[hsm] Add support for Gem engine.

This commits enables the use of the gem engine with Thales HSMs. The
test infrastructure uses the `OTPROV_USE_GEM_ENGINE=true` enable it.

The token_init.sh script was moved under //config:token_init.sh. The
script is now called in prod mode, but restristed to only run certgen.

Signed-off-by: Miguel Osorio <miguelosorio@google.com>

Author: moidx

config/BUILD.bazel

@@ -8,5 +8,6 @@ filegroup(
     name = "deploy_script",
     srcs = [
         ":deploy.sh",
+        ":token_init.sh",
     ],
 )

config/dev/BUILD.bazel

@@ -6,9 +6,7 @@ package(default_visibility = ["//visibility:public"])
 
 filegroup(
     name = "deploy_config",
-    srcs = [
-        ":token_init.sh",
-    ] + glob(
+    srcs = glob(
         [
             "env/**",
             "certs/**",

config/dev/token_init.sh

@@ -34,3 +34,13 @@ export HSMTOOL_MODULE=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
 export HSMTOOL_USER="user"
 export HSMTOOL_TOKEN="${SPM_HSM_TOKEN_SPM}"
 export HSMTOOL_PIN="${SPM_HSM_PIN_USER}"
+
+# `openssl` PKCS11 engine support.
+# In production environments, this flag needs to be set to "true" to support
+# generation of certificates with openssl and the target HSM.
+# The `SLOT` environment variables need to be set to the target HSM slot
+# numbers for offline and SPM instances.
+export OTPROV_USE_GEM_ENGINE=true
+export OTPROV_GEM_SLOT_OFFLINE=1
+export OTPROV_GEM_SLOT_SPM=0
+export OTPROV_GEM_SLOT_CERT_OPS="${OTPROV_GEM_SLOT_OFFLINE}"

config/prod/env/spm.env

@@ -0,0 +1,114 @@
+#!/bin/bash
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+if [[ -z "${CONFIG_SUBDIR}" ]]; then
+  echo "Error: CONFIG_SUBDIR environment variable is not set."
+  exit 1
+fi
+
+CONFIG_DIR="${OPENTITAN_VAR_DIR}/config/${CONFIG_SUBDIR}"
+
+source "${CONFIG_DIR}/env/spm.env"
+
+export HSMTOOL_BIN="${OPENTITAN_VAR_DIR}/bin/hsmtool"
+
+# Check token initialization dependencies.
+if [ -z "${OPENTITAN_VAR_DIR}" ]; then
+  echo "Error: OPENTITAN_VAR_DIR environment variable is not set."
+  return 1
+fi
+
+if [ ! -d "${OPENTITAN_VAR_DIR}" ]; then
+  echo "Error: OPENTITAN_VAR_DIR directory '${OPENTITAN_VAR_DIR}' does not exist."
+  return 1
+fi
+
+if [ ! -x "${HSMTOOL_BIN}" ]; then
+  echo "Error: '${HSMTOOL_BIN}' is not executable or does not exist."
+  return 1
+fi
+
+function run_hsm_init() {
+  local init_script="$1"
+  local original_dir="$(pwd)"
+
+  trap 'cd "${original_dir}" || { echo "Error: Could not change back to original directory '${original_dir}'."; return 1; }' EXIT
+
+  if [ ! -f "${init_script}" ]; then
+    echo "Error: File '${init_script}' does not exist."
+    return 1
+  fi
+
+  local file_dir="$(dirname "${init_script}")"
+
+  cd "${file_dir}" || {
+    echo "Error: Could not change directory to '${init_script}'."
+    return 1
+  }
+
+  shift
+
+  echo "Running HSM initialization script: ${init_script}"
+  "${init_script}" "$@"
+
+  cd "${original_dir}" || {
+    echo "Error: Could not change back to original directory '${original_dir}'."
+    return 1
+  }
+}
+
+if [[ "dev" == "${CONFIG_SUBDIR}" ]]; then
+  # Run the HSM initialization script for SPM.
+  run_hsm_init "${CONFIG_DIR}/spm/sku/spm_init.bash" \
+    -m "${HSMTOOL_MODULE}" \
+    -t "${SPM_HSM_TOKEN_SPM}" \
+    -s "${SOFTHSM2_CONF_SPM}" \
+    -p "${HSMTOOL_PIN}"
+
+  run_hsm_init "${CONFIG_DIR}/spm/sku/spm_export.bash" \
+    -m "${HSMTOOL_MODULE}" \
+    -t "${SPM_HSM_TOKEN_SPM}" \
+    -s "${SOFTHSM2_CONF_SPM}" \
+    -p "${HSMTOOL_PIN}" \
+    -o "${CONFIG_DIR}/spm/sku/spm_hsm_init.tar.gz"
+
+  # Run the SKU initilization script in the offline HSM partition.
+  run_hsm_init "${CONFIG_DIR}/spm/sku/sival/offline_init.bash" \
+    -m "${HSMTOOL_MODULE}" \
+    -t "${SPM_HSM_TOKEN_OFFLINE}" \
+    -s "${SOFTHSM2_CONF_OFFLINE}" \
+    -p "${HSMTOOL_PIN}"
+
+  run_hsm_init "${CONFIG_DIR}/spm/sku/sival/offline_export.bash" \
+    -m "${HSMTOOL_MODULE}" \
+    -t "${SPM_HSM_TOKEN_OFFLINE}" \
+    -s "${SOFTHSM2_CONF_OFFLINE}" \
+    -p "${HSMTOOL_PIN}" \
+    -i "${CONFIG_DIR}/spm/sku/spm_hsm_init.tar.gz" \
+    -o "${CONFIG_DIR}/spm/sku/sival/hsm_offline_init.tar.gz"
+
+  # Run the SKU initialization script in the SPM partition.
+  run_hsm_init "${CONFIG_DIR}/spm/sku/sival/spm_sku_init.bash" \
+    -m "${HSMTOOL_MODULE}" \
+    -t "${SPM_HSM_TOKEN_SPM}" \
+    -s "${SOFTHSM2_CONF_SPM}" \
+    -p "${HSMTOOL_PIN}" \
+    -i "${CONFIG_DIR}/spm/sku/sival/hsm_offline_init.tar.gz" \
+    -o "${CONFIG_DIR}/spm/sku/sival/hsm_sival_sku.tar.gz"
+else
+  # In production, we only run the offline export script with the -c flag
+  # to generate the CA certificates. The -s flag is not used here.
+  run_hsm_init "${CONFIG_DIR}/spm/sku/sival/offline_export.bash" \
+    -m "${HSMTOOL_MODULE}" \
+    -t "${SPM_HSM_TOKEN_OFFLINE}" \
+    -s "${SOFTHSM2_CONF_OFFLINE}" \
+    -p "${HSMTOOL_PIN}" \
+    -o "${CONFIG_DIR}/spm/sku/sival/hsm_offline_init.tar.gz" \
+    -c
+fi
+
+echo "HSM initialization complete."

config/token_init.sh

@@ -103,7 +103,7 @@ The following command initializes the keys in the HSM for test purposes.
 > step.
 
 ```console
-$ config/dev/token_init.sh
+$ config/token_init.sh
 ```
 
 ### Start SPM Server