Adding the stash measurement functionality to AuthorizeAndStashCmd (#…

…1763)
chipsalliance · Nov 4, 2024 · 9803094 · 9803094
1 parent 613df2b
commit 9803094
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 11 deletions.
diff --git a/error/src/lib.rs b/error/src/lib.rs
@@ -441,6 +441,8 @@ impl CaliptraError {
     pub const RUNTIME_AUTH_AND_STASH_UNSUPPORTED_IMAGE_SOURCE: CaliptraError =
         CaliptraError::new_const(0x000E004E);
     pub const RUNTIME_CMD_RESERVED_PAUSER: CaliptraError = CaliptraError::new_const(0x000E004F);
+    pub const RUNTIME_AUTH_AND_STASH_MEASUREMENT_DPE_ERROR: CaliptraError =
+        CaliptraError::new_const(0x000E0050);
 
     /// FMC Errors
     pub const FMC_GLOBAL_NMI: CaliptraError = CaliptraError::new_const(0x000F0001);

diff --git a/runtime/src/authorize_and_stash.rs b/runtime/src/authorize_and_stash.rs
@@ -15,7 +15,7 @@ Abstract:
 use core::cmp::min;
 use core::mem::size_of;
 
-use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers};
+use crate::{dpe_crypto::DpeCrypto, CptraDpeTypes, DpePlatform, Drivers, StashMeasurementCmd};
 use caliptra_auth_man_types::{
     AuthManifestImageMetadataCollection, AuthManifestImageMetadataCollectionHeader,
     AuthManifestPreamble, AUTH_MANIFEST_MARKER,
@@ -76,10 +76,22 @@ impl AuthorizeAndStashCmd {
                 }
             }
 
-            let flags: AuthAndStashFlags = cmd.flags.into();
-            if !flags.contains(AuthAndStashFlags::SKIP_STASH) {
-                // TODO: Stash the image hash
-                Err(CaliptraError::RUNTIME_UNIMPLEMENTED_COMMAND)?;
+            // Stash the measurement if the image is authorized.
+            if auth_result == AUTHORIZE_IMAGE {
+                let flags: AuthAndStashFlags = cmd.flags.into();
+                if !flags.contains(AuthAndStashFlags::SKIP_STASH) {
+                    let dpe_result = StashMeasurementCmd::stash_measurement(
+                        drivers,
+                        &cmd.metadata,
+                        &cmd.measurement,
+                    )?;
+                    if dpe_result != DpeErrorCode::NoError {
+                        drivers
+                            .soc_ifc
+                            .set_fw_extended_error(dpe_result.get_error_code());
+                        Err(CaliptraError::RUNTIME_AUTH_AND_STASH_MEASUREMENT_DPE_ERROR)?;
+                    }
+                }
             }
 
             Ok(MailboxResp::AuthorizeAndStash(AuthorizeAndStashResp {

diff --git a/runtime/src/stash_measurement.rs b/runtime/src/stash_measurement.rs
@@ -31,9 +31,11 @@ pub struct StashMeasurementCmd;
 impl StashMeasurementCmd {
     #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
     #[inline(never)]
-    pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult<MailboxResp> {
-        let cmd = StashMeasurementReq::read_from(cmd_args)
-            .ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?;
+    pub(crate) fn stash_measurement(
+        drivers: &mut Drivers,
+        metadata: &[u8; 4],
+        measurement: &[u8; 48],
+    ) -> CaliptraResult<DpeErrorCode> {
         let dpe_result = {
             match drivers.caller_privilege_level() {
                 // Only PL0 can call STASH_MEASUREMENT
@@ -78,12 +80,12 @@ impl StashMeasurementCmd {
 
             let derive_context_resp = DeriveContextCmd {
                 handle: ContextHandle::default(),
-                data: cmd.measurement,
+                data: *measurement,
                 flags: DeriveContextFlags::MAKE_DEFAULT
                     | DeriveContextFlags::CHANGE_LOCALITY
                     | DeriveContextFlags::INPUT_ALLOW_CA
                     | DeriveContextFlags::INPUT_ALLOW_X509,
-                tci_type: u32::from_ne_bytes(cmd.metadata),
+                tci_type: u32::from_ne_bytes(*metadata),
                 target_locality: locality,
             }
             .execute(&mut pdata.dpe, &mut env, locality);
@@ -105,10 +107,19 @@ impl StashMeasurementCmd {
             drivers.pcr_bank.extend_pcr(
                 PCR_ID_STASH_MEASUREMENT,
                 &mut drivers.sha384,
-                cmd.measurement.as_bytes(),
+                measurement.as_bytes(),
             )?;
         }
 
+        Ok(dpe_result)
+    }
+
+    pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult<MailboxResp> {
+        let cmd = StashMeasurementReq::read_from(cmd_args)
+            .ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?;
+
+        let dpe_result = Self::stash_measurement(drivers, &cmd.metadata, &cmd.measurement)?;
+
         Ok(MailboxResp::StashMeasurement(StashMeasurementResp {
             hdr: MailboxRespHeader::default(),
             dpe_result: dpe_result.get_error_code(),