| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Key combo0 needs to be enabled on all boards, so it can be used to
release the device from reset after AP RO verification fails.
BUG=b:236844541
TEST=pwrb + refresh releases ec rst after AP RO verification failed on
hatch
Change-Id: If5d434a32aba09fd4af85cd668d34997d5851216
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4009402
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A future cl will call usb_spi_sha256_update in more places. Move the
range print statement into usb_spi_sha256_update, so we don't need to
print the range in multiple places later.
BUG=b:236844541
TEST=make -j BOARD=cr50
Change-Id: I9475d14ea0d65be1ad68f606252d50d9af964253
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3840652
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
BUG=none
TEST=none
Change-Id: I61b0b0106a43f723ec3bc805eb190aef00bbd05b
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3894391
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are a couple of known issues saving the AP RO verification hash in
cr50, so it's possible AP RO verification will fail even if the AP RO is
ok. Add support for releasing the EC from reset with PWRB + refresh
after AP RO verification fails. This just makes it easier to recover the
device. If the device is released from reset, the status is set to
AP_RO_FAIL_CLEARED and a APROF_FAIL_CLEARED flog event is logged.
This only releases EC reset if the device failed AP RO verification. Any
other verification status won't get cleared by the key combo.
BUG=b:240530668
TEST=trigger verification on a device with a bad hash. Verify the EC is
held in reset until PWRB + refresh is pressed.
make -C extra/usb_updater gsctool
Change-Id: I03a02501e7c91a41374816d82f48a5289f289c39
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3805820
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DO NOT LAND IN RELEASE BRNACHES.
Add chargen to tot images, so we can verify c2d2 and servo micro
functionality with tot cr50 images.
BUG=b:240718978
TEST=run chargen
Change-Id: I98bc344a2914f311a056904a7fc5b650b22c40d0
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3805824
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GPIO_EC_FLASH_SELECT is only used in usb_spi.c and EC_TX_CR50_RX_OUT
isn't used anywhere by cr50. These are both debug signals mainly used by
servo or ccd for flashing the EC. Disable sleep when they're asserted.
Add GPIO_SLEEP_DIS_HIGH to EC_FLASH_SELECT, so sleep is disabled when
it's set to 1.
Add GPIO_SLEEP_DIS_LOW to EC_TX_CR50_RX_OUT, so sleep is disabled when
it's set to 0.
BUG=none
TEST=gpioset EC_TX_CR50_RX_OUT and gpiset EC_FLASH_SELECT change the
gpiocfg sleepmask.
Change-Id: Ice4c0d85349eeb547644b134904f95e4a4fe375b
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3605882
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add GPIO_SLEEP_DIS_LOW and GPIO_SLEEP_DIS_HIGH to disable sleep when a
gpio with one of those flags is asserted.
GPIO_SLEEP_DIS_LOW disables sleep when the signal is set to 0.
GPIO_SLEEP_DIS_HIGH disables sleep when the signal is set to 1.
This will disable all forms of sleep. The flags can be used for ccd
signals to ensure cr50 doesn't enter sleep while c2d2 or servo micro are
relying on a ccd signal to flash the device.
These flags should not be add to signals used during normal cr50
operation. They disable regular sleep regular sleep so using them will
significantly increase cr50 power consumption.
This change adds GPIO_SLEEP_DIS_HIGH to AP_FLASH_SELECT. I'll add more
signals in followup CLs.
This change also replaces SLEEP_MASK_CHARGING with SLEEP_MASK_GPIO.
Nothing was using SLEEP_MASK_CHARGING.
BUG=b:229974371
TEST=Toggle AP_FLASH_SELECT while the AP is off. Verify cr50 doesn't
enter deep sleep and the gpiocfg and sleepmask output looks ok.
> gpioset AP_FLASH_SELECT 1
> gpiocfg
GPIO0_GPIO1: read 0 drive 0
GPIO0_GPIO2: read 1 drive 1
GPIO1_GPIO0: read 0 INT_RISING
GPIO1_GPIO1: read 0 INT_HIGH
GPIO1_GPIO4: read 0 INT_FALLING
GPIO1_GPIO5: read 0 drive 1
GPIO1_GPIO7: read 0 INT_RISING
GPIO1_GPIO8: read 0 INT_FALLING
gpio sleepmask: 00001000
> sleepmask
sleep mask: 00000008
> gpioset AP_FLASH_SELECT 0
> gpiocfg
GPIO0_GPIO1: read 0 drive 0
GPIO0_GPIO2: read 0 drive 0
GPIO1_GPIO0: read 0 INT_RISING
GPIO1_GPIO1: read 0 INT_HIGH
GPIO1_GPIO4: read 0 INT_FALLING
GPIO1_GPIO5: read 0 drive 1
GPIO1_GPIO7: read 0 INT_RISING
GPIO1_GPIO8: read 0 INT_FALLING
gpio sleepmask: 00000000
> sleepmask
sleep mask: 00000000
>
Change-Id: I1de35455c5a6702635fb714b14d6791f8e5eb2ed
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3605881
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
BUG=b:229974371
TEST=Assert AP_FLASH_SELECT then enter and exit deep sleep on EC-EFS
board.
