[crypto/dice] Add dice attestation sign and keygen

The cryptolib needs a feature to recreate the CDI key from ROM_EXT
without allowing Ibex direct read access to it. The cryptolib should get
a keygen function to return the public attestation key and a sign
function to sign with the attestation key.

Currently, the ecc_p256_dice_functest simply generates the public key
and performs a sign-then-verify operation. This was rerun several times
to check the same public key is generated. However, in the future, this
test needs to improve such that it checks the public key against the
x509 cert from the ROM_EXT.

Co-authored-by: Chris Frantz <cfrantz@google.com>
Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>

Author: 2 people

sw/device/lib/crypto/drivers/keymgr.c

@@ -125,19 +125,17 @@ static status_t keymgr_wait_until_done(void) {
 /**
  * Set the control register of the key manager.
  *
- * The CDI select bit is always set to false for this driver (i.e. Sealing
- * CDI). The driver does not support attestation CDI.
- *
  * @param dest (NONE, AES, OTBN, or KMAC)
  * @param operation (GENERATE_SW or GENERATE_HW)
+ * @param attestation (true, false)
  */
-#define WRITE_CTRL(dest, operation)                                            \
+#define WRITE_CTRL(dest, operation, attestation)                               \
   do {                                                                         \
     uint32_t ctrl =                                                            \
         bitfield_field32_write(0, KEYMGR_CONTROL_SHADOWED_DEST_SEL_FIELD,      \
                                KEYMGR_CONTROL_SHADOWED_DEST_SEL_VALUE_##dest); \
     ctrl = bitfield_bit32_write(ctrl, KEYMGR_CONTROL_SHADOWED_CDI_SEL_BIT,     \
-                                false);                                        \
+                                attestation);                                  \
     ctrl = bitfield_field32_write(                                             \
         ctrl, KEYMGR_CONTROL_SHADOWED_OPERATION_FIELD,                         \
         KEYMGR_CONTROL_SHADOWED_OPERATION_VALUE_##operation##_OUTPUT);         \
@@ -150,14 +148,15 @@ static status_t keymgr_wait_until_done(void) {
  *
  * @param dest (NONE, AES, OTBN, or KMAC)
  * @param operation (GENERATE_SW or GENERATE_HW)
+ * @param attestation (true, false)
  */
-#define VERIFY_CTRL(dest, operation)                                           \
+#define VERIFY_CTRL(dest, operation, attestation)                              \
   do {                                                                         \
     uint32_t ctrl =                                                            \
         bitfield_field32_write(0, KEYMGR_CONTROL_SHADOWED_DEST_SEL_FIELD,      \
                                KEYMGR_CONTROL_SHADOWED_DEST_SEL_VALUE_##dest); \
     ctrl = bitfield_bit32_write(ctrl, KEYMGR_CONTROL_SHADOWED_CDI_SEL_BIT,     \
-                                false);                                        \
+                                attestation);                                  \
     ctrl = bitfield_field32_write(                                             \
         ctrl, KEYMGR_CONTROL_SHADOWED_OPERATION_FIELD,                         \
         KEYMGR_CONTROL_SHADOWED_OPERATION_VALUE_##operation##_OUTPUT);         \
@@ -173,14 +172,14 @@ status_t keymgr_generate_key_sw(keymgr_diversification_t diversification,
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate a software-visible key.
-  WRITE_CTRL(NONE, GENERATE_SW);
+  WRITE_CTRL(NONE, GENERATE_SW, false);
 
   // Start the operation and wait for it to complete.
   HARDENED_TRY(keymgr_start(diversification));
   HARDENED_TRY(keymgr_wait_until_done());
 
   // Check the control register.
-  VERIFY_CTRL(NONE, GENERATE_SW);
+  VERIFY_CTRL(NONE, GENERATE_SW, false);
 
   // Collect the output. To avoid side-channel lekage, first randomize the
   // destination buffers using memshred. Then copy the key using a hardened
@@ -203,13 +202,13 @@ status_t keymgr_generate_key_aes(keymgr_diversification_t diversification) {
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate an AES key.
-  WRITE_CTRL(AES, GENERATE_HW);
+  WRITE_CTRL(AES, GENERATE_HW, false);
 
   // Start the operation and wait for it to complete.
   HARDENED_TRY(keymgr_start(diversification));
   HARDENED_TRY(keymgr_wait_until_done());
   // Check the control register.
-  VERIFY_CTRL(AES, GENERATE_HW);
+  VERIFY_CTRL(AES, GENERATE_HW, false);
 
   return OTCRYPTO_OK;
 }
@@ -220,29 +219,50 @@ status_t keymgr_generate_key_kmac(keymgr_diversification_t diversification) {
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate a KMAC key.
-  WRITE_CTRL(KMAC, GENERATE_HW);
+  WRITE_CTRL(KMAC, GENERATE_HW, false);
 
