| d5f5f466f65b2093d1ccef9ce9fd0edd3cddd9f5 |
|
28-Jan-2017 |
Vadim Bendebury <vbendeb@chromium.org> |
Change NVMEM size to match cr50 implementation
am: 1a68fe6fa8
Change-Id: I57cb0a4c004a3ae3ca4a850d958f358c5cfdfe45
|
| 1a68fe6fa860f563e8b45e3826110ceec75d61a8 |
|
26-Jan-2017 |
Vadim Bendebury <vbendeb@chromium.org> |
Change NVMEM size to match cr50 implementation
The TPM2 library and cr50 board have separate definitions of the NVMEM
size, which need to be changed manually and are enforced by a compile
time check in the cr50 code.
CQ-DEPEND=CL:433184
BRANCH=none
BUG=chrome-os-partner:62260
TEST=see dependent CL for test description
Change-Id: I0586a35b77b2f52538023442f537c7a48b3357e7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/433839
Reviewed-by: Andrey Pronin <apronin@chromium.org>
/external/tpm2/Implementation.h
|
| 6ece5a16ed875a5d8d5cb500844d43cae3c1413f |
|
05-Jan-2017 |
Vadim Bendebury <vbendeb@chromium.org> |
serialize objects in NVMEM
am: 21756127fd
Change-Id: I3ec3888ba566dc15bd81084da00fe9e581e9296c
|
| 21756127fdebc0b0825aba875c7d0cc75057d3d8 |
|
29-Dec-2016 |
Vadim Bendebury <vbendeb@chromium.org> |
serialize objects in NVMEM
Reference implementation stores OBJECT structures in NVRAM
unmarshaled, even though this structure layout is such that most of
its 1540 bytes remain unused by the object stored in the structure.
Marshaling the structure before storing it in NVMEM allows to save a
lot of room there.
To make sure that marshaling is not processing junk data, clear the
entire structure before allocating a new OBJECT.
This change is meant to be backwards compatible. When data is read
from NVMEM, in case its size is equal the size of OBJECT structure,
data is considered stored unmarshaled and is copied to the output
directly. If the stored size is smaller - unmarshaling function is
invoked.
BUG=chrome-os-partner:60502
TEST=tcg test suite passes (not that it exercises this a lot, just
five instances of storing/retrieving objects for the entire
suite). Will test on real tpm to verify NVMEM storage format
backwards compatibility.
Also tried taking a chrome os device through enterprise
enrollment. With the old code after enrollment there is room for
just two eviction objects left:
# command to retrieve number of objects in nvmem(is in the last
# byte of the response)
localhost ~ # trunks_send --raw 80 01 00 00 00 16 00 00 01 7a 00\
00 00 06 00 00 02 08 00 00 00 01
80010000001B000000000100000006000000010000020800000003
# command to retrieve how many objects the tpm estimates it is
# still possible to store in nvram (is in the last byte of the
# response)
localhost ~ # trunks_send --raw 80 01 00 00 00 16 00 00 01 7a \
00 00 00 06 00 00 02 09 00 00 00 01
80010000001B000000000100000006000000010000020900000002
with the new code after enrollment the responses the above commands
are:
80010000001B000000000100000006000000010000020800000003
80010000001B000000000100000006000000010000020900000004
That is with three objects stored there is room for 4 more
objects.
Also verified that the device enrolled with the old version of the
cr50 firmware remains enrolled after firmware update, which
demonstrates backward compatibility.
Change-Id: Ic2d5f902220b451523b740b57edb7867441d1faa
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/424171
Reviewed-by: Andrey Pronin <apronin@chromium.org>
/external/tpm2/Implementation.h
|
| be42694d9f48772f52a9a03bd5a0a842e160fe1f |
|
21-Dec-2016 |
Andrey Pronin <apronin@chromium.org> |
tpm2: add support for padding-only RSASSA
am: 569c3c58dc
Change-Id: I9c12247c6c6ec66ac1091275db40dc371be9bcab
|
| 569c3c58dc69d5c8628f3c329937c136be38df3f |
|
15-Dec-2016 |
Andrey Pronin <apronin@chromium.org> |
tpm2: add support for padding-only RSASSA
Perform PKCS1-padding-only signing for RSASSA if hashing algorithm is
TPM_ALG_NULL in TPM2_Sign parameters and in the key public area.
