From 5c5c11b5eb2f185aeb6ae432520093b0ef684b26 Mon Sep 17 00:00:00 2001 From: Ye Li Date: Tue, 5 Jun 2018 01:30:34 -0700 Subject: [PATCH] MLK-18591-1 android: Add the AVB library Porting the android AVB lib from imx u-boot v2018.03. Since 2019 u-boot has added latest AVB library, try to reuse it. Signed-off-by: Ye Li (cherry picked from commit 2105662ada738a271e12a81d775134a5821dc38f) (cherry picked from commit f7291d86c4183ce2e299ad271aa5618c71507ffc) (cherry picked from commit b871714c519e1bda3de6afbd354bee2cb246e4b7) (cherry picked from commit 64520f3e5f495ecce79177fba11e3d41299529b2) (cherry picked from commit 076fe5bc4d29deaf6d008e579b5cfe7408bc4525) --- common/board_r.c | 11 + include/fsl_avb.h | 274 ++++++ lib/Kconfig | 21 +- lib/Makefile | 1 + lib/avb/Makefile | 18 + lib/avb/fsl/Makefile | 10 + lib/avb/fsl/debug.h | 35 + lib/avb/fsl/fsl_atx_attributes.c | 145 +++ lib/avb/fsl/fsl_atx_attributes.h | 18 + lib/avb/fsl/fsl_avb.c | 861 ++++++++++++++++++ lib/avb/fsl/fsl_avb_ab_flow.c | 1105 +++++++++++++++++++++++ lib/avb/fsl/fsl_avb_sysdeps_uboot.c | 70 ++ lib/avb/fsl/fsl_avbkey.c | 1192 +++++++++++++++++++++++++ lib/avb/fsl/fsl_avbkey.h | 108 +++ lib/avb/fsl/fsl_bootctl.c | 209 +++++ lib/avb/fsl/fsl_public_key.h | 144 +++ lib/avb/fsl/utils.c | 216 +++++ lib/avb/fsl/utils.h | 42 + lib/avb/libavb_ab/Makefile | 2 + lib/avb/libavb_ab/avb_ab_flow.c | 540 +++++++++++ lib/avb/libavb_ab/avb_ab_flow.h | 261 ++++++ lib/avb/libavb_ab/avb_ab_ops.h | 79 ++ lib/avb/libavb_ab/libavb_ab.h | 51 ++ lib/avb/libavb_atx/Makefile | 2 + lib/avb/libavb_atx/avb_atx_ops.h | 84 ++ lib/avb/libavb_atx/avb_atx_types.h | 96 ++ lib/avb/libavb_atx/avb_atx_validate.c | 401 +++++++++ lib/avb/libavb_atx/avb_atx_validate.h | 91 ++ lib/avb/libavb_atx/libavb_atx.h | 41 + lib/libavb/Makefile | 3 + lib/libavb/avb_cmdline.c | 4 +- lib/libavb/avb_crc32.c | 114 +++ lib/libavb/avb_slot_verify.c | 55 ++ 33 files changed, 6301 insertions(+), 3 deletions(-) create mode 100644 include/fsl_avb.h create mode 100644 lib/avb/Makefile create mode 100644 lib/avb/fsl/Makefile create mode 100644 lib/avb/fsl/debug.h create mode 100644 lib/avb/fsl/fsl_atx_attributes.c create mode 100644 lib/avb/fsl/fsl_atx_attributes.h create mode 100644 lib/avb/fsl/fsl_avb.c create mode 100644 lib/avb/fsl/fsl_avb_ab_flow.c create mode 100644 lib/avb/fsl/fsl_avb_sysdeps_uboot.c create mode 100644 lib/avb/fsl/fsl_avbkey.c create mode 100644 lib/avb/fsl/fsl_avbkey.h create mode 100755 lib/avb/fsl/fsl_bootctl.c create mode 100644 lib/avb/fsl/fsl_public_key.h create mode 100644 lib/avb/fsl/utils.c create mode 100644 lib/avb/fsl/utils.h create mode 100644 lib/avb/libavb_ab/Makefile create mode 100644 lib/avb/libavb_ab/avb_ab_flow.c create mode 100644 lib/avb/libavb_ab/avb_ab_flow.h create mode 100644 lib/avb/libavb_ab/avb_ab_ops.h create mode 100644 lib/avb/libavb_ab/libavb_ab.h create mode 100644 lib/avb/libavb_atx/Makefile create mode 100644 lib/avb/libavb_atx/avb_atx_ops.h create mode 100644 lib/avb/libavb_atx/avb_atx_types.h create mode 100644 lib/avb/libavb_atx/avb_atx_validate.c create mode 100644 lib/avb/libavb_atx/avb_atx_validate.h create mode 100644 lib/avb/libavb_atx/libavb_atx.h create mode 100644 lib/libavb/avb_crc32.c diff --git a/common/board_r.c b/common/board_r.c index c835ff8e26..2fde0a1359 100644 --- a/common/board_r.c +++ b/common/board_r.c @@ -578,6 +578,14 @@ int initr_mem(void) } #endif +#if defined(AVB_RPMB) && !defined(CONFIG_SPL) +extern int init_avbkey(void); +static int initr_avbkey(void) +{ + return init_avbkey(); +} +#endif + static int run_main_loop(void) { #ifdef CONFIG_SANDBOX @@ -797,6 +805,9 @@ static init_fnc_t init_sequence_r[] = { #endif #ifdef CONFIG_EFI_SETUP_EARLY (init_fnc_t)efi_init_obj_list, +#endif +#if defined(AVB_RPMB) && !defined(CONFIG_SPL) + initr_avbkey, #endif run_main_loop, }; diff --git a/include/fsl_avb.h b/include/fsl_avb.h new file mode 100644 index 0000000000..225f42ab09 --- /dev/null +++ b/include/fsl_avb.h @@ -0,0 +1,274 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef __FSL_AVB_H__ +#define __FSL_AVB_H__ + +#include "../lib/avb/libavb_ab/libavb_ab.h" +#include "../lib/avb/libavb_atx/libavb_atx.h" +/* Reads |num_bytes| from offset |offset| from partition with name + * |partition| (NUL-terminated UTF-8 string). If |offset| is + * negative, its absolute value should be interpreted as the number + * of bytes from the end of the partition. + * + * This function returns AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION if + * there is no partition with the given name, + * AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION if the requested + * |offset| is outside the partition, and AVB_IO_RESULT_ERROR_IO if + * there was an I/O error from the underlying I/O subsystem. If the + * operation succeeds as requested AVB_IO_RESULT_OK is returned and + * the data is available in |buffer|. + * + * The only time partial I/O may occur is if reading beyond the end + * of the partition. In this case the value returned in + * |out_num_read| may be smaller than |num_bytes|. + */ +AvbIOResult fsl_read_from_partition(AvbOps* ops, const char* partition, + int64_t offset, size_t num_bytes, + void* buffer, size_t* out_num_read); + +/* multi block read version + * */ +AvbIOResult fsl_read_from_partition_multi(AvbOps* ops, const char* partition, + int64_t offset, size_t num_bytes, + void* buffer, size_t* out_num_read); + +/* Writes |num_bytes| from |bffer| at offset |offset| to partition + * with name |partition| (NUL-terminated UTF-8 string). If |offset| + * is negative, its absolute value should be interpreted as the + * number of bytes from the end of the partition. + * + * This function returns AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION if + * there is no partition with the given name, + * AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION if the requested + * byterange goes outside the partition, and AVB_IO_RESULT_ERROR_IO + * if there was an I/O error from the underlying I/O subsystem. If + * the operation succeeds as requested AVB_IO_RESULT_OK is + * returned. + * + * This function never does any partial I/O, it either transfers all + * of the requested bytes or returns an error. + */ +AvbIOResult fsl_write_to_partition(AvbOps* ops, const char* partition, + int64_t offset, size_t num_bytes, + const void* buffer); + +/* Reads A/B metadata from persistent storage. Returned data is + * properly byteswapped. Returns AVB_IO_RESULT_OK on success, error + * code otherwise. + * + * If the data read is invalid (e.g. wrong magic or CRC checksum + * failure), the metadata shoule be reset using avb_ab_data_init() + * and then written to persistent storage. + * + * Implementations will typically want to use avb_ab_data_read() + * here to use the 'misc' partition for persistent storage. + */ +AvbIOResult fsl_read_ab_metadata(AvbABOps* ab_ops, struct AvbABData* data); + +/* Writes A/B metadata to persistent storage. This will byteswap and + * update the CRC as needed. Returns AVB_IO_RESULT_OK on success, + * error code otherwise. + * + * Implementations will typically want to use avb_ab_data_write() + * here to use the 'misc' partition for persistent storage. + */ +AvbIOResult fsl_write_ab_metadata(AvbABOps* ab_ops, const struct AvbABData* data); + +/* Checks if the given public key used to sign the 'vbmeta' + * partition is trusted. Boot loaders typically compare this with + * embedded key material generated with 'avbtool + * extract_public_key'. + * + * If AVB_IO_RESULT_OK is returned then |out_is_trusted| is set - + * true if trusted or false if untrusted. + */ +AvbIOResult fsl_validate_vbmeta_public_key_rpmb(AvbOps* ops, + const uint8_t* public_key_data, + size_t public_key_length, + const uint8_t* public_key_metadata, + size_t public_key_metadata_length, + bool* out_is_trusted); + +/* Gets the rollback index corresponding to the slot given by + * |rollback_index_slot|. The value is returned in + * |out_rollback_index|. Returns AVB_IO_RESULT_OK if the rollback + * index was retrieved, otherwise an error code. + * + * A device may have a limited amount of rollback index slots (say, + * one or four) so may error out if |rollback_index_slot| exceeds + * this number. + */ +AvbIOResult fsl_read_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot, + uint64_t* out_rollback_index); + +/* Sets the rollback index corresponding to the slot given by + * |rollback_index_slot| to |rollback_index|. Returns + * AVB_IO_RESULT_OK if the rollback index was set, otherwise an + * error code. + * + * A device may have a limited amount of rollback index slots (say, + * one or four) so may error out if |rollback_index_slot| exceeds + * this number. + */ +AvbIOResult fsl_write_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot, + uint64_t rollback_index); + +/* Gets whether the device is unlocked. The value is returned in + * |out_is_unlocked| (true if unlocked, false otherwise). Returns + * AVB_IO_RESULT_OK if the state was retrieved, otherwise an error + * code. + */ +AvbIOResult fsl_read_is_device_unlocked(AvbOps* ops, bool* out_is_unlocked); + +/* Gets the unique partition GUID for a partition with name in + * |partition| (NUL-terminated UTF-8 string). The GUID is copied as + * a string into |guid_buf| of size |guid_buf_size| and will be NUL + * terminated. The string must be lower-case and properly + * hyphenated. For example: + * + * 527c1c6d-6361-4593-8842-3c78fcd39219 + * + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ +AvbIOResult fsl_get_unique_guid_for_partition(AvbOps* ops, + const char* partition, + char* guid_buf, + size_t guid_buf_size); + +/* Gets the size of a partition with the name in |partition| + * (NUL-terminated UTF-8 string). Returns the value in + * |out_size_num_bytes|. + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ +AvbIOResult fsl_get_size_of_partition(AvbOps* ops, + const char* partition, + uint64_t* out_size_num_bytes); +/* check if the fastboot getvar cmd is for query [avb] bootctl's slot var + * cmd is the fastboot getvar's cmd in + * return true if it is a bootctl related cmd, false if it's not. + * */ +bool is_slotvar_avb(char *cmd); + +/* Get current bootable slot with higher priority. + * return 0 for the first slot + * return 1 for the second slot + * return -1 for not supported slot + * */ +int get_curr_slot(AvbABData *ab_data); + +/* return 0 for the first slot + * return 1 for the second slot + * return -1 for not supported slot + * */ +int slotidx_from_suffix(char *suffix); + +/* return fastboot's getvar cmd response + * cmd is the fastboot getvar's cmd in + * if return 0, buffer is bootctl's slot var out + * if return -1, buffer is error string + * */ +int get_slotvar_avb(AvbABOps *ab_ops, char *cmd, char *buffer, size_t size); + +/* reset rollback_index part in avbkey partition + * used in the switch from LOCK to UNLOCK + * return 0 if success, non 0 if fail. + * */ +int rbkidx_erase(void); + +/* init the avbkey in rpmb partition, include the header/public key/rollback index + * for public key/rollback index part, use caam to do encrypt + * return 0 if success, non 0 if fail. + * */ +int avbkey_init(uint8_t *plainkey, uint32_t keylen); + +/* read a/b metadata to get curr slot + * return slot suffix '_a'/'_b' or NULL */ +char *select_slot(AvbABOps *ab_ops); + +/* Reads permanent |attributes| data. There are no restrictions on where this + * data is stored. On success, returns AVB_IO_RESULT_OK and populates + * |attributes|. + */ +AvbIOResult fsl_read_permanent_attributes( + AvbAtxOps* atx_ops, AvbAtxPermanentAttributes* attributes); + +/* Reads a |hash| of permanent attributes. This hash MUST be retrieved from a + * permanently read-only location (e.g. fuses) when a device is LOCKED. On + * success, returned AVB_IO_RESULT_OK and populates |hash|. + */ +AvbIOResult fsl_read_permanent_attributes_hash(AvbAtxOps* atx_ops, + uint8_t hash[AVB_SHA256_DIGEST_SIZE]); + +/* Provides the key version of a key used during verification. This may be + * useful for managing the minimum key version. + */ +void fsl_set_key_version(AvbAtxOps* atx_ops, + size_t rollback_index_location, + uint64_t key_version); + +/* This is the fast version of avb_ab_flow(), this function will + * not check another slot if one slot can pass the verify (or verify + * fail is acceptable). + */ +AvbABFlowResult avb_ab_flow_fast(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data); + +/* This is for legacy i.mx6/7 which don't enable A/B but want to + * verify boot/recovery with AVB */ +AvbABFlowResult avb_single_flow(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data); + +/* Avb verify flow for dual bootloader, only the slot chosen by SPL will + * be verified. + */ +AvbABFlowResult avb_flow_dual_uboot(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data); +/* Generates |num_bytes| random bytes and stores them in |output|, + * which must point to a buffer large enough to store the bytes. + * + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ +AvbIOResult fsl_get_random(AvbAtxOps* atx_ops, + size_t num_bytes, + uint8_t* output); + +/* Program ATX perm_attr into RPMB partition */ +int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size); + +/* Initialize rpmb key with the staged key */ +int fastboot_set_rpmb_key(uint8_t *staged_buf, uint32_t key_size); + +/* Initialize rpmb key with random key which is generated by caam rng */ +int fastboot_set_rpmb_random_key(void); + +/* Generate ATX unlock challenge */ +int avb_atx_get_unlock_challenge(struct AvbAtxOps* atx_ops, + uint8_t *upload_buffer, uint32_t *size); +/* Verify ATX unlock credential */ +int avb_atx_verify_unlock_credential(struct AvbAtxOps* atx_ops, + uint8_t *staged_buffer); +/* Check if the perm-attr have been fused. */ +bool perm_attr_are_fused(void); + +/* Check if the unlock vboot is already disabled */ +bool at_unlock_vboot_is_disabled(void); + +/* disable at unlock vboot */ +int at_disable_vboot_unlock(void); + +/* Set vbmeta public key */ +int avb_set_public_key(uint8_t *staged_buffer, uint32_t size); +#endif /* __FSL_AVB_H__ */ diff --git a/lib/Kconfig b/lib/Kconfig index 7288340614..8291964686 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -345,6 +345,25 @@ config LIBAVB device. Introduces such features as boot chain of trust, rollback protection etc. +config AVB_SUPPORT + bool "Enable Android AVB lib support" + select LIBAVB + +config AVB_ATX + bool "Enable AVB_ATX support" + depends on AVB_SUPPORT + +config APPEND_BOOTARGS + bool "Append bootargs support" + +config DUAL_BOOTLOADER + bool "Enable dual bootloader support" + help + Enable A/B bootloader select in SPL. + +config AT_AUTHENTICATE_UNLOCK + bool "Enable authenticate unlock for Android Things devices" + endmenu menu "Hashing Support" @@ -440,7 +459,7 @@ config LZ4 is included. The LZ4 algorithm can run in-place as long as the compressed image is loaded to the end of the output buffer, and trades lower compression ratios for much faster decompression. - + NOTE: This implements the release version of the LZ4 frame format as generated by default by the 'lz4' command line tool. This is not the same as the outdated, less efficient legacy diff --git a/lib/Makefile b/lib/Makefile index edc1c3dd4f..9e7cef7a99 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -72,6 +72,7 @@ obj-$(CONFIG_$(SPL_)LZMA) += lzma/ obj-$(CONFIG_$(SPL_)LZ4) += lz4_wrapper.o obj-$(CONFIG_LIBAVB) += libavb/ +obj-$(CONFIG_AVB_SUPPORT) += avb/ obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/ ifneq ($(CONFIG_$(SPL_TPL_)BUILD)$(CONFIG_$(SPL_TPL_)OF_PLATDATA),yy) diff --git a/lib/avb/Makefile b/lib/avb/Makefile new file mode 100644 index 0000000000..00957e253b --- /dev/null +++ b/lib/avb/Makefile @@ -0,0 +1,18 @@ +subdir-ccflags-y += -I./lib/avb \ + -D_FILE_OFFSET_BITS=64 \ + -D_POSIX_C_SOURCE=199309L \ + -Wa,--noexecstack \ + -Wall \ + -Wextra \ + -Wformat=2 \ + -Wno-type-limits \ + -Wno-psabi \ + -Wno-unused-parameter \ + -ffunction-sections \ + -std=gnu99 + +ifndef CONFIG_SPL_BUILD +obj-y += libavb_ab/ +obj-$(CONFIG_AVB_ATX) += libavb_atx/ +endif +obj-y += fsl/ diff --git a/lib/avb/fsl/Makefile b/lib/avb/fsl/Makefile new file mode 100644 index 0000000000..9c2fb44fc0 --- /dev/null +++ b/lib/avb/fsl/Makefile @@ -0,0 +1,10 @@ +ifndef CONFIG_SPL_BUILD +obj-y += fsl_avb.o +obj-y += fsl_bootctl.o +obj-y += fsl_avb_sysdeps_uboot.o +endif + +obj-y += fsl_avbkey.o +obj-y += utils.o +obj-y += fsl_avb_ab_flow.o +obj-$(CONFIG_AVB_ATX) += fsl_atx_attributes.o diff --git a/lib/avb/fsl/debug.h b/lib/avb/fsl/debug.h new file mode 100644 index 0000000000..c1165ec1ec --- /dev/null +++ b/lib/avb/fsl/debug.h @@ -0,0 +1,35 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef __AVB_DEBUG_H__ +#define __AVB_DEBUG_H__ + +#ifdef AVB_VVDEBUG +#define AVB_VDEBUG +#define VVDEBUG(format, ...) printf(" %s: "format, __func__, ##__VA_ARGS__) +#else +#define VVDEBUG(format, ...) +#endif + +#ifdef AVB_VDEBUG +#define AVB_DEBUG +#define VDEBUG(format, ...) printf(" %s: "format, __func__, ##__VA_ARGS__) +#else +#define VDEBUG(format, ...) +#endif + +#ifdef AVB_DEBUG +#define DEBUGAVB(format, ...) printf(" %s: "format, __func__, ##__VA_ARGS__) +#else +#define DEBUGAVB(format, ...) +#endif + +#define ERR(format, ...) printf("%s: "format, __func__, ##__VA_ARGS__) + +#define HEXDUMP_COLS 16 +#define HEXDUMP_WIDTH 1 + +#endif diff --git a/lib/avb/fsl/fsl_atx_attributes.c b/lib/avb/fsl/fsl_atx_attributes.c new file mode 100644 index 0000000000..2297140dd1 --- /dev/null +++ b/lib/avb/fsl/fsl_atx_attributes.c @@ -0,0 +1,145 @@ +/* + * Copyright 2018 NXP + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +/* This product_id is generated from + * extern/avb/test/data/atx_product_id.bin */ +unsigned char fsl_atx_product_id[16] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +}; +/* This product_root_public_key is generated form + * extern/avb/test/data/testkey_atx_prk.pem */ +unsigned char fsl_product_root_public_key[1032] = { + 0x00,0x00,0x10,0x00,0x9f,0x35,0xef,0x65, + 0xc3,0x29,0x4c,0x23,0x16,0x10,0xac,0x32, + 0xc1,0x3c,0xd5,0xc5,0xab,0xa1,0xd9,0xe7, + 0x13,0x3f,0x7e,0xd1,0xe6,0x61,0x5d,0xa3, + 0xa1,0x60,0xda,0x57,0x4b,0xb2,0xe6,0x0f, + 0xe1,0x50,0xbf,0x47,0xff,0x09,0xaf,0xcd, + 0x49,0x2d,0x82,0x33,0x76,0xa1,0xfe,0x28, + 0x5f,0x89,0x62,0xb3,0xc0,0xf1,0x11,0xaf, + 0x15,0x09,0x27,0xdb,0xeb,0x06,0x01,0xa2, + 0xf8,0xb7,0xd7,0x9c,0xe4,0x88,0x3a,0x86, + 0x05,0x02,0x20,0x69,0xb2,0x36,0x4c,0x3e, + 0x25,0x03,0xed,0xfc,0x0c,0x6b,0x1b,0x0a, + 0x04,0x9c,0xce,0x7f,0x83,0x82,0x60,0xd9, + 0x52,0x7e,0xc4,0x35,0x7b,0x1c,0xe6,0x64, + 0x9c,0x17,0xec,0x81,0xe7,0x9c,0x0c,0x8b, + 0x4b,0x7e,0x48,0xbe,0x00,0x98,0xa8,0x20, + 0x10,0x4c,0x9b,0xd1,0x16,0x5b,0x25,0xe9, + 0x4e,0x61,0xda,0x7c,0x63,0x80,0x8f,0xa4, + 0xac,0x74,0xee,0xa8,0x06,0xac,0x26,0xd5, + 0x71,0x6f,0xaa,0x73,0x20,0x9c,0x7f,0xcd, + 0x73,0xd4,0xa9,0xa0,0x7e,0x5a,0xb5,0x61, + 0xb0,0x88,0xb0,0xdd,0xdb,0x6b,0x79,0xd1, + 0x5a,0x9e,0x54,0x49,0x55,0xc6,0x89,0x76, + 0x7a,0xc6,0x78,0x99,0xdc,0xc9,0x00,0x5d, + 0x20,0xf5,0xfc,0x8f,0x39,0x46,0xf3,0x02, + 0x96,0x0d,0x9b,0xfb,0xbc,0xd5,0xcf,0x5a, + 0x4f,0xc4,0xb8,0x0b,0xd0,0xf3,0x19,0x3c, + 0x74,0x04,0xd5,0x94,0x2c,0x19,0x15,0x64, + 0xbf,0x53,0x67,0x97,0x7b,0x9e,0xc6,0xe0, + 0xfb,0x29,0x5b,0x90,0xad,0x04,0x8a,0xd8, + 0x5b,0xdf,0x69,0x09,0xe4,0xa5,0xe9,0xd9, + 0x0f,0xc4,0xff,0xae,0xb7,0x44,0x12,0xae, + 0xad,0x03,0x97,0xb8,0xda,0xd7,0x60,0x37, + 0x15,0xf2,0xb9,0xdb,0x10,0xf6,0xe2,0x26, + 0x48,0x7e,0x3e,0x3e,0xc3,0x67,0xd3,0xa6, + 0x02,0xf7,0xbc,0x60,0xed,0x45,0xdf,0x37, + 0xef,0xf9,0xea,0x97,0x5f,0x37,0xb4,0xeb, + 0xb4,0x91,0x6c,0x39,0x4d,0xed,0x52,0x15, + 0x39,0x47,0x59,0x62,0xde,0x32,0x55,0xe1, + 0xd4,0x15,0x58,0x7d,0x52,0x41,0x12,0x78, + 0xee,0x9f,0x0d,0xc8,0x5e,0x34,0x91,0xf9, + 0xe7,0x4c,0x1e,0xe7,0x2f,0x90,0x7f,0xbb, + 0xf8,0x99,0x3e,0xc9,0x79,0xab,0x01,0xdb, + 0x24,0x39,0xe3,0xb4,0xc9,0x52,0x73,0xdb, + 0x65,0x42,0xa5,0x2e,0x43,0x56,0xa0,0x33, + 0x8c,0x1a,0xb7,0xa1,0xed,0x5c,0xd0,0x14, + 0x93,0x8d,0x23,0x78,0x93,0xcb,0x3a,0x03, + 0x1f,0xbb,0xc6,0x7b,0xcd,0x51,0x4e,0xaa, + 0x14,0x01,0xe9,0x03,0x27,0x13,0xe2,0xb2, + 0xf8,0x36,0xc6,0xe3,0xc3,0x7f,0xb5,0x74, + 0x20,0x5e,0x17,0xaa,0x25,0x07,0x9b,0x60, + 0xda,0x83,0x98,0xb5,0x55,0xae,0x1b,0x7a, + 0xc1,0x1f,0x49,0x72,0xe2,0xcb,0x6a,0x11, + 0x77,0xdf,0x3f,0xc0,0x9f,0x8f,0x33,0xc7, + 0x10,0x17,0x8c,0xfc,0xd5,0xb7,0x5f,0x5e, + 0xb2,0xe3,0x7b,0x2e,0xdc,0xc7,0x34,0xdb, + 0x31,0xb0,0xdc,0x5d,0x14,0x98,0xb6,0x1a, + 0x2a,0xd4,0xb4,0x04,0x2c,0xf0,0x68,0x1c, + 0x91,0x60,0x28,0xa5,0x3b,0x01,0x98,0xb6, + 0x1e,0x6e,0xaa,0x35,0x89,0xc7,0x94,0xaa, + 0x9e,0xf0,0x11,0x52,0x0f,0x28,0xa1,0x3d, + 0xd3,0x17,0xb5,0x08,0xd8,0x7a,0x41,0xf9, + 0x07,0xe2,0x87,0x36,0xcd,0x86,0x3e,0x79, + 0x99,0x73,0x50,0x21,0x30,0x00,0xd2,0xf3, + 0x88,0x60,0x32,0x59,0x58,0x2f,0x55,0x93, + 0x86,0x56,0x9a,0x96,0xb9,0xf8,0xbf,0x24, + 0xc4,0xba,0xea,0xa4,0x73,0xb0,0x0c,0xa6, + 0xdb,0x09,0x2d,0x0a,0x36,0x3f,0x80,0xe6, + 0x85,0x7a,0xf3,0x01,0x90,0x3a,0xc6,0xee, + 0x2d,0xa8,0xce,0xb4,0x3f,0x3a,0xa6,0xa3, + 0xaf,0xb9,0x21,0xef,0x40,0x6f,0xf4,0x7f, + 0x78,0x25,0x55,0x39,0x53,0x67,0x53,0x56, + 0x8d,0x81,0xaf,0x63,0x97,0x68,0x86,0x75, + 0x66,0x14,0x1e,0xa6,0x63,0x1e,0x02,0xd0, + 0x41,0xd8,0x78,0x75,0x0d,0x76,0x77,0xfa, + 0x9c,0xc5,0xcc,0x54,0x06,0x25,0x53,0x95, + 0xeb,0x4b,0x7c,0xb4,0xc8,0xbb,0x5d,0x6b, + 0x6e,0xf0,0xd7,0x8d,0x3f,0xdf,0x93,0x4c, + 0x30,0x5b,0x02,0xf5,0x0e,0x49,0x87,0x60, + 0x5f,0x19,0x06,0x24,0x3d,0x5d,0x97,0x37, + 0x61,0xef,0x3e,0x0b,0x9e,0x85,0x1c,0x1a, + 0xa6,0x53,0x91,0xd2,0x2c,0x18,0x7c,0x8f, + 0x5b,0x4a,0xd5,0xdd,0xd9,0x8a,0xc3,0x92, + 0x19,0x54,0x39,0xde,0x33,0xa1,0xe1,0x37, + 0x60,0x3c,0x3b,0x3b,0xc5,0xed,0x1b,0xef, + 0x28,0xf5,0xdf,0x44,0x91,0xa3,0x1e,0x69, + 0x6a,0x35,0x85,0x6e,0x26,0x46,0x22,0x4d, + 0x87,0x92,0x44,0x6b,0x96,0xdb,0x75,0xfe, + 0x76,0x03,0x60,0xf7,0xfd,0x90,0x55,0x7d, + 0x6e,0xd7,0xaa,0x44,0x05,0xc7,0x23,0x37, + 0x12,0xa8,0xd4,0xb2,0x2b,0xed,0x41,0x5f, + 0x23,0x38,0x7c,0x16,0xe6,0x16,0xd3,0x10, + 0x19,0x12,0xcc,0x8b,0x6e,0xcd,0xd6,0xa6, + 0x39,0x8a,0x1b,0x24,0x3f,0x4d,0x6f,0xa6, + 0x00,0x7c,0xa0,0xa1,0x4a,0xfd,0xcd,0x68, + 0x50,0x76,0xc8,0x68,0x9d,0xeb,0xdf,0x24, + 0x39,0xaf,0x77,0xb2,0xb6,0xaf,0xb6,0x34, + 0x61,0x37,0x6a,0xfd,0xc7,0x6d,0x02,0x9f, + 0x29,0xd5,0x45,0xf4,0x89,0xd8,0x8c,0x5c, + 0xd3,0x31,0xa0,0x58,0x19,0x54,0x33,0x46, + 0x92,0xbc,0x1e,0x4b,0x14,0xac,0x73,0xa5, + 0x09,0x9f,0xb6,0x2b,0x2b,0x73,0x6b,0x83, + 0x86,0x13,0x6e,0x03,0xf7,0xe0,0x7d,0x81, + 0x47,0x18,0x08,0xea,0x09,0x10,0x24,0x61, + 0x6d,0x09,0x1d,0xb8,0x8e,0xba,0x04,0x4d, + 0xcc,0xe6,0xff,0x28,0x27,0x86,0x38,0x01, + 0x86,0xbe,0xf0,0x5b,0xf8,0x1a,0xd6,0xde, + 0xbe,0xf9,0x3b,0x76,0x3f,0x85,0x82,0x22, + 0x92,0x4b,0xe0,0x76,0x15,0xb2,0x57,0x5a, + 0xb0,0x64,0xde,0xce,0x93,0xb8,0x9f,0x25, + 0x53,0x8c,0x5e,0xdf,0x29,0x4e,0x50,0x69, + 0xfb,0x7e,0x33,0xcb,0x0e,0x28,0x01,0x6c, + 0xab,0xfa,0xd8,0x88,0x02,0xbc,0xf2,0xb1, + 0x0e,0x2f,0x6d,0x1c,0x8d,0xe4,0x11,0x23, + 0xcc,0x67,0x94,0x7b,0xf7,0x8a,0xf3,0x68, + 0x52,0xe4,0x82,0x25,0x86,0xc6,0x72,0x19, + 0x77,0x80,0x28,0xe3,0x86,0xc8,0x8a,0xea, + 0x3d,0x54,0x2f,0x0b,0x64,0x0a,0xc5,0x12, + 0x8c,0xb2,0x07,0x72,0x1b,0x09,0x9f,0x32, + 0xbd,0xa3,0xb0,0x0c,0x95,0xc8,0x4d,0xe5, + 0xd7,0x20,0xdb,0xf8,0x34,0x2a,0x9d,0x91, + 0x58,0x38,0x7a,0x9c,0xe0,0xa3,0x0f,0x40, + 0x9d,0xff,0xeb,0x4b,0xe2,0x16,0x94,0x32, + 0xce,0xe8,0x52,0x75,0x49,0xf4,0x71,0x13, + 0xbc,0x59,0x7d,0x9a,0xe8,0x60,0x29,0x58, + 0x1a,0x14,0x94,0xe6,0x37,0x23,0xad,0xfe, + 0x0b,0xf0,0x63,0x60,0x4f,0x5d,0x10,0x91, + 0xf2,0x50,0x8e,0x0b,0x4a,0x47,0xc9,0x0c, + 0x1f,0xdc,0x94,0x75,0x25,0x52,0x99,0xfc +}; diff --git a/lib/avb/fsl/fsl_atx_attributes.h b/lib/avb/fsl/fsl_atx_attributes.h new file mode 100644 index 0000000000..e6e43835a1 --- /dev/null +++ b/lib/avb/fsl/fsl_atx_attributes.h @@ -0,0 +1,18 @@ +/* + * Copyright 2018 NXP + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef __FSL_ATX_ATTRIBUTES_H__ +#define __FSL_ATX_ATTRIBUTES_H__ + +#define fsl_version 1 +/* This product_id is generated from + * extern/avb/test/data/atx_product_id.bin */ +extern unsigned char fsl_atx_product_id[17]; +/* This product_root_public_key is generated form + * extern/avb/test/data/testkey_atx_prk.pem */ +extern unsigned char fsl_product_root_public_key[1032]; + +#endif /* __FSL_ATX_ATTRIBUTES_H__ */ diff --git a/lib/avb/fsl/fsl_avb.c b/lib/avb/fsl/fsl_avb.c new file mode 100644 index 0000000000..ff92654e8b --- /dev/null +++ b/lib/avb/fsl/fsl_avb.c @@ -0,0 +1,861 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include +#include +#include + +#include +#include "../../../drivers/usb/gadget/fastboot_lock_unlock.h" + +#include +#include "fsl_avbkey.h" +#include "utils.h" +#include "debug.h" +#include "trusty/avb.h" +#if !defined(CONFIG_IMX_TRUSTY_OS) +#include "fsl_public_key.h" +#endif +#include "fsl_atx_attributes.h" + +#define FSL_AVB_DEV "mmc" +#define AVB_MAX_BUFFER_LENGTH 2048 + +static struct blk_desc *fs_dev_desc = NULL; +static struct blk_desc *get_mmc_desc(void) { + extern int mmc_get_env_dev(void); + int dev_no = mmc_get_env_dev(); + return blk_get_dev(FSL_AVB_DEV, dev_no); +} + + /* Reads |num_bytes| from offset |offset| from partition with name + * |partition| (NUL-terminated UTF-8 string). If |offset| is + * negative, its absolute value should be interpreted as the number + * of bytes from the end of the partition. + * + * This function returns AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION if + * there is no partition with the given name, + * AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION if the requested + * |offset| is outside the partition, and AVB_IO_RESULT_ERROR_IO if + * there was an I/O error from the underlying I/O subsystem. If the + * operation succeeds as requested AVB_IO_RESULT_OK is returned and + * the data is available in |buffer|. + * + * The only time partial I/O may occur is if reading beyond the end + * of the partition. In this case the value returned in + * |out_num_read| may be smaller than |num_bytes|. + */ + AvbIOResult fsl_read_from_partition(AvbOps* ops, const char* partition, + int64_t offset, size_t num_bytes, + void* buffer, size_t* out_num_read) +{ + struct fastboot_ptentry *pte; + unsigned char *bdata; + unsigned char *out_buf = (unsigned char *)buffer; + unsigned long blksz; + unsigned long s, cnt; + size_t num_read = 0; + lbaint_t part_start, part_end, bs, be; + margin_pos_t margin; + + AvbIOResult ret; + + DEBUGAVB("[%s]: offset=%ld, num_bytes=%zu\n", partition, (long)offset, num_bytes); + + assert(buffer != NULL && out_num_read != NULL); + + if ((fs_dev_desc = get_mmc_desc()) == NULL) { + ERR("mmc device not found\n"); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + + pte = fastboot_flash_find_ptn(partition); + if (!pte) { + ERR("no %s partition\n", partition); + fastboot_flash_dump_ptn(); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + + blksz = fs_dev_desc->blksz; + part_start = pte->start; + part_end = pte->start + pte->length - 1; + VDEBUG("blksz: %ld, part_end: %ld, part_start: %ld:\n", + blksz, part_end, part_start); + + if(get_margin_pos((uint64_t)part_start, (uint64_t)part_end, blksz, + &margin, offset, num_bytes, true)) + return AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION; + + bs = (lbaint_t)margin.blk_start; + be = (lbaint_t)margin.blk_end; + s = margin.start; + + // alloc a blksz mem + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) + return AVB_IO_RESULT_ERROR_OOM; + + // one block a time + while (bs <= be) { + memset(bdata, 0, blksz); + if (blk_dread(fs_dev_desc, bs, 1, bdata) != 1) { + ret = AVB_IO_RESULT_ERROR_IO; + goto fail; + } + cnt = blksz - s; + if (num_read + cnt > num_bytes) + cnt = num_bytes - num_read; + VDEBUG("cur: bs=%ld, start=%ld, cnt=%ld bdata=0x%08x\n", + bs, s, cnt, bdata); + memcpy(out_buf, bdata + s, cnt); + bs++; + num_read += cnt; + out_buf += cnt; + s = 0; + } + *out_num_read = num_read; + ret = AVB_IO_RESULT_OK; +#ifdef AVB_VVDEBUG + printf("\nnum_read=%zu", num_read); + printf("\n----dump---\n"); + print_buffer(0, buffer, HEXDUMP_WIDTH, num_read, 0); + printf("--- end ---\n"); +#endif + +fail: + free(bdata); + return ret; +} + +/* multi block read version of read_from_partition */ + AvbIOResult fsl_read_from_partition_multi(AvbOps* ops, const char* partition, + int64_t offset, size_t num_bytes, + void* buffer, size_t* out_num_read) +{ + struct fastboot_ptentry *pte; + unsigned char *bdata; + unsigned char *out_buf = (unsigned char *)buffer; + unsigned char *dst, *dst64 = NULL; + unsigned long blksz; + unsigned long s, cnt; + size_t num_read = 0; + lbaint_t part_start, part_end, bs, be, bm, blk_num; + margin_pos_t margin; + + AvbIOResult ret; + + DEBUGAVB("[%s]: offset=%ld, num_bytes=%zu\n", partition, (long)offset, num_bytes); + + assert(buffer != NULL && out_num_read != NULL); + + if ((fs_dev_desc = get_mmc_desc()) == NULL) { + ERR("mmc device not found\n"); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + + pte = fastboot_flash_find_ptn(partition); + if (!pte) { + ERR("no %s partition\n", partition); + fastboot_flash_dump_ptn(); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + + blksz = fs_dev_desc->blksz; + part_start = pte->start; + part_end = pte->start + pte->length - 1; + VDEBUG("blksz: %ld, part_end: %ld, part_start: %ld:\n", + blksz, part_end, part_start); + + if(get_margin_pos((uint64_t)part_start, (uint64_t)part_end, blksz, + &margin, offset, num_bytes, true)) + return AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION; + + bs = (lbaint_t)margin.blk_start; + be = (lbaint_t)margin.blk_end; + s = margin.start; + bm = margin.multi; + + // alloc a blksz mem + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) + return AVB_IO_RESULT_ERROR_OOM; + + // support multi blk read + while (bs <= be) { + if (!s && bm > 1) { + dst = out_buf; + dst64 = PTR_ALIGN(out_buf, 64); //for mmc blk read alignment + VDEBUG("cur: dst=0x%08x, dst64=0x%08x\n", dst, dst64); + if (dst64 != dst) { + dst = dst64; + bm--; + } + blk_num = bm; + cnt = bm * blksz; + bm = 0; //no more multi blk + } else { + blk_num = 1; + cnt = blksz - s; + if (num_read + cnt > num_bytes) + cnt = num_bytes - num_read; + dst = bdata; + } + VDEBUG("cur: bs=%ld, num=%ld, start=%ld, cnt=%ld dst=0x%08x\n", + bs, blk_num, s, cnt, dst); + if (blk_dread(fs_dev_desc, bs, blk_num, dst) != blk_num) { + ret = AVB_IO_RESULT_ERROR_IO; + goto fail; + } + + if (dst == bdata) + memcpy(out_buf, bdata + s, cnt); + else if (dst == dst64) + memcpy(out_buf, dst, cnt); //internal copy + + s = 0; + bs += blk_num; + num_read += cnt; + out_buf += cnt; +#ifdef AVB_VVDEBUG + printf("\nnum_read=%ld", cnt); + printf("\n----dump---\n"); + print_buffer(0, buffer, HEXDUMP_WIDTH, cnt, 0); + printf("--- end ---\n"); +#endif + } + *out_num_read = num_read; + ret = AVB_IO_RESULT_OK; +#ifdef AVB_VVDEBUG + printf("\nnum_read=%zu", num_read); + printf("\n----dump---\n"); + print_buffer(0, buffer, HEXDUMP_WIDTH, num_read, 0); + printf("--- end ---\n"); +#endif + +fail: + free(bdata); + return ret; +} + + /* Writes |num_bytes| from |bffer| at offset |offset| to partition + * with name |partition| (NUL-terminated UTF-8 string). If |offset| + * is negative, its absolute value should be interpreted as the + * number of bytes from the end of the partition. + * + * This function returns AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION if + * there is no partition with the given name, + * AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION if the requested + * byterange goes outside the partition, and AVB_IO_RESULT_ERROR_IO + * if there was an I/O error from the underlying I/O subsystem. If + * the operation succeeds as requested AVB_IO_RESULT_OK is + * returned. + * + * This function never does any partial I/O, it either transfers all + * of the requested bytes or returns an error. + */ + AvbIOResult fsl_write_to_partition(AvbOps* ops, const char* partition, + int64_t offset, size_t num_bytes, + const void* buffer) +{ + struct fastboot_ptentry *pte; + unsigned char *bdata; + unsigned char *in_buf = (unsigned char *)buffer; + unsigned long blksz; + unsigned long s, cnt; + size_t num_write = 0; + lbaint_t part_start, part_end, bs; + margin_pos_t margin; + + AvbIOResult ret; + + DEBUGAVB("[%s]: offset=%ld, num_bytes=%zu\n", partition, (long)offset, num_bytes); + + assert(buffer != NULL); + + if ((fs_dev_desc = get_mmc_desc()) == NULL) { + ERR("mmc device not found\n"); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + + pte = fastboot_flash_find_ptn(partition); + if (!pte) { + ERR("no %s partition\n", partition); + fastboot_flash_dump_ptn(); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + + blksz = fs_dev_desc->blksz; + part_start = pte->start; + part_end = pte->start + pte->length - 1; + VDEBUG("blksz: %ld, part_end: %ld, part_start: %ld:\n", + blksz, part_end, part_start); + + if(get_margin_pos((uint64_t)part_start, (uint64_t)part_end, blksz, + &margin, offset, num_bytes, false)) + return AVB_IO_RESULT_ERROR_RANGE_OUTSIDE_PARTITION; + + bs = (lbaint_t)margin.blk_start; + s = margin.start; + + // alloc a blksz mem + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) + return AVB_IO_RESULT_ERROR_OOM; + + while (num_write < num_bytes) { + memset(bdata, 0, blksz); + cnt = blksz - s; + if (num_write + cnt > num_bytes) + cnt = num_bytes - num_write; + if (!s || cnt != blksz) { //read blk first + if (blk_dread(fs_dev_desc, bs, 1, bdata) != 1) { + ret = AVB_IO_RESULT_ERROR_IO; + goto fail; + } + } + memcpy(bdata + s, in_buf, cnt); //change data + VDEBUG("cur: bs=%ld, start=%ld, cnt=%ld bdata=0x%08x\n", + bs, s, cnt, bdata); + if (blk_dwrite(fs_dev_desc, bs, 1, bdata) != 1) { + ret = AVB_IO_RESULT_ERROR_IO; + goto fail; + } + bs++; + num_write += cnt; + in_buf += cnt; + if (s != 0) + s = 0; + } + ret = AVB_IO_RESULT_OK; + +fail: + free(bdata); + return ret; +} + +/* Reads A/B metadata from persistent storage. Returned data is + * properly byteswapped. Returns AVB_IO_RESULT_OK on success, error + * code otherwise. + * + * If the data read is invalid (e.g. wrong magic or CRC checksum + * failure), the metadata shoule be reset using avb_ab_data_init() + * and then written to persistent storage. + * + * Implementations will typically want to use avb_ab_data_read() + * here to use the 'misc' partition for persistent storage. + */ +AvbIOResult fsl_read_ab_metadata(AvbABOps* ab_ops, struct AvbABData* data) +{ + return avb_ab_data_read(ab_ops, data); +} + +/* Writes A/B metadata to persistent storage. This will byteswap and + * update the CRC as needed. Returns AVB_IO_RESULT_OK on success, + * error code otherwise. + * + * Implementations will typically want to use avb_ab_data_write() + * here to use the 'misc' partition for persistent storage. + */ +AvbIOResult fsl_write_ab_metadata(AvbABOps* ab_ops, const struct AvbABData* data) +{ + return avb_ab_data_write(ab_ops, data); +} + +/* Gets whether the device is unlocked. The value is returned in + * |out_is_unlocked| (true if unlocked, false otherwise). Returns + * AVB_IO_RESULT_OK if the state was retrieved, otherwise an error + * code. + */ +AvbIOResult fsl_read_is_device_unlocked(AvbOps* ops, bool* out_is_unlocked) { + + FbLockState status; + + assert(out_is_unlocked != NULL); + *out_is_unlocked = false; + + status = fastboot_get_lock_stat(); + if (status != FASTBOOT_LOCK_ERROR) { + if (status == FASTBOOT_LOCK) + *out_is_unlocked = false; + else + *out_is_unlocked = true; + } else + return AVB_IO_RESULT_ERROR_IO; + + DEBUGAVB("is_unlocked=%d\n", *out_is_unlocked); + return AVB_IO_RESULT_OK; +} + +/* Gets the unique partition GUID for a partition with name in + * |partition| (NUL-terminated UTF-8 string). The GUID is copied as + * a string into |guid_buf| of size |guid_buf_size| and will be NUL + * terminated. The string must be lower-case and properly + * hyphenated. For example: + * + * 527c1c6d-6361-4593-8842-3c78fcd39219 + * + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ +AvbIOResult fsl_get_unique_guid_for_partition(AvbOps* ops, + const char* partition, + char* guid_buf, + size_t guid_buf_size) { + assert(guid_buf != NULL); +#ifdef CONFIG_PARTITION_UUIDS + struct fastboot_ptentry *pte; + pte = fastboot_flash_find_ptn(partition); + if (!pte) { + ERR("no %s partition\n", partition); + fastboot_flash_dump_ptn(); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + strncpy(guid_buf, (const char *)pte->uuid, guid_buf_size); + guid_buf[guid_buf_size - 1] = '\0'; + DEBUGAVB("[%s]: GUID=%s\n", partition, guid_buf); + return AVB_IO_RESULT_OK; +#else + return AVB_IO_RESULT_ERROR_IO; +#endif + +} +/* Gets the size of a partition with the name in |partition| + * (NUL-terminated UTF-8 string). Returns the value in + * |out_size_num_bytes|. + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ +AvbIOResult fsl_get_size_of_partition(AvbOps* ops, + const char* partition, + uint64_t* out_size_num_bytes) +{ + struct fastboot_ptentry *pte; + pte = fastboot_flash_find_ptn(partition); + if (!pte) { + ERR("no %s partition\n", partition); + fastboot_flash_dump_ptn(); + return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION; + } + *out_size_num_bytes = (uint64_t)(pte->length * 512); + return AVB_IO_RESULT_OK; +} + +#ifdef CONFIG_AVB_ATX +/* Reads permanent |attributes| data. There are no restrictions on where this + * data is stored. On success, returns AVB_IO_RESULT_OK and populates + * |attributes|. + */ +AvbIOResult fsl_read_permanent_attributes( + AvbAtxOps* atx_ops, AvbAtxPermanentAttributes* attributes) { +#ifdef CONFIG_IMX_TRUSTY_OS + if (!trusty_read_permanent_attributes((uint8_t *)attributes, + sizeof(AvbAtxPermanentAttributes))) { + return AVB_IO_RESULT_OK; + } + ERR("No perm-attr fused. Will use hard code one.\n"); +#endif /* CONFIG_IMX_TRUSTY_OS */ + + /* use hard code permanent attributes due to limited fuse and RPMB */ + attributes->version = fsl_version; + memcpy(attributes->product_root_public_key, fsl_product_root_public_key, + sizeof(fsl_product_root_public_key)); + memcpy(attributes->product_id, fsl_atx_product_id, + sizeof(fsl_atx_product_id)); + + return AVB_IO_RESULT_OK; +} + +/* Reads a |hash| of permanent attributes. This hash MUST be retrieved from a + * permanently read-only location (e.g. fuses) when a device is LOCKED. On + * success, returned AVB_IO_RESULT_OK and populates |hash|. + */ +AvbIOResult fsl_read_permanent_attributes_hash( + AvbAtxOps* atx_ops, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { +#ifdef CONFIG_ARM64 + /* calculate sha256(permanent attributes) */ + if (permanent_attributes_sha256_hash(hash) != RESULT_OK) { + return AVB_IO_RESULT_ERROR_IO; + } else { + return AVB_IO_RESULT_OK; + } +#else + uint8_t sha256_hash_buf[AVB_SHA256_DIGEST_SIZE]; + uint32_t sha256_hash_fuse[ATX_FUSE_BANK_NUM]; + + /* read first 112 bits of sha256(permanent attributes) from fuse */ + if (fsl_fuse_read(sha256_hash_fuse, ATX_FUSE_BANK_NUM, + PERMANENT_ATTRIBUTE_HASH_OFFSET)) { + printf("ERROR - read permanent attributes hash from " + "fuse error\n"); + return AVB_IO_RESULT_ERROR_IO; + } + /* only take the lower 2 bytes of last bank */ + sha256_hash_fuse[ATX_FUSE_BANK_NUM - 1] &= ATX_FUSE_BANK_MASK; + + /* calculate sha256(permanent attributes) */ + if (permanent_attributes_sha256_hash(sha256_hash_buf) != RESULT_OK) { + return AVB_IO_RESULT_ERROR_IO; + } + /* check if the sha256(permanent attributes) hash match the calculated one, + * if not match, just return all zeros hash. + */ + if (memcmp(sha256_hash_fuse, sha256_hash_buf, ATX_HASH_LENGTH)) { + printf("ERROR - sha256(permanent attributes) does not match\n"); + memset(hash, 0, AVB_SHA256_DIGEST_SIZE); + } else { + memcpy(hash, sha256_hash_buf, AVB_SHA256_DIGEST_SIZE); + } + + return AVB_IO_RESULT_OK; +#endif /* CONFIG_ARM64 */ +} + + /* Generates |num_bytes| random bytes and stores them in |output|, + * which must point to a buffer large enough to store the bytes. + * + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ +AvbIOResult fsl_get_random(AvbAtxOps* atx_ops, + size_t num_bytes, + uint8_t* output) +{ + uint32_t num = 0; + uint32_t i; + + if (output == NULL) { + ERR("Output buffer is NULL!\n"); + return AVB_IO_RESULT_ERROR_INSUFFICIENT_SPACE; + } + + /* set the seed as device boot time. */ + srand((uint32_t)get_timer(0)); + for (i = 0; i < num_bytes; i++) { + num = rand() % 256; + output[i] = (uint8_t)num; + } + + return AVB_IO_RESULT_OK; +} +/* Provides the key version of a key used during verification. This may be + * useful for managing the minimum key version. + */ +void fsl_set_key_version(AvbAtxOps* atx_ops, + size_t rollback_index_location, + uint64_t key_version) { + kblb_hdr_t hdr; + kblb_tag_t *rbk; + uint64_t *plain_idx = NULL; + struct mmc *mmc_dev; + static const uint32_t kTypeMask = 0xF000; + + DEBUGAVB("[rpmb] write to rollback slot: (%zu, %" PRIu64 ")\n", + rollback_index_location, key_version); + + assert(atx_ops != NULL); + + if ((mmc_dev = get_mmc()) == NULL) { + ERR("err get mmc device\n"); + } + /* read the kblb header */ + if (rpmb_read(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { + ERR("read RPMB error\n"); + } + + if (memcmp(hdr.magic, AVB_KBLB_MAGIC, AVB_KBLB_MAGIC_LEN) != 0) { + ERR("magic not match\n"); + } + + /* rollback index for Android Things key versions */ + rbk = &hdr.atx_rbk_tags[rollback_index_location & ~kTypeMask]; + + plain_idx = malloc(rbk->len); + if (plain_idx == NULL) + printf("\nError! allocate memory fail!\n"); + memset(plain_idx, 0, rbk->len); + *plain_idx = key_version; + + /* write rollback_index keyblob */ + if (rpmb_write(mmc_dev, (uint8_t *)plain_idx, rbk->len, rbk->offset) != + 0) { + ERR("write rollback index error\n"); + goto fail; + } +fail: + if (plain_idx != NULL) + free(plain_idx); +} +#endif /* CONFIG_AVB_ATX */ + +#ifdef AVB_RPMB +/* Checks if the given public key used to sign the 'vbmeta' + * partition is trusted. Boot loaders typically compare this with + * embedded key material generated with 'avbtool + * extract_public_key'. + * + * If AVB_IO_RESULT_OK is returned then |out_is_trusted| is set - + * true if trusted or false if untrusted. + */ +AvbIOResult fsl_validate_vbmeta_public_key_rpmb(AvbOps* ops, + const uint8_t* public_key_data, + size_t public_key_length, + const uint8_t* public_key_metadata, + size_t public_key_metadata_length, + bool* out_is_trusted) { + AvbIOResult ret; + assert(ops != NULL && out_is_trusted != NULL); + *out_is_trusted = false; + +#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) + uint8_t public_key_buf[AVB_MAX_BUFFER_LENGTH]; + if (trusty_read_vbmeta_public_key(public_key_buf, + public_key_length) != 0) { + ERR("Read public key error\n"); + /* We're not going to return error code here because it will + * abort the following avb verify process even we allow the + * verification error. Return AVB_IO_RESULT_OK and keep the + * 'out_is_trusted' as false, avb will handle the error + * depends on the 'allow_verification_error' flag. + */ + return AVB_IO_RESULT_OK; + } + + if (memcmp(public_key_buf, public_key_data, public_key_length)) { +#else + /* match given public key */ + if (memcmp(fsl_public_key, public_key_data, public_key_length)) { +#endif + ERR("public key not match\n"); + return AVB_IO_RESULT_OK; + } + + *out_is_trusted = true; + ret = AVB_IO_RESULT_OK; + + return ret; +} + +/* Sets the rollback index corresponding to the slot given by + * |rollback_index_slot| to |rollback_index|. Returns + * AVB_IO_RESULT_OK if the rollback index was set, otherwise an + * error code. + * + * A device may have a limited amount of rollback index slots (say, + * one or four) so may error out if |rollback_index_slot| exceeds + * this number. + */ +AvbIOResult fsl_write_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot, + uint64_t rollback_index) { + AvbIOResult ret; +#ifdef CONFIG_IMX_TRUSTY_OS + if (trusty_write_rollback_index(rollback_index_slot, rollback_index)) { + ERR("write rollback from Trusty error!\n"); +#ifndef CONFIG_AVB_ATX + /* Read/write rollback index from rpmb will fail if the rpmb + * key hasn't been set, return AVB_IO_RESULT_OK in this case. + */ + if (!rpmbkey_is_set()) + ret = AVB_IO_RESULT_OK; + else +#endif + ret = AVB_IO_RESULT_ERROR_IO; + } else { + ret = AVB_IO_RESULT_OK; + } + return ret; +#else + kblb_hdr_t hdr; + kblb_tag_t *rbk; + uint64_t *plain_idx = NULL; + struct mmc *mmc_dev; +#ifdef CONFIG_AVB_ATX + static const uint32_t kTypeMask = 0xF000; + static const unsigned int kTypeShift = 12; +#endif + + DEBUGAVB("[rpmb] write to rollback slot: (%zu, %" PRIu64 ")\n", + rollback_index_slot, rollback_index); + + assert(ops != NULL); + /* check if the rollback index location exceed the limit */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & ~kTypeMask) >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#else + if (rollback_index_slot >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#endif /* CONFIG_AVB_ATX */ + return AVB_IO_RESULT_ERROR_IO; + + if ((mmc_dev = get_mmc()) == NULL) { + ERR("err get mmc device\n"); + return AVB_IO_RESULT_ERROR_IO; + } + /* read the kblb header */ + if (rpmb_read(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { + ERR("read RPMB error\n"); + return AVB_IO_RESULT_ERROR_IO; + } + + if (memcmp(hdr.magic, AVB_KBLB_MAGIC, AVB_KBLB_MAGIC_LEN) != 0) { + ERR("magic not match\n"); + return AVB_IO_RESULT_ERROR_IO; + } + /* choose rollback index type */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & kTypeMask) >> kTypeShift) { + /* rollback index for Android Things key versions */ + rbk = &hdr.atx_rbk_tags[rollback_index_slot & ~kTypeMask]; + } else { + /* rollback index for vbmeta */ + rbk = &hdr.rbk_tags[rollback_index_slot & ~kTypeMask]; + } +#else + rbk = &hdr.rbk_tags[rollback_index_slot]; +#endif /* CONFIG_AVB_ATX */ + plain_idx = malloc(rbk->len); + if (plain_idx == NULL) + return AVB_IO_RESULT_ERROR_OOM; + memset(plain_idx, 0, rbk->len); + *plain_idx = rollback_index; + + /* write rollback_index keyblob */ + if (rpmb_write(mmc_dev, (uint8_t *)plain_idx, rbk->len, rbk->offset) != + 0) { + ERR("write rollback index error\n"); + ret = AVB_IO_RESULT_ERROR_IO; + goto fail; + } + ret = AVB_IO_RESULT_OK; +fail: + if (plain_idx != NULL) + free(plain_idx); + return ret; +#endif /* CONFIG_IMX_TRUSTY_OS */ +} + +/* Gets the rollback index corresponding to the slot given by + * |rollback_index_slot|. The value is returned in + * |out_rollback_index|. Returns AVB_IO_RESULT_OK if the rollback + * index was retrieved, otherwise an error code. + * + * A device may have a limited amount of rollback index slots (say, + * one or four) so may error out if |rollback_index_slot| exceeds + * this number. + */ +AvbIOResult fsl_read_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot, + uint64_t* out_rollback_index) { + AvbIOResult ret; +#ifdef CONFIG_IMX_TRUSTY_OS + if (trusty_read_rollback_index(rollback_index_slot, out_rollback_index)) { + ERR("read rollback from Trusty error!