| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CQ for cr50 doesn't cover all targets of interest.
Borrow script from /platform/ec and adjust it a bit to cr50 targets.
BUG=b:202192433
TEST=./firmware_builder.py --metrics m.pb build
./firmware_builder.py --metrics m.pb test
./firmware_builder.py --metrics m.pb bundle
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I77ab1134fb2b7df1e16314068dac05ba8ef49094
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3224365
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To implement CQ make a copy of firmware_builder.py script into cr50
as a first step.
BUG=b:202192433
TEST=N/A
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9d4354242e49e0e1e4029c773fe291fab92d62df
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3224376
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=None
TEST=make buildall -j
Change-Id: Ief14c16e37842794a60c7d10e068db94083aa359
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221960
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Howard Yang <hcyang@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It should not be possible to trigger AP RO verification by sending the
vendor command over the USB interface, it should be triggered only
when the user enters the existing key sequence, or when coming from
the AP as a TPM command.
When verification is triggered by the key sequence the verification
function is still invoked as a TPM vendor command, because a context
switch into TPM task is required to be able to use its large stack.
The problem is that when TPM task processes context switching
commands, it unconditionally sets the bit indicating that they come
from USB. This is required for some CCD commands, but not for the AP
RO verification request.
Let's introduce a new flag to be able to tell between commands coming
from USB and from alternative sources, and allow AP RO verification be
triggered by alternative sources but not from USB.
BUG=b:202902506
TEST=AP RO verification still could be triggered by key presses and
through a TPM command coming from the AP, but is rejected if sent
over USB by the host.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Ib3b5bd9867cc3038d9123b23c7a25886331a179c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221776
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With planned upgrade to gcc 11.2 we need to make sure it will not fail
cr50 build as it will be a reason to revert. gcc 11.2 gives us 1768 b
back after TPM2 LTO, but it changes default linker behavior and produce
LTO object file during partial link unless -flinker-output=nolto-rel is
used. This option however fail 8.3 build.
Also, gcc 11.2 introduced new optimization path IPA modref which doesn't
play nice with LTO and partial link used together, causing gcc crash.
To overcome this issue add -fno-ipa-modref when gcc 11.2 is used. This
results in almost no impact on code size.
BUG=none
TEST=make BOARD=cr50 tested with gcc 8.3 and gcc 11.2
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I78a3b3403e84dc4a426dede02b399d9d249ece81
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3218577
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Patrick Georgi <pgeorgi@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
U2F_Sign is expected to receive pre-hashed version of user credentials
so should apply SHA2-256 to the value before key handle verification.
Also, enforce user verification with authentication time secret if no
user presence (power button press) is requested.
test/tpm_test/tpmtest.py updated to apply SHA256 in U2F_Generate to
match expected u2fd behavior.
BUG=b:172971998
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1;
test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I92d73cd1fc0d962fefe11faeb4ce0ed68c798aa7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221264
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Howard Yang <hcyang@google.com>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Introduced AES register structure and replaced register access with
accesses to fields. In many cases it reduce code size and number of
instructions.
2. Deduplication between AES implementation and App Cipher which use
AES engine with key coming from key ladder. Added internal function
dcrypto_aes_process() which applies current AES configuration to
aligned data in highly optimized manner, same as previous outer_loop
and inner_loop() functions.
Overall it saves 322 bytes with gcc 8.3
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
In ccd: cipher [to test app_cipher];
TCG Tests.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I6551e21e5e8798aa4691cb6ba476d565778cea3d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3213610
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move declarations of AES-GCM, AES-CMAC, ECIES, HKDF and few other
functions from dcrypto.h into internal.h.
Merge tpm2/hkdf.c into dcrypto/hkdf.c. It contains only function used
for testing and HKDF itself is only used for CRYPTO_TEST=1.
BUG=b:134594373
TEST=make buildall -j; make BOARD=cr50 CRYPTO_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I56c03ff4e8838871cdb28c0d9946c39754d9e054
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219576
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Add test commands to break all KAT tests [fips hmac/drbg/ecdsa/pwct]
2) To support PWCT demo reduced number of attempts to retrieve valid
p256 key candidate to 16. Probability of false negative would be less
than 2^-4080 (255*16), but will prevent DoS attack if it consistently
fails for real reasons.
