diff --git a/drivers/src/hmac384_kdf.rs b/drivers/src/hmac384_kdf.rs index 2da0b22279..12600cba85 100644 --- a/drivers/src/hmac384_kdf.rs +++ b/drivers/src/hmac384_kdf.rs @@ -32,21 +32,23 @@ use caliptra_error::CaliptraResult; /// the label and context. /// * `trng` - TRNG driver instance /// * `output` - Location to store the output +/// * `mode` - HMAC Mode #[cfg_attr(not(feature = "no-cfi"), cfi_mod_fn)] -pub fn hmac384_kdf( +pub fn hmac_kdf( hmac: &mut Hmac, key: HmacKey, label: &[u8], context: Option<&[u8]>, trng: &mut Trng, output: HmacTag, + mode: HmacMode, ) -> CaliptraResult<()> { #[cfg(feature = "fips-test-hooks")] unsafe { crate::FipsTestHook::error_if_hook_set(crate::FipsTestHook::HMAC384_FAILURE)? } - let mut hmac_op = hmac.hmac_init(&key, trng, output, HmacMode::Hmac384)?; + let mut hmac_op = hmac.hmac_init(&key, trng, output, mode)?; hmac_op.update(&1_u32.to_be_bytes())?; hmac_op.update(label)?; diff --git a/drivers/src/lib.rs b/drivers/src/lib.rs index 910b6c8521..57f12110c7 100644 --- a/drivers/src/lib.rs +++ b/drivers/src/lib.rs @@ -77,7 +77,7 @@ pub use fuse_bank::{ }; pub use hand_off::FirmwareHandoffTable; pub use hmac::{Hmac, HmacData, HmacKey, HmacMode, HmacOp, HmacTag}; -pub use hmac384_kdf::hmac384_kdf; +pub use hmac384_kdf::hmac_kdf; pub use key_vault::{KeyId, KeyUsage, KeyVault}; pub use kv_access::{KeyReadArgs, KeyWriteArgs}; pub use lms::{ diff --git a/drivers/test-fw/src/bin/hmac_tests.rs b/drivers/test-fw/src/bin/hmac_tests.rs index 5f7b73af58..c65b519a54 100755 --- a/drivers/test-fw/src/bin/hmac_tests.rs +++ b/drivers/test-fw/src/bin/hmac_tests.rs @@ -17,7 +17,7 @@ Abstract: use caliptra_cfi_lib::CfiCounter; use caliptra_drivers::{ - hmac384_kdf, Array4x12, Array4x16, Ecc384, Ecc384PrivKeyOut, Ecc384Scalar, Ecc384Seed, Hmac, + hmac_kdf, Array4x12, Array4x16, Ecc384, Ecc384PrivKeyOut, Ecc384Scalar, Ecc384Seed, Hmac, HmacMode, KeyId, KeyReadArgs, KeyUsage, KeyWriteArgs, Trng, }; use caliptra_kat::Hmac384KdfKat; @@ -406,7 +406,7 @@ fn test_hmac5() { assert_eq!(hmac_step_1, hmac_step_2); } -fn test_kdf( +fn test_kdf_hmac384( key_0: &[u8; 48], msg_0: &[u8], label: &[u8], @@ -445,13 +445,14 @@ fn test_kdf( let kdf_out = KeyWriteArgs::new(KeyId::KeyId1, KeyUsage::default().set_ecc_key_gen_seed_en()); - hmac384_kdf( + hmac_kdf( &mut hmac384, kdf_key_in.into(), label, context, &mut trng, kdf_out.into(), + HmacMode::Hmac384, ) .unwrap(); @@ -471,7 +472,7 @@ fn test_kdf( } // context_len = 48 -fn test_kdf0() { +fn test_kdf0_hmac384() { let key_0 = [ 0x9e, 0x2c, 0xce, 0xc7, 0x00, 0x16, 0x1e, 0x42, 0xff, 0x0e, 0x13, 0x8c, 0x48, 0x89, 0xe4, 0xd6, 0xa0, 0x88, 0x8d, 0x13, 0x1d, 