Support signing with an exported CDI after a warm reset (#2125)

clundin25 · web-flow · commit e07b0af6c083 · 2025-06-03T10:44:07.000-07:00
diff --git a/dpe b/dpe
@@ -1 +1 @@
-Subproject commit 54d5d99e567ba64cea5cc3bb2814d2a0697253d0
+Subproject commit f56f66ef4ada62bd99b5670c8384dc2e97e04e94
diff --git a/drivers/src/key_vault.rs b/drivers/src/key_vault.rs
@@ -17,8 +17,11 @@ use bitfield::bitfield;
 use crate::{CaliptraError, CaliptraResult};
 use caliptra_registers::kv::KvReg;
 
+use zerocopy::{IntoBytes, KnownLayout, TryFromBytes};
+
 /// Key Identifier
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, TryFromBytes, IntoBytes, KnownLayout)]
+#[repr(u8)]
 pub enum KeyId {
     KeyId0 = 0,
     KeyId1 = 1,
@@ -54,6 +57,13 @@ pub enum KeyId {
     KeyId31 = 31,
 }
 
+impl zeroize::Zeroize for KeyId {
+    fn zeroize(&mut self) {
+        // This is a NOP as these enums are just a handle.
+        // This trait is implemented so the slots can be serialized into `PersistentData`.
+    }
+}
+
 impl TryFrom<u8> for KeyId {
     type Error = ();
     fn try_from(original: u8) -> Result<Self, Self::Error> {
diff --git a/drivers/src/lib.rs b/drivers/src/lib.rs
@@ -88,7 +88,7 @@ pub use pcr_bank::{PcrBank, PcrId};
 pub use pcr_reset::PcrResetCounter;
 pub use persistent::fmc_alias_csr::FmcAliasCsr;
 #[cfg(feature = "runtime")]
-pub use persistent::AuthManifestImageMetadataList;
+pub use persistent::{AuthManifestImageMetadataList, ExportedCdiEntry, ExportedCdiHandles};
 
 pub use persistent::{
     FuseLogArray, IdevIdCsr, PcrLogArray, PersistentData, PersistentDataAccessor,
diff --git a/drivers/src/persistent.rs b/drivers/src/persistent.rs
@@ -10,7 +10,7 @@ use caliptra_auth_man_types::{
 use caliptra_error::{CaliptraError, CaliptraResult};
 use caliptra_image_types::ImageManifest;
 #[cfg(feature = "runtime")]
-use dpe::{DpeInstance, U8Bool, MAX_HANDLES};
+use dpe::{DpeInstance, ExportedCdiHandle, U8Bool, MAX_HANDLES};
 use zerocopy::{IntoBytes, KnownLayout, TryFromBytes};
 use zeroize::Zeroize;
 
@@ -26,7 +26,7 @@ use crate::{
 use crate::FmcAliasCsr;
 
 #[cfg(feature = "runtime")]
-use crate::pcr_reset::PcrResetCounter;
+use crate::{pcr_reset::PcrResetCounter, KeyId};
 
 pub const MAX_CSR_SIZE: usize = 512;
 pub const MAN1_SIZE: u32 = 6 * 1024;
@@ -49,12 +49,31 @@ pub const PCR_LOG_MAX_COUNT: usize = 17;
 pub const FUSE_LOG_MAX_COUNT: usize = 62;
 pub const MEASUREMENT_MAX_COUNT: usize = 8;
 
+#[cfg(feature = "runtime")]
+// Currently only can export CDI once, but in the future we may want to support multiple exported
+// CDI handles at the cost of using more KeyVault slots.
+pub const EXPORTED_HANDLES_NUM: usize = 1;
+#[cfg(feature = "runtime")]
+#[derive(Clone, TryFromBytes, IntoBytes, KnownLayout, Zeroize)]
+pub struct ExportedCdiEntry {
+    pub key: KeyId,
+    pub handle: ExportedCdiHandle,
+    pub active: U8Bool,
+}
+
+#[cfg(feature = "runtime")]
+#[derive(Clone, TryFromBytes, IntoBytes, KnownLayout, Zeroize)]
+pub struct ExportedCdiHandles {
+    pub entries: [ExportedCdiEntry; EXPORTED_HANDLES_NUM],
+}
+
 #[cfg(feature = "runtime")]
 const DPE_DCCM_STORAGE: usize = size_of::<DpeInstance>()
     + size_of::<u32>() * MAX_HANDLES
     + size_of::<U8Bool>() * MAX_HANDLES
     + size_of::<U8Bool>()
-    + size_of::<U8Bool>();
+    + size_of::<U8Bool>()
+    + size_of::<ExportedCdiHandles>();
 
