From 700b0ef9d5533d3650d58ca4e4ad4344b197d605 Mon Sep 17 00:00:00 2001 From: Andrey Pronin Date: Tue, 25 Jun 2019 16:25:51 -0700 Subject: cr50: add RSU Dev ID vNVRAM space MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This CL adds a vNVRAM space that exposes RSU Device ID for userland. BRANCH=none BUG=b:136091350 TEST=Verify that RSU Device ID reported through vNVRAM that uses this      new method matches the same ID calculated from device ID in G2FA      certificate: hex_to_binary_file() { local hex_value="$1" local file_name="$2" local escaped_string="$(echo -n "${hex_value}" | \ sed 's/.\{2\}/\\x&/g')" echo -n -e "${escaped_string}" >"${file_name}" } trunks_send --u2f_cert --crt=/tmp/cert serial="$(openssl x509 -in /tmp/cert -inform der -noout -serial | \ sed 's/serial=\s*//')" chip_id="$(printf "%64s" ${serial} | sed 's/ /0/g' | \ sed 's/.\{2\}/& /g' | tac -s' ' | sed 's/ //g')" hex_to_binary_file "${chip_id}" /tmp/chip rma_device_id="$(openssl sha -sha256 -mac hmac \ -macopt hexkey:"${chip_id}" -hex /tmp/chip | \ sed 's/.*=\s*//' | cut -c1-16)" hex_to_binary_file "${rma_device_id}" /tmp/data rsu_salt="Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh" echo -n ${rsu_salt} >> /tmp/data rsu_device_id="$(openssl sha -sha256 -hex /tmp/data | \ sed 's/.*=\s*//')" hex_to_binary_file "${rsu_device_id}" /tmp/rsu_device_id tpm_manager_client read_space --index=0x013fff03 --file=/tmp/vnvram if diff -q /tmp/rsu_device_id /tmp/vnvram; then echo "OK" else echo "Wrong vNVRAM" fi Change-Id: I0f577a54f74da9ef70a092e024b51c7c8219a605 Signed-off-by: Andrey Pronin Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1677238 Reviewed-by: Louis Collard Reviewed-by: Vadim Bendebury --- board/cr50/tpm2/virtual_nvmem.c | 32 ++++++++++++++++++++++++++++++++ board/cr50/tpm2/virtual_nvmem.h | 2 ++ 2 files changed, 34 insertions(+) (limited to 'board/cr50')
diff --git a/board/cr50/tpm2/virtual_nvmem.c b/board/cr50/tpm2/virtual_nvmem.c
index 7d637cdcb6..8d3dbc0dec 100644
--- a/board/cr50/tpm2/virtual_nvmem.c
+++ b/board/cr50/tpm2/virtual_nvmem.c
@@ -9,7 +9,9 @@
 #include "board_id.h"
 #include "console.h"
+#include "cryptoc/sha256.h"
 #include "link_defs.h"
+#include "rma_auth.h"
 #include "sn_bits.h"
 #include "u2f_impl.h"
 #include "virtual_nvmem.h"
@@ -127,6 +129,14 @@ struct virtual_nv_index_cfg {
 #define REGISTER_DEPRECATED_CONFIG(r_index) \
 REGISTER_CONFIG(r_index, 0, 0)
+
+/*
+ * The salt to be mixed in with RMA device ID to produce RSU device ID.
+ */
+#define RSU_SALT_SIZE 32
+const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";
+BUILD_ASSERT(ARRAY_SIZE(kRsuSalt) == RSU_SALT_SIZE+1);
+
 /*
  * Registration of current virtual indexes.
  *
@@ -141,6 +151,7 @@ struct virtual_nv_index_cfg {
 static void GetBoardId(BYTE *to, size_t offset, size_t size);
 static void GetSnData(BYTE *to, size_t offset, size_t size);
 static void GetG2fCert(BYTE *to, size_t offset, size_t size);
+static void GetRSUDevID(BYTE *to, size_t offset, size_t size);
 static const struct virtual_nv_index_cfg index_config[] = {
 REGISTER_CONFIG(VIRTUAL_NV_INDEX_BOARD_ID,
@@ -152,6 +163,9 @@ static const struct virtual_nv_index_cfg index_config[] = {
 REGISTER_CONFIG(VIRTUAL_NV_INDEX_G2F_CERT,
 VIRTUAL_NV_INDEX_G2F_CERT_SIZE,
 GetG2fCert)
+ REGISTER_CONFIG(VIRTUAL_NV_INDEX_RSU_DEV_ID,
+ VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE,
+ GetRSUDevID)
 };
 /* Check sanity of above config. */
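Review bot: `kRsuSalt` is given external linkage (`const char kRsuSalt[] = ...`) although the new prototype in the same file is `static` and nothing in the patch declares the salt in the header; `static const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";` keeps it out of the global namespace. The comment above it should also say what the salt is and is not: it is visibly a public constant (the same string appears in the commit's test script), so it only domain-separates the RSU device ID from the RMA device ID and adds no secrecy — anyone holding the RMA device ID can compute the RSU ID, while the reverse requires inverting SHA-256. Suggest extending the comment with ` * Public constant, not a secret: it provides domain separation only; the RSU ID is derivable from the RMA ID.` and, as a style nit, writing the assert as `RSU_SALT_SIZE + 1` to match the spacing used elsewhere in the file.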
@@ -335,3 +349,21 @@ static void GetG2fCert(BYTE *to, size_t offset, size_t size)
 }
 BUILD_ASSERT(VIRTUAL_NV_INDEX_G2F_CERT_SIZE == G2F_ATTESTATION_CERT_MAX_LEN);
+
+static void GetRSUDevID(BYTE *to, size_t offset, size_t size)
+{
+ LITE_SHA256_CTX ctx;
+ uint8_t rma_device_id[RMA_DEVICE_ID_SIZE];
+ const uint8_t *rsu_device_id;
+
+ get_rma_device_id(rma_device_id);
+
+ SHA256_init(&ctx);
+ HASH_update(&ctx, rma_device_id, sizeof(rma_device_id));
+ HASH_update(&ctx, kRsuSalt, RSU_SALT_SIZE);
+ rsu_device_id = HASH_final(&ctx);
+
+ memcpy(to, rsu_device_id + offset, size);
+}
+BUILD_ASSERT(VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE ==
+ SHA256_DIGEST_SIZE);
diff --git a/board/cr50/tpm2/virtual_nvmem.h b/board/cr50/tpm2/virtual_nvmem.h
index ff1cc7991d..8321daa88c 100644
--- a/board/cr50/tpm2/virtual_nvmem.h
+++ b/board/cr50/tpm2/virtual_nvmem.h
@@ -24,6 +24,7 @@ enum virtual_nv_index {
 VIRTUAL_NV_INDEX_BOARD_ID = VIRTUAL_NV_INDEX_START,
 VIRTUAL_NV_INDEX_SN_DATA,
 VIRTUAL_NV_INDEX_G2F_CERT,
+VIRTUAL_NV_INDEX_RSU_DEV_ID,
 VIRTUAL_NV_INDEX_END,
 };
 /* Reserved space for future virtual indexes; this is the last valid index. */
@@ -35,5 +36,6 @@ enum virtual_nv_index {
 #define VIRTUAL_NV_INDEX_BOARD_ID_SIZE 12
 #define VIRTUAL_NV_INDEX_SN_DATA_SIZE 16
 #define VIRTUAL_NV_INDEX_G2F_CERT_SIZE 315
+#define VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE 32
 #endif /* __EC_BOARD_CR50_TPM2_VIRTUAL_NVMEM_H */
-- cgit v1.2.1
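Review bot: `memcpy(to, rsu_device_id + offset, size)` in GetRSUDevID copies out of a 32-byte digest with no check that `offset + size <= SHA256_DIGEST_SIZE`; presumably the vNVRAM read dispatcher clamps the request to the size registered for VIRTUAL_NV_INDEX_RSU_DEV_ID and the sibling getters rely on the same thing, but their bodies are outside this hunk, so the contract should be stated on the function rather than left implicit. Suggest a header comment such as `/* Precondition: caller has bounded offset + size to VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE (== SHA256_DIGEST_SIZE); nothing here re-checks it. */`. The digest is also recomputed on every call, including each partial (offset, size) read — acceptable for a rarely-read index, but a one-line note would stop a later reader from assuming it is cached. Since the salt is a public constant and the input is the RMA device ID, the comment could add that this index is a stable, device-bound identifier, not an authenticator.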