1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <ctype.h> 18 #include <stdlib.h> 19 #include <android-base/strings.h> 20 #include "fec_private.h" 21 22 /* converts a hex nibble into an int */ 23 static inline int hextobin(char c) 24 { 25 if (c >= '0' && c <= '9') { 26 return c - '0'; 27 } else if (c >= 'a' && c <= 'f') { 28 return c - 'a' + 10; 29 } else { 30 errno = EINVAL; 31 return -1; 32 } 33 } 34 35 /* converts a hex string `src' of `size' characters to binary and copies the 36 the result into `dst' */ 37 static int parse_hex(uint8_t *dst, uint32_t size, const char *src) 38 { 39 int l, h; 40 41 check(dst); 42 check(src); 43 check(2 * size == strlen(src)); 44 45 while (size) { 46 h = hextobin(tolower(*src++)); 47 l = hextobin(tolower(*src++)); 48 49 check(l >= 0); 50 check(h >= 0); 51 52 *dst++ = (h << 4) | l; 53 --size; 54 } 55 56 return 0; 57 } 58 59 /* parses a 64-bit unsigned integer from string `src' into `dst' and if 60 `maxval' is >0, checks that `dst' <= `maxval' */ 61 static int parse_uint64(const char *src, uint64_t maxval, uint64_t *dst) 62 { 63 char *end; 64 unsigned long long int value; 65 66 check(src); 67 check(dst); 68 69 errno = 0; 70 value = strtoull(src, &end, 0); 71 72 if (*src == '\0' || *end != '\0' || 73 (errno == ERANGE && value == ULLONG_MAX)) { 74 errno = EINVAL; 75 return -1; 76 } 77 78 if (maxval && value > maxval) { 79 errno = EINVAL; 80 return -1; 81 } 82 83 *dst = (uint64_t)value; 84 return 0; 85 } 86 87 /* computes the size of verity hash tree for `file_size' bytes and returns the 88 number of hash tree levels in `verity_levels,' and the number of hashes per 89 level in `level_hashes', if the parameters are non-NULL */ 90 uint64_t verity_get_size(uint64_t file_size, uint32_t *verity_levels, 91 uint32_t *level_hashes) 92 { 93 /* we assume a known metadata size, 4 KiB block size, and SHA-256 to avoid 94 relying on disk content */ 95 96 uint32_t level = 0; 97 uint64_t total = 0; 98 uint64_t hashes = file_size / FEC_BLOCKSIZE; 99 100 do { 101 if (level_hashes) { 102 level_hashes[level] = hashes; 103 } 104 105 hashes = fec_div_round_up(hashes * SHA256_DIGEST_LENGTH, FEC_BLOCKSIZE); 106 total += hashes; 107 108 ++level; 109 } while (hashes > 1); 110 111 if (verity_levels) { 112 *verity_levels = level; 113 } 114 115 return total * FEC_BLOCKSIZE; 116 } 117 118 /* computes a SHA-256 salted with `f->verity.salt' from a FEC_BLOCKSIZE byte 119 buffer `block', and copies the hash to `hash' */ 120 static inline int verity_hash(fec_handle *f, const uint8_t *block, 121 uint8_t *hash) 122 { 123 SHA256_CTX ctx; 124 SHA256_Init(&ctx); 125 126 check(f); 127 check(f->verity.salt); 128 SHA256_Update(&ctx, f->verity.salt, f->verity.salt_size); 129 130 check(block); 131 SHA256_Update(&ctx, block, FEC_BLOCKSIZE); 132 133 check(hash); 134 SHA256_Final(hash, &ctx); 135 return 0; 136 } 137 138 /* computes a verity hash for FEC_BLOCKSIZE bytes from buffer `block' and 139 compares it to the expected value in `expected' */ 140 bool verity_check_block(fec_handle *f, const uint8_t *expected, 141 const uint8_t *block) 142 { 143 check(f); 144 check(block); 145 146 uint8_t hash[SHA256_DIGEST_LENGTH]; 147 148 if (unlikely(verity_hash(f, block, hash) == -1)) { 149 error("failed to hash"); 150 return false; 151 } 152 153 check(expected); 154 return !memcmp(expected, hash, SHA256_DIGEST_LENGTH); 155 } 156 157 /* reads a verity hash and the corresponding data block using error correction, 158 if available */ 159 static bool ecc_read_hashes(fec_handle *f, uint64_t