
[dv,flash_ctrl] Fix initialization of secret pages

Open matutem opened this issue 1 year ago • 3 comments

Description

The flash_ctrl block level environment initializes pages 1, 2, and 3 with random data with scrambling and ecc configured per the update_secret_partition function at https://cs.opensource.google/opentitan/opentitan/+/master:hw/ip/flash_ctrl/dv/env/seq_lib/flash_ctrl_base_vseq.sv;drc=30d7e787c753caaa03fe68a4a70da1bbcbc1d96f;l=1452. This is done in apply_reset.

Subsequent reads will instead derive the scrambling and ecc properties from the settings applied to the CSRs. These settings can be different from the ones used in update_secret_partition, which will cause ecc errors on reads, and there are tests that show this problem. Also notice the assumption that the setting of hw_info_cfg_override, via cfg.ovrd_ecc_dis and cfg.ovrd_scr_dis, does not affect page 3. Interestingly, I have not found how these hw_info_cfg_override (or cfg.ovrd_???_dis) settings are used in DV: apparently we only use the configured per-page settings.

The question is what is the use model of these pages? Should the CSRs be set to definitive values to match initialization? Should these pages be re-initialized on reset, as they are now?

matutem avatar Apr 24 '24 16:04 matutem

@timothytrippel Can you provide some cross-references as to how these pages are being configured during provisioning?

Quick reference here:

  • page 0: manufacturing info
  • page 1: Creator secret. Configured during FT manufacturing stage. Once in the lifetime of the device.
  • page 2: Owner secret. Configured during FT manufacturing stage. At the architecture level, we also want to support updates to this page as part of ownership transfer.
  • page 3: wafer auth secret. Initialized in CP stage, consumed in FT. Configured once.
  • page 4: Attestation keygen seeds. Configured during FT manufacturing stage with entropy extracted out of CSRNG.

The scrambling, HE, and ECC settings can be taken from the provisioning config.

moidx avatar Apr 24 '24 18:04 moidx

The configurations of the above flash info pages are a bit scattered across the code base at the moment, but:

  1. the configurations of pages 0, 3, and 4 are here: https://cs.opensource.google/opentitan/opentitan/+/master:sw/device/silicon_creator/manuf/skus/earlgrey_a0/sival_bringup/flash_info_permissions.h
  2. the configurations of pages 1 and 2 are set by the testutils function: https://cs.opensource.google/opentitan/opentitan/+/master:sw/device/silicon_creator/manuf/lib/personalize.c;drc=fd80f15301a949b7a416d291c02cb4ab3240675f;l=236

timothytrippel avatar Apr 24 '24 23:04 timothytrippel

The initialization happens via flash_ctrl_mp_info_page_cfg from the given page_cfg. The caller passes mp_info_pages[bank][info_type][$] (the last dimension is the per-info-type number of pages).

The pages in question, mp_info[any][0][0..3], should have scramble_en and ecc_enable per flash_ctrl_pkg::CfgAllowRead: https://cs.opensource.google/opentitan/opentitan/+/master:hw/top_earlgrey/ip/flash_ctrl/rtl/autogen/flash_ctrl_pkg.sv;drc=30d7e787c753caaa03fe68a4a70da1bbcbc1d96f;l=237, modulated by cfg.ovrd_ecc_dis. Add this in the base randomize.

matutem avatar May 04 '24 08:05 matutem
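The failure mode the thread describes (a secret page written under one scramble/ECC setting and read back under whatever the CSRs happen to say) and the proposed remedy (one source of truth for both sides, here the equivalent of CfgAllowRead modulated by ovrd_ecc_dis) are easy to lose in the SystemVerilog plumbing. The model below is an added example, not OpenTitan DV or RTL code. It uses a SHA-256 keystream XOR as a stand-in for the flash scrambler and a Hamming SECDED over the unscrambled word as a stand-in for ECC; the ordering (check code computed before scrambling, checked after descrambling) is an assumption chosen so that a scramble mismatch surfaces as an ECC error, as the issue reports. `PageCfg`, `InfoPage`, `secret_page_cfg`, `SECRET`, `KEY` and `ADDR` are all constructed for the example and do not exist in the DV environment.

```python
# Toy model of the flash_ctrl DV init/read configuration mismatch (added example).
# Scrambling is a SHA-256 keystream XOR standing in for the RTL scrambler, and the
# check code is a Hamming SECDED over the unscrambled word standing in for the RTL
# ECC. Neither is OpenTitan's code; both are assumptions made for illustration.
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

WORD_BITS = 64
ERASED_ECC = 0xFF  # check-code field left erased (all ones) when ECC is off at program time

# Data bit i lives at Hamming position DATA_POS[i]; power-of-two positions hold check bits.
DATA_POS = [p for p in range(1, 128) if p & (p - 1)][:WORD_BITS]


@dataclass(frozen=True)
class PageCfg:
    """The two info-page properties the issue is about (constructed for the model)."""
    scramble_en: bool
    ecc_en: bool


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _check_bits(word: int) -> int:
    """7 Hamming check bits: XOR of the positions of all set data bits."""
    syn = 0
    for i, pos in enumerate(DATA_POS):
        if (word >> i) & 1:
            syn ^= pos
    return syn


def ecc_encode(word: int) -> int:
    """8-bit SECDED code: 7 check bits plus an overall parity bit in bit 7."""
    chk = _check_bits(word)
    return chk | ((_parity(word) ^ _parity(chk)) << 7)


def ecc_decode(word: int, ecc: int) -> Tuple[int, str]:
    """Return (possibly corrected word, status); status is ok/corrected/uncorrectable."""
    chk_stored, p_stored = ecc & 0x7F, (ecc >> 7) & 1
    syn = chk_stored ^ _check_bits(word)
    p_mismatch = _parity(word) ^ _parity(chk_stored) ^ p_stored
    if syn == 0:
        return word, "ok" if p_mismatch == 0 else "corrected"  # at most the parity bit flipped
    if p_mismatch == 0:
        return word, "uncorrectable"  # even number of flips: the syndrome cannot be trusted
    if syn in DATA_POS:
        return word ^ (1 << DATA_POS.index(syn)), "corrected"  # single data-bit flip
    if syn & (syn - 1) == 0:
        return word, "corrected"  # single check-bit flip, data intact
    return word, "uncorrectable"


def _keystream(key: bytes, addr: int) -> int:
    """Per-word keystream; placeholder for the RTL's address-tweaked scrambler."""
    digest = hashlib.sha256(key + addr.to_bytes(4, "little")).digest()
    return int.from_bytes(digest[:8], "little")


class InfoPage:
    """One info page: each word keeps the scramble/ECC choice made when it was programmed."""

    def __init__(self, key: bytes):
        self.key = key
        self.cells: Dict[int, Tuple[int, int]] = {}  # addr -> (stored word, stored ECC)

    def program(self, addr: int, data: int, cfg: PageCfg) -> None:
        ecc = ecc_encode(data) if cfg.ecc_en else ERASED_ECC  # code covers the plain word
        stored = data ^ _keystream(self.key, addr) if cfg.scramble_en else data
        self.cells[addr] = (stored, ecc)

    def read(self, addr: int, cfg: PageCfg) -> Tuple[int, str]:
        stored, ecc = self.cells[addr]
        data = stored ^ _keystream(self.key, addr) if cfg.scramble_en else stored
        if not cfg.ecc_en:
            return data, "ok"  # nothing checks the word, garbage passes silently
        return ecc_decode(data, ecc)


SECRET = 0x00FF_0000_0000_FF00  # constructed "secret page" word, not provisioning data
KEY = b"constructed-dv-test-key"  # constructed scrambling key
ADDR = 0x0  # word 0 of the page under test


def secret_page_cfg(ovrd_ecc_dis: bool) -> PageCfg:
    """Single source of truth used by BOTH the init and the read path: scrambling on,
    ECC on unless the override disables it. This mirrors the discipline the last
    comment proposes (CfgAllowRead modulated by ovrd_ecc_dis); it is the model's
    function, not the DV environment's."""
    return PageCfg(scramble_en=True, ecc_en=not ovrd_ecc_dis)


def run_scenarios() -> Dict[str, Tuple[int, str]]:
    """Program the word under the init-time config, then read it under several CSR configs."""
    results = {}
    page = InfoPage(KEY)
    page.program(ADDR, SECRET, secret_page_cfg(ovrd_ecc_dis=False))
    results["csr_matches_init"] = page.read(ADDR, secret_page_cfg(ovrd_ecc_dis=False))
    results["csr_scramble_off"] = page.read(ADDR, PageCfg(scramble_en=False, ecc_en=True))
    results["csr_no_checks"] = page.read(ADDR, PageCfg(scramble_en=False, ecc_en=False))
    # Init done with ECC disabled (erased check field), read back with ECC enabled.
    page_noecc = InfoPage(KEY)
    page_noecc.program(ADDR, SECRET, PageCfg(scramble_en=True, ecc_en=False))
    results["init_ecc_off_csr_ecc_on"] = page_noecc.read(ADDR, PageCfg(scramble_en=True, ecc_en=True))
    return results


if __name__ == "__main__":
    for name, (data, status) in run_scenarios().items():
        print(f"{name:26s} status={status:13s} data_ok={data == SECRET}")
```

Only the read that derives its configuration from the same function as the initialization returns the secret with status "ok". Reading with scrambling off hands back the scrambled word and the checker will usually flag it (the syndrome is that of the keystream); reading with both checks off returns garbage with no error at all, which is the silent variant a test will not catch; initializing without ECC and reading with it gives an uncorrectable error on correct data, which is the symptom the issue reports.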