| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After working with temporary copies of rollback secret, clear them using
always_memset() in third_party/cryptoc/util.c. For boards that have
CONFIG_ROLLBACK_SECRET_SIZE, configure CONFIG_LIBCRYPTOC automatically.
BRANCH=nocturne
BUG=chromium:968809,chromium:989594,b:130238794
TEST=make -j buildall
TEST=tested fingerprint enrollment and matching on nocturne DUT, which
uses rollback_get_secret().
Change-Id: I44fb5ef7d43c080e4d33c8d9a7d9298e194e1cf3
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1731544
Reviewed-by: Tom Hughes <tomhughes@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=none
BUG=b:124996507
TEST=In hatch_fp and nocturne_fp console with CONFIG_RWSIG_JUMP_TIMEOUT
increased to large value and console_task stack size increased to
4096:
> rollbackinfo
rollback minimum version: 0
RW rollback version: 0
rollback 0: 00000000 00000000 0b112233 [00..00] *
rollback 1: ffffffff ffffffff ffffffff [ff..ff]
> rollbackupdate 1
> rollbackinfo
rollback minimum version: 1
RW rollback version: 0
rollback 0: 00000000 00000000 0b112233 [00..00]
rollback 1: 00000001 00000001 0b112233 [00..00] *
> rollbackaddent 1234
> rollbackinfo
rollback minimum version: 1
RW rollback version: 0
rollback 0: 00000002 00000001 0b112233 [e5..8c] *
rollback 1: 00000001 00000001 0b112233 [00..00]
TEST=test_that --board=nocturne <IP> firmware_Fingerprint.ObeysRollback
firmware_Fingerprint.ObeysRollback [ PASSED ]
firmware_Fingerprint.ObeysRollback/firmware_Fingerprint [ PASSED ]
Change-Id: I90b524138ca1125e2c1b62936b9f6fbe00e957d4
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1681379
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mock rollback_get_secret() and use it to test derive_encryption_key().
BRANCH=nocturne
BUG=chromium:927095
TEST=make -j buildall
TEST=tested enrollment, matching and multifinger on nocturne DUT
TEST=verified test key vectors by running boringSSL's HKDF
(https://boringssl.googlesource.com/boringssl/+/c0b4c72b6d4c6f4828a373ec454bd646390017d4/crypto/hkdf/)
locally
Change-Id: Ie2f51e4f64788d938e43d0c5c18685d1cfdd001c
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1652495
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unprotect the MPU before we write to the rollback block, else
the EC crashes.
BRANCH=nocturne
BUG=b:116216642
TEST=ectool --name=cros_fp reboot_ec; sleep 0.5; \
ectool --name=cros_fp rwsigaction abort && \
ectool --name=cros_fp addentropy reset && \
ectool --name=cros_fp reboot_ec
TEST=Flash EC RW with rollback version 1, no crash, rollback
version is incremented
Change-Id: I2f7a057d4a94be97c52a8acaa4b9d864cabf280c
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1236917
Commit-Ready: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rollback id will be useful to check that the secret has actually
been wiped. Min rollback version and RW rollback version might
be useful in the future.
BRANCH=nocturne
BUG=b:115733483
TEST=ectool --name=cros_fp rollbackinfo
=> Rollback block id: X
ectool --name=cros_fp reboot_ec; sleep 0.5; \
ectool --name=cros_fp rwsigaction abort && \
ectool --name=cros_fp addentropy reset && \
ectool --name=cros_fp reboot_ec
ectool --name=cros_fp rollbackinfo
=> Rollback block id: X+2
Change-Id: I039d26d302d3a12b0d41acca34aa28d4a2dd096d
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1226126
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want to prevent easy readout of the rollback region, so we
protect it using the MPU. There is a short duration of time where
the region is unprotected (when we actually need to read the
information back), but we shorten it by disabling interrupts.
BRANCH=none
BUG=b:111330723
TEST=flashread 0xe0000, rw 0x80e0020, md 0x80e0020,
ectool flashread 0xc0000 0x1000 x
=> All cause EC to crash and reboot
TEST=rollbackinfo still works
Change-Id: I85ee757b3e261de392af03bd958b36d140a1080a
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1143106
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To generate a new secret, we add entropy (generated from local
HW TRNG) to the existing secret (sha256(old secret || entropy)).
This essentially re-keys the EC.
On STM32H7, erasing rollback flash block can take up to 4 seconds,
which exceeds the timeout of a normal host command. Therefore,
ADD_ENTROPY command is asynchronous (adding the entropy itself
is performed in a deferred hook), and its status must be checked
repeatedly by the host.
In some cases, it is critical that the old key is not left in
the backup rollback block(s). For this purpose, we add a special
action ADD_ENTROPY_RESET_ASYNC that adds entropy multiple times,
until all the rollback blocks have been overwritten.
BRANCH=none
BUG=b:111190988
TEST=EC> rollbackinfo
DUT> ./ectool --name=cros_fp reboot_ec RO && \
sleep 0.3 && ./ectool --name=cros_fp addentropy
EC> rollbackinfo
=> See that that a single rollback block has been overridden
TEST=Repeat with ./ectool --name=cros_fp addentropy reset
=> See that both rollback blocks have been overridden
Change-Id: I3058b0a91591fab543ba6890f7356e671016edfa
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1132826
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
flash_write (rightfully) fails if the size of not a multiple of
CONFIG_FLASH_WRITE_SIZE.
