Skip to content

Commit 3e775c5

Browse files
sasdfpamaury
sasdf
authored and
pamaury
committed
[rom_ext] Update CDI_0 regen by imm_section without re-checking
The imm_section verifies if the CDI_0 cache matches, so rom_ext doesn't need to check it again. Change-Id: Ic031317d285e73cdf15c29ec5965f62a7590b89f Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit 78587f7)
1 parent 40f6658 commit 3e775c5

File tree

1 file changed

+8
-14
lines changed

1 file changed

+8
-14
lines changed

sw/device/silicon_creator/lib/cert/dice_chain.c

Lines changed: 8 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -376,31 +376,25 @@ static rom_error_t dice_chain_attestation_check_uds(void) {
376376
return kErrorOk;
377377
}
378378

379-
// Compare the CDI_0 identity in the static critical section to the CDI_0 cert
380-
// cached in the flash, and refresh the cache if invalid.
379+
// Refresh the cache if a new CDI_0 is generated.
381380
static rom_error_t dice_chain_attestation_check_cdi_0(void) {
382381
// Switch page for the device CDI chain.
383382
RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageDiceCerts));
384383

385384
// Seek to skip previous objects.
386385
RETURN_IF_ERROR(dice_chain_skip_cert_obj("UDS", /*name_size=*/4));
387386

388-
// Refresh cdi 0 if invalid
387+
// Set the endorsement key for the next cert.
389388
dice_chain.endorsement_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
390-
dice_chain.subject_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
391-
dice_chain.subject_pubkey = static_dice_cdi_0.cdi_0_pubkey;
392-
RETURN_IF_ERROR(dice_chain_load_cert_obj("CDI_0", /*name_size=*/6));
393-
if (dice_chain.cert_valid == kHardenedBoolFalse) {
389+
390+
// Save cdi 0 to flash if regenerated.
391+
if (static_dice_cdi_0.cert_size != 0) {
394392
dbg_puts("warning: CDI_0 certificate not valid; updating\r\n");
395-
// Update the cert page buffer.
396-
RETURN_IF_ERROR(dice_chain_push_cert("CDI_0", static_dice_cdi_0.cert_data,
397-
static_dice_cdi_0.cert_size));
393+
return dice_chain_push_cert("CDI_0", static_dice_cdi_0.cert_data,
394+
static_dice_cdi_0.cert_size);
398395
} else {
399-
// Cert is valid, move to the next one.
400-
dice_chain_next_cert_obj();
396+
return dice_chain_skip_cert_obj("CDI_0", /*name_size=*/6);
401397
}
402-
403-
return kErrorOk;
404398
}
405399

406400
rom_error_t dice_chain_attestation_owner(

0 commit comments

Comments
 (0)