authorVadim Sukhomlinov <sukhomlinov@google.com>2020-07-27 14:42:55 -0700
committerCommit Bot <commit-bot@chromium.org>2020-07-29 06:54:48 +0000
commit7c6ed95d0f454d5496f8104d5cb4244c3999b5b5 (patch)
tree9416281449431960e18165457b0f825ac9f20c69
parent623a6f4730414586a376faa7cc16aa239590f3c2 (diff)
downloadchrome-ec-7c6ed95d0f454d5496f8104d5cb4244c3999b5b5.tar.gz
fips: move FIPS error injection under CR50_DEV
Prevent access to FIPS CCD commands which can inject errors due to unclear security impact. Instead, made them available only in CR50_DEV builds. Same with vendor commands - moved them from CRYPTO_TEST to under CR50_DEV. BUG=b:138577491 TEST=help fips, fips sha/trng - ignored Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: Ic86db02f2c9c5abbea8f3f23ee56a5f5f570e177 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2321344 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Mary Ruthven <mruthven@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/fips.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/board/cr50/fips.c b/board/cr50/fips.c
index 5844a1d637..c0f22f0ca6 100644
--- a/board/cr50/fips.c
+++ b/board/cr50/fips.c
@@ -757,17 +757,18 @@ static int cmd_fips_status(int argc, char **argv)
if (argc == 2) {
if (!strncmp(argv[1], "on", 2))
fips_set_policy(true);
-#ifdef CR50_DEV
- else if (!strncmp(argv[1], "off", 3))
- fips_set_policy(false);
-#endif
else if (!strncmp(argv[1], "test", 4)) {
fips_print_test_time(fips_power_up_tests());
fips_print_mode();
- } else if (!strncmp(argv[1], "trng", 4))
+ }
+#ifdef CR50_DEV
+ else if (!strncmp(argv[1], "off", 3))
+ fips_set_policy(false);
+ else if (!strncmp(argv[1], "trng", 4))
fips_break_cmd = FIPS_BREAK_TRNG;
else if (!strncmp(argv[1], "sha", 3))
fips_break_cmd = FIPS_BREAK_SHA256;
+#endif
}
return 0;
}
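Review bot: An argument that matches none of the branches still falls through to `return 0;`, so on a non-CR50_DEV image `fips trng` or `fips sha` now reports success while doing nothing (the commit's TEST line describes them as "ignored"). A final branch placed after the `#endif`, e.g. `else return EC_ERROR_PARAM1;`, would make the rejection visible to whoever is driving the console in both build configurations. The comparisons are also prefix matches (`strncmp(argv[1], "on", 2)` accepts any word that starts with "on"), so a policy change can be triggered by a mistyped argument; comparing the whole token would be stricter. cmd_fips_status begins outside the hunk, so the handling for other argc values is not visible here.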
@@ -776,7 +777,7 @@ DECLARE_SAFE_CONSOLE_COMMAND(fips, cmd_fips_status,
#ifdef CR50_DEV
"[on | off | test | trng | sha]",
#else
- "[on | test | trng | sha]",
+ "[on | test]",
#endif
"Report or change FIPS status, run tests, simulate errors");
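Review bot: The description string on the last line, `"Report or change FIPS status, run tests, simulate errors"`, sits outside the `#ifdef CR50_DEV` block, so production images still advertise error simulation after this change removes `trng` and `sha` from their argument list. Move it inside the conditional and use `"Report or change FIPS status, run tests"` in the `#else` branch, so the help output matches what the build actually accepts. The macro invocation starts before the hunk.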
@@ -814,7 +815,7 @@ static enum vendor_cmd_rc fips_cmd(enum vendor_cmd_cc code, void *buf,
memcpy(buf, &fips_reverse, sizeof(fips_reverse));
*response_size = sizeof(fips_reverse);
break;
-#ifdef CRYPTO_TEST_SETUP
+#ifdef CR50_DEV
case FIPS_CMD_BREAK_TRNG:
fips_break_cmd = FIPS_BREAK_TRNG;
break;
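Review bot: The new `#ifdef CR50_DEV` guard carries no comment saying why the error-injection subcommands are compiled out, and the previous guard name (`CRYPTO_TEST_SETUP`) suggests test builds relied on them. A one-line comment above it, such as `/* Error injection is for CR50_DEV images only; keep it out of production builds. */`, would help stop a later change from widening the guard again. The matching `#endif` and the switch's `default` case lie outside the hunk, so it is worth confirming that every break subcommand is covered by the guard and that a non-DEV image answers these codes with an error rather than success.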