| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While all Dcrypto code for RSA supports 4K, few software functions were
allocating static buffers on stack and thus limiting what RSA sizes
can be supported.
Updating bn_modinv_vartime() and bn_probable_prime() to allocate stack
space dynamically. This simplifies enabling RSA 3K / 4K support.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I7c410d349e8755d491151152168701ecdd54c04c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3193510
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new AP RO verification approach, version 2, places the AP RO
verification structures in the AP RO itself, as described below.
A new section is included in AP RO FMAP, called RO_GSCVD, which
contains all information necessary to verify the AP RO:
gsc_verification_data (GVD) structure, GVD signature, the platform key
to verify the signature and the root key to verify the platform key.
GVD contains an array of AP RO ranges to be verified and the hash of
the contents of those ranges.
The signature of the GVD is followed by the public platform key, which
allows to verify the GVD signature.
The platform key in turn is signed by the root key, and the public
root key is also present in RO_GSCVD, this allows to validate the
platform key.
The hash of the public root key is hardcoded in the GSC firmware, this
gives the GSC the ability to verify the chain of objects in the
RO_GSCVD FMAP area starting with the root key.
This implementation supports both old and new AP RO verification
schemes as follows. The structure describing data saved in the
dedicated GSC flash page has been enhanced to support both old and new
AP RO verification schemes. To maintain backwards compatibility the 16
bit header field version is converted into two byte fields, version
and type. The new version is 1 and the new verification scheme type is
1, the old verification scheme type value is set to zero.
If a V1 structure is found in the H1 hash page, but verification
fails, a V2 verification is attempted just in case the RO was
reprogrammed and now includes RO_GSCVD area in FMAP.
The hash of the root key is saved in the text section named
.rodata.root_key_hash.
As presented, tests/devkeys/kernel_subkey.vbpubk from the
vboot_reference tree is used as the root key. The label of the section
where the hash is stored will allow the signer to replace the test key
hash with the prod root key hash.
Verification process is moved to the TPM task context to satisfy the
increased stack requirements of V2 calculations. This provides an
additional benefit: verification can be triggered by the AP issuing
the vendor command.
A CCD capability will be added in a follow up CL to restrict
conditions when the AP can invoke verification.
BUG=b:199904580
TEST=prepared an AP RO image containing RO_GSCVD and verified that the
AP RO can be verified, and that the local cache of the GVD is
successfully stored and allows to speed up verification.
Experiments have shown that verifying the entire chain starting
with the root key take 670 ms. Verifying of approximately 70KB of
AP RO takes 200 ms.
Verified that V1 AP RO verification is still working as expected,
and that V2 can take over in case the AP RO was updated with an
RO_GSCVD image, and the V1 check does not pass any more.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I1397376cd0394888da2cda16c0126a313f07d426
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172256
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cr50 so far builds RO and RW images as part of build process.
With adding FIPS module and moving to board-specific crypto library with
different interfaces it become hard to maintain build process as RO
sources use crypto, but with different APIs, and changing that crypto
is challenging as it is also used by other boards with different crypto
APIs.
In this CL we enable RW and RO to have independent selection of crypto
library and include paths, and don't contaminate include paths with
unused things like third_party/cryptoc for RW.
BUG=none
TEST=make buildall -j
make BOARD=cr50
make BOARD=cr50 CRYPTO_TEST=1
Built cr50 images can be flashed and are workable.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1b666fbb8193b79f71c885a761436443fd3fca7b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3200069
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For some reason didn't spot earlier another unnecessary complains of
gcc 11.2 in private-cr5x builds with make buildall -j.
Made it so BOARD can override settings done by CHIP even though CHIP is
loaded later. These settings should apply to both CFLAGS and LDFLAGS
due to LTO build.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I8880c518b23778cccf969909e330e9e2d62b5fae
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3194984
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CONFIG_FW_INCLUDE_RO option controls wherever RO is built. This option
didn't work properly and RO was always built. Fix this behavior.
However, when RO is not built RW image should include some 16KB stub.
This is not added yet, so for Cr50 we still set CONFIG_FW_INCLUDE_RO.
Also, corrected behavior of CONFIG_CUSTOMIZED_RO which earlier was not
properly taken into account and behavior depended on custom-ro_objs
variable state which always added some common files so actual result
was that CONFIG_CUSTOMIZED_RO is effectively on for chip/g.
