CR50: give ecc and rsa keys distinct derivation templates

This change implements distinct key derivation trees for
ECC and RSA key generation.  The seed used for derivation
is HMAC(primary_seed, ALG), where ALG is either
"ECC", or "RSA".

BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
TEST=all tests in test/tpm_test/tpmtest.py pass

Change-Id: Iee85731bdac02b7b1061e9220786bee52dbf6289
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/351750
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>

2 files changed, 35 insertions, 4 deletions

diff --git a/board/cr50/tpm2/ecc.c b/board/cr50/tpm2/ecc.c
index e54a74dee7..d6f73c0cf1 100644
--- a/board/cr50/tpm2/ecc.c
+++ b/board/cr50/tpm2/ecc.c
@@ -22,6 +22,7 @@ static void reverse_tpm2b(TPM2B *b)
 }
 
 TPM2B_BYTE_VALUE(4);
+TPM2B_BYTE_VALUE(32);
 
 static int check_p256_param(const TPM2B_ECC_PARAMETER *a)
 {
@@ -135,8 +136,10 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
 	TPM2B *seed, const char *label,	TPM2B *extra, UINT32 *counter)
 {
 	TPM2B_4_BYTE_VALUE marshaled_counter = { .t = {4} };
+	TPM2B_32_BYTE_VALUE local_seed = { .t = {32} };
 	uint32_t count = 0;
 	uint8_t key_bytes[P256_NBYTES];
+	LITE_HMAC_CTX hmac;
 
 	if (curve_id != TPM_ECC_NIST_P256)
 		return CRYPT_PARAMETER;
@@ -150,10 +153,18 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
 	if (count == 0)
 		count++;
 
+	/* Hash down the primary seed for ECC key generation, so that
+	 * the derivation tree is distinct from RSA key derivation. */
+	DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size);
+	HASH_update(&hmac.hash, "ECC", 4);
+	memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
+	       local_seed.t.size);
+
 	for (; count != 0; count++) {
 		memcpy(marshaled_counter.t.buffer, &count, sizeof(count));
-		_cpri__KDFa(hash_alg, seed, label, extra, &marshaled_counter.b,
-			sizeof(key_bytes) * 8, key_bytes, NULL, FALSE);
+		_cpri__KDFa(hash_alg, &local_seed.b, label, extra,
+			&marshaled_counter.b, sizeof(key_bytes) * 8, key_bytes,
+			NULL, FALSE);
 		if (DCRYPTO_p256_key_from_bytes(
 				(p256_int *) q->x.b.buffer,
 				(p256_int *) q->y.b.buffer,
@@ -169,6 +180,8 @@ CRYPT_RESULT _cpri__GenerateKeyEcc(
 			break;
 		}
 	}
+	/* TODO(ngm): implement secure memset. */
+	memset(local_seed.t.buffer, 0, local_seed.t.size);
 
 	if (count == 0)
 		FAIL(FATAL_ERROR_INTERNAL);
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 985bbd58a0..d578a5eb06 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -278,6 +278,8 @@ static int generate_prime(struct BIGNUM *b, TPM_ALG_ID hashing, TPM2B *seed,
 	return 0;
 }
 
+TPM2B_BYTE_VALUE(32);
+
 CRYPT_RESULT _cpri__GenerateKeyRSA(
 	TPM2B *N_buf, TPM2B *p_buf, uint16_t num_bits,
 	uint32_t e_buf, TPM_ALG_ID hashing, TPM2B *seed,
@@ -301,6 +303,8 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
 	struct BIGNUM N;
 
 	uint32_t counter;
+	TPM2B_32_BYTE_VALUE local_seed = { .t = {32} };
+	LITE_HMAC_CTX hmac;
 
 	if (num_bits & 0xF)
 		return CRYPT_FAIL;
@@ -310,6 +314,13 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
 	if (seed == NULL || seed->size * 8 < 2 * security_strength)
 		return CRYPT_FAIL;
 
+	/* Hash down the primary seed for RSA key generation, so that
+	 * the derivation tree is distinct from ECC key derivation. */
+	DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size);
+	HASH_update(&hmac.hash, "RSA", 4);
+	memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac),
+	       local_seed.t.size);
+
 	if (e_buf == 0)
 		e_buf = RSA_F4;
 
@@ -323,17 +334,23 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
 		counter = *counter_in;
 	else
 		counter = 1;
-	if (!generate_prime(&p, hashing, seed, label, extra, &counter)) {
+	if (!generate_prime(&p, hashing, &local_seed.b, label, extra,
+			    &counter)) {
 		if (counter_in != NULL)
 			*counter_in = counter;
+		/* TODO(ngm): implement secure memset. */
+		memset(local_seed.t.buffer, 0, local_seed.t.size);
 		return CRYPT_FAIL;
 	}
 
 	if (label == label_p)
 		label = label_q;
-	if (!generate_prime(&q, hashing, seed, label, extra, &counter)) {
+	if (!generate_prime(&q, hashing, &local_seed.b, label, extra,
+			    &counter)) {
 		if (counter_in != NULL)
 			*counter_in = counter;
+		/* TODO(ngm): implement secure memset. */
+		memset(local_seed.t.buffer, 0, local_seed.t.size);
 		return CRYPT_FAIL;
 	}
 
@@ -347,6 +364,7 @@ CRYPT_RESULT _cpri__GenerateKeyRSA(
 	reverse_tpm2b(p_buf);
 	/* TODO(ngm): replace with secure memset. */
 	memset(q_buf, 0, sizeof(q_buf));
+	memset(local_seed.t.buffer, 0, local_seed.t.size);
 	return CRYPT_SUCCESS;
 }