OLD | NEW |
| (Empty) |
1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 // | |
5 // Utility for manipulating verified boot kernel images. | |
6 // | |
7 | |
8 #include "kernel_utility.h" | |
9 | |
10 #include <getopt.h> | |
11 #include <stdio.h> | |
12 #include <stdint.h> // Needed for UINT16_MAX. | |
13 #include <stdlib.h> | |
14 #include <unistd.h> | |
15 | |
16 #include <iostream> | |
17 | |
18 extern "C" { | |
19 #include "cryptolib.h" | |
20 #include "file_keys.h" | |
21 #include "kernel_image.h" | |
22 #include "stateful_util.h" | |
23 #include "utility.h" | |
24 } | |
25 | |
26 using std::cerr; | |
27 | |
28 // Macro to determine the size of a field structure in the KernelImage | |
29 // structure. | |
30 #define FIELD_LEN(field) (sizeof(((KernelImage*)0)->field)) | |
31 | |
32 namespace vboot_reference { | |
33 | |
34 KernelUtility::KernelUtility(): image_(NULL), | |
35 firmware_key_pub_(NULL), | |
36 header_version_(1), | |
37 firmware_sign_algorithm_(-1), | |
38 kernel_sign_algorithm_(-1), | |
39 kernel_key_version_(-1), | |
40 kernel_version_(-1), | |
41 padding_(0), | |
42 kernel_len_(0), | |
43 is_generate_(false), | |
44 is_verify_(false), | |
45 is_describe_(false), | |
46 is_only_vblock_(false) {} | |
47 | |
48 KernelUtility::~KernelUtility() { | |
49 RSAPublicKeyFree(firmware_key_pub_); | |
50 KernelImageFree(image_); | |
51 } | |
52 | |
53 void KernelUtility::PrintUsage(void) { | |
54 cerr << "\n" | |
55 "Utility to generate/verify/describe a verified boot kernel image\n" | |
56 "\n" | |
57 "Usage: kernel_utility <--generate|--verify|--describe> [OPTIONS]\n" | |
58 "\n" | |
59 "For \"--describe\", the required OPTIONS are:\n" | |
60 " --in <infile>\t\t\t\tSigned boot image to describe.\n" | |
61 "\n" | |
62 "For \"--verify\", required OPTIONS are:\n" | |
63 " --in <infile>\t\t\t\tSigned boot image to verify.\n" | |
64 " --firmware_key_pub <pubkeyfile>\tPre-processed public firmware key\n" | |
65 "\n" | |
66 "For \"--generate\", required OPTIONS are:\n" | |
67 " --firmware_key <privkeyfile>\t\tPrivate firmware signing key file\n" | |
68 " --kernel_key_pub <pubkeyfile>\t\tPre-processed public kernel signing" | |
69 " key\n" | |
70 " --firmware_sign_algorithm <algoid>\tSigning algorithm for firmware\n" | |
71 " --kernel_sign_algorithm <algoid>\tSigning algorithm for kernel\n" | |
72 " --kernel_key_version <number>\t\tKernel signing key version number\n" | |
73 "OR\n" | |
74 " --subkey_in <subkeyfile>\t\tExisting key signature header\n" | |
75 "\n" | |
76 " --kernel_key <privkeyfile>\t\tPrivate kernel signing key file\n" | |
77 " --kernel_version <number>\t\tKernel Version number\n" | |
78 " --config <file>\t\t\tEmbedded kernel command-line parameters\n" | |
79 " --bootloader <file>\t\t\tEmbedded bootloader stub\n" | |
80 " --vmlinuz <file>\t\t\tEmbedded kernel image\n" | |
81 " --out <outfile>\t\t\tOutput file for verified boot image\n" | |
82 "\n" | |
83 "Optional arguments for \"--generate\" are:\n" | |
84 " --padding <size>\t\t\tPad the header to this size\n" | |
