CR50: add a golden test for RSA key gen from a fixed seed

Add a test that verifies RSA keygen from a fixed seed and
template from the TCG EK Credential Profile spec.

BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
TEST=tests under test/tpmtest pass

Change-Id: I2f1cfb8460a0497c93079b89b9ff4e031eaff358
Reviewed-on: https://chromium-review.googlesource.com/356561
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

2 files changed, 48 insertions, 17 deletions

diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index d578a5eb06..ccd84ce77e 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -10,11 +10,13 @@
 
 #include <assert.h>
 
+TPM2B_BYTE_VALUE(4);
+TPM2B_BYTE_VALUE(32);
+
 static void reverse_tpm2b(TPM2B *b)
 {
 	reverse(b->buffer, b->size);
 }
-TPM2B_BYTE_VALUE(4);
 
 static int check_key(const RSA_KEY *key)
 {
@@ -278,8 +280,6 @@ static int generate_prime(struct BIGNUM *b, TPM_ALG_ID hashing, TPM2B *seed,
 	return 0;
 }
 
-TPM2B_BYTE_VALUE(32);
-
 CRYPT_RESULT _cpri__GenerateKeyRSA(
 	TPM2B *N_buf, TPM2B *p_buf, uint16_t num_bits,
 	uint32_t e_buf, TPM_ALG_ID hashing, TPM2B *seed,
@@ -304,7 +304,6 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
 
 	uint32_t counter;
 	TPM2B_32_BYTE_VALUE local_seed = { .t = {32} };
-	LITE_HMAC_CTX hmac;
 
 	if (num_bits & 0xF)
 		return CRYPT_FAIL;
@@ -316,10 +315,19 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
 
 	/* Hash down the primary seed for RSA key generation, so that
 	 * the derivation tree is distinct from ECC key derivation. */
-	DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size);
-	HASH_update(&hmac.hash, "RSA", 4);
-	memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
-	       local_seed.t.size);
+#ifdef CRYPTO_TEST_SETUP
+	/* Test seed has already been hashed down. */
+	memcpy(local_seed.t.buffer, seed->buffer, seed->size);
+#else
+	{
+		LITE_HMAC_CTX hmac;
+
+		DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size);
+		HASH_update(&hmac.hash, "RSA", 4);
+		memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
+			local_seed.t.size);
+	}
+#endif
 
 	if (e_buf == 0)
 		e_buf = RSA_F4;
@@ -747,6 +755,12 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_2048_Q = {
 	}
 };
 
+static const uint8_t VERIFY_SEED[32] = {
+	0x54, 0xef, 0xe3, 0xe9, 0x1e, 0xfa, 0xad, 0x9b,
+	0x18, 0x3f, 0x27, 0x12, 0xfd, 0xe7, 0xfb, 0xc6,
+	0x60, 0xcc, 0x34, 0x05, 0x00, 0x7d, 0x21, 0x6e,
+	0xc2, 0x1e, 0x78, 0xbe, 0x61, 0xc8, 0x41, 0x99
+};
 
 #define MAX_MSG_BYTES RSA_MAX_BYTES
 #define MAX_LABEL_LEN 32
@@ -784,6 +798,19 @@ static void rsa_command_handler(void *cmd_body,
 	struct BIGNUM bn;
 	char label[MAX_LABEL_LEN];
 
+	/* This is the SHA-256 hash of the RSA template from the TCG
+	 * EK Credential Profile spec.
+	 */
+	TPM2B_32_BYTE_VALUE RSA_TEMPLATE_EK_EXTRA = {
+		.t = {32, {
+				0x68, 0xd1, 0xa2, 0x41, 0xfb, 0x27, 0x2f, 0x03,
+				0x90, 0xbf, 0xd0, 0x42, 0x8d, 0xad, 0xee, 0xb0,
+				0x2b, 0xf4, 0xa1, 0xcd, 0x46, 0xab, 0x6c, 0x39,
+				0x1b, 0xa3, 0x1f, 0x51, 0x87, 0x06, 0x8e, 0x6a
+			}
+		}
+	};
+
 	assert(sizeof(size_t) == sizeof(uint32_t));
 
 	/* Command format.
@@ -926,15 +953,16 @@ static void rsa_command_handler(void *cmd_body,
 		}
 		N.b.size = sizeof(N.t.buffer);
 		p.b.size = sizeof(p.t.buffer);
-		seed.b.size = sizeof(seed.t.buffer);
-		rand_bytes(seed.b.buffer, seed.b.size);
+		seed.b.size = sizeof(VERIFY_SEED);
+		memcpy(seed.b.buffer, VERIFY_SEED, sizeof(VERIFY_SEED));
 		if (in_len > 0) {
 			memcpy(label, in, in_len);
 			label[in_len] = '\0';
 		}
 		if (_cpri__GenerateKeyRSA(
 				&N.b, &p.b, key_len, RSA_F4, TPM_ALG_SHA256,
-				&seed.b, in_len ? label : NULL, NULL, NULL)
+				&seed.b, in_len ? label : NULL,
+				&RSA_TEMPLATE_EK_EXTRA.b, NULL)
 			!= CRYPT_SUCCESS) {
 			*response_size = 0;
 		} else {
diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py
index 7f7c28d5e6..1e700cb435 100644
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -598,10 +598,10 @@ _KEYTEST_INPUTS = (
 )
 
 _KEYGEN_INPUTS = (
-  (768, 65537, ''),
-  (1024, 65537, 'rsa_test'),
-  (2048, 65537, 'rsa_test'),
-  (2048, 65537, ''),
+  (768, 65537, '', None),
+  (1024, 65537, 'rsa_test', None),
+  (2048, 65537, 'RSA key by vendor', 20811475686431332186511278472307159547870512766846593830860105577496044159545322178313772755518365593670114793803805067608811418757734989708137784444223785391864604211835387393923163468734914392307047296990698533218399115126417934050463597455237478939601236799120239663591264311485133747167378663829046579164891864068853210530642835833947569643788911200934265596274935082689832626616967124524353322373059893974744194447740045242468136414689225322177212281193879756355471091445748150740871146034049776312457888356154834233819876846764944450478069436248506560967902863015152471662817623176815923756421011384149834497587L),
+  (2048, 65537, '', None),
 )
 
 # 2048-bit will be done in hardware (i.e. fast), rest are in software.
@@ -681,8 +681,8 @@ def _keytest_tests(tpm):
 
 def _keygen_tests(tpm):
   for data in _KEYGEN_INPUTS:
-    key_len, e, label = data
-    test_name = 'RSA-KEYGEN:%d:%d:%s' % data
+    key_len, e, label, expected_N = data
+    test_name = 'RSA-KEYGEN:%d:%d:%s' % data[:-1]
     cmd = _keygen_cmd(key_len, e, label)
 
     wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
@@ -693,6 +693,9 @@ def _keygen_tests(tpm):
         test_name, utils.hex_dump(result)))
 
     N = int(binascii.b2a_hex(result[0:result_len * 2 / 3]), 16)
+    if expected_N and N != expected_N:
+      raise subcmd.TpmTestError('%s error:%s' % (
+          test_name, utils.hex_dump(result)))
     p = int(binascii.b2a_hex(result[result_len * 2 / 3:]), 16)
     q = N / p
     if not rsa.prime.is_prime(p):