Change-Id: I00437076ef4881dd60dd67e511100410dd155555
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3607064
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New boards generate very short pulses on TPM_RST_L. They deassert
TPM_RST_L and then quickly reassert it. Most processing is not done in
the assert/deassert interrupts. The interrupts schedule deferred
functions to reset the TPM and set the AP state.
tpm_rst_asserted sets the AP state to debouncing and schedules
deferred_set_ap_off_data for a second later.
tpm_rst_deasserted schedules a deferred_tpm_rst_isr call ASAP.
deferred_tpm_rst_isr sets the AP state to on and cancels any pending
deferred_set_ap_off calls. If there's a short period where the AP is
off, cr50 won't enable deep sleep or disable the TPM, it'll be in the
debouncing state until the rising edge, and then the AP will be set back
to on.
The issue with short pulses is cr50 doesn't fully process
deferred_tpm_rst_isr before the tpm_rst_asserted interrupt is
triggered.
tpm_rst_deasserted is triggered which schedules deferred_tpm_rst_isr
tpm_rst_asserted is triggered which schedules deferred_set_ap_off
deferred_tpm_rst_isr is processed which sets the AP state to on and
cancels deferred_set_ap_off.
Even though tpm_rst_asserted happened after tpm_rst_deasserted cr50
process set_ap_on which cancels the pending set_ap_off call. Cr50 gets
left with the AP state on even though tpm_rst_asserted was the last
interrupt. This change adds polling to catch this state after a second,
so cr50 can enable deep sleep.
BUG=b:226680127
TEST=manual
reset the AP on hoglin. check for appoll messages
run firmware_Cr50DeviceState on hatch
comment out enabling the TPM_RST_L interrupt handlers.
verify cr50 eventually gets to the correct ap state.
Change-Id: Ib100d4019a1e65cc4c5ce699d268f65884b4f009
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3597031
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add "K" or "F" to the AP state to give more information about the device
state. K for kernel. F for Firmware.
This uses 48 bytes
BUG=b:148492097
TEST=check ccdstate output at different times during boot. Run
firmware_Cr50DeviceState
Change-Id: If2a26c39047b9ae1818eb8d6afbaafa3d1765ca5
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3597035
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resetting the AP interferes with factory processes. Wipe the tpm,
disable AP communications, and then enable factory mode without
resetting the AP, so factory scripts can continue running and don't need
to handle a device reset.
BUG=b:229355653
TEST=manual
# "Disconnect" the battery, so cr50 can enable factory mode.
bp disconnect atboot
# Enable factory mode
gsctool -aF enable
# Verify cr50 wipes the TPM
[52.115535 tpm_reset_request(1, 1)]
[52.116683 tpm_reset_now(1)]
[52.494602 Compaction done, went from 12304 to 60 bytes]
...
[52.587989 tpm_reset_now: done]
[52.588844 TPM is erased]
# Verify the AP stayed up and the TPM is disabled
gsctool -af
Problems reading from TPM, got 10 bytes
Failed to start transfer
Change-Id: If64df4e834c8ae65de36c0ebb7ea868d558089bd
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3597032
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
g2f_attestation_cert() is another function which is invoked on the TPM
command context, when virtual TPM NVMEM spaces are read.
One of the side effects of invoking of g2f_attestation_cert() is the
creation of the U2F state, if it did not exist before. In this case
the state should not be immediately committed to the NVMEM, the commit
will happen when the TPM command execution is completed.
BUG=b:199981251
TEST=running ./test/tpm_test/tpmtest.py does not trigger the 'attempt
to commit in unlocked state' message any more.
'make buildall' and 'make CRYTPO_TEST=1 BOARD=cr50' pass
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I708e8807ffd3207cc6ab84a0e380908e715f7a15
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3482487
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The disable deep sleep variable is supposed to be temporary and only
apply to the next TPM_RST_L pulse. If TPM_RST_L doesn't get asserted
within 10 seconds of the disable deep sleep vendor command, it probably
means something went wrong with suspend and it was aborted. Clear
disable deep sleep after 10 seconds, so it doesn't get applied to some
other suspend.
