Skip to content

Commit

Permalink
[update] Update auth manifest metadata limit to 128 (#1773)
Browse files Browse the repository at this point in the history
(cherry picked from commit 926ad4a)
  • Loading branch information
mhatrevi committed Nov 18, 2024
1 parent 851bb85 commit 6c68e91
Show file tree
Hide file tree
Showing 11 changed files with 42 additions and 51 deletions.
2 changes: 1 addition & 1 deletion api/src/mailbox.rs
Original file line number Diff line number Diff line change
Expand Up @@ -948,7 +948,7 @@ pub struct SetAuthManifestReq {
pub manifest: [u8; SetAuthManifestReq::MAX_MAN_SIZE],
}
impl SetAuthManifestReq {
pub const MAX_MAN_SIZE: usize = 8192;
pub const MAX_MAN_SIZE: usize = 14 * 1024;

pub fn as_bytes_partial(&self) -> CaliptraResult<&[u8]> {
if self.manifest_size as usize > Self::MAX_MAN_SIZE {
Expand Down
6 changes: 3 additions & 3 deletions auth-manifest/app/src/config.rs
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ pub(crate) struct AuthManifestKeyConfigFromFile {
}

#[derive(Serialize, Deserialize)]
pub struct ImageMetadata {
pub struct ImageMetadataConfigFromFile {
digest: String,
source: u32,
}
Expand All @@ -54,7 +54,7 @@ pub(crate) struct AuthManifestConfigFromFile {

pub owner_man_key_config: Option<AuthManifestKeyConfigFromFile>,

pub image_metadata_list: Vec<ImageMetadata>,
pub image_metadata_list: Vec<ImageMetadataConfigFromFile>,
}

/// Load Authorization Manifest Key Configuration from file
Expand Down Expand Up @@ -116,7 +116,7 @@ pub(crate) fn owner_config_from_file(
}

pub(crate) fn image_metadata_config_from_file(
config: &Vec<ImageMetadata>,
config: &Vec<ImageMetadataConfigFromFile>,
) -> anyhow::Result<Vec<AuthManifestImageMetadata>> {
let mut image_metadata_list = Vec::new();

Expand Down
6 changes: 2 additions & 4 deletions auth-manifest/gen/src/generator.rs
Original file line number Diff line number Diff line change
Expand Up @@ -47,9 +47,7 @@ impl<Crypto: ImageGeneratorCrypto> AuthManifestGenerator<Crypto> {
let slice = config.image_metadata_list.as_slice();
auth_manifest.image_metadata_col.image_metadata_list[..slice.len()].copy_from_slice(slice);

auth_manifest.image_metadata_col.header.entry_count =
config.image_metadata_list.len() as u32;
auth_manifest.image_metadata_col.header.revision = 0; // [TODO] Need to update this.
auth_manifest.image_metadata_col.entry_count = config.image_metadata_list.len() as u32;

// Generate the preamble.
auth_manifest.preamble.marker = AUTH_MANIFEST_MARKER;
Expand Down Expand Up @@ -118,7 +116,7 @@ impl<Crypto: ImageGeneratorCrypto> AuthManifestGenerator<Crypto> {
// Sign the IMC with the vendor manifest public keys if indicated in the flags.
if config
.flags
.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQURIED)
.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED)
{
if let Some(vendor_man_priv_keys) = config.vendor_man_key_info.priv_keys {
let sig = self.crypto.ecdsa384_sign(
Expand Down
30 changes: 14 additions & 16 deletions auth-manifest/types/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,12 @@ use zerocopy::{AsBytes, FromBytes};
use zeroize::Zeroize;

pub const AUTH_MANIFEST_MARKER: u32 = 0x4154_4D4E;
pub const AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT: usize = 16;
pub const AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT: usize = 128;

bitflags::bitflags! {
#[derive(Default, Copy, Clone, Debug)]
pub struct AuthManifestFlags : u32 {
const VENDOR_SIGNATURE_REQURIED = 0b1;
const VENDOR_SIGNATURE_REQUIRED = 0b1;
}
}

Expand Down Expand Up @@ -139,18 +139,6 @@ pub struct AuthManifestImageMetadata {
pub image_source: u32,
}

/// Caliptra Authorization Manifest Image Metadata Collection Header
#[repr(C)]
#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)]
#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
pub struct AuthManifestImageMetadataCollectionHeader {
pub revision: u32,

pub reserved: [u8; 12],

pub entry_count: u32,
}

impl Default for AuthManifestImageMetadata {
fn default() -> Self {
AuthManifestImageMetadata {
Expand All @@ -162,14 +150,24 @@ impl Default for AuthManifestImageMetadata {

/// Caliptra Authorization Manifest Image Metadata Collection
#[repr(C)]
#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)]
#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize)]
#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
pub struct AuthManifestImageMetadataCollection {
pub header: AuthManifestImageMetadataCollectionHeader,
pub entry_count: u32,

pub image_metadata_list: [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT],
}

impl Default for AuthManifestImageMetadataCollection {
fn default() -> Self {
AuthManifestImageMetadataCollection {
entry_count: 0,
image_metadata_list: [AuthManifestImageMetadata::default();
AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT],
}
}
}

