Add support for MLKEM in grpc client and host libs

Willy Zhang · willyzha · commit e9318370ab2d · 2026-01-20T10:18:34.000-08:00
Update grpc to v1.68.0 and boringssl to support MLKEM.
Add flags for enable MLKEM TLS for clients and servers.
Patch gRPC to force MLKEM key exchange when enabled.

Signed-off-by: Willy Zhang &lt;willyzhang@google.com&gt;
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -8,22 +8,25 @@ module(name = "lowrisc_opentitan_provisioning")
 # Standard Libraries & Utilities
 # -------------------------------------------------------------------------
 
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "com_google_absl")
+bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.1", repo_name = "com_google_absl")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1", repo_name = "com_google_googletest")
+bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_google_googletest")
 bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "re2", version = "2023-09-01", repo_name = "com_googlesource_code_re2")
+bazel_dep(name = "re2", version = "2024-07-02", repo_name = "com_googlesource_code_re2")
 bazel_dep(name = "upb", version = "0.0.0-20230907-e7430e6")
 
 # -------------------------------------------------------------------------
 # Build Rules
 # -------------------------------------------------------------------------
 
 bazel_dep(name = "rules_apple", version = "3.16.1")
+bazel_dep(name = "rules_swift", version = "2.1.1", repo_name = "build_bazel_rules_swift")
 bazel_dep(name = "rules_cc", version = "0.1.2")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_proto", version = "7.0.2")
 
+bazel_dep(name = "aspect_rules_lint", version = "1.0.8")
+
 bazel_dep(name = "rules_foreign_cc", version = "0.9.0")
 single_version_override(
     module_name = "rules_foreign_cc",
@@ -35,17 +38,30 @@ single_version_override(
 # -------------------------------------------------------------------------
 
 bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
+bazel_dep(name = "protoc-gen-validate", version = "1.0.4.bcr.2")
 
-bazel_dep(name = "grpc", version = "1.66.0.bcr.3", repo_name = "com_github_grpc_grpc")
+# Use a modern gRPC (compatible with Protobuf 27+)
+bazel_dep(name = "grpc", version = "1.68.0", repo_name = "com_github_grpc_grpc")
 single_version_override(
     module_name = "grpc",
     patch_strip = 0,
     patches = [
         "third_party/google/grpc_windows_config_setting.patch",
         "third_party/google/grpc_windows_endpoint_fix.patch",
+        "third_party/google/grpc_force_mlkem.patch",
     ],
 )
 
+bazel_dep(name = "boringssl")
+archive_override(
+    module_name = "boringssl",
+    integrity = "sha256-dHR3G61xqu8ZpYuovGGINHZ7VxPMPEean1AquU74k5E=",
+    patch_strip = 0,
+    patches = ["third_party/google/boringssl_mingw_fix.patch"],
+    strip_prefix = "boringssl-0.20241024.0",
+    urls = ["https://github.com/google/boringssl/releases/download/0.20241024.0/boringssl-0.20241024.0.tar.gz"],
+)
+
 # -------------------------------------------------------------------------
 # OpenTitan Project
 # -------------------------------------------------------------------------
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
diff --git a/config/containers/provapp.yml.tmpl b/config/containers/provapp.yml.tmpl
@@ -15,6 +15,7 @@ spec:
   - name: paserver-1
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -39,6 +40,7 @@ spec:
   - name: paserver-2
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -63,6 +65,7 @@ spec:
   - name: paserver-3
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pa-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pa-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
@@ -87,6 +90,7 @@ spec:
   - name: pbserver
     args:
     - --enable_tls=true
+    - --enable_mlkem=${ENABLE_MLKEM}
     - --service_key=/var/lib/opentitan/config/certs/out/pb-service-key.pem
     - --service_cert=/var/lib/opentitan/config/certs/out/pb-service-cert.pem
     - --ca_root_certs=/var/lib/opentitan/config/certs/out/ca-cert.pem
diff --git a/integration/run_client_tests.sh b/integration/run_client_tests.sh
@@ -9,6 +9,8 @@ set -e
 # in the background and still be able to run other commands in parallel.
 set -m
 
+export ENABLE_MLKEM="true"
+
 # Ensure we are running from the repository root
 cd "$(dirname "$0")/.."
 
diff --git a/integration/run_tls_test.sh b/integration/run_tls_test.sh
@@ -9,12 +9,23 @@ set -e
 # in the background and still be able to run other commands in parallel.
 set -m
 
+export ENABLE_MLKEM="true"
+
 # Ensure we are running from the repository root
 cd "$(dirname "$0")/.."
 
