[keymgr] D2(S) Signoff

[msfschaffner]

Description

Ensure D2(S) signoff criteria are still maintained (this is not a focus area block).

[andreaskurth]

Commits since Earlgrey-ES tapeout

git rev-parse HEAD

c73929e

git log Earlgrey-M2.5.2-RC0..HEAD --oneline hw/ip/keymgr

• 52da8f7 [keymgr] Add missing CM annotation
  --> RTL changed but only a CM label added
• 0d14dd6 [docs] Fix repetitions of the definite article
  --> no RTL changed; spelling fixed in spec
• 5639924 Revert "[edn] Move prim_edn_req out of prim"
  --> reverts 3b4e36e below
• c721c51 [rtl, prim] Add 'commit' functionality to prim_count
  --> RTL changed but no functional difference
• e81b588 [keymgr/otp_ctrl] Add support for creator/owner seeds
  --> RTL changes with minimal functional impact for keymgr:
  1. In otp_ctrl_pkg::otp_keymgr_key_t the creator root key shares got renamed and the valid signal got split into one valid signal per share.
  2. keymgr can now take the creator and owner seed from flash instead of OTP iff the UseOtpSeedsInsteadOfFlash synthesis parameter is enabled, which is disabled in Earlgrey -- so this does not change functionality for Earlgrey.
• 61a237e [util/reggen] reverse order of substruct generation
  --> RTL changed but no functional difference
• 3b4e36e [edn] Move prim_edn_req out of prim
  --> reverted by 5639924 above
• de31bdf [reggen] Remove the devmode input
  --> RTL changed but no functional difference
• 963a500 [doc] Minor tweak to md sanitisation code
  --> no RTL changed; spec docs changed but changes should be structural only
• 975a6eb [adc_ctrl,dv] Tidy up access to intr_state in env_cfg files
  --> no RTL nor specification changed
• 1b16ca2 [reggen] Add mubi support SWAccess that sets/clears a reg
  --> RTL changed but no functional difference
• 59f8142 [doc] Moved badges over to using hosted images
  --> no RTL nor specification changed
• 8ba7e45 [SiVal] Test plan updates for keymgr
  --> no RTL nor specification changed
• 19c05ad [doc] keymgr registers and interfaces now use CMDGEN
  --> no RTL changed; spec docs changed but changes should be structural only
• 7688e71 [reggen] Add initial support for version and cip_id hjson fields
  --> no RTL changed
• fbd888e Revert "[reggen] Add CIP_IDs and bump all major versions"
  --> reverts commit below
• 0ba10b3 [reggen] Add CIP_IDs and bump all major versions
  --> reverted by commit above
• e47df29 [misc] Use lc_tx_t testing functions at endpoints
  --> RTL changed but no functional difference

Issues closed since the Earlgrey-ES tapeout

https://github.com/lowRISC/opentitan/issues?q=is%3Aissue+is%3Aclosed+closed%3A%3E2023-06-27+keymgr

• [keymgr] Ensure "disabled" state is not exposed to software #2136
  --> not planned
• Bug in prim_subreg_arb.sv #5416
  --> bug in prim_subreg that got resolved
• [keymgr] Entropy to first key #7614
  --> resolved for Earlgrey-ES tapeout already but got closed afterwards
• [keymgr] input selection blanking #8947
  --> not planned
• [entropy_complex] Corner case tests at the chip level #10970
  --> top-level test
• [kmac] SCA hardening follow-up tasks #12323
  --> not planned
• [lc_ctrl] keymgr div key inconsistency #14047
  --> resolved in [lc_ctrl] Use unique diversification values #21372: keymgr now gets a unique diversification value (from lc_ctrl) for each group of life cycle states
• [dv/kmac] Make sure kmac does not hang when sideload key valid bit is dropped #14596
  --> kmac
• Aligning behavior on local caching of entropy for secure wipe #15473
  --> not planned for Earlgrey-PROD
• [flash_ctrl] Usability improvements #15783
  --> flash_ctrl
• [edn] Elevate CSRNG status errors to fatal alerts #15894
  --> edn
• [rom_ctrl] The ROM ctrl ignores integrity bits when fetching the digest for comparison #16072
  --> not planned
• Flow error that dc is unsupported for job runtime extraction #16562
  --> unrelated to keymgr
• //sw/device/tests/crypto:rsa_3072_verify_functest_wycheproof tests hang #16805
  --> test issue
• [manuf] Test: manuf_ft_provision_attestation #18228
  --> test issue
• [rtl/kmac] Improve handling of dropped edn requests #19232
  --> kmac
• [bazel] New rules: //sw/device/silicon_creator/rom/e2e/keymgr/BUILD #20108
  --> bazel
• [chip-test] chip_sw_otbn_keymgr #20120
  --> top-level test
• [keymgr_dpe] messge material is valid for invalid advance operations on erased slot  #20467
  --> keymgr_dpe
• [keymgr_dpe] successful disable operation leads to OpDoneFail status  #20468
  --> keymgr_dpe
• [kmac] Improve PRNG implementation #20828
  --> kmac
• [dv] Add countermeasure annotations in RTL #20887
  --> CM annotations
• [kmac] D2S Signoff #20978
  --> kmac
• [otp_ctrl] D2S Signoff #20983
  --> otp_ctrl
• [pwrmgr] D2(S) Signoff #20990
  --> pwrmgr
• [otp_ctrl] V2S Signoff #21018
  --> otp_ctrl
• [pwrmgr] V2(S) Signoff #21025
  --> pwrmgr
• [top_darjeeling] Lifecycle controller lc_owner_seed_sw_rw_en_o signal not connected #21044
  --> top_darjeeling
• [chip-test] chip_sw_flash_keymgr_seeds #21455
  --> SiVal
• [chip-test] chip_sw_keymgr_derive_attestation #21504
  --> SiVal

