1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 #include <common.h> 25 #include <sysmem.h> 26 #include <android_avb/avb_slot_verify.h> 27 #include <android_avb/avb_chain_partition_descriptor.h> 28 #include <android_avb/avb_cmdline.h> 29 #include <android_avb/avb_footer.h> 30 #include <android_avb/avb_hash_descriptor.h> 31 #include <android_avb/avb_hashtree_descriptor.h> 32 #include <android_avb/avb_kernel_cmdline_descriptor.h> 33 #include <android_avb/avb_sha.h> 34 #include <android_avb/avb_util.h> 35 #include <android_avb/avb_vbmeta_image.h> 36 #include <android_avb/avb_version.h> 37 38 /* Maximum number of partitions that can be loaded with avb_slot_verify(). */ 39 #define MAX_NUMBER_OF_LOADED_PARTITIONS 32 40 41 /* Maximum number of vbmeta images that can be loaded with avb_slot_verify(). */ 42 #define MAX_NUMBER_OF_VBMETA_IMAGES 32 43 44 /* Maximum size of a vbmeta image - 64 KiB. */ 45 #define VBMETA_MAX_SIZE (64 * 1024) 46 47 /* Helper function to see if we should continue with verification in 48 * allow_verification_error=true mode if something goes wrong. See the 49 * comments for the avb_slot_verify() function for more information. 50 */ 51 static inline bool result_should_continue(AvbSlotVerifyResult result) { 52 switch (result) { 53 case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: 54 case AVB_SLOT_VERIFY_RESULT_ERROR_IO: 55 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: 56 case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: 57 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT: 58 return false; 59 60 case AVB_SLOT_VERIFY_RESULT_OK: 61 case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: 62 case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: 63 case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: 64 return true; 65 } 66 67 return false; 68 } 69 70 static AvbSlotVerifyResult load_full_partition(AvbOps* ops, 71 const char* part_name, 72 uint64_t image_size, 73 uint8_t** out_image_buf, 74 bool* out_image_preloaded) { 75 size_t part_num_read; 76 AvbIOResult io_ret; 77 78 /* Make sure that we do not overwrite existing data. */ 79 avb_assert(*out_image_buf == NULL); 80 avb_assert(!*out_image_preloaded); 81 82 /* We are going to implicitly cast image_size from uint64_t to size_t in the 83 * following code, so we need to make sure that the cast is safe. */ 84 if (image_size != (size_t)(image_size)) { 85 avb_errorv(part_name, ": Partition size too large to load.\n", NULL); 86 return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 87 } 88 89 /* Try use a preloaded one. */ 90 if (ops->get_preloaded_partition != NULL) { 91 io_ret = ops->get_preloaded_partition( 92 ops, part_name, image_size, out_image_buf, &part_num_read); 93 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 94 return AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 95 } else if (io_ret != AVB_IO_RESULT_OK) { 96 avb_errorv(part_name, ": Error loading data from partition.\n", NULL); 97 return AVB_SLOT_VERIFY_RESULT_ERROR_IO; 98 } 99 100 if (*out_image_buf != NULL) { 101 if (part_num_read != image_size) { 102 avb_errorv(part_name, ": Read incorrect number of bytes.\n", NULL); 103 return AVB_SLOT_VERIFY_RESULT_ERROR_IO; 104 } 105 *out_image_preloaded = true; 106 } 107 } 108 109 /* Allocate and copy the partition. */ 110 if (!*out_image_preloaded) { 111 *out_image_buf = sysmem_alloc(MEMBLK_ID_AVB_ANDROID, image_size); 112 if (*out_image_buf == NULL) { 113 return AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 114 } 115 116 io_ret = ops->read_from_partition(ops, 117 part_name, 118 0 /* offset */, 119 image_size, 120 *out_image_buf, 121 &part_num_read); 122 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 123 return AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 124 } else if (io_ret != AVB_IO_RESULT_OK) { 125 avb_errorv(part_name, ": Error loading data from partition.\n", NULL); 126 return AVB_SLOT_VERIFY_RESULT_ERROR_IO; 127 } 128 if (part_num_read != image_size) { 129 avb_errorv(part_name, ": Read incorrect number of bytes.\n", NULL); 130 return AVB_SLOT_VERIFY_RESULT_ERROR_IO; 131 } 132 } 133 134 return AVB_SLOT_VERIFY_RESULT_OK; 135 } 136 137 static AvbSlotVerifyResult read_persistent_digest(AvbOps* ops, 138 const char* part_name, 139 size_t expected_digest_size, 140 uint8_t* out_digest) { 141 char* persistent_value_name = NULL; 142 AvbIOResult io_ret = AVB_IO_RESULT_OK; 143 size_t stored_digest_size = 0; 144 145 if (ops->read_persistent_value == NULL) { 146 avb_errorv(part_name, ": Persistent values are not implemented.\n", NULL); 147 return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 148 } 149 persistent_value_name = 150 avb_strdupv(AVB_NPV_PERSISTENT_DIGEST_PREFIX, part_name, NULL); 151 if (persistent_value_name == NULL) { 152 return AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 153 } 154 io_ret = ops->read_persistent_value(ops, 155 persistent_value_name, 156 expected_digest_size, 157 out_digest, 158 &stored_digest_size); 159 avb_free(persistent_value_name); 160 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 161 return AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 162 } else if (io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_VALUE) { 163 avb_errorv(part_name, ": Persistent digest does not exist.\n", NULL); 164 return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 165 } else if (io_ret == AVB_IO_RESULT_ERROR_INVALID_VALUE_SIZE || 166 io_ret == AVB_IO_RESULT_ERROR_INSUFFICIENT_SPACE || 167 expected_digest_size != stored_digest_size) { 168 avb_errorv( 169 part_name, ": Persistent digest is not of expected size.\n", NULL); 170 return AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 171 } else if (io_ret != AVB_IO_RESULT_OK) { 172 avb_errorv(part_name, ": Error reading persistent digest.