1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation
6 * files (the "Software"), to deal in the Software without
7 * restriction, including without limitation the rights to use, copy,
8 * modify, merge, publish, distribute, sublicense, and/or sell copies
9 * of the Software, and to permit persons to whom the Software is
10 * furnished to do so, subject to the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "avb_atx_validate.h"
26
27 #include <libavb/avb_rsa.h>
28 #include <libavb/avb_sha.h>
29 #include <libavb/avb_sysdeps.h>
30 #include <libavb/avb_util.h>
31
32 /* The most recent unlock challenge generated. */
33 static uint8_t last_unlock_challenge[AVB_ATX_UNLOCK_CHALLENGE_SIZE];
34 static bool last_unlock_challenge_set = false;
35
36 /* Computes the SHA256 |hash| of |length| bytes of |data|. */
sha256(const uint8_t * data,uint32_t length,uint8_t hash[AVB_SHA256_DIGEST_SIZE])37 static void sha256(const uint8_t* data,
38 uint32_t length,
39 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) {
40 AvbSHA256Ctx context;
41 avb_sha256_init(&context);
42 avb_sha256_update(&context, data, length);
43 uint8_t* tmp = avb_sha256_final(&context);
44 avb_memcpy(hash, tmp, AVB_SHA256_DIGEST_SIZE);
45 }
46
47 /* Computes the SHA512 |hash| of |length| bytes of |data|. */
sha512(const uint8_t * data,uint32_t length,uint8_t hash[AVB_SHA512_DIGEST_SIZE])48 static void sha512(const uint8_t* data,
49 uint32_t length,
50 uint8_t hash[AVB_SHA512_DIGEST_SIZE]) {
51 AvbSHA512Ctx context;
52 avb_sha512_init(&context);
53 avb_sha512_update(&context, data, length);
54 uint8_t* tmp = avb_sha512_final(&context);
55 avb_memcpy(hash, tmp, AVB_SHA512_DIGEST_SIZE);
56 }
57
58 /* Computes the SHA256 |hash| of a NUL-terminated |str|. */
sha256_str(const char * str,uint8_t hash[AVB_SHA256_DIGEST_SIZE])59 static void sha256_str(const char* str, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) {
60 sha256((const uint8_t*)str, avb_strlen(str), hash);
61 }
62
63 /* Verifies structure and |expected_hash| of permanent |attributes|. */
verify_permanent_attributes(const AvbAtxPermanentAttributes * attributes,const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE])64 static bool verify_permanent_attributes(
65 const AvbAtxPermanentAttributes* attributes,
66 const uint8_t expected_hash[AVB_SHA256_DIGEST_SIZE]) {
67 uint8_t hash[AVB_SHA256_DIGEST_SIZE];
68
69 if (attributes->version != 1) {
70 avb_error("Unsupported permanent attributes version.\n");
71 return false;
72 }
73 sha256((const uint8_t*)attributes, sizeof(AvbAtxPermanentAttributes), hash);
74 if (0 != avb_safe_memcmp(hash, expected_hash, AVB_SHA256_DIGEST_SIZE)) {
75 avb_error("Invalid permanent attributes.\n");
76 return false;
77 }
78 return true;
79 }
80
81 /* Verifies the format, key version, usage, and signature of a certificate. */
verify_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_key_version,const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE])82 static bool verify_certificate(
83 const AvbAtxCertificate* certificate,
84 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
85 uint64_t minimum_key_version,
86 const uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE]) {
87 const AvbAlgorithmData* algorithm_data;
88 uint8_t certificate_hash[AVB_SHA512_DIGEST_SIZE];
89
90 if (certificate->signed_data.version != 1) {
91 avb_error("Unsupported certificate format.\n");
92 return false;
93 }
94 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096);
95 sha512((const uint8_t*)&certificate->signed_data,
96 sizeof(AvbAtxCertificateSignedData),
97 certificate_hash);
98 if (!avb_rsa_verify(authority,
99 AVB_ATX_PUBLIC_KEY_SIZE,
100 certificate->signature,
101 AVB_RSA4096_NUM_BYTES,
102 certificate_hash,
103 AVB_SHA512_DIGEST_SIZE,
104 algorithm_data->padding,
105 algorithm_data->padding_len)) {
