authorVadim Bendebury <vbendeb@chromium.org>2017-10-03 12:14:40 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2017-12-16 01:12:51 +0000
commit8b9d5a1fdf8bba38209bbd1996de8ca09f6616e0 (patch)
treecc5d99e6352822a2b9cf063d4d9f3b5459686a13
parent4d01f7cc04cd47d0677398cd7b04de193e9b76f8 (diff)
downloadchrome-ec-8b9d5a1fdf8bba38209bbd1996de8ca09f6616e0.tar.gz
common: add rma_auth console command
The new console command uses the alternative TPM command execution path to generate the RMA challenge and also allows verifying the RMA authentication code. This patch also limits the rma challenge/auth code printouts to images supporting debug features (built with CR50_DEV=1), and limits the code included when building test images. BRANCH=cr50 BUG=b:67008109 TEST=while running TCG tpm test ran the new console command multiple times, observed all tests pass and the command always succeeds. Change-Id: I9ca3e86040d8adbdbe70f33cf2b317075f823f36 Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/699524 Reviewed-by: Randall Spangler <rspangler@chromium.org> (cherry picked from commit a7587bea86719c289ba58914c9dda36eca0acff0) Reviewed-on: https://chromium-review.googlesource.com/828672
-rw-r--r--common/rma_auth.c90
1 files changed, 81 insertions, 9 deletions
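diff --git a/common/rma_auth.c b/common/rma_auth.c
index e7f6db121f..926dfb1328 100644
--- a/common/rma_auth.c
+++ b/common/rma_auth.c
@@ -13,8 +13,10 @@
 #include "curve25519.h"
 #include "extension.h"
 #include "rma_auth.h"
+#include "shared_mem.h"
 #include "system.h"
 #include "timer.h"
+#include "tpm_registers.h"
 #include "tpm_vendor_cmds.h"
 #include "util.h"
@@ -178,6 +180,7 @@ int rma_try_authcode(const char *code)
 return rv;
 }
+#ifndef TEST_BUILD
 /*
 * Trigger generating of the new challenge/authcode pair. If successful, store
 * the challenge in the vendor command response buffer and send it to the
@@ -186,7 +189,6 @@ int rma_try_authcode(const char *code)
 static enum vendor_cmd_rc get_challenge(uint8_t *buf, size_t *buf_size)
 {
 int rv;
- size_t i;
 if (*buf_size < sizeof(challenge)) {
 *buf_size = 1;
@@ -204,15 +206,21 @@ static enum vendor_cmd_rc get_challenge(uint8_t *buf, size_t *buf_size)
 *buf_size = sizeof(challenge) - 1;
 memcpy(buf, rma_get_challenge(), *buf_size);
- CPRINTF("%s: generated challenge:\n", __func__);
- for (i = 0; i < *buf_size; i++)
- CPRINTF("%c", ((uint8_t *)buf)[i]);
- CPRINTF("\n");
+#ifdef CR50_DEV
+ {
+ size_t i;
- CPRINTF("%s: expected authcode: ", __func__);
- for (i = 0; i < RMA_AUTHCODE_CHARS; i++)
- CPRINTF("%c", authcode[i]);
- CPRINTF("\n");
+ CPRINTF("%s: generated challenge:\n", __func__);
+ for (i = 0; i < *buf_size; i++)
+ CPRINTF("%c", ((uint8_t *)buf)[i]);
+ CPRINTF("\n");
+
+ CPRINTF("%s: expected authcode: ", __func__);
+ for (i = 0; i < RMA_AUTHCODE_CHARS; i++)
+ CPRINTF("%c", authcode[i]);
+ CPRINTF("\n");
+ }
+#endif
 return VENDOR_RC_SUCCESS;
 }
@@ -271,3 +279,67 @@ static enum vendor_cmd_rc rma_challenge_response(enum vendor_cmd_cc code,
 }
 DECLARE_VENDOR_COMMAND(VENDOR_CC_RMA_CHALLENGE_RESPONSE,
 rma_challenge_response);
+
+
+#define RMA_CMD_BUF_SIZE (sizeof(struct tpm_cmd_header) + \
+ RMA_CHALLENGE_BUF_SIZE)
+static int rma_auth_cmd(int argc, char **argv)
+{
+ struct tpm_cmd_header *tpmh;
+ int rv;
+
+ if (argc > 2) {
+ ccprintf("Error: the only accepted parameter is"
+ " the auth code to check\n");
+ return EC_ERROR_PARAM_COUNT;
+ }
+
+ if (argc == 2) {
+ if (rma_try_authcode(argv[1]) != EC_SUCCESS) {
+ ccprintf("Auth code does not match.\n");
+ return EC_ERROR_PARAM1;
+ }
+ ccprintf("Auth code match!\n");
+ return EC_SUCCESS;
+ }
+
+ rv = shared_mem_acquire(RMA_CMD_BUF_SIZE, (char **)&tpmh);
+ if (rv != EC_SUCCESS)
+ return rv;
+
+ /* Build the extension command to request RMA AUTH challenge. */
+ tpmh->tag = htobe16(0x8001); /* TPM_ST_NO_SESSIONS */
+ tpmh->size = htobe32(sizeof(struct tpm_cmd_header));
+ tpmh->command_code = htobe32(TPM_CC_VENDOR_BIT_MASK);
+ tpmh->subcommand_code = htobe16(VENDOR_CC_RMA_CHALLENGE_RESPONSE);
+
+ tpm_alt_extension(tpmh, RMA_CMD_BUF_SIZE);
+
+ /* Return status in the command code field now. */
+ if (tpmh->command_code) {
+ ccprintf("RMA Auth error 0x%x\n", be32toh(tpmh->command_code));
+ rv = EC_ERROR_UNKNOWN;
+ } else {
+ /* Success, let's print out the challenge. */
+ int i;
+ char *challenge = (char *)(tpmh + 1);
+
+ for (i = 0; i < RMA_CHALLENGE_CHARS; i++) {
+ if (!(i % 5)) {
+ if (!(i % 20))
+ ccprintf("\n");
+ ccprintf(" ");
+ }
+ ccprintf("%c", challenge[i]);
+ }
+ ccprintf("\n");
+ }
+
+ shared_mem_release(tpmh);
+ return EC_SUCCESS;
+}
+
+DECLARE_SAFE_CONSOLE_COMMAND(rma_auth, rma_auth_cmd, NULL,
+ "rma_auth [auth code] - "
+ "Generate RMA challenge or check auth code match\n");
+#endif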
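Review bot: The failure status computed in rma_auth_cmd is dropped: when the vendor handler reports an error, `rv` is set to EC_ERROR_UNKNOWN, but the function unconditionally ends with `return EC_SUCCESS;` after `shared_mem_release(tpmh);`, so the console command exits successfully even though "RMA Auth error" was printed; the last statement should be `return rv;` (rv is already EC_SUCCESS on the success path, left over from shared_mem_acquire). The challenge dump prints RMA_CHALLENGE_CHARS bytes without consulting the response length the extension path presumably writes back into `tpmh->size`; if that field is reliable after tpm_alt_extension, bounding the loop by `be32toh(tpmh->size) - sizeof(*tpmh)` would keep the printout inside what was actually filled. The new function also has no header comment; a line such as `/* Console command: no argument generates and prints a new RMA challenge via the alternate TPM extension path; one argument is checked against the expected auth code. */` would document both modes. In the CR50_DEV block of get_challenge earlier in this file, the cast in `((uint8_t *)buf)[i]` is redundant since buf is already declared `uint8_t *`, so `buf[i]` reads more plainly.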