Vboot reference: A basic user-land verified boot firmware signing and verification utility.

src/platform/vboot_reference/utils/firmware_utility.cc

+// Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Utility for manipulating verified boot firmware images.
+//
+
+#include "firmware_utility.h"
+
+#include <errno.h>
+#include <getopt.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <iostream>
+
+extern "C" {
+#include "file_keys.h"
+#include "firmware_image.h"
+#include "padding.h"
+#include "rsa_utility.h"
+#include "sha_utility.h"
+#include "utility.h"
+}
+
+extern int errno;
+using std::cerr;
+
+namespace vboot_reference {
+
+FirmwareUtility::FirmwareUtility():
+    image_(NULL),
+    root_key_pub_(NULL),
+    firmware_version_(-1),
+    key_version_(-1),
+    sign_algorithm_(-1),
+    is_generate_(false),
+    is_verify_(false) {
+}
+
+FirmwareUtility::~FirmwareUtility() {
+  RSAPublicKeyFree(root_key_pub_);
+  FirmwareImageFree(image_);
+}
+
+void FirmwareUtility::PrintUsage(void) {
+  cerr <<
+      "Utility to generate/verify a verified boot firmware image\n\n"
+      "Usage: firmware_utility <--generate|--verify> [OPTIONS]\n\n"
+      "For \"--verify\",  required OPTIONS are:\n"
+      "--in <infile>\t\t\tVerified boot firmware image to verify.\n"
+      "--root_key_pub <pubkeyfile>\tPre-processed public root key "
+      "to use for verification.\n\n"
+      "For \"--generate\", required OPTIONS are:\n"
+      "--root_key <privkeyfile>\tPrivate root key file\n"
+      "--sign_key <privkeyfile>\tPrivate signing key file\n"
+      "--sign_key_pub <pubkeyfile>\tPre-processed public signing"
+      " key\n"
+      "--sign_algorithm <algoid>\tSigning algorithm to use\n"
+      "--key_version <version#>\tSigning Key Version#\n"
+      "--firmware_version <version#>\tFirmware Version#\n"
+      "--in <infile>\t\t\tFirmware Image to sign\n"
+      "--out <outfile>\t\t\tOutput file for verified boot firmware image\n\n"
+      "<algoid> (for --sign-algorithm) is one of the following:\n";
+  for (int i = 0; i < kNumAlgorithms; i++) {
+    cerr << i << " for " << algo_strings[i] << "\n";
+  }
+  cerr << "\n\n";
+}
+
+bool FirmwareUtility::ParseCmdLineOptions(int argc, char* argv[]) {
+  int option_index;
+  static struct option long_options[] = {
+    {"root_key", 1, 0, 0},
+    {"root_key_pub", 1, 0, 0},
+    {"sign_key", 1, 0, 0},
+    {"sign_key_pub", 1, 0, 0},
+    {"sign_algorithm", 1, 0, 0},
+    {"key_version", 1, 0, 0},
+    {"firmware_version", 1, 0, 0},
+    {"in", 1, 0, 0},
+    {"out", 1, 0, 0},
+    {"generate", 0, 0, 0},
+    {"verify", 0, 0, 0},
+    {NULL, 0, 0, 0}
+  };
+  while (1) {
+    int i = getopt_long(argc, argv, "", long_options, &option_index);
+    if (-1 == i)  // Done with option processing.
+      break;
+    if ('?' == i)  // Invalid option found.
+      return false;
+
+    if (0 == i) {
+      switch(option_index) {
+        case 0:  // root_key
+          root_key_file_ = optarg;
+          break;
+        case 1:  // root_key_pub
+          root_key_pub_file_ = optarg;
+          break;
+        case 2:  // sign_key
+          sign_key_file_ = optarg;
+          break;
+        case 3:  // sign_key_pub
+          sign_key_pub_file_ = optarg;
+          break;
+        case 4:  // sign_algorithm
+          errno = 0;  // strtol() returns an error via errno
+          sign_algorithm_ = strtol(optarg, (char**) NULL, 10);
+          if (errno)
+            return false;
+          break;
+        case 5:  // key_version
+          errno = 0;
+          key_version_ = strtol(optarg, (char**) NULL, 10);
+          if (errno)
+            return false;
+          break;
+        case 6:  // firmware_version
+          errno = 0;
+          firmware_version_ = strtol(optarg, (char**) NULL, 10);
+          if (errno)
+            return false;
+          break;
+        case 7:  // in
+          in_file_ = optarg;
+          break;
+        case 8:  // out
+          out_file_ = optarg;
+          break;
+        case 9:  // generate
+          is_generate_ = true;
+          break;
+        case 10: // verify
+          is_verify_ = true;
+          break;
+      }
+    }
+  }
+  return CheckOptions();
+}
+
+
+void FirmwareUtility::OutputSignedImage(void) {
+  if (image_) {
+    if (!WriteFirmwareImage(out_file_.c_str(), image_)) {
+        cerr << "Couldn't write verified boot image to file "
+                  << out_file_ <<".\n";
+    }
+  }
+}
+
+bool FirmwareUtility::GenerateSignedImage(void) {
+  uint32_t sign_key_pub_len;
+  uint8_t* header_checksum;
+  DigestContext ctx;
+  image_ = FirmwareImageNew();
+
+  Memcpy(image_->magic, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE);
+
+  // Copy pre-processed public signing key.
