fw(uno): device-id cert chain — get_cert / get_cert_chain_info#577
Open
radutta99 wants to merge 5 commits into
Open
fw(uno): device-id cert chain — get_cert / get_cert_chain_info#577radutta99 wants to merge 5 commits into
radutta99 wants to merge 5 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR brings up the Uno/Manticore device-id certificate chain support by adding boot-time chain storage/readers (DTCM CBLOB + GSRAM alias), generating a deterministic partition-id (PID) leaf certificate on demand, and aligning host-facing public-key byte order with X.509/SEC1 expectations. It also includes a UPKA submission ordering fix to prevent intermittent BUS_ERROR under load.
Changes:
- Reserve a DTCM region for an HSP-pushed device-id cert-chain CBLOB and add a
cert_blobcrate to parse it safely. - Implement Uno PAL
HsmCertStore(get_cert_chain_info/get_cert) to serve: device-id chain → alias cert → deterministically generated PID leaf. - Fix host-facing SEC1 public-key endianness in PartInfo / EstablishCredential paths and add a UPKA hardware barrier before command submission.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| fw/plat/uno/rdl/soc/dtcm_map.rdl | Shrinks per-IO DTCM scratch stride and reserves a fixed DTCM region for the device-id cert CBLOB. |
| fw/plat/uno/fw/reg/soc/src/hsm_dtcm.rs | Updates DTCM offsets/strides and exposes the new DEV_ID_CERT_BLOB region via register overlay. |
| fw/plat/uno/fw/pal/src/lib.rs | Wires in new PAL modules for device-id CBLOB and GSRAM alias access. |
| fw/plat/uno/fw/pal/src/gsram_alias.rs | Adds read-only accessors for HSP-provisioned alias key/cert in GSRAM. |
| fw/plat/uno/fw/pal/src/dev_id_cblob.rs | Adds read-only accessor for parsing the boot-time device-id cert-chain CBLOB in DTCM. |
| fw/plat/uno/fw/pal/src/cert.rs | Implements Uno HsmCertStore and on-demand deterministic PID leaf generation/signing. |
| fw/plat/uno/fw/pal/Cargo.toml | Adds dependencies needed for x509 building and CBLOB parsing. |
| fw/plat/uno/fw/drivers/upka/src/executor.rs | Replaces compiler fence with a hardware dmb barrier before UPKA submission. |
| fw/plat/uno/fw/drivers/upka/Cargo.toml | Adds cortex-m dependency for dmb(). |
| fw/plat/uno/fw/crates/cert_blob/src/lib.rs | Introduces the CBLOB container definition + parser + tests for boot-pushed device-id chain. |
| fw/plat/uno/fw/crates/cert_blob/Cargo.toml | New crate manifest for azihsm_fw_uno_cert_blob. |
| fw/plat/uno/fw/Cargo.toml | Registers the new cert_blob crate and adds workspace deps needed for it. |
| fw/core/lib/src/ddi/tbor/part_info.rs | Converts partition identity pubkey to big-endian SEC1 coordinate order for host output. |
| fw/core/lib/src/ddi/mbor/establish_credential.rs | Hashes partition pubkey in SEC1 big-endian form before POTA signature verification. |
| fw/core/ddi/tbor/types/src/part_info.rs | Updates type docs to reflect big-endian SEC1 coordinate order. |
| fw/core/crypto/x509-builder/src/lib.rs | Enables async-in-trait lint allowance and updates module/docs for the PID leaf profile. |
| fw/core/crypto/x509-builder/src/leaf_cert.rs | Replaces auto-generated leaf template with a hand-maintained single-CN PID leaf profile template. |
| fw/core/crypto/x509-builder/src/cert_builder.rs | Adds TbsSigner hook + shared signed-cert plumbing and updates leaf params for the PID profile. |
| fw/core/crypto/x509-builder/gen/src/main.rs | Adds warnings about generator overwriting the hand-maintained PID leaf template. |
Comments suppressed due to low confidence (1)
fw/plat/uno/rdl/soc/dtcm_map.rdl:16
- This DTCM layout change (1.5KB DTCM_IO_BUF stride + DEV_ID_CERT_BLOB) leaves several other in-repo memory-map comments out of sync (e.g. fw/plat/uno/fw/memory.x still documents 66KB DTCM_IO_BUF and omits DEV_ID_CERT_BLOB; fw/plat/uno/fw/pal/src/io.rs still says DTCM_IO_BUF is 2KB; fw/plat/uno/rdl/soc/uno.rdl still references the old DTCM_IO_BUF base). Updating those comments alongside this map would reduce confusion and avoid future overlap mistakes.
// 0x2002_EC00 DTCM_IO_BUF[33] (49.5 KB, per-IO NonDma scratch, 1.5 KB each)
// 0x2003_B400 DEV_ID_CERT_BLOB (16 KB, HSP-pushed device-id cert CBLOB)
// 0x2003_F400 CRASHDUMP_BASE (1024 B)
// 0x2003_F800 CORE_RUN_STATUS (4 B)
//
// memory.x should set RAM LENGTH = 187K to prevent the linker from
// placing .bss/stack into the reserved upper region.
