authorVadim Sukhomlinov <sukhomlinov@google.com>2021-10-13 12:30:48 -0700
committerCommit Bot <commit-bot@chromium.org>2021-10-13 23:43:18 +0000
commit307b3dc3c0a294d2245ea7e9475f548077a98c3b (patch)
tree000a9abf9b613e3f9508d244a0310108069d04ad
parent29c152bcf67e09d60d28f519458b7fd7a0e8a1cd (diff)
downloadchrome-ec-307b3dc3c0a294d2245ea7e9475f548077a98c3b.tar.gz
cr50: add functionality to support FIPS testing by lab
1) Add test commands to break all KAT tests [fips hmac/drbg/ecdsa/pwct] 2) To support PWCT demo reduced number of attempts to retrieve valid p256 key candidate to 16. Probability of false negative would be less than 2^-4080 (255*16), but will prevent DoS attack if it consistently fails for real reasons. 3) Fixed HMAC KAT test failure (was bound SHA failure earlier). BUG=b:138576604 TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1 In ccd: fips fips hmac fips test - see FIPS error reboot fips drbg fips test - see FIPS error reboot fips ecdsa fips test - see FIPS error reboot fips pwct u2f_test - see NOT PASSED of u2f_generate/u2f_sign Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I0a812075bb2436f5823eff446b725f19974a2a31 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221770 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Andrey Pronin <apronin@chromium.org>
-rw-r--r--board/cr50/dcrypto/fips.c2
-rw-r--r--board/cr50/dcrypto/u2f.c6
-rw-r--r--board/cr50/fips_cmd.c10
3 files changed, 14 insertions, 4 deletions
diff --git a/board/cr50/dcrypto/fips.c b/board/cr50/dcrypto/fips.c
index 2ea98187c4..5fd1327aee 100644
--- a/board/cr50/dcrypto/fips.c
+++ b/board/cr50/dcrypto/fips.c
@@ -185,7 +185,7 @@ static bool fips_hmac_sha256_kat(void)
HMAC_SHA256_hw_init(&ctx, k, sizeof(k));
memcpy(in_mem, in, sizeof(in));
- if (fips_break_cmd == FIPS_BREAK_SHA256)
+ if (fips_break_cmd == FIPS_BREAK_HMAC_SHA256)
in_mem[0] ^= 1;
HMAC_SHA256_update(&ctx, in_mem, sizeof(in_mem));
return DCRYPTO_equals(HMAC_SHA256_hw_final(&ctx), ans,
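Review bot: The branch `if (fips_break_cmd == FIPS_BREAK_HMAC_SHA256)` has no comment saying that it deliberately corrupts the input so the known-answer test fails. I would add `/* Lab fault injection: flip one input bit so this KAT must fail. */` above it. The check is not under any preprocessor guard visible in this hunk, so it is worth confirming that nothing outside a test build can set fips_break_cmd to a value other than FIPS_NO_BREAK. fips_hmac_sha256_kat starts and ends outside the hunk.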
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 1b2fc4f17c..f8d4eb997f 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -212,7 +212,7 @@ static enum ec_error_list u2f_origin_user_key_pair(
*/
hmac_drbg_init(&drbg, state->drbg_entropy,
state->drbg_entropy_size, dev_salt, P256_NBYTES,
- NULL, 0, HMAC_DRBG_DO_NOT_AUTO_RESEED);
+ NULL, 0, 16);
result = hmac_drbg_generate(&drbg, key_seed, sizeof(key_seed),
key_handle, key_handle_size);
} else {
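Review bot: The bare literal `16` passed as the last argument of hmac_drbg_init replaces a named constant with an unexplained number. It appears here, in the second hunk of u2f_origin_user_key_pair and in g2f_individual_key_pair. A single definition such as `#define U2F_KEYGEN_RESEED_LIMIT 16`, with a comment carrying the rationale from the commit message, would keep the three call sites in step. The argument is presumably the reseed threshold, so the limit only bounds key generation if each caller treats a reseed-required result from hmac_drbg_generate as a hard failure; the `do` loop in g2f_individual_key_pair and the checks on `result` are outside these hunks and should be confirmed. None of the three sites is under a test-build guard visible here, so the new limit also applies to production images and deserves a line in the function comments.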
@@ -228,7 +228,7 @@ static enum ec_error_list u2f_origin_user_key_pair(
hmac_drbg_init(&drbg, state->drbg_entropy,
state->drbg_entropy_size, key_handle,
key_handle_size, NULL, 0,
- HMAC_DRBG_DO_NOT_AUTO_RESEED);
+ 16);
/**
* Additional data = Device_ID (constant coming from HW).
@@ -563,7 +563,7 @@ static bool g2f_individual_key_pair(const struct u2f_state *state, p256_int *d,
hmac_drbg_init(&drbg, state->drbg_entropy,
state->drbg_entropy_size, state->salt,
sizeof(state->salt), NULL, 0,
- HMAC_DRBG_DO_NOT_AUTO_RESEED);
+ 16);
do {
/**
diff --git a/board/cr50/fips_cmd.c b/board/cr50/fips_cmd.c
index 5dbe19a291..816e5280d6 100644
--- a/board/cr50/fips_cmd.c
+++ b/board/cr50/fips_cmd.c
@@ -146,6 +146,16 @@ static int cmd_fips_status(int argc, char **argv)
fips_break_cmd = FIPS_BREAK_TRNG;
else if (!strncmp(argv[1], "sha", 3))
fips_break_cmd = FIPS_BREAK_SHA256;
+ else if (!strncmp(argv[1], "hmac", 4))
+ fips_break_cmd = FIPS_BREAK_HMAC_SHA256;
+ else if (!strncmp(argv[1], "drbg", 4))
+ fips_break_cmd = FIPS_BREAK_HMAC_DRBG;
+ else if (!strncmp(argv[1], "ecdsa", 5))
+ fips_break_cmd = FIPS_BREAK_ECDSA;
+ else if (!strncmp(argv[1], "pwct", 4))
+ fips_break_cmd = FIPS_BREAK_ECDSA_PWCT;
+ else if (!strncmp(argv[1], "none", 4))
+ fips_break_cmd = FIPS_NO_BREAK;
#endif
}
return 0;
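Review bot: The extended `else if` chain still has no final `else`, so as far as the hunk shows a mistyped word falls through to `return 0`. That leaves the previously selected fips_break_cmd in place while the console reports success. Adding `else` `return EC_ERROR_PARAM1;` after the "none" branch would surface the mistake to the lab operator. The fixed-length `strncmp` calls match prefixes only, so an argument like `hmacX` also selects the HMAC break; a full-string compare would be stricter if prefix matching is not intended. The `#if` that opens this section and the argc check before `argv[1]` is read are outside the hunk; the guard should be a test-only build option, since these words arm self-test failures.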