Change VerifyFirmware() to take separate pointers to firmware verification header and firmware data.
The firmware verification code no longer assumes that verification data and firmware data are contiguous and follow each other. Needed for EFI where the actual firmware must be stored in its own firmware volume.
BUG=1704
TEST=modified existing tests for the new API, and they still pass
Review URL: http://codereview.chromium.org/1578035
diff --git a/misclibs/file_keys.c b/misclibs/file_keys.c
index de28216..4963bf4 100644
--- a/misclibs/file_keys.c
+++ b/misclibs/file_keys.c
@@ -30,18 +30,17 @@
}
if (-1 == fstat(fd, &stat_fd)) {
- debug("Couldn't stat key file\n");
+ debug("Couldn't stat file\n");
return NULL;
}
*len = stat_fd.st_size;
- /* Read entire key binary blob into a buffer. */
buf = (uint8_t*) Malloc(*len);
if (!buf)
return NULL;
if (*len != read(fd, buf, *len)) {
- debug("Couldn't read key into a buffer.\n");
+ debug("Couldn't read file into a buffer.\n");
return NULL;
}
diff --git a/tests/big_firmware_tests.c b/tests/big_firmware_tests.c
index eb45114..1f83cd2 100644
--- a/tests/big_firmware_tests.c
+++ b/tests/big_firmware_tests.c
@@ -52,7 +52,7 @@
VERIFY_FIRMWARE_SUCCESS,
"Big FirmwareImage Verification");
firmware_blob = GetFirmwareBlob(image, &len);
- TEST_EQ(VerifyFirmware(root_key_blob, firmware_blob),
+ TEST_EQ(VerifyFirmware(root_key_blob, image->firmware_data, firmware_blob),
VERIFY_FIRMWARE_SUCCESS,
"Big Firmware Blob Verification");
diff --git a/tests/firmware_image_tests.c b/tests/firmware_image_tests.c
index a2ce472..96cf955 100644
--- a/tests/firmware_image_tests.c
+++ b/tests/firmware_image_tests.c
@@ -15,8 +15,12 @@
#include "utility.h"
/* Normal Firmware Blob Verification Tests. */
-void VerifyFirmwareTest(uint8_t* firmware_blob, uint8_t* root_key_blob) {
- TEST_EQ(VerifyFirmware(root_key_blob, firmware_blob),
+void VerifyFirmwareTest(uint8_t* verification_header,
+ uint8_t* firmware_data,
+ uint8_t* root_key_blob) {
+ TEST_EQ(VerifyFirmware(root_key_blob,
+ verification_header,
+ firmware_data),
VERIFY_FIRMWARE_SUCCESS,
"Normal Firmware Blob Verification");
}
@@ -92,7 +96,9 @@
firmware_blob = GetFirmwareBlob(image, &firmware_blob_len);
/* Test Firmware blob verify operations. */
- VerifyFirmwareTest(firmware_blob, root_key_blob);
+ VerifyFirmwareTest(firmware_blob,
+ image->firmware_data,
+ root_key_blob);
/* Test FirmwareImage verify operations. */
VerifyFirmwareImageTest(image, root_key_pub);
diff --git a/tests/firmware_rollback_tests.c b/tests/firmware_rollback_tests.c
index 3608db7..14c0475 100644
--- a/tests/firmware_rollback_tests.c
+++ b/tests/firmware_rollback_tests.c
@@ -16,14 +16,14 @@
#include "test_common.h"
const char* kRootKeyPublicFile = "testkeys/key_rsa8192.keyb";
+uint8_t kValidFirmwareData[1] = { 'F' };
+uint8_t kCorruptFirmwareData[1] = { 'X' };
/* Tests that check for correctness of the VerifyFirmwareDriver_f() logic
* and rollback prevention. */
void VerifyFirmwareDriverTest(void) {
- uint8_t* valid_firmwareA = NULL;
- uint8_t* valid_firmwareB = NULL;
- uint8_t* corrupt_firmwareA = NULL;
- uint8_t* corrupt_firmwareB = NULL;
+ uint8_t* verification_blobA = NULL;
