authorVadim Sukhomlinov <sukhomlinov@google.com>2021-08-19 09:04:45 -0700
committerCommit Bot <commit-bot@chromium.org>2021-08-23 22:36:40 +0000
commit93017e6d8a63ce28a71f59d9f1ea7a733be6926a (patch)
tree57c6cdf793a7e9f72a61c64d4d350e00784c47b6 /board/cr50/board.c
parent8ee57eba1e47bee8f46d85f5ad4232208acb552a (diff)
cr50: replace direct calls to EC OS from FIPS module with callbacks
In order to implement a self-integrity test for the FIPS module we need to make sure the binary code of the module in the image doesn't change from build to build. To do that we already place the FIPS module at a constant address. However, any call to a function outside the module creates a relocation which changes depending on the location of that external function in the image. To prevent that we either need to bring these functions into the module, as was done with memcpy() and some others, or replace their invocations with callbacks. Task & Memory management functions are hard to bring into the module, so replace a few invocations with indirect calls using a vtable. This way the invocation code will remain the same. 1. Identify and minimize dependency on EC OS - remove a few asserts and cprintfs. 2. Remove checking privilege level in TRNG init - we know that it is high by the order of initialization in board_init() and that our RO doesn't drop permissions. Correct initialization of TRNG is important for certification, so we can't just assume it may be initialized improperly. 3. Added vtable with EC OS functions, initialization of FIPS module vtable in board_init(). 4. Switched to using vtable instead of direct calls. Note, we continue to use EC OS with CRYPTO_TEST=1 to reduce vtable size and image size. BUG=b:138578318 TEST=make BOARD=cr50; tests Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: Ibd7bd2353fc4e7e5886f9bfef96b36dc64ff2359 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3107847 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'board/cr50/board.c')
-rw-r--r--board/cr50/board.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/board/cr50/board.c b/board/cr50/board.c
index 96f90f6cee..a564efae02 100644
--- a/board/cr50/board.c
+++ b/board/cr50/board.c
@@ -14,7 +14,9 @@
#include "endian.h"
#include "extension.h"
#include "fips_rand.h"
+#include "fips.h"
#include "flash.h"
+#include "flash_log.h"
#include "flash_config.h"
#include "gpio.h"
#include "ite_sync.h"
@@ -29,6 +31,7 @@
#include "recovery_button.h"
#include "registers.h"
#include "scratch_reg1.h"
+#include "shared_mem.h"
#include "signed_header.h"
#include "spi.h"
#include "system.h"
@@ -43,6 +46,7 @@
#include "usb_i2c.h"
#include "usb_spi.h"
#include "util.h"
+#include "watchdog.h"
#include "wp.h"
/* Define interrupt and gpio structs */
@@ -840,6 +844,28 @@ static void board_init(void)
#else
static enum ccd_state ccd_init_state = CCD_STATE_LOCKED;
#endif
+ static const struct fips_vtable fips_module_vtable = {
+ .shared_mem_acquire = shared_mem_acquire,
+ .shared_mem_release = shared_mem_release,
+#ifdef CONFIG_FLASH_LOG
+ .flash_log_add_event = flash_log_add_event,
+#endif
+ .get_time = get_time,
+ .task_enable_irq = task_enable_irq,
+ .task_wait_event_mask = task_wait_event_mask,
+ .task_set_event = task_set_event,
+ .task_get_current = task_get_current,
+ .task_start_irq_handler = task_start_irq_handler,
+ .task_resched_if_needed = task_resched_if_needed,
+ .mutex_lock = mutex_lock,
+ .mutex_unlock = mutex_unlock,
+#ifdef CONFIG_WATCHDOG
+ .watchdog_reload = watchdog_reload
+#endif
+ };
+
+ /* Provide callbacks to FIPS module as soon as possible. */
+ fips_set_callbacks(&fips_module_vtable);
/*
* Deep sleep resets should be considered valid and should not impact
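Review bot: The `.flash_log_add_event` and `.watchdog_reload` initializers in `fips_module_vtable` are compiled out when `CONFIG_FLASH_LOG` or `CONFIG_WATCHDOG` is undefined, and what the FIPS module then sees depends on how `struct fips_vtable` is declared in fips.h, which is not visible here. If those members are declared unconditionally they are NULL in such builds, and an indirect call through them from the crypto module is undefined behaviour rather than a clean failure, so the module side should carry the same `#ifdef` or test the pointer before calling. The comment above `fips_set_callbacks()` could also state the ordering invariant it relies on, e.g. `/* Must run before any FIPS module entry point is used; the module has no callbacks until then. */`. board_init() starts and ends outside this hunk.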
@@ -850,6 +876,7 @@ static void board_init(void)
configure_board_specific_gpios();
init_pmu();
reset_wake_logic();
+ /* It is important to init TRNG before dropping run level. */
fips_init_trng();
maybe_trigger_ite_sync();
init_jittery_clock(1);
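Review bot: The new comment above `fips_init_trng()` says the ordering is important but not why, and per the commit description the privilege-level check inside TRNG init was removed, so this comment is now the only thing guarding that ordering. I would spell out the dependency, e.g. `/* fips_init_trng() no longer checks the run level itself; it must stay ahead of the point where board_init() drops it. */`, and name the call that drops the run level, which is not visible in this hunk. If `fips_init_trng()` reports a status, checking it here would keep a later reorder from leaving the TRNG misconfigured unnoticed; whether it returns one cannot be told from these lines.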