authorVadim Sukhomlinov <sukhomlinov@google.com>2021-09-01 17:41:09 -0700
committerCommit Bot <commit-bot@chromium.org>2021-09-04 15:51:35 +0000
commitb1c486b80bf708b10c0a48a91ef255ac72e38076 (patch)
tree476b5d74771a72934e29eb8b2803567477e0eef5
parent11cde7e43585cdd15577683aedeef0731539b0eb (diff)
downloadchrome-ec-b1c486b80bf708b10c0a48a91ef255ac72e38076.tar.gz
cr50: remove drbg_exit() from dcrypto_p256_ecdsa_sign()
P-256 signing requires a random nonce, which is generated from the provided DRBG. The implementation of dcrypto_p256_ecdsa_sign() cleared the DRBG once the nonce was successfully created. This works fine when the DRBG is instantiated just for the purpose of signing this particular message, but doesn't work if we want to use a system-wide DRBG that is instantiated and reseeded as needed, as we want for FIPS. Instantiating a DRBG using entropy from the TRNG is a relatively expensive operation which we can avoid this way. Moving DRBG management outside ECDSA Sign makes it clearer. Now the caller is responsible for what to do with the DRBG, which allows further updates with automated reseeding if ECDSA Sign fails due to the DRBG. In tpm2/ecc.c we can now replace DRBG instantiation with use of the FIPS DRBG created during initialization. Still more changes are needed to fully switch to DRBG use for key gen, as we need to handle reseeds properly. BUG=b:138577416 TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I092b18cde5f6a8aede0a65e24a892dda9de7afa2 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138384 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/dcrypto/dcrypto_p256.c1
-rw-r--r--board/cr50/dcrypto/x509.c5
-rw-r--r--board/cr50/tpm2/ecc.c5
3 files changed, 6 insertions, 5 deletions
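--- a/board/cr50/dcrypto/dcrypto_p256.c
+++ b/board/cr50/dcrypto/dcrypto_p256.c
@@ -150,7 +150,6 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key,
 /* Pick uniform 0 < k < R */
 result |= (p256_hmac_drbg_generate(drbg, &k) != HMAC_DRBG_SUCCESS);
-drbg_exit(drbg);
 CP8WB(k, &k, &rnd);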
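Review bot: Dropping drbg_exit() here changes the contract of dcrypto_p256_ecdsa_sign() without saying so anywhere in the code: the caller now owns the DRBG state after the call, and for the RFC6979 path that state is seeded from the private key and message hash, so leaving it uncleared is a key-material lifetime question, not just a resource one. The declaration's header comment (outside this hunk) should state it, e.g. `/* Does not exit or clear the DRBG: the caller owns its lifecycle and must call drbg_exit() when the state, which may be key-derived, is no longer needed. */`. The two callers touched by this commit are adjusted, but any other caller of dcrypto_p256_ecdsa_sign() not in this diff would now silently keep DRBG state alive, which is worth a repository-wide check before merging. The body of dcrypto_p256_ecdsa_sign() begins before this hunk and continues after it.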
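--- a/board/cr50/dcrypto/x509.c
+++ b/board/cr50/dcrypto/x509.c
@@ -428,6 +428,7 @@ int DCRYPTO_x509_gen_u2f_cert_name(const p256_int *d, const p256_int *pk_x,
 struct sha256_ctx sha;
 p256_int h, r, s;
 struct drbg_ctx drbg;
+int result;
 SEQ_START(ctx, V_SEQ, SEQ_LARGE) { /* outer seq */
 /*
@@ -517,7 +518,9 @@ int DCRYPTO_x509_gen_u2f_cert_name(const p256_int *d, const p256_int *pk_x,
 SHA256_update(&sha, body, (ctx.p + ctx.n) - body);
 p256_from_bin(SHA256_final(&sha)->b8, &h);
 hmac_drbg_init_rfc6979(&drbg, d, &h);
-if (!dcrypto_p256_ecdsa_sign(&drbg, d, &h, &r, &s))
+result = dcrypto_p256_ecdsa_sign(&drbg, d, &h, &r, &s);
+drbg_exit(&drbg);
+if (!result)
 return 0;
 /* Append X509 signature */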
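Review bot: Placing `drbg_exit(&drbg);` between the sign call and `if (!result)` is the right order, since the early `return 0` would otherwise skip it, but nothing in the second hunk says why the exit must run unconditionally, and a later edit could easily fold it into the success path. A one-line comment above it, `/* Clear the RFC6979 state (derived from d and h) on every path before returning. */`, would pin the intent. Whether drbg_exit() actually zeroizes the context or only marks it uninitialised is not visible in this diff; if it is the latter, the key-derived state stays in the stack frame of DCRYPTO_x509_gen_u2f_cert_name() until overwritten, which is worth confirming against its definition. The `int result;` added in the first hunk follows the file's top-of-block declaration style, so no change there. DCRYPTO_x509_gen_u2f_cert_name() starts before the first hunk and continues after the second.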
diff --git a/board/cr50/tpm2/ecc.c b/board/cr50/tpm2/ecc.c
index 39d5dcf607..90a6dac08b 100644
--- a/board/cr50/tpm2/ecc.c
+++ b/board/cr50/tpm2/ecc.c
@@ -9,6 +9,7 @@
#include "CryptoEngine.h"
#include "TPMB.h"
+#include "fips_rand.h"
#include "trng.h"
#include "util.h"
#include "dcrypto.h"
@@ -264,7 +265,6 @@ CRYPT_RESULT _cpri__SignEcc(
const size_t digest_len = MIN(digest->size, sizeof(digest_local));
p256_int p256_digest;
int result;
- struct drbg_ctx drbg;
if (curve_id != TPM_ECC_NIST_P256)
return CRYPT_PARAMETER;
@@ -284,8 +284,7 @@ CRYPT_RESULT _cpri__SignEcc(
reverse_tpm2b(&d->b);
append_zeros_to_p256_param(d);
- hmac_drbg_init_rand(&drbg, 512);
- result = dcrypto_p256_ecdsa_sign(&drbg,
+ result = fips_p256_ecdsa_sign(
(p256_int *) d->b.buffer,
&p256_digest,
(p256_int *) r->b.buffer,