Closed korran closed 1 year ago
When mixing vendor_pub_key_hash into PCR0, we take the value from the fuse-bank rather than from the image:
https://github.com/chipsalliance/caliptra-sw/blob/c5b1dbfc026ad07c154fe1670162ec826011e94b/rom/dev/src/pcr.rs#L82-L84
But for owner_pk_hash, we take the value from the data-vault, which is the same as the value from the image:
https://github.com/chipsalliance/caliptra-sw/blob/c5b1dbfc026ad07c154fe1670162ec826011e94b/rom/dev/src/pcr.rs#L86-L88
Similarly, when building the certificate, we take the owner hash from the image, not the fuses:
https://github.com/chipsalliance/caliptra-sw/blob/c5b1dbfc026ad07c154fe1670162ec826011e94b/rom/dev/src/flow/cold_reset/fmc_alias.rs#L156
Thus, if the owner_pk_hash fuse was never set, you wouldn't know based on the DICE certs.
Addressing in https://github.com/chipsalliance/caliptra-sw/pull/802
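The attestation gap described in this issue, as an added example that is not code from caliptra-sw: a simplified model of PCR0 that compares measuring the owner hash from the image against measuring it from the fuses. The function names, the two-input PCR0, the SHA-384 extend rule, and the all-zero "unset fuse" value are assumptions made for illustration; the key hashes are constructed sample values.

```python
import hashlib

PCR_LEN = 48  # SHA-384 digest size (assumed PCR width for this model)

def extend(pcr: bytes, data: bytes) -> bytes:
    """Hash-extend: new PCR = SHA-384(old PCR || data). Assumed model."""
    return hashlib.sha384(pcr + data).digest()

def measure(fuses: dict, image: dict, owner_source: str) -> bytes:
    """Build a simplified PCR0 from the two hashes discussed in the issue.

    owner_source = "image": owner hash comes from the image (via the data
                            vault), the behaviour the issue describes.
    owner_source = "fuse":  owner hash comes from the fuse bank, the way
                            the vendor hash is already handled.
    """
    owner = image["owner_pk_hash"] if owner_source == "image" else fuses["owner_pk_hash"]
    pcr = bytes(PCR_LEN)
    pcr = extend(pcr, fuses["vendor_pk_hash"])  # vendor hash always from fuses
    pcr = extend(pcr, owner)
    return pcr

# Constructed sample values, not real key hashes.
VENDOR = hashlib.sha384(b"constructed vendor key").digest()
OWNER = hashlib.sha384(b"constructed owner key").digest()

IMAGE = {"owner_pk_hash": OWNER}
FUSES_SET = {"vendor_pk_hash": VENDOR, "owner_pk_hash": OWNER}
FUSES_UNSET = {"vendor_pk_hash": VENDOR, "owner_pk_hash": bytes(PCR_LEN)}

def verifier_can_distinguish(owner_source: str) -> bool:
    """True if PCR0 differs between a device with the owner fuse programmed
    and one where it was never set, both booting the same image."""
    return measure(FUSES_SET, IMAGE, owner_source) != measure(FUSES_UNSET, IMAGE, owner_source)

if __name__ == "__main__":
    for source in ("image", "fuse"):
        print(f"owner hash from {source}: distinguishable = "
              f"{verifier_can_distinguish(source)}")
```

With the image as the source, both devices produce the same PCR0, so a verifier reading the measurement cannot tell that the owner fuse was left unprogrammed.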