cr50: switch CR50_DEV in FIPS module to branches of CRYPTO_TEST

Due to limited space available with CR50_DEV=1, move some of crypto related functionality which was under CR50_DEV to branches of CRYPTO_TEST=1, namely: - SELF_TEST=1 to print self-integrity hashes - U2F_VERBOSE=1 to print debug information from U2F key generation. Config options sorted alphabetically in ENV_VARS and in processing order. BUG=None TEST=make BOARD=cr50 CR50_DEV=1 make BOARD=cr50 CRYPTO_TEST=1 SELF_TEST=1 make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1 U2F_VERBOSE=1 Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I66485b2d1fff8c0947aaf31c93348a16101f14b7 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3209647 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
author: Vadim Sukhomlinov <sukhomlinov@google.com> 2021-10-06 14:38:51 -0700
committer: Commit Bot <commit-bot@chromium.org> 2021-10-07 04:09:29 +0000
commit: fdf35d0b476089cb2c08bc13ac5dda2782d505cd (patch)
tree: 3f2fba4157c38cd269a8690a9dbebbd698163dbd
parent: b0c5e43185183ef71e07c569e362c28ec3c82ba2 (diff)
download: chrome-ec-fdf35d0b476089cb2c08bc13ac5dda2782d505cd.tar.gz
4 files changed, 40 insertions, 29 deletions
diff --git a/board/cr50/build.mk b/board/cr50/build.mk
index 3f1c40f9c6..b6d1d959cb 100644
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -22,19 +22,20 @@ ifeq ($(BOARD_MK_INCLUDED_ONCE),)
 
 # List of variables which can be defined in the environment or set in the make
 # command line.
-ENV_VARS := CR50_DEV CRYPTO_TEST H1_RED_BOARD U2F_TEST RND_TEST DRBG_TEST\
-	    ECDSA_TEST DCRYPTO_TEST P256_BIN_TEST SHA1_TEST SHA256_TEST\
-	    HMAC_SHA256_TEST CMAC_TEST
+ENV_VARS := CR50_DEV CRYPTO_TEST CMAC_TEST DCRYPTO_TEST DRBG_TEST ECDSA_TEST\
+	    H1_RED_BOARD HMAC_SHA256_TEST P256_BIN_TEST RND_TEST SELF_TEST\
+	    SHA1_TEST SHA256_TEST U2F_TEST U2F_VERBOSE
+
+ifneq ($(H1_RED_BOARD),)
+CPPFLAGS += -DH1_RED_BOARD=$(EMPTY)
+endif
 
 ifneq ($(CRYPTO_TEST),)
 CPPFLAGS += -DCRYPTO_TEST_SETUP
 
-ifneq ($(U2F_TEST),)
-CPPFLAGS_RW += -DCRYPTO_TEST_CMD_U2F_TEST=1
-endif
-
-ifneq ($(RND_TEST),)
-CPPFLAGS_RW += -DCRYPTO_TEST_CMD_RAND=1
+# These options only work with CRYPTO_TEST=1
+ifneq ($(DCRYPTO_TEST),)
+CPPFLAGS_RW += -DCRYPTO_TEST_CMD_DCRYPTO_TEST=1
 endif
 
 ifneq ($(DRBG_TEST),)
@@ -45,14 +46,22 @@ ifneq ($(ECDSA_TEST),)
 CPPFLAGS_RW += -DCRYPTO_TEST_CMD_DCRYPTO_ECDSA=1
 endif
 
