author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2023-02-19 11:41:09 -0800 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-02-20 01:55:47 +0000 |
commit | 81541ac95446d126b562ee067d1196d4035cf054 (patch) | |
tree | 7c587e2a52cfc09fa376e0347bc9d4c73e3f36b9 | |
parent | f24055ddd803f994adb767932c254939720dbe61 (diff) | |
cr50: fix zeroization of U2F secrets
Due to incorrect flags for the TPM2 objects, the U2F secrets were not fully
zeroized (they were, however, overwritten when a new owner was set). This does not affect G2F.
BUG=b:268382629
TEST=make CRYPTO_TEST=1 U2F_TEST=1
fips del
fips old
fips u2f # prints old keys
u2f_test # all tests passed
fips del
fips new
fips u2f # print new key size
u2f_test # all tests passed
fips del
fips u2f # prints 0 sizes for u2f secrets
Change-Id: I2549dd5fd20937170c9b8d87363d90b138fdc4dc
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4269450
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Code-Coverage: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r-- | board/cr50/u2f_state_load.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/board/cr50/u2f_state_load.c b/board/cr50/u2f_state_load.c
index b9ff9ec178..d63194f65d 100644
--- a/board/cr50/u2f_state_load.c
+++ b/board/cr50/u2f_state_load.c
@@ -172,12 +172,14 @@ enum ec_error_list u2f_gen_kek_seed(void)
 }
 /* Can't include TPM2 headers, so just define constant locally. */
-#define HR_NV_INDEX (1U << 24)
+#define TPM_HT_HIDDEN ((uint8_t)0xfe)
+#define HR_SHIFT 24
+#define HR_HIDDEN (TPM_HT_HIDDEN << HR_SHIFT)
 enum ec_error_list u2f_zeroize_keys(void)
 {
- const uint32_t u2fobjs[] = { TPM_HIDDEN_U2F_KEK | HR_NV_INDEX,
- TPM_HIDDEN_U2F_KH_SALT | HR_NV_INDEX, 0 };
+ const uint32_t u2fobjs[] = { TPM_HIDDEN_U2F_KEK | HR_HIDDEN,
+ TPM_HIDDEN_U2F_KH_SALT | HR_HIDDEN, 0 };
 enum ec_error_list result1, result2; |