19d7cd834SJayanth Othayoth #pragma once 2*fb6e1fc2SJayanth Othayoth #include <openssl/rsa.h> 3*fb6e1fc2SJayanth Othayoth #include <openssl/evp.h> 4*fb6e1fc2SJayanth Othayoth #include <openssl/pem.h> 59d7cd834SJayanth Othayoth #include <experimental/filesystem> 62ab9b109SJayanth Othayoth #include <set> 7*fb6e1fc2SJayanth Othayoth #include <unistd.h> 8*fb6e1fc2SJayanth Othayoth #include <sys/mman.h> 99d7cd834SJayanth Othayoth 109d7cd834SJayanth Othayoth namespace phosphor 119d7cd834SJayanth Othayoth { 129d7cd834SJayanth Othayoth namespace software 139d7cd834SJayanth Othayoth { 149d7cd834SJayanth Othayoth namespace image 159d7cd834SJayanth Othayoth { 169d7cd834SJayanth Othayoth 179d7cd834SJayanth Othayoth namespace fs = std::experimental::filesystem; 182ab9b109SJayanth Othayoth using Key_t = std::string; 192ab9b109SJayanth Othayoth using Hash_t = std::string; 202ab9b109SJayanth Othayoth using PublicKeyPath = fs::path; 212ab9b109SJayanth Othayoth using HashFilePath = fs::path; 222ab9b109SJayanth Othayoth using KeyHashPathPair = std::pair<HashFilePath, PublicKeyPath>; 232ab9b109SJayanth Othayoth using AvailableKeyTypes = std::set<Key_t>; 249d7cd834SJayanth Othayoth 25*fb6e1fc2SJayanth Othayoth // RAII support for openSSL functions. 26*fb6e1fc2SJayanth Othayoth using BIO_MEM_Ptr = std::unique_ptr<BIO, decltype(&::BIO_free)>; 27*fb6e1fc2SJayanth Othayoth using EVP_PKEY_Ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>; 28*fb6e1fc2SJayanth Othayoth using EVP_MD_CTX_Ptr = 29*fb6e1fc2SJayanth Othayoth std::unique_ptr<EVP_MD_CTX, decltype(&::EVP_MD_CTX_destroy)>; 30*fb6e1fc2SJayanth Othayoth 312ab9b109SJayanth Othayoth // BMC flash image file name list. 322ab9b109SJayanth Othayoth const std::vector<std::string> bmcImages = {"image-kernel", "image-rofs", 332ab9b109SJayanth Othayoth "image-rwfs", "image-u-boot"}; 34*fb6e1fc2SJayanth Othayoth /** @struct CustomFd 35*fb6e1fc2SJayanth Othayoth * 36*fb6e1fc2SJayanth Othayoth * RAII wrapper for file descriptor. 37*fb6e1fc2SJayanth Othayoth */ 38*fb6e1fc2SJayanth Othayoth struct CustomFd 39*fb6e1fc2SJayanth Othayoth { 40*fb6e1fc2SJayanth Othayoth public: 41*fb6e1fc2SJayanth Othayoth CustomFd() = delete; 42*fb6e1fc2SJayanth Othayoth CustomFd(const CustomFd&) = delete; 43*fb6e1fc2SJayanth Othayoth CustomFd& operator=(const CustomFd&) = delete; 44*fb6e1fc2SJayanth Othayoth CustomFd(CustomFd&&) = default; 45*fb6e1fc2SJayanth Othayoth CustomFd& operator=(CustomFd&&) = default; 46*fb6e1fc2SJayanth Othayoth /** @brief Saves File descriptor and uses it to do file operation 47*fb6e1fc2SJayanth Othayoth * 48*fb6e1fc2SJayanth Othayoth * @param[in] fd - File descriptor 49*fb6e1fc2SJayanth Othayoth */ 50*fb6e1fc2SJayanth Othayoth CustomFd(int fd) : fd(fd) 51*fb6e1fc2SJayanth Othayoth { 52*fb6e1fc2SJayanth Othayoth } 53*fb6e1fc2SJayanth Othayoth 54*fb6e1fc2SJayanth Othayoth ~CustomFd() 55*fb6e1fc2SJayanth Othayoth { 56*fb6e1fc2SJayanth Othayoth if (fd >= 0) 57*fb6e1fc2SJayanth Othayoth { 58*fb6e1fc2SJayanth Othayoth close(fd); 59*fb6e1fc2SJayanth Othayoth } 60*fb6e1fc2SJayanth Othayoth } 61*fb6e1fc2SJayanth Othayoth 62*fb6e1fc2SJayanth Othayoth int operator()() const 63*fb6e1fc2SJayanth Othayoth { 64*fb6e1fc2SJayanth Othayoth return fd; 65*fb6e1fc2SJayanth Othayoth } 66*fb6e1fc2SJayanth Othayoth 67*fb6e1fc2SJayanth Othayoth private: 68*fb6e1fc2SJayanth Othayoth /** @brief File descriptor */ 69*fb6e1fc2SJayanth Othayoth int fd = -1; 70*fb6e1fc2SJayanth Othayoth }; 71*fb6e1fc2SJayanth Othayoth 72*fb6e1fc2SJayanth Othayoth /** @struct CustomMap 73*fb6e1fc2SJayanth Othayoth * 74*fb6e1fc2SJayanth Othayoth * RAII wrapper for mmap. 75*fb6e1fc2SJayanth Othayoth */ 76*fb6e1fc2SJayanth Othayoth struct CustomMap 77*fb6e1fc2SJayanth Othayoth { 78*fb6e1fc2SJayanth Othayoth private: 