cr50: drop cryptoc for SHA1/SHA2 supportstabilize-14150.882.B-cr50_stabstabilize-14150.881.B-cr50_stabstabilize-14150.74.B-cr50_stabstabilize-14150.734.B-cr50_stabstabilize-14150.64.B-cr50_stabstabilize-14150.43.B-cr50_stabstabilize-14150.376.B-cr50_stabrelease-R94-14150.B-cr50_stabrelease-R94-14150.49.B-cr50_stab

To implement FIPS module we need to bring many crypto functions in the
module boundary. Unfortunately, cryptoc is a third-party library used
by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
with other projects. While just making local copy of cryptoc would
solve an issue, it's suboptimal as prevents from many optimizations and
improvements.

Provided SHA & HMAC implementations from Ti50 project. This provides
better performance (500us vs. 670us earlier for HMAC DRBG) and reduce
code size. This implementation also enables stack use savings when
only specific digest is needed. Earlier SHA512 context was allocated
when only SHA256 is needed greatly increasing stack consumption for
code using HMAC_DRBG and others.

However, it introduce subtle API changes which require handling.
As for tests, since core implementation is hardware-independent, make
it available for BOARD=host too.

Before change (with cryptoc):
*** 12368 bytes in flash and 5784 bytes in RAM

After:
*** 13136 bytes in flash and 5796 bytes in RAM

BUG=b:138578318
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py

Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I2ff5362aee9078ce83dc1f8081943a5101d5f666
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3064201
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>

4 files changed, 38 insertions, 16 deletions

diff --git a/chip/g/usb_spi.h b/chip/g/usb_spi.h
index 2432dc2cd9..4cf38742af 100644
--- a/chip/g/usb_spi.h
+++ b/chip/g/usb_spi.h
@@ -8,7 +8,7 @@
 /* USB SPI driver for Chrome EC */
 
 #include "compile_time_macros.h"
-#include "cryptoc/sha256.h"
+#include "dcrypto.h"
 #include "hooks.h"
 #include "queue.h"
 #include "queue_policies.h"
@@ -280,8 +280,4 @@ static inline bool usb_spi_shortcut_active(void) { return false; }
 void enable_ap_spi_hash_shortcut(void);
 void disable_ap_spi_hash_shortcut(void);
 
-int usb_spi_sha256_start(HASH_CTX *ctx);
-int usb_spi_sha256_update(HASH_CTX *ctx, uint32_t offset, uint32_t size);
-void usb_spi_sha256_final(HASH_CTX *ctx, void *digest, size_t digest_size);
-
 #endif /* __CROS_EC_USB_SPI_H */
diff --git a/chip/host/build.mk b/chip/host/build.mk
index 8b7ab0efc2..0ea6027533 100644
--- a/chip/host/build.mk
+++ b/chip/host/build.mk
@@ -15,9 +15,16 @@ chip-$(HAS_TASK_KEYSCAN)+=keyboard_raw.o
 endif
 
 ifeq ($(CONFIG_DCRYPTO),y)
-CPPFLAGS += -I$(abspath ./chip/g)
-dirs-y += chip/g/dcrypto
+CPPFLAGS += -I$(abspath ./board/cr50)
+dirs-y += board/cr50/dcrypto
+LDFLAGS_EXTRA += -lcrypto
 endif
+
+ifeq ($(CONFIG_DCRYPTO_MOCK),y)
+CPPFLAGS += -I$(abspath ./board/cr50)
+dirs-y += board/cr50/dcrypto
+endif
+
 dirs-y += chip/host/dcrypto
 
 chip-$(CONFIG_DCRYPTO)+= dcrypto/aes.o
@@ -26,4 +33,11 @@ chip-$(CONFIG_DCRYPTO)+= dcrypto/app_key.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/sha256.o
 
 # Object files that can be shared with the Cr50 dcrypto implementation
-chip-$(CONFIG_DCRYPTO)+= ../g/dcrypto/hmac.o
+chip-$(CONFIG_DCRYPTO)+= ../../board/cr50/dcrypto/hmac_sw.o
+chip-$(CONFIG_DCRYPTO)+= ../../board/cr50/dcrypto/sha1.o
+chip-$(CONFIG_DCRYPTO)+= ../../board/cr50/dcrypto/sha256.o
+chip-$(CONFIG_DCRYPTO)+= ../../board/cr50/dcrypto/hmac_drbg.o
+
+# We still want raw SHA & HMAC implementations for mocked dcrypto
+chip-$(CONFIG_DCRYPTO_MOCK)+= ../../board/cr50/dcrypto/sha256.o
+chip-$(CONFIG_DCRYPTO_MOCK)+= ../../board/cr50/dcrypto/hmac_sw.o
\ No newline at end of file
diff --git a/chip/host/dcrypto/app_cipher.c b/chip/host/dcrypto/app_cipher.c
index 4c4809005c..a3ce4e3184 100644
--- a/chip/host/dcrypto/app_cipher.c
+++ b/chip/host/dcrypto/app_cipher.c
@@ -9,15 +9,15 @@
 void app_compute_hash(const void *p_buf, size_t num_bytes, void *p_hash,
 		      size_t hash_len)
 {
-	uint8_t digest[SHA256_DIGEST_SIZE];
+	struct sha256_digest digest;
 
 	/*
 	 * Use the built in dcrypto engine to generate the sha1 hash of the
 	 * buffer.
 	 */
-	DCRYPTO_SHA256_hash(p_buf, num_bytes, digest);
+	SHA256_hw_hash(p_buf, num_bytes, &digest);
 
-	memcpy(p_hash, digest, MIN(hash_len, sizeof(digest)));
+	memcpy(p_hash, digest.b8, MIN(hash_len, sizeof(digest)));
 
 	if (hash_len > sizeof(digest))
 		memset((uint8_t *)p_hash + sizeof(digest), 0,
diff --git a/chip/host/dcrypto/sha256.c b/chip/host/dcrypto/sha256.c
index 429588c8ac..1c9fda27c2 100644
--- a/chip/host/dcrypto/sha256.c
+++ b/chip/host/dcrypto/sha256.c
@@ -5,14 +5,26 @@
 
 #include "dcrypto.h"
 
-void DCRYPTO_SHA256_init(LITE_SHA256_CTX *ctx, uint32_t sw_required)
+void SHA256_hw_init(struct sha256_ctx *ctx)
 {
-	SHA256_init(ctx);
+	SHA256_sw_init(ctx);
 }
 
-const uint8_t *DCRYPTO_SHA256_hash(const void *data, uint32_t n,
-				uint8_t *digest)
+const struct sha256_digest *SHA256_hw_hash(const void *data, size_t n,
+					   struct sha256_digest *digest)
 {
-	SHA256_hash(data, n, digest);
+	SHA256_sw_hash(data, n, digest);
 	return digest;
 }
+
+void HMAC_SHA256_hw_init(struct hmac_sha256_ctx *ctx, const void *key,
+			      size_t len)
+{
+	SHA256_hw_init(&ctx->hash);
+	HMAC_sw_init((union hmac_ctx *)ctx, key, len);
+}
+
+const struct sha256_digest *HMAC_SHA256_hw_final(struct hmac_sha256_ctx *ctx)
+{
+	return HMAC_SHA256_final(ctx);
+}