Commit message | Author | Age | Files | Lines
* cr50: add TRNG testing mode with TRNG restart [stabilize-rust-14225.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-17 | 3 | -3/+21

  NIST statistical tests for TRNG entropy require comparing entropy in regular mode (continuous readings) with entropy after TRNG restarts. Added support for TRNG restart before reading entropy and updated script to drive tests.

  BUG=b:138577834
  TEST=test/nist_entropy.sh

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Idc46191be05e8275730726f6debb8007ca361bc6
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165883
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: William Wesson <wesson@google.com>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch to using DRBG for key generation purposes. | Vadim Sukhomlinov | 2021-09-17 | 19 | -164/+257

  An "Approved" RNG listed in FIPS 140-2 Annex C must be used for the generation of random data or cryptographic keys used by an approved security function. Detailed information and guidance on Key Generation can be found in NIST SP 800-133 and FIPS 140-2 IG 7.8 and D.12.

  Many functions use raw entropy from TRNG without any health tests or even checking returned status, as old API didn't provide any indication of failure.

  With this patch we remove old API: rand() and rand_bytes() and expose new API:

  fips_rand_bytes() - generation of random bits from properly instantiated and reseeded as needed DRBG.
  fips_trng_bytes() - generation of entropy from TRNG with statistical testing and checking for TRNG failures.
  fips_trng_rand32() - generation of 32 bits from TRNG with health check and indication of status.

  ccd, rsa, ecc, pinweaver, rma_auth are updated to use new APIs.

  These functions are moved into dcrypto.h which will become "Public API" for the module.

  trng_test vendor command moved to dcrypto/trng.c where it belongs.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest.py
  TCG tests.
  -------------------------- Test Result Summary -------------------------
  Test executed on: Thu Sep 16 10:16:59 2021
  Performed Tests: 248
  Passed Tests: 248
  Failed Tests: 0
  Errors: 0
  Warnings: 0
  ======================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I80d103ead1962ee388df5cabfabe0498d8d06d38
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165870
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* Excise cros_logging module [stabilize-rust-14224.B-cr50_stab] | Chris McDonald | 2021-09-16 | 1 | -1/+1

  Replace all usages of chromite.lib.cros_logging with the stdlib logging module.

  BUG=b:191490453
  TEST=None
  BRANCH=None

  Signed-off-by: Chris McDonald <cjmcdonald@chromium.org>
  Change-Id: I661a620fb514b2b53b6e6c5d76c90cca0280959c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3162336
  Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
  Reviewed-by: Alex Klein <saklein@chromium.org>
* cr50: dcrypto/hkdf.c only used by CRYPTO_TEST=1 code, so don't link it | Vadim Sukhomlinov | 2021-09-15 | 1 | -1/+2

  It seems now HKDF is only used by RSA key gen test from seed and by test/tpm_test/tpmtest.py, so link it only when CRYPTO_TEST=1 is used. This saves some space for prod build, as all functions of FIPS module are linked in as a whole.

  BUG=none
  TEST=make BOARD=cr50

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I7f925d4dabd8685efe5916933198d5560bdacd9f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3163309
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add support for hardware HMAC and one-shot SHA | Vadim Sukhomlinov | 2021-09-15 | 4 | -90/+939

  1. Hardware HMAC implementation is added for key lengths <= 32 bytes and more than 64 bytes. Keys between 32 and 64 bytes use hybrid approach.
  2. HMAC DRBG performance increased even more from 520us to 320us per 32 bytes.
  3. Added support for one-shot SHA operation which is a bit faster than livestream mode when message length is known beforehand.
  4. Image size impact - +216 bytes.
  5. Added opportunities to enable keyladder code to use some common primitives like dcrypto_fifo_load() instead of its own versions.
  6. Added new console command hmac activated with CRYPTO_TEST=1 to test all paths (hw, sw, hybrid for HMAC) for SHA256, SHA1 and HMAC SHA256. Due to size of test vectors, you should choose one at a time to test. Also, since HMAC is used by DRBG, DRBG tests are also relevant.

  BUG=b:195092622
  TEST=make CRYPTO_TEST=1; 'hmac' command in console, tests/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Icb3d8a9d0f3bd0509eb72993d5835584bc14640b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3116570
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: added DCRYPTO_p256_is_valid_point() to public API. | Vadim Sukhomlinov | 2021-09-15 | 6 | -22/+44

  To cleanly split internal API in internal.h from external API in dcrypto.h we need to add missing DCRYPTO_p256_is_valid_point(). While adding this switch to enum dcrypto_result for both internal and external versions.

  Added check that provided point is valid to DCRYPTO_p256_point_mul() as important security precaution. Currently this check is still in tpm2/ecc.c, but it will be removed in next CLs with switching to enum dcrypto_result.

  Added comments on input parameters and behavior.

  BUG=b:134594373
  TEST=make BOARD=cr50; test/tpm_test/tpmtest.py; TCG tests
  -------------------------- Test Result Summary -------------------------
  Test executed on: Tue Sep 14 18:24:10 2021
  Performed Tests: 248
  Passed Tests: 248
  Failed Tests: 0
  Errors: 0
  Warnings: 0
  ========================================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I4637f7b61b5a502854d9cad03e8e603529278873
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161507
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update FIPS known-answer tests | Vadim Sukhomlinov | 2021-09-15 | 8 | -95/+267

  1. KAT tests should check that result doesn't match expectation for modified input, not just failing on request. Added modification of input data in case test break is needed (during module validation).
  2. For ECDSA added pair-wise consistency test with known key pair. However, this test adds roughly 40ms, so disable it and use sign test with fixed nonce instead.
  3. Some internal changes to support functionality - internally provided dcrypto_p256_ecdsa_sign_raw() which takes precomputed nonce vs. drbg. This allows generation of nonce with reseeding of DRBG if needed. Also added dcrypto_p256_fips_sign_internal() which does same as dcrypto_p256_ecdsa_sign() except that it reseeds DRBG with entropy if needed.
  4. Implemented ECDSA sign test with fixed nonce, and combined with verify test. This allows to free some space for test vectors. Also, store SHA256 of message as SHA256 is already tested. This saves another 96 bytes.
  5. KAT test time increased 2X from ~40ms to 60ms due to ECDSA sign test.
  6. Run SHA2-256 KAT before self-integrity test, as it is used for self-integrity.

  BUG=b:138577539
  TEST=make BOARD=cr50

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1cbd470bc64ef3eb50e9a28055404fb998c65b61
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3144376
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: switch to FIPS key gen for U2F and G2F | Vadim Sukhomlinov | 2021-09-15 | 2 | -13/+68

  For G2F switched to proper use of DRBG. For U2F added support for 512-bit entropy, changed DRBG instantiation in FIPS path.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1; u2f_tests in ccd, tpm_test.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1acf9947317a8b2f1b53cee0b2d81829c54336d5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161506
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
* cr50: make p256_int aligned - improve code size & performance | Vadim Sukhomlinov | 2021-09-14 | 7 | -159/+186

  p256_int was defined as packed struct to allow in place processing of TPM2 commands. However, it is not practical to pad and reverse bytes in place, support for misaligned access results in bloated code, lower performance and side-channel leaks.

  With this change introduce p256_from_be_bin_size() function which handles all cases with conversion big-endian number into p256_int internal representation (little-endian for cr50) with skipping leading zeros if present in big-endian, checking of size and zero padding.

  Bonuses:
  - code size reduction 336 bytes
  - a bit higher performance for p256
  - support for zero padded big-endian in TPM2 ECC, as well as more reliable checks for input parameters.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
  in console p256_test as unit test for padding function.
  ------------------------------ Test Result Summary -----------------------------
  Test executed on: Tue Sep 14 15:13:11 2021
  Performed Tests: 248
  Passed Tests: 248
  Failed Tests: 0
  Errors: 0
  Warnings: 0
  =========================================================

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Idd04d4e8d30225398814650332fe9be7182a8966
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138754
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix RSA dcrypto DMEM layout to avoid conflict with P256 | Vadim Sukhomlinov | 2021-09-14 | 1 | -2/+9

  Dcrypto p256 microcode in https://crrev.com/c/3133625 introduced shift in DMEM layout which started to corrupt mod & RR values, so alternating RSA and P256 led to potential errors in dcrypto_modexp_blinded().

  This fix updates layout to move input in the place of mod and thus preserve mod & RR.

  BUG=none
  TEST=make BOARD=cr50; TCG tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ic949147f43dfc210ed499c91c70e1ed186670afc
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3160503
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Marius Schilder <mschilder@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: merge always_memset() and memset() [stabilize-rust-14220.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-13 | 1 | -15/+11

  There is no point in having separate implementation of always_memset() which is slow and takes few extra bytes. Make memset's body available as memset_core() with volatile dest *, thus making it always called same as with always_memset(). Both memset() and always_memset() become just wrappers on top.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; board boots, FIPS tests pass, tpm_test.py works.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I68b3f89e757521e94df646f7d643411c53a10da7
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155725
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: minor fix - enable DRBG test vendor command with CRYPTO_TEST=1 | Vadim Sukhomlinov | 2021-09-13 | 1 | -2/+7

  After https://crrev.com/c/3139977 landed noticed that I need DRBG_TEST=1 to make tpm_test.py to work, as suddenly disabled vendor command with ccd command.

  Added check for successful completion of hmac_drbg_generate() in test command.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I87053fc0d100a68536680ad8c66358cdb2d5e537
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155297
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: remove unused DCRYPTO_ladder_random() [stabilize-14217.B-cr50_stab] | Vadim Sukhomlinov | 2021-09-10 | 2 | -23/+0

  After migration to DRBG use, remove DCRYPTO_ladder_random() function.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ifdb3fd79ec03ac94066a91ed38b61218dbceefde
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155295
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: consolidate FIPS module sources under board/cr50/dcrypto | Vadim Sukhomlinov | 2021-09-10 | 9 | -5/+5

  To simplify identification of FIPS module boundary, move all sources into same place.

  BUG=b:134594373
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I6acd12d12c00a3362041914bd515534f72a08ab2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3150057
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: reduce default set of CCD test commands with CRYPTO_TEST=1 | Vadim Sukhomlinov | 2021-09-08 | 8 | -6/+73

  During FIPS refactoring many additional test commands were added to CRYPTO_TEST=1 image for unit testing. However, this led to very small space left in image. Adding local switches to several CCD commands to activate it only once working on related parts.

  This frees around 6.5K.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I8f11988d2994c6c4b25748d3c0c07096ba00c392
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3139977
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix u2f after cl:3125994 | Vadim Sukhomlinov | 2021-09-08 | 1 | -5/+3

  Since https://crrev.com/c/3125994 and https://crrev.com/c/3119223 were in review at the same time and landed one after another, check for result of DCRYPTO_equals() wasn't properly updated.

  This is a fix addressing that DCRYPTO_equals() now returns DCRYPTO_OK instead of 1 in case of matching values.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; ccd - u2f_test
  test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I582906f9a6be57e1d645370377caa5e5ab3e2481
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3146593
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix make buildall builds | Vadim Sukhomlinov | 2021-09-08 | 3 | -3/+16

  When both https://crrev.com/c/3125994 and https://crrev.com/c/3119223 landed it resulted in broken host build as function attribute optimize("") is not supported by clang. This happened as both CLs are relatively independent by nature, but the first one added one of the sources to host build.

  BUG=none
  TEST=make buildall -j

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: If1b8425cea418ae42179bef46f6f5998ded3dc1f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3146223
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* add script to inject the fips fingerprint | Mary Ruthven | 2021-09-07 | 4 | -2/+87

  Inject the fips fingerprint into the cr50 image, so it can verify the fips module before starting to execute it.

  This change adds a script to calculate the checksum and inject it into an elf file before signing. If CONFIG_FIPS_CHECKSUM is defined, generate an elf file with the fips checksum and use that to create signed images and hex files. The build process doesn't change for RO artifacts. Nothing changes if CONFIG_FIPS_CHECKSUM isn't defined.

  The new chain for RW is
  ec.RW.elf -> ec.RW.elf.fips -> ec.RW.flat

  ec.RW.elf.fips is generated with util/inject_fips_fingerprint.sh. util/inject_fips_fingerprint.sh calculates the fips module fingerprint, copies ec.RW.elf to ec.RW.elf.fips, and then injects the fingerprint into ec.RW.elf.fips.

  util/signer/bs will be modified to use ec.RW.elf.fips if it exists in a followup CL.

  BUG=none
  TEST=manual
  # Verify cr50 is the only board that creates the fips artifacts
  make buildall -j

  objdump the text.fips_checksum section of ec.RW.elf and ec.RW_B.elf. Make sure they match ec.RW.fips.checksum and ec.RW_B.fips.checksum

  # Verify cr50 can update to image signed with devid and that
  # image shows Stored hash that matches the computed one.
  H1_DEVIDS="${DEVID}" make -j BOARD=cr50 CR50_DEV=1

  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Change-Id: Iab857ec1b7e3ae0d23681a25467e26286bd68210
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3078053
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* cr50: move fips checksum into its own section | Mary Ruthven | 2021-09-07 | 1 | -6/+11

  This change moves the fips checksum into its own section, so objcopy can be used to update the fips checksum in the elf files.

  BUG=none
  TEST=make buildall -j

  Change-Id: I8004c7efaf607eabd2932ecb9fdf377e0c68b6c0
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3120046
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* cr50: remove drbg_exit() from dcrypto_p256_ecdsa_sign() | Vadim Sukhomlinov | 2021-09-04 | 3 | -5/+6

  P-256 sign requires a random nonce which is generated from provided DRBG. Implementation of dcrypto_p256_ecdsa_sign() cleaned out DRBG once nonce is successfully created. This works fine when DRBG is instantiated just for purposes of signing this particular message, but doesn't work if we want to use system-wide DRBG which is perfectly instantiated as reseeded as needed as we want for FIPS. Instantiation of DRBG using entropy from TRNG is relatively expensive operation which we can avoid this way.

  Moving DRBG management outside ECDSA Sign makes it clearer. Now the caller is responsible what to do with DRBG and allows further updates with automated reseeding if ECDSA Sign fails due to DRBG.

  In tpm2/ecc.c we can now replace DRBG instantiation with using FIPS DRBG created during initialization.

  Still more changes are needed to fully switch to DRBG use for key gen as we need to handle reseeds properly.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I092b18cde5f6a8aede0a65e24a892dda9de7afa2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138384
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: adjust FIPS module build flags for reproducible build | Vadim Sukhomlinov | 2021-09-04 | 1 | -1/+10

  Set FIPS module build flags to reduce changes in object file due to compiler's randomization during LTO. Adjusted several optimization options which resulted in smaller image. Freed 136 bytes for ToT.

  BUG=b:138578318
  TEST=make BOARD=cr50, test that image works.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I99d9bf459bda6f1fcbd8dafe6f23539dda110fd8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123967
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add hardened crypto return codes, harden DCRYPTO_equals | Vadim Sukhomlinov | 2021-09-04 | 10 | -44/+216

  1. Introduce enum dcrypto_result defining DCRYPTO_OK and DCRYPTO_FAIL constants such that they have large Hamming distance, thus becoming more fault-injection resistant.
  2. Added value_barrier() and value_barrier_ptr() which prevent compiler from certain optimizations, removal of conditional execution.
  3. Added hardened_select_if_zero() primitive which produces branch-less selection between values.
  4. Added convenience function dcrypto_ok_if_zero() to convert zero into DCRYPTO_OK.
  5. DCRYPTO_equals() implemented in a way that it also checks completion of all iterations in addition to comparing value. This makes it resistant to fault injection which would result in no comparisons made.
  6. Updated uses of DCRYPTO_equals() to check for new return code.
  7. Few memcmp() replaced with DCRYPTO_equals().

  BUG=b:197893750
  TEST=make BOARD=cr50 CRYPTO_TEST=1; tests/tpmtest.py
  in console check that FIPS KAT tests pass.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I2a0373e8be97c2d61a2c4743c74614c2ff064a8a
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3125994
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
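
  The hardening listed in items 1 to 5 of the commit message above, sketched as an added example that is not part of the commit or of the cr50 sources. The constant values, the `_n` helper names, the `executed` parameter that models a glitched loop, and the sample tags are assumptions made for illustration; `value_barrier()` here relies on GCC/Clang inline assembly.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values, not the ones used by cr50: the two codes differ in
 * 31 of 32 bits, so a few flipped bits cannot turn FAIL into OK. */
enum dcrypto_result {
	DCRYPTO_OK = 0x5AA5C33C,
	DCRYPTO_FAIL = 0x255A3CC3,
};

/* Number of differing bits between two 32-bit words. */
static unsigned hamming_distance(uint32_t a, uint32_t b)
{
	uint32_t x = a ^ b;
	unsigned n = 0;

	for (; x; x &= x - 1) /* clear lowest set bit each round */
		n++;
	return n;
}

/* Make the compiler treat v as unknown, so it cannot fold the checks
 * below into a branch or drop them (GCC/Clang extension). */
static uint32_t value_barrier(uint32_t v)
{
	__asm__ __volatile__("" : "+r"(v));
	return v;
}

/* Branch-less: returns a when test == 0, otherwise b. */
static uint32_t hardened_select_if_zero(uint32_t test, uint32_t a, uint32_t b)
{
	/* bit 31 of (test | -test) is set exactly when test != 0 */
	uint32_t nz = value_barrier((test | (0u - test)) >> 31);
	uint32_t mask = value_barrier(0u - nz); /* 0 or 0xFFFFFFFF */

	return (a & ~mask) | (b & mask);
}

static enum dcrypto_result dcrypto_ok_if_zero(uint32_t v)
{
	return (enum dcrypto_result)hardened_select_if_zero(
		v, DCRYPTO_OK, DCRYPTO_FAIL);
}

/* Baseline for comparison: 1 means "equal". `executed` is how many loop
 * iterations really ran; normal callers pass len, a value below len
 * models a fault that ends the loop early. */
static int naive_equals_n(const uint8_t *a, const uint8_t *b, uint32_t len,
			  uint32_t executed)
{
	uint32_t diff = 0;

	(void)len; /* the naive version never re-checks the length */
	for (uint32_t i = 0; i < executed; i++)
		diff |= (uint32_t)(a[i] ^ b[i]);
	return diff == 0;
}

/* Hardened variant: the result is OK only if no byte differed AND the
 * loop counted all len iterations down to zero. */
static enum dcrypto_result hardened_equals_n(const uint8_t *a,
					     const uint8_t *b, uint32_t len,
					     uint32_t executed)
{
	uint32_t diff = 0;
	uint32_t remaining = len;

	for (uint32_t i = 0; i < executed; i++) {
		diff |= (uint32_t)(a[i] ^ b[i]);
		remaining = value_barrier(remaining - 1);
	}
	return dcrypto_ok_if_zero(diff | remaining);
}

/* Constructed sample data. */
static const uint8_t tag_expected[4] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t tag_forged[4] = { 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
	printf("distance OK/FAIL: %u bits\n",
	       hamming_distance(DCRYPTO_OK, DCRYPTO_FAIL));
	/* Loop skipped entirely (executed = 0) on a forged tag. */
	printf("naive, loop skipped:    %s\n",
	       naive_equals_n(tag_expected, tag_forged, 4, 0) ?
		       "accepts forged tag" : "rejects");
	printf("hardened, loop skipped: %s\n",
	       hardened_equals_n(tag_expected, tag_forged, 4, 0) ==
			       DCRYPTO_OK ?
		       "accepts forged tag" : "rejects");
	return 0;
}
```

  Callers have to compare the result against `DCRYPTO_OK` explicitly; treating it as a boolean would accept `DCRYPTO_FAIL` too, which is the kind of caller update item 6 refers to.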
* u2f: refactoring to split command processing and crypto | Vadim Sukhomlinov | 2021-09-02 | 14 | -744/+1315

  Split U2F crypto from U2F command processing by moving all crypto code into boards/cr50 (platform hooks).

  U2F state management is part of common code and passed to U2F crypto as a parameter.

  Previously reviewed as https://crrev.com/c/3034852, but reverted due to ChromeOS dependency on include/u2f.h. In this revision this is addressed by restoring include/u2f.h with previous content and new additions and adjusting dependencies in other headers.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1
  console: u2f_test
  test/tpmtest.py
  FAFT U2F tests pass

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Iff1973c8e475216b801d7adde23b1ef6c4a6f699
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3119223
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update dcrypto p256 code | Vadim Sukhomlinov | 2021-09-01 | 2 | -743/+1041

  Switch to hardened p256 code sequences for dcrypto which introduce blinding of secrets and control flow integrity checks. Dcrypto sequences are taken from cr52 board (/chip/g/fips).

  Code size increased by 1008 bytes, but expect savings from aligned p256_int.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I434a373fc602e01bf815099a3661a2cef93af22f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3133625
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: fix initialization check for FIPS DRBG | Vadim Sukhomlinov | 2021-09-01 | 1 | -7/+3

  During unit testing discovered an issue with test order specific bug which resulted in incorrect system-level DRBG initialization. It was revealed after several independent CLs landed. This fix corrects this issue.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I1222bc72d5560a4984a78abf53d5e3b2178d0977
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3133626
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add pair-wise consistency test for ECDSA key generation. | Vadim Sukhomlinov | 2021-08-31 | 3 | -8/+54

  FIPS requires pair-wise consistency test for asymmetric key generation algorithms. For U2F we use only ECDSA P-256, so adding this step into key generation function.

  BUG=b:198219806
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
  This test covers U2F and TPM2 uses of ECDSA keygen.

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I520a233e700a68b19c863bad05271f97693b5ca9
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3131949
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: merge crypto_enabled() and fips_crypto_allowed() | Vadim Sukhomlinov | 2021-08-31 | 8 | -19/+68

  We need to block access to all crypto in case of FIPS errors. There are multiple steps to implement, this is one of few.

  There is common API crypto_enabled() which is used by nvmem and some other functions to check whether access to crypto is possible. This is same intent as fips_crypto_allowed(), though the latter checks for FIPS KAT errors, while the former checks only key ladder status.

  Here we make all FIPS errors to revoke access from key ladder, and fips_crypto_allowed() to check key ladder status. This way we also ensure that in case of FIPS errors access to device secrets will be blocked.

  We moved crypto_api.c from chip/g to board/cr50 to move crypto_enabled() into fips.c and alias it to fips_crypto_enabled().

  crypto_api.h is no longer included from dcrypto.h, and compile time assert for cipher salt size is moved to proper place.

  Since crypto is used by nvmem_init(), move FIPS power-up tests earlier to ensure nvmem_init() can access crypto.

  BUG=b:197893750
  TEST=make CRYPTO_TEST=1; tpm_test; check nvmem is properly initialized on board_init().

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: If70c2a21d61348bd97a47e26db5d8eec08bbf8ed
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123836
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* add BOARD_CCD_REC_LID_PIN_DIOA12 to Zork brdprop [stabilize-14189.B-cr50_stab] | Mary Ruthven | 2021-08-27 | 1 | -1/+2

  Make DIOA12 an output on Zork, so it can be used for the ccd recovery or lid switch signals.

  BUG=b:197916691
  TEST=setting CCD_REC_LID_PIN toggles lid_open on tomato

  Change-Id: I755498fd9bb9b764b0e0aa2bf0394c45b087c767
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3124565
  Reviewed-by: Ting Shen <phoenixshen@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Ting Shen <phoenixshen@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* Revert "u2f: refactoring to split command processing and crypto" [stabilize-14179.B-cr50_stab] [stabilize-14178.B-cr50_stab] | David Stevens | 2021-08-25 | 14 | -1308/+787

  This reverts commit 5ae1c684271a117539858cb12252959dfe46803c.

  Reason for revert: breaks chromeos-ec-headers

  BUG=b:197691499

  Original change's description:
  > u2f: refactoring to split command processing and crypto
  >
  > Split U2F crypto from U2F command processing by moving all crypto
  > code into boards/cr50 (platform hooks).
  >
  > U2F state management is part of common code and passed to U2F crypto
  > as a parameter.
  >
  > BUG=b:134594373
  > TEST=make BOARD=cr50 CRYPTO_TEST=1
  > console: u2f_test
  > test/tpmtest.py
  > FAFT U2F tests pass
  >
  > Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  > Change-Id: I85442cddb2959bd3102f7f6e6047134ede90951b
  > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3034852
  > Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  > Reviewed-by: Andrey Pronin <apronin@chromium.org>
  > Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  > Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>

  Bug: b:134594373
  Change-Id: I61a965995fcd53b4e155084f5f351574cb84cd1e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3115930
  Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
  Owners-Override: David Stevens <stevensd@chromium.org>
* u2f: refactoring to split command processing and crypto Vadim Sukhomlinov 2021-08-24 14 -787/+1308
  Split U2F crypto from U2F command processing by moving all crypto
  code into boards/cr50 (platform hooks).

  U2F state management is part of common code and passed to U2F crypto
  as a parameter.

  BUG=b:134594373
  TEST=make BOARD=cr50 CRYPTO_TEST=1
       console: u2f_test
       test/tpmtest.py
       FAFT U2F tests pass

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I85442cddb2959bd3102f7f6e6047134ede90951b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3034852
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: prepare to release 0.{5,6}.51 Mary Ruthven 2021-08-24 2 -2/+2
  BUG=b:194901448
  TEST=none

  Change-Id: Ia16d194f042ab44a36e00668f699dfab4df8a536
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3114224
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: prod: use 6 as the major version Mary Ruthven 2021-08-24 1 -1/+1
  Use 6 as the major version in util/signer/ec_RW-manifest-prod.json to
  reduce merge conflicts in the branches.

  This has no real effect since we don't prod sign TOT images.

  BUG=none
  TEST=none

  Change-Id: I1300a4080ea4a5fee3115f1e32736985789d9c11
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3114223
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: replace direct calls to EC OS from FIPS module with callbacks Vadim Sukhomlinov 2021-08-23 9 -44/+195
  In order to implement self-integrity test for FIPS module we need to
  make sure binary code of module in image doesn't change from build to
  build. To do that we already place FIPS module as constant address.
  However, any call to functions outside the module creates a relocation
  which is changing depending on location of that external function in
  the image. To prevent that we either need to bring these functions in
  the module like it was done with memcpy() and some others or replace
  their invocations with callbacks.

  Task & Memory management functions are hard to bring in the module, so
  replace few invocations with indirect calls using vtable. This way
  invocation code will remain the same.

  1. Identify and minimize dependency on EC OS - remove few asserts and
     cprintfs.
  2. Remove checking privilege level in TRNG init - we know that it is
     high by the order of initialization in board_init() and that our RO
     doesn't drop permissions. Correct initialization of TRNG is
     important for certification, so we can't just assume it may be
     initialized improperly.
  3. Added vtable with EC OS functions, initialization of FIPS module
     vtable in board_init().
  4. Switched to using vtable instead of direct calls.

  Note, we continue to use EC OS with CRYPTO_TEST=1 to reduce vtable
  size and image size.

  BUG=b:138578318
  TEST=make BOARD=cr50; tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ibd7bd2353fc4e7e5886f9bfef96b36dc64ff2359
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3107847
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Andrey Pronin <apronin@chromium.org>
* fips: fix printing fips hash Mary Ruthven 2021-08-20 1 -3/+4
  BUG=none
  TEST=make -j BOARD=cr50 CR50_DEV=1

  Change-Id: I3f5281047ff3f349161e37633320e63b4a8fb318
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3108328
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* tpm_mode: move s_tpm_mode to .bss.Tpm2_common Mary Ruthven 2021-08-19 1 -6/+12
  Move tpm_mode_s to .bss.Tpm2_common, so TPM_MODE_ENABLED is cleared
  during tpm reset events. Cr50 still clears TPM_MODE_DISABLED by doing a
  hard reset instead of triggering a tpm reset event.

  BUG=b:191180387,b:196820239
  TEST=run firmawre_Cr50TpmMode

  Change-Id: I5f5cedb7b5b6a03bf504583c378fae87896cef2b
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3105485
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* cr50: refactor TRNG use, implement rand() using read_rand() Vadim Sukhomlinov 2021-08-19 4 -88/+90
  In preparation for switching from TRNG to DRBG, refactor to remove
  duplicated code, reduce code size.

  1. Isolate hardware-dependent code (trng.c) from platform-agnostic in
     fips_rand.c. This will enable better host emulation for tests.
  2. Change how read_rand() returns status to take advantage of ARM ABI.
     Unfortunately any composite type on ARM is returned on stack. Use
     uint64_t with combined validity flag in high bits and random in low
     32 bits. This alone reduces code size by around 100 bytes.
  3. Avoid code duplication by implementing rand() using read_rand().
  4. Drop use of common/trng.h to reduce dependency on code outside
     boundary. To be completed with migration to DRBG.

  BUG=b:138577416
  TEST=make BOARD=cr50 CRYPTO_TEST=1; rand_perf and FIPS tests

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: Ifdc42e7210414a4abeac8c132a684e451fbbc19c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3100489
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
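
The packed-return convention from item 2 of the commit message above, as an added example that is not the cr50 source: a valid all-zero word stays distinguishable from a TRNG failure, and the consumer fails closed. The names `read_rand_packed`, `rand_valid`, `rand_value` and `rand_bytes_checked`, the choice of bit 32 for the flag, and the simulated TRNG are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout: bit 32 = validity flag, bits 0..31 = random word.
 * The page says only "flag in high bits"; the exact bit is a guess. */
#define RAND_VALID (1ULL << 32)

/* Constructed stand-in for the TRNG: a fixed word sequence that starts
 * failing once sim_fail_after words were delivered. Not real entropy. */
static const uint32_t sim_words[] = { 0x00000000u, 0xdeadbeefu, 0x01234567u };
static size_t sim_count, sim_fail_after;

static void sim_reset(size_t fail_after)
{
	sim_count = 0;
	sim_fail_after = fail_after;
}

/* Status and data travel in one 64-bit scalar: no struct return and no
 * out-parameter are needed to report a failed read. */
static uint64_t read_rand_packed(void)
{
	if (sim_count >= sim_fail_after)
		return 0; /* flag clear: the low 32 bits mean nothing */
	return RAND_VALID | sim_words[sim_count++ % 3];
}

static bool rand_valid(uint64_t r) { return (r & RAND_VALID) != 0; }
static uint32_t rand_value(uint64_t r) { return (uint32_t)r; }

/* Fill buf with len bytes. On any failed read the whole buffer is wiped
 * and false is returned, so a caller never keeps a partly random key. */
static bool rand_bytes_checked(void *buf, size_t len)
{
	volatile uint8_t *out = buf;
	size_t done = 0;

	while (done < len) {
		uint64_t r = read_rand_packed();
		uint32_t w = rand_value(r);

		if (!rand_valid(r)) {
			for (size_t i = 0; i < len; i++)
				out[i] = 0;
			return false;
		}
		/* Emit the word low byte first, independent of host order. */
		for (size_t i = 0; i < sizeof(w) && done < len; i++)
			out[done++] = (uint8_t)(w >> (8 * i));
	}
	return true;
}

int main(void)
{
	uint8_t key[8];

	sim_reset(SIZE_MAX); /* healthy source: the fill must succeed */
	if (!rand_bytes_checked(key, sizeof(key)))
		return 1;
	sim_reset(1); /* second word fails: the fill must be rejected */
	return rand_bytes_checked(key, sizeof(key)) ? 1 : 0;
}
```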
* cr50: final touches to remove cryptoc dependency (stabilize-14163.B-cr50_stab) Vadim Sukhomlinov 2021-08-16 13 -115/+262
  To implement FIPS module we need to bring many crypto functions in the
  module boundary. Unfortunately, cryptoc is a third-party library used
  by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
  with other projects. While just making local copy of cryptoc would
  solve an issue, it's suboptimal as it prevents many optimizations and
  improvements.

  1. Clean-up of #include dependencies on cryptoc
  2. Build configuration drops linking with cryptoc for cr50
  3. Dcrypto SHA512 code updated to compile and partially tested. It is
     about 4x faster on large messages, and about 620 bytes larger. Added
     a config option to use Dcrypto version as software, but not
     enabled. More testing is needed to make sure it's safe and doesn't
     have unintended interactions with RSA and ECDSA Dcrypto code.

  BUG=b:138578318
  TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I030b60b75daeec9c8ef079017a73345829bf7f0b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3093093
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: update FIPS initialization logic to match security policy Vadim Sukhomlinov 2021-08-13 10 -374/+341
  FIPS security policy was updated to move U2F key management out of
  scope as it doesn't add anything from certification standpoint on L1,
  but greatly complicates design and requires flash operations to be in
  the FIPS module boundary.

  This change aligns FIPS initialization flow with security policy:
  1) Checking of U2F key type is removed and would be handled during U2F
     command processing to choose approved / not-approved key gen.
  2) FIPS module is always in approved mode when self-integrity tests,
     known-answer tests and TRNG power-up tests succeed.
  3) Implementation of console command and TPM2 command moved out of
     FIPS boundary.

  BUG=b:134594373
  TEST=make BOARD=cr50 [CRYPTO_TEST=1]; console commands

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I03fc8fa450927e4d37e691770e872e7ffa5b628d
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3093088
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: drop cryptoc for p256 implementation (stabilize-14151.B-cr50_stab) Vadim Sukhomlinov 2021-08-12 13 -133/+309
  To implement FIPS module we need to bring many crypto functions in the
  module boundary. Unfortunately, cryptoc is a third-party library used
  by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
  with other projects. While just making local copy of cryptoc would
  solve an issue, it's suboptimal as it prevents many optimizations and
  improvements.

  Removed redundant functions (dcrypto_p256_pick and dcrypto_p256_rand).

  Another improvement is separation of platform independent code in
  p256.c to support better host-side unit tests. For this purpose added
  fast random number generator using LFSR to replace use of TRNG for
  blinding and wiping secrets where security strength is not required.

  BUG=b:138578318
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
       in console: dcrypto_ecdsa

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I9bfd13b8006ddca55508635962be4502a56532b5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3087833
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: drop cryptoc for SHA1/SHA2 support (stabilize-14150.882.B-cr50_stab, stabilize-14150.881.B-cr50_stab, stabilize-14150.74.B-cr50_stab, stabilize-14150.734.B-cr50_stab, stabilize-14150.64.B-cr50_stab, stabilize-14150.43.B-cr50_stab, stabilize-14150.376.B-cr50_stab, release-R94-14150.B-cr50_stab, release-R94-14150.49.B-cr50_stab) Vadim Sukhomlinov 2021-08-12 43 -730/+1799
  To implement FIPS module we need to bring many crypto functions in the
  module boundary. Unfortunately, cryptoc is a third-party library used
  by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
  with other projects. While just making local copy of cryptoc would
  solve an issue, it's suboptimal as it prevents many optimizations and
  improvements.

  Provided SHA & HMAC implementations from Ti50 project. This provides
  better performance (500us vs. 670us earlier for HMAC DRBG) and reduces
  code size. This implementation also enables stack use savings when
  only specific digest is needed. Earlier SHA512 context was allocated
  when only SHA256 is needed greatly increasing stack consumption for
  code using HMAC_DRBG and others. However, it introduces subtle API
  changes which require handling.

  As for tests, since core implementation is hardware-independent, make
  it available for BOARD=host too.

  Before change (with cryptoc):
  *** 12368 bytes in flash and 5784 bytes in RAM
  After:
  *** 13136 bytes in flash and 5796 bytes in RAM

  BUG=b:138578318
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I2ff5362aee9078ce83dc1f8081943a5101d5f666
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3064201
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: drop cryptoc for always_memset() (stabilize-14149.B-cr50_stab) Vadim Sukhomlinov 2021-08-10 15 -15/+18
  To implement FIPS module we need to bring many crypto functions in the
  module boundary. Unfortunately, cryptoc is a third-party library used
  by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
  with other projects.

  BUG=b:138578318
  TEST=make BOARD=cr50 CRYPTO_TEST=1

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I40090f5d32df088c88d7313dd693fc8a0dd4b308
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3083187
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* cr50: fix CRYPTO_TEST=1 broken due to FIPS code Vadim Sukhomlinov 2021-08-09 4 -11/+25
  Linker script used by FIPS module broke several extension commands
  used for testing due to section name used (no wildcards support).

  FIPS self-integrity tests broke access to crypto commands as until
  there is no correct digest it fails and prevents access to crypto.
  This is temporary fix until digest computation is done.

  TPM tests require GCM for testing - adding this module when built with
  CRYPTO_TEST=1.

  U2F test status made a bit clearer (printing success) and hex dumps of
  key handles, signatures only printed in debug mode now.

  BUG=none
  TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I7c974abf8ac71de2949b35a4411f77a03d9048a0
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3082325
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: prepare to release 0.{5,6}.50 Mary Ruthven 2021-08-05 2 -2/+2
  BUG=b:194901448
  TEST=none

  Change-Id: I9d4d5133d26ac528b2ecf5e1b0f4be20a47badb8
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3072819
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* usb_spi: Remove stm32spi.py since no one uses it Yilin Yang 2021-08-04 1 -140/+0
  BUG=chromium:1031705
  BRANCH=master
  TEST=None

  Signed-off-by: kerker <kerker@chromium.org>
  Change-Id: Idf4f5342da6b3f3307e1948c165d44b83031543a
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2425983
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
  (cherry picked from commit 24f03775900d085130f4d411da3bfdfe29afc7ef)
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3067596
  Reviewed-by: Craig Hesling <hesling@chromium.org>
  Commit-Queue: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Mary Ruthven <mruthven@chromium.org>
* usb_spi: move to Raiden V2 implementation Vadim Bendebury 2021-08-02 8 -10/+740
  This patch introduces an alternative USB SPI protocol implementation
  to be used by Cr50: Raiden V2.

  The SPI USB endpoint descriptor is modified to advertise the new
  version in the bInterfaceProtocol, which allows the flashrom utility
  to use the new protocol version.

  Protocol version 2 implements segmentation and reassembly where longer
  flash read and write PDUs can be transferred split into shorter fixed
  size USB packets. The comment section in usb_spi_v2.c describes the
  protocol in detail.

  Each time a USB packet is received from the host, the packet header is
  examined to determine the command. The command could be a DUT
  configuration query OR a request to read and/or write some data
  from/to the SPI flash chip, OR a request to retransmit the last PDU
  from the beginning.

  This patch implementation does not process the retransmission request
  command yet, in case a packet is dropped flashrom would need to be
  re-run. This is a pretty rare condition, but if deemed necessary
  support can be added later.

  H1 SPI controller supports multibuffer transactions where the CS
  signal is kept asserted while the controller clocks the bus when the
  next portion of data to write becomes available or there is more room
  to read data to send back to the host. This allows to support
  arbitrary length read and write transactions.

  There is no need to support write transactions longer than 256 bytes
  of data, as this is a typical SPI flash chip page size. For read
  direction the size of 2040 was chosen, which is close to 2K and takes
  full payload of 34 USB packets on top of 2 byte headers.

  The protocol state machine on the device side can be in one of two
  states, IDLE or WRITING.

  Many of host requests do not require the device to change state:
  configuration requests, or writes of short blocks of data (fitting
  into one USB packet) can be executed immediately. Requests to read
  long blocks of data can still be executed without leaving the IDLE
  state, the device starts the SPI transaction and then iterates reading
  one packet worth of data at a time and sends it back to the host. Once
  the entire PDU is read, the CS is deasserted.

  In case the host requests to write a block of data which does not fit
  into a USB packet the device asserts the CS, sends the first received
  block to the SPI flash chip and then enters the WRITING state,
  expecting the controller to send the rest of the PDU in following
  packets. Once the entire PDU is transferred the CS is deasserted and
  state is changed back to IDLE.

  BUG=b:79492818
  TEST=performed numerous flash read/write operations with 16M SPI flash
       chip on the Atlas device. Timing results comparison of various
       operations:

                                            Raiden V1   Raiden V2
       Reading entire chip:                  3m 16s      0m 52s
       Vanilla writing of new image:        16m 22s      5m 48s
       Writing of AP firmware into an
       erased flash chip (no read
       before or after writing)              4m 12s      1m 38s

  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Change-Id: I374f3caab7146fc84b62274e9e713430d7d31de0
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2977965
  Reviewed-by: Brian Nemec <bnemec@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* cr50: add basic U2F test to tpmtest, disable ecies Vadim Sukhomlinov 2021-07-28 4 -10/+132
  Add basic test to U2F generate, sign and attest commands to make sure
  commands are processed correctly.

  When built with CRYPTO_TEST=1 pretend that power button for U2F is
  always pressed when requested to simulate user presence.

  BUG=None
  TEST=make BOARD=cr50 CRYPTO_TEST=1
       tests/tpmtest.py

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I8fda8037ea7322eb5fa46421ded6da3d1bba9c66
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3048103
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add FIPS module self-integrity check Vadim Sukhomlinov 2021-07-28 2 -0/+33
  Added computation of FIPS module SHA256 digest and comparison with
  precomputed value.

  BUG=b:138578318
  TEST=make BOARD=cr50, check console output

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I3aaac07ff460b5021f2b7dab4f6df2710325c60b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3045839
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* cr50: add linker script to consolidate FIPS module sections Vadim Sukhomlinov 2021-07-23 2 -4/+88
  Added linker script to sort by name all symbols from FIPS module and
  place them together in text.fips, rodata.fips and bss.fips sections
  which are later placed at fixed locations by chip's linker script.

  Note, this has impact on image size as LTO intentionally won't work
  across FIPS module boundary and probably doesn't discard some unused
  functions. Currently size increase is 1544 bytes.

  List of functions added:
    fips_p256_ecdsa_sign
    fips_drbg_clear
    DCRYPTO_asn1_sigp
    board_set_fips_policy_test
    u2f_gen_kek
    DCRYPTO_asn1_pubp
    fips_drbg_init
    fips_throw_err
    board_fips_enforced
    fips_trng_bytes
    dcrypto_p256_pick
    DCRYPTO_hkdf
    dcrypto_p256_rnd
    fips_mode
    adaptive_proportion_test
    fips_rand_bytes
    fips_set_policy
    board_fips_power_up_done
    fips_crypto_allowed

  Note, some of these functions can be removed, and some will be used
  once switch to FIPS key gen.

  BUG=b:138578318
  TEST=make BOARD=cr50

  Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
  Change-Id: I0ab3cf1fc7fd6de2025b69d46c71625d96d7873b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3041098
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
  Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
* Add necessary utilities to the FIPS boundary (stabilize-14106.B-cr50_stab) Mary Ruthven 2021-07-22 4 -0/+210
  BUG=none
  TEST=make buildall -j
       find -name util.o

       board/cr50/dcrypto/util.o is only a part of the cr50 build

       ./build/cr50/RO/common/util.o
       ./build/cr50/RO/board/cr50/dcrypto/util.o
       ./build/cr50/RW/common/util.o
       ./build/cr50/RW/board/cr50/dcrypto/util.o
       ./build/cr50/cryptoc/util.o

  Change-Id: Ib1e82922548f9ec483338baaad94c6b2cb10f371
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3043359
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* common/util: group the code needed in the fips module Mary Ruthven 2021-07-21 2 -177/+195
  Group the code we are going to move into the fips module.
    memcmp
    memcpy
    memset
    memmove
    reverse
    strncmp

  BUG=none
  TEST=make buildall -j

  Change-Id: Idb1162dd47f00f676cb1c1ec3f77b85808ad9c30
  Signed-off-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3043358
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>