| OLD | NEW |
|---|
| 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
| 3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
| 4 * | 4 * |
| 5 * Functions for generating and manipulating a verified boot firmware image. | 5 * Functions for generating and manipulating a verified boot firmware image. |
| 6 */ | 6 */ |
| 7 | 7 |
| 8 #include "firmware_image.h" | 8 #include "firmware_image.h" |
| 9 | 9 |
| 10 #include <sys/types.h> | 10 #include <sys/types.h> |
| 11 #include <sys/stat.h> | 11 #include <sys/stat.h> |
| 12 #include <fcntl.h> | 12 #include <fcntl.h> |
| 13 #include <unistd.h> | 13 #include <unistd.h> |
| 14 | 14 |
| 15 #include "cryptolib.h" | 15 #include "cryptolib.h" |
| 16 #include "file_keys.h" | 16 #include "file_keys.h" |
| 17 #include "signature_digest.h" | 17 #include "signature_digest.h" |
| 18 #include "stateful_util.h" | 18 #include "stateful_util.h" |
| 19 | 19 |
| 20 /* Macro to determine the size of a field structure in the FirmwareImage | 20 /* Macro to determine the size of a field structure in the FirmwareImage |
| 21 * structure. */ | 21 * structure. */ |
| 22 #define FIELD_LEN(field) (sizeof(((FirmwareImage*)0)->field)) | 22 #define FIELD_LEN(field) (sizeof(((FirmwareImage*)0)->field)) |
| 23 | 23 |
| 24 FirmwareImage* FirmwareImageNew(void) { | 24 FirmwareImage* FirmwareImageNew(void) { |
| 25 FirmwareImage* image = (FirmwareImage*) Malloc(sizeof(FirmwareImage)); | 25 FirmwareImage* image = (FirmwareImage*) Malloc(sizeof(FirmwareImage)); |
| 26 if (image) { | 26 if (image) { |
| 27 image->firmware_sign_key = NULL; | 27 image->firmware_sign_key = NULL; |
| 28 image->kernel_subkey_sign_key = NULL; |
| 28 image->preamble_signature = NULL; | 29 image->preamble_signature = NULL; |
| 29 image->firmware_signature = NULL; | 30 image->firmware_signature = NULL; |
| 30 image->firmware_data = NULL; | 31 image->firmware_data = NULL; |
| 31 } | 32 } |
| 32 return image; | 33 return image; |
| 33 } | 34 } |
| 34 | 35 |
| 35 void FirmwareImageFree(FirmwareImage* image) { | 36 void FirmwareImageFree(FirmwareImage* image) { |
| 36 if (image) { | 37 if (image) { |
| 37 Free(image->firmware_sign_key); | 38 Free(image->firmware_sign_key); |
| 39 Free(image->kernel_subkey_sign_key); |
| 38 Free(image->preamble_signature); | 40 Free(image->preamble_signature); |
| 39 Free(image->firmware_signature); | 41 Free(image->firmware_signature); |
| 40 Free(image->firmware_data); | 42 Free(image->firmware_data); |
| 41 Free(image); | 43 Free(image); |
| 42 } | 44 } |
| 43 } | 45 } |
| 44 | 46 |
| 45 FirmwareImage* ReadFirmwareImage(const char* input_file) { | 47 FirmwareImage* ReadFirmwareImage(const char* input_file) { |
| 46 uint64_t file_size; | 48 uint64_t file_size; |
| 47 int image_len = 0; /* Total size of the firmware image. */ | 49 int image_len = 0; /* Total size of the firmware image. */ |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 109 return NULL; | 111 return NULL; |
| 110 } | 112 } |
| 111 | 113 |
| 112 /* Read key signature. */ | 114 /* Read key signature. */ |
| 113 StatefulMemcpy(&st, image->firmware_key_signature, | 115 StatefulMemcpy(&st, image->firmware_key_signature, |
