g: update test RO to allow self-signed RWs.

Instead of hard-coded embedded public keys, use public key from header.
Also accommodate padding checks for both 3071 and 2048 signatures.

BUG=none
BRANCH=none
TEST="make board=cr50;vhaven build/cr50/ec.hex --sku 2 --debug_rom"
      now successfully boots to console.
Signed-off-by: mschilder@google.com
Change-Id: I493d4832d4b78c734949fe980ef5c9de2d3e4fa1
Reviewed-on: https://chromium-review.googlesource.com/1256058
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

3 files changed, 18 insertions, 55 deletions

diff --git a/chip/g/loader/launch.c b/chip/g/loader/launch.c
index 54edc84268..cf701a21cb 100644
--- a/chip/g/loader/launch.c
+++ b/chip/g/loader/launch.c
@@ -144,7 +144,7 @@ void tryLaunch(uint32_t adr, size_t max_size)
 
 	if (!unlockedForExecution()) {
 		/* Assume warm-boot failed; do full RSA verify. */
-		LOADERKEY_verify(hdr->keyid, hdr->signature, hash);
+		LOADERKEY_verify(&hdr->keyid, hdr->signature, hash);
 		/*
 		 * PWRDN_SCRATCH* should be write-locked, tied to successful
 		 * SIG_MATCH. Thus ARM is only able to write this hash if
diff --git a/chip/g/loader/verify.c b/chip/g/loader/verify.c
index 6700ca8ca3..41b1c6cddd 100644
--- a/chip/g/loader/verify.c
+++ b/chip/g/loader/verify.c
@@ -13,47 +13,6 @@
 #define RSA_NUM_WORDS 96
 #define RSA_NUM_BYTES (RSA_NUM_WORDS * 4)
 
-
-static const uint32_t LOADERKEY_A[RSA_NUM_WORDS + 1] = {
-	0xea54076f, 0xe986c871, 0x8cffffb4, 0xd7c50bda, 0x30700ee0, 0xc023a878,
-	0x30e7fdf8, 0x5bb0c06f, 0x1d25d80f, 0x18e181f7, 0xfbf7a8b0, 0x331c16d4,
-	0xeb042379, 0x4cef13ec, 0x5b2072e7, 0xc807b01d, 0x443fb117, 0xd2e04e5b,
-	0xcb984393, 0x85d90d9d, 0x0332dcb8, 0xd42ccacf, 0x787e3947, 0x1975095c,
-	0x2d523b0b, 0xf815be95, 0x00db9a2c, 0x6c08442b, 0x57a022bb, 0x9d5c84ed,
-	0x46a6d275, 0x4392dcf8, 0xfa6812e3, 0xe0f3a3e6, 0xc8ff3f61, 0xd518dbac,
-	0xbba7376a, 0x767a219a, 0x9d153119, 0x980b16f8, 0x79eb5078, 0xb869924d,
-	0x2e392cc2, 0x76c04f32, 0xe35ea788, 0xcb67fa62, 0x30efec79, 0x36f04ae0,
-	0x2212a5fc, 0x51c41de8, 0x2b0b84db, 0x6803ca1c, 0x39a248fd, 0xa0c31ee2,
-	0xb1ca22b6, 0x16e54056, 0x086f6591, 0x3825208d, 0x079c157b, 0xe51c15a6,
-	0x0dd1c66f, 0x8267b8ae, 0xf06b4f85, 0xc68b27ab, 0x31bcd5fc, 0x34d563b7,
-	0xc4d2212e, 0x1e770199, 0xaf797061, 0x824d4853, 0x526e18cd, 0x4bb8a0dc,
-	0xeb9377fe, 0x04fda73c, 0x2933f8a6, 0xe16c0432, 0x40ea1bd5, 0x9efcd77e,
-	0x92be9e55, 0x003c1128, 0x48442cf9, 0x80b4fb31, 0xfe1e3df3, 0x1d28e14d,
-	0xe99c0f9d, 0x521d38c2, 0x0082c4f1, 0xcff25d56, 0x0d3e7186, 0xe72b98f0,
-	0xefaa5689, 0x74051ed5, 0x6b7e7fff, 0x822b1944, 0x77a94732, 0x8d0b9aaf,
-	0x7a8ee958
-};
-
-const uint32_t LOADERKEY_B[RSA_NUM_WORDS + 1] = {
-	0xeea8b39f, 0xdfa457a1, 0x8b81fdc3, 0xb0204c84, 0x297b9db2, 0xaa70318d,
-	0x8cd41a68, 0x4aa0f9bb, 0xf63f9d69, 0xf0fe64b0, 0x96e42e2d, 0x5e494b1d,
-	0x066cefd0, 0xde949c16, 0xc92499ed, 0x92229990, 0x48ac3b1a, 0x1dfc2388,
-	0xda71d258, 0x826ddedf, 0xd0220e70, 0x6140dedf, 0x92bcdec7, 0xcdf91c22,
-	0xaa110aed, 0xc371c2f9, 0xa3fedf2a, 0xfd2c6a07, 0xe71aabce, 0x7f426484,
-	0x0ac51128, 0x4bab4ca2, 0x0162d0b9, 0x49fef7e3, 0xeda8664e, 0x14b92b7a,
-	0x0397dbb7, 0x5b9eb94a, 0x069b5059, 0x3851f46b, 0x45bbcaba, 0x0b812652,
-	0x7cd8b10b, 0xcaeccc32, 0x0ffd08e3, 0xfe6f0306, 0x8c02d5f7, 0xafdc4595,
-	0xe0edda47, 0x0cc821db, 0x50beeae5, 0xb9868c18, 0xefd2de11, 0xdfecd15c,
-	0xa8937a70, 0x223d9d95, 0x1b70848b, 0x54fa9176, 0x8bf012ef, 0xd37c1446,
-	0xf9a7ebeb, 0xbf2dfa9a, 0xdc6b8ea0, 0xe5f8bc4d, 0x539222b5, 0x192521e4,
-	0xe7088628, 0x2646bb56, 0x6fcc5d70, 0x3f1cd8e9, 0xae9cec24, 0xf53b6559,
-	0x6f091891, 0x5342fa61, 0xbfee50e9, 0x211ad58a, 0xd1c5aa17, 0x252dfa56,
-	0x17131164, 0x4630a459, 0x2f681f51, 0x3fb9ab3c, 0x6c8e0a70, 0xa34a868b,
-	0xe960e702, 0xa470d241, 0x00647369, 0xa4c25391, 0xd1926cf9, 0x5fce5488,
-	0xd171cb2e, 0x8a7c982e, 0xc89cbe39, 0xc0e019d8, 0x82cd1ebe, 0x68918fce,
-	0x5ec138fd
-};
-
 #define RANDOM_STEP 5
 
