OLD | NEW |
1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
4 * | 4 * |
5 * Functions for generating and manipulating a verified boot firmware image. | 5 * Functions for generating and manipulating a verified boot firmware image. |
6 */ | 6 */ |
7 | 7 |
8 #include "firmware_image.h" | 8 #include "firmware_image.h" |
9 | 9 |
10 #include <fcntl.h> | 10 #include <fcntl.h> |
11 #include <limits.h> | 11 #include <limits.h> |
12 #include <stdio.h> | 12 #include <stdio.h> |
13 #include <sys/types.h> | 13 #include <sys/types.h> |
14 #include <sys/stat.h> | 14 #include <sys/stat.h> |
15 #include <unistd.h> | 15 #include <unistd.h> |
16 | 16 |
17 #include "file_keys.h" | 17 #include "file_keys.h" |
18 #include "padding.h" | 18 #include "padding.h" |
19 #include "rsa_utility.h" | 19 #include "rsa_utility.h" |
20 #include "sha_utility.h" | 20 #include "sha_utility.h" |
| 21 #include "signature_digest.h" |
21 #include "utility.h" | 22 #include "utility.h" |
22 | 23 |
23 /* Macro to determine the size of a field structure in the FirmwareImage | 24 /* Macro to determine the size of a field structure in the FirmwareImage |
24 * structure. */ | 25 * structure. */ |
25 #define FIELD_LEN(field) (sizeof(((FirmwareImage*)0)->field)) | 26 #define FIELD_LEN(field) (sizeof(((FirmwareImage*)0)->field)) |
26 | 27 |
27 FirmwareImage* FirmwareImageNew(void) { | 28 FirmwareImage* FirmwareImageNew(void) { |
28 FirmwareImage* image = (FirmwareImage*) Malloc(sizeof(FirmwareImage)); | 29 FirmwareImage* image = (FirmwareImage*) Malloc(sizeof(FirmwareImage)); |
29 if (image) { | 30 if (image) { |
30 image->sign_key = NULL; | 31 image->firmware_sign_key = NULL; |
31 image->preamble_signature = NULL; | 32 image->preamble_signature = NULL; |
32 image->firmware_signature = NULL; | 33 image->firmware_signature = NULL; |
33 image->firmware_data = NULL; | 34 image->firmware_data = NULL; |
34 } | 35 } |
35 return image; | 36 return image; |
36 } | 37 } |
37 | 38 |
38 void FirmwareImageFree(FirmwareImage* image) { | 39 void FirmwareImageFree(FirmwareImage* image) { |
39 if (image) { | 40 if (image) { |
40 Free(image->sign_key); | 41 Free(image->firmware_sign_key); |
41 Free(image->preamble_signature); | 42 Free(image->preamble_signature); |
42 Free(image->firmware_signature); | 43 Free(image->firmware_signature); |
43 Free(image->firmware_data); | 44 Free(image->firmware_data); |
| 45 Free(image); |
44 } | 46 } |
45 } | 47 } |
46 | 48 |
47 FirmwareImage* ReadFirmwareImage(const char* input_file) { | 49 FirmwareImage* ReadFirmwareImage(const char* input_file) { |
48 uint32_t file_size; | 50 uint32_t file_size; |
49 int image_len = 0; /* Total size of the firmware image. */ | 51 int image_len = 0; /* Total size of the firmware image. */ |
50 int header_len = 0; | 52 int header_len = 0; |
51 int sign_key_len; | 53 int firmware_sign_key_len; |
52 int signature_len; | 54 int signature_len; |
53 uint8_t* firmware_buf; | 55 uint8_t* firmware_buf; |
54 MemcpyState st; | 56 MemcpyState st; |
55 FirmwareImage* image = FirmwareImageNew(); | 57 FirmwareImage* image = FirmwareImageNew(); |
56 | 58 |
57 if (!image) | 59 if (!image) |
58 return NULL; | 60 return NULL; |
59 | 61 |
60 firmware_buf = BufferFromFile(input_file, &file_size); | 62 firmware_buf = BufferFromFile(input_file, &file_size); |
61 image_len = file_size; | 63 image_len = file_size; |
62 | 64 |
63 st.remaining_len = image_len; | 65 st.remaining_len = image_len; |
64 st.remaining_buf = firmware_buf; | 66 st.remaining_buf = firmware_buf; |
65 | 67 |
66 /* Read and compare magic bytes. */ | 68 /* Read and compare magic bytes. */ |
67 if (!StatefulMemcpy(&st, &image->magic, FIRMWARE_MAGIC_SIZE)) | 69 StatefulMemcpy(&st, &image->magic, FIRMWARE_MAGIC_SIZE); |
68 goto parse_failure; | |
69 | |
70 if (SafeMemcmp(image->magic, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) { | 70 if (SafeMemcmp(image->magic, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) { |
71 fprintf(stderr, "Wrong Firmware Magic.\n"); | 71 fprintf(stderr, "Wrong Firmware Magic.\n"); |
72 goto parse_failure; | 72 Free(firmware_buf); |
| 73 return NULL; |
| 74 } |
| 75 StatefulMemcpy(&st, &image->header_len, FIELD_LEN(header_len)); |
| 76 StatefulMemcpy(&st, &image->firmware_sign_algorithm, |
| 77 FIELD_LEN(firmware_sign_algorithm)); |
| 78 |
| 79 /* Valid Algorithm? */ |
| 80 if (image->firmware_sign_algorithm >= kNumAlgorithms) { |
| 81 Free(firmware_buf); |
| 82 return NULL; |
73 } | 83 } |
74 | 84 |
75 StatefulMemcpy(&st, &image->header_len, FIELD_LEN(header_len)); | |
76 StatefulMemcpy(&st, &image->sign_algorithm, FIELD_LEN(sign_algorithm)); | |
77 | |
78 /* Valid Algorithm? */ | |
79 if (image->sign_algorithm >= kNumAlgorithms) | |
80 goto parse_failure; | |
81 | |
82 /* Compute size of pre-processed RSA public key and signature. */ | 85 /* Compute size of pre-processed RSA public key and signature. */ |
