1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include <android_avb/avb_atx_validate.h> 26 27 #include <android_avb/avb_rsa.h> 28 #include <android_avb/avb_sha.h> 29 #include <android_avb/avb_sysdeps.h> 30 #include <android_avb/avb_util.h> 31 #include <android_avb/avb_ops_user.h> 32 #include <android_avb/rk_avb_ops_user.h> 33 #include <malloc.h> 34 #include <common.h> 35 #ifdef CONFIG_DM_CRYPTO 36 #include <crypto.h> 37 #endif 38 39 /* The most recent unlock challenge generated. */ 40 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; 41 42 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 43 static void sha256(const uint8_t* data, 44 uint32_t length, 45 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 46 AvbSHA256Ctx context; 47 avb_sha256_init(&context); 48 avb_sha256_update(&context, data, length); 49 uint8_t* tmp = avb_sha256_final(&context); 50 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 51 } 52 53 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 54 static void sha512(const uint8_t* data, 55 uint32_t length, 56 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 57 AvbSHA512Ctx context; 58 avb_sha512_init(&context); 59 avb_sha512_update(&context, data, length); 60 uint8_t* tmp = avb_sha512_final(&context); 61 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 62 } 63 64 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 65 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 66 sha256((const uint8_t*)str, avb_strlen(str), hash); 67 } 68 69 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 70 static bool verify_permanent_attributes( 71 const AvbAtxPermanentAttributes* attributes, 72 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 73 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 74 #ifdef CONFIG_ROCKCHIP_PRELOADER_PUB_KEY 75 #ifdef CONFIG_DM_CRYPTO 76 u32 cap = CRYPTO_MD5 | CRYPTO_SHA1 | CRYPTO_SHA256 | CRYPTO_RSA2048; 77 uint8_t rsa_hash[256] = {0}; 78 uint8_t rsa_hash_revert[256] = {0}; 79 unsigned int rsaResult_temp[8]; 80 unsigned char rsaResult[32] = {0}; 81 struct rk_pub_key pub_key; 82 struct udevice *dev; 83 rsa_key rsa_key; 84 char *temp; 85 int ret = 0; 86 int i; 87 88 memset(&pub_key, 0, sizeof(struct rk_pub_key)); 89 ret = rk_avb_get_pub_key(&pub_key); 90 if (ret) 91 return false; 92 93 ret = rk_avb_get_perm_attr_cer(rsa_hash, 256); 94 if (ret) { 95 avb_error("get_perm_attr_cer error\n"); 96 return false; 97 } 98 99 for (i = 0; i < 256; i++) 100 rsa_hash_revert[255-i] = rsa_hash[i]; 101 102 dev = crypto_get_device(cap); 103 if (!dev) { 104 avb_error("Can't find crypto device for expected capability\n"); 105 return false; 106 } 107 108 memset(&rsa_key, 0x00, sizeof(rsa_key)); 109 rsa_key.algo = CRYPTO_RSA2048; 110 rsa_key.n = (u32 *)&pub_key.rsa_n; 111 rsa_key.e = (u32 *)&pub_key.rsa_e; 112 #ifdef CONFIG_ROCKCHIP_CRYPTO_V1 113 rsa_key.c = (u32 *)&pub_key.rsa_c; 114 #endif 115 ret = crypto_rsa_verify(dev, &rsa_key, (u8 *)rsa_hash_revert, (u8 *)rsaResult_temp); 116 if (ret) { 117 avb_error("Hardware verify error!\n"); 118 return false; 119 } 120 121 temp = (char *)rsaResult_temp; 122 for (i = 0; i < 32; i++) 123 rsaResult[31-i] = temp[i]; 124 125 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 126 if (memcmp((void*)rsaResult, (void*)hash, 32) == 0) 127 return true; 128 129 return false; 130 #endif 131 #else 132 if (attributes->version != 1) { 133 avb_error("Unsupported permanent attributes version.\n"); 134 return false; 135 } 136 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 137 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 138 avb_error("Invalid permanent attributes.\n"); 139 return false; 140 } 141 return true; 142 #endif 143 } 144 145 /* Verifies the format, key version, usage, and signature of a certificate. */ 146 static bool verify_certificate( 147 const AvbAtxCertificate* certificate, 148 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 149 uint64_t minimum_key_version, 150 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 151 const AvbAlgorithmData* algorithm_data; 152 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 153 154 if (certificate->signed_data.version != 1) { 155 avb_error("Unsupported certificate format.\n"); 156 return false; 157 } 158 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 159 sha512((const uint8_t*)&certificate->signed_data, 160 sizeof(AvbAtxCertificateSignedData), 161 certificate_hash); 162 if (!avb_rsa_verify(authority, 163 AVB_ATX_PUBLIC_KEY_SIZE, 164 certificate->signature, 165 AVB_RSA4096_NUM_BYTES, 166 certificate_hash, 167 AVB_SHA512_DIGEST_SIZE, 168 algorithm_data->padding, 169 algorithm_data->padding_len)) { 170 avb_error("Invalid certificate signature.\n"); 171 return false; 172 } 173 if (certificate->signed_data.key_version < minimum_key_version) { 174 avb_error("Key rollback detected.\n"); 175 return false; 176 } 177 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 178 expected_usage, 179 AVB_SHA256_DIGEST_SIZE)) { 180 avb_error("Invalid certificate usage.