BUG=none
TEST=make buildall -j; make BOARD=cr50 & flash
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I31599170050b360fad5c61dd1f81844bb315e1d6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3195319
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Move DRBG initialization flag inside DRBG context to prevent use of
DRBG which is not properly initialized.
2) Add configurable reseed threshold to cover both deterministic key gen
and non-deterministic randoms. Simplify reseeding logic, remove
similar code snippets. Also, can support NDRBG with reseed threshold
equal to 0, which will result in reseeding each time.
3) Adjust parameter names to match NIST SP 800-90A specification.
4) Enforce checking result of hmac_drbg_generate(), update call sites
to check for errors.
5) Reseeding in generate function consumes additional data as per
NIST SP 800-90Ar1 9.3.1
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1 DRBG_TEST=1;
test/tpm_test/tpm_test.py
in ccd:
hmac_drbg
rand_perf
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0e780b5c237d7fbc64e8b0e74d12559a1f40f84c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183397
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ECDSA signing can vary rarely result in zero s or r value due to
combination of message, nonce and a private key. Detect such cases
and retry with another nonce.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test;
in ccd: dcrypto_ecdsa, u2f_test
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1378259a0dc0e2e62cf071b779c1115c4257dc73
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3188564
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cr50 dcrypto use different API to access TRNG - read_rand() which
provides indication wherever reading was successful. Common trng.h
is not needed, so remove it.
BUG=None
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: If8525cd51db157fbfa47adbfe11146a617c947ce
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183468
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1 RND_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0088006cc58f57d21fa2f0d7ecffd833328cb6ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183338
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make HMAC_DRBG return codes consistent with other functions.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
in ccd: u2f_test, dcrypto_ecdsa, rma_auth
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9c673a45a250bef32c096f8d8be3152756a64cb7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180482
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TRNG health tests have defined false positive. NIST recommends values
in the range of 2^(-20) to 20^(-40) - parameter alpha.
We choose 2^(-40), and computed thresholds for 2^(-30) if needed.
In case of false positive we will try to read several times and update
statistics to see if error is intermittent, skip those values until we
either get recovered statistics or will be out of attempts. When out
of attempts we declare a persistent error and report it. With this
implementation we reduce probability of false positive to 2^(-160).
This is in compliance with NIST SP 800-90B, 4.3 point 2:
When the health tests fail, the entropy source shall notify the
consuming application (e.g., the RBG) of the error condition.
The developer may have defined different types of failures (e.g.,
intermittent and persistent), and the application is allowed to react
differently to different types of failures (e.g., by inhibiting output
for a short time). The developer is allowed to define different cutoff
values to detect intermittent and persistent failures. If so, these
values (with corresponding false alarm probabilities) shall be
specified in the submission documentation. If the entropy source detects
intermittent failures and allows the noise source to return to normal
functioning, the designer shall provide evidence that:
a) The intermittent failures handled in this way are indeed extremely
likely to be intermittent failures; and
b) the tests will detect a permanent failure when one occurs, and will
ultimately signal an error condition to the consuming application and
cease operation. In the case where a persistent failure is detected,
the entropy source shall not produce any outputs.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1;
In ccd:
rand_perf
rand perf (repeat several times, each time 8000 readings from TRNG)
fips trng
rand perf (should report errors)
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9db545c1a1e82e7e091724fab6fe46edebeb0650
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3182622
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For crypto code we care about possible concerns during review, so add
more strict warnings. Fix all uses int to uint32_t/size_t comparisons,
make consistent use of size_t vs. uint32_t in crypto code.
Update test/tpm_test/bn_test.c to compile for checking big number
functions correctness.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
TCG tests:
---------------------- Test Result Summary -----------------------------
Test executed on: Thu Sep 23 17:45:19 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I47e5de3d180d3aebb13b3feef4c1da87c9f6a174
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180279
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to block access to crypto functions when FIPS errors occurred.
To achieve this:
1. Provide wrappers for ECDSA P-256 sign and verify functions
a) DCRYPTO_p256_ecdsa_verify as wrapper for dcrypto_p256_ecdsa_verify
b) DCRYPTO_p256_ecdsa_sign as wrapper for
dcrypto_p256_fips_sign_internal with additional check for FIPS
DRBG initialization which is needed for signing.
