zinger: check RW firmware signature

The Zinger RW is now signed with 2048-bit RSA key (using SHA-256 as
digest).
This CL implements the verification mechanism.

note: the RSA key used for signing must be provided as a .pem file.
The path to .pem file must be provided in the PEM environment variable.
By default, it's using the dev key stored in zinger_dev_key.pem.

Signed-off-by: Vincent Palatin <vpalatin@chromium.org>

BRANCH=samus
BUG=chrome-os-partner:28336
TEST=on Zinger, run with properly signed RW firmware and corrupted
firmware and check the serial traces.

Change-Id: Ia58482458904a3ed72d6b0e95996cae86a0ead83
Reviewed-on: https://chromium-review.googlesource.com/220178
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Alec Berg <alecaberg@chromium.org>

1 files changed, 7 insertions, 6 deletions

diff --git a/board/zinger/hardware.c b/board/zinger/hardware.c
index 1b22ec64c4..061f3bdf89 100644
--- a/board/zinger/hardware.c
+++ b/board/zinger/hardware.c
@@ -9,7 +9,8 @@
 #include "common.h"
 #include "cpu.h"
 #include "registers.h"
-#include "sha1.h"
+#include "rsa.h"
+#include "sha256.h"
 #include "task.h"
 #include "timer.h"
 #include "util.h"
@@ -374,11 +375,11 @@ exit_er:
 	return res;
 }
 
-static struct sha1_ctx ctx;
+static struct sha256_ctx ctx;
 uint8_t *flash_hash_rw(void)
 {
-	sha1_init(&ctx);
-	sha1_update(&ctx, (void *)CONFIG_FLASH_BASE + CONFIG_FW_RW_OFF,
-		    CONFIG_FW_RW_SIZE - 32);
-	return sha1_final(&ctx);
+	SHA256_init(&ctx);
+	SHA256_update(&ctx, (void *)CONFIG_FLASH_BASE + CONFIG_FW_RW_OFF,
+		    CONFIG_FW_RW_SIZE - RSANUMBYTES);
+	return SHA256_final(&ctx);
 }