From f2def7c6c3b06829fa02f9eabe3bc156db992d4b Mon Sep 17 00:00:00 2001
From: Tim Trippel <ttrippel@google.com>
Date: Tue, 3 Dec 2024 20:22:29 -0800
Subject: [PATCH] [provisioning] check in SIVAL RMA unlock token wrapping
 pubkey

This pubkey is used to encrypt RMA unlock tokens during FT before saving
them to the registry.

Signed-off-by: Tim Trippel <ttrippel@google.com>
---
 .../silicon_creator/manuf/keys/fake/README.md     |   2 +-
 .../keys/sival/rma_unlock_enc_rsa3072.pub.der     | Bin 0 -> 422 bytes
 .../orchestrator/configs/skus/sival.hjson         |   2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 sw/device/silicon_creator/manuf/keys/sival/rma_unlock_enc_rsa3072.pub.der

diff --git a/sw/device/silicon_creator/manuf/keys/fake/README.md b/sw/device/silicon_creator/manuf/keys/fake/README.md
index 1bf35d7c3e1da4..66fbb798c8a8c1 100644
--- a/sw/device/silicon_creator/manuf/keys/fake/README.md
+++ b/sw/device/silicon_creator/manuf/keys/fake/README.md
@@ -62,6 +62,6 @@ $ openssl genrsa -out rma_unlock_enc_rsa3072.pem 3072
 $ openssl rsa -in rma_unlock_enc_rsa3072.pem -pubout -out rma_unlock_enc_rsa3072.pub.pem
 
 ### Convert the PEM files to DER files:
-$ openssl rsa -in rma_unlock_enc_rsa3072.pem -outform der -out rma_unlock_enc_rsa3072..der
+$ openssl rsa -in rma_unlock_enc_rsa3072.pem -outform der -out rma_unlock_enc_rsa3072.der
 $ openssl rsa -pubin -in rma_unlock_enc_rsa3072.pub.pem -outform der -out rma_unlock_enc_rsa3072.pub.der
 ```
diff --git a/sw/device/silicon_creator/manuf/keys/sival/rma_unlock_enc_rsa3072.pub.der b/sw/device/silicon_creator/manuf/keys/sival/rma_unlock_enc_rsa3072.pub.der
new file mode 100644
index 0000000000000000000000000000000000000000..a5fdac83e949d381fe054cd1414751e8385b0e0f
GIT binary patch
literal 422
zcmV;X0a^Yqf&rp14F(A+hDe6@4FLfG1potr0gnJMf&q#Gf&qa5ya3QZ)x77uZ`6iL
zJ?HqT+v%Mu4<*$3l{$GF_!Y;dQvDrr)f&ro=1gV;-nw-$BGjV7$xgZLr@Cr>PP5V(
zj;38*0KD&K#z&;)0i<?-Y1d{;COK>gV3Y=z6Bl@jux2@CN|eOj>92E`glDz1U#h0y
z72?7t&E(OoiviVQ@TPe#;_I>MnuPM>4e#CJf$pnYbdOW%>3okyz&E_zTS5&k@RW&1
zn1{r4>JXCi0NN~+`d=*v#$##i5<AG<@)aYtmj|}d%JT)qcvLlWQ0Zwuj{60nkBwi4
zp0<)^rXxT&GPAZ*<sgxC9OW&Agm32zJj4Md{g2v2*;Vd})2})>luhqwV0M3eXSb>p
zm-Q?`0J#jbTFA;h7&I>R!#hkgvA!jp42IR!3sc)Z`FV#RPrQCyddrPRd2W2%e^NFr
z#z_G(y;aazx#jg@r+HPxXu{h{$aoq;D(1)%w!*tAG7=OGdli_j=!Zl~(4Kz6m{z`$
QPK6AWY7hyP0s{d60Z5q3uK)l5

literal 0
HcmV?d00001

diff --git a/sw/host/provisioning/orchestrator/configs/skus/sival.hjson b/sw/host/provisioning/orchestrator/configs/skus/sival.hjson
index a3773bc8eea031..260c90c064b56e 100644
--- a/sw/host/provisioning/orchestrator/configs/skus/sival.hjson
+++ b/sw/host/provisioning/orchestrator/configs/skus/sival.hjson
@@ -22,5 +22,5 @@
     key_type: "Token",
     key_id: "0x0"
   }
-  token_encrypt_key: "sw/device/silicon_creator/manuf/keys/fake/rma_unlock_enc_rsa3072.pub.der"
+  token_encrypt_key: "sw/device/silicon_creator/manuf/keys/sival/rma_unlock_enc_rsa3072.pub.der"
 }