Tags: lowRISC/opentitan
[manuf] add ATE GPIO signalling to FT individualize This updates the FT individualization FW to add GPIO signalling for: - test start on IOA4, - test done on IOA1, and - test error on IOA0. Additionally, this removes more noisy message logs from the FW. Signed-off-by: Tim Trippel <ttrippel@google.com>
[perso] setup keymgr OwnerKey stage with PROD binding Some SKUs build factory installed certs based on PROD diversifier. Since ROM_EXT and Owner FW cannot update these keys/certs on the next boot, perso must set them to PROD. Signed-off-by: Tim Trippel <ttrippel@google.com>
[hsmtool] Use `strum` and `clap::ValueEnum` in `hsmtool::util:wrap` This change adds `strum` and `clap::ValueEnum` to the `hsmtool::util::wrap:Wrap` enum to simplify cli string formatting. This change also switches the default import/export wrapping mechanism for aes and kdf to `rsa-pkcs`. This is to have a default configuration that is compatible with SoftHSM (i.e. there is no current support for rsa-pkcs-oaep wrap/unwrap operations in SoftHSM). Signed-off-by: Miguel Osorio <miguelosorio@google.com>
[hsmtool] Add support for kdf secrets. KDF secrets are used to derive OpenTitan `TEST_UNLOCK` and `TEST_EXIT` tokens in the provisioning infrastructure. This change adds support for import/export operations in plaintext mode. A follow-up commit will add support for wrapped keys, as well as pkcs12 container support to be able to load the secrets into USB tokens. Signed-off-by: Miguel Osorio <miguelosorio@google.com>
[rom_ext] fix CDI_* update bug If non-CWT CDI certs are found in flash info page 19, we should treat this case as if the cert page is empty, and regenerate the certs. This enables running an X.509 ROM_EXT first and changing to a CWT ROM_EXT later. Since UDS cert is never generated outside perso (and is on a separate flash page), the UDS cert format is defined at provisioning time. Signed-off-by: Tim Trippel <ttrippel@google.com>
[bazel] Fix runfile path to QEMU binary These canonical paths are different between Bazel 6, 7, and 8. The `rules_python` runfiles library will perform repository mappings before using this path, so we can use `qemu_opentitan` instead of the canonical name. Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (commit is original to earlgrey_1.0.0)
[bazel] patch rules_fuzzing to work in airgapped mode rules_fuzzing uses rules_python to pull in python packages. This required patching to work in airgapped mode, similar to the patching that was done for rules_python: we needed to disable hash requirements and enable pulling packages from a pre-cached wheels repo. Signed-off-by: Tim Trippel <ttrippel@google.com>
[bazel,airgapped] fetch earlgrey_1.0.0 bitstreams Bitstream schemas can change on the main branch so we want to fetch the earlgrey_1.0.0 bitstreams in particular. Signed-off-by: Tim Trippel <ttrippel@google.com>
This is Release Candidate 0 for Earlgrey-PROD.A2.M6.
Earlgrey-PROD.M6 Release The main goal of the Earlgrey-PROD.M6 milestone is to triage potential ECO candidates identified after Earlgrey-PROD-M5, and to implement any approved and final ECOs. With Earlgrey-PROD.M6, the physical design reached its final state for the production tapeout.