2. Switch all ECDSA functions, both internal and external to use
enum dcrypto_result instead of inconsistent 0/1 values.
3. Added warning for unused result code for ECDSA functions.
4. Updated documentation for public APIs
5. In DCRYPTO_p256_key_from_bytes() implemented clear distinction between
bad candidate and failures due to FIPS or pair-wise consistency.
6. U2F, rma_auth, TPM ecc, etc updated to use new return codes.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; rma_auth, u2f_test, etc.
test/tpm_test/tpmtest.py
TCG tests
----------------------------- Test Result Summary ----------------------
Test executed on: Thu Sep 23 09:56:42 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I0251bf511771c1c1fd281f6db706d1dedac3e8b8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179708
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To drop dependency on internal rand_state.drbg_initialized in functions
located in other sources, slightly change fips_drbg_init() logic to
avoid initialization if already initialized.
Also update 0/1 to false/true as rand_state.drbg_initialized is bool.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ia541266c36793c65dffce27a60a20ae25e10f92c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3179316
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several functions like lo32(), hi32(), clz() were defined into bn.c,
but clz and ctz are used in fips_rand.c. Move these functions into
internal.h to allow reuse.
Both __builtin_ctz() and __builtin_clz() have undefined behavior for
argument which is zero. Explicitly set result to 32 in such case. It
was the case for __builtin_clz() in bn.c, but not for variants used
in TRNG health tests.
BUG=None
TEST=make BOARD=cr50 CRYPTO_TEST=1; TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ifc6fa7f820080bdad0f14fc079163f4976369724
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3174592
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This API will provide support to the AP RO verification
implementation. The size of data read in one transaction is limited by
SPI_HASH_CHUNK size.
BUG=b:199904580, b:200736744
TEST=tested along with AP RO verification implementation.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Id4da2add2ce1202d979627dde40325b583004fc5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3172254
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To properly define FIPS module boundary all APIs provided by module
to external applications (TPM2, pinweaver, etc) should be identifiable.
Shuffle functions between dcrypto.h and internal.h to achieve this goal.
Adjust included headers as needed.
BUG=b:134594373
TEST=make buildall; TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ie2679644d62e232a5d5d06f8ed6bf602853ebde2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169558
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All public functionality of FIPS module should be disabled in case
of FIPS errors.
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1;
ccd:
fips sha
fips test
u2f_test - should fail
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ice8a0ab6535fcb0bd426ebbe969db1859cbd3ae8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169097
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
struct APPKEY_CTX is an empty struct passed with few APIs and not used
for any purpose. Remove it.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1;
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4bcb8f196b70cefc58a81e8592d83aa70464fcf8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3169374
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Folks working on other Haven firmware shared issue that our code for
unaligned access is sensitive to compiler version and with updated gcc
results in broken code. Replacing access_helper with aligned access
and memcpy into aligned buffer if unaligned data is provided results
in smaller and faster code. Unaligned access unfortunately results in
quite lengthy code. Specifically for AES I got back 312 bytes.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test + TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ie03b7ce3a24c4fea0506c204fce82bca719f1b79
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3167003
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NIST statistical tests for TRNG entropy requires to compare entropy
in regular mode (continuous readings) with entropy after TRNG restarts.
Added support for TRNG restart before reading entropy and updated script
to drive tests.
BUG=b:138577834
TEST=test/nist_entropy.sh
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Idc46191be05e8275730726f6debb8007ca361bc6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165883
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: William Wesson <wesson@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An "Approved" RNG listed in FIPS 140-2 Annex C must be used for the
generation of random data or cryptographic keys used by an approved
security function. Detailed information and guidance on Key Generation
can be found in NIST SP 800-133 and FIPS 140-2 IG 7.8 and D.12.
Many of function use raw entropy from TRNG without any health tests or
even checking returned status, as old API didn't provide any indication
of failure.
With this patch we remove old API: rand() and rand_bytes() and expose
new API:
fips_rand_bytes() - generation of random bits from properly instantiated
and reseeded as needed DRBG.
fips_trng_bytes() - generation of entropy from TRNG with statistical
testing and checking for TRNG failures.
fips_trng_rand32() - generation of 32 bits from TRNG with health check
and indication of status.
ccd, rsa, ecc, pinweaver, rma_auth are updated to use new APIs.
