1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 #include <android_avb/avb_ops_user.h> 32 #include <android_avb/rk_avb_ops_user.h> 33 #include <malloc.h> 34 #include <common.h> 35 #ifdef CONFIG_DM_CRYPTO 36 #include <crypto.h> 37 #endif 38 39 /* The most recent unlock challenge generated. */ 40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 41 42 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 43 static void sha256(const uint8_t* data, 44 uint32_t length, 45 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 46 AvbSHA256Ctx context; 47 avb_sha256_init(&context); 48 avb_sha256_update(&context, data, length); 49 uint8_t* tmp = avb_sha256_final(&context); 50 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 51 } 52 53 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 54 static void sha512(const uint8_t* data, 55 uint32_t length, 56 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 57 AvbSHA512Ctx context; 58 avb_sha512_init(&context); 59 avb_sha512_update(&context, data, length); 60 uint8_t* tmp = avb_sha512_final(&context); 61 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 62 } 63 64 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 65 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 66 sha256((const uint8_t*)str, avb_strlen(str), hash); 67 } 68 69 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 70 static bool verify_permanent_attributes( 71 const AvbAtxPermanentAttributes* attributes, 72 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 73 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 74 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY 75 #ifdef CONFIG_DM_CRYPTO 76 u32 cap = CRYPTO_MD5 | CRYPTO_SHA1 | CRYPTO_SHA256 | CRYPTO_RSA2048; 77 uint8_t rsa_hash[256] = {0}; 78 uint8_t rsa_hash_revert[256] = {0}; 79 unsigned int rsaResult_temp[8]; 80 unsigned char rsaResult[32] = {0}; 81 struct rk_pub_key pub_key; 82 struct udevice *dev; 83 rsa_key rsa_key; 84 char *temp; 85 int ret = 0; 86 int i; 87 88 memset(&pub_key, 0, sizeof(struct rk_pub_key)); 89 ret = rk_avb_get_pub_key(&pub_key); 90 if (ret) 91 return false; 92 93 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256); 94 if (ret) { 95 avb_error("get_perm_attr_cer error\n"); 96 return false; 97 } 98 99 for (i = 0; i < 256; i++) 100 rsa_hash_revert[255-i] = rsa_hash[i]; 101 102 dev = crypto_get_device(cap); 103 if (!dev) { 104 avb_error("Can't find crypto device for expected capability\n"); 105 return false; 106 } 107 108 memset(&rsa_key, 0x00, sizeof(rsa_key)); 109 rsa_key.algo = CRYPTO_RSA2048; 110 rsa_key.n = (u32 *)&pub_key.rsa_n; 111 rsa_key.e = (u32 *)&pub_key.rsa_e; 112 rsa_key.c = (u32 *)&pub_key.rsa_c; 113 ret = crypto_rsa_verify(dev, &rsa_key, (u8 *)rsa_hash_revert, (u8 *)rsaResult_temp); 114 if (ret) { 115 avb_error("Hardware verify error!\n"); 116 return false; 117 } 118 119 temp = (char *)rsaResult_temp; 120 for (i = 0; i < 32; i++) 121 rsaResult[31-i] = temp[i]; 122 123 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 124 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0) 125 return true; 126 127 return false; 128 #endif 129 #else 130 if (attributes->version != 1) { 131 avb_error("Unsupported permanent attributes version.\n"); 132 return false; 133 } 134 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 135 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 136 avb_error("Invalid permanent attributes.\n"); 137 return false; 138 } 139 return true; 140 #endif 141 } 142 143 /* Verifies the format, key version, usage, and signature of a certificate. */ 144 static bool verify_certificate( 145 const AvbAtxCertificate* certificate, 146 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 147 uint64_t minimum_key_version, 148 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 149 const AvbAlgorithmData* algorithm_data; 150 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 151 152 if (certificate->signed_data.version != 1) { 153 avb_error("Unsupported certificate format.\n"); 154 return false; 155 } 156 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 157 sha512((const uint8_t*)&certificate->signed_data, 158 sizeof(AvbAtxCertificateSignedData), 159 certificate_hash); 160 if (!avb_rsa_verify(authority, 161 AVB_ATX_PUBLIC_KEY_SIZE, 162 certificate->signature, 163 AVB_RSA4096_NUM_BYTES, 164 certificate_hash, 165 AVB_SHA512_DIGEST_SIZE, 166 algorithm_data->padding, 167 algorithm_data->padding_len)) { 168 avb_error("Invalid certificate signature.\n"); 169 return false; 170 } 171 if (certificate->signed_data.key_version < minimum_key_version) { 172 avb_error("Key rollback detected.\n"); 173 return false; 174 } 175 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 176 expected_usage, 177 AVB_SHA256_DIGEST_SIZE)) { 178 avb_error("Invalid certificate usage.