diff options
| author | nagendra modadugu <ngm@google.com> | 2016-10-11 15:48:09 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2016-10-11 23:01:41 -0700 |
| commit | 36c4e34bea14177927f393043c41c52d92671364 (patch) | |
| tree | 51a17e509ae2e24a31f1fdb03d43f903426bb4a4 /board/cr50 | |
| parent | d809d1614f0d9fd0b332c6046f8e2e66eb4adff6 (diff) | |
| download | chrome-ec-36c4e34bea14177927f393043c41c52d92671364.tar.gz | |
CR50: recognize the production endorsement CA
Add the production endorsement CA public key to
the endorsement certificate validation flow.
This change retains recognition of the test
endorsement CA public key as well, and either
issuer is accepted as valid.
BRANCH=none
BUG=none
TEST=build succeeds
Change-Id: I2666fdfb19ce8c950ef1a9190bc7b994a105132c
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/396554
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Diffstat (limited to 'board/cr50')
| -rw-r--r-- | board/cr50/tpm2/endorsement.c | 43 |
1 files changed, 41 insertions, 2 deletions
diff --git a/board/cr50/tpm2/endorsement.c b/board/cr50/tpm2/endorsement.c index 1d189e8a78..fe6732cff6 100644 --- a/board/cr50/tpm2/endorsement.c +++ b/board/cr50/tpm2/endorsement.c @@ -69,7 +69,7 @@ struct cros_perso_certificate_response_v0 { BUILD_ASSERT(sizeof(struct cros_perso_response_component_info_v0) == 8); BUILD_ASSERT(sizeof(struct cros_perso_certificate_response_v0) == 8); -/* TODO(ngm): replace with real pub key. */ +/* Test endorsement CA root. */ static const uint32_t TEST_ENDORSEMENT_CA_RSA_N[64] = { 0xfa3b34ed, 0x3c59ad05, 0x912d6623, 0x83302402, 0xd43b6755, 0x5777021a, 0xaf37e9a1, 0x45c0e8ad, @@ -89,6 +89,26 @@ static const uint32_t TEST_ENDORSEMENT_CA_RSA_N[64] = { 0x486fb315, 0xa1098c31, 0x5dc50dd6, 0xcdc10874 }; +/* Production endorsement CA root. */ +static const uint32_t PROD_ENDORSEMENT_CA_RSA_N[64] = { + 0xeb6a07bf, 0x6cf8eca6, 0x4756e85e, 0x2fc3874c, + 0xa4c23e87, 0xc364dffe, 0x2a2ddb95, 0x2f7f0e1e, + 0xdb485bd8, 0xce8aa808, 0xe062001b, 0x187811c3, + 0x0e400462, 0xb7097a01, 0xb988152b, 0xba9d058a, + 0x814b6691, 0xc70a694f, 0x8108c7f0, 0x4c7a1f33, + 0x5cfda48e, 0xef303dbc, 0x84f5a3ea, 0x14607435, + 0xc72f1e60, 0x345d0b38, 0x0ac16927, 0xbdf903c7, + 0x11b660ed, 0x21ebfe0e, 0x8c8b303c, 0xd6eff6cb, + 0x76156bf7, 0x57735ce4, 0x8b7a87ed, 0x7a757188, + 0xd4fb3eb0, 0xc67fa05d, 0x163f0cf5, 0x69d8abf3, + 0xec105749, 0x1de78f37, 0xb885a62f, 0x81344a82, + 0x390df2b7, 0x58a7c56a, 0xa938f471, 0x506ee7d4, + 0x2ca0f2a3, 0x2aa5392c, 0x39052797, 0x199e837c, + 0x0d367b81, 0xb7bbff6f, 0x0ea99f5f, 0xfbac0d2a, + 0x7bbe018d, 0x265fc995, 0x34f73008, 0x5e2cd747, + 0x42096e33, 0x0c15f816, 0xffa7f7d2, 0xbd6f0198 +}; + static const struct RSA TEST_ENDORSEMENT_CA_RSA_PUB = { .e = RSA_F4, .N = { @@ -101,6 +121,18 @@ static const struct RSA TEST_ENDORSEMENT_CA_RSA_PUB = { }, }; +static const struct RSA PROD_ENDORSEMENT_CA_RSA_PUB = { + .e = RSA_F4, + .N = { + .dmax = sizeof(PROD_ENDORSEMENT_CA_RSA_N) / sizeof(uint32_t), + .d = (struct access_helper *) PROD_ENDORSEMENT_CA_RSA_N, + }, + .d = { + .dmax = 0, + .d = NULL, + }, +}; + static int validate_cert( const struct cros_perso_response_component_info_v0 *cert_info, const struct cros_perso_certificate_response_v0 *cert, @@ -115,8 +147,15 @@ static int validate_cert( if (cert->cert_len > MAX_NV_BUFFER_SIZE) return 0; - /* Verify certificate signature. */ + /* Verify certificate signature; accept either root CA. + * Getting here implies that the previous mac check on the + * endorsement seed passed, and that one of these two CA + * certificates serve as roots for the installed endorsement + * certificate. + */ return DCRYPTO_x509_verify(cert->cert, cert->cert_len, + &PROD_ENDORSEMENT_CA_RSA_PUB) || + DCRYPTO_x509_verify(cert->cert, cert->cert_len, &TEST_ENDORSEMENT_CA_RSA_PUB); } |