-ifneq ($(DCRYPTO_TEST),)
-CPPFLAGS_RW += -DCRYPTO_TEST_CMD_DCRYPTO_TEST=1
+ifneq ($(HMAC_SHA256_TEST),)
+CPPFLAGS_RW += -DHMAC_SHA256_TEST=1
 endif
 
 ifneq ($(P256_BIN_TEST),)
 CPPFLAGS_RW += -DP256_BIN_TEST=1
 endif
 
+ifneq ($(RND_TEST),)
+CPPFLAGS_RW += -DCRYPTO_TEST_CMD_RAND=1
+endif
+
+ifneq ($(SELF_TEST),)
+CPPFLAGS_RW += -DSELF_INTEGRITY_TEST=1
+endif
+
 ifneq ($(SHA1_TEST),)
 CPPFLAGS_RW += -DSHA1_TEST=1
 endif
@@ -61,12 +70,16 @@ ifneq ($(SHA256_TEST),)
 CPPFLAGS_RW += -DSHA256_TEST=1
 endif
 
-ifneq ($(HMAC_SHA256_TEST),)
-CPPFLAGS_RW += -DHMAC_SHA256_TEST=1
+ifneq ($(U2F_TEST),)
+CPPFLAGS_RW += -DCRYPTO_TEST_CMD_U2F_TEST=1
 endif
 
+ifneq ($(U2F_VERBOSE),)
+CPPFLAGS_RW += -DU2F_DEV_VERBOSE=1
 endif
 
+endif # CRYPTO_TEST=1
+
 
 BOARD_MK_INCLUDED_ONCE=1
 SIG_EXTRA = --cros
@@ -173,10 +186,6 @@ board-y += tpm_nvmem_ops.o
 board-y += wp.o
 board-$(CONFIG_PINWEAVER)+=pinweaver_tpm_imports.o
 
-ifneq ($(H1_RED_BOARD),)
-CPPFLAGS += -DH1_RED_BOARD=$(EMPTY)
-endif
-
 # Build fips code separately
 ifneq ($(fips-y),)
 RW_BD_OUT=$(out)/RW/$(BDIR)
diff --git a/board/cr50/dcrypto/fips.c b/board/cr50/dcrypto/fips.c
index 5e9422d2c3..2ea98187c4 100644
--- a/board/cr50/dcrypto/fips.c
+++ b/board/cr50/dcrypto/fips.c
@@ -642,18 +642,22 @@ static bool call_on_stack(void *new_stack, bool (*func)(void))
 const struct sha256_digest fips_integrity
 	__attribute__((section(".rodata.fips.checksum")));
 
+#ifndef SELF_INTEGRITY_TEST
+#define SELF_INTEGRITY_TEST 0
+#endif
+
 static enum dcrypto_result fips_self_integrity(void)
 {
 	struct sha256_digest digest;
 	size_t module_length = &__fips_module_end - &__fips_module_start;
 
-#ifdef CR50_DEV
+#if SELF_INTEGRITY_TEST
 	CPRINTS("FIPS self-integrity start %x, length %u",
 		(uintptr_t)&__fips_module_start, module_length);
 #endif
 	SHA256_hw_hash(&__fips_module_start, module_length, &digest);
 
-#ifdef CR50_DEV
+#if SELF_INTEGRITY_TEST
 	CPRINTS("Stored:   %ph",
 		HEX_BUF(fips_integrity.b8, SHA256_DIGEST_SIZE));
 	CPRINTS("Computed: %ph",
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 4cd267ac61..1b2fc4f17c 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -3,7 +3,7 @@
  * found in the LICENSE file.
  */
 
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#if defined(CRYPTO_TEST_SETUP)
 #include "console.h"
 #endif
 
@@ -55,7 +55,7 @@ static void u2f_origin_user_mac(const struct u2f_state *state,
 	HMAC_SHA256_update(&ctx, origin_seed, U2F_ORIGIN_SEED_SIZE);
 	if (kh_version == U2F_KH_VERSION_1)
 		HMAC_SHA256_update(&ctx, &kh_version, sizeof(kh_version));
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 	ccprintf("origin %ph\n", HEX_BUF(origin, U2F_APPID_SIZE));
 	ccprintf("user %ph\n", HEX_BUF(user, U2F_USER_SECRET_SIZE));
 	ccprintf("origin_seed %ph\n",
@@ -63,7 +63,7 @@ static void u2f_origin_user_mac(const struct u2f_state *state,
 	cflush();
 #endif
 	memcpy(kh_hmac, HMAC_SHA256_final(&ctx), SHA256_DIGEST_SIZE);
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 	ccprintf("kh_hmac %ph\n", HEX_BUF(kh_hmac, SHA256_DIGEST_SIZE));
 	cflush();
 #endif
@@ -248,7 +248,7 @@ static enum ec_error_list u2f_origin_user_key_pair(
 	else if (result != DCRYPTO_OK)
 		return EC_ERROR_HW_INTERNAL;
 
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 	ccprintf("user private key %ph\n", HEX_BUF(d, sizeof(*d)));
 	cflush();
 	if (pk_x)
@@ -449,7 +449,7 @@ u2f_attest_keyhandle_pubkey(const struct u2f_state *state,
 	p256_to_bin(&opk_y, kh_pubkey.y);
 	kh_pubkey.pointFormat = U2F_POINT_UNCOMPRESSED;
 
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 	ccprintf("recreated key %ph\n", HEX_BUF(&kh_pubkey, sizeof(kh_pubkey)));
 	ccprintf("provided key %ph\n", HEX_BUF(public_key, sizeof(kh_pubkey)));
 #endif
@@ -632,7 +632,7 @@ enum ec_error_list u2f_attest(const struct u2f_state *state,
 
 	/* Derive G2F Attestation Key. */
 	if (!g2f_individual_key_pair(state, &d, &pk_x, &pk_y)) {
-#ifdef CR50_DEV
+#ifdef U2F_DEV_VERBOSE
 		ccprintf("G2F Attestation key generation failed\n");
 #endif
 		return EC_ERROR_HW_INTERNAL;
diff --git a/board/cr50/fips_cmd.c b/board/cr50/fips_cmd.c
index aca39fbae7..5dbe19a291 100644
--- a/board/cr50/fips_cmd.c
+++ b/board/cr50/fips_cmd.c
@@ -68,7 +68,7 @@ static void fips_print_status(void)
 }
 DECLARE_HOOK(HOOK_INIT, fips_print_status, HOOK_PRIO_INIT_PRINT_FIPS_STATUS);
 
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#if defined(CRYPTO_TEST_SETUP)
 static const uint8_t k_salt = NVMEM_VAR_G2F_SALT;
 
 static void print_u2f_keys_status(void)
@@ -130,7 +130,7 @@ static int cmd_fips_status(int argc, char **argv)
 			fips_print_test_time();
 			fips_print_mode();
 		}
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#ifdef CRYPTO_TEST_SETUP
 		else if (!strncmp(argv[1], "new", 3))
 			CPRINTS("u2f update status: %d", u2f_update_keys());
 		else if (!strncmp(argv[1], "del", 3))
@@ -142,8 +142,6 @@ static int cmd_fips_status(int argc, char **argv)
 			print_u2f_keys_status();
 		else if (!strncmp(argv[1], "gen", 3))
 			u2f_keys();
-#endif
-#ifdef CRYPTO_TEST_SETUP
 		else if (!strncmp(argv[1], "trng", 4))
 			fips_break_cmd = FIPS_BREAK_TRNG;
 		else if (!strncmp(argv[1], "sha", 3))
author	Vadim Sukhomlinov <sukhomlinov@google.com>	2021-10-06 14:38:51 -0700
committer	Commit Bot <commit-bot@chromium.org>	2021-10-07 04:09:29 +0000
commit	fdf35d0b476089cb2c08bc13ac5dda2782d505cd (patch)
tree	3f2fba4157c38cd269a8690a9dbebbd698163dbd
parent	b0c5e43185183ef71e07c569e362c28ec3c82ba2 (diff)
download	chrome-ec-fdf35d0b476089cb2c08bc13ac5dda2782d505cd.tar.gz