[signing] Sign ROM_EXT 0.102

Build and sign ROM_EXT 0.102.

Signed-off-by: Chris Frantz <[email protected]>

signing/logs/2025-02-07.md

@@ -0,0 +1,184 @@
+# Signing Ceremony 2025-02-07
+
+- Purpose:
+    - Create new a ROM\_EXT release for Earlgrey A1 silicon.
+    - Correct the ROM_EXT flash protection regions.
+    - Introduce ECDSA P256 + SLH-DSA hybrid signing for application payloads.
+- Participants: cfrantz (leader), moidx(witness), ttrippel (witness).
+
+## Ceremony Prolog
+
+Before the ceremony, we double checked build reproducibility.
+At opentitan commit fa29558e3d605600db08350d1dffb681f65b7472 on branch
+`earlgrey_1.0.0`, we ran:
+
+```
+bazel build --stamp \
+    //sw/device/silicon_creator/rom_ext/sival:digests \
+    @provisioning_exts//shared/rom_ext/gb:digests
+
+sha256sum \
+    bazel-out/k8-fastbuild/bin/sw/device/silicon_creator/rom_ext/sival/digests.tar \
+    bazel-out/k8-fastbuild/bin/external/provisioning_exts/shared/rom_ext/gb/digests.tar
+eacd161fd033b4383cd7396d0c13122a1a086049dd9d722087a3b87fb3282b45  bazel-out/k8-fastbuild/bin/sw/device/silicon_creator/rom_ext/sival/digests.tar
+49bc29af1e4771e0f5248777f197a07b9665f92896251771777b7124d604729d  bazel-out/k8-fastbuild/bin/external/provisioning_exts/shared/rom_ext/gb/digests.tar
+
+```
+
+Note: there is a build reproducibility error with the `dice_cwt` variant of the ROM_EXT.  We verified that the `dice_x509` ROM_EXTs are reproducible by examining the SHA256 digets of the digest files:
+
+```
+sival$ sha256sum *x509*.digest
+be1a9f502cb7419b2b980e288a9ba7e2629a23744dc788711ac732a2d5ebfc0d  rom_ext_dice_x509_prod_slot_a_fpga_cw310.digest
+be1a9f502cb7419b2b980e288a9ba7e2629a23744dc788711ac732a2d5ebfc0d  rom_ext_dice_x509_prod_slot_a_fpga_cw340.digest
+bdf03ffd4972d216c7d8c9990c6c5310aa7165f2cea39e20d5541efb58454a96  rom_ext_dice_x509_prod_slot_a_silicon_creator.digest
+1ad4c3e1cc4155645457cc2ac556bf42e6e789b1cbb52546c11e7d14f83eadaa  rom_ext_dice_x509_prod_slot_b_fpga_cw310.digest
+1ad4c3e1cc4155645457cc2ac556bf42e6e789b1cbb52546c11e7d14f83eadaa  rom_ext_dice_x509_prod_slot_b_fpga_cw340.digest
+b1dc4d7351f36832acede7d0db5090c10466c96eb154af3232428ff1f093c035  rom_ext_dice_x509_prod_slot_b_silicon_creator.digest
+e67c1e6e4d8b159de67f6970ec0da5ba0ae321a84905077fea2d17d91c1d78b3  rom_ext_dice_x509_prod_slot_virtual_fpga_cw310.digest
+e67c1e6e4d8b159de67f6970ec0da5ba0ae321a84905077fea2d17d91c1d78b3  rom_ext_dice_x509_prod_slot_virtual_fpga_cw340.digest
+be38e349ba3331b3081103ba1c2ca136488b22b42a5c25cd612884b002ba6ae8  rom_ext_dice_x509_prod_slot_virtual_silicon_creator.digest
+
+gb$ sha256sum *x509*.digest
+9b96c73872a8ef7fb24fac722805d64dd3919b409a6d558b05bc44dd98e8fff0  rom_ext_dice_x509_prod_slot_a_fpga_cw310.digest
+9b96c73872a8ef7fb24fac722805d64dd3919b409a6d558b05bc44dd98e8fff0  rom_ext_dice_x509_prod_slot_a_fpga_cw340.digest
+1ce702517305ae501c3a5b52c24a9300add0518eb866e1a9c5f1e94de96bd6aa  rom_ext_dice_x509_prod_slot_a_silicon_creator.digest
+2517e453520009e7933500519a928553014f15c0b631b3af9a9e61bb12513c6c  rom_ext_dice_x509_prod_slot_b_fpga_cw310.digest
+2517e453520009e7933500519a928553014f15c0b631b3af9a9e61bb12513c6c  rom_ext_dice_x509_prod_slot_b_fpga_cw340.digest
+224de5da6fee9721f3663135fdb44de9e74366b29d7baa60d33a2dbacef6ccc3  rom_ext_dice_x509_prod_slot_b_silicon_creator.digest
+66925ca85ccf19fee3fe98644eb887b253305ca18a2ee6cffa2722ed0b2b5014  rom_ext_dice_x509_prod_slot_virtual_fpga_cw310.digest
+66925ca85ccf19fee3fe98644eb887b253305ca18a2ee6cffa2722ed0b2b5014  rom_ext_dice_x509_prod_slot_virtual_fpga_cw340.digest
+d0117ca73a009d2dc2cbede1372df93a2c7417acc3cbe993ac95f6e0d80a2675  rom_ext_dice_x509_prod_slot_virtual_silicon_creator.digest
+```
+
+We copied the digests and `hsmtool` to a staging subdirectory.
+```
+cp bazel-out/k8-fastbuild/bin/sw/device/silicon_creator/rom_ext/sival/digests.tar ~/siging/sival.tar
+cp bazel-out/k8-fastbuild/bin/external/provisioning_exts/shared/rom_ext/gb/digests.tar ~/signing/gb.tar
+cp bazel-out/k8-fastbuild/bin/sw/host/hsmtool/hsmtool ~/signing
+```
+
+## NitroKey Preparation
+
+In order to communicate with the NitroKey token holding the key material, we used the `opensc` package.
+
+## Ceremony
+
+### Setup & Authenticate to the HSM
+
+```
+$ cd ~/signing
+$ export HSMTOOL_MODULE=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+
+$ ./hsmtool token list
+{
+  "tokens": [
+    {
+      "label": "earlgrey_a1 (UserPIN)",
+      "manufacturer_id": "www.CardContact.de",
+      "model": "PKCS#15 emulated",
