1 /* 2 * Copyright 2021 Google LLC 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #include <assert.h> 17 #include <libcr51sign/libcr51sign.h> 18 #include <stdio.h> 19 #include <stdlib.h> 20 #include <string.h> 21 22 #ifdef __cplusplus 23 extern "C" 24 { 25 #endif 26 27 #ifndef USER_PRINT 28 #define CPRINTS(ctx, ...) fprintf(stderr, __VA_ARGS__) 29 #endif 30 31 #define MEMBER_SIZE(type, field) sizeof(((type*)0)->field) 32 33 // True of x is a power of two 34 #define POWER_OF_TWO(x) ((x) && !((x) & ((x)-1))) 35 36 // Maximum version supported. Major revisions are not backwards compatible. 37 #define MAX_MAJOR_VERSION 1 38 39 // Descriptor alignment on the external EEPROM. 40 #define DESCRIPTOR_ALIGNMENT (64 * 1024) 41 42 // SPS EEPROM sector size is 4KiB, since this is the smallest erasable size. 43 #define IMAGE_REGION_ALIGNMENT 4096 44 45 #define MAX_READ_SIZE 1024 46 47 #ifndef ARRAY_SIZE 48 #define ARRAY_SIZE(t) (sizeof(t) / sizeof(t[0])) 49 #endif 50 51 // Values of SIGNATURE_OFFSET shuold be same for all sig types (2048,3072,4096) 52 #define SIGNATURE_OFFSET offsetof(struct signature_rsa3072_pkcs15, modulus) 53 54 #ifndef BUILD_ASSERT 55 #define BUILD_ASSERT(cond) ((void)sizeof(char[1 - 2 * !(cond)])) 56 #endif 57 58 typedef enum libcr51sign_validation_failure_reason failure_reason; 59 60 // Returns the bytes size of keys used in the given signature_scheme. 61 // Return error if signature_scheme is invalid. 62 // 63 static failure_reason get_key_size(enum signature_scheme signature_scheme, 64 uint16_t* key_size) 65 { 66 switch (signature_scheme) 67 { 68 case SIGNATURE_RSA2048_PKCS15: 69 *key_size = 256; 70 return LIBCR51SIGN_SUCCESS; 71 case SIGNATURE_RSA3072_PKCS15: 72 *key_size = 384; 73 return LIBCR51SIGN_SUCCESS; 74 case SIGNATURE_RSA4096_PKCS15: 75 case SIGNATURE_RSA4096_PKCS15_SHA512: 76 *key_size = 512; 77 return LIBCR51SIGN_SUCCESS; 78 default: 79 return LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME; 80 } 81 } 82 83 // Returns the hash_type for a given signature scheme 84 // Returns error if scheme is invalid. 85 failure_reason get_hash_type_from_signature(enum signature_scheme scheme, 86 enum hash_type* type) 87 { 88 switch (scheme) 89 { 90 case SIGNATURE_RSA2048_PKCS15: 91 case SIGNATURE_RSA3072_PKCS15: 92 case SIGNATURE_RSA4096_PKCS15: 93 *type = HASH_SHA2_256; 94 return LIBCR51SIGN_SUCCESS; 95 case SIGNATURE_RSA4096_PKCS15_SHA512: 96 *type = HASH_SHA2_512; 97 return LIBCR51SIGN_SUCCESS; 98 default: 99 return LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME; 100 } 101 } 102 103 // Check if the given hash_type is supported. 104 // Returns error if hash_type is not supported. 105 static failure_reason is_hash_type_supported(enum hash_type type) 106 { 107 switch (type) 108 { 109 case HASH_SHA2_256: 110 case HASH_SHA2_512: 111 return LIBCR51SIGN_SUCCESS; 112 default: 113 return LIBCR51SIGN_ERROR_INVALID_HASH_TYPE; 114 } 115 } 116 117 // Determines digest size for a given hash_type. 118 // Returns error if hash_type is not supported. 119 static failure_reason get_hash_digest_size(enum hash_type type, 120 uint32_t* size) 121 { 122 switch (type) 123 { 124 case HASH_SHA2_256: 125 *size = LIBCR51SIGN_SHA256_DIGEST_SIZE; 126 return LIBCR51SIGN_SUCCESS; 127 case HASH_SHA2_512: 128 *size = LIBCR51SIGN_SHA512_DIGEST_SIZE; 129 return LIBCR51SIGN_SUCCESS; 130 default: 131 return LIBCR51SIGN_ERROR_INVALID_HASH_TYPE; 132 } 133 } 134 135 // Determines hash struct size for a given hash_type. 136 // Returns error if hash_type is not supported. 