\n"); +#ifndef CONFIG_AVB_ATX + if (!rpmbkey_is_set()) { + *out_rollback_index = 0; + ret = AVB_IO_RESULT_OK; + } else +#endif + ret = AVB_IO_RESULT_ERROR_IO; + } else { + ret = AVB_IO_RESULT_OK; + } + return ret; +#else + kblb_hdr_t hdr; + kblb_tag_t *rbk; + uint64_t *extract_idx = NULL; + struct mmc *mmc_dev; +#ifdef CONFIG_AVB_ATX + static const uint32_t kTypeMask = 0xF000; + static const unsigned int kTypeShift = 12; +#endif + + assert(ops != NULL && out_rollback_index != NULL); + *out_rollback_index = ~0; + + DEBUGAVB("[rpmb] read rollback slot: %zu\n", rollback_index_slot); + + /* check if the rollback index location exceed the limit */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & ~kTypeMask) >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#else + if (rollback_index_slot >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#endif + return AVB_IO_RESULT_ERROR_IO; + + if ((mmc_dev = get_mmc()) == NULL) { + ERR("err get mmc device\n"); + return AVB_IO_RESULT_ERROR_IO; + } + /* read the kblb header */ + if (rpmb_read(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { + ERR("read RPMB error\n"); + return AVB_IO_RESULT_ERROR_IO; + } + + if (memcmp(hdr.magic, AVB_KBLB_MAGIC, AVB_KBLB_MAGIC_LEN) != 0) { + ERR("magic not match\n"); + return AVB_IO_RESULT_ERROR_IO; + } + /* choose rollback index type */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & kTypeMask) >> kTypeShift) { + /* rollback index for Android Things key versions */ + rbk = &hdr.atx_rbk_tags[rollback_index_slot & ~kTypeMask]; + } else { + /* rollback index for vbmeta */ + rbk = &hdr.rbk_tags[rollback_index_slot & ~kTypeMask]; + } +#else + rbk = &hdr.rbk_tags[rollback_index_slot]; +#endif /* CONFIG_AVB_ATX */ + extract_idx = malloc(rbk->len); + if (extract_idx == NULL) + return AVB_IO_RESULT_ERROR_OOM; + + /* read rollback_index keyblob */ + if (rpmb_read(mmc_dev, (uint8_t *)extract_idx, rbk->len, rbk->offset) != 0) { + ERR("read rollback index error\n"); + ret = AVB_IO_RESULT_ERROR_IO; + goto fail; + } + +#ifdef AVB_VVDEBUG + printf("\n----idx dump: ---\n"); + print_buffer(0, extract_idx, HEXDUMP_WIDTH, rbk->len, 0); + printf("--- end ---\n"); +#endif + *out_rollback_index = *extract_idx; + DEBUGAVB("rollback_index = %" PRIu64 "\n", *out_rollback_index); + ret = AVB_IO_RESULT_OK; +fail: + if (extract_idx != NULL) + free(extract_idx); + return ret; +#endif /* CONFIG_IMX_TRUSTY_OS */ +} +#else /* AVB_RPMB */ +/* + * In no security enhanced ARM64, we cannot protect public key. + * So that we choose to trust the key from vbmeta image + */ +AvbIOResult fsl_validate_vbmeta_public_key_rpmb(AvbOps* ops, + const uint8_t* public_key_data, + size_t public_key_length, + const uint8_t* public_key_metadata, + size_t public_key_metadata_length, + bool* out_is_trusted) { + *out_is_trusted = true; + return AVB_IO_RESULT_OK; +} + +/* In no security enhanced ARM64, rollback index has no protection so no use it */ +AvbIOResult fsl_write_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot, + uint64_t rollback_index) { + return AVB_IO_RESULT_OK; + +} +AvbIOResult fsl_read_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot, + uint64_t* out_rollback_index) { + *out_rollback_index = 0; + return AVB_IO_RESULT_OK; +} +#endif /* AVB_RPMB */ diff --git a/lib/avb/fsl/fsl_avb_ab_flow.c b/lib/avb/fsl/fsl_avb_ab_flow.c new file mode 100644 index 0000000000..76dd481f90 --- /dev/null +++ b/lib/avb/fsl/fsl_avb_ab_flow.c @@ -0,0 +1,1105 @@ +/* + * Copyright 2018 NXP + */ + +#include +#include +#include +#include +#include +#include +#include "utils.h" +#include "fsl_caam.h" +#include "fsl_avbkey.h" + +#if defined(CONFIG_DUAL_BOOTLOADER) || !defined(CONFIG_SPL_BUILD) +static const char* slot_suffixes[2] = {"_a", "_b"}; + +/* This is a copy of slot_set_unbootable() form + * external/avb/libavb_ab/avb_ab_flow.c. + */ +void fsl_slot_set_unbootable(AvbABSlotData* slot) { + slot->priority = 0; + slot->tries_remaining = 0; + slot->successful_boot = 0; +} + +/* Ensure all unbootable and/or illegal states are marked as the + * canonical 'unbootable' state, e.g. priority=0, tries_remaining=0, + * and successful_boot=0. This is a copy of slot_normalize from + * external/avb/libavb_ab/avb_ab_flow.c. + */ +void fsl_slot_normalize(AvbABSlotData* slot) { + if (slot->priority > 0) { +#if defined(CONFIG_DUAL_BOOTLOADER) && !defined(CONFIG_SPL_BUILD) + if ((slot->tries_remaining == 0) + && (!slot->successful_boot) && (slot->bootloader_verified != 1)) { + /* We've exhausted all tries -> unbootable. */ + fsl_slot_set_unbootable(slot); + } +#else + if ((slot->tries_remaining == 0) && (!slot->successful_boot)) { + /* We've exhausted all tries -> unbootable. */ + fsl_slot_set_unbootable(slot); + } +#endif + if ((slot->tries_remaining > 0) && (slot->successful_boot)) { + /* Illegal state - avb_ab_mark_slot_successful() will clear + * tries_remaining when setting successful_boot. + */ + fsl_slot_set_unbootable(slot); + } + } else { + fsl_slot_set_unbootable(slot); + } +} + +/* This is a copy of slot_is_bootable() from + * externel/avb/libavb_ab/avb_ab_flow.c. + */ +bool fsl_slot_is_bootable(AvbABSlotData* slot) { + return (slot->priority > 0) && + (slot->successful_boot || (slot->tries_remaining > 0)); +} +#endif /* CONFIG_DUAL_BOOTLOADER || !CONFIG_SPL_BUILD */ + +#if defined(CONFIG_DUAL_BOOTLOADER) && defined(CONFIG_SPL_BUILD) + +#define FSL_AB_METADATA_MISC_PARTITION_OFFSET 2048 +#define PARTITION_NAME_LEN 13 +#define PARTITION_MISC "misc" +#define PARTITION_BOOTLOADER "bootloader" + +extern int mmc_switch(struct mmc *mmc, u8 set, u8 index, u8 value); +extern int mmc_load_image_parse_container(struct spl_image_info *spl_image, + struct mmc *mmc, unsigned long sector); + +/* Pre-declaration of h_spl_load_read(), see detail implementation in + * common/spl/spl_mmc.c. + */ +ulong h_spl_load_read(struct spl_load_info *load, ulong sector, + ulong count, void *buf); + +void fsl_avb_ab_data_update_crc_and_byteswap(const AvbABData* src, + AvbABData* dest) { + memcpy(dest, src, sizeof(AvbABData)); + dest->crc32 = cpu_to_be32( + avb_crc32((const uint8_t*)dest, + sizeof(AvbABData) - sizeof(uint32_t))); +} + +void fsl_avb_ab_data_init(AvbABData* data) { + memset(data, '\0', sizeof(AvbABData)); + memcpy(data->magic, AVB_AB_MAGIC, AVB_AB_MAGIC_LEN); + data->version_major = AVB_AB_MAJOR_VERSION; + data->version_minor = AVB_AB_MINOR_VERSION; + data->slots[0].priority = AVB_AB_MAX_PRIORITY; + data->slots[0].tries_remaining = AVB_AB_MAX_TRIES_REMAINING; + data->slots[0].successful_boot = 0; + data->slots[0].bootloader_verified = 0; + data->slots[1].priority = AVB_AB_MAX_PRIORITY - 1; + data->slots[1].tries_remaining = AVB_AB_MAX_TRIES_REMAINING; + data->slots[1].successful_boot = 0; + data->slots[1].bootloader_verified = 0; +} + +bool fsl_avb_ab_data_verify_and_byteswap(const AvbABData* src, + AvbABData* dest) { + /* Ensure magic is correct. */ + if (memcmp(src->magic, AVB_AB_MAGIC, AVB_AB_MAGIC_LEN) != 0) { + printf("Magic is incorrect.\n"); + return false; + } + + memcpy(dest, src, sizeof(AvbABData)); + dest->crc32 = be32_to_cpu(dest->crc32); + + /* Ensure we don't attempt to access any fields if the major version + * is not supported. + */ + if (dest->version_major > AVB_AB_MAJOR_VERSION) { + printf("No support for given major version.\n"); + return false; + } + + /* Fail if CRC32 doesn't match. */ + if (dest->crc32 != + avb_crc32((const uint8_t*)dest, sizeof(AvbABData) - sizeof(uint32_t))) { + printf("CRC32 does not match.\n"); + return false; + } + + return true; +} + +/* Writes A/B metadata to disk only if it has changed. + */ +int fsl_save_metadata_if_changed_dual_uboot(struct blk_desc *dev_desc, + AvbABData* ab_data, + AvbABData* ab_data_orig) { + AvbABData serialized; + size_t num_bytes; + struct disk_partition info; + + /* Save metadata if changed. */ + if (memcmp(ab_data, ab_data_orig, sizeof(AvbABData)) != 0) { + /* Get misc partition info */ + if (part_get_info_by_name(dev_desc, PARTITION_MISC, &info) == -1) { + printf("Can't get partition info of partition: misc\n"); + return -1; + } + + /* Writing A/B metadata to disk. */ + fsl_avb_ab_data_update_crc_and_byteswap(ab_data, &serialized); + if (write_to_partition_in_bytes(dev_desc, &info, + FSL_AB_METADATA_MISC_PARTITION_OFFSET, + sizeof(AvbABData), + (void *)&serialized, &num_bytes) || + (num_bytes != sizeof(AvbABData))) { + printf("Error--write metadata fail!\n"); + return -1; + } + } + return 0; +} + +/* Load metadate from misc partition. + */ +int fsl_load_metadata_dual_uboot(struct blk_desc *dev_desc, + AvbABData* ab_data, + AvbABData* ab_data_orig) { + struct disk_partition info; + AvbABData serialized; + size_t num_bytes; + + if (part_get_info_by_name(dev_desc, PARTITION_MISC, &info) == -1) { + printf("Can't get partition info of partition: misc\n"); + return -1; + } else { + read_from_partition_in_bytes(dev_desc, &info, + FSL_AB_METADATA_MISC_PARTITION_OFFSET, + sizeof(AvbABData), + (void *)ab_data, &num_bytes ); + if (num_bytes != sizeof(AvbABData)) { + printf("Error--read metadata fail!\n"); + return -1; + } else { + if (!fsl_avb_ab_data_verify_and_byteswap(ab_data, &serialized)) { + printf("Error validating A/B metadata from disk.\n"); + printf("Resetting and writing new A/B metadata to disk.\n"); + fsl_avb_ab_data_init(ab_data); + fsl_avb_ab_data_update_crc_and_byteswap(ab_data, &serialized); + num_bytes = 0; + if (write_to_partition_in_bytes( + dev_desc, &info, + FSL_AB_METADATA_MISC_PARTITION_OFFSET, + sizeof(AvbABData), + (void *)&serialized, &num_bytes) || + (num_bytes != sizeof(AvbABData))) { + printf("Error--write metadata fail!\n"); + return -1; + } else + return 0; + } else { + memcpy(ab_data_orig, ab_data, sizeof(AvbABData)); + /* Ensure data is normalized, e.g. illegal states will be marked as + * unbootable and all unbootable states are represented with + * (priority=0, tries_remaining=0, successful_boot=0). + */ + fsl_slot_normalize(&ab_data->slots[0]); + fsl_slot_normalize(&ab_data->slots[1]); + return 0; + } + } + } +} + +#ifndef CONFIG_XEN +static int spl_verify_rbidx(struct mmc *mmc, AvbABSlotData *slot, + struct spl_image_info *spl_image) +{ + kblb_hdr_t hdr; + kblb_tag_t *rbk; + uint64_t extract_idx; +#ifdef CONFIG_AVB_ATX + struct bl_rbindex_package *bl_rbindex; +#endif + + /* Make sure rollback index has been initialized before verify */ + if (rpmb_init()) { + printf("RPMB init failed!\n"); + return -1; + } + + /* Read bootloader rollback index header first. */ + if (rpmb_read(mmc, (uint8_t *)&hdr, sizeof(hdr), + BOOTLOADER_RBIDX_OFFSET) != 0) { + printf("Read RPMB error!\n"); + return -1; + } + + /* Read bootloader rollback index. */ + rbk = &(hdr.bootloader_rbk_tags); + if (rpmb_read(mmc, (uint8_t *)&extract_idx, rbk->len, rbk->offset) != 0) { + printf("Read rollback index error!\n"); + return -1; + } + + /* Verify bootloader rollback index. */ + if (spl_image->rbindex >= extract_idx) { + /* Rollback index verify pass, update it only when current slot + * has been marked as successful. + */ + if ((slot->successful_boot != 0) && (spl_image->rbindex != extract_idx) && + rpmb_write(mmc, (uint8_t *)(&(spl_image->rbindex)), + rbk->len, rbk->offset)) { + printf("Update bootloader rollback index failed!\n"); + return -1; + } + +#ifdef CONFIG_AVB_ATX + /* Pass bootloader rbindex to u-boot here. */ + bl_rbindex = (struct bl_rbindex_package *)BL_RBINDEX_LOAD_ADDR; + memcpy(bl_rbindex->magic, BL_RBINDEX_MAGIC, BL_RBINDEX_MAGIC_LEN); + if (slot->successful_boot != 0) + bl_rbindex->rbindex = spl_image->rbindex; + else + bl_rbindex->rbindex = extract_idx; +#endif + + return 0; + } else { + printf("Rollback index verify rejected!\n"); + return -1; + } + +} +#endif /* CONFIG_XEN */ + +#ifdef CONFIG_PARSE_CONTAINER +int mmc_load_image_parse_container_dual_uboot( + struct spl_image_info *spl_image, struct mmc *mmc) +{ + struct disk_partition info; + int ret = 0, n = 0; + char partition_name[PARTITION_NAME_LEN]; + struct blk_desc *dev_desc; + AvbABData ab_data, ab_data_orig; + size_t slot_index_to_boot, target_slot; +#ifndef CONFIG_XEN + struct keyslot_package kp; +#endif + + /* Check if gpt is valid */ + dev_desc = mmc_get_blk_desc(mmc); + if (dev_desc) { + if (part_get_info(dev_desc, 1, &info)) { + printf("GPT is invalid, please flash correct GPT!\n"); + return -1; + } + } else { + printf("Get block desc fail!\n"); + return -1; + } + +#ifndef CONFIG_XEN + /* Read RPMB keyslot package, xen won't check this. */ + read_keyslot_package(&kp); + if (strcmp(kp.magic, KEYPACK_MAGIC)) { + if (rpmbkey_is_set()) { + printf("\nFATAL - RPMB key was destroyed!\n"); + hang(); + } else + printf("keyslot package magic error, do nothing here!\n"); + } else { + /* Set power-on write protection to boot1 partition. */ + if (mmc_switch(mmc, EXT_CSD_CMD_SET_NORMAL, EXT_CSD_BOOT_WP, BOOT1_PWR_WP)) { + printf("Unable to set power-on write protection to boot1!\n"); + return -1; + } + } +#endif + + /* Load AB metadata from misc partition */ + if (fsl_load_metadata_dual_uboot(dev_desc, &ab_data, + &ab_data_orig)) { + return -1; + } + + slot_index_to_boot = 2; // Means not 0 or 1 + target_slot = + (ab_data.slots[1].priority > ab_data.slots[0].priority) ? 1 : 0; + + for (n = 0; n < 2; n++) { + if (!fsl_slot_is_bootable(&ab_data.slots[target_slot])) { + target_slot = (target_slot == 1 ? 0 : 1); + continue; + } + /* Choose slot to load. */ + snprintf(partition_name, PARTITION_NAME_LEN, + PARTITION_BOOTLOADER"%s", + slot_suffixes[target_slot]); + + /* Read part info from gpt */ + if (part_get_info_by_name(dev_desc, partition_name, &info) == -1) { + printf("Can't get partition info of partition bootloader%s\n", + slot_suffixes[target_slot]); + ret = -1; + goto end; + } else { + ret = mmc_load_image_parse_container(spl_image, mmc, info.start); + + /* Don't need to check rollback index for xen. */ +#ifndef CONFIG_XEN + /* Image loaded successfully, go to verify rollback index */ + if (!ret && rpmbkey_is_set()) + ret = spl_verify_rbidx(mmc, &ab_data.slots[target_slot], spl_image); + + /* Copy rpmb keyslot to secure memory. */ + if (!ret) + fill_secure_keyslot_package(&kp); +#endif + } + + /* Set current slot to unbootable if load/verify fail. */ + if (ret != 0) { + printf("Load or verify bootloader%s fail, setting unbootable..\n", + slot_suffixes[target_slot]); + fsl_slot_set_unbootable(&ab_data.slots[target_slot]); + /* Switch to another slot. */ + target_slot = (target_slot == 1 ? 0 : 1); + } else { + slot_index_to_boot = target_slot; + n = 2; + } + } + + if (slot_index_to_boot == 2) { + /* No bootable slots! */ + printf("No bootable slots found.\n"); + ret = -1; + goto end; + } else if (!ab_data.slots[slot_index_to_boot].successful_boot && + (ab_data.slots[slot_index_to_boot].tries_remaining > 0)) { + /* Set the bootloader_verified flag if current slot only has one chance. */ + if (ab_data.slots[slot_index_to_boot].tries_remaining == 1) + ab_data.slots[slot_index_to_boot].bootloader_verified = 1; + ab_data.slots[slot_index_to_boot].tries_remaining -= 1; + } + printf("Booting from bootloader%s...\n", slot_suffixes[slot_index_to_boot]); + +end: + /* Save metadata if changed. */ + if (fsl_save_metadata_if_changed_dual_uboot(dev_desc, &ab_data, &ab_data_orig)) { + ret = -1; + } + + if (ret) + return -1; + else + return 0; +} +#else /* CONFIG_PARSE_CONTAINER */ +int mmc_load_image_raw_sector_dual_uboot( + struct spl_image_info *spl_image, struct mmc *mmc) +{ + unsigned long count; + struct disk_partition info; + int ret = 0, n = 0; + char partition_name[PARTITION_NAME_LEN]; + struct blk_desc *dev_desc; + struct image_header *header; + AvbABData ab_data, ab_data_orig; + size_t slot_index_to_boot, target_slot; + struct keyslot_package kp; + + /* Check if gpt is valid */ + dev_desc = mmc_get_blk_desc(mmc); + if (dev_desc) { + if (part_get_info(dev_desc, 1, &info)) { + printf("GPT is invalid, please flash correct GPT!\n"); + return -1; + } + } else { + printf("Get block desc fail!\n"); + return -1; + } + + /* Init RPMB keyslot package if not initialized before. */ + read_keyslot_package(&kp); + if (strcmp(kp.magic, KEYPACK_MAGIC)) { + printf("keyslot package magic error. Will generate new one\n"); + if (gen_rpmb_key(&kp)) { + printf("Generate keyslot package fail!\n"); + return -1; + } + } + /* Set power-on write protection to boot1 partition. */ + if (mmc_switch(mmc, EXT_CSD_CMD_SET_NORMAL, EXT_CSD_BOOT_WP, BOOT1_PWR_WP)) { + printf("Unable to set power-on write protection to boot1!\n"); + return -1; + } + + /* Load AB metadata from misc partition */ + if (fsl_load_metadata_dual_uboot(dev_desc, &ab_data, + &ab_data_orig)) { + return -1; + } + + slot_index_to_boot = 2; // Means not 0 or 1 + target_slot = + (ab_data.slots[1].priority > ab_data.slots[0].priority) ? 1 : 0; + + for (n = 0; n < 2; n++) { + if (!fsl_slot_is_bootable(&ab_data.slots[target_slot])) { + target_slot = (target_slot == 1 ? 0 : 1); + continue; + } + /* Choose slot to load. */ + snprintf(partition_name, PARTITION_NAME_LEN, + PARTITION_BOOTLOADER"%s", + slot_suffixes[target_slot]); + + /* Read part info from gpt */ + if (part_get_info_by_name(dev_desc, partition_name, &info) == -1) { + printf("Can't get partition info of partition bootloader%s\n", + slot_suffixes[target_slot]); + ret = -1; + goto end; + } else { + header = (struct image_header *)(CONFIG_SYS_TEXT_BASE - + sizeof(struct image_header)); + + /* read image header to find the image size & load address */ + count = blk_dread(dev_desc, info.start, 1, header); + if (count == 0) { + ret = -1; + goto end; + } + + /* Load fit and check HAB */ + if (IS_ENABLED(CONFIG_SPL_LOAD_FIT) && + image_get_magic(header) == FDT_MAGIC) { + struct spl_load_info load; + + debug("Found FIT\n"); + load.dev = mmc; + load.priv = NULL; + load.filename = NULL; + load.bl_len = mmc->read_bl_len; + load.read = h_spl_load_read; + ret = spl_load_simple_fit(spl_image, &load, + info.start, header); + } else { + ret = -1; + } + + /* Fit image loaded successfully, go to verify rollback index */ + if (!ret) + ret = spl_verify_rbidx(mmc, &ab_data.slots[target_slot], spl_image); + + /* Copy rpmb keyslot to secure memory. */ + if (!ret) + fill_secure_keyslot_package(&kp); + } + + /* Set current slot to unbootable if load/verify fail. */ + if (ret != 0) { + printf("Load or verify bootloader%s fail, setting unbootable..\n", + slot_suffixes[target_slot]); + fsl_slot_set_unbootable(&ab_data.slots[target_slot]); + /* Switch to another slot. */ + target_slot = (target_slot == 1 ? 0 : 1); + } else { + slot_index_to_boot = target_slot; + n = 2; + } + } + + if (slot_index_to_boot == 2) { + /* No bootable slots! */ + printf("No bootable slots found.\n"); + ret = -1; + goto end; + } else if (!ab_data.slots[slot_index_to_boot].successful_boot && + (ab_data.slots[slot_index_to_boot].tries_remaining > 0)) { + /* Set the bootloader_verified flag as if current slot only has one chance. */ + if (ab_data.slots[slot_index_to_boot].tries_remaining == 1) + ab_data.slots[slot_index_to_boot].bootloader_verified = 1; + ab_data.slots[slot_index_to_boot].tries_remaining -= 1; + } + printf("Booting from bootloader%s...\n", slot_suffixes[slot_index_to_boot]); + +end: + /* Save metadata if changed. */ + if (fsl_save_metadata_if_changed_dual_uboot(dev_desc, &ab_data, &ab_data_orig)) { + ret = -1; + } + + if (ret) + return -1; + else + return 0; +} + +/* + * spl_fit_get_rbindex(): Get rollback index of the bootloader. + * @fit: Pointer to the FDT blob. + * @images: Offset of the /images subnode. + * + * Return: the rollback index value of bootloader or a negative + * error number. + */ +int spl_fit_get_rbindex(const void *fit, int images) +{ + const char *str; + uint64_t index; + int conf_node; + int len; + + conf_node = fit_find_config_node(fit); + if (conf_node < 0) { + return conf_node; + } + + str = fdt_getprop(fit, conf_node, "rbindex", &len); + if (!str) { + debug("cannot find property 'rbindex'\n"); + return -EINVAL; + } + + index = simple_strtoul(str, NULL, 10); + + return index; +} +#endif /* CONFIG_PARSE_CONTAINER */ + +/* For normal build */ +#elif !defined(CONFIG_SPL_BUILD) + +/* Writes A/B metadata to disk only if it has been changed. + */ +static AvbIOResult fsl_save_metadata_if_changed(AvbABOps* ab_ops, + AvbABData* ab_data, + AvbABData* ab_data_orig) { + if (avb_safe_memcmp(ab_data, ab_data_orig, sizeof(AvbABData)) != 0) { + avb_debug("Writing A/B metadata to disk.\n"); + return ab_ops->write_ab_metadata(ab_ops, ab_data); + } + return AVB_IO_RESULT_OK; +} + +/* Helper function to load metadata - returns AVB_IO_RESULT_OK on + * success, error code otherwise. This is a copy of load_metadata() + * from /lib/avb/libavb_ab/avb_ab_flow.c. + */ +static AvbIOResult fsl_load_metadata(AvbABOps* ab_ops, + AvbABData* ab_data, + AvbABData* ab_data_orig) { + AvbIOResult io_ret; + + io_ret = ab_ops->read_ab_metadata(ab_ops, ab_data); + if (io_ret != AVB_IO_RESULT_OK) { + avb_error("I/O error while loading A/B metadata.\n"); + return io_ret; + } + *ab_data_orig = *ab_data; + + /* Ensure data is normalized, e.g. illegal states will be marked as + * unbootable and all unbootable states are represented with + * (priority=0, tries_remaining=0, successful_boot=0). + */ + fsl_slot_normalize(&ab_data->slots[0]); + fsl_slot_normalize(&ab_data->slots[1]); + return AVB_IO_RESULT_OK; +} + +#ifdef CONFIG_DUAL_BOOTLOADER +AvbABFlowResult avb_flow_dual_uboot(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data) { + AvbOps* ops = ab_ops->ops; + AvbSlotVerifyData* slot_data = NULL; + AvbSlotVerifyData* data = NULL; + AvbABFlowResult ret; + AvbABData ab_data, ab_data_orig; + AvbIOResult io_ret; + bool saw_and_allowed_verification_error = false; + AvbSlotVerifyResult verify_result; + bool set_slot_unbootable = false; + int target_slot, n; + uint64_t rollback_index_value = 0; + uint64_t current_rollback_index_value = 0; + + io_ret = fsl_load_metadata(ab_ops, &ab_data, &ab_data_orig); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + + /* Choose the target slot, it should be the same with the one in SPL. */ + target_slot = get_curr_slot(&ab_data); + if (target_slot == -1) { + ret = AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS; + printf("No bootable slot found!\n"); + goto out; + } + /* Clear the bootloader_verified flag. */ + ab_data.slots[target_slot].bootloader_verified = 0; + + printf("Verifying slot %s ...\n", slot_suffixes[target_slot]); + verify_result = avb_slot_verify(ops, + requested_partitions, + slot_suffixes[target_slot], + flags, + hashtree_error_mode, + &slot_data); + + switch (verify_result) { + case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + + case AVB_SLOT_VERIFY_RESULT_ERROR_IO: + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + + case AVB_SLOT_VERIFY_RESULT_OK: + ret = AVB_AB_FLOW_RESULT_OK; + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: + case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: + /* Even with AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR + * these mean game over. + */ + set_slot_unbootable = true; + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: + case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: + case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: + if (flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR) { + /* Do nothing since we allow this. */ + avb_debugv("Allowing slot ", + slot_suffixes[target_slot], + " which verified " + "with result ", + avb_slot_verify_result_to_string(verify_result), + " because " + "AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR " + "is set.\n", + NULL); + saw_and_allowed_verification_error = + true; + } else { + set_slot_unbootable = true; + } + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT: + ret = AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT; + goto out; + /* Do not add a 'default:' case here because + * of -Wswitch. + */ + } + + if (set_slot_unbootable) { + avb_errorv("Error verifying slot ", + slot_suffixes[target_slot], + " with result ", + avb_slot_verify_result_to_string(verify_result), + " - setting unbootable.\n", + NULL); + fsl_slot_set_unbootable(&ab_data.slots[target_slot]); + + /* Only the slot chosen by SPL will be verified here so we + * return AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS if the + * slot should be set unbootable. + */ + ret = AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS; + goto out; + } + + /* Update stored rollback index only when the slot has been marked + * as successful. Do this for every rollback index location. + */ + if (ab_data.slots[target_slot].successful_boot != 0) { + for (n = 0; n < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; n++) { + + rollback_index_value = slot_data->rollback_indexes[n]; + + if (rollback_index_value != 0) { + io_ret = ops->read_rollback_index( + ops, n, ¤t_rollback_index_value); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error getting rollback index for slot.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + if (current_rollback_index_value != rollback_index_value) { + io_ret = ops->write_rollback_index( + ops, n, rollback_index_value); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error setting stored rollback index.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + } + } + } + } + + /* Finally, select this slot. */ + avb_assert(slot_data != NULL); + data = slot_data; + slot_data = NULL; + if (saw_and_allowed_verification_error) { + avb_assert( + flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR); + ret = AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR; + } else { + ret = AVB_AB_FLOW_RESULT_OK; + } + +out: + io_ret = fsl_save_metadata_if_changed(ab_ops, &ab_data, &ab_data_orig); + if (io_ret != AVB_IO_RESULT_OK) { + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + } else { + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + } + if (data != NULL) { + avb_slot_verify_data_free(data); + data = NULL; + } + } + + if (slot_data != NULL) + avb_slot_verify_data_free(slot_data); + + if (out_data != NULL) { + *out_data = data; + } else { + if (data != NULL) { + avb_slot_verify_data_free(data); + } + } + + return ret; +} +#else /* CONFIG_DUAL_BOOTLOADER */ +/* For legacy i.mx6/7, we won't enable A/B due to the limitation of + * storage capacity, but we still want to verify boot/recovery with + * AVB. */ +AvbABFlowResult avb_single_flow(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data) { + AvbOps* ops = ab_ops->ops; + AvbSlotVerifyData* slot_data = NULL; + AvbSlotVerifyData* data = NULL; + AvbABFlowResult ret; + bool saw_and_allowed_verification_error = false; + + /* Validate boot/recovery. */ + AvbSlotVerifyResult verify_result; + + verify_result = avb_slot_verify(ops, + requested_partitions, + "", + flags, + hashtree_error_mode, + &slot_data); + switch (verify_result) { + case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + + case AVB_SLOT_VERIFY_RESULT_ERROR_IO: + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + + case AVB_SLOT_VERIFY_RESULT_OK: + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: + case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: + /* Even with AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR + * these mean game over. + */ + ret = AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS; + goto out; + + /* explicit fallthrough. */ + case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: + case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: + case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: + if (flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR) { + /* Do nothing since we allow this. */ + avb_debugv("Allowing slot ", + slot_suffixes[n], + " which verified " + "with result ", + avb_slot_verify_result_to_string(verify_result), + " because " + "AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR " + "is set.\n", + NULL); + saw_and_allowed_verification_error = true; + } else { + ret = AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS; + goto out; + } + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT: + ret = AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT; + goto out; + /* Do not add a 'default:' case here because of -Wswitch. */ + } + + avb_assert(slot_data != NULL); + data = slot_data; + slot_data = NULL; + if (saw_and_allowed_verification_error) { + avb_assert(flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR); + ret = AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR; + } else { + ret = AVB_AB_FLOW_RESULT_OK; + } + +out: + if (slot_data != NULL) { + avb_slot_verify_data_free(slot_data); + } + + if (out_data != NULL) { + *out_data = data; + } else { + if (data != NULL) { + avb_slot_verify_data_free(data); + } + } + + return ret; +} + +AvbABFlowResult avb_ab_flow_fast(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data) { + AvbOps* ops = ab_ops->ops; + AvbSlotVerifyData* slot_data[2] = {NULL, NULL}; + AvbSlotVerifyData* data = NULL; + AvbABFlowResult ret; + AvbABData ab_data, ab_data_orig; + size_t slot_index_to_boot, n; + AvbIOResult io_ret; + bool saw_and_allowed_verification_error = false; + size_t target_slot; + AvbSlotVerifyResult verify_result; + bool set_slot_unbootable = false; + uint64_t rollback_index_value = 0; + uint64_t current_rollback_index_value = 0; + + io_ret = fsl_load_metadata(ab_ops, &ab_data, &ab_data_orig); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + + slot_index_to_boot = 2; // Means not 0 or 1 + target_slot = + (ab_data.slots[1].priority > ab_data.slots[0].priority) ? 1 : 0; + + for (n = 0; n < 2; n++) { + if (!fsl_slot_is_bootable(&ab_data.slots[target_slot])) { + target_slot = (target_slot == 1 ? 0 : 1); + continue; + } + verify_result = avb_slot_verify(ops, + requested_partitions, + slot_suffixes[target_slot], + flags, + hashtree_error_mode, + &slot_data[target_slot]); + switch (verify_result) { + case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + + case AVB_SLOT_VERIFY_RESULT_ERROR_IO: + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + + case AVB_SLOT_VERIFY_RESULT_OK: + slot_index_to_boot = target_slot; + n = 2; + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: + case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: + /* Even with AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR + * these mean game over. + */ + set_slot_unbootable = true; + break; + + /* explicit fallthrough. */ + case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: + case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: + case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: + if (flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR) { + /* Do nothing since we allow this. */ + avb_debugv("Allowing slot ", + slot_suffixes[target_slot], + " which verified " + "with result ", + avb_slot_verify_result_to_string(verify_result), + " because " + "AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR " + "is set.\n", + NULL); + saw_and_allowed_verification_error = + true; + slot_index_to_boot = target_slot; + n = 2; + } else { + set_slot_unbootable = true; + } + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT: + ret = AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT; + goto out; + /* Do not add a 'default:' case here because + * of -Wswitch. + */ + } + + if (set_slot_unbootable) { + avb_errorv("Error verifying slot ", + slot_suffixes[target_slot], + " with result ", + avb_slot_verify_result_to_string(verify_result), + " - setting unbootable.\n", + NULL); + fsl_slot_set_unbootable(&ab_data.slots[target_slot]); + set_slot_unbootable = false; + } + /* switch to another slot */ + target_slot = (target_slot == 1 ? 0 : 1); + } + + if (slot_index_to_boot == 2) { + /* No bootable slots! */ + avb_error("No bootable slots found.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS; + goto out; + } + + /* Update stored rollback index only when the slot has been marked + * as successful. Do this for every rollback index location. + */ + if (ab_data.slots[slot_index_to_boot].successful_boot != 0) { + for (n = 0; n < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; n++) { + + rollback_index_value = slot_data[slot_index_to_boot]->rollback_indexes[n]; + + if (rollback_index_value != 0) { + io_ret = ops->read_rollback_index( + ops, n, ¤t_rollback_index_value); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error getting rollback index for slot.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + if (current_rollback_index_value != rollback_index_value) { + io_ret = ops->write_rollback_index( + ops, n, rollback_index_value); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error setting stored rollback index.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + } + } + } + } + + /* Finally, select this slot. */ + avb_assert(slot_data[slot_index_to_boot] != NULL); + data = slot_data[slot_index_to_boot]; + slot_data[slot_index_to_boot] = NULL; + if (saw_and_allowed_verification_error) { + avb_assert( + flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR); + ret = AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR; + } else { + ret = AVB_AB_FLOW_RESULT_OK; + } + + /* ... and decrement tries remaining, if applicable. */ + if (!ab_data.slots[slot_index_to_boot].successful_boot && + (ab_data.slots[slot_index_to_boot].tries_remaining > 0)) { + ab_data.slots[slot_index_to_boot].tries_remaining -= 1; + } + +out: + io_ret = fsl_save_metadata_if_changed(ab_ops, &ab_data, &ab_data_orig); + if (io_ret != AVB_IO_RESULT_OK) { + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + } else { + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + } + if (data != NULL) { + avb_slot_verify_data_free(data); + data = NULL; + } + } + + for (n = 0; n < 2; n++) { + if (slot_data[n] != NULL) { + avb_slot_verify_data_free(slot_data[n]); + } + } + + if (out_data != NULL) { + *out_data = data; + } else { + if (data != NULL) { + avb_slot_verify_data_free(data); + } + } + + return ret; +} +#endif /* CONFIG_DUAL_BOOTLOADER */ + +#endif /* CONFIG_DUAL_BOOTLOADER && CONFIG_SPL_BUILD */ diff --git a/lib/avb/fsl/fsl_avb_sysdeps_uboot.c b/lib/avb/fsl/fsl_avb_sysdeps_uboot.c new file mode 100644 index 0000000000..5fcb69f75e --- /dev/null +++ b/lib/avb/fsl/fsl_avb_sysdeps_uboot.c @@ -0,0 +1,70 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include +#include +#include + +#include "../libavb/libavb.h" + +int avb_memcmp(const void* src1, const void* src2, size_t n) { + return memcmp(src1, src2, n); +} + +void* avb_memcpy(void* dest, const void* src, size_t n) { + return memcpy(dest, src, n); +} + +void* avb_memset(void* dest, const int c, size_t n) { + return memset(dest, c, n); +} + +int avb_strcmp(const char* s1, const char* s2) { return strcmp(s1, s2); } + +size_t avb_strlen(const char* str) { return strlen(str); } + +void avb_abort(void) { panic("avb_abort!\n"); } + +void avb_print(const char* message) { printf("%s", message); } + +void avb_printv(const char* message, ...) { + va_list ap; + const char* m; + + va_start(ap, message); + for (m = message; m != NULL; m = va_arg(ap, const char*)) { + printf("%s", m); + } + va_end(ap); +} + +void* avb_malloc_(size_t size) { return malloc(size); } + +void avb_free(void* ptr) { free(ptr); } + +uint32_t avb_div_by_10(uint64_t* dividend) { + uint32_t rem = (uint32_t)(*dividend % 10); + *dividend /= 10; + return rem; +} diff --git a/lib/avb/fsl/fsl_avbkey.c b/lib/avb/fsl/fsl_avbkey.c new file mode 100644 index 0000000000..63d51102f3 --- /dev/null +++ b/lib/avb/fsl/fsl_avbkey.c @@ -0,0 +1,1192 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * Copyright 2017-2019 NXP + * SPDX-License-Identifier: GPL-2.0+ + * + */ +#include +#include +#ifdef CONFIG_FSL_CAAM_KB +#include +#endif +#include +#include +#include +#include + +#include +#include "trusty/avb.h" +#ifdef CONFIG_IMX_TRUSTY_OS +#include +#endif +#include "fsl_avbkey.h" +#include "utils.h" +#include "debug.h" +#include +#include "trusty/hwcrypto.h" +#include "fsl_atx_attributes.h" + +#define INITFLAG_FUSE_OFFSET 0 +#define INITFLAG_FUSE_MASK 0x00000001 +#define INITFLAG_FUSE 0x00000001 + +#define RPMB_BLKSZ 256 +#define RPMBKEY_LENGTH 32 +#define RPMBKEY_BLOB_LEN ((RPMBKEY_LENGTH) + (CAAM_PAD)) + +extern int mmc_switch(struct mmc *mmc, u8 set, u8 index, u8 value); + +#ifdef AVB_RPMB +static int mmc_dev_no = -1; + +struct mmc *get_mmc(void) { + extern int mmc_get_env_devno(void); + struct mmc *mmc; + if (mmc_dev_no < 0 && (mmc_dev_no = mmc_get_env_dev()) < 0) + return NULL; + mmc = find_mmc_device(mmc_dev_no); + if (!mmc || mmc_init(mmc)) + return NULL; + return mmc; +} + +void fill_secure_keyslot_package(struct keyslot_package *kp) { + + memcpy((void*)CAAM_ARB_BASE_ADDR, kp, sizeof(struct keyslot_package)); + + /* invalidate the cache to make sure no critical information left in it */ + memset(kp, 0, sizeof(struct keyslot_package)); + invalidate_dcache_range(((ulong)kp) & 0xffffffc0,(((((ulong)kp) + + sizeof(struct keyslot_package)) & 0xffffff00) + + 0x100)); +} + +int read_keyslot_package(struct keyslot_package* kp) { + char original_part; + int blksz; + unsigned char* fill = NULL; + int ret = 0; + /* load tee from boot1 of eMMC. */ + int mmcc = mmc_get_env_dev(); + struct blk_desc *dev_desc = NULL; + + struct mmc *mmc; +#ifdef CONFIG_IMX8_TRUSTY_XEN + mmcc = 0; +#endif + mmc = find_mmc_device(mmcc); + if (!mmc) { + printf("boota: cannot find '%d' mmc device\n", mmcc); + return -1; + } +#ifndef CONFIG_BLK + original_part = mmc->block_dev.hwpart; + dev_desc = blk_get_dev("mmc", mmcc); +#else + dev_desc = mmc_get_blk_desc(mmc); +#endif + if (NULL == dev_desc) { + printf("** Block device MMC %d not supported\n", mmcc); + return -1; + } +#ifdef CONFIG_BLK + original_part = dev_desc->hwpart; +#endif + + blksz = dev_desc->blksz; + fill = (unsigned char *)memalign(ALIGN_BYTES, blksz); + + /* below was i.MX mmc operation code */ + if (mmc_init(mmc)) { + printf("mmc%d init failed\n", mmcc); + ret = -1; + goto fail;; + } + + if (mmc_switch_part(mmc, KEYSLOT_HWPARTITION_ID) != 0) { + ret = -1; + goto fail; + } +#ifndef CONFIG_BLK + mmc->block_dev.hwpart = KEYSLOT_HWPARTITION_ID; +#else + dev_desc->hwpart = KEYSLOT_HWPARTITION_ID; +#endif + if (blk_dread(dev_desc, KEYSLOT_BLKS, + 1, fill) != 1) { + printf("Failed to read rpmbkeyblob."); + ret = -1; + goto fail; + } else { + memcpy(kp, fill, sizeof(struct keyslot_package)); + } + +fail: + /* Free allocated memory. */ + if (fill != NULL) + free(fill); + /* Return to original partition */ +#ifndef CONFIG_BLK + if (mmc->block_dev.hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + return -1; + mmc->block_dev.hwpart = original_part; + } +#else + if (dev_desc->hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + return -1; + dev_desc->hwpart = original_part; + } +#endif + return ret; +} + +bool rpmbkey_is_set(void) +{ + int mmcc; + bool ret; + uint8_t *buf; + struct mmc *mmc; + char original_part; + struct blk_desc *desc = NULL; + + /* Get current mmc device. */ + mmcc = mmc_get_env_dev(); + mmc = find_mmc_device(mmcc); + if (!mmc) { + printf("error - cannot find '%d' mmc device\n", mmcc); + return false; + } + + desc = mmc_get_blk_desc(mmc); + original_part = desc->hwpart; + + /* Switch to the RPMB partition */ + if (desc->hwpart != MMC_PART_RPMB) { + if (mmc_switch_part(mmc, MMC_PART_RPMB) != 0) { + printf("ERROR - can't switch to rpmb partition \n"); + return false; + } + desc->hwpart = MMC_PART_RPMB; + } + + /* Try to read the first one block, return count '1' means the rpmb + * key has been set, otherwise means the key hasn't been set. + */ + buf = (uint8_t *)memalign(ALIGN_BYTES, desc->blksz); + if (mmc_rpmb_read(mmc, buf, 0, 1, NULL) != 1) + ret = false; + else + ret = true; + + /* return to original partition. */ + if (desc->hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + ret = false; + desc->hwpart = original_part; + } + /* remember to free the buffer */ + if (buf != NULL) + free(buf); + + return ret; +} + +#ifdef CONFIG_FSL_CAAM_KB +int rpmb_read(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset) { + + unsigned char *bdata = NULL; + unsigned char *out_buf = (unsigned char *)buffer; + unsigned long s, cnt; + unsigned long blksz; + size_t num_read = 0; + unsigned short part_start, part_length, part_end, bs, be; + margin_pos_t margin; + char original_part; + uint8_t *blob = NULL; + struct blk_desc *desc = mmc_get_blk_desc(mmc); + ALLOC_CACHE_ALIGN_BUFFER(uint8_t, extract_key, RPMBKEY_LENGTH); + + struct keyslot_package kp; + int ret; + + blksz = RPMB_BLKSZ; + part_length = mmc->capacity_rpmb >> 8; + part_start = 0; + part_end = part_start + part_length - 1; + + DEBUGAVB("[rpmb]: offset=%ld, num_bytes=%zu\n", (long)offset, num_bytes); + + if(get_margin_pos(part_start, part_end, blksz, + &margin, offset, num_bytes, false)) + return -1; + + bs = (unsigned short)margin.blk_start; + be = (unsigned short)margin.blk_end; + s = margin.start; + + /* Switch to the RPMB partition */ + original_part = desc->hwpart; + if (desc->hwpart != MMC_PART_RPMB) { + if (mmc_switch_part(mmc, MMC_PART_RPMB) != 0) + return -1; + desc->hwpart = MMC_PART_RPMB; + } + + /* get rpmb key */ + blob = (uint8_t *)memalign(ARCH_DMA_MINALIGN, RPMBKEY_BLOB_LEN); + if (read_keyslot_package(&kp)) { + ERR("read rpmb key error\n"); + ret = -1; + goto fail; + } + /* copy rpmb key to blob */ + memcpy(blob, kp.rpmb_keyblob, RPMBKEY_BLOB_LEN); + caam_open(); + if (caam_decap_blob((ulong)extract_key, (ulong)blob, + RPMBKEY_LENGTH)) { + ERR("decap rpmb key error\n"); + ret = -1; + goto fail; + } + + /* alloc a blksz mem */ + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) { + ret = -1; + goto fail; + } + /* one block a time */ + while (bs <= be) { + memset(bdata, 0, blksz); + if (mmc_rpmb_read(mmc, bdata, bs, 1, extract_key) != 1) { + ret = -1; + goto fail; + } + cnt = blksz - s; + if (num_read + cnt > num_bytes) + cnt = num_bytes - num_read; + VDEBUG("cur: bs=%d, start=%ld, cnt=%ld bdata=0x%p\n", + bs, s, cnt, bdata); + memcpy(out_buf, bdata + s, cnt); + bs++; + num_read += cnt; + out_buf += cnt; + s = 0; + } + ret = 0; + +fail: + /* Return to original partition */ + if (desc->hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + ret = -1; + else + desc->hwpart = original_part; + } + if (blob != NULL) + free(blob); + if (bdata != NULL) + free(bdata); + return ret; + +} + +int rpmb_write(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset) { + + unsigned char *bdata = NULL; + unsigned char *in_buf = (unsigned char *)buffer; + unsigned long s, cnt; + unsigned long blksz; + size_t num_write = 0; + unsigned short part_start, part_length, part_end, bs; + margin_pos_t margin; + char original_part; + uint8_t *blob = NULL; + struct blk_desc *desc = mmc_get_blk_desc(mmc); + ALLOC_CACHE_ALIGN_BUFFER(uint8_t, extract_key, RPMBKEY_LENGTH); + + struct keyslot_package kp; + int ret; + + blksz = RPMB_BLKSZ; + part_length = mmc->capacity_rpmb >> 8; + part_start = 0; + part_end = part_start + part_length - 1; + + DEBUGAVB("[rpmb]: offset=%ld, num_bytes=%zu\n", (long)offset, num_bytes); + + if(get_margin_pos(part_start, part_end, blksz, + &margin, offset, num_bytes, false)) { + ERR("get_margin_pos err\n"); + return -1; + } + + bs = (unsigned short)margin.blk_start; + s = margin.start; + + /* Switch to the RPMB partition */ + original_part = desc->hwpart; + if (desc->hwpart != MMC_PART_RPMB) { + if (mmc_switch_part(mmc, MMC_PART_RPMB) != 0) + return -1; + desc->hwpart = MMC_PART_RPMB; + } + + /* get rpmb key */ + blob = (uint8_t *)memalign(ARCH_DMA_MINALIGN, RPMBKEY_BLOB_LEN); + if (read_keyslot_package(&kp)) { + ERR("read rpmb key error\n"); + ret = -1; + goto fail; + } + /* copy rpmb key to blob */ + memcpy(blob, kp.rpmb_keyblob, RPMBKEY_BLOB_LEN); + caam_open(); + if (caam_decap_blob((ulong)extract_key, (ulong)blob, + RPMBKEY_LENGTH)) { + ERR("decap rpmb key error\n"); + ret = -1; + goto fail; + } + /* alloc a blksz mem */ + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) { + ret = -1; + goto fail; + } + while (num_write < num_bytes) { + memset(bdata, 0, blksz); + cnt = blksz - s; + if (num_write + cnt > num_bytes) + cnt = num_bytes - num_write; + if (!s || cnt != blksz) { /* read blk first */ + if (mmc_rpmb_read(mmc, bdata, bs, 1, extract_key) != 1) { + ERR("mmc_rpmb_read err, mmc= 0x%08x\n", (uint32_t)(ulong)mmc); + ret = -1; + goto fail; + } + } + memcpy(bdata + s, in_buf, cnt); /* change data */ + VDEBUG("cur: bs=%d, start=%ld, cnt=%ld\n", bs, s, cnt); + if (mmc_rpmb_write(mmc, bdata, bs, 1, extract_key) != 1) { + ret = -1; + goto fail; + } + bs++; + num_write += cnt; + in_buf += cnt; + if (s != 0) + s = 0; + } + ret = 0; + +fail: + /* Return to original partition */ + if (desc->hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + ret = -1; + else + desc->hwpart = original_part; + } + if (blob != NULL) + free(blob); + if (bdata != NULL) + free(bdata); + + return ret; + +} + +int rpmb_init(void) { +#if !defined(CONFIG_SPL_BUILD) || !defined(CONFIG_DUAL_BOOTLOADER) + int i; +#endif + kblb_hdr_t hdr; + kblb_tag_t *tag; + struct mmc *mmc_dev; + uint32_t offset; + uint32_t rbidx_len; + uint8_t *rbidx; + + /* check init status first */ + if ((mmc_dev = get_mmc()) == NULL) { + ERR("ERROR - get mmc device\n"); + return -1; + } + /* The bootloader rollback index is stored in the last 8k bytes of + * RPMB which is different from the rollback index for vbmeta and + * ATX key versions. + */ +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_DUAL_BOOTLOADER) + if (rpmb_read(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), + BOOTLOADER_RBIDX_OFFSET) != 0) { +#else + if (rpmb_read(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { +#endif + ERR("read RPMB error\n"); + return -1; + } + if (!memcmp(hdr.magic, AVB_KBLB_MAGIC, AVB_KBLB_MAGIC_LEN)) + return 0; + else + printf("initialize rollback index...\n"); + /* init rollback index */ +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_DUAL_BOOTLOADER) + offset = BOOTLOADER_RBIDX_START; + rbidx_len = BOOTLOADER_RBIDX_LEN; + rbidx = malloc(rbidx_len); + if (rbidx == NULL) { + ERR("failed to allocate memory!