runtime: Aesthetic enhancement using ok_or when decoding mb input
Instead of having the bulk of the mailbox execution code indented below
an `if let Some(...) else Err(CaliptraError::...)` statement, use
`.ok_or(CaliptraError::...)?` to reduce indentation.

Signed-off-by: Arthur Heymans <[email protected]>
ArthurHeymans authored and jhand2 committed Aug 12, 2024
1 parent 51ff0a8 commit 974f7ef
Showing 4 changed files with 255 additions and 267 deletions.
132 changes: 65 additions & 67 deletions runtime/src/certify_key_extended.rs
@@ -34,78 +34,76 @@ use crate::{
pub struct CertifyKeyExtendedCmd;
impl CertifyKeyExtendedCmd {
pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult<MailboxResp> {
if let Some(cmd) = CertifyKeyExtendedReq::read_from(cmd_args) {
let hashed_rt_pub_key = drivers.compute_rt_alias_sn()?;
let key_id_rt_cdi = Drivers::get_key_id_rt_cdi(drivers)?;
let key_id_rt_priv_key = Drivers::get_key_id_rt_priv_key(drivers)?;
let pdata = drivers.persistent_data.get_mut();
let crypto = DpeCrypto::new(
&mut drivers.sha384,
&mut drivers.trng,
&mut drivers.ecc384,
&mut drivers.hmac384,
&mut drivers.key_vault,
&mut pdata.fht.rt_dice_pub_key,
key_id_rt_cdi,
key_id_rt_priv_key,
);
let pl0_pauser = pdata.manifest1.header.pl0_pauser;
let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
// Populate the otherName only if requested and provided by ADD_SUBJECT_ALT_NAME
let dmtf_device_info = if cmd.flags.contains(CertifyKeyExtendedFlags::DMTF_OTHER_NAME) {
drivers
.dmtf_device_info
.as_ref()
.map(|dmtf_device_info| dmtf_device_info.as_bytes())
} else {
None
};
let mut env = DpeEnv::<CptraDpeTypes> {
crypto,
platform: DpePlatform::new(
pl0_pauser,
&hashed_rt_pub_key,
&drivers.cert_chain,
&nb,
&nf,
dmtf_device_info,
),
};
let cmd = CertifyKeyExtendedReq::read_from(cmd_args)
.ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?;
let hashed_rt_pub_key = drivers.compute_rt_alias_sn()?;
let key_id_rt_cdi = Drivers::get_key_id_rt_cdi(drivers)?;
let key_id_rt_priv_key = Drivers::get_key_id_rt_priv_key(drivers)?;
let pdata = drivers.persistent_data.get_mut();
let crypto = DpeCrypto::new(
&mut drivers.sha384,
&mut drivers.trng,
&mut drivers.ecc384,
&mut drivers.hmac384,
&mut drivers.key_vault,
&mut pdata.fht.rt_dice_pub_key,
key_id_rt_cdi,
key_id_rt_priv_key,
);
let pl0_pauser = pdata.manifest1.header.pl0_pauser;
let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
// Populate the otherName only if requested and provided by ADD_SUBJECT_ALT_NAME
let dmtf_device_info = if cmd.flags.contains(CertifyKeyExtendedFlags::DMTF_OTHER_NAME) {
drivers
.dmtf_device_info
.as_ref()
.map(|dmtf_device_info| dmtf_device_info.as_bytes())
} else {
None
};
let mut env = DpeEnv::<CptraDpeTypes> {
crypto,
platform: DpePlatform::new(
pl0_pauser,
&hashed_rt_pub_key,
&drivers.cert_chain,
&nb,
&nf,
dmtf_device_info,
),
};

let locality = drivers.mbox.user();
// Cannot call CERTIFY_KEY_EXTENDED from PL1
if Drivers::is_caller_pl1(pl0_pauser, pdata.manifest1.header.flags, locality) {
return Err(CaliptraError::RUNTIME_INCORRECT_PAUSER_PRIVILEGE_LEVEL);
}
let locality = drivers.mbox.user();
// Cannot call CERTIFY_KEY_EXTENDED from PL1
if Drivers::is_caller_pl1(pl0_pauser, pdata.manifest1.header.flags, locality) {
return Err(CaliptraError::RUNTIME_INCORRECT_PAUSER_PRIVILEGE_LEVEL);
}

let mut dpe = &mut pdata.dpe;
let certify_key_cmd = CertifyKeyCmd::read_from(&cmd.certify_key_req[..])
.ok_or(CaliptraError::RUNTIME_DPE_COMMAND_DESERIALIZATION_FAILED)?;
let resp = certify_key_cmd.execute(dpe, &mut env, locality);
let mut dpe = &mut pdata.dpe;
let certify_key_cmd = CertifyKeyCmd::read_from(&cmd.certify_key_req[..])
.ok_or(CaliptraError::RUNTIME_DPE_COMMAND_DESERIALIZATION_FAILED)?;
let resp = certify_key_cmd.execute(dpe, &mut env, locality);

let certify_key_resp = match resp {
Ok(Response::CertifyKey(certify_key_resp)) => certify_key_resp,
Ok(_) => return Err(CaliptraError::RUNTIME_CERTIFY_KEY_EXTENDED_FAILED),
Err(e) => {
// If there is extended error info, populate CPTRA_FW_EXTENDED_ERROR_INFO
if let Some(ext_err) = e.get_error_detail() {
drivers.soc_ifc.set_fw_extended_error(ext_err);
}
return Err(CaliptraError::RUNTIME_CERTIFY_KEY_EXTENDED_FAILED);
let certify_key_resp = match resp {
Ok(Response::CertifyKey(certify_key_resp)) => certify_key_resp,
Ok(_) => return Err(CaliptraError::RUNTIME_CERTIFY_KEY_EXTENDED_FAILED),
Err(e) => {
// If there is extended error info, populate CPTRA_FW_EXTENDED_ERROR_INFO
if let Some(ext_err) = e.get_error_detail() {
drivers.soc_ifc.set_fw_extended_error(ext_err);
}
};
return Err(CaliptraError::RUNTIME_CERTIFY_KEY_EXTENDED_FAILED);
}
};

let certify_key_extended_resp = CertifyKeyExtendedResp {
hdr: MailboxRespHeader::default(),
certify_key_resp: certify_key_resp
.as_bytes()
.try_into()
.map_err(|_| CaliptraError::RUNTIME_DPE_RESPONSE_SERIALIZATION_FAILED)?,
};
let certify_key_extended_resp = CertifyKeyExtendedResp {
hdr: MailboxRespHeader::default(),
certify_key_resp: certify_key_resp
.as_bytes()
.try_into()
.map_err(|_| CaliptraError::RUNTIME_DPE_RESPONSE_SERIALIZATION_FAILED)?,
};

Ok(MailboxResp::CertifyKeyExtended(certify_key_extended_resp))
} else {
Err(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)
}
Ok(MailboxResp::CertifyKeyExtended(certify_key_extended_resp))
}
}
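Review bot: The new `.ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?` on `CertifyKeyExtendedReq::read_from(cmd_args)` still reports a request that fails to parse as a memory shortage, while the second `read_from` in the same function maps the same kind of failure to `RUNTIME_DPE_COMMAND_DESERIALIZATION_FAILED`. `cmd_args` comes from the mailbox caller, so a `None` here most likely means a wrongly sized or malformed request, and the code returned will point triage at the wrong cause. Now that the mapping sits on one line, either switch to a dedicated invalid-request error or at least add a comment such as `// read_from returns None when cmd_args does not match the request layout; error code kept for compatibility`. The same line appears in `StashMeasurementCmd::execute` in runtime/src/stash_measurement.rs.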
140 changes: 69 additions & 71 deletions runtime/src/stash_measurement.rs
@@ -32,83 +32,81 @@ impl StashMeasurementCmd {
#[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
#[inline(never)]
pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult<MailboxResp> {
if let Some(cmd) = StashMeasurementReq::read_from(cmd_args) {
let dpe_result = {
let hashed_rt_pub_key = drivers.compute_rt_alias_sn()?;
let key_id_rt_cdi = Drivers::get_key_id_rt_cdi(drivers)?;
let key_id_rt_priv_key = Drivers::get_key_id_rt_priv_key(drivers)?;
let pdata = drivers.persistent_data.get_mut();
let mut crypto = DpeCrypto::new(
&mut drivers.sha384,
&mut drivers.trng,
&mut drivers.ecc384,
&mut drivers.hmac384,
&mut drivers.key_vault,
&mut pdata.fht.rt_dice_pub_key,
key_id_rt_cdi,
key_id_rt_priv_key,
);
let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
let mut env = DpeEnv::<CptraDpeTypes> {
crypto,
platform: DpePlatform::new(
pdata.manifest1.header.pl0_pauser,
&hashed_rt_pub_key,
&drivers.cert_chain,
&nb,
&nf,
None,
),
};
let cmd = StashMeasurementReq::read_from(cmd_args)
.ok_or(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)?;
let dpe_result = {
let hashed_rt_pub_key = drivers.compute_rt_alias_sn()?;
let key_id_rt_cdi = Drivers::get_key_id_rt_cdi(drivers)?;
let key_id_rt_priv_key = Drivers::get_key_id_rt_priv_key(drivers)?;
let pdata = drivers.persistent_data.get_mut();
let mut crypto = DpeCrypto::new(
&mut drivers.sha384,
&mut drivers.trng,
&mut drivers.ecc384,
&mut drivers.hmac384,
&mut drivers.key_vault,
&mut pdata.fht.rt_dice_pub_key,
key_id_rt_cdi,
key_id_rt_priv_key,
);
let (nb, nf) = Drivers::get_cert_validity_info(&pdata.manifest1);
let mut env = DpeEnv::<CptraDpeTypes> {
crypto,
platform: DpePlatform::new(
pdata.manifest1.header.pl0_pauser,
&hashed_rt_pub_key,
&drivers.cert_chain,
&nb,
&nf,
None,
),
};

let pl0_pauser = pdata.manifest1.header.pl0_pauser;
let flags = pdata.manifest1.header.flags;
let locality = drivers.mbox.user();
// Check that adding this measurement to DPE doesn't cause
// the PL0 context threshold to be exceeded.
Drivers::is_dpe_context_threshold_exceeded(
pl0_pauser, flags, locality, &pdata.dpe, false,
)?;
// let pdata_mut = drivers.persistent_data.get_mut();
let derive_context_resp = DeriveContextCmd {
handle: ContextHandle::default(),
data: cmd.measurement,
flags: DeriveContextFlags::MAKE_DEFAULT
| DeriveContextFlags::CHANGE_LOCALITY
| DeriveContextFlags::INPUT_ALLOW_CA
| DeriveContextFlags::INPUT_ALLOW_X509,
tci_type: u32::from_be_bytes(cmd.metadata),
target_locality: locality,
}
.execute(&mut pdata.dpe, &mut env, locality);
let pl0_pauser = pdata.manifest1.header.pl0_pauser;
let flags = pdata.manifest1.header.flags;
let locality = drivers.mbox.user();
// Check that adding this measurement to DPE doesn't cause
// the PL0 context threshold to be exceeded.
Drivers::is_dpe_context_threshold_exceeded(
pl0_pauser, flags, locality, &pdata.dpe, false,
)?;
// let pdata_mut = drivers.persistent_data.get_mut();
let derive_context_resp = DeriveContextCmd {
handle: ContextHandle::default(),
data: cmd.measurement,
flags: DeriveContextFlags::MAKE_DEFAULT
| DeriveContextFlags::CHANGE_LOCALITY
| DeriveContextFlags::INPUT_ALLOW_CA
| DeriveContextFlags::INPUT_ALLOW_X509,
tci_type: u32::from_be_bytes(cmd.metadata),
target_locality: locality,
}
.execute(&mut pdata.dpe, &mut env, locality);

match derive_context_resp {
Ok(_) => DpeErrorCode::NoError,
Err(e) => {
// If there is extended error info, populate CPTRA_FW_EXTENDED_ERROR_INFO
if let Some(ext_err) = e.get_error_detail() {
drivers.soc_ifc.set_fw_extended_error(ext_err);
}
e
match derive_context_resp {
Ok(_) => DpeErrorCode::NoError,
Err(e) => {
// If there is extended error info, populate CPTRA_FW_EXTENDED_ERROR_INFO
if let Some(ext_err) = e.get_error_detail() {
drivers.soc_ifc.set_fw_extended_error(ext_err);
}
e
}
};

if let DpeErrorCode::NoError = dpe_result {
// Extend the measurement into PCR31
drivers.pcr_bank.extend_pcr(
PCR_ID_STASH_MEASUREMENT,
&mut drivers.sha384,
cmd.measurement.as_bytes(),
)?;
}
};

Ok(MailboxResp::StashMeasurement(StashMeasurementResp {
hdr: MailboxRespHeader::default(),
dpe_result: dpe_result.get_error_code(),
}))
} else {
Err(CaliptraError::RUNTIME_INSUFFICIENT_MEMORY)
if let DpeErrorCode::NoError = dpe_result {
// Extend the measurement into PCR31
drivers.pcr_bank.extend_pcr(
PCR_ID_STASH_MEASUREMENT,
&mut drivers.sha384,
cmd.measurement.as_bytes(),
)?;
}

Ok(MailboxResp::StashMeasurement(StashMeasurementResp {
hdr: MailboxRespHeader::default(),
dpe_result: dpe_result.get_error_code(),
}))
}
}
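Review bot: In `StashMeasurementCmd::execute` the `DeriveContextCmd` has already run against `&mut pdata.dpe` by the time `drivers.pcr_bank.extend_pcr(...)?` is reached, so an error from `extend_pcr` returns early with the measurement recorded in DPE but not in PCR31. Whether `extend_pcr` can fail in practice is not visible in this hunk, but if it can, the two attestation views diverge and the caller receives only the propagated error. I would document the ordering at the call, e.g. `// DPE already holds this measurement; an extend_pcr error leaves PCR31 without it`, or decide explicitly which store is updated first.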