0x58, 0xcb, 0x44, 0xf5, 0xe2, 0x92, 0x47, 0x59, 0x64, @@ -504,7 +505,7 @@ fn test_kdf0() { 0xcb, 0x13, 0x18, ]; - test_kdf( + test_kdf_hmac384( &key_0, &msg_0, &label, @@ -515,7 +516,7 @@ fn test_kdf0() { } // context_len = 0 -fn test_kdf1() { +fn test_kdf1_hmac384() { let key_0 = [ 0xd3, 0x45, 0xe5, 0x14, 0x19, 0xda, 0xc6, 0x9c, 0x70, 0xc8, 0x22, 0x71, 0xe9, 0x12, 0x28, 0x58, 0x65, 0x64, 0x16, 0xc9, 0x92, 0xf3, 0xda, 0x58, 0x5a, 0xca, 0x96, 0xe5, 0x99, 0x29, @@ -542,11 +543,11 @@ fn test_kdf1() { 0x9a, 0xa4, 0x19, ]; - test_kdf(&key_0, &msg_0, &label, None, &out_pub_x, &out_pub_y); + test_kdf_hmac384(&key_0, &msg_0, &label, None, &out_pub_x, &out_pub_y); } // Test using a NIST vector. -fn test_kdf2() { +fn test_kdf2_hmac384() { let mut hmac384 = unsafe { Hmac::new(HmacReg::new()) }; let mut trng = unsafe { Trng::new( @@ -578,19 +579,114 @@ fn test_kdf2() { let mut out_buf = Array4x12::default(); - hmac384_kdf( + hmac_kdf( &mut hmac384, (&Array4x12::from(&key)).into(), &label, None, &mut trng, (&mut out_buf).into(), + HmacMode::Hmac384, ) .unwrap(); assert_eq!(<[u8; 48]>::from(out_buf)[..out.len()], out); } +fn test_kdf0_hmac512() { + let mut hmac = unsafe { Hmac::new(HmacReg::new()) }; + let mut trng = unsafe { + Trng::new( + CsrngReg::new(), + EntropySrcReg::new(), + SocIfcTrngReg::new(), + &SocIfcReg::new(), + ) + .unwrap() + }; + + let key = [ + 0x0f, 0xf2, 0xc2, 0x79, 0x65, 0x3a, 0x7b, 0x95, 0x4a, 0xfb, 0x00, 0x96, 0xc2, 0xb1, 0x6e, + 0x59, 0x1f, 0xa3, 0x2e, 0xef, 0x39, 0xed, 0xd8, 0x14, 0x1c, 0x65, 0x13, 0xd6, 0xdc, 0x6c, + 0x08, 0x63, 0xaf, 0x0e, 0x94, 0xbf, 0xd5, 0x7b, 0x17, 0x81, 0x7c, 0xd1, 0x03, 0x8f, 0x37, + 0x63, 0x9c, 0xf8, 0xd6, 0x38, 0x71, 0xae, 0xf4, 0x6e, 0xe8, 0x19, 0x47, 0x52, 0x6b, 0xc5, + 0x45, 0x4c, 0x13, 0xf2, + ]; + let label = [ + 0x16, 0xee, 0x1d, 0xae, 0xf6, 0xa0, 0x31, 0x6a, 0xa0, 0x46, 0x76, 0x46, 0xc5, 0x21, 0xfa, + 0x30, 0x16, 0x5f, 0xe3, 0x36, 0xb2, 0x49, 0x60, 0x0f, 0x1e, 0x56, 0x5d, 0x28, 0x7b, 0x97, + 0x01, 0x80, 0x33, 0xe2, 0xba, 0xd4, 0x5d, 0x76, 0xc6, 0x68, 0x5d, 0x77, 0x33, 0x9b, 0x27, + 0xeb, 0xdd, 0x9c, 0xce, 0x1b, 0x34, 0xc1, 0xe4, 0x61, 0x9a, 0x97, 0x77, 0x4d, 0x94, 0xe7, + ]; + let out = [ + 0xbc, 0x0e, 0x3c, 0xb2, 0xb7, 0x8b, 0xd9, 0xd6, 0xe2, 0xec, 0x54, 0x46, 0x72, 0xad, 0xbe, + 0x44, 0x39, 0x8f, 0xdb, 0xa7, 0xef, 0x33, 0x2f, 0x1c, 0x42, 0x35, 0xc1, 0x04, 0xca, 0x32, + 0xec, 0x00, 0xfb, 0x47, 0xd4, 0x72, 0x09, 0xe1, 0x51, 0x97, + ]; + + let mut out_buf = Array4x16::default(); + + hmac_kdf( + &mut hmac, + (&Array4x16::from(&key)).into(), + &label, + None, + &mut trng, + (&mut out_buf).into(), + HmacMode::Hmac512, + ) + .unwrap(); + + assert_eq!