diff --git a/Cargo.lock b/Cargo.lock index 8711351e01..de5a4aade4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -819,6 +819,7 @@ dependencies = [ "caliptra-kat", "caliptra-lms-types", "caliptra-registers", + "caliptra-test", "caliptra-x509", "caliptra_common", "cfg-if 1.0.0", diff --git a/rom/dev/tests/rom_integration_tests/test_warm_reset.rs b/rom/dev/tests/rom_integration_tests/test_warm_reset.rs index 2ddaeb1806..ecce2a6260 100644 --- a/rom/dev/tests/rom_integration_tests/test_warm_reset.rs +++ b/rom/dev/tests/rom_integration_tests/test_warm_reset.rs @@ -9,18 +9,10 @@ use caliptra_common::RomBootStatus::*; use caliptra_drivers::CaliptraError; use caliptra_hw_model::DeviceLifecycle; use caliptra_hw_model::{BootParams, Fuses, HwModel, InitParams, SecurityState}; -use caliptra_test::swap_word_bytes_inplace; -use openssl::sha::sha384; -use zerocopy::AsBytes; +use caliptra_test::image_pk_desc_hash; use crate::helpers; -fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} - #[test] fn test_warm_reset_success() { let security_state = *SecurityState::default() @@ -38,13 +30,8 @@ fn test_warm_reset_success() { }, ) .unwrap(); - let vendor_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.vendor_pub_key_info.as_bytes(), - )); - let owner_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.owner_pub_key_info.as_bytes(), - )); + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let mut hw = caliptra_hw_model::new( InitParams { diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml index 4cd392abb0..74eb20feba 100644 --- a/runtime/Cargo.toml +++ b/runtime/Cargo.toml @@ -45,6 +45,7 @@ caliptra-image-gen.workspace = true caliptra-image-crypto.workspace = true caliptra-auth-man-gen.workspace = true caliptra-image-serde.workspace = true +caliptra-test.workspace = true caliptra-cfi-lib-git = { workspace = true, features = ["cfi-test"] } openssl.workspace = true sha2 = { version = "0.10.2", default-features = false, features = ["compress"] } diff --git a/runtime/tests/runtime_integration_tests/test_warm_reset.rs b/runtime/tests/runtime_integration_tests/test_warm_reset.rs index ad8a998086..3652c2e643 100644 --- a/runtime/tests/runtime_integration_tests/test_warm_reset.rs +++ b/runtime/tests/runtime_integration_tests/test_warm_reset.rs @@ -8,21 +8,8 @@ use caliptra_builder::{ use caliptra_error::CaliptraError; use caliptra_hw_model::{BootParams, DeviceLifecycle, Fuses, HwModel, InitParams, SecurityState}; use caliptra_registers::mbox::enums::MboxStatusE; +use caliptra_test::image_pk_desc_hash; use dpe::DPE_PROFILE; -use openssl::sha::sha384; -use zerocopy::AsBytes; - -fn swap_word_bytes_inplace(words: &mut [u32]) { - for word in words.iter_mut() { - *word = word.swap_bytes() - } -} - -fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} #[test] fn test_rt_journey_pcr_validation() { @@ -40,12 +27,8 @@ fn test_rt_journey_pcr_validation() { }, ) .unwrap(); - let vendor_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.vendor_pub_key_info.as_bytes(), - )); - let owner_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.owner_pub_key_info.as_bytes(), - )); + + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let mut model = caliptra_hw_model::new( InitParams { @@ -107,12 +90,8 @@ fn test_mbox_busy_during_warm_reset() { }, ) .unwrap(); - let vendor_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.vendor_pub_key_info.as_bytes(), - )); - let owner_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.owner_pub_key_info.as_bytes(), - )); + + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let mut model = caliptra_hw_model::new( InitParams { diff --git a/test/src/lib.rs b/test/src/lib.rs index 297ca24f42..5d3186a374 100644 --- a/test/src/lib.rs +++ b/test/src/lib.rs @@ -6,6 +6,7 @@ use caliptra_builder::{ FwId, ImageOptions, }; use caliptra_hw_model::{BootParams, DefaultHwModel, HwModel, InitParams}; +use zerocopy::AsBytes; pub mod crypto; pub mod derive; @@ -13,6 +14,8 @@ mod redact; mod unwrap_single; pub mod x509; +use caliptra_image_types::ImageManifest; +use openssl::sha::sha384; pub use redact::{redact_cert, RedactOpts}; pub use unwrap_single::UnwrapSingle; @@ -28,6 +31,23 @@ pub fn swap_word_bytes_inplace(words: &mut [u32]) { } } +pub fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { + let mut result: [u32; 12] = zerocopy::transmute!