When vendor commands are processed by the TPM device, the result of
the command execution is communicated through the TPM response header.
When vendor commands are sent through USB the command execution result
value is lost, as the USB reply includes only the response payload,
(if any), but not the result value.
With this patch the single byte result value is prepended to the USB
response payload. The recipient will always look for the value in the
first byte of the response to find the vendor command execution
status.
The corresponding change to the Cr50 usb_updater will remove the
response code from the payload before considering the command's return
data.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=verified proper existing extension commands processing (post
reset, turn update on) by the new version of usb_updater and
backwards compatibility with earlier Cr50 RW version (down to
0.0.13).
Change-Id: I5c8b3ea71d3cbbaccc06c909754944b3ab04675d
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/525093
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
The USB FW upgrade endpoint should really only accept vendor commands
required to perform the firmware update. This commit adds a whitelist
that is checked whenever a vendor command is received over this
endpoint.
The allowed commands over USB are the following:
- EXTENSION_POST_RESET
- VENDOR_CC_IMMEDIATE_RESET (only for dev images)
There is also functionality to have a whitelist for vendor commands that
come over the TPM interface.
BUG=chrome-os-partner:62815
BRANCH=None
TEST=Flash Cr50 with image containing this change. Verify that an
upgrade over USB to newer image works.
TEST=Try using usb_updater to send a vendor command that's not in the
whitelist. Verify that the vendor command is dropped.
Change-Id: I71f8ba090a1cc6c9e7c30ce0dd3c25259e8f292f
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/443447
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Let's make sure that both embedded and host side use the same command
definitions. To avoid host compilation problems move the definitions
into a separate file.
BRANCH=none
BUG=none
TEST=compilation still works.
Change-Id: Id0d85a51aebabed0637965b3b19d7ed42c46e75e
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/414945
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Cr50 updates in development environment should allow resetting the
device immediately after update (without the need for SYS_RST_L to be
toggled).
This patch adds a vendor command to do just that.
BRANCH=none
BUG=chrome-os-partner:60013. chrome-os-partner:60321
TEST=none yet, with the rest of the patches applied the target gets
rebooted immediately after a cr50 code update. Also, observed
that flashing the console does not quite work, opend
crosbug.com/p/60321 to address this.
Change-Id: Ia6f99ad6d22004347ad02aac2cbf4dd6c5594928
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/414442
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This returns the system information that is needed to determine the
correct signing keys for firmware updates.
BUG=chrome-os-partner:59747
BUG=chrome-os-partner:59705
BRANCH=none
TEST=make buildall; test on Reef
Run the "sysinfo" command on the Cr50 console:
> sysinfo
Reset flags: 0x00000800 (hard)
Chip: g cr50 B2
RO keyid: 0x3716ee6b(dev)
RW keyid: 0xb93d6539(dev)
DEV_ID: 0x017950ab 0x04656742
>
Send the raw command bytes from the Reef AP, observe the result:
# /tmp/trunks_send --raw 80 01 00 00 00 0C 20 00 00 00 00 12
80010000001C0000000000123716EE6BB93D6539017950AB04656742
#
The result contains the same information from the console command:
8001 TPM_ST_NO_SESSIONS
0000001C responseSize (28 bytes)
00000000 RC_SUCCESS
0012 vendor-specific subcommand
3716EE6B RO keyid
B93D6539 RW keyid
017950AB DEV_ID0
04656742 DEV_ID1
Change-Id: I82de3ebfb3e9be3b707583bc825d2efbcf851c5c
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/413106
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
This allows custom TPM commands to be declared using the a
DECLARE_VENDOR_COMMAND macro instead of the original (and still
unchanged) DECLARE_EXTENSION_COMMAND macro.
The new commands are nearly identical, but they are encapsulated
using the vendor-specific protocols described in the TPMv2 spec.
Our original extensions use a non-standard command code, and
return a non-standard struct on completion, which can be
confusing to standard TPM drivers and tools.
Demonstrating the use of the new macros, this adds commands to
obtain the state of the Cr50 restricted console lock, or to set
the lock. There is intentionally no command to unlock the
console.
Note that this CL just adds the commands to the Cr50. We still
need to provide a nice userspace utility for the AP to use.
BUG=chrome-os-partner:58230
BUG=chrome-os-partner:57940
BRANCH=none
TEST=make buildall; load, boot, test, and update again on Reef
On Reef, I can use the trunks_send tool to send the raw TPM bytes
to invoke these commands:
Get the lock state:
# trunks_send 80 01 00 00 00 0C 20 00 00 00 00 10
80010000000D00000000001000
The last byte 00 indicates that the lock is NOT set, so set it:
# trunks_send 80 01 00 00 00 0C 20 00 00 00 00 10
80010000000C000000000011
Success. On the Cr50 console, I see it take effect:
[480.080444 The console is locked]
Query the state again:
# trunks_send 80 01 00 00 00 0C 20 00 00 00 00 10
80010000000D00000000001001
and now the last byte 01 indicates that the console is locked.
