Fixing nightly CI failures and adding frozen 1.1 ROM

.github/workflows/fpga.yml

@@ -420,11 +420,6 @@ jobs:
           TEST_BIN=/tmp/caliptra-test-binaries
           VARS="CPTRA_UIO_NUM=4 CALIPTRA_PREBUILT_FW_DIR=/tmp/caliptra-test-firmware CALIPTRA_IMAGE_NO_GIT_REVISION=1"
 
-          if [[ "${{ inputs.workflow_call }}" && "${{ inputs.hw-version }}" != "latest" ]]; then
-            VARS+=" FIPS_TEST_HW_EXP_VERSION=1_0_0"
-            VARS+=" FIPS_TEST_ROM_EXP_VERSION=1_0_1"
-          fi
-
           if [ "${{ inputs.rom-logging }}" == "true" ] || [ -z "${{ inputs.rom-logging }}" ]; then
             VARS+=" CPTRA_ROM_TYPE=ROM_WITH_UART"
           elif [ "${{ inputs.rom-logging }}" == false ]; then

builder/Cargo.toml

@@ -25,6 +25,8 @@ zerocopy.workspace = true
 default = ["openssl"]
 slow_tests = []
 "hw-1.0" = []
+"ci-rom-1.0" = []
+"ci-rom-1.1" = []
 openssl = ["caliptra-image-crypto/openssl"]
 rustcrypto = ["caliptra-image-crypto/rustcrypto"]
 

builder/src/lib.rs

@@ -366,19 +366,38 @@ pub fn build_firmware_elf(id: &FwId<'static>) -> io::Result<Arc<Vec<u8>>> {
 /// a particular hardware version. DO NOT USE this for ROM-only tests.
 pub fn rom_for_fw_integration_tests() -> io::Result<Cow<'static, [u8]>> {
     let rom_from_env = firmware::rom_from_env();
-    if cfg!(feature = "hw-1.0") {
+    if cfg!(all(feature = "hw-1.0", not(feature = "ci-rom-1.0"))) {
+        panic!("ci-rom-1.0 is required for hw-1.0");
+    }
+    if cfg!(feature = "ci-rom-1.0") {
         if rom_from_env == &firmware::ROM {
             Ok(
-                include_bytes!("../../hw/1.0/caliptra-rom-1.0.1-9342687.bin")
+                include_bytes!("../../rom/ci_frozen_rom/1.0/caliptra-rom-1.0.3-e8e23d9.bin")
                     .as_slice()
                     .into(),
             )
         } else if rom_from_env == &firmware::ROM_WITH_UART {
+            Ok(include_bytes!(
+                "../../rom/ci_frozen_rom/1.0/caliptra-rom-with-log-1.0.3-e8e23d9.bin"
+            )
+            .as_slice()
+            .into())
+        } else {
+            Err(other_err(format!("Unexpected ROM fwid {rom_from_env:?}")))
+        }
+    } else if cfg!(feature = "ci-rom-1.1") {
+        if rom_from_env == &firmware::ROM {
             Ok(
-                include_bytes!("../../hw/1.0/caliptra-rom-with-log-1.0.1-9342687.bin")
+                include_bytes!("../../rom/ci_frozen_rom/1.1/caliptra-rom-1.1.0-51ff0a8.bin")
                     .as_slice()
                     .into(),
             )
+        } else if rom_from_env == &firmware::ROM_WITH_UART {
+            Ok(include_bytes!(
+                "../../rom/ci_frozen_rom/1.1/caliptra-rom-with-log-1.1.0-51ff0a8.bin"
+            )
+            .as_slice()
+            .into())
         } else {
             Err(other_err(format!("Unexpected ROM fwid {rom_from_env:?}")))
         }

fmc/Cargo.toml

@@ -41,3 +41,5 @@ itrng = ["caliptra-hw-model/itrng"]
 verilator = ["caliptra-hw-model/verilator"]
 fake-fmc = []
 "hw-1.0" = ["caliptra-builder/hw-1.0", "caliptra-cpu/hw-1.0", "caliptra-drivers/hw-1.0", "caliptra-registers/hw-1.0"]
+"ci-rom-1.0" = ["caliptra-builder/ci-rom-1.0"]
+"ci-rom-1.1" = ["caliptra-builder/ci-rom-1.1"]

