1 #include <memory> 2 3 #include "gtest/gtest.h" 4 #include "avb_tools.h" 5 #include "nugget_tools.h" 6 #include "nugget/app/avb/avb.pb.h" 7 #include "Avb.client.h" 8 #include "src/test-data/test-keys/reset_key_data.h" 9 #include <avb.h> 10 #include <application.h> 11 #include <nos/AppClient.h> 12 #include <nos/NuggetClientInterface.h> 13 #include "util.h" 14 15 #include <openssl/bio.h> 16 #include <openssl/evp.h> 17 #include <openssl/pem.h> 18 19 using std::cout; 20 using std::string; 21 using std::unique_ptr; 22 23 using namespace nugget::app::avb; 24 using namespace avb_tools; 25 26 namespace { 27 28 class AvbTest: public testing::Test { 29 protected: 30 static unique_ptr<nos::NuggetClientInterface> client; 31 static unique_ptr<test_harness::TestHarness> uart_printer; 32 33 static void SetUpTestCase(); 34 static void TearDownTestCase(); 35 36 virtual void SetUp(void); 37 38 int ProductionResetTest(uint32_t selector, uint64_t nonce, 39 const uint8_t *device_data, size_t data_len, 40 const uint8_t *signature, size_t signature_len); 41 int SignChallenge(const struct ResetMessage *message, 42 uint8_t *signature, size_t *siglen); 43 44 int Load(uint8_t slot, uint64_t *version); 45 int Store(uint8_t slot, uint64_t version); 46 int SetDeviceLock(uint8_t locked); 47 int SetBootLock(uint8_t locked); 48 int SetOwnerLock(uint8_t locked, const uint8_t *metadata, size_t size); 49 int GetOwnerKey(uint32_t offset, uint8_t *metadata, size_t *size); 50 int SetCarrierLock(uint8_t locked, const uint8_t *metadata, size_t size); 51 52 public: 53 const uint64_t LAST_NONCE = 0x4141414141414140ULL; 54 const uint64_t VERSION = 1; 55 const uint64_t NONCE = 0x4141414141414141ULL; 56 const uint8_t DEVICE_DATA[AVB_DEVICE_DATA_SIZE] = { 57 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 58 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 59 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 60 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 61 }; 62 const uint8_t SIGNATURE[AVB_SIGNATURE_SIZE] = { 63 0x68, 0x86, 0x9a, 0x16, 0xca, 0x62, 0xea, 0xa9, 64 0x9b, 0xa0, 0x51, 0x03, 0xa6, 0x00, 0x3f, 0xe8, 65 0xf1, 0x43, 0xe6, 0xb7, 0xde, 0x76, 0xfe, 0x21, 66 0x65, 0x87, 0x78, 0xe5, 0x1d, 0x11, 0x6a, 0xe1, 67 0x7b, 0xc6, 0x2e, 0xe2, 0x96, 0x25, 0x48, 0xa7, 68 0x09, 0x43, 0x2c, 0xfd, 0x28, 0xa9, 0x66, 0x8a, 69 0x09, 0xd5, 0x83, 0x3b, 0xde, 0x18, 0x5d, 0xef, 70 0x50, 0x12, 0x8a, 0x8d, 0xfb, 0x2d, 0x46, 0x20, 71 0x69, 0x55, 0x4e, 0x86, 0x63, 0xf6, 0x10, 0xe3, 72 0x59, 0x3f, 0x55, 0x72, 0x18, 0xcb, 0x60, 0x80, 73 0x0d, 0x2e, 0x2f, 0xfc, 0xc2, 0xbf, 0xda, 0x3f, 74 0x4f, 0x2b, 0x6b, 0xf1, 0x5d, 0x28, 0x6b, 0x2b, 75 0x9b, 0x92, 0xf3, 0x4e, 0xf2, 0xb6, 0x23, 0x8e, 76 0x50, 0x64, 0xf6, 0xee, 0xc7, 0x78, 0x6a, 0xe0, 77 0xed, 0xce, 0x2c, 0x1f, 0x0a, 0x47, 0x43, 0x5c, 78 0xe4, 0x69, 0xc5, 0xc1, 0xf9, 0x52, 0x8c, 0xed, 79 0xfd, 0x71, 0x8f, 0x9a, 0xde, 0x62, 0xfc, 0x21, 80 0x07, 0xf9, 0x5f, 0xe1, 0x1e, 0xdc, 0x65, 0x95, 81 0x15, 0xc8, 0xe7, 0xf2, 0xce, 0xa9, 0xd0, 0x55, 82 0xf1, 0x18, 0x89, 0xae, 0xe8, 0x47, 0xd8, 0x8a, 83 0x1f, 0x68, 0xa8, 0x6f, 0x5e, 0x5c, 0xda, 0x3d, 84 0x98, 0xeb, 0x82, 0xf8, 0x1f, 0x7a, 0x43, 0x6d, 85 0x3a, 0x7c, 0x36, 0x76, 0x4f, 0x55, 0xa4, 0x55, 86 0x5f, 0x52, 0x47, 0xa5, 0x71, 0x17, 0x7b, 0x73, 87 0xaa, 0x5c, 0x85, 0x94, 0xb6, 0xe2, 0x37, 0x1f, 88 0x22, 0x29, 0x46, 0x59, 0x20, 0x1f, 0x49, 