1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 32 /* The most recent unlock challenge generated. */ 33 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 34 35 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 36 static void sha256(const uint8_t* data, 37 uint32_t length, 38 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 39 AvbSHA256Ctx context; 40 avb_sha256_init(&context); 41 avb_sha256_update(&context, data, length); 42 uint8_t* tmp = avb_sha256_final(&context); 43 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 44 } 45 46 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 47 static void sha512(const uint8_t* data, 48 uint32_t length, 49 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 50 AvbSHA512Ctx context; 51 avb_sha512_init(&context); 52 avb_sha512_update(&context, data, length); 53 uint8_t* tmp = avb_sha512_final(&context); 54 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 55 } 56 57 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 58 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 59 sha256((const uint8_t*)str, avb_strlen(str), hash); 60 } 61 62 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 63 static bool verify_permanent_attributes( 64 const AvbAtxPermanentAttributes* attributes, 65 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 66 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 67 68 if (attributes->version != 1) { 69 avb_error("Unsupported permanent attributes version.\n"); 70 return false; 71 } 72 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 73 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 74 avb_error("Invalid permanent attributes.\n"); 75 return false; 76 } 77 return true; 78 } 79 80 /* Verifies the format, key version, usage, and signature of a certificate. */ 81 static bool verify_certificate( 82 const AvbAtxCertificate* certificate, 83 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 84 uint64_t minimum_key_version, 85 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 86 const AvbAlgorithmData* algorithm_data; 87 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 88 89 if (certificate->signed_data.version != 1) { 90 avb_error("Unsupported certificate format.\n"); 91 return false; 92 } 93 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 94 sha512((const uint8_t*)&certificate->signed_data, 95 sizeof(AvbAtxCertificateSignedData), 96 certificate_hash); 97 if (!avb_rsa_verify(authority, 98 AVB_ATX_PUBLIC_KEY_SIZE, 99 certificate->signature, 100 AVB_RSA4096_NUM_BYTES, 101 certificate_hash, 102 AVB_SHA512_DIGEST_SIZE, 103 algorithm_data->padding, 104 algorithm_data->padding_len)) { 105 avb_error("Invalid certificate signature.\n"); 106 return false; 107 } 108 if (certificate->signed_data.key_version < minimum_key_version) { 109 avb_error("Key rollback detected.\n"); 110 return false; 111 } 112 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 113 expected_usage, 114 AVB_SHA256_DIGEST_SIZE)) { 115 avb_error("Invalid certificate usage.\n"); 116 return false; 117 } 118 return true; 119 } 120 121 /* Verifies signature and fields of a PIK certificate. */ 122 static bool verify_pik_certificate( 123 const AvbAtxCertificate* certificate, 124 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 125 uint64_t minimum_version) { 126 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 127 128 sha256_str("com.google.android.things.vboot.ca", expected_usage); 129 if (!verify_certificate( 130 certificate, authority, minimum_version, expected_usage)) { 131 avb_error("Invalid PIK certificate.\n"); 132 return false; 133 } 134 return true; 135 } 136 137 /* Verifies signature and fields of a PSK certificate. */ 138 static bool verify_psk_certificate( 139 const AvbAtxCertificate* certificate, 140 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 141 uint64_t minimum_version, 142 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 143 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 144 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 145 146 sha256_str("com.google.android.things.vboot", expected_usage); 147 if (!verify_certificate( 148 certificate, authority, minimum_version, expected_usage)) { 149 avb_error("Invalid PSK certificate.