| Index: src/platform/vboot_reference/utils/firmware_image.c
|
| diff --git a/src/platform/vboot_reference/utils/firmware_image.c b/src/platform/vboot_reference/utils/firmware_image.c
|
| index 2e3f92441ee40fc2698ec47eddbdc12f6d072e6d..803ef893254bf73c77054e3d963bba1378f7414c 100644
|
| --- a/src/platform/vboot_reference/utils/firmware_image.c
|
| +++ b/src/platform/vboot_reference/utils/firmware_image.c
|
| @@ -9,14 +9,12 @@
|
|
|
| #include <fcntl.h>
|
| #include <limits.h>
|
| -#include <stdio.h>
|
| #include <sys/types.h>
|
| #include <sys/stat.h>
|
| #include <unistd.h>
|
|
|
| #include "file_keys.h"
|
| #include "padding.h"
|
| -#include "rollback_index.h"
|
| #include "rsa_utility.h"
|
| #include "sha_utility.h"
|
| #include "signature_digest.h"
|
| @@ -71,7 +69,7 @@ FirmwareImage* ReadFirmwareImage(const char* input_file) {
|
| /* Read and compare magic bytes. */
|
| StatefulMemcpy(&st, &image->magic, FIRMWARE_MAGIC_SIZE);
|
| if (SafeMemcmp(image->magic, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) {
|
| - fprintf(stderr, "Wrong Firmware Magic.\n");
|
| + debug("Wrong Firmware Magic.\n");
|
| Free(firmware_buf);
|
| return NULL;
|
| }
|
| @@ -92,8 +90,8 @@ FirmwareImage* ReadFirmwareImage(const char* input_file) {
|
| /* Check whether the header length is correct. */
|
| header_len = GetFirmwareHeaderLen(image);
|
| if (header_len != image->header_len) {
|
| - fprintf(stderr, "Header length mismatch. Got: %d Expected: %d\n",
|
| - image->header_len, header_len);
|
| + debug("Header length mismatch. Got: %d Expected: %d\n",
|
| + image->header_len, header_len);
|
| Free(firmware_buf);
|
| return NULL;
|
| }
|
| @@ -109,7 +107,7 @@ FirmwareImage* ReadFirmwareImage(const char* input_file) {
|
| CalculateFirmwareHeaderChecksum(image, header_checksum);
|
| if (SafeMemcmp(header_checksum, image->header_checksum,
|
| FIELD_LEN(header_checksum))) {
|
| - fprintf(stderr, "Invalid firmware header checksum!\n");
|
| + debug("Invalid firmware header checksum!\n");
|
| Free(firmware_buf);
|
| return NULL;
|
| }
|
| @@ -271,17 +269,17 @@ int WriteFirmwareImage(const char* input_file,
|
| if (!image)
|
| return 0;
|
| if (-1 == (fd = creat(input_file, S_IRWXU))) {
|
| - fprintf(stderr, "Couldn't open file for writing.\n");
|
| + debug("Couldn't open file for writing.\n");
|
| return 0;
|
| }
|
|
|
| firmware_blob = GetFirmwareBlob(image, &blob_len);
|
| if (!firmware_blob) {
|
| - fprintf(stderr, "Couldn't create firmware blob from FirmwareImage.\n");
|
| + debug("Couldn't create firmware blob from FirmwareImage.\n");
|
| return 0;
|
| }
|
| if (blob_len != write(fd, firmware_blob, blob_len)) {
|
| - fprintf(stderr, "Couldn't write Firmware Image to file: %s\n", input_file);
|
| + debug("Couldn't write Firmware Image to file: %s\n", input_file);
|
| Free(firmware_blob);
|
| close(fd);
|
| return 0;
|
| @@ -296,7 +294,7 @@ void PrintFirmwareImage(const FirmwareImage* image) {
|
| return;
|
|
|
| /* Print header. */
|
| - printf("Header Length = %d\n"
|
| + debug("Header Length = %d\n"
|
| "Firmware Signature Algorithm = %s\n"
|
