[rom_ext] Cherry-pick pr27385 from earlgrey_1.0.0

Port pr27385 from earlgrey_1.0.0 to master.

Signed-off-by: Siemen Dhooghe <[email protected]>

Author: siemen11

sw/device/silicon_creator/lib/ownership/BUILD

@@ -83,6 +83,7 @@ dual_cc_library(
             "//sw/device/silicon_creator/lib/drivers:keymgr",
             "//sw/device/silicon_creator/lib/drivers:kmac",
             "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
+            "//sw/device/silicon_creator/lib/sigverify:flash_exec",
         ],
         host = [
             "//sw/device/lib/base:global_mock",
@@ -114,6 +115,7 @@ cc_library(
         "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
         "//sw/device/silicon_creator/lib/drivers:lifecycle",
         "//sw/device/silicon_creator/lib/drivers:rnd",
+        "//sw/device/silicon_creator/lib/sigverify:flash_exec",
     ],
 )
 
@@ -166,6 +168,7 @@ cc_library(
         "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
         "//sw/device/silicon_creator/lib/drivers:hmac",
         "//sw/device/silicon_creator/lib/drivers:lifecycle",
+        "//sw/device/silicon_creator/lib/sigverify:flash_exec",
     ],
 )
 
@@ -183,6 +186,7 @@ cc_test(
         "//sw/device/silicon_creator/lib/boot_svc:boot_svc_header",
         "//sw/device/silicon_creator/lib/drivers:lifecycle",
         "//sw/device/silicon_creator/lib/drivers:rnd",
+        "//sw/device/silicon_creator/lib/sigverify:flash_exec",
         "//sw/device/silicon_creator/testing:rom_test",
         "@googletest//:gtest_main",
     ],
@@ -202,6 +206,7 @@ cc_library(
         "//sw/device/silicon_creator/lib/boot_svc:boot_svc_msg",
         "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
         "//sw/device/silicon_creator/lib/drivers:lifecycle",
+        "//sw/device/silicon_creator/lib/sigverify:flash_exec",
     ],
 )
 
@@ -217,6 +222,7 @@ cc_test(
         "//sw/device/lib/base:hardened",
         "//sw/device/silicon_creator/lib:boot_data",
         "//sw/device/silicon_creator/lib/boot_svc:boot_svc_header",
+        "//sw/device/silicon_creator/lib/sigverify:flash_exec",
         "//sw/device/silicon_creator/testing:rom_test",
         "@googletest//:gtest_main",
     ],

sw/device/silicon_creator/lib/ownership/mock_ownership_key.cc

@@ -9,9 +9,10 @@ extern "C" {
 
 hardened_bool_t ownership_key_validate(size_t page, ownership_key_t key,
                                        const owner_signature_t *signature,
-                                       const void *message, size_t len) {
+                                       const void *message, size_t len,
+                                       uint32_t *flash_exec) {
   return MockOwnershipKey::Instance().validate(page, key, signature, message,
-                                               len);
+                                               len, flash_exec);
 }
 
 rom_error_t ownership_seal_init() {

sw/device/silicon_creator/lib/ownership/mock_ownership_key.h

@@ -19,7 +19,7 @@ class MockOwnershipKey : public global_mock::GlobalMock<MockOwnershipKey> {
  public:
   MOCK_METHOD(hardened_bool_t, validate,
               (size_t, ownership_key_t, const owner_signature_t *, const void *,
-               size_t));
+               size_t, uint32_t *));
   MOCK_METHOD(rom_error_t, seal_init, ());
   MOCK_METHOD(rom_error_t, seal_page, (size_t));
   MOCK_METHOD(rom_error_t, seal_check, (size_t));

sw/device/silicon_creator/lib/ownership/ownership.c

@@ -47,9 +47,9 @@ static owner_page_status_t owner_page_validity_check(size_t page) {
     return kOwnerPageStatusSealed;
   }
 
-  hardened_bool_t result = ownership_key_validate(page, kOwnershipKeyOwner,
-                                                  &owner_page[page].signature,
-                                                  &owner_page[page], sig_len);
+  hardened_bool_t result = ownership_key_validate(
+      page, kOwnershipKeyOwner, &owner_page[page].signature, &owner_page[page],
+      sig_len, NULL);
   if (result == kHardenedBoolFalse) {
     // If the page is bad, destroy the RAM copy.
     memset(&owner_page[page], 0x5a, sizeof(owner_page[0]));

sw/device/silicon_creator/lib/ownership/ownership_activate.c

@@ -13,6 +13,7 @@
 #include "sw/device/silicon_creator/lib/error.h"
 #include "sw/device/silicon_creator/lib/ownership/owner_block.h"
 #include "sw/device/silicon_creator/lib/ownership/ownership_key.h"
+#include "sw/device/silicon_creator/lib/sigverify/flash_exec.h"
 
 rom_error_t ownership_activate(boot_data_t *bootdata,
                                hardened_bool_t write_both_pages) {
@@ -62,15 +63,21 @@ static rom_error_t activate_handler(boot_svc_msg_t *msg,
     return kErrorOwnershipInvalidInfoPage;
   }
 
