1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 #include <android_avb/avb_ops_user.h> 32 #include <android_avb/rk_avb_ops_user.h> 33 #include <malloc.h> 34 #include <common.h> 35 #ifdef CONFIG_DM_CRYPTO 36 #include <crypto.h> 37 #endif 38 39 /* The most recent unlock challenge generated. */ 40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 41 static bool last_unlock_challenge_set = false; 42 43 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 44 static void sha256(const uint8_t* data, 45 uint32_t length, 46 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 47 AvbSHA256Ctx context; 48 49 context.tot_len = length; 50 avb_sha256_init(&context); 51 avb_sha256_update(&context, data, length); 52 uint8_t* tmp = avb_sha256_final(&context); 53 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 54 } 55 56 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 57 static void sha512(const uint8_t* data, 58 uint32_t length, 59 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 60 AvbSHA512Ctx context; 61 62 context.tot_len = length; 63 avb_sha512_init(&context); 64 avb_sha512_update(&context, data, length); 65 uint8_t* tmp = avb_sha512_final(&context); 66 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 67 } 68 69 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 70 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 71 sha256((const uint8_t*)str, avb_strlen(str), hash); 72 } 73 74 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 75 static bool verify_permanent_attributes( 76 const AvbAtxPermanentAttributes* attributes, 77 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 78 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 79 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY 80 #ifdef CONFIG_DM_CRYPTO 81 u32 cap = CRYPTO_MD5 | CRYPTO_SHA1 | CRYPTO_SHA256 | CRYPTO_RSA2048; 82 uint8_t rsa_hash[256] = {0}; 83 uint8_t rsa_hash_revert[256] = {0}; 84 unsigned int rsaResult_temp[8]; 85 unsigned char rsaResult[32] = {0}; 86 struct rk_pub_key pub_key; 87 struct udevice *dev; 88 rsa_key rsa_key; 89 char *temp; 90 int ret = 0; 91 int i; 92 93 memset(&pub_key, 0, sizeof(struct rk_pub_key)); 94 ret = rk_avb_get_pub_key(&pub_key); 95 if (ret) 96 return false; 97 98 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256); 99 if (ret) { 100 avb_error("get_perm_attr_cer error\n"); 101 return false; 102 } 103 104 for (i = 0; i < 256; i++) 105 rsa_hash_revert[255-i] = rsa_hash[i]; 106 107 dev = crypto_get_device(cap); 108 if (!dev) { 109 avb_error("Can't find crypto device for expected capability\n"); 110 return false; 111 } 112 113 memset(&rsa_key, 0x00, sizeof(rsa_key)); 114 rsa_key.algo = CRYPTO_RSA2048; 115 rsa_key.n = (u32 *)&pub_key.rsa_n; 116 rsa_key.e = (u32 *)&pub_key.rsa_e; 117 #ifdef CONFIG_ROCKCHIP_CRYPTO_V1 118 rsa_key.c = (u32 *)&pub_key.rsa_c; 119 #endif 120 ret = crypto_rsa_verify(dev, &rsa_key, (u8 *)rsa_hash_revert, (u8 *)rsaResult_temp); 121 if (ret) { 122 avb_error("Hardware verify error!\n"); 123 return false; 124 } 125 126 temp = (char *)rsaResult_temp; 127 for (i = 0; i < 32; i++) 128 rsaResult[31-i] = temp[i]; 129 130 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 131 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0) 132 return true; 133 134 return false; 135 #endif 136 #else 137 if (attributes->version != 1) { 138 avb_error("Unsupported permanent attributes version.\n"); 139 return false; 140 } 141 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 142 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 143 avb_error("Invalid permanent attributes.\n"); 144 return false; 145 } 146 return true; 147 #endif 148 } 149 150 /* Verifies the format, key version, usage, and signature of a certificate. */ 151 static bool verify_certificate( 152 const AvbAtxCertificate* certificate, 153 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 154 uint64_t minimum_key_version, 155 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 156 const AvbAlgorithmData* algorithm_data; 157 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 158 159 if (certificate->signed_data.version != 1) { 160 avb_error("Unsupported certificate format.\n"); 161 return false; 162 } 163 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 164 sha512((const uint8_t*)&certificate->signed_data, 165 sizeof(AvbAtxCertificateSignedData), 166 certificate_hash); 167 if (!avb_rsa_verify(authority, 168 AVB_ATX_PUBLIC_KEY_SIZE, 169 certificate->signature, 170 AVB_RSA4096_NUM_BYTES, 171 certificate_hash, 172 AVB_SHA512_DIGEST_SIZE, 173 algorithm_data->padding, 174 algorithm_data->padding_len)) { 175 avb_error("Invalid certificate signature.\n"); 176 return false; 177 } 178 if (certificate->signed_data.key_version < minimum_key_version) { 179 avb_error("Key rollback detected.\n"); 180 return false; 181 } 182 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 183 expected_usage, 184 AVB_SHA256_DIGEST_SIZE)) { 185 avb_error("Invalid certificate usage.