Caliptra IDEVID Certificate Signing Request
ChiaweiWang3
177 views
9 slides
Aug 26, 2024
Slide 1 of 9
1
2
3
4
5
6
7
8
9
About This Presentation
Introduction of Caliptra IDEVID CSR generation.
Slide Content
Caliptra1.0 –IDEVID CSR
Chiawei, Wang
2024/06/04
Chiawei, Wang
2024/06/04
●Initial Device Identifier
○IDEVID certificate
●IDEVID Certificate Signing Request
○To-Be-Signed construction
●IDEVID Certificate Reconstruction
Table of Content
○IDEVID certificate
●IDEVID Certificate Signing Request
○To-Be-Signed construction
●IDEVID Certificate Reconstruction
Table of Content
●Per-deviceunique asymmetric ECDSA384 key pair
○Endorse next level Local Device Identifier (LDEVID)
○Sign measurements for the device attestation
●Generated by per-device unique UDS
○FUSE_UDS_SEED
○https://github.com/chipsalliance/Caliptra/blob/main/doc/Caliptra.md#uds
○https://chipsalliance.github.io/caliptra-rtl/main/external-
regs/?p=caliptra_top_reg.generic_and_fuse_reg.fuse_uds_seed%5B0%5D
Initial Device Identifier (IDEVID)
○Endorse next level Local Device Identifier (LDEVID)
○Sign measurements for the device attestation
●Generated by per-device unique UDS
○FUSE_UDS_SEED
○https://github.com/chipsalliance/Caliptra/blob/main/doc/Caliptra.md#uds
○https://chipsalliance.github.io/caliptra-rtl/main/external-
regs/?p=caliptra_top_reg.generic_and_fuse_reg.fuse_uds_seed%5B0%5D
Initial Device Identifier (IDEVID)
●Certificate is composed by an identity, a public key, and a signature
○Identity refers to the owner of the public key
○Signature endorses the validity of the identity and the belonging public key
●IDEVID certificatesis signedduring the manufacturing process
○Prove a key pair belongs to one corresponding, unique device chip
●Terminology
○DER –A binary encoding format for ANS.1 document
IDEVID Certificate
○Identity refers to the owner of the public key
○Signature endorses the validity of the identity and the belonging public key
●IDEVID certificatesis signedduring the manufacturing process
○Prove a key pair belongs to one corresponding, unique device chip
●Terminology
○DER –A binary encoding format for ANS.1 document
IDEVID Certificate
●CSR is generated by Caliptraif requested
○CPTRA_DBG_MANUF_SERVICE_REG[0] = 0’b1
○SoC reads the CSR via mailbox
●CSR is composed by
○DER_SEQ (0x30) || LEN (0x82 0xHH 0xHH) || TBS.der|| OID.der|| Signature.der
○OID: constant defined in Caliptrasource
○Signature: ECDSA384 signature of TBS.der
IDEVID Certificate Signing Request (CSR)
○CPTRA_DBG_MANUF_SERVICE_REG[0] = 0’b1
○SoC reads the CSR via mailbox
●CSR is composed by
○DER_SEQ (0x30) || LEN (0x82 0xHH 0xHH) || TBS.der|| OID.der|| Signature.der
○OID: constant defined in Caliptrasource
○Signature: ECDSA384 signature of TBS.der
IDEVID Certificate Signing Request (CSR)
●https://certlogik.com/decoder/
●-----BEGIN CERTIFICATE REQUEST-----
MIIBuDCCAT4CAQAwaTEcMBoGA1UEAwwTQ2FsaXB0cmEgMS4wIElEZXZJRDFJMEcG
A1UEBRNAMjdCODhBQUNGNDI3NEJBNEE2NTA5MEYyQzkxNDM4MjBERkMwNjA0NDEw
NEJGMEI2QzkxNTQzRDJCNThCNDBGNzB2MBAGByqGSM49AgEGBSuBBAAiA2IABJGr
CEdkkFkeeI5U+dmTeaUUtk6YzhGHPAzgiY+vPKKiTVDbOXtNm4aDrglE+/K0yUvV
ptBsRubEDMujZ5LTDpcY5b+jCfgak0uiKmDSbBFPUbdS3zllEsq1FLe0pZg2B6BW
MFQGCSqGSIb3DQEJDjFHMEUwEgYDVR0TAQH/BAgwBgEB/wIBBTAOBgNVHQ8BAf8E
BAMCAgQwHwYGZ4EFBQQEBBUwEwQRAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0E
AwMDaAAwZQIxAN7Ntf7b6ZqNPP01vQQmqWZGDNPEZaDFeNAjn4EFgYJgWubO2nN3
aXpzCSWbUNLjHQIwFnDobcUAL2t/08F7sQB0D+B1cENtetQCYJh6gpqK+odUuRC6
pG3GdO3VFKIqJiqP
-----END CERTIFICATE REQUEST-----
IDEVID CSR Example
●-----BEGIN CERTIFICATE REQUEST-----
MIIBuDCCAT4CAQAwaTEcMBoGA1UEAwwTQ2FsaXB0cmEgMS4wIElEZXZJRDFJMEcG
A1UEBRNAMjdCODhBQUNGNDI3NEJBNEE2NTA5MEYyQzkxNDM4MjBERkMwNjA0NDEw
