[bazel] Move key consts and utils to opentitan rules

Signed-off-by: James Wainwright <[email protected]>
lowRISC · Oct 18, 2024 · 0dd6a4f · 0dd6a4f
1 parent 4c15302
commit 0dd6a4f
Show file tree

Hide file tree

Showing 24 changed files with 188 additions and 321 deletions.
diff --git a/hw/top_earlgrey/dv/env/chip_env_cfg.sv b/hw/top_earlgrey/dv/env/chip_env_cfg.sv
@@ -455,7 +455,7 @@ class chip_env_cfg #(type RAL_T = chip_ral_pkg::chip_reg_block) extends cip_base
           // A flash image could be signed, and if it is, Bazel will attach a
           // suffix to the image name.
           if ("signed" inside {sw_image_flags[i]}) begin
-            // Options match DEFAULT_SIGNING_KEYS in `rules/opentitan.bzl`.
+            // Options match DEFAULT_SIGNING_KEYS in `rules/opentitan/keyutils.bzl`.
             if ("fake_ecdsa_dev_key_0" inside {sw_image_flags[i]}) begin
               sw_images[i] = $sformatf("%0s.fake_ecdsa_dev_key_0.signed", sw_images[i]);
             end else if ("fake_ecdsa_prod_key_0" inside {sw_image_flags[i]}) begin

diff --git a/rules/opentitan.bzl b/rules/opentitan.bzl
@@ -17,6 +17,11 @@ load("@crt//rules:transition.bzl", "platform_target")
 load("@bazel_skylib//rules:common_settings.bzl", "BuildSettingInfo")
 load("@bazel_skylib//lib:structs.bzl", "structs")
 load("//rules/opentitan:toolchain.bzl", "LOCALTOOLS_TOOLCHAIN")
+load(
+    "//rules/opentitan:keyutils.bzl",
+    "ECDSA_ONLY_KEY_STRUCTS",
+    "RSA_ONLY_ROM_EXT_KEY_STRUCTS",
+)
 
 """Rules to build OpenTitan for the RISC-V target"""
 
@@ -42,139 +47,9 @@ PER_DEVICE_DEPS = {
     "fpga_cw340": ["@//sw/device/lib/arch:fpga_cw340"],
 }
 
-def create_key_(name, label, hw_lc_states):
-    return struct(
-        name = name,
-        label = label,
-        hw_lc_states = hw_lc_states,
-    )
-
-def create_test_key(name, label):
-    return create_key_(name, label, [
-        CONST.LCV.TEST_UNLOCKED0,
-        CONST.LCV.TEST_UNLOCKED1,
-        CONST.LCV.TEST_UNLOCKED2,
-        CONST.LCV.TEST_UNLOCKED3,
-        CONST.LCV.TEST_UNLOCKED4,
-        CONST.LCV.TEST_UNLOCKED5,
-        CONST.LCV.TEST_UNLOCKED6,
-        CONST.LCV.TEST_UNLOCKED7,
-        CONST.LCV.RMA,
-    ])
-
-def create_dev_key(name, label):
-    return create_key_(name, label, [
-        CONST.LCV.DEV,
-    ])
-
-def create_prod_key(name, label):
-    return create_key_(name, label, [
-        CONST.LCV.TEST_UNLOCKED0,
-        CONST.LCV.TEST_UNLOCKED1,
-        CONST.LCV.TEST_UNLOCKED2,
-        CONST.LCV.TEST_UNLOCKED3,
-        CONST.LCV.TEST_UNLOCKED4,
-        CONST.LCV.TEST_UNLOCKED5,
-        CONST.LCV.TEST_UNLOCKED6,
-        CONST.LCV.TEST_UNLOCKED7,
-        CONST.LCV.DEV,
-        CONST.LCV.PROD,
-        CONST.LCV.PROD_END,
-        CONST.LCV.RMA,
-    ])
-
-def create_key_struct(ecdsa_key, rsa_key, spx_key):
-    return struct(
-        ecdsa = ecdsa_key,
-        rsa = rsa_key,
-        spx = spx_key,
-    )
-
-# Keys available in the repo
-SILICON_CREATOR_KEYS = struct(
-    FAKE = struct(
-        ECDSA = struct(
-            TEST = [
-                create_test_key("fake_ecdsa_test_key_0", "@//sw/device/silicon_creator/rom/keys/fake/ecdsa:test_key_0_ecdsa_p256"),
-            ],
-            DEV = [
-                create_dev_key("fake_ecdsa_dev_key_0", "@//sw/device/silicon_creator/rom/keys/fake/ecdsa:dev_key_0_ecdsa_p256"),
-            ],
-            PROD = [
-                create_prod_key("fake_ecdsa_prod_key_0", "@//sw/device/silicon_creator/rom/keys/fake/ecdsa:prod_key_0_ecdsa_p256"),
-            ],
-        ),
-        SPX = struct(
-            TEST = [
-                create_test_key("fake_spx_test_key_0", "@//sw/device/silicon_creator/rom/keys/fake/spx:test_key_0_spx"),
-            ],
-            DEV = [
-                create_dev_key("fake_spx_dev_key_0", "@//sw/device/silicon_creator/rom/keys/fake/spx:dev_key_0_spx"),
-            ],
-            PROD = [
-                create_prod_key("fake_spx_prod_key_0", "@//sw/device/silicon_creator/rom/keys/fake/spx:prod_key_0_spx"),
-            ],
-        ),
-    ),
-    # We can't expose real private keys publicly.
-    REAL = None,
-    UNAUTHORIZED = struct(
-        SPX = [
-            create_key_("spx_unauthorized_0", "@//sw/device/silicon_creator/rom/keys/unauthorized/spx:unauthorized_0_spx", []),
-        ],
-    ),
-)
-
-SILICON_OWNER_KEYS = struct(
-    FAKE = struct(
-        RSA = struct(
-            TEST = [
-                create_test_key("fake_rsa_rom_ext_test_key_0", "@//sw/device/silicon_creator/rom_ext/keys/fake:rom_ext_test_private_key_0"),
-            ],
-            DEV = [
-                create_dev_key("fake_rsa_rom_ext_dev_key_0", "@//sw/device/silicon_creator/rom_ext/keys/fake:rom_ext_dev_private_key_0"),
-            ],
-            PROD = None,
-        ),
-        # We can't expose real private keys publicly.
-        REAL = None,
-        UNAUTHORIZED = None,
-    ),
-)
-
 def flatten(l):
     return [item for ll in l for item in ll]
 
