cr50: switch to using DRBG for key generation purposes.

An "Approved" RNG listed in FIPS 140-2 Annex C must be used for the
generation of random data or cryptographic keys used by an approved
security function. Detailed information and guidance on Key Generation
can be found in NIST SP 800-133 and FIPS 140-2 IG 7.8 and D.12.

Many of function use raw entropy from TRNG without any health tests or
even checking returned status, as old API didn't provide any indication
of failure.

With this patch we remove old API: rand() and rand_bytes() and expose
new API:
fips_rand_bytes() - generation of random bits from properly instantiated
and reseeded as needed DRBG.
fips_trng_bytes() - generation of entropy from TRNG with statistical
testing and checking for TRNG failures.
fips_trng_rand32() - generation of 32 bits from TRNG with health check
and indication of status.

ccd, rsa, ecc, pinweaver, rma_auth are updated to use new APIs.

These functions are moved into dcrypto.h which will become "Public API"
for the module.

trng_test vendor command moved to dcrypto/trng.c where it belongs.

BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest.py
TCG tests.
-------------------------- Test Result Summary -------------------------
  Test executed on:		Thu Sep 16 10:16:59 2021
  Performed Tests:		248
  Passed Tests:			248
  Failed Tests:			0
  Errors:			0
  Warnings:			0
======================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>

Change-Id: I80d103ead1962ee388df5cabfabe0498d8d06d38
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165870
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>

1 files changed, 51 insertions, 0 deletions

diff --git a/board/cr50/dcrypto/dcrypto.h b/board/cr50/dcrypto/dcrypto.h
index d65bbea0c6..b89eccd84e 100644
--- a/board/cr50/dcrypto/dcrypto.h
+++ b/board/cr50/dcrypto/dcrypto.h
@@ -459,6 +459,57 @@ int DCRYPTO_app_cipher(enum dcrypto_appid appid, const void *salt, void *out,
  */
 int DCRYPTO_ladder_is_enabled(void);
 
+/**
+ * Random number generation functions.
+ */
+
+/**
+ * Returns random number from TRNG with indication wherever reading is valid.
+ * This is different from rand() which doesn't provide any indication.
+ * High 32-bits set to zero in case of error; otherwise value >> 32 == 1
+ * Use of uint64_t vs. struct results in more efficient code.
+ * Random is passed continuous TRNG health tests.
+ *
+ * @return uint64_t, low 32 bits - random  high 32 bits - validity status
+ */
+uint64_t fips_trng_rand32(void);
+
+/**
+ * Return true if fips_trng_rand() result contains valid random from TRNG.
+ * @param rand value from fips_trng_rand32() or read_rand()
+ *
+ * @return true if rand contains valid random
+ */
+
+static inline bool rand_valid(uint64_t rand)
+{
+	return (rand >> 32) != 0;
+}
+
+/**
+ * Fill buffer with FIPS health checked randoms directly from TRNG.
+ *
+ * @param buffer buffer to fill
+ * @param len size of buffer in bytes
+ * @return true if successful
+ * @return false if TRNG failed, values didn't pass health test
+ *         or module crypto failed
+ */
+bool fips_trng_bytes(void *buffer, size_t len)
+	__attribute__((warn_unused_result));
+
+/**
+ * Fill buffer with random bytes from FIPS-compliant HMAC_DRBG_SHA256,
+ * instantiated during system start-up and reseeded as needed.
+ *
+ * @param buffer buffer to fill
+ * @param len size of buffer in bytes
+ * @return true if successful
+ * @return false if any errors occurred or module crypto failed
+ */
+bool fips_rand_bytes(void *buffer, size_t len)
+	__attribute__((warn_unused_result));
+
 #ifdef __cplusplus
 }
 #endif