\n", NULL); 173 return AVB_SLOT_VERIFY_RESULT_ERROR_IO; 174 } 175 return AVB_SLOT_VERIFY_RESULT_OK; 176 } 177 178 static AvbSlotVerifyResult load_and_verify_hash_partition( 179 AvbOps* ops, 180 const char* const* requested_partitions, 181 const char* ab_suffix, 182 bool allow_verification_error, 183 const AvbDescriptor* descriptor, 184 AvbSlotVerifyData* slot_data) { 185 AvbHashDescriptor hash_desc; 186 const uint8_t* desc_partition_name = NULL; 187 const uint8_t* desc_salt; 188 const uint8_t* desc_digest; 189 char part_name[AVB_PART_NAME_MAX_SIZE]; 190 AvbSlotVerifyResult ret; 191 AvbIOResult io_ret; 192 uint8_t* image_buf = NULL; 193 bool image_preloaded = false; 194 uint8_t* digest; 195 size_t digest_len; 196 const char* found; 197 uint64_t image_size = 0; 198 size_t expected_digest_len = 0; 199 uint8_t expected_digest_buf[AVB_SHA512_DIGEST_SIZE]; 200 const uint8_t* expected_digest = NULL; 201 202 if (!avb_hash_descriptor_validate_and_byteswap( 203 (const AvbHashDescriptor*)descriptor, &hash_desc)) { 204 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 205 goto out; 206 } 207 208 desc_partition_name = 209 ((const uint8_t*)descriptor) + sizeof(AvbHashDescriptor); 210 desc_salt = desc_partition_name + hash_desc.partition_name_len; 211 desc_digest = desc_salt + hash_desc.salt_len; 212 213 if (!avb_validate_utf8(desc_partition_name, hash_desc.partition_name_len)) { 214 avb_error("Partition name is not valid UTF-8.\n"); 215 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 216 goto out; 217 } 218 219 /* Don't bother loading or validating unless the partition was 220 * requested in the first place. 221 */ 222 found = avb_strv_find_str(requested_partitions, 223 (const char*)desc_partition_name, 224 hash_desc.partition_name_len); 225 if (found == NULL) { 226 ret = AVB_SLOT_VERIFY_RESULT_OK; 227 goto out; 228 } 229 230 if ((hash_desc.flags & AVB_HASH_DESCRIPTOR_FLAGS_DO_NOT_USE_AB) != 0) { 231 /* No ab_suffix, just copy the partition name as is. */ 232 if (hash_desc.partition_name_len >= AVB_PART_NAME_MAX_SIZE) { 233 avb_error("Partition name does not fit.\n"); 234 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 235 goto out; 236 } 237 avb_memcpy(part_name, desc_partition_name, hash_desc.partition_name_len); 238 part_name[hash_desc.partition_name_len] = '\0'; 239 } else if (hash_desc.digest_len == 0 && avb_strlen(ab_suffix) != 0) { 240 /* No ab_suffix allowed for partitions without a digest in the descriptor 241 * because these partitions hold data unique to this device and are not 242 * updated using an A/B scheme. 243 */ 244 avb_error("Cannot use A/B with a persistent digest.\n"); 245 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 246 goto out; 247 } else { 248 /* Add ab_suffix to the partition name. */ 249 if (!avb_str_concat(part_name, 250 sizeof part_name, 251 (const char*)desc_partition_name, 252 hash_desc.partition_name_len, 253 ab_suffix, 254 avb_strlen(ab_suffix))) { 255 avb_error("Partition name and suffix does not fit.\n"); 256 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 257 goto out; 258 } 259 } 260 261 /* If we're allowing verification errors then hash_desc.image_size 262 * may no longer match what's in the partition... so in this case 263 * just load the entire partition. 264 * 265 * For example, this can happen if a developer does 'fastboot flash 266 * boot /path/to/new/and/bigger/boot.img'. We want this to work 267 * since it's such a common workflow. 268 */ 269 image_size = hash_desc.image_size; 270 if (allow_verification_error) { 271 if (ops->get_size_of_partition == NULL) { 272 avb_errorv(part_name, 273 ": The get_size_of_partition() operation is " 274 "not implemented so we may not load the entire partition. " 275 "Please implement.", 276 NULL); 277 } else { 278 io_ret = ops->get_size_of_partition(ops, part_name, &image_size); 279 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 280 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 281 goto out; 282 } else if (io_ret != AVB_IO_RESULT_OK) { 283 avb_errorv(part_name, ": Error determining partition size.\n", NULL); 284 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 285 goto out; 286 } 287 avb_debugv(part_name, ": Loading entire partition.\n", NULL); 288 } 289 } 290 291 ret = load_full_partition( 292 ops, part_name, image_size, &image_buf, &image_preloaded); 293 if (ret != AVB_SLOT_VERIFY_RESULT_OK) { 294 goto out; 295 } 296 297 if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha256") == 0) { 298 AvbSHA256Ctx sha256_ctx; 299 avb_sha256_init(&sha256_ctx); 300 avb_sha256_update(&sha256_ctx, desc_salt, hash_desc.salt_len); 301 avb_sha256_update(&sha256_ctx, image_buf, hash_desc.image_size); 302 digest = avb_sha256_final(&sha256_ctx); 303 digest_len = AVB_SHA256_DIGEST_SIZE; 304 } else if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha512") == 0) { 305 AvbSHA512Ctx sha512_ctx; 306 avb_sha512_init(&sha512_ctx); 307 avb_sha512_update(&sha512_ctx, desc_salt, hash_desc.salt_len); 308 avb_sha512_update(&sha512_ctx, image_buf, hash_desc.image_size); 309 digest = avb_sha512_final(&sha512_ctx); 310 digest_len = AVB_SHA512_DIGEST_SIZE; 311 } else { 312 avb_errorv(part_name, ": Unsupported hash algorithm.\n", NULL); 313 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 314 goto out; 315 } 316 317 if (hash_desc.digest_len == 0) { 318 // Expect a match to a persistent digest. 319 avb_debugv(part_name, ": No digest, using persistent digest.\n", NULL); 320 expected_digest_len = digest_len; 321 expected_digest = expected_digest_buf; 322 avb_assert(expected_digest_len <= sizeof(expected_digest_buf)); 323 ret = 324 read_persistent_digest(ops, part_name, digest_len, expected_digest_buf); 325 if (ret != AVB_SLOT_VERIFY_RESULT_OK) { 326 goto out; 327 } 328 } else { 329 // Expect a match to the digest in the descriptor. 