tpm2: enable all SHA-xxx hashing algorithms
In practice, RSASSA/SHA-512 is used for signing with tpm-backed keys,
so we need to enable this algorithm. SHA-384 is also enabled, as it
doesn't affect the size of objects, and support for it is also added
in the code.
Note that for cr50 this change combined with CL:415218 is sufficient
to support SHA-384/512 digests in RSA Sign operations. However, more
changes are required to actually support the new hashing algorithm,
and will come in a separate CL.
Bumped NV_FORMAT_VERSION to 2 since this change increases OBJECT size
(that has 5 digest structures inside, so +32 (32->64) to max digest
means +160 bytes to OBJECT).
Note that it leads to decreasing the number of persistent objects that
can be stored in NVRAM.
BUG=chrome-os-partner:59754
TEST=1) On TPM2 simulator for a pre-generated key pair (/tmp/priv.key +
/tmp/pub.key) and input /tmp/1.txt, import the private key, sign
the text using it and SHA512-RSA-PKCS, and verify that the
signature is correct:
openssl pkcs8 -inform pem -outform der -in /tmp/priv.key \
-out /tmp/priv.der -nocrypt
p11_replay --import --path=/tmp/priv.der --type=privkey \
-id=bbbbbb
pkcs11-tool --module=`ls /usr/lib**/libchaps.so` --slot=0 \
--id=bbbbbb --sign -i /tmp/1.txt -o /tmp/1.sig \
-m SHA512-RSA-PKCS
openssl dgst -sha512 -verify /tmp/pub.key \
-signature /tmp/1.sig /tmp/1.txt
The last operation should say "Verified OK".
2) Repeat the same for SHA384-RSA-PKCS and openssl dgst -sha384.
3) Boot on TPM2 board after clearing tpm owner, corp enroll,
login.
Change-Id: I03e24bd0659aa8b1d76dd16640ea44b6eb46bf56
Reviewed-on: https://chromium-review.googlesource.com/415108
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
1 file changed
