1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 #include <android_avb/avb_ops_user.h> 32 #include <android_avb/rk_avb_ops_user.h> 33 #include <malloc.h> 34 #include <common.h> 35 #ifdef CONFIG_CRYPTO_ROCKCHIP 36 #include <rockchip_crypto/rockchip_crypto.h> 37 #endif 38 39 /* The most recent unlock challenge generated. */ 40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 41 42 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 43 static void sha256(const uint8_t* data, 44 uint32_t length, 45 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 46 AvbSHA256Ctx context; 47 avb_sha256_init(&context); 48 avb_sha256_update(&context, data, length); 49 uint8_t* tmp = avb_sha256_final(&context); 50 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 51 } 52 53 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 54 static void sha512(const uint8_t* data, 55 uint32_t length, 56 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 57 AvbSHA512Ctx context; 58 avb_sha512_init(&context); 59 avb_sha512_update(&context, data, length); 60 uint8_t* tmp = avb_sha512_final(&context); 61 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 62 } 63 64 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 65 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 66 sha256((const uint8_t*)str, avb_strlen(str), hash); 67 } 68 69 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 70 static bool verify_permanent_attributes( 71 const AvbAtxPermanentAttributes* attributes, 72 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 73 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 74 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY 75 #ifdef CONFIG_CRYPTO_ROCKCHIP 76 struct rk_pub_key pub_key; 77 int i; 78 uint8_t rsa_hash[256] = {0}; 79 uint8_t rsa_hash_revert[256] = {0}; 80 unsigned int rsaResult_temp[8]; 81 unsigned char rsaResult[32] = {0}; 82 char *temp; 83 struct rk_crypto_desc crypto_desc; 84 int ret = 0; 85 86 if (rk_crypto_probe()) 87 return false; 88 89 memset(&pub_key, 0, sizeof(struct rk_pub_key)); 90 ret = rk_avb_get_pub_key(&pub_key); 91 if (ret) 92 return false; 93 94 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256); 95 if (ret) { 96 avb_error("get_perm_attr_cer error\n"); 97 return false; 98 } 99 100 for (i = 0; i < 256; i++) 101 rsa_hash_revert[255-i] = rsa_hash[i]; 102 103 ret = get_rk_crypto_desc(&crypto_desc); 104 if (ret) { 105 avb_error("get_rk_crypto_desc error\n"); 106 return false; 107 } 108 109 ret = rk_crypto_rsa_init(&crypto_desc); 110 if (ret) { 111 avb_error("rk_crypto_rsa_init error\n"); 112 return false; 113 } 114 115 ret = rk_crypto_rsa_start(&crypto_desc, (u32 *)(rsa_hash_revert), 116 pub_key.rsa_n, pub_key.rsa_e, pub_key.rsa_c); 117 if (ret) { 118 avb_error("rk_crypto_rsa_start error\n"); 119 return false; 120 } 121 122 ret = rk_crypto_rsa_end(&crypto_desc, rsaResult_temp); 123 if (ret) { 124 avb_error("rk_crypto_rsa_end error\n"); 125 return false; 126 } 127 128 temp = (char *)rsaResult_temp; 129 for (i = 0; i < 32; i++) 130 rsaResult[31-i] = temp[i]; 131 132 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 133 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0) 134 return true; 135 136 return false; 137 #endif 138 #else 139 if (attributes->version != 1) { 140 avb_error("Unsupported permanent attributes version.\n"); 141 return false; 142 } 143 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 144 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 145 avb_error("Invalid permanent attributes.\n"); 146 return false; 147 } 148 return true; 149 #endif 150 } 151 152 /* Verifies the format, key version, usage, and signature of a certificate. */ 153 static bool verify_certificate( 154 const AvbAtxCertificate* certificate, 155 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 156 uint64_t minimum_key_version, 157 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 158 const AvbAlgorithmData* algorithm_data; 159 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 160 161 if (certificate->signed_data.version != 1) { 162 avb_error("Unsupported certificate format.\n"); 163 return false; 164 } 165 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 166 sha512((const uint8_t*)&certificate->signed_data, 167 sizeof(AvbAtxCertificateSignedData), 168 certificate_hash); 169 if (!avb_rsa_verify(authority, 170 AVB_ATX_PUBLIC_KEY_SIZE, 171 certificate->signature, 172 AVB_RSA4096_NUM_BYTES, 173 certificate_hash, 174 AVB_SHA512_DIGEST_SIZE, 175 algorithm_data->padding, 176 algorithm_data->padding_len)) { 177 avb_error("Invalid certificate signature.\n"); 178 return false; 179 } 180 if (certificate->signed_data.key_version < minimum_key_version) { 181 avb_error("Key rollback detected.\n"); 182 return false; 183 } 184 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 185 expected_usage, 186 AVB_SHA256_DIGEST_SIZE)) { 187 avb_error("Invalid certificate usage.