\n"); + return -1; + } + memset(rbidx, 0, rbidx_len); + *(uint64_t *)rbidx = BOOTLOADER_RBIDX_INITVAL; + tag = &hdr.bootloader_rbk_tags; + tag->offset = offset; + tag->len = rbidx_len; + if (rpmb_write(mmc_dev, rbidx, tag->len, tag->offset) != 0) { + ERR("write RBKIDX RPMB error\n"); + free(rbidx); + return -1; + } + if (rbidx != NULL) + free(rbidx); +#else /* CONFIG_SPL_BUILD && CONFIG_DUAL_BOOTLOADER */ + offset = AVB_RBIDX_START; + rbidx_len = AVB_RBIDX_LEN; + rbidx = malloc(rbidx_len); + if (rbidx == NULL) + return -1; + memset(rbidx, 0, rbidx_len); + *(uint64_t *)rbidx = AVB_RBIDX_INITVAL; + for (i = 0; i < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; i++) { + tag = &hdr.rbk_tags[i]; + tag->flag = AVB_RBIDX_FLAG; + tag->offset = offset; + tag->len = rbidx_len; + if (rpmb_write(mmc_dev, rbidx, tag->len, tag->offset) != 0) { + ERR("write RBKIDX RPMB error\n"); + free(rbidx); + return -1; + } + offset += AVB_RBIDX_ALIGN; + } + if (rbidx != NULL) + free(rbidx); +#ifdef CONFIG_AVB_ATX + /* init rollback index for Android Things key versions */ + offset = ATX_RBIDX_START; + rbidx_len = ATX_RBIDX_LEN; + rbidx = malloc(rbidx_len); + if (rbidx == NULL) + return -1; + memset(rbidx, 0, rbidx_len); + *(uint64_t *)rbidx = ATX_RBIDX_INITVAL; + for (i = 0; i < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; i++) { + tag = &hdr.atx_rbk_tags[i]; + tag->flag = ATX_RBIDX_FLAG; + tag->offset = offset; + tag->len = rbidx_len; + if (rpmb_write(mmc_dev, rbidx, tag->len, tag->offset) != 0) { + ERR("write ATX_RBKIDX RPMB error\n"); + free(rbidx); + return -1; + } + offset += ATX_RBIDX_ALIGN; + } + if (rbidx != NULL) + free(rbidx); +#endif +#endif /* CONFIG_SPL_BUILD && CONFIG_DUAL_BOOTLOADER */ + + /* init hdr */ + memcpy(hdr.magic, AVB_KBLB_MAGIC, AVB_KBLB_MAGIC_LEN); +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_DUAL_BOOTLOADER) + if (rpmb_write(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), + BOOTLOADER_RBIDX_OFFSET) != 0) { +#else + if (rpmb_write(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { +#endif + ERR("write RPMB hdr error\n"); + return -1; + } + + return 0; +} + +int gen_rpmb_key(struct keyslot_package *kp) { + char original_part; + unsigned char* fill = NULL; + int blksz; + ALLOC_CACHE_ALIGN_BUFFER(uint8_t, plain_key, RPMBKEY_LENGTH); + + kp->rpmb_keyblob_len = RPMBKEY_LEN; + strcpy(kp->magic, KEYPACK_MAGIC); + + int ret = -1; + /* load tee from boot1 of eMMC. */ + int mmcc = mmc_get_env_dev(); + struct blk_desc *dev_desc = NULL; + + struct mmc *mmc; + mmc = find_mmc_device(mmcc); + if (!mmc) { + printf("boota: cannot find '%d' mmc device\n", mmcc); + return -1; + } +#ifndef CONFIG_BLK + original_part = mmc->block_dev.hwpart; + dev_desc = blk_get_dev("mmc", mmcc); +#else + dev_desc = mmc_get_blk_desc(mmc); + original_part = dev_desc->hwpart; +#endif + if (NULL == dev_desc) { + printf("** Block device MMC %d not supported\n", mmcc); + goto fail; + } + + blksz = dev_desc->blksz; + fill = (unsigned char *)memalign(ALIGN_BYTES, blksz); + + /* below was i.MX mmc operation code */ + if (mmc_init(mmc)) { + printf("mmc%d init failed\n", mmcc); + goto fail; + } + + /* Switch to the RPMB partition */ + + /* use caam hwrng to generate */ + caam_open(); + +#ifdef TRUSTY_RPMB_RANDOM_KEY + /* + * Since boot1 is a bit easy to be erase during development + * so that before production stage use full 0 rpmb key + */ + if (caam_hwrng(plain_key, RPMBKEY_LENGTH)) { + ERR("ERROR - caam rng\n"); + goto fail; + } +#else + memset(plain_key, 0, RPMBKEY_LENGTH); +#endif + + /* generate keyblob and program to boot1 partition */ + if (caam_gen_blob((ulong)plain_key, (ulong)(kp->rpmb_keyblob), + RPMBKEY_LENGTH)) { + ERR("gen rpmb key blb error\n"); + goto fail; + } + memcpy(fill, kp, sizeof(struct keyslot_package)); + + if (mmc_switch_part(mmc, KEYSLOT_HWPARTITION_ID) != 0) { + ret = -1; + goto fail; + } + + if (blk_dwrite(dev_desc, KEYSLOT_BLKS, + 1, (void *)fill) != 1) { + printf("Failed to write rpmbkeyblob."); + goto fail; + } + + /* program key to mmc */ +#ifndef CONFIG_BLK + if (mmc->block_dev.hwpart != MMC_PART_RPMB) { + if (mmc_switch_part(mmc, MMC_PART_RPMB) != 0) { + ret = -1; + goto fail; + } else + mmc->block_dev.hwpart = MMC_PART_RPMB; + } +#else + if (dev_desc->hwpart != MMC_PART_RPMB) { + if (mmc_switch_part(mmc, MMC_PART_RPMB) != 0) { + ret = -1; + goto fail; + } else + dev_desc->hwpart = MMC_PART_RPMB; + } +#endif + if (mmc_rpmb_set_key(mmc, plain_key)) { + ERR("Key already programmed ?\n"); + goto fail; + } + + ret = 0; + +fail: + /* Return to original partition */ +#ifndef CONFIG_BLK + if (mmc->block_dev.hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + ret = -1; + else + mmc->block_dev.hwpart = original_part; + } +#else + if (dev_desc->hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + ret = -1; + else + dev_desc->hwpart = original_part; + } +#endif + if (fill != NULL) + free(fill); + + return ret; + +} + +int init_avbkey(void) { + struct keyslot_package kp; + read_keyslot_package(&kp); + if (strcmp(kp.magic, KEYPACK_MAGIC)) { + printf("keyslot package magic error. Will generate new one\n"); + gen_rpmb_key(&kp); + } +#ifndef CONFIG_IMX_TRUSTY_OS + if (rpmb_init()) + return RESULT_ERROR; +#endif +#if defined(CONFIG_AVB_ATX) && !defined(CONFIG_IMX_TRUSTY_OS) + if (init_permanent_attributes_fuse()) + return RESULT_ERROR; +#endif + fill_secure_keyslot_package(&kp); + return RESULT_OK; +} + +#ifndef CONFIG_IMX_TRUSTY_OS +int rbkidx_erase(void) { + int i; + kblb_hdr_t hdr; + kblb_tag_t *tag; + struct mmc *mmc_dev; + + if ((mmc_dev = get_mmc()) == NULL) { + ERR("err get mmc device\n"); + return -1; + } + + /* read the kblb header */ + if (rpmb_read(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { + ERR("read RPMB error\n"); + return -1; + } + if (memcmp(hdr.magic, AVB_KBLB_MAGIC, AVB_KBLB_MAGIC_LEN) != 0) { + ERR("magic not match\n"); + return -1; + } + + /* reset rollback index */ + uint32_t offset = AVB_RBIDX_START; + uint32_t rbidx_len = AVB_RBIDX_LEN; + uint8_t *rbidx = malloc(rbidx_len); + if (rbidx == NULL) + return -1; + memset(rbidx, 0, rbidx_len); + *(uint64_t *)rbidx = AVB_RBIDX_INITVAL; + for (i = 0; i < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; i++) { + tag = &hdr.rbk_tags[i]; + tag->flag = AVB_RBIDX_FLAG; + tag->offset = offset; + tag->len = rbidx_len; + /* write */ + if (rpmb_write(mmc_dev, rbidx, tag->len, tag->offset) != 0) { + ERR("write RBKIDX RPMB error\n"); + free(rbidx); + return -1; + } + offset += AVB_RBIDX_ALIGN; + } + free(rbidx); + /* write back hdr */ + if (rpmb_write(mmc_dev, (uint8_t *)&hdr, sizeof(hdr), 0) != 0) { + ERR("write RPMB hdr error\n"); + return -1; + } + return 0; +} +#endif /* CONFIG_IMX_TRUSTY_OS */ +#endif /* CONFIG_FSL_CAAM_KB */ +#else /* AVB_RPMB */ +int rbkidx_erase(void) { + return 0; +} +#endif /* AVB_RPMB */ + +#ifdef CONFIG_SPL_BUILD +#if defined (CONFIG_IMX8_TRUSTY_XEN) || \ + (defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX)) +int check_rpmb_blob(struct mmc *mmc) +{ + int ret = 0; + char original_part; + struct keyslot_package kp; + + read_keyslot_package(&kp); + if (strcmp(kp.magic, KEYPACK_MAGIC)) { + if (rpmbkey_is_set()) { + printf("\nFATAL - RPMB key was destroyed!\n"); + hang(); + } else { + printf("keyslot package magic error, do nothing here!\n"); + return 0; + } + } + /* If keyslot package valid, copy it to secure memory */ + fill_secure_keyslot_package(&kp); + + /* switch to boot1 partition. */ + original_part = mmc->block_dev.hwpart; + if (mmc_switch_part(mmc, KEYSLOT_HWPARTITION_ID) != 0) { + printf("ERROR - can't switch to boot1 partition! \n"); + ret = -1; + goto fail; + } else + mmc->block_dev.hwpart = KEYSLOT_HWPARTITION_ID; + /* write power-on write protection for boot1 partition. */ + if (mmc_switch(mmc, EXT_CSD_CMD_SET_NORMAL, + EXT_CSD_BOOT_WP, BOOT1_PWR_WP)) { + printf("ERROR - unable to set power-on write protection!\n"); + ret = -1; + goto fail; + } +fail: + /* return to original partition. */ + if (mmc->block_dev.hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + return -1; + mmc->block_dev.hwpart = original_part; + } + + return ret; +} +#endif /* CONFIG_IMX_TRUSTY_OS && !defined(CONFIG_AVB_ATX) */ +#else /* CONFIG_SPL_BUILD */ +#ifdef CONFIG_AVB_ATX +static int fsl_fuse_ops(uint32_t *buffer, uint32_t length, uint32_t offset, + const uint8_t read) { + + unsigned short bs, ws, bksz, cnt; + unsigned short num_done = 0; + margin_pos_t margin; + int i; + + /* read from fuse */ + bksz = CONFIG_AVB_FUSE_BANK_SIZEW; + if(get_margin_pos(CONFIG_AVB_FUSE_BANK_START, CONFIG_AVB_FUSE_BANK_END, bksz, + &margin, offset, length, false)) + return -1; + bs = (unsigned short)margin.blk_start; + ws = (unsigned short)margin.start; + + while (num_done < length) { + cnt = bksz - ws; + if (num_done + cnt > length) + cnt = length - num_done; + for (i = 0; i < cnt; i++) { + VDEBUG("cur: bank=%d, word=%d\n",bs, ws); + if (read) { + if (fuse_sense(bs, ws, buffer)) { + ERR("read fuse bank %d, word %d error\n", bs, ws); + return -1; + } + } else { +#ifdef CONFIG_AVB_FUSE + if (fuse_prog(bs, ws, *buffer)) { +#else + if (fuse_override(bs, ws, *buffer)) { +#endif + ERR("write fuse bank %d, word %d error\n", bs, ws); + return -1; + } + } + ws++; + buffer++; + } + bs++; + num_done += cnt; + ws = 0; + } + return 0; +} + +int fsl_fuse_read(uint32_t *buffer, uint32_t length, uint32_t offset) { + + return fsl_fuse_ops( + buffer, + length, + offset, + 1 + ); +} + +int fsl_fuse_write(const uint32_t *buffer, uint32_t length, uint32_t offset) { + + return fsl_fuse_ops( + (uint32_t *)buffer, + length, + offset, + 0 + ); +} + +static int sha256(unsigned char* data, int len, unsigned char* output) { + struct hash_algo *algo; + void *buf; + + if (hash_lookup_algo("sha256", &algo)) { + printf("error in lookup sha256 algo!\n"); + return RESULT_ERROR; + } + buf = map_sysmem((ulong)data, len); + algo->hash_func_ws(buf, len, output, algo->chunk_size); + unmap_sysmem(buf); + + return algo->digest_size; +} + +int permanent_attributes_sha256_hash(unsigned char* output) { + AvbAtxPermanentAttributes attributes; + +#ifdef CONFIG_IMX_TRUSTY_OS + if(!trusty_read_permanent_attributes((uint8_t *)(&attributes), + sizeof(AvbAtxPermanentAttributes))) { + goto calc_sha256; + } else { + ERR("No perm-attr fused. Will use hard code one.\n"); + } +#endif + /* get permanent attributes */ + attributes.version = fsl_version; + memcpy(attributes.product_root_public_key, fsl_product_root_public_key, + sizeof(fsl_product_root_public_key)); + memcpy(attributes.product_id, fsl_atx_product_id, + sizeof(fsl_atx_product_id)); +#ifdef CONFIG_IMX_TRUSTY_OS +calc_sha256: +#endif + /* calculate sha256(permanent attributes) hash */ + if (sha256((unsigned char *)&attributes, sizeof(AvbAtxPermanentAttributes), + output) == RESULT_ERROR) { + printf("ERROR - calculate permanent attributes hash error"); + return RESULT_ERROR; + } + + return RESULT_OK; +} + +static int init_permanent_attributes_fuse(void) { + +#ifdef CONFIG_ARM64 + return RESULT_OK; +#else + uint8_t sha256_hash[AVB_SHA256_DIGEST_SIZE]; + uint32_t buffer[ATX_FUSE_BANK_NUM]; + int num = 0; + + /* read first 112 bits of sha256(permanent attributes) from fuse */ + if (fsl_fuse_read(buffer, ATX_FUSE_BANK_NUM, PERMANENT_ATTRIBUTE_HASH_OFFSET)) { + printf("ERROR - read permanent attributes hash from fuse error\n"); + return RESULT_ERROR; + } + /* only take the lower 2 bytes of the last bank */ + buffer[ATX_FUSE_BANK_NUM - 1] &= ATX_FUSE_BANK_MASK; + + /* return RESULT_OK if fuse has been initialized before */ + for (num = 0; num < ATX_FUSE_BANK_NUM; num++) { + if (buffer[num]) + return RESULT_OK; + } + + /* calculate sha256(permanent attributes) */ + if (permanent_attributes_sha256_hash(sha256_hash) != RESULT_OK) { + printf("ERROR - calculating permanent attributes SHA256 error!\n"); + return RESULT_ERROR; + } + + /* write first 112 bits of sha256(permanent attributes) into fuse */ + memset(buffer, 0, sizeof(buffer)); + memcpy(buffer, sha256_hash, ATX_HASH_LENGTH); + if (fsl_fuse_write(buffer, ATX_FUSE_BANK_NUM, PERMANENT_ATTRIBUTE_HASH_OFFSET)) { + printf("ERROR - write permanent attributes hash to fuse error\n"); + return RESULT_ERROR; + } + + return RESULT_OK; +#endif /* CONFIG_ARM64 */ +} + +int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size) { + + if (staged_buffer == NULL) { + ERR("Error. Get null staged_buffer\n"); + return -1; + } + if (size != sizeof(AvbAtxPermanentAttributes)) { + ERR("Error. expect perm_attr length %u, but get %u.\n", + (uint32_t)sizeof(AvbAtxPermanentAttributes), size); + return -1; + } +#ifdef CONFIG_IMX_TRUSTY_OS + if (trusty_write_permanent_attributes(staged_buffer, size)) { + ERR("Error. Failed to write permanent attributes into secure storage\n"); + return -1; + } + else + return init_permanent_attributes_fuse(); +#else + /* + * TODO: + * Need to handle this when no Trusty OS support. + * But now every Android Things will have Trusty OS support. + */ + ERR("No Trusty OS enabled in bootloader.\n"); + return 0; +#endif +} + +int avb_atx_get_unlock_challenge(struct AvbAtxOps* atx_ops, + uint8_t *upload_buffer, uint32_t *upload_size) +{ + struct AvbAtxUnlockChallenge *buf = NULL; + int ret, size; + + size = sizeof(struct AvbAtxUnlockChallenge); + buf = (struct AvbAtxUnlockChallenge *)malloc(size); + if (buf == NULL) { + ERR("unable to alloc memory!\n"); + return -1; + } + + if (avb_atx_generate_unlock_challenge(atx_ops, buf) != + AVB_IO_RESULT_OK) { + ERR("generate unlock challenge fail!\n"); + ret = -1; + goto fail; + } + /* Current avbtool only accept 16 bytes random numbers as unlock + * challenge, need to return the whole 'AvbAtxUnlockChallenge' + * when avbtool is ready. + */ + memcpy(upload_buffer, buf->challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE); + *upload_size = AVB_ATX_UNLOCK_CHALLENGE_SIZE; + ret = 0; +fail: + if (buf != NULL) + free(buf); + return ret; +} + +int avb_atx_verify_unlock_credential(struct AvbAtxOps* atx_ops, + uint8_t *staged_buffer) +{ + bool out_is_trusted; + AvbIOResult ret; + const AvbAtxUnlockCredential* buf = NULL; + + buf = (const AvbAtxUnlockCredential*)staged_buffer; + ret = avb_atx_validate_unlock_credential(atx_ops, buf, &out_is_trusted); + if ((ret != AVB_IO_RESULT_OK) || (out_is_trusted != true)) { + ERR("validate unlock credential fail!\n"); + return -1; + } else + return 0; +} + +bool perm_attr_are_fused(void) +{ +#ifdef CONFIG_IMX_TRUSTY_OS + AvbAtxPermanentAttributes attributes; + if(!trusty_read_permanent_attributes((uint8_t *)(&attributes), + sizeof(AvbAtxPermanentAttributes))) { + return true; + } else { + ERR("No perm-attr fused, please fuse your perm-attr first!.\n"); + return false; + } +#else + /* We hard code the perm-attr if trusty is not enabled. */ + return true; +#endif +} + +bool at_unlock_vboot_is_disabled(void) +{ + uint32_t unlock_vboot_status; + + if (fsl_fuse_read(&unlock_vboot_status, 1, + UNLOCK_VBOOT_STATUS_OFFSET_IN_WORD)) { + printf("Read at unlock vboot status error!\n"); + return false; + } + + if (unlock_vboot_status & (1 << UNLOCK_VBOOT_STATUS_OFFSET_IN_BIT)) + return true; + else + return false; +} + +int at_disable_vboot_unlock(void) +{ + uint32_t unlock_vboot_status = 0; + + /* Read the status first */ + if (fsl_fuse_read(&unlock_vboot_status, 1, + UNLOCK_VBOOT_STATUS_OFFSET_IN_WORD)) { + ERR("Read unlock vboot status error!\n"); + return -1; + } + + /* Set the disable unlock vboot bit */ + unlock_vboot_status |= (1 << UNLOCK_VBOOT_STATUS_OFFSET_IN_BIT); + + /* Write disable unlock vboot bit to fuse */ + if (fsl_fuse_write(&unlock_vboot_status, 1, + UNLOCK_VBOOT_STATUS_OFFSET_IN_WORD)) { + ERR("Write unlock vboot status fail!\n"); + return -1; + } + + return 0; +} +#endif /* CONFIG_AVB_ATX */ + +#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) +int do_rpmb_key_set(uint8_t *key, uint32_t key_size) +{ + int ret = 0; + int mmcc; + struct mmc *mmc; + char original_part; + struct keyslot_package kp; + struct blk_desc *desc = NULL; + ALLOC_CACHE_ALIGN_BUFFER(uint8_t, rpmb_key, RPMBKEY_LENGTH); + ALLOC_CACHE_ALIGN_BUFFER(uint8_t, blob, + RPMBKEY_LENGTH + CAAM_PAD); + + /* copy rpmb key to cache aligned buffer. */ + memset(rpmb_key, 0, RPMBKEY_LENGTH); + memcpy(rpmb_key, key, RPMBKEY_LENGTH); + + /* Get current mmc device. */ + mmcc = mmc_get_env_dev(); + mmc = find_mmc_device(mmcc); + if (!mmc) { + printf("error - cannot find '%d' mmc device\n", mmcc); + return -1; + } + desc = mmc_get_blk_desc(mmc); + original_part = desc->hwpart; + + /* Switch to the RPMB partition */ + if (desc->hwpart != MMC_PART_RPMB) { + if (mmc_switch_part(mmc, MMC_PART_RPMB) != 0) { + printf("ERROR - can't switch to rpmb partition \n"); + return -1; + } + desc->hwpart = MMC_PART_RPMB; + } + + if (mmc_rpmb_set_key(mmc, rpmb_key)) { + printf("ERROR - Key already programmed ?\n"); + ret = -1; + goto fail; + } else + printf("RPMB key programed successfully!\n"); + + /* Generate keyblob with CAAM. */ + kp.rpmb_keyblob_len = RPMBKEY_LENGTH + CAAM_PAD; + strcpy(kp.magic, KEYPACK_MAGIC); + if (hwcrypto_gen_blob((uint32_t)(ulong)rpmb_key, RPMBKEY_LENGTH, + (uint32_t)(ulong)blob) != 0) { + printf("ERROR - generate rpmb key blob error!\n"); + ret = -1; + goto fail; + } else + printf("RPMB key blob generated!\n"); + + memcpy(kp.rpmb_keyblob, blob, kp.rpmb_keyblob_len); + + /* Store the rpmb key blob to last block of boot1 partition. */ + if (mmc_switch_part(mmc, KEYSLOT_HWPARTITION_ID) != 0) { + printf("ERROR - can't switch to boot1 partition! \n"); + ret = -1; + goto fail; + } else + desc->hwpart = KEYSLOT_HWPARTITION_ID; + if (blk_dwrite(desc, KEYSLOT_BLKS, 1, (void *)&kp) != 1) { + printf("ERROR - failed to write rpmbkeyblob!"); + ret = -1; + goto fail; + } + /* Set power-on write protection to boot1 partition. */ + if (mmc_switch(mmc, EXT_CSD_CMD_SET_NORMAL, + EXT_CSD_BOOT_WP, BOOT1_PWR_WP)) { + printf("ERROR - unable to set power-on write protection!\n"); + ret = -1; + goto fail; + } + + /* Erase the key buffer. */ + memset(rpmb_key, 0, RPMBKEY_LENGTH); + memset(key, 0, RPMBKEY_LENGTH); + +fail: + /* Return to original partition */ + if (desc->hwpart != original_part) { + if (mmc_switch_part(mmc, original_part) != 0) + return -1; + desc->hwpart = original_part; + } + + return ret; +} + +int fastboot_set_rpmb_key(uint8_t *staged_buf, uint32_t key_size) +{ + + if (memcmp(staged_buf, RPMB_KEY_MAGIC, strlen(RPMB_KEY_MAGIC))) { + printf("ERROR - rpmb magic doesn't match!\n"); + return -1; + } + + return do_rpmb_key_set(staged_buf + strlen(RPMB_KEY_MAGIC), + RPMBKEY_LENGTH); +} + +int fastboot_set_rpmb_random_key(void) +{ + ALLOC_CACHE_ALIGN_BUFFER(uint8_t, rpmb_key, RPMBKEY_LENGTH); + + if (hwcrypto_gen_rng((ulong)rpmb_key, RPMBKEY_LENGTH)) { + printf("error - can't generate random key!\n"); + return -1; + } + + return do_rpmb_key_set(rpmb_key, RPMBKEY_LENGTH); +} + +int avb_set_public_key(uint8_t *staged_buffer, uint32_t size) { + + if ((staged_buffer == NULL) || (size <= 0)) { + ERR("Error. Get null staged_buffer\n"); + return -1; + } + if (trusty_write_vbmeta_public_key(staged_buffer, size)) { + ERR("Error. Failed to write vbmeta public key into secure storage\n"); + return -1; + } else + printf("Set vbmeta public key successfully!\n"); + + return 0; +} +#endif /* CONFIG_IMX_TRUSTY_OS && !defind(CONFIG_AVB_ATX) */ +#endif /* CONFIG_SPL_BUILD */ diff --git a/lib/avb/fsl/fsl_avbkey.h b/lib/avb/fsl/fsl_avbkey.h new file mode 100644 index 0000000000..8dd8746bf3 --- /dev/null +++ b/lib/avb/fsl/fsl_avbkey.h @@ -0,0 +1,108 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef __FSL_AVBKEY_H__ +#define __FSL_AVBKEY_H__ + +#include + +#define CAAM_PAD 48 + +#define AVB_PUBKY_FLAG 0xABAB +#define AVB_PUBKY_OFFSET 0x1000 + +#define AVB_RBIDX_FLAG 0xCDCD +#define AVB_RBIDX_START 0x2000 +#define AVB_RBIDX_ALIGN 0x1000 +#define AVB_RBIDX_LEN 0x08 +#define AVB_RBIDX_INITVAL 0 + +#ifdef CONFIG_AVB_ATX +#define ATX_RBIDX_FLAG 0xEFEF +#define ATX_RBIDX_START 0x22000 +#define ATX_RBIDX_ALIGN 0x1000 +#define ATX_RBIDX_LEN 0x08 +#define ATX_RBIDX_INITVAL 0 +#endif + +#define AVB_KBLB_MAGIC "\0KBLB!" +#define AVB_KBLB_MAGIC_LEN 6 + +#if defined(CONFIG_AVB_ATX) && defined(CONFIG_DUAL_BOOTLOADER) +#define BL_RBINDEX_MAGIC "BL_RBINDEX" +#define BL_RBINDEX_MAGIC_LEN 11 +struct bl_rbindex_package { + char magic[BL_RBINDEX_MAGIC_LEN]; + uint32_t rbindex; +}; +#endif + +#ifndef CONFIG_AVB_ATX +#define RPMB_KEY_MAGIC "RPMB" +#endif + +#ifdef CONFIG_AVB_ATX +#define ATX_FUSE_BANK_NUM 4 +#define ATX_FUSE_BANK_MASK 0xFFFF +#define ATX_HASH_LENGTH 14 +#endif + +#define RESULT_ERROR -1 +#define RESULT_OK 0 + +struct kblb_tag { + uint32_t flag; + uint32_t offset; + uint32_t len; +}; +typedef struct kblb_tag kblb_tag_t; + +struct kblb_hdr { + /* avbkey partition magic */ + char magic[AVB_KBLB_MAGIC_LEN]; + /* Rollback index for bootloader is managed by SPL and + * will be stored in RPMB. + */ +#if defined(CONFIG_DUAL_BOOTLOADER) && defined(CONFIG_SPL_BUILD) + kblb_tag_t bootloader_rbk_tags; +#endif + /* public key keyblb tag */ + kblb_tag_t pubk_tag; + /* vbmeta rollback index keyblb tag */ + kblb_tag_t rbk_tags[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS]; +#ifdef CONFIG_AVB_ATX + /* Android Things key versions rollback index keyblb tag */ + kblb_tag_t atx_rbk_tags[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS]; +#endif +}; +typedef struct kblb_hdr kblb_hdr_t; + +#define RPMBKEY_LEN (32 + CAAM_PAD) +#define KEYPACK_MAGIC "!KS" + +struct keyslot_package +{ + char magic[4]; + unsigned int rpmb_keyblob_len; + unsigned char rpmb_keyblob[RPMBKEY_LEN]; +}; + +int gen_rpmb_key(struct keyslot_package *kp); +int read_keyslot_package(struct keyslot_package* kp); +void fill_secure_keyslot_package(struct keyslot_package *kp); +int rpmb_init(void); +int rpmb_read(struct mmc *mmc, uint8_t *buffer, + size_t num_bytes,int64_t offset); +int rpmb_write(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, + int64_t offset); + +int check_rpmb_blob(struct mmc *mmc); +bool rpmbkey_is_set(void); +int fsl_fuse_write(const uint32_t *buffer, uint32_t length, uint32_t offset); +int fsl_fuse_read(uint32_t *buffer, uint32_t length, uint32_t offset); +int permanent_attributes_sha256_hash(unsigned char* output); +struct mmc *get_mmc(void); +#endif diff --git a/lib/avb/fsl/fsl_bootctl.c b/lib/avb/fsl/fsl_bootctl.c new file mode 100755 index 0000000000..8f853bc807 --- /dev/null +++ b/lib/avb/fsl/fsl_bootctl.c @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include +#include +#include +#include +#include + +/* as libavb's bootctl doesn't have the get_var support + * we add the getvar support on our side ...*/ +#ifndef MAX_PTN +#define MAX_PTN 32 +#endif +#define SLOT_NUM 2 +static char *slot_suffix[SLOT_NUM] = {"_a", "_b"}; + +static int strcmp_l1(const char *s1, const char *s2) { + if (!s1 || !s2) + return -1; + return strncmp(s1, s2, strlen(s1)); +} + +static bool slot_is_bootable(AvbABSlotData* slot) { +#ifdef CONFIG_DUAL_BOOTLOADER + /* The 'bootloader_verified' will be set when the slot has only one chance + * left, which means the slot is bootable even tries_remaining is 0. + */ + return slot->priority > 0 && + (slot->successful_boot || (slot->tries_remaining > 0) + || (slot->bootloader_verified == 1)); +#else + return slot->priority > 0 && + (slot->successful_boot || (slot->tries_remaining > 0)); +#endif +} + +int slotidx_from_suffix(char *suffix) { + int slot = -1; + + if (!strcmp(suffix, "_a") || + !strcmp(suffix, "a")) + slot = 0; + else if (!strcmp(suffix, "_b") || + !strcmp(suffix, "b")) + slot = 1; + + return slot; +} + +bool is_slotvar_avb(char *cmd) { + + assert(cmd != NULL); + if (!strcmp_l1("has-slot:", cmd) || + !strcmp_l1("slot-successful:", cmd) || + !strcmp_l1("slot-count", cmd) || + !strcmp_l1("slot-suffixes", cmd) || + !strcmp_l1("current-slot", cmd) || + !strcmp_l1("slot-unbootable:", cmd) || + !strcmp_l1("slot-retry-count:", cmd)) + return true; + return false; +} + +int get_curr_slot(AvbABData *ab_data) { + if (slot_is_bootable(&ab_data->slots[0]) && + slot_is_bootable(&ab_data->slots[1])) { + if (ab_data->slots[1].priority > ab_data->slots[0].priority) + return 1; + else + return 0; + } else if (slot_is_bootable(&ab_data->slots[0])) + return 0; + else if (slot_is_bootable(&ab_data->slots[1])) + return 1; + else + return -1; +} + +extern struct fastboot_ptentry g_ptable[MAX_PTN]; +extern unsigned int g_pcount; + +static bool has_slot(char *cmd) { + unsigned int n; + char *ptr; + + for (n = 0; n < g_pcount; n++) { + ptr = strstr(g_ptable[n].name, cmd); + if (ptr != NULL) { + ptr += strlen(cmd); + if (!strcmp(ptr, "_a") || !strcmp(ptr, "_b")) + return true; + } + } + return false; +} + +int get_slotvar_avb(AvbABOps *ab_ops, char *cmd, char *buffer, size_t size) { + + AvbABData ab_data; + AvbABSlotData *slot_data; + int slot; + + if ((ab_ops == NULL) || (cmd == NULL) || (buffer == NULL)) + return -1; + + char *str = cmd; + if (!strcmp_l1("has-slot:", cmd)) { + str += strlen("has-slot:"); + if (has_slot(str)) + strlcpy(buffer, "yes", size); + else + strlcpy(buffer, "no", size); + return 0; + + } else if (!strcmp_l1("slot-suffixes", cmd)) { + strlcpy(buffer, "_a,_b", size); + return 0 ; + + } else if (!strcmp_l1("slot-count", cmd)) { + strlcpy(buffer, "2", size); + return 0 ; + } + + /* load ab meta */ + if (ab_ops->read_ab_metadata == NULL || + ab_ops->read_ab_metadata(ab_ops, &ab_data) != AVB_IO_RESULT_OK) { + strlcpy(buffer, "ab data read error", size); + return -1 ; + } + + if (!strcmp_l1("current-slot", cmd)) { + int curr = get_curr_slot(&ab_data); + if (curr >= 0 && curr < SLOT_NUM) + strlcpy(buffer, slot_suffix[curr] + sizeof(unsigned char), size); + else { + strlcpy(buffer, "no bootable slot", size); + return -1; + } + + } else if (!strcmp_l1("slot-successful:", cmd)) { + str += strlen("slot-successful:"); + slot = slotidx_from_suffix(str); + if (slot < 0) { + strlcpy(buffer, "no such slot", size); + return -1; + } else { + slot_data = &ab_data.slots[slot]; + bool succ = (slot_data->successful_boot != 0); + strlcpy(buffer, succ ? "yes" : "no", size); + } + + } else if (!strcmp_l1("slot-unbootable:", cmd)) { + str += strlen("slot-unbootable:"); + slot = slotidx_from_suffix(str); + if (slot < 0) { + strlcpy(buffer, "no such slot", size); + return -1; + } else { + slot_data = &ab_data.slots[slot]; + bool bootable = slot_is_bootable(slot_data); + strlcpy(buffer, bootable ? "no" : "yes", size); + } + + } else if (!strcmp_l1("slot-retry-count:", cmd)) { + str += strlen("slot-retry-count:"); + slot = slotidx_from_suffix(str); + if (slot < 0) { + strlcpy(buffer, "no such slot", size); + return -1; + } + else { + slot_data = &ab_data.slots[slot]; + char var[7]; + sprintf(var, "%d", + slot_data->tries_remaining); + strlcpy(buffer, var, size); + } + + } else { + strlcpy(buffer, "no such slot command", size); + return -1; + } + + return 0; +} + +char *select_slot(AvbABOps *ab_ops) { + AvbABData ab_data; + int curr; + + if (ab_ops == NULL) { + return NULL; + } + + /* load ab meta */ + if (ab_ops->read_ab_metadata == NULL || + ab_ops->read_ab_metadata(ab_ops, &ab_data) != AVB_IO_RESULT_OK) { + return NULL; + } + curr = get_curr_slot(&ab_data); + if (curr >= 0 && curr < SLOT_NUM) + return slot_suffix[curr]; + else + return NULL; +} diff --git a/lib/avb/fsl/fsl_public_key.h b/lib/avb/fsl/fsl_public_key.h new file mode 100644 index 0000000000..f590cdb711 --- /dev/null +++ b/lib/avb/fsl/fsl_public_key.h @@ -0,0 +1,144 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * Copyright 2017 NXP + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef __FSL_PUBLIC_KEY_H_ +#define __FSL_PUBLIC_KEY_H_ +/*This public key is generated from testkey_rsa4096.pem.