[bazel] Initial build/release system

skus/extras.json

@@ -0,0 +1,28 @@
+[
+  {
+    "rule": "http_archive",
+    "name": "presign_perso",
+    "type": "tar.xz",
+    "url": "https://github.com/lowRISC/ot-sku/releases/download/FAKE_BUILD_20260518_rc00/presign_perso.tar.xz"
+  },
+  {
+    "rule": "http_archive",
+    "name": "presign_rom_ext",
+    "type": "tar.xz",
+    "url": "https://github.com/lowRISC/ot-sku/releases/download/FAKE_BUILD_20260518_rc00/presign_rom_ext.tar.xz"
+  },
+
+  {
+    "rule": "http_archive",
+    "name": "perso_release",
+    "type": "tar.xz",
+    "url": "https://github.com/lowRISC/ot-sku/releases/download/FAKE_RELEASE_20260518_rc00/perso_release.tar.xz"
+  },
+  {
+    "rule": "http_archive",
+    "name": "rom_ext_release",
+    "type": "tar.xz",
+    "url": "https://github.com/lowRISC/ot-sku/releases/download/FAKE_RELEASE_20260518_rc00/rom_ext_release.tar.xz"
+  }
+
+]

skus/open/binaries/perso/BUILD

@@ -44,8 +44,8 @@ exec_env_filegroup(
     # The "fake_keys" filenames are an unfortunate consequence of a historical
     # choice of naming convention.  They are, in fact, signed by offline HSM keys.
     files = {
-        "ft_personalize_ot00_fpga_cw340_rom_with_fake_keys.signed.bin": "cw340",
-        "ft_personalize_ot00_fpga_hyper310_rom_with_fake_keys.signed.bin": "cw310",
-        "ft_personalize_ot00_silicon_creator.signed.bin": "silicon",
+        "@provisioning_exts_extra//perso_release:ft_personalize_ot00_fpga_cw340_rom_with_fake_keys.signed.bin": "cw340",
+        "@provisioning_exts_extra//perso_release:ft_personalize_ot00_fpga_hyper310_rom_with_fake_keys.signed.bin": "cw310",
+        "@provisioning_exts_extra//perso_release:ft_personalize_ot00_silicon_creator.signed.bin": "silicon",
     },
 )

skus/open/orchestrator/ot00.hjson

@@ -9,7 +9,7 @@
   package: "npcr13",
   target_lc_state: "prod",
   otp: "ot00",
-  perso_bin: "external/provisioning_exts/open/binaries/perso/ft_personalize_{sku}_{target}.signed.bin",
+  perso_bin: "external/+hooks+provisioning_exts_extra/perso_release/ft_personalize_{sku}_{target}.signed.bin",
 
   // We'd like to wait for "USB-DFU rescue ready", but ft_lib::check_slot_b_boot_up
   // fails if we observe "BFV:.*" and the rescue ready message is after the boot

skus/open/orchestrator/ot00_staging.hjson

@@ -9,8 +9,7 @@
   package: "npcr13",
   target_lc_state: "prod",
   otp: "ot00",
-  // TODO: replace ot00 with {sku} once signed binaries are available
-  perso_bin: "external/provisioning_exts/open/binaries/perso/ft_personalize_ot00_{target}.signed.bin",
+  perso_bin: "external/+hooks+provisioning_exts_extra/perso_release/ft_personalize_{sku}_{target}.signed.bin",
 
   // We'd like to wait for "USB-DFU rescue ready", but ft_lib::check_slot_b_boot_up
   // fails if we observe "BFV:.*" and the rescue ready message is after the boot