And of course the existing extension commands still work as
before. In addition to uploading firmware, I can use the
usb_updater from my build machine to query the running firmware
version:
$ ./extra/usb_updater/usb_updater -f
open_device 18d1:5014
found interface 4 endpoint 5, chunk_len 64
READY
-------
start
Target running protocol version 5
Offsets: backup RO at 0x40000, backup RW at 0x4000
Keyids: RO 0x3716ee6b, RW 0xb93d6539
Current versions:
RO 0.0.10
RW 0.0.9
$
Change-Id: I7fb1d888bf808c2ef0b2b07c782e926063cc2cc4
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/409692
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
While USB updates have a mechanism to trigger the target reset, SPI
updates do not have it.
This patch adds an extension command to cause the device reset.
BRANCH=none
BUG=chrome-os-partner:58226
TEST=with the rest of the patches applied verified that the system
gets reset and the new image version kicks in on both gru (over
SPI) and reef (over USB).
Change-Id: I498538670e2c43d17b13510288eb9ae75eb7b761
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/395628
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
I keep thinking this refers to "Embedded Controller" instead of
"Elliptic Curve Cryptography". Make it clearer.
There's no functional change, I'm just renaming a constant.
BUG=none
BRANCH=none
TEST=make buildall; run tests on Cr50 dev board
make -C test/tpm_test && sudo ./test/tpm_test/tpmtest.py
Change-Id: Iaf2e2839e88fdbbcb1a712934be56a0dd47e4a70
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366752
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add support for SHA256 based HKDF key
derivation as specified in RFC 5869. This
change includes test vectors from the RFC.
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
TEST=tests under test/tpm2 pass
Change-Id: I7d0e4e92775b74c41643f45587fc08f56d8916aa
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/336091
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
This patch suggests a firmware upgrade mechanism implemented through
an extended TPM command.
The firmware is transmitted in chunks, each chunk accompanied by its
checksum (first 32 bits of SHA1) and the base address.
The first chunk is of size zero and has the base address set to zero.
When the first chunk is received, the command handler determines the
destination flash space (A or B), erases it, and returns its base
address to the caller, such that the firmware update agent can tell in
which of the two spaces it should write the update.
The ultimate verification happens after the device is reset - the
integrity and authentity of the firmware upgrade is verified at that
point, the new firmware will not be started unless it is properly
signed.
BRANCH=none
BUG=chrome-os-partner:37754
TEST=with all patches applied it is possible to upgrade firmware in
both spaces A and B.
Change-Id: I6aedc587ec630d65ba81000496f372c9044959a0
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/327415
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Includes support for encrypt / decrypt,
and sign / verify; padding schemes OAEP /
PKCS1; supporting bignum library.
RSA key sizes must be a multiple of 32-bits
(with the top bit set). Keying material,
input and output buffers are required to be
word-aligned.
BRANCH=none
TEST=added encrypt/decrypt sign/verify tests, compatibility with openssl tested
BUG=chrome-os-partner:43025,chrome-os-partner:47524
Change-Id: I6bc324c651e3178bb45bb75ab5935d9bc07efbce
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/316942
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
A new extended subcommand code (1) is being added to handle hash
testing.
The new subcommand handler keeps track of multiple sha1 and sha256
contexts the host might want to exercise. The number of available
contexts is limited by the amount of available free memory.
One of four hash operations could be requested by the host: 'Start',
'Continue', 'Finish' - when hashing a single stream over multiple
extended command messages, and 'Single' when the entire message to be
hashed is included in one extended command payload.
The command payload had the following format:
* field | size | note
* ===================================================================
* mode | 1 | 0 - start, 1 - cont., 2 - finish, 3 - single
* hash_mode | 1 | 0 - sha1, 1 - sha256
* handle | 1 | seassion handle, ignored in 'single' mode
* text_len | 2 | size of the text to process, big endian
* text | text_len | text to hash
As soon as the first 'Start' message is encountered, the handler tries
to allocate shared memory to keep track of the test contexts, the
amount of available memory determines how many contexts the handler
can support concurrently.
As soon as the last 'Finish' command is encountered, the handler
returns the shared memory to the 'heap'.
BRANCH=none
BUG=chrome-os-partner:43025
TEST=after adding the host side implementation and fixing a couple of
bugs, hash tests pass (see upcoming patches).
Change-Id: Iae18552d6220d670d1c6f32294f0af1a8d0d5c90
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/314692
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This patch introduces a facility which would allow to compile in
callbacks for arbitrary commands passed over various communication
protocols.
Typically this will be used for testing, when various test commands
are multiplexed over an existing protocol.
The callbacks are associated with 16 bit command codes. On input the
callback receives a buffer, containing the command's argument, the
size of the command argument and the maximum size of the buffer. On
output the callback stores processing result in the same buffer and
updates the size to the actual amount of returned data.
Callback descriptors are stored in a dedicated read only section which
is scanned by extension_route_command() to find a callback associated
with a certain command code.
A console channel is also being introduced to allow controlling
console output generated by extension commands handlers.
BRANCH=none
BUG=chrome-os-partner:47524
TEST=none yet
Change-Id: I8ae16a78ca7d72176a5e7f74dd7a232078e7c06c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/312586
Reviewed-by: Randall Spangler <rspangler@chromium.org>
