The design doc for the feature: https://docs.google.com/document/d/1MGmglGvneHMHuL7jIRiTHspSGNXdIhwMMxvnpXwsmVk/edit?ts=5a83f46b#
This issue includes the implementation for the policy needed.
This has been moved to https://buganizer.corp.google.com/issues/77799573.
marking this as a duplicate since we're tracking the bug internally

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/38343e4e2e6645e70048cc0cf49d4af1059c2f7f

commit 38343e4e2e6645e70048cc0cf49d4af1059c2f7f
Author: Igor <igorcov@chromium.org>
Date: Wed May 16 23:42:40 2018

tpm_manager: Update the usage of PolicyPCR

The PolicyPCR function from PolicySession is refactored to accept a map of PCR index - PCR value on input instead of single index + value. This CL updates the usage of the function to use the map.

BUG= chromium:812165
TEST=unit tests pass.

Change-Id: I12f9f53a5469e2fad4c8c9103b73e8781a0a6752
Reviewed-on: https://chromium-review.googlesource.com/1012839
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/38343e4e2e6645e70048cc0cf49d4af1059c2f7f/tpm_manager/server/tpm2_nvram_test.cc
[modify] https://crrev.com/38343e4e2e6645e70048cc0cf49d4af1059c2f7f/tpm_manager/server/tpm2_nvram_impl.cc

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/334ce1c2d5d1aba0eb2cda27db15608bb9b7458f

commit 334ce1c2d5d1aba0eb2cda27db15608bb9b7458f
Author: Igor <igorcov@chromium.org>
Date: Wed May 16 23:42:41 2018

chaps: Fix the use of PolicyPCR after refactor

The PolicyPCR function from PolicySession is refactored to accept a list of PCR indexes at input. This CL updates the usages of PolicyPCR from chaps package to use vector parameter.

BUG= chromium:812165
TEST=unit tests pass.

Change-Id: I08a463677d57a55eb3ea457d40c31a52a2892c0d
Reviewed-on: https://chromium-review.googlesource.com/1014038
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/334ce1c2d5d1aba0eb2cda27db15608bb9b7458f/chaps/tpm2_utility_impl.cc

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6

commit 7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6
Author: Igor <igorcov@chromium.org>
Date: Wed May 16 23:42:38 2018

cryptohome: Refactor the functions to use multiple PCR indexes at input

For additional security in ARC sessions, a new cryptohome key is required that is bound to both, PCR0 and PCR4. This CL updates the methods that will be used for creating of the new key, enabling them to accept multiple PCR indexes and values at the input. The new key is planned to be created and used in a follow-up set of CLs that will perform the migration of vault keyset by encrypting it with the new key.

Design doc for proposal: https://docs.google.com/document/d/1MGmglGvneHMHuL7jIRiTHspSGNXdIhwMMxvnpXwsmVk/edit?ts=5a83f46b#

BUG= chromium:812165
TEST=Unit tests and cryptohome-tpm-live-test on both tpm1.2 and tpm2.0 devices.
CQ-DEPEND=CL:1014038

Change-Id: I76f6fcbe24c490532314b327a5f166f61101225f
Reviewed-on: https://chromium-review.googlesource.com/964362
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm_live_test.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm_live_test.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/mount_unittest.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm2_impl.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm1.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/mock_tpm.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/bootlockbox/boot_lockbox.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/crypto_unittest.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm2_impl.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm_impl.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm_impl.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/stub_tpm.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm2.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/crypto.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/bootlockbox/boot_lockbox_unittest.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/mock_tpm.h
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/tpm2_test.cc
[modify] https://crrev.com/7c9c5ef18c537939a54fdc00dec1f6ec8a3b23f6/cryptohome/signature_sealing_backend_tpm2_impl.cc

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/47656b7c6c32f5c3ca33a74b2342104205072e3e

commit 47656b7c6c32f5c3ca33a74b2342104205072e3e
Author: Igor <igorcov@chromium.org>
Date: Wed May 16 23:42:40 2018

attestation: Update function usage to use multiple PCRs

The functions CreateRSAKeyPair and GetPolicyDigestForPcrValues from trunks/tpm_utility are updated to support multiple PCR values at input. This CL updates the classes from attestation that use those functions.

BUG= chromium:812165
TEST=Unit tests pass and manual testing

Change-Id: Ic01e8dcac454f29beb6aa16120709a373b55e720
Reviewed-on: https://chromium-review.googlesource.com/978127
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/47656b7c6c32f5c3ca33a74b2342104205072e3e/attestation/common/tpm_utility_v2.cc

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79

commit fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79
Author: Igor <igorcov@chromium.org>
Date: Wed May 16 23:42:39 2018

trunks: Refactor the functions to use multiple PCR indexes at input

For additional security for ARC sessions, a new cryptohome key is required that is bound to both, PCR0 and PCR2. This CL updates the functions involved in creation of a PCR bound key to accept multiple PCR indexes in input.

BUG= chromium:812165
TEST=Unit tests and trunks_client --regression_test

Change-Id: I0a57eeb54affac10725e4cdeba700b3c813554cb
Reviewed-on: https://chromium-review.googlesource.com/978167
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/mock_policy_session.h
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/trunks_factory_for_test.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/policy_session_impl.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/trunks_client_test.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/policy_session_test.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/trunks_client_test.h
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/tpm_utility_impl.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/tpm_utility_test.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/trunks_client.cc
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/tpm_utility_impl.h
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/policy_session.h
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/mock_tpm_utility.h
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/tpm_utility.h
[modify] https://crrev.com/fc91e3d2ac24afafeed45ce3b25c0f1c915a3e79/trunks/policy_session_impl.h

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/220c7800ac4916d72ea7f92537bb43e39478aacd

commit 220c7800ac4916d72ea7f92537bb43e39478aacd
Author: Igor <igorcov@chromium.org>
Date: Wed Nov 07 19:40:44 2018

cryptohome: Implementation for binding LE credentials to PCR

For additional security needed as result of running ARC++ on the device the low entropy (LE) credentials should pass additional validation for some PCR values. The PCR indexes and values to be validated by pinweaver are decided in cryptohome. This CL includes the required PCR criteria when inserting a new LE credential. Also it takes care of migration for old credentials that don't have associated PCR criteria.

The change should work even if the CR50 code is not updated to validate the PCR values. In this case the call to CR50 is converted to be sent in the old format, and the response to CheckCredentials doesn't contain reset_secret.

BUG= chromium:812165
TEST=manual and unit tests
CQ-DEPEND=CL:1165543

Change-Id: Ief724c6c8d46ee1907bca99f361beb5b1dba93b4
Reviewed-on: https://chromium-review.googlesource.com/1124856
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/le_credential_manager_unittest.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/vault_keyset.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/mount.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/le_credential_manager.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/mock_vault_keyset.h
[add] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/mock_le_credential_manager.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/fake_le_credential_metadata.proto
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/tpm_impl.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/vault_keyset_unittest.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/crypto_unittest.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/vault_keyset.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/crypto.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/crypto.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/homedirs_unittest.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/make_tests.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/fake_le_credential_backend.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/pinweaver_le_credential_backend.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/le_credential_manager.cc
[add] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/mock_le_credential_manager.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/make_tests.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/mount_unittest.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/le_credential_backend.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/mount.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/fake_le_credential_backend.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/BUILD.gn
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/tpm.h
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/homedirs.cc
[modify] https://crrev.com/220c7800ac4916d72ea7f92537bb43e39478aacd/cryptohome/pinweaver_le_credential_backend.h

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3

commit 47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3
Author: Igor <igorcov@chromium.org>
Date: Wed Nov 07 19:40:45 2018

trunks: Implementation for binding LE credentials to PCR

For additional security needed as result of running ARC++ on the device the low entropy (LE) credentials should pass additional validation for some PCR values. The PCR indexes and values to be validated by pinweaver are decided in cryptohome. This CL includes the required changes in trunks to perform the migration of pinweaver credentials that don't have associated PCR criteria.

BUG= chromium:812165
TEST=manual, unit tests, pinweaver_client selftest,
test_that -b ${BOARD} ${test_host} firmware_Cr50PinWeaverServer
test_that -b ${BOARD} ${test_host} platform_CryptohomeLECredentialManagerServer
CQ-DEPEND=CL:1112014

Change-Id: I4a626cdbf5f6525e6bf77adcd492a30fa471cdb2
Reviewed-on: https://chromium-review.googlesource.com/1165543
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/trunks_factory_for_test.cc
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/tpm_pinweaver.cc
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/pinweaver_client.cc
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/mock_tpm_utility.cc
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/tpm_pinweaver.h
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/tpm_utility.h
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/mock_tpm_utility.h
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/tpm_utility_impl.cc
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/tpm_utility_impl.h
[modify] https://crrev.com/47517ff59e7527e7f1f8900d9a06d1b3ba67a1b3/trunks/pinweaver.proto

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/ec/+/a771ac1213c4b0066d81ded4b8132f9506d7634d

commit a771ac1213c4b0066d81ded4b8132f9506d7634d
Author: Igor <igorcov@chromium.org>
Date: Wed Nov 07 19:40:45 2018

Cr50: Add valid PCR value for pinweaver

In order to bind the PIN authentication to PCR4, required for additional security, a set of valid PCR criteria is added as metadata in the leaf of the tree. Each criterion has a bitmask of PCR indexes and the digest sha256 that should be obtained from concatenation of PCR values for the respective indexes. Pinweaver will handle both types of requests, in old and the new format.

For migration of old leaves that don't have the new field, the process expects cryptohome to detect that the leaf needs migration based on protocol used, leaf version and if the list of PCR criteria is empty. In case the leaf needs migration, cryptohome should insert a new leaf with the same data and remove the old one.

The PCR criteria set is created on Chrome OS side. Details of that implementation are in https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1124856

BRANCH=none
BUG= chromium:812165
TEST=sudo V=1 make run-pinweaver -j
pinweaver_client selftest
Deploy old image on a device and create an account setting a PIN code as well. Deploy the new image and new CR50 build. Login and check that the migration works well. Also try to put device to sleep and unlock. Check that a new credential creation with new version works as well and sleep + unlock work as expected. Extend PCR4 on device and check that login/unlock works only for the user whose obfuscated_username was used to extend the PCR. Also check that authentication works with cases when old cryptohome and new pinweaver is deployed, or old pinweaver and new cryptohome.
CQ-DEPEND=CL:1124856

Change-Id: If778c4e46b9945afadfd2af7d58353005624d668
Signed-off-by: igorcov@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/1112014
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/a771ac1213c4b0066d81ded4b8132f9506d7634d/include/pinweaver_types.h
[modify] https://crrev.com/a771ac1213c4b0066d81ded4b8132f9506d7634d/include/pinweaver.h
[modify] https://crrev.com/a771ac1213c4b0066d81ded4b8132f9506d7634d/test/pinweaver.c
[modify] https://crrev.com/a771ac1213c4b0066d81ded4b8132f9506d7634d/include/pinweaver_tpm_imports.h
[modify] https://crrev.com/a771ac1213c4b0066d81ded4b8132f9506d7634d/board/cr50/pinweaver_tpm_imports.c
[modify] https://crrev.com/a771ac1213c4b0066d81ded4b8132f9506d7634d/common/pinweaver.c

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/ec/+/fbebed9881bffafae49d45d4902b01e87b38d790

commit fbebed9881bffafae49d45d4902b01e87b38d790
Author: Igor <igorcov@chromium.org>
Date: Wed Jan 09 20:37:14 2019

Cr50: Add valid PCR value for pinweaver

In order to bind the PIN authentication to PCR4, required for additional security, a set of valid PCR criteria is added as metadata in the leaf of the tree. Each criterion has a bitmask of PCR indexes and the digest sha256 that should be obtained from concatenation of PCR values for the respective indexes. Pinweaver will handle both types of requests, in old and the new format.

For migration of old leaves that don't have the new field, the process expects cryptohome to detect that the leaf needs migration based on protocol used, leaf version and if the list of PCR criteria is empty. In case the leaf needs migration, cryptohome should insert a new leaf with the same data and remove the old one.

The PCR criteria set is created on Chrome OS side. Details of that implementation are in https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1124856

BRANCH=none
BUG= chromium:812165
TEST=sudo V=1 make run-pinweaver -j
pinweaver_client selftest
Deploy old image on a device and create an account setting a PIN code as well. Deploy the new image and new CR50 build. Login and check that the migration works well. Also try to put device to sleep and unlock. Check that a new credential creation with new version works as well and sleep + unlock work as expected. Extend PCR4 on device and check that login/unlock works only for the user whose obfuscated_username was used to extend the PCR. Also check that authentication works with cases when old cryptohome and new pinweaver is deployed, or old pinweaver and new cryptohome.
CQ-DEPEND=CL:1124856

Change-Id: If778c4e46b9945afadfd2af7d58353005624d668
Signed-off-by: igorcov@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/1112014
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
(cherry picked from commit a771ac1213c4b0066d81ded4b8132f9506d7634d)
Reviewed-on: https://chromium-review.googlesource.com/c/1403844
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

[modify] https://crrev.com/fbebed9881bffafae49d45d4902b01e87b38d790/include/pinweaver_types.h
[modify] https://crrev.com/fbebed9881bffafae49d45d4902b01e87b38d790/include/pinweaver.h
[modify] https://crrev.com/fbebed9881bffafae49d45d4902b01e87b38d790/test/pinweaver.c
[modify] https://crrev.com/fbebed9881bffafae49d45d4902b01e87b38d790/include/pinweaver_tpm_imports.h
[modify] https://crrev.com/fbebed9881bffafae49d45d4902b01e87b38d790/board/cr50/pinweaver_tpm_imports.c
[modify] https://crrev.com/fbebed9881bffafae49d45d4902b01e87b38d790/common/pinweaver.c
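
The PCR criteria check that the two Cr50 commit messages above describe (a bitmask of PCR indexes plus a SHA-256 digest over the concatenated PCR values), modelled in Python as an added example; this is not code from Cr50, cryptohome or trunks. Assumptions of the sketch: bit i of the bitmask selects PCR i, values are concatenated in ascending index order, a leaf with an empty criteria list is accepted as an unmigrated legacy leaf, and the usernames are constructed placeholders.

```python
import hashlib
import hmac

NUM_PCRS = 24   # assumption: size of the modelled PCR bank
PCR_LEN = 32    # SHA-256 bank


def fresh_bank():
    """PCR bank as it looks right after reset: every register all zeros."""
    return [bytes(PCR_LEN) for _ in range(NUM_PCRS)]


def extend(pcrs, index, data):
    """TPM-style extend: PCR = SHA256(old PCR || SHA256(data))."""
    measurement = hashlib.sha256(data).digest()
    pcrs[index] = hashlib.sha256(pcrs[index] + measurement).digest()


def selection_digest(pcrs, bitmask):
    """SHA-256 over the concatenated values of the PCRs selected by bitmask."""
    if bitmask <= 0 or bitmask >> NUM_PCRS:
        raise ValueError("bitmask must select at least one existing PCR")
    chosen = [pcrs[i] for i in range(NUM_PCRS) if (bitmask >> i) & 1]
    return hashlib.sha256(b"".join(chosen)).digest()


def make_criterion(bitmask, expected_pcrs):
    """Built on the OS side from the PCR state in which the leaf may be used."""
    return (bitmask, selection_digest(expected_pcrs, bitmask))


def pcr_criteria_ok(pcrs, criteria):
    """True if the current PCR state satisfies at least one stored criterion."""
    if not criteria:
        # Assumption: a leaf without criteria is a legacy leaf awaiting
        # migration and carries no PCR restriction.
        return True
    return any(
        hmac.compare_digest(selection_digest(pcrs, mask), digest)
        for mask, digest in criteria
    )


def demo():
    """Bind a leaf to PCR4 as extended for one user, then try other states."""
    alice = b"constructed-obfuscated-username-alice"
    bob = b"constructed-obfuscated-username-bob"
    expected = fresh_bank()
    extend(expected, 4, alice)
    leaf_criteria = [make_criterion(1 << 4, expected)]

    scenarios = {
        "no_extend": [],
        "alice": [alice],
        "bob": [bob],
        "alice_then_bob": [alice, bob],
    }
    results = {}
    for name, measurements in scenarios.items():
        bank = fresh_bank()
        for data in measurements:
            extend(bank, 4, data)
        results[name] = pcr_criteria_ok(bank, leaf_criteria)
    return results


if __name__ == "__main__":
    print(demo())
```

Because an extend can only be applied on top of the previous value, the state reached by extending PCR4 for one user cannot be turned into the state expected for another user without a reset.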

Comment 1 by ovanieva@google.com, Feb 16 2018