Software APIs
personalize_ext.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MANUF_BASE_PERSONALIZE_EXT_H_
6 #define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MANUF_BASE_PERSONALIZE_EXT_H_
7 
8 #include "sw/device/lib/base/status.h"
9 #include "sw/device/lib/dif/dif_flash_ctrl.h"
10 #include "sw/device/lib/testing/json/provisioning_data.h"
11 #include "sw/device/silicon_creator/lib/cert/cert.h"
12 #include "sw/device/silicon_creator/lib/sigverify/ecdsa_p256_key.h"
13 
14 enum {
15  /**
16  * Index of the first available page in the `cert_flash_layout` array that
17  * personalization extensions may use.
18  */
19  kCertFlashLayoutExt0Idx = 2,
20  /**
21  * Index of the second available page in the `cert_flash_layout` array that
22  * personalization extensions may use.
23  */
24  kCertFlashLayoutExt1Idx = 3,
25 };
26 
27 /**
28  * Parameters passed to personalization extension function invoked before data
29  * is sent to the host for endorsement. Not all parameters are necessarily used
30  * by all extension implementations.
31  */
32 typedef struct personalize_extension_pre_endorse {
33  /**
34  * Serialization interface, marshals/unmarshals structures' fields and
35  * communicates with the host.
36  */
37  ujson_t *uj;
38  /**
39  * Pointer to information used for generating certificates.
40  */
41  manuf_certgen_inputs_t *certgen_inputs;
42  /**
43  * Pointer to the TLV data blob sent to the host for endorsement.
44  */
45  perso_blob_t *perso_blob_to_host;
46  /**
47  * Pointer to the flash layout table, the extension could enable disabled
48  * entries in the table and configure its INFO space use so that the caller
49  * knows where to place endorsed objects received from the host.
50  */
51  cert_flash_info_layout_t *cert_flash_layout;
52  /**
53  * Pointer to the flash controller handle necessary for proper flash access.
54  */
55  dif_flash_ctrl_state_t *flash_ctrl_handle;
56  /**
57  * Pointer to the UDS public key. Personalization extensions may require
58  * accessing it to generate different certificate chains that fit a specific
59  * SKU's requirements.
60  */
61  ecdsa_p256_public_key_t *uds_pubkey;
62  hmac_digest_t *uds_pubkey_id;
63  /**
64  * Pointer to the OTP measurements used to generate the UDS public key.
65  * Personalization extensions may require accessing these to generate
66  * different certificate chains that fit a specific SKU's requirements.
67  */
68  hmac_digest_t *otp_creator_sw_cfg_measurement;
69  hmac_digest_t *otp_owner_sw_cfg_measurement;
70  hmac_digest_t *otp_rot_creator_auth_codesign_measurement;
71  hmac_digest_t *otp_rot_creator_auth_state_measurement;
72 } personalize_extension_pre_endorse_t;
73 
74 /**
75  * Parameters passed to personalization extension function invoked after the
76  * host finished endorsement processing and sent endorsed data to the device.
77  */
78 typedef struct personalize_extension_post_endorse {
79  /**
80  * Serialization interface, marshals/unmarshals structures' fields and
81  * communicates with the host.
82  */
83  ujson_t *uj;
84  /**
85  * Pointer to the TLV data blob received from the host.
86  */
87  perso_blob_t *perso_blob_from_host;
88  /**
89  * Pointer to the flash layout table used previously when saving pre
90  * endorsement data..
91  */
92  cert_flash_info_layout_t *cert_flash_layout;
93 } personalize_extension_post_endorse_t;
94 
95 /**
96  * A custom extension to the personalization flow.
97  *
98  * This extension runs *BEFORE* TBS certificates are sent to the host to be
99  * endorsed. Implementing this extension enables SKU owners to add more TBS
100  * certificates to the list of certificates to be endorsed by the host.
101  */
102 status_t personalize_extension_pre_cert_endorse(
103  personalize_extension_pre_endorse_t *pre_params);
104 
105 /**
106  * A custom extension to the personalization flow.
107  *
108  * This extension runs *AFTER* (endorsed) certificates are sent back to the
109  * device from the host. Implementing this extension enables SKU owners to
110  * provision additional data into flash, in addition to the endorsed
111  * certificates in the `perso_blob_from_host` struct.
112  */
113 status_t personalize_extension_post_cert_endorse(
114  personalize_extension_post_endorse_t *post_params);
115 
116 #endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MANUF_BASE_PERSONALIZE_EXT_H_
Return to OpenTitan Documentation