Add task named 'attest' that acts as the root of trust for reporting.

oxidecomputer · Jun 22, 2023 · 2fb10de · 2fb10de
1 parent 32bb50e
commit 2fb10de
Show file tree

Hide file tree

Showing 18 changed files with 526 additions and 13 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/app/lpc55xpresso/app-sprot.toml b/app/lpc55xpresso/app-sprot.toml
@@ -208,6 +208,14 @@ pins = [
     { name = "SP_RESET", pin = { port = 1, pin = 5}, alt = 0, direction = "input"},
 ]
 
+[tasks.attest]
+name = "task-attest"
+priority = 5
+max-sizes = {flash = 12256, ram = 16384}
+stacksize = 9000
+start = true
+extern-regions = ["dice_alias", "dice_certs"]
+
 [signing.certs]
 signing-certs = ["../../support/fake_certs/fake_certificate.der.crt"]
 root-certs = ["../../support/fake_certs/fake_certificate.der.crt"]

diff --git a/app/lpc55xpresso/app.toml b/app/lpc55xpresso/app.toml
@@ -133,6 +133,14 @@ task-slots = ["jefe"]
 stacksize = 1200
 extern-regions = ["sram2"]
 
+[tasks.attest]
+name = "task-attest"
+priority = 5
+max-sizes = {flash = 12256, ram = 16384}
+stacksize = 9000
+start = true
+extern-regions = ["dice_alias", "dice_certs"]
+
 [signing.certs]
 signing-certs = ["../../support/fake_certs/fake_certificate.der.crt"]
 root-certs = ["../../support/fake_certs/fake_certificate.der.crt"]

diff --git a/app/oxide-rot-1/app-dev.toml b/app/oxide-rot-1/app-dev.toml
@@ -9,7 +9,7 @@ version = 0
 
 [kernel]
 name = "oxide-rot-1"
-requires = {flash = 52384, ram = 4096}
+requires = {flash = 52512, ram = 4096}
 features = ["dice-self"]
 
 [caboose]
@@ -155,6 +155,14 @@ stacksize = 2048
 [tasks.sp_measure.config]
 binary_path = "../../target/gimlet-c/dist/default/final.bin"
 
+[tasks.attest]
+name = "task-attest"
+priority = 5
+max-sizes = {flash = 12256, ram = 16384}
+stacksize = 9000
+start = true
+extern-regions = ["dice_alias", "dice_certs"]
+
 [signing.certs]
 signing-certs = ["../../support/fake_certs/fake_certificate.der.crt"]
 root-certs = ["../../support/fake_certs/fake_certificate.der.crt"]

diff --git a/app/oxide-rot-1/app.toml b/app/oxide-rot-1/app.toml
@@ -9,7 +9,7 @@ version = 0
 
 [kernel]
 name = "oxide-rot-1"
-requires = {flash = 59840, ram = 2528}
+requires = {flash = 59840, ram = 2696}
 features = ["dice-mfg"]
 
 [caboose]
@@ -134,6 +134,14 @@ start = true
 stacksize = 2600
 task-slots = ["swd"]
 
+[tasks.attest]
+name = "task-attest"
+priority = 5
+max-sizes = {flash = 12256, ram = 16384}
+stacksize = 9000
+start = true
+extern-regions = ["dice_alias", "dice_certs"]
+
 [signing.certs]
 signing-certs = ["../../support/fake_certs/fake_certificate.der.crt"]
 root-certs = ["../../support/fake_certs/fake_certificate.der.crt"]

diff --git a/app/rot-carrier/app.toml b/app/rot-carrier/app.toml
@@ -201,6 +201,14 @@ stacksize = 2048
 [tasks.sp_measure.config]
 binary_path = "../../target/gemini-bu/dist/final.bin"
 
+[tasks.attest]
+name = "task-attest"
+priority = 5
+max-sizes = {flash = 12256, ram = 16384}
+stacksize = 9000
+start = true
+extern-regions = ["dice_alias", "dice_certs"]
+
 [signing.certs]
 signing-certs = ["../../support/fake_certs/fake_certificate.der.crt"]
 root-certs = ["../../support/fake_certs/fake_certificate.der.crt"]

diff --git a/chips/lpc55/chip.toml b/chips/lpc55/chip.toml
@@ -53,14 +53,6 @@ size = 4096
 
 # this is the start of the USB SRAM AHB peripheral (0x4000 bytes total)
 # we appropriate this SRAM for passing DICE artifacts
-[dice_certs]
-address = 0x40100000
-size = 0xa00
-
-[dice_alias]
-address = 0x40100a00
-size = 0x800
-
 [dice_spmeasure]
 address = 0x40101200
 size = 0x800

diff --git a/chips/lpc55/memory.toml b/chips/lpc55/memory.toml
@@ -107,3 +107,37 @@ write = false
 execute = false
 dma = true
 