\n"); 181 return false; 182 } 183 return true; 184 } 185 186 /* Verifies signature and fields of a PIK certificate. */ 187 static bool verify_pik_certificate( 188 const AvbAtxCertificate* certificate, 189 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 190 uint64_t minimum_version) { 191 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 192 193 sha256_str("com.google.android.things.vboot.ca", expected_usage); 194 if (!verify_certificate( 195 certificate, authority, minimum_version, expected_usage)) { 196 avb_error("Invalid PIK certificate.\n"); 197 return false; 198 } 199 return true; 200 } 201 202 /* Verifies signature and fields of a PSK certificate. */ 203 static bool verify_psk_certificate( 204 const AvbAtxCertificate* certificate, 205 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 206 uint64_t minimum_version, 207 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 208 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 209 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 210 211 sha256_str("com.google.android.things.vboot", expected_usage); 212 if (!verify_certificate( 213 certificate, authority, minimum_version, expected_usage)) { 214 avb_error("Invalid PSK certificate.\n"); 215 return false; 216 } 217 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 218 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 219 expected_subject, 220 AVB_SHA256_DIGEST_SIZE)) { 221 avb_error("PSK: Product ID mismatch.\n"); 222 return false; 223 } 224 return true; 225 } 226 227 /* Verifies signature and fields of a PUK certificate. */ 228 static bool verify_puk_certificate( 229 const AvbAtxCertificate* certificate, 230 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 231 uint64_t minimum_version, 232 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 233 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 234 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 235 236 sha256_str("com.google.android.things.vboot.unlock", expected_usage); 237 if (!verify_certificate( 238 certificate, authority, minimum_version, expected_usage)) { 239 avb_error("Invalid PUK certificate.\n"); 240 return false; 241 } 242 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 243 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 244 expected_subject, 245 AVB_SHA256_DIGEST_SIZE)) { 246 avb_error("PUK: Product ID mismatch.\n"); 247 return false; 248 } 249 return true; 250 } 251 252 AvbIOResult avb_atx_validate_vbmeta_public_key( 253 AvbOps* ops, 254 const uint8_t* public_key_data, 255 size_t public_key_length, 256 const uint8_t* public_key_metadata, 257 size_t public_key_metadata_length, 258 bool* out_is_trusted) { 259 AvbIOResult result = AVB_IO_RESULT_OK; 260 AvbAtxPermanentAttributes permanent_attributes; 261 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 262 AvbAtxPublicKeyMetadata metadata; 263 uint64_t minimum_version; 264 265 /* Be pessimistic so we can exit early without having to remember to clear. 266 */ 267 *out_is_trusted = false; 268 269 /* Read and verify permanent attributes. */ 270 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 271 &permanent_attributes); 272 if (result != AVB_IO_RESULT_OK) { 273 avb_error("Failed to read permanent attributes.\n"); 274 return result; 275 } 276 result = ops->atx_ops->read_permanent_attributes_hash( 277 ops->atx_ops, permanent_attributes_hash); 278 if (result != AVB_IO_RESULT_OK) { 279 avb_error("Failed to read permanent attributes hash.\n"); 280 return result; 281 } 282 if (!verify_permanent_attributes(&permanent_attributes, 283 permanent_attributes_hash)) { 284 return AVB_IO_RESULT_OK; 285 } 286 287 /* Sanity check public key metadata. */ 288 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 289 avb_error("Invalid public key metadata.\n"); 290 return AVB_IO_RESULT_OK; 291 } 292 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 293 if (metadata.version != 1) { 294 avb_error("Unsupported public key metadata.\n"); 295 return AVB_IO_RESULT_OK; 296 } 297 298 /* Verify the PIK certificate. */ 299 result = ops->read_rollback_index( 300 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 301 if (result != AVB_IO_RESULT_OK) { 302 avb_error("Failed to read PIK minimum version.\n"); 303 return result; 304 } 305 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 306 permanent_attributes.product_root_public_key, 307 minimum_version)) { 308 return AVB_IO_RESULT_OK; 309 } 310 311 /* Verify the PSK certificate. */ 312 result = ops->read_rollback_index( 313 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 314 if (result != AVB_IO_RESULT_OK) { 315 avb_error("Failed to read PSK minimum version.