[perso] Set up signing and testing

1. Set up offline signing rules for perso binaries.
2. Feed the correct binaries to the test flows based on the SKU.

Signed-off-by: Chris Frantz <[email protected]>

sw/device/silicon_creator/manuf/base/BUILD

@@ -31,6 +31,8 @@ load(
     "//sw/device/silicon_creator/rom_ext/e2e:defs.bzl",
     "OWNER_SLOTS",
 )
+load("@//rules:signing.bzl", "offline_presigning_artifacts", "offline_signature_attach")
+load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
 
 package(default_visibility = ["//visibility:public"])
 
@@ -340,7 +342,7 @@ manifest(d = {
 _FT_PROVISIONING_CMD_ARGS = """
   --elf={sram_ft_individualize}
   --bootstrap={ft_personalize}
-  --second-bootstrap={firmware}
+  --second-bootstrap={bundle}
   --ca-config={ca_config}
 """ + FT_PROVISIONING_INPUTS
 
@@ -351,7 +353,12 @@ _FT_PROVISIONING_HARNESS = "//sw/host/provisioning/ft:ft_{}"
         name = "ft_fw_bundle_{}".format(sku),
         testonly = True,
         bins = {
-            ":ft_personalize_{}".format(sku): SLOTS["a"],
+            # Use a pre-compiled perso binary if the SKU defines it,
+            # else use the label of the opentitan_binary for the SKU.
+            config.get(
+                "perso_bin",
+                ":ft_personalize_{}".format(sku),
+            ): SLOTS["a"],
             config["rom_ext"]: SLOTS["b"],
             config["owner_fw"]: OWNER_SLOTS["b"],
         },
@@ -387,14 +394,17 @@ filegroup(
         },
         fpga = fpga_params(
             timeout = "moderate",
-            assemble = "{ft_personalize}@{rom_ext_slot_a} {rom_ext}@{rom_ext_slot_b} {owner_fw}@{owner_slot_b}",
             binaries =
                 {
                     ":sram_ft_individualize_{}".format(config["otp"]): "sram_ft_individualize",
-                    ":ft_personalize_{}".format(sku): "ft_personalize",
-                    config["rom_ext"]: "rom_ext",
-                    config["owner_fw"]: "owner_fw",
+                    # Use a pre-compiled perso binary if the SKU defines it,
+                    # else use the label of the opentitan_binary for the SKU.
+                    config.get(
+                        "perso_bin",
+                        ":ft_personalize_{}".format(sku),
+                    ): "ft_personalize",
                     config["ca_config"]: "ca_config",
+                    ":ft_fw_bundle_{}".format(sku): "bundle",
                 },
             changes_otp = True,
             data = config["ca_data"],
@@ -451,3 +461,44 @@ test_suite(
         for sku in EARLGREY_SKUS.keys()
     ],
 )
+
+_DISQUALIFIED_FOR_SIGNING = ["emulation"]
+
+[
+    offline_presigning_artifacts(
+        name = "provisioning_{}".format(sku),
+        testonly = True,
+        srcs = [":ft_personalize_{}".format(sku)],
+        ecdsa_key = data["ecdsa_key"],
+        manifest = ":manifest_perso",
+        tags = ["manual"],
+    )
+    for sku, data in EARLGREY_SKUS.items()
+    if data["otp"] not in _DISQUALIFIED_FOR_SIGNING
+]
+
+pkg_tar(
+    name = "digests",
+    testonly = True,
+    srcs = [
+        ":provisioning_{}".format(sku)
+        for sku, data in EARLGREY_SKUS.items()
+        if data["otp"] not in _DISQUALIFIED_FOR_SIGNING
+    ],
+    mode = "0644",
+    tags = ["manual"],
+)
+
+offline_signature_attach(
+    name = "signed",
+    testonly = True,
+    srcs = [
+        ":provisioning_{}".format(sku)
+        for sku, data in EARLGREY_SKUS.items()
+        if data["otp"] not in _DISQUALIFIED_FOR_SIGNING
+    ],
+    ecdsa_signatures = [
+        "//sw/device/silicon_creator/manuf/base/signatures:ecdsa_signatures",
+    ],
+    tags = ["manual"],
+)

