[signing] Add SiVAL public key material

1. Add sival root (rom->rom_ext) keys. 2. Add sival owner/application keys. 3. Add a sival owner configuration, signed owner binary configuration and FPGA `sku_creator_owner_init` function. 4. Update READMEs to document the hsmtool profile names and describe how keys were generated. Signed-off-by: Chris Frantz <[email protected]>
cfrantz · Nov 18, 2024 · 6bb059c · 6bb059c
1 parent 0f94aae
commit 6bb059c
Show file tree

Hide file tree

Showing 39 changed files with 370 additions and 523 deletions.
diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/BUILD b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/BUILD
@@ -15,7 +15,6 @@ load(
 )
 load(
     "//rules:otp.bzl",
-    "OTP_SIGVERIFY_FAKE_KEYS",
     "otp_alert_classification",
     "otp_alert_digest",
     "otp_hex",
@@ -29,6 +28,10 @@ load(
 
 package(default_visibility = ["//visibility:public"])
 
+OTP_SIGVERIFY_REAL_KEYS = [
+    "//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:ecdsa_root_keys",
+]
+
 otp_json(
     name = "otp_json_creator_sw_cfg",
     partitions = [
@@ -44,7 +47,7 @@ otp_json(
                 # `kSigverifySpxDisabledOtp` in
                 # sw/device/silicon_creator/lib/sigverify/spx_verify.h for
                 # details on how to disable this feature.
-                "CREATOR_SW_CFG_SIGVERIFY_SPX_EN": otp_hex(0x0),
+                "CREATOR_SW_CFG_SIGVERIFY_SPX_EN": otp_hex(0x8d6c8c17),
                 # Enable flash data page scrambling and ECC.
                 "CREATOR_SW_CFG_FLASH_DATA_DEFAULT_CFG": "0000090606",
                 "CREATOR_SW_CFG_FLASH_INFO_BOOT_DATA_CFG": otp_hex(0x0),
@@ -208,13 +211,11 @@ otp_alert_digest(
 otp_image_consts(
     name = "otp_consts_c_file",
     src = "//hw/ip/otp_ctrl/data:otp_json_baseline",
-    # TODO: Replace `OTP_SIGVERIFY_FAKE_KEYS` for real keys once they are
-    # available.
     overlays = [
         ":alert_digest_cfg",
         ":otp_json_creator_sw_cfg",
         ":otp_json_owner_sw_cfg",
-    ] + OTP_SIGVERIFY_FAKE_KEYS,
+    ] + OTP_SIGVERIFY_REAL_KEYS,
 )
 
