Software APIs
keymgr.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/silicon_creator/lib/drivers/keymgr.h"
6 
7 #include <assert.h>
8 
9 #include "sw/device/lib/base/abs_mmio.h"
10 #include "sw/device/lib/base/macros.h"
11 #include "sw/device/lib/runtime/hart.h"
12 #include "sw/device/silicon_creator/lib/base/sec_mmio.h"
13 
14 #include "hw/top_earlgrey/sw/autogen/top_earlgrey.h"
15 #include "keymgr_regs.h" // Generated.
16 
17 #define KEYMGR_ASSERT(a, b) static_assert(a == b, "Bad value for " #a)
18 KEYMGR_ASSERT(kScKeymgrStateReset, KEYMGR_WORKING_STATE_STATE_VALUE_RESET);
19 KEYMGR_ASSERT(kScKeymgrStateInit, KEYMGR_WORKING_STATE_STATE_VALUE_INIT);
20 KEYMGR_ASSERT(kScKeymgrStateCreatorRootKey,
21  KEYMGR_WORKING_STATE_STATE_VALUE_CREATOR_ROOT_KEY);
22 KEYMGR_ASSERT(kScKeymgrStateOwnerIntermediateKey,
23  KEYMGR_WORKING_STATE_STATE_VALUE_OWNER_INTERMEDIATE_KEY);
24 KEYMGR_ASSERT(kScKeymgrStateOwnerKey,
25  KEYMGR_WORKING_STATE_STATE_VALUE_OWNER_KEY);
26 KEYMGR_ASSERT(kScKeymgrStateDisabled,
27  KEYMGR_WORKING_STATE_STATE_VALUE_DISABLED);
28 KEYMGR_ASSERT(kScKeymgrStateInvalid, KEYMGR_WORKING_STATE_STATE_VALUE_INVALID);
29 
30 enum {
31  kBase = TOP_EARLGREY_KEYMGR_BASE_ADDR,
32 };
33 
34 /**
35  * Checks the key manager `expected_state`.
36  *
37  * This function reads and clears the status and error code registers.
38  *
39  * @return `kErrorOk` if the key manager is at the `expected_state` and the
40  * status is idle or success.
41  */
42 OT_WARN_UNUSED_RESULT
43 static rom_error_t expected_state_check(uint32_t expected_state) {
44  // Read and clear the status register by writing back the read value,
45  // polling until the status is non-WIP.
46  uint32_t op_status;
47  uint32_t op_status_field;
48  do {
49  op_status = abs_mmio_read32(kBase + KEYMGR_OP_STATUS_REG_OFFSET);
50  abs_mmio_write32(kBase + KEYMGR_OP_STATUS_REG_OFFSET, op_status);
51  op_status_field =
52  bitfield_field32_read(op_status, KEYMGR_OP_STATUS_STATUS_FIELD);
53  } while (op_status_field == KEYMGR_OP_STATUS_STATUS_VALUE_WIP ||
54  op_status_field == KEYMGR_OP_STATUS_STATUS_VALUE_DONE_SUCCESS);
55 
56  // Read and clear the error register by writing back the read value.
57  uint32_t error_code = abs_mmio_read32(kBase + KEYMGR_ERR_CODE_REG_OFFSET);
58  abs_mmio_write32(kBase + KEYMGR_ERR_CODE_REG_OFFSET, error_code);
59 
60  // Read the working state with sec_mmio so that we can check the expected
61  // value periodically.
62  uint32_t got_state = sec_mmio_read32(kBase + KEYMGR_WORKING_STATE_REG_OFFSET);
63  if (op_status_field == KEYMGR_OP_STATUS_STATUS_VALUE_IDLE &&
64  error_code == 0u && got_state == expected_state) {
65  return kErrorOk;
66  }
67  return kErrorKeymgrInternal;
68 }
69 
70 void sc_keymgr_entropy_reseed_interval_set(uint16_t entropy_reseed_interval) {
71  SEC_MMIO_ASSERT_WRITE_INCREMENT(kScKeymgrSecMmioEntropyReseedIntervalSet, 1);
72  uint32_t reg = bitfield_field32_write(
73  0, KEYMGR_RESEED_INTERVAL_SHADOWED_VAL_FIELD, entropy_reseed_interval);
74  sec_mmio_write32_shadowed(kBase + KEYMGR_RESEED_INTERVAL_SHADOWED_REG_OFFSET,
75  reg);
76 }
77 
78 void sc_keymgr_sw_binding_set(
79  const keymgr_binding_value_t *binding_value_sealing,
80  const keymgr_binding_value_t *binding_value_attestation) {
81  SEC_MMIO_ASSERT_WRITE_INCREMENT(kScKeymgrSecMmioSwBindingSet, 17);
82 
83  // Write and lock (rw0c) the software binding value. This register is unlocked
84  // by hardware upon a successful state transition.
