Commit message | Author | Age | Files | Lines
* cr50: place .text.fips_checksum immediately after FIPS module [firmware-chameleon-14280.B-cr50_stab] | Vadim Sukhomlinov | 2021-10-12 | 1 | -10/+15

  .text.fips_checksum section was placed after .text which resulted in different address for it. Since address of this section is used in FIPS module it resulted in different digest computed.

  BUG=b:138578318
  TEST=make BOARD=cr50, check map file to ensure .text.fips_checksum is just after FIPS module.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ia054fec9191eac8818dcde139320eddbd7c8085b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3218580
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* fips: silence fips section filler | Vadim Bendebury | 2021-10-11 | 2 | -8/+15

  Script inserting FIPS checksum into the image uses the dd utility which generates stderr output even when there are no errors. This patch adds code which captures the dd stderr output and prints it out only if there is an actual error.

  stdout output of the script is suppressed unless make was invoked with V=1.

  Also made a few modifications as requested by shellcheck.

  BUG=none
  TEST=make output does not have extra lines. built and ran a Cr50 image, it reports successful FIPS integrity self check.

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: I9121bc5a9a40633b9a3d18ea5766bc1ed274a9c2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210946
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: use LTO module for TPM2 | Vadim Bendebury | 2021-10-11 | 1 | -20/+16

  In order to reduce code footprint, do not link TPM2 library modules, instead build TPM2 as a single relocatable object module, a collection of library sources compiled and linked with LTO enabled.

  BUG=b:65253310
  TEST=observed code space reduced by 1428 bytes, the bss_libtpm2 section remained practically unchanged:
    before:
    *** 5548 bytes in flash and 5652 bytes in RAM still ...
    000104d0 B __bss_libtpm2_start
    000155d7 B __bss_libtpm2_end
    after:
    *** 6976 bytes in flash and 5652 bytes in RAM still ...
    000104d0 B __bss_libtpm2_start
    000155d4 B __bss_libtpm2_end
  Verified that the new Cr50 image allows a Chrome OS to successfully boot and restart.

  Cq-Depend: chromium:3210050
  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: I32335df29a332da115d8af56c157d5ad4189e9b0
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210510
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
* cr50: improve stability and performance of tpmtest on H1 Red board | Vadim Sukhomlinov | 2021-10-11 | 2 | -4/+8

  Currently tpmtest.py fails to connect to H1 red board first time after it is flashed, which is not convenient. It looks like the workaround is to try to read any TPM register. So, implement a workaround.

  Frequency of FTDI can be safely increased to 2000Khz. Reduced delay to start transaction from 10ms to 200us which greatly improves overall testing (except for RSA which actually runs noticeable time). Overall time to run tests decreased from 165s to about 120s, but take into account RSA key gen tests alone are about 100s.

  BUG=none
  TEST=testtpm.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ib67b71b36457b33f38135f9cec269dcf35881f54
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3214771
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix test/tpm_test makefile to build bn_test | Vadim Sukhomlinov | 2021-10-09 | 2 | -1/+10

  test/tpm_test Makefile doesn't build bn_test properly. Need to add handling of difference between Cr50 and Chip/g dcrypto. Also, Cr50 code uses __always_inline for some functions which itself requires compiler optimization to turn on. Adding -O2 to CFLAGS.

  BUG=None
  TEST=make -C test/tpm_test clean
       make -C test/tpm_test
       make -C test/tpm_test clean
       make -C test/tpm_test CR50=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I08749ebaa930fd4f71d7406ed289bf480b5a8510
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3215057
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix fuzzing | Vadim Sukhomlinov | 2021-10-07 | 2 | -8/+17

  make runfuzztests started to fail once both https://crrev.com/c/3162473 and https://crrev.com/c/3208916 landed. Clang seems to be incorrectly discarding sections it generated for profiling, resulting in:

    __profc_DCRYPTO_hw_sha256_init' referenced in section .text.compute_hash[compute_hash]' of build/host/cr50_fuzz/libec.a(libec.a.2.o): defined in discarded section `__llvm_prf_cnts[__profd_DCRYPTO_hw_sha256_init]' of build/host/cr50_fuzz/libec.a(libec.a.2.o)
    __profc_DCRYPTO_hw_sha256_init' referenced in section .text.create_merkle_tree[create_merkle_tree]' of build/host/cr50_fuzz/libec.a(libec.a.2.o): defined in discarded section `__llvm_prf_cnts[__profd_DCRYPTO_hw_sha256_init]' of build/host/cr50_fuzz/libec.a(libec.a.2.o)
    clang-13: error: linker command failed with exit code 1 (use -v to see invocation)

  This definition of __always_inline should be useful in other cases, so moving it into common.h. Note, we have to #undef it first, as it is previously defined in system headers.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I073b38a68fd43a14dbe92063011c95758030b225
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3213113
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix make file dependencies for FIPS module | Vadim Sukhomlinov | 2021-10-07 | 2 | -1/+3

  Dependencies for FIPS module were incorrectly set as actual dependency on $(out)/ec_version.h and $(out)/env_config.h instead of order-only dependency, causing rebuild on any change in repository.

  BUG=b:202225290
  TEST=make BOARD=cr50
       echo ' ' >> board/cr50/tpm2/rsa.c
       make BOARD=cr50
       should only rebuild tpm2/rsa.c and not dcrypto/*

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4d2e8e4a2182ddf850ccfad18e9b517f41594d55
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3208539
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: change static inline to __always_inline | Vadim Sukhomlinov | 2021-10-07 | 2 | -73/+76

  gcc 11.2 changes semantic of how 'static inline' works with LTO, which causes either ODR or missing symbol issues during linking when several objects created by LTO.

  After several experiments with
    inline
    extern inline
  It seems that using __inline __attribute__(always_inline) is most reliable method.

  BUG=None
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4d0e8bed00bbc3b3e580c4c610a2f733f2525973
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3208916
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* Revert "cr50_fuzz: Add fuzzer for u2f commands" | Vadim Bendebury | 2021-10-07 | 12 | -276/+19

  This reverts commit 3cac98670745fc5ca82a058fab512567f8444759.

  Reason for revert: This patch breaks building of 'make buildall' and seems to be leaving some generated files in the root directory.

  Original change's description:
  > cr50_fuzz: Add fuzzer for u2f commands
  >
  > Currently there's only one fuzzer for Pinweaver and one for host commands in cr50. Add a fuzzer for the u2f commands (generate, sign, attest) used in the WebAuthn flow to ensure its security. Most regions of the concerning functions are covered except for pure error code returns and unreachable regions (currently auth secret is not used in sign and attest command yet).
  >
  > Rename old cr50_fuzz namings to pinweaver_fuzz, since they only cover Pinweaver commands.
  >
  > BUG=b:172367435
  > TEST=make buildall -j
  > TEST=make host-u2f_fuzz && \
  >   ./build/host/u2f_fuzz/u2f_fuzz.exe -timeout=10 \
  >   -ignore_ooms=false -ignore_timeouts=false -fork=71; \
  >   llvm-profdata merge -sparse default.profraw -o default.profdata; \
  >   llvm-cov show ./build/host/u2f_fuzz/u2f_fuzz.exe \
  >   -object ./build/host/u2f_fuzz/RO/board/cr50/dcrypto/u2f.o \
  >   --instr-profile default.profdata \
  >   board/cr50/dcrypto/u2f.c common/u2f.c > report
  >
  > Cq-Depend: chromium:3162473
  > Change-Id: I02b820cf03f7b46ccad7c3bc7b82e73ff45217c6
  > Signed-off-by: Howard Yang <hcyang@google.com>
  > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162469
  > Reviewed-by: Andrey Pronin <apronin@chromium.org>
  > Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  > Reviewed-by: Leo Lai <cylai@google.com>

  Bug: b:172367435
  Change-Id: Ie844e44e0cd6254553694c23a535f18329cef77d
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3212497
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
* cr50_fuzz: Add fuzzer for u2f commands [stabilize-ambassador-14268.43.B-cr50_stab] [stabilize-14268.67.B-cr50_stab] [stabilize-14268.52.B-cr50_stab] [stabilize-14268.51.B-cr50_stab] [release-R96-14268.B-cr50_stab] | Howard Yang | 2021-10-07 | 12 | -19/+276

  Currently there's only one fuzzer for Pinweaver and one for host commands in cr50. Add a fuzzer for the u2f commands (generate, sign, attest) used in the WebAuthn flow to ensure its security. Most regions of the concerning functions are covered except for pure error code returns and unreachable regions (currently auth secret is not used in sign and attest command yet).

  Rename old cr50_fuzz namings to pinweaver_fuzz, since they only cover Pinweaver commands.

  BUG=b:172367435
  TEST=make buildall -j
  TEST=make host-u2f_fuzz && \
    ./build/host/u2f_fuzz/u2f_fuzz.exe -timeout=10 \
    -ignore_ooms=false -ignore_timeouts=false -fork=71; \
    llvm-profdata merge -sparse default.profraw -o default.profdata; \
    llvm-cov show ./build/host/u2f_fuzz/u2f_fuzz.exe \
    -object ./build/host/u2f_fuzz/RO/board/cr50/dcrypto/u2f.o \
    --instr-profile default.profdata \
    board/cr50/dcrypto/u2f.c common/u2f.c > report

  Cq-Depend: chromium:3162473
  Change-Id: I02b820cf03f7b46ccad7c3bc7b82e73ff45217c6
  Signed-off-by: Howard Yang <hcyang@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162469
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Leo Lai <cylai@google.com>
* cr50: improve toolchain | Howard Yang | 2021-10-07 | 4 | -31/+41

  Adjust Makefile toolchain setting so that fuzzers can generate coverage mapping correctly and generate debug symbols for source-based coverage report. Also, update gitignore to ignore local vscode settings.

  BUG=none
  TEST=make buildall -j

  Change-Id: I6d5c720895cbb9119c9266df998aa5cc308c1e61
  Signed-off-by: Howard Yang <hcyang@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162473
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* cr50: switch CR50_DEV in FIPS module to branches of CRYPTO_TEST | Vadim Sukhomlinov | 2021-10-07 | 4 | -29/+40

  Due to limited space available with CR50_DEV=1, move some of crypto related functionality which was under CR50_DEV to branches of CRYPTO_TEST=1, namely:
  - SELF_TEST=1 to print self-integrity hashes
  - U2F_VERBOSE=1 to print debug information from U2F key generation.

  Config options sorted alphabetically in ENV_VARS and in processing order.

  BUG=None
  TEST=make BOARD=cr50 CR50_DEV=1
       make BOARD=cr50 CRYPTO_TEST=1 SELF_TEST=1
       make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1 U2F_VERBOSE=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I66485b2d1fff8c0947aaf31c93348a16101f14b7
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3209647
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch TRNG register access to use struct instead of GREAD | Vadim Sukhomlinov | 2021-10-07 | 2 | -25/+65

  This allows a bit more efficient code generation.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ia92116a9aa4ac7d9f77d207205e712c03722dd95
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210238
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: move bn dcrypto microcode into dcrypto_bn.inc | Vadim Sukhomlinov | 2021-10-07 | 2 | -1102/+1102

  To simplify code analysis, move dcrypto's blob into dcrypto_bn.inc similar to p256 code in dcrypto_p256.inc.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I2ae3a0793bd829c15844d55061952a69a412e2e9
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210226
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: move sha512 dcrypto microcode into dcrypto_sha512.inc | Vadim Sukhomlinov | 2021-10-07 | 2 | -432/+435

  To simplify code analysis, move dcrypto's blob into dcrypto_sha512.inc similar to p256 code in dcrypto_p256.inc. In the process fix minor compiler warning on signed/unsigned compare.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4aac81a3b6fa0c055b83f91575f2d37755845e63
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210229
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add support for v2 of U2F key handle for WebAuthn [stabilize-14267.B-cr50_stab] | Vadim Sukhomlinov | 2021-10-06 | 5 | -142/+381

  Adding v2 of key handle which drops kh_hmac field and uses single authorization code for all relevant fields.

  BUG=b:172971998
  TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1;
       in ccd: u2f_test - unit tests
       test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I647ded7a2c157cea91ac48a2ba679def318c1e63
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3199671
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch RSA/big numbers to dynamic buffer allocation for RSA 4K | Vadim Sukhomlinov | 2021-10-06 | 1 | -13/+17

  Several bn_* functions still use static buffer allocation. Switch to dynamic allocation to enable support for RSA 3K/4K.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
       ../../build/tpm_test/bn_test
       TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I150fa99bde89cc486f7ad945b5a312fe7d787fb0
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3207349
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update AES-CMAC implementation | Vadim Sukhomlinov | 2021-10-06 | 3 | -118/+135

  Cr50 doesn't use CMAC, it is not even compiled, however during internal review potential issues with branching on key values were spotted.
  1) Fix key expansion to be constant time
  2) Switch to enum dcrypto_result
  3) Test commands updated to be compatible with FIPS build (use .rodata)
  4) Clean up computed tag on stack during verification

  BUG=None
  TEST=make BOARD=cr50 CRYPTO_TEST=1 CMAC_TEST=1
       in ccd:
       test_cmac 1 2 3 4
       test_cmac_ver 1 2 3 4

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Iff9b84dd8fb2baed9152f1ee5c40ef8e4198edd3
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194972
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update RSA public API to block access on FIPS errors | Vadim Sukhomlinov | 2021-10-06 | 10 | -188/+233

  1. Switched RSA public and internal functions to use enum dcrypto_result
  2. Added checks for FIPS errors.
  3. Updated call sites to properly handle result values.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
       TCG tests:
       ---------------------- Test Result Summary -----------------------------
       Test executed on: Mon Oct 5 18:26:07 2021
       Performed Tests: 248
       Passed Tests: 248
       Failed Tests: 0
       Errors: 0
       Warnings: 0
       ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I23d391322e55b541d72388b2a4661991a61dd020
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3207348
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: RSA enhancements | Vadim Sukhomlinov | 2021-10-05 | 1 | -59/+68

  1. Implemented dynamic stack allocation of big number buffers to support up to RSA 4K for all public APIs.
  2. Internal function switched to use enum dcrypto_result
  3. Added check that provided exponent is at least odd number (should be prime / co-prime with N).
  4. Saving a bit by reusing zero constant.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
       TCG tests
       ---------------------- Test Result Summary -----------------------------
       Test executed on: Mon Oct 4 22:46:07 2021
       Performed Tests: 248
       Passed Tests: 248
       Failed Tests: 0
       Errors: 0
       Warnings: 0
       ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Id23ebfdc04132de1f26ee0888b00cacdee2eaf43
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3204566
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: Update AES public APIs [factory-ambassador-14265.B-cr50_stab] | Vadim Sukhomlinov | 2021-10-05 | 9 | -63/+118

  To support FIPS mode we need to block access to crypto in case of errors.
  1) Added check for FIPS errors into DCRYPTO_aes_init()
  2) Return codes updated to enum dcrypto_result
  3) Call sites updated to check for return codes

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Id614cc346fe22537e9208196bf1322221a253b0c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194985
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix build with older gcc8.3 until gcc 11.2 lands properly | Vadim Sukhomlinov | 2021-10-05 | 1 | -1/+2

  New options for gcc 11.2 don't work on gcc 8.3 since gcc 11.2 update was reverted.

  BUG=None
  TEST=make buildall

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Idf965bab903f2700dd01eb028e2a1aa6dc53e101
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3206474
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update ap_ro to new HASH API | Vadim Sukhomlinov | 2021-10-05 | 1 | -35/+22

  https://crrev.com/c/3192137 changed hash & hmac APIs to return error codes on failures (primarily FIPS errors), and added convenience api to set hash mode.

  https://crrev.com/c/3172256 was using internal hash API which became replaced with a new API with error checking, and should be updated to use a new API.

  BUG=none
  TEST=make buildall -j; make BOARD=cr50

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I33f31a8913d9a36dac451dac4312a482f761e3f7
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200807
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: adjust FIPS module dependency to rebuild on configuration changes | Vadim Sukhomlinov | 2021-10-02 | 1 | -2/+4

  FIPS module wasn't rebuilt properly when configuration options were changed. Added proper dependencies to ensure it is rebuilt when needed.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I543eeeb00d7a72c6b8a936948e62830753954f12
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200516
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: provide public crypto API for HMAC/HASH with error reporting. | Vadim Sukhomlinov | 2021-10-02 | 25 | -907/+1259

  To implement FIPS mode for Cr50 we should be able to block access to crypto functions if errors are detected. Historically all HASH/HMAC functions were declared as void with no return type.
  1) Split existing functions into public part (data structs, update and final parts) and internal part - unchecked init functions.
  2) Introduced new functions to start SHA / HMAC operation which return status code and block access to crypto in case of FIPS errors.
  3) Dcrypto hash algorithms codes updated to match TPM_ALG_ID to simplify adaptation layer and move checks inside Dcrypto module.
  4) Updated all uses of API outside FIPS module to check return code and act accordingly.
  5) As a side effect RSA can now support SHA384 & SHA512 for signing, board/host mock ups simplified.

  BUG=b:197893750
  TEST=make buildall -j; make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
       TCG tests
       ------------------------------ Test Result Summary ---------------------
       Test executed on: Tue Sep 28 15:23:35 2021
       Performed Tests: 248
       Passed Tests: 248
       Failed Tests: 0
       Errors: 0
       Warnings: 0
       ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ibbc38703496f417cba693c37d39a82a662c3f7ee
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3192137
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: improve RSA core function to support up to RSA 4K | Vadim Sukhomlinov | 2021-10-02 | 1 | -23/+47

  While all Dcrypto code for RSA supports 4K, few software functions were allocating static buffers on stack and thus limiting what RSA sizes can be supported. Updating bn_modinv_vartime() and bn_probable_prime() to allocate stack space dynamically. This simplifies enabling RSA 3K / 4K support.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I7c410d349e8755d491151152168701ecdd54c04c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3193510
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* ap_ro_verification: add implementation of the new scheme | Vadim Bendebury | 2021-10-02 | 3 | -38/+1215

  The new AP RO verification approach, version 2, places the AP RO verification structures in the AP RO itself, as described below.

  A new section is included in AP RO FMAP, called RO_GSCVD, which contains all information necessary to verify the AP RO: gsc_verification_data (GVD) structure, GVD signature, the platform key to verify the signature and the root key to verify the platform key.

  GVD contains an array of AP RO ranges to be verified and the hash of the contents of those ranges.

  The signature of the GVD is followed by the public platform key, which allows to verify the GVD signature. The platform key in turn is signed by the root key, and the public root key is also present in RO_GSCVD, this allows to validate the platform key.

  The hash of the public root key is hardcoded in the GSC firmware, this gives the GSC the ability to verify the chain of objects in the RO_GSCVD FMAP area starting with the root key.

  This implementation supports both old and new AP RO verification schemes as follows.

  The structure describing data saved in the dedicated GSC flash page has been enhanced to support both old and new AP RO verification schemes. To maintain backwards compatibility the 16 bit header field version is converted into two byte fields, version and type. The new version is 1 and the new verification scheme type is 1, the old verification scheme type value is set to zero.

  If a V1 structure is found in the H1 hash page, but verification fails, a V2 verification is attempted just in case the RO was reprogrammed and now includes RO_GSCVD area in FMAP.

  The hash of the root key is saved in the text section named .rodata.root_key_hash. As presented, tests/devkeys/kernel_subkey.vbpubk from the vboot_reference tree is used as the root key. The label of the section where the hash is stored will allow the signer to replace the test key hash with the prod root key hash.

  Verification process is moved to the TPM task context to satisfy the increased stack requirements of V2 calculations. This provides an additional benefit: verification can be triggered by the AP issuing the vendor command. A CCD capability will be added in a follow up CL to restrict conditions when the AP can invoke verification.

  BUG=b:199904580
  TEST=prepared an AP RO image containing RO_GSCVD and verified that the AP RO can be verified, and that the local cache of the GVD is successfully stored and allows to speed up verification.

  Experiments have shown that verifying the entire chain starting with the root key takes 670 ms. Verifying of approximately 70KB of AP RO takes 200 ms.

  Verified that V1 AP RO verification is still working as expected, and that V2 can take over in case the AP RO was updated with an RO_GSCVD image, and the V1 check does not pass any more.

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: I1397376cd0394888da2cda16c0126a313f07d426
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172256
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: detangle RO and RW build settings | Vadim Sukhomlinov | 2021-10-01 | 3 | -15/+16

  Cr50 so far builds RO and RW images as part of build process. With adding FIPS module and moving to board-specific crypto library with different interfaces it became hard to maintain build process as RO sources use crypto, but with different APIs, and changing that crypto is challenging as it is also used by other boards with different crypto APIs.

  In this CL we enable RW and RO to have independent selection of crypto library and include paths, and don't contaminate include paths with unused things like third_party/cryptoc for RW.

  BUG=none
  TEST=make buildall -j
       make BOARD=cr50
       make BOARD=cr50 CRYPTO_TEST=1
       Built cr50 images can be flashed and are workable.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1b666fbb8193b79f71c885a761436443fd3fca7b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200069
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* chip/g: fix gcc 11.2 build issues | Vadim Sukhomlinov | 2021-10-01 | 4 | -2/+10

  For some reason didn't spot earlier another unnecessary complaint of gcc 11.2 in private-cr5x builds with make buildall -j.

  Made it so BOARD can override settings done by CHIP even though CHIP is loaded later. These settings should apply to both CFLAGS and LDFLAGS due to LTO build.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I8880c518b23778cccf969909e330e9e2d62b5fae
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194984
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: make CONFIG_FW_INCLUDE_RO work properly | Vadim Sukhomlinov | 2021-09-30 | 3 | -2/+11

  CONFIG_FW_INCLUDE_RO option controls whether RO is built. This option didn't work properly and RO was always built. Fix this behavior. However, when RO is not built RW image should include some 16KB stub. This is not added yet, so for Cr50 we still set CONFIG_FW_INCLUDE_RO.

  Also, corrected behavior of CONFIG_CUSTOMIZED_RO which earlier was not properly taken into account and behavior depended on custom-ro_objs variable state which always added some common files so actual result was that CONFIG_CUSTOMIZED_RO is effectively on for chip/g.

  BUG=none
  TEST=make buildall -j; make BOARD=cr50 & flash

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I31599170050b360fad5c61dd1f81844bb315e1d6
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3195319
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: refactor HMAC_DRBG to simplify reseeding and initialization logic [stabilize-14249.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-28 | 8 | -199/+208

  1) Move DRBG initialization flag inside DRBG context to prevent use of DRBG which is not properly initialized.
  2) Add configurable reseed threshold to cover both deterministic key gen and non-deterministic randoms. Simplify reseeding logic, remove similar code snippets. Also, can support NDRBG with reseed threshold equal to 0, which will result in reseeding each time.
  3) Adjust parameter names to match NIST SP 800-90A specification.
  4) Enforce checking result of hmac_drbg_generate(), update call sites to check for errors.
  5) Reseeding in generate function consumes additional data as per NIST SP 800-90Ar1 9.3.1

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1 DRBG_TEST=1; test/tpm_test/tpm_test.py
       in ccd: hmac_drbg rand_perf

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0e780b5c237d7fbc64e8b0e74d12559a1f40f84c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183397
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: enhance ECDSA sign to retry if zero r or s produced. | Vadim Sukhomlinov | 2021-09-28 | 1 | -6/+24

  ECDSA signing can very rarely result in zero s or r value due to combination of message, nonce and a private key. Detect such cases and retry with another nonce.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test; in ccd: dcrypto_ecdsa, u2f_test

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1378259a0dc0e2e62cf071b779c1115c4257dc73
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3188564
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add support for upcoming update to gcc 11.2 in coreboot-sdk | Vadim Sukhomlinov | 2021-09-24 | 1 | -1/+1

  Coreboot-sdk is going to be updated to gcc 11.2 soon. Preliminary tests show that cr50 can successfully be compiled with it, however default warnings seem to produce too many false positive errors. Disable string-overflow to make code compile. I tried to fix it, but found nothing to fix.

  Example in dcrypto_bn.c:1323 it complains:
  if (!rand64(ctx->rnd)

  board/cr50/dcrypto/dcrypto_bn.c: In function 'dcrypto_modexp_blinded':
  board/cr50/dcrypto/dcrypto_bn.c:1323:14: warning: 'rand64' accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
   1323 | if (!rand64(ctx->rnd))
        | ^
  board/cr50/dcrypto/dcrypto_bn.c:1323:14: note: referencing argument 1 of type 'uint32_t *'
  board/cr50/dcrypto/dcrypto_bn.c:1160:13: note: in a call to function 'rand64'
   1160 | static bool rand64(uint32_t dst[2])
        | ^
  board/cr50/tpm2/ecc.c: In function '_cpri__EccPointMultiply':
  board/cr50/tpm2/ecc.c:81:25: warning: 'p256_to_bin' accessing 32 bytes in a region of size 1 [-Wstringop-overflow=]
   81 | p256_to_bin(&out_x, out->x.b.buffer);
      | ^
  board/cr50/tpm2/ecc.c:81:25: note: referencing argument 2 of type 'uint8_t *'
  board/cr50/dcrypto/p256.c:119:6: note: in a call to function 'p256_to_bin'
   119 | void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES])

  Common pattern is when function prototype defines pointer as an array of specified type. Interestingly, in case of ctx->rnd, rnd is uint32_t rnd[2], so the complaint is unnecessary. In case of ecc it's hard to explain that there is enough space.

  BUG=None
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I6bc071e4b536095535b9766d14600f5cb491f118
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183334
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: remove unnecessary dependency on trng.h | Vadim Sukhomlinov | 2021-09-24 | 6 | -6/+0

  cr50 dcrypto uses different API to access TRNG - read_rand() which provides indication whether reading was successful. Common trng.h is not needed, so remove it.

  BUG=None
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: If8525cd51db157fbfa47adbfe11146a617c947ce
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183468
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: minor fix for -Wsign-compare with RND_TEST=1 | Vadim Sukhomlinov | 2021-09-24 | 1 | -1/+1

  BUG=None
  TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0088006cc58f57d21fa2f0d7ecffd833328cb6ca
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183338
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch HMAC_DRBG to use enum dcrypto_result | Vadim Sukhomlinov | 2021-09-24 | 8 | -68/+57

  Make HMAC_DRBG return codes consistent with other functions.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
       in ccd: u2f_test, dcrypto_ecdsa, rma_auth

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I9c673a45a250bef32c096f8d8be3152756a64cb7
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180482
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update TRNG continuous test logic to handle intermittent errors | Vadim Sukhomlinov | 2021-09-24 | 2 | -49/+71

  TRNG health tests have defined false positive. NIST recommends values in the range of 2^(-20) to 20^(-40) - parameter alpha. We choose 2^(-40), and computed thresholds for 2^(-30) if needed.

  In case of false positive we will try to read several times and update statistics to see if error is intermittent, skip those values until we either get recovered statistics or will be out of attempts. When out of attempts we declare a persistent error and report it.

  With this implementation we reduce probability of false positive to 2^(-160).

  This is in compliance with NIST SP 800-90B, 4.3 point 2:

  When the health tests fail, the entropy source shall notify the consuming application (e.g., the RBG) of the error condition. The developer may have defined different types of failures (e.g., intermittent and persistent), and the application is allowed to react differently to different types of failures (e.g., by inhibiting output for a short time). The developer is allowed to define different cutoff values to detect intermittent and persistent failures. If so, these values (with corresponding false alarm probabilities) shall be specified in the submission documentation. If the entropy source detects intermittent failures and allows the noise source to return to normal functioning, the designer shall provide evidence that:
  a) The intermittent failures handled in this way are indeed extremely likely to be intermittent failures; and
  b) the tests will detect a permanent failure when one occurs, and will ultimately signal an error condition to the consuming application and cease operation.
  In the case where a persistent failure is detected, the entropy source shall not produce any outputs.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1;
       In ccd: rand_perf rand perf (repeat several times, each time 8000 readings from TRNG) fips trng rand perf (should report errors)

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I9db545c1a1e82e7e091724fab6fe46edebeb0650
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3182622
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
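The intermittent/persistent policy described in the commit message above, sketched as an added example that is not the Cr50 code: a repetition count test that skips samples while statistics recover and latches a persistent error once it runs out of attempts. The 1-bit sample model, the cutoff of 41, the four attempts, and all names (`trng_read_bit`, `demo`, the sample pattern) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumptions of this sketch (not from the Cr50 sources): 1-bit samples
 * with 1 bit of entropy each, so the SP 800-90B repetition count cutoff
 * for alpha = 2^-40 is 1 + 40 = 41; 4 failed windows in a row count as a
 * persistent failure ((2^-40)^4 = 2^-160 for a healthy source). */
#define RCT_CUTOFF 41
#define MAX_ATTEMPTS 4

enum trng_status { TRNG_OK, TRNG_INTERMITTENT, TRNG_PERSISTENT };

struct trng {
	const uint8_t *bits; /* constructed noise-source samples */
	size_t len, pos;
	uint8_t last;    /* value of the current run */
	uint32_t run;    /* length of the current run, 0 = fresh window */
	uint32_t fails;  /* failed windows since statistics last recovered */
	bool persistent; /* latched: no output is produced any more */
};

/* Return one health-checked bit in *out, or report a persistent failure. */
enum trng_status trng_read_bit(struct trng *t, uint8_t *out)
{
	bool glitch = false;
	if (t->persistent)
		return TRNG_PERSISTENT;
	for (;;) {
		uint8_t s = t->bits[t->pos++ % t->len];
		if (t->run > 0 && s == t->last) {
			if (++t->run >= RCT_CUTOFF) {
				glitch = true;
				t->run = 0; /* restart the statistics */
				if (++t->fails >= MAX_ATTEMPTS) {
					t->persistent = true;
					return TRNG_PERSISTENT;
				}
			}
		} else {
			if (t->run > 0)
				t->fails = 0; /* run ended: recovered */
			t->last = s;
			t->run = 1;
		}
		if (t->fails == 0) {
			*out = s;
			return glitch ? TRNG_INTERMITTENT : TRNG_OK;
		}
		/* Still recovering: the sample is skipped, not delivered. */
	}
}

size_t demo_delivered; /* bits handed out by the last demo() call */

/* Constructed input: 20 alternating bits, then `stuck` zero bits, then
 * alternating bits again. Returns the worst status seen in `reads` reads. */
enum trng_status demo(size_t stuck, size_t reads)
{
	static uint8_t bits[512];
	struct trng t = { .bits = bits, .len = sizeof(bits) };
	enum trng_status worst = TRNG_OK;
	uint8_t bit;
	for (size_t i = 0; i < sizeof(bits); i++)
		bits[i] = i < 20 ? (i & 1) :
			  i - 20 < stuck ? 0 : ((i - 20 - stuck) & 1) ^ 1;
	demo_delivered = 0;
	for (size_t i = 0; i < reads; i++) {
		enum trng_status st = trng_read_bit(&t, &bit);
		worst = st > worst ? st : worst;
		demo_delivered += (st != TRNG_PERSISTENT);
	}
	return worst;
}

int main(void)
{
	return demo(41, 100) == TRNG_INTERMITTENT ? 0 : 1;
}
```

A run of 40 identical bits passes, 41 is reported as intermittent once the source moves again, and a source that stays stuck stops producing output for good.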
* cr50: Fix sign comparison warnings (-Wsign-compare) | Vadim Sukhomlinov | 2021-09-24 | 15 | -122/+143

  For crypto code we care about possible concerns during review, so add more strict warnings. Fix all uses int to uint32_t/size_t comparisons, make consistent use of size_t vs. uint32_t in crypto code.

  Update test/tpm_test/bn_test.c to compile for checking big number functions correctness.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
       TCG tests:
       ---------------------- Test Result Summary -----------------------------
       Test executed on: Thu Sep 23 17:45:19 2021
       Performed Tests: 248
       Passed Tests: 248
       Failed Tests: 0
       Errors: 0
       Warnings: 0
       ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I47e5de3d180d3aebb13b3feef4c1da87c9f6a174
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180279
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch ECDSA to use enum dcrypto_result, added FIPS checks | Vadim Sukhomlinov | 2021-09-24 | 15 | -187/+353

  We have to block access to crypto functions when FIPS errors occurred. To achieve this:
  1. Provide wrappers for ECDSA P-256 sign and verify functions
     a) DCRYPTO_p256_ecdsa_verify as wrapper for dcrypto_p256_ecdsa_verify
     b) DCRYPTO_p256_ecdsa_sign as wrapper for dcrypto_p256_fips_sign_internal with additional check for FIPS DRBG initialization which is needed for signing.
  2. Switch all ECDSA functions, both internal and external to use enum dcrypto_result instead of inconsistent 0/1 values.
  3. Added warning for unused result code for ECDSA functions.
  4. Updated documentation for public APIs
  5. In DCRYPTO_p256_key_from_bytes() implemented clear distinction between bad candidate and failures due to FIPS or pair-wise consistency.
  6. U2F, rma_auth, TPM ecc, etc updated to use new return codes.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; rma_auth, u2f_test, etc.
       test/tpm_test/tpmtest.py
       TCG tests
       ----------------------------- Test Result Summary ----------------------
       Test executed on: Thu Sep 23 09:56:42 2021
       Performed Tests: 248
       Passed Tests: 248
       Failed Tests: 0
       Errors: 0
       Warnings: 0
       ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0251bf511771c1c1fd281f6db706d1dedac3e8b8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179708
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: move FIPS DRBG initialization check into fips_drbg_init() | Vadim Sukhomlinov | 2021-09-23 | 1 | -8/+9

  To drop dependency on internal rand_state.drbg_initialized in functions located in other sources, slightly change fips_drbg_init() logic to avoid initialization if already initialized.

  Also update 0/1 to false/true as rand_state.drbg_initialized is bool.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ia541266c36793c65dffce27a60a20ae25e10f92c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179316
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update .clang-format to better deal with long identifiers | Vadim Sukhomlinov | 2021-09-23 | 1 | -1/+1

  Use of long return types like 'enum dcrypto_result' with long function names commonly results in return type being on line alone:

  Before:
  enum dcrypto_result
  DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d,
                              const uint8_t bytes[P256_NBYTES])

  After:
  enum dcrypto_result DCRYPTO_p256_key_from_bytes(
          p256_int *x, p256_int *y, p256_int *d,
          const uint8_t bytes[P256_NBYTES])

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I51f5b4cd8dd058796bd4ee5edd786a384460dedf
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179709
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: move several few static inline functions into dcrypto/internal.h [stabilize-14238.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-22 | 3 | -35/+43

  Several functions like lo32(), hi32(), clz() were defined in bn.c, but clz and ctz are used in fips_rand.c. Move these functions into internal.h to allow reuse.

  Both __builtin_ctz() and __builtin_clz() have undefined behavior for argument which is zero. Explicitly set result to 32 in such case. It was the case for __builtin_clz() in bn.c, but not for variants used in TRNG health tests.

  BUG=None
  TEST=make BOARD=cr50 CRYPTO_TEST=1; TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ifc6fa7f820080bdad0f14fc079163f4976369724
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3174592
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* tpm_vendor_cmds: add command for AP RO verification [stabilize-14235.B-cr50_stab] | Vadim Bendebury | 2021-09-22 | 2 | -0/+3

  The new command will be used for context switching to make the large stack of the TPM task available to the AP RO verification code.

  Note that we don't want the AP to be able to send this vendor command, some extension_route_command() enhancement might be necessary.

  BUG=b:199904580
  TEST=tested along with AP RO verification implementation.

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: I8599479752b4a7b1982b75cfea61ffad3950681d
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172255
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* usb_spi: add API for reading arbitrary AP flash locations | Vadim Bendebury | 2021-09-22 | 2 | -0/+31

  This API will provide support to the AP RO verification implementation. The size of data read in one transaction is limited by SPI_HASH_CHUNK size.

  BUG=b:199904580, b:200736744
  TEST=tested along with AP RO verification implementation.

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: Id4da2add2ce1202d979627dde40325b583004fc5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172254
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* cr50: detangle public and internal APIs of FIPS module | Vadim Sukhomlinov | 2021-09-18 | 18 | -204/+231

  To properly define FIPS module boundary all APIs provided by module to external applications (TPM2, pinweaver, etc) should be identifiable. Shuffle functions between dcrypto.h and internal.h to achieve this goal. Adjust included headers as needed.

  BUG=b:134594373
  TEST=make buildall; TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ie2679644d62e232a5d5d06f8ed6bf602853ebde2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169558
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: block access to U2F functions in case of FIPS errors | Vadim Sukhomlinov | 2021-09-17 | 3 | -0/+18

  All public functionality of FIPS module should be disabled in case of FIPS errors.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1;
       ccd: fips sha fips test u2f_test - should fail

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ice8a0ab6535fcb0bd426ebbe969db1859cbd3ae8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169097
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: remove unused and empty struct APPKEY_CTX from APIs | Vadim Sukhomlinov | 2021-09-17 | 8 | -32/+18

  struct APPKEY_CTX is an empty struct passed with few APIs and not used for any purpose. Remove it.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1;

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4bcb8f196b70cefc58a81e8592d83aa70464fcf8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169374
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: implement AES using aligned memory access | Vadim Sukhomlinov | 2021-09-17 | 1 | -18/+47

  Folks working on other Haven firmware shared issue that our code for unaligned access is sensitive to compiler version and with updated gcc results in broken code. Replacing access_helper with aligned access and memcpy into aligned buffer if unaligned data is provided results in smaller and faster code.

  Unaligned access unfortunately results in quite lengthy code. Specifically for AES I got back 312 bytes.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test + TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ie03b7ce3a24c4fea0506c204fce82bca719f1b79
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3167003
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add TRNG testing mode with TRNG restart [stabilize-rust-14225.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-17 | 3 | -3/+21

  NIST statistical tests for TRNG entropy requires to compare entropy in regular mode (continuous readings) with entropy after TRNG restarts.

  Added support for TRNG restart before reading entropy and updated script to drive tests.

  BUG=b:138577834
  TEST=test/nist_entropy.sh

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Idc46191be05e8275730726f6debb8007ca361bc6
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165883
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: William Wesson <wesson@google.com>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch to using DRBG for key generation purposes. | Vadim Sukhomlinov | 2021-09-17 | 19 | -164/+257

  An "Approved" RNG listed in FIPS 140-2 Annex C must be used for the generation of random data or cryptographic keys used by an approved security function. Detailed information and guidance on Key Generation can be found in NIST SP 800-133 and FIPS 140-2 IG 7.8 and D.12.

  Many of the functions use raw entropy from TRNG without any health tests or even checking returned status, as old API didn't provide any indication of failure.

  With this patch we remove old API: rand() and rand_bytes() and expose new API:
  fips_rand_bytes() - generation of random bits from properly instantiated and reseeded as needed DRBG.
  fips_trng_bytes() - generation of entropy from TRNG with statistical testing and checking for TRNG failures.
  fips_trng_rand32() - generation of 32 bits from TRNG with health check and indication of status.

  ccd, rsa, ecc, pinweaver, rma_auth are updated to use new APIs. These functions are moved into dcrypto.h which will become "Public API" for the module.

  trng_test vendor command moved to dcrypto/trng.c where it belongs.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest.py
       TCG tests.
       -------------------------- Test Result Summary -------------------------
       Test executed on: Thu Sep 16 10:16:59 2021
       Performed Tests: 248
       Passed Tests: 248
       Failed Tests: 0
       Errors: 0
       Warnings: 0
       ======================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I80d103ead1962ee388df5cabfabe0498d8d06d38
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165870
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>