| // Copyright 2021 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| #include "config.h" |
| |
| #include <fcntl.h> |
| #include <libcr51sign/cr51_image_descriptor.h> |
| #include <libcr51sign/libcr51sign.h> |
| #include <libcr51sign/libcr51sign_support.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #include <flasher/device.hpp> |
| #include <flasher/file.hpp> |
| #include <flasher/mod.hpp> |
| #include <flasher/mutate.hpp> |
| #include <flashupdate/info.hpp> |
| #include <flashupdate/logging.hpp> |
| #include <flashupdate/validator/cr51.hpp> |
| #include <stdplus/raw.hpp> |
| |
| #include <format> |
| #include <memory> |
| #include <optional> |
| #include <span> |
| #include <stdexcept> |
| #include <string_view> |
| #include <utility> |
| #include <vector> |
| |
| struct FdState |
| { |
| stdplus::ManagedFd fd; |
| std::optional<size_t> offset; |
| }; |
| |
| flasher::Reader* cr51Reader; |
| flasher::File* mauvManager; |
| |
| int ReadFromFd(const void*, uint32_t offset, uint32_t count, |
| uint8_t* buf) noexcept |
| { |
| if (cr51Reader == nullptr) |
| { |
| return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; |
| } |
| |
| try |
| { |
| cr51Reader->readAtExact( |
| std::span<std::byte>{reinterpret_cast<std::byte*>(buf), count}, |
| offset); |
| return LIBCR51SIGN_SUCCESS; |
| } |
| catch (const std::exception& e) |
| { |
| LOG(flashupdate::LogLevel::Error, "Reading {}", e.what()); |
| return LIBCR51SIGN_ERROR_RUNTIME_FAILURE; |
| } |
| } |
| |
| int ReadImageMauv(const void*, uint8_t* const mauv, uint32_t* const size, |
| const uint32_t maxSize) noexcept |
| { |
| if (maxSize > IMAGE_MAUV_DATA_MAX_SIZE) |
| { |
| return LIBCR51SIGN_ERROR_MAX; |
| } |
| if (mauvManager == nullptr) |
| { |
| return LIBCR51SIGN_NO_STORED_MAUV_FOUND; |
| } |
| |
| try |
| { |
| mauvManager->readAtExact( |
| std::span<std::byte>{reinterpret_cast<std::byte*>(mauv), |
| sizeof(struct image_mauv)}, |
| CR51_MAUV_OFFSET); |
| } |
| catch (const std::exception& e) |
| { |
| LOG(flashupdate::LogLevel::Error, "Reading MAUV {}\n", e.what()); |
| return LIBCR51SIGN_ERROR_RETRIEVING_STORED_IMAGE_MAUV_DATA; |
| } |
| |
| uint32_t mauvStructVersion; |
| memcpy(&mauvStructVersion, mauv, sizeof(mauvStructVersion)); |
| if (mauvStructVersion != IMAGE_MAUV_STRUCT_VERSION) |
| { |
| return LIBCR51SIGN_NO_STORED_MAUV_FOUND; |
| } |
| struct image_mauv* mauvTmp = reinterpret_cast<struct image_mauv*>(mauv); |
| size_t versionDenylistOffset = |
| offsetof(struct image_mauv, version_denylist); |
| |
| size_t denyListSize = |
| std::min(mauvTmp->version_denylist_num_entries * sizeof(uint64_t), |
| IMAGE_MAUV_DATA_MAX_SIZE - sizeof(struct image_mauv)); |
| try |
| { |
| mauvManager->readAtExact( |
| std::span<std::byte>{ |
| reinterpret_cast<std::byte*>(mauv + versionDenylistOffset), |
| // Deny List size. |
| std::min(mauvTmp->version_denylist_num_entries * |
| sizeof(uint64_t), |
| IMAGE_MAUV_DATA_MAX_SIZE - sizeof(struct image_mauv))}, |
| CR51_MAUV_OFFSET + versionDenylistOffset); |
| } |
| catch (const std::exception& e) |
| { |
| LOG(flashupdate::LogLevel::Error, "Reading MAUV {}\n", e.what()); |
| return LIBCR51SIGN_ERROR_RETRIEVING_STORED_IMAGE_MAUV_DATA; |
| } |
| |
| *size = std::min(maxSize, static_cast<uint32_t>(sizeof(struct image_mauv) + |
| denyListSize)); |
| return LIBCR51SIGN_SUCCESS; |
| } |
| |
| int WriteImageMauv(const void*, const uint8_t* const mauv, |