3) Fixed HMAC KAT test failure (was bound SHA failure earlier).
BUG=b:138576604
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1
In ccd:
fips
fips hmac
fips test - see FIPS error
reboot
fips drbg
fips test - see FIPS error
reboot
fips ecdsa
fips test - see FIPS error
reboot
fips pwct
u2f_test - see NOT PASSED of u2f_generate/u2f_sign
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0a812075bb2436f5823eff446b725f19974a2a31
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221770
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Block EC UART output and EC COMM with 'ccdblock TRISTATE_EC enable'.
This removes the EC UART output, prevents EC-EFS2, and removes the
pulldown from the EC RX signal.
This is used for flashing the EC with c2d2. It's only available when CCD
is enabled.
BUG=b:202464674
TEST=manual
# Disconnect servo. Verify EC tx is disabled and there's no pull
# down after tristating the EC
> ccdblock TRISTATE_EC enable
CCD ports blocked: EC IGNORE_SERVO
WARNING: enabling UART while servo is connected may damage
hardware EC_CR50_COMM TRISTATE_EC
> pinmux
...
400600c8: DIOB5 0 IN
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
> ccdstate
...
State flags: UARTAP USBEC+TX
CCD ports blocked: EC EC_CR50_COMM TRISTATE_EC
...
# Check UART TX is re-enabled after disabling TRISTATE_EC
> ccdblock TRISTATE_EC disable
CCD ports blocked: (none)
> ccdstate
...
State flags: UARTAP+TX UARTEC+TX I2C SPI USBEC+TX
CCD ports blocked: (none)
...
> pinmux
...
400600c8: DIOB5 78 IN UART2_TX
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
# Connect servo, so cr50 disables the EC UART on it's own.
# Verify the pulldown is removed after tristating the EC.
> ccdstate
...
State flags: UARTAP UARTEC USBEC+TX
CCD ports blocked: (none)
> pinmux
...
400600c8: DIOB5 0 IN PD
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
> ccdblock TRISTATE_EC enable
CCD ports blocked: EC EC_CR50_COMM TRISTATE_EC
> ccdstate
...
State flags: UARTAP USBEC+TX
CCD ports blocked: EC EC_CR50_COMM TRISTATE_EC
# Check PD is removed from DIOB5
> pinmux
...
400600c8: DIOB5 0 IN
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
# Check PD is re-enabled after disabling TRISTATE_EC
> ccdblock TRISTATE_EC disable
CCD ports blocked: (none)
> ccdstate
...
State flags: UARTAP UARTEC USBEC+TX
CCD ports blocked: (none)
> pinmux
...
400600c8: DIOB5 0 IN PD
400600d0: DIOB6 16 IN GPIO0_GPIO15
Change-Id: I7bde996be3914bd5d625ad99e418f9bd2c0f41d1
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219760
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the AP is off, cr50 doesn't need to enable the AP UART. Having it
enabled could cause power leakage if the signals aren't terminated
correctly. Check ap_is_on and ap_uart_is_on before enabling the AP
UART.
BUG=b:136602563
TEST=firmware_Cr50DeviceState
Change-Id: I192bdc4caef8cfa0ce6d8a3ca181b16388e35cd4
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219756
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
FE_TPM_I2C_ERROR events don't mean much and it's not a big deal if cr50
needs to recover the I2C bus. Remove FE_TPM_I2C_ERROR logging from
chip/i2cp.
BUG=b:146067724
TEST=make buildall -j
Change-Id: I2bdce35fc794559c8236b1c14d87fa4372ffafa4
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219755
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a reland of 3cac98670745fc5ca82a058fab512567f8444759
The structure of u2f command related types are updated before the
original CL lands. Update the fuzzer to correctly fuzz the new code, and
ignore the profdata generated by fuzzers in .gitignore.
