diff --git a/signing/README.md b/signing/README.md index 64621ff1e7445..bf011c7a43ada 100644 --- a/signing/README.md +++ b/signing/README.md @@ -2,6 +2,8 @@ ## Configuration of NitroKeys +> The following configuration only works in the `earlgrey_es_sival` branch. + NitroKeys are a personal security token used to hold the signing keys for TEST and DEV devices. NitroKeys can be used to sign tests and binaries for devices in the TEST or DEV lifecycle states. @@ -29,6 +31,8 @@ mode to 600. ## Signing with a token +> The following configuration only works in the `earlgrey_es_sival` branch. + Once a profile configuration is in place, you can build binaries signed by the keyset by telling bazel that you want to use a token. @@ -184,7 +188,7 @@ instead of the real keys: ```console opentitantool \ - rsa sign \ + ecdsa sign \ --input= \ --output= \ @@ -196,7 +200,7 @@ Normally, in this step, the signatures created in the signing ceremony would be copied into the target directory. ```console -cp -f bazel-bin/signing/examples/*.sig signing/examples/signatures/ +cp -f bazel-bin/signing/examples/*sig signing/examples/signatures/ ``` ### Attach signatures producing final signed binaries diff --git a/signing/examples/BUILD b/signing/examples/BUILD index 0547cc6e65c7e..b308c4cabaff6 100644 --- a/signing/examples/BUILD +++ b/signing/examples/BUILD @@ -4,7 +4,7 @@ load( "//rules:signing.bzl", - "offline_fake_rsa_sign", + "offline_fake_ecdsa_sign", "offline_presigning_artifacts", "offline_signature_attach", ) @@ -18,31 +18,6 @@ offline_presigning_artifacts( srcs = [ "//sw/device/examples/hello_world", ], - manifest = "//sw/device/silicon_creator/rom_ext:manifest", - # To sign with real keys, replace the rsa_key with the label of a real - # key (e.g. //sw/device/silicon_creator/rom/keys/real/rsa:earlgrey_a0_test_0). - # This is left as a fake key so that the presigning artifacts will be - # appropriate for the `fake_sign` rule below. - rsa_key = { - "//sw/device/silicon_creator/rom/keys/fake/rsa:test_private_key_0": "fake_test_key_0", - }, - tags = ["manual"], -) - -pkg_tar( - name = "digests", - testonly = True, - srcs = [":presigning"], - mode = "0644", - tags = ["manual"], -) - -offline_presigning_artifacts( - name = "presigning_ecdsa", - testonly = True, - srcs = [ - "//sw/device/examples/hello_world", - ], # To sign with real keys, replace the ecdsa_key with the label of a real # key. # This is left as a fake key so that the presigning artifacts will be @@ -55,9 +30,9 @@ offline_presigning_artifacts( ) pkg_tar( - name = "digests_ecdsa", + name = "digests", testonly = True, - srcs = [":presigning_ecdsa"], + srcs = [":presigning"], mode = "0644", tags = ["manual"], ) @@ -66,12 +41,12 @@ pkg_tar( # that would normally be created by the offline signing operation. # These signatures can be copied into the `signatures` directory and attached # to the binaries to test the offline signing flow without an HSM operation. -offline_fake_rsa_sign( +offline_fake_ecdsa_sign( name = "fake", testonly = True, srcs = [":presigning"], - rsa_key = { - "//sw/device/silicon_creator/rom/keys/fake/rsa:test_private_key_0": "fake_test_key_0", + ecdsa_key = { + "//sw/device/silicon_creator/rom/keys/fake/ecdsa:test_key_0_ecdsa_p256": "fake_test_key_0", }, tags = ["manual"], ) @@ -82,8 +57,8 @@ offline_signature_attach( srcs = [ ":presigning", ], - rsa_signatures = [ - "//signing/examples/signatures:rsa_signatures", + ecdsa_signatures = [ + "//signing/examples/signatures:ecdsa_signatures", ], tags = ["manual"], ) diff --git a/signing/examples/signatures/BUILD b/signing/examples/signatures/BUILD index e228896bd0a5d..58a31b9e9b3fc 100644 --- a/signing/examples/signatures/BUILD +++ b/signing/examples/signatures/BUILD @@ -5,8 +5,8 @@ package(default_visibility = ["//visibility:public"]) filegroup( - name = "rsa_signatures", - srcs = glob(["*.rsa_sig"]), + name = "ecdsa_signatures", + srcs = glob(["*.ecdsa_sig"]), ) filegroup(