106 avb_error("Invalid certificate signature.\n");
107 return false;
108 }
109 if (certificate->signed_data.key_version < minimum_key_version) {
110 avb_error("Key rollback detected.\n");
111 return false;
112 }
113 if (0 != avb_safe_memcmp(certificate->signed_data.usage,
114 expected_usage,
115 AVB_SHA256_DIGEST_SIZE)) {
116 avb_error("Invalid certificate usage.\n");
117 return false;
118 }
119 return true;
120 }
121
122 /* Verifies signature and fields of a PIK certificate. */
verify_pik_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_version)123 static bool verify_pik_certificate(
124 const AvbAtxCertificate* certificate,
125 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
126 uint64_t minimum_version) {
127 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE];
128
129 sha256_str("com.google.android.things.vboot.ca", expected_usage);
130 if (!verify_certificate(
131 certificate, authority, minimum_version, expected_usage)) {
132 avb_error("Invalid PIK certificate.\n");
133 return false;
134 }
135 return true;
136 }
137
138 /* Verifies signature and fields of a PSK certificate. */
verify_psk_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_version,const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE])139 static bool verify_psk_certificate(
140 const AvbAtxCertificate* certificate,
141 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
142 uint64_t minimum_version,
143 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) {
144 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE];
145 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE];
146
147 sha256_str("com.google.android.things.vboot", expected_usage);
148 if (!verify_certificate(
149 certificate, authority, minimum_version, expected_usage)) {
150 avb_error("Invalid PSK certificate.\n");
151 return false;
152 }
153 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject);
154 if (0 != avb_safe_memcmp(certificate->signed_data.subject,
155 expected_subject,
156 AVB_SHA256_DIGEST_SIZE)) {
157 avb_error("PSK: Product ID mismatch.\n");
158 return false;
159 }
160 return true;
161 }
162
163 /* Verifies signature and fields of a PUK certificate. */
verify_puk_certificate(const AvbAtxCertificate * certificate,const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],uint64_t minimum_version,const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE])164 static bool verify_puk_certificate(
165 const AvbAtxCertificate* certificate,
166 const uint8_t authority[AVB_ATX_PUBLIC_KEY_SIZE],
167 uint64_t minimum_version,
168 const uint8_t product_id[AVB_ATX_PRODUCT_ID_SIZE]) {
169 uint8_t expected_subject[AVB_SHA256_DIGEST_SIZE];
170 uint8_t expected_usage[AVB_SHA256_DIGEST_SIZE];
171
172 sha256_str("com.google.android.things.vboot.unlock", expected_usage);
173 if (!verify_certificate(
174 certificate, authority, minimum_version, expected_usage)) {
175 avb_error("Invalid PUK certificate.\n");
176 return false;
177 }
178 sha256(product_id, AVB_ATX_PRODUCT_ID_SIZE, expected_subject);
179 if (0 != avb_safe_memcmp(certificate->signed_data.subject,
180 expected_subject,
181 AVB_SHA256_DIGEST_SIZE)) {
182 avb_error("PUK: Product ID mismatch.\n");
183 return false;
184 }
185 return true;
186 }
187
avb_atx_validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_is_trusted)188 AvbIOResult avb_atx_validate_vbmeta_public_key(
189 AvbOps* ops,
190 const uint8_t* public_key_data,
191 size_t public_key_length,
192 const uint8_t* public_key_metadata,
193 size_t public_key_metadata_length,
194 bool* out_is_trusted) {
195 AvbIOResult result = AVB_IO_RESULT_OK;
196 AvbAtxPermanentAttributes permanent_attributes;
197 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
198 AvbAtxPublicKeyMetadata metadata;
199 uint64_t minimum_version;
200
201 /* Be pessimistic so we can exit early without having to remember to clear.