hash_offset, 160 uint8_t *hash, uint64_t data_offset, uint8_t *data) 161 { 162 check(f); 163 164 if (hash && fec_pread(f, hash, SHA256_DIGEST_LENGTH, hash_offset) != 165 SHA256_DIGEST_LENGTH) { 166 error("failed to read hash tree: offset %" PRIu64 ": %s", hash_offset, 167 strerror(errno)); 168 return false; 169 } 170 171 check(data); 172 173 if (fec_pread(f, data, FEC_BLOCKSIZE, data_offset) != FEC_BLOCKSIZE) { 174 error("failed to read hash tree: data_offset %" PRIu64 ": %s", 175 data_offset, strerror(errno)); 176 return false; 177 } 178 179 return true; 180 } 181 182 /* reads the verity hash tree, validates it against the root hash in `root', 183 corrects errors if necessary, and copies valid data blocks for later use 184 to `f->verity.hash' */ 185 static int verify_tree(fec_handle *f, const uint8_t *root) 186 { 187 uint8_t data[FEC_BLOCKSIZE]; 188 uint8_t hash[SHA256_DIGEST_LENGTH]; 189 190 check(f); 191 check(root); 192 193 verity_info *v = &f->verity; 194 uint32_t levels = 0; 195 196 /* calculate the size and the number of levels in the hash tree */ 197 v->hash_size = 198 verity_get_size(v->data_blocks * FEC_BLOCKSIZE, &levels, NULL); 199 200 check(v->hash_start < UINT64_MAX - v->hash_size); 201 check(v->hash_start + v->hash_size <= f->data_size); 202 203 uint64_t hash_offset = v->hash_start; 204 uint64_t data_offset = hash_offset + FEC_BLOCKSIZE; 205 206 v->hash_data_offset = data_offset; 207 208 /* validate the root hash */ 209 if (!raw_pread(f, data, FEC_BLOCKSIZE, hash_offset) || 210 !verity_check_block(f, root, data)) { 211 /* try to correct */ 212 if (!ecc_read_hashes(f, 0, NULL, hash_offset, data) || 213 !verity_check_block(f, root, data)) { 214 error("root hash invalid"); 215 return -1; 216 } else if (f->mode & O_RDWR && 217 !raw_pwrite(f, data, FEC_BLOCKSIZE, hash_offset)) { 218 error("failed to rewrite the root block: %s", strerror(errno)); 219 return -1; 220 } 221 } 222 223 debug("root hash valid"); 224 225 /* calculate the number of hashes on each level */ 226 uint32_t hashes[levels]; 227 228 verity_get_size(v->data_blocks * FEC_BLOCKSIZE, NULL, hashes); 229 230 /* calculate the size and offset for the data hashes */ 231 for (uint32_t i = 1; i < levels; ++i) { 232 uint32_t blocks = hashes[levels - i]; 233 debug("%u hash blocks on level %u", blocks, levels - i); 234 235 v->hash_data_offset = data_offset; 236 v->hash_data_blocks = blocks; 237 238 data_offset += blocks * FEC_BLOCKSIZE; 239 } 240 241 check(v->hash_data_blocks); 242 check(v->hash_data_blocks <= v->hash_size / FEC_BLOCKSIZE); 243 244 check(v->hash_data_offset); 245 check(v->hash_data_offset <= 246 UINT64_MAX - (v->hash_data_blocks * FEC_BLOCKSIZE)); 247 check(v->hash_data_offset < f->data_size); 248 check(v->hash_data_offset + v->hash_data_blocks * FEC_BLOCKSIZE <= 249 f->data_size); 250 251 /* copy data hashes to memory in case they are corrupted, so we don't 252 have to correct them every time they are needed */ 253 std::unique_ptr<uint8_t[]> data_hashes( 254 new (std::nothrow) uint8_t[f->verity.hash_data_blocks * FEC_BLOCKSIZE]); 255 256 if (!data_hashes) { 257 errno = ENOMEM; 258 return -1; 259 } 260 261 /* validate the rest of the hash tree */ 262 data_offset = hash_offset + FEC_BLOCKSIZE; 263 264 for (uint32_t i = 1; i < levels; ++i) { 265 uint32_t blocks = hashes[levels - i]; 266 267 for (uint32_t j = 0; j < blocks; ++j) { 268 /* ecc reads are very I/O intensive, so read raw hash tree and do 269 error correcting only if it doesn't validate */ 270 if (!raw_pread(f, hash, SHA256_DIGEST_LENGTH, 271 hash_offset + j * SHA256_DIGEST_LENGTH) || 272 !raw_pread(f, data, FEC_BLOCKSIZE, 273 data_offset + j * FEC_BLOCKSIZE)) { 274 error("failed to read hashes: %s", strerror(errno)); 275 return -1; 276 } 277 278 if (!verity_check_block(f, hash, data)) { 279 /* try to correct */ 280 if (!ecc_read_hashes(f, 281 hash_offset + j * SHA256_DIGEST_LENGTH, hash, 282 data_offset + j * FEC_BLOCKSIZE, data) || 283 !verity_check_block(f, hash, data)) { 284 error("invalid hash tree: hash_offset %" PRIu64 ", " 285 "data_offset %" PRIu64 ", block %u", 286 hash_offset, data_offset, j); 287 return -1; 288 } 289 290 /* update the corrected blocks to the file if we are in r/w 291 mode */ 292 if (f->mode & O_RDWR) { 293 if (!raw_pwrite(f, hash, SHA256_DIGEST_LENGTH, 294 hash_offset + j * SHA256_DIGEST_LENGTH) || 295 !raw_pwrite(f, data, FEC_BLOCKSIZE, 296 data_offset + j * FEC_BLOCKSIZE)) { 297 error("failed to write hashes: %s", strerror(errno)); 298 return -1; 299 } 300 } 301 } 302 303 if (blocks == v->hash_data_blocks) { 304 memcpy(data_hashes.get() + j * FEC_BLOCKSIZE, data, 305 FEC_BLOCKSIZE); 306 } 307 } 308 309 hash_offset = data_offset; 310 data_offset += blocks * FEC_BLOCKSIZE; 311 } 312 313 debug("valid"); 314 315 v->hash = data_hashes.release(); 316 return 0; 317 } 318 319 /* reads, corrects and parses the verity table, validates parameters, and if 320 `f->flags' does not have `FEC_VERITY_DISABLE' set, calls `verify_tree' to 321 load and validate the hash tree */ 322 static int parse_table(fec_handle *f, uint64_t offset, uint32_t size) 323 { 324 check(f); 325 check(size >= VERITY_MIN_TABLE_SIZE); 326 check(size <= VERITY_MAX_TABLE_SIZE); 327 328 debug("offset = %" PRIu64 ", size = %u", offset, size); 329 330 verity_info *v = &f->verity; 331 std::unique_ptr<char[]> table(new (std::nothrow) char[size + 1]); 332 333 if (!table) { 334 errno = ENOMEM; 335 return -1; 336 } 337 338 if (fec_pread(f, table.get(), size, offset) != (ssize_t)size) { 339 error("failed to read verity table: %s", strerror(errno)); 340 return -1; 341 } 342 343 table[size] = '\0'; 344 debug("verity table: '%s'", table.get()); 345 346 int i = 0; 347 std::unique_ptr<uint8_t[]> salt; 348 uint8_t root[SHA256_DIGEST_LENGTH]; 349 350 auto tokens = android::base::Split(table.get(), " "); 351 352 for (const auto token : tokens) { 353 switch (i++) { 354 case 0: /* version */ 355 if (token != stringify(VERITY_TABLE_VERSION)) { 356 error("unsupported verity table version: %s", token.c_str()); 357 return -1; 358 } 359 break; 360 case 3: /* data_block_size */ 361 case 4: /* hash_block_size */ 362 /* assume 4 KiB block sizes for everything */ 363 if (token != stringify(FEC_BLOCKSIZE)) { 364 error("unsupported verity block size: %s", token.c_str()); 365 return -1; 366 } 367 break; 368 case 5: /* num_data_blocks */ 369 if (parse_uint64(token.c_str(), f->data_size / FEC_BLOCKSIZE, 370 &v->data_blocks) == -1) { 371 error("invalid number of verity data blocks: %s", 372 token.c_str()); 373 return -1; 374 } 375 break; 376 case 6: /* hash_start_block */ 377 if (parse_uint64(token.c_str(), f->data_size / FEC_BLOCKSIZE, 378 &v->hash_start) == -1) { 379 error("invalid verity hash start block: %s", token.c_str()); 380 return -1; 381 } 382 383 v->hash_start *= FEC_BLOCKSIZE; 384 break; 385 case 7: /* algorithm */ 386 if (token != "sha256") { 387 error("unsupported verity hash algorithm: %s", token.c_str()); 388 return -1; 389 } 390 break; 391 case 8: /* digest */ 392 if (parse_hex(root, sizeof(root), token.c_str()) == -1) { 