fmc/tests/fmc_integration_tests/test_rtalias.rs

@@ -91,7 +91,11 @@ fn test_fht_info() {
     let data = hw.mailbox_execute(TEST_CMD_READ_FHT, &[]).unwrap().unwrap();
     let fht = FirmwareHandoffTable::read_from_prefix(data.as_bytes()).unwrap();
     assert_eq!(fht.ldevid_tbs_size, 552);
-    assert_eq!(fht.fmcalias_tbs_size, 753);
+    if cfg!(any(feature = "ci-rom-1.0", feature = "ci-rom-1.1")) {
+        assert_eq!(fht.fmcalias_tbs_size, 786);
+    } else {
+        assert_eq!(fht.fmcalias_tbs_size, 753);
+    }
     assert_eq!(fht.ldevid_tbs_addr, 0x50003C00);
     assert_eq!(fht.fmcalias_tbs_addr, 0x50004000);
     assert_eq!(fht.pcr_log_addr, 0x50004800);

runtime/Cargo.toml

@@ -65,3 +65,5 @@ no-cfi = ["caliptra-image-verify/no-cfi", "caliptra-drivers/no-cfi"]
 fpga_realtime = ["caliptra-drivers/fpga_realtime"]
 "hw-1.0" = ["caliptra-builder/hw-1.0", "caliptra-drivers/hw-1.0", "caliptra-registers/hw-1.0", "caliptra-kat/hw-1.0","caliptra-cpu/hw-1.0"]
 fips-test-hooks = ["caliptra-drivers/fips-test-hooks"]
+"ci-rom-1.0" = ["caliptra-builder/ci-rom-1.0"]
+"ci-rom-1.1" = ["caliptra-builder/ci-rom-1.1"]

runtime/tests/runtime_integration_tests/test_get_idev_csr.rs

@@ -25,20 +25,27 @@ fn test_get_csr() {
         chksum: caliptra_common::checksum::calc_checksum(u32::from(CommandId::GET_IDEV_CSR), &[]),
     };
 
-    let response = model
-        .mailbox_execute(CommandId::GET_IDEV_CSR.into(), payload.as_bytes())
-        .unwrap()
-        .unwrap();
+    let result = model.mailbox_execute(CommandId::GET_IDEV_CSR.into(), payload.as_bytes());
 
-    let get_idv_csr_resp = GetIdevCsrResp::read_from(response.as_bytes()).unwrap();
+    if cfg!(any(feature = "ci-rom-1.0", feature = "ci-rom-1.1")) {
+        // 1.0 and 1.1 ROM do not support this feature
+        assert_eq!(
+            result.unwrap_err(),
+            ModelError::MailboxCmdFailed(CaliptraError::RUNTIME_GET_IDEV_ID_UNSUPPORTED_ROM.into())
+        );
+    } else {
+        let response = result.unwrap().unwrap();
 
-    assert_ne!(IdevIdCsr::UNPROVISIONED_CSR, get_idv_csr_resp.data_size);
-    assert_ne!(0, get_idv_csr_resp.data_size);
+        let get_idv_csr_resp = GetIdevCsrResp::read_from(response.as_bytes()).unwrap();
 
-    let csr_bytes = &get_idv_csr_resp.data[..get_idv_csr_resp.data_size as usize];
-    assert_ne!([0; 512], csr_bytes);
+        assert_ne!(IdevIdCsr::UNPROVISIONED_CSR, get_idv_csr_resp.data_size);
+        assert_ne!(0, get_idv_csr_resp.data_size);
 
-    assert!(X509Req::from_der(csr_bytes).is_ok());
+        let csr_bytes = &get_idv_csr_resp.data[..get_idv_csr_resp.data_size as usize];
+        assert_ne!([0; 512], csr_bytes);
+
+        assert!(X509Req::from_der(csr_bytes).is_ok());
+    }
 }
 