*/ +unsigned char fsl_public_key[] = { + 0x00,0x00,0x10,0x00,0x55,0xd9,0x04,0xad, + 0xd8,0x04,0xaf,0xe3,0xd3,0x84,0x6c,0x7e, + 0x0d,0x89,0x3d,0xc2,0x8c,0xd3,0x12,0x55, + 0xe9,0x62,0xc9,0xf1,0x0f,0x5e,0xcc,0x16, + 0x72,0xab,0x44,0x7c,0x2c,0x65,0x4a,0x94, + 0xb5,0x16,0x2b,0x00,0xbb,0x06,0xef,0x13, + 0x07,0x53,0x4c,0xf9,0x64,0xb9,0x28,0x7a, + 0x1b,0x84,0x98,0x88,0xd8,0x67,0xa4,0x23, + 0xf9,0xa7,0x4b,0xdc,0x4a,0x0f,0xf7,0x3a, + 0x18,0xae,0x54,0xa8,0x15,0xfe,0xb0,0xad, + 0xac,0x35,0xda,0x3b,0xad,0x27,0xbc,0xaf, + 0xe8,0xd3,0x2f,0x37,0x34,0xd6,0x51,0x2b, + 0x6c,0x5a,0x27,0xd7,0x96,0x06,0xaf,0x6b, + 0xb8,0x80,0xca,0xfa,0x30,0xb4,0xb1,0x85, + 0xb3,0x4d,0xaa,0xaa,0xc3,0x16,0x34,0x1a, + 0xb8,0xe7,0xc7,0xfa,0xf9,0x09,0x77,0xab, + 0x97,0x93,0xeb,0x44,0xae,0xcf,0x20,0xbc, + 0xf0,0x80,0x11,0xdb,0x23,0x0c,0x47,0x71, + 0xb9,0x6d,0xd6,0x7b,0x60,0x47,0x87,0x16, + 0x56,0x93,0xb7,0xc2,0x2a,0x9a,0xb0,0x4c, + 0x01,0x0c,0x30,0xd8,0x93,0x87,0xf0,0xed, + 0x6e,0x8b,0xbe,0x30,0x5b,0xf6,0xa6,0xaf, + 0xdd,0x80,0x7c,0x45,0x5e,0x8f,0x91,0x93, + 0x5e,0x44,0xfe,0xb8,0x82,0x07,0xee,0x79, + 0xca,0xbf,0x31,0x73,0x62,0x58,0xe3,0xcd, + 0xc4,0xbc,0xc2,0x11,0x1d,0xa1,0x4a,0xbf, + 0xfe,0x27,0x7d,0xa1,0xf6,0x35,0xa3,0x5e, + 0xca,0xdc,0x57,0x2f,0x3e,0xf0,0xc9,0x5d, + 0x86,0x6a,0xf8,0xaf,0x66,0xa7,0xed,0xcd, + 0xb8,0xed,0xa1,0x5f,0xba,0x9b,0x85,0x1a, + 0xd5,0x09,0xae,0x94,0x4e,0x3b,0xcf,0xcb, + 0x5c,0xc9,0x79,0x80,0xf7,0xcc,0xa6,0x4a, + 0xa8,0x6a,0xd8,0xd3,0x31,0x11,0xf9,0xf6, + 0x02,0x63,0x2a,0x1a,0x2d,0xd1,0x1a,0x66, + 0x1b,0x16,0x41,0xbd,0xbd,0xf7,0x4d,0xc0, + 0x4a,0xe5,0x27,0x49,0x5f,0x7f,0x58,0xe3, + 0x27,0x2d,0xe5,0xc9,0x66,0x0e,0x52,0x38, + 0x16,0x38,0xfb,0x16,0xeb,0x53,0x3f,0xe6, + 0xfd,0xe9,0xa2,0x5e,0x25,0x59,0xd8,0x79, + 0x45,0xff,0x03,0x4c,0x26,0xa2,0x00,0x5a, + 0x8e,0xc2,0x51,0xa1,0x15,0xf9,0x7b,0xf4, + 0x5c,0x81,0x9b,0x18,0x47,0x35,0xd8,0x2d, + 0x05,0xe9,0xad,0x0f,0x35,0x74,0x15,0xa3, + 0x8e,0x8b,0xcc,0x27,0xda,0x7c,0x5d,0xe4, + 0xfa,0x04,0xd3,0x05,0x0b,0xba,0x3a,0xb2, + 0x49,0x45,0x2f,0x47,0xc7,0x0d,0x41,0x3f, + 0x97,0x80,0x4d,0x3f,0xc1,0xb5,0xbb,0x70, + 0x5f,0xa7,0x37,0xaf,0x48,0x22,0x12,0x45, + 0x2e,0xf5,0x0f,0x87,0x92,0xe2,0x84,0x01, + 0xf9,0x12,0x0f,0x14,0x15,0x24,0xce,0x89, + 0x99,0xee,0xb9,0xc4,0x17,0x70,0x70,0x15, + 0xea,0xbe,0xc6,0x6c,0x1f,0x62,0xb3,0xf4, + 0x2d,0x16,0x87,0xfb,0x56,0x1e,0x45,0xab, + 0xae,0x32,0xe4,0x5e,0x91,0xed,0x53,0x66, + 0x5e,0xbd,0xed,0xad,0xe6,0x12,0x39,0x0d, + 0x83,0xc9,0xe8,0x6b,0x6c,0x2d,0xa5,0xee, + 0xc4,0x5a,0x66,0xae,0x8c,0x97,0xd7,0x0d, + 0x6c,0x49,0xc7,0xf5,0xc4,0x92,0x31,0x8b, + 0x09,0xee,0x33,0xda,0xa9,0x37,0xb6,0x49, + 0x18,0xf8,0x0e,0x60,0x45,0xc8,0x33,0x91, + 0xef,0x20,0x57,0x10,0xbe,0x78,0x2d,0x83, + 0x26,0xd6,0xca,0x61,0xf9,0x2f,0xe0,0xbf, + 0x05,0x30,0x52,0x5a,0x12,0x1c,0x00,0xa7, + 0x5d,0xcc,0x7c,0x2e,0xc5,0x95,0x8b,0xa3, + 0x3b,0xf0,0x43,0x2e,0x5e,0xdd,0x00,0xdb, + 0x0d,0xb3,0x37,0x99,0xa9,0xcd,0x9c,0xb7, + 0x43,0xf7,0x35,0x44,0x21,0xc2,0x82,0x71, + 0xab,0x8d,0xaa,0xb4,0x41,0x11,0xec,0x1e, + 0x8d,0xfc,0x14,0x82,0x92,0x4e,0x83,0x6a, + 0x0a,0x6b,0x35,0x5e,0x5d,0xe9,0x5c,0xcc, + 0x8c,0xde,0x39,0xd1,0x4a,0x5b,0x5f,0x63, + 0xa9,0x64,0xe0,0x0a,0xcb,0x0b,0xb8,0x5a, + 0x7c,0xc3,0x0b,0xe6,0xbe,0xfe,0x8b,0x0f, + 0x7d,0x34,0x8e,0x02,0x66,0x74,0x01,0x6c, + 0xca,0x76,0xac,0x7c,0x67,0x08,0x2f,0x3f, + 0x1a,0xa6,0x2c,0x60,0xb3,0xff,0xda,0x8d, + 0xb8,0x12,0x0c,0x00,0x7f,0xcc,0x50,0xa1, + 0x5c,0x64,0xa1,0xe2,0x5f,0x32,0x65,0xc9, + 0x9c,0xbe,0xd6,0x0a,0x13,0x87,0x3c,0x2a, + 0x45,0x47,0x0c,0xca,0x42,0x82,0xfa,0x89, + 0x65,0xe7,0x89,0xb4,0x8f,0xf7,0x1e,0xe6, + 0x23,0xa5,0xd0,0x59,0x37,0x79,0x92,0xd7, + 0xce,0x3d,0xfd,0xe3,0xa1,0x0b,0xcf,0x6c, + 0x85,0xa0,0x65,0xf3,0x5c,0xc6,0x4a,0x63, + 0x5f,0x6e,0x3a,0x3a,0x2a,0x8b,0x6a,0xb6, + 0x2f,0xbb,0xf8,0xb2,0x4b,0x62,0xbc,0x1a, + 0x91,0x25,0x66,0xe3,0x69,0xca,0x60,0x49, + 0x0b,0xf6,0x8a,0xbe,0x3e,0x76,0x53,0xc2, + 0x7a,0xa8,0x04,0x17,0x75,0xf1,0xf3,0x03, + 0x62,0x1b,0x85,0xb2,0xb0,0xef,0x80,0x15, + 0xb6,0xd4,0x4e,0xdf,0x71,0xac,0xdb,0x2a, + 0x04,0xd4,0xb4,0x21,0xba,0x65,0x56,0x57, + 0xe8,0xfa,0x84,0xa2,0x7d,0x13,0x0e,0xaf, + 0xd7,0x9a,0x58,0x2a,0xa3,0x81,0x84,0x8d, + 0x09,0xa0,0x6a,0xc1,0xbb,0xd9,0xf5,0x86, + 0xac,0xbd,0x75,0x61,0x09,0xe6,0x8c,0x3d, + 0x77,0xb2,0xed,0x30,0x20,0xe4,0x00,0x1d, + 0x97,0xe8,0xbf,0xc7,0x00,0x1b,0x21,0xb1, + 0x16,0xe7,0x41,0x67,0x2e,0xec,0x38,0xbc, + 0xe5,0x1b,0xb4,0x06,0x23,0x31,0x71,0x1c, + 0x49,0xcd,0x76,0x4a,0x76,0x36,0x8d,0xa3, + 0x89,0x8b,0x4a,0x7a,0xf4,0x87,0xc8,0x15, + 0x0f,0x37,0x39,0xf6,0x6d,0x80,0x19,0xef, + 0x5c,0xa8,0x66,0xce,0x1b,0x16,0x79,0x21, + 0xdf,0xd7,0x31,0x30,0xc4,0x21,0xdd,0x34, + 0x5b,0xd2,0x1a,0x2b,0x3e,0x5d,0xf7,0xea, + 0xca,0x05,0x8e,0xb7,0xcb,0x49,0x2e,0xa0, + 0xe3,0xf4,0xa7,0x48,0x19,0x10,0x9c,0x04, + 0xa7,0xf4,0x28,0x74,0xc8,0x6f,0x63,0x20, + 0x2b,0x46,0x24,0x26,0x19,0x1d,0xd1,0x2c, + 0x31,0x6d,0x5a,0x29,0xa2,0x06,0xa6,0xb2, + 0x41,0xcc,0x0a,0x27,0x96,0x09,0x96,0xac, + 0x47,0x65,0x78,0x68,0x51,0x98,0xd6,0xd8, + 0xa6,0x2d,0xa0,0xcf,0xec,0xe2,0x74,0xf2, + 0x82,0xe3,0x97,0xd9,0x7e,0xd4,0xf8,0x0b, + 0x70,0x43,0x3d,0xb1,0x7b,0x97,0x80,0xd6, + 0xcb,0xd7,0x19,0xbc,0x63,0x0b,0xfd,0x4d, + 0x88,0xfe,0x67,0xac,0xb8,0xcc,0x50,0xb7, + 0x68,0xb3,0x5b,0xd6,0x1e,0x25,0xfc,0x5f, + 0x3c,0x8d,0xb1,0x33,0x7c,0xb3,0x49,0x01, + 0x3f,0x71,0x55,0x0e,0x51,0xba,0x61,0x26, + 0xfa,0xea,0xe5,0xb5,0xe8,0xaa,0xcf,0xcd, + 0x96,0x9f,0xd6,0xc1,0x5f,0x53,0x91,0xad, + 0x05,0xde,0x20,0xe7,0x51,0xda,0x5b,0x95, + 0x67,0xed,0xf4,0xee,0x42,0x65,0x70,0x13, + 0x0b,0x70,0x14,0x1c,0xc9,0xe0,0x19,0xca, + 0x5f,0xf5,0x1d,0x70,0x4b,0x6c,0x06,0x74, + 0xec,0xb5,0x2e,0x77,0xe1,0x74,0xa1,0xa3, + 0x99,0xa0,0x85,0x9e,0xf1,0xac,0xd8,0x7e +}; + + +#endif diff --git a/lib/avb/fsl/utils.c b/lib/avb/fsl/utils.c new file mode 100644 index 0000000000..94a72e8e6a --- /dev/null +++ b/lib/avb/fsl/utils.c @@ -0,0 +1,216 @@ +/* ++ * Copyright (C) 2016 Freescale Semiconductor, Inc. ++ * Copyright 2018 NXP ++ * ++ * SPDX-License-Identifier: GPL-2.0+ ++ */ +#include +#include + +#include "debug.h" +#include "utils.h" + +/* + * get margin_pos struct from offset [to the partition start/end] and + * num_bytes to read/write + */ +int get_margin_pos(uint64_t part_start, uint64_t part_end, unsigned long blksz, + margin_pos_t *margin, int64_t offset, size_t num_bytes, + bool allow_partial) { + long off; + if (margin == NULL) + return -1; + + if (blksz == 0 || part_start > part_end) + return -1; + + if (offset < 0) { + margin->blk_start = (offset + 1) / (uint64_t)blksz + part_end; + // offset == -1 means the last byte?, or start need -1 + margin->start = (off = offset % (uint64_t)blksz) == 0 ? + 0 : blksz + off; + if (offset + num_bytes - 1 >= 0) { + if (!allow_partial) + return -1; + margin->blk_end = part_end; + margin->end = blksz - 1; + } else { + // which blk the last byte is in + margin->blk_end = (num_bytes + offset) / + (uint64_t)blksz + part_end; + margin->end = (off = (num_bytes + offset - 1) % + (uint64_t)blksz) == 0 ? + 0 : blksz + off; // last byte + } + } else { + margin->blk_start = offset / (uint64_t)blksz + part_start; + margin->start = offset % (uint64_t)blksz; + margin->blk_end = ((offset + num_bytes - 1) / (uint64_t)blksz) + + part_start ; + margin->end = (offset + num_bytes - 1) % (uint64_t)blksz; + if (margin->blk_end > part_end) { + if (!allow_partial) + return -1; + margin->blk_end = part_end; + margin->end = blksz - 1; + } + } + VDEBUG("bs=%ld, be=%ld, s=%ld, e=%ld\n", + margin->blk_start, margin->blk_end, margin->start, margin->end); + + if (margin->blk_start > part_end || margin->blk_start < part_start) + return -1; + long multi = margin->blk_end - margin->blk_start - 1 + + (margin->start == 0) + (margin->end == blksz -1); + margin->multi = multi > 0 ? multi : 0; + VDEBUG("bm=%ld\n", margin->multi); + return 0; +} + +int read_from_partition_in_bytes(struct blk_desc *fs_dev_desc, + struct disk_partition *info, int64_t offset, + size_t num_bytes, void* buffer, + size_t* out_num_read) +{ + unsigned char *bdata; + unsigned char *out_buf = (unsigned char *)buffer; + unsigned char *dst, *dst64 = NULL; + unsigned long blksz; + unsigned long s, cnt; + size_t num_read = 0; + lbaint_t part_start, part_end, bs, be, bm, blk_num; + margin_pos_t margin; + int ret; + + if(buffer == NULL || out_num_read == NULL) { + printf("NULL pointer error!\n"); + return -1; + } + + blksz = fs_dev_desc->blksz; + part_start = info->start; + part_end = info->start + info->size - 1; + + if (get_margin_pos((uint64_t)part_start, (uint64_t)part_end, blksz, + &margin, offset, num_bytes, true)) + return -1; + + bs = (lbaint_t)margin.blk_start; + be = (lbaint_t)margin.blk_end; + s = margin.start; + bm = margin.multi; + + /* alloc a blksz mem */ + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) { + printf("Failed to allocate memory!\n"); + return -1; + } + + /* support multi blk read */ + while (bs <= be) { + if (!s && bm > 1) { + dst = out_buf; + /* for mmc blk read alignment */ + dst64 = PTR_ALIGN(out_buf, 64); + if (dst64 != dst) { + dst = dst64; + bm--; + } + blk_num = bm; + cnt = bm * blksz; + bm = 0; /* no more multi blk */ + } else { + blk_num = 1; + cnt = blksz - s; + if (num_read + cnt > num_bytes) + cnt = num_bytes - num_read; + dst = bdata; + } + if (!blk_dread(fs_dev_desc, bs, blk_num, dst)) { + ret = -1; + goto fail; + } + + if (dst == bdata) + memcpy(out_buf, bdata + s, cnt); + else if (dst == dst64) + memcpy(out_buf, dst, cnt); /* internal copy */ + + s = 0; + bs += blk_num; + num_read += cnt; + out_buf += cnt; + } + *out_num_read = num_read; + ret = 0; + +fail: + free(bdata); + return ret; +} + +int write_to_partition_in_bytes(struct blk_desc *fs_dev_desc, + struct disk_partition *info, int64_t offset, + size_t num_bytes, + void* buffer, size_t *out_num_write) +{ + unsigned char *bdata; + unsigned char *in_buf = (unsigned char *)buffer; + unsigned long blksz; + unsigned long s, cnt; + size_t num_write = 0; + lbaint_t part_start, part_end, bs; + margin_pos_t margin; + int ret; + + if(buffer == NULL || out_num_write == NULL) { + printf("NULL pointer error!\n"); + return -1; + } + + blksz = fs_dev_desc->blksz; + part_start = info->start; + part_end = info->start + info->size - 1; + + if(get_margin_pos((uint64_t)part_start, (uint64_t)part_end, blksz, + &margin, offset, num_bytes, false)) + return -1; + + bs = (lbaint_t)margin.blk_start; + s = margin.start; + + // alloc a blksz mem + bdata = (unsigned char *)memalign(ALIGN_BYTES, blksz); + if (bdata == NULL) + return -1; + + while (num_write < num_bytes) { + memset(bdata, 0, blksz); + cnt = blksz - s; + if (num_write + cnt > num_bytes) + cnt = num_bytes - num_write; + if (!s || cnt != blksz) { //read blk first + if (!blk_dread(fs_dev_desc, bs, 1, + bdata)) { + ret = -1; + goto fail; + } + } + memcpy(bdata + s, in_buf, cnt); //change data + if (!blk_dwrite(fs_dev_desc, bs, 1, bdata)) { + ret = -1; + goto fail; + } + bs++; + num_write += cnt; + in_buf += cnt; + s = 0; + } + *out_num_write = num_write; + ret = 0; + +fail: + free(bdata); + return ret; +} diff --git a/lib/avb/fsl/utils.h b/lib/avb/fsl/utils.h new file mode 100644 index 0000000000..981b1b5518 --- /dev/null +++ b/lib/avb/fsl/utils.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2016 Freescale Semiconductor, Inc. + * Copyright 2018 NXP + * + * SPDX-License-Identifier: GPL-2.0+ + */ +#ifndef __UTILS_H__ +#define __UTILS_H__ + +#include + +#define ALIGN_BYTES 64 /*mmc block read/write need 64 bytes aligned */ + +struct margin_pos { + /* which blk the read/write starts */ + uint64_t blk_start; + /* which blk the read/write ends */ + uint64_t blk_end; + /* start position inside the start blk */ + unsigned long start; + /* end position inside the end blk */ + unsigned long end; + /* how many blks can be read/write one time */ + unsigned long multi; +}; +typedef struct margin_pos margin_pos_t; + +int get_margin_pos(uint64_t part_start, uint64_t part_end, unsigned long blksz, + margin_pos_t *margin, int64_t offset, size_t num_bytes, + bool allow_partial); + +int read_from_partition_in_bytes(struct blk_desc *fs_dev_desc, + struct disk_partition *info, + int64_t offset, size_t num_bytes, + void* buffer, size_t* out_num_read); + +int write_to_partition_in_bytes(struct blk_desc *fs_dev_desc, + struct disk_partition *info, int64_t offset, + size_t num_bytes, void* buffer, + size_t *out_num_write); + +#endif diff --git a/lib/avb/libavb_ab/Makefile b/lib/avb/libavb_ab/Makefile new file mode 100644 index 0000000000..f22d0ed83f --- /dev/null +++ b/lib/avb/libavb_ab/Makefile @@ -0,0 +1,2 @@ +ccflags-y += -DAVB_COMPILATION +obj-y += avb_ab_flow.o diff --git a/lib/avb/libavb_ab/avb_ab_flow.c b/lib/avb/libavb_ab/avb_ab_flow.c new file mode 100644 index 0000000000..6097988b19 --- /dev/null +++ b/lib/avb/libavb_ab/avb_ab_flow.c @@ -0,0 +1,540 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "avb_ab_flow.h" + +bool avb_ab_data_verify_and_byteswap(const AvbABData* src, AvbABData* dest) { + /* Ensure magic is correct. */ + if (avb_safe_memcmp(src->magic, AVB_AB_MAGIC, AVB_AB_MAGIC_LEN) != 0) { + avb_error("Magic is incorrect.\n"); + return false; + } + + avb_memcpy(dest, src, sizeof(AvbABData)); + dest->crc32 = avb_be32toh(dest->crc32); + + /* Ensure we don't attempt to access any fields if the major version + * is not supported. + */ + if (dest->version_major > AVB_AB_MAJOR_VERSION) { + avb_error("No support for given major version.\n"); + return false; + } + + /* Bail if CRC32 doesn't match. */ + if (dest->crc32 != + avb_crc32((const uint8_t*)dest, sizeof(AvbABData) - sizeof(uint32_t))) { + avb_error("CRC32 does not match.\n"); + return false; + } + + return true; +} + +void avb_ab_data_update_crc_and_byteswap(const AvbABData* src, + AvbABData* dest) { + avb_memcpy(dest, src, sizeof(AvbABData)); + dest->crc32 = avb_htobe32( + avb_crc32((const uint8_t*)dest, sizeof(AvbABData) - sizeof(uint32_t))); +} + +void avb_ab_data_init(AvbABData* data) { + avb_memset(data, '\0', sizeof(AvbABData)); + avb_memcpy(data->magic, AVB_AB_MAGIC, AVB_AB_MAGIC_LEN); + data->version_major = AVB_AB_MAJOR_VERSION; + data->version_minor = AVB_AB_MINOR_VERSION; + data->slots[0].priority = AVB_AB_MAX_PRIORITY; + data->slots[0].tries_remaining = AVB_AB_MAX_TRIES_REMAINING; + data->slots[0].successful_boot = 0; +#ifdef CONFIG_DUAL_BOOTLOADER + data->slots[0].bootloader_verified = 0; +#endif + data->slots[1].priority = AVB_AB_MAX_PRIORITY - 1; + data->slots[1].tries_remaining = AVB_AB_MAX_TRIES_REMAINING; + data->slots[1].successful_boot = 0; +#ifdef CONFIG_DUAL_BOOTLOADER + data->slots[1].bootloader_verified = 0; +#endif +} + +/* The AvbABData struct is stored 2048 bytes into the 'misc' partition + * following the 'struct bootloader_message' field. The struct is + * compatible with the guidelines in bootable/recovery/bootloader.h - + * e.g. it is stored in the |slot_suffix| field, starts with a + * NUL-byte, and is 32 bytes long. + */ +#define AB_METADATA_MISC_PARTITION_OFFSET 2048 + +AvbIOResult avb_ab_data_read(AvbABOps* ab_ops, AvbABData* data) { + AvbOps* ops = ab_ops->ops; + AvbABData serialized; + AvbIOResult io_ret; + size_t num_bytes_read; + + io_ret = ops->read_from_partition(ops, + "misc", + AB_METADATA_MISC_PARTITION_OFFSET, + sizeof(AvbABData), + &serialized, + &num_bytes_read); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + return AVB_IO_RESULT_ERROR_OOM; + } else if (io_ret != AVB_IO_RESULT_OK || + num_bytes_read != sizeof(AvbABData)) { + avb_error("Error reading A/B metadata.\n"); + return AVB_IO_RESULT_ERROR_IO; + } + + if (!avb_ab_data_verify_and_byteswap(&serialized, data)) { + avb_error( + "Error validating A/B metadata from disk. " + "Resetting and writing new A/B metadata to disk.\n"); + avb_ab_data_init(data); + return avb_ab_data_write(ab_ops, data); + } + + return AVB_IO_RESULT_OK; +} + +AvbIOResult avb_ab_data_write(AvbABOps* ab_ops, const AvbABData* data) { + AvbOps* ops = ab_ops->ops; + AvbABData serialized; + AvbIOResult io_ret; + + avb_ab_data_update_crc_and_byteswap(data, &serialized); + io_ret = ops->write_to_partition(ops, + "misc", + AB_METADATA_MISC_PARTITION_OFFSET, + sizeof(AvbABData), + &serialized); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + return AVB_IO_RESULT_ERROR_OOM; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error writing A/B metadata.\n"); + return AVB_IO_RESULT_ERROR_IO; + } + return AVB_IO_RESULT_OK; +} + +static bool slot_is_bootable(AvbABSlotData* slot) { + return slot->priority > 0 && + (slot->successful_boot || (slot->tries_remaining > 0)); +} + +static void slot_set_unbootable(AvbABSlotData* slot) { + slot->priority = 0; + slot->tries_remaining = 0; + slot->successful_boot = 0; +} + +/* Ensure all unbootable and/or illegal states are marked as the + * canonical 'unbootable' state, e.g. priority=0, tries_remaining=0, + * and successful_boot=0. + */ +static void slot_normalize(AvbABSlotData* slot) { + if (slot->priority > 0) { + if (slot->tries_remaining == 0 && !slot->successful_boot) { + /* We've exhausted all tries -> unbootable. */ + slot_set_unbootable(slot); + } + if (slot->tries_remaining > 0 && slot->successful_boot) { + /* Illegal state - avb_ab_mark_slot_successful() will clear + * tries_remaining when setting successful_boot. + */ + slot_set_unbootable(slot); + } + } else { + slot_set_unbootable(slot); + } +} + +static const char* slot_suffixes[2] = {"_a", "_b"}; + +/* Helper function to load metadata - returns AVB_IO_RESULT_OK on + * success, error code otherwise. + */ +static AvbIOResult load_metadata(AvbABOps* ab_ops, + AvbABData* ab_data, + AvbABData* ab_data_orig) { + AvbIOResult io_ret; + + io_ret = ab_ops->read_ab_metadata(ab_ops, ab_data); + if (io_ret != AVB_IO_RESULT_OK) { + avb_error("I/O error while loading A/B metadata.\n"); + return io_ret; + } + *ab_data_orig = *ab_data; + + /* Ensure data is normalized, e.g. illegal states will be marked as + * unbootable and all unbootable states are represented with + * (priority=0, tries_remaining=0, successful_boot=0). + */ + slot_normalize(&ab_data->slots[0]); + slot_normalize(&ab_data->slots[1]); + return AVB_IO_RESULT_OK; +} + +/* Writes A/B metadata to disk only if it has changed - returns + * AVB_IO_RESULT_OK on success, error code otherwise. + */ +static AvbIOResult save_metadata_if_changed(AvbABOps* ab_ops, + AvbABData* ab_data, + AvbABData* ab_data_orig) { + if (avb_safe_memcmp(ab_data, ab_data_orig, sizeof(AvbABData)) != 0) { + avb_debug("Writing A/B metadata to disk.\n"); + return ab_ops->write_ab_metadata(ab_ops, ab_data); + } + return AVB_IO_RESULT_OK; +} + +AvbABFlowResult avb_ab_flow(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data) { + AvbOps* ops = ab_ops->ops; + AvbSlotVerifyData* slot_data[2] = {NULL, NULL}; + AvbSlotVerifyData* data = NULL; + AvbABFlowResult ret; + AvbABData ab_data, ab_data_orig; + size_t slot_index_to_boot, n; + AvbIOResult io_ret; + bool saw_and_allowed_verification_error = false; + + io_ret = load_metadata(ab_ops, &ab_data, &ab_data_orig); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + + /* Validate all bootable slots. */ + for (n = 0; n < 2; n++) { + if (slot_is_bootable(&ab_data.slots[n])) { + AvbSlotVerifyResult verify_result; + bool set_slot_unbootable = false; + + verify_result = avb_slot_verify(ops, + requested_partitions, + slot_suffixes[n], + flags, + hashtree_error_mode, + &slot_data[n]); + switch (verify_result) { + case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + + case AVB_SLOT_VERIFY_RESULT_ERROR_IO: + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + + case AVB_SLOT_VERIFY_RESULT_OK: + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: + case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: + /* Even with AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR + * these mean game over. + */ + set_slot_unbootable = true; + break; + + /* explicit fallthrough. */ + case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: + case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: + case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: + if (flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR) { + /* Do nothing since we allow this. */ + avb_debugv("Allowing slot ", + slot_suffixes[n], + " which verified " + "with result ", + avb_slot_verify_result_to_string(verify_result), + " because " + "AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR " + "is set.\n", + NULL); + saw_and_allowed_verification_error = true; + } else { + set_slot_unbootable = true; + } + break; + + case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT: + ret = AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT; + goto out; + /* Do not add a 'default:' case here because of -Wswitch. */ + } + + if (set_slot_unbootable) { + avb_errorv("Error verifying slot ", + slot_suffixes[n], + " with result ", + avb_slot_verify_result_to_string(verify_result), + " - setting unbootable.\n", + NULL); + slot_set_unbootable(&ab_data.slots[n]); + } + } + } + + if (slot_is_bootable(&ab_data.slots[0]) && + slot_is_bootable(&ab_data.slots[1])) { + if (ab_data.slots[1].priority > ab_data.slots[0].priority) { + slot_index_to_boot = 1; + } else { + slot_index_to_boot = 0; + } + } else if (slot_is_bootable(&ab_data.slots[0])) { + slot_index_to_boot = 0; + } else if (slot_is_bootable(&ab_data.slots[1])) { + slot_index_to_boot = 1; + } else { + /* No bootable slots! */ + avb_error("No bootable slots found.