-def key_allowed_in_lc_state(key, hw_lc_state_val):
-    all_hw_lc_state_vals = structs.to_dict(CONST.LCV).values()
-    if not hw_lc_state_val in all_hw_lc_state_vals:
-        fail("Wrong life cycle state value: '{}', must be one of {}. Did you pass a string instead of the integer value?".format(hw_lc_state_val, all_hw_lc_state_vals))
-    return hw_lc_state_val in key.hw_lc_states
-
-def filter_key_structs_for_lc_state(key_structs, hw_lc_state):
-    return [k for k in key_structs if (
-        (not k.rsa or key_allowed_in_lc_state(k.rsa, hw_lc_state)) and
-        (not k.ecdsa or key_allowed_in_lc_state(k.ecdsa, hw_lc_state)) and
-        (not k.spx or key_allowed_in_lc_state(k.spx, hw_lc_state))
-    )]
-
-ECDSA_ONLY_KEY_STRUCTS = [
-    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.TEST[0], None, None),
-    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.DEV[0], None, None),
-    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.PROD[0], None, None),
-]
-
-ECDSA_SPX_KEY_STRUCTS = [
-    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.TEST[0], None, SILICON_CREATOR_KEYS.FAKE.SPX.TEST[0]),
-    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.DEV[0], None, SILICON_CREATOR_KEYS.FAKE.SPX.DEV[0]),
-    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.PROD[0], None, SILICON_CREATOR_KEYS.FAKE.SPX.PROD[0]),
-]
-
-RSA_ONLY_ROM_EXT_KEY_STRUCTS = [
-    create_key_struct(None, SILICON_OWNER_KEYS.FAKE.RSA.TEST[0], None),
-    create_key_struct(None, SILICON_OWNER_KEYS.FAKE.RSA.DEV[0], None),
-]
-
 def _obj_transform_impl(ctx):
     cc_toolchain = find_cc_toolchain(ctx)
     outputs = []

diff --git a/rules/opentitan/keyutils.bzl b/rules/opentitan/keyutils.bzl
@@ -2,8 +2,9 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-load("//rules:opentitan.bzl", "key_allowed_in_lc_state")
 load("//rules:signing.bzl", "KeyInfo")
+load("//rules:const.bzl", "CONST")
+load("@bazel_skylib//lib:structs.bzl", "structs")
 
