1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation
6 * files (the "Software"), to deal in the Software without
7 * restriction, including without limitation the rights to use, copy,
8 * modify, merge, publish, distribute, sublicense, and/or sell copies
9 * of the Software, and to permit persons to whom the Software is
10 * furnished to do so, subject to the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include <android_avb/avb_atx_validate.h>
26
27 #include <android_avb/avb_rsa.h>
28 #include <android_avb/avb_sha.h>
29 #include <android_avb/avb_sysdeps.h>
30 #include <android_avb/avb_util.h>
31 #include <android_avb/avb_ops_user.h>
32 #include <android_avb/rk_avb_ops_user.h>
33 #include <malloc.h>
34 #include <common.h>
35 #ifdef CONFIG_DM_CRYPTO
36 #include <crypto.h>
37 #endif
38
39 /* The most recent unlock challenge generated. */
40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE];
41 static bool last_unlock_challenge_set = false;
42
43 /* Computes the SHA256 |hash| of |length| bytes of |data|. */
sha256(const uint8_t * data,uint32_t length,uint8_t hash[AVB_SHA256_DIGEST_SIZE])44 static void sha256(const uint8_t* data,
45 uint32_t length,
46 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) {
47 AvbSHA256Ctx context;
48
49 context.tot_len = length;
50 avb_sha256_init(&context);
51 avb_sha256_update(&context, data, length);
52 uint8_t* tmp = avb_sha256_final(&context);
53 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE);
54 }
55
56 /* Computes the SHA512 |hash| of |length| bytes of |data|. */
sha512(const uint8_t * data,uint32_t length,uint8_t hash[AVB_SHA512_DIGEST_SIZE])57 static void sha512(const uint8_t* data,
58 uint32_t length,
59 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) {
60 AvbSHA512Ctx context;
61
62 context.tot_len = length;
63 avb_sha512_init(&context);
64 avb_sha512_update(&context, data, length);
65 uint8_t* tmp = avb_sha512_final(&context);
66 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE);
67 }
68
69 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */
sha256_str(const char * str,uint8_t hash[AVB_SHA256_DIGEST_SIZE])70 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) {
71 sha256((const uint8_t*)str, avb_strlen(str), hash);
72 }
73
74 /* Verifies structure and |expected_hash| of permanent |attributes|. */
verify_permanent_attributes(const AvbAtxPermanentAttributes * attributes,const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE])75 static bool verify_permanent_attributes(
76 const AvbAtxPermanentAttributes* attributes,
77 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) {
78 uint8_t hash[AVB_SHA256_DIGEST_SIZE];
79 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY
80 #ifdef CONFIG_DM_CRYPTO
81 u32 cap = CRYPTO_MD5 | CRYPTO_SHA1 | CRYPTO_SHA256 | CRYPTO_RSA2048;
82 uint8_t rsa_hash[256] = {0};
83 uint8_t rsa_hash_revert[256] = {0};
84 unsigned int rsaResult_temp[8];
85 unsigned char rsaResult[32] = {0};
86 struct rk_pub_key pub_key;
87 struct udevice *dev;
88 rsa_key rsa_key;
89 char *temp;
90 int ret = 0;
91 int i;
92
93 memset(&pub_key, 0, sizeof(struct rk_pub_key));
94 ret = rk_avb_get_pub_key(&pub_key);
95 if (ret)
96 return false;
97
98 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256);
99 if (ret) {
100 avb_error("get_perm_attr_cer error\n");
101 return false;
102 }
103
104 for (i = 0; i < 256; i++)
105 rsa_hash_revert[255-i] = rsa_hash[i];
106
107 dev = crypto_get_device(cap);
108 if (!dev) {
109 avb_error("Can't find crypto device for expected capability\n");
110 return false;
111 }
112
113 memset(&rsa_key, 0x00, sizeof(rsa_key));
114 rsa_key.algo = CRYPTO_RSA2048;
115 rsa_key.n = (u32 *)&pub_key.rsa_n;
116 rsa_key.e = (u32 *)&pub_key.rsa_e;
117 #ifdef CONFIG_ROCKCHIP_CRYPTO_V1
118 rsa_key.c = (u32 *)&pub_key.rsa_c;
119 #endif
120 ret = crypto_rsa_verify(dev, &rsa_key, (u8 *)rsa_hash_revert, (u8 *)rsaResult_temp);
121 if (ret) {
122 avb_error("Hardware verify error!\n");
123 return false;
124 }
125
126 temp = (char *)rsaResult_temp;
127 for (i = 0; i < 32; i++)
128 rsaResult[31-i] = temp[i];
129
130 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash);
131 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0)
132 return true;
133
134 return false;
135 #endif
136 #else
137 if (attributes->version != 1) {
138 avb_error("Unsupported permanent attributes version.\n");
139 return false;
140 }
141 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash);
142 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) {
143 avb_error("Invalid permanent attributes.\n");
144 return false;
145 }
146 return true;
147 #endif
148 }
149
150 /* Verifies the format, key version, usage, and signature of a certificate. */
verify_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_key_version,const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE])151 static bool verify_certificate(
152 const AvbAtxCertificate* certificate,
153 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
154 uint64_t minimum_key_version,
155 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) {
156 const AvbAlgorithmData* algorithm_data;
157 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE];
158
159 if (certificate->signed_data.version != 1) {
160 avb_error("Unsupported certificate format.\n");
161 return false;
162 }
163 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096);
164 sha512((const uint8_t*)&certificate->signed_data,
165 sizeof(AvbAtxCertificateSignedData),
166 certificate_hash);
167 if (!avb_rsa_verify(authority,
168 AVB_ATX_PUBLIC_KEY_SIZE,
169 certificate->signature,
170 AVB_RSA4096_NUM_BYTES,
171 certificate_hash,
172 AVB_SHA512_DIGEST_SIZE,
173 algorithm_data->padding,
174 algorithm_data->padding_len)) {
175 avb_error("Invalid certificate signature.\n");
176 return false;
177 }
178 if (certificate->signed_data.key_version < minimum_key_version) {
179 avb_error("Key rollback detected.\n");
180 return false;
181 }
182 if (0 != avb_safe_memcmp(certificate->signed_data.usage,
183 expected_usage,
184 AVB_SHA256_DIGEST_SIZE)) {
185 avb_error("Invalid certificate usage.\n");
186 return false;
187 }
188 return true;
189 }
190
191 /* Verifies signature and fields of a PIK certificate. */
verify_pik_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_version)192 static bool verify_pik_certificate(
193 const AvbAtxCertificate* certificate,
194 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
195 uint64_t minimum_version) {
196 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE];
197
198 sha256_str("com.google.android.things.vboot.ca", expected_usage);
199 if (!verify_certificate(
200 certificate, authority, minimum_version, expected_usage)) {
201 avb_error("Invalid PIK certificate.\n");
202 return false;
203 }
204 return true;
205 }
206
207 /* Verifies signature and fields of a PSK certificate. */
verify_psk_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_version,const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE])208 static bool verify_psk_certificate(
209 const AvbAtxCertificate* certificate,
210 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
211 uint64_t minimum_version,
212 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) {
213 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE];
214 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE];
215
216 sha256_str("com.google.android.things.vboot", expected_usage);
217 if (!verify_certificate(
218 certificate, authority, minimum_version, expected_usage)) {
219 avb_error("Invalid PSK certificate.\n");
220 return false;
221 }
222 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject);
223 if (0 != avb_safe_memcmp(certificate->signed_data.subject,
224 expected_subject,
225 AVB_SHA256_DIGEST_SIZE)) {
226 avb_error("PSK: Product ID mismatch.\n");
227 return false;
228 }
229 return true;
230 }
231
232 /* Verifies signature and fields of a PUK certificate. */
verify_puk_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_version,const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE])233 static bool verify_puk_certificate(
234 const AvbAtxCertificate* certificate,
235 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
236 uint64_t minimum_version,
237 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) {
238 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE];
239 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE];
240
241 sha256_str("com.google.android.things.vboot.unlock", expected_usage);
242 if (!verify_certificate(
243 certificate, authority, minimum_version, expected_usage)) {
244 avb_error("Invalid PUK certificate.\n");
245 return false;
246 }
247 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject);
248 if (0 != avb_safe_memcmp(certificate->signed_data.subject,
249 expected_subject,
250 AVB_SHA256_DIGEST_SIZE)) {
251 avb_error("PUK: Product ID mismatch.\n");
252 return false;
253 }
254 return true;
255 }
256
avb_atx_validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_is_trusted)257 AvbIOResult avb_atx_validate_vbmeta_public_key(
258 AvbOps* ops,
259 const uint8_t* public_key_data,
260 size_t public_key_length,
261 const uint8_t* public_key_metadata,
262 size_t public_key_metadata_length,
263 bool* out_is_trusted) {
264 AvbIOResult result = AVB_IO_RESULT_OK;
265 AvbAtxPermanentAttributes permanent_attributes;
266 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
267 AvbAtxPublicKeyMetadata metadata;
268 uint64_t minimum_version;
269
270 /* Be pessimistic so we can exit early without having to remember to clear.