+ uint8_t* verification_blobB = NULL;
uint64_t len;
uint8_t* root_key_pub = BufferFromFile(kRootKeyPublicFile, &len);
@@ -31,43 +31,55 @@
g_firmware_key_version = 1;
g_firmware_version = 1;
- valid_firmwareA = GenerateRollbackTestFirmwareBlob(1, 1, 0);
- valid_firmwareB = GenerateRollbackTestFirmwareBlob(1, 1, 0);
- corrupt_firmwareA = GenerateRollbackTestFirmwareBlob(1, 1, 1);
- corrupt_firmwareB = GenerateRollbackTestFirmwareBlob(1, 1, 1);
+ verification_blobA = GenerateRollbackTestVerificationBlob(1, 1);
+ verification_blobB = GenerateRollbackTestVerificationBlob(1, 1);
TEST_EQ(VerifyFirmwareDriver_f(root_key_pub,
- valid_firmwareA, valid_firmwareB),
+ verification_blobA,
+ kValidFirmwareData,
+ verification_blobB,
+ kValidFirmwareData),
BOOT_FIRMWARE_A_CONTINUE,
"Firmware A (Valid with current version), "
"Firmware B (Valid with current version)");
TEST_EQ(VerifyFirmwareDriver_f(root_key_pub,
- corrupt_firmwareA, valid_firmwareB),
+ verification_blobA,
+ kCorruptFirmwareData,
+ verification_blobB,
+ kValidFirmwareData),
BOOT_FIRMWARE_B_CONTINUE,
"Firmware A (Corrupt with current version), "
- "FirmwareB (Valid with current version)");
+ "Firmware B (Valid with current version)");
TEST_EQ(VerifyFirmwareDriver_f(root_key_pub,
- valid_firmwareA, corrupt_firmwareB),
+ verification_blobA,
+ kValidFirmwareData,
+ verification_blobB,
+ kCorruptFirmwareData),
BOOT_FIRMWARE_A_CONTINUE,
"Firmware A (Valid with current version), "
- "FirmwareB (Corrupt with current version)");
+ "Firmware B (Corrupt with current version)");
TEST_EQ(VerifyFirmwareDriver_f(root_key_pub,
- corrupt_firmwareA, corrupt_firmwareB),
+ verification_blobA,
+ kCorruptFirmwareData,
+ verification_blobB,
+ kCorruptFirmwareData),
BOOT_FIRMWARE_RECOVERY_CONTINUE,
"Firmware A (Corrupt with current version), "
- "FirmwareB (Corrupt with current version");
+ "Firmware B (Corrupt with current version");
g_firmware_key_version = 2;
g_firmware_version = 2;
- TEST_EQ(VerifyFirmwareDriver_f(root_key_pub, valid_firmwareA, valid_firmwareB),
+ TEST_EQ(VerifyFirmwareDriver_f(root_key_pub,
+ verification_blobA,
+ kValidFirmwareData,
+ verification_blobB,
+ kValidFirmwareData),
BOOT_FIRMWARE_RECOVERY_CONTINUE,
"Firmware A (Valid with old version), "
"Old Firmware B (Valid with old version)");
Free(root_key_pub);
- Free(valid_firmwareA);
- Free(valid_firmwareB);
- Free(corrupt_firmwareA);
- Free(corrupt_firmwareB);
+ Free(verification_blobA);
+ Free(verification_blobB);
}
int main(int argc, char* argv[]) {
diff --git a/tests/firmware_splicing_tests.c b/tests/firmware_splicing_tests.c
index c3259b7..97d16df 100644
--- a/tests/firmware_splicing_tests.c
+++ b/tests/firmware_splicing_tests.c
@@ -67,7 +67,7 @@
VERIFY_FIRMWARE_SIGNATURE_FAILED,
"FirmwareImage firmware_data Splicing");
firmware_blob = GetFirmwareBlob(image2, &len);
- TEST_EQ(VerifyFirmware(root_key_blob, firmware_blob),
+ TEST_EQ(VerifyFirmware(root_key_blob, firmware_blob, image2->firmware_data),
VERIFY_FIRMWARE_SIGNATURE_FAILED,
"Firmware Blob firmware_data Splicing");
}
diff --git a/tests/firmware_verify_benchmark.c b/tests/firmware_verify_benchmark.c
index c69ada7..44e4566 100644
