| OLD | NEW |
|---|
| 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
| 3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
| 4 * | 4 * |
| 5 * Functions for generating and manipulating a verified boot firmware image. | 5 * Functions for generating and manipulating a verified boot firmware image. |
| 6 */ | 6 */ |
| 7 | 7 |
| 8 #include "firmware_image.h" | 8 #include "firmware_image.h" |
| 9 | 9 |
| 10 #include <fcntl.h> | 10 #include <fcntl.h> |
| (...skipping 304 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 315 "Preamble Signature Failed.", | 315 "Preamble Signature Failed.", |
| 316 "Firmware Signature Failed.", | 316 "Firmware Signature Failed.", |
| 317 "Wrong Firmware Magic.", | 317 "Wrong Firmware Magic.", |
| 318 "Invalid Firmware Header Checksum.", | 318 "Invalid Firmware Header Checksum.", |
| 319 "Firmware Signing Key Rollback.", | 319 "Firmware Signing Key Rollback.", |
| 320 "Firmware Version Rollback." | 320 "Firmware Version Rollback." |
| 321 }; | 321 }; |
| 322 | 322 |
| 323 int VerifyFirmwareHeader(const uint8_t* root_key_blob, | 323 int VerifyFirmwareHeader(const uint8_t* root_key_blob, |
| 324 const uint8_t* header_blob, | 324 const uint8_t* header_blob, |
| 325 const int dev_mode, | |
| 326 int* algorithm, | 325 int* algorithm, |
| 327 int* header_len) { | 326 int* header_len) { |
| 328 int firmware_sign_key_len; | 327 int firmware_sign_key_len; |
| 329 int root_key_len; | 328 int root_key_len; |
| 330 uint16_t hlen, algo; | 329 uint16_t hlen, algo; |
| 331 uint8_t* header_checksum = NULL; | 330 uint8_t* header_checksum = NULL; |
| 332 | 331 |
| 333 /* Base Offset for the header_checksum field. Actual offset is | 332 /* Base Offset for the header_checksum field. Actual offset is |
| 334 * this + firmware_sign_key_len. */ | 333 * this + firmware_sign_key_len. */ |
| 335 int base_header_checksum_offset = (FIELD_LEN(header_len) + | 334 int base_header_checksum_offset = (FIELD_LEN(header_len) + |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 414 firmware_data_start + signature_len, /* Data to | 413 firmware_data_start + signature_len, /* Data to |
| 415 * verify */ | 414 * verify */ |
| 416 firmware_len, /* Length of data. */ | 415 firmware_len, /* Length of data. */ |
| 417 firmware_data_start, /* Expected Signature */ | 416 firmware_data_start, /* Expected Signature */ |
| 418 algorithm)) | 417 algorithm)) |
| 419 return VERIFY_FIRMWARE_SIGNATURE_FAILED; | 418 return VERIFY_FIRMWARE_SIGNATURE_FAILED; |
| 420 return 0; | 419 return 0; |
| 421 } | 420 } |
| 422 | 421 |
| 423 int VerifyFirmware(const uint8_t* root_key_blob, | 422 int VerifyFirmware(const uint8_t* root_key_blob, |
| 424 const uint8_t* firmware_blob, | 423 const uint8_t* firmware_blob) { |
| 425 const int dev_mode) { | |
| 426 int error_code; | 424 int error_code; |
| 427 int algorithm; /* Signing key algorithm. */ | 425 int algorithm; /* Signing key algorithm. */ |
| 428 RSAPublicKey* firmware_sign_key = NULL; | 426 RSAPublicKey* firmware_sign_key = NULL; |
| 429 int firmware_sign_key_len, signature_len, header_len, firmware_len; | 427 int firmware_sign_key_len, signature_len, header_len, firmware_len; |
| 430 const uint8_t* header_ptr = NULL; /* Pointer to header. */ | 428 const uint8_t* header_ptr = NULL; /* Pointer to header. */ |
| 431 const uint8_t* firmware_sign_key_ptr = NULL; /* Pointer to signing key. */ | 429 const uint8_t* firmware_sign_key_ptr = NULL; /* Pointer to signing key. */ |
| 432 const uint8_t* preamble_ptr = NULL; /* Pointer to preamble block. */ | 430 const uint8_t* preamble_ptr = NULL; /* Pointer to preamble block. */ |
| 433 const uint8_t* firmware_ptr = NULL; /* Pointer to firmware signature/data. */ | 431 const uint8_t* firmware_ptr = NULL; /* Pointer to firmware signature/data. */ |