\n"); 188 return false; 189 } 190 return true; 191 } 192 193 /* Verifies signature and fields of a PIK certificate. */ 194 static bool verify_pik_certificate( 195 const AvbAtxCertificate* certificate, 196 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 197 uint64_t minimum_version) { 198 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 199 200 sha256_str("com.google.android.things.vboot.ca", expected_usage); 201 if (!verify_certificate( 202 certificate, authority, minimum_version, expected_usage)) { 203 avb_error("Invalid PIK certificate.\n"); 204 return false; 205 } 206 return true; 207 } 208 209 /* Verifies signature and fields of a PSK certificate. */ 210 static bool verify_psk_certificate( 211 const AvbAtxCertificate* certificate, 212 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 213 uint64_t minimum_version, 214 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 215 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 216 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 217 218 sha256_str("com.google.android.things.vboot", expected_usage); 219 if (!verify_certificate( 220 certificate, authority, minimum_version, expected_usage)) { 221 avb_error("Invalid PSK certificate.\n"); 222 return false; 223 } 224 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 225 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 226 expected_subject, 227 AVB_SHA256_DIGEST_SIZE)) { 228 avb_error("PSK: Product ID mismatch.\n"); 229 return false; 230 } 231 return true; 232 } 233 234 /* Verifies signature and fields of a PUK certificate. */ 235 static bool verify_puk_certificate( 236 const AvbAtxCertificate* certificate, 237 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 238 uint64_t minimum_version, 239 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 240 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 241 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 242 243 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 244 if (!verify_certificate( 245 certificate, authority, minimum_version, expected_usage)) { 246 avb_error("Invalid PUK certificate.\n"); 247 return false; 248 } 249 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 250 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 251 expected_subject, 252 AVB_SHA256_DIGEST_SIZE)) { 253 avb_error("PUK: Product ID mismatch.\n"); 254 return false; 255 } 256 return true; 257 } 258 259 AvbIOResult avb_atx_validate_vbmeta_public_key( 260 AvbOps* ops, 261 const uint8_t* public_key_data, 262 size_t public_key_length, 263 const uint8_t* public_key_metadata, 264 size_t public_key_metadata_length, 265 bool* out_is_trusted) { 266 AvbIOResult result = AVB_IO_RESULT_OK; 267 AvbAtxPermanentAttributes permanent_attributes; 268 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 269 AvbAtxPublicKeyMetadata metadata; 270 uint64_t minimum_version; 271 272 /* Be pessimistic so we can exit early without having to remember to clear. 273 */ 274 *out_is_trusted = false; 275 276 /* Read and verify permanent attributes. */ 277 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 278 &permanent_attributes); 279 if (result != AVB_IO_RESULT_OK) { 280 avb_error("Failed to read permanent attributes.\n"); 281 return result; 282 } 283 result = ops->atx_ops->read_permanent_attributes_hash( 284 ops->atx_ops, permanent_attributes_hash); 285 if (result != AVB_IO_RESULT_OK) { 286 avb_error("Failed to read permanent attributes hash.\n"); 287 return result; 288 } 289 if (!verify_permanent_attributes(&permanent_attributes, 290 permanent_attributes_hash)) { 291 return AVB_IO_RESULT_OK; 292 } 293 294 /* Sanity check public key metadata. */ 295 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 296 avb_error("Invalid public key metadata.\n"); 297 return AVB_IO_RESULT_OK; 298 } 299 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 300 if (metadata.version != 1) { 301 avb_error("Unsupported public key metadata.\n"); 302 return AVB_IO_RESULT_OK; 303 } 304 305 /* Verify the PIK certificate. */ 306 result = ops->read_rollback_index( 307 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 308 if (result != AVB_IO_RESULT_OK) { 309 avb_error("Failed to read PIK minimum version.\n"); 310 return result; 311 } 312 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 313 permanent_attributes.product_root_public_key, 314 minimum_version)) { 315 return AVB_IO_RESULT_OK; 316 } 317 318 /* Verify the PSK certificate. */ 319 result = ops->read_rollback_index( 320 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 321 if (result != AVB_IO_RESULT_OK) { 322 avb_error("Failed to read PSK minimum version.\n"); 323 return result; 324 } 325 if (!verify_psk_certificate( 326 &metadata.product_signing_key_certificate, 327 metadata.product_intermediate_key_certificate.signed_data.public_key, 328 minimum_version, 329 permanent_attributes.product_id)) { 330 return AVB_IO_RESULT_OK; 331 } 332 333 /* Verify the PSK is the same key that verified vbmeta. */ 334 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 335 avb_error("Public key length mismatch.