pubkey_id = &uds_pubkey_id,
+      .otp_creator_sw_cfg_measurement = &otp_creator_sw_cfg_measurement,
+      .otp_owner_sw_cfg_measurement = &otp_owner_sw_cfg_measurement,
+      .otp_rot_creator_auth_codesign_measurement =
+          &otp_rot_creator_auth_codesign_measurement,
+      .otp_rot_creator_auth_state_measurement =
+          &otp_rot_creator_auth_state_measurement};
   CHECK_STATUS_OK(personalize_extension_pre_cert_endorse(&pre_endorse));
 
   CHECK_STATUS_OK(personalize_endorse_certificates(&uj));

sw/device/silicon_creator/manuf/base/perso_tlv_data.c

@@ -28,7 +28,8 @@ rom_error_t perso_tlv_get_cert_obj(uint8_t *buf, size_t ltv_buf_size,
   // Extract LTV object type.
   PERSO_TLV_GET_FIELD(Objh, Type, objh, &obj_type);
   obj->obj_type = obj_type;
-  if (obj_type != kPersoObjectTypeX509Cert) {
+  if (obj_type != kPersoObjectTypeX509Cert &&
+      obj_type != kPersoObjectTypeCwtCert) {
     LOG_INFO("Skipping object of type %d", obj_type);
     return kErrorPersoTlvCertObjNotFound;
   }
@@ -67,12 +68,15 @@ rom_error_t perso_tlv_get_cert_obj(uint8_t *buf, size_t ltv_buf_size,
   obj->cert_body_p = buf;
 
   // Sanity check on the certificate body size.
-  size_t decoded_cert_size =
-      cert_x509_asn1_decode_size_header(obj->cert_body_p);
-  if (decoded_cert_size != obj->cert_body_size) {
-    LOG_ERROR("Unexpected cert size %d instead of %d for cert %s",
-              decoded_cert_size, obj->cert_body_size, obj->name);
-    return kErrorPersoTlvInternal;
+  // TODO(24281): add sanity check on CWT certificate body size.
+  if (obj_type == kPersoObjectTypeX509Cert) {
+    size_t decoded_cert_size =
+        cert_x509_asn1_decode_size_header(obj->cert_body_p);
+    if (decoded_cert_size != obj->cert_body_size) {
+      LOG_ERROR("Unexpected cert size %d instead of %d for cert %s",
+                decoded_cert_size, obj->cert_body_size, obj->name);
+      return kErrorPersoTlvInternal;
+    }
   }
 
   return kErrorOk;
@@ -106,7 +110,10 @@ rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
   if (needs_endorsement) {
     PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeX509Tbs);
   } else {
-    PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeX509Cert);
+    // TODO(lowRISC/opentitan:#24281): should decide the obj_type by other
+    // factor
+    // PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeX509Cert);
+    PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeCwtCert);
   }
   PERSO_TLV_SET_FIELD(Objh, Size, obj_header, obj_size);
 

sw/device/silicon_creator/manuf/base/perso_tlv_data.h

@@ -29,6 +29,7 @@ typedef enum perso_tlv_object_type {
   kPersoObjectTypeX509Tbs = 0,
   kPersoObjectTypeX509Cert = 1,
   kPersoObjectTypeDevSeed = 2,
+  kPersoObjectTypeCwtCert = 3,
 } perso_tlv_object_type_t;
 
 typedef uint16_t perso_tlv_object_header_t;

sw/device/silicon_creator/manuf/base/personalize_ext.h

@@ -48,11 +48,26 @@ typedef struct personalize_extension_pre_endorse {
    * knows where to place endorsed objects received from the host.
    */
   cert_flash_info_layout_t *cert_flash_layout;
-
   /**
    * Pointer to the flash controller handle necessary for proper flash access.
    */
   dif_flash_ctrl_state_t *flash_ctrl_handle;
+  /**
+   * Pointer to the UDS public key. Personalization extensions may require
+   * accessing it to generate different certificate chains that fit a specific
+   * SKU's requirements.
+   */
+  ecdsa_p256_public_key_t *uds_pubkey;
+  hmac_digest_t *uds_pubkey_id;
+  /**
+   * Pointer to the OTP measurements used to generate the UDS public key.
+   * Personalization extensions may require accessing these to generate
+   * different certificate chains that fit a specific SKU's requirements.
+   */
+  hmac_digest_t *otp_creator_sw_cfg_measurement;
+  hmac_digest_t *otp_owner_sw_cfg_measurement;
+  hmac_digest_t *otp_rot_creator_auth_codesign_measurement;
+  hmac_digest_t *otp_rot_creator_auth_state_measurement;
 } personalize_extension_pre_endorse_t;
 