| 434 | 432 |
| 435 /* Note: All the offset calculations are based on struct FirmwareImage which | 433 /* Note: All the offset calculations are based on struct FirmwareImage which |
| 436 * is defined in include/firmware_image.h. */ | 434 * is defined in include/firmware_image.h. */ |
| 437 | 435 |
| 438 /* Compare magic bytes. */ | 436 /* Compare magic bytes. */ |
| 439 if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) | 437 if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) |
| 440 return VERIFY_FIRMWARE_WRONG_MAGIC; | 438 return VERIFY_FIRMWARE_WRONG_MAGIC; |
| 441 header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE; | 439 header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE; |
| 442 | 440 |
| 443 /* Only continue if header verification succeeds. */ | 441 /* Only continue if header verification succeeds. */ |
| 444 if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr, dev_mode, | 442 if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr, |
| 445 &algorithm, &header_len))) | 443 &algorithm, &header_len))) |
| 446 return error_code; /* AKA jump to revovery. */ | 444 return error_code; /* AKA jump to revovery. */ |
| 447 | 445 |
| 448 /* Parse signing key into RSAPublicKey structure since it is required multiple | 446 /* Parse signing key into RSAPublicKey structure since it is required multiple |
| 449 * times. */ | 447 * times. */ |
| 450 firmware_sign_key_len = RSAProcessedKeySize(algorithm); | 448 firmware_sign_key_len = RSAProcessedKeySize(algorithm); |
| 451 firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) + | 449 firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) + |
| 452 FIELD_LEN(firmware_sign_algorithm) + | 450 FIELD_LEN(firmware_sign_algorithm) + |
| 453 FIELD_LEN(firmware_key_version)); | 451 FIELD_LEN(firmware_key_version)); |
| 454 firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr, | 452 firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr, |
| (...skipping 19 matching lines...) Expand all Loading... |
| 474 algorithm))) { | 472 algorithm))) { |
| 475 RSAPublicKeyFree(firmware_sign_key); | 473 RSAPublicKeyFree(firmware_sign_key); |
| 476 return error_code; /* AKA jump to recovery. */ | 474 return error_code; /* AKA jump to recovery. */ |
| 477 } | 475 } |
| 478 | 476 |
| 479 RSAPublicKeyFree(firmware_sign_key); | 477 RSAPublicKeyFree(firmware_sign_key); |
| 480 return 0; /* Success! */ | 478 return 0; /* Success! */ |
| 481 } | 479 } |
| 482 | 480 |
| 483 int VerifyFirmwareImage(const RSAPublicKey* root_key, | 481 int VerifyFirmwareImage(const RSAPublicKey* root_key, |
| 484 const FirmwareImage* image, | 482 const FirmwareImage* image) { |
| 485 const int dev_mode) { | |
| 486 RSAPublicKey* firmware_sign_key = NULL; | 483 RSAPublicKey* firmware_sign_key = NULL; |
| 487 uint8_t* header_digest = NULL; | 484 uint8_t* header_digest = NULL; |
| 488 uint8_t* preamble_digest = NULL; | 485 uint8_t* preamble_digest = NULL; |
| 489 uint8_t* firmware_digest = NULL; | 486 uint8_t* firmware_digest = NULL; |
| 490 int firmware_sign_key_size; | 487 int firmware_sign_key_size; |
| 491 int signature_size; | 488 int signature_size; |
| 492 int error_code = 0; | 489 int error_code = 0; |
| 493 DigestContext ctx; | 490 DigestContext ctx; |
| 494 | 491 |
| 495 if (!image) | 492 if (!image) |
| 496 return VERIFY_FIRMWARE_INVALID_IMAGE; | 493 return VERIFY_FIRMWARE_INVALID_IMAGE; |
| 497 | 494 |
| 498 /* Verify root key signature on the sign key header if we | 495 /* Verify root key signature on the sign key header if we |
| 499 * are not in dev mode. | 496 * are not in dev mode. |
| 500 * | 497 * |
| 501 * TODO(gauravsh): Add additional sanity checks here for: | 498 * TODO(gauravsh): Add additional sanity checks here for: |
