authorVadim Bendebury <vbendeb@chromium.org>2018-05-10 21:41:33 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-05-16 12:41:38 -0700
commit607865dca4965720feec5cb0d3a9148e4ab69b29 (patch)
tree104d44d8b4cd189acc71141ee5e54a5471c7bcbf /board/cr50/tpm2
parentd9354c9cd980ce2d57b8b4ccdad921054579ae99 (diff)
cr50: in dev mode allow unverified certificates
When running an image signed with dev keys and the fallback certificate is not available, proceed with installing an unverified root certificate. This at least allows basic TPM functions, like storing objects in NVMEM, to keep working. Added a new return value to indicate this condition. BRANCH=cr50, cr50-mp BUG=none TEST=verified that it is possible to switch chromebook between prod and dev modes when running with a dev signed Cr50. Change-Id: I5b16d0bcbcfb25368f65075e1d2d485a69cb729f Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1054990 Reviewed-by: Nagendra Modadugu <ngm@google.com> Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'board/cr50/tpm2')
-rw-r--r--board/cr50/tpm2/endorsement.c47
1 files changed, 33 insertions, 14 deletions
diff --git a/board/cr50/tpm2/endorsement.c b/board/cr50/tpm2/endorsement.c
index 62f6893fa5..a9751d43fb 100644
--- a/board/cr50/tpm2/endorsement.c
+++ b/board/cr50/tpm2/endorsement.c
@@ -24,6 +24,7 @@
#include "flash_info.h"
#include "printf.h"
#include "registers.h"
+#include "system.h"
#include "tpm_manufacture.h"
#include "tpm_registers.h"
@@ -610,10 +611,10 @@ enum manufacturing_status tpm_endorse(void)
HASH_update(&hmac.hash, p, RO_CERTS_REGION_SIZE - 32);
if (!DCRYPTO_equals(p + RO_CERTS_REGION_SIZE - 32,
DCRYPTO_HMAC_final(&hmac), 32)) {
-#ifdef CR50_INCLUDE_FALLBACK_CERT
- CPRINTF("%s: bad cert region hmac; falling back\n"
- " to fixed endorsement\n", __func__);
+ const struct SignedHeader *h;
+ CPRINTF("%s: bad cert region hmac;", __func__);
+#ifdef CR50_INCLUDE_FALLBACK_CERT
/* HMAC verification failure indicates either
* a manufacture fault, or mis-match in
* production mode and currently running
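Review bot: `const struct SignedHeader *h;` is declared ahead of the `#ifdef`, but the only use visible in this commit is in the `#else` branch of the next hunk, so builds with `CR50_INCLUDE_FALLBACK_CERT` defined are left with an unused variable. Guarding the declaration with `#ifndef CR50_INCLUDE_FALLBACK_CERT` keeps it next to its only user without moving it below a statement. The split message `CPRINTF("%s: bad cert region hmac;", __func__);` has no newline, and the fallback branch's follow-up text in the next hunk does not add one either, so the console line stays unterminated on that path. The enclosing `if` block continues past the end of this hunk.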
@@ -625,21 +626,39 @@ enum manufacturing_status tpm_endorse(void)
* by production infrastructure.
*/
if (!install_fixed_certs()) {
- CPRINTF("%s: failed to install fixed "
- "endorsement certs; \n"
- " unknown endorsement state\n",
- __func__);
+ CPRINTF(" failed to install fixed "
+ "endorsement certs;");
+ result = mnf_hmac_mismatch;
+ break;
}
#else
- CPRINTF("%s: bad cert region hmac; no certs installed!"
- "\n", __func__);
-#endif
+ h = (const struct SignedHeader *)
+ get_program_memory_addr
+ (system_get_image_copy());
+ if (G_SIGNED_FOR_PROD(h)) {
+
+ /* TODO(ngm): is this state considered
+ * endorsement failure?
+ */
+ CPRINTF("NO certs installed\n");
+ result = mnf_hmac_mismatch;
+ break;
+ }
- /* TODO(ngm): is this state considered
- * endorsement failure?
+ /*
+ * This will install bogus certificate, will happen
+ * only when Cr50 image is signed with dev key.
+ *
+ * Installing bogus certificate helps with simple TPM
+ * operations, as it allows to prevent TPM going
+ * through manufacturing process after every reset,
+ * but the generated RSA endorsement will not
+ * correspond to the certificate, which will cause
+ * problems when TPM identity is required.
*/
- result = mnf_hmac_mismatch;
- break;
+ result = mnf_unverified_cert;
+ CPRINTF("instaling UNVERIFIED certs\n");
+#endif
}
if (!handle_cert(
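Review bot: In the `CR50_INCLUDE_FALLBACK_CERT` build the success path of `install_fixed_certs()` no longer breaks out: the unconditional `result = mnf_hmac_mismatch; break;` that used to follow `#endif` is removed, so as the hunk reads execution falls through to `handle_cert(` with a cert region whose HMAC just failed, and `result` is not updated to say so. If the fixed certs are meant to be the final state, keep `result = mnf_hmac_mismatch; break;` after the `if (!install_fixed_certs())` block inside the `#ifdef`. In the `#else` branch the dev-signed path deliberately hands the unauthenticated region to `handle_cert()`, so that parser (outside this hunk) has to bound every length it reads from the region, and callers of `tpm_endorse()` should treat `mnf_unverified_cert` as not endorsed rather than as success. The new log string has a typo: `"instaling UNVERIFIED certs\n"` should read `installing`. The enclosing function starts and ends outside the hunk.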