lowRISC / opentitan

OpenTitan: Open source silicon root of trust
https://www.opentitan.org
Apache License 2.0

[opentitantool] Cleanup spx+ commands #18183

Open jon-flatley opened 1 year ago

jon-flatley commented 1 year ago

Description

Per comments in #18041, there is some cleanup that is needed in the opentitantool spx commands.

timothytrippel commented 1 year ago

Is there something tracking adding the spx pub key export operation, i.e. exporting the public keys to header files that can be included in the ROM / any future bootstage? (as is possible with the similar RSA opentitantool command)

To get the real keys generated / added to the ROM I had to hack a shell script together to gen the header files.

msfschaffner commented 1 year ago

CC @cfrantz

vbendeb commented 1 week ago

There is yet another issue which requires clean up: not sure if this affects other modes, but in PreHashedSha256 mode the digest generated by opentitantool image digest ... needs to be converted from big endian into little endian before signing in order for opentitantool image manifest verify --spx .... and ROM_EXT validations to succeed.

But opentitantool spx verify --domain PreHashedSha256 <key> <digest> <signature> invocation expects the digest as is, without endianness change.

ROM_EXT and opentitantool image manifest verify ... cases should be updated to match opentitantool image digest ... output.

@timothytrippel @cfrantz