Update hal_dice_update_cdi

yosuke-wolfssl · yosuke-wolfssl · commit ca08164b0cec · 2026-04-28T10:41:13.000+09:00
diff --git a/arch.mk b/arch.mk
@@ -875,7 +875,8 @@ ifeq ($(TARGET),mcxn)
       -I$(ELS_PKC)/src/platforms/mcxn/inc
     OBJS+=\
       $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_Common.o \
-      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_Kdf.o
+      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_Kdf.o \
+      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_KeyManagement.o
   endif
 endif
 
diff --git a/hal/mcxn.c b/hal/mcxn.c
@@ -46,6 +46,7 @@
 #include "mcuxClEls_Ecc.h"
 #include "mcuxClEls_KeyManagement.h"
 #include "mcuxCsslFlowProtection.h"
+#include <wolfssl/wolfcrypt/sha256.h>
 
 /* Key slot holding the UDS (pre-loaded by ROM before DICE).
  * TODO: Replace with NXP_DIE_DICE_UDS_MK_SK */
@@ -420,13 +421,13 @@ int hal_attestation_get_ueid(uint8_t *buf, size_t *len)
     }
 
     /* 32 bytes CUSTOM PAD */
-    memset(deriv, 0, sizeof(deriv));
-    memcpy(deriv, "WOLFBOOT-UEID", 13);
+    XMEMSET(deriv, 0, sizeof(deriv));
+    XMEMCPY(deriv, "WOLFBOOT-UEID", 13);
 
     /* UEID Type RANDOM */
     buf[0] = 0x01;
 
-    /* Trigger the HKDF operation.
+    /* Trigger the HKDF command.
      * We just give the names of token and return value
      * since it's declared within the macro */
     MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_hkdf, tok_hkdf,
@@ -439,11 +440,11 @@ int hal_attestation_get_ueid(uint8_t *buf, size_t *len)
     MCUX_CSSL_FP_FUNCTION_CALL_END();
 
     /* Wait for hardware to finish */
-    MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_w2, tok_w2,
+    MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_w, tok_w,
         mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR));
 
-    if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_WaitForOperation) != tok_w2) ||
-        (MCUXCLELS_STATUS_OK != res_w2))
+    if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_WaitForOperation) != tok_w) ||
+        (MCUXCLELS_STATUS_OK != res_w))
         return -1;
 
     MCUX_CSSL_FP_FUNCTION_CALL_END();
@@ -459,62 +460,112 @@ int hal_attestation_get_lifecycle(uint32_t *lifecycle)
     return 0;
 }
 
+/* Derive new CDI from measurement and previous CDI */
 int hal_dice_update_cdi(const uint8_t *measurement, size_t meas_len)
 {
     static int cdi_step = 0;
+    uint8_t deriv[MCUXCLELS_HKDF_RFC5869_DERIVATIONDATA_SIZE];
+    wc_Sha256 sha;
+    mcuxClEls_HkdfOption_t opts;
+    mcuxClEls_KeyProp_t props;
+    int ret = 0;
 
     if (cdi_step == 0) {
         /*
-         * Component [0] is the wolfBoot hash. The ROM already incorporated
+         * Component [0] is the wolfBoot hash. The boot ROM already incorporated
          * it as: HKDF(UDS, wolfBoot_hash) -> initial_CDI.
          * Skip re-applying it — doing so would produce the wrong CDI chain.
          */
         cdi_step++;
-        return 0;
+        return ret;
+    }
+    else if (cdi_step > 1) {
+        /* Limit to 2 components (including wolfBoot) due to key slot constraints */
+        ret = -1;
     }
 