83 sign_key_len = RSAProcessedKeySize(image->sign_algorithm); | 86 firmware_sign_key_len = RSAProcessedKeySize(image->firmware_sign_algorithm); |
84 signature_len = siglen_map[image->sign_algorithm]; | 87 signature_len = siglen_map[image->firmware_sign_algorithm]; |
85 | |
86 | 88 |
87 /* Check whether the header length is correct. */ | 89 /* Check whether the header length is correct. */ |
88 header_len = (FIELD_LEN(header_len) + | 90 header_len = (FIELD_LEN(header_len) + |
89 FIELD_LEN(sign_algorithm) + | 91 FIELD_LEN(firmware_sign_algorithm) + |
90 sign_key_len + | 92 firmware_sign_key_len + |
91 FIELD_LEN(key_version) + | 93 FIELD_LEN(firmware_key_version) + |
92 FIELD_LEN(header_checksum)); | 94 FIELD_LEN(header_checksum)); |
93 if (header_len != image->header_len) { | 95 if (header_len != image->header_len) { |
94 fprintf(stderr, "Header length mismatch. Got: %d Expected: %d\n", | 96 fprintf(stderr, "Header length mismatch. Got: %d Expected: %d\n", |
95 image->header_len, header_len); | 97 image->header_len, header_len); |
96 goto parse_failure; | 98 Free(firmware_buf); |
| 99 return NULL; |
97 } | 100 } |
98 | 101 |
99 /* Read pre-processed public half of the sign key. */ | 102 /* Read pre-processed public half of the sign key. */ |
100 image->sign_key = (uint8_t*) Malloc(sign_key_len); | 103 image->firmware_sign_key = (uint8_t*) Malloc(firmware_sign_key_len); |
101 StatefulMemcpy(&st, image->sign_key, sign_key_len); | 104 StatefulMemcpy(&st, image->firmware_sign_key, firmware_sign_key_len); |
102 StatefulMemcpy(&st, &image->key_version, FIELD_LEN(key_version)); | 105 StatefulMemcpy(&st, &image->firmware_key_version, |
| 106 FIELD_LEN(firmware_key_version)); |
103 StatefulMemcpy(&st, image->header_checksum, FIELD_LEN(header_checksum)); | 107 StatefulMemcpy(&st, image->header_checksum, FIELD_LEN(header_checksum)); |
104 | 108 |
105 /* Read key signature. */ | 109 /* Read key signature. */ |
106 StatefulMemcpy(&st, image->key_signature, FIELD_LEN(key_signature)); | 110 StatefulMemcpy(&st, image->firmware_key_signature, |
| 111 FIELD_LEN(firmware_key_signature)); |
107 | 112 |
108 /* Read the firmware preamble. */ | 113 /* Read the firmware preamble. */ |
109 StatefulMemcpy(&st,&image->firmware_version, FIELD_LEN(firmware_version)); | 114 StatefulMemcpy(&st,&image->firmware_version, FIELD_LEN(firmware_version)); |
110 StatefulMemcpy(&st, &image->firmware_len, FIELD_LEN(firmware_len)); | 115 StatefulMemcpy(&st, &image->firmware_len, FIELD_LEN(firmware_len)); |
111 StatefulMemcpy(&st, image->preamble, FIELD_LEN(preamble)); | 116 StatefulMemcpy(&st, image->preamble, FIELD_LEN(preamble)); |
112 | 117 |
113 /* Read firmware preamble signature. */ | 118 /* Read firmware preamble signature. */ |
114 image->preamble_signature = (uint8_t*) Malloc(signature_len); | 119 image->preamble_signature = (uint8_t*) Malloc(signature_len); |
115 StatefulMemcpy(&st, image->preamble_signature, signature_len); | 120 StatefulMemcpy(&st, image->preamble_signature, signature_len); |
116 | 121 |
117 image->firmware_signature = (uint8_t*) Malloc(signature_len); | 122 image->firmware_signature = (uint8_t*) Malloc(signature_len); |
118 StatefulMemcpy(&st, image->firmware_signature, signature_len); | 123 StatefulMemcpy(&st, image->firmware_signature, signature_len); |
119 | 124 |
120 image->firmware_data = (uint8_t*) Malloc(image->firmware_len); | 125 image->firmware_data = (uint8_t*) Malloc(image->firmware_len); |
121 StatefulMemcpy(&st, image->firmware_data, image->firmware_len); | 126 StatefulMemcpy(&st, image->firmware_data, image->firmware_len); |
122 | 127 |
123 if(st.remaining_len != 0) /* Overrun or underrun. */ | 128 if(st.remaining_len != 0) { /* Overrun or underrun. */ |
124 goto parse_failure; | 129 Free(firmware_buf); |
| 130 return NULL; |
| 131 } |
125 | 132 |
126 Free(firmware_buf); | 133 Free(firmware_buf); |
127 return image; | 134 return image; |
128 | |
129 parse_failure: | |
130 Free(firmware_buf); | |
131 return NULL; | |
132 } | 135 } |
133 | 136 |
134 void WriteFirmwareHeader(int fd, FirmwareImage* image) { | 137 int GetFirmwareHeaderLen(const FirmwareImage* image) { |
135 int sign_key_len; | 138 return (FIELD_LEN(header_len) + FIELD_LEN(header_len) + |
136 write(fd, &image->header_len, FIELD_LEN(header_len)); | 139 RSAProcessedKeySize(image->firmware_sign_algorithm) + |
137 write(fd, &image->sign_algorithm, FIELD_LEN(header_len)); | 140 FIELD_LEN(firmware_key_version) + FIELD_LEN(header_checksum)); |
138 sign_key_len = (image->header_len - FIELD_LEN(header_len) - | |
139 FIELD_LEN(sign_algorithm) - | |
140 FIELD_LEN(key_version) - | |
141 FIELD_LEN(header_checksum)); | |
142 write(fd, image->sign_key, sign_key_len); | |
143 write(fd, &image->key_version, FIELD_LEN(key_version)); | |
144 write(fd, &image->header_checksum, FIELD_LEN(header_checksum)); | |
145 } | 141 } |
146 | 142 |
