Make RT depend on caliptra-cfi and update DPE version

chipsalliance · Feb 14, 2024 · 11edcf3 · 11edcf3
1 parent c64e913
commit 11edcf3
Show file tree

Hide file tree

Showing 20 changed files with 79 additions and 29 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -91,6 +91,8 @@ bit-vec = "0.6.3"
 caliptra-api = { path = "api" }
 caliptra-cfi-lib = { path = "cfi/lib", default-features = false, features = ["cfi", "cfi-counter" ] }
 caliptra-cfi-derive = { path = "cfi/derive" }
+caliptra-cfi-lib-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-lib-git", rev = "9f315fcf11fe006e95e62149f54f98620e5244e7", default-features = false, features = ["cfi", "cfi-counter" ] }
+caliptra-cfi-derive-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-derive-git", rev = "9f315fcf11fe006e95e62149f54f98620e5244e7"}
 caliptra_common = { path = "common", default-features = false }
 caliptra-coverage = { path = "coverage" }
 caliptra-builder = { path = "builder" }

diff --git a/dpe b/dpe
diff --git a/drivers/Cargo.toml b/drivers/Cargo.toml
@@ -23,10 +23,12 @@ zerocopy.workspace = true
 zeroize.workspace = true
 caliptra-cfi-lib = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] }
 caliptra-cfi-derive.workspace = true
+caliptra-cfi-lib-git = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ], optional = true }
+caliptra-cfi-derive-git = { workspace = true, optional = true }
 
 [features]
 emu = []
-runtime = ["dep:dpe"]
+runtime = ["dep:dpe", "dep:caliptra-cfi-lib-git", "dep:caliptra-cfi-derive-git"]
 fmc = []
 fpga_realtime = ["caliptra-hw-model/fpga_realtime"]
 itrng = ["caliptra-hw-model/itrng"]

diff --git a/drivers/src/lib.rs b/drivers/src/lib.rs
@@ -94,6 +94,19 @@ pub use sha384acc::{Sha384Acc, Sha384AccOp, ShaAccLockState};
 pub use soc_ifc::{report_boot_status, Lifecycle, MfgFlags, ResetReason, SocIfc};
 pub use trng::Trng;
 
+#[allow(unused_imports)]
+#[cfg(not(feature = "runtime"))]
+use caliptra_cfi_derive;
+#[allow(unused_imports)]
+#[cfg(feature = "runtime")]
+use caliptra_cfi_derive_git as caliptra_cfi_derive;
+#[allow(unused_imports)]
+#[cfg(not(feature = "runtime"))]
+use caliptra_cfi_lib;
+#[allow(unused_imports)]
+#[cfg(feature = "runtime")]
+use caliptra_cfi_lib_git as caliptra_cfi_lib;
+
 cfg_if::cfg_if! {
     if #[cfg(feature = "emu")] {
         mod uart;

diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml
@@ -6,8 +6,8 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-caliptra-cfi-lib = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] }
-caliptra-cfi-derive.workspace = true
+caliptra-cfi-lib-git = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] }
+caliptra-cfi-derive-git.workspace = true
 caliptra_common = { workspace = true, default-features = false, features = ["runtime"] }
 caliptra-cpu.workspace = true
 caliptra-drivers = { workspace = true, features = ["runtime"] }
@@ -38,7 +38,7 @@ caliptra-image-fake-keys.workspace = true
 caliptra-image-gen.workspace = true
 caliptra-image-openssl.workspace = true
 caliptra-image-serde.workspace = true
-caliptra-cfi-lib = { workspace = true, features = ["cfi-test"] }
+caliptra-cfi-lib-git = { workspace = true, features = ["cfi-test"] }
 openssl.workspace = true
 sha2 = { version = "0.10.2", default-features = false, features = ["compress"] }
 cms.workspace = true

diff --git a/runtime/src/disable.rs b/runtime/src/disable.rs
@@ -13,7 +13,7 @@ Abstract:
 --*/
 
 use crate::Drivers;
-use caliptra_cfi_derive::cfi_impl_fn;
+use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_common::mailbox_api::MailboxResp;
 use caliptra_drivers::{
     hmac384_kdf, Array4x12, CaliptraError, CaliptraResult, Ecc384Seed, Hmac384Key, KeyReadArgs,

diff --git a/runtime/src/dpe_crypto.rs b/runtime/src/dpe_crypto.rs
@@ -14,7 +14,8 @@ Abstract:
 
 use core::cmp::min;
 
-use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq, cfi_launder};
+use caliptra_cfi_derive_git::cfi_impl_fn;
+use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_launder};
 use caliptra_common::keyids::{KEY_ID_DPE_CDI, KEY_ID_DPE_PRIV_KEY, KEY_ID_TMP};
 use caliptra_drivers::{
     cprintln, hmac384_kdf, Array4x12, Ecc384, Ecc384PrivKeyIn, Ecc384PubKey, Ecc384Scalar,
@@ -128,6 +129,7 @@ impl<'a> Crypto for DpeCrypto<'a> {
         }
     }
 