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS; + goto out; + } + + /* Update stored rollback index such that the stored rollback index + * is the largest value supporting all currently bootable slots. Do + * this for every rollback index location. + */ + for (n = 0; n < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; n++) { + uint64_t rollback_index_value = 0; + + if (slot_data[0] != NULL && slot_data[1] != NULL) { + uint64_t a_rollback_index = slot_data[0]->rollback_indexes[n]; + uint64_t b_rollback_index = slot_data[1]->rollback_indexes[n]; + rollback_index_value = + (a_rollback_index < b_rollback_index ? a_rollback_index + : b_rollback_index); + } else if (slot_data[0] != NULL) { + rollback_index_value = slot_data[0]->rollback_indexes[n]; + } else if (slot_data[1] != NULL) { + rollback_index_value = slot_data[1]->rollback_indexes[n]; + } + + if (rollback_index_value != 0) { + uint64_t current_rollback_index_value; + io_ret = ops->read_rollback_index(ops, n, ¤t_rollback_index_value); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error getting rollback index for slot.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + if (current_rollback_index_value != rollback_index_value) { + io_ret = ops->write_rollback_index(ops, n, rollback_index_value); + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + goto out; + } else if (io_ret != AVB_IO_RESULT_OK) { + avb_error("Error setting stored rollback index.\n"); + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + goto out; + } + } + } + } + + /* Finally, select this slot. */ + avb_assert(slot_data[slot_index_to_boot] != NULL); + data = slot_data[slot_index_to_boot]; + slot_data[slot_index_to_boot] = NULL; + if (saw_and_allowed_verification_error) { + avb_assert(flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR); + ret = AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR; + } else { + ret = AVB_AB_FLOW_RESULT_OK; + } + + /* ... and decrement tries remaining, if applicable. */ + if (!ab_data.slots[slot_index_to_boot].successful_boot && + ab_data.slots[slot_index_to_boot].tries_remaining > 0) { + ab_data.slots[slot_index_to_boot].tries_remaining -= 1; + } + +out: + io_ret = save_metadata_if_changed(ab_ops, &ab_data, &ab_data_orig); + if (io_ret != AVB_IO_RESULT_OK) { + if (io_ret == AVB_IO_RESULT_ERROR_OOM) { + ret = AVB_AB_FLOW_RESULT_ERROR_OOM; + } else { + ret = AVB_AB_FLOW_RESULT_ERROR_IO; + } + if (data != NULL) { + avb_slot_verify_data_free(data); + data = NULL; + } + } + + for (n = 0; n < 2; n++) { + if (slot_data[n] != NULL) { + avb_slot_verify_data_free(slot_data[n]); + } + } + + if (out_data != NULL) { + *out_data = data; + } else { + if (data != NULL) { + avb_slot_verify_data_free(data); + } + } + + return ret; +} + +AvbIOResult avb_ab_mark_slot_active(AvbABOps* ab_ops, + unsigned int slot_number) { + AvbABData ab_data, ab_data_orig; + unsigned int other_slot_number; + AvbIOResult ret; + + avb_assert(slot_number < 2); + + ret = load_metadata(ab_ops, &ab_data, &ab_data_orig); + if (ret != AVB_IO_RESULT_OK) { + goto out; + } + + /* Make requested slot top priority, unsuccessful, and with max tries. */ + ab_data.slots[slot_number].priority = AVB_AB_MAX_PRIORITY; + ab_data.slots[slot_number].tries_remaining = AVB_AB_MAX_TRIES_REMAINING; + ab_data.slots[slot_number].successful_boot = 0; +#ifdef CONFIG_DUAL_BOOTLOADER + ab_data.slots[slot_number].bootloader_verified = 0; +#endif + + /* Ensure other slot doesn't have as high a priority. */ + other_slot_number = 1 - slot_number; + if (ab_data.slots[other_slot_number].priority == AVB_AB_MAX_PRIORITY) { + ab_data.slots[other_slot_number].priority = AVB_AB_MAX_PRIORITY - 1; + } + + ret = AVB_IO_RESULT_OK; + +out: + if (ret == AVB_IO_RESULT_OK) { + ret = save_metadata_if_changed(ab_ops, &ab_data, &ab_data_orig); + } + return ret; +} + +AvbIOResult avb_ab_mark_slot_unbootable(AvbABOps* ab_ops, + unsigned int slot_number) { + AvbABData ab_data, ab_data_orig; + AvbIOResult ret; + + avb_assert(slot_number < 2); + + ret = load_metadata(ab_ops, &ab_data, &ab_data_orig); + if (ret != AVB_IO_RESULT_OK) { + goto out; + } + + slot_set_unbootable(&ab_data.slots[slot_number]); + + ret = AVB_IO_RESULT_OK; + +out: + if (ret == AVB_IO_RESULT_OK) { + ret = save_metadata_if_changed(ab_ops, &ab_data, &ab_data_orig); + } + return ret; +} + +AvbIOResult avb_ab_mark_slot_successful(AvbABOps* ab_ops, + unsigned int slot_number) { + AvbABData ab_data, ab_data_orig; + AvbIOResult ret; + + avb_assert(slot_number < 2); + + ret = load_metadata(ab_ops, &ab_data, &ab_data_orig); + if (ret != AVB_IO_RESULT_OK) { + goto out; + } + + if (!slot_is_bootable(&ab_data.slots[slot_number])) { + avb_error("Cannot mark unbootable slot as successful.\n"); + ret = AVB_IO_RESULT_OK; + goto out; + } + + ab_data.slots[slot_number].tries_remaining = 0; + ab_data.slots[slot_number].successful_boot = 1; + + ret = AVB_IO_RESULT_OK; + +out: + if (ret == AVB_IO_RESULT_OK) { + ret = save_metadata_if_changed(ab_ops, &ab_data, &ab_data_orig); + } + return ret; +} + +const char* avb_ab_flow_result_to_string(AvbABFlowResult result) { + const char* ret = NULL; + + switch (result) { + case AVB_AB_FLOW_RESULT_OK: + ret = "OK"; + break; + + case AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR: + ret = "OK_WITH_VERIFICATION_ERROR"; + break; + + case AVB_AB_FLOW_RESULT_ERROR_OOM: + ret = "ERROR_OOM"; + break; + + case AVB_AB_FLOW_RESULT_ERROR_IO: + ret = "ERROR_IO"; + break; + + case AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS: + ret = "ERROR_NO_BOOTABLE_SLOTS"; + break; + + case AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT: + ret = "ERROR_INVALID_ARGUMENT"; + break; + /* Do not add a 'default:' case here because of -Wswitch. */ + } + + if (ret == NULL) { + avb_error("Unknown AvbABFlowResult value.\n"); + ret = "(unknown)"; + } + + return ret; +} diff --git a/lib/avb/libavb_ab/avb_ab_flow.h b/lib/avb/libavb_ab/avb_ab_flow.h new file mode 100644 index 0000000000..3757ba26ac --- /dev/null +++ b/lib/avb/libavb_ab/avb_ab_flow.h @@ -0,0 +1,261 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#if !defined(AVB_INSIDE_LIBAVB_AB_H) && !defined(AVB_COMPILATION) +#error \ + "Never include this file directly, include libavb_ab/libavb_ab.h instead." +#endif + +#ifndef AVB_AB_FLOW_H_ +#define AVB_AB_FLOW_H_ + +#include "avb_ab_ops.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Magic for the A/B struct when serialized. */ +#define AVB_AB_MAGIC "\0AB0" +#define AVB_AB_MAGIC_LEN 4 + +/* Versioning for the on-disk A/B metadata - keep in sync with avbtool. */ +#define AVB_AB_MAJOR_VERSION 1 +#define AVB_AB_MINOR_VERSION 0 + +/* Size of AvbABData struct. */ +#define AVB_AB_DATA_SIZE 32 + +/* Maximum values for slot data */ +#define AVB_AB_MAX_PRIORITY 15 +#define AVB_AB_MAX_TRIES_REMAINING 7 + +/* Struct used for recording per-slot metadata. + * + * When serialized, data is stored in network byte-order. + */ +typedef struct AvbABSlotData { + /* Slot priority. Valid values range from 0 to AVB_AB_MAX_PRIORITY, + * both inclusive with 1 being the lowest and AVB_AB_MAX_PRIORITY + * being the highest. The special value 0 is used to indicate the + * slot is unbootable. + */ + uint8_t priority; + + /* Number of times left attempting to boot this slot ranging from 0 + * to AVB_AB_MAX_TRIES_REMAINING. + */ + uint8_t tries_remaining; + + /* Non-zero if this slot has booted successfully, 0 otherwise. */ + uint8_t successful_boot; + + /* Reserved for future use. */ + uint8_t bootloader_verified; +} AVB_ATTR_PACKED AvbABSlotData; + +/* Struct used for recording A/B metadata. + * + * When serialized, data is stored in network byte-order. + */ +typedef struct AvbABData { + /* Magic number used for identification - see AVB_AB_MAGIC. */ + uint8_t magic[AVB_AB_MAGIC_LEN]; + + /* Version of on-disk struct - see AVB_AB_{MAJOR,MINOR}_VERSION. */ + uint8_t version_major; + uint8_t version_minor; + + /* Padding to ensure |slots| field start eight bytes in. */ + uint8_t reserved1[2]; + + /* Per-slot metadata. */ + AvbABSlotData slots[2]; + + /* Reserved for future use. */ + uint8_t reserved2[12]; + + /* CRC32 of all 28 bytes preceding this field. */ + uint32_t crc32; +} AVB_ATTR_PACKED AvbABData; + +/* Copies |src| to |dest|, byte-swapping fields in the + * process. Returns false if the data is invalid (e.g. wrong magic, + * wrong CRC32 etc.), true otherwise. + */ +bool avb_ab_data_verify_and_byteswap(const AvbABData* src, AvbABData* dest); + +/* Copies |src| to |dest|, byte-swapping fields in the process. Also + * updates the |crc32| field in |dest|. + */ +void avb_ab_data_update_crc_and_byteswap(const AvbABData* src, AvbABData* dest); + +/* Initializes |data| such that it has two slots and both slots have + * maximum tries remaining. The CRC is not set. + */ +void avb_ab_data_init(AvbABData* data); + +/* Reads A/B metadata from the 'misc' partition using |ops|. Returned + * data is properly byteswapped. Returns AVB_IO_RESULT_OK on + * success, error code otherwise. + * + * If the data read from disk is invalid (e.g. wrong magic or CRC + * checksum failure), the metadata will be reset using + * avb_ab_data_init() and then written to disk. + */ +AvbIOResult avb_ab_data_read(AvbABOps* ab_ops, AvbABData* data); + +/* Writes A/B metadata to the 'misc' partition using |ops|. This will + * byteswap and update the CRC as needed. Returns AVB_IO_RESULT_OK on + * success, error code otherwise. + */ +AvbIOResult avb_ab_data_write(AvbABOps* ab_ops, const AvbABData* data); + +/* Return codes used in avb_ab_flow(), see that function for + * documentation of each value. + */ +typedef enum { + AVB_AB_FLOW_RESULT_OK, + AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR, + AVB_AB_FLOW_RESULT_ERROR_OOM, + AVB_AB_FLOW_RESULT_ERROR_IO, + AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS, + AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT +} AvbABFlowResult; + +/* Get a textual representation of |result|. */ +const char* avb_ab_flow_result_to_string(AvbABFlowResult result); + +/* High-level function to select a slot to boot. The following + * algorithm is used: + * + * 1. A/B metadata is loaded and validated using the + * read_ab_metadata() operation. Typically this means it's read from + * the 'misc' partition and if it's invalid then it's reset using + * avb_ab_data_init() and this reset metadata is returned. + * + * 2. All bootable slots listed in the A/B metadata are verified using + * avb_slot_verify(). If a slot is invalid or if it fails verification + * (and AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR is not set, see + * below), it will be marked as unbootable in the A/B metadata and the + * metadata will be saved to disk before returning. + * + * 3. If there are no bootable slots, the value + * AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS is returned. + * + * 4. For each bootable slot, the Stored Rollback Indexes are updated + * such that for each rollback index location, the Stored Rollback + * Index is the largest number smaller than or equal to the Rollback + * Index of each slot. + * + * 5. The bootable slot with the highest priority is selected and + * returned in |out_data|. If this slot is already marked as + * successful, the A/B metadata is not modified. However, if the slot + * is not marked as bootable its |tries_remaining| count is + * decremented and the A/B metadata is saved to disk before returning. + * In either case the value AVB_AB_FLOW_RESULT_OK is returning. + * + * The partitions to load is given in |requested_partitions| as a + * NULL-terminated array of NUL-terminated strings. Typically the + * |requested_partitions| array only contains a single item for the + * boot partition, 'boot'. + * + * If the device is unlocked (and _only_ if it's unlocked), the + * AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR flag should be set + * in the |flags| parameter. This will allow considering slots as + * verified even when avb_slot_verify() returns + * AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED, + * AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION, or + * AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX for the slot in + * question. + * + * Note that neither androidboot.slot_suffix nor androidboot.slot are + * set in the |cmdline| field in |AvbSlotVerifyData| - you will have + * to pass these yourself. + * + * If a slot was selected and it verified then AVB_AB_FLOW_RESULT_OK + * is returned. + * + * If a slot was selected but it didn't verify then + * AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR is returned. This can + * only happen when the AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR + * flag is set. + * + * If an I/O operation - such as loading/saving metadata or checking + * rollback indexes - fail, the value AVB_AB_FLOW_RESULT_ERROR_IO is + * returned. + * + * If memory allocation fails, AVB_AB_FLOW_RESULT_ERROR_OOM is + * returned. + * + * If invalid arguments are passed, + * AVB_AB_FLOW_RESULT_ERROR_INVALID_ARGUMENT is returned. For example + * this can happen if using AVB_HASHTREE_ERROR_MODE_LOGGING without + * AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR. + * + * Reasonable behavior for handling AVB_AB_FLOW_RESULT_ERROR_NO_BOOTABLE_SLOTS + * is to initiate device repair (which is device-dependent). + */ +AvbABFlowResult avb_ab_flow(AvbABOps* ab_ops, + const char* const* requested_partitions, + AvbSlotVerifyFlags flags, + AvbHashtreeErrorMode hashtree_error_mode, + AvbSlotVerifyData** out_data); + +/* Marks the slot with the given slot number as active. Returns + * AVB_IO_RESULT_OK on success, error code otherwise. + * + * This function is typically used by the OS updater when completing + * an update. It can also used by the firmware for implementing the + * "set_active" command. + */ +AvbIOResult avb_ab_mark_slot_active(AvbABOps* ab_ops, unsigned int slot_number); + +/* Marks the slot with the given slot number as unbootable. Returns + * AVB_IO_RESULT_OK on success, error code otherwise. + * + * This function is typically used by the OS updater before writing to + * a slot. + */ +AvbIOResult avb_ab_mark_slot_unbootable(AvbABOps* ab_ops, + unsigned int slot_number); + +/* Marks the slot with the given slot number as having booted + * successfully. Returns AVB_IO_RESULT_OK on success, error code + * otherwise. + * + * Calling this on an unbootable slot is an error - AVB_IO_RESULT_OK + * will be returned yet the function will have no side-effects. + * + * This function is typically used by the OS updater after having + * confirmed that the slot works as intended. + */ +AvbIOResult avb_ab_mark_slot_successful(AvbABOps* ab_ops, + unsigned int slot_number); + +#ifdef __cplusplus +} +#endif + +#endif /* AVB_AB_FLOW_H_ */ diff --git a/lib/avb/libavb_ab/avb_ab_ops.h b/lib/avb/libavb_ab/avb_ab_ops.h new file mode 100644 index 0000000000..8d8fde7aa9 --- /dev/null +++ b/lib/avb/libavb_ab/avb_ab_ops.h @@ -0,0 +1,79 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#if !defined(AVB_INSIDE_LIBAVB_AB_H) && !defined(AVB_COMPILATION) +#error \ + "Never include this file directly, include libavb_ab/libavb_ab.h instead." +#endif + +#ifndef AVB_AB_OPS_H_ +#define AVB_AB_OPS_H_ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +struct AvbABOps; +typedef struct AvbABOps AvbABOps; + +struct AvbABData; + +/* High-level operations/functions/methods for A/B that are platform + * dependent. + */ +struct AvbABOps { + /* Operations from libavb. */ + AvbOps* ops; + + /* Reads A/B metadata from persistent storage. Returned data is + * properly byteswapped. Returns AVB_IO_RESULT_OK on success, error + * code otherwise. + * + * If the data read is invalid (e.g. wrong magic or CRC checksum + * failure), the metadata shoule be reset using avb_ab_data_init() + * and then written to persistent storage. + * + * Implementations will typically want to use avb_ab_data_read() + * here to use the 'misc' partition for persistent storage. + */ + AvbIOResult (*read_ab_metadata)(AvbABOps* ab_ops, struct AvbABData* data); + + /* Writes A/B metadata to persistent storage. This will byteswap and + * update the CRC as needed. Returns AVB_IO_RESULT_OK on success, + * error code otherwise. + * + * Implementations will typically want to use avb_ab_data_write() + * here to use the 'misc' partition for persistent storage. + */ + AvbIOResult (*write_ab_metadata)(AvbABOps* ab_ops, + const struct AvbABData* data); +}; + +#ifdef __cplusplus +} +#endif + +#endif /* AVB_AB_OPS_H_ */ diff --git a/lib/avb/libavb_ab/libavb_ab.h b/lib/avb/libavb_ab/libavb_ab.h new file mode 100644 index 0000000000..654ff5e771 --- /dev/null +++ b/lib/avb/libavb_ab/libavb_ab.h @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#ifndef LIBAVB_AB_H_ +#define LIBAVB_AB_H_ + +#include + +/* The libavb_ab/ and boot_control/ code has been marked for some time + * as experimental in anticipation of being removed in the future. It + * is now deprecated and to continue using it you must define + * AVB_AB_I_UNDERSTAND_LIBAVB_AB_IS_DEPRECATED. It will be removed Jun + * 1 2018. + */ +#ifndef AVB_AB_I_UNDERSTAND_LIBAVB_AB_IS_DEPRECATED +#error \ + "You must define AVB_AB_I_UNDERSTAND_LIBAVB_AB_IS_DEPRECATED to use this library." +#endif + +/* The AVB_INSIDE_LIBAVB_AB_H preprocessor symbol is used to enforce + * library users to include only this file. All public interfaces, and + * only public interfaces, must be included here. + */ + +#define AVB_INSIDE_LIBAVB_AB_H +#include "avb_ab_flow.h" +#include "avb_ab_ops.h" +#undef AVB_INSIDE_LIBAVB_AB_H + +#endif /* LIBAVB_AB_H_ */ diff --git a/lib/avb/libavb_atx/Makefile b/lib/avb/libavb_atx/Makefile new file mode 100644 index 0000000000..bdd7bccbeb --- /dev/null +++ b/lib/avb/libavb_atx/Makefile @@ -0,0 +1,2 @@ +ccflags-y += -DAVB_COMPILATION +obj-y += avb_atx_validate.o diff --git a/lib/avb/libavb_atx/avb_atx_ops.h b/lib/avb/libavb_atx/avb_atx_ops.h new file mode 100644 index 0000000000..53c898d623 --- /dev/null +++ b/lib/avb/libavb_atx/avb_atx_ops.h @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#if !defined(AVB_INSIDE_LIBAVB_ATX_H) && !defined(AVB_COMPILATION) +#error \ + "Never include this file directly, include libavb_atx/libavb_atx.h instead." +#endif + +#ifndef AVB_ATX_OPS_H_ +#define AVB_ATX_OPS_H_ + +#include + +#include "avb_atx_types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +struct AvbAtxOps; +typedef struct AvbAtxOps AvbAtxOps; + +/* An extension to AvbOps required by avb_atx_validate_vbmeta_public_key(). */ +struct AvbAtxOps { + /* Operations from libavb. */ + AvbOps* ops; + + /* Reads permanent |attributes| data. There are no restrictions on where this + * data is stored. On success, returns AVB_IO_RESULT_OK and populates + * |attributes|. + */ + AvbIOResult (*read_permanent_attributes)( + AvbAtxOps* atx_ops, AvbAtxPermanentAttributes* attributes); + + /* Reads a |hash| of permanent attributes. This hash MUST be retrieved from a + * permanently read-only location (e.g. fuses) when a device is LOCKED. On + * success, returned AVB_IO_RESULT_OK and populates |hash|. + */ + AvbIOResult (*read_permanent_attributes_hash)( + AvbAtxOps* atx_ops, uint8_t hash[AVB_SHA256_DIGEST_SIZE]); + + /* Provides the key version of a key used during verification. This may be + * useful for managing the minimum key version. + */ + void (*set_key_version)(AvbAtxOps* atx_ops, + size_t rollback_index_location, + uint64_t key_version); + + /* Generates |num_bytes| random bytes and stores them in |output|, + * which must point to a buffer large enough to store the bytes. + * + * Returns AVB_IO_RESULT_OK on success, otherwise an error code. + */ + AvbIOResult (*get_random)(AvbAtxOps* atx_ops, + size_t num_bytes, + uint8_t* output); +}; + +#ifdef __cplusplus +} +#endif + +#endif /* AVB_ATX_OPS_H_ */ diff --git a/lib/avb/libavb_atx/avb_atx_types.h b/lib/avb/libavb_atx/avb_atx_types.h new file mode 100644 index 0000000000..e78bbfa78c --- /dev/null +++ b/lib/avb/libavb_atx/avb_atx_types.h @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#if !defined(AVB_INSIDE_LIBAVB_ATX_H) && !defined(AVB_COMPILATION) +#error \ + "Never include this file directly, include libavb_atx/libavb_atx.h instead." +#endif + +#ifndef AVB_ATX_TYPES_H_ +#define AVB_ATX_TYPES_H_ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/* Size in bytes of an Android Things product ID. */ +#define AVB_ATX_PRODUCT_ID_SIZE 16 + +/* Size in bytes of an Android Things unlock challenge. */ +#define AVB_ATX_UNLOCK_CHALLENGE_SIZE 16 + +/* Size in bytes of a serialized public key with a 4096-bit modulus. */ +#define AVB_ATX_PUBLIC_KEY_SIZE (sizeof(AvbRSAPublicKeyHeader) + 1024) + +/* Data structure of Android Things permanent attributes. */ +typedef struct AvbAtxPermanentAttributes { + uint32_t version; + uint8_t product_root_public_key[AVB_ATX_PUBLIC_KEY_SIZE]; + uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]; +} AVB_ATTR_PACKED AvbAtxPermanentAttributes; + +/* Data structure of signed fields in an Android Things certificate. */ +typedef struct AvbAtxCertificateSignedData { + uint32_t version; + uint8_t public_key[AVB_ATX_PUBLIC_KEY_SIZE]; + uint8_t subject[AVB_SHA256_DIGEST_SIZE]; + uint8_t usage[AVB_SHA256_DIGEST_SIZE]; + uint64_t key_version; +} AVB_ATTR_PACKED AvbAtxCertificateSignedData; + +/* Data structure of an Android Things certificate. */ +typedef struct AvbAtxCertificate { + AvbAtxCertificateSignedData signed_data; + uint8_t signature[AVB_RSA4096_NUM_BYTES]; +} AVB_ATTR_PACKED AvbAtxCertificate; + +/* Data structure of Android Things public key metadata in vbmeta. */ +typedef struct AvbAtxPublicKeyMetadata { + uint32_t version; + AvbAtxCertificate product_intermediate_key_certificate; + AvbAtxCertificate product_signing_key_certificate; +} AVB_ATTR_PACKED AvbAtxPublicKeyMetadata; + +/* Data structure of an Android Things unlock challenge. */ +typedef struct AvbAtxUnlockChallenge { + uint32_t version; + uint8_t product_id_hash[AVB_SHA256_DIGEST_SIZE]; + uint8_t challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; +} AVB_ATTR_PACKED AvbAtxUnlockChallenge; + +/* Data structure of an Android Things unlock credential. */ +typedef struct AvbAtxUnlockCredential { + uint32_t version; + AvbAtxCertificate product_intermediate_key_certificate; + AvbAtxCertificate product_unlock_key_certificate; + uint8_t challenge_signature[AVB_RSA4096_NUM_BYTES]; +} AVB_ATTR_PACKED AvbAtxUnlockCredential; + +#ifdef __cplusplus +} +#endif + +#endif /* AVB_ATX_TYPES_H_ */ diff --git a/lib/avb/libavb_atx/avb_atx_validate.c b/lib/avb/libavb_atx/avb_atx_validate.c new file mode 100644 index 0000000000..f3c1d96841 --- /dev/null +++ b/lib/avb/libavb_atx/avb_atx_validate.c @@ -0,0 +1,401 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "avb_atx_validate.h" + +#include +#include +#include +#include + +/* The most recent unlock challenge generated. */ +static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE]; + +/* Computes the SHA256 |hash| of |length| bytes of |data|. */ +static void sha256(const uint8_t* data, + uint32_t length, + uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { + AvbSHA256Ctx context; + avb_sha256_init(&context); + avb_sha256_update(&context, data, length); + uint8_t* tmp = avb_sha256_final(&context); + avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); +} + +/* Computes the SHA512 |hash| of |length| bytes of |data|. */ +static void sha512(const uint8_t* data, + uint32_t length, + uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { + AvbSHA512Ctx context; + avb_sha512_init(&context); + avb_sha512_update(&context, data, length); + uint8_t* tmp = avb_sha512_final(&context); + avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); +} + +/* Computes the SHA256 |hash| of a NUL-terminated |str|. */ +static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { + sha256((const uint8_t*)str, avb_strlen(str), hash); +} + +/* Verifies structure and |expected_hash| of permanent |attributes|. */ +static bool verify_permanent_attributes( + const AvbAtxPermanentAttributes* attributes, + const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { + uint8_t hash[AVB_SHA256_DIGEST_SIZE]; + + if (attributes->version != 1) { + avb_error("Unsupported permanent attributes version.