Add a new crypto helper and move the module up a layer.

The move will allow crypto helpers to be used from runtime-update flows.

The new helper will be used in cases where borrowing RomEnv is not allowed.

rom/dev/src/flow/cold_reset/crypto.rs → rom/dev/src/crypto.rs

@@ -157,19 +157,20 @@ impl Crypto {
     /// * `mode` - HMAC Mode
     #[inline(always)]
     pub fn hmac_kdf(
-        env: &mut RomEnv,
+        hmac: &mut Hmac,
+        trng: &mut Trng,
         key: KeyId,
         label: &[u8],
         context: Option<&[u8]>,
         output: KeyId,
         mode: HmacMode,
     ) -> CaliptraResult<()> {
         hmac_kdf(
-            &mut env.hmac,
+            hmac,
             KeyReadArgs::new(key).into(),
             label,
             context,
-            &mut env.trng,
+            trng,
             KeyWriteArgs::new(
                 output,
                 KeyUsage::default()
@@ -181,6 +182,27 @@ impl Crypto {
         )
     }
 
+    /// Version of hmac_kdf() that takes a RomEnv.
+    #[inline(always)]
+    pub fn env_hmac_kdf(
+        env: &mut RomEnv,
+        key: KeyId,
+        label: &[u8],
+        context: Option<&[u8]>,
+        output: KeyId,
+        mode: HmacMode,
+    ) -> CaliptraResult<()> {
+        Crypto::hmac_kdf(
+            &mut env.hmac,
+            &mut env.trng,
+            key,
+            label,
+            context,
+            output,
+            mode,
+        )
+    }
+
     /// Generate ECC Key Pair
     ///
     /// # Arguments
@@ -199,7 +221,7 @@ impl Crypto {
         label: &[u8],
         priv_key: KeyId,
     ) -> CaliptraResult<Ecc384KeyPair> {
-        Crypto::hmac_kdf(env, cdi, label, None, KEY_ID_TMP, HmacMode::Hmac512)?;
+        Crypto::env_hmac_kdf(env, cdi, label, None, KEY_ID_TMP, HmacMode::Hmac512)?;
 
         let key_out = Ecc384PrivKeyOut::Key(KeyWriteArgs::new(
             priv_key,
@@ -271,7 +293,7 @@ impl Crypto {
         key_pair_seed: KeyId,
     ) -> CaliptraResult<MlDsaKeyPair> {
         // Generate the seed for key pair generation.
-        Crypto::hmac_kdf(env, cdi, label, None, key_pair_seed, HmacMode::Hmac512)?;
+        Crypto::env_hmac_kdf(env, cdi, label, None, key_pair_seed, HmacMode::Hmac512)?;
 
         // Generate the public key.
         let pub_key = env

rom/dev/src/flow/cold_reset/dice.rs

@@ -13,7 +13,7 @@ Abstract:
 
 --*/
 
-use super::crypto::{Ecc384KeyPair, MlDsaKeyPair};
+use crate::crypto::{Ecc384KeyPair, MlDsaKeyPair};
 use zeroize::Zeroize;
 
 /// DICE Layer Input

rom/dev/src/flow/cold_reset/fmc_alias.rs

@@ -13,12 +13,11 @@ Abstract:
 
 --*/
 
-use super::crypto::{Crypto, Ecc384KeyPair};
 use super::dice::{DiceInput, DiceOutput};
 use super::fw_processor::FwProcInfo;
 use super::x509::X509;
 use crate::cprintln;
-use crate::flow::cold_reset::crypto::{MlDsaKeyPair, PubKey};
+use crate::crypto::{Crypto, Ecc384KeyPair, MlDsaKeyPair, PubKey};
 use crate::flow::cold_reset::{copy_tbs, TbsType};
 use crate::print::HexBytes;
 use crate::rom_env::RomEnv;
@@ -126,7 +125,7 @@ impl FmcAliasLayer {
     fn derive_cdi(env: &mut RomEnv, measurements: &Array4x12, cdi: KeyId) -> CaliptraResult<()> {
         let mut measurements: [u8; 48] = measurements.into();
 
-        let result = Crypto::hmac_kdf(
+        let result = Crypto::env_hmac_kdf(
             env,
             cdi,
             b"alias_fmc_cdi",

rom/dev/src/flow/cold_reset/idev_id.rs

@@ -13,10 +13,10 @@ Abstract:
 
 --*/
 
-use super::crypto::*;
 use super::dice::*;
 use super::x509::*;
 use crate::cprintln;
+use crate::crypto::{Crypto, Ecc384KeyPair, Ecdsa384SignatureAdapter, MlDsaKeyPair, PubKey};
 use crate::print::HexBytes;
 use crate::rom_env::RomEnv;
 #[cfg(not(feature = "no-cfi"))]
@@ -180,7 +180,7 @@ impl InitDevIdLayer {
     /// * `cdi` - Key Slot to store the generated CDI
     #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
     fn derive_cdi(env: &mut RomEnv, uds: KeyId, cdi: KeyId) -> CaliptraResult<()> {
-        Crypto::hmac_kdf(env, uds, b"idevid_cdi", None, cdi, HmacMode::Hmac512)?;
+        Crypto::env_hmac_kdf(env, uds, b"idevid_cdi", None, cdi, HmacMode::Hmac512)?;
 
         cprintln!("[idev] Erasing UDS.KEYID = {}", uds as u8);
         env.key_vault.erase_key(uds)?;

rom/dev/src/flow/cold_reset/ldev_id.rs

@@ -13,10 +13,10 @@ Abstract:
 
 --*/
 
-use super::crypto::*;
 use super::dice::*;
 use super::x509::*;
 use crate::cprintln;
+use crate::crypto::{Crypto, Ecc384KeyPair, MlDsaKeyPair, PubKey};
 use crate::flow::cold_reset::{copy_tbs, TbsType};
 use crate::print::HexBytes;
 use crate::rom_env::RomEnv;

rom/dev/src/flow/cold_reset/mod.rs

@@ -12,7 +12,6 @@ Abstract:
 
 --*/
 
-mod crypto;
 mod dice;
 mod fmc_alias;
 mod fw_processor;

rom/dev/src/flow/cold_reset/x509.rs

@@ -11,8 +11,8 @@ Abstract:
     File contains X509 Certificate & CSR related utility functions
 
 --*/
-use super::crypto::{Crypto, PubKey};
 use crate::cprintln;
+use crate::crypto::{Crypto, PubKey};
 use crate::rom_env::RomEnv;
 use caliptra_drivers::*;
 use core::mem::size_of;

rom/dev/src/main.rs

@@ -41,6 +41,7 @@ core::arch::global_asm!(include_str!(concat!(
     "/start_preprocessed.S"
 )));
 
+mod crypto;
 mod exception;
 mod fht;
 mod flow;