      1 /* Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
      2  * Use of this source code is governed by a BSD-style license that can be
      3  * found in the LICENSE file.
      4  *
      5  * Data structure definitions for verified boot, for on-disk / in-eeprom
      6  * data.
      7  */
      8 
      9 #ifndef VBOOT_REFERENCE_VBOOT_2STRUCT_H_
     10 #define VBOOT_REFERENCE_VBOOT_2STRUCT_H_
     11 #include <stdint.h>
     12 #include "2crypto.h"
     13 
/*
 * Key block flags.
 *
 * The following flags set where the key is valid.  Not used by firmware
 * verification; only kernel verification.
 *
 * Each boot condition (developer switch, recovery mode) has one bit for its
 * "off" state and one for its "on" state.
 * NOTE(review): presumably a key block sets both bits of a pair when it is
 * valid in either state - confirm against the kernel verification code.
 */
#define VB2_KEY_BLOCK_FLAG_DEVELOPER_0  0x01 /* Developer switch off */
#define VB2_KEY_BLOCK_FLAG_DEVELOPER_1  0x02 /* Developer switch on */
#define VB2_KEY_BLOCK_FLAG_RECOVERY_0   0x04 /* Not recovery mode */
#define VB2_KEY_BLOCK_FLAG_RECOVERY_1   0x08 /* Recovery mode */
/*
 * Size in bytes of the HWID digest arrays in vb2_shared_data and
 * vb2_gbb_header (the latter is documented as a SHA-256 of the HWID).
 */
#define VB2_GBB_HWID_DIGEST_SIZE	32
     25 
     26 /****************************************************************************/
     27 
/* Bit values stored in vb2_shared_data.flags */
enum vb2_shared_data_flags {
	/* Bit 0: the user explicitly and physically asked for recovery */
	VB2_SD_FLAG_MANUAL_RECOVERY = 0x1,

	/* Bit 1: developer mode is enabled */
	VB2_SD_DEV_MODE_ENABLED = 0x2,

	/*
	 * TODO: it might be nice to add flags recording why dev mode is
	 * enabled - via gbb, virtual dev switch, or forced on for testing.
	 */
};
     41 
/* Bit values stored in vb2_shared_data.status */
enum vb2_shared_data_status {
	/* Bit 0: NV data was reinitialized because its checksum was invalid */
	VB2_SD_STATUS_NV_REINIT = 0x1,

	/* Bit 1: NV data has been initialized */
	VB2_SD_STATUS_NV_INIT = 0x2,

	/* Bit 2: secure data has been initialized */
	VB2_SD_STATUS_SECDATA_INIT = 0x4,

	/* Bit 3: a firmware slot has been chosen */
	VB2_SD_STATUS_CHOSE_SLOT = 0x8,
};
     56 
/*
 * Data shared between vboot API calls.  Stored at the start of the work
 * buffer.
 *
 * The struct is declared packed, so the compiler inserts no padding and the
 * layout is exactly the fields below in declaration order.
 */
struct vb2_shared_data {
	/* Flags; see enum vb2_shared_data_flags */
	uint32_t flags;

	/* Flags from GBB header (see enum vb2_gbb_flag) */
	uint32_t gbb_flags;

	/*
	 * Reason we are in recovery mode this boot (enum vb2_nv_recovery), or
	 * 0 if we aren't.
	 */
	uint32_t recovery_reason;

	/* Firmware slot used last boot (0=A, 1=B) */
	uint32_t last_fw_slot;

	/* Result of last boot (enum vb2_fw_result) */
	uint32_t last_fw_result;

	/* Firmware slot used this boot */
	uint32_t fw_slot;

	/*
	 * Version for this slot (top 16 bits = key, lower 16 bits = firmware).
	 *
	 * TODO: Make this a union to allow getting/setting those versions
	 * separately?
	 */
	uint32_t fw_version;

	/*
	 * Version stored in secdata (must be <= fw_version to boot).
	 * NOTE(review): this comparison looks like the firmware rollback
	 * check; confirm how VB2_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK interacts
	 * with it in the code that uses this field.
	 */
	uint32_t fw_version_secdata;

