platform: msm_shared: Update to image_verify for verified boot
Updates to image_verify for verified boot
Change-Id: Ie7b4cec3555dbb7a49251980c31a27f0d71c4e31
diff --git a/platform/msm_shared/image_verify.c b/platform/msm_shared/image_verify.c
index 0d280f2..2e7366e 100644
--- a/platform/msm_shared/image_verify.c
+++ b/platform/msm_shared/image_verify.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011,2013-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011,2013-2015 The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -25,11 +25,36 @@
* SUCH DAMAGE.
*/
#include <x509.h>
+#include <err.h>
#include <certificate.h>
#include <crypto_hash.h>
+#include <string.h>
+#include <openssl/err.h>
#include "image_verify.h"
#include "scm.h"
+
+/*
+ * Returns -1 if decryption failed otherwise size of plain_text in bytes
+ */
+int image_decrypt_signature_rsa(unsigned char *signature_ptr,
+ unsigned char *plain_text, RSA *rsa_key)
+{
+ int ret = -1;
+
+ if (rsa_key == NULL) {
+ dprintf(CRITICAL, "ERROR: Boot Invalid, RSA_KEY is NULL!\n");
+ return ret;
+ }
+
+ ret = RSA_public_decrypt(SIGNATURE_SIZE, signature_ptr, plain_text,
+ rsa_key, RSA_PKCS1_PADDING);
+ dprintf(SPEW, "DEBUG openssl: Return of RSA_public_decrypt = %d\n",
+ ret);
+
+ return ret;
+}
+
/*
* Returns -1 if decryption failed otherwise size of plain_text in bytes
*/
@@ -41,7 +66,7 @@
*/
int ret = -1;
X509 *x509_certificate = NULL;
- unsigned char *cert_ptr = certBuffer;
+ const unsigned char *cert_ptr = (const unsigned char *)certBuffer;
unsigned int cert_size = sizeof(certBuffer);
EVP_PKEY *pub_key = NULL;
RSA *rsa_key = NULL;
@@ -61,8 +86,7 @@
goto cleanup;
}
- ret = RSA_public_decrypt(SIGNATURE_SIZE, signature_ptr, plain_text,
- rsa_key, RSA_PKCS1_PADDING);
+ ret = image_decrypt_signature_rsa(signature_ptr, plain_text, rsa_key);
dprintf(SPEW, "DEBUG openssl: Return of RSA_public_decrypt = %d\n",
ret);
@@ -76,6 +100,27 @@
return ret;
}
+/* Calculates digest of an image and save it in digest buffer */
+void image_find_digest(unsigned char *image_ptr, unsigned int image_size,
+ unsigned hash_type, unsigned char *digest)
+{
+ /*
+ * Calculate hash of image and save calculated hash on TZ.
+ */
+ hash_find(image_ptr, image_size, (unsigned char *)digest, hash_type);
+}
+
+#ifdef TZ_SAVE_KERNEL_HASH
+void save_kernel_hash(unsigned char *digest, unsigned hash_type)
+{
+ if (hash_type == CRYPTO_AUTH_ALG_SHA256) {
+ save_kernel_hash_cmd(digest);
+ dprintf(INFO, "Image hash saved.\n");
+ } else
+ dprintf(INFO, "image_verify: hash is not SHA-256.\n");
+}
+#endif
+
/*
* Returns 1 when image is signed and authorized.
* Returns 0 when image is unauthorized.
@@ -91,7 +136,7 @@
int auth = 0;
unsigned char *plain_text = NULL;
unsigned int digest[8];
- unsigned int hash_size;
+ int hash_size;
plain_text = (unsigned char *)calloc(sizeof(char), SIGNATURE_SIZE);
if (plain_text == NULL) {
@@ -104,13 +149,10 @@
*/
hash_size =
(hash_type == CRYPTO_AUTH_ALG_SHA256) ? SHA256_SIZE : SHA1_SIZE;
- hash_find(image_ptr, image_size, (unsigned char *)&digest, hash_type);
+ image_find_digest(image_ptr, image_size, hash_type,
+ (unsigned char *)&digest);
#ifdef TZ_SAVE_KERNEL_HASH
- if (hash_type == CRYPTO_AUTH_ALG_SHA256) {
- save_kernel_hash_cmd(digest);
- dprintf(INFO, "Image hash saved.\n");
- } else
- dprintf(INFO, "image_verify: hash is not SHA-256.\n");
+ save_kernel_hash((unsigned char *) &digest, hash_type);
#endif
/*
diff --git a/platform/msm_shared/include/image_verify.h b/platform/msm_shared/include/image_verify.h
index 709aa93..240803f 100644
--- a/platform/msm_shared/include/image_verify.h
+++ b/platform/msm_shared/include/image_verify.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011,2014-2015 The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,6 +27,8 @@
#ifndef __IMAGE_VERIFY_H
#define __IMAGE_VERIFY_H
+#include <x509.h>
+
#define SHA1_SIZE 16
#define SHA256_SIZE 32
/* For keys of length 2048 bits */
@@ -37,4 +39,14 @@
int image_verify(unsigned char *image_ptr,
unsigned char *signature_ptr,
unsigned int image_size, unsigned hash_type);
+
+/* Decrypt signature with RSA public key */
+int image_decrypt_signature_rsa(unsigned char *signature_ptr,
+ unsigned char *plain_text, RSA *rsa_key);
+
+/* Find hash of image */
+void image_find_digest(unsigned char *image_ptr, unsigned int image_size,
+ unsigned hash_type, unsigned char *digest);
+void save_kernel_hash_cmd(void *digest);
+void save_kernel_hash(unsigned char *digest, unsigned hash_type);
#endif