-
Notifications
You must be signed in to change notification settings - Fork 804
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[signing] Support SPX signing with
hsmtool
1. Enhance the signing rules to use the spx signing commands added to hsmtool. 2. Change the PKCS#11 provider from sc-hsm-embedded to opensc. - sc-hsm-embedded supports RSA3072 and ECDSA P256 signatures, but does not support CKO_DATA objects. - opensc supports ECDSA P256 signatures and CKO_DATA objects, but does not support RSA3072 signatures. We no longer use RSA3072 signatures for signing code; we _can_ use CKO_DATA objects to hold SPX keys for signing. Signed-off-by: Chris Frantz <cfrantz@google.com>
- Loading branch information
Showing
4 changed files
with
104 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
# Copyright lowRISC contributors (OpenTitan project). | ||
# Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
load("@rules_foreign_cc//foreign_cc:configure.bzl", "configure_make") | ||
|
||
package(default_visibility = ["//visibility:public"]) | ||
|
||
filegroup( | ||
name = "all_srcs", | ||
srcs = glob(["**"]), | ||
) | ||
|
||
configure_make( | ||
name = "opensc", | ||
args = ["-j"], | ||
autoreconf = True, | ||
autoreconf_options = ["-fi"], | ||
configure_in_place = True, | ||
configure_options = [ | ||
# Lie about the completions dir so that "make install" won't get | ||
# confused about what is already installed on the host. | ||
# This doesn't affect the build, as the installation happens in | ||
# a bazel-supplied target directory, but it does prevent make from | ||
# seeing the system's `/usr/share/bash-completion/completions` | ||
# directory and complaining that it will be unable to install there. | ||
"--with-completiondir=xxx-completions", | ||
], | ||
lib_source = ":all_srcs", | ||
out_shared_libs = [ | ||
# It would be nice to configure this package to build `opensc-pkcs11.so` | ||
# as a shared object that statically links `libopensc`, but I don't see | ||
# a way to do that via the configure script. Users of this library | ||
# will have to set LD_LIBRARY_PATH appropriately to see the needed | ||
# shared libraries (e.g. `//signing/tokens:nitrokey`). | ||
"libopensc.so", | ||
"libopensc.so.12", | ||
"opensc-pkcs11.so", | ||
], | ||
) | ||
|
||
filegroup( | ||
name = "gen_dir", | ||
srcs = [":opensc"], | ||
output_group = "gen_dir", | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters