Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 1 | /* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved. |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 2 | * |
| 3 | * Redistribution and use in source and binary forms, with or without |
| 4 | * modification, are permitted provided that the following conditions are |
| 5 | * met: |
| 6 | * * Redistributions of source code must retain the above copyright |
| 7 | * notice, this list of conditions and the following disclaimer. |
| 8 | * * Redistributions in binary form must reproduce the above |
| 9 | * copyright notice, this list of conditions and the following |
| 10 | * disclaimer in the documentation and/or other materials provided |
| 11 | * with the distribution. |
| 12 | * * Neither the name of The Linux Foundation nor the names of its |
| 13 | * contributors may be used to endorse or promote products derived |
| 14 | * from this software without specific prior written permission. |
| 15 | * |
| 16 | * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| 17 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| 18 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| 23 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| 24 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| 25 | * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| 26 | * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | */ |
| 28 | |
| 29 | #include <debug.h> |
| 30 | #include <dev/fbcon.h> |
| 31 | #include <target.h> |
| 32 | #include <mmc.h> |
| 33 | #include <partition_parser.h> |
| 34 | #include <platform.h> |
| 35 | #include <crypto_hash.h> |
| 36 | #include <malloc.h> |
| 37 | #include <sha.h> |
| 38 | #include <string.h> |
| 39 | #include <rand.h> |
| 40 | #include <stdlib.h> |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 41 | #include <boot_verifier.h> |
| 42 | #include <image_verify.h> |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 43 | #include "scm.h" |
| 44 | #include "mdtp.h" |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 45 | #include "mdtp_fs.h" |
| 46 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 47 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 48 | #define DIP_ENCRYPT (0) |
| 49 | #define DIP_DECRYPT (1) |
| 50 | #define MAX_CIPHER_DIP_SCM_CALLS (3) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 51 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 52 | #define MDTP_MAJOR_VERSION (0) |
| 53 | #define MDTP_MINOR_VERSION (2) |
| 54 | |
Reut Zysman | d713862 | 2016-01-18 14:43:59 +0200 | [diff] [blame] | 55 | #define MDTP_CORRECT_PIN_DELAY_MSEC (1000) |
| 56 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 57 | /** Extract major version number from complete version. */ |
| 58 | #define MDTP_GET_MAJOR_VERSION(version) ((version) >> 16) |
| 59 | |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 60 | static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified); |
| 61 | static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip); |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 62 | static void mdtp_tzbsp_disallow_cipher_DIP(void); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 63 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 64 | uint32_t g_mdtp_version = (((MDTP_MAJOR_VERSION << 16) & 0xFFFF0000) | (MDTP_MINOR_VERSION & 0x0000FFFF)); |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 65 | static int is_mdtp_activated = -1; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 66 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 67 | int check_aboot_addr_range_overlap(uint32_t start, uint32_t size); |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 68 | int scm_random(uint32_t * rbuf, uint32_t r_len); |
Reut Zysman | d713862 | 2016-01-18 14:43:59 +0200 | [diff] [blame] | 69 | extern void mdelay(unsigned msecs); |
Rami Butstein | faecf7f | 2015-06-04 16:39:30 +0300 | [diff] [blame] | 70 | void free_mdtp_image(void); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 71 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 72 | /********************************************************************************/ |
| 73 | |
| 74 | /* Read the DIP from EMMC */ |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 75 | static int read_DIP(DIP_t *dip) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 76 | { |
| 77 | unsigned long long ptn = 0; |
| 78 | uint32_t actual_partition_size; |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 79 | uint32_t block_size = mmc_get_device_blocksize(); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 80 | |
| 81 | int index = INVALID_PTN; |
| 82 | |
| 83 | ASSERT(dip != NULL); |
| 84 | |
| 85 | index = partition_get_index("dip"); |
| 86 | ptn = partition_get_offset(index); |
| 87 | |
| 88 | if(ptn == 0) |
| 89 | { |
| 90 | return -1; |
| 91 | } |
| 92 | |
| 93 | actual_partition_size = ROUNDUP(sizeof(DIP_t), block_size); |
| 94 | |
| 95 | if(mmc_read(ptn, (void *)dip, actual_partition_size)) |
| 96 | { |
| 97 | dprintf(CRITICAL, "mdtp: read_DIP: ERROR, cannot read DIP info\n"); |
| 98 | return -1; |
| 99 | } |
| 100 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 101 | dprintf(SPEW, "mdtp: read_DIP: SUCCESS, read %d bytes\n", actual_partition_size); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 102 | |
| 103 | return 0; |
| 104 | } |
| 105 | |
| 106 | /* Store the DIP into the EMMC */ |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 107 | static int write_DIP(DIP_t *dip) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 108 | { |
| 109 | unsigned long long ptn = 0; |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 110 | uint32_t block_size = mmc_get_device_blocksize(); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 111 | |
