Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC: If requested, persist IDevID CSR for later retrieval #1687

Open
jhand2 opened this issue Sep 20, 2024 · 2 comments · May be fixed by #1732
Open

RFC: If requested, persist IDevID CSR for later retrieval #1687

jhand2 opened this issue Sep 20, 2024 · 2 comments · May be fixed by #1732
Assignees
Labels
enhancement New feature or request ROM 1.next

Comments

@jhand2
Copy link
Collaborator

jhand2 commented Sep 20, 2024

Targeted Release: ROM 1.3
Impacted FW stages: ROM only

Background

If the CPTRA_DBG_MANUF_SERVICE_REG MFG_FLAG_GEN_IDEV_CSR bit is set, Caliptra ROM will generate/sign an IDevID CSR and write it to the mailbox. The SoC Manager must retrieve the CSR from the Caliptra mailbox before it can do anything else (e.g. call STASH_MEASUREMENT).

Proposal

The general expectation is that this flow is being done by SoC ROM. Instead of making SoC ROM deal with exporting the IDevID CSR, we should provide an option to retrieve the CSR at a later point. Proposal to achieve this:

  1. If MFG_FLAG_GEN_IDEV_CSR is set, write IDevID CSR to temporary DCCM (can be cleared before ROM jumps to FMC)
  2. Add ROM mailbox command to retrieve IDevID CSR

This allows SoC manager to retrieve the CSR at any point until it boots Caliptra mutable FW. Notably, it can stash measurements and load its mutable manufacturing fw which can deal with the CSR.

If CSR request bit was not set prior to ROM boot, this mailbox command will fail.

(Optional) Variation

There is a small change we could make where we persist the IDevID CSR in DCCM, add it's offset/size to the FHT, and add a mailbox command to RT to retrieve it. This is a bit more flexible and allows the SoC to retrieve the CSR at any time. But it seems unnecessary. If SoC manager is fetching/booting Caliptra firmware, surely it can handle storing the CSR somewhere.

The goal of this proposal is just to allow SoC ROM to be as simple as possible.

@jhand2 jhand2 added enhancement New feature or request ROM 1.next labels Sep 20, 2024
@jhand2
Copy link
Collaborator Author

jhand2 commented Sep 20, 2024

cc @mhatrevi @nquarton @varuns-nvidia let me know if you have any thoughts

@varuns-nvidia
Copy link

I'm a fan of this proposal and the variation. Based on the recent discussions in OCP Security WG, CSRs are valuable for device users and not just device vendors. Allowing RT to retrieve IDevID CSR in a production lifecycle stage would be useful.

@clundin25 clundin25 self-assigned this Oct 10, 2024
clundin25 added a commit to clundin25/caliptra-sw that referenced this issue Oct 23, 2024
clundin25 added a commit to clundin25/caliptra-sw that referenced this issue Oct 23, 2024
clundin25 added a commit to clundin25/caliptra-sw that referenced this issue Oct 23, 2024
clundin25 added a commit to clundin25/caliptra-sw that referenced this issue Oct 23, 2024
clundin25 added a commit to clundin25/caliptra-sw that referenced this issue Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request ROM 1.next
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants