[perso] Initialize ownership during perso

1. Initialize the ownership sealing key during the UDS stage of keymgr
   setup.
2. Call the `sku_creator_owner_init` function to initialize the
   ownership INFO page.
3. Link in the per-sku `<sku>_owner` implementations of
   `sku_creator_owner_init`.

Signed-off-by: Chris Frantz <[email protected]>

sw/device/silicon_creator/manuf/base/BUILD

@@ -321,6 +321,7 @@ manifest(d = {
             "//sw/device/lib/testing/test_framework:status",
             "//sw/device/lib/testing/test_framework:ujson_ottf",
             "//sw/device/silicon_creator/lib:attestation",
+            "//sw/device/silicon_creator/lib:boot_data",
             "//sw/device/silicon_creator/lib:otbn_boot_services",
             "//sw/device/silicon_creator/lib/base:util",
             "//sw/device/silicon_creator/lib/cert",
@@ -331,10 +332,12 @@ manifest(d = {
             "//sw/device/silicon_creator/lib/drivers:hmac",
             "//sw/device/silicon_creator/lib/drivers:keymgr",
             "//sw/device/silicon_creator/lib/drivers:kmac",
+            "//sw/device/silicon_creator/lib/ownership:owner_block",
+            "//sw/device/silicon_creator/lib/ownership:ownership_key",
             "//sw/device/silicon_creator/manuf/lib:flash_info_fields",
             "//sw/device/silicon_creator/manuf/lib:individualize_sw_cfg_{}".format(config["otp"]),
             "//sw/device/silicon_creator/manuf/lib:personalize",
-        ] + config["dice_libs"] + config["device_ext_libs"],
+        ] + config["dice_libs"] + config["device_ext_libs"] + config.get("ownership_libs", []),
     )
     for sku, config in EARLGREY_SKUS.items()
 ]

sw/device/silicon_creator/manuf/base/ft_personalize.c

@@ -21,6 +21,7 @@
 #include "sw/device/silicon_creator/lib/attestation.h"
 #include "sw/device/silicon_creator/lib/base/boot_measurements.h"
 #include "sw/device/silicon_creator/lib/base/util.h"
+#include "sw/device/silicon_creator/lib/boot_data.h"
 #include "sw/device/silicon_creator/lib/cert/cdi_0.h"  // Generated.
 #include "sw/device/silicon_creator/lib/cert/cdi_1.h"  // Generated.
 #include "sw/device/silicon_creator/lib/cert/cert.h"
@@ -34,6 +35,8 @@
 #include "sw/device/silicon_creator/lib/error.h"
 #include "sw/device/silicon_creator/lib/manifest.h"
 #include "sw/device/silicon_creator/lib/otbn_boot_services.h"
+#include "sw/device/silicon_creator/lib/ownership/owner_block.h"
+#include "sw/device/silicon_creator/lib/ownership/ownership_key.h"
 #include "sw/device/silicon_creator/manuf/base/perso_tlv_data.h"
 #include "sw/device/silicon_creator/manuf/base/personalize_ext.h"
 #include "sw/device/silicon_creator/manuf/lib/flash_info_fields.h"
@@ -151,6 +154,16 @@ static cert_flash_info_layout_t cert_flash_layout[] = {
     },
 };
 
+/**
+ * Ownership initialization function.
+ */
+OT_WEAK rom_error_t
+sku_creator_owner_init(boot_data_t *bootdata, owner_config_t *config,
+                       owner_application_keyring_t *keyring) {
+  LOG_ERROR("No ownership initialization");
+  return kErrorOk;
+}
+
 static void log_self_hash(void) {
   // clang-format off
   LOG_INFO("Personalization Firmware Hash: 0x%08x%08x%08x%08x%08x%08x%08x%08x",
@@ -500,6 +513,9 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
       kDiceCertFormat, all_certs, curr_cert_size, &perso_blob_to_host));
   LOG_INFO("Generated UDS certificate.");
 
+  ownership_seal_init();
+  LOG_INFO("Initialized ownership sealing in UDS state.");
+
   // Generate CDI_0 keys and cert.
   curr_cert_size = kCdi0MaxCertSizeBytes;
   compute_keymgr_owner_int_binding(&certgen_inputs);
@@ -544,6 +560,18 @@ static status_t personalize_gen_dice_certificates(ujson_t *uj) {
   return OK_STATUS();
 }
 
+static status_t install_owner(void) {
+  boot_data_t boot_data;
+  TRY(boot_data_read(kLcStateProd, &boot_data));
+
+  owner_config_t config;
+  owner_config_default(&config);
+  owner_application_keyring_t keyring = {0};
+
+  TRY(sku_creator_owner_init(&boot_data, &config, &keyring));
+  return OK_STATUS();
+}
+
 // Returns how much data is left in the perso blob receive buffer (i.e., `body`
 // field). Useful when scanning the receive buffer containing perso LTV objects.
 static size_t max_available(void) {
@@ -815,6 +843,7 @@ bool test_main(void) {
   CHECK_STATUS_OK(lc_ctrl_testutils_operational_state_check(&lc_ctrl));
   CHECK_STATUS_OK(personalize_otp_and_flash_secrets(&uj));
   CHECK_STATUS_OK(personalize_gen_dice_certificates(&uj));
+  CHECK_STATUS_OK(install_owner());
 
   personalize_extension_pre_endorse_t pre_endorse = {
       .uj = &uj,

sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl

@@ -26,6 +26,7 @@ EARLGREY_SKUS = {
         "dice_libs": ["//sw/device/silicon_creator/lib/cert:dice"],
         "host_ext_libs": ["@provisioning_exts//:default_ft_ext_lib"],
         "device_ext_libs": ["@provisioning_exts//:default_perso_fw_ext"],
+        "ownership_libs": ["//sw/device/silicon_creator/rom_ext/sival:sival_owner"],
         "rom_ext": "//sw/device/silicon_creator/rom_ext/sival:rom_ext_fake_prod_signed_slot_b",
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
     },
@@ -48,6 +49,7 @@ EARLGREY_SKUS = {
             "//sw/device/silicon_creator/lib/cert:tpm_ek_template_library",
             "//sw/device/silicon_creator/manuf/base:tpm_perso_fw_ext",
         ],
+        "ownership_libs": ["//sw/device/silicon_creator/rom_ext/sival:sival_owner"],
         "rom_ext": "//sw/device/silicon_creator/rom_ext/sival:rom_ext_fake_prod_signed_slot_b",
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
     },