xref: /openbmc/qemu/hw/core/eif.c (revision b7e55bd9)
163d2a5c7SDorjoy Chowdhury /*
263d2a5c7SDorjoy Chowdhury  * EIF (Enclave Image Format) related helpers
363d2a5c7SDorjoy Chowdhury  *
463d2a5c7SDorjoy Chowdhury  * Copyright (c) 2024 Dorjoy Chowdhury <dorjoychy111@gmail.com>
563d2a5c7SDorjoy Chowdhury  *
663d2a5c7SDorjoy Chowdhury  * This work is licensed under the terms of the GNU GPL, version 2 or
763d2a5c7SDorjoy Chowdhury  * (at your option) any later version.  See the COPYING file in the
863d2a5c7SDorjoy Chowdhury  * top-level directory.
963d2a5c7SDorjoy Chowdhury  */
1063d2a5c7SDorjoy Chowdhury 
1163d2a5c7SDorjoy Chowdhury #include "qemu/osdep.h"
1263d2a5c7SDorjoy Chowdhury #include "qemu/bswap.h"
1363d2a5c7SDorjoy Chowdhury #include "qapi/error.h"
1463d2a5c7SDorjoy Chowdhury #include "crypto/hash.h"
1563d2a5c7SDorjoy Chowdhury #include "crypto/x509-utils.h"
1663d2a5c7SDorjoy Chowdhury #include <zlib.h> /* for crc32 */
1763d2a5c7SDorjoy Chowdhury #include <cbor.h>
1863d2a5c7SDorjoy Chowdhury 
1963d2a5c7SDorjoy Chowdhury #include "hw/core/eif.h"
2063d2a5c7SDorjoy Chowdhury 
/*
 * Fixed length of the section offset and size tables in EifHeader.
 * read_eif_file() rejects images whose section_cnt exceeds this value.
 */
#define MAX_SECTIONS 32

/*
 * On-disk EIF file header.
 *
 * members are ordered according to field order in .eif file
 *
 * The struct is read straight from the image, so every field is untrusted
 * input. Multi-byte fields are converted with be*_to_cpu() in place by
 * read_eif_header().
 */
typedef struct EifHeader {
    uint8_t  magic[4]; /* must be .eif in ascii i.e., [46, 101, 105, 102] */
    uint16_t version;
    uint16_t flags;
    uint64_t default_memory;
    uint64_t default_cpus;
    uint16_t reserved;
    /* checked against MAX_SECTIONS before the tables below are indexed */
    uint16_t section_cnt;
    uint64_t section_offsets[MAX_SECTIONS];
    /* read_eif_header() rejects any entry above SSIZE_MAX */
    uint64_t section_sizes[MAX_SECTIONS];
    uint32_t unused;
    /* last 4 bytes of the header; left out of the header CRC computation */
    uint32_t eif_crc32;
} QEMU_PACKED EifHeader;
3763d2a5c7SDorjoy Chowdhury 
/*
 * On-disk header that precedes each section's data.
 *
 * members are ordered according to field order in .eif file
 *
 * Read from the image as-is and converted with be*_to_cpu() in place by
 * read_eif_section_header(); all fields are untrusted input.
 */
typedef struct EifSectionHeader {
    /*
     * 0 = invalid, 1 = kernel, 2 = cmdline, 3 = ramdisk, 4 = signature,
     * 5 = metadata
     */
    uint16_t section_type;
    /* read_eif_file() requires this to be 0 */
    uint16_t flags;
    /* must match the EifHeader.section_sizes[] entry for the same section */
    uint64_t section_size;
} QEMU_PACKED EifSectionHeader;
4863d2a5c7SDorjoy Chowdhury 
/*
 * Values of EifSectionHeader.section_type. The type comes from the image,
 * so a value outside this list can reach any code that switches on it.
 */
enum EifSectionTypes {
    EIF_SECTION_INVALID = 0,
    EIF_SECTION_KERNEL = 1,
    EIF_SECTION_CMDLINE = 2,
    EIF_SECTION_RAMDISK = 3,
    EIF_SECTION_SIGNATURE = 4,
    EIF_SECTION_METADATA = 5,
    /* not a section type: used as the length of per-type arrays */
    EIF_SECTION_MAX = 6,
};
5863d2a5c7SDorjoy Chowdhury 
/*
 * Return a printable name for an EIF section type.
 *
 * Any value without a named section type, including EIF_SECTION_MAX,
 * yields "unknown". The returned string is a literal and must not be freed.
 */
static const char *section_type_to_string(uint16_t type)
{
    switch (type) {
    case EIF_SECTION_INVALID:
        return "invalid";
    case EIF_SECTION_KERNEL:
        return "kernel";
    case EIF_SECTION_CMDLINE:
        return "cmdline";
    case EIF_SECTION_RAMDISK:
        return "ramdisk";
    case EIF_SECTION_SIGNATURE:
        return "signature";
    case EIF_SECTION_METADATA:
        return "metadata";
    default:
        return "unknown";
    }
}
8863d2a5c7SDorjoy Chowdhury 
/*
 * Read the EIF header from the current position of @f into @header.
 *
 * The magic is checked, the running CRC in *crc is updated over the raw
 * header bytes (everything except the trailing eif_crc32 field), and all
 * multi-byte fields are converted from big-endian to host order in place.
 *
 * Every section size above SSIZE_MAX is rejected here. section_cnt and the
 * section offsets are converted but not range-checked by this function.
 *
 * Returns true on success, false with @errp set otherwise.
 */
static bool read_eif_header(FILE *f, EifHeader *header, uint32_t *crc,
                            Error **errp)
{
    const size_t header_size = sizeof(*header);

    if (fread(header, 1, header_size, f) != header_size) {
        error_setg(errp, "Failed to read EIF header");
        return false;
    }

    if (memcmp(header->magic, ".eif", 4) != 0) {
        error_setg(errp, "Invalid EIF image. Magic mismatch.");
        return false;
    }

    /* The CRC covers the on-disk bytes, so take it before byte-swapping. */
    *crc = crc32(*crc, (uint8_t *)header,
                 header_size - sizeof(header->eif_crc32));

    header->version = be16_to_cpu(header->version);
    header->flags = be16_to_cpu(header->flags);
    header->default_memory = be64_to_cpu(header->default_memory);
    header->default_cpus = be64_to_cpu(header->default_cpus);
    header->reserved = be16_to_cpu(header->reserved);
    header->section_cnt = be16_to_cpu(header->section_cnt);

    for (int n = 0; n < MAX_SECTIONS; ++n) {
        header->section_offsets[n] = be64_to_cpu(header->section_offsets[n]);
    }

    for (int n = 0; n < MAX_SECTIONS; ++n) {
        uint64_t sz = be64_to_cpu(header->section_sizes[n]);

        header->section_sizes[n] = sz;
        if (sz > SSIZE_MAX) {
            error_setg(errp, "Invalid EIF image. Section size out of bounds");
            return false;
        }
    }

    header->unused = be32_to_cpu(header->unused);
    header->eif_crc32 = be32_to_cpu(header->eif_crc32);
    return true;
}
13263d2a5c7SDorjoy Chowdhury 
/*
 * Read one section header from the current position of @f.
 *
 * The running CRC in *crc is updated over the raw header bytes, then the
 * fields are converted from big-endian to host order in place. The section
 * type, flags and size are not validated here.
 *
 * Returns true on success, false with @errp set otherwise.
 */
static bool read_eif_section_header(FILE *f, EifSectionHeader *section_header,
                                    uint32_t *crc, Error **errp)
{
    const size_t hdr_len = sizeof(*section_header);

    if (fread(section_header, 1, hdr_len, f) != hdr_len) {
        error_setg(errp, "Failed to read EIF section header");
        return false;
    }

    /* checksum the on-disk representation before swapping any field */
    *crc = crc32(*crc, (uint8_t *)section_header, hdr_len);

    section_header->section_type = be16_to_cpu(section_header->section_type);
    section_header->flags = be16_to_cpu(section_header->flags);
    section_header->section_size = be64_to_cpu(section_header->section_size);
    return true;
}
15263d2a5c7SDorjoy Chowdhury 
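/*
 * Create an empty temporary file from @template and hand back its path.
 *
 * @template: file name template passed to g_file_open_tmp()
 * @tmp_path: set to the newly allocated path on success, NULL on failure
 * @errp: set on failure, including the reason reported by GLib
 *
 * Upon success, the caller is responsible for unlinking and freeing *tmp_path.
 *
 * Only the path is returned: the descriptor is closed here and
 * read_eif_kernel() later reopens the file by name. That is only sound if
 * other users cannot replace the directory entry in between, which depends
 * on how the temporary directory is set up.
 */
static bool get_tmp_file(const char *template, char **tmp_path, Error **errp)
{
    GError *gerr = NULL;
    int tmp_fd;

    *tmp_path = NULL;
    tmp_fd = g_file_open_tmp(template, tmp_path, &gerr);
    if (tmp_fd < 0 || *tmp_path == NULL) {
        /* keep the underlying cause instead of discarding the GError */
        error_setg(errp, "Failed to create temporary file for template %s: %s",
                   template, gerr ? gerr->message : "unknown error");
        g_clear_error(&gerr);
        if (tmp_fd >= 0) {
            /* do not leak the descriptor when only the path is missing */
            close(tmp_fd);
        }
        return false;
    }

    close(tmp_fd);
    return true;
}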
17163d2a5c7SDorjoy Chowdhury 
/*
 * Close @f unless it is NULL. The result of fclose() is ignored, so this is
 * only suitable for cleanup paths where a flush error no longer matters.
 */
static void safe_fclose(FILE *f)
{
    if (f == NULL) {
        return;
    }

    fclose(f);
}
17863d2a5c7SDorjoy Chowdhury 
/* Remove the file named @f unless @f is NULL; unlink() errors are ignored. */
static void safe_unlink(char *f)
{
    if (f == NULL) {
        return;
    }

    unlink(f);
}
18563d2a5c7SDorjoy Chowdhury 
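/*
 * Read @size bytes of kernel section data from @f into @kernel and copy
 * them to a newly created temporary file.
 *
 * @f: EIF image, positioned at the start of the kernel section data
 * @size: section size taken from the (untrusted) section header
 * @kernel_path: set to the temporary file's path on success, NULL on failure
 * @kernel: caller-provided buffer of at least @size bytes
 * @crc: running CRC, updated over the section data on success
 * @errp: set on failure
 *
 * Upon success, the caller is responsible for unlinking and freeing
 * *kernel_path. On failure the temporary file is removed here.
 */
static bool read_eif_kernel(FILE *f, uint64_t size, char **kernel_path,
                            uint8_t *kernel, uint32_t *crc, Error **errp)
{
    size_t got;
    FILE *tmp_file = NULL;

    *kernel_path = NULL;
    if (!get_tmp_file("eif-kernel-XXXXXX", kernel_path, errp)) {
        goto cleanup;
    }

    tmp_file = fopen(*kernel_path, "wb");
    if (tmp_file == NULL) {
        error_setg_errno(errp, errno, "Failed to open temporary file %s",
                         *kernel_path);
        goto cleanup;
    }

    got = fread(kernel, 1, size, f);
    if ((uint64_t) got != size) {
        error_setg(errp, "Failed to read EIF kernel section data");
        goto cleanup;
    }

    got = fwrite(kernel, 1, size, tmp_file);
    if ((uint64_t) got != size) {
        error_setg(errp, "Failed to write EIF kernel section data to temporary"
                   " file");
        goto cleanup;
    }

    /*
     * fwrite() may only have filled the stdio buffer. fclose() performs the
     * real write, so a failure here means the kernel file is incomplete and
     * must not be handed to the caller.
     */
    if (fclose(tmp_file) != 0) {
        error_setg_errno(errp, errno, "Failed to write EIF kernel section data"
                         " to temporary file");
        /* the stream is gone even when fclose() fails; do not close twice */
        tmp_file = NULL;
        goto cleanup;
    }

    /*
     * NOTE(review): zlib's crc32() takes a uInt length, while section sizes
     * are only bounded by SSIZE_MAX; a size above UINT_MAX would be
     * truncated in this call. Confirm whether such sizes need support.
     */
    *crc = crc32(*crc, kernel, size);

    return true;

 cleanup:
    safe_fclose(tmp_file);

    safe_unlink(*kernel_path);
    g_free(*kernel_path);
    *kernel_path = NULL;

    return false;
}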
23463d2a5c7SDorjoy Chowdhury 
/*
 * Read @size bytes of cmdline section data from @f into @cmdline and fold
 * them into the running CRC in *crc.
 *
 * @cmdline must have room for @size bytes. No NUL terminator is written
 * here; the caller appends it.
 *
 * Returns true on success, false with @errp set on a short read.
 */
static bool read_eif_cmdline(FILE *f, uint64_t size, char *cmdline,
                             uint32_t *crc, Error **errp)
{
    size_t nread = fread(cmdline, 1, size, f);

    if ((uint64_t) nread == size) {
        *crc = crc32(*crc, (uint8_t *)cmdline, size);
        return true;
    }

    error_setg(errp, "Failed to read EIF cmdline section data");
    return false;
}
24763d2a5c7SDorjoy Chowdhury 
/*
 * Read @size bytes of ramdisk section data from @eif into @ramdisk, append
 * them to the already open @initrd stream and fold them into the running
 * CRC in *crc.
 *
 * @ramdisk must have room for @size bytes. @initrd is neither flushed nor
 * closed here, so a successful return only means the data was accepted by
 * fwrite().
 *
 * Returns true on success, false with @errp set otherwise.
 */
static bool read_eif_ramdisk(FILE *eif, FILE *initrd, uint64_t size,
                             uint8_t *ramdisk, uint32_t *crc, Error **errp)
{
    size_t nread = fread(ramdisk, 1, size, eif);
    size_t nwritten;

    if ((uint64_t) nread != size) {
        error_setg(errp, "Failed to read EIF ramdisk section data");
        return false;
    }

    nwritten = fwrite(ramdisk, 1, size, initrd);
    if ((uint64_t) nwritten != size) {
        error_setg(errp, "Failed to write EIF ramdisk data to temporary file");
        return false;
    }

    *crc = crc32(*crc, ramdisk, size);
    return true;
}
26863d2a5c7SDorjoy Chowdhury 
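/*
 * Read the signature section from @eif and compute the SHA384 fingerprint
 * of the signing certificate it carries.
 *
 * @eif: EIF image, positioned at the start of the signature section data
 * @size: section size taken from the (untrusted) section header
 * @sha384: output buffer for the fingerprint
 * @crc: running CRC, updated over the raw section data
 * @errp: set on failure
 *
 * The section must decode as a CBOR array whose first element is a map with
 * exactly two entries. The first entry must have the key
 * "signing_certificate" and an array of 8-bit unsigned integers as value;
 * those bytes are passed to qcrypto_get_x509_cert_fingerprint(). The second
 * map entry is not examined by this function.
 *
 * Returns true on success, false with @errp set otherwise.
 */
static bool get_signature_fingerprint_sha384(FILE *eif, uint64_t size,
                                             uint8_t *sha384,
                                             uint32_t *crc,
                                             Error **errp)
{
    size_t got;
    g_autofree uint8_t *sig = NULL;
    g_autofree uint8_t *cert = NULL;
    cbor_item_t *item = NULL;
    cbor_item_t *pcr0 = NULL;
    size_t len;
    size_t hash_len = QCRYPTO_HASH_DIGEST_LEN_SHA384;
    struct cbor_pair *pair;
    struct cbor_load_result result;
    bool ret = false;

    /*
     * g_try_malloc(0) returns NULL, so an empty section would otherwise be
     * reported as an allocation failure.
     */
    if (size == 0) {
        error_setg(errp, "Invalid EIF image. Empty signature section");
        goto cleanup;
    }

    /* @size comes from the image: fail cleanly instead of aborting on OOM */
    sig = g_try_malloc(size);
    if (!sig) {
        error_setg(errp, "Out of memory reading signature section");
        goto cleanup;
    }

    got = fread(sig, 1, size, eif);
    if ((uint64_t) got != size) {
        error_setg(errp, "Failed to read EIF signature section data");
        goto cleanup;
    }

    *crc = crc32(*crc, sig, size);

    item = cbor_load(sig, size, &result);
    if (!item || result.error.code != CBOR_ERR_NONE) {
        error_setg(errp, "Failed to load signature section data as CBOR");
        goto cleanup;
    }
    if (!cbor_isa_array(item) || cbor_array_size(item) < 1) {
        error_setg(errp, "Invalid signature CBOR");
        goto cleanup;
    }
    /* released with cbor_decref() in the cleanup path */
    pcr0 = cbor_array_get(item, 0);
    if (!pcr0) {
        error_setg(errp, "Failed to get PCR0 signature");
        goto cleanup;
    }
    if (!cbor_isa_map(pcr0) || cbor_map_size(pcr0) != 2) {
        error_setg(errp, "Invalid signature CBOR");
        goto cleanup;
    }
    pair = cbor_map_handle(pcr0);
    /* the length check comes first so memcmp() never reads past the key */
    if (!cbor_isa_string(pair->key) || cbor_string_length(pair->key) != 19 ||
        memcmp(cbor_string_handle(pair->key), "signing_certificate", 19) != 0) {
        error_setg(errp, "Invalid signature CBOR");
        goto cleanup;
    }
    if (!cbor_isa_array(pair->value)) {
        error_setg(errp, "Invalid signature CBOR");
        goto cleanup;
    }
    len = cbor_array_size(pair->value);
    if (len == 0) {
        error_setg(errp, "Invalid signature CBOR");
        goto cleanup;
    }
    cert = g_try_malloc(len);
    if (!cert) {
        error_setg(errp, "Out of memory reading signature section");
        goto cleanup;
    }

    /* size_t index: @len is a size_t taken from attacker-controlled CBOR */
    for (size_t i = 0; i < len; ++i) {
        cbor_item_t *tmp = cbor_array_get(pair->value, i);
        if (!tmp) {
            error_setg(errp, "Invalid signature CBOR");
            goto cleanup;
        }
        if (!cbor_isa_uint(tmp) || cbor_int_get_width(tmp) != CBOR_INT_8) {
            cbor_decref(&tmp);
            error_setg(errp, "Invalid signature CBOR");
            goto cleanup;
        }
        cert[i] = cbor_get_uint8(tmp);
        cbor_decref(&tmp);
    }

    if (qcrypto_get_x509_cert_fingerprint(cert, len, QCRYPTO_HASH_ALGO_SHA384,
                                          sha384, &hash_len, errp)) {
        goto cleanup;
    }

    ret = true;

 cleanup:
    if (pcr0) {
        cbor_decref(&pcr0);
    }
    if (item) {
        cbor_decref(&item);
    }
    return ret;
}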
36963d2a5c7SDorjoy Chowdhury 
/*
 * Return the size of @f in bytes, or -1 with @errp set on failure.
 *
 * Expects file to have offset 0 before this function is called; the stream
 * is rewound to offset 0 before returning. The size is whatever ftell()
 * reports at end of file, so it is limited to the range of long.
 */
static long get_file_size(FILE *f, Error **errp)
{
    long end_pos;

    if (fseek(f, 0, SEEK_END) != 0) {
        error_setg_errno(errp, errno, "Failed to seek to the end of file");
        return -1;
    }

    end_pos = ftell(f);
    if (end_pos == -1) {
        error_setg_errno(errp, errno, "Failed to get offset");
        return -1;
    }

    /* leave the stream where the caller expects it */
    if (fseek(f, 0, SEEK_SET) != 0) {
        error_setg_errno(errp, errno, "Failed to seek back to the start");
        return -1;
    }

    return end_pos;
}
39363d2a5c7SDorjoy Chowdhury 
/*
 * Compute the SHA384 hash over all buffers referenced by @list.
 *
 * @list: GList whose elements point to struct iovec entries, hashed in
 *        list order
 * @digest: output buffer; presumably must hold at least
 *          QCRYPTO_HASH_DIGEST_LEN_SHA384 bytes (confirm against callers)
 * @errp: set on failure
 *
 * The iovec entries are copied by value into a temporary array; the buffers
 * they point to are not copied or freed.
 *
 * Returns true on success, false otherwise.
 */
static bool get_SHA384_digest(GList *list, uint8_t *digest, Error **errp)
{
    size_t out_len = QCRYPTO_HASH_DIGEST_LEN_SHA384;
    size_t count = g_list_length(list);
    g_autofree struct iovec *vec = g_new0(struct iovec, count);
    int idx = 0;

    for (GList *node = list; node != NULL; node = node->next) {
        vec[idx] = *(struct iovec *) node->data;
        idx++;
    }

    return qcrypto_hash_bytesv(QCRYPTO_HASH_ALGO_SHA384, vec, count,
                               &digest, &out_len, errp) >= 0;
}
41563d2a5c7SDorjoy Chowdhury 
/*
 * Free @iov together with the buffer it points to. A NULL @iov is ignored.
 * Both the entry and iov_base are released with g_free().
 */
static void free_iovec(struct iovec *iov)
{
    if (iov == NULL) {
        return;
    }

    g_free(iov->iov_base);
    g_free(iov);
}
42363d2a5c7SDorjoy Chowdhury 
42463d2a5c7SDorjoy Chowdhury /*
42563d2a5c7SDorjoy Chowdhury  * Upon success, the caller is responsible for unlinking and freeing
42663d2a5c7SDorjoy Chowdhury  * *kernel_path, *initrd_path and freeing *cmdline.
42763d2a5c7SDorjoy Chowdhury  */
read_eif_file(const char * eif_path,const char * machine_initrd,char ** kernel_path,char ** initrd_path,char ** cmdline,uint8_t * image_sha384,uint8_t * bootstrap_sha384,uint8_t * app_sha384,uint8_t * fingerprint_sha384,bool * signature_found,Error ** errp)42863d2a5c7SDorjoy Chowdhury bool read_eif_file(const char *eif_path, const char *machine_initrd,
42963d2a5c7SDorjoy Chowdhury                    char **kernel_path, char **initrd_path, char **cmdline,
43063d2a5c7SDorjoy Chowdhury                    uint8_t *image_sha384, uint8_t *bootstrap_sha384,
43163d2a5c7SDorjoy Chowdhury                    uint8_t *app_sha384, uint8_t *fingerprint_sha384,
43263d2a5c7SDorjoy Chowdhury                    bool *signature_found, Error **errp)
43363d2a5c7SDorjoy Chowdhury {
43463d2a5c7SDorjoy Chowdhury     FILE *f = NULL;
43563d2a5c7SDorjoy Chowdhury     FILE *machine_initrd_f = NULL;
43663d2a5c7SDorjoy Chowdhury     FILE *initrd_path_f = NULL;
43763d2a5c7SDorjoy Chowdhury     long machine_initrd_size;
43863d2a5c7SDorjoy Chowdhury     uint32_t crc = 0;
43963d2a5c7SDorjoy Chowdhury     EifHeader eif_header;
44063d2a5c7SDorjoy Chowdhury     bool seen_sections[EIF_SECTION_MAX] = {false};
44163d2a5c7SDorjoy Chowdhury     /* kernel + ramdisks + cmdline sha384 hash */
44263d2a5c7SDorjoy Chowdhury     GList *iov_PCR0 = NULL;
44363d2a5c7SDorjoy Chowdhury     /* kernel + boot ramdisk + cmdline sha384 hash */
44463d2a5c7SDorjoy Chowdhury     GList *iov_PCR1 = NULL;
44563d2a5c7SDorjoy Chowdhury     /* application ramdisk(s) hash */
44663d2a5c7SDorjoy Chowdhury     GList *iov_PCR2 = NULL;
44763d2a5c7SDorjoy Chowdhury     uint8_t *ptr = NULL;
44863d2a5c7SDorjoy Chowdhury     struct iovec *iov_ptr = NULL;
44963d2a5c7SDorjoy Chowdhury 
45063d2a5c7SDorjoy Chowdhury     *signature_found = false;
45163d2a5c7SDorjoy Chowdhury     *kernel_path = *initrd_path = *cmdline = NULL;
45263d2a5c7SDorjoy Chowdhury 
45363d2a5c7SDorjoy Chowdhury     f = fopen(eif_path, "rb");
45463d2a5c7SDorjoy Chowdhury     if (f == NULL) {
45563d2a5c7SDorjoy Chowdhury         error_setg_errno(errp, errno, "Failed to open %s", eif_path);
45663d2a5c7SDorjoy Chowdhury         goto cleanup;
45763d2a5c7SDorjoy Chowdhury     }
45863d2a5c7SDorjoy Chowdhury 
45963d2a5c7SDorjoy Chowdhury     if (!read_eif_header(f, &eif_header, &crc, errp)) {
46063d2a5c7SDorjoy Chowdhury         goto cleanup;
46163d2a5c7SDorjoy Chowdhury     }
46263d2a5c7SDorjoy Chowdhury 
46363d2a5c7SDorjoy Chowdhury     if (eif_header.version < 4) {
46463d2a5c7SDorjoy Chowdhury         error_setg(errp, "Expected EIF version 4 or greater");
46563d2a5c7SDorjoy Chowdhury         goto cleanup;
46663d2a5c7SDorjoy Chowdhury     }
46763d2a5c7SDorjoy Chowdhury 
46863d2a5c7SDorjoy Chowdhury     if (eif_header.flags != 0) {
46963d2a5c7SDorjoy Chowdhury         error_setg(errp, "Expected EIF flags to be 0");
47063d2a5c7SDorjoy Chowdhury         goto cleanup;
47163d2a5c7SDorjoy Chowdhury     }
47263d2a5c7SDorjoy Chowdhury 
47363d2a5c7SDorjoy Chowdhury     if (eif_header.section_cnt > MAX_SECTIONS) {
47463d2a5c7SDorjoy Chowdhury         error_setg(errp, "EIF header section count must not be greater than "
47563d2a5c7SDorjoy Chowdhury                    "%d but found %d", MAX_SECTIONS, eif_header.section_cnt);
47663d2a5c7SDorjoy Chowdhury         goto cleanup;
47763d2a5c7SDorjoy Chowdhury     }
47863d2a5c7SDorjoy Chowdhury 
47963d2a5c7SDorjoy Chowdhury     for (int i = 0; i < eif_header.section_cnt; ++i) {
48063d2a5c7SDorjoy Chowdhury         EifSectionHeader hdr;
48163d2a5c7SDorjoy Chowdhury         uint16_t section_type;
48263d2a5c7SDorjoy Chowdhury 
483619d1447SPaolo Bonzini         if (eif_header.section_offsets[i] > OFF_MAX) {
484619d1447SPaolo Bonzini             error_setg(errp, "Invalid EIF image. Section offset out of bounds");
485619d1447SPaolo Bonzini             goto cleanup;
486619d1447SPaolo Bonzini         }
48763d2a5c7SDorjoy Chowdhury         if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) {
48863d2a5c7SDorjoy Chowdhury             error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file",
48963d2a5c7SDorjoy Chowdhury                              eif_header.section_offsets[i]);
49063d2a5c7SDorjoy Chowdhury             goto cleanup;
49163d2a5c7SDorjoy Chowdhury         }
49263d2a5c7SDorjoy Chowdhury 
49363d2a5c7SDorjoy Chowdhury         if (!read_eif_section_header(f, &hdr, &crc, errp)) {
49463d2a5c7SDorjoy Chowdhury             goto cleanup;
49563d2a5c7SDorjoy Chowdhury         }
49663d2a5c7SDorjoy Chowdhury 
49763d2a5c7SDorjoy Chowdhury         if (hdr.flags != 0) {
49863d2a5c7SDorjoy Chowdhury             error_setg(errp, "Expected EIF section header flags to be 0");
49963d2a5c7SDorjoy Chowdhury             goto cleanup;
50063d2a5c7SDorjoy Chowdhury         }
50163d2a5c7SDorjoy Chowdhury 
50263d2a5c7SDorjoy Chowdhury         if (eif_header.section_sizes[i] != hdr.section_size) {
50363d2a5c7SDorjoy Chowdhury             error_setg(errp, "EIF section size mismatch between header and "
50463d2a5c7SDorjoy Chowdhury                        "section header: header %" PRIu64 ", section header %" PRIu64,
50563d2a5c7SDorjoy Chowdhury                        eif_header.section_sizes[i],
50663d2a5c7SDorjoy Chowdhury                        hdr.section_size);
50763d2a5c7SDorjoy Chowdhury             goto cleanup;
50863d2a5c7SDorjoy Chowdhury         }
50963d2a5c7SDorjoy Chowdhury 
51063d2a5c7SDorjoy Chowdhury         section_type = hdr.section_type;
51163d2a5c7SDorjoy Chowdhury 
51263d2a5c7SDorjoy Chowdhury         switch (section_type) {
51363d2a5c7SDorjoy Chowdhury         case EIF_SECTION_KERNEL:
51463d2a5c7SDorjoy Chowdhury             if (seen_sections[EIF_SECTION_KERNEL]) {
51563d2a5c7SDorjoy Chowdhury                 error_setg(errp, "Invalid EIF image. More than 1 kernel "
51663d2a5c7SDorjoy Chowdhury                            "section");
51763d2a5c7SDorjoy Chowdhury                 goto cleanup;
51863d2a5c7SDorjoy Chowdhury             }
51963d2a5c7SDorjoy Chowdhury 
520*b7e55bd9SPaolo Bonzini             ptr = g_try_malloc(hdr.section_size);
521*b7e55bd9SPaolo Bonzini             if (!ptr) {
522*b7e55bd9SPaolo Bonzini                 error_setg(errp, "Out of memory reading kernel section");
523*b7e55bd9SPaolo Bonzini                 goto cleanup;
524*b7e55bd9SPaolo Bonzini             }
52563d2a5c7SDorjoy Chowdhury 
52663d2a5c7SDorjoy Chowdhury             iov_ptr = g_malloc(sizeof(struct iovec));
52763d2a5c7SDorjoy Chowdhury             iov_ptr->iov_base = ptr;
52863d2a5c7SDorjoy Chowdhury             iov_ptr->iov_len = hdr.section_size;
52963d2a5c7SDorjoy Chowdhury 
53063d2a5c7SDorjoy Chowdhury             iov_PCR0 = g_list_append(iov_PCR0, iov_ptr);
53163d2a5c7SDorjoy Chowdhury             iov_PCR1 = g_list_append(iov_PCR1, iov_ptr);
53263d2a5c7SDorjoy Chowdhury 
53363d2a5c7SDorjoy Chowdhury             if (!read_eif_kernel(f, hdr.section_size, kernel_path, ptr, &crc,
53463d2a5c7SDorjoy Chowdhury                                  errp)) {
53563d2a5c7SDorjoy Chowdhury                 goto cleanup;
53663d2a5c7SDorjoy Chowdhury             }
53763d2a5c7SDorjoy Chowdhury 
53863d2a5c7SDorjoy Chowdhury             break;
53963d2a5c7SDorjoy Chowdhury         case EIF_SECTION_CMDLINE:
54063d2a5c7SDorjoy Chowdhury         {
54163d2a5c7SDorjoy Chowdhury             uint64_t size;
54263d2a5c7SDorjoy Chowdhury             uint8_t *cmdline_copy;
54363d2a5c7SDorjoy Chowdhury             if (seen_sections[EIF_SECTION_CMDLINE]) {
54463d2a5c7SDorjoy Chowdhury                 error_setg(errp, "Invalid EIF image. More than 1 cmdline "
54563d2a5c7SDorjoy Chowdhury                            "section");
54663d2a5c7SDorjoy Chowdhury                 goto cleanup;
54763d2a5c7SDorjoy Chowdhury             }
54863d2a5c7SDorjoy Chowdhury             size = hdr.section_size;
549*b7e55bd9SPaolo Bonzini             *cmdline = g_try_malloc(size + 1);
550*b7e55bd9SPaolo Bonzini             if (!*cmdline) {
551*b7e55bd9SPaolo Bonzini                 error_setg(errp, "Out of memory reading command line section");
552*b7e55bd9SPaolo Bonzini                 goto cleanup;
553*b7e55bd9SPaolo Bonzini             }
55463d2a5c7SDorjoy Chowdhury             if (!read_eif_cmdline(f, size, *cmdline, &crc, errp)) {
55563d2a5c7SDorjoy Chowdhury                 goto cleanup;
55663d2a5c7SDorjoy Chowdhury             }
55763d2a5c7SDorjoy Chowdhury             (*cmdline)[size] = '\0';
55863d2a5c7SDorjoy Chowdhury 
55963d2a5c7SDorjoy Chowdhury             /*
56063d2a5c7SDorjoy Chowdhury              * We make a copy of '*cmdline' for putting it in iovecs so that
56163d2a5c7SDorjoy Chowdhury              * we can easily free all the iovec entries later as we cannot
56263d2a5c7SDorjoy Chowdhury              * free '*cmdline' which is used by the caller.
56363d2a5c7SDorjoy Chowdhury              */
56463d2a5c7SDorjoy Chowdhury             cmdline_copy = g_memdup2(*cmdline, size);
56563d2a5c7SDorjoy Chowdhury 
56663d2a5c7SDorjoy Chowdhury             iov_ptr = g_malloc(sizeof(struct iovec));
56763d2a5c7SDorjoy Chowdhury             iov_ptr->iov_base = cmdline_copy;
56863d2a5c7SDorjoy Chowdhury             iov_ptr->iov_len = size;
56963d2a5c7SDorjoy Chowdhury 
57063d2a5c7SDorjoy Chowdhury             iov_PCR0 = g_list_append(iov_PCR0, iov_ptr);
57163d2a5c7SDorjoy Chowdhury             iov_PCR1 = g_list_append(iov_PCR1, iov_ptr);
57263d2a5c7SDorjoy Chowdhury             break;
57363d2a5c7SDorjoy Chowdhury         }
57463d2a5c7SDorjoy Chowdhury         case EIF_SECTION_RAMDISK:
57563d2a5c7SDorjoy Chowdhury         {
57663d2a5c7SDorjoy Chowdhury             if (!seen_sections[EIF_SECTION_RAMDISK]) {
57763d2a5c7SDorjoy Chowdhury                 /*
57863d2a5c7SDorjoy Chowdhury                  * If this is the first time we are seeing a ramdisk section,
57963d2a5c7SDorjoy Chowdhury                  * we need to create the initrd temporary file.
58063d2a5c7SDorjoy Chowdhury                  */
58163d2a5c7SDorjoy Chowdhury                 if (!get_tmp_file("eif-initrd-XXXXXX", initrd_path, errp)) {
58263d2a5c7SDorjoy Chowdhury                     goto cleanup;
58363d2a5c7SDorjoy Chowdhury                 }
58463d2a5c7SDorjoy Chowdhury                 initrd_path_f = fopen(*initrd_path, "wb");
58563d2a5c7SDorjoy Chowdhury                 if (initrd_path_f == NULL) {
58663d2a5c7SDorjoy Chowdhury                     error_setg_errno(errp, errno, "Failed to open file %s",
58763d2a5c7SDorjoy Chowdhury                                      *initrd_path);
58863d2a5c7SDorjoy Chowdhury                     goto cleanup;
58963d2a5c7SDorjoy Chowdhury                 }
59063d2a5c7SDorjoy Chowdhury             }
59163d2a5c7SDorjoy Chowdhury 
592*b7e55bd9SPaolo Bonzini             ptr = g_try_malloc(hdr.section_size);
593*b7e55bd9SPaolo Bonzini             if (!ptr) {
594*b7e55bd9SPaolo Bonzini                 error_setg(errp, "Out of memory reading initrd section");
595*b7e55bd9SPaolo Bonzini                 goto cleanup;
596*b7e55bd9SPaolo Bonzini             }
59763d2a5c7SDorjoy Chowdhury 
59863d2a5c7SDorjoy Chowdhury             iov_ptr = g_malloc(sizeof(struct iovec));
59963d2a5c7SDorjoy Chowdhury             iov_ptr->iov_base = ptr;
60063d2a5c7SDorjoy Chowdhury             iov_ptr->iov_len = hdr.section_size;
60163d2a5c7SDorjoy Chowdhury 
60263d2a5c7SDorjoy Chowdhury             iov_PCR0 = g_list_append(iov_PCR0, iov_ptr);
60363d2a5c7SDorjoy Chowdhury             /*
60463d2a5c7SDorjoy Chowdhury              * If it's the first ramdisk, we need to hash it into bootstrap
60563d2a5c7SDorjoy Chowdhury              * i.e., iov_PCR1, otherwise we need to hash it into app i.e.,
60663d2a5c7SDorjoy Chowdhury              * iov_PCR2.
60763d2a5c7SDorjoy Chowdhury              */
60863d2a5c7SDorjoy Chowdhury             if (!seen_sections[EIF_SECTION_RAMDISK]) {
60963d2a5c7SDorjoy Chowdhury                 iov_PCR1 = g_list_append(iov_PCR1, iov_ptr);
61063d2a5c7SDorjoy Chowdhury             } else {
61163d2a5c7SDorjoy Chowdhury                 iov_PCR2 = g_list_append(iov_PCR2, iov_ptr);
61263d2a5c7SDorjoy Chowdhury             }
61363d2a5c7SDorjoy Chowdhury 
61463d2a5c7SDorjoy Chowdhury             if (!read_eif_ramdisk(f, initrd_path_f, hdr.section_size, ptr,
61563d2a5c7SDorjoy Chowdhury                                   &crc, errp)) {
61663d2a5c7SDorjoy Chowdhury                 goto cleanup;
61763d2a5c7SDorjoy Chowdhury             }
61863d2a5c7SDorjoy Chowdhury 
61963d2a5c7SDorjoy Chowdhury             break;
62063d2a5c7SDorjoy Chowdhury         }
62163d2a5c7SDorjoy Chowdhury         case EIF_SECTION_SIGNATURE:
62263d2a5c7SDorjoy Chowdhury             *signature_found = true;
62363d2a5c7SDorjoy Chowdhury             if (!get_signature_fingerprint_sha384(f, hdr.section_size,
62463d2a5c7SDorjoy Chowdhury                                                   fingerprint_sha384, &crc,
62563d2a5c7SDorjoy Chowdhury                                                   errp)) {
62663d2a5c7SDorjoy Chowdhury                 goto cleanup;
62763d2a5c7SDorjoy Chowdhury             }
62863d2a5c7SDorjoy Chowdhury             break;
62963d2a5c7SDorjoy Chowdhury         default:
63063d2a5c7SDorjoy Chowdhury             /* other sections including invalid or unknown sections */
63163d2a5c7SDorjoy Chowdhury         {
63263d2a5c7SDorjoy Chowdhury             uint8_t *buf;
63363d2a5c7SDorjoy Chowdhury             size_t got;
63463d2a5c7SDorjoy Chowdhury             uint64_t size = hdr.section_size;
635*b7e55bd9SPaolo Bonzini             buf = g_try_malloc(size);
636*b7e55bd9SPaolo Bonzini             if (!buf) {
637*b7e55bd9SPaolo Bonzini                 error_setg(errp, "Out of memory reading unknown section");
638*b7e55bd9SPaolo Bonzini                 goto cleanup;
639*b7e55bd9SPaolo Bonzini             }
64063d2a5c7SDorjoy Chowdhury             got = fread(buf, 1, size, f);
64163d2a5c7SDorjoy Chowdhury             if ((uint64_t) got != size) {
64263d2a5c7SDorjoy Chowdhury                 g_free(buf);
64363d2a5c7SDorjoy Chowdhury                 error_setg(errp, "Failed to read EIF %s section data",
64463d2a5c7SDorjoy Chowdhury                            section_type_to_string(section_type));
64563d2a5c7SDorjoy Chowdhury                 goto cleanup;
64663d2a5c7SDorjoy Chowdhury             }
64763d2a5c7SDorjoy Chowdhury             crc = crc32(crc, buf, size);
64863d2a5c7SDorjoy Chowdhury             g_free(buf);
64963d2a5c7SDorjoy Chowdhury             break;
65063d2a5c7SDorjoy Chowdhury         }
65163d2a5c7SDorjoy Chowdhury         }
65263d2a5c7SDorjoy Chowdhury 
65363d2a5c7SDorjoy Chowdhury         if (section_type < EIF_SECTION_MAX) {
65463d2a5c7SDorjoy Chowdhury             seen_sections[section_type] = true;
65563d2a5c7SDorjoy Chowdhury         }
65663d2a5c7SDorjoy Chowdhury     }
65763d2a5c7SDorjoy Chowdhury 
65863d2a5c7SDorjoy Chowdhury     if (!seen_sections[EIF_SECTION_KERNEL]) {
65963d2a5c7SDorjoy Chowdhury         error_setg(errp, "Invalid EIF image. No kernel section.");
66063d2a5c7SDorjoy Chowdhury         goto cleanup;
66163d2a5c7SDorjoy Chowdhury     }
66263d2a5c7SDorjoy Chowdhury     if (!seen_sections[EIF_SECTION_CMDLINE]) {
66363d2a5c7SDorjoy Chowdhury         error_setg(errp, "Invalid EIF image. No cmdline section.");
66463d2a5c7SDorjoy Chowdhury         goto cleanup;
66563d2a5c7SDorjoy Chowdhury     }
66663d2a5c7SDorjoy Chowdhury     if (!seen_sections[EIF_SECTION_RAMDISK]) {
66763d2a5c7SDorjoy Chowdhury         error_setg(errp, "Invalid EIF image. No ramdisk section.");
66863d2a5c7SDorjoy Chowdhury         goto cleanup;
66963d2a5c7SDorjoy Chowdhury     }
67063d2a5c7SDorjoy Chowdhury 
67163d2a5c7SDorjoy Chowdhury     if (eif_header.eif_crc32 != crc) {
67263d2a5c7SDorjoy Chowdhury         error_setg(errp, "CRC mismatch. Expected %u but header has %u.",
67363d2a5c7SDorjoy Chowdhury                    crc, eif_header.eif_crc32);
67463d2a5c7SDorjoy Chowdhury         goto cleanup;
67563d2a5c7SDorjoy Chowdhury     }
67663d2a5c7SDorjoy Chowdhury 
67763d2a5c7SDorjoy Chowdhury     /*
67863d2a5c7SDorjoy Chowdhury      * Let's append the initrd file from "-initrd" option if any. Although
67963d2a5c7SDorjoy Chowdhury      * we pass the crc pointer to read_eif_ramdisk, it is not useful anymore.
68063d2a5c7SDorjoy Chowdhury      * We have already done the crc mismatch check above this code.
68163d2a5c7SDorjoy Chowdhury      */
68263d2a5c7SDorjoy Chowdhury     if (machine_initrd) {
68363d2a5c7SDorjoy Chowdhury         machine_initrd_f = fopen(machine_initrd, "rb");
68463d2a5c7SDorjoy Chowdhury         if (machine_initrd_f == NULL) {
68563d2a5c7SDorjoy Chowdhury             error_setg_errno(errp, errno, "Failed to open initrd file %s",
68663d2a5c7SDorjoy Chowdhury                              machine_initrd);
68763d2a5c7SDorjoy Chowdhury             goto cleanup;
68863d2a5c7SDorjoy Chowdhury         }
68963d2a5c7SDorjoy Chowdhury 
69063d2a5c7SDorjoy Chowdhury         machine_initrd_size = get_file_size(machine_initrd_f, errp);
69163d2a5c7SDorjoy Chowdhury         if (machine_initrd_size == -1) {
69263d2a5c7SDorjoy Chowdhury             goto cleanup;
69363d2a5c7SDorjoy Chowdhury         }
69463d2a5c7SDorjoy Chowdhury 
695*b7e55bd9SPaolo Bonzini         ptr = g_try_malloc(machine_initrd_size);
696*b7e55bd9SPaolo Bonzini         if (!ptr) {
697*b7e55bd9SPaolo Bonzini             error_setg(errp, "Out of memory reading initrd file");
698*b7e55bd9SPaolo Bonzini             goto cleanup;
699*b7e55bd9SPaolo Bonzini         }
70063d2a5c7SDorjoy Chowdhury 
70163d2a5c7SDorjoy Chowdhury         iov_ptr = g_malloc(sizeof(struct iovec));
70263d2a5c7SDorjoy Chowdhury         iov_ptr->iov_base = ptr;
70363d2a5c7SDorjoy Chowdhury         iov_ptr->iov_len = machine_initrd_size;
70463d2a5c7SDorjoy Chowdhury 
70563d2a5c7SDorjoy Chowdhury         iov_PCR0 = g_list_append(iov_PCR0, iov_ptr);
70663d2a5c7SDorjoy Chowdhury         iov_PCR2 = g_list_append(iov_PCR2, iov_ptr);
70763d2a5c7SDorjoy Chowdhury 
70863d2a5c7SDorjoy Chowdhury         if (!read_eif_ramdisk(machine_initrd_f, initrd_path_f,
70963d2a5c7SDorjoy Chowdhury                               machine_initrd_size, ptr, &crc, errp)) {
71063d2a5c7SDorjoy Chowdhury             goto cleanup;
71163d2a5c7SDorjoy Chowdhury         }
71263d2a5c7SDorjoy Chowdhury     }
71363d2a5c7SDorjoy Chowdhury 
71463d2a5c7SDorjoy Chowdhury     if (!get_SHA384_digest(iov_PCR0, image_sha384, errp)) {
71563d2a5c7SDorjoy Chowdhury         goto cleanup;
71663d2a5c7SDorjoy Chowdhury     }
71763d2a5c7SDorjoy Chowdhury     if (!get_SHA384_digest(iov_PCR1, bootstrap_sha384, errp)) {
71863d2a5c7SDorjoy Chowdhury         goto cleanup;
71963d2a5c7SDorjoy Chowdhury     }
72063d2a5c7SDorjoy Chowdhury     if (!get_SHA384_digest(iov_PCR2, app_sha384, errp)) {
72163d2a5c7SDorjoy Chowdhury         goto cleanup;
72263d2a5c7SDorjoy Chowdhury     }
72363d2a5c7SDorjoy Chowdhury 
72463d2a5c7SDorjoy Chowdhury     /*
72563d2a5c7SDorjoy Chowdhury      * We only need to free iov_PCR0 entries because iov_PCR1 and
72663d2a5c7SDorjoy Chowdhury      * iov_PCR2 iovec entries are subsets of iov_PCR0 iovec entries.
72763d2a5c7SDorjoy Chowdhury      */
72863d2a5c7SDorjoy Chowdhury     g_list_free_full(iov_PCR0, (GDestroyNotify) free_iovec);
72963d2a5c7SDorjoy Chowdhury     g_list_free(iov_PCR1);
73063d2a5c7SDorjoy Chowdhury     g_list_free(iov_PCR2);
73163d2a5c7SDorjoy Chowdhury     fclose(f);
73263d2a5c7SDorjoy Chowdhury     fclose(initrd_path_f);
73363d2a5c7SDorjoy Chowdhury     safe_fclose(machine_initrd_f);
73463d2a5c7SDorjoy Chowdhury     return true;
73563d2a5c7SDorjoy Chowdhury 
73663d2a5c7SDorjoy Chowdhury  cleanup:
73763d2a5c7SDorjoy Chowdhury     g_list_free_full(iov_PCR0, (GDestroyNotify) free_iovec);
73863d2a5c7SDorjoy Chowdhury     g_list_free(iov_PCR1);
73963d2a5c7SDorjoy Chowdhury     g_list_free(iov_PCR2);
74063d2a5c7SDorjoy Chowdhury 
74163d2a5c7SDorjoy Chowdhury     safe_fclose(f);
74263d2a5c7SDorjoy Chowdhury     safe_fclose(initrd_path_f);
74363d2a5c7SDorjoy Chowdhury     safe_fclose(machine_initrd_f);
74463d2a5c7SDorjoy Chowdhury 
74563d2a5c7SDorjoy Chowdhury     safe_unlink(*kernel_path);
74663d2a5c7SDorjoy Chowdhury     g_free(*kernel_path);
74763d2a5c7SDorjoy Chowdhury     *kernel_path = NULL;
74863d2a5c7SDorjoy Chowdhury 
74963d2a5c7SDorjoy Chowdhury     safe_unlink(*initrd_path);
75063d2a5c7SDorjoy Chowdhury     g_free(*initrd_path);
75163d2a5c7SDorjoy Chowdhury     *initrd_path = NULL;
75263d2a5c7SDorjoy Chowdhury 
75363d2a5c7SDorjoy Chowdhury     g_free(*cmdline);
75463d2a5c7SDorjoy Chowdhury     *cmdline = NULL;
75563d2a5c7SDorjoy Chowdhury 
75663d2a5c7SDorjoy Chowdhury     return false;
75763d2a5c7SDorjoy Chowdhury }