+# RAM region used to hand common part of DICE certificate chain forward to
+# Hubris tasks
+[[dice_certs]]
+name = "a"
+address = 0x40100000
+size = 0xa00
+read = true
+write = false
+execute = false
+
+[[dice_certs]]
+name = "b"
+address = 0x40100000
+size = 0xa00
+read = true
+write = false
+execute = false
+
+# RAM region used to hand DICE artifacts forward to the attestation responder
+[[dice_alias]]
+name = "a"
+address = 0x40100a00
+size = 0x800
+read = true
+write = true
+execute = false
+
+[[dice_alias]]
+name = "b"
+address = 0x40100a00
+size = 0x800
+read = true
+write = true
+execute = false
diff --git a/idl/attest.idol b/idl/attest.idol
@@ -0,0 +1,45 @@
+// Interface to 'attest' task.
+
+Interface(
+    name: "Attest",
+    ops: {
+        "cert_chain_len": (
+            doc: "Get the number of certs in the attestation cert chain",
+            args: {},
+            reply: Result(
+                ok: "u32",
+                err: Complex("AttestError"),
+            ),
+            encoding: Hubpack,
+            idempotent: true,
+        ),
+        "cert": (
+            doc: "Get a cert from the RoT-R",
+            args: {
+				"index" : "u32",
+                "offset" : "u32",
+            },
+            leases: {
+                "dest": (type: "[u8]", write: true),
+            },
+            reply: Result(
+                ok: "()",
+                err: Complex("AttestError"),
+            ),
+            encoding: Hubpack,
+            idempotent: true,
+        ),
+        "cert_len": (
+            doc: "Get length of a cert in the cert chain",
+            args: {
+                "index" : "u32",
+            },
+            reply: Result(
+                ok: "u32",
+                err: Complex("AttestError"),
+            ),
+            encoding: Hubpack,
+            idempotent: true,
+        )
+    }
+)
diff --git a/lib/dice/src/lib.rs b/lib/dice/src/lib.rs
@@ -295,7 +295,7 @@ impl RngSeed {
 }
 
 #[derive(Deserialize, Serialize, SerializedSize)]
-pub struct PersistIdCert(SizedBlob);
+pub struct PersistIdCert(pub SizedBlob);
 
 #[derive(Deserialize, Serialize, SerializedSize)]
-pub struct IntermediateCert(SizedBlob);
+pub struct IntermediateCert(pub SizedBlob);
diff --git a/lib/stage0-handoff/src/lib.rs b/lib/stage0-handoff/src/lib.rs
@@ -30,7 +30,7 @@ const_assert!(DICE_RANGE.end <= UPDATE_RANGE.start);
 const_assert!(UPDATE_RANGE.end <= MEM_RANGE.end);
 /// The error returned when `HandoffData::load` fails.
 #[derive(
-    Debug, Clone, PartialEq, Eq, Deserialize, Serialize, SerializedSize,
+    Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize, SerializedSize,
 )]
 pub enum HandoffDataLoadError {
     Deserialize,

diff --git a/task/attest-api/Cargo.toml b/task/attest-api/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+name = "attest-api"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+derive-idol-err = { path = "../../lib/derive-idol-err" }
+hubpack = { workspace = true }
+idol-runtime = { workspace = true }
+num-traits = { workspace = true }
+serde = { workspace = true }
+userlib = {  path = "../../sys/userlib", features = ["panic-messages"]  }
+zerocopy = { workspace = true }
+
+[build-dependencies]
+idol = { workspace = true }
+serde = { workspace = true }
+
+[lib]
+test = false
+bench = false
diff --git a/task/attest-api/build.rs b/task/attest-api/build.rs
@@ -0,0 +1,11 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+use idol::client;
+use std::error::Error;
+
+fn main() -> Result<(), Box<dyn Error + Send + Sync>> {
+    client::build_client_stub("../../idl/attest.idol", "client_stub.rs")?;
+    Ok(())
+}
diff --git a/task/attest-api/src/lib.rs b/task/attest-api/src/lib.rs
@@ -0,0 +1,23 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! API crate for the 'attest' task.
+
+#![no_std]
+
+use hubpack::SerializedSize;
+use serde::{Deserialize, Serialize};
+use userlib::sys_send;
+
+#[derive(
+    Copy, Clone, Debug, Deserialize, Eq, PartialEq, Serialize, SerializedSize,
+)]
+pub enum AttestError {
+    CertTooBig,
+    InvalidCertIndex,
+    NoCerts,
+    OutOfRange,
+}
+
+include!(concat!(env!("OUT_DIR"), "/client_stub.rs"));
diff --git a/task/attest/Cargo.toml b/task/attest/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+name = "task-attest"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+lib-dice = { path = "../../lib/dice" }
+hubpack = { workspace = true }
+idol-runtime = { workspace = true }
+num-traits = { workspace = true }
+ringbuf = { path = "../../lib/ringbuf" }
+serde = { workspace = true }
+stage0-handoff = { path = "../../lib/stage0-handoff" }
+attest-api = { path = "../attest-api" }
+unwrap-lite = { path = "../../lib/unwrap-lite" }
+userlib = { path = "../../sys/userlib", features = ["panic-messages"] }
+zerocopy = { workspace = true }
+
+[build-dependencies]
+anyhow.workspace = true
+idol.workspace = true
+serde.workspace = true
+
+build-util = { path = "../../build/util" }
+
+[[bin]]
+name = "task-attest"
+test = false
+bench = false