[spm] add ability to generate hashed OT LC tokens
This updates the SPM to enable generating cSHAKE128 hashed OpenTitan
lifecycle tokens using the DeriveSymmetricKeys RPC function.

This partially addresses #4.

Signed-off-by: Tim Trippel <ttrippel@google.com>
timothytrippel committed Oct 8, 2024
1 parent 798f82f commit 892487b
Showing 4 changed files with 19 additions and 3 deletions.
2 changes: 1 addition & 1 deletion src/pa/loadtest.go
@@ -141,7 +141,7 @@ func (c *clientTask) ot_run(ctx context.Context, numCalls int) {
},
&pbp.SymmetricKeygenParams{
Seed: pbp.SymmetricKeySeed_SYMMETRIC_KEY_SEED_HIGH_SECURITY,
Type: pbp.SymmetricKeyType_SYMMETRIC_KEY_TYPE_RAW,
Type: pbp.SymmetricKeyType_SYMMETRIC_KEY_TYPE_HASHED_OT_LC_TOKEN,
Size: pbp.SymmetricKeySize_SYMMETRIC_KEY_SIZE_128_BITS,
Diversifier: "rma,device_id",
},
2 changes: 2 additions & 0 deletions src/spm/services/BUILD.bazel
@@ -60,6 +60,7 @@ go_library(
"//src/pk11",
"@org_golang_google_grpc//codes",
"@org_golang_google_grpc//status",
"@org_golang_x_crypto//sha3",
],
)

@@ -76,5 +77,6 @@ go_test(
"@com_github_google_go_cmp//cmp",
"@com_github_google_tink_go//kwp/subtle:go_default_library",
"@org_golang_x_crypto//hkdf",
"@org_golang_x_crypto//sha3",
],
)
10 changes: 9 additions & 1 deletion src/spm/services/se_pk11.go
@@ -13,6 +13,7 @@ import (
"fmt"
"reflect"

"golang.org/x/crypto/sha3"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"

@@ -376,7 +377,14 @@ func (h *HSM) GenerateSymmetricKeys(params []*SymmetricKeygenParams) ([][]byte,
"failed to parse extracted symmetric key: %v", ok)
}
keyBytes := []byte(aesKey)
// TODO: format it based on type (i.e. LC token or RAW)
if p.KeyType == SymmetricKeyTypeHashedOtLcToken {
// OpenTitan lifecycle tokens are stored in OTP in hashed form using the
// cSHAKE128 algorithm with the "LC_CTRL" customization string.
hasher := sha3.NewCShake128([]byte(""), []byte("LC_CTRL"))
hasher.Write(keyBytes)
hasher.Read(keyBytes)
}

symmetricKeys = append(symmetricKeys, keyBytes)
}

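Review bot: The new hashing branch in GenerateSymmetricKeys does not check the requested size, so a request with `KeyType == SymmetricKeyTypeHashedOtLcToken` and a size other than 128 bits gets back cSHAKE128 output of that other length, because `hasher.Read(keyBytes)` fills whatever buffer the extracted key occupied. As far as I know OpenTitan lifecycle tokens are 128 bits, so I would reject other sizes before hashing, e.g. `if p.SizeInBits != 128 { return nil, status.Errorf(codes.InvalidArgument, "hashed OT LC token must be 128 bits, got %d", p.SizeInBits) }`. That line assumes the function returns `([][]byte, error)`; its signature and its end are outside the hunk. The results of `hasher.Write` and `hasher.Read` are also dropped, so either check them or add a comment such as `// cSHAKE Write/Read do not return errors; results intentionally ignored`.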
8 changes: 7 additions & 1 deletion src/spm/services/se_pk11_test.go
@@ -21,6 +21,7 @@ import (
"github.com/google/go-cmp/cmp"
kwp "github.com/google/tink/go/kwp/subtle"
"golang.org/x/crypto/hkdf"
"golang.org/x/crypto/sha3"

"github.com/lowRISC/opentitan-provisioning/src/cert/signer"
"github.com/lowRISC/opentitan-provisioning/src/cert/templates/tpm"
@@ -103,7 +104,7 @@ func TestGenerateSymmKeys(t *testing.T) {
// RMA token
rmaTokenParams := SymmetricKeygenParams{
UseHighSecuritySeed: true,
KeyType: SymmetricKeyTypeRaw,
KeyType: SymmetricKeyTypeHashedOtLcToken,
SizeInBits: 128,
Sku: "test sku",
Diversifier: "rma: device_id",
@@ -138,6 +139,11 @@ func TestGenerateSymmKeys(t *testing.T) {
}
expected_key := make([]byte, len(keys[i]))
keyGenerator.Read(expected_key)
if p.KeyType == SymmetricKeyTypeHashedOtLcToken {
hasher := sha3.NewCShake128([]byte(""), []byte("LC_CTRL"))
hasher.Write(expected_key)
hasher.Read(expected_key)
}

// Check the actual and expected keys are equal.
log.Printf("Actual Key: %q", hex.EncodeToString(keys[i]))
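Review bot: The expected value in TestGenerateSymmKeys is computed with the same `sha3.NewCShake128([]byte(""), []byte("LC_CTRL"))` call as the implementation, so the test would still pass if the customization string or the empty function-name argument did not match what the device's OTP expects. A fixed known-answer vector (a raw token and its hashed form taken from the OpenTitan reference implementation) compared against the HSM output would pin the format independently of this code. Switching the RMA token params to the hashed type may also leave `SymmetricKeyTypeRaw` at 128 bits untested unless another params entry outside these hunks covers it. The test function begins and ends outside the visible hunks.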
