1*4882a593Smuzhiyun /*
2*4882a593Smuzhiyun  * Copyright (C) 2016 The Android Open Source Project
3*4882a593Smuzhiyun  *
4*4882a593Smuzhiyun  * Permission is hereby granted, free of charge, to any person
5*4882a593Smuzhiyun  * obtaining a copy of this software and associated documentation
6*4882a593Smuzhiyun  * files (the "Software"), to deal in the Software without
7*4882a593Smuzhiyun  * restriction, including without limitation the rights to use, copy,
8*4882a593Smuzhiyun  * modify, merge, publish, distribute, sublicense, and/or sell copies
9*4882a593Smuzhiyun  * of the Software, and to permit persons to whom the Software is
10*4882a593Smuzhiyun  * furnished to do so, subject to the following conditions:
11*4882a593Smuzhiyun  *
12*4882a593Smuzhiyun  * The above copyright notice and this permission notice shall be
13*4882a593Smuzhiyun  * included in all copies or substantial portions of the Software.
14*4882a593Smuzhiyun  *
15*4882a593Smuzhiyun  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16*4882a593Smuzhiyun  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17*4882a593Smuzhiyun  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18*4882a593Smuzhiyun  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19*4882a593Smuzhiyun  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20*4882a593Smuzhiyun  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21*4882a593Smuzhiyun  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22*4882a593Smuzhiyun  * SOFTWARE.
23*4882a593Smuzhiyun  */
24*4882a593Smuzhiyun #include <common.h>
25*4882a593Smuzhiyun #include <android_image.h>
26*4882a593Smuzhiyun #include <android_avb/avb_slot_verify.h>
27*4882a593Smuzhiyun #include <android_avb/avb_chain_partition_descriptor.h>
28*4882a593Smuzhiyun #include <android_avb/avb_cmdline.h>
29*4882a593Smuzhiyun #include <android_avb/avb_footer.h>
30*4882a593Smuzhiyun #include <android_avb/avb_hash_descriptor.h>
31*4882a593Smuzhiyun #include <android_avb/avb_hashtree_descriptor.h>
32*4882a593Smuzhiyun #include <android_avb/avb_kernel_cmdline_descriptor.h>
33*4882a593Smuzhiyun #include <android_avb/avb_ops_user.h>
34*4882a593Smuzhiyun #include <android_avb/avb_sha.h>
35*4882a593Smuzhiyun #include <android_avb/avb_util.h>
36*4882a593Smuzhiyun #include <android_avb/avb_vbmeta_image.h>
37*4882a593Smuzhiyun #include <android_avb/avb_version.h>
38*4882a593Smuzhiyun 
/* Maximum number of partitions that can be loaded with avb_slot_verify().
 * The loaders in this file refuse to append a partition to
 * |slot_data->loaded_partitions| once this many are present and report
 * AVB_SLOT_VERIFY_RESULT_ERROR_OOM instead, so a vbmeta image cannot make the
 * bootloader load an unbounded number of partitions. */
#define MAX_NUMBER_OF_LOADED_PARTITIONS 32

/* Maximum number of vbmeta images that can be loaded with avb_slot_verify().
 * Not referenced in this part of the file; presumably enforced by
 * avb_slot_verify() further down. */
#define MAX_NUMBER_OF_VBMETA_IMAGES 32

/* Maximum size of a vbmeta image - 64 KiB. Not referenced in this part of
 * the file. */
#define VBMETA_MAX_SIZE (64 * 1024)

/* Forward declaration: read_persistent_digest() calls this to create a
 * missing persistent digest, and this in turn calls read_persistent_digest()
 * to read the freshly written value back, so one of the two must be declared
 * ahead of its definition. */
static AvbSlotVerifyResult initialize_persistent_digest(
    AvbOps* ops,
    const char* part_name,
    const char* persistent_value_name,
    size_t digest_size,
    const uint8_t* initial_digest,
    uint8_t* out_digest);
55*4882a593Smuzhiyun 
/* Decides whether avb_slot_verify() may keep going after |result| when the
 * caller passed allow_verification_error=true.
 *
 * Only failures that concern the *contents* of the slot (a bad signature, a
 * rollback index that is too old, a public key the device rejects) are
 * tolerated in that mode. Structural problems - out of memory, I/O errors,
 * malformed or unsupported metadata, bad arguments - always stop
 * verification. Any value not explicitly listed is treated as "stop", so a
 * newly added result code fails closed. See the comments for the
 * avb_slot_verify() function for more information.
 */
static inline bool result_should_continue(AvbSlotVerifyResult result) {
  bool tolerable;

  switch (result) {
    case AVB_SLOT_VERIFY_RESULT_OK:
    case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
    case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX:
    case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
      tolerable = true;
      break;

    case AVB_SLOT_VERIFY_RESULT_ERROR_OOM:
    case AVB_SLOT_VERIFY_RESULT_ERROR_IO:
    case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA:
    case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION:
    case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT:
    default:
      /* Unknown codes fall in here too: never continue on something we do
       * not understand. */
      tolerable = false;
      break;
  }

  return tolerable;
}
78*4882a593Smuzhiyun 
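/* Loads the first |image_size| bytes of partition |part_name| into a buffer
 * returned through |*out_image_buf|.
 *
 * The buffer comes from one of two places:
 *  - If |ops->get_preloaded_partition| is implemented and hands back a
 *    non-NULL buffer, that buffer is used as-is and |*out_image_preloaded|
 *    is set to true. Such a buffer belongs to the AvbOps implementation;
 *    the callers in this file only avb_free() buffers that are NOT marked
 *    preloaded.
 *  - Otherwise |image_size| bytes are avb_malloc()'d and filled with
 *    |ops->read_from_partition|; the caller owns and must avb_free() them.
 *
 * |*out_image_buf| must be NULL and |*out_image_preloaded| false on entry.
 * |allow_verification_error| is passed through to get_preloaded_partition
 * (an extra argument compared to the stock AvbOps interface).
 *
 * Returns AVB_SLOT_VERIFY_RESULT_OK on success, _ERROR_OOM on allocation
 * failure, _ERROR_IO if the read fails or returns a different number of
 * bytes than requested, and _ERROR_INVALID_METADATA if |image_size| does not
 * fit in a size_t on this platform.
 */
static AvbSlotVerifyResult load_full_partition(AvbOps* ops,
                                               const char* part_name,
                                               uint64_t image_size,
                                               uint8_t** out_image_buf,
                                               bool* out_image_preloaded,
                                               int allow_verification_error) {
  /* Initialized so that an ops implementation that reports success without
   * storing a byte count is caught by the size check instead of reading an
   * indeterminate value. */
  size_t part_num_read = 0;
  AvbIOResult io_ret;

  /* Make sure that we do not overwrite existing data. */
  avb_assert(*out_image_buf == NULL);
  avb_assert(!*out_image_preloaded);

  /* image_size is implicitly narrowed from uint64_t to size_t below, so
   * refuse any value that would be truncated (e.g. a >4 GiB size from a
   * descriptor on a 32-bit bootloader). */
  if (image_size != (size_t)(image_size)) {
    avb_errorv(part_name, ": Partition size too large to load.\n", NULL);
    return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
  }

  /* Try use a preloaded one. */
  if (ops->get_preloaded_partition != NULL) {
    io_ret = ops->get_preloaded_partition(ops,
                                          part_name,
                                          image_size,
                                          out_image_buf,
                                          &part_num_read,
                                          allow_verification_error);
    if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
      return AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
    } else if (io_ret != AVB_IO_RESULT_OK) {
      avb_errorv(part_name, ": Error loading data from partition.\n", NULL);
      return AVB_SLOT_VERIFY_RESULT_ERROR_IO;
    }

    if (*out_image_buf != NULL) {
      /* Flag the buffer as preloaded *before* checking its size. Callers
       * free |*out_image_buf| whenever it is non-NULL and not marked
       * preloaded, so setting the flag only after a successful check would
       * hand a buffer we do not own to avb_free() on the short-read path. */
      *out_image_preloaded = true;
      if (part_num_read != image_size) {
        avb_errorv(part_name, ": Read incorrect number of bytes.\n", NULL);
        return AVB_SLOT_VERIFY_RESULT_ERROR_IO;
      }
    }
  }

  /* Allocate and copy the partition. */
  if (!*out_image_preloaded) {
    *out_image_buf = avb_malloc(image_size);
    if (*out_image_buf == NULL) {
      return AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
    }

    io_ret = ops->read_from_partition(ops,
                                      part_name,
                                      0 /* offset */,
                                      image_size,
                                      *out_image_buf,
                                      &part_num_read);
    if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
      return AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
    } else if (io_ret != AVB_IO_RESULT_OK) {
      avb_errorv(part_name, ": Error loading data from partition.\n", NULL);
      return AVB_SLOT_VERIFY_RESULT_ERROR_IO;
    }
    /* A short read means the data does not cover what the descriptor
     * claims; the caller frees the (non-preloaded) buffer on error. */
    if (part_num_read != image_size) {
      avb_errorv(part_name, ": Read incorrect number of bytes.\n", NULL);
      return AVB_SLOT_VERIFY_RESULT_ERROR_IO;
    }
  }

  return AVB_SLOT_VERIFY_RESULT_OK;
}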
147*4882a593Smuzhiyun 
/* Looks up the persistent digest that has been pinned for |part_name|.
 *
 * The digest lives in a named persistent value whose name is
 * AVB_NPV_PERSISTENT_DIGEST_PREFIX followed by |part_name|. The stored bytes
 * are copied into |out_digest|, which must have room for
 * |expected_digest_size| bytes.
 *
 * If no such value exists yet and |initial_digest| (also
 * |expected_digest_size| bytes) is non-NULL, initialize_persistent_digest()
 * is asked to create it - which it only does while the device is locked -
 * and its result is returned. A NULL |initial_digest| disables that.
 *
 * Returns:
 *  - AVB_SLOT_VERIFY_RESULT_OK: |out_digest| holds the stored digest.
 *  - AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: the AvbOps does not
 *    implement persistent values, or the stored value is not exactly
 *    |expected_digest_size| bytes.
 *  - AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: no value exists and none was
 *    initialized. This is deliberately an ignorable error (see
 *    result_should_continue()) rather than a metadata error.
 *  - AVB_SLOT_VERIFY_RESULT_ERROR_OOM / _ERROR_IO: allocation or I/O
 *    failure.
 */
static AvbSlotVerifyResult read_persistent_digest(AvbOps* ops,
                                                  const char* part_name,
                                                  size_t expected_digest_size,
                                                  const uint8_t* initial_digest,
                                                  uint8_t* out_digest) {
  char* value_name;
  size_t stored_size = 0;
  AvbIOResult io_ret;
  AvbSlotVerifyResult ret;

  if (ops->read_persistent_value == NULL) {
    avb_errorv(part_name, ": Persistent values are not implemented.\n", NULL);
    return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
  }

  value_name = avb_strdupv(AVB_NPV_PERSISTENT_DIGEST_PREFIX, part_name, NULL);
  if (value_name == NULL) {
    return AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
  }

  io_ret = ops->read_persistent_value(
      ops, value_name, expected_digest_size, out_digest, &stored_size);

  /* First use: no digest recorded yet and the caller supplied one to pin.
   * initialize_persistent_digest() writes it (locked devices only) and then
   * calls back into this function with a NULL initial_digest to read it
   * back, so the recursion is bounded to one level. */
  if (io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_VALUE && initial_digest != NULL) {
    ret = initialize_persistent_digest(ops,
                                       part_name,
                                       value_name,
                                       expected_digest_size,
                                       initial_digest,
                                       out_digest);
    avb_free(value_name);
    return ret;
  }
  avb_free(value_name);

  switch (io_ret) {
    case AVB_IO_RESULT_OK:
      /* The ops layer may accept a shorter value; insist on an exact match
       * so a truncated digest can never compare equal. */
      if (stored_size != expected_digest_size) {
        avb_errorv(
            part_name, ": Persistent digest is not of expected size.\n", NULL);
        ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
      } else {
        ret = AVB_SLOT_VERIFY_RESULT_OK;
      }
      break;

    case AVB_IO_RESULT_ERROR_OOM:
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
      break;

    case AVB_IO_RESULT_ERROR_NO_SUCH_VALUE:
      /* Missing value: report it as a (tolerable) verification error, not
       * as broken metadata. */
      avb_errorv(part_name, ": Persistent digest does not exist.\n", NULL);
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION;
      break;

    case AVB_IO_RESULT_ERROR_INVALID_VALUE_SIZE:
    case AVB_IO_RESULT_ERROR_INSUFFICIENT_SPACE:
      avb_errorv(
          part_name, ": Persistent digest is not of expected size.\n", NULL);
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
      break;

    default:
      avb_errorv(part_name, ": Error reading persistent digest.\n", NULL);
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
      break;
  }

  return ret;
}
228*4882a593Smuzhiyun 
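/* Pins |initial_digest| as the persistent digest for |part_name| and reads
 * it back into |out_digest|.
 *
 * Called from read_persistent_digest() when no value named
 * |persistent_value_name| exists yet. The value is only ever created while
 * the device is locked: on an unlocked device an attacker-chosen partition
 * image could otherwise be enrolled as the trusted digest and would keep
 * being accepted after the device is re-locked. Note that this is still
 * trust-on-first-use - the first locked boot trusts whatever the partition
 * holds at that moment - so the partition must already carry the intended
 * contents when the device is locked.
 *
 * |digest_size| is the length of both |initial_digest| and |out_digest|.
 *
 * Returns AVB_SLOT_VERIFY_RESULT_OK once the value has been written and read
 * back successfully; _ERROR_VERIFICATION if the device is unlocked (an
 * ignorable error in allow_verification_error mode); _ERROR_INVALID_METADATA
 * if the AvbOps cannot write persistent values; _ERROR_OOM or _ERROR_IO on
 * allocation or I/O failure.
 */
static AvbSlotVerifyResult initialize_persistent_digest(
    AvbOps* ops,
    const char* part_name,
    const char* persistent_value_name,
    size_t digest_size,
    const uint8_t* initial_digest,
    uint8_t* out_digest) {
  AvbSlotVerifyResult ret;
  AvbIOResult io_ret = AVB_IO_RESULT_OK;
  /* Fail safe: if the lock-state query does not set this, behave as if the
   * device were unlocked and pin nothing. */
  bool is_device_unlocked = true;

  io_ret = ops->read_is_device_unlocked(ops, &is_device_unlocked);
  if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
    return AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
  } else if (io_ret != AVB_IO_RESULT_OK) {
    avb_error("Error getting device lock state.\n");
    return AVB_SLOT_VERIFY_RESULT_ERROR_IO;
  }

  if (is_device_unlocked) {
    avb_debugv(part_name,
               ": Digest does not exist, device unlocked so not initializing "
               "digest.\n",
               NULL);
    return AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION;
  }

  /* read_persistent_digest() only checks that the read op is implemented.
   * An AvbOps that can read but not write persistent values would otherwise
   * be called through a NULL function pointer below; treat it like the
   * missing read op and report it as unsupported metadata. */
  if (ops->write_persistent_value == NULL) {
    avb_errorv(part_name,
               ": Writing persistent values is not implemented.\n",
               NULL);
    return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
  }

  // Device locked; initialize digest with given initial value.
  avb_debugv(part_name,
             ": Digest does not exist, initializing persistent digest.\n",
             NULL);
  io_ret = ops->write_persistent_value(
      ops, persistent_value_name, digest_size, initial_digest);
  if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
    return AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
  } else if (io_ret != AVB_IO_RESULT_OK) {
    avb_errorv(part_name, ": Error initializing persistent digest.\n", NULL);
    return AVB_SLOT_VERIFY_RESULT_ERROR_IO;
  }

  // Read the value back through read_persistent_digest() rather than
  // trusting the write: this confirms the digest really was persisted
  // (otherwise it would silently be 're-initialized' on every verify) and
  // fills |out_digest| from storage. The NULL initial_digest guarantees the
  // callee does not recurse into this function again.
  ret = read_persistent_digest(ops, part_name, digest_size, NULL, out_digest);
  if (ret != AVB_SLOT_VERIFY_RESULT_OK) {
    avb_errorv(part_name,
               ": Reading back initialized persistent digest failed!\n",
               NULL);
  }
  return ret;
}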
281*4882a593Smuzhiyun 
/* Verifies one partition described by an AvbHashDescriptor and, on success
 * (or on a tolerable failure, see result_should_continue()), appends its
 * contents to |slot_data->loaded_partitions|.
 *
 * |descriptor| points at the raw, still big-endian descriptor inside a
 * vbmeta image. It is validated and byteswapped into |hash_desc| first, and
 * the partition name, salt and digest pointers below are derived from the
 * validated lengths. Partitions not listed in |requested_partitions| are
 * skipped and report AVB_SLOT_VERIFY_RESULT_OK without being read.
 *
 * The expected digest comes either from the descriptor itself
 * (|hash_desc.digest_len| > 0) or, for device-unique partitions with an
 * empty descriptor digest, from a named persistent value (see
 * read_persistent_digest()).
 *
 * NOTE(review): when |allow_verification_error| is true this function
 * returns right after loading the partition and never hashes it (see the
 * early goto below), so the caller cannot distinguish a tampered image
 * from a good one in that mode. Stock libavb still hashes and reports
 * AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION - confirm this local deviation
 * is intended and that nothing downstream relies on the verification
 * result for unlocked boots.
 *
 * Returns AVB_SLOT_VERIFY_RESULT_OK on success, _ERROR_VERIFICATION on a
 * digest mismatch or a missing persistent digest, and the other _ERROR_*
 * codes for metadata, I/O and memory problems.
 */
static AvbSlotVerifyResult load_and_verify_hash_partition(
    AvbOps* ops,
    const char* const* requested_partitions,
    const char* ab_suffix,
    bool allow_verification_error,
    const AvbDescriptor* descriptor,
    AvbSlotVerifyData* slot_data) {
  AvbHashDescriptor hash_desc;
  const uint8_t* desc_partition_name = NULL;
  const uint8_t* desc_salt;
  const uint8_t* desc_digest;
  char part_name[AVB_PART_NAME_MAX_SIZE];
  AvbSlotVerifyResult ret;
  AvbIOResult io_ret;
  uint8_t* image_buf = NULL;
  bool image_preloaded = false;
  uint8_t* digest;
  size_t digest_len;
  const char* found = NULL;
  uint64_t image_size;
  size_t expected_digest_len = 0;
  /* Sized for the largest digest this function can produce (SHA-512); the
   * avb_assert() further down guards the persistent-digest copy into it. */
  uint8_t expected_digest_buf[AVB_SHA512_DIGEST_SIZE];
  const uint8_t* expected_digest = NULL;

  /* Validates the descriptor's header (including that the variable-length
   * name/salt/digest fit in the bytes that follow it) and converts it to
   * host byte order. */
  if (!avb_hash_descriptor_validate_and_byteswap(
          (const AvbHashDescriptor*)descriptor, &hash_desc)) {
    ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
    goto out;
  }

  /* The name, salt and digest are packed back-to-back right after the
   * fixed-size descriptor header. */
  desc_partition_name =
      ((const uint8_t*)descriptor) + sizeof(AvbHashDescriptor);
  desc_salt = desc_partition_name + hash_desc.partition_name_len;
  desc_digest = desc_salt + hash_desc.salt_len;

  if (!avb_validate_utf8(desc_partition_name, hash_desc.partition_name_len)) {
    avb_error("Partition name is not valid UTF-8.\n");
    ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
    goto out;
  }

  /* Don't bother loading or validating unless the partition was
   * requested in the first place.
   */
  found = avb_strv_find_str(requested_partitions,
                            (const char*)desc_partition_name,
                            hash_desc.partition_name_len);
  if (found == NULL) {
    ret = AVB_SLOT_VERIFY_RESULT_OK;
    goto out;
  }

  if ((hash_desc.flags & AVB_HASH_DESCRIPTOR_FLAGS_DO_NOT_USE_AB) != 0) {
    /* No ab_suffix, just copy the partition name as is. */
    /* '>=' rather than '>' leaves room for the terminating NUL. */
    if (hash_desc.partition_name_len >= AVB_PART_NAME_MAX_SIZE) {
      avb_error("Partition name does not fit.\n");
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
      goto out;
    }
    avb_memcpy(part_name, desc_partition_name, hash_desc.partition_name_len);
    part_name[hash_desc.partition_name_len] = '\0';
  } else if (hash_desc.digest_len == 0 && avb_strlen(ab_suffix) != 0) {
    /* No ab_suffix allowed for partitions without a digest in the descriptor
     * because these partitions hold data unique to this device and are not
     * updated using an A/B scheme.
     */
    avb_error("Cannot use A/B with a persistent digest.\n");
    ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
    goto out;
  } else {
    /* Add ab_suffix to the partition name. */
    /* avb_str_concat() is bounded by sizeof part_name and fails rather than
     * truncating, so an over-long descriptor name cannot overflow it. */
    if (!avb_str_concat(part_name,
                        sizeof part_name,
                        (const char*)desc_partition_name,
                        hash_desc.partition_name_len,
                        ab_suffix,
                        avb_strlen(ab_suffix))) {
      avb_error("Partition name and suffix does not fit.\n");
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
      goto out;
    }
  }

  /* If we're allowing verification errors then hash_desc.image_size
   * may no longer match what's in the partition... so in this case
   * just load the entire partition.
   *
   * For example, this can happen if a developer does 'fastboot flash
   * boot /path/to/new/and/bigger/boot.img'. We want this to work
   * since it's such a common workflow.
   */
  image_size = hash_desc.image_size;
  if (allow_verification_error) {
    io_ret = ops->get_size_of_partition(ops, part_name, &image_size);
    if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
      goto out;
    } else if (io_ret != AVB_IO_RESULT_OK) {
      avb_errorv(part_name, ": Error determining partition size.\n", NULL);
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
      goto out;
    }
    avb_debugv(part_name, ": Loading entire partition.\n", NULL);
  }

  ret = load_full_partition(
      ops, part_name, image_size, &image_buf, &image_preloaded,
      allow_verification_error);
  if (ret != AVB_SLOT_VERIFY_RESULT_OK) {
    goto out;
  } else if (allow_verification_error) {
    /* NOTE(review): this skips the hashing below entirely, so in
     * allow_verification_error mode the partition is handed back with
     * ret == OK regardless of its contents. See the function comment. */
    goto out;
  }

  // Although only one of the type might be used, we have to defined the
  // structure here so that they would live outside the 'if/else' scope to be
  // used later.
  AvbSHA256Ctx sha256_ctx;
  AvbSHA512Ctx sha512_ctx;
  size_t image_size_to_hash = hash_desc.image_size;
  // If we allow verification error and the whole partition is smaller than
  // image size in hash descriptor, we just hash the whole partition.
  // (With the early return above this point is only reached when
  // allow_verification_error is false, in which case image_size is still
  // hash_desc.image_size and the clamp never changes anything; the comment
  // appears to predate the early return.)
  if (image_size_to_hash > image_size) {
    image_size_to_hash = image_size;
  }
  /* Digest = H(salt || image[0..image_size_to_hash)), salt first, exactly as
   * avbtool computes it. */
  if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha256") == 0) {
    /* tot_len is seeded with the total input length before init; presumably
     * consumed by a hardware-backed SHA implementation that needs the
     * length up front - confirm against the avb_sha implementation. */
    sha256_ctx.tot_len = hash_desc.salt_len + image_size_to_hash;
    avb_sha256_init(&sha256_ctx);
    avb_sha256_update(&sha256_ctx, desc_salt, hash_desc.salt_len);
    avb_sha256_update(&sha256_ctx, image_buf, image_size_to_hash);
    digest = avb_sha256_final(&sha256_ctx);
    digest_len = AVB_SHA256_DIGEST_SIZE;
  } else if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha512") == 0) {
    /* Same tot_len seeding as the sha256 branch. */
    sha512_ctx.tot_len = hash_desc.salt_len + image_size_to_hash;
    avb_sha512_init(&sha512_ctx);
    avb_sha512_update(&sha512_ctx, desc_salt, hash_desc.salt_len);
    avb_sha512_update(&sha512_ctx, image_buf, image_size_to_hash);
    digest = avb_sha512_final(&sha512_ctx);
    digest_len = AVB_SHA512_DIGEST_SIZE;
  } else {
    /* Unknown algorithm names are rejected rather than skipped: a
     * descriptor must not be able to opt out of hashing. */
    avb_errorv(part_name, ": Unsupported hash algorithm.\n", NULL);
    ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
    goto out;
  }

  if (hash_desc.digest_len == 0) {
    /* Expect a match to a persistent digest. */
    avb_debugv(part_name, ": No digest, using persistent digest.\n", NULL);
    expected_digest_len = digest_len;
    expected_digest = expected_digest_buf;
    avb_assert(expected_digest_len <= sizeof(expected_digest_buf));
    /* Pass |digest| as the |initial_digest| so devices not yet initialized get
     * initialized to the current partition digest.
     *
     * This is trust-on-first-use: on a locked device with no stored digest,
     * whatever is currently in the partition becomes the pinned reference
     * (see initialize_persistent_digest()).
     */
    ret = read_persistent_digest(
        ops, part_name, digest_len, digest, expected_digest_buf);
    if (ret != AVB_SLOT_VERIFY_RESULT_OK) {
      goto out;
    }
  } else {
    /* Expect a match to the digest in the descriptor. */
    expected_digest_len = hash_desc.digest_len;
    expected_digest = desc_digest;
  }

  /* A descriptor digest of the wrong length for the named algorithm is
   * malformed metadata, not a verification failure. */
  if (digest_len != expected_digest_len) {
    avb_errorv(
        part_name, ": Digest in descriptor not of expected size.\n", NULL);
    ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
    goto out;
  }

  /* avb_safe_memcmp rather than avb_memcmp - presumably the constant-time
   * comparison, so the compare does not leak how many digest bytes matched. */
  if (avb_safe_memcmp(digest, expected_digest, digest_len) != 0) {
    avb_errorv(part_name,
               ": Hash of data does not match digest in descriptor.\n",
               NULL);
    ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION;
    goto out;
  }

  ret = AVB_SLOT_VERIFY_RESULT_OK;

out:

  /* If it worked and something was loaded, copy to slot_data. */
  /* Tolerable errors (e.g. ERROR_VERIFICATION) still hand the data to the
   * caller, which is what allow_verification_error mode relies on; the
   * caller is expected to look at the result code before using it. */
  if ((ret == AVB_SLOT_VERIFY_RESULT_OK || result_should_continue(ret)) &&
      image_buf != NULL) {
    AvbPartitionData* loaded_partition;
    if (slot_data->num_loaded_partitions == MAX_NUMBER_OF_LOADED_PARTITIONS) {
      avb_errorv(part_name, ": Too many loaded partitions.\n", NULL);
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
      goto fail;
    }
    loaded_partition =
        &slot_data->loaded_partitions[slot_data->num_loaded_partitions++];
    /* NOTE(review): avb_strdup() can return NULL on OOM and is not checked
     * here (the loader further down does check it); whether a NULL
     * partition_name is safe depends on how slot_data is consumed and
     * freed - confirm. */
    loaded_partition->partition_name = avb_strdup(found);
    /* data_size is what was actually loaded: hash_desc.image_size normally,
     * the whole partition in allow_verification_error mode. */
    loaded_partition->data_size = image_size;
    loaded_partition->data = image_buf;
    loaded_partition->preloaded = image_preloaded;
    /* Ownership moved to slot_data; do not free below. */
    image_buf = NULL;
  }

fail:
  /* Preloaded buffers belong to the ops implementation and are never freed
   * here. */
  if (image_buf != NULL && !image_preloaded) {
    avb_free(image_buf);
  }
  return ret;
}
490*4882a593Smuzhiyun 
/* Loads each partition named in |requested_partitions| in its entirety and
 * appends it to |slot_data->loaded_partitions|.
 *
 * No hash or signature check is performed on the loaded data here; the
 * only call site visible in this file reaches this function when the
 * vbmeta image carries AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED, so
 * the caller is responsible for deciding that unverified data is
 * acceptable before calling.
 *
 * |requested_partitions| is a NULL-terminated array of base partition
 * names (without A/B suffix); |ab_suffix| is appended to each one to
 * build the on-disk name. The stored partition_name is the base name.
 *
 * Returns AVB_SLOT_VERIFY_RESULT_OK when every partition was appended.
 * On any failure the entries already appended to |slot_data| are left in
 * place for the caller to release; only the buffer of the partition that
 * was being processed (if not preloaded) is freed before returning.
 */
static AvbSlotVerifyResult load_requested_partitions(
    AvbOps* ops,
    const char* const* requested_partitions,
    const char* ab_suffix,
    AvbSlotVerifyData* slot_data) {
  AvbSlotVerifyResult ret = AVB_SLOT_VERIFY_RESULT_OK;
  uint8_t* image_buf = NULL;
  bool image_preloaded = false;

  for (size_t idx = 0; requested_partitions[idx] != NULL; idx++) {
    const char* base_name = requested_partitions[idx];
    char part_name[AVB_PART_NAME_MAX_SIZE];
    uint64_t image_size;
    AvbIOResult io_ret;
    AvbPartitionData* slot;

    /* Build the full on-disk name, e.g. base "boot" + suffix "_a". */
    if (!avb_str_concat(part_name,
                        sizeof part_name,
                        base_name,
                        avb_strlen(base_name),
                        ab_suffix,
                        avb_strlen(ab_suffix))) {
      avb_error("Partition name and suffix does not fit.\n");
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
      goto out;
    }

    io_ret = ops->get_size_of_partition(ops, part_name, &image_size);
    switch (io_ret) {
      case AVB_IO_RESULT_OK:
        break;
      case AVB_IO_RESULT_ERROR_OOM:
        ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
        goto out;
      default:
        avb_errorv(part_name, ": Error determining partition size.\n", NULL);
        ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
        goto out;
    }
    avb_debugv(part_name, ": Loading entire partition.\n", NULL);

    /* On success |image_buf| owns the data (unless preloaded) until it is
     * handed over to |slot_data| below. */
    ret = load_full_partition(
        ops, part_name, image_size, &image_buf, &image_preloaded, 1);
    if (ret != AVB_SLOT_VERIFY_RESULT_OK) {
      goto out;
    }

    /* Hand the buffer over to slot_data. */
    if (slot_data->num_loaded_partitions == MAX_NUMBER_OF_LOADED_PARTITIONS) {
      avb_errorv(part_name, ": Too many loaded partitions.\n", NULL);
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
      goto out;
    }
    slot = &slot_data->loaded_partitions[slot_data->num_loaded_partitions];
    slot_data->num_loaded_partitions++;

    slot->partition_name = avb_strdup(base_name);
    if (slot->partition_name == NULL) {
      /* Entry is already counted; image_buf is still ours and is released
       * at |out|. */
      ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
      goto out;
    }
    slot->data_size = image_size;
    slot->data = image_buf; /* Ownership moves to slot_data. */
    slot->preloaded = image_preloaded;

    /* Reset so the cleanup at |out| does not touch the transferred buffer. */
    image_buf = NULL;
    image_preloaded = false;
  }

  ret = AVB_SLOT_VERIFY_RESULT_OK;

out:
  /* Release only the buffer not yet transferred; entries stored in
   * slot_data are the caller's to free, even on failure. */
  if (image_buf != NULL && !image_preloaded) {
    avb_free(image_buf);
  }
  return ret;
}
566*4882a593Smuzhiyun 
load_and_verify_vbmeta(AvbOps * ops,const char * const * requested_partitions,const char * ab_suffix,AvbSlotVerifyFlags flags,bool allow_verification_error,AvbVBMetaImageFlags toplevel_vbmeta_flags,int rollback_index_location,const char * partition_name,size_t partition_name_len,const uint8_t * expected_public_key,size_t expected_public_key_length,AvbSlotVerifyData * slot_data,AvbAlgorithmType * out_algorithm_type,AvbCmdlineSubstList * out_additional_cmdline_subst)567*4882a593Smuzhiyun static AvbSlotVerifyResult load_and_verify_vbmeta(
568*4882a593Smuzhiyun     AvbOps* ops,
569*4882a593Smuzhiyun     const char* const* requested_partitions,
570*4882a593Smuzhiyun     const char* ab_suffix,
571*4882a593Smuzhiyun     AvbSlotVerifyFlags flags,
572*4882a593Smuzhiyun     bool allow_verification_error,
573*4882a593Smuzhiyun     AvbVBMetaImageFlags toplevel_vbmeta_flags,
574*4882a593Smuzhiyun     int rollback_index_location,
575*4882a593Smuzhiyun     const char* partition_name,
576*4882a593Smuzhiyun     size_t partition_name_len,
577*4882a593Smuzhiyun     const uint8_t* expected_public_key,
578*4882a593Smuzhiyun     size_t expected_public_key_length,
579*4882a593Smuzhiyun     AvbSlotVerifyData* slot_data,
580*4882a593Smuzhiyun     AvbAlgorithmType* out_algorithm_type,
581*4882a593Smuzhiyun     AvbCmdlineSubstList* out_additional_cmdline_subst) {
582*4882a593Smuzhiyun   char full_partition_name[AVB_PART_NAME_MAX_SIZE];
583*4882a593Smuzhiyun   AvbSlotVerifyResult ret;
584*4882a593Smuzhiyun   AvbIOResult io_ret;
585*4882a593Smuzhiyun   uint64_t vbmeta_offset;
586*4882a593Smuzhiyun   size_t vbmeta_size;
587*4882a593Smuzhiyun   uint8_t* vbmeta_buf = NULL;
588*4882a593Smuzhiyun   size_t vbmeta_num_read;
589*4882a593Smuzhiyun   AvbVBMetaVerifyResult vbmeta_ret;
590*4882a593Smuzhiyun   const uint8_t* pk_data;
591*4882a593Smuzhiyun   size_t pk_len;
592*4882a593Smuzhiyun   AvbVBMetaImageHeader vbmeta_header;
593*4882a593Smuzhiyun   uint64_t stored_rollback_index;
594*4882a593Smuzhiyun   const AvbDescriptor** descriptors = NULL;
595*4882a593Smuzhiyun   size_t num_descriptors;
596*4882a593Smuzhiyun   size_t n;
597*4882a593Smuzhiyun   bool is_main_vbmeta;
598*4882a593Smuzhiyun   bool look_for_vbmeta_footer;
599*4882a593Smuzhiyun   AvbVBMetaData* vbmeta_image_data = NULL;
600*4882a593Smuzhiyun 
601*4882a593Smuzhiyun   ret = AVB_SLOT_VERIFY_RESULT_OK;
602*4882a593Smuzhiyun 
603*4882a593Smuzhiyun   avb_assert(slot_data != NULL);
604*4882a593Smuzhiyun 
605*4882a593Smuzhiyun   /* Since we allow top-level vbmeta in 'boot', use
606*4882a593Smuzhiyun    * rollback_index_location to determine whether we're the main
607*4882a593Smuzhiyun    * vbmeta struct.
608*4882a593Smuzhiyun    */
609*4882a593Smuzhiyun   is_main_vbmeta = false;
610*4882a593Smuzhiyun   if (rollback_index_location == 0) {
611*4882a593Smuzhiyun     if ((flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) == 0) {
612*4882a593Smuzhiyun       is_main_vbmeta = true;
613*4882a593Smuzhiyun     }
614*4882a593Smuzhiyun   }
615*4882a593Smuzhiyun 
616*4882a593Smuzhiyun   /* Don't use footers for vbmeta partitions ('vbmeta' or
617*4882a593Smuzhiyun    * 'vbmeta_<partition_name>').
618*4882a593Smuzhiyun    */
619*4882a593Smuzhiyun   look_for_vbmeta_footer = true;
620*4882a593Smuzhiyun   if (avb_strncmp(partition_name, "vbmeta", avb_strlen("vbmeta")) == 0) {
621*4882a593Smuzhiyun     look_for_vbmeta_footer = false;
622*4882a593Smuzhiyun   }
623*4882a593Smuzhiyun 
624*4882a593Smuzhiyun   if (!avb_validate_utf8((const uint8_t*)partition_name, partition_name_len)) {
625*4882a593Smuzhiyun     avb_error("Partition name is not valid UTF-8.\n");
626*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
627*4882a593Smuzhiyun     goto out;
628*4882a593Smuzhiyun   }
629*4882a593Smuzhiyun 
630*4882a593Smuzhiyun   /* Construct full partition name e.g. system_a. */
631*4882a593Smuzhiyun   if (!avb_str_concat(full_partition_name,
632*4882a593Smuzhiyun                       sizeof full_partition_name,
633*4882a593Smuzhiyun                       partition_name,
634*4882a593Smuzhiyun                       partition_name_len,
635*4882a593Smuzhiyun                       ab_suffix,
636*4882a593Smuzhiyun                       avb_strlen(ab_suffix))) {
637*4882a593Smuzhiyun     avb_error("Partition name and suffix does not fit.\n");
638*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
639*4882a593Smuzhiyun     goto out;
640*4882a593Smuzhiyun   }
641*4882a593Smuzhiyun 
642*4882a593Smuzhiyun   /* If we're loading from the main vbmeta partition, the vbmeta struct is in
643*4882a593Smuzhiyun    * the beginning. Otherwise we may have to locate it via a footer... if no
644*4882a593Smuzhiyun    * footer is found, we look in the beginning to support e.g. vbmeta_<org>
645*4882a593Smuzhiyun    * partitions holding data for e.g. super partitions (b/80195851 for
646*4882a593Smuzhiyun    * rationale).
647*4882a593Smuzhiyun    */
648*4882a593Smuzhiyun   vbmeta_offset = 0;
649*4882a593Smuzhiyun   vbmeta_size = VBMETA_MAX_SIZE;
650*4882a593Smuzhiyun   if (look_for_vbmeta_footer) {
651*4882a593Smuzhiyun     uint8_t footer_buf[AVB_FOOTER_SIZE];
652*4882a593Smuzhiyun     size_t footer_num_read;
653*4882a593Smuzhiyun     AvbFooter footer;
654*4882a593Smuzhiyun 
655*4882a593Smuzhiyun     io_ret = ops->read_from_partition(ops,
656*4882a593Smuzhiyun                                       full_partition_name,
657*4882a593Smuzhiyun                                       -AVB_FOOTER_SIZE,
658*4882a593Smuzhiyun                                       AVB_FOOTER_SIZE,
659*4882a593Smuzhiyun                                       footer_buf,
660*4882a593Smuzhiyun                                       &footer_num_read);
661*4882a593Smuzhiyun     if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
662*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
663*4882a593Smuzhiyun       goto out;
664*4882a593Smuzhiyun     } else if (io_ret != AVB_IO_RESULT_OK) {
665*4882a593Smuzhiyun       avb_errorv(full_partition_name, ": Error loading footer.\n", NULL);
666*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
667*4882a593Smuzhiyun       goto out;
668*4882a593Smuzhiyun     }
669*4882a593Smuzhiyun     avb_assert(footer_num_read == AVB_FOOTER_SIZE);
670*4882a593Smuzhiyun 
671*4882a593Smuzhiyun     if (!avb_footer_validate_and_byteswap((const AvbFooter*)footer_buf,
672*4882a593Smuzhiyun                                           &footer)) {
673*4882a593Smuzhiyun       avb_debugv(full_partition_name, ": No footer detected.\n", NULL);
674*4882a593Smuzhiyun     } else {
675*4882a593Smuzhiyun       /* Basic footer sanity check since the data is untrusted. */
676*4882a593Smuzhiyun       if (footer.vbmeta_size > VBMETA_MAX_SIZE) {
677*4882a593Smuzhiyun         avb_errorv(
678*4882a593Smuzhiyun             full_partition_name, ": Invalid vbmeta size in footer.\n", NULL);
679*4882a593Smuzhiyun       } else {
680*4882a593Smuzhiyun         vbmeta_offset = footer.vbmeta_offset;
681*4882a593Smuzhiyun         vbmeta_size = footer.vbmeta_size;
682*4882a593Smuzhiyun       }
683*4882a593Smuzhiyun     }
684*4882a593Smuzhiyun   }
685*4882a593Smuzhiyun 
686*4882a593Smuzhiyun   vbmeta_buf = avb_malloc(vbmeta_size);
687*4882a593Smuzhiyun   if (vbmeta_buf == NULL) {
688*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
689*4882a593Smuzhiyun     goto out;
690*4882a593Smuzhiyun   }
691*4882a593Smuzhiyun 
692*4882a593Smuzhiyun   if (vbmeta_offset != 0) {
693*4882a593Smuzhiyun     avb_debugv("Loading vbmeta struct in footer from partition '",
694*4882a593Smuzhiyun                full_partition_name,
695*4882a593Smuzhiyun                "'.\n",
696*4882a593Smuzhiyun                NULL);
697*4882a593Smuzhiyun   } else {
698*4882a593Smuzhiyun     avb_debugv("Loading vbmeta struct from partition '",
699*4882a593Smuzhiyun                full_partition_name,
700*4882a593Smuzhiyun                "'.\n",
701*4882a593Smuzhiyun                NULL);
702*4882a593Smuzhiyun   }
703*4882a593Smuzhiyun 
704*4882a593Smuzhiyun   io_ret = ops->read_from_partition(ops,
705*4882a593Smuzhiyun                                     full_partition_name,
706*4882a593Smuzhiyun                                     vbmeta_offset,
707*4882a593Smuzhiyun                                     vbmeta_size,
708*4882a593Smuzhiyun                                     vbmeta_buf,
709*4882a593Smuzhiyun                                     &vbmeta_num_read);
710*4882a593Smuzhiyun   if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
711*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
712*4882a593Smuzhiyun     goto out;
713*4882a593Smuzhiyun   } else if (io_ret != AVB_IO_RESULT_OK) {
714*4882a593Smuzhiyun     /* If we're looking for 'vbmeta' but there is no such partition,
715*4882a593Smuzhiyun      * go try to get it from the boot partition instead.
716*4882a593Smuzhiyun      */
717*4882a593Smuzhiyun     if (is_main_vbmeta && io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION &&
718*4882a593Smuzhiyun         !look_for_vbmeta_footer) {
719*4882a593Smuzhiyun       avb_debugv(full_partition_name,
720*4882a593Smuzhiyun                  ": No such partition. Trying 'boot' instead.\n",
721*4882a593Smuzhiyun                  NULL);
722*4882a593Smuzhiyun       ret = load_and_verify_vbmeta(ops,
723*4882a593Smuzhiyun                                    requested_partitions,
724*4882a593Smuzhiyun                                    ab_suffix,
725*4882a593Smuzhiyun                                    flags,
726*4882a593Smuzhiyun                                    allow_verification_error,
727*4882a593Smuzhiyun                                    0 /* toplevel_vbmeta_flags */,
728*4882a593Smuzhiyun                                    0 /* rollback_index_location */,
729*4882a593Smuzhiyun                                    "boot",
730*4882a593Smuzhiyun                                    avb_strlen("boot"),
731*4882a593Smuzhiyun                                    NULL /* expected_public_key */,
732*4882a593Smuzhiyun                                    0 /* expected_public_key_length */,
733*4882a593Smuzhiyun                                    slot_data,
734*4882a593Smuzhiyun                                    out_algorithm_type,
735*4882a593Smuzhiyun                                    out_additional_cmdline_subst);
736*4882a593Smuzhiyun       goto out;
737*4882a593Smuzhiyun     } else {
738*4882a593Smuzhiyun       avb_errorv(full_partition_name, ": Error loading vbmeta data.\n", NULL);
739*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
740*4882a593Smuzhiyun       goto out;
741*4882a593Smuzhiyun     }
742*4882a593Smuzhiyun   }
743*4882a593Smuzhiyun   avb_assert(vbmeta_num_read <= vbmeta_size);
744*4882a593Smuzhiyun 
745*4882a593Smuzhiyun   /* Check if the image is properly signed and get the public key used
746*4882a593Smuzhiyun    * to sign the image.
747*4882a593Smuzhiyun    */
748*4882a593Smuzhiyun   vbmeta_ret =
749*4882a593Smuzhiyun       avb_vbmeta_image_verify(vbmeta_buf, vbmeta_num_read, &pk_data, &pk_len);
750*4882a593Smuzhiyun   switch (vbmeta_ret) {
751*4882a593Smuzhiyun     case AVB_VBMETA_VERIFY_RESULT_OK:
752*4882a593Smuzhiyun       avb_assert(pk_data != NULL && pk_len > 0);
753*4882a593Smuzhiyun       break;
754*4882a593Smuzhiyun 
755*4882a593Smuzhiyun     case AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED:
756*4882a593Smuzhiyun     case AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH:
757*4882a593Smuzhiyun     case AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH:
758*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION;
759*4882a593Smuzhiyun       avb_errorv(full_partition_name,
760*4882a593Smuzhiyun                  ": Error verifying vbmeta image: ",
761*4882a593Smuzhiyun                  avb_vbmeta_verify_result_to_string(vbmeta_ret),
762*4882a593Smuzhiyun                  "\n",
763*4882a593Smuzhiyun                  NULL);
764*4882a593Smuzhiyun       if (!allow_verification_error) {
765*4882a593Smuzhiyun         goto out;
766*4882a593Smuzhiyun       }
767*4882a593Smuzhiyun       break;
768*4882a593Smuzhiyun 
769*4882a593Smuzhiyun     case AVB_VBMETA_VERIFY_RESULT_INVALID_VBMETA_HEADER:
770*4882a593Smuzhiyun       /* No way to continue this case. */
771*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
772*4882a593Smuzhiyun       avb_errorv(full_partition_name,
773*4882a593Smuzhiyun                  ": Error verifying vbmeta image: invalid vbmeta header\n",
774*4882a593Smuzhiyun                  NULL);
775*4882a593Smuzhiyun       goto out;
776*4882a593Smuzhiyun 
777*4882a593Smuzhiyun     case AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION:
778*4882a593Smuzhiyun       /* No way to continue this case. */
779*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION;
780*4882a593Smuzhiyun       avb_errorv(full_partition_name,
781*4882a593Smuzhiyun                  ": Error verifying vbmeta image: unsupported AVB version\n",
782*4882a593Smuzhiyun                  NULL);
783*4882a593Smuzhiyun       goto out;
784*4882a593Smuzhiyun   }
785*4882a593Smuzhiyun 
786*4882a593Smuzhiyun   /* Byteswap the header. */
787*4882a593Smuzhiyun   avb_vbmeta_image_header_to_host_byte_order((AvbVBMetaImageHeader*)vbmeta_buf,
788*4882a593Smuzhiyun                                              &vbmeta_header);
789*4882a593Smuzhiyun 
790*4882a593Smuzhiyun   /* If we're the toplevel, assign flags so they'll be passed down. */
791*4882a593Smuzhiyun   if (is_main_vbmeta) {
792*4882a593Smuzhiyun     toplevel_vbmeta_flags = (AvbVBMetaImageFlags)vbmeta_header.flags;
793*4882a593Smuzhiyun   } else {
794*4882a593Smuzhiyun     if (vbmeta_header.flags != 0) {
795*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
796*4882a593Smuzhiyun       avb_errorv(full_partition_name,
797*4882a593Smuzhiyun                  ": chained vbmeta image has non-zero flags\n",
798*4882a593Smuzhiyun                  NULL);
799*4882a593Smuzhiyun       goto out;
800*4882a593Smuzhiyun     }
801*4882a593Smuzhiyun   }
802*4882a593Smuzhiyun 
803*4882a593Smuzhiyun   uint32_t rollback_index_location_to_use = rollback_index_location;
804*4882a593Smuzhiyun 
805*4882a593Smuzhiyun   /* Check if key used to make signature matches what is expected. */
806*4882a593Smuzhiyun   if (pk_data != NULL) {
807*4882a593Smuzhiyun     if (expected_public_key != NULL) {
808*4882a593Smuzhiyun       avb_assert(!is_main_vbmeta);
809*4882a593Smuzhiyun       if (expected_public_key_length != pk_len ||
810*4882a593Smuzhiyun           avb_safe_memcmp(expected_public_key, pk_data, pk_len) != 0) {
811*4882a593Smuzhiyun         avb_errorv(full_partition_name,
812*4882a593Smuzhiyun                    ": Public key used to sign data does not match key in chain "
813*4882a593Smuzhiyun                    "partition descriptor.\n",
814*4882a593Smuzhiyun                    NULL);
815*4882a593Smuzhiyun         ret = AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED;
816*4882a593Smuzhiyun         if (!allow_verification_error) {
817*4882a593Smuzhiyun           goto out;
818*4882a593Smuzhiyun         }
819*4882a593Smuzhiyun       }
820*4882a593Smuzhiyun     } else {
821*4882a593Smuzhiyun       bool key_is_trusted = false;
822*4882a593Smuzhiyun       const uint8_t* pk_metadata = NULL;
823*4882a593Smuzhiyun       size_t pk_metadata_len = 0;
824*4882a593Smuzhiyun 
825*4882a593Smuzhiyun       if (vbmeta_header.public_key_metadata_size > 0) {
826*4882a593Smuzhiyun         pk_metadata = vbmeta_buf + sizeof(AvbVBMetaImageHeader) +
827*4882a593Smuzhiyun                       vbmeta_header.authentication_data_block_size +
828*4882a593Smuzhiyun                       vbmeta_header.public_key_metadata_offset;
829*4882a593Smuzhiyun         pk_metadata_len = vbmeta_header.public_key_metadata_size;
830*4882a593Smuzhiyun       }
831*4882a593Smuzhiyun 
832*4882a593Smuzhiyun       // If we're not using a vbmeta partition, need to use another AvbOps...
833*4882a593Smuzhiyun       if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {
834*4882a593Smuzhiyun         io_ret = ops->validate_public_key_for_partition(
835*4882a593Smuzhiyun             ops,
836*4882a593Smuzhiyun             full_partition_name,
837*4882a593Smuzhiyun             pk_data,
838*4882a593Smuzhiyun             pk_len,
839*4882a593Smuzhiyun             pk_metadata,
840*4882a593Smuzhiyun             pk_metadata_len,
841*4882a593Smuzhiyun             &key_is_trusted,
842*4882a593Smuzhiyun             &rollback_index_location_to_use);
843*4882a593Smuzhiyun       } else {
844*4882a593Smuzhiyun         avb_assert(is_main_vbmeta);
845*4882a593Smuzhiyun         io_ret = ops->validate_vbmeta_public_key(ops,
846*4882a593Smuzhiyun                                                  pk_data,
847*4882a593Smuzhiyun                                                  pk_len,
848*4882a593Smuzhiyun                                                  pk_metadata,
849*4882a593Smuzhiyun                                                  pk_metadata_len,
850*4882a593Smuzhiyun                                                  &key_is_trusted);
851*4882a593Smuzhiyun       }
852*4882a593Smuzhiyun 
853*4882a593Smuzhiyun       if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
854*4882a593Smuzhiyun         ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
855*4882a593Smuzhiyun         goto out;
856*4882a593Smuzhiyun       } else if (io_ret != AVB_IO_RESULT_OK) {
857*4882a593Smuzhiyun         avb_errorv(full_partition_name,
858*4882a593Smuzhiyun                    ": Error while checking public key used to sign data.\n",
859*4882a593Smuzhiyun                    NULL);
860*4882a593Smuzhiyun         ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
861*4882a593Smuzhiyun         goto out;
862*4882a593Smuzhiyun       }
863*4882a593Smuzhiyun       if (!key_is_trusted) {
864*4882a593Smuzhiyun         avb_errorv(full_partition_name,
865*4882a593Smuzhiyun                    ": Public key used to sign data rejected.\n",
866*4882a593Smuzhiyun                    NULL);
867*4882a593Smuzhiyun         ret = AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED;
868*4882a593Smuzhiyun         if (!allow_verification_error) {
869*4882a593Smuzhiyun           goto out;
870*4882a593Smuzhiyun         }
871*4882a593Smuzhiyun       }
872*4882a593Smuzhiyun     }
873*4882a593Smuzhiyun   }
874*4882a593Smuzhiyun 
875*4882a593Smuzhiyun   /* Check rollback index. */
876*4882a593Smuzhiyun   io_ret = ops->read_rollback_index(
877*4882a593Smuzhiyun       ops, rollback_index_location_to_use, &stored_rollback_index);
878*4882a593Smuzhiyun   if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
879*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
880*4882a593Smuzhiyun     goto out;
881*4882a593Smuzhiyun   } else if (io_ret != AVB_IO_RESULT_OK) {
882*4882a593Smuzhiyun     avb_errorv(full_partition_name,
883*4882a593Smuzhiyun                ": Error getting rollback index for location.\n",
884*4882a593Smuzhiyun                NULL);
885*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
886*4882a593Smuzhiyun     goto out;
887*4882a593Smuzhiyun   }
888*4882a593Smuzhiyun   if (vbmeta_header.rollback_index < stored_rollback_index) {
889*4882a593Smuzhiyun     avb_errorv(
890*4882a593Smuzhiyun         full_partition_name,
891*4882a593Smuzhiyun         ": Image rollback index is less than the stored rollback index.\n",
892*4882a593Smuzhiyun         NULL);
893*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX;
894*4882a593Smuzhiyun     if (!allow_verification_error) {
895*4882a593Smuzhiyun       goto out;
896*4882a593Smuzhiyun     }
897*4882a593Smuzhiyun   }
898*4882a593Smuzhiyun 
899*4882a593Smuzhiyun   /* Copy vbmeta to vbmeta_images before recursing. */
900*4882a593Smuzhiyun   if (is_main_vbmeta) {
901*4882a593Smuzhiyun     avb_assert(slot_data->num_vbmeta_images == 0);
902*4882a593Smuzhiyun   } else {
903*4882a593Smuzhiyun     if (!(flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION)) {
904*4882a593Smuzhiyun       avb_assert(slot_data->num_vbmeta_images > 0);
905*4882a593Smuzhiyun     }
906*4882a593Smuzhiyun   }
907*4882a593Smuzhiyun   if (slot_data->num_vbmeta_images == MAX_NUMBER_OF_VBMETA_IMAGES) {
908*4882a593Smuzhiyun     avb_errorv(full_partition_name, ": Too many vbmeta images.\n", NULL);
909*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
910*4882a593Smuzhiyun     goto out;
911*4882a593Smuzhiyun   }
912*4882a593Smuzhiyun   vbmeta_image_data = &slot_data->vbmeta_images[slot_data->num_vbmeta_images++];
913*4882a593Smuzhiyun   vbmeta_image_data->partition_name = avb_strdup(partition_name);
914*4882a593Smuzhiyun   vbmeta_image_data->vbmeta_data = vbmeta_buf;
915*4882a593Smuzhiyun   /* Note that |vbmeta_buf| is actually |vbmeta_num_read| bytes long
916*4882a593Smuzhiyun    * and this includes data past the end of the image. Pass the
917*4882a593Smuzhiyun    * actual size of the vbmeta image. Also, no need to use
918*4882a593Smuzhiyun    * avb_safe_add() since the header has already been verified.
919*4882a593Smuzhiyun    */
920*4882a593Smuzhiyun   vbmeta_image_data->vbmeta_size =
921*4882a593Smuzhiyun       sizeof(AvbVBMetaImageHeader) +
922*4882a593Smuzhiyun       vbmeta_header.authentication_data_block_size +
923*4882a593Smuzhiyun       vbmeta_header.auxiliary_data_block_size;
924*4882a593Smuzhiyun   vbmeta_image_data->verify_result = vbmeta_ret;
925*4882a593Smuzhiyun 
926*4882a593Smuzhiyun   /* If verification has been disabled by setting a bit in the image,
927*4882a593Smuzhiyun    * we're done... except that we need to load the entirety of the
928*4882a593Smuzhiyun    * requested partitions.
929*4882a593Smuzhiyun    */
930*4882a593Smuzhiyun   if (vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED) {
931*4882a593Smuzhiyun     AvbSlotVerifyResult sub_ret;
932*4882a593Smuzhiyun     avb_debugv(
933*4882a593Smuzhiyun         full_partition_name, ": VERIFICATION_DISABLED bit is set.\n", NULL);
934*4882a593Smuzhiyun     /* If load_requested_partitions() fail it is always a fatal
935*4882a593Smuzhiyun      * failure (e.g. ERROR_INVALID_ARGUMENT, ERROR_OOM, etc.) rather
936*4882a593Smuzhiyun      * than recoverable (e.g. one where result_should_continue()
937*4882a593Smuzhiyun      * returns true) and we want to convey that error.
938*4882a593Smuzhiyun      */
939*4882a593Smuzhiyun     sub_ret = load_requested_partitions(
940*4882a593Smuzhiyun         ops, requested_partitions, ab_suffix, slot_data);
941*4882a593Smuzhiyun     if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) {
942*4882a593Smuzhiyun       ret = sub_ret;
943*4882a593Smuzhiyun     }
944*4882a593Smuzhiyun     goto out;
945*4882a593Smuzhiyun   }
946*4882a593Smuzhiyun 
947*4882a593Smuzhiyun   /* Now go through all descriptors and take the appropriate action:
948*4882a593Smuzhiyun    *
949*4882a593Smuzhiyun    * - hash descriptor: Load data from partition, calculate hash, and
950*4882a593Smuzhiyun    *   checks that it matches what's in the hash descriptor.
951*4882a593Smuzhiyun    *
952*4882a593Smuzhiyun    * - hashtree descriptor: Do nothing since verification happens
953*4882a593Smuzhiyun    *   on-the-fly from within the OS. (Unless the descriptor uses a
954*4882a593Smuzhiyun    *   persistent digest, in which case we need to find it).
955*4882a593Smuzhiyun    *
956*4882a593Smuzhiyun    * - chained partition descriptor: Load the footer, load the vbmeta
957*4882a593Smuzhiyun    *   image, verify vbmeta image (includes rollback checks, hash
958*4882a593Smuzhiyun    *   checks, bail on chained partitions).
959*4882a593Smuzhiyun    */
960*4882a593Smuzhiyun   descriptors =
961*4882a593Smuzhiyun       avb_descriptor_get_all(vbmeta_buf, vbmeta_num_read, &num_descriptors);
962*4882a593Smuzhiyun   for (n = 0; n < num_descriptors; n++) {
963*4882a593Smuzhiyun     AvbDescriptor desc;
964*4882a593Smuzhiyun 
965*4882a593Smuzhiyun     if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) {
966*4882a593Smuzhiyun       avb_errorv(full_partition_name, ": Descriptor is invalid.\n", NULL);
967*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
968*4882a593Smuzhiyun       goto out;
969*4882a593Smuzhiyun     }
970*4882a593Smuzhiyun 
971*4882a593Smuzhiyun     switch (desc.tag) {
972*4882a593Smuzhiyun       case AVB_DESCRIPTOR_TAG_HASH: {
973*4882a593Smuzhiyun         AvbSlotVerifyResult sub_ret;
974*4882a593Smuzhiyun         sub_ret = load_and_verify_hash_partition(ops,
975*4882a593Smuzhiyun                                                  requested_partitions,
976*4882a593Smuzhiyun                                                  ab_suffix,
977*4882a593Smuzhiyun                                                  allow_verification_error,
978*4882a593Smuzhiyun                                                  descriptors[n],
979*4882a593Smuzhiyun                                                  slot_data);
980*4882a593Smuzhiyun         if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) {
981*4882a593Smuzhiyun           ret = sub_ret;
982*4882a593Smuzhiyun           if (!allow_verification_error || !result_should_continue(ret)) {
983*4882a593Smuzhiyun             goto out;
984*4882a593Smuzhiyun           }
985*4882a593Smuzhiyun         }
986*4882a593Smuzhiyun       } break;
987*4882a593Smuzhiyun 
988*4882a593Smuzhiyun       case AVB_DESCRIPTOR_TAG_CHAIN_PARTITION: {
989*4882a593Smuzhiyun         AvbSlotVerifyResult sub_ret;
990*4882a593Smuzhiyun         AvbChainPartitionDescriptor chain_desc;
991*4882a593Smuzhiyun         const uint8_t* chain_partition_name;
992*4882a593Smuzhiyun         const uint8_t* chain_public_key;
993*4882a593Smuzhiyun 
994*4882a593Smuzhiyun         /* Only allow CHAIN_PARTITION descriptors in the main vbmeta image. */
995*4882a593Smuzhiyun         if (!is_main_vbmeta) {
996*4882a593Smuzhiyun           avb_errorv(full_partition_name,
997*4882a593Smuzhiyun                      ": Encountered chain descriptor not in main image.\n",
998*4882a593Smuzhiyun                      NULL);
999*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1000*4882a593Smuzhiyun           goto out;
1001*4882a593Smuzhiyun         }
1002*4882a593Smuzhiyun 
1003*4882a593Smuzhiyun         if (!avb_chain_partition_descriptor_validate_and_byteswap(
1004*4882a593Smuzhiyun                 (AvbChainPartitionDescriptor*)descriptors[n], &chain_desc)) {
1005*4882a593Smuzhiyun           avb_errorv(full_partition_name,
1006*4882a593Smuzhiyun                      ": Chain partition descriptor is invalid.\n",
1007*4882a593Smuzhiyun                      NULL);
1008*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1009*4882a593Smuzhiyun           goto out;
1010*4882a593Smuzhiyun         }
1011*4882a593Smuzhiyun 
1012*4882a593Smuzhiyun         if (chain_desc.rollback_index_location == 0) {
1013*4882a593Smuzhiyun           avb_errorv(full_partition_name,
1014*4882a593Smuzhiyun                      ": Chain partition has invalid "
1015*4882a593Smuzhiyun                      "rollback_index_location field.\n",
1016*4882a593Smuzhiyun                      NULL);
1017*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1018*4882a593Smuzhiyun           goto out;
1019*4882a593Smuzhiyun         }
1020*4882a593Smuzhiyun 
1021*4882a593Smuzhiyun         chain_partition_name = ((const uint8_t*)descriptors[n]) +
1022*4882a593Smuzhiyun                                sizeof(AvbChainPartitionDescriptor);
1023*4882a593Smuzhiyun         chain_public_key = chain_partition_name + chain_desc.partition_name_len;
1024*4882a593Smuzhiyun 
1025*4882a593Smuzhiyun         sub_ret =
1026*4882a593Smuzhiyun             load_and_verify_vbmeta(ops,
1027*4882a593Smuzhiyun                                    requested_partitions,
1028*4882a593Smuzhiyun                                    ab_suffix,
1029*4882a593Smuzhiyun                                    flags,
1030*4882a593Smuzhiyun                                    allow_verification_error,
1031*4882a593Smuzhiyun                                    toplevel_vbmeta_flags,
1032*4882a593Smuzhiyun                                    chain_desc.rollback_index_location,
1033*4882a593Smuzhiyun                                    (const char*)chain_partition_name,
1034*4882a593Smuzhiyun                                    chain_desc.partition_name_len,
1035*4882a593Smuzhiyun                                    chain_public_key,
1036*4882a593Smuzhiyun                                    chain_desc.public_key_len,
1037*4882a593Smuzhiyun                                    slot_data,
1038*4882a593Smuzhiyun                                    NULL, /* out_algorithm_type */
1039*4882a593Smuzhiyun                                    NULL /* out_additional_cmdline_subst */);
1040*4882a593Smuzhiyun         if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) {
1041*4882a593Smuzhiyun           ret = sub_ret;
1042*4882a593Smuzhiyun           if (!result_should_continue(ret)) {
1043*4882a593Smuzhiyun             goto out;
1044*4882a593Smuzhiyun           }
1045*4882a593Smuzhiyun         }
1046*4882a593Smuzhiyun       } break;
1047*4882a593Smuzhiyun 
1048*4882a593Smuzhiyun       case AVB_DESCRIPTOR_TAG_KERNEL_CMDLINE: {
1049*4882a593Smuzhiyun         const uint8_t* kernel_cmdline;
1050*4882a593Smuzhiyun         AvbKernelCmdlineDescriptor kernel_cmdline_desc;
1051*4882a593Smuzhiyun         bool apply_cmdline;
1052*4882a593Smuzhiyun 
1053*4882a593Smuzhiyun         if (!avb_kernel_cmdline_descriptor_validate_and_byteswap(
1054*4882a593Smuzhiyun                 (AvbKernelCmdlineDescriptor*)descriptors[n],
1055*4882a593Smuzhiyun                 &kernel_cmdline_desc)) {
1056*4882a593Smuzhiyun           avb_errorv(full_partition_name,
1057*4882a593Smuzhiyun                      ": Kernel cmdline descriptor is invalid.\n",
1058*4882a593Smuzhiyun                      NULL);
1059*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1060*4882a593Smuzhiyun           goto out;
1061*4882a593Smuzhiyun         }
1062*4882a593Smuzhiyun 
1063*4882a593Smuzhiyun         kernel_cmdline = ((const uint8_t*)descriptors[n]) +
1064*4882a593Smuzhiyun                          sizeof(AvbKernelCmdlineDescriptor);
1065*4882a593Smuzhiyun 
1066*4882a593Smuzhiyun         if (!avb_validate_utf8(kernel_cmdline,
1067*4882a593Smuzhiyun                                kernel_cmdline_desc.kernel_cmdline_length)) {
1068*4882a593Smuzhiyun           avb_errorv(full_partition_name,
1069*4882a593Smuzhiyun                      ": Kernel cmdline is not valid UTF-8.\n",
1070*4882a593Smuzhiyun                      NULL);
1071*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1072*4882a593Smuzhiyun           goto out;
1073*4882a593Smuzhiyun         }
1074*4882a593Smuzhiyun 
1075*4882a593Smuzhiyun         /* Compare the flags for top-level VBMeta struct with flags in
1076*4882a593Smuzhiyun          * the command-line descriptor so command-line snippets only
1077*4882a593Smuzhiyun          * intended for a certain mode (dm-verity enabled/disabled)
1078*4882a593Smuzhiyun          * are skipped if applicable.
1079*4882a593Smuzhiyun          */
1080*4882a593Smuzhiyun         apply_cmdline = true;
1081*4882a593Smuzhiyun         if (toplevel_vbmeta_flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED) {
1082*4882a593Smuzhiyun           if (kernel_cmdline_desc.flags &
1083*4882a593Smuzhiyun               AVB_KERNEL_CMDLINE_FLAGS_USE_ONLY_IF_HASHTREE_NOT_DISABLED) {
1084*4882a593Smuzhiyun             apply_cmdline = false;
1085*4882a593Smuzhiyun           }
1086*4882a593Smuzhiyun         } else {
1087*4882a593Smuzhiyun           if (kernel_cmdline_desc.flags &
1088*4882a593Smuzhiyun               AVB_KERNEL_CMDLINE_FLAGS_USE_ONLY_IF_HASHTREE_DISABLED) {
1089*4882a593Smuzhiyun             apply_cmdline = false;
1090*4882a593Smuzhiyun           }
1091*4882a593Smuzhiyun         }
1092*4882a593Smuzhiyun 
1093*4882a593Smuzhiyun         if (apply_cmdline) {
1094*4882a593Smuzhiyun           if (slot_data->cmdline == NULL) {
1095*4882a593Smuzhiyun             slot_data->cmdline =
1096*4882a593Smuzhiyun                 avb_calloc(kernel_cmdline_desc.kernel_cmdline_length + 1);
1097*4882a593Smuzhiyun             if (slot_data->cmdline == NULL) {
1098*4882a593Smuzhiyun               ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1099*4882a593Smuzhiyun               goto out;
1100*4882a593Smuzhiyun             }
1101*4882a593Smuzhiyun             avb_memcpy(slot_data->cmdline,
1102*4882a593Smuzhiyun                        kernel_cmdline,
1103*4882a593Smuzhiyun                        kernel_cmdline_desc.kernel_cmdline_length);
1104*4882a593Smuzhiyun           } else {
1105*4882a593Smuzhiyun             /* new cmdline is: <existing_cmdline> + ' ' + <newcmdline> + '\0' */
1106*4882a593Smuzhiyun             size_t orig_size = avb_strlen(slot_data->cmdline);
1107*4882a593Smuzhiyun             size_t new_size =
1108*4882a593Smuzhiyun                 orig_size + 1 + kernel_cmdline_desc.kernel_cmdline_length + 1;
1109*4882a593Smuzhiyun             char* new_cmdline = avb_calloc(new_size);
1110*4882a593Smuzhiyun             if (new_cmdline == NULL) {
1111*4882a593Smuzhiyun               ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1112*4882a593Smuzhiyun               goto out;
1113*4882a593Smuzhiyun             }
1114*4882a593Smuzhiyun             avb_memcpy(new_cmdline, slot_data->cmdline, orig_size);
1115*4882a593Smuzhiyun             new_cmdline[orig_size] = ' ';
1116*4882a593Smuzhiyun             avb_memcpy(new_cmdline + orig_size + 1,
1117*4882a593Smuzhiyun                        kernel_cmdline,
1118*4882a593Smuzhiyun                        kernel_cmdline_desc.kernel_cmdline_length);
1119*4882a593Smuzhiyun             avb_free(slot_data->cmdline);
1120*4882a593Smuzhiyun             slot_data->cmdline = new_cmdline;
1121*4882a593Smuzhiyun           }
1122*4882a593Smuzhiyun         }
1123*4882a593Smuzhiyun       } break;
1124*4882a593Smuzhiyun 
1125*4882a593Smuzhiyun       case AVB_DESCRIPTOR_TAG_HASHTREE: {
1126*4882a593Smuzhiyun         AvbHashtreeDescriptor hashtree_desc;
1127*4882a593Smuzhiyun 
1128*4882a593Smuzhiyun         if (!avb_hashtree_descriptor_validate_and_byteswap(
1129*4882a593Smuzhiyun                 (AvbHashtreeDescriptor*)descriptors[n], &hashtree_desc)) {
1130*4882a593Smuzhiyun           avb_errorv(
1131*4882a593Smuzhiyun               full_partition_name, ": Hashtree descriptor is invalid.\n", NULL);
1132*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1133*4882a593Smuzhiyun           goto out;
1134*4882a593Smuzhiyun         }
1135*4882a593Smuzhiyun 
1136*4882a593Smuzhiyun         /* We only need to continue when there is no digest in the descriptor.
1137*4882a593Smuzhiyun          * This is because the only processing here is to find the digest and
1138*4882a593Smuzhiyun          * make it available on the kernel command line.
1139*4882a593Smuzhiyun          */
1140*4882a593Smuzhiyun         if (hashtree_desc.root_digest_len == 0) {
1141*4882a593Smuzhiyun           char part_name[AVB_PART_NAME_MAX_SIZE];
1142*4882a593Smuzhiyun           size_t digest_len = 0;
1143*4882a593Smuzhiyun           uint8_t digest_buf[AVB_SHA512_DIGEST_SIZE];
1144*4882a593Smuzhiyun           const uint8_t* desc_partition_name =
1145*4882a593Smuzhiyun               ((const uint8_t*)descriptors[n]) + sizeof(AvbHashtreeDescriptor);
1146*4882a593Smuzhiyun 
1147*4882a593Smuzhiyun           if (!avb_validate_utf8(desc_partition_name,
1148*4882a593Smuzhiyun                                  hashtree_desc.partition_name_len)) {
1149*4882a593Smuzhiyun             avb_error("Partition name is not valid UTF-8.\n");
1150*4882a593Smuzhiyun             ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1151*4882a593Smuzhiyun             goto out;
1152*4882a593Smuzhiyun           }
1153*4882a593Smuzhiyun 
1154*4882a593Smuzhiyun           /* No ab_suffix for partitions without a digest in the descriptor
1155*4882a593Smuzhiyun            * because these partitions hold data unique to this device and are
1156*4882a593Smuzhiyun            * not updated using an A/B scheme.
1157*4882a593Smuzhiyun            */
1158*4882a593Smuzhiyun           if ((hashtree_desc.flags &
1159*4882a593Smuzhiyun                AVB_HASHTREE_DESCRIPTOR_FLAGS_DO_NOT_USE_AB) == 0 &&
1160*4882a593Smuzhiyun               avb_strlen(ab_suffix) != 0) {
1161*4882a593Smuzhiyun             avb_error("Cannot use A/B with a persistent root digest.\n");
1162*4882a593Smuzhiyun             ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1163*4882a593Smuzhiyun             goto out;
1164*4882a593Smuzhiyun           }
1165*4882a593Smuzhiyun           if (hashtree_desc.partition_name_len >= AVB_PART_NAME_MAX_SIZE) {
1166*4882a593Smuzhiyun             avb_error("Partition name does not fit.\n");
1167*4882a593Smuzhiyun             ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1168*4882a593Smuzhiyun             goto out;
1169*4882a593Smuzhiyun           }
1170*4882a593Smuzhiyun           avb_memcpy(
1171*4882a593Smuzhiyun               part_name, desc_partition_name, hashtree_desc.partition_name_len);
1172*4882a593Smuzhiyun           part_name[hashtree_desc.partition_name_len] = '\0';
1173*4882a593Smuzhiyun 
1174*4882a593Smuzhiyun           /* Determine the expected digest size from the hash algorithm. */
1175*4882a593Smuzhiyun           if (avb_strcmp((const char*)hashtree_desc.hash_algorithm, "sha1") ==
1176*4882a593Smuzhiyun               0) {
1177*4882a593Smuzhiyun             digest_len = AVB_SHA1_DIGEST_SIZE;
1178*4882a593Smuzhiyun           } else if (avb_strcmp((const char*)hashtree_desc.hash_algorithm,
1179*4882a593Smuzhiyun                                 "sha256") == 0) {
1180*4882a593Smuzhiyun             digest_len = AVB_SHA256_DIGEST_SIZE;
1181*4882a593Smuzhiyun           } else if (avb_strcmp((const char*)hashtree_desc.hash_algorithm,
1182*4882a593Smuzhiyun                                 "sha512") == 0) {
1183*4882a593Smuzhiyun             digest_len = AVB_SHA512_DIGEST_SIZE;
1184*4882a593Smuzhiyun           } else {
1185*4882a593Smuzhiyun             avb_errorv(part_name, ": Unsupported hash algorithm.\n", NULL);
1186*4882a593Smuzhiyun             ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1187*4882a593Smuzhiyun             goto out;
1188*4882a593Smuzhiyun           }
1189*4882a593Smuzhiyun 
1190*4882a593Smuzhiyun           ret = read_persistent_digest(ops,
1191*4882a593Smuzhiyun                                        part_name,
1192*4882a593Smuzhiyun                                        digest_len,
1193*4882a593Smuzhiyun                                        NULL /* initial_digest */,
1194*4882a593Smuzhiyun                                        digest_buf);
1195*4882a593Smuzhiyun           if (ret != AVB_SLOT_VERIFY_RESULT_OK) {
1196*4882a593Smuzhiyun             goto out;
1197*4882a593Smuzhiyun           }
1198*4882a593Smuzhiyun 
1199*4882a593Smuzhiyun           if (out_additional_cmdline_subst) {
1200*4882a593Smuzhiyun             ret =
1201*4882a593Smuzhiyun                 avb_add_root_digest_substitution(part_name,
1202*4882a593Smuzhiyun                                                  digest_buf,
1203*4882a593Smuzhiyun                                                  digest_len,
1204*4882a593Smuzhiyun                                                  out_additional_cmdline_subst);
1205*4882a593Smuzhiyun             if (ret != AVB_SLOT_VERIFY_RESULT_OK) {
1206*4882a593Smuzhiyun               goto out;
1207*4882a593Smuzhiyun             }
1208*4882a593Smuzhiyun           }
1209*4882a593Smuzhiyun         }
1210*4882a593Smuzhiyun       } break;
1211*4882a593Smuzhiyun 
1212*4882a593Smuzhiyun       case AVB_DESCRIPTOR_TAG_PROPERTY:
1213*4882a593Smuzhiyun         /* Do nothing. */
1214*4882a593Smuzhiyun         break;
1215*4882a593Smuzhiyun     }
1216*4882a593Smuzhiyun   }
1217*4882a593Smuzhiyun 
1218*4882a593Smuzhiyun   if (rollback_index_location < 0 ||
1219*4882a593Smuzhiyun       rollback_index_location >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) {
1220*4882a593Smuzhiyun     avb_errorv(
1221*4882a593Smuzhiyun         full_partition_name, ": Invalid rollback_index_location.\n", NULL);
1222*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;
1223*4882a593Smuzhiyun     goto out;
1224*4882a593Smuzhiyun   }
1225*4882a593Smuzhiyun 
1226*4882a593Smuzhiyun   slot_data->rollback_indexes[rollback_index_location] =
1227*4882a593Smuzhiyun       vbmeta_header.rollback_index;
1228*4882a593Smuzhiyun 
1229*4882a593Smuzhiyun   if (out_algorithm_type != NULL) {
1230*4882a593Smuzhiyun     *out_algorithm_type = (AvbAlgorithmType)vbmeta_header.algorithm_type;
1231*4882a593Smuzhiyun   }
1232*4882a593Smuzhiyun 
1233*4882a593Smuzhiyun out:
1234*4882a593Smuzhiyun   /* If |vbmeta_image_data| isn't NULL it means that it adopted
1235*4882a593Smuzhiyun    * |vbmeta_buf| so in that case don't free it here.
1236*4882a593Smuzhiyun    */
1237*4882a593Smuzhiyun   if (vbmeta_image_data == NULL) {
1238*4882a593Smuzhiyun     if (vbmeta_buf != NULL) {
1239*4882a593Smuzhiyun       avb_free(vbmeta_buf);
1240*4882a593Smuzhiyun     }
1241*4882a593Smuzhiyun   }
1242*4882a593Smuzhiyun   if (descriptors != NULL) {
1243*4882a593Smuzhiyun     avb_free(descriptors);
1244*4882a593Smuzhiyun   }
1245*4882a593Smuzhiyun   return ret;
1246*4882a593Smuzhiyun }
1247*4882a593Smuzhiyun 
/* Resolve the dm-verity error mode when libavb is asked to manage it.
 *
 * The persistent value AVB_NPV_MANAGED_VERITY_MODE records the SHA-256 vbmeta
 * digest of the OS instance that last triggered 'eio' mode; it is empty (or
 * absent) when the device should boot in 'restart' mode.
 *
 * ops: must implement read_persistent_value and write_persistent_value.
 * flags: only AVB_SLOT_VERIFY_FLAGS_RESTART_CAUSED_BY_HASHTREE_CORRUPTION is
 *   consulted here.
 * data: the loaded slot; its vbmeta digest identifies the OS instance.
 * out_hashtree_error_mode: receives the resolved mode. It is always written,
 *   also when an I/O error is returned (then it holds RESTART).
 *
 * Returns AVB_IO_RESULT_OK, the AvbIOResult of the persistent-value operation
 * that failed, or AVB_IO_RESULT_ERROR_IO when the stored value has an
 * unexpected length.
 */
static AvbIOResult avb_manage_hashtree_error_mode(
    AvbOps* ops,
    AvbSlotVerifyFlags flags,
    AvbSlotVerifyData* data,
    AvbHashtreeErrorMode* out_hashtree_error_mode) {
  uint8_t current_digest[AVB_SHA256_DIGEST_SIZE];
  uint8_t recorded_digest[AVB_SHA256_DIGEST_SIZE];
  size_t recorded_len = 0;
  AvbIOResult io_ret;

  avb_assert(out_hashtree_error_mode != NULL);
  avb_assert(ops->read_persistent_value != NULL);
  avb_assert(ops->write_persistent_value != NULL);

  // Every exit below that does not decide otherwise resolves to 'restart'.
  *out_hashtree_error_mode = AVB_HASHTREE_ERROR_MODE_RESTART;

  // Corruption-triggered reboot: remember which OS instance we are booting
  // and stay in 'eio' mode until that instance changes.
  if (flags & AVB_SLOT_VERIFY_FLAGS_RESTART_CAUSED_BY_HASHTREE_CORRUPTION) {
    avb_debug(
        "Rebooting because of dm-verity corruption - "
        "recording OS instance and using 'eio' mode.\n");
    avb_slot_verify_data_calculate_vbmeta_digest(
        data, AVB_DIGEST_TYPE_SHA256, current_digest);
    io_ret = ops->write_persistent_value(ops,
                                         AVB_NPV_MANAGED_VERITY_MODE,
                                         AVB_SHA256_DIGEST_SIZE,
                                         current_digest);
    if (io_ret != AVB_IO_RESULT_OK) {
      avb_error("Error writing to " AVB_NPV_MANAGED_VERITY_MODE ".\n");
      return io_ret;
    }
    *out_hashtree_error_mode = AVB_HASHTREE_ERROR_MODE_EIO;
    return AVB_IO_RESULT_OK;
  }

  // Otherwise consult the stored digest to learn whether 'eio' mode is active.
  io_ret = ops->read_persistent_value(ops,
                                      AVB_NPV_MANAGED_VERITY_MODE,
                                      AVB_SHA256_DIGEST_SIZE,
                                      recorded_digest,
                                      &recorded_len);
  if (io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_VALUE ||
      (io_ret == AVB_IO_RESULT_OK && recorded_len == 0)) {
    // Usual case: nothing recorded, so 'eio' mode is not active.
    avb_debug("No dm-verity corruption - using in 'restart' mode.\n");
    return AVB_IO_RESULT_OK;
  }
  if (io_ret != AVB_IO_RESULT_OK) {
    avb_error("Error reading from " AVB_NPV_MANAGED_VERITY_MODE ".\n");
    return io_ret;
  }
  if (recorded_len != AVB_SHA256_DIGEST_SIZE) {
    avb_error(
        "Unexpected number of bytes read from " AVB_NPV_MANAGED_VERITY_MODE
        ".\n");
    return AVB_IO_RESULT_ERROR_IO;
  }

  // 'eio' mode is active. It only persists while the OS instance that caused
  // it is still the one being booted, so compare digests.
  avb_slot_verify_data_calculate_vbmeta_digest(
      data, AVB_DIGEST_TYPE_SHA256, current_digest);
  if (avb_memcmp(current_digest, recorded_digest, AVB_SHA256_DIGEST_SIZE) ==
      0) {
    avb_debug("Same OS instance detected - staying in 'eio' mode.\n");
    *out_hashtree_error_mode = AVB_HASHTREE_ERROR_MODE_EIO;
    return AVB_IO_RESULT_OK;
  }

  // The OS instance changed: a zero-length write clears the record, and the
  // device goes back to 'restart' mode.
  avb_debug(
      "New OS instance detected - changing from 'eio' to 'restart' mode.\n");
  io_ret = ops->write_persistent_value(
      ops, AVB_NPV_MANAGED_VERITY_MODE, 0, current_digest);
  if (io_ret != AVB_IO_RESULT_OK) {
    avb_error("Error clearing " AVB_NPV_MANAGED_VERITY_MODE ".\n");
    return io_ret;
  }
  return AVB_IO_RESULT_OK;
}
1342*4882a593Smuzhiyun 
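/* Report whether a "system" partition exists for the given A/B suffix.
 *
 * The name "system" + ab_suffix is built into a fixed buffer and looked up
 * with ops->get_unique_guid_for_partition(); the GUID text itself is
 * discarded, only the outcome of the lookup matters.
 *
 * ops: must implement get_unique_guid_for_partition.
 * ab_suffix: slot suffix to append ("" for none); it is passed to
 *   avb_strlen(), so it must be a valid C string.
 *
 * Returns true when the lookup succeeds. Returns false when the partition
 * does not exist, when the combined name does not fit in
 * AVB_PART_NAME_MAX_SIZE, or when the lookup fails for any other reason —
 * callers cannot distinguish "absent" from "I/O error" through this function.
 */
static bool has_system_partition(AvbOps* ops, const char* ab_suffix) {
  /* Room for a 36-character textual GUID plus its terminating NUL. */
  enum { GUID_STRING_BUF_SIZE = 37 };
  /* Read-only: a plain char* to a string literal invites accidental writes. */
  static const char system_part_name[] = "system";
  char part_name[AVB_PART_NAME_MAX_SIZE];
  char guid_buf[GUID_STRING_BUF_SIZE];
  AvbIOResult io_ret;

  if (!avb_str_concat(part_name,
                      sizeof part_name,
                      system_part_name,
                      sizeof system_part_name - 1, /* length without NUL */
                      ab_suffix,
                      avb_strlen(ab_suffix))) {
    avb_error("System partition name and suffix does not fit.\n");
    return false;
  }

  io_ret = ops->get_unique_guid_for_partition(
      ops, part_name, guid_buf, sizeof guid_buf);
  if (io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION) {
    avb_debug("No system partition.\n");
    return false;
  }
  if (io_ret != AVB_IO_RESULT_OK) {
    avb_error("Error getting unique GUID for system partition.\n");
    return false;
  }

  return true;
}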
1371*4882a593Smuzhiyun 
avb_slot_verify(AvbOps * ops,const char * const * requested_partitions,const char * ab_suffix,AvbSlotVerifyFlags flags,AvbHashtreeErrorMode hashtree_error_mode,AvbSlotVerifyData ** out_data)1372*4882a593Smuzhiyun AvbSlotVerifyResult avb_slot_verify(AvbOps* ops,
1373*4882a593Smuzhiyun                                     const char* const* requested_partitions,
1374*4882a593Smuzhiyun                                     const char* ab_suffix,
1375*4882a593Smuzhiyun                                     AvbSlotVerifyFlags flags,
1376*4882a593Smuzhiyun                                     AvbHashtreeErrorMode hashtree_error_mode,
1377*4882a593Smuzhiyun                                     AvbSlotVerifyData** out_data) {
1378*4882a593Smuzhiyun   AvbSlotVerifyResult ret = 0;
1379*4882a593Smuzhiyun   AvbSlotVerifyData* slot_data = NULL;
1380*4882a593Smuzhiyun   AvbAlgorithmType algorithm_type = AVB_ALGORITHM_TYPE_NONE;
1381*4882a593Smuzhiyun   bool using_boot_for_vbmeta = false;
1382*4882a593Smuzhiyun   AvbVBMetaImageHeader toplevel_vbmeta;
1383*4882a593Smuzhiyun   bool allow_verification_error =
1384*4882a593Smuzhiyun       (flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR);
1385*4882a593Smuzhiyun   AvbCmdlineSubstList* additional_cmdline_subst = NULL;
1386*4882a593Smuzhiyun 
1387*4882a593Smuzhiyun   /* Fail early if we're missing the AvbOps needed for slot verification. */
1388*4882a593Smuzhiyun   avb_assert(ops->read_is_device_unlocked != NULL);
1389*4882a593Smuzhiyun   avb_assert(ops->read_from_partition != NULL);
1390*4882a593Smuzhiyun   avb_assert(ops->get_size_of_partition != NULL);
1391*4882a593Smuzhiyun   avb_assert(ops->read_rollback_index != NULL);
1392*4882a593Smuzhiyun   avb_assert(ops->get_unique_guid_for_partition != NULL);
1393*4882a593Smuzhiyun 
1394*4882a593Smuzhiyun   if (out_data != NULL) {
1395*4882a593Smuzhiyun     *out_data = NULL;
1396*4882a593Smuzhiyun   }
1397*4882a593Smuzhiyun 
1398*4882a593Smuzhiyun   /* Allowing dm-verity errors defeats the purpose of verified boot so
1399*4882a593Smuzhiyun    * only allow this if set up to allow verification errors
1400*4882a593Smuzhiyun    * (e.g. typically only UNLOCKED mode).
1401*4882a593Smuzhiyun    */
1402*4882a593Smuzhiyun   if (hashtree_error_mode == AVB_HASHTREE_ERROR_MODE_LOGGING &&
1403*4882a593Smuzhiyun       !allow_verification_error) {
1404*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT;
1405*4882a593Smuzhiyun     goto fail;
1406*4882a593Smuzhiyun   }
1407*4882a593Smuzhiyun 
1408*4882a593Smuzhiyun   /* Make sure passed-in AvbOps support persistent values if
1409*4882a593Smuzhiyun    * asking for libavb to manage verity state.
1410*4882a593Smuzhiyun    */
1411*4882a593Smuzhiyun   if (hashtree_error_mode == AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO) {
1412*4882a593Smuzhiyun     if (ops->read_persistent_value == NULL ||
1413*4882a593Smuzhiyun         ops->write_persistent_value == NULL) {
1414*4882a593Smuzhiyun       avb_error(
1415*4882a593Smuzhiyun           "Persistent values required for "
1416*4882a593Smuzhiyun           "AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO "
1417*4882a593Smuzhiyun           "but are not implemented in given AvbOps.\n");
1418*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT;
1419*4882a593Smuzhiyun       goto fail;
1420*4882a593Smuzhiyun     }
1421*4882a593Smuzhiyun   }
1422*4882a593Smuzhiyun 
1423*4882a593Smuzhiyun   /* Make sure passed-in AvbOps support verifying public keys and getting
1424*4882a593Smuzhiyun    * rollback index location if not using a vbmeta partition.
1425*4882a593Smuzhiyun    */
1426*4882a593Smuzhiyun   if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {
1427*4882a593Smuzhiyun     if (ops->validate_public_key_for_partition == NULL) {
1428*4882a593Smuzhiyun       avb_error(
1429*4882a593Smuzhiyun           "AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION was passed but the "
1430*4882a593Smuzhiyun           "validate_public_key_for_partition() operation isn't implemented.\n");
1431*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT;
1432*4882a593Smuzhiyun       goto fail;
1433*4882a593Smuzhiyun     }
1434*4882a593Smuzhiyun   } else {
1435*4882a593Smuzhiyun     avb_assert(ops->validate_vbmeta_public_key != NULL);
1436*4882a593Smuzhiyun   }
1437*4882a593Smuzhiyun 
1438*4882a593Smuzhiyun   slot_data = avb_calloc(sizeof(AvbSlotVerifyData));
1439*4882a593Smuzhiyun   if (slot_data == NULL) {
1440*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1441*4882a593Smuzhiyun     goto fail;
1442*4882a593Smuzhiyun   }
1443*4882a593Smuzhiyun   slot_data->vbmeta_images =
1444*4882a593Smuzhiyun       avb_calloc(sizeof(AvbVBMetaData) * MAX_NUMBER_OF_VBMETA_IMAGES);
1445*4882a593Smuzhiyun   if (slot_data->vbmeta_images == NULL) {
1446*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1447*4882a593Smuzhiyun     goto fail;
1448*4882a593Smuzhiyun   }
1449*4882a593Smuzhiyun   slot_data->loaded_partitions =
1450*4882a593Smuzhiyun       avb_calloc(sizeof(AvbPartitionData) * MAX_NUMBER_OF_LOADED_PARTITIONS);
1451*4882a593Smuzhiyun   if (slot_data->loaded_partitions == NULL) {
1452*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1453*4882a593Smuzhiyun     goto fail;
1454*4882a593Smuzhiyun   }
1455*4882a593Smuzhiyun 
1456*4882a593Smuzhiyun   additional_cmdline_subst = avb_new_cmdline_subst_list();
1457*4882a593Smuzhiyun   if (additional_cmdline_subst == NULL) {
1458*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1459*4882a593Smuzhiyun     goto fail;
1460*4882a593Smuzhiyun   }
1461*4882a593Smuzhiyun 
1462*4882a593Smuzhiyun   if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {
1463*4882a593Smuzhiyun     if (requested_partitions == NULL || requested_partitions[0] == NULL) {
1464*4882a593Smuzhiyun       avb_fatal(
1465*4882a593Smuzhiyun           "Requested partitions cannot be empty when using "
1466*4882a593Smuzhiyun           "AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION");
1467*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT;
1468*4882a593Smuzhiyun       goto fail;
1469*4882a593Smuzhiyun     }
1470*4882a593Smuzhiyun 
1471*4882a593Smuzhiyun     /* No vbmeta partition, go through each of the requested partitions... */
1472*4882a593Smuzhiyun     for (size_t n = 0; requested_partitions[n] != NULL; n++) {
1473*4882a593Smuzhiyun       ret = load_and_verify_vbmeta(ops,
1474*4882a593Smuzhiyun                                    requested_partitions,
1475*4882a593Smuzhiyun                                    ab_suffix,
1476*4882a593Smuzhiyun                                    flags,
1477*4882a593Smuzhiyun                                    allow_verification_error,
1478*4882a593Smuzhiyun                                    0 /* toplevel_vbmeta_flags */,
1479*4882a593Smuzhiyun                                    0 /* rollback_index_location */,
1480*4882a593Smuzhiyun                                    requested_partitions[n],
1481*4882a593Smuzhiyun                                    avb_strlen(requested_partitions[n]),
1482*4882a593Smuzhiyun                                    NULL /* expected_public_key */,
1483*4882a593Smuzhiyun                                    0 /* expected_public_key_length */,
1484*4882a593Smuzhiyun                                    slot_data,
1485*4882a593Smuzhiyun                                    &algorithm_type,
1486*4882a593Smuzhiyun                                    additional_cmdline_subst);
1487*4882a593Smuzhiyun       if (!allow_verification_error && ret != AVB_SLOT_VERIFY_RESULT_OK) {
1488*4882a593Smuzhiyun         goto fail;
1489*4882a593Smuzhiyun       }
1490*4882a593Smuzhiyun     }
1491*4882a593Smuzhiyun 
1492*4882a593Smuzhiyun   } else {
1493*4882a593Smuzhiyun     /* Usual path, load "vbmeta"... */
1494*4882a593Smuzhiyun     ret = load_and_verify_vbmeta(ops,
1495*4882a593Smuzhiyun                                  requested_partitions,
1496*4882a593Smuzhiyun                                  ab_suffix,
1497*4882a593Smuzhiyun                                  flags,
1498*4882a593Smuzhiyun                                  allow_verification_error,
1499*4882a593Smuzhiyun                                  0 /* toplevel_vbmeta_flags */,
1500*4882a593Smuzhiyun                                  0 /* rollback_index_location */,
1501*4882a593Smuzhiyun                                  "vbmeta",
1502*4882a593Smuzhiyun                                  avb_strlen("vbmeta"),
1503*4882a593Smuzhiyun                                  NULL /* expected_public_key */,
1504*4882a593Smuzhiyun                                  0 /* expected_public_key_length */,
1505*4882a593Smuzhiyun                                  slot_data,
1506*4882a593Smuzhiyun                                  &algorithm_type,
1507*4882a593Smuzhiyun                                  additional_cmdline_subst);
1508*4882a593Smuzhiyun     if (!allow_verification_error && ret != AVB_SLOT_VERIFY_RESULT_OK) {
1509*4882a593Smuzhiyun       goto fail;
1510*4882a593Smuzhiyun     }
1511*4882a593Smuzhiyun   }
1512*4882a593Smuzhiyun 
1513*4882a593Smuzhiyun   if (!result_should_continue(ret)) {
1514*4882a593Smuzhiyun     goto fail;
1515*4882a593Smuzhiyun   }
1516*4882a593Smuzhiyun 
1517*4882a593Smuzhiyun   /* If things check out, mangle the kernel command-line as needed. */
1518*4882a593Smuzhiyun   if (!(flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION)) {
1519*4882a593Smuzhiyun     if (avb_strcmp(slot_data->vbmeta_images[0].partition_name, "vbmeta") != 0) {
1520*4882a593Smuzhiyun       avb_assert(
1521*4882a593Smuzhiyun           avb_strcmp(slot_data->vbmeta_images[0].partition_name, "boot") == 0);
1522*4882a593Smuzhiyun       using_boot_for_vbmeta = true;
1523*4882a593Smuzhiyun     }
1524*4882a593Smuzhiyun   }
1525*4882a593Smuzhiyun 
1526*4882a593Smuzhiyun   /* Byteswap top-level vbmeta header since we'll need it below. */
1527*4882a593Smuzhiyun   avb_vbmeta_image_header_to_host_byte_order(
1528*4882a593Smuzhiyun       (const AvbVBMetaImageHeader*)slot_data->vbmeta_images[0].vbmeta_data,
1529*4882a593Smuzhiyun       &toplevel_vbmeta);
1530*4882a593Smuzhiyun 
1531*4882a593Smuzhiyun   /* Fill in |ab_suffix| field. */
1532*4882a593Smuzhiyun   slot_data->ab_suffix = avb_strdup(ab_suffix);
1533*4882a593Smuzhiyun   if (slot_data->ab_suffix == NULL) {
1534*4882a593Smuzhiyun     ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1535*4882a593Smuzhiyun     goto fail;
1536*4882a593Smuzhiyun   }
1537*4882a593Smuzhiyun 
1538*4882a593Smuzhiyun   /* If verification is disabled, we are done ... we specifically
1539*4882a593Smuzhiyun    * don't want to add any androidboot.* options since verification
1540*4882a593Smuzhiyun    * is disabled.
1541*4882a593Smuzhiyun    */
1542*4882a593Smuzhiyun   if (toplevel_vbmeta.flags & AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED) {
1543*4882a593Smuzhiyun     /* Since verification is disabled we didn't process any
1544*4882a593Smuzhiyun      * descriptors and thus there's no cmdline... so set root= such
1545*4882a593Smuzhiyun      * that the system partition is mounted.
1546*4882a593Smuzhiyun      */
1547*4882a593Smuzhiyun     avb_assert(slot_data->cmdline == NULL);
1548*4882a593Smuzhiyun     // Devices with dynamic partitions won't have system partition.
1549*4882a593Smuzhiyun     // Instead, it has a large super partition to accommodate *.img files.
1550*4882a593Smuzhiyun     // See b/119551429 for details.
1551*4882a593Smuzhiyun     if (has_system_partition(ops, ab_suffix)) {
1552*4882a593Smuzhiyun       slot_data->cmdline =
1553*4882a593Smuzhiyun           avb_strdup("root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)");
1554*4882a593Smuzhiyun     } else {
1555*4882a593Smuzhiyun       // The |cmdline| field should be a NUL-terminated string.
1556*4882a593Smuzhiyun       slot_data->cmdline = avb_strdup("");
1557*4882a593Smuzhiyun     }
1558*4882a593Smuzhiyun     if (slot_data->cmdline == NULL) {
1559*4882a593Smuzhiyun       ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1560*4882a593Smuzhiyun       goto fail;
1561*4882a593Smuzhiyun     }
1562*4882a593Smuzhiyun   } else {
1563*4882a593Smuzhiyun     /* If requested, manage dm-verity mode... */
1564*4882a593Smuzhiyun     AvbHashtreeErrorMode resolved_hashtree_error_mode = hashtree_error_mode;
1565*4882a593Smuzhiyun     if (hashtree_error_mode ==
1566*4882a593Smuzhiyun         AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO) {
1567*4882a593Smuzhiyun       AvbIOResult io_ret;
1568*4882a593Smuzhiyun       io_ret = avb_manage_hashtree_error_mode(
1569*4882a593Smuzhiyun           ops, flags, slot_data, &resolved_hashtree_error_mode);
1570*4882a593Smuzhiyun       if (io_ret != AVB_IO_RESULT_OK) {
1571*4882a593Smuzhiyun         ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;
1572*4882a593Smuzhiyun         if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
1573*4882a593Smuzhiyun           ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1574*4882a593Smuzhiyun         }
1575*4882a593Smuzhiyun         goto fail;
1576*4882a593Smuzhiyun       }
1577*4882a593Smuzhiyun     }
1578*4882a593Smuzhiyun     slot_data->resolved_hashtree_error_mode = resolved_hashtree_error_mode;
1579*4882a593Smuzhiyun 
1580*4882a593Smuzhiyun     /* Add options... */
1581*4882a593Smuzhiyun     AvbSlotVerifyResult sub_ret;
1582*4882a593Smuzhiyun     sub_ret = avb_append_options(ops,
1583*4882a593Smuzhiyun                                  flags,
1584*4882a593Smuzhiyun                                  slot_data,
1585*4882a593Smuzhiyun                                  &toplevel_vbmeta,
1586*4882a593Smuzhiyun                                  algorithm_type,
1587*4882a593Smuzhiyun                                  hashtree_error_mode,
1588*4882a593Smuzhiyun                                  resolved_hashtree_error_mode);
1589*4882a593Smuzhiyun     if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) {
1590*4882a593Smuzhiyun       ret = sub_ret;
1591*4882a593Smuzhiyun       goto fail;
1592*4882a593Smuzhiyun     }
1593*4882a593Smuzhiyun   }
1594*4882a593Smuzhiyun 
1595*4882a593Smuzhiyun   /* Substitute $(ANDROID_SYSTEM_PARTUUID) and friends. */
1596*4882a593Smuzhiyun   if (slot_data->cmdline != NULL && avb_strlen(slot_data->cmdline) != 0) {
1597*4882a593Smuzhiyun     char* new_cmdline;
1598*4882a593Smuzhiyun     new_cmdline = avb_sub_cmdline(ops,
1599*4882a593Smuzhiyun                                   slot_data->cmdline,
1600*4882a593Smuzhiyun                                   ab_suffix,
1601*4882a593Smuzhiyun                                   using_boot_for_vbmeta,
1602*4882a593Smuzhiyun                                   additional_cmdline_subst);
1603*4882a593Smuzhiyun     if (new_cmdline != slot_data->cmdline) {
1604*4882a593Smuzhiyun       if (new_cmdline == NULL) {
1605*4882a593Smuzhiyun         ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
1606*4882a593Smuzhiyun         goto fail;
1607*4882a593Smuzhiyun       }
1608*4882a593Smuzhiyun       avb_free(slot_data->cmdline);
1609*4882a593Smuzhiyun       slot_data->cmdline = new_cmdline;
1610*4882a593Smuzhiyun     }
1611*4882a593Smuzhiyun   }
1612*4882a593Smuzhiyun 
1613*4882a593Smuzhiyun   if (out_data != NULL) {
1614*4882a593Smuzhiyun     *out_data = slot_data;
1615*4882a593Smuzhiyun   } else {
1616*4882a593Smuzhiyun     avb_slot_verify_data_free(slot_data);
1617*4882a593Smuzhiyun   }
1618*4882a593Smuzhiyun 
1619*4882a593Smuzhiyun   avb_free_cmdline_subst_list(additional_cmdline_subst);
1620*4882a593Smuzhiyun   additional_cmdline_subst = NULL;
1621*4882a593Smuzhiyun 
1622*4882a593Smuzhiyun   if (!allow_verification_error) {
1623*4882a593Smuzhiyun     avb_assert(ret == AVB_SLOT_VERIFY_RESULT_OK);
1624*4882a593Smuzhiyun   }
1625*4882a593Smuzhiyun 
1626*4882a593Smuzhiyun   return ret;
1627*4882a593Smuzhiyun 
1628*4882a593Smuzhiyun fail:
1629*4882a593Smuzhiyun   if (slot_data != NULL) {
1630*4882a593Smuzhiyun     avb_slot_verify_data_free(slot_data);
1631*4882a593Smuzhiyun   }
1632*4882a593Smuzhiyun   if (additional_cmdline_subst != NULL) {
1633*4882a593Smuzhiyun     avb_free_cmdline_subst_list(additional_cmdline_subst);
1634*4882a593Smuzhiyun   }
1635*4882a593Smuzhiyun   return ret;
1636*4882a593Smuzhiyun }
1637*4882a593Smuzhiyun 
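/* Releases an AvbSlotVerifyData and everything it owns: the A/B
 * suffix, the kernel command line, each vbmeta image (partition name
 * and image bytes) and each loaded partition, then the object itself.
 *
 * Partition payloads flagged |preloaded| are deliberately not freed:
 * that memory was handed to us by the AvbOps implementation and is
 * still owned by it. Everything else was allocated with avb_malloc()
 * and so is released with avb_free().
 *
 * |data| may be NULL, in which case nothing is done. This mirrors the
 * free(NULL) convention so callers on error paths (which may not yet
 * have allocated the object) do not need to guard the call.
 */
void avb_slot_verify_data_free(AvbSlotVerifyData* data) {
  size_t n;

  if (data == NULL) {
    return;
  }

  /* avb_free() is platform-provided; its NULL tolerance is not part of
   * its documented contract, so keep the explicit guards below.
   */
  if (data->ab_suffix != NULL) {
    avb_free(data->ab_suffix);
  }
  if (data->cmdline != NULL) {
    avb_free(data->cmdline);
  }

  if (data->vbmeta_images != NULL) {
    for (n = 0; n < data->num_vbmeta_images; n++) {
      AvbVBMetaData* vbmeta_image = &data->vbmeta_images[n];
      if (vbmeta_image->partition_name != NULL) {
        avb_free(vbmeta_image->partition_name);
      }
      if (vbmeta_image->vbmeta_data != NULL) {
        avb_free(vbmeta_image->vbmeta_data);
      }
    }
    avb_free(data->vbmeta_images);
  }

  if (data->loaded_partitions != NULL) {
    for (n = 0; n < data->num_loaded_partitions; n++) {
      AvbPartitionData* loaded_partition = &data->loaded_partitions[n];
      if (loaded_partition->partition_name != NULL) {
        avb_free(loaded_partition->partition_name);
      }
      /* Preloaded buffers belong to the AvbOps backend, not to us. */
      if (loaded_partition->data != NULL && !loaded_partition->preloaded) {
        avb_free(loaded_partition->data);
      }
    }
    avb_free(data->loaded_partitions);
  }

  avb_free(data);
}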
1673*4882a593Smuzhiyun 
/* Maps an AvbSlotVerifyResult to a short, stable identifier string
 * (e.g. "ERROR_VERIFICATION") suitable for logs and boot messages.
 *
 * The returned pointer refers to a string literal and must not be
 * freed. A value outside the enum is reported through avb_error() and
 * mapped to "(unknown)" rather than NULL, so the result is always safe
 * to hand to a printf-style "%s".
 */
const char* avb_slot_verify_result_to_string(AvbSlotVerifyResult result) {
  /* Every enumerator is listed and there is intentionally no
   * 'default:' label, so that -Wswitch flags any AvbSlotVerifyResult
   * added later but not named here.
   */
  switch (result) {
    case AVB_SLOT_VERIFY_RESULT_OK:
      return "OK";
    case AVB_SLOT_VERIFY_RESULT_ERROR_OOM:
      return "ERROR_OOM";
    case AVB_SLOT_VERIFY_RESULT_ERROR_IO:
      return "ERROR_IO";
    case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
      return "ERROR_VERIFICATION";
    case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX:
      return "ERROR_ROLLBACK_INDEX";
    case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
      return "ERROR_PUBLIC_KEY_REJECTED";
    case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA:
      return "ERROR_INVALID_METADATA";
    case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION:
      return "ERROR_UNSUPPORTED_VERSION";
    case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT:
      return "ERROR_INVALID_ARGUMENT";
  }

  /* Reached only for a value that is not a known enumerator. */
  avb_error("Unknown AvbSlotVerifyResult value.\n");
  return "(unknown)";
}
1715*4882a593Smuzhiyun 
/* Computes a digest over the concatenation of every vbmeta image in
 * |data|, in load order (vbmeta_images[0] first), and stores it in
 * |out_digest|. This is the value reported as the vbmeta digest of the
 * verified slot.
 *
 * |out_digest| must have room for AVB_SHA256_DIGEST_SIZE bytes when
 * |digest_type| is AVB_DIGEST_TYPE_SHA256 and AVB_SHA512_DIGEST_SIZE
 * bytes for AVB_DIGEST_TYPE_SHA512. No buffer size is passed, so the
 * caller is responsible for matching the buffer to the digest type.
 *
 * Any other |digest_type| is a programming error and ends in
 * avb_fatal(). The switch intentionally has no 'default:' so that
 * -Wswitch reports AvbDigestType values added later.
 *
 * NOTE(review): ctx.tot_len is filled with the total input length
 * *before* avb_sha256_init()/avb_sha512_init() is called; presumably
 * the hash backend in this tree consumes it at init time, so that
 * ordering is preserved here — confirm against avb_sha.c before
 * changing it.
 */
void avb_slot_verify_data_calculate_vbmeta_digest(AvbSlotVerifyData* data,
                                                  AvbDigestType digest_type,
                                                  uint8_t* out_digest) {
  bool handled = false;
  size_t i;

  switch (digest_type) {
    case AVB_DIGEST_TYPE_SHA256: {
      AvbSHA256Ctx ctx;

      /* Total length first; see the note above about init ordering. */
      ctx.tot_len = 0;
      for (i = 0; i < data->num_vbmeta_images; i++) {
        ctx.tot_len += data->vbmeta_images[i].vbmeta_size;
      }

      avb_sha256_init(&ctx);
      for (i = 0; i < data->num_vbmeta_images; i++) {
        AvbVBMetaData* image = &data->vbmeta_images[i];
        avb_sha256_update(&ctx, image->vbmeta_data, image->vbmeta_size);
      }
      avb_memcpy(out_digest, avb_sha256_final(&ctx), AVB_SHA256_DIGEST_SIZE);
      handled = true;
      break;
    }

    case AVB_DIGEST_TYPE_SHA512: {
      AvbSHA512Ctx ctx;

      /* Total length first; see the note above about init ordering. */
      ctx.tot_len = 0;
      for (i = 0; i < data->num_vbmeta_images; i++) {
        ctx.tot_len += data->vbmeta_images[i].vbmeta_size;
      }

      avb_sha512_init(&ctx);
      for (i = 0; i < data->num_vbmeta_images; i++) {
        AvbVBMetaData* image = &data->vbmeta_images[i];
        avb_sha512_update(&ctx, image->vbmeta_data, image->vbmeta_size);
      }
      avb_memcpy(out_digest, avb_sha512_final(&ctx), AVB_SHA512_DIGEST_SIZE);
      handled = true;
      break;
    }

      /* Do not add a 'default:' case here because of -Wswitch. */
  }

  if (!handled) {
    avb_fatal("Unknown digest type");
  }
}