| 112 | int index = INVALID_PTN; |
| 113 | |
| 114 | ASSERT(dip != NULL); |
| 115 | |
| 116 | index = partition_get_index("dip"); |
| 117 | ptn = partition_get_offset(index); |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 118 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 119 | if(ptn == 0) |
| 120 | { |
| 121 | return -1; |
| 122 | } |
| 123 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 124 | if(mmc_write(ptn, ROUNDUP(sizeof(DIP_t), block_size), (void *)dip)) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 125 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 126 | dprintf(CRITICAL, "mdtp: write_DIP: ERROR, cannot write DIP info\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 127 | return -1; |
| 128 | } |
| 129 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 130 | dprintf(SPEW, "mdtp: write_DIP: SUCCESS, write %d bytes\n", ROUNDUP(sizeof(DIP_t), block_size)); |
| 131 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 132 | return 0; |
| 133 | } |
| 134 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 135 | /* Deactivate MDTP by storing the default DIP into the EMMC */ |
| 136 | static void write_deactivated_DIP() |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 137 | { |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 138 | DIP_t *enc_dip; |
| 139 | DIP_t *dec_dip; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 140 | int ret; |
| 141 | |
| 142 | enc_dip = malloc(sizeof(DIP_t)); |
| 143 | if (enc_dip == NULL) |
| 144 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 145 | dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot allocate DIP\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 146 | return; |
| 147 | } |
| 148 | |
| 149 | dec_dip = malloc(sizeof(DIP_t)); |
| 150 | if (dec_dip == NULL) |
| 151 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 152 | dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot allocate DIP\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 153 | free(enc_dip); |
| 154 | return; |
| 155 | } |
| 156 | |
| 157 | memset(dec_dip, 0, sizeof(DIP_t)); |
| 158 | |
| 159 | dec_dip->status = DIP_STATUS_DEACTIVATED; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 160 | dec_dip->version = g_mdtp_version; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 161 | |
| 162 | ret = mdtp_tzbsp_enc_hash_DIP(dec_dip, enc_dip); |
| 163 | if(ret < 0) |
| 164 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 165 | dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot cipher DIP\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 166 | goto out; |
| 167 | } |
| 168 | |
| 169 | ret = write_DIP(enc_dip); |
| 170 | if(ret < 0) |
| 171 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 172 | dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot write DIP\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 173 | goto out; |
| 174 | } |
| 175 | |
| 176 | out: |
| 177 | free(enc_dip); |
| 178 | free(dec_dip); |
| 179 | } |
| 180 | |
| 181 | /* Validate a hash calculated on entire given partition */ |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 182 | static int verify_partition_single_hash(char *name, uint64_t size, DIP_hash_table_entry_t *hash_table) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 183 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 184 | unsigned char digest[HASH_LEN]={0}; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 185 | unsigned long long ptn = 0; |
| 186 | int index = INVALID_PTN; |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 187 | unsigned char *buf = (unsigned char *)target_get_scratch_address() + MDTP_SCRATCH_OFFSET; |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 188 | uint32_t block_size = mmc_get_device_blocksize(); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 189 | uint64_t actual_partition_size = ROUNDUP(size, block_size); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 190 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 191 | dprintf(SPEW, "mdtp: verify_partition_single_hash: %s, %llu\n", name, size); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 192 | |
| 193 | ASSERT(name != NULL); |
| 194 | ASSERT(hash_table != NULL); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 195 | ASSERT(size > 0); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 196 | |
| 197 | index = partition_get_index(name); |
| 198 | ptn = partition_get_offset(index); |
| 199 | |
| 200 | if(ptn == 0) { |
| 201 | dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: partition was not found\n", name); |
| 202 | return -1; |
| 203 | } |
| 204 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 205 | if (mmc_read(ptn, (void *)buf, actual_partition_size)) |
| 206 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 207 | dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: mmc_read() fail.\n", name); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 208 | return -1; |
| 209 | } |
| 210 | |
Amit Blay | fe64921 | 2015-01-25 11:21:10 +0200 | [diff] [blame] | 211 | /* calculating the hash value using HW crypto */ |
| 212 | target_crypto_init_params(); |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 213 | |
| 214 | if(strcmp(name, "mdtp") == 0){ |
| 215 | buf[0] = 0; // removes first byte |
| 216 | dprintf(INFO, "mdtp: verify_partition_single_hash: removes 1st byte\n"); |
| 217 | } |
| 218 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 219 | hash_find(buf, size, digest, CRYPTO_AUTH_ALG_SHA256); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 220 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 221 | if (memcmp(digest, hash_table->hash, HASH_LEN)) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 222 | { |
