diff --git a/api/src/mailbox.rs b/api/src/mailbox.rs index ed666ea4e0..c0d941132e 100644 --- a/api/src/mailbox.rs +++ b/api/src/mailbox.rs @@ -948,7 +948,7 @@ pub struct SetAuthManifestReq { pub manifest: [u8; SetAuthManifestReq::MAX_MAN_SIZE], } impl SetAuthManifestReq { - pub const MAX_MAN_SIZE: usize = 8192; + pub const MAX_MAN_SIZE: usize = 14 * 1024; pub fn as_bytes_partial(&self) -> CaliptraResult<&[u8]> { if self.manifest_size as usize > Self::MAX_MAN_SIZE { diff --git a/auth-manifest/app/src/config.rs b/auth-manifest/app/src/config.rs index 1ee33df7c6..a94f966b00 100644 --- a/auth-manifest/app/src/config.rs +++ b/auth-manifest/app/src/config.rs @@ -38,7 +38,7 @@ pub(crate) struct AuthManifestKeyConfigFromFile { } #[derive(Serialize, Deserialize)] -pub struct ImageMetadata { +pub struct ImageMetadataConfigFromFile { digest: String, source: u32, } @@ -54,7 +54,7 @@ pub(crate) struct AuthManifestConfigFromFile { pub owner_man_key_config: Option, - pub image_metadata_list: Vec, + pub image_metadata_list: Vec, } /// Load Authorization Manifest Key Configuration from file @@ -116,7 +116,7 @@ pub(crate) fn owner_config_from_file( } pub(crate) fn image_metadata_config_from_file( - config: &Vec, + config: &Vec, ) -> anyhow::Result> { let mut image_metadata_list = Vec::new(); diff --git a/auth-manifest/gen/src/generator.rs b/auth-manifest/gen/src/generator.rs index 09f0e7a04c..d9d487f8af 100644 --- a/auth-manifest/gen/src/generator.rs +++ b/auth-manifest/gen/src/generator.rs @@ -47,9 +47,7 @@ impl AuthManifestGenerator { let slice = config.image_metadata_list.as_slice(); auth_manifest.image_metadata_col.image_metadata_list[..slice.len()].copy_from_slice(slice); - auth_manifest.image_metadata_col.header.entry_count = - config.image_metadata_list.len() as u32; - auth_manifest.image_metadata_col.header.revision = 0; // [TODO] Need to update this. + auth_manifest.image_metadata_col.entry_count = config.image_metadata_list.len() as u32; // Generate the preamble. auth_manifest.preamble.marker = AUTH_MANIFEST_MARKER; @@ -118,7 +116,7 @@ impl AuthManifestGenerator { // Sign the IMC with the vendor manifest public keys if indicated in the flags. if config .flags - .contains(AuthManifestFlags::VENDOR_SIGNATURE_REQURIED) + .contains(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED) { if let Some(vendor_man_priv_keys) = config.vendor_man_key_info.priv_keys { let sig = self.crypto.ecdsa384_sign( diff --git a/auth-manifest/types/src/lib.rs b/auth-manifest/types/src/lib.rs index 004e9c0b50..a6aa13e67b 100644 --- a/auth-manifest/types/src/lib.rs +++ b/auth-manifest/types/src/lib.rs @@ -23,12 +23,12 @@ use zerocopy::{AsBytes, FromBytes}; use zeroize::Zeroize; pub const AUTH_MANIFEST_MARKER: u32 = 0x4154_4D4E; -pub const AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT: usize = 16; +pub const AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT: usize = 128; bitflags::bitflags! { #[derive(Default, Copy, Clone, Debug)] pub struct AuthManifestFlags : u32 { - const VENDOR_SIGNATURE_REQURIED = 0b1; + const VENDOR_SIGNATURE_REQUIRED = 0b1; } } @@ -139,18 +139,6 @@ pub struct AuthManifestImageMetadata { pub image_source: u32, } -/// Caliptra Authorization Manifest Image Metadata Collection Header -#[repr(C)] -#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)] -#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] -pub struct