stage0: Use the dice library to implement minimal self-signed credentials.

flihp · flihp · commit f08ebadeb025 · 2022-09-02T16:07:23.000-07:00
This commit collects the DICE CDI from the NXP ROM, creates an ed25519
key pair from it (effectively the DeviceId) and uses this key to create
a self-signed DeviceId cert. The hash of the hubris image that will be
launched by stage0 is then hashed and the output used to generate the
Alias credentials (used for attestation). Finally the keying material
used to create the Alias key, and the cert chain from the Alias back to
the DeviceId are written to memory for use in an attestation exchange by
a future hubris task.

If run on an lpc55 with DICE disabled (the default config) none of the
DICE artifacts will be created and hubris will be booted as usual.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/app/lpc55xpresso/stage0.toml b/app/lpc55xpresso/stage0.toml
@@ -2,15 +2,15 @@ name = "lpc55xpresso"
 target = "thumbv8m.main-none-eabihf"
 board = "lpcxpresso55s69"
 chip = "../../chips/lpc55"
-stacksize = 1024
 secure-separation = true
 image-names = ["stage0"]
 external-images = ["a", "b"]
 
 [kernel]
 name = "stage0"
-requires = {flash = 0x4000, ram = 4096}
-features = ["tz_support"]
+requires = {flash = 0x7000, ram = 8192}
+features = ["tz_support", "dice"]
+stacksize = 8000
 
 [tasks.idle]
 name = "task-idle"
diff --git a/stage0/Cargo.toml b/stage0/Cargo.toml
@@ -4,22 +4,34 @@ version = "0.1.0"
 edition = "2018"
 
 [features]
+dice = ["dice_crate", "digest", "salty", "sha3", "unwrap-lite"]
 tz_support = []
 
 [dependencies]
 cortex-m = {version = "0.7", features = ["inline-asm"]}
 cortex-m-rt = "0.6.12"
+digest = { version = "0.10", optional = true }
 panic-semihosting = "0.5.3"
 lpc55_romapi = { path = "../drv/lpc55-romapi" }
 panic-halt = "0.2.0"
 lpc55-pac = {version = "0.3.0", features = ["rt"]}
 ecdsa = { version = "0.12.4", default-features = false, features = ["der"] }
 p256 = { version = "0.9.0", default-features = false, features = ["ecdsa", "ecdsa-core"] }
 hmac = { version = "0.10.1", default-features = false }
-sha2 = { version = "0.9.2", default-features = false }
+salty = { version = "0.2", optional = true }
+sha3 = { version = "0.10", default-features = false, optional = true }
 zerocopy = "0.6.1"
-cfg-if = "1"
 abi = { path = "../sys/abi" }
+unwrap-lite = { path = "../lib/unwrap-lite", optional = true }
+nb = "1"
+
+# features & deps can't have the same name, using this method from:
+# https://github.com/RustCrypto/RSA/pull/41/files
+[dependencies.dice_crate]
+package = "dice"
+path = "../lib/dice"
+default-features = false
+optional = true
 