330 expected_digest_len = hash_desc.digest_len; 331 expected_digest = desc_digest; 332 } 333 334 if (digest_len != expected_digest_len) { 335 avb_errorv( 336 part_name, ": Digest in descriptor not of expected size.\n", NULL); 337 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 338 goto out; 339 } 340 341 if (avb_safe_memcmp(digest, expected_digest, digest_len) != 0) { 342 avb_errorv(part_name, 343 ": Hash of data does not match digest in descriptor.\n", 344 NULL); 345 ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION; 346 goto out; 347 } 348 349 ret = AVB_SLOT_VERIFY_RESULT_OK; 350 351 out: 352 353 /* If it worked and something was loaded, copy to slot_data. */ 354 if ((ret == AVB_SLOT_VERIFY_RESULT_OK || result_should_continue(ret)) && 355 image_buf != NULL) { 356 AvbPartitionData* loaded_partition; 357 if (slot_data->num_loaded_partitions == MAX_NUMBER_OF_LOADED_PARTITIONS) { 358 avb_errorv(part_name, ": Too many loaded partitions.\n", NULL); 359 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 360 goto fail; 361 } 362 loaded_partition = 363 &slot_data->loaded_partitions[slot_data->num_loaded_partitions++]; 364 loaded_partition->partition_name = avb_strdup(found); 365 loaded_partition->data_size = image_size; 366 loaded_partition->data = image_buf; 367 loaded_partition->preloaded = image_preloaded; 368 image_buf = NULL; 369 } 370 371 fail: 372 if (image_buf != NULL && !image_preloaded) { 373 sysmem_free((phys_addr_t)image_buf); 374 } 375 return ret; 376 } 377 378 static AvbSlotVerifyResult load_requested_partitions( 379 AvbOps* ops, 380 const char* const* requested_partitions, 381 const char* ab_suffix, 382 AvbSlotVerifyData* slot_data) { 383 AvbSlotVerifyResult ret; 384 uint8_t* image_buf = NULL; 385 bool image_preloaded = false; 386 size_t n; 387 388 if (ops->get_size_of_partition == NULL) { 389 avb_error("get_size_of_partition() not implemented.\n"); 390 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT; 391 goto out; 392 } 393 394 for (n = 0; requested_partitions[n] != NULL; n++) { 395 char part_name[AVB_PART_NAME_MAX_SIZE]; 396 AvbIOResult io_ret; 397 uint64_t image_size; 398 AvbPartitionData* loaded_partition; 399 400 if (!avb_str_concat(part_name, 401 sizeof part_name, 402 requested_partitions[n], 403 avb_strlen(requested_partitions[n]), 404 ab_suffix, 405 avb_strlen(ab_suffix))) { 406 avb_error("Partition name and suffix does not fit.\n"); 407 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 408 goto out; 409 } 410 411 io_ret = ops->get_size_of_partition(ops, part_name, &image_size); 412 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 413 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 414 goto out; 415 } else if (io_ret != AVB_IO_RESULT_OK) { 416 avb_errorv(part_name, ": Error determining partition size.\n", NULL); 417 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 418 goto out; 419 } 420 avb_debugv(part_name, ": Loading entire partition.\n", NULL); 421 422 ret = load_full_partition( 423 ops, part_name, image_size, &image_buf, &image_preloaded); 424 if (ret != AVB_SLOT_VERIFY_RESULT_OK) { 425 goto out; 426 } 427 428 /* Move to slot_data. */ 429 if (slot_data->num_loaded_partitions == MAX_NUMBER_OF_LOADED_PARTITIONS) { 430 avb_errorv(part_name, ": Too many loaded partitions.\n", NULL); 431 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 432 goto out; 433 } 434 loaded_partition = 435 &slot_data->loaded_partitions[slot_data->num_loaded_partitions++]; 436 loaded_partition->partition_name = avb_strdup(requested_partitions[n]); 437 if (loaded_partition->partition_name == NULL) { 438 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 439 goto out; 440 } 441 loaded_partition->data_size = image_size; 442 loaded_partition->data = image_buf; /* Transferring the owner. */ 443 loaded_partition->preloaded = image_preloaded; 444 image_buf = NULL; 445 image_preloaded = false; 446 } 447 448 ret = AVB_SLOT_VERIFY_RESULT_OK; 449 450 out: 451 /* Free the current buffer if any. */ 452 if (image_buf != NULL && !image_preloaded) { 453 sysmem_free((phys_addr_t)image_buf); 454 } 455 /* Buffers that are already saved in slot_data will be handled by the caller 456 * even on failure. */ 457 return ret; 458 } 459 460 static AvbSlotVerifyResult load_and_verify_vbmeta( 461 AvbOps* ops, 462 const char* const* requested_partitions, 463 const char* ab_suffix, 464 bool allow_verification_error, 465 AvbVBMetaImageFlags toplevel_vbmeta_flags, 466 int rollback_index_location, 467 const char* partition_name, 468 size_t partition_name_len, 469 const uint8_t* expected_public_key, 470 size_t expected_public_key_length, 471 AvbSlotVerifyData* slot_data, 472 AvbAlgorithmType* out_algorithm_type, 473 AvbCmdlineSubstList* out_additional_cmdline_subst) { 474 char full_partition_name[AVB_PART_NAME_MAX_SIZE]; 475 AvbSlotVerifyResult ret; 476 AvbIOResult io_ret; 477 size_t vbmeta_offset; 478 size_t vbmeta_size; 479 uint8_t* vbmeta_buf = NULL; 480 size_t vbmeta_num_read; 481 AvbVBMetaVerifyResult vbmeta_ret; 482 const uint8_t* pk_data; 483 size_t pk_len; 484 AvbVBMetaImageHeader vbmeta_header; 485 uint64_t stored_rollback_index; 486 const AvbDescriptor** descriptors = NULL; 487 size_t num_descriptors; 488 size_t n; 489 bool is_main_vbmeta; 490 bool is_vbmeta_partition; 491 AvbVBMetaData* vbmeta_image_data = NULL; 492 493 ret = AVB_SLOT_VERIFY_RESULT_OK; 494 495 avb_assert(slot_data != NULL); 496 497 /* Since we allow top-level vbmeta in 'boot', use 498 * rollback_index_location to determine whether we're the main 499 * vbmeta struct. 500 */ 501 is_main_vbmeta = (rollback_index_location == 0); 502 is_vbmeta_partition = (avb_strcmp(partition_name, "vbmeta") == 0); 503 504 if (!avb_validate_utf8((const uint8_t*)partition_name, partition_name_len)) { 505 avb_error("Partition name is not valid UTF-8.