 #[cfg(feature = "runtime")]
 const _: () = assert!(DPE_DCCM_STORAGE < DPE_SIZE as usize);
@@ -242,6 +261,8 @@ pub struct PersistentData {
     #[cfg(feature = "runtime")]
     pub runtime_cmd_active: U8Bool,
     #[cfg(feature = "runtime")]
+    pub exported_cdi_slots: ExportedCdiHandles,
+    #[cfg(feature = "runtime")]
     reserved6: [u8; DPE_SIZE as usize - DPE_DCCM_STORAGE],
     #[cfg(not(feature = "runtime"))]
     dpe: [u8; DPE_SIZE as usize],
diff --git a/runtime/src/certify_key_extended.rs b/runtime/src/certify_key_extended.rs
@@ -57,7 +57,7 @@ impl CertifyKeyExtendedCmd {
             &mut pdata.fht.rt_dice_pub_key,
             key_id_rt_cdi,
             key_id_rt_priv_key,
-            &mut drivers.exported_cdi_slots,
+            &mut pdata.exported_cdi_slots,
         );
         let pl0_pauser = pdata.manifest1.header.pl0_pauser;
         let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
diff --git a/runtime/src/dpe_crypto.rs b/runtime/src/dpe_crypto.rs
@@ -20,22 +20,17 @@ use caliptra_common::keyids::{
     KEY_ID_DPE_CDI, KEY_ID_DPE_PRIV_KEY, KEY_ID_EXPORTED_DPE_CDI, KEY_ID_TMP,
 };
 use caliptra_drivers::{
-    cprintln, hmac384_kdf, Array4x12, Ecc384, Ecc384PrivKeyIn, Ecc384PubKey, Ecc384Scalar,
-    Ecc384Seed, Hmac384, Hmac384Data, Hmac384Key, Hmac384Tag, KeyId, KeyReadArgs, KeyUsage,
-    KeyVault, KeyWriteArgs, Sha384, Sha384DigestOp, Trng,
+    hmac384_kdf, Array4x12, Ecc384, Ecc384PrivKeyIn, Ecc384PubKey, Ecc384Scalar, Ecc384Seed,
+    ExportedCdiEntry, ExportedCdiHandles, Hmac384, Hmac384Data, Hmac384Key, Hmac384Tag, KeyId,
+    KeyReadArgs, KeyUsage, KeyVault, KeyWriteArgs, Sha384, Sha384DigestOp, Trng,
 };
 use crypto::{AlgLen, Crypto, CryptoBuf, CryptoError, Digest, EcdsaPub, EcdsaSig, Hasher};
 use dpe::{
-    response::DpeErrorCode, x509::MeasurementData, ExportedCdiHandle, MAX_EXPORTED_CDI_SIZE,
+    response::DpeErrorCode, x509::MeasurementData, ExportedCdiHandle, U8Bool, MAX_EXPORTED_CDI_SIZE,
 };
 use zerocopy::IntoBytes;
 use zeroize::Zeroize;
 
-// Currently only can export CDI once, but in the future we may want to support multiple exported
-// CDI handles at the cost of using more KeyVault slots.
-pub const EXPORTED_HANDLES_NUM: usize = 1;
-pub type ExportedCdiHandles = [Option<(KeyId, ExportedCdiHandle)>; EXPORTED_HANDLES_NUM];
-
 pub struct DpeCrypto<'a> {
     sha384: &'a mut Sha384,
     trng: &'a mut Trng,
@@ -156,9 +151,13 @@ impl<'a> DpeCrypto<'a> {
         &mut self,
         exported_cdi_handle: &[u8; MAX_EXPORTED_CDI_SIZE],
     ) -> Option<<DpeCrypto<'a> as crypto::Crypto>::Cdi> {
-        for cdi_slot in self.exported_cdi_slots.iter() {
+        for cdi_slot in self.exported_cdi_slots.entries.iter() {
             match cdi_slot {
-                Some((cdi, handle)) if handle == exported_cdi_handle => return Some(*cdi),
+                ExportedCdiEntry {
+                    key,
+                    handle,
+                    active,
+                } if active.get() && handle == exported_cdi_handle => return Some(*key),
                 _ => (),
             }
         }
@@ -243,18 +242,30 @@ impl<'a> Crypto for DpeCrypto<'a> {
         // Currently we only use one slot for export CDIs.
         let cdi_slot = KEY_ID_EXPORTED_DPE_CDI;
         // Copy the CDI slots to work around the borrow checker.
-        let mut slots_clone = *self.exported_cdi_slots;
+        let mut slots_clone = self.exported_cdi_slots.clone();
 
