From c3ae679209955004e69661c773c178671832a881 Mon Sep 17 00:00:00 2001
From: Tim Trippel
Date: Mon, 12 Feb 2024 14:23:28 -0800
Subject: [PATCH] [personalize] add creator pubkey ID to UDS cert

This updates the UDS cert generation code to add the creator pubkey ID, which is generated via a KMAC operation over the public key itself. The creator pubkey ID becomes the serial number for the UDS certificate.

Signed-off-by: Tim Trippel
---
.../manuf/skus/earlgrey_a0/sival_bringup/BUILD | 1 +
.../skus/earlgrey_a0/sival_bringup/ft_personalize_3.c | 9 ++++++---
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/BUILD b/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/BUILD
index 223f8f9e7dd55e..cf1aeffce530cb 100644
--- a/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/BUILD
+++ b/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/BUILD
@@ -274,6 +274,7 @@ opentitan_binary(
 "//sw/device/silicon_creator/lib:otbn_boot_services",
 "//sw/device/silicon_creator/lib/cert:cdi_0_template_library",
 "//sw/device/silicon_creator/lib/cert:uds_template_library",
+ "//sw/device/silicon_creator/lib/cert:util",
 "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
 "//sw/device/silicon_creator/lib/drivers:hmac",
 "//sw/device/silicon_creator/lib/drivers:keymgr",
diff --git a/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/ft_personalize_3.c b/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/ft_personalize_3.c
index 0b180508dd9d90..c95fddfa9144f0 100644
--- a/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/ft_personalize_3.c
+++ b/sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/ft_personalize_3.c
@@ -13,6 +13,7 @@
 #include "sw/device/silicon_creator/lib/attestation.h"
 #include "sw/device/silicon_creator/lib/attestation_key_diversifiers.h"
 #include "sw/device/silicon_creator/lib/cert/uds.h" // Generated.
+#include "sw/device/silicon_creator/lib/cert/util.h"
 #include "sw/device/silicon_creator/lib/drivers/flash_ctrl.h"
 #include "sw/device/silicon_creator/lib/drivers/hmac.h"
 #include "sw/device/silicon_creator/lib/drivers/keymgr.h"
@@ -95,19 +96,21 @@ static status_t gen_uds_keys_and_cert(void) {
 kAttestationPublicKeyCoordBytes);
 TRY(otbn_boot_attestation_key_save(kUdsAttestationKeySeed,
 kUdsKeymgrDiversifier));
- uint8_t creator_pub_key_id[kCertKeyIdSizeInBytes] = {0};
+
+ // Generate the UDS key ID.
+ uint32_t creator_pub_key_id[kOtCertPubkeyIdSizeIn32BitWords];
+ TRY(ot_cert_gen_key_id(&uds_pubkey, kUdsKeyIdSalt, creator_pub_key_id));
 
 // Generate the UDS (unendorsed) UDS certificate.
 uds_tbs_values_t uds_cert_tbs_params = {
 // TODO(#19455): include OTP measurements in attestation keygen / cert.
- // TODO(#19455): include creator pub key ID in cert.
 .otp_creator_sw_cfg_hash = NULL,
 .otp_creator_sw_cfg_hash_size = 0,
 .otp_owner_sw_cfg_hash = NULL,
 .otp_owner_sw_cfg_hash_size = 0,
 .otp_hw_cfg0_hash = NULL,
 .otp_hw_cfg0_hash_size = 0,
- .creator_pub_key_id = creator_pub_key_id,
+ .creator_pub_key_id = (unsigned char *)creator_pub_key_id,
 .creator_pub_key_id_size = kCertKeyIdSizeInBytes,
 .auth_key_key_id = in_data.auth_key_key_id,
 .auth_key_key_id_size = kCertKeyIdSizeInBytes,
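Review bot: The length handed to the certificate template, `.creator_pub_key_id_size = kCertKeyIdSizeInBytes`, is no longer tied to the buffer it describes: `creator_pub_key_id` is now sized by `kOtCertPubkeyIdSizeIn32BitWords` from cert/util.h while the advertised byte count comes from a different constant, so if the two ever diverge the template will either read past the stack array into the certificate body or emit a truncated key ID. Pin them together next to the declaration, `static_assert(sizeof(creator_pub_key_id) == kCertKeyIdSizeInBytes, "UDS key ID buffer must match the cert key ID size");` (needs <assert.h>), or simply pass `sizeof(creator_pub_key_id)` as the size so the two cannot drift. Since the commit message says this value becomes the UDS certificate serial number, a one-line comment above the `(unsigned char *)` cast noting that the word array is consumed as raw bytes in memory order — so the serial's byte order is whatever ot_cert_gen_key_id wrote, presumably big-endian, confirm against the helper — would save the next reader a trip into cert/util.c. gen_uds_keys_and_cert starts before this hunk and continues past it.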