[crypto] Cryptolib binary blob

.bazelrc

@@ -92,6 +92,12 @@ build:clang_tidy_fix --aspects rules/quality.bzl%clang_tidy_fix_aspect
 build:clang_tidy_fix --output_groups=clang_tidy
 build:clang_tidy_fix --spawn_strategy=local
 
+# The configuration of the crypto library.
+# The development is the default version which allows for static libraries.
+# The fips version is one which is position independent code, as a binary blob, calculating a hash across its boundary.
+common:dev --//rules/configs:pic_flag=False --//rules/configs:hashed_flag=False --//rules/configs:type_flag="static"  --//rules/configs:config_flag="dev"
+common:fips_all --//rules/configs:pic_flag=True --//rules/configs:hashed_flag=True --//rules/configs:type_flag="binary_blob" --//rules/configs:config_flag="fips_all"
+
 # AddressSanitizer (ASan) catches runtime out-of-bounds accesses to globals, the
 # stack, and (less importantly for OpenTitan) the heap. ASan instruments
 # programs at compile time and also requires a runtime library.

rules/configs/BUILD

@@ -0,0 +1,89 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@bazel_skylib//rules:common_settings.bzl", "bool_flag", "string_flag")
+
+package(default_visibility = ["//visibility:public"])
+
+exports_files(["fips_all.txt"])
+
+config_setting(
+    name = "pic",
+    flag_values = {
+        ":pic_flag": "True",
+    },
+)
+
+config_setting(
+    name = "hashed",
+    flag_values = {
+        ":hashed_flag": "True",
+    },
+)
+
+config_setting(
+    name = "type_static",
+    flag_values = {
+        ":type_flag": "static",
+    },
+)
+
+config_setting(
+    name = "type_binary_blob",
+    flag_values = {
+        ":type_flag": "binary_blob",
+    },
+)
+
+config_setting(
+    name = "type_relocatable",
+    flag_values = {
+        ":type_flag": "relocatable",
+    },
+)
+
+config_setting(
+    name = "fips_all",
+    flag_values = {
+        ":config_flag": "fips_all",
+    },
+)
+
+# Enable compilation of position-independent code
+bool_flag(
+    name = "pic_flag",
+    build_setting_default = False,
+)
+
+# Indicate how crypto API should be compiled:
+#    - static: using cc_library rule
+#    - binary_blob: using opentitan_binary_blob rule which create a binary blob
+#        and provide it in a byte array.
+#    - relocatable: using opentitan_relocatable rule which create a relocatable
+#        library.
+string_flag(
+    name = "type_flag",
+    build_setting_default = "static",
+    values = [
+        "static",
+        "binary_blob",
+        "relocatable",
+    ],
+)
+
+# Enable the self-integration check (hash) of the library.
+# Note: not compatible with type_static
+bool_flag(
+    name = "hashed_flag",
+    build_setting_default = False,
+)
+
+string_flag(
+    name = "config_flag",
+    build_setting_default = "dev",
+    values = [
+        "dev",
+        "fips_all",
+    ],
+)

