cr50: reduce hash implementation stack requirements

Stack space is pretty tight on cr50, and since there is no need to
support SHA digest sizes in excess of 256 bits, the digest buffer size
should be reduced.

This patch makes the maximum expected digest size dependent on the set
of configured hash algorithms, moves hash size related asserts from
run time to compile time, and passes compile time definition to the
TPM2 library to increase its hash state container (it became too small
when SHA384 was disabled).

The sw context requirements should be reduced, but this is a task for
another day. We also do not have to store a local digest copy if the
API allowed reading a partial digest.

CQ-DEPEND=CL:314883
BRANCH=none
BUG=chrome-os-partner:43025, chromium:564862
TEST=all tests pass:
  $ ./test/tpm_test/tpmtest.py
  Starting MPSSE at 800 kHz
  Connected to device vid:did:rid of 1ae0:0028:00
  SUCCESS: AES:ECB common
  SUCCESS: AES:ECB128 1
  SUCCESS: AES:ECB192 1
  SUCCESS: AES:ECB256 1
  SUCCESS: AES:ECB256 2
  SUCCESS: AES:CTR128I 1
  SUCCESS: AES:CTR256I 1
  SUCCESS: sha1:single 0
  SUCCESS: sha256:single 0
  /New max timeout: 1 s
  SUCCESS: sha256:finish 1
  SUCCESS: sha1:finish 3
  SUCCESS: sha256:finish 2

Change-Id: Iaef3a230469de129e72418814e1d113b447c0137
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/314695
Reviewed-by: Nagendra Modadugu <ngm@google.com>

5 files changed, 31 insertions, 16 deletions

diff --git a/board/cr50/build.mk b/board/cr50/build.mk
index aa84171346..a734411747 100644
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -44,6 +44,9 @@ LDFLAGS_EXTRA += -L$(out)/tpm2 -ltpm2
 # For the benefit of the tpm2 library.
 INCLUDE_ROOT := $(abspath ./include)
 CFLAGS += -I$(INCLUDE_ROOT)
+# Make sure the context of the software sha256 implementation fits. If it ever
+# increases, a compile time assert will fire in tpm2/hash.c.
+CFLAGS += -DUSER_MIN_HASH_STATE_SIZE=210
 
 # Add dependencies on that library
 $(out)/RO/ec.RO.elf: $(out)/tpm2/libtpm2.a
diff --git a/board/cr50/tpm2/hash.c b/board/cr50/tpm2/hash.c
index 8d3dc9a05d..157e8526ef 100644
--- a/board/cr50/tpm2/hash.c
+++ b/board/cr50/tpm2/hash.c
@@ -42,11 +42,11 @@ uint16_t _cpri__GetHashBlockSize(TPM_ALG_ID alg)
 	return lookup_hash_info(alg)->blockSize;
 }
 
+BUILD_ASSERT(sizeof(CPRI_HASH_STATE) == sizeof(EXPORT_HASH_STATE));
 void _cpri__ImportExportHashState(CPRI_HASH_STATE *osslFmt,
 				EXPORT_HASH_STATE *externalFmt,
 				IMPORT_EXPORT direction)
 {
-	pAssert(sizeof(CPRI_HASH_STATE) == sizeof(EXPORT_HASH_STATE));
 	if (direction == IMPORT_STATE)
 		memcpy(osslFmt, externalFmt, sizeof(CPRI_HASH_STATE));
 	else
@@ -88,13 +88,14 @@ uint16_t _cpri__HashBlock(TPM_ALG_ID alg, uint32_t in_len, uint8_t *in,
 	return out_len;
 }
 
+BUILD_ASSERT(sizeof(struct HASH_CTX) <=
+	     sizeof(((CPRI_HASH_STATE *)0)->state));
 uint16_t _cpri__StartHash(TPM_ALG_ID alg, BOOL sequence,
-			CPRI_HASH_STATE *state)
+			  CPRI_HASH_STATE *state)
 {
 	struct HASH_CTX *ctx = (struct HASH_CTX *) state->state;
 	uint16_t result;
 
-	pAssert(sizeof(struct HASH_CTX) < sizeof(state->state));
 	switch (alg) {
 	case TPM_ALG_SHA1:
 		DCRYPTO_SHA1_init(ctx, sequence);
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index 7cafb224da..a39350fd13 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -26,17 +26,6 @@ enum encrypt_mode {
 	ENCRYPT_MODE = 1
 };
 
-#define SHA1_DIGEST_BYTES    20
-#define SHA256_DIGEST_BYTES  32
-#define SHA384_DIGEST_BYTES  48
-#define SHA512_DIGEST_BYTES  64
-#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_BYTES
-
-#define SHA1_DIGEST_WORDS   (SHA1_DIGEST_BYTES / sizeof(uint32_t))
-#define SHA256_DIGEST_WORDS (SHA256_DIGEST_BYTES / sizeof(uint32_t))
-#define SHA384_DIGEST_WORDS (SHA384_DIGEST_BYTES / sizeof(uint32_t))
-#define SHA512_DIGEST_WORDS (SHA512_DIGEST_BYTES / sizeof(uint32_t))
-
 struct HASH_CTX;   /* Forward declaration. */
 
 typedef struct HASH_CTX SHA1_CTX;
diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h
index 279b2798e7..3be8a406a7 100644
--- a/chip/g/dcrypto/internal.h
+++ b/chip/g/dcrypto/internal.h
@@ -26,10 +26,30 @@ struct HASH_VTAB {
 	uint32_t size;
 };
 
+#define SHA1_DIGEST_BYTES    20
+#define SHA256_DIGEST_BYTES  32
+#define SHA384_DIGEST_BYTES  48
+#define SHA512_DIGEST_BYTES  64
+
+#define SHA1_DIGEST_WORDS   (SHA1_DIGEST_BYTES / sizeof(uint32_t))
+#define SHA256_DIGEST_WORDS (SHA256_DIGEST_BYTES / sizeof(uint32_t))
+#define SHA384_DIGEST_WORDS (SHA384_DIGEST_BYTES / sizeof(uint32_t))
+#define SHA512_DIGEST_WORDS (SHA512_DIGEST_BYTES / sizeof(uint32_t))
+
+#if defined(CONFIG_SHA512)
+#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_BYTES
+#elif defined(CONFIG_SHA384)
+#define SHA_DIGEST_MAX_BYTES SHA384_DIGEST_BYTES
+#elif defined(CONFIG_SHA256)
+#define SHA_DIGEST_MAX_BYTES SHA256_DIGEST_BYTES
+#elif defined CONFIG_SHA1
+#define SHA_DIGEST_MAX_BYTES SHA1_DIGEST_BYTES
+#endif
+
 struct HASH_CTX {
 	const struct HASH_VTAB *vtab;
 	union {
-		uint8_t buf[64];
+		uint8_t buf[SHA_DIGEST_MAX_BYTES];
 		struct sha1_ctx sw_sha1;
 		struct sha256_ctx sw_sha256;
 	} u;
diff --git a/include/config.h b/include/config.h
index 6a63cd6adb..40db719b68 100644
--- a/include/config.h
+++ b/include/config.h
@@ -1522,8 +1522,10 @@
 /* Support computing SHA-1 hash */
 #undef CONFIG_SHA1
 
-/* Support computing SHA-256 hash (without the VBOOT code) */
+/* Support computing of other hash sizes (without the VBOOT code) */
 #undef CONFIG_SHA256
+#undef CONFIG_SHA384
+#undef CONFIG_SHA512
 
 /* Emulate the CLZ (Count Leading Zeros) in software for CPU lacking support */
 #undef CONFIG_SOFTWARE_CLZ