authorVadim Sukhomlinov <sukhomlinov@google.com>2021-09-17 13:32:40 -0700
committerCommit Bot <commit-bot@chromium.org>2021-09-18 05:37:29 +0000
commita30384ab657dea34bda82dcad066f4205759bb1c (patch)
tree705f29720fa1381132b6110831f31009dea2ff5d
parent339b2361910e02d2522021d4895b7aa501fdf36c (diff)
downloadchrome-ec-a30384ab657dea34bda82dcad066f4205759bb1c.tar.gz
cr50: detangle public and internal APIs of FIPS module
To properly define FIPS module boundary all APIs provided by module to external applications (TPM2, pinweaver, etc) should be identifiable. Shuffle functions between dcrypto.h and internal.h to achieve this goal. Adjust included headers as needed. BUG=b:134594373 TEST=make buildall; TCG tests Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: Ie2679644d62e232a5d5d06f8ed6bf602853ebde2 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169558 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/dcrypto/app_cipher.c2
-rw-r--r--board/cr50/dcrypto/compare.c2
-rw-r--r--board/cr50/dcrypto/crypto_common.h34
-rw-r--r--board/cr50/dcrypto/dcrypto.h145
-rw-r--r--board/cr50/dcrypto/fips.c4
-rw-r--r--board/cr50/dcrypto/fips_rand.c3
-rw-r--r--board/cr50/dcrypto/fips_rand.h61
-rw-r--r--board/cr50/dcrypto/hmacsha2.h9
-rw-r--r--board/cr50/dcrypto/internal.h148
-rw-r--r--board/cr50/dcrypto/p256.c2
-rw-r--r--board/cr50/dcrypto/p256_ec.c7
-rw-r--r--board/cr50/dcrypto/u2f.c4
-rw-r--r--board/cr50/dcrypto/x509.c4
-rw-r--r--board/cr50/tpm2/aes.c2
-rw-r--r--board/cr50/tpm2/hkdf.c1
-rw-r--r--board/cr50/tpm2/rsa.c3
-rw-r--r--common/ccd_config.c1
-rw-r--r--test/u2f.c3
18 files changed, 231 insertions, 204 deletions
diff --git a/board/cr50/dcrypto/app_cipher.c b/board/cr50/dcrypto/app_cipher.c
index 6bbcfdab11..004db6bd6c 100644
--- a/board/cr50/dcrypto/app_cipher.c
+++ b/board/cr50/dcrypto/app_cipher.c
@@ -4,7 +4,7 @@
* found in the LICENSE file.
*/
#include "crypto_api.h"
-#include "dcrypto.h"
+#include "internal.h"
#include "registers.h"
/* The default build options compile for size (-Os); instruct the
diff --git a/board/cr50/dcrypto/compare.c b/board/cr50/dcrypto/compare.c
index 494e26617e..baf37927b0 100644
--- a/board/cr50/dcrypto/compare.c
+++ b/board/cr50/dcrypto/compare.c
@@ -3,7 +3,7 @@
* found in the LICENSE file.
*/
-#include "dcrypto.h"
+#include "internal.h"
/**
* CRYPTO_FAST_COMPARE = 1 will enable machine word reads if performance
diff --git a/board/cr50/dcrypto/crypto_common.h b/board/cr50/dcrypto/crypto_common.h
deleted file mode 100644
index 36e5ebe9b7..0000000000
--- a/board/cr50/dcrypto/crypto_common.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* Copyright 2021 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- */
-#ifndef __EC_FIPS_MODULE_COMMON_H
-#define __EC_FIPS_MODULE_COMMON_H
-
-/**
- * This header file contains types shared between public API in dcrypto.h and
- * internal functions in internal.h.
- */
-
-#include "common.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Result codes for crypto operations, targeting
- * high Hamming distance from each other.
- */
-enum dcrypto_result {
- DCRYPTO_OK = 0xAA33AAFF, /* Success. */
- DCRYPTO_FAIL = 0x55665501, /* Failure. */
- DCRYPTO_RETRY = 0xA5775A33,
- DCRYPTO_RESEED_NEEDED = 0x36AA6355,
-};
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __EC_FIPS_MODULE_COMMON_H */
diff --git a/board/cr50/dcrypto/dcrypto.h b/board/cr50/dcrypto/dcrypto.h
index 50285286d9..36f2c40fee 100644
--- a/board/cr50/dcrypto/dcrypto.h
+++ b/board/cr50/dcrypto/dcrypto.h
@@ -13,11 +13,22 @@
extern "C" {
#endif
-#include "crypto_common.h"
-#include "internal.h"
-
+#include <stdbool.h>
#include <stddef.h>
+#include "hmacsha2.h"
+
+/**
+ * Result codes for crypto operations, targeting
+ * high Hamming distance from each other.
+ */
+enum dcrypto_result {
+ DCRYPTO_OK = 0xAA33AAFF, /* Success. */
+ DCRYPTO_FAIL = 0x55665501, /* Failure. */
+ DCRYPTO_RETRY = 0xA5775A33,
+ DCRYPTO_RESEED_NEEDED = 0x36AA6355,
+};
+
enum cipher_mode {
CIPHER_MODE_ECB = 0, /* NIST SP 800-38A */
CIPHER_MODE_CTR = 1, /* NIST SP 800-38A */
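Review bot: The public header now defines `struct access_helper` with `uint32_t` and `__packed` (later hunks of this file), but the include block here adds only `<stdbool.h>` and `"hmacsha2.h"`, so dcrypto.h may rely on its includer for `<stdint.h>` and the `__packed` macro. The tpm2/aes.c hunk, which adds `#include "common.h"` ahead of `"dcrypto.h"`, suggests this is the case, although hmacsha2.h is not visible here and may already supply both. If the aim is an identifiable module boundary, the header should compile on its own: add `#include <stdint.h>` and the header that defines `__packed` next to `#include <stddef.h>`.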
@@ -158,8 +169,44 @@ const struct sha256_digest *HMAC_SHA256_hw_final(struct hmac_sha256_ctx *ctx);
/*
* BIGNUM utility methods.
*/
+
+/*
+ * Use this structure to avoid alignment problems with input and output
+ * pointers.
+ */
+struct access_helper {
+ uint32_t udata;
+} __packed;
+
+
+struct LITE_BIGNUM {
+ uint32_t dmax; /* Size of d, in 32-bit words. */
+ struct access_helper *d; /* Word array, little endian format ... */
+};
+
+
void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len);
+/**
+ * Return number of bits in big number.
+ * @param b pointer to big number
+ * @return length in bits
+ */
+static inline uint32_t bn_bits(const struct LITE_BIGNUM *b)
+{
+ return b->dmax * sizeof(*b->d) * 8;
+}
+
+/**
+ * Return number of bytes in big number.
+ * @param b pointer to big number
+ * @return length in bits
+ */
+static inline size_t bn_size(const struct LITE_BIGNUM *b)
+{
+ return b->dmax * sizeof(*b->d);
+}
+
/*
* RSA.
*/
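Review bot: The doc comment on `bn_size()` says `@return length in bits`, carried over from `bn_bits()`, but the function returns `b->dmax * sizeof(*b->d)`, which is a byte count; it should read `@return length in bytes`. These helpers are now part of the public API and callers will size buffers from them, so the unit stated in the contract matters. Both inline functions dereference `b` unconditionally, as the macros they replace did, so a short remark in each comment that `b` must be non-NULL would also help.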
@@ -235,6 +282,52 @@ int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
* EC.
*/
+/*
+ * Accelerated p256. FIPS PUB 186-4
+ */
+#define P256_BITSPERDIGIT 32
+#define P256_NDIGITS 8
+#define P256_NBYTES 32
+
+typedef uint32_t p256_digit;
+/**
+ * P-256 integers internally represented as little-endian 32-bit integer
+ * digits in platform-specific format. On little-endian platform this would
+ * be regular 256-bit little-endian unsigned integer. On big-endian platform
+ * it would big-endian 32-bit digits in little-endian order.
+ *
+ * Defining p256_int as struct to leverage struct assignment.
+ */
+typedef struct p256_int {
+ union {
+ p256_digit a[P256_NDIGITS];
+ uint8_t b8[P256_NBYTES];
+ };
+} p256_int;
+
+/* Clear a p256_int to zero. */
+void p256_clear(p256_int *a);
+
+/* Check p256 is odd. */
+int p256_is_odd(const p256_int *a);
+
+/* Outputs big-endian binary form. No leading zero skips. */
+void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES]);
+
+/**
+ * Reads from big-endian binary form, thus pre-pad with leading
+ * zeros if short. Input length is assumed P256_NBYTES bytes.
+ */
+void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int *dst);
+
+/**
+ * Reads from big-endian binary form of given size, add padding with
+ * zeros if short. Check that leading digits beyond P256_NBYTES are zeroes.
+ *
+ * @return true if provided big-endian fits into p256.
+ */
+bool p256_from_be_bin_size(const uint8_t *src, size_t len, p256_int *dst);
+
/**
* Check if point is on NIST P-256 curve
*
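Review bot: `p256_from_be_bin_size()` signals through its `bool` return whether the input fits into a p256_int, yet the declaration has no `__attribute__((warn_unused_result))`, unlike `fips_trng_bytes()` and `fips_rand_bytes()` elsewhere in this header. Now that it is exposed to callers outside the module, an ignored `false` would let a rejected value be used as if it had parsed; what `dst` holds in that case is not visible here. Suggest `bool p256_from_be_bin_size(const uint8_t *src, size_t len, p256_int *dst) __attribute__((warn_unused_result));`. The same applies to `fips_p256_ecdsa_sign()` in the next hunk, which returns `int` without the attribute while `dcrypto_p256_ecdsa_verify()` beside it carries one.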
@@ -276,16 +369,19 @@ int DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d,
const uint8_t bytes[P256_NBYTES]);
/**
- * Pair-wise consistency test for private and public key.
- *
- * @param drbg - DRBG to use for nonce generation
- * @param d - private key (scalar)
- * @param x - public key part
- * @param y - public key part
- * @return !0 on success
+ * TODO: Provide provide proper wrappers for dcrypto_p256_ecdsa_verify()
+ * and fips_p256_ecdsa_sign()
*/
-int DCRYPTO_p256_key_pwct(struct drbg_ctx *drbg, const p256_int *d,
- const p256_int *x, const p256_int *y);
+int dcrypto_p256_ecdsa_verify(const p256_int *key_x, const p256_int *key_y,
+ const p256_int *message, const p256_int *r,
+ const p256_int *s)
+ __attribute__((warn_unused_result));
+
+/* wrapper around dcrypto_p256_ecdsa_sign using FIPS-compliant HMAC_DRBG */
+int fips_p256_ecdsa_sign(const p256_int *key, const p256_int *message,
+ p256_int *r, p256_int *s);
+
+/************************************************************/
/* P256 based integration encryption (DH+AES128+SHA256).
* Not FIPS 140-2 compliant, not used other than for tests
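Review bot: Neither declaration added here documents its return convention: the only comment on `dcrypto_p256_ecdsa_verify()` is the TODO (which has a doubled word, `Provide provide`), and `fips_p256_ecdsa_sign()` has a one-line comment. This header defines `enum dcrypto_result` with non-trivial success values, while the removed `DCRYPTO_p256_key_pwct()` comment used `!0 on success`, so a caller cannot tell from the header which `int` value means a valid signature. Add a `@return` line to each stating the success value, for example `* @return !0 if the signature is valid`, if that is the convention these functions follow.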
@@ -458,6 +554,15 @@ int DCRYPTO_ladder_is_enabled(void);
*/
/**
+ * Initialize the true random number generator (TRNG) in FIPS-compliant
+ * way:
+ * 1. Set 1-bit alphabet
+ * 2. Set maximum possible range for internal ring-oscillator
+ * 3. Disable any other post-processing beyond #2
+ **/
+void fips_init_trng(void);
+
+/**
* Returns random number from TRNG with indication wherever reading is valid.
* This is different from rand() which doesn't provide any indication.
* High 32-bits set to zero in case of error; otherwise value >> 32 == 1
@@ -504,6 +609,22 @@ bool fips_trng_bytes(void *buffer, size_t len)
bool fips_rand_bytes(void *buffer, size_t len)
__attribute__((warn_unused_result));
+
+/**
+ * Utility functions.
+ */
+
+/**
+ * An implementation of memset that ought not to be optimized away;
+ * useful for scrubbing security sensitive buffers.
+ *
+ * @param d destination buffer
+ * @param c 8-bit value to fill buffer
+ * @param n size of buffer in bytes
+ * @return d
+ */
+void *always_memset(void *d, int c, size_t n);
+
#ifdef __cplusplus
}
#endif
diff --git a/board/cr50/dcrypto/fips.c b/board/cr50/dcrypto/fips.c
index f08b54aea7..b3b401fdfb 100644
--- a/board/cr50/dcrypto/fips.c
+++ b/board/cr50/dcrypto/fips.c
@@ -5,15 +5,13 @@
#include "builtin/endian.h"
#include "console.h"
-#include "dcrypto.h"
#include "ec_commands.h"
#include "extension.h"
-#include "fips.h"
-#include "fips_rand.h"
#include "flash.h"
#include "flash_info.h"
#include "flash_log.h"
#include "hooks.h"
+#include "internal.h"
#include "new_nvmem.h"
#include "nvmem.h"
#include "nvmem_vars.h"
diff --git a/board/cr50/dcrypto/fips_rand.c b/board/cr50/dcrypto/fips_rand.c
index 701fca0a6f..4529a1cfbf 100644
--- a/board/cr50/dcrypto/fips_rand.c
+++ b/board/cr50/dcrypto/fips_rand.c
@@ -4,8 +4,7 @@
*/
#include "console.h"
-#include "fips.h"
-#include "fips_rand.h"
+#include "internal.h"
#include "flash_log.h"
#include "init_chip.h"
#include "registers.h"
diff --git a/board/cr50/dcrypto/fips_rand.h b/board/cr50/dcrypto/fips_rand.h
index af39269382..10e44c7414 100644
--- a/board/cr50/dcrypto/fips_rand.h
+++ b/board/cr50/dcrypto/fips_rand.h
@@ -18,22 +18,6 @@ extern "C" {
#define TRNG_SAMPLE_BITS 1
-/**
- * Initialize the true random number generator (TRNG) in FIPS-compliant
- * way:
- * 1. Set 1-bit alphabet
- * 2. Set maximum possible range for internal ring-oscillator
- * 3. Disable any other post-processing beyond #2
- **/
-void fips_init_trng(void);
-
-/**
- * Returns random number with indication wherever reading is valid. This is
- * different from rand() which doesn't provide any indication.
- * High 32-bits set to zero in case of error; otherwise value >> 32 == 1
- * Use of uint64_t vs. struct results in more efficient code.
- */
-uint64_t read_rand(void);
/**
* TRNG Health Tests
@@ -86,52 +70,7 @@ uint64_t read_rand(void);
*/
#define APT_CUTOFF_SAMPLES 692
-/**
- * FIPS-compliant TRNG startup.
- * The entropy source's startup tests shall run the continuous health tests
- * over at least 4096 consecutive samples.
- * Note: This function can throw FIPS_FATAL_TRNG error
- *
- * To hide latency of reading TRNG data, this test is executed in 2 stages
- * @param stage is 0 or 1, choosing the stage. On each stage 2048
- * samples are processed. Assuming that some other tasks can be executed
- * between stages, when TRNG FIFO if filled with samples.
- *
- * Some number of samples will be available in entropy_fifo
- */
-bool fips_trng_startup(int stage);
-
-
-/* initialize cr50-wide DRBG replacing rand */
-bool fips_drbg_init(void);
-/* mark cr50-wide DRBG as not initialized */
-void fips_drbg_init_clear(void);
-
-/* FIPS DRBG initialized at boot time/first use. */
-extern struct drbg_ctx fips_drbg;
-/**
- * Generate valid P-256 random from FIPS DRBG, reseed DRBG with entropy from
- * verified TRNG if needed.
- *
- * @param drbg DRBG to use
- * @param out output value
- * @return HMAC_DRBG_SUCCESS if out contains random.
- */
-enum hmac_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
- p256_int *out);
-
-/* wrapper around dcrypto_p256_ecdsa_sign using FIPS-compliant HMAC_DRBG */
-int fips_p256_ecdsa_sign(const p256_int *key, const p256_int *message,
- p256_int *r, p256_int *s);
-/**
- * wrapper around hmac_drbg_generate to automatically reseed drbg
- * when needed.
- */
-enum hmac_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx, void *out,
- size_t out_len,
- const void *input,
- size_t input_len);
#ifdef __cplusplus
}
#endif
diff --git a/board/cr50/dcrypto/hmacsha2.h b/board/cr50/dcrypto/hmacsha2.h
index 45e5245a65..5e34b99189 100644
--- a/board/cr50/dcrypto/hmacsha2.h
+++ b/board/cr50/dcrypto/hmacsha2.h
@@ -23,6 +23,15 @@
#define SHA256_BLOCK_DWORDS (SHA256_BLOCK_SIZE / sizeof(uint64_t))
#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
+#define SHA_DIGEST_WORDS (SHA_DIGEST_SIZE / sizeof(uint32_t))
+#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
+
+#ifdef CONFIG_UPTO_SHA512
+#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_SIZE
+#else
+#define SHA_DIGEST_MAX_BYTES SHA256_DIGEST_SIZE
+#endif
+
/**
* Hash contexts. Each context starts with pointer to vtable containing
* functions to perform implementation specific operations.
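Review bot: The added block defines `SHA256_DIGEST_WORDS` a second time; the context line directly above the insertion already has `#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))`. The redefinition is token-identical, so it compiles, but it is redundant and a later edit to one copy would turn it into a conflicting redefinition. Drop the second `#define SHA256_DIGEST_WORDS` and keep only the new `SHA_DIGEST_WORDS` and `SHA_DIGEST_MAX_BYTES` lines.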
diff --git a/board/cr50/dcrypto/internal.h b/board/cr50/dcrypto/internal.h
index f2eb267e0f..e07389542c 100644
--- a/board/cr50/dcrypto/internal.h
+++ b/board/cr50/dcrypto/internal.h
@@ -9,11 +9,11 @@
#include <string.h>
#include "common.h"
-#include "crypto_common.h"
-
-#include "util.h"
-
+#include "dcrypto.h"
+#include "fips.h"
+#include "fips_rand.h"
#include "hmacsha2.h"
+#include "util.h"
#ifdef __cplusplus
extern "C" {
@@ -27,26 +27,10 @@ extern "C" {
#define CTRL_ENCRYPT 1
#define CTRL_NO_SOFT_RESET 0
-#define SHA_DIGEST_WORDS (SHA_DIGEST_SIZE / sizeof(uint32_t))
-#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
-
-#ifdef CONFIG_UPTO_SHA512
-#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_SIZE
-#else
-#define SHA_DIGEST_MAX_BYTES SHA256_DIGEST_SIZE
-#endif
-
#ifndef CHAR_BIT
#define CHAR_BIT 8
#endif
-/*
- * Use this structure to avoid alignment problems with input and output
- * pointers.
- */
-struct access_helper {
- uint32_t udata;
-} __packed;
#ifndef SECTION_IS_RO
int dcrypto_grab_sha_hw(void);
@@ -62,17 +46,12 @@ void dcrypto_sha_fifo_load(const void *data, size_t n);
#define LITE_BN_BITS2 32
#define LITE_BN_BYTES 4
-struct LITE_BIGNUM {
- uint32_t dmax; /* Size of d, in 32-bit words. */
- struct access_helper *d; /* Word array, little endian format ... */
-};
#define BN_DIGIT(b, i) ((b)->d[(i)].udata)
void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len);
-#define bn_size(b) ((b)->dmax * LITE_BN_BYTES)
#define bn_words(b) ((b)->dmax)
-#define bn_bits(b) ((b)->dmax * LITE_BN_BITS2)
+
int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b);
int bn_check_topbit(const struct LITE_BIGNUM *N);
int bn_modexp(struct LITE_BIGNUM *output,
@@ -144,20 +123,69 @@ enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx, void *out,
size_t input_len);
void drbg_exit(struct drbg_ctx *ctx);
+/**
+ * TRNG service functions
+ */
+
+/**
+ * Returns random number with indication wherever reading is valid. This is
+ * different from rand() which doesn't provide any indication.
+ * High 32-bits set to zero in case of error; otherwise value >> 32 == 1
+ * Use of uint64_t vs. struct results in more efficient code.
+ */
+uint64_t read_rand(void);
+
+/**
+ * FIPS-compliant TRNG startup.
+ * The entropy source's startup tests shall run the continuous health tests
+ * over at least 4096 consecutive samples.
+ * Note: This function can throw FIPS_FATAL_TRNG error
+ *
+ * To hide latency of reading TRNG data, this test is executed in 2 stages
+ * @param stage is 0 or 1, choosing the stage. On each stage 2048
+ * samples are processed. Assuming that some other tasks can be executed
+ * between stages, when TRNG FIFO if filled with samples.
+ *
+ * Some number of samples will be available in entropy_fifo
+ */
+bool fips_trng_startup(int stage);
+
+
+/* initialize cr50-wide DRBG replacing rand */
+bool fips_drbg_init(void);
+/* mark cr50-wide DRBG as not initialized */
+void fips_drbg_init_clear(void);
+
+/* FIPS DRBG initialized at boot time/first use. */
+extern struct drbg_ctx fips_drbg;
+
+/**
+ * Generate valid P-256 random from FIPS DRBG, reseed DRBG with entropy from
+ * verified TRNG if needed.
+ *
+ * @param drbg DRBG to use
+ * @param out output value
+ * @return HMAC_DRBG_SUCCESS if out contains random.
+ */
+enum hmac_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
+ p256_int *out);
+
+/**
+ * wrapper around hmac_drbg_generate to automatically reseed drbg
+ * when needed.
+ */
+enum hmac_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx, void *out,
+ size_t out_len,
+ const void *input,
+ size_t input_len);
+
/* Set seed for fast random number generator using LFSR. */
void set_fast_random_seed(uint32_t seed);
/* Generate week pseudorandom using LFSR for blinding purposes. */
uint32_t fast_random(void);
-/*
- * Accelerated p256. FIPS PUB 186-4
- */
-#define P256_BITSPERDIGIT 32
-#define P256_NDIGITS 8
-#define P256_NBYTES 32
-typedef uint32_t p256_digit;
typedef int32_t p256_sdigit;
typedef uint64_t p256_ddigit;
typedef int64_t p256_sddigit;
@@ -165,32 +193,11 @@ typedef int64_t p256_sddigit;
#define P256_DIGITS(x) ((x)->a)
#define P256_DIGIT(x, y) ((x)->a[y])
-/**
- * P-256 integers internally represented as little-endian 32-bit integer
- * digits in platform-specific format. On little-endian platform this would
- * be regular 256-bit little-endian unsigned integer. On big-endian platform
- * it would big-endian 32-bit digits in little-endian order.
- *
- * Defining p256_int as struct to leverage struct assignment.
- */
-typedef struct p256_int {
- union {
- p256_digit a[P256_NDIGITS];
- uint8_t b8[P256_NBYTES];
- };
-} p256_int;
-
extern const p256_int SECP256r1_nMin2;
-/* Clear a p256_int to zero. */
-void p256_clear(p256_int *a);
-
/* Check p256 is a zero. */
int p256_is_zero(const p256_int *a);
-/* Check p256 is odd. */
-int p256_is_odd(const p256_int *a);
-
/* c := a + (single digit)b, returns carry 1 on carry. */
int p256_add_d(const p256_int *a, p256_digit b, p256_int *c);
@@ -200,22 +207,6 @@ int p256_cmp(const p256_int *a, const p256_int *b);
/* Return -1 if a < b. */
int p256_lt_blinded(const p256_int *a, const p256_int *b);
-/* Outputs big-endian binary form. No leading zero skips. */
-void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES]);
-
-/**
- * Reads from big-endian binary form, thus pre-pad with leading
- * zeros if short. Input length is assumed P256_NBYTES bytes.
- */
-void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int *dst);
-
-/**
- * Reads from big-endian binary form of given size, add padding with
- * zeros if short. Check that leading digits beyond P256_NBYTES are zeroes.
- *
- * @return true if provided big-endian fits into p256.
- */
-bool p256_from_be_bin_size(const uint8_t *src, size_t len, p256_int *dst);
/**
* Raw sign with provided nonce (k). Used internally and for testing.
@@ -248,6 +239,18 @@ enum dcrypto_result dcrypto_p256_is_valid_point(const p256_int *x,
const p256_int *y)
__attribute__((warn_unused_result));
+/**
+ * Pair-wise consistency test for private and public key.
+ *
+ * @param drbg - DRBG to use for nonce generation
+ * @param d - private key (scalar)
+ * @param x - public key part
+ * @param y - public key part
+ * @return !0 on success
+ */
+int DCRYPTO_p256_key_pwct(struct drbg_ctx *drbg, const p256_int *d,
+ const p256_int *x, const p256_int *y);
+
/* Wipe content of rnd with pseudo-random values. */
void p256_fast_random(p256_int *rnd);
@@ -291,11 +294,6 @@ void dcrypto_imem_load(size_t offset, const uint32_t *opcodes,
*/
uint32_t dcrypto_dmem_load(size_t offset, const void *words, size_t n_words);
-/**
- * An implementation of memset that ought not to be optimized away;
- * useful for scrubbing security sensitive buffers.
- */
-void *always_memset(void *s, int c, size_t n);
#ifndef __alias
#define __alias(func) __attribute__((alias(#func)))
diff --git a/board/cr50/dcrypto/p256.c b/board/cr50/dcrypto/p256.c
index 49c2fe4b2b..cfbf068b7a 100644
--- a/board/cr50/dcrypto/p256.c
+++ b/board/cr50/dcrypto/p256.c
@@ -3,8 +3,8 @@
* found in the LICENSE file.
*/
-#include "dcrypto.h"
#include "endian.h"
+#include "internal.h"
const p256_int SECP256r1_nMin2 = /* P-256 curve order - 2 */
{ .a = { 0xfc632551 - 2, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, -1, -1, 0,
diff --git a/board/cr50/dcrypto/p256_ec.c b/board/cr50/dcrypto/p256_ec.c
index b681d7ddef..5c7f355a67 100644
--- a/board/cr50/dcrypto/p256_ec.c
+++ b/board/cr50/dcrypto/p256_ec.c
@@ -2,12 +2,7 @@
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
-
-#include "dcrypto.h"
-#include "fips.h"
-#include "fips_rand.h"
-
-#include <stdint.h>
+#include "internal.h"
/* p256_base_point_mul sets {out_x,out_y} = nG, where n is < the
* order of the group. */
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 21997f07fc..e8f6584c69 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -7,9 +7,7 @@
#include "console.h"
#endif
-#include "dcrypto.h"
-#include "fips.h"
-#include "fips_rand.h"
+#include "internal.h"
#include "u2f_cmds.h"
#include "u2f_impl.h"
diff --git a/board/cr50/dcrypto/x509.c b/board/cr50/dcrypto/x509.c
index 9005325a3e..6c4a8f0b15 100644
--- a/board/cr50/dcrypto/x509.c
+++ b/board/cr50/dcrypto/x509.c
@@ -3,9 +3,7 @@
* found in the LICENSE file.
*/
-#include "dcrypto.h"
-
-#include <stdint.h>
+#include "internal.h"
/* Limit the size of long form encoded objects to < 64 kB. */
#define MAX_ASN1_OBJ_LEN_BYTES 3
diff --git a/board/cr50/tpm2/aes.c b/board/cr50/tpm2/aes.c
index 5fe431222a..7adca75f3b 100644
--- a/board/cr50/tpm2/aes.c
+++ b/board/cr50/tpm2/aes.c
@@ -4,7 +4,9 @@
*/
#include "CryptoEngine.h"
+#include "common.h"
#include "dcrypto.h"
+#include "util.h"
#include <assert.h>
diff --git a/board/cr50/tpm2/hkdf.c b/board/cr50/tpm2/hkdf.c
index dcc494af16..d950d865ab 100644
--- a/board/cr50/tpm2/hkdf.c
+++ b/board/cr50/tpm2/hkdf.c
@@ -4,6 +4,7 @@
*/
#include "dcrypto.h"
+#include "util.h"
#ifdef CRYPTO_TEST_SETUP
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 0dc0404b79..78cc3562de 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -8,8 +8,7 @@
#include "Hierarchy_fp.h"
#include "dcrypto.h"
-#include "trng.h"
-
+#include "util.h"
#include <assert.h>
diff --git a/common/ccd_config.c b/common/ccd_config.c
index d009acfd92..12e88689ad 100644
--- a/common/ccd_config.c
+++ b/common/ccd_config.c
@@ -21,6 +21,7 @@
#include "tpm_registers.h"
#include "tpm_vendor_cmds.h"
#include "wp.h"
+#include "util.h"
#define CPRINTS(format, args...) cprints(CC_CCD, format, ## args)
#define CPRINTF(format, args...) cprintf(CC_CCD, format, ## args)
diff --git a/test/u2f.c b/test/u2f.c
index ddaba0e8dd..36c1b5a1d4 100644
--- a/test/u2f.c
+++ b/test/u2f.c
@@ -8,6 +8,9 @@
#include "test_util.h"
#include "u2f_impl.h"
+#include "internal.h"
+#include "util.h"
+
/******************************************************************************/
/* Mock implementations of cr50 board.
*/