\n"); 150 return false; 151 } 152 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 153 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 154 expected_subject, 155 AVB_SHA256_DIGEST_SIZE)) { 156 avb_error("PSK: Product ID mismatch.\n"); 157 return false; 158 } 159 return true; 160 } 161 162 /* Verifies signature and fields of a PUK certificate. */ 163 static bool verify_puk_certificate( 164 const AvbAtxCertificate* certificate, 165 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 166 uint64_t minimum_version, 167 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 168 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 169 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 170 171 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 172 if (!verify_certificate( 173 certificate, authority, minimum_version, expected_usage)) { 174 avb_error("Invalid PUK certificate.\n"); 175 return false; 176 } 177 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 178 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 179 expected_subject, 180 AVB_SHA256_DIGEST_SIZE)) { 181 avb_error("PUK: Product ID mismatch.\n"); 182 return false; 183 } 184 return true; 185 } 186 187 AvbIOResult avb_atx_validate_vbmeta_public_key( 188 AvbOps* ops, 189 const uint8_t* public_key_data, 190 size_t public_key_length, 191 const uint8_t* public_key_metadata, 192 size_t public_key_metadata_length, 193 bool* out_is_trusted) { 194 AvbIOResult result = AVB_IO_RESULT_OK; 195 AvbAtxPermanentAttributes permanent_attributes; 196 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 197 AvbAtxPublicKeyMetadata metadata; 198 uint64_t minimum_version; 199 200 /* Be pessimistic so we can exit early without having to remember to clear. 201 */ 202 *out_is_trusted = false; 203 204 /* Read and verify permanent attributes. */ 205 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 206 &permanent_attributes); 207 if (result != AVB_IO_RESULT_OK) { 208 avb_error("Failed to read permanent attributes.\n"); 209 return result; 210 } 211 result = ops->atx_ops->read_permanent_attributes_hash( 212 ops->atx_ops, permanent_attributes_hash); 213 if (result != AVB_IO_RESULT_OK) { 214 avb_error("Failed to read permanent attributes hash.\n"); 215 return result; 216 } 217 if (!verify_permanent_attributes(&permanent_attributes, 218 permanent_attributes_hash)) { 219 return AVB_IO_RESULT_OK; 220 } 221 222 /* Sanity check public key metadata. */ 223 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 224 avb_error("Invalid public key metadata.\n"); 225 return AVB_IO_RESULT_OK; 226 } 227 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 228 if (metadata.version != 1) { 229 avb_error("Unsupported public key metadata.\n"); 230 return AVB_IO_RESULT_OK; 231 } 232 233 /* Verify the PIK certificate. */ 234 result = ops->read_rollback_index( 235 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 236 if (result != AVB_IO_RESULT_OK) { 237 avb_error("Failed to read PIK minimum version.\n"); 238 return result; 239 } 240 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 241 permanent_attributes.product_root_public_key, 242 minimum_version)) { 243 return AVB_IO_RESULT_OK; 244 } 245 246 /* Verify the PSK certificate. */ 247 result = ops->read_rollback_index( 248 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 249 if (result != AVB_IO_RESULT_OK) { 250 avb_error("Failed to read PSK minimum version.\n"); 251 return result; 252 } 253 if (!verify_psk_certificate( 254 &metadata.product_signing_key_certificate, 255 metadata.product_intermediate_key_certificate.signed_data.public_key, 256 minimum_version, 257 permanent_attributes.product_id)) { 258 return AVB_IO_RESULT_OK; 259 } 260 261 /* Verify the PSK is the same key that verified vbmeta. */ 262 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 263 avb_error("Public key length mismatch.\n"); 264 return AVB_IO_RESULT_OK; 265 } 266 if (0 != avb_safe_memcmp( 267 metadata.product_signing_key_certificate.signed_data.public_key, 268 public_key_data, 269 AVB_ATX_PUBLIC_KEY_SIZE)) { 270 avb_error("Public key mismatch.