[manuf,rom_ext] Update the parameters of perso_tlv_cert_obj_build

When building a perso_blob, the object type was decided by whether that
object needs endorsement or not. It is not feasible when not only one
certificate format needs to be supported by perso_fw and ROM_EXT.
To remediate that it requires the specify the object format by the
caller which needs to add one more parameter.

Signed-off-by: Tommy Chiu <[email protected]>

Author: tommychiu-github

sw/device/silicon_creator/manuf/base/BUILD

@@ -276,6 +276,7 @@ cc_library(
         "//sw/device/lib/base:status",
         "//sw/device/lib/testing/json:provisioning_data",
         "//sw/device/silicon_creator/lib:error",
+        "//sw/device/silicon_creator/lib/cert",
     ],
 )
 

sw/device/silicon_creator/manuf/base/ft_personalize.c

@@ -476,7 +476,7 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
   TRY(perso_tlv_push_cert_to_perso_blob(
       "UDS",
       /*needs_endorsement=*/kDiceCertFormat == kDiceCertFormatX509TcbInfo,
-      all_certs, curr_cert_size, &perso_blob_to_host));
+      kDiceCertFormat, all_certs, curr_cert_size, &perso_blob_to_host));
   LOG_INFO("Generated UDS certificate.");
 
   // Generate CDI_0 keys and cert.
@@ -495,8 +495,8 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
   // DO NOT CHANGE THE "CDI_0" STRING BELOW with modifying the `dice_cert_names`
   // collection in sw/host/provisioning/ft_lib/src/lib.rs.
   TRY(perso_tlv_push_cert_to_perso_blob("CDI_0", /*needs_endorsement=*/false,
-                                        all_certs, curr_cert_size,
-                                        &perso_blob_to_host));
+                                        kDiceCertFormat, all_certs,
+                                        curr_cert_size, &perso_blob_to_host));
   LOG_INFO("Generated CDI_0 certificate.");
 
   // Generate CDI_1 keys and cert.
@@ -516,8 +516,8 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
   // DO NOT CHANGE THE "CDI_1" STRING BELOW with modifying the `dice_cert_names`
   // collection in sw/host/provisioning/ft_lib/src/lib.rs.
   TRY(perso_tlv_push_cert_to_perso_blob("CDI_1", /*needs_endorsement=*/false,
-                                        all_certs, curr_cert_size,
-                                        &perso_blob_to_host));
+                                        kDiceCertFormat, all_certs,
+                                        curr_cert_size, &perso_blob_to_host));
   LOG_INFO("Generated CDI_1 certificate.");
 
   return OK_STATUS();

sw/device/silicon_creator/manuf/base/perso_tlv_data.c

@@ -82,7 +82,8 @@ rom_error_t perso_tlv_get_cert_obj(uint8_t *buf, size_t ltv_buf_size,
   return kErrorOk;
 }
 
-rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
+rom_error_t perso_tlv_cert_obj_build(const char *name,
+                                     const perso_tlv_object_type_t obj_type,
                                      const uint8_t *cert, size_t cert_size,
                                      uint8_t *buf, size_t *buf_size) {
   perso_tlv_object_header_t obj_header = 0;
@@ -107,14 +108,7 @@ rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
     return kErrorPersoTlvOutputBufTooSmall;
 
   // Setup the perso LTV object header.
-  if (needs_endorsement) {
-    PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeX509Tbs);
-  } else {
-    // TODO(lowRISC/opentitan:#24281): should decide the obj_type by other
-    // factor
-    // PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeX509Cert);
-    PERSO_TLV_SET_FIELD(Objh, Type, obj_header, kPersoObjectTypeCwtCert);
-  }
+  PERSO_TLV_SET_FIELD(Objh, Type, obj_header, obj_type);
   PERSO_TLV_SET_FIELD(Objh, Size, obj_header, obj_size);
 
   // Setup the cert object header.
@@ -138,11 +132,20 @@ rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
 
 status_t perso_tlv_push_cert_to_perso_blob(const char *name,
                                            bool needs_endorsement,
+                                           const dice_cert_format_t dice_format,
                                            const uint8_t *cert,
                                            size_t cert_size, perso_blob_t *pb) {
   // Build the perso TLV cert object and push it to the perso blob.
   size_t obj_size = sizeof(pb->body) - pb->next_free;
-  TRY(perso_tlv_cert_obj_build(name, needs_endorsement, cert, cert_size,
+  perso_tlv_object_type_t obj_type = kPersoObjectTypeCwtCert;
+  if (dice_format == kDiceCertFormatX509TcbInfo) {
+    if (needs_endorsement) {
+      obj_type = kPersoObjectTypeX509Tbs;
+    } else {
+      obj_type = kPersoObjectTypeX509Cert;
+    }
+  }
+  TRY(perso_tlv_cert_obj_build(name, obj_type, cert, cert_size,
                                pb->body + pb->next_free, &obj_size));
 