skus/open/perso/BUILD

@@ -0,0 +1,86 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@lowrisc_opentitan//rules:signing.bzl", "offline_presigning_artifacts", "offline_signature_attach")
+load("@lowrisc_opentitan//rules:signing.bzl", "signature_test")
+load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
+load(
+    "@lowrisc_opentitan//sw/device/silicon_creator/manuf/base:provisioning_inputs.bzl",
+    "disqualified_for_signing",
+)
+load("@provisioning_exts//:cfg.bzl", "EXT_EARLGREY_SKUS")
+
+package(default_visibility = ["//visibility:public"])
+
+SKU = "ot00"
+
+offline_presigning_artifacts(
+    name = "provisioning_{}".format(SKU),
+    testonly = True,
+    srcs = ["@lowrisc_opentitan//sw/device/silicon_creator/manuf/base:ft_personalize_{}".format(SKU)],
+    ecdsa_key = EXT_EARLGREY_SKUS[SKU]["ecdsa_key"],
+    manifest = "@lowrisc_opentitan//sw/device/silicon_creator/manuf/base:manifest_perso",
+    spx_key = EXT_EARLGREY_SKUS[SKU]["spx_key"],
+    tags = ["manual"],
+)
+
+# We want to publish pre-signed binaries in the presign package.
+# Use a filegroup to capture the binary output group.
+filegroup(
+    name = "binaries_{}".format(SKU),
+    testonly = True,
+    srcs = ["provisioning_{}".format(SKU)],
+    output_group = "binary",
+    tags = ["manual"],
+)
+
+pkg_tar(
+    name = "presign_perso",
+    testonly = True,
+    srcs = [
+        "@provisioning_exts//shared/repo:presign_repo",
+        ":provisioning_{}".format(SKU),
+        ":binaries_{}".format(SKU),
+    ],
+    extension = "tar.xz",
+    mode = "0644",
+    tags = ["manual"],
+)
+
+offline_signature_attach(
+    name = "signed",
+    testonly = True,
+    srcs = [
+        "@provisioning_exts_extra//presign_perso:presigned",
+    ],
+    ecdsa_signatures = [
+        "{}:ecdsa_signatures".format(EXT_EARLGREY_SKUS[SKU]["signature_prefix"]),
+    ],
+    spx_signatures = [
+        "{}:spx_signatures".format(EXT_EARLGREY_SKUS[SKU]["signature_prefix"]),
+    ],
+    tags = ["manual"],
+)
+
+signature_test(
+    name = "signature_test",
+    srcs = [
+        ":signed",
+    ],
+    ecdsa_key = EXT_EARLGREY_SKUS[SKU]["ecdsa_key"],
+    spx_key = EXT_EARLGREY_SKUS[SKU]["spx_key"],
+    tags = ["manual"],
+)
+
+pkg_tar(
+    name = "perso_release",
+    testonly = True,
+    srcs = [
+        ":signed",
+        "@provisioning_exts//shared/repo:file_repo",
+    ],
+    extension = "tar.xz",
+    mode = "0644",
+    tags = ["manual"],
+)

skus/open/rom_ext/BUILD

@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 load("@lowrisc_opentitan//rules:const.bzl", "CONST", "hex")
+load("@lowrisc_opentitan//rules:signing.bzl", "signature_test")
 load("@lowrisc_opentitan//rules:manifest.bzl", "manifest")
 load("@lowrisc_opentitan//rules:signing.bzl", "offline_presigning_artifacts", "offline_signature_attach")
 load("@lowrisc_opentitan//rules/opentitan:defs.bzl", "opentitan_binary")
@@ -100,43 +101,6 @@ opentitan_binary(
     ],
 )
 
