1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 #include <android_avb/avb_ops_user.h> 32 #include <android_avb/rk_avb_ops_user.h> 33 #include <malloc.h> 34 #include <common.h> 35 #ifdef CONFIG_DM_CRYPTO 36 #include <crypto.h> 37 #endif 38 39 /* The most recent unlock challenge generated. */ 40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 41 static bool last_unlock_challenge_set = false; 42 43 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 44 static void sha256(const uint8_t* data, 45 uint32_t length, 46 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 47 AvbSHA256Ctx context; 48 49 context.tot_len = length; 50 avb_sha256_init(&context); 51 avb_sha256_update(&context, data, length); 52 uint8_t* tmp = avb_sha256_final(&context); 53 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 54 } 55 56 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 57 static void sha512(const uint8_t* data, 58 uint32_t length, 59 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 60 AvbSHA512Ctx context; 61 avb_sha512_init(&context); 62 avb_sha512_update(&context, data, length); 63 uint8_t* tmp = avb_sha512_final(&context); 64 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 65 } 66 67 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 68 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 69 sha256((const uint8_t*)str, avb_strlen(str), hash); 70 } 71 72 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 73 static bool verify_permanent_attributes( 74 const AvbAtxPermanentAttributes* attributes, 75 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 76 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 77 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY 78 #ifdef CONFIG_DM_CRYPTO 79 u32 cap = CRYPTO_MD5 | CRYPTO_SHA1 | CRYPTO_SHA256 | CRYPTO_RSA2048; 80 uint8_t rsa_hash[256] = {0}; 81 uint8_t rsa_hash_revert[256] = {0}; 82 unsigned int rsaResult_temp[8]; 83 unsigned char rsaResult[32] = {0}; 84 struct rk_pub_key pub_key; 85 struct udevice *dev; 86 rsa_key rsa_key; 87 char *temp; 88 int ret = 0; 89 int i; 90 91 memset(&pub_key, 0, sizeof(struct rk_pub_key)); 92 ret = rk_avb_get_pub_key(&pub_key); 93 if (ret) 94 return false; 95 96 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256); 97 if (ret) { 98 avb_error("get_perm_attr_cer error\n"); 99 return false; 100 } 101 102 for (i = 0; i < 256; i++) 103 rsa_hash_revert[255-i] = rsa_hash[i]; 104 105 dev = crypto_get_device(cap); 106 if (!dev) { 107 avb_error("Can't find crypto device for expected capability\n"); 108 return false; 109 } 110 111 memset(&rsa_key, 0x00, sizeof(rsa_key)); 112 rsa_key.algo = CRYPTO_RSA2048; 113 rsa_key.n = (u32 *)&pub_key.rsa_n; 114 rsa_key.e = (u32 *)&pub_key.rsa_e; 115 #ifdef CONFIG_ROCKCHIP_CRYPTO_V1 116 rsa_key.c = (u32 *)&pub_key.rsa_c; 117 #endif 118 ret = crypto_rsa_verify(dev, &rsa_key, (u8 *)rsa_hash_revert, (u8 *)rsaResult_temp); 119 if (ret) { 120 avb_error("Hardware verify error!\n"); 121 return false; 122 } 123 124 temp = (char *)rsaResult_temp; 125 for (i = 0; i < 32; i++) 126 rsaResult[31-i] = temp[i]; 127 128 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 129 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0) 130 return true; 131 132 return false; 133 #endif 134 #else 135 if (attributes->version != 1) { 136 avb_error("Unsupported permanent attributes version.\n"); 137 return false; 138 } 139 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 140 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 141 avb_error("Invalid permanent attributes.\n"); 142 return false; 143 } 144 return true; 145 #endif 146 } 147 148 /* Verifies the format, key version, usage, and signature of a certificate. */ 149 static bool verify_certificate( 150 const AvbAtxCertificate* certificate, 151 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 152 uint64_t minimum_key_version, 153 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 154 const AvbAlgorithmData* algorithm_data; 155 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 156 157 if (certificate->signed_data.version != 1) { 158 avb_error("Unsupported certificate format.\n"); 159 return false; 160 } 161 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 162 sha512((const uint8_t*)&certificate->signed_data, 163 sizeof(AvbAtxCertificateSignedData), 164 certificate_hash); 165 if (!avb_rsa_verify(authority, 166 AVB_ATX_PUBLIC_KEY_SIZE, 167 certificate->signature, 168 AVB_RSA4096_NUM_BYTES, 169 certificate_hash, 170 AVB_SHA512_DIGEST_SIZE, 171 algorithm_data->padding, 172 algorithm_data->padding_len)) { 173 avb_error("Invalid certificate signature.\n"); 174 return false; 175 } 176 if (certificate->signed_data.key_version < minimum_key_version) { 177 avb_error("Key rollback detected.\n"); 178 return false; 179 } 180 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 181 expected_usage, 182 AVB_SHA256_DIGEST_SIZE)) { 183 avb_error("Invalid certificate usage.