 inline uint32_t bswap(uint32_t a)
@@ -121,10 +80,9 @@ static void montMul1(const uint32_t *key,
 		montMulAdd(key, c, 0, a);
 }
 
-#if LOADERKEYEXP == 3
 /* In-place exponentiation to power 3 % key. */
-static void modpow(const uint32_t *key,
-		   const uint32_t *signature, uint32_t *out)
+static void modpow3(const uint32_t *key,
+		    const uint32_t *signature, uint32_t *out)
 {
 	static uint32_t aaR[RSA_NUM_WORDS];
 	static uint32_t aaaR[RSA_NUM_WORDS];
@@ -133,8 +91,8 @@ static void modpow(const uint32_t *key,
 	montMul(key, aaaR, aaR, signature);
 	montMul1(key, out, aaaR);
 }
-#endif
-void LOADERKEY_verify(uint32_t keyid, const uint32_t *signature,
+
+void LOADERKEY_verify(const uint32_t *key, const uint32_t *signature,
 		      const uint32_t *sha256)
 {
 	static uint32_t buf[RSA_NUM_WORDS]
@@ -142,18 +100,23 @@ void LOADERKEY_verify(uint32_t keyid, const uint32_t *signature,
 	static uint32_t hash[SHA256_DIGEST_WORDS]
 		__attribute__((section(".guarded_data")));
 	uint32_t step, offset;
-	const uint32_t *key;
 	int i;
 
-	if (keyid == LOADERKEY_B[0])
-		key = LOADERKEY_B;
-	else
-		key = LOADERKEY_A;
-
-	modpow(key, signature, buf);
+	modpow3(key, signature, buf);
 	VERBOSE("sig %.384h\n", buf);
 
 	/*
+	 * If key was not 3Kb, assume 2Kb and expand for subsequent
+	 * padding + hash verification mangling.
+	 */
+	if (key[96] == 0) {
+		buf[95] ^= buf[63];
+		buf[63] ^= 0x1ffff;
+		for (i = 63; i < 95; ++i)
+			buf[i] ^= -1;
+	}
+
+	/*
 	 * XOR in offsets across buf. Mostly to get rid of all those -1 words
 	 * in there.
 	 */
diff --git a/chip/g/loader/verify.h b/chip/g/loader/verify.h
index 74988dc605..fe279e46c0 100644
--- a/chip/g/loader/verify.h
+++ b/chip/g/loader/verify.h
@@ -10,7 +10,7 @@
  * Verify a RSA PKCS1.5 signature against an expected sha256. Unlocks for
  * execution upon success.
  */
-void LOADERKEY_verify(uint32_t keyid,
+void LOADERKEY_verify(const uint32_t *key,
 		      const uint32_t *signature, const uint32_t *sha256);
 
 #endif  /* __EC_CHIP_G_LOADER_VERIFY_H */