These functions are moved into dcrypto.h which will become "Public API"
for the module.
trng_test vendor command moved to dcrypto/trng.c where it belongs.
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest.py
TCG tests.
-------------------------- Test Result Summary -------------------------
Test executed on: Thu Sep 16 10:16:59 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
======================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I80d103ead1962ee388df5cabfabe0498d8d06d38
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3165870
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It seems now HDKF is only used by RSA key gen test from seed and by
test/tpm_test/tpmtest.py, so link it only when CRYPTO_TEST=1 is used.
This saves some space for prod build, as all functions of FIPS module
are linked in as a whole.
BUG=none
TEST=make BOARD=cr50
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I7f925d4dabd8685efe5916933198d5560bdacd9f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3163309
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Hardware HMAC implementation is added for key lengths <= 32 bytes and
more than 64 bytes. Keys between 32 and 64 bytes use hybrid approach.
2. HMAC DRBG performance increased even more from 520us to 320us per
32 bytes.
3. Added support for one-shot SHA operation which is a bit faster than
livestream mode when message length is known beforehand.
4. Image size impact - +216 bytes.
5. Added opportunities to enable keyladder code to use some common
primitives like dcrypto_fifo_load() instead of it's own versions.
6. Added new console command hmac activated with CRYPTO_TEST=1 to
test all paths (hw, sw, hybrid for HMAC) for SHA256, SHA1 and
HMAC SHA256. Due to size of test vectors, you should choose one at
a time to test. Also, since HMAC is used by DRBG, DRBG tests are also
relevant.
BUG=b:195092622
TEST=make CRYPTO_TEST=1; 'hmac' command in console, tests/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Icb3d8a9d0f3bd0509eb72993d5835584bc14640b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3116570
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To cleanly split internal API in internal.h from external API in
dcrypto.h we need to add missing DCRYPTO_p256_is_valid_point().
While adding this switch to enum dcrypto_result for both internal and
external versions.
Added check that provided point is valid to DCRYPTO_p256_point_mul() as
important security precaution. Currently this check is still in
tpm2/ecc.c, but it will be removed in next CLs with switching to
enum dcrypto_result.
Added comments on input parameters and behavior.
BUG=b:134594373
TEST=make BOARD=cr50; test/tpm_test/tpmtest.py; TCG tests
-------------------------- Test Result Summary -------------------------
Test executed on: Tue Sep 14 18:24:10 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
========================================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I4637f7b61b5a502854d9cad03e8e603529278873
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161507
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. KAT tests should check that result doesn't match expectation for
modified input, not just failing on request. Added modification of input
data in case test break is needed (during module validation).
2. For ECDSA added pair-wise consistency test with known key pair.
However, this test adds roughly 40ms, so disable it and use sign test
with fixed nonce instead.
3. Some internal changes to support functionality - internally provided
dcrypto_p256_ecdsa_sign_raw() which takes precomputed nonce vs. drbg.
This allows generation of nonce with reseeding of DRBG if needed.
Also added dcrypto_p256_fips_sign_internal() which does same as
dcrypto_p256_ecdsa_sign() except that it reseeds DRBG with entropy if
needed.
4. Implemented ECDSA sign test with fixed nonce, and combined with
verify test. This allows to free some space for test vectors.
Also, store SHA256 of message as SHA256 is already tested. This saves
another 96 bytes.
5. KAT test time increased 2X from ~40ms to 60ms due to ECDSA sign test.
5. Run SHA2-256 KAT before self-integrity test, as it is used for
self-integrity.
BUG=b:138577539
TEST=make BOARD=cr50
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1cbd470bc64ef3eb50e9a28055404fb998c65b61
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3144376
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For G2F switched to proper use of DRBG.
For U2F added support for 512-bit entropy, changed DRBG instantiation
in FIPS path.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1; u2f_tests in ccd, tpm_test.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1acf9947317a8b2f1b53cee0b2d81829c54336d5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3161506
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
p256_int was defined as packed struct to allow in place processing of
TPM2 commands. However, it is not practical to pad and reverse bytes
in place, support for misaligned access results in bloated code, lower
performance and side-channel leaks.
