| OLD | NEW |
|---|
| (Empty) | |
| 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 * Use of this source code is governed by a BSD-style license that can be |
| 3 * found in the LICENSE file. |
| 4 * |
| 5 * Data structure and API definitions for a verified boot kernel image. |
| 6 */ |
| 7 |
| 8 #ifndef VBOOT_REFERENCE_KERNEL_IMAGE_H_ |
| 9 #define VBOOT_REFERENCE_KERNEL_IMAGE_H_ |
| 10 |
| 11 #include <inttypes.h> |
| 12 |
| 13 #include "rsa.h" |
| 14 #include "sha.h" |
| 15 |
| 16 #define KERNEL_MAGIC "CHROMEOS" |
| 17 #define KERNEL_MAGIC_SIZE 8 |
| 18 |
| 19 /* Kernel config file options according to the Chrome OS drive map design. */ |
| 20 typedef struct kconfig_options { |
| 21 uint32_t version[2]; /* Configuration file version. */ |
| 22 uint32_t kernel_len; /* Size of the kernel. */ |
| 23 uint64_t kernel_load_addr; /* Load address in memory for the kernel image */ |
| 24 uint64_t kernel_entry_addr; /* Address to jump to after kernel is loaded. */ |
| 25 } kconfig_options; |
| 26 |
| 27 |
| 28 typedef struct KernelImage { |
| 29 uint8_t magic[KERNEL_MAGIC_SIZE]; |
| 30 /* Key header */ |
| 31 uint16_t header_version; /* Header version. */ |
| 32 uint16_t header_len; /* Length of the header. */ |
| 33 uint16_t firmware_sign_algorithm; /* Signature algorithm used by the firmware |
| 34 * signing key (used to sign this kernel |
| 35 * header. */ |
| 36 uint16_t kernel_sign_algorithm; /* Signature algorithm used by the kernel |
| 37 * signing key. */ |
| 38 uint16_t kernel_key_version; /* Key Version# for preventing rollbacks. */ |
| 39 uint8_t* kernel_sign_key; /* Pre-processed public half of signing key. */ |
| 40 /* TODO(gauravsh): Do we need a choice of digest algorithms for the header |
| 41 * checksum? */ |
| 42 uint8_t header_checksum[SHA512_DIGEST_SIZE]; /* SHA-512 Crytographic hash of |
| 43 * the concatenation of the |
| 44 * header fields, i.e. |
| 45 * [header_len, |
| 46 * firmware_sign_algorithm, |
| 47 * sign_algorithm, sign_key, |
| 48 * key_version] */ |
| 49 |
| 50 uint8_t* kernel_key_signature; /* Signature of the header above. */ |
| 51 |
| 52 uint16_t kernel_version; /* Kernel Version# for preventing rollbacks. */ |
| 53 kconfig_options options; /* Other kernel/bootloader options. */ |
| 54 |
| 55 uint8_t* config_signature; /* Signature of the kernel config file. */ |
| 56 |
| 57 /* The kernel signature comes first as it may allow us to parallelize |
| 58 * the kernel data fetch and RSA public key operation. |
| 59 */ |
| 60 uint8_t* kernel_signature; /* Signature on [kernel_data]. */ |
| 61 uint8_t* kernel_data; /* Actual kernel data. */ |
| 62 |
| 63 } KernelImage; |
| 64 |
| 65 /* Allocate and return a new KernelImage structure. */ |
| 66 KernelImage* KernelImageNew(void); |
| 67 |
| 68 /* Deep free the contents of [image]. */ |
| 69 void KernelImageFree(KernelImage* image); |
| 70 |
| 71 /* Read kernel data from file named [input_file]. |
| 72 * |
| 73 * Returns a filled up KernelImage on success, NULL on error. |
| 74 */ |
| 75 KernelImage* ReadKernelImage(const char* input_file); |
| 76 |
| 77 /* Write kernel key header from [image] to an open file pointed by the |
| 78 * file descriptor [fd]. |
| 79 */ |
| 80 void WriteKernelHeader(int fd, KernelImage* image); |
| 81 |
| 82 /* Write kernel config from [image] to an open file pointed by the |
| 83 * file descriptor [fd]. |
| 84 */ |
| 85 void WriteKernelConfig(int fd, KernelImage* image); |
| 86 |
| 87 /* Write kernel data from [image] to a file named [input_file]. |
| 88 * |
| 89 * Return [image] on success, NULL on error. |
| 90 */ |
| 91 KernelImage* WriteKernelImage(const char* input_file, |
| 92 KernelImage* image); |
| 93 |
| 94 /* Pretty print the contents of [image]. Only headers and metadata information |
| 95 * is printed. |
| 96 */ |
| 97 void PrintKernelImage(const KernelImage* image); |
| 98 |
| 99 /* Error Codes for VerifyFirmware. */ |
| 100 #define VERIFY_KERNEL_SUCCESS 0 |
| 101 #define VERIFY_KERNEL_INVALID_IMAGE 1 |
| 102 #define VERIFY_KERNEL_KEY_SIGNATURE_FAILED 2 |
| 103 #define VERIFY_KERNEL_INVALID_ALGORITHM 3 |
| 104 #define VERIFY_KERNEL_CONFIG_SIGNATURE_FAILED 4 |
| 105 #define VERIFY_KERNEL_SIGNATURE_FAILED 5 |
| 106 #define VERIFY_KERNEL_WRONG_MAGIC 6 |
| 107 #define VERIFY_KERNEL_MAX 7 /* Generic catch-all. */ |