Original change's description:
> cr50_fuzz: Add fuzzer for u2f commands
>
> Currently there's only one fuzzer for Pinweaver and one for host
> commands in cr50. Add a fuzzer for the u2f commands (generate, sign,
> attest) used in the WebAuthn flow to ensure its security. Most regions
> of the concerning functions are covered except for pure error code
> returns and unreachable regions (currently auth secret is not used in
> sign and attest command yet).
>
> Rename old cr50_fuzz namings to pinweaver_fuzz, since they only cover
> Pinweaver commands.
>
> BUG=b:172367435
> TEST=make buildall -j
> TEST=make host-u2f_fuzz && \
> ./build/host/u2f_fuzz/u2f_fuzz.exe -timeout=10 \
> -ignore_ooms=false -ignore_timeouts=false -fork=71; \
> llvm-profdata merge -sparse default.profraw -o default.profdata; \
> llvm-cov show ./build/host/u2f_fuzz/u2f_fuzz.exe \
> -object ./build/host/u2f_fuzz/RO/board/cr50/dcrypto/u2f.o \
> --instr-profile default.profdata \
> board/cr50/dcrypto/u2f.c common/u2f.c > report
>
> Cq-Depend: chromium:3162473
> Change-Id: I02b820cf03f7b46ccad7c3bc7b82e73ff45217c6
> Signed-off-by: Howard Yang <hcyang@google.com>
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162469
> Reviewed-by: Andrey Pronin <apronin@chromium.org>
> Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
> Reviewed-by: Leo Lai <cylai@google.com>
Bug: b:172367435
Change-Id: I279e20b21a11e0ec957b6a5c3e95bc9a3b9df196
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3217474
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Howard Yang <hcyang@google.com>
Commit-Queue: Howard Yang <hcyang@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
.text.fips_checksum section was placed after .text which resulted in
different address for it. Since address of this section is used in FIPS
module it resulted in different digest computed.
BUG=b:138578318
TEST=make BOARD=cr50, check map file to ensure .text.fips_checksum is
just after FIPS module.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ia054fec9191eac8818dcde139320eddbd7c8085b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3218580
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Script inserting FIPS checksum into the image uses the dd utility
which generates stderr output even when there is no errors.
This patch adds code which captures the dd stderr output and prints it
out only if there is an actual error. stdout output of the script is
suppressed unless make was invoked with V=1.
Also made a few modifications as requested by shellcheck.
BUG=none
TEST=make output does not have extra lines.
built and ran a Cr50 image, it reports successful FIPS integrity
self check.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I9121bc5a9a40633b9a3d18ea5766bc1ed274a9c2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210946
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to reduce code footprint, do not link TPM2 library modules,
instead build TPM2 as a single relocatable object module, a collection
of library sources compiled and linked with LTO enabled.
BUG=b:65253310
TEST=observed code space reduced by 1428 bytes, the bss_libtpm2
section remained practically unchanged:
before:
*** 5548 bytes in flash and 5652 bytes in RAM still ...
000104d0 B __bss_libtpm2_start
000155d7 B __bss_libtpm2_end
after:
*** 6976 bytes in flash and 5652 bytes in RAM still ...
000104d0 B __bss_libtpm2_start
000155d4 B __bss_libtpm2_end
Verified that the new Cr50 image allows a Chrome OS to successfully
boot and restart.
Cq-Depend: chromium:3210050
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I32335df29a332da115d8af56c157d5ad4189e9b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210510
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently tpmtest.py fails to connect to H1 red board first time after
it is flashed, which is not convenient. It looks like the workaround is
to try to read any TPM register. So, implement a workaround.
Frequency of FTDI can be safely increased to 2000Khz.
Reduced delay to start transaction from 10ms to 200us which greatly
improve overall testing (except for RSA which actually runs noticeable
time).
Overall time to run tests decreased from 165s to about 120s, but take
into account RSA key gen tests alone are about 100s.
BUG=none
TEST=testtpm.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ib67b71b36457b33f38135f9cec269dcf35881f54
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3214771
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
test/tpm_test Makefile doesn't build bn_test properly. Need to add
handling of difference between Cr50 and Chip/g dcrypto.
Also, Cr50 code use __always_inline for some functions which itself
requires compiler optimization to turn on. Adding -O2 to CFLAGS.