(<[u8; 64]>::from(out_buf)[..out.len()], out); +} + +fn test_kdf1_hmac512() { + let mut hmac = unsafe { Hmac::new(HmacReg::new()) }; + let mut trng = unsafe { + Trng::new( + CsrngReg::new(), + EntropySrcReg::new(), + SocIfcTrngReg::new(), + &SocIfcReg::new(), + ) + .unwrap() + }; + + let key = [ + 0xa9, 0xf4, 0xa2, 0xc5, 0xaf, 0x83, 0x98, 0x67, 0xf5, 0xdb, 0x5a, 0x1e, 0x52, 0x0a, 0xb3, + 0xcc, 0xa7, 0x2a, 0x16, 0x6c, 0xa6, 0x0d, 0xe5, 0x12, 0xfd, 0x7f, 0xe7, 0xe6, 0x4c, 0xf9, + 0x4f, 0x92, 0xcf, 0x1d, 0x8b, 0x63, 0x61, 0x75, 0xf2, 0x93, 0xe0, 0x03, 0x27, 0x5e, 0x02, + 0x10, 0x18, 0xc3, 0xf0, 0xed, 0xe4, 0x95, 0x99, 0x7a, 0x50, 0x5e, 0xc9, 0xa2, 0xaf, 0xeb, + 0x04, 0x95, 0xbe, 0x57, + ]; + let label = [ + 0x8e, 0x9d, 0xb3, 0x33, 0x57, 0x79, 0xdb, 0x68, 0x8b, 0xcf, 0xe0, 0x96, 0x66, 0x8d, 0x9c, + 0x3b, 0xc6, 0x4e, 0x19, 0x3e, 0x35, 0x29, 0xc4, 0x30, 0xe6, 0x8d, 0x09, 0xd5, 0x6c, 0x83, + 0x7d, 0xd6, 0xc0, 0xf9, 0x46, 0x78, 0xf1, 0x21, 0xa6, 0x8e, 0xe1, 0xfe, 0xea, 0x47, 0x35, + 0xda, 0x85, 0xa4, 0x9d, 0x34, 0xa5, 0x29, 0x0a, 0xa3, 0x9f, 0x7b, 0x40, 0xde, 0x43, 0x5f, + ]; + let out = [ + 0x6d, 0xb8, 0x80, 0xda, 0xac, 0x98, 0xb0, 0x78, 0xee, 0x38, 0x9a, 0x21, 0x64, 0x25, 0x2d, + 0xed, 0x61, 0x32, 0x2d, 0x66, 0x1e, 0x2b, 0x49, 0x24, 0x7e, 0xa9, 0x21, 0xe5, 0x44, 0x67, + 0x5d, 0x8f, 0x17, 0xaf, 0x2b, 0xf6, 0x6d, 0xd4, 0x0d, 0x81, + ]; + + let mut out_buf = Array4x16::default(); + + hmac_kdf( + &mut hmac, + (&Array4x16::from(&key)).into(), + &label, + None, + &mut trng, + (&mut out_buf).into(), + HmacMode::Hmac512, + ) + .unwrap(); + + assert_eq!(<[u8; 64]>::from(out_buf)[..out.len()], out); +} + fn test_hmac_multi_block() { let mut hmac384 = unsafe { Hmac::new(HmacReg::new()) }; let mut trng = unsafe { @@ -1015,9 +1111,11 @@ test_suite! { test_hmac4, test_hmac_kv_multiblock, test_hmac5, - test_kdf0, - test_kdf1, - test_kdf2, + test_kdf0_hmac384, + test_kdf1_hmac384, + test_kdf2_hmac384, + test_kdf0_hmac512, + test_kdf1_hmac512, test_hmac_multi_block, test_hmac_exact_single_block, test_hmac_multi_block_two_step, diff --git a/fmc/src/flow/crypto.rs b/fmc/src/flow/crypto.rs index 23e83edae9..1aeced16e0 100644 --- a/fmc/src/flow/crypto.rs +++ b/fmc/src/flow/crypto.rs @@ -9,9 +9,7 @@ use crate::fmc_env::FmcEnv; use caliptra_cfi_derive::cfi_impl_fn; use caliptra_common::{crypto::Ecc384KeyPair, keyids::KEY_ID_TMP}; use caliptra_drivers::{ - hmac384_kdf, okref, Array4x12, Array4x5, Array4x8, CaliptraResult, Ecc384PrivKeyIn, - Ecc384PrivKeyOut, Ecc384PubKey, Ecc384Result, Ecc384Signature, KeyId, KeyReadArgs, KeyUsage, - KeyWriteArgs, Sha256Alg, + hmac_kdf, okref, Array4x12, Array4x5, Array4x8, CaliptraResult, Ecc384PrivKeyIn, Ecc384PrivKeyOut, Ecc384PubKey, Ecc384Result, Ecc384Signature, HmacMode, KeyId, KeyReadArgs, KeyUsage, KeyWriteArgs, Sha256Alg }; pub enum Crypto {} @@ -78,8 +76,9 @@ impl Crypto { label: &[u8], context: Option<&[u8]>, output: KeyId, + mode: HmacMode ) -> CaliptraResult<()> { - hmac384_kdf( + hmac_kdf( &mut env.hmac384, KeyReadArgs::new(key).into(), label, @@ -92,6 +91,7 @@ impl Crypto { .set_ecc_key_gen_seed_en(), ) .into(), + mode, ) } @@ -114,7 +114,7 @@ impl Crypto { label: &[u8], priv_key: KeyId, ) -> CaliptraResult { - Crypto::hmac384_kdf(env, cdi, label, None, KEY_ID_TMP)?; + Crypto::hmac384_kdf(env, cdi, label, None, KEY_ID_TMP, HmacMode::Hmac384,)?; let key_out = Ecc384PrivKeyOut::Key(KeyWriteArgs::new( priv_key, diff --git a/fmc/src/flow/rt_alias.rs b/fmc/src/flow/rt_alias.rs index 404925dde4..d6d689ee81 100644 --- a/fmc/src/flow/rt_alias.rs +++ b/fmc/src/flow/rt_alias.rs @@ -28,8 +28,7 @@ use caliptra_common::crypto::Ecc384KeyPair; use caliptra_common::keyids::{KEY_ID_RT_CDI, KEY_ID_RT_PRIV_KEY, KEY_ID_TMP}; use caliptra_common::HexBytes; use caliptra_drivers::{ - okref, report_boot_status, CaliptraError, CaliptraResult, Ecc384Result, KeyId, PersistentData, - ResetReason, + okref, report_boot_status, CaliptraError, CaliptraResult, Ecc384Result, HmacMode, KeyId, PersistentData, ResetReason }; use caliptra_x509::{NotAfter, NotBefore, RtAliasCertTbs, RtAliasCertTbsParams}; @@ -252,7 +251,7 @@ impl RtAliasLayer { tci[SHA384_HASH_SIZE..2 * SHA384_HASH_SIZE].copy_from_slice(&image_manifest_digest); // Permute CDI from FMC TCI - Crypto::hmac384_kdf(env, fmc_cdi, b"rt_alias_cdi", Some(&tci), rt_cdi)?; + Crypto::hmac384_kdf(env, fmc_cdi, b"rt_alias_cdi", Some(&tci), rt_cdi, HmacMode::Hmac384,)?; report_boot_status(FmcBootStatus::RtAliasDeriveCdiComplete as u32); Ok(()) } diff --git a/kat/src/hmac384kdf_kat.rs b/kat/src/hmac384kdf_kat.rs index 30015dab22..3e8b20ad22 100644 --- a/kat/src/hmac384kdf_kat.rs +++ b/kat/src/hmac384kdf_kat.rs @@ -12,7 +12,7 @@ Abstract: --*/ -use caliptra_drivers::{hmac384_kdf, Array4x12, CaliptraError, CaliptraResult, Hmac, Trng}; +use caliptra_drivers::{hmac_kdf, Array4x12, CaliptraError, CaliptraResult, Hmac, HmacMode, Trng}; const KEY: Array4x12 = Array4x12::new([ 0xb57dc523, 0x54afee11, 0xedb4c905, 0x2a528344, 0x348b2c6b, 0x6c39f321, 0x33ed3bb7, 0x2035a4ab, @@ -67,7 +67,7 @@ impl Hmac384KdfKat { fn kat_nist_vector(&self, hmac: &mut Hmac, trng: &mut Trng) -> CaliptraResult<()> { let mut out = Array4x12::default(); - hmac384_kdf(hmac, (&KEY).into(), &LABEL, None, trng, (&mut out).into()) + hmac_kdf(hmac, (&KEY).into(), &LABEL, None, trng, (&mut