VBoot Reference: Fix splicing bugs in Firmware and Kernel verification.

src/platform/vboot_reference/include/firmware_image.h

 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
  * Data structure and API definitions for a verified boot firmware image.
  */
 
 #ifndef VBOOT_REFERENCE_FIRMWARE_IMAGE_H_
 #define VBOOT_REFERENCE_FIRMWARE_IMAGE_H_
 
@@ skipping 26 matching lines @@
   /* Firmware Preamble. */
   uint16_t firmware_version;  /* Firmware Version# for preventing rollbacks.*/
   uint64_t firmware_len;  /* Length of the rest of the R/W firmware data. */
   uint8_t preamble[FIRMWARE_PREAMBLE_SIZE];  /* Remaining preamble data.*/
 
   uint8_t* preamble_signature;  /* Signature over the preamble. */
 
   /* The firmware signature comes first as it may allow us to parallelize
    * the firmware data fetch and RSA public operation.
    */
-  uint8_t* firmware_signature;  /* Signature on [firmware_data]. */
+  uint8_t* firmware_signature;  /* Signature on the Preamble +
+                                   [firmware_data]. */
   uint8_t* firmware_data;  /* Rest of firmware data */
 
 } FirmwareImage;
 
 /* Allocate and return a new FirmwareImage structure. */
 FirmwareImage* FirmwareImageNew(void);
 
 /* Deep free the contents of [fw]. */
 void FirmwareImageFree(FirmwareImage* fw);
 
@@ skipping 77 matching lines @@
  * [preamble_blob] using the signing key [sign_key].
  *
  * On success, put firmware length into [firmware_len], and return 0.
  * Else, return error code on failure.
  */
 int VerifyFirmwarePreamble(RSAPublicKey* sign_key,
                            const uint8_t* preamble_blob,
                            int algorithm,
                            int* firmware_len);
 
-/* Checks the signature on the firmware data at location [firmware_data_start].
+/* Checks the signature on the preamble + firmware data at
+ * [preamble_start] and [firmware_data_start].
  * The length of the actual firmware data is firmware_len and it is assumed to
  * be prepended with the signature whose size depends on the signature_algorithm
- * [algorithm].
+ * [algorithm]. This signature also covers the preamble data (but not the
+ * preamble signature itself).
  *
  * Return 0 on success, error code on failure.
  */
 int VerifyFirmwareData(RSAPublicKey* sign_key,
+                       const uint8_t* preamble_start,
                        const uint8_t* firmware_data_start,
                        int firmware_len,
                        int algorithm);
 
 /* Performs a chained verify of the firmware blob [firmware_blob].
  *
  * Returns 0 on success, error code on failure.
  *
  * NOTE: The length of the firmware blob is derived from reading the fields
  * in the first few bytes of the buffer. This might look risky but in firmware
@@ skipping 44 matching lines @@
  * Returns the code path to follow. It is one of:
  * BOOT_FIRMWARE_A_CONTINUE          Boot from Firmware A
  * BOOT_FIRMWARE_B_CONTINUE          Boot from Firmware B
  * BOOT_FIRMWARE_RECOVERY_CONTINUE   Jump to recovery mode
  */
 int VerifyFirmwareDriver_f(uint8_t* root_key_blob,
                            uint8_t* firmwareA,
                            uint8_t* firmwareB);
 
 #endif  /* VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ */