Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[spm] Make HSM assets configurable at the SKU level. #50

Merged
merged 2 commits into from
Feb 4, 2025
Merged

[spm] Make HSM assets configurable at the SKU level. #50

merged 2 commits into from
Feb 4, 2025

Conversation

moidx
Copy link
Collaborator

@moidx moidx commented Feb 4, 2025

Refactor the key loading mechanism so that the spm
only loads assets specific to the SKU configuration provided
at service instantiation.

The following SKU configuration settings are introduced in this change:

  • SymmetricKeys: List of keys of pk11.ClassSecretKey type.
  • PrivateKeys: List of keys of pk11.ClassPrivateKey type.
  • Certs: List of certificates, including root and intermediate CA
    certificates.

moidx added 2 commits February 3, 2025 21:06
@moidx
[cfg] Remove no longer used sku_tpm_2.yml.
c613e37 
This configuration file was used in older integration test cases. Remove
as it is no longer used.

Signed-off-by: Miguel Osorio <[email protected]>
@moidx
[spm] Make HSM assets configurable at the SKU level.
3e8351b 
Refactor the key loading mechanism so that the spm
only loads assets specific to the SKU configuration provided
at service instantiation.

The following SKU configuration settings are introduced in this change:

* `SymmetricKeys`: List of keys of `pk11.ClassSecretKey` type.
* `PrivateKeys`: List of keys of  `pk11.ClassPrivateKey` type.
* `Certs`: List of certificates, including root and intermediate CA
  certificates.

Signed-off-by: Miguel Osorio <[email protected]>
@moidx moidx requested a review from timothytrippel February 4, 2025 05:13
timothytrippel
timothytrippel approved these changes Feb 4, 2025
View reviewed changes
config/dev/spm/sku_sival.yml
rootCAPath: certs/NuvotonTPMRootCA0200.cer
symmetricKeys:
- name: "HighSecKdfSeed"
- name: "LowSecKdfSeed"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I presume in a follow up you will load the Root CA, DICE ICA, and SKU-specific CA keys for this sku too?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I will do it in the same PR that enables loadtest for EndorseCerts.

@moidx moidx merged commit 3e36a9a into lowRISC:main Feb 4, 2025
4 checks passed
@moidx moidx deleted the spm-updates branch February 4, 2025 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timothytrippel timothytrippel timothytrippel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@moidx @timothytrippel