+      "serial_number": "DENK0107124"
+    }
+  ]
+}
+
+$ export HSMTOOL_SPX_MODULE=pkcs11-ef
+```
+
+## Signing
+
+Signing was performed in the staging subdirectory.
+I have an `hsmtool` profile defined named `earlgrey_a1_opensc` which supplies the username and PIN.
+
+### Sival signatures
+
+```
+$ mkdir sival
+$ cd sival
+$ tar xvf ../sival.tar
+$ ../hsmtool --profile earlgrey_a1_opensc exec presigning.json
+```
+
+### GB signatures
+
+```
+$ mkdir gb
+$ cd gb
+$ tar xvf ../gb.tar
+$ ../hsmtool --profile earlgrey_a1_opensc exec presigning.json
+```
+
+## Ceremony Epilog
+
+After signing, the signatures were collected so they could be tested prior to
+publishing the signatures and binaries.
+
+```
+$ tar cvf signatures.tar */*_sig
+gb/rom_ext_dice_cwt_prod_slot_a_fpga_cw310.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_a_fpga_cw310.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_a_fpga_cw340.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_a_fpga_cw340.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_a_silicon_creator.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_a_silicon_creator.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_b_fpga_cw310.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_b_fpga_cw310.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_b_fpga_cw340.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_b_fpga_cw340.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_b_silicon_creator.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_b_silicon_creator.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw310.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw310.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw340.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw340.spx_sig
+gb/rom_ext_dice_cwt_prod_slot_virtual_silicon_creator.ecdsa_sig
+gb/rom_ext_dice_cwt_prod_slot_virtual_silicon_creator.spx_sig
+gb/rom_ext_dice_x509_prod_slot_a_fpga_cw310.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_a_fpga_cw310.spx_sig
+gb/rom_ext_dice_x509_prod_slot_a_fpga_cw340.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_a_fpga_cw340.spx_sig
+gb/rom_ext_dice_x509_prod_slot_a_silicon_creator.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_a_silicon_creator.spx_sig
+gb/rom_ext_dice_x509_prod_slot_b_fpga_cw310.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_b_fpga_cw310.spx_sig
+gb/rom_ext_dice_x509_prod_slot_b_fpga_cw340.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_b_fpga_cw340.spx_sig
+gb/rom_ext_dice_x509_prod_slot_b_silicon_creator.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_b_silicon_creator.spx_sig
+gb/rom_ext_dice_x509_prod_slot_virtual_fpga_cw310.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_virtual_fpga_cw310.spx_sig
+gb/rom_ext_dice_x509_prod_slot_virtual_fpga_cw340.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_virtual_fpga_cw340.spx_sig
+gb/rom_ext_dice_x509_prod_slot_virtual_silicon_creator.ecdsa_sig
+gb/rom_ext_dice_x509_prod_slot_virtual_silicon_creator.spx_sig
+sival/rom_ext_dice_cwt_prod_slot_a_fpga_cw310.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_a_fpga_cw340.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_a_silicon_creator.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_b_fpga_cw310.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_b_fpga_cw340.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_b_silicon_creator.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw310.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw340.ecdsa_sig
+sival/rom_ext_dice_cwt_prod_slot_virtual_silicon_creator.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_a_fpga_cw310.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_a_fpga_cw340.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_a_silicon_creator.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_b_fpga_cw310.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_b_fpga_cw340.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_b_silicon_creator.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_virtual_fpga_cw310.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_virtual_fpga_cw340.ecdsa_sig
+sival/rom_ext_dice_x509_prod_slot_virtual_silicon_creator.ecdsa_sig
+
+$ exit
+```
+
+### Attaching signatures
+
+The following command was used to attach the signatures to the ROM\_EXT binaries:
+
+```
+bazel build --stamp \
+    //sw/device/silicon_creator/rom_ext/sival:signed \
+    @provisioning_exts//shared/rom_ext/gb:signed
+```

