[sw/mask_rom] Move keys inside the mask_rom folder This commit implements the following changes: * Move ROM public keys inside the sw/device/silicon_creator/mask_rom/keys folder. * Split keys into header files to simplify auditing. * Update the key policies to TEST, as the device boots by default in RMA mode in the repository. * Change the key names from fpga_key to test_key. Signed-off-by: Miguel Osorio <miguelosorio@google.com>
diff --git a/sw/device/meson.build b/sw/device/meson.build
index ed9b592..200661a 100644
--- a/sw/device/meson.build
+++ b/sw/device/meson.build
@@ -156,11 +156,11 @@
 # Signing keys for ROM_EXT images.
 signing_keys = {
- 'fpga_key_0': {
- 'path': meson.source_root() / 'sw/device/silicon_creator/keys/fpga_key_0.private.der',
+ 'test_key_0': {
+ 'path': meson.source_root() / 'sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.der',
 },
- 'fpga_key_1': {
- 'path': meson.source_root() / 'sw/device/silicon_creator/keys/fpga_key_1.private.der',
+ 'test_key_1': {
+ 'path': meson.source_root() / 'sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.der',
 },
 }
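Review bot: The new `'path'` values in `signing_keys` point at `test_key_0_rsa_3072_exp_f4.der` and `test_key_1_rsa_3072_exp_3.der`, which this commit renames from `fpga_key_*.private.der`, so the file name no longer says that these are private keys. A short comment above the dict would keep that visible to anyone auditing the build, for example `# Private halves of the mask ROM test keys; checked in for development signing only.` The public files keep a `.pub.der` suffix, so only the private side loses its marker.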
diff --git a/sw/device/silicon_creator/lib/sigverify_functest.c b/sw/device/silicon_creator/lib/sigverify_functest.c
index f8355fe..6a1253c 100644
--- a/sw/device/silicon_creator/lib/sigverify_functest.c
+++ b/sw/device/silicon_creator/lib/sigverify_functest.c
@@ -55,7 +55,7 @@ 0x55e2c441, 0xa6141c6f, 0x0b691a17, 0xbe151202, 0xb9f0e104, 0x5d411db9, }}; -// sw/device/silicon_creator/keys/fpga_key_0.public.der +// sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.public.der static const sigverify_rsa_key_t kKeyExp65537 = { .n = {{ 0x5801a2bd, 0xeff64a46, 0xc8cf2251, 0xa7cd62cb, 0x634a39c2, 0x55c936d3, @@ -89,7 +89,7 @@ .exponent = 65537, }; -// sw/device/silicon_creator/keys/fpga_key_1.public.der +// sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.public.der static const sigverify_rsa_key_t kKeyExp3 = { .n = {{ 0xbd158913, 0xab75ea1a, 0xc04e5292, 0x68f5778a, 0xa71418c7, 0xddc4fc1c,
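Review bot: The updated comments above `kKeyExp65537` and `kKeyExp3` name `test_key_0_rsa_3072_exp_f4.public.der` and `test_key_1_rsa_3072_exp_3.public.der`, but the commit renames the public key files to `...pub.der`, so both paths point at files that do not exist. The comments should read `// sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.pub.der` and `// sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.pub.der`. The same two stale paths appear in both hunks of sigverify_mod_exp_ibex_unittest.cc. These comments are the only link between the hard-coded modulus words and the key file they were derived from, so a wrong path makes the test vectors harder to audit.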
diff --git a/sw/device/silicon_creator/lib/sigverify_mod_exp_ibex_unittest.cc b/sw/device/silicon_creator/lib/sigverify_mod_exp_ibex_unittest.cc
index a6e35c8..d5c8cdc 100644
--- a/sw/device/silicon_creator/lib/sigverify_mod_exp_ibex_unittest.cc
+++ b/sw/device/silicon_creator/lib/sigverify_mod_exp_ibex_unittest.cc
@@ -72,7 +72,7 @@ constexpr SigTestCase kSigTestCases[2]{ // message: "test" { - // sw/device/silicon_creator/keys/fpga_key_0.public.der + // sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.public.der .key = { .n = {{ @@ -138,7 +138,7 @@ }, // message: "test" { - // sw/device/silicon_creator/keys/fpga_key_1.public.der + // sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.public.der .key = { .n = {{
diff --git a/sw/device/silicon_creator/keys/README.md b/sw/device/silicon_creator/mask_rom/keys/README.md
similarity index 100%
rename from sw/device/silicon_creator/keys/README.md
rename to sw/device/silicon_creator/mask_rom/keys/README.md
diff --git a/sw/device/silicon_creator/keys/fpga_key_0.private.der b/sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.der
similarity index 100%
rename from sw/device/silicon_creator/keys/fpga_key_0.private.der
rename to sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.der
Binary files differ
diff --git a/sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.h b/sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.h
new file mode 100644
index 0000000..7e23dff
--- /dev/null
+++ b/sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.h
@@ -0,0 +1,41 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_KEYS_TEST_KEY_0_RSA_3072_EXP_F4_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_KEYS_TEST_KEY_0_RSA_3072_EXP_F4_H_
+
+#define TEST_KEY_0_RSA_3072_EXP_F4 \
+ { \
+ .n = \
+ {{ \
+ 0x5801a2bd, 0xeff64a46, 0xc8cf2251, 0xa7cd62cb, 0x634a39c2, \
+ 0x55c936d3, 0x463d61fc, 0x762ebbaa, 0x01aadfb2, 0x23da15d1, \
+ 0x8475fdc6, 0x4ec67b7b, 0xe9364570, 0xd23ec7c7, 0x98038d63, \
+ 0x5688a56b, 0x68037add, 0xb20ff289, 0x9d96c1ce, 0xbac0b8cd, \
+ 0xead33d0b, 0x195f89c8, 0xd7dc110e, 0xf5bccc12, 0x8dfa33dc, \
+ 0xedc404d2, 0x74ef8524, 0x9197c0c8, 0x79cc448e, 0x4c9c505d, \
+ 0x4a586ad7, 0xe2d0f071, 0x589f28c2, 0x2ca7fc22, 0x0354b0e2, \
+ 0xefb63b44, 0x33a75b04, 0x9e194454, 0x1b4b2cde, 0x8e3f78e0, \
+ 0x5260877c, 0x05685b72, 0x4868ad4e, 0x10303ac9, 0x05ac2411, \
+ 0x5e797381, 0xd5407668, 0xe3522348, 0xa33134f8, 0x38f7a953, \
+ 0xd926f672, 0x136f6753, 0xb186b0ab, 0x5ccab586, 0x61e5bf2e, \
+ 0x9fc0eebb, 0x788ed0bd, 0x47b5fc70, 0xf971262a, 0x3b40d99b, \
+ 0x5b9fd926, 0xce3c93bf, 0xd406005e, 0x72b9e555, 0xc9b9273e, \
+ 0xfcef747f, 0xf0a35598, 0x2761e8f6, 0xec1799df, 0x462bc52d, \
+ 0x8e47218b, 0x429ccdae, 0xe7e7d66c, 0x70c70b03, 0x0356c3d2, \
+ 0x3cb3e7d1, 0xd42d035d, 0x83c529a3, 0x8df9930e, 0xb082e1f0, \
+ 0x07509c30, 0x5c33a350, 0x4f6884b9, 0x7b9d2de0, 0x0f1d16b3, \
+ 0x38dbcf55, 0x168580ea, 0xc2f2aca4, 0x43f0ae60, 0x227dd2ed, \
+ 0xd8dc61f4, 0x9404e8bc, 0x0db76fe3, 0x3491d3b0, 0x6ca44e27, \
+ 0xcda63719, \
+ }}, \
+ .n0_inv = \
+ { \
+ 0x9c9a176b, 0x44d6fa52, 0x71a63ec4, 0xadc94595, \
+ 0x3fd9bc73, 0xa83cdc95, 0xbe1bc819, 0x2b421fae, \
+ }, \
+ .exponent = 65537, \
+ }
+
+#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_KEYS_TEST_KEY_0_RSA_3072_EXP_F4_H_
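Review bot: `TEST_KEY_0_RSA_3072_EXP_F4` has no comment saying which key file it was generated from or what type it initializes, although the table in sigverify_keys.c used to carry a per-entry path comment that this commit deletes. I would add above the `#define` something like `// Public key from test_key_0_rsa_3072_exp_f4.pub.der, as an initializer for the .key field of sigverify_mask_rom_key_t. Test key only.` The macro expands to a brace initializer with designated fields, so it is only usable where that struct type is already declared; saying so would keep the header self-explanatory. The same applies to `TEST_KEY_1_RSA_3072_EXP_3` in test_key_1_rsa_3072_exp_3.h.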
diff --git a/sw/device/silicon_creator/keys/fpga_key_0.public.der b/sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.pub.der
similarity index 100%
rename from sw/device/silicon_creator/keys/fpga_key_0.public.der
rename to sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.pub.der
Binary files differ
diff --git a/sw/device/silicon_creator/keys/fpga_key_1.private.der b/sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.der
similarity index 100%
rename from sw/device/silicon_creator/keys/fpga_key_1.private.der
rename to sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.der
Binary files differ
diff --git a/sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.h b/sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.h
new file mode 100644
index 0000000..ae81d5d
--- /dev/null
+++ b/sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.h
@@ -0,0 +1,41 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_KEYS_TEST_KEY_1_RSA_3072_EXP_3_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_KEYS_TEST_KEY_1_RSA_3072_EXP_3_H_
+
+#define TEST_KEY_1_RSA_3072_EXP_3 \
+ { \
+ .n = \
+ {{ \
+ 0xbd158913, 0xab75ea1a, 0xc04e5292, 0x68f5778a, 0xa71418c7, \
+ 0xddc4fc1c, 0xcb09302d, 0xedf3142b, 0x656d7d85, 0xf761d32a, \
+ 0x2d334d1b, 0x26c91770, 0x5b9ba5a0, 0x00ac6c05, 0xbabaf1bb, \
+ 0xa8299ecc, 0xb4223f99, 0x5b676ad3, 0xcaa786c2, 0x3e2f1785, \
+ 0x204b6991, 0x21fa118f, 0x435573ab, 0xa3353ba1, 0x1074c161, \
+ 0x2ad5e901, 0x7310247c, 0x1e21b8e9, 0x0cfc7762, 0x0a9139b1, \
+ 0xfc655b33, 0x6990faaf, 0xbb88faec, 0x7c7bd6ef, 0x261e4555, \
+ 0x6bc3d813, 0x5ce6e18b, 0xdd308629, 0x37d3d54d, 0x65acd84d, \
+ 0x97b7e0c3, 0xc0d35caa, 0xb0be177a, 0x09473af3, 0x67f43155, \
+ 0x3b2f7661, 0xf9255df2, 0x1b42c84c, 0x355cd607, 0x835e74ca, \
+ 0x1d011c4e, 0x46652555, 0x1566f96f, 0x6cffd2f9, 0x204e783e, \
+ 0xa178a2eb, 0xe7297a95, 0xd7380039, 0x1a685545, 0x76ed97c9, \
+ 0x6bc0b1b7, 0xd9b1338e, 0xa3b23005, 0x6fe7109f, 0x01c232e1, \
+ 0x851639c5, 0xe81d338c, 0x25ebe0c4, 0x5b0202cd, 0x3690cb70, \
+ 0xad13b664, 0x8bf7833e, 0x6017349c, 0xf6e90b08, 0x953ef3d8, \
+ 0x4bc11817, 0xd0f6e840, 0xfe01a954, 0x9b866209, 0xb9653ff8, \
+ 0x0d654f5c, 0xff78177c, 0x3688833c, 0x57cc0c30, 0x71965be7, \
+ 0xf61fb728, 0xaeac8ca2, 0xbdc9848b, 0x954c529f, 0x9917ac7f, \
+ 0x4ba4c007, 0xce2dbf0b, 0xfc7d8504, 0x2712580b, 0xd0293151, \
+ 0xa4dbbff3, \
+ }}, \
+ .n0_inv = \
+ { \
+ 0x079056e5, 0xe151dae1, 0xd4f9deee, 0xe18c4cab, \
+ 0x868f9abe, 0x8643ed1c, 0x58022be6, 0x8f8972c9, \
+ }, \
+ .exponent = 3, \
+ }
+
+#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_KEYS_TEST_KEY_1_RSA_3072_EXP_3_H_
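Review bot: `.exponent = 3` in `TEST_KEY_1_RSA_3072_EXP_3` deserves a why-comment, because a public exponent of 3 is only safe when the verifier checks the whole encoded message strictly, and a reader of this header cannot tell whether the key is kept on purpose. The commit splits the keys into headers to simplify auditing, so a line such as `// Exponent 3 is intentional: keeps the e=3 verification path covered.` would answer the question where an auditor will look. The verification code is not part of this diff, so the author should confirm that this is the actual reason before adding the comment.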
diff --git a/sw/device/silicon_creator/keys/fpga_key_1.public.der b/sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.pub.der
similarity index 100%
rename from sw/device/silicon_creator/keys/fpga_key_1.public.der
rename to sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.pub.der
Binary files differ
diff --git a/sw/device/silicon_creator/mask_rom/sigverify_keys.c b/sw/device/silicon_creator/mask_rom/sigverify_keys.c
index f3180a3..8e0cbbe 100644
--- a/sw/device/silicon_creator/mask_rom/sigverify_keys.c
+++ b/sw/device/silicon_creator/mask_rom/sigverify_keys.c
@@ -11,6 +11,8 @@
 #include "sw/device/lib/base/hardened.h"
 #include "sw/device/silicon_creator/lib/drivers/otp.h"
 #include "sw/device/silicon_creator/lib/sigverify.h"
+#include "sw/device/silicon_creator/mask_rom/keys/test_key_0_rsa_3072_exp_f4.h"
+#include "sw/device/silicon_creator/mask_rom/keys/test_key_1_rsa_3072_exp_3.h"
 #include "sw/device/silicon_creator/mask_rom/sigverify_keys_ptrs.h"
 #include "otp_ctrl_regs.h"
@@ -18,107 +20,19 @@ /** * Public keys for signature verification. * - * Note: Updating the struct below currently requires some manual steps since we - * don't have a tool to generate them yet: - * - `n` (modulus) can be obtained using `openssl` and converting its output to - * little-endian, - * - `n0_inv` can be computed using `n`, and - * - `exponent` can be obtained using `openssl`. - * - * Please see sw/device/silicon_creator/keys/README.md for more details. + * Please see sw/device/silicon_creator/mask_rom/keys/README.md for more + * details. */ const sigverify_mask_rom_key_t kSigVerifyRsaKeys[kSigVerifyNumRsaKeys] = { - // sw/device/silicon_creator/keys/fpga_key_0.public.der [0] = { - .key = - { - .n = {{ - 0x5801a2bd, 0xeff64a46, 0xc8cf2251, 0xa7cd62cb, - 0x634a39c2, 0x55c936d3, 0x463d61fc, 0x762ebbaa, - 0x01aadfb2, 0x23da15d1, 0x8475fdc6, 0x4ec67b7b, - 0xe9364570, 0xd23ec7c7, 0x98038d63, 0x5688a56b, - 0x68037add, 0xb20ff289, 0x9d96c1ce, 0xbac0b8cd, - 0xead33d0b, 0x195f89c8, 0xd7dc110e, 0xf5bccc12, - 0x8dfa33dc, 0xedc404d2, 0x74ef8524, 0x9197c0c8, - 0x79cc448e, 0x4c9c505d, 0x4a586ad7, 0xe2d0f071, - 0x589f28c2, 0x2ca7fc22, 0x0354b0e2, 0xefb63b44, - 0x33a75b04, 0x9e194454, 0x1b4b2cde, 0x8e3f78e0, - 0x5260877c, 0x05685b72, 0x4868ad4e, 0x10303ac9, - 0x05ac2411, 0x5e797381, 0xd5407668, 0xe3522348, - 0xa33134f8, 0x38f7a953, 0xd926f672, 0x136f6753, - 0xb186b0ab, 0x5ccab586, 0x61e5bf2e, 0x9fc0eebb, - 0x788ed0bd, 0x47b5fc70, 0xf971262a, 0x3b40d99b, - 0x5b9fd926, 0xce3c93bf, 0xd406005e, 0x72b9e555, - 0xc9b9273e, 0xfcef747f, 0xf0a35598, 0x2761e8f6, - 0xec1799df, 0x462bc52d, 0x8e47218b, 0x429ccdae, - 0xe7e7d66c, 0x70c70b03, 0x0356c3d2, 0x3cb3e7d1, - 0xd42d035d, 0x83c529a3, 0x8df9930e, 0xb082e1f0, - 0x07509c30, 0x5c33a350, 0x4f6884b9, 0x7b9d2de0, - 0x0f1d16b3, 0x38dbcf55, 0x168580ea, 0xc2f2aca4, - 0x43f0ae60, 0x227dd2ed, 0xd8dc61f4, 0x9404e8bc, - 0x0db76fe3, 0x3491d3b0, 0x6ca44e27, 0xcda63719, - }}, - .n0_inv = - { - 0x9c9a176b, - 0x44d6fa52, - 0x71a63ec4, - 
0xadc94595, - 0x3fd9bc73, - 0xa83cdc95, - 0xbe1bc819, - 0x2b421fae, - }, - .exponent = 65537, - }, - .key_type = kSigverifyKeyTypeProd, + .key = TEST_KEY_0_RSA_3072_EXP_F4, + .key_type = kSigverifyKeyTypeTest, }, - // sw/device/silicon_creator/keys/fpga_key_1.public.der [1] = { - .key = - { - .n = {{ - 0xbd158913, 0xab75ea1a, 0xc04e5292, 0x68f5778a, - 0xa71418c7, 0xddc4fc1c, 0xcb09302d, 0xedf3142b, - 0x656d7d85, 0xf761d32a, 0x2d334d1b, 0x26c91770, - 0x5b9ba5a0, 0x00ac6c05, 0xbabaf1bb, 0xa8299ecc, - 0xb4223f99, 0x5b676ad3, 0xcaa786c2, 0x3e2f1785, - 0x204b6991, 0x21fa118f, 0x435573ab, 0xa3353ba1, - 0x1074c161, 0x2ad5e901, 0x7310247c, 0x1e21b8e9, - 0x0cfc7762, 0x0a9139b1, 0xfc655b33, 0x6990faaf, - 0xbb88faec, 0x7c7bd6ef, 0x261e4555, 0x6bc3d813, - 0x5ce6e18b, 0xdd308629, 0x37d3d54d, 0x65acd84d, - 0x97b7e0c3, 0xc0d35caa, 0xb0be177a, 0x09473af3, - 0x67f43155, 0x3b2f7661, 0xf9255df2, 0x1b42c84c, - 0x355cd607, 0x835e74ca, 0x1d011c4e, 0x46652555, - 0x1566f96f, 0x6cffd2f9, 0x204e783e, 0xa178a2eb, - 0xe7297a95, 0xd7380039, 0x1a685545, 0x76ed97c9, - 0x6bc0b1b7, 0xd9b1338e, 0xa3b23005, 0x6fe7109f, - 0x01c232e1, 0x851639c5, 0xe81d338c, 0x25ebe0c4, - 0x5b0202cd, 0x3690cb70, 0xad13b664, 0x8bf7833e, - 0x6017349c, 0xf6e90b08, 0x953ef3d8, 0x4bc11817, - 0xd0f6e840, 0xfe01a954, 0x9b866209, 0xb9653ff8, - 0x0d654f5c, 0xff78177c, 0x3688833c, 0x57cc0c30, - 0x71965be7, 0xf61fb728, 0xaeac8ca2, 0xbdc9848b, - 0x954c529f, 0x9917ac7f, 0x4ba4c007, 0xce2dbf0b, - 0xfc7d8504, 0x2712580b, 0xd0293151, 0xa4dbbff3, - }}, - .n0_inv = - { - 0x079056e5, - 0xe151dae1, - 0xd4f9deee, - 0xe18c4cab, - 0x868f9abe, - 0x8643ed1c, - 0x58022be6, - 0x8f8972c9, - }, - .exponent = 3, - }, - .key_type = kSigverifyKeyTypeProd, + .key = TEST_KEY_1_RSA_3072_EXP_3, + .key_type = kSigverifyKeyTypeTest, }, };
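Review bot: The rewritten doc comment on `kSigVerifyRsaKeys` drops the notes on how the fields are produced (`n` converted to little-endian, `n0_inv` computed from `n`) and now only points to mask_rom/keys/README.md, which this commit renames with 100% similarity and so presumably still describes the old `fpga_key_*` files. Those notes now matter for the two new headers, so I would either move them there or keep one line here, e.g. ` * Key values live in keys/*.h; n is little-endian and n0_inv is derived from n.` The comment could also state that both entries are `kSigverifyKeyTypeTest` keys whose private halves are checked into the repository, since the switch from `kSigverifyKeyTypeProd` is explained only in the commit message.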