chipsalliance · mhatrevi · Nov 10, 2024 · Nov 5, 2024 · Nov 6, 2024 · Nov 7, 2024
diff --git a/api/src/mailbox.rs b/api/src/mailbox.rs
@@ -948,7 +948,7 @@ pub struct SetAuthManifestReq {
     pub manifest: [u8; SetAuthManifestReq::MAX_MAN_SIZE],
 }
 impl SetAuthManifestReq {
-    pub const MAX_MAN_SIZE: usize = 8192;
+    pub const MAX_MAN_SIZE: usize = 14 * 1024;
 
     pub fn as_bytes_partial(&self) -> CaliptraResult<&[u8]> {
         if self.manifest_size as usize > Self::MAX_MAN_SIZE {

diff --git a/auth-manifest/app/src/config.rs b/auth-manifest/app/src/config.rs
@@ -38,7 +38,7 @@ pub(crate) struct AuthManifestKeyConfigFromFile {
 }
 
 #[derive(Serialize, Deserialize)]
-pub struct ImageMetadata {
+pub struct ImageMetadataConfigFromFile {
     digest: String,
     source: u32,
 }
@@ -54,7 +54,7 @@ pub(crate) struct AuthManifestConfigFromFile {
 
     pub owner_man_key_config: Option<AuthManifestKeyConfigFromFile>,
 
-    pub image_metadata_list: Vec<ImageMetadata>,
+    pub image_metadata_list: Vec<ImageMetadataConfigFromFile>,
 }
 
 /// Load Authorization Manifest Key Configuration from file
@@ -116,7 +116,7 @@ pub(crate) fn owner_config_from_file(
 }
 
 pub(crate) fn image_metadata_config_from_file(
-    config: &Vec<ImageMetadata>,
+    config: &Vec<ImageMetadataConfigFromFile>,
 ) -> anyhow::Result<Vec<AuthManifestImageMetadata>> {
     let mut image_metadata_list = Vec::new();
 

diff --git a/auth-manifest/gen/src/generator.rs b/auth-manifest/gen/src/generator.rs
@@ -47,9 +47,7 @@ impl<Crypto: ImageGeneratorCrypto> AuthManifestGenerator<Crypto> {
         let slice = config.image_metadata_list.as_slice();
         auth_manifest.image_metadata_col.image_metadata_list[..slice.len()].copy_from_slice(slice);
 
-        auth_manifest.image_metadata_col.header.entry_count =
-            config.image_metadata_list.len() as u32;
-        auth_manifest.image_metadata_col.header.revision = 0; // [TODO] Need to update this.
+        auth_manifest.image_metadata_col.entry_count = config.image_metadata_list.len() as u32;
 
         // Generate the preamble.
         auth_manifest.preamble.marker = AUTH_MANIFEST_MARKER;
@@ -118,7 +116,7 @@ impl<Crypto: ImageGeneratorCrypto> AuthManifestGenerator<Crypto> {
         // Sign the IMC with the vendor manifest public keys if indicated in the flags.
         if config
             .flags
-            .contains(AuthManifestFlags::VENDOR_SIGNATURE_REQURIED)
+            .contains(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED)
         {
             if let Some(vendor_man_priv_keys) = config.vendor_man_key_info.priv_keys {
                 let sig = self.crypto.ecdsa384_sign(

diff --git a/auth-manifest/types/src/lib.rs b/auth-manifest/types/src/lib.rs
@@ -23,12 +23,12 @@ use zerocopy::{AsBytes, FromBytes};
 use zeroize::Zeroize;
 
 pub const AUTH_MANIFEST_MARKER: u32 = 0x4154_4D4E;
-pub const AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT: usize = 16;
+pub const AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT: usize = 128;
 
 bitflags::bitflags! {
     #[derive(Default, Copy, Clone, Debug)]
     pub struct AuthManifestFlags : u32 {
-        const VENDOR_SIGNATURE_REQURIED = 0b1;
+        const VENDOR_SIGNATURE_REQUIRED = 0b1;
     }
 }
 