+    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
     fn derive_cdi(
         &mut self,
         algs: AlgLen,
@@ -162,6 +164,7 @@ impl<'a> Crypto for DpeCrypto<'a> {
         }
     }
 
+    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
     fn derive_key_pair(
         &mut self,
         algs: AlgLen,

diff --git a/runtime/src/drivers.rs b/runtime/src/drivers.rs
@@ -24,8 +24,8 @@ use crate::{
 };
 
 use arrayvec::ArrayVec;
-use caliptra_cfi_derive::{cfi_impl_fn, cfi_mod_fn};
-use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq, cfi_assert_eq_12_words, cfi_launder};
+use caliptra_cfi_derive_git::{cfi_impl_fn, cfi_mod_fn};
+use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_assert_eq_12_words, cfi_launder};
 use caliptra_drivers::KeyId;
 use caliptra_drivers::{
     cprint, cprintln, pcr_log::RT_FW_JOURNEY_PCR, Array4x12, CaliptraError, CaliptraResult,

diff --git a/runtime/src/fips.rs b/runtime/src/fips.rs
@@ -11,7 +11,7 @@ Abstract:
     File contains FIPS module and FIPS self test.
 
 --*/
-use caliptra_cfi_derive::{cfi_impl_fn, cfi_mod_fn};
+use caliptra_cfi_derive_git::{cfi_impl_fn, cfi_mod_fn};
 use caliptra_common::cprintln;
 use caliptra_common::mailbox_api::{MailboxResp, MailboxRespHeader};
 use caliptra_drivers::CaliptraError;
@@ -57,7 +57,7 @@ impl FipsModule {
 pub mod fips_self_test_cmd {
     use super::*;
     use crate::RtBootStatus::{RtFipSelfTestComplete, RtFipSelfTestStarted};
-    use caliptra_cfi_lib::cfi_assert_eq_8_words;
+    use caliptra_cfi_lib_git::cfi_assert_eq_8_words;
     use caliptra_common::HexBytes;
     use caliptra_common::{
         verifier::FirmwareImageVerificationEnv, FMC_ORG, FMC_SIZE, RUNTIME_ORG, RUNTIME_SIZE,

diff --git a/runtime/src/hmac.rs b/runtime/src/hmac.rs
@@ -12,8 +12,8 @@ Abstract:
 
 --*/
 
-use caliptra_cfi_derive::{cfi_impl_fn, cfi_mod_fn};
-use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq, cfi_launder};
+use caliptra_cfi_derive_git::{cfi_impl_fn, cfi_mod_fn};
+use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_launder};
 use caliptra_common::{crypto::Ecc384KeyPair, keyids::KEY_ID_TMP};
 use caliptra_drivers::{
     hmac384_kdf, Array4x12, Ecc384PrivKeyOut, Ecc384PubKey, Hmac384Data, Hmac384Key, Hmac384Tag,

diff --git a/runtime/src/invoke_dpe.rs b/runtime/src/invoke_dpe.rs
@@ -13,7 +13,7 @@ Abstract:
 --*/
 
 use crate::{CptraDpeTypes, DpeCrypto, DpeEnv, DpePlatform, Drivers, PL0_PAUSER_FLAG};
-use caliptra_cfi_derive::cfi_impl_fn;
+use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_common::mailbox_api::{InvokeDpeReq, InvokeDpeResp, MailboxResp, MailboxRespHeader};
 use caliptra_drivers::{CaliptraError, CaliptraResult};
 use crypto::{AlgLen, Crypto};

diff --git a/runtime/src/lib.rs b/runtime/src/lib.rs
@@ -32,7 +32,7 @@ mod verify;
 
 // Used by runtime tests
 pub mod mailbox;
-use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq, cfi_assert_ne, cfi_launder, CfiCounter};
+use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_assert_ne, cfi_launder, CfiCounter};
 use caliptra_registers::soc_ifc::SocIfcReg;
 pub use drivers::Drivers;
 use mailbox::Mailbox;

diff --git a/runtime/src/main.rs b/runtime/src/main.rs
@@ -17,7 +17,7 @@ Abstract:
 #[cfg(target_arch = "riscv32")]
 core::arch::global_asm!(include_str!("ext_intr.S"));
 