BUG=None
TEST=make -C test/tpm_test clean
make -C test/tpm_test
make -C test/tpm_test clean
make -C test/tpm_test CR50=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I08749ebaa930fd4f71d7406ed289bf480b5a8510
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3215057
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make runfuzztests started to fail once both:
https://crrev.com/c/3162473 and https://crrev.com/c/3208916 landed.
Clang seems to incorrectly discarding sections it generated for
profiling, resulting in:
__profc_DCRYPTO_hw_sha256_init' referenced in section .text.compute_hash[compute_hash]' of build/host/cr50_fuzz/libec.a(libec.a.2.o): defined in discarded section `__llvm_prf_cnts[__profd_DCRYPTO_hw_sha256_init]' of build/host/cr50_fuzz/libec.a(libec.a.2.o)
__profc_DCRYPTO_hw_sha256_init' referenced in section .text.create_merkle_tree[create_merkle_tree]' of build/host/cr50_fuzz/libec.a(libec.a.2.o): defined in discarded section `__llvm_prf_cnts[__profd_DCRYPTO_hw_sha256_init]' of build/host/cr50_fuzz/libec.a(libec.a.2.o)
clang-13: error: linker command failed with exit code 1 (use -v to see invocation)
This definition of __always_inline should be useful in other cases, so
moving it into common.h.
Note, we have to #undef it first, as it is previously defined in system
headers.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I073b38a68fd43a14dbe92063011c95758030b225
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3213113
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dependencies for FIPS module were incorrectly set as actual dependency
on $(out)/ec_version.h and $(out)/env_config.h instead of order-only
dependency, causing rebuild on any change in repository.
BUG=b:202225290
TEST=make BOARD=cr50
echo ' ' >> board/cr50/tpm2/rsa.c
make BOARD=cr50
should only rebuild tpm2/rsa.c and not dcrypto/*
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4d2e8e4a2182ddf850ccfad18e9b517f41594d55
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3208539
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc 11.2 changes semantic of how 'static inline' works with LTO, which
causes either ODR or missing symbol issues during linking when several
objects created by LTO.
After several experiments with
inline
extern inline
It seems that using __inline __attribute__(always_inline) is most
reliable method.
BUG=None
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4d0e8bed00bbc3b3e580c4c610a2f733f2525973
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3208916
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 3cac98670745fc5ca82a058fab512567f8444759.
Reason for revert:
This patch breaks building of 'make buildall' and seems to be leaving some generated files in the root directory.
Original change's description:
> cr50_fuzz: Add fuzzer for u2f commands
>
> Currently there's only one fuzzer for Pinweaver and one for host
> commands in cr50. Add a fuzzer for the u2f commands (generate, sign,
> attest) used in the WebAuthn flow to ensure its security. Most regions
> of the concerning functions are covered except for pure error code
> returns and unreachable regions (currently auth secret is not used in
> sign and attest command yet).
>
> Rename old cr50_fuzz namings to pinweaver_fuzz, since they only cover
> Pinweaver commands.
>
> BUG=b:172367435
> TEST=make buildall -j
> TEST=make host-u2f_fuzz && \
> ./build/host/u2f_fuzz/u2f_fuzz.exe -timeout=10 \
> -ignore_ooms=false -ignore_timeouts=false -fork=71; \
> llvm-profdata merge -sparse default.profraw -o default.profdata; \
> llvm-cov show ./build/host/u2f_fuzz/u2f_fuzz.exe \
> -object ./build/host/u2f_fuzz/RO/board/cr50/dcrypto/u2f.o \
> --instr-profile default.profdata \
> board/cr50/dcrypto/u2f.c common/u2f.c > report
>
> Cq-Depend: chromium:3162473
> Change-Id: I02b820cf03f7b46ccad7c3bc7b82e73ff45217c6
> Signed-off-by: Howard Yang <hcyang@google.com>
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162469
> Reviewed-by: Andrey Pronin <apronin@chromium.org>
> Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
> Reviewed-by: Leo Lai <cylai@google.com>
Bug: b:172367435
Change-Id: Ie844e44e0cd6254553694c23a535f18329cef77d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3212497
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently there's only one fuzzer for Pinweaver and one for host
commands in cr50. Add a fuzzer for the u2f commands (generate, sign,
attest) used in the WebAuthn flow to ensure its security. Most regions
of the concerning functions are covered except for pure error code
returns and unreachable regions (currently auth secret is not used in
sign and attest command yet).