+  // Set the variable checking whether the correct signatures have been
+  // verified.
+  uint32_t flash_exec = 0;
+
   // Check the activation key and the nonce.
   size_t len = (uintptr_t)&msg->ownership_activate_req.signature -
                (uintptr_t)&msg->ownership_activate_req.primary_bl0_slot;
   if (ownership_key_validate(/*page=*/1, kOwnershipKeyActivate,
                              &msg->ownership_activate_req.signature,
-                             &msg->ownership_activate_req.primary_bl0_slot,
-                             len) == kHardenedBoolFalse) {
+                             &msg->ownership_activate_req.primary_bl0_slot, len,
+                             &flash_exec) == kHardenedBoolFalse) {
     return kErrorOwnershipInvalidSignature;
   }
+  // Verify that we passed signature verification for the message.
+  HARDENED_CHECK_EQ(flash_exec, kSigverifyFlashExec);
   if (!nonce_equal(&msg->ownership_activate_req.nonce, &bootdata->nonce)) {
     return kErrorOwnershipInvalidNonce;
   }

sw/device/silicon_creator/lib/ownership/ownership_activate_unittest.cc

@@ -21,10 +21,12 @@
 #include "sw/device/silicon_creator/lib/ownership/datatypes.h"
 #include "sw/device/silicon_creator/lib/ownership/mock_ownership_key.h"
 #include "sw/device/silicon_creator/lib/ownership/owner_block.h"
+#include "sw/device/silicon_creator/lib/sigverify/flash_exec.h"
 #include "sw/device/silicon_creator/testing/rom_test.h"
 
 namespace {
 using ::testing::_;
+using ::testing::DoAll;
 using ::testing::Return;
 using ::testing::SetArgPointee;
 
@@ -131,8 +133,9 @@ TEST_P(OwnershipActivateValidStateTest, InvalidVersion) {
   MakePage1Valid(true);
   owner_page[1].header.version.major = 5;
 
-  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _))
-      .WillOnce(Return(kHardenedBoolTrue));
+  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _, _))
+      .WillOnce(DoAll(SetArgPointee<5>(kSigverifyFlashExec),
+                      Return(kHardenedBoolTrue)));
   EXPECT_CALL(lifecycle_, DeviceId(_))
       .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
   EXPECT_CALL(hdr_, Finalize(_, _, _));
@@ -147,8 +150,8 @@ TEST_P(OwnershipActivateValidStateTest, InvalidSignature) {
   // We want to pass the page 1 validity test to check the signature on the
   // message.
   MakePage1Valid(true);
-  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _))
-      .WillOnce(Return(kHardenedBoolFalse));
+  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _, _))
+      .WillOnce(DoAll(SetArgPointee<5>(0), Return(kHardenedBoolFalse)));
   EXPECT_CALL(hdr_, Finalize(_, _, _));
 
   rom_error_t error = ownership_activate_handler(&message_, &bootdata_);
@@ -162,8 +165,9 @@ TEST_P(OwnershipActivateValidStateTest, InvalidNonce) {
   // We want to pass the page 1 validity test to check the nonce of the
   // message.
   MakePage1Valid(true);
-  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _))
-      .WillOnce(Return(kHardenedBoolTrue));
+  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _, _))
+      .WillOnce(DoAll(SetArgPointee<5>(kSigverifyFlashExec),
+                      Return(kHardenedBoolTrue)));
   EXPECT_CALL(hdr_, Finalize(_, _, _));
 
   rom_error_t error = ownership_activate_handler(&message_, &bootdata_);
@@ -176,8 +180,9 @@ TEST_P(OwnershipActivateValidStateTest, InvalidActivateDin) {
   // We want to pass the page 1 validity test to check the nonce of the
   // message.
   MakePage1Valid(true);
-  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _))
-      .WillOnce(Return(kHardenedBoolTrue));
+  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _, _))
+      .WillOnce(DoAll(SetArgPointee<5>(kSigverifyFlashExec),
+                      Return(kHardenedBoolTrue)));
   EXPECT_CALL(lifecycle_, DeviceId(_))
       .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0, 1, 1}));
   EXPECT_CALL(hdr_, Finalize(_, _, _));
@@ -228,8 +233,9 @@ TEST_P(OwnershipActivateValidStateTest, OwnerPageValid) {
   bootdata_.next_owner[0] = 12345;
   MakePage1Valid(true);
 
