Last active September 22, 2022 17:13
DICE notes


  • UDS: Unique Device Secret. This is a per-device hardware-level secret accessible to the DICE but not accessible after the DICE runs.
  • CDI: Compound Device Identifier. This value represents the hardware/software combination measured by the DICE. This is the DICE output and is passed to the software which has been measured. This is a secret.


Hash Function

A hash function (e.g. SHA2-384):

hash = H(input)

Key Derivation Function

CDI = KDF(length, ikm, salt, info): Key Derivation Function. The output is length long. It takes Initial Key Material (ikm), a cryptographic salt (salt) and additional information (info).

Asymmetric Key Pair Derivation Function

PrivateKey, PublicKey = ASYM_KDF(input)

which can be decomposed into:

  1. PrivateKey = KDF(N, input, KEY_SALT, "Key Pair")
  2. PublicKey is derived from PrivateKey depending on the chosen algorithm.

DICE cycle


InputValues = [Code, Config, Mode] (for the loaded layer)

CDI Generation

CDI_1 = KDF(N, CDI_0, H(InputValues), "CDI") where CDI_0 is UDS.

CDI_1_PrivateKey, CDI_1_PublicKey = ASYM_KDF(CDI_1)
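
The CDI generation and step 1 of ASYM_KDF above, run over a two-layer boot chain, as an added example that is not part of the original notes. It assumes HKDF (RFC 5869) over SHA2-384 as the KDF, N = 48 bytes, a placeholder KEY_SALT, and a fixed-width encoding of InputValues with Mode as one byte; the notes specify none of these, and the function names are hypothetical.

```python
import hashlib
import hmac

HASH = hashlib.sha384                # H from the notes (SHA2-384)
N = 48                               # assumed CDI / key-seed length in bytes
KEY_SALT = b"constructed-key-salt"   # placeholder: the notes give no KEY_SALT value

def kdf(length, ikm, salt, info):
    """KDF(length, ikm, salt, info), realised here as HKDF (an assumption)."""
    salt = salt or bytes(HASH().digest_size)
    prk = hmac.new(salt, ikm, HASH).digest()          # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                          # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def measure(code, config, mode):
    """H(InputValues). Code and Config are hashed first so every field has a
    fixed width and bytes cannot shift between fields (assumed encoding)."""
    return HASH(HASH(code).digest() + HASH(config).digest() + bytes([mode])).digest()

def next_cdi(cdi_prev, code, config, mode):
    """CDI_n+1 = KDF(N, CDI_n, H(InputValues), "CDI")."""
    return kdf(N, cdi_prev, measure(code, config, mode), b"CDI")

def key_seed(cdi):
    """Step 1 of ASYM_KDF: PrivateKey = KDF(N, input, KEY_SALT, "Key Pair")."""
    return kdf(N, cdi, KEY_SALT, b"Key Pair")

def boot_chain(uds, layers):
    """Run the DICE cycle over each (code, config, mode) layer; CDI_0 is UDS."""
    cdis, cdi = [], uds
    for code, config, mode in layers:
        cdi = next_cdi(cdi, code, config, mode)
        cdis.append(cdi)
    return cdis

# Constructed sample values, not real device data.
UDS = bytes(range(48))
LAYERS = [(b"bootloader v1", b"cfg-a", 0), (b"kernel v1", b"cfg-b", 0)]
TAMPERED = [(b"bootloader v1-patched", b"cfg-a", 0), LAYERS[1]]

if __name__ == "__main__":
    good, bad = boot_chain(UDS, LAYERS), boot_chain(UDS, TAMPERED)
    for i, (g, b) in enumerate(zip(good, bad), start=1):
        print(f"CDI_{i} differs after modifying layer 1: {g != b}")
```

Step 2 of ASYM_KDF (deriving the public key) depends on the chosen algorithm and is left out. A change to the first layer's code changes CDI_1 and every CDI after it, so the later layers also end up with different key seeds.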

CDI Certificate Generation

  • Subject = CDI_1_Public
  • Issuer = CDI_0_Public


CDI_1 and CDI_1_Certificate




HKDF Rust Crate