 def _build_key_info_handler(id):
     """Return a handler that creates a KeyInfo provider.
@@ -161,3 +162,133 @@ def spx_key_by_name(key_structs, nickname):
     return {
         keys[0].spx.label: keys[0].spx.name,
     }
+
+def key_allowed_in_lc_state(key, hw_lc_state_val):
+    all_hw_lc_state_vals = structs.to_dict(CONST.LCV).values()
+    if not hw_lc_state_val in all_hw_lc_state_vals:
+        fail("Wrong life cycle state value: '{}', must be one of {}. Did you pass a string instead of the integer value?".format(hw_lc_state_val, all_hw_lc_state_vals))
+    return hw_lc_state_val in key.hw_lc_states
+
+def filter_key_structs_for_lc_state(key_structs, hw_lc_state):
+    return [k for k in key_structs if (
+        (not k.rsa or key_allowed_in_lc_state(k.rsa, hw_lc_state)) and
+        (not k.ecdsa or key_allowed_in_lc_state(k.ecdsa, hw_lc_state)) and
+        (not k.spx or key_allowed_in_lc_state(k.spx, hw_lc_state))
+    )]
+
+def create_key_(name, label, hw_lc_states):
+    return struct(
+        name = name,
+        label = label,
+        hw_lc_states = hw_lc_states,
+    )
+
+def create_test_key(name, label):
+    return create_key_(name, label, [
+        CONST.LCV.TEST_UNLOCKED0,
+        CONST.LCV.TEST_UNLOCKED1,
+        CONST.LCV.TEST_UNLOCKED2,
+        CONST.LCV.TEST_UNLOCKED3,
+        CONST.LCV.TEST_UNLOCKED4,
+        CONST.LCV.TEST_UNLOCKED5,
+        CONST.LCV.TEST_UNLOCKED6,
+        CONST.LCV.TEST_UNLOCKED7,
+        CONST.LCV.RMA,
+    ])
+
+def create_dev_key(name, label):
+    return create_key_(name, label, [
+        CONST.LCV.DEV,
+    ])
+
+def create_prod_key(name, label):
+    return create_key_(name, label, [
+        CONST.LCV.TEST_UNLOCKED0,
+        CONST.LCV.TEST_UNLOCKED1,
+        CONST.LCV.TEST_UNLOCKED2,
+        CONST.LCV.TEST_UNLOCKED3,
+        CONST.LCV.TEST_UNLOCKED4,
+        CONST.LCV.TEST_UNLOCKED5,
+        CONST.LCV.TEST_UNLOCKED6,
+        CONST.LCV.TEST_UNLOCKED7,
+        CONST.LCV.DEV,
+        CONST.LCV.PROD,
+        CONST.LCV.PROD_END,
+        CONST.LCV.RMA,
+    ])
+
+def create_key_struct(ecdsa_key, rsa_key, spx_key):
+    return struct(
+        ecdsa = ecdsa_key,
+        rsa = rsa_key,
+        spx = spx_key,
+    )
+
+# Keys available in the repo
+SILICON_CREATOR_KEYS = struct(
+    FAKE = struct(
+        ECDSA = struct(
+            TEST = [
+                create_test_key("fake_ecdsa_test_key_0", "@//sw/device/silicon_creator/rom/keys/fake/ecdsa:test_key_0_ecdsa_p256"),
+            ],
+            DEV = [
+                create_dev_key("fake_ecdsa_dev_key_0", "@//sw/device/silicon_creator/rom/keys/fake/ecdsa:dev_key_0_ecdsa_p256"),
+            ],
+            PROD = [
+                create_prod_key("fake_ecdsa_prod_key_0", "@//sw/device/silicon_creator/rom/keys/fake/ecdsa:prod_key_0_ecdsa_p256"),
+            ],
+        ),
+        SPX = struct(
+            TEST = [
+                create_test_key("fake_spx_test_key_0", "@//sw/device/silicon_creator/rom/keys/fake/spx:test_key_0_spx"),
+            ],
+            DEV = [
+                create_dev_key("fake_spx_dev_key_0", "@//sw/device/silicon_creator/rom/keys/fake/spx:dev_key_0_spx"),
+            ],
+            PROD = [
+                create_prod_key("fake_spx_prod_key_0", "@//sw/device/silicon_creator/rom/keys/fake/spx:prod_key_0_spx"),
+            ],
+        ),
+    ),
+    # We can't expose real private keys publicly.
+    REAL = None,
+    UNAUTHORIZED = struct(
+        SPX = [
+            create_key_("spx_unauthorized_0", "@//sw/device/silicon_creator/rom/keys/unauthorized/spx:unauthorized_0_spx", []),
+        ],
+    ),
+)
+
+SILICON_OWNER_KEYS = struct(
+    FAKE = struct(
+        RSA = struct(
+            TEST = [
+                create_test_key("fake_rsa_rom_ext_test_key_0", "@//sw/device/silicon_creator/rom_ext/keys/fake:rom_ext_test_private_key_0"),
+            ],
+            DEV = [
+                create_dev_key("fake_rsa_rom_ext_dev_key_0", "@//sw/device/silicon_creator/rom_ext/keys/fake:rom_ext_dev_private_key_0"),
+            ],
+            PROD = None,
+        ),
+        # We can't expose real private keys publicly.
+        REAL = None,
+        UNAUTHORIZED = None,
+    ),
+)
+
+ECDSA_ONLY_KEY_STRUCTS = [
+    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.TEST[0], None, None),
+    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.DEV[0], None, None),
+    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.PROD[0], None, None),
+]
+
+ECDSA_SPX_KEY_STRUCTS = [
+    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.TEST[0], None, SILICON_CREATOR_KEYS.FAKE.SPX.TEST[0]),
+    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.DEV[0], None, SILICON_CREATOR_KEYS.FAKE.SPX.DEV[0]),
+    create_key_struct(SILICON_CREATOR_KEYS.FAKE.ECDSA.PROD[0], None, SILICON_CREATOR_KEYS.FAKE.SPX.PROD[0]),
+]
+
+RSA_ONLY_ROM_EXT_KEY_STRUCTS = [
+    create_key_struct(None, SILICON_OWNER_KEYS.FAKE.RSA.TEST[0], None),
+    create_key_struct(None, SILICON_OWNER_KEYS.FAKE.RSA.DEV[0], None),
+]
diff --git a/rules/opentitan_test.bzl b/rules/opentitan_test.bzl
@@ -4,10 +4,10 @@
 
