cr50: drop cryptoc for SHA1/SHA2 supportstabilize-14150.882.B-cr50_stabstabilize-14150.881.B-cr50_stabstabilize-14150.74.B-cr50_stabstabilize-14150.734.B-cr50_stabstabilize-14150.64.B-cr50_stabstabilize-14150.43.B-cr50_stabstabilize-14150.376.B-cr50_stabrelease-R94-14150.B-cr50_stabrelease-R94-14150.49.B-cr50_stab

To implement FIPS module we need to bring many crypto functions in the
module boundary. Unfortunately, cryptoc is a third-party library used
by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
with other projects. While just making local copy of cryptoc would
solve an issue, it's suboptimal as prevents from many optimizations and
improvements.

Provided SHA & HMAC implementations from Ti50 project. This provides
better performance (500us vs. 670us earlier for HMAC DRBG) and reduce
code size. This implementation also enables stack use savings when
only specific digest is needed. Earlier SHA512 context was allocated
when only SHA256 is needed greatly increasing stack consumption for
code using HMAC_DRBG and others.

However, it introduce subtle API changes which require handling.
As for tests, since core implementation is hardware-independent, make
it available for BOARD=host too.

Before change (with cryptoc):
*** 12368 bytes in flash and 5784 bytes in RAM

After:
*** 13136 bytes in flash and 5796 bytes in RAM

BUG=b:138578318
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I2ff5362aee9078ce83dc1f8081943a5101d5f666
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3064201
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>

1 files changed, 18 insertions, 17 deletions

diff --git a/board/cr50/fips.c b/board/cr50/fips.c
index 51a392e2ac..948bd2fba4 100644
--- a/board/cr50/fips.c
+++ b/board/cr50/fips.c
@@ -153,7 +153,7 @@ void fips_throw_err(enum fips_status err)
 /* KAT for SHA256, test values from OpenSSL. */
 static bool fips_sha256_kat(void)
 {
-	struct HASH_CTX ctx;
+	struct sha256_ctx ctx;
 
 	static const uint8_t in[] = /* "etaonrishd" */ { 0x65, 0x74, 0x61, 0x6f,
 							 0x6e, 0x72, 0x69, 0x73,
@@ -164,16 +164,16 @@ static bool fips_sha256_kat(void)
 				       0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6,
 				       0x50, 0x4f, 0x47, 0x57 };
 
-	DCRYPTO_SHA256_init(&ctx, 0);
-	HASH_update(&ctx, in, sizeof(in));
+	SHA256_hw_init(&ctx);
+	SHA256_update(&ctx, in, sizeof(in));
 	return !(fips_break_cmd == FIPS_BREAK_SHA256) &&
-	       (memcmp(HASH_final(&ctx), ans, SHA256_DIGEST_SIZE) == 0);
+	       (memcmp(SHA256_final(&ctx), ans, SHA256_DIGEST_SIZE) == 0);
 }
 
 /* KAT for HMAC-SHA256, test values from OpenSSL. */
 static bool fips_hmac_sha256_kat(void)
 {
-	LITE_HMAC_CTX ctx;
+	struct hmac_sha256_ctx ctx;
 
 	static const uint8_t k[SHA256_DIGEST_SIZE] =
 		/* "etaonrishd" */ { 0x65, 0x74, 0x61, 0x6f, 0x6e, 0x72, 0x69,
@@ -190,10 +190,11 @@ static bool fips_hmac_sha256_kat(void)
 				       0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51,
 				       0xff, 0xda, 0x24, 0xf4 };
 
-	DCRYPTO_HMAC_SHA256_init(&ctx, k, sizeof(k));
-	HASH_update(&ctx.hash, in, sizeof(in));
+	HMAC_SHA256_hw_init(&ctx, k, sizeof(k));
+	HMAC_SHA256_update(&ctx, in, sizeof(in));
 	return !(fips_break_cmd == FIPS_BREAK_HMAC_SHA256) &&
-	       (memcmp(DCRYPTO_HMAC_final(&ctx), ans, SHA256_DIGEST_SIZE) == 0);
+	       (memcmp(HMAC_SHA256_hw_final(&ctx), ans, SHA256_DIGEST_SIZE) ==
+		0);
 }
 
 /**
@@ -397,12 +398,12 @@ static bool fips_ecdsa_verify_kat(void)
 	};
 
 	p256_int p256_digest;
-	uint8_t digest[SHA256_DIGEST_SIZE];
+	struct sha256_digest digest;
 	uint8_t bad_msg[128];
 	int passed;
 
-	DCRYPTO_SHA256_hash(msg, sizeof(msg), digest);
-	p256_from_bin(digest, &p256_digest);
+	SHA256_hw_hash(msg, sizeof(msg), &digest);
+	p256_from_bin(digest.b8, &p256_digest);
 	passed = dcrypto_p256_ecdsa_verify(&qx, &qy, &p256_digest, &r, &s);
 	if (!passed)
 		return false;
@@ -413,8 +414,8 @@ static bool fips_ecdsa_verify_kat(void)
 	 */
 	memcpy(bad_msg, msg, sizeof(msg));
 	bad_msg[92] ^= 0x10;
-	DCRYPTO_SHA256_hash(bad_msg, sizeof(bad_msg), digest);
-	p256_from_bin(digest, &p256_digest);
+	SHA256_hw_hash(bad_msg, sizeof(bad_msg), &digest);
+	p256_from_bin(digest.b8, &p256_digest);
 	passed = dcrypto_p256_ecdsa_verify(&qx, &qy, &p256_digest, &r, &s);
 	return !(fips_break_cmd == FIPS_BREAK_ECDSA) && (passed == 0);
 }
@@ -580,19 +581,19 @@ static bool call_on_stack(void *new_stack, bool (*func)(void))
 }
 
 /* Placeholder for SHA256 digest of module computed during build time. */
-const uint8_t fips_integrity[SHA256_DIGEST_SIZE]
+const struct sha256_digest fips_integrity
 	__attribute__((section(".rodata.fips.checksum")));
 
 static bool fips_self_integrity(void)
 {
-	uint8_t digest[SHA256_DIGEST_SIZE];
+	struct sha256_digest digest;
 	size_t module_length = &__fips_module_end - &__fips_module_start;
 
 #ifdef CR50_DEV
 	CPRINTS("FIPS self-integrity start %x, length %u",
 		(uintptr_t)&__fips_module_start, module_length);
 #endif
-	DCRYPTO_SHA256_hash(&__fips_module_start, module_length, digest);
+	SHA256_hw_hash(&__fips_module_start, module_length, &digest);
 
 #ifdef CR50_DEV
 	CPRINTS("Stored, %ph, computed %ph",
@@ -600,7 +601,7 @@ static bool fips_self_integrity(void)
 		HEX_BUF(digest, sizeof(digest)));
 #endif
 
-	return DCRYPTO_equals(fips_integrity, digest, sizeof(digest));
+	return DCRYPTO_equals(fips_integrity.b8, digest.b8, sizeof(digest));
 }
 
 /**