# Copyright lowRISC contributors.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0
load("@lowrisc_opentitan//rules:otp.bzl", "otp_image", "otp_json", "otp_partition")
# Every target in this package is visible to all other packages unless it sets
# its own visibility.
package(default_visibility = ["//visibility:public"])

# Make the files under autogen/ referenceable by label from other packages.
exports_files(glob(["autogen/**"]))

# All files in this package, matched recursively.
# NOTE(review): together with the public default visibility this hands the
# whole directory tree to any dependent; confirm that nothing sensitive (for
# example real provisioning values) is ever placed under this package.
filegroup(
    name = "all_files",
    srcs = glob(["**"]),
)

# Every .hjson file in this package, matched recursively.
filegroup(
    name = "all_hjson_files",
    srcs = glob(["**/*.hjson"]),
)
# A fork of OpenTitan's hw/ip/otp_ctrl/data:img_rma target. However, no
# otp_json_alert_digest_cfg overlay is applied here, because generating the new
# OWNER_SW_CFG_ROM_ALERT_DIGEST_* values requires opentitantool.
# NOTE(review): without that overlay the alert digest items come only from the
# base JSON and the three overlays listed below; confirm that whatever checks
# those digests accepts the resulting values for this image.
otp_image(
    name = "otp_img_rma",
    # Base description and overlays are all taken from the upstream
    # @lowrisc_opentitan repository, not from the local targets in this file.
    src = "@lowrisc_opentitan//hw/ip/otp_ctrl/data:otp_json_rma",
    overlays = [
        "@lowrisc_opentitan//hw/ip/otp_ctrl/data:otp_json_creator_sw_cfg",
        "@lowrisc_opentitan//hw/ip/otp_ctrl/data:otp_json_owner_sw_cfg",
        "@lowrisc_opentitan//hw/ip/otp_ctrl/data:otp_json_hw_cfg",
    ],
)
################
# Base OTP description for the "empty" image: every item in the SECRET
# partitions is the literal "0" and none of those partitions is locked.
# NOTE(review): all-zero tokens, key seeds and root key shares are placeholders,
# not secrets. Treat an image built from this target as unsuitable for any
# device that has to protect real keys; confirm it is used for bring-up or
# test only.
otp_json(
    name = "otp_json_empty",
    partitions = [
        otp_partition(
            name = "SECRET0",
            # Test unlock and test exit tokens, both zero.
            items = {
                "TEST_UNLOCK_TOKEN": "0",
                "TEST_EXIT_TOKEN": "0",
            },
            # Partition is left unlocked.
            lock = False,
        ),
        otp_partition(
            name = "SECRET1",
            # Flash address/data and SRAM data key seeds, all zero.
            items = {
                "FLASH_ADDR_KEY_SEED": "0",
                "FLASH_DATA_KEY_SEED": "0",
                "SRAM_DATA_KEY_SEED": "0",
            },
            # Partition is left unlocked.
            lock = False,
        ),
        otp_partition(
            name = "SECRET2",
            # RMA token and both creator root key shares, all zero.
            items = {
                "RMA_TOKEN": "0",
                "CREATOR_ROOT_KEY_SHARE0": "0",
                "CREATOR_ROOT_KEY_SHARE1": "0",
            },
            # Partition is left unlocked.
            lock = False,
        ),
        otp_partition(
            name = "LIFE_CYCLE",
            count = 8,
            # The life cycle state is TEST_UNLOCKED0, with a count of 8.
            # TODO: confirm that this state/count pairing is the intended one
            # for the empty image.
            state = "TEST_UNLOCKED0",
        ),
    ],
    # Fixed seed.
    # NOTE(review): presumably the seed the OTP image generator uses for any
    # randomized values; a constant makes them reproducible - confirm.
    seed = "0",
)