@@ -139,18 +139,6 @@ pub struct AuthManifestImageMetadata {
     pub image_source: u32,
 }
 
-/// Caliptra Authorization Manifest Image Metadata Collection Header
-#[repr(C)]
-#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)]
-#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
-pub struct AuthManifestImageMetadataCollectionHeader {
-    pub revision: u32,
-
-    pub reserved: [u8; 12],
-
-    pub entry_count: u32,
-}
-
 impl Default for AuthManifestImageMetadata {
     fn default() -> Self {
         AuthManifestImageMetadata {
@@ -162,14 +150,24 @@ impl Default for AuthManifestImageMetadata {
 
 /// Caliptra Authorization Manifest Image Metadata Collection
 #[repr(C)]
-#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)]
+#[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize)]
 #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 pub struct AuthManifestImageMetadataCollection {
-    pub header: AuthManifestImageMetadataCollectionHeader,
+    pub entry_count: u32,
 
     pub image_metadata_list: [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT],
 }
 
+impl Default for AuthManifestImageMetadataCollection {
+    fn default() -> Self {
+        AuthManifestImageMetadataCollection {
+            entry_count: 0,
+            image_metadata_list: [AuthManifestImageMetadata::default();
+                AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT],
+        }
+    }
+}
+
 /// Caliptra Image Authorization Manifest
 #[repr(C)]
 #[derive(AsBytes, FromBytes, Clone, Copy, Debug, Zeroize, Default)]

@@ -87,7 +87,7 @@ pub use okref::okref;
 pub use pcr_bank::{PcrBank, PcrId};
 pub use pcr_reset::PcrResetCounter;
 #[cfg(feature = "runtime")]
-pub use persistent::{AuthManifestImageMetadataList, AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT};
+pub use persistent::AuthManifestImageMetadataList;
 pub use persistent::{
     FuseLogArray, PcrLogArray, PersistentData, PersistentDataAccessor, StashMeasurementArray,
     FUSE_LOG_MAX_COUNT, MEASUREMENT_MAX_COUNT, PCR_LOG_MAX_COUNT,

@@ -40,7 +40,7 @@ pub const FUSE_LOG_ORG: u32 = 0x50005000;
 pub const DPE_ORG: u32 = 0x50005400;
 pub const PCR_RESET_COUNTER_ORG: u32 = 0x50006800;
 pub const AUTH_MAN_IMAGE_METADATA_LIST_ORG: u32 = 0x50006C00;
-pub const DATA_ORG: u32 = 0x50007000;
+pub const DATA_ORG: u32 = 0x50008800;
 
 pub const STACK_ORG: u32 = 0x5001A000;
 pub const ROM_STACK_ORG: u32 = 0x5001C000;
@@ -71,8 +71,8 @@ pub const MEASUREMENT_LOG_SIZE: u32 = 1024;
 pub const FUSE_LOG_SIZE: u32 = 1024;
 pub const DPE_SIZE: u32 = 5 * 1024;
 pub const PCR_RESET_COUNTER_SIZE: u32 = 1024;
-pub const AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE: u32 = 1024;
-pub const DATA_SIZE: u32 = 76 * 1024;
+pub const AUTH_MAN_IMAGE_METADATA_MAX_SIZE: u32 = 7 * 1024;
+pub const DATA_SIZE: u32 = 70 * 1024;
 pub const STACK_SIZE: u32 = 22 * 1024;
 pub const ROM_STACK_SIZE: u32 = 14 * 1024;
 pub const ESTACK_SIZE: u32 = 1024;

@@ -3,9 +3,10 @@
 use core::{marker::PhantomData, mem::size_of, ptr::addr_of};
 
