This document describes the composition of the Silicon Creator and Silicon Owner cryptographic identities and the Silicon Owner root key derivation scheme. This scheme is based on a symmetric key manager with support for software binding and key versioning.
This document also defines a non-cryptographic Device Identifier to facilitate silicon tracking during manufacturing flows. The Device Identifier is also mixed into the Creator Identity.
Further, this scheme is compatible with the Open DICE profile.
Overall identity flow:
DICE compatible identity flow:
Boot stages:
ROM
: Metal ROM, sometimes known as Boot ROM.ROM_EXT
: ROM Extension. Stored in flash and signed by the Silicon Creator[^1].BL0
: Bootloader. Signed by the Silicon Owner.Kernel
: Signed by the Silicon Owner.Key manager operations:
KM_DERIVE
: Key manager one-way function used to derive a new symmetric key.Memory state operations:
CLEAR_BEFORE_NEXT_BOOT_STAGE
: Clear key material before moving to the next boot stage.CLEAR_AFTER_USE
: Clear immediately after use.The device identifier is a globally unique 256b value provisioned on each device‘s OTP memory in early manufacturing stages (e.g. wafer test). It is used to facilitate device tracking during manufacturing and provisioning. This value is also used as a component in the generation of the device’s Silicon Creator Identity, a cryptographically unique identity.
The 256b value is split into two halves. The first contains hardware origin information following a global standard format, while the second one is defined by the device SKU provisioning requirements.
128b Hardware origin information
128b SKU specific device information
The device provisioner information varies for each provisioning use case. Each use case must have a specification defining the allocation of these bits. See the UICC EID Specification as an example.
CreatorRootKey
)The following sequence describes the creation of the CreatorRootKey
. All inputs into the key manager can be locked down during ROM execution.
The size of the inputs is dependent on the security strength and masking configuration of the implementation. Depending on the KM_DERIVE intrinsic function, one of the following two mixing operations is acceptable:
Cascading:
Key0 = KM_DERIVE(RootKey, DiversificationKey) Key1 = KM_DERIVE(Key0, HealthStateMeasurement) Key2 = KM_DERIVE(Key1, DeviceIdentifier) Key3 = KM_DERIVE(Key2, ROMExtSecurityDescriptor) CreatorRootKey = KM_DERIVE(Key3, HardwareRevisionSecret)
Collapsed:
The concatenation function must be injective. This can be achieved by fixing the width of all the operands.
CreatorRootKey = KM_DERIVE(RootKey, DiversificationKey | HealthStateMeasurement | DeviceIdentifier | ROMExtSecurityDescriptor | HardwareRevisionSecret)
Hidden from software once personalization is complete.
Hidden from software once provisioned.
Some values are read from the device life cycle controller. The device life cycle state should be consumed by the ROM stage.
The debug mode shall be used as well if there are multiple debug configurations supported by a single life cycle state.
The CreatorRootKey can be used to generate the Creator Identity key and the OwnerIntermediateKey described in the following sections.
The Creator Identity is an asymmetric key derived from the CreatorRootKey
. It is used as a cryptographic identifier bound to the device and the Silicon Creator. It is used to attest to the authenticity of the physical device and the ROM and ROM_EXT configuration.
The Creator Identity is generated as follows:
CreatorIdentitySeed = KM_DERIVE(CreatorRootKey, IdentityDiversificationConstant) // ASYM_KDF is a KDF function compliant to the Asymmetric Key // requirements defined in the Attestation specification document. CreatorIdentity_Private = ASYM_KDF(CreatorIdentitySeed) CLEAR_BEFORE_NEXT_BOOT_STAGE(CreatorIdentitySeed, CreatorIdentity_Private)
Hidden from software.
The CreatorIdentitySeed
and the private portion of the Creator Identity shall be cleared before the ROM Extension hands over execution to the Silicon Owner first boot stage.
The OwnerIntermediateKey
is used as a root component of the Silicon Owner key hierarchy. It is used to establish a cryptographic link to the root secrets provisioned at manufacturing time.
Visibility
The OwnerIntermediateKey
shall be kept hidden from software to mitigate owner impersonation attacks.
The OwnerIntermediateKey
is generated as follows:
OwnerIntermediateKey = KM_DERIVE(CreatorRootKey, OwnerRootSecret | SoftwareBindingValue)
The OwnerRootSecret has different visibility options depending on the level of isolation provided in hardware:
The Owner Identity is used as a cryptographic identifier bound to the device and the Silicon Owner. It is used in Attestation flows. The Owner Identity is not expected to change during the lifetime of the device ownership assignment.