   // Start the operation and wait for it to complete.
   HARDENED_TRY(keymgr_start(diversification));
   HARDENED_TRY(keymgr_wait_until_done());
   // Check the control register.
-  VERIFY_CTRL(KMAC, GENERATE_HW);
+  VERIFY_CTRL(KMAC, GENERATE_HW, false);
   return OTCRYPTO_OK;
 }
 
-status_t keymgr_generate_key_otbn(keymgr_diversification_t diversification) {
+status_t keymgr_generate_key_otbn(keymgr_diversification_t diversification,
+                                  hardened_bool_t attestation) {
   // Ensure that the entropy complex has been initialized and keymgr is idle.
   HARDENED_TRY(entropy_complex_check());
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate an OTBN key.
-  WRITE_CTRL(OTBN, GENERATE_HW);
+  switch (attestation) {
+    case kHardenedBoolFalse:
+      WRITE_CTRL(OTBN, GENERATE_HW, false);
+      break;
+    case kHardenedBoolTrue:
+      WRITE_CTRL(OTBN, GENERATE_HW, true);
+      break;
+    default:
+      HARDENED_TRAP();
+      return OTCRYPTO_FATAL_ERR;
+  }
 
   // Start the operation and wait for it to complete.
   HARDENED_TRY(keymgr_start(diversification));
   HARDENED_TRY(keymgr_wait_until_done());
   // Check the control register.
-  VERIFY_CTRL(OTBN, GENERATE_HW);
+  switch (attestation) {
+    case kHardenedBoolFalse:
+      VERIFY_CTRL(OTBN, GENERATE_HW, false);
+      break;
+    case kHardenedBoolTrue:
+      VERIFY_CTRL(OTBN, GENERATE_HW, true);
+      break;
+    default:
+      HARDENED_TRAP();
+      return OTCRYPTO_FATAL_ERR;
+  }
   return OTCRYPTO_OK;
 }
 

sw/device/lib/crypto/drivers/keymgr.h

@@ -95,11 +95,13 @@ status_t keymgr_generate_key_kmac(
  * waits until the operation is complete before returning.
  *
  * @param diversification Diversification input for the key derivation.
+ * @param attestation Whether to use the DICE key.
  * @return OK or error.
  */
 OT_WARN_UNUSED_RESULT
 status_t keymgr_generate_key_otbn(
-    const keymgr_diversification_t diversification);
+    const keymgr_diversification_t diversification,
+    hardened_bool_t attestation);
 
 /**
  * Clear the sideloaded AES key.

sw/device/lib/crypto/drivers/keymgr_test.c

@@ -78,7 +78,14 @@ status_t kmac_basic_test(void) {
  * Test generating a single sideloaded OTBN key.
  */
 status_t otbn_basic_test(void) {
-  return keymgr_generate_key_otbn(kTestDiversification);
+  return keymgr_generate_key_otbn(kTestDiversification, kHardenedBoolFalse);
+}
+
+/**
+ * Test generating a single sideloaded OTBN CDI key.
+ */
+status_t otbn_basic_cdi_test(void) {
+  return keymgr_generate_key_otbn(kTestDiversification, kHardenedBoolTrue);
 }
 
 /**
@@ -212,6 +219,7 @@ bool test_main(void) {
   EXECUTE_TEST(result, aes_basic_test);
   EXECUTE_TEST(result, kmac_basic_test);
   EXECUTE_TEST(result, otbn_basic_test);
+  EXECUTE_TEST(result, otbn_basic_cdi_test);
   EXECUTE_TEST(result, run_negative_test);
 
   return status_ok(result);

sw/device/lib/crypto/impl/ecc/BUILD

@@ -33,6 +33,7 @@ cc_library(
         "//sw/device/lib/base:hardened_memory",
         "//sw/device/lib/crypto/drivers:otbn",
         "//sw/device/lib/crypto/drivers:rv_core_ibex",
+        "//sw/device/lib/crypto/impl:integrity",
         "//sw/device/lib/crypto/impl:status",
         "//sw/otbn/crypto:run_p256",
     ],

sw/device/lib/crypto/impl/ecc/p256.c

@@ -8,6 +8,7 @@
 #include "sw/device/lib/base/hardened.h"
 #include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/crypto/drivers/otbn.h"
+#include "sw/device/lib/crypto/include/integrity.h"
 
 #include "hw/top_earlgrey/sw/autogen/top_earlgrey.h"
 
