

[manuf] add CA for endorsing certs in perso extension
This CA should have a pathlen of 0. This fixes #24955.

Signed-off-by: Tim Trippel <[email protected]>
timothytrippel committed Nov 20, 2024
1 parent 10e5b6f commit 0754ea7
Showing 13 changed files with 78 additions and 45 deletions.
Expand Up @@ -69,7 +69,6 @@ CP_PROVISIONING_INPUTS = _DEVICE_ID_AND_TEST_TOKENS + """
--wafer-auth-secret="0x00000000_00000000_00000000_00000000_00000000_00000000_00000000_00000000"
"""

# Note that uds-auth-key-id below is the actual hash of the public key of cert_endorsement_key.sk.der
FT_PROVISIONING_INPUTS = _DEVICE_ID_AND_TEST_TOKENS + """
--target-mission-mode-lc-state="prod"
--rma-unlock-token="0x01234567_89abcdef_01234567_89abcdef"
3 changes: 2 additions & 1 deletion sw/device/silicon_creator/manuf/keys/fake/BUILD
Expand Up @@ -9,8 +9,9 @@ exports_files(glob(["**"]))
filegroup(
name = "ca_data",
srcs = [
":ca.pem",
":ca_config.json",
":dice_ca.pem",
":ext_ca.pem",
":sk.pkcs8.der",
],
)
Binary file removed sw/device/silicon_creator/manuf/keys/fake/ca.der
Binary file not shown.
4 changes: 2 additions & 2 deletions sw/device/silicon_creator/manuf/keys/fake/ca_config.json
@@ -1,12 +1,12 @@
{
"dice": {
"certificate": "sw/device/silicon_creator/manuf/keys/fake/ca.pem",
"certificate": "sw/device/silicon_creator/manuf/keys/fake/dice_ca.pem",
"key_id": "0xfe584ae7_53790cfd_8601a312_fb32d3c1_b822d112",
"key_type": "Raw",
"key": "sw/device/silicon_creator/manuf/keys/fake/sk.pkcs8.der"
},
"ext": {
"certificate": "sw/device/silicon_creator/manuf/keys/fake/ca.pem",
"certificate": "sw/device/silicon_creator/manuf/keys/fake/ext_ca.pem",
"key_id": "0xfe584ae7_53790cfd_8601a312_fb32d3c1_b822d112",
"key_type": "Raw",
"key": "sw/device/silicon_creator/manuf/keys/fake/sk.pkcs8.der"
@@ -1,9 +1,9 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBHTCBxAIBADBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDzANBgNVBAoM
MIIBHjCBxAIBADBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDzANBgNVBAoM
Bkdvb2dsZTEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFkdvb2dsZSBF
bmdpbmVlcmluZyBJQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARhCQgjUnab
iUu5ivmebhjhb+4TQuX/A2SWLfzDeQGDuCjsezqPTEP1OHqu3GlW3ovZhyp40Ju5
IwR1vy/vNJkVoAAwCgYIKoZIzj0EAwIDSAAwRQIhANepinY8fzxEZ3EyxMymfFjk
9X+Rd9HbyxPkzSD8vi7wAiAWLyR99Lk9wc2GgXKcA6COmQzCB9bzlGAdYJSDrMVM
jg==
IwR1vy/vNJkVoAAwCgYIKoZIzj0EAwIDSQAwRgIhANd3QObsB9NM9Lc+EH9cCmAK
fmqincHoi4gok4ETUimBAiEAiM66dAP5wWVUx44EbwqCxfaHqzstUhvReMY+NFUk
9sw=
-----END CERTIFICATE REQUEST-----
@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE-----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Z2xlIEVuZ2luZWVyaW5nIElDQYIUJv7onAWj7JNoJSyEsCUBgjk2+zYwDwYDVR0T
AQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYwCgYIKoZIzj0EAwIDSQAwRgIhAPzca+db
ovJwN1OmPDGgSicNps3RWvrP/nksY4farEYxAiEA/L0dVERnafk9Td91vfwgVkdh
hz/d1FGzU4U3yK/mSxo=
-----END CERTIFICATE-----
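--- /dev/null
+++ b/sw/device/silicon_creator/manuf/keys/fake/ext_ca.conf
@@ -0,0 +1,19 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+x509_extensions = v3_ca
+
+[dn]
+C=US
+ST=CA
+O=Google
+OU=Engineering
+CN=Google Engineering ICA
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:0
+keyUsage = digitalSignature, keyCertSign, cRLSign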
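Review bot: `keyUsage` in the `[v3_ca]` section is not marked critical while `basicConstraints` is; RFC 5280 §4.2.1.3 says a CA SHOULD mark keyUsage critical when it is present, so `keyUsage = critical, digitalSignature, keyCertSign, cRLSign` would be the safer default and would match how the basicConstraints line is written. The `pathlen:0` constraint is the reason this file exists, yet nothing in the file records why; a comment above it such as `# pathlen:0: this CA only endorses end-entity certificates and must never issue a subordinate CA.` would keep the intent from being lost later. `default_bits = 2048` in `[req]` only governs RSA key generation and is inert here, since gen_fake_ca.sh passes an existing key with `-key`; it could be dropped or marked as unused.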
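--- /dev/null
+++ b/sw/device/silicon_creator/manuf/keys/fake/ext_ca.csr
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBHDCBxAIBADBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDzANBgNVBAoM
+Bkdvb2dsZTEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFkdvb2dsZSBF
+bmdpbmVlcmluZyBJQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARhCQgjUnab
+iUu5ivmebhjhb+4TQuX/A2SWLfzDeQGDuCjsezqPTEP1OHqu3GlW3ovZhyp40Ju5
+IwR1vy/vNJkVoAAwCgYIKoZIzj0EAwIDRwAwRAIgDaVN/ErF4G+Cik+kI+CWzyYM
+H5RTVTlnWMeNjN+/7hgCIDXx+UNTnVHTn65zpBIA2gcrNSQuVWNdP4FenkaQ6rzE
+-----END CERTIFICATE REQUEST-----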
17 changes: 17 additions & 0 deletions sw/device/silicon_creator/manuf/keys/fake/ext_ca.pem
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
47 changes: 18 additions & 29 deletions sw/device/silicon_creator/manuf/keys/fake/gen_fake_ca.sh
Expand Up @@ -3,40 +3,29 @@
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0
#
# This script will generate two self signed CA certificates, both using the same
# configuration defined in ca.conf, but signed by different private keys.
# One using the test key file present in the current directory and the other one
# a key stored in Google Cloud KMS.
#
# Signing with Cloud KMS requires the following:
# - a Google KMS integration library
# (https://github.com/GoogleCloudPlatform/kms-integrations) module
# - a configuration file describing the Cloud KMS project containing the key.
#
# PKCS11_MODULE_PATH and KMS_PKCS11_CONFIG environment variables are set to
# point at these objects. If both variables are present the script attempts to
# generate a Cloud KMS signed certificate.
# This script will generate two self signed CA certificates, each using a
# different configuration, but signed by the same (fake) private keys. These
# root CA certificates may be used for testing perso flows on the FPGA.

set -e

cd "$(dirname "$0")"
echo "Generating fake key CA cert ..."
openssl req -new -key raw/sk.pkcs8.der -keyform der \
-out raw/ca.csr -config ca.conf
openssl x509 -req -in raw/ca.csr -signkey raw/sk.pkcs8.der \
-keyform der -out raw/ca.pem -days 3650 -extfile ca.conf \

DICE_CA_KEY="sk.pkcs8.der"
EXT_CA_KEY="$DICE_CA_KEY"

echo "Generating fake key DICE CA cert ..."
openssl req -new -key "$DICE_CA_KEY" -keyform der \
-out dice_ca.csr -config dice_ca.conf
openssl x509 -req -in dice_ca.csr -signkey "$DICE_CA_KEY" \
-keyform der -out dice_ca.pem -days 3650 -extfile dice_ca.conf \
-extensions v3_ca
echo "Done."

if [[ -z ${KMS_PKCS11_CONFIG} || -z ${PKCS11_MODULE_PATH} ]]; then
echo "Cloud KMS env not set, skipping Cloud KMS cert generation"
exit 0
fi
echo "Generating Cloud KMS key CA cert ..."
openssl req -new -key pkcs11:object=gcs-kms-earlgrey-ze-ca-p256-sha256-key \
-engine pkcs11 -keyform engine -out ckms/ca.csr -config ca.conf
openssl x509 -req -in ckms/ca.csr \
-engine pkcs11 -keyform engine \
-key pkcs11:object=gcs-kms-earlgrey-ze-ca-p256-sha256-key \
-out ckms/ca.pem -days 140 -extfile ca.conf -extensions v3_ca
echo "Generating fake key Personalization Extension CA cert ..."
openssl req -new -key "$EXT_CA_KEY" -keyform der \
-out ext_ca.csr -config ext_ca.conf
openssl x509 -req -in ext_ca.csr -signkey "$EXT_CA_KEY" \
-keyform der -out ext_ca.pem -days 3650 -extfile ext_ca.conf \
-extensions v3_ca
echo "Done."
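Review bot: `EXT_CA_KEY="$DICE_CA_KEY"` makes both CA certificates share a single private key, and the new header comment says "signed by the same (fake) private keys" although only one key is used; the header also never states what actually differs between the two configurations, which is the `pathlen:0` constraint the commit adds for the extension CA. Two CA certificates with the same public key and, judging from the identical subject and key blocks in the two CSRs in this commit, the same subject name differ only in extensions and serial, so a verifier that selects an issuer by subject or key identifier may pick the wrong certificate. That is tolerable for fake test CAs but deserves a comment next to the assignment, e.g. `# Fake test keys only: a real deployment must use a distinct key (and subject) per CA.`, and the same sharing is visible in ca_config.json, where the "dice" and "ext" entries carry an identical key_id and key path. The `set -e` line and the license header predate this hunk; the rest of the script body is shown.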
2 changes: 1 addition & 1 deletion sw/host/provisioning/cert_lib/BUILD
Expand Up @@ -9,7 +9,7 @@ package(default_visibility = ["//visibility:public"])
rust_library(
name = "cert_lib",
srcs = ["src/lib.rs"],
data = ["//sw/device/silicon_creator/manuf/keys/fake:ca.pem"],
data = ["//sw/device/silicon_creator/manuf/keys/fake:ext_ca.pem"],
deps = [
"//sw/host/opentitanlib",
"//sw/host/ot_certs",
2 changes: 1 addition & 1 deletion sw/host/provisioning/cert_lib/src/lib.rs
Expand Up @@ -294,7 +294,7 @@ mod tests {

#[test]
fn validate_good() {
let ca_pem = "./sw/device/silicon_creator/manuf/keys/fake/raw/raw_ca.pem";
let ca_pem = "./sw/device/silicon_creator/manuf/keys/fake/ext_ca.pem";
// The below byte blob is a proper TPM EK certificate generated during test runs.
let mut cert0 = EndorsedCert {
format: CertFormat::X509,
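Review bot: The replaced path on the `let ca_pem` line is relative to the process working directory, so `validate_good` only finds the CA when run from the repository root or a runfiles tree that mirrors it, and the previous value (`fake/raw/raw_ca.pem`) had evidently drifted from the `data` attribute in cert_lib/BUILD, which pointed at `fake:ca.pem`. A short comment such as `// Resolved relative to the runfiles root; keep in sync with the data attribute in cert_lib/BUILD.` would record that coupling. The remainder of `validate_good`, including the EK certificate blob that is validated against this CA, lies outside the hunk.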
