Move min-SVN calculation from FMC to ROM. (#1812)

This change moves the min-SVN check from FMC to ROM.
chipsalliance · Nov 25, 2024 · f22cbca · f22cbca
1 parent 0076a1b
commit f22cbca
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 94 deletions.
diff --git a/drivers/src/hand_off.rs b/drivers/src/hand_off.rs
@@ -293,19 +293,13 @@ pub struct FirmwareHandoffTable {
     pub rtalias_tbs_size: u16,
 
     /// Maximum value RT FW SVN can take.
-    #[cfg(any(feature = "fmc", feature = "runtime"))]
     pub rt_hash_chain_max_svn: u16,
 
     /// Index of RT hash chain value in the Key Vault.
-    #[cfg(any(feature = "fmc", feature = "runtime"))]
     pub rt_hash_chain_kv_hdl: HandOffDataHandle,
 
     /// Reserved for future use.
-    #[cfg(any(feature = "fmc", feature = "runtime"))]
     pub reserved: [u8; 1632],
-
-    #[cfg(not(any(feature = "fmc", feature = "runtime")))]
-    pub reserved: [u8; 1638],
 }
 
 impl Default for FirmwareHandoffTable {
@@ -347,16 +341,9 @@ impl Default for FirmwareHandoffTable {
             idev_dice_mldsa_pub_key_load_addr: 0,
             rom_info_addr: RomAddr::new(FHT_INVALID_ADDRESS),
             rtalias_tbs_size: 0,
-
-            #[cfg(any(feature = "fmc", feature = "runtime"))]
             rt_hash_chain_max_svn: 0,
-            #[cfg(any(feature = "fmc", feature = "runtime"))]
             rt_hash_chain_kv_hdl: HandOffDataHandle(0),
-            #[cfg(any(feature = "fmc", feature = "runtime"))]
             reserved: [0u8; 1632],
-
-            #[cfg(not(any(feature = "fmc", feature = "runtime")))]
-            reserved: [0u8; 1638],
         }
     }
 }

diff --git a/fmc/src/flow/rt_alias.rs b/fmc/src/flow/rt_alias.rs
@@ -111,9 +111,6 @@ impl RtAliasLayer {
             .set_pcr_lock(caliptra_common::RT_FW_JOURNEY_PCR);
         cprintln!("[alias rt] Lock RT PCRs Done");
 
-        cprintln!("[alias rt] Populate DV");
-        Self::populate_dv(env)?;
-        cprintln!("[alias rt] Populate DV Done");
         report_boot_status(crate::FmcBootStatus::RtMeasurementComplete as u32);
 
         // Retrieve Dice Input Layer from Hand Off and Derive Key
@@ -183,27 +180,6 @@ impl RtAliasLayer {
         }
     }
 
-    /// Populate Data Vault
-    ///
-    /// # Arguments
-    ///
-    /// * `env` - FMC Environment
-    /// * `hand_off` - HandOff
-    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
-    pub fn populate_dv(env: &mut FmcEnv) -> CaliptraResult<()> {
-        let rt_svn = HandOff::rt_svn(env);
-        let reset_reason = env.soc_ifc.reset_reason();
-
-        let rt_min_svn = if reset_reason == ResetReason::ColdReset {
-            cfi_assert_eq(reset_reason, ResetReason::ColdReset);
-            rt_svn
-        } else {
-            core::cmp::min(rt_svn, HandOff::rt_min_svn(env))
-        };
-
-        HandOff::set_and_lock_rt_min_svn(env, rt_min_svn)
-    }
-
     fn get_cert_validity_info(
         manifest: &caliptra_image_types::ImageManifest,
     ) -> (NotBefore, NotAfter) {

diff --git a/fmc/src/hand_off.rs b/fmc/src/hand_off.rs
@@ -196,50 +196,6 @@ impl HandOff {
         }
     }
 