# CREATOR_SW_CFG overlay for the empty image. Every item below is zero; the
# per-item comments say what each field controls, not that it is enabled.
otp_json(
    name = "otp_json_creator_sw_cfg",
    partitions = [
        otp_partition(
            name = "CREATOR_SW_CFG",
            items = {
                "CREATOR_SW_CFG_DIGEST": "0x0",
                # Controls whether the software mod_exp implementation is used
                # for signature verification. The field is a `hardened_bool_t`;
                # see its definition in sw/device/lib/base/hardened.h.
                # NOTE(review): "0" is presumably neither encoding of that
                # type; confirm how the consumer treats it.
                "CREATOR_SW_CFG_SIGVERIFY_RSA_MOD_EXP_IBEX_EN": "0",
                # Per-key validity flags for the signature verification keys,
                # encoded as `hardened_byte_bool_t` (see
                # sw/device/lib/base/hardened.h).
                # NOTE(review): the text inherited with this item spoke of
                # marking the first three keys valid; the value here is "0",
                # which presumably marks no key valid - confirm.
                "CREATOR_SW_CFG_SIGVERIFY_RSA_KEY_EN": "0",
                # Controls the use of entropy for countermeasures. The field is
                # a `hardened_bool_t` (see sw/device/lib/base/hardened.h); it
                # is "0" here.
                "CREATOR_SW_CFG_RNG_EN": "0",
                # ROM execution is enabled only if this item is set to a
                # non-zero value; it is "0" here.
                "CREATOR_SW_CFG_ROM_EXEC_EN": "0",
                # Value to write to the cpuctrl CSR in `rom_init()`.
                # See:
                # https://ibex-core.readthedocs.io/en/latest/03_reference/cs_registers.html#cpu-control-register-cpuctrl
                "CREATOR_SW_CFG_CPUCTRL": "0",
                "CREATOR_SW_CFG_JITTER_EN": "0",
                # Value of the min_security_version_rom_ext field of the
                # default boot data. 0x0 sets that minimum to zero.
                "CREATOR_SW_CFG_MIN_SEC_VER_ROM_EXT": "0x0",
                # Value of the min_security_version_bl0 field of the default
                # boot data. 0x0 sets that minimum to zero.
                "CREATOR_SW_CFG_MIN_SEC_VER_BL0": "0x0",
                # Controls whether the default boot data is enabled in the PROD
                # and PROD_END life cycle states. The field is a
                # `hardened_bool_t` (see sw/device/lib/base/hardened.h).
                "CREATOR_SW_CFG_DEFAULT_BOOT_DATA_IN_PROD_EN": "0",
                # Controls AST initialization.
                "CREATOR_SW_CFG_AST_INIT_EN": "0",
                # RMA spin: a busy loop in the ROM that gives time to trigger
                # an RMA life cycle transition via JTAG.
                # NOTE(review): the text inherited with these items referred to
                # a 10-cycle value used by test code; here both the enable and
                # the cycle count are "0".
                # TODO: choose values suitable for a real chip if this path is
                # needed.
                "CREATOR_SW_CFG_RMA_SPIN_EN": "0",
                "CREATOR_SW_CFG_RMA_SPIN_CYCLES": "0",
                # Entropy source health check values. These need to be
                # populated when `CREATOR_SW_CFG_RNG_EN` is set to true; all of
                # them are zero here.
                "CREATOR_SW_CFG_RNG_REPCNT_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_REPCNTS_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_ADAPTP_HI_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_ADAPTP_LO_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_BUCKET_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_MARKOV_HI_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_MARKOV_LO_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_EXTHT_HI_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_EXTHT_LO_THRESHOLDS": "0",
                "CREATOR_SW_CFG_RNG_ALERT_THRESHOLD": "0",
                "CREATOR_SW_CFG_RNG_HEALTH_CONFIG_DIGEST": "0",
            },
        ),
    ],
)