--- a/tests/firmware_verify_benchmark.c
+++ b/tests/firmware_verify_benchmark.c
@@ -49,6 +49,7 @@
"sha1", "sha256", "sha512", /* RSA-4096 */
"sha1", "sha256", "sha512", /* RSA-8192 */
};
+ uint8_t* verification_blobs[NUM_SIZES_TO_TEST];
uint8_t* firmware_blobs[NUM_SIZES_TO_TEST];
for (i = 0; i < NUM_SIZES_TO_TEST; ++i)
firmware_blobs[i] = NULL;
@@ -67,13 +68,16 @@
/* Generate test images. */
for (i = 0; i < NUM_SIZES_TO_TEST; ++i) {
- firmware_blobs[i] = GenerateTestFirmwareBlob(algorithm,
- firmware_sign_key,
- 1, /* firmware key version. */
- 1, /* firmware version. */
- g_firmware_sizes_to_test[i],
- "testkeys/key_rsa8192.pem",
- firmware_sign_key_file);
+ firmware_blobs[i] = (uint8_t*) Malloc(g_firmware_sizes_to_test[i]);
+ Memset(firmware_blobs[i], 'F', g_firmware_sizes_to_test[i]);
+ verification_blobs[i] = GenerateTestVerificationBlob(
+ algorithm,
+ firmware_sign_key,
+ 1, /* firmware key version. */
+ 1, /* firmware version. */
+ g_firmware_sizes_to_test[i],
+ "testkeys/key_rsa8192.pem",
+ firmware_sign_key_file);
if (!firmware_blobs[i]) {
debug("Couldn't generate test firmware images.\n");
error_code = 1;
@@ -94,7 +98,9 @@
StartTimer(&ct);
for (j = 0; j < NUM_OPERATIONS; ++j) {
if (VERIFY_FIRMWARE_SUCCESS !=
- VerifyFirmware(root_key_blob, firmware_blobs[i]))
+ VerifyFirmware(root_key_blob,
+ verification_blobs[i],
+ firmware_blobs[i]))
debug("Warning: Firmware Verification Failed.\n");
}
StopTimer(&ct);
@@ -113,8 +119,10 @@
}
cleanup:
- for (i = 0; i < NUM_SIZES_TO_TEST; i++)
+ for (i = 0; i < NUM_SIZES_TO_TEST; i++) {
Free(firmware_blobs[i]);
+ Free(verification_blobs[i]);
+ }
Free(root_key_blob);
return error_code;
}
diff --git a/tests/test_common.c b/tests/test_common.c
index 5fcdc5e..6f68d35 100644
--- a/tests/test_common.c
+++ b/tests/test_common.c
@@ -80,13 +80,13 @@
return image;
}
-uint8_t* GenerateTestFirmwareBlob(int algorithm,
- const uint8_t* firmware_sign_key,
- int firmware_key_version,
- int firmware_version,
- uint64_t firmware_len,
- const char* root_key_file,
- const char* firmware_key_file) {
+uint8_t* GenerateTestVerificationBlob(int algorithm,
+ const uint8_t* firmware_sign_key,
+ int firmware_key_version,
+ int firmware_version,
+ uint64_t firmware_len,
+ const char* root_key_file,
+ const char* firmware_key_file) {
FirmwareImage* image = NULL;
uint8_t* firmware_blob = NULL;
uint64_t firmware_blob_len = 0;
@@ -104,12 +104,11 @@
return firmware_blob;
}
-uint8_t* GenerateRollbackTestFirmwareBlob(int firmware_key_version,
- int firmware_version,
- int is_corrupt) {
+uint8_t* GenerateRollbackTestVerificationBlob(int firmware_key_version,
+ int firmware_version) {
FirmwareImage* image = NULL;
uint64_t len;
- uint8_t* firmware_blob = NULL;
+ uint8_t* verification_blob = NULL;
uint8_t* firmware_sign_key = NULL;
firmware_sign_key = BufferFromFile("testkeys/key_rsa1024.keyb",
@@ -126,14 +125,9 @@
'F');
if (!image)
return NULL;
- if (is_corrupt) {
- /* Invalidate image. */
- Memset(image->firmware_data, 'X', image->firmware_len);
- }
-
- firmware_blob = GetFirmwareBlob(image, &len);
+ verification_blob = GetFirmwareBlob(image, &len);
FirmwareImageFree(image);
- return firmware_blob;