| 223 | dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: Failed partition hash verification\n", name); |
| 224 | |
| 225 | return -1; |
| 226 | } |
| 227 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 228 | dprintf(SPEW, "verify_partition_single_hash: %s: VERIFIED!\n", name); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 229 | |
| 230 | return 0; |
| 231 | } |
| 232 | |
| 233 | /* Validate a hash table calculated per block of a given partition */ |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 234 | static int verify_partition_block_hash(char *name, |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 235 | uint64_t size, |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 236 | uint32_t verify_num_blocks, |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 237 | DIP_hash_table_entry_t *hash_table, |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 238 | uint8_t *force_verify_block) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 239 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 240 | unsigned char digest[HASH_LEN]={0}; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 241 | unsigned long long ptn = 0; |
| 242 | int index = INVALID_PTN; |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 243 | unsigned char *buf = (unsigned char *)target_get_scratch_address() + MDTP_SCRATCH_OFFSET; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 244 | uint32_t bytes_to_read; |
| 245 | uint32_t block_num = 0; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 246 | uint32_t total_num_blocks = ((size - 1) / MDTP_FWLOCK_BLOCK_SIZE) + 1; |
| 247 | uint32_t rand_int; |
| 248 | uint32_t block_size = mmc_get_device_blocksize(); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 249 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 250 | dprintf(SPEW, "mdtp: verify_partition_block_hash: %s, %llu\n", name, size); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 251 | |
| 252 | ASSERT(name != NULL); |
| 253 | ASSERT(hash_table != NULL); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 254 | ASSERT(size > 0); |
| 255 | ASSERT(force_verify_block != NULL); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 256 | |
| 257 | index = partition_get_index(name); |
| 258 | ptn = partition_get_offset(index); |
| 259 | |
| 260 | if(ptn == 0) { |
| 261 | dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: partition was not found\n", name); |
| 262 | return -1; |
| 263 | } |
| 264 | |
Amit Blay | fe64921 | 2015-01-25 11:21:10 +0200 | [diff] [blame] | 265 | /* initiating parameters for hash calculation using HW crypto */ |
| 266 | target_crypto_init_params(); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 267 | if (check_aboot_addr_range_overlap((uint32_t)buf, ROUNDUP(MDTP_FWLOCK_BLOCK_SIZE, block_size))) |
| 268 | { |
| 269 | dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: image buffer address overlaps with aboot addresses.\n", name); |
| 270 | return -1; |
| 271 | } |
Amit Blay | fe64921 | 2015-01-25 11:21:10 +0200 | [diff] [blame] | 272 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 273 | while (MDTP_FWLOCK_BLOCK_SIZE * block_num < size) |
| 274 | { |
| 275 | if (*force_verify_block == 0) |
| 276 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 277 | if(scm_random((uint32_t *)&rand_int, sizeof(rand_int))) |
| 278 | { |
| 279 | dprintf(CRITICAL,"mdtp: scm_call for random failed\n"); |
| 280 | return -1; |
| 281 | } |
| 282 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 283 | /* Skip validation of this block with probability of verify_num_blocks / total_num_blocks */ |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 284 | if ((rand_int % total_num_blocks) >= verify_num_blocks) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 285 | { |
| 286 | block_num++; |
| 287 | hash_table += 1; |
| 288 | force_verify_block += 1; |
| 289 | dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: skipped verification of block %d\n", name, block_num); |
| 290 | continue; |
| 291 | } |
| 292 | } |
| 293 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 294 | if ((size - (MDTP_FWLOCK_BLOCK_SIZE * block_num) < MDTP_FWLOCK_BLOCK_SIZE)) |
| 295 | { |
| 296 | bytes_to_read = size - (MDTP_FWLOCK_BLOCK_SIZE * block_num); |
| 297 | } else |
| 298 | { |
| 299 | bytes_to_read = MDTP_FWLOCK_BLOCK_SIZE; |
| 300 | } |
| 301 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 302 | if (mmc_read(ptn + (MDTP_FWLOCK_BLOCK_SIZE * block_num), (void *)buf, ROUNDUP(bytes_to_read, block_size))) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 303 | { |
| 304 | dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: mmc_read() fail.\n", name); |
| 305 | return -1; |
| 306 | } |
| 307 | |
Amit Blay | fe64921 | 2015-01-25 11:21:10 +0200 | [diff] [blame] | 308 | /* calculating the hash value using HW */ |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 309 | hash_find(buf, bytes_to_read, digest, CRYPTO_AUTH_ALG_SHA256); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 310 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 311 | if (memcmp(digest, hash_table->hash, HASH_LEN)) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 312 | { |
| 313 | dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: Failed partition hash[%d] verification\n", name, block_num); |
| 314 | return -1; |
| 315 | } |
| 316 | |
| 317 | block_num++; |
| 318 | hash_table += 1; |
| 319 | force_verify_block += 1; |
| 320 | } |