 # Build and deploy the provisioning infrastructure.
 source util/integration_test_setup.sh
 
+# Dump PA logs on failure
+dump_pa_logs() {
+  echo "----------------------------------------------------------------"
+  echo "Dumping PA logs (provapp-paserver-1)..."
+  podman logs provapp-paserver-1
+  echo "----------------------------------------------------------------"
+}
+trap dump_pa_logs ERR
+
 # Run the TLS connection test.
 echo "Running TLS connection test ..."
 bazelisk run //src/ate/test_programs:tls_test -- \
diff --git a/src/ate/test_programs/tls_test.cc b/src/ate/test_programs/tls_test.cc
@@ -113,7 +113,7 @@ int main(int argc, char **argv) {
     LOG(ERROR) << "InitSession with PA failed.";
     return -1;
   }
-  
+
   LOG(INFO) << "TLS Connection to PA established successfully.";
 
   // Close session with PA.
diff --git a/src/pa/loadtest.go b/src/pa/loadtest.go
@@ -46,6 +46,7 @@ var (
 	clientKey       = flag.String("client_key", "", "File path to the PEM encoding of the client's private key")
 	configDir       = flag.String("spm_config_dir", "", "Path to the SKU configuration directory.")
 	enableTLS       = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM     = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	hsmSOLibPath    = flag.String("hsm_so", "", "File path to the HSM's PKCS#11 shared library.")
 	paAddress       = flag.String("pa_address", "", "the PA server address to connect to; required")
 	parallelClients = flag.Int("parallel_clients", 1, "The total number of clients to run concurrently")
@@ -89,7 +90,7 @@ type clientGroup struct {
 func (c *clientTask) setup(ctx context.Context, skuName string) error {
 	opts := []grpc.DialOption{grpc.WithBlock()}
 	if *enableTLS {
-		credentials, err := grpconn.LoadClientCredentials(*caRootCerts, *clientCert, *clientKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadClientCredentials(*caRootCerts, *clientCert, *clientKey)
 		if err != nil {
 			return err
 		}
diff --git a/src/pa/pa_server.go b/src/pa/pa_server.go
@@ -28,6 +28,7 @@ var (
 	enableRegistry  = flag.Bool("enable_registry", false, "Enable connectivity to the Registry server; optional")
 	registryAddress = flag.String("registry_address", "", "the Registry (Buffer) server address to connect to; required")
 	enableTLS       = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM     = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	serviceKey      = flag.String("service_key", "", "File path to the PEM encoding of the server's private key")
 	serviceCert     = flag.String("service_cert", "", "File path to the PEM encoding of the server's certificate chain")
 	caRootCerts     = flag.String("ca_root_certs", "", "File path to the PEM encoding of the CA root certificates")
@@ -38,7 +39,7 @@ func startPAServer(spmClient pbs.SpmServiceClient) (*grpc.Server, error) {
 	opts := []grpc.ServerOption{}
 	auth_service.NewAuthControllerInstance(*enableTLS)
 	if *enableTLS {
-		credentials, err := grpconn.LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			return nil, err
 		}
@@ -55,7 +56,7 @@ func startPAServer(spmClient pbs.SpmServiceClient) (*grpc.Server, error) {
 func startSPMClient() (pbs.SpmServiceClient, error) {
 	opts := grpc.WithInsecure()
 	if *enableTLS {
-		credentials, err := grpconn.LoadClientCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadClientCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			return nil, err
 		}
@@ -102,7 +103,7 @@ func main() {
 			log.Fatalf("`registry_address` parameter missing")
 		}
 		log.Printf("starting Registry client at address: %q", *registryAddress)
-		err = rs.StartRegistryBuffer(*registryAddress, *enableTLS, *caRootCerts, *serviceCert, *serviceKey)
+		err = rs.StartRegistryBuffer(*registryAddress, *enableTLS, *enableMLKEM, *caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			log.Fatalf("failed to initialize Registry client: %v", err)
 		}
diff --git a/src/pa/services/registry_shim/registry_shim.go b/src/pa/services/registry_shim/registry_shim.go
@@ -26,10 +26,10 @@ import (
 