With this change introduce p256_from_be_bin_size() function which
handles all cases with conversion big-endian number into p256_int
internal representation (little-endian for cr50) with skipping leading
zeros if present in big-endian, checking of size and zero padding.
Bonuses:
- code size reduction 336 bytes
- a bit higher performance for p256
- support for zero padded big-endian in TPM2 ECC, as well as more
reliable checks for input parameters.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
in console p256_test as unit test for padding function.
------------------------------ Test Result Summary -----------------------------
Test executed on: Tue Sep 14 15:13:11 2021
Performed Tests: 248
Passed Tests: 248
Failed Tests: 0
Errors: 0
Warnings: 0
=========================================================
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Idd04d4e8d30225398814650332fe9be7182a8966
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138754
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dcrypto p256 microcode in https://crrev.com/c/3133625 introduced shift
in DMEM layout which started to corrupt mod & RR values, so alternating
RSA and P256 led to potential errors in dcrypto_modexp_blinded().
This fix updates layout to move input in the place of mod and thus
preserve mod & RR.
BUG=none
TEST=make BOARD=cr50; TCG tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ic949147f43dfc210ed499c91c70e1ed186670afc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3160503
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is no point in having separate implementation of always_memset()
which is slow and takes few extra bytes. Make memset's body available
as memset_core() with volatile dest *, thus making it always called
same as with always_memset(). Both memset() and always_memset() becomes
just wrappers on top.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; board boots, FIPS tests passes,
tpm_test.py works.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I68b3f89e757521e94df646f7d643411c53a10da7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155725
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After https://crrev.com/c/3139977 landed noticed that I need DRBG_TEST=1
to make tpm_test.py to work, as suddenly disabled vendor command with
ccd command.
Added check for successful completion of hmac_drbg_generate() in
test command.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpmtest/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I87053fc0d100a68536680ad8c66358cdb2d5e537
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155297
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After migration to DRBG use, remove DCRYPTO_ladder_random() function.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ifdb3fd79ec03ac94066a91ed38b61218dbceefde
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3155295
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To simplify identification of FIPS module boundary, move all sources
into same place.
BUG=b:134594373
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I6acd12d12c00a3362041914bd515534f72a08ab2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3150057
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During FIPS refactoring many additional test commands were added to
CRYPTO_TEST=1 image for unit testing. However, this lead to very small
space left in image.
Adding local switches to several CCD commands to activate it only once
working on related parts. This free around 6.5K.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I8f11988d2994c6c4b25748d3c0c07096ba00c392
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3139977
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since https://crrev.com/c/3125994 and https://crrev.com/c/3119223 were
in review at the same time and landed one after another, check for
result of DCRYPTO_equals() wasn't properly updated.
This is a fix addressing that DCRYPTO_equals() now returns DCRYPTO_OK
instead of 1 in case of matching values.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; ccd - u2f_test
test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I582906f9a6be57e1d645370377caa5e5ab3e2481
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3146593
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When both https://crrev.com/c/3125994 and https://crrev.com/c/3119223
landed it resulted in broken host build as function attribute
optimize("") is not supported by clang. This is happened due as both CLs
are relatively independent by nature, but the first one added one of the
sources to host build.
BUG=none
TEST=make buildall -j
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: If1b8425cea418ae42179bef46f6f5998ded3dc1f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3146223
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Inject the fips fingerprint into the cr50 image, so it can verify the
fips module before starting to execute it. This change adds a script to
calculate the checksum and inject it into a elf file before signing.
If CONFIG_FIPS_CHECKSUM is defined, generate an elf file with the fips
checksum and use that to create signed images and hex files.
The build process doesn't change for RO artifacts. Nothing changes if
CONFIG_FIPS_CHECKSUM isn't defined.
The new chain for RW is
ec.RW.elf -> ec.RW.elf.fips -> ec.RW.flat
ec.RW.elf.fips is generated with util/inject_fips_fingerprint.sh.
util/inject_fips_fingerprint.sh calculates the fips module fingerprint,
copies ec.RW.elf to ec.RW.elf.fips, and then injects the fingerprint
into ec.RW.elf.fips.
util/signer/bs will be modified to use ec.RW.elf.fips if it exists in a
followup CL.
