[manuf] Propose to store DICE certificates in the flash_info with the "Cert Header" #24942
Status: Closed (2 of 4 tasks)
Labels: Manufacturing (issues related to manufacturing tasks, hw or sw)
tommychiu-github added the Component:SiliconValidation and Manufacturing labels on Oct 30, 2024.
@timothytrippel for viz
I have a patch for that already. Can file a PR soon.
tommychiu-github added a commit to tommychiu-github/opentitan that referenced this issue (Oct 30, 2024):
Currently, during ft_perso, the host writes the RAW endorsed DICE certificate to flash_info pages. When it needs to access them later on, the certificate length is calculated by parsing the header (1 or 2 bytes). This design works for X509 but not CWT-CBOR since there's no such information in some CBOR types (map, array specifically).
Bug: lowRISC#24942
Test: //sw/device/silicon_creator/manuf/base:ft_provision_cw340
This sounds reasonable to me. It looks like #24951 is the associated fix?
Yes, that's it.
timothytrippel pushed a commit to timothytrippel/opentitan that referenced this issue (Nov 2, 2024):
Currently, during ft_perso, the host writes the raw endorsed X.509 certificates (in ASN.1 DER format) to flash_info pages. When it needs to access them later on, the certificate length is calculated by parsing the ASN.1 header (1 or 2 bytes). This design works for X509 but not CWT-CBOR since there's no such information in some CBOR types (map, array specifically).
Bug: lowRISC#24942
Test: //sw/device/silicon_creator/manuf/base:ft_provision_cw340
Co-authored-by: Tommy Chiu <[email protected]>
Signed-off-by: Tim Trippel <[email protected]>
timothytrippel added a commit that referenced this issue (Nov 5, 2024):
Currently, during ft_perso, the host writes the raw endorsed X.509 certificates (in ASN.1 DER format) to flash_info pages. When it needs to access them later on, the certificate length is calculated by parsing the ASN.1 header (1 or 2 bytes). This design works for X509 but not CWT-CBOR since there's no such information in some CBOR types (map, array specifically).
Fixes #24942.
Co-authored-by: Tommy Chiu <[email protected]>
Signed-off-by: Tim Trippel <[email protected]>
timothytrippel added a commit that referenced this issue (Nov 8, 2024):
Currently, during ft_perso, the host writes the raw endorsed X.509 certificates (in ASN.1 DER format) to flash_info pages. When it needs to access them later on, the certificate length is calculated by parsing the ASN.1 header (1 or 2 bytes). This design works for X509 but not CWT-CBOR since there's no such information in some CBOR types (map, array specifically).
Fixes #24942.
Co-authored-by: Tommy Chiu <[email protected]>
Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit fc628e6)
Test point name: NA
Host side component: None
OpenTitanTool infrastructure implemented: None
Silicon Validation (SiVal): Yes
Emulation Targets:
Contact person: No response
Checklist: Please fill out this checklist as items are completed. Link to PRs and issues as appropriate.
Currently, during ft_perso, the host writes the RAW endorsed DICE certificate to flash_info pages.
When it needs to access them later on, the certificate length is calculated by parsing the header (1 or 2 bytes). This design works for X509 but not CWT-CBOR since there's no such information in some CBOR types (map, array specifically).
Ref:
I'm proposing to change the certificate storing format as below. The certificate is prepended by a 16-bit header followed by the ASCII characters of the certificate name, followed by the certificate body.
This format is used already when transferring tbs & certificates from host vs. device.
The original X509 parsing logic can be reused for cross checking the result from the Cert Header.
Update
Move to the new storing format based on the conclusion.
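The length problem described in this issue, as an added example that is not part of the original issue or of OpenTitan's code: a DER header yields the certificate's byte length directly, a CBOR map or array head yields only an item count, and a length-carrying record header removes the dependency on the body encoding. The bit layout of the 16-bit header, all function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Total size of a DER element, read from its header alone; 0 if malformed. */
size_t der_total_len(const uint8_t *p, size_t avail) {
  if (avail < 2) return 0;
  size_t hdr = 2, len = p[1];
  if (len & 0x80) { /* long form: low 7 bits = number of length bytes */
    size_t n = len & 0x7f;
    if (n == 0 || n > 2 || avail < 2 + n) return 0;
    len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
    hdr += n;
  }
  return hdr + len;
}

/* 1 if the CBOR head's argument is a byte count (bstr = 2, tstr = 3). For an
 * array (4) or map (5) it is an item count, so the size needs a full walk. */
int cbor_head_is_byte_len(uint8_t initial) {
  return (initial >> 5) == 2 || (initial >> 5) == 3;
}

typedef struct {
  const uint8_t *name, *body;
  size_t name_len, body_len;
} cert_rec_t;

/* ASSUMED layout: LE16 header, bits 15..12 = name length,
 * bits 11..0 = record size including the 2 header bytes. */
int cert_rec_parse(const uint8_t *p, size_t avail, cert_rec_t *out) {
  if (avail < 2) return -1;
  uint16_t h = (uint16_t)(p[0] | (p[1] << 8));
  size_t name_len = h >> 12, total = h & 0x0fff;
  if (total < 2 + name_len || total > avail) return -1; /* bounds first */
  *out = (cert_rec_t){.name = p + 2, .body = p + 2 + name_len,
                      .name_len = name_len, .body_len = total - 2 - name_len};
  return 0;
}

/* Cross-check for X.509 bodies: the DER length must match the header's. */
int cert_rec_x509_consistent(const cert_rec_t *r) {
  return r->body_len != 0 && der_total_len(r->body, r->body_len) == r->body_len;
}

/* Constructed sample: name "UDS", body = DER SEQUENCE { INTEGER 5 }. */
const uint8_t kSampleRec[] = {0x0A, 0x30, 'U',  'D',  'S',
                              0x30, 0x03, 0x02, 0x01, 0x05};
```

Because the record size is validated against the bytes available before any pointer is formed, a truncated page or an all-ones header is rejected rather than read past.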