-rw-r--r-- | board/cr50/tpm2/rsa.c | 50 | ||||
-rw-r--r-- | test/tpm_test/rsa_test.py | 15 |
2 files changed, 48 insertions, 17 deletions
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c index d578a5eb06..ccd84ce77e 100644 --- a/board/cr50/tpm2/rsa.c +++ b/board/cr50/tpm2/rsa.c @@ -10,11 +10,13 @@ #include <assert.h> +TPM2B_BYTE_VALUE(4); +TPM2B_BYTE_VALUE(32); + static void reverse_tpm2b(TPM2B *b) { reverse(b->buffer, b->size); } -TPM2B_BYTE_VALUE(4); static int check_key(const RSA_KEY *key) { @@ -278,8 +280,6 @@ static int generate_prime(struct BIGNUM *b, TPM_ALG_ID hashing, TPM2B *seed, return 0; } -TPM2B_BYTE_VALUE(32); - CRYPT_RESULT _cpri__GenerateKeyRSA( TPM2B *N_buf, TPM2B *p_buf, uint16_t num_bits, uint32_t e_buf, TPM_ALG_ID hashing, TPM2B *seed, @@ -304,7 +304,6 @@ CRYPT_RESULT _cpri__GenerateKeyRSA( uint32_t counter; TPM2B_32_BYTE_VALUE local_seed = { .t = {32} }; - LITE_HMAC_CTX hmac; if (num_bits & 0xF) return CRYPT_FAIL; @@ -316,10 +315,19 @@ CRYPT_RESULT _cpri__GenerateKeyRSA( /* Hash down the primary seed for RSA key generation, so that * the derivation tree is distinct from ECC key derivation. */ - DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size); - HASH_update(&hmac.hash, "RSA", 4); - memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac), - local_seed.t.size); +#ifdef CRYPTO_TEST_SETUP + /* Test seed has already been hashed down. */ + memcpy(local_seed.t.buffer, seed->buffer, seed->size); +#else + { + LITE_HMAC_CTX hmac; + + DCRYPTO_HMAC_SHA256_init(&hmac, seed->buffer, seed->size); + HASH_update(&hmac.hash, "RSA", 4); + memcpy(local_seed.t.buffer, DCRYPTO_HMAC_final(&hmac), + local_seed.t.size); + } +#endif if (e_buf == 0) e_buf = RSA_F4; @@ -747,6 +755,12 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_2048_Q = { } }; +static const uint8_t VERIFY_SEED[32] = { + 0x54, 0xef, 0xe3, 0xe9, 0x1e, 0xfa, 0xad, 0x9b, + 0x18, 0x3f, 0x27, 0x12, 0xfd, 0xe7, 0xfb, 0xc6, + 0x60, 0xcc, 0x34, 0x05, 0x00, 0x7d, 0x21, 0x6e, + 0xc2, 0x1e, 0x78, 0xbe, 0x61, 0xc8, 0x41, 0x99 +}; #define MAX_MSG_BYTES RSA_MAX_BYTES #define MAX_LABEL_LEN 32 
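Review bot: In the `CRYPTO_TEST_SETUP` branch added to `_cpri__GenerateKeyRSA`, `memcpy(local_seed.t.buffer, seed->buffer, seed->size)` takes its length from the caller's seed while the destination is the 32-byte `local_seed`. A longer seed would write past the stack buffer, and a shorter one leaves the tail zero-filled. The non-test branch copies `local_seed.t.size` bytes, so the test branch should be bounded the same way, for example `if (seed->size != local_seed.t.size) return CRYPT_FAIL;` before the copy. The branch also applies to every caller of this function in a test build, not only the test command, so the RSA/ECC separation described in the comment above is presumably absent there; a comment saying so would help. The function body starts and ends outside this hunk.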
@@ -784,6 +798,19 @@ static void rsa_command_handler(void *cmd_body, struct BIGNUM bn; char label[MAX_LABEL_LEN]; + /* This is the SHA-256 hash of the RSA template from the TCG + * EK Credential Profile spec. + */ + TPM2B_32_BYTE_VALUE RSA_TEMPLATE_EK_EXTRA = { + .t = {32, { + 0x68, 0xd1, 0xa2, 0x41, 0xfb, 0x27, 0x2f, 0x03, + 0x90, 0xbf, 0xd0, 0x42, 0x8d, 0xad, 0xee, 0xb0, + 0x2b, 0xf4, 0xa1, 0xcd, 0x46, 0xab, 0x6c, 0x39, + 0x1b, 0xa3, 0x1f, 0x51, 0x87, 0x06, 0x8e, 0x6a + } + } + }; + assert(sizeof(size_t) == sizeof(uint32_t)); /* Command format. @@ -926,15 +953,16 @@ static void rsa_command_handler(void *cmd_body, } N.b.size = sizeof(N.t.buffer); p.b.size = sizeof(p.t.buffer); - seed.b.size = sizeof(seed.t.buffer); - rand_bytes(seed.b.buffer, seed.b.size); + seed.b.size = sizeof(VERIFY_SEED); + memcpy(seed.b.buffer, VERIFY_SEED, sizeof(VERIFY_SEED)); if (in_len > 0) { memcpy(label, in, in_len); label[in_len] = '\0'; } if (_cpri__GenerateKeyRSA( &N.b, &p.b, key_len, RSA_F4, TPM_ALG_SHA256, - &seed.b, in_len ? label : NULL, NULL, NULL) + &seed.b, in_len ? label : NULL, + &RSA_TEMPLATE_EK_EXTRA.b, NULL) != CRYPT_SUCCESS) { *response_size = 0; } else { diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py index 7f7c28d5e6..1e700cb435 100644 --- a/test/tpm_test/rsa_test.py +++ b/test/tpm_test/rsa_test.py 
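Review bot: `RSA_TEMPLATE_EK_EXTRA` in `rsa_command_handler` is named like a constant but is a mutable automatic variable, rebuilt on the stack on each call and passed by address to `_cpri__GenerateKeyRSA`. The other fixed vectors visible in this file (`RSA_2048_Q`, `VERIFY_SEED`) are `static const` at file scope. Declaring this one `static const TPM2B_32_BYTE_VALUE` next to them would match, assuming the receiving parameter can take a const pointer (its prototype is not fully visible here). The comment would also be easier to verify if it named which template and section of the TCG EK Credential Profile the digest was computed from.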
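Review bot: Replacing `rand_bytes(seed.b.buffer, seed.b.size)` with a copy of `VERIFY_SEED` makes every key this test command produces a function of a constant that is public in the source tree, and nothing here or at the definition of `VERIFY_SEED` says so. A comment on `VERIFY_SEED` such as `/* Fixed known-answer seed for the keygen test command; keys derived from it are public and must never leave test builds. */` would record that. It is also worth confirming that the handler is compiled only under `CRYPTO_TEST_SETUP`, since the guard is not visible in this hunk. The new `seed.b.size = sizeof(VERIFY_SEED)` relies on `seed.t.buffer` holding at least 32 bytes; `BUILD_ASSERT(sizeof(VERIFY_SEED) <= sizeof(seed.t.buffer));` would pin that if the declaration of `seed`, which is outside the hunk, does not already guarantee it.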
@@ -598,10 +598,10 @@ _KEYTEST_INPUTS = ( ) _KEYGEN_INPUTS = ( - (768, 65537, ''), - (1024, 65537, 'rsa_test'), - (2048, 65537, 'rsa_test'), - (2048, 65537, ''), + (768, 65537, '', None), + (1024, 65537, 'rsa_test', None), + (2048, 65537, 'RSA key by vendor', 20811475686431332186511278472307159547870512766846593830860105577496044159545322178313772755518365593670114793803805067608811418757734989708137784444223785391864604211835387393923163468734914392307047296990698533218399115126417934050463597455237478939601236799120239663591264311485133747167378663829046579164891864068853210530642835833947569643788911200934265596274935082689832626616967124524353322373059893974744194447740045242468136414689225322177212281193879756355471091445748150740871146034049776312457888356154834233819876846764944450478069436248506560967902863015152471662817623176815923756421011384149834497587L), + (2048, 65537, '', None), ) # 2048-bit will be done in hardware (i.e. fast), rest are in software. @@ -681,8 +681,8 @@ def _keytest_tests(tpm): def _keygen_tests(tpm): for data in _KEYGEN_INPUTS: - key_len, e, label = data - test_name = 'RSA-KEYGEN:%d:%d:%s' % data + key_len, e, label, expected_N = data + test_name = 'RSA-KEYGEN:%d:%d:%s' % data[:-1] cmd = _keygen_cmd(key_len, e, label) wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd)) @@ -693,6 +693,9 @@ def _keygen_tests(tpm): test_name, utils.hex_dump(result))) N = int(binascii.b2a_hex(result[0:result_len * 2 / 3]), 16) + if expected_N and N != expected_N: + raise subcmd.TpmTestError('%s error:%s' % ( + test_name, utils.hex_dump(result))) p = int(binascii.b2a_hex(result[result_len * 2 / 3:]), 16) q = N / p if not rsa.prime.is_prime(p): |
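Review bot: The known-answer check added to `_keygen_tests` raises `'%s error:%s' % (test_name, utils.hex_dump(result))`, which does not say that the modulus mismatched or what value was expected. It also appears to be the same text as the failure raised just above it. A message like `'%s error: N mismatch, expected %x, got %x' % (test_name, expected_N, N)` would make a regression in the seed derivation identifiable from the log. The guard would read more precisely as `if expected_N is not None and N != expected_N:`. The function starts in the previous hunk and continues past this one.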