| 321 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 322 | dprintf(SPEW, "verify_partition_block_hash: %s: VERIFIED!\n", name); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 323 | |
| 324 | return 0; |
| 325 | } |
| 326 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 327 | /* Validate the partition parameters read from DIP */ |
| 328 | static int validate_partition_params(uint64_t size, |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 329 | mdtp_fwlock_mode_t hash_mode, |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 330 | uint32_t verify_ratio) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 331 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 332 | if (size == 0 || size > (uint64_t)MDTP_FWLOCK_BLOCK_SIZE * (uint64_t)MAX_BLOCKS || |
| 333 | hash_mode >= MDTP_FWLOCK_MODE_SIZE || verify_ratio > 100) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 334 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 335 | dprintf(CRITICAL, "mdtp: validate_partition_params: error, size=%llu, hash_mode=%d, verify_ratio=%d\n", |
| 336 | size, hash_mode, verify_ratio); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 337 | return -1; |
| 338 | } |
| 339 | |
| 340 | return 0; |
| 341 | } |
| 342 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 343 | /* Verify a given partitinon */ |
| 344 | static int verify_partition(char *name, |
| 345 | uint64_t size, |
| 346 | mdtp_fwlock_mode_t hash_mode, |
| 347 | uint32_t verify_num_blocks, |
| 348 | DIP_hash_table_entry_t *hash_table, |
| 349 | uint8_t *force_verify_block) |
| 350 | { |
| 351 | if (hash_mode == MDTP_FWLOCK_MODE_SINGLE) |
| 352 | { |
| 353 | return verify_partition_single_hash(name, size, hash_table); |
| 354 | } else if (hash_mode == MDTP_FWLOCK_MODE_BLOCK || hash_mode == MDTP_FWLOCK_MODE_FILES) |
| 355 | { |
| 356 | return verify_partition_block_hash(name, size, verify_num_blocks, hash_table, force_verify_block); |
| 357 | } |
| 358 | |
| 359 | /* Illegal value of hash_mode */ |
| 360 | return -1; |
| 361 | } |
| 362 | |
| 363 | static int validate_dip(DIP_t *dip) |
| 364 | { |
| 365 | uint8_t *dip_p; |
| 366 | |
| 367 | ASSERT(dip != NULL); |
| 368 | |
| 369 | /* Make sure DIP version is supported by current SW */ |
| 370 | if (MDTP_GET_MAJOR_VERSION(dip->version) != MDTP_MAJOR_VERSION) |
| 371 | { |
| 372 | dprintf(CRITICAL, "mdtp: validate_dip: Wrong DIP version 0x%x\n", dip->version); |
| 373 | return -1; |
| 374 | } |
| 375 | |
| 376 | /* Make sure that deactivated DIP content is as expected */ |
| 377 | if (dip->status == DIP_STATUS_DEACTIVATED) |
| 378 | { |
| 379 | dip_p = (uint8_t*)&dip->mdtp_cfg; |
| 380 | while (dip_p < dip->hash) |
| 381 | { |
| 382 | if (*dip_p != 0) |
| 383 | { |
| 384 | dprintf(CRITICAL, "mdtp: validate_dip: error in deactivated DIP\n"); |
| 385 | return -1; |
| 386 | } |
| 387 | dip_p++; |
| 388 | } |
| 389 | } |
| 390 | |
| 391 | return 0; |
| 392 | } |
| 393 | |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 394 | /* Display the recovery UI in case mdtp image is corrupted */ |
| 395 | static void display_mdtp_fail_recovery_ui(){ |
| 396 | display_error_msg_mdtp(); |
| 397 | } |
| 398 | |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 399 | /* Display the recovery UI to allow the user to enter the PIN and continue boot */ |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 400 | static void display_recovery_ui(mdtp_cfg_t *mdtp_cfg) |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 401 | { |
| 402 | uint32_t pin_length = 0; |
| 403 | char entered_pin[MDTP_MAX_PIN_LEN+1] = {0}; |
| 404 | uint32_t i; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 405 | char pin_mismatch = 0; |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 406 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 407 | if (mdtp_cfg->enable_local_pin_authentication) |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 408 | { |
| 409 | dprintf(SPEW, "mdtp: display_recovery_ui: Local deactivation enabled\n"); |
| 410 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 411 | pin_length = strlen(mdtp_cfg->mdtp_pin.mdtp_pin); |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 412 | |
| 413 | if (pin_length > MDTP_MAX_PIN_LEN || pin_length < MDTP_MIN_PIN_LEN) |
| 414 | { |
| 415 | dprintf(CRITICAL, "mdtp: display_recovery_ui: Error, invalid PIN length\n"); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 416 | display_error_msg(); /* This will never return */ |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 417 | } |
| 418 | |
| 419 | // Set entered_pin to initial '0' string + null terminator |
| 420 | for (i=0; i<pin_length; i++) |
| 421 | { |
| 422 | entered_pin[i] = '0'; |
| 423 | } |
| 424 | |
| 425 | // Allow the user to enter the PIN as many times as he wishes |
| 426 | // (with INVALID_PIN_DELAY_MSECONDS after each failed attempt) |
| 427 | while (1) |
| 428 | { |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 429 | get_pin_from_user(entered_pin, pin_length); |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 430 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 431 | // Go over the entire PIN in any case, to prevent side-channel attacks |
| 432 | for (i=0; i<pin_length; i++) |
| 433 | { |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 434 | pin_mismatch |= mdtp_cfg->mdtp_pin.mdtp_pin[i] ^ entered_pin[i]; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 435 | } |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 436 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 437 | if (0 == pin_mismatch) |
| 438 | { |
| 439 | // Valid PIN - deactivate and continue boot |
| 440 | dprintf(SPEW, "mdtp: display_recovery_ui: valid PIN, continue boot\n"); |
