1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include "avb_atx_validate.h" 26 27 #include <libavb/avb_rsa.h> 28 #include <libavb/avb_sha.h> 29 #include <libavb/avb_sysdeps.h> 30 #include <libavb/avb_util.h> 31 32 /* Computes the SHA256 |hash| of |length| bytes of |data|. */ 33 static void sha256(const uint8_t* data, 34 uint32_t length, 35 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 36 AvbSHA256Ctx context; 37 avb_sha256_init(&context); 38 avb_sha256_update(&context, data, length); 39 uint8_t* tmp = avb_sha256_final(&context); 40 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE); 41 } 42 43 /* Computes the SHA512 |hash| of |length| bytes of |data|. */ 44 static void sha512(const uint8_t* data, 45 uint32_t length, 46 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) { 47 AvbSHA512Ctx context; 48 avb_sha512_init(&context); 49 avb_sha512_update(&context, data, length); 50 uint8_t* tmp = avb_sha512_final(&context); 51 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE); 52 } 53 54 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */ 55 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { 56 sha256((const uint8_t*)str, avb_strlen(str), hash); 57 } 58 59 /* Verifies structure and |expected_hash| of permanent |attributes|. */ 60 static bool verify_permanent_attributes( 61 const AvbAtxPermanentAttributes* attributes, 62 uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) { 63 uint8_t hash[AVB_SHA256_DIGEST_SIZE]; 64 65 if (attributes->version != 1) { 66 avb_error("Unsupported permanent attributes version.\n"); 67 return false; 68 } 69 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash); 70 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) { 71 avb_error("Invalid permanent attributes.\n"); 72 return false; 73 } 74 return true; 75 } 76 77 /* Verifies the format, key version, usage, and signature of a certificate. */ 78 static bool verify_certificate(AvbAtxCertificate* certificate, 79 uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 80 uint64_t minimum_key_version, 81 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) { 82 const AvbAlgorithmData* algorithm_data; 83 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE]; 84 85 if (certificate->signed_data.version != 1) { 86 avb_error("Unsupported certificate format.\n"); 87 return false; 88 } 89 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096); 90 sha512((const uint8_t*)&certificate->signed_data, 91 sizeof(AvbAtxCertificateSignedData), 92 certificate_hash); 93 if (!avb_rsa_verify(authority, 94 AVB_ATX_PUBLIC_KEY_SIZE, 95 certificate->signature, 96 AVB_RSA4096_NUM_BYTES, 97 certificate_hash, 98 AVB_SHA512_DIGEST_SIZE, 99 algorithm_data->padding, 100 algorithm_data->padding_len)) { 101 avb_error("Invalid certificate signature.\n"); 102 return false; 103 } 104 if (certificate->signed_data.key_version < minimum_key_version) { 105 avb_error("Key rollback detected.\n"); 106 return false; 107 } 108 if (0 != avb_safe_memcmp(certificate->signed_data.usage, 109 expected_usage, 110 AVB_SHA256_DIGEST_SIZE)) { 111 avb_error("Invalid certificate usage.\n"); 112 return false; 113 } 114 return true; 115 } 116 117 /* Verifies signature and fields of a PIK certificate. */ 118 static bool verify_pik_certificate(AvbAtxCertificate* certificate, 119 uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 120 uint64_t minimum_version) { 121 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 122 123 sha256_str("com.google.android.things.vboot.ca", expected_usage); 124 if (!verify_certificate( 125 certificate, authority, minimum_version, expected_usage)) { 126 avb_error("Invalid PIK certificate.\n"); 127 return false; 128 } 129 return true; 130 } 131 132 /* Verifies signature and fields of a PSK certificate. */ 133 static bool verify_psk_certificate( 134 AvbAtxCertificate* certificate, 135 uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE], 136 uint64_t minimum_version, 137 uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) { 138 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE]; 139 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]; 140 141 sha256_str("com.google.android.things.vboot", expected_usage); 142 if (!verify_certificate( 143 certificate, authority, minimum_version, expected_usage)) { 144 avb_error("Invalid PSK certificate.