Enable ML-KEM key change in TLS handshake between gRPC server/clients

.github/workflows/main.yml

@@ -58,7 +58,11 @@ jobs:
       # above is not sufficient on self hosted runners.
       - name: Initialize LFS objects
         run: git lfs pull
+      - name: Run provisioning appliance load test
+        run: OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./integration/run_pa_loadtest.sh --prod
+      - name: Run TLS test
+        run: OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./integration/run_tls_test.sh --prod
       - name: Run integration tests (SoftHSM2)
-        run: OT_PROV_ORCHESTRATOR_PATH="${OT_PROV_ORCHESTRATOR_PATH}" OT_PROV_ORCHESTRATOR_UNPACK="${OT_PROV_ORCHESTRATOR_UNPACK}" OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./run_integration_tests.sh
+        run: OT_PROV_ORCHESTRATOR_PATH="${OT_PROV_ORCHESTRATOR_PATH}" OT_PROV_ORCHESTRATOR_UNPACK="${OT_PROV_ORCHESTRATOR_UNPACK}" OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./integration/run_ate_tests.sh
       - name: Run integration tests (Thales HSM)
-        run: OT_PROV_ORCHESTRATOR_PATH="${OT_PROV_ORCHESTRATOR_PATH}" OT_PROV_ORCHESTRATOR_UNPACK="${OT_PROV_ORCHESTRATOR_UNPACK}" OPENTITAN_VAR_DIR=$(pwd)/.otvar-prod ./run_integration_tests.sh --prod
+        run: OT_PROV_ORCHESTRATOR_PATH="${OT_PROV_ORCHESTRATOR_PATH}" OT_PROV_ORCHESTRATOR_UNPACK="${OT_PROV_ORCHESTRATOR_UNPACK}" OPENTITAN_VAR_DIR=$(pwd)/.otvar-prod ./integration/run_ate_tests.sh --prod

MODULE.bazel

@@ -8,22 +8,25 @@ module(name = "lowrisc_opentitan_provisioning")
 # Standard Libraries & Utilities
 # -------------------------------------------------------------------------
 
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "com_google_absl")
+bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.1", repo_name = "com_google_absl")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1", repo_name = "com_google_googletest")
+bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_google_googletest")
 bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "re2", version = "2023-09-01", repo_name = "com_googlesource_code_re2")
+bazel_dep(name = "re2", version = "2024-07-02", repo_name = "com_googlesource_code_re2")
 bazel_dep(name = "upb", version = "0.0.0-20230907-e7430e6")
 
 # -------------------------------------------------------------------------
 # Build Rules
 # -------------------------------------------------------------------------
 
 bazel_dep(name = "rules_apple", version = "3.16.1")
+bazel_dep(name = "rules_swift", version = "2.1.1", repo_name = "build_bazel_rules_swift")
 bazel_dep(name = "rules_cc", version = "0.1.2")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_proto", version = "7.0.2")
 
+bazel_dep(name = "aspect_rules_lint", version = "1.0.8")
+
 bazel_dep(name = "rules_foreign_cc", version = "0.9.0")
 single_version_override(
     module_name = "rules_foreign_cc",
@@ -35,17 +38,30 @@ single_version_override(
 # -------------------------------------------------------------------------
 
 bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
+bazel_dep(name = "protoc-gen-validate", version = "1.0.4.bcr.2")
 
-bazel_dep(name = "grpc", version = "1.66.0.bcr.3", repo_name = "com_github_grpc_grpc")
+# Use a modern gRPC (compatible with Protobuf 27+)
+bazel_dep(name = "grpc", version = "1.68.0", repo_name = "com_github_grpc_grpc")
 single_version_override(
     module_name = "grpc",
     patch_strip = 0,
     patches = [
         "third_party/google/grpc_windows_config_setting.patch",
         "third_party/google/grpc_windows_endpoint_fix.patch",
+        "third_party/google/grpc_force_mlkem.patch",
     ],
 )
 
