Skip to content

Isolate no cpu int#3669

Draft
v-ramalleti wants to merge 279 commits into
chipsalliance:mainfrom
v-ramalleti:isolate-no-cpu-int
Draft

Isolate no cpu int#3669
v-ramalleti wants to merge 279 commits into
chipsalliance:mainfrom
v-ramalleti:isolate-no-cpu-int

Conversation

@v-ramalleti

Copy link
Copy Markdown
Contributor

No description provided.

mhatrevi and others added 30 commits September 22, 2025 06:21
This update modifies the emulator to reset the MBOX AXI users and their locks during a warm reset. It also enhances the warm reset integration tests to reprogram the AXI users and their locks afterward.
Tock uses Unicode characters in utf8 occasionally and our demos might
use them to make everything pretty.

This should have no performance impact when using plain ASCII, as the
new behavior is only triggered on non-ASCII characters.

Miraculously, the characters used for tests (like `0xff`) are not valid
in UTF-8 sequences.
…#2528)

During a warm reset, the cptra_fw_rev_id registers are cleared, causing RT commands such as VERSION to return a firmware version of 0. This update re-applies the FMC and RT firmware versions during RT initialization by reading them from the manifest stored in DCCM.

This is a temporary workaround until the hardware update planned for version 2.2 addresses the issue more robustly.
This exposes the default LC tokens programmed into OTP so they can be
used by downstream FPGA E2E test cases that excercise LC state
transitions.

Signed-off-by: Tim Trippel <ttrippel@google.com>
Previously, the JTAG TAP only had functions to read and write LCC
registers, i.e. when connected to the LCC TAP. This updates the TAP
logic to enable connecting to the Caliptra Core TAP as well.

Signed-off-by: Tim Trippel <ttrippel@google.com>
At the end of the recovery flow before notifying the MCU firmware is ready, Caliptra needs to set the reset reason. This change adds that capability.

This is described in more detail in https://github.com/chipsalliance/caliptra-ss/blob/main/docs/CaliptraSSIntegrationSpecification.md#mcu-fw-boot-update.
…liance#2545)

If CM_SHA_INIT contains more than 128 bytes, then an intermediate hash
is generated and restored when starting CM_SHA_UPDATE.

If the CM_SHA_UPDATE does not contain enough data to trigger another
block write, then we would try to immediately save the SHA state.
In that case, the hardware status would show ready but not valid, so the
driver would get into an infinite loop waiting for the save state to be
ready.

This addresses this condition by not doing triggering a save if we did
not write enough data and instead using the old intermediate hash.
…e#2494)

In 2.0 subsystem mode, the UDS and FE secrets are not guaranteed to be zeroizable. For non-identity keys, such as stable keys and derivatives, the keys and any uses of them must be marked as FIPS invalid.

For 2.0 passive mode, the integrator is expected to guarantee that the UDS and FE are zeroizable. For 2.1 in both modes, UDS and FE must be zeroizable.

This reserves one of the bits in the CMKs to be used as a FIPS bit and adds the logic to propagate that to derived CMKs and to the mailbox commands that use them.

This adds tests for the behavior in subsystem and passive mode for all cryptographic mailbox commands as well.
The test is disabled in the FPGA for now due to flakiness of booting all
the way to runtime, but it has been tested as working and is ready for
CI whenever that flakiness is resolved.

To support this command (and probably others) we need to pass in SoC
manifest and MCU FW when operating in subsystem mode, otherwise the FPGA
subsystem boot flow will fail.

We also need to set the SoC Manifest Max SVN in fuses so that these are
routed back to the Caliptra fuse registers.
This allows provisioning the FPGA bitstream at runtime.
…iance#2553)

This fixes some configuration errors to enable connecting to the
Caliptra Core TAP. This will enable completing the manuf debug unlock
test.

Signed-off-by: Tim Trippel <ttrippel@google.com>
…e#2547)

* Enable disabled ActivateFw and AuthAndStash integ tests

Previously all ActivateFw and AuthAndStash integ tests were disabled
when testing FPGA.

This was because these integ tests needs an external test SRAM to
exchange data with Caliptra. SW emulator is using a SW SRAM which is not
available previously in HW.

To work around this, we will be using the MCU MBOX SRAM as a test SRAM
to enable these tests.

* fix compile error for fpga_realitime

* Addressed feedback

- Currently CI FPGA bitstream is flaky in running runtime, disable these
tests for now. It did pass on local FPGA tests
- Use a single function to write to test sram
- correct yaml filters

* Correct unlock procedure
…e#2499)

This will notify the MCU test ROM that it is ready to start loading mutable firmware for both Caliptra and MCU.
This fixes the OpenOCD config since chipsalliance#397 merged, thus aligning the JTAG
pin ordering across all TAPs. This should be merged after the bitstreams
are updated in CI.

Signed-off-by: Tim Trippel <ttrippel@google.com>
…e#2572)

These tests are causing the new panics. They still need to be triaged, but this can unblock current development efforts.
…liance#2566)

* [jtag] add missing mailbox register address

This adds a missing Caliptra Core TAP mailbox register address to the
enum of JTAG accessible registers.

Signed-off-by: Tim Trippel <ttrippel@google.com>

* [hw-model] enable provisioning the debug unlock token in OTP

This updates the FPGA subsystem HW model to provision a default debug
unlock token to enable testing the manuf debug unlock flow.