| 114 FIELD_LEN(firmware_key_signature)); | 116 FIELD_LEN(firmware_key_signature)); |
| 115 | 117 |
| 116 /* Read the firmware preamble. */ | 118 /* Read the firmware preamble. */ |
| 117 StatefulMemcpy(&st,&image->firmware_version, FIELD_LEN(firmware_version)); | 119 StatefulMemcpy(&st,&image->firmware_version, FIELD_LEN(firmware_version)); |
| 118 StatefulMemcpy(&st, &image->firmware_len, FIELD_LEN(firmware_len)); | 120 StatefulMemcpy(&st, &image->firmware_len, FIELD_LEN(firmware_len)); |
| 121 StatefulMemcpy(&st, &image->kernel_subkey_sign_algorithm, |
| 122 FIELD_LEN(kernel_subkey_sign_algorithm)); |
| 123 StatefulMemcpy(&st, image->kernel_subkey_sign_key, |
| 124 RSAProcessedKeySize(image->kernel_subkey_sign_algorithm)); |
| 119 StatefulMemcpy(&st, image->preamble, FIELD_LEN(preamble)); | 125 StatefulMemcpy(&st, image->preamble, FIELD_LEN(preamble)); |
| 120 | 126 |
| 121 /* Read firmware preamble signature. */ | 127 /* Read firmware preamble signature. */ |
| 122 image->preamble_signature = (uint8_t*) Malloc(signature_len); | 128 image->preamble_signature = (uint8_t*) Malloc(signature_len); |
| 123 StatefulMemcpy(&st, image->preamble_signature, signature_len); | 129 StatefulMemcpy(&st, image->preamble_signature, signature_len); |
| 124 | 130 |
| 125 image->firmware_signature = (uint8_t*) Malloc(signature_len); | 131 image->firmware_signature = (uint8_t*) Malloc(signature_len); |
| 126 StatefulMemcpy(&st, image->firmware_signature, signature_len); | 132 StatefulMemcpy(&st, image->firmware_signature, signature_len); |
| 127 | 133 |
| 128 image->firmware_data = (uint8_t*) Malloc(image->firmware_len); | 134 image->firmware_data = (uint8_t*) Malloc(image->firmware_len); |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 180 RSAProcessedKeySize(image->firmware_sign_algorithm)); | 186 RSAProcessedKeySize(image->firmware_sign_algorithm)); |
| 181 StatefulMemcpy_r(&st, &image->header_checksum, FIELD_LEN(header_checksum)); | 187 StatefulMemcpy_r(&st, &image->header_checksum, FIELD_LEN(header_checksum)); |
| 182 | 188 |
| 183 if (st.overrun || st.remaining_len != 0) { /* Underrun or Overrun. */ | 189 if (st.overrun || st.remaining_len != 0) { /* Underrun or Overrun. */ |
| 184 Free(header_blob); | 190 Free(header_blob); |
| 185 return NULL; | 191 return NULL; |
| 186 } | 192 } |
| 187 return header_blob; | 193 return header_blob; |
| 188 } | 194 } |
| 189 | 195 |
| 190 int GetFirmwarePreambleLen(void) { | |
| 191 return (FIELD_LEN(firmware_version) + FIELD_LEN(firmware_len) + | |
| 192 FIELD_LEN(preamble)); | |
| 193 } | |
| 194 | 196 |
| 195 uint8_t* GetFirmwarePreambleBlob(const FirmwareImage* image) { | 197 uint8_t* GetFirmwarePreambleBlob(const FirmwareImage* image) { |
| 196 uint8_t* preamble_blob = NULL; | 198 uint8_t* preamble_blob = NULL; |
| 197 MemcpyState st; | 199 MemcpyState st; |
| 200 uint64_t preamble_len = GetFirmwarePreambleLen( |
| 201 image->kernel_subkey_sign_algorithm); |
| 198 | 202 |
| 199 preamble_blob = (uint8_t*) Malloc(GetFirmwarePreambleLen()); | 203 preamble_blob = (uint8_t*) Malloc(preamble_len); |
