xref: /openbmc/openpower-pnor-code-mgmt/image_verify.hpp (revision be20e8722ed86bf929995e96a2d2c99a85b1b51a)
1 #pragma once
2 #include "utils.hpp"
3 
4 #include <openssl/evp.h>
5 #include <openssl/pem.h>
6 #include <openssl/rsa.h>
7 #include <sys/mman.h>
8 #include <unistd.h>
9 
10 #include <filesystem>
11 #include <set>
12 #include <string>
13 
14 namespace openpower
15 {
16 namespace software
17 {
18 namespace image
19 {
20 
21 using Key_t = std::string;
22 using Hash_t = std::string;
23 using PublicKeyPath = std::filesystem::path;
24 using HashFilePath = std::filesystem::path;
25 using KeyHashPathPair = std::pair<HashFilePath, PublicKeyPath>;
26 using AvailableKeyTypes = std::set<Key_t>;
27 
28 // RAII support for openSSL functions.
29 using BIO_MEM_Ptr = std::unique_ptr<BIO, decltype(&::BIO_free)>;
30 using EVP_PKEY_Ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>;
31 using EVP_MD_CTX_Ptr =
32     std::unique_ptr<EVP_MD_CTX, decltype(&::EVP_MD_CTX_free)>;
33 
34 /** @struct CustomFd
35  *
36  *  RAII wrapper for file descriptor.
37  */
38 struct CustomFd
39 {
40   public:
41     CustomFd() = delete;
42     CustomFd(const CustomFd&) = delete;
43     CustomFd& operator=(const CustomFd&) = delete;
44     CustomFd(CustomFd&&) = default;
45     CustomFd& operator=(CustomFd&&) = default;
46     /** @brief Saves File descriptor and uses it to do file operation
47      *
48      *  @param[in] fd - File descriptor
49      */
50     explicit CustomFd(int fd) : fd(fd)
51     {}
52 
53     ~CustomFd()
54     {
55         if (fd >= 0)
56         {
57             close(fd);
58         }
59     }
60 
61     int operator()() const
62     {
63         return fd;
64     }
65 
66   private:
67     /** @brief File descriptor */
68     int fd = -1;
69 };
70 
71 /** @struct CustomMap
72  *
73  *  RAII wrapper for mmap.
74  */
75 struct CustomMap
76 {
77   private:
78     /** @brief starting address of the map   */
79     void* addr;
80 
81     /** @brief length of the mapping   */
82     size_t length;
83 
84   public:
85     CustomMap() = delete;
86     CustomMap(const CustomMap&) = delete;
87     CustomMap& operator=(const CustomMap&) = delete;
88     CustomMap(CustomMap&&) = default;
89     CustomMap& operator=(CustomMap&&) = default;
90 
91     /** @brief Saves starting address of the map and
92      *         and length of the file.
93      *  @param[in]  addr - Starting address of the map
94      *  @param[in]  length - length of the map
95      */
96     CustomMap(void* addr, size_t length) : addr(addr), length(length)
97     {}
98 
99     ~CustomMap()
100     {
101         munmap(addr, length);
102     }
103 
104     void* operator()() const
105     {
106         return addr;
107     }
108 };
109 
110 /** @class Signature
111  *  @brief Contains signature verification functions.
112  *  @details The software image class that contains the signature
113  *           verification functions for signed image.
114  */
115 class Signature
116 {
117   public:
118     Signature() = delete;
119     Signature(const Signature&) = delete;
120     Signature& operator=(const Signature&) = delete;
121     Signature(Signature&&) = default;
122     Signature& operator=(Signature&&) = default;
123     ~Signature() = default;
124 
125     /**
126      * @brief Constructs Signature.
127      * @param[in]  imageDirPath - image path
128      * @param[in]  signedConfPath - Path of public key
129      *                              hash function files
130      */
131     explicit Signature(const std::filesystem::path& imageDirPath,
132                        const std::string& pnorFileName,
133                        const std::filesystem::path& signedConfPath);
134 
135     /**
136      * @brief Image signature verification function.
137      *        Verify the Manifest and public key file signature using the
138      *        public keys available in the system first. After successful
139      *        validation, continue the whole image files signature
140      *        validation using the image specific public key and the
141      *        hash function.
142      *
143      *        @return true if signature verification was successful,
144      *                     false if not
145      */
146     bool verify();
147 
148   private:
149     /**
150      * @brief Function used for system level file signature validation
151      *        of image specific publickey file and manifest file
152      *        using the available public keys and hash functions
153      *        in the system.
154      *        Refer code-update documentation for more details.
155      */
156     bool systemLevelVerify();
157 
158     /**
159      *  @brief Return all key types stored in the BMC based on the
160      *         public key and hashfunc files stored in the BMC.
161      *
162      *  @return list
163      */
164     AvailableKeyTypes getAvailableKeyTypesFromSystem() const;
165 
166     /**
167      *  @brief Return public key and hash function file names for the
168      *  corresponding key type
169      *
170      *  @param[in]  key - key type
171      *  @return Pair of hash and public key file names
172      */
173     inline KeyHashPathPair getKeyHashFileNames(const Key_t& key) const;
174 
175     /**
176      * @brief Verify the file signature using public key and hash function
177      *
178      * @param[in]  - Image file path
179      * @param[in]  - Signature file path
180      * @param[in]  - Public key
181      * @param[in]  - Hash function name
182      * @return true if signature verification was successful, false if not
183      */
184     bool verifyFile(const std::filesystem::path& file,
185                     const std::filesystem::path& signature,
186                     const std::filesystem::path& publicKey,
187                     const std::string& hashFunc);
188 
189     /**
190      * @brief Create RSA object from the public key
191      * @param[in]  - publickey
192      * @param[out] - RSA Object.
193      */
194     inline RSA* createPublicRSA(const std::filesystem::path& publicKey);
195 
196     /**
197      * @brief Memory map the  file
198      * @param[in]  - file path
199      * @param[in]  - file size
200      * @param[out] - Custom Mmap address
201      */
202     CustomMap mapFile(const std::filesystem::path& path, size_t size);
203 
204     /** @brief Directory where software images are placed*/
205     std::filesystem::path imageDirPath;
206 
207     /** @brief The PNOR file name in imageDirPath */
208     std::string pnorFileName;
209 
210     /** @brief Path of public key and hash function files */
211     std::filesystem::path signedConfPath;
212 
213     /** @brief key type defined in mainfest file */
214     Key_t keyType;
215 
216     /** @brief Hash type defined in mainfest file */
217     Hash_t hashType;
218 };
219 
220 } // namespace image
221 } // namespace software
222 } // namespace openpower
223