+bazel_dep(name = "boringssl")
+archive_override(
+    module_name = "boringssl",
+    integrity = "sha256-dHR3G61xqu8ZpYuovGGINHZ7VxPMPEean1AquU74k5E=",
+    patch_strip = 0,
+    patches = ["third_party/google/boringssl_mingw_fix.patch"],
+    strip_prefix = "boringssl-0.20241024.0",
+    urls = ["https://github.com/google/boringssl/releases/download/0.20241024.0/boringssl-0.20241024.0.tar.gz"],
+)
+
 # -------------------------------------------------------------------------
 # OpenTitan Project
 # -------------------------------------------------------------------------

README.md

@@ -63,7 +63,8 @@ $ bazelisk test //...
 To run integration test cases:
 
 ```console
-$ ./run_integration_tests.sh
+$ ./integration/run_pa_loadtest.sh
+$ ./integration/run_ate_tests.sh
 ```
 
 To format the code before submitting changes:

config/containers/provapp.yml.tmpl

@@ -15,6 +15,7 @@ spec:
   - name: paserver-1
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -39,6 +40,7 @@ spec:
   - name: paserver-2
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -63,6 +65,7 @@ spec:
   - name: paserver-3
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -87,6 +90,7 @@ spec:
   - name: pbserver
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pb-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pb-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem

docs/deployment.md

@@ -197,5 +197,5 @@ The following steps can be used to test the install from a development environme
 #   is required.
 # * --prod: Builds and deploys the test environment using the test configuration.
 #   This involves connecting to a physical HSM.
-FPGA=skip ./run_integration_tests.sh
+./integration/run_pa_loadtest.sh
 ```

docs/spm.md

@@ -40,7 +40,7 @@ The following section describes how to run the SPM server in development mode.
 For SoftHSM2 initialization use `--local` option if more than one developer is
 using the system to avoid conflicts (no sudo is required).
 
-See `run_integration_tests.sh` for an example of how to configure and run
+See `integration/run_pa_loadtest.sh` for an example of how to configure and run
 the SPM and PA servers.
 
 ### Configure SoftHSM2

run_integration_tests.sh → integration/run_ate_tests.sh

@@ -9,26 +9,13 @@ set -e
 # in the background and still be able to run other commands in parallel.
 set -m
 
-# Build and deploy the provisioning infrastructure.
-source util/integration_test_setup.sh
+export ENABLE_MLKEM="true"
 
-SKU_NAMES="sival,cr01,pi01,ti01"
+# Ensure we are running from the repository root
+cd "$(dirname "$0")/.."
 
-# Run the PA loadtest.
-echo "Running PA loadtest ..."
-bazelisk run //src/pa:loadtest -- \
-   --ca_root_certs=${DEPLOYMENT_DIR}/certs/out/ca-cert.pem \
-   --client_cert="${DEPLOYMENT_DIR}/certs/out/ate-client-cert.pem" \
-   --client_key="${DEPLOYMENT_DIR}/certs/out/ate-client-key.pem" \
-   --enable_tls=true \
-   --hsm_so="${HSMTOOL_MODULE}" \
-   --pa_address="${OTPROV_DNS_PA}:${OTPROV_PORT_PA}" \
-   --parallel_clients=5 \
-   --sku_auth="test_password" \
-   --sku_names="${SKU_NAMES}" \
-   --spm_config_dir="${DEPLOYMENT_DIR}/spm" \
-   --total_duts=10
-echo "Done."
+# Build and deploy the provisioning infrastructure.
+source util/integration_test_setup.sh
 
 # Run the CP and FT flows (default to hyper340 since that is installed in CI).
 FPGA="${FPGA:-hyper340}"

integration/run_pa_loadtest.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+# Explicitly enable job control so that we can run the SPM server
+# in the background and still be able to run other commands in parallel.
+set -m
+
+# Ensure we are running from the repository root
+cd "$(dirname "$0")/.."
+
+# Build and deploy the provisioning infrastructure.
+source util/integration_test_setup.sh
+
+SKU_NAMES="sival,cr01,pi01,ti01"
+
+# Run the PA loadtest.
+echo "Running PA loadtest ..."
+bazelisk run //src/pa:loadtest -- \
+   --ca_root_certs=${DEPLOYMENT_DIR}/certs/out/ca-cert.pem \
+   --client_cert="${DEPLOYMENT_DIR}/certs/out/ate-client-cert.pem" \
+   --client_key="${DEPLOYMENT_DIR}/certs/out/ate-client-key.pem" \
+   --enable_tls=true \
+   --hsm_so="${HSMTOOL_MODULE}" \
+   --pa_address="${OTPROV_DNS_PA}:${OTPROV_PORT_PA}" \
+   --parallel_clients=5 \
+   --sku_auth="test_password" \
+   --sku_names="${SKU_NAMES}" \
+   --spm_config_dir="${DEPLOYMENT_DIR}/spm" \
+   --total_duts=10
+echo "Done."
+

integration/run_tls_test.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+# Explicitly enable job control so that we can run the SPM server
+# in the background and still be able to run other commands in parallel.
+set -m
+
+export ENABLE_MLKEM="true"
+
+# Ensure we are running from the repository root
+cd "$(dirname "$0")/.."
+
+# Build and deploy the provisioning infrastructure.
+source util/integration_test_setup.sh
+
+# Dump PA logs on failure
+dump_pa_logs() {
+  echo "----------------------------------------------------------------"
+  echo "Dumping PA logs (provapp-paserver-1)..."
+  podman logs provapp-paserver-1
+  echo "----------------------------------------------------------------"
+}
+trap dump_pa_logs ERR
+
+# Run the TLS connection test.
+echo "Running TLS connection test ..."
+bazelisk run //src/ate/test_programs:tls_test -- \
+  --enable_mtls=true \
+  --client_cert="${DEPLOYMENT_DIR}/certs/out/ate-client-cert.pem" \
+  --client_key="${DEPLOYMENT_DIR}/certs/out/ate-client-key.pem" \
+  --ca_root_certs=${DEPLOYMENT_DIR}/certs/out/ca-cert.pem \
+  --pa_target="ipv4:${OTPROV_IP_PA}:${OTPROV_PORT_PA}" \
+  --sku="sival" \
+  --sku_auth_pw="test_password"
+
+echo "Done."
+

src/ate/test_programs/BUILD.bazel

@@ -40,3 +40,17 @@ cc_binary(
         "@lowrisc_opentitan//sw/device/lib/dif:lc_ctrl",
     ],
 )
+
+cc_binary(
+    name = "tls_test",
+    srcs = ["tls_test.cc"],
