author | Andrey Pronin <apronin@chromium.org> | 2019-06-25 16:25:51 -0700 |
committer | Commit Bot <commit-bot@chromium.org> | 2019-06-27 20:43:57 +0000 |
commit | 700b0ef9d5533d3650d58ca4e4ad4344b197d605 (patch) | |
tree | 6df446fcd4c9dacf910e521289df5bc4a86165ad | |
parent | b7aba9d023d3c7273904860cb81bd7d3bd12e47f (diff) | |
cr50: add RSU Dev ID vNVRAM space
This CL adds a vNVRAM space that exposes RSU Device ID for userland.
BRANCH=none
BUG=b:136091350
TEST=Verify that the RSU Device ID reported through vNVRAM using this
new method matches the same ID calculated from the device ID in the G2FA
certificate:
hex_to_binary_file() {
local hex_value="$1"
local file_name="$2"
local escaped_string="$(echo -n "${hex_value}" | \
sed 's/.\{2\}/\\x&/g')"
echo -n -e "${escaped_string}" >"${file_name}"
}
trunks_send --u2f_cert --crt=/tmp/cert
serial="$(openssl x509 -in /tmp/cert -inform der -noout -serial | \
sed 's/serial=\s*//')"
chip_id="$(printf "%64s" ${serial} | sed 's/ /0/g' | \
sed 's/.\{2\}/& /g' | tac -s' ' | sed 's/ //g')"
hex_to_binary_file "${chip_id}" /tmp/chip
rma_device_id="$(openssl sha -sha256 -mac hmac \
-macopt hexkey:"${chip_id}" -hex /tmp/chip | \
sed 's/.*=\s*//' | cut -c1-16)"
hex_to_binary_file "${rma_device_id}" /tmp/data
rsu_salt="Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh"
echo -n ${rsu_salt} >> /tmp/data
rsu_device_id="$(openssl sha -sha256 -hex /tmp/data | \
sed 's/.*=\s*//')"
hex_to_binary_file "${rsu_device_id}" /tmp/rsu_device_id
tpm_manager_client read_space --index=0x013fff03 --file=/tmp/vnvram
if diff -q /tmp/rsu_device_id /tmp/vnvram; then
echo "OK"
else
echo "Wrong vNVRAM"
fi
Change-Id: I0f577a54f74da9ef70a092e024b51c7c8219a605
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1677238
Reviewed-by: Louis Collard <louiscollard@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
-rw-r--r-- | board/cr50/tpm2/virtual_nvmem.c | 32 | ||||
-rw-r--r-- | board/cr50/tpm2/virtual_nvmem.h | 2 |
2 files changed, 34 insertions, 0 deletions
diff --git a/board/cr50/tpm2/virtual_nvmem.c b/board/cr50/tpm2/virtual_nvmem.c
index 7d637cdcb6..8d3dbc0dec 100644
--- a/board/cr50/tpm2/virtual_nvmem.c
+++ b/board/cr50/tpm2/virtual_nvmem.c
@@ -9,7 +9,9 @@
#include "board_id.h"
#include "console.h"
+#include "cryptoc/sha256.h"
#include "link_defs.h"
+#include "rma_auth.h"
#include "sn_bits.h"
#include "u2f_impl.h"
#include "virtual_nvmem.h"
@@ -127,6 +129,14 @@ struct virtual_nv_index_cfg {
#define REGISTER_DEPRECATED_CONFIG(r_index) \
REGISTER_CONFIG(r_index, 0, 0)
+
+/*
+ * The salt to be mixed in with RMA device ID to produce RSU device ID.
+ */
+#define RSU_SALT_SIZE 32
+const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";
+BUILD_ASSERT(ARRAY_SIZE(kRsuSalt) == RSU_SALT_SIZE+1);
+
/* * Registration of current virtual indexes. *
@@ -141,6 +151,7 @@ struct virtual_nv_index_cfg {
static void GetBoardId(BYTE *to, size_t offset, size_t size);
static void GetSnData(BYTE *to, size_t offset, size_t size);
static void GetG2fCert(BYTE *to, size_t offset, size_t size);
+static void GetRSUDevID(BYTE *to, size_t offset, size_t size);
static const struct virtual_nv_index_cfg index_config[] = { REGISTER_CONFIG(VIRTUAL_NV_INDEX_BOARD_ID,
@@ -152,6 +163,9 @@ static const struct virtual_nv_index_cfg index_config[] = {
REGISTER_CONFIG(VIRTUAL_NV_INDEX_G2F_CERT, VIRTUAL_NV_INDEX_G2F_CERT_SIZE, GetG2fCert)
+ REGISTER_CONFIG(VIRTUAL_NV_INDEX_RSU_DEV_ID,
+ VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE,
+ GetRSUDevID)
}; /* Check sanity of above config. */
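Review bot: `const char kRsuSalt[]` in the salt hunk is defined at file scope without `static`, so it becomes an external symbol of the firmware image while every other identifier this change adds to the file (`GetRSUDevID`, the `index_config` entry) is file-local; `static const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";` keeps it private and consistent with the rest of the table. The comment above it says the salt is "mixed in" but not how, and since the value is a literal in open source (it also appears verbatim in the commit message's test script) it is a domain-separation constant rather than a secret, so nothing should assume the RSU ID cannot be linked back to the RMA ID by anyone who can read the source. A comment such as `/* Public domain-separation constant: RSU_DEV_ID = SHA256(RMA_DEVICE_ID || kRsuSalt); userland recomputes this, see GetRSUDevID(). */` would make both points explicit. Nit: `RSU_SALT_SIZE+1` reads better as `RSU_SALT_SIZE + 1`.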
@@ -335,3 +349,21 @@ static void GetG2fCert(BYTE *to, size_t offset, size_t size)
}
BUILD_ASSERT(VIRTUAL_NV_INDEX_G2F_CERT_SIZE == G2F_ATTESTATION_CERT_MAX_LEN);
+
+static void GetRSUDevID(BYTE *to, size_t offset, size_t size)
+{
+ LITE_SHA256_CTX ctx;
+ uint8_t rma_device_id[RMA_DEVICE_ID_SIZE];
+ const uint8_t *rsu_device_id;
+
+ get_rma_device_id(rma_device_id);
+
+ SHA256_init(&ctx);
+ HASH_update(&ctx, rma_device_id, sizeof(rma_device_id));
+ HASH_update(&ctx, kRsuSalt, RSU_SALT_SIZE);
+ rsu_device_id = HASH_final(&ctx);
+
+ memcpy(to, rsu_device_id + offset, size);
+}
+BUILD_ASSERT(VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE ==
+ SHA256_DIGEST_SIZE);
diff --git a/board/cr50/tpm2/virtual_nvmem.h b/board/cr50/tpm2/virtual_nvmem.h
index ff1cc7991d..8321daa88c 100644
--- a/board/cr50/tpm2/virtual_nvmem.h
+++ b/board/cr50/tpm2/virtual_nvmem.h
@@ -24,6 +24,7 @@ enum virtual_nv_index {
VIRTUAL_NV_INDEX_BOARD_ID = VIRTUAL_NV_INDEX_START, VIRTUAL_NV_INDEX_SN_DATA, VIRTUAL_NV_INDEX_G2F_CERT,
+ VIRTUAL_NV_INDEX_RSU_DEV_ID,
VIRTUAL_NV_INDEX_END, }; /* Reserved space for future virtual indexes; this is the last valid index. */
@@ -35,5 +36,6 @@ enum virtual_nv_index {
#define VIRTUAL_NV_INDEX_BOARD_ID_SIZE 12
#define VIRTUAL_NV_INDEX_SN_DATA_SIZE 16
#define VIRTUAL_NV_INDEX_G2F_CERT_SIZE 315
+#define VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE 32
#endif /* __EC_BOARD_CR50_TPM2_VIRTUAL_NVMEM_H */ |
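Review bot: `memcpy(to, rsu_device_id + offset, size)` at the end of GetRSUDevID copies out of a 32-byte SHA-256 result with no check that `offset + size` stays within `SHA256_DIGEST_SIZE`; the read dispatcher that invokes these getters and the sibling getters it mirrors are outside this hunk, so if that dispatcher does not already clamp requests to `VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE`, an oversized read would copy stack bytes past the digest into the caller's buffer. A local guard keeps the getter safe regardless of the caller, e.g. `if (offset > SHA256_DIGEST_SIZE) return;` followed by `size = MIN(size, SHA256_DIGEST_SIZE - offset);` before the memcpy, or a one-line comment naming the caller-side check if it exists. `HASH_final(&ctx)` appears to hand back a pointer into `ctx` rather than a copy, which is fine here because the copy happens before `ctx` goes out of scope, but a comment like `/* Points into ctx; valid only until return. */` would stop a later refactor from hoisting the pointer out.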