VBoot Reference: Add version checking to for preventing rollbacks.
This CL adds a new function VerifyFirmwareDriver_f() means to be a part of the RO firmware which determine which copy of the firmware to boot from. It is meant to ensure that a particular firmware is only booted if 1) it verifies successfully, 2) its version is newer or equal to current stored version. In addition, the driver function also updates the stored version if needed.
Currently I am using the TLCL API with stub calls, (in fact, most of the TPM interaction is done in rollback_index.c which implements the actual version query/update API) used by the firmware.
Review URL: http://codereview.chromium.org/1241002
diff --git a/utils/Makefile b/utils/Makefile
index 6d5546e..597638e 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -8,12 +8,15 @@
INCLUDES ?= -I../include/
TOP ?= ../
-LIBS = firmware_image.o kernel_image.o signature_digest.o file_keys.o
+LIBS = firmware_image.o kernel_image.o signature_digest.o file_keys.o \
+ rollback_index.o
+
FIRMWARELIBS = $(TOP)/crypto/libcrypto.a $(TOP)/common/libcommon.a
all: dumpRSAPublicKey verify_data file_keys.o signature_digest.o \
firmware_image.o kernel_image.o signature_digest.o \
- signature_digest_utility firmware_utility kernel_utility
+ signature_digest_utility firmware_utility kernel_utility \
+ rollback_index.o
dumpRSAPublicKey: dumpRSAPublicKey.c
$(CC) $(CFLAGS) $< -o $@ -lcrypto
@@ -26,16 +29,15 @@
firmware_utility: firmware_utility.cc $(LIBS) $(FIRMWARELIBS)
$(CXX) $(CFLAGS) $(INCLUDES) -ggdb -D__STDC_LIMIT_MACROS $< \
- -o $@ $(FIRMWARELIBS) $(LIBS) -lcrypto
+ -o $@ $(FIRMWARELIBS) $(LIBS) $(TOP)/common/libcommon.a \
+ -lcrypto
kernel_utility: kernel_utility.cc $(LIBS) $(FIRMWARELIBS)
$(CXX) $(CFLAGS) $(INCLUDES) -ggdb -D__STDC_LIMIT_MACROS $< \
- -o $@ $(FIRMWARELIBS) $(LIBS) -lcrypto
+ -o $@ $(FIRMWARELIBS) $(LIBS) $(TOP)/common/libcommon.a \
+ -lcrypto
-signature_digest.o: signature_digest.c
- $(CC) $(CFLAGS) $(INCLUDES) -c $< -o $@
-
-file_keys.o: file_keys.c
+.c.o:
$(CC) $(CFLAGS) $(INCLUDES) -c $< -o $@
firmware_image.o: firmware_image.c
diff --git a/utils/firmware_image.c b/utils/firmware_image.c
index ab41fec..4098bb2 100644
--- a/utils/firmware_image.c
+++ b/utils/firmware_image.c
@@ -16,6 +16,7 @@
#include "file_keys.h"
#include "padding.h"
+#include "rollback_index.h"
#include "rsa_utility.h"
#include "sha_utility.h"
#include "signature_digest.h"
@@ -97,10 +98,10 @@
}
/* Read pre-processed public half of the sign key. */
- image->firmware_sign_key = (uint8_t*) Malloc(firmware_sign_key_len);
- StatefulMemcpy(&st, image->firmware_sign_key, firmware_sign_key_len);
StatefulMemcpy(&st, &image->firmware_key_version,
FIELD_LEN(firmware_key_version));
+ image->firmware_sign_key = (uint8_t*) Malloc(firmware_sign_key_len);
+ StatefulMemcpy(&st, image->firmware_sign_key, firmware_sign_key_len);
StatefulMemcpy(&st, image->header_checksum, FIELD_LEN(header_checksum));
/* Check whether the header checksum matches. */
@@ -155,10 +156,10 @@
sizeof(image->header_len));
DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm,
sizeof(image->firmware_sign_algorithm));
- DigestUpdate(&ctx, image->firmware_sign_key,
- RSAProcessedKeySize(image->firmware_sign_algorithm));
DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version,
sizeof(image->firmware_key_version));
+ DigestUpdate(&ctx, image->firmware_sign_key,
+ RSAProcessedKeySize(image->firmware_sign_algorithm));
checksum = DigestFinal(&ctx);
Memcpy(header_checksum, checksum, FIELD_LEN(header_checksum));
Free(checksum);
@@ -176,10 +177,10 @@
StatefulMemcpy_r(&st, &image->header_len, FIELD_LEN(header_len));
StatefulMemcpy_r(&st, &image->firmware_sign_algorithm, FIELD_LEN(header_len));
- StatefulMemcpy_r(&st, image->firmware_sign_key,
- RSAProcessedKeySize(image->firmware_sign_algorithm));
StatefulMemcpy_r(&st, &image->firmware_key_version,
FIELD_LEN(firmware_key_version));
+ StatefulMemcpy_r(&st, image->firmware_sign_key,
+ RSAProcessedKeySize(image->firmware_sign_algorithm));
StatefulMemcpy_r(&st, &image->header_checksum, FIELD_LEN(header_checksum));
if (st.remaining_len != 0) { /* Underrun or Overrun. */
@@ -314,6 +315,9 @@
"Preamble Signature Failed.",
"Firmware Signature Failed.",
"Wrong Firmware Magic.",
+ "Invalid Firmware Header Checksum.",
+ "Firmware Signing Key Rollback.",
+ "Firmware Version Rollback."
