search

chipsalliance / Caliptra

Caliptra IP and firmware for integrated Root of Trust block
Apache License 2.0
236 stars 33 forks source link

PCR quoting key source #239

Closed ChiaweiW closed 3 weeks ago

ChiaweiW commented 3 weeks ago

Hi Caliptra teams,

We are implementing the attestation service from SoC's perspective with Caliptra integrated. The specification states QUOTE_PCR will use the PCR quoting key to sign the PCR values.

After checking both the SW and HW code, we found that the PCR quoting key is using the key vault ID 7. And the current FMC implementation will place FMC alias private key at key vault ID 7.

We are wondering why FMC alias key (KeyID 7) is used instead of RT alias key (KeyID 5)? As QUOTE_PCR is a mailbox service provided by RT FW.

In addition, would you consider to revise the README to point out the key actually used as PCR quoting key? Thus the verifier will know which key should be used to verify the signature of hashed PCR.

Thanks, Chiawei

ChiaweiW commented 3 weeks ago

Re-post this issue to caliptra-sw and close it here.