0x36, 89 0x50, 0xa9, 0x60, 0x5d, 0xeb, 0x99, 0x3f, 0x92, 90 0x31, 0xa0, 0x1d, 0xad, 0xdb, 0xde, 0x40, 0xf6, 91 0xaf, 0x9c, 0x36, 0xe4, 0x0c, 0xf4, 0xcc, 0xaf, 92 0x9f, 0x8b, 0xf9, 0xe6, 0x12, 0x53, 0x4e, 0x58, 93 0xeb, 0x9a, 0x57, 0x08, 0x89, 0xa5, 0x4f, 0x7c, 94 0xb9, 0x78, 0x07, 0x02, 0x17, 0x2c, 0xce, 0xb8, 95 }; 96 }; 97 98 unique_ptr<nos::NuggetClientInterface> AvbTest::client; 99 unique_ptr<test_harness::TestHarness> AvbTest::uart_printer; 100 101 void AvbTest::SetUpTestCase() { 102 uart_printer = test_harness::TestHarness::MakeUnique(); 103 104 client = nugget_tools::MakeNuggetClient(); 105 client->Open(); 106 EXPECT_TRUE(client->IsOpen()) << "Unable to connect"; 107 } 108 109 void AvbTest::TearDownTestCase() { 110 client->Close(); 111 client = unique_ptr<nos::NuggetClientInterface>(); 112 113 uart_printer = nullptr; 114 } 115 116 void AvbTest::SetUp(void) 117 { 118 bool bootloader; 119 bool production; 120 uint8_t locks[4]; 121 int code; 122 123 avb_tools::BootloaderDone(client.get()); // We don't need BL for setup. 124 // Perform a challenge/response. If this fails, either 125 // the reset path is broken or the image is probably not 126 // TEST_IMAGE=1. 127 // Note: the reset tests are not safe on -UTEST_IMAGE unless 128 // the storage can be reflashed. 129 ResetProduction(client.get()); 130 131 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0); 132 ASSERT_NO_ERROR(code, ""); 133 134 GetState(client.get(), &bootloader, &production, locks); 135 EXPECT_EQ(bootloader, false); 136 EXPECT_EQ(production, false); 137 EXPECT_EQ(locks[BOOT], 0x00); 138 EXPECT_EQ(locks[CARRIER], 0x00); 139 EXPECT_EQ(locks[DEVICE], 0x00); 140 EXPECT_EQ(locks[OWNER], 0x00); 141 } 142 143 RSA *GetResetKey() 144 { 145 BIO *bio = BIO_new_mem_buf((void*)test_data::kResetKeyPem, 146 test_data::kResetKeyPemSize - 1); 147 RSA *rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, 0, NULL); 148 BIO_free(bio); 149 return rsa; 150 } 151 152 int AvbTest::ProductionResetTest(uint32_t selector, uint64_t nonce, 153 const uint8_t *device_data, size_t data_len, 154 const uint8_t *signature, size_t signature_len) 155 { 156 ProductionResetTestRequest request; 157 request.set_selector(selector); 158 request.set_nonce(nonce); 159 if (signature && signature_len) { 160 request.set_signature(signature, signature_len); 161 } 162 if (device_data && data_len) { 163 request.set_device_data(device_data, data_len); 164 } 165 Avb service(*client); 166 return service.ProductionResetTest(request, nullptr); 167 } 168 169 int AvbTest::SignChallenge(const struct ResetMessage *message, 170 uint8_t *signature, size_t *maxsig) 171 { 172 size_t siglen = *maxsig; 173 RSA *key = GetResetKey(); 174 if (!key) 175 return -1; 176 EVP_PKEY *pkey = EVP_PKEY_new(); 177 if (!pkey) 178 return -1; 179 if (!EVP_PKEY_set1_RSA(pkey, key)) 180 return -1; 181 EVP_MD_CTX md_ctx; 182 EVP_MD_CTX_init(&md_ctx); 183 EVP_PKEY_CTX *pkey_ctx; 184 if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey)) 185 return -1; 186 if (!EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)) 187 return -1; 188 if (!EVP_DigestSignUpdate(&md_ctx, (uint8_t *)message, sizeof(*message))) 189 return -1; 190 EVP_DigestSignFinal(&md_ctx, NULL, &siglen); 191 if (siglen > *maxsig) { 192 std::cerr << "Signature length too long: " << siglen << " > " 193 << *maxsig << std::endl; 