1 /* 2 * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <stdint.h> 9 #include <string.h> 10 11 #include <platform_def.h> 12 13 #include <common/debug.h> 14 #include <common/tbbr/cot_def.h> 15 #include <drivers/auth/auth_common.h> 16 #include <drivers/auth/auth_mod.h> 17 #include <drivers/auth/crypto_mod.h> 18 #include <drivers/auth/img_parser_mod.h> 19 #include <drivers/fwu/fwu.h> 20 #include <lib/fconf/fconf_tbbr_getter.h> 21 #include <plat/common/platform.h> 22 23 #include <tools_share/zero_oid.h> 24 25 /* ASN.1 tags */ 26 #define ASN1_INTEGER 0x02 27 28 #define return_if_error(rc) \ 29 do { \ 30 if (rc != 0) { \ 31 return rc; \ 32 } \ 33 } while (0) 34 35 #pragma weak plat_set_nv_ctr2 36 37 static int cmp_auth_param_type_desc(const auth_param_type_desc_t *a, 38 const auth_param_type_desc_t *b) 39 { 40 if ((a->type == b->type) && (a->cookie == b->cookie)) { 41 return 0; 42 } 43 return 1; 44 } 45 46 /* 47 * This function obtains the requested authentication parameter data from the 48 * information extracted from the parent image after its authentication. 49 */ 50 static int auth_get_param(const auth_param_type_desc_t *param_type_desc, 51 const auth_img_desc_t *img_desc, 52 void **param, unsigned int *len) 53 { 54 int i; 55 56 if (img_desc->authenticated_data == NULL) 57 return 1; 58 59 for (i = 0 ; i < COT_MAX_VERIFIED_PARAMS ; i++) { 60 if (0 == cmp_auth_param_type_desc(param_type_desc, 61 img_desc->authenticated_data[i].type_desc)) { 62 *param = img_desc->authenticated_data[i].data.ptr; 63 *len = img_desc->authenticated_data[i].data.len; 64 return 0; 65 } 66 } 67 68 return 1; 69 } 70 71 /* 72 * Authenticate an image by matching the data hash 73 * 74 * This function implements 'AUTH_METHOD_HASH'. To authenticate an image using 75 * this method, the image must contain: 76 * 77 * - The data to calculate the hash from 78 * 79 * The parent image must contain: 80 * 81 * - The hash to be matched with (including hash algorithm) 82 * 83 * For a successful authentication, both hashes must match. The function calls 84 * the crypto-module to check this matching. 85 * 86 * Parameters: 87 * param: parameters to perform the hash authentication 88 * img_desc: pointer to image descriptor so we can know the image type 89 * and parent image 90 * img: pointer to image in memory 91 * img_len: length of image (in bytes) 92 * 93 * Return: 94 * 0 = success, Otherwise = error 95 */ 96 static int auth_hash(const auth_method_param_hash_t *param, 97 const auth_img_desc_t *img_desc, 98 void *img, unsigned int img_len) 99 { 100 void *data_ptr, *hash_der_ptr; 101 unsigned int data_len, hash_der_len; 102 int rc = 0; 103 104 /* Get the hash from the parent image. This hash will be DER encoded 105 * and contain the hash algorithm */ 106 rc = auth_get_param(param->hash, img_desc->parent, 107 &hash_der_ptr, &hash_der_len); 108 return_if_error(rc); 109 110 /* Get the data to be hashed from the current image */ 111 rc = img_parser_get_auth_param(img_desc->img_type, param->data, 112 img, img_len, &data_ptr, &data_len); 113 return_if_error(rc); 114 115 /* Ask the crypto module to verify this hash */ 116 rc = crypto_mod_verify_hash(data_ptr, data_len, 117 hash_der_ptr, hash_der_len); 118 119 return rc; 120 } 121 122 /* 123 * Authenticate by digital signature 124 * 125 * This function implements 'AUTH_METHOD_SIG'. To authenticate an image using 126 * this method, the image must contain: 127 * 128 * - Data to be signed 129 * - Signature 130 * - Signature algorithm 131 * 132 * We rely on the image parser module to extract this data from the image. 