[provisioning] enable SIVAL cert endorsement with Nitrokeys

The DICE CA key is stored on a Nitrokey, which can be used in a benchtop
provisioning flow to endorse DICE certificates.

Signed-off-by: Tim Trippel <[email protected]>

sw/device/silicon_creator/manuf/base/BUILD

@@ -415,7 +415,7 @@ filegroup(
             tags = [
                 "lc_test_locked0",
                 "manuf",
-            ],
+            ] + ["manual"] if config.get("offline", False) else [],
             test_cmd = _FT_PROVISIONING_CMD_ARGS,
             test_harness = _FT_PROVISIONING_HARNESS.format(sku),
         ),
@@ -449,6 +449,16 @@ filegroup(
 test_suite(
     name = "ft_provision_cw310",
     tags = ["manual"],
+    tests = [
+        ":ft_provision_{}_fpga_hyper310_rom_with_fake_keys".format(sku)
+        for sku, config in EARLGREY_SKUS.items()
+        if not config.get("offline", False)
+    ],
+)
+
+test_suite(
+    name = "ft_provision_including_offline_cw310",
+    tags = ["manual"],
     tests = [
         ":ft_provision_{}_fpga_hyper310_rom_with_fake_keys".format(sku)
         for sku in EARLGREY_SKUS.keys()
@@ -458,6 +468,16 @@ test_suite(
 test_suite(
     name = "ft_provision_cw340",
     tags = ["manual"],
+    tests = [
+        ":ft_provision_{}_fpga_cw340_rom_with_fake_keys".format(sku)
+        for sku, config in EARLGREY_SKUS.items()
+        if not config.get("offline", False)
+    ],
+)
+
+test_suite(
+    name = "ft_provision_including_offline_cw340",
+    tags = ["manual"],
     tests = [
         ":ft_provision_{}_fpga_cw340_rom_with_fake_keys".format(sku)
         for sku in EARLGREY_SKUS.keys()

sw/device/silicon_creator/manuf/base/provisioning_inputs.bzl

@@ -67,8 +67,8 @@ EARLGREY_SKUS = {
     },
     "sival": {
         "otp": "sival",
-        "ca_config": "//sw/device/silicon_creator/manuf/keys/fake:ca_config.json",
-        "ca_data": ["//sw/device/silicon_creator/manuf/keys/fake:ca_data"],
+        "ca_config": "//sw/device/silicon_creator/manuf/keys/sival:ca_config.json",
+        "ca_data": ["//sw/device/silicon_creator/manuf/keys/sival:ca_data"],
         "dice_libs": ["//sw/device/silicon_creator/lib/cert:dice"],
         "host_ext_libs": ["@provisioning_exts//:default_ft_ext_lib"],
         "device_ext_libs": ["@provisioning_exts//:default_perso_fw_ext"],
@@ -79,7 +79,8 @@ EARLGREY_SKUS = {
         "owner_fw": "//sw/device/silicon_owner/bare_metal:bare_metal_slot_b",
         "ecdsa_key": {"//hw/ip/otp_ctrl/data/earlgrey_skus/sival/keys:keyset": "sv00-earlgrey-a1-root-ecdsa-prod-0"},
         "perso_bin": "//sw/device/silicon_creator/manuf/base/binaries:ft_personalize_sival",
-        "orchestrator_cfg": "//sw/host/provisioning/orchestrator/configs/skus:emulation.hjson",
+        "orchestrator_cfg": "//sw/host/provisioning/orchestrator/configs/skus:sival.hjson",
+        "offline": True,
     },
 } | EXT_EARLGREY_SKUS
 