147 void WriteFirmwarePreamble(int fd, FirmwareImage* image) { | 143 uint8_t* GetFirmwareHeaderBlob(const FirmwareImage* image) { |
148 write(fd, &image->firmware_version, | 144 uint8_t* header_blob = NULL; |
149 FIELD_LEN(firmware_version)); | 145 MemcpyState st; |
150 write(fd, &image->firmware_len, FIELD_LEN(firmware_len)); | 146 |
151 write(fd, image->preamble, FIELD_LEN(preamble)); | 147 header_blob = (uint8_t*) Malloc(GetFirmwareHeaderLen(image)); |
| 148 st.remaining_len = GetFirmwareHeaderLen(image); |
| 149 st.remaining_buf = header_blob; |
| 150 |
| 151 StatefulMemcpy_r(&st, &image->header_len, FIELD_LEN(header_len)); |
| 152 StatefulMemcpy_r(&st, &image->firmware_sign_algorithm, FIELD_LEN(header_len)); |
| 153 StatefulMemcpy_r(&st, image->firmware_sign_key, |
| 154 RSAProcessedKeySize(image->firmware_sign_algorithm)); |
| 155 StatefulMemcpy_r(&st, &image->firmware_key_version, |
| 156 FIELD_LEN(firmware_key_version)); |
| 157 StatefulMemcpy_r(&st, &image->header_checksum, FIELD_LEN(header_checksum)); |
| 158 |
| 159 if (st.remaining_len != 0) { /* Underrun or Overrun. */ |
| 160 Free(header_blob); |
| 161 return NULL; |
| 162 } |
| 163 return header_blob; |
152 } | 164 } |
153 | 165 |
154 FirmwareImage* WriteFirmwareImage(const char* input_file, | 166 int GetFirmwarePreambleLen(const FirmwareImage* image) { |
155 FirmwareImage* image) { | 167 return (FIELD_LEN(firmware_version) + FIELD_LEN(firmware_len) + |
156 int fd; | 168 FIELD_LEN(preamble)); |
157 int signature_len; | 169 } |
| 170 |
| 171 uint8_t* GetFirmwarePreambleBlob(const FirmwareImage* image) { |
| 172 uint8_t* preamble_blob = NULL; |
| 173 MemcpyState st; |
| 174 |
| 175 preamble_blob = (uint8_t*) Malloc(GetFirmwarePreambleLen(image)); |
| 176 st.remaining_len = GetFirmwarePreambleLen(image); |
| 177 st.remaining_buf = preamble_blob; |
| 178 |
| 179 StatefulMemcpy_r(&st, &image->firmware_version, FIELD_LEN(firmware_version)); |
| 180 StatefulMemcpy_r(&st, &image->firmware_len, FIELD_LEN(firmware_len)); |
| 181 StatefulMemcpy_r(&st, image->preamble, FIELD_LEN(preamble)); |
| 182 |
| 183 if (st.remaining_len != 0 ) { /* Underrun or Overrun. */ |
| 184 Free(preamble_blob); |
| 185 return NULL; |
| 186 } |
| 187 return preamble_blob; |
| 188 } |
| 189 |
| 190 |
| 191 uint8_t* GetFirmwareBlob(const FirmwareImage* image, int* blob_len) { |
| 192 int firmware_signature_len; |
| 193 uint8_t* firmware_blob = NULL; |
| 194 uint8_t* header_blob = NULL; |
| 195 uint8_t* preamble_blob = NULL; |
| 196 MemcpyState st; |
158 | 197 |
159 if (!image) | 198 if (!image) |
160 return NULL; | 199 return NULL; |
| 200 |
| 201 firmware_signature_len = siglen_map[image->firmware_sign_algorithm]; |
| 202 *blob_len = (FIELD_LEN(magic) + |
| 203 GetFirmwareHeaderLen(image) + |
| 204 FIELD_LEN(firmware_key_signature) + |
| 205 GetFirmwarePreambleLen(image) + |
| 206 2 * firmware_signature_len + |
| 207 image->firmware_len); |
| 208 firmware_blob = (uint8_t*) Malloc(*blob_len); |
| 209 st.remaining_len = *blob_len; |
| 210 st.remaining_buf = firmware_blob; |
| 211 |
| 212 header_blob = GetFirmwareHeaderBlob(image); |
| 213 preamble_blob = GetFirmwarePreambleBlob(image); |
| 214 |
| 215 StatefulMemcpy_r(&st, image->magic, FIELD_LEN(magic)); |
| 216 StatefulMemcpy_r(&st, header_blob, GetFirmwareHeaderLen(image)); |
| 217 StatefulMemcpy_r(&st, image->firmware_key_signature, |
| 218 FIELD_LEN(firmware_key_signature)); |
| 219 StatefulMemcpy_r(&st, preamble_blob, GetFirmwarePreambleLen(image)); |
| 220 StatefulMemcpy_r(&st, image->preamble_signature, firmware_signature_len); |
| 221 StatefulMemcpy_r(&st, image->firmware_signature, firmware_signature_len); |
| 222 StatefulMemcpy_r(&st, image->firmware_data, image->firmware_len); |
| 223 |
| 224 Free(preamble_blob); |
| 225 Free(header_blob); |
| 226 |
| 227 if (st.remaining_len != 0) { /* Underrun or Overrun. */ |
| 228 Free(firmware_blob); |
| 229 return NULL; |
| 230 } |
| 231 return firmware_blob; |
| 232 } |
| 233 |
| 234 int WriteFirmwareImage(const char* input_file, |
| 235 const FirmwareImage* image) { |
| 236 int fd; |
| 237 uint8_t* firmware_blob; |
| 238 int blob_len; |
| 239 |
| 240 if (!image) |
| 241 return 0; |
161 if (-1 == (fd = creat(input_file, S_IRWXU))) { | 242 if (-1 == (fd = creat(input_file, S_IRWXU))) { |
162 fprintf(stderr, "Couldn't open file for writing.\n"); | 243 fprintf(stderr, "Couldn't open file for writing.\n"); |
163 return NULL; | 244 return 0; |
164 } | 245 } |
165 | 246 |
166 write(fd, image->magic, FIELD_LEN(magic)); | 247 firmware_blob = GetFirmwareBlob(image, &blob_len); |
167 WriteFirmwareHeader(fd, image); | 248 if (!firmware_blob) { |
168 write(fd, image->key_signature, FIELD_LEN(key_signature)); | 249 fprintf(stderr, "Couldn't create firmware blob from FirmwareImage.\n"); |
169 signature_len = siglen_map[image->sign_algorithm]; | 250 return 0; |
170 WriteFirmwarePreamble(fd, image); | 251 } |