271 */
272 *out_is_trusted = false;
273
274 /* Read and verify permanent attributes. */
275 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops,
276 &permanent_attributes);
277 if (result != AVB_IO_RESULT_OK) {
278 avb_error("Failed to read permanent attributes.\n");
279 return result;
280 }
281 result = ops->atx_ops->read_permanent_attributes_hash(
282 ops->atx_ops, permanent_attributes_hash);
283 if (result != AVB_IO_RESULT_OK) {
284 avb_error("Failed to read permanent attributes hash.\n");
285 return result;
286 }
287 if (!verify_permanent_attributes(&permanent_attributes,
288 permanent_attributes_hash)) {
289 return AVB_IO_RESULT_OK;
290 }
291
292 /* Sanity check public key metadata. */
293 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) {
294 avb_error("Invalid public key metadata.\n");
295 return AVB_IO_RESULT_OK;
296 }
297 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata));
298 if (metadata.version != 1) {
299 avb_error("Unsupported public key metadata.\n");
300 return AVB_IO_RESULT_OK;
301 }
302
303 /* Verify the PIK certificate. */
304 result = ops->read_rollback_index(
305 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version);
306 if (result != AVB_IO_RESULT_OK) {
307 avb_error("Failed to read PIK minimum version.\n");
308 return result;
309 }
310 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate,
311 permanent_attributes.product_root_public_key,
312 minimum_version)) {
313 return AVB_IO_RESULT_OK;
314 }
315
316 /* Verify the PSK certificate. */
317 result = ops->read_rollback_index(
318 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version);
319 if (result != AVB_IO_RESULT_OK) {
320 avb_error("Failed to read PSK minimum version.\n");
321 return result;
322 }
323 if (!verify_psk_certificate(
324 &metadata.product_signing_key_certificate,
325 metadata.product_intermediate_key_certificate.signed_data.public_key,
326 minimum_version,
327 permanent_attributes.product_id)) {
328 return AVB_IO_RESULT_OK;
329 }
330
331 /* Verify the PSK is the same key that verified vbmeta. */
332 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) {
333 avb_error("Public key length mismatch.\n");
334 return AVB_IO_RESULT_OK;
335 }
336 if (0 != avb_safe_memcmp(
337 metadata.product_signing_key_certificate.signed_data.public_key,
338 public_key_data,
339 AVB_ATX_PUBLIC_KEY_SIZE)) {
340 avb_error("Public key mismatch.\n");
341 return AVB_IO_RESULT_OK;
342 }
343
344 /* Report the key versions used during verification. */
345 ops->atx_ops->set_key_version(
346 ops->atx_ops,
347 AVB_ATX_PIK_VERSION_LOCATION,
348 metadata.product_intermediate_key_certificate.signed_data.key_version);
349 ops->atx_ops->set_key_version(
350 ops->atx_ops,
351 AVB_ATX_PSK_VERSION_LOCATION,
352 metadata.product_signing_key_certificate.signed_data.key_version);
353
354 *out_is_trusted = true;
355 return AVB_IO_RESULT_OK;
356 }
357
avb_atx_generate_unlock_challenge(AvbAtxOps * atx_ops,AvbAtxUnlockChallenge * out_unlock_challenge)358 AvbIOResult avb_atx_generate_unlock_challenge(
359 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) {
360 AvbIOResult result = AVB_IO_RESULT_OK;
361 AvbAtxPermanentAttributes permanent_attributes;
362
363 /* We need the permanent attributes to compute the product_id_hash. */
364 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes);
365 if (result != AVB_IO_RESULT_OK) {
366 avb_error("Failed to read permanent attributes.\n");
367 return result;
368 }
369 result = atx_ops->get_random(
370 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge);
371 if (result != AVB_IO_RESULT_OK) {
372 avb_error("Failed to generate random challenge.\n");
373 return result;
374 }
375 last_unlock_challenge_set = true;
