cr50: use run time generated public RMA key definition

Use RMA public key definition generated based on the binary blob
containing the key and key ID.

Key generation is controlled by the make file in common/, but actual
key blob comes from the board directory.

The structure holding the key and key ID is being modified to allow
initialization using a flat array.

No more need in defining CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY and
CONFIG_RMA_AUTH_SERVER_KEY_ID.

 Conflicts:
	common/build.mk

BRANCH=cr50, cr50-mp
BUG=b:73296144, b:74100307
TEST='make buildall' still succeeds.
     test RMA server generated authentication codes are accepted when
     unlocking RMA.

Change-Id: I8ade94de6eb69b3e49bc5b948dbac20e59962acf
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/990783
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
(cherry picked from commit f2eac533dc)
Reviewed-on: https://chromium-review.googlesource.com/1015612

board/cr50/board.h

@@ -352,15 +352,6 @@ enum nvmem_users {
 #define CONFIG_RMA_AUTH
 #define CONFIG_RNG
 
-/* Should be eventually injected into the image at build time. */
-#define CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY {			\
-		0xe3, 0xe5, 0x66, 0xf3, 0x12, 0x25, 0x74, 0xba,	\
-		0xb3, 0x8f, 0x9f, 0x41, 0x80, 0x3b, 0x58, 0x9a, \
-		0xb0, 0xdc, 0x71, 0x64, 0x1b, 0x6d, 0x22, 0x82, \
-		0x9f, 0x22, 0x31, 0xb3, 0x56, 0x94, 0x8e, 0x13}
-
-#define CONFIG_RMA_AUTH_SERVER_KEY_ID	  0
-
 #define CONFIG_ENABLE_H1_ALERTS
 
 #endif /* __CROS_EC_BOARD_H */

common/build.mk

@@ -144,3 +144,12 @@ ifneq ($(CONFIG_RSA_OPTIMIZED),)
 $(out)/RW/common/rsa.o: CFLAGS+=-O3
 $(out)/RO/common/rsa.o: CFLAGS+=-O3
 endif
+
+ifeq ($(TEST_BUILD),)
+
+$(out)/RW/common/rma_auth.o: $(out)/rma_key_from_blob.h
+
+$(out)/rma_key_from_blob.h: board/$(BOARD)/rma_key_blob.test util/bin2h.sh
+	$(Q)util/bin2h.sh RMA_KEY_BLOB $< $@
+
+endif

common/rma_auth.c

@@ -22,6 +22,10 @@
 #include "tpm_vendor_cmds.h"
 #include "util.h"
 
+#ifndef TEST_BUILD
+#include "rma_key_from_blob.h"
+#endif
+
 #ifdef CONFIG_DCRYPTO
 #include "dcrypto.h"
 #else
@@ -38,11 +42,15 @@
 
 /* Server public key and key ID */
 static const struct  {
-	uint8_t server_pub_key[32];
-	uint8_t server_key_id;
+	union {
+		uint8_t raw_blob[33];
+		struct {
+			uint8_t server_pub_key[32];
+			uint8_t server_key_id;
+		};
+	};
 } __packed rma_key_blob = {
-	CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY,
-	CONFIG_RMA_AUTH_SERVER_KEY_ID
+	.raw_blob = RMA_KEY_BLOB
 };
 
 BUILD_ASSERT(sizeof(rma_key_blob) == 33);

include/config.h

@@ -1973,9 +1973,6 @@
 
 /* Support RMA auth challenge-response */
 #undef CONFIG_RMA_AUTH
-/* If that's defined, the server public key and ID must also be defined */
-#undef CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY  /* 32 bytes: {0xNN, 0xNN, ... 0xNN} */
-#undef CONFIG_RMA_AUTH_SERVER_KEY_ID      /* 6-bit key ID, 0xMM */
 
 /* Enable hardware Random Number generator support */
 #undef CONFIG_RNG

test/test_config.h

@@ -61,11 +61,14 @@
 #ifdef TEST_RMA_AUTH
 
 /* Test server public and private keys */
-#define RMA_TEST_SERVER_PUBLIC_KEY {				\
+#define RMA_KEY_BLOB	{					\
 		0x03, 0xae, 0x2d, 0x2c, 0x06, 0x23, 0xe0, 0x73, \
 		0x0d, 0xd3, 0xb7, 0x92, 0xac, 0x54, 0xc5, 0xfd,	\
 		0x7e, 0x9c, 0xf0, 0xa8, 0xeb, 0x7e, 0x2a, 0xb5,	\
-		0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f}
+		0xdb, 0xf4, 0x79, 0x5f, 0x8a, 0x0f, 0x28, 0x3f, \
+		0x10						\
+	}
+
 #define RMA_TEST_SERVER_PRIVATE_KEY {				\
 		0x47, 0x3b, 0xa5, 0xdb, 0xc4, 0xbb, 0xd6, 0x77, \
 		0x20, 0xbd, 0xd8, 0xbd, 0xc8, 0x7a, 0xbb, 0x07,	\
@@ -76,8 +79,6 @@
 #define CONFIG_BASE32
 #define CONFIG_CURVE25519
 #define CONFIG_RMA_AUTH
-#define CONFIG_RMA_AUTH_SERVER_PUBLIC_KEY RMA_TEST_SERVER_PUBLIC_KEY
-#define CONFIG_RMA_AUTH_SERVER_KEY_ID RMA_TEST_SERVER_KEY_ID
 #define CONFIG_RNG
 #define CONFIG_SHA256
 #define CC_EXTENSION CC_COMMAND