171 write(fd, image->preamble_signature, signature_len); | 252 if (blob_len != write(fd, firmware_blob, blob_len)) { |
172 write(fd, image->firmware_signature, signature_len); | 253 fprintf(stderr, "Couldn't write Firmware Image to file: %s\n", input_file); |
173 write(fd, image->firmware_data, image->firmware_len); | 254 Free(firmware_blob); |
174 | 255 close(fd); |
| 256 return 0; |
| 257 } |
| 258 Free(firmware_blob); |
175 close(fd); | 259 close(fd); |
176 return image; | 260 return 1; |
177 } | 261 } |
178 | 262 |
179 void PrintFirmwareImage(const FirmwareImage* image) { | 263 void PrintFirmwareImage(const FirmwareImage* image) { |
180 if (!image) | 264 if (!image) |
181 return; | 265 return; |
182 | 266 |
183 /* Print header. */ | 267 /* Print header. */ |
184 printf("Header Length = %d\n" | 268 printf("Header Length = %d\n" |
185 "Algorithm Id = %d\n" | 269 "Algorithm Id = %d\n" |
186 "Signature Algorithm = %s\n" | 270 "Signature Algorithm = %s\n" |
187 "Key Version = %d\n\n", | 271 "Key Version = %d\n\n", |
188 image->header_len, | 272 image->header_len, |
189 image->sign_algorithm, | 273 image->firmware_sign_algorithm, |
190 algo_strings[image->sign_algorithm], | 274 algo_strings[image->firmware_sign_algorithm], |
191 image->key_version); | 275 image->firmware_key_version); |
192 /* TODO(gauravsh): Output hash and key signature here? */ | 276 /* TODO(gauravsh): Output hash and key signature here? */ |
193 /* Print preamble. */ | 277 /* Print preamble. */ |
194 printf("Firmware Version = %d\n" | 278 printf("Firmware Version = %d\n" |
195 "Firmware Length = %d\n\n", | 279 "Firmware Length = %d\n\n", |
196 image->firmware_version, | 280 image->firmware_version, |
197 image->firmware_len); | 281 image->firmware_len); |
198 /* Output key signature here? */ | 282 /* Output key signature here? */ |
199 } | 283 } |
200 | 284 |
201 char* kVerifyFirmwareErrors[VERIFY_FIRMWARE_MAX] = { | 285 char* kVerifyFirmwareErrors[VERIFY_FIRMWARE_MAX] = { |
202 "Success.", | 286 "Success.", |
203 "Invalid Image.", | 287 "Invalid Image.", |
204 "Root Key Signature Failed.", | 288 "Root Key Signature Failed.", |
205 "Invalid Verification Algorithm.", | 289 "Invalid Verification Algorithm.", |
206 "Preamble Signature Failed.", | 290 "Preamble Signature Failed.", |
207 "Firmware Signature Failed.", | 291 "Firmware Signature Failed.", |
208 "Wrong Firmware Magic.", | 292 "Wrong Firmware Magic.", |
209 }; | 293 }; |
210 | 294 |
211 int VerifyFirmwareHeader(const uint8_t* root_key_blob, | 295 int VerifyFirmwareHeader(const uint8_t* root_key_blob, |
212 const uint8_t* header_blob, | 296 const uint8_t* header_blob, |
213 const int dev_mode, | 297 const int dev_mode, |
214 int* algorithm, | 298 int* algorithm, |
215 int* header_len) { | 299 int* header_len) { |
216 int sign_key_len; | 300 int firmware_sign_key_len; |
217 int root_key_len; | 301 int root_key_len; |
218 uint16_t hlen, algo; | 302 uint16_t hlen, algo; |
219 uint8_t* header_checksum = NULL; | 303 uint8_t* header_checksum = NULL; |
220 | 304 |
221 /* Base Offset for the header_checksum field. Actual offset is | 305 /* Base Offset for the header_checksum field. Actual offset is |
222 * this + sign_key_len. */ | 306 * this + firmware_sign_key_len. */ |
223 int base_header_checksum_offset = (FIELD_LEN(header_len) + | 307 int base_header_checksum_offset = (FIELD_LEN(header_len) + |
224 FIELD_LEN(sign_algorithm) + | 308 FIELD_LEN(firmware_sign_algorithm) + |
225 FIELD_LEN(key_version)); | 309 FIELD_LEN(firmware_key_version)); |
226 | 310 |
227 | 311 |
228 root_key_len = RSAProcessedKeySize(ROOT_SIGNATURE_ALGORITHM); | 312 root_key_len = RSAProcessedKeySize(ROOT_SIGNATURE_ALGORITHM); |
229 Memcpy(&hlen, header_blob, sizeof(hlen)); | 313 Memcpy(&hlen, header_blob, sizeof(hlen)); |
230 Memcpy(&algo, | 314 Memcpy(&algo, |
231 header_blob + FIELD_LEN(sign_algorithm), | 315 header_blob + FIELD_LEN(firmware_sign_algorithm), |
232 sizeof(algo)); | 316 sizeof(algo)); |
233 if (algo >= kNumAlgorithms) | 317 if (algo >= kNumAlgorithms) |
234 return VERIFY_FIRMWARE_INVALID_ALGORITHM; | 318 return VERIFY_FIRMWARE_INVALID_ALGORITHM; |
235 *algorithm = (int) algo; | 319 *algorithm = (int) algo; |
236 sign_key_len = RSAProcessedKeySize(*algorithm); | 320 firmware_sign_key_len = RSAProcessedKeySize(*algorithm); |
237 | 321 |
238 /* Verify if header len is correct? */ | 322 /* Verify if header len is correct? */ |
239 if (hlen != (base_header_checksum_offset + | 323 if (hlen != (base_header_checksum_offset + |
240 sign_key_len + | 324 firmware_sign_key_len + |
241 FIELD_LEN(header_checksum))) | 325 FIELD_LEN(header_checksum))) |
242 return VERIFY_FIRMWARE_INVALID_IMAGE; | 326 return VERIFY_FIRMWARE_INVALID_IMAGE; |
243 | 327 |
244 *header_len = (int) hlen; | 328 *header_len = (int) hlen; |
245 | 329 |
246 /* Verify if the hash of the header is correct. */ | 330 /* Verify if the hash of the header is correct. */ |