@@ -31,6 +32,9 @@ OTBN_DECLARE_SYMBOL_ADDR(run_p256, k0_io);  // Secret scalar k (share 0).
 OTBN_DECLARE_SYMBOL_ADDR(run_p256, k1_io);  // Secret scalar k (share 1).
 OTBN_DECLARE_SYMBOL_ADDR(run_p256, x_r);    // ECDSA verification result.
 OTBN_DECLARE_SYMBOL_ADDR(run_p256, ok);     // Status code.
+OTBN_DECLARE_SYMBOL_ADDR(
+    run_p256,
+    attestation_additional_seed);  // Additional seed for attestation keygen.
 
 static const otbn_addr_t kOtbnVarMode = OTBN_ADDR_T_INIT(run_p256, mode);
 static const otbn_addr_t kOtbnVarMsg = OTBN_ADDR_T_INIT(run_p256, msg);
@@ -44,6 +48,8 @@ static const otbn_addr_t kOtbnVarK0 = OTBN_ADDR_T_INIT(run_p256, k0_io);
 static const otbn_addr_t kOtbnVarK1 = OTBN_ADDR_T_INIT(run_p256, k1_io);
 static const otbn_addr_t kOtbnVarXr = OTBN_ADDR_T_INIT(run_p256, x_r);
 static const otbn_addr_t kOtbnVarOk = OTBN_ADDR_T_INIT(run_p256, ok);
+static const otbn_addr_t kOtbnVarBootAttestationAdditionalSeed =
+    OTBN_ADDR_T_INIT(run_p256, attestation_additional_seed);
 
 // Declare mode constants.
 OTBN_DECLARE_SYMBOL_ADDR(run_p256, MODE_KEYGEN);
@@ -99,12 +105,12 @@ enum {
    * The expected instruction counts for constant time functions.
    */
   kModeKeygenInsCnt = 573915,
-  kModeKeygenSideloadInsCnt = 573800,
+  kModeKeygenSideloadInsCnt = 573807,
   kModeEcdhInsCnt = 581600,
-  kModeEcdhSideloadInsCnt = 581658,
+  kModeEcdhSideloadInsCnt = 581665,
   kModeEcdsaSignConfigKInsCnt = 606939,
   kModeEcdsaSignInsCnt = 607089,
-  kModeEcdsaSignSideloadInsCnt = 607147,
+  kModeEcdsaSignSideloadInsCnt = 607154,
   kModePointOnCurveCheckInsCnt = 224,
   kModeBasePointMultInsCnt = 573749,
   kModeShareSecretKeyInsCnt = 147,
@@ -188,6 +194,36 @@ status_t p256_sideload_keygen_start(void) {
   // Set mode so start() will jump into sideload-keygen.
   uint32_t mode = kOtbnP256ModeSideloadKeygen;
   HARDENED_TRY(otbn_dmem_write(kOtbnP256ModeWords, &mode, kOtbnVarMode));
+  // No attestation seed is used.
+  HARDENED_TRY(otbn_dmem_set(kDiceAttestationMaxSeedLength, 0,
+                             kOtbnVarBootAttestationAdditionalSeed));
+
+  // Start the OTBN routine.
+  return otbn_execute();
+}
+
+status_t p256_sideload_attestation_keygen_start(
+    otcrypto_const_word32_buf_t *attestation_seed) {
+  if (launder32(attestation_seed->len) > kDiceAttestationMaxSeedLength) {
+    return OTCRYPTO_BAD_ARGS;
+  }
+
+  HARDENED_CHECK_EQ(kHardenedBoolTrue, OTCRYPTO_CHECK_BUF(attestation_seed));
+
+  // Load the P-256 app. Fails if OTBN is non-idle.
+  HARDENED_TRY(otbn_load_app(kOtbnAppP256));
+
+  // Set mode so start() will jump into sideload-keygen.
+  uint32_t mode = kOtbnP256ModeSideloadKeygen;
+  HARDENED_TRY(otbn_dmem_write(kOtbnP256ModeWords, &mode, kOtbnVarMode));
+
+  HARDENED_TRY(otbn_dmem_write(attestation_seed->len, attestation_seed->data,
+                               kOtbnVarBootAttestationAdditionalSeed));
+  // Pad the remainder by zeros.
+  HARDENED_TRY(
+      otbn_dmem_set(kDiceAttestationMaxSeedLength - attestation_seed->len, 0,
+                    kOtbnVarBootAttestationAdditionalSeed +
+                        attestation_seed->len * sizeof(uint32_t)));
 
   // Start the OTBN routine.
   return otbn_execute();
@@ -309,6 +345,9 @@ status_t p256_ecdsa_sideload_sign_start(
   // Set mode so start() will jump into sideloaded signing.
   uint32_t mode = kOtbnP256ModeSideloadSign;
   HARDENED_TRY(otbn_dmem_write(kOtbnP256ModeWords, &mode, kOtbnVarMode));
+  // No attestation seed is used.
+  HARDENED_TRY(otbn_dmem_set(kDiceAttestationMaxSeedLength, 0,
+                             kOtbnVarBootAttestationAdditionalSeed));
 
