Skip to content

Commit

Permalink
[rom_ext] Add a ROM_EXT for the prodc customer
Browse files Browse the repository at this point in the history
Signed-off-by: Chris Frantz <[email protected]>
  • Loading branch information
cfrantz committed Jan 3, 2024
1 parent 4842002 commit 0b7af69
Show file tree
Hide file tree
Showing 7 changed files with 454 additions and 0 deletions.
137 changes: 137 additions & 0 deletions sw/device/silicon_creator/rom_ext/prodc/BUILD
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
# Copyright lowRISC contributors.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

load("//rules:const.bzl", "CONST", "hex")
load("//rules:manifest.bzl", "manifest")
load("//rules/opentitan:defs.bzl", "opentitan_binary")
load("//rules:signing.bzl", "offline_presigning_artifacts", "offline_signature_attach")
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")

package(default_visibility = ["//visibility:public"])

# In order to prevent the linker from prematurely discarding symbols, we
# need to give the CRT library last.
LINK_ORDER = [
"$(location //sw/device/silicon_creator/rom_ext)",
"$(location //sw/device/lib/crt)",
]

manifest(d = {
"name": "manifest_prodc",
"address_translation": hex(CONST.HARDENED_FALSE),
"identifier": hex(CONST.ROM_EXT),
"manuf_state_creator": hex(CONST.MANUF_STATE.PRODC),
"visibility": ["//visibility:public"],
})

# To test that the fake-signed ProdC ROM_EXT can boot, you need a bitstream
# with the OTP word CREATOR_SW_CCFG_MANUF_STATE set to `PRODC` (as above
# in the manifest definition). You can manually create such a bitstream with:
#
# bazel build //hw/bitstream/universal:splice --//hw/bitstream/universal:env=//hw/top_earlgrey:fpga_cw310_sival
opentitan_binary(
name = "rom_ext_fake_prod_signed_slot_a",
exec_env = [
"//hw/top_earlgrey:silicon_creator",
"//hw/top_earlgrey:fpga_cw310",
"//hw/top_earlgrey:sim_dv_base",
"//hw/top_earlgrey:sim_verilator_base",
],
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_a",
linkopts = LINK_ORDER,
manifest = ":manifest_prodc",
rsa_key = {"//sw/device/silicon_creator/rom/keys/fake/rsa:prod_private_key_2": "prod_key_2"},
deps = [
"//sw/device/lib/crt",
"//sw/device/silicon_creator/lib:manifest_def",
"//sw/device/silicon_creator/rom_ext",
"//sw/device/silicon_creator/rom_ext/keys/fake",
],
)

opentitan_binary(
name = "rom_ext_fake_prod_signed_slot_b",
exec_env = [
"//hw/top_earlgrey:silicon_creator",
"//hw/top_earlgrey:fpga_cw310",
"//hw/top_earlgrey:sim_dv_base",
"//hw/top_earlgrey:sim_verilator_base",
],
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_b",
linkopts = LINK_ORDER,
manifest = ":manifest_prodc",
rsa_key = {"//sw/device/silicon_creator/rom/keys/fake/rsa:prod_private_key_2": "prod_key_2"},
deps = [
"//sw/device/lib/crt",
"//sw/device/silicon_creator/lib:manifest_def",
"//sw/device/silicon_creator/rom_ext",
"//sw/device/silicon_creator/rom_ext/keys/fake",
],
)

opentitan_binary(
name = "rom_ext_real_prod_signed_slot_a",
exec_env = [
"//hw/top_earlgrey:silicon_creator",
"//hw/top_earlgrey:fpga_cw310",
],
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_a",
linkopts = LINK_ORDER,
deps = [
"//sw/device/lib/crt",
"//sw/device/silicon_creator/lib:manifest_def",
"//sw/device/silicon_creator/rom_ext",
"//sw/device/silicon_creator/rom_ext/prodc/keys",
],
)

opentitan_binary(
name = "rom_ext_real_prod_signed_slot_b",
exec_env = [
"//hw/top_earlgrey:silicon_creator",
"//hw/top_earlgrey:fpga_cw310",
],
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_b",
linkopts = LINK_ORDER,
deps = [
"//sw/device/lib/crt",
"//sw/device/silicon_creator/lib:manifest_def",
"//sw/device/silicon_creator/rom_ext",
"//sw/device/silicon_creator/rom_ext/prodc/keys",
],
)

offline_presigning_artifacts(
name = "presigning",
testonly = True,
srcs = [
":rom_ext_real_prod_signed_slot_a",
":rom_ext_real_prod_signed_slot_b",
],
manifest = ":manifest_prodc",
rsa_key = {
"//sw/device/silicon_creator/rom/keys/real/rsa:keyset": "earlgrey_a0_prod_2",
},
tags = ["manual"],
)

pkg_tar(
name = "digests",
testonly = True,
srcs = [":presigning"],
mode = "0644",
tags = ["manual"],
)

offline_signature_attach(
name = "signed",
testonly = True,
srcs = [
":presigning",
],
rsa_signatures = [
"//sw/device/silicon_creator/rom_ext/prodc/signatures:rsa_signatures",
],
tags = ["manual"],
)
56 changes: 56 additions & 0 deletions sw/device/silicon_creator/rom_ext/prodc/keys/BUILD
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# Copyright lowRISC contributors.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

load("//rules:signing.bzl", "keyset")

package(default_visibility = ["//visibility:public"])

cc_library(
name = "keys",
srcs = [
"sigverify_rsa_keys_prodc.c",
"//sw/device/silicon_creator/rom_ext:sigverify_keys.h",
],
hdrs = [
"earlgrey_z1_prodc_1.h",
],
deps = [
"//hw/ip/otp_ctrl/data:otp_ctrl_regs",
"//sw/device/lib/base:macros",
"//sw/device/silicon_creator/lib/sigverify",
],
)