202 */
203 *out_is_trusted = false;
204
205 /* Read and verify permanent attributes. */
206 result = ops->atx_ops->read_permanent_attributes(ops->atx_ops,
207 &permanent_attributes);
208 if (result != AVB_IO_RESULT_OK) {
209 avb_error("Failed to read permanent attributes.\n");
210 return result;
211 }
212 result = ops->atx_ops->read_permanent_attributes_hash(
213 ops->atx_ops, permanent_attributes_hash);
214 if (result != AVB_IO_RESULT_OK) {
215 avb_error("Failed to read permanent attributes hash.\n");
216 return result;
217 }
218 if (!verify_permanent_attributes(&permanent_attributes,
219 permanent_attributes_hash)) {
220 return AVB_IO_RESULT_OK;
221 }
222
223 /* Sanity check public key metadata. */
224 if (public_key_metadata_length != sizeof(AvbAtxPublicKeyMetadata)) {
225 avb_error("Invalid public key metadata.\n");
226 return AVB_IO_RESULT_OK;
227 }
228 avb_memcpy(&metadata, public_key_metadata, sizeof(AvbAtxPublicKeyMetadata));
229 if (metadata.version != 1) {
230 avb_error("Unsupported public key metadata.\n");
231 return AVB_IO_RESULT_OK;
232 }
233
234 /* Verify the PIK certificate. */
235 result = ops->read_rollback_index(
236 ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version);
237 if (result != AVB_IO_RESULT_OK) {
238 avb_error("Failed to read PIK minimum version.\n");
239 return result;
240 }
241 if (!verify_pik_certificate(&metadata.product_intermediate_key_certificate,
242 permanent_attributes.product_root_public_key,
243 minimum_version)) {
244 return AVB_IO_RESULT_OK;
245 }
246
247 /* Verify the PSK certificate. */
248 result = ops->read_rollback_index(
249 ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version);
250 if (result != AVB_IO_RESULT_OK) {
251 avb_error("Failed to read PSK minimum version.\n");
252 return result;
253 }
254 if (!verify_psk_certificate(
255 &metadata.product_signing_key_certificate,
256 metadata.product_intermediate_key_certificate.signed_data.public_key,
257 minimum_version,
258 permanent_attributes.product_id)) {
259 return AVB_IO_RESULT_OK;
260 }
261
262 /* Verify the PSK is the same key that verified vbmeta. */
263 if (public_key_length != AVB_ATX_PUBLIC_KEY_SIZE) {
264 avb_error("Public key length mismatch.\n");
265 return AVB_IO_RESULT_OK;
266 }
267 if (0 != avb_safe_memcmp(
268 metadata.product_signing_key_certificate.signed_data.public_key,
269 public_key_data,
270 AVB_ATX_PUBLIC_KEY_SIZE)) {
271 avb_error("Public key mismatch.\n");
272 return AVB_IO_RESULT_OK;
273 }
274
275 /* Report the key versions used during verification. */
276 ops->atx_ops->set_key_version(
277 ops->atx_ops,
278 AVB_ATX_PIK_VERSION_LOCATION,
279 metadata.product_intermediate_key_certificate.signed_data.key_version);
280 ops->atx_ops->set_key_version(
281 ops->atx_ops,
282 AVB_ATX_PSK_VERSION_LOCATION,
283 metadata.product_signing_key_certificate.signed_data.key_version);
284
285 *out_is_trusted = true;
286 return AVB_IO_RESULT_OK;
287 }
288
avb_atx_generate_unlock_challenge(AvbAtxOps * atx_ops,AvbAtxUnlockChallenge * out_unlock_challenge)289 AvbIOResult avb_atx_generate_unlock_challenge(
290 AvbAtxOps* atx_ops, AvbAtxUnlockChallenge* out_unlock_challenge) {
291 AvbIOResult result = AVB_IO_RESULT_OK;
292 AvbAtxPermanentAttributes permanent_attributes;
293
294 /* We need the permanent attributes to compute the product_id_hash. */
295 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes);
296 if (result != AVB_IO_RESULT_OK) {
297 avb_error("Failed to read permanent attributes.\n");
298 return result;
299 }
300 result = atx_ops->get_random(
301 atx_ops, AVB_ATX_UNLOCK_CHALLENGE_SIZE, last_unlock_challenge);
302 if (result != AVB_IO_RESULT_OK) {
303 avb_error("Failed to generate random challenge.\n");
304 return result;
305 }
306 last_unlock_challenge_set = true;
307 out_unlock_challenge->version = 1;
308 sha256(permanent_attributes.product_id,
309 AVB_ATX_PRODUCT_ID_SIZE,
310 out_unlock_challenge->product_id_hash);
311 avb_memcpy(out_unlock_challenge->challenge,
312 last_unlock_challenge,
313 AVB_ATX_UNLOCK_CHALLENGE_SIZE);
314 return result;
315 }
316
avb_atx_validate_unlock_credential(AvbAtxOps * atx_ops,const AvbAtxUnlockCredential * unlock_credential,bool * out_is_trusted)317 AvbIOResult avb_atx_validate_unlock_credential(
318 AvbAtxOps* atx_ops,
319 const AvbAtxUnlockCredential* unlock_credential,
320 bool* out_is_trusted) {
321 AvbIOResult result = AVB_IO_RESULT_OK;
322 AvbAtxPermanentAttributes permanent_attributes;
323 uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
324 uint64_t minimum_version;
325 const AvbAlgorithmData* algorithm_data;
326 uint8_t challenge_hash[AVB_SHA512_DIGEST_SIZE];
327
328 /* Be pessimistic so we can exit early without having to remember to clear.