\n"); 316 return result; 317 } 318 if (!verify_psk_certificate( 319 &metadata.product_signing_key_certificate, 320 metadata.product_intermediate_key_certificate.signed_data.public_key, 321 minimum_version, 322 permanent_attributes.product_id)) { 323 return AVB_IO_RESULT_OK; 324 } 325 326 /* Verify the PSK is the same key that verified vbmeta. */ 327 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 328 avb_error("Public key length mismatch.\n"); 329 return AVB_IO_RESULT_OK; 330 } 331 if (0 != avb_safe_memcmp( 332 metadata.product_signing_key_certificate.signed_data.public_key, 333 public_key_data, 334 AVB_ATX_PUBLIC_KEY_SIZE)) { 335 avb_error("Public key mismatch.\n"); 336 return AVB_IO_RESULT_OK; 337 } 338 339 /* Report the key versions used during verification. */ 340 ops->atx_ops->set_key_version( 341 ops->atx_ops, 342 AVB_ATX_PIK_VERSION_LOCATION, 343 metadata.product_intermediate_key_certificate.signed_data.key_version); 344 ops->atx_ops->set_key_version( 345 ops->atx_ops, 346 AVB_ATX_PSK_VERSION_LOCATION, 347 metadata.product_signing_key_certificate.signed_data.key_version); 348 349 *out_is_trusted = true; 350 return AVB_IO_RESULT_OK; 351 } 352 353 AvbIOResult avb_atx_generate_unlock_challenge( 354 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { 355 AvbIOResult result = AVB_IO_RESULT_OK; 356 AvbAtxPermanentAttributes permanent_attributes; 357 358 /* We need the permanent attributes to compute the product_id_hash. */ 359 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 360 if (result != AVB_IO_RESULT_OK) { 361 avb_error("Failed to read permanent attributes.\n"); 362 return result; 363 } 364 result = atx_ops->get_random( 365 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); 366 if (result != AVB_IO_RESULT_OK) { 367 avb_error("Failed to generate random challenge.\n"); 368 return result; 369 } 370 out_unlock_challenge->version = 1; 371 sha256(permanent_attributes.product_id, 372 AVB_ATX_PRODUCT_ID_SIZE, 373 out_unlock_challenge->product_id_hash); 374 avb_memcpy(out_unlock_challenge->challenge, 375 last_unlock_challenge, 376 AVB_ATX_UNLOCK_CHALLENGE_SIZE); 377 return result; 378 } 379 380 AvbIOResult avb_atx_validate_unlock_credential( 381 AvbAtxOps* atx_ops, 382 const AvbAtxUnlockCredential* unlock_credential, 383 bool* out_is_trusted) { 384 AvbIOResult result = AVB_IO_RESULT_OK; 385 AvbAtxPermanentAttributes permanent_attributes; 386 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 387 uint64_t minimum_version; 388 const AvbAlgorithmData* algorithm_data; 389 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; 390 391 /* Be pessimistic so we can exit early without having to remember to clear. 392 */ 393 *out_is_trusted = false; 394 395 /* Sanity check the credential. */ 396 if (unlock_credential->version != 1) { 397 avb_error("Unsupported unlock credential format.\n"); 398 return AVB_IO_RESULT_OK; 399 } 400 401 /* Read and verify permanent attributes. */ 402 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); 403 if (result != AVB_IO_RESULT_OK) { 404 avb_error("Failed to read permanent attributes.\n"); 405 return result; 406 } 407 result = atx_ops->read_permanent_attributes_hash(atx_ops, 408 permanent_attributes_hash); 409 if (result != AVB_IO_RESULT_OK) { 410 avb_error("Failed to read permanent attributes hash.\n"); 411 return result; 412 } 413 if (!verify_permanent_attributes(&permanent_attributes, 414 permanent_attributes_hash)) { 415 return AVB_IO_RESULT_OK; 416 } 417 418 /* Verify the PIK certificate. */ 419 result = atx_ops->ops->read_rollback_index( 420 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 421 if (result != AVB_IO_RESULT_OK) { 422 avb_error("Failed to read PIK minimum version.\n"); 423 return result; 424 } 425 if (!verify_pik_certificate( 426 &unlock_credential->product_intermediate_key_certificate, 427 permanent_attributes.product_root_public_key, 428 minimum_version)) { 429 return AVB_IO_RESULT_OK; 430 } 431 432 /* Verify the PUK certificate. The minimum version is shared with the PSK. */ 433 result = atx_ops->ops->read_rollback_index( 434 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 435 if (result != AVB_IO_RESULT_OK) { 436 avb_error("Failed to read PSK minimum version.\n"); 437 return result; 438 } 439 if (!verify_puk_certificate( 440 &unlock_credential->product_unlock_key_certificate, 441 unlock_credential->product_intermediate_key_certificate.signed_data 442 .public_key, 443 minimum_version, 444 permanent_attributes.product_id)) { 445 return AVB_IO_RESULT_OK; 446 } 447 448 /* Verify the challenge signature. */ 449 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 450 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); 451 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate 452 .signed_data.public_key, 453 AVB_ATX_PUBLIC_KEY_SIZE, 454 unlock_credential->challenge_signature, 455 AVB_RSA4096_NUM_BYTES, 456 challenge_hash, 457 AVB_SHA512_DIGEST_SIZE, 458 algorithm_data->padding, 459 algorithm_data->padding_len)) { 460 avb_error("Invalid unlock challenge signature.\n"); 461 return AVB_IO_RESULT_OK; 462 } 463 464 *out_is_trusted = true; 465 return AVB_IO_RESULT_OK; 466 } 467