| Randall Spangler | 6f1b82a | 2014-12-03 12:29:37 -0800 | [diff] [blame] | 1 | /* Copyright (c) 2014 The Chromium OS Authors. All rights reserved. |
| 2 | * Use of this source code is governed by a BSD-style license that can be |
| 3 | * found in the LICENSE file. |
| 4 | * |
| 5 | * Common functions between firmware and kernel verified boot. |
| 6 | */ |
| 7 | |
| 8 | #ifndef VBOOT_REFERENCE_VB2_COMMON_H_ |
| 9 | #define VBOOT_REFERENCE_VB2_COMMON_H_ |
| 10 | |
| 11 | #include "2api.h" |
| 12 | #include "2common.h" |
| 13 | #include "2return_codes.h" |
| 14 | #include "2sha.h" |
| 15 | #include "2struct.h" |
| 16 | #include "vb2_struct.h" |
| 17 | |
| 18 | /* |
| 19 | * Helper functions to get data pointed to by a public key or signature. |
| 20 | */ |
| 21 | |
| 22 | const uint8_t *vb2_packed_key_data(const struct vb2_packed_key *key); |
| 23 | uint8_t *vb2_signature_data(struct vb2_signature *sig); |
| 24 | |
| 25 | /** |
| 26 | * Verify the data pointed to by a subfield is inside the parent data. |
| 27 | * |
| 28 | * The subfield has a header pointed to by member, and a separate data |
| 29 | * field at an offset relative to the header. That is: |
| 30 | * |
| 31 | * struct parent { |
| 32 | * (possibly other parent fields) |
| 33 | * struct member { |
| 34 | * (member header fields) |
| 35 | * }; |
| 36 | * (possibly other parent fields) |
| 37 | * }; |
| 38 | * (possibly some other parent data) |
| 39 | * (member data) |
| 40 | * (possibly some other parent data) |
| 41 | * |
| 42 | * @param parent Parent data |
| 43 | * @param parent_size Parent size in bytes |
| 44 | * @param member Subfield header |
| 45 | * @param member_size Size of subfield header in bytes |
| 46 | * @param member_data_offset Offset of member data from start of member |
| 47 | * @param member_data_size Size of member data in bytes |
| 48 | * @return VB2_SUCCESS, or non-zero if error. |
| 49 | */ |
| 50 | int vb2_verify_member_inside(const void *parent, size_t parent_size, |
| 51 | const void *member, size_t member_size, |
| 52 | ptrdiff_t member_data_offset, |
| 53 | size_t member_data_size); |
| 54 | |
| 55 | /** |
| 56 | * Verify a signature is fully contained in its parent data |
| 57 | * |
| 58 | * @param parent Parent data |
| 59 | * @param parent_size Parent size in bytes |
| 60 | * @param sig Signature pointer |
| 61 | * @return VB2_SUCCESS, or non-zero if error. |
| 62 | */ |
| 63 | int vb2_verify_signature_inside(const void *parent, |
| 64 | uint32_t parent_size, |
| 65 | const struct vb2_signature *sig); |
| 66 | |
| 67 | |
| 68 | /** |
| 69 | * Verify a packed key is fully contained in its parent data |
| 70 | * |
| 71 | * @param parent Parent data |
| 72 | * @param parent_size Parent size in bytes |
| 73 | * @param key Packed key pointer |
| 74 | * @return VB2_SUCCESS, or non-zero if error. |
| 75 | */ |
| 76 | int vb2_verify_packed_key_inside(const void *parent, |
| 77 | uint32_t parent_size, |
| 78 | const struct vb2_packed_key *key); |
| 79 | |
| 80 | /** |
| 81 | * Unpack a vboot1-format key for use in verification |
| 82 | * |
| 83 | * The elements of the unpacked key will point into the source buffer, so don't |
| 84 | * free the source buffer until you're done with the key. |
| 85 | * |
| 86 | * @param key Destintion for unpacked key |
| 87 | * @param buf Source buffer containing packed key |
| 88 | * @param size Size of buffer in bytes |
| 89 | * @return VB2_SUCCESS, or non-zero error code if error. |
| 90 | */ |
| 91 | int vb2_unpack_key(struct vb2_public_key *key, |
| 92 | const uint8_t *buf, |
| 93 | uint32_t size); |
| 94 | |
| 95 | /** |
| 96 | * Verify a signature against an expected hash digest. |
| 97 | * |
| 98 | * @param key Key to use in signature verification |
| 99 | * @param sig Signature to verify (may be destroyed in process) |
| 100 | * @param digest Digest of signed data |
| 101 | * @param wb Work buffer |
| 102 | * @return VB2_SUCCESS, or non-zero if error. |
| 103 | */ |
| 104 | int vb2_verify_digest(const struct vb2_public_key *key, |
| 105 | struct vb2_signature *sig, |
| 106 | const uint8_t *digest, |
| 107 | const struct vb2_workbuf *wb); |
| 108 | |
| 109 | /** |
| 110 | * Verify data matches signature. |
| 111 | * |
| 112 | * @param data Data to verify |
| 113 | * @param size Size of data buffer. Note that amount of data to |
| 114 | * actually validate is contained in sig->data_size. |
| 115 | * @param sig Signature of data (destroyed in process) |
| 116 | * @param key Key to use to validate signature |
| 117 | * @param wb Work buffer |
| 118 | * @return VB2_SUCCESS, or non-zero error code if error. |
| 119 | */ |
| 120 | int vb2_verify_data(const uint8_t *data, |
| 121 | uint32_t size, |
| 122 | struct vb2_signature *sig, |
| 123 | const struct vb2_public_key *key, |
| 124 | const struct vb2_workbuf *wb); |
| 125 | |
| 126 | /** |