85  for (size_t i = 0; i < ARRAYSIZE(binding_value_sealing->data); ++i) {
86  sec_mmio_write32(
87  kBase + KEYMGR_SEALING_SW_BINDING_0_REG_OFFSET + i * sizeof(uint32_t),
88  binding_value_sealing->data[i]);
89  }
90  for (size_t i = 0; i < ARRAYSIZE(binding_value_attestation->data); ++i) {
91  sec_mmio_write32(
92  kBase + KEYMGR_ATTEST_SW_BINDING_0_REG_OFFSET + i * sizeof(uint32_t),
93  binding_value_attestation->data[i]);
94  }
95  sec_mmio_write32(kBase + KEYMGR_SW_BINDING_REGWEN_REG_OFFSET, 0);
96 }
97 
98 void sc_keymgr_sw_binding_unlock_wait(void) {
99  while (!abs_mmio_read32(kBase + KEYMGR_SW_BINDING_REGWEN_REG_OFFSET)) {
100  }
101  // Ignore the return value since this read is performed to check and update
102  // the expected value.
103  OT_DISCARD(sec_mmio_read32(kBase + KEYMGR_SW_BINDING_REGWEN_REG_OFFSET));
104 }
105 
106 void sc_keymgr_creator_max_ver_set(uint32_t max_key_ver) {
107  SEC_MMIO_ASSERT_WRITE_INCREMENT(kScKeymgrSecMmioCreatorMaxVerSet, 2);
108  // Write and lock (rw0c) the max key version.
109  sec_mmio_write32_shadowed(
110  kBase + KEYMGR_MAX_CREATOR_KEY_VER_SHADOWED_REG_OFFSET, max_key_ver);
111  sec_mmio_write32(kBase + KEYMGR_MAX_CREATOR_KEY_VER_REGWEN_REG_OFFSET, 0);
112 }
113 
114 void sc_keymgr_owner_int_max_ver_set(uint32_t max_key_ver) {
115  SEC_MMIO_ASSERT_WRITE_INCREMENT(kScKeymgrSecMmioOwnerIntMaxVerSet, 2);
116  // Write and lock (rw0c) the max key version.
117  sec_mmio_write32_shadowed(
118  kBase + KEYMGR_MAX_OWNER_INT_KEY_VER_SHADOWED_REG_OFFSET, max_key_ver);
119  sec_mmio_write32(kBase + KEYMGR_MAX_OWNER_INT_KEY_VER_REGWEN_REG_OFFSET, 0);
120 }
121 
122 void sc_keymgr_owner_max_ver_set(uint32_t max_key_ver) {
123  SEC_MMIO_ASSERT_WRITE_INCREMENT(kScKeymgrSecMmioOwnerMaxVerSet, 2);
124  // Write and lock (rw0c) the max key version.
125  sec_mmio_write32_shadowed(
126  kBase + KEYMGR_MAX_OWNER_KEY_VER_SHADOWED_REG_OFFSET, max_key_ver);
127  sec_mmio_write32(kBase + KEYMGR_MAX_OWNER_KEY_VER_REGWEN_REG_OFFSET, 0);
128 }
129 
130 void sc_keymgr_advance_state(void) {
131  uint32_t reg =
132  bitfield_field32_write(0, KEYMGR_CONTROL_SHADOWED_DEST_SEL_FIELD,
133  KEYMGR_CONTROL_SHADOWED_DEST_SEL_VALUE_NONE);
134  reg = bitfield_field32_write(reg, KEYMGR_CONTROL_SHADOWED_OPERATION_FIELD,
135  KEYMGR_CONTROL_SHADOWED_OPERATION_VALUE_ADVANCE);
136  abs_mmio_write32_shadowed(kBase + KEYMGR_CONTROL_SHADOWED_REG_OFFSET, reg);
137 
138  abs_mmio_write32(kBase + KEYMGR_START_REG_OFFSET, 1);
139 }
140 
141 rom_error_t sc_keymgr_state_check(sc_keymgr_state_t expected_state) {
142  return expected_state_check(expected_state);
143 }
144 
145 /**
146  * Fails if the keymgr is not idle.
