From 282765fdd409fd16ed1e092e5d7fee8de5af7a5a Mon Sep 17 00:00:00 2001 From: Randall Spangler Date: Wed, 21 Jun 2017 13:10:57 -0700 Subject: common: Add RMA reset auth challenge-response crypto RMA auth uses X25519 to generate a relatively small challenge and response. Currently, nothing calls the rma_auth code. We'll need console and TPM vendor commands to do so. BUG=b:37952913 BRANCH=none TEST=make buildall Change-Id: Iec7f2d0e3dc8243f79b009ead16bb3ba9f1bef9d Signed-off-by: Randall Spangler Reviewed-on: https://chromium-review.googlesource.com/544184 --- include/rma_auth.h | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 include/rma_auth.h (limited to 'include/rma_auth.h') diff --git a/include/rma_auth.h b/include/rma_auth.h new file mode 100644 index 0000000000..db39468595 --- /dev/null +++ b/include/rma_auth.h @@ -0,0 +1,80 @@ +/* Copyright 2017 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +/* RMA challenge-response */ + +#ifndef __CROS_EC_RMA_AUTH_H +#define __CROS_EC_RMA_AUTH_H + +#include + +/* Test server public and private keys */ +#define RMA_TEST_SERVER_PUBLIC_KEY { \ + 0x03, 0xae, 0x2d, 0x2c, 0x06, 0x23, 0xe0, 0x73, \ + 0x0d, 0xd3, 0xb7, 0x92, 0xac, 0x54, 0xc5, 0xfd, \ + 0x7e, 0x9c, 0xf0, 0xa8, 0xeb, 0x7e, 0x2a, 0xb5, \ + 0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f} +#define RMA_TEST_SERVER_PRIVATE_KEY { \ + 0x47, 0x3b, 0xa5, 0xdb, 0xc4, 0xbb, 0xd6, 0x77, \ + 0x20, 0xbd, 0xd8, 0xbd, 0xc8, 0x7a, 0xbb, 0x07, \ + 0x03, 0x79, 0xba, 0x7b, 0x52, 0x8c, 0xec, 0xb3, \ + 0x4d, 0xaa, 0x69, 0xf5, 0x65, 0xb4, 0x31, 0xad} +#define RMA_TEST_SERVER_KEY_ID 0x10 + +/* Current challenge protocol version */ +#define RMA_CHALLENGE_VERSION 0 + +/* Getters and setters for version_key_id byte */ +#define RMA_CHALLENGE_VKID_BYTE(version, keyid) \ + (((version) << 6) | ((keyid) & 0x3f)) +#define RMA_CHALLENGE_GET_VERSION(vkidbyte) ((vkidbyte) >> 6) +#define RMA_CHALLENGE_GET_KEY_ID(vkidbyte) ((vkidbyte) & 0x3f) + +struct __packed rma_challenge { + /* Top 2 bits are protocol version; bottom 6 are server KeyID */ + uint8_t version_key_id; + + /* Ephemeral public key from device */ + uint8_t device_pub_key[32]; + + /* Board ID (.type) */ + uint8_t board_id[4]; + + /* Device ID */ + uint8_t device_id[8]; +}; + +/* Size of encoded challenge and response, and buffer sizes to hold them */ +#define RMA_CHALLENGE_CHARS 80 +#define RMA_CHALLENGE_BUF_SIZE (RMA_CHALLENGE_CHARS + 1) + +#define RMA_AUTHCODE_CHARS 8 +#define RMA_AUTHCODE_BUF_SIZE (RMA_AUTHCODE_CHARS + 1) + +/** + * Create a new RMA challenge/response + * + * @return EC_SUCCESS, EC_ERROR_TIMEOUT if too soon since the last challenge, + * or other non-zero error code. + */ +int rma_create_challenge(void); + +/** + * Get the current challenge string + * + * @return a pointer to the challenge string. String will be empty if there + * is no active challenge. + */ +const char *rma_get_challenge(void); + +/** + * Try a RMA authorization code + * + * @param code Authorization code to try + * @return EC_SUCCESS if the response was correct, or non-zero error code. + */ +int rma_try_authcode(const char *code); + +#endif -- cgit v1.2.1