From 7cb476cdd9b35ffe89491a3decb39e5c8ec38690 Mon Sep 17 00:00:00 2001
From: Tim Trippel <ttrippel@google.com>
Date: Tue, 3 Dec 2024 15:22:21 -0800
Subject: [PATCH] [provisioning] enable SIVAL cert endorsement with Nitrokeys

The DICE CA key is stored on a Nitrokey, which can be used in a benchtop
provisioning flow to endorse DICE certificates.

Signed-off-by: Tim Trippel <ttrippel@google.com>
---
 sw/device/silicon_creator/manuf/base/BUILD    | 22 ++++++++++++++++-
 .../manuf/base/provisioning_inputs.bzl        |  7 +++---
 .../silicon_creator/manuf/keys/sival/BUILD    | 16 +++++++++++++
 .../manuf/keys/sival/README.md                | 24 +++++++++++++++++++
 .../manuf/keys/sival/ca_config.json           | 14 +++++++++++
 .../manuf/keys/sival/dice_ca.pem              | 13 ++++++++++
 sw/host/provisioning/cert_lib/src/lib.rs      |  6 +++--
 .../orchestrator/configs/skus/emulation.hjson |  2 --
 .../orchestrator/configs/skus/sival.hjson     | 21 ++++++++--------
 9 files changed, 106 insertions(+), 19 deletions(-)
 create mode 100644 sw/device/silicon_creator/manuf/keys/sival/BUILD
 create mode 100644 sw/device/silicon_creator/manuf/keys/sival/README.md
 create mode 100644 sw/device/silicon_creator/manuf/keys/sival/ca_config.json
 create mode 100644 sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem

diff --git a/sw/device/silicon_creator/manuf/base/BUILD b/sw/device/silicon_creator/manuf/base/BUILD
index 30519b9eafcd97..2e5d4411d97a0a 100644
--- a/sw/device/silicon_creator/manuf/base/BUILD
+++ b/sw/device/silicon_creator/manuf/base/BUILD
@@ -415,7 +415,7 @@ filegroup(
             tags = [
                 "lc_test_locked0",
                 "manuf",
-            ],
+            ] + ["manual"] if config.get("offline", False) else [],
             test_cmd = _FT_PROVISIONING_CMD_ARGS,
             test_harness = _FT_PROVISIONING_HARNESS.format(sku),
         ),
@@ -449,6 +449,16 @@ filegroup(
 test_suite(
     name = "ft_provision_cw310",
     tags = ["manual"],
+    tests = [
+        ":ft_provision_{}_fpga_hyper310_rom_with_fake_keys".format(sku)
+        for sku, config in EARLGREY_SKUS.items()
+        if not config.get("offline", False)
+    ],
+)
+
+test_suite(
+    name = "ft_provision_including_offline_cw310",
+    tags = ["manual"],
     tests = [
         ":ft_provision_{}_fpga_hyper310_rom_with_fake_keys".format(sku)
         for sku in EARLGREY_SKUS.keys()
@@ -458,6 +468,16 @@ test_suite(
 test_suite(
     name = "ft_provision_cw340",
     tags = ["manual"],
+    tests = [
+        ":ft_provision_{}_fpga_cw340_rom_with_fake_keys".format(sku)
+        for sku, config in EARLGREY_SKUS.items()
+        if not config.get("offline", False)
+    ],
+)
+
+test_suite(
+    name = "ft_provision_including_offline_cw340",
+    tags = ["manual"],
     tests = [
         ":ft_provision_{}_fpga_cw340_rom_with_fake_keys".format(sku)
         for sku in EARLGREY_SKUS.keys()
diff --git a/sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl b/sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl
index 42844289d5c235..36124bf15192c9 100644
--- a/sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl
+++ b/sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl
@@ -67,8 +67,8 @@ EARLGREY_SKUS = {
     },
     "sival": {
         "otp": "sival",
-        "ca_config": "//sw/device/silicon_creator/manuf/keys/fake:ca_config.json",
-        "ca_data": ["//sw/device/silicon_creator/manuf/keys/fake:ca_data"],
+        "ca_config": "//sw/device/silicon_creator/manuf/keys/sival:ca_config.json",
+        "ca_data": ["//sw/device/silicon_creator/manuf/keys/sival:ca_data"],
         "dice_libs": ["//sw/device/silicon_creator/lib/cert:dice"],
         "host_ext_libs": ["@provisioning_exts//:default_ft_ext_lib"],
         "device_ext_libs": ["@provisioning_exts//:default_perso_fw_ext"],
@@ -79,7 +79,8 @@ EARLGREY_SKUS = {
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
         "ecdsa_key": {"//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:keyset": "sv00-earlgrey-a1-root-ecdsa-prod-0"},
         "perso_bin": "//sw/device/silicon_creator/manuf/base/binaries:ft_personalize_sival",
-        "orchestrator_cfg": "//sw/host/provisioning/orchestrator/configs/skus:emulation.hjson",
+        "orchestrator_cfg": "//sw/host/provisioning/orchestrator/configs/skus:sival.hjson",
+        "offline": True,
     },
 } | EXT_EARLGREY_SKUS
 