Rename old cr50_fuzz namings to pinweaver_fuzz, since they only cover
Pinweaver commands.
BUG=b:172367435
TEST=make buildall -j
TEST=make host-u2f_fuzz && \
./build/host/u2f_fuzz/u2f_fuzz.exe -timeout=10 \
-ignore_ooms=false -ignore_timeouts=false -fork=71; \
llvm-profdata merge -sparse default.profraw -o default.profdata; \
llvm-cov show ./build/host/u2f_fuzz/u2f_fuzz.exe \
-object ./build/host/u2f_fuzz/RO/board/cr50/dcrypto/u2f.o \
--instr-profile default.profdata \
board/cr50/dcrypto/u2f.c common/u2f.c > report
Cq-Depend: chromium:3162473
Change-Id: I02b820cf03f7b46ccad7c3bc7b82e73ff45217c6
Signed-off-by: Howard Yang <hcyang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162469
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Leo Lai <cylai@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adjust Makefile toolchain setting so that fuzzers can generate coverage
mapping correctly and generate debug symbols for source-based coverage
report. Also, update gitignore to ignore local vscode settings.
BUG=none
TEST=make buildall -j
Change-Id: I6d5c720895cbb9119c9266df998aa5cc308c1e61
Signed-off-by: Howard Yang <hcyang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162473
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to limited space available with CR50_DEV=1, move some of crypto
related functionality which was under CR50_DEV to branches of
CRYPTO_TEST=1, namely:
- SELF_TEST=1 to print self-integrity hashes
- U2F_VERBOSE=1 to print debug information from U2F key generation.
Config options sorted alphabetically in ENV_VARS and in processing
order.
BUG=None
TEST=make BOARD=cr50 CR50_DEV=1
make BOARD=cr50 CRYPTO_TEST=1 SELF_TEST=1
make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1 U2F_VERBOSE=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I66485b2d1fff8c0947aaf31c93348a16101f14b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3209647
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows a bit more efficient code generation.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ia92116a9aa4ac7d9f77d207205e712c03722dd95
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210238
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To simplify code analysis, move dcrypto's blob into dcrypto_bn.inc
similar to p256 code in dcrypto_p256.inc.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I2ae3a0793bd829c15844d55061952a69a412e2e9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210226
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To simplify code analysis, move dcrypto's blob into dcrypto_sha512.inc
similar to p256 code in dcrypto_p256.inc.
In the process fix minor compiler warning on signed/unsigned compare.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4aac81a3b6fa0c055b83f91575f2d37755845e63
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210229
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding v2 of key handle which drops kh_hmac field and use single
authorization code for all relevant fields.
BUG=b:172971998
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1;
in ccd: u2f_test - unit tests
test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I647ded7a2c157cea91ac48a2ba679def318c1e63
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3199671
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several bn_* function still use static buffer allocation. Switch to
dynamic allocation to enable support for RSA 3K/4K.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
../../build/tpm_test/bn_test
TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I150fa99bde89cc486f7ad945b5a312fe7d787fb0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3207349
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cr50 doesn't use CMAC, it is not even compiled, however during internal
review potential issues with branching on key values were spotted.
1) Fix key expansion to be constant time
2) Switch to enum dcrypto_result
3) Test commands updated to be compatible with FIPS build (use .rodata)
4) Clean up computed tag on stack during verification
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1 CMAC_TEST=1
in ccd: test_cmac 1 2 3 4
test_cmac_ver 1 2 3 4
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Iff9b84dd8fb2baed9152f1ee5c40ef8e4198edd3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194972
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Switched RSA public and internal functions to use enum dcrypto_result
2. Added checks for FIPS errors.
3. Updated call sites to properly handle result values.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
TCG tests:
---------------------- Test Result Summary -----------------------------
Test executed on: Mon Oct 5 18:26:07 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I23d391322e55b541d72388b2a4661991a61dd020
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3207348
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1.Implemented dynamic stack allocation of big number buffers to support
up to RSA 4K for all public APIs.