| 200 st.remaining_len = GetFirmwarePreambleLen(); | 204 st.remaining_len = preamble_len; |
| 201 st.remaining_buf = preamble_blob; | 205 st.remaining_buf = preamble_blob; |
| 202 st.overrun = 0; | 206 st.overrun = 0; |
| 203 | 207 |
| 204 StatefulMemcpy_r(&st, &image->firmware_version, FIELD_LEN(firmware_version)); | 208 StatefulMemcpy_r(&st, &image->firmware_version, FIELD_LEN(firmware_version)); |
| 205 StatefulMemcpy_r(&st, &image->firmware_len, FIELD_LEN(firmware_len)); | 209 StatefulMemcpy_r(&st, &image->firmware_len, FIELD_LEN(firmware_len)); |
| 210 StatefulMemcpy_r(&st, &image->kernel_subkey_sign_algorithm, |
| 211 FIELD_LEN(kernel_subkey_sign_algorithm)); |
| 212 StatefulMemcpy_r(&st, image->kernel_subkey_sign_key, |
| 213 RSAProcessedKeySize(image->kernel_subkey_sign_algorithm)); |
| 206 StatefulMemcpy_r(&st, image->preamble, FIELD_LEN(preamble)); | 214 StatefulMemcpy_r(&st, image->preamble, FIELD_LEN(preamble)); |
| 207 | 215 |
| 208 if (st.overrun || st.remaining_len != 0 ) { /* Underrun or Overrun. */ | 216 if (st.overrun || st.remaining_len != 0 ) { /* Underrun or Overrun. */ |
| 209 Free(preamble_blob); | 217 Free(preamble_blob); |
| 210 return NULL; | 218 return NULL; |
| 211 } | 219 } |
| 212 return preamble_blob; | 220 return preamble_blob; |
| 213 } | 221 } |
| 214 | 222 |
| 215 | 223 |
| 216 uint8_t* GetFirmwareBlob(const FirmwareImage* image, uint64_t* blob_len) { | 224 uint8_t* GetFirmwareBlob(const FirmwareImage* image, uint64_t* blob_len) { |
| 217 int firmware_signature_len; | 225 int firmware_signature_len; |
| 218 uint8_t* firmware_blob = NULL; | 226 uint8_t* firmware_blob = NULL; |
| 219 uint8_t* header_blob = NULL; | 227 uint8_t* header_blob = NULL; |
| 220 uint8_t* preamble_blob = NULL; | 228 uint8_t* preamble_blob = NULL; |
| 221 MemcpyState st; | 229 MemcpyState st; |
| 222 | 230 |
| 223 if (!image) | 231 if (!image) |
| 224 return NULL; | 232 return NULL; |
| 225 | 233 |
| 226 firmware_signature_len = siglen_map[image->firmware_sign_algorithm]; | 234 firmware_signature_len = siglen_map[image->firmware_sign_algorithm]; |
| 227 *blob_len = (FIELD_LEN(magic) + | 235 *blob_len = (FIELD_LEN(magic) + |
| 228 GetFirmwareHeaderLen(image) + | 236 GetFirmwareHeaderLen(image) + |
| 229 FIELD_LEN(firmware_key_signature) + | 237 FIELD_LEN(firmware_key_signature) + |
| 230 GetFirmwarePreambleLen() + | 238 GetFirmwarePreambleLen(image->kernel_subkey_sign_algorithm) + |
| 231 2 * firmware_signature_len + | 239 2 * firmware_signature_len + |
| 232 image->firmware_len); | 240 image->firmware_len); |
| 233 firmware_blob = (uint8_t*) Malloc(*blob_len); | 241 firmware_blob = (uint8_t*) Malloc(*blob_len); |
| 234 st.remaining_len = *blob_len; | 242 st.remaining_len = *blob_len; |
| 235 st.remaining_buf = firmware_blob; | 243 st.remaining_buf = firmware_blob; |
| 236 st.overrun = 0; | 244 st.overrun = 0; |
| 237 | 245 |
| 238 header_blob = GetFirmwareHeaderBlob(image); | 246 header_blob = GetFirmwareHeaderBlob(image); |
| 239 preamble_blob = GetFirmwarePreambleBlob(image); | 247 preamble_blob = GetFirmwarePreambleBlob(image); |
| 240 | 248 |