This feature is guarded by SUPPORT_PADDING_ONLY_RSASSA macro.
BUG=chrome-os-partner:60967
BRANCH=none
TEST=On a unowned machine with TPM2: corp enroll, login, install
a network certificate (gECC or GMC), then:
a) retrieve the public key from the installed certificate
LIBCHAPS=`ls /usr/lib**/libchaps.so`
CERTID=`pkcs11-tool --module=$LIBCHAPS --slot=1 --type=cert \
-O | grep "ID:" | awk '{print $2}'`
pkcs11-tool --module=$LIBCHAPS --slot=1 --id=$CERTID \
--type=cert -r > /tmp/cert
openssl x509 -inform der -pubkey -noout -in /tmp/cert > /tmp/pub.key
b) sign a sample text using the private key for the certificate and
MD5-RSA-PKCS mechanism, not supported by TPM2_Sign command:
echo "ABCDEF" > /tmp/1.txt
pkcs11-tool --module=$LIBCHAPS --slot=1 --id=$CERTID --sign \
-i /tmp/1.txt -o /tmp/1.sig -m MD5-RSA-PKCS
c) verify signature:
openssl dgst -md5 -verify /tmp/pub.key -signature /tmp/1.sig /tmp/1.txt
Step (b) should succeed and step (c) should return "Verified OK".
Change-Id: Iefc85d163089d6f7e09b3e7a41e1df33ba88fa3b
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/420811
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
/external/tpm2/Implementation.h
|
| 3f545ad4e8c506b5545738bda5ab99d096d47fc0 |
|
05-Dec-2016 |
Andrey Pronin <apronin@chromium.org> |
tpm2: enable all SHA-xxx hashing algorithms
am: f037a5c57c
Change-Id: Ib1700fc14aaa486b3740877aa0598496e6ed01ed
|
| f037a5c57c02fce358df0a78ad30632bb6fea355 |
|
29-Nov-2016 |
Andrey Pronin <apronin@chromium.org> |
tpm2: enable all SHA-xxx hashing algorithms
In practice, RSASSA/SHA-512 is used for signing with tpm-backed keys,
so we need to enable this algorithm. SHA-384 is also enabled, as it
doesn't affect the size of objects, and support for it is also added
in the code.
Note that for cr50 this change combined with CL:415218 is sufficient
to support SHA-384/512 digests in RSA Sign operations. However, more
changes are required to actually support the new hashing algorithm,
and will come in a separate CL.
Bumped NV_FORMAT_VERSION to 2 since this change increases OBJECT size
(that has 5 digest structures inside, so +32 (32->64) to max digest
means +160 bytes to OBJECT).
Note that it leads to decreasing the number of persistent objects that
can be stored in NVRAM.
BUG=chrome-os-partner:59754
TEST=1) On TPM2 simulator for a pre-generated key pair (/tmp/priv.key +
/tmp/pub.key) and input /tmp/1.txt, import the private key, sign
the text using it and SHA512-RSA-PKCS, and verify that the
signature is correct:
openssl pkcs8 -inform pem -outform der -in /tmp/priv.key \
-out /tmp/priv.der -nocrypt
p11_replay --import --path=/tmp/priv.der --type=privkey \
-id=bbbbbb
pkcs11-tool --module=`ls /usr/lib**/libchaps.so` --slot=0 \
--id=bbbbbb --sign -i /tmp/1.txt -o /tmp/1.sig \
-m SHA512-RSA-PKCS
openssl dgst -sha512 -verify /tmp/pub.key \
-signature /tmp/1.sig /tmp/1.txt
The last operation should say "Verified OK".
2) Repeat the same for SHA384-RSA-PKCS and openssl dgst -sha384.
3) Boot on TPM2 board after clearing tpm owner, corp enroll,
login.