   // Set the message digest.
   HARDENED_TRY(set_message_digest(digest));
@@ -317,6 +356,37 @@ status_t p256_ecdsa_sideload_sign_start(
   return otbn_execute();
 }
 
+status_t p256_sideload_attestation_sign_start(
+    const uint32_t digest[kP256ScalarWords],
+    otcrypto_const_word32_buf_t *attestation_seed) {
+  if (launder32(attestation_seed->len) > kDiceAttestationMaxSeedLength) {
+    return OTCRYPTO_BAD_ARGS;
+  }
+  HARDENED_CHECK_EQ(kHardenedBoolTrue, OTCRYPTO_CHECK_BUF(attestation_seed));
+
+  // Load the P-256 app. Fails if OTBN is non-idle.
+  HARDENED_TRY(otbn_load_app(kOtbnAppP256));
+
+  // Set mode so start() will jump into sideloaded signing.
+  uint32_t mode = kOtbnP256ModeSideloadSign;
+  HARDENED_TRY(otbn_dmem_write(kOtbnP256ModeWords, &mode, kOtbnVarMode));
+
+  // Set the message digest.
+  HARDENED_TRY(set_message_digest(digest));
+
+  // Write the attestation seed to the extra variables area.
+  HARDENED_TRY(otbn_dmem_write(attestation_seed->len, attestation_seed->data,
+                               kOtbnVarBootAttestationAdditionalSeed));
+  // Pad the remainder by zeros.
+  HARDENED_TRY(
+      otbn_dmem_set(kDiceAttestationMaxSeedLength - attestation_seed->len, 0,
+                    kOtbnVarBootAttestationAdditionalSeed +
+                        attestation_seed->len * sizeof(uint32_t)));
+
+  // Start the OTBN routine.
+  return otbn_execute();
+}
+
 status_t p256_ecdsa_sign_finalize(p256_ecdsa_signature_t *result) {
   uint32_t ins_cnt;
   // Spin here waiting for OTBN to complete.
@@ -472,6 +542,10 @@ status_t p256_sideload_ecdh_start(const p256_point_t *public_key) {
   // Set the public key y coordinate.
   HARDENED_TRY(otbn_dmem_write(kP256CoordWords, public_key->y, kOtbnVarY));
 
+  // No attestation seed is used.
+  HARDENED_TRY(otbn_dmem_set(kDiceAttestationMaxSeedLength, 0,
+                             kOtbnVarBootAttestationAdditionalSeed));
+
   // Start the OTBN routine.
   return otbn_execute();
 }

sw/device/lib/crypto/impl/ecc/p256.h

@@ -73,6 +73,10 @@ enum {
    */
   kP256MaskedScalarTotalShareWords =
       kP256MaskedScalarNumShares * kP256MaskedScalarShareWords,
+  /**
+   * Maximum length of the attestation seed for the CDI key.
+   */
+  kDiceAttestationMaxSeedLength = 512 / 32,
 };
 
 /**
@@ -218,6 +222,20 @@ status_t p256_keygen_finalize(p256_masked_scalar_t *private_key,
 OT_WARN_UNUSED_RESULT
 status_t p256_sideload_keygen_start(void);
 
+/**
+ * Start an async P-256 sideloaded keypair generation operation with the CDI
+ * secret on OTBN.
+ *
+ * Expects a sideloaded key from keymgr to be already loaded on OTBN. Returns
+ * an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
+ *
+ * @param attestation_seed The additional per-chip fixed entropy.
+ * @return Result of the operation (OK or error).
+ */
+OT_WARN_UNUSED_RESULT
+status_t p256_sideload_attestation_keygen_start(
+    otcrypto_const_word32_buf_t *attestation_seed);
+
 /**
  * Finish an async P-256 sideloaded keypair generation operation on OTBN.
  *
@@ -282,6 +300,22 @@ OT_WARN_UNUSED_RESULT
 status_t p256_ecdsa_sideload_sign_start(
     const uint32_t digest[kP256ScalarWords]);
 
+/**
+ * Start an async ECDSA/P-256 signature generation operation on OTBN with the
+ * CDI key.
+ *
+ * Expects a sideloaded key from keymgr to be already loaded on OTBN. Returns
+ * an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
+ *
+ * @param digest Digest of the message to sign.
+ * @param attestation_seed The additional per-chip fixed entropy.
+ * @return Result of the operation (OK or error).
+ */
+OT_WARN_UNUSED_RESULT
+status_t p256_sideload_attestation_sign_start(
+    const uint32_t digest[kP256ScalarWords],
+    otcrypto_const_word32_buf_t *attestation_seed);
+
 /**
  * Finish an async ECDSA/P-256 signature generation operation on OTBN.
  *