};
int VerifyFirmwareHeader(const uint8_t* root_key_blob,
@@ -343,7 +347,7 @@
*algorithm = (int) algo;
firmware_sign_key_len = RSAProcessedKeySize(*algorithm);
- /* Verify if header len is correct? */
+ /* Verify that header len is correct. */
if (hlen != (base_header_checksum_offset +
firmware_sign_key_len +
FIELD_LEN(header_checksum)))
@@ -360,19 +364,18 @@
firmware_sign_key_len),
FIELD_LEN(header_checksum))) {
Free(header_checksum);
- return VERIFY_FIRMWARE_INVALID_IMAGE;
+ return VERIFY_FIRMWARE_WRONG_HEADER_CHECKSUM;
}
Free(header_checksum);
- /* Verify root key signature unless we are in dev mode. */
- if (!dev_mode) {
- if (!RSAVerifyBinary_f(root_key_blob, NULL, /* Key to use */
- header_blob, /* Data to verify */
- *header_len, /* Length of data */
- header_blob + *header_len, /* Expected Signature */
- ROOT_SIGNATURE_ALGORITHM))
- return VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED;
- }
+ /* Root key signature on the firmware signing key is always checked
+ * irrespective of dev mode. */
+ if (!RSAVerifyBinary_f(root_key_blob, NULL, /* Key to use */
+ header_blob, /* Data to verify */
+ *header_len, /* Length of data */
+ header_blob + *header_len, /* Expected Signature */
+ ROOT_SIGNATURE_ALGORITHM))
+ return VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED;
return 0;
}
@@ -382,6 +385,10 @@
int* firmware_len) {
uint32_t len;
int preamble_len;
+ uint16_t firmware_version;
+
+ Memcpy(&firmware_version, preamble_blob, sizeof(firmware_version));
+
preamble_len = (FIELD_LEN(firmware_version) +
FIELD_LEN(firmware_len) +
FIELD_LEN(preamble));
@@ -442,7 +449,8 @@
* times. */
firmware_sign_key_len = RSAProcessedKeySize(algorithm);
firmware_sign_key_ptr = header_ptr + (FIELD_LEN(header_len) +
- FIELD_LEN(firmware_sign_algorithm));
+ FIELD_LEN(firmware_sign_algorithm) +
+ FIELD_LEN(firmware_key_version));
firmware_sign_key = RSAPublicKeyFromBuf(firmware_sign_key_ptr,
firmware_sign_key_len);
signature_len = siglen_map[algorithm];
@@ -458,7 +466,7 @@
}
/* Only continue if firmware data verification succeeds. */
firmware_ptr = (preamble_ptr +
- GetFirmwarePreambleLen(NULL) +
+ GetFirmwarePreambleLen(NULL) +
signature_len);
if ((error_code = VerifyFirmwareData(firmware_sign_key, firmware_ptr,
@@ -494,16 +502,21 @@
* 1) verifying the header length is correct.
* 2) header_checksum is correct.
*/
+ /* TODO(gauravsh): The [dev_mode] switch is actually irrelevant
+ * for the firmware verification.