OwnerIdentitySeed = KM_DERIVE(OwnerIntermediateKey, OwnerRootIdentityKey) // ASYM_KDF is a KDF function compliant to the Asymmetric Key // requirements defined in the Attestation specification document. OwnerIdentity_Private = ASYM_KDF(OwnerIdentitySeed) CLEAR_BEFORE_NEXT_BOOT_STAGE(OwnerRootSeed, OwnerIdentity_Private)
Visibility: Hidden from software.
The OwnerIdentitySeed
and the private portion of the Owner Identity shall be cleared before the bootloader (BL0) hands over execution to the kernel.
The key manager supports the generation of versioned keys with lineage to the OwnerRootKey
for software consumption and sideload operations.
OwnerRootKey = KM_DERIVE(OwnerIntermediateKey, SoftwareBindingValue) Key0 = KM_DERIVE(OwnerRootKey, KeyVersion) Key1 = KM_DERIVE(Key0, KeyID) Key2 = KM_DERIVE(Key1, Salt) VersionedKey = KM_DERIVE(Key2, SoftwareExportConstant) CLEAR_AFTER_USE(VersionedKey)
If the implementation allows it, the generation of the version key can be collapsed as follows:
OwnerRootKey = KM_DERIVE(OwnerIntermediateKey, SoftwareBindingValue) VersionedKey = KM_DERIVE(OwnerRootKey, KeyVersion | KeyID | Salt | SoftwareExportConstant)
The concatenation function must be injective. This can be achieved by fixing the width of all the operands.
Visibility: Hidden from software.
The value should also pass the version comparison criteria configured during secure boot. See Key Versioning for more details.
Visibility: Hidden from software.
Software binding is used to ensure that the key derivation scheme is only reproducible for a trusted software configuration. This is achieved by having the secure boot implementation configure runtime-irrevocable binding tags in the key derivation scheme. Such tags are usually delivered inside the signed manifest of each code partition.
OpenTitan shall support software binding for at least two Silicon Owner code stages (e.g. bootloader and kernel). It is expected that the kernel will implement binding with the application layer exclusively in software.
Each key manager binding stage shall provide at least 128b of data.
Key versioning is the mechanism by which software implements key rotation triggered by security updates. Since there may be more than one updateable code partition in the system, the key versioning scheme has to implement at least 8 32b version comparators with lockable controls, which will be configured as part of the secure boot process.
The next figure shows an example on how to configure the maximum key version constraints in the key manager. The ROM_EXT software verifies the BL0 manifest, and configures one of the maximum key version registers with the maximum allowable version stored in the BL0 manifest. In the same way, the BL0 software verifies the Kernel manifest and configures a separate key version register. The software implementation is free to allocate more than one maximum key version register per boot stage.
Note: The diagram is overly simplified and does not take into account security hardening.
Secrets wrapped with versioned keys shall have additional metadata including Key Version, Key ID and salt information.
The versioned key generation is gated on the version comparison check enforced by the key manager implementation. The following set of operations will only succeed if the key version set by software is valid.
Note: The diagram is overly simplified and does not take into account security hardening.
The hardware may opt to implement a software interface with higher level one-way step functions to advance the internal state of the key manager. The following are the minimum set of steps required:
1 CreatorRootKey 2 OwnerIntermediateKey 3 OwnerRootKey
Instantiations of the key manager can be conditioned to start at the current internal state of the key manager, for example, kernel-level instantiations may always start at the OwnerRootKey
level, assuming the previous boot stages advanced the state of the key manager.
The following code block presents a simplified version of an API implemented on hardware with support for high level step functions.
typedef enum kmgr_state { kKMgrUninitialized = 0, kKMgrCreatorRootKey, kKMgrOwnerIntermediateKey, kKMgrOwnerRootKey, kKMgrDisabled, } kmgr_state_t; /** * Initialise an instance of the Key Manager * * @param base_addr Base address of an instance of the Key Manager * @param kmgr Key Manager state data. * @return true if the function was successful, false otherwise */ bool keymgr_init(mmio_region_t base_addr, kmgr_t* kmgr); /** * Advance Key Manager state * * Advances internal state of Key Manager. All state transitions * persist until the next system reset. * * The hardware supports the following transitions: * Uninitialized --> CreatorRootKey --> * OwnerIntermediateKey --> OwnerRootKey * * Defensive measures may trigger a state transition to Disabled. * * @param kmgr Key Manager state data. * @return true if the function was successful, false otherwise. */ bool keymgr_advance_state(const kmgr_t* kmgr); /** * @return Current Key Manager state associated with |kmgr| * instance */ kmgr_state_t keymgr_get_state(const kmgr_t* kmgr);
The following high level software interface may be supported by hardware to generate versioned keys. The hardware may opt to implement versioned key functionality at each of the high level key manager states.