cc_test(
name = "keys_unittest",
srcs = [
"sigverify_rsa_keys_prodc_unittest.cc",
"//sw/device/silicon_creator/lib/sigverify:rsa_verify.c",
"//sw/device/silicon_creator/lib/sigverify:rsa_verify.h",
],
deps = [
":keys",
"//sw/device/lib/base:hardened",
"//sw/device/silicon_creator/lib/drivers:hmac",
"//sw/device/silicon_creator/lib/drivers:lifecycle",
"//sw/device/silicon_creator/lib/drivers:otp",
"//sw/device/silicon_creator/lib/sigverify:mod_exp_ibex_device_library",
"//sw/device/silicon_creator/lib/sigverify:mod_exp_otbn",
"//sw/device/silicon_creator/lib/sigverify:rsa_key",
"//sw/device/silicon_creator/lib/sigverify:rsa_verify",
"//sw/device/silicon_creator/rom_ext:sigverify_keys",
"//sw/device/silicon_creator/testing:rom_test",
"@googletest//:gtest_main",
],
)

keyset(
name = "keyset",
build_setting_default = "",
keys = {
"earlgrey_z1_prodc_1.der": "earlgrey_z1_prodc_1",
},
profile = "earlgrey_z1_prodc",
tool = "//signing:token",
)
Binary file not shown.
39 changes: 39 additions & 0 deletions sw/device/silicon_creator/rom_ext/prodc/keys/earlgrey_z1_prodc_1.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_ROM_EXT_PRODC_KEYS_EARLGREY_Z1_PRODC_1_H_
#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_ROM_EXT_PRODC_KEYS_EARLGREY_Z1_PRODC_1_H_

#define EARLGREY_Z1_PRODC_1 \
{ \
.n = \
{{ \
0xd7af0dd5, 0x0a2296ff, 0x03627e28, 0x858e557a, 0xf31e2246, \
0x1972ff61, 0xfa972b63, 0x2f755cb8, 0xcbb7f242, 0x8b14a139, \
0xaf2ef152, 0x4f2991a6, 0x2b647171, 0xd9778edb, 0x434acb79, \
0x4fde9aa1, 0xa7be6fa0, 0xfd1e2d4f, 0xc06d497c, 0x6385b2ec, \
0x6b1799af, 0x3eedaf0f, 0x58a80508, 0xf9f991f3, 0xf8abee4c, \
0x3517ba93, 0x0f625565, 0x2c02427a, 0x3dce3809, 0x072194cd, \
0xe455076c, 0xab1189f1, 0x29afca62, 0xe487061c, 0xeef2255d, \
0x91c96072, 0xad54cb22, 0xe63ea5ff, 0xc6cf64ef, 0x66d27d1d, \
0x396dd4e3, 0x5bbdb7ed, 0xf7c805cf, 0xa70a282f, 0x19a8b307, \
0x6dd3008b, 0x686e3788, 0x0ccfdb19, 0xc47a821a, 0x83c157f5, \
0x52fea68b, 0xd645f4d2, 0x206ed7cb, 0x899c7b1b, 0x9a777335, \
0x0bc65c6b, 0x8fcea773, 0xd1799e75, 0xbc23d660, 0x0e8c18a8, \
0x6527b5d4, 0x3eb7e278, 0x93546a7e, 0x67deba97, 0x9433cb40, \
0x6b330bdf, 0xcfe52600, 0xa02f8cc2, 0xea50b2da, 0x549891cb, \
0x87735ceb, 0xf257b804, 0xd96c7566, 0x4dcf77da, 0xe38b464f, \
0xb6c9afca, 0xeab879b2, 0x3fb1ed41, 0xe1f20209, 0x2819397f, \
0x3c6ef023, 0x0c754ffe, 0x61512fb7, 0x448b297e, 0xba5af191, \
0x88dd9d71, 0xd6e05fa9, 0x5266d4a8, 0x005aa42e, 0x58cbf6c4, \
0x65df874e, 0x0afcf690, 0x2b24b10b, 0xf3f422ab, 0x55933e0c, \
0xba900bcb, \
}}, \
.n0_inv = { \
0x52763c83, 0x4c89d945, 0x7dc117bd, 0x923a4240, \
0x88605510, 0x7f38dd72, 0xa3963a0e, 0x865793d2, \
}, \
}

#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_ROM_EXT_PRODC_KEYS_EARLGREY_Z1_PRODC_1_H_
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

#include "sw/device/lib/base/macros.h"
#include "sw/device/silicon_creator/rom_ext/prodc/keys/earlgrey_z1_prodc_1.h"
#include "sw/device/silicon_creator/rom_ext/sigverify_keys.h"

/**
* Number of RSA public keys.
*/
enum {
kSigverifyRsaKeysCnt_ = 1,
};
const size_t kSigverifyRsaKeysCnt = kSigverifyRsaKeysCnt_;

/**
* Step size to use when checking RSA public keys.
*
* This must be coprime with and less than `kSigverifyNumRsaKeys`.
* Note: Step size is not applicable when `kSigverifyNumRsaKeys` is 1.
*/
const size_t kSigverifyRsaKeysStep = 1;

/**
* Fake public keys for signature verification in tests.
*
* Please see sw/device/silicon_creator/rom/keys/README.md for more
* details.
*/
const sigverify_rom_ext_key_t kSigverifyRsaKeys[kSigverifyRsaKeysCnt_] = {
{
.key = EARLGREY_Z1_PRODC_1,
.key_type = kSigverifyKeyTypeFirmwareProd,
},
};
Loading

0 comments on commit 0b7af69

Please sign in to comment.