2. Internal function switched to use enum dcrypto_result
3. Added check that provided exponent is at least odd number (should be
prime / co-prime with N).
4. Saving a bit by reusing zero constant.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
TCG tests
---------------------- Test Result Summary -----------------------------
Test executed on: Mon Oct 4 22:46:07 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Id23ebfdc04132de1f26ee0888b00cacdee2eaf43
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3204566
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To support FIPS mode we need to block access to crypto in case of
errors.
1) Added check for FIPS errors into DCRYPTO_aes_init()
2) Return codes updated to enum dcrypto_result
3) Call sites updated to check for return codes
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Id614cc346fe22537e9208196bf1322221a253b0c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194985
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New options for gcc 11.2 doesn't work on gcc 8.3 since gcc 11.2 update
was reverted.
BUG=None
TEST=make buildall
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Idf965bab903f2700dd01eb028e2a1aa6dc53e101
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3206474
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://crrev.com/c/3192137 changed hash & hmac APIs to return error
codes on failures (primarily FIPS errors), and added convenience api
to set hash mode.
https://crrev.com/c/3172256 was using internal hash API which became
replaced with a new API with error checking, and should be updated
to use a new API.
BUG=none
TEST=make buildall -j; make BOARD=cr50
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I33f31a8913d9a36dac451dac4312a482f761e3f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200807
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FIPS module wasn't rebuilt properly when configuration options were
changed. Added proper dependencies to ensure it is rebuilt when needed.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I543eeeb00d7a72c6b8a936948e62830753954f12
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200516
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To implement FIPS mode for Cr50 we should be able to block access to
crypto functions if errors are detected. Historically all HASH/HMAC
functions were declared as void with no return type.
1) Split existing functions into public part (data structs, update and
final parts) and internal part - unchecked init functions.
2) Introduced new functions to start SHA / HMAC operation which returns
status code and block access to crypto in case of FIPS errors.
3) Dcrypto hash algorithms codes updated to match TPM_ALG_ID to simplify
adaptation layer and move checks inside Dcrypto module.
4) Updated all uses of API outside FIPS module to check return code and
act accordingly.
5) As a side effect RSA can now support SHA384 & SHA512 for signing,
board/host mock ups simplified.
BUG=b:197893750
TEST=make buildall -j; make BOARD=cr50 CRYPTO_TEST=1;
test/tpm_test/tpm_test.py
TCG tests
------------------------------ Test Result Summary ---------------------
Test executed on: Tue Sep 28 15:23:35 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ibbc38703496f417cba693c37d39a82a662c3f7ee
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3192137
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While all Dcrypto code for RSA supports 4K, few software functions were
allocating static buffers on stack and thus limiting what RSA sizes
can be supported.
Updating bn_modinv_vartime() and bn_probable_prime() to allocate stack
space dynamically. This simplifies enabling RSA 3K / 4K support.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I7c410d349e8755d491151152168701ecdd54c04c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3193510
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new AP RO verification approach, version 2, places the AP RO
verification structures in the AP RO itself, as described below.
A new section is included in AP RO FMAP, called RO_GSCVD, which
contains all information necessary to verify the AP RO:
gsc_verification_data (GVD) structure, GVD signature, the platform key
to verify the signature and the root key to verify the platform key.
GVD contains an array of AP RO ranges to be verified and the hash of
the contents of those ranges.
The signature of the GVD is followed by the public platform key, which
allows to verify the GVD signature.
The platform key in turn is signed by the root key, and the public
root key is also present in RO_GSCVD, this allows to validate the
platform key.
The hash of the public root key is hardcoded in the GSC firmware, this
gives the GSC the ability to verify the chain of objects in the
RO_GSCVD FMAP area starting with the root key.
This implementation supports both old and new AP RO verification
schemes as follows. The structure describing data saved in the
dedicated GSC flash page has been enhanced to support both old and new
AP RO verification schemes. To maintain backwards compatibility the 16
bit header field version is converted into two byte fields, version
and type. The new version is 1 and the new verification scheme type is
1, the old verification scheme type value is set to zero.
