author Andrey Pronin <apronin@chromium.org> 2016-11-29 12:39:30 -0800
committer chrome-bot <chrome-bot@chromium.org> 2016-12-05 14:49:51 -0800
commit f037a5c57c02fce358df0a78ad30632bb6fea355 (patch)
tree 1e07d7257506c646a2ec3879a950bcc260abd7f3
parent 889c3dda306f4af76cb3699a28d1dc57a21019e2 (diff)
tpm2: enable all SHA-xxx hashing algorithms
In practice, RSASSA/SHA-512 is used for signing with tpm-backed keys, so we need to enable this algorithm. SHA-384 is also enabled, as it doesn't affect the size of objects, and support for it is also added in the code.

Note that for cr50 this change combined with CL:415218 is sufficient to support SHA-384/512 digests in RSA Sign operations. However, more changes are required to actually support the new hashing algorithm, and will come in a separate CL.

Bumped NV_FORMAT_VERSION to 2 since this change increases OBJECT size (that has 5 digest structures inside, so +32 (32->64) to max digest means +160 bytes to OBJECT). Note that it leads to decreasing the number of persistent objects that can be stored in NVRAM.

BUG=chrome-os-partner:59754
TEST=1) On TPM2 simulator for a pre-generated key pair
        (/tmp/priv.key + /tmp/pub.key) and input /tmp/1.txt,
        import the private key, sign the text using it and
        SHA512-RSA-PKCS, and verify that the signature is correct:
          openssl pkcs8 -inform pem -outform der -in /tmp/priv.key \
                        -out /tmp/priv.der -nocrypt
          p11_replay --import --path=/tmp/priv.der --type=privkey \
                     -id=bbbbbb
          pkcs11-tool --module=`ls /usr/lib**/libchaps.so` --slot=0 \
                      --id=bbbbbb --sign -i /tmp/1.txt -o /tmp/1.sig \
                      -m SHA512-RSA-PKCS
          openssl dgst -sha512 -verify /tmp/pub.key \
                       -signature /tmp/1.sig /tmp/1.txt
        The last operation should say "Verified OK".
     2) Repeat the same for SHA384-RSA-PKCS and openssl dgst -sha384.
     3) Boot on TPM2 board after clearing tpm owner, corp enroll, login.

Change-Id: I03e24bd0659aa8b1d76dd16640ea44b6eb46bf56
Reviewed-on: https://chromium-review.googlesource.com/415108
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r-- Implementation.h 11
1 files changed, 5 insertions, 6 deletions
diff --git a/Implementation.h b/Implementation.h
index ad36191..f67d513 100644
--- a/Implementation.h
+++ b/Implementation.h
@@ -45,12 +45,8 @@
#define ALG_XOR ALG_YES
#define ALG_KEYEDHASH ALG_YES
#define ALG_SHA256 ALG_YES
-#ifdef EMBEDDED_MODE
-#define ALG_SHA384 ALG_NO
-#else
#define ALG_SHA384 ALG_YES
-#endif
-#define ALG_SHA512 ALG_NO
+#define ALG_SHA512 ALG_YES
#define ALG_SM3_256 ALG_NO
#define ALG_SM4 ALG_NO
#define ALG_RSASSA (ALG_YES*ALG_RSA)
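Review bot: With the EMBEDDED_MODE guard around ALG_SHA384 removed and ALG_SHA512 switched to ALG_YES, embedded builds now compile both algorithms in unconditionally, yet the commit message says further changes are still required to actually support the new hashing algorithm and will land in a separate CL. Please confirm what an embedded build does between this CL and that follow-up if a caller requests a SHA-384 or SHA-512 hash operation outside the RSA Sign path, and consider either landing the two together or stating the interim behaviour in the commit message. A short comment next to ALG_SHA512 noting that it raises the maximum digest size, and therefore the OBJECT size and the NV layout tied to NV_FORMAT_VERSION, would also help the next person who toggles one of these defines.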
@@ -265,7 +261,10 @@
// This must be matched by the package using this library!
#define NV_MEMORY_SIZE 16076
// Versioning NV storage format will allow to smoothly migrate NVRAM contents.
-#define NV_FORMAT_VERSION 1
+// Versions:
+// 1 - full non-serialized objects in NVRAM, max SHA digest is SHA-256
+// 2 - full non-serialized objects in NVRAM, max SHA digest is SHA-512
+#define NV_FORMAT_VERSION 2
#else
#define NV_MEMORY_SIZE 16384
#endif
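Review bot: The bump of NV_FORMAT_VERSION to 2 documents what differs between the layouts, but nothing in this hunk shows what happens when a device that already holds version 1 contents boots with this build. The context comment promises that versioning "will allow to smoothly migrate NVRAM contents", so please point to the code that reads the stored version and handles the 1 to 2 transition, or say explicitly that a mismatch results in the NVRAM being cleared. NV_MEMORY_SIZE stays at 16076 in this branch while each OBJECT grows by 160 bytes per the commit message, so the case where previously stored persistent objects no longer fit after migration also needs a defined outcome. It would be worth adding the per-version OBJECT size delta, or the resulting maximum number of persistent objects, to the version comment so the capacity cost is visible where the constant is defined.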