[sw/silicon_creator] Read usage constraints from hardware during ROM_EXT verification
Fixes #5956.
Signed-off-by: Alphan Ulusoy <alphan@google.com>
diff --git a/sw/device/silicon_creator/lib/manifest.c b/sw/device/silicon_creator/lib/manifest.c
index aead7c2..3bbfcff 100644
--- a/sw/device/silicon_creator/lib/manifest.c
+++ b/sw/device/silicon_creator/lib/manifest.c
@@ -6,7 +6,7 @@
// Extern declarations for the inline functions in the manifest header.
extern rom_error_t manifest_check(const manifest_t *manifest);
-extern manifest_signed_region_t manifest_signed_region_get(
+extern manifest_digest_region_t manifest_digest_region_get(
const manifest_t *manifest);
extern epmp_region_t manifest_code_region_get(const manifest_t *manifest);
extern uintptr_t manifest_entry_point_get(const manifest_t *manifest);
diff --git a/sw/device/silicon_creator/lib/manifest.h b/sw/device/silicon_creator/lib/manifest.h
index bf774b8..e1ab6c0 100644
--- a/sw/device/silicon_creator/lib/manifest.h
+++ b/sw/device/silicon_creator/lib/manifest.h
@@ -125,9 +125,19 @@
*
* RSASSA-PKCS1-v1_5 signature of the image generated using a 3072-bit RSA
* private key and the SHA-256 hash function. The signed region of an image
- * starts immediately after this field and ends at the end of the image. The
- * start and the length of the signed region can be obtained using
- * `manifest_signed_region_get`.
+ * starts immediately after this field and ends at the end of the image.
+ *
+ * On-target verification should also integrate usage constraints comparison
+ * to signature verification to harden it against potential attacks. During
+ * verification, the digest of an image should be computed by first reading
+ * the usage constraints from the hardware and then concatenating the rest of
+ * the image:
+ *
+ * digest = SHA256(usage_constraints_from_hw || rest_of_the_image)
+ *
+ * The start and the length of the region that should be concatenated to the
+ * usage constraints read from the hardware can be obtained using
+ * `manifest_digest_region_get()`.
*/
sigverify_rsa_buffer_t signature;
/**
@@ -219,18 +229,18 @@
OT_ASSERT_SIZE(manifest_t, MANIFEST_SIZE);
/**
- * Signed region of an image.
+ * Region of an image that should be included in the digest computation.
*/
-typedef struct manifest_signed_region {
+typedef struct manifest_digest_region {
/**
- * Start of the signed region of an image.
+ * Start of the region.
*/
const void *start;
/**
- * Length of the signed region of an image in bytes.
+ * Length of the region in bytes.
*/
size_t length;
-} manifest_signed_region_t;
+} manifest_digest_region_t;
/**
* Allowed bounds for the `length` field.
@@ -279,16 +289,25 @@
}
/**
- * Gets the signed region of an image.
+ * Gets the region of the image that should be included in the digest
+ * computation.
*
- * @param manifest A manifest
- * return signed_region Signed region of an image.
+ * Digest region of an image starts immediately after the `usage_constraints`
+ * field of its manifest and ends at the end of the image.
+ *
+ * @param manifest A manifest.
+ * return digest_region Region of the image that should be included in the
+ * digest computation.
*/
-inline manifest_signed_region_t manifest_signed_region_get(
+inline manifest_digest_region_t manifest_digest_region_get(
const manifest_t *manifest) {
- return (manifest_signed_region_t){
- .start = (const char *)manifest + sizeof(manifest->signature),
- .length = manifest->length - sizeof(manifest->signature),
+ enum {
+ kDigestRegionOffset =
+ sizeof(manifest->signature) + sizeof(manifest->usage_constraints),
+ };
+ return (manifest_digest_region_t){
+ .start = (const char *)manifest + kDigestRegionOffset,
+ .length = manifest->length - kDigestRegionOffset,
};
}
@@ -324,7 +343,7 @@
* Declarations for the functions above that should be defined in tests.