85 " --subkey_out\t\t\t\tJust output the subkey (key verification) header\n" | |
86 " --vblock\t\t\t\tJust output the verification block\n" | |
87 "\n" | |
88 "<algoid> (for --*_sign_algorithm) is one of the following:\n"; | |
89 for (int i = 0; i < kNumAlgorithms; i++) { | |
90 cerr << " " << i << " for " << algo_strings[i] << "\n"; | |
91 } | |
92 cerr << "\n\n"; | |
93 } | |
94 | |
95 bool KernelUtility::ParseCmdLineOptions(int argc, char* argv[]) { | |
96 int option_index, i; | |
97 char *e = 0; | |
98 enum { | |
99 OPT_FIRMWARE_KEY = 1000, | |
100 OPT_FIRMWARE_KEY_PUB, | |
101 OPT_KERNEL_KEY, | |
102 OPT_KERNEL_KEY_PUB, | |
103 OPT_SUBKEY_IN, | |
104 OPT_FIRMWARE_SIGN_ALGORITHM, | |
105 OPT_KERNEL_SIGN_ALGORITHM, | |
106 OPT_KERNEL_KEY_VERSION, | |
107 OPT_KERNEL_VERSION, | |
108 OPT_IN, | |
109 OPT_OUT, | |
110 OPT_GENERATE, | |
111 OPT_VERIFY, | |
112 OPT_DESCRIBE, | |
113 OPT_VBLOCK, | |
114 OPT_BOOTLOADER, | |
115 OPT_VMLINUZ, | |
116 OPT_CONFIG, | |
117 OPT_PADDING, | |
118 OPT_SUBKEY_OUT, | |
119 }; | |
120 static struct option long_options[] = { | |
121 {"firmware_key", 1, 0, OPT_FIRMWARE_KEY }, | |
122 {"firmware_key_pub", 1, 0, OPT_FIRMWARE_KEY_PUB }, | |
123 {"kernel_key", 1, 0, OPT_KERNEL_KEY }, | |
124 {"kernel_key_pub", 1, 0, OPT_KERNEL_KEY_PUB }, | |
125 {"subkey_in", 1, 0, OPT_SUBKEY_IN }, | |
126 {"firmware_sign_algorithm", 1, 0, OPT_FIRMWARE_SIGN_ALGORITHM }, | |
127 {"kernel_sign_algorithm", 1, 0, OPT_KERNEL_SIGN_ALGORITHM }, | |
128 {"kernel_key_version", 1, 0, OPT_KERNEL_KEY_VERSION }, | |
129 {"kernel_version", 1, 0, OPT_KERNEL_VERSION }, | |
130 {"in", 1, 0, OPT_IN }, | |
131 {"out", 1, 0, OPT_OUT }, | |
132 {"generate", 0, 0, OPT_GENERATE }, | |
133 {"verify", 0, 0, OPT_VERIFY }, | |
134 {"describe", 0, 0, OPT_DESCRIBE }, | |
135 {"vblock", 0, 0, OPT_VBLOCK }, | |
136 {"bootloader", 1, 0, OPT_BOOTLOADER }, | |
137 {"vmlinuz", 1, 0, OPT_VMLINUZ }, | |
138 {"config", 1, 0, OPT_CONFIG }, | |
139 {"padding", 1, 0, OPT_PADDING }, | |
140 {"subkey_out", 0, 0, OPT_SUBKEY_OUT }, | |
141 {NULL, 0, 0, 0} | |
142 }; | |
143 while ((i = getopt_long(argc, argv, "", long_options, &option_index)) != -1) { | |
144 switch (i) { | |
145 case '?': | |
146 return false; | |
147 break; | |
148 case OPT_FIRMWARE_KEY: | |
149 firmware_key_file_ = optarg; | |
150 break; | |
151 case OPT_FIRMWARE_KEY_PUB: | |
152 firmware_key_pub_file_ = optarg; | |
153 break; | |
154 case OPT_KERNEL_KEY: | |
155 kernel_key_file_ = optarg; | |
156 break; | |
157 case OPT_KERNEL_KEY_PUB: | |
158 kernel_key_pub_file_ = optarg; | |
159 break; | |
160 case OPT_SUBKEY_IN: | |
161 subkey_in_file_ = optarg; | |
162 break; | |
163 case OPT_FIRMWARE_SIGN_ALGORITHM: | |
164 firmware_sign_algorithm_ = strtol(optarg, &e, 0); | |
165 if (!*optarg || (e && *e)) { | |
166 cerr << "Invalid argument to --" | |
167 << long_options[option_index].name | |
168 << ": " << optarg << "\n"; | |
169 return false; | |
170 } | |
171 break; | |
172 case OPT_KERNEL_SIGN_ALGORITHM: | |
