authorVadim Sukhomlinov <sukhomlinov@google.com>2021-12-28 07:22:29 -0800
committerCommit Bot <commit-bot@chromium.org>2021-12-28 16:40:22 +0000
commiteb0ed7b4e255646577d19fdb6c1643c5a55f020d (patch)
tree0db91cb1c91e520393f7dbac92b1fb8b0bc8e66f
parent646aedf8ea12fb324c40e87e42a668318b3307b9 (diff)
downloadchrome-ec-eb0ed7b4e255646577d19fdb6c1643c5a55f020d.tar.gz
cr50: fix g2f certificate retrieval
A logic error introduced in crrev.com/c/3119223 caused attempts to read the G2F certificate from virtual nvmem to fail. This CL fixes it and adds a test for this command. BUG=b:211820657 TEST=make BOARD=cr50; test/tpm_test/tpm_test.py Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I3c46e9e050d5084dbac1b0a7c3d7e378987a3759 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3359755 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Mary Ruthven <mruthven@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/dcrypto/u2f.c2
-rw-r--r--test/tpm_test/u2f_test.py34
2 files changed, 35 insertions, 1 deletions
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 6680007a44..2496370c60 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -589,7 +589,7 @@ size_t g2f_attestation_cert_serial(const struct u2f_state *state,
{
p256_int d, pk_x, pk_y;
- if (g2f_individual_key_pair(state, &d, &pk_x, &pk_y))
+ if (!g2f_individual_key_pair(state, &d, &pk_x, &pk_y))
return 0;
/* Note that max length is not currently respected here. */
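Review bot: The corrected test `if (!g2f_individual_key_pair(state, &d, &pk_x, &pk_y))` depends on the helper returning non-zero on success, and nothing at the call site says so, which is presumably how the inverted check got in. A one-line comment above the call, such as `/* g2f_individual_key_pair() returns true on success. */`, would make the convention explicit for the next reader. The body of g2f_attestation_cert_serial continues outside the hunk, so it cannot be confirmed from here whether the private scalar `d` is cleared before the function returns; that is worth checking on both the early-return and the normal path.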
diff --git a/test/tpm_test/u2f_test.py b/test/tpm_test/u2f_test.py
index 8bbacd4eb3..97ca4a4141 100644
--- a/test/tpm_test/u2f_test.py
+++ b/test/tpm_test/u2f_test.py
@@ -78,6 +78,36 @@ def u2f_attest(tpm, origin, user, challenge, kh, public_key, fail=False):
return b''
return sig
+def tpm_start(tpm):
+ tpm_startup = [0x80, 0x01, # TPM_ST_NO_SESSIONS
+ 0x00, 0x00, 0x00, 0x0c, # commandSize = 12
+ 0x00, 0x00, 0x01, 0x44, # TPM_CC_Startup
+ 0x00, 0x00, # TPM_SU_CLEAR
+ ]
+ tpm_startup_cmd = bytes(tpm_startup)
+ response = tpm.command(tpm_startup_cmd)
+ return response
+
+def g2f_get_cert(tpm):
+ g2f_read = [0x80, 0x02, # TPM_ST_SESSIONS
+ 0x00, 0x00, 0x00, 0x23, # size
+ 0x00, 0x00, 0x01, 0x4e, # TPM_CC_NV_READ
+ 0x01, 0x3f, 0xff, 0x02, # authHandle : TPMI_RH_NV_AUTH
+ 0x01, 0x3f, 0xff, 0x02, # nvIndex : TPMI_RH_NV_INDEX
+ 0x00, 0x00, 0x00, 0x09, # authorizationSize : UINT32
+ 0x40, 0x00, 0x00, 0x09, # sessionHandle : empty password
+ 0x00, 0x00, 0x00, 0x00, 0x00, # nonce, sessionAttributes, hmac
+ 0x01, 0x3b, # nvSize : UINT16
+ 0x00, 0x00 # nvOffset : UINT16
+ ]
+ g2f_read_cmd = bytes(g2f_read)
+ response = tpm.command(g2f_read_cmd)
+ if len(response) <= 10:
+ raise subcmd.TpmTestError('Unexpected G2F response: '
+ + utils.hex_dump(response))
+ print('G2F cert len', len(response))
+ return response
+
def u2f_test(tpm):
"""Run U2F tests"""
origin = b'1'
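Review bot: `g2f_get_cert` accepts any response longer than the 10-byte TPM response header, so a truncated or empty certificate payload would still pass the test. The command requests nvSize 0x013b bytes, so the check could require at least that much data, for example `if len(response) < 10 + 0x13b:`, assuming `tpm.command` returns the raw TPM response. Both new helpers also lack docstrings, and the NV index 0x013fff02 and the size 0x013b would read better as named constants with a comment saying they address the virtual NV G2F certificate.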
@@ -85,6 +115,10 @@ def u2f_test(tpm):
auth = b'3'
msg = b'12345'
+
+ tpm_start(tpm)
+ print('G2F read cert');
+ g2f_get_cert(tpm)
print('U2F_GENERATE v0');
public_key0, khv0 = u2f_generate(tpm, origin, user, 0, auth)
if tpm.debug_enabled():
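Review bot: The result of `tpm_start(tpm)` is discarded, so a failed TPM2_Startup goes unnoticed and would only surface later as an unrelated-looking failure in the G2F read or the U2F commands. The response code could be checked while still tolerating an already-started TPM, e.g. `rc = int.from_bytes(tpm_start(tpm)[6:10], 'big')` followed by `if rc not in (0, 0x100): raise subcmd.TpmTestError('TPM2_Startup failed: 0x%x' % rc)`, where 0x100 is TPM_RC_INITIALIZE; this assumes `tpm.command` returns the raw response with the standard header. The certificate returned by `g2f_get_cert(tpm)` is likewise dropped, so the test only proves that something was read. u2f_test continues outside the hunk.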