194 return -2; 195 } 196 *maxsig = siglen; 197 int code = EVP_DigestSignFinal(&md_ctx, signature, &siglen); 198 if (!code) { 199 std::cerr << "OpenSSL error: " << ERR_get_error() << ": " 200 << ERR_reason_error_string(ERR_get_error()) << std::endl; 201 return -3; 202 } 203 EVP_MD_CTX_cleanup(&md_ctx); 204 EVP_PKEY_free(pkey); 205 RSA_free(key); 206 // Feed it in 207 return 0; 208 } 209 210 int AvbTest::Load(uint8_t slot, uint64_t *version) 211 { 212 LoadRequest request; 213 LoadResponse response; 214 int code; 215 216 request.set_slot(slot); 217 218 Avb service(*client); 219 code = service.Load(request, &response); 220 if (code == APP_SUCCESS) { 221 *version = response.version(); 222 } 223 224 return code; 225 } 226 227 int AvbTest::Store(uint8_t slot, uint64_t version) 228 { 229 StoreRequest request; 230 231 request.set_slot(slot); 232 request.set_version(version); 233 234 Avb service(*client); 235 return service.Store(request, nullptr); 236 } 237 238 int AvbTest::SetDeviceLock(uint8_t locked) 239 { 240 SetDeviceLockRequest request; 241 242 request.set_locked(locked); 243 244 Avb service(*client); 245 return service.SetDeviceLock(request, nullptr); 246 } 247 248 int AvbTest::SetBootLock(uint8_t locked) 249 { 250 SetBootLockRequest request; 251 252 request.set_locked(locked); 253 254 Avb service(*client); 255 return service.SetBootLock(request, nullptr); 256 } 257 258 int AvbTest::SetOwnerLock(uint8_t locked, const uint8_t *metadata, size_t size) 259 { 260 SetOwnerLockRequest request; 261 262 request.set_locked(locked); 263 if (metadata != NULL && size > 0) { 264 request.set_key(metadata, size); 265 } 266 267 Avb service(*client); 268 return service.SetOwnerLock(request, nullptr); 269 } 270 271 int AvbTest::GetOwnerKey(uint32_t offset, uint8_t *metadata, size_t *size) 272 { 273 GetOwnerKeyRequest request; 274 GetOwnerKeyResponse response; 275 size_t i; 276 int code; 277 278 request.set_offset(offset); 279 if (size != NULL) 280 request.set_size(*size); 281 282 Avb service(*client); 283 code = service.GetOwnerKey(request, &response); 284 285 if (code == APP_SUCCESS) { 286 auto chunk = response.chunk(); 287 288 if (metadata != NULL) { 289 for (i = 0; i < chunk.size(); i++) 290 metadata[i] = chunk[i]; 291 } 292 if (size != NULL) 293 *size = chunk.size(); 294 } 295 296 return code; 297 } 298 299 int AvbTest::SetCarrierLock(uint8_t locked, const uint8_t *metadata, size_t size) 300 { 301 CarrierLockRequest request; 302 303 request.set_locked(locked); 304 if (metadata != NULL && size > 0) { 305 request.set_device_data(metadata, size); 306 } 307 308 Avb service(*client); 309 return service.CarrierLock(request, nullptr); 310 } 311 312 // Tests 313 314 TEST_F(AvbTest, CarrierLockTest) 315 { 316 uint8_t carrier_data[AVB_DEVICE_DATA_SIZE]; 317 uint8_t locks[4]; 318 int code; 319 320 // Test we can set and unset the carrier lock in non production mode 321 memset(carrier_data, 0, sizeof(carrier_data)); 322 323 code = SetCarrierLock(0x12, carrier_data, sizeof(carrier_data)); 324 ASSERT_NO_ERROR(code, ""); 325 326 GetState(client.get(), NULL, NULL, locks); 327 ASSERT_EQ(locks[CARRIER], 0x12); 328 329 code = SetCarrierLock(0, NULL, 0); 330 ASSERT_NO_ERROR(code, ""); 331 332 // Set production mode 333 avb_tools::SetBootloader(client.get()); 334 code = SetProduction(client.get(), true, NULL, 0); 335 