 # Library containing {CREATOR,OWNER}_SW_CFG and

diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/BUILD b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/BUILD
@@ -0,0 +1,115 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("//rules/opentitan:keyutils.bzl", "key_ecdsa")
+load("//rules:signing.bzl", "keyset")
+load("//rules:const.bzl", "CONST")
+load(
+    "//rules:otp.bzl",
+    "otp_hex",
+    "otp_json_rot_keys",
+    "otp_partition",
+)
+
+package(default_visibility = ["//visibility:public"])
+
+key_ecdsa(
+    name = "ecdsa_prod_0",
+    config = "EcdsaP256",
+    method = "hsmtool",
+    pub_key = "sv00-earlgrey-a1-root-ecdsa-prod-0.pub.der",
+    type = "ProdKey",
+)
+
+key_ecdsa(
+    name = "ecdsa_prod_1",
+    config = "EcdsaP256",
+    method = "hsmtool",
+    pub_key = "sv00-earlgrey-a1-root-ecdsa-prod-1.pub.der",
+    type = "ProdKey",
+)
+
+key_ecdsa(
+    name = "ecdsa_prod_2",
+    config = "EcdsaP256",
+    method = "hsmtool",
+    pub_key = "sv00-earlgrey-a1-root-ecdsa-prod-2.pub.der",
+    type = "ProdKey",
+)
+
+key_ecdsa(
+    name = "ecdsa_test_0",
+    config = "EcdsaP256",
+    method = "hsmtool",
+    pub_key = "sv00-earlgrey-a1-root-ecdsa-test-0.pub.der",
+    type = "TestKey",
+)
+
+key_ecdsa(
+    name = "ca_dice_0",
+    config = "EcdsaP256",
+    method = "hsmtool",
+    pub_key = "sv00-earlgrey-a1-ca-dice-0.pub.der",
+    type = "TestKey",
+)
+
+# TODO(#22155, #18313): Decide on keyset vs. keyinfo for supplying signing info to the
+# offline/token signing flows.  Currently, only keyset supports tokens.
+keyset(
+    name = "keyset",
+    build_setting_default = "",
+    keys = {
+        "sv00-earlgrey-a1-root-ecdsa-prod-0.pub.der": "sv00-earlgrey-a1-root-ecdsa-prod-0",
+        "sv00-earlgrey-a1-root-ecdsa-prod-1.pub.der": "sv00-earlgrey-a1-root-ecdsa-prod-1",
+        "sv00-earlgrey-a1-root-ecdsa-prod-2.pub.der": "sv00-earlgrey-a1-root-ecdsa-prod-2",
+        "sv00-earlgrey-a1-root-ecdsa-test-0.pub.der": "sv00-earlgrey-a1-root-ecdsa-test-0",
+    },
+    profile = "earlgrey_a1_sival_root",
+    tool = "//signing:token",
+)
+
+keyset(
+    name = "endorsement",
+    build_setting_default = "",
+    keys = {
+        "sv00-earlgrey-a1-ca-dice-0.pub.der": "sv00-earlgrey-a1-ca-dice-0",
+    },
+    profile = "earlgrey_a1_sival_root",
+    tool = "//signing:token",
+)
+
+otp_json_rot_keys(
+    name = "ecdsa_root_keys",
+    partitions = [
+        otp_partition(
+            name = "ROT_CREATOR_AUTH_CODESIGN",
+            items = {
+                # sv00-earlgrey-a1-root-ecdsa-prod-0.pub.der
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY_TYPE0": otp_hex(CONST.SIGVERIFY.KEY_TYPE.PROD),
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY0": "0x112eb53614cd78573bfb44005f1f81f71ad8bc614f9b1f0848650d82b6cbbebac48c696274cbb86ede569ca56444702e91e7b09d661f560151ea3f688aa047bb",
+
+                # sv00-earlgrey-a1-root-ecdsa-prod-1.pub.der
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY_TYPE1": otp_hex(CONST.SIGVERIFY.KEY_TYPE.PROD),
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY1": "0x8f522f2bcf8ca3f443d70b86f2479b3cc73d4c1384363edc38cf545ad6aaf46d2a7f529f489446e9d29e7624af46824f2964ca991cd5c4d84adc632bc436fc3d",
+
+                # sv00-earlgrey-a1-root-ecdsa-prod-2.pub.der
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY_TYPE2": otp_hex(CONST.SIGVERIFY.KEY_TYPE.PROD),
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY2": "0x1295b177eaec69f04c421e8f58bb55f89c8001ba1c3e5f45bec154fb25136e20bde6d117d7ff3af127348cb63574ccc3da8a1db44660350908384089a7948feb",
+
+                # sv00-earlgrey-a1-root-ecdsa-test-0.pub.der
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY_TYPE3": otp_hex(CONST.SIGVERIFY.KEY_TYPE.TEST),
+                "ROT_CREATOR_AUTH_CODESIGN_ECDSA_KEY3": "0x39dc04654afd697af53f530a3806de08f4d513f4e7bdb33ede83bf38960005ea3b4c161ce2acf000babd10689f8da3a3132eff0b3bbdf26acacaa3d3473d006d",
+            },
+        ),
+        otp_partition(
+            name = "ROT_CREATOR_AUTH_STATE",
+            items = {
+                "ROT_CREATOR_AUTH_STATE_ECDSA_KEY0": otp_hex(CONST.SIGVERIFY.KEY_STATE.PROVISIONED),
+                "ROT_CREATOR_AUTH_STATE_ECDSA_KEY1": otp_hex(CONST.SIGVERIFY.KEY_STATE.PROVISIONED),
+                "ROT_CREATOR_AUTH_STATE_ECDSA_KEY2": otp_hex(CONST.SIGVERIFY.KEY_STATE.PROVISIONED),
+                "ROT_CREATOR_AUTH_STATE_ECDSA_KEY3": otp_hex(CONST.SIGVERIFY.KEY_STATE.PROVISIONED),
+            },
+        ),
+    ],
+)
diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-ca-dice-0.pub.der b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-ca-dice-0.pub.der
diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-prod-0.pub.der b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-prod-0.pub.der
diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-prod-1.pub.der b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-prod-1.pub.der
diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-prod-2.pub.der b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-prod-2.pub.der
diff --git a/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-test-0.pub.der b/hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys/sv00-earlgrey-a1-root-ecdsa-test-0.pub.der
diff --git a/signing/README.md b/signing/README.md
@@ -2,7 +2,7 @@
 