/// Caliptra Image Authorization Manifest
#[repr(C)]
#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)]
Expand Down
2 changes: 1 addition & 1 deletion drivers/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ pub use okref::okref;
pub use pcr_bank::{PcrBank, PcrId};
pub use pcr_reset::PcrResetCounter;
#[cfg(feature = "runtime")]
pub use persistent::{AuthManifestImageMetadataList, AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT};
pub use persistent::AuthManifestImageMetadataList;
pub use persistent::{
FuseLogArray, PcrLogArray, PersistentData, PersistentDataAccessor, StashMeasurementArray,
FUSE_LOG_MAX_COUNT, MEASUREMENT_MAX_COUNT, PCR_LOG_MAX_COUNT,
Expand Down
6 changes: 3 additions & 3 deletions drivers/src/memory_layout.rs
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ pub const FUSE_LOG_ORG: u32 = MEASUREMENT_LOG_ORG + MEASUREMENT_LOG_SIZE;
pub const DPE_ORG: u32 = FUSE_LOG_ORG + FUSE_LOG_SIZE;
pub const PCR_RESET_COUNTER_ORG: u32 = DPE_ORG + DPE_SIZE;
pub const AUTH_MAN_IMAGE_METADATA_LIST_ORG: u32 = PCR_RESET_COUNTER_ORG + PCR_RESET_COUNTER_SIZE;
pub const DATA_ORG: u32 = AUTH_MAN_IMAGE_METADATA_LIST_ORG + AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE;
pub const DATA_ORG: u32 = AUTH_MAN_IMAGE_METADATA_LIST_ORG + AUTH_MAN_IMAGE_METADATA_MAX_SIZE;

pub const STACK_ORG: u32 = DATA_ORG + DATA_SIZE;
pub const ROM_STACK_ORG: u32 = STACK_ORG + (STACK_SIZE - ROM_STACK_SIZE);
Expand Down Expand Up @@ -76,8 +76,8 @@ pub const MEASUREMENT_LOG_SIZE: u32 = 1024;
pub const FUSE_LOG_SIZE: u32 = 1024;
pub const DPE_SIZE: u32 = 5 * 1024;
pub const PCR_RESET_COUNTER_SIZE: u32 = 1024;
pub const AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE: u32 = 1024;
pub const DATA_SIZE: u32 = 69 * 1024;
pub const AUTH_MAN_IMAGE_METADATA_MAX_SIZE: u32 = 7 * 1024;
pub const DATA_SIZE: u32 = 63 * 1024;
pub const STACK_SIZE: u32 = 22 * 1024;
pub const ROM_STACK_SIZE: u32 = 14 * 1024;
pub const ESTACK_SIZE: u32 = 1024;
Expand Down
17 changes: 8 additions & 9 deletions drivers/src/persistent.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@
use core::{marker::PhantomData, mem::size_of, ptr::addr_of};

#[cfg(feature = "runtime")]
use caliptra_auth_man_types::AuthManifestImageMetadata;
#[cfg(feature = "runtime")]
use caliptra_auth_man_types::AuthManifestImageMetadataCollection;
use caliptra_auth_man_types::{
AuthManifestImageMetadata, AuthManifestImageMetadataCollection,
AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT,
};
use caliptra_image_types::ImageManifest;
#[cfg(feature = "runtime")]
use dpe::{DpeInstance, U8Bool, MAX_HANDLES};
Expand All @@ -25,8 +26,6 @@ use crate::pcr_reset::PcrResetCounter;
pub const PCR_LOG_MAX_COUNT: usize = 17;
pub const FUSE_LOG_MAX_COUNT: usize = 62;
pub const MEASUREMENT_MAX_COUNT: usize = 8;
#[cfg(feature = "runtime")]
pub const AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT: usize = 8;

#[cfg(feature = "runtime")]
const DPE_DCCM_STORAGE: usize = size_of::<DpeInstance>()
Expand All @@ -42,7 +41,7 @@ pub type FuseLogArray = [FuseLogEntry; FUSE_LOG_MAX_COUNT];
pub type StashMeasurementArray = [MeasurementLogEntry; MEASUREMENT_MAX_COUNT];
#[cfg(feature = "runtime")]
pub type AuthManifestImageMetadataList =
[AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT];
[AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT];

#[derive(FromBytes, AsBytes, Zeroize)]
#[repr(C)]
Expand Down Expand Up @@ -99,12 +98,12 @@ pub struct PersistentData {
#[cfg(feature = "runtime")]
pub auth_manifest_image_metadata_col: AuthManifestImageMetadataCollection,
#[cfg(feature = "runtime")]
reserved9: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE as usize
reserved9: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize
- size_of::<AuthManifestImageMetadataCollection>()],