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 17, 2026 23:35
4451b78 to
9b09d93
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 01:00
9b09d93 to
9c294b6
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 01:18
9c294b6 to
bb467c3
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 01:47
bb467c3 to
0208180
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 02:04
0208180 to
25fedba
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 02:40
25fedba to
e1a790c
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 02:57
e1a790c to
97a1b6c
Compare
Reserve the DTCM DEV_ID_CERT_BLOB region for the boot-time device-id certificate blob, add the cert_blob crate that parses it, and add the GSRAM alias key/cert reader used to sign the PID leaf.
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 04:05
97a1b6c to
aa273a5
Compare
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 04:43
aa273a5 to
f5136e8
Compare
Add a TbsSigner hook and build_leaf_cert_with_signer to the x509 builder, share the signed-cert plumbing, and collapse the leaf profiles into the single-CN AZIHSM firmware profile. Wire deterministic PID leaf generation on uno on top of this profile.
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 05:54
f5136e8 to
7f95613
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
fw/plat/uno/fw/pal/src/cert.rs:336
- Index arithmetic in DER parsing uses unchecked
+with attacker-controlled DER length fields (e.g.,oid_len,bool_len). A malformed alias certificate could make these additions overflowusizeand panic in debug builds, violating the “must not panic on any input” trust-boundary requirement. Usechecked_addto compute indices and fail closed withNoneon overflow.
// Skip past the OID TLV header + value.
let (oid_len, oid_len_bytes) = parse_der_length(der, pos + 1)?;
let idx = pos + 1 + oid_len_bytes + oid_len;
Serve the device-id chain from the boot-time DTCM CBLOB, generate the PID leaf on demand, and return matching query/copy lengths. Emit the leaf public key and the thumbprint inputs in big-endian so the leaf verifies against the alias key and the served chain thumbprint matches.
…verify verify_pota_signature's doc contract says it materializes SHA-384(0x04 || x || y) with x/y in natural big-endian (DER/X.509), matching what the host signs. But it copied part_id_pub_key raw, which is PKA-native little-endian on both PALs, so the HSM actually hashed 0x04 || x_le || y_le. The host signs over the big-endian pubkey (from the get-cert-chain leaf / openssl SEC1), so the digests differed and ecc_verify failed with EccVerifyFailed (then GetSessionEncryptionKey -> CredentialsNotEstablished). Reverse each coordinate LE->BE when building the uncompressed point, so the hash is the true SEC1 0x04 || x_be || y_be. Byte-order conversion lives in the handler (per PR #535), so this is correct for both the LE-native uno and std PALs and needs no PAL change. Fixes the get-cert-chain path (open_session / get_cert_chain); the digest reversal added in #535 was orthogonal (it reversed the hash output, not the pubkey bytes hashed inside it).
The UPKA executor issued a command by writing the descriptor (opcode + operand addresses) to descriptor memory, then writing the engine's command register to trigger the AXI read. Between the two it used a compiler_fence, which only constrains compiler ordering and emits no hardware barrier. On the Cortex-M7 the descriptor stores can still sit in the store buffer when the command-register write triggers the engine, so the engine reads stale operand addresses and raises BUS_ERROR. Single-threaded the timing hid it; under concurrent load (multiple handle_io tasks driving different engines) it surfaced as intermittent UPKA BUS_ERROR (e.g. get_cert_chain multithread tests, 5 of 7 threads). Replace the compiler_fence with cortex_m::asm::dmb(), matching every other descriptor-driven driver in this tree (sha, aes, gdma, iic, oic, ipc) — the upka driver was the only one using a bare compiler fence. Validated on the EVB: test_get_cert_chain_multithread and test_get_cert_chain_info_multithread now pass, and the single-threaded cert-chain / bring-up tests remain green.
radutta99
force-pushed
the
user/radutta/ddi-get-cert-chain
branch
from
July 18, 2026 06:06
7f95613 to
33aa2e1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings up the device-id certificate chain on the uno (Manticore) platform:
get_cert/get_cert_chain_infonow serve a full chain — device-id CA →alias → deterministically-generated PID leaf — that verifies with
openssland whose thumbprint matches the host-computed value.
This branch is rebased on latest
main(the deterministic-ECDSA-P384 work itdepended on has since merged), so the diff here is cert-chain only.
Commits
DTCM
DEV_ID_CERT_BLOBregion, add thecert_blobcrate that parses theboot-time device-id blob, and add the GSRAM alias key/cert reader.
TbsSignerhook +build_leaf_cert_with_signer, shared signed-certplumbing, and a single-CN AZIHSM firmware leaf profile.
the device-id chain from the boot-time DTCM CBLOB, generate the PID leaf on
demand, and emit the leaf pubkey / thumbprint inputs in big-endian.
fixes an intermittent UPKA
BUS_ERRORunder concurrent load.Testing
Flashed to the physical EVB and run via
azihsm_ddi_tests(nix driver,/dev/azihsm0):get_cert_chainsuite — 4/4 pass (test_get_certificate_chain,test_get_cert_chain_length_multiple_times, both*_multithread); theserved chain
openssl verifys and the leaf thumbprint matches.establish_credential/open_session/close_session/get_establish_cred_encryption_key/get_session_encryption_key— thenon-LM functional cases pass. Remaining failures are pre-existing bring-up
gaps unrelated to this change (LM-env tests, malformed-P384 negative tests,
single-winner election, est-cred nonce-on-reset).