+ return verification_blob;
}
diff --git a/tests/test_common.h b/tests/test_common.h
index 6fed1b4..d73dc0e 100644
--- a/tests/test_common.h
+++ b/tests/test_common.h
@@ -26,13 +26,13 @@
const char* root_key_file,
const char* firmware_key_file,
uint8_t firmware_data_fill_char);
-uint8_t* GenerateTestFirmwareBlob(int algorithm,
- const uint8_t* firmware_sign_key,
- int firmware_key_version,
- int firmware_version,
- uint64_t firmware_len,
- const char* root_key_file,
- const char* firmware_key_file);
+uint8_t* GenerateTestVerificationBlob(int algorithm,
+ const uint8_t* firmware_sign_key,
+ int firmware_key_version,
+ int firmware_version,
+ uint64_t firmware_len,
+ const char* root_key_file,
+ const char* firmware_key_file);
/* Test kernel image generation functions. */
KernelImage* GenerateTestKernelImage(int firmware_sign_algorithm,
@@ -44,7 +44,6 @@
const char* firmware_key_file,
const char* kernel_key_file,
uint8_t kernel_data_fill_char);
-;
uint8_t* GenerateTestKernelBlob(int firmware_sign_algorithm,
int kernel_sign_algorithm,
const uint8_t* kernel_sign_key,
@@ -54,12 +53,12 @@
const char* firmware_key_file,
const char* kernel_key_file);
-/* Generates a test firmware image for rollback tests with a given
- * [firmware_key_version] and [firmware_version]. If [is_corrupt] is 1,
- * then the image has invalid signatures and will fail verification. */
-uint8_t* GenerateRollbackTestFirmwareBlob(int firmware_key_version,
- int firmware_version,
- int is_corrupt);
+/* Generates a test verification block for rollback tests with a given
+ * [firmware_key_version] and [firmware_version]. The firmware length is
+ * assumed to be 1 bytes, and containing { 'F' }.
+ */
+uint8_t* GenerateRollbackTestVerificationBlob(int firmware_key_version,
+ int firmware_version);
/* Generates a test kernel iamge for rollback tests with a given
* [kernel_key_version} and [kernel_version]. If [is_corrupt] is 1,
diff --git a/tests/verify_firmware_fuzz_driver.c b/tests/verify_firmware_fuzz_driver.c
index 8ab33ad..f04a7d5 100644
--- a/tests/verify_firmware_fuzz_driver.c
+++ b/tests/verify_firmware_fuzz_driver.c
@@ -11,11 +11,13 @@
#include "firmware_image.h"
#include "utility.h"
-int VerifySignedFirmware(const char* image_file,
- const char* root_key_file) {
+int VerifySignedFirmware(const char* root_key_file,
+ const char* verification_file,
+ const char* firmware_file) {
int error, error_code = 0;
uint64_t len;
- uint8_t* firmware_blob = BufferFromFile(image_file, &len);
+ uint8_t* verification_blob = BufferFromFile(verification_file, &len);
+ uint8_t* firmware_blob = BufferFromFile(firmware_file, &len);
uint8_t* root_key_blob = BufferFromFile(root_key_file, &len);
if (!root_key_blob) {
@@ -24,11 +26,18 @@
}
if (!error_code && !firmware_blob) {
- fprintf(stderr, "Couldn't read firmware image or malformed image.\n");
+ fprintf(stderr, "Couldn't read firmware image.\n");
error_code = 1;
}
- if (!error_code && (error = VerifyFirmware(root_key_blob, firmware_blob))) {
+ if (!error_code && !verification_blob) {
+ fprintf(stderr, "Couldn't read verification data image.\n");
+ error_code = 1;
+ }
+
+ if (!error_code && (error = VerifyFirmware(root_key_blob,