BUG=b:222124677
TEST=manual
# Send command to disable deep sleep
trunks_send --raw 80010000000c20000000003b
> [50.252944 dis DS]
ccdstate
DS Dis: on
# Wait 10 seconds and make sure cr50 clears it
> [60.252941 DDS: clear]
# Send command to disable deep sleep
trunks_send --raw 80010000000c20000000003b
# Shutdown the device immediately.
shudown -P now
# Verify cr50 disables deep sleep
1 [24.650581 dis DS]
1/[27.364002 tpm_rst_asserted]
[28.364776 AP off]
[28.365516 Block DS]
# Wait 20 seconds. Check that cr50 doesn't clear it
> ccdstate
DS Dis: on
AP: off
..
> idle
idle action: sleep
# boot the device
10| 1 inicom2.8Minicom2.8[85.437511 deferred_tpm_rst_isr]
[85.438472 AP on]
[85.439010 set TPM wake]
[85.439594 tpm_reset_request(0, 0)]
[85.440494 tpm_reset_now(0)]
[85.443954 tpm_init]
tpm_manufactured: manufactured
[85.446109 tpm_reset_now: done]
[85.446891 DDS: clear]
# shutdown the device
# check cr50 enters deep sleep
Change-Id: I2140dbb01e8d9b21c5f5309e43efc21b636361e5
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3498704
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DIOA1 PINMUX definition uses a GPIO flag instead of a DIO flag. It
doesn't matter that much, because GPIO_INPUT maps to DIO_DIRECT_INPUT
which is a noop. i2cp_set_pinmux configures the DIOA1 input in existing
images. This change just modifies the flag for correctness.
BUG=b:221090807
TEST=check pinmux output on spi and i2c boards. Verify it doesn't
change.
Change-Id: I227156e5799d872da32a87a7bcab4ae638c18c08
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3495872
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a vendor command that returns the time since user_pres_l was
asserted. This is only used for testing.
Tracking user_pres_l needs to be enabled with a vendor command since
DIOM4 may not be pulled up and may be pulled down on old boards.
Enabling the vendor command survives deep sleep reset. It gets cleared
after cr50 reset.
Cr50 clears the user_pres_l status if tracking is disabled.
BUG=b:219981194,b:208504127
TEST=manual
# Verify it survives deep sleep
sudo gsctool -y enable
sudo gsctool -y
...
user pres enabled
# enter deep sleep
sudo gsctool -y
...
user pres enabled
# Verify it doesn't survive cr50 reboot
sudo gsctool -y enable
sudo gsctool -y
...
user pres enabled
cr50 > reboot
sudo gsctool -y
...
user pres disabled
# Check gsctool output after triggering DIOM4 pulse
sudo gsctool -y enable
# Trigger pulse and wait 5 seconds
sudo gsctool -y
...
user pres enabled
last press: 5064331
Change-Id: Ib37980a5cd8d3378bf718e8e32a7d4152435a816
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3495863
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem is in the below chain invoked on processing TPM Clear command:
_plat__OwnerClearCallback()
u2f_gen_kek_seed()
u2f_get_state()
u2f_load_or_create_state()
write_tpm_nvmem_hidden()
NvCommit()
This chain is executed only if U2F data do not exist in the NVMEM.
The end result is write_tpm_nvmem_hidden() invoking nvmem_commit()
which removes the lock, which in turn causes the error when tmp command
processor tries to commit nvmem in the end of processing the command.
This is why the problem happens only once, after the first time U2F data
is present and the above chain is not traversed.
In the fix we avoid calling u2f_get_state() from u2f_gen_kek_seed() by
updating U2F state in memory if it is loaded and in nvmem directly.
Also discovered and fixing bug that resulted in platform owner
not being properly cleaned due incorrect error checking.
_plat__OwnerClearCallback() modified to print error status.
However, this fix doesn't address a case when tpm_test.py fails first
time on TPM2_Startup.
BUG=b:199981251
TEST=tcg tests now passes without errors from clean TPM state,
test/tpm_test/tpmtest.py passes U2F tests.
in CCD with CRYPTO_TEST=1
fips kek works after initial fw upload.
fips u2f
fips kek works with U2F state.
----------------------- Test Environment -------------------------------
Test Suite Version: 2.1a
Operating System: Linux
Processor Information: Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz
TDDL Version: SocketTDDL
-------------------------- Test Object ---------------------------------
TPM Vendor: CROS
TPM Firmware Version: a77bf07 2
TPM Spec Version: 1.16
Vendor Specific Info: xCG , fTPM, ,
Tested Spec Version: 1.16
---------------------- Test Result Summary -----------------------------
Test executed on: Tue Feb 22 19:07:53 2022
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I452129bd696c5207dbef22ef1489fdab924677eb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3482484
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cr50 resets the EC when key_combo0 is pressed, so it can clear the ec
boot mode.