| 241 StatefulMemcpy_r(&st, image->magic, FIELD_LEN(magic)); | 249 StatefulMemcpy_r(&st, image->magic, FIELD_LEN(magic)); |
| 242 StatefulMemcpy_r(&st, header_blob, GetFirmwareHeaderLen(image)); | 250 StatefulMemcpy_r(&st, header_blob, GetFirmwareHeaderLen(image)); |
| 243 StatefulMemcpy_r(&st, image->firmware_key_signature, | 251 StatefulMemcpy_r(&st, image->firmware_key_signature, |
| 244 FIELD_LEN(firmware_key_signature)); | 252 FIELD_LEN(firmware_key_signature)); |
| 245 StatefulMemcpy_r(&st, preamble_blob, GetFirmwarePreambleLen()); | 253 StatefulMemcpy_r(&st, preamble_blob, |
| 254 GetFirmwarePreambleLen(image->kernel_subkey_sign_algorithm)); |
| 246 StatefulMemcpy_r(&st, image->preamble_signature, firmware_signature_len); | 255 StatefulMemcpy_r(&st, image->preamble_signature, firmware_signature_len); |
| 247 StatefulMemcpy_r(&st, image->firmware_signature, firmware_signature_len); | 256 StatefulMemcpy_r(&st, image->firmware_signature, firmware_signature_len); |
| 248 StatefulMemcpy_r(&st, image->firmware_data, image->firmware_len); | 257 StatefulMemcpy_r(&st, image->firmware_data, image->firmware_len); |
| 249 | 258 |
| 250 Free(preamble_blob); | 259 Free(preamble_blob); |
| 251 Free(header_blob); | 260 Free(header_blob); |
| 252 | 261 |
| 253 if (st.overrun || st.remaining_len != 0) { /* Underrun or Overrun. */ | 262 if (st.overrun || st.remaining_len != 0) { /* Underrun or Overrun. */ |
| 254 Free(firmware_blob); | 263 Free(firmware_blob); |
| 255 return NULL; | 264 return NULL; |
| (...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 390 | 399 |
| 391 if (image->firmware_sign_algorithm >= kNumAlgorithms) | 400 if (image->firmware_sign_algorithm >= kNumAlgorithms) |
| 392 return VERIFY_FIRMWARE_INVALID_ALGORITHM; | 401 return VERIFY_FIRMWARE_INVALID_ALGORITHM; |
| 393 | 402 |
| 394 /* Verify firmware preamble signature. */ | 403 /* Verify firmware preamble signature. */ |
| 395 DigestInit(&ctx, image->firmware_sign_algorithm); | 404 DigestInit(&ctx, image->firmware_sign_algorithm); |
| 396 DigestUpdate(&ctx, (uint8_t*) &image->firmware_version, | 405 DigestUpdate(&ctx, (uint8_t*) &image->firmware_version, |
| 397 FIELD_LEN(firmware_version)); | 406 FIELD_LEN(firmware_version)); |
| 398 DigestUpdate(&ctx, (uint8_t*) &image->firmware_len, | 407 DigestUpdate(&ctx, (uint8_t*) &image->firmware_len, |
| 399 FIELD_LEN(firmware_len)); | 408 FIELD_LEN(firmware_len)); |
| 409 DigestUpdate(&ctx, (uint8_t*) &image->kernel_subkey_sign_algorithm, |
| 410 FIELD_LEN(kernel_subkey_sign_algorithm)); |
| 411 DigestUpdate(&ctx, (uint8_t*) image->kernel_subkey_sign_key, |
| 412 RSAProcessedKeySize(image->kernel_subkey_sign_algorithm)); |
| 400 DigestUpdate(&ctx, (uint8_t*) &image->preamble, | 413 DigestUpdate(&ctx, (uint8_t*) &image->preamble, |
| 401 FIELD_LEN(preamble)); | 414 FIELD_LEN(preamble)); |
| 402 preamble_digest = DigestFinal(&ctx); | 415 preamble_digest = DigestFinal(&ctx); |
| 403 if (!RSAVerify(firmware_sign_key, image->preamble_signature, | 416 if (!RSAVerify(firmware_sign_key, image->preamble_signature, |
| 404 signature_size, image->firmware_sign_algorithm, | 417 signature_size, image->firmware_sign_algorithm, |