393 error("invalid verity root hash: %s", token.c_str()); 394 return -1; 395 } 396 break; 397 case 9: /* salt */ 398 v->salt_size = token.size(); 399 check(v->salt_size % 2 == 0); 400 v->salt_size /= 2; 401 402 salt.reset(new (std::nothrow) uint8_t[v->salt_size]); 403 404 if (!salt) { 405 errno = ENOMEM; 406 return -1; 407 } 408 409 if (parse_hex(salt.get(), v->salt_size, token.c_str()) == -1) { 410 error("invalid verity salt: %s", token.c_str()); 411 return -1; 412 } 413 break; 414 default: 415 break; 416 } 417 } 418 419 if (i < VERITY_TABLE_ARGS) { 420 error("not enough arguments in verity table: %d; expected at least " 421 stringify(VERITY_TABLE_ARGS), i); 422 return -1; 423 } 424 425 check(v->hash_start < f->data_size); 426 427 if (v->metadata_start < v->hash_start) { 428 check(v->data_blocks == v->metadata_start / FEC_BLOCKSIZE); 429 } else { 430 check(v->data_blocks == v->hash_start / FEC_BLOCKSIZE); 431 } 432 433 v->salt = salt.release(); 434 v->table = table.release(); 435 436 if (!(f->flags & FEC_VERITY_DISABLE)) { 437 if (verify_tree(f, root) == -1) { 438 return -1; 439 } 440 441 check(v->hash); 442 443 uint8_t zero_block[FEC_BLOCKSIZE]; 444 memset(zero_block, 0, FEC_BLOCKSIZE); 445 446 if (verity_hash(f, zero_block, v->zero_hash) == -1) { 447 error("failed to hash"); 448 return -1; 449 } 450 } 451 452 return 0; 453 } 454 455 /* rewrites verity metadata block using error corrected data in `f->verity' */ 456 static int rewrite_metadata(fec_handle *f, uint64_t offset) 457 { 458 check(f); 459 check(f->data_size > VERITY_METADATA_SIZE); 460 check(offset <= f->data_size - VERITY_METADATA_SIZE); 461 462 std::unique_ptr<uint8_t[]> metadata( 463 new (std::nothrow) uint8_t[VERITY_METADATA_SIZE]); 464 465 if (!metadata) { 466 errno = ENOMEM; 467 return -1; 468 } 469 470 memset(metadata.get(), 0, VERITY_METADATA_SIZE); 471 472 verity_info *v = &f->verity; 473 memcpy(metadata.get(), &v->header, sizeof(v->header)); 474 475 check(v->table); 476 size_t len = strlen(v->table); 477 478 check(sizeof(v->header) + len <= VERITY_METADATA_SIZE); 479 memcpy(metadata.get() + sizeof(v->header), v->table, len); 480 481 return raw_pwrite(f, metadata.get(), VERITY_METADATA_SIZE, offset); 482 } 483 484 static int validate_header(const fec_handle *f, const verity_header *header, 485 uint64_t offset) 486 { 487 check(f); 488 check(header); 489 490 if (header->magic != VERITY_MAGIC && 491 header->magic != VERITY_MAGIC_DISABLE) { 492 return -1; 493 } 494 495 if (header->version != VERITY_VERSION) { 496 error("unsupported verity version %u", header->version); 497 return -1; 498 } 499 500 if (header->length < VERITY_MIN_TABLE_SIZE || 501 header->length > VERITY_MAX_TABLE_SIZE) { 502 error("invalid verity table size: %u; expected [" 503 stringify(VERITY_MIN_TABLE_SIZE) ", " 504 stringify(VERITY_MAX_TABLE_SIZE) ")", header->length); 505 return -1; 506 } 507 508 /* signature is skipped, because for our purposes it won't matter from 509 where the data originates; the caller of the library is responsible 510 for signature verification */ 511 512 if (offset > UINT64_MAX - header->length) { 513 error("invalid verity table length: %u", header->length); 514 return -1; 515 } else if (offset + header->length >= f->data_size) { 516 error("invalid verity table length: %u", header->length); 517 return -1; 518 } 519 520 return 0; 521 } 522 523 /* attempts to read verity metadata from `f->fd' position `offset'; if in r/w 524 mode, rewrites the metadata if it had errors */ 525 int