AuthManifestImageMetadataCollectionHeader { - pub revision: u32, - - pub reserved: [u8; 12], - - pub entry_count: u32, -} - impl Default for AuthManifestImageMetadata { fn default() -> Self { AuthManifestImageMetadata { @@ -162,14 +150,24 @@ impl Default for AuthManifestImageMetadata { /// Caliptra Authorization Manifest Image Metadata Collection #[repr(C)] -#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)] +#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize)] #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] pub struct AuthManifestImageMetadataCollection { - pub header: AuthManifestImageMetadataCollectionHeader, + pub entry_count: u32, pub image_metadata_list: [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT], } +impl Default for AuthManifestImageMetadataCollection { + fn default() -> Self { + AuthManifestImageMetadataCollection { + entry_count: 0, + image_metadata_list: [AuthManifestImageMetadata::default(); + AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT], + } + } +} + /// Caliptra Image Authorization Manifest #[repr(C)] #[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)] diff --git a/drivers/src/lib.rs b/drivers/src/lib.rs index 910b6c8521..d89ace877d 100644 --- a/drivers/src/lib.rs +++ b/drivers/src/lib.rs @@ -91,7 +91,7 @@ pub use okref::okref; pub use pcr_bank::{PcrBank, PcrId}; pub use pcr_reset::PcrResetCounter; #[cfg(feature = "runtime")] -pub use persistent::{AuthManifestImageMetadataList, AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT}; +pub use persistent::AuthManifestImageMetadataList; pub use persistent::{ FuseLogArray, PcrLogArray, PersistentData, PersistentDataAccessor, StashMeasurementArray, FUSE_LOG_MAX_COUNT, MEASUREMENT_MAX_COUNT, PCR_LOG_MAX_COUNT, diff --git a/drivers/src/memory_layout.rs b/drivers/src/memory_layout.rs index 1705f6c774..b371d3e719 100644 --- a/drivers/src/memory_layout.rs +++ b/drivers/src/memory_layout.rs @@ -44,7 +44,7 @@ pub const FUSE_LOG_ORG: u32 = MEASUREMENT_LOG_ORG + MEASUREMENT_LOG_SIZE; pub const DPE_ORG: u32 = FUSE_LOG_ORG + FUSE_LOG_SIZE; pub const PCR_RESET_COUNTER_ORG: u32 = DPE_ORG + DPE_SIZE; pub const AUTH_MAN_IMAGE_METADATA_LIST_ORG: u32 = PCR_RESET_COUNTER_ORG + PCR_RESET_COUNTER_SIZE; -pub const DATA_ORG: u32 = AUTH_MAN_IMAGE_METADATA_LIST_ORG + AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE; +pub const DATA_ORG: u32 = AUTH_MAN_IMAGE_METADATA_LIST_ORG + AUTH_MAN_IMAGE_METADATA_MAX_SIZE; pub const STACK_ORG: u32 = DATA_ORG + DATA_SIZE; pub const ROM_STACK_ORG: u32 = STACK_ORG + (STACK_SIZE - ROM_STACK_SIZE); @@ -76,8 +76,8 @@ pub const MEASUREMENT_LOG_SIZE: u32 = 1024; pub const FUSE_LOG_SIZE: u32 = 1024; pub const DPE_SIZE: u32 = 5 * 1024; pub const PCR_RESET_COUNTER_SIZE: u32 = 1024; -pub const AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE: u32 = 1024; -pub const DATA_SIZE: u32 = 69 * 1024; +pub const AUTH_MAN_IMAGE_METADATA_MAX_SIZE: u32 = 7 * 1024; +pub const DATA_SIZE: u32 = 63 * 1024; pub const STACK_SIZE: u32 = 22 * 1024; pub const ROM_STACK_SIZE: u32 = 14 * 1024; pub const ESTACK_SIZE: u32 = 1024; diff --git a/drivers/src/persistent.rs b/drivers/src/persistent.rs index d1a2b01643..4afbf7535a 100644 --- a/drivers/src/persistent.rs +++ b/drivers/src/persistent.rs @@ -3,9 +3,10 @@ use core::{marker::PhantomData, mem::size_of, ptr::addr_of}; #[cfg(feature = "runtime")] -use caliptra_auth_man_types::AuthManifestImageMetadata; -#[cfg(feature = "runtime")] -use caliptra_auth_man_types::AuthManifestImageMetadataCollection; +use caliptra_auth_man_types::{ + AuthManifestImageMetadata, AuthManifestImageMetadataCollection, + AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT, +}; use caliptra_image_types::ImageManifest; #[cfg(feature = "runtime")] use dpe::{DpeInstance, U8Bool, MAX_HANDLES}; @@ -25,8 +26,6 @@ use crate::pcr_reset::PcrResetCounter; pub const PCR_LOG_MAX_COUNT: usize = 17; pub const FUSE_LOG_MAX_COUNT: usize = 62; pub const MEASUREMENT_MAX_COUNT: usize = 8; -#[cfg(feature = "runtime")] -pub const AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT: usize = 8; #[cfg(feature = "runtime")] const DPE_DCCM_STORAGE: usize = size_of::() @@ -42,7 +41,7 @@ pub type FuseLogArray = [FuseLogEntry; FUSE_LOG_MAX_COUNT]; pub type StashMeasurementArray = [MeasurementLogEntry; MEASUREMENT_MAX_COUNT]; #[cfg(feature = "runtime")] pub type AuthManifestImageMetadataList = - [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT]; + [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT]; #[derive(FromBytes, AsBytes, Zeroize)] #[repr(C)] @@ -99,12 +98,12 @@ pub struct PersistentData { #[cfg(feature = "runtime")] pub auth_manifest_image_metadata_col: AuthManifestImageMetadataCollection, #[cfg(feature = "runtime")] - reserved9: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE as usize + reserved9: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize - size_of::()], #[cfg(not(feature = "runtime"))] pub auth_manifest_image_metadata_col: - [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE as usize], + [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize], } impl PersistentData { pub fn assert_matches_layout() { @@ -139,7 +138,7 @@ impl PersistentData { assert_eq!( P.add(1) as u32, memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_ORG - + memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE + + memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE ); } } diff --git a/runtime/src/authorize_and_stash.rs b/runtime/src/authorize_and_stash.rs index 0ff44365a0..9a1de26c0f 100644 --- a/runtime/src/authorize_and_stash.rs +++ b/runtime/src/authorize_and_stash.rs @@ -17,8 +17,7 @@ use core::mem::size_of; use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers, StashMeasurementCmd}; use caliptra_auth_man_types::{ - AuthManifestImageMetadataCollection, AuthManifestImageMetadataCollectionHeader, - AuthManifestPreamble, AUTH_MANIFEST_MARKER, + AuthManifestImageMetadataCollection, AuthManifestPreamble, AUTH_MANIFEST_MARKER, }; use caliptra_cfi_derive_git::cfi_impl_fn; use caliptra_cfi_lib_git::cfi_launder; @@ -30,7 +29,6 @@ use caliptra_drivers::{ pcr_log::PCR_ID_STASH_MEASUREMENT, Array4x12, Array4xN, AuthManifestImageMetadataList, CaliptraError, CaliptraResult, Ecc384, Ecc384PubKey, Ecc384Signature, HashValue, Lms, PersistentData, RomPqcVerifyConfig, Sha256, Sha384, SocIfc, - AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT, }; use caliptra_image_types::{ ImageDigest, ImageEccPubKey, ImageEccSignature, ImageLmsPublicKey, ImageLmsSignature, diff --git a/runtime/src/packet.rs b/runtime/src/packet.rs index 3072e2e673..1a925fb32b 100644 --- a/runtime/src/packet.rs +++ b/runtime/src/packet.rs @@ -25,7 +25,7 @@ pub struct Packet { pub len: usize, // Length in bytes } -const MAX_PAYLOAD_SIZE: usize = 2050; // in dwords +const MAX_PAYLOAD_SIZE: usize = 3586; // in dwords impl Default for Packet { fn default() -> Self { diff --git a/runtime/src/set_auth_manifest.rs b/runtime/src/set_auth_manifest.rs index b582a8b098..666f2c8f12 100644 --- a/runtime/src/set_auth_manifest.rs +++ b/runtime/src/set_auth_manifest.rs @@ -18,8 +18,8 @@ use core::mem::size_of; use crate::verify; use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers}; use caliptra_auth_man_types::{ - AuthManifestFlags, AuthManifestImageMetadataCollection, - AuthManifestImageMetadataCollectionHeader, AuthManifestPreamble, AUTH_MANIFEST_MARKER, + AuthManifestFlags, AuthManifestImageMetadataCollection, AuthManifestPreamble, + AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT, AUTH_MANIFEST_MARKER, }; use caliptra_cfi_derive_git::cfi_impl_fn; use caliptra_cfi_lib_git::cfi_launder; @@ -30,7 +30,6 @@ use caliptra_drivers::{ pcr_log::PCR_ID_STASH_MEASUREMENT, Array4x12, Array4xN, AuthManifestImageMetadataList, CaliptraError, CaliptraResult, Ecc384, Ecc384PubKey, Ecc384Signature, HashValue, Lms, PersistentData, RomPqcVerifyConfig, Sha256, Sha384, SocIfc, - AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT, }; use caliptra_image_types::{ ImageDigest, ImageEccPubKey, ImageEccSignature, ImageLmsPublicKey, ImageLmsSignature, @@ -221,7 +220,7 @@ impl SetAuthManifestCmd { soc_ifc: &SocIfc, ) -> CaliptraResult<()> { let flags = AuthManifestFlags::from(auth_manifest_preamble.flags); - if !flags.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQURIED) { + if !flags.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED) { return Ok(()); } // Verify the vendor ECC signature over the image metadata collection. @@ -340,7 +339,7 @@ impl SetAuthManifestCmd { sha256: &mut Sha256, soc_ifc: &SocIfc, ) -> CaliptraResult<()> { - if cmd_buf.len() < size_of::() { + if cmd_buf.len() < size_of::() { Err(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_SIZE)?; } @@ -354,9 +353,8 @@ impl SetAuthManifestCmd { image_metadata_col.as_bytes_mut()[..col_size].copy_from_slice(buf); - if image_metadata_col.header.entry_count == 0 - || image_metadata_col.header.entry_count - > AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT as u32 + if image_metadata_col.entry_count == 0 + || image_metadata_col.entry_count > AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT as u32 { Err(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT)?; } diff --git a/runtime/tests/runtime_integration_tests/test_set_auth_manifest.rs b/runtime/tests/runtime_integration_tests/test_set_auth_manifest.rs index dc3dd5ee04..d15ba3314a 100644 --- a/runtime/tests/runtime_integration_tests/test_set_auth_manifest.rs +++ b/runtime/tests/runtime_integration_tests/test_set_auth_manifest.rs @@ -97,7 +97,7 @@ fn test_auth_manifest() -> AuthorizationManifest { owner_man_key_info, image_metadata_list, version: 1, - flags: AuthManifestFlags::VENDOR_SIGNATURE_REQURIED, + flags: AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED, }; let gen = AuthManifestGenerator::new(Crypto::default()); @@ -273,7 +273,7 @@ fn test_set_auth_manifest_invalid_owner_lms_sig() { #[test] fn test_set_auth_manifest_invalid_metadata_list_count() { let mut auth_manifest = test_auth_manifest(); - auth_manifest.image_metadata_col.header.entry_count = 0; + auth_manifest.image_metadata_col.entry_count = 0; test_manifest_expect_err( auth_manifest, CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,