[rom_ext, attestation] Fix DICE measurements

1. Report the DICE measurements in big-endian order.
2. Check the key IDs reported by the DICE certs.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 4f179e0)
(cherry picked from commit 4b7192e)

Author: cfrantz

sw/device/silicon_creator/lib/cert/dice.c

@@ -85,11 +85,13 @@ rom_error_t dice_cdi_0_cert_build(hmac_digest_t *rom_ext_measurement,
                                   uint8_t *cert, size_t *cert_size) {
   uint32_t rom_ext_security_version_be =
       __builtin_bswap32(rom_ext_security_version);
+  hmac_digest_t rom_ext_hash = *rom_ext_measurement;
+  util_reverse_bytes(&rom_ext_hash, sizeof(rom_ext_hash));
 
   // Generate the TBS certificate.
   cdi_0_tbs_values_t cdi_0_tbs_params = {0};
 
-  TEMPLATE_SET(cdi_0_tbs_params, Cdi0, RomExtHash, rom_ext_measurement->digest);
+  TEMPLATE_SET(cdi_0_tbs_params, Cdi0, RomExtHash, rom_ext_hash.digest);
   TEMPLATE_SET(cdi_0_tbs_params, Cdi0, RomExtSecurityVersion,
                &rom_ext_security_version_be);
   TEMPLATE_SET(cdi_0_tbs_params, Cdi0, OwnerIntermediatePubKeyEcX,
@@ -139,13 +141,17 @@ rom_error_t dice_cdi_1_cert_build(hmac_digest_t *owner_measurement,
                                   uint8_t *cert, size_t *cert_size) {
   uint32_t owner_security_version_be =
       __builtin_bswap32(owner_security_version);
+  hmac_digest_t owner_hash = *owner_measurement;
+  hmac_digest_t owner_manifest_hash = *owner_manifest_measurement;
+  util_reverse_bytes(&owner_hash, sizeof(owner_hash));
+  util_reverse_bytes(&owner_manifest_hash, sizeof(owner_manifest_hash));
 
   // Generate the TBS certificate.
   cdi_1_tbs_values_t cdi_1_tbs_params = {0};
 
-  TEMPLATE_SET(cdi_1_tbs_params, Cdi1, OwnerHash, owner_measurement->digest);
+  TEMPLATE_SET(cdi_1_tbs_params, Cdi1, OwnerHash, owner_hash.digest);
   TEMPLATE_SET(cdi_1_tbs_params, Cdi1, OwnerManifestHash,
-               owner_manifest_measurement->digest);
+               owner_manifest_hash.digest);
   TEMPLATE_SET(cdi_1_tbs_params, Cdi1, OwnerSecurityVersion,
                &owner_security_version_be);
   TEMPLATE_SET(cdi_1_tbs_params, Cdi1, OwnerPubKeyEcX, cdi_1_pubkey->x);

sw/host/tests/attestation/BUILD

@@ -15,6 +15,7 @@ rust_binary(
         "@crate_index//:anyhow",
         "@crate_index//:base64ct",
         "@crate_index//:clap",
+        "@crate_index//:hex",
         "@crate_index//:humantime",
         "@crate_index//:log",
         "@crate_index//:num-bigint-dig",

sw/host/tests/attestation/attestation_test.rs

@@ -18,7 +18,7 @@ use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::uart::console::UartConsole;
 use opentitanlib::util::file::FromReader;
 
-use ot_certs::template::{CertificateExtension, Value};
+use ot_certs::template::{AttributeType, CertificateExtension, Name, SubjectPublicKeyInfo, Value};
 use ot_certs::x509;
 
 #[derive(Debug, Parser)]
@@ -68,6 +68,23 @@ fn get_base64_blob(haystack: &str, rx: &str) -> Result<Vec<u8>> {
     Ok(bin)
 }
 