sw/device/silicon_creator/manuf/base/binaries/BUILD

@@ -0,0 +1,32 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("//rules/opentitan:cc.bzl", "exec_env_filegroup")
+
+package(default_visibility = ["//visibility:public"])
+
+exec_env_filegroup(
+    name = "ft_personalize_sival",
+    testonly = True,
+    exec_env = {
+        "//hw/top_earlgrey:fpga_hyper310_rom_with_fake_keys": "cw310",
+        "//hw/top_earlgrey:fpga_cw340_rom_with_fake_keys": "cw340",
+        "//hw/top_earlgrey:silicon_creator": "silicon",
+    },
+    files = {
+        "ft_personalize_sival_fpga_cw340_rom_with_fake_keys.signed.bin": "cw340",
+        "ft_personalize_sival_fpga_hyper310_rom_with_fake_keys.signed.bin": "cw310",
+        "ft_personalize_sival_silicon_creator.signed.bin": "silicon",
+    },
+)
+
+# ft_personalize_gb_cros_fpga_cw340_rom_with_fake_keys.signed.bin
+# ft_personalize_gb_cros_fpga_hyper310_rom_with_fake_keys.signed.bin
+# ft_personalize_gb_cros_silicon_creator.signed.bin
+# ft_personalize_gb_pie_fpga_cw340_rom_with_fake_keys.signed.bin
+# ft_personalize_gb_pie_fpga_hyper310_rom_with_fake_keys.signed.bin
+# ft_personalize_gb_pie_silicon_creator.signed.bin
+# ft_personalize_gb_pixel_fpga_cw340_rom_with_fake_keys.signed.bin
+# ft_personalize_gb_pixel_fpga_hyper310_rom_with_fake_keys.signed.bin
+# ft_personalize_gb_pixel_silicon_creator.signed.bin

sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl

@@ -31,6 +31,7 @@ EARLGREY_SKUS = {
         "ownership_libs": ["//sw/device/silicon_creator/lib/ownership:test_owner"],
         "rom_ext": "//sw/device/silicon_creator/rom_ext:rom_ext_dice_x509_slot_b",
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
+        "ecdsa_key": {},
     },
     # OTP Config: Emulation; DICE Certs: CWT; Additional Certs: None
     "emulation_dice_cwt": {
@@ -43,6 +44,7 @@ EARLGREY_SKUS = {
         "ownership_libs": ["//sw/device/silicon_creator/lib/ownership:test_owner"],
         "rom_ext": "//sw/device/silicon_creator/rom_ext:rom_ext_dice_cwt_slot_b",
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
+        "ecdsa_key": {},
     },
     # OTP Config: Emulation; DICE Certs: X.509; Additional Certs: TPM EK
     "emulation_tpm": {
@@ -58,9 +60,21 @@ EARLGREY_SKUS = {
         "ownership_libs": ["//sw/device/silicon_creator/lib/ownership:test_owner"],
         "rom_ext": "//sw/device/silicon_creator/rom_ext:rom_ext_dice_x509_slot_b",
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
+        "ecdsa_key": {},
     },
     # TODO(cfrantz, ttrippel): Add SIVAL configs when we sign perso and
     # ROM_EXT binaries.
+    #"sival": {
+    #    "otp": "sival",
+    #    "dice_libs": ["//sw/device/silicon_creator/lib/cert:dice"],
+    #    "host_ext_libs": ["@provisioning_exts//:default_ft_ext_lib"],
+    #    "device_ext_libs": ["@provisioning_exts//:default_perso_fw_ext"],
+    #    "ownership_libs": ["//sw/device/silicon_creator/rom_ext/sival:sival_owner"],
+    #    "rom_ext": "//sw/device/silicon_creator/rom_ext/sival/binaries:rom_ext_dice_x509_prod",
+    #    "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
+    #    "ecdsa_key": {"//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:keyset": "sv00-earlgrey-a1-root-ecdsa-prod-0"},
+    #    "perso_bin": "//sw/device/silicon_creator/manuf/base/binaries:ft_personalize_sival",
+    #},
 } | EXT_EARLGREY_SKUS
 
 _DEVICE_ID_AND_TEST_TOKENS = """

sw/device/silicon_creator/manuf/base/signatures/BUILD

@@ -0,0 +1,15 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
+
+filegroup(
+    name = "ecdsa_signatures",
+    srcs = glob(["*.ecdsa_sig"]),
+)
+
+filegroup(
+    name = "spx_signatures",
+    srcs = glob(["*.spx_sig"]),
+)

