diff options
author | Igor <igorcov@chromium.org> | 2018-06-21 16:39:57 +0200 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-11-07 11:40:45 -0800 |
commit | a771ac1213c4b0066d81ded4b8132f9506d7634d (patch) | |
tree | 892bfd2b0a654fef263d055cb54d95f70435a6a2 /include/pinweaver.h | |
parent | 8d48f6e390823d2a89808ea6f9dc8c7348134440 (diff) | |
download | chrome-ec-a771ac1213c4b0066d81ded4b8132f9506d7634d.tar.gz |
Cr50: Add valid PCR value for pinweaver
In order to bind the PIN authentication to PCR4, required for
additional security, a set of valid PCR criteria is added as metadata
in the leaf of the tree. Each criteria has a bitmask of PCR indexes
and the digest sha256 that should be obtained from concatenation of
PCR values for the respective indexes. Pinweaver will handle
both types of requests, in old and the new format.
For migration of old leaves that don't have the new field, the
process expects cryptohome to detect that the leaf needs migration
based on protocol used, leaf version and if the list of PCR
criteria is empty. In case the leaf needs migration, cryptohome
should insert a new leaf with the same data and remove the old one.
The PCR criteria set is created on Chrome OS side. Details of that
implementation is in
https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1124856
BRANCH=none
BUG=chromium:812165
TEST=sudo V=1 make run-pinweaver -j
pinweaver_client selftest
Deploy old image on a device and create an account setting a PIN code
as well. Deploy the new image and new CR50 build. Login and check that the
migration works well. Also try to put device to sleep and unlock. Check
that a new credential creation with new version works as well and sleep +
unlock work as expected. Extend PCR4 on device and check that login/unlock
works only for the user which obfuscated_username was used to extend the
PCR. Also check that authentication works with cases when old cryptohome
and new pinweaver is deployed, or old pinweaver and new cryptohome.
CQ-DEPEND=CL:1124856
Change-Id: If778c4e46b9945afadfd2af7d58353005624d668
Signed-off-by: igorcov@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/1112014
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'include/pinweaver.h')
-rw-r--r-- | include/pinweaver.h | 14 |
1 files changed, 1 insertions, 13 deletions
diff --git a/include/pinweaver.h b/include/pinweaver.h index 7c7a8fb1cb..1f373ba582 100644 --- a/include/pinweaver.h +++ b/include/pinweaver.h @@ -65,18 +65,6 @@ struct PW_PACKED pw_log_storage_t { }; /* Do not remove fields within the same PW_LEAF_MAJOR_VERSION. */ -/* Unencrypted part of the leaf data. - */ -struct PW_PACKED leaf_public_data_t { - struct label_t label; - struct delay_schedule_entry_t delay_schedule[PW_SCHED_COUNT]; - - /* State used to rate limit. */ - struct pw_timestamp_t timestamp; - struct attempt_count_t attempt_count; -}; - -/* Do not remove fields within the same PW_LEAF_MAJOR_VERSION. */ /* Encrypted part of the leaf data. */ struct PW_PACKED PW_ALIGN_TO_BLK leaf_sensitive_data_t { @@ -142,7 +130,7 @@ void pinweaver_init(void); * merkle_tree->root needs to be updated with new_root outside of this function. */ int pw_handle_request(struct merkle_tree_t *merkle_tree, - const struct pw_request_t *request, + struct pw_request_t *request, struct pw_response_t *response); /******************************************************************************/ |