-  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _))
-      .WillOnce(Return(kHardenedBoolTrue));
+  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _, _))
+      .WillOnce(DoAll(SetArgPointee<5>(kSigverifyFlashExec),
+                      Return(kHardenedBoolTrue)));
   EXPECT_CALL(lifecycle_, DeviceId(_))
       .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
 
@@ -297,8 +303,9 @@ TEST_P(OwnershipActivateValidStateTest, UpdateBootdataBl0) {
   MakePage1Valid(true);
   owner_page[1].min_security_version_bl0 = 5;
 
-  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _))
-      .WillOnce(Return(kHardenedBoolTrue));
+  EXPECT_CALL(ownership_key_, validate(1, kOwnershipKeyActivate, _, _, _, _))
+      .WillOnce(DoAll(SetArgPointee<5>(kSigverifyFlashExec),
+                      Return(kHardenedBoolTrue)));
   EXPECT_CALL(lifecycle_, DeviceId(_))
       .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
 

sw/device/silicon_creator/lib/ownership/ownership_key.c

@@ -10,6 +10,7 @@
 #include "sw/device/silicon_creator/lib/drivers/keymgr.h"
 #include "sw/device/silicon_creator/lib/drivers/kmac.h"
 #include "sw/device/silicon_creator/lib/ownership/ecdsa.h"
+#include "sw/device/silicon_creator/lib/sigverify/flash_exec.h"
 
 // RAM copy of the owner INFO pages from flash.
 extern owner_block_t owner_page[2];
@@ -18,7 +19,10 @@ OT_WEAK const owner_key_t *const kNoOwnerRecoveryKey;
 
 hardened_bool_t ownership_key_validate(size_t page, ownership_key_t key,
                                        const owner_signature_t *signature,
-                                       const void *message, size_t len) {
+                                       const void *message, size_t len,
+                                       uint32_t *flash_exec) {
+  // TODO: Pipe this through to a secure ecdsa.
+  *flash_exec = kSigverifyFlashExec;
   if ((key & kOwnershipKeyUnlock) == kOwnershipKeyUnlock) {
     if (ecdsa_verify_message(&owner_page[page].unlock_key.ecdsa,
                              &signature->ecdsa, message,

sw/device/silicon_creator/lib/ownership/ownership_key.h

@@ -49,11 +49,14 @@ typedef struct owner_secret_page {
  * @param signature The signature over the message.
  * @param message Pointer to the message.
  * @param len Size of the message.
+ * @param flash_exec The magic value signifying whether the signature was
+ * verified.
  * @return kHardenedBoolTrue if the message is valid.
  */
 hardened_bool_t ownership_key_validate(size_t page, ownership_key_t key,
                                        const owner_signature_t *signature,
-                                       const void *message, size_t len);
+                                       const void *message, size_t len,
+                                       uint32_t *flash_exec);
 
 /**
  * Initialize sealing.

sw/device/silicon_creator/lib/ownership/ownership_unlock.c

@@ -13,6 +13,7 @@
 #include "sw/device/silicon_creator/lib/error.h"
 #include "sw/device/silicon_creator/lib/ownership/owner_block.h"
 #include "sw/device/silicon_creator/lib/ownership/ownership_key.h"
+#include "sw/device/silicon_creator/lib/sigverify/flash_exec.h"
 
 static hardened_bool_t is_locked_none(uint32_t ownership_state) {
   if (ownership_state == kOwnershipStateLockedOwner ||
@@ -24,12 +25,16 @@ static hardened_bool_t is_locked_none(uint32_t ownership_state) {
   return kHardenedBoolTrue;
 }
 
-static rom_error_t do_unlock(boot_svc_msg_t *msg, boot_data_t *bootdata) {
+static rom_error_t do_unlock(boot_svc_msg_t *msg, boot_data_t *bootdata,
+                             uint32_t *flash_exec) {
   // Verify that the nonce is correct.
   if (!nonce_equal(&msg->ownership_unlock_req.nonce, &bootdata->nonce)) {
     return kErrorOwnershipInvalidNonce;
   }
 