| "Firmware Key Version = %d\n\n",
|
| image->header_len,
|
| @@ -304,201 +302,13 @@ void PrintFirmwareImage(const FirmwareImage* image) {
|
| image->firmware_key_version);
|
| /* TODO(gauravsh): Output hash and key signature here? */
|
| /* Print preamble. */
|
| - printf("Firmware Version = %d\n"
|
| + debug("Firmware Version = %d\n"
|
| "Firmware Length = %" PRIu64 "\n\n",
|
| image->firmware_version,
|
| image->firmware_len);
|
| /* Output key signature here? */
|
| }
|
|
|
| -char* kVerifyFirmwareErrors[VERIFY_FIRMWARE_MAX] = {
|
| - "Success.",
|
| - "Invalid Image.",
|
| - "Root Key Signature Failed.",
|
| - "Invalid Verification Algorithm.",
|
| - "Preamble Signature Failed.",
|
| - "Firmware Signature Failed.",
|
| - "Wrong Firmware Magic.",
|
| - "Invalid Firmware Header Checksum.",
|
| - "Firmware Signing Key Rollback.",
|
| - "Firmware Version Rollback."
|
| -};
|
| -
|
| -int VerifyFirmwareHeader(const uint8_t* root_key_blob,
|
| - const uint8_t* header_blob,
|
| - int* algorithm,
|
| - int* header_len) {
|
| - int firmware_sign_key_len;
|
| - int root_key_len;
|
| - uint16_t hlen, algo;
|
| - uint8_t* header_checksum = NULL;
|
| -
|
| - /* Base Offset for the header_checksum field. Actual offset is
|
| - * this + firmware_sign_key_len. */
|
| - int base_header_checksum_offset = (FIELD_LEN(header_len) +
|
| - FIELD_LEN(firmware_sign_algorithm) +
|
| - FIELD_LEN(firmware_key_version));
|
| -
|
| -
|
| - root_key_len = RSAProcessedKeySize(ROOT_SIGNATURE_ALGORITHM);
|
| - Memcpy(&hlen, header_blob, sizeof(hlen));
|
| - Memcpy(&algo,
|
| - header_blob + FIELD_LEN(firmware_sign_algorithm),
|
| - sizeof(algo));
|
| - if (algo >= kNumAlgorithms)
|
| - return VERIFY_FIRMWARE_INVALID_ALGORITHM;
|
| - *algorithm = (int) algo;
|
| - firmware_sign_key_len = RSAProcessedKeySize(*algorithm);
|
| -
|
| - /* Verify that header len is correct. */
|
| - if (hlen != (base_header_checksum_offset +
|
| - firmware_sign_key_len +
|
| - FIELD_LEN(header_checksum)))
|
| - return VERIFY_FIRMWARE_INVALID_IMAGE;
|
| -
|
| - *header_len = (int) hlen;
|
| -
|
| - /* Verify if the hash of the header is correct. */
|
| - header_checksum = DigestBuf(header_blob,
|
| - *header_len - FIELD_LEN(header_checksum),
|
| - SHA512_DIGEST_ALGORITHM);
|
| - if (SafeMemcmp(header_checksum,
|
| - header_blob + (base_header_checksum_offset +
|
| - firmware_sign_key_len),
|
| - FIELD_LEN(header_checksum))) {
|
| - Free(header_checksum);
|
| - return VERIFY_FIRMWARE_WRONG_HEADER_CHECKSUM;
|
| - }
|
| - Free(header_checksum);
|
| -
|
| - /* Root key signature on the firmware signing key is always checked
|
| - * irrespective of dev mode. */
|
| - if (!RSAVerifyBinary_f(root_key_blob, NULL, /* Key to use */
|
| - header_blob, /* Data to verify */
|
| - *header_len, /* Length of data */
|
| - header_blob + *header_len, /* Expected Signature */
|
| - ROOT_SIGNATURE_ALGORITHM))
|
| - return VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED;
|
| - return 0;
|
| -}
|
| -
|
| -int VerifyFirmwarePreamble(RSAPublicKey* firmware_sign_key,
|
| - const uint8_t* preamble_blob,
|