sw/device/silicon_creator/manuf/keys/fake/README.md

@@ -33,17 +33,18 @@ $ openssl ec -in sk.pem -text -noout
 
 To generate a Root CA certificate using the earlier generated private EC key,
 you can use the CSR (Certificate Signing Request) configuration file checked in
-to this directory (`ca.conf`) as in input to the following OpenSSL commands:
+to this repo (`dice_ca.conf` or `ext_ca.conf`) as in input to the following
+OpenSSL commands:
 ```sh
 # Generate the CSR:
-$ openssl req -new -key sk.pem -out ca.csr -config ca.conf
+$ openssl req -new -key sk.pem -out dice_ca.csr -config ../dice_ca.conf
 
 # Generate the X.509 certificate in PEM format:
-$ openssl x509 -req -in ca.csr -signkey sk.pem -out ca.pem -days 3650 \
-    -extfile ca.conf -extensions v3_ca
+$ openssl x509 -req -in dice_ca.csr -signkey sk.pem -out dice_ca.pem \
+    -days 3650 -extfile ../dice_ca.conf -extensions v3_ca
 
 # Examine the generated certificate:
-$ openssl x509 -in ca.pem -text
+$ openssl x509 -in dice_ca.pem -text
 ```
 
 # Generating the RMA unlock token encryption keypair with OpenSSL

sw/device/silicon_creator/manuf/keys/fake/gen_fake_ca.sh

@@ -16,16 +16,16 @@ EXT_CA_KEY="$DICE_CA_KEY"
 
 echo "Generating fake key DICE CA cert ..."
 openssl req -new -key "$DICE_CA_KEY" -keyform der \
-        -out dice_ca.csr -config dice_ca.conf
+        -out dice_ca.csr -config ../dice_ca.conf
 openssl x509 -req -in dice_ca.csr -signkey "$DICE_CA_KEY" \
-        -keyform der -out dice_ca.pem -days 3650 -extfile dice_ca.conf \
+        -keyform der -out dice_ca.pem -days 3650 -extfile ../dice_ca.conf \
         -extensions v3_ca
 echo "Done."
 
 echo "Generating fake key Personalization Extension CA cert ..."
 openssl req -new -key "$EXT_CA_KEY" -keyform der \
-        -out ext_ca.csr -config ext_ca.conf
+        -out ext_ca.csr -config ../ext_ca.conf
 openssl x509 -req -in ext_ca.csr -signkey "$EXT_CA_KEY"  \
-        -keyform der -out ext_ca.pem -days 3650 -extfile ext_ca.conf \
+        -keyform der -out ext_ca.pem -days 3650 -extfile ../ext_ca.conf \
         -extensions v3_ca
 echo "Done."

sw/device/silicon_creator/manuf/keys/sival/BUILD

@@ -0,0 +1,16 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
+
+exports_files(glob(["**"]))
+
+filegroup(
+    name = "ca_data",
+    srcs = [
+        ":ca_config.json",
+        ":dice_ca.pem",
+        "//sw/device/silicon_creator/manuf/keys/fake:rma_unlock_enc_rsa3072.pub.der",
+    ],
+)

