feat(fw): add InitBk3 firmware handler with masked key codec#372
Merged
Conversation
vsonims
reviewed
May 7, 2026
vsonims
reviewed
May 7, 2026
jaygmsft
force-pushed
the
user/jayg/init_bk3
branch
3 times, most recently
from
431438e to
8882e7c
Compare
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jaygmsft
force-pushed
the
user/jayg/init_bk3
branch
3 times, most recently
from
3b25628 to
822a07d
Compare
Adds the firmware-side InitBk3 DDI handler that masks a 48-byte BK3 against the partition's 80-byte BK_BOOT using AES-CBC-256 + HMAC-SHA-384 (encrypt-then-MAC), producing an mcr-hsm-compatible 244-byte MaskedKey wire-format blob. New crate fw/core/crypto/masked-key/ hosts the wire format and encode logic. Public surface: - mask_cbc(pal, io, masking_key, plaintext, metadata, out) - MASKING_KEY_AES_CBC_256_HMAC_384_LEN The encoder uses zerocopy-derived #[repr(C)] header structs as the single layout-of-truth and writes the blob directly into a caller- supplied DMA buffer (zero-init precondition checked via plaintext staging. Also includes: - fw/core/ddi/mbor/types/src/masked_key.rs: DdiMaskedKeyMetadata - Integration smoke tests in ddi/lib/tests/integration/init_bk3_smoke.rs - Copyright/format fixes in unrelated touched crypto files Validated: - 4/4 init_bk3 smoke tests pass against emu - 10/10 emu smoke tests pass - fmt + copyright clean Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jaygmsft
force-pushed
the
user/jayg/init_bk3
branch
from
822a07d to
a863166
Compare
…intext - Drop the redundant `[..masked_bk_boot_len]` slice on the `part_set_masked_bk_boot` call since `&mut DmaBuf` already deref-coerces to `&[u8]`. - Bind `bk_boot_plain = &bk_boot_dma[..BK_BOOT_LEN]` once and reuse it for both `mask_cbc` calls (size-query and fill). - Trim the doc comments on `BK3_KEY_ATTRIBUTES`, `BK_BOOT_MK_LABEL`, and `BK_BOOT_KEY_ATTRIBUTES` to keep only the PKCS#11 rationale that is not obvious from the const definition itself. `BK_BOOT_KEY_ATTRIBUTES` now points at `BK3_KEY_ATTRIBUTES` and only calls out the `local` flag difference (on-device generation vs. host import). - Replace the per-step numbered fn-level doc on `handle_init_bk3` with a tight 5-phase pipeline overview; the body's section markers already cover the per-step detail. No behavior change. Build clean, `init_bk3_smoke` 4/4 pass on emu, fmt and copyright clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
vsonims
approved these changes
May 26, 2026
* ddi/sim: `set_sealed_bk3_data` now returns `SealedBk3AlreadySet` instead of the generic `KeyAlreadyExists` so the simulator agrees with the firmware (old and new) and the public `DdiStatus` enum on this specific error. * ddi/lib/tests: update `sealed_bk3_smoke::test_set_sealed_bk3_twice_fails` and `live_migration_sim::test_live_migration_sealed_bk3` to assert the specific `SealedBk3AlreadySet` status now produced by both backends. * ddi/lib/tests: relax `init_bk3_smoke::test_init_bk3_smoke` length assertion from exact 244 bytes to a sanity range. The firmware and simulator legitimately populate different optional metadata fields, so the encoded envelope size differs while still being a valid `MaskedKey`. The smoke test should not lock in either backend's exact metadata set. * fw/core/crypto/masked-key, fw/pal/traits: address clippy lints (`is_multiple_of` and `too_many_arguments`). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add the InitBk3 DDI command handler and supporting infrastructure for BK3 initialization and masked key operations.
New modules:
PAL changes:
DDI integration test results with --features emu (566 total):
32 passed, 534 failed, 0 skipped
DDI smoke test results with --features emu (9 total):
9 passed, 0 failed, 0 skipped