docs: document UEID construction from fuses to certificate bytes#3633
Merged
Conversation
Add a new 'UEID (Unique Endpoint Identifier)' subsection to rom/dev/README.md describing how the 17-byte UEID is assembled from FUSE_IDEVID_CERT_ATTR words 11-15 (UeidType + ManufacturerSerialNumber1..4, little-endian), how it is wrapped in the TCG DICE Ueid X.509 extension (OID 2.23.133.5.4.4), and showing a full end-to-end example from fuse values to the DER bytes emitted in the IDevID CSR, LDevID cert, and FMC Alias cert. Verified by running the existing cert_test_with_ueid integration test in rom/dev/tests/rom_integration_tests/test_image_validation.rs, which programs the exact fuse values used in the example and confirms the documented UEID byte sequence (010102030405060708090A0B0C0D0E0F10) appears in all three emitted certificates.
swenson
requested review from
JohnTraverAmd,
ajisaxena,
korran,
mhatrevi,
timothytrippel,
vsonims and
zhalvorsen
as code owners
zhalvorsen
previously approved these changes
Apr 17, 2026
Pad the first column to match the widest row so the markdown table source is aligned.
zhalvorsen
approved these changes
Apr 17, 2026
mhatrevi
approved these changes
Apr 17, 2026
Collaborator
Author
|
Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a new 'UEID (Unique Endpoint Identifier)' subsection to rom/dev/README.md describing how the 17-byte UEID is assembled from FUSE_IDEVID_CERT_ATTR words 11-15 (UeidType + ManufacturerSerialNumber1..4, little-endian), how it is wrapped in the TCG DICE Ueid X.509 extension (OID 2.23.133.5.4.4), and showing a full end-to-end example from fuse values to the DER bytes emitted in the IDevID CSR, LDevID cert, and FMC Alias cert.
Verified by running the existing cert_test_with_ueid integration test in rom/dev/tests/rom_integration_tests/test_image_validation.rs, which programs the exact fuse values used in the example and confirms the documented UEID byte sequence (010102030405060708090A0B0C0D0E0F10) appears in all three emitted certificates.