\n"); 506 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 507 goto out; 508 } 509 510 /* Construct full partition name. */ 511 if (!avb_str_concat(full_partition_name, 512 sizeof full_partition_name, 513 partition_name, 514 partition_name_len, 515 ab_suffix, 516 avb_strlen(ab_suffix))) { 517 avb_error("Partition name and suffix does not fit.\n"); 518 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 519 goto out; 520 } 521 522 avb_debugv("Loading vbmeta struct from partition '", 523 full_partition_name, 524 "'.\n", 525 NULL); 526 527 /* If we're loading from the main vbmeta partition, the vbmeta 528 * struct is in the beginning. Otherwise we have to locate it via a 529 * footer. 530 */ 531 if (is_vbmeta_partition) { 532 vbmeta_offset = 0; 533 vbmeta_size = VBMETA_MAX_SIZE; 534 } else { 535 uint8_t footer_buf[AVB_FOOTER_SIZE]; 536 size_t footer_num_read; 537 AvbFooter footer; 538 539 io_ret = ops->read_from_partition(ops, 540 full_partition_name, 541 -AVB_FOOTER_SIZE, 542 AVB_FOOTER_SIZE, 543 footer_buf, 544 &footer_num_read); 545 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 546 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 547 goto out; 548 } else if (io_ret != AVB_IO_RESULT_OK) { 549 avb_errorv(full_partition_name, ": Error loading footer.\n", NULL); 550 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 551 goto out; 552 } 553 avb_assert(footer_num_read == AVB_FOOTER_SIZE); 554 555 if (!avb_footer_validate_and_byteswap((const AvbFooter*)footer_buf, 556 &footer)) { 557 avb_errorv(full_partition_name, ": Error validating footer.\n", NULL); 558 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 559 goto out; 560 } 561 562 /* Basic footer sanity check since the data is untrusted. */ 563 if (footer.vbmeta_size > VBMETA_MAX_SIZE) { 564 avb_errorv( 565 full_partition_name, ": Invalid vbmeta size in footer.\n", NULL); 566 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 567 goto out; 568 } 569 570 vbmeta_offset = footer.vbmeta_offset; 571 vbmeta_size = footer.vbmeta_size; 572 } 573 574 vbmeta_buf = avb_malloc(vbmeta_size); 575 if (vbmeta_buf == NULL) { 576 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 577 goto out; 578 } 579 580 io_ret = ops->read_from_partition(ops, 581 full_partition_name, 582 vbmeta_offset, 583 vbmeta_size, 584 vbmeta_buf, 585 &vbmeta_num_read); 586 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 587 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 588 goto out; 589 } else if (io_ret != AVB_IO_RESULT_OK) { 590 /* If we're looking for 'vbmeta' but there is no such partition, 591 * go try to get it from the boot partition instead. 592 */ 593 if (is_main_vbmeta && io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION && 594 is_vbmeta_partition) { 595 avb_debugv(full_partition_name, 596 ": No such partition. Trying 'boot' instead.\n", 597 NULL); 598 ret = load_and_verify_vbmeta(ops, 599 requested_partitions, 600 ab_suffix, 601 allow_verification_error, 602 0 /* toplevel_vbmeta_flags */, 603 0 /* rollback_index_location */, 604 "boot", 605 avb_strlen("boot"), 606 NULL /* expected_public_key */, 607 0 /* expected_public_key_length */, 608 slot_data, 609 out_algorithm_type, 610 out_additional_cmdline_subst); 611 goto out; 612 } else { 613 avb_errorv(full_partition_name, ": Error loading vbmeta data.\n", NULL); 614 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 615 goto out; 616 } 617 } 618 avb_assert(vbmeta_num_read <= vbmeta_size); 619 620 /* Check if the image is properly signed and get the public key used 621 * to sign the image. 622 */ 623 vbmeta_ret = 624 avb_vbmeta_image_verify(vbmeta_buf, vbmeta_num_read, &pk_data, &pk_len); 625 switch (vbmeta_ret) { 626 case AVB_VBMETA_VERIFY_RESULT_OK: 627 avb_assert(pk_data != NULL && pk_len > 0); 628 break; 629 630 case AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED: 631 case AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH: 632 case AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH: 633 ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION; 634 avb_errorv(full_partition_name, 635 ": Error verifying vbmeta image: ", 636 avb_vbmeta_verify_result_to_string(vbmeta_ret), 637 "\n", 638 NULL); 639 if (!allow_verification_error) { 640 goto out; 641 } 642 break; 643 644 case AVB_VBMETA_VERIFY_RESULT_INVALID_VBMETA_HEADER: 645 /* No way to continue this case. */ 646 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 647 avb_errorv(full_partition_name, 648 ": Error verifying vbmeta image: invalid vbmeta header\n", 649 NULL); 650 goto out; 651 652 case AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION: 653 /* No way to continue this case. */ 654 ret = AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION; 655 avb_errorv(full_partition_name, 656 ": Error verifying vbmeta image: unsupported AVB version\n", 657 NULL); 658 goto out; 659 } 660 661 /* Byteswap the header. */ 662 avb_vbmeta_image_header_to_host_byte_order((AvbVBMetaImageHeader*)vbmeta_buf, 663 &vbmeta_header); 664 665 /* If we're the toplevel, assign flags so they'll be passed down. */ 666 if (is_main_vbmeta) { 667 toplevel_vbmeta_flags = (AvbVBMetaImageFlags)vbmeta_header.flags; 668 } else { 669 if (vbmeta_header.flags != 0) { 670 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 671 avb_errorv(full_partition_name, 672 ": chained vbmeta image has non-zero flags\n", 673 NULL); 674 goto out; 675 } 676 } 677 678 /* Check if key used to make signature matches what is expected. */ 679 if (pk_data != NULL) { 680 if (expected_public_key != NULL) { 681 avb_assert(!is_main_vbmeta); 682 if (expected_public_key_length != pk_len || 683 avb_safe_memcmp(expected_public_key, pk_data, pk_len) != 0) { 684 avb_errorv(full_partition_name, 685 ": Public key used to sign data does not match key in chain " 686 "partition descriptor.