fips_rand: FIPS-compliant way to generate randoms

Add proper TRNG health tests and CR50-wide DRBG with reseeding

BUG=b:138578157
TEST=tpmtest.py -t1 fails after cr50 reboot.
rand_perf in console (kick-off FIPS TRNG test) and then
tpmtest.py -t1 and tpmtest.py -t2 should succeed.

Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I94c2dbd7a00dedcf1a0f318539a3c73c0c8076ef
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2251381
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>

1 files changed, 3 insertions, 2 deletions

diff --git a/test/tpm_test/trng_test.py b/test/tpm_test/trng_test.py
index 60faa32e99..bdf0477a32 100644
--- a/test/tpm_test/trng_test.py
+++ b/test/tpm_test/trng_test.py
@@ -20,7 +20,8 @@ TRNG_SAMPLE_COUNT = 1000000 # NIST require at least 1000000 of 8-bit samples
 # field     |    size  |                  note
 # ===================================================================
 # text_len  |    2     | number of bytes to read, big endian
-# type      |    1     | 0 = TRNG, other values reserved for extensions
+# type      |    1     | 0 = TRNG, 1 = FIPS TRNG, 2 = FIPS DRBG
+#           |          | other values reserved for extensions
 def get_random_command(size, trng_op):
     """Encode get_random command"""
     return struct.pack(TRNG_TEST_FMT, size, trng_op)
@@ -68,7 +69,7 @@ def trng_test(tpm, trng_output, trng_mode, tsb=1):
         subcmd.TpmTestError: on unexpected target responses
     """
 
-    if trng_mode not in [0]:
+    if trng_mode not in [0, 1, 2]:
         raise subcmd.TpmTestError('Unknown random source: %d' % trng_mode)
 
     # minimal recommended by NIST is 1000 samples per block