From 9ad76bcf40826141a04ee28c57d23d0581755da5 Mon Sep 17 00:00:00 2001
From: Tim Trippel
Date: Fri, 7 Feb 2025 09:33:57 -0800
Subject: [PATCH] [rom_ext] fix CDI_* update bug
If non-CWT CDI certs are found in flash info page 19, we should treat this case as if the cert page is empty, and regenerate the certs. This enables running an X.509 ROM_EXT first and changing to a CWT ROM_EXT later. Since UDS cert is never generated outside perso (and is on a separate flash page), the UDS cert format is defined at provisioning time.
Signed-off-by: Tim Trippel
---
 sw/device/silicon_creator/rom_ext/rom_ext.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sw/device/silicon_creator/rom_ext/rom_ext.c b/sw/device/silicon_creator/rom_ext/rom_ext.c
index 39efe31eb9d704..22b0e379597ea0 100644
--- a/sw/device/silicon_creator/rom_ext/rom_ext.c
+++ b/sw/device/silicon_creator/rom_ext/rom_ext.c
@@ -630,9 +630,14 @@ static rom_error_t dice_chain_load_cert_obj(const char *name,
 HARDENED_RETURN_IF_ERROR(err);
- // Check if this cert is what we are looking for.
+ // Check if this cert is what we are looking for. The name and type (X.509 vs
+ // CWT) should match.
 HARDENED_CHECK_LE(name_size, sizeof(dice_chain.cert_obj.name));
- if (name == NULL || memcmp(dice_chain.cert_obj.name, name, name_size) != 0) {
+ const perso_tlv_object_type_t kExpectedCertType =
+ kDiceCertFormat == kDiceCertFormatX509TcbInfo ? kPersoObjectTypeX509Cert
+ : kPersoObjectTypeCwtCert;
+ if (name == NULL || memcmp(dice_chain.cert_obj.name, name, name_size) != 0 ||
+ kExpectedCertType != dice_chain.cert_obj.obj_type) {
 // Name unmatched, keep the cert_obj but mark it as invalid.
 dice_chain.cert_valid = kHardenedBoolFalse;
 return kErrorOk;