| 502 * 1) verifying the header length is correct. | 499 * 1) verifying the header length is correct. |
| 503 * 2) header_checksum is correct. | 500 * 2) header_checksum is correct. |
| 504 */ | 501 */ |
| 505 /* TODO(gauravsh): The [dev_mode] switch is actually irrelevant | 502 |
| 506 * for the firmware verification. | 503 /* Check key signature. */ |
| 507 * Change this to always verify the root key signature and change | 504 DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM); |
| 508 * test expectations appropriately. | 505 DigestUpdate(&ctx, (uint8_t*) &image->header_len, |
| 509 */ | 506 FIELD_LEN(header_len)); |
| 510 if (!dev_mode) { | 507 DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm, |
| 511 DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM); | 508 FIELD_LEN(firmware_sign_algorithm)); |
| 512 DigestUpdate(&ctx, (uint8_t*) &image->header_len, | 509 DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version, |
| 513 FIELD_LEN(header_len)); | 510 FIELD_LEN(firmware_key_version)); |
| 514 DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm, | 511 DigestUpdate(&ctx, image->firmware_sign_key, |
| 515 FIELD_LEN(firmware_sign_algorithm)); | 512 RSAProcessedKeySize(image->firmware_sign_algorithm)); |
| 516 DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version, | 513 DigestUpdate(&ctx, image->header_checksum, |
| 517 FIELD_LEN(firmware_key_version)); | 514 FIELD_LEN(header_checksum)); |
| 518 DigestUpdate(&ctx, image->firmware_sign_key, | 515 header_digest = DigestFinal(&ctx); |
| 519 RSAProcessedKeySize(image->firmware_sign_algorithm)); | 516 if (!RSAVerify(root_key, image->firmware_key_signature, |
| 520 DigestUpdate(&ctx, image->header_checksum, | 517 FIELD_LEN(firmware_key_signature), |
| 521 FIELD_LEN(header_checksum)); | 518 ROOT_SIGNATURE_ALGORITHM, |
| 522 header_digest = DigestFinal(&ctx); | 519 header_digest)) { |
| 523 if (!RSAVerify(root_key, image->firmware_key_signature, | 520 error_code = VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; |
| 524 FIELD_LEN(firmware_key_signature), | 521 goto verify_failure; |
| 525 ROOT_SIGNATURE_ALGORITHM, | |
| 526 header_digest)) { | |
| 527 error_code = VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; | |
| 528 goto verify_failure; | |
| 529 } | |
| 530 } | 522 } |
| 531 | 523 |
| 532 /* Get sign key to verify the rest of the firmware. */ | 524 /* Get sign key to verify the rest of the firmware. */ |
| 533 firmware_sign_key_size = RSAProcessedKeySize(image->firmware_sign_algorithm); | 525 firmware_sign_key_size = RSAProcessedKeySize(image->firmware_sign_algorithm); |
| 534 firmware_sign_key = RSAPublicKeyFromBuf(image->firmware_sign_key, | 526 firmware_sign_key = RSAPublicKeyFromBuf(image->firmware_sign_key, |
| 535 firmware_sign_key_size); | 527 firmware_sign_key_size); |
| 536 signature_size = siglen_map[image->firmware_sign_algorithm]; | 528 signature_size = siglen_map[image->firmware_sign_algorithm]; |
| 537 | 529 |
| 538 if (image->firmware_sign_algorithm >= kNumAlgorithms) | 530 if (image->firmware_sign_algorithm >= kNumAlgorithms) |
| 539 return VERIFY_FIRMWARE_INVALID_ALGORITHM; | 531 return VERIFY_FIRMWARE_INVALID_ALGORITHM; |
| (...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 675 * outright reject a firmware with an older firmware key version. A malformed | 667 * outright reject a firmware with an older firmware key version. A malformed |
| 676 * or corrupted firmware blob will still fail when VerifyFirmware() is called | 668 * or corrupted firmware blob will still fail when VerifyFirmware() is called |
| 677 * on it. | 669 * on it. |
| 678 */ | 670 */ |
