Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/platform/vboot_reference/utils/kernel_image_fw.c

Issue 1599001: VBoot Reference: Refactor Pass 1: Split {firmware|kernel}_image (Closed)
Patch Set: Created 10 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « src/platform/vboot_reference/utils/kernel_image.c ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 *
5 * Functions for verifying a verified boot kernel image.
6 * (Firmware portion)
7 */
8
9 #include "kernel_image_fw.h"
10
11 #include "padding.h"
12 #include "rollback_index.h"
13 #include "rsa_utility.h"
14 #include "sha_utility.h"
15 #include "utility.h"
16
17 /* Macro to determine the size of a field structure in the KernelImage
18 * structure. */
19 #define FIELD_LEN(field) (sizeof(((KernelImage*)0)->field))
20 #define KERNEL_CONFIG_FIELD_LEN (FIELD_LEN(kernel_version) + FIELD_LEN(options.v ersion) + \
21 FIELD_LEN(options.cmd_line) + \
22 FIELD_LEN(options.kernel_len) + \
23 FIELD_LEN(options.kernel_load_addr) + \
24 FIELD_LEN(options.kernel_entry_addr))
25
26 char* kVerifyKernelErrors[VERIFY_KERNEL_MAX] = {
27 "Success.",
28 "Invalid Image.",
29 "Kernel Key Signature Failed.",
30 "Invalid Kernel Verification Algorithm.",
31 "Config Signature Failed.",
32 "Kernel Signature Failed.",
33 "Wrong Kernel Magic.",
34 };
35
36 int VerifyKernelHeader(const uint8_t* firmware_key_blob,
37 const uint8_t* header_blob,
38 const int dev_mode,
39 int* firmware_algorithm,
40 int* kernel_algorithm,
41 int* kernel_header_len) {
42 int kernel_sign_key_len;
43 int firmware_sign_key_len;
44 uint16_t header_version, header_len;
45 uint16_t firmware_sign_algorithm, kernel_sign_algorithm;
46 uint8_t* header_checksum = NULL;
47
48 /* Base Offset for the header_checksum field. Actual offset is
49 * this + kernel_sign_key_len. */
50 int base_header_checksum_offset = (FIELD_LEN(header_version) +
51 FIELD_LEN(header_len) +
52 FIELD_LEN(firmware_sign_algorithm) +
53 FIELD_LEN(kernel_sign_algorithm) +
54 FIELD_LEN(kernel_key_version));
55
56 Memcpy(&header_version, header_blob, sizeof(header_version));
57 Memcpy(&header_len, header_blob + FIELD_LEN(header_version),
58 sizeof(header_len));
59 Memcpy(&firmware_sign_algorithm,
60 header_blob + (FIELD_LEN(header_version) +
61 FIELD_LEN(header_len)),
62 sizeof(firmware_sign_algorithm));
63 Memcpy(&kernel_sign_algorithm,
64 header_blob + (FIELD_LEN(header_version) +
65 FIELD_LEN(header_len) +
66 FIELD_LEN(firmware_sign_algorithm)),
67 sizeof(kernel_sign_algorithm));
68
69 /* TODO(gauravsh): Make this return two different error types depending
70 * on whether the firmware or kernel signing algorithm is invalid. */
71 if (firmware_sign_algorithm >= kNumAlgorithms)
72 return VERIFY_KERNEL_INVALID_ALGORITHM;
73 if (kernel_sign_algorithm >= kNumAlgorithms)
74 return VERIFY_KERNEL_INVALID_ALGORITHM;
75
76 *firmware_algorithm = (int) firmware_sign_algorithm;
77 *kernel_algorithm = (int) kernel_sign_algorithm;
78 kernel_sign_key_len = RSAProcessedKeySize(kernel_sign_algorithm);
79 firmware_sign_key_len = RSAProcessedKeySize(firmware_sign_algorithm);
80
81
82 /* Verify if header len is correct? */
83 if (header_len != (base_header_checksum_offset +
84 kernel_sign_key_len +
85 FIELD_LEN(header_checksum))) {
86 debug("VerifyKernelHeader: Header length mismatch\n");
87 return VERIFY_KERNEL_INVALID_IMAGE;
88 }
89 *kernel_header_len = (int) header_len;
90
91 /* Verify if the hash of the header is correct. */