 #[test]
@@ -56,8 +63,17 @@ fn test_missing_csr() {
     let response = model
         .mailbox_execute(CommandId::GET_IDEV_CSR.into(), payload.as_bytes())
         .unwrap_err();
-    assert_eq!(
-        response,
-        ModelError::MailboxCmdFailed(CaliptraError::RUNTIME_GET_IDEV_ID_UNPROVISIONED.into())
-    );
+
+    if cfg!(any(feature = "ci-rom-1.0", feature = "ci-rom-1.1")) {
+        // 1.0 and 1.1 ROM do not support this feature
+        assert_eq!(
+            response,
+            ModelError::MailboxCmdFailed(CaliptraError::RUNTIME_GET_IDEV_ID_UNSUPPORTED_ROM.into())
+        );
+    } else {
+        assert_eq!(
+            response,
+            ModelError::MailboxCmdFailed(CaliptraError::RUNTIME_GET_IDEV_ID_UNPROVISIONED.into())
+        );
+    }
 }

test/Cargo.toml

@@ -45,3 +45,5 @@ verilator = ["caliptra-hw-model/verilator"]
 fips_self_test = ["caliptra-runtime/fips_self_test"]
 test_env_immutable_rom = []
 "hw-1.0" = ["caliptra-builder/hw-1.0", "caliptra-drivers/hw-1.0", "caliptra-hw-model/hw-1.0"]
+"ci-rom-1.0" = ["caliptra-builder/ci-rom-1.0"]
+"ci-rom-1.1" = ["caliptra-builder/ci-rom-1.1"]

test/tests/caliptra_integration_tests/smoke_test.rs

@@ -25,6 +25,50 @@ use regex::Regex;
 use std::mem;
 use zerocopy::AsBytes;
 
+// Support testing against older versions of ROM in CI
+// More constants may need to be added here as the ROMs further diverge
+#[cfg(feature = "ci-rom-1.0")]
+mod rom_specific_test_params {
+    #[allow(dead_code)]
+    pub const TESTDATA_PATH: &str = "tests/caliptra_integration_tests/smoke_testdata/rom-1.0";
+    pub const FMC_ALIAS_CERT_REDACTED_TXT: &str =
+        include_str!("smoke_testdata/rom-1.0/fmc_alias_cert_redacted.txt");
+    pub const FMC_ALIAS_CERT_REDACTED_DER: &[u8] =
+        include_bytes!("smoke_testdata/rom-1.0/fmc_alias_cert_redacted.der");
+    pub const TCB_INFO_VENDOR: Option<&str> = Some("Caliptra");
+    pub const TCB_DEVICE_INFO_MODEL: Option<&str> = Some("Device");
+    pub const TCB_FMC_INFO_MODEL: Option<&str> = Some("FMC");
+    pub const TCB_INFO_FLAGS: Option<u32> = Some(0x80000000);
+}
+#[cfg(feature = "ci-rom-1.1")]
+mod rom_specific_test_params {
+    #[allow(dead_code)]
+    pub const TESTDATA_PATH: &str = "tests/caliptra_integration_tests/smoke_testdata/rom-1.1";
+    pub const FMC_ALIAS_CERT_REDACTED_TXT: &str =
+        include_str!("smoke_testdata/rom-1.1/fmc_alias_cert_redacted.txt");
+    pub const FMC_ALIAS_CERT_REDACTED_DER: &[u8] =
+        include_bytes!("smoke_testdata/rom-1.1/fmc_alias_cert_redacted.der");
+    pub const TCB_INFO_VENDOR: Option<&str> = Some("Caliptra");
+    pub const TCB_DEVICE_INFO_MODEL: Option<&str> = Some("Device");
+    pub const TCB_FMC_INFO_MODEL: Option<&str> = Some("FMC");
+    pub const TCB_INFO_FLAGS: Option<u32> = Some(0x80000000);
+}
+#[cfg(all(not(feature = "ci-rom-1.0"), not(feature = "ci-rom-1.1")))]
+mod rom_specific_test_params {
+    #[allow(dead_code)]
+    pub const TESTDATA_PATH: &str = "tests/caliptra_integration_tests/smoke_testdata/rom-latest";
+    pub const FMC_ALIAS_CERT_REDACTED_TXT: &str =
+        include_str!("smoke_testdata/rom-latest/fmc_alias_cert_redacted.txt");
+    pub const FMC_ALIAS_CERT_REDACTED_DER: &[u8] =
+        include_bytes!("smoke_testdata/rom-latest/fmc_alias_cert_redacted.der");
+    pub const TCB_INFO_VENDOR: Option<&str> = None;
+    pub const TCB_DEVICE_INFO_MODEL: Option<&str> = None;
+    pub const TCB_FMC_INFO_MODEL: Option<&str> = None;
+    pub const TCB_INFO_FLAGS: Option<u32> = Some(0x00000001);
+}
+
+use rom_specific_test_params::*;
+
 #[track_caller]
 fn assert_output_contains(haystack: &str, needle: &str) {
     assert!(
@@ -278,22 +322,22 @@ fn smoke_test() {
         dice_tcb_info,
         [
             DiceTcbInfo {
-                vendor: None,
-                model: None,
+                vendor: TCB_INFO_VENDOR.map(String::from),
+                model: TCB_DEVICE_INFO_MODEL.map(String::from),
                 // This is from the SVN in the fuses (7 bits set)
                 svn: Some(0x107),
                 fwids: vec![DiceFwid {
                     hash_alg: asn1::oid!(2, 16, 840, 1, 101, 3, 4, 2, 2),
                     digest: device_info_hash.to_vec(),
                 },],
 