\n"); 179 return false; 180 } 181 return true; 182 } 183 184 /* Verifies signature and fields of a PIK certificate. */ 185 static bool verify_pik_certificate( 186 const AvbAtxCertificate* certificate, 187 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 188 uint64_t minimum_version) { 189 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 190 191 sha256_str("com.google.android.things.vboot.ca", expected_usage); 192 if (!verify_certificate( 193 certificate, authority, minimum_version, expected_usage)) { 194 avb_error("Invalid PIK certificate.\n"); 195 return false; 196 } 197 return true; 198 } 199 200 /* Verifies signature and fields of a PSK certificate. */ 201 static bool verify_psk_certificate( 202 const AvbAtxCertificate* certificate, 203 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 204 uint64_t minimum_version, 205 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 206 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 207 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 208 209 sha256_str("com.google.android.things.vboot", expected_usage); 210 if (!verify_certificate( 211 certificate, authority, minimum_version, expected_usage)) { 212 avb_error("Invalid PSK certificate.\n"); 213 return false; 214 } 215 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 216 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 217 expected_subject, 218 AVB_SHA256_DIGEST_SIZE)) { 219 avb_error("PSK: Product ID mismatch.\n"); 220 return false; 221 } 222 return true; 223 } 224 225 /* Verifies signature and fields of a PUK certificate. */ 226 static bool verify_puk_certificate( 227 const AvbAtxCertificate* certificate, 228 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 229 uint64_t minimum_version, 230 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 231 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 232 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 233 234 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 235 if (!verify_certificate( 236 certificate, authority, minimum_version, expected_usage)) { 237 avb_error("Invalid PUK certificate.\n"); 238 return false; 239 } 240 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 241 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 242 expected_subject, 243 AVB_SHA256_DIGEST_SIZE)) { 244 avb_error("PUK: Product ID mismatch.\n"); 245 return false; 246 } 247 return true; 248 } 249 250 AvbIOResult avb_atx_validate_vbmeta_public_key( 251 AvbOps* ops, 252 const uint8_t* public_key_data, 253 size_t public_key_length, 254 const uint8_t* public_key_metadata, 255 size_t public_key_metadata_length, 256 bool* out_is_trusted) { 257 AvbIOResult result = AVB_IO_RESULT_OK; 258 AvbAtxPermanentAttributes permanent_attributes; 259 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 260 AvbAtxPublicKeyMetadata metadata; 261 uint64_t minimum_version; 262 263 /* Be pessimistic so we can exit early without having to remember to clear. 264 */ 265 *out_is_trusted = false; 266 267 /* Read and verify permanent attributes. */ 268 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 269 &permanent_attributes); 270 if (result != AVB_IO_RESULT_OK) { 271 avb_error("Failed to read permanent attributes.\n"); 272 return result; 273 } 274 result = ops->atx_ops->read_permanent_attributes_hash( 275 ops->atx_ops, permanent_attributes_hash); 276 if (result != AVB_IO_RESULT_OK) { 277 avb_error("Failed to read permanent attributes hash.\n"); 278 return result; 279 } 280 if (!verify_permanent_attributes(&permanent_attributes, 281 permanent_attributes_hash)) { 282 return AVB_IO_RESULT_OK; 283 } 284 285 /* Sanity check public key metadata. */ 286 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 287 avb_error("Invalid public key metadata.\n"); 288 return AVB_IO_RESULT_OK; 289 } 290 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 291 if (metadata.version != 1) { 292 avb_error("Unsupported public key metadata.\n"); 293 return AVB_IO_RESULT_OK; 294 } 295 296 /* Verify the PIK certificate. */ 297 result = ops->read_rollback_index( 298 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 299 if (result != AVB_IO_RESULT_OK) { 300 avb_error("Failed to read PIK minimum version.\n"); 301 return result; 302 } 303 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 304 permanent_attributes.product_root_public_key, 305 minimum_version)) { 306 return AVB_IO_RESULT_OK; 307 } 308 309 /* Verify the PSK certificate. */ 310 result = ops->read_rollback_index( 311 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 312 if (result != AVB_IO_RESULT_OK) { 313 avb_error("Failed to read PSK minimum version.\n"); 314 return result; 315 } 316 if (!verify_psk_certificate( 317 &metadata.product_signing_key_certificate, 318 metadata.product_intermediate_key_certificate.signed_data.public_key, 319 minimum_version, 320 permanent_attributes.product_id)) { 321 return AVB_IO_RESULT_OK; 322 } 323 324 /* Verify the PSK is the same key that verified vbmeta. */ 325 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 326 avb_error("Public key length mismatch.