OLD | NEW |
1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
4 * | 4 * |
5 * Functions for generating and manipulating a verified boot firmware image. | 5 * Functions for generating and manipulating a verified boot firmware image. |
6 */ | 6 */ |
7 | 7 |
8 #include "firmware_image.h" | 8 #include "firmware_image.h" |
9 | 9 |
10 #include <fcntl.h> | 10 #include <fcntl.h> |
(...skipping 304 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
315 "Preamble Signature Failed.", | 315 "Preamble Signature Failed.", |
316 "Firmware Signature Failed.", | 316 "Firmware Signature Failed.", |
317 "Wrong Firmware Magic.", | 317 "Wrong Firmware Magic.", |
318 "Invalid Firmware Header Checksum.", | 318 "Invalid Firmware Header Checksum.", |
319 "Firmware Signing Key Rollback.", | 319 "Firmware Signing Key Rollback.", |
320 "Firmware Version Rollback." | 320 "Firmware Version Rollback." |
321 }; | 321 }; |
322 | 322 |
323 int VerifyFirmwareHeader(const uint8_t* root_key_blob, | 323 int VerifyFirmwareHeader(const uint8_t* root_key_blob, |
324 const uint8_t* header_blob, | 324 const uint8_t* header_blob, |
325 const int dev_mode, | |
326 int* algorithm, | 325 int* algorithm, |
327 int* header_len) { | 326 int* header_len) { |
328 int firmware_sign_key_len; | 327 int firmware_sign_key_len; |
329 int root_key_len; | 328 int root_key_len; |
330 uint16_t hlen, algo; | 329 uint16_t hlen, algo; |
331 uint8_t* header_checksum = NULL; | 330 uint8_t* header_checksum = NULL; |
332 | 331 |
333 /* Base Offset for the header_checksum field. Actual offset is | 332 /* Base Offset for the header_checksum field. Actual offset is |
334 * this + firmware_sign_key_len. */ | 333 * this + firmware_sign_key_len. */ |
335 int base_header_checksum_offset = (FIELD_LEN(header_len) + | 334 int base_header_checksum_offset = (FIELD_LEN(header_len) + |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
414 firmware_data_start + signature_len, /* Data to | 413 firmware_data_start + signature_len, /* Data to |
415 * verify */ | 414 * verify */ |
416 firmware_len, /* Length of data. */ | 415 firmware_len, /* Length of data. */ |
417 firmware_data_start, /* Expected Signature */ | 416 firmware_data_start, /* Expected Signature */ |
418 algorithm)) | 417 algorithm)) |
419 return VERIFY_FIRMWARE_SIGNATURE_FAILED; | 418 return VERIFY_FIRMWARE_SIGNATURE_FAILED; |
420 return 0; | 419 return 0; |
421 } | 420 } |
422 | 421 |
423 int VerifyFirmware(const uint8_t* root_key_blob, | 422 int VerifyFirmware(const uint8_t* root_key_blob, |
424 const uint8_t* firmware_blob, | 423 const uint8_t* firmware_blob) { |
425 const int dev_mode) { | |
426 int error_code; | 424 int error_code; |
427 int algorithm; /* Signing key algorithm. */ | 425 int algorithm; /* Signing key algorithm. */ |
428 RSAPublicKey* firmware_sign_key = NULL; | 426 RSAPublicKey* firmware_sign_key = NULL; |
429 int firmware_sign_key_len, signature_len, header_len, firmware_len; | 427 int firmware_sign_key_len, signature_len, header_len, firmware_len; |
430 const uint8_t* header_ptr = NULL; /* Pointer to header. */ | 428 const uint8_t* header_ptr = NULL; /* Pointer to header. */ |
431 const uint8_t* firmware_sign_key_ptr = NULL; /* Pointer to signing key. */ | 429 const uint8_t* firmware_sign_key_ptr = NULL; /* Pointer to signing key. */ |
432 const uint8_t* preamble_ptr = NULL; /* Pointer to preamble block. */ | 430 const uint8_t* preamble_ptr = NULL; /* Pointer to preamble block. */ |
433 const uint8_t* firmware_ptr = NULL; /* Pointer to firmware signature/data. */ | 431 const uint8_t* firmware_ptr = NULL; /* Pointer to firmware signature/data. */ |
