platform/msm_shared/include/boot_verifier.h

/*
 * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *  * Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *  * Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials provided
 *    with the distribution.
 *  * Neither the name of The Linux Foundation nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.

 * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef __BOOT_VERIFIER_H
#define __BOOT_VERIFIER_H

#include <asn1.h>
#include <rsa.h>

/**
 *    AndroidVerifiedBootSignature DEFINITIONS ::=
 *    BEGIN
 *        FormatVersion ::= INTEGER
 *        Certificate ::= Certificate
 *        AlgorithmIdentifier ::=  SEQUENCE {
 *            algorithm OBJECT IDENTIFIER,
 *            parameters ANY DEFINED BY algorithm OPTIONAL
 *        }
 *        AuthenticatedAttributes ::= SEQUENCE {
 *            target CHARACTER STRING,
 *            length INTEGER
 *        }
 *        Signature ::= OCTET STRING
 *     END
 */

typedef struct auth_attr_st
{
	ASN1_PRINTABLESTRING *target;
	ASN1_INTEGER *len;
}AUTH_ATTR;

DECLARE_STACK_OF(AUTH_ATTR)
DECLARE_ASN1_SET_OF(AUTH_ATTR)
DECLARE_ASN1_FUNCTIONS(AUTH_ATTR)

typedef struct verif_boot_sig_st
{
	ASN1_INTEGER *version;
	X509 *certificate;
	X509_ALGOR *algor;
	AUTH_ATTR *auth_attr;
	ASN1_OCTET_STRING *sig;
}VERIFIED_BOOT_SIG;

DECLARE_STACK_OF(VERIFIED_BOOT_SIG)
DECLARE_ASN1_SET_OF(VERIFIED_BOOT_SIG)
DECLARE_ASN1_FUNCTIONS(VERIFIED_BOOT_SIG)

/**
 * AndroidVerifiedBootKeystore DEFINITIONS ::=
 * BEGIN
 *     FormatVersion ::= INTEGER
 *     KeyBag ::= SEQUENCE {
 *         Key  ::= SEQUENCE {
 *             AlgorithmIdentifier  ::=  SEQUENCE {
 *                 algorithm OBJECT IDENTIFIER,
 *                 parameters ANY DEFINED BY algorithm OPTIONAL
 *             }
 *             KeyMaterial ::= RSAPublicKey
 *         }
 *     }
 *     Signature ::= AndroidVerifiedBootSignature
 * END
 */

typedef struct key_st
{
	X509_ALGOR *algorithm_id;
	RSA *key_material;
}KEY;

DECLARE_STACK_OF(KEY)
DECLARE_ASN1_SET_OF(KEY)
DECLARE_ASN1_FUNCTIONS(KEY)

typedef struct keybag_st
{
	KEY *mykey;
}KEYBAG;

DECLARE_STACK_OF(KEYBAG)
DECLARE_ASN1_SET_OF(KEYBAG)
DECLARE_ASN1_FUNCTIONS(KEYBAG)

typedef struct keystore_inner_st
{
	ASN1_INTEGER *version;
	KEYBAG *mykeybag;
}KEYSTORE_INNER;

DECLARE_STACK_OF(KEYSTORE_INNER)
DECLARE_ASN1_SET_OF(KEYSTORE_INNER)
DECLARE_ASN1_FUNCTIONS(KEYSTORE_INNER)

typedef struct keystore_st
{
	ASN1_INTEGER *version;
	KEYBAG *mykeybag;
	VERIFIED_BOOT_SIG *sig;
}KEYSTORE;

DECLARE_STACK_OF(KEYSTORE)
DECLARE_ASN1_SET_OF(KEYSTORE)
DECLARE_ASN1_FUNCTIONS(KEYSTORE)

enum boot_state
{
	GREEN,
	ORANGE,
	YELLOW,
	RED,
	BOOT_STATE_MAX = (uint32_t)0xFFFFFFFF,
};

struct verified_boot_verity_mode
{
	bool verity_mode_enforcing;
	char *name;
};

struct verified_boot_state_name
{
	uint32_t boot_state;
	char *name;
};

enum boot_verfiy_event
{
	BOOT_INIT,
	DEV_UNLOCK,
	BOOTIMG_EMBEDDED_CERT_VERIFICATION_PASS,
	BOOTIMG_KEYSTORE_VERIFICATION_PASS,
	BOOTIMG_VERIFICATION_FAIL,
	USER_DENIES,
};

extern char KEYSTORE_PTN_NAME[];
/* Function to initialize keystore */
uint32_t boot_verify_keystore_init();
/* Function to verify boot/recovery image */
bool boot_verify_image(unsigned char* img_addr, uint32_t img_size, char *pname, uint32_t *bs);
/* Function to send event to boot state machine */
void boot_verify_send_event(uint32_t event);
/* Read current boot state */
uint32_t boot_verify_get_state();
/* Print current boot state */
void boot_verify_print_state();
/* Function to validate keystore */
bool boot_verify_validate_keystore(unsigned char * user_addr, unsigned sz);
/* Function to send root of trust to trust zone */
bool send_rot_command(uint32_t is_unlocked);
/* function to set the os version and patch level. */
void set_os_version(unsigned char* img_addr);
unsigned char* get_boot_fingerprint(unsigned int* buf_size);
bool boot_verify_compare_sha256(unsigned char *image_ptr,
		unsigned int image_size, unsigned char *signature_ptr, RSA *rsa);
KEYSTORE *boot_gerity_get_oem_keystore();
uint32_t read_der_message_length(unsigned char* input, unsigned sz);
/* Function to set verified boot hash in keymaster */
int set_verified_boot_hash (const char *vbh, size_t vbh_size);
#endif