authorVadim Sukhomlinov <sukhomlinov@google.com>2022-01-28 19:57:45 -0800
committerCommit Bot <commit-bot@chromium.org>2022-01-31 23:21:40 +0000
commitff49166b382db46f31b8bf1be12196439bc90d02 (patch)
tree80fd99dfc52e8d98f732731a2405062fe9155d56 /board/cr50/dcrypto/fips.h
parent12d62b7996952bb8108af286e312481cecad02a1 (diff)
1. ECDSA pair-wise consistency test failure wasn't updating FIPS status. Added new failure bit FIPS_FATAL_ECDSA_PWCT. 2. ECDSA KAT was only simulating error in verify, but not in sign. Split 'fips ecdsa' into 'fips ecver' and 'fips ecsign'. 3. Added a way to introduce self-integrity error by not updating FIPS module digest with 'FIPS_BREAK=1' during build. 4. Added reporting of FIPS module digest. BUG=b:134594373 TEST=make CRYPTO_TEST=1; in ccd test: fips pwct; tpm_test.py should fail; fips should print error. - fips ecver; fips test reports ECDSA error fips ecsign; fips test reports ECDSA error - FIPS module digest is printed - FIPS_BREAK=1 make CRYPTO_TEST=1 produce build with zero digest reporting FIPS self-integrity error. Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: Ib0a92c118f07a76e4b52eaf9b011ff4f73a02c61 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3425998 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Mary Ruthven <mruthven@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/fips.h')
-rw-r--r--board/cr50/dcrypto/fips.h26
1 files changed, 12 insertions, 14 deletions
diff --git a/board/cr50/dcrypto/fips.h b/board/cr50/dcrypto/fips.h
index cfd39bb1fc..ca1fd689f0 100644
--- a/board/cr50/dcrypto/fips.h
+++ b/board/cr50/dcrypto/fips.h
@@ -37,14 +37,10 @@ enum fips_status {
#endif
FIPS_FATAL_SELF_INTEGRITY = 1 << 10,
FIPS_FATAL_BN_MATH = 1 << 11,
+ FIPS_FATAL_ECDSA_PWCT = 1 << 12,
FIPS_FATAL_OTHER = 1 << 15,
-/* For CRYPTO_TEST ignore self-integrity errors. */
-#ifdef CRYPTO_TEST_SETUP
- FIPS_ERROR_MASK = 0xffff & ~FIPS_FATAL_SELF_INTEGRITY,
-#else
FIPS_ERROR_MASK = 0xffff,
-#endif
FIPS_RFU_MASK = 0x7fff0000
};
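Review bot: The new `FIPS_FATAL_ECDSA_PWCT = 1 << 12` member has no comment, and with the CRYPTO_TEST_SETUP branch removed, `FIPS_ERROR_MASK = 0xffff` is now the single hand-written definition of which bits count as errors. I would add `/* ECDSA pair-wise consistency test failed. */` above the new member and `/* Must cover every FIPS_FATAL_* bit; a flag outside this mask would presumably go unreported. */` above the mask. How the mask is consumed is not visible on this page, so that second comment should be checked against its users. Bits 13 and 14 are still unassigned, so the literal is correct for the members shown; enum fips_status starts above the hunk, so earlier members are not visible here.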
@@ -56,13 +52,14 @@ enum fips_break {
FIPS_BREAK_SHA256 = 2,
FIPS_BREAK_HMAC_SHA256 = 3,
FIPS_BREAK_HMAC_DRBG = 4,
- FIPS_BREAK_ECDSA = 5,
- FIPS_BREAK_ECDSA_PWCT = 6,
+ FIPS_BREAK_ECDSA_VER = 5,
+ FIPS_BREAK_ECDSA_SIGN = 6,
+ FIPS_BREAK_ECDSA_PWCT = 7,
#ifdef CONFIG_FIPS_AES_CBC_256
- FIPS_BREAK_AES256 = 7,
+ FIPS_BREAK_AES256 = 8,
#endif
#ifdef CONFIG_FIPS_RSA2048
- FIPS_BREAK_RSA2048 = 8,
+ FIPS_BREAK_RSA2048 = 9,
#endif
};
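Review bot: Inserting `FIPS_BREAK_ECDSA_SIGN = 6` in the middle renumbers every later member (`FIPS_BREAK_ECDSA_PWCT` 6 to 7, `FIPS_BREAK_AES256` 7 to 8, `FIPS_BREAK_RSA2048` 8 to 9), and the `enum fips_cmd` hunk that follows does the same, ending with `FIPS_CMD_NO_BREAK` 11 to 12. If any host-side script sends these numbers directly (the description mentions tpm_test.py, which is not part of this page), a caller built against the old header would silently select a different simulated failure. For example, the old "no break" value 11 now means the RSA2048 break when CONFIG_FIPS_RSA2048 is defined. Either confirm that every consumer is updated in the same change, or keep the existing values and append the new ones, e.g. `FIPS_BREAK_ECDSA_SIGN = 9,` and `FIPS_CMD_BREAK_ECDSA_SIGN = 12,`. Both enums start outside their hunks, so the earlier members are not visible here.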
@@ -82,15 +79,16 @@ enum fips_cmd {
FIPS_CMD_BREAK_SHA256 = 4,
FIPS_CMD_BREAK_HMAC_SHA256 = 5,
FIPS_CMD_BREAK_HMAC_DRBG = 6,
- FIPS_CMD_BREAK_ECDSA = 7,
- FIPS_CMD_BREAK_ECDSA_PWCT = 8,
+ FIPS_CMD_BREAK_ECDSA_VER = 7,
+ FIPS_CMD_BREAK_ECDSA_SIGN = 8,
+ FIPS_CMD_BREAK_ECDSA_PWCT = 9,
#ifdef CONFIG_FIPS_AES_CBC_256
- FIPS_CMD_BREAK_AES256 = 9,
+ FIPS_CMD_BREAK_AES256 = 10,
#endif
#ifdef CONFIG_FIPS_RSA2048
- FIPS_CMD_BREAK_RSA2048 = 10,
+ FIPS_CMD_BREAK_RSA2048 = 11,
#endif
- FIPS_CMD_NO_BREAK = 11
+ FIPS_CMD_NO_BREAK = 12
};
/* These symbols defined in core/cortex-m/ec.lds.S. */