[provisioning] enable benchtop SIVAL cert endorsement with Nitrokeys #25502
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
3 times, most recently
from
4300c8f to
df5848b
Compare
cfrantz
approved these changes
Dec 4, 2024
| "key_type": "Token", | ||
| "key": "sv00-earlgrey-a1-ca-dice-0" | ||
| }, | ||
| "ext": { |
There was a problem hiding this comment.
TODO: make ext optional for skus that don't have extra certs.
moidx
approved these changes
Dec 4, 2024
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
from
df5848b to
6c364e5
Compare
milesdai
approved these changes
Dec 4, 2024
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
from
6c364e5 to
7cb476c
Compare
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
from
7cb476c to
24ddaf3
Compare
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
from
24ddaf3 to
3ec1f6f
Compare
Ah right, fixed. Thanks. |
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
4 times, most recently
from
94375f7 to
1d960d5
Compare
The DICE CA key is stored on a Nitrokey, which can be used in a benchtop provisioning flow to endorse DICE certificates. Signed-off-by: Tim Trippel <[email protected]>
This pubkey is used to encrypt RMA unlock tokens during FT before saving them to the registry. Signed-off-by: Tim Trippel <[email protected]>
The DIN portion of the device ID contains fields that are in BCD format, as was updated in lowRISC#25493. However, the test was not updated accordingly. Moreover, lowRISC#25493 only added parsing BCD formated DINs, but not generating them from the internal DIN object representation. This has also been fixed. Signed-off-by: Tim Trippel <[email protected]>
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
2 times, most recently
from
473f2cb to
b966c9e
Compare
The ujson payload containing the device ID was sent to the FT individualize in the wrong order. Signed-off-by: Tim Trippel <[email protected]>
The personalization binaries of non-emulation SKUs are checked into the the repo, and therefore have a different path. Fix the orchestrator script to use the correct path for these binaries. Signed-off-by: Tim Trippel <[email protected]>
timothytrippel
force-pushed
the
enable-nk-cert-endorse
branch
from
b966c9e to
aa2a802
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The DICE CA key may be stored on a Nitrokey, which can be used in a benchtop provisioning flow to endorse DICE certificates. This enables such flows by simply setting an envar (
PKCS11_MODULE_PATH) and plugging in a Nitrokey to the host machine.