-offline_presigning_artifacts(
-    name = "presigning",
-    testonly = True,
-    srcs = [":rom_ext_dice_x509_prod_slot_virtual"],
-    ecdsa_key = {
-        "//open/keys/root:keyset": "ot00-earlgrey-a2-root-ecdsa-prod-0",
-    },
-    manifest = ":manifest_open",
-    spx_key = {
-        "//open/keys/root:spxset": "ot00-earlgrey-a2-root-slhdsa-prod-0",
-    },
-    tags = ["manual"],
-)
-
-pkg_tar(
-    name = "digests",
-    testonly = True,
-    srcs = [":presigning"],
-    mode = "0644",
-    tags = ["manual"],
-)
-
-offline_signature_attach(
-    name = "signed",
-    testonly = True,
-    srcs = [
-        ":presigning",
-    ],
-    ecdsa_signatures = [
-        "//open/signatures/rom_ext:ecdsa_signatures",
-    ],
-    spx_signatures = [
-        "//open/signatures/rom_ext:spx_signatures",
-    ],
-    tags = ["manual"],
-)
-
 genrule(
     name = "owner_bin",
     srcs = [
@@ -148,7 +112,7 @@ genrule(
     # inverted dependency relationship between lowRISC/opentitan and
     # ot-sku.  Remove after converting to bzlmod.
     cmd = """
-        ln -s external/provisioning_exts+/open . && \
+        ln -s external/+hooks+provisioning_exts/open . && \
         $(execpath @lowrisc_opentitan//sw/host/opentitantool) --rcfile= \
             ownership config --input $(location :owner.json5) $@
     """,
@@ -188,3 +152,81 @@ cc_library(
     ],
     alwayslink = True,
 )
+
+offline_presigning_artifacts(
+    name = "rom_ext",
+    testonly = True,
+    srcs = [":rom_ext_dice_x509_prod_slot_virtual"],
+    ecdsa_key = {
+        "//open/keys/root:keyset": "ot00-earlgrey-a2-root-ecdsa-prod-0",
+    },
+    manifest = ":manifest_open",
+    spx_key = {
+        "//open/keys/root:spxset": "ot00-earlgrey-a2-root-slhdsa-prod-0",
+    },
+    tags = ["manual"],
+)
+
+# We want to publish pre-signed binaries in the presign package.
+# Use a filegroup to capture the binary output group.
+filegroup(
+    name = "binaries",
+    testonly = True,
+    srcs = [":rom_ext"],
+    output_group = "binary",
+    tags = ["manual"],
+)
+
+pkg_tar(
+    name = "presign_rom_ext",
+    testonly = True,
+    srcs = [
+        ":binaries",
+        ":rom_ext",
+        "@provisioning_exts//shared/repo:presign_repo",
+    ],
+    extension = "tar.xz",
+    mode = "0644",
+    tags = ["manual"],
+)
+
+offline_signature_attach(
+    name = "signed",
+    testonly = True,
+    srcs = [
+        "@provisioning_exts_extra//presign_rom_ext:presigned",
+    ],
+    ecdsa_signatures = [
+        "//open/signatures/rom_ext:ecdsa_signatures",
+    ],
+    spx_signatures = [
+        "//open/signatures/rom_ext:spx_signatures",
+    ],
+    tags = ["manual"],
+)
+
+signature_test(
+    name = "signature_test",
+    srcs = [
+        ":signed",
+    ],
+    ecdsa_key = {
+        "//open/keys/root:keyset": "ot00-earlgrey-a2-root-ecdsa-prod-0",
+    },
+    spx_key = {
+        "//open/keys/root:spxset": "ot00-earlgrey-a2-root-slhdsa-prod-0",
+    },
+    tags = ["manual"],
+)
+
+pkg_tar(
+    name = "rom_ext_release",
+    testonly = True,
+    srcs = [
+        ":signed",
+        "@provisioning_exts//shared/repo:file_repo",
+    ],
+    extension = "tar.xz",
+    mode = "0644",
+    tags = ["manual"],
+)

skus/shared/repo/BUILD.bazel

@@ -0,0 +1,31 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
+
+package(default_visibility = ["//visibility:public"])
+
+pkg_files(
+    name = "file_repo",
+    srcs = [
+        "build_bazel",
+        "repo_bazel",
+    ],
+    renames = {
+        "build_bazel": "BUILD.bazel",
+        "repo_bazel": "REPO.bazel",
+    },
+)
+
+pkg_files(
+    name = "presign_repo",
+    srcs = [
+        "presign_bazel",
+        "repo_bazel",
+    ],
+    renames = {
+        "presign_bazel": "BUILD.bazel",
+        "repo_bazel": "REPO.bazel",
+    },
+)

skus/shared/repo/build_bazel

@@ -0,0 +1,7 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
+
+exports_files(glob(["**"]))

skus/shared/repo/presign_bazel

@@ -0,0 +1,12 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
+
+exports_files(glob(["**"]))
+
+filegroup(
+    name = "presigned",
+    srcs = glob(["*.pre-signing"]),
+)

skus/shared/repo/repo_bazel

@@ -0,0 +1,3 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0