Add support for MLKEM in grpc client and host libs

Update grpc to v1.68.0 and boringssl to support MLKEM.
Add flags for enable MLKEM TLS for clients and servers.
Patch gRPC to force MLKEM key exchange when enabled.

Signed-off-by: Willy Zhang <[email protected]>

Author: Willy Zhang

MODULE.bazel

@@ -27,15 +27,15 @@ register_toolchains("@llvm_toolchain_host//:all")
 # Dependencies
 # -------------------------------------------------------------------------
 
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "com_google_absl")
+bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.1", repo_name = "com_google_absl")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1", repo_name = "com_google_googletest")
-bazel_dep(name = "re2", version = "2023-09-01", repo_name = "com_googlesource_code_re2")
+bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_google_googletest")
+bazel_dep(name = "re2", version = "2024-07-02", repo_name = "com_googlesource_code_re2")
 bazel_dep(name = "platforms", version = "0.0.11")
 bazel_dep(name = "rules_cc", version = "0.1.2")
 bazel_dep(name = "rules_fuzzing", version = "0.5.2")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
-bazel_dep(name = "rules_proto", version = "6.0.2")
+bazel_dep(name = "rules_proto", version = "7.0.2")
 bazel_dep(name = "aspect_rules_lint", version = "1.0.8")
 bazel_dep(name = "rules_rust", version = "0.59.2")
 
@@ -73,19 +73,33 @@ http_archive(
     urls = ["https://github.com/inazarenko/protobuf-matchers/archive/7c8e15741bcea83db7819cc472c3e96301a95158.zip"],
 )
 
+bazel_dep(name = "protoc-gen-validate", version = "1.0.4.bcr.2")
+
 # Use a modern gRPC (compatible with Protobuf 27+)
-bazel_dep(name = "grpc", version = "1.66.0.bcr.3", repo_name = "com_github_grpc_grpc")
+bazel_dep(name = "grpc", version = "1.68.0", repo_name = "com_github_grpc_grpc")
+
+bazel_dep(name = "boringssl")
+archive_override(
+    module_name = "boringssl",
+    integrity = "sha256-dHR3G61xqu8ZpYuovGGINHZ7VxPMPEean1AquU74k5E=",
+    patch_strip = 0,
+    patches = ["third_party/google/boringssl_mingw_fix.patch"],
+    strip_prefix = "boringssl-0.20241024.0",
+    urls = ["https://github.com/google/boringssl/releases/download/0.20241024.0/boringssl-0.20241024.0.tar.gz"],
+)
+
 single_version_override(
     module_name = "grpc",
     patch_strip = 0,
     patches = [
         "third_party/google/grpc_windows_config_setting.patch",
         "third_party/google/grpc_windows_endpoint_fix.patch",
+        "third_party/google/grpc_force_mlkem.patch",
     ],
 )
 
 # Pin Protobuf explicitly to ensure sync
-bazel_dep(name = "protobuf", version = "27.3", repo_name = "com_google_protobuf")
+bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
 
 # Explicitly add upb (required by gRPC 1.66+ in Bzlmod)
 bazel_dep(name = "upb", version = "0.0.0-20230907-e7430e6")
@@ -95,8 +109,8 @@ single_version_override(
     version = "0.9.0",
 )
 
-bazel_dep(name = "rules_apple", version = "3.5.1", repo_name = "build_bazel_rules_apple")
-bazel_dep(name = "rules_swift", version = "1.18.0", repo_name = "build_bazel_rules_swift")
+bazel_dep(name = "rules_apple", version = "3.13.0", repo_name = "build_bazel_rules_apple")
+bazel_dep(name = "rules_swift", version = "2.1.1", repo_name = "build_bazel_rules_swift")
 
 # Go Toolchain: Used for Go code
 bazel_dep(name = "rules_go", version = "0.52.0", repo_name = "io_bazel_rules_go")

MODULE.bazel.lock

@@ -15,6 +15,7 @@ spec:
   - name: paserver-1
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -39,6 +40,7 @@ spec:
   - name: paserver-2
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -63,6 +65,7 @@ spec:
   - name: paserver-3
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -87,6 +90,7 @@ spec:
   - name: pbserver
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pb-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pb-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem

config/containers/provapp.yml.tmpl

@@ -9,6 +9,8 @@ set -e
 # in the background and still be able to run other commands in parallel.
 set -m
 
+export ENABLE_MLKEM="true"
+
 # Ensure we are running from the repository root
 cd "$(dirname "$0")/.."
 

integration/run_client_tests.sh

@@ -9,12 +9,23 @@ set -e
 # in the background and still be able to run other commands in parallel.
 set -m
 
+export ENABLE_MLKEM="true"
+
 # Ensure we are running from the repository root
 cd "$(dirname "$0")/.."
 
