DPE: Do not use DPE_ROT_LAYER_IDX for creating certificate
Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Ibfed56bdec2e338a5fe1f0a2266d146ab7cf919c
diff --git a/partitions/dice_protection_environment/dpe_certificate.c b/partitions/dice_protection_environment/dpe_certificate.c
index 629f1cf..956119f 100644
--- a/partitions/dice_protection_environment/dpe_certificate.c
+++ b/partitions/dice_protection_environment/dpe_certificate.c
@@ -372,13 +372,13 @@
}
static dpe_error_t add_issuer_claim(QCBOREncodeContext *cbor_enc_ctx,
- uint16_t layer_idx,
+ const struct layer_context_t *layer_ctx,
psa_key_id_t root_attest_key_id,
const struct layer_context_t *parent_layer_ctx)
{
uint8_t rot_cdi_id[DICE_ID_SIZE];
- if (layer_idx == DPE_ROT_LAYER_IDX) {
+ if (layer_ctx->is_rot_layer) {
/* For the RoT layer, issuer id is derived from the root attestation key */
if (derive_cdi_id(root_attest_key_id, rot_cdi_id,
sizeof(rot_cdi_id)) != PSA_SUCCESS) {
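Review bot: `layer_ctx->is_rot_layer` now decides the issuer id here and the signing key in the `@@ -421,7 +421,7 @@` hunk, so a writable per-layer field replaces a comparison against a constant in a trust decision. Nothing in the visible lines stops a second layer from carrying the flag, and such a layer would get a certificate issued under the key returned by `dpe_plat_get_root_attest_key_id()`. If the RoT layer is still always the one at `DPE_ROT_LAYER_IDX`, a debug check in the context manager before the certificate is encoded would catch a stray flag, for example `assert(layer_ctx->is_rot_layer == (layer_idx == DPE_ROT_LAYER_IDX));` or the project's equivalent. The body of `add_issuer_claim` continues past the end of this hunk, so the non-RoT branch was not reviewed.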
@@ -421,7 +421,7 @@
/* The RoT layer certificate is signed by the provisioned attestation key,
* all other layers are signed by the parent layer's attestation key.
*/
- if (layer_idx == DPE_ROT_LAYER_IDX) {
+ if (layer_ctx->is_rot_layer) {
attest_key_id = dpe_plat_get_root_attest_key_id();
} else {
attest_key_id = parent_layer_ctx->data.attest_key_id;
@@ -439,7 +439,7 @@
/* Add all the required claims */
/* Add issuer/authority claim */
- err = add_issuer_claim(cbor_enc_ctx, layer_idx, attest_key_id, parent_layer_ctx);
+ err = add_issuer_claim(cbor_enc_ctx, layer_ctx, attest_key_id, parent_layer_ctx);
if (err != DPE_NO_ERROR) {
return err;
}
diff --git a/partitions/dice_protection_environment/dpe_context_mngr.c b/partitions/dice_protection_environment/dpe_context_mngr.c
index 13a3719..ebed284 100644
--- a/partitions/dice_protection_environment/dpe_context_mngr.c
+++ b/partitions/dice_protection_environment/dpe_context_mngr.c
@@ -84,6 +84,7 @@
layer_ctx_array[i].state = LAYER_STATE_CLOSED;
layer_ctx_array[i].parent_layer_idx = INVALID_LAYER_IDX;
layer_ctx_array[i].is_cdi_to_be_exported = false;
+ layer_ctx_array[i].is_rot_layer = false;
layer_ctx_array[i].cert_id = DPE_CERT_ID_INVALID;
(void)memset(&layer_ctx_array[i].attest_cdi_hash_input, 0,
sizeof(layer_ctx_array[i].attest_cdi_hash_input));
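Review bot: It is not visible whether this reset of `is_rot_layer` can run again after `rot_layer_ctx->is_rot_layer = true;` in the `@@ -461,6 +462,7 @@` hunk, because the enclosing function starts outside this hunk. If it can (for instance on a re-initialisation path), the RoT layer would afterwards take the non-RoT branches: it would be signed with `parent_layer_ctx->data.attest_key_id`, and the CDI derivation guarded in the `@@ -303,7 +304,7 @@` hunk would run for it. Please confirm the ordering and record it next to the assignment, e.g. `/* cleared for every layer; set again for the RoT layer when the RoT context is initialised */`.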
@@ -303,7 +304,7 @@
parent_layer_ctx = &layer_ctx_array[parent_layer_idx];
/* For RoT Layer, CDI and issuer seed values are calculated by BL1_1 */
- if ((layer_idx != DPE_ROT_LAYER_IDX) &&
+ if ((!layer_ctx->is_rot_layer) &&
(!layer_ctx->is_external_pub_key_provided)) {
/* Except for RoT Layer with no external public key supplied */
@@ -461,6 +462,7 @@
struct component_context_t *rot_comp_ctx = &component_ctx_array[0];
struct layer_context_t *rot_layer_ctx = &layer_ctx_array[DPE_ROT_LAYER_IDX];
+ rot_layer_ctx->is_rot_layer = true;
/* Parent layer for RoT context's layer is same */
rot_layer_ctx->parent_layer_idx = DPE_ROT_LAYER_IDX;
diff --git a/partitions/dice_protection_environment/dpe_context_mngr.h b/partitions/dice_protection_environment/dpe_context_mngr.h
index edcc9f3..544f519 100644
--- a/partitions/dice_protection_environment/dpe_context_mngr.h
+++ b/partitions/dice_protection_environment/dpe_context_mngr.h
@@ -99,6 +99,7 @@
enum layer_state_t state;
bool is_external_pub_key_provided;
bool is_cdi_to_be_exported;
+ bool is_rot_layer;
uint32_t cert_id;
};
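Review bot: The new `is_rot_layer` member has no comment, although the other hunks use it to choose the certificate signing key and to skip CDI derivation. A short comment would make the contract explicit for later changes that touch `struct layer_context_t`, for example `bool is_rot_layer; /* true only for the platform RoT layer; its certificate is signed by the root attestation key */`. The struct definition begins outside this hunk, so whether neighbouring members are documented in the same style could not be checked.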