Skip to content

Commit

Permalink
[perso] Set up signing and testing
Browse files Browse the repository at this point in the history 
1. Set up offline signing rules for perso binaries.
2. Feed the correct binaries to the test flows based on the SKU.

Signed-off-by: Chris Frantz <[email protected]>
  • Loading branch information
@cfrantz
cfrantz committed Nov 22, 2024
1 parent 96eb371 commit 0e0bcd1
Show file tree
Hide file tree
Showing 3 changed files with 86 additions and 6 deletions.
63 changes: 57 additions & 6 deletions sw/device/silicon_creator/manuf/base/BUILD
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ load(
"//sw/device/silicon_creator/rom_ext/e2e:defs.bzl",
"OWNER_SLOTS",
)
load("@//rules:signing.bzl", "offline_presigning_artifacts", "offline_signature_attach")
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")

package(default_visibility = ["//visibility:public"])

Expand Down Expand Up @@ -340,7 +342,7 @@ manifest(d = {
_FT_PROVISIONING_CMD_ARGS = """
--elf={sram_ft_individualize}
--bootstrap={ft_personalize}
--second-bootstrap={firmware}
--second-bootstrap={bundle}
--ca-config={ca_config}
""" + FT_PROVISIONING_INPUTS

Expand All @@ -351,7 +353,12 @@ _FT_PROVISIONING_HARNESS = "//sw/host/provisioning/ft:ft_{}"
name = "ft_fw_bundle_{}".format(sku),
testonly = True,
bins = {
":ft_personalize_{}".format(sku): SLOTS["a"],
# Use a pre-compiled perso binary if the SKU defines it,
# else use the label of the opentitan_binary for the SKU.
config.get(
"perso_bin",
":ft_personalize_{}".format(sku),
): SLOTS["a"],
config["rom_ext"]: SLOTS["b"],
config["owner_fw"]: OWNER_SLOTS["b"],
},
Expand Down Expand Up @@ -387,14 +394,17 @@ filegroup(
},
fpga = fpga_params(
timeout = "moderate",
assemble = "{ft_personalize}@{rom_ext_slot_a} {rom_ext}@{rom_ext_slot_b} {owner_fw}@{owner_slot_b}",
binaries =
{
":sram_ft_individualize_{}".format(config["otp"]): "sram_ft_individualize",
":ft_personalize_{}".format(sku): "ft_personalize",
config["rom_ext"]: "rom_ext",
config["owner_fw"]: "owner_fw",
# Use a pre-compiled perso binary if the SKU defines it,
# else use the label of the opentitan_binary for the SKU.
config.get(
"perso_bin",
":ft_personalize_{}".format(sku),
): "ft_personalize",
config["ca_config"]: "ca_config",
":ft_fw_bundle_{}".format(sku): "bundle",
},
changes_otp = True,
data = config["ca_data"],
Expand Down Expand Up @@ -451,3 +461,44 @@ test_suite(
for sku in EARLGREY_SKUS.keys()
],
)

_DISQUALIFIED_FOR_SIGNING = ["emulation"]

[
offline_presigning_artifacts(
name = "provisioning_{}".format(sku),
testonly = True,
srcs = [":ft_personalize_{}".format(sku)],
ecdsa_key = data["ecdsa_key"],
manifest = ":manifest_perso",
tags = ["manual"],
)
for sku, data in EARLGREY_SKUS.items()
if data["otp"] not in _DISQUALIFIED_FOR_SIGNING
]

pkg_tar(
name = "digests",
testonly = True,
srcs = [
":provisioning_{}".format(sku)
for sku, data in EARLGREY_SKUS.items()
if data["otp"] not in _DISQUALIFIED_FOR_SIGNING
],
mode = "0644",
tags = ["manual"],
)

offline_signature_attach(
name = "signed",
testonly = True,
srcs = [
":provisioning_{}".format(sku)
for sku, data in EARLGREY_SKUS.items()
if data["otp"] not in _DISQUALIFIED_FOR_SIGNING
],
ecdsa_signatures = [
"//sw/device/silicon_creator/manuf/base/signatures:ecdsa_signatures",
],
tags = ["manual"],
)
14 changes: 14 additions & 0 deletions sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ EARLGREY_SKUS = {
"ownership_libs": ["//sw/device/silicon_creator/lib/ownership:test_owner"],
"rom_ext": "//sw/device/silicon_creator/rom_ext:rom_ext_dice_x509_slot_b",
"owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
"ecdsa_key": {},
},
# OTP Config: Emulation; DICE Certs: CWT; Additional Certs: None
"emulation_dice_cwt": {
Expand All @@ -43,6 +44,7 @@ EARLGREY_SKUS = {
"ownership_libs": ["//sw/device/silicon_creator/lib/ownership:test_owner"],
"rom_ext": "//sw/device/silicon_creator/rom_ext:rom_ext_dice_cwt_slot_b",
"owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
"ecdsa_key": {},
},
# OTP Config: Emulation; DICE Certs: X.509; Additional Certs: TPM EK
"emulation_tpm": {
Expand All @@ -58,9 +60,21 @@ EARLGREY_SKUS = {
"ownership_libs": ["//sw/device/silicon_creator/lib/ownership:test_owner"],
"rom_ext": "//sw/device/silicon_creator/rom_ext:rom_ext_dice_x509_slot_b",
"owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
"ecdsa_key": {},
},
# TODO(cfrantz, ttrippel): Add SIVAL configs when we sign perso and
# ROM_EXT binaries.
#"sival": {
# "otp": "sival",
# "dice_libs": ["//sw/device/silicon_creator/lib/cert:dice"],
# "host_ext_libs": ["@provisioning_exts//:default_ft_ext_lib"],
# "device_ext_libs": ["@provisioning_exts//:default_perso_fw_ext"],
# "ownership_libs": ["//sw/device/silicon_creator/rom_ext/sival:sival_owner"],
# "rom_ext": "//sw/device/silicon_creator/rom_ext/sival/binaries:rom_ext_dice_x509_prod",
# "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
# "ecdsa_key": {"//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:keyset": "sv00-earlgrey-a1-root-ecdsa-prod-0"},
# "perso_bin": "//sw/device/silicon_creator/manuf/base/binaries:ft_personalize_sival",
#},
} | EXT_EARLGREY_SKUS

_DEVICE_ID_AND_TEST_TOKENS = """
Expand Down
15 changes: 15 additions & 0 deletions sw/device/silicon_creator/manuf/base/signatures/BUILD
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Copyright lowRISC contributors (OpenTitan project).
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

package(default_visibility = ["//visibility:public"])

filegroup(
name = "ecdsa_signatures",
srcs = glob(["*.ecdsa_sig"]),
)

filegroup(
name = "spx_signatures",
srcs = glob(["*.spx_sig"]),
)

0 comments on commit 0e0bcd1

Please sign in to comment.