[dice, ot_certs] add CWT DICE certificate templates

stevenchtsai · stevenchtsai · commit efa780442277 · 2024-11-07T22:57:32.000+08:00
Signed-off-by: Steven Tsai &lt;steventsai@google.com&gt;
diff --git a/sw/device/silicon_creator/lib/cert/BUILD b/sw/device/silicon_creator/lib/cert/BUILD
@@ -34,6 +34,30 @@ certificate_template(
     template = "cdi_1.hjson",
 )
 
+certificate_template(
+    name = "cwt_cose_key_template",
+    cert_format = "cwt",
+    template = "cwt_cose_key.hjson",
+)
+
+certificate_template(
+    name = "cwt_dice_chain_entry_payload_template",
+    cert_format = "cwt",
+    template = "cwt_dice_chain_entry_payload.hjson",
+)
+
+certificate_template(
+    name = "cwt_dice_chain_entry_input_template",
+    cert_format = "cwt",
+    template = "cwt_dice_chain_entry_input.hjson",
+)
+
+certificate_template(
+    name = "cwt_dice_chain_entry_template",
+    cert_format = "cwt",
+    template = "cwt_dice_chain_entry.hjson",
+)
+
 certificate_template(
     name = "tpm_ek_template",
     template = "tpm_ek.hjson",
diff --git a/sw/device/silicon_creator/lib/cert/cwt_cose_key.hjson b/sw/device/silicon_creator/lib/cert/cwt_cose_key.hjson
@@ -0,0 +1,63 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+{
+    name: "cwt_cose_key",
+
+    variables: {
+        // Creator public key: this is an EC point on
+        // the prime256v1 curve so it has two components
+        // (x and y) which are 32-bytes integers.
+        creator_pub_key_ec_x: {
+            type: "byte-array",
+            exact-size: 32,
+        },
+        creator_pub_key_ec_y: {
+            type: "byte-array",
+            exact-size: 32,
+        },
+    },
+
+    constants: {
+        key_type_label: {
+            type: "integer",
+            value: 1
+        },
+        key_type_value: {
+            type: "integer",
+            value: 2
+        },
+        alg_type_label: {
+            type: "integer",
+            value: 3
+        },
+        alg_type_value: {
+            type: "integer",
+            value: -7
+        },
+        curve_type_label: {
+            type: "integer",
+            value: -1
+        },
+        curve_type_value: {
+            type: "integer",
+            value: 1
+        },
+        key_x_label: {
+            type: "integer",
+            value: -2
+        },
+        key_y_label: {
+            type: "integer",
+            value: -3
+        },
+    },
+
+    structure: {
+        key_type_label: key_type_value
+        alg_type_label: alg_type_value
+        curve_type_label: curve_type_value
+        key_x_label: creator_pub_key_ec_x
+        key_y_label: creator_pub_key_ec_y
+    }
+}
diff --git a/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry.hjson b/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry.hjson
@@ -0,0 +1,40 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+{
+    name: "cwt_dice_chain_entry",
+
+    variables: {
+        payload: {
+            type: "byte-array",
+            max-size: 437
+            // kCwtDiceChainEntryPayloadMaxVariableSizeBytes from bazel-bin/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry_payload.h
+        },
+        signature: {
+            type: "byte-array",
+            exact-size: 64
+        },
+    },
+
+    constants: {
+        one_label: {
+            type: "integer",
+            value: 1
+        },
+        neg_seven_value: {
+            type: "integer",
+            value: -7
+        },
+    },
+
+    structure: [
+        {
+            "cbor-byte-array": {
+                one_label: neg_seven_value
+            }
+        },
+        {},
+        payload
+        signature
+    ]
+}
diff --git a/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry_input.hjson b/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry_input.hjson
@@ -0,0 +1,48 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+{
+    name: "cwt_dice_chain_entry_input",
+
+    variables: {
+        payload: {
+            type: "byte-array",
+            max-size: 437
+            // kCwtDiceChainEntryPayloadMaxVariableSizeBytes from bazel-bin/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry_payload.h
+        },
+    },
+
+    constants: {
+        context_value: {
+            type: "string",
+            value: "Signature1"
+        },
+        zero_value: {
+            type: "integer",
+            value: 0
+        },
+        one_label: {
+            type: "integer",
+            value: 1
+        },
+        neg_seven_value: {
+            type: "integer",
+            value: -7
+        },
+        single_zero_byte_array: {
+            type: "byte-array",
+            value: ""
+        },
+    },
+
+    structure: [
+        context_value
+        {
+            "cbor-byte-array": {
+                one_label: neg_seven_value
+            }
+        },
+        single_zero_byte_array
+        payload
+    ]
+}
diff --git a/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry_payload.hjson b/sw/device/silicon_creator/lib/cert/cwt_dice_chain_entry_payload.hjson
@@ -0,0 +1,105 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+{
+    name: "cwt_dice_chain_entry_payload",
+
+    variables: {
+        issuer: {
+            type: "string",
+            max-size: 64,
+        },
+        subject: {
+            type: "string",
+            max-size: 64,
+        },
+        code_hash: {
+            type: "byte-array",
+            exact-size: 32,
+        },
+        config_hash: {
+            type: "byte-array",
+            exact-size: 32,
+        },
+        config_desc: {
+            type: "byte-array",
+            max-size: 64,
+        },
+        auth_hash: {
+            type: "byte-array",
+            exact-size: 32,
+        },
+        mode: {
+            type: "byte-array",
+            exact-size: 1,
+        },
+        subject_pk: {
+            type: "byte-array",
+            exact-size: 77,
+        },
+        profile_name: {
+            type: "string",
+            exact-size: 10,
+        },
+    },
+
+    constants: {
+        issuer_label: {
+            type: "integer",
+            value: 1
+        },
+        subject_label: {
+            type: "integer",
+            value: 2
+        },
+        profile_name_label: {
+            type: "integer",
+            value: -4670554
+        },
+        subject_pk_label: {
+            type: "integer",
+            value: -4670552
+        },
+        key_usage_label: {
+            type: "integer",
+            value: -4670553
+        },
+        key_usage_value: {
+            type: "byte-array",
+            value: "20"
+        },
+        code_hash_label: {
+            type: "integer",
+            value: -4670545
+        },
+        config_hash_label: {
+            type: "integer",
+            value: -4670547
+        },
+        config_desc_label: {
+            type: "integer",
+            value: -4670548
+        },
+        auth_hash_label: {
+            type: "integer",
+            value: -4670549
+        },
+        mode_label: {
+            type: "integer",
+            value: -4670551
+        },
+    },
+
+    structure: {
+        issuer_label: issuer
+        subject_label: subject
+        code_hash_label: code_hash
+        config_hash_label: config_hash
+        config_desc_label: config_desc
+        auth_hash_label: auth_hash
+        mode_label: mode
+        subject_pk_label: subject_pk
+        key_usage_label: key_usage_value
+        profile_name_label: profile_name
+    }
+}
