From 7724c5ca3a161b417642bc0ad825f71349b0c138 Mon Sep 17 00:00:00 2001
From: Jeff Andersen <jeffandersen@google.com>
Date: Tue, 26 Nov 2024 13:46:41 -0800
Subject: [PATCH] Add a new crypto helper and move the module up a layer.

The move will allow crypto helpers to be used from runtime-update flows.

The new helper will be used in cases where borrowing RomEnv is not allowed.
---
 rom/dev/src/{flow/cold_reset => }/crypto.rs | 32 +++++++++++++++++----
 rom/dev/src/flow/cold_reset/dice.rs         |  2 +-
 rom/dev/src/flow/cold_reset/fmc_alias.rs    |  5 ++--
 rom/dev/src/flow/cold_reset/idev_id.rs      |  4 +--
 rom/dev/src/flow/cold_reset/ldev_id.rs      |  2 +-
 rom/dev/src/flow/cold_reset/mod.rs          |  1 -
 rom/dev/src/flow/cold_reset/x509.rs         |  2 +-
 rom/dev/src/main.rs                         |  1 +
 8 files changed, 35 insertions(+), 14 deletions(-)
 rename rom/dev/src/{flow/cold_reset => }/crypto.rs (91%)

diff --git a/rom/dev/src/flow/cold_reset/crypto.rs b/rom/dev/src/crypto.rs
similarity index 91%
rename from rom/dev/src/flow/cold_reset/crypto.rs
rename to rom/dev/src/crypto.rs
index 7432bdbe8b..6bf2bfa9b6 100644
--- a/rom/dev/src/flow/cold_reset/crypto.rs
+++ b/rom/dev/src/crypto.rs
@@ -157,7 +157,8 @@ impl Crypto {
     /// * `mode` - HMAC Mode
     #[inline(always)]
     pub fn hmac_kdf(
-        env: &mut RomEnv,
+        hmac: &mut Hmac,
+        trng: &mut Trng,
         key: KeyId,
         label: &[u8],
         context: Option<&[u8]>,
@@ -165,11 +166,11 @@ impl Crypto {
         mode: HmacMode,
     ) -> CaliptraResult<()> {
         hmac_kdf(
-            &mut env.hmac,
+            hmac,
             KeyReadArgs::new(key).into(),
             label,
             context,
-            &mut env.trng,
+            trng,
             KeyWriteArgs::new(
                 output,
                 KeyUsage::default()
@@ -181,6 +182,27 @@ impl Crypto {
         )
     }
 
+    /// Version of hmac_kdf() that takes a RomEnv.
+    #[inline(always)]
+    pub fn env_hmac_kdf(
+        env: &mut RomEnv,
+        key: KeyId,
+        label: &[u8],
+        context: Option<&[u8]>,
+        output: KeyId,
+        mode: HmacMode,
+    ) -> CaliptraResult<()> {
+        Crypto::hmac_kdf(
+            &mut env.hmac,
+            &mut env.trng,
+            key,
+            label,
+            context,
+            output,
+            mode,
+        )
+    }
+
     /// Generate ECC Key Pair
     ///
     /// # Arguments
@@ -199,7 +221,7 @@ impl Crypto {
         label: &[u8],
         priv_key: KeyId,
     ) -> CaliptraResult<Ecc384KeyPair> {
-        Crypto::hmac_kdf(env, cdi, label, None, KEY_ID_TMP, HmacMode::Hmac512)?;
+        Crypto::env_hmac_kdf(env, cdi, label, None, KEY_ID_TMP, HmacMode::Hmac512)?;
 
         let key_out = Ecc384PrivKeyOut::Key(KeyWriteArgs::new(
             priv_key,
@@ -271,7 +293,7 @@ impl Crypto {
         key_pair_seed: KeyId,
     ) -> CaliptraResult<MlDsaKeyPair> {
         // Generate the seed for key pair generation.
-        Crypto::hmac_kdf(env, cdi, label, None, key_pair_seed, HmacMode::Hmac512)?;
+        Crypto::env_hmac_kdf(env, cdi, label, None, key_pair_seed, HmacMode::Hmac512)?;
 
         // Generate the public key.
         let pub_key = env
diff --git a/rom/dev/src/flow/cold_reset/dice.rs b/rom/dev/src/flow/cold_reset/dice.rs
index 92b5a19c56..5edbfa1614 100644
--- a/rom/dev/src/flow/cold_reset/dice.rs
+++ b/rom/dev/src/flow/cold_reset/dice.rs
@@ -13,7 +13,7 @@ Abstract:
 
 --*/
 
-use super::crypto::{Ecc384KeyPair, MlDsaKeyPair};
+use crate::crypto::{Ecc384KeyPair, MlDsaKeyPair};
 use zeroize::Zeroize;
 
 /// DICE Layer Input
diff --git a/rom/dev/src/flow/cold_reset/fmc_alias.rs b/rom/dev/src/flow/cold_reset/fmc_alias.rs
index 3ce68c231f..c77d0f6910 100644
--- a/rom/dev/src/flow/cold_reset/fmc_alias.rs
+++ b/rom/dev/src/flow/cold_reset/fmc_alias.rs
@@ -13,12 +13,11 @@ Abstract:
 