+ verification_blob,
+ firmware_blob))) {
fprintf(stderr, "%s\n", VerifyFirmwareErrorString(error));
error_code = 1;
}
@@ -41,15 +50,15 @@
}
int main(int argc, char* argv[]) {
- if (argc != 3) {
- fprintf(stderr, "Usage: %s <image_to_verify> <root_keyb>\n", argv[0]);
+ if (argc != 4) {
+ fprintf(stderr, "Usage: %s <verification blob> <image_to_verify> <root_keyb>"
+ "\n", argv[0]);
return -1;
}
- if (VerifySignedFirmware(argv[1], argv[2])) {
+ if (VerifySignedFirmware(argv[3], argv[1], argv[2])) {
fprintf(stderr, "Verification SUCCESS!\n");
return 0;
- }
- else {
+ } else {
fprintf(stderr, "Verification FAILURE!\n");
return -1;
}
diff --git a/vfirmware/firmware_image_fw.c b/vfirmware/firmware_image_fw.c
index 5387d95..1cd5af9 100644
--- a/vfirmware/firmware_image_fw.c
+++ b/vfirmware/firmware_image_fw.c
@@ -115,27 +115,30 @@
int VerifyFirmwareData(RSAPublicKey* firmware_sign_key,
const uint8_t* preamble_start,
- const uint8_t* firmware_data_start,
+ const uint8_t* firmware_data,
uint64_t firmware_len,
int algorithm) {
int signature_len = siglen_map[algorithm];
- uint8_t* digest;
+ int preamble_len = (FIELD_LEN(firmware_version) +
+ FIELD_LEN(firmware_len) +
+ FIELD_LEN(preamble));;
+ uint8_t* digest = NULL;
+ const uint8_t* firmware_signature = NULL;
DigestContext ctx;
/* Since the firmware signature is over the preamble and the firmware data,
* which does not form a contiguous region of memory, we calculate the
* message digest ourselves. */
DigestInit(&ctx, algorithm);
- DigestUpdate(&ctx, preamble_start,
- (FIELD_LEN(firmware_version) +
- FIELD_LEN(firmware_len) +
- FIELD_LEN(preamble)));
- DigestUpdate(&ctx, firmware_data_start + signature_len, firmware_len);
+ DigestUpdate(&ctx, preamble_start, preamble_len);
+ DigestUpdate(&ctx, firmware_data, firmware_len);
digest = DigestFinal(&ctx);
+ /* Firmware signature is at the end of preamble and preamble signature. */
+ firmware_signature = preamble_start + preamble_len + signature_len;
if (!RSAVerifyBinaryWithDigest_f(
NULL, firmware_sign_key, /* Key to use. */
digest, /* Digest of the data to verify. */
- firmware_data_start, /* Expected Signature */
+ firmware_signature, /* Expected Signature */
algorithm)) {
Free(digest);
return VERIFY_FIRMWARE_SIGNATURE_FAILED;
@@ -145,6 +148,7 @@
}
int VerifyFirmware(const uint8_t* root_key_blob,
+ const uint8_t* verification_header_blob,
const uint8_t* firmware_blob) {
int error_code = 0;
int algorithm; /* Signing key algorithm. */
@@ -154,21 +158,24 @@
const uint8_t* header_ptr = NULL; /* Pointer to header. */
const uint8_t* firmware_sign_key_ptr = NULL; /* Pointer to signing key. */
const uint8_t* preamble_ptr = NULL; /* Pointer to preamble block. */
- const uint8_t* firmware_ptr = NULL; /* Pointer to firmware signature/data. */
/* Note: All the offset calculations are based on struct FirmwareImage which
- * is defined in include/firmware_image.h. */
+ * is defined in include/firmware_image_fw.h. */
/* Compare magic bytes. */
- if (SafeMemcmp(firmware_blob, FIRMWARE_MAGIC, FIRMWARE_MAGIC_SIZE))
+ if (SafeMemcmp(verification_header_blob, FIRMWARE_MAGIC,
+ FIRMWARE_MAGIC_SIZE)) {
+ debug("Wrong Firmware Magic.\n");