ASSERT_NO_ERROR(code, ""); 336 avb_tools::BootloaderDone(client.get()); 337 338 // Test we cannot set or unset the carrier lock in production mode 339 code = SetCarrierLock(0x12, carrier_data, sizeof(carrier_data)); 340 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION); 341 342 GetState(client.get(), NULL, NULL, locks); 343 ASSERT_EQ(locks[CARRIER], 0x00); 344 345 code = SetCarrierLock(0, NULL, 0); 346 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION); 347 } 348 349 TEST_F(AvbTest, CarrierUnlockTest) 350 { 351 CarrierLockTestRequest request; 352 CarrierLockTestResponse response; 353 CarrierUnlock *token; 354 355 token = new CarrierUnlock(); 356 token->set_nonce(NONCE); 357 token->set_version(VERSION); 358 token->set_signature(SIGNATURE, sizeof(SIGNATURE)); 359 360 request.set_last_nonce(LAST_NONCE); 361 request.set_version(VERSION); 362 request.set_device_data(DEVICE_DATA, sizeof(DEVICE_DATA)); 363 request.set_allocated_token(token); 364 365 Avb service(*client); 366 ASSERT_NO_ERROR(service.CarrierLockTest(request, &response), ""); 367 368 // The nonce is covered by the signature, so changing it should trip the 369 // signature verification 370 token->set_nonce(NONCE + 1); 371 ASSERT_EQ(service.CarrierLockTest(request, &response), APP_ERROR_AVB_AUTHORIZATION); 372 } 373 374 TEST_F(AvbTest, DeviceLockTest) 375 { 376 bool bootloader; 377 bool production; 378 uint8_t locks[4]; 379 int code; 380 381 // Test cannot set the lock 382 avb_tools::SetBootloader(client.get()); 383 code = SetProduction(client.get(), true, NULL, 0); 384 ASSERT_NO_ERROR(code, ""); 385 386 code = SetDeviceLock(0x12); 387 ASSERT_EQ(code, APP_ERROR_AVB_HLOS); 388 389 // Test can set lock 390 ResetProduction(client.get()); 391 avb_tools::SetBootloader(client.get()); 392 393 code = SetDeviceLock(0x34); 394 ASSERT_NO_ERROR(code, ""); 395 396 GetState(client.get(), &bootloader, &production, locks); 397 ASSERT_TRUE(bootloader); 398 ASSERT_FALSE(production); 399 ASSERT_EQ(locks[DEVICE], 0x34); 400 401 // Test cannot set while set 402 code = SetDeviceLock(0x56); 403 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 404 405 GetState(client.get(), NULL, NULL, locks); 406 ASSERT_EQ(locks[DEVICE], 0x34); 407 408 // Test can unset 409 code = SetDeviceLock(0x00); 410 ASSERT_NO_ERROR(code, ""); 411 412 GetState(client.get(), NULL, NULL, locks); 413 ASSERT_EQ(locks[DEVICE], 0x00); 414 } 415 416 TEST_F(AvbTest, SetDeviceLockIsIdempotent) { 417 ASSERT_NO_ERROR(SetDeviceLock(0x65), ""); 418 ASSERT_NO_ERROR(SetDeviceLock(0x65), ""); 419 } 420 421 TEST_F(AvbTest, BootLockTest) 422 { 423 uint8_t locks[4]; 424 int code; 425 // Test production logic. 426 code = SetProduction(client.get(), true, NULL, 0); 427 ASSERT_NO_ERROR(code, ""); 428 429 // Test cannot set lock 430 code = SetBootLock(0x12); 431 ASSERT_EQ(code, APP_ERROR_AVB_BOOTLOADER); 432 433 GetState(client.get(), NULL, NULL, locks); 434 ASSERT_EQ(locks[BOOT], 0x00); 435 436 // Show the bootloader setting and unsetting. 