1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 #include <android_avb/avb_ops_user.h> 32 #include <android_avb/rk_avb_ops_user.h> 33 #include <malloc.h> 34 #include <common.h> 35 #ifdef CONFIG_DM_CRYPTO 36 #include <crypto.h> 37 #endif 38 39 /* The most recent unlock challenge generated. */ 40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 41 static bool last_unlock_challenge_set = false; 42 43 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 44 static void sha256(const uint8_t* data, 45 uint32_t length, 46 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 47 AvbSHA256Ctx context; 48 avb_sha256_init(&context); 49 avb_sha256_update(&context, data, length); 50 uint8_t* tmp = avb_sha256_final(&context); 51 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 52 } 53 54 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 55 static void sha512(const uint8_t* data, 56 uint32_t length, 57 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 58 AvbSHA512Ctx context; 59 avb_sha512_init(&context); 60 avb_sha512_update(&context, data, length); 61 uint8_t* tmp = avb_sha512_final(&context); 62 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 63 } 64 65 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 66 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 67 sha256((const uint8_t*)str, avb_strlen(str), hash); 68 } 69 70 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 71 static bool verify_permanent_attributes( 72 const AvbAtxPermanentAttributes* attributes, 73 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 74 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 75 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY 76 #ifdef CONFIG_DM_CRYPTO 77 u32 cap = CRYPTO_MD5 | CRYPTO_SHA1 | CRYPTO_SHA256 | CRYPTO_RSA2048; 78 uint8_t rsa_hash[256] = {0}; 79 uint8_t rsa_hash_revert[256] = {0}; 80 unsigned int rsaResult_temp[8]; 81 unsigned char rsaResult[32] = {0}; 82 struct rk_pub_key pub_key; 83 struct udevice *dev; 84 rsa_key rsa_key; 85 char *temp; 86 int ret = 0; 87 int i; 88 89 memset(&pub_key, 0, sizeof(struct rk_pub_key)); 90 ret = rk_avb_get_pub_key(&pub_key); 91 if (ret) 92 return false; 93 94 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256); 95 if (ret) { 96 avb_error("get_perm_attr_cer error\n"); 97 return false; 98 } 99 100 for (i = 0; i < 256; i++) 101 rsa_hash_revert[255-i] = rsa_hash[i]; 102 103 dev = crypto_get_device(cap); 104 if (!dev) { 105 avb_error("Can't find crypto device for expected capability\n"); 106 return false; 107 } 108 109 memset(&rsa_key, 0x00, sizeof(rsa_key)); 110 rsa_key.algo = CRYPTO_RSA2048; 111 rsa_key.n = (u32 *)&pub_key.rsa_n; 112 rsa_key.e = (u32 *)&pub_key.rsa_e; 113 #ifdef CONFIG_ROCKCHIP_CRYPTO_V1 114 rsa_key.c = (u32 *)&pub_key.rsa_c; 115 #endif 116 ret = crypto_rsa_verify(dev, &rsa_key, (u8 *)rsa_hash_revert, (u8 *)rsaResult_temp); 117 if (ret) { 118 avb_error("Hardware verify error!\n"); 119 return false; 120 } 121 122 temp = (char *)rsaResult_temp; 123 for (i = 0; i < 32; i++) 124 rsaResult[31-i] = temp[i]; 125 126 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 127 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0) 128 return true; 129 130 return false; 131 #endif 132 #else 133 if (attributes->version != 1) { 134 avb_error("Unsupported permanent attributes version.\n"); 135 return false; 136 } 137 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 138 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 139 avb_error("Invalid permanent attributes.\n"); 140 return false; 141 } 142 return true; 143 #endif 144 } 145 146 /* Verifies the format, key version, usage, and signature of a certificate. */ 147 static bool verify_certificate( 148 const AvbAtxCertificate* certificate, 149 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 150 uint64_t minimum_key_version, 151 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 152 const AvbAlgorithmData* algorithm_data; 153 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 154 155 if (certificate->signed_data.version != 1) { 156 avb_error("Unsupported certificate format.\n"); 157 return false; 158 } 159 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 160 sha512((const uint8_t*)&certificate->signed_data, 161 sizeof(AvbAtxCertificateSignedData), 162 certificate_hash); 163 if (!avb_rsa_verify(authority, 164 AVB_ATX_PUBLIC_KEY_SIZE, 165 certificate->signature, 166 AVB_RSA4096_NUM_BYTES, 167 certificate_hash, 168 AVB_SHA512_DIGEST_SIZE, 169 algorithm_data->padding, 170 algorithm_data->padding_len)) { 171 avb_error("Invalid certificate signature.\n"); 172 return false; 173 } 174 if (certificate->signed_data.key_version < minimum_key_version) { 175 avb_error("Key rollback detected.\n"); 176 return false; 177 } 178 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 179 expected_usage, 180 AVB_SHA256_DIGEST_SIZE)) { 181 avb_error("Invalid certificate usage.