If a V1 structure is found in the H1 hash page, but verification
fails, a V2 verification is attempted just in case the RO was
reprogrammed and now includes RO_GSCVD area in FMAP.
The hash of the root key is saved in the text section named
.rodata.root_key_hash.
As presented, tests/devkeys/kernel_subkey.vbpubk from the
vboot_reference tree is used as the root key. The label of the section
where the hash is stored will allow the signer to replace the test key
hash with the prod root key hash.
Verification process is moved to the TPM task context to satisfy the
increased stack requirements of V2 calculations. This provides an
additional benefit: verification can be triggered by the AP issuing
the vendor command.
A CCD capability will be added in a follow up CL to restrict
conditions when the AP can invoke verification.
BUG=b:199904580
TEST=prepared an AP RO image containing RO_GSCVD and verified that the
AP RO can be verified, and that the local cache of the GVD is
successfully stored and allows to speed up verification.
Experiments have shown that verifying the entire chain starting
with the root key take 670 ms. Verifying of approximately 70KB of
AP RO takes 200 ms.
Verified that V1 AP RO verification is still working as expected,
and that V2 can take over in case the AP RO was updated with an
RO_GSCVD image, and the V1 check does not pass any more.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I1397376cd0394888da2cda16c0126a313f07d426
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172256
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cr50 so far builds RO and RW images as part of build process.
With adding FIPS module and moving to board-specific crypto library with
different interfaces it become hard to maintain build process as RO
sources use crypto, but with different APIs, and changing that crypto
is challenging as it is also used by other boards with different crypto
APIs.
In this CL we enable RW and RO to have independent selection of crypto
library and include paths, and don't contaminate include paths with
unused things like third_party/cryptoc for RW.
BUG=none
TEST=make buildall -j
make BOARD=cr50
make BOARD=cr50 CRYPTO_TEST=1
Built cr50 images can be flashed and are workable.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1b666fbb8193b79f71c885a761436443fd3fca7b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200069
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For some reason didn't spot earlier another unnecessary complains of
gcc 11.2 in private-cr5x builds with make buildall -j.
Made it so BOARD can override settings done by CHIP even though CHIP is
loaded later. These settings should apply to both CFLAGS and LDFLAGS
due to LTO build.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I8880c518b23778cccf969909e330e9e2d62b5fae
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194984
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CONFIG_FW_INCLUDE_RO option controls wherever RO is built. This option
didn't work properly and RO was always built. Fix this behavior.
However, when RO is not built RW image should include some 16KB stub.
This is not added yet, so for Cr50 we still set CONFIG_FW_INCLUDE_RO.
Also, corrected behavior of CONFIG_CUSTOMIZED_RO which earlier was not
properly taken into account and behavior depended on custom-ro_objs
variable state which always added some common files so actual result
was that CONFIG_CUSTOMIZED_RO is effectively on for chip/g.
BUG=none
TEST=make buildall -j; make BOARD=cr50 & flash
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I31599170050b360fad5c61dd1f81844bb315e1d6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3195319
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Move DRBG initialization flag inside DRBG context to prevent use of
DRBG which is not properly initialized.
2) Add configurable reseed threshold to cover both deterministic key gen
and non-deterministic randoms. Simplify reseeding logic, remove
similar code snippets. Also, can support NDRBG with reseed threshold
equal to 0, which will result in reseeding each time.
3) Adjust parameter names to match NIST SP 800-90A specification.
4) Enforce checking result of hmac_drbg_generate(), update call sites
to check for errors.
5) Reseeding in generate function consumes additional data as per
NIST SP 800-90Ar1 9.3.1
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1 DRBG_TEST=1;
test/tpm_test/tpm_test.py
in ccd:
hmac_drbg
rand_perf
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0e780b5c237d7fbc64e8b0e74d12559a1f40f84c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183397
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ECDSA signing can vary rarely result in zero s or r value due to
combination of message, nonce and a private key. Detect such cases
and retry with another nonce.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test;
in ccd: dcrypto_ecdsa, u2f_test
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1378259a0dc0e2e62cf071b779c1115c4257dc73
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3188564
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Coreboot-sdk is going to be updated to gcc 11.2 soon. Preliminary tests
show that cr50 can successfully be compiled with it, however default
warnings seems produce to many false positive errors.