 #[cfg(feature = "runtime")]
-use caliptra_auth_man_types::AuthManifestImageMetadata;
-#[cfg(feature = "runtime")]
-use caliptra_auth_man_types::AuthManifestImageMetadataCollection;
+use caliptra_auth_man_types::{
+    AuthManifestImageMetadata, AuthManifestImageMetadataCollection,
+    AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT,
+};
 use caliptra_image_types::ImageManifest;
 #[cfg(feature = "runtime")]
 use dpe::{DpeInstance, U8Bool, MAX_HANDLES};
@@ -25,8 +26,6 @@ use crate::pcr_reset::PcrResetCounter;
 pub const PCR_LOG_MAX_COUNT: usize = 17;
 pub const FUSE_LOG_MAX_COUNT: usize = 62;
 pub const MEASUREMENT_MAX_COUNT: usize = 8;
-#[cfg(feature = "runtime")]
-pub const AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT: usize = 8;
 
 #[cfg(feature = "runtime")]
 const DPE_DCCM_STORAGE: usize = size_of::<DpeInstance>()
@@ -42,7 +41,7 @@ pub type FuseLogArray = [FuseLogEntry; FUSE_LOG_MAX_COUNT];
 pub type StashMeasurementArray = [MeasurementLogEntry; MEASUREMENT_MAX_COUNT];
 #[cfg(feature = "runtime")]
 pub type AuthManifestImageMetadataList =
-    [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT];
+    [AuthManifestImageMetadata; AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT];
 
 #[derive(FromBytes, AsBytes, Zeroize)]
 #[repr(C)]
@@ -95,12 +94,12 @@ pub struct PersistentData {
     #[cfg(feature = "runtime")]
     pub auth_manifest_image_metadata_col: AuthManifestImageMetadataCollection,
     #[cfg(feature = "runtime")]
-    reserved9: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE as usize
+    reserved9: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize
         - size_of::<AuthManifestImageMetadataCollection>()],
 
     #[cfg(not(feature = "runtime"))]
     pub auth_manifest_image_metadata_col:
-        [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE as usize],
+        [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize],
 }
 impl PersistentData {
     pub fn assert_matches_layout() {
@@ -131,7 +130,7 @@ impl PersistentData {
             assert_eq!(
                 P.add(1) as u32,
                 memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_ORG
-                    + memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_MAX_SIZE
+                    + memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE
             );
         }
     }

@@ -738,10 +738,8 @@ Command Code: `0x4154_4D4E` ("ATMN")
 | metadata\_vendor\_LMS\_sig    | u32[1344]    | Metadata Vendor LMOTS-SHA192-W4 signature                                   |
 | metadata\_owner\_ecc384\_sig  | u32[24]      | Metadata Owner ECC384 signature                                             |
 | metadata\_owner\_LMS\_sig     | u32[1344]    | Metadata Owner LMOTS-SHA192-W4 signature                                    |
-| metadata\_header\_revision    | u32          | Revision of the metadata header                                             |
-| metadata\_header\_reserved    | u32[3]       | Reserved                                                                    |
 | metadata\_entry\_entry\_count | u32          | number of metadata entries                                                  |
-| metadata\_entries             | MetaData[16] | The max number of metadata is 16 but less can be used                       |
+| metadata\_entries             | MetaData[128] | The max number of metadata entries is 128 but less can be used             |
 
 
 *Table: `AUTH_MANIFEST_FLAGS` input flags*

@@ -17,8 +17,7 @@ use core::mem::size_of;
 
 use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers, StashMeasurementCmd};
 use caliptra_auth_man_types::{
-    AuthManifestImageMetadataCollection, AuthManifestImageMetadataCollectionHeader,
-    AuthManifestPreamble, AUTH_MANIFEST_MARKER,
+    AuthManifestImageMetadataCollection, AuthManifestPreamble, AUTH_MANIFEST_MARKER,
 };
 use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_cfi_lib_git::cfi_launder;
@@ -30,7 +29,6 @@ use caliptra_drivers::{
     pcr_log::PCR_ID_STASH_MEASUREMENT, Array4x12, Array4xN, AuthManifestImageMetadataList,
     CaliptraError, CaliptraResult, Ecc384, Ecc384PubKey, Ecc384Signature, HashValue, Lms,
     PersistentData, RomVerifyConfig, Sha256, Sha384, SocIfc,
-    AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT,
 };
 use caliptra_image_types::{
     ImageDigest, ImageEccPubKey, ImageEccSignature, ImageLmsPublicKey, ImageLmsSignature,