\n"); + return false; + } + sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); + if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { + avb_error("Invalid permanent attributes.\n"); + return false; + } + return true; +} + +/* Verifies the format, key version, usage, and signature of a certificate. */ +static bool verify_certificate( + const AvbAtxCertificate* certificate, + const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], + uint64_t minimum_key_version, + const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { + const AvbAlgorithmData* algorithm_data; + uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; + + if (certificate->signed_data.version != 1) { + avb_error("Unsupported certificate format.\n"); + return false; + } + algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); + sha512((const uint8_t*)&certificate->signed_data, + sizeof(AvbAtxCertificateSignedData), + certificate_hash); + if (!avb_rsa_verify(authority, + AVB_ATX_PUBLIC_KEY_SIZE, + certificate->signature, + AVB_RSA4096_NUM_BYTES, + certificate_hash, + AVB_SHA512_DIGEST_SIZE, + algorithm_data->padding, + algorithm_data->padding_len)) { + avb_error("Invalid certificate signature.\n"); + return false; + } + if (certificate->signed_data.key_version < minimum_key_version) { + avb_error("Key rollback detected.\n"); + return false; + } + if (0 != avb_safe_memcmp(certificate->signed_data.usage, + expected_usage, + AVB_SHA256_DIGEST_SIZE)) { + avb_error("Invalid certificate usage.\n"); + return false; + } + return true; +} + +/* Verifies signature and fields of a PIK certificate. */ +static bool verify_pik_certificate( + const AvbAtxCertificate* certificate, + const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], + uint64_t minimum_version) { + uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; + + sha256_str("com.google.android.things.vboot.ca", expected_usage); + if (!verify_certificate( + certificate, authority, minimum_version, expected_usage)) { + avb_error("Invalid PIK certificate.\n"); + return false; + } + return true; +} + +/* Verifies signature and fields of a PSK certificate. */ +static bool verify_psk_certificate( + const AvbAtxCertificate* certificate, + const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], + uint64_t minimum_version, + const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { + uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; + uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; + + sha256_str("com.google.android.things.vboot", expected_usage); + if (!verify_certificate( + certificate, authority, minimum_version, expected_usage)) { + avb_error("Invalid PSK certificate.\n"); + return false; + } + sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); + if (0 != avb_safe_memcmp(certificate->signed_data.subject, + expected_subject, + AVB_SHA256_DIGEST_SIZE)) { + avb_error("PSK: Product ID mismatch.\n"); + return false; + } + return true; +} + +/* Verifies signature and fields of a PUK certificate. */ +static bool verify_puk_certificate( + const AvbAtxCertificate* certificate, + const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], + uint64_t minimum_version, + const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { + uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; + uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; + + sha256_str("com.google.android.things.vboot.unlock", expected_usage); + if (!verify_certificate( + certificate, authority, minimum_version, expected_usage)) { + avb_error("Invalid PUK certificate.\n"); + return false; + } + sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); + if (0 != avb_safe_memcmp(certificate->signed_data.subject, + expected_subject, + AVB_SHA256_DIGEST_SIZE)) { + avb_error("PUK: Product ID mismatch.\n"); + return false; + } + return true; +} + +AvbIOResult avb_atx_validate_vbmeta_public_key( + AvbOps* ops, + const uint8_t* public_key_data, + size_t public_key_length, + const uint8_t* public_key_metadata, + size_t public_key_metadata_length, + bool* out_is_trusted) { + AvbIOResult result = AVB_IO_RESULT_OK; + AvbAtxPermanentAttributes permanent_attributes; + uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; + AvbAtxPublicKeyMetadata metadata; + uint64_t minimum_version; + + /* Be pessimistic so we can exit early without having to remember to clear. + */ + *out_is_trusted = false; + + /* Read and verify permanent attributes. */ + result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, + &permanent_attributes); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read permanent attributes.\n"); + return result; + } + result = ops->atx_ops->read_permanent_attributes_hash( + ops->atx_ops, permanent_attributes_hash); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read permanent attributes hash.\n"); + return result; + } + if (!verify_permanent_attributes(&permanent_attributes, + permanent_attributes_hash)) { + return AVB_IO_RESULT_OK; + } + + /* Sanity check public key metadata. */ + if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { + avb_error("Invalid public key metadata.\n"); + return AVB_IO_RESULT_OK; + } + avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); + if (metadata.version != 1) { + avb_error("Unsupported public key metadata.\n"); + return AVB_IO_RESULT_OK; + } + + /* Verify the PIK certificate. */ + result = ops->read_rollback_index( + ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read PIK minimum version.\n"); + return result; + } + if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, + permanent_attributes.product_root_public_key, + minimum_version)) { + return AVB_IO_RESULT_OK; + } + + /* Verify the PSK certificate. */ + result = ops->read_rollback_index( + ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read PSK minimum version.\n"); + return result; + } + if (!verify_psk_certificate( + &metadata.product_signing_key_certificate, + metadata.product_intermediate_key_certificate.signed_data.public_key, + minimum_version, + permanent_attributes.product_id)) { + return AVB_IO_RESULT_OK; + } + + /* Verify the PSK is the same key that verified vbmeta. */ + if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { + avb_error("Public key length mismatch.\n"); + return AVB_IO_RESULT_OK; + } + if (0 != avb_safe_memcmp( + metadata.product_signing_key_certificate.signed_data.public_key, + public_key_data, + AVB_ATX_PUBLIC_KEY_SIZE)) { + avb_error("Public key mismatch.\n"); + return AVB_IO_RESULT_OK; + } + + /* Report the key versions used during verification. */ + ops->atx_ops->set_key_version( + ops->atx_ops, + AVB_ATX_PIK_VERSION_LOCATION, + metadata.product_intermediate_key_certificate.signed_data.key_version); + ops->atx_ops->set_key_version( + ops->atx_ops, + AVB_ATX_PSK_VERSION_LOCATION, + metadata.product_signing_key_certificate.signed_data.key_version); + + *out_is_trusted = true; + return AVB_IO_RESULT_OK; +} + +AvbIOResult avb_atx_generate_unlock_challenge( + AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) { + AvbIOResult result = AVB_IO_RESULT_OK; + AvbAtxPermanentAttributes permanent_attributes; + + /* We need the permanent attributes to compute the product_id_hash. */ + result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read permanent attributes.\n"); + return result; + } + result = atx_ops->get_random( + atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to generate random challenge.\n"); + return result; + } + out_unlock_challenge->version = 1; + sha256(permanent_attributes.product_id, + AVB_ATX_PRODUCT_ID_SIZE, + out_unlock_challenge->product_id_hash); + avb_memcpy(out_unlock_challenge->challenge, + last_unlock_challenge, + AVB_ATX_UNLOCK_CHALLENGE_SIZE); + return result; +} + +AvbIOResult avb_atx_validate_unlock_credential( + AvbAtxOps* atx_ops, + const AvbAtxUnlockCredential* unlock_credential, + bool* out_is_trusted) { + AvbIOResult result = AVB_IO_RESULT_OK; + AvbAtxPermanentAttributes permanent_attributes; + uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; + uint64_t minimum_version; + const AvbAlgorithmData* algorithm_data; + uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE]; + + /* Be pessimistic so we can exit early without having to remember to clear. + */ + *out_is_trusted = false; + + /* Sanity check the credential. */ + if (unlock_credential->version != 1) { + avb_error("Unsupported unlock credential format.\n"); + return AVB_IO_RESULT_OK; + } + + /* Read and verify permanent attributes. */ + result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read permanent attributes.\n"); + return result; + } + result = atx_ops->read_permanent_attributes_hash(atx_ops, + permanent_attributes_hash); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read permanent attributes hash.\n"); + return result; + } + if (!verify_permanent_attributes(&permanent_attributes, + permanent_attributes_hash)) { + return AVB_IO_RESULT_OK; + } + + /* Verify the PIK certificate. */ + result = atx_ops->ops->read_rollback_index( + atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read PIK minimum version.\n"); + return result; + } + if (!verify_pik_certificate( + &unlock_credential->product_intermediate_key_certificate, + permanent_attributes.product_root_public_key, + minimum_version)) { + return AVB_IO_RESULT_OK; + } + + /* Verify the PUK certificate. The minimum version is shared with the PSK. */ + result = atx_ops->ops->read_rollback_index( + atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); + if (result != AVB_IO_RESULT_OK) { + avb_error("Failed to read PSK minimum version.\n"); + return result; + } + if (!verify_puk_certificate( + &unlock_credential->product_unlock_key_certificate, + unlock_credential->product_intermediate_key_certificate.signed_data + .public_key, + minimum_version, + permanent_attributes.product_id)) { + return AVB_IO_RESULT_OK; + } + + /* Verify the challenge signature. */ + algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); + sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash); + if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate + .signed_data.public_key, + AVB_ATX_PUBLIC_KEY_SIZE, + unlock_credential->challenge_signature, + AVB_RSA4096_NUM_BYTES, + challenge_hash, + AVB_SHA512_DIGEST_SIZE, + algorithm_data->padding, + algorithm_data->padding_len)) { + avb_error("Invalid unlock challenge signature.\n"); + return AVB_IO_RESULT_OK; + } + + *out_is_trusted = true; + return AVB_IO_RESULT_OK; +} diff --git a/lib/avb/libavb_atx/avb_atx_validate.h b/lib/avb/libavb_atx/avb_atx_validate.h new file mode 100644 index 0000000000..1a0690d491 --- /dev/null +++ b/lib/avb/libavb_atx/avb_atx_validate.h @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#if !defined(AVB_INSIDE_LIBAVB_ATX_H) && !defined(AVB_COMPILATION) +#error \ + "Never include this file directly, include libavb_atx/libavb_atx.h instead." +#endif + +#ifndef AVB_ATX_VALIDATE_H_ +#define AVB_ATX_VALIDATE_H_ + +#include "avb_atx_ops.h" +#include "avb_atx_types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Rollback index locations for Android Things key versions. */ +#define AVB_ATX_PIK_VERSION_LOCATION 0x1000 +#define AVB_ATX_PSK_VERSION_LOCATION 0x1001 + +/* An implementation of validate_vbmeta_public_key for Android Things. See + * libavb/avb_ops.h for details on validate_vbmeta_public_key in general. This + * implementation uses the metadata expected with Android Things vbmeta images + * to perform validation on the public key. The ATX ops must be implemented. + * That is, |ops->atx_ops| must be valid. + * + * There are a multiple values that need verification: + * - Permanent Product Attributes: A hash of these attributes is fused into + * hardware. Consistency is checked. + * - Product Root Key (PRK): This key is provided in permanent attributes and + * is the root authority for all Android Things + * products. + * - Product Intermediate Key (PIK): This key is a rotated intermediary. It is + * certified by the PRK. + * - Product Signing Key (PSK): This key is a rotated authority for a specific + * Android Things product. It is certified by a + * PIK and must match |public_key_data|. + * - Product ID: This value is provided in permanent attributes and is unique + * to a specific Android Things product. This value must match + * the subject of the PSK certificate. + */ +AvbIOResult avb_atx_validate_vbmeta_public_key( + AvbOps* ops, + const uint8_t* public_key_data, + size_t public_key_length, + const uint8_t* public_key_metadata, + size_t public_key_metadata_length, + bool* out_is_trusted); + +/* Generates a challenge which can be used to create an unlock credential. */ +AvbIOResult avb_atx_generate_unlock_challenge( + AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge); + +/* Validates an unlock credential. The certificate validation is very similar to + * the validation of public key metadata except in place of the PSK is a Product + * Unlock Key (PUK) and the certificate usage field identifies it as such. The + * challenge signature field is verified against this PUK. + */ +AvbIOResult avb_atx_validate_unlock_credential( + AvbAtxOps* atx_ops, + const AvbAtxUnlockCredential* unlock_credential, + bool* out_is_trusted); + +#ifdef __cplusplus +} +#endif + +#endif /* AVB_ATX_VALIDATE_H_ */ diff --git a/lib/avb/libavb_atx/libavb_atx.h b/lib/avb/libavb_atx/libavb_atx.h new file mode 100644 index 0000000000..839c0afa98 --- /dev/null +++ b/lib/avb/libavb_atx/libavb_atx.h @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#ifndef LIBAVB_ATX_H_ +#define LIBAVB_ATX_H_ + +#include + +/* The AVB_INSIDE_LIBAVB_ATX_H preprocessor symbol is used to enforce + * library users to include only this file. All public interfaces, and + * only public interfaces, must be included here. + */ + +#define AVB_INSIDE_LIBAVB_ATX_H +#include "avb_atx_ops.h" +#include "avb_atx_types.h" +#include "avb_atx_validate.h" +#undef AVB_INSIDE_LIBAVB_ATX_H + +#endif /* LIBAVB_ATX_H_ */ diff --git a/lib/libavb/Makefile b/lib/libavb/Makefile index b983fe768e..9238240a7f 100644 --- a/lib/libavb/Makefile +++ b/lib/libavb/Makefile @@ -2,6 +2,7 @@ # # (C) Copyright 2017 Linaro Limited +ifndef CONFIG_SPL_BUILD obj-$(CONFIG_LIBAVB) += avb_chain_partition_descriptor.o avb_cmdline.o obj-$(CONFIG_LIBAVB) += avb_crypto.o avb_footer.o avb_hashtree_descriptor.o obj-$(CONFIG_LIBAVB) += avb_property_descriptor.o avb_sha256.o @@ -9,5 +10,7 @@ obj-$(CONFIG_LIBAVB) += avb_slot_verify.o avb_util.o avb_version.o obj-$(CONFIG_LIBAVB) += avb_descriptor.o avb_hash_descriptor.o obj-$(CONFIG_LIBAVB) += avb_kernel_cmdline_descriptor.o avb_rsa.o avb_sha512.o obj-$(CONFIG_LIBAVB) += avb_sysdeps_posix.o avb_vbmeta_image.o +endif +obj-$(CONFIG_LIBAVB) += avb_crc32.o ccflags-y = -DAVB_COMPILATION diff --git a/lib/libavb/avb_cmdline.c b/lib/libavb/avb_cmdline.c index cb54e658c4..65be721896 100644 --- a/lib/libavb/avb_cmdline.c +++ b/lib/libavb/avb_cmdline.c @@ -223,7 +223,7 @@ AvbSlotVerifyResult avb_append_options( AvbHashtreeErrorMode hashtree_error_mode, AvbHashtreeErrorMode resolved_hashtree_error_mode) { AvbSlotVerifyResult ret; - const char* verity_mode; + const char* verity_mode = NULL; bool is_device_unlocked; AvbIOResult io_ret; @@ -325,7 +325,7 @@ AvbSlotVerifyResult avb_append_options( if (toplevel_vbmeta->flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED) { verity_mode = "disabled"; } else { - const char* dm_verity_mode; + const char* dm_verity_mode = NULL; char* new_ret; switch (resolved_hashtree_error_mode) { diff --git a/lib/libavb/avb_crc32.c b/lib/libavb/avb_crc32.c new file mode 100644 index 0000000000..7d4cb09035 --- /dev/null +++ b/lib/libavb/avb_crc32.c @@ -0,0 +1,114 @@ +/*- + * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or + * code or tables extracted from it, as desired without restriction. + */ + +/* + * First, the polynomial itself and its table of feedback terms. The + * polynomial is + * X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 + * + * Note that we take it "backwards" and put the highest-order term in + * the lowest-order bit. The X^32 term is "implied"; the LSB is the + * X^31 term, etc. The X^0 term (usually shown as "+1") results in + * the MSB being 1 + * + * Note that the usual hardware shift register implementation, which + * is what we're using (we're merely optimizing it by doing eight-bit + * chunks at a time) shifts bits into the lowest-order term. In our + * implementation, that means shifting towards the right. Why do we + * do it this way? Because the calculated CRC must be transmitted in + * order from highest-order term to lowest-order term. UARTs transmit + * characters in order from LSB to MSB. By storing the CRC this way + * we hand it to the UART in the order low-byte to high-byte; the UART + * sends each low-bit to hight-bit; and the result is transmission bit + * by bit from highest- to lowest-order term without requiring any bit + * shuffling on our part. Reception works similarly + * + * The feedback terms table consists of 256, 32-bit entries. Notes + * + * The table can be generated at runtime if desired; code to do so + * is shown later. It might not be obvious, but the feedback + * terms simply represent the results of eight shift/xor opera + * tions for all combinations of data and CRC register values + * + * The values must be right-shifted by eight bits by the "updcrc + * logic; the shift must be unsigned (bring in zeroes). On some + * hardware you could probably optimize the shift in assembler by + * using byte-swap instructions + * polynomial $edb88320 + * + * + * CRC32 code derived from work by Gary S. Brown. + */ + +#include "avb_sysdeps.h" +#include "avb_util.h" + +/* Code taken from FreeBSD 8 */ + +static uint32_t iavb_crc32_tab[] = { + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, + 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, + 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, + 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, + 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, + 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, + 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, + 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, + 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, + 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, + 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, + 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, + 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, + 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, + 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, + 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, + 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, + 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, + 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, + 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, + 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, + 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, + 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, + 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, + 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, + 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, + 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, + 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, + 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, + 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, + 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, + 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, + 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, + 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, + 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, + 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, + 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, + 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, + 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, + 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, + 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}; + +/* + * A function that calculates the CRC-32 based on the table above is + * given below for documentation purposes. An equivalent implementation + * of this function that's actually used in the kernel can be found + * in sys/libkern.h, where it can be inlined. + */ + +static uint32_t iavb_crc32(uint32_t crc_in, const uint8_t* buf, int size) { + const uint8_t* p = buf; + uint32_t crc; + + crc = crc_in ^ ~0U; + while (size--) + crc = iavb_crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; +} + +uint32_t avb_crc32(const uint8_t* buf, size_t size) { + return iavb_crc32(0, buf, size); +} diff --git a/lib/libavb/avb_slot_verify.c b/lib/libavb/avb_slot_verify.c index ae8e1dffa4..05c4b5993b 100644 --- a/lib/libavb/avb_slot_verify.c +++ b/lib/libavb/avb_slot_verify.c @@ -16,6 +16,10 @@ #include "avb_version.h" #include #include +#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) +#include "trusty/hwcrypto.h" +#include +#endif /* Maximum number of partitions that can be loaded with avb_slot_verify(). */ #define MAX_NUMBER_OF_LOADED_PARTITIONS 32 @@ -281,6 +285,11 @@ static AvbSlotVerifyResult load_and_verify_hash_partition( size_t expected_digest_len = 0; uint8_t expected_digest_buf[AVB_SHA512_DIGEST_SIZE]; const uint8_t* expected_digest = NULL; +#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) + uint8_t* hash_out = NULL; + uint8_t* hash_buf = NULL; +#endif + if (!avb_hash_descriptor_validate_and_byteswap( (const AvbHashDescriptor*)descriptor, &hash_desc)) { @@ -380,10 +389,46 @@ static AvbSlotVerifyResult load_and_verify_hash_partition( image_size_to_hash = image_size; } if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha256") == 0) { +#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) + /* DMA requires cache aligned input/output buffer */ + hash_out = memalign(ARCH_DMA_MINALIGN, AVB_SHA256_DIGEST_SIZE); + if (hash_out == NULL) { + avb_error("failed to alloc memory!\n"); + ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; + goto out; + } + uint32_t round_buf_size = ROUND(hash_desc.salt_len + image_size_to_hash, + ARCH_DMA_MINALIGN); + hash_buf = memalign(ARCH_DMA_MINALIGN, round_buf_size); + if (hash_buf == NULL) { + avb_error("failed to alloc memory!\n"); + ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; + goto out; + } + + avb_memcpy(hash_buf, desc_salt, hash_desc.salt_len); + avb_memcpy(hash_buf + hash_desc.salt_len, + image_buf, image_size_to_hash); + /* calculate sha256 hash by caam */ + if (hwcrypto_hash((uint32_t)(ulong)hash_buf, + (hash_desc.salt_len + image_size_to_hash), + (uint32_t)(ulong)hash_out, + AVB_SHA256_DIGEST_SIZE, + SHA256) != 0) { + avb_error("Failed to calculate sha256 hash with caam.\n"); + ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION; + goto out; + } + + digest = hash_out; + free(hash_buf); + hash_buf = NULL; +#else avb_sha256_init(&sha256_ctx); avb_sha256_update(&sha256_ctx, desc_salt, hash_desc.salt_len); avb_sha256_update(&sha256_ctx, image_buf, image_size_to_hash); digest = avb_sha256_final(&sha256_ctx); +#endif digest_len = AVB_SHA256_DIGEST_SIZE; } else if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha512") == 0) { avb_sha512_init(&sha512_ctx); @@ -436,6 +481,16 @@ static AvbSlotVerifyResult load_and_verify_hash_partition( out: +#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) + if (hash_out != NULL) { + free(hash_out); + hash_out = NULL; + } + if (hash_buf != NULL) { + free(hash_buf); + hash_buf = NULL; + } +#endif /* If it worked and something was loaded, copy to slot_data. */ if ((ret == AVB_SLOT_VERIFY_RESULT_OK || result_should_continue(ret)) && image_buf != NULL) { -- 2.17.1