-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: If requested, persist IDevID CSR for later retrieval #1687
Labels
Comments
cc @mhatrevi @nquarton @varuns-nvidia let me know if you have any thoughts |
I'm a fan of this proposal and the variation. Based on the recent discussions in OCP Security WG, CSRs are valuable for device users and not just device vendors. Allowing RT to retrieve IDevID CSR in a production lifecycle stage would be useful. |
clundin25
added a commit
to clundin25/caliptra-sw
that referenced
this issue
Oct 23, 2024
* This resolves chipsalliance#1687, for ROM.
clundin25
added a commit
to clundin25/caliptra-sw
that referenced
this issue
Oct 23, 2024
* This resolves chipsalliance#1687, for ROM.
clundin25
added a commit
to clundin25/caliptra-sw
that referenced
this issue
Oct 23, 2024
* This resolves chipsalliance#1687, for ROM.
clundin25
added a commit
to clundin25/caliptra-sw
that referenced
this issue
Oct 23, 2024
* This resolves chipsalliance#1687, for ROM.
clundin25
added a commit
to clundin25/caliptra-sw
that referenced
this issue
Oct 29, 2024
* This resolves chipsalliance#1687, for ROM.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Targeted Release: ROM 1.3
Impacted FW stages: ROM only
Background
If the CPTRA_DBG_MANUF_SERVICE_REG
MFG_FLAG_GEN_IDEV_CSR
bit is set, Caliptra ROM will generate/sign an IDevID CSR and write it to the mailbox. The SoC Manager must retrieve the CSR from the Caliptra mailbox before it can do anything else (e.g. callSTASH_MEASUREMENT
).Proposal
The general expectation is that this flow is being done by SoC ROM. Instead of making SoC ROM deal with exporting the IDevID CSR, we should provide an option to retrieve the CSR at a later point. Proposal to achieve this:
MFG_FLAG_GEN_IDEV_CSR
is set, write IDevID CSR to temporary DCCM (can be cleared before ROM jumps to FMC)This allows SoC manager to retrieve the CSR at any point until it boots Caliptra mutable FW. Notably, it can stash measurements and load its mutable manufacturing fw which can deal with the CSR.
If CSR request bit was not set prior to ROM boot, this mailbox command will fail.
(Optional) Variation
There is a small change we could make where we persist the IDevID CSR in DCCM, add it's offset/size to the FHT, and add a mailbox command to RT to retrieve it. This is a bit more flexible and allows the SoC to retrieve the CSR at any time. But it seems unnecessary. If SoC manager is fetching/booting Caliptra firmware, surely it can handle storing the CSR somewhere.
The goal of this proposal is just to allow SoC ROM to be as simple as possible.
The text was updated successfully, but these errors were encountered: