-
Notifications
You must be signed in to change notification settings - Fork 792
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[rom_ext] Add a ROM_EXT for the
prodc
customer
Signed-off-by: Chris Frantz <[email protected]>
- Loading branch information
Showing
7 changed files
with
454 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
# Copyright lowRISC contributors. | ||
# Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
load("//rules:const.bzl", "CONST", "hex") | ||
load("//rules:manifest.bzl", "manifest") | ||
load("//rules/opentitan:defs.bzl", "opentitan_binary") | ||
load("//rules:signing.bzl", "offline_presigning_artifacts", "offline_signature_attach") | ||
load("@rules_pkg//pkg:tar.bzl", "pkg_tar") | ||
|
||
package(default_visibility = ["//visibility:public"]) | ||
|
||
# In order to prevent the linker from prematurely discarding symbols, we | ||
# need to give the CRT library last. | ||
LINK_ORDER = [ | ||
"$(location //sw/device/silicon_creator/rom_ext)", | ||
"$(location //sw/device/lib/crt)", | ||
] | ||
|
||
manifest(d = { | ||
"name": "manifest_prodc", | ||
"address_translation": hex(CONST.HARDENED_FALSE), | ||
"identifier": hex(CONST.ROM_EXT), | ||
"manuf_state_creator": hex(CONST.MANUF_STATE.PRODC), | ||
"visibility": ["//visibility:public"], | ||
}) | ||
|
||
# To test that the fake-signed ProdC ROM_EXT can boot, you need a bitstream | ||
# with the OTP word CREATOR_SW_CCFG_MANUF_STATE set to `PRODC` (as above | ||
# in the manifest definition). You can manually create such a bitstream with: | ||
# | ||
# bazel build //hw/bitstream/universal:splice --//hw/bitstream/universal:env=//hw/top_earlgrey:fpga_cw310_sival | ||
opentitan_binary( | ||
name = "rom_ext_fake_prod_signed_slot_a", | ||
exec_env = [ | ||
"//hw/top_earlgrey:silicon_creator", | ||
"//hw/top_earlgrey:fpga_cw310", | ||
"//hw/top_earlgrey:sim_dv_base", | ||
"//hw/top_earlgrey:sim_verilator_base", | ||
], | ||
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_a", | ||
linkopts = LINK_ORDER, | ||
manifest = ":manifest_prodc", | ||
rsa_key = {"//sw/device/silicon_creator/rom/keys/fake/rsa:prod_private_key_2": "prod_key_2"}, | ||
deps = [ | ||
"//sw/device/lib/crt", | ||
"//sw/device/silicon_creator/lib:manifest_def", | ||
"//sw/device/silicon_creator/rom_ext", | ||
"//sw/device/silicon_creator/rom_ext/keys/fake", | ||
], | ||
) | ||
|
||
opentitan_binary( | ||
name = "rom_ext_fake_prod_signed_slot_b", | ||
exec_env = [ | ||
"//hw/top_earlgrey:silicon_creator", | ||
"//hw/top_earlgrey:fpga_cw310", | ||
"//hw/top_earlgrey:sim_dv_base", | ||
"//hw/top_earlgrey:sim_verilator_base", | ||
], | ||
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_b", | ||
linkopts = LINK_ORDER, | ||
manifest = ":manifest_prodc", | ||
rsa_key = {"//sw/device/silicon_creator/rom/keys/fake/rsa:prod_private_key_2": "prod_key_2"}, | ||
deps = [ | ||
"//sw/device/lib/crt", | ||
"//sw/device/silicon_creator/lib:manifest_def", | ||
"//sw/device/silicon_creator/rom_ext", | ||
"//sw/device/silicon_creator/rom_ext/keys/fake", | ||
], | ||
) | ||
|
||
opentitan_binary( | ||
name = "rom_ext_real_prod_signed_slot_a", | ||
exec_env = [ | ||
"//hw/top_earlgrey:silicon_creator", | ||
"//hw/top_earlgrey:fpga_cw310", | ||
], | ||
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_a", | ||
linkopts = LINK_ORDER, | ||
deps = [ | ||
"//sw/device/lib/crt", | ||
"//sw/device/silicon_creator/lib:manifest_def", | ||
"//sw/device/silicon_creator/rom_ext", | ||
"//sw/device/silicon_creator/rom_ext/prodc/keys", | ||
], | ||
) | ||
|
||
opentitan_binary( | ||
name = "rom_ext_real_prod_signed_slot_b", | ||
exec_env = [ | ||
"//hw/top_earlgrey:silicon_creator", | ||
"//hw/top_earlgrey:fpga_cw310", | ||
], | ||
linker_script = "//sw/device/silicon_creator/rom_ext:ld_slot_b", | ||
linkopts = LINK_ORDER, | ||
deps = [ | ||
"//sw/device/lib/crt", | ||
"//sw/device/silicon_creator/lib:manifest_def", | ||
"//sw/device/silicon_creator/rom_ext", | ||
"//sw/device/silicon_creator/rom_ext/prodc/keys", | ||
], | ||
) | ||
|
||
offline_presigning_artifacts( | ||
name = "presigning", | ||
testonly = True, | ||
srcs = [ | ||
":rom_ext_real_prod_signed_slot_a", | ||
":rom_ext_real_prod_signed_slot_b", | ||
], | ||
manifest = ":manifest_prodc", | ||
rsa_key = { | ||
"//sw/device/silicon_creator/rom/keys/real/rsa:keyset": "earlgrey_a0_prod_2", | ||
}, | ||
tags = ["manual"], | ||
) | ||
|
||
pkg_tar( | ||
name = "digests", | ||
testonly = True, | ||
srcs = [":presigning"], | ||
mode = "0644", | ||
tags = ["manual"], | ||
) | ||
|
||
offline_signature_attach( | ||
name = "signed", | ||
testonly = True, | ||
srcs = [ | ||
":presigning", | ||
], | ||
rsa_signatures = [ | ||
"//sw/device/silicon_creator/rom_ext/prodc/signatures:rsa_signatures", | ||
], | ||
tags = ["manual"], | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# Copyright lowRISC contributors. | ||
# Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
load("//rules:signing.bzl", "keyset") | ||
|
||
package(default_visibility = ["//visibility:public"]) | ||
|
||
cc_library( | ||
name = "keys", | ||
srcs = [ | ||
"sigverify_rsa_keys_prodc.c", | ||
"//sw/device/silicon_creator/rom_ext:sigverify_keys.h", | ||
], | ||
hdrs = [ | ||
"earlgrey_z1_prodc_1.h", | ||
], | ||
deps = [ | ||
"//hw/ip/otp_ctrl/data:otp_ctrl_regs", | ||
"//sw/device/lib/base:macros", | ||
"//sw/device/silicon_creator/lib/sigverify", | ||
], | ||
) | ||
|
||
cc_test( | ||
name = "keys_unittest", | ||
srcs = [ | ||
"sigverify_rsa_keys_prodc_unittest.cc", | ||
"//sw/device/silicon_creator/lib/sigverify:rsa_verify.c", | ||
"//sw/device/silicon_creator/lib/sigverify:rsa_verify.h", | ||
], | ||
deps = [ | ||
":keys", | ||
"//sw/device/lib/base:hardened", | ||
"//sw/device/silicon_creator/lib/drivers:hmac", | ||
"//sw/device/silicon_creator/lib/drivers:lifecycle", | ||
"//sw/device/silicon_creator/lib/drivers:otp", | ||
"//sw/device/silicon_creator/lib/sigverify:mod_exp_ibex_device_library", | ||
"//sw/device/silicon_creator/lib/sigverify:mod_exp_otbn", | ||
"//sw/device/silicon_creator/lib/sigverify:rsa_key", | ||
"//sw/device/silicon_creator/lib/sigverify:rsa_verify", | ||
"//sw/device/silicon_creator/rom_ext:sigverify_keys", | ||
"//sw/device/silicon_creator/testing:rom_test", | ||
"@googletest//:gtest_main", | ||
], | ||
) | ||
|
||
keyset( | ||
name = "keyset", | ||
build_setting_default = "", | ||
keys = { | ||
"earlgrey_z1_prodc_1.der": "earlgrey_z1_prodc_1", | ||
}, | ||
profile = "earlgrey_z1_prodc", | ||
tool = "//signing:token", | ||
) |
Binary file added
BIN
+398 Bytes
sw/device/silicon_creator/rom_ext/prodc/keys/earlgrey_z1_prodc_1.der
Binary file not shown.
