1 /* Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
2  * Use of this source code is governed by a BSD-style license that can be
3  * found in the LICENSE file.
4  *
5  * Data structure definitions for verified boot, for on-disk / in-eeprom
6  * data.
7  */
8 
9 #ifndef VBOOT_REFERENCE_VBOOT_2STRUCT_H_
10 #define VBOOT_REFERENCE_VBOOT_2STRUCT_H_
11 #include <stdint.h>
12 #include "2crypto.h"
13 
/*
 * Key block flags.
 *
 * Each flag names one boot state in which the key is valid.  They are
 * consulted by kernel verification only; firmware verification does not use
 * them.
 */
#define VB2_KEY_BLOCK_FLAG_DEVELOPER_0  (1 << 0) /* Developer switch off */
#define VB2_KEY_BLOCK_FLAG_DEVELOPER_1  (1 << 1) /* Developer switch on */
#define VB2_KEY_BLOCK_FLAG_RECOVERY_0   (1 << 2) /* Not recovery mode */
#define VB2_KEY_BLOCK_FLAG_RECOVERY_1   (1 << 3) /* Recovery mode */

/*
 * Size in bytes of the HWID digest kept in the GBB header and in
 * vb2_shared_data.  This is not a key block flag.
 */
#define VB2_GBB_HWID_DIGEST_SIZE	32
25 
26 /****************************************************************************/
27 
/* Bit values stored in vb2_shared_data.flags */
enum vb2_shared_data_flags {
	/* Recovery was explicitly and physically requested by the user */
	VB2_SD_FLAG_MANUAL_RECOVERY = 0x00000001,

	/* Developer mode is enabled */
	VB2_SD_DEV_MODE_ENABLED = 0x00000002,

	/*
	 * TODO: might be nice to add flags for why dev mode is enabled - via
	 * gbb, virtual dev switch, or forced on for testing.
	 */
};
41 
/* Bit values stored in vb2_shared_data.status */
enum vb2_shared_data_status {
	/* NV data failed its checksum and was reinitialized */
	VB2_SD_STATUS_NV_REINIT = 0x00000001,

	/* NV data has been initialized */
	VB2_SD_STATUS_NV_INIT = 0x00000002,

	/* Secure data has been initialized */
	VB2_SD_STATUS_SECDATA_INIT = 0x00000004,

	/* A firmware slot has been chosen */
	VB2_SD_STATUS_CHOSE_SLOT = 0x00000008,
};
56 
/*
 * State carried from one vboot API call to the next.  It is stored at the
 * start of the work buffer.
 */
struct vb2_shared_data {
	/* Decisions made so far; bits are enum vb2_shared_data_flags */
	uint32_t flags;

	/* Flags taken from the GBB header */
	uint32_t gbb_flags;

	/*
	 * Why this boot is in recovery mode (enum vb2_nv_recovery); 0 when it
	 * is not in recovery mode.
	 */
	uint32_t recovery_reason;

	/* Firmware slot used on the previous boot (0=A, 1=B) */
	uint32_t last_fw_slot;

	/* Result of the previous boot (enum vb2_fw_result) */
	uint32_t last_fw_result;

	/* Firmware slot used on this boot */
	uint32_t fw_slot;

	/*
	 * Version for this slot: the key version is in the top 16 bits and
	 * the firmware version in the lower 16 bits.
	 *
	 * TODO: Make this a union to allow getting/setting those versions
	 * separately?
	 */
	uint32_t fw_version;

	/*
	 * Version stored in secdata (must be <= fw_version to boot).
	 *
	 * NOTE(review): presumably this is the comparison that
	 * VB2_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK switches off - confirm
	 * against the code that performs the check.
	 */
	uint32_t fw_version_secdata;

	/*
	 * What has been done so far this boot; bits are enum
	 * vb2_shared_data_status.  (flags, above, records the decisions that
	 * were made.)
	 */
	uint32_t status;

	/**********************************************************************
	 * Temporary variables used during firmware verification.  These don't
	 * really need to persist through to the OS, but there's nowhere else
	 * we can put them.
	 *
	 * NOTE(review): the workbuf_* fields below are offsets and sizes into
	 * the work buffer.  Code that dereferences them presumably has to
	 * ensure offset + size stays inside the work buffer - confirm at the
	 * use sites.
	 */

	/* Root key offset and size, as given in the GBB header */
	uint32_t gbb_rootkey_offset, gbb_rootkey_size;

	/* HWID digest, as given in the GBB header */
	uint8_t gbb_hwid_digest[VB2_GBB_HWID_DIGEST_SIZE];

	/* Offset of the preamble from the start of the vblock */
	uint32_t vblock_preamble_offset;

	/*
	 * Where the packed data key sits in the work buffer.  A size of 0
	 * means the data key is not stored in the work buffer.
	 */
	uint32_t workbuf_data_key_offset, workbuf_data_key_size;

	/*
	 * Where the firmware preamble sits in the work buffer.  A size of 0
	 * means the preamble is not stored in the work buffer.
	 */
	uint32_t workbuf_preamble_offset, workbuf_preamble_size;

	/*
	 * Where the hash context sits in the work buffer.  A size of 0 means
	 * the hash context is not stored in the work buffer.
	 */
	uint32_t workbuf_hash_offset, workbuf_hash_size;

	/*
	 * Tag currently being hashed.
	 *
	 * For new structs, this is the offset of the vb2_signature struct
	 * in the work buffer.
	 *
	 * TODO: rename to workbuf_hash_sig_offset when vboot1 structs are
	 * deprecated.
	 */
	uint32_t hash_tag;

	/* Number of bytes still expected to be hashed */
	uint32_t hash_remaining_size;

} __attribute__((packed));
152 
153 /****************************************************************************/
154 
/*
 * Signature at the start of the GBB.
 *
 * Note that if you compile in the signature as is, you are likely to break
 * any tools that search for the signature.  VB2_GBB_XOR_SIGNATURE holds the
 * same four bytes with each one XORed against the matching byte of
 * VB2_GBB_XOR_CHARS ('*' is 0x2a), presumably so code can recognise the
 * signature without containing the plain string.
 */
#define VB2_GBB_SIGNATURE "$GBB"
#define VB2_GBB_SIGNATURE_SIZE 4
#define VB2_GBB_XOR_CHARS "****"
/* TODO: can we write a macro to produce this at compile time? */
/* '$' ^ '*', 'G' ^ '*', 'B' ^ '*', 'B' ^ '*' spelled out as ASCII codes */
#define VB2_GBB_XOR_SIGNATURE \
	{ 0x24 ^ 0x2a, 0x47 ^ 0x2a, 0x42 ^ 0x2a, 0x42 ^ 0x2a }

/*
 * VB2 GBB struct version.
 * v1.2 - added fields for sha256 digest of the HWID
 */
#define VB2_GBB_MAJOR_VER      1
#define VB2_GBB_MINOR_VER      2
168 
/*
 * Bit values stored in vb2_gbb_header.flags.
 *
 * Several of these relax or bypass boot protections (option ROM loading,
 * forced dev switch, rollback check, alternate keys, software sync).
 * NOTE(review): what prevents them from being set on a production device is
 * presumably write protection of the flash region holding the GBB - confirm.
 */
enum vb2_gbb_flag {
	/*
	 * Shorten the dev screen delay from 30 sec to 2 sec to speed up
	 * factory.
	 */
	VB2_GBB_FLAG_DEV_SCREEN_SHORT_DELAY = 0x001,

	/*
	 * BIOS should load option ROMs from arbitrary PCI devices. We'll never
	 * enable this ourselves because it executes non-verified code, but if
	 * a customer wants to void their warranty and set this flag in the
	 * read-only flash, they should be able to do so.
	 */
	VB2_GBB_FLAG_LOAD_OPTION_ROMS = 0x002,

	/*
	 * Lets the BIOS boot a non-ChromeOS kernel when the dev-switch is on;
	 * the factory flow may need this.
	 */
	VB2_GBB_FLAG_ENABLE_ALTERNATE_OS = 0x004,

	/*
	 * Dev switch is forced on, whatever the position of the
	 * physical/keyboard dev switch.
	 */
	VB2_GBB_FLAG_FORCE_DEV_SWITCH_ON = 0x008,

	/* Booting from USB in dev mode is allowed even if dev_boot_usb=0. */
	VB2_GBB_FLAG_FORCE_DEV_BOOT_USB = 0x010,

	/* Firmware rollback protection is disabled. */
	VB2_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK = 0x020,

	/* Enter key may trigger the dev->tonorm screen transition */
	VB2_GBB_FLAG_ENTER_TRIGGERS_TONORM = 0x040,

	/*
	 * Booting Legacy OSes in dev mode is allowed even if
	 * dev_boot_legacy=0.
	 */
	VB2_GBB_FLAG_FORCE_DEV_BOOT_LEGACY = 0x080,

	/*
	 * Booting with alternate keys is allowed, for FAFT servo testing.
	 * The identifier's spelling (OVERIDE) is left unchanged so existing
	 * references keep compiling.
	 */
	VB2_GBB_FLAG_FAFT_KEY_OVERIDE = 0x100,

	/* EC software sync is disabled */
	VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC = 0x200,

	/* Legacy OS is the default boot target when the dev screen times out */
	VB2_GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY = 0x400,

	/* PD software sync is disabled */
	VB2_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC = 0x800,
};
221 
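/*
 * Header at the start of the GBB.
 *
 * The struct is packed and uses only fixed-width fields, so its layout is
 * fixed; the byte offset of each field from the start of the header is noted
 * beside it.
 *
 * NOTE(review): header_size and the *_offset / *_size fields are read from
 * the GBB image.  Code consuming them presumably has to check that each
 * component lies inside the GBB before using it - confirm in the GBB parser.
 */
struct vb2_gbb_header {
	/* Fields present in version 1.1 */
	uint8_t  signature[VB2_GBB_SIGNATURE_SIZE]; /* 0: VB2_GBB_SIGNATURE */
	uint16_t major_version;   /* 4: See VB2_GBB_MAJOR_VER */
	uint16_t minor_version;   /* 6: See VB2_GBB_MINOR_VER */
	uint32_t header_size;     /* 8: Size of GBB header in bytes */
	uint32_t flags;           /* 12: Flags (see enum vb2_gbb_flag) */

	/* Offsets (from start of header) and sizes (in bytes) of components */
	uint32_t hwid_offset;		/* 16: HWID */
	uint32_t hwid_size;		/* 20 */
	uint32_t rootkey_offset;	/* 24: Root key */
	uint32_t rootkey_size;		/* 28 */
	uint32_t bmpfv_offset;		/* 32: BMP FV */
	uint32_t bmpfv_size;		/* 36 */
	uint32_t recovery_key_offset;	/* 40: Recovery key */
	uint32_t recovery_key_size;	/* 44 */

	/* Added in version 1.2 */
	uint8_t  hwid_digest[VB2_GBB_HWID_DIGEST_SIZE];	/* 48: SHA-256 of HWID */

	/* Pad to match EXPECTED_VB2_GBB_HEADER_SIZE.  Initialize to 0. */
	uint8_t  pad[48];		/* 80 */
} __attribute__((packed));

/* The GBB is used outside of vboot_reference, so this size is important. */
#define EXPECTED_VB2_GBB_HEADER_SIZE 128

/*
 * Compile-time check that the struct really has the expected size.  The
 * array size becomes -1, which fails to compile, if a field is added or
 * resized without adjusting pad[].
 */
typedef char vb2_gbb_header_size_check[
	(sizeof(struct vb2_gbb_header) == EXPECTED_VB2_GBB_HEADER_SIZE)
	? 1 : -1];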
249 
250 #endif  /* VBOOT_REFERENCE_VBOOT_2STRUCT_H_ */
251