Merge remote-tracking branch 'goog/upstream-master' into D2-TM-007

* goog/upstream-master: nugget: Add new command to verify GSA and GSC secure channel Bug: 210925512 Change-Id: I535fe3e8b678d63c119b88d540380837d87264a7
author: Joseph Jang <josephjang@google.com> 2022-02-07 12:58:32 +0800
committer: Tommy Chiu <tommychiu@google.com> 2022-04-25 21:43:36 +0800
commit: d36a738233db06ba165243048fbea39f96abd81d (patch)
tree: d8e2465533f6e2a174bd42675987fbd88a1f7ac1
parent: 3f85afdb72d03494762e21a9169a4a3496cb224e (diff)
download: generic-d36a738233db06ba165243048fbea39f96abd81d.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h
index fbf5ddd..f713299 100644
--- a/nugget/include/app_nugget.h
+++ b/nugget/include/app_nugget.h
@@ -467,6 +467,84 @@ struct gsa_gsc_psk_persist_storage {
  * @param reply_len    64 + 32
  */
 
+/**
+ * enum gsa_gsc_psk_state - GSA-GSC PSK state
+ * @GSA_GSC_PSK_STATE_UNKNOWN: Unknown state (initial state)
+ * @GSA_GSC_PSK_STATE_KEY_VERIFY_SUCCESS: GSA and GSC PSK match
+ * @GSA_GSC_PSK_STATE_KEY_MISMATCH: GSA and GSC PSK mismatch
+ * @GSA_GSC_PSK_STATE_GSA_INTERNAL_ERROR: GSA has internal error
+ * @GSA_GSC_PSK_STATE_GSA_HAS_NO_KEY: GSA has no PSK
+ * @GSA_GSC_PSK_STATE_GSA_CRYPTO_PRNG_FAIL: GSA crypto prng function fail
+ * @GSA_GSC_PSK_STATE_GSA_CRYPTO_HKDF_FAIL: GSA crypto HKDF function fail
+ * @GSA_GSC_PSK_STATE_GSA_CRYPTO_HMAC_FAIL: GSA crypto HMAC function fail
+ * @GSA_GSC_PSK_STATE_GSA_CRYPTO_DONE: GSA crypto operations complete
+ * @GSA_GSC_PSK_STATE_GSC_HAS_NO_KEY: GSC has no PSK
+ * @GSA_GSC_PSK_STATE_GSC_NOT_IN_BOOTLOADER: GSC is not in bootloader
+ * @GSA_GSC_PSK_STATE_GSC_INVALID_PARAMETER: GSC received invalid request data
+ * @GSA_GSC_PSK_STATE_GSC_INTERNAL_ERROR: GSC has internal error
+ * @GSA_GSC_PSK_STATE_GSC_CRYPTO_HKDF_FAIL: GSC crypto HKDF function fail
+ * @GSA_GSC_PSK_STATE_GSC_CRYPTO_HMAC_FAIL: GSC crypto HMAC function fail
+ * @GSA_GSC_PSK_STATE_GSC_EXCEED_MAX_RETRY_COUNT: exceed max psk verification retry count (100)
+ * @GSA_GSA_PSK_STATE_GSC_NOS_CALL_FAIL: GSC nos call fail
+ */
+enum gsa_gsc_psk_state {
+  GSA_GSC_PSK_STATE_UNKNOWN,
+  GSA_GSC_PSK_STATE_KEY_VERIFY_SUCCESS,
+  GSA_GSC_PSK_STATE_KEY_MISMATCH,
+  GSA_GSC_PSK_STATE_GSA_INTERNAL_ERROR,
+  GSA_GSC_PSK_STATE_GSA_HAS_NO_KEY,
+  GSA_GSC_PSK_STATE_GSA_CRYPTO_PRNG_FAIL,
+  GSA_GSC_PSK_STATE_GSA_CRYPTO_HKDF_FAIL,
+  GSA_GSC_PSK_STATE_GSA_CRYPTO_HMAC_FAIL,
+  GSA_GSC_PSK_STATE_GSA_CRYPTO_DONE,
+  GSA_GSC_PSK_STATE_GSC_HAS_NO_KEY,
+  GSA_GSC_PSK_STATE_GSC_NOT_IN_BOOTLOADER,
+  GSA_GSC_PSK_STATE_GSC_INVALID_PARAMETER,
+  GSA_GSC_PSK_STATE_GSC_INTERNAL_ERROR,
+  GSA_GSC_PSK_STATE_GSC_CRYPTO_HKDF_FAIL,
+  GSA_GSC_PSK_STATE_GSC_CRYPTO_HMAC_FAIL,
+  GSA_GSC_PSK_STATE_GSC_EXCEED_MAX_RETRY_COUNT,
+  GSA_GSA_PSK_STATE_GSC_NOS_CALL_FAIL,
+};
+
+#define VERIFY_PSK_REQ_HEADER_SIZE 17
+#define VERIFY_PSK_REQ_VERSION 0
+#define VERIFY_PSK_NONCE_SIZE 32
+#define VERIFY_PSK_HMAC_SIZE 32
+/**
+ * struct verify_psk_request - verify gsa-gsc pre-shared key request
+ * @version: struct verify_psk_request version
+ * @header:  header of verify_psk_request
+ * @nonce: 12 bytes random number
+ * @gsa_psk_state: GSA pre-shared key state
+ * @hmac: hmac = HMAC-SHA256(key = derived-psk, data = version || header ||
+ * nonce || gsa_psk_state)
+ */
+struct verify_psk_request {
+    char header[VERIFY_PSK_REQ_HEADER_SIZE];
+    uint8_t version;
+    uint8_t nonce[VERIFY_PSK_NONCE_SIZE];
+    uint8_t gsa_psk_state;
+    uint8_t hmac[VERIFY_PSK_HMAC_SIZE];
+};
+
+#define VERIFY_SECURE_CHANNEL_RETRY_COUNT_VERSION 0
+struct secure_channel_retry_count_persist_storage {
+	uint8_t version;
+	uint8_t verify_psk_retry_count;
+	uint8_t reserved[2];
+};
+
+#define NUGGET_PARAM_VERIFY_GSA_GSC_PSK 0x0018
+/*
+ * Verify GSA GSC pre-shared key command
+ *
+ * @param args         struct verify_psk_request
+ * @param arg_len      63 bytes
+ * @param reply        psk verification result
+ * @param reply_len    1 bytes
+ */
+
 /****************************************************************************/
 /* Test related commands */
 
diff --git a/nugget/include/citadel_events.h b/nugget/include/citadel_events.h
index 3e3a33e..24babee 100644
--- a/nugget/include/citadel_events.h
+++ b/nugget/include/citadel_events.h
@@ -64,6 +64,7 @@ enum event_id {
   EVENT_REBOOTED = 2,  // Device rebooted.
   EVENT_UPGRADED = 3,  // Device has upgraded.
   EVENT_ALERT_V2 = 4,  // Globalsec Alertv2 fired
+  EVENT_SEC_CH_STATE = 5,  // Update GSA-GSC secure channel state.
 };
 
 /*
@@ -103,6 +104,9 @@ struct event_record {
       uint16_t temp_max;
       uint32_t bus_err;
     } alert_v2;
+    struct {
+      uint32_t state;
+    } sec_ch_state;
 
     /* uninterpreted */
     union {
author	Joseph Jang <josephjang@google.com>	2022-02-07 12:58:32 +0800
committer	Tommy Chiu <tommychiu@google.com>	2022-04-25 21:43:36 +0800
commit	d36a738233db06ba165243048fbea39f96abd81d (patch)
tree	d8e2465533f6e2a174bd42675987fbd88a1f7ac1
parent	3f85afdb72d03494762e21a9169a4a3496cb224e (diff)
download	generic-d36a738233db06ba165243048fbea39f96abd81d.tar.gz