CR50: Fix ECC key generation to match the code used in factory

Fix the workaround of ECC key generation.

The workaround crrev.com/c/360441 for b/35576109 use a wrong EK
template to generate the hash (object name of publicArea), and
the format of that embedded hash is incorrect either.

BRANCH=none
BUG=b:35576109,b:80207339
TEST=Dump the EK seed from CR50 and verify the public and private
key are matched in both cr50-side (also checked returned value of
CreatePrimary) and factory-side.

Change-Id: Ia53084757d9d848fd92e6ca309de83450cb64309
Signed-off-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1329261
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

1 files changed, 27 insertions, 15 deletions

diff --git a/board/cr50/tpm2/ecc.c b/board/cr50/tpm2/ecc.c
index 25ed169832..93002a17ee 100644
--- a/board/cr50/tpm2/ecc.c
+++ b/board/cr50/tpm2/ecc.c
@@ -129,13 +129,27 @@ CRYPT_RESULT _cpri__EccPointMultiply(
 	}
 }
 
-static const TPM2B_32_BYTE_VALUE ECC_TEMPLATE_EK_EXTRA = {
-	.t = {32, {
-			0xC2, 0xE0, 0x31, 0x93, 0x40, 0xFB, 0x48, 0xF1,
-			0x02, 0x53, 0x9E, 0xA9, 0x83, 0x63, 0xF8, 0x1E,
-			0x2D, 0x30, 0x6E, 0x91, 0x8D, 0xD7, 0x78, 0xAB,
-			0xF0, 0x54, 0x73, 0xA2, 0xA6, 0x0D, 0xAE, 0x09,
-		}
+/* The name field of TPM2B_NAME is a TPMT_HA */
+static const uint8_t TPM2_ECC_EK_NAME_TEMPLATE[] = {
+	/* TPM_ALG_SHA256 in big endian. */
+	0x00, 0x0b,
+	/* SHA256 digest of the default template TPMT_PUBLIC. */
+	0x0f, 0x12, 0x77, 0xa2, 0xf3, 0xf3, 0x82, 0xe7,
+	0xf7, 0x5d, 0xb4, 0x66, 0xfa, 0xc2, 0x34, 0x18,
+	0x2a, 0x8d, 0x62, 0xf9, 0x7d, 0xfb, 0xaa, 0xe7,
+	0xb0, 0x6f, 0xdf, 0x52, 0xbd, 0xa5, 0x14, 0x67
+};
+BUILD_ASSERT(sizeof(TPM2_ECC_EK_NAME_TEMPLATE) == 2 + SHA256_DIGEST_SIZE);
+
+/* The first 4 bytes of the wrong template used in factory
+ * c2e0319340fb48f102539ea98363f81e2d306e918dd778abf05473a2a60dae09
+ */
+static const TPM2B_4_BYTE_VALUE TPM2_ECC_EK_NAME_CR50 = {
+	.t = {
+		.size = 4,
+		.buffer = {
+			0xc2, 0xe0, 0x31, 0x93
+		},
 	}
 };
 
@@ -148,7 +162,6 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
 {
 	TPM2B_4_BYTE_VALUE marshaled_counter = { .t = {4} };
 	TPM2B_32_BYTE_VALUE local_seed = { .t = {32} };
-	TPM2B_4_BYTE_VALUE truncated_extra = { .t = {4} };
 	TPM2B *local_extra;
 	uint32_t count = 0;
 	uint8_t key_bytes[P256_NBYTES];
@@ -173,15 +186,14 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
 	memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
 	       local_seed.t.size);
 	always_memset(&hmac, 0, sizeof(hmac));
-	/* TODO(ngm): CRBUG/P/55260: the personalize code uses only
-	 * the first 4 bytes of extra.
+	/* b/35576109: the personalize code uses only the first 4 bytes
+	 * of extra.
 	 */
-	if (extra && extra->size == ECC_TEMPLATE_EK_EXTRA.b.size &&
+	if (extra && extra->size == sizeof(TPM2_ECC_EK_NAME_TEMPLATE) &&
 		memcmp(extra->buffer,
-		       ECC_TEMPLATE_EK_EXTRA.b.buffer,
-		       ECC_TEMPLATE_EK_EXTRA.b.size) == 0) {
-		memcpy(truncated_extra.b.buffer, extra->buffer, 4);
-		local_extra = &truncated_extra.b;
+		       TPM2_ECC_EK_NAME_TEMPLATE,
+		       sizeof(TPM2_ECC_EK_NAME_TEMPLATE)) == 0) {
+		local_extra = (TPM2B *) &TPM2_ECC_EK_NAME_CR50.b;
 	} else {
 		local_extra = extra;
 	}