diff options
author | Joseph Jang <josephjang@google.com> | 2022-02-07 12:58:32 +0800 |
---|---|---|
committer | Tommy Chiu <tommychiu@google.com> | 2022-04-25 21:43:36 +0800 |
commit | d36a738233db06ba165243048fbea39f96abd81d (patch) | |
tree | d8e2465533f6e2a174bd42675987fbd88a1f7ac1 | |
parent | 3f85afdb72d03494762e21a9169a4a3496cb224e (diff) | |
download | generic-d36a738233db06ba165243048fbea39f96abd81d.tar.gz |
Merge remote-tracking branch 'goog/upstream-master' into D2-TM-007
* goog/upstream-master:
nugget: Add new command to verify GSA and GSC secure channel
Bug: 210925512
Change-Id: I535fe3e8b678d63c119b88d540380837d87264a7
-rw-r--r-- | nugget/include/app_nugget.h | 78 | ||||
-rw-r--r-- | nugget/include/citadel_events.h | 4 |
2 files changed, 82 insertions, 0 deletions
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h index fbf5ddd..f713299 100644 --- a/nugget/include/app_nugget.h +++ b/nugget/include/app_nugget.h @@ -467,6 +467,84 @@ struct gsa_gsc_psk_persist_storage { * @param reply_len 64 + 32 */ +/** + * enum gsa_gsc_psk_state - GSA-GSC PSK state + * @GSA_GSC_PSK_STATE_UNKNOWN: Unknown state (initial state) + * @GSA_GSC_PSK_STATE_KEY_VERIFY_SUCCESS: GSA and GSC PSK match + * @GSA_GSC_PSK_STATE_KEY_MISMATCH: GSA and GSC PSK mismatch + * @GSA_GSC_PSK_STATE_GSA_INTERNAL_ERROR: GSA has internal error + * @GSA_GSC_PSK_STATE_GSA_HAS_NO_KEY: GSA has no PSK + * @GSA_GSC_PSK_STATE_GSA_CRYPTO_PRNG_FAIL: GSA crypto prng function fail + * @GSA_GSC_PSK_STATE_GSA_CRYPTO_HKDF_FAIL: GSA crypto HKDF function fail + * @GSA_GSC_PSK_STATE_GSA_CRYPTO_HMAC_FAIL: GSA crypto HMAC function fail + * @GSA_GSC_PSK_STATE_GSA_CRYPTO_DONE: GSA crypto operations complete + * @GSA_GSC_PSK_STATE_GSC_HAS_NO_KEY: GSC has no PSK + * @GSA_GSC_PSK_STATE_GSC_NOT_IN_BOOTLOADER: GSC is not in bootloader + * @GSA_GSC_PSK_STATE_GSC_INVALID_PARAMETER: GSC received invalid request data + * @GSA_GSC_PSK_STATE_GSC_INTERNAL_ERROR: GSC has internal error + * @GSA_GSC_PSK_STATE_GSC_CRYPTO_HKDF_FAIL: GSC crypto HKDF function fail + * @GSA_GSC_PSK_STATE_GSC_CRYPTO_HMAC_FAIL: GSC crypto HMAC function fail + * @GSA_GSC_PSK_STATE_GSC_EXCEED_MAX_RETRY_COUNT: exceed max psk verification retry count (100) + * @GSA_GSA_PSK_STATE_GSC_NOS_CALL_FAIL: GSC nos call fail + */ +enum gsa_gsc_psk_state { + GSA_GSC_PSK_STATE_UNKNOWN, + GSA_GSC_PSK_STATE_KEY_VERIFY_SUCCESS, + GSA_GSC_PSK_STATE_KEY_MISMATCH, + GSA_GSC_PSK_STATE_GSA_INTERNAL_ERROR, + GSA_GSC_PSK_STATE_GSA_HAS_NO_KEY, + GSA_GSC_PSK_STATE_GSA_CRYPTO_PRNG_FAIL, + GSA_GSC_PSK_STATE_GSA_CRYPTO_HKDF_FAIL, + GSA_GSC_PSK_STATE_GSA_CRYPTO_HMAC_FAIL, + GSA_GSC_PSK_STATE_GSA_CRYPTO_DONE, + GSA_GSC_PSK_STATE_GSC_HAS_NO_KEY, + GSA_GSC_PSK_STATE_GSC_NOT_IN_BOOTLOADER, + GSA_GSC_PSK_STATE_GSC_INVALID_PARAMETER, + GSA_GSC_PSK_STATE_GSC_INTERNAL_ERROR, + GSA_GSC_PSK_STATE_GSC_CRYPTO_HKDF_FAIL, + GSA_GSC_PSK_STATE_GSC_CRYPTO_HMAC_FAIL, + GSA_GSC_PSK_STATE_GSC_EXCEED_MAX_RETRY_COUNT, + GSA_GSA_PSK_STATE_GSC_NOS_CALL_FAIL, +}; + +#define VERIFY_PSK_REQ_HEADER_SIZE 17 +#define VERIFY_PSK_REQ_VERSION 0 +#define VERIFY_PSK_NONCE_SIZE 32 +#define VERIFY_PSK_HMAC_SIZE 32 +/** + * struct verify_psk_request - verify gsa-gsc pre-shared key request + * @version: struct verify_psk_request version + * @header: header of verify_psk_request + * @nonce: 12 bytes random number + * @gsa_psk_state: GSA pre-shared key state + * @hmac: hmac = HMAC-SHA256(key = derived-psk, data = version || header || + * nonce || gsa_psk_state) + */ +struct verify_psk_request { + char header[VERIFY_PSK_REQ_HEADER_SIZE]; + uint8_t version; + uint8_t nonce[VERIFY_PSK_NONCE_SIZE]; + uint8_t gsa_psk_state; + uint8_t hmac[VERIFY_PSK_HMAC_SIZE]; +}; + +#define VERIFY_SECURE_CHANNEL_RETRY_COUNT_VERSION 0 +struct secure_channel_retry_count_persist_storage { + uint8_t version; + uint8_t verify_psk_retry_count; + uint8_t reserved[2]; +}; + +#define NUGGET_PARAM_VERIFY_GSA_GSC_PSK 0x0018 +/* + * Verify GSA GSC pre-shared key command + * + * @param args struct verify_psk_request + * @param arg_len 63 bytes + * @param reply psk verification result + * @param reply_len 1 bytes + */ + /****************************************************************************/ /* Test related commands */ diff --git a/nugget/include/citadel_events.h b/nugget/include/citadel_events.h index 3e3a33e..24babee 100644 --- a/nugget/include/citadel_events.h +++ b/nugget/include/citadel_events.h @@ -64,6 +64,7 @@ enum event_id { EVENT_REBOOTED = 2, // Device rebooted. EVENT_UPGRADED = 3, // Device has upgraded. EVENT_ALERT_V2 = 4, // Globalsec Alertv2 fired + EVENT_SEC_CH_STATE = 5, // Update GSA-GSC secure channel state. }; /* @@ -103,6 +104,9 @@ struct event_record { uint16_t temp_max; uint32_t bus_err; } alert_v2; + struct { + uint32_t state; + } sec_ch_state; /* uninterpreted */ union { |