Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[manuf] Preventing Perso Firmware Execution After Personalization #24610

Open
12 tasks
anthonychen1251 opened this issue Sep 20, 2024 · 0 comments
Open
12 tasks

[manuf] Preventing Perso Firmware Execution After Personalization #24610

anthonychen1251 opened this issue Sep 20, 2024 · 0 comments
Assignees
@anthonychen1251
Labels
Component:Software Issue related to Software Manufacturing Issues related to manufacturing tasks (hw or sw) Type:Task Tasks, to-do list.

Comments

@anthonychen1251
Copy link
Member

anthonychen1251 commented Sep 20, 2024
edited
Loading

Description

Currently, the perso firmware remains executable even after personalization is complete. The Perso firmware lacks an embedded immutable ROM extension, despite having a valid signature. If the immutable ROM extension feature is enabled and the corresponding hash is provisioned, running perso again may result in ROM self-shutdown due to an invalid immutable ROM extension hash. Consequently, ROM will not attempt to boot from an alternative slot, eliminating the possibility of booting into a valid ROM extension under these circumstances. This situation renders the device bricked until another image is bootstrapped. To mitigate this, we propose binding the creator manufacturing state within usage constraints, ensuring the perso firmware's signature is invalidated once the device is fully personalized. More details described here

The goal is to implement the new FT flow below

  1. Individualization:
    a. Skip the provisioning of the immutable ROM extension OTP fields, CREATOR_SW_CFG_MANUF_STATE and OWNER_SW_CFG_ROM_KEYMGR_OTP_MEAS_EN,

  2. Bootstrap with Perso + ROM_EXT bundle.

  3. Personalization:
    a. Configure the secret1 (flash scrambling seed) and part of SW_CFG regions.
    b. Reboot and re-bootstrap (required when flash scrambling is enabled).
    c. Personalize the device.
    d. Fully provision the SW_CFG regions, including immutable ROM extension OTP fields and enabling ROM_KEYMGR_OTP_MEAS_EN.
    e. Transitions the CREATOR_SW_CFG_MANUF_STATE to Personalized.
    f. Write-lock both SW_CFG regions.

  4. Reboot to ROM_EXT.

Tasks

  • Update the manuf lib to:
    • Move the provisioning of immutable ROM extension OTP fields, CREATOR_SW_CFG_MANUF_STATE and OWNER_SW_CFG_ROM_KEYMGR_OTP_MEAS_EN from FT individualization stage to the FT personalization stage
  • Update the bazel rules (potentially under //hw/ip/otp_ctrl/data) to:
    • Define two manufacturing state transitions: Initial -> Personalized.
    • Calculate the OTP measurement during the build of perso
    • Enable OWNER_SW_CFG_ROM_KEYMGR_OTP_MEAS_EN by default.
    • Calculate the actual value of Personalized state during the build of perso.
  • Update the manifest to:
    • Set the binding_value field to pre-calculated OTP measurement on perso’s manifest
    • Set the bit 8 of selector_bits (mapped to manuf_state_creator) field to 1 on perso/rom_ext's manifest.
    • Set manuf_state_creator field to Initial on perso’s manifest
    • Set manuf_state_creator field to Personalized on rom_ext's manifest
@anthonychen1251 anthonychen1251 self-assigned this Sep 20, 2024
@anthonychen1251 anthonychen1251 added Component:Software Issue related to Software Manufacturing Issues related to manufacturing tasks (hw or sw) Type:Task Tasks, to-do list. labels Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@anthonychen1251 anthonychen1251

Labels
Component:Software Issue related to Software Manufacturing Issues related to manufacturing tasks (hw or sw) Type:Task Tasks, to-do list.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@anthonychen1251