 --*/
 
-use super::crypto::{Crypto, Ecc384KeyPair};
 use super::dice::{DiceInput, DiceOutput};
 use super::fw_processor::FwProcInfo;
 use super::x509::X509;
 use crate::cprintln;
-use crate::flow::cold_reset::crypto::{MlDsaKeyPair, PubKey};
+use crate::crypto::{Crypto, Ecc384KeyPair, MlDsaKeyPair, PubKey};
 use crate::flow::cold_reset::{copy_tbs, TbsType};
 use crate::print::HexBytes;
 use crate::rom_env::RomEnv;
@@ -126,7 +125,7 @@ impl FmcAliasLayer {
     fn derive_cdi(env: &mut RomEnv, measurements: &Array4x12, cdi: KeyId) -> CaliptraResult<()> {
         let mut measurements: [u8; 48] = measurements.into();
 
-        let result = Crypto::hmac_kdf(
+        let result = Crypto::env_hmac_kdf(
             env,
             cdi,
             b"alias_fmc_cdi",
diff --git a/rom/dev/src/flow/cold_reset/idev_id.rs b/rom/dev/src/flow/cold_reset/idev_id.rs
index e761df95bc..aa7f5afb18 100644
--- a/rom/dev/src/flow/cold_reset/idev_id.rs
+++ b/rom/dev/src/flow/cold_reset/idev_id.rs
@@ -13,10 +13,10 @@ Abstract:
 
 --*/
 
-use super::crypto::*;
 use super::dice::*;
 use super::x509::*;
 use crate::cprintln;
+use crate::crypto::{Crypto, Ecc384KeyPair, Ecdsa384SignatureAdapter, MlDsaKeyPair, PubKey};
 use crate::print::HexBytes;
 use crate::rom_env::RomEnv;
 #[cfg(not(feature = "no-cfi"))]
@@ -180,7 +180,7 @@ impl InitDevIdLayer {
     /// * `cdi` - Key Slot to store the generated CDI
     #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
     fn derive_cdi(env: &mut RomEnv, uds: KeyId, cdi: KeyId) -> CaliptraResult<()> {
-        Crypto::hmac_kdf(env, uds, b"idevid_cdi", None, cdi, HmacMode::Hmac512)?;
+        Crypto::env_hmac_kdf(env, uds, b"idevid_cdi", None, cdi, HmacMode::Hmac512)?;
 
         cprintln!("[idev] Erasing UDS.KEYID = {}", uds as u8);
         env.key_vault.erase_key(uds)?;
diff --git a/rom/dev/src/flow/cold_reset/ldev_id.rs b/rom/dev/src/flow/cold_reset/ldev_id.rs
index 5b7386dd1b..898ce72c80 100644
--- a/rom/dev/src/flow/cold_reset/ldev_id.rs
+++ b/rom/dev/src/flow/cold_reset/ldev_id.rs
@@ -13,10 +13,10 @@ Abstract:
 
 --*/
 
-use super::crypto::*;
 use super::dice::*;
 use super::x509::*;
 use crate::cprintln;
+use crate::crypto::{Crypto, Ecc384KeyPair, MlDsaKeyPair, PubKey};
 use crate::flow::cold_reset::{copy_tbs, TbsType};
 use crate::print::HexBytes;
 use crate::rom_env::RomEnv;
diff --git a/rom/dev/src/flow/cold_reset/mod.rs b/rom/dev/src/flow/cold_reset/mod.rs
index 0b07a8d003..54cbf908dd 100644
--- a/rom/dev/src/flow/cold_reset/mod.rs
+++ b/rom/dev/src/flow/cold_reset/mod.rs
@@ -12,7 +12,6 @@ Abstract:
 
 --*/
 
-mod crypto;
 mod dice;
 mod fmc_alias;
 mod fw_processor;
diff --git a/rom/dev/src/flow/cold_reset/x509.rs b/rom/dev/src/flow/cold_reset/x509.rs
index c48a63429b..6ff1dc68aa 100644
--- a/rom/dev/src/flow/cold_reset/x509.rs
+++ b/rom/dev/src/flow/cold_reset/x509.rs
@@ -11,8 +11,8 @@ Abstract:
     File contains X509 Certificate & CSR related utility functions
 
 --*/
-use super::crypto::{Crypto, PubKey};
 use crate::cprintln;
+use crate::crypto::{Crypto, PubKey};
 use crate::rom_env::RomEnv;
 use caliptra_drivers::*;
 use core::mem::size_of;
diff --git a/rom/dev/src/main.rs b/rom/dev/src/main.rs
index e8464de91d..f27bb8ff96 100644
--- a/rom/dev/src/main.rs
+++ b/rom/dev/src/main.rs
@@ -41,6 +41,7 @@ core::arch::global_asm!(include_str!(concat!(
     "/start_preprocessed.S"
 )));
 
+mod crypto;
 mod exception;
 mod fht;
 mod flow;