| 441 | write_deactivated_DIP(); |
Rami Butstein | faecf7f | 2015-06-04 16:39:30 +0300 | [diff] [blame] | 442 | goto out; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 443 | } |
| 444 | else |
| 445 | { |
| 446 | // Invalid PIN - display an appropriate message (which also includes a wait |
| 447 | // for INVALID_PIN_DELAY_MSECONDS), and allow the user to try again |
| 448 | dprintf(CRITICAL, "mdtp: display_recovery_ui: ERROR, invalid PIN\n"); |
| 449 | display_invalid_pin_msg(); |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 450 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 451 | pin_mismatch = 0; |
| 452 | } |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 453 | } |
| 454 | } |
| 455 | else |
| 456 | { |
| 457 | dprintf(CRITICAL, "mdtp: display_recovery_ui: Local deactivation disabled, unable to display recovery UI\n"); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 458 | display_error_msg(); /* This will never return */ |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 459 | } |
Rami Butstein | faecf7f | 2015-06-04 16:39:30 +0300 | [diff] [blame] | 460 | |
| 461 | out: |
Amit Blay | 5484915 | 2015-11-09 15:51:40 +0200 | [diff] [blame] | 462 | display_image_on_screen(); |
Rami Butstein | faecf7f | 2015-06-04 16:39:30 +0300 | [diff] [blame] | 463 | free_mdtp_image(); |
Reut Zysman | d713862 | 2016-01-18 14:43:59 +0200 | [diff] [blame] | 464 | mdelay(MDTP_CORRECT_PIN_DELAY_MSEC); |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 465 | } |
| 466 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 467 | /* Verify the boot or recovery partitions using boot_verifier. */ |
| 468 | static int verify_ext_partition(mdtp_ext_partition_verification_t *ext_partition) |
| 469 | { |
| 470 | int ret = 0; |
| 471 | bool restore_to_orange = false; |
| 472 | unsigned long long ptn = 0; |
| 473 | int index = INVALID_PTN; |
| 474 | |
| 475 | /* If image was already verified in aboot, return its status */ |
| 476 | if (ext_partition->integrity_state == MDTP_PARTITION_STATE_INVALID) |
| 477 | { |
| 478 | dprintf(CRITICAL, "mdtp: verify_ext_partition: image %s verified externally and failed.\n", |
| 479 | ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 480 | return -1; |
| 481 | } |
| 482 | else if (ext_partition->integrity_state == MDTP_PARTITION_STATE_VALID) |
| 483 | { |
| 484 | dprintf(CRITICAL, "mdtp: verify_ext_partition: image %s verified externally succesfully.\n", |
| 485 | ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 486 | return 0; |
| 487 | } |
| 488 | |
| 489 | /* If image was not verified in aboot, verify it ourselves using boot_verifier. */ |
| 490 | |
| 491 | /* 1) Initialize keystore. We don't care about return value which is Verified Boot's state machine state. */ |
| 492 | boot_verify_keystore_init(); |
| 493 | |
| 494 | /* 2) If boot_verifier is ORANGE, it will prevent verifying an image. So |
| 495 | * temporarly change boot_verifier state to BOOT_INIT. |
| 496 | */ |
| 497 | if (boot_verify_get_state() == ORANGE) |
| 498 | restore_to_orange = true; |
| 499 | boot_verify_send_event(BOOT_INIT); |
| 500 | |
| 501 | switch (ext_partition->partition) |
| 502 | { |
| 503 | case MDTP_PARTITION_BOOT: |
| 504 | case MDTP_PARTITION_RECOVERY: |
| 505 | |
| 506 | /* 3) Signature may or may not be at the end of the image. Read the signature if needed. */ |
| 507 | if (!ext_partition->sig_avail) |
| 508 | { |
| 509 | if (check_aboot_addr_range_overlap((uint32_t)(ext_partition->image_addr + ext_partition->image_size), ext_partition->page_size)) |
| 510 | { |
| 511 | dprintf(CRITICAL, "ERROR: Signature read buffer address overlaps with aboot addresses.\n"); |
| 512 | return -1; |
| 513 | } |
| 514 | |
| 515 | index = partition_get_index(ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 516 | ptn = partition_get_offset(index); |
| 517 | if(ptn == 0) { |
| 518 | dprintf(CRITICAL, "ERROR: partition %s not found\n", |
| 519 | ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 520 | return -1; |
| 521 | } |
| 522 | |
| 523 | if(mmc_read(ptn + ext_partition->image_size, (void *)(ext_partition->image_addr + ext_partition->image_size), ext_partition->page_size)) |
| 524 | { |
| 525 | dprintf(CRITICAL, "ERROR: Cannot read %s image signature\n", |
| 526 | ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 527 | return -1; |
| 528 | } |
| 529 | } |
| 530 | |
| 531 | /* 4) Verify the image using its signature. */ |
| 532 | ret = boot_verify_image((unsigned char *)ext_partition->image_addr, |
| 533 | ext_partition->image_size, |
Amit Blay | 59fad25 | 2015-05-17 17:27:17 +0300 | [diff] [blame] | 534 | ext_partition->partition == MDTP_PARTITION_BOOT ? "/boot" : "/recovery"); |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 535 | break; |
| 536 | |
| 537 | default: |
| 538 | /* Only boot and recovery are legal here */ |
| 539 | dprintf(CRITICAL, "ERROR: wrong partition %d\n", ext_partition->partition); |
| 540 | return -1; |
| 541 | } |
| 542 | |
| 543 | if (ret) |
| 544 | { |
| 545 | dprintf(INFO, "mdtp: verify_ext_partition: image %s verified succesfully in MDTP.\n", |
| 546 | ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 547 | } |
| 548 | else |
| 549 | { |
| 550 | dprintf(CRITICAL, "mdtp: verify_ext_partition: image %s verification failed in MDTP.\n", |
| 551 | ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery"); |
| 552 | } |
| 553 | |
| 554 | /* 5) Restore the right boot_verifier state upon exit. */ |
| 555 | if (restore_to_orange) |
| 556 | { |
| 557 | boot_verify_send_event(DEV_UNLOCK); |
| 558 | } |
| 559 | |
| 560 | return ret ? 0 : -1; |
| 561 | } |