247 header_checksum = DigestBuf(header_blob, | 331 header_checksum = DigestBuf(header_blob, |
248 *header_len - FIELD_LEN(header_checksum), | 332 *header_len - FIELD_LEN(header_checksum), |
249 SHA512_DIGEST_ALGORITHM); | 333 SHA512_DIGEST_ALGORITHM); |
250 if (SafeMemcmp(header_checksum, | 334 if (SafeMemcmp(header_checksum, |
251 header_blob + (base_header_checksum_offset + sign_key_len), | 335 header_blob + (base_header_checksum_offset + |
| 336 firmware_sign_key_len), |
252 FIELD_LEN(header_checksum))) { | 337 FIELD_LEN(header_checksum))) { |
253 Free(header_checksum); | 338 Free(header_checksum); |
254 return VERIFY_FIRMWARE_INVALID_IMAGE; | 339 return VERIFY_FIRMWARE_INVALID_IMAGE; |
255 } | 340 } |
256 Free(header_checksum); | 341 Free(header_checksum); |
257 | 342 |
258 /* Verify root key signature unless we are in dev mode. */ | 343 /* Verify root key signature unless we are in dev mode. */ |
259 if (!dev_mode) { | 344 if (!dev_mode) { |
260 if (!RSAVerifyBinary_f(root_key_blob, NULL, /* Key to use */ | 345 if (!RSAVerifyBinary_f(root_key_blob, NULL, /* Key to use */ |
261 header_blob, /* Data to verify */ | 346 header_blob, /* Data to verify */ |
262 *header_len, /* Length of data */ | 347 *header_len, /* Length of data */ |
263 header_blob + *header_len, /* Expected Signature */ | 348 header_blob + *header_len, /* Expected Signature */ |
264 ROOT_SIGNATURE_ALGORITHM)) | 349 ROOT_SIGNATURE_ALGORITHM)) |
265 return VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; | 350 return VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; |
266 } | 351 } |
267 return 0; | 352 return 0; |
268 } | 353 } |
269 | 354 |
270 int VerifyFirmwarePreamble(RSAPublicKey* sign_key, | 355 int VerifyFirmwarePreamble(RSAPublicKey* firmware_sign_key, |
271 const uint8_t* preamble_blob, | 356 const uint8_t* preamble_blob, |
272 int algorithm, | 357 int algorithm, |
273 int* firmware_len) { | 358 int* firmware_len) { |
274 uint32_t len; | 359 uint32_t len; |
275 int preamble_len; | 360 int preamble_len; |
276 preamble_len = (FIELD_LEN(firmware_version) + | 361 preamble_len = (FIELD_LEN(firmware_version) + |
277 FIELD_LEN(firmware_len) + | 362 FIELD_LEN(firmware_len) + |
278 FIELD_LEN(preamble)); | 363 FIELD_LEN(preamble)); |
279 if (!RSAVerifyBinary_f(NULL, sign_key, /* Key to use */ | 364 if (!RSAVerifyBinary_f(NULL, firmware_sign_key, /* Key to use */ |
280 preamble_blob, /* Data to verify */ | 365 preamble_blob, /* Data to verify */ |
281 preamble_len, /* Length of data */ | 366 preamble_len, /* Length of data */ |
282 preamble_blob + preamble_len, /* Expected Signature */ | 367 preamble_blob + preamble_len, /* Expected Signature */ |
283 algorithm)) | 368 algorithm)) |
284 return VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED; | 369 return VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED; |
285 | 370 |
286 Memcpy(&len, preamble_blob + FIELD_LEN(firmware_version), | 371 Memcpy(&len, preamble_blob + FIELD_LEN(firmware_version), |
287 sizeof(len)); | 372 sizeof(len)); |
288 *firmware_len = (int) len; | 373 *firmware_len = (int) len; |
289 return 0; | 374 return 0; |
290 } | 375 } |
291 | 376 |
292 int VerifyFirmwareData(RSAPublicKey* sign_key, | 377 int VerifyFirmwareData(RSAPublicKey* firmware_sign_key, |
293 const uint8_t* firmware_data_start, | 378 const uint8_t* firmware_data_start, |
294 int firmware_len, | 379 int firmware_len, |
295 int algorithm) { | 380 int algorithm) { |
296 int signature_len = siglen_map[algorithm]; | 381 int signature_len = siglen_map[algorithm]; |
297 if (!RSAVerifyBinary_f(NULL, sign_key, /* Key to use. */ | 382 if (!RSAVerifyBinary_f(NULL, firmware_sign_key, /* Key to use. */ |
298 firmware_data_start + signature_len, /* Data to | 383 firmware_data_start + signature_len, /* Data to |
299 * verify */ | 384 * verify */ |
300 firmware_len, /* Length of data. */ | 385 firmware_len, /* Length of data. */ |
301 firmware_data_start, /* Expected Signature */ | 386 firmware_data_start, /* Expected Signature */ |
302 algorithm)) | 387 algorithm)) |
303 return VERIFY_FIRMWARE_SIGNATURE_FAILED; | 388 return VERIFY_FIRMWARE_SIGNATURE_FAILED; |
304 return 0; | 389 return 0; |
305 } | 390 } |
306 | 391 |
307 int VerifyFirmware(const uint8_t* root_key_blob, | 392 int VerifyFirmware(const uint8_t* root_key_blob, |
308 const uint8_t* firmware_blob, | 393 const uint8_t* firmware_blob, |
309 const int dev_mode) { | 394 const int dev_mode) { |
310 int error_code; | 395 int error_code; |
311 int algorithm; /* Signing key algorithm. */ | 396 int algorithm; /* Signing key algorithm. */ |
312 RSAPublicKey* sign_key; | 397 RSAPublicKey* firmware_sign_key; |
313 int sign_key_len, signature_len, header_len, firmware_len; | 398 int firmware_sign_key_len, signature_len, header_len, firmware_len; |
314 const uint8_t* header_ptr; /* Pointer to header. */ | 399 const uint8_t* header_ptr; /* Pointer to header. */ |