Signed-off-by: Tim Trippel <ttrippel@google.com>

---------

Signed-off-by: Tim Trippel <ttrippel@google.com>
* R/W filesystem
* SSH,TMUX,RSYNC
* Pre-provisioned SSH keys
* The CSR generation is 3x slower on main-2.x, so reduce iterations by
  66%.
* Increase timeout for boot stress test
Will be used for the nightly 2.x release.
nquarton and others added 30 commits March 26, 2026 14:08
This is required for FIPS compliance whenever an ECDSA key pair is used
for ECDH key agreement.

(cherry picked from commit f84abd7)
This is required for FIPS compliance whenever an MLDSA key pair is generated.

(cherry picked from commit cb79806)
This way the public keys aren't encoded using sentinel values, but
instead use a prefix/suffix pattern. This saves a ton of space,
especially for MLDSA public keys, which are 2592 bytes each in the TBS
templates.

(cherry picked from commit 9248d79)
The TBS_TEMPLATE constant is only used in tests for some types but
not all. Adding #[allow(dead_code)] alongside #[cfg(test)] prevents
clippy dead_code warnings for types without test references.
…#3561)

* [hw-model] Wait for subsystem boot completion in tests

* [gha] bump MCU ROM commit
…ate dlen against mailbox SRAM size (chipsalliance#3414) (chipsalliance#3571)

Co-authored-by: arosenbaum84 <136463300+arosenbaum84@users.noreply.github.com>
mark PK hash as valid, and update OTP PQC key type encoding

Signed-off-by: Amit Kumar-Hermosillo <amitkh@google.com>
This renames the crate and updates all of the local dependencies. This makes it
more consistent with the other crates in the project.
This renames the crate and updates all of the local dependencies. This makes it
more consistent with the other crates in the project.
This renames the crate and updates all of the local dependencies. This makes it
more consistent with the other crates in the project.
Cherry-picked RT alias changes from original commit eaf3fa4.
 Excludes IDevID, LDevID, and FMC alias changes that affect caliptra ROM.

 - Add TCG_DICE_KP_ECA extended key usage to RT alias ECC and ML-DSA certs
 - Regenerate X509 templates with the new EKU extension
 - Update DPE submodule to 769ae8d (ECA EKU verification fix)
)

Renames the following crates:

* ureg-codegen -> caliptra-ureg-codegen
* ureg-schema -> caliptra-ureg-schema
* ureg-systemrdl -> caliptra-ureg-systemrdl

This renames the crate and updates all of the local dependencies. This makes it
more consistent with the other crates in the project.
Cherry-picked from main commit a39153c. Adds rt_mldsa_keypair_seed_kv_hdl to PersistentData so runtime can access the RT MLDSA keypair seed for signing operations. To avoid ROM changes, the MLDSA seed handle is stored in PersistentData.

Also renames rt_priv_key_kv_hdl to rt_ecc_priv_key_kv_hdl for clarity.
…e#3339)

Cherry-picked from main commit ec94318. Adds attested CSR support
with LDevID key type. Uses COSE Sign1 wrapped EAT claims.

Increase STACK_SIZE from 116KB to 140KB to accommodate attested CSR
COSE/CBOR encoding stack usage.

Adapted for caliptra-2.0: caliptra-ocp-eat naming, .fht accessor
path, caliptra_cfi_derive_git.

Co-authored-by: Max Timkovich <max@timkovi.ch>
- Remove CsrData struct; Reuse single scratch buffer across CSR generation and signing
- Increase RUNTIME_SIZE from 154KB to 156KB for new CSR templates
Squashed cherry-picks from main:
- chipsalliance#3013: Update to just before adding SVN (DPE sub → b1c0e99)
- chipsalliance#3018: Support SVN in DeriveContext (DPE sub → c9b67f5)
- chipsalliance#3022: Use dpe::State for shared state (DPE sub → 57690bd)
- chipsalliance#3029: New Crypto API (DPE sub → 81aea72)
- chipsalliance#3038: Use both RT PCRs in RT DPE context
- chipsalliance#3164: Unify DPE environment creation

Note: CertifyKeyCsr DPE verification test is temporarily disabled.
It requires DPE commit 4986ac5 ("verification: Add ECA EKU and fix
CSR signature verification (chipsalliance#510)") which will be picked up in a
later phase when the DPE submodule is updated further.
Squashed backport of:
- [dpe] Update DPE to hybrid build feature (chipsalliance#3070)
- [dpe] Remove DPE submodule and references (chipsalliance#3217)
- [dpe] Update DPE submodule to latest commit (chipsalliance#3216)
…hipsalliance#3637)

These registers are allowed to be written by SoC / MCU, but not by
Caliptra. We don't have a good way to enforce such a separation in the
emulator at the moment, so we mark them as RW.
…hipsalliance#3638)

This adds the following fields to `FwInfoResp`:

* vendor_pub_key_hash
* image_manifest_pqc_type
* vendor_ecc384_pub_key_index
* vendor_pqc_pub_key_index

These will be used by MCU key revocation APIs to make sure it is safe to revoke
a key.
…nce#3643)

Switch secrets_valid to True so DOE reads UDS and FE from strap registers
    instead of OTP. This gives deterministic and identical IdevID on FPGA and emulator
  for SPDM attestation tests
…ance#3259)

These internal timers might be saved up during hitless update, where the
MCU processor is halted. When it comes out of reset, the timers would
immediately try to fire, which could trigger the wrong code to be
executed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.