return VERIFY_FIRMWARE_WRONG_MAGIC;
- header_ptr = firmware_blob + FIRMWARE_MAGIC_SIZE;
+ }
+ header_ptr = verification_header_blob + FIRMWARE_MAGIC_SIZE;
/* Only continue if header verification succeeds. */
if ((error_code = VerifyFirmwareHeader(root_key_blob, header_ptr,
- &algorithm, &header_len)))
+ &algorithm, &header_len))) {
+ debug("Couldn't verify Firmware header.\n");
return error_code; /* AKA jump to revovery. */
-
+ }
/* Parse signing key into RSAPublicKey structure since it is required multiple
* times. */
firmware_sign_key_len = RSAProcessedKeySize(algorithm);
@@ -189,15 +196,9 @@
debug("Couldn't verify Firmware preamble.\n");
return error_code; /* AKA jump to recovery. */
}
- /* Only continue if firmware data verification succeeds. */
- firmware_ptr = (preamble_ptr +
- (FIELD_LEN(firmware_version) + /* Skip the preamble. */
- FIELD_LEN(firmware_len) +
- FIELD_LEN(preamble)) +
- signature_len);
if ((error_code = VerifyFirmwareData(firmware_sign_key, preamble_ptr,
- firmware_ptr,
+ firmware_blob,
firmware_len,
algorithm))) {
RSAPublicKeyFree(firmware_sign_key);
@@ -206,39 +207,41 @@
}
RSAPublicKeyFree(firmware_sign_key);
- return 0; /* Success! */
+ return VERIFY_FIRMWARE_SUCCESS; /* Success! */
}
-uint32_t GetLogicalFirmwareVersion(uint8_t* firmware_blob) {
+uint32_t GetLogicalFirmwareVersion(uint8_t* verification_header_blob) {
uint16_t firmware_key_version;
uint16_t firmware_version;
uint16_t firmware_sign_algorithm;
int firmware_sign_key_len;
Memcpy(&firmware_sign_algorithm,
- firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
- FIELD_LEN(header_len)),
+ verification_header_blob + (FIELD_LEN(magic) + /* Offset to field. */
+ FIELD_LEN(header_len)),
sizeof(firmware_sign_algorithm));
Memcpy(&firmware_key_version,
- firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
- FIELD_LEN(header_len) +
- FIELD_LEN(firmware_sign_algorithm)),
+ verification_header_blob + (FIELD_LEN(magic) + /* Offset to field. */
+ FIELD_LEN(header_len) +
+ FIELD_LEN(firmware_sign_algorithm)),
sizeof(firmware_key_version));
if (firmware_sign_algorithm >= kNumAlgorithms)
return 0;
firmware_sign_key_len = RSAProcessedKeySize(firmware_sign_algorithm);
Memcpy(&firmware_version,
- firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
- FIELD_LEN(header_len) +
- FIELD_LEN(firmware_key_version) +
- firmware_sign_key_len +
- FIELD_LEN(header_checksum) +
- FIELD_LEN(firmware_key_signature)),
+ verification_header_blob + (FIELD_LEN(magic) + /* Offset to field. */
+ FIELD_LEN(header_len) +
+ FIELD_LEN(firmware_key_version) +
+ firmware_sign_key_len +
+ FIELD_LEN(header_checksum) +
+ FIELD_LEN(firmware_key_signature)),
sizeof(firmware_version));
return CombineUint16Pair(firmware_key_version, firmware_version);
}
int VerifyFirmwareDriver_f(uint8_t* root_key_blob,
+ uint8_t* verification_headerA,
uint8_t* firmwareA,
+ uint8_t* verification_headerB,
uint8_t* firmwareB) {
/* Contains the logical firmware version (32-bit) which is calculated as
* (firmware_key_version << 16 | firmware_version) where
@@ -258,20 +261,24 @@
* or corrupted firmware blob will still fail when VerifyFirmware() is called
* on it.