437 avb_tools::SetBootloader(client.get()); 438 code = SetBootLock(0x12); 439 ASSERT_NO_ERROR(code, ""); 440 441 GetState(client.get(), NULL, NULL, locks); 442 ASSERT_EQ(locks[BOOT], 0x12); 443 444 code = SetBootLock(0x0); 445 ASSERT_NO_ERROR(code, ""); 446 447 GetState(client.get(), NULL, NULL, locks); 448 ASSERT_EQ(locks[BOOT], 0x00); 449 450 // Test cannot unset lock while carrier set 451 ResetProduction(client.get()); 452 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0); 453 ASSERT_NO_ERROR(code, ""); 454 455 code = SetCarrierLock(0x34, DEVICE_DATA, sizeof(DEVICE_DATA)); 456 ASSERT_NO_ERROR(code, ""); 457 458 code = SetProduction(client.get(), true, NULL, 0); 459 ASSERT_NO_ERROR(code, ""); 460 461 // Can lock when carrier lock is set. 462 avb_tools::SetBootloader(client.get()); 463 code = SetBootLock(0x56); 464 ASSERT_NO_ERROR(code, ""); 465 466 // Cannot unlock. 467 code = SetBootLock(0x0); 468 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 469 470 // Or change the value. 471 code = SetBootLock(0x42); 472 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 473 474 GetState(client.get(), NULL, NULL, locks); 475 ASSERT_EQ(locks[CARRIER], 0x34); 476 ASSERT_EQ(locks[BOOT], 0x56); 477 478 // Clear the locks to show device lock enforcement. 479 ResetProduction(client.get()); 480 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0); 481 ASSERT_NO_ERROR(code, ""); 482 code = SetProduction(client.get(), true, NULL, 0); 483 ASSERT_NO_ERROR(code, ""); 484 avb_tools::SetBootloader(client.get()); 485 486 // Need to be in the HLOS. 487 code = SetDeviceLock(0x78); 488 ASSERT_EQ(code, APP_ERROR_AVB_HLOS); 489 490 avb_tools::BootloaderDone(client.get()); 491 code = SetDeviceLock(0x78); 492 ASSERT_NO_ERROR(code, ""); 493 494 // We can move to a locked state when 495 // device lock is true. 496 avb_tools::SetBootloader(client.get()); 497 code = SetBootLock(0x9A); 498 ASSERT_NO_ERROR(code, ""); 499 500 // But we can't move back. 501 code = SetBootLock(0x0); 502 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 503 504 GetState(client.get(), NULL, NULL, locks); 505 ASSERT_EQ(locks[DEVICE], 0x78); 506 ASSERT_EQ(locks[BOOT], 0x9A); 507 } 508 509 TEST_F(AvbTest, SetBootLockIsIdempotent) { 510 ASSERT_NO_ERROR(SetBootLock(0x12), ""); 511 ASSERT_NO_ERROR(SetBootLock(0x12), ""); 512 } 513 514 TEST_F(AvbTest, SetBootLockAfterWipingUserData) { 515 // This is a sequence of commands that the bootloader will issue 516 ASSERT_NO_ERROR(SetProduction(client.get(), true, NULL, 0), ""); 517 avb_tools::SetBootloader(client.get()); 518 ASSERT_TRUE(nugget_tools::WipeUserData(client.get())); 519 ASSERT_NO_ERROR(SetBootLock(0xdc), ""); 520 } 521 522 TEST_F(AvbTest, OwnerLockTest) 523 { 524 uint8_t owner_key[AVB_METADATA_MAX_SIZE]; 525 uint8_t chunk[AVB_CHUNK_MAX_SIZE]; 526 uint8_t locks[4]; 527 int code; 528 size_t i; 529 530 for (i = 0; i < AVB_METADATA_MAX_SIZE; i += 2) { 531 owner_key[i + 0] = (i >> 8) & 0xFF; 532 owner_key[i + 1] = (i >> 8) & 0xFF; 533 } 534 535 // This should pass when BOOT lock is not set 536 code = SetOwnerLock(0x65, owner_key, sizeof(owner_key)); 537 ASSERT_NO_ERROR(code, ""); 538 539 GetState(client.get(), NULL, NULL, locks); 540 ASSERT_EQ(locks[OWNER], 0x65); 541 542 for (i = 0; i < AVB_METADATA_MAX_SIZE; i += AVB_CHUNK_MAX_SIZE) { 543 size_t size = sizeof(chunk); 544 size_t j; 545 546 code = GetOwnerKey(i, chunk, &size); 547 ASSERT_NO_ERROR(code, ""); 548 ASSERT_EQ(size, sizeof(chunk)); 549 for (j = 0; j < size; j++) { 550 ASSERT_EQ(chunk[j], owner_key[i + j]); 551 } 552 } 553 554 // Test setting the lock while set fails 555 code = SetOwnerLock(0x87, owner_key, sizeof(owner_key)); 556 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 