-use caliptra_cfi_lib::CfiCounter;
+use caliptra_cfi_lib_git::CfiCounter;
 use caliptra_common::{cprintln, handle_fatal_error};
 use caliptra_cpu::{log_trap_record, TrapRecord};
 use caliptra_error::CaliptraError;
@@ -65,7 +65,13 @@ pub extern "C" fn entry_point() -> ! {
 
     if !cfg!(feature = "no-cfi") {
         cprintln!("[state] CFI Enabled");
-        let mut entropy_gen = || drivers.trng.generate().map(|a| a.0);
+        let mut entropy_gen = || {
+            drivers
+                .trng
+                .generate()
+                .map(|a| a.0)
+                .map_err(|_| caliptra_cfi_lib_git::CfiPanicInfo::TrngError)
+        };
         CfiCounter::reset(&mut entropy_gen);
         CfiCounter::reset(&mut entropy_gen);
         CfiCounter::reset(&mut entropy_gen);

diff --git a/runtime/src/pcr.rs b/runtime/src/pcr.rs
@@ -13,7 +13,7 @@ Abstract:
 --*/
 
 use crate::Drivers;
-use caliptra_cfi_derive::cfi_impl_fn;
+use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_common::mailbox_api::{
     ExtendPcrReq, IncrementPcrResetCounterReq, MailboxResp, MailboxRespHeader, QuotePcrsReq,
     QuotePcrsResp,

diff --git a/runtime/src/stash_measurement.rs b/runtime/src/stash_measurement.rs
@@ -13,7 +13,7 @@ Abstract:
 --*/
 
 use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers};
-use caliptra_cfi_derive::cfi_impl_fn;
+use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_common::mailbox_api::{
     MailboxResp, MailboxRespHeader, StashMeasurementReq, StashMeasurementResp,
 };

diff --git a/runtime/src/tagging.rs b/runtime/src/tagging.rs
@@ -12,7 +12,8 @@ Abstract:
 
 --*/
 
-use caliptra_cfi_derive::cfi_impl_fn;
+use crate::CfiCounter;
+use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_common::mailbox_api::{
     GetTaggedTciReq, GetTaggedTciResp, MailboxResp, MailboxRespHeader, TagTciReq,
 };

diff --git a/runtime/src/update.rs b/runtime/src/update.rs
@@ -13,7 +13,7 @@ Abstract:
 --*/
 
 use crate::Drivers;
-use caliptra_cfi_derive::cfi_mod_fn;
+use caliptra_cfi_derive_git::cfi_mod_fn;
 use caliptra_drivers::{CaliptraError, CaliptraResult};
 
 #[cfg_attr(not(feature = "no-cfi"), cfi_mod_fn)]

diff --git a/runtime/src/verify.rs b/runtime/src/verify.rs
@@ -13,7 +13,7 @@ Abstract:
 --*/
 
 use crate::Drivers;
-use caliptra_cfi_derive::cfi_impl_fn;
+use caliptra_cfi_derive_git::cfi_impl_fn;
 #[cfg(feature = "test_only_commands")]
 use caliptra_common::mailbox_api::HmacVerifyReq;
 use caliptra_common::mailbox_api::{EcdsaVerifyReq, MailboxResp};

diff --git a/test/tests/caliptra_integration_tests/smoke_test.rs b/test/tests/caliptra_integration_tests/smoke_test.rs
@@ -667,11 +667,11 @@ fn test_rt_wdt_timeout() {
 
     // TODO: Don't hard-code these; maybe measure from a previous boot?
     let rt_wdt_timeout_cycles = if cfg!(any(feature = "verilator", feature = "fpga_realtime")) {
-        27_200_000
+        27_300_000
     } else if firmware::rom_from_env() == &firmware::ROM_WITH_UART {
-        3_200_000
+        3_300_000
     } else {
-        3_000_000
+        3_100_000
     };
 
     let security_state = *caliptra_hw_model::SecurityState::default().set_debug_locked(true);
@@ -716,9 +716,9 @@ fn test_fmc_wdt_timeout() {
 
     // TODO: Don't hard-code these; maybe measure from a previous boot?
     let fmc_wdt_timeout_cycles = if cfg!(any(feature = "verilator", feature = "fpga_realtime")) {
-        25_200_000
+        25_300_000
     } else {
-        2_920_000
+        3_020_000
     };
 
     let rom = caliptra_builder::build_firmware_rom(firmware::rom_from_env()).unwrap();
+27 −0		Cargo.lock
+4 −0		Cargo.toml
+7 −5		ci.sh
+3 −0		crypto/Cargo.toml
+25 −0		crypto/src/lib.rs
+4 −0		crypto/src/openssl.rs
+6 −1		dpe/Cargo.toml
+27 −0		dpe/fuzz/Cargo.lock
+38 −10		dpe/src/commands/certify_key.rs
+61 −6		dpe/src/commands/derive_context.rs
+24 −2		dpe/src/commands/destroy_context.rs
+6 −0		dpe/src/commands/get_certificate_chain.rs
+17 −0		dpe/src/commands/initialize_context.rs
+15 −0		dpe/src/commands/mod.rs
+21 −3		dpe/src/commands/rotate_context.rs
+40 −5		dpe/src/commands/sign.rs
+43 −6		dpe/src/dpe_instance.rs
+181 −12		dpe/src/validation.rs
+1 −1		simulator/Cargo.toml
+1 −1		tools/Cargo.toml