79*fb6e1fc2SJayanth Othayoth /** @brief starting address of the map */ 80*fb6e1fc2SJayanth Othayoth void* addr; 81*fb6e1fc2SJayanth Othayoth 82*fb6e1fc2SJayanth Othayoth /** @brief length of the mapping */ 83*fb6e1fc2SJayanth Othayoth size_t length; 84*fb6e1fc2SJayanth Othayoth 85*fb6e1fc2SJayanth Othayoth public: 86*fb6e1fc2SJayanth Othayoth CustomMap() = delete; 87*fb6e1fc2SJayanth Othayoth CustomMap(const CustomMap&) = delete; 88*fb6e1fc2SJayanth Othayoth CustomMap& operator=(const CustomMap&) = delete; 89*fb6e1fc2SJayanth Othayoth CustomMap(CustomMap&&) = default; 90*fb6e1fc2SJayanth Othayoth CustomMap& operator=(CustomMap&&) = default; 91*fb6e1fc2SJayanth Othayoth 92*fb6e1fc2SJayanth Othayoth /** @brief Saves starting address of the map and 93*fb6e1fc2SJayanth Othayoth * and length of the file. 94*fb6e1fc2SJayanth Othayoth * @param[in] addr - Starting address of the map 95*fb6e1fc2SJayanth Othayoth * @param[in] length - length of the map 96*fb6e1fc2SJayanth Othayoth */ 97*fb6e1fc2SJayanth Othayoth CustomMap(void* addr, size_t length) : addr(addr), length(length) 98*fb6e1fc2SJayanth Othayoth { 99*fb6e1fc2SJayanth Othayoth } 100*fb6e1fc2SJayanth Othayoth 101*fb6e1fc2SJayanth Othayoth ~CustomMap() 102*fb6e1fc2SJayanth Othayoth { 103*fb6e1fc2SJayanth Othayoth munmap(addr, length); 104*fb6e1fc2SJayanth Othayoth } 105*fb6e1fc2SJayanth Othayoth 106*fb6e1fc2SJayanth Othayoth void* operator()() const 107*fb6e1fc2SJayanth Othayoth { 108*fb6e1fc2SJayanth Othayoth return addr; 109*fb6e1fc2SJayanth Othayoth } 110*fb6e1fc2SJayanth Othayoth }; 111*fb6e1fc2SJayanth Othayoth 1129d7cd834SJayanth Othayoth /** @class Signature 1139d7cd834SJayanth Othayoth * @brief Contains signature verification functions. 1149d7cd834SJayanth Othayoth * @details The software image class that contains the signature 1159d7cd834SJayanth Othayoth * verification functions for signed image. 1169d7cd834SJayanth Othayoth */ 1179d7cd834SJayanth Othayoth class Signature 1189d7cd834SJayanth Othayoth { 1199d7cd834SJayanth Othayoth public: 1209d7cd834SJayanth Othayoth Signature() = delete; 1219d7cd834SJayanth Othayoth Signature(const Signature&) = delete; 1229d7cd834SJayanth Othayoth Signature& operator=(const Signature&) = delete; 1239d7cd834SJayanth Othayoth Signature(Signature&&) = default; 1249d7cd834SJayanth Othayoth Signature& operator=(Signature&&) = default; 1259d7cd834SJayanth Othayoth ~Signature() = default; 1269d7cd834SJayanth Othayoth 1272ab9b109SJayanth Othayoth /** 1282ab9b109SJayanth Othayoth * @brief Constructs Signature. 1292ab9b109SJayanth Othayoth * @param[in] imageDirPath - image path 1302ab9b109SJayanth Othayoth * @param[in] signedConfPath - Path of public key 1312ab9b109SJayanth Othayoth * hash function files 1329d7cd834SJayanth Othayoth */ 1332ab9b109SJayanth Othayoth Signature(const fs::path& imageDirPath, const fs::path& signedConfPath); 1349d7cd834SJayanth Othayoth 1359d7cd834SJayanth Othayoth /** 1369d7cd834SJayanth Othayoth * @brief Image signature verification function. 1379d7cd834SJayanth Othayoth * Verify the Manifest and public key file signature using the 1389d7cd834SJayanth Othayoth * public keys available in the system first. After successful 1399d7cd834SJayanth Othayoth * validation, continue the whole image files signature 1409d7cd834SJayanth Othayoth * validation using the image specific public key and the 1419d7cd834SJayanth Othayoth * hash function. 1429d7cd834SJayanth Othayoth * 1439d7cd834SJayanth Othayoth * @return true if signature verification was successful, 1449d7cd834SJayanth Othayoth * false if not 1459d7cd834SJayanth Othayoth */ 1469d7cd834SJayanth Othayoth bool verify(); 1479d7cd834SJayanth Othayoth 1489d7cd834SJayanth Othayoth private: 1492ab9b109SJayanth Othayoth /** 1502ab9b109SJayanth Othayoth * @brief Function used for system level file signature validation 1512ab9b109SJayanth Othayoth * of image specfic publickey file and manifest file 1522ab9b109SJayanth Othayoth * using the available public keys and hash functions 1532ab9b109SJayanth Othayoth * in the system. 