\n", 687 NULL); 688 ret = AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED; 689 if (!allow_verification_error) { 690 goto out; 691 } 692 } 693 } else { 694 bool key_is_trusted = false; 695 const uint8_t* pk_metadata = NULL; 696 size_t pk_metadata_len = 0; 697 698 if (vbmeta_header.public_key_metadata_size > 0) { 699 pk_metadata = vbmeta_buf + sizeof(AvbVBMetaImageHeader) + 700 vbmeta_header.authentication_data_block_size + 701 vbmeta_header.public_key_metadata_offset; 702 pk_metadata_len = vbmeta_header.public_key_metadata_size; 703 } 704 705 avb_assert(is_main_vbmeta); 706 io_ret = ops->validate_vbmeta_public_key( 707 ops, pk_data, pk_len, pk_metadata, pk_metadata_len, &key_is_trusted); 708 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 709 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 710 goto out; 711 } else if (io_ret != AVB_IO_RESULT_OK) { 712 avb_errorv(full_partition_name, 713 ": Error while checking public key used to sign data.\n", 714 NULL); 715 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 716 goto out; 717 } 718 if (!key_is_trusted) { 719 avb_errorv(full_partition_name, 720 ": Public key used to sign data rejected.\n", 721 NULL); 722 ret = AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED; 723 if (!allow_verification_error) { 724 goto out; 725 } 726 } 727 } 728 } 729 730 /* Check rollback index. */ 731 io_ret = ops->read_rollback_index( 732 ops, rollback_index_location, &stored_rollback_index); 733 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 734 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 735 goto out; 736 } else if (io_ret != AVB_IO_RESULT_OK) { 737 avb_errorv(full_partition_name, 738 ": Error getting rollback index for location.\n", 739 NULL); 740 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 741 goto out; 742 } 743 if (vbmeta_header.rollback_index < stored_rollback_index) { 744 avb_errorv( 745 full_partition_name, 746 ": Image rollback index is less than the stored rollback index.\n", 747 NULL); 748 ret = AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX; 749 if (!allow_verification_error) { 750 goto out; 751 } 752 } 753 754 /* Copy vbmeta to vbmeta_images before recursing. */ 755 if (is_main_vbmeta) { 756 avb_assert(slot_data->num_vbmeta_images == 0); 757 } else { 758 avb_assert(slot_data->num_vbmeta_images > 0); 759 } 760 if (slot_data->num_vbmeta_images == MAX_NUMBER_OF_VBMETA_IMAGES) { 761 avb_errorv(full_partition_name, ": Too many vbmeta images.\n", NULL); 762 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 763 goto out; 764 } 765 vbmeta_image_data = &slot_data->vbmeta_images[slot_data->num_vbmeta_images++]; 766 vbmeta_image_data->partition_name = avb_strdup(partition_name); 767 vbmeta_image_data->vbmeta_data = vbmeta_buf; 768 /* Note that |vbmeta_buf| is actually |vbmeta_num_read| bytes long 769 * and this includes data past the end of the image. Pass the 770 * actual size of the vbmeta image. Also, no need to use 771 * avb_safe_add() since the header has already been verified. 772 */ 773 vbmeta_image_data->vbmeta_size = 774 sizeof(AvbVBMetaImageHeader) + 775 vbmeta_header.authentication_data_block_size + 776 vbmeta_header.auxiliary_data_block_size; 777 vbmeta_image_data->verify_result = vbmeta_ret; 778 779 /* If verification has been disabled by setting a bit in the image, 780 * we're done... except that we need to load the entirety of the 781 * requested partitions. 782 */ 783 if (vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED) { 784 AvbSlotVerifyResult sub_ret; 785 avb_debugv( 786 full_partition_name, ": VERIFICATION_DISABLED bit is set.\n", NULL); 787 /* If load_requested_partitions() fail it is always a fatal 788 * failure (e.g. ERROR_INVALID_ARGUMENT, ERROR_OOM, etc.) rather 789 * than recoverable (e.g. one where result_should_continue() 790 * returns true) and we want to convey that error. 791 */ 792 sub_ret = load_requested_partitions( 793 ops, requested_partitions, ab_suffix, slot_data); 794 if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) { 795 ret = sub_ret; 796 } 797 goto out; 798 } 799 800 /* Now go through all descriptors and take the appropriate action: 801 * 802 * - hash descriptor: Load data from partition, calculate hash, and 803 * checks that it matches what's in the hash descriptor. 804 * 805 * - hashtree descriptor: Do nothing since verification happens 806 * on-the-fly from within the OS. (Unless the descriptor uses a 807 * persistent digest, in which case we need to find it). 808 * 809 * - chained partition descriptor: Load the footer, load the vbmeta 810 * image, verify vbmeta image (includes rollback checks, hash 811 * checks, bail on chained partitions). 812 */ 813 descriptors = 814 avb_descriptor_get_all(vbmeta_buf, vbmeta_num_read, &num_descriptors); 815 for (n = 0; n < num_descriptors; n++) { 816 AvbDescriptor desc; 817 818 if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) { 819 avb_errorv(full_partition_name, ": Descriptor is invalid.\n", NULL); 820 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 821 goto out; 822 } 823 824 switch (desc.tag) { 825 case AVB_DESCRIPTOR_TAG_HASH: { 826 AvbSlotVerifyResult sub_ret; 827 sub_ret = load_and_verify_hash_partition(ops, 828 requested_partitions, 829 ab_suffix, 830 allow_verification_error, 831 descriptors[n], 832 slot_data); 833 if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) { 834 ret = sub_ret; 835 if (!allow_verification_error || !result_should_continue(ret)) { 836 goto out; 837 } 838 } 839 } break; 840 841 case AVB_DESCRIPTOR_TAG_CHAIN_PARTITION: { 842 AvbSlotVerifyResult sub_ret; 843 AvbChainPartitionDescriptor chain_desc; 844 const uint8_t* chain_partition_name; 845 const uint8_t* chain_public_key; 846 847 /* Only allow CHAIN_PARTITION descriptors in the main vbmeta image. */ 848 if (!is_main_vbmeta) { 849 avb_errorv(full_partition_name, 850 ": Encountered chain descriptor not in main image.