| 405 preamble_digest)) { | 418 preamble_digest)) { |
| 406 error_code = VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED; | 419 error_code = VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED; |
| 407 goto verify_failure; | 420 goto verify_failure; |
| 408 } | 421 } |
| 409 | 422 |
| 410 /* Verify firmware signature - firmware signature is on the contents | 423 /* Verify firmware signature - firmware signature is on the contents |
| 411 of firmware preamble + firmware_data. */ | 424 of firmware preamble + firmware_data. */ |
| 412 DigestInit(&firmware_ctx, image->firmware_sign_algorithm); | 425 DigestInit(&firmware_ctx, image->firmware_sign_algorithm); |
| 413 DigestUpdate(&firmware_ctx, (uint8_t*) &image->firmware_version, | 426 DigestUpdate(&firmware_ctx, (uint8_t*) &image->firmware_version, |
| 414 FIELD_LEN(firmware_version)); | 427 FIELD_LEN(firmware_version)); |
| 415 DigestUpdate(&firmware_ctx, (uint8_t*) &image->firmware_len, | 428 DigestUpdate(&firmware_ctx, (uint8_t*) &image->firmware_len, |
| 416 FIELD_LEN(firmware_len)); | 429 FIELD_LEN(firmware_len)); |
| 430 DigestUpdate(&firmware_ctx, (uint8_t*) &image->kernel_subkey_sign_algorithm, |
| 431 FIELD_LEN(kernel_subkey_sign_algorithm)); |
| 432 DigestUpdate(&firmware_ctx, (uint8_t*) image->kernel_subkey_sign_key, |
| 433 RSAProcessedKeySize(image->kernel_subkey_sign_algorithm)); |
| 417 DigestUpdate(&firmware_ctx, (uint8_t*) &image->preamble, | 434 DigestUpdate(&firmware_ctx, (uint8_t*) &image->preamble, |
| 418 FIELD_LEN(preamble)); | 435 FIELD_LEN(preamble)); |
| 419 DigestUpdate(&firmware_ctx, image->firmware_data, image->firmware_len); | 436 DigestUpdate(&firmware_ctx, image->firmware_data, image->firmware_len); |
| 420 firmware_digest = DigestFinal(&firmware_ctx); | 437 firmware_digest = DigestFinal(&firmware_ctx); |
| 421 if (!RSAVerify(firmware_sign_key, image->firmware_signature, | 438 if (!RSAVerify(firmware_sign_key, image->firmware_signature, |
| 422 signature_size, image->firmware_sign_algorithm, | 439 signature_size, image->firmware_sign_algorithm, |
| 423 firmware_digest)) { | 440 firmware_digest)) { |
| 424 error_code = VERIFY_FIRMWARE_SIGNATURE_FAILED; | 441 error_code = VERIFY_FIRMWARE_SIGNATURE_FAILED; |
| 425 goto verify_failure; | 442 goto verify_failure; |
| 426 } | 443 } |
| (...skipping 30 matching lines...) Expand all Loading... |
| 457 Free(signature); | 474 Free(signature); |
| 458 return 1; | 475 return 1; |
| 459 } | 476 } |
| 460 | 477 |
| 461 int AddFirmwareSignature(FirmwareImage* image, const char* signing_key_file) { | 478 int AddFirmwareSignature(FirmwareImage* image, const char* signing_key_file) { |
| 462 uint8_t* preamble_blob = NULL; | 479 uint8_t* preamble_blob = NULL; |
| 463 uint8_t* preamble_signature = NULL; | 480 uint8_t* preamble_signature = NULL; |
| 464 uint8_t* firmware_signature = NULL; | 481 uint8_t* firmware_signature = NULL; |
| 465 uint8_t* firmware_buf = NULL; | 482 uint8_t* firmware_buf = NULL; |
| 466 int signature_len = siglen_map[image->firmware_sign_algorithm]; | 483 int signature_len = siglen_map[image->firmware_sign_algorithm]; |