-                flags: Some(0x00000001),
+                flags: TCB_INFO_FLAGS,
                 ty: Some(b"DEVICE_INFO".to_vec()),
                 ..Default::default()
             },
             DiceTcbInfo {
-                vendor: None,
-                model: None,
+                vendor: TCB_INFO_VENDOR.map(String::from),
+                model: TCB_FMC_INFO_MODEL.map(String::from),
                 // This is from the SVN in the image (9)
                 svn: Some(0x109),
                 fwids: vec![DiceFwid {
@@ -404,17 +448,14 @@ fn smoke_test() {
             String::from_utf8(fmc_alias_cert_redacted.to_text().unwrap()).unwrap();
 
         // To update the alias-cert golden-data:
-        // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.txt", &fmc_alias_cert_redacted_txt).unwrap();
-        // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.der", &fmc_alias_cert_redacted_der).unwrap();
+        // std::fs::write(format!("{}/fmc_alias_cert_redacted.txt", TESTDATA_PATH), &fmc_alias_cert_redacted_txt).unwrap();
+        // std::fs::write(format!("{}/fmc_alias_cert_redacted.der", TESTDATA_PATH), &fmc_alias_cert_redacted_der).unwrap();
 
         assert_eq!(
             fmc_alias_cert_redacted_txt.as_str(),
-            include_str!("smoke_testdata/fmc_alias_cert_redacted.txt")
-        );
-        assert_eq!(
-            fmc_alias_cert_redacted_der,
-            include_bytes!("smoke_testdata/fmc_alias_cert_redacted.der")
+            FMC_ALIAS_CERT_REDACTED_TXT
         );
+        assert_eq!(fmc_alias_cert_redacted_der, FMC_ALIAS_CERT_REDACTED_DER);
     }
 
     let rt_alias_cert_resp = hw

test/tests/caliptra_integration_tests/smoke_testdata/rom-1.0/fmc_alias_cert_redacted.txt