 # Build and deploy the provisioning infrastructure.
 source util/integration_test_setup.sh
 
+# Dump PA logs on failure
+dump_pa_logs() {
+  echo "----------------------------------------------------------------"
+  echo "Dumping PA logs (provapp-paserver-1)..."
+  podman logs provapp-paserver-1
+  echo "----------------------------------------------------------------"
+}
+trap dump_pa_logs ERR
+
 # Run the TLS connection test.
 echo "Running TLS connection test ..."
 bazelisk run //src/ate/test_programs:tls_test -- \

integration/run_tls_test.sh

@@ -113,7 +113,7 @@ int main(int argc, char **argv) {
     LOG(ERROR) << "InitSession with PA failed.";
     return -1;
   }
-  
+
   LOG(INFO) << "TLS Connection to PA established successfully.";
 
   // Close session with PA.

src/ate/test_programs/tls_test.cc

@@ -46,6 +46,7 @@ var (
 	clientKey       = flag.String("client_key", "", "File path to the PEM encoding of the client's private key")
 	configDir       = flag.String("spm_config_dir", "", "Path to the SKU configuration directory.")
 	enableTLS       = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM     = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	hsmSOLibPath    = flag.String("hsm_so", "", "File path to the HSM's PKCS#11 shared library.")
 	paAddress       = flag.String("pa_address", "", "the PA server address to connect to; required")
 	parallelClients = flag.Int("parallel_clients", 1, "The total number of clients to run concurrently")
@@ -89,7 +90,7 @@ type clientGroup struct {
 func (c *clientTask) setup(ctx context.Context, skuName string) error {
 	opts := []grpc.DialOption{grpc.WithBlock()}
 	if *enableTLS {
-		credentials, err := grpconn.LoadClientCredentials(*caRootCerts, *clientCert, *clientKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadClientCredentials(*caRootCerts, *clientCert, *clientKey)
 		if err != nil {
 			return err
 		}

src/pa/loadtest.go

@@ -28,6 +28,7 @@ var (
 	enableRegistry  = flag.Bool("enable_registry", false, "Enable connectivity to the Registry server; optional")
 	registryAddress = flag.String("registry_address", "", "the Registry (Buffer) server address to connect to; required")
 	enableTLS       = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM     = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	serviceKey      = flag.String("service_key", "", "File path to the PEM encoding of the server's private key")
 	serviceCert     = flag.String("service_cert", "", "File path to the PEM encoding of the server's certificate chain")
 	caRootCerts     = flag.String("ca_root_certs", "", "File path to the PEM encoding of the CA root certificates")
@@ -38,7 +39,7 @@ func startPAServer(spmClient pbs.SpmServiceClient) (*grpc.Server, error) {
 	opts := []grpc.ServerOption{}
 	auth_service.NewAuthControllerInstance(*enableTLS)
 	if *enableTLS {
-		credentials, err := grpconn.LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			return nil, err
 		}
@@ -55,7 +56,7 @@ func startPAServer(spmClient pbs.SpmServiceClient) (*grpc.Server, error) {
 func startSPMClient() (pbs.SpmServiceClient, error) {
 	opts := grpc.WithInsecure()
 	if *enableTLS {
-		credentials, err := grpconn.LoadClientCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadClientCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			return nil, err
 		}
@@ -102,7 +103,7 @@ func main() {
 			log.Fatalf("`registry_address` parameter missing")
 		}
 		log.Printf("starting Registry client at address: %q", *registryAddress)
-		err = rs.StartRegistryBuffer(*registryAddress, *enableTLS, *caRootCerts, *serviceCert, *serviceKey)
+		err = rs.StartRegistryBuffer(*registryAddress, *enableTLS, *enableMLKEM, *caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			log.Fatalf("failed to initialize Registry client: %v", err)
 		}

src/pa/pa_server.go

@@ -26,10 +26,10 @@ import (
 
 var registryClient proxybuffer.Registry
 
-func StartRegistryBuffer(registryBufferAddress string, enableTLS bool, caRootCerts string, serviceCert string, serviceKey string) error {
+func StartRegistryBuffer(registryBufferAddress string, enableTLS bool, enableMLKEM bool, caRootCerts string, serviceCert string, serviceKey string) error {
 	opts := grpc.WithInsecure()
 	if enableTLS {
-		credentials, err := grpconn.LoadClientCredentials(caRootCerts, serviceCert, serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: enableMLKEM}).LoadClientCredentials(caRootCerts, serviceCert, serviceKey)
 		if err != nil {
 			return err
 		}

src/pa/services/registry_shim/registry_shim.go

@@ -38,6 +38,7 @@ var (
 	syncerMaxRetriesPerRecord = flag.Int("syncer_max_retries_per_record", 5, "Number of times a record can be retried before it stops pb_server. Anything less than zero will not stop the service. Defaults to 5.")
 	// gRPC server
 	enableTLS   = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	serviceKey  = flag.String("service_key", "", "File path to the PEM encoding of the server's private key")
 	serviceCert = flag.String("service_cert", "", "File path to the PEM encoding of the server's certificate chain")
 	caRootCerts = flag.String("ca_root_certs", "", "File path to the PEM encoding of the CA root certificates")
@@ -94,7 +95,7 @@ func main() {
 
 	opts := []grpc.ServerOption{}
 	if *enableTLS {
-		credentials, err := grpconn.LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			log.Fatalf("Failed to load server credentials: %v", err)
 		}