133 * The parent image must contain: 134 * 135 * - Public key (or a hash of it) 136 * 137 * If the parent image contains only a hash of the key, we will try to obtain 138 * the public key from the image itself (i.e. self-signed certificates). In that 139 * case, the signature verification is considered just an integrity check and 140 * the authentication is established by calculating the hash of the key and 141 * comparing it with the hash obtained from the parent. 142 * 143 * If the image has no parent (NULL), it means it has to be authenticated using 144 * the ROTPK stored in the platform. Again, this ROTPK could be the key itself 145 * or a hash of it. 146 * 147 * Return: 0 = success, Otherwise = error 148 */ 149 static int auth_signature(const auth_method_param_sig_t *param, 150 const auth_img_desc_t *img_desc, 151 void *img, unsigned int img_len) 152 { 153 void *data_ptr, *pk_ptr, *cnv_pk_ptr, *pk_plat_ptr, *sig_ptr, *sig_alg_ptr, *pk_oid; 154 unsigned int data_len, pk_len, cnv_pk_len, pk_plat_len, sig_len, sig_alg_len; 155 unsigned int flags = 0; 156 int rc = 0; 157 158 /* Get the data to be signed from current image */ 159 rc = img_parser_get_auth_param(img_desc->img_type, param->data, 160 img, img_len, &data_ptr, &data_len); 161 return_if_error(rc); 162 163 /* Get the signature from current image */ 164 rc = img_parser_get_auth_param(img_desc->img_type, param->sig, 165 img, img_len, &sig_ptr, &sig_len); 166 return_if_error(rc); 167 168 /* Get the signature algorithm from current image */ 169 rc = img_parser_get_auth_param(img_desc->img_type, param->alg, 170 img, img_len, &sig_alg_ptr, &sig_alg_len); 171 return_if_error(rc); 172 173 /* Get the public key from the parent. If there is no parent (NULL), 174 * the certificate has been signed with the ROTPK, so we have to get 175 * the PK from the platform */ 176 if (img_desc->parent != NULL) { 177 rc = auth_get_param(param->pk, img_desc->parent, 178 &pk_ptr, &pk_len); 179 return_if_error(rc); 180 } else { 181 /* 182 * Root certificates are signed with the ROTPK, so we have to 183 * get it from the platform. 184 */ 185 rc = plat_get_rotpk_info(param->pk->cookie, &pk_plat_ptr, 186 &pk_plat_len, &flags); 187 return_if_error(rc); 188 189 assert(is_rotpk_flags_valid(flags)); 190 191 /* Also retrieve the key from the image. */ 192 rc = img_parser_get_auth_param(img_desc->img_type, 193 param->pk, img, img_len, 194 &pk_ptr, &pk_len); 195 return_if_error(rc); 196 197 /* 198 * Validate the certificate's key against the platform ROTPK. 199 * 200 * Platform may store key in one of the following way - 201 * 1. Hash of ROTPK 202 * 2. Hash if prefixed, suffixed or modified ROTPK 203 * 3. Full ROTPK 204 */ 205 if ((flags & ROTPK_NOT_DEPLOYED) != 0U) { 206 NOTICE("ROTPK is not deployed on platform. " 207 "Skipping ROTPK verification.\n"); 208 } else if ((flags & ROTPK_IS_HASH) != 0U) { 209 /* 210 * platform may store the hash of a prefixed, 211 * suffixed or modified pk 212 */ 213 rc = crypto_mod_convert_pk(pk_ptr, pk_len, &cnv_pk_ptr, &cnv_pk_len); 214 return_if_error(rc); 215 216 /* 217 * The hash of the certificate's public key must match 218 * the hash of the ROTPK. 219 */ 220 rc = crypto_mod_verify_hash(cnv_pk_ptr, cnv_pk_len, 221 pk_plat_ptr, pk_plat_len); 222 return_if_error(rc); 223 } else { 224 /* Platform supports full ROTPK */ 225 if ((pk_len != pk_plat_len) || 226 (memcmp(pk_plat_ptr, pk_ptr, pk_len) != 0)) { 227 ERROR("plat and cert ROTPK len mismatch\n"); 228 return -1; 229 } 230 } 231 232 /* 233 * Set Zero-OID for ROTPK(subject key) as a the certificate 234 * does not hold Key-OID information for ROTPK. 