Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[cherry-pick] #22772, #22837, and #22810 to earlgrey_es_sival branch #22907

Closed
wants to merge 10 commits into from
Closed

[cherry-pick] #22772, #22837, and #22810 to earlgrey_es_sival branch #22907

wants to merge 10 commits into from

Conversation

timothytrippel
Copy link
Contributor

This cherry picks several commits from master that enable TPM attestation key generation off of the correct (sealing) side of the keymgr's key ladder.

@timothytrippel timothytrippel requested review from cfrantz and a team as code owners April 30, 2024 19:57
@timothytrippel timothytrippel removed request for a team April 30, 2024 19:57
pamaury and others added 10 commits May 1, 2024 15:08
@pamaury @timothytrippel
[ot_certs] Rename extensions to private_extensions
a82b1c0 
Signed-off-by: Amaury Pouly <[email protected]>
(cherry picked from commit 80c8a02)
@pamaury @timothytrippel
[ot_certs] Rework Name handling
a9d6f85 
Names were previously represented as maps but this is problematic
for two reasons:
- order is not preserved,
- it cannot represente multi-valued RDNs (although they are are).

This commit changes the representation to an array of maps so that
it maps cleanly to the ASN1 representation (sequence of sets). In
particular the order in the array preserved while the order in the
map/set is arbitrary (this matches the expected X501 behaviour).
This makes the hjson a little bit more ugly but it's not too terrible.
One issue that arises from this change is that although it is very
easy to modify the builder to handle multi-valued RDNs, the openssl
parser cannot reconstruct them because the openssl-sys binding
misses a function (see FIXME in the code). Since multi-valued RDNs
are rare and not used in our codebase presently, we simply assume
single-valued RDNs are the moment.

Signed-off-by: Amaury Pouly <[email protected]>
(cherry picked from commit 11e5cf5)
@pamaury @timothytrippel
[third_party/rust] Update rust dependency
018cb98 
The main purpose of this commit is to update the openssl crate version
to a newer version. However, repinning breaks sw/host/tests/crypto
because they depend on specific crates and crate features that are
not explicitely set in Cargo.toml, hence this commit also corrects
that.

Signed-off-by: Amaury Pouly <[email protected]>
(cherry picked from commit 3a8460d)
@pamaury @timothytrippel
[ot_certs] Replace unsafe code with safe wrapper
05b21a9 
The newer version of the openssl crate provides a safe wrapper
to get a directory name out of a general name.

Signed-off-by: Amaury Pouly <[email protected]>
(cherry picked from commit 16a55f0)
@timothytrippel
[manuf] add ujson CRC to personalize_functest
83f6469 
This adds a CRC over the host-->device UJSON communication to improve
test reliability.

Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit b561be4)
@timothytrippel
[manuf] increase reliability of lc read testutil
9d53d3d 
The LC read test utility was not waiting for the lc_ctrl to be ready to
receive transactions before reading the LC state. This increases the
reliability of this utility, and test cases that use it, specifically,
the `ft_provision` test case.

Additionally, this move the `ft_provision` silicon exec_env to the
`teacup` interface (a minor cleanup).

Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit 8312753)
@timothytrippel
[manuf] refactor personalize_functest to optimize code reuse
a89b382 
This refactor's the `personalize_functest` to optimize code reuse.

Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit fcb75f7)
@timothytrippel
[sw/silicon_creator] enable OTBN boot services to gen TPM keys
a2b9e4d 
This refactors the OTBN boot services library, and silicon_creator
keymgr driver to enable generating two types attestation keys:
1. DICE keys, that are based on the attestation side of the key ladder,
   and
2. TPM keys, that are based on the sealing side of the key ladder.

This fixes lowRISC#22622.

Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit 641d4e0)
@timothytrippel
[test] adjust exec_env of otbn_boot_functest
fbc7685 
The `otbn_boot_services_functest` must run in the ROM_EXT slot since it
manipulates the keygmr state, which normally is done by the ROM_EXT.

This partially addresses lowRISC#21706.

Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit 698b5a6)
@timothytrippel
[dice] refactor dice lib to reduce code size
1b159b1 
This refactors the dice lib to optimize code reuse and follow lib asset
naming conventions.

Signed-off-by: Tim Trippel <[email protected]>
(cherry picked from commit b217f41)
This was referenced May 3, 2024
Merged
Merged
@timothytrippel
Copy link
Contributor Author

Closing this, as I split this into two smaller PRs (#22967 and #22968) to deal with the CI issues.

@timothytrippel timothytrippel deleted the cherry-pick branch May 30, 2024 18:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moidx moidx moidx approved these changes

@cfrantz cfrantz cfrantz approved these changes

@pamaury pamaury pamaury approved these changes

@vbendeb vbendeb Awaiting requested review from vbendeb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@timothytrippel @pamaury @cfrantz @moidx