 /**

sw/host/provisioning/ft_lib/src/lib.rs

@@ -15,8 +15,7 @@ use p256::NistP256;
 use zerocopy::AsBytes;
 
 use cert_lib::{
-    get_cert_size, parse_and_endorse_x509_cert, validate_cert_chain, CertEndorsementKey,
-    EndorsedCert,
+    parse_and_endorse_x509_cert, validate_cert_chain, CertEndorsementKey, EndorsedCert,
 };
 use ft_ext_lib::ft_ext;
 use opentitanlib::app::TransportWrapper;
@@ -244,15 +243,6 @@ fn get_cert(data: &[u8]) -> Result<CertHeader> {
     let header_size = header_len + name_len;
     let cert_body: Vec<u8> = data[header_size..wrapped_size].to_vec();
 
-    // Sanity check, total size and cert size must  match
-    let cert_size = get_cert_size(&cert_body)?;
-    if cert_size != cert_body.len() {
-        bail!(
-            "cert size {} does not match length {}",
-            cert_size,
-            cert_body.len()
-        );
-    }
     Ok(CertHeader {
         wrapped_size,
         cert_name,
@@ -350,7 +340,7 @@ fn provision_certificates(
         }
         start += obj_header_size;
         match header.obj_type {
-            ObjType::EndorsedX509Cert | ObjType::UnendorsedX509Cert => (),
+            ObjType::EndorsedX509Cert | ObjType::UnendorsedX509Cert | ObjType::EndorsedCwtCert => {}
             ObjType::DevSeed => {
                 let dev_seed_size = header.obj_size - obj_header_size;
                 let seeds = &perso_blob.body[start..start + dev_seed_size];
@@ -390,7 +380,10 @@ fn provision_certificates(
         };
 
         // Collect all DICE certs to validate the chain.
-        if dice_cert_names.contains(cert.cert_name) {
+        // TODO(lowRISC/opentitan:#24281): Add CWT verifier
+        if dice_cert_names.contains(cert.cert_name)
+            && header.obj_type == ObjType::UnendorsedX509Cert
+        {
             dice_cert_chain.push(EndorsedCert {
                 format: CertFormat::X509,
                 name: cert.cert_name.to_string(),
@@ -401,7 +394,10 @@ fn provision_certificates(
 
         // Ensure all certs parse with OpenSSL (even those that where endorsed on device).
         log::info!("{} Cert: {}", cert.cert_name, hex::encode(&cert_bytes));
-        let _ = parse_certificate(&cert_bytes)?;
+        // TODO(lowRISC/opentitan:#24281): Add CWT parser
+        if header.obj_type != ObjType::DevSeed && header.obj_type != ObjType::EndorsedCwtCert {
+            let _ = parse_certificate(&cert_bytes)?;
+        }
         // Push the cert into the hasher so we can ensure the certs written to the device's flash
         // info pages match those verified on the host.
         cert_hasher.update(cert_bytes);
@@ -443,6 +439,7 @@ fn provision_certificates(
     }
 
     // Validate the certificate endorsements with OpenSSL.
+    // TODO(lowRISC/opentitan:#24281): Add CWT verifier
     log::info!("Validating DICE certificate chain with OpenSSL ...");
     validate_cert_chain(ca_certificate.to_str().unwrap(), &dice_cert_chain)?;
     log::info!("Success.");

sw/host/provisioning/perso_tlv_lib/src/lib.rs

@@ -11,6 +11,7 @@ pub enum ObjType {
     UnendorsedX509Cert = perso_tlv_objects::perso_tlv_object_type_kPersoObjectTypeX509Tbs as isize,
     EndorsedX509Cert = perso_tlv_objects::perso_tlv_object_type_kPersoObjectTypeX509Cert as isize,
     DevSeed = perso_tlv_objects::perso_tlv_object_type_kPersoObjectTypeDevSeed as isize,
+    EndorsedCwtCert = perso_tlv_objects::perso_tlv_object_type_kPersoObjectTypeCwtCert as isize,
 }
 
 impl ObjType {
@@ -19,6 +20,7 @@ impl ObjType {
             0 => Ok(ObjType::UnendorsedX509Cert),
             1 => Ok(ObjType::EndorsedX509Cert),
             2 => Ok(ObjType::DevSeed),
+            3 => Ok(ObjType::EndorsedCwtCert),
             _ => bail!("incorrect input value of {value} for ObjType"),
         }
     }