235 */ 236 if (param->pk->cookie != NULL) { 237 pk_oid = param->pk->cookie; 238 } else { 239 pk_oid = ZERO_OID; 240 } 241 242 /* 243 * Public key is verified at this stage, notify platform 244 * to measure and publish it. 245 */ 246 rc = plat_mboot_measure_key(pk_oid, pk_ptr, pk_len); 247 if (rc != 0) { 248 WARN("Public Key measurement failure = %d\n", rc); 249 } 250 } 251 252 /* Ask the crypto module to verify the signature */ 253 rc = crypto_mod_verify_signature(data_ptr, data_len, 254 sig_ptr, sig_len, 255 sig_alg_ptr, sig_alg_len, 256 pk_ptr, pk_len); 257 258 return rc; 259 } 260 261 /* 262 * Authenticate by Non-Volatile counter 263 * 264 * To protect the system against rollback, the platform includes a non-volatile 265 * counter whose value can only be increased. All certificates include a counter 266 * value that should not be lower than the value stored in the platform. If the 267 * value is larger, the counter in the platform must be updated to the new value 268 * (provided it has been authenticated). 269 * 270 * Return: 0 = success, Otherwise = error 271 * Returns additionally, 272 * cert_nv_ctr -> NV counter value present in the certificate 273 * need_nv_ctr_upgrade = 0 -> platform NV counter upgrade is not needed 274 * need_nv_ctr_upgrade = 1 -> platform NV counter upgrade is needed 275 */ 276 static int auth_nvctr(const auth_method_param_nv_ctr_t *param, 277 const auth_img_desc_t *img_desc, 278 void *img, unsigned int img_len, 279 unsigned int *cert_nv_ctr, 280 bool *need_nv_ctr_upgrade) 281 { 282 unsigned char *p; 283 void *data_ptr = NULL; 284 unsigned int data_len, len, i; 285 unsigned int plat_nv_ctr; 286 int rc = 0; 287 bool is_trial_run = false; 288 289 /* Get the counter value from current image. The AM expects the IPM 290 * to return the counter value as a DER encoded integer */ 291 rc = img_parser_get_auth_param(img_desc->img_type, param->cert_nv_ctr, 292 img, img_len, &data_ptr, &data_len); 293 return_if_error(rc); 294 295 /* Parse the DER encoded integer */ 296 assert(data_ptr); 297 p = (unsigned char *)data_ptr; 298 299 /* 300 * Integers must be at least 3 bytes: 1 for tag, 1 for length, and 1 301 * for value. The first byte (tag) must be ASN1_INTEGER. 302 */ 303 if ((data_len < 3) || (*p != ASN1_INTEGER)) { 304 /* Invalid ASN.1 integer */ 305 return 1; 306 } 307 p++; 308 309 /* 310 * NV-counters are unsigned integers up to 31 bits. Trailing 311 * padding is not allowed. 312 */ 313 len = (unsigned int)*p; 314 if ((len > 4) || (data_len - 2 != len)) { 315 return 1; 316 } 317 p++; 318 319 /* Check the number is not negative */ 320 if (*p & 0x80) { 321 return 1; 322 } 323 324 /* Convert to unsigned int. This code is for a little-endian CPU */ 325 *cert_nv_ctr = 0; 326 for (i = 0; i < len; i++) { 327 *cert_nv_ctr = (*cert_nv_ctr << 8) | *p++; 328 } 329 330 /* Get the counter from the platform */ 331 rc = plat_get_nv_ctr(param->plat_nv_ctr->cookie, &plat_nv_ctr); 332 return_if_error(rc); 333 334 if (*cert_nv_ctr < plat_nv_ctr) { 335 /* Invalid NV-counter */ 336 return 1; 337 } else if (*cert_nv_ctr > plat_nv_ctr) { 338 #if PSA_FWU_SUPPORT && IMAGE_BL2 339 is_trial_run = fwu_is_trial_run_state(); 340 #endif /* PSA_FWU_SUPPORT && IMAGE_BL2 */ 341 *need_nv_ctr_upgrade = !is_trial_run; 342 } 343 344 return 0; 345 } 346 347 int plat_set_nv_ctr2(void *cookie, const auth_img_desc_t *img_desc __unused, 348 unsigned int nv_ctr) 349 { 350 return plat_set_nv_ctr(cookie, nv_ctr); 351 } 352 353 /* 354 * Return the parent id in the output parameter '*parent_id' 355 * 356 * Return value: 357 * 0 = Image has parent, 1 = Image has no parent or parent is authenticated 358 */ 359 int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id) 360 { 361 const auth_img_desc_t *img_desc = NULL; 362 363 assert(parent_id != NULL); 364 /* Get the image descriptor */ 365 img_desc = FCONF_GET_PROPERTY(tbbr, cot, img_id); 366 367 /* Check if the image has no parent (ROT) */ 368 if (img_desc->parent == NULL) { 369 *parent_id = 0; 370 return 1; 371 } 372 373 /* Check if the parent has already been authenticated */ 374 if (auth_img_flags[img_desc->parent->img_id] & IMG_FLAG_AUTHENTICATED) { 