+fn check_public_key(key: &SubjectPublicKeyInfo, id: &[u8], subject: &Name) -> Result<bool> {
+    let SubjectPublicKeyInfo::EcPublicKey(info) = key;
+
+    let mut material = Vec::new();
+    material.extend(&info.public_key.x.get_value().to_bytes_be());
+    material.extend(&info.public_key.y.get_value().to_bytes_be());
+    let hash = sha256::sha256(&material).to_be_bytes();
+    let keyid = &hash[..20];
+    log::info!("computed id = {:?}", hex::encode(keyid));
+    log::info!("         id = {:?}", hex::encode(id));
+
+    let name = subject[0][&AttributeType::SerialNumber].get_value();
+    log::info!("    subject = {:?}", name);
+
+    Ok(keyid == id && &hex::encode(keyid) == name)
+}
+
 fn attestation_test(opts: &Opts, transport: &TransportWrapper) -> Result<()> {
     let uart = transport.uart("console")?;
     let capture = UartConsole::wait_for(
@@ -91,20 +108,26 @@ fn attestation_test(opts: &Opts, transport: &TransportWrapper) -> Result<()> {
 
     let image = Image::read_from_file(opts.init.bootstrap.bootstrap.as_deref().unwrap())?;
 
-    // TODO: determine the correct endianness for expressing these measurements.
     let measurements = image
         .subimages()?
         .iter()
-        .map(|s| s.compute_digest().unwrap().to_le_bytes())
+        .map(|s| s.compute_digest().unwrap().to_be_bytes())
         .collect::<Vec<_>>();
     let owner_measurements = [
         // The owner page digests should not include the signature or seal fields.
-        sha256::sha256(&owner_page_0[0..OwnerBlock::SIGNATURE_OFFSET]).to_le_bytes(),
-        sha256::sha256(&owner_page_1[0..OwnerBlock::SIGNATURE_OFFSET]).to_le_bytes(),
+        sha256::sha256(&owner_page_0[0..OwnerBlock::SIGNATURE_OFFSET]).to_be_bytes(),
+        sha256::sha256(&owner_page_1[0..OwnerBlock::SIGNATURE_OFFSET]).to_be_bytes(),
     ];
 
     let CertificateExtension::DiceTcbInfo(dice) = &cdi0.private_extensions[0];
-    log::info!("Checking CDI_0 (ROM_EXT) DICE Extension: {dice:#?}");
+    log::info!("Checking CDI_0 (ROM_EXT) DICE certificate: {cdi0:#?}");
+    // Check that the subject key and subject key identifiers match.
+    log::info!("Subject key:");
+    assert!(check_public_key(
+        &cdi0.subject_public_key_info,
+        cdi0.subject_key_identifier.get_value(),
+        &cdi0.subject,
+    )?);
     assert_eq!(dice.model.get_value(), "ROM_EXT");
     assert_eq!(dice.vendor.get_value(), "OpenTitan");
     assert_eq!(dice.layer.get_value(), &BigUint::from(1u8));
@@ -113,7 +136,21 @@ fn attestation_test(opts: &Opts, transport: &TransportWrapper) -> Result<()> {
     assert_eq!(fw_ids[0].digest.get_value(), &measurements[0]);
 
     let CertificateExtension::DiceTcbInfo(dice) = &cdi1.private_extensions[0];
-    log::info!("Checking CDI_1 (Owner) DICE Extension: {dice:#?}");
+    log::info!("Checking CDI_1 (Owner) DICE certificate: {cdi1:#?}");
+    // Check that the subject key and subject key identifiers match.
+    log::info!("Subject key:");
+    assert!(check_public_key(
+        &cdi1.subject_public_key_info,
+        cdi1.subject_key_identifier.get_value(),
+        &cdi1.subject,
+    )?);
+    // Check that the authority key identifier of CDI_1 is the subject key of CDI_0.
+    log::info!("Issuer key:");
+    assert!(check_public_key(
+        &cdi0.subject_public_key_info,
+        cdi1.authority_key_identifier.get_value(),
+        &cdi1.issuer,
+    )?);
     assert_eq!(dice.model.get_value(), "Owner");
     assert_eq!(dice.vendor.get_value(), "OpenTitan");
     assert_eq!(dice.layer.get_value(), &BigUint::from(2u8));