platform/msm_shared/include/boot_verifier.h - kernel/lk - Gitiles

 /*
  * Copyright (c) 2014-2015 The Linux Foundation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *  * Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  *  * Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
  *    the documentation and/or other materials provided with the
  *    distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #ifndef __BOOT_VERIFIER_H
 #define __BOOT_VERIFIER_H

 #include <asn1.h>
 #include <rsa.h>

 /**
  *    AndroidVerifiedBootSignature DEFINITIONS ::=
  *    BEGIN
  *        FormatVersion ::= INTEGER
  *        AlgorithmIdentifier ::=  SEQUENCE {
  *            algorithm OBJECT IDENTIFIER,
  *            parameters ANY DEFINED BY algorithm OPTIONAL
  *        }
  *        AuthenticatedAttributes ::= SEQUENCE {
  *            target CHARACTER STRING,
  *            length INTEGER
  *        }
  *        Signature ::= OCTET STRING
  *     END
  */

 typedef struct auth_attr_st
 {
 	ASN1_PRINTABLESTRING *target;
 	ASN1_INTEGER *len;
 }AUTH_ATTR;

 DECLARE_STACK_OF(AUTH_ATTR)
 DECLARE_ASN1_SET_OF(AUTH_ATTR)
 DECLARE_ASN1_FUNCTIONS(AUTH_ATTR)

 typedef struct verif_boot_sig_st
 {
 	ASN1_INTEGER *version;
 	X509 *certificate;
 	X509_ALGOR *algor;
 	AUTH_ATTR *auth_attr;
 	ASN1_OCTET_STRING *sig;
 }VERIFIED_BOOT_SIG;

 DECLARE_STACK_OF(VERIFIED_BOOT_SIG)
 DECLARE_ASN1_SET_OF(VERIFIED_BOOT_SIG)
 DECLARE_ASN1_FUNCTIONS(VERIFIED_BOOT_SIG)

 /**
  * AndroidVerifiedBootKeystore DEFINITIONS ::=
  * BEGIN
  *     FormatVersion ::= INTEGER
  *     KeyBag ::= SEQUENCE {
  *         Key  ::= SEQUENCE {
  *             AlgorithmIdentifier  ::=  SEQUENCE {
  *                 algorithm OBJECT IDENTIFIER,
  *                 parameters ANY DEFINED BY algorithm OPTIONAL
  *             }
  *             KeyMaterial ::= RSAPublicKey
  *         }
  *     }
  *     Signature ::= AndroidVerifiedBootSignature
  * END
  */

 typedef struct key_st
 {
 	X509_ALGOR *algorithm_id;
 	RSA *key_material;
 }KEY;

 DECLARE_STACK_OF(KEY)
 DECLARE_ASN1_SET_OF(KEY)
 DECLARE_ASN1_FUNCTIONS(KEY)

 typedef struct keybag_st
 {
 	KEY *mykey;
 }KEYBAG;

 DECLARE_STACK_OF(KEYBAG)
 DECLARE_ASN1_SET_OF(KEYBAG)
 DECLARE_ASN1_FUNCTIONS(KEYBAG)

 typedef struct keystore_inner_st
 {
 	ASN1_INTEGER *version;
 	KEYBAG *mykeybag;
 }KEYSTORE_INNER;

 DECLARE_STACK_OF(KEYSTORE_INNER)
 DECLARE_ASN1_SET_OF(KEYSTORE_INNER)
 DECLARE_ASN1_FUNCTIONS(KEYSTORE_INNER)

 typedef struct keystore_st
 {
 	ASN1_INTEGER *version;
 	KEYBAG *mykeybag;
 	VERIFIED_BOOT_SIG *sig;
 }KEYSTORE;

 DECLARE_STACK_OF(KEYSTORE)
 DECLARE_ASN1_SET_OF(KEYSTORE)
 DECLARE_ASN1_FUNCTIONS(KEYSTORE)

 enum boot_state
 {
 	GREEN,
 	ORANGE,
 	YELLOW,
 	RED,
 };

 enum boot_verfiy_event
 {
 	BOOT_INIT,
 	DEV_UNLOCK,
 	KEYSTORE_VERIFICATION_FAIL,
 	BOOT_VERIFICATION_FAIL,
 	USER_DENIES,
 };

 extern char KEYSTORE_PTN_NAME[];
 /* Function to initialize keystore */
 uint32_t boot_verify_keystore_init();
 /* Function to verify boot/recovery image */
 bool boot_verify_image(unsigned char* img_addr, uint32_t img_size, char *pname);
 /* Function to send event to boot state machine */
 void boot_verify_send_event(uint32_t event);
 /* Read current boot state */
 uint32_t boot_verify_get_state();
 /* Print current boot state */
 void boot_verify_print_state();
 /* Function to validate keystore */
 bool boot_verify_validate_keystore(unsigned char * user_addr);
 /* Function to check if partition is allowed to flash in verified mode */
 bool boot_verify_flash_allowed(const char * entry);
 bool boot_verify_compare_sha256(unsigned char *image_ptr,
 		unsigned int image_size, unsigned char *signature_ptr, RSA *rsa);
 KEYSTORE *boot_gerity_get_oem_keystore();
 #endif
	/*
	* Copyright (c) 2014-2015 The Linux Foundation. All rights reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* * Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* * Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in
	* the documentation and/or other materials provided with the
	* distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
	* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
	* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
	* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	* SUCH DAMAGE.
	*/
	#ifndef __BOOT_VERIFIER_H
	#define __BOOT_VERIFIER_H

	#include <asn1.h>
	#include <rsa.h>

	/**
	* AndroidVerifiedBootSignature DEFINITIONS ::=
	* BEGIN
	* FormatVersion ::= INTEGER
	* AlgorithmIdentifier ::= SEQUENCE {
	* algorithm OBJECT IDENTIFIER,
	* parameters ANY DEFINED BY algorithm OPTIONAL
	* }
	* AuthenticatedAttributes ::= SEQUENCE {
	* target CHARACTER STRING,
	* length INTEGER
	* }
	* Signature ::= OCTET STRING
	* END
	*/

	typedef struct auth_attr_st
	{
	ASN1_PRINTABLESTRING *target;
	ASN1_INTEGER *len;
	}AUTH_ATTR;

	DECLARE_STACK_OF(AUTH_ATTR)
	DECLARE_ASN1_SET_OF(AUTH_ATTR)
	DECLARE_ASN1_FUNCTIONS(AUTH_ATTR)

	typedef struct verif_boot_sig_st
	{
	ASN1_INTEGER *version;
	X509 *certificate;
	X509_ALGOR *algor;
	AUTH_ATTR *auth_attr;
	ASN1_OCTET_STRING *sig;
	}VERIFIED_BOOT_SIG;

	DECLARE_STACK_OF(VERIFIED_BOOT_SIG)
	DECLARE_ASN1_SET_OF(VERIFIED_BOOT_SIG)
	DECLARE_ASN1_FUNCTIONS(VERIFIED_BOOT_SIG)

	/**
	* AndroidVerifiedBootKeystore DEFINITIONS ::=
	* BEGIN
	* FormatVersion ::= INTEGER
	* KeyBag ::= SEQUENCE {
	* Key ::= SEQUENCE {
	* AlgorithmIdentifier ::= SEQUENCE {
	* algorithm OBJECT IDENTIFIER,
	* parameters ANY DEFINED BY algorithm OPTIONAL
	* }
	* KeyMaterial ::= RSAPublicKey
	* }
	* }
	* Signature ::= AndroidVerifiedBootSignature
	* END
	*/

	typedef struct key_st
	{
	X509_ALGOR *algorithm_id;
	RSA *key_material;
	}KEY;

	DECLARE_STACK_OF(KEY)
	DECLARE_ASN1_SET_OF(KEY)
	DECLARE_ASN1_FUNCTIONS(KEY)

	typedef struct keybag_st
	{
	KEY *mykey;
	}KEYBAG;

	DECLARE_STACK_OF(KEYBAG)
	DECLARE_ASN1_SET_OF(KEYBAG)
	DECLARE_ASN1_FUNCTIONS(KEYBAG)

	typedef struct keystore_inner_st
	{
	ASN1_INTEGER *version;
	KEYBAG *mykeybag;
	}KEYSTORE_INNER;

	DECLARE_STACK_OF(KEYSTORE_INNER)
	DECLARE_ASN1_SET_OF(KEYSTORE_INNER)
	DECLARE_ASN1_FUNCTIONS(KEYSTORE_INNER)

	typedef struct keystore_st
	{
	ASN1_INTEGER *version;
	KEYBAG *mykeybag;
	VERIFIED_BOOT_SIG *sig;
	}KEYSTORE;

	DECLARE_STACK_OF(KEYSTORE)
	DECLARE_ASN1_SET_OF(KEYSTORE)
	DECLARE_ASN1_FUNCTIONS(KEYSTORE)

	enum boot_state
	{
	GREEN,
	ORANGE,
	YELLOW,
	RED,
	};

	enum boot_verfiy_event
	{
	BOOT_INIT,
	DEV_UNLOCK,
	KEYSTORE_VERIFICATION_FAIL,
	BOOT_VERIFICATION_FAIL,
	USER_DENIES,
	};

	extern char KEYSTORE_PTN_NAME[];
	/* Function to initialize keystore */
	uint32_t boot_verify_keystore_init();
	/* Function to verify boot/recovery image */
	bool boot_verify_image(unsigned char* img_addr, uint32_t img_size, char *pname);
	/* Function to send event to boot state machine */
	void boot_verify_send_event(uint32_t event);
	/* Read current boot state */
	uint32_t boot_verify_get_state();
	/* Print current boot state */
	void boot_verify_print_state();
	/* Function to validate keystore */
	bool boot_verify_validate_keystore(unsigned char * user_addr);
	/* Function to check if partition is allowed to flash in verified mode */
	bool boot_verify_flash_allowed(const char * entry);
	bool boot_verify_compare_sha256(unsigned char *image_ptr,
	unsigned int image_size, unsigned char signature_ptr, RSA rsa);
	KEYSTORE *boot_gerity_get_oem_keystore();
	#endif