author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2020-07-27 14:42:55 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-07-29 06:54:48 +0000 |
commit | 7c6ed95d0f454d5496f8104d5cb4244c3999b5b5 (patch) | |
tree | 9416281449431960e18165457b0f825ac9f20c69 /board/cr50/fips.c | |
parent | 623a6f4730414586a376faa7cc16aa239590f3c2 (diff) | |
fips: move FIPS error injection under CR50_DEV
Prevent access to FIPS CCD commands which can inject errors
due to unclear security impact. Instead, made them available
only in CR50_DEV builds. Same with vendor commands - moved them
from CRYPTO_TEST to under CR50_DEV.
BUG=b:138577491
TEST=help fips, fips sha/trng - ignored
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ic86db02f2c9c5abbea8f3f23ee56a5f5f570e177
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2321344
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/fips.c')
-rw-r--r-- | board/cr50/fips.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/board/cr50/fips.c b/board/cr50/fips.c
index 5844a1d637..c0f22f0ca6 100644
--- a/board/cr50/fips.c
+++ b/board/cr50/fips.c
@@ -757,17 +757,18 @@ static int cmd_fips_status(int argc, char **argv)
 if (argc == 2) {
 if (!strncmp(argv[1], "on", 2))
 fips_set_policy(true);
-#ifdef CR50_DEV
- else if (!strncmp(argv[1], "off", 3))
- fips_set_policy(false);
-#endif
 else if (!strncmp(argv[1], "test", 4)) {
 fips_print_test_time(fips_power_up_tests());
 fips_print_mode();
- } else if (!strncmp(argv[1], "trng", 4))
+ }
+#ifdef CR50_DEV
+ else if (!strncmp(argv[1], "off", 3))
+ fips_set_policy(false);
+ else if (!strncmp(argv[1], "trng", 4))
 fips_break_cmd = FIPS_BREAK_TRNG;
 else if (!strncmp(argv[1], "sha", 3))
 fips_break_cmd = FIPS_BREAK_SHA256;
+#endif
 }
 return 0;
 }
@@ -776,7 +777,7 @@ DECLARE_SAFE_CONSOLE_COMMAND(fips, cmd_fips_status,
 #ifdef CR50_DEV
 "[on | off | test | trng | sha]",
 #else
- "[on | test | trng | sha]",
+ "[on | test]",
 #endif
 "Report or change FIPS status, run tests, simulate errors");
 
@@ -814,7 +815,7 @@ static enum vendor_cmd_rc fips_cmd(enum vendor_cmd_cc code, void *buf,
 memcpy(buf, &fips_reverse, sizeof(fips_reverse));
 *response_size = sizeof(fips_reverse);
 break;
-#ifdef CRYPTO_TEST_SETUP
+#ifdef CR50_DEV
 case FIPS_CMD_BREAK_TRNG:
 fips_break_cmd = FIPS_BREAK_TRNG;
 break; |
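Review bot: In a build without CR50_DEV, `fips off`, `fips trng` and `fips sha` now fall through the `else if` chain in `cmd_fips_status` and reach `return 0;`, so the console reports success for a request it silently ignored. A test script or operator cannot tell "error injection armed" from "argument dropped". Adding `else return EC_ERROR_PARAM1;` after the `#endif` would make the rejection explicit in both configurations. Separately, the `strncmp` calls match on prefix only (for example `only` is accepted as `on`), so an exact `strcmp` would be tighter for a command that changes FIPS policy. The function begins above the hunk, so any earlier argument handling is not visible here.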
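Review bot: The description string passed to `DECLARE_SAFE_CONSOLE_COMMAND` still ends with "simulate errors" in both configurations, although after this change a non-CR50_DEV build accepts only `on` and `test`. Moving the description inside the existing `#ifdef`/`#else`, so that the production text reads `"Report or change FIPS status, run tests"`, keeps the help output consistent with what the command actually accepts.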
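Review bot: Nothing in this hunk shows what `fips_cmd` returns in a production build once the `FIPS_CMD_BREAK_TRNG` case is compiled out; the `switch` default and the closing `#endif` are outside the hunk. If the default branch reports success, a host tool would believe error injection was armed when it was not, so it is worth confirming that unknown subcommands return an explicit failure code. A one-line comment above the guard, e.g. `/* Error injection is dev-only: never reachable in production images. */`, would also record why the guard moved from CRYPTO_TEST_SETUP to CR50_DEV.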