\n"); 327 return AVB_IO_RESULT_OK; 328 } 329 if (0 != avb_safe_memcmp( 330 metadata.product_signing_key_certificate.signed_data.public_key, 331 public_key_data, 332 AVB_ATX_PUBLIC_KEY_SIZE)) { 333 avb_error("Public key mismatch.\n"); 334 return AVB_IO_RESULT_OK; 335 } 336 337 /* Report the key versions used during verification. */ 338 ops->atx_ops->set_key_version( 339 ops->atx_ops, 340 AVB_ATX_PIK_VERSION_LOCATION, 341 metadata.product_intermediate_key_certificate.signed_data.key_version); 342 ops->atx_ops->set_key_version( 343 ops->atx_ops, 344 AVB_ATX_PSK_VERSION_LOCATION, 345 metadata.product_signing_key_certificate.signed_data.key_version); 346 347 *out_is_trusted = true; 348 return AVB_IO_RESULT_OK; 349 } 350 351 AvbIOResult avb_atx_generate_unlock_challenge( 352 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 353 AvbIOResult result = AVB_IO_RESULT_OK; 354 AvbAtxPermanentAttributes permanent_attributes; 355 356 /* We need the permanent attributes to compute the product_id_hash. */ 357 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 358 if (result != AVB_IO_RESULT_OK) { 359 avb_error("Failed to read permanent attributes.\n"); 360 return result; 361 } 362 result = atx_ops->get_random( 363 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 364 if (result != AVB_IO_RESULT_OK) { 365 avb_error("Failed to generate random challenge.\n"); 366 return result; 367 } 368 out_unlock_challenge->version = 1; 369 sha256(permanent_attributes.product_id, 370 AVB_ATX_PRODUCT_ID_SIZE, 371 out_unlock_challenge->product_id_hash); 372 avb_memcpy(out_unlock_challenge->challenge, 373 last_unlock_challenge, 374 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 375 return result; 376 } 377 378 AvbIOResult avb_atx_validate_unlock_credential( 379 AvbAtxOps* atx_ops, 380 const AvbAtxUnlockCredential* unlock_credential, 381 bool* out_is_trusted) { 382 AvbIOResult result = AVB_IO_RESULT_OK; 383 AvbAtxPermanentAttributes permanent_attributes; 384 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 385 uint64_t minimum_version; 386 const AvbAlgorithmData* algorithm_data; 387 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 388 389 /* Be pessimistic so we can exit early without having to remember to clear. 390 */ 391 *out_is_trusted = false; 392 393 /* Sanity check the credential. */ 394 if (unlock_credential->version != 1) { 395 avb_error("Unsupported unlock credential format.\n"); 396 return AVB_IO_RESULT_OK; 397 } 398 399 /* Read and verify permanent attributes. */ 400 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 401 if (result != AVB_IO_RESULT_OK) { 402 avb_error("Failed to read permanent attributes.\n"); 403 return result; 404 } 405 result = atx_ops->read_permanent_attributes_hash(atx_ops, 406 permanent_attributes_hash); 407 if (result != AVB_IO_RESULT_OK) { 408 avb_error("Failed to read permanent attributes hash.\n"); 409 return result; 410 } 411 if (!verify_permanent_attributes(&permanent_attributes, 412 permanent_attributes_hash)) { 413 return AVB_IO_RESULT_OK; 414 } 415 416 /* Verify the PIK certificate. */ 417 result = atx_ops->ops->read_rollback_index( 418 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 419 if (result != AVB_IO_RESULT_OK) { 420 avb_error("Failed to read PIK minimum version.\n"); 421 return result; 422 } 423 if (!verify_pik_certificate( 424 &unlock_credential->product_intermediate_key_certificate, 425 permanent_attributes.product_root_public_key, 426 minimum_version)) { 427 return AVB_IO_RESULT_OK; 428 } 429 430 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 431 result = atx_ops->ops->read_rollback_index( 432 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 433 if (result != AVB_IO_RESULT_OK) { 434 avb_error("Failed to read PSK minimum version.\n"); 435 return result; 436 } 437 if (!verify_puk_certificate( 438 &unlock_credential->product_unlock_key_certificate, 439 unlock_credential->product_intermediate_key_certificate.signed_data 440 .public_key, 441 minimum_version, 442 permanent_attributes.product_id)) { 443 return AVB_IO_RESULT_OK; 444 } 445 446 /* Verify the challenge signature. */ 447 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 448 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 449 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 450 .signed_data.public_key, 451 AVB_ATX_PUBLIC_KEY_SIZE, 452 unlock_credential->challenge_signature, 453 AVB_RSA4096_NUM_BYTES, 454 challenge_hash, 455 AVB_SHA512_DIGEST_SIZE, 456 algorithm_data->padding, 457 algorithm_data->padding_len)) { 458 avb_error("Invalid unlock challenge signature.\n"); 459 return AVB_IO_RESULT_OK; 460 } 461 462 *out_is_trusted = true; 463 return AVB_IO_RESULT_OK; 464 } 465