[manuf] enable extension CA to be optional

Some FT provisioning flows do not make use of the extension CA, so we
make it an optional argument.

Signed-off-by: Tim Trippel <[email protected]>

sw/device/silicon_creator/manuf/keys/sival/ca_config.json

@@ -4,11 +4,5 @@
     "key_id": "0x5398A4F090F2A95C3D52FC98DEB9F2F9AF042F6E",
     "key_type": "Token",
     "key": "sv00-earlgrey-a1-ca-dice-0"
-  },
-  "ext": {
-    "certificate": "sw/device/silicon_creator/manuf/keys/sival/dice_ca.pem",
-    "key_id": "0x5398A4F090F2A95C3D52FC98DEB9F2F9AF042F6E",
-    "key_type": "Token",
-    "key": "sv00-earlgrey-a1-ca-dice-0"
   }
 }

sw/host/provisioning/ft/BUILD

@@ -21,6 +21,7 @@ package(default_visibility = ["//visibility:public"])
             "//sw/host/provisioning/ujson_lib",
             "//sw/host/provisioning/util_lib",
             "@crate_index//:anyhow",
+            "@crate_index//:arrayvec",
             "@crate_index//:base64ct",
             "@crate_index//:clap",
             "@crate_index//:elliptic-curve",

sw/host/provisioning/ft/src/main.rs

@@ -7,6 +7,7 @@ use std::path::PathBuf;
 use std::time::{Duration, Instant};
 
 use anyhow::{bail, Context, Result};
+use arrayvec::ArrayVec;
 use base64ct::{Base64, Encoding};
 use clap::{Args, Parser};
 use elliptic_curve::pkcs8::DecodePrivateKey;
@@ -188,7 +189,11 @@ fn main() -> Result<()> {
         hex_string_to_u32_arrayvec::<8>(opts.provisioning_data.owner_measurement.as_str())?;
     let owner_security_version = opts.provisioning_data.owner_security_version;
     let dice_ca_key_id = hex_string_to_u8_arrayvec::<20>(ca_cfgs["dice"].key_id.as_str())?;
-    let ext_ca_key_id = hex_string_to_u8_arrayvec::<20>(ca_cfgs["ext"].key_id.as_str())?;
+    let ext_ca_key_id = if let Some(ext) = ca_cfgs.get("ext") {
+        hex_string_to_u8_arrayvec::<20>(ext.key_id.as_str())?
+    } else {
+        ArrayVec::<u8, 20>::new()
+    };
     let _perso_certgen_inputs = ManufCertgenInputs {
         rom_ext_measurement: rom_ext_measurement.clone(),
         rom_ext_security_version,

sw/host/provisioning/ft_lib/src/lib.rs

@@ -317,8 +317,6 @@ fn provision_certificates(
     // Extract CAs.
     let dice_ca_cert = &ca_cfgs["dice"].certificate;
     let dice_ca_key = &ca_keys["dice"];
-    let ext_ca_cert = &ca_cfgs["ext"].certificate;
-    let ext_ca_key = &ca_keys["ext"];
 
     // DICE certificate names.
     let dice_cert_names = HashSet::from(["UDS", "CDI_0", "CDI_1"]);
@@ -358,6 +356,7 @@ fn provision_certificates(
             let cert_bytes = if dice_cert_names.contains(cert.cert_name) {
                 parse_and_endorse_x509_cert(cert.cert_body.clone(), dice_ca_key)?
             } else {
+                let ext_ca_key = &ca_keys["ext"];
                 parse_and_endorse_x509_cert(cert.cert_body.clone(), ext_ca_key)?
             };
 
@@ -451,15 +450,22 @@ fn provision_certificates(
     // TODO(lowRISC/opentitan:#24281): Add CWT verifier
     let t0 = Instant::now();
     if !dice_cert_chain.is_empty() {
-        log::info!("Validating DICE certificate chain with OpenSSL ...");
+        log::info!(
+            "Validating DICE certificate chain with OpenSSL (root CA: {:?}) ...",
+            dice_ca_cert
+        );
         validate_cert_chain(dice_ca_cert.to_str().unwrap(), &dice_cert_chain)?;
         log::info!("Success.");
     }
     response.stats.log_elapsed_time("perso-validate-dice", t0);
 
     let t0 = Instant::now();
     if !sku_specific_certs.is_empty() {
-        log::info!("Validating SKU-specific certificates with OpenSSL ...");
+        let ext_ca_cert = &ca_cfgs["ext"].certificate;
+        log::info!(
+            "Validating SKU-specific certificates with OpenSSL (root CA: {:?}) ...",
+            ext_ca_cert
+        );
         for sku_specific_cert in sku_specific_certs.iter() {
             validate_cert_chain(ext_ca_cert.to_str().unwrap(), &[sku_specific_cert.clone()])?;
         }