authorAndrey Pronin <apronin@chromium.org>2019-06-25 16:25:51 -0700
committerVadim Bendebury <vbendeb@chromium.org>2019-09-21 19:11:25 -0700
commit43834b9cbac633b1fcf2c855502f36d774d15ab8 (patch)
tree8a33de544fbd445ca1cb7ee2e47c61933c5717d5
parentdb8c2aa8aa6a1a42fe31154d4d874f94bf474ff1 (diff)
downloadchrome-ec-43834b9cbac633b1fcf2c855502f36d774d15ab8.tar.gz
cr50: add RSU Dev ID vNVRAM space
This CL adds a vNVRAM space that exposes RSU Device ID for userland. BRANCH=none BUG=b:136091350 TEST=Verify that RSU Device ID reported through vNVRAM that uses this      new method matches the same ID calculated from device ID in G2FA      certificate: hex_to_binary_file() { local hex_value="$1" local file_name="$2" local escaped_string="$(echo -n "${hex_value}" | \ sed 's/.\{2\}/\\x&/g')" echo -n -e "${escaped_string}" >"${file_name}" } trunks_send --u2f_cert --crt=/tmp/cert serial="$(openssl x509 -in /tmp/cert -inform der -noout -serial | \ sed 's/serial=\s*//')" chip_id="$(printf "%64s" ${serial} | sed 's/ /0/g' | \ sed 's/.\{2\}/& /g' | tac -s' ' | sed 's/ //g')" hex_to_binary_file "${chip_id}" /tmp/chip rma_device_id="$(openssl sha -sha256 -mac hmac \ -macopt hexkey:"${chip_id}" -hex /tmp/chip | \ sed 's/.*=\s*//' | cut -c1-16)" hex_to_binary_file "${rma_device_id}" /tmp/data rsu_salt="Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh" echo -n ${rsu_salt} >> /tmp/data rsu_device_id="$(openssl sha -sha256 -hex /tmp/data | \ sed 's/.*=\s*//')" hex_to_binary_file "${rsu_device_id}" /tmp/rsu_device_id tpm_manager_client read_space --index=0x013fff03 --file=/tmp/vnvram if diff -q /tmp/rsu_device_id /tmp/vnvram; then echo "OK" else echo "Wrong vNVRAM" fi Change-Id: I0f577a54f74da9ef70a092e024b51c7c8219a605 Signed-off-by: Andrey Pronin <apronin@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1677238 Reviewed-by: Louis Collard <louiscollard@chromium.org> Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> (cherry picked from commit 700b0ef9d5533d3650d58ca4e4ad4344b197d605) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1684234 Tested-by: Vadim Bendebury <vbendeb@chromium.org> Commit-Queue: Vadim Bendebury <vbendeb@chromium.org> (cherry picked from commit 9d4fa0aa22ab4f80b3aab43c19a58e5fa7c2d53d) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1705743 (cherry picked from 
commit 85d1d3d0f1925f74a983dc77dab746ae19cd62cc)
-rw-r--r--board/cr50/tpm2/virtual_nvmem.c32
-rw-r--r--board/cr50/tpm2/virtual_nvmem.h2
2 files changed, 34 insertions, 0 deletions
diff --git a/board/cr50/tpm2/virtual_nvmem.c b/board/cr50/tpm2/virtual_nvmem.c
index 7d637cdcb6..8d3dbc0dec 100644
--- a/board/cr50/tpm2/virtual_nvmem.c
+++ b/board/cr50/tpm2/virtual_nvmem.c
@@ -9,7 +9,9 @@
#include "board_id.h"
#include "console.h"
+#include "cryptoc/sha256.h"
#include "link_defs.h"
+#include "rma_auth.h"
#include "sn_bits.h"
#include "u2f_impl.h"
#include "virtual_nvmem.h"
@@ -127,6 +129,14 @@ struct virtual_nv_index_cfg {
#define REGISTER_DEPRECATED_CONFIG(r_index) \
REGISTER_CONFIG(r_index, 0, 0)
+
+/*
+ * The salt to be mixed in with RMA device ID to produce RSU device ID.
+ */
+#define RSU_SALT_SIZE 32
+const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";
+BUILD_ASSERT(ARRAY_SIZE(kRsuSalt) == RSU_SALT_SIZE+1);
+
/*
* Registration of current virtual indexes.
*
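Review bot: `kRsuSalt` on the line `const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";` is a file-scope definition with external linkage, yet nothing in this commit declares it in virtual_nvmem.h and only this file consumes it; make it `static const char kRsuSalt[] = "Wu8oGt0uu0H8uSGxfo75uSDrGcRk2BXh";` so it cannot collide with or be picked up by another translation unit. The comment above it should also state what the salt is and is not: it is a fixed, public domain-separation string (it appears verbatim in the commit message), so the RSU device ID gains no secrecy from it, only separation from other derivations of the RMA device ID. I would replace the comment with `/* Fixed, public domain-separation string hashed after the RMA device ID to derive the RSU device ID. Not a secret; changing it changes the RSU device ID reported by every device. */`. The BUILD_ASSERT only pins the string length, so the "do not change" aspect is worth spelling out for future maintainers.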
@@ -141,6 +151,7 @@ struct virtual_nv_index_cfg {
static void GetBoardId(BYTE *to, size_t offset, size_t size);
static void GetSnData(BYTE *to, size_t offset, size_t size);
static void GetG2fCert(BYTE *to, size_t offset, size_t size);
+static void GetRSUDevID(BYTE *to, size_t offset, size_t size);
static const struct virtual_nv_index_cfg index_config[] = {
REGISTER_CONFIG(VIRTUAL_NV_INDEX_BOARD_ID,
@@ -152,6 +163,9 @@ static const struct virtual_nv_index_cfg index_config[] = {
REGISTER_CONFIG(VIRTUAL_NV_INDEX_G2F_CERT,
VIRTUAL_NV_INDEX_G2F_CERT_SIZE,
GetG2fCert)
+ REGISTER_CONFIG(VIRTUAL_NV_INDEX_RSU_DEV_ID,
+ VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE,
+ GetRSUDevID)
};
/* Check sanity of above config. */
@@ -335,3 +349,21 @@ static void GetG2fCert(BYTE *to, size_t offset, size_t size)
}
BUILD_ASSERT(VIRTUAL_NV_INDEX_G2F_CERT_SIZE ==
G2F_ATTESTATION_CERT_MAX_LEN);
+
+static void GetRSUDevID(BYTE *to, size_t offset, size_t size)
+{
+ LITE_SHA256_CTX ctx;
+ uint8_t rma_device_id[RMA_DEVICE_ID_SIZE];
+ const uint8_t *rsu_device_id;
+
+ get_rma_device_id(rma_device_id);
+
+ SHA256_init(&ctx);
+ HASH_update(&ctx, rma_device_id, sizeof(rma_device_id));
+ HASH_update(&ctx, kRsuSalt, RSU_SALT_SIZE);
+ rsu_device_id = HASH_final(&ctx);
+
+ memcpy(to, rsu_device_id + offset, size);
+}
+BUILD_ASSERT(VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE ==
+ SHA256_DIGEST_SIZE);
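Review bot: GetRSUDevID copies `size` bytes from `rsu_device_id + offset` with no check that `offset + size` stays within the 32-byte digest, so it relies on the vNVRAM read path (not in this hunk) having already validated the range against VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE; that precondition should be written down, and the function currently has no header comment at all. I would add above the definition: `/* Copies bytes [offset, offset + size) of the RSU device ID, defined as SHA256(rma_device_id || kRsuSalt), into `to`. Caller must guarantee offset + size <= VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE. */`. The return value of `get_rma_device_id(rma_device_id)` is also discarded; if that helper can report failure, the hash would be computed over an uninitialized `rma_device_id` and the result exported to userland, so either check its return or note in the comment that it cannot fail. Recomputing the SHA-256 on every chunked read is harmless but worth a one-line remark so nobody later caches the digest in a static buffer without considering the fresh-per-call semantics.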
diff --git a/board/cr50/tpm2/virtual_nvmem.h b/board/cr50/tpm2/virtual_nvmem.h
index ff1cc7991d..8321daa88c 100644
--- a/board/cr50/tpm2/virtual_nvmem.h
+++ b/board/cr50/tpm2/virtual_nvmem.h
@@ -24,6 +24,7 @@ enum virtual_nv_index {
VIRTUAL_NV_INDEX_BOARD_ID = VIRTUAL_NV_INDEX_START,
VIRTUAL_NV_INDEX_SN_DATA,
VIRTUAL_NV_INDEX_G2F_CERT,
+ VIRTUAL_NV_INDEX_RSU_DEV_ID,
VIRTUAL_NV_INDEX_END,
};
/* Reserved space for future virtual indexes; this is the last valid index. */
@@ -35,5 +36,6 @@ enum virtual_nv_index {
#define VIRTUAL_NV_INDEX_BOARD_ID_SIZE 12
#define VIRTUAL_NV_INDEX_SN_DATA_SIZE 16
#define VIRTUAL_NV_INDEX_G2F_CERT_SIZE 315
+#define VIRTUAL_NV_INDEX_RSU_DEV_ID_SIZE 32
#endif /* __EC_BOARD_CR50_TPM2_VIRTUAL_NVMEM_H */