authorVadim Bendebury <vbendeb@chromium.org>2018-05-30 11:56:18 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-06-07 23:33:42 -0700
commit71cb7bd6d866114e4c811f049ccb6869e6b39f64 (patch)
treeaf16ed0e565c2c35f2f587d69e1a8cfec5b28676
parenta730fd6219d53469a8ca0e74a6631912a24877a3 (diff)
downloadchrome-ec-71cb7bd6d866114e4c811f049ccb6869e6b39f64.tar.gz
cr50: prepare for supporting both x25519 and p256 test keys
The signer script is checking the elf files for presence of test RMA keys, currently hardcoded to be x25519 keys. The algorithm (x25519 vs p256) is going to become a compile time option, the script should be prepared to determine the type of the key at run time, because the script could be used for signing images from different branches, compiled with different config options. The prod p256 key does not yet exist. BRANCH=none BUG=b:73296606 TEST=verified that prod signing images including x25519 keys is still working as expected. Change-Id: Icf48845279912ecc9ccdecec1764fcb5f85d22bd Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1079698 Reviewed-by: Randall Spangler <rspangler@chromium.org> Reviewed-by: Mary Ruthven <mruthven@chromium.org>
-rw-r--r--board/cr50/rma_key_blob.README.md7
-rw-r--r--board/cr50/rma_key_blob.x25519.prod (renamed from board/cr50/rma_key_blob.prod)bin33 -> 33 bytes
-rw-r--r--board/cr50/rma_key_blob.x25519.test (renamed from board/cr50/rma_key_blob.test)0
-rw-r--r--chip/g/build.mk9
-rw-r--r--common/build.mk2
-rwxr-xr-xutil/signer/bs46
6 files changed, 55 insertions, 9 deletions
diff --git a/board/cr50/rma_key_blob.README.md b/board/cr50/rma_key_blob.README.md
index 8270086bfe..66fa0c04da 100644
--- a/board/cr50/rma_key_blob.README.md
+++ b/board/cr50/rma_key_blob.README.md
@@ -1,6 +1,7 @@
-The rma_key_blob.{prod,test} files in this directory are 33 byte binary blobs
-concatenating the 32 byte of respective public key used by prod or test RMA
-server and one byte of the key ID.
+The rma_key_blob.{p256,x25519}.{prod,test} files in this directory are binary
+blobs concatenating the respective public key used by prod or test RMA server
+and single byte of the key ID. The key size for p256 is 65 bytes, for x25519 -
+32 bytes.
The util/bin2h.sh script is used to convert these binary blobs into .h
file containing a #define statement which is suitable for use in C.
diff --git a/board/cr50/rma_key_blob.prod b/board/cr50/rma_key_blob.x25519.prod
index 54e8fd5a1d..54e8fd5a1d 100644
--- a/board/cr50/rma_key_blob.prod
+++ b/board/cr50/rma_key_blob.x25519.prod
Binary files differ
diff --git a/board/cr50/rma_key_blob.test b/board/cr50/rma_key_blob.x25519.test
index c8b0062e64..c8b0062e64 100644
--- a/board/cr50/rma_key_blob.test
+++ b/board/cr50/rma_key_blob.x25519.test
diff --git a/chip/g/build.mk b/chip/g/build.mk
index f54a5de8ac..7b55bc1a97 100644
--- a/chip/g/build.mk
+++ b/chip/g/build.mk
@@ -145,7 +145,14 @@ SIGNER_MANIFEST := $(shell mktemp /tmp/h1.signer.XXXXXX)
RW_SIGNER_EXTRAS += -j $(SIGNER_MANIFEST) -x util/signer/fuses.xml
ifneq ($(CR50_SWAP_RMA_KEYS),)
-RMA_KEY_BASE := board/$(BOARD)/rma_key_blob
+
+ifneq ($(CONFIG_RMA_AUTH_USE_P256),)
+CURVE := p256
+else
+CURVE := x25519
+endif
+
+RMA_KEY_BASE := board/$(BOARD)/rma_key_blob.$(CURVE)
RW_SIGNER_EXTRAS += --swap $(RMA_KEY_BASE).test,$(RMA_KEY_BASE).prod
endif
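Review bot: With `CONFIG_RMA_AUTH_USE_P256` set, the `--swap` pair on the line after `RMA_KEY_BASE` includes `rma_key_blob.p256.prod`, which this commit does not add; the description itself says the prod p256 key does not exist yet. How the signer reacts to a missing swap file is not visible here, so failing at make time would be safer, e.g. `$(if $(wildcard $(RMA_KEY_BASE).prod),,$(error missing $(RMA_KEY_BASE).prod))` right after `RMA_KEY_BASE` is assigned. `CURVE` is also a very generic name for a global make variable; something like `RMA_KEY_CURVE` is less likely to collide with another makefile.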
diff --git a/common/build.mk b/common/build.mk
index 602f553457..65665993b2 100644
--- a/common/build.mk
+++ b/common/build.mk
@@ -182,7 +182,7 @@ endif
ifeq ($(TEST_BUILD),)
ifeq ($(CONFIG_RMA_AUTH_USE_P256),)
-BLOB_FILE = rma_key_blob.test
+BLOB_FILE = rma_key_blob.x25519.test
else
BLOB_FILE = rma_key_blob.p256.test
endif
diff --git a/util/signer/bs b/util/signer/bs
index 6a7eef169c..b40871b8ff 100755
--- a/util/signer/bs
+++ b/util/signer/bs
@@ -143,6 +143,44 @@ find_blob_in_blob() {
return 1
}
+# This function accepts two arguments, names of the two elf files.
+#
+# The files are searched for test RMA public key patterns - x25519 or p256,
+# both files are supposed to have pattern of one of these keys and not the
+# other. If this holds true the function prints the public key base name. If
+# not both files include the same key, or include more than one key, the
+# function reports failure and exits the script.
+determine_rma_key_base() {
+ local base_name="${EC_ROOT}/board/cr50/rma_key_blob"
+ local curve
+ local curves=( "x25519" "p256" )
+ local elf
+ local elves=( "$1" "$2" )
+ local key_file
+ local mask=1
+ local result=0
+
+ for curve in ${curves[@]}; do
+ key_file="${base_name}.${curve}.test"
+ for elf in ${elves[@]}; do
+ if find_blob_in_blob "${elf}" "${key_file}"; then
+ result=$(( result | mask ))
+ fi
+ mask=$(( mask << 1 ))
+ done
+ done
+
+ case "${result}" in
+ (3) curve="x25519";;
+ (12) curve="p256";;
+ (*) echo "could not determine key type in the elves" >&2
+ exit 1
+ ;;
+ esac
+
+ echo "${base_name}.${curve}.test"
+}
+
SIGNER="cr50-codesigner"
if ! which "${SIGNER}" 2>/dev/null > /dev/null; then
echo "${SIGNER} is not available, try running 'sudo emerge cr50-utils'" >&2
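Review bot: `determine_rma_key_base` prints a path that already ends in `.test` (`echo "${base_name}.${curve}.test"`), while the callers in the later hunks append `.test` or `.prod` again, so the `-S` swap and both post-signing `find_blob_in_blob` checks are handed `rma_key_blob.<curve>.test.test` and `rma_key_blob.<curve>.test.prod`. Those names do not match the renamed blobs, so the check that no test RMA key remains in a prod-signed image may no longer be comparing against a real key file; how `find_blob_in_blob` treats a missing file is not visible in this hunk. The last line should be `echo "${base_name}.${curve}"`, and the header comment should state that the printed base name carries no `.test`/`.prod` suffix. The loops would also be safer quoted, as `for curve in "${curves[@]}"` and `for elf in "${elves[@]}"`.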
@@ -212,7 +250,7 @@ if [[ -n "${do_prod}" && -n "${do_b1}" ]]; then
exit 1
fi
-RMA_KEY_BASE="${EC_ROOT}/board/cr50/rma_key_blob"
+rma_key_base="$(determine_rma_key_base ${elves[@]})"
signer_command_params=()
signer_command_params+=(--b -x ${EC_BIN_ROOT}/fuses.xml)
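Review bot: The `exit 1` inside `determine_rma_key_base` only ends the command-substitution subshell, so on the new `rma_key_base=` line a failed key-type detection leaves `rma_key_base` empty and the script carries on, unless errexit is enabled elsewhere in the file (not visible here). Check the status at the call site and quote the array: `rma_key_base="$(determine_rma_key_base "${elves[@]}")" || exit 1`. With an empty base the later `-S` swap and the test/prod key checks would operate on the bare names `.test` and `.prod`, which a prod signing run should not silently accept. The function's header comment says it "exits the script"; that wording should be corrected or the call-site check added so that it holds.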
@@ -222,7 +260,7 @@ else
cp "${EC_BIN_ROOT}/ec_RW-manifest-prod.json" "${tmpf}"
signer_command_params+=(-k ${EC_BIN_ROOT}/cr50_RW-prod.pem.pub)
# Swap test public RMA server key with the prod version.
- signer_command_params+=(-S "${RMA_KEY_BASE}.test","${RMA_KEY_BASE}.prod")
+ signer_command_params+=(-S "${rma_key_base}.test","${rma_key_base}.prod")
fi
signer_command_params+=(-j ${tmpf})
@@ -253,13 +291,13 @@ for elf in ${elves[@]}; do
exit 1
fi
- if find_blob_in_blob "${signed_file}" "${RMA_KEY_BASE}.test"; then
+ if find_blob_in_blob "${signed_file}" "${rma_key_base}.test"; then
echo "${progname}: test RMA key in the signed image!" >&2
rm *."${dst_suffix}"
exit 1
fi
- if ! find_blob_in_blob "${signed_file}" "${RMA_KEY_BASE}.prod"; then
+ if ! find_blob_in_blob "${signed_file}" "${rma_key_base}.prod"; then
echo "${progname}: prod RMA key not in the signed image!" >&2
rm *."${dst_suffix}"
exit 1