\n"); 184 return false; 185 } 186 return true; 187 } 188 189 /* Verifies signature and fields of a PIK certificate. */ 190 static bool verify_pik_certificate( 191 const AvbAtxCertificate* certificate, 192 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 193 uint64_t minimum_version) { 194 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 195 196 sha256_str("com.google.android.things.vboot.ca", expected_usage); 197 if (!verify_certificate( 198 certificate, authority, minimum_version, expected_usage)) { 199 avb_error("Invalid PIK certificate.\n"); 200 return false; 201 } 202 return true; 203 } 204 205 /* Verifies signature and fields of a PSK certificate. */ 206 static bool verify_psk_certificate( 207 const AvbAtxCertificate* certificate, 208 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 209 uint64_t minimum_version, 210 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 211 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 212 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 213 214 sha256_str("com.google.android.things.vboot", expected_usage); 215 if (!verify_certificate( 216 certificate, authority, minimum_version, expected_usage)) { 217 avb_error("Invalid PSK certificate.\n"); 218 return false; 219 } 220 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 221 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 222 expected_subject, 223 AVB_SHA256_DIGEST_SIZE)) { 224 avb_error("PSK: Product ID mismatch.\n"); 225 return false; 226 } 227 return true; 228 } 229 230 /* Verifies signature and fields of a PUK certificate. */ 231 static bool verify_puk_certificate( 232 const AvbAtxCertificate* certificate, 233 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 234 uint64_t minimum_version, 235 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 236 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 237 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 238 239 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 240 if (!verify_certificate( 241 certificate, authority, minimum_version, expected_usage)) { 242 avb_error("Invalid PUK certificate.\n"); 243 return false; 244 } 245 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 246 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 247 expected_subject, 248 AVB_SHA256_DIGEST_SIZE)) { 249 avb_error("PUK: Product ID mismatch.\n"); 250 return false; 251 } 252 return true; 253 } 254 255 AvbIOResult avb_atx_validate_vbmeta_public_key( 256 AvbOps* ops, 257 const uint8_t* public_key_data, 258 size_t public_key_length, 259 const uint8_t* public_key_metadata, 260 size_t public_key_metadata_length, 261 bool* out_is_trusted) { 262 AvbIOResult result = AVB_IO_RESULT_OK; 263 AvbAtxPermanentAttributes permanent_attributes; 264 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 265 AvbAtxPublicKeyMetadata metadata; 266 uint64_t minimum_version; 267 268 /* Be pessimistic so we can exit early without having to remember to clear. 269 */ 270 *out_is_trusted = false; 271 272 /* Read and verify permanent attributes. */ 273 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 274 &permanent_attributes); 275 if (result != AVB_IO_RESULT_OK) { 276 avb_error("Failed to read permanent attributes.\n"); 277 return result; 278 } 279 result = ops->atx_ops->read_permanent_attributes_hash( 280 ops->atx_ops, permanent_attributes_hash); 281 if (result != AVB_IO_RESULT_OK) { 282 avb_error("Failed to read permanent attributes hash.\n"); 283 return result; 284 } 285 if (!verify_permanent_attributes(&permanent_attributes, 286 permanent_attributes_hash)) { 287 return AVB_IO_RESULT_OK; 288 } 289 290 /* Sanity check public key metadata. */ 291 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 292 avb_error("Invalid public key metadata.\n"); 293 return AVB_IO_RESULT_OK; 294 } 295 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 296 if (metadata.version != 1) { 297 avb_error("Unsupported public key metadata.\n"); 298 return AVB_IO_RESULT_OK; 299 } 300 301 /* Verify the PIK certificate. */ 302 result = ops->read_rollback_index( 303 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 304 if (result != AVB_IO_RESULT_OK) { 305 avb_error("Failed to read PIK minimum version.\n"); 306 return result; 307 } 308 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 309 permanent_attributes.product_root_public_key, 310 minimum_version)) { 311 return AVB_IO_RESULT_OK; 312 } 313 314 /* Verify the PSK certificate. */ 315 result = ops->read_rollback_index( 316 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 317 if (result != AVB_IO_RESULT_OK) { 318 avb_error("Failed to read PSK minimum version.\n"); 319 return result; 320 } 321 if (!verify_psk_certificate( 322 &metadata.product_signing_key_certificate, 323 metadata.product_intermediate_key_certificate.signed_data.public_key, 324 minimum_version, 325 permanent_attributes.product_id)) { 326 return AVB_IO_RESULT_OK; 327 } 328 329 /* Verify the PSK is the same key that verified vbmeta. */ 330 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 331 avb_error("Public key length mismatch.