-        for slot in slots_clone.iter_mut() {
+        for slot in slots_clone.entries.iter_mut() {
             match slot {
                 // Matching existing slot
-                Some((cached_cdi, handle)) if *cached_cdi == cdi_slot => {
+                ExportedCdiEntry {
+                    key,
+                    handle,
+                    active,
+                } if active.get() && *key == cdi_slot => {
                     Err(CryptoError::ExportedCdiHandleDuplicateCdi)?
                 }
-                // Empty slot
-                None => {
+                ExportedCdiEntry {
+                    key,
+                    handle,
+                    active,
+                } if !active.get() => {
+                    // Empty slot
                     let cdi = self.derive_cdi_inner(algs, measurement, info, cdi_slot)?;
-                    *slot = Some((cdi, exported_cdi_handle));
+                    *slot = ExportedCdiEntry {
+                        key: cdi,
+                        handle: exported_cdi_handle,
+                        active: U8Bool::new(true),
+                    };
                     // We need to update `self.exported_cdi_slots` with our mutation.
                     *self.exported_cdi_slots = slots_clone;
                     return Ok(exported_cdi_handle);
@@ -298,10 +309,14 @@ impl<'a> Crypto for DpeCrypto<'a> {
     ) -> Result<(Self::PrivKey, EcdsaPub), CryptoError> {
         let cdi = {
             let mut cdi = None;
-            for cdi_slot in self.exported_cdi_slots.iter() {
+            for cdi_slot in self.exported_cdi_slots.entries.iter() {
                 match cdi_slot {
-                    Some((stored_cdi, stored_handle)) if stored_handle == exported_handle => {
-                        cdi = Some(*stored_cdi);
+                    ExportedCdiEntry {
+                        key,
+                        handle,
+                        active,
+                    } if active.get() && handle == exported_handle => {
+                        cdi = Some(*key);
                         break;
                     }
                     _ => (),
diff --git a/runtime/src/drivers.rs b/runtime/src/drivers.rs
@@ -23,7 +23,6 @@ use crate::{
     PL1_DPE_ACTIVE_CONTEXT_THRESHOLD,
 };
 
-use crate::dpe_crypto::{ExportedCdiHandles, EXPORTED_HANDLES_NUM};
 use arrayvec::ArrayVec;
 use caliptra_cfi_derive_git::{cfi_impl_fn, cfi_mod_fn};
 use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_assert_eq_12_words, cfi_launder};
@@ -110,7 +109,6 @@ pub struct Drivers {
     pub is_shutdown: bool,
 
     pub dmtf_device_info: Option<ArrayVec<u8, { AddSubjectAltNameReq::MAX_DEVICE_INFO_LEN }>>,
-    pub exported_cdi_slots: ExportedCdiHandles,
 }
 
 impl Drivers {
@@ -149,7 +147,6 @@ impl Drivers {
             cert_chain: ArrayVec::new(),
             is_shutdown: false,
             dmtf_device_info: None,
-            exported_cdi_slots: [None; EXPORTED_HANDLES_NUM],
         })
     }
 