\n"); 182 return false; 183 } 184 return true; 185 } 186 187 /* Verifies signature and fields of a PIK certificate. */ 188 static bool verify_pik_certificate( 189 const AvbAtxCertificate* certificate, 190 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 191 uint64_t minimum_version) { 192 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 193 194 sha256_str("com.google.android.things.vboot.ca", expected_usage); 195 if (!verify_certificate( 196 certificate, authority, minimum_version, expected_usage)) { 197 avb_error("Invalid PIK certificate.\n"); 198 return false; 199 } 200 return true; 201 } 202 203 /* Verifies signature and fields of a PSK certificate. */ 204 static bool verify_psk_certificate( 205 const AvbAtxCertificate* certificate, 206 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 207 uint64_t minimum_version, 208 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 209 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 210 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 211 212 sha256_str("com.google.android.things.vboot", expected_usage); 213 if (!verify_certificate( 214 certificate, authority, minimum_version, expected_usage)) { 215 avb_error("Invalid PSK certificate.\n"); 216 return false; 217 } 218 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 219 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 220 expected_subject, 221 AVB_SHA256_DIGEST_SIZE)) { 222 avb_error("PSK: Product ID mismatch.\n"); 223 return false; 224 } 225 return true; 226 } 227 228 /* Verifies signature and fields of a PUK certificate. */ 229 static bool verify_puk_certificate( 230 const AvbAtxCertificate* certificate, 231 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 232 uint64_t minimum_version, 233 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 234 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 235 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 236 237 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 238 if (!verify_certificate( 239 certificate, authority, minimum_version, expected_usage)) { 240 avb_error("Invalid PUK certificate.\n"); 241 return false; 242 } 243 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 244 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 245 expected_subject, 246 AVB_SHA256_DIGEST_SIZE)) { 247 avb_error("PUK: Product ID mismatch.\n"); 248 return false; 249 } 250 return true; 251 } 252 253 AvbIOResult avb_atx_validate_vbmeta_public_key( 254 AvbOps* ops, 255 const uint8_t* public_key_data, 256 size_t public_key_length, 257 const uint8_t* public_key_metadata, 258 size_t public_key_metadata_length, 259 bool* out_is_trusted) { 260 AvbIOResult result = AVB_IO_RESULT_OK; 261 AvbAtxPermanentAttributes permanent_attributes; 262 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 263 AvbAtxPublicKeyMetadata metadata; 264 uint64_t minimum_version; 265 266 /* Be pessimistic so we can exit early without having to remember to clear. 267 */ 268 *out_is_trusted = false; 269 270 /* Read and verify permanent attributes. */ 271 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 272 &permanent_attributes); 273 if (result != AVB_IO_RESULT_OK) { 274 avb_error("Failed to read permanent attributes.\n"); 275 return result; 276 } 277 result = ops->atx_ops->read_permanent_attributes_hash( 278 ops->atx_ops, permanent_attributes_hash); 279 if (result != AVB_IO_RESULT_OK) { 280 avb_error("Failed to read permanent attributes hash.\n"); 281 return result; 282 } 283 if (!verify_permanent_attributes(&permanent_attributes, 284 permanent_attributes_hash)) { 285 return AVB_IO_RESULT_OK; 286 } 287 288 /* Sanity check public key metadata. */ 289 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 290 avb_error("Invalid public key metadata.\n"); 291 return AVB_IO_RESULT_OK; 292 } 293 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 294 if (metadata.version != 1) { 295 avb_error("Unsupported public key metadata.\n"); 296 return AVB_IO_RESULT_OK; 297 } 298 299 /* Verify the PIK certificate. */ 300 result = ops->read_rollback_index( 301 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 302 if (result != AVB_IO_RESULT_OK) { 303 avb_error("Failed to read PIK minimum version.\n"); 304 return result; 305 } 306 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 307 permanent_attributes.product_root_public_key, 308 minimum_version)) { 309 return AVB_IO_RESULT_OK; 310 } 311 312 /* Verify the PSK certificate. */ 313 result = ops->read_rollback_index( 314 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 315 if (result != AVB_IO_RESULT_OK) { 316 avb_error("Failed to read PSK minimum version.\n"); 317 return result; 318 } 319 if (!verify_psk_certificate( 320 &metadata.product_signing_key_certificate, 321 metadata.product_intermediate_key_certificate.signed_data.public_key, 322 minimum_version, 323 permanent_attributes.product_id)) { 324 return AVB_IO_RESULT_OK; 325 } 326 327 /* Verify the PSK is the same key that verified vbmeta. */ 328 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 329 avb_error("Public key length mismatch.