Commit message | Author | Age | Files | Lines
* cr50: make CONFIG_FW_INCLUDE_RO work properly | Vadim Sukhomlinov | 2021-09-30 | 3 | -2/+11

  CONFIG_FW_INCLUDE_RO option controls whether RO is built. This option
  didn't work properly and RO was always built. Fix this behavior.
  However, when RO is not built RW image should include some 16KB stub.
  This is not added yet, so for Cr50 we still set CONFIG_FW_INCLUDE_RO.

  Also, corrected behavior of CONFIG_CUSTOMIZED_RO which earlier was not
  properly taken into account and behavior depended on custom-ro_objs
  variable state which always added some common files so actual result
  was that CONFIG_CUSTOMIZED_RO is effectively on for chip/g.

  BUG=none
  TEST=make buildall -j; make BOARD=cr50 & flash

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I31599170050b360fad5c61dd1f81844bb315e1d6
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3195319
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: refactor HMAC_DRBG to simplify reseeding and initialization logic [stabilize-14249.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-28 | 8 | -199/+208

  1) Move DRBG initialization flag inside DRBG context to prevent use of
     DRBG which is not properly initialized.
  2) Add configurable reseed threshold to cover both deterministic key
     gen and non-deterministic randoms. Simplify reseeding logic, remove
     similar code snippets. Also, can support NDRBG with reseed threshold
     equal to 0, which will result in reseeding each time.
  3) Adjust parameter names to match NIST SP 800-90A specification.
  4) Enforce checking result of hmac_drbg_generate(), update call sites
     to check for errors.
  5) Reseeding in generate function consumes additional data as per
     NIST SP 800-90Ar1 9.3.1

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1 DRBG_TEST=1; test/tpm_test/tpm_test.py in ccd: hmac_drbg rand_perf

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0e780b5c237d7fbc64e8b0e74d12559a1f40f84c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183397
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: enhance ECDSA sign to retry if zero r or s produced. | Vadim Sukhomlinov | 2021-09-28 | 1 | -6/+24

  ECDSA signing can very rarely result in zero s or r value due to
  combination of message, nonce and a private key. Detect such cases
  and retry with another nonce.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test; in ccd: dcrypto_ecdsa, u2f_test

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1378259a0dc0e2e62cf071b779c1115c4257dc73
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3188564
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add support for upcoming update to gcc 11.2 in coreboot-sdk | Vadim Sukhomlinov | 2021-09-24 | 1 | -1/+1

  Coreboot-sdk is going to be updated to gcc 11.2 soon. Preliminary tests
  show that cr50 can successfully be compiled with it, however default
  warnings seem to produce too many false positive errors. Disable
  string-overflow to make code compile. I tried to fix it, but found
  nothing to fix.

  Example in dcrypto_bn.c:1323 it complains:
  if (!rand64(ctx->rnd)

    board/cr50/dcrypto/dcrypto_bn.c: In function 'dcrypto_modexp_blinded':
    board/cr50/dcrypto/dcrypto_bn.c:1323:14: warning: 'rand64' accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
     1323 | if (!rand64(ctx->rnd))
          |      ^
    board/cr50/dcrypto/dcrypto_bn.c:1323:14: note: referencing argument 1 of type 'uint32_t *'
    board/cr50/dcrypto/dcrypto_bn.c:1160:13: note: in a call to function 'rand64'
     1160 | static bool rand64(uint32_t dst[2])
          |             ^
    board/cr50/tpm2/ecc.c: In function '_cpri__EccPointMultiply':
    board/cr50/tpm2/ecc.c:81:25: warning: 'p256_to_bin' accessing 32 bytes in a region of size 1 [-Wstringop-overflow=]
       81 | p256_to_bin(&out_x, out->x.b.buffer);
          | ^
    board/cr50/tpm2/ecc.c:81:25: note: referencing argument 2 of type 'uint8_t *'
    board/cr50/dcrypto/p256.c:119:6: note: in a call to function 'p256_to_bin'
      119 | void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES])

  Common pattern is when function prototype defines pointer as an array
  of specified type. Interestingly, in case of ctx->rnd, rnd is
  uint32_t rnd[2], so complaint is unnecessary. In case of ecc it's hard
  to explain that there is enough space.

  BUG=None
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I6bc071e4b536095535b9766d14600f5cb491f118
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183334
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: remove unnecessary dependency on trng.h | Vadim Sukhomlinov | 2021-09-24 | 6 | -6/+0

  cr50 dcrypto uses a different API to access TRNG - read_rand() which
  provides indication whether reading was successful. Common trng.h is
  not needed, so remove it.

  BUG=None
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: If8525cd51db157fbfa47adbfe11146a617c947ce
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183468
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: minor fix for -Wsign-compare with RND_TEST=1 | Vadim Sukhomlinov | 2021-09-24 | 1 | -1/+1

  BUG=None
  TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0088006cc58f57d21fa2f0d7ecffd833328cb6ca
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183338
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch HMAC_DRBG to use enum dcrypto_result | Vadim Sukhomlinov | 2021-09-24 | 8 | -68/+57

  Make HMAC_DRBG return codes consistent with other functions.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py in ccd: u2f_test, dcrypto_ecdsa, rma_auth

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I9c673a45a250bef32c096f8d8be3152756a64cb7
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180482
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update TRNG continuous test logic to handle intermittent errors | Vadim Sukhomlinov | 2021-09-24 | 2 | -49/+71

  TRNG health tests have defined false positive. NIST recommends values
  in the range of 2^(-20) to 20^(-40) - parameter alpha. We choose
  2^(-40), and computed thresholds for 2^(-30) if needed.

  In case of false positive we will try to read several times and update
  statistics to see if error is intermittent, skip those values until we
  either get recovered statistics or will be out of attempts. When out of
  attempts we declare a persistent error and report it.

  With this implementation we reduce probability of false positive to
  2^(-160).

  This is in compliance with NIST SP 800-90B, 4.3 point 2:

    When the health tests fail, the entropy source shall notify the
    consuming application (e.g., the RBG) of the error condition. The
    developer may have defined different types of failures (e.g.,
    intermittent and persistent), and the application is allowed to react
    differently to different types of failures (e.g., by inhibiting output
    for a short time). The developer is allowed to define different cutoff
    values to detect intermittent and persistent failures. If so, these
    values (with corresponding false alarm probabilities) shall be
    specified in the submission documentation. If the entropy source
    detects intermittent failures and allows the noise source to return to
    normal functioning, the designer shall provide evidence that:
    a) The intermittent failures handled in this way are indeed extremely
       likely to be intermittent failures; and
    b) the tests will detect a permanent failure when one occurs, and will
       ultimately signal an error condition to the consuming application
       and cease operation.
    In the case where a persistent failure is detected, the entropy source
    shall not produce any outputs.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1; In ccd: rand_perf rand perf (repeat several times, each time 8000 readings from TRNG) fips trng rand perf (should report errors)

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I9db545c1a1e82e7e091724fab6fe46edebeb0650
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3182622
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
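The intermittent versus persistent handling described in the commit above, as an added example that is not part of the commit log or the Cr50 source: a repetition count test (SP 800-90B 4.4.1) that skips suspect samples, retries within a budget, and latches a persistent error once the budget is spent. The type and function names, the assumed min-entropy of 4 bits per sample, the budget of 4 attempts and the simulated noise source are all assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALPHA_LOG2   40 /* false-positive rate 2^-40, as in the commit message */
#define H_MIN_BITS   4  /* ASSUMED min-entropy per 8-bit sample */
/* Repetition count cutoff, SP 800-90B 4.4.1: C = 1 + ceil(-log2(alpha) / H) */
#define RCT_CUTOFF   (1 + (ALPHA_LOG2 + H_MIN_BITS - 1) / H_MIN_BITS)
#define MAX_ATTEMPTS 4  /* ASSUMED retry budget before an error is persistent */

enum trng_status { TRNG_OK, TRNG_PERSISTENT_ERROR };
typedef bool (*noise_fn)(void *ctx, uint8_t *sample);

struct entropy_src {
	noise_fn read;         /* raw noise source */
	void *ctx;
	uint8_t last;          /* most recent sample */
	unsigned run;          /* length of the current run of equal samples */
	unsigned intermittent; /* failures that cleared within the budget */
	bool failed;           /* latched: no output is produced once set */
};

/* Feed one sample to the repetition count test; false means it tripped. */
static bool rct_update(struct entropy_src *s, uint8_t x)
{
	s->run = (s->run && x == s->last) ? s->run + 1 : 1;
	s->last = x;
	return s->run < RCT_CUTOFF;
}

/* Return one health-tested sample, or report a persistent failure. */
enum trng_status entropy_get(struct entropy_src *s, uint8_t *out)
{
	unsigned attempts;
	uint8_t x;

	if (s->failed)
		return TRNG_PERSISTENT_ERROR;
	for (attempts = 0; attempts < MAX_ATTEMPTS; attempts++) {
		if (!s->read(s->ctx, &x))
			continue; /* a failed read uses up an attempt */
		if (!rct_update(s, x))
			continue; /* suspect sample is skipped, never returned */
		if (attempts)
			s->intermittent++; /* statistics recovered */
		*out = x;
		return TRNG_OK;
	}
	s->failed = true;
	return TRNG_PERSISTENT_ERROR;
}

/* Constructed noise source: consecutive bytes always differ, except that
 * reads stuck_from .. stuck_from + stuck_len - 1 all return 0xAA. */
struct sim { size_t reads, stuck_from, stuck_len; };

static bool sim_read(void *ctx, uint8_t *sample)
{
	struct sim *m = ctx;
	size_t i = m->reads++;

	*sample = (i >= m->stuck_from && i - m->stuck_from < m->stuck_len)
			  ? 0xAA : (uint8_t)(i * 37 + 1);
	return true;
}

struct demo_result { size_t good, reads; unsigned intermittent; bool failed, latched; };

/* Ask for 100 samples from a source that sticks for stuck_len reads. */
struct demo_result demo(size_t stuck_len)
{
	struct sim m = { 0, 20, stuck_len };
	struct entropy_src s = { .read = sim_read, .ctx = &m };
	struct demo_result r = { 0 };
	uint8_t x;

	while (r.good < 100 && entropy_get(&s, &x) == TRNG_OK)
		r.good++;
	r.reads = m.reads;
	r.intermittent = s.intermittent;
	r.failed = s.failed;
	/* Once latched, a request must fail without reading the source. */
	r.latched = s.failed &&
		    entropy_get(&s, &x) == TRNG_PERSISTENT_ERROR &&
		    m.reads == r.reads;
	return r;
}

int main(void)
{
	struct demo_result r = demo(RCT_CUTOFF + 1);

	printf("good=%zu reads=%zu intermittent=%u failed=%d\n",
	       r.good, r.reads, r.intermittent, r.failed);
	return 0;
}
```

A stuck run one sample longer than the cutoff is absorbed as a single intermittent event with the two suspect samples discarded, while a source that stays stuck stops producing output after the fourth failed attempt.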
* cr50: Fix sign comparison warnings (-Wsign-compare) | Vadim Sukhomlinov | 2021-09-24 | 15 | -122/+143

  For crypto code we care about possible concerns during review, so add
  more strict warnings. Fix all uses int to uint32_t/size_t comparisons,
  make consistent use of size_t vs. uint32_t in crypto code.

  Update test/tpm_test/bn_test.c to compile for checking big number
  functions correctness.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
  TCG tests:
    ---------------------- Test Result Summary -----------------------------
    Test executed on: Thu Sep 23 17:45:19 2021
    Performed Tests: 248
    Passed Tests: 248
    Failed Tests: 0
    Errors: 0
    Warnings: 0
    ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I47e5de3d180d3aebb13b3feef4c1da87c9f6a174
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180279
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch ECDSA to use enum dcrypto_result, added FIPS checks | Vadim Sukhomlinov | 2021-09-24 | 15 | -187/+353

  We have to block access to crypto functions when FIPS errors occurred.
  To achieve this:
  1. Provide wrappers for ECDSA P-256 sign and verify functions
     a) DCRYPTO_p256_ecdsa_verify as wrapper for dcrypto_p256_ecdsa_verify
     b) DCRYPTO_p256_ecdsa_sign as wrapper for
        dcrypto_p256_fips_sign_internal with additional check for FIPS
        DRBG initialization which is needed for signing.
  2. Switch all ECDSA functions, both internal and external to use
     enum dcrypto_result instead of inconsistent 0/1 values.
  3. Added warning for unused result code for ECDSA functions.
  4. Updated documentation for public APIs
  5. In DCRYPTO_p256_key_from_bytes() implemented clear distinction
     between bad candidate and failures due to FIPS or pair-wise
     consistency.
  6. U2F, rma_auth, TPM ecc, etc updated to use new return codes.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; rma_auth, u2f_test, etc. test/tpm_test/tpmtest.py
  TCG tests
    ----------------------------- Test Result Summary ----------------------
    Test executed on: Thu Sep 23 09:56:42 2021
    Performed Tests: 248
    Passed Tests: 248
    Failed Tests: 0
    Errors: 0
    Warnings: 0
    ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0251bf511771c1c1fd281f6db706d1dedac3e8b8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179708
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: move FIPS DRBG initialization check into fips_drbg_init() | Vadim Sukhomlinov | 2021-09-23 | 1 | -8/+9

  To drop dependency on internal rand_state.drbg_initialized in functions
  located in other sources, slightly change fips_drbg_init() logic to
  avoid initialization if already initialized.

  Also update 0/1 to false/true as rand_state.drbg_initialized is bool.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ia541266c36793c65dffce27a60a20ae25e10f92c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179316
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update .clang-format to better deal with long identifiers | Vadim Sukhomlinov | 2021-09-23 | 1 | -1/+1

  Use of long return types like 'enum dcrypto_result' with long function
  names commonly results in return type being on line alone:

  Before:
    enum dcrypto_result
    DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d,
                                const uint8_t bytes[P256_NBYTES])

  After:
    enum dcrypto_result DCRYPTO_p256_key_from_bytes(
        p256_int *x, p256_int *y, p256_int *d,
        const uint8_t bytes[P256_NBYTES])

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I51f5b4cd8dd058796bd4ee5edd786a384460dedf
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179709
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: move several few static inline functions into dcrypto/internal.h [stabilize-14238.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-22 | 3 | -35/+43

  Several functions like lo32(), hi32(), clz() were defined in bn.c,
  but clz and ctz are used in fips_rand.c. Move these functions into
  internal.h to allow reuse.

  Both __builtin_ctz() and __builtin_clz() have undefined behavior for
  argument which is zero. Explicitly set result to 32 in such case. It was
  the case for __builtin_clz() in bn.c, but not for variants used in TRNG
  health tests.

  BUG=None
  TEST=make BOARD=cr50 CRYPTO_TEST=1; TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ifc6fa7f820080bdad0f14fc079163f4976369724
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3174592
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* tpm_vendor_cmds: add command for AP RO verification [stabilize-14235.B-cr50_stab] | Vadim Bendebury | 2021-09-22 | 2 | -0/+3

  The new command will be used for context switching to make the large
  stack of the TPM task available to the AP RO verification code.

  Note that we don't want the AP to be able to send this vendor command,
  some extension_route_command() enhancement might be necessary.

  BUG=b:199904580
  TEST=tested along with AP RO verification implementation.

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: I8599479752b4a7b1982b75cfea61ffad3950681d
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172255
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* usb_spi: add API for reading arbitrary AP flash locations | Vadim Bendebury | 2021-09-22 | 2 | -0/+31

  This API will provide support to the AP RO verification
  implementation. The size of data read in one transaction is limited by
  SPI_HASH_CHUNK size.

  BUG=b:199904580, b:200736744
  TEST=tested along with AP RO verification implementation.

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: Id4da2add2ce1202d979627dde40325b583004fc5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172254
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* cr50: detangle public and internal APIs of FIPS module | Vadim Sukhomlinov | 2021-09-18 | 18 | -204/+231

  To properly define FIPS module boundary all APIs provided by module to
  external applications (TPM2, pinweaver, etc) should be identifiable.
  Shuffle functions between dcrypto.h and internal.h to achieve this
  goal. Adjust included headers as needed.

  BUG=b:134594373
  TEST=make buildall; TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ie2679644d62e232a5d5d06f8ed6bf602853ebde2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169558
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: block access to U2F functions in case of FIPS errors | Vadim Sukhomlinov | 2021-09-17 | 3 | -0/+18

  All public functionality of FIPS module should be disabled in case of
  FIPS errors.

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; ccd: fips sha fips test u2f_test - should fail

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ice8a0ab6535fcb0bd426ebbe969db1859cbd3ae8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169097
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: remove unused and empty struct APPKEY_CTX from APIs | Vadim Sukhomlinov | 2021-09-17 | 8 | -32/+18

  struct APPKEY_CTX is an empty struct passed with few APIs and not used
  for any purpose. Remove it.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1;

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4bcb8f196b70cefc58a81e8592d83aa70464fcf8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169374
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: implement AES using aligned memory access | Vadim Sukhomlinov | 2021-09-17 | 1 | -18/+47

  Folks working on other Haven firmware shared issue that our code for
  unaligned access is sensitive to compiler version and with updated gcc
  results in broken code.

  Replacing access_helper with aligned access and memcpy into aligned
  buffer if unaligned data is provided results in smaller and faster
  code. Unaligned access unfortunately results in quite lengthy code.
  Specifically for AES I got back 312 bytes.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test + TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ie03b7ce3a24c4fea0506c204fce82bca719f1b79
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3167003
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add TRNG testing mode with TRNG restart [stabilize-rust-14225.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-17 | 3 | -3/+21

  NIST statistical tests for TRNG entropy requires to compare entropy in
  regular mode (continuous readings) with entropy after TRNG restarts.

  Added support for TRNG restart before reading entropy and updated
  script to drive tests.

  BUG=b:138577834
  TEST=test/nist_entropy.sh

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Idc46191be05e8275730726f6debb8007ca361bc6
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165883
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: William Wesson <wesson@google.com>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch to using DRBG for key generation purposes. | Vadim Sukhomlinov | 2021-09-17 | 19 | -164/+257

  An "Approved" RNG listed in FIPS 140-2 Annex C must be used for the
  generation of random data or cryptographic keys used by an approved
  security function. Detailed information and guidance on Key Generation
  can be found in NIST SP 800-133 and FIPS 140-2 IG 7.8 and D.12.

  Many functions use raw entropy from TRNG without any health tests or
  even checking returned status, as old API didn't provide any indication
  of failure.

  With this patch we remove old API: rand() and rand_bytes() and expose
  new API:
    fips_rand_bytes() - generation of random bits from properly
      instantiated and reseeded as needed DRBG.
    fips_trng_bytes() - generation of entropy from TRNG with statistical
      testing and checking for TRNG failures.
    fips_trng_rand32() - generation of 32 bits from TRNG with health
      check and indication of status.

  ccd, rsa, ecc, pinweaver, rma_auth are updated to use new APIs. These
  functions are moved into dcrypto.h which will become "Public API" for
  the module.

  trng_test vendor command moved to dcrypto/trng.c where it belongs.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest.py
  TCG tests.
    -------------------------- Test Result Summary -------------------------
    Test executed on: Thu Sep 16 10:16:59 2021
    Performed Tests: 248
    Passed Tests: 248
    Failed Tests: 0
    Errors: 0
    Warnings: 0
    ======================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I80d103ead1962ee388df5cabfabe0498d8d06d38
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165870
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* Excise cros_logging module [stabilize-rust-14224.B-cr50_stab] | Chris McDonald | 2021-09-16 | 1 | -1/+1

  Replace all usages of chromite.lib.cros_logging with the stdlib logging
  module.

  BUG=b:191490453
  TEST=None
  BRANCH=None

  Signed-off-by: Chris McDonald <cjmcdonald@chromium.org>
  Change-Id: I661a620fb514b2b53b6e6c5d76c90cca0280959c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162336
  Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
  Reviewed-by: Alex Klein <saklein@chromium.org>
* cr50: dcrypto/hkdf.c only used by CRYPTO_TEST=1 code, so don't link it | Vadim Sukhomlinov | 2021-09-15 | 1 | -1/+2

  It seems now HKDF is only used by RSA key gen test from seed and by
  test/tpm_test/tpmtest.py, so link it only when CRYPTO_TEST=1 is used.
  This saves some space for prod build, as all functions of FIPS module
  are linked in as a whole.

  BUG=none
  TEST=make BOARD=cr50

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I7f925d4dabd8685efe5916933198d5560bdacd9f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3163309
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add support for hardware HMAC and one-shot SHA | Vadim Sukhomlinov | 2021-09-15 | 4 | -90/+939

  1. Hardware HMAC implementation is added for key lengths <= 32 bytes
     and more than 64 bytes. Keys between 32 and 64 bytes use hybrid
     approach.
  2. HMAC DRBG performance increased even more from 520us to 320us per
     32 bytes.
  3. Added support for one-shot SHA operation which is a bit faster than
     livestream mode when message length is known beforehand.
  4. Image size impact - +216 bytes.
  5. Added opportunities to enable keyladder code to use some common
     primitives like dcrypto_fifo_load() instead of its own versions.
  6. Added new console command hmac activated with CRYPTO_TEST=1 to test
     all paths (hw, sw, hybrid for HMAC) for SHA256, SHA1 and HMAC SHA256.

  Due to size of test vectors, you should choose one at a time to test.
  Also, since HMAC is used by DRBG, DRBG tests are also relevant.

  BUG=b:195092622
  TEST=make CRYPTO_TEST=1; 'hmac' command in console, tests/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Icb3d8a9d0f3bd0509eb72993d5835584bc14640b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3116570
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: added DCRYPTO_p256_is_valid_point() to public API. | Vadim Sukhomlinov | 2021-09-15 | 6 | -22/+44

  To cleanly split internal API in internal.h from external API in
  dcrypto.h we need to add missing DCRYPTO_p256_is_valid_point(). While
  adding this switch to enum dcrypto_result for both internal and
  external versions.

  Added check that provided point is valid to DCRYPTO_p256_point_mul() as
  important security precaution. Currently this check is still in
  tpm2/ecc.c, but it will be removed in next CLs with switching to
  enum dcrypto_result.

  Added comments on input parameters and behavior.

  BUG=b:134594373
  TEST=make BOARD=cr50; test/tpm_test/tpmtest.py; TCG tests
    -------------------------- Test Result Summary -------------------------
    Test executed on: Tue Sep 14 18:24:10 2021
    Performed Tests: 248
    Passed Tests: 248
    Failed Tests: 0
    Errors: 0
    Warnings: 0
    ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4637f7b61b5a502854d9cad03e8e603529278873
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161507
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update FIPS known-answer tests | Vadim Sukhomlinov | 2021-09-15 | 8 | -95/+267

  1. KAT tests should check that result doesn't match expectation for
     modified input, not just failing on request. Added modification of
     input data in case test break is needed (during module validation).
  2. For ECDSA added pair-wise consistency test with known key pair.
     However, this test adds roughly 40ms, so disable it and use sign
     test with fixed nonce instead.
  3. Some internal changes to support functionality - internally provided
     dcrypto_p256_ecdsa_sign_raw() which takes precomputed nonce vs. drbg.
     This allows generation of nonce with reseeding of DRBG if needed.
     Also added dcrypto_p256_fips_sign_internal() which does same as
     dcrypto_p256_ecdsa_sign() except that it reseeds DRBG with entropy
     if needed.
  4. Implemented ECDSA sign test with fixed nonce, and combined with
     verify test. This allows to free some space for test vectors. Also,
     store SHA256 of message as SHA256 is already tested. This saves
     another 96 bytes.
  5. KAT test time increased 2X from ~40ms to 60ms due to ECDSA sign test.
  5. Run SHA2-256 KAT before self-integrity test, as it is used for
     self-integrity.

  BUG=b:138577539
  TEST=make BOARD=cr50

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1cbd470bc64ef3eb50e9a28055404fb998c65b61
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3144376
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch to FIPS key gen for U2F and G2F | Vadim Sukhomlinov | 2021-09-15 | 2 | -13/+68

  For G2F switched to proper use of DRBG.
  For U2F added support for 512-bit entropy, changed DRBG instantiation
  in FIPS path.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1; u2f_tests in ccd, tpm_test.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1acf9947317a8b2f1b53cee0b2d81829c54336d5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161506
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
* cr50: make p256_int aligned - improve code size & performance | Vadim Sukhomlinov | 2021-09-14 | 7 | -159/+186

  p256_int was defined as packed struct to allow in place processing of
  TPM2 commands. However, it is not practical to pad and reverse bytes in
  place, support for misaligned access results in bloated code, lower
  performance and side-channel leaks.

  With this change introduce p256_from_be_bin_size() function which
  handles all cases with conversion big-endian number into p256_int
  internal representation (little-endian for cr50) with skipping leading
  zeros if present in big-endian, checking of size and zero padding.

  Bonuses:
  - code size reduction 336 bytes
  - a bit higher performance for p256
  - support for zero padded big-endian in TPM2 ECC, as well as more
    reliable checks for input parameters.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py in console p256_test as unit test for padding function.
    ------------------------------ Test Result Summary -----------------------------
    Test executed on: Tue Sep 14 15:13:11 2021
    Performed Tests: 248
    Passed Tests: 248
    Failed Tests: 0
    Errors: 0
    Warnings: 0
    =========================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Idd04d4e8d30225398814650332fe9be7182a8966
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138754
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
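The conversion the commit above describes (big-endian input of arbitrary length, leading zeros skipped, size checked, result zero-padded into an aligned little-endian integer), as an added example that is not part of the commit log or the Cr50 source. `struct p256`, `p256_from_be()` and the three input vectors are constructed for illustration; the project's own p256_from_be_bin_size() may differ in signature and behavior.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P256_WORDS 8
#define P256_BYTES (P256_WORDS * 4)

/* Hypothetical aligned 256-bit integer, least-significant word first. */
struct p256 { uint32_t a[P256_WORDS]; };

/*
 * Convert a big-endian byte string of any length into *dst.
 * Leading zero bytes are skipped, shorter values are zero-padded, and a
 * value that needs more than 32 bytes is rejected with *dst left at zero.
 * An empty or all-zero string converts to zero (a choice made for this
 * example). The input is read byte by byte, so src needs no alignment.
 */
bool p256_from_be(const uint8_t *src, size_t len, struct p256 *dst)
{
	size_t i;

	memset(dst, 0, sizeof(*dst));
	while (len && *src == 0) { /* strip padding such as 0x00 || X */
		src++;
		len--;
	}
	if (len > P256_BYTES)
		return false;
	/* Byte i counts from the least-significant end of the input. */
	for (i = 0; i < len; i++)
		dst->a[i / 4] |= (uint32_t)src[len - 1 - i] << (8 * (i % 4));
	return true;
}

/* Constructed inputs (not taken from the Cr50 tree). */
static const uint8_t VEC_SHORT[] = { 0x01, 0x02, 0x03, 0x04, 0x05 };
static const uint8_t VEC_PADDED[33] = { 0x00, 0x80 }; /* 0x00 || 2^255 */
static const uint8_t VEC_TOO_BIG[33] = { 0x01 };      /* 33 significant bytes */

struct p256 demo_out; /* scratch result shared by main() and callers */

int main(void)
{
	bool ok = p256_from_be(VEC_SHORT, sizeof(VEC_SHORT), &demo_out);

	printf("short:   ok=%d a[1]=%08x a[0]=%08x\n", ok,
	       (unsigned)demo_out.a[1], (unsigned)demo_out.a[0]);
	ok = p256_from_be(VEC_PADDED, sizeof(VEC_PADDED), &demo_out);
	printf("padded:  ok=%d a[7]=%08x\n", ok, (unsigned)demo_out.a[7]);
	ok = p256_from_be(VEC_TOO_BIG, sizeof(VEC_TOO_BIG), &demo_out);
	printf("too big: ok=%d\n", ok);
	return 0;
}
```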
* cr50: fix RSA dcrypto DMEM layout to avoid conflict with P256 | Vadim Sukhomlinov | 2021-09-14 | 1 file | -2/+9

  Dcrypto p256 microcode in https://crrev.com/c/3133625 introduced shift in DMEM layout which started to corrupt mod & RR values, so alternating RSA and P256 led to potential errors in dcrypto_modexp_blinded().

  This fix updates layout to move input in the place of mod and thus preserve mod & RR.

  BUG=none
  TEST=make BOARD=cr50; TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ic949147f43dfc210ed499c91c70e1ed186670afc
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3160503
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Marius Schilder <mschilder@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: merge always_memset() and memset() [stabilize-rust-14220.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-13 | 1 file | -15/+11

  There is no point in having separate implementation of always_memset() which is slow and takes few extra bytes. Make memset's body available as memset_core() with volatile dest *, thus making it always called same as with always_memset(). Both memset() and always_memset() become just wrappers on top.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; board boots, FIPS tests pass, tpm_test.py works.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I68b3f89e757521e94df646f7d643411c53a10da7
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155725
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: minor fix - enable DRBG test vendor command with CRYPTO_TEST=1 | Vadim Sukhomlinov | 2021-09-13 | 1 file | -2/+7

  After https://crrev.com/c/3139977 landed noticed that I need DRBG_TEST=1 to make tpm_test.py to work, as suddenly disabled vendor command with ccd command.

  Added check for successful completion of hmac_drbg_generate() in test command.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I87053fc0d100a68536680ad8c66358cdb2d5e537
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155297
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: remove unused DCRYPTO_ladder_random() [stabilize-14217.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-10 | 2 files | -23/+0

  After migration to DRBG use, remove DCRYPTO_ladder_random() function.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ifdb3fd79ec03ac94066a91ed38b61218dbceefde
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155295
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: consolidate FIPS module sources under board/cr50/dcrypto | Vadim Sukhomlinov | 2021-09-10 | 9 files | -5/+5

  To simplify identification of FIPS module boundary, move all sources into same place.

  BUG=b:134594373
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I6acd12d12c00a3362041914bd515534f72a08ab2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3150057
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: reduce default set of CCD test commands with CRYPTO_TEST=1 | Vadim Sukhomlinov | 2021-09-08 | 8 files | -6/+73

  During FIPS refactoring many additional test commands were added to CRYPTO_TEST=1 image for unit testing. However, this led to very small space left in image.

  Adding local switches to several CCD commands to activate it only once working on related parts. This frees around 6.5K.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I8f11988d2994c6c4b25748d3c0c07096ba00c392
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3139977
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix u2f after cl:3125994 | Vadim Sukhomlinov | 2021-09-08 | 1 file | -5/+3

  Since https://crrev.com/c/3125994 and https://crrev.com/c/3119223 were in review at the same time and landed one after another, check for result of DCRYPTO_equals() wasn't properly updated.

  This is a fix addressing that DCRYPTO_equals() now returns DCRYPTO_OK instead of 1 in case of matching values.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; ccd - u2f_test test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I582906f9a6be57e1d645370377caa5e5ab3e2481
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3146593
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix make buildall builds | Vadim Sukhomlinov | 2021-09-08 | 3 files | -3/+16

  When both https://crrev.com/c/3125994 and https://crrev.com/c/3119223 landed it resulted in broken host build as function attribute optimize("") is not supported by clang. This happened because both CLs are relatively independent by nature, but the first one added one of the sources to host build.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: If1b8425cea418ae42179bef46f6f5998ded3dc1f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3146223
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* add script to inject the fips fingerprint | Mary Ruthven | 2021-09-07 | 4 files | -2/+87

  Inject the fips fingerprint into the cr50 image, so it can verify the fips module before starting to execute it. This change adds a script to calculate the checksum and inject it into an elf file before signing.

  If CONFIG_FIPS_CHECKSUM is defined, generate an elf file with the fips checksum and use that to create signed images and hex files. The build process doesn't change for RO artifacts. Nothing changes if CONFIG_FIPS_CHECKSUM isn't defined.

  The new chain for RW is
  ec.RW.elf -> ec.RW.elf.fips -> ec.RW.flat

  ec.RW.elf.fips is generated with util/inject_fips_fingerprint.sh. util/inject_fips_fingerprint.sh calculates the fips module fingerprint, copies ec.RW.elf to ec.RW.elf.fips, and then injects the fingerprint into ec.RW.elf.fips.

  util/signer/bs will be modified to use ec.RW.elf.fips if it exists in a followup CL.

  BUG=none
  TEST=manual
    # Verify cr50 is the only board that creates the fips artifacts
    make buildall -j

    objdump the text.fips_checksum section of ec.RW.elf and ec.RW_B.elf. Make sure they match ec.RW.fips.checksum and ec.RW_B.fips.checksum

    # Verify cr50 can update to image signed with devid and that
    # image shows Stored hash that matches the computed one.
    H1_DEVIDS="${DEVID}" make -j BOARD=cr50 CR50_DEV=1

  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Change-Id: Iab857ec1b7e3ae0d23681a25467e26286bd68210
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3078053
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* cr50: move fips checksum into its own section | Mary Ruthven | 2021-09-07 | 1 file | -6/+11

  This change moves the fips checksum into its own section, so objcopy can be used to update the fips checksum in the elf files.

  BUG=none
  TEST=make buildall -j

  Change-Id: I8004c7efaf607eabd2932ecb9fdf377e0c68b6c0
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3120046
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* cr50: remove drbg_exit() from dcrypto_p256_ecdsa_sign() | Vadim Sukhomlinov | 2021-09-04 | 3 files | -5/+6

  P-256 sign requires a random nonce which is generated from provided DRBG. Implementation of dcrypto_p256_ecdsa_sign() cleaned out DRBG once nonce is successfully created. This works fine when DRBG is instantiated just for purposes of signing this particular message, but doesn't work if we want to use system-wide DRBG which is perfectly instantiated as reseeded as needed as we want for FIPS. Instantiation of DRBG using entropy from TRNG is relatively expensive operation which we can avoid this way.

  Moving DRBG management outside ECDSA Sign makes it clearer. Now the caller is responsible what to do with DRBG and allows further updates with automated reseeding if ECDSA Sign fails due to DRBG.

  In tpm2/ecc.c we can now replace DRBG instantiation with using FIPS DRBG created during initialization. Still more changes are needed to fully switch to DRBG use for key gen as we need to handle reseeds properly.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I092b18cde5f6a8aede0a65e24a892dda9de7afa2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138384
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: adjust FIPS module build flags for reproducible build | Vadim Sukhomlinov | 2021-09-04 | 1 file | -1/+10

  Set FIPS module build flags to reduce changes in object file due to compiler's randomization during LTO. Adjusted several optimization options which resulted in smaller image. Freed 136 bytes for ToT.

  BUG=b:138578318
  TEST=make BOARD=cr50, test that image works.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I99d9bf459bda6f1fcbd8dafe6f23539dda110fd8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123967
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add hardened crypto return codes, harden DCRYPTO_equals | Vadim Sukhomlinov | 2021-09-04 | 10 files | -44/+216

  1. Introduce enum dcrypto_result defining DCRYPTO_OK and DCRYPTO_FAIL constants such that they have large Hamming distance, thus becoming more fault-injection resistant.
  2. Added value_barrier() and value_barrier_ptr() which prevent compiler from certain optimizations, removal of conditional execution.
  3. Added hardened_select_if_zero() primitive which produces branch-less selection between values.
  4. Added convenience function dcrypto_ok_if_zero() to convert zero into DCRYPTO_OK.
  5. DCRYPTO_equals() implemented in a way that it also checks completion of all iterations in addition to comparing value. This makes it resistant to fault injection which would result in no comparisons made.
  6. Updated uses of DCRYPTO_equals() to check for new return code.
  7. Few memcmp() replaced with DCRYPTO_equals().

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; tests/tpmtest.py in console check that FIPS KAT tests pass.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I2a0373e8be97c2d61a2c4743c74614c2ff064a8a
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3125994
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* u2f: refactoring to split command processing and crypto | Vadim Sukhomlinov | 2021-09-02 | 14 files | -744/+1315

  Split U2F crypto from U2F command processing by moving all crypto code into boards/cr50 (platform hooks).

  U2F state management is part of common code and passed to U2F crypto as a parameter.

  Previously reviewed as https://crrev.com/c/3034852, but reverted due to ChromeOS dependency on include/u2f.h. In this revision this is addressed by restoring include/u2f.h with previous content and new additions and adjusting dependencies in other headers.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1
    console: u2f_test
    test/tpmtest.py
    FAFT U2F tests pass

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Iff1973c8e475216b801d7adde23b1ef6c4a6f699
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3119223
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update dcrypto p256 code | Vadim Sukhomlinov | 2021-09-01 | 2 files | -743/+1041

  Switch to hardened p256 code sequences for dcrypto which introduce blinding of secrets and control flow integrity checks. Dcrypto sequences are taken from cr52 board (/chip/g/fips).

  Code size increased by 1008 bytes, but expect savings from aligned p256_int.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I434a373fc602e01bf815099a3661a2cef93af22f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3133625
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix initialization check for FIPS DRBG | Vadim Sukhomlinov | 2021-09-01 | 1 file | -7/+3

  During unit testing discovered an issue with test order specific bug which resulted in incorrect system-level DRBG initialization. It was revealed after several independent CLs landed. This fix corrects this issue.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1222bc72d5560a4984a78abf53d5e3b2178d0977
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3133626
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add pair-wise consistency test for ECDSA key generation. | Vadim Sukhomlinov | 2021-08-31 | 3 files | -8/+54

  FIPS requires pair-wise consistency test for asymmetric key generation algorithms. For U2F we use only ECDSA P-256, so adding this step into key generation function.

  BUG=b:198219806
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
    This test covers U2F and TPM2 uses of ECDSA keygen.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I520a233e700a68b19c863bad05271f97693b5ca9
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3131949
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: merge crypto_enabled() and fips_crypto_allowed() | Vadim Sukhomlinov | 2021-08-31 | 8 files | -19/+68

  We need to block access to all crypto in case of FIPS errors. There are multiple steps to implement, this is one of few.

  There is common API crypto_enabled() which is used by nvmem and some other functions to check whether access to crypto is possible. This is same intent as fips_crypto_allowed(), though the latter checks for FIPS KAT errors, while the former checks only key ladder status.

  Here we make all FIPS errors to revoke access from key ladder, and fips_crypto_allowed() to check key ladder status. This way we also ensure that in case of FIPS errors access to device secrets will be blocked.

  We moved crypto_api.c from chip/g to board/cr50 to move crypto_enabled() into fips.c and alias it to fips_crypto_enabled(). crypto_api.h is no longer included from dcrypto.h, and compile time assert for cipher salt size is moved to proper place.

  Since crypto is used by nvmem_init(), move FIPS power-up tests earlier to ensure nvmem_init() can access crypto.

  BUG=b:197893750
  TEST=make CRYPTO_TEST=1; tpm_test; check nvmem is properly initialized on board_init().

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: If70c2a21d61348bd97a47e26db5d8eec08bbf8ed
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123836
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* add BOARD_CCD_REC_LID_PIN_DIOA12 to Zork brdprop [stabilize-14189.B-cr50_stab] | Mary Ruthven | 2021-08-27 | 1 file | -1/+2

  Make DIOA12 an output on Zork, so it can be used for the ccd recovery or lid switch signals.

  BUG=b:197916691
  TEST=setting CCD_REC_LID_PIN toggles lid_open on tomato

  Change-Id: I755498fd9bb9b764b0e0aa2bf0394c45b087c767
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3124565
  Reviewed-by: Ting Shen <phoenixshen@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Ting Shen <phoenixshen@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* Revert "u2f: refactoring to split command processing and crypto" [stabilize-14179.B-cr50_stab] [stabilize-14178.B-cr50_stab] | David Stevens | 2021-08-25 | 14 files | -1308/+787

  This reverts commit 5ae1c684271a117539858cb12252959dfe46803c.

  Reason for revert: breaks chromeos-ec-headers

  BUG=b:197691499

  Original change's description:
  > u2f: refactoring to split command processing and crypto
  >
  > Split U2F crypto from U2F command processing by moving all crypto
  > code into boards/cr50 (platform hooks).
  >
  > U2F state management is part of common code and passed to U2F crypto
  > as a parameter.
  >
  > BUG=b:134594373
  > TEST=make BOARD=cr50 CRYPTO_TEST=1
  > console: u2f_test
  > test/tpmtest.py
  > FAFT U2F tests pass
  >
  > Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  > Change-Id: I85442cddb2959bd3102f7f6e6047134ede90951b
  > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3034852
  > Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  > Reviewed-by: Andrey Pronin <apronin@chromium.org>
  > Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  > Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>

  Bug: b:134594373
  Change-Id: I61a965995fcd53b4e155084f5f351574cb84cd1e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3115930
  Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
  Owners-Override: David Stevens <stevensd@chromium.org>
* u2f: refactoring to split command processing and crypto | Vadim Sukhomlinov | 2021-08-24 | 14 files | -787/+1308

  Split U2F crypto from U2F command processing by moving all crypto code into boards/cr50 (platform hooks).

  U2F state management is part of common code and passed to U2F crypto as a parameter.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1
    console: u2f_test
    test/tpmtest.py
    FAFT U2F tests pass

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I85442cddb2959bd3102f7f6e6047134ede90951b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3034852
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: prepare to release 0.{5,6}.51 | Mary Ruthven | 2021-08-24 | 2 files | -2/+2

  BUG=b:194901448
  TEST=none

  Change-Id: Ia16d194f042ab44a36e00668f699dfab4df8a536
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3114224
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>