Change-Id: I03e24bd0659aa8b1d76dd16640ea44b6eb46bf56
Reviewed-on: https://chromium-review.googlesource.com/415108
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
/external/tpm2/Implementation.h
|
| 06c8e853bbab19061d7363f74cc9c4115fd86e17 |
|
03-Dec-2016 |
Vadim Bendebury <vbendeb@chromium.org> |
Introduce NVRAM storage format versioning
am: 889c3dda30
Change-Id: I9603767efa64fe7148d7580904d2092a1fcaaf23
|
| 889c3dda306f4af76cb3699a28d1dc57a21019e2 |
|
03-Dec-2016 |
Vadim Bendebury <vbendeb@chromium.org> |
Introduce NVRAM storage format versioning
We want to be able to detect situations when NVRAM storage format
changes for whatever reason. At the very least the NVRAM needs to be
reinitialized, ideally its contents should be migrated from old to new
storage format.
This patch implements the reinitialization part.
BUG=chrome-os-partner:60537
TEST=added some code to print out a message when NvInit() is invoked
in NvCheckAndMigrateIfNeeded(). Verified that it is invoked on
the first restart after upgrade to this new version.
Change-Id: Ia713a6fe7814bbe44ed5ce28ebcc0435a99b7716
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/416294
Reviewed-by: Andrey Pronin <apronin@chromium.org>
/external/tpm2/Implementation.h
|
| 81e70877e2e3387beac631dd7acaeed4a7c13022 |
|
29-Nov-2016 |
Andrey Pronin <apronin@chromium.org> |
tpm2: fix algorithm IDs for hashing algorithms
Uncomment the AlgorithmIdentifier values for hashing algorithms.
Without that, all zeroes were used for DER encoding the hash value
when signing using RSASSA.
BUG=chrome-os-partner:59754
BUG=chrome-os-partner:60382
TEST=On TPM2 for a pre-generated key pair (/tmp/priv.key + /tmp/pub.key)
and input /tmp/1.txt, import the private key, sign the text using
it and SHA256-RSA-PKCS, and verify that the signature is correct:
openssl pkcs8 -inform pem -outform der -in /tmp/priv.key \
-out /tmp/priv.der -nocrypt
p11_replay --import --path=/tmp/priv.der --type=privkey \
-id=bbbbbb
pkcs11-tool --module=`ls /usr/lib**/libchaps.so` --slot=0 \
--id=bbbbbb --sign -i /tmp/1.txt -o /tmp/1.sig \
-m SHA256-RSA-PKCS
openssl dgst -sha256 -verify /tmp/pub.key \
-signature /tmp/1.sig /tmp/1.txt
The last operation should say "Verified OK".
Change-Id: I8c29ec320d8c5832267c6295d00440846d27ff87
Reviewed-on: https://chromium-review.googlesource.com/415024
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
/external/tpm2/Implementation.h
|
| a00669d82f95007198d547e8fffbdac49e84b673 |
|
03-Sep-2016 |
Scott <scollyer@chromium.org> |
nvram: Increased NV_MEMORY_SIZE
am: d755c6916e
Change-Id: Ie2e45818d6efca2b4a45caee2bad7267481fef99
|
| d755c6916ec137ec0e3a411c1beba71b44c37678 |
|
31-Aug-2016 |
Scott <scollyer@chromium.org> |
nvram: Increased NV_MEMORY_SIZE
TPM2 is needing more NV memory in certain situations. The previous
limit reflected constraints in Cr50 memory layout. Now that Cr50
layout has changed, the size can be increased.
BRANCH=none
CQ-DEPEND=CL:379095
BUG=chrome-os-partner:56798
TEST=manual
Ran 'make -j BOARD=cr50' which verifies that NV_MEMORY_SIZE matches
the amount allocated in the Cr50 NvMem user buffer definition.