BUG=b:219102909
TEST=none
Change-Id: I3d024b5a16d5658cf259b5513513e7734aa62d31
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3457894
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This CL in case of unorderly TPM reset that doesn't also reset GSC
preserves RAM-backed values of orderly nv indices.
BUG=b:201101365
TEST=1) create an orderly counter
2) increment it
3) trigger EC reset
4) verify that the counter value was preserved
Cq-Depend: chromium:3417937
Change-Id: I799183ad06584055d025c2acf5f83ff2ded32d39
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3418122
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Mary Ruthven <mruthven@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. ECDSA pair-wise consistency test failure wasn't updating FIPS status.
Added new failure bit FIPS_FATAL_ECDSA_PWCT.
2. ECDSA KAT was only simulating error in verify, but not in sign.
Split 'fips ecdsa' into 'fips ecver' and 'fips ecsign'.
3. Added a way to introduce self-integrity error by not updating FIPS
module digest with 'FIPS_BREAK=1' during build.
4. Added reporting of FIPS module digest.
BUG=b:134594373
TEST=make CRYPTO_TEST=1;
in ccd test:
fips pwct; tpm_test.py should fail; fips should print error.
-
fips ecver; fips test reports ECDSA error
fips ecsign; fips test reports ECDSA error
-
FIPS module digest is printed
-
FIPS_BREAK=1 make CRYPTO_TEST=1 produce build with zero digest
reporint FIPS self-integrity error.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ib0a92c118f07a76e4b52eaf9b011ff4f73a02c61
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3425998
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a vendor command to disable deep sleep the next time TPM_RST_L is
asserted. Normally cr50 enters deep sleep whenever TPM_RST_L is
asserted. New boards want to disable deep sleep during certain power
states. This vendor command allows the AP to disable deep sleep for the
next suspend cycle.
When deep sleep is disabled, cr50 modifies TPM_RST_L to be WAKE_HIGH and
sets it back to WAKE_LOW after TPM_RST_L is deasserted, so TPM_RST_L
doesn't constantly wake cr50 from regular sleep.
This uses 248 bytes
BUG=b:214479456
TEST=manual
# Check G3 resume works ok.
# Disable Deep Sleep from the AP. The vendor command is 59
# (0x3b)
trunks_send --raw 80010000000c20000000003b
ccdstate
DS Dis: on
AP > shutdown -P now
...
[454.992733 Block DS]
ccdstate
DS Dis: on
pinmux
40060018: DIOM3 0 IN WAKE_HIGH
idle
idle action: sleep
# Verify cr50 starts cycling through sleep spinner at two ticks
# a second.
EC > powerbtn
# check the cr50 console
...
A�UART on]
10/ 1 [102.484012 Missed edge]
[102.484352 deferred_tpm_rst_isr]
[102.484580 AP on]
[102.484779 set TPM wake]
[102.484981 tpm_reset_request(0, 0)]
[102.485279 tpm_reset_now(0)]
[547.928375 AP on]
[547.928615 set TPM wake]
pinmux
40060018: DIOM3 0 IN WAKE_LOW
# Disable Deep Sleep from the AP. The vendor command is 59
# (0x3b)
trunks_send --raw 80010000000c20000000003b
ccdstate
DS Dis: on
ecrst pulse
...
[602.638427 AP on]
[547.928615 set TPM wake]
[602.638668 tpm_reset_request(0, 0)]
...
ccdstate
DS Dis: off
# Check S3 resume works ok.
# Use AP commands to enter S3
AP > trunks_send --raw 80010000000c20000000003b
AP > echo deep > /sys/power/mem_sleep
AP > echo mem > /sys/power/state
10\ 1 [243.409412 dis DS]
1|[249.536811 tpm_rst_asserted]
[250.537197 AP off]
[250.537631 Block DS]
# Wake the AP with a power button press from the EC
EC > powerbtn
# verify cr50 prints "Missed edge", but the device resumes ok.
1/ 10- 1 [270.112655 Missed edge]
[270.113037 deferred_tpm_rst_isr]
[270.113315 AP on]
[270.113529 set TPM wake]
[270.113712 tpm_reset_request(0, 0)]
[270.114013 tpm_reset_now(0)]
[270.116996 tpm_init]
tpm_manufactured: manufactured
[270.118301 tpm_reset_now: done]
[270.156967 PinWeaver: Loading Tree!]