 ## Configuration of NitroKeys
 
-> The following configuration only works in the `earlgrey_es_sival` branch.
+> The following configuration only works in the `earlgrey_1.0.0` branch.
 
 NitroKeys are a personal security token used to hold the signing keys for
 TEST and DEV devices.  NitroKeys can be used to sign tests and binaries for
@@ -21,8 +21,8 @@ mode to 600.
 
 ```json
 {
-  "earlgrey_a0": {
-    "token": "earlgrey_a0_000",
+  "earlgrey_a1_sival_root": {
+    "token": "earlgrey_a1_000",
     "user": "user",
     "pin": "xxxxxx"
   }
@@ -51,7 +51,7 @@ keyset in question.  For `silicon_creator` code, the keyset is
 ```console
 bazel build \
     --//signing:token=//signing/tokens:nitrokey \
-    --//sw/device/silicon_creator/rom/keys/real/rsa:keyset=earlgrey_a0_dev_0 \
+    --//sw/device/silicon_creator/rom/keys/real/rsa:keyset=earlgrey_a1_dev_0 \
     //label-of-target
 ```
 
@@ -68,8 +68,8 @@ mode to 600.
 
 ```json
 {
-  "earlgrey_z0_sival": {
-    "token": "ot-earlgrey-z0-sival",
+  "earlgrey_a1_sival_owner": {
+    "token": "ot-earlgrey-a1-sival",
     "user": "user"
   }
 }
@@ -80,13 +80,13 @@ example:
 
 ```json
 {
-  "earlgrey_a0": {
-    "token": "earlgrey_a0_000",
+  "earlgrey_a1_sival_root": {
+    "token": "earlgrey_a1",
     "user": "user",
     "pin": "XXXXXX"
   },
-  "earlgrey_z0_sival": {
-    "token": "ot-earlgrey-z0-sival",
+  "earlgrey_a1_sival": {
+    "token": "ot-earlgrey-a1-sival",
     "user": "user"
   }
 }

diff --git a/signing/tokens/BUILD b/signing/tokens/BUILD
@@ -26,15 +26,15 @@ signing_tool(
 signing_tool(
     name = "cloud_kms_sival",
     data = [
-        "earlgrey_z1_sival.yaml",
+        "ot-earlgrey-a1-sival.yaml",
         "@cloud_kms_hsm//:libkmsp11",
     ],
     env = {
         # The Cloud KMS PKCS11 provider needs to know where the user's home
         # is in order to load the gclould credentials.
         "HOME": ENV["HOME"],
         "HSMTOOL_MODULE": "$(location @cloud_kms_hsm//:libkmsp11)",
-        "KMS_PKCS11_CONFIG": "$(location earlgrey_z1_sival.yaml)",
+        "KMS_PKCS11_CONFIG": "$(location ot-earlgrey-a1-sival.yaml)",
     },
     location = "token",
     tool = "//sw/host/hsmtool",

diff --git a/signing/tokens/earlgrey_z1_sival.yaml → signing/tokens/ot-earlgrey-a1-sival.yaml b/signing/tokens/earlgrey_z1_sival.yaml → signing/tokens/ot-earlgrey-a1-sival.yaml
@@ -4,6 +4,6 @@
 
 ---
 tokens:
-  - key_ring: "projects/otkms-407107/locations/us-west1/keyRings/ot-earlgrey-z0-sival"
-    label: "ot-earlgrey-z0-sival"
+  - key_ring: "projects/otkms-407107/locations/us-west1/keyRings/ot-earlgrey-a1-sival"
+    label: "ot-earlgrey-a1-sival"
 log_directory: "/tmp"
diff --git a/sw/device/silicon_creator/rom_ext/sival/BUILD b/sw/device/silicon_creator/rom_ext/sival/BUILD
@@ -25,22 +25,26 @@ LINK_ORDER = [
 manifest(d = {
     "name": "manifest_sival",
     "identifier": hex(CONST.ROM_EXT),
-    "manuf_state_creator": hex(CONST.MANUF_STATE.SIVAL),
     "version_major": ROM_EXT_VERSION.MAJOR,
     "version_minor": ROM_EXT_VERSION.MINOR,