Change-Id: I162cf9ce02d36e24cccdafb42a1f801681ef4ffa
Signed-off-by: Scott <scollyer@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/379076
Commit-Ready: Bill Richardson <wfrichar@chromium.org>
Tested-by: Bill Richardson <wfrichar@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
/external/tpm2/Implementation.h
|
| 249adf40237a436028c36b7b5f0f13cca84a7fe5 |
|
08-Aug-2016 |
Vadim Bendebury <vbendeb@chromium.org> |
nvram: match size defined in CR50 code
am: 2cd8968b8d
Change-Id: Ib93229b642a5885d333433d20c28ff75177ec7a9
|
| 2cd8968b8d89f401e0d87d3a033b7a6fa6a51c6f |
|
08-Aug-2016 |
Vadim Bendebury <vbendeb@chromium.org> |
nvram: match size defined in CR50 code
The nvram size must match across the repositories.
CQ-COMMIT=CL:366796
BUG=chrome-os-partner:55898
TEST=tpm does not lock up any more when 'tpm_client --own' is ran on the
Kevin-tpm2 command line
Change-Id: I6170072431f01ab5fecf8701526cae8933117856
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/367010
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
/external/tpm2/Implementation.h
|
| f84687b63b2e0e6a21cef08b2b8cbeddc9bcca6e |
|
08-Mar-2016 |
nagendra modadugu <ngm@google.com> |
Disable algorithms ECDAA, ECSCHNORR, and SM2 (take 2).
am: 16e65be1bd
* commit '16e65be1bdf7ee570373449d8cff729c55fc8776':
Disable algorithms ECDAA, ECSCHNORR, and SM2 (take 2).
|
| 16e65be1bdf7ee570373449d8cff729c55fc8776 |
|
08-Mar-2016 |
nagendra modadugu <ngm@google.com> |
Disable algorithms ECDAA, ECSCHNORR, and SM2 (take 2).
Disable optional algorithms that are currently
unimplemented in EMBEDDED_MODE. This will allow
the TPM2 suite to run the appropriate sub-set of tests.
A previous attempt (7709a63d45f6f7822) at this change
broke the android build, which does not allow undefined
symbols in libraries.
TEST=compilation succeeds
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
Change-Id: Ibc69b8ad36b2e00baa5a440a388345b65ba960a3
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/331670
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
/external/tpm2/Implementation.h
|
| f7d1b3cce5f02fb90c35a5fbd8fa4ca53898c442 |
|
08-Mar-2016 |
nagendra modadugu <ngm@google.com> |
Revert "Disable algorithms ECDAA, ECSCHNORR, and SM2."
am: afa437246f
* commit 'afa437246f4e5ec2c15f1ff5259a5a0c6e856a9d':
Revert "Disable algorithms ECDAA, ECSCHNORR, and SM2."
|
| afa437246f4e5ec2c15f1ff5259a5a0c6e856a9d |
|
08-Mar-2016 |
nagendra modadugu <ngm@google.com> |
Revert "Disable algorithms ECDAA, ECSCHNORR, and SM2."
This reverts commit 7709a63d45f6f782230326c16be7bfa149e9e497,
as it breaks the android build (due to _cpri__EccCommitCompute
remaining undefined, which the android build is stricter about).
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
TEST=compilation succeeds
Change-Id: I80c5b238b81e68e5673ac8ea72bf112143d328ba
Reviewed-on: https://chromium-review.googlesource.com/331325
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Nagendra Modadugu <ngm@google.com>
/external/tpm2/Implementation.h
|
| ba25035116ccd9364391bfdde38e20a6ea28b9ef |
|
08-Mar-2016 |
nagendra modadugu <ngm@google.com> |
Disable algorithms ECDAA, ECSCHNORR, and SM2.
am: 7709a63d45
* commit '7709a63d45f6f782230326c16be7bfa149e9e497':
Disable algorithms ECDAA, ECSCHNORR, and SM2.
|
| 7709a63d45f6f782230326c16be7bfa149e9e497 |
|
05-Mar-2016 |
nagendra modadugu <ngm@google.com> |
Disable algorithms ECDAA, ECSCHNORR, and SM2.
Disable optional algorithms that are currently
unimplemented. This will allow the TPM2 suite
to run the appropriate sub-set of tests.
