Skip to content

[feat] Add Stable Owner Key derivation from HEK seed#3625

Merged
mhatrevi merged 11 commits into
chipsalliance:mainfrom
mhatrevi:vmhatre/stable-owner-key
May 6, 2026
Merged

[feat] Add Stable Owner Key derivation from HEK seed#3625
mhatrevi merged 11 commits into
chipsalliance:mainfrom
mhatrevi:vmhatre/stable-owner-key

Conversation

@mhatrevi
Copy link
Copy Markdown
Collaborator

@mhatrevi mhatrevi commented Apr 16, 2026

ROM derives a Stable Owner Root Key from HEK seed via HKDF into KV15 during cold boot. CM_DERIVE_STABLE_KEY gains OwnerKey (0x3) which uses CMAC-KDF + HMAC-KDF with label "Stable Owner Key" to produce child keys as encrypted CMKs.

Both ROM firmware processor and runtime handle the new key type with identical derivation logic. Adds integration tests for all three key types (IDevId, LDevId, OwnerKey) and a separate test verifying different personalization seeds produce different keys.

@mhatrevi
[feat] Add Stable Owner Key derivation from HEK seed
74fc39e 
ROM derives a Stable Owner Root Key from HEK seed via HKDF into KV15
during cold boot. CM_DERIVE_STABLE_KEY gains OwnerKey (0x3) which uses
CMAC-KDF + HMAC-KDF with label "Stable Owner Key" to produce child
keys as encrypted CMKs.

Both ROM firmware processor and runtime handle the new key type with
identical derivation logic. Adds integration tests for all three key
types (IDevId, LDevId, OwnerKey) and a separate test verifying
different personalization seeds produce different keys.
@mhatrevi
Copy link
Copy Markdown
Collaborator Author

mhatrevi commented Apr 16, 2026
edited
Loading

Implements chipsalliance/Caliptra#657

swenson
swenson previously approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one nit

Comment thread rom/dev/src/flow/cold_reset/idev_id.rs Outdated
clundin25
clundin25 reviewed Apr 17, 2026
View reviewed changes
Comment thread rom/dev/src/flow/cold_reset/idev_id.rs
clundin25
clundin25 reviewed Apr 17, 2026
View reviewed changes
Comment thread rom/dev/src/flow/cold_reset/idev_id.rs Outdated
clundin25
clundin25 reviewed Apr 17, 2026
View reviewed changes
Comment thread runtime/src/cryptographic_mailbox.rs
@mhatrevi mhatrevi marked this pull request as ready for review April 20, 2026 16:29
bluegate010
bluegate010 reviewed Apr 20, 2026
View reviewed changes
Comment thread rom/dev/src/flow/cold_reset/idev_id.rs Outdated
Comment thread runtime/src/cryptographic_mailbox.rs
clundin25
clundin25 reviewed Apr 21, 2026
View reviewed changes
Comment thread rom/dev/src/flow/cold_reset/idev_id.rs Outdated
@mhatrevi mhatrevi requested a review from jlmahowa-amd as a code owner April 24, 2026 00:52
mlvisaya
mlvisaya reviewed Apr 29, 2026
View reviewed changes
Comment thread runtime/src/cryptographic_mailbox.rs Outdated
swenson
swenson previously approved these changes May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread drivers/src/soc_ifc.rs
swenson
swenson approved these changes May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mhatrevi mhatrevi added this pull request to the merge queue May 6, 2026
Merged via the queue into chipsalliance:main with commit 24205a8 May 6, 2026
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bluegate010 bluegate010 bluegate010 left review comments

@mlvisaya mlvisaya mlvisaya left review comments

@clundin25 clundin25 clundin25 left review comments

@swenson swenson swenson approved these changes

@jhand2 jhand2 Awaiting requested review from jhand2 jhand2 is a code owner

@fdamato fdamato Awaiting requested review from fdamato fdamato is a code owner

@rusty1968 rusty1968 Awaiting requested review from rusty1968 rusty1968 is a code owner

@vsonims vsonims Awaiting requested review from vsonims vsonims is a code owner

@zhalvorsen zhalvorsen Awaiting requested review from zhalvorsen zhalvorsen is a code owner

@timothytrippel timothytrippel Awaiting requested review from timothytrippel timothytrippel is a code owner

@ajisaxena ajisaxena Awaiting requested review from ajisaxena ajisaxena is a code owner

@korran korran Awaiting requested review from korran korran is a code owner

@JohnTraverAmd JohnTraverAmd Awaiting requested review from JohnTraverAmd JohnTraverAmd is a code owner

@jlmahowa-amd jlmahowa-amd Awaiting requested review from jlmahowa-amd jlmahowa-amd is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mhatrevi @swenson @bluegate010 @mlvisaya @clundin25