From 1c760802c36628dbbdcc32813cd65c8a2cd553fd Mon Sep 17 00:00:00 2001 From: Arthur Heymans Date: Wed, 20 Nov 2024 14:37:59 +0100 Subject: [PATCH] Add keyvault with 64b keys --- sw-emulator/lib/periph/src/asym_ecc384.rs | 2 +- sw-emulator/lib/periph/src/doe.rs | 20 +++++++++++--- sw-emulator/lib/periph/src/hash_sha512.rs | 28 ++++++++++--------- sw-emulator/lib/periph/src/key_vault.rs | 33 ++++++++++++----------- sw-emulator/lib/periph/src/root_bus.rs | 6 +++-- 5 files changed, 53 insertions(+), 36 deletions(-) diff --git a/sw-emulator/lib/periph/src/asym_ecc384.rs b/sw-emulator/lib/periph/src/asym_ecc384.rs index 859890a200..f4d0dd249a 100644 --- a/sw-emulator/lib/periph/src/asym_ecc384.rs +++ b/sw-emulator/lib/periph/src/asym_ecc384.rs @@ -638,7 +638,7 @@ impl AsymEcc384 { let pcr_digest = self.hash_sha512.pcr_hash_digest(); - let signature = Ecc384::sign(&pcr_key, &pcr_digest); + let signature = Ecc384::sign(&pcr_key[..48].try_into().unwrap(), &pcr_digest); self.sig_r = words_from_bytes_le(&signature.r); self.sig_s = words_from_bytes_le(&signature.s); } diff --git a/sw-emulator/lib/periph/src/doe.rs b/sw-emulator/lib/periph/src/doe.rs index a4536ac671..47a48dfd13 100644 --- a/sw-emulator/lib/periph/src/doe.rs +++ b/sw-emulator/lib/periph/src/doe.rs @@ -298,8 +298,14 @@ mod tests { let mut ku_hmac_key = KeyUsage::default(); ku_hmac_key.set_hmac_key(true); - assert_eq!(key_vault.read_key(2, ku_hmac_data).unwrap(), PLAIN_TEXT_UDS); - assert_eq!(key_vault.read_key(2, ku_hmac_key).unwrap(), PLAIN_TEXT_UDS); + assert_eq!( + key_vault.read_key(2, ku_hmac_data).unwrap()[..48], + PLAIN_TEXT_UDS + ); + assert_eq!( + key_vault.read_key(2, ku_hmac_key).unwrap()[..48], + PLAIN_TEXT_UDS + ); } #[test] 
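Review bot: The bare `48` in `Ecc384::sign(&pcr_key[..48].try_into().unwrap(), &pcr_digest)` drops the upper 16 bytes of what is presumably now a 64-byte key-vault slot, and nothing at the call site says why that is safe. Replace the literal with a named constant for the P-384 private-scalar length and add a comment such as `// KV slots are 64 bytes; the ECC-384 signing key occupies the first 48`. That way a slot holding a full 64-byte key is not quietly accepted as a signing key. The `unwrap()` cannot fail when slicing a fixed 64-byte array to 48 bytes, which is worth stating in the same comment. The enclosing function starts outside this hunk.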
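Review bot: Both assertions now compare only `[..48]` of the returned slot, so the last 16 bytes of key 2 are never checked and residue from an earlier, longer key would still pass. Bind the result once and add `assert!(key[48..].iter().all(|&b| b == 0));`, assuming the vault is meant to zero-pad keys shorter than the slot. The `PLAIN_TEXT_FE` assertions in the next hunk of doe.rs have the same gap. The test function starts outside the hunk.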
@@ -364,8 +370,14 @@ mod tests { let mut ku_hmac_key = KeyUsage::default(); ku_hmac_key.set_hmac_key(true); - assert_eq!(key_vault.read_key(3, ku_hmac_data).unwrap(), PLAIN_TEXT_FE); - assert_eq!(key_vault.read_key(3, ku_hmac_key).unwrap(), PLAIN_TEXT_FE); + assert_eq!( + key_vault.read_key(3, ku_hmac_data).unwrap()[..48], + PLAIN_TEXT_FE + ); + assert_eq!( + key_vault.read_key(3, ku_hmac_key).unwrap()[..48], + PLAIN_TEXT_FE + ); } #[test] diff --git a/sw-emulator/lib/periph/src/hash_sha512.rs b/sw-emulator/lib/periph/src/hash_sha512.rs index a781edb1fb..59718f88d6 100644 --- a/sw-emulator/lib/periph/src/hash_sha512.rs +++ b/sw-emulator/lib/periph/src/hash_sha512.rs @@ -536,7 +536,7 @@ impl HashSha512Regs { // Copy the hash to the PCR if this is the last block and PCR_HASH_EXTEND is set. let pcr_id = self.block_read_ctrl.reg.read(BlockReadControl::KEY_ID); self.key_vault - .write_pcr(pcr_id, array_ref![self.hash.data(), 0, KeyVault::KEY_SIZE]) + .write_pcr(pcr_id, array_ref![self.hash.data(), 0, KeyVault::PCR_SIZE]) .unwrap(); self.block_read_ctrl @@ -560,10 +560,13 @@ impl HashSha512Regs { // Clear the block self.block.fill(0); - let result: Result<[u8; KeyVault::KEY_SIZE], BusError> = if pcr_hash_extend == 0 { + let result: Result<[u8; KeyVault::PCR_SIZE], BusError> = if pcr_hash_extend == 0 { let mut key_usage = KeyUsage::default(); key_usage.set_sha_data(true); - self.key_vault.read_key(key_id, key_usage) + match self.key_vault.read_key(key_id, key_usage) { + Err(x) => Err(x), + Ok(x) => Ok(x[..KeyVault::PCR_SIZE].try_into().unwrap()), + } } else { Ok(self.key_vault.read_pcr(key_id)) }; 
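Review bot: In the `pcr_hash_extend == 0` branch a key read with `sha_data` usage is cut to `KeyVault::PCR_SIZE` bytes, so a slot that holds a full 64-byte key would be hashed over its first 48 bytes only, with no error. If that truncation is intended, say so in a comment and prefer a key-specific constant over `PCR_SIZE`, which ties key length to PCR length by coincidence. The `match` only re-wraps the result and can be written as `self.key_vault.read_key(key_id, key_usage).map(|k| k[..KeyVault::PCR_SIZE].try_into().unwrap())`. The enclosing function starts and ends outside this hunk.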
@@ -582,8 +585,8 @@ impl HashSha512Regs { if let Some(data) = data { if pcr_hash_extend != 0 { // Copy the PCR (48 bytes) to the block registers. - self.block[..KeyVault::KEY_SIZE / 4].copy_from_slice(&words_from_bytes_le( - &<[u8; KeyVault::KEY_SIZE]>::try_from(&data[..KeyVault::KEY_SIZE]).unwrap(), + self.block[..KeyVault::PCR_SIZE / 4].copy_from_slice(&words_from_bytes_le( + &<[u8; KeyVault::PCR_SIZE]>::try_from(&data[..KeyVault::PCR_SIZE]).unwrap(), )); self.pcr_present = true; } else { @@ -603,13 +606,12 @@ impl HashSha512Regs { /// /// # Arguments /// - /// * `data_len` - Size of the data /// * `data` - Data to hash. This is in big-endian format. /// /// # Error /// /// * `None` - fn format_block(&mut self, data: &[u8; KeyVault::KEY_SIZE]) { + fn format_block(&mut self, data: &[u8]) { let mut block_arr = [0u8; SHA512_BLOCK_SIZE]; block_arr[..data.len()].copy_from_slice(&data[..data.len()]); @@ -1170,7 +1172,7 @@ mod tests { #[test] fn test_sha384_kv_block_read() { - let test_block: [u8; KeyVault::KEY_SIZE] = [ + let test_block: [u8; SHA384_HASH_SIZE] = [ 0x9c, 0x2f, 0x48, 0x76, 0x0d, 0x13, 0xac, 0x42, 0xea, 0xd1, 0x96, 0xe5, 0x4d, 0xcb, 0xaa, 0x5e, 0x58, 0x72, 0x06, 0x62, 0xa9, 0x6b, 0x91, 0x94, 0xe9, 0x81, 0x33, 0x29, 0xbd, 0xb6, 0x27, 0xc7, 0xc1, 0xca, 0x77, 0x15, 0x31, 0x16, 0x32, 0xc1, 0x39, 0xe7, @@ -1196,7 +1198,7 @@ mod tests { #[test] fn test_sha384_kv_block_read_fail() { - let test_block: [u8; KeyVault::KEY_SIZE] = [ + let test_block: [u8; SHA384_HASH_SIZE] = [ 0x9c, 0x2f, 0x48, 0x76, 0x0d, 0x13, 0xac, 0x42, 0xea, 0xd1, 0x96, 0xe5, 0x4d, 0xcb, 0xaa, 0x5e, 0x58, 0x72, 0x06, 0x62, 0xa9, 0x6b, 0x91, 0x94, 0xe9, 0x81, 0x33, 0x29, 0xbd, 0xb6, 0x27, 0xc7, 0xc1, 0xca, 0x77, 0x15, 0x31, 0x16, 0x32, 0xc1, 0x39, 0xe7, 
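Review bot: `format_block` now takes `&[u8]`, so the compile-time length bound of the old `&[u8; KeyVault::KEY_SIZE]` parameter is gone and `block_arr[..data.len()]` panics for any input longer than `SHA512_BLOCK_SIZE`. Add an explicit guard at the top, for example `assert!(data.len() <= SHA512_BLOCK_SIZE - 17, "no room for SHA-512 padding");`. That bound assumes the rest of the body, which is outside this hunk, writes the 0x80 marker and the 128-bit length into the same block. `&data[..data.len()]` can be just `data`. The doc comment's `# Error` section still says `None`, and a `# Panics` entry would document the new precondition.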
@@ -1239,7 +1241,7 @@ mod tests { #[test] fn test_sha384_kv_hash_write() { - let test_block: [u8; KeyVault::KEY_SIZE] = [ + let test_block: [u8; SHA384_HASH_SIZE] = [ 0x9c, 0x2f, 0x48, 0x76, 0x0d, 0x13, 0xac, 0x42, 0xea, 0xd1, 0x96, 0xe5, 0x4d, 0xcb, 0xaa, 0x5e, 0x58, 0x72, 0x06, 0x62, 0xa9, 0x6b, 0x91, 0x94, 0xe9, 0x81, 0x33, 0x29, 0xbd, 0xb6, 0x27, 0xc7, 0xc1, 0xca, 0x77, 0x15, 0x31, 0x16, 0x32, 0xc1, 0x39, 0xe7, @@ -1265,7 +1267,7 @@ mod tests { #[test] fn test_sha384_kv_hash_write_fail() { - let test_block: [u8; KeyVault::KEY_SIZE] = [ + let test_block: [u8; SHA384_HASH_SIZE] = [ 0x9c, 0x2f, 0x48, 0x76, 0x0d, 0x13, 0xac, 0x42, 0xea, 0xd1, 0x96, 0xe5, 0x4d, 0xcb, 0xaa, 0x5e, 0x58, 0x72, 0x06, 0x62, 0xa9, 0x6b, 0x91, 0x94, 0xe9, 0x81, 0x33, 0x29, 0xbd, 0xb6, 0x27, 0xc7, 0xc1, 0xca, 0x77, 0x15, 0x31, 0x16, 0x32, 0xc1, 0x39, 0xe7, @@ -1294,7 +1296,7 @@ mod tests { #[test] fn test_sha384_kv_block_read_hash_write() { - let test_block: [u8; KeyVault::KEY_SIZE] = [ + let test_block: [u8; SHA384_HASH_SIZE] = [ 0x9c, 0x2f, 0x48, 0x76, 0x0d, 0x13, 0xac, 0x42, 0xea, 0xd1, 0x96, 0xe5, 0x4d, 0xcb, 0xaa, 0x5e, 0x58, 0x72, 0x06, 0x62, 0xa9, 0x6b, 0x91, 0x94, 0xe9, 0x81, 0x33, 0x29, 0xbd, 0xb6, 0x27, 0xc7, 0xc1, 0xca, 0x77, 0x15, 0x31, 0x16, 0x32, 0xc1, 0x39, 0xe7, @@ -1321,7 +1323,7 @@ mod tests { } } - fn test_pcr_hash_extend(data: &[u8], pcr_data: &mut [u8; KeyVault::KEY_SIZE], expected: &[u8]) { + fn test_pcr_hash_extend(data: &[u8], pcr_data: &mut [u8; SHA384_HASH_SIZE], expected: &[u8]) { // Prime the PCR vault. let clock = Clock::new(); let pcr_id = 0; diff --git a/sw-emulator/lib/periph/src/key_vault.rs b/sw-emulator/lib/periph/src/key_vault.rs index 7e86033583..57532129ff 100644 --- a/sw-emulator/lib/periph/src/key_vault.rs +++ b/sw-emulator/lib/periph/src/key_vault.rs @@ -20,7 +20,7 @@ use std::cell::RefCell; use std::rc::Rc; use tock_registers::{register_bitfields, LocalRegisterCopy}; -mod constants { +pub mod constants { #![allow(unused)] // Key Vault 
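Review bot: `pub mod constants` exports every register offset and reset value in the module, while the module keeps `#![allow(unused)]`, so unused public items will not be reported. None of the hunks visible in this patch reference the module from another file. If its consumers are all inside this crate, `pub(crate) mod constants` keeps the exposed surface smaller. If an external crate does need it, re-exporting the specific constants would be narrower than opening the whole module.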
@@ -109,7 +109,7 @@ mod constants { pub const PCR_CONTROL_REG_RESET_VAL: u32 = 0; /// Key Memory Size - pub const KEY_REG_SIZE: usize = 0x600; + pub const KEY_REG_SIZE: usize = 0x800; /// Key control register reset value pub const KEY_CONTROL_REG_RESET_VAL: u32 = 0; @@ -145,8 +145,9 @@ pub struct KeyVault { } impl KeyVault { + pub const PCR_SIZE: usize = 48; pub const KEY_COUNT: u32 = 32; - pub const KEY_SIZE: usize = 48; + pub const KEY_SIZE: usize = 64; pub const KEY_CONTROL_REG_OFFSET: u32 = 0; pub const KEY_CONTROL_REG_WIDTH: u32 = 0x4; @@ -725,7 +726,7 @@ mod tests { #[test] fn test_key_private_read_write() { - let expected: [u8; KeyVault::KEY_SIZE] = [ + let expected: &[u8] = &[ 0x11, 0x65, 0xb3, 0x40, 0x6f, 0xf0, 0xb5, 0x2a, 0x3d, 0x24, 0x72, 0x1f, 0x78, 0x54, 0x62, 0xca, 0x22, 0x76, 0xc9, 0xf4, 0x54, 0xa1, 0x16, 0xc2, 0xb2, 0xba, 0x20, 0x17, 0x1a, 0x79, 0x05, 0xea, 0x5a, 0x02, 0x66, 0x82, 0xeb, 0x65, 0x9c, 0x4d, 0x5f, 0x11, @@ -738,10 +739,10 @@ mod tests { for idx in 0..KeyVault::KEY_COUNT { vault - .write_key(idx, &expected, u32::from(key_usage)) + .write_key(idx, expected, u32::from(key_usage)) .unwrap(); let returned = vault.read_key(idx, key_usage).unwrap(); - assert_eq!(&returned, &expected); + assert_eq!(&returned[..expected.len()], expected); } } @@ -773,7 +774,8 @@ mod tests { 0x11, 0x65, 0xb3, 0x40, 0x6f, 0xf0, 0xb5, 0x2a, 0x3d, 0x24, 0x72, 0x1f, 0x78, 0x54, 0x62, 0xca, 0x22, 0x76, 0xc9, 0xf4, 0x54, 0xa1, 0x16, 0xc2, 0xb2, 0xba, 0x20, 0x17, 0x1a, 0x79, 0x05, 0xea, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ] ); } 
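Review bot: `KEY_REG_SIZE` is bumped to the literal `0x800`, which matches `KEY_COUNT * KEY_SIZE` (32 × 64) only while the three values are kept in step by hand. If it sizes the key memory, as its doc comment suggests, a later mismatch would let slot offsets overlap or run past the backing store. Pin the relationship at compile time next to `impl KeyVault`, for example `const _: () = assert!(constants::KEY_REG_SIZE == KeyVault::KEY_COUNT as usize * KeyVault::KEY_SIZE);`, or derive the constant from the other two.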
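Review bot: `PCR_SIZE` and `KEY_SIZE` have no doc comments, yet after this change every caller has to get the difference between them right. Suggest `/// Size of a PCR in bytes (one SHA-384 digest).` above `PCR_SIZE` and `/// Size of one key slot in bytes; shorter keys occupy the leading bytes.` above `KEY_SIZE`. As far as these hunks show, a slot does not record how many of its 64 bytes are valid, so consumers such as the ECC and SHA paths each pick their own truncation length. That is worth noting in the `KEY_SIZE` comment.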
@@ -903,7 +905,7 @@ mod tests { #[test] fn test_key_private_read_blocked() { - let expected: [u8; KeyVault::KEY_SIZE] = [ + let expected: &[u8] = &[ 0x11, 0x65, 0xb3, 0x40, 0x6f, 0xf0, 0xb5, 0x2a, 0x3d, 0x24, 0x72, 0x1f, 0x78, 0x54, 0x62, 0xca, 0x22, 0x76, 0xc9, 0xf4, 0x54, 0xa1, 0x16, 0xc2, 0xb2, 0xba, 0x20, 0x17, 0x1a, 0x79, 0x05, 0xea, 0x5a, 0x02, 0x66, 0x82, 0xeb, 0x65, 0x9c, 0x4d, 0x5f, 0x11, @@ -926,7 +928,7 @@ mod tests { ); assert!(vault - .write_key(key_id, &expected, u32::from(key_usage)) + .write_key(key_id, expected, u32::from(key_usage)) .is_ok()); // Block read access to the key. @@ -947,7 +949,7 @@ mod tests { #[test] fn test_key_private_write_blocked() { - let expected: [u8; KeyVault::KEY_SIZE] = [ + let expected: &[u8] = &[ 0x11, 0x65, 0xb3, 0x40, 0x6f, 0xf0, 0xb5, 0x2a, 0x3d, 0x24, 0x72, 0x1f, 0x78, 0x54, 0x62, 0xca, 0x22, 0x76, 0xc9, 0xf4, 0x54, 0xa1, 0x16, 0xc2, 0xb2, 0xba, 0x20, 0x17, 0x1a, 0x79, 0x05, 0xea, 0x5a, 0x02, 0x66, 0x82, 0xeb, 0x65, 0x9c, 0x4d, 0x5f, 0x11, @@ -975,7 +977,7 @@ mod tests { assert_eq!( vault - .write_key(key_id, &expected, u32::from(key_usage)) + .write_key(key_id, expected, u32::from(key_usage)) .err(), Some(BusError::StoreAccessFault) ); @@ -984,7 +986,7 @@ mod tests { #[test] fn test_key_clear() { - let expected: [u8; KeyVault::KEY_SIZE] = [ + let expected: &[u8] = &[ 0x11, 0x65, 0xb3, 0x40, 0x6f, 0xf0, 0xb5, 0x2a, 0x3d, 0x24, 0x72, 0x1f, 0x78, 0x54, 0x62, 0xca, 0x22, 0x76, 0xc9, 0xf4, 0x54, 0xa1, 0x16, 0xc2, 0xb2, 0xba, 0x20, 0x17, 0x1a, 0x79, 0x05, 0xea, 0x5a, 0x02, 0x66, 0x82, 0xeb, 0x65, 0x9c, 0x4d, 0x5f, 0x11, 
@@ -1001,12 +1003,11 @@ mod tests { for key_id in 0..KeyVault::KEY_COUNT { assert_eq!( - vault - .write_key(key_id, &expected, u32::from(key_usage)) - .ok(), + vault.write_key(key_id, expected, u32::from(key_usage)).ok(), Some(()) ); - assert_eq!(&vault.read_key(key_id, key_usage).unwrap(), &expected); + let key = vault.read_key(key_id, key_usage).unwrap(); + assert_eq!(&key[..expected.len()], expected); // Clear the key. assert_eq!( diff --git a/sw-emulator/lib/periph/src/root_bus.rs b/sw-emulator/lib/periph/src/root_bus.rs index f410149d23..0013624a0f 100644 --- a/sw-emulator/lib/periph/src/root_bus.rs +++ b/sw-emulator/lib/periph/src/root_bus.rs @@ -415,7 +415,8 @@ mod tests { 0x00_u8, 0x11, 0x22, 0x33, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa ] ); } @@ -446,7 +447,8 @@ mod tests { 0x00_u8, 0x11, 0x22, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ] ); }