-    /*
-     * Component [1+]: mix this measurement into the CDI chain via ELS HKDF RFC5869.
-     *
-     * The 32-byte derivation data buffer must be composed as:
-     *   deriv[0..30] = info/label  (31 bytes, zero-padded)
-     *   deriv[31]    = 0x01        (RFC5869 counter byte for single-block expansion)
-     * The SDK does NOT add this formatting automatically.
-     *
-     * NOTE: The exact label policy (truncate SHA-384 to 31 bytes, or pre-hash
-     * to SHA-256 then take first 31 bytes) and alignment with the ROM's approach
-     * for component[0] must be confirmed before finalizing this implementation.
-     * See also: whether a separate RFC5869 Extract step is needed before Expand.
-     *
-     * TODO: Implement using mcuxClEls_KeyDelete_Async + mcuxClEls_Hkdf_Rfc5869_Async:
-     *
-     *   // Step 1: Free target slot (KDELETE, cmd 0xB)
-     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
-     *       mcuxClEls_KeyDelete_Async(MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT));
-     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
-     *
-     *   // Step 2: Compose derivation data {label[31 bytes], counter[1 byte]}
-     *   uint8_t deriv[MCUXCLELS_HKDF_RFC5869_DERIVATIONDATA_SIZE] = {0};
-     *   size_t label_len = (meas_len < 31u) ? meas_len : 31u;
-     *   memcpy(deriv, measurement, label_len);
-     *   deriv[31] = 0x01u;
-     *
-     *   // Step 3: Derive new CDI into freed slot
-     *   mcuxClEls_HkdfOption_t opts = {0};
-     *   opts.bits.rtfdrvdat = MCUXCLELS_HKDF_VALUE_RTF_DERIV_DISABLE;
-     *   mcuxClEls_KeyProp_t props = {.word.value =
-     *       MCUXCLELS_KEYPROPERTY_VALUE_HKDF | MCUXCLELS_KEYPROPERTY_VALUE_ACTIVE};
-     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
-     *       mcuxClEls_Hkdf_Rfc5869_Async(opts,
-     *           MCXN_ELS_DICE_CDI_INITIAL_KEYSLOT,
-     *           MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT,
-     *           props, deriv));
-     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
-     */
-    cdi_step++;
-    (void)measurement;
-    (void)meas_len;
-    return -1; /* placeholder */
+    XMEMSET(deriv, 0, sizeof(deriv));
+
+    if (measurement == NULL || meas_len == 0) {
+        ret = -1;
+    }
+
+    if (ret == 0) {
+        if (meas_len > SHA256_DIGEST_SIZE) {
+            /* Pre-hash to SHA-256 digest */
+            ret = wc_InitSha256(&sha);
+            if (ret == 0) {
+                ret = wc_Sha256Update(&sha, measurement, (word32)meas_len);
+                if (ret == 0) {
+                    ret = wc_Sha256Final(&sha, deriv);
+                }
+                wc_Sha256Free(&sha);
+            }
+        }
+        else {
+            XMEMCPY(deriv, measurement, meas_len);
+        }
+    }
+
+    if (ret == 0) {
+        /* Trigger the KDELETE command to free the key slot.
+         * We just give the names of token and return value
+         * since it's declared within the macro */
+        MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_kdel, tok_kdel,
+            mcuxClEls_KeyDelete_Async(MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT));
+
+        if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_KeyDelete_Async) != tok_kdel) ||
+            (MCUXCLELS_STATUS_OK_WAIT != res_kdel))
+            ret = -1;
+
+        MCUX_CSSL_FP_FUNCTION_CALL_END();
+
+        /* Wait for hardware to finish */
+        MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_w, tok_w,
+            mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR));
+
+        if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_WaitForOperation) != tok_w) ||
+            (MCUXCLELS_STATUS_OK != res_w))
+            ret = -1;
+
+        MCUX_CSSL_FP_FUNCTION_CALL_END();
+    }
+
+    if (ret == 0) {
+        opts.word.value = MCUXCLELS_HKDF_ALGO_RFC5869;
+        /* UPPROT|UKGSRC|UHKDF|FGP|KBASE|KACTV|KSIZE */
+        props.word.value = 0x440200E1U;
+        
+        /* Trigger the HKDF command.
+         * We just give the names of token and return value
+         * since it's declared within the macro */
+        MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_hkdf, tok_hkdf,
+            mcuxClEls_Hkdf_Rfc5869_Async(opts, 
+                                         MCXN_ELS_DICE_CDI_INITIAL_KEYSLOT,
+                                         MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT,
+                                         props, deriv));
+
+        if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_Hkdf_Rfc5869_Async) != tok_hkdf) ||
+            (MCUXCLELS_STATUS_OK_WAIT != res_hkdf))
+            ret = -1;
+
+        MCUX_CSSL_FP_FUNCTION_CALL_END();
+
+        /* Wait for hardware to finish */
+        MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_w, tok_w,
+            mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR));
+
+        if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_WaitForOperation) != tok_w) ||
+            (MCUXCLELS_STATUS_OK != res_w))
+            ret = -1;
+
+        MCUX_CSSL_FP_FUNCTION_CALL_END();
+    }
+
+    if (ret == 0) 
+        cdi_step++;
+    
+    return ret;
 }
 
 int hal_dice_create_attest_key(void)
