authorVadim Bendebury <vbendeb@chromium.org>2018-03-30 21:23:52 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2018-04-17 18:44:33 +0000
commit10caf0ecd37ebd674c38d5a91780a1efce8f7e90 (patch)
tree320a1b622946b5e0fa2d7ee5d98b9ba4e131b965
parent6348dbe6d42cf8a44b069498e837cc3e68f3bf08 (diff)
downloadchrome-ec-10caf0ecd37ebd674c38d5a91780a1efce8f7e90.tar.gz
cr50: use run time generated public RMA key definition
Use RMA public key definition generated based on the binary blob containing the key and key ID. Key generation is controlled by the make file in common/, but actual key blob comes from the board directory. The structure holding the key and key ID is being modified to allow initialization using a flat array. No more need in defining CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY and CONFIG_RMA_AUTH_SERVER_KEY_ID. Conflicts: common/build.mk BRANCH=cr50, cr50-mp BUG=b:73296144, b:74100307 TEST='make buildall' still succeeds. test RMA server generated authentication codes are accepted when unlocking RMA. Change-Id: I8ade94de6eb69b3e49bc5b948dbac20e59962acf Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/990783 Reviewed-by: Randall Spangler <rspangler@chromium.org> Reviewed-by: Vincent Palatin <vpalatin@chromium.org> (cherry picked from commit f2eac533dcad117e4f631f00d27977ca611dc497) Reviewed-on: https://chromium-review.googlesource.com/1015612
-rw-r--r--board/cr50/board.h9
-rw-r--r--common/build.mk9
-rw-r--r--common/rma_auth.c16
-rw-r--r--include/config.h3
-rw-r--r--test/test_config.h9
5 files changed, 26 insertions, 20 deletions
diff --git a/board/cr50/board.h b/board/cr50/board.h
index 6bf889dad9..c87cd3e651 100644
--- a/board/cr50/board.h
+++ b/board/cr50/board.h
@@ -352,15 +352,6 @@ enum nvmem_users {
#define CONFIG_RMA_AUTH
#define CONFIG_RNG
-/* Should be eventually injected into the image at build time. */
-#define CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY { \
- 0xe3, 0xe5, 0x66, 0xf3, 0x12, 0x25, 0x74, 0xba, \
- 0xb3, 0x8f, 0x9f, 0x41, 0x80, 0x3b, 0x58, 0x9a, \
- 0xb0, 0xdc, 0x71, 0x64, 0x1b, 0x6d, 0x22, 0x82, \
- 0x9f, 0x22, 0x31, 0xb3, 0x56, 0x94, 0x8e, 0x13}
-
-#define CONFIG_RMA_AUTH_SERVER_KEY_ID 0
-
#define CONFIG_ENABLE_H1_ALERTS
#endif /* __CROS_EC_BOARD_H */
diff --git a/common/build.mk b/common/build.mk
index 032948c755..2a8799076f 100644
--- a/common/build.mk
+++ b/common/build.mk
@@ -144,3 +144,12 @@ ifneq ($(CONFIG_RSA_OPTIMIZED),)
$(out)/RW/common/rsa.o: CFLAGS+=-O3
$(out)/RO/common/rsa.o: CFLAGS+=-O3
endif
+
+ifeq ($(TEST_BUILD),)
+
+$(out)/RW/common/rma_auth.o: $(out)/rma_key_from_blob.h
+
+$(out)/rma_key_from_blob.h: board/$(BOARD)/rma_key_blob.test util/bin2h.sh
+ $(Q)util/bin2h.sh RMA_KEY_BLOB $< $@
+
+endif
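Review bot: The generated-header rule hard-codes `board/$(BOARD)/rma_key_blob.test` as the only key source, so every non-test image built through it embeds whatever that file holds. If the `.test` suffix means a test server key (an inference from the name; the blob itself is not in this diff), a release image would accept RMA authentication codes issued by the test server. A comment above the rule would make the expectation explicit, for example `# rma_key_blob.test is the test server key; release builds must substitute the production blob`. The rule also passes the file to `util/bin2h.sh` without checking its length, so a truncated or oversized blob is not rejected at this stage.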
diff --git a/common/rma_auth.c b/common/rma_auth.c
index 9d137b6b25..f5217b3938 100644
--- a/common/rma_auth.c
+++ b/common/rma_auth.c
@@ -22,6 +22,10 @@
#include "tpm_vendor_cmds.h"
#include "util.h"
+#ifndef TEST_BUILD
+#include "rma_key_from_blob.h"
+#endif
+
#ifdef CONFIG_DCRYPTO
#include "dcrypto.h"
#else
@@ -38,11 +42,15 @@
/* Server public key and key ID */
static const struct {
- uint8_t server_pub_key[32];
- uint8_t server_key_id;
+ union {
+ uint8_t raw_blob[33];
+ struct {
+ uint8_t server_pub_key[32];
+ uint8_t server_key_id;
+ };
+ };
} __packed rma_key_blob = {
- CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY,
- CONFIG_RMA_AUTH_SERVER_KEY_ID
+ .raw_blob = RMA_KEY_BLOB
};
BUILD_ASSERT(sizeof(rma_key_blob) == 33);
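Review bot: `BUILD_ASSERT(sizeof(rma_key_blob) == 33)` checks the struct layout, not the number of bytes supplied by `RMA_KEY_BLOB`, so a blob shorter than 33 bytes still compiles and the missing tail of `raw_blob` (the last key bytes and `server_key_id`) is silently zero-filled. Because this key decides whose RMA codes the device accepts, a second assert on the initializer itself would be worth adding, e.g. `BUILD_ASSERT(sizeof((const uint8_t[])RMA_KEY_BLOB) == 33);`, assuming the generated header defines `RMA_KEY_BLOB` as a brace-enclosed byte list like the one in test/test_config.h. A short comment on the union saying that `raw_blob` is 32 key bytes followed by the one-byte key ID would document the layout the blob file must follow.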
diff --git a/include/config.h b/include/config.h
index 441a0f0395..baa4dda2a8 100644
--- a/include/config.h
+++ b/include/config.h
@@ -1973,9 +1973,6 @@
/* Support RMA auth challenge-response */
#undef CONFIG_RMA_AUTH
-/* If that's defined, the server public key and ID must also be defined */
-#undef CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY /* 32 bytes: {0xNN, 0xNN, ... 0xNN} */
-#undef CONFIG_RMA_AUTH_SERVER_KEY_ID /* 6-bit key ID, 0xMM */
/* Enable hardware Random Number generator support */
#undef CONFIG_RNG
diff --git a/test/test_config.h b/test/test_config.h
index 4175ed0a2d..4f718919de 100644
--- a/test/test_config.h
+++ b/test/test_config.h
@@ -61,11 +61,14 @@
#ifdef TEST_RMA_AUTH
/* Test server public and private keys */
-#define RMA_TEST_SERVER_PUBLIC_KEY { \
+#define RMA_KEY_BLOB { \
0x03, 0xae, 0x2d, 0x2c, 0x06, 0x23, 0xe0, 0x73, \
0x0d, 0xd3, 0xb7, 0x92, 0xac, 0x54, 0xc5, 0xfd, \
0x7e, 0x9c, 0xf0, 0xa8, 0xeb, 0x7e, 0x2a, 0xb5, \
- 0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f}
+ 0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f, \
+ 0x10 \
+ }
+
#define RMA_TEST_SERVER_PRIVATE_KEY { \
0x47, 0x3b, 0xa5, 0xdb, 0xc4, 0xbb, 0xd6, 0x77, \
0x20, 0xbd, 0xd8, 0xbd, 0xc8, 0x7a, 0xbb, 0x07, \
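Review bot: The comment `/* Test server public and private keys */` no longer describes `RMA_KEY_BLOB`, which now carries the 32-byte public key plus a trailing key ID byte `0x10`, with nothing marking which byte is which. I would add `/* 32-byte test server public key followed by the one-byte key ID */` above the macro and `/* key ID */` after `0x10`. The config lines removed in the next hunk referenced `RMA_TEST_SERVER_KEY_ID`; if that macro is still defined elsewhere in this file (not visible here), the key ID now lives in two places and can drift. The `RMA_TEST_SERVER_PRIVATE_KEY` definition continues past the end of this hunk.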
@@ -76,8 +79,6 @@
#define CONFIG_BASE32
#define CONFIG_CURVE25519
#define CONFIG_RMA_AUTH
-#define CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY RMA_TEST_SERVER_PUBLIC_KEY
-#define CONFIG_RMA_AUTH_SERVER_KEY_ID RMA_TEST_SERVER_KEY_ID
#define CONFIG_RNG
#define CONFIG_SHA256
#define CC_EXTENSION CC_COMMAND