-rw-r--r-- | board/cr50/build.mk | 43 | ||||
-rw-r--r-- | board/cr50/dcrypto/fips.c | 8 | ||||
-rw-r--r-- | board/cr50/dcrypto/u2f.c | 12 | ||||
-rw-r--r-- | board/cr50/fips_cmd.c | 6 |
4 files changed, 40 insertions, 29 deletions
diff --git a/board/cr50/build.mk b/board/cr50/build.mk
index 3f1c40f9c6..b6d1d959cb 100644
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -22,19 +22,20 @@ ifeq ($(BOARD_MK_INCLUDED_ONCE),)
 # List of variables which can be defined in the environment or set in the make
 # command line.
-ENV_VARS := CR50_DEV CRYPTO_TEST H1_RED_BOARD U2F_TEST RND_TEST DRBG_TEST\
- ECDSA_TEST DCRYPTO_TEST P256_BIN_TEST SHA1_TEST SHA256_TEST\
- HMAC_SHA256_TEST CMAC_TEST
+ENV_VARS := CR50_DEV CRYPTO_TEST CMAC_TEST DCRYPTO_TEST DRBG_TEST ECDSA_TEST\
+ H1_RED_BOARD HMAC_SHA256_TEST P256_BIN_TEST RND_TEST SELF_TEST\
+ SHA1_TEST SHA256_TEST U2F_TEST U2F_VERBOSE
+
+ifneq ($(H1_RED_BOARD),)
+CPPFLAGS += -DH1_RED_BOARD=$(EMPTY)
+endif
 ifneq ($(CRYPTO_TEST),)
 CPPFLAGS += -DCRYPTO_TEST_SETUP
-ifneq ($(U2F_TEST),)
-CPPFLAGS_RW += -DCRYPTO_TEST_CMD_U2F_TEST=1
-endif
-
-ifneq ($(RND_TEST),)
-CPPFLAGS_RW += -DCRYPTO_TEST_CMD_RAND=1
+# These options only work with CRYPTO_TEST=1
+ifneq ($(DCRYPTO_TEST),)
+CPPFLAGS_RW += -DCRYPTO_TEST_CMD_DCRYPTO_TEST=1
 endif
 ifneq ($(DRBG_TEST),)
@@ -45,14 +46,22 @@ ifneq ($(ECDSA_TEST),)
 CPPFLAGS_RW += -DCRYPTO_TEST_CMD_DCRYPTO_ECDSA=1
 endif
-ifneq ($(DCRYPTO_TEST),)
-CPPFLAGS_RW += -DCRYPTO_TEST_CMD_DCRYPTO_TEST=1
+ifneq ($(HMAC_SHA256_TEST),)
+CPPFLAGS_RW += -DHMAC_SHA256_TEST=1
 endif
 ifneq ($(P256_BIN_TEST),)
 CPPFLAGS_RW += -DP256_BIN_TEST=1
 endif
+ifneq ($(RND_TEST),)
+CPPFLAGS_RW += -DCRYPTO_TEST_CMD_RAND=1
+endif
+
+ifneq ($(SELF_TEST),)
+CPPFLAGS_RW += -DSELF_INTEGRITY_TEST=1
+endif
+
 ifneq ($(SHA1_TEST),)
 CPPFLAGS_RW += -DSHA1_TEST=1
 endif
@@ -61,12 +70,16 @@ ifneq ($(SHA256_TEST),)
 CPPFLAGS_RW += -DSHA256_TEST=1
 endif
-ifneq ($(HMAC_SHA256_TEST),)
-CPPFLAGS_RW += -DHMAC_SHA256_TEST=1
+ifneq ($(U2F_TEST),)
+CPPFLAGS_RW += -DCRYPTO_TEST_CMD_U2F_TEST=1
 endif
+ifneq ($(U2F_VERBOSE),)
+CPPFLAGS_RW += -DU2F_DEV_VERBOSE=1
 endif
+endif # CRYPTO_TEST=1
+
 BOARD_MK_INCLUDED_ONCE=1
 SIG_EXTRA = --cros
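Review bot: Every option inside the new `ifneq ($(CRYPTO_TEST),)` block is silently ignored when CRYPTO_TEST is unset, so `make DCRYPTO_TEST=1` without `CRYPTO_TEST=1` produces an image with no test command and no diagnostic; the added comment `# These options only work with CRYPTO_TEST=1` records the rule but nothing enforces it. An `else` branch on that conditional that fails the build when any of the gated variables is non-empty turns a misconfigured invocation into an error instead of a missing test. The `endif` that closes this conditional is in a later hunk, so the branch below would sit just before `endif # CRYPTO_TEST=1`.
```make
# … unchanged: per-option ifneq blocks under CRYPTO_TEST …
else
ifneq ($(strip $(DCRYPTO_TEST)$(DRBG_TEST)$(ECDSA_TEST)$(HMAC_SHA256_TEST)$(P256_BIN_TEST)$(RND_TEST)$(SELF_TEST)$(SHA1_TEST)$(SHA256_TEST)$(U2F_TEST)$(U2F_VERBOSE)),)
$(error crypto test options require CRYPTO_TEST=1)
endif
endif # CRYPTO_TEST=1
```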
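Review bot: The new `U2F_VERBOSE` option carries no comment saying what it switches on, while the u2f.c hunks in this same change show `U2F_DEV_VERBOSE` printing the user secret, the origin seed and the derived private key through `ccprintf`. A one-line warning above `ifneq ($(U2F_VERBOSE),)` keeps it from being enabled casually: `# U2F_VERBOSE dumps U2F secrets and private keys to the console; crypto-test images only.` The `endif # CRYPTO_TEST=1` annotation is a welcome addition since the matching `ifneq` sits roughly fifty lines earlier.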
@@ -173,10 +186,6 @@ board-y += tpm_nvmem_ops.o
 board-y += wp.o
 board-$(CONFIG_PINWEAVER)+=pinweaver_tpm_imports.o
-ifneq ($(H1_RED_BOARD),)
-CPPFLAGS += -DH1_RED_BOARD=$(EMPTY)
-endif
-
 # Build fips code separately
 ifneq ($(fips-y),)
 RW_BD_OUT=$(out)/RW/$(BDIR)
diff --git a/board/cr50/dcrypto/fips.c b/board/cr50/dcrypto/fips.c
index 5e9422d2c3..2ea98187c4 100644
--- a/board/cr50/dcrypto/fips.c
+++ b/board/cr50/dcrypto/fips.c
@@ -642,18 +642,22 @@ static bool call_on_stack(void *new_stack, bool (*func)(void))
 const struct sha256_digest fips_integrity __attribute__((section(".rodata.fips.checksum")));
+#ifndef SELF_INTEGRITY_TEST
+#define SELF_INTEGRITY_TEST 0
+#endif
+
 static enum dcrypto_result fips_self_integrity(void) {
 struct sha256_digest digest;
 size_t module_length = &__fips_module_end - &__fips_module_start;
-#ifdef CR50_DEV
+#if SELF_INTEGRITY_TEST
 CPRINTS("FIPS self-integrity start %x, length %u", (uintptr_t)&__fips_module_start, module_length);
 #endif
 SHA256_hw_hash(&__fips_module_start, module_length, &digest);
-#ifdef CR50_DEV
+#if SELF_INTEGRITY_TEST
 CPRINTS("Stored: %ph", HEX_BUF(fips_integrity.b8, SHA256_DIGEST_SIZE));
 CPRINTS("Computed: %ph",
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 4cd267ac61..1b2fc4f17c 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -3,7 +3,7 @@
 * found in the LICENSE file.
 */
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#if defined(CRYPTO_TEST_SETUP)
 #include "console.h"
 #endif
@@ -55,7 +55,7 @@ static void u2f_origin_user_mac(const struct u2f_state *state,
 HMAC_SHA256_update(&ctx, origin_seed, U2F_ORIGIN_SEED_SIZE);
 if (kh_version == U2F_KH_VERSION_1) HMAC_SHA256_update(&ctx, &kh_version, sizeof(kh_version));
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 ccprintf("origin %ph\n", HEX_BUF(origin, U2F_APPID_SIZE));
 ccprintf("user %ph\n", HEX_BUF(user, U2F_USER_SECRET_SIZE));
 ccprintf("origin_seed %ph\n",
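Review bot: Nothing at the new `#ifndef SELF_INTEGRITY_TEST` default says that the macro only controls logging, and the build.mk variable behind it is called `SELF_TEST`, which reads as if it enabled the integrity check itself; the hunk shows `SHA256_hw_hash` running unconditionally with only the two `CPRINTS` blocks behind `#if SELF_INTEGRITY_TEST`. Suggest `/* SELF_INTEGRITY_TEST=1 only adds console output of the module hash; the integrity check below runs in every build. */` above the `#ifndef`. fips_self_integrity continues past the end of this hunk, so the comparison of the stored and computed digests is not visible here and is presumably unchanged.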
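Review bot: `U2F_DEV_VERBOSE` gates `ccprintf` of the user secret and origin seed here (and of the private key in a later hunk of this file), yet nothing in u2f.c ties it to a test build; the only thing stopping `-DU2F_DEV_VERBOSE` in a non-test image is that `console.h` is now included under `CRYPTO_TEST_SETUP` alone (first hunk of this file), which makes `ccprintf` an implicit declaration rather than a deliberate refusal. Make the coupling explicit beside that include: `#if defined(U2F_DEV_VERBOSE) && !defined(CRYPTO_TEST_SETUP)` / `#error "U2F_DEV_VERBOSE dumps key material and requires CRYPTO_TEST_SETUP"` / `#endif`. u2f_origin_user_mac starts before this hunk.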
@@ -63,7 +63,7 @@ static void u2f_origin_user_mac(const struct u2f_state *state,
 cflush();
 #endif
 memcpy(kh_hmac, HMAC_SHA256_final(&ctx), SHA256_DIGEST_SIZE);
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 ccprintf("kh_hmac %ph\n", HEX_BUF(kh_hmac, SHA256_DIGEST_SIZE));
 cflush();
 #endif
@@ -248,7 +248,7 @@ static enum ec_error_list u2f_origin_user_key_pair(
 else if (result != DCRYPTO_OK) return EC_ERROR_HW_INTERNAL;
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 ccprintf("user private key %ph\n", HEX_BUF(d, sizeof(*d)));
 cflush();
 if (pk_x)
@@ -449,7 +449,7 @@ u2f_attest_keyhandle_pubkey(const struct u2f_state *state,
 p256_to_bin(&opk_y, kh_pubkey.y);
 kh_pubkey.pointFormat = U2F_POINT_UNCOMPRESSED;
-#ifdef CR50_DEV_U2F_VERBOSE
+#ifdef U2F_DEV_VERBOSE
 ccprintf("recreated key %ph\n", HEX_BUF(&kh_pubkey, sizeof(kh_pubkey)));
 ccprintf("provided key %ph\n", HEX_BUF(public_key, sizeof(kh_pubkey)));
 #endif
@@ -632,7 +632,7 @@ enum ec_error_list u2f_attest(const struct u2f_state *state,
 /* Derive G2F Attestation Key. */
 if (!g2f_individual_key_pair(state, &d, &pk_x, &pk_y)) {
-#ifdef CR50_DEV
+#ifdef U2F_DEV_VERBOSE
 ccprintf("G2F Attestation key generation failed\n");
 #endif
 return EC_ERROR_HW_INTERNAL;
diff --git a/board/cr50/fips_cmd.c b/board/cr50/fips_cmd.c
index aca39fbae7..5dbe19a291 100644
--- a/board/cr50/fips_cmd.c
+++ b/board/cr50/fips_cmd.c
@@ -68,7 +68,7 @@ static void fips_print_status(void)
 }
 DECLARE_HOOK(HOOK_INIT, fips_print_status, HOOK_PRIO_INIT_PRINT_FIPS_STATUS);
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#if defined(CRYPTO_TEST_SETUP)
 static const uint8_t k_salt = NVMEM_VAR_G2F_SALT;
 static void print_u2f_keys_status(void)
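Review bot: Moving the `G2F Attestation key generation failed` message from `#ifdef CR50_DEV` to `#ifdef U2F_DEV_VERBOSE` ties a non-sensitive failure diagnostic to the same switch that dumps private keys, so a tester who wants to see why attestation fails must also turn on key dumping. The message reveals nothing secret; gating it on `#ifdef CRYPTO_TEST_SETUP`, which is also what makes `console.h` and `ccprintf` available in this file after the first hunk, keeps it in every crypto-test image without `U2F_DEV_VERBOSE`. u2f_attest continues beyond this hunk.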
@@ -130,7 +130,7 @@ static int cmd_fips_status(int argc, char **argv)
 fips_print_test_time();
 fips_print_mode();
 }
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#ifdef CRYPTO_TEST_SETUP
 else if (!strncmp(argv[1], "new", 3))
 CPRINTS("u2f update status: %d", u2f_update_keys());
 else if (!strncmp(argv[1], "del", 3))
@@ -142,8 +142,6 @@ static int cmd_fips_status(int argc, char **argv)
 print_u2f_keys_status();
 else if (!strncmp(argv[1], "gen", 3))
 u2f_keys();
-#endif
-#ifdef CRYPTO_TEST_SETUP
 else if (!strncmp(argv[1], "trng", 4))
 fips_break_cmd = FIPS_BREAK_TRNG;
 else if (!strncmp(argv[1], "sha", 3))
|
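Review bot: The `new`, `del` and `gen` subcommands that the narrowed `#ifdef CRYPTO_TEST_SETUP` now encloses appear to regenerate or remove the device's U2F keys (`u2f_update_keys`, `u2f_keys`; the `del` body is outside the hunk), but no comment says why they must stay out of CR50_DEV and release images, and the prefix match `strncmp(argv[1], "new", 3)` also accepts `newanything` for a destructive action. Suggest `/* Destructive U2F key management: crypto-test images only, never CR50_DEV or release. */` above the `#ifdef`, and exact matching with `strcmp` for `new`, `del` and `gen`. The rest of cmd_fips_status, including whatever validates `argc` before `argv[1]` is read, lies outside these hunks.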