375 *parent_id = 0; 376 return 1; 377 } 378 379 *parent_id = img_desc->parent->img_id; 380 return 0; 381 } 382 383 /* 384 * Initialize the different modules in the authentication framework 385 */ 386 void auth_mod_init(void) 387 { 388 /* Check we have a valid CoT registered */ 389 assert(cot_desc_ptr != NULL); 390 391 /* Image parser module */ 392 img_parser_init(); 393 } 394 395 /* 396 * Authenticate a certificate/image 397 * 398 * Return: 0 = success, Otherwise = error 399 */ 400 int auth_mod_verify_img(unsigned int img_id, 401 void *img_ptr, 402 unsigned int img_len) 403 { 404 const auth_img_desc_t *img_desc = NULL; 405 const auth_param_type_desc_t *type_desc = NULL; 406 const auth_method_desc_t *auth_method = NULL; 407 void *param_ptr; 408 unsigned int param_len; 409 int rc, i; 410 unsigned int cert_nv_ctr = 0; 411 bool need_nv_ctr_upgrade = false; 412 bool sig_auth_done = false; 413 const auth_method_param_nv_ctr_t *nv_ctr_param = NULL; 414 415 /* Get the image descriptor from the chain of trust */ 416 img_desc = FCONF_GET_PROPERTY(tbbr, cot, img_id); 417 418 /* Ask the parser to check the image integrity */ 419 rc = img_parser_check_integrity(img_desc->img_type, img_ptr, img_len); 420 return_if_error(rc); 421 422 /* Authenticate the image using the methods indicated in the image 423 * descriptor. */ 424 if (img_desc->img_auth_methods == NULL) 425 return 1; 426 for (i = 0 ; i < AUTH_METHOD_NUM ; i++) { 427 auth_method = &img_desc->img_auth_methods[i]; 428 switch (auth_method->type) { 429 case AUTH_METHOD_NONE: 430 rc = 0; 431 break; 432 case AUTH_METHOD_HASH: 433 rc = auth_hash(&auth_method->param.hash, 434 img_desc, img_ptr, img_len); 435 break; 436 case AUTH_METHOD_SIG: 437 rc = auth_signature(&auth_method->param.sig, 438 img_desc, img_ptr, img_len); 439 sig_auth_done = true; 440 break; 441 case AUTH_METHOD_NV_CTR: 442 nv_ctr_param = &auth_method->param.nv_ctr; 443 rc = auth_nvctr(nv_ctr_param, 444 img_desc, img_ptr, img_len, 445 &cert_nv_ctr, &need_nv_ctr_upgrade); 446 break; 447 default: 448 /* Unknown authentication method */ 449 rc = 1; 450 break; 451 } 452 return_if_error(rc); 453 } 454 455 /* 456 * Do platform NV counter upgrade only if the certificate gets 457 * authenticated, and platform NV-counter upgrade is needed. 458 */ 459 if (need_nv_ctr_upgrade && sig_auth_done) { 460 rc = plat_set_nv_ctr2(nv_ctr_param->plat_nv_ctr->cookie, 461 img_desc, cert_nv_ctr); 462 return_if_error(rc); 463 } 464 465 /* Extract the parameters indicated in the image descriptor to 466 * authenticate the children images. */ 467 if (img_desc->authenticated_data != NULL) { 468 for (i = 0 ; i < COT_MAX_VERIFIED_PARAMS ; i++) { 469 if (img_desc->authenticated_data[i].type_desc == NULL) { 470 continue; 471 } 472 473 /* Get the parameter from the image parser module */ 474 rc = img_parser_get_auth_param(img_desc->img_type, 475 img_desc->authenticated_data[i].type_desc, 476 img_ptr, img_len, ¶m_ptr, ¶m_len); 477 return_if_error(rc); 478 479 /* Check parameter size */ 480 if (param_len > img_desc->authenticated_data[i].data.len) { 481 return 1; 482 } 483 484 /* Copy the parameter for later use */ 485 memcpy((void *)img_desc->authenticated_data[i].data.ptr, 486 (void *)param_ptr, param_len); 487 488 /* 489 * If this is a public key then measure and publicise 490 * it. 491 */ 492 type_desc = img_desc->authenticated_data[i].type_desc; 493 if (type_desc->type == AUTH_PARAM_PUB_KEY) { 494 rc = plat_mboot_measure_key(type_desc->cookie, 495 param_ptr, 496 param_len); 497 if (rc != 0) { 498 WARN("Public Key measurement " 499 "failure = %d\n", rc); 500 } 501 } 502 } 503 } 504 505 /* Mark image as authenticated */ 506 auth_img_flags[img_desc->img_id] |= IMG_FLAG_AUTHENTICATED; 507 508 return 0; 509 } 510