summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornagendra modadugu <ngm@google.com>2016-06-11 01:46:27 -0700
committerchrome-bot <chrome-bot@chromium.org>2016-06-15 15:29:13 -0700
commitea1515ae13800b968933656728881ff330d38ebe (patch)
tree5fd8f8ac0438505cc83030e3836addd6ba40905e
parent4e3cbd845b1709369c1784a5a5a83be28c004933 (diff)
downloadchrome-ec-ea1515ae13800b968933656728881ff330d38ebe.tar.gz
CR50: give ecc and rsa keys distinct derivation templates
This change implements distinct key derivation trees for ECC and RSA key generation. The seed used for derivation is HMAC(primary_seed, ALG), where ALG is either "ECC", or "RSA". BRANCH=none BUG=chrome-os-partner:43025,chrome-os-partner:47524 TEST=all tests in test/tpm_test/tpmtest.py pass Change-Id: Iee85731bdac02b7b1061e9220786bee52dbf6289 Signed-off-by: nagendra modadugu <ngm@google.com> Reviewed-on: https://chromium-review.googlesource.com/351750 Commit-Ready: Nagendra Modadugu <ngm@google.com> Tested-by: Nagendra Modadugu <ngm@google.com> Reviewed-by: Marius Schilder <mschilder@chromium.org> Reviewed-by: Bill Richardson <wfrichar@chromium.org>
-rw-r--r--board/cr50/tpm2/ecc.c17
-rw-r--r--board/cr50/tpm2/rsa.c22
2 files changed, 35 insertions, 4 deletions
diff --git a/board/cr50/tpm2/ecc.c b/board/cr50/tpm2/ecc.c
index e54a74dee7..d6f73c0cf1 100644
--- a/board/cr50/tpm2/ecc.c
+++ b/board/cr50/tpm2/ecc.c
@@ -22,6 +22,7 @@ static void reverse_tpm2b(TPM2B *b)
}
TPM2B_BYTE_VALUE(4);
+TPM2B_BYTE_VALUE(32);
static int check_p256_param(const TPM2B_ECC_PARAMETER *a)
{
@@ -135,8 +136,10 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
TPM2B *seed, const char *label, TPM2B *extra, UINT32 *counter)
{
TPM2B_4_BYTE_VALUE marshaled_counter = { .t = {4} };
+ TPM2B_32_BYTE_VALUE local_seed = { .t = {32} };
uint32_t count = 0;
uint8_t key_bytes[P256_NBYTES];
+ LITE_HMAC_CTX hmac;
if (curve_id != TPM_ECC_NIST_P256)
return CRYPT_PARAMETER;
@@ -150,10 +153,18 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
if (count == 0)
count++;
+ /* Hash down the primary seed for ECC key generation, so that
+ * the derivation tree is distinct from RSA key derivation. */
+ DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size);
+ HASH_update(&hmac.hash, "ECC", 4);
+ memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
+ local_seed.t.size);
+
for (; count != 0; count++) {
memcpy(marshaled_counter.t.buffer, &count, sizeof(count));
- _cpri__KDFa(hash_alg, seed, label, extra, &marshaled_counter.b,
- sizeof(key_bytes) * 8, key_bytes, NULL, FALSE);
+ _cpri__KDFa(hash_alg, &local_seed.b, label, extra,
+ &marshaled_counter.b, sizeof(key_bytes) * 8, key_bytes,
+ NULL, FALSE);
if (DCRYPTO_p256_key_from_bytes(
(p256_int *) q->x.b.buffer,
(p256_int *) q->y.b.buffer,
@@ -169,6 +180,8 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
break;
}
}
+ /* TODO(ngm): implement secure memset. */
+ memset(local_seed.t.buffer, 0, local_seed.t.size);
if (count == 0)
FAIL(FATAL_ERROR_INTERNAL);
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 985bbd58a0..d578a5eb06 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -278,6 +278,8 @@ static int generate_prime(struct BIGNUM *b, TPM_ALG_ID hashing, TPM2B *seed,
return 0;
}
+TPM2B_BYTE_VALUE(32);
+
CRYPT_RESULT _cpri__GenerateKeyRSA(
TPM2B *N_buf, TPM2B *p_buf, uint16_t num_bits,
uint32_t e_buf, TPM_ALG_ID hashing, TPM2B *seed,
@@ -301,6 +303,8 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
struct BIGNUM N;
uint32_t counter;
+ TPM2B_32_BYTE_VALUE local_seed = { .t = {32} };
+ LITE_HMAC_CTX hmac;
if (num_bits & 0xF)
return CRYPT_FAIL;
@@ -310,6 +314,13 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
if (seed == NULL || seed->size * 8 < 2 * security_strength)
return CRYPT_FAIL;
+ /* Hash down the primary seed for RSA key generation, so that
+ * the derivation tree is distinct from ECC key derivation. */
+ DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size);
+ HASH_update(&hmac.hash, "RSA", 4);
+ memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
+ local_seed.t.size);
+
if (e_buf == 0)
e_buf = RSA_F4;
@@ -323,17 +334,23 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
counter = *counter_in;
else
counter = 1;
- if (!generate_prime(&p, hashing, seed, label, extra, &counter)) {
+ if (!generate_prime(&p, hashing, &local_seed.b, label, extra,
+ &counter)) {
if (counter_in != NULL)
*counter_in = counter;
+ /* TODO(ngm): implement secure memset. */
+ memset(local_seed.t.buffer, 0, local_seed.t.size);
return CRYPT_FAIL;
}
if (label == label_p)
label = label_q;
- if (!generate_prime(&q, hashing, seed, label, extra, &counter)) {
+ if (!generate_prime(&q, hashing, &local_seed.b, label, extra,
+ &counter)) {
if (counter_in != NULL)
*counter_in = counter;
+ /* TODO(ngm): implement secure memset. */
+ memset(local_seed.t.buffer, 0, local_seed.t.size);
return CRYPT_FAIL;
}
@@ -347,6 +364,7 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
reverse_tpm2b(p_buf);
/* TODO(ngm): replace with secure memset. */
memset(q_buf, 0, sizeof(q_buf));
+ memset(local_seed.t.buffer, 0, local_seed.t.size);
return CRYPT_SUCCESS;
}