329 */
330 *out_is_trusted = false;
331
332 /* Sanity check the credential. */
333 if (unlock_credential->version != 1) {
334 avb_error("Unsupported unlock credential format.\n");
335 return AVB_IO_RESULT_OK;
336 }
337
338 /* Read and verify permanent attributes. */
339 result = atx_ops->read_permanent_attributes(atx_ops, &permanent_attributes);
340 if (result != AVB_IO_RESULT_OK) {
341 avb_error("Failed to read permanent attributes.\n");
342 return result;
343 }
344 result = atx_ops->read_permanent_attributes_hash(atx_ops,
345 permanent_attributes_hash);
346 if (result != AVB_IO_RESULT_OK) {
347 avb_error("Failed to read permanent attributes hash.\n");
348 return result;
349 }
350 if (!verify_permanent_attributes(&permanent_attributes,
351 permanent_attributes_hash)) {
352 return AVB_IO_RESULT_OK;
353 }
354
355 /* Verify the PIK certificate. */
356 result = atx_ops->ops->read_rollback_index(
357 atx_ops->ops, AVB_ATX_PIK_VERSION_LOCATION, &minimum_version);
358 if (result != AVB_IO_RESULT_OK) {
359 avb_error("Failed to read PIK minimum version.\n");
360 return result;
361 }
362 if (!verify_pik_certificate(
363 &unlock_credential->product_intermediate_key_certificate,
364 permanent_attributes.product_root_public_key,
365 minimum_version)) {
366 return AVB_IO_RESULT_OK;
367 }
368
369 /* Verify the PUK certificate. The minimum version is shared with the PSK. */
370 result = atx_ops->ops->read_rollback_index(
371 atx_ops->ops, AVB_ATX_PSK_VERSION_LOCATION, &minimum_version);
372 if (result != AVB_IO_RESULT_OK) {
373 avb_error("Failed to read PSK minimum version.\n");
374 return result;
375 }
376 if (!verify_puk_certificate(
377 &unlock_credential->product_unlock_key_certificate,
378 unlock_credential->product_intermediate_key_certificate.signed_data
379 .public_key,
380 minimum_version,
381 permanent_attributes.product_id)) {
382 return AVB_IO_RESULT_OK;
383 }
384
385 /* Hash the most recent unlock challenge. */
386 if (!last_unlock_challenge_set) {
387 avb_error("Challenge does not exist.\n");
388 return AVB_IO_RESULT_OK;
389 }
390 sha512(last_unlock_challenge, AVB_ATX_UNLOCK_CHALLENGE_SIZE, challenge_hash);
391 last_unlock_challenge_set = false;
392
393 /* Verify the challenge signature. */
394 algorithm_data = avb_get_algorithm_data(AVB_ALGORITHM_TYPE_SHA512_RSA4096);
395 if (!avb_rsa_verify(unlock_credential->product_unlock_key_certificate
396 .signed_data.public_key,
397 AVB_ATX_PUBLIC_KEY_SIZE,
398 unlock_credential->challenge_signature,
399 AVB_RSA4096_NUM_BYTES,
400 challenge_hash,
401 AVB_SHA512_DIGEST_SIZE,
402 algorithm_data->padding,
403 algorithm_data->padding_len)) {
404 avb_error("Invalid unlock challenge signature.\n");
405 return AVB_IO_RESULT_OK;
406 }
407
408 *out_is_trusted = true;
409 return AVB_IO_RESULT_OK;
410 }
411