chipsalliance / caliptra-rtl

HW Design Collateral for Caliptra RoT IP
Apache License 2.0

Questions related to Caliptra key management, trust measurement, power consumption and performance #557

Open diswd opened 1 month ago

diswd commented 1 month ago

Hi! I have some questions about Caliptra. Question:

  1. The detail of the key management: According to existing documents, the Key vault module cannot meet the requirements of key management because key generation, key update, and key destruction were not mentioned. Therefore, I would like to ask how Caliptra implements key management?
  2. Trust measurement:
     (1) Measurement sequence of SoC FW and Caliptra FW during system startup phase.
     (2) Active measurement description during system operation phase, such as dynamic measurement of key system components (such as kernel modules, drivers, etc.).
     (3) In the current version, can Caliptra directly obtain FW through QSPI?
  3. Power consumption: What is the power consumption reference index for Caliptra?
  4. Performance: Could you please provide a reference for Caliptra's overall throughput, the throughput of each algorithm, and the time required for secure startup?

jhand2 commented 1 month ago

> the Key vault module cannot meet the requirements of key management

Can you clarify what specific requirements you have?

diswd commented 1 month ago

> > the Key vault module cannot meet the requirements of key management
>
> Can you clarify what specific requirements you have?

Hi! Thanks for your reply. I want to understand how Caliptra implements key generation, key update, and key destruction. I didn't find anything about these in Caliptra documents. Could you please tell me the specific description about Caliptra's key generation, key update, and key destruction? Thank you very much!

jhand2 commented 1 month ago

It depends on what keys you're referring to.

In general, Caliptra stores all keys in the KeyVault peripheral: https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg. This supports generation, locking, and clearing. You can find more details at https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg

But how this is exposed to SoC callers depends on the key.

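For DICE keys created by Caliptra:

  • IDevID: Generated by ROM, used to sign LDevID Certificate, and then cleared.
  • LDevID: Generated by ROM, used to sign FMC Alias Certificate, and then cleared.
  • FMC Alias: Generated by ROM, used to sign Runtime Alias Certificate, and then locked by FMC. Unlocked on Caliptra reset. Can be cleared with the FIPS SHUTDOWN command.
  • Runtime Alias: Generated by FMC, used to sign PCR quotes and DPE certificates by Runtime. Updated by FMC during impactless update. Can be cleared with the DISABLE_ATTESTATION or FIPS SHUTDOWN commands.

For DPE keys (keys created on behalf of the SoC), keys are generated, used, and cleared as part of a single command.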

diswd commented 1 month ago

> It depends on what keys you're referring to.
>
> In general, Caliptra stores all keys in the KeyVault peripheral: https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg. This supports generation, locking, and clearing. You can find more details at https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg
>
> But how this is exposed to SoC callers depends on the key.
>
> For DICE keys created by Caliptra:
>
>   • IDevID: Generated by ROM, used to sign LDevID Certificate, and then cleared.
>   • LDevID: Generated by ROM, used to sign FMC Alias Certificate, and then cleared.
>   • FMC Alias: Generated by ROM, used to sign Runtime Alias Certificate, and then locked by FMC. Unlocked on Caliptra reset. Can be cleared with the FIPS SHUTDOWN command.
>   • Runtime Alias: Generated by FMC, used to sign PCR quotes and DPE certificates by Runtime. Updated by FMC during impactless update. Can be cleared with the DISABLE_ATTESTATION or FIPS SHUTDOWN commands.
>
> For DPE keys (keys created on behalf of the SoC), keys are generated, used, and cleared as part of a single command.

Ok, thanks for your help!

jhand2 commented 1 month ago

Oops, I just linked the KeyVault register definition twice. I meant to link this for more details: https://github.com/chipsalliance/caliptra-rtl/blob/main/docs/CaliptraHardwareSpecification.md#key-vault

bharatpillilli commented 1 month ago

On performance numbers: HW spec carries information on the crypto performance characteristics. Please look at that.

On power: this is process specific.

diswd commented 1 month ago

> On performance numbers: HW spec carries information on the crypto performance characteristics. Please look at that.
>
> On power: this is process specific.

Ok, I got it. Thanks for your reply!