| - int algorithm,
|
| - uint64_t* firmware_len) {
|
| - uint64_t len;
|
| - int preamble_len;
|
| - uint16_t firmware_version;
|
| -
|
| - Memcpy(&firmware_version, preamble_blob, sizeof(firmware_version));
|
| -
|
| - preamble_len = (FIELD_LEN(firmware_version) +
|
| - FIELD_LEN(firmware_len) +
|
| - FIELD_LEN(preamble));
|
| - if (!RSAVerifyBinary_f(NULL, firmware_sign_key, /* Key to use */
|
| - preamble_blob, /* Data to verify */
|
| - preamble_len, /* Length of data */
|
| - preamble_blob + preamble_len, /* Expected Signature */
|
| - algorithm))
|
| - return VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED;
|
| -
|
| - Memcpy(&len, preamble_blob + FIELD_LEN(firmware_version),
|
| - sizeof(len));
|
| - *firmware_len = len;
|
| - return 0;
|
| -}
|
| -
|
| -int VerifyFirmwareData(RSAPublicKey* firmware_sign_key,
|
| - const uint8_t* preamble_start,
|
| - const uint8_t* firmware_data_start,
|
| - uint64_t firmware_len,
|
| - int algorithm) {
|
| - int signature_len = siglen_map[algorithm];
|
| - uint8_t* digest;
|
| - DigestContext ctx;
|
| -
|
| - /* Since the firmware signature is over the preamble and the firmware data,
|
| - * which does not form a contiguous region of memory, we calculate the
|
| - * message digest ourselves. */
|
| - DigestInit(&ctx, algorithm);
|
| - DigestUpdate(&ctx, preamble_start, GetFirmwarePreambleLen());
|
| - DigestUpdate(&ctx, firmware_data_start + signature_len, firmware_len);
|
| - digest = DigestFinal(&ctx);
|
| - if (!RSAVerifyBinaryWithDigest_f(
|
| - NULL, firmware_sign_key, /* Key to use. */
|
| - digest, /* Digest of the data to verify. */
|
| - firmware_data_start, /* Expected Signature */
|
| - algorithm)) {
|
| - Free(digest);
|
| - return VERIFY_FIRMWARE_SIGNATURE_FAILED;
|
| - }
|
| - Free(digest);
|
| - return 0;
|
| -}
|
| -
|
| -int VerifyFirmware(const uint8_t* root_key_blob,
|
| - const uint8_t* firmware_blob) {
|
| - int error_code = 0;
|
| - int algorithm; /* Signing key algorithm. */
|
| - RSAPublicKey* firmware_sign_key = NULL;
|
| - int firmware_sign_key_len, signature_len, header_len;
|
| - uint64_t firmware_len;
|
| - const uint8_t* header_ptr = NULL; /* Pointer to header. */
|
| - const uint8_t* firmware_sign_key_ptr = NULL; /* Pointer to signing key. */
|
| - const uint8_t* preamble_ptr = NULL; /* Pointer to preamble block. */
|
| - const uint8_t* firmware_ptr = NULL; /* Pointer to firmware signature/data. */
|
| -
|
| - /* Note: All the offset calculations are based on struct FirmwareImage which
|
| - * is defined in include/firmware_image.h. */
|
| -
|
| - /* Compare magic bytes. */
|
| - if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE))
|
| - return VERIFY_FIRMWARE_WRONG_MAGIC;
|
| - header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE;
|
| -
|
| - /* Only continue if header verification succeeds. */
|
| - if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr,
|
| - &algorithm, &header_len)))
|
| - return error_code; /* AKA jump to revovery. */
|
| -
|
| - /* Parse signing key into RSAPublicKey structure since it is required multiple
|
| - * times. */