     "security_version": ROM_EXT_VERSION.SECURITY,
     "visibility": ["//visibility:private"],
 })
 
-# To test that the fake-signed SiVAL ROM_EXT can boot, you need a bitstream
-# with the OTP word CREATOR_SW_CCFG_MANUF_STATE set to `SIVAL` (as above
-# in the manifest definition).  You can manually create such a bitstream with:
+# To test that the prod-signed SiVAL ROM_EXT boots on the FPGA, you need a bitstream
+# with the sival keys pre-programmed into OTP.
+# You can manually create such a bitstream with:
 #
-# bazel build //hw/bitstream/universal:splice --//hw/bitstream/universal:env=//hw/top_earlgrey:fpga_cw310_sival
+# bazel build //hw/bitstream/universal:splice \
+#   --//hw/bitstream/universal:env=//hw/top_earlgrey:fpga_hyper310_rom_ext \
+#   --//hw/bitstream/universal:otp=//hw/ip/otp_ctrl/data/earlgrey_skus/sival:otp_img_prod_manuf_personalized
 [
     opentitan_binary(
-        name = "rom_ext_fake_prod_signed_slot_{}".format(slot),
-        ecdsa_key = {"//sw/device/silicon_creator/rom/keys/fake/ecdsa:prod_key_0_ecdsa_p256": "prod_key_0"},
+        name = "rom_ext_fake_slot_{}".format(slot),
+        ecdsa_key = select({
+            "//signing:test_keys": {"//sw/device/silicon_creator/rom/keys/fake/ecdsa:prod_key_0_ecdsa_p256": "prod_key_0"},
+            "//conditions:default": {"//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:keyset": "sv00-earlgrey-a1-root-ecdsa-test-0"},
+        }),
         exec_env = [
             "//hw/top_earlgrey:silicon_creator",
             "//hw/top_earlgrey:fpga_cw310",
@@ -51,8 +55,10 @@ manifest(d = {
         linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_{}".format(slot),
         linkopts = LINK_ORDER,
         manifest = ":manifest_sival",
-        spx_key = {"//sw/device/silicon_creator/rom/keys/fake/spx:prod_key_0_spx": "prod_key_0"},
         deps = [
+            # The sival_owner C library is included only in the "fake" ROM_EXT,
+            # as it is typically used to test FPGA flows and the FPGA doesn't
+            # retain ownership information across bitstream reloads.
             ":sival_owner",
             "//sw/device/lib/crt",
             "//sw/device/silicon_creator/lib:manifest_def",
@@ -64,7 +70,7 @@ manifest(d = {
 
 [
     opentitan_binary(
-        name = "rom_ext_real_prod_signed_slot_{}".format(slot),
+        name = "rom_ext_prod_slot_{}".format(slot),
         exec_env = [
             "//hw/top_earlgrey:silicon_creator",
             "//hw/top_earlgrey:fpga_cw310",
@@ -73,7 +79,8 @@ manifest(d = {
         linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_{}".format(slot),
         linkopts = LINK_ORDER,
         deps = [
-            ":sival_owner",
+            # The sival_owner C library is excluded from the real ROM_EXT,
+            # as chips maintain their ownership configuration in flash.
             "//sw/device/lib/crt",
             "//sw/device/silicon_creator/lib:manifest_def",
             "//sw/device/silicon_creator/rom_ext",
