Properly evaluate PL0 PAUSERs when the fw header bit is unset

Previously, if PL0 PAUSER bit was unset, all users were treated as PL0. Align with the spec and treat them all as PL1 in that case.
chipsalliance · May 23, 2024 · 8afc249 · 8afc249
1 parent 60d38f9
commit 8afc249
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/runtime/src/drivers.rs b/runtime/src/drivers.rs
@@ -590,7 +590,8 @@ impl Drivers {
     /// * `flags` - Flags from manifest header
     /// * `locality` - Caller's locality
     pub fn is_caller_pl1(pl0_pauser: u32, flags: u32, locality: u32) -> bool {
-        flags & PL0_PAUSER_FLAG == 0 && locality != pl0_pauser
+        (flags & PL0_PAUSER_FLAG == 0) // There is no PL0 PAUSER
+            || (locality != pl0_pauser) // There is a PL0 PAUSER, but it's not the current user
     }
 
     /// Get the KeyId for the RT Alias CDI

diff --git a/runtime/tests/runtime_integration_tests/test_pauser_privilege_levels.rs b/runtime/tests/runtime_integration_tests/test_pauser_privilege_levels.rs
@@ -453,3 +453,46 @@ fn test_measurement_log_pl_context_threshold() {
             == u32::from(CaliptraError::RUNTIME_PL0_USED_DPE_CONTEXT_THRESHOLD_REACHED)
     });
 }
+
+#[test]
+fn test_pl0_unset_in_header() {
+    let fuses = Fuses::default();
+    let rom = caliptra_builder::rom_for_fw_integration_tests().unwrap();
+    let mut model = caliptra_hw_model::new(BootParams {
+        init_params: InitParams {
+            rom: &rom,
+            security_state: SecurityState::from(fuses.life_cycle as u32),
+            ..Default::default()
+        },
+        fuses,
+        ..Default::default()
+    })
+    .unwrap();
+
+    let mut opts = ImageOptions::default();
+    opts.vendor_config.pl0_pauser = None;
+    let image_bundle =
+        caliptra_builder::build_and_sign_image(&FMC_WITH_UART, &APP_WITH_UART, opts).unwrap();
+
+    model
+        .upload_firmware(&image_bundle.to_bytes().unwrap())
+        .unwrap();
+
+    model.step_until(|m| {
+        m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
+    });
+
+    // If PL0 PAUSER is unset, make sure PL0-only operation fails
+    let certify_key_cmd = CertifyKeyCmd {
+        handle: ContextHandle::default(),
+        label: TEST_LABEL,
+        flags: CertifyKeyFlags::empty(),
+        format: CertifyKeyCmd::FORMAT_X509,
+    };
+    let resp = execute_dpe_cmd(
+        &mut model,
+        &mut Command::CertifyKey(certify_key_cmd),
+        DpeResult::MboxCmdFailure(CaliptraError::RUNTIME_INCORRECT_PAUSER_PRIVILEGE_LEVEL),
+    );
+    assert!(resp.is_none());
+}