| 679 firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA); | 671 firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA); |
| 680 firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB); | 672 firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB); |
| 681 min_lversion = Min(firmwareA_lversion, firmwareB_lversion); | 673 min_lversion = Min(firmwareA_lversion, firmwareB_lversion); |
| 682 stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION), | 674 stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION), |
| 683 GetStoredVersion(FIRMWARE_VERSION)); | 675 GetStoredVersion(FIRMWARE_VERSION)); |
| 684 /* Always try FirmwareA first. */ | 676 /* Always try FirmwareA first. */ |
| 685 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA, | 677 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA)) |
| 686 0)) | |
| 687 firmwareA_is_verified = 1; | 678 firmwareA_is_verified = 1; |
| 688 if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) { | 679 if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) { |
| 689 /* Stored version may need to be updated but only if FirmwareB | 680 /* Stored version may need to be updated but only if FirmwareB |
| 690 * is successfully verified and has a logical version greater than | 681 * is successfully verified and has a logical version greater than |
| 691 * the stored logical version. */ | 682 * the stored logical version. */ |
| 692 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB, | 683 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB)) { |
| 693 0)) { | |
| 694 if (stored_lversion < firmwareB_lversion) { | 684 if (stored_lversion < firmwareB_lversion) { |
| 695 WriteStoredVersion(FIRMWARE_KEY_VERSION, | 685 WriteStoredVersion(FIRMWARE_KEY_VERSION, |
| 696 (uint16_t) (min_lversion >> 16)); | 686 (uint16_t) (min_lversion >> 16)); |
| 697 WriteStoredVersion(FIRMWARE_VERSION, | 687 WriteStoredVersion(FIRMWARE_VERSION, |
| 698 (uint16_t) (min_lversion & 0x00FFFF)); | 688 (uint16_t) (min_lversion & 0x00FFFF)); |
| 699 stored_lversion = min_lversion; /* Update stored version as it's used | 689 stored_lversion = min_lversion; /* Update stored version as it's used |
| 700 * later. */ | 690 * later. */ |
| 701 } | 691 } |
| 702 } | 692 } |
| 703 } | 693 } |
| (...skipping 22 matching lines...) Expand all Loading... |
| 726 if (firmwareA_is_verified) { | 716 if (firmwareA_is_verified) { |
| 727 if (stored_lversion <= firmwareA_lversion) | 717 if (stored_lversion <= firmwareA_lversion) |
| 728 return BOOT_FIRMWARE_A_CONTINUE; | 718 return BOOT_FIRMWARE_A_CONTINUE; |
| 729 } else { | 719 } else { |
| 730 /* If FirmwareA was not valid, then we skipped over the | 720 /* If FirmwareA was not valid, then we skipped over the |
| 731 * check to update the rollback indices and a Verify of FirmwareB wasn't | 721 * check to update the rollback indices and a Verify of FirmwareB wasn't |
| 732 * attempted. | 722 * attempted. |
| 733 * If FirmwareB is not a rollback, then we attempt to do the verification. | 723 * If FirmwareB is not a rollback, then we attempt to do the verification. |
| 734 */ | 724 */ |
| 735 if (stored_lversion <= firmwareB_lversion && | 725 if (stored_lversion <= firmwareB_lversion && |
| 736 (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB, | 726 (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB))) |
| 737 0))) | |
| 738 return BOOT_FIRMWARE_B_CONTINUE; | 727 return BOOT_FIRMWARE_B_CONTINUE; |
| 739 } | 728 } |
| 740 /* D'oh: No bootable firmware. */ | 729 /* D'oh: No bootable firmware. */ |
| 741 return BOOT_FIRMWARE_RECOVERY_CONTINUE; | 730 return BOOT_FIRMWARE_RECOVERY_CONTINUE; |
| 742 } | 731 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1280002:
Move test utility functions to a common place. (Closed)