*/
rom_error_t manifest_check(const manifest_t *manifest);
-manifest_signed_region_t manifest_signed_region_get(const manifest_t *manifest);
+manifest_digest_region_t manifest_digest_region_get(const manifest_t *manifest);
epmp_region_t manifest_code_region_get(const manifest_t *manifest);
uintptr_t manifest_entry_point_get(const manifest_t *manifest);
#endif
diff --git a/sw/device/silicon_creator/lib/manifest_unittest.cc b/sw/device/silicon_creator/lib/manifest_unittest.cc
index b2824dc..010de21 100644
--- a/sw/device/silicon_creator/lib/manifest_unittest.cc
+++ b/sw/device/silicon_creator/lib/manifest_unittest.cc
@@ -22,15 +22,17 @@
manifest_t manifest_{};
};
-TEST_F(ManifestTest, SignedRegionGet) {
- manifest_signed_region_t signed_region =
- manifest_signed_region_get(&manifest_);
+TEST_F(ManifestTest, DigestRegionGet) {
+ manifest_digest_region_t digest_region =
+ manifest_digest_region_get(&manifest_);
- // Signed region starts after `signature` and ends at the end of the image.
- EXPECT_EQ(signed_region.start, reinterpret_cast<const char *>(&manifest_) +
- sizeof(manifest_t::signature));
- EXPECT_EQ(signed_region.length,
- manifest_.length - sizeof(manifest_t::signature));
+ // Digest region starts immediately after `usage_constraints` and ends at the
+ // end of the image.
+ size_t digest_region_offset =
+ sizeof(manifest_t::signature) + sizeof(manifest_t::usage_constraints);
+ EXPECT_EQ(digest_region.start,
+ reinterpret_cast<const char *>(&manifest_) + digest_region_offset);
+ EXPECT_EQ(digest_region.length, manifest_.length - digest_region_offset);
}
TEST_F(ManifestTest, CodeRegionGet) {
diff --git a/sw/device/silicon_creator/lib/mock_manifest.h b/sw/device/silicon_creator/lib/mock_manifest.h
index 40be0cb..821e4ee 100644
--- a/sw/device/silicon_creator/lib/mock_manifest.h
+++ b/sw/device/silicon_creator/lib/mock_manifest.h
@@ -17,7 +17,7 @@
class MockManifest : public GlobalMock<MockManifest> {
public:
MOCK_METHOD(rom_error_t, Check, (const manifest_t *));
- MOCK_METHOD(manifest_signed_region_t, SignedRegion, (const manifest_t *));
+ MOCK_METHOD(manifest_digest_region_t, DigestRegion, (const manifest_t *));
MOCK_METHOD(epmp_region_t, CodeRegion, (const manifest_t *));
MOCK_METHOD(uintptr_t, EntryPoint, (const manifest_t *));
};
@@ -32,9 +32,9 @@
return MockManifest::Instance().Check(manifest);
}
-manifest_signed_region_t manifest_signed_region_get(
+manifest_digest_region_t manifest_digest_region_get(
const manifest_t *manifest) {
- return MockManifest::Instance().SignedRegion(manifest);
+ return MockManifest::Instance().DigestRegion(manifest);
}
epmp_region_t manifest_code_region_get(const manifest_t *manifest) {
diff --git a/sw/device/silicon_creator/mask_rom/mask_rom.c b/sw/device/silicon_creator/mask_rom/mask_rom.c
index 3a96741..0e60ea4 100644
--- a/sw/device/silicon_creator/mask_rom/mask_rom.c
+++ b/sw/device/silicon_creator/mask_rom/mask_rom.c
@@ -110,11 +110,18 @@
RETURN_IF_ERROR(sigverify_rsa_key_get(
sigverify_rsa_key_id_get(&manifest->modulus), lc_state, &key));
- // TODO(#5956): Manifest usage constraints.
- manifest_signed_region_t signed_region = manifest_signed_region_get(manifest);
hmac_sha256_init();
+ // Hash usage constraints.
+ manifest_usage_constraints_t usage_constraints_from_hw;
+ sigverify_usage_constraints_get(manifest->usage_constraints.selector_bits,
+ &usage_constraints_from_hw);
+ RETURN_IF_ERROR(hmac_sha256_update(&usage_constraints_from_hw,
+ sizeof(usage_constraints_from_hw)));
+ // Hash the remaining part of the image.
+ manifest_digest_region_t digest_region = manifest_digest_region_get(manifest);
RETURN_IF_ERROR(
- hmac_sha256_update(signed_region.start, signed_region.length));
+ hmac_sha256_update(digest_region.start, digest_region.length));
+ // Verify signature
hmac_digest_t act_digest;
RETURN_IF_ERROR(hmac_sha256_final(&act_digest));
RETURN_IF_ERROR(