434 | 432 |
435 /* Note: All the offset calculations are based on struct FirmwareImage which | 433 /* Note: All the offset calculations are based on struct FirmwareImage which |
436 * is defined in include/firmware_image.h. */ | 434 * is defined in include/firmware_image.h. */ |
437 | 435 |
438 /* Compare magic bytes. */ | 436 /* Compare magic bytes. */ |
439 if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) | 437 if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) |
440 return VERIFY_FIRMWARE_WRONG_MAGIC; | 438 return VERIFY_FIRMWARE_WRONG_MAGIC; |
441 header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE; | 439 header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE; |
442 | 440 |
443 /* Only continue if header verification succeeds. */ | 441 /* Only continue if header verification succeeds. */ |
444 if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr, dev_mode, | 442 if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr, |
445 &algorithm, &header_len))) | 443 &algorithm, &header_len))) |
446 return error_code; /* AKA jump to revovery. */ | 444 return error_code; /* AKA jump to revovery. */ |
447 | 445 |
448 /* Parse signing key into RSAPublicKey structure since it is required multiple | 446 /* Parse signing key into RSAPublicKey structure since it is required multiple |
449 * times. */ | 447 * times. */ |
450 firmware_sign_key_len = RSAProcessedKeySize(algorithm); | 448 firmware_sign_key_len = RSAProcessedKeySize(algorithm); |
451 firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) + | 449 firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) + |
452 FIELD_LEN(firmware_sign_algorithm) + | 450 FIELD_LEN(firmware_sign_algorithm) + |
453 FIELD_LEN(firmware_key_version)); | 451 FIELD_LEN(firmware_key_version)); |
454 firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr, | 452 firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr, |
(...skipping 19 matching lines...) Expand all Loading... |
474 algorithm))) { | 472 algorithm))) { |
475 RSAPublicKeyFree(firmware_sign_key); | 473 RSAPublicKeyFree(firmware_sign_key); |
476 return error_code; /* AKA jump to recovery. */ | 474 return error_code; /* AKA jump to recovery. */ |
477 } | 475 } |
478 | 476 |
479 RSAPublicKeyFree(firmware_sign_key); | 477 RSAPublicKeyFree(firmware_sign_key); |
480 return 0; /* Success! */ | 478 return 0; /* Success! */ |
481 } | 479 } |
482 | 480 |
483 int VerifyFirmwareImage(const RSAPublicKey* root_key, | 481 int VerifyFirmwareImage(const RSAPublicKey* root_key, |
484 const FirmwareImage* image, | 482 const FirmwareImage* image) { |
485 const int dev_mode) { | |
486 RSAPublicKey* firmware_sign_key = NULL; | 483 RSAPublicKey* firmware_sign_key = NULL; |
487 uint8_t* header_digest = NULL; | 484 uint8_t* header_digest = NULL; |
488 uint8_t* preamble_digest = NULL; | 485 uint8_t* preamble_digest = NULL; |
489 uint8_t* firmware_digest = NULL; | 486 uint8_t* firmware_digest = NULL; |
490 int firmware_sign_key_size; | 487 int firmware_sign_key_size; |
491 int signature_size; | 488 int signature_size; |
492 int error_code = 0; | 489 int error_code = 0; |
493 DigestContext ctx; | 490 DigestContext ctx; |
494 | 491 |
495 if (!image) | 492 if (!image) |
496 return VERIFY_FIRMWARE_INVALID_IMAGE; | 493 return VERIFY_FIRMWARE_INVALID_IMAGE; |
497 | 494 |
498 /* Verify root key signature on the sign key header if we | 495 /* Verify root key signature on the sign key header if we |
499 * are not in dev mode. | 496 * are not in dev mode. |
500 * | 497 * |
