diff options
| author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2021-09-27 17:47:29 -0700 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2021-10-02 04:01:49 +0000 |
| commit | 0ad46f2259b79b07a1d4b114fd58472a88c19282 (patch) | |
| tree | 8313e9894a779c602cca27fd79b81bcc9a7ca3b6 /include | |
| parent | 7b25ee08172491864900e3a2ba59d761355f4069 (diff) | |
| download | chrome-ec-0ad46f2259b79b07a1d4b114fd58472a88c19282.tar.gz | |
cr50: provide public crypto API for HMAC/HASH with error reporting.
To implement FIPS mode for Cr50 we should be able to block access to
crypto functions if errors are detected. Historically all HASH/HMAC
functions were declared as void with no return type.
1) Split existing functions into public part (data structs, update and
final parts) and internal part - unchecked init functions.
2) Introduced new functions to start SHA / HMAC operation which returns
status code and block access to crypto in case of FIPS errors.
3) Dcrypto hash algorithms codes updated to match TPM_ALG_ID to simplify
adaptation layer and move checks inside Dcrypto module.
4) Updated all uses of API outside FIPS module to check return code and
act accordingly.
5) As a side effect RSA can now support SHA384 & SHA512 for signing,
board/host mock ups simplified.
BUG=b:197893750
TEST=make buildall -j; make BOARD=cr50 CRYPTO_TEST=1;
test/tpm_test/tpm_test.py
TCG tests
------------------------------ Test Result Summary ---------------------
Test executed on: Tue Sep 28 15:23:35 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ibbc38703496f417cba693c37d39a82a662c3f7ee
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3192137
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/pinweaver.h | 7 | ||||
| -rw-r--r-- | include/rma_auth.h | 3 |
2 files changed, 7 insertions, 3 deletions
diff --git a/include/pinweaver.h b/include/pinweaver.h index 21571da7b0..6eb1f46092 100644 --- a/include/pinweaver.h +++ b/include/pinweaver.h @@ -163,8 +163,11 @@ void import_leaf(const struct unimported_leaf_data_t *unimported, /* Computes the total number of the sibling hashes along a path. */ int get_path_auxiliary_hash_count(const struct merkle_tree_t *merkle_tree); -/* Computes the parent hash for an array of child hashes. */ -void compute_hash(const uint8_t hashes[][PW_HASH_SIZE], uint16_t num_hashes, +/** + * Computes the parent hash for an array of child hashes. + * Return EC_SUCCESS if successful. + */ +int compute_hash(const uint8_t hashes[][PW_HASH_SIZE], uint16_t num_hashes, struct index_t location, const uint8_t child_hash[PW_HASH_SIZE], uint8_t result[PW_HASH_SIZE]); diff --git a/include/rma_auth.h b/include/rma_auth.h index 0a4d7c7e71..caca9d07cc 100644 --- a/include/rma_auth.h +++ b/include/rma_auth.h @@ -75,7 +75,8 @@ int rma_try_authcode(const char *code); * * @param rma_device_id Pointer to the buffer that will be filled with * the ID. The buffer must be of size RMA_DEVICE_ID_SIZE. + * @return EC_SUCCESS if successful */ -void get_rma_device_id(uint8_t rma_device_id[RMA_DEVICE_ID_SIZE]); +int get_rma_device_id(uint8_t rma_device_id[RMA_DEVICE_ID_SIZE]); #endif |