137 static failure_reason get_hash_struct_size(enum hash_type type, 138 uint32_t* size) 139 { 140 switch (type) 141 { 142 case HASH_SHA2_256: 143 *size = sizeof(struct hash_sha256); 144 return LIBCR51SIGN_SUCCESS; 145 case HASH_SHA2_512: 146 *size = sizeof(struct hash_sha256); 147 return LIBCR51SIGN_SUCCESS; 148 default: 149 return LIBCR51SIGN_ERROR_INVALID_HASH_TYPE; 150 } 151 } 152 153 // Checks that: 154 // - The signing key is trusted 155 // - The target version is not denylisted 156 // If validating a staged update, also checks that: 157 // - The target image family matches the current image family 158 // - The image type transition is legal (i.e. dev -> *|| prod -> prod) or 159 // alternatively that the hardware ID is allowlisted 160 // Assuming the caller has performed following: 161 // board_get_base_key_index(); 162 // board_get_key_array 163 // Possible return codes: 164 // LIBCR51SIGN_SUCCESS = 0, 165 // LIBCR51SIGN_ERROR_RUNTIME_FAILURE = 1, 166 // LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR = 3, 167 // LIBCR51SIGN_ERROR_INVALID_IMAGE_FAMILY = 4, 168 // LIBCR51SIGN_ERROR_IMAGE_TYPE_DISALLOWED = 5, 169 170 static failure_reason 171 validate_transition(const struct libcr51sign_ctx* ctx, 172 const struct libcr51sign_intf* intf, 173 uint32_t signature_struct_offset) 174 { 175 BUILD_ASSERT((offsetof(struct signature_rsa2048_pkcs15, modulus) == 176 SIGNATURE_OFFSET && 177 offsetof(struct signature_rsa3072_pkcs15, modulus) == 178 SIGNATURE_OFFSET && 179 offsetof(struct signature_rsa4096_pkcs15, modulus) == 180 SIGNATURE_OFFSET)); 181 182 // Read up to the modulus. 183 enum 184 { 185 read_len = SIGNATURE_OFFSET 186 }; 187 uint8_t buffer[read_len]; 188 int rv; 189 rv = intf->read(ctx, signature_struct_offset, read_len, buffer); 190 if (rv != LIBCR51SIGN_SUCCESS) 191 { 192 CPRINTS(ctx, 193 "validate_transition: failed to read signature struct\n"); 194 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 195 } 196 if (*(uint32_t*)buffer != SIGNATURE_MAGIC) 197 { 198 CPRINTS(ctx, "validate_transition: bad signature magic\n"); 199 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 200 } 201 202 if (ctx->descriptor.image_family != ctx->current_image_family && 203 ctx->descriptor.image_family != IMAGE_FAMILY_ALL && 204 ctx->current_image_family != IMAGE_FAMILY_ALL) 205 { 206 CPRINTS(ctx, "validate_transition: invalid image family\n"); 207 return LIBCR51SIGN_ERROR_INVALID_IMAGE_FAMILY; 208 } 209 210 if (intf->is_production_mode == NULL) 211 { 212 CPRINTS(ctx, "validate_transition: missing is_production_mode\n"); 213 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 214 } 215 if (intf->is_production_mode() && 216 (ctx->descriptor.image_type == IMAGE_DEV)) 217 { 218 CPRINTS(ctx, "validate_transition: checking exemption allowlist\n"); 219 220 // If function is NULL or if the function call return false, return 221 // error 222 if (intf->prod_to_dev_downgrade_allowed == NULL || 223 !intf->prod_to_dev_downgrade_allowed()) 224 { 225 CPRINTS(ctx, "validate_transition: illegal image type\n"); 226 return LIBCR51SIGN_ERROR_DEV_DOWNGRADE_DISALLOWED; 227 } 228 } 229 return LIBCR51SIGN_SUCCESS; 230 } 231 232 // If caller had provided read_and_hash_update call that, otherwise call 233 // read and then update. 234 235 static failure_reason 236 read_and_hash_update(const struct libcr51sign_ctx* ctx, 237 const struct libcr51sign_intf* intf, 238 uint32_t offset, uint32_t size) 239 { 240 uint8_t read_buffer[MAX_READ_SIZE]; 241 int rv; 242 int read_size; 243 244 if (intf->read_and_hash_update) 245 { 246 rv = intf->read_and_hash_update((void*)ctx, offset, size); 247 } 248 else 249 { 250 if (!intf->hash_update) 251 { 252 CPRINTS(ctx, "read_and_hash_update: missing hash_update\n"); 253 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 254 } 255 do 256 { 257 read_size = size < MAX_READ_SIZE ? size : MAX_READ_SIZE; 258 rv = intf->read((void*)ctx, offset, read_size, read_buffer); 259 if (rv != LIBCR51SIGN_SUCCESS) 260 { 261 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 262 } 263 rv = intf->hash_update((void*)ctx, read_buffer, read_size); 264 if (rv != LIBCR51SIGN_SUCCESS) 265 { 266 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 267 } 268 offset += read_size; 269 size -= read_size; 270 } while (size > 0); 271 } 272 return rv; 273 } 274 275 // Validates the image_region array, namely that: 276 // - The regions are aligned, contiguous & exhaustive 277 // - That the image descriptor resides in a static region 278 // 279 // If the array is consistent, proceeds to hash the static regions and 280 // validates the hash. d_offset is the absolute image descriptor offset 281 282 static failure_reason validate_payload_regions( 283 const struct libcr51sign_ctx* ctx, struct libcr51sign_intf* intf, 284 uint32_t d_offset, struct libcr51sign_validated_regions* image_regions) 285 { 286 // Allocate buffer to accomodate largest supported hash-type(SHA512) 287 uint8_t magic_and_digest[MEMBER_SIZE(struct hash_sha512, hash_magic) + 288 LIBCR51SIGN_SHA512_DIGEST_SIZE]; 289 uint8_t dcrypto_digest[LIBCR51SIGN_SHA512_DIGEST_SIZE]; 290 uint32_t byte_count, region_count, image_size, hash_offset, digest_size; 291 uint32_t i; 292 uint8_t d_region_num = 0; 293 int rv; 294 struct image_region const* region; 295 296 if (image_regions == NULL) 297 { 298 CPRINTS(ctx, "Missing image region input\n"); 299 return LIBCR51SIGN_ERROR_INVALID_REGION_INPUT; 300 } 301 302 BUILD_ASSERT((MEMBER_SIZE(struct hash_sha256, hash_magic) == 303 MEMBER_SIZE(struct hash_sha512, hash_magic))); 304 image_size = ctx->descriptor.image_size; 305 region_count = ctx->descriptor.region_count; 306 hash_offset = d_offset + sizeof(struct image_descriptor) + 307 region_count * sizeof(struct image_region); 308 // Read the image_region array. 309 310 if (region_count > ARRAY_SIZE(image_regions->image_regions)) 311 { 312 CPRINTS(ctx, "validate_payload_regions: " 313 "ctx->descriptor.region_count is greater " 314 "than LIBCR51SIGN_MAX_REGION_COUNT\n"); 315 return LIBCR51SIGN_ERROR_INVALID_REGION_SIZE; 316 } 317 318 rv = intf->read(ctx, d_offset + sizeof(struct image_descriptor), 319 region_count * sizeof(struct image_region), 320 (uint8_t*)&image_regions->image_regions); 321 322 image_regions->region_count = region_count; 323 324 if (rv != LIBCR51SIGN_SUCCESS) 325 { 326 CPRINTS(ctx, 327 "validate_payload_regions: failed to read region array\n"); 328 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 329 } 330 331 // Validate that the regions are contiguous & exhaustive. 332 for (i = 0, byte_count = 0; i < region_count; i++) 333 { 334 region = image_regions->image_regions + i; 335 336 CPRINTS(ctx, 337 "validate_payload_regions: region #%d \"%s\" (%x - %x)\n", 338 i, (const char*)region->region_name, region->region_offset, 339 region->region_offset + region->region_size); 340 if ((region->region_offset % IMAGE_REGION_ALIGNMENT) != 0 || 341 (region->region_size % IMAGE_REGION_ALIGNMENT) != 0) 342 { 343 CPRINTS(ctx, "validate_payload_regions: regions must be sector " 344 "aligned\n"); 345 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 346 } 347 if (region->region_offset != byte_count || 348 region->region_size > image_size - byte_count) 349 { 350 CPRINTS(ctx, 351 "validate_payload_regions: invalid region array\n"); 352 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 353 } 354 byte_count += region->region_size; 355 // The image descriptor must be part of a static region. 356 if (d_offset >= region->region_offset && d_offset < byte_count) 357 { 358 d_region_num = i; 359 CPRINTS( 360 ctx, 361 "validate_payload_regions: image descriptor in region %d\n", 362 i); 363 // The descriptor can't span regions. 364 if (ctx->descriptor.descriptor_area_size > byte_count || 365 !(region->region_attributes & IMAGE_REGION_STATIC)) 366 { 367 CPRINTS( 368 ctx, 369 "validate_payload_regions: descriptor must reside in " 370 "static region\n"); 371 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 372 } 373 } 374 } 375 if (byte_count != image_size) 376 { 377 CPRINTS(ctx, "validate_payload_regions: invalid image size\n"); 378 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 379 } 380 381 rv = get_hash_digest_size(ctx->descriptor.hash_type, &digest_size); 382 if (rv != LIBCR51SIGN_SUCCESS) 383 { 384 return rv; 385 } 386 387 rv = intf->read(ctx, hash_offset, 388 MEMBER_SIZE(struct hash_sha256, hash_magic) + 389 digest_size, 390 magic_and_digest); 391 if (rv != LIBCR51SIGN_SUCCESS) 392 { 393 CPRINTS( 394 ctx, 395 "validate_payload_regions: failed to read hash from flash\n"); 396 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 397 } 398 if (*(uint32_t*)magic_and_digest != HASH_MAGIC) 399 { 400 CPRINTS(ctx, "validate_payload_regions: bad hash magic\n"); 401 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 402 } 403 rv = intf->hash_init(ctx, ctx->descriptor.hash_type); 404 if (rv != LIBCR51SIGN_SUCCESS) 405 { 406 CPRINTS(ctx, "validate_payload_regions: hash_init failed\n"); 407 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 408 } 409 for (i = 0; i < region_count; i++) 410 { 411 uint32_t hash_start, hash_size; 412 region = image_regions->image_regions + i; 413 414 if (!(region->region_attributes & IMAGE_REGION_STATIC)) 415 { 416 continue; 417 } 418 hash_start = region->region_offset; 419 hash_size = region->region_size; 420 421 // Skip the descriptor. 422 do 423 { 424 if (i == d_region_num) 425 { 426 hash_size = d_offset - hash_start; 427 } 428 429 if (!hash_size) 430 { 431 hash_start += ctx->descriptor.descriptor_area_size; 432 hash_size = (region->region_offset + region->region_size - 433 hash_start); 434 } 435 CPRINTS("validate_payload_regions: hashing %s (%x - %x)\n", 436 (const char*)region->region_name, hash_start, 437 hash_start + hash_size); 438 // Read the image_region array. 439 rv = read_and_hash_update(ctx, intf, hash_start, hash_size); 440 if (rv != LIBCR51SIGN_SUCCESS) 441 { 442 return rv; 443 } 444 hash_start += hash_size; 445 } while (hash_start != region->region_offset + region->region_size); 446 } 447 rv = intf->hash_final((void*)ctx, (uint8_t*)dcrypto_digest); 448 449 if (rv != LIBCR51SIGN_SUCCESS) 450 { 451 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 452 } 453 454 if (memcmp(magic_and_digest + 455 MEMBER_SIZE(struct hash_sha256, hash_magic), 456 dcrypto_digest, digest_size)) 457 { 458 CPRINTS(ctx, "validate_payload_regions: invalid hash\n"); 459 return LIBCR51SIGN_ERROR_INVALID_HASH; 460 } 461 // Image is valid. 462 return LIBCR51SIGN_SUCCESS; 463 } 464 465 // Create empty image_regions to pass to validate_payload_regions 466 // Support validate_payload_regions_helper to remove image_regions as a 467 // required input. 468 469 static failure_reason 470 allocate_and_validate_payload_regions(const struct libcr51sign_ctx* ctx, 471 struct libcr51sign_intf* intf, 472 uint32_t d_offset) 473 { 474 struct libcr51sign_validated_regions image_regions; 475 return validate_payload_regions(ctx, intf, d_offset, &image_regions); 476 } 477 478 // Wrapper around validate_payload_regions to allow nullptr for 479 // image_regions. Calls allocate_and_validate_payload_regions when 480 // image_regions is nullptr to create placer holder image_regions. 481 482 static failure_reason validate_payload_regions_helper( 483 const struct libcr51sign_ctx* ctx, struct libcr51sign_intf* intf, 484 uint32_t d_offset, struct libcr51sign_validated_regions* image_regions) 485 { 486 if (image_regions) 487 { 488 return validate_payload_regions(ctx, intf, d_offset, image_regions); 489 } 490 491 return allocate_and_validate_payload_regions(ctx, intf, d_offset); 492 } 493 494 // Check if the given signature_scheme is supported. 495 // Returns nonzero on error, zero on success 496 497 static failure_reason 498 is_signature_scheme_supported(enum signature_scheme scheme) 499 { 500 switch (scheme) 501 { 502 case SIGNATURE_RSA2048_PKCS15: 503 case SIGNATURE_RSA3072_PKCS15: 504 case SIGNATURE_RSA4096_PKCS15: 505 case SIGNATURE_RSA4096_PKCS15_SHA512: 506 return LIBCR51SIGN_SUCCESS; 507 default: 508 return LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME; 509 } 510 } 511 512 // Returns size of signature struct size in |size| 513 // Returns nonzero on error, zero on success 514 515 static failure_reason 516 get_signature_struct_size(enum signature_scheme scheme, uint32_t* size) 517 { 518 switch (scheme) 519 { 520 case SIGNATURE_RSA2048_PKCS15: 521 *size = sizeof(struct signature_rsa2048_pkcs15); 522 return LIBCR51SIGN_SUCCESS; 523 case SIGNATURE_RSA3072_PKCS15: 524 *size = sizeof(struct signature_rsa3072_pkcs15); 525 return LIBCR51SIGN_SUCCESS; 526 case SIGNATURE_RSA4096_PKCS15: 527 case SIGNATURE_RSA4096_PKCS15_SHA512: 528 *size = sizeof(struct signature_rsa4096_pkcs15); 529 return LIBCR51SIGN_SUCCESS; 530 default: 531 return LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME; 532 } 533 } 534 535 static failure_reason 536 get_signature_field_offset(enum signature_scheme scheme, 537 uint32_t* offset) 538 { 539 switch (scheme) 540 { 541 case SIGNATURE_RSA2048_PKCS15: 542 *offset = offsetof(struct signature_rsa2048_pkcs15, signature); 543 return LIBCR51SIGN_SUCCESS; 544 case SIGNATURE_RSA3072_PKCS15: 545 *offset = offsetof(struct signature_rsa3072_pkcs15, signature); 546 return LIBCR51SIGN_SUCCESS; 547 case SIGNATURE_RSA4096_PKCS15: 548 case SIGNATURE_RSA4096_PKCS15_SHA512: 549 *offset = offsetof(struct signature_rsa4096_pkcs15, signature); 550 return LIBCR51SIGN_SUCCESS; 551 default: 552 return LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME; 553 } 554 } 555 556 // Validates the signature (of type scheme) read from "device" at 557 //"raw_signature_offset" with "public_key" over a SHA256/SHA512 digest of 558 // EEPROM area "data_offset:data_size". 559 560 static failure_reason validate_signature( 561 const struct libcr51sign_ctx* ctx, const struct libcr51sign_intf* intf, 562 uint32_t data_offset, uint32_t data_size, enum signature_scheme scheme, 563 uint32_t raw_signature_offset) 564 { 565 uint8_t signature[LIBCR51SIGN_MAX_SIGNATURE_SIZE]; 566 uint16_t key_size; 567 uint32_t digest_size; 568 uint8_t dcrypto_digest[LIBCR51SIGN_SHA512_DIGEST_SIZE]; 569 int rv; 570 enum hash_type hash_type; 571 572 if (!intf->hash_init) 573 { 574 CPRINTS(ctx, "validate_signature: missing hash_init\n"); 575 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 576 } 577 rv = get_hash_type_from_signature(scheme, &hash_type); 578 if (rv != LIBCR51SIGN_SUCCESS) 579 { 580 CPRINTS( 581 ctx, 582 "validate_payload_regions: hash_type from signature failed\n"); 583 return rv; 584 } 585 rv = intf->hash_init(ctx, hash_type); 586 if (rv != LIBCR51SIGN_SUCCESS) 587 { 588 CPRINTS(ctx, "validate_payload_regions: hash_init failed\n"); 589 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 590 } 591 rv = read_and_hash_update(ctx, intf, data_offset, data_size); 592 if (rv != LIBCR51SIGN_SUCCESS) 593 { 594 CPRINTS(ctx, "validate_signature: hash_update failed\n"); 595 return rv; 596 } 597 if (!intf->hash_final) 598 { 599 CPRINTS(ctx, "validate_signature: missing hash_final\n"); 600 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 601 } 602 rv = intf->hash_final((void*)ctx, dcrypto_digest); 603 if (rv != LIBCR51SIGN_SUCCESS) 604 { 605 CPRINTS(ctx, 606 "validate_signature: hash_final failed (status = %d)\n", 607 rv); 608 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 609 } 610 rv = get_key_size(scheme, &key_size); 611 if (rv != LIBCR51SIGN_SUCCESS) 612 { 613 return rv; 614 } 615 616 rv = intf->read(ctx, raw_signature_offset, key_size, signature); 617 if (rv != LIBCR51SIGN_SUCCESS) 618 { 619 CPRINTS( 620 ctx, 621 "validate_signature: failed to read signature (status = %d)\n", 622 rv); 623 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 624 } 625 if (!intf->verify_signature) 626 { 627 CPRINTS(ctx, "validate_signature: missing verify_signature\n"); 628 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 629 } 630 rv = get_hash_digest_size(hash_type, &digest_size); 631 if (rv != LIBCR51SIGN_SUCCESS) 632 { 633 return rv; 634 } 635 rv = intf->verify_signature(ctx, scheme, signature, key_size, 636 dcrypto_digest, digest_size); 637 if (rv != LIBCR51SIGN_SUCCESS) 638 { 639 CPRINTS(ctx, 640 "validate_signature: verification failed (status = %d)\n", 641 rv); 642 return LIBCR51SIGN_ERROR_INVALID_SIGNATURE; 643 } 644 CPRINTS(ctx, "validate_signature: verification succeeded\n"); 645 return LIBCR51SIGN_SUCCESS; 646 } 647 648 // Sanity checks the image descriptor & validates its signature. 