BRANCH=none
BUG=b:111190988
TEST=rollbackupdate works on both whiskers and nocturne_fp
Change-Id: I8e0b1f59b06d33f4171b6e09af94a5b7a60acc61
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1127803
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Louis Collard <louiscollard@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=none
BUG=b:111190988
TEST=make buildall -j
Change-Id: I9cea8ce0270ca8a3f4fd33663d78d7d7c5b93643
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1128784
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=none
BUG=b:38486828
TEST=Flash hammer
Change-Id: I50088a78e75d6ea8d62e439fdc8bf18d46319462
Reviewed-on: https://chromium-review.googlesource.com/532474
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mix in board-generated entropy with the externally provided one,
which should help make the per-device secret stronger.
BRANCH=none
BUG=b:38486828
TEST=reboot; rollbackaddent Hello => works fine when USB is connected,
fails otherwise, as board-generated entropy relies on USB timing.
Change-Id: I314f44759c5f8b859913a748db95e9d42b5cdd11
Reviewed-on: https://chromium-review.googlesource.com/518609
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For pairing purpose, we want to store some secret random number in
the base. The most convenient location for this is the rollback
region.
Since the rollback region can now be updated without incrementing
rollback_min_version (when we add entropy to the secret), we need
to add an increasing id to tell the code which rollback region is
the latest.
We also add console commands to manually add entropy.
BRANCH=none
BUG=b:38486828
TEST=Flash hammer (with or without CONFIG_ROLLBACK_ENTROPY_SIZE set)
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
only when CONFIG_ROLLBACK_ENTROPY_SIZE is set:
rollbackinfo => Secret is [00..00] on both blocks (so the data
was copied correctly)
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
TEST=From blank secret [00..00], 'rollbackaddent Hello' updates it
to [ba..fa], which matches the output of:
(dd if=/dev/zero bs=1 count=32; echo -n Hello) | sha256sum
Change-Id: I79c3e790e56e21958cc1b4ba05bd4e5f359d3090
Reviewed-on: https://chromium-review.googlesource.com/511985
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Typically, we do not need RW section to be able to update rollback
information (rollback block should be protected when RW is running),
so we can save some flash space by undefining this option.
BRANCH=none
BUG=b:35586219
TEST=make newsizes saves ~420 bytes on hammer and staff.
Change-Id: Ic457673e56ace083f2ebb1ca0f37f54bf125bfa4
Reviewed-on: https://chromium-review.googlesource.com/511983
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is useful for debugging, to understand if the RW rollback
version is ahead of current rollback version.
BRANCH=none
BUG=b:35586219
TEST=Flash hammer, rollbackinfo in EC console
Change-Id: I2634199845f1b35447e0938a35b862f79cb24ffa
Reviewed-on: https://chromium-review.googlesource.com/489886
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done at RO stage. If the rollback region is unprotected, update
it to match the version in the RW image.
If the rollback region is protected, we can't do that update, so we wait
for RW to unlock that region (presumably after AP has verified that image
is somewhat functional) before updating it.
BRANCH=none
BUG=b:35586219
TEST=flashwp true; reboot => hammer reboots twice
flashinfo shows RO+rollback protected:
Flags: wp_gpio_asserted ro_at_boot ro_now rollback_at_boot rollback_now
Protected now:
YYYYYYYY YYYYYYYY Y....... ........
TEST=Hack version.c to add "+1" to rollback_version, check that RO updates
ROLLBACK info block on first boot.
TEST=Use hack above, convert rwsig to separate task, add 5000 ms delay in
rwsig just before rollback information is updated. Then:
Quickly type: flashwp true; reboot; flashwp all; reboot
=> Wait for system to jump to RW
rollbackinfo => minimum version 0
flashwp norb; reboot; wait for jump to RW
rollbackinfo => minimum version 1
Change-Id: I78e502315c611c5edaf34b8d70a12fedd3e57bdf
Reviewed-on: https://chromium-review.googlesource.com/452816
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
Implement actual rollback protection. First, we add a new field
in the version structure, which is an incrementing integer
(we'll start by shipping images with version 0, and gradually
increase the number as required). This allows us to release
new versions of the EC without necessarily bumping the rollback
protection.
For the rollback protection block itself, it contains 2 sub-blocks
of equal size (normally, 2k), that are individually erasable.
The rollback code looks at both, and takes the most restrictive one
to determine the desired rollback minimum version. The blocks
are also allowed to be erased (full of 1's), in which case the
rollback minimum version is assumed to be 0.
We also add an FMAP entry, in case we later decide to allow the
signer to increment the rollback version.
Also note that, like any version_data struct change, this change
breaks compatibility between old and new RO/RW.
Follow-up code will take care of auto-updating the rollback block
as required, and properly manage block protection.
BRANCH=none
BUG=b:35586219
TEST=Flash hammer
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
Change-Id: Ia969afb481a93deb912b9153bdd95ace01ad8fa7
Reviewed-on: https://chromium-review.googlesource.com/452815
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|