summaryrefslogtreecommitdiff
path: root/include/rma_auth.h
diff options
context:
space:
mode:
authorRandall Spangler <rspangler@chromium.org>2017-06-21 13:10:57 -0700
committerchrome-bot <chrome-bot@chromium.org>2017-06-30 16:02:50 -0700
commit282765fdd409fd16ed1e092e5d7fee8de5af7a5a (patch)
tree6ba38fa099ef790c72d34f1caa458bd731aa39d3 /include/rma_auth.h
parent4a8b509020ce5104abf9b43335283cb39c7b75b2 (diff)
downloadchrome-ec-282765fdd409fd16ed1e092e5d7fee8de5af7a5a.tar.gz
common: Add RMA reset auth challenge-response crypto
RMA auth uses X25519 to generate a relatively small challenge and response. Currently, nothing calls the rma_auth code. We'll need console and TPM vendor commands to do so. BUG=b:37952913 BRANCH=none TEST=make buildall Change-Id: Iec7f2d0e3dc8243f79b009ead16bb3ba9f1bef9d Signed-off-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/544184
Diffstat (limited to 'include/rma_auth.h')
-rw-r--r--include/rma_auth.h80
1 files changed, 80 insertions, 0 deletions
diff --git a/include/rma_auth.h b/include/rma_auth.h
new file mode 100644
index 0000000000..db39468595
--- /dev/null
+++ b/include/rma_auth.h
@@ -0,0 +1,80 @@
+/* Copyright 2017 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/* RMA challenge-response */
+
+#ifndef __CROS_EC_RMA_AUTH_H
+#define __CROS_EC_RMA_AUTH_H
+
+#include <stdint.h>
+
+/* Test server public and private keys */
+#define RMA_TEST_SERVER_PUBLIC_KEY { \
+ 0x03, 0xae, 0x2d, 0x2c, 0x06, 0x23, 0xe0, 0x73, \
+ 0x0d, 0xd3, 0xb7, 0x92, 0xac, 0x54, 0xc5, 0xfd, \
+ 0x7e, 0x9c, 0xf0, 0xa8, 0xeb, 0x7e, 0x2a, 0xb5, \
+ 0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f}
+#define RMA_TEST_SERVER_PRIVATE_KEY { \
+ 0x47, 0x3b, 0xa5, 0xdb, 0xc4, 0xbb, 0xd6, 0x77, \
+ 0x20, 0xbd, 0xd8, 0xbd, 0xc8, 0x7a, 0xbb, 0x07, \
+ 0x03, 0x79, 0xba, 0x7b, 0x52, 0x8c, 0xec, 0xb3, \
+ 0x4d, 0xaa, 0x69, 0xf5, 0x65, 0xb4, 0x31, 0xad}
+#define RMA_TEST_SERVER_KEY_ID 0x10
+
+/* Current challenge protocol version */
+#define RMA_CHALLENGE_VERSION 0
+
+/* Getters and setters for version_key_id byte */
+#define RMA_CHALLENGE_VKID_BYTE(version, keyid) \
+ (((version) << 6) | ((keyid) & 0x3f))
+#define RMA_CHALLENGE_GET_VERSION(vkidbyte) ((vkidbyte) >> 6)
+#define RMA_CHALLENGE_GET_KEY_ID(vkidbyte) ((vkidbyte) & 0x3f)
+
+struct __packed rma_challenge {
+ /* Top 2 bits are protocol version; bottom 6 are server KeyID */
+ uint8_t version_key_id;
+
+ /* Ephemeral public key from device */
+ uint8_t device_pub_key[32];
+
+ /* Board ID (.type) */
+ uint8_t board_id[4];
+
+ /* Device ID */
+ uint8_t device_id[8];
+};
+
+/* Size of encoded challenge and response, and buffer sizes to hold them */
+#define RMA_CHALLENGE_CHARS 80
+#define RMA_CHALLENGE_BUF_SIZE (RMA_CHALLENGE_CHARS + 1)
+
+#define RMA_AUTHCODE_CHARS 8
+#define RMA_AUTHCODE_BUF_SIZE (RMA_AUTHCODE_CHARS + 1)
+
+/**
+ * Create a new RMA challenge/response
+ *
+ * @return EC_SUCCESS, EC_ERROR_TIMEOUT if too soon since the last challenge,
+ * or other non-zero error code.
+ */
+int rma_create_challenge(void);
+
+/**
+ * Get the current challenge string
+ *
+ * @return a pointer to the challenge string. String will be empty if there
+ * is no active challenge.
+ */
+const char *rma_get_challenge(void);
+
+/**
+ * Try a RMA authorization code
+ *
+ * @param code Authorization code to try
+ * @return EC_SUCCESS if the response was correct, or non-zero error code.
+ */
+int rma_try_authcode(const char *code);
+
+#endif