feat(tbor): implement KeyReport command (attest a masked key)#537
Open
vsonims wants to merge 6 commits into
Open
feat(tbor): implement KeyReport command (attest a masked key)#537vsonims wants to merge 6 commits into
vsonims wants to merge 6 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds TBOR support for attesting masked keys via a new KeyReport command, including firmware handlers, PAL ECC support to derive public keys from private scalars, and host-side schemas/tests/docs to exercise and document the new opcodes.
Changes:
- Implement TBOR
SdSealingKeyGen(0x09) andKeyReport(0x10) firmware handlers and wire them into TBOR dispatch/session classification. - Extend ECC PAL with
ecc_pub_from_priv(std + uno) and add supporting driver logic + tests. - Add/refresh host TBOR schemas, status mirrors, emulator integration tests, and documentation for both commands.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| fw/plat/uno/fw/pal/src/crypto/ecc.rs | Adds Uno PAL impl for ecc_pub_from_priv via PKA base-point multiplication. |
| fw/plat/uno/fw/crates/key_vault/src/kind.rs | Adds SdSealing key-kind length entry and updates tests/table sizing. |
| fw/plat/std/pal/src/ecc.rs | Adds Std PAL impl for ecc_pub_from_priv delegating to driver. |
| fw/plat/std/pal/src/drivers/vault.rs | Adds SdSealing size mapping for std vault driver and updates tests. |
| fw/plat/std/pal/src/drivers/ecc.rs | Implements pub_from_priv_le and adds round-trip tests vs generated pubkeys. |
| fw/pal/traits/src/vault.rs | Introduces HsmVaultKeyKind::SdSealing and updates the key-kind category docs. |
| fw/pal/traits/src/error.rs | Adds UnsupportedKeyScope / UnsupportedKeyType error codes. |
| fw/pal/traits/src/crypto/ecc.rs | Extends HsmEcc trait with ecc_pub_from_priv and wire-endianness contract. |
| fw/core/lib/src/op.rs | Marks new TBOR opcodes as in-session for session control. |
| fw/core/lib/src/ddi/tbor/sd_sealing_key_gen.rs | New firmware handler to generate P-384 sealing keypair and return masked key + pubkey. |
| fw/core/lib/src/ddi/tbor/mod.rs | Adds new TBOR opcodes, shared CO-session gating helpers, and dispatch wiring. |
| fw/core/lib/src/ddi/tbor/key_report.rs | New firmware handler to unmask a key, derive pubkey, and return PID-signed COSE_Sign1 report. |
| fw/core/ddi/tbor/types/src/sd_sealing_key_gen.rs | Defines firmware-side SdSealingKeyGen wire schema + pinned length constants/tests. |
| fw/core/ddi/tbor/types/src/lib.rs | Exposes the new firmware-side key_report module/types. |
| fw/core/ddi/tbor/types/src/key_report.rs | Defines firmware-side KeyReport wire schema + pinned max/len constants/tests. |
| docs/tbor-ddi/README.md | Updates opcode table to include landed SdSealingKeyGen and new KeyReport entry. |
| docs/tbor-ddi/commands/sd_sealing_key_gen.md | Updates SdSealingKeyGen documentation to reflect masked-key + pubkey response. |
| docs/tbor-ddi/commands/key_report.md | Adds new KeyReport command documentation (request/response/errors/flow). |
| ddi/tbor/types/tests/commands/sd_sealing_key_gen.rs | Adds emu integration tests for SdSealingKeyGen happy-path + reject paths. |
| ddi/tbor/types/tests/commands/mod.rs | Registers new SdSealingKeyGen and KeyReport test modules. |
| ddi/tbor/types/tests/commands/key_report.rs | Adds emu integration tests verifying KeyReport COSE_Sign1 and binding to sealed pubkey. |
| ddi/tbor/types/src/status.rs | Adds host TborStatus mirrors for new error codes. |
| ddi/tbor/types/src/sd_sealing_key_gen.rs | Updates host wrapper to return masked key + pubkey (no key handle). |
| ddi/tbor/types/src/lib.rs | Exposes the new host-side key_report module/types. |
| ddi/tbor/types/src/key_report.rs | Adds host wrapper types for KeyReport request/response. |
Collaborator
Author
|
@copilot resolve the merge conflicts in this pull request |
# Conflicts: # ddi/tbor/types/src/status.rs # ddi/tbor/types/tests/commands/sd_sealing_key_gen.rs # fw/core/lib/src/ddi/tbor/mod.rs # fw/core/lib/src/ddi/tbor/sd_sealing_key_gen.rs # fw/core/lib/src/op.rs # fw/pal/traits/src/error.rs Co-authored-by: vsonims <39780523+vsonims@users.noreply.github.com>
Contributor
Resolved the merge conflicts by merging |
Move the kind→curve mapping out of the KeyReport handler into a new tbor-side from_pal helper (mirrors mbor::from_pal but stays independent of it), including the SdSealing→P384 case that MBOR's table lacks. Borrow report_data straight from the request buffer instead of allocating + copying into scoped scratch; key_report's validate() already enforces the exact KEY_REPORT_DATA_LEN, so the manual length check was redundant too. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Encode the KeyReport TBOR response header with fips_approved=false, matching every other TBOR handler (api_rev, part_final, part_init, psk_change, sd_sealing_key_gen, session_*). KeyReport is not a FIPS-approved operation, so the previous `true` incorrectly set the header's FIPS flag. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The response_round_trips_report schema test encoded the KeyReport response with fips_approved=true; real handlers always encode false, so match that in the test to avoid baking the wrong header flag into examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radutta99
reviewed
Jul 13, 2026
jaygmsft
reviewed
Jul 14, 2026
| // right masking key before unmasking. | ||
| let masked_key = req.masked_key(); | ||
| let report_data = req.report_data(); | ||
| let scope = peek_metadata(masked_key)?.usage_flags().scope(); |
Contributor
There was a problem hiding this comment.
Should you be validating the tag before doing peek metadata?
jaygmsft
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add the TBOR
KeyReportcommand (opcode 0x10): it takes a masked key (as produced bySdSealingKeyGen), unmasks it, derives its public component on-device, and returns a PID-signed COSE_Sign1 key-attestation report over it.Handler (
fw/core/lib/src/ddi/tbor/key_report.rs)InvalidPermissions); sessionActive; partitionInitialized. ReusesSdSealingKeyGen's CO / masking-key gate helpers (now hoisted into the sharedtbormodule).pub = priv · Gvia the newHsmEcc::ecc_pub_from_privPAL method → build + sign the COSE_Sign1 report under the partition identity (PID) key.UnsupportedKeyTypeerror (a symmetric report would carry an empty COSE_Key that conveys no key type).PAL + crypto
HsmEcc::ecc_pub_from_priv(derivepubfrom an LE wire scalar) with std (pub_from_priv_ledriver + round-trip tests) and Uno (pka.ecc_gen_pub_key) impls.peek_metadata(scope routing) +unmask, and the key-report COSE builder (both already inmain).Schema + dispatch
KeyReportwire schemas;UnsupportedKeyType(0x08700103) error +TborStatusmirror.Tests + docs
docs/tbor-ddi/commands/key_report.md.Stacking
Firmware size
.textto the Uno image (measured): ~4 KB is the handler's async body folded into the TBOR dispatch state machine (unmask → derive pubkey → build & sign COSE_Sign1 → encode), ~1.5 KB new supporting symbols. The COSE/minicbor builder itself was already inmain(refactor(key-report): minicbor builder + zero-copy DmaBuf decoder #533).Validation
KeyReporttests).-D warnings+ nightly fmt clean.