| Randall Spangler | b87d1ec | 2015-05-19 12:45:20 -0700 | [diff] [blame] | 127 | * Check the sanity of a key block structure. |
| 128 | * |
| 129 | * Verifies all the header fields. Does not verify key index or key block |
| 130 | * flags. Should be called before verifying the key block data itself using |
| 131 | * the key. (This function does not itself verify the signature - just that |
| 132 | * the right amount of data is claimed to be signed.) |
| 133 | * |
| 134 | * @param block Key block to verify |
| 135 | * @param size Size of key block buffer |
| 136 | * @param sig Which signature inside the keyblock to use |
| 137 | */ |
| 138 | int vb2_check_keyblock(const struct vb2_keyblock *block, |
| 139 | uint32_t size, |
| 140 | const struct vb2_signature *sig); |
| 141 | |
| 142 | /** |
| 143 | * Verify a key block using a public key. |
| Randall Spangler | 6f1b82a | 2014-12-03 12:29:37 -0800 | [diff] [blame] | 144 | * |
| 145 | * Header fields are also checked for sanity. Does not verify key index or key |
| 146 | * block flags. Signature inside block is destroyed during check. |
| 147 | * |
| 148 | * @param block Key block to verify |
| 149 | * @param size Size of key block buffer |
| 150 | * @param key Key to use to verify block |
| 151 | * @param wb Work buffer |
| 152 | * @return VB2_SUCCESS, or non-zero error code if error. |
| 153 | */ |
| 154 | int vb2_verify_keyblock(struct vb2_keyblock *block, |
| 155 | uint32_t size, |
| 156 | const struct vb2_public_key *key, |
| 157 | const struct vb2_workbuf *wb); |
| 158 | |
| 159 | /** |
| Randall Spangler | 3d5cd88 | 2015-05-20 17:22:17 -0700 | [diff] [blame] | 160 | * Verify a key block using its hash. |
| 161 | * |
| 162 | * Header fields are also checked for sanity. Does not verify key index or key |
| 163 | * block flags. Use this for self-signed keyblocks in developer mode. |
| 164 | * |
| 165 | * @param block Key block to verify |
| 166 | * @param size Size of key block buffer |
| 167 | * @param key Key to use to verify block |
| 168 | * @param wb Work buffer |
| 169 | * @return VB2_SUCCESS, or non-zero error code if error. |
| 170 | */ |
| 171 | int vb2_verify_keyblock_hash(const struct vb2_keyblock *block, |
| 172 | uint32_t size, |
| 173 | const struct vb2_workbuf *wb); |
| 174 | |
| 175 | /** |
| Randall Spangler | 6f1b82a | 2014-12-03 12:29:37 -0800 | [diff] [blame] | 176 | * Check the sanity of a firmware preamble using a public key. |
| 177 | * |
| 178 | * The signature in the preamble is destroyed during the check. |
| 179 | * |
| 180 | * @param preamble Preamble to verify |
| 181 | * @param size Size of preamble buffer |
| 182 | * @param key Key to use to verify preamble |
| 183 | * @param wb Work buffer |
| 184 | * @return VB2_SUCCESS, or non-zero error code if error. |
| 185 | */ |
| 186 | int vb2_verify_fw_preamble(struct vb2_fw_preamble *preamble, |
| 187 | uint32_t size, |
| 188 | const struct vb2_public_key *key, |
| 189 | const struct vb2_workbuf *wb); |
| 190 | |
| Randall Spangler | 2d25e83 | 2015-05-12 16:39:01 -0700 | [diff] [blame] | 191 | /** |
| 192 | * Check the sanity of a kernel preamble using a public key. |
| 193 | * |
| 194 | * The signature in the preamble is destroyed during the check. |
| 195 | * |
| 196 | * @param preamble Preamble to verify |
| 197 | * @param size Size of preamble buffer |
| 198 | * @param key Key to use to verify preamble |
| 199 | * @param wb Work buffer |
| 200 | * @return VB2_SUCCESS, or non-zero error code if error. |
| 201 | */ |
| 202 | int vb2_verify_kernel_preamble(struct vb2_kernel_preamble *preamble, |
| 203 | uint32_t size, |
| 204 | const struct vb2_public_key *key, |
| 205 | const struct vb2_workbuf *wb); |
| 206 | |
| Randall Spangler | 158b296 | 2016-06-03 14:00:27 -0700 | [diff] [blame] | 207 | /** |
| 208 | * Retrieve the 16-bit vmlinuz header address and size from the preamble. |
| 209 | * |
| 210 | * Size 0 means there is no 16-bit vmlinuz header present. Old preamble |
| 211 | * versions (<2.1) return 0 for both fields. |
| 212 | * |
| 213 | * @param preamble Preamble to check |
| 214 | * @param vmlinuz_header_address Destination for header address |
| 215 | * @param vmlinuz_header_size Destination for header size |
| 216 | */ |
| 217 | void vb2_kernel_get_vmlinuz_header(const struct vb2_kernel_preamble *preamble, |
| 218 | uint64_t *vmlinuz_header_address, |
| 219 | uint32_t *vmlinuz_header_size); |
| 220 | |
| 221 | /** |
| 222 | * Get the flags for the kernel preamble. |
| 223 | * |
| 224 | * @param preamble Preamble to check |
| 225 | * @return Flags for the preamble. Old preamble versions (<2.2) return 0. |
| 226 | */ |
| 227 | uint32_t vb2_kernel_get_flags(const struct vb2_kernel_preamble *preamble); |
| 228 | |
| Randall Spangler | 6f1b82a | 2014-12-03 12:29:37 -0800 | [diff] [blame] | 229 | #endif /* VBOOT_REFERENCE_VB2_COMMON_H_ */ |