We want to make policy decisions based on whether a system is in development or release mode. For example, development machines may have more lax policy on tech port unlocking; see RFD 492 and 506
This PR adds a SpRot message and Idol function to perform a "development or release" check. The policy decision is made on the RoT, which returns either Development or Release.
The RoT uses two pieces of information to make this policy decision.
First, it checks which keys are active in the Root of Trust's CFPA region, which has four slots:
Release is [valid, valid, invalid, invalid]
Development is [revoked, revoked, valid, valid]
The LPC55's firmware only lets keys go from invalid → valid → revoked; if any of slots 2/3 are valid, then we know that the machine is in Development mode.
However, we also distribute images with a CFPA that only enables key 0 ([valid, invalid, invalid, invalid]). These images use the Bartholomew certificate (fake_certs in this repository), which is not actually secret and is used for convenience when developing.
To detect this case, we check whether the CMPA is unlocked. If the CMPA is unlocked, then we treat the system as in Development.
We want to make policy decisions based on whether a system is in development or release mode. For example, development machines may have more lax policy on tech port unlocking; see RFD 492 and 506
This PR adds a
SpRot
message and Idol function to perform a "development or release" check. The policy decision is made on the RoT, which returns eitherDevelopment
orRelease
.The RoT uses two pieces of information to make this policy decision.
First, it checks which keys are active in the Root of Trust's CFPA region, which has four slots:
[valid, valid, invalid, invalid]
[revoked, revoked, valid, valid]
The LPC55's firmware only lets keys go from
invalid → valid → revoked
; if any of slots 2/3 arevalid
, then we know that the machine is in Development mode.However, we also distribute images with a CFPA that only enables key 0 (
[valid, invalid, invalid, invalid]
). These images use the Bartholomew certificate (fake_certs
in this repository), which is not actually secret and is used for convenience when developing.To detect this case, we check whether the CMPA is unlocked. If the CMPA is unlocked, then we treat the system as in Development.