557 558 GetState(client.get(), NULL, NULL, locks); 559 ASSERT_EQ(locks[OWNER], 0x65); 560 561 // Clear it 562 code = SetOwnerLock(0x00, owner_key, sizeof(owner_key)); 563 ASSERT_NO_ERROR(code, ""); 564 565 GetState(client.get(), NULL, NULL, locks); 566 ASSERT_EQ(locks[OWNER], 0x00); 567 568 // Set the boot lock 569 avb_tools::SetBootloader(client.get()); 570 code = SetBootLock(0x43); 571 ASSERT_NO_ERROR(code, ""); 572 573 GetState(client.get(), NULL, NULL, locks); 574 ASSERT_EQ(locks[BOOT], 0x43); 575 576 // Test setting the lock while BOOT is locked fails 577 code = SetOwnerLock(0x21, owner_key, sizeof(owner_key)); 578 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 579 } 580 581 TEST_F(AvbTest, ProductionMode) 582 { 583 bool production; 584 uint8_t locks[4]; 585 int code; 586 587 // Check we're not in production mode 588 GetState(client.get(), NULL, &production, NULL); 589 ASSERT_FALSE(production); 590 591 // Set some lock values to make sure production doesn't affect them 592 avb_tools::SetBootloader(client.get()); 593 code = SetOwnerLock(0x11, NULL, 0); 594 ASSERT_NO_ERROR(code, ""); 595 596 code = SetBootLock(0x22); 597 ASSERT_NO_ERROR(code, ""); 598 599 code = SetCarrierLock(0x33, DEVICE_DATA, sizeof(DEVICE_DATA)); 600 ASSERT_NO_ERROR(code, ""); 601 602 code = SetDeviceLock(0x44); 603 ASSERT_NO_ERROR(code, ""); 604 605 // Set production mode with a DUT hash 606 code = SetProduction(client.get(), true, NULL, 0); 607 ASSERT_NO_ERROR(code, ""); 608 609 GetState(client.get(), NULL, &production, locks); 610 ASSERT_TRUE(production); 611 ASSERT_EQ(locks[OWNER], 0x11); 612 ASSERT_EQ(locks[BOOT], 0x22); 613 ASSERT_EQ(locks[CARRIER], 0x33); 614 ASSERT_EQ(locks[DEVICE], 0x44); 615 616 // Test production cannot be turned off. 617 code = SetProduction(client.get(), false, NULL, 0); 618 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION); 619 avb_tools::BootloaderDone(client.get()); 620 code = SetProduction(client.get(), false, NULL, 0); 621 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION); 622 } 623 624 TEST_F(AvbTest, Rollback) 625 { 626 uint64_t value = ~0ULL; 627 int code, i; 628 629 // Test we cannot change values in normal mode 630 code = SetProduction(client.get(), true, NULL, 0); 631 ASSERT_NO_ERROR(code, ""); 632 for (i = 0; i < 8; i++) { 633 code = Store(i, 0xFF00000011223344 + i); 634 ASSERT_EQ(code, APP_ERROR_AVB_BOOTLOADER); 635 636 code = Load(i, &value); 637 ASSERT_NO_ERROR(code, ""); 638 ASSERT_EQ(value, 0x00ULL); 639 } 640 641 // Test we can change values in bootloader mode 642 avb_tools::SetBootloader(client.get()); 643 for (i = 0; i < 8; i++) { 644 code = Store(i, 0xFF00000011223344 + i); 645 ASSERT_NO_ERROR(code, ""); 646 647 code = Load(i, &value); 648 ASSERT_NO_ERROR(code, ""); 649 ASSERT_EQ(value, 0xFF00000011223344 + i); 650 651 code = Store(i, 0x8800000011223344 - i); 652 ASSERT_NO_ERROR(code, ""); 653 654 code = Load(i, &value); 655 ASSERT_NO_ERROR(code, ""); 656 ASSERT_EQ(value, 0x8800000011223344 - i); 657 } 658 } 659 660 TEST_F(AvbTest, Reset) 661 { 662 bool bootloader; 663 bool production; 664 uint8_t locks[4]; 665 int code; 666 667 // Set some locks and production mode*/ 668 avb_tools::SetBootloader(client.get()); 669 code = SetBootLock(0x12); 670 ASSERT_NO_ERROR(code, ""); 671 672 code = SetDeviceLock(0x34); 673 