\n"); 145 return false; 146 } 147 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject); 148 if (0 != avb_safe_memcmp(certificate->signed_data.subject, 149 expected_subject, 150 AVB_SHA256_DIGEST_SIZE)) { 151 avb_error("Product ID mismatch.\n"); 152 return false; 153 } 154 return true; 155 } 156 157 AvbIOResult avb_atx_validate_vbmeta_public_key( 158 AvbOps* ops, 159 const uint8_t* public_key_data, 160 size_t public_key_length, 161 const uint8_t* public_key_metadata, 162 size_t public_key_metadata_length, 163 bool* out_is_trusted) { 164 AvbIOResult result = AVB_IO_RESULT_OK; 165 AvbAtxPermanentAttributes permanent_attributes; 166 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE]; 167 AvbAtxPublicKeyMetadata metadata; 168 uint64_t minimum_version; 169 170 /* Be pessimistic so we can exit early without having to remember to clear. 171 */ 172 *out_is_trusted = false; 173 174 /* Read and verify permanent attributes. */ 175 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops, 176 &permanent_attributes); 177 if (result != AVB_IO_RESULT_OK) { 178 avb_error("Failed to read permanent attributes.\n"); 179 return result; 180 } 181 result = ops->atx_ops->read_permanent_attributes_hash( 182 ops->atx_ops, permanent_attributes_hash); 183 if (result != AVB_IO_RESULT_OK) { 184 avb_error("Failed to read permanent attributes hash.\n"); 185 return result; 186 } 187 if (!verify_permanent_attributes(&permanent_attributes, 188 permanent_attributes_hash)) { 189 return AVB_IO_RESULT_OK; 190 } 191 192 /* Sanity check public key metadata. */ 193 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) { 194 avb_error("Invalid public key metadata.\n"); 195 return AVB_IO_RESULT_OK; 196 } 197 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata)); 198 if (metadata.version != 1) { 199 avb_error("Unsupported public key metadata.\n"); 200 return AVB_IO_RESULT_OK; 201 } 202 203 /* Verify the PIK certificate. */ 204 result = ops->read_rollback_index( 205 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version); 206 if (result != AVB_IO_RESULT_OK) { 207 avb_error("Failed to read PIK minimum version.\n"); 208 return result; 209 } 210 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate, 211 permanent_attributes.product_root_public_key, 212 minimum_version)) { 213 return AVB_IO_RESULT_OK; 214 } 215 216 /* Verify the PSK certificate. */ 217 result = ops->read_rollback_index( 218 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version); 219 if (result != AVB_IO_RESULT_OK) { 220 avb_error("Failed to read PSK minimum version.\n"); 221 return result; 222 } 223 if (!verify_psk_certificate( 224 &metadata.product_signing_key_certificate, 225 metadata.product_intermediate_key_certificate.signed_data.public_key, 226 minimum_version, 227 permanent_attributes.product_id)) { 228 return AVB_IO_RESULT_OK; 229 } 230 231 /* Verify the PSK is the same key that verified vbmeta. */ 232 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) { 233 avb_error("Public key length mismatch.\n"); 234 return AVB_IO_RESULT_OK; 235 } 236 if (0 != avb_safe_memcmp( 237 metadata.product_signing_key_certificate.signed_data.public_key, 238 public_key_data, 239 AVB_ATX_PUBLIC_KEY_SIZE)) { 240 avb_error("Public key mismatch.\n"); 241 return AVB_IO_RESULT_OK; 242 } 243 244 /* Report the key versions used during verification. */ 245 ops->atx_ops->set_key_version( 246 ops->atx_ops, 247 AVB_ATX_PIK_VERSION_LOCATION, 248 metadata.product_intermediate_key_certificate.signed_data.key_version); 249 ops->atx_ops->set_key_version( 250 ops->atx_ops, 251 AVB_ATX_PSK_VERSION_LOCATION, 252 metadata.product_signing_key_certificate.signed_data.key_version); 253 254 *out_is_trusted = true; 255 return AVB_IO_RESULT_OK; 256 } 257