[crypto] binary blob: add compilation rule

Add a custom compilation rule in bazel that compiles crypto into a
binary blob and include this blob into libotcrypto. This library can then
be used for an application and allows to perform a self-integrity check
on the binary blob.

Try it out via ./bazelisk build //sw/device/lib/crypto:cryptolib
--config=fips_all

Also added two rules to get the elf or dis of the cryptolib in this
mode.

With thanks to Elieva Pignat <elievap@google.com>

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>

Author: siemen11

rules/opentitan/cc.bzl

@@ -237,6 +237,227 @@ def _build_binary(ctx, exec_env, name, deps, kind):
     )
     return provides, signed
 
+def _opentitan_binary_blob(ctx):
+    """
+    Create a library containing the library as a binary blob and a parser to
+    this binary blob. The following steps are done to create the final library:
+    - Generate jump table and its parser from public header files and a linker
+      script for the creation of the binary blob
+    - Compile the jump table with the library and create an executable
+      from it using the linker script
+    - Extract the binary from the executable (the last bytes can contain the hash
+    - Compute the hash of the binary file and replace its last bytes by the hash
+    - Create a c file that contain the binary blob as an array
+    - Compile the parser and the binary blob array
+    - Create the library
+    """
+
+    # Name for the files generated by this rule
+    name_jump_table_c = ctx.attr.name + "_jump_table.c"
+    name_jump_table_h = ctx.attr.name + "_jump_table.h"
+    name_lib_parser = ctx.attr.name + "_lib_parser.c"
+    name_linker_script = ctx.attr.name + "_linker_script.ld"
+    name_elf = ctx.attr.name + ".elf"
+    name_bin = ctx.attr.name + ".bin"
+    name_sha = ctx.attr.name + ".sha384"
+    name_bin_sha = ctx.attr.name + "_sha384.bin"
+    name_blob = ctx.attr.name + "_blob.c"
+    name_library = ctx.attr.name + ".a"
+
+    deps_blob = ctx.attr.deps_blob
+    deps_lib = ctx.attr.deps
+
+    cc_toolchain = find_cc_toolchain(ctx)
+
+    # Declare output files generated by generate_jump_table.py.
+    linker_script = ctx.actions.declare_file(name_linker_script)
+    jump_table_c = ctx.actions.declare_file(name_jump_table_c)
+    jump_table_h = ctx.actions.declare_file(name_jump_table_h)
+    lib_parser_c = ctx.actions.declare_file(name_lib_parser)
+
+    # Prepare the arguments for generate_jump_table.py
+    extra_args = []
+    if ctx.attr.pic:
+        extra_args.append("--pic")
+
+    if len(ctx.files.config) == 1:
+        extra_args.append("--config={}".format(ctx.files.config[0].path))
+
+    header = ctx.attr.header
+    header_list = [h for head in ctx.attr.header for h in head.files.to_list()]
+    address = ctx.var.get("ADDRESS", "0")
+
+    # Generate jump table and parser files from public headers
+    ctx.actions.run(
+        outputs = [linker_script, jump_table_c, jump_table_h, lib_parser_c],
+        inputs = header_list + ctx.files.config,
+        arguments = [
+            "--binary_blob",
+            "--address={}".format(address),
+            "--out-dir={}".format(jump_table_c.dirname),
+            "--prefix={}".format(ctx.attr.name),
+        ] + extra_args + [h.path for h in header_list],
+        executable = ctx.executable._generate_jump_table,
+    )
+
+    features = cc_common.configure_features(
+        ctx = ctx,
+        cc_toolchain = cc_toolchain,
+        requested_features = ctx.features,
+        unsupported_features = ctx.disabled_features,
+    )
+
+    compilation_contexts = [
+        dep_blob[CcInfo].compilation_context
+        for dep_blob in deps_blob
+    ]
+
+    # Compile the jump table and include it to libotcrypto library
+    hdrs = [jump_table_h]
+    srcs = [jump_table_c]
+    cctx, cout = cc_common.compile(
+        name = ctx.attr.name,
+        actions = ctx.actions,
+        feature_configuration = features,
+        cc_toolchain = cc_toolchain,
+        compilation_contexts = compilation_contexts,
+        srcs = srcs,
+        private_hdrs = hdrs,
+        user_compile_flags = ["-ffreestanding"] + _expand(ctx, "copts", ctx.attr.copts),
+        defines = _expand(ctx, "defines", ctx.attr.defines),
+        local_defines = _expand(ctx, "local_defines", ctx.attr.local_defines),
+        quote_includes = _expand(ctx, "includes", ctx.attr.includes),
+    )
+
+    linking_contexts = [
+        dep_blob[CcInfo].linking_context
+        for dep_blob in deps_blob
+    ]
+
+    # Add the linker script to the linking_contexts
+    linking_input = cc_common.create_linker_input(owner = ctx.label, additional_inputs = depset([linker_script]))
+    linking_contexts.append(cc_common.create_linking_context(linker_inputs = depset([linking_input])))