[270.189353 Skipping commit]
Change-Id: I96049a9d38b5c66acad9c73628f588f4cf6b2b3f
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3406587
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add "ERROR" and some exclamation points to make invalid strap messages
more noticeable.
BUG=b:214550629
TEST=look at invalid strap error messages on red board.
strap pin readings: a1:3 a9:1 a6:1 a12:3
[0.005569 WARN Ambiguous strap cfg. Use spi based on old brdprop.]
[0.006675 get_properties: ERROR NO TABLE ENTRY!!! cfg: 0x7 prop: 0x1]
strap pin readings: a1:3 a9:1 a6:1 a12:3
[0.005649 get_properties: ERROR INVALID STRAP PINS!!! cfg 0xd7 prop 0x42
Change-Id: Ie1e29fd4152a2b3f984989e37b771339895e6a0e
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3390071
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
| |
BUG=none
TEST=cr50 uses red board straps after power-on and hard resets.
Change-Id: I0ee4a48a3e8661565dede1f7686cf6b2e1181914
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3386406
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Log brdprop errors in flog, so the team can track brdprop errors from
the AP without grepping through cr50 logs.
BUG=b:214550629
TEST=flash on red board. Verify invalid strap events are logged.
enable closed-loop-reset on the red board. Verify "ambiguous" strap
logs are ignored.
Change-Id: Ibea73fb19119fa81ed3652c5d68e430cdbae9fa5
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3386405
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do FIPS power-on test on cold boot only and only redo it on wake
from sleep if there was an error earlier. However, when waking we didn't
set FIPS mode flags properly causing incorrect reporting of not-approved
mode while there are no errors.
On the other side, some nvmem code which doesn't use FIPS crypto was
calling crypto_enabled() before FIPS power-on tests where completed,
which caused failure of load_ec_hash when it was present. Adjust
behavior of crypto_enabled to only check for lack of FIPS errors, but
not completion of power-on tests. This way we unblock nvmem init code
early in the boot, while still block access if any FIPS errors happens
later.
BUG=none
TEST=make; in CCD - try idle d
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ibae3654cc1289fef439f9e03cb90170f3377f0da
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3373465
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It seems we have relatively high number of devices with slow TRNG,
mostly Octopus and Grunt platforms. To mitigate potential issues reduce
load on TRNG during witness generation in prime number check, relying
on already generated random from DRBG.
BUG=b:211648605
TEST=test/tpm_test/tpm_test.py - checking RSA key gen and that
deterministic key gen is not affected.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Id661ad4191321b761c25a5c1fc3bda10336feff9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3361250
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It seems we have relatively high number of devices with slow TRNG,
mostly Octopus and Grunt platforms. To mitigate potential issues
increased TRNG reset counts from 8 to 16 to give a chance to recover,
and updated recording of TRNG stall to record only first occurrence
of stall per 32-bit.
BUG=b:211648605
TEST=test/tpm_test/nist_entropy.sh - loads TRNG
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I11d0e9ca2955894b2ed95dbfbf71ad8ff153c53e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3358466
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replace int to size_t in DCRYPTO_x509_* functions to indicate that
returned value is actually a size.
Replaced int to enum dcrypto_result and removed arithmetic on enum in
DCRYPTO_x509_gen_u2f_cert_name() to make code clear.
Added intermediate variable certificate_len in GetG2fCert to make logic
clear. However, virtual nvmem requires further refactoring to replace
void with size_t to escalate errors if any.
Added check that G2F certificate is not all zeroes in tpm_test.py
BUG=b:212517336
TEST=test/tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I5ee4567219f43dd3c7e7ef7d260b446732c5c22d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3361100
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Logical error introduced in crrev.com/c/3179708 that causes x509 gen u2f
cert failed. Fix the incorrect interpretation of the `result` variable in
an `if` statement.
BUG=b:211820657
TEST=make buildall -j
TEST=manual test, u2fd get g2f certificate doesn't fail anymore
Change-Id: I37aaa5946c43896458c93a67352b5f2d92a1965a
Signed-off-by: Howard Yang <hcyang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3360325
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Logical error was introduced in crrev.com/c/3119223 which resulted in
failing attempts to read G2F certificate from virtual nvmem.
This CL fixes it and adds a test for this command.
BUG=b:211820657
TEST=make BOARD=cr50; test/tpm_test/tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I3c46e9e050d5084dbac1b0a7c3d7e378987a3759
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3359755
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify the hash_command_handler print statements, so it's easy to tell
the difference between firmware and hardware hash commands with the
console output.