-    /// Retrieve runtime minimum SVN.
-    pub fn rt_min_svn(env: &FmcEnv) -> u32 {
-        let ds: DataStore =
-            Self::fht(env)
-                .rt_min_svn_dv_hdl
-                .try_into()
-                .unwrap_or_else(|e: CaliptraError| {
-                    cprintln!("[fht] Invalid RT Min SVN handle");
-                    handle_fatal_error(e.into())
-                });
-
-        // The data store must be a warm reset entry.
-        match ds {
-            DataVaultNonSticky4(dv_entry) => env.data_vault.read_warm_reset_entry4(dv_entry),
-            _ => {
-                handle_fatal_error(CaliptraError::FMC_HANDOFF_INVALID_PARAM.into());
-            }
-        }
-    }
-
-    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
-    pub fn set_and_lock_rt_min_svn(env: &mut FmcEnv, min_svn: u32) -> CaliptraResult<()> {
-        let ds: DataStore =
-            Self::fht(env)
-                .rt_min_svn_dv_hdl
-                .try_into()
-                .unwrap_or_else(|e: CaliptraError| {
-                    cprintln!("[fht] Invalid RT Min SVN handle");
-                    handle_fatal_error(e.into())
-                });
-
-        // The data store must be a warm reset entry.
-        match ds {
-            DataVaultNonSticky4(dv_entry) => {
-                env.data_vault.write_warm_reset_entry4(dv_entry, min_svn);
-                env.data_vault.lock_warm_reset_entry4(dv_entry);
-                Ok(())
-            }
-            _ => {
-                handle_fatal_error(CaliptraError::FMC_HANDOFF_INVALID_PARAM.into());
-            }
-        }
-    }
-
     /// Store runtime Dice Signature
     #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
     pub fn set_rt_dice_signature(env: &mut FmcEnv, sig: &Ecc384Signature) {
@@ -270,18 +226,6 @@ impl HandOff {
         }
     }
 
-    #[allow(dead_code)]
-    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
-    pub fn set_rt_hash_chain_max_svn(env: &mut FmcEnv, max_svn: u16) {
-        Self::fht_mut(env).rt_hash_chain_max_svn = max_svn;
-    }
-
-    #[allow(dead_code)]
-    #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
-    pub fn set_rt_hash_chain_kv_hdl(env: &mut FmcEnv, kv_slot: KeyId) {
-        Self::fht_mut(env).rt_hash_chain_kv_hdl = Self::key_id_to_handle(kv_slot)
-    }
-
     /// The FMC CDI is stored in a 32-bit DataVault sticky register.
     fn key_id_to_handle(key_id: KeyId) -> HandOffDataHandle {
         HandOffDataHandle(((Vault::KeyVault as u32) << 12) | key_id as u32)

diff --git a/rom/dev/src/flow/cold_reset/fw_processor.rs b/rom/dev/src/flow/cold_reset/fw_processor.rs
@@ -567,6 +567,7 @@ impl FirmwareProcessor {
         data_vault.write_warm_reset_entry48(WarmResetEntry48::RtTci, &info.runtime.digest.into());
 
         data_vault.write_warm_reset_entry4(WarmResetEntry4::RtSvn, info.fw_svn);
+        data_vault.write_warm_reset_entry4(WarmResetEntry4::RtMinSvn, info.fw_svn); // At cold-boot, min_svn == curr_svn
 
         data_vault.write_warm_reset_entry4(WarmResetEntry4::RtEntryPoint, info.runtime.entry_point);
 

diff --git a/rom/dev/src/flow/update_reset.rs b/rom/dev/src/flow/update_reset.rs
@@ -215,7 +215,11 @@ impl UpdateResetFlow {
     fn populate_data_vault(data_vault: &mut DataVault, info: &ImageVerificationInfo) {
         data_vault.write_warm_reset_entry48(WarmResetEntry48::RtTci, &info.runtime.digest.into());
 
+        let cur_min_svn = data_vault.read_warm_reset_entry4(WarmResetEntry4::RtMinSvn);
+        let new_min_svn = core::cmp::min(cur_min_svn, info.fw_svn);
+
         data_vault.write_warm_reset_entry4(WarmResetEntry4::RtSvn, info.fw_svn);
+        data_vault.write_warm_reset_entry4(WarmResetEntry4::RtMinSvn, new_min_svn);
 
         data_vault.write_warm_reset_entry4(WarmResetEntry4::RtEntryPoint, info.runtime.entry_point);
 

diff --git a/rom/dev/src/lock.rs b/rom/dev/src/lock.rs
@@ -99,7 +99,9 @@ fn lock_common_reg_set(env: &mut RomEnv) {
     env.data_vault
         .lock_warm_reset_entry4(WarmResetEntry4::RtSvn);
 
-    // Do not lock Runtime minimum SVN; FMC will manage this.
+    // Lock the Firmware Min-SVN in data vault until next reset
+    env.data_vault
+        .lock_warm_reset_entry4(WarmResetEntry4::RtMinSvn);
 
     // Lock the Runtime entry point in data vault until next reset
     env.data_vault