cr50: Make G2F attestation certificate available in vNVRAM.

As part of a refactor to reduce the amount of U2F-specific code in cr50, the certificate for the fixed G2F key used in U2F attestation needs to be made available to u2fd. BRANCH=none BUG=b:123161715 TEST=read nv space locally Change-Id: I4b457b1446bd13bdb125509218b577bc62f9355b Signed-off-by: Louis Collard <louiscollard@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1424043 Reviewed-by: Andrey Pronin <apronin@chromium.org>
author: Louis Collard <louiscollard@chromium.org> 2019-01-21 11:53:57 +0800
committer: chrome-bot <chrome-bot@chromium.org> 2019-01-30 13:06:44 -0800
commit: b8b8329840d748037e66f1fe967b205637b116e8 (patch)
tree: bd1281254467c95d21add38904d63186c58b1ad0
parent: 8515c963372d1c015f59c54a4acbc4d3c9bf0b19 (diff)
download: chrome-ec-b8b8329840d748037e66f1fe967b205637b116e8.tar.gz
4 files changed, 47 insertions, 0 deletions
diff --git a/board/cr50/tpm2/virtual_nvmem.c b/board/cr50/tpm2/virtual_nvmem.c
index b42dc72e5b..7d637cdcb6 100644
--- a/board/cr50/tpm2/virtual_nvmem.c
+++ b/board/cr50/tpm2/virtual_nvmem.c
@@ -11,6 +11,7 @@
 #include "console.h"
 #include "link_defs.h"
 #include "sn_bits.h"
+#include "u2f_impl.h"
 #include "virtual_nvmem.h"
 
 /*
@@ -139,6 +140,7 @@ struct virtual_nv_index_cfg {
 
 static void GetBoardId(BYTE *to, size_t offset, size_t size);
 static void GetSnData(BYTE *to, size_t offset, size_t size);
+static void GetG2fCert(BYTE *to, size_t offset, size_t size);
 
 static const struct virtual_nv_index_cfg index_config[] = {
 	REGISTER_CONFIG(VIRTUAL_NV_INDEX_BOARD_ID,
@@ -147,6 +149,9 @@ static const struct virtual_nv_index_cfg index_config[] = {
 	REGISTER_CONFIG(VIRTUAL_NV_INDEX_SN_DATA,
 			VIRTUAL_NV_INDEX_SN_DATA_SIZE,
 			GetSnData)
+	REGISTER_CONFIG(VIRTUAL_NV_INDEX_G2F_CERT,
+			VIRTUAL_NV_INDEX_G2F_CERT_SIZE,
+			GetG2fCert)
 };
 
 /* Check sanity of above config. */
@@ -318,3 +323,15 @@ static void GetSnData(BYTE *to, size_t offset, size_t size)
 }
 BUILD_ASSERT(VIRTUAL_NV_INDEX_SN_DATA_SIZE ==
 	     sizeof(struct sn_data));
+
+static void GetG2fCert(BYTE *to, size_t offset, size_t size)
+{
+	uint8_t cert[G2F_ATTESTATION_CERT_MAX_LEN] = { 0 };
+
+	if (!g2f_attestation_cert(cert))
+		memset(cert, 0, G2F_ATTESTATION_CERT_MAX_LEN);
+
+	memcpy(to, ((BYTE *) cert) + offset, size);
+}
+BUILD_ASSERT(VIRTUAL_NV_INDEX_G2F_CERT_SIZE ==
+	     G2F_ATTESTATION_CERT_MAX_LEN);
diff --git a/board/cr50/tpm2/virtual_nvmem.h b/board/cr50/tpm2/virtual_nvmem.h
index 5d990c1edf..ff1cc7991d 100644
--- a/board/cr50/tpm2/virtual_nvmem.h
+++ b/board/cr50/tpm2/virtual_nvmem.h
@@ -23,6 +23,7 @@ enum virtual_nv_index {
 	VIRTUAL_NV_INDEX_START = 0x013fff00,
 	VIRTUAL_NV_INDEX_BOARD_ID = VIRTUAL_NV_INDEX_START,
 	VIRTUAL_NV_INDEX_SN_DATA,
+	VIRTUAL_NV_INDEX_G2F_CERT,
 	VIRTUAL_NV_INDEX_END,
 };
 /* Reserved space for future virtual indexes; this is the last valid index. */
@@ -33,5 +34,6 @@ enum virtual_nv_index {
  */
 #define VIRTUAL_NV_INDEX_BOARD_ID_SIZE	12
 #define VIRTUAL_NV_INDEX_SN_DATA_SIZE	16
+#define VIRTUAL_NV_INDEX_G2F_CERT_SIZE	315
 
 #endif /* __EC_BOARD_CR50_TPM2_VIRTUAL_NVMEM_H */
diff --git a/common/u2f.c b/common/u2f.c
index aa82d80822..b6c8a799d3 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -81,6 +81,21 @@ static int individual_cert(const p256_int *d, const p256_int *pk_x,
 	return DCRYPTO_x509_gen_u2f_cert(d, pk_x, pk_y, serial, cert, n);
 }
 
+int g2f_attestation_cert(uint8_t *buf)
+{
+	p256_int d, pk_x, pk_y;
+
+	if (!use_g2f())
+		return 0;
+
+	if (g2f_individual_keypair(&d, &pk_x, &pk_y))
+		return 0;
+
+	/* Note that max length is not currently respected here. */
+	return individual_cert(&d, &pk_x, &pk_y,
+			       buf, G2F_ATTESTATION_CERT_MAX_LEN);
+}
+
 static unsigned u2f_version(struct apdu apdu, void *buf, unsigned *ret_len,
 			    unsigned max_len)
 {
diff --git a/include/u2f_impl.h b/include/u2f_impl.h
index 8e4e80fa4f..f16d278172 100644
--- a/include/u2f_impl.h
+++ b/include/u2f_impl.h
@@ -98,6 +98,19 @@ int g2f_individual_keypair(p256_int *d, p256_int *pk_x, p256_int *pk_y);
  */
 int u2f_gen_kek_seed(int commit);
 
+/* Maximum size in bytes of G2F attestation certificate. */
+#define G2F_ATTESTATION_CERT_MAX_LEN	315
+
+/**
+ * Gets the x509 certificate for the attestation keypair returned
+ * by g2f_individual_keypair().
+ *
+ * @param buf pointer to a buffer that must be at least
+ * G2F_ATTESTATION_CERT_MAX_LEN bytes.
+ * @return size of certificate written to buf, 0 on error.
+ */
+int g2f_attestation_cert(uint8_t *buf);
+
 /* ---- protocol extensions ---- */
 
 /* Use non-standard extensions to the U2F protocol */
author	Louis Collard <louiscollard@chromium.org>	2019-01-21 11:53:57 +0800
committer	chrome-bot <chrome-bot@chromium.org>	2019-01-30 13:06:44 -0800
commit	b8b8329840d748037e66f1fe967b205637b116e8 (patch)
tree	bd1281254467c95d21add38904d63186c58b1ad0
parent	8515c963372d1c015f59c54a4acbc4d3c9bf0b19 (diff)
download	chrome-ec-b8b8329840d748037e66f1fe967b205637b116e8.tar.gz