NEJGMEI2QzkxNTQzRDJCNThCNDBGNzB2MBAGByqGSM49AgEGBSuBBAAiA2IABJGr
CEdkkFkeeI5U+dmTeaUUtk6YzhGHPAzgiY+vPKKiTVDbOXtNm4aDrglE+/K0yUvV
ptBsRubEDMujZ5LTDpcY5b+jCfgak0uiKmDSbBFPUbdS3zllEsq1FLe0pZg2B6BW
MFQGCSqGSIb3DQEJDjFHMEUwEgYDVR0TAQH/BAgwBgEB/wIBBTAOBgNVHQ8BAf8E
BAMCAgQwHwYGZ4EFBQQEBBUwEwQRAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0E
AwMDaAAwZQIxAN7Ntf7b6ZqNPP01vQQmqWZGDNPEZaDFeNAjn4EFgYJgWubO2nN3
aXpzCSWbUNLjHQIwFnDobcUAL2t/08F7sQB0D+B1cENtetQCYJh6gpqK+odUuRC6
pG3GdO3VFKIqJiqP
-----END CERTIFICATE REQUEST-----
IDEVID CSR Example
●https://the-x.cn/en-US/encodings/Asn1.aspx
●30 82 01 3e 02 01 00 30 69 31 1c 30 1a 06 03 55 04 03 0c 13 43 61 6c 69 70 74 72 61 20 31 2e 30 20 49 44 65 76
49 44 31 49 30 47 06 03 55 04 05 13 40 5f 5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f30 76 30 10 06 07 2a 86 48 ce3d 02 01 06 05 2b 81 04 00 22 03 62 00 5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5fa0 56 30 54 06 09 2a 86 48 86 f7 0d 01 09 0e 31 47 30 45 30 12 06 03 55 1d
13 01 01 ff 04 08 30 06 01 01 ff 02 01 05 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 02 04 30 1f 06 06 67 81 05
05 04 04 04 15 30 13 04 11 5f 5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
●Those in color will be overwritten with real value during CSR generation
To-Be-Signed Template (TBS)
●Subject SN
●Public Key
●UEID
●30 82 01 3e 02 01 00 30 69 31 1c 30 1a 06 03 55 04 03 0c 13 43 61 6c 69 70 74 72 61 20 31 2e 30 20 49 44 65 76
49 44 31 49 30 47 06 03 55 04 05 13 40 5f 5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f30 76 30 10 06 07 2a 86 48 ce3d 02 01 06 05 2b 81 04 00 22 03 62 00 5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5fa0 56 30 54 06 09 2a 86 48 86 f7 0d 01 09 0e 31 47 30 45 30 12 06 03 55 1d
13 01 01 ff 04 08 30 06 01 01 ff 02 01 05 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 02 04 30 1f 06 06 67 81 05
05 04 04 04 15 30 13 04 11 5f 5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
●Those in color will be overwritten with real value during CSR generation
To-Be-Signed Template (TBS)
●Subject SN
●Public Key
●UEID
●Subject Serial Number
○SHA256(ECDSA384_PubKey.der)
●Unique Endpoint Identifier
○Constructed from FUSE_IDEVID_CERT_ATTR (SoC OTP)
○UEID[17]= [
UeidType||
ManufactureSerialNumber1 ||
ManufactureSerialNumber2 ||
ManufactureSerialNumber3 ||
ManufactureSerialNumber4
]
○UEID type –https://www.ietf.org/archive/id/draft-ietf-rats-eat-21.html#section-4.2.1.1
TBS Construction
○SHA256(ECDSA384_PubKey.der)
●Unique Endpoint Identifier
○Constructed from FUSE_IDEVID_CERT_ATTR (SoC OTP)
○UEID[17]= [
UeidType||
ManufactureSerialNumber1 ||
ManufactureSerialNumber2 ||
ManufactureSerialNumber3 ||
ManufactureSerialNumber4
]
○UEID type –https://www.ietf.org/archive/id/draft-ietf-rats-eat-21.html#section-4.2.1.1
TBS Construction
●Flags –Subject Key Identifier algorithm
○0 →KeyID= SHA1(ECDSA384_PubKey.der)
○1 →KeyID= SHA256(ECDSA384_PubKey.der)
○2 →KeyID= SHA384(ECDSA384_PubKey.der)
○3 →From FUSE_IDEVID_CERT_ATTR.SubjectKeyIDn
FUSE_IDEVID_CERT_ATTR Cont.
○0 →KeyID= SHA1(ECDSA384_PubKey.der)
○1 →KeyID= SHA256(ECDSA384_PubKey.der)
○2 →KeyID= SHA384(ECDSA384_PubKey.der)
○3 →From FUSE_IDEVID_CERT_ATTR.SubjectKeyIDn
FUSE_IDEVID_CERT_ATTR Cont.
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 177
- Slides 9
- Age 485 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
45 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
52 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
44 views
14
Fertility awareness methods for women in the society
Isaiah47
43 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
44 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
42 views