RFC: If requested, persist IDevID CSR for later retrieval

[jhand2]

Targeted Release: ROM 1.3
Impacted FW stages: ROM only

Background

If the CPTRA_DBG_MANUF_SERVICE_REG MFG_FLAG_GEN_IDEV_CSR bit is set, Caliptra ROM will generate/sign an IDevID CSR and write it to the mailbox. The SoC Manager must retrieve the CSR from the Caliptra mailbox before it can do anything else (e.g. call STASH_MEASUREMENT).

Proposal

The general expectation is that this flow is being done by SoC ROM. Instead of making SoC ROM deal with exporting the IDevID CSR, we should provide an option to retrieve the CSR at a later point. Proposal to achieve this:

1. If MFG_FLAG_GEN_IDEV_CSR is set, write IDevID CSR to temporary DCCM (can be cleared before ROM jumps to FMC)
2. Add ROM mailbox command to retrieve IDevID CSR

This allows SoC manager to retrieve the CSR at any point until it boots Caliptra mutable FW. Notably, it can stash measurements and load its mutable manufacturing fw which can deal with the CSR.

If CSR request bit was not set prior to ROM boot, this mailbox command will fail.

(Optional) Variation

There is a small change we could make where we persist the IDevID CSR in DCCM, add it's offset/size to the FHT, and add a mailbox command to RT to retrieve it. This is a bit more flexible and allows the SoC to retrieve the CSR at any time. But it seems unnecessary. If SoC manager is fetching/booting Caliptra firmware, surely it can handle storing the CSR somewhere.

The goal of this proposal is just to allow SoC ROM to be as simple as possible.

[jhand2]

cc @mhatrevi @nquarton @varuns-nvidia let me know if you have any thoughts

[varuns-nvidia]

I'm a fan of this proposal and the variation. Based on the recent discussions in OCP Security WG, CSRs are valuable for device users and not just device vendors. Allowing RT to retrieve IDevID CSR in a production lifecycle stage would be useful.