147  *
148  * @return OK if the key manager is idle, kErrorKeymgrInternal otherwise.
149  */
150 OT_WARN_UNUSED_RESULT
151 static rom_error_t keymgr_is_idle(void) {
152  uint32_t reg = abs_mmio_read32(kBase + KEYMGR_OP_STATUS_REG_OFFSET);
153  uint32_t status = bitfield_field32_read(reg, KEYMGR_OP_STATUS_STATUS_FIELD);
154  if (launder32(status) == KEYMGR_OP_STATUS_STATUS_VALUE_IDLE) {
155  HARDENED_CHECK_EQ(status, KEYMGR_OP_STATUS_STATUS_VALUE_IDLE);
156  return kErrorOk;
157  }
158  return kErrorKeymgrInternal;
159 }
160 
161 /**
162  * Wait for the key manager to finish an operation.
163  *
164  * Polls the key manager until it is no longer busy. If the operation completed
165  * successfully or the key manager was already idle, returns kErrorOk. If
166  * there was an error during the operation, reads and clears the error code
167  * and returns kErrorKeymgrInternal.
168  *
169  * @return OK or error.
170  */
171 OT_WARN_UNUSED_RESULT
172 static rom_error_t keymgr_wait_until_done(void) {
173  // Poll the OP_STATUS register until it is something other than "WIP".
174  uint32_t reg;
175  uint32_t status;
176  do {
177  // Read OP_STATUS and then clear by writing back the value we read.
178  reg = abs_mmio_read32(kBase + KEYMGR_OP_STATUS_REG_OFFSET);
179  abs_mmio_write32(kBase + KEYMGR_OP_STATUS_REG_OFFSET, reg);
180  status = bitfield_field32_read(reg, KEYMGR_OP_STATUS_STATUS_FIELD);
181  } while (status == KEYMGR_OP_STATUS_STATUS_VALUE_WIP);
182 
183  // Check if the key manager reported errors. If it is already idle or
184  // completed an operation successfully, return an OK status. A `WIP` status
185  // should not be possible because of the check above.
186  switch (launder32(status)) {
187  case KEYMGR_OP_STATUS_STATUS_VALUE_IDLE:
188  HARDENED_CHECK_EQ(status, KEYMGR_OP_STATUS_STATUS_VALUE_IDLE);
189  return kErrorOk;
190  case KEYMGR_OP_STATUS_STATUS_VALUE_DONE_SUCCESS:
191  HARDENED_CHECK_EQ(status, KEYMGR_OP_STATUS_STATUS_VALUE_DONE_SUCCESS);
192  return kErrorOk;
193  case KEYMGR_OP_STATUS_STATUS_VALUE_DONE_ERROR: {
194  // Clear the ERR_CODE register before returning.
195  uint32_t err_code = abs_mmio_read32(kBase + KEYMGR_ERR_CODE_REG_OFFSET);
196  abs_mmio_write32(kBase + KEYMGR_ERR_CODE_REG_OFFSET, err_code);
197  return kErrorKeymgrInternal;
198  }
199  }
200 
201  // Should be unreachable.
202  HARDENED_TRAP();
203  return kErrorKeymgrInternal;
204 }
205 
206 rom_error_t sc_keymgr_generate_key(
207  sc_keymgr_dest_t destination, sc_keymgr_key_type_t key_type,
208  sc_keymgr_diversification_t diversification) {
209  HARDENED_RETURN_IF_ERROR(keymgr_is_idle());
210 
211  uint32_t ctrl = 0;
212 
213  // Select OTBN as the destination.
214  ctrl = bitfield_field32_write(0, KEYMGR_CONTROL_SHADOWED_DEST_SEL_FIELD,
215  destination);
216 
217  // Select the attestation CDI.
218  if (key_type == kScKeymgrKeyTypeAttestation) {
219  ctrl =
220  bitfield_bit32_write(ctrl, KEYMGR_CONTROL_SHADOWED_CDI_SEL_BIT, true);
221  }
222 
223  // Select the "generate" operation.