diff --git a/sw/device/silicon_creator/manuf/keys/sival/BUILD b/sw/device/silicon_creator/manuf/keys/sival/BUILD
new file mode 100644
index 00000000000000..2cc3e2fa2041d4
--- /dev/null
+++ b/sw/device/silicon_creator/manuf/keys/sival/BUILD
@@ -0,0 +1,16 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
+
+exports_files(glob(["**"]))
+
+filegroup(
+    name = "ca_data",
+    srcs = [
+        ":ca_config.json",
+        ":dice_ca.pem",
+        "//sw/device/silicon_creator/manuf/keys/fake:rma_unlock_enc_rsa3072.pub.der",
+    ],
+)
diff --git a/sw/device/silicon_creator/manuf/keys/sival/README.md b/sw/device/silicon_creator/manuf/keys/sival/README.md
new file mode 100644
index 00000000000000..1861e2b50b8e5b
--- /dev/null
+++ b/sw/device/silicon_creator/manuf/keys/sival/README.md
@@ -0,0 +1,24 @@
+# CA Endorsement Keys
+
+Certificate Authority endorsement keys are are used to endorse the following
+certificate chains during personalization:
+1. DICE attestation certificate chains, and
+2. SKU specific certificate chains.
+
+The real (private) keys used for the SIVAL SKU are stored on offline HSMs. The
+matching public keys and certificates are checked into the repository.
+
+To use the private keys to endorse the certificates in benchtop provisioning
+flow, one must set the following envars:
+  - `PKCS11_MODULE_PATH`: to point to the PKCS#11 shared library for the
+    hardware token they are using, and
+  - `PKCS11_TOKEN_PIN`: to the PIN used for hardware token authentication.
+
+For example, if the SIVAL private keys are stored on a Nitrokey, and you wanted
+to test the SIVAL FT provisioning flow, you would issue the following Bazel
+command:
+```sh
+bazel test --test_output=streamed \
+  //sw/device/silicon_creator/manuf/base:ft_provision_sival_fpga_hyper310_rom_with_fake_keys \
+  --action_env=PKCS11_MODULE_PATH=/opt/nitrokey/lib/libsc-hsm-pkcs11.so,PKCS11_TOKEN_PIN=<pin>
+```
diff --git a/sw/device/silicon_creator/manuf/keys/sival/ca_config.json b/sw/device/silicon_creator/manuf/keys/sival/ca_config.json
new file mode 100644
index 00000000000000..14f9d7455d0ec1
--- /dev/null
+++ b/sw/device/silicon_creator/manuf/keys/sival/ca_config.json
@@ -0,0 +1,14 @@
+{
+  "dice": {
+    "certificate": "sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem",
+    "key_id": "0x5398A4F090F2A95C3D52FC98DEB9F2F9AF042F6E",
+    "key_type": "Token",
+    "key": "sv00-earlgrey-a1-ca-dice-0"
+  },
+  "ext": {
+    "certificate": "sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem",
+    "key_id": "0x5398A4F090F2A95C3D52FC98DEB9F2F9AF042F6E",
+    "key_type": "Token",
+    "key": "sv00-earlgrey-a1-ca-dice-0"
+  }
+}
diff --git a/sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem b/sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem
new file mode 100644
index 00000000000000..bead3f586d8800
--- /dev/null
+++ b/sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICCTCCAa+gAwIBAgIUfAUcL0N+fldtTdHg9BxeFFnfcVgwCgYIKoZIzj0EAwIw
+WTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1Nh
+bkpvc2UxDzANBgNVBAoMBkdvb2dsZTESMBAGA1UEAwwJb3BlbnRpdGFuMCAXDTI0
+MTExNTAwMDA1OVoYDzIwNTIwNDAxMDAwMDU5WjBZMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEQMA4GA1UEBwwHU2FuSm9zZTEPMA0GA1UECgwGR29v
+Z2xlMRIwEAYDVQQDDAlvcGVudGl0YW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AATu4HkgAzRXPJAhMw9E/qXZzoQ+Kx3awtKAPk29herxqr7d/bEYWVjKBpMg9QzT
+jQHQBswmU/H3GTr5FCjfas2fo1MwUTAdBgNVHQ4EFgQUU5ik8JDyqVw9UvyY3rny
++a8EL24wHwYDVR0jBBgwFoAUU5ik8JDyqVw9UvyY3rny+a8EL24wDwYDVR0TAQH/
+BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEAxEt33H247CtAoe6RGGf3yBOxf9Yj
+RWnePCJXdMIWIEACIHY1ZFYTLVZ9nzLPsU8Kl6DzmSU5h3Ykyf9qoAy7q7nF
+-----END CERTIFICATE-----
diff --git a/sw/host/provisioning/cert_lib/src/lib.rs b/sw/host/provisioning/cert_lib/src/lib.rs
index 513179fabda483..d85ab0e256396c 100644
--- a/sw/host/provisioning/cert_lib/src/lib.rs
+++ b/sw/host/provisioning/cert_lib/src/lib.rs
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
+use std::env;
 use std::fs::{self, OpenOptions};
 use std::io::{Read, Write};
 use std::path::PathBuf;
@@ -137,7 +138,8 @@ fn parse_and_endorse_x509_cert_token(tbs: Vec<u8>, key_id: &str) -> Result<Vec<u
     file.write_all(&tbs)?;
     drop(file);
 