BUG=b:210879337
TEST=make -j BOARD=cr50 CRYPTO_TEST=1
Change-Id: I0fca79c102cd284b564fe6ca8464c22c1629e2a0
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3345983
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Only default to SPI and PLT_RST when no valid properties are found.
BUG=b:210760012
TEST=make clobber ; make -j BOARD=cr50 CRYPTO_TEST=1 H1_RED_BOARD=1
Change-Id: Ic2842bc305322deb5fdc43e1d3487d499e9cb23b
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3341778
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the keep_ec_in_reset call into do_ap_ro_check, so AP RO
verification will hold the EC in reset when it's triggered from the AP.
This change removes the ap_ro_verification_failed_ variable, so all of
the AP RO verification is included in ap_ro_info. ap_ro_ver_state isn't
needed anymore, so this CL removes it.
BUG=b:207545621
TEST=make clobber ; make buildall -j
Change-Id: Id0b2e04b042d48f2b8a9dae021e762369ca5f3eb
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3300174
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AP RO verification test keys in vboot_reverence have been updated, by
crrev.com/c/3297447, this patch brings the root public key payload hash
in sync.
BUG=b:141191727
TEST=built a Cr50 image for guybrush and used it to verify AP RO hash
signed with the new test key.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I121d3738db28e473e2bfd1f8fcf8c7681bad1ddd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3298880
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
| |
|
|
|
|
|
|
|
|
| |
BUG=b:173227629
TEST=make buildall -j
Change-Id: Iaf8028984cc58cc4108907fdba4ea4b38c43cf70
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3293250
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Ignore self-integrity error only for CRYPTO_TEST=1
2. Adjust logic around FIPS_MODE_ACTIVE flag with test reruns during
simulation. This flag should be set if no FIPS errors detected.
Existing logic never reset this bit in case of errors and didn't
update it in case of test reruns.
BUG=b:138578318
TEST=make BOARD=cr50 CRYPTO_TEST=1
in ccd: fips test
fips sha
fips test - should display error code 0x40000010
ChromeOS is booting fine.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ifddb7d091954737ad7db86afccc199069143fa06
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3261382
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixing build error arm-eabi/bin/ld: Not enough space for shared memory.
collect2: error: ld returned 1 exit status
make: *** [Makefile.rules:472: build/cr50/RW/ec.RW.elf] Error 1
Crypto tests doesn't use much shared memory, but allocate more data
statically.
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Id0e01481c9fd481955c11b5d7ef63251585cfe48
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3251702
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cr50 is getting new CCD capabilities. The GUC image won't have them.
This change adds 0.3.22 to the versions, so cr50 will set all
capabilities including the new ones to Always after the first update in
the factory.
BUG=none
TEST=cr50 prints the GUC message if 0.0.22, 0.0.13, or 0.3.22 are in the
inactive region. It doesn't with 0.5.51
Change-Id: Idc8d7b8a0687d36f59aaad31cd5ce026ab351a7d
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3237199
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certain test configurations present a problem for the raiden protocol
V2 implementation on the Cr50 side, which result in random SPI read
failures.
While the issue is still being investigated this patch offers a
workaround, where SPI and USB transactions are not overlaid, the
driver first reads the entire requested number of bytes into a buffer,
and then sends them to the host in multiple USB packets.
Since buffer memory can not be permanently dedicated to the driver, it
uses dynamic allocation to acquire the buffer. The allocation could
fail, for instance when the flashrom operation is requested soon after
startup and heap memory is used for NVMEM compaction. If the
allocation fails, the driver sends an error packet to the host, and
the host requests to restart the response. To be able to restart the
response the driver now stores the request.
With some instrumentation, measurements taken on reading of 200 2040
byte blocks have shown that memory was held by this driver for 94% of
the duration.
To address the case when flashrom session is interrupted mid PDU
transfer, do not wait for the transmit queue to become available for
more than 500 ms. In case the queue gets stuck return without waiting
any more, this will make sure the allocated buffer is freed.
BUG=b:196820680
TEST=successfully ran hundreds of cycles of read, and read and write
on the setup which exhibits the problem without this patch on
pretty much every read attempt.
The slow down caused by this change is pretty small: average of
five attempts to read 16MB of SPI flash on guybrush device take
50.560s before this change and 51.267s after this change, which
is a 1.7% slowdown.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I82c98f912a8763b7e242dad48997a8d2ffbaf29a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3188568
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
u2f_generate() may return partially initialized key handle in case of
ECDSA error, and u2f_sign() and u2f_attest() may return garbage in the
signature. While error codes are properly handled by the callers, it
is better to implement defense in depth and clean all residual data.