315 const uint8_t* sign_key_ptr; /* Pointer to signing key. */ | 400 const uint8_t* firmware_sign_key_ptr; /* Pointer to signing key. */ |
316 const uint8_t* preamble_ptr; /* Pointer to preamble block. */ | 401 const uint8_t* preamble_ptr; /* Pointer to preamble block. */ |
317 const uint8_t* firmware_ptr; /* Pointer to firmware signature/data. */ | 402 const uint8_t* firmware_ptr; /* Pointer to firmware signature/data. */ |
318 | 403 |
319 /* Note: All the offset calculations are based on struct FirmwareImage which | 404 /* Note: All the offset calculations are based on struct FirmwareImage which |
320 * is defined in include/firmware_image.h. */ | 405 * is defined in include/firmware_image.h. */ |
321 | 406 |
322 /* Compare magic bytes. */ | 407 /* Compare magic bytes. */ |
323 if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) | 408 if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE)) |
324 return VERIFY_FIRMWARE_WRONG_MAGIC; | 409 return VERIFY_FIRMWARE_WRONG_MAGIC; |
325 header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE; | 410 header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE; |
326 | 411 |
327 /* Only continue if header verification succeeds. */ | 412 /* Only continue if header verification succeeds. */ |
328 if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr, dev_mode, | 413 if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr, dev_mode, |
329 &algorithm, &header_len))) | 414 &algorithm, &header_len))) |
330 return error_code; /* AKA jump to revovery. */ | 415 return error_code; /* AKA jump to revovery. */ |
331 | 416 |
332 /* Parse signing key into RSAPublicKey structure since it is required multiple | 417 /* Parse signing key into RSAPublicKey structure since it is required multiple |
333 * times. */ | 418 * times. */ |
334 sign_key_len = RSAProcessedKeySize(algorithm); | 419 firmware_sign_key_len = RSAProcessedKeySize(algorithm); |
335 sign_key_ptr = header_ptr + (FIELD_LEN(header_len) + | 420 firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) + |
336 FIELD_LEN(sign_algorithm)); | 421 FIELD_LEN(firmware_sign_algorithm)); |
337 sign_key = RSAPublicKeyFromBuf(sign_key_ptr, sign_key_len); | 422 firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr, |
| 423 firmware_sign_key_len); |
338 signature_len = siglen_map[algorithm]; | 424 signature_len = siglen_map[algorithm]; |
339 | 425 |
340 /* Only continue if preamble verification succeeds. */ | 426 /* Only continue if preamble verification succeeds. */ |
341 preamble_ptr = (header_ptr + header_len + | 427 preamble_ptr = (header_ptr + header_len + |
342 FIELD_LEN(key_signature)); | 428 FIELD_LEN(firmware_key_signature)); |
343 if ((error_code = VerifyFirmwarePreamble(sign_key, preamble_ptr, algorithm, | 429 if ((error_code = VerifyFirmwarePreamble(firmware_sign_key, preamble_ptr, |
| 430 algorithm, |
344 &firmware_len))) | 431 &firmware_len))) |
345 return error_code; /* AKA jump to recovery. */ | 432 return error_code; /* AKA jump to recovery. */ |
346 | 433 |
347 /* Only continue if firmware data verification succeeds. */ | 434 /* Only continue if firmware data verification succeeds. */ |
348 firmware_ptr = (preamble_ptr + | 435 firmware_ptr = (preamble_ptr + |
349 FIELD_LEN(firmware_version) + | 436 FIELD_LEN(firmware_version) + |
350 FIELD_LEN(firmware_len) + | 437 FIELD_LEN(firmware_len) + |
351 FIELD_LEN(preamble) + | 438 FIELD_LEN(preamble) + |
352 signature_len); | 439 signature_len); |
353 | 440 |
354 if ((error_code = VerifyFirmwareData(sign_key, firmware_ptr, firmware_len, | 441 if ((error_code = VerifyFirmwareData(firmware_sign_key, firmware_ptr, |
| 442 firmware_len, |
355 algorithm))) | 443 algorithm))) |
356 return error_code; /* AKA jump to recovery. */ | 444 return error_code; /* AKA jump to recovery. */ |
357 | 445 |
358 return 0; /* Success! */ | 446 return 0; /* Success! */ |
359 } | 447 } |
360 | 448 |
361 int VerifyFirmwareImage(const RSAPublicKey* root_key, | 449 int VerifyFirmwareImage(const RSAPublicKey* root_key, |
362 const FirmwareImage* image, | 450 const FirmwareImage* image, |
363 const int dev_mode) { | 451 const int dev_mode) { |
364 RSAPublicKey* sign_key; | 452 RSAPublicKey* firmware_sign_key; |
365 uint8_t* header_digest = NULL; | 453 uint8_t* header_digest = NULL; |
366 uint8_t* preamble_digest = NULL; | 454 uint8_t* preamble_digest = NULL; |
367 uint8_t* firmware_digest = NULL; | 455 uint8_t* firmware_digest = NULL; |
368 int sign_key_size; | 456 int firmware_sign_key_size; |
369 int signature_size; | 457 int signature_size; |
370 int error_code = 0; | 458 int error_code = 0; |
371 DigestContext ctx; | 459 DigestContext ctx; |
372 | 460 |
373 if (!image) | 461 if (!image) |
374 return VERIFY_FIRMWARE_INVALID_IMAGE; | 462 return VERIFY_FIRMWARE_INVALID_IMAGE; |
375 | 463 |
376 /* Verify root key signature on the sign key header if we | 464 /* Verify root key signature on the sign key header if we |
