diff options
| author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2022-01-28 19:57:45 -0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2022-01-31 23:21:40 +0000 |
| commit | ff49166b382db46f31b8bf1be12196439bc90d02 (patch) | |
| tree | 80fd99dfc52e8d98f732731a2405062fe9155d56 /board/cr50/dcrypto/p256_ec.c | |
| parent | 12d62b7996952bb8108af286e312481cecad02a1 (diff) | |
| download | chrome-ec-ff49166b382db46f31b8bf1be12196439bc90d02.tar.gz | |
cr50: update FIPS module based on operational testing findingsstabilize-14498.B-cr50_stabstabilize-14496.B-cr50_stabfirmware-brya-14505.B-cr50_stabfirmware-brya-14505.71.B-cr50_stab
1. ECDSA pair-wise consistency test failure wasn't updating FIPS status.
Added new failure bit FIPS_FATAL_ECDSA_PWCT.
2. ECDSA KAT was only simulating error in verify, but not in sign.
Split 'fips ecdsa' into 'fips ecver' and 'fips ecsign'.
3. Added a way to introduce self-integrity error by not updating FIPS
module digest with 'FIPS_BREAK=1' during build.
4. Added reporting of FIPS module digest.
BUG=b:134594373
TEST=make CRYPTO_TEST=1;
in ccd test:
fips pwct; tpm_test.py should fail; fips should print error.
-
fips ecver; fips test reports ECDSA error
fips ecsign; fips test reports ECDSA error
-
FIPS module digest is printed
-
FIPS_BREAK=1 make CRYPTO_TEST=1 produce build with zero digest
reporint FIPS self-integrity error.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ib0a92c118f07a76e4b52eaf9b011ff4f73a02c61
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3425998
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/p256_ec.c')
| -rw-r--r-- | board/cr50/dcrypto/p256_ec.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/board/cr50/dcrypto/p256_ec.c b/board/cr50/dcrypto/p256_ec.c index ac39813abb..6fae0cb52c 100644 --- a/board/cr50/dcrypto/p256_ec.c +++ b/board/cr50/dcrypto/p256_ec.c @@ -117,10 +117,18 @@ enum dcrypto_result dcrypto_p256_key_pwct(struct drbg_ctx *drbg, #endif result = dcrypto_p256_fips_sign_internal(drbg, d, &message, &r, &s); - if (result != DCRYPTO_OK) + if (result != DCRYPTO_OK) { + fips_set_status(FIPS_FATAL_ECDSA_PWCT); return result; + } + + result = dcrypto_p256_ecdsa_verify(x, y, &message, &r, &s); + if (result != DCRYPTO_OK) { + fips_set_status(FIPS_FATAL_ECDSA_PWCT); + return result; + } - return dcrypto_p256_ecdsa_verify(x, y, &message, &r, &s); + return result; } /** |