224  ctrl = bitfield_field32_write(
225  ctrl, KEYMGR_CONTROL_SHADOWED_OPERATION_FIELD,
226  KEYMGR_CONTROL_SHADOWED_OPERATION_VALUE_GENERATE_HW_OUTPUT);
227 
228  // Write the control register.
229  abs_mmio_write32_shadowed(kBase + KEYMGR_CONTROL_SHADOWED_REG_OFFSET, ctrl);
230 
231  // Set the version.
232  abs_mmio_write32(kBase + KEYMGR_KEY_VERSION_REG_OFFSET,
233  diversification.version);
234  // Set the salt.
235  for (size_t i = 0; i < kScKeymgrSaltNumWords; i++) {
236  abs_mmio_write32(kBase + KEYMGR_SALT_0_REG_OFFSET + (i * sizeof(uint32_t)),
237  diversification.salt[i]);
238  }
239 
240  // Issue the start command.
241  abs_mmio_write32(kBase + KEYMGR_START_REG_OFFSET, 1 << KEYMGR_START_EN_BIT);
242 
243  // Block until keymgr is done.
244  return keymgr_wait_until_done();
245 }
246 
247 rom_error_t sc_keymgr_sideload_clear(sc_keymgr_dest_t destination) {
248  HARDENED_RETURN_IF_ERROR(keymgr_is_idle());
249 
250  // Set SIDELOAD_CLEAR to begin continuously clearing the requested slot.
251  abs_mmio_write32(
252  kBase + KEYMGR_SIDELOAD_CLEAR_REG_OFFSET,
253  bitfield_field32_write(0, KEYMGR_SIDELOAD_CLEAR_VAL_FIELD, destination));
254 
255  // Read back the value (hardening measure).
256  uint32_t sideload_clear =
257  abs_mmio_read32(kBase + KEYMGR_SIDELOAD_CLEAR_REG_OFFSET);
258  if (bitfield_field32_read(sideload_clear, KEYMGR_SIDELOAD_CLEAR_VAL_FIELD) !=
259  destination) {
260  return kErrorKeymgrInternal;
261  }
262 
263  // Spin for 100 microseconds.
264  // TODO(#20024): this value seems to work for tests, but it would be good to
265  // run a more principled analysis.
266  busy_spin_micros(100);
267 
268  // Stop continuous clearing.
269  abs_mmio_write32(
270  kBase + KEYMGR_SIDELOAD_CLEAR_REG_OFFSET,
271  bitfield_field32_write(0, KEYMGR_SIDELOAD_CLEAR_VAL_FIELD,
272  KEYMGR_SIDELOAD_CLEAR_VAL_VALUE_NONE));
273 
274  return kErrorOk;
275 }
276 
277 rom_error_t sc_keymgr_owner_int_advance(keymgr_binding_value_t *sealing_binding,
278  keymgr_binding_value_t *attest_binding,
279  uint32_t max_key_version) {
280  HARDENED_RETURN_IF_ERROR(sc_keymgr_state_check(kScKeymgrStateCreatorRootKey));
281  sc_keymgr_sw_binding_set(sealing_binding, attest_binding);
282  sc_keymgr_owner_int_max_ver_set(max_key_version);
283  sc_keymgr_advance_state();
284  HARDENED_RETURN_IF_ERROR(
285  sc_keymgr_state_check(kScKeymgrStateOwnerIntermediateKey));
286  return kErrorOk;
287 }
288 
289 rom_error_t sc_keymgr_owner_advance(keymgr_binding_value_t *sealing_binding,
290  keymgr_binding_value_t *attest_binding,
291  uint32_t max_key_version) {
292  HARDENED_RETURN_IF_ERROR(
293  sc_keymgr_state_check(kScKeymgrStateOwnerIntermediateKey));
294  sc_keymgr_sw_binding_set(sealing_binding, attest_binding);
295  sc_keymgr_owner_max_ver_set(max_key_version);
296  sc_keymgr_advance_state();
297  HARDENED_RETURN_IF_ERROR(sc_keymgr_state_check(kScKeymgrStateOwnerKey));
298  return kErrorOk;
299 }
300 
301 extern rom_error_t sc_keymgr_generate_key_otbn(
302  sc_keymgr_key_type_t key_type, sc_keymgr_diversification_t diversification);
303 extern rom_error_t sc_keymgr_sideload_clear_otbn(void);
Return to OpenTitan Documentation