@@ -25,7 +25,7 @@ pub struct Packet {
     pub len: usize, // Length in bytes
 }
 
-const MAX_PAYLOAD_SIZE: usize = 2050; // in dwords
+const MAX_PAYLOAD_SIZE: usize = 3586; // in dwords
 
 impl Default for Packet {
     fn default() -> Self {

@@ -18,8 +18,8 @@ use core::mem::size_of;
 use crate::verify;
 use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers};
 use caliptra_auth_man_types::{
-    AuthManifestFlags, AuthManifestImageMetadataCollection,
-    AuthManifestImageMetadataCollectionHeader, AuthManifestPreamble, AUTH_MANIFEST_MARKER,
+    AuthManifestFlags, AuthManifestImageMetadataCollection, AuthManifestPreamble,
+    AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT, AUTH_MANIFEST_MARKER,
 };
 use caliptra_cfi_derive_git::cfi_impl_fn;
 use caliptra_cfi_lib_git::cfi_launder;
@@ -30,7 +30,6 @@ use caliptra_drivers::{
     pcr_log::PCR_ID_STASH_MEASUREMENT, Array4x12, Array4xN, AuthManifestImageMetadataList,
     CaliptraError, CaliptraResult, Ecc384, Ecc384PubKey, Ecc384Signature, HashValue, Lms,
     PersistentData, RomVerifyConfig, Sha256, Sha384, SocIfc,
-    AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT,
 };
 use caliptra_image_types::{
     ImageDigest, ImageEccPubKey, ImageEccSignature, ImageLmsPublicKey, ImageLmsSignature,
@@ -239,7 +238,7 @@ impl SetAuthManifestCmd {
         soc_ifc: &SocIfc,
     ) -> CaliptraResult<()> {
         let flags = AuthManifestFlags::from(auth_manifest_preamble.flags);
-        if !flags.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQURIED) {
+        if !flags.contains(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED) {
             return Ok(());
         }
         // Verify the vendor ECC signature over the image metadata collection.
@@ -362,7 +361,7 @@ impl SetAuthManifestCmd {
         sha256: &mut Sha256,
         soc_ifc: &SocIfc,
     ) -> CaliptraResult<()> {
-        if cmd_buf.len() < size_of::<AuthManifestImageMetadataCollectionHeader>() {
+        if cmd_buf.len() < size_of::<u32>() {
             Err(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_SIZE)?;
         }
 
@@ -376,9 +375,8 @@ impl SetAuthManifestCmd {
 
         image_metadata_col.as_bytes_mut()[..col_size].copy_from_slice(buf);
 
-        if image_metadata_col.header.entry_count == 0
-            || image_metadata_col.header.entry_count
-                > AUTH_MANIFEST_IMAGE_METADATA_LIST_MAX_COUNT as u32
+        if image_metadata_col.entry_count == 0
+            || image_metadata_col.entry_count > AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT as u32
         {
             Err(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT)?;
         }

@@ -97,7 +97,7 @@ fn test_auth_manifest() -> AuthorizationManifest {
         owner_man_key_info,
         image_metadata_list,
         version: 1,
-        flags: AuthManifestFlags::VENDOR_SIGNATURE_REQURIED,
+        flags: AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED,
     };
 
     let gen = AuthManifestGenerator::new(Crypto::default());
@@ -273,7 +273,7 @@ fn test_set_auth_manifest_invalid_owner_lms_sig() {
 #[test]
 fn test_set_auth_manifest_invalid_metadata_list_count() {
     let mut auth_manifest = test_auth_manifest();
-    auth_manifest.image_metadata_col.header.entry_count = 0;
+    auth_manifest.image_metadata_col.entry_count = 0;
     test_manifest_expect_err(
         auth_manifest,
         CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,