@@ -86,11 +93,12 @@ offline_presigning_artifacts(
     name = "presigning",
     testonly = True,
     srcs = [
-        ":rom_ext_real_prod_signed_slot_a",
-        ":rom_ext_real_prod_signed_slot_b",
+        ":rom_ext_prod_slot_a",
+        ":rom_ext_prod_slot_b",
+        ":rom_ext_prod_slot_virtual",
     ],
     ecdsa_key = {
-        "//sw/device/silicon_creator/rom/keys/fake/ecdsa:prod_key_0_ecdsa_p256": "prod_key_0_ecdsa_p256",
+        "//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:keyset": "sv00-earlgrey-a1-root-ecdsa-prod-0",
     },
     manifest = ":manifest_sival",
     tags = ["manual"],
@@ -118,14 +126,16 @@ offline_signature_attach(
 
 cc_library(
     name = "sival_owner",
-    srcs = ["sival_owner.c"],
+    srcs = [
+        "sival_owner.c",
+        "sival_owner.h",
+    ],
     deps = [
         "//sw/device/silicon_creator/lib:boot_data",
         "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
         "//sw/device/silicon_creator/lib/ownership",
         "//sw/device/silicon_creator/lib/ownership:datatypes",
         "//sw/device/silicon_creator/lib/ownership:owner_block",
-        "//sw/device/silicon_creator/rom_ext/sival/keys:includes",
     ],
     alwayslink = True,
 )
diff --git a/sw/device/silicon_creator/rom_ext/sival/README.md b/sw/device/silicon_creator/rom_ext/sival/README.md
@@ -0,0 +1,42 @@
+# SiVAL ROM\_EXT
+
+The ROM\_EXT build in this directory is for chips that are configured as the SiVAL SKU.
+
+The SiVAL SKU is initialized with the SiVAL owner during provisioning.
+The human-readable owner configuration is `sival_owner.json5` and is translated to binary form with the following command:
+
+```bash
+cd $REPO_TOP
+opentitantool ownership config \
+    --input sw/device/silicon_creator/rom_ext/sival/sival_owner.json5 \
+    sw/device/silicon_creator/rom_ext/sival/sival_owner.bin
+```
+
+The configuration is signed using the owner key stored in the Cloud KMS keyring `ot-earlgrey-a1-sival`: 
+
+```bash
+cd $REPO_TOP
+
+# From https://github.com/GoogleCloudPlatform/kms-integrations/releases/tag/pkcs11-v1.2
+export HSMTOOL_MODULE=$(pwd)/libkmsp11.so
+export KMS_PKCS11_CONFIG=signing/tokens/ot-earlgrey-a1-sival.yaml
+
+hsmtool -t ot-earlgrey-a1-sival ecdsa sign \
+    -l sv00-ownership-owner-0 \
+    --little-endian \
+    --format=slice:0..1952 \
+    --update-in-place=1952..2016 \
+    sw/device/silicon_creator/rom_ext/sival/sival_owner.bin
+```
+
+The header file `sival_owner.h` was created by dumping the binary file to a C header.
+This file is only used by the "fake" ROM\_EXT used in testing FPGA configurations.
+NOTE: the repeating unused data pattern `ZZZZ` can be cut out of the hexdump as the `sku_creator_owner_init` function will fill the unused portion of the owner page with that pattern.
+```bash
+cd $REPO_TOP
+
+./util/sh/scripts/bin2c.sh \
+    --input sw/device/silicon_creator/rom_ext/sival/sival_owner.bin \
+    --output sw/device/silicon_creator/rom_ext/sival/sival_owner.h \
+    --name sival_owner
+```