out).into(), HmacMode::Hmac384,) .map_err(|_| CaliptraError::KAT_HMAC384_FAILURE)?; if EXPECTED_OUT != <[u8; 48]>::from(out)[..EXPECTED_OUT.len()] { diff --git a/rom/dev/src/flow/cold_reset/crypto.rs b/rom/dev/src/flow/cold_reset/crypto.rs index e9cc8a3a12..a5f1f2ab4d 100644 --- a/rom/dev/src/flow/cold_reset/crypto.rs +++ b/rom/dev/src/flow/cold_reset/crypto.rs @@ -137,7 +137,7 @@ impl Crypto { ) } - /// Calculate HMAC-348 KDF + /// Calculate HMAC KDF /// /// # Arguments /// @@ -146,15 +146,17 @@ impl Crypto { /// * `label` - Input label /// * `context` - Input context /// * `output` - Key slot to store the output + /// * `mode` - HMAC Mode #[inline(always)] - pub fn hmac384_kdf( + pub fn hmac_kdf( env: &mut RomEnv, key: KeyId, label: &[u8], context: Option<&[u8]>, output: KeyId, + mode: HmacMode ) -> CaliptraResult<()> { - hmac384_kdf( + hmac_kdf( &mut env.hmac384, KeyReadArgs::new(key).into(), label, @@ -167,6 +169,7 @@ impl Crypto { .set_ecc_key_gen_seed_en(), ) .into(), + mode, ) } @@ -188,7 +191,7 @@ impl Crypto { label: &[u8], priv_key: KeyId, ) -> CaliptraResult { - Crypto::hmac384_kdf(env, cdi, label, None, KEY_ID_TMP)?; + Crypto::hmac_kdf(env, cdi, label, None, KEY_ID_TMP, HmacMode::Hmac512,)?; let key_out = Ecc384PrivKeyOut::Key(KeyWriteArgs::new( priv_key, @@ -260,8 +263,7 @@ impl Crypto { key_pair_seed: KeyId, ) -> CaliptraResult { // Generate the seed for key pair generation. - // [CAP2][TODO] Change this to hmac512_kdfwhen available. - Crypto::hmac384_kdf(env, cdi, label, None, key_pair_seed)?; + Crypto::hmac_kdf(env, cdi, label, None, key_pair_seed, HmacMode::Hmac512,)?; // Generate the public key. let pub_key = env diff --git a/rom/dev/src/flow/cold_reset/fmc_alias.rs b/rom/dev/src/flow/cold_reset/fmc_alias.rs index c880a93c15..39b2011db5 100644 --- a/rom/dev/src/flow/cold_reset/fmc_alias.rs +++ b/rom/dev/src/flow/cold_reset/fmc_alias.rs @@ -31,7 +31,7 @@ use caliptra_common::keyids::{ }; use caliptra_common::pcr::PCR_ID_FMC_CURRENT; use caliptra_common::RomBootStatus::*; -use caliptra_drivers::{okmutref, report_boot_status, Array4x12, CaliptraResult, KeyId, Lifecycle}; +use caliptra_drivers::{okmutref, report_boot_status, Array4x12, CaliptraResult, HmacMode, KeyId, Lifecycle}; use caliptra_x509::{FmcAliasCertTbs, FmcAliasCertTbsParams}; use zeroize::Zeroize; @@ -111,7 +111,7 @@ impl FmcAliasLayer { fn derive_cdi(env: &mut RomEnv, measurements: &Array4x12, cdi: KeyId) -> CaliptraResult<()> { let mut measurements: [u8; 48] = measurements.into(); - let result = Crypto::hmac384_kdf(env, cdi, b"fmc_alias_cdi", Some(&measurements), cdi); + let result = Crypto::hmac_kdf(env, cdi, b"fmc_alias_cdi", Some(&measurements), cdi, HmacMode::Hmac512,); measurements.zeroize(); result?; report_boot_status(FmcAliasDeriveCdiComplete.into()); diff --git a/rom/dev/src/flow/cold_reset/idev_id.rs b/rom/dev/src/flow/cold_reset/idev_id.rs index 705dadfc13..b188e9af72 100644 --- a/rom/dev/src/flow/cold_reset/idev_id.rs +++ b/rom/dev/src/flow/cold_reset/idev_id.rs @@ -183,7 +183,7 @@ impl InitDevIdLayer { /// * `cdi` - Key Slot to store the generated CDI #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)] fn derive_cdi(env: &mut RomEnv, uds: KeyId, cdi: KeyId) -> CaliptraResult<()> { - Crypto::hmac384_kdf(env, uds, b"idevid_cdi", None, cdi)?; + Crypto::hmac_kdf(env, uds, b"idevid_cdi", None, cdi, HmacMode::Hmac512)?; cprintln!("[idev] Erasing UDS.KEYID = {}", uds as u8); env.key_vault.erase_key(uds)?; diff --git a/runtime/src/disable.rs b/runtime/src/disable.rs index 9c0d567f5a..d6fe7dc982 100644 --- a/runtime/src/disable.rs +++ b/runtime/src/disable.rs @@ -16,8 +16,7 @@ use crate::Drivers; use caliptra_cfi_derive_git::cfi_impl_fn; use caliptra_common::mailbox_api::MailboxResp; use caliptra_drivers::{ - hmac384_kdf, Array4x12, CaliptraError, CaliptraResult, Ecc384Seed, HmacKey, KeyReadArgs, - KeyUsage, KeyWriteArgs, + hmac_kdf, Array4x12, CaliptraError, CaliptraResult, Ecc384Seed, HmacKey, HmacMode, KeyReadArgs, KeyUsage, KeyWriteArgs }; use dpe::U8Bool; @@ -54,7 +53,7 @@ impl DisableAttestationCmd { #[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)] fn zero_rt_cdi(drivers: &mut Drivers) -> CaliptraResult<()> { let key_id_rt_cdi = Drivers::get_key_id_rt_cdi(drivers)?; - hmac384_kdf( + hmac_kdf( &mut drivers.hmac384, HmacKey::Array4x12(&Array4x12::default()), b"zero_rt_cdi", @@ -67,6 +66,7 @@ impl DisableAttestationCmd { .set_ecc_key_gen_seed_en(), ) .into(), + HmacMode::Hmac384 )?; Ok(()) diff --git a/runtime/src/dpe_crypto.rs b/runtime/src/dpe_crypto.rs index b8fd4798d3..75f1905c6e 100644 --- a/runtime/src/dpe_crypto.rs +++ b/runtime/src/dpe_crypto.rs @@ -18,7 +18,7 @@ use caliptra_cfi_derive_git::cfi_impl_fn; use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_launder}; use caliptra_common::keyids::{KEY_ID_DPE_CDI, KEY_ID_DPE_PRIV_KEY, KEY_ID_TMP}; use caliptra_drivers::{ - cprintln, hmac384_kdf, Array4x12, Ecc384, Ecc384PrivKeyIn, Ecc384PubKey, Ecc384Scalar, + cprintln, hmac_kdf, Array4x12, Ecc384, Ecc384PrivKeyIn, Ecc384PubKey, Ecc384Scalar, Ecc384Seed, Hmac, HmacData, HmacKey, HmacMode, HmacTag, KeyId, KeyReadArgs, KeyUsage, KeyVault, KeyWriteArgs, Sha384, Sha384DigestOp, Trng, }; @@ -30,7 +30,7 @@ pub struct DpeCrypto<'a> { sha384: &'a mut Sha384, trng: &'a mut Trng, ecc384: &'a mut