#[cfg(not(feature = "runtime"))]
pub auth_manifest_image_metadata_col:
[u8; memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE as usize],
[u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize],
}
impl PersistentData {
pub fn assert_matches_layout() {
Expand Down Expand Up @@ -139,7 +138,7 @@ impl PersistentData {
assert_eq!(
P.add(1) as u32,
memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_ORG
+ memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE
+ memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE
);
}
}
Expand Down
4 changes: 1 addition & 3 deletions runtime/src/authorize_and_stash.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,7 @@ use core::mem::size_of;

use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers, StashMeasurementCmd};
use caliptra_auth_man_types::{
AuthManifestImageMetadataCollection, AuthManifestImageMetadataCollectionHeader,
AuthManifestPreamble, AUTH_MANIFEST_MARKER,
AuthManifestImageMetadataCollection, AuthManifestPreamble, AUTH_MANIFEST_MARKER,
};
use caliptra_cfi_derive_git::cfi_impl_fn;
use caliptra_cfi_lib_git::cfi_launder;
Expand All @@ -30,7 +29,6 @@ use caliptra_drivers::{
pcr_log::PCR_ID_STASH_MEASUREMENT, Array4x12, Array4xN, AuthManifestImageMetadataList,
CaliptraError, CaliptraResult, Ecc384, Ecc384PubKey, Ecc384Signature, HashValue, Lms,
PersistentData, RomPqcVerifyConfig, Sha256, Sha384, SocIfc,
AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT,
};
use caliptra_image_types::{
ImageDigest, ImageEccPubKey, ImageEccSignature, ImageLmsPublicKey, ImageLmsSignature,
Expand Down
2 changes: 1 addition & 1 deletion runtime/src/packet.rs
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ pub struct Packet {
pub len: usize, // Length in bytes
}

const MAX_PAYLOAD_SIZE: usize = 2050; // in dwords
const MAX_PAYLOAD_SIZE: usize = 3586; // in dwords

impl Default for Packet {
fn default() -> Self {
Expand Down
14 changes: 6 additions & 8 deletions runtime/src/set_auth_manifest.rs
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ use core::mem::size_of;
use crate::verify;
use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers};
use caliptra_auth_man_types::{
AuthManifestFlags, AuthManifestImageMetadataCollection,
AuthManifestImageMetadataCollectionHeader, AuthManifestPreamble, AUTH_MANIFEST_MARKER,
AuthManifestFlags, AuthManifestImageMetadataCollection, AuthManifestPreamble,
AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT, AUTH_MANIFEST_MARKER,
};
use caliptra_cfi_derive_git::cfi_impl_fn;
use caliptra_cfi_lib_git::cfi_launder;
Expand All @@ -30,7 +30,6 @@ use caliptra_drivers::{
pcr_log::PCR_ID_STASH_MEASUREMENT, Array4x12, Array4xN, AuthManifestImageMetadataList,
CaliptraError, CaliptraResult, Ecc384, Ecc384PubKey, Ecc384Signature, HashValue, Lms,
PersistentData, RomPqcVerifyConfig, Sha256, Sha384, SocIfc,
AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT,
};
use caliptra_image_types::{
ImageDigest, ImageEccPubKey, ImageEccSignature, ImageLmsPublicKey, ImageLmsSignature,
Expand Down Expand Up @@ -221,7 +220,7 @@ impl SetAuthManifestCmd {
soc_ifc: &SocIfc,
) -> CaliptraResult<()> {
let flags = AuthManifestFlags::from(auth_manifest_preamble.flags);
if !flags.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQURIED) {
if !flags.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED) {
return Ok(());
}
// Verify the vendor ECC signature over the image metadata collection.
Expand Down Expand Up @@ -340,7 +339,7 @@ impl SetAuthManifestCmd {
sha256: &mut Sha256,
soc_ifc: &SocIfc,
) -> CaliptraResult<()> {
if cmd_buf.len() < size_of::<AuthManifestImageMetadataCollectionHeader>() {
if cmd_buf.len() < size_of::<u32>() {
Err(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_SIZE)?;
}

Expand All @@ -354,9 +353,8 @@ impl SetAuthManifestCmd {

image_metadata_col.as_bytes_mut()[..col_size].copy_from_slice(buf);

if image_metadata_col.header.entry_count == 0
|| image_metadata_col.header.entry_count
> AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT as u32
if image_metadata_col.entry_count == 0
|| image_metadata_col.entry_count > AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT as u32
{
Err(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT)?;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ fn test_auth_manifest() -> AuthorizationManifest {
owner_man_key_info,
image_metadata_list,
version: 1,
flags: AuthManifestFlags::VENDOR_SIGNATURE_REQURIED,
flags: AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED,
};

let gen = AuthManifestGenerator::new(Crypto::default());
Expand Down Expand Up @@ -273,7 +273,7 @@ fn test_set_auth_manifest_invalid_owner_lms_sig() {
#[test]
fn test_set_auth_manifest_invalid_metadata_list_count() {
let mut auth_manifest = test_auth_manifest();
auth_manifest.image_metadata_col.header.entry_count = 0;
auth_manifest.image_metadata_col.entry_count = 0;
test_manifest_expect_err(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
Expand Down

0 comments on commit 6c68e91

Please sign in to comment.