\n"); 186 return false; 187 } 188 return true; 189 } 190 191 /* Verifies signature and fields of a PIK certificate. */ 192 static bool verify_pik_certificate( 193 const AvbAtxCertificate* certificate, 194 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 195 uint64_t minimum_version) { 196 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 197 198 sha256_str("com.google.android.things.vboot.ca", expected_usage); 199 if (!verify_certificate( 200 certificate, authority, minimum_version, expected_usage)) { 201 avb_error("Invalid PIK certificate.\n"); 202 return false; 203 } 204 return true; 205 } 206 207 /* Verifies signature and fields of a PSK certificate. */ 208 static bool verify_psk_certificate( 209 const AvbAtxCertificate* certificate, 210 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 211 uint64_t minimum_version, 212 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 213 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 214 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 215 216 sha256_str("com.google.android.things.vboot", expected_usage); 217 if (!verify_certificate( 218 certificate, authority, minimum_version, expected_usage)) { 219 avb_error("Invalid PSK certificate.\n"); 220 return false; 221 } 222 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 223 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 224 expected_subject, 225 AVB_SHA256_DIGEST_SIZE)) { 226 avb_error("PSK: Product ID mismatch.\n"); 227 return false; 228 } 229 return true; 230 } 231 232 /* Verifies signature and fields of a PUK certificate. */ 233 static bool verify_puk_certificate( 234 const AvbAtxCertificate* certificate, 235 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 236 uint64_t minimum_version, 237 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 238 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 239 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 240 241 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 242 if (!verify_certificate( 243 certificate, authority, minimum_version, expected_usage)) { 244 avb_error("Invalid PUK certificate.\n"); 245 return false; 246 } 247 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 248 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 249 expected_subject, 250 AVB_SHA256_DIGEST_SIZE)) { 251 avb_error("PUK: Product ID mismatch.\n"); 252 return false; 253 } 254 return true; 255 } 256 257 AvbIOResult avb_atx_validate_vbmeta_public_key( 258 AvbOps* ops, 259 const uint8_t* public_key_data, 260 size_t public_key_length, 261 const uint8_t* public_key_metadata, 262 size_t public_key_metadata_length, 263 bool* out_is_trusted) { 264 AvbIOResult result = AVB_IO_RESULT_OK; 265 AvbAtxPermanentAttributes permanent_attributes; 266 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 267 AvbAtxPublicKeyMetadata metadata; 268 uint64_t minimum_version; 269 270 /* Be pessimistic so we can exit early without having to remember to clear. 271 */ 272 *out_is_trusted = false; 273 274 /* Read and verify permanent attributes. */ 275 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 276 &permanent_attributes); 277 if (result != AVB_IO_RESULT_OK) { 278 avb_error("Failed to read permanent attributes.\n"); 279 return result; 280 } 281 result = ops->atx_ops->read_permanent_attributes_hash( 282 ops->atx_ops, permanent_attributes_hash); 283 if (result != AVB_IO_RESULT_OK) { 284 avb_error("Failed to read permanent attributes hash.\n"); 285 return result; 286 } 287 if (!verify_permanent_attributes(&permanent_attributes, 288 permanent_attributes_hash)) { 289 return AVB_IO_RESULT_OK; 290 } 291 292 /* Sanity check public key metadata. */ 293 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 294 avb_error("Invalid public key metadata.\n"); 295 return AVB_IO_RESULT_OK; 296 } 297 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 298 if (metadata.version != 1) { 299 avb_error("Unsupported public key metadata.\n"); 300 return AVB_IO_RESULT_OK; 301 } 302 303 /* Verify the PIK certificate. */ 304 result = ops->read_rollback_index( 305 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 306 if (result != AVB_IO_RESULT_OK) { 307 avb_error("Failed to read PIK minimum version.\n"); 308 return result; 309 } 310 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 311 permanent_attributes.product_root_public_key, 312 minimum_version)) { 313 return AVB_IO_RESULT_OK; 314 } 315 316 /* Verify the PSK certificate. */ 317 result = ops->read_rollback_index( 318 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 319 if (result != AVB_IO_RESULT_OK) { 320 avb_error("Failed to read PSK minimum version.\n"); 321 return result; 322 } 323 if (!verify_psk_certificate( 324 &metadata.product_signing_key_certificate, 325 metadata.product_intermediate_key_certificate.signed_data.public_key, 326 minimum_version, 327 permanent_attributes.product_id)) { 328 return AVB_IO_RESULT_OK; 329 } 330 331 /* Verify the PSK is the same key that verified vbmeta. */ 332 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 333 avb_error("Public key length mismatch.