173 kernel_sign_algorithm_ = strtol(optarg, &e, 0); | |
174 if (!*optarg || (e && *e)) { | |
175 cerr << "Invalid argument to --" | |
176 << long_options[option_index].name | |
177 << ": " << optarg << "\n"; | |
178 return false; | |
179 } | |
180 break; | |
181 case OPT_KERNEL_KEY_VERSION: | |
182 kernel_key_version_ = strtol(optarg, &e, 0); | |
183 if (!*optarg || (e && *e)) { | |
184 cerr << "Invalid argument to --" | |
185 << long_options[option_index].name | |
186 << ": " << optarg << "\n"; | |
187 return false; | |
188 } | |
189 break; | |
190 case OPT_KERNEL_VERSION: | |
191 kernel_version_ = strtol(optarg, &e, 0); | |
192 if (!*optarg || (e && *e)) { | |
193 cerr << "Invalid argument to --" | |
194 << long_options[option_index].name | |
195 << ": " << optarg << "\n"; | |
196 return false; | |
197 } | |
198 break; | |
199 case OPT_IN: | |
200 in_file_ = optarg; | |
201 break; | |
202 case OPT_OUT: | |
203 out_file_ = optarg; | |
204 break; | |
205 case OPT_GENERATE: | |
206 is_generate_ = true; | |
207 break; | |
208 case OPT_VERIFY: | |
209 is_verify_ = true; | |
210 break; | |
211 case OPT_DESCRIBE: | |
212 is_describe_ = true; | |
213 break; | |
214 case OPT_VBLOCK: | |
215 is_only_vblock_ = true; | |
216 break; | |
217 case OPT_BOOTLOADER: | |
218 bootloader_file_ = optarg; | |
219 break; | |
220 case OPT_VMLINUZ: | |
221 vmlinuz_file_ = optarg; | |
222 break; | |
223 case OPT_CONFIG: | |
224 config_file_ = optarg; | |
225 break; | |
226 case OPT_PADDING: | |
227 padding_ = strtol(optarg, &e, 0); | |
228 if (!*optarg || (e && *e)) { | |
229 cerr << "Invalid argument to --" | |
230 << long_options[option_index].name | |
231 << ": " << optarg << "\n"; | |
232 return false; | |
233 } | |
234 break; | |
235 case OPT_SUBKEY_OUT: | |
236 is_subkey_out_ = true; | |
237 break; | |
238 } | |
239 } | |
240 return CheckOptions(); | |
241 } | |
242 | |
243 void KernelUtility::OutputSignedImage(void) { | |
244 if (image_) { | |
245 if (!WriteKernelImage(out_file_.c_str(), image_, | |
246 is_only_vblock_, | |
247 is_subkey_out_)) { | |
248 cerr << "Couldn't write verified boot kernel image to file " | |
249 << out_file_ <<".\n"; | |
250 } | |
251 } | |
252 } | |
253 | |
254 void KernelUtility::DescribeSignedImage(void) { | |
255 image_ = ReadKernelImage(in_file_.c_str()); | |
256 if (!image_) { | |
257 cerr << "Couldn't read kernel image or malformed image.\n"; | |
258 return; | |
259 } | |
260 PrintKernelImage(image_); | |
261 } | |
262 | |
263 bool KernelUtility::GenerateSignedImage(void) { | |
264 uint64_t kernel_key_pub_len; | |
265 | |
266 image_ = KernelImageNew(); | |
267 Memcpy(image_->magic, KERNEL_MAGIC, KERNEL_MAGIC_SIZE); | |
268 | |
269 if (subkey_in_file_.empty()) { | |
270 // We must generate the kernel key signature header (subkey header) | |
271 // ourselves. | |
272 image_->header_version = 1; | |
273 image_->firmware_sign_algorithm = (uint16_t) firmware_sign_algorithm_; | |
274 // Copy pre-processed public signing key. | |
275 image_->kernel_sign_algorithm = (uint16_t) kernel_sign_algorithm_; | |