| const uint32_t size) noexcept |
| { |
| if (mauvManager == nullptr) |
| { |
| return LIBCR51SIGN_NO_STORED_MAUV_FOUND; |
| } |
| |
| try |
| { |
| auto data = std::vector<std::byte>(size); |
| memcpy(data.data(), mauv, size); |
| mauvManager->writeAtExact(data, CR51_MAUV_OFFSET); |
| } |
| catch (const std::exception& e) |
| { |
| LOG(flashupdate::LogLevel::Error, "Writing MAUV {}\n", e.what()); |
| return LIBCR51SIGN_ERROR_STORING_NEW_IMAGE_MAUV_DATA; |
| } |
| return LIBCR51SIGN_SUCCESS; |
| } |
| |
| // TODO: Remove after https://gerrit.openbmc.org/c/47332 is submitted. |
| namespace google |
| { |
| namespace cr51 |
| { |
| |
| std::span<const uint8_t> |
| Cr51SignValidatorIpml::hashDescriptor(struct libcr51sign_ctx* ctx, |
| std::span<std::byte> imageDescriptor) |
| { |
| // Create the HASH of the CR51 descriptor on the firmware |
| size_t size = 0; |
| hash_type hashType = static_cast<hash_type>(ctx->descriptor.hash_type); |
| |
| switch (hashType) |
| { |
| case HASH_SHA2_224: |
| case HASH_SHA3_224: |
| size = SHA224_DIGEST_LENGTH; |
| break; |
| case HASH_SHA2_256: |
| case HASH_SHA3_256: |
| size = SHA256_DIGEST_LENGTH; |
| break; |
| case HASH_SHA2_384: |
| case HASH_SHA3_384: |
| size = SHA384_DIGEST_LENGTH; |
| break; |
| case HASH_SHA2_512: |
| case HASH_SHA3_512: |
| size = SHA512_DIGEST_LENGTH; |
| break; |
| case HASH_NONE: |
| default: |
| stdplus::println(stderr, "CR51 Hash type is not supported: type {}", |
| static_cast<int>(hashType)); |
| return {}; |
| break; |
| } |
| |
| hash.resize(size); |
| int ec = hash_init(ctx, hashType); |
| if (ec) |
| { |
| stdplus::println(stderr, "CR51 Hash init error: ec{}", ec); |
| return {}; |
| } |
| |
| ec = hash_update(ctx, |
| reinterpret_cast<const uint8_t*>(imageDescriptor.data()), |
| ctx->descriptor.descriptor_area_size); |
| if (ec) |
| { |
| stdplus::println(stderr, "CR51 Hash update error: ec{}", ec); |
| return {}; |
| } |
| |
| ec = hash_final(ctx, hash.data()); |
| if (ec) |
| { |
| stdplus::println(stderr, "CR51 Hash final error: ec{}", ec); |
| return {}; |
| } |
| |
| return hash; |
| } |
| |
| std::optional<struct libcr51sign_validated_regions> |
| Cr51SignValidatorIpml::validateDescriptor(struct libcr51sign_ctx* ctx) |
| { |
| // Disabled stderr for all info messages |
| fpos_t pos; |
| |
| // Save stderr location |
| fgetpos(stderr, &pos); |
| int fd = dup(fileno(stderr)); |
| |
| // Redirect them to /dev/null |
| if (!freopen("/dev/null", "w", stderr)) |
| { |
| throw std::runtime_error("failed to redirect stderr to /dev/null"); |
| } |
| |
| struct libcr51sign_intf intf = {}; |
| struct libcr51sign_validated_regions imageRegions; |
| enum libcr51sign_validation_failure_reason ec; |
| |
| /* Common functions are from the libcr51sign support header. */ |
| intf.hash_init = &hash_init; |
| intf.hash_update = &hash_update; |
| intf.hash_final = &hash_final; |
| intf.verify_signature = &verify_signature; |
| intf.read = &ReadFromFd; |
| intf.retrieve_stored_image_mauv_data = &ReadImageMauv; |
| intf.store_new_image_mauv_data = &WriteImageMauv; |
| |
| auto returnTrue = []() { return true; }; |
| auto returnFalse = []() { return false; }; |
| intf.prod_to_dev_downgrade_allowed = prodToDev ? returnTrue : returnFalse; |
| intf.is_production_mode = productionMode ? returnTrue : returnFalse; |
| |
| // TODO: Validate the non-static regions after all of the regions are signed |