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_a_silicon_creator.ecdsa_sig

@@ -1 +1 @@
-�V�ش�{3g�N�v�Ԛ

�H���՟��?⮿���Fڤ��$
���s�����S��
+$*���q[��Z\�<�`�	h��H-�R
/`�<�W��U�x�a�Qe�ޔ��Oxnփ����W�r

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_b_silicon_creator.ecdsa_sig

@@ -1 +1,2 @@
-�z�5�@�����c�	�7��
몋��V�����C�MPb�����=��4\��#q����p��
+��zC嵱�D�NBd��B�*O�K��&#q��
+�w��0A�_H#���� �?��'����;�^

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_virtual_fpga_cw340.ecdsa_sig

@@ -1 +1 @@
-���P��0�Zz�-�r�������FXe��X7ؒB��na愓�� &UV�Wú$�\=���{�
+`2X�ۯ��Wg�5����x��Y'��$��8Ic7� �J�ʍ���B}�Vc7����̾�~�F�v�

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_cwt_prod_slot_virtual_silicon_creator.ecdsa_sig

@@ -1 +1 @@
-��[Q���,���0��i�_)v��8��,��R����T�ӿ=�u��]�}S������
+R+۳ٜ�����tՁ���j��]���9ykhyk�w��v�V���֓XmmC��0|�	�	H�Q,

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_a_silicon_creator.ecdsa_sig

@@ -1,2 +1,2 @@
-�<n�����b��S�����H�~���ݦ���
��ϋX}?L���
-vǥ�(R�������
+Y
+ym���l��p8�чU[�����Mw���M���%�Yq<�f���`�	��X։�e&��R�

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_b_fpga_cw340.ecdsa_sig

@@ -1 +1 @@
-~w:������=n�o�$��?]m<S��c�EBYK�y�,�o�K1��ͥ��n7��5��O
+������	X��lÇ�J���U�!ґS�'�g� CT���Y�#_`|�n�x
ư҃i–�

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_b_silicon_creator.ecdsa_sig

@@ -1 +1 @@
-r�tK�3�����Dv���A���J�_��
&Z�nk�*Q�r�-ʺ���h��2�*k=�[
+�dv/�:ěm<����V�i�����jىA"�gZ�`es3ԍ�s�S,�F{��l8��Q/�d�_��

sw/device/silicon_creator/rom_ext/sival/signatures/rom_ext_dice_x509_prod_slot_virtual_fpga_cw340.ecdsa_sig

@@ -1,2 +1 @@
-�M��d.�AJ�\������%КÌ�~
-̖��,�5󑛎\f�E�$i�J�2�x-l��d
+�����ywe鳕V��70k��+�s�4;`$z*����)�ΤzU��۵Ǖ������3���G�%