(*buf); + swap_word_bytes_inplace(&mut result); + result +} + +// Returns the vendor and owner public key descriptor hashes from the image. +pub fn image_pk_desc_hash(manifest: &ImageManifest) -> ([u32; 12], [u32; 12]) { + let vendor_pk_desc_hash = + bytes_to_be_words_48(&sha384(manifest.preamble.vendor_pub_key_info.as_bytes())); + + let owner_pk_desc_hash = + bytes_to_be_words_48(&sha384(manifest.preamble.owner_pub_key_info.as_bytes())); + + (vendor_pk_desc_hash, owner_pk_desc_hash) +} + // Run a test which boots ROM -> FMC -> test_bin. If test_bin_name is None, // run the production runtime image. pub fn run_test( diff --git a/test/tests/caliptra_integration_tests/fake_collateral_boot_test.rs b/test/tests/caliptra_integration_tests/fake_collateral_boot_test.rs index 811583c884..e6a4f32ef2 100755 --- a/test/tests/caliptra_integration_tests/fake_collateral_boot_test.rs +++ b/test/tests/caliptra_integration_tests/fake_collateral_boot_test.rs @@ -13,7 +13,7 @@ use caliptra_common::mailbox_api::{ use caliptra_hw_model::{BootParams, HwModel, InitParams}; use caliptra_test::{ derive::{DoeInput, DoeOutput, LDevId}, - swap_word_bytes, swap_word_bytes_inplace, + image_pk_desc_hash, swap_word_bytes, x509::{DiceFwid, DiceTcbInfo}, }; use openssl::sha::sha384; @@ -42,12 +42,6 @@ fn get_idevid_pubkey() -> openssl::pkey::PKey { csr.public_key().unwrap() } -fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} - // [CAP2][TODO] This test is disabled because it needs to be updated. //#[test] fn fake_boot_test() { @@ -64,13 +58,8 @@ fn fake_boot_test() { }, ) .unwrap(); - let vendor_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.vendor_pub_key_info.as_bytes(), - )); - let owner_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.owner_pub_key_info.as_bytes(), - )); + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let mut hw = caliptra_hw_model::new( InitParams { diff --git a/test/tests/caliptra_integration_tests/jtag_test.rs b/test/tests/caliptra_integration_tests/jtag_test.rs index e3615b85d6..34739103fc 100644 --- a/test/tests/caliptra_integration_tests/jtag_test.rs +++ b/test/tests/caliptra_integration_tests/jtag_test.rs @@ -4,17 +4,9 @@ use caliptra_builder::{firmware, get_elf_path, ImageOptions}; use caliptra_api_types::DeviceLifecycle; use caliptra_hw_model::{BootParams, Fuses, HwModel, InitParams, SecurityState}; -use caliptra_test::swap_word_bytes_inplace; -use openssl::sha::sha384; +use caliptra_test::image_pk_desc_hash; use std::io::{BufRead, BufReader, Write}; use std::process::{ChildStdin, Command, Stdio}; -use zerocopy::AsBytes; - -fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} #[derive(PartialEq, Debug)] enum RegAccess { @@ -95,14 +87,12 @@ fn gdb_test() { }, ) .unwrap(); - let vendor_pk_desc_hash = sha384(image.manifest.preamble.vendor_pub_key_info.as_bytes()); - let owner_pk_desc_hash = sha384(image.manifest.preamble.owner_pub_key_info.as_bytes()); - let vendor_pk_desc_hash_words = bytes_to_be_words_48(&vendor_pk_desc_hash); - let owner_pk_desc_hash_words = bytes_to_be_words_48(&owner_pk_desc_hash); + + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let fuses = Fuses { - key_manifest_pk_hash: vendor_pk_desc_hash_words, - owner_pk_hash: owner_pk_desc_hash_words, + key_manifest_pk_hash: vendor_pk_desc_hash, + owner_pk_hash: owner_pk_desc_hash, fmc_key_manifest_svn: 0b1111111, lms_verify: true, ..Default::default() diff --git a/test/tests/caliptra_integration_tests/smoke_test.rs b/test/tests/caliptra_integration_tests/smoke_test.rs index d915d24059..d5447e133f 100644 --- a/test/tests/caliptra_integration_tests/smoke_test.rs +++ b/test/tests/caliptra_integration_tests/smoke_test.rs @@ -11,12 +11,13 @@ use caliptra_drivers::CaliptraError; use caliptra_hw_model::{BootParams, HwModel, InitParams, SecurityState}; use caliptra_hw_model_types::{RandomEtrngResponses, RandomNibbles}; use caliptra_test::derive::{PcrRtCurrentInput, RtAliasKey}; -use caliptra_test::{derive, redact_cert, run_test, RedactOpts, UnwrapSingle}; use caliptra_test::{ + bytes_to_be_words_48, derive::{DoeInput, DoeOutput, FmcAliasKey, IDevId, LDevId, Pcr0, Pcr0Input}, - swap_word_bytes, swap_word_bytes_inplace, + swap_word_bytes, x509::{DiceFwid, DiceTcbInfo}, }; +use