+ * Change this to always verify the root key signature and change
+ * test expectations appropriately.
+ */
if (!dev_mode) {
DigestInit(&ctx, ROOT_SIGNATURE_ALGORITHM);
DigestUpdate(&ctx, (uint8_t*) &image->header_len,
FIELD_LEN(header_len));
DigestUpdate(&ctx, (uint8_t*) &image->firmware_sign_algorithm,
FIELD_LEN(firmware_sign_algorithm));
- DigestUpdate(&ctx, image->firmware_sign_key,
- RSAProcessedKeySize(image->firmware_sign_algorithm));
DigestUpdate(&ctx, (uint8_t*) &image->firmware_key_version,
FIELD_LEN(firmware_key_version));
+ DigestUpdate(&ctx, image->firmware_sign_key,
+ RSAProcessedKeySize(image->firmware_sign_algorithm));
DigestUpdate(&ctx, image->header_checksum,
FIELD_LEN(header_checksum));
header_digest = DigestFinal(&ctx);
@@ -613,3 +626,117 @@
Free(firmware_signature);
return 1;
}
+
+uint32_t GetLogicalFirmwareVersion(uint8_t* firmware_blob) {
+ uint16_t firmware_key_version;
+ uint16_t firmware_version;
+ uint16_t firmware_sign_algorithm;
+ int firmware_sign_key_len;
+ Memcpy(&firmware_sign_algorithm,
+ firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
+ FIELD_LEN(header_len)),
+ sizeof(firmware_sign_algorithm));
+ Memcpy(&firmware_key_version,
+ firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
+ FIELD_LEN(header_len) +
+ FIELD_LEN(firmware_sign_algorithm)),
+ sizeof(firmware_key_version));
+ if (firmware_sign_algorithm >= kNumAlgorithms)
+ return 0;
+ firmware_sign_key_len = RSAProcessedKeySize(firmware_sign_algorithm);
+ Memcpy(&firmware_version,
+ firmware_blob + (FIELD_LEN(magic) + /* Offset to field. */
+ FIELD_LEN(header_len) +
+ FIELD_LEN(firmware_key_version) +
+ firmware_sign_key_len +
+ FIELD_LEN(header_checksum) +
+ FIELD_LEN(firmware_key_signature)),
+ sizeof(firmware_version));
+ return CombineUint16Pair(firmware_key_version, firmware_version);
+}
+
+int VerifyFirmwareDriver_f(uint8_t* root_key_blob,
+ uint8_t* firmwareA,
+ uint8_t* firmwareB) {
+ /* Contains the logical firmware version (32-bit) which is calculated as
+ * (firmware_key_version << 16 | firmware_version) where
+ * [firmware_key_version] [firmware_version] are both 16-bit.
+ */
+ uint32_t firmwareA_lversion, firmwareB_lversion;
+ uint8_t firmwareA_is_verified = 0; /* Whether firmwareA verify succeeded. */
+ uint32_t min_lversion; /* Minimum of firmware A and firmware lversion. */
+ uint32_t stored_lversion; /* Stored logical version in the TPM. */
+
+ /* Initialize the TPM since we'll be reading the rollback indices. */
+ SetupTPM();
+
+ /* We get the key versions by reading directly from the image blobs without
+ * any additional (expensive) sanity checking on the blob since it's faster to
+ * outright reject a firmware with an older firmware key version. A malformed
+ * or corrupted firmware blob will still fail when VerifyFirmware() is called
+ * on it.
+ */
+ firmwareA_lversion = GetLogicalFirmwareVersion(firmwareA);
+ firmwareB_lversion = GetLogicalFirmwareVersion(firmwareB);
+ min_lversion = Min(firmwareA_lversion, firmwareB_lversion);
+ stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION),
+ GetStoredVersion(FIRMWARE_VERSION));
+ /* Always try FirmwareA first. */
+ if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareA,
+ 0))
+ firmwareA_is_verified = 1;
+ if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) {
+ /* Stored version may need to be updated but only if FirmwareB
+ * is successfully verified and has a logical version greater than
+ * the stored logical version. */
+ if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB,
+ 0)) {
+ if (stored_lversion < firmwareB_lversion) {
+ WriteStoredVersion(FIRMWARE_KEY_VERSION,
+ (uint16_t) (min_lversion >> 16));
+ WriteStoredVersion(FIRMWARE_VERSION,
+ (uint16_t) (min_lversion & 0x00FFFF));
+ stored_lversion = min_lversion; /* Update stored version as it's used
+ * later. */
+ }
+ }
+ }
+ /* Lock Firmware TPM rollback indices from further writes. */
+ /* TODO(gauravsh): Figure out if these can be combined into one
+ * 32-bit location since we seem to always use them together. This can help
+ * us minimize the number of NVRAM writes/locks (which are limited over flash
+ * memory lifetimes.