+    deps = [
+        "//src/ate:ate_lib",
+        "//src/version",
+        "@com_google_absl//absl/flags:flag",
+        "@com_google_absl//absl/flags:parse",
+        "@com_google_absl//absl/log",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
+    ],
+)

src/ate/test_programs/tls_test.cc

@@ -0,0 +1,126 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include <grpcpp/grpcpp.h>
+
+#include <fstream>
+#include <iomanip>
+#include <iostream>
+#include <memory>
+#include <sstream>
+#include <string>
+
+#include "absl/flags/flag.h"
+#include "absl/flags/parse.h"
+#include "absl/flags/usage_config.h"
+#include "absl/log/log.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "src/ate/ate_api.h"
+#include "src/version/version.h"
+
+/**
+ * PA configuration flags.
+ */
+ABSL_FLAG(std::string, pa_target, "",
+          "Endpoint address in gRPC name-syntax format, including port "
+          "number. For example: \"localhost:5000\", "
+          "\"ipv4:127.0.0.1:5000,127.0.0.2:5000\", or "
+          "\"ipv6:[::1]:5000,[::1]:5001\".");
+ABSL_FLAG(std::string, load_balancing_policy, "",
+          "gRPC load balancing policy. If not set, it will be selected by "
+          "the gRPC library. For example: \"round_robin\" or "
+          "\"pick_first\".");
+ABSL_FLAG(std::string, sku, "", "SKU string to initialize the PA session.");
+ABSL_FLAG(std::string, sku_auth_pw, "",
+          "SKU authorization password string to initialize the PA session.");
+
+/**
+ * mTLS configuration flags.
+ */
+ABSL_FLAG(bool, enable_mtls, false, "Enable mTLS secure channel.");
+ABSL_FLAG(std::string, client_key, "",
+          "File path to the PEM encoding of the client's private key.");
+ABSL_FLAG(std::string, client_cert, "",
+          "File path to the PEM encoding of the  client's certificate chain.");
+ABSL_FLAG(std::string, ca_root_certs, "",
+          "File path to the PEM encoding of the server root certificates.");
+
+namespace {
+using provisioning::VersionFormatted;
+
+absl::StatusOr<ate_client_ptr> AteClientNew(void) {
+  client_options_t options;
+
+  std::string pa_target = absl::GetFlag(FLAGS_pa_target);
+  if (pa_target.empty()) {
+    return absl::InvalidArgumentError(
+        "--pa_target not set. This is a required argument.");
+  }
+  options.pa_target = pa_target.c_str();
+  options.enable_mtls = absl::GetFlag(FLAGS_enable_mtls);
+
+  std::string lb_policy = absl::GetFlag(FLAGS_load_balancing_policy);
+  options.load_balancing_policy = lb_policy.c_str();
+
+  std::string pem_private_key = absl::GetFlag(FLAGS_client_key);
+  std::string pem_cert_chain = absl::GetFlag(FLAGS_client_cert);
+  std::string pem_root_certs = absl::GetFlag(FLAGS_ca_root_certs);
+
+  if (options.enable_mtls) {
+    if (pem_private_key.empty() || pem_cert_chain.empty() ||
+        pem_root_certs.empty()) {
+      return absl::InvalidArgumentError(
+          "--client_key, --client_cert, and --ca_root_certs are required "
+          "arguments when --enable_mtls is set.");
+    }
+    options.pem_private_key = pem_private_key.c_str();
+    options.pem_cert_chain = pem_cert_chain.c_str();
+    options.pem_root_certs = pem_root_certs.c_str();
+  }
+
+  ate_client_ptr ate_client;
+  if (CreateClient(&ate_client, &options) != 0) {
+    return absl::InternalError("Failed to create ATE client.");
+  }
+  return ate_client;
+}
+
+}  // namespace
+
+int main(int argc, char **argv) {
+  // Parse cmd line args.
+  absl::FlagsUsageConfig config;
+  absl::SetFlagsUsageConfig(config);
+  absl::ParseCommandLine(argc, argv);
+
+  // Set version string.
+  config.version_string = &VersionFormatted;
+  LOG(INFO) << VersionFormatted();
+
+  // Instantiate an ATE client (gateway to PA).
+  auto ate_client_result = AteClientNew();
+  if (!ate_client_result.ok()) {
+    LOG(ERROR) << ate_client_result.status().message() << std::endl;
+    return -1;
+  }
+  ate_client_ptr ate_client = ate_client_result.value();
+
+  // Init session with PA.
+  if (InitSession(ate_client, absl::GetFlag(FLAGS_sku).c_str(),
+                  absl::GetFlag(FLAGS_sku_auth_pw).c_str()) != 0) {
+    LOG(ERROR) << "InitSession with PA failed.";
+    return -1;
+  }
+
+  LOG(INFO) << "TLS Connection to PA established successfully.";
+
+  // Close session with PA.
+  if (CloseSession(ate_client) != 0) {
+    LOG(ERROR) << "CloseSession with PA failed.";
+    return -1;
+  }
+  DestroyClient(ate_client);
+  return 0;
+}