[rom_ext] fix CDI_* update bug

If non-CWT CDI certs are found in flash info page 19, we should treat this case as if the cert page is empty, and regenerate the certs. This enables running an X.509 ROM_EXT first and changing to a CWT ROM_EXT later. Since UDS cert is never generated outside perso (and is on a separate flash page), the UDS cert format is defined at provisioning time. Signed-off-by: Tim Trippel <[email protected]>
lowRISC · Feb 7, 2025 · 9ad76bc · 9ad76bc
1 parent 2d37e7b
commit 9ad76bc
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/sw/device/silicon_creator/rom_ext/rom_ext.c b/sw/device/silicon_creator/rom_ext/rom_ext.c
@@ -630,9 +630,14 @@ static rom_error_t dice_chain_load_cert_obj(const char *name,
 
   HARDENED_RETURN_IF_ERROR(err);
 
-  // Check if this cert is what we are looking for.
+  // Check if this cert is what we are looking for. The name and type (X.509 vs
+  // CWT) should match.
   HARDENED_CHECK_LE(name_size, sizeof(dice_chain.cert_obj.name));
-  if (name == NULL || memcmp(dice_chain.cert_obj.name, name, name_size) != 0) {
+  const perso_tlv_object_type_t kExpectedCertType =
+      kDiceCertFormat == kDiceCertFormatX509TcbInfo ? kPersoObjectTypeX509Cert
+                                                    : kPersoObjectTypeCwtCert;
+  if (name == NULL || memcmp(dice_chain.cert_obj.name, name, name_size) != 0 ||
+      kExpectedCertType != dice_chain.cert_obj.obj_type) {
     // Name unmatched, keep the cert_obj but mark it as invalid.
     dice_chain.cert_valid = kHardenedBoolFalse;
     return kErrorOk;