\n", 851 NULL); 852 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 853 goto out; 854 } 855 856 if (!avb_chain_partition_descriptor_validate_and_byteswap( 857 (AvbChainPartitionDescriptor*)descriptors[n], &chain_desc)) { 858 avb_errorv(full_partition_name, 859 ": Chain partition descriptor is invalid.\n", 860 NULL); 861 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 862 goto out; 863 } 864 865 if (chain_desc.rollback_index_location == 0) { 866 avb_errorv(full_partition_name, 867 ": Chain partition has invalid " 868 "rollback_index_location field.\n", 869 NULL); 870 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 871 goto out; 872 } 873 874 chain_partition_name = ((const uint8_t*)descriptors[n]) + 875 sizeof(AvbChainPartitionDescriptor); 876 chain_public_key = chain_partition_name + chain_desc.partition_name_len; 877 878 sub_ret = 879 load_and_verify_vbmeta(ops, 880 requested_partitions, 881 ab_suffix, 882 allow_verification_error, 883 toplevel_vbmeta_flags, 884 chain_desc.rollback_index_location, 885 (const char*)chain_partition_name, 886 chain_desc.partition_name_len, 887 chain_public_key, 888 chain_desc.public_key_len, 889 slot_data, 890 NULL, /* out_algorithm_type */ 891 NULL /* out_additional_cmdline_subst */); 892 if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) { 893 ret = sub_ret; 894 if (!result_should_continue(ret)) { 895 goto out; 896 } 897 } 898 } break; 899 900 case AVB_DESCRIPTOR_TAG_KERNEL_CMDLINE: { 901 const uint8_t* kernel_cmdline; 902 AvbKernelCmdlineDescriptor kernel_cmdline_desc; 903 bool apply_cmdline; 904 905 if (!avb_kernel_cmdline_descriptor_validate_and_byteswap( 906 (AvbKernelCmdlineDescriptor*)descriptors[n], 907 &kernel_cmdline_desc)) { 908 avb_errorv(full_partition_name, 909 ": Kernel cmdline descriptor is invalid.\n", 910 NULL); 911 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 912 goto out; 913 } 914 915 kernel_cmdline = ((const uint8_t*)descriptors[n]) + 916 sizeof(AvbKernelCmdlineDescriptor); 917 918 if (!avb_validate_utf8(kernel_cmdline, 919 kernel_cmdline_desc.kernel_cmdline_length)) { 920 avb_errorv(full_partition_name, 921 ": Kernel cmdline is not valid UTF-8.\n", 922 NULL); 923 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 924 goto out; 925 } 926 927 /* Compare the flags for top-level VBMeta struct with flags in 928 * the command-line descriptor so command-line snippets only 929 * intended for a certain mode (dm-verity enabled/disabled) 930 * are skipped if applicable. 931 */ 932 apply_cmdline = true; 933 if (toplevel_vbmeta_flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED) { 934 if (kernel_cmdline_desc.flags & 935 AVB_KERNEL_CMDLINE_FLAGS_USE_ONLY_IF_HASHTREE_NOT_DISABLED) { 936 apply_cmdline = false; 937 } 938 } else { 939 if (kernel_cmdline_desc.flags & 940 AVB_KERNEL_CMDLINE_FLAGS_USE_ONLY_IF_HASHTREE_DISABLED) { 941 apply_cmdline = false; 942 } 943 } 944 945 if (apply_cmdline) { 946 if (slot_data->cmdline == NULL) { 947 slot_data->cmdline = 948 avb_calloc(kernel_cmdline_desc.kernel_cmdline_length + 1); 949 if (slot_data->cmdline == NULL) { 950 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 951 goto out; 952 } 953 avb_memcpy(slot_data->cmdline, 954 kernel_cmdline, 955 kernel_cmdline_desc.kernel_cmdline_length); 956 } else { 957 /* new cmdline is: <existing_cmdline> + ' ' + <newcmdline> + '\0' */ 958 size_t orig_size = avb_strlen(slot_data->cmdline); 959 size_t new_size = 960 orig_size + 1 + kernel_cmdline_desc.kernel_cmdline_length + 1; 961 char* new_cmdline = avb_calloc(new_size); 962 if (new_cmdline == NULL) { 963 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 964 goto out; 965 } 966 avb_memcpy(new_cmdline, slot_data->cmdline, orig_size); 967 new_cmdline[orig_size] = ' '; 968 avb_memcpy(new_cmdline + orig_size + 1, 969 kernel_cmdline, 970 kernel_cmdline_desc.kernel_cmdline_length); 971 avb_free(slot_data->cmdline); 972 slot_data->cmdline = new_cmdline; 973 } 974 } 975 } break; 976 977 case AVB_DESCRIPTOR_TAG_HASHTREE: { 978 AvbHashtreeDescriptor hashtree_desc; 979 980 if (!avb_hashtree_descriptor_validate_and_byteswap( 981 (AvbHashtreeDescriptor*)descriptors[n], &hashtree_desc)) { 982 avb_errorv( 983 full_partition_name, ": Hashtree descriptor is invalid.\n", NULL); 984 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 985 goto out; 986 } 987 988 /* We only need to continue when there is no digest in the descriptor. 989 * This is because the only processing here is to find the digest and 990 * make it available on the kernel command line. 991 */ 992 if (hashtree_desc.root_digest_len == 0) { 993 char part_name[AVB_PART_NAME_MAX_SIZE]; 994 size_t digest_len = 0; 995 uint8_t digest_buf[AVB_SHA512_DIGEST_SIZE]; 996 const uint8_t* desc_partition_name = 997 ((const uint8_t*)descriptors[n]) + sizeof(AvbHashtreeDescriptor); 998 999 if (!avb_validate_utf8(desc_partition_name, 1000 hashtree_desc.partition_name_len)) { 1001 avb_error("Partition name is not valid UTF-8.\n"); 1002 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 1003 goto out; 1004 } 1005 1006 /* No ab_suffix for partitions without a digest in the descriptor 1007 * because these partitions hold data unique to this device and are 1008 * not updated using an A/B scheme. 1009 */ 1010 if ((hashtree_desc.flags & 1011 AVB_HASHTREE_DESCRIPTOR_FLAGS_DO_NOT_USE_AB) == 0 && 1012 avb_strlen(ab_suffix) != 0) { 1013 avb_error("Cannot use A/B with a persistent root digest.\n"); 1014 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 1015 goto out; 1016 } 1017 if (hashtree_desc.partition_name_len >= AVB_PART_NAME_MAX_SIZE) { 1018 avb_error("Partition name does not fit.