@@ -388,7 +385,7 @@ impl Drivers {
             &mut pdata.fht.rt_dice_pub_key,
             key_id_rt_cdi,
             key_id_rt_priv_key,
-            &mut drivers.exported_cdi_slots,
+            &mut pdata.exported_cdi_slots,
         );
 
         let (nb, nf) = Self::get_cert_validity_info(&pdata.manifest1);
diff --git a/runtime/src/invoke_dpe.rs b/runtime/src/invoke_dpe.rs
@@ -60,7 +60,7 @@ impl InvokeDpeCmd {
                 &mut pdata.fht.rt_dice_pub_key,
                 key_id_rt_cdi,
                 key_id_rt_priv_key,
-                &mut drivers.exported_cdi_slots,
+                &mut pdata.exported_cdi_slots,
             );
             let pl0_pauser = pdata.manifest1.header.pl0_pauser;
             let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
diff --git a/runtime/src/revoke_exported_cdi_handle.rs b/runtime/src/revoke_exported_cdi_handle.rs
@@ -10,9 +10,12 @@ use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_launder};
 use caliptra_common::mailbox_api::{
     MailboxResp, MailboxRespHeader, RevokeExportedCdiHandleReq, RevokeExportedCdiHandleResp,
 };
+use caliptra_drivers::ExportedCdiEntry;
 use caliptra_error::{CaliptraError, CaliptraResult};
 
+use dpe::U8Bool;
 use zerocopy::{FromBytes, IntoBytes};
+use zeroize::Zeroize;
 
 pub struct RevokeExportedCdiHandleCmd;
 impl RevokeExportedCdiHandleCmd {
@@ -30,13 +33,26 @@ impl RevokeExportedCdiHandleCmd {
             }
         }
 
-        for slot in drivers.exported_cdi_slots.iter_mut() {
+        for slot in drivers
+            .persistent_data
+            .get_mut()
+            .exported_cdi_slots
+            .entries
+            .iter_mut()
+        {
             match slot {
-                Some((cdi, handle)) if *handle == cmd.exported_cdi_handle => {
+                ExportedCdiEntry {
+                    key,
+                    handle,
+                    active,
+                } if *handle == cmd.exported_cdi_handle && active.get() => {
                     #[cfg(not(feature = "no-cfi"))]
                     cfi_assert!(*handle == cmd.exported_cdi_handle);
 
-                    *slot = None;
+                    // Setting to false is redundant with zeroize but included for clarity.
+                    *active = U8Bool::new(false);
+                    slot.zeroize();
+
                     return Ok(MailboxResp::RevokeExportedCdiHandle(
                         RevokeExportedCdiHandleResp::default(),
                     ));
diff --git a/runtime/src/sign_with_exported_ecdsa.rs b/runtime/src/sign_with_exported_ecdsa.rs
@@ -71,17 +71,18 @@ impl SignWithExportedEcdsaCmd {
 
         let key_id_rt_cdi = Drivers::get_key_id_rt_cdi(drivers)?;
         let key_id_rt_priv_key = Drivers::get_key_id_rt_priv_key(drivers)?;
+        let pdata = drivers.persistent_data.get_mut();
 
         let mut crypto = DpeCrypto::new(
             &mut drivers.sha384,
             &mut drivers.trng,
             &mut drivers.ecc384,
             &mut drivers.hmac384,
             &mut drivers.key_vault,
-            &mut drivers.persistent_data.get_mut().fht.rt_dice_pub_key,
+            &mut pdata.fht.rt_dice_pub_key,
             key_id_rt_cdi,
             key_id_rt_priv_key,
-            &mut drivers.exported_cdi_slots,
+            &mut pdata.exported_cdi_slots,
         );
 
         let digest = Digest::new(&cmd.tbs)
diff --git a/runtime/src/stash_measurement.rs b/runtime/src/stash_measurement.rs
@@ -62,7 +62,7 @@ impl StashMeasurementCmd {
                 &mut pdata.fht.rt_dice_pub_key,
                 key_id_rt_cdi,
                 key_id_rt_priv_key,
-                &mut drivers.exported_cdi_slots,
+                &mut pdata.exported_cdi_slots,
             );
             let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
             let mut env = DpeEnv::<CptraDpeTypes> {
diff --git a/runtime/tests/runtime_integration_tests/test_invoke_dpe.rs b/runtime/tests/runtime_integration_tests/test_invoke_dpe.rs
diff --git a/runtime/tests/runtime_integration_tests/test_sign_with_export_ecdsa.rs b/runtime/tests/runtime_integration_tests/test_sign_with_export_ecdsa.rs