377 * are not in dev mode. | 465 * are not in dev mode. |
378 * | 466 * |
379 * TODO(gauravsh): Add additional sanity checks here for: | 467 * TODO(gauravsh): Add additional sanity checks here for: |
380 * 1) verifying the header length is correct. | 468 * 1) verifying the header length is correct. |
381 * 2) header_checksum is correct. | 469 * 2) header_checksum is correct. |
382 */ | 470 */ |
383 if (!dev_mode) { | 471 if (!dev_mode) { |
384 DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM); | 472 DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM); |
385 DigestUpdate(&ctx, (uint8_t*) &image->header_len, | 473 DigestUpdate(&ctx, (uint8_t*) &image->header_len, |
386 FIELD_LEN(header_len)); | 474 FIELD_LEN(header_len)); |
387 DigestUpdate(&ctx, (uint8_t*) &image->sign_algorithm, | 475 DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm, |
388 FIELD_LEN(sign_algorithm)); | 476 FIELD_LEN(firmware_sign_algorithm)); |
389 DigestUpdate(&ctx, image->sign_key, | 477 DigestUpdate(&ctx, image->firmware_sign_key, |
390 RSAProcessedKeySize(image->sign_algorithm)); | 478 RSAProcessedKeySize(image->firmware_sign_algorithm)); |
391 DigestUpdate(&ctx, (uint8_t*) &image->key_version, | 479 DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version, |
392 FIELD_LEN(key_version)); | 480 FIELD_LEN(firmware_key_version)); |
393 DigestUpdate(&ctx, image->header_checksum, | 481 DigestUpdate(&ctx, image->header_checksum, |
394 FIELD_LEN(header_checksum)); | 482 FIELD_LEN(header_checksum)); |
395 header_digest = DigestFinal(&ctx); | 483 header_digest = DigestFinal(&ctx); |
396 if (!RSA_verify(root_key, image->key_signature, | 484 if (!RSAVerify(root_key, image->firmware_key_signature, |
397 FIELD_LEN(key_signature), | 485 FIELD_LEN(firmware_key_signature), |
398 ROOT_SIGNATURE_ALGORITHM, | 486 ROOT_SIGNATURE_ALGORITHM, |
399 header_digest)) { | 487 header_digest)) { |
400 error_code = VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; | 488 error_code = VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED; |
401 goto verify_failure; | 489 goto verify_failure; |
402 } | 490 } |
403 } | 491 } |
404 | 492 |
405 /* Get sign key to verify the rest of the firmware. */ | 493 /* Get sign key to verify the rest of the firmware. */ |
406 sign_key_size = RSAProcessedKeySize(image->sign_algorithm); | 494 firmware_sign_key_size = RSAProcessedKeySize(image->firmware_sign_algorithm); |
407 sign_key = RSAPublicKeyFromBuf(image->sign_key, | 495 firmware_sign_key = RSAPublicKeyFromBuf(image->firmware_sign_key, |
408 sign_key_size); | 496 firmware_sign_key_size); |
409 signature_size = siglen_map[image->sign_algorithm]; | 497 signature_size = siglen_map[image->firmware_sign_algorithm]; |
410 | 498 |
411 if (image->sign_algorithm >= kNumAlgorithms) | 499 if (image->firmware_sign_algorithm >= kNumAlgorithms) |
412 return VERIFY_FIRMWARE_INVALID_ALGORITHM; | 500 return VERIFY_FIRMWARE_INVALID_ALGORITHM; |
413 | 501 |
414 /* Verify firmware preamble signature. */ | 502 /* Verify firmware preamble signature. */ |
415 DigestInit(&ctx, image->sign_algorithm); | 503 DigestInit(&ctx, image->firmware_sign_algorithm); |
416 DigestUpdate(&ctx, (uint8_t*) &image->firmware_version, | 504 DigestUpdate(&ctx, (uint8_t*) &image->firmware_version, |
417 FIELD_LEN(firmware_version)); | 505 FIELD_LEN(firmware_version)); |
418 DigestUpdate(&ctx, (uint8_t*) &image->firmware_len, | 506 DigestUpdate(&ctx, (uint8_t*) &image->firmware_len, |
419 FIELD_LEN(firmware_len)); | 507 FIELD_LEN(firmware_len)); |
420 DigestUpdate(&ctx, (uint8_t*) &image->preamble, | 508 DigestUpdate(&ctx, (uint8_t*) &image->preamble, |
421 FIELD_LEN(preamble)); | 509 FIELD_LEN(preamble)); |
422 preamble_digest = DigestFinal(&ctx); | 510 preamble_digest = DigestFinal(&ctx); |
423 if (!RSA_verify(sign_key, image->preamble_signature, | 511 if (!RSAVerify(firmware_sign_key, image->preamble_signature, |
424 signature_size, image->sign_algorithm, | 512 signature_size, image->firmware_sign_algorithm, |
425 preamble_digest)) { | 513 preamble_digest)) { |
426 error_code = VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED; | 514 error_code = VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED; |
427 goto verify_failure; | 515 goto verify_failure; |
428 } | 516 } |
429 | 517 |
430 /* Verify firmware signature. */ | 518 /* Verify firmware signature. */ |
431 firmware_digest = DigestBuf(image->firmware_data, | 519 firmware_digest = DigestBuf(image->firmware_data, |
432 image->firmware_len, | 520 image->firmware_len, |
433 image->sign_algorithm); | 521 image->firmware_sign_algorithm); |
434 if(!RSA_verify(sign_key, image->firmware_signature, | 522 if (!RSAVerify(firmware_sign_key, image->firmware_signature, |
435 signature_size, image->sign_algorithm, | 523 signature_size, image->firmware_sign_algorithm, |
