-rw-r--r--board/cr50/dcrypto/app_cipher.c2
-rw-r--r--board/cr50/dcrypto/compare.c2
-rw-r--r--board/cr50/dcrypto/crypto_common.h34
-rw-r--r--board/cr50/dcrypto/dcrypto.h145
-rw-r--r--board/cr50/dcrypto/fips.c4
-rw-r--r--board/cr50/dcrypto/fips_rand.c3
-rw-r--r--board/cr50/dcrypto/fips_rand.h61
-rw-r--r--board/cr50/dcrypto/hmacsha2.h9
-rw-r--r--board/cr50/dcrypto/internal.h148
-rw-r--r--board/cr50/dcrypto/p256.c2
-rw-r--r--board/cr50/dcrypto/p256_ec.c7
-rw-r--r--board/cr50/dcrypto/u2f.c4
-rw-r--r--board/cr50/dcrypto/x509.c4
-rw-r--r--board/cr50/tpm2/aes.c2
-rw-r--r--board/cr50/tpm2/hkdf.c1
-rw-r--r--board/cr50/tpm2/rsa.c3
-rw-r--r--common/ccd_config.c1
-rw-r--r--test/u2f.c3
18 files changed, 231 insertions, 204 deletions
diff --git a/board/cr50/dcrypto/app_cipher.c b/board/cr50/dcrypto/app_cipher.c
index 6bbcfdab11..004db6bd6c 100644
--- a/board/cr50/dcrypto/app_cipher.c
+++ b/board/cr50/dcrypto/app_cipher.c
@@ -4,7 +4,7 @@
* found in the LICENSE file.
*/
#include "crypto_api.h"
-#include "dcrypto.h"
+#include "internal.h"
#include "registers.h"
/* The default build options compile for size (-Os); instruct the
diff --git a/board/cr50/dcrypto/compare.c b/board/cr50/dcrypto/compare.c
index 494e26617e..baf37927b0 100644
--- a/board/cr50/dcrypto/compare.c
+++ b/board/cr50/dcrypto/compare.c
@@ -3,7 +3,7 @@
* found in the LICENSE file.
*/
-#include "dcrypto.h"
+#include "internal.h"
/**
* CRYPTO_FAST_COMPARE = 1 will enable machine word reads if performance
diff --git a/board/cr50/dcrypto/crypto_common.h b/board/cr50/dcrypto/crypto_common.h
deleted file mode 100644
index 36e5ebe9b7..0000000000
--- a/board/cr50/dcrypto/crypto_common.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* Copyright 2021 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- */
-#ifndef __EC_FIPS_MODULE_COMMON_H
-#define __EC_FIPS_MODULE_COMMON_H
-
-/**
- * This header file contains types shared between public API in dcrypto.h and
- * internal functions in internal.h.
- */
-
-#include "common.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Result codes for crypto operations, targeting
- * high Hamming distance from each other.
- */
-enum dcrypto_result {
- DCRYPTO_OK = 0xAA33AAFF, /* Success. */
- DCRYPTO_FAIL = 0x55665501, /* Failure. */
- DCRYPTO_RETRY = 0xA5775A33,
- DCRYPTO_RESEED_NEEDED = 0x36AA6355,
-};
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __EC_FIPS_MODULE_COMMON_H */
diff --git a/board/cr50/dcrypto/dcrypto.h b/board/cr50/dcrypto/dcrypto.h
index 50285286d9..36f2c40fee 100644
--- a/board/cr50/dcrypto/dcrypto.h
+++ b/board/cr50/dcrypto/dcrypto.h
@@ -13,11 +13,22 @@
extern "C" {
#endif
-#include "crypto_common.h"
-#include "internal.h"
-
+#include <stdbool.h>
#include <stddef.h>
+#include "hmacsha2.h"
+
+/**
+ * Result codes for crypto operations, targeting
+ * high Hamming distance from each other.
+ */
+enum dcrypto_result {
+ DCRYPTO_OK = 0xAA33AAFF, /* Success. */
+ DCRYPTO_FAIL = 0x55665501, /* Failure. */
+ DCRYPTO_RETRY = 0xA5775A33,
+ DCRYPTO_RESEED_NEEDED = 0x36AA6355,
+};
+
enum cipher_mode {
CIPHER_MODE_ECB = 0, /* NIST SP 800-38A */
CIPHER_MODE_CTR = 1, /* NIST SP 800-38A */
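Review bot: With `crypto_common.h` and `internal.h` dropped from the include list here, `dcrypto.h` no longer pulls in `common.h`, yet later hunks of this same header use `uint32_t`, `uint8_t` and `__packed`. Unless `hmacsha2.h` happens to provide all of them, the public header now compiles only when the including file has already included the right headers. The `#include "common.h"` added ahead of `dcrypto.h` in `board/cr50/tpm2/aes.c` suggests that is the case. I would add `#include <stdint.h>` next to `<stddef.h>` and include whichever header defines `__packed` directly, so the public API header stays self-contained.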
@@ -158,8 +169,44 @@ const struct sha256_digest *HMAC_SHA256_hw_final(struct hmac_sha256_ctx *ctx);
/*
* BIGNUM utility methods.
*/
+
+/*
+ * Use this structure to avoid alignment problems with input and output
+ * pointers.
+ */
+struct access_helper {
+ uint32_t udata;
+} __packed;
+
+
+struct LITE_BIGNUM {
+ uint32_t dmax; /* Size of d, in 32-bit words. */
+ struct access_helper *d; /* Word array, little endian format ... */
+};
+
+
void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len);
+/**
+ * Return number of bits in big number.
+ * @param b pointer to big number
+ * @return length in bits
+ */
+static inline uint32_t bn_bits(const struct LITE_BIGNUM *b)
+{
+ return b->dmax * sizeof(*b->d) * 8;
+}
+
+/**
+ * Return number of bytes in big number.
+ * @param b pointer to big number
+ * @return length in bits
+ */
+static inline size_t bn_size(const struct LITE_BIGNUM *b)
+{
+ return b->dmax * sizeof(*b->d);
+}
+
/*
* RSA.
*/
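Review bot: The doc comment on `bn_size()` says `@return length in bits`, but the function returns `b->dmax * sizeof(*b->d)`, which is a byte count. The line looks copied from `bn_bits()` and should read `@return length in bytes`. Separately, the removed macros multiplied by the explicit `LITE_BN_BYTES` / `LITE_BN_BITS2` constants, while the new inline functions depend on `sizeof(struct access_helper)` being 4. A compile-time assertion that `sizeof(struct access_helper) == sizeof(uint32_t)` next to the struct would pin that assumption now that length calculations for key material rest on it.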
@@ -235,6 +282,52 @@ int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
* EC.
*/
+/*
+ * Accelerated p256. FIPS PUB 186-4
+ */
+#define P256_BITSPERDIGIT 32
+#define P256_NDIGITS 8
+#define P256_NBYTES 32
+
+typedef uint32_t p256_digit;
+/**
+ * P-256 integers internally represented as little-endian 32-bit integer
+ * digits in platform-specific format. On little-endian platform this would
+ * be regular 256-bit little-endian unsigned integer. On big-endian platform
+ * it would big-endian 32-bit digits in little-endian order.
+ *
+ * Defining p256_int as struct to leverage struct assignment.
+ */
+typedef struct p256_int {
+ union {
+ p256_digit a[P256_NDIGITS];
+ uint8_t b8[P256_NBYTES];
+ };
+} p256_int;
+
+/* Clear a p256_int to zero. */
+void p256_clear(p256_int *a);
+
+/* Check p256 is odd. */
+int p256_is_odd(const p256_int *a);
+
+/* Outputs big-endian binary form. No leading zero skips. */
+void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES]);
+
+/**
+ * Reads from big-endian binary form, thus pre-pad with leading
+ * zeros if short. Input length is assumed P256_NBYTES bytes.
+ */
+void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int *dst);
+
+/**
+ * Reads from big-endian binary form of given size, add padding with
+ * zeros if short. Check that leading digits beyond P256_NBYTES are zeroes.
+ *
+ * @return true if provided big-endian fits into p256.
+ */
+bool p256_from_be_bin_size(const uint8_t *src, size_t len, p256_int *dst);
+
/**
* Check if point is on NIST P-256 curve
*
@@ -276,16 +369,19 @@ int DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d,
const uint8_t bytes[P256_NBYTES]);
/**
- * Pair-wise consistency test for private and public key.
- *
- * @param drbg - DRBG to use for nonce generation
- * @param d - private key (scalar)
- * @param x - public key part
- * @param y - public key part
- * @return !0 on success
+ * TODO: Provide provide proper wrappers for dcrypto_p256_ecdsa_verify()
+ * and fips_p256_ecdsa_sign()
*/
-int DCRYPTO_p256_key_pwct(struct drbg_ctx *drbg, const p256_int *d,
- const p256_int *x, const p256_int *y);
+int dcrypto_p256_ecdsa_verify(const p256_int *key_x, const p256_int *key_y,
+ const p256_int *message, const p256_int *r,
+ const p256_int *s)
+ __attribute__((warn_unused_result));
+
+/* wrapper around dcrypto_p256_ecdsa_sign using FIPS-compliant HMAC_DRBG */
+int fips_p256_ecdsa_sign(const p256_int *key, const p256_int *message,
+ p256_int *r, p256_int *s);
+
+/************************************************************/
/* P256 based integration encryption (DH+AES128+SHA256).
* Not FIPS 140-2 compliant, not used other than for tests
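Review bot: `fips_p256_ecdsa_sign()` is declared without `__attribute__((warn_unused_result))` although `dcrypto_p256_ecdsa_verify()` just above it carries it, and neither declaration documents what the `int` return value means. The code base mixes `enum dcrypto_result` codes with `!0 on success` returns (see the comment on `DCRYPTO_p256_key_pwct()`), so a caller of a sign or verify primitive should not have to guess the convention. I would add the attribute to the sign declaration and an `@return` line to both. The same gap applies to the status-returning declarations this commit moves into `internal.h` (`fips_trng_startup()`, `fips_drbg_init()`, `fips_p256_hmac_drbg_generate()`, `fips_hmac_drbg_generate_reseed()`, `DCRYPTO_p256_key_pwct()`), where an ignored failure could let a caller proceed with an uninitialized DRBG or an unchecked key pair. The TODO text also has a doubled word, `Provide provide`.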
@@ -458,6 +554,15 @@ int DCRYPTO_ladder_is_enabled(void);
*/
/**
+ * Initialize the true random number generator (TRNG) in FIPS-compliant
+ * way:
+ * 1. Set 1-bit alphabet
+ * 2. Set maximum possible range for internal ring-oscillator
+ * 3. Disable any other post-processing beyond #2
+ **/
+void fips_init_trng(void);
+
+/**
* Returns random number from TRNG with indication wherever reading is valid.
* This is different from rand() which doesn't provide any indication.
* High 32-bits set to zero in case of error; otherwise value >> 32 == 1
@@ -504,6 +609,22 @@ bool fips_trng_bytes(void *buffer, size_t len)
bool fips_rand_bytes(void *buffer, size_t len)
__attribute__((warn_unused_result));
+
+/**
+ * Utility functions.
+ */
+
+/**
+ * An implementation of memset that ought not to be optimized away;
+ * useful for scrubbing security sensitive buffers.
+ *
+ * @param d destination buffer
+ * @param c 8-bit value to fill buffer
+ * @param n size of buffer in bytes
+ * @return d
+ */
+void *always_memset(void *d, int c, size_t n);
+
#ifdef __cplusplus
}
#endif
diff --git a/board/cr50/dcrypto/fips.c b/board/cr50/dcrypto/fips.c
index f08b54aea7..b3b401fdfb 100644
--- a/board/cr50/dcrypto/fips.c
+++ b/board/cr50/dcrypto/fips.c
@@ -5,15 +5,13 @@
#include "builtin/endian.h"
#include "console.h"
-#include "dcrypto.h"
#include "ec_commands.h"
#include "extension.h"
-#include "fips.h"
-#include "fips_rand.h"
#include "flash.h"
#include "flash_info.h"
#include "flash_log.h"
#include "hooks.h"
+#include "internal.h"
#include "new_nvmem.h"
#include "nvmem.h"
#include "nvmem_vars.h"
diff --git a/board/cr50/dcrypto/fips_rand.c b/board/cr50/dcrypto/fips_rand.c
index 701fca0a6f..4529a1cfbf 100644
--- a/board/cr50/dcrypto/fips_rand.c
+++ b/board/cr50/dcrypto/fips_rand.c
@@ -4,8 +4,7 @@
*/
#include "console.h"
-#include "fips.h"
-#include "fips_rand.h"
+#include "internal.h"
#include "flash_log.h"
#include "init_chip.h"
#include "registers.h"
diff --git a/board/cr50/dcrypto/fips_rand.h b/board/cr50/dcrypto/fips_rand.h
index af39269382..10e44c7414 100644
--- a/board/cr50/dcrypto/fips_rand.h
+++ b/board/cr50/dcrypto/fips_rand.h
@@ -18,22 +18,6 @@ extern "C" {
#define TRNG_SAMPLE_BITS 1
-/**
- * Initialize the true random number generator (TRNG) in FIPS-compliant
- * way:
- * 1. Set 1-bit alphabet
- * 2. Set maximum possible range for internal ring-oscillator
- * 3. Disable any other post-processing beyond #2
- **/
-void fips_init_trng(void);
-
-/**
- * Returns random number with indication wherever reading is valid. This is
- * different from rand() which doesn't provide any indication.
- * High 32-bits set to zero in case of error; otherwise value >> 32 == 1
- * Use of uint64_t vs. struct results in more efficient code.
- */
-uint64_t read_rand(void);
/**
* TRNG Health Tests
@@ -86,52 +70,7 @@ uint64_t read_rand(void);
*/
#define APT_CUTOFF_SAMPLES 692
-/**
- * FIPS-compliant TRNG startup.
- * The entropy source's startup tests shall run the continuous health tests
- * over at least 4096 consecutive samples.
- * Note: This function can throw FIPS_FATAL_TRNG error
- *
- * To hide latency of reading TRNG data, this test is executed in 2 stages
- * @param stage is 0 or 1, choosing the stage. On each stage 2048
- * samples are processed. Assuming that some other tasks can be executed
- * between stages, when TRNG FIFO if filled with samples.
- *
- * Some number of samples will be available in entropy_fifo
- */
-bool fips_trng_startup(int stage);
-
-
-/* initialize cr50-wide DRBG replacing rand */
-bool fips_drbg_init(void);
-/* mark cr50-wide DRBG as not initialized */
-void fips_drbg_init_clear(void);
-
-/* FIPS DRBG initialized at boot time/first use. */
-extern struct drbg_ctx fips_drbg;
-/**
- * Generate valid P-256 random from FIPS DRBG, reseed DRBG with entropy from
- * verified TRNG if needed.
- *
- * @param drbg DRBG to use
- * @param out output value
- * @return HMAC_DRBG_SUCCESS if out contains random.
- */
-enum hmac_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
- p256_int *out);
-
-/* wrapper around dcrypto_p256_ecdsa_sign using FIPS-compliant HMAC_DRBG */
-int fips_p256_ecdsa_sign(const p256_int *key, const p256_int *message,
- p256_int *r, p256_int *s);
-/**
- * wrapper around hmac_drbg_generate to automatically reseed drbg
- * when needed.
- */
-enum hmac_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx, void *out,
- size_t out_len,
- const void *input,
- size_t input_len);
#ifdef __cplusplus
}
#endif
diff --git a/board/cr50/dcrypto/hmacsha2.h b/board/cr50/dcrypto/hmacsha2.h
index 45e5245a65..5e34b99189 100644
--- a/board/cr50/dcrypto/hmacsha2.h
+++ b/board/cr50/dcrypto/hmacsha2.h
@@ -23,6 +23,15 @@
#define SHA256_BLOCK_DWORDS (SHA256_BLOCK_SIZE / sizeof(uint64_t))
#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
+#define SHA_DIGEST_WORDS (SHA_DIGEST_SIZE / sizeof(uint32_t))
+#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
+
+#ifdef CONFIG_UPTO_SHA512
+#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_SIZE
+#else
+#define SHA_DIGEST_MAX_BYTES SHA256_DIGEST_SIZE
+#endif
+
/**
* Hash contexts. Each context starts with pointer to vtable containing
* functions to perform implementation specific operations.
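Review bot: The added `#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))` duplicates the definition this header already has two lines above it. The two definitions are token-identical, so the redefinition compiles today, but it is redundant and becomes a macro-redefinition diagnostic as soon as one copy is edited. Only `SHA_DIGEST_WORDS` and the `SHA_DIGEST_MAX_BYTES` block need to move here from `internal.h`, so the second `SHA256_DIGEST_WORDS` line can be dropped.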
diff --git a/board/cr50/dcrypto/internal.h b/board/cr50/dcrypto/internal.h
index f2eb267e0f..e07389542c 100644
--- a/board/cr50/dcrypto/internal.h
+++ b/board/cr50/dcrypto/internal.h
@@ -9,11 +9,11 @@
#include <string.h>
#include "common.h"
-#include "crypto_common.h"
-
-#include "util.h"
-
+#include "dcrypto.h"
+#include "fips.h"
+#include "fips_rand.h"
#include "hmacsha2.h"
+#include "util.h"
#ifdef __cplusplus
extern "C" {
@@ -27,26 +27,10 @@ extern "C" {
#define CTRL_ENCRYPT 1
#define CTRL_NO_SOFT_RESET 0
-#define SHA_DIGEST_WORDS (SHA_DIGEST_SIZE / sizeof(uint32_t))
-#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
-
-#ifdef CONFIG_UPTO_SHA512
-#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_SIZE
-#else
-#define SHA_DIGEST_MAX_BYTES SHA256_DIGEST_SIZE
-#endif
-
#ifndef CHAR_BIT
#define CHAR_BIT 8
#endif
-/*
- * Use this structure to avoid alignment problems with input and output
- * pointers.
- */
-struct access_helper {
- uint32_t udata;
-} __packed;
#ifndef SECTION_IS_RO
int dcrypto_grab_sha_hw(void);
@@ -62,17 +46,12 @@ void dcrypto_sha_fifo_load(const void *data, size_t n);
#define LITE_BN_BITS2 32
#define LITE_BN_BYTES 4
-struct LITE_BIGNUM {
- uint32_t dmax; /* Size of d, in 32-bit words. */
- struct access_helper *d; /* Word array, little endian format ... */
-};
#define BN_DIGIT(b, i) ((b)->d[(i)].udata)
void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len);
-#define bn_size(b) ((b)->dmax * LITE_BN_BYTES)
#define bn_words(b) ((b)->dmax)
-#define bn_bits(b) ((b)->dmax * LITE_BN_BITS2)
+
int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b);
int bn_check_topbit(const struct LITE_BIGNUM *N);
int bn_modexp(struct LITE_BIGNUM *output,
@@ -144,20 +123,69 @@ enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx, void *out,
size_t input_len);
void drbg_exit(struct drbg_ctx *ctx);
+/**
+ * TRNG service functions
+ */
+
+/**
+ * Returns random number with indication wherever reading is valid. This is
+ * different from rand() which doesn't provide any indication.
+ * High 32-bits set to zero in case of error; otherwise value >> 32 == 1
+ * Use of uint64_t vs. struct results in more efficient code.
+ */
+uint64_t read_rand(void);
+
+/**
+ * FIPS-compliant TRNG startup.
+ * The entropy source's startup tests shall run the continuous health tests
+ * over at least 4096 consecutive samples.
+ * Note: This function can throw FIPS_FATAL_TRNG error
+ *
+ * To hide latency of reading TRNG data, this test is executed in 2 stages
+ * @param stage is 0 or 1, choosing the stage. On each stage 2048
+ * samples are processed. Assuming that some other tasks can be executed
+ * between stages, when TRNG FIFO if filled with samples.
+ *
+ * Some number of samples will be available in entropy_fifo
+ */
+bool fips_trng_startup(int stage);
+
+
+/* initialize cr50-wide DRBG replacing rand */
+bool fips_drbg_init(void);
+/* mark cr50-wide DRBG as not initialized */
+void fips_drbg_init_clear(void);
+
+/* FIPS DRBG initialized at boot time/first use. */
+extern struct drbg_ctx fips_drbg;
+
+/**
+ * Generate valid P-256 random from FIPS DRBG, reseed DRBG with entropy from
+ * verified TRNG if needed.
+ *
+ * @param drbg DRBG to use
+ * @param out output value
+ * @return HMAC_DRBG_SUCCESS if out contains random.
+ */
+enum hmac_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
+ p256_int *out);
+
+/**
+ * wrapper around hmac_drbg_generate to automatically reseed drbg
+ * when needed.
+ */
+enum hmac_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx, void *out,
+ size_t out_len,
+ const void *input,
+ size_t input_len);
+
/* Set seed for fast random number generator using LFSR. */
void set_fast_random_seed(uint32_t seed);
/* Generate week pseudorandom using LFSR for blinding purposes. */
uint32_t fast_random(void);
-/*
- * Accelerated p256. FIPS PUB 186-4
- */
-#define P256_BITSPERDIGIT 32
-#define P256_NDIGITS 8
-#define P256_NBYTES 32
-typedef uint32_t p256_digit;
typedef int32_t p256_sdigit;
typedef uint64_t p256_ddigit;
typedef int64_t p256_sddigit;
@@ -165,32 +193,11 @@ typedef int64_t p256_sddigit;
#define P256_DIGITS(x) ((x)->a)
#define P256_DIGIT(x, y) ((x)->a[y])
-/**
- * P-256 integers internally represented as little-endian 32-bit integer
- * digits in platform-specific format. On little-endian platform this would
- * be regular 256-bit little-endian unsigned integer. On big-endian platform
- * it would big-endian 32-bit digits in little-endian order.
- *
- * Defining p256_int as struct to leverage struct assignment.
- */
-typedef struct p256_int {
- union {
- p256_digit a[P256_NDIGITS];
- uint8_t b8[P256_NBYTES];
- };
-} p256_int;
-
extern const p256_int SECP256r1_nMin2;
-/* Clear a p256_int to zero. */
-void p256_clear(p256_int *a);
-
/* Check p256 is a zero. */
int p256_is_zero(const p256_int *a);
-/* Check p256 is odd. */
-int p256_is_odd(const p256_int *a);
-
/* c := a + (single digit)b, returns carry 1 on carry. */
int p256_add_d(const p256_int *a, p256_digit b, p256_int *c);
@@ -200,22 +207,6 @@ int p256_cmp(const p256_int *a, const p256_int *b);
/* Return -1 if a < b. */
int p256_lt_blinded(const p256_int *a, const p256_int *b);
-/* Outputs big-endian binary form. No leading zero skips. */
-void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES]);
-
-/**
- * Reads from big-endian binary form, thus pre-pad with leading
- * zeros if short. Input length is assumed P256_NBYTES bytes.
- */
-void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int *dst);
-
-/**
- * Reads from big-endian binary form of given size, add padding with
- * zeros if short. Check that leading digits beyond P256_NBYTES are zeroes.
- *
- * @return true if provided big-endian fits into p256.
- */
-bool p256_from_be_bin_size(const uint8_t *src, size_t len, p256_int *dst);
/**
* Raw sign with provided nonce (k). Used internally and for testing.
@@ -248,6 +239,18 @@ enum dcrypto_result dcrypto_p256_is_valid_point(const p256_int *x,
const p256_int *y)
__attribute__((warn_unused_result));
+/**
+ * Pair-wise consistency test for private and public key.
+ *
+ * @param drbg - DRBG to use for nonce generation
+ * @param d - private key (scalar)
+ * @param x - public key part
+ * @param y - public key part
+ * @return !0 on success
+ */
+int DCRYPTO_p256_key_pwct(struct drbg_ctx *drbg, const p256_int *d,
+ const p256_int *x, const p256_int *y);
+
/* Wipe content of rnd with pseudo-random values. */
void p256_fast_random(p256_int *rnd);
@@ -291,11 +294,6 @@ void dcrypto_imem_load(size_t offset, const uint32_t *opcodes,
*/
uint32_t dcrypto_dmem_load(size_t offset, const void *words, size_t n_words);
-/**
- * An implementation of memset that ought not to be optimized away;
- * useful for scrubbing security sensitive buffers.
- */
-void *always_memset(void *s, int c, size_t n);
#ifndef __alias
#define __alias(func) __attribute__((alias(#func)))
diff --git a/board/cr50/dcrypto/p256.c b/board/cr50/dcrypto/p256.c
index 49c2fe4b2b..cfbf068b7a 100644
--- a/board/cr50/dcrypto/p256.c
+++ b/board/cr50/dcrypto/p256.c
@@ -3,8 +3,8 @@
* found in the LICENSE file.
*/
-#include "dcrypto.h"
#include "endian.h"
+#include "internal.h"
const p256_int SECP256r1_nMin2 = /* P-256 curve order - 2 */
{ .a = { 0xfc632551 - 2, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, -1, -1, 0,
diff --git a/board/cr50/dcrypto/p256_ec.c b/board/cr50/dcrypto/p256_ec.c
index b681d7ddef..5c7f355a67 100644
--- a/board/cr50/dcrypto/p256_ec.c
+++ b/board/cr50/dcrypto/p256_ec.c
@@ -2,12 +2,7 @@
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
-
-#include "dcrypto.h"
-#include "fips.h"
-#include "fips_rand.h"
-
-#include <stdint.h>
+#include "internal.h"
/* p256_base_point_mul sets {out_x,out_y} = nG, where n is < the
* order of the group. */
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 21997f07fc..e8f6584c69 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -7,9 +7,7 @@
#include "console.h"
#endif
-#include "dcrypto.h"
-#include "fips.h"
-#include "fips_rand.h"
+#include "internal.h"
#include "u2f_cmds.h"
#include "u2f_impl.h"
diff --git a/board/cr50/dcrypto/x509.c b/board/cr50/dcrypto/x509.c
index 9005325a3e..6c4a8f0b15 100644
--- a/board/cr50/dcrypto/x509.c
+++ b/board/cr50/dcrypto/x509.c
@@ -3,9 +3,7 @@
* found in the LICENSE file.
*/
-#include "dcrypto.h"
-
-#include <stdint.h>
+#include "internal.h"
/* Limit the size of long form encoded objects to < 64 kB. */
#define MAX_ASN1_OBJ_LEN_BYTES 3
diff --git a/board/cr50/tpm2/aes.c b/board/cr50/tpm2/aes.c
index 5fe431222a..7adca75f3b 100644
--- a/board/cr50/tpm2/aes.c
+++ b/board/cr50/tpm2/aes.c
@@ -4,7 +4,9 @@
*/
#include "CryptoEngine.h"
+#include "common.h"
#include "dcrypto.h"
+#include "util.h"
#include <assert.h>
diff --git a/board/cr50/tpm2/hkdf.c b/board/cr50/tpm2/hkdf.c
index dcc494af16..d950d865ab 100644
--- a/board/cr50/tpm2/hkdf.c
+++ b/board/cr50/tpm2/hkdf.c
@@ -4,6 +4,7 @@
*/
#include "dcrypto.h"
+#include "util.h"
#ifdef CRYPTO_TEST_SETUP
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 0dc0404b79..78cc3562de 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -8,8 +8,7 @@
#include "Hierarchy_fp.h"
#include "dcrypto.h"
-#include "trng.h"
-
+#include "util.h"
#include <assert.h>
diff --git a/common/ccd_config.c b/common/ccd_config.c
index d009acfd92..12e88689ad 100644
--- a/common/ccd_config.c
+++ b/common/ccd_config.c
@@ -21,6 +21,7 @@
#include "tpm_registers.h"
#include "tpm_vendor_cmds.h"
#include "wp.h"
+#include "util.h"
#define CPRINTS(format, args...) cprints(CC_CCD, format, ## args)
#define CPRINTF(format, args...) cprintf(CC_CCD, format, ## args)
diff --git a/test/u2f.c b/test/u2f.c
index ddaba0e8dd..36c1b5a1d4 100644
--- a/test/u2f.c
+++ b/test/u2f.c
@@ -8,6 +8,9 @@
#include "test_util.h"
#include "u2f_impl.h"
+#include "internal.h"
+#include "util.h"
+
/******************************************************************************/
/* Mock implementations of cr50 board.
*/