+    extra_linkopts = (ctx.attr.linkopts or [])
+
+    linkopts = [
+        "-static",
+        "-nostdlib",
+        "-nostartfiles",
+        "-Wl,-T{}".format(linker_script.path),
+    ] + _expand(ctx, "linkopts", extra_linkopts)
+
+    # Create an executable from the libotcrypto by using the linker script
+    elf_file = ctx.actions.declare_file(name_elf)
+    linking_outputs = cc_common.link(
+        name = name_elf,
+        actions = ctx.actions,
+        output_type = "executable",
+        feature_configuration = features,
+        cc_toolchain = cc_toolchain,
+        compilation_outputs = cout,
+        linking_contexts = linking_contexts,
+        user_link_flags = linkopts,
+    )
+
+    # Create a disassembly file from the elf file
+    dis_file = obj_disassemble(
+        ctx,
+        name = ctx.attr.name,
+        src = linking_outputs.executable,
+    )
+
+    # Extract the binary from the elf file
+    binary_file = ctx.actions.declare_file(name_bin)
+    ctx.actions.run(
+        outputs = [binary_file],
+        inputs = [elf_file],
+        executable = ctx.executable._riscv32_objcopy,
+        arguments = ["-O", "binary", elf_file.path, binary_file.path],
+        use_default_shell_env = True,
+    )
+
+    # Compute the hash of the binary file
+    hash_file = ctx.actions.declare_file(name_sha)
+    ctx.actions.run_shell(
+        inputs = [binary_file],
+        outputs = [hash_file],
+        # Remove the last 48 bytes (the hash table) before computing the hash
+        command = "head -c -48 {} | sha384sum | awk '{{print $1}}' |  xxd -r -p  > {}".format(binary_file.path, hash_file.path),
+    )
+
+    # Compute the hash of the binary file
+    binary_hash_file = ctx.actions.declare_file(name_bin_sha)
+    ctx.actions.run_shell(
+        inputs = [binary_file, hash_file],
+        outputs = [binary_hash_file],
+        # Replace the last 48 bytes by the hash
+        command = "head -c -48 {} > {} && cat {} >> {}".format(binary_file.path, binary_hash_file.path, hash_file.path, binary_hash_file.path),
+    )
+
+    # Generate a C file that contain an array (blob) of the binary file content
+    blob_file = ctx.actions.declare_file(name_blob)
+    ctx.actions.run_shell(
+        inputs = [binary_hash_file],
+        outputs = [blob_file],
+        command = "xxd -i -n blob {} | sed 's/unsigned char/const unsigned char __attribute__((section (\".text.blob\"), aligned(4)))/' > {}"
+            .format(binary_hash_file.path, blob_file.path),
+    )
+
+    # Creation of the library that contains the binary blob and lib_parser.c
+    # to be able to parse it
+    srcs_lib = [blob_file, lib_parser_c]
+    hdrs_lib = ctx.files.hdrs + [jump_table_h] + header_list
+    compilation_contexts = [
+        dep_lib[CcInfo].compilation_context
+        for dep_lib in deps_lib
+    ]
+
+    (ctx_object, objects) = cc_common.compile(
+        name = ctx.attr.name,
+        actions = ctx.actions,
+        feature_configuration = features,
+        cc_toolchain = cc_toolchain,
+        compilation_contexts = compilation_contexts,
+        srcs = srcs_lib,
+        private_hdrs = hdrs_lib,
+        user_compile_flags = _expand(ctx, "copts", ctx.attr.copts),
+        defines = _expand(ctx, "defines", ctx.attr.defines),
+        local_defines = _expand(ctx, "local_defines", ctx.attr.local_defines),
+        quote_includes = _expand(ctx, "includes", ctx.attr.includes),
+    )
+
+    # Create a library from it
+    object_files = objects.objects
+    library_file = ctx.actions.declare_file(name_library)
+    ctx.actions.run(
+        inputs = object_files,
+        outputs = [library_file],
+        executable = ctx.executable._riscv32_ar,
+        arguments = ["rcs", library_file.path] + [obj.path for obj in object_files],
+    )
+
+    return [
+        DefaultInfo(files = depset([library_file, dis_file, elf_file])),
+        OutputGroupInfo(
+            elf_file = depset([linking_outputs.executable]),
+            dis_file = depset([dis_file]),
+        ),
+        CcInfo(
+            # The context allows consumers to link against this library
+            linking_context = cc_common.create_linking_context(
+                linker_inputs = depset([cc_common.create_linker_input(
+                    owner = ctx.label,
+                    libraries = depset([cc_common.create_library_to_link(
+                        actions = ctx.actions,
+                        feature_configuration = features,
+                        cc_toolchain = cc_toolchain,
+                        static_library = library_file,
+                    )]),
+                )]),
+            ),
+        ),
+    ]
+
 def _opentitan_binary(ctx):
     providers = []
     default_info = []
@@ -361,6 +582,53 @@ common_binary_attrs = {
     ),
 }
 