+ */
+ LockStoredVersion(FIRMWARE_KEY_VERSION);
+ LockStoredVersion(FIRMWARE_VERSION);
+
+ /* Determine which firmware (if any) to jump to.
+ *
+ * We always attempt to jump to FirmwareA first. If verification of FirmwareA
+ * fails, we try FirmwareB. In all cases, if the firmware successfully
+ * verified but is a rollback, we jump to recovery.
+ *
+ * Note: This means that if FirmwareA verified successfully and is a
+ * rollback, then no attempt is made to check FirmwareB. We still jump to
+ * recovery. FirmwareB is only used as a backup in case FirmwareA gets
+ * corrupted. Since newer firmware updates are always written to A,
+ * the case where firmware A is verified but a rollback should not occur in
+ * normal operation.
+ */
+ if (firmwareA_is_verified) {
+ if (stored_lversion <= firmwareA_lversion)
+ return BOOT_FIRMWARE_A_CONTINUE;
+ } else {
+ /* If FirmwareA was not valid, then we skipped over the
+ * check to update the rollback indices and a Verify of FirmwareB wasn't
+ * attempted.
+ * If FirmwareB is not a rollback, then we attempt to do the verification.
+ */
+ if (stored_lversion <= firmwareB_lversion &&
+ (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, firmwareB,
+ 0)))
+ return BOOT_FIRMWARE_B_CONTINUE;
+ }
+ /* D'oh: No bootable firmware. */
+ return BOOT_FIRMWARE_RECOVERY_CONTINUE;
+}
diff --git a/utils/rollback_index.c b/utils/rollback_index.c
new file mode 100644
index 0000000..0b65bf4
--- /dev/null
+++ b/utils/rollback_index.c
@@ -0,0 +1,148 @@
+/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Functions for querying, manipulating and locking rollback indices
+ * stored in the TPM NVRAM.
+ */
+
+#include "rollback_index.h"
+
+#include <stdint.h>
+#include <tss/tcs.h>
+
+#include "tlcl.h"
+
+uint16_t g_firmware_key_version = 0;
+uint16_t g_firmware_version = 0;
+uint16_t g_kernel_key_version = 0;
+uint16_t g_kernel_version = 0;
+
+static void InitializeSpaces(void) {
+ uint16_t zero = 0;
+ uint32_t perm = TPM_NV_PER_WRITE_STCLEAR | TPM_NV_PER_PPWRITE;
+
+ printf("Initializing spaces\n");
+ TlclSetNvLocked(); /* useful only the first time */
+
+ TlclDefineSpace(FIRMWARE_KEY_VERSION_NV_INDEX, perm, sizeof(uint16_t));
+ TlclWrite(FIRMWARE_KEY_VERSION_NV_INDEX, (uint8_t*) &zero, sizeof(uint16_t));
+
+ TlclDefineSpace(FIRMWARE_VERSION_NV_INDEX, perm, sizeof(uint16_t));
+ TlclWrite(FIRMWARE_VERSION_NV_INDEX, (uint8_t*) &zero, sizeof(uint16_t));
+
+ TlclDefineSpace(KERNEL_KEY_VERSION_NV_INDEX, perm, sizeof(uint16_t));
+ TlclWrite(KERNEL_KEY_VERSION_NV_INDEX, (uint8_t*) &zero, sizeof(uint16_t));
+
+ TlclDefineSpace(KERNEL_VERSION_NV_INDEX, perm, sizeof(uint16_t));
+ TlclWrite(KERNEL_VERSION_NV_INDEX, (uint8_t*) &zero, sizeof(uint16_t));
+}
+
+static void EnterRecovery(void) {
+ /* Temporary recovery stub. Currently just initalizes spaces. */
+ InitializeSpaces();
+}
+
+static int GetTPMRollbackIndices(void) {