| 484 uint64_t preamble_len = GetFirmwarePreambleLen( |
| 485 image->kernel_subkey_sign_algorithm); |
| 467 | 486 |
| 468 preamble_blob = GetFirmwarePreambleBlob(image); | 487 preamble_blob = GetFirmwarePreambleBlob(image); |
| 469 if (!preamble_blob) | 488 if (!preamble_blob) |
| 470 return 0; | 489 return 0; |
| 471 if (!(preamble_signature = SignatureBuf(preamble_blob, | 490 if (!(preamble_signature = SignatureBuf(preamble_blob, |
| 472 GetFirmwarePreambleLen(), | 491 preamble_len, |
| 473 signing_key_file, | 492 signing_key_file, |
| 474 image->firmware_sign_algorithm))) { | 493 image->firmware_sign_algorithm))) { |
| 475 Free(preamble_blob); | 494 Free(preamble_blob); |
| 476 return 0; | 495 return 0; |
| 477 } | 496 } |
| 478 image->preamble_signature = (uint8_t*) Malloc(signature_len); | 497 image->preamble_signature = (uint8_t*) Malloc(signature_len); |
| 479 Memcpy(image->preamble_signature, preamble_signature, signature_len); | 498 Memcpy(image->preamble_signature, preamble_signature, signature_len); |
| 480 Free(preamble_signature); | 499 Free(preamble_signature); |
| 481 /* Firmware signature must be calculated on preamble + firmware_data | 500 /* Firmware signature must be calculated on preamble + firmware_data |
| 482 * to avoid splicing attacks. */ | 501 * to avoid splicing attacks. */ |
| 483 firmware_buf = (uint8_t*) Malloc(GetFirmwarePreambleLen() + | 502 firmware_buf = (uint8_t*) Malloc(preamble_len + |
| 484 image->firmware_len); | 503 image->firmware_len); |
| 485 Memcpy(firmware_buf, preamble_blob, GetFirmwarePreambleLen()); | 504 Memcpy(firmware_buf, preamble_blob, preamble_len); |
| 486 Memcpy(firmware_buf + GetFirmwarePreambleLen(), image->firmware_data, | 505 Memcpy(firmware_buf + preamble_len, image->firmware_data, |
| 487 image->firmware_len); | 506 image->firmware_len); |
| 488 if (!(firmware_signature = SignatureBuf(firmware_buf, | 507 if (!(firmware_signature = SignatureBuf(firmware_buf, |
| 489 GetFirmwarePreambleLen() + | 508 preamble_len + |
| 490 image->firmware_len, | 509 image->firmware_len, |
| 491 signing_key_file, | 510 signing_key_file, |
| 492 image->firmware_sign_algorithm))) { | 511 image->firmware_sign_algorithm))) { |
| 493 Free(preamble_blob); | 512 Free(preamble_blob); |
| 494 Free(firmware_buf); | 513 Free(firmware_buf); |
| 495 return 0; | 514 return 0; |
| 496 } | 515 } |
| 497 image->firmware_signature = (uint8_t*) Malloc(signature_len); | 516 image->firmware_signature = (uint8_t*) Malloc(signature_len); |
| 498 Memcpy(image->firmware_signature, firmware_signature, signature_len); | 517 Memcpy(image->firmware_signature, firmware_signature, signature_len); |
| 499 Free(firmware_signature); | 518 Free(firmware_signature); |
| 500 Free(firmware_buf); | 519 Free(firmware_buf); |
| 501 Free(preamble_blob); | 520 Free(preamble_blob); |
| 502 return 1; | 521 return 1; |
| 503 } | 522 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2589001:
Add a kernel subkey signing algorithm key and algorithm fields to firmware preamble. (Closed)
Base URL: ssh://git@gitrw.chromium.org/chromiumos