501 * TODO(gauravsh): Add additional sanity checks here for: | 498 * TODO(gauravsh): Add additional sanity checks here for: |
502 * 1) verifying the header length is correct. | 499 * 1) verifying the header length is correct. |
503 * 2) header_checksum is correct. | 500 * 2) header_checksum is correct. |
504 */ | 501 */ |
505 /* TODO(gauravsh): The [dev_mode] switch is actually irrelevant | 502 |
506 * for the firmware verification. | 503 /* Check key signature. */ |
507 * Change this to always verify the root key signature and change | 504 DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM); |
508 * test expectations appropriately. | 505 DigestUpdate(&ctx, (uint8_t*) &image->header_len, |
509 */ | 506 FIELD_LEN(header_len)); |
510 if (!dev_mode) { | 507 DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm, |
511 DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM); | 508 FIELD_LEN(firmware_sign_algorithm)); |
512 DigestUpdate(&ctx, (uint8_t*) &image->header_len, | 509 DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version, |
513 FIELD_LEN(header_len)); | 510 FIELD_LEN(firmware_key_version)); |
514 DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm, | 511 DigestUpdate(&ctx, image->firmware_sign_key, |
515 FIELD_LEN(firmware_sign_algorithm)); | 512 RSAProcessedKeySize(image->firmware_sign_algorithm)); |
516 DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version, | 513 DigestUpdate(&ctx, image->header_checksum, |
517 FIELD_LEN(firmware_key_version)); | 514 FIELD_LEN(header_checksum)); |
518 DigestUpdate(&ctx, image->firmware_sign_key, | 515 header_digest = DigestFinal(&ctx); |
519 RSAProcessedKeySize(image->firmware_sign_algorithm)); | 516 if (!RSAVerify(root_key, image->firmware_key_signature, |
520 DigestUpdate(&ctx, image->header_checksum, | 517 FIELD_LEN(firmware_key_signature), |
521 FIELD_LEN(header_checksum)); | 518 ROOT_SIGNATURE_ALGORITHM, |
522 header_digest = DigestFinal(&ctx); | 519 header_digest)) { |
523 if (!RSAVerify(root_key, image->firmware_key_signature, | 520 error_code = VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; |
524 FIELD_LEN(firmware_key_signature), | 521 goto verify_failure; |
525 ROOT_SIGNATURE_ALGORITHM, | |
526 header_digest)) { | |
527 error_code = VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; | |
528 goto verify_failure; | |
529 } | |
530 } | 522 } |
531 | 523 |
532 /* Get sign key to verify the rest of the firmware. */ | 524 /* Get sign key to verify the rest of the firmware. */ |
533 firmware_sign_key_size = RSAProcessedKeySize(image->firmware_sign_algorithm); | 525 firmware_sign_key_size = RSAProcessedKeySize(image->firmware_sign_algorithm); |
534 firmware_sign_key = RSAPublicKeyFromBuf(image->firmware_sign_key, | 526 firmware_sign_key = RSAPublicKeyFromBuf(image->firmware_sign_key, |
535 firmware_sign_key_size); | 527 firmware_sign_key_size); |
536 signature_size = siglen_map[image->firmware_sign_algorithm]; | 528 signature_size = siglen_map[image->firmware_sign_algorithm]; |
537 | 529 |
538 if (image->firmware_sign_algorithm >= kNumAlgorithms) | 530 if (image->firmware_sign_algorithm >= kNumAlgorithms) |
539 return VERIFY_FIRMWARE_INVALID_ALGORITHM; | 531 return VERIFY_FIRMWARE_INVALID_ALGORITHM; |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
675 * outright reject a firmware with an older firmware key version. A malformed | 667 * outright reject a firmware with an older firmware key version. A malformed |
676 * or corrupted firmware blob will still fail when VerifyFirmware() is called | 668 * or corrupted firmware blob will still fail when VerifyFirmware() is called |
677 * on it. | 669 * on it. |