276 image_->kernel_sign_key = BufferFromFile(kernel_key_pub_file_.c_str(), | |
277 &kernel_key_pub_len); | |
278 if (!image_->kernel_sign_key) | |
279 return false; | |
280 image_->kernel_key_version = kernel_key_version_; | |
281 | |
282 // Update header length. | |
283 image_->header_len = GetKernelHeaderLen(image_); | |
284 // Calculate header checksum. | |
285 CalculateKernelHeaderChecksum(image_, image_->header_checksum); | |
286 | |
287 // Generate and add the key signatures. | |
288 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { | |
289 cerr << "Couldn't write key signature to verified boot kernel image.\n"; | |
290 return false; | |
291 } | |
292 } else { | |
293 // Use existing subkey header. | |
294 MemcpyState st; | |
295 uint8_t* subkey_header_buf = NULL; | |
296 uint64_t subkey_len; | |
297 int header_len; | |
298 int kernel_key_signature_len; | |
299 int kernel_sign_key_len; | |
300 uint8_t header_checksum[FIELD_LEN(header_checksum)]; | |
301 | |
302 subkey_header_buf = BufferFromFile(subkey_in_file_.c_str(), &subkey_len); | |
303 if (!subkey_header_buf) { | |
304 cerr << "Couldn't read subkey header from file %s\n" | |
305 << subkey_in_file_.c_str(); | |
306 return false; | |
307 } | |
308 st.remaining_len = subkey_len; | |
309 st.remaining_buf = subkey_header_buf; | |
310 st.overrun = 0; | |
311 | |
312 // TODO(gauravsh): This is basically the same code as the first half of | |
313 // of ReadKernelImage(). Refactor to eliminate code duplication. | |
314 | |
315 StatefulMemcpy(&st, &image_->header_version, FIELD_LEN(header_version)); | |
316 StatefulMemcpy(&st, &image_->header_len, FIELD_LEN(header_len)); | |
317 StatefulMemcpy(&st, &image_->firmware_sign_algorithm, | |
318 FIELD_LEN(firmware_sign_algorithm)); | |
319 StatefulMemcpy(&st, &image_->kernel_sign_algorithm, | |
320 FIELD_LEN(kernel_sign_algorithm)); | |
321 | |
322 // Valid Kernel Key signing algorithm. | |
323 if (image_->firmware_sign_algorithm >= kNumAlgorithms) { | |
324 Free(subkey_header_buf); | |
325 return NULL; | |
326 } | |
327 | |
328 // Valid Kernel Signing Algorithm? | |
329 if (image_->kernel_sign_algorithm >= kNumAlgorithms) { | |
330 Free(subkey_header_buf); | |
331 return NULL; | |
332 } | |
333 | |
334 // Compute size of pre-processed RSA public keys and signatures. | |
335 kernel_key_signature_len = siglen_map[image_->firmware_sign_algorithm]; | |
336 kernel_sign_key_len = RSAProcessedKeySize(image_->kernel_sign_algorithm); | |
337 | |
338 // Check whether key header length is correct. | |
339 header_len = GetKernelHeaderLen(image_); | |
340 if (header_len != image_->header_len) { | |
341 debug("Header length mismatch. Got: %d, Expected: %d\n", | |
342 image_->header_len, header_len); | |
343 Free(subkey_header_buf); | |
344 return NULL; | |
345 } | |
346 | |
347 // Read pre-processed public half of the kernel signing key. | |
348 StatefulMemcpy(&st, &image_->kernel_key_version, | |
349 FIELD_LEN(kernel_key_version)); | |
350 image_->kernel_sign_key = (uint8_t*) Malloc(kernel_sign_key_len); | |