| // This only applies to clean image that is not read from the flash |
| // directly. |
| ec = libcr51sign_validate(ctx, &intf, &imageRegions); |
| |
| fflush(stderr); |
| dup2(fd, fileno(stderr)); // restore the stderr |
| close(fd); |
| clearerr(stderr); |
| |
| // Move stderr to the normal location |
| fsetpos(stderr, &pos); |
| |
| if (ec != LIBCR51SIGN_SUCCESS) |
| { |
| LOG(flashupdate::LogLevel::Notice, "CR51 Validate error: {}", |
| libcr51sign_errorcode_to_string(ec)) |
| return std::nullopt; |
| } |
| |
| return imageRegions; |
| } |
| |
| } // namespace cr51 |
| } // namespace google |
| |
| namespace flashupdate |
| { |
| namespace validator |
| { |
| namespace cr51 |
| { |
| |
| using flasher::ModArgs; |
| using stdplus::fd::OpenAccess; |
| using stdplus::fd::OpenFlag; |
| using stdplus::fd::OpenFlags; |
| |
| /** @brief Format the Image Version String |
| * |
| * @param[in] descriptor Cr51 image descriptor |
| * |
| * @return version of the image |
| */ |
| std::string formatImageVersion(const struct image_descriptor& descriptor) |
| { |
| return std::format("{}.{}.{}.{}", descriptor.image_major, |
| descriptor.image_minor, descriptor.image_point, |
| descriptor.image_subpoint); |
| } |
| |
| bool Cr51::validateImage(flasher::Reader& reader, |
| const std::vector<std::string>& keys) |
| { |
| this->keys = keys; |
| return verify(reader); |
| } |
| |
| std::string Cr51::imageVersion() const |
| { |
| return version; |
| } |
| |
| bool Cr51::verify(flasher::Reader& reader) |
| { |
| LOG(LogLevel::Info, "Read CR51 Descriptor with size of {}", |
| reader.getSize()); |
| cr51Reader = &reader; |
| valid = false; |
| |
| context.start_offset = 0; |
| context.end_offset = static_cast<uint32_t>(reader.getSize()); |
| context.current_image_family = static_cast<image_family>(imageFamily); |
| context.current_image_type = IMAGE_PROD; |
| context.keyring_len = kSignatureRsa4096Pkcs15KeyLength; |
| context.priv = &shaContext; |
| |
| struct libcr51sign_validated_regions imageRegions; |
| |
| if (keys.empty()) |
| { |
| throw std::runtime_error("no valid validation key available"); |
| } |
| |
| std::unique_ptr<flasher::File> mauv = nullptr; |
| if (std::string(CR51_MAUV_PATH) != "") |
| { |
| auto mauvMod = ModArgs(CR51_MAUV_PATH); |
| mauv = flasher::openFile(mauvMod, OpenFlags(OpenAccess::ReadWrite)); |
| mauvManager = mauv.get(); |
| } |
| else |
| { |
| mauvManager = nullptr; |
| } |
| |
| std::optional<libcr51sign_validated_regions> maybeImageRegions; |
| std::string usedKeys; |
| for (const auto& key : keys) |
| { |
| context.keyring = key.data(); |
| maybeImageRegions = cr51Validator.validateDescriptor(&context); |
| if (maybeImageRegions) |
| { |
| LOG(LogLevel::Notice, "CR51 sign is valid using {}", key); |
| break; |
| } |
| usedKeys += key + ","; |
| } |
| mauvManager = nullptr; |
| |
| if (!maybeImageRegions) |
| { |
| LOG(LogLevel::Crit, "CR51 sign is invalid for using all keys: {}", |
| usedKeys); |
| return false; |
| } |
| imageRegions = *maybeImageRegions; |
| |
| LOG(LogLevel::Notice, "Passed CR51 Sign Validation"); |
| valid = true; |
| regions = std::vector<struct image_region>(&imageRegions.image_regions[0], |
| &imageRegions.image_regions[0] + |
| imageRegions.region_count); |
| version = formatImageVersion(context.descriptor); |
| LOG(LogLevel::Notice, "BIOS Version: {}", version); |
| |
| std::vector<std::byte> buf(context.descriptor.descriptor_area_size); |