678 */ | 670 */ |
679 firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA); | 671 firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA); |
680 firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB); | 672 firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB); |
681 min_lversion = Min(firmwareA_lversion, firmwareB_lversion); | 673 min_lversion = Min(firmwareA_lversion, firmwareB_lversion); |
682 stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION), | 674 stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION), |
683 GetStoredVersion(FIRMWARE_VERSION)); | 675 GetStoredVersion(FIRMWARE_VERSION)); |
684 /* Always try FirmwareA first. */ | 676 /* Always try FirmwareA first. */ |
685 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA, | 677 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA)) |
686 0)) | |
687 firmwareA_is_verified = 1; | 678 firmwareA_is_verified = 1; |
688 if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) { | 679 if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) { |
689 /* Stored version may need to be updated but only if FirmwareB | 680 /* Stored version may need to be updated but only if FirmwareB |
690 * is successfully verified and has a logical version greater than | 681 * is successfully verified and has a logical version greater than |
691 * the stored logical version. */ | 682 * the stored logical version. */ |
692 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB, | 683 if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB)) { |
693 0)) { | |
694 if (stored_lversion < firmwareB_lversion) { | 684 if (stored_lversion < firmwareB_lversion) { |
695 WriteStoredVersion(FIRMWARE_KEY_VERSION, | 685 WriteStoredVersion(FIRMWARE_KEY_VERSION, |
696 (uint16_t) (min_lversion >> 16)); | 686 (uint16_t) (min_lversion >> 16)); |
697 WriteStoredVersion(FIRMWARE_VERSION, | 687 WriteStoredVersion(FIRMWARE_VERSION, |
698 (uint16_t) (min_lversion & 0x00FFFF)); | 688 (uint16_t) (min_lversion & 0x00FFFF)); |
699 stored_lversion = min_lversion; /* Update stored version as it's used | 689 stored_lversion = min_lversion; /* Update stored version as it's used |
700 * later. */ | 690 * later. */ |
701 } | 691 } |
702 } | 692 } |
703 } | 693 } |
(...skipping 22 matching lines...) Expand all Loading... |
726 if (firmwareA_is_verified) { | 716 if (firmwareA_is_verified) { |
727 if (stored_lversion <= firmwareA_lversion) | 717 if (stored_lversion <= firmwareA_lversion) |
728 return BOOT_FIRMWARE_A_CONTINUE; | 718 return BOOT_FIRMWARE_A_CONTINUE; |
729 } else { | 719 } else { |
730 /* If FirmwareA was not valid, then we skipped over the | 720 /* If FirmwareA was not valid, then we skipped over the |
731 * check to update the rollback indices and a Verify of FirmwareB wasn't | 721 * check to update the rollback indices and a Verify of FirmwareB wasn't |
732 * attempted. | 722 * attempted. |
733 * If FirmwareB is not a rollback, then we attempt to do the verification. | 723 * If FirmwareB is not a rollback, then we attempt to do the verification. |
734 */ | 724 */ |
735 if (stored_lversion <= firmwareB_lversion && | 725 if (stored_lversion <= firmwareB_lversion && |
736 (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB, | 726 (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB))) |
737 0))) | |
738 return BOOT_FIRMWARE_B_CONTINUE; | 727 return BOOT_FIRMWARE_B_CONTINUE; |
739 } | 728 } |
740 /* D'oh: No bootable firmware. */ | 729 /* D'oh: No bootable firmware. */ |
741 return BOOT_FIRMWARE_RECOVERY_CONTINUE; | 730 return BOOT_FIRMWARE_RECOVERY_CONTINUE; |
742 } | 731 } |
OLD | NEW |