Skip to content

[keymgr_dpe] Replace keymgr in EG - PR9 top level integration#30697

Draft
rroth-lowrisc wants to merge 34 commits into
lowRISC:masterfrom
rroth-lowrisc:keymgr_dpe_PR9_top_integration
Draft

[keymgr_dpe] Replace keymgr in EG - PR9 top level integration#30697
rroth-lowrisc wants to merge 34 commits into
lowRISC:masterfrom
rroth-lowrisc:keymgr_dpe_PR9_top_integration

Conversation

@rroth-lowrisc

Copy link
Copy Markdown

PR9 - Top level integration

This PR is the ninth in a series which will replace the keymgr with the kemgr_dpe in earlgrey. The replacement was approved by this RFC.

Merge-Dependencies

Note: The last three PR's (#30668 / #30670 / #30677) can only be merged after this PR is approved as the SW are not included in the build system until this PR.

Relevant Commits

The last ??? commits.

Description

This PR actually replaces the keymgr with the keymgr_dpe on the top-layer. All backdoor loads in the chip_if.sv are disable for the time being. It is possible to select if the creator / owner seed is provided by either the flash_ctrl or the otp_ctrl. To avoid breaking a lot of tests they are updated directly inside this PR.

The first commit encompasses all changes on the top-layer to replace the keymgr with keymgr_dpe. I split all autogenerated code into a separate commit to allow for a faster review process.

In general all commits in this PR needs to be squashed together as otherwise we will have a broken master between commits.

Split the otp_keymgr_key interface into its respective components.
Future version of the keymgr(_dpe) may receive the information from
different IP's rather than combined from the otp_ctrl.

To avoid a circular dependencies the DevIdWidth instantiated
in keymgr_dpe_pkg replaces the otp_ctrl_pkg::DeviceIdWidth.

As the keymgr still expects the combined message the earlgrey top
manually combines the key material. This fix will be removed when
the keymgr is replaced by the keymgr_dpe.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit updates the `otp_ctrl` dv to reflect the new interface between
the `keymgr` and the `otp_ctrl`. The secret / seed verification inside the
otp_ctrl scoreboard template are no longer dynamically generated. The reason
is that the previously shared port signal has been split into its respective
components, which does not interacts well with the dynamic generation anymore.

However, adding a secret to the otp now results in a port-list change anyways the
resulting overhead is deemed acceptable.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit removes all otp_ctrl dependency in the keymgr_dpe dv.
This change ensures that the dv architecture accurately reflects
the dependency in the RTL implementation.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit improves the block level dv by:
- Introducing more verbose messages
- Latching the correct DEFAULT_UDS_POLICY
- Prevent ambiguous state after the disable operation
  by restricting any advance call

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
The scoreboard loads the UDS directly from the DUT via interface.
The problem is the keymgr_dpe initializes the slot for the UDS with
randomness. The initally loaded UDS is xored with the randomness
already present in the destination slot as countermeasure for SCA.
The scoreboard however can currently not recreate this randomness
thus the backdoor load.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Introduction of the third bootstage defined in the opentitan identities-and-root-keys
(https://opentitan.org/book/doc/security/specs/identities_and_root_keys/index.html)
strategy. The `creator_seed` is now consumed by BootStageOwnerInt rather
than by BootStageCreator.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit allows for a limited parametrization by the top without
having a fully templated IP. The top can define the following:

- Number of bootstages (either two or three)
- Number of ROM digest values
- Number of HW slots instanciated (up to 8 slots)

The block level dv is extended to test two different configurations,
called earlgrey and darjeeling.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Add three missing features to the dif of the keymgr_dpe.

- The disable function to transition the keymgr_dpe into the disabled state
- The configuration function to set the re-seeding interval of the keymgr_dpe
- Any sideloaded key on the sideload interface can now be cleared by sw

Add an empty `dif_keymgr_dpe_unittest.cc` file to avoid triggering error
during the top integration, tracked in Issue lowRISC#30609.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit introduces a first version of the keymgr_dpe sw in
the silicon creator lib. It covers the basic keymgr_dpe features.

Add source / header file **without** linking them in the
appropriate *BUILD* file as some dependencies do not exist yet!

Add an empty keymgr_dpe_unittest.cc file to avoid triggering error
during the top integration, tracked in Issue lowRISC#30609.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
To ensure backwards compatibility, the file has been split into two
sections due to the different boot processes. The first part covers
the boot process for darjeeling and the second part covers the boot process
for earlgrey. This `if define ...` should either be replaced with two
testutils files for the keymgr_dpe (linked by Bazel according to the top)
or with a finer granularity of defines (e.g. function-wise)

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit introduces a first version of the keymgr_dpe sw in
the crypto lib. It covers the basic keymgr_dpe features.

Add source / header file **without** linking them in the
appropriate BUILD file as some dependencies do not exist yet!

This commit contains the backported changes from the following
git commit hashes (changes done in `keymgr` but relevant for
`keymgr_dpe` too):

- 9dcbb05
- 4afe7cd
- ab8c166
- b10d2fe
- e587303
- 068c37e

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit introduces the test for the `keymgr_dpe` driver inside
the crypto lib. It covers the basic `keymgr_dpe` features.

Add source / header file **without** linking them in the
appropriate BUILD file as some dependencies do not exist yet!

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit replaces the `keymgr` in Earl Grey with `keymgr_dpe` to
implement the DICE Protected Environment (DPE) extension, which
enables Key Manager to handle a multi-branch key derivation tree
with independent secrets stored in parallel hardware slots.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit encompass all autogenerated code from the previous
commit. This commit should be squashed before the merge.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
The creator / owner seed for the `keymgr_dpe` can be provided by
the  `flash` or the `otp`. The source is defined by a newly introduced
toplevel parameter.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit removes all countermeasures targeting modules from the original `keymgr`.
The `./ci/scripts/check-countermeasures.sh earlgrey`script does not recognize cross
ip countermeasures. These countermeasures must be re-enabled once the `keymgr` is
deprecated and all relevant modules are mitgrated to the `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Change all the dependencies in the build-system from the
deprecated `keymgr` to `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
…em further up)

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit disables all tests that are failing due to the `keymgr_dpe`
migration. All of the excluded tests contain references to the old `keymgr`,
which need to be updated.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
First draft for the `keymgr_dpe` functest which tests the basic
functionality of the keymgr_dpe driver.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
…eep`

Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Replace all occurrence of `keymgr` with their respective counterpart
from `keymgr_dpe`.

Currently this test does not end successfully, however the same error
appears in the nightly build too.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Signed-off-by: Raphael Roth <rroth@lowrisc.org>
…estplan`

Replace the `keymgr_testplan` with the `keymgr_dpe_testplan`. Temporarily disable all `crypto`
tests as the library is not updated yet. Remove the `chip_sw_keymgr_derive_attestation` and the
`chip_sw_keymgr_derive_sealing` as these tests cannot be ported directly. In the future, these
tests should be included again as soon as a suitable replacement test is written.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Signed-off-by: Raphael Roth <rroth@lowrisc.org>
@rroth-lowrisc rroth-lowrisc force-pushed the keymgr_dpe_PR9_top_integration branch from e5af58b to a4efea8 Compare July 13, 2026 07:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant