Google Git
Sign in
android / platform / external / tpm2 / f037a5c57c02fce358df0a78ad30632bb6fea355^! / .
commitf037a5c57c02fce358df0a78ad30632bb6fea355[log] [tgz]
authorAndrey Pronin <[email protected]>Tue Nov 29 12:39:30 2016 -0800
committerchrome-bot <[email protected]>Mon Dec 05 14:49:51 2016 -0800
tree1e07d7257506c646a2ec3879a950bcc260abd7f3
parent889c3dda306f4af76cb3699a28d1dc57a21019e2 [diff]
tpm2: enable all SHA-xxx hashing algorithms

In practice, RSASSA/SHA-512 is used for signing with tpm-backed keys,
so we need to enable this algorithm. SHA-384 is also enabled, as it
doesn't affect the size of objects, and support for it is also added
in the code.

Note that for cr50 this change combined with CL:415218 is sufficient
to support SHA-384/512 digests in RSA Sign operations. However, more
changes are required to actually support the new hashing algorithm,
and will come in a separate CL.

Bumped NV_FORMAT_VERSION to 2 since this change increases OBJECT size
(that has 5 digest structures inside, so +32 (32->64) to max digest
means +160 bytes to OBJECT).
Note that it leads to decreasing the number of persistent objects that
can be stored in NVRAM.

BUG=chrome-os-partner:59754
TEST=1) On TPM2 simulator for a pre-generated key pair (/tmp/priv.key +
     /tmp/pub.key) and input /tmp/1.txt, import the private key, sign
     the text using it and SHA512-RSA-PKCS, and verify that the
     signature is correct:
       openssl pkcs8 -inform pem -outform der -in /tmp/priv.key \
                     -out /tmp/priv.der -nocrypt
       p11_replay --import --path=/tmp/priv.der --type=privkey \
                  -id=bbbbbb
       pkcs11-tool --module=`ls /usr/lib**/libchaps.so` --slot=0 \
                   --id=bbbbbb --sign -i /tmp/1.txt -o /tmp/1.sig \
		   -m SHA512-RSA-PKCS
       openssl dgst -sha512 -verify /tmp/pub.key \
                    -signature /tmp/1.sig /tmp/1.txt
     The last operation should say "Verified OK".
     2) Repeat the same for SHA384-RSA-PKCS and openssl dgst -sha384.
     3) Boot on TPM2 board after clearing tpm owner, corp enroll,
        login.

Change-Id: I03e24bd0659aa8b1d76dd16640ea44b6eb46bf56
Reviewed-on: https://chromium-review.googlesource.com/415108
Commit-Ready: Andrey Pronin <[email protected]>
Tested-by: Andrey Pronin <[email protected]>
Reviewed-by: Nagendra Modadugu <[email protected]>
Reviewed-by: Andrey Pronin <[email protected]>

diff --git a/Implementation.h b/Implementation.h
index ad36191..f67d513 100644
--- a/Implementation.h
+++ b/Implementation.h

@@ -45,12 +45,8 @@
 #define    ALG_XOR                     ALG_YES
 #define    ALG_KEYEDHASH               ALG_YES
 #define    ALG_SHA256                  ALG_YES
-#ifdef EMBEDDED_MODE
-#define    ALG_SHA384                  ALG_NO
-#else
 #define    ALG_SHA384                  ALG_YES
-#endif
-#define    ALG_SHA512                  ALG_NO
+#define    ALG_SHA512                  ALG_YES
 #define    ALG_SM3_256                 ALG_NO
 #define    ALG_SM4                     ALG_NO
 #define    ALG_RSASSA                  (ALG_YES*ALG_RSA)
@@ -265,7 +261,10 @@
 // This must be matched by the package using this library!
 #define NV_MEMORY_SIZE                    16076
 // Versioning NV storage format will allow to smoothly migrate NVRAM contents.
-#define NV_FORMAT_VERSION                 1
+// Versions:
+// 1 - full non-serialized objects in NVRAM, max SHA digest is SHA-256
+// 2 - full non-serialized objects in NVRAM, max SHA digest is SHA-512
+#define NV_FORMAT_VERSION                 2
 #else
 #define NV_MEMORY_SIZE                    16384
 #endif