|
| - firmware_sign_key_len = RSAProcessedKeySize(algorithm);
|
| - firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) +
|
| - FIELD_LEN(firmware_sign_algorithm) +
|
| - FIELD_LEN(firmware_key_version));
|
| - firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr,
|
| - firmware_sign_key_len);
|
| - signature_len = siglen_map[algorithm];
|
| -
|
| - /* Only continue if preamble verification succeeds. */
|
| - preamble_ptr = (header_ptr + header_len +
|
| - FIELD_LEN(firmware_key_signature));
|
| - if ((error_code = VerifyFirmwarePreamble(firmware_sign_key, preamble_ptr,
|
| - algorithm,
|
| - &firmware_len))) {
|
| - RSAPublicKeyFree(firmware_sign_key);
|
| - fprintf(stderr, "Couldn't verify Firmware preamble.\n");
|
| - return error_code; /* AKA jump to recovery. */
|
| - }
|
| - /* Only continue if firmware data verification succeeds. */
|
| - firmware_ptr = (preamble_ptr +
|
| - GetFirmwarePreambleLen() +
|
| - signature_len);
|
| -
|
| - if ((error_code = VerifyFirmwareData(firmware_sign_key, preamble_ptr,
|
| - firmware_ptr,
|
| - firmware_len,
|
| - algorithm))) {
|
| - RSAPublicKeyFree(firmware_sign_key);
|
| - fprintf(stderr, "Couldn't verify Firmware data.\n");
|
| - return error_code; /* AKA jump to recovery. */
|
| - }
|
| -
|
| - RSAPublicKeyFree(firmware_sign_key);
|
| - return 0; /* Success! */
|
| -}
|
| -
|
| int VerifyFirmwareImage(const RSAPublicKey* root_key,
|
| const FirmwareImage* image) {
|
| RSAPublicKey* firmware_sign_key = NULL;
|
| @@ -662,114 +472,3 @@ int AddFirmwareSignature(FirmwareImage* image, const char* signing_key_file) {
|
| Free(preamble_blob);
|
| return 1;
|
| }
|
| -
|
| -uint32_t GetLogicalFirmwareVersion(uint8_t* firmware_blob) {
|
| - uint16_t firmware_key_version;
|
| - uint16_t firmware_version;
|
| - uint16_t firmware_sign_algorithm;
|
| - int firmware_sign_key_len;
|
| - Memcpy(&firmware_sign_algorithm,
|
| - firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
|
| - FIELD_LEN(header_len)),
|
| - sizeof(firmware_sign_algorithm));
|
| - Memcpy(&firmware_key_version,
|
| - firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
|
| - FIELD_LEN(header_len) +
|
| - FIELD_LEN(firmware_sign_algorithm)),
|
| - sizeof(firmware_key_version));
|
| - if (firmware_sign_algorithm >= kNumAlgorithms)
|
| - return 0;
|
| - firmware_sign_key_len = RSAProcessedKeySize(firmware_sign_algorithm);
|
| - Memcpy(&firmware_version,
|
| - firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
|
| - FIELD_LEN(header_len) +
|
| - FIELD_LEN(firmware_key_version) +
|
| - firmware_sign_key_len +
|
| - FIELD_LEN(header_checksum) +
|
| - FIELD_LEN(firmware_key_signature)),
|
| - sizeof(firmware_version));
|
| - return CombineUint16Pair(firmware_key_version, firmware_version);
|
| -}
|
| -
|
| -int VerifyFirmwareDriver_f(uint8_t* root_key_blob,
|
| - uint8_t* firmwareA,
|
| - uint8_t* firmwareB) {
|
| - /* Contains the logical firmware version (32-bit) which is calculated as
|
| - * (firmware_key_version << 16 | firmware_version) where
|
| - * [firmware_key_version] [firmware_version] are both 16-bit.