\n"); 336 return AVB_IO_RESULT_OK; 337 } 338 if (0 != avb_safe_memcmp( 339 metadata.product_signing_key_certificate.signed_data.public_key, 340 public_key_data, 341 AVB_ATX_PUBLIC_KEY_SIZE)) { 342 avb_error("Public key mismatch.\n"); 343 return AVB_IO_RESULT_OK; 344 } 345 346 /* Report the key versions used during verification. */ 347 ops->atx_ops->set_key_version( 348 ops->atx_ops, 349 AVB_ATX_PIK_VERSION_LOCATION, 350 metadata.product_intermediate_key_certificate.signed_data.key_version); 351 ops->atx_ops->set_key_version( 352 ops->atx_ops, 353 AVB_ATX_PSK_VERSION_LOCATION, 354 metadata.product_signing_key_certificate.signed_data.key_version); 355 356 *out_is_trusted = true; 357 return AVB_IO_RESULT_OK; 358 } 359 360 AvbIOResult avb_atx_generate_unlock_challenge( 361 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 362 AvbIOResult result = AVB_IO_RESULT_OK; 363 AvbAtxPermanentAttributes permanent_attributes; 364 365 /* We need the permanent attributes to compute the product_id_hash. */ 366 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 367 if (result != AVB_IO_RESULT_OK) { 368 avb_error("Failed to read permanent attributes.\n"); 369 return result; 370 } 371 result = atx_ops->get_random( 372 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 373 if (result != AVB_IO_RESULT_OK) { 374 avb_error("Failed to generate random challenge.\n"); 375 return result; 376 } 377 out_unlock_challenge->version = 1; 378 sha256(permanent_attributes.product_id, 379 AVB_ATX_PRODUCT_ID_SIZE, 380 out_unlock_challenge->product_id_hash); 381 avb_memcpy(out_unlock_challenge->challenge, 382 last_unlock_challenge, 383 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 384 return result; 385 } 386 387 AvbIOResult avb_atx_validate_unlock_credential( 388 AvbAtxOps* atx_ops, 389 const AvbAtxUnlockCredential* unlock_credential, 390 bool* out_is_trusted) { 391 AvbIOResult result = AVB_IO_RESULT_OK; 392 AvbAtxPermanentAttributes permanent_attributes; 393 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 394 uint64_t minimum_version; 395 const AvbAlgorithmData* algorithm_data; 396 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 397 398 /* Be pessimistic so we can exit early without having to remember to clear. 399 */ 400 *out_is_trusted = false; 401 402 /* Sanity check the credential. */ 403 if (unlock_credential->version != 1) { 404 avb_error("Unsupported unlock credential format.\n"); 405 return AVB_IO_RESULT_OK; 406 } 407 408 /* Read and verify permanent attributes. */ 409 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 410 if (result != AVB_IO_RESULT_OK) { 411 avb_error("Failed to read permanent attributes.\n"); 412 return result; 413 } 414 result = atx_ops->read_permanent_attributes_hash(atx_ops, 415 permanent_attributes_hash); 416 if (result != AVB_IO_RESULT_OK) { 417 avb_error("Failed to read permanent attributes hash.\n"); 418 return result; 419 } 420 if (!verify_permanent_attributes(&permanent_attributes, 421 permanent_attributes_hash)) { 422 return AVB_IO_RESULT_OK; 423 } 424 425 /* Verify the PIK certificate. */ 426 result = atx_ops->ops->read_rollback_index( 427 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 428 if (result != AVB_IO_RESULT_OK) { 429 avb_error("Failed to read PIK minimum version.\n"); 430 return result; 431 } 432 if (!verify_pik_certificate( 433 &unlock_credential->product_intermediate_key_certificate, 434 permanent_attributes.product_root_public_key, 435 minimum_version)) { 436 return AVB_IO_RESULT_OK; 437 } 438 439 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 440 result = atx_ops->ops->read_rollback_index( 441 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 442 if (result != AVB_IO_RESULT_OK) { 443 avb_error("Failed to read PSK minimum version.\n"); 444 return result; 445 } 446 if (!verify_puk_certificate( 447 &unlock_credential->product_unlock_key_certificate, 448 unlock_credential->product_intermediate_key_certificate.signed_data 449 .public_key, 450 minimum_version, 451 permanent_attributes.product_id)) { 452 return AVB_IO_RESULT_OK; 453 } 454 455 /* Verify the challenge signature. */ 456 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 457 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 458 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 459 .signed_data.public_key, 460 AVB_ATX_PUBLIC_KEY_SIZE, 461 unlock_credential->challenge_signature, 462 AVB_RSA4096_NUM_BYTES, 463 challenge_hash, 464 AVB_SHA512_DIGEST_SIZE, 465 algorithm_data->padding, 466 algorithm_data->padding_len)) { 467 avb_error("Invalid unlock challenge signature.\n"); 468 return AVB_IO_RESULT_OK; 469 } 470 471 *out_is_trusted = true; 472 return AVB_IO_RESULT_OK; 473 } 474