+  // Verify that we passed signature verification for the message.
+  HARDENED_CHECK_EQ(*flash_exec, kSigverifyFlashExec);
+
   // Verify the device identification number is correct.
   lifecycle_device_id_t device_id;
   lifecycle_device_id_get(&device_id);
@@ -59,6 +64,9 @@ static rom_error_t unlock(boot_svc_msg_t *msg, boot_data_t *bootdata) {
   size_t len = (uintptr_t)&msg->ownership_unlock_req.signature -
                (uintptr_t)&msg->ownership_unlock_req.unlock_mode;
   if (bootdata->ownership_state == kOwnershipStateLockedOwner) {
+    // Set the variable checking whether the correct signatures have been
+    // verified
+    uint32_t flash_exec = 0;
     switch (owner_page[0].update_mode) {
       case kOwnershipUpdateModeOpen:
         // The Open mode allows unlock to any unlock state.
@@ -79,21 +87,24 @@ static rom_error_t unlock(boot_svc_msg_t *msg, boot_data_t *bootdata) {
     if (ownership_key_validate(
             /*page=*/0, kOwnershipKeyUnlock | kOwnershipKeyRecovery,
             &msg->ownership_unlock_req.signature,
-            &msg->ownership_unlock_req.unlock_mode,
-            len) == kHardenedBoolFalse) {
+            &msg->ownership_unlock_req.unlock_mode, len,
+            &flash_exec) == kHardenedBoolFalse) {
       return kErrorOwnershipInvalidSignature;
     }
-    return do_unlock(msg, bootdata);
+    return do_unlock(msg, bootdata, &flash_exec);
   } else if (is_locked_none(bootdata->ownership_state) == kHardenedBoolTrue) {
     // In the No-Owner state, we check against the silicon_creator's
     // no_owner_recovery_key.
+    // Set the variable checking whether the correct signatures have been
+    // verified
+    uint32_t flash_exec = 0;
     if (ownership_key_validate(/*page=*/0, kOwnershipKeyRecovery,
                                &msg->ownership_unlock_req.signature,
-                               &msg->ownership_unlock_req.unlock_mode,
-                               len) == kHardenedBoolFalse) {
+                               &msg->ownership_unlock_req.unlock_mode, len,
+                               &flash_exec) == kHardenedBoolFalse) {
       return kErrorOwnershipInvalidSignature;
     }
-    return do_unlock(msg, bootdata);
+    return do_unlock(msg, bootdata, &flash_exec);
   } else {
     return kErrorOwnershipInvalidState;
   }
@@ -102,6 +113,9 @@ static rom_error_t unlock(boot_svc_msg_t *msg, boot_data_t *bootdata) {
 static rom_error_t unlock_update(boot_svc_msg_t *msg, boot_data_t *bootdata) {
   size_t len = (uintptr_t)&msg->ownership_unlock_req.signature -
                (uintptr_t)&msg->ownership_unlock_req.unlock_mode;
+  // Set the variable checking whether the correct signatures have been
+  // verified.
+  uint32_t flash_exec = 0;
   if (bootdata->ownership_state == kOwnershipStateLockedOwner) {
     switch (owner_page[0].update_mode) {
       case kOwnershipUpdateModeNewVersion:
@@ -118,11 +132,11 @@ static rom_error_t unlock_update(boot_svc_msg_t *msg, boot_data_t *bootdata) {
     // Check the signature against the unlock key.
     if (ownership_key_validate(/*page=*/0, kOwnershipKeyUnlock,
                                &msg->ownership_unlock_req.signature,
-                               &msg->ownership_unlock_req.unlock_mode,
-                               len) == kHardenedBoolFalse) {
+                               &msg->ownership_unlock_req.unlock_mode, len,
+                               &flash_exec) == kHardenedBoolFalse) {
       return kErrorOwnershipInvalidSignature;
     }
-    return do_unlock(msg, bootdata);
+    return do_unlock(msg, bootdata, &flash_exec);
   }
   return kErrorOwnershipInvalidState;
 }
@@ -133,13 +147,18 @@ static rom_error_t unlock_abort(boot_svc_msg_t *msg, boot_data_t *bootdata) {
   if (bootdata->ownership_state == kOwnershipStateUnlockedEndorsed ||
       bootdata->ownership_state == kOwnershipStateUnlockedAny ||
       bootdata->ownership_state == kOwnershipStateUnlockedSelf) {
+    // Set the variable checking whether the correct signatures have been
+    // verified.
+    uint32_t flash_exec = 0;
     // Check the signature against the unlock key.
     if (ownership_key_validate(/*page=*/0, kOwnershipKeyUnlock,
                                &msg->ownership_unlock_req.signature,
-                               &msg->ownership_unlock_req.unlock_mode,
-                               len) == kHardenedBoolFalse) {
+                               &msg->ownership_unlock_req.unlock_mode, len,
+                               &flash_exec) == kHardenedBoolFalse) {
       return kErrorOwnershipInvalidSignature;
     }
+    // Verify that we passed signature verification for the message.
+    HARDENED_CHECK_EQ(flash_exec, kSigverifyFlashExec);
     if (!nonce_equal(&msg->ownership_unlock_req.nonce, &bootdata->nonce)) {
       return kErrorOwnershipInvalidNonce;
     }