verity_parse_header(fec_handle *f, uint64_t offset) 526 { 527 check(f); 528 check(f->data_size > VERITY_METADATA_SIZE); 529 530 if (offset > f->data_size - VERITY_METADATA_SIZE) { 531 debug("failed to read verity header: offset %" PRIu64 " is too far", 532 offset); 533 return -1; 534 } 535 536 verity_info *v = &f->verity; 537 uint64_t errors = f->errors; 538 539 if (!raw_pread(f, &v->header, sizeof(v->header), offset)) { 540 error("failed to read verity header: %s", strerror(errno)); 541 return -1; 542 } 543 544 /* use raw data to check for the alternative magic, because it will 545 be error corrected to VERITY_MAGIC otherwise */ 546 if (v->header.magic == VERITY_MAGIC_DISABLE) { 547 /* this value is not used by us, but can be used by a caller to 548 decide whether dm-verity should be enabled */ 549 v->disabled = true; 550 } 551 552 if (fec_pread(f, &v->ecc_header, sizeof(v->ecc_header), offset) != 553 sizeof(v->ecc_header)) { 554 warn("failed to read verity header: %s", strerror(errno)); 555 return -1; 556 } 557 558 if (validate_header(f, &v->header, offset)) { 559 /* raw verity header is invalid; this could be due to corruption, or 560 due to missing verity metadata */ 561 562 if (validate_header(f, &v->ecc_header, offset)) { 563 return -1; /* either way, we cannot recover */ 564 } 565 566 /* report mismatching fields */ 567 if (!v->disabled && v->header.magic != v->ecc_header.magic) { 568 warn("corrected verity header magic"); 569 v->header.magic = v->ecc_header.magic; 570 } 571 572 if (v->header.version != v->ecc_header.version) { 573 warn("corrected verity header version"); 574 v->header.version = v->ecc_header.version; 575 } 576 577 if (v->header.length != v->ecc_header.length) { 578 warn("corrected verity header length"); 579 v->header.length = v->ecc_header.length; 580 } 581 582 if (memcmp(v->header.signature, v->ecc_header.signature, 583 sizeof(v->header.signature))) { 584 warn("corrected verity header signature"); 585 /* we have no way of knowing which signature is correct, if either 586 of them is */ 587 } 588 } 589 590 v->metadata_start = offset; 591 592 if (parse_table(f, offset + sizeof(v->header), v->header.length) == -1) { 593 return -1; 594 } 595 596 /* if we corrected something while parsing metadata and we are in r/w 597 mode, rewrite the corrected metadata */ 598 if (f->mode & O_RDWR && f->errors > errors && 599 rewrite_metadata(f, offset) < 0) { 600 warn("failed to rewrite verity metadata: %s", strerror(errno)); 601 } 602 603 if (v->metadata_start < v->hash_start) { 604 f->data_size = v->metadata_start; 605 } else { 606 f->data_size = v->hash_start; 607 } 608 609 return 0; 610 } 611 612 int fec_verity_set_status(struct fec_handle *f, bool enabled) 613 { 614 check(f); 615 616 if (!(f->mode & O_RDWR)) { 617 error("cannot update verity magic: read-only handle"); 618 errno = EBADF; 619 return -1; 620 } 621 622 verity_info *v = &f->verity; 623 624 if (!v->metadata_start) { 625 error("cannot update verity magic: no metadata found"); 626 errno = EINVAL; 627 return -1; 628 } 629 630 if (v->disabled == !enabled) { 631 return 0; /* nothing to do */ 632 } 633 634 uint32_t magic = enabled ? VERITY_MAGIC : VERITY_MAGIC_DISABLE; 635 636 if (!raw_pwrite(f, &magic, sizeof(magic), v->metadata_start)) { 637 error("failed to update verity magic to %08x: %s", magic, 638 strerror(errno)); 639 return -1; 640 } 641 642 warn("updated verity magic to %08x (%s)", magic, 643 enabled ? "enabled" : "disabled"); 644 v->disabled = !enabled; 645 646 return 0; 647 } 648
