diff options
| author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2021-08-26 14:57:06 -0700 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2021-08-31 17:06:06 +0000 |
| commit | 8ddc58e3ce801e2ce72e78fc28bf026436dc22b2 (patch) | |
| tree | 2547ea394f34b70c81b9470475998a7e1d04d9ca /board/cr50/dcrypto/dcrypto.h | |
| parent | 6b7b22bc5abf09c823451f12b50559c197ed6c32 (diff) | |
| download | chrome-ec-8ddc58e3ce801e2ce72e78fc28bf026436dc22b2.tar.gz | |
cr50: merge crypto_enabled() and fips_crypto_allowed()
We need to block access to all crypto in case of FIPS errors. There are
multiple steps to implement, this is one of few.
There is common API crypto_enabled() which is used by nvmem and some
other functions to check wherever access to crypto is possible.
This is same intent as fips_crypto_allowed(), though the latter checks
for FIPS KAT errors, while the former checks only key ladder status.
Here we make all FIPS errors to revoke access from key ladder, and
fips_crypto_allowed() to check key ladder status. This way we also
ensure that in case of FIPS errors access to device secrets will be
blocked.
We moved crypto_api.c from chip/g to board/cr50 to move crypto_enabled()
into fips.c and alias it to fips_crypto_enabled().
crypto_api.h is no longer included from dcrypto.h, and compile time
assert for cipher salt size is moved to proper place.
Since crypto is used by nvmem_init(), move FIPS power-up tests earlier
to ensure nvmem_init() can access crypto.
BUG=b:197893750
TEST=make CRYPTO_TEST=1; tpm_test; check nvmem is properly initialized
on board_init().
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: If70c2a21d61348bd97a47e26db5d8eec08bbf8ed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123836
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/dcrypto.h')
| -rw-r--r-- | board/cr50/dcrypto/dcrypto.h | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/board/cr50/dcrypto/dcrypto.h b/board/cr50/dcrypto/dcrypto.h index ef3c778398..b94bbd7eb3 100644 --- a/board/cr50/dcrypto/dcrypto.h +++ b/board/cr50/dcrypto/dcrypto.h @@ -15,8 +15,6 @@ extern "C" { #include "internal.h" -#include "crypto_api.h" - #include <stddef.h> enum cipher_mode { @@ -396,10 +394,6 @@ void DCRYPTO_appkey_finish(struct APPKEY_CTX *ctx); int DCRYPTO_appkey_derive(enum dcrypto_appid appid, const uint32_t input[8], uint32_t output[8]); -/* Number of bytes in the salt object. */ -#define DCRYPTO_CIPHER_SALT_SIZE 16 -BUILD_ASSERT(DCRYPTO_CIPHER_SALT_SIZE == CIPHER_SALT_SIZE); - /* * Encrypt/decrypt a flat blob. * |