1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
4 * | 4 * |
5 * Data structure and API definitions for a verified boot firmware image. | 5 * Data structure and API definitions for a verified boot firmware image. |
6 */ | 6 */ |
7 | 7 |
8 #ifndef VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ | 8 #ifndef VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ |
9 #define VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ | 9 #define VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ |
10 | 10 |
11 #include <inttypes.h> | 11 #include <inttypes.h> |
12 | 12 |
13 #include "rsa.h" | 13 #include "rsa.h" |
14 #include "sha.h" | 14 #include "sha.h" |
15 | 15 |
16 #define FIRMWARE_MAGIC "CHROMEOS" | 16 #define FIRMWARE_MAGIC "CHROMEOS" |
17 #define FIRMWARE_MAGIC_SIZE 8 | 17 #define FIRMWARE_MAGIC_SIZE 8 |
18 #define FIRMWARE_PREAMBLE_SIZE 8 | 18 #define FIRMWARE_PREAMBLE_SIZE 8 |
19 | 19 |
20 #define ROOT_SIGNATURE_ALGORITHM 11 /* RSA 8192 and SHA-512. */ | 20 /* RSA 8192 and SHA-512. */ |
| 21 #define ROOT_SIGNATURE_ALGORITHM 11 |
21 #define ROOT_SIGNATURE_ALGORITHM_STRING "11" | 22 #define ROOT_SIGNATURE_ALGORITHM_STRING "11" |
22 | 23 |
23 typedef struct FirmwareImage { | 24 typedef struct FirmwareImage { |
24 uint8_t magic[FIRMWARE_MAGIC_SIZE]; | 25 uint8_t magic[FIRMWARE_MAGIC_SIZE]; |
25 /* Key Header */ | 26 /* Key Header */ |
26 uint16_t header_len; /* Length of the header. */ | 27 uint16_t header_len; /* Length of the header. */ |
27 uint16_t sign_algorithm; /* Signature algorithm used by the signing key. */ | 28 uint16_t sign_algorithm; /* Signature algorithm used by the signing key. */ |
28 uint8_t* sign_key; /* Pre-processed public half of signing key. */ | 29 uint8_t* sign_key; /* Pre-processed public half of signing key. */ |
29 uint16_t key_version; /* Key Version# for preventing rollbacks. */ | 30 uint16_t key_version; /* Key Version# for preventing rollbacks. */ |
30 uint8_t header_hash[SHA512_DIGEST_SIZE]; /* SHA-512 hash of the header.*/ | 31 uint8_t header_checksum[SHA512_DIGEST_SIZE]; /* SHA-512 hash of the header.*/ |
31 | 32 |
32 uint8_t key_signature[RSA8192NUMBYTES]; /* Signature of the header above. */ | 33 uint8_t key_signature[RSA8192NUMBYTES]; /* Signature of the header above. */ |
33 | 34 |
34 /* Firmware Preamble. */ | 35 /* Firmware Preamble. */ |
35 uint16_t firmware_version; /* Firmware Version# for preventing rollbacks.*/ | 36 uint16_t firmware_version; /* Firmware Version# for preventing rollbacks.*/ |
36 uint32_t firmware_len; /* Length of the rest of the R/W firmware data. */ | 37 uint32_t firmware_len; /* Length of the rest of the R/W firmware data. */ |
37 uint8_t preamble[FIRMWARE_PREAMBLE_SIZE]; /* Remaining preamble data.*/ | 38 uint8_t preamble[FIRMWARE_PREAMBLE_SIZE]; /* Remaining preamble data.*/ |
38 | 39 |
39 uint8_t* preamble_signature; /* Signature over the preamble. */ | 40 uint8_t* preamble_signature; /* Signature over the preamble. */ |
40 | 41 |
41 /* The firmware signature comes first as it may allow us to parallelize | 42 /* The firmware signature comes first as it may allow us to parallelize |
42 * the firmware data fetch and RSA public operation. | 43 * the firmware data fetch and RSA public operation. |
43 */ | 44 */ |
44 uint8_t* firmware_signature; /* Signature on [firmware_data]. */ | 45 uint8_t* firmware_signature; /* Signature on [firmware_data]. */ |
45 uint8_t* firmware_data; /* Rest of firmware data */ | 46 uint8_t* firmware_data; /* Rest of firmware data */ |
46 | 47 |
47 } FirmwareImage; | 48 } FirmwareImage; |
48 | 49 |
49 /* Allocate and return a new FirmwareImage structure. */ | 50 /* Allocate and return a new FirmwareImage structure. */ |
50 FirmwareImage* FirmwareImageNew(void); | 51 FirmwareImage* FirmwareImageNew(void); |
51 | 52 |
52 /* Deep free the contents of [fw]. */ | 53 /* Deep free the contents of [fw]. */ |
53 void FirmwareImageFree(FirmwareImage* fw); | 54 void FirmwareImageFree(FirmwareImage* fw); |
54 | 55 |
55 /* Read firmware data from file named [input_file] into [image]. | 56 /* Read firmware data from file named [input_file] into [image]. |
56 * | 57 * |
57 * Returns a filled up FirmwareImage on success, NULL on error. | 58 * Returns a filled up FirmwareImage on success, NULL on error. |
58 */ | 59 */ |
59 FirmwareImage* ReadFirmware(const char* input_file, | 60 FirmwareImage* ReadFirmwareImage(const char* input_file, |
60 FirmwareImage* image); | 61 FirmwareImage* image); |
61 | 62 |
62 /* Write firmware header from [image] to an open file pointed by the | 63 /* Write firmware header from [image] to an open file pointed by the |
63 * file descriptor [fd]. | 64 * file descriptor [fd]. |
64 */ | 65 */ |
65 void WriteFirmwareHeader(int fd, FirmwareImage* image); | 66 void WriteFirmwareHeader(int fd, FirmwareImage* image); |
66 | 67 |
67 /* Write firmware preamble from [image] to an open file pointed by the | 68 /* Write firmware preamble from [image] to an open file pointed by the |
68 * file descriptor [fd]. | 69 * file descriptor [fd]. |
69 */ | 70 */ |
70 void WriteFirmwarePreamble(int fd, FirmwareImage* image); | 71 void WriteFirmwarePreamble(int fd, FirmwareImage* image); |
71 | 72 |
72 | 73 |
73 /* Write firmware data from [image] into a file named [input_file]. | 74 /* Write firmware data from [image] into a file named [input_file]. |
74 * | 75 * |
75 * Return [image] on success, NULL on error. | 76 * Return [image] on success, NULL on error. |
76 */ | 77 */ |
77 FirmwareImage* WriteFirmware(const char* input_file, | 78 FirmwareImage* WriteFirmwareImage(const char* input_file, |
78 FirmwareImage* image); | 79 FirmwareImage* image); |
79 | 80 |
80 /* Pretty print the contents of [image]. Only headers and metadata information | 81 /* Pretty print the contents of [image]. Only headers and metadata information |
81 * is printed. | 82 * is printed. |
82 */ | 83 */ |
83 void PrintFirmware(const FirmwareImage* image); | 84 void PrintFirmwareImage(const FirmwareImage* image); |
| 85 |
| 86 /* Error Codes for VerifyFirmware* family of functions. */ |
| 87 #define VERIFY_FIRMWARE_SUCCESS 0 |
| 88 #define VERIFY_FIRMWARE_INVALID_IMAGE 1 |
| 89 #define VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED 2 |
| 90 #define VERIFY_FIRMWARE_INVALID_ALGORITHM 3 |
| 91 #define VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED 4 |
| 92 #define VERIFY_FIRMWARE_SIGNATURE_FAILED 5 |
| 93 #define VERIFY_FIRMWARE_WRONG_MAGIC 6 |
| 94 #define VERIFY_FIRMWARE_MAX 7 /* Generic catch-all. */ |
| 95 |
| 96 char* kVerifyFirmwareErrors[VERIFY_FIRMWARE_MAX]; |
| 97 |
| 98 /* Checks for the sanity of the firmware header pointed by [header_blob]. |
| 99 * If [dev_mode] is enabled, also checks the root key signature using the |
| 100 * pre-processed public root key [root_key_blob]. |
| 101 * |
| 102 * On success, put signature algorithm in [algorithm], header length |
| 103 * in [header_len], and return 0. |
| 104 * Else, return error code on failure. |
| 105 */ |
| 106 int VerifyFirmwareHeader(const uint8_t* root_key_blob, |
| 107 const uint8_t* header_blob, |
| 108 const int dev_mode, |
| 109 int* algorithm, |
| 110 int* header_len); |
| 111 |
| 112 /* Checks the preamble signature on firmware preamble pointed by |
| 113 * [preamble_blob] using the signing key [sign_key]. |
| 114 * |
| 115 * On success, put firmware length into [firmware_len], and return 0. |
| 116 * Else, return error code on failure. |
| 117 */ |
| 118 int VerifyFirmwarePreamble(RSAPublicKey* sign_key, |
| 119 const uint8_t* preamble_blob, |
| 120 int algorithm, |
| 121 int* firmware_len); |
| 122 |
| 123 /* Checks the signature on the firmware data at location [firmware_data_start]. |
| 124 * The length of the actual firmware data is firmware_len and it is assumed to |
| 125 * be prepended with the signature whose size depends on the signature_algorithm |
| 126 * [algorithm]. |
| 127 * |
| 128 * Return 0 on success, error code on failure. |
| 129 */ |
| 130 int VerifyFirmwareData(RSAPublicKey* sign_key, |
| 131 const uint8_t* firmware_data_start, |
| 132 int firmware_len, |
| 133 int algorithm); |
| 134 |
| 135 /* Performs a chained verify of the firmware blob [firmware_blob]. If |
| 136 * [dev_mode] is 0 [inactive], then the pre-processed public root key |
| 137 * [root_key_blob] is used the verify the signature of the signing key, |
| 138 * else the check is skipped. |
| 139 * |
| 140 * Returns 0 on success, error code on failure. |
| 141 * |
| 142 * NOTE: The length of the firmware blob is derived from reading the fields |
| 143 * in the first few bytes of the buffer. This might look risky but in firmware |
| 144 * land, the start address of the firmware_blob will always be fixed depending |
| 145 * on the memory map on the particular platform. In addition, the signature on |
| 146 * length itself is checked early in the verification process for extra safety. |
| 147 */ |
| 148 int VerifyFirmware(const uint8_t* root_key_blob, |
| 149 const uint8_t* firmware_blob, |
| 150 const int dev_mode); |
84 | 151 |
85 /* Performs a chained verify of the firmware [image]. If [dev_mode] is | 152 /* Performs a chained verify of the firmware [image]. If [dev_mode] is |
86 * 0 (inactive), then the [root_key] is used to verify the signature of | 153 * 0 (inactive), then the [root_key] is used to verify the signature of |
87 * the signing key, else the check is skipped. | 154 * the signing key, else the check is skipped. |
88 * | 155 * |
89 * Returns 0 on success, error code on failure. | 156 * Returns 0 on success, error code on failure. |
90 */ | 157 */ |
91 int VerifyFirmware(const RSAPublicKey* root_key, | 158 int VerifyFirmwareImage(const RSAPublicKey* root_key, |
92 const FirmwareImage* image, | 159 const FirmwareImage* image, |
93 const int dev_mode); | 160 const int dev_mode); |
94 | |
95 /* Error Codes for VerifyFirmware. */ | |
96 #define VERIFY_SUCCESS 0 | |
97 #define VERIFY_INVALID_IMAGE 1 | |
98 #define VERIFY_ROOT_SIGNATURE_FAILED 2 | |
99 #define VERIFY_INVALID_ALGORITHM 3 | |
100 #define VERIFY_PREAMBLE_SIGNATURE_FAILED 4 | |
101 #define VERIFY_FIRMWARE_SIGNATURE_FAILED 5 | |
102 #define VERIFY_MAX 6 /* Generic catch-all. */ | |
103 | |
104 char* kVerifyFirmwareErrors[VERIFY_MAX]; | |
105 | 161 |
106 /* Maps error codes from VerifyFirmware() to error description. */ | 162 /* Maps error codes from VerifyFirmware() to error description. */ |
107 char* VerifyErrorString(int error); | 163 char* VerifyErrorString(int error); |
108 | 164 |
109 | |
110 /* Helper function to invoke external program to calculate signature on | |
111 * [input_file] using private key [key_file] and signature algorithm | |
112 * [algorithm]. | |
113 * | |
114 * Returns the signature. Caller owns the buffer and must Free() it. | |
115 */ | |
116 uint8_t* SignatureFile(char* input_fie, char* key_file, int algorithm); | |
117 | |
118 /* Add a root key signature to the key header to a firmware image [image] | 165 /* Add a root key signature to the key header to a firmware image [image] |
119 * using the private root key in file [root_key_file]. | 166 * using the private root key in file [root_key_file]. |
120 * | 167 * |
121 * Return 1 on success, 0 on failure. | 168 * Return 1 on success, 0 on failure. |
122 */ | 169 */ |
123 int AddKeySignature(FirmwareImage* image, char* root_key_file); | 170 int AddKeySignature(FirmwareImage* image, char* root_key_file); |
124 | 171 |
125 /* Add firmware and preamble signature to a firmware image [image] | 172 /* Add firmware and preamble signature to a firmware image [image] |
126 * using the private signing key in file [signing_key_file]. | 173 * using the private signing key in file [signing_key_file]. |
127 * | 174 * |
128 * Return 1 on success, 0 on failure. | 175 * Return 1 on success, 0 on failure. |
129 */ | 176 */ |
130 int AddFirmwareSignature(FirmwareImage* image, char* signing_key_file, | 177 int AddFirmwareSignature(FirmwareImage* image, char* signing_key_file, |
131 int algorithm); | 178 int algorithm); |
132 | 179 |
133 #endif /* VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ */ | 180 #endif /* VBOOT_REFERENCE_FIRMWARE_IMAGE_H_ */ |
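Review bot: The comment on VerifyFirmwareHeader (new lines 99-100) says the root-key signature is checked "If [dev_mode] is enabled", which is the opposite polarity of what VerifyFirmware (new lines 136-138) and VerifyFirmwareImage (new lines 152-154) document, where the root check runs when dev_mode is 0 and is skipped otherwise; since skipping the root check is the security-critical decision, the header comment should read `If [dev_mode] is 0 (inactive), also checks the root key signature using the pre-processed public root key [root_key_blob]; otherwise the root check is skipped.` and the implementation should be confirmed against that polarity. The tentative definition `char* kVerifyFirmwareErrors[VERIFY_FIRMWARE_MAX];` at new line 96 is a definition in a header, so every translation unit including it defines the array (a multiple-definition link error under -fno-common); declare it `extern const char* const kVerifyFirmwareErrors[VERIFY_FIRMWARE_MAX];` here and define it once in the .c file. The length out-parameters `int* header_len` and `int* firmware_len`, and `int firmware_len` on VerifyFirmwareData, carry values the struct declares as uint16_t and uint32_t (new lines 27, 37), so a firmware_len at or above 2^31 read from the blob would become negative before it reaches the hashing code; size_t or the matching fixed-width unsigned types would keep the lengths unsigned. The NOTE at new lines 142-146 relies on the length fields being covered by a signature "early", but header_len lives in the key header that only key_signature covers (new lines 27, 33), so when dev_mode skips the root check that length is presumably unauthenticated when it is first used; the note should say so and the caller should bound it against the platform's firmware region.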