+  image_->sign_algorithm = (uint16_t) sign_algorithm_;
+  image_->sign_key = BufferFromFile(sign_key_pub_file_.c_str(),
+                                    &sign_key_pub_len);
+  if (!image_->sign_key)
+    return false;
+  image_->key_version = key_version_;
+
+  // Update header length.
+  image_->header_len = (sizeof(image_->header_len) +
+                        sizeof(image_->sign_algorithm) +
+                        sign_key_pub_len +
+                        sizeof(image_->key_version) +
+                        sizeof(image_->header_checksum));
+
+  // Calculate header checksum.
+  DigestInit(&ctx, SHA512_DIGEST_ALGORITHM);
+  DigestUpdate(&ctx, (uint8_t*) &image_->header_len,
+               sizeof(image_->header_len));
+  DigestUpdate(&ctx, (uint8_t*) &image_->sign_algorithm,
+               sizeof(image_->sign_algorithm));
+  DigestUpdate(&ctx, image_->sign_key,
+               RSAProcessedKeySize(image_->sign_algorithm));
+  DigestUpdate(&ctx, (uint8_t*) &image_->key_version,
+               sizeof(image_->key_version));
+  header_checksum = DigestFinal(&ctx);
+  Memcpy(image_->header_checksum, header_checksum, SHA512_DIGEST_SIZE);
+  Free(header_checksum);
+
+  image_->firmware_version = firmware_version_;
+  image_->firmware_len = 0;
+  // TODO(gauravsh): Populate this with the right bytes once we decide
+  // what goes into the preamble.
+  Memset(image_->preamble, 'P', FIRMWARE_PREAMBLE_SIZE);
+  image_->firmware_data = BufferFromFile(in_file_.c_str(),
+                                         &image_->firmware_len);
+  if (!image_)
+    return false;
+  // Generate and add the signatures.
+  if(!AddFirmwareKeySignature(image_, root_key_file_.c_str())) {
+    cerr << "Couldn't write key signature to verified boot image.\n";
+    return false;
+  }
+
+  if(!AddFirmwareSignature(image_, sign_key_file_.c_str(),
+                           image_->sign_algorithm)) {
+    cerr << "Couldn't write firmware signature to verified boot image.\n";
+    return false;
+  }
+  return true;
+}
+
+bool FirmwareUtility::VerifySignedImage(void) {
+  int error;
+  root_key_pub_ = RSAPublicKeyFromFile(root_key_pub_file_.c_str());
+  image_ = ReadFirmwareImage(in_file_.c_str());
+
+  if (!root_key_pub_) {
+    cerr << "Couldn't read pre-processed public root key.\n";
+    return false;
+  }
+
+  if (!image_) {
+    cerr << "Couldn't read firmware image or malformed image.\n";
+    return false;
+  }
+  if(!(error = VerifyFirmwareImage(root_key_pub_, image_, 0)))  // Trusted Mode.
+    return true;
+  cerr << VerifyFirmwareErrorString(error) << "\n";
+  return false;;
+}
+
+bool FirmwareUtility::CheckOptions(void) {
+  if (is_generate_ == is_verify_) {
+    cerr << "One of --generate or --verify must be specified.\n";
+    return false;
+  }
+  // Common required options.
+  if (in_file_.empty()) {
+    cerr << "No input file specified." << "\n";
+    return false;
+  }
+  // Required options for --verify.
+  if (is_verify_ && root_key_pub_file_.empty()) {
+    cerr << "No pre-processed public root key file specified." << "\n";
+    return false;
+  }
+  // Required options for --generate.
+  if (is_generate_) {
+    if (root_key_file_.empty()) {
+      cerr << "No root key file specified." << "\n";
+      return false;
+    }
+    if (firmware_version_ <= 0 || firmware_version_ > 0xFFFF) {
+      cerr << "Invalid or no firmware version specified." << "\n";
+      return false;
+    }
+    if (sign_key_file_.empty()) {
+      cerr << "No signing key file specified." << "\n";
+      return false;
+    }
+    if (sign_key_pub_file_.empty()) {
+      cerr << "No pre-processed public signing key file specified." << "\n";
+      return false;
+    }
+    if (key_version_ <= 0 || key_version_ > 0xFFFF) {
+      cerr << "Invalid or no key version specified." << "\n";
+      return false;
+    }
+    if (sign_algorithm_ < 0 || sign_algorithm_ >= kNumAlgorithms) {
+      cerr << "Invalid or no signing key algorithm specified." << "\n";
+      return false;
+    }
+    if (out_file_.empty()) {
+      cerr <<"No output file specified." << "\n";
+      return false;
+    }
+  }
+  return true;
+}
+
+
+}  // namespace vboot_reference
+
+int main(int argc, char* argv[]) {
+  vboot_reference::FirmwareUtility fu;
+  if (!fu.ParseCmdLineOptions(argc, argv)) {
+    fu.PrintUsage();
+    return -1;
+  }
+  if (fu.is_generate()) {
+    if (!fu.GenerateSignedImage())
+      return -1;
+    fu.OutputSignedImage();
+  }
+  if (fu.is_verify()) {
+    cerr << "Verification ";
+    if(fu.VerifySignedImage())
+      cerr << "SUCCESS.\n";
+    else
+      cerr << "FAILURE.\n";
+  }
+  return 0;
+}