436 firmware_digest)) { | 524 firmware_digest)) { |
437 error_code = VERIFY_FIRMWARE_SIGNATURE_FAILED; | 525 error_code = VERIFY_FIRMWARE_SIGNATURE_FAILED; |
438 goto verify_failure; | 526 goto verify_failure; |
439 } | 527 } |
440 | 528 |
441 verify_failure: | 529 verify_failure: |
442 Free(firmware_digest); | 530 Free(firmware_digest); |
443 Free(preamble_digest); | 531 Free(preamble_digest); |
444 Free(header_digest); | 532 Free(header_digest); |
445 return error_code; | 533 return error_code; |
446 } | 534 } |
447 | 535 |
448 const char* VerifyFirmwareErrorString(int error) { | 536 const char* VerifyFirmwareErrorString(int error) { |
449 return kVerifyFirmwareErrors[error]; | 537 return kVerifyFirmwareErrors[error]; |
450 } | 538 } |
451 | 539 |
452 int AddFirmwareKeySignature(FirmwareImage* image, const char* root_key_file) { | 540 int AddFirmwareKeySignature(FirmwareImage* image, const char* root_key_file) { |
453 int tmp_hdr_fd; | 541 uint8_t* header_blob = NULL; |
454 char* tmp_hdr_file = ".tmpHdrFile"; | |
455 uint8_t* signature; | 542 uint8_t* signature; |
456 | 543 if (!image || !root_key_file) |
457 if(-1 == (tmp_hdr_fd = creat(tmp_hdr_file, S_IRWXU))) { | 544 return 0; |
458 fprintf(stderr, "Could not open temporary file for writing " | 545 header_blob = GetFirmwareHeaderBlob(image); |
459 "firmware header.\n"); | 546 if (!header_blob) |
| 547 return 0; |
| 548 if (!(signature = SignatureBuf(header_blob, |
| 549 GetFirmwareHeaderLen(image), |
| 550 root_key_file, |
| 551 ROOT_SIGNATURE_ALGORITHM))) { |
| 552 Free(header_blob); |
460 return 0; | 553 return 0; |
461 } | 554 } |
462 WriteFirmwareHeader(tmp_hdr_fd, image); | 555 Memcpy(image->firmware_key_signature, signature, RSA8192NUMBYTES); |
463 close(tmp_hdr_fd); | 556 Free(header_blob); |
464 | 557 Free(signature); |
465 if (!(signature = SignatureFile(tmp_hdr_file, root_key_file, | |
466 ROOT_SIGNATURE_ALGORITHM))) | |
467 return 0; | |
468 Memcpy(image->key_signature, signature, RSA8192NUMBYTES); | |
469 return 1; | 558 return 1; |
470 } | 559 } |
471 | 560 |
472 int AddFirmwareSignature(FirmwareImage* image, const char* signing_key_file, | 561 int AddFirmwareSignature(FirmwareImage* image, const char* signing_key_file) { |
473 int algorithm) { | 562 uint8_t* preamble_blob; |
474 int tmp_preamble_fd; | |
475 char* tmp_preamble_file = ".tmpPreambleFile"; | |
476 int tmp_firmware_fd; | |
477 char* tmp_firmware_file = ".tmpFirmwareFile"; | |
478 uint8_t* preamble_signature; | 563 uint8_t* preamble_signature; |
479 uint8_t* firmware_signature; | 564 uint8_t* firmware_signature; |
480 int signature_len = siglen_map[algorithm]; | 565 int signature_len = siglen_map[image->firmware_sign_algorithm]; |
481 | 566 |
482 /* Write preamble to a file. */ | 567 preamble_blob = GetFirmwarePreambleBlob(image); |
483 if(-1 == (tmp_preamble_fd = creat(tmp_preamble_file, S_IRWXU))) { | 568 if (!(preamble_signature = SignatureBuf(preamble_blob, |
484 fprintf(stderr, "Could not open temporary file for writing " | 569 GetFirmwarePreambleLen(image), |
485 "firmware preamble.\n"); | 570 signing_key_file, |
| 571 image->firmware_sign_algorithm))) { |
| 572 Free(preamble_blob); |
486 return 0; | 573 return 0; |
487 } | 574 } |
488 WriteFirmwarePreamble(tmp_preamble_fd, image); | |
489 close(tmp_preamble_fd); | |
490 if (!(preamble_signature = SignatureFile(tmp_preamble_file, signing_key_file, | |
491 algorithm))) | |
492 return 0; | |
493 image->preamble_signature = (uint8_t*) Malloc(signature_len); | 575 image->preamble_signature = (uint8_t*) Malloc(signature_len); |
494 Memcpy(image->preamble_signature, preamble_signature, signature_len); | 576 Memcpy(image->preamble_signature, preamble_signature, signature_len); |
495 Free(preamble_signature); | 577 Free(preamble_signature); |
496 | 578 |
497 if (-1 == (tmp_firmware_fd = creat(tmp_firmware_file, S_IRWXU))) { | 579 if (!(firmware_signature = SignatureBuf(image->firmware_data, |
498 fprintf(stderr, "Could not open temporary file for writing " | 580 image->firmware_len, |
499 "firmware.\n"); | 581 signing_key_file, |
| 582 image->firmware_sign_algorithm))) |
500 return 0; | 583 return 0; |
501 } | |
502 write(tmp_firmware_fd, image->firmware_data, image->firmware_len); | |
503 close(tmp_firmware_fd); | |
504 | |
505 if (!(firmware_signature = SignatureFile(tmp_firmware_file, signing_key_file, | |
506 algorithm))) { | |
507 fprintf(stderr, "Could not open temporary file for writing " | |
508 "firmware.\n"); | |
509 return 0; | |
510 } | |
511 image->firmware_signature = (uint8_t*) Malloc(signature_len); | 584 image->firmware_signature = (uint8_t*) Malloc(signature_len); |
512 Memcpy(image->firmware_signature, firmware_signature, signature_len); | 585 Memcpy(image->firmware_signature, firmware_signature, signature_len); |
513 Free(firmware_signature); | 586 Free(firmware_signature); |
514 return 1; | 587 return 1; |
515 } | 588 } |
OLD | NEW |