 var registryClient proxybuffer.Registry
 
-func StartRegistryBuffer(registryBufferAddress string, enableTLS bool, caRootCerts string, serviceCert string, serviceKey string) error {
+func StartRegistryBuffer(registryBufferAddress string, enableTLS bool, enableMLKEM bool, caRootCerts string, serviceCert string, serviceKey string) error {
 	opts := grpc.WithInsecure()
 	if enableTLS {
-		credentials, err := grpconn.LoadClientCredentials(caRootCerts, serviceCert, serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: enableMLKEM}).LoadClientCredentials(caRootCerts, serviceCert, serviceKey)
 		if err != nil {
 			return err
 		}
diff --git a/src/proxy_buffer/pb_server.go b/src/proxy_buffer/pb_server.go
@@ -38,6 +38,7 @@ var (
 	syncerMaxRetriesPerRecord = flag.Int("syncer_max_retries_per_record", 5, "Number of times a record can be retried before it stops pb_server. Anything less than zero will not stop the service. Defaults to 5.")
 	// gRPC server
 	enableTLS   = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	serviceKey  = flag.String("service_key", "", "File path to the PEM encoding of the server's private key")
 	serviceCert = flag.String("service_cert", "", "File path to the PEM encoding of the server's certificate chain")
 	caRootCerts = flag.String("ca_root_certs", "", "File path to the PEM encoding of the CA root certificates")
@@ -94,7 +95,7 @@ func main() {
 
 	opts := []grpc.ServerOption{}
 	if *enableTLS {
-		credentials, err := grpconn.LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			log.Fatalf("Failed to load server credentials: %v", err)
 		}
diff --git a/src/spm/spm_server.go b/src/spm/spm_server.go
@@ -24,6 +24,7 @@ var (
 	hsmPWFile     = flag.String("hsm_pw", "", "File path to the HSM's Password; required for TPM")
 	hsmSOPath     = flag.String("hsm_so", "", "File path to the PCKS#11 .so library used to interface to the HSM")
 	enableTLS     = flag.Bool("enable_tls", false, "Enable mTLS secure channel; optional")
+	enableMLKEM   = flag.Bool("enable_mlkem", false, "Enable MLKEM TLS configuration; optional")
 	serviceKey    = flag.String("service_key", "", "File path to the PEM encoding of the server's private key")
 	serviceCert   = flag.String("service_cert", "", "File path to the PEM encoding of the server's certificate chain")
 	caRootCerts   = flag.String("ca_root_certs", "", "File path to the PEM encoding of the CA root certificates")
@@ -35,7 +36,7 @@ var (
 func startSPMServer() (*grpc.Server, error) {
 	opts := []grpc.ServerOption{}
 	if *enableTLS {
-		credentials, err := grpconn.LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
+		credentials, err := (&grpconn.Config{EnableMLKEMTLS: *enableMLKEM}).LoadServerCredentials(*caRootCerts, *serviceCert, *serviceKey)
 		if err != nil {
 			return nil, err
 		}
diff --git a/src/transport/BUILD.bazel b/src/transport/BUILD.bazel
@@ -19,6 +19,12 @@ go_library(
     ],
 )
 
+go_test(
+    name = "grpconn_test",
+    srcs = ["grpconn_test.go"],
+    embed = [":grpconn"],
+)
+
 WINDOWS_LIBS = [
     "-lbcrypt",  # aka: bcrypt.lib
     "-ldbghelp",  # aka: dbghelp.lib
diff --git a/src/transport/grpconn.go b/src/transport/grpconn.go
@@ -34,10 +34,24 @@ func loadCertPool(rootsFilename string) (*x509.CertPool, error) {
 	return certPool, nil
 }
 
+type Config struct  {
+	EnableMLKEMTLS bool 
+}
+
+func (c *Config) applyMLKEMConfig(tlsConfig *tls.Config) {
+	if c.EnableMLKEMTLS {
+		// Strictly prefer MLKEM. This enforces that clients must support MLKEM key exchange.
+		tlsConfig.CurvePreferences = []tls.CurveID{
+			tls.X25519MLKEM768, 
+		}
+		tlsConfig.MinVersion = tls.VersionTLS13
+	}
+}
+
 // LoadServerCredentials returns server side mTLS transport credentials.
 // `rootsFilename` should point to the client CA root certificates in PEM
 // format.
-func LoadServerCredentials(rootsFilename, certFilename, keyFilename string) (credentials.TransportCredentials, error) {
+func (c *Config) LoadServerCredentials(rootsFilename, certFilename, keyFilename string) (credentials.TransportCredentials, error) {
 	certPool, err := loadCertPool(rootsFilename)
 	if err != nil {
 		return nil, err
@@ -48,18 +62,22 @@ func LoadServerCredentials(rootsFilename, certFilename, keyFilename string) (cre
 		return nil, err
 	}
 
-	return credentials.NewTLS(&tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		ClientAuth:         tls.RequireAndVerifyClientCert,
-		ClientCAs:          certPool,
-		InsecureSkipVerify: false,
-	}), nil
+	var tlsConfig = &tls.Config{
+			Certificates:       []tls.Certificate{cert},
+			ClientAuth:         tls.RequireAndVerifyClientCert,
+			ClientCAs:          certPool,
+			InsecureSkipVerify: false,
+	}
+
+	c.applyMLKEMConfig(tlsConfig)
+
+	return credentials.NewTLS(tlsConfig), nil
 }
 
 // LoadClientCredentials returns client side mTLS transport credentials.
 // `rootsFilename` should point to the server CA root certificates in PEM
 // format.
-func LoadClientCredentials(rootsFilename, certFilename, keyFilename string) (credentials.TransportCredentials, error) {
+func (c *Config) LoadClientCredentials(rootsFilename, certFilename, keyFilename string) (credentials.TransportCredentials, error) {
 	certPool, err := loadCertPool(rootsFilename)
 	if err != nil {
 		return nil, err
@@ -70,10 +88,14 @@ func LoadClientCredentials(rootsFilename, certFilename, keyFilename string) (cre
 		return nil, err
 	}
 
-	return credentials.NewTLS(&tls.Config{
-		Certificates: []tls.Certificate{cert},
-		RootCAs:      certPool,
-	}), nil
+	var tlsConfig = &tls.Config{
+		Certificates:     []tls.Certificate{cert},
+		RootCAs:          certPool,
+	}
+
+	c.applyMLKEMConfig(tlsConfig)
+
+	return credentials.NewTLS(tlsConfig), nil
 }
 
 func ExtractClientIP(ctx context.Context) (string, error) {
@@ -137,4 +159,4 @@ func CheckEndpointInterceptor(ctx context.Context, req interface{}, info *grpc.U
 	}
 	// If the IP or DNS name match, proceed with the next handler
 	return handler(ctx, req)
-}
+}
diff --git a/src/transport/grpconn_test.go b/src/transport/grpconn_test.go
@@ -0,0 +1,68 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+package grpconn
+
+import (
+	"crypto/tls"
+	"testing"
+)
+
+func TestApplyMLKEMConfig(t *testing.T) {
+	tests := []struct {
+		name           string
+		enableMLKEM    bool
+		expectMinVer   uint16
+		expectCurve    bool
+	}{
+		{
+			name:           "Disabled",
+			enableMLKEM:    false,
+			expectMinVer:   0, // Default 0 means allow lower versions (implementation dependent, usually 1.0 or 1.2)
+			expectCurve:    false,
+		},
+		{
+			name:           "Enabled",
+			enableMLKEM:    true,
+			expectMinVer:   tls.VersionTLS13,
+			expectCurve:    true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := &Config{EnableMLKEMTLS: tc.enableMLKEM}
+			tlsConfig := &tls.Config{}
+			
+			cfg.applyMLKEMConfig(tlsConfig)
+
+			if tc.enableMLKEM {
+				if tlsConfig.MinVersion != tc.expectMinVer {
+					t.Errorf("Expected MinVersion %v, got %v", tc.expectMinVer, tlsConfig.MinVersion)
+				}
+
+				found := false
+				for _, curve := range tlsConfig.CurvePreferences {
+					if curve == tls.X25519MLKEM768 {
+						found = true
+						break
+					}
+				}
+				if !tc.expectCurve {
+					t.Errorf("Expected MLKEM curve to be present")
+				} else if !found {
+					t.Errorf("Expected MLKEM curve to be present")
+				}
+			} else {
+				// When disabled, we expect no changes to the default (empty) tlsConfig
+				if tlsConfig.MinVersion != 0 {
+					t.Errorf("Expected MinVersion 0, got %v", tlsConfig.MinVersion)
+				}
+				if len(tlsConfig.CurvePreferences) > 0 {
+					t.Errorf("Expected no CurvePreferences, got %v", tlsConfig.CurvePreferences)
+				}
+			}
+		})
+	}
+}
diff --git a/src/vendor/registry_shim/registry_shim.go b/src/vendor/registry_shim/registry_shim.go
diff --git a/third_party/google/boringssl_mingw_fix.patch b/third_party/google/boringssl_mingw_fix.patch
diff --git a/third_party/google/grpc_force_mlkem.patch b/third_party/google/grpc_force_mlkem.patch
diff --git a/util/containers/deploy_test_k8_pod.sh b/util/containers/deploy_test_k8_pod.sh
diff --git a/util/integration_test_setup.sh b/util/integration_test_setup.sh

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ int main(int argc, char **argv) {`
`113`	`113`	`LOG(ERROR) << "InitSession with PA failed.";`
`114`	`114`	`return -1;`
`115`	`115`	`}`
`116`		`-`
	`116`	`+`
`117`	`117`	`LOG(INFO) << "TLS Connection to PA established successfully.";`
`118`	`118`
`119`	`119`	`// Close session with PA.`