caliptra_test::{derive, redact_cert, run_test, RedactOpts, UnwrapSingle}; use openssl::nid::Nid; use openssl::sha::{sha384, Sha384}; use rand::rngs::StdRng; @@ -132,12 +133,6 @@ fn test_golden_ldevid_pubkey_matches_generated() { .public_eq(&ldevid_pubkey)); } -fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} - #[test] fn smoke_test() { let security_state = *SecurityState::default() diff --git a/test/tests/caliptra_integration_tests/warm_reset.rs b/test/tests/caliptra_integration_tests/warm_reset.rs index eb6d6a8110..49699f4b15 100644 --- a/test/tests/caliptra_integration_tests/warm_reset.rs +++ b/test/tests/caliptra_integration_tests/warm_reset.rs @@ -8,15 +8,7 @@ use caliptra_builder::{ }; use caliptra_common::mailbox_api::CommandId; use caliptra_hw_model::{mbox_write_fifo, BootParams, HwModel, InitParams, SecurityState}; -use caliptra_test::swap_word_bytes_inplace; -use openssl::sha::sha384; -use zerocopy::AsBytes; - -fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} +use caliptra_test::image_pk_desc_hash; #[test] fn warm_reset_basic() { @@ -35,12 +27,8 @@ fn warm_reset_basic() { }, ) .unwrap(); - let vendor_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.vendor_pub_key_info.as_bytes(), - )); - let owner_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.owner_pub_key_info.as_bytes(), - )); + + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let mut hw = caliptra_hw_model::new( InitParams { @@ -99,12 +87,8 @@ fn warm_reset_during_fw_load() { }, ) .unwrap(); - let vendor_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.vendor_pub_key_info.as_bytes(), - )); - let owner_pk_desc_hash = bytes_to_be_words_48(&sha384( - image.manifest.preamble.owner_pub_key_info.as_bytes(), - )); + + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&image.manifest); let mut hw = caliptra_hw_model::new( InitParams { diff --git a/test/tests/fips_test_suite/common.rs b/test/tests/fips_test_suite/common.rs index 5fb21e790a..e96fa409a5 100755 --- a/test/tests/fips_test_suite/common.rs +++ b/test/tests/fips_test_suite/common.rs @@ -6,7 +6,6 @@ use caliptra_builder::{version, ImageOptions}; use caliptra_common::mailbox_api::*; use caliptra_drivers::FipsTestHook; use caliptra_hw_model::{BootParams, DefaultHwModel, HwModel, InitParams, ModelError, ShaAccMode}; -use caliptra_test::swap_word_bytes_inplace; use dpe::{ commands::*, response::{ @@ -423,12 +422,6 @@ pub fn verify_output_inhibited(hw: &mut T) { verify_sha_engine_output_inhibited(hw); } -pub fn bytes_to_be_words_48(buf: &[u8; 48]) -> [u32; 12] { - let mut result: [u32; 12] = zerocopy::transmute!(*buf); - swap_word_bytes_inplace(&mut result); - result -} - pub fn hook_code_read(hw: &mut T) -> u8 { ((hw.soc_ifc().cptra_dbg_manuf_service_reg().read() & HOOK_CODE_MASK) >> HOOK_CODE_OFFSET) as u8 } diff --git a/test/tests/fips_test_suite/fw_load.rs b/test/tests/fips_test_suite/fw_load.rs index 3821bb7c24..efd441995d 100755 --- a/test/tests/fips_test_suite/fw_load.rs +++ b/test/tests/fips_test_suite/fw_load.rs @@ -19,7 +19,7 @@ use caliptra_image_types::SHA384_DIGEST_WORD_SIZE; use caliptra_image_types::{ FwImageType, ImageBundle, VENDOR_ECC_MAX_KEY_COUNT, VENDOR_LMS_MAX_KEY_COUNT, }; -use openssl::sha::sha384; +use caliptra_test::image_pk_desc_hash; use common::*; use zerocopy::AsBytes; @@ -1195,27 +1195,12 @@ fn fw_load_bad_pub_key_flow(fw_image: ImageBundle, exp_error_code: u32) { // Generate pub key hashes and set fuses // Use a fresh image (will NOT be loaded) let pk_hash_src_image = build_fw_image(ImageOptions::default()); - let vendor_pk_desc_hash = sha384( - pk_hash_src_image - .manifest - .preamble - .vendor_pub_key_info - .as_bytes(), - ); - let owner_pk_desc_hash = sha384( - pk_hash_src_image - .manifest - .preamble - .owner_pub_key_info - .as_bytes(), - ); - let vendor_pk_desc_hash_words = bytes_to_be_words_48(&vendor_pk_desc_hash); - let owner_pk_desc_hash_words = bytes_to_be_words_48(&owner_pk_desc_hash); + let (vendor_pk_desc_hash, owner_pk_desc_hash) = image_pk_desc_hash(&pk_hash_src_image.manifest); let fuses = Fuses { life_cycle: DeviceLifecycle::Production, - key_manifest_pk_hash: vendor_pk_desc_hash_words, - owner_pk_hash: owner_pk_desc_hash_words, + key_manifest_pk_hash: vendor_pk_desc_hash, + owner_pk_hash: owner_pk_desc_hash, lms_verify: true, ..Default::default() };