*/
- firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA);
- firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB);
+ firmwareA_lversion = GetLogicalFirmwareVersion(verification_headerA);
+ firmwareB_lversion = GetLogicalFirmwareVersion(verification_headerB);
min_lversion = Min(firmwareA_lversion, firmwareB_lversion);
stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION),
GetStoredVersion(FIRMWARE_VERSION));
/* Always try FirmwareA first. */
- if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA))
+ if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob,
+ verification_headerA,
+ firmwareA))
firmwareA_is_verified = 1;
if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) {
/* Stored version may need to be updated but only if FirmwareB
* is successfully verified and has a logical version greater than
* the stored logical version. */
if (stored_lversion < firmwareB_lversion) {
- if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB)) {
+ if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob,
+ verification_headerB,
+ firmwareB)) {
WriteStoredVersion(FIRMWARE_KEY_VERSION,
(uint16_t) (min_lversion >> 16));
WriteStoredVersion(FIRMWARE_VERSION,
@@ -313,7 +320,9 @@
* If FirmwareB is not a rollback, then we attempt to do the verification.
*/
if (stored_lversion <= firmwareB_lversion &&
- (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB)))
+ (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob,
+ verification_headerB,
+ firmwareB)))
return BOOT_FIRMWARE_B_CONTINUE;
}
/* D'oh: No bootable firmware. */
diff --git a/vfirmware/include/firmware_image_fw.h b/vfirmware/include/firmware_image_fw.h
index dc6db90..8cba176 100644
--- a/vfirmware/include/firmware_image_fw.h
+++ b/vfirmware/include/firmware_image_fw.h
@@ -88,7 +88,7 @@
uint64_t* firmware_len);
/* Checks the signature on the preamble + firmware data at
- * [preamble_start] and [firmware_data_start].
+ * [preamble_start] and [firmware_data].
* The length of the actual firmware data is firmware_len and it is assumed to
* be prepended with the signature whose size depends on the signature_algorithm
* [algorithm]. This signature also covers the preamble data (but not the
@@ -98,21 +98,24 @@
*/
int VerifyFirmwareData(RSAPublicKey* sign_key,
const uint8_t* preamble_start,
- const uint8_t* firmware_data_start,
+ const uint8_t* firmware_data,
uint64_t firmware_len,
int algorithm);
-/* Performs a chained verify of the firmware blob [firmware_blob].
+/* Performs a chained verify of the firmware blob [firmware_blob], using root
+ * key [root_key] and verification header [verification_header_blob].
*
* Returns 0 on success, error code on failure.
*
* NOTE: The length of the firmware blob is derived from reading the fields
- * in the first few bytes of the buffer. This might look risky but in firmware
- * land, the start address of the firmware_blob will always be fixed depending
- * on the memory map on the particular platform. In addition, the signature on
- * length itself is checked early in the verification process for extra safety.
+ * in the first few bytes of the verification header. This might look risky but
+ * in firmware land, the start address of the firmware_blob will always be fixed
+ * depending on the memory map on the particular platform. In addition, the
+ * signature on length itself is checked early in the verification process for
+ * extra safety.
*/
int VerifyFirmware(const uint8_t* root_key_blob,
+ const uint8_t* verification_header_blob,
const uint8_t* firmware_blob);
/* Returns the logical version of a firmware blob which is calculated as
@@ -134,8 +137,9 @@
* BOOT_FIRMWARE_RECOVERY_CONTINUE Jump to recovery mode
*/
int VerifyFirmwareDriver_f(uint8_t* root_key_blob,
+ uint8_t* verification_headerA,
uint8_t* firmwareA,
+ uint8_t* verification_headerB,
uint8_t* firmwareB);
-
#endif /* VBOOT_REFERENCE_FIRMWARE_IMAGE_FW_H_ */