| Commit message | Author | Age | Files | Lines |
Currently there's only one fuzzer for Pinweaver and one for host
commands in cr50. Add a fuzzer for the u2f commands (generate, sign,
attest) used in the WebAuthn flow to ensure its security. Most regions
of the concerning functions are covered except for pure error code
returns and unreachable regions (currently the auth secret is not used in
the sign and attest commands yet).
Rename old cr50_fuzz names to pinweaver_fuzz, since they only cover
Pinweaver commands.
BUG=b:172367435
TEST=make buildall -j
TEST=make host-u2f_fuzz && \
./build/host/u2f_fuzz/u2f_fuzz.exe -timeout=10 \
-ignore_ooms=false -ignore_timeouts=false -fork=71; \
llvm-profdata merge -sparse default.profraw -o default.profdata; \
llvm-cov show ./build/host/u2f_fuzz/u2f_fuzz.exe \
-object ./build/host/u2f_fuzz/RO/board/cr50/dcrypto/u2f.o \
--instr-profile default.profdata \
board/cr50/dcrypto/u2f.c common/u2f.c > report
Cq-Depend: chromium:3162473
Change-Id: I02b820cf03f7b46ccad7c3bc7b82e73ff45217c6
Signed-off-by: Howard Yang <hcyang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162469
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Leo Lai <cylai@google.com>
Adjust Makefile toolchain setting so that fuzzers can generate coverage
mapping correctly and generate debug symbols for source-based coverage
report. Also, update gitignore to ignore local vscode settings.
BUG=none
TEST=make buildall -j
Change-Id: I6d5c720895cbb9119c9266df998aa5cc308c1e61
Signed-off-by: Howard Yang <hcyang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162473
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Due to limited space available with CR50_DEV=1, move some of the crypto-
related functionality which was under CR50_DEV to branches of
CRYPTO_TEST=1, namely:
- SELF_TEST=1 to print self-integrity hashes
- U2F_VERBOSE=1 to print debug information from U2F key generation.
Config options are sorted alphabetically in ENV_VARS and in processing
order.
BUG=None
TEST=make BOARD=cr50 CR50_DEV=1
make BOARD=cr50 CRYPTO_TEST=1 SELF_TEST=1
make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1 U2F_VERBOSE=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I66485b2d1fff8c0947aaf31c93348a16101f14b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3209647
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
This allows a bit more efficient code generation.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ia92116a9aa4ac7d9f77d207205e712c03722dd95
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210238
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
To simplify code analysis, move dcrypto's blob into dcrypto_bn.inc
similar to p256 code in dcrypto_p256.inc.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I2ae3a0793bd829c15844d55061952a69a412e2e9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210226
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
To simplify code analysis, move dcrypto's blob into dcrypto_sha512.inc
similar to the p256 code in dcrypto_p256.inc.
In the process, fix a minor compiler warning on signed/unsigned compare.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4aac81a3b6fa0c055b83f91575f2d37755845e63
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210229
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Add v2 of the key handle, which drops the kh_hmac field and uses a single
authorization code for all relevant fields.
BUG=b:172971998
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1;
in ccd: u2f_test - unit tests
test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I647ded7a2c157cea91ac48a2ba679def318c1e63
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3199671
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Several bn_* functions still use static buffer allocation. Switch to
dynamic allocation to enable support for RSA 3K/4K.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
../../build/tpm_test/bn_test
TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I150fa99bde89cc486f7ad945b5a312fe7d787fb0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3207349
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Cr50 doesn't use CMAC (it is not even compiled); however, during internal
review potential issues with branching on key values were spotted.
1) Fix key expansion to be constant time
2) Switch to enum dcrypto_result
3) Test commands updated to be compatible with FIPS build (use .rodata)
4) Clean up computed tag on stack during verification
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1 CMAC_TEST=1
in ccd: test_cmac 1 2 3 4
test_cmac_ver 1 2 3 4
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Iff9b84dd8fb2baed9152f1ee5c40ef8e4198edd3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194972
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
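An added example (not the cr50 CMAC code from this CL) of points 1) and 4) above in portable C: the CMAC subkey derivation of RFC 4493 (K1 and K2 from L = AES_K(0)) written first with the branch on a bit of key-derived data and then in a constant-time form that computes a mask and XORs unconditionally, followed by a tag check that compares without an early exit and wipes the computed tag before returning. The function names and the AES-free harness are assumptions of mine; the L, K1 and K2 values are the published RFC 4493 test vectors for the key 2b7e1516 28aed2a6 abf71588 09cf4f3c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLK 16

/* Shift a 128-bit block left by one bit (big-endian byte order). */
static void shl1(const uint8_t in[BLK], uint8_t out[BLK])
{
	uint8_t carry = 0;
	for (int i = BLK - 1; i >= 0; i--) {
		uint8_t next = in[i] >> 7;
		out[i] = (uint8_t)((in[i] << 1) | carry);
		carry = next;
	}
}

/* Branchy subkey step (the pattern flagged in review): whether the
 * reduction constant is applied depends on the top bit of L = AES_K(0),
 * so control flow depends on key material. */
static void cmac_subkey_branchy(const uint8_t in[BLK], uint8_t out[BLK])
{
	shl1(in, out);
	if (in[0] & 0x80)
		out[BLK - 1] ^= 0x87;
}

/* Constant-time step: build an all-ones/all-zeros mask from the top bit
 * and XOR unconditionally. Same result, no key-dependent branch. */
static void cmac_subkey_ct(const uint8_t in[BLK], uint8_t out[BLK])
{
	uint8_t mask = (uint8_t)(0u - (in[0] >> 7)); /* 0x00 or 0xff */
	shl1(in, out);
	out[BLK - 1] ^= (uint8_t)(0x87 & mask);
}

/* Tag check: OR all byte differences (no early exit on first mismatch),
 * then wipe the computed tag so it does not linger on the stack. The
 * volatile writes keep the compiler from dropping the wipe as dead stores. */
static bool cmac_tag_check(uint8_t computed[BLK], const uint8_t expected[BLK])
{
	volatile uint8_t *wipe = computed;
	uint8_t diff = 0;
	for (size_t i = 0; i < BLK; i++)
		diff |= computed[i] ^ expected[i];
	for (size_t i = 0; i < BLK; i++)
		wipe[i] = 0;
	return diff == 0;
}

/* RFC 4493 test vectors for AES-128 key 2b7e1516...: L = AES_K(0), K1, K2. */
static const uint8_t RFC_L[BLK] = { 0x7d, 0xf7, 0x6b, 0x0c, 0x1a, 0xb8, 0x99, 0xb3,
				    0x3e, 0x42, 0xf0, 0x47, 0xb9, 0x1b, 0x54, 0x6f };
static const uint8_t RFC_K1[BLK] = { 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
				     0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde };
static const uint8_t RFC_K2[BLK] = { 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
				     0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b };

/* Both derivations must reproduce K1 (top bit of L clear, no reduction)
 * and K2 (top bit of K1 set, so the 0x87 reduction applies). */
bool cmac_subkeys_match_rfc4493(void)
{
	uint8_t k1a[BLK], k2a[BLK], k1b[BLK], k2b[BLK];
	cmac_subkey_branchy(RFC_L, k1a);
	cmac_subkey_branchy(k1a, k2a);
	cmac_subkey_ct(RFC_L, k1b);
	cmac_subkey_ct(k1b, k2b);
	return !memcmp(k1a, RFC_K1, BLK) && !memcmp(k2a, RFC_K2, BLK) &&
	       !memcmp(k1b, RFC_K1, BLK) && !memcmp(k2b, RFC_K2, BLK);
}

/* Constructed check: equal tags verify, a one-bit difference does not,
 * and the computed copy is all zeros afterwards in both cases. */
bool cmac_tag_check_demo(void)
{
	static const uint8_t zeros[BLK];
	uint8_t tag[BLK];
	bool ok;
	memcpy(tag, RFC_K1, BLK);
	ok = cmac_tag_check(tag, RFC_K1) && !memcmp(tag, zeros, BLK);
	memcpy(tag, RFC_K1, BLK);
	tag[5] ^= 0x01;
	return ok && !cmac_tag_check(tag, RFC_K1) && !memcmp(tag, zeros, BLK);
}
```

The mask trick is the general replacement for any "if (bit of secret) apply constant" step; the compiler may still turn a mask into a branch at high optimization levels, so on the target this is worth confirming in the disassembly.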
1. Switched RSA public and internal functions to use enum dcrypto_result
2. Added checks for FIPS errors.
3. Updated call sites to properly handle result values.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
TCG tests:
---------------------- Test Result Summary -----------------------------
Test executed on: Mon Oct 5 18:26:07 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I23d391322e55b541d72388b2a4661991a61dd020
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3207348
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
1. Implemented dynamic stack allocation of big number buffers to support
up to RSA 4K for all public APIs.
2. Internal functions switched to use enum dcrypto_result
3. Added check that the provided exponent is at least an odd number (should be
prime / co-prime with N).
4. Saving a bit by reusing zero constant.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
TCG tests
---------------------- Test Result Summary -----------------------------
Test executed on: Mon Oct 4 22:46:07 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Id23ebfdc04132de1f26ee0888b00cacdee2eaf43
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3204566
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
To support FIPS mode we need to block access to crypto in case of
errors.
1) Added check for FIPS errors into DCRYPTO_aes_init()
2) Return codes updated to enum dcrypto_result
3) Call sites updated to check for return codes
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Id614cc346fe22537e9208196bf1322221a253b0c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194985
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
New options for gcc 11.2 don't work on gcc 8.3 since the gcc 11.2 update
was reverted.
BUG=None
TEST=make buildall
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Idf965bab903f2700dd01eb028e2a1aa6dc53e101
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3206474
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
https://crrev.com/c/3192137 changed hash & hmac APIs to return error
codes on failures (primarily FIPS errors), and added a convenience API
to set hash mode.
https://crrev.com/c/3172256 was using the internal hash API, which was
replaced with a new API with error checking, and should be updated
to use the new API.
BUG=none
TEST=make buildall -j; make BOARD=cr50
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I33f31a8913d9a36dac451dac4312a482f761e3f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200807
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
The FIPS module wasn't rebuilt properly when configuration options were
changed. Added proper dependencies to ensure it is rebuilt when needed.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I543eeeb00d7a72c6b8a936948e62830753954f12
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200516
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
To implement FIPS mode for Cr50 we should be able to block access to
crypto functions if errors are detected. Historically all HASH/HMAC
functions were declared as void with no return type.
1) Split existing functions into a public part (data structs, update and
final parts) and an internal part - unchecked init functions.
2) Introduced new functions to start SHA / HMAC operations which return a
status code and block access to crypto in case of FIPS errors.
3) Dcrypto hash algorithm codes updated to match TPM_ALG_ID to simplify
the adaptation layer and move checks inside the Dcrypto module.
4) Updated all uses of the API outside the FIPS module to check the return
code and act accordingly.
5) As a side effect RSA can now support SHA384 & SHA512 for signing;
board/host mock-ups simplified.
BUG=b:197893750
TEST=make buildall -j; make BOARD=cr50 CRYPTO_TEST=1;
test/tpm_test/tpm_test.py
TCG tests
------------------------------ Test Result Summary ---------------------
Test executed on: Tue Sep 28 15:23:35 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ibbc38703496f417cba693c37d39a82a662c3f7ee
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3192137
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
While all Dcrypto code for RSA supports 4K, a few software functions were
allocating static buffers on the stack and thus limiting what RSA sizes
can be supported.
Updating bn_modinv_vartime() and bn_probable_prime() to allocate stack
space dynamically. This simplifies enabling RSA 3K / 4K support.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I7c410d349e8755d491151152168701ecdd54c04c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3193510
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
The new AP RO verification approach, version 2, places the AP RO
verification structures in the AP RO itself, as described below.
A new section is included in the AP RO FMAP, called RO_GSCVD, which
contains all information necessary to verify the AP RO: the
gsc_verification_data (GVD) structure, the GVD signature, the platform key
to verify the signature and the root key to verify the platform key.
GVD contains an array of AP RO ranges to be verified and the hash of
the contents of those ranges.
The signature of the GVD is followed by the public platform key, which
allows verifying the GVD signature.
The platform key in turn is signed by the root key, and the public
root key is also present in RO_GSCVD; this allows validating the
platform key.
The hash of the public root key is hardcoded in the GSC firmware; this
gives the GSC the ability to verify the chain of objects in the
RO_GSCVD FMAP area starting with the root key.
This implementation supports both old and new AP RO verification
schemes as follows. The structure describing data saved in the
dedicated GSC flash page has been enhanced to support both old and new
AP RO verification schemes. To maintain backwards compatibility the 16
bit header field version is converted into two byte fields, version
and type. The new version is 1 and the new verification scheme type is
1; the old verification scheme type value is set to zero.
If a V1 structure is found in the H1 hash page, but verification
fails, a V2 verification is attempted just in case the RO was
reprogrammed and now includes the RO_GSCVD area in FMAP.
The hash of the root key is saved in the text section named
.rodata.root_key_hash.
As presented, tests/devkeys/kernel_subkey.vbpubk from the
vboot_reference tree is used as the root key. The label of the section
where the hash is stored will allow the signer to replace the test key
hash with the prod root key hash.
The verification process is moved to the TPM task context to satisfy the
increased stack requirements of V2 calculations. This provides an
additional benefit: verification can be triggered by the AP issuing
the vendor command.
A CCD capability will be added in a follow up CL to restrict the
conditions under which the AP can invoke verification.
BUG=b:199904580
TEST=prepared an AP RO image containing RO_GSCVD and verified that the
AP RO can be verified, and that the local cache of the GVD is
successfully stored and allows speeding up verification.
Experiments have shown that verifying the entire chain starting
with the root key takes 670 ms. Verifying approximately 70KB of
AP RO takes 200 ms.
Verified that V1 AP RO verification is still working as expected,
and that V2 can take over in case the AP RO was updated with an
RO_GSCVD image and the V1 check does not pass any more.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I1397376cd0394888da2cda16c0126a313f07d426
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172256
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Cr50 so far builds RO and RW images as part of the build process.
With the addition of the FIPS module and the move to a board-specific crypto
library with different interfaces it became hard to maintain the build
process, as RO sources use crypto but with different APIs, and changing
that crypto is challenging as it is also used by other boards with
different crypto APIs.
In this CL we enable RW and RO to have independent selection of crypto
library and include paths, and don't contaminate include paths with
unused things like third_party/cryptoc for RW.
BUG=none
TEST=make buildall -j
make BOARD=cr50
make BOARD=cr50 CRYPTO_TEST=1
Built cr50 images can be flashed and are workable.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1b666fbb8193b79f71c885a761436443fd3fca7b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200069
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
For some reason I didn't spot earlier another unnecessary complaint from
gcc 11.2 in private-cr5x builds with make buildall -j.
Made it so BOARD can override settings done by CHIP even though CHIP is
loaded later. These settings should apply to both CFLAGS and LDFLAGS
due to the LTO build.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I8880c518b23778cccf969909e330e9e2d62b5fae
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194984
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
The CONFIG_FW_INCLUDE_RO option controls whether RO is built. This option
didn't work properly and RO was always built. Fix this behavior.
However, when RO is not built the RW image should include some 16KB stub.
This is not added yet, so for Cr50 we still set CONFIG_FW_INCLUDE_RO.
Also, corrected the behavior of CONFIG_CUSTOMIZED_RO, which earlier was not
properly taken into account: behavior depended on the custom-ro_objs
variable state, which always added some common files, so the actual result
was that CONFIG_CUSTOMIZED_RO was effectively on for chip/g.
BUG=none
TEST=make buildall -j; make BOARD=cr50 & flash
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I31599170050b360fad5c61dd1f81844bb315e1d6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3195319
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
1) Move DRBG initialization flag inside DRBG context to prevent use of
a DRBG which is not properly initialized.
2) Add configurable reseed threshold to cover both deterministic key gen
and non-deterministic randoms. Simplify reseeding logic, remove
similar code snippets. Also, this can support NDRBG with a reseed
threshold equal to 0, which will result in reseeding each time.
3) Adjust parameter names to match NIST SP 800-90A specification.
4) Enforce checking the result of hmac_drbg_generate(), update call sites
to check for errors.
5) Reseeding in generate function consumes additional data as per
NIST SP 800-90Ar1 9.3.1
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1 DRBG_TEST=1;
test/tpm_test/tpm_test.py
in ccd:
hmac_drbg
rand_perf
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0e780b5c237d7fbc64e8b0e74d12559a1f40f84c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183397
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
ECDSA signing can very rarely result in a zero s or r value due to the
combination of message, nonce and private key. Detect such cases
and retry with another nonce.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test;
in ccd: dcrypto_ecdsa, u2f_test
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1378259a0dc0e2e62cf071b779c1115c4257dc73
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3188564
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
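An added example (not the cr50 dcrypto code from this CL) of the retry the message describes, in C over a deliberately tiny curve so that both degenerate outcomes can actually be hit and checked: y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) of prime order n = 19, a textbook curve. The curve, the private key d = 3, the hash value h = 10, the nonce candidate list and all function names are constructed for the demonstration; a real implementation draws each nonce from the DRBG, whereas here the candidates are passed in so the r == 0 and s == 0 paths can be driven deterministically. A signature whose r or s is zero must never be emitted: with s == 0 there is no s^-1 for the verifier, and r == 0 removes the private key from the equation entirely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy curve y^2 = x^3 + A*x + 2 over F_P, base point G of prime
 * order N. Tiny on purpose: r == 0 and s == 0 occur for some nonces. */
#define P 17
#define A 2
#define N 19

struct pt { int64_t x, y; bool inf; }; /* inf: point at infinity */

static const struct pt G = { 5, 1, false };

static int64_t md(int64_t v, int64_t m) { v %= m; return v < 0 ? v + m : v; }

/* Modular inverse via Fermat's little theorem (m prime). */
static int64_t inv(int64_t v, int64_t m)
{
	int64_t r = 1, b = md(v, m), e = m - 2;
	for (; e > 0; e >>= 1, b = b * b % m)
		if (e & 1) r = r * b % m;
	return r;
}

static struct pt add(struct pt p, struct pt q)
{
	struct pt o = { 0, 0, true };
	int64_t l;
	if (p.inf) return q;
	if (q.inf) return p;
	if (p.x == q.x && md(p.y + q.y, P) == 0)
		return o; /* p == -q */
	if (p.x == q.x)
		l = md((3 * p.x * p.x + A) * inv(2 * p.y, P), P); /* doubling */
	else
		l = md((q.y - p.y) * inv(q.x - p.x, P), P);
	o.inf = false;
	o.x = md(l * l - p.x - q.x, P);
	o.y = md(l * (p.x - o.x) - p.y, P);
	return o;
}

/* Double-and-add scalar multiplication (not constant time; toy only). */
static struct pt mul(int64_t k, struct pt g)
{
	struct pt acc = { 0, 0, true };
	for (; k > 0; k >>= 1, g = add(g, g))
		if (k & 1) acc = add(acc, g);
	return acc;
}

/* One signing attempt with nonce k. False when r or s comes out zero:
 * such a pair is not a signature and must not be emitted. */
static bool sign_attempt(int64_t h, int64_t d, int64_t k, int64_t *r, int64_t *s)
{
	struct pt R = mul(md(k, N), G);
	if (R.inf) return false;
	*r = md(R.x, N);
	if (*r == 0) return false;
	*s = md(inv(k, N) * md(h + d * *r, N), N);
	return *s != 0;
}

/* Sign h with private key d, drawing nonces from the candidate list (the
 * DRBG in real code). Returns the number of nonces consumed, -1 if none fit. */
int ecdsa_sign_retry(int64_t h, int64_t d, const int64_t *nonces, size_t count,
		     int64_t *r, int64_t *s)
{
	for (size_t i = 0; i < count; i++)
		if (sign_attempt(h, d, nonces[i], r, s))
			return (int)(i + 1);
	return -1;
}

bool ecdsa_verify(int64_t h, struct pt Q, int64_t r, int64_t s)
{
	int64_t w;
	struct pt X;
	if (r <= 0 || r >= N || s <= 0 || s >= N) return false;
	w = inv(s, N);
	X = add(mul(md(h * w, N), G), mul(md(r * w, N), Q));
	return !X.inf && md(X.x, N) == r;
}

struct demo_result { int attempts; int64_t r, s; bool verifies; };

/* Constructed scenario: d = 3, h = 10. Nonce 7 gives r == 0 (7G = (0, 6)),
 * nonce 4 gives s == 0 (h + d*r = 10 + 9 == 0 mod N), nonce 2 works. */
struct demo_result demo(void)
{
	static const int64_t nonces[] = { 7, 4, 2 };
	struct demo_result res = { 0, 0, 0, false };
	res.attempts = ecdsa_sign_retry(10, 3, nonces, 3, &res.r, &res.s);
	res.verifies = ecdsa_verify(10, mul(3, G), res.r, res.s);
	return res;
}
```

On P-256 the probability of either outcome is about 2^-256 per attempt, so the retry loop almost never iterates, but the check costs nothing and turns an unusable (or, with r == 0, key-independent) output into a retry rather than a returned signature.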
Coreboot-sdk is going to be updated to gcc 11.2 soon. Preliminary tests
show that cr50 can successfully be compiled with it, however the default
warnings seem to produce too many false positive errors.
Disable string-overflow to make the code compile. I tried to fix it, but
found nothing to fix.
For example, in dcrypto_bn.c:1323 it complains:
if (!rand64(ctx->rnd)
board/cr50/dcrypto/dcrypto_bn.c: In function 'dcrypto_modexp_blinded':
board/cr50/dcrypto/dcrypto_bn.c:1323:14: warning: 'rand64' accessing
8 bytes in a region of size 0 [-Wstringop-overflow=]
1323 | if (!rand64(ctx->rnd))
| ^
board/cr50/dcrypto/dcrypto_bn.c:1323:14: note:
referencing argument 1 of type 'uint32_t *'
board/cr50/dcrypto/dcrypto_bn.c:1160:13: note: in a call to
function 'rand64'
1160 | static bool rand64(uint32_t dst[2])
| ^
board/cr50/tpm2/ecc.c: In function '_cpri__EccPointMultiply':
board/cr50/tpm2/ecc.c:81:25: warning: 'p256_to_bin' accessing 32 bytes
in a region of size 1 [-Wstringop-overflow=]
81 | p256_to_bin(&out_x, out->x.b.buffer);
| ^
board/cr50/tpm2/ecc.c:81:25: note: referencing argument 2 of type 'uint8_t *'
board/cr50/dcrypto/p256.c:119:6: note: in a call to function 'p256_to_bin'
119 | void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES])
The common pattern is when a function prototype defines a pointer as an
array of a specified type. Interestingly, in the case of ctx->rnd, rnd is
uint32_t rnd[2], so the complaint is unnecessary. In the case of ecc it's
hard to explain that there is enough space.
BUG=None
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I6bc071e4b536095535b9766d14600f5cb491f118
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183334
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
cr50 dcrypto uses a different API to access the TRNG - read_rand(), which
provides an indication of whether reading was successful. Common trng.h
is not needed, so remove it.
BUG=None
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: If8525cd51db157fbfa47adbfe11146a617c947ce
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183468
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0088006cc58f57d21fa2f0d7ecffd833328cb6ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183338
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Make HMAC_DRBG return codes consistent with other functions.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
in ccd: u2f_test, dcrypto_ecdsa, rma_auth
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9c673a45a250bef32c096f8d8be3152756a64cb7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180482
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
TRNG health tests have a defined false positive rate. NIST recommends values
in the range of 2^(-20) to 2^(-40) - parameter alpha.
We choose 2^(-40), and computed thresholds for 2^(-30) if needed.
In case of a false positive we will try to read several times and update
statistics to see if the error is intermittent, skipping those values until
we either get recovered statistics or run out of attempts. When out
of attempts we declare a persistent error and report it. With this
implementation we reduce the probability of a false positive to 2^(-160).
This is in compliance with NIST SP 800-90B, 4.3 point 2:
When the health tests fail, the entropy source shall notify the
consuming application (e.g., the RBG) of the error condition.
The developer may have defined different types of failures (e.g.,
intermittent and persistent), and the application is allowed to react
differently to different types of failures (e.g., by inhibiting output
for a short time). The developer is allowed to define different cutoff
values to detect intermittent and persistent failures. If so, these
values (with corresponding false alarm probabilities) shall be
specified in the submission documentation. If the entropy source detects
intermittent failures and allows the noise source to return to normal
functioning, the designer shall provide evidence that:
a) The intermittent failures handled in this way are indeed extremely
likely to be intermittent failures; and
b) the tests will detect a permanent failure when one occurs, and will
ultimately signal an error condition to the consuming application and
cease operation. In the case where a persistent failure is detected,
the entropy source shall not produce any outputs.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1;
In ccd:
rand_perf
rand perf (repeat several times, each time 8000 readings from TRNG)
fips trng
rand perf (should report errors)
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9db545c1a1e82e7e091724fab6fe46edebeb0650
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3182622
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
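An added example (not the cr50 fips_rand code from this CL) of the intermittent vs. persistent distinction the message makes, in C: a SP 800-90B repetition count test whose cutoff is derived from the chosen alpha, wrapped in a read routine that drops a failing sample and re-reads a bounded number of times before declaring the failure persistent and stopping output, as SP 800-90B 4.3 requires. The replayed byte source, the assumed min-entropy of 4 bits per sample (which with alpha = 2^-40 gives a cutoff of 11 identical samples), the re-read budget of 4 and all function names are constructed for the demonstration; the commit's actual thresholds and attempt counts are not on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Repetition count test (SP 800-90B 4.4.1): cutoff C = 1 + ceil(-log2(alpha)/H),
 * H being the assumed min-entropy per sample in bits. */
struct rct { uint32_t cutoff, run; uint8_t last; bool started; };

uint32_t rct_cutoff(uint32_t alpha_log2, uint32_t h_bits)
{
	return 1 + (alpha_log2 + h_bits - 1) / h_bits; /* integer ceil */
}

static void rct_init(struct rct *t, uint32_t alpha_log2, uint32_t h_bits)
{
	t->cutoff = rct_cutoff(alpha_log2, h_bits);
	t->run = 0;
	t->started = false;
}

/* Feed one sample; false once a run of identical samples reaches the cutoff. */
static bool rct_update(struct rct *t, uint8_t s)
{
	if (t->started && s == t->last) {
		t->run++;
	} else {
		t->last = s;
		t->run = 1;
		t->started = true;
	}
	return t->run < t->cutoff;
}

enum trng_status { TRNG_OK, TRNG_INTERMITTENT, TRNG_PERSISTENT };

/* Constructed stand-in for the hardware TRNG: replays a fixed byte array. */
struct source { const uint8_t *data; size_t len, pos; };

static bool src_read(struct source *s, uint8_t *out)
{
	if (s->pos >= s->len)
		return false;
	*out = s->data[s->pos++];
	return true;
}

#define RETRIES 4 /* assumed re-read budget after a health test failure */

/* Read one health-tested sample. A failing sample is dropped and up to
 * RETRIES more are read; if the test clears, the failure was intermittent
 * and a good sample is returned. If the budget runs out the failure is
 * persistent and no sample is produced (SP 800-90B 4.3, point 2). */
static enum trng_status trng_read_checked(struct source *src, struct rct *t,
					  uint8_t *out)
{
	for (int attempt = 0; attempt <= RETRIES; attempt++) {
		uint8_t s;
		if (!src_read(src, &s))
			return TRNG_PERSISTENT; /* source stopped delivering */
		if (rct_update(t, s)) {
			*out = s;
			return attempt ? TRNG_INTERMITTENT : TRNG_OK;
		}
	}
	return TRNG_PERSISTENT;
}

struct stats { int ok, intermittent, persistent; };

/* Drain a source through the checked read; stop at a persistent error. */
static struct stats run_stream(const uint8_t *data, size_t len)
{
	struct source src = { data, len, 0 };
	struct stats st = { 0, 0, 0 };
	struct rct t;
	uint8_t byte;

	rct_init(&t, 40, 4); /* alpha = 2^-40, assumed H = 4 bits: cutoff 11 */
	while (src.pos < src.len) {
		switch (trng_read_checked(&src, &t, &byte)) {
		case TRNG_OK:
			st.ok++;
			break;
		case TRNG_INTERMITTENT:
			st.intermittent++;
			break;
		case TRNG_PERSISTENT:
			st.persistent++;
			return st;
		}
	}
	return st;
}

/* Constructed glitch: 11 identical bytes, then the source recovers. */
struct stats demo_intermittent(void)
{
	static const uint8_t data[] = { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
					0x41, 0x41, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46 };
	return run_stream(data, sizeof(data));
}

/* Constructed stuck source: 20 identical bytes. */
struct stats demo_persistent(void)
{
	uint8_t data[20];
	for (size_t i = 0; i < sizeof(data); i++)
		data[i] = 0x41;
	return run_stream(data, sizeof(data));
}
```

The glitch stream yields one intermittent event and otherwise normal output; the stuck stream stops delivering samples after the retry budget is spent, which is the behaviour the consuming DRBG has to be able to handle rather than silently reading zeros.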
For crypto code we care about possible concerns during review, so add
more strict warnings. Fix all int to uint32_t/size_t comparisons,
make consistent use of size_t vs. uint32_t in crypto code.
Update test/tpm_test/bn_test.c to compile for checking big number
functions' correctness.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
TCG tests:
---------------------- Test Result Summary -----------------------------
Test executed on: Thu Sep 23 17:45:19 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I47e5de3d180d3aebb13b3feef4c1da87c9f6a174
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180279
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
We have to block access to crypto functions when FIPS errors have occurred.
To achieve this:
1. Provide wrappers for ECDSA P-256 sign and verify functions
a) DCRYPTO_p256_ecdsa_verify as wrapper for dcrypto_p256_ecdsa_verify
b) DCRYPTO_p256_ecdsa_sign as wrapper for
dcrypto_p256_fips_sign_internal with additional check for FIPS
DRBG initialization which is needed for signing.
2. Switch all ECDSA functions, both internal and external, to use
enum dcrypto_result instead of inconsistent 0/1 values.
3. Added warning for unused result code for ECDSA functions.
4. Updated documentation for public APIs
5. In DCRYPTO_p256_key_from_bytes() implemented clear distinction between
bad candidate and failures due to FIPS or pair-wise consistency.
6. U2F, rma_auth, TPM ecc, etc updated to use new return codes.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; rma_auth, u2f_test, etc.
test/tpm_test/tpmtest.py
TCG tests
----------------------------- Test Result Summary ----------------------
Test executed on: Thu Sep 23 09:56:42 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0251bf511771c1c1fd281f6db706d1dedac3e8b8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179708
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
To drop dependency on internal rand_state.drbg_initialized in functions
located in other sources, slightly change fips_drbg_init() logic to
avoid initialization if already initialized.
Also update 0/1 to false/true as rand_state.drbg_initialized is bool.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ia541266c36793c65dffce27a60a20ae25e10f92c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179316
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
Use of long return types like 'enum dcrypto_result' with long function
names commonly results in the return type being on a line alone:
Before:
enum dcrypto_result
DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d,
const uint8_t bytes[P256_NBYTES])
After:
enum dcrypto_result DCRYPTO_p256_key_from_bytes(
p256_int *x, p256_int *y, p256_int *d, const uint8_t bytes[P256_NBYTES])
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I51f5b4cd8dd058796bd4ee5edd786a384460dedf
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179709
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
Several functions like lo32(), hi32(), clz() were defined in bn.c,
but clz and ctz are used in fips_rand.c. Move these functions into
internal.h to allow reuse.
Both __builtin_ctz() and __builtin_clz() have undefined behavior for
a zero argument. Explicitly set the result to 32 in that case. This
was already done for __builtin_clz() in bn.c, but not for the variants
used in TRNG health tests.
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1; TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ifc6fa7f820080bdad0f14fc079163f4976369724
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3174592
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
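The zero-argument handling described in this change, shown as an added example rather than the cr50 code: clz32, ctz32, the *_ref reference versions and selfcheck are hypothetical names.

```c
#include <stdint.h>

/*
 * Added example, not cr50 code: count leading / trailing zeros of a
 * 32-bit word. __builtin_clz() and __builtin_ctz() are undefined for a
 * zero argument, so the zero case is handled explicitly and returns the
 * word width (32), the convention the commit message describes.
 * clz32 / ctz32 / clz32_ref / ctz32_ref / selfcheck are hypothetical names.
 */
static inline uint32_t clz32(uint32_t x)
{
	if (x == 0)
		return 32;
	return (uint32_t)__builtin_clz(x);
}

static inline uint32_t ctz32(uint32_t x)
{
	if (x == 0)
		return 32;
	return (uint32_t)__builtin_ctz(x);
}

/* Bit-by-bit reference versions, used to cross-check the builtin-based ones. */
static uint32_t clz32_ref(uint32_t x)
{
	uint32_t n = 0;

	while (n < 32 && !(x & (UINT32_C(1) << (31 - n))))
		n++;
	return n;
}

static uint32_t ctz32_ref(uint32_t x)
{
	uint32_t n = 0;

	while (n < 32 && !(x & (UINT32_C(1) << n)))
		n++;
	return n;
}

/*
 * Compare both implementations over every single-bit value, a few
 * multi-bit values and zero. Returns 1 if they agree everywhere, else 0.
 */
static int selfcheck(void)
{
	static const uint32_t extra[] = { 0, 1, 0x80000000u, 0xffffffffu,
					  0x00010000u, 0x0000ff00u };
	uint32_t i;

	for (i = 0; i < 32; i++) {
		uint32_t v = UINT32_C(1) << i;

		if (clz32(v) != clz32_ref(v) || ctz32(v) != ctz32_ref(v))
			return 0;
	}
	for (i = 0; i < sizeof(extra) / sizeof(extra[0]); i++)
		if (clz32(extra[i]) != clz32_ref(extra[i]) ||
		    ctz32(extra[i]) != ctz32_ref(extra[i]))
			return 0;
	return 1;
}
```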
| |
The new command will be used for context switching to make the large
stack of the TPM task available to the AP RO verification code.
Note that we don't want the AP to be able to send this vendor command,
some extension_route_command() enhancement might be necessary.
BUG=b:199904580
TEST=tested along with AP RO verification implementation.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I8599479752b4a7b1982b75cfea61ffad3950681d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172255
Reviewed-by: Andrey Pronin <apronin@chromium.org>
| |
This API will provide support to the AP RO verification
implementation. The size of data read in one transaction is limited by
SPI_HASH_CHUNK size.
BUG=b:199904580, b:200736744
TEST=tested along with AP RO verification implementation.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Id4da2add2ce1202d979627dde40325b583004fc5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172254
Reviewed-by: Andrey Pronin <apronin@chromium.org>
| |
To properly define the FIPS module boundary, all APIs provided by the module
to external applications (TPM2, pinweaver, etc.) should be identifiable.
Shuffle functions between dcrypto.h and internal.h to achieve this goal.
Adjust included headers as needed.
BUG=b:134594373
TEST=make buildall; TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ie2679644d62e232a5d5d06f8ed6bf602853ebde2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169558
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
All public functionality of the FIPS module should be disabled in case
of FIPS errors.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1;
ccd:
fips sha
fips test
u2f_test - should fail
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ice8a0ab6535fcb0bd426ebbe969db1859cbd3ae8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169097
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
struct APPKEY_CTX is an empty struct passed to a few APIs and not used
for any purpose. Remove it.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1;
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4bcb8f196b70cefc58a81e8592d83aa70464fcf8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169374
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
Folks working on other Haven firmware shared an issue: our code for
unaligned access is sensitive to the compiler version, and with an updated
gcc it results in broken code. Replacing access_helper with aligned access
and memcpy into an aligned buffer if unaligned data is provided results
in smaller and faster code. Unaligned access unfortunately results in
quite lengthy code. Specifically for AES I got back 312 bytes.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test + TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ie03b7ce3a24c4fea0506c204fce82bca719f1b79
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3167003
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
NIST statistical tests for TRNG entropy require comparing entropy
in regular mode (continuous readings) with entropy after TRNG restarts.
Added support for TRNG restart before reading entropy and updated the script
to drive tests.
BUG=b:138577834
TEST=test/nist_entropy.sh
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Idc46191be05e8275730726f6debb8007ca361bc6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165883
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: William Wesson <wesson@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
An "Approved" RNG listed in FIPS 140-2 Annex C must be used for the
generation of random data or cryptographic keys used by an approved
security function. Detailed information and guidance on Key Generation
can be found in NIST SP 800-133 and FIPS 140-2 IG 7.8 and D.12.
Many functions use raw entropy from the TRNG without any health tests or
even checking the returned status, as the old API didn't provide any
indication of failure.
With this patch we remove the old API, rand() and rand_bytes(), and expose
a new API:
fips_rand_bytes() - generation of random bits from a properly instantiated
DRBG, reseeded as needed.
fips_trng_bytes() - generation of entropy from the TRNG with statistical
testing and checking for TRNG failures.
fips_trng_rand32() - generation of 32 bits from the TRNG with health check
and indication of status.
ccd, rsa, ecc, pinweaver, rma_auth are updated to use the new APIs.
These functions are moved into dcrypto.h, which will become the "Public API"
for the module.
The trng_test vendor command is moved to dcrypto/trng.c where it belongs.
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest.py
TCG tests.
-------------------------- Test Result Summary -------------------------
Test executed on: Thu Sep 16 10:16:59 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
======================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I80d103ead1962ee388df5cabfabe0498d8d06d38
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165870
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
Replace all usages of chromite.lib.cros_logging with the stdlib logging
module.
BUG=b:191490453
TEST=None
BRANCH=None
Signed-off-by: Chris McDonald <cjmcdonald@chromium.org>
Change-Id: I661a620fb514b2b53b6e6c5d76c90cca0280959c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162336
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-by: Alex Klein <saklein@chromium.org>
| |
It seems now HKDF is only used by the RSA key gen test from seed and by
test/tpm_test/tpmtest.py, so link it only when CRYPTO_TEST=1 is used.
This saves some space for the prod build, as all functions of the FIPS module
are linked in as a whole.
BUG=none
TEST=make BOARD=cr50
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I7f925d4dabd8685efe5916933198d5560bdacd9f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3163309
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
1. Hardware HMAC implementation is added for key lengths <= 32 bytes and
more than 64 bytes. Keys between 32 and 64 bytes use a hybrid approach.
2. HMAC DRBG performance increased even more from 520us to 320us per
32 bytes.
3. Added support for one-shot SHA operation which is a bit faster than
livestream mode when message length is known beforehand.
4. Image size impact - +216 bytes.
5. Added opportunities to enable keyladder code to use some common
primitives like dcrypto_fifo_load() instead of its own versions.
6. Added new console command hmac activated with CRYPTO_TEST=1 to
test all paths (hw, sw, hybrid for HMAC) for SHA256, SHA1 and
HMAC SHA256. Due to the size of test vectors, you should choose one at
a time to test. Also, since HMAC is used by DRBG, DRBG tests are also
relevant.
BUG=b:195092622
TEST=make CRYPTO_TEST=1; 'hmac' command in console, tests/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Icb3d8a9d0f3bd0509eb72993d5835584bc14640b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3116570
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
To cleanly split internal API in internal.h from external API in
dcrypto.h we need to add missing DCRYPTO_p256_is_valid_point().
While adding this, switch to enum dcrypto_result for both internal and
external versions.
Added a check that the provided point is valid to DCRYPTO_p256_point_mul() as
an important security precaution. Currently this check is still in
tpm2/ecc.c, but it will be removed in the next CLs with switching to
enum dcrypto_result.
Added comments on input parameters and behavior.
BUG=b:134594373
TEST=make BOARD=cr50; test/tpm_test/tpmtest.py; TCG tests
-------------------------- Test Result Summary -------------------------
Test executed on: Tue Sep 14 18:24:10 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4637f7b61b5a502854d9cad03e8e603529278873
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161507
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
1. KAT tests should check that the result doesn't match expectation for
modified input, not just failing on request. Added modification of input
data in case a test break is needed (during module validation).
2. For ECDSA added pair-wise consistency test with known key pair.
However, this test adds roughly 40ms, so disable it and use the sign test
with a fixed nonce instead.
3. Some internal changes to support functionality - internally provided
dcrypto_p256_ecdsa_sign_raw() which takes a precomputed nonce vs. drbg.
This allows generation of the nonce with reseeding of DRBG if needed.
Also added dcrypto_p256_fips_sign_internal() which does the same as
dcrypto_p256_ecdsa_sign() except that it reseeds DRBG with entropy if
needed.
4. Implemented ECDSA sign test with fixed nonce, and combined it with the
verify test. This frees some space for test vectors.
Also, store SHA256 of the message as SHA256 is already tested. This saves
another 96 bytes.
5. KAT test time increased 2X from ~40ms to 60ms due to ECDSA sign test.
6. Run SHA2-256 KAT before self-integrity test, as it is used for
self-integrity.
BUG=b:138577539
TEST=make BOARD=cr50
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1cbd470bc64ef3eb50e9a28055404fb998c65b61
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3144376
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
For G2F switched to proper use of DRBG.
For U2F added support for 512-bit entropy, changed DRBG instantiation
in FIPS path.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1; u2f_tests in ccd, tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1acf9947317a8b2f1b53cee0b2d81829c54336d5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161506
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
| |
p256_int was defined as packed struct to allow in place processing of
TPM2 commands. However, it is not practical to pad and reverse bytes
in place, support for misaligned access results in bloated code, lower
performance and side-channel leaks.
With this change, introduce the p256_from_be_bin_size() function, which
handles all cases of converting a big-endian number into the p256_int
internal representation (little-endian for cr50): skipping leading
zeros if present in the big-endian input, checking the size, and zero padding.
Bonuses:
- code size reduction of 336 bytes
- a bit higher performance for p256
- support for zero padded big-endian in TPM2 ECC, as well as more
reliable checks for input parameters.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
in console p256_test as unit test for padding function.
------------------------------ Test Result Summary -----------------------------
Test executed on: Tue Sep 14 15:13:11 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
=========================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Idd04d4e8d30225398814650332fe9be7182a8966
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138754
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
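The conversion this change describes, as an added example and not the cr50 implementation: p256_from_be_bytes and p256_le_t are hypothetical stand-ins for p256_from_be_bin_size() and p256_int, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define P256_NBYTES 32
#define P256_NDIGITS 8

/* Hypothetical little-endian 256-bit integer: a[0] is the least significant word. */
typedef struct {
	uint32_t a[P256_NDIGITS];
} p256_le_t;

/*
 * Convert a big-endian byte string of any length into little-endian words.
 * Leading zero bytes are skipped first, so a 32-byte value and its
 * zero-padded (e.g. 33-byte) encoding convert identically; an input with
 * more than 32 significant bytes is rejected. Words are assembled byte by
 * byte, so no unaligned load is performed. Returns 1 on success, 0 on failure.
 */
static int p256_from_be_bytes(p256_le_t *out, const uint8_t *in, size_t len)
{
	uint8_t buf[P256_NBYTES];
	size_t i;

	memset(out, 0, sizeof(*out));
	while (len > 0 && *in == 0) {	/* skip leading zeros */
		in++;
		len--;
	}
	if (len > P256_NBYTES)
		return 0;
	memset(buf, 0, sizeof(buf));	/* zero-pad on the left */
	memcpy(buf + (P256_NBYTES - len), in, len);
	for (i = 0; i < P256_NDIGITS; i++) {
		const uint8_t *p = buf + P256_NBYTES - 4 * (i + 1);

		out->a[i] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
			    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	}
	return 1;
}

/* Constructed sample inputs (not real key material). */
static const uint8_t kFull32[P256_NBYTES] = { 0x80 };		/* 0x80 then zeros */
static const uint8_t kPadded33[P256_NBYTES + 1] = { 0x00, 0x80 };	/* same value, padded */
static const uint8_t kTooBig33[P256_NBYTES + 1] = { 0x01 };	/* 33 significant bytes */

/* 1 if the padded and unpadded encodings of one value agree word for word. */
static int demo_padding_is_transparent(void)
{
	p256_le_t a, b;

	if (!p256_from_be_bytes(&a, kFull32, sizeof(kFull32)) ||
	    !p256_from_be_bytes(&b, kPadded33, sizeof(kPadded33)))
		return 0;
	return memcmp(a.a, b.a, sizeof(a.a)) == 0 && a.a[7] == 0x80000000u;
}

/* 1 if an over-long value is rejected by the size check. */
static int demo_too_big_rejected(void)
{
	p256_le_t t;

	return p256_from_be_bytes(&t, kTooBig33, sizeof(kTooBig33)) == 0;
}
```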
| |
Dcrypto p256 microcode in https://crrev.com/c/3133625 introduced shift
in DMEM layout which started to corrupt mod & RR values, so alternating
RSA and P256 led to potential errors in dcrypto_modexp_blinded().
This fix updates layout to move input in the place of mod and thus
preserve mod & RR.
BUG=none
TEST=make BOARD=cr50; TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ic949147f43dfc210ed499c91c70e1ed186670afc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3160503
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| |
There is no point in having a separate implementation of always_memset()
which is slow and takes a few extra bytes. Make memset's body available
as memset_core() with volatile dest *, thus making it always called,
the same as with always_memset(). Both memset() and always_memset() become
just wrappers on top.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; board boots, FIPS tests pass,
tpm_test.py works.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I68b3f89e757521e94df646f7d643411c53a10da7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155725
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>