39 changes: 39 additions & 0 deletions
39
sw/device/silicon_creator/rom_ext/prodc/keys/earlgrey_z1_prodc_1.h
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
// Copyright lowRISC contributors. | ||
// Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
|
||
#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_ROM_EXT_PRODC_KEYS_EARLGREY_Z1_PRODC_1_H_ | ||
#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_ROM_EXT_PRODC_KEYS_EARLGREY_Z1_PRODC_1_H_ | ||
|
||
#define EARLGREY_Z1_PRODC_1 \ | ||
{ \ | ||
.n = \ | ||
{{ \ | ||
0xd7af0dd5, 0x0a2296ff, 0x03627e28, 0x858e557a, 0xf31e2246, \ | ||
0x1972ff61, 0xfa972b63, 0x2f755cb8, 0xcbb7f242, 0x8b14a139, \ | ||
0xaf2ef152, 0x4f2991a6, 0x2b647171, 0xd9778edb, 0x434acb79, \ | ||
0x4fde9aa1, 0xa7be6fa0, 0xfd1e2d4f, 0xc06d497c, 0x6385b2ec, \ | ||
0x6b1799af, 0x3eedaf0f, 0x58a80508, 0xf9f991f3, 0xf8abee4c, \ | ||
0x3517ba93, 0x0f625565, 0x2c02427a, 0x3dce3809, 0x072194cd, \ | ||
0xe455076c, 0xab1189f1, 0x29afca62, 0xe487061c, 0xeef2255d, \ | ||
0x91c96072, 0xad54cb22, 0xe63ea5ff, 0xc6cf64ef, 0x66d27d1d, \ | ||
0x396dd4e3, 0x5bbdb7ed, 0xf7c805cf, 0xa70a282f, 0x19a8b307, \ | ||
0x6dd3008b, 0x686e3788, 0x0ccfdb19, 0xc47a821a, 0x83c157f5, \ | ||
0x52fea68b, 0xd645f4d2, 0x206ed7cb, 0x899c7b1b, 0x9a777335, \ | ||
0x0bc65c6b, 0x8fcea773, 0xd1799e75, 0xbc23d660, 0x0e8c18a8, \ | ||
0x6527b5d4, 0x3eb7e278, 0x93546a7e, 0x67deba97, 0x9433cb40, \ | ||
0x6b330bdf, 0xcfe52600, 0xa02f8cc2, 0xea50b2da, 0x549891cb, \ | ||
0x87735ceb, 0xf257b804, 0xd96c7566, 0x4dcf77da, 0xe38b464f, \ | ||
0xb6c9afca, 0xeab879b2, 0x3fb1ed41, 0xe1f20209, 0x2819397f, \ | ||
0x3c6ef023, 0x0c754ffe, 0x61512fb7, 0x448b297e, 0xba5af191, \ | ||
0x88dd9d71, 0xd6e05fa9, 0x5266d4a8, 0x005aa42e, 0x58cbf6c4, \ | ||
0x65df874e, 0x0afcf690, 0x2b24b10b, 0xf3f422ab, 0x55933e0c, \ | ||
0xba900bcb, \ | ||
}}, \ | ||
.n0_inv = { \ | ||
0x52763c83, 0x4c89d945, 0x7dc117bd, 0x923a4240, \ | ||
0x88605510, 0x7f38dd72, 0xa3963a0e, 0x865793d2, \ | ||
}, \ | ||
} | ||
|
||
#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_ROM_EXT_PRODC_KEYS_EARLGREY_Z1_PRODC_1_H_ |
36 changes: 36 additions & 0 deletions
36
sw/device/silicon_creator/rom_ext/prodc/keys/sigverify_rsa_keys_prodc.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
// Copyright lowRISC contributors. | ||
// Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
|
||
#include "sw/device/lib/base/macros.h" | ||
#include "sw/device/silicon_creator/rom_ext/prodc/keys/earlgrey_z1_prodc_1.h" | ||
#include "sw/device/silicon_creator/rom_ext/sigverify_keys.h" | ||
|
||
/** | ||
* Number of RSA public keys. | ||
*/ | ||
enum { | ||
kSigverifyRsaKeysCnt_ = 1, | ||
}; | ||
const size_t kSigverifyRsaKeysCnt = kSigverifyRsaKeysCnt_; | ||
|
||
/** | ||
* Step size to use when checking RSA public keys. | ||
* | ||
* This must be coprime with and less than `kSigverifyNumRsaKeys`. | ||
* Note: Step size is not applicable when `kSigverifyNumRsaKeys` is 1. | ||
*/ | ||
const size_t kSigverifyRsaKeysStep = 1; | ||
|
||
/** | ||
* Fake public keys for signature verification in tests. | ||
* | ||
* Please see sw/device/silicon_creator/rom/keys/README.md for more | ||
* details. | ||
*/ | ||
const sigverify_rom_ext_key_t kSigverifyRsaKeys[kSigverifyRsaKeysCnt_] = { | ||
{ | ||
.key = EARLGREY_Z1_PRODC_1, | ||
.key_type = kSigverifyKeyTypeFirmwareProd, | ||
}, | ||
}; |
Oops, something went wrong.