ASSERT_NO_ERROR(code, ""); 674 675 code = SetProduction(client.get(), true, NULL, 0); 676 ASSERT_NO_ERROR(code, ""); 677 678 avb_tools::BootloaderDone(client.get()); 679 680 GetState(client.get(), &bootloader, &production, locks); 681 ASSERT_FALSE(bootloader); 682 ASSERT_TRUE(production); 683 ASSERT_EQ(locks[BOOT], 0x12); 684 ASSERT_EQ(locks[DEVICE], 0x34); 685 686 // Try reset, should fail 687 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0); 688 ASSERT_EQ(code, APP_ERROR_AVB_DENIED); 689 690 GetState(client.get(), &bootloader, &production, locks); 691 ASSERT_FALSE(bootloader); 692 ASSERT_TRUE(production); 693 ASSERT_EQ(locks[BOOT], 0x12); 694 ASSERT_EQ(locks[DEVICE], 0x34); 695 696 // Disable production, try reset, should pass 697 ResetProduction(client.get()); 698 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0); 699 ASSERT_NO_ERROR(code, ""); 700 701 GetState(client.get(), &bootloader, &production, locks); 702 ASSERT_FALSE(bootloader); 703 ASSERT_FALSE(production); 704 ASSERT_EQ(locks[BOOT], 0x00); 705 ASSERT_EQ(locks[DEVICE], 0x00); 706 } 707 708 TEST_F(AvbTest, GetResetChallengeTest) 709 { 710 int code; 711 uint32_t selector; 712 uint64_t nonce; 713 uint8_t data[32]; 714 uint8_t empty[32]; 715 size_t len = sizeof(data); 716 717 memset(data, 0, sizeof(data)); 718 memset(empty, 0, sizeof(empty)); 719 code = GetResetChallenge(client.get(), &selector, &nonce, data, &len); 720 ASSERT_LE(sizeof(data), len); 721 ASSERT_NO_ERROR(code, ""); 722 EXPECT_NE(0ULL, nonce); 723 EXPECT_LE(selector, (uint32_t)ResetToken::CURRENT); 724 EXPECT_EQ(32UL, len); 725 // We didn't set a device id. 726 EXPECT_EQ(0, memcmp(data, empty, sizeof(empty))); 727 } 728 729 // TODO(drewry) move to new test suite since this is unsafe on 730 // non-TEST_IMAGE builds. 731 TEST_F(AvbTest, ResetProductionValid) 732 { 733 static const uint8_t kDeviceHash[] = { 734 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 735 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 736 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 737 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8 738 }; 739 struct ResetMessage message; 740 int code; 741 uint32_t selector; 742 size_t len = sizeof(message.data); 743 uint8_t signature[2048/8 + 1]; 744 size_t siglen = sizeof(signature); 745 746 // Lock in a fixed device hash 747 code = SetProduction(client.get(), true, kDeviceHash, sizeof(kDeviceHash)); 748 EXPECT_EQ(0, code); 749 750 memset(message.data, 0, sizeof(message.data)); 751 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len); 752 ASSERT_NO_ERROR(code, ""); 753 // Expect, not assert, just in case something goes weird, we may still 754 // exit cleanly. 755 EXPECT_EQ(0, memcmp(message.data, kDeviceHash, sizeof(kDeviceHash))); 756 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen)); 757 758 // Try a bad challenge, wasting the nonce. 759 uint8_t orig = signature[0]; 760 signature[0] += 1; 761 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen); 762 // TODO: expect the LINENO error 763 EXPECT_NE(0, code); 764 signature[0] = orig; 765 // Re-lock since TEST_IMAGE will unlock on failure. 766 code = SetProduction(client.get(), true, kDeviceHash, sizeof(kDeviceHash)); 767 EXPECT_EQ(0, code); 768 769 // Now use a good one, but without getting a new nonce. 