g: add application directed wrappers for key-ladder keys

Add functions that derive application specific keys based
on FRK2.  For the moment, derived keys need to be manually
copied into the AES engine.  Since key-ladder state depends
on the code-signer (prod vs. dev), application derived keys
are also different in the two modes.  Thus ciphertext blobs
produced by prod-signed code cannot be decrypted by dev-signed
code.

To minimize stack requirements on the hook_task, the SHA
context in DCRYPTO_appkey_init() is placed in allocated/freed
memory.  This SHA object will become unnecessary once the
AES engine is seeded directly from the key-ladder.

BRANCH=none
BUG=chrome-os-partner:55331
TEST=pending

Change-Id: Ifb274b15e61be317e02ec31fc52f9a41e06dcba3
Signed-off-by: nagendra modadugu <ngm@google.com>
Signed-off-by: Marius Schilder <mschilder@chromium.org>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/428170
Reviewed-by: Nagendra Modadugu <ngm@google.com>

3 files changed, 64 insertions, 2 deletions

diff --git a/chip/g/build.mk b/chip/g/build.mk
index c6f2f47c96..f5df5069d4 100644
--- a/chip/g/build.mk
+++ b/chip/g/build.mk
@@ -29,6 +29,7 @@ chip-y += uartn.o
 endif
 
 chip-$(CONFIG_DCRYPTO)+= dcrypto/aes.o
+chip-$(CONFIG_DCRYPTO)+= dcrypto/app_key.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/bn.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/bn_hw.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/compare.o
diff --git a/chip/g/dcrypto/app_key.c b/chip/g/dcrypto/app_key.c
new file mode 100644
index 0000000000..0c560656ef
--- /dev/null
+++ b/chip/g/dcrypto/app_key.c
@@ -0,0 +1,50 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#include "dcrypto.h"
+#include "internal.h"
+#include "endian.h"
+#include "registers.h"
+#include "console.h"
+#include "shared_mem.h"
+
+#include "cryptoc/util.h"
+
+static const char * const dcrypto_app_names[] = {
+	"NVMEM"
+};
+
+int DCRYPTO_appkey_init(enum dcrypto_appid appid, struct APPKEY_CTX *ctx)
+{
+	LITE_HMAC_CTX *hmac_ctx;
+
+	if (appid >= ARRAY_SIZE(dcrypto_app_names))
+		return 0;
+
+	memset(ctx, 0, sizeof(ctx));
+
+	if (!DCRYPTO_ladder_compute_frk2(0, ctx->key))
+		return 0;
+
+	if (shared_mem_acquire(sizeof(LITE_HMAC_CTX),
+			       (char **)&hmac_ctx) != EC_SUCCESS) {
+		return 0;
+	}
+
+	HMAC_SHA256_init(hmac_ctx, ctx->key, sizeof(ctx->key));
+	HMAC_update(hmac_ctx, dcrypto_app_names[appid],
+		strlen(dcrypto_app_names[appid]));
+	memcpy(ctx->key, HMAC_final(hmac_ctx), SHA256_DIGEST_SIZE);
+
+	always_memset(hmac_ctx, 0, sizeof(LITE_HMAC_CTX));
+
+	shared_mem_release(hmac_ctx);
+	return 1;
+}
+
+void DCRYPTO_appkey_finish(struct APPKEY_CTX *ctx)
+{
+	always_memset(ctx, 0, sizeof(struct APPKEY_CTX));
+	GREG32(KEYMGR, AES_WIPE_SECRETS) = 1;
+}
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index a5b38acdbc..3b80f6e6b8 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -201,9 +201,20 @@ int DCRYPTO_x509_verify(const uint8_t *cert, size_t len,
  */
 int DCRYPTO_equals(const void *a, const void *b, size_t len);
 
+int DCRYPTO_ladder_compute_frk2(size_t major_fw_version, uint8_t *frk2);
+
 /*
- * Key ladder related functions.
+ * Application key related functions.
  */
-int DCRYPTO_ladder_compute_frk2(size_t major_fw_version, uint8_t *frk2);
+enum dcrypto_appid {
+	NVMEM = 0
+};
+
+struct APPKEY_CTX {
+	uint8_t key[SHA256_DIGEST_SIZE];
+};
+
+int DCRYPTO_appkey_init(enum dcrypto_appid id, struct APPKEY_CTX *ctx);
+void DCRYPTO_appkey_finish(struct APPKEY_CTX *ctx);
 
 #endif  /* ! __EC_CHIP_G_DCRYPTO_DCRYPTO_H */