This is also helpful for FIPS testing demo when actual zeroes are more
convincing than just error codes. Example is proposed method for ECDSA
pair-wise consistency testing, when injection of error in PWCT should
result in clearly visible error status.
BUG=b:198219806
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1
fips pwct
u2f_test - should return zero in key handle, public key and signatures.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I7ad0c69563a215aade00d495c0623f6c6e00b755
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3224360
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As a result of further discussion GVD layout has been changed to
include signature and root key headers in the GVD header. This patch
makes modification to accommodate the new header structure.
BUG=b:141191727
TEST=A guybrush RO image created in vboot reference tree as follows:
build/futility/futility vbutil_keyblock --pack ~/tmp/packed \
--datapubkey tests/devkeys/firmware_data_key.vbpubk \
--signprivate tests/devkeys/kernel_subkey.vbprivk
build/futility/futility gscvd --outfile ~/tmp/guybrush-signed \
-R 818100:10000,f00000:100,f80000:2000,f8c000:1000 \
-k ~/tmp/packed -p tests/devkeys/firmware_data_key.vbprivk \
-b 5a5a4352 -r tests/devkeys/kernel_subkey.vbpubk \
~/tmp/image-guybrush.serial.bin
A guybrush device was programmed with ~/tmp/guybrush-signed, and AP
RO verification was attempted by pressing the appropriate button
combination, GVD verification succeeded.
Generate a signed image again, using an incorrect Board ID value, try
verification, observe failure due to incorrect Board ID.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I4da753649eef6e10353619e0f7af19d2f6846b75
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3224808
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Intent of pair-wise consistency test is to ensure that private key
matches the public key, so update what we change when simulating error.
BUG=b:198219806
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1;
u2f_test; passes
fips pwct
u2f_test; fails on u2f_generate, u2f_sign and u2f_attest.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I35de5608184fc9f28db4912f2b62795d53d48f43
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3229800
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Once all H1 Entropy tests completed at different environmental points
our entropy estimate changed to value 0.77. Also we decided to use
alpha = 2^-39 vs. 2^-40. This requires change of RCT and APT cutoff
values.
RCT cutoff value changed to compile-time constant computation, added
static asserts to make sure it is valid and matches known values.
APT cutoff can't be computed at compile time and updated to values
matching entropy and alpha.
Updated entropy size for instantiation of FIPS DRBG.
Reseeding interval is reduced to 1000 from 10000 to make it more
non-deterministic. Performance impact is very low - can't even measure
it precisely.
BUG=b:138577834
TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I38735492d072b3d4445fca926524ef1c159627a5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3223967
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the IGNORE_SERVO warning to the end of ccdblock output, so it
doesn't break up the ports blocked.
BUG=none
TEST=enable ccdblock EC_CR50_COMM and IGNORE_SERVO. Verify EC_CR50_COMM
shows up in the port blocked field.
> ccdblock
CCD ports blocked: EC_CR50_COMM IGNORE_SERVO
WARNING: enabling UART while servo is connected may damage hardware
Change-Id: I423f05d3d4c097c2e2fc2fd6db83a8d1f6b410a0
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219761
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With planned upgrade to gcc 11.2 we need to make sure it will not fail
cr50 build as it will be a reason to revert. gcc 11.2 gives us 1768 b
back after TPM2 LTO, but it changes default linker behavior and produce
LTO object file during partial link unless -flinker-output=nolto-rel is
used. This option however fail 8.3 build.
Also, gcc 11.2 introduced new optimization path IPA modref which doesn't
play nice with LTO and partial link used together, causing gcc crash.
To overcome this issue add -fno-ipa-modref when gcc 11.2 is used. This
results in almost no impact on code size.
BUG=none
TEST=make BOARD=cr50 tested with gcc 8.3 and gcc 11.2
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I78a3b3403e84dc4a426dede02b399d9d249ece81
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3218577
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Patrick Georgi <pgeorgi@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Introduced AES register structure and replaced register access with
accesses to fields. In many cases it reduce code size and number of
instructions.
2. Deduplication between AES implementation and App Cipher which use
AES engine with key coming from key ladder. Added internal function
dcrypto_aes_process() which applies current AES configuration to
aligned data in highly optimized manner, same as previous outer_loop
and inner_loop() functions.
Overall it saves 322 bytes with gcc 8.3
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
In ccd: cipher [to test app_cipher];
TCG Tests.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I6551e21e5e8798aa4691cb6ba476d565778cea3d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3213610
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move declarations of AES-GCM, AES-CMAC, ECIES, HKDF and few other
functions from dcrypto.h into internal.h.
Merge tpm2/hkdf.c into dcrypto/hkdf.c. It contains only function used
for testing and HKDF itself is only used for CRYPTO_TEST=1.
