search

chipsalliance / caliptra-sw

Caliptra software (ROM, FMC, runtime firmware), and libraries/tools needed to build and test
Apache License 2.0
95 stars 43 forks source link

PCR quoting key source #1737

Open ChiaweiW opened 4 days ago

ChiaweiW commented 4 days ago

Hi Caliptra teams,

We are implementing the attestation service from SoC's perspective with Caliptra integrated. The specification states QUOTE_PCR will use the PCR quoting key to sign the PCR values.

After checking both the SW and HW code, we found that the PCR quoting key is using the key vault ID 7. And the current FMC implementation will place FMC alias private key at key vault ID 7.

We are wondering why FMC alias key (KeyID 7) is used instead of RT alias key (KeyID 5)? As QUOTE_PCR is a mailbox service provided by RT FW.

In addition, would you consider to revise the README of RT to point out the key actually used as PCR quoting key? Thus the verifier will know which key should be used to verify the signature of hashed PCR.

Thanks, Chiawei

jhand2 commented 4 days ago

We are wondering why FMC alias key (KeyID 7) is used instead of RT alias key (KeyID 5)? As QUOTE_PCR is a mailbox service provided by RT FW.

@mhatrevi would you be able to comment here with the rationale?

In addition, would you consider to revise the README of RT to point out the key actually used as PCR quoting key? Thus the verifier will know which key should be used to verify the signature of hashed PCR.

Sounds good, yes we can update the RT spec.