1542ab9b109SJayanth Othayoth * Refer code-update documenation for more details. 1552ab9b109SJayanth Othayoth */ 1562ab9b109SJayanth Othayoth bool systemLevelVerify(); 1572ab9b109SJayanth Othayoth 1582ab9b109SJayanth Othayoth /** 1592ab9b109SJayanth Othayoth * @brief Return all key types stored in the BMC based on the 1602ab9b109SJayanth Othayoth * public key and hashfunc files stored in the BMC. 1612ab9b109SJayanth Othayoth * 1622ab9b109SJayanth Othayoth * @return list 1632ab9b109SJayanth Othayoth */ 1642ab9b109SJayanth Othayoth AvailableKeyTypes getAvailableKeyTypesFromSystem() const; 1652ab9b109SJayanth Othayoth 1662ab9b109SJayanth Othayoth /** 1672ab9b109SJayanth Othayoth * @brief Return public key and hash function file names for the 1682ab9b109SJayanth Othayoth * corresponding key type 1692ab9b109SJayanth Othayoth * 1702ab9b109SJayanth Othayoth * @param[in] key - key type 1712ab9b109SJayanth Othayoth * @return Pair of hash and public key file names 1722ab9b109SJayanth Othayoth */ 1732ab9b109SJayanth Othayoth inline KeyHashPathPair getKeyHashFileNames(const Key_t& key) const; 1742ab9b109SJayanth Othayoth 1752ab9b109SJayanth Othayoth /** 1762ab9b109SJayanth Othayoth * @brief Verify the file signature using public key and hash function 1772ab9b109SJayanth Othayoth * 1782ab9b109SJayanth Othayoth * @param[in] - Image file path 1792ab9b109SJayanth Othayoth * @param[in] - Signature file path 1802ab9b109SJayanth Othayoth * @param[in] - Public key 1812ab9b109SJayanth Othayoth * @param[in] - Hash function name 1822ab9b109SJayanth Othayoth * @return true if signature verification was successful, false if not 1832ab9b109SJayanth Othayoth */ 1842ab9b109SJayanth Othayoth bool verifyFile(const fs::path& file, const fs::path& signature, 1852ab9b109SJayanth Othayoth const fs::path& publicKey, const std::string& hashFunc); 1862ab9b109SJayanth Othayoth 187*fb6e1fc2SJayanth Othayoth /** 188*fb6e1fc2SJayanth Othayoth * @brief Create RSA object from the public key 189*fb6e1fc2SJayanth Othayoth * @param[in] - publickey 190*fb6e1fc2SJayanth Othayoth * @param[out] - RSA Object. 191*fb6e1fc2SJayanth Othayoth */ 192*fb6e1fc2SJayanth Othayoth inline RSA* createPublicRSA(const fs::path& publicKey); 193*fb6e1fc2SJayanth Othayoth 194*fb6e1fc2SJayanth Othayoth /** 195*fb6e1fc2SJayanth Othayoth * @brief Memory map the file 196*fb6e1fc2SJayanth Othayoth * @param[in] - file path 197*fb6e1fc2SJayanth Othayoth * @param[in] - file size 198*fb6e1fc2SJayanth Othayoth * @param[out] - Custom Mmap address 199*fb6e1fc2SJayanth Othayoth */ 200*fb6e1fc2SJayanth Othayoth CustomMap mapFile(const fs::path& path, size_t size); 201*fb6e1fc2SJayanth Othayoth 2029d7cd834SJayanth Othayoth /** @brief Directory where software images are placed*/ 2039d7cd834SJayanth Othayoth fs::path imageDirPath; 2042ab9b109SJayanth Othayoth 2052ab9b109SJayanth Othayoth /** @brief Path of public key and hash function files */ 2062ab9b109SJayanth Othayoth fs::path signedConfPath; 2072ab9b109SJayanth Othayoth 2082ab9b109SJayanth Othayoth /** @brief key type defined in mainfest file */ 2092ab9b109SJayanth Othayoth Key_t keyType; 2102ab9b109SJayanth Othayoth 2112ab9b109SJayanth Othayoth /** @brief Hash type defined in mainfest file */ 2122ab9b109SJayanth Othayoth Hash_t hashType; 2139d7cd834SJayanth Othayoth }; 2149d7cd834SJayanth Othayoth 2159d7cd834SJayanth Othayoth } // namespace image 2169d7cd834SJayanth Othayoth } // namespace software 2179d7cd834SJayanth Othayoth } // namespace phosphor 218