Currently Bazel uses a default DEFAULT_SIGNING_KEYS dictionary to configure the key used to sign any opentitan binary target. In some cases the dictionary is iterated to generate binaries signed with all available keys.
PR #17316 adds support for a ROM_EXT key domain, which is used to manage signing and verification of the first Silicon Owner boot partition. This key domain will be available for OpenTitan configurations that don't have Ownership Transfer support available, and where ownership of the chip is explicitly assigned by the ROM_EXT configured in flash.
Minimum key domain requirements
This issue is used to track the work needed to add support for multiple key domains to the build system. At a minimum the following key domains need to be supported:
ROM key domain: Any binaries verified by the ROM, e.g. ROM_EXT
ROM_EXT key domain: Any binaries verified by the ROM_EXT, e.g. first Silicon Owner boot stage
Silicon Owner key domain: Any binaries verified by any intermediate Silicon Owner stage. This key domain is available mainly for reference implementation purposes.
CC @cfrantz @timothytrippel