376 out_unlock_challenge->version = 1;
377 sha256(permanent_attributes.product_id,
378 AVB_ATX_PRODUCT_ID_SIZE,
379 out_unlock_challenge->product_id_hash);
380 avb_memcpy(out_unlock_challenge->challenge,
381 last_unlock_challenge,
382 AVB_ATX_UNLOCK_CHALLENGE_SIZE);
383 return result;
384 }
385
avb_atx_validate_unlock_credential(AvbAtxOps * atx_ops,const AvbAtxUnlockCredential * unlock_credential,bool * out_is_trusted)386 AvbIOResult avb_atx_validate_unlock_credential(
387 AvbAtxOps* atx_ops,
388 const AvbAtxUnlockCredential* unlock_credential,
389 bool* out_is_trusted) {
390 AvbIOResult result = AVB_IO_RESULT_OK;
391 AvbAtxPermanentAttributes permanent_attributes;
392 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
393 uint64_t minimum_version;
394 const AvbAlgorithmData* algorithm_data;
395 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE];
396
397 /* Be pessimistic so we can exit early without having to remember to clear.
398 */
399 *out_is_trusted = false;
400
401 /* Sanity check the credential. */
402 if (unlock_credential->version != 1) {
403 avb_error("Unsupported unlock credential format.\n");
404 return AVB_IO_RESULT_OK;
405 }
406
407 /* Read and verify permanent attributes. */
408 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes);
409 if (result != AVB_IO_RESULT_OK) {
410 avb_error("Failed to read permanent attributes.\n");
411 return result;
412 }
413 result = atx_ops->read_permanent_attributes_hash(atx_ops,
414 permanent_attributes_hash);
415 if (result != AVB_IO_RESULT_OK) {
416 avb_error("Failed to read permanent attributes hash.\n");
417 return result;
418 }
419 if (!verify_permanent_attributes(&permanent_attributes,
420 permanent_attributes_hash)) {
421 return AVB_IO_RESULT_OK;
422 }
423
424 /* Verify the PIK certificate. */
425 result = atx_ops->ops->read_rollback_index(
426 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version);
427 if (result != AVB_IO_RESULT_OK) {
428 avb_error("Failed to read PIK minimum version.\n");
429 return result;
430 }
431 if (!verify_pik_certificate(
432 &unlock_credential->product_intermediate_key_certificate,
433 permanent_attributes.product_root_public_key,
434 minimum_version)) {
435 return AVB_IO_RESULT_OK;
436 }
437
438 /* Verify the PUK certificate. The minimum version is shared with the PSK. */
439 result = atx_ops->ops->read_rollback_index(
440 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version);
441 if (result != AVB_IO_RESULT_OK) {
442 avb_error("Failed to read PSK minimum version.\n");
443 return result;
444 }
445 if (!verify_puk_certificate(
446 &unlock_credential->product_unlock_key_certificate,
447 unlock_credential->product_intermediate_key_certificate.signed_data
448 .public_key,
449 minimum_version,
450 permanent_attributes.product_id)) {
451 return AVB_IO_RESULT_OK;
452 }
453
454 /* Hash the most recent unlock challenge. */
455 if (!last_unlock_challenge_set) {
456 avb_error("Challenge does not exist.\n");
457 return AVB_IO_RESULT_OK;
458 }
459 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash);
460 last_unlock_challenge_set = false;
461
462 /* Verify the challenge signature. */
463 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096);
464 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate
465 .signed_data.public_key,
466 AVB_ATX_PUBLIC_KEY_SIZE,
467 unlock_credential->challenge_signature,
468 AVB_RSA4096_NUM_BYTES,
469 challenge_hash,
470 AVB_SHA512_DIGEST_SIZE,
471 algorithm_data->padding,
472 algorithm_data->padding_len)) {
473 avb_error("Invalid unlock challenge signature.\n");
474 return AVB_IO_RESULT_OK;
475 }
476
477 *out_is_trusted = true;
478 return AVB_IO_RESULT_OK;
479 }
480