diff options
author | Randall Spangler <rspangler@chromium.org> | 2017-06-21 13:10:57 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-06-30 16:02:50 -0700 |
commit | 282765fdd409fd16ed1e092e5d7fee8de5af7a5a (patch) | |
tree | 6ba38fa099ef790c72d34f1caa458bd731aa39d3 /include | |
parent | 4a8b509020ce5104abf9b43335283cb39c7b75b2 (diff) | |
download | chrome-ec-282765fdd409fd16ed1e092e5d7fee8de5af7a5a.tar.gz |
common: Add RMA reset auth challenge-response crypto
RMA auth uses X25519 to generate a relatively small challenge and
response.
Currently, nothing calls the rma_auth code. We'll need console and
TPM vendor commands to do so.
BUG=b:37952913
BRANCH=none
TEST=make buildall
Change-Id: Iec7f2d0e3dc8243f79b009ead16bb3ba9f1bef9d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/544184
Diffstat (limited to 'include')
-rw-r--r-- | include/config.h | 6 | ||||
-rw-r--r-- | include/rma_auth.h | 80 |
2 files changed, 86 insertions, 0 deletions
diff --git a/include/config.h b/include/config.h index 5d41162d04..0ba9da8743 100644 --- a/include/config.h +++ b/include/config.h @@ -1916,6 +1916,12 @@ /* Support IR357x Link voltage regulator debugging / reprogramming */ #undef CONFIG_REGULATOR_IR357X +/* Support RMA auth challenge-response */ +#undef CONFIG_RMA_AUTH +/* If that's defined, the server public key and ID must also be defined */ +#undef CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY /* 32 bytes: {0xNN, 0xNN, ... 0xNN} */ +#undef CONFIG_RMA_AUTH_SERVER_KEY_ID /* 6-bit key ID, 0xMM */ + /* Enable hardware Random Number generator support */ #undef CONFIG_RNG diff --git a/include/rma_auth.h b/include/rma_auth.h new file mode 100644 index 0000000000..db39468595 --- /dev/null +++ b/include/rma_auth.h @@ -0,0 +1,80 @@ +/* Copyright 2017 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +/* RMA challenge-response */ + +#ifndef __CROS_EC_RMA_AUTH_H +#define __CROS_EC_RMA_AUTH_H + +#include <stdint.h> + +/* Test server public and private keys */ +#define RMA_TEST_SERVER_PUBLIC_KEY { \ + 0x03, 0xae, 0x2d, 0x2c, 0x06, 0x23, 0xe0, 0x73, \ + 0x0d, 0xd3, 0xb7, 0x92, 0xac, 0x54, 0xc5, 0xfd, \ + 0x7e, 0x9c, 0xf0, 0xa8, 0xeb, 0x7e, 0x2a, 0xb5, \ + 0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f} +#define RMA_TEST_SERVER_PRIVATE_KEY { \ + 0x47, 0x3b, 0xa5, 0xdb, 0xc4, 0xbb, 0xd6, 0x77, \ + 0x20, 0xbd, 0xd8, 0xbd, 0xc8, 0x7a, 0xbb, 0x07, \ + 0x03, 0x79, 0xba, 0x7b, 0x52, 0x8c, 0xec, 0xb3, \ + 0x4d, 0xaa, 0x69, 0xf5, 0x65, 0xb4, 0x31, 0xad} +#define RMA_TEST_SERVER_KEY_ID 0x10 + +/* Current challenge protocol version */ +#define RMA_CHALLENGE_VERSION 0 + +/* Getters and setters for version_key_id byte */ +#define RMA_CHALLENGE_VKID_BYTE(version, keyid) \ + (((version) << 6) | ((keyid) & 0x3f)) +#define RMA_CHALLENGE_GET_VERSION(vkidbyte) ((vkidbyte) >> 6) +#define RMA_CHALLENGE_GET_KEY_ID(vkidbyte) ((vkidbyte) & 0x3f) + +struct __packed rma_challenge { + /* Top 2 bits are protocol version; bottom 6 are server KeyID */ + uint8_t version_key_id; + + /* Ephemeral public key from device */ + uint8_t device_pub_key[32]; + + /* Board ID (.type) */ + uint8_t board_id[4]; + + /* Device ID */ + uint8_t device_id[8]; +}; + +/* Size of encoded challenge and response, and buffer sizes to hold them */ +#define RMA_CHALLENGE_CHARS 80 +#define RMA_CHALLENGE_BUF_SIZE (RMA_CHALLENGE_CHARS + 1) + +#define RMA_AUTHCODE_CHARS 8 +#define RMA_AUTHCODE_BUF_SIZE (RMA_AUTHCODE_CHARS + 1) + +/** + * Create a new RMA challenge/response + * + * @return EC_SUCCESS, EC_ERROR_TIMEOUT if too soon since the last challenge, + * or other non-zero error code. + */ +int rma_create_challenge(void); + +/** + * Get the current challenge string + * + * @return a pointer to the challenge string. String will be empty if there + * is no active challenge. + */ +const char *rma_get_challenge(void); + +/** + * Try a RMA authorization code + * + * @param code Authorization code to try + * @return EC_SUCCESS if the response was correct, or non-zero error code. + */ +int rma_try_authcode(const char *code); + +#endif |