author | Louis Collard <louiscollard@chromium.org> | 2019-01-21 11:53:57 +0800 |
committer | chrome-bot <chrome-bot@chromium.org> | 2019-01-30 13:06:44 -0800 |
commit | b8b8329840d748037e66f1fe967b205637b116e8 (patch) | |
tree | bd1281254467c95d21add38904d63186c58b1ad0 | |
parent | 8515c963372d1c015f59c54a4acbc4d3c9bf0b19 (diff) | |
download | chrome-ec-b8b8329840d748037e66f1fe967b205637b116e8.tar.gz |
cr50: Make G2F attestation certificate available in vNVRAM.
As part of a refactor to reduce the amount of U2F-specific
code in cr50, the certificate for the fixed G2F key used
in U2F attestation needs to be made available to u2fd.
BRANCH=none
BUG=b:123161715
TEST=read nv space locally
Change-Id: I4b457b1446bd13bdb125509218b577bc62f9355b
Signed-off-by: Louis Collard <louiscollard@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1424043
Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r-- | board/cr50/tpm2/virtual_nvmem.c | 17 | ||||
-rw-r--r-- | board/cr50/tpm2/virtual_nvmem.h | 2 | ||||
-rw-r--r-- | common/u2f.c | 15 | ||||
-rw-r--r-- | include/u2f_impl.h | 13 |
4 files changed, 47 insertions, 0 deletions
diff --git a/board/cr50/tpm2/virtual_nvmem.c b/board/cr50/tpm2/virtual_nvmem.c
index b42dc72e5b..7d637cdcb6 100644
--- a/board/cr50/tpm2/virtual_nvmem.c
+++ b/board/cr50/tpm2/virtual_nvmem.c
@@ -11,6 +11,7 @@
 #include "console.h"
 #include "link_defs.h"
 #include "sn_bits.h"
+#include "u2f_impl.h"
 #include "virtual_nvmem.h"
 /*
@@ -139,6 +140,7 @@ struct virtual_nv_index_cfg {
 static void GetBoardId(BYTE *to, size_t offset, size_t size);
 static void GetSnData(BYTE *to, size_t offset, size_t size);
+static void GetG2fCert(BYTE *to, size_t offset, size_t size);
 static const struct virtual_nv_index_cfg index_config[] = {
 REGISTER_CONFIG(VIRTUAL_NV_INDEX_BOARD_ID,
@@ -147,6 +149,9 @@ static const struct virtual_nv_index_cfg index_config[] = {
 REGISTER_CONFIG(VIRTUAL_NV_INDEX_SN_DATA,
 VIRTUAL_NV_INDEX_SN_DATA_SIZE,
 GetSnData)
+ REGISTER_CONFIG(VIRTUAL_NV_INDEX_G2F_CERT,
+ VIRTUAL_NV_INDEX_G2F_CERT_SIZE,
+ GetG2fCert)
 };
 /* Check sanity of above config. */
@@ -318,3 +323,15 @@ static void GetSnData(BYTE *to, size_t offset, size_t size)
 }
 BUILD_ASSERT(VIRTUAL_NV_INDEX_SN_DATA_SIZE == sizeof(struct sn_data));
+
+static void GetG2fCert(BYTE *to, size_t offset, size_t size)
+{
+ uint8_t cert[G2F_ATTESTATION_CERT_MAX_LEN] = { 0 };
+
+ if (!g2f_attestation_cert(cert))
+ memset(cert, 0, G2F_ATTESTATION_CERT_MAX_LEN);
+
+ memcpy(to, ((BYTE *) cert) + offset, size);
+}
+BUILD_ASSERT(VIRTUAL_NV_INDEX_G2F_CERT_SIZE ==
+ G2F_ATTESTATION_CERT_MAX_LEN);
diff --git a/board/cr50/tpm2/virtual_nvmem.h b/board/cr50/tpm2/virtual_nvmem.h
index 5d990c1edf..ff1cc7991d 100644
--- a/board/cr50/tpm2/virtual_nvmem.h
+++ b/board/cr50/tpm2/virtual_nvmem.h
@@ -23,6 +23,7 @@ enum virtual_nv_index {
 VIRTUAL_NV_INDEX_START = 0x013fff00,
 VIRTUAL_NV_INDEX_BOARD_ID = VIRTUAL_NV_INDEX_START,
 VIRTUAL_NV_INDEX_SN_DATA,
+ VIRTUAL_NV_INDEX_G2F_CERT,
 VIRTUAL_NV_INDEX_END,
 };
 /* Reserved space for future virtual indexes; this is the last valid index. */ 
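Review bot: In the GetG2fCert hunk the length returned by g2f_attestation_cert() is thrown away, so nothing at this layer confirms the generator stayed inside the 315-byte stack array `cert`, and the common/u2f.c hunk of this same commit states that the maximum length is not currently respected by individual_cert(); a check on the return value here would only detect an overrun after the fact, so the bound needs to be enforced in the generation path and the caller should at least refuse out-of-range lengths, e.g. `int len = g2f_attestation_cert(cert);` / `if (len <= 0 || len > G2F_ATTESTATION_CERT_MAX_LEN) memset(cert, 0, sizeof(cert));`. `offset` and `size` are not checked against the array before the memcpy either; if the vNVRAM read dispatcher validates them against VIRTUAL_NV_INDEX_G2F_CERT_SIZE (which the BUILD_ASSERT pins to the array length), as GetSnData presumably relies on, that is fine, but that check is outside the hunk and worth a one-line comment here. Note also that every read of this index re-derives the attestation keypair and re-signs the certificate, which is a private-key operation on each vNVRAM access; a comment stating that this is intentional (or a cache if it is not) would help the next reader.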
@@ -33,5 +34,6 @@ enum virtual_nv_index {
 */
 #define VIRTUAL_NV_INDEX_BOARD_ID_SIZE 12
 #define VIRTUAL_NV_INDEX_SN_DATA_SIZE 16
+#define VIRTUAL_NV_INDEX_G2F_CERT_SIZE 315
 #endif /* __EC_BOARD_CR50_TPM2_VIRTUAL_NVMEM_H */
diff --git a/common/u2f.c b/common/u2f.c
index aa82d80822..b6c8a799d3 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -81,6 +81,21 @@ static int individual_cert(const p256_int *d, const p256_int *pk_x,
 return DCRYPTO_x509_gen_u2f_cert(d, pk_x, pk_y, serial, cert, n);
 }
+int g2f_attestation_cert(uint8_t *buf)
+{
+ p256_int d, pk_x, pk_y;
+
+ if (!use_g2f())
+ return 0;
+
+ if (g2f_individual_keypair(&d, &pk_x, &pk_y))
+ return 0;
+
+ /* Note that max length is not currently respected here. */
+ return individual_cert(&d, &pk_x, &pk_y,
+ buf, G2F_ATTESTATION_CERT_MAX_LEN);
+}
+
 static unsigned u2f_version(struct apdu apdu, void *buf, unsigned *ret_len,
 unsigned max_len)
 {
diff --git a/include/u2f_impl.h b/include/u2f_impl.h
index 8e4e80fa4f..f16d278172 100644
--- a/include/u2f_impl.h
+++ b/include/u2f_impl.h
@@ -98,6 +98,19 @@ int g2f_individual_keypair(p256_int *d, p256_int *pk_x, p256_int *pk_y);
 */
 int u2f_gen_kek_seed(int commit);
+/* Maximum size in bytes of G2F attestation certificate. */
+#define G2F_ATTESTATION_CERT_MAX_LEN 315
+
+/**
+ * Gets the x509 certificate for the attestation keypair returned
+ * by g2f_individual_keypair().
+ *
+ * @param buf pointer to a buffer that must be at least
+ * G2F_ATTESTATION_CERT_MAX_LEN bytes.
+ * @return size of certificate written to buf, 0 on error.
+ */
+int g2f_attestation_cert(uint8_t *buf);
+
 /* ---- protocol extensions ---- */
 /* Use non-standard extensions to the U2F protocol */ |
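Review bot: `VIRTUAL_NV_INDEX_G2F_CERT_SIZE 315` repeats the bare literal that include/u2f_impl.h defines as G2F_ATTESTATION_CERT_MAX_LEN in this same commit, and only the BUILD_ASSERT in virtual_nvmem.c ties the two together. Since this header apparently cannot include u2f_impl.h to reuse the name, a comment saying where the value comes from and what checks it would stop the next reader from editing one side alone, e.g. `/* Must equal G2F_ATTESTATION_CERT_MAX_LEN (u2f_impl.h); enforced by BUILD_ASSERT in virtual_nvmem.c. */`. Neither header says what fixes the certificate at 315 bytes; if that is the DER size of the generated certificate, stating so next to the define is worth a line.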
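Review bot: g2f_attestation_cert() leaves the attestation private scalar `d` on the stack after individual_cert() returns, and since this commit routes every read of the new vNVRAM index through it, that key now sits in stack memory on each read rather than only during registration; the scalar should be cleared before returning, on the keypair-failure path as well, using the p256 clearing helper u2f.c uses elsewhere (p256_clear() if that is its name, confirm). The comment `Note that max length is not currently respected here` admits that the `n` passed to individual_cert() is not enforced, while the GetG2fCert caller in this commit sizes its buffer to exactly G2F_ATTESTATION_CERT_MAX_LEN, so the comment should at least become a TODO naming what guarantees the output fits, and the returned length should be compared against the maximum. The rewrite below keeps the two early returns and only changes the tail of the function.
```c
int g2f_attestation_cert(uint8_t *buf)
{
	p256_int d, pk_x, pk_y;
	int len;

	/* … unchanged: use_g2f() and g2f_individual_keypair() early returns … */

	/* TODO: individual_cert() does not yet enforce n; callers size buf to it. */
	len = individual_cert(&d, &pk_x, &pk_y,
			      buf, G2F_ATTESTATION_CERT_MAX_LEN);
	/* d is the attestation private key; do not leave it on the stack. */
	p256_clear(&d);
	if (len > G2F_ATTESTATION_CERT_MAX_LEN)
		return 0;
	return len;
}
```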
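Review bot: The new docstring for g2f_attestation_cert() says `0 on error`, but the common/u2f.c hunk also returns 0 when use_g2f() is false, which is a mode decision rather than an error, so a caller such as GetG2fCert cannot tell "no G2F" from "generation failed"; the `@return` line should read something like `@return size of certificate written to buf; 0 if G2F is not in use or on error.`. It would also help to state that the bytes of buf past the returned size are unspecified, and that the certificate is regenerated (keypair derived and signed) on every call, since the vNVRAM consumer in this commit reads it that way.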