770 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen); 771 EXPECT_EQ(code, APP_ERROR_AVB_DENIED); 772 773 // Now get the nonce and use a good signature. 774 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len); 775 ASSERT_NO_ERROR(code, ""); 776 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen)); 777 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen); 778 ASSERT_NO_ERROR(code, ""); 779 } 780 781 TEST_F(AvbTest, ProductionResetTestValid) 782 { 783 static const uint8_t kDeviceHash[] = { 784 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 785 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 786 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 787 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8 788 }; 789 struct ResetMessage message; 790 int code; 791 uint32_t selector = ResetToken::CURRENT; 792 size_t len = sizeof(message.data); 793 uint8_t signature[2048/8 + 1]; 794 size_t siglen = sizeof(signature); 795 796 memcpy(message.data, kDeviceHash, sizeof(message.data)); 797 message.nonce = 123456; 798 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen)); 799 800 // Try a bad challenge, wasting the nonce. 801 uint8_t orig = signature[0]; 802 signature[0] += 1; 803 code = ProductionResetTest(selector, message.nonce, message.data, len, 804 signature, siglen); 805 EXPECT_NE(0, code); 806 signature[0] = orig; 807 808 // Now use a good signature. 809 code = ProductionResetTest(selector, message.nonce, message.data, len, 810 signature, siglen); 811 ASSERT_NO_ERROR(code, ""); 812 813 // Note, testing nonce expiration is handled in the Reset(PRODUCTION) 814 // test. This just checks a second signature over an app sourced nonce. 815 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len); 816 ASSERT_NO_ERROR(code, ""); 817 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen)); 818 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen); 819 ASSERT_NO_ERROR(code, ""); 820 821 // Now test a null signature as we will for the real keys 822 message.nonce = 0; 823 memset(message.data, 0, sizeof(message.data)); 824 code = ProductionResetTest(selector, message.nonce, message.data, len, 825 test_data::kResetSignatures[selector], 826 test_data::kResetSignatureLengths[selector]); 827 ASSERT_NO_ERROR(code, ""); 828 } 829 830 TEST_F(AvbTest, WipeUserDataDoesNotLockDeviceLock) { 831 ASSERT_NO_ERROR(SetDeviceLock(0x00), ""); 832 ASSERT_TRUE(nugget_tools::WipeUserData(client.get())); 833 834 uint8_t locks[4]; 835 GetState(client.get(), nullptr, nullptr, locks); 836 EXPECT_EQ(locks[DEVICE], 0x00); 837 } 838 839 TEST_F(AvbTest, ResetKeyNullTokenSignatureTest) 840 { 841 struct ResetMessage message; 842 int code; 843 844 uint32_t selector; 845 uint64_t nonce; 846 uint8_t device_data[AVB_DEVICE_DATA_SIZE]; 847 size_t len = sizeof(device_data); 848 849 // Get the selector 850 code = GetResetChallenge(client.get(), &selector, &nonce, 851 device_data, &len); 852 ASSERT_NO_ERROR(code, ""); 853 ASSERT_LT(selector, test_data::kResetSignatureCount); 854 855 memset(&message, 0, sizeof(message)); 856 // Now use a good one, but without getting a new nonce. 857 cout << "Testing key: " << selector << "\n"; 858 code = ProductionResetTest(selector, message.nonce, message.data, 32, 859 test_data::kResetSignatures[selector], 860 test_data::kResetSignatureLengths[selector]); 861 ASSERT_NO_ERROR(code, ""); 862 } 863 864 } // namespace 865