| 562 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 563 | /* Verify all protected partitinons according to the DIP */ |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 564 | static void verify_all_partitions(DIP_t *dip, |
| 565 | mdtp_ext_partition_verification_t *ext_partition, |
| 566 | verify_result_t *verify_result) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 567 | { |
| 568 | int i; |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 569 | int verify_failure = 0; |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 570 | int verify_temp_result = 0; |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 571 | int ext_partition_verify_failure = 0; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 572 | uint32_t total_num_blocks; |
| 573 | |
| 574 | ASSERT(dip != NULL); |
| 575 | ASSERT(verify_result != NULL); |
| 576 | |
| 577 | *verify_result = VERIFY_FAILED; |
| 578 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 579 | if (validate_dip(dip)) |
| 580 | { |
| 581 | dprintf(CRITICAL, "mdtp: verify_all_partitions: failed DIP validation\n"); |
| 582 | return; |
| 583 | } |
| 584 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 585 | if (dip->status == DIP_STATUS_DEACTIVATED) |
| 586 | { |
| 587 | *verify_result = VERIFY_SKIPPED; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 588 | return; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 589 | } |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 590 | else |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 591 | { |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 592 | if (ext_partition->partition != MDTP_PARTITION_NONE) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 593 | { |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 594 | for(i=0; i<MAX_PARTITIONS; i++) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 595 | { |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 596 | verify_temp_result = 0; |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 597 | if(dip->partition_cfg[i].lock_enabled && dip->partition_cfg[i].size) |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 598 | { |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 599 | total_num_blocks = ((dip->partition_cfg[i].size - 1) / MDTP_FWLOCK_BLOCK_SIZE); |
| 600 | if (validate_partition_params(dip->partition_cfg[i].size, |
| 601 | dip->partition_cfg[i].hash_mode, |
| 602 | dip->partition_cfg[i].verify_ratio)) |
| 603 | { |
| 604 | dprintf(CRITICAL, "mdtp: verify_all_partitions: Wrong partition parameters\n"); |
| 605 | verify_failure = TRUE; |
| 606 | break; |
| 607 | } |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 608 | |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 609 | verify_temp_result |= (verify_partition(dip->partition_cfg[i].name, |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 610 | dip->partition_cfg[i].size, |
| 611 | dip->partition_cfg[i].hash_mode, |
| 612 | (dip->partition_cfg[i].verify_ratio * total_num_blocks) / 100, |
| 613 | dip->partition_cfg[i].hash_table, |
| 614 | dip->partition_cfg[i].force_verify_block) != 0); |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 615 | |
| 616 | if((verify_temp_result) && (strcmp("mdtp",dip->partition_cfg[i].name) == 0)){ |
| 617 | *verify_result = VERIFY_MDTP_FAILED; |
| 618 | } |
| 619 | |
| 620 | verify_failure |= verify_temp_result; |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 621 | } |
| 622 | } |
| 623 | |
| 624 | ext_partition_verify_failure = verify_ext_partition(ext_partition); |
| 625 | |
| 626 | if (verify_failure || ext_partition_verify_failure) |
| 627 | { |
| 628 | dprintf(CRITICAL, "mdtp: verify_all_partitions: Failed partition verification\n"); |
| 629 | return; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 630 | } |
| 631 | } |
Shay Nachmani | bc10dfe | 2015-02-10 14:45:55 +0200 | [diff] [blame] | 632 | is_mdtp_activated = 1; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 633 | } |
| 634 | |
| 635 | *verify_result = VERIFY_OK; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 636 | return; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 637 | } |
| 638 | |
| 639 | /* Verify the DIP and all protected partitions */ |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 640 | static void validate_DIP_and_firmware(mdtp_ext_partition_verification_t *ext_partition) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 641 | { |
| 642 | int ret; |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 643 | DIP_t *enc_dip; |
| 644 | DIP_t *dec_dip; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 645 | uint32_t verified = 0; |
| 646 | verify_result_t verify_result; |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 647 | uint32_t block_size = mmc_get_device_blocksize(); |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 648 | mdtp_cfg_t mdtp_cfg; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 649 | |
| 650 | enc_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size)); |
| 651 | if (enc_dip == NULL) |
| 652 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 653 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot allocate DIP\n"); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 654 | display_error_msg(); /* This will never return */ |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 655 | } |
| 656 | |
| 657 | dec_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size)); |
| 658 | if (dec_dip == NULL) |
| 659 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 660 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot allocate DIP\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 661 | free(enc_dip); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 662 | display_error_msg(); /* This will never return */ |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 663 | } |
| 664 | |
| 665 | /* Read the DIP holding the MDTP Firmware Lock state from the DIP partition */ |
| 666 | ret = read_DIP(enc_dip); |
| 667 | if(ret < 0) |
| 668 | { |
| 669 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot read DIP\n"); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 670 | display_error_msg(); /* This will never return */ |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 671 | } |
| 672 | |
| 673 | /* Decrypt and verify the integrity of the DIP */ |
| 674 | ret = mdtp_tzbsp_dec_verify_DIP(enc_dip, dec_dip, &verified); |
| 675 | if(ret < 0) |
| 676 | { |
| 677 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot verify DIP\n"); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 678 | display_error_msg(); /* This will never return */ |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 679 | } |
| 680 | |
| 681 | /* In case DIP integrity verification fails, notify the user and halt */ |
| 682 | if(!verified) |
| 683 | { |
| 684 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted DIP\n"); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 685 | display_error_msg(); /* This will never return */ |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 686 | } |
| 687 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 688 | /* Verify the integrity of the partitions which are protected, according to the content of the DIP */ |
| 689 | verify_all_partitions(dec_dip, ext_partition, &verify_result); |
| 690 | |
| 691 | mdtp_cfg = dec_dip->mdtp_cfg; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 692 | |
| 693 | /* Clear decrypted DIP since we don't need it anymore */ |
| 694 | memset(dec_dip, 0, sizeof(DIP_t)); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 695 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 696 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 697 | if (verify_result == VERIFY_OK) |
| 698 | { |
Reut Zysman | 1841127 | 2015-02-09 13:47:27 +0200 | [diff] [blame] | 699 | dprintf(SPEW, "mdtp: validate_DIP_and_firmware: Verify OK\n"); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 700 | } |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 701 | else if (verify_result == VERIFY_SKIPPED) |
| 702 | { |
| 703 | dprintf(SPEW, "mdtp: validate_DIP_and_firmware: Verify skipped\n"); |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 704 | } |
| 705 | else if(verify_result == VERIFY_MDTP_FAILED) |
| 706 | { |
| 707 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted mdtp image\n"); |
| 708 | display_mdtp_fail_recovery_ui(); |
| 709 | } |
| 710 | else /* VERIFY_FAILED */ |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 711 | { |
| 712 | dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted firmware\n"); |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 713 | display_recovery_ui(&mdtp_cfg); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 714 | } |
| 715 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 716 | memset(&mdtp_cfg, 0, sizeof(mdtp_cfg)); |
| 717 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 718 | free(enc_dip); |
| 719 | free(dec_dip); |
| 720 | |
| 721 | return; |
| 722 | } |
| 723 | |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 724 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 725 | /********************************************************************************/ |
| 726 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 727 | /** Entry point of the MDTP Firmware Lock. |
| 728 | * If needed, verify the DIP and all protected partitions. |
| 729 | * Allow passing information about partition verified using an external method |
| 730 | * (either boot or recovery). For boot and recovery, either use aboot's |
| 731 | * verification result, or use boot_verifier APIs to verify internally. |
| 732 | **/ |
| 733 | void mdtp_fwlock_verify_lock(mdtp_ext_partition_verification_t *ext_partition) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 734 | { |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 735 | int ret; |
| 736 | bool enabled; |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 737 | |
Reut Zysman | ff6bab9 | 2016-02-09 14:06:31 +0200 | [diff] [blame] | 738 | if(mdtp_fs_init() != 0){ |
| 739 | dprintf(CRITICAL, "mdtp: mdtp_img: ERROR, image file could not be loaded\n"); |
| 740 | display_error_msg_mdtp(); /* This will never return */ |
| 741 | } |
Shay Nachmani | bc10dfe | 2015-02-10 14:45:55 +0200 | [diff] [blame] | 742 | /* sets the default value of this global to be MDTP not activated */ |
| 743 | is_mdtp_activated = 0; |
| 744 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 745 | do { |
| 746 | if (ext_partition == NULL) |
| 747 | { |
| 748 | dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, external partition is NULL\n"); |
| 749 | display_error_msg(); /* This will never return */ |
| 750 | break; |
| 751 | } |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 752 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 753 | ret = mdtp_fuse_get_enabled(&enabled); |
| 754 | if(ret) |
| 755 | { |
| 756 | dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, cannot get enabled fuse\n"); |
| 757 | display_error_msg(); /* This will never return */ |
| 758 | } |
| 759 | |
| 760 | /* Continue with Firmware Lock verification only if enabled by eFuse */ |
| 761 | if (enabled) |
| 762 | { |
| 763 | /* This function will handle firmware verification failure via UI */ |
| 764 | validate_DIP_and_firmware(ext_partition); |
| 765 | } |
| 766 | } while (0); |
| 767 | |