-    let binding_key = String::from("pkcs11:object=") + key_id;
+    let token_pin = env::var("PKCS11_TOKEN_PIN")?;
+    let key_uri = format!("pkcs11:pin-value={};object={}", token_pin, key_id);
     openssl_command(&[
         "dgst",
         "-sha256",
@@ -146,7 +148,7 @@ fn parse_and_endorse_x509_cert_token(tbs: Vec<u8>, key_id: &str) -> Result<Vec<u
         "-keyform",
         "engine",
         "-sign",
-        binding_key.as_str(),
+        key_uri.as_str(),
         "-out",
         sig_filename,
         tbs_filename,
diff --git a/sw/host/provisioning/orchestrator/configs/skus/emulation.hjson b/sw/host/provisioning/orchestrator/configs/skus/emulation.hjson
index e2a387f4436d7d..5b583bc5e1a995 100644
--- a/sw/host/provisioning/orchestrator/configs/skus/emulation.hjson
+++ b/sw/host/provisioning/orchestrator/configs/skus/emulation.hjson
@@ -2,8 +2,6 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-# OpenTitan SIVAL SKU configuration.
-
 {
   name: "emulation",
   product: "earlgrey_a1",
diff --git a/sw/host/provisioning/orchestrator/configs/skus/sival.hjson b/sw/host/provisioning/orchestrator/configs/skus/sival.hjson
index dd9a2aa3377bb2..a3773bc8eea031 100644
--- a/sw/host/provisioning/orchestrator/configs/skus/sival.hjson
+++ b/sw/host/provisioning/orchestrator/configs/skus/sival.hjson
@@ -2,26 +2,25 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-# OpenTitan SIVAL SKU configuration.
-
 {
   name: "sival",
   product: "earlgrey_a1",
   si_creator: "nuvoton",
   package: "npcr10",
   target_lc_state: "prod",
-  # TODO: update with real CA and RMA token keys.
   dice_ca: {
-    certificate: "sw/device/silicon_creator/manuf/keys/fake/dice_ca.pem",
-    key: "sw/device/silicon_creator/manuf/keys/fake/sk.pkcs8.der",
-    key_type: "Raw",
-    key_id: "0xfe584ae7_53790cfd_8601a312_fb32d3c1_b822d112"
+    certificate: "sv00-earlgrey-a1-ca-dice-0",
+    key: "sv00-earlgrey-a1-ca-dice-0",
+    key_type: "Token",
+    key_id: "0x0"
   }
+  // There are no certs provisioned in the extension portion of the firmware, so
+  // we use the same CA as the DICE CA.
   ext_ca: {
-    certificate: "sw/device/silicon_creator/manuf/keys/fake/ext_ca.pem",
-    key: "sw/device/silicon_creator/manuf/keys/fake/sk.pkcs8.der",
-    key_type: "Raw",
-    key_id: "0xfe584ae7_53790cfd_8601a312_fb32d3c1_b822d112"
+    certificate: "sv00-earlgrey-a1-ca-dice-0",
+    key: "sv00-earlgrey-a1-ca-dice-0",
+    key_type: "Token",
+    key_id: "0x0"
   }
   token_encrypt_key: "sw/device/silicon_creator/manuf/keys/fake/rma_unlock_enc_rsa3072.pub.der"
 }