rules/configs/fips_all.txt

@@ -0,0 +1,126 @@
+otcrypto_aes_gcm_encrypt
+otcrypto_aes_gcm_decrypt
+otcrypto_aes_gcm_encrypt_init
+otcrypto_aes_gcm_decrypt_init
+otcrypto_aes_gcm_update_aad
+otcrypto_aes_gcm_update_encrypted_data
+otcrypto_aes_gcm_encrypt_final
+otcrypto_aes_gcm_decrypt_final
+otcrypto_aes_padded_plaintext_length
+otcrypto_aes_impl
+otcrypto_aes
+otcrypto_build_info
+otcrypto_drbg_instantiate
+otcrypto_drbg_reseed
+otcrypto_drbg_manual_instantiate
+otcrypto_drbg_manual_reseed
+otcrypto_drbg_generate
+otcrypto_drbg_manual_generate
+otcrypto_drbg_uninstantiate
+otcrypto_ed25519_keygen
+otcrypto_ed25519_sign
+otcrypto_ed25519_verify
+otcrypto_ed25519_keygen_async_start
+otcrypto_ed25519_keygen_async_finalize
+otcrypto_ed25519_sign_part1_async_start
+otcrypto_ed25519_sign_part2_async_start
+otcrypto_ed25519_sign_async_finalize
+otcrypto_ed25519_verify_async_start
+otcrypto_ed25519_verify_async_finalize
+otcrypto_ecdsa_p256_keygen
+otcrypto_ecdsa_p256_sign_config_k
+otcrypto_ecdsa_p256_sign
+otcrypto_ecdsa_p256_verify
+otcrypto_ecdsa_p256_sign_verify
+otcrypto_ecdh_p256_keygen
+otcrypto_ecdh_p256
+otcrypto_p256_point_on_curve
+otcrypto_ecdsa_p256_keygen_async_start
+otcrypto_ecdsa_p256_keygen_async_finalize
+otcrypto_ecdsa_p256_sign_config_k_async_start
+otcrypto_ecdsa_p256_sign_async_start
+otcrypto_ecdsa_p256_sign_async_finalize
+otcrypto_ecdsa_p256_verify_async_start
+otcrypto_ecdsa_p256_verify_async_finalize
+otcrypto_ecdh_p256_keygen_async_start
+otcrypto_ecdh_p256_keygen_async_finalize
+otcrypto_ecdh_p256_async_start
+otcrypto_ecdh_p256_async_finalize
+otcrypto_ecc_p256_public_key_import
+otcrypto_ecc_p256_public_key_export
+otcrypto_ecc_p256_private_key_import
+otcrypto_ecc_p256_private_key_export
+otcrypto_ecdsa_p384_keygen_async_start
+otcrypto_ecdsa_p384_keygen
+otcrypto_ecdsa_p384_sign_config_k
+otcrypto_ecdsa_p384_sign
+otcrypto_ecdsa_p384_verify
+otcrypto_ecdsa_p384_sign_verify
+otcrypto_ecdh_p384_keygen
+otcrypto_ecdh_p384
+otcrypto_p384_point_on_curve
+otcrypto_ecdsa_p384_keygen_async_finalize
+otcrypto_ecdsa_p384_sign_config_k_async_start
+otcrypto_ecdsa_p384_sign_async_start
+otcrypto_ecdsa_p384_sign_async_finalize
+otcrypto_ecdsa_p384_verify_async_start
+otcrypto_ecdsa_p384_verify_async_finalize
+otcrypto_ecdh_p384_keygen_async_start
+otcrypto_ecdh_p384_keygen_async_finalize
+otcrypto_ecdh_p384_async_start
+otcrypto_ecdh_p384_async_finalize
+otcrypto_ecc_p384_public_key_import
+otcrypto_ecc_p384_public_key_export
+otcrypto_ecc_p384_private_key_import
+otcrypto_ecc_p384_private_key_export
+otcrypto_hkdf
+otcrypto_hkdf_extract
+otcrypto_hkdf_expand
+otcrypto_hmac
+otcrypto_hmac_init
+otcrypto_hmac_update
+otcrypto_hmac_final
+otcrypto_kdf_ctr_hmac
+otcrypto_symmetric_keygen
+otcrypto_hw_backed_key
+otcrypto_wrapped_key_len
+otcrypto_key_wrap
+otcrypto_key_unwrap
+otcrypto_import_blinded_key
+otcrypto_export_blinded_key
+otcrypto_kmac_kdf
+otcrypto_kmac
+otcrypto_rsa_public_key_construct
+otcrypto_rsa_keygen_async_start
+otcrypto_rsa_keygen
+otcrypto_rsa_private_key_from_exponents
+otcrypto_rsa_keypair_from_cofactor
+otcrypto_rsa_sign
+otcrypto_rsa_verify
+otcrypto_rsa_encrypt
+otcrypto_rsa_decrypt
+otcrypto_rsa_keygen_async_finalize
+otcrypto_rsa_keypair_from_cofactor_async_start
+otcrypto_rsa_keypair_from_cofactor_async_finalize
+otcrypto_rsa_sign_async_start
+otcrypto_rsa_sign_async_finalize
+otcrypto_rsa_verify_async_start
+otcrypto_rsa_verify_async_finalize
+otcrypto_rsa_encrypt_async_start
+otcrypto_rsa_encrypt_async_finalize
+otcrypto_rsa_decrypt_async_start
+otcrypto_rsa_decrypt_async_finalize
+otcrypto_sha2_256
+otcrypto_sha2_384
+otcrypto_sha2_512
+otcrypto_sha2_init
+otcrypto_sha2_update
+otcrypto_sha2_final
+otcrypto_sha3_224
+otcrypto_sha3_256
+otcrypto_sha3_384
+otcrypto_sha3_512
+otcrypto_shake128
+otcrypto_shake256
+otcrypto_cshake128
+otcrypto_cshake256