\n"); 1019 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 1020 goto out; 1021 } 1022 avb_memcpy( 1023 part_name, desc_partition_name, hashtree_desc.partition_name_len); 1024 part_name[hashtree_desc.partition_name_len] = '\0'; 1025 1026 /* Determine the expected digest size from the hash algorithm. */ 1027 if (avb_strcmp((const char*)hashtree_desc.hash_algorithm, "sha1") == 1028 0) { 1029 digest_len = AVB_SHA1_DIGEST_SIZE; 1030 } else if (avb_strcmp((const char*)hashtree_desc.hash_algorithm, 1031 "sha256") == 0) { 1032 digest_len = AVB_SHA256_DIGEST_SIZE; 1033 } else if (avb_strcmp((const char*)hashtree_desc.hash_algorithm, 1034 "sha512") == 0) { 1035 digest_len = AVB_SHA512_DIGEST_SIZE; 1036 } else { 1037 avb_errorv(part_name, ": Unsupported hash algorithm.\n", NULL); 1038 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 1039 goto out; 1040 } 1041 1042 ret = read_persistent_digest(ops, part_name, digest_len, digest_buf); 1043 if (ret != AVB_SLOT_VERIFY_RESULT_OK) { 1044 goto out; 1045 } 1046 1047 if (out_additional_cmdline_subst) { 1048 ret = 1049 avb_add_root_digest_substitution(part_name, 1050 digest_buf, 1051 digest_len, 1052 out_additional_cmdline_subst); 1053 if (ret != AVB_SLOT_VERIFY_RESULT_OK) { 1054 goto out; 1055 } 1056 } 1057 } 1058 } break; 1059 1060 case AVB_DESCRIPTOR_TAG_PROPERTY: 1061 /* Do nothing. */ 1062 break; 1063 } 1064 } 1065 1066 if (rollback_index_location >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) { 1067 avb_errorv( 1068 full_partition_name, ": Invalid rollback_index_location.\n", NULL); 1069 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 1070 goto out; 1071 } 1072 1073 slot_data->rollback_indexes[rollback_index_location] = 1074 vbmeta_header.rollback_index; 1075 1076 if (out_algorithm_type != NULL) { 1077 *out_algorithm_type = (AvbAlgorithmType)vbmeta_header.algorithm_type; 1078 } 1079 1080 out: 1081 /* If |vbmeta_image_data| isn't NULL it means that it adopted 1082 * |vbmeta_buf| so in that case don't free it here. 1083 */ 1084 if (vbmeta_image_data == NULL) { 1085 if (vbmeta_buf != NULL) { 1086 avb_free(vbmeta_buf); 1087 } 1088 } 1089 if (descriptors != NULL) { 1090 avb_free(descriptors); 1091 } 1092 return ret; 1093 } 1094 1095 AvbSlotVerifyResult avb_slot_verify(AvbOps* ops, 1096 const char* const* requested_partitions, 1097 const char* ab_suffix, 1098 AvbSlotVerifyFlags flags, 1099 AvbHashtreeErrorMode hashtree_error_mode, 1100 AvbSlotVerifyData** out_data) { 1101 AvbSlotVerifyResult ret; 1102 AvbSlotVerifyData* slot_data = NULL; 1103 AvbAlgorithmType algorithm_type = AVB_ALGORITHM_TYPE_NONE; 1104 bool using_boot_for_vbmeta = false; 1105 AvbVBMetaImageHeader toplevel_vbmeta; 1106 bool allow_verification_error = 1107 (flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR); 1108 AvbCmdlineSubstList* additional_cmdline_subst = NULL; 1109 1110 /* Fail early if we're missing the AvbOps needed for slot verification. 1111 * 1112 * For now, handle get_size_of_partition() not being implemented. In 1113 * a later release we may change that. 1114 */ 1115 avb_assert(ops->read_is_device_unlocked != NULL); 1116 avb_assert(ops->read_from_partition != NULL); 1117 avb_assert(ops->validate_vbmeta_public_key != NULL); 1118 avb_assert(ops->read_rollback_index != NULL); 1119 avb_assert(ops->get_unique_guid_for_partition != NULL); 1120 1121 if (out_data != NULL) { 1122 *out_data = NULL; 1123 } 1124 1125 /* Allowing dm-verity errors defeats the purpose of verified boot so 1126 * only allow this if set up to allow verification errors 1127 * (e.g. typically only UNLOCKED mode). 1128 */ 1129 if (hashtree_error_mode == AVB_HASHTREE_ERROR_MODE_LOGGING && 1130 !allow_verification_error) { 1131 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT; 1132 goto fail; 1133 } 1134 1135 slot_data = avb_calloc(sizeof(AvbSlotVerifyData)); 1136 if (slot_data == NULL) { 1137 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1138 goto fail; 1139 } 1140 slot_data->vbmeta_images = 1141 avb_calloc(sizeof(AvbVBMetaData) * MAX_NUMBER_OF_VBMETA_IMAGES); 1142 if (slot_data->vbmeta_images == NULL) { 1143 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1144 goto fail; 1145 } 1146 slot_data->loaded_partitions = 1147 avb_calloc(sizeof(AvbPartitionData) * MAX_NUMBER_OF_LOADED_PARTITIONS); 1148 if (slot_data->loaded_partitions == NULL) { 1149 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1150 goto fail; 1151 } 1152 1153 additional_cmdline_subst = avb_new_cmdline_subst_list(); 1154 if (additional_cmdline_subst == NULL) { 1155 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1156 goto fail; 1157 } 1158 1159 ret = load_and_verify_vbmeta(ops, 1160 requested_partitions, 1161 ab_suffix, 1162 allow_verification_error, 1163 0 /* toplevel_vbmeta_flags */, 1164 0 /* rollback_index_location */, 1165 "vbmeta", 1166 avb_strlen("vbmeta"), 1167 NULL /* expected_public_key */, 1168 0 /* expected_public_key_length */, 1169 slot_data, 1170 &algorithm_type, 1171 additional_cmdline_subst); 1172 if (!allow_verification_error && ret != AVB_SLOT_VERIFY_RESULT_OK) { 1173 goto fail; 1174 } 1175 1176 /* If things check out, mangle the kernel command-line as needed. */ 1177 if (result_should_continue(ret)) { 1178 if (avb_strcmp(slot_data->vbmeta_images[0].partition_name, "vbmeta") != 0) { 1179 avb_assert( 1180 avb_strcmp(slot_data->vbmeta_images[0].partition_name, "boot") == 0); 1181 using_boot_for_vbmeta = true; 1182 } 1183 1184 /* Byteswap top-level vbmeta header since we'll need it below. */ 1185 avb_vbmeta_image_header_to_host_byte_order( 1186 (const AvbVBMetaImageHeader*)slot_data->vbmeta_images[0].vbmeta_data, 1187 &toplevel_vbmeta); 1188 1189 /* Fill in |ab_suffix| field. */ 1190 slot_data->ab_suffix = avb_strdup(ab_suffix); 1191 if (slot_data->ab_suffix == NULL) { 1192 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1193 goto fail; 1194 } 1195 1196 /* If verification is disabled, we are done ... we specifically 1197 * don't want to add any androidboot.