	/*
	 * Status flags for this boot; see enum vb2_shared_data_status.  Status
	 * is "what we've done"; flags above are "decisions we've made".
	 */
	uint32_t status;

	/**********************************************************************
	 * Temporary variables used during firmware verification.  These don't
	 * really need to persist through to the OS, but there's nowhere else
	 * we can put them.
	 */

	/*
	 * Root key offset and size from GBB header.
	 * NOTE(review): these values originate in the GBB; presumably the code
	 * that reads the root key checks offset + size against the GBB region
	 * first - confirm in the caller.
	 */
	uint32_t gbb_rootkey_offset;
	uint32_t gbb_rootkey_size;

	/* HWID digest from GBB header */
	uint8_t gbb_hwid_digest[VB2_GBB_HWID_DIGEST_SIZE];

	/* Offset of preamble from start of vblock */
	uint32_t vblock_preamble_offset;

	/*
	 * Offset and size of packed data key in work buffer.  Size is 0 if
	 * data key is not stored in the work buffer.
	 */
	uint32_t workbuf_data_key_offset;
	uint32_t workbuf_data_key_size;

	/*
	 * Offset and size of firmware preamble in work buffer.  Size is 0 if
	 * preamble is not stored in the work buffer.
	 */
	uint32_t workbuf_preamble_offset;
	uint32_t workbuf_preamble_size;

	/*
	 * Offset and size of hash context in work buffer.  Size is 0 if
	 * hash context is not stored in the work buffer.
	 */
	uint32_t workbuf_hash_offset;
	uint32_t workbuf_hash_size;

	/*
	 * Current tag we're hashing
	 *
	 * For new structs, this is the offset of the vb2_signature struct
	 * in the work buffer.
	 *
	 * TODO: rename to workbuf_hash_sig_offset when vboot1 structs are
	 * deprecated.
	 */
	uint32_t hash_tag;

	/* Amount of data we still expect to hash */
	uint32_t hash_remaining_size;

} __attribute__((packed));
    152 
    153 /****************************************************************************/
    154 
/*
 * Signature at start of the GBB.
 *
 * Note that if you compile in the signature as is, you are likely to break any
 * tools that search for the signature.
 *
 * VB2_GBB_XOR_SIGNATURE holds each byte of VB2_GBB_SIGNATURE XORed with the
 * matching byte of VB2_GBB_XOR_CHARS ('$'^'*' = 0x0e, 'G'^'*' = 0x6d,
 * 'B'^'*' = 0x68).  It is written out by hand, so it must be updated together
 * with the two strings.
 * NOTE(review): presumably the masked form exists so code can match the
 * signature without embedding the literal "$GBB" - confirm in the users of
 * these macros.
 */
#define VB2_GBB_SIGNATURE "$GBB"
#define VB2_GBB_SIGNATURE_SIZE 4
#define VB2_GBB_XOR_CHARS "****"
/* TODO: can we write a macro to produce this at compile time? */
#define VB2_GBB_XOR_SIGNATURE { 0x0e, 0x6d, 0x68, 0x68 }

/* VB2 GBB struct version */
#define VB2_GBB_MAJOR_VER      1
#define VB2_GBB_MINOR_VER      2
/* v1.2 - added fields for sha256 digest of the HWID */
    168 
/*
 * Bit values stored in vb2_gbb_header.flags.
 *
 * Several flags below switch off or override a boot-time check, so the value
 * found in a shipped image is worth auditing.
 */
enum vb2_gbb_flag {
	/*
	 * Bit 0: shorten the dev screen delay from 30 sec to 2 sec to speed
	 * up factory.
	 */
	VB2_GBB_FLAG_DEV_SCREEN_SHORT_DELAY = 0x001,

	/*
	 * Bit 1: BIOS should load option ROMs from arbitrary PCI devices.
	 * We'll never enable this ourselves because it executes non-verified
	 * code, but a customer who wants to void their warranty and set this
	 * flag in the read-only flash should be able to do so.
	 */
	VB2_GBB_FLAG_LOAD_OPTION_ROMS = 0x002,