/** * Generate versioned key for a given |key_id|. * * Generates a versioned key rooted in the current state of the * key manager. Requires the key manager to be in one of the * following states: * CreatorRootKey, OwnerIntermediateKey, OwnerRootKey * * @param kmgr Key Manager state data. * @param key_version Key version. Each version 32b word shall * be less than its associated max version value. Requires the * maximum version registers to be configured before calling this * function * @param key_id Key identifier. * @param versioned_key Key output. * @return true if the function was successful, false otherwise. */ bool keymgr_generate_vk(const kmgr_t *kmgr, const uint32_t key_version[8], const uint32_t key_id[8] uint32_t *versioned_key[8]);
The Silicon Creator and Silicon Owner identities may be collapsed, leaving the Silicon Creator identity as the sole identity supported by the platform. This would require the Ownership Transfer flow to support a Certificate Signing Request (CSR) command to be able to endorse the identity by the owner PKI.
The current approach enforces a separate OwnerRootSecret provisioned at Ownership Transfer time to provide isolation between device owners.
The identities can be generated outside the key manager and be completely managed by software. The key manager in this case can be used to generate storage wrapping keys for the identity seeds.
The current design includes support for identity states which forces the mixing of class level constants (i.e. IdentityDiversificationConstant
, OwnerRootIdentityKey
) for each identity seed. This ensures lineage to the RootKey and the Device Identifier. Additional provisioning requirements would have to be considered if the Identity Seeds are not derived from the Root Key.
The hardware may be required to support more than 256b of software binding data. Additional bits may be added in 256b increments to support more complex software binding schemes.
KM_DERIVE function and security strength claims
Key Manager derive functions should support at least 256b of security strength.
Note on standards: The key derivation function (KM_DERIVE
), when instantiated with a Pseudorandom Function (PRF), shall be compatible with NIST SP 800-133r2[^2] section 6.3: Symmetric Keys Produced by Combining (Multiple) Keys and Other Data. This imposes provisioning requirements for the root keys, which are covered in the Provisioning specification.
Security strength for the KM_DERIVE
function based on a Pseudorandom Function (PRF)[^3]:
SCA countermeasures for AES are more widely available in literature.
No planned support for HMAC-SHA3.
Need to verify with a lab that the claim for 800-133r2 section 6.3 compliance holds.
Certification using a KMAC construction is challenged by the following issues.
Common Criteria:
FIPS - NIST specs:
Security strength for the KM_DERIVE function based on a Deterministic RNG (DRNG):
Compliant to NIST 800-133r2 section 4 (Need to verify claim with a lab).
Key recovery attacks on user inputs
The hardware shall support countermeasures against key recovery attacks for all software controlled inputs.
Version comparison registers
The hardware shall support at least 8 32b write-lockable version comparison registers to provide key versioning functionality.
Software-Hardware binding registers
The hardware shall support at least 256b of software write-lockable registers to implement software-hardware key manager binding as part of the secure boot implementation.
Support for key IDs (key handles or salt value)
The hardware shall support versioned key derivations for software provided key IDs. A key ID is defined as a 256b value used as a key handle.
Root secrets isolation from software
The hardware shall isolate the RootKey
and other provisioned secrets from software after completion of personalization at manufacturing time.
Isolation between boot stages
Later boot stages shall have no access to secrets maintained by previous boot stages.
Lockable inputs
The software shall configure runtime lockable inputs as part of the secure boot implementation to fix the construction of identities and root keys in the key manager.
Integrity and confidentiality of secret values
Hardware secrets stored in OTP and flash shall be scrambled to increase the difficulty of physical attacks.
Silicon Creator identity invalidation (optional)
ROM Extension updates may invalidate the Silicon Owner and Silicon Creator identities as well as the root keys.
Fallback support
The implementation should consider a software based backup mechanism to mitigate security and/or certification issues with the main implementation. The backup mechanism shall not rely on secrets from the main implementation.
[^1]: The Silicon Creator is the logical entity, or logical collection of entities that manufactures, packages, tests and provisions the chip with its first identity.
[^2]: Recommendation for Cryptographic Key Generation (NIST SP 800-133r2).
[^3]: Security strengths for PRF functions as documented in: Recommendation for Key-Derivation Methods in Key-Establishment Schemes (NIST 800-56Cr1)
[^4]: SOG-IS Crypto Working Group SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms