commit 64d04853dc38c4e7421b26ae821e4d5eb14393c3
author Shashank Mittal <mittals@codeaurora.org> Thu Aug 28 15:02:46 2014 -0700
committer Shashank Mittal <mittals@codeaurora.org> Thu Aug 28 16:09:34 2014 -0700
tree 99799328dd8f3206ed3361eeaebce86d0dfb6aee
parent 0e52724b3eb4d409cc55e817fffd3d670f8734df

platform/msm_shared: Add support for verified boot.

Add support to verify boot image before booting up.

Change-Id: Id6c7f6f712d6a267eaebf9814e2ea3ea1910da71

platform/msm_shared/image_verify.c

diff --git a/platform/msm_shared/image_verify.c b/platform/msm_shared/image_verify.c
index 284f8e5..bc2017d 100644
--- a/platform/msm_shared/image_verify.c
+++ b/platform/msm_shared/image_verify.c
@@ -33,6 +33,27 @@
 /*
  * Returns -1 if decryption failed otherwise size of plain_text in bytes
  */
+int image_decrypt_signature_rsa(unsigned char *signature_ptr,
+		unsigned char *plain_text, RSA *rsa_key)
+{
+	int ret = -1;
+
+	if (rsa_key == NULL) {
+		dprintf(CRITICAL, "ERROR: Boot Invalid, RSA_KEY is NULL!\n");
+		return ret;
+	}
+
+	ret = RSA_public_decrypt(SIGNATURE_SIZE, signature_ptr, plain_text,
+				 rsa_key, RSA_PKCS1_PADDING);
+	dprintf(SPEW, "DEBUG openssl: Return of RSA_public_decrypt = %d\n",
+		ret);
+
+	return ret;
+}
+
+/*
+ * Returns -1 if decryption failed otherwise size of plain_text in bytes
+ */
 static int
 image_decrypt_signature(unsigned char *signature_ptr, unsigned char *plain_text)
 {
@@ -66,8 +87,7 @@
 		goto cleanup;
 	}
 
-	ret = RSA_public_decrypt(SIGNATURE_SIZE, signature_ptr, plain_text,
-				 rsa_key, RSA_PKCS1_PADDING);
+	ret = image_decrypt_signature_rsa(signature_ptr, plain_text, rsa_key);
 	dprintf(SPEW, "DEBUG openssl: Return of RSA_public_decrypt = %d\n",
 		ret);
 
@@ -81,6 +101,23 @@
 	return ret;
 }
 
+/* Calculates digest of an image and save it in digest buffer */
+void image_find_digest(unsigned char *image_ptr, unsigned int image_size,
+		unsigned hash_type, unsigned char *digest)
+{
+	/*
+	 * Calculate hash of image and save calculated hash on TZ.
+	 */
+	hash_find(image_ptr, image_size, (unsigned char *)digest, hash_type);
+#ifdef TZ_SAVE_KERNEL_HASH
+	if (hash_type == CRYPTO_AUTH_ALG_SHA256) {
+		save_kernel_hash_cmd(digest);
+		dprintf(INFO, "Image hash saved.\n");
+	} else
+		dprintf(INFO, "image_verify: hash is not SHA-256.\n");
+#endif
+}
+
 /*
  * Returns 1 when image is signed and authorized.
  * Returns 0 when image is unauthorized.
@@ -109,14 +146,8 @@
 	 */
 	hash_size =
 	    (hash_type == CRYPTO_AUTH_ALG_SHA256) ? SHA256_SIZE : SHA1_SIZE;
-	hash_find(image_ptr, image_size, (unsigned char *)&digest, hash_type);
-#ifdef TZ_SAVE_KERNEL_HASH
-	if (hash_type == CRYPTO_AUTH_ALG_SHA256) {
-		save_kernel_hash_cmd(digest);
-		dprintf(INFO, "Image hash saved.\n");
-	} else
-		dprintf(INFO, "image_verify: hash is not SHA-256.\n");
-#endif
+	image_find_digest(image_ptr, image_size, hash_type,
+			(unsigned char *)&digest);
 
 	/*
 	 * Decrypt the pre-calculated expected image hash.