| 108 |
| 109 char* kVerifyKernelErrors[VERIFY_KERNEL_MAX]; |
| 110 |
| 111 /* Checks for the sanity of the kernel header pointed by [kernel_header_blob]. |
| 112 * If [dev_mode] is enabled, also checks the firmware key signature using the |
| 113 * pre-processed public firmware signing key [firmware_sign_key_blob]. |
| 114 * |
| 115 * On success, put firmware signature algorithm in [firmware_algorithm], |
| 116 * kernel signature algorithm in [kernel_algorithm], kernel header |
| 117 * length in [header_len], and return 0. |
| 118 * Else, return error code on failure. |
| 119 */ |
| 120 int VerifyFirmwareHeader(const uint8_t* firmware_sign_key_blob, |
| 121 const uint8_t* kernel_header_blob, |
| 122 const int dev_mode, |
| 123 int* firmware_algorithm, |
| 124 int* kernel_algorithm, |
| 125 int* header_len); |
| 126 |
| 127 /* Checks the kernel config (analogous to preamble for firmware) signature on |
| 128 * kernel config pointed by [kernel_config_blob] using the signing key |
| 129 * [kernel_sign_key]. |
| 130 * |
| 131 * On success, put kernel length into [kernel_len], and return 0. |
| 132 * Else, return error code on failure. |
| 133 */ |
| 134 int VerifyKernelConfig(RSAPublicKey* kernel_sign_key, |
| 135 const uint8_t* kernel_config_blob, |
| 136 int algorithm, |
| 137 int* kernel_len); |
| 138 |
| 139 /* Checks the signature on the kernel data at location [kernel_data_start]. |
| 140 * The length of the actual kernel data is kernel _len and it is assumed to |
| 141 * be prepended with the signature whose size depends on the signature_algorithm |
| 142 * [algorithm]. |
| 143 * |
| 144 * Return 0 on success, error code on failure. |
| 145 */ |
| 146 int VerifyKernelData(RSAPublicKey* kernel_sign_key, |
| 147 const uint8_t* kernel_data_start, |
| 148 int kernel_len, |
| 149 int algorithm); |
| 150 |
| 151 /* Performs a chained verify of the kernel blob [kernel_blob]. If |
| 152 * [dev_mode] is 0 [inactive], then the pre-processed public signing key |
| 153 * [root_key_blob] is used to verify the signature of the signing key, |
| 154 * else the check is skipped. |
| 155 * |
| 156 * TODO(gauravsh): Does the dev mode only effect the R/W firmware verification, |
| 157 * or kernel verification, or both? |
| 158 * |
| 159 * Returns 0 on success, error code on failure. |
| 160 * |
| 161 * NOTE: The length of the kernel blob is derived from reading the fields |
| 162 * in the first few bytes of the buffer. This might look risky but in firmware |
| 163 * land, the start address of the kernel_blob will always be fixed depending |
| 164 * on the memory map on the particular platform. In addition, the signature on |
| 165 * length itself is checked early in the verification process for extra safety. |
| 166 */ |
| 167 int VerifyKernel(const uint8_t* signing_key_blob, |
| 168 const uint8_t* kernel_blob, |
| 169 const int dev_mode); |
| 170 |
| 171 /* Performs a chained verify of the kernel [image]. If [dev_mode] is |
| 172 * 0 (inactive), then the [firmware_signing_key] is used to verify the signature |
| 173 * of the signing key, else the check is skipped. |
| 174 * |
| 175 * Returns 0 on success, error code on failure. |
| 176 */ |
| 177 int VerifyKernelImage(const RSAPublicKey* firmware_signing_key, |
| 178 const KernelImage* image, |
| 179 int dev_mode); |
| 180 |
| 181 |
| 182 /* Maps error codes from VerifyKernel*() to error description. */ |
| 183 const char* VerifyKernelErrorString(int error); |
| 184 |
| 185 /* Add a kernel signing key signature to the key header to a kernel image |
| 186 * [image] using the private key in file [firmware_key_file]. |
| 187 * |
| 188 * Return 1 on success, 0 on failure. |
| 189 */ |
| 190 int AddKernelKeySignature(KernelImage* image, const char* firmware_key_file); |
| 191 |
| 192 /* Add a kernel and kernel config signature to a kernel image [image] |
| 193 * using the private signing key in file [kernel_sigining_key_file]. |
| 194 * |
| 195 * Return 1 on success, 0 on failure. |
| 196 */ |
| 197 int AddKernelSignature(KernelImage* image, const char* kernel_sigining_key_file, |
| 198 int algorithm); |
| 199 |
| 200 #endif /* VBOOT_REFERENCE_KERNEL_IMAGE_H_ */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 660161:
Vboot Reference: Add functions to verify signed kernel images. (Closed)