@@ -0,0 +1,45 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: CN=Caliptra 1.0 LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889
+        Validity
+            Not Before: Jan  1 00:00:00 2023 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: CN=Caliptra 1.0 FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d1:7f:d2:78:d2:2e:75:eb:f0:ed:36:2d:f0:46:
+                    18:24:c4:54:5d:db:07:08:53:e8:a2:d3:a9:d0:a3:
+                    ca:59:8d:86:06:08:4e:78:ab:c8:cf:13:5d:5d:1b:
+                    bb:d7:6c:f2:64:49:0e:f4:a2:95:fa:8e:0f:0f:1f:
+                    ee:22:fc:88:57:1a:55:9f:7c:e9:68:dc:67:c5:13:
+                    d7:fc:bb:79:b6:09:da:23:1d:ef:b1:bf:96:72:3d:
+                    fd:b2:8d:86:f1:6f:5d
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:3
+            X509v3 Key Usage: critical
+                Certificate Sign
+            2.23.133.5.4.4: 
+                0....................
+            2.23.133.5.4.5: 
+                DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+            X509v3 Subject Key Identifier: 
+                44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
+            X509v3 Authority Key Identifier: 
+                21:EE:EF:9A:4C:61:D4:B9:E3:D9:4B:EA:46:F9:A1:2A:C6:88:7C:E2
+    Signature Algorithm: ecdsa-with-SHA384
+    Signature Value:
+        30:64:02:30:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:02:30:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44

test/tests/caliptra_integration_tests/smoke_testdata/rom-1.1/fmc_alias_cert_redacted.txt

@@ -0,0 +1,45 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: CN=Caliptra 1.0 LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889
+        Validity
+            Not Before: Jan  1 00:00:00 2023 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: CN=Caliptra 1.0 FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d1:7f:d2:78:d2:2e:75:eb:f0:ed:36:2d:f0:46:
+                    18:24:c4:54:5d:db:07:08:53:e8:a2:d3:a9:d0:a3:
+                    ca:59:8d:86:06:08:4e:78:ab:c8:cf:13:5d:5d:1b:
+                    bb:d7:6c:f2:64:49:0e:f4:a2:95:fa:8e:0f:0f:1f:
+                    ee:22:fc:88:57:1a:55:9f:7c:e9:68:dc:67:c5:13:
+                    d7:fc:bb:79:b6:09:da:23:1d:ef:b1:bf:96:72:3d:
+                    fd:b2:8d:86:f1:6f:5d
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:3
+            X509v3 Key Usage: critical
+                Certificate Sign
+            2.23.133.5.4.4: 
+                0....................
+            2.23.133.5.4.5: 
+                DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+            X509v3 Subject Key Identifier: 
+                44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44
+            X509v3 Authority Key Identifier: 
+                21:EE:EF:9A:4C:61:D4:B9:E3:D9:4B:EA:46:F9:A1:2A:C6:88:7C:E2
+    Signature Algorithm: ecdsa-with-SHA384
+    Signature Value:
+        30:64:02:30:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:02:30:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:
+        44:44:44:44:44:44:44:44:44:44:44:44

test/tests/fips_test_suite/common.rs

@@ -51,9 +51,14 @@ const ROM_EXP_1_0_1: RomExpVals = RomExpVals {
     ],
 };
 
+const ROM_EXP_1_0_3: RomExpVals = RomExpVals {
+    rom_version: 0x803, // 1.0.3
+    ..ROM_EXP_1_0_1
+};
+
 const ROM_EXP_1_1_0: RomExpVals = RomExpVals {
     rom_version: 0x840, // 1.1.0
-    ..ROM_EXP_1_0_1
+    ..ROM_EXP_1_0_3
 };
 
 const ROM_EXP_CURRENT: RomExpVals = RomExpVals { ..ROM_EXP_1_1_0 };
@@ -91,6 +96,8 @@ impl HwExpVals {
                     version
                 ),
             }
+        } else if cfg!(feature = "hw-1.0") {
+            HW_EXP_1_0_0
         } else {
             HW_EXP_CURRENT
         }
@@ -102,11 +109,16 @@ impl RomExpVals {
             match version.as_str() {
                 // Add more versions here
                 "1_0_1" => ROM_EXP_1_0_1,
+                "1_0_3" => ROM_EXP_1_0_3,
                 _ => panic!(
                     "FIPS Test: Unknown version for expected ROM values ({})",
                     version
                 ),
             }
+        } else if cfg!(feature = "ci-rom-1.0") {
+            ROM_EXP_1_0_3
+        } else if cfg!(feature = "ci-rom-1.1") {
+            ROM_EXP_1_1_0
         } else {
             ROM_EXP_CURRENT
         }