351 StatefulMemcpy(&st, image_->kernel_sign_key, kernel_sign_key_len); | |
352 StatefulMemcpy(&st, image_->header_checksum, FIELD_LEN(header_checksum)); | |
353 | |
354 // Check whether the header checksum matches. | |
355 CalculateKernelHeaderChecksum(image_, header_checksum); | |
356 if (SafeMemcmp(header_checksum, image_->header_checksum, | |
357 FIELD_LEN(header_checksum))) { | |
358 debug("Invalid kernel header checksum!\n"); | |
359 Free(subkey_header_buf); | |
360 return NULL; | |
361 } | |
362 | |
363 // Read key signature. | |
364 image_->kernel_key_signature = (uint8_t*) Malloc(kernel_key_signature_len); | |
365 StatefulMemcpy(&st, image_->kernel_key_signature, | |
366 kernel_key_signature_len); | |
367 | |
368 Free(subkey_header_buf); | |
369 if (st.overrun || st.remaining_len != 0) /* Overrun or underrun. */ | |
370 return false; | |
371 return true; | |
372 } | |
373 | |
374 // Fill up kernel preamble and kernel data. | |
375 image_->kernel_version = kernel_version_; | |
376 if (padding_) | |
377 image_->padded_header_size = padding_; | |
378 image_->kernel_data = GenerateKernelBlob(vmlinuz_file_.c_str(), | |
379 config_file_.c_str(), | |
380 bootloader_file_.c_str(), | |
381 &image_->kernel_len, | |
382 &image_->bootloader_offset, | |
383 &image_->bootloader_size); | |
384 if (!image_->kernel_data) | |
385 return false; | |
386 | |
387 // Generate and add the preamble and data signatures. | |
388 if (!AddKernelSignature(image_, kernel_key_file_.c_str())) { | |
389 cerr << "Couldn't write firmware signature to verified boot kernel image.\n"
; | |
390 return false; | |
391 } | |
392 return true; | |
393 } | |
394 | |
395 bool KernelUtility::VerifySignedImage(void) { | |
396 int error; | |
397 firmware_key_pub_ = RSAPublicKeyFromFile(firmware_key_pub_file_.c_str()); | |
398 image_ = ReadKernelImage(in_file_.c_str()); | |
399 | |
400 if (!firmware_key_pub_) { | |
401 cerr << "Couldn't read pre-processed public root key.\n"; | |
402 return false; | |
403 } | |
404 | |
405 if (!image_) { | |
406 cerr << "Couldn't read kernel image or malformed image.\n"; | |
407 return false; | |
408 } | |
409 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) | |
410 return true; | |
411 cerr << VerifyKernelErrorString(error) << "\n"; | |
412 return false; | |
413 } | |
414 | |
415 bool KernelUtility::CheckOptions(void) { | |
416 // Ensure that only one of --{describe|generate|verify} is set. | |
417 if (!((is_describe_ && !is_generate_ && !is_verify_) || | |
418 (!is_describe_ && is_generate_ && !is_verify_) || | |
419 (!is_describe_ && !is_generate_ && is_verify_))) { | |
420 cerr << "One (and only one) of --describe, --generate or --verify " | |
421 << "must be specified.\n"; | |
422 return false; | |
423 } | |
424 // Common required options. | |
425 // Required options for --describe. | |
426 if (is_describe_) { | |
427 if (in_file_.empty()) { | |
428 cerr << "No input file specified.\n"; | |
429 return false; | |
430 } | |
431 } | |
