[hsmtool] Add support for kdf secrets. #26291

Merged: 1 commit, Feb 15, 2025

@moidx moidx commented Feb 14, 2025

KDF secrets are used to derive OpenTitan TEST_UNLOCK and TEST_EXIT tokens in the provisioning infrastructure. This change adds support for import/export operations in plaintext mode. A follow-up commit will add support for wrapped keys, as well as pkcs12 container support to be able to load the secrets into USB tokens.

@moidx moidx requested a review from cfrantz February 14, 2025 01:29
@moidx moidx requested a review from a team as a code owner February 14, 2025 01:29
@moidx moidx requested review from timothytrippel and removed request for a team February 14, 2025 04:48

@cfrantz cfrantz left a comment

LGTM

sw/host/hsmtool/src/commands/kdf/mod.rs (resolved)
moidx added a commit to moidx/ot-prov that referenced this pull request Feb 15, 2025
With lowRISC/opentitan#26291, `hsmtool` has been
updated to support generic secrets. The HSM configuration for OpenTitan
SKUs will be handled by `hsmtool` scripts.

Signed-off-by: Miguel Osorio <[email protected]>
KDF secrets are used to derive OpenTitan `TEST_UNLOCK` and `TEST_EXIT`
tokens in the provisioning infrastructure. This change adds support for
import/export operations in plaintext mode. A follow-up commit will add
support for wrapped keys, as well as pkcs12 container support to be able
to load the secrets into USB tokens.

Signed-off-by: Miguel Osorio <[email protected]>
@moidx moidx merged commit 2816f76 into lowRISC:earlgrey_1.0.0 Feb 15, 2025
31 of 32 checks passed
@moidx moidx deleted the hsmtool-add-kdf branch February 15, 2025 05:52
moidx added a commit to lowRISC/opentitan-provisioning that referenced this pull request Feb 15, 2025
With lowRISC/opentitan#26291, `hsmtool` has been
updated to support generic secrets. The HSM configuration for OpenTitan
SKUs will be handled by `hsmtool` scripts.

Signed-off-by: Miguel Osorio <[email protected]>