+ /* We just perform the reads, making sure they succeed. A failure means that
+ * the rollback index locations are some how messed up and we must jump to
+ * recovery */
+ if (TPM_SUCCESS != TlclRead(FIRMWARE_KEY_VERSION_NV_INDEX,
+ (uint8_t*) &g_firmware_key_version,
+ sizeof(g_firmware_key_version)) ||
+ TPM_SUCCESS != TlclRead(FIRMWARE_KEY_VERSION_NV_INDEX,
+ (uint8_t*) &g_firmware_key_version,
+ sizeof(g_firmware_key_version)) ||
+ TPM_SUCCESS != TlclRead(FIRMWARE_KEY_VERSION_NV_INDEX,
+ (uint8_t*) &g_firmware_key_version,
+ sizeof(g_firmware_key_version)) ||
+ TPM_SUCCESS != TlclRead(FIRMWARE_KEY_VERSION_NV_INDEX,
+ (uint8_t*) &g_firmware_key_version,
+ sizeof(g_firmware_key_version)))
+ return 0;
+ return 1;
+}
+
+
+void SetupTPM(void) {
+ TlclLibinit();
+ TlclStartup();
+ /* TODO(gauravsh): The call to self test should probably be deferred.
+ * As per semenzato@chromium.org -
+ * TlclStartup should be called before the firmware initializes the memory
+ * controller, so the selftest can run in parallel with that. Here we should
+ * just call TlclSelftestFull to make sure the self test has
+ * completed---unless we want to rely on the NVRAM operations being available
+ * before the selftest completes. */
+ TlclSelftestfull();
+ TlclAssertPhysicalPresence();
+ if (!GetTPMRollbackIndices()) {
+ fprintf(stderr, "Ho Ho Ho! We must jump to recovery.");
+ EnterRecovery();
+ }
+}
+
+
+uint16_t GetStoredVersion(int type) {
+ switch (type) {
+ case FIRMWARE_KEY_VERSION:
+ return g_firmware_key_version;
+ break;
+ case FIRMWARE_VERSION:
+ return g_firmware_version;
+ break;
+ case KERNEL_KEY_VERSION:
+ return g_kernel_key_version;
+ break;
+ case KERNEL_VERSION:
+ return g_kernel_version;
+ break;
+ }
+ return 0;
+}
+
+int WriteStoredVersion(int type, uint16_t version) {
+ switch (type) {
+ case FIRMWARE_KEY_VERSION:
+ return (TPM_SUCCESS == TlclWrite(FIRMWARE_KEY_VERSION_NV_INDEX,
+ (uint8_t*) &version,
+ sizeof(uint16_t)));
+ break;
+ case FIRMWARE_VERSION:
+ return (TPM_SUCCESS == TlclWrite(FIRMWARE_VERSION_NV_INDEX,
+ (uint8_t*) &version,
+ sizeof(uint16_t)));
+ break;
+ case KERNEL_KEY_VERSION:
+ return (TPM_SUCCESS == TlclWrite(KERNEL_KEY_VERSION_NV_INDEX,
+ (uint8_t*) &version,
+ sizeof(uint16_t)));
+ break;
+ case KERNEL_VERSION:
+ return (TPM_SUCCESS == TlclWrite(KERNEL_VERSION_NV_INDEX,
+ (uint8_t*) &version,
+ sizeof(uint16_t)));
+ break;
+ }
+ return 0;
+}
+
+void LockStoredVersion(int type) {
+ /* TODO(gauravsh): Add error checking here to make sure TlclWriteLock
+ * did not fail. We must jump to recovery in that case.
+ */
+ switch (type) {
+ case FIRMWARE_KEY_VERSION:
+ TlclWriteLock(FIRMWARE_KEY_VERSION_NV_INDEX);
+ break;
+ case FIRMWARE_VERSION:
+ TlclWriteLock(FIRMWARE_VERSION_NV_INDEX);
+ break;
+ case KERNEL_KEY_VERSION:
+ TlclWriteLock(KERNEL_KEY_VERSION_NV_INDEX);
+ break;
+ case KERNEL_VERSION:
+ TlclWriteLock(KERNEL_VERSION_NV_INDEX);
+ break;
+ }
+}