Fuse "IDEVID CERT IDEVID ATTR" and IDevID Certificate incomplete correlation, discrepancy and typo.

[myviewfinder]

Summary: Caliptra main specification and Caliptra Integration spec. do not fully define the fuse "Certificate Attribute" fields with corresponding fields in the IDevID Certificate. There is also typo in the Caliptra ROM spec. Details below.

1. What does fuse Certificate Attribute "Flags (byte 0, bits [1:0]): Key ID algorithm for IDevID Subject Key Identifier" correspond to in the IDevID Cert ? I.e. is Table 7: IDevID certificate missing the "Subject Key Identifier" field?

2. What should fuse Certificate Attribute "Subject Key ID (bytes 4 to 23) " be when fuse Certificate Attribute's Flags != 3?

3. What is fuse Certificate Attribute "Manufacturer Serial Number (bytes 28 to 43):" used for? Table 7 does not have such a IDevID certificate field.

4. There are discrepancies in the Certificate Attributes (i) fuse size and (ii) location of fields among various specification. Main spec encoding of these attribute fuses below table 7 defines attributes = 44 bytes, versus

• the followings with 96 bytes: Fuse Map table 19 with 768 bits = 96bytes (https://github.com/chipsalliance/Caliptra/blob/main/doc/Caliptra.md#fuse-map),
• ereg fuse register fuse_idevid_cert_attr fuse array size = 0x60 , and
• ROM spec. 768 bits

5. Typo in ROM spec FUSE_IDEVID_CERT_ATTR with same encoding value of "2" for both SHA256 and SHA384 selections.

6. ROM spec FUSE_IDEVID_CERT_ATTR fields & locations discrepancies with that in the Caliptra main spec.'s encoding of these attribute fuses below table 7

[varuns-nvidia]

1. The fuse IDEVID_CERT_ATTR bits 0 and 1 tell Caliptra ROM what is the format and the input data for the IDevID subject key identifier. Yes you're right that Table 7 should include the Subject Key Identifier.
2. The value is don't care because the Flags tell Caliptra ROM not to consume that value.
3. It is used to generate the tcg-dice-Ueid extension value.
4. The fuse bits allocated in the Caliptra fuse map is 96 bytes = 768 bits. Of those, only 44 bytes have defined usage.
5. @mhatrevi please review
6. @mhatrevi please review

[varuns-nvidia]

I've pushed #206 with the main spec updates adding Subject Key Identifier.

[myviewfinder]

1. The fuse IDEVID_CERT_ATTR bits 0 and 1 tell Caliptra ROM what is the format and the input data for the IDevID subject key identifier. Yes you're right that Table 7 should include the Subject Key Identifier.
2. The value is don't care because the Flags tell Caliptra ROM not to consume that value.
3. It is used to generate the tcg-dice-Ueid extension value.
4. The fuse bits allocated in the Caliptra fuse map is 96 bytes = 768 bits. Of those, only 44 bytes have defined usage.
5. @mhatrevi please review
6. @mhatrevi please review

@varuns-nvidia ,
About your response to bullet no.2, please kindly clarify in the Caliptra Main specification that SoC shall treat it as Don't Care in byte(4 to 23) when Flags != 3 .

Additional issue on bullet no.3, does the text below miss out listing the IDevID, since IDevID cert. field also has tcg-dice-Ueid field?

"Manufacturer Serial Number (bytes 28 to 43): the 128-bit unique serial number of the device to be used for the TCG UEID extension in the Caliptra-generated LDevID, AliasFMC, and AliasRT certificates."

About your response to bullet no.4, please consider the following clarification in the Caliptra Main spec. encoding of certificate attribute fuses below table 7:

Reserved (byte 44 to byte 95)

7. In general does Caliptra have an expectation on any reserved field value, such as 0 ?