 load(
     "@//rules:opentitan.bzl",
-    "ECDSA_ONLY_KEY_STRUCTS",
     "opentitan_flash_binary",
     "opentitan_rom_binary",
 )
+load("//rules/opentitan:keyutils.bzl", "ECDSA_ONLY_KEY_STRUCTS")
 load("@bazel_skylib//lib:shell.bzl", "shell")
 load("@bazel_skylib//lib:collections.bzl", "collections")
 

diff --git a/sw/device/silicon_creator/manuf/tests/BUILD b/sw/device/silicon_creator/manuf/tests/BUILD
@@ -4,10 +4,7 @@
 
 load("//rules:const.bzl", "CONST", "get_lc_items")
 load("//rules:lc.bzl", "lc_raw_unlock_token")
-load(
-    "//rules:opentitan.bzl",
-    "ECDSA_SPX_KEY_STRUCTS",
-)
+load("//rules/opentitan:keyutils.bzl", "ECDSA_SPX_KEY_STRUCTS")
 load(
     "//rules:otp.bzl",
     "OTP_SIGVERIFY_FAKE_KEYS",

diff --git a/sw/device/silicon_creator/rom/e2e/BUILD b/sw/device/silicon_creator/rom/e2e/BUILD
@@ -2,36 +2,23 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-load(
-    "@bazel_skylib//lib:dicts.bzl",
-    "dicts",
-)
-load(
-    "//rules:const.bzl",
-    "CONST",
-    "hex_digits",
-)
+load("@bazel_skylib//lib:dicts.bzl", "dicts")
+load("//rules:const.bzl", "CONST", "hex_digits")
 load(
     "//rules:opentitan.bzl",
-    "ECDSA_ONLY_KEY_STRUCTS",
     "bin_to_vmem",
     "scramble_flash_vmem",
 )
+load("//rules/opentitan:keyutils.bzl", "ECDSA_ONLY_KEY_STRUCTS")
 load(
     "//rules:otp.bzl",
     "OTP_SIGVERIFY_FAKE_KEYS",
     "otp_image",
     "otp_json",
     "otp_partition",
 )
-load(
-    "//rules:rom_e2e.bzl",
-    "maybe_skip_in_ci",
-)
-load(
-    "//rules:splice.bzl",
-    "bitstream_splice",
-)
+load("//rules:rom_e2e.bzl", "maybe_skip_in_ci")
+load("//rules:splice.bzl", "bitstream_splice")
 load(
     "//sw/device/silicon_creator/rom/e2e:defs.bzl",
     "MSG_PASS",