BUG=none
TEST=manual
# Verify cr50 is the only board that creates the fips artifacts
make buildall -j
objdump the text.fips_checksum section of ec.RW.elf and
ec.RW_B.elf. Make sure they match ec.RW.fips.checksum and
ec.RW_B.fips.checksum
# Verify cr50 can update to image signed with devid and that
# image shows Stored hash that matches the computed one.
H1_DEVIDS="${DEVID}" make -j BOARD=cr50 CR50_DEV=1
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Change-Id: Iab857ec1b7e3ae0d23681a25467e26286bd68210
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3078053
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
P-256 sign requires a random nonce which is generated from provided
DRBG. Implementation of dcrypto_p256_ecdsa_sign() cleaned out DRBG
once nonce is successfully created. This works fine when DRBG is
instantiated just for purposes of signing this particular message,
but doesn't work if we want to use system-wide DRBG which is perfectly
instantiated as reseeded as needed as we want for FIPS. Instantiation
of DRBG using entropy from TRNG is relatively expensive operation
which we can avoid this way.
Moving DRBG management outside ECDSA Sign makes it clearer. Now the
caller is responsible what to do with DRBG and allows further updates
with automated reseeding if ECDSA Sign fails due to DRBG.
In tpm2/ecc.c we can now replace DRBG instantiation with using FIPS DRBG
created during initialization. Still more changes are needed to fully
switch to DRBG use for key gen as we need to handle reseeds properly.
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I092b18cde5f6a8aede0a65e24a892dda9de7afa2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3138384
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set FIPS module build flags to reduce changes in object file due to
compiler's randomization during LTO.
Adjusted several optimization options which resulted in smaller image.
Freed 136 bytes for ToT.
BUG=b:138578318
TEST=make BOARD=cr50, test that image works.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I99d9bf459bda6f1fcbd8dafe6f23539dda110fd8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123967
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Introduce enum dcrypto_result defining DCRYPTO_OK and DCRYPTO_FAIL
constants such that they have large Hamming distance, thus becoming
more fault-injection resistant.
2. Added value_barrier() and value_barrier_ptr() which prevents compiler
from certain optimizations, removal of conditional execution.
3. Added hardened_select_if_zero() primitive which produce branch-less
selection between values.
4. Added convenience function dcrypto_ok_if_zero() to convert zero into
DCRYPTO_OK.
5. DCRYPTO_equals() implemented in a way that it also checks completion
of all iterations in addition to comparing value. This makes it
resistant to fault injection which would result in no comparisons
made.
6. Updated uses of DCRYPTO_equals() to check for new return code.
7. Few memcmp() replaced with DCRYPTO_equals().
BUG=b:197893750
TEST=make BOARD=cr50 CRYPTO_TEST=1; tests/tpmtest.py
in console check that FIPS KAT tests passes.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I2a0373e8be97c2d61a2c4743c74614c2ff064a8a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3125994
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Split U2F crypto from U2F command processing by moving all crypto
code into boards/cr50 (platform hooks).
U2F state management is part of common code and passed to U2F crypto
as a parameter.
Previously reviewed as https://crrev.com/c/3034852, but reverted due to
ChromeOS dependency on include/u2f.h. In this revision this is addressed
by restoring include/u2f.h with previous content and new additions
and adjusting dependencies in other headers.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1
console: u2f_test
test/tpmtest.py
FAFT U2F tests pass
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Iff1973c8e475216b801d7adde23b1ef6c4a6f699
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3119223
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch to hardened p256 code sequences for dcrypto which introduce
blinding of secrets and control flow integrity checks.
Dcrypto sequences are taken from cr52 board (/chip/g/fips).
Code size increased by 1008 bytes, but expect savings from aligned
p256_int.
BUG=none
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I434a373fc602e01bf815099a3661a2cef93af22f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3133625
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During unit testing discovered an issue with test order specific bug
which resulted in incorrect system-level DRBG initialization. It was
revealed after several independent CLs landed.
This fix corrects this issue.
BUG=b:138577416
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I1222bc72d5560a4984a78abf53d5e3b2178d0977
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3133626
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FIPS requires pair-wise consistency test for asymmetric key generation
algorithms. For U2F we use only ECDSA P-256, so adding this step into
key generation function.
