Adding hw-1.0 build test and FMC size fix

.github/workflows/build-test.yml

@@ -107,6 +107,13 @@ jobs:
           (cd rom/dev && ./build.sh)
           sccache --show-stats
 
+      # Make sure FMC and runtime can build for hw-1.0
+      - name: hw-1.0 build test
+        run: |
+          mkdir hw-1.0_build_test
+          cargo run --manifest-path=builder/Cargo.toml --bin image --features=hw-1.0 -- --fw hw-1.0_build_test/image-bundle.bin
+          rm -r hw-1.0_build_test
+
       # Clippy needs to build crates as part of the check, so do it after the
       # build.
       - name: Clippy lint check

common/src/lib.rs

@@ -42,5 +42,9 @@ pub const FMC_SIZE: u32 = 21 * 1024;
 pub const RUNTIME_ORG: u32 = FMC_ORG + FMC_SIZE;
 pub const RUNTIME_SIZE: u32 = 96 * 1024;
 
+// Max size of runtime code should be 118K to allow room for the manifest
+#[allow(clippy::assertions_on_constants)]
+const _: () = assert!((FMC_SIZE + RUNTIME_SIZE) < (118 * 1024));
+
 pub use memory_layout::{DATA_ORG, PERSISTENT_DATA_ORG};
 pub use wdt::{restart_wdt, start_wdt, stop_wdt, WdtTimeout};

fmc/src/flow/rt_alias.rs

@@ -49,21 +49,21 @@ impl RtAliasLayer {
             return Err(CaliptraError::FMC_ALIAS_KV_COLLISION);
         }
 
-        cprintln!("[aliasrt] Derive CDI");
-        cprintln!("[aliasrt] Store in in slot 0x{:x}", KEY_ID_RT_CDI as u8);
+        cprintln!("[art] Derive CDI");
+        cprintln!("[art] Store in in slot 0x{:x}", KEY_ID_RT_CDI as u8);
 
         // Derive CDI
         Self::derive_cdi(env, input.cdi, KEY_ID_RT_CDI)?;
         report_boot_status(FmcBootStatus::RtAliasDeriveCdiComplete as u32);
-        cprintln!("[aliasrt] Derive Key Pair");
+        cprintln!("[art] Derive Key Pair");
         cprintln!(
-            "[aliasrt] Store priv key in slot 0x{:x}",
+            "[art] Store priv key in slot 0x{:x}",
             KEY_ID_RT_PRIV_KEY as u8
         );
 
         // Derive DICE Key Pair from CDI
         let key_pair = Self::derive_key_pair(env, KEY_ID_RT_CDI, KEY_ID_RT_PRIV_KEY)?;
-        cprintln!("[aliasrt] Derive Key Pair - Done");
+        cprintln!("[art] Derive Key Pair - Done");
         report_boot_status(FmcBootStatus::RtAliasKeyPairDerivationComplete as u32);
 
         // Generate the Subject Serial Number and Subject Key Identifier.
@@ -101,16 +101,16 @@ impl RtAliasLayer {
     #[inline(never)]
     pub fn run(env: &mut FmcEnv) -> CaliptraResult<()> {
         Self::extend_pcrs(env)?;
-        cprintln!("[aliasrt] Extend RT PCRs Done");
+        cprintln!("[art] Extend RT PCRs Done");
 
         env.pcr_bank
             .set_pcr_lock(caliptra_common::RT_FW_CURRENT_PCR);
         env.pcr_bank
             .set_pcr_lock(caliptra_common::RT_FW_JOURNEY_PCR);
-        cprintln!("[aliasrt] Lock RT PCRs Done");
+        cprintln!("[art] Lock RT PCRs Done");
 
         Self::populate_dv(env)?;
-        cprintln!("[aliasrt] Populate DV Done");
+        cprintln!("[art] Populate DV Done");
         report_boot_status(crate::FmcBootStatus::RtMeasurementComplete as u32);
 
         // Retrieve Dice Input Layer from Hand Off and Derive Key
@@ -326,7 +326,7 @@ impl RtAliasLayer {
 
         // Sign the `To Be Signed` portion
         cprintln!(
-            "[aliasrt] Signing Cert with AUTHO
+            "[art] Signing Cert with AUTHO
             RITY.KEYID = {}",
             auth_priv_key as u8
         );
@@ -337,23 +337,20 @@ impl RtAliasLayer {
         let sig = Crypto::ecdsa384_sign(env, auth_priv_key, auth_pub_key, tbs.tbs());
         let sig = okref(&sig)?;
         // Clear the authority private key
-        cprintln!(
-            "[aliasrt] Erasing AUTHORITY.KEYID = {}",
-            auth_priv_key as u8
-        );
+        cprintln!("[art] Erasing AUTHORITY.KEYID = {}", auth_priv_key as u8);
         // FMC ensures that CDIFMC and PrivateKeyFMC are locked to block further usage until the next boot.
         env.key_vault.set_key_use_lock(auth_priv_key);
         env.key_vault.set_key_use_lock(input.cdi);
 
         let _pub_x: [u8; 48] = (&pub_key.x).into();
         let _pub_y: [u8; 48] = (&pub_key.y).into();
-        cprintln!("[aliasrt] PUB.X = {}", HexBytes(&_pub_x));
-        cprintln!("[aliasrt] PUB.Y = {}", HexBytes(&_pub_y));
+        cprintln!("[art] PUB.X = {}", HexBytes(&_pub_x));
+        cprintln!("[art] PUB.Y = {}", HexBytes(&_pub_y));
 
         let _sig_r: [u8; 48] = (&sig.r).into();
         let _sig_s: [u8; 48] = (&sig.s).into();
-        cprintln!("[aliasrt] SIG.R = {}", HexBytes(&_sig_r));
-        cprintln!("[aliasrt] SIG.S = {}", HexBytes(&_sig_s));
+        cprintln!("[art] SIG.R = {}", HexBytes(&_sig_r));
+        cprintln!("[art] SIG.S = {}", HexBytes(&_sig_s));
 
         // Verify the signature of the `To Be Signed` portion
         if Crypto::ecdsa384_verify(env, auth_pub_key, tbs.tbs(), sig)? != Ecc384Result::Success {