* options since verification 1198 * is disabled. 1199 */ 1200 if (toplevel_vbmeta.flags & AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED) { 1201 /* Since verification is disabled we didn't process any 1202 * descriptors and thus there's no cmdline... so set root= such 1203 * that the system partition is mounted. 1204 */ 1205 avb_assert(slot_data->cmdline == NULL); 1206 slot_data->cmdline = 1207 avb_strdup("root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)"); 1208 if (slot_data->cmdline == NULL) { 1209 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1210 goto fail; 1211 } 1212 } else { 1213 /* Add options - any failure in avb_append_options() is either an 1214 * I/O or OOM error. 1215 */ 1216 AvbSlotVerifyResult sub_ret = avb_append_options(ops, 1217 slot_data, 1218 &toplevel_vbmeta, 1219 algorithm_type, 1220 hashtree_error_mode); 1221 if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) { 1222 ret = sub_ret; 1223 goto fail; 1224 } 1225 } 1226 1227 /* Substitute $(ANDROID_SYSTEM_PARTUUID) and friends. */ 1228 if (slot_data->cmdline != NULL) { 1229 char* new_cmdline; 1230 new_cmdline = avb_sub_cmdline(ops, 1231 slot_data->cmdline, 1232 ab_suffix, 1233 using_boot_for_vbmeta, 1234 additional_cmdline_subst); 1235 if (new_cmdline != slot_data->cmdline) { 1236 if (new_cmdline == NULL) { 1237 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1238 goto fail; 1239 } 1240 avb_free(slot_data->cmdline); 1241 slot_data->cmdline = new_cmdline; 1242 } 1243 } 1244 1245 if (out_data != NULL) { 1246 *out_data = slot_data; 1247 } else { 1248 avb_slot_verify_data_free(slot_data); 1249 } 1250 } 1251 1252 avb_free_cmdline_subst_list(additional_cmdline_subst); 1253 additional_cmdline_subst = NULL; 1254 1255 if (!allow_verification_error) { 1256 avb_assert(ret == AVB_SLOT_VERIFY_RESULT_OK); 1257 } 1258 1259 return ret; 1260 1261 fail: 1262 if (slot_data != NULL) { 1263 avb_slot_verify_data_free(slot_data); 1264 } 1265 if (additional_cmdline_subst != NULL) { 1266 avb_free_cmdline_subst_list(additional_cmdline_subst); 1267 } 1268 return ret; 1269 } 1270 1271 void avb_slot_verify_data_free(AvbSlotVerifyData* data) { 1272 if (data->ab_suffix != NULL) { 1273 avb_free(data->ab_suffix); 1274 } 1275 if (data->cmdline != NULL) { 1276 avb_free(data->cmdline); 1277 } 1278 if (data->vbmeta_images != NULL) { 1279 size_t n; 1280 for (n = 0; n < data->num_vbmeta_images; n++) { 1281 AvbVBMetaData* vbmeta_image = &data->vbmeta_images[n]; 1282 if (vbmeta_image->partition_name != NULL) { 1283 avb_free(vbmeta_image->partition_name); 1284 } 1285 if (vbmeta_image->vbmeta_data != NULL) { 1286 avb_free(vbmeta_image->vbmeta_data); 1287 } 1288 } 1289 avb_free(data->vbmeta_images); 1290 } 1291 if (data->loaded_partitions != NULL) { 1292 size_t n; 1293 for (n = 0; n < data->num_loaded_partitions; n++) { 1294 AvbPartitionData* loaded_partition = &data->loaded_partitions[n]; 1295 if (loaded_partition->partition_name != NULL) { 1296 avb_free(loaded_partition->partition_name); 1297 } 1298 if (loaded_partition->data != NULL && !loaded_partition->preloaded) { 1299 sysmem_free((phys_addr_t)loaded_partition->data); 1300 } 1301 } 1302 avb_free(data->loaded_partitions); 1303 } 1304 avb_free(data); 1305 } 1306 1307 const char* avb_slot_verify_result_to_string(AvbSlotVerifyResult result) { 1308 const char* ret = NULL; 1309 1310 switch (result) { 1311 case AVB_SLOT_VERIFY_RESULT_OK: 1312 ret = "OK"; 1313 break; 1314 case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: 1315 ret = "ERROR_OOM"; 1316 break; 1317 case AVB_SLOT_VERIFY_RESULT_ERROR_IO: 1318 ret = "ERROR_IO"; 1319 break; 1320 case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: 1321 ret = "ERROR_VERIFICATION"; 1322 break; 1323 case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: 1324 ret = "ERROR_ROLLBACK_INDEX"; 1325 break; 1326 case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: 1327 ret = "ERROR_PUBLIC_KEY_REJECTED"; 1328 break; 1329 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: 1330 ret = "ERROR_INVALID_METADATA"; 1331 break; 1332 case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: 1333 ret = "ERROR_UNSUPPORTED_VERSION"; 1334 break; 1335 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT: 1336 ret = "ERROR_INVALID_ARGUMENT"; 1337 break; 1338 /* Do not add a 'default:' case here because of -Wswitch. */ 1339 } 1340 1341 if (ret == NULL) { 1342 avb_error("Unknown AvbSlotVerifyResult value.\n"); 1343 ret = "(unknown)"; 1344 } 1345 1346 return ret; 1347 } 1348 1349 void avb_slot_verify_data_calculate_vbmeta_digest(AvbSlotVerifyData* data, 1350 AvbDigestType digest_type, 1351 uint8_t* out_digest) { 1352 bool ret = false; 1353 size_t n; 1354 1355 switch (digest_type) { 1356 case AVB_DIGEST_TYPE_SHA256: { 1357 AvbSHA256Ctx ctx; 1358 avb_sha256_init(&ctx); 1359 for (n = 0; n < data->num_vbmeta_images; n++) { 1360 avb_sha256_update(&ctx, 1361 data->vbmeta_images[n].vbmeta_data, 1362 data->vbmeta_images[n].vbmeta_size); 1363 } 1364 avb_memcpy(out_digest, avb_sha256_final(&ctx), AVB_SHA256_DIGEST_SIZE); 1365 ret = true; 1366 } break; 1367 1368 case AVB_DIGEST_TYPE_SHA512: { 1369 AvbSHA512Ctx ctx; 1370 avb_sha512_init(&ctx); 1371 for (n = 0; n < data->num_vbmeta_images; n++) { 1372 avb_sha512_update(&ctx, 1373 data->vbmeta_images[n].vbmeta_data, 1374 data->vbmeta_images[n].vbmeta_size); 1375 } 1376 avb_memcpy(out_digest, avb_sha512_final(&ctx), AVB_SHA512_DIGEST_SIZE); 1377 ret = true; 1378 } break; 1379 1380 /* Do not add a 'default:' case here because of -Wswitch. */ 1381 } 1382 1383 if (!ret) { 1384 avb_fatal("Unknown digest type"); 1385 } 1386 } 1387