\n"); 332 return AVB_IO_RESULT_OK; 333 } 334 if (0 != avb_safe_memcmp( 335 metadata.product_signing_key_certificate.signed_data.public_key, 336 public_key_data, 337 AVB_ATX_PUBLIC_KEY_SIZE)) { 338 avb_error("Public key mismatch.\n"); 339 return AVB_IO_RESULT_OK; 340 } 341 342 /* Report the key versions used during verification. */ 343 ops->atx_ops->set_key_version( 344 ops->atx_ops, 345 AVB_ATX_PIK_VERSION_LOCATION, 346 metadata.product_intermediate_key_certificate.signed_data.key_version); 347 ops->atx_ops->set_key_version( 348 ops->atx_ops, 349 AVB_ATX_PSK_VERSION_LOCATION, 350 metadata.product_signing_key_certificate.signed_data.key_version); 351 352 *out_is_trusted = true; 353 return AVB_IO_RESULT_OK; 354 } 355 356 AvbIOResult avb_atx_generate_unlock_challenge( 357 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 358 AvbIOResult result = AVB_IO_RESULT_OK; 359 AvbAtxPermanentAttributes permanent_attributes; 360 361 /* We need the permanent attributes to compute the product_id_hash. */ 362 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 363 if (result != AVB_IO_RESULT_OK) { 364 avb_error("Failed to read permanent attributes.\n"); 365 return result; 366 } 367 result = atx_ops->get_random( 368 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 369 if (result != AVB_IO_RESULT_OK) { 370 avb_error("Failed to generate random challenge.\n"); 371 return result; 372 } 373 last_unlock_challenge_set = true; 374 out_unlock_challenge->version = 1; 375 sha256(permanent_attributes.product_id, 376 AVB_ATX_PRODUCT_ID_SIZE, 377 out_unlock_challenge->product_id_hash); 378 avb_memcpy(out_unlock_challenge->challenge, 379 last_unlock_challenge, 380 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 381 return result; 382 } 383 384 AvbIOResult avb_atx_validate_unlock_credential( 385 AvbAtxOps* atx_ops, 386 const AvbAtxUnlockCredential* unlock_credential, 387 bool* out_is_trusted) { 388 AvbIOResult result = AVB_IO_RESULT_OK; 389 AvbAtxPermanentAttributes permanent_attributes; 390 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 391 uint64_t minimum_version; 392 const AvbAlgorithmData* algorithm_data; 393 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 394 395 /* Be pessimistic so we can exit early without having to remember to clear. 396 */ 397 *out_is_trusted = false; 398 399 /* Sanity check the credential. */ 400 if (unlock_credential->version != 1) { 401 avb_error("Unsupported unlock credential format.\n"); 402 return AVB_IO_RESULT_OK; 403 } 404 405 /* Read and verify permanent attributes. */ 406 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 407 if (result != AVB_IO_RESULT_OK) { 408 avb_error("Failed to read permanent attributes.\n"); 409 return result; 410 } 411 result = atx_ops->read_permanent_attributes_hash(atx_ops, 412 permanent_attributes_hash); 413 if (result != AVB_IO_RESULT_OK) { 414 avb_error("Failed to read permanent attributes hash.\n"); 415 return result; 416 } 417 if (!verify_permanent_attributes(&permanent_attributes, 418 permanent_attributes_hash)) { 419 return AVB_IO_RESULT_OK; 420 } 421 422 /* Verify the PIK certificate. */ 423 result = atx_ops->ops->read_rollback_index( 424 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 425 if (result != AVB_IO_RESULT_OK) { 426 avb_error("Failed to read PIK minimum version.\n"); 427 return result; 428 } 429 if (!verify_pik_certificate( 430 &unlock_credential->product_intermediate_key_certificate, 431 permanent_attributes.product_root_public_key, 432 minimum_version)) { 433 return AVB_IO_RESULT_OK; 434 } 435 436 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 437 result = atx_ops->ops->read_rollback_index( 438 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 439 if (result != AVB_IO_RESULT_OK) { 440 avb_error("Failed to read PSK minimum version.\n"); 441 return result; 442 } 443 if (!verify_puk_certificate( 444 &unlock_credential->product_unlock_key_certificate, 445 unlock_credential->product_intermediate_key_certificate.signed_data 446 .public_key, 447 minimum_version, 448 permanent_attributes.product_id)) { 449 return AVB_IO_RESULT_OK; 450 } 451 452 /* Hash the most recent unlock challenge. */ 453 if (!last_unlock_challenge_set) { 454 avb_error("Challenge does not exist.\n"); 455 return AVB_IO_RESULT_OK; 456 } 457 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 458 last_unlock_challenge_set = false; 459 460 /* Verify the challenge signature. */ 461 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 462 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 463 .signed_data.public_key, 464 AVB_ATX_PUBLIC_KEY_SIZE, 465 unlock_credential->challenge_signature, 466 AVB_RSA4096_NUM_BYTES, 467 challenge_hash, 468 AVB_SHA512_DIGEST_SIZE, 469 algorithm_data->padding, 470 algorithm_data->padding_len)) { 471 avb_error("Invalid unlock challenge signature.\n"); 472 return AVB_IO_RESULT_OK; 473 } 474 475 *out_is_trusted = true; 476 return AVB_IO_RESULT_OK; 477 } 478