+opentitan_binary_blob = rv_rule(
+    implementation = _opentitan_binary_blob,
+    attrs = dict(common_binary_attrs.items() + {
+        "hdrs": attr.label_list(
+            allow_files = True,
+            doc = "The list of header file requires for the creation of the library.",
+        ),
+        "header": attr.label_list(
+            allow_files = True,
+            doc = "Public header files to generate jump_table and parser.",
+        ),
+        "config": attr.label(
+            default = None,
+            allow_files = True,
+            doc = "File containing the functions to be included into the blob",
+        ),
+        "deps_blob": attr.label_list(
+            providers = [CcInfo],
+            doc = "The list of other libraries to be for the creation of the binary blob.",
+        ),
+        "pic": attr.bool(
+            default = False,
+            doc = "Indicate if the code is position independent ",
+        ),
+        "_cc_toolchain": attr.label(default = Label("@bazel_tools//tools/cpp:current_cc_toolchain")),
+        "_riscv32_objcopy": attr.label(
+            default = Label("@lowrisc_rv32imcb_toolchain//:bin/riscv32-unknown-elf-objcopy"),
+            allow_single_file = True,
+            executable = True,
+            cfg = "exec",
+        ),
+        "_riscv32_ar": attr.label(
+            default = Label("@lowrisc_rv32imcb_toolchain//:bin/riscv32-unknown-elf-ar"),
+            allow_single_file = True,
+            executable = True,
+            cfg = "exec",
+        ),
+        "_generate_jump_table": attr.label(
+            default = "//util:generate_jump_table",
+            executable = True,
+            cfg = "exec",
+        ),
+    }.items()),
+    fragments = ["cpp"],
+    toolchains = ["@rules_cc//cc:toolchain_type"],
+)
+
 opentitan_binary = rv_rule(
     implementation = _opentitan_binary,
     attrs = dict(common_binary_attrs.items() + {

rules/opentitan/defs.bzl

@@ -13,6 +13,7 @@ load(
 load(
     "@lowrisc_opentitan//rules/opentitan:cc.bzl",
     _opentitan_binary = "opentitan_binary",
+    _opentitan_binary_blob = "opentitan_binary_blob",
     _opentitan_test = "opentitan_test",
 )
 load(
@@ -76,6 +77,7 @@ OPENTITAN_PLATFORM = _OPENTITAN_PLATFORM
 opentitan_transition = _opentitan_transition
 
 opentitan_binary = _opentitan_binary
+opentitan_binary_blob = _opentitan_binary_blob
 fpga_cw305 = _fpga_cw305
 fpga_cw310 = _fpga_cw310
 fpga_cw340 = _fpga_cw340

sw/device/lib/crypto/BUILD

@@ -4,10 +4,11 @@
 
 package(default_visibility = ["//visibility:public"])
 