92 header_checksum = DigestBuf(header_blob,
93 header_len - FIELD_LEN(header_checksum),
94 SHA512_DIGEST_ALGORITHM);
95 if (SafeMemcmp(header_checksum,
96 header_blob + (base_header_checksum_offset +
97 kernel_sign_key_len),
98 FIELD_LEN(header_checksum))) {
99 Free(header_checksum);
100 debug("VerifyKernelHeader: Invalid header hash\n");
101 return VERIFY_KERNEL_INVALID_IMAGE;
102 }
103 Free(header_checksum);
104
105 /* Verify kernel key signature unless we are in dev mode. */
106 if (!dev_mode) {
107 if (!RSAVerifyBinary_f(firmware_key_blob, NULL, /* Key to use */
108 header_blob, /* Data to verify */
109 header_len, /* Length of data */
110 header_blob + header_len, /* Expected Signature */
111 firmware_sign_algorithm))
112 return VERIFY_KERNEL_KEY_SIGNATURE_FAILED;
113 }
114 return 0;
115 }
116
117 int VerifyKernelConfig(RSAPublicKey* kernel_sign_key,
118 const uint8_t* config_blob,
119 int algorithm,
120 uint64_t* kernel_len) {
121 uint64_t len;
122 if (!RSAVerifyBinary_f(NULL, kernel_sign_key, /* Key to use */
123 config_blob, /* Data to verify */
124 KERNEL_CONFIG_FIELD_LEN, /* Length of data */
125 config_blob + KERNEL_CONFIG_FIELD_LEN, /* Expected
126 * Signature */
127 algorithm))
128 return VERIFY_KERNEL_CONFIG_SIGNATURE_FAILED;
129
130 Memcpy(&len,
131 config_blob + (FIELD_LEN(kernel_version) + FIELD_LEN(options.version) +
132 FIELD_LEN(options.cmd_line)),
133 sizeof(len));
134 *kernel_len = len;
135 return 0;
136 }
137
138 int VerifyKernelData(RSAPublicKey* kernel_sign_key,
139 const uint8_t* kernel_config_start,
140 const uint8_t* kernel_data_start,
141 uint64_t kernel_len,
142 int algorithm) {
143 int signature_len = siglen_map[algorithm];
144 uint8_t* digest;
145 DigestContext ctx;
146
147 /* Since the kernel signature is computed over the kernel version, options
148 * and data, which does not form a contiguous region of memory, we calculate
149 * the message digest ourselves. */
150 DigestInit(&ctx, algorithm);
151 DigestUpdate(&ctx, kernel_config_start, KERNEL_CONFIG_FIELD_LEN);
152 DigestUpdate(&ctx, kernel_data_start + signature_len, kernel_len);
153 digest = DigestFinal(&ctx);
154 if (!RSAVerifyBinaryWithDigest_f(
155 NULL, kernel_sign_key, /* Key to use. */
156 digest, /* Digest of the data to verify. */
157 kernel_data_start, /* Expected Signature */
158 algorithm)) {
159 Free(digest);
160 return VERIFY_KERNEL_SIGNATURE_FAILED;
161 }
162 Free(digest);
163 return 0;
164 }
165
166 int VerifyKernel(const uint8_t* firmware_key_blob,
167 const uint8_t* kernel_blob,
168 const int dev_mode) {
169 int error_code;
170 int firmware_sign_algorithm; /* Firmware signing key algorithm. */
171 int kernel_sign_algorithm; /* Kernel Signing key algorithm. */
172 RSAPublicKey* kernel_sign_key;
173 int kernel_sign_key_len, kernel_key_signature_len, kernel_signature_len,
174 header_len;
175 uint64_t kernel_len;
176 const uint8_t* header_ptr; /* Pointer to header. */
177 const uint8_t* kernel_sign_key_ptr; /* Pointer to signing key. */
178 const uint8_t* config_ptr; /* Pointer to kernel config block. */
179 const uint8_t* kernel_ptr; /* Pointer to kernel signature/data. */
180
181 /* Note: All the offset calculations are based on struct FirmwareImage which
182 * is defined in include/firmware_image.h. */
183
184 /* Compare magic bytes. */
185 if (SafeMemcmp(kernel_blob, KERNEL_MAGIC, KERNEL_MAGIC_SIZE))
186 return VERIFY_KERNEL_WRONG_MAGIC;