649 // This function does not validate the image_region array or image hash. 650 // 651 //@param[in] ctx context which describes the image and holds opaque private 652 // data for the user of the library 653 //@param[in] intf function pointers which interface to the current system 654 // and environment 655 //@param offset Absolute image descriptor flash offset. 656 //@param relative_offset Image descriptor offset relative to image start. 657 //@param max_size Maximum size of the flash space in bytes. 658 //@param descriptor Output pointer to an image_descriptor struct 659 660 static failure_reason validate_descriptor( 661 const struct libcr51sign_ctx* ctx, const struct libcr51sign_intf* intf, 662 uint32_t offset, uint32_t relative_offset, uint32_t max_size) 663 { 664 uint32_t max_descriptor_size, signed_size, signature_scheme, 665 signature_offset; 666 uint32_t signature_struct_offset, signature_struct_size, 667 hash_struct_size; 668 int rv; 669 670 max_descriptor_size = max_size - relative_offset; 671 if (max_size < relative_offset || 672 max_descriptor_size < sizeof(struct image_descriptor)) 673 { 674 CPRINTS(ctx, "validate_descriptor: invalid arguments\n"); 675 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 676 } 677 678 rv = intf->read(ctx, offset, sizeof(ctx->descriptor), 679 (uint8_t*)&ctx->descriptor); 680 if (rv != LIBCR51SIGN_SUCCESS) 681 { 682 CPRINTS(ctx, "validate_descriptor: failed to read descriptor\n"); 683 return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; 684 } 685 if (ctx->descriptor.descriptor_magic != DESCRIPTOR_MAGIC || 686 ctx->descriptor.descriptor_offset != relative_offset || 687 ctx->descriptor.region_count == 0 || 688 ctx->descriptor.descriptor_area_size > max_descriptor_size || 689 ctx->descriptor.image_size > max_size) 690 { 691 CPRINTS(ctx, "validate_descriptor: invalid descriptor\n"); 692 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 693 } 694 if (intf->image_size_valid == NULL) 695 { 696 // Preserve original behavior of requiring exact image_size match if 697 // no operator is provided. 698 if (ctx->descriptor.image_size != max_size) 699 { 700 CPRINTS(ctx, "validate_descriptor: invalid image size\n"); 701 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 702 } 703 } 704 else if (!intf->image_size_valid(ctx->descriptor.image_size)) 705 { 706 CPRINTS(ctx, "validate_descriptor: invalid image size\n"); 707 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 708 } 709 if (ctx->descriptor.image_type != IMAGE_DEV && 710 ctx->descriptor.image_type != IMAGE_PROD && 711 ctx->descriptor.image_type != IMAGE_BREAKOUT && 712 ctx->descriptor.image_type != IMAGE_TEST && 713 ctx->descriptor.image_type != IMAGE_UNSIGNED_INTEGRITY) 714 { 715 CPRINTS(ctx, "validate_descriptor: bad image type\n"); 716 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 717 } 718 // Although the image_descriptor struct supports unauthenticated 719 // images, Haven will not allow it. 720 // Haven only supports SHA256 + RSA2048/RSA3072_PKCS15 currently. 721 722 signature_scheme = ctx->descriptor.signature_scheme; 723 724 rv = is_signature_scheme_supported(signature_scheme); 725 if (rv != LIBCR51SIGN_SUCCESS) 726 { 727 return rv; 728 } 729 rv = is_hash_type_supported(ctx->descriptor.hash_type); 730 if (rv != LIBCR51SIGN_SUCCESS) 731 { 732 CPRINTS(ctx, "validate_payload_regions: invalid hash type\n"); 733 return rv; 734 } 735 if (ctx->descriptor.descriptor_major > MAX_MAJOR_VERSION || 736 ctx->descriptor.region_count > LIBCR51SIGN_MAX_REGION_COUNT) 737 { 738 CPRINTS(ctx, "validate_descriptor: unsupported descriptor\n"); 739 return LIBCR51SIGN_ERROR_UNSUPPORTED_DESCRIPTOR; 740 } 741 rv = 742 get_signature_struct_size(signature_scheme, &signature_struct_size); 743 if (rv != LIBCR51SIGN_SUCCESS) 744 { 745 return rv; 746 } 747 748 // Compute the size of the signed portion of the image descriptor. 