Currently open issues

https://github.com/lowRISC/opentitan/issues?q=is%3Aissue+is%3Aopen+keymgr

• [keymgr, kmac] Context Switch (save/restore) #3479
  --> future release / backlog
• [sw] polling in ROM #6220
  --> ROM
• [hw/kmac] Setup kmac for security verification and check for key leakage from keymgr port #6543
  --> kmac
• [hw/kmac] key integrity checks #6546
  --> cryptolib
• [top, edn] Future enhancement to edn interface to various blocks #7667
  --> edn
• Error status registers during an operation, and otherwise #7901
  --> future release / backlog
• [keymgr] Security enhancement #8120
  --> D2S & M3; thus we expect security hardening changes for keymgr and should not sign off D2S yet
• [keymgr] Verify entropy from EDN is used correctly #8458
  --> V2S & M5
• [top, doc] Top level documentation for keymgr seed flow #9206
  --> doc improvement
• [rom_ext] Possibly check ROM digest against a known value? #10323
  --> ROM_EXT
• [kmac] kmac does not check key validation in sw initiated sequence #10704
  --> kmac
• [kmac] ROM_CTRL reset glitch alert not working? #10724
  --> kmac
• [req/ack] Examine req/ack interfaces between IP blocks and enhance their security #11172
  --> future release / backlog
• [chip-test] chip_sw_kmac_app_keymgr #14171
  --> top-level test
• [dif] Add missing dif to access fault CSRs #14518
  --> DIF
• [kmac] Entropy error code #15088
  --> Integrated
• [crypto] Add sideloaded key support to the cryptolib. #15590
  --> cryptolib
• [chip-test] chip_sw_keymgr_sideload_kmac_error #16070
  --> top-level test
• [chip-test] Move C tests without external host from tests/sim_dv/ to tests/ #16636
  --> top-level test
• [tlul] Side-channel Hamming weight leakage of data on TL-UL #16767
  --> cryptolib
• [keymgr/kmac] how kmac should send kmac_data_i.error #16792
  --> ROM_EXT
• [kmac] Expecting error after clearing sideload key #16855
  --> kmac
• [crypto] Implement hardening for ECDSA scalars. #16952
  --> cryptolib
• [tlul] TL-UL data zeroing inconsistencies #17330
  --> future release / backlog
• [rom, rom_ext] Incorporate secure boot verification key type in key manager derivations #17341
  --> ROM_EXT
• [dv/keymgr] Zero coverage of anchored netlist constants #17472
  --> V3 & M5
• [keymgr, security] Assume adversarial SW model regarding keymgr analysis #17585
  --> future release / backlog
• [crypto] Use hardened memory functions in cryptolib. #17711
  --> cryptolib
• [dv/keymgr] a direct sequence to change otp key on the fly #17773
  --> V3 & M5
• [test-triage, keymgr] KMAC request inputs do not match  #17776
  --> M3
• [keymgr, kmac] Entropy error code SW guideline #17785
  --> cryptolib
• [dv/keymgr] Enable keymgr_hwsw_invalid_input_vseq in stress_all_with_rand_reset  #18013
  --> V3 & M5
• [dv/keymgr] List the unchecked regs #18344
  --> V3 & M5
• [test-triage] keymgr_kmac_rsp_err #18644
  --> M5
• [dvsim/dc] Macro `ASSERT_KNOWN matchs the definition is failure #19361
  --> not directly related to keymgr
• [SiVal] Add list of functional features to the comportability specification  #19444
  --> SiVal
• [rom_ext] Generate keys & fill in certificate templates #19588
  --> ROM_EXT
• [rom_ext] Ownership Transfer configuration #19595
  --> ROM_EXT
• [bazel, dvsim] Convert dvsim-executed tests to the new rules #19797
  --> build system
• [chip-test] chip_sw_keymgr_key_derivation #19805
  --> SiVal
• [crypto] Don't leave a sideloaded key in Ibex-visible memory #19875
  --> cryptolib
• [rom,rom_ext] Test sideload-clear timing for keymgr. #20023
  --> ROM
• [sival] prod_all_tests #20194
  --> SiVal
• [boot_flow] Self-authenticate boot images for faster boot flow #20414
  --> future release / backlog
• [chip-test] chip_sw_keymgr_derive_attestation #20442
  --> SiVal
• [keymgr_dpe,dv] Check that advance operation is not successful when retain_parent == true and destination slot equals source slot #20819
  --> keymgr_dpe
• [keymgr] D2(S) Signoff #20981
  --> this issue
• [keymgr] V2(S) Signoff #21016
  --> V2(S) signoff
• [keymgr_dpe/dv] Improve pass rate of keymgr_dpe_smoke #21094
  --> keymgr_dpe
• [chip-test] Incomplete SiVal Stage 1 and 2 tests #21222
  --> SiVal
• [keymgr_dpe] Implement stress_all and stress_all_with_rand_reset test #21299
  --> keymgr_dpe
• [chip-test] chip_sw_keymgr_key_derivation #21500
  --> SiVal
• [chip-test] chip_sw_keymgr_sideload_kmac #21501
  --> SiVal
• [chip-test] chip_sw_keymgr_sideload_aes #21502
  --> SiVal
• [chip-test] chip_sw_keymgr_sideload_otbn #21503
  --> SiVal
• [chip-test] chip_sw_keymgr_derive_sealing #21505
  --> SiVal
• [manuf] provision a (diversification) constant to the OwnerSeed info page #21555
  --> ROM
• [rom,rom_ext] integrate attestation key & cert (UDS, CDI_0, CDI_1) update/gen into ROM_EXT #21583
  --> ROM
• [sival,triag] Some SiVal ROM_EXT are broken #21706
  --> SiVal
• [cryptolib] support for EC key generation from provided DRBG #21936
  --> cryptolib
• [silicon_creator] namespace all silicon_creator drivers with scd_ prefix #21937
  --> SW
• [csrng] Side loading of entropy from key manager #22117
  --> feature request under discussion, not gating this signoff on it
• [cryptolib] Consider adding a keymgr API to read the maximum key version available. #22214
  --> cryptolib
• [keymgr] RootKey from OTP shall be a FIPS-key #22283
  --> looks like a provisioning issue rather than a HW issue; otherwise feature request to be discussed, not gating this signoff on it
• [keymgr] add support for injected FIPS key and swap key/context in KMAC #22296
  --> feature request under discussion, not gating this signoff on it
• [keymgr] Ability to run known-answer tests for KMAC #22297
  --> feature request under discussion, not gating this signoff on it
• [cryptolib] change implementation of HW backed keys #22301
  --> cryptolib