Disable string-overflow to make code compile. I tried to fix it, but
found nothing to fix.
Example in dcrypto_bn.c:1323 it complains:
if (!rand64(ctx->rnd)
board/cr50/dcrypto/dcrypto_bn.c: In function 'dcrypto_modexp_blinded':
board/cr50/dcrypto/dcrypto_bn.c:1323:14: warning: 'rand64' accessing
8 bytes in a region of size 0 [-Wstringop-overflow=]
1323 | if (!rand64(ctx->rnd))
| ^
board/cr50/dcrypto/dcrypto_bn.c:1323:14: note:
referencing argument 1 of type 'uint32_t *'
board/cr50/dcrypto/dcrypto_bn.c:1160:13: note: in a call to
function 'rand64'
1160 | static bool rand64(uint32_t dst[2])
| ^
board/cr50/tpm2/ecc.c: In function '_cpri__EccPointMultiply':
board/cr50/tpm2/ecc.c:81:25: warning: 'p256_to_bin' accessing 32 bytes
in a region of size 1 [-Wstringop-overflow=]
81 | p256_to_bin(&out_x, out->x.b.buffer);
| ^
board/cr50/tpm2/ecc.c:81:25: note: referencing argument 2 of type 'uint8_t *'
board/cr50/dcrypto/p256.c:119:6: note: in a call to function 'p256_to_bin'
119 | void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES])
Common pattern is when function prototype defines pointer as an array
of specified type. Interestingly, that in case of ctx->rnd, rnd is
uint32_t rnd[2], so complain is unnecessary. In case of ecc it's hard
to explain that there is enough space.
BUG=None
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I6bc071e4b536095535b9766d14600f5cb491f118
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183334
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cr50 dcrypto use different API to access TRNG - read_rand() which
provides indication wherever reading was successful. Common trng.h
is not needed, so remove it.
BUG=None
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: If8525cd51db157fbfa47adbfe11146a617c947ce
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183468
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0088006cc58f57d21fa2f0d7ecffd833328cb6ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183338
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make HMAC_DRBG return codes consistent with other functions.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
in ccd: u2f_test, dcrypto_ecdsa, rma_auth
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9c673a45a250bef32c096f8d8be3152756a64cb7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180482
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TRNG health tests have defined false positive. NIST recommends values
in the range of 2^(-20) to 20^(-40) - parameter alpha.
We choose 2^(-40), and computed thresholds for 2^(-30) if needed.
In case of false positive we will try to read several times and update
statistics to see if error is intermittent, skip those values until we
either get recovered statistics or will be out of attempts. When out
of attempts we declare a persistent error and report it. With this
implementation we reduce probability of false positive to 2^(-160).
This is in compliance with NIST SP 800-90B, 4.3 point 2:
When the health tests fail, the entropy source shall notify the
consuming application (e.g., the RBG) of the error condition.
The developer may have defined different types of failures (e.g.,
intermittent and persistent), and the application is allowed to react
differently to different types of failures (e.g., by inhibiting output
for a short time). The developer is allowed to define different cutoff
values to detect intermittent and persistent failures. If so, these
values (with corresponding false alarm probabilities) shall be
specified in the submission documentation. If the entropy source detects
intermittent failures and allows the noise source to return to normal
functioning, the designer shall provide evidence that:
a) The intermittent failures handled in this way are indeed extremely
likely to be intermittent failures; and
b) the tests will detect a permanent failure when one occurs, and will
ultimately signal an error condition to the consuming application and
cease operation. In the case where a persistent failure is detected,
the entropy source shall not produce any outputs.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1;
In ccd:
rand_perf
rand perf (repeat several times, each time 8000 readings from TRNG)
fips trng
rand perf (should report errors)
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9db545c1a1e82e7e091724fab6fe46edebeb0650
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3182622
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