# OWNER_SW_CFG overlay for the empty image. Every item below is zero; the
# per-item comments say what each field controls, not that it is enabled.
otp_json(
    name = "otp_json_owner_sw_cfg",
    partitions = [
        otp_partition(
            name = "OWNER_SW_CFG",
            items = {
                "OWNER_SW_CFG_DIGEST": "0x0",
                # Controls bootstrap. The field is a `hardened_bool_t`; see
                # sw/device/lib/base/hardened.h. It is "0" here.
                "OWNER_SW_CFG_ROM_BOOTSTRAP_EN": "0",
                # Set to 0x739 to use the ROM_EXT hash measurement as the key
                # manager attestation binding value. It is 0x0 here, so that
                # measurement binding is not selected.
                "OWNER_SW_CFG_ROM_KEYMGR_ROM_EXT_MEAS_EN": "0x0",
                # Error reporting (redaction) policy.
                # NOTE(review): the text inherited with this item says errors
                # are reported without any redaction; confirm that "0" really
                # selects that policy, since unredacted error codes tell an
                # observer more about why a boot failed.
                "OWNER_SW_CFG_ROM_ERROR_REPORTING": "0",
                # Alert class enables. See `alert_enable_t` in
                # sw/device/silicon_creator/lib/drivers/alert.h
                # NOTE(review): intended to be kAlertEnableNone; confirm that
                # "0" is that enum's value.
                "OWNER_SW_CFG_ROM_ALERT_CLASS_EN": "0",
                # Alert escalation policies. See `alert_escalate_t` in
                # sw/device/silicon_creator/lib/drivers/alert.h
                # NOTE(review): intended to be kAlertEscalateNone; confirm that
                # "0" is that enum's value.
                "OWNER_SW_CFG_ROM_ALERT_ESCALATION": "0",
                # Alert classifications, 80 entries. See `alert_class_t` in
                # sw/device/silicon_creator/lib/drivers/alert.h
                # NOTE(review): intended to be kAlertClassX; confirm that "0"
                # is that enum's value.
                "OWNER_SW_CFG_ROM_ALERT_CLASSIFICATION": ["0"] * 80,
                # Local alert classifications, 16 entries. See `alert_class_t`
                # in sw/device/silicon_creator/lib/drivers/alert.h
                # NOTE(review): intended to be kAlertClassX; confirm that "0"
                # is that enum's value.
                "OWNER_SW_CFG_ROM_LOCAL_ALERT_CLASSIFICATION": ["0"] * 16,
                # Set the alert accumulation thresholds to 0 per class.
                "OWNER_SW_CFG_ROM_ALERT_ACCUM_THRESH": ["0x00000000"] * 4,
                # Set the alert timeout cycles to 0 per class.
                "OWNER_SW_CFG_ROM_ALERT_TIMEOUT_CYCLES": ["0x00000000"] * 4,
                # Alert phase cycles: 16 entries, all zero.
                # NOTE(review): the text inherited with this item described
                # 0,10,10,0xFFFFFFFF for classes A and B; that is not what is
                # set here.
                "OWNER_SW_CFG_ROM_ALERT_PHASE_CYCLES": [
                    "0x0",
                    "0",
                    "0",
                    "0",
                    "0x0",
                    "0",
                    "0",
                    "0",
                    "0x0",
                    "0x0",
                    "0x0",
                    "0x0",
                    "0x0",
                    "0x0",
                    "0x0",
                    "0x0",
                ],
            },
        ),
    ],
)
# HW_CFG overlay for the empty image: device ID zero, every listed hardware
# enable set to False, partition left unlocked.
otp_json(
    name = "otp_json_hw_cfg",
    partitions = [
        otp_partition(
            name = "HW_CFG",
            items = {
                "DEVICE_ID": "0",
                # Access to the CSRNG software interfaces. Cryptolib and
                # chip-level tests require it; it is disabled here, so those
                # tests presumably cannot run against this image.
                "EN_CSRNG_SW_APP_READ": False,
                # SRAM instruction fetch enable (going by the item name);
                # disabled here.
                "EN_SRAM_IFETCH": False,
                # Access to the entropy_src FW data interface. Cryptolib and
                # chip-level tests require it; it is disabled here.
                "EN_ENTROPY_SRC_FW_READ": False,
                # Access to the entropy_src FW override interface. Cryptolib
                # and chip-level tests require it; it is disabled here.
                "EN_ENTROPY_SRC_FW_OVER": False,
            },
            # Partition is left unlocked.
            # NOTE(review): presumably the values above can still be changed
            # after programming while the partition is unlocked - confirm.
            lock = False,
        ),
    ],
)
# OTP image built from this package's own all-zero base description
# (:otp_json_empty) with the three local overlays applied.
# NOTE(review): every secret in the base is "0" and its SECRET partitions are
# unlocked, so this image carries no real key material; confirm it is never
# used where device secrets must be protected.
otp_image(
    name = "otp_img_empty",
    src = ":otp_json_empty",
    overlays = [
        ":otp_json_creator_sw_cfg",
        ":otp_json_owner_sw_cfg",
        ":otp_json_hw_cfg",
    ],
)