Ecc384, - hmac384: &'a mut Hmac, + hmac: &'a mut Hmac, key_vault: &'a mut KeyVault, rt_pub_key: &'a mut Ecc384PubKey, key_id_rt_cdi: KeyId, @@ -53,7 +53,7 @@ impl<'a> DpeCrypto<'a> { sha384, trng, ecc384, - hmac384, + hmac: hmac384, key_vault, rt_pub_key, key_id_rt_cdi, @@ -144,8 +144,8 @@ impl<'a> Crypto for DpeCrypto<'a> { hasher.update(info)?; let context = hasher.finish()?; - hmac384_kdf( - self.hmac384, + hmac_kdf( + self.hmac, KeyReadArgs::new(self.key_id_rt_cdi).into(), b"derive_cdi", Some(context.bytes()), @@ -157,6 +157,7 @@ impl<'a> Crypto for DpeCrypto<'a> { .set_ecc_key_gen_seed_en(), ) .into(), + HmacMode::Hmac384, ) .map_err(|e| CryptoError::CryptoLibError(u32::from(e)))?; Ok(KEY_ID_DPE_CDI) @@ -175,14 +176,15 @@ impl<'a> Crypto for DpeCrypto<'a> { match algs { AlgLen::Bit256 => Err(CryptoError::Size), AlgLen::Bit384 => { - hmac384_kdf( - self.hmac384, + hmac_kdf( + self.hmac, KeyReadArgs::new(*cdi).into(), label, Some(info), self.trng, KeyWriteArgs::new(KEY_ID_TMP, KeyUsage::default().set_ecc_key_gen_seed_en()) .into(), + HmacMode::Hmac384, ) .map_err(|e| CryptoError::CryptoLibError(u32::from(e)))?; @@ -329,20 +331,21 @@ impl<'a> Crypto for DpeCrypto<'a> { // derive an hmac key let mut hmac_key = Array4x12::default(); - hmac384_kdf( - self.hmac384, + hmac_kdf( + self.hmac, HmacKey::Array4x12(&Array4x12::from(hmac_ikm)), &[], None, self.trng, HmacTag::Array4x12(&mut hmac_key), + HmacMode::Hmac384, ) .map_err(|e| CryptoError::CryptoLibError(u32::from(e)))?; hmac_ikm.zeroize(); // sign digest with HMAC key let mut tag = Array4x12::default(); - self.hmac384 + self.hmac .hmac( &HmacKey::Array4x12(&hmac_key), &HmacData::Slice(digest.bytes()), diff --git a/runtime/src/hmac.rs b/runtime/src/hmac.rs index 19c3b13945..4527a3b375 100644 --- a/runtime/src/hmac.rs +++ b/runtime/src/hmac.rs @@ -16,7 +16,7 @@ use caliptra_cfi_derive_git::{cfi_impl_fn, cfi_mod_fn}; use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_launder}; use caliptra_common::{crypto::Ecc384KeyPair, keyids::KEY_ID_TMP}; use caliptra_drivers::{ - hmac384_kdf, Array4x12, Ecc384PrivKeyOut, Ecc384PubKey, HmacData, HmacKey, HmacMode, HmacTag, + hmac_kdf, Array4x12, Ecc384PrivKeyOut, Ecc384PubKey, HmacData, HmacKey, HmacMode, HmacTag, KeyId, KeyReadArgs, KeyUsage, KeyWriteArgs, }; use caliptra_error::CaliptraResult; @@ -44,7 +44,7 @@ fn ecc384_key_gen( label: &[u8], priv_key: KeyId, ) -> CaliptraResult { - hmac384_kdf( + hmac_kdf( &mut drivers.hmac384, KeyReadArgs::new(input).into(), label, @@ -57,6 +57,7 @@ fn ecc384_key_gen( .set_ecc_key_gen_seed_en(), ) .into(), + HmacMode::Hmac384, )?; let pub_key = drivers.ecc384.key_pair(