summaryrefslogtreecommitdiff
path: root/board/cr50/fips_cmd.c
diff options
context:
space:
mode:
Diffstat (limited to 'board/cr50/fips_cmd.c')
-rw-r--r--board/cr50/fips_cmd.c90
1 files changed, 41 insertions, 49 deletions
diff --git a/board/cr50/fips_cmd.c b/board/cr50/fips_cmd.c
index 554b048c25..6642bd3396 100644
--- a/board/cr50/fips_cmd.c
+++ b/board/cr50/fips_cmd.c
@@ -21,7 +21,7 @@
#include "system.h"
#include "task.h"
#include "tpm_nvmem_ops.h"
-#include "u2f_cmds.h"
+#include "u2f_impl.h"
/**
* Create IRQ handler calling FIPS module's dcrypto_done_interrupt() on
@@ -68,46 +68,47 @@ static void fips_print_status(void)
}
DECLARE_HOOK(HOOK_INIT, fips_print_status, HOOK_PRIO_INIT_PRINT_FIPS_STATUS);
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#ifdef CRYPTO_TEST_SETUP
static const uint8_t k_salt = NVMEM_VAR_G2F_SALT;
-static void print_u2f_keys_status(void)
-{
- struct u2f_state state;
- bool load_result;
- size_t hmac_len, drbg_len;
-
- hmac_len = read_tpm_nvmem_size(TPM_HIDDEN_U2F_KEK);
- drbg_len = read_tpm_nvmem_size(TPM_HIDDEN_U2F_KH_SALT);
- load_result = u2f_load_or_create_state(&state, false);
+/* Can't include TPM2 headers, so just define constant locally. */
+#define HR_NV_INDEX (1U << 24)
- CPRINTS("U2F HMAC len: %u, U2F Entropy len: %u, U2F load:%u, "
- "State DRBG len:%u", hmac_len,
- drbg_len, load_result, state.drbg_entropy_size);
-}
-
-static void u2f_keys(void)
+/* Wipe old U2F keys. */
+static void u2f_zeroize_non_fips(void)
{
- CPRINTS("U2F state %x", (uintptr_t)u2f_get_state());
- print_u2f_keys_status();
+ const uint32_t u2fobjs[] = { TPM_HIDDEN_U2F_KEK | HR_NV_INDEX,
+ TPM_HIDDEN_U2F_KH_SALT | HR_NV_INDEX, 0 };
+ /* Delete NVMEM_VAR_G2F_SALT. */
+ setvar(&k_salt, sizeof(k_salt), NULL, 0);
+ /* Remove U2F keys and wipe all deleted objects. */
+ nvmem_erase_tpm_data_selective(u2fobjs);
}
-/* Set U2F keys as old. */
-static void fips_set_old_u2f_keys(void)
+/* Set U2F keys to old or new version. */
+static void fips_set_u2f_keys(bool active)
{
- uint8_t random[32];
-
- u2f_zeroize_keys();
-
- /* Create fake u2f keys old style */
- fips_trng_bytes(random, sizeof(random));
- setvar(&k_salt, sizeof(k_salt), random, sizeof(random));
-
- fips_trng_bytes(random, sizeof(random));
- write_tpm_nvmem_hidden(TPM_HIDDEN_U2F_KEK, sizeof(random), random, 1);
- fips_trng_bytes(random, sizeof(random));
- write_tpm_nvmem_hidden(TPM_HIDDEN_U2F_KH_SALT, sizeof(random), random,
- 1);
+ if (!active) {
+ /* Old version. */
+ uint8_t random[32];
+ /* Create fake u2f keys old style */
+ fips_trng_bytes(random, sizeof(random));
+ setvar(&k_salt, sizeof(k_salt), random, sizeof(random));
+
+ fips_trng_bytes(random, sizeof(random));
+ write_tpm_nvmem_hidden(TPM_HIDDEN_U2F_KEK, sizeof(random),
+ random, 1);
+ fips_trng_bytes(random, sizeof(random));
+ write_tpm_nvmem_hidden(TPM_HIDDEN_U2F_KH_SALT, sizeof(random),
+ random, 1);
+ } else {
+ /**
+ * TODO(sukhomlinov): Implement new key generation after merging
+ * https://crrev.com/c/3034852 and adding FIPS key gen.
+ */
+ u2f_zeroize_non_fips();
+ }
+ system_reset(EC_RESET_FLAG_SECURITY);
}
#endif
@@ -126,20 +127,11 @@ static int cmd_fips_status(int argc, char **argv)
fips_print_test_time();
fips_print_mode();
}
-#if defined(CRYPTO_TEST_SETUP) || defined(CR50_DEV)
+#ifdef CRYPTO_TEST_SETUP
else if (!strncmp(argv[1], "new", 3))
- CPRINTS("u2f update status: %d", u2f_update_keys());
- else if (!strncmp(argv[1], "del", 3))
- CPRINTS("u2f zeroization status: %d",
- u2f_zeroize_keys());
+ fips_set_u2f_keys(true); /* we can reboot here... */
else if (!strncmp(argv[1], "old", 3))
- fips_set_old_u2f_keys();
- else if (!strncmp(argv[1], "u2f", 3))
- print_u2f_keys_status();
- else if (!strncmp(argv[1], "gen", 3))
- u2f_keys();
-#endif
-#ifdef CRYPTO_TEST_SETUP
+ fips_set_u2f_keys(false); /* we can reboot here... */
else if (!strncmp(argv[1], "trng", 4))
fips_break_cmd = FIPS_BREAK_TRNG;
else if (!strncmp(argv[1], "sha", 3))
@@ -152,7 +144,7 @@ static int cmd_fips_status(int argc, char **argv)
DECLARE_SAFE_CONSOLE_COMMAND(
fips, cmd_fips_status,
#ifdef CRYPTO_TEST_SETUP
- "[test | new | old | u2f | gen | trng | sha]",
+ "[test | new | old | trng | sha]",
"Report FIPS status, switch U2F key, run tests, simulate errors");
#else
"[test]", "Report FIPS status, run tests");
@@ -189,10 +181,10 @@ static enum vendor_cmd_rc fips_cmd(enum vendor_cmd_cc code, void *buf,
memcpy(buf, &fips_reverse, sizeof(fips_reverse));
*response_size = sizeof(fips_reverse);
break;
+#ifdef CRYPTO_TEST_SETUP
case FIPS_CMD_ON:
- u2f_update_keys();
+ fips_set_u2f_keys(true); /* we can reboot here... */
break;
-#ifdef CRYPTO_TEST_SETUP
case FIPS_CMD_BREAK_TRNG:
fips_break_cmd = FIPS_BREAK_TRNG;
break;
View Lorry Controller Status