	/*
	 * Bit 2: allow the BIOS to boot a non-ChromeOS kernel when the
	 * dev-switch is on; the factory flow may need this.
	 */
	VB2_GBB_FLAG_ENABLE_ALTERNATE_OS = 0x004,

	/*
	 * Bit 3: force the dev switch on, regardless of the physical/keyboard
	 * dev switch position.
	 */
	VB2_GBB_FLAG_FORCE_DEV_SWITCH_ON = 0x008,

	/* Bit 4: allow booting from USB in dev mode even if dev_boot_usb=0. */
	VB2_GBB_FLAG_FORCE_DEV_BOOT_USB = 0x010,

	/* Bit 5: disable firmware rollback protection. */
	VB2_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK = 0x020,

	/* Bit 6: allow Enter key to trigger dev->tonorm screen transition */
	VB2_GBB_FLAG_ENTER_TRIGGERS_TONORM = 0x040,

	/*
	 * Bit 7: allow booting Legacy OSes in dev mode even if
	 * dev_boot_legacy=0.
	 */
	VB2_GBB_FLAG_FORCE_DEV_BOOT_LEGACY = 0x080,

	/*
	 * Bit 8: allow booting using alternate keys for FAFT servo testing.
	 * The "OVERIDE" spelling is part of the identifier; do not correct it
	 * here without updating every user.
	 */
	VB2_GBB_FLAG_FAFT_KEY_OVERIDE = 0x100,

	/* Bit 9: disable EC software sync */
	VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC = 0x200,

	/* Bit 10: default to booting legacy OS when dev screen times out */
	VB2_GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY = 0x400,

	/* Bit 11: disable PD software sync */
	VB2_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC = 0x800,
};
    221 
/*
 * Header at the start of the GBB.
 *
 * Declared packed, so the layout is exactly the fields below in order:
 * 16 bytes (signature through flags) + 32 bytes (four offset/size pairs) +
 * 32 bytes (hwid_digest) + 48 bytes (pad) = 128 bytes, matching
 * EXPECTED_VB2_GBB_HEADER_SIZE.
 *
 * NOTE(review): nothing in this header enforces that size at compile time;
 * confirm a check of sizeof(struct vb2_gbb_header) against
 * EXPECTED_VB2_GBB_HEADER_SIZE exists elsewhere, or add one, so a field
 * change cannot silently alter the layout.
 */
struct vb2_gbb_header {
	/* Fields present in version 1.1 */
	uint8_t  signature[VB2_GBB_SIGNATURE_SIZE]; /* VB2_GBB_SIGNATURE */
	uint16_t major_version;   /* See VB2_GBB_MAJOR_VER */
	uint16_t minor_version;   /* See VB2_GBB_MINOR_VER */
	uint32_t header_size;     /* Size of GBB header in bytes */
	uint32_t flags;           /* Flags (see enum vb2_gbb_flag) */

	/*
	 * Offsets (from start of header) and sizes (in bytes) of components.
	 * NOTE(review): presumably the parser validates each offset + size
	 * against the GBB region before use - confirm in the code that reads
	 * this header.
	 */
	uint32_t hwid_offset;		/* HWID */
	uint32_t hwid_size;
	uint32_t rootkey_offset;	/* Root key */
	uint32_t rootkey_size;
	uint32_t bmpfv_offset;		/* BMP FV */
	uint32_t bmpfv_size;
	uint32_t recovery_key_offset;	/* Recovery key */
	uint32_t recovery_key_size;

	/* Added in version 1.2 */
	uint8_t  hwid_digest[VB2_GBB_HWID_DIGEST_SIZE];	/* SHA-256 of HWID */

	/* Pad to match EXPECTED_VB2_GBB_HEADER_SIZE.  Initialize to 0. */
	uint8_t  pad[48];
} __attribute__((packed));

/* The GBB is used outside of vboot_reference, so this size is important. */
#define EXPECTED_VB2_GBB_HEADER_SIZE 128
    249 
    250 #endif  /* VBOOT_REFERENCE_VBOOT_2STRUCT_H_ */
    251