BUG=b:198219806
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
This test covers U2F and TPM2 uses of ECDSA keygen.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I520a233e700a68b19c863bad05271f97693b5ca9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3131949
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to block access to all crypto in case of FIPS errors. There are
multiple steps to implement, this is one of few.
There is common API crypto_enabled() which is used by nvmem and some
other functions to check wherever access to crypto is possible.
This is same intent as fips_crypto_allowed(), though the latter checks
for FIPS KAT errors, while the former checks only key ladder status.
Here we make all FIPS errors to revoke access from key ladder, and
fips_crypto_allowed() to check key ladder status. This way we also
ensure that in case of FIPS errors access to device secrets will be
blocked.
We moved crypto_api.c from chip/g to board/cr50 to move crypto_enabled()
into fips.c and alias it to fips_crypto_enabled().
crypto_api.h is no longer included from dcrypto.h, and compile time
assert for cipher salt size is moved to proper place.
Since crypto is used by nvmem_init(), move FIPS power-up tests earlier
to ensure nvmem_init() can access crypto.
BUG=b:197893750
TEST=make CRYPTO_TEST=1; tpm_test; check nvmem is properly initialized
on board_init().
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: If70c2a21d61348bd97a47e26db5d8eec08bbf8ed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3123836
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make DIOA12 an output on Zork, so it can be used for the ccd recovery or
lid switch signals.
BUG=b:197916691
TEST=setting CCD_REC_LID_PIN toggles lid_open on tomato
Change-Id: I755498fd9bb9b764b0e0aa2bf0394c45b087c767
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3124565
Reviewed-by: Ting Shen <phoenixshen@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Ting Shen <phoenixshen@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 5ae1c684271a117539858cb12252959dfe46803c.
Reason for revert: breaks chromeos-ec-headers
BUG=b:197691499
Original change's description:
> u2f: refactoring to split command processing and crypto
>
> Split U2F crypto from U2F command processing by moving all crypto
> code into boards/cr50 (platform hooks).
>
> U2F state management is part of common code and passed to U2F crypto
> as a parameter.
>
> BUG=b:134594373
> TEST=make BOARD=cr50 CRYPTO_TEST=1
> console: u2f_test
> test/tpmtest.py
> FAFT U2F tests pass
>
> Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
> Change-Id: I85442cddb2959bd3102f7f6e6047134ede90951b
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3034852
> Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
> Reviewed-by: Andrey Pronin <apronin@chromium.org>
> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Bug: b:134594373
Change-Id: I61a965995fcd53b4e155084f5f351574cb84cd1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3115930
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: David Stevens <stevensd@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Split U2F crypto from U2F command processing by moving all crypto
code into boards/cr50 (platform hooks).
U2F state management is part of common code and passed to U2F crypto
as a parameter.
BUG=b:134594373
TEST=make BOARD=cr50 CRYPTO_TEST=1
console: u2f_test
test/tpmtest.py
FAFT U2F tests pass
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I85442cddb2959bd3102f7f6e6047134ede90951b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3034852
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to implement self-integrity test for FIPS module we need to
make sure binary code of module in image doesn't change from build to
build. To do that we already place FIPS module as constant address.
However, any call to functions outside the module creates a relocation
which is changing depending on location of that external function in the
image. To prevent that we either need to bring these functions in the
module like it was done with memcpy() and some others or replace their
invocations with callbacks. Task & Memory management functions are hard
to bring in the module, so replace few invocations with indirect calls
using vtable. This way invocation code will remain the same.
1. Identify and minimize dependency on EC OS - remove few asserts
and cprintfs.
2. Remove checking privilege level in TRNG init - we know that it is
high by the order of initialization in board_init() and that our
RO doesn't drop permissions. Correct initialization of TRNG is
important for certification, so we can't just assume it may be
initialized improperly.
3. Added vtable with EC OS functions, initialization of FIPS module
vtable in board_init().
4. Switched to using vtable instead of direct calls. Note, we continue
to use EC OS with CRYPTO_TEST=1 to reduce vtable size and image
size.
BUG=b:138578318
TEST=make BOARD=cr50; tests
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: Ibd7bd2353fc4e7e5886f9bfef96b36dc64ff2359
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3107847
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=none
TEST=make -j BOARD=cr50 CR50_DEV=1
Change-Id: I3f5281047ff3f349161e37633320e63b4a8fb318
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3108328
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|