749 signed_size = 750 sizeof(struct image_descriptor) + 751 ctx->descriptor.region_count * sizeof(struct image_region); 752 rv = get_hash_struct_size(ctx->descriptor.hash_type, &hash_struct_size); 753 if (rv != LIBCR51SIGN_SUCCESS) 754 { 755 return rv; 756 } 757 signed_size += hash_struct_size; 758 if (ctx->descriptor.denylist_size) 759 { 760 signed_size += sizeof(struct denylist); 761 signed_size += 762 ctx->descriptor.denylist_size * sizeof(struct denylist_record); 763 } 764 if (ctx->descriptor.blob_size) 765 { 766 signed_size += sizeof(struct blob); 767 // Previous additions are guaranteed not to overflow. 768 if (ctx->descriptor.blob_size > 769 ctx->descriptor.descriptor_area_size - signed_size) 770 { 771 CPRINTS(ctx, "validate_descriptor: invalid blob size (0x%x)\n", 772 ctx->descriptor.blob_size); 773 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 774 } 775 signed_size += ctx->descriptor.blob_size; 776 } 777 if (signature_struct_size > 778 ctx->descriptor.descriptor_area_size - signed_size) 779 { 780 CPRINTS(ctx, 781 "validate_descriptor: invalid descriptor area size " 782 "(expected = 0x%x, actual = 0x%x)\n", 783 ctx->descriptor.descriptor_area_size, 784 signed_size + signature_struct_size); 785 return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR; 786 } 787 signature_struct_offset = signed_size; 788 // Omit the actual signature. 789 rv = get_signature_field_offset(signature_scheme, &signature_offset); 790 if (rv != LIBCR51SIGN_SUCCESS) 791 { 792 return rv; 793 } 794 signed_size += signature_offset; 795 796 // Lookup key & validate transition. 797 rv = validate_transition(ctx, intf, offset + signature_struct_offset); 798 799 if (rv != LIBCR51SIGN_SUCCESS) 800 { 801 return rv; 802 } 803 return validate_signature(ctx, intf, offset, signed_size, 804 signature_scheme, offset + signed_size); 805 } 806 807 // Scans the external EEPROM for a magic value at "alignment" boundaries. 808 // 809 //@param device Handle to the external EEPROM. 810 //@param magic 8-byte pattern to search for. 811 //@param start_offset Offset to begin searching at. 812 //@param limit Exclusive address (e.g. EEPROM size). 813 //@param alignment Alignment boundaries (POW2) to search on. 814 //@param header_offset Location to place the new header offset. 815 //@return LIBCR51SIGN_SUCCESS (or non-zero on error). 816 817 int scan_for_magic_8(const struct libcr51sign_ctx* ctx, 818 const struct libcr51sign_intf* intf, uint64_t magic, 819 uint32_t start_offset, uint32_t limit, 820 uint32_t alignment, uint32_t* header_offset) 821 { 822 uint64_t read_data; 823 uint32_t offset; 824 int rv; 825 826 if (limit <= start_offset || limit > ctx->end_offset || 827 limit < sizeof(magic) || !POWER_OF_TWO(alignment)) 828 { 829 return LIBCR51SIGN_ERROR_INVALID_ARGUMENT; 830 } 831 832 if (!intf->read) 833 { 834 CPRINTS(ctx, "scan_for_magic_8: missing intf->read\n"); 835 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 836 } 837 // Align start_offset to the next valid boundary. 838 start_offset = ((start_offset - 1) & ~(alignment - 1)) + alignment; 839 for (offset = start_offset; offset < limit - sizeof(magic); 840 offset += alignment) 841 { 842 rv = intf->read((void*)ctx, offset, sizeof(read_data), 843 (uint8_t*)&read_data); 844 if (rv != LIBCR51SIGN_SUCCESS) 845 { 846 return rv; 847 } 848 if (read_data == magic) 849 { 850 if (header_offset) 851 { 852 *header_offset = offset; 853 } 854 return LIBCR51SIGN_SUCCESS; 855 } 856 } 857 // Failed to locate magic. 858 return LIBCR51SIGN_ERROR_FAILED_TO_LOCATE_MAGIC; 859 } 860 861 // Check whether the signature on the image is valid. 862 // Validates the authenticity of an EEPROM image. Scans for & validates the 863 // signature on the image descriptor. If the descriptor validates, hashes 864 // the rest of the image to verify its integrity. 865 // 866 // @param[in] ctx - context which describes the image and holds opaque 867 // private 868 // data for the user of the library 869 // @param[in] intf - function pointers which interface to the current system 870 // and environment 871 // @param[out] image_regions - image_region pointer to an array for the 872 // output 873 // 874 // @return nonzero on error, zero on success 875 876 failure_reason libcr51sign_validate( 877 const struct libcr51sign_ctx* ctx, struct libcr51sign_intf* intf, 878 struct libcr51sign_validated_regions* image_regions) 879 { 880 uint32_t image_limit = 0; 881 int rv, rv_first_desc = LIBCR51SIGN_SUCCESS; 882 uint32_t descriptor_offset; 883 884 if (!ctx) 885 { 886 CPRINTS(ctx, "Missing context\n"); 887 return LIBCR51SIGN_ERROR_INVALID_CONTEXT; 888 } 889 else if (!intf) 890 { 891 CPRINTS(ctx, "Missing interface\n"); 892 return LIBCR51SIGN_ERROR_INVALID_INTERFACE; 893 } 894 895 rv = scan_for_magic_8(ctx, intf, DESCRIPTOR_MAGIC, ctx->start_offset, 896 ctx->end_offset, DESCRIPTOR_ALIGNMENT, 897 &descriptor_offset); 898 while (rv == LIBCR51SIGN_SUCCESS) 899 { 900 CPRINTS(ctx, "validate: potential image descriptor found @%x\n", 901 descriptor_offset); 902 // Validation is split into 2 functions to minimize 903 // stack usage. 904 905 rv = validate_descriptor(ctx, intf, descriptor_offset, 906 descriptor_offset - ctx->start_offset, 907 ctx->end_offset - ctx->start_offset); 908 if (rv != LIBCR51SIGN_SUCCESS) 909 { 910 CPRINTS(ctx, "validate: validate_descriptor() failed ec%d\n", 911 rv); 912 } 913 914 if (rv == LIBCR51SIGN_SUCCESS) 915 { 916 rv = validate_payload_regions_helper( 917 ctx, intf, descriptor_offset, image_regions); 918 if (rv == LIBCR51SIGN_SUCCESS) 919 { 920 CPRINTS(ctx, "validate: success!\n"); 921 return rv; 922 } 923 CPRINTS(ctx, 924 "validate: validate_payload_regions() failed ec%d\n", 925 rv); 926 } 927 // Store the first desc fail reason if any 928 if (rv != LIBCR51SIGN_SUCCESS && 929 rv_first_desc == LIBCR51SIGN_SUCCESS) 930 rv_first_desc = rv; 931 932 // scan_for_magic_8() will round up to the next aligned boundary. 933 descriptor_offset++; 934 image_limit = ctx->end_offset - ctx->start_offset; 935 rv = scan_for_magic_8(ctx, intf, DESCRIPTOR_MAGIC, 936 descriptor_offset, image_limit, 937 DESCRIPTOR_ALIGNMENT, &descriptor_offset); 938 } 939 CPRINTS(ctx, "validate: failed to validate image ec%d\n", rv); 940 // If desc validation failed for some reason then return that reason 941 if (rv_first_desc != LIBCR51SIGN_SUCCESS) 942 return rv_first_desc; 943 else 944 return rv; 945 } 946 947 // @func to returns the libcr51sign error code as a string 948 // @param[in] ec - Error code 949 // @return error code in string format 950 951 const char* libcr51sign_errorcode_to_string(failure_reason ec) 952 { 953 switch (ec) 954 { 955 case LIBCR51SIGN_SUCCESS: 956 return "Success"; 957 case LIBCR51SIGN_ERROR_RUNTIME_FAILURE: 958 return "Runtime Error Failure"; 959 case LIBCR51SIGN_ERROR_UNSUPPORTED_DESCRIPTOR: 960 return "Unsupported descriptor"; 961 case LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR: 962 return "Invalid descriptor"; 963 case LIBCR51SIGN_ERROR_INVALID_IMAGE_FAMILY: 964 return "Invalid image family"; 965 case LIBCR51SIGN_ERROR_IMAGE_TYPE_DISALLOWED: 966 return "Image type disallowed"; 967 case LIBCR51SIGN_ERROR_DEV_DOWNGRADE_DISALLOWED: 968 return "Dev downgrade disallowed"; 969 case LIBCR51SIGN_ERROR_UNTRUSTED_KEY: 970 return "Untrusted key"; 971 case LIBCR51SIGN_ERROR_INVALID_SIGNATURE: 972 return "Invalid signature"; 973 case LIBCR51SIGN_ERROR_INVALID_HASH: 974 return "Invalid hash"; 975 case LIBCR51SIGN_ERROR_INVALID_HASH_TYPE: 976 return "Invalid hash type"; 977 case LIBCR51SIGN_ERROR_INVALID_ARGUMENT: 978 return "Invalid Argument"; 979 case LIBCR51SIGN_ERROR_FAILED_TO_LOCATE_MAGIC: 980 return "Failed to locate descriptor"; 981 case LIBCR51SIGN_ERROR_INVALID_CONTEXT: 982 return "Invalid context"; 983 case LIBCR51SIGN_ERROR_INVALID_INTERFACE: 984 return "Invalid interface"; 985 case LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME: 986 return "Invalid signature scheme"; 987 case LIBCR51SIGN_ERROR_INVALID_REGION_INPUT: 988 return "Invalid image region input"; 989 case LIBCR51SIGN_ERROR_INVALID_REGION_SIZE: 990 return "Invalid image region size"; 991 default: 992 return "Unknown error"; 993 } 994 } 995 996 #ifdef __cplusplus 997 } // extern "C" 998 #endif 999