 [[bin]]
 name = "stage0"
diff --git a/stage0/src/dice.rs b/stage0/src/dice.rs
@@ -0,0 +1,82 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+use crate::image_header::Image;
+use core::str::FromStr;
+use dice_crate::{
+    AliasCert, AliasData, AliasOkm, Cdi, CdiL1, DeviceIdOkm, DeviceIdSelfCert,
+    Handoff, SeedBuf, SerialNumber,
+};
+use lpc55_pac::Peripherals;
+use salty::signature::Keypair;
+use sha3::{Digest, Sha3_256};
+use unwrap_lite::UnwrapLite;
+
+fn get_deviceid_keypair(cdi: &Cdi) -> Keypair {
+    let devid_okm = DeviceIdOkm::from_cdi(cdi);
+
+    Keypair::from(devid_okm.as_bytes())
+}
+
+// TODO: get the legit SN from somewhere
+// https://github.com/oxidecomputer/hubris/issues/734
+fn get_serial_number() -> SerialNumber {
+    SerialNumber::from_str("0123456789ab").expect("SerialNumber::from_str")
+}
+
+pub fn run(image: &Image) {
+    // Turn on the memory we're using to handoff DICE artifacts and create
+    // type to interact with said memory. We turn this on unconditionally
+    // if DICE is enabled so that hubris tasks will always get valid memory
+    // even if it's all 0's.
+    let syscon = Peripherals::take().unwrap_lite().SYSCON;
+    let handoff = Handoff::turn_on(&syscon);
+
+    let cdi = match Cdi::from_reg() {
+        Some(cdi) => cdi,
+        None => return,
+    };
+
+    let dname_sn = get_serial_number();
+    let deviceid_keypair = get_deviceid_keypair(&cdi);
+    let mut cert_sn = 0;
+
+    let deviceid_cert =
+        DeviceIdSelfCert::new(cert_sn, &dname_sn, &deviceid_keypair);
+    cert_sn += 1;
+
+    // Collect hash(es) of TCB. The first TCB Component Identifier (TCI)
+    // calculated is the Hubris image. The DICE specs call this collection
+    // of TCIs the FWID. This hash is stored in keeys certified by the
+    // DeviceId. This hash should be 'updated' with relevant configuration
+    // and code as FWID for Hubris becomes known.
+    // TODO: This is a particularly naive way to calculate the FWID:
+    // https://github.com/oxidecomputer/hubris/issues/736
+    let mut fwid = Sha3_256::new();
+    fwid.update(image.as_bytes());
+    let fwid = fwid.finalize();
+
+    // create CDI for layer 1 (L1) firmware (the hubris image we're booting)
+    let cdi_l1 = CdiL1::new(&cdi, fwid.as_ref());
+
+    // derive alias key
+    let alias_okm = AliasOkm::from_cdi(&cdi_l1);
+    let alias_keypair = Keypair::from(alias_okm.as_bytes());
+
+    let alias_cert = AliasCert::new(
+        cert_sn,
+        &dname_sn,
+        &alias_keypair.public,
+        fwid.as_ref(),
+        &deviceid_keypair,
+    );
+
+    let alias_data = AliasData {
+        seed: alias_okm,
+        alias_cert,
+        deviceid_cert,
+    };
+
+    handoff.store(&alias_data);
+}
diff --git a/stage0/src/image_header.rs b/stage0/src/image_header.rs
@@ -56,6 +56,22 @@ impl Image {
         self.0 as *const ImageVectors as u32
     }
 
+    #[cfg(feature = "dice")]
+    fn get_img_size(&self) -> Option<usize> {
+        use core::convert::TryFrom;
+
+        usize::try_from((unsafe { &*self.get_header() }).total_image_len).ok()
+    }
+
+    #[cfg(feature = "dice")]
+    pub fn as_bytes(&self) -> &[u8] {
+        use unwrap_lite::UnwrapLite;
+
+        let img_ptr = self.get_img_start() as *const u8;
+        let img_size = self.get_img_size().unwrap_lite();
+        unsafe { core::slice::from_raw_parts(img_ptr, img_size) }
+    }
+
     fn get_header(&self) -> *const ImageHeader {
         // SAFETY: This generated by the linker script which we trust
         // Note that this is generated from _this_ image's linker script
diff --git a/stage0/src/main.rs b/stage0/src/main.rs
@@ -15,6 +15,8 @@ extern crate panic_halt;
 use cortex_m::peripheral::Peripherals;
 use cortex_m_rt::entry;
 
+#[cfg(feature = "dice")]
+mod dice;
 // FIXME Need to fixup the secure interface calls
 //mod hypo;
 mod image_header;
@@ -178,6 +180,9 @@ fn main() -> ! {
         None => panic!(),
     };
 
+    #[cfg(feature = "dice")]
+    dice::run(&imagea);
+
     unsafe {
         branch_to_image(imagea);
     }