432 // Required options for --verify. | |
433 if (is_verify_) { | |
434 if (firmware_key_pub_file_.empty()) { | |
435 cerr << "No pre-processed public firmware key file specified.\n"; | |
436 return false; | |
437 } | |
438 if (in_file_.empty()) { | |
439 cerr << "No input file specified.\n"; | |
440 return false; | |
441 } | |
442 } | |
443 // Required options for --generate. | |
444 if (is_generate_) { | |
445 if (subkey_in_file_.empty()) { | |
446 // Firmware private key (root key), kernel signing public | |
447 // key, and signing algorithms are required to generate the key signature | |
448 // header. | |
449 if (firmware_key_file_.empty()) { | |
450 cerr << "No firmware key file specified.\n"; | |
451 return false; | |
452 } | |
453 if (kernel_key_pub_file_.empty()) { | |
454 cerr << "No pre-processed public kernel key file specified\n"; | |
455 return false; | |
456 } | |
457 if (kernel_key_version_ <= 0 || kernel_key_version_ > UINT16_MAX) { | |
458 cerr << "Invalid or no kernel key version specified.\n"; | |
459 return false; | |
460 } | |
461 if (firmware_sign_algorithm_ < 0 || | |
462 firmware_sign_algorithm_ >= kNumAlgorithms) { | |
463 cerr << "Invalid or no firmware signing key algorithm specified.\n"; | |
464 return false; | |
465 } | |
466 if (kernel_sign_algorithm_ < 0 || | |
467 kernel_sign_algorithm_ >= kNumAlgorithms) { | |
468 cerr << "Invalid or no kernel signing key algorithm specified.\n"; | |
469 return false; | |
470 } | |
471 } | |
472 if (kernel_key_file_.empty()) { | |
473 cerr << "No kernel key file specified.\n"; | |
474 return false; | |
475 } | |
476 if (kernel_version_ <=0 || kernel_version_ > UINT16_MAX) { | |
477 cerr << "Invalid or no kernel version specified.\n"; | |
478 return false; | |
479 } | |
480 if (out_file_.empty()) { | |
481 cerr <<"No output file specified.\n"; | |
482 return false; | |
483 } | |
484 if (config_file_.empty()) { | |
485 cerr << "No config file specified.\n"; | |
486 return false; | |
487 } | |
488 if (bootloader_file_.empty()) { | |
489 cerr << "No bootloader file specified.\n"; | |
490 return false; | |
491 } | |
492 if (vmlinuz_file_.empty()) { | |
493 cerr << "No vmlinuz file specified.\n"; | |
494 return false; | |
495 } | |
496 // TODO(gauravsh): Enforce only one of --vblock or --subkey_out is specified | |
497 } | |
498 return true; | |
499 } | |
500 | |
501 } // namespace vboot_reference | |
502 | |
503 int main(int argc, char* argv[]) { | |
504 vboot_reference::KernelUtility ku; | |
505 if (!ku.ParseCmdLineOptions(argc, argv)) { | |
506 ku.PrintUsage(); | |
507 return -1; | |
508 } | |
509 if (ku.is_describe()) { | |
510 ku.DescribeSignedImage(); | |
511 } | |
512 else if (ku.is_generate()) { | |
513 if (!ku.GenerateSignedImage()) | |
514 return -1; | |
515 ku.OutputSignedImage(); | |
516 } | |
517 else if (ku.is_verify()) { | |
518 cerr << "Verification "; | |
519 if (ku.VerifySignedImage()) | |
520 cerr << "SUCCESS.\n"; | |
521 else | |
522 cerr << "FAILURE.\n"; | |
523 } | |
524 return 0; | |
525 } | |
OLD | NEW |