-rw-r--r-- | board/cr50/build.mk | 3 | ||||
-rw-r--r-- | board/cr50/dcrypto/fips_module.ld | 2 | ||||
-rw-r--r-- | board/cr50/fips.c | 7 | ||||
-rw-r--r-- | test/tpm_test/u2f_test.py | 24 |
4 files changed, 25 insertions, 11 deletions
diff --git a/board/cr50/build.mk b/board/cr50/build.mk
index 5ff5894cb8..d1bbc4a517 100644
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -66,6 +66,9 @@ fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/dcrypto_bn.o
 fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/dcrypto_p256.o
 fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/compare.o
 fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/dcrypto_runtime.o
+ifneq ($(CRYPTO_TEST),)
+fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/gcm.o
+endif
 fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/hkdf.o
 fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/hmac.o
 fips-${CONFIG_DCRYPTO_BOARD} += dcrypto/hmac_drbg.o
diff --git a/board/cr50/dcrypto/fips_module.ld b/board/cr50/dcrypto/fips_module.ld
index 62b303c8ce..7199beb107 100644
--- a/board/cr50/dcrypto/fips_module.ld
+++ b/board/cr50/dcrypto/fips_module.ld
@@ -15,7 +15,7 @@ SECTIONS
 .rodata.cmds.fips : {
 *(.rodata.cmds.*)
 }
- .rodata.extensioncmds.fips : {
+ .rodata.extensioncmds : {
 *(.rodata.extensioncmds)
 }
 .rodata.irqprio : {
diff --git a/board/cr50/fips.c b/board/cr50/fips.c
index f89b3ff205..51a392e2ac 100644
--- a/board/cr50/fips.c
+++ b/board/cr50/fips.c
@@ -120,15 +120,18 @@ static bool fips_u2f_compliant(void)
 return false;
 }
 
-/* Return true if crypto can be used (no failures detectd). */
+/* Return true if crypto can be used (no failures detected). */
 bool fips_crypto_allowed(void)
 {
 /**
 * We never allow crypto if there were errors, no matter
 * if we are in FIPS approved or not-approved mode.
+ * Until self-integrity works properly (b/138578318), ignore it.
+ * TODO(b/138578318): remove ignoring of FIPS_FATAL_SELF_INTEGRITY.
 */
 return ((_fips_status & FIPS_POWER_UP_TEST_DONE) &&
- !(_fips_status & FIPS_ERROR_MASK));
+ !(_fips_status &
+ (FIPS_ERROR_MASK & (~FIPS_FATAL_SELF_INTEGRITY))));
 }
 
 void fips_throw_err(enum fips_status err)
diff --git a/test/tpm_test/u2f_test.py b/test/tpm_test/u2f_test.py
index 9cb7d5e609..6fe470dc8d 100644
--- a/test/tpm_test/u2f_test.py
+++ b/test/tpm_test/u2f_test.py
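Review bot: The added `ifneq ($(CRYPTO_TEST),)` block in board/cr50/build.mk puts `dcrypto/gcm.o` into the `fips-` object list without a comment saying why GCM belongs inside the FIPS module only for test images. The module's contents then differ between CRYPTO_TEST and production builds, so anything computed over the module (presumably including the self-integrity check that the fips.c change in this commit refers to) will differ too. A one-line comment above the block would record the intent, e.g. `# GCM is linked into the FIPS module only for CRYPTO_TEST images; production images omit it.`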
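Review bot: Masking `FIPS_FATAL_SELF_INTEGRITY` out of the error test in `fips_crypto_allowed()` makes this gate fail open on a self-integrity failure in every image built from the file, and nothing in the hunk records at run time that the bit was set and ignored. While b/138578318 is open, keep the exemption visible: name the mask, e.g. `const uint32_t blocking = FIPS_ERROR_MASK & ~FIPS_FATAL_SELF_INTEGRITY;` (type assumed; match `_fips_status`), and log once when the ignored bit is set so the bypass can be seen on the console. If the exemption is only needed for test images, it could also be limited to those builds. Any code outside this hunk that reads `_fips_status` directly would still see the error and disagree with this function; that is worth checking before merge.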
@@ -49,7 +49,8 @@ def u2f_sign(tpm, origin, user, auth, kh, msg, flag, fail=False): if size != 12: raise subcmd.TpmTestError('Unexpected response: ' + utils.hex_dump(response)) - print('response: ', hex(response_code)) + if tpm.debug_enabled(): + print('U2F sign response: ', hex(response_code)) return b'' return sig @@ -81,20 +82,27 @@ def u2f_test(tpm): auth = b'3' msg = b'12345' public_key1, khv1 = u2f_generate(tpm, origin, user, 0, auth) - print('key_handle v1 = ',utils.hex_dump(khv1), len(khv1)) - print('public_key v1 = ',utils.hex_dump(public_key1), len(public_key1)) + if tpm.debug_enabled(): + print('key_handle v1 = ',utils.hex_dump(khv1), len(khv1)) + print('public_key v1 = ',utils.hex_dump(public_key1), len(public_key1)) public_key2, khv2 = u2f_generate(tpm, origin, user, 8, auth) - print('key_handle v2 = ',utils.hex_dump(khv2), len(khv2)) + if tpm.debug_enabled(): + print('key_handle v2 = ',utils.hex_dump(khv2), len(khv2)) sig1 = u2f_sign(tpm, origin, user, auth, khv1, msg, 2) - print('sig v1 = ',utils.hex_dump(sig1), len(sig1)) + if tpm.debug_enabled(): + print('sig v1 = ',utils.hex_dump(sig1), len(sig1)) sig1 = u2f_sign(tpm, origin, user, auth, khv2, msg, 2) - print('sig v2 = ',utils.hex_dump(sig1), len(sig1)) + if tpm.debug_enabled(): + print('sig v2 = ',utils.hex_dump(sig1), len(sig1)) sig1 = u2f_sign(tpm, user, origin, auth, khv2, msg, 2, fail=True) - print('sig v2 = ',utils.hex_dump(sig1), len(sig1)) + if tpm.debug_enabled(): + print('sig v2 = ',utils.hex_dump(sig1), len(sig1)) sig_attest = u2f_attest(tpm, origin, user, auth, khv1, public_key1) - print('sig attest = ',utils.hex_dump(sig_attest), len(sig_attest)) + if tpm.debug_enabled(): + print('sig attest = ',utils.hex_dump(sig_attest), len(sig_attest)) + print('%sSUCCESS: %s' % (utils.cursor_back(), 'U2F test')) |
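Review bot: Nothing visible in the second hunk checks the result of the swapped `user`/`origin` call `u2f_sign(tpm, user, origin, auth, khv2, msg, 2, fail=True)` before `u2f_test` reports SUCCESS, and with the prints now gated behind `tpm.debug_enabled()` a default run no longer shows it either. Unless `u2f_sign` already raises when a `fail=True` call unexpectedly succeeds (its body is only partly visible in the first hunk), add an explicit check such as `if sig1: raise subcmd.TpmTestError('U2F sign succeeded with swapped origin/user')`. The debug label for that call repeats `'sig v2 = '` from the previous one; `'sig v2 (expected failure) = '` would keep the two apart in a debug log. `u2f_test` starts above the hunk.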