187 header_ptr = kernel_blob + KERNEL_MAGIC_SIZE;
188
189 /* Only continue if header verification succeeds. */
190 if ((error_code = VerifyKernelHeader(firmware_key_blob, header_ptr, dev_mode,
191 &firmware_sign_algorithm,
192 &kernel_sign_algorithm, &header_len))) {
193 debug("VerifyKernel: Kernel header verification failed.\n");
194 return error_code; /* AKA jump to recovery. */
195 }
196 /* Parse signing key into RSAPublicKey structure since it is required multiple
197 * times. */
198 kernel_sign_key_len = RSAProcessedKeySize(kernel_sign_algorithm);
199 kernel_sign_key_ptr = header_ptr + (FIELD_LEN(header_version) +
200 FIELD_LEN(header_len) +
201 FIELD_LEN(firmware_sign_algorithm) +
202 FIELD_LEN(kernel_sign_algorithm) +
203 FIELD_LEN(kernel_key_version));
204 kernel_sign_key = RSAPublicKeyFromBuf(kernel_sign_key_ptr,
205 kernel_sign_key_len);
206 kernel_signature_len = siglen_map[kernel_sign_algorithm];
207 kernel_key_signature_len = siglen_map[firmware_sign_algorithm];
208
209 /* Only continue if config verification succeeds. */
210 config_ptr = (header_ptr + header_len + kernel_key_signature_len);
211 if ((error_code = VerifyKernelConfig(kernel_sign_key, config_ptr,
212 kernel_sign_algorithm,
213 &kernel_len))) {
214 RSAPublicKeyFree(kernel_sign_key);
215 return error_code; /* AKA jump to recovery. */
216 }
217 /* Only continue if kernel data verification succeeds. */
218 kernel_ptr = (config_ptr +
219 KERNEL_CONFIG_FIELD_LEN + /* Skip config block/signature. */
220 kernel_signature_len);
221
222 if ((error_code = VerifyKernelData(kernel_sign_key, config_ptr, kernel_ptr,
223 kernel_len,
224 kernel_sign_algorithm))) {
225 RSAPublicKeyFree(kernel_sign_key);
226 return error_code; /* AKA jump to recovery. */
227 }
228 RSAPublicKeyFree(kernel_sign_key);
229 return 0; /* Success! */
230 }
231
232 uint32_t GetLogicalKernelVersion(uint8_t* kernel_blob) {
233 uint8_t* kernel_ptr;
234 uint16_t kernel_key_version;
235 uint16_t kernel_version;
236 uint16_t firmware_sign_algorithm;
237 uint16_t kernel_sign_algorithm;
238 int kernel_key_signature_len;
239 int kernel_sign_key_len;
240 kernel_ptr = kernel_blob + (FIELD_LEN(magic) +
241 FIELD_LEN(header_version) +
242 FIELD_LEN(header_len));
243 Memcpy(&firmware_sign_algorithm, kernel_ptr, sizeof(firmware_sign_algorithm));
244 kernel_ptr += FIELD_LEN(firmware_sign_algorithm);
245 Memcpy(&kernel_sign_algorithm, kernel_ptr, sizeof(kernel_sign_algorithm));
246 kernel_ptr += FIELD_LEN(kernel_sign_algorithm);
247 Memcpy(&kernel_key_version, kernel_ptr, sizeof(kernel_key_version));
248
249 if (firmware_sign_algorithm >= kNumAlgorithms)
250 return 0;
251 if (kernel_sign_algorithm >= kNumAlgorithms)
252 return 0;
253 kernel_key_signature_len = siglen_map[firmware_sign_algorithm];
254 kernel_sign_key_len = RSAProcessedKeySize(kernel_sign_algorithm);
255 kernel_ptr += (FIELD_LEN(kernel_key_version) +
256 kernel_sign_key_len +
257 FIELD_LEN(header_checksum) +
258 kernel_key_signature_len);
259 Memcpy(&kernel_version, kernel_ptr, sizeof(kernel_version));
260 return CombineUint16Pair(kernel_key_version, kernel_version);
261 }
262
263 int VerifyKernelDriver_f(uint8_t* firmware_key_blob,
264 kernel_entry* kernelA,
265 kernel_entry* kernelB,
266 int dev_mode) {
267 int i;
268 /* Contains the logical kernel version (32-bit) which is calculated as
269 * (kernel_key_version << 16 | kernel_version) where
270 * [kernel_key_version], [firmware_version] are both 16-bit.