| reader.readAt(buf, context.descriptor.descriptor_offset); |
| |
| // Create the HASH of the CR51 descriptor on the BIOS |
| auto hashDescriptor = cr51Validator.hashDescriptor(&context, buf); |
| if (!hashDescriptor.empty()) |
| { |
| hash = |
| std::vector<uint8_t>(hashDescriptor.begin(), hashDescriptor.end()); |
| descriptorOffset = context.descriptor.descriptor_offset; |
| descriptorSize = context.descriptor.descriptor_area_size; |
| } |
| // Update the sign type for the BIOS image |
| this->prod = context.descriptor.image_type == image_type::IMAGE_PROD; |
| return true; |
| } |
| |
| std::span<ImageRegion> Cr51::persistentRegions() |
| { |
| if (!valid) |
| return {}; |
| |
| persistentRegion.clear(); |
| for (const auto& region : regions) |
| { |
| bool persistent = |
| (region.region_attributes & |
| (IMAGE_REGION_PERSISTENT | IMAGE_REGION_PERSISTENT_RELOCATABLE | |
| IMAGE_REGION_PERSISTENT_EXPANDABLE)) > 0; |
| auto region_name = reinterpret_cast<const char*>(region.region_name); |
| LOG(LogLevel::Debug, |
| "Partition Name: {}, Offset: {}, Size: {}, Persistent?: {}", |
| region_name, region.region_offset, region.region_size, persistent); |
| if (persistent) |
| { |
| persistentRegion.emplace_back(ImageRegion{ |
| region_name, region.region_offset, region.region_size}); |
| }; |
| } |
| |
| return persistentRegion; |
| } |
| |
| std::pair<std::string, bool> |
| Cr51::validateHash(flasher::ModArgs mod, uint32_t offset, uint32_t size, |
| std::span<const uint8_t> expected) |
| { |
| auto readDev = flasher::openDevice(mod); |
| std::vector<std::byte> fileIn(size); |
| readDev->readAt(fileIn, offset); |
| |
| struct image_descriptor descriptor = |
| *reinterpret_cast<struct image_descriptor*>(fileIn.data()); |
| |
| // Get the descriptor hash type from the target partition |
| context.descriptor.hash_type = descriptor.hash_type; |
| context.descriptor.descriptor_offset = 0, |
| context.descriptor.descriptor_area_size = size; |
| context.priv = &shaContext; |
| |
| auto hashDescriptor = cr51Validator.hashDescriptor(&context, fileIn); |
| stdplus::println( |
| stderr, "validateHash: current {} vs. expected {}", |
| info::bytesToHex(std::span<const uint8_t>( |
| &hashDescriptor[0], &hashDescriptor[0] + SHA256_DIGEST_LENGTH)), |
| info::bytesToHex(std::span<const uint8_t>( |
| &expected[0], &expected[0] + SHA256_DIGEST_LENGTH))); |
| |
| std::string version = formatImageVersion(descriptor); |
| bool validHash = hashDescriptor.size() == expected.size() && |
| std::equal(hashDescriptor.begin(), hashDescriptor.end(), |
| expected.begin(), expected.end()); |
| |
| return {version, validHash}; |
| } |
| |
| std::string Cr51::fetchVersion(flasher::ModArgs mod, uint32_t offset, |
| uint32_t size) |
| { |
| return validator::cr51::formatImageVersion( |
| imageDescriptor(mod, offset, size)); |
| } |
| |
| bool Cr51::isProdImage(flasher::ModArgs mod, uint32_t offset, uint32_t size) |
| { |
| return imageDescriptor(mod, offset, size).image_type == |
| image_type::IMAGE_PROD; |
| } |
| |
| struct image_descriptor Cr51::imageDescriptor(flasher::ModArgs mod, |
| uint32_t offset, uint32_t size) |
| { |
| auto readDev = flasher::openDevice(mod); |
| std::vector<std::byte> fileIn(size); |
| readDev->readAt(fileIn, offset); |
| return stdplus::raw::copyFrom<struct image_descriptor>(fileIn); |
| } |
| |
| } // namespace cr51 |
| } // namespace validator |
| } // namespace flashupdate |