\n"); 334 return AVB_IO_RESULT_OK; 335 } 336 if (0 != avb_safe_memcmp( 337 metadata.product_signing_key_certificate.signed_data.public_key, 338 public_key_data, 339 AVB_ATX_PUBLIC_KEY_SIZE)) { 340 avb_error("Public key mismatch.\n"); 341 return AVB_IO_RESULT_OK; 342 } 343 344 /* Report the key versions used during verification. */ 345 ops->atx_ops->set_key_version( 346 ops->atx_ops, 347 AVB_ATX_PIK_VERSION_LOCATION, 348 metadata.product_intermediate_key_certificate.signed_data.key_version); 349 ops->atx_ops->set_key_version( 350 ops->atx_ops, 351 AVB_ATX_PSK_VERSION_LOCATION, 352 metadata.product_signing_key_certificate.signed_data.key_version); 353 354 *out_is_trusted = true; 355 return AVB_IO_RESULT_OK; 356 } 357 358 AvbIOResult avb_atx_generate_unlock_challenge( 359 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 360 AvbIOResult result = AVB_IO_RESULT_OK; 361 AvbAtxPermanentAttributes permanent_attributes; 362 363 /* We need the permanent attributes to compute the product_id_hash. */ 364 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 365 if (result != AVB_IO_RESULT_OK) { 366 avb_error("Failed to read permanent attributes.\n"); 367 return result; 368 } 369 result = atx_ops->get_random( 370 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 371 if (result != AVB_IO_RESULT_OK) { 372 avb_error("Failed to generate random challenge.\n"); 373 return result; 374 } 375 last_unlock_challenge_set = true; 376 out_unlock_challenge->version = 1; 377 sha256(permanent_attributes.product_id, 378 AVB_ATX_PRODUCT_ID_SIZE, 379 out_unlock_challenge->product_id_hash); 380 avb_memcpy(out_unlock_challenge->challenge, 381 last_unlock_challenge, 382 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 383 return result; 384 } 385 386 AvbIOResult avb_atx_validate_unlock_credential( 387 AvbAtxOps* atx_ops, 388 const AvbAtxUnlockCredential* unlock_credential, 389 bool* out_is_trusted) { 390 AvbIOResult result = AVB_IO_RESULT_OK; 391 AvbAtxPermanentAttributes permanent_attributes; 392 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 393 uint64_t minimum_version; 394 const AvbAlgorithmData* algorithm_data; 395 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 396 397 /* Be pessimistic so we can exit early without having to remember to clear. 398 */ 399 *out_is_trusted = false; 400 401 /* Sanity check the credential. */ 402 if (unlock_credential->version != 1) { 403 avb_error("Unsupported unlock credential format.\n"); 404 return AVB_IO_RESULT_OK; 405 } 406 407 /* Read and verify permanent attributes. */ 408 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 409 if (result != AVB_IO_RESULT_OK) { 410 avb_error("Failed to read permanent attributes.\n"); 411 return result; 412 } 413 result = atx_ops->read_permanent_attributes_hash(atx_ops, 414 permanent_attributes_hash); 415 if (result != AVB_IO_RESULT_OK) { 416 avb_error("Failed to read permanent attributes hash.\n"); 417 return result; 418 } 419 if (!verify_permanent_attributes(&permanent_attributes, 420 permanent_attributes_hash)) { 421 return AVB_IO_RESULT_OK; 422 } 423 424 /* Verify the PIK certificate. */ 425 result = atx_ops->ops->read_rollback_index( 426 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 427 if (result != AVB_IO_RESULT_OK) { 428 avb_error("Failed to read PIK minimum version.\n"); 429 return result; 430 } 431 if (!verify_pik_certificate( 432 &unlock_credential->product_intermediate_key_certificate, 433 permanent_attributes.product_root_public_key, 434 minimum_version)) { 435 return AVB_IO_RESULT_OK; 436 } 437 438 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 439 result = atx_ops->ops->read_rollback_index( 440 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 441 if (result != AVB_IO_RESULT_OK) { 442 avb_error("Failed to read PSK minimum version.\n"); 443 return result; 444 } 445 if (!verify_puk_certificate( 446 &unlock_credential->product_unlock_key_certificate, 447 unlock_credential->product_intermediate_key_certificate.signed_data 448 .public_key, 449 minimum_version, 450 permanent_attributes.product_id)) { 451 return AVB_IO_RESULT_OK; 452 } 453 454 /* Hash the most recent unlock challenge. */ 455 if (!last_unlock_challenge_set) { 456 avb_error("Challenge does not exist.\n"); 457 return AVB_IO_RESULT_OK; 458 } 459 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 460 last_unlock_challenge_set = false; 461 462 /* Verify the challenge signature. */ 463 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 464 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 465 .signed_data.public_key, 466 AVB_ATX_PUBLIC_KEY_SIZE, 467 unlock_credential->challenge_signature, 468 AVB_RSA4096_NUM_BYTES, 469 challenge_hash, 470 AVB_SHA512_DIGEST_SIZE, 471 algorithm_data->padding, 472 algorithm_data->padding_len)) { 473 avb_error("Invalid unlock challenge signature.\n"); 474 return AVB_IO_RESULT_OK; 475 } 476 477 *out_is_trusted = true; 478 return AVB_IO_RESULT_OK; 479 } 480