TEST=compilation succeeds
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
Change-Id: I3165eba4eaeaeec0c9e9242b6cee33d3b0bca452
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/330872
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
/external/tpm2/Implementation.h
|
| c426047e74d8e742d414d8e12413760ab01c3b8f |
|
15-Dec-2015 |
Darren Krahn <dkrahn@google.com> |
Define DER prefix values for hashes.
BUG=26192013
Change-Id: I540da17fa2524c0b1e393fa8f8149638eca42b82
/external/tpm2/Implementation.h
|
| e00c54dc27d21aa736c2626d2574eef7790c161c |
|
01-Dec-2015 |
Vadim Bendebury <vbendeb@chromium.org> |
Disable SHA384 support for embedded targets.
Using this algorithm is not necessary, disabling it allows to save
stack size requirements.
BUG=chrome-os-partner:43025
TEST=SHA1 and SHA256 tests pass on CR50
Change-Id: Iec3ee429ac96e4915257ff348404c6f423d1cb02
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/314884
Reviewed-by: Nagendra Modadugu <ngm@google.com>
/external/tpm2/Implementation.h
|
| 0232bace9083911ff90c04b7d1ca39baedf61f81 |
|
18-Sep-2015 |
Vadim Bendebury <vbendeb@chromium.org> |
generator: re-generate source files
This patch is the result of running the code generation scripts from
the previous patch.
The main deviation from the code which existed earlier is the fact
that the TPM types are now generated (before they were manually copied
from an open source implementation).
TPM_Types.h had to be edited manually to exclude all copied stuff and
include the generated file (tmp_types.h).
The changes are minimal - out of the 223 generated files only a
handful differs, ans most of the changes are due to the actual
structure layout and set of supported algorithms changes.
BUG=chromium:501639
TEST=the only change is building the library standalone and as a part
of the cr50 image, both succeed.
Change-Id: I4ef87a08c2457524d7e22d53a58964056414174c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/300663
/external/tpm2/Implementation.h
|
| 7878aefcd59699a343a5699b68a40187e8f878f2 |
|
12-Aug-2015 |
Vadim Bendebury <vbendeb@chromium.org> |
Introduce embedded mode conditional compilation
When running on embedded targets software cryptography is often not
available due to inadequate toolchain capabilities and limited
hardware resources.
Invoking make with EMBEDDED_MODE=1 ROOTDIR=1 will stub out
cryptographic functions and will provide another -I preprocessor
option to allow to pull in alternative .h files not available from the
toolchain.
NV Ram buffer size provisionally is being reduced to 8K. In final
embedded implementation NVRam might be held in flash, in which case
the required memory buffer could limited to one flash block size.
Some big data objects not used in the code are also being compiled out
when building for embedded mode of operation.
BUG=chrome-os-partner:43025
TEST=with the rest of the changes in place the code compiles with the
EC, and TPM startup sequence gets invoked.
Change-Id: I71487570d2032c66b30c0bdf0b152dec6d0ece8a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/292945
Reviewed-by: Utkarsh Sanghi <usanghi@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@gmail.com>
/external/tpm2/Implementation.h
|
| 34f0a9a6c02270afe1d280bbc65d76cc89e9b873 |
|
29-May-2015 |
Vadim Bendebury <vbendeb@chromium.org> |
Changes to allow compilation of CpriHash.c
CpriHashData.c is not supposed to be a separate compilation unit, is
being removed from Makefile.
BUG=none
TEST=compilation succeeds:
cc -Wall -Werror -c -o /dev/null CpriHash.c
Change-Id: Idd2a987097ac7c90e93552af14c85b0d23ac4ca6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/274100
Reviewed-by: Utkarsh Sanghi <usanghi@chromium.org>
/external/tpm2/Implementation.h
|
| 5679752bf24c21135884e987c4077e2f71848971 |
|
20-May-2015 |
Vadim Bendebury <vbendeb@chromium.org> |
Initial commit to seed TPM2.0 source code directory
LICENSE file text copied from TCG library specification. README
describes the procedure used to extract source code from parts 3 and 4
of the specification.
The python scripts and part{34}.txt files will be removed in the
following commits.
Change-Id: Ie281e6e988481831f33483053455e8aff8f3f75f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
/external/tpm2/Implementation.h
|