\n"); 271 return AVB_IO_RESULT_OK; 272 } 273 274 /* Report the key versions used during verification. */ 275 ops->atx_ops->set_key_version( 276 ops->atx_ops, 277 AVB_ATX_PIK_VERSION_LOCATION, 278 metadata.product_intermediate_key_certificate.signed_data.key_version); 279 ops->atx_ops->set_key_version( 280 ops->atx_ops, 281 AVB_ATX_PSK_VERSION_LOCATION, 282 metadata.product_signing_key_certificate.signed_data.key_version); 283 284 *out_is_trusted = true; 285 return AVB_IO_RESULT_OK; 286 } 287 288 AvbIOResult avb_atx_generate_unlock_challenge( 289 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 290 AvbIOResult result = AVB_IO_RESULT_OK; 291 AvbAtxPermanentAttributes permanent_attributes; 292 293 /* We need the permanent attributes to compute the product_id_hash. */ 294 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 295 if (result != AVB_IO_RESULT_OK) { 296 avb_error("Failed to read permanent attributes.\n"); 297 return result; 298 } 299 result = atx_ops->get_random( 300 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 301 if (result != AVB_IO_RESULT_OK) { 302 avb_error("Failed to generate random challenge.\n"); 303 return result; 304 } 305 out_unlock_challenge->version = 1; 306 sha256(permanent_attributes.product_id, 307 AVB_ATX_PRODUCT_ID_SIZE, 308 out_unlock_challenge->product_id_hash); 309 avb_memcpy(out_unlock_challenge->challenge, 310 last_unlock_challenge, 311 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 312 return result; 313 } 314 315 AvbIOResult avb_atx_validate_unlock_credential( 316 AvbAtxOps* atx_ops, 317 const AvbAtxUnlockCredential* unlock_credential, 318 bool* out_is_trusted) { 319 AvbIOResult result = AVB_IO_RESULT_OK; 320 AvbAtxPermanentAttributes permanent_attributes; 321 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 322 uint64_t minimum_version; 323 const AvbAlgorithmData* algorithm_data; 324 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 325 326 /* Be pessimistic so we can exit early without having to remember to clear. 327 */ 328 *out_is_trusted = false; 329 330 /* Sanity check the credential. */ 331 if (unlock_credential->version != 1) { 332 avb_error("Unsupported unlock credential format.\n"); 333 return AVB_IO_RESULT_OK; 334 } 335 336 /* Read and verify permanent attributes. */ 337 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 338 if (result != AVB_IO_RESULT_OK) { 339 avb_error("Failed to read permanent attributes.\n"); 340 return result; 341 } 342 result = atx_ops->read_permanent_attributes_hash(atx_ops, 343 permanent_attributes_hash); 344 if (result != AVB_IO_RESULT_OK) { 345 avb_error("Failed to read permanent attributes hash.\n"); 346 return result; 347 } 348 if (!verify_permanent_attributes(&permanent_attributes, 349 permanent_attributes_hash)) { 350 return AVB_IO_RESULT_OK; 351 } 352 353 /* Verify the PIK certificate. */ 354 result = atx_ops->ops->read_rollback_index( 355 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 356 if (result != AVB_IO_RESULT_OK) { 357 avb_error("Failed to read PIK minimum version.\n"); 358 return result; 359 } 360 if (!verify_pik_certificate( 361 &unlock_credential->product_intermediate_key_certificate, 362 permanent_attributes.product_root_public_key, 363 minimum_version)) { 364 return AVB_IO_RESULT_OK; 365 } 366 367 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 368 result = atx_ops->ops->read_rollback_index( 369 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 370 if (result != AVB_IO_RESULT_OK) { 371 avb_error("Failed to read PSK minimum version.\n"); 372 return result; 373 } 374 if (!verify_puk_certificate( 375 &unlock_credential->product_unlock_key_certificate, 376 unlock_credential->product_intermediate_key_certificate.signed_data 377 .public_key, 378 minimum_version, 379 permanent_attributes.product_id)) { 380 return AVB_IO_RESULT_OK; 381 } 382 383 /* Verify the challenge signature. */ 384 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 385 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 386 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 387 .signed_data.public_key, 388 AVB_ATX_PUBLIC_KEY_SIZE, 389 unlock_credential->challenge_signature, 390 AVB_RSA4096_NUM_BYTES, 391 challenge_hash, 392 AVB_SHA512_DIGEST_SIZE, 393 algorithm_data->padding, 394 algorithm_data->padding_len)) { 395 avb_error("Invalid unlock challenge signature.\n"); 396 return AVB_IO_RESULT_OK; 397 } 398 399 *out_is_trusted = true; 400 return AVB_IO_RESULT_OK; 401 } 402