271 */
272 uint32_t kernelA_lversion, kernelB_lversion;
273 uint32_t min_lversion; /* Minimum of kernel A and kernel B lversion. */
274 uint32_t stored_lversion; /* Stored logical version in the TPM. */
275 kernel_entry* try_kernel[2]; /* Kernel in try order. */
276 int try_kernel_which[2]; /* Which corresponding kernel in the try order */
277 uint32_t try_kernel_lversion[2]; /* Their logical versions. */
278
279 /* [kernel_to_boot] will eventually contain the boot path to follow
280 * and is returned to the caller. Initially, we set it to recovery. If
281 * a valid bootable kernel is found, it will be set to that. */
282 int kernel_to_boot = BOOT_KERNEL_RECOVERY_CONTINUE;
283
284
285 /* The TPM must already have be initialized, so no need to call SetupTPM(). */
286
287 /* We get the key versions by reading directly from the image blobs without
288 * any additional (expensive) sanity checking on the blob since it's faster to
289 * outright reject a kernel with an older kernel key version. A malformed
290 * or corrupted kernel blob will still fail when VerifyKernel() is called
291 * on it.
292 */
293 kernelA_lversion = GetLogicalKernelVersion(kernelA->kernel_blob);
294 kernelB_lversion = GetLogicalKernelVersion(kernelB->kernel_blob);
295 min_lversion = Min(kernelA_lversion, kernelB_lversion);
296 stored_lversion = CombineUint16Pair(GetStoredVersion(KERNEL_KEY_VERSION),
297 GetStoredVersion(KERNEL_VERSION));
298
299 /* TODO(gauravsh): The kernel entries kernelA and kernelB come from the
300 * partition table - verify its signature/checksum before proceeding
301 * further. */
302
303 /* The logic for deciding which kernel to boot from is taken from the
304 * the Chromium OS Drive Map design document.
305 *
306 * We went to consider the kernels in their according to their boot
307 * priority attribute value.
308 */
309
310 if (kernelA->boot_priority >= kernelB->boot_priority) {
311 try_kernel[0] = kernelA;
312 try_kernel_which[0] = BOOT_KERNEL_A_CONTINUE;
313 try_kernel_lversion[0] = kernelA_lversion;
314 try_kernel[1] = kernelB;
315 try_kernel_which[1] = BOOT_KERNEL_B_CONTINUE;
316 try_kernel_lversion[1] = kernelB_lversion;
317 } else {
318 try_kernel[0] = kernelB;
319 try_kernel_which[0] = BOOT_KERNEL_B_CONTINUE;
320 try_kernel_lversion[0] = kernelB_lversion;
321 try_kernel[1] = kernelA;
322 try_kernel_which[1] = BOOT_KERNEL_A_CONTINUE;
323 try_kernel_lversion[1] = kernelA_lversion;
324 }
325
326 /* TODO(gauravsh): Changes to boot_tries_remaining and boot_priority
327 * below should be propagated to partition table. This will be added
328 * once the firmware parition table parsing code is in. */
329 for (i = 0; i < 2; i++) {
330 if ((try_kernel[i]->boot_success_flag ||
331 try_kernel[i]->boot_tries_remaining) &&
332 (VERIFY_KERNEL_SUCCESS == VerifyKernel(firmware_key_blob,
333 try_kernel[i]->kernel_blob,
334 dev_mode))) {
335 if (try_kernel[i]->boot_tries_remaining > 0)
336 try_kernel[i]->boot_tries_remaining--;
337 if (stored_lversion > try_kernel_lversion[i])
338 continue; /* Rollback: I am afraid I can't let you do that Dave. */
339 if (i == 0 && (stored_lversion < try_kernel_lversion[1])) {
340 /* The higher priority kernel is valid and bootable, See if we
341 * need to update the stored version for rollback prevention. */
342 if (VERIFY_KERNEL_SUCCESS == VerifyKernel(firmware_key_blob,
343 try_kernel[1]->kernel_blob,
344 dev_mode)) {
345 WriteStoredVersion(KERNEL_KEY_VERSION,
346 (uint16_t) (min_lversion >> 16));
347 WriteStoredVersion(KERNEL_VERSION,
348 (uint16_t) (min_lversion & 0xFFFF));
349 stored_lversion = min_lversion; /* Update stored version as it's
350 * used later. */
351 }
352 }
353 kernel_to_boot = try_kernel_which[i];
354 break; /* We found a valid kernel. */
355 }
356 try_kernel[i]->boot_priority = 0;
357 } /* for loop. */
358
359 /* Lock Kernel TPM rollback indices from further writes.
360 * TODO(gauravsh): Figure out if these can be combined into one
361 * 32-bit location since we seem to always use them together. This can help
362 * us minimize the number of NVRAM writes/locks (which are limited over flash
363 * memory lifetimes.
364 */
365 LockStoredVersion(KERNEL_KEY_VERSION);
366 LockStoredVersion(KERNEL_VERSION);
367 return kernel_to_boot;
368 }
OLDNEW
« no previous file with comments | « src/platform/vboot_reference/utils/kernel_image.c ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698