|
| - */
|
| - uint32_t firmwareA_lversion, firmwareB_lversion;
|
| - uint8_t firmwareA_is_verified = 0; /* Whether firmwareA verify succeeded. */
|
| - uint32_t min_lversion; /* Minimum of firmware A and firmware lversion. */
|
| - uint32_t stored_lversion; /* Stored logical version in the TPM. */
|
| -
|
| - /* Initialize the TPM since we'll be reading the rollback indices. */
|
| - SetupTPM();
|
| -
|
| - /* We get the key versions by reading directly from the image blobs without
|
| - * any additional (expensive) sanity checking on the blob since it's faster to
|
| - * outright reject a firmware with an older firmware key version. A malformed
|
| - * or corrupted firmware blob will still fail when VerifyFirmware() is called
|
| - * on it.
|
| - */
|
| - firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA);
|
| - firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB);
|
| - min_lversion = Min(firmwareA_lversion, firmwareB_lversion);
|
| - stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION),
|
| - GetStoredVersion(FIRMWARE_VERSION));
|
| - /* Always try FirmwareA first. */
|
| - if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA))
|
| - firmwareA_is_verified = 1;
|
| - if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) {
|
| - /* Stored version may need to be updated but only if FirmwareB
|
| - * is successfully verified and has a logical version greater than
|
| - * the stored logical version. */
|
| - if (stored_lversion < firmwareB_lversion) {
|
| - if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB)) {
|
| - WriteStoredVersion(FIRMWARE_KEY_VERSION,
|
| - (uint16_t) (min_lversion >> 16));
|
| - WriteStoredVersion(FIRMWARE_VERSION,
|
| - (uint16_t) (min_lversion & 0x00FFFF));
|
| - stored_lversion = min_lversion; /* Update stored version as it's used
|
| - * later. */
|
| - }
|
| - }
|
| - }
|
| - /* Lock Firmware TPM rollback indices from further writes. */
|
| - /* TODO(gauravsh): Figure out if these can be combined into one
|
| - * 32-bit location since we seem to always use them together. This can help
|
| - * us minimize the number of NVRAM writes/locks (which are limited over flash
|
| - * memory lifetimes.
|
| - */
|
| - LockStoredVersion(FIRMWARE_KEY_VERSION);
|
| - LockStoredVersion(FIRMWARE_VERSION);
|
| -
|
| - /* Determine which firmware (if any) to jump to.
|
| - *
|
| - * We always attempt to jump to FirmwareA first. If verification of FirmwareA
|
| - * fails, we try FirmwareB. In all cases, if the firmware successfully
|
| - * verified but is a rollback, we jump to recovery.
|
| - *
|
| - * Note: This means that if FirmwareA verified successfully and is a
|
| - * rollback, then no attempt is made to check FirmwareB. We still jump to
|
| - * recovery. FirmwareB is only used as a backup in case FirmwareA gets
|
| - * corrupted. Since newer firmware updates are always written to A,
|
| - * the case where firmware A is verified but a rollback should not occur in
|
| - * normal operation.
|
| - */
|
| - if (firmwareA_is_verified) {
|
| - if (stored_lversion <= firmwareA_lversion)
|
| - return BOOT_FIRMWARE_A_CONTINUE;
|
| - } else {
|
| - /* If FirmwareA was not valid, then we skipped over the
|
| - * check to update the rollback indices and a Verify of FirmwareB wasn't
|
| - * attempted.
|
| - * If FirmwareB is not a rollback, then we attempt to do the verification.
|
| - */
|
| - if (stored_lversion <= firmwareB_lversion &&
|
| - (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB)))
|
| - return BOOT_FIRMWARE_B_CONTINUE;
|
| - }
|
| - /* D'oh: No bootable firmware. */
|
| - return BOOT_FIRMWARE_RECOVERY_CONTINUE;
|
| -}
|
|
|
Chromium Code Reviews
Issue 1599001:
VBoot Reference: Refactor Pass 1: Split {firmware|kernel}_image (Closed)