Summary

Re RTL changes, e81b588 is the only RTL change with minimal functional impact; the only functional change is that each creator root key share now has its own valid signal. The two valid signals get ANDed in keymgr_ctrl before u_key_valid_sync. This doesn't create glitch problems because the signals only ever transition from 0 to 1. DV has been changed to take this into account.

Re closed design issues since Earlgrey-ES tapeout, #19146 fixed a bug in prim_subreg_arb (#5146), which is relevant for keymgr, and #21372 changed lc_ctrl so that keymgr now gets a unique diversification value for each group of life cycle states (resolving #14047). Top-level tests cover these changes.

Re open design issues, #8120 is an open item for D2S, so we should not sign off D2S at this point. #22117, #22296, and #22297 could be open items for D2 but they are under discussion, so I suggest we don't gate this signoff on them. If we decide that at least one of those items need a keymgr design change, that could be a minor change as part of D3 or, if it's a major change, we will have to re-open D2.

In conclusion, I think this analysis supports signing keymgr off at D2 but not D2S. I'll create a separate issue for keymgr D2S signoff as part of M3.

[andreaskurth]

@vogelpi: May I ask you for feedback on my analysis and D2 signoff approval if you agree?

[vogelpi]

Thanks for putting this together @andreaskurth !

To be honest, I am in favor of signing of D2S. This is the state keymgr was before and as you pointed out, no significant changes have gone in since the last sign-off. So there is IMO no need to go back down again. I agree that there are a couple of security hardening changes we want to do for M3. But all of them are minor. We also keep adding security improvements to other blocks after hitting D2S.

D2S just says security countermeasures are implemented and this is the case for keymgr. The things coming in M3 are not about adding new countermeasures but minor improvements to existing things.

So to summarize: signing of at D2 is definitely okay, signing of at D2S would be preferred from my side. It will save us further paper work in M3.

[andreaskurth]

Alright, given that (1) keymgr has been signed off at D2S before and the changes since then don't revert D2S and (2) #8120 is tracked for M3, I agree that we can sign keymgr off at D2S again.