-load("//rules/opentitan:defs.bzl", "OPENTITAN_CPU")
+load("//rules/opentitan:defs.bzl", "OPENTITAN_CPU", "opentitan_binary_blob")
 load("//rules/opentitan:static_library.bzl", "ot_static_library")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
+load("//rules:linker.bzl", "ld_library")
 
 cc_library(
     name = "otcrypto_api",
@@ -45,13 +46,59 @@ cc_library(
     ],
 )
 
+opentitan_binary_blob(
+    name = "otcrypto_binary_blob_api",
+    config = select({
+        "//rules/configs:fips_all": "//rules/configs:fips_all.txt",
+        "//conditions:default": None,
+    }),
+    deps_blob = [
+        ":otcrypto_api",
+        "//sw/device/lib/crypto/include:crypto_hdrs",
+        "//sw/device/lib/base:memory",
+        "//sw/device/lib/runtime:log",
+    ],
+    # Public headers so generate_jump_table.py can parse them
+    header = [
+        "//sw/device/lib/crypto/include:aes.h",
+        "//sw/device/lib/crypto/include:aes_gcm.h",
+        "//sw/device/lib/crypto/include:drbg.h",
+        "//sw/device/lib/crypto/include:ecc_curve25519.h",
+        "//sw/device/lib/crypto/include:ecc_p256.h",
+        "//sw/device/lib/crypto/include:ecc_p384.h",
+        "//sw/device/lib/crypto/include:hkdf.h",
+        "//sw/device/lib/crypto/include:hmac.h",
+        "//sw/device/lib/crypto/include:kdf_ctr.h",
+        "//sw/device/lib/crypto/include:key_transport.h",
+        "//sw/device/lib/crypto/include:kmac.h",
+        "//sw/device/lib/crypto/include:kmac_kdf.h",
+        "//sw/device/lib/crypto/include:otcrypto.h",
+        "//sw/device/lib/crypto/include:rsa.h",
+        "//sw/device/lib/crypto/include:security_config.h",
+        "//sw/device/lib/crypto/include:sha2.h",
+        "//sw/device/lib/crypto/include:sha3.h",
+        "//sw/device/lib/crypto/include:x25519.h",
+    ],
+    linkopts = select({
+        "//rules/configs:pic": ["-mno-relax"],
+        "//conditions:default": [],
+    }),
+    pic = select({
+        "//rules/configs:pic": True,
+        "//conditions:default": False,
+    }),
+    deps = [
+        "//hw/top_earlgrey/sw/autogen:top_earlgrey",
+        "//sw/device/lib/crypto/include:crypto_hdrs",
+    ],
+)
+
 # Top-level cryptolib target.
 ot_static_library(
     name = "otcrypto",
     deps = select({
         "//rules/configs:type_static": [":otcrypto_api"],
-        # Only static type is supported for the moment
-        #"//rules/configs:type_binary_blob": [":otcrypto_binary_blob_api"],
+        "//rules/configs:type_binary_blob": [":otcrypto_binary_blob_api"],
         #"//rules/configs:type_relocatable": [":otcrypto_relocatable_api",],
         "//conditions:default": [],
     }),
@@ -105,3 +152,13 @@ pkg_tar(
     ],
     extension = "tar.xz",
 )
+
+filegroup(
+    name = "otcrypto_binary_blob_elf",
+    srcs = [":otcrypto_binary_blob_api"],
+)
+
+filegroup(
+    name = "otcrypto_binary_blob_dis",
+    srcs = [":otcrypto_binary_blob_api"],
+)