Open diswd opened 1 month ago
the Key vault module cannot meet the requirements of key management
Can you clarify what specific requirements you have?
the Key vault module cannot meet the requirements of key management
Can you clarify what specific requirements you have?
Hi! Thanks for your reply. I want to understand how Caliptra implements key generation, key update, and key destruction. I didn't find anything about these in Caliptra documents. Could you please tell me the specific description about Caliptra's key generation, key update, and key destruction? Thank you very much!
It depends on what keys you're referring to.
In general, Caliptra stores all keys in the KeyVault peripheral: https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg. This supports generation, locking, and clearing. You can find more details at https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg
But how this is exposed to SoC callers depends on the key.
For DICE keys created by Caliptra:
For DPE keys (keys created on behalf of the SoC) keys are generated, used, and cleared as part of a single command.
It depends on what keys you're referring to.
In general, Caliptra stores all keys in the KeyVault peripheral: https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg. This supports generation, locking, and clearing. You can find more details at https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.kv_reg
But how this is exposed to SoC callers depends on the key.
For DICE keys created by Caliptra:
- IDevID: Generated by ROM, used to sign LDevID Certificate, and then cleared.
- LDevID: Generated by ROM, used to sign FMC Alias Certificate, and then cleared.
- FMC Alias: Generated by ROM, used to sign Runtime Alias Certificate, and then locked by FMC. Unlocked on Caliptra reset. Can be cleared with the FIPS SHUTDOWN command.
- Runtim Alias: Generated by FMC, used to sign PCR quotes and DPE certificates by Runtime. Updated by FMC during impactless update. Can be cleared with the DISABLE_ATTESTATION or FIPS SHUTDOWN commands.
For DPE keys (keys created on behalf of the SoC) keys are generated, used, and cleared as part of a single command.
Ok, thanks for your help!
Oops I just linked the KeyVault register definition twice. I meant to link this for more details: https://github.com/chipsalliance/caliptra-rtl/blob/main/docs/CaliptraHardwareSpecification.md#key-vault
On performance numbers: HW spec carries information on the crypto performance characteristics. Please look at that.
On power: this is process specific.
On performance numbers: HW spec carries information on the crypto performance characteristics. Please look at that.
On power: this is process specific.
Ok, I got it. Thanks for your reply!
Hi! I have some questions about Caliptra. Question: