authorLouis Collard <louiscollard@chromium.org>2019-01-21 11:53:57 +0800
committerchrome-bot <chrome-bot@chromium.org>2019-01-30 13:06:44 -0800
commitb8b8329840d748037e66f1fe967b205637b116e8 (patch)
treebd1281254467c95d21add38904d63186c58b1ad0
parent8515c963372d1c015f59c54a4acbc4d3c9bf0b19 (diff)
cr50: Make G2F attestation certificate available in vNVRAM.
As part of a refactor to reduce the amount of U2F-specific code in cr50, the certificate for the fixed G2F key used in U2F attestation needs to be made available to u2fd. BRANCH=none BUG=b:123161715 TEST=read nv space locally Change-Id: I4b457b1446bd13bdb125509218b577bc62f9355b Signed-off-by: Louis Collard <louiscollard@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1424043 Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r--board/cr50/tpm2/virtual_nvmem.c17
-rw-r--r--board/cr50/tpm2/virtual_nvmem.h2
-rw-r--r--common/u2f.c15
-rw-r--r--include/u2f_impl.h13
4 files changed, 47 insertions, 0 deletions
diff --git a/board/cr50/tpm2/virtual_nvmem.c b/board/cr50/tpm2/virtual_nvmem.c
index b42dc72e5b..7d637cdcb6 100644
--- a/board/cr50/tpm2/virtual_nvmem.c
+++ b/board/cr50/tpm2/virtual_nvmem.c
@@ -11,6 +11,7 @@
#include "console.h"
#include "link_defs.h"
#include "sn_bits.h"
+#include "u2f_impl.h"
#include "virtual_nvmem.h"
/*
@@ -139,6 +140,7 @@ struct virtual_nv_index_cfg {
static void GetBoardId(BYTE *to, size_t offset, size_t size);
static void GetSnData(BYTE *to, size_t offset, size_t size);
+static void GetG2fCert(BYTE *to, size_t offset, size_t size);
static const struct virtual_nv_index_cfg index_config[] = {
REGISTER_CONFIG(VIRTUAL_NV_INDEX_BOARD_ID,
@@ -147,6 +149,9 @@ static const struct virtual_nv_index_cfg index_config[] = {
REGISTER_CONFIG(VIRTUAL_NV_INDEX_SN_DATA,
VIRTUAL_NV_INDEX_SN_DATA_SIZE,
GetSnData)
+ REGISTER_CONFIG(VIRTUAL_NV_INDEX_G2F_CERT,
+ VIRTUAL_NV_INDEX_G2F_CERT_SIZE,
+ GetG2fCert)
};
/* Check sanity of above config. */
@@ -318,3 +323,15 @@ static void GetSnData(BYTE *to, size_t offset, size_t size)
}
BUILD_ASSERT(VIRTUAL_NV_INDEX_SN_DATA_SIZE ==
sizeof(struct sn_data));
+
+static void GetG2fCert(BYTE *to, size_t offset, size_t size)
+{
+ uint8_t cert[G2F_ATTESTATION_CERT_MAX_LEN] = { 0 };
+
+ if (!g2f_attestation_cert(cert))
+ memset(cert, 0, G2F_ATTESTATION_CERT_MAX_LEN);
+
+ memcpy(to, ((BYTE *) cert) + offset, size);
+}
+BUILD_ASSERT(VIRTUAL_NV_INDEX_G2F_CERT_SIZE ==
+ G2F_ATTESTATION_CERT_MAX_LEN);
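Review bot: GetG2fCert builds the certificate into a fixed stack array `uint8_t cert[G2F_ATTESTATION_CERT_MAX_LEN]`, but the generator it calls carries the comment "max length is not currently respected here" in the common/u2f.c hunk, so a certificate longer than G2F_ATTESTATION_CERT_MAX_LEN would overrun this stack buffer inside the TPM task instead of failing cleanly. Until the length is enforced in the x509 generation path, g2f_attestation_cert() should return 0 whenever the produced size exceeds the limit, and GetG2fCert can keep mapping 0 to an all-zero index as it already does. The final memcpy also trusts `offset` and `size` without checking `offset + size <= G2F_ATTESTATION_CERT_MAX_LEN`; presumably the virtual_nvmem read path clamps them to the registered index size as for GetBoardId/GetSnData, but that invariant deserves a one-line comment on the callback, e.g. `/* Caller bounds offset+size to VIRTUAL_NV_INDEX_G2F_CERT_SIZE. */`. The explicit memset on the failure path is redundant with the `= { 0 }` initializer unless the generator may write partial output before failing — if that is the reason, say so in a comment.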
diff --git a/board/cr50/tpm2/virtual_nvmem.h b/board/cr50/tpm2/virtual_nvmem.h
index 5d990c1edf..ff1cc7991d 100644
--- a/board/cr50/tpm2/virtual_nvmem.h
+++ b/board/cr50/tpm2/virtual_nvmem.h
@@ -23,6 +23,7 @@ enum virtual_nv_index {
VIRTUAL_NV_INDEX_START = 0x013fff00,
VIRTUAL_NV_INDEX_BOARD_ID = VIRTUAL_NV_INDEX_START,
VIRTUAL_NV_INDEX_SN_DATA,
+ VIRTUAL_NV_INDEX_G2F_CERT,
VIRTUAL_NV_INDEX_END,
};
/* Reserved space for future virtual indexes; this is the last valid index. */
@@ -33,5 +34,6 @@ enum virtual_nv_index {
*/
#define VIRTUAL_NV_INDEX_BOARD_ID_SIZE 12
#define VIRTUAL_NV_INDEX_SN_DATA_SIZE 16
+#define VIRTUAL_NV_INDEX_G2F_CERT_SIZE 315
#endif /* __EC_BOARD_CR50_TPM2_VIRTUAL_NVMEM_H */
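Review bot: VIRTUAL_NV_INDEX_G2F_CERT_SIZE is defined as the bare literal 315, duplicating G2F_ATTESTATION_CERT_MAX_LEN from u2f_impl.h with nothing in this header saying the two must agree. The BUILD_ASSERT added in virtual_nvmem.c catches drift at build time, but a reader editing this header gets no hint why the value is what it is. Add a comment on the define, e.g. `/* Must equal G2F_ATTESTATION_CERT_MAX_LEN (u2f_impl.h); enforced by BUILD_ASSERT in virtual_nvmem.c. */`.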
diff --git a/common/u2f.c b/common/u2f.c
index aa82d80822..b6c8a799d3 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -81,6 +81,21 @@ static int individual_cert(const p256_int *d, const p256_int *pk_x,
return DCRYPTO_x509_gen_u2f_cert(d, pk_x, pk_y, serial, cert, n);
}
+int g2f_attestation_cert(uint8_t *buf)
+{
+ p256_int d, pk_x, pk_y;
+
+ if (!use_g2f())
+ return 0;
+
+ if (g2f_individual_keypair(&d, &pk_x, &pk_y))
+ return 0;
+
+ /* Note that max length is not currently respected here. */
+ return individual_cert(&d, &pk_x, &pk_y,
+ buf, G2F_ATTESTATION_CERT_MAX_LEN);
+}
+
static unsigned u2f_version(struct apdu apdu, void *buf, unsigned *ret_len,
unsigned max_len)
{
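Review bot: The private scalar `d` filled in by g2f_individual_keypair() is left on the stack when g2f_attestation_cert() returns, on the success path and, if the keypair helper writes partially before failing, on the error path after it too. Returning the result of individual_cert() directly leaves no point at which to scrub it; capture the result first and clear the key material with a memset the compiler cannot drop, e.g. `int rc = individual_cert(&d, &pk_x, &pk_y, buf, G2F_ATTESTATION_CERT_MAX_LEN);` then `always_memset(&d, 0, sizeof(d));` and `return rc;` (assuming always_memset or an equivalent non-elidable helper is available in this tree). The whole function lies within the hunk.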
diff --git a/include/u2f_impl.h b/include/u2f_impl.h
index 8e4e80fa4f..f16d278172 100644
--- a/include/u2f_impl.h
+++ b/include/u2f_impl.h
@@ -98,6 +98,19 @@ int g2f_individual_keypair(p256_int *d, p256_int *pk_x, p256_int *pk_y);
*/
int u2f_gen_kek_seed(int commit);
+/* Maximum size in bytes of G2F attestation certificate. */
+#define G2F_ATTESTATION_CERT_MAX_LEN 315
+
+/**
+ * Gets the x509 certificate for the attestation keypair returned
+ * by g2f_individual_keypair().
+ *
+ * @param buf pointer to a buffer that must be at least
+ * G2F_ATTESTATION_CERT_MAX_LEN bytes.
+ * @return size of certificate written to buf, 0 on error.
+ */
+int g2f_attestation_cert(uint8_t *buf);
+
/* ---- protocol extensions ---- */
/* Use non-standard extensions to the U2F protocol */
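Review bot: The doc comment for g2f_attestation_cert() says buf must be at least G2F_ATTESTATION_CERT_MAX_LEN bytes but does not state whether that bound is enforced by the generator or what buf holds when 0 is returned, and the common/u2f.c hunk shows that 0 is also returned when use_g2f() is false, which a caller cannot distinguish from a key-derivation or certificate-generation failure. Extend the @return line to say that 0 also means G2F is disabled on this device, and add that the contents of buf are unspecified on a 0 return. The comment on the define would also benefit from saying where 315 comes from, if that derivation is known.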