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_cros_fpga_cw340_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1 @@
+���Y�/#�Hcz�-?:�p�n�2m��eSY��r��L1���>�O�?2���p���¹�P�Pn

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_cros_fpga_hyper310_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1,2 @@
+:	Ѭ����k	��vwؼn��r�N{��ᓊ#�cX�r�%�`
ƔR�
+(+�RJK�!0

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_cros_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+搀�,�;�	��z�X�NE���:W\�Z�݋�EC���߁�R�Q�&Gi�!^���d��r�²q

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_pie_fpga_cw340_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1 @@
+�/������r�sؕVL�����A��y?TTFu�����׺�%[�M�r�W�\v՘i����

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_pie_fpga_hyper310_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1 @@
+�)��"f��u|*���ڢK�
i�=�����39X8�����}H����(���v�%�������d~

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_pie_silicon_creator.ecdsa_sig

@@ -0,0 +1,2 @@
+�(,W�%륬ؽ��dy\�4/������{}e���kP�h}�7_�?�^9ρ7[�ł�S
+�R�
CdE

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_pixel_fpga_cw340_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1 @@
+�H�\��*qy�Y*lj!5���Rp�v�8�~������#}�߻}mf�
���R�y��6Fzհ�

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_pixel_fpga_hyper310_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1 @@
+w���5X��W;ƴ܈ �+�=3�lAW�H��"�Ôz\��Ƒe���1;ѵr6��Sۚƀd�Ϫ

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_gb_pixel_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+�����()��Ҁ)��vyq��*�OHP�	h$�)���Jr�X��bl(V��2ma�����

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_sival_fpga_cw340_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1,2 @@
+�RJNwchҌ��r�=p0Q4�/�'b�P=�GL��=�����F7mo�+fmq��pb�
+��

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_sival_fpga_hyper310_rom_with_fake_keys.ecdsa_sig

@@ -0,0 +1 @@
+�p�6��3ԝ-=��v���Ev��N���6;q�ȇ8�6dJ��S�>1l5=�b$���0��k����

sw/device/silicon_creator/manuf/base/signatures/ft_personalize_sival_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+�t!h�L��}��F��b�����!���Js��ZE{C�㉡�-�EcS'��g��}{2k�~ P�C;

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_a_fpga_cw310.ecdsa_sig

@@ -0,0 +1 @@
+�����~��g~�����b@I��U���4���SO��=Y�Ms��{2O��c�zHD�§j�e

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_a_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+ࣖ[�2o���癝ڢ�Sd�cb$�RP����Ax�"�XH��k;�)PfE{�;�y����	

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_b_fpga_cw310.ecdsa_sig

@@ -0,0 +1 @@
+��Y�?\I�h7#E���b��Lk,��IQ�����k�g{x��G���*�~��>�����Բ�|��P

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_b_fpga_cw340.ecdsa_sig

@@ -0,0 +1,2 @@
+ ! ���!��yL8�z���+?���Yz
+|h�V-���!�6|^��1�5[��q��Z��A:

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_b_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+��\]�ї}o6���T~�ڊ"^B��ʰ,;ڏ�r6Tڢ�N%Y%zl��$���?��

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw340.ecdsa_sig

@@ -0,0 +1 @@
+-�C]��E���RuОy��k�l�[B�W�����j[���z5�KJ�͹P�mWD�8+���b}��V

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_virtual_silicon_creator.ecdsa_sig

@@ -0,0 +1,2 @@
+2���gp��sԴ��2��1����M�����dPb�]����d�ԝ_�T�O�
+�b8�

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_a_fpga_cw340.ecdsa_sig

@@ -0,0 +1 @@
+������=ͤ)�U����K�q��q�K���9��p�u�Lm��>dL�D>�A�w��

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_a_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+~H�J��s��)���6`���i����J�������,���s8;n�8�+�� �&���1BE��

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_b_fpga_cw340.ecdsa_sig

@@ -0,0 +1,2 @@
+���υ.�ʋo�����a���$2.�_wj�a
+!*�ƟF43�^:+����[�s���ۻ"`

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_virtual_silicon_creator.ecdsa_sig

@@ -0,0 +1 @@
+f!w%���A�T�3	cҗcO��'56!������r�(\J�[&|ݥ`ΰ-�n��CA��