chipsalliance / Caliptra

Caliptra IP and firmware for integrated Root of Trust block
Apache License 2.0

Fuse "IDEVID CERT IDEVID ATTR" and IDevID Certificate incomplete correlation, discrepancy and typo. #205

Open myviewfinder opened 2 months ago

myviewfinder commented 2 months ago

Summary: The Caliptra main specification and the Caliptra Integration spec do not fully define the fuse "Certificate Attribute" fields with corresponding fields in the IDevID Certificate. There is also a typo in the Caliptra ROM spec. Details below.

  1. What does fuse Certificate Attribute "Flags (byte 0, bits [1:0]): Key ID algorithm for IDevID Subject Key Identifier" correspond to in the IDevID Cert? I.e. is Table 7: IDevID certificate missing the "Subject Key Identifier" field?

  2. What should fuse Certificate Attribute "Subject Key ID (bytes 4 to 23)" be when fuse Certificate Attribute's Flags != 3?

  3. What is fuse Certificate Attribute "Manufacturer Serial Number (bytes 28 to 43):" used for? Table 7 does not have such an IDevID certificate field.

  4. There are discrepancies in the Certificate Attributes (i) fuse size and (ii) location of fields among the various specifications. Main spec encoding of these attribute fuses below table 7 defines attributes = 44 bytes, versus

  5. Typo in ROM spec FUSE_IDEVID_CERT_ATTR with same encoding value of "2" for both SHA256 and SHA384 selections.

  6. ROM spec FUSE_IDEVID_CERT_ATTR fields & locations discrepancies with that in the Caliptra main spec.'s encoding of these attribute fuses below table 7

varuns-nvidia commented 2 months ago

  1. The fuse IDEVID_CERT_ATTR bits 0 and 1 tell Caliptra ROM what is the format and the input data for the IDevID subject key identifier. Yes, you're right that Table 7 should include the Subject Key Identifier.
  2. The value is don't care because the Flags tell Caliptra ROM not to consume that value.
  3. It is used to generate the tcg-dice-Ueid extension value.
  4. The fuse bits allocated in the Caliptra fuse map are 96 bytes = 768 bits. Of those, only 44 bytes have defined usage.
  5. @mhatrevi please review
  6. @mhatrevi please review

varuns-nvidia commented 2 months ago

I've pushed https://github.com/chipsalliance/Caliptra/pull/206 with the main spec updates adding Subject Key Identifier.

myviewfinder commented 2 months ago

@varuns-nvidia, about your response to bullet no.2, please kindly clarify in the Caliptra Main specification that SoC shall treat it as Don't Care in bytes (4 to 23) when Flags != 3.

Additional issue on bullet no.3, does the text below miss out listing the IDevID, since IDevID cert. field also has tcg-dice-Ueid field?

"Manufacturer Serial Number (bytes 28 to 43): the 128-bit unique serial number of the device to be used for the TCG UEID extension in the Caliptra-generated LDevID, AliasFMC, and AliasRT certificates."

About your response to bullet no.4, please consider the following clarification in the Caliptra Main spec. encoding of certificate attribute fuses below table 7:

Reserved (byte 44 to byte 95)

  1. In general, does Caliptra have an expectation on any reserved field value, such as 0?
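
The fuse layout discussed in this thread, as an added example (not code from the Caliptra specs, ROM or this issue's participants): a decoder for the 96-byte IDEVID_CERT_ATTR field that ignores the Subject Key ID when Flags != 3 and reports, without enforcing, whether the reserved bytes 44 to 95 are nonzero. It assumes the fuse bank is presented as a flat byte array with byte 0 first; bytes 1 to 3 and 24 to 27 are not described in the thread and are left uninterpreted, and all names are hypothetical.

```rust
// Added example: decodes only the IDEVID_CERT_ATTR fields named in this thread.
// Assumption: fuses are presented as a flat 96-byte array, byte 0 first.

const FUSE_LEN: usize = 96; // allocated in the fuse map (768 bits)
const DEFINED_LEN: usize = 44; // bytes with defined usage
const FLAGS_SKI_FROM_FUSE: u8 = 3; // per the thread, bytes 4..=23 are don't-care otherwise

#[derive(Debug, PartialEq)]
pub struct IdevidCertAttr {
    pub ski_flags: u8,                    // byte 0, bits [1:0]
    pub subject_key_id: Option<[u8; 20]>, // bytes 4..=23, only when flags == 3
    pub mfg_serial: [u8; 16],             // bytes 28..=43, used for tcg-dice-Ueid
    pub reserved_nonzero: bool,           // any bit set in bytes 44..=95
}

pub fn decode_idevid_cert_attr(raw: &[u8]) -> Result<IdevidCertAttr, String> {
    if raw.len() != FUSE_LEN {
        return Err(format!("expected {} bytes, got {}", FUSE_LEN, raw.len()));
    }
    let ski_flags = raw[0] & 0b11;
    // Do not surface the don't-care bytes, so callers cannot consume them by mistake.
    let subject_key_id = if ski_flags == FLAGS_SKI_FROM_FUSE {
        let mut ski = [0u8; 20];
        ski.copy_from_slice(&raw[4..24]);
        Some(ski)
    } else {
        None
    };
    let mut mfg_serial = [0u8; 16];
    mfg_serial.copy_from_slice(&raw[28..44]);
    let reserved_nonzero = raw[DEFINED_LEN..].iter().any(|&b| b != 0);
    Ok(IdevidCertAttr { ski_flags, subject_key_id, mfg_serial, reserved_nonzero })
}

// Constructed sample image (not real fuse data).
pub fn sample_fuses(flags: u8) -> [u8; FUSE_LEN] {
    let mut f = [0u8; FUSE_LEN];
    f[0] = flags;
    for i in 4..24 { f[i] = 0xA0 + (i as u8 - 4); }
    for i in 28..44 { f[i] = i as u8; }
    f
}

fn main() {
    println!("{:?}", decode_idevid_cert_attr(&sample_fuses(3)));
}
```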