Skip to content

Backport 27407 ([rom_ext] Fix incorrect key ID values that cause CDI_0 to be re-signed) #29219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pamaury merged 2 commits into from
Jan 30, 2026
Merged

Backport 27407 ([rom_ext] Fix incorrect key ID values that cause CDI_0 to be re-signed) #29219

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
feccdb2
[rom_ext] Fix CDI_0 skip checks
sasdf Jun 11, 2025
e6bf523
[rom_ext] Update CDI_0 regen by imm_section without re-checking
sasdf Jun 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 10 additions & 14 deletions sw/device/silicon_creator/lib/cert/dice_chain.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,8 @@ rom_error_t dice_chain_attestation_creator(
RETURN_IF_ERROR(dice_chain_skip_cert_obj("UDS", /*name_size=*/4));

// Check if the current CDI_0 cert is valid.
dice_chain.subject_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
dice_chain.subject_pubkey = static_dice_cdi_0.cdi_0_pubkey;
RETURN_IF_ERROR(dice_chain_load_cert_obj("CDI_0", /*name_size=*/6));
if (dice_chain.cert_valid == kHardenedBoolFalse) {
// Update the cert page buffer.
Expand Down Expand Up @@ -374,31 +376,25 @@ static rom_error_t dice_chain_attestation_check_uds(void) {
return kErrorOk;
}

// Compare the CDI_0 identity in the static critical section to the CDI_0 cert
// cached in the flash, and refresh the cache if invalid.
// Refresh the cache if a new CDI_0 is generated.
static rom_error_t dice_chain_attestation_check_cdi_0(void) {
// Switch page for the device CDI chain.
RETURN_IF_ERROR(dice_chain_load_flash(&kFlashCtrlInfoPageDiceCerts));

// Seek to skip previous objects.
RETURN_IF_ERROR(dice_chain_skip_cert_obj("UDS", /*name_size=*/4));

// Refresh cdi 0 if invalid
// Set the endorsement key for the next cert.
dice_chain.endorsement_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
dice_chain.subject_pubkey_id = static_dice_cdi_0.cdi_0_pubkey_id;
dice_chain.subject_pubkey = static_dice_cdi_0.cdi_0_pubkey;
RETURN_IF_ERROR(dice_chain_load_cert_obj("CDI_0", /*name_size=*/6));
if (dice_chain.cert_valid == kHardenedBoolFalse) {

// Save cdi 0 to flash if regenerated.
if (static_dice_cdi_0.cert_size != 0) {
dbg_puts("warning: CDI_0 certificate not valid; updating\r\n");
// Update the cert page buffer.
RETURN_IF_ERROR(dice_chain_push_cert("CDI_0", static_dice_cdi_0.cert_data,
static_dice_cdi_0.cert_size));
return dice_chain_push_cert("CDI_0", static_dice_cdi_0.cert_data,
static_dice_cdi_0.cert_size);
} else {
// Cert is valid, move to the next one.
dice_chain_next_cert_obj();
return dice_chain_skip_cert_obj("CDI_0", /*name_size=*/6);
}

return kErrorOk;
}

rom_error_t dice_chain_attestation_owner(
Expand Down