sw/device/silicon_creator/manuf/keys/sival/README.md

@@ -0,0 +1,49 @@
+# CA Endorsement Keys
+
+Certificate Authority endorsement keys are are used to endorse the following
+certificate chains during personalization:
+1. DICE attestation certificate chains, and
+2. SKU specific certificate chains.
+
+The real (private) keys used for the SIVAL SKU are stored on offline HSMs. The
+matching public keys and certificates are checked into the repository.
+
+To use the private keys to endorse the certificates in benchtop provisioning
+flow, one must set the following envars:
+  - `PKCS11_MODULE_PATH`: to point to the PKCS#11 shared library for the
+    hardware token they are using, and
+  - `PKCS11_TOKEN_PIN`: to the PIN used for hardware token authentication.
+
+For example, if the SIVAL private keys are stored on a Nitrokey, and you wanted
+to test the SIVAL FT provisioning flow, you would issue the following Bazel
+command:
+```sh
+bazel test --test_output=streamed \
+  //sw/device/silicon_creator/manuf/base:ft_provision_sival_fpga_hyper310_rom_with_fake_keys \
+  --action_env=PKCS11_MODULE_PATH=/opt/nitrokey/lib/libsc-hsm-pkcs11.so \
+  --action_env=PKCS11_TOKEN_PIN=<pin>
+```
+
+## Generating a Root CA Certificate from a Token Held ECDSA Key
+
+To generate a Root CA certificate from a public key held on a hardware token,
+e.g., Nitrokey, you may use the CSR (Certificate Signing Request) configuration
+file checked in to this repo (`dice_ca.conf`) as in input to the following
+commands:
+```sh
+# Set the PKCS11_MODULE_PATH envar to point to the shared library for the
+# hardware token you are using, e.g.:
+export PKCS11_MODULE_PATH=/opt/nitrokey/lib/libsc-hsm-pkcs11.so
+
+# Generate the CSR:
+openssl req -new -engine pkcs11 -keyform engine -config ../dice_ca.conf -out dice_ca.csr \
+  -key "pkcs11:pin-value=<pin>;object=sv00-earlgrey-a1-ca-dice-0"
+
+# Generate the X.509 certificate in PEM format:
+openssl x509 -req -engine pkcs11 -keyform engine -in dice_ca.csr -out dice_ca.pem \
+  -days 3650 -extfile ../dice_ca.conf -extensions v3_ca \
+  -signkey "pkcs11:pin-value=694201;object=sv00-earlgrey-a1-ca-dice-0"
+
+# Examine the generated certificate:
+openssl x509 -in dice_ca.pem -text
+```

sw/device/silicon_creator/manuf/keys/sival/ca_config.json

@@ -0,0 +1,14 @@
+{
+  "dice": {
+    "certificate": "sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem",
+    "key_id": "0x5398A4F090F2A95C3D52FC98DEB9F2F9AF042F6E",
+    "key_type": "Token",
+    "key": "sv00-earlgrey-a1-ca-dice-0"
+  },
+  "ext": {
+    "certificate": "sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem",
+    "key_id": "0x5398A4F090F2A95C3D52FC98DEB9F2F9AF042F6E",
+    "key_type": "Token",
+    "key": "sv00-earlgrey-a1-ca-dice-0"
+  }
+}

sw/device/silicon_creator/manuf/keys/sival/dice_ca.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBHjCBxAIBADBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDzANBgNVBAoM
+Bkdvb2dsZTEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFkdvb2dsZSBF
+bmdpbmVlcmluZyBJQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATu4HkgAzRX
+PJAhMw9E/qXZzoQ+Kx3awtKAPk29herxqr7d/bEYWVjKBpMg9QzTjQHQBswmU/H3
+GTr5FCjfas2foAAwCgYIKoZIzj0EAwIDSQAwRgIhAP14uGJ6C2g2lAl06oRrODme
+yjQviuSdqIaszMxFknHtAiEAszHbVPKgTtSnSggw0jFkIx8pZnUJD4cOFJ5EUGOV
+Sk4=
+-----END CERTIFICATE REQUEST-----

sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICqDCCAk+gAwIBAgIUFDAsPzL14w6/jKAtysPUTcGRgM4wCgYIKoZIzj0EAwIw
+YjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQKDAZHb29nbGUxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZHb29nbGUgRW5naW5lZXJpbmcg
+SUNBMB4XDTI0MTIwNDAzNTgwOFoXDTM0MTIwMjAzNTgwOFowYjELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQKDAZHb29nbGUxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMR8wHQYDVQQDDBZHb29nbGUgRW5naW5lZXJpbmcgSUNBMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAE7uB5IAM0VzyQITMPRP6l2c6EPisd2sLSgD5NvYXq
+8aq+3f2xGFlYygaTIPUM040B0AbMJlPx9xk6+RQo32rNn6OB4jCB3zAdBgNVHQ4E
+FgQUU5ik8JDyqVw9UvyY3rny+a8EL24wgZ8GA1UdIwSBlzCBlIAUU5ik8JDyqVw9
+UvyY3rny+a8EL26hZqRkMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEPMA0G
+A1UECgwGR29vZ2xlMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEfMB0GA1UEAwwWR29v
+Z2xlIEVuZ2luZWVyaW5nIElDQYIUFDAsPzL14w6/jKAtysPUTcGRgM4wDwYDVR0T
+AQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYwCgYIKoZIzj0EAwIDRwAwRAIgQmIdM2Mv
+KI70Huk3zWbukclONM9dAJ8n9qiD0HFnypICIBeaUmZZ1FQtsa0i0KNb7+KH5EvV
+g3u7GESPQU2jEnCj
+-----END CERTIFICATE-----

sw/host/provisioning/cert_lib/src/lib.rs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
+use std::env;
 use std::fs::{self, OpenOptions};
 use std::io::{Read, Write};
 use std::path::PathBuf;
@@ -137,7 +138,8 @@ fn parse_and_endorse_x509_cert_token(tbs: Vec<u8>, key_id: &str) -> Result<Vec<u
     file.write_all(&tbs)?;
     drop(file);
 
-    let binding_key = String::from("pkcs11:object=") + key_id;
+    let token_pin = env::var("PKCS11_TOKEN_PIN")?;
+    let key_uri = format!("pkcs11:pin-value={};object={}", token_pin, key_id);
     openssl_command(&[
         "dgst",
         "-sha256",
@@ -146,7 +148,7 @@ fn parse_and_endorse_x509_cert_token(tbs: Vec<u8>, key_id: &str) -> Result<Vec<u
         "-keyform",
         "engine",
         "-sign",
-        binding_key.as_str(),
+        key_uri.as_str(),
         "-out",
         sig_filename,
         tbs_filename,

sw/host/provisioning/orchestrator/configs/skus/emulation.hjson

@@ -2,8 +2,6 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-# OpenTitan SIVAL SKU configuration.
-
 {
   name: "emulation",
   product: "earlgrey_a1",

sw/host/provisioning/orchestrator/configs/skus/sival.hjson

@@ -2,26 +2,25 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-# OpenTitan SIVAL SKU configuration.
-
 {
   name: "sival",
   product: "earlgrey_a1",
   si_creator: "nuvoton",
   package: "npcr10",
   target_lc_state: "prod",
-  # TODO: update with real CA and RMA token keys.
   dice_ca: {
-    certificate: "sw/device/silicon_creator/manuf/keys/fake/dice_ca.pem",
-    key: "sw/device/silicon_creator/manuf/keys/fake/sk.pkcs8.der",
-    key_type: "Raw",
-    key_id: "0xfe584ae7_53790cfd_8601a312_fb32d3c1_b822d112"
+    certificate: "sv00-earlgrey-a1-ca-dice-0",
+    key: "sv00-earlgrey-a1-ca-dice-0",
+    key_type: "Token",
+    key_id: "0x0"
   }
+  // There are no certs provisioned in the extension portion of the firmware, so
+  // we use the same CA as the DICE CA.
   ext_ca: {
-    certificate: "sw/device/silicon_creator/manuf/keys/fake/ext_ca.pem",
-    key: "sw/device/silicon_creator/manuf/keys/fake/sk.pkcs8.der",
-    key_type: "Raw",
-    key_id: "0xfe584ae7_53790cfd_8601a312_fb32d3c1_b822d112"
+    certificate: "sv00-earlgrey-a1-ca-dice-0",
+    key: "sv00-earlgrey-a1-ca-dice-0",
+    key_type: "Token",
+    key_id: "0x0"
   }
   token_encrypt_key: "sw/device/silicon_creator/manuf/keys/fake/rma_unlock_enc_rsa3072.pub.der"
 }