Skip to content

Commit

Permalink
[signing] Add test_owner SPX+ keys
Browse files Browse the repository at this point in the history 
1. Generate SPHINCS+ keys for the test_owner.
2. Fix the signing rules to sign keys from a KeyInfo provider.

Signed-off-by: Chris Frantz <[email protected]>
  • Loading branch information
@cfrantz
cfrantz committed Nov 12, 2024
1 parent 12df1fd commit 01fcb50
Show file tree
Hide file tree
Showing 8 changed files with 99 additions and 3 deletions.
20 changes: 18 additions & 2 deletions rules/signing.bzl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -188,8 +188,24 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, ecdsa_key, rsa_key,

spx_args = []
if spx_key:
spx_args.append("--spx-key={}".format(spx_key.file.path))
inputs.append(spx_key.file)
# Check if the provider is KeyInfo or KeySetInfo
info = getattr(spx_key, "info", None)
selected_spx_key = getattr(spx_key, "file", None)
if info:
# Provider is KeyInfo; get the key file.
if info.private_key:
selected_spx_key = spx_key.info.private_key
elif info.pub_key:
selected_spx_key = spx_key.info.pub_key
else:
fail("Expected a SPHINCS+ key with a private_key or pub_key attributes.")
elif selected_spx_key:
# Provider is KeySetInfo; we already have the key file.
pass
else:
fail("Expected either KeyInfo or KeySetInfo; got neither")
spx_args.append("--spx-key={}".format(selected_spx_key.path))
inputs.append(selected_spx_key)
ctx.actions.run(
outputs = [pre],
inputs = inputs,
Expand Down
24 changes: 23 additions & 1 deletion sw/device/silicon_creator/lib/ownership/keys/fake/BUILD
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

load("//rules/opentitan:keyutils.bzl", "key_ecdsa")
load("//rules/opentitan:keyutils.bzl", "key_ecdsa", "key_sphincs_plus")

package(default_visibility = ["//visibility:public"])

Expand All @@ -12,7 +12,9 @@ cc_library(
hdrs = [
"activate_ecdsa_p256.h",
"app_dev_ecdsa_p256.h",
"app_dev_spx.h",
"app_prod_ecdsa_p256.h",
"app_prod_spx.h",
"app_test_ecdsa_p256.h",
"owner_ecdsa_p256.h",
"unlock_ecdsa_p256.h",
Expand Down Expand Up @@ -87,6 +89,15 @@ key_ecdsa(
type = "ProdKey",
)

key_sphincs_plus(
name = "app_prod_spx",
config = "Sha2128s",
method = "local",
private_key = "app_prod_spx.pem",
pub_key = "app_prod_spx.pub.pem",
type = "ProdKey",
)

key_ecdsa(
name = "app_dev_ecdsa",
config = "EcdsaP256",
Expand All @@ -96,6 +107,17 @@ key_ecdsa(
type = "DevKey",
)

key_sphincs_plus(
name = "app_dev_spx",
# TODO(cfrantz): Change this to Prehash after putting
# the prehash infrastructure in place.
config = "Sha2128s",
method = "local",
private_key = "app_dev_spx.pem",
pub_key = "app_dev_spx.pub.pem",
type = "DevKey",
)

key_ecdsa(
name = "app_test_ecdsa",
config = "EcdsaP256",
Expand Down
22 changes: 22 additions & 0 deletions sw/device/silicon_creator/lib/ownership/keys/fake/app_dev_spx.h
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
// Copyright lowRISC contributors (OpenTitan project).
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_OWNERSHIP_KEYS_FAKE_APP_DEV_SPX_H_
#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_OWNERSHIP_KEYS_FAKE_APP_DEV_SPX_H_

#define APP_DEV_SPX \
{ \
.data = { \
2635496609, \
3094453936, \
1095047114, \
875270085, \
1206311292, \
2547787469, \
354526470, \
195185787 \
} \
}

#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_OWNERSHIP_KEYS_FAKE_APP_DEV_SPX_H_
4 changes: 4 additions & 0 deletions sw/device/silicon_creator/lib/ownership/keys/fake/app_dev_spx.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
-----BEGIN RAW:SPHINCS+_SHA2_128s_simple PRIVATE KEY-----
u7uaeZ+G20io4GS4Jov0um6HEHEFjHuQDuYn6l6eLwqhfBadsJ5xuMoXRUHFjys0
fNnmR80m3JcGpSEVe0yiCw==
-----END RAW:SPHINCS+_SHA2_128s_simple PRIVATE KEY-----
3 changes: 3 additions & 0 deletions sw/device/silicon_creator/lib/ownership/keys/fake/app_dev_spx.pub.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
-----BEGIN RAW:SPHINCS+_SHA2_128s_simple PUBLIC KEY-----
oXwWnbCecbjKF0VBxY8rNHzZ5kfNJtyXBqUhFXtMogs=
-----END RAW:SPHINCS+_SHA2_128s_simple PUBLIC KEY-----
22 changes: 22 additions & 0 deletions sw/device/silicon_creator/lib/ownership/keys/fake/app_prod_spx.h
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
// Copyright lowRISC contributors (OpenTitan project).
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_OWNERSHIP_KEYS_FAKE_APP_PROD_SPX_H_
#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_OWNERSHIP_KEYS_FAKE_APP_PROD_SPX_H_

#define APP_PROD_SPX \
{ \
.data = { \
342329895, \
2013107991, \
2297648695, \
3306667688, \
2064727507, \
1555686114, \
1109351432, \
3336892138 \
} \
}

#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_OWNERSHIP_KEYS_FAKE_APP_PROD_SPX_H_
4 changes: 4 additions & 0 deletions sw/device/silicon_creator/lib/ownership/keys/fake/app_prod_spx.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
-----BEGIN RAW:SPHINCS+_SHA2_128s_simple PRIVATE KEY-----
1s9ET2uLFvVqk3uY41Pnco52JCezKO/cd8pveYWf4hYnimcUF5f9dzdW84iovhfF
0z0Re+LiuVwIXB9C6u7kxg==
-----END RAW:SPHINCS+_SHA2_128s_simple PRIVATE KEY-----
3 changes: 3 additions & 0 deletions sw/device/silicon_creator/lib/ownership/keys/fake/app_prod_spx.pub.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
-----BEGIN RAW:SPHINCS+_SHA2_128s_simple PUBLIC KEY-----
J4pnFBeX/Xc3VvOIqL4XxdM9EXvi4rlcCFwfQuru5MY=
-----END RAW:SPHINCS+_SHA2_128s_simple PUBLIC KEY-----

0 comments on commit 01fcb50

Please sign in to comment.