\n"); 330 return AVB_IO_RESULT_OK; 331 } 332 if (0 != avb_safe_memcmp( 333 metadata.product_signing_key_certificate.signed_data.public_key, 334 public_key_data, 335 AVB_ATX_PUBLIC_KEY_SIZE)) { 336 avb_error("Public key mismatch.\n"); 337 return AVB_IO_RESULT_OK; 338 } 339 340 /* Report the key versions used during verification. */ 341 ops->atx_ops->set_key_version( 342 ops->atx_ops, 343 AVB_ATX_PIK_VERSION_LOCATION, 344 metadata.product_intermediate_key_certificate.signed_data.key_version); 345 ops->atx_ops->set_key_version( 346 ops->atx_ops, 347 AVB_ATX_PSK_VERSION_LOCATION, 348 metadata.product_signing_key_certificate.signed_data.key_version); 349 350 *out_is_trusted = true; 351 return AVB_IO_RESULT_OK; 352 } 353 354 AvbIOResult avb_atx_generate_unlock_challenge( 355 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 356 AvbIOResult result = AVB_IO_RESULT_OK; 357 AvbAtxPermanentAttributes permanent_attributes; 358 359 /* We need the permanent attributes to compute the product_id_hash. */ 360 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 361 if (result != AVB_IO_RESULT_OK) { 362 avb_error("Failed to read permanent attributes.\n"); 363 return result; 364 } 365 result = atx_ops->get_random( 366 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 367 if (result != AVB_IO_RESULT_OK) { 368 avb_error("Failed to generate random challenge.\n"); 369 return result; 370 } 371 last_unlock_challenge_set = true; 372 out_unlock_challenge->version = 1; 373 sha256(permanent_attributes.product_id, 374 AVB_ATX_PRODUCT_ID_SIZE, 375 out_unlock_challenge->product_id_hash); 376 avb_memcpy(out_unlock_challenge->challenge, 377 last_unlock_challenge, 378 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 379 return result; 380 } 381 382 AvbIOResult avb_atx_validate_unlock_credential( 383 AvbAtxOps* atx_ops, 384 const AvbAtxUnlockCredential* unlock_credential, 385 bool* out_is_trusted) { 386 AvbIOResult result = AVB_IO_RESULT_OK; 387 AvbAtxPermanentAttributes permanent_attributes; 388 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 389 uint64_t minimum_version; 390 const AvbAlgorithmData* algorithm_data; 391 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 392 393 /* Be pessimistic so we can exit early without having to remember to clear. 394 */ 395 *out_is_trusted = false; 396 397 /* Sanity check the credential. */ 398 if (unlock_credential->version != 1) { 399 avb_error("Unsupported unlock credential format.\n"); 400 return AVB_IO_RESULT_OK; 401 } 402 403 /* Read and verify permanent attributes. */ 404 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 405 if (result != AVB_IO_RESULT_OK) { 406 avb_error("Failed to read permanent attributes.\n"); 407 return result; 408 } 409 result = atx_ops->read_permanent_attributes_hash(atx_ops, 410 permanent_attributes_hash); 411 if (result != AVB_IO_RESULT_OK) { 412 avb_error("Failed to read permanent attributes hash.\n"); 413 return result; 414 } 415 if (!verify_permanent_attributes(&permanent_attributes, 416 permanent_attributes_hash)) { 417 return AVB_IO_RESULT_OK; 418 } 419 420 /* Verify the PIK certificate. */ 421 result = atx_ops->ops->read_rollback_index( 422 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 423 if (result != AVB_IO_RESULT_OK) { 424 avb_error("Failed to read PIK minimum version.\n"); 425 return result; 426 } 427 if (!verify_pik_certificate( 428 &unlock_credential->product_intermediate_key_certificate, 429 permanent_attributes.product_root_public_key, 430 minimum_version)) { 431 return AVB_IO_RESULT_OK; 432 } 433 434 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 435 result = atx_ops->ops->read_rollback_index( 436 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 437 if (result != AVB_IO_RESULT_OK) { 438 avb_error("Failed to read PSK minimum version.\n"); 439 return result; 440 } 441 if (!verify_puk_certificate( 442 &unlock_credential->product_unlock_key_certificate, 443 unlock_credential->product_intermediate_key_certificate.signed_data 444 .public_key, 445 minimum_version, 446 permanent_attributes.product_id)) { 447 return AVB_IO_RESULT_OK; 448 } 449 450 /* Hash the most recent unlock challenge. */ 451 if (!last_unlock_challenge_set) { 452 avb_error("Challenge does not exist.\n"); 453 return AVB_IO_RESULT_OK; 454 } 455 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 456 last_unlock_challenge_set = false; 457 458 /* Verify the challenge signature. */ 459 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 460 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 461 .signed_data.public_key, 462 AVB_ATX_PUBLIC_KEY_SIZE, 463 unlock_credential->challenge_signature, 464 AVB_RSA4096_NUM_BYTES, 465 challenge_hash, 466 AVB_SHA512_DIGEST_SIZE, 467 algorithm_data->padding, 468 algorithm_data->padding_len)) { 469 avb_error("Invalid unlock challenge signature.\n"); 470 return AVB_IO_RESULT_OK; 471 } 472 473 *out_is_trusted = true; 474 return AVB_IO_RESULT_OK; 475 } 476