[sival] Add a few crypto/boot services test refs to testplan.

Also remove one reference to a KMAC crypto test that doesn't actually cover the test point, and make a small adjustment to the boot services test so that it covers all key manager stages. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit 886c368)
lowRISC · Nov 19, 2024 · 59f886e · 59f886e
1 parent c5984f8
commit 59f886e
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 7 deletions.
diff --git a/hw/top_earlgrey/data/ip/chip_keymgr_testplan.hjson b/hw/top_earlgrey/data/ip/chip_keymgr_testplan.hjson
@@ -98,7 +98,10 @@
       si_stage: SV3
       lc_states: ["PROD"]
       tests: ["chip_sw_keymgr_sideload_kmac"]
-      bazel: ["//sw/device/tests:keymgr_sideload_kmac_test"]
+      bazel: [
+        "//sw/device/tests:keymgr_sideload_kmac_test",
+        "//sw/device/tests/crypto:kmac_sideload_functest",
+      ]
     }
     {
       name: chip_sw_keymgr_sideload_aes
@@ -134,6 +137,8 @@
       bazel: [
         "//sw/device/tests/crypto:ecdh_p256_sideload_functest",
         "//sw/device/tests/crypto:ecdsa_p256_sideload_functest",
+        "//sw/device/tests/crypto:ecdh_p384_sideload_functest",
+        "//sw/device/tests/crypto:ecdsa_p384_sideload_functest",
       ]
     }
     {
@@ -142,7 +147,6 @@
 
             - For each keymgr operational state: `CreatorRootKey`, `OwnerIntKey` and `OwnerKey`:
               - Generate identity SW output for the Attestation CDI.
-              - Generate SW output for the Attestation CDI.
               - Generate OTBN sideload output for the Attestation CDI.
             - Ensure that the key output changes after calculating the previous steps after a
               keymgr advance operation.
@@ -170,7 +174,10 @@
             si_stage: SV2
             lc_states: ["PROD"]
             tests: []
-            bazel: []
+            bazel: [
+              // Covers all points in the test except for the software binding registers.
+              "//sw/device/silicon_creator/lib:otbn_boot_services_functest",
+            ]
     }
     {
       name: chip_sw_keymgr_derive_sealing

diff --git a/hw/top_earlgrey/data/ip/chip_kmac_testplan.hjson b/hw/top_earlgrey/data/ip/chip_kmac_testplan.hjson
@@ -277,7 +277,7 @@
       si_stage: SV3
       lc_states: ["PROD"]
       tests: []
-      bazel: ["//sw/device/tests/crypto:kmac_functest_hardcoded"]
+      bazel: []
     }
     {
       name: chip_sw_kmac_error_conditions

diff --git a/sw/device/silicon_creator/lib/otbn_boot_services_functest.c b/sw/device/silicon_creator/lib/otbn_boot_services_functest.c
@@ -20,6 +20,9 @@ OTTF_DEFINE_TEST_CONFIG();
 // Keymgr handle for this test.
 static dif_keymgr_t keymgr;
 
+// Global variable holding the number of times we advanced keymgr after startup.
+size_t num_keymgr_advances = 0;
+
 // Message value for signature generation/verification tests.
 const char kTestMessage[] = "Test message.";
 const size_t kTestMessageLen = sizeof(kTestMessage) - 1;
@@ -131,9 +134,19 @@ rom_error_t attestation_advance_and_endorse_test(void) {
                                                  kDiversification));
 
   // Advance keymgr to the next stage.
-  CHECK_STATUS_OK(
-      keymgr_testutils_check_state(&keymgr, kDifKeymgrStateCreatorRootKey));
-  CHECK_STATUS_OK(keymgr_testutils_advance_state(&keymgr, &kOwnerIntParams));
+  if (num_keymgr_advances == 0) {
+    CHECK_STATUS_OK(
+        keymgr_testutils_check_state(&keymgr, kDifKeymgrStateCreatorRootKey));
+    CHECK_STATUS_OK(keymgr_testutils_advance_state(&keymgr, &kOwnerIntParams));
+    num_keymgr_advances++;
+  } else {
+    CHECK(num_keymgr_advances == 1);
+    CHECK_STATUS_OK(keymgr_testutils_check_state(
+        &keymgr, kDifKeymgrStateOwnerIntermediateKey));
+    CHECK_STATUS_OK(
+        keymgr_testutils_advance_state(&keymgr, &kOwnerRootKeyParams));
+    num_keymgr_advances++;
+  }
 
   // Run endorsement (should overwrite the key with randomness when done).
   hmac_digest_t digest;
@@ -154,6 +167,14 @@ rom_error_t attestation_advance_and_endorse_test(void) {
   RETURN_IF_ERROR(otbn_boot_sigverify(&pk, &sig, &digest, recovered_r));
   CHECK_ARRAYS_NE(recovered_r, sig.r, ARRAYSIZE(sig.r));
 
+  // Check that generating a new key with the same diversification as before
+  // now gets a different public key because keymgr has advanced.
+  ecdsa_p256_public_key_t pk_adv;
+  RETURN_IF_ERROR(otbn_boot_attestation_keygen(kFlashInfoFieldUdsKeySeedIdx,
+                                               kScKeymgrKeyTypeAttestation,
+                                               kDiversification, &pk_adv));
+  CHECK_ARRAYS_NE((unsigned char *)&pk, (unsigned char *)&pk_adv, sizeof(pk));
+
   return kErrorOk;
 }
 
@@ -231,6 +252,8 @@ bool test_main(void) {
   EXECUTE_TEST(result, sigverify_test);
   EXECUTE_TEST(result, attestation_keygen_test);
   EXECUTE_TEST(result, attestation_advance_and_endorse_test);
+  EXECUTE_TEST(result, attestation_keygen_test);
+  EXECUTE_TEST(result, attestation_advance_and_endorse_test);
   EXECUTE_TEST(result, attestation_save_clear_key_test);
 
   return status_ok(result);