| 768 | /* Disallow CIPHER_DIP SCM call from this point, unless we are in recovery */ |
| 769 | /* The recovery image will disallow CIPHER_DIP SCM call by itself. */ |
Amit Blay | 8a51030 | 2015-08-17 09:20:01 +0300 | [diff] [blame] | 770 | if (ext_partition->partition == MDTP_PARTITION_BOOT) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 771 | { |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 772 | mdtp_tzbsp_disallow_cipher_DIP(); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 773 | } |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 774 | } |
Shay Nachmani | bc10dfe | 2015-02-10 14:45:55 +0200 | [diff] [blame] | 775 | /********************************************************************************/ |
| 776 | |
| 777 | /** Indicates whether the MDTP is currently in ACTIVATED state **/ |
| 778 | int mdtp_activated(bool * activated){ |
| 779 | if(is_mdtp_activated < 0){ |
| 780 | /* mdtp_fwlock_verify_lock was not called before, the value is not valid */ |
| 781 | return is_mdtp_activated; |
| 782 | } |
| 783 | |
| 784 | *activated = is_mdtp_activated; |
| 785 | return 0; |
| 786 | } |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 787 | |
| 788 | /********************************************************************************/ |
| 789 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 790 | /* Decrypt a given DIP and verify its integrity */ |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 791 | static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 792 | { |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 793 | unsigned char hash[HASH_LEN]; |
| 794 | SHA256_CTX sha256_ctx; |
| 795 | int ret; |
| 796 | |
| 797 | ASSERT(enc_dip != NULL); |
| 798 | ASSERT(dec_dip != NULL); |
| 799 | ASSERT(verified != NULL); |
| 800 | |
Amit Blay | 4418fb4 | 2015-05-05 08:45:13 +0300 | [diff] [blame] | 801 | arch_clean_invalidate_cache_range((addr_t)enc_dip, sizeof(DIP_t)); |
| 802 | arch_invalidate_cache_range((addr_t)dec_dip, sizeof(DIP_t)); |
| 803 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 804 | ret = mdtp_cipher_dip_cmd((uint8_t*)enc_dip, sizeof(DIP_t), |
| 805 | (uint8_t*)dec_dip, sizeof(DIP_t), |
| 806 | DIP_DECRYPT); |
| 807 | if (ret) |
| 808 | { |
| 809 | dprintf(CRITICAL, "mdtp: mdtp_tzbsp_dec_verify_DIP: ERROR, cannot cipher DIP\n"); |
| 810 | *verified = 0; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 811 | memset(dec_dip, 0, sizeof(DIP_t)); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 812 | return -1; |
| 813 | } |
| 814 | |
Amit Blay | 4418fb4 | 2015-05-05 08:45:13 +0300 | [diff] [blame] | 815 | arch_invalidate_cache_range((addr_t)dec_dip, sizeof(DIP_t)); |
| 816 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 817 | SHA256_Init(&sha256_ctx); |
| 818 | SHA256_Update(&sha256_ctx, dec_dip, sizeof(DIP_t) - HASH_LEN); |
| 819 | SHA256_Final(hash, &sha256_ctx); |
| 820 | |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 821 | if (memcmp(hash, dec_dip->hash, HASH_LEN)) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 822 | { |
| 823 | *verified = 0; |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 824 | memset(dec_dip, 0, sizeof(DIP_t)); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 825 | } |
| 826 | else |
| 827 | { |
| 828 | *verified = 1; |
| 829 | } |
| 830 | |
| 831 | return 0; |
| 832 | } |
| 833 | |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 834 | /* Encrypt a given DIP and calculate its integrity information */ |
Amit Blay | df42d2f | 2015-02-03 16:37:09 +0200 | [diff] [blame] | 835 | static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip) |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 836 | { |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 837 | SHA256_CTX sha256_ctx; |
| 838 | int ret; |
| 839 | |
| 840 | ASSERT(dec_dip != NULL); |
| 841 | ASSERT(enc_dip != NULL); |
| 842 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 843 | SHA256_Init(&sha256_ctx); |
| 844 | SHA256_Update(&sha256_ctx, dec_dip, sizeof(DIP_t) - HASH_LEN); |
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 845 | SHA256_Final(dec_dip->hash, &sha256_ctx); |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 846 | |
Amit Blay | 4418fb4 | 2015-05-05 08:45:13 +0300 | [diff] [blame] | 847 | arch_clean_invalidate_cache_range((addr_t)dec_dip, sizeof(DIP_t)); |
| 848 | arch_invalidate_cache_range((addr_t)enc_dip, sizeof(DIP_t)); |
| 849 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 850 | ret = mdtp_cipher_dip_cmd((uint8_t*)dec_dip, sizeof(DIP_t), |
| 851 | (uint8_t*)enc_dip, sizeof(DIP_t), |
| 852 | DIP_ENCRYPT); |
| 853 | if (ret) |
| 854 | { |
| 855 | dprintf(CRITICAL, "mdtp: mdtp_tzbsp_enc_hash_DIP: ERROR, cannot cipher DIP\n"); |
| 856 | return -1; |
| 857 | } |
| 858 | |
Amit Blay | 4418fb4 | 2015-05-05 08:45:13 +0300 | [diff] [blame] | 859 | arch_invalidate_cache_range((addr_t)enc_dip, sizeof(DIP_t)); |
| 860 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 861 | return 0; |
| 862 | } |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 863 | |
| 864 | /* Disallow the CIPHER_DIP SCM call */ |
| 865 | static void mdtp_tzbsp_disallow_cipher_DIP(void) |
| 866 | { |
| 867 | DIP_t *dip; |
| 868 | int i; |
| 869 | |
| 870 | dip = malloc(sizeof(DIP_t)); |
| 871 | if (dip == NULL) |
| 872 | { |
| 873 | dprintf(CRITICAL, "mdtp: mdtp_tzbsp_disallow_cipher_DIP: ERROR, cannot allocate DIP\n"); |
| 874 | return; |
| 875 | } |
| 876 | |
| 877 | /* Disallow the CIPHER_DIP SCM by calling it MAX_CIPHER_DIP_SCM_CALLS times */ |
| 878 | for (i=0; i<MAX_CIPHER_DIP_SCM_CALLS; i++) |
| 879 | { |
| 880 | mdtp_tzbsp_enc_hash_DIP(dip, dip); |
| 881 | } |
| 882 | |
| 883 | free(dip); |
| 884 | } |