   // Update the perso blob offset and object count.

sw/device/silicon_creator/manuf/base/perso_tlv_data.h

@@ -11,6 +11,7 @@
 
 #include "sw/device/lib/base/status.h"
 #include "sw/device/lib/testing/json/provisioning_data.h"
+#include "sw/device/silicon_creator/lib/cert/cert.h"
 #include "sw/device/silicon_creator/lib/error.h"
 
 /**
@@ -184,8 +185,7 @@ rom_error_t perso_tlv_get_cert_obj(uint8_t *buf, size_t ltv_buf_size,
  * +----------------------------------------------+
  *
  * @param name The name of the certificate.
- * @param needs_endorsement Defines the type of the LTV object the certificate
- *                          is wrapped into (TBS or fully formed).
+ * @param obj_type The object type that needs to encoded.
  * @param cert The binary certificate blob.
  * @param cert_size Size of the certificate blob in bytes.
  * @param[out] buf Output buffer to copy the data into.
@@ -194,7 +194,8 @@ rom_error_t perso_tlv_get_cert_obj(uint8_t *buf, size_t ltv_buf_size,
  * @return status of the operation.
  */
 OT_WARN_UNUSED_RESULT
-rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
+rom_error_t perso_tlv_cert_obj_build(const char *name,
+                                     const perso_tlv_object_type_t obj_type,
                                      const uint8_t *cert, size_t cert_size,
                                      uint8_t *buf, size_t *buf_size);
 
@@ -206,6 +207,7 @@ rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
  * @param name The name of the certificate.
  * @param needs_endorsement Defines the type of the LTV object the certificate
  *                          is wrapped into (TBS or fully formed).
+ * @param cert_format The format of the certificate.
  * @param cert The binary certificate blob.
  * @param cert_size Size of the certificate blob in bytes.
  * @param perso_blob Pointer to the `perso_blob_t` to copy the object to.
@@ -214,6 +216,7 @@ rom_error_t perso_tlv_cert_obj_build(const char *name, bool needs_endorsement,
 OT_WARN_UNUSED_RESULT
 status_t perso_tlv_push_cert_to_perso_blob(const char *name,
                                            bool needs_endorsement,
+                                           const dice_cert_format_t cert_format,
                                            const uint8_t *cert,
                                            size_t cert_size, perso_blob_t *pb);
 

sw/device/silicon_creator/manuf/base/tpm_personalize_ext.c

@@ -80,9 +80,9 @@ static status_t personalize_gen_tpm_ek_certificate(
   curr_cert_size = sizeof(cert_buffer);
   TRY(tpm_ek_tbs_cert_build(&tpm_key_ids, &curr_pubkey, cert_buffer,
                             &curr_cert_size));
-  return perso_tlv_push_cert_to_perso_blob("TPM EK", /*needs_endorsement=*/true,
-                                           cert_buffer, curr_cert_size,
-                                           perso_blob);
+  return perso_tlv_push_cert_to_perso_blob(
+      "TPM EK", /*needs_endorsement=*/true, kDiceCertFormatX509TcbInfo,
+      cert_buffer, curr_cert_size, perso_blob);
 }
 
 status_t personalize_extension_pre_cert_endorse(

sw/device/silicon_creator/rom_ext/rom_ext.c

@@ -543,9 +543,9 @@ static rom_error_t dice_chain_push_cert(const char *name, const uint8_t *cert,
 
   // Encode the certificate to the tail buffer.
   size_t cert_page_left = dice_chain_get_tail_size();
-  HARDENED_RETURN_IF_ERROR(perso_tlv_cert_obj_build(
-      name, /*needs_endorsement=*/false, cert, cert_size,
-      dice_chain_get_tail_buffer(), &cert_page_left));
+  HARDENED_RETURN_IF_ERROR(
+      perso_tlv_cert_obj_build(name, kPersoObjectTypeX509Cert, cert, cert_size,
+                               dice_chain_get_tail_buffer(), &cert_page_left));
 
   // Move the offset to the new tail.
   HARDENED_RETURN_IF_ERROR(perso_tlv_get_cert_obj(dice_chain_get_tail_buffer(),