BUG=b:134594373
TEST=make buildall -j; make BOARD=cr50 CRYPTO_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I56c03ff4e8838871cdb28c0d9946c39754d9e054
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219576
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Add test commands to break all KAT tests [fips hmac/drbg/ecdsa/pwct]
2) To support PWCT demo reduced number of attempts to retrieve valid
p256 key candidate to 16. Probability of false negative would be less
than 2^-4080 (255*16), but will prevent DoS attack if it consistently
fails for real reasons.
3) Fixed HMAC KAT test failure (was bound SHA failure earlier).
BUG=b:138576604
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1
In ccd:
fips
fips hmac
fips test - see FIPS error
reboot
fips drbg
fips test - see FIPS error
reboot
fips ecdsa
fips test - see FIPS error
reboot
fips pwct
u2f_test - see NOT PASSED of u2f_generate/u2f_sign
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0a812075bb2436f5823eff446b725f19974a2a31
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221770
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Block EC UART output and EC COMM with 'ccdblock TRISTATE_EC enable'.
This removes the EC UART output, prevents EC-EFS2, and removes the
pulldown from the EC RX signal.
This is used for flashing the EC with c2d2. It's only available when CCD
is enabled.
BUG=b:202464674
TEST=manual
# Disconnect servo. Verify EC tx is disabled and there's no pull
# down after tristating the EC
> ccdblock TRISTATE_EC enable
CCD ports blocked: EC IGNORE_SERVO
WARNING: enabling UART while servo is connected may damage
hardware EC_CR50_COMM TRISTATE_EC
> pinmux
...
400600c8: DIOB5 0 IN
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
> ccdstate
...
State flags: UARTAP USBEC+TX
CCD ports blocked: EC EC_CR50_COMM TRISTATE_EC
...
# Check UART TX is re-enabled after disabling TRISTATE_EC
> ccdblock TRISTATE_EC disable
CCD ports blocked: (none)
> ccdstate
...
State flags: UARTAP+TX UARTEC+TX I2C SPI USBEC+TX
CCD ports blocked: (none)
...
> pinmux
...
400600c8: DIOB5 78 IN UART2_TX
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
# Connect servo, so cr50 disables the EC UART on it's own.
# Verify the pulldown is removed after tristating the EC.
> ccdstate
...
State flags: UARTAP UARTEC USBEC+TX
CCD ports blocked: (none)
> pinmux
...
400600c8: DIOB5 0 IN PD
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
> ccdblock TRISTATE_EC enable
CCD ports blocked: EC EC_CR50_COMM TRISTATE_EC
> ccdstate
...
State flags: UARTAP USBEC+TX
CCD ports blocked: EC EC_CR50_COMM TRISTATE_EC
# Check PD is removed from DIOB5
> pinmux
...
400600c8: DIOB5 0 IN
400600d0: DIOB6 16 IN GPIO0_GPIO15
...
# Check PD is re-enabled after disabling TRISTATE_EC
> ccdblock TRISTATE_EC disable
CCD ports blocked: (none)
> ccdstate
...
State flags: UARTAP UARTEC USBEC+TX
CCD ports blocked: (none)
> pinmux
...
400600c8: DIOB5 0 IN PD
400600d0: DIOB6 16 IN GPIO0_GPIO15
Change-Id: I7bde996be3914bd5d625ad99e418f9bd2c0f41d1
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219760
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the AP is off, cr50 doesn't need to enable the AP UART. Having it
enabled could cause power leakage if the signals aren't terminated
correctly. Check ap_is_on and ap_uart_is_on before enabling the AP
UART.
BUG=b:136602563
TEST=firmware_Cr50DeviceState
Change-Id: I192bdc4caef8cfa0ce6d8a3ca181b16388e35cd4
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3219756
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to reduce code footprint, do not link TPM2 library modules,
instead build TPM2 as a single relocatable object module, a collection
of library sources compiled and linked with LTO enabled.
BUG=b:65253310
TEST=observed code space reduced by 1428 bytes, the bss_libtpm2
section remained practically unchanged:
before:
*** 5548 bytes in flash and 5652 bytes in RAM still ...
000104d0 B __bss_libtpm2_start
000155d7 B __bss_libtpm2_end
after:
*** 6976 bytes in flash and 5652 bytes in RAM still ...
